LoadMaster 7.2.47.0 Release Notes

LMOS Version 7.2.47.0 is a feature and bug-fix update released in August 2019. Please read the sections below before installing or upgrading. 

New Features

The following new features have been implemented.

TLS 1.3 Hardware Support

Software-based SSL support for TLS 1.3 was delivered in a previous release, and with this release LoadMaster now supports TLS 1.3 for hardware SSL acceleration as well. Hardware-accelerated SSL is available with specific LoadMaster hardware appliances.

Exchange 2019 Application Template

A new Kemp Application Template for Exchange 2019, with an accompanying Deployment Guide, has been published to the Kemp website. The template is available

URL Hash Scheduling Method

A new Scheduling Method has been added within a Virtual Service’s Standard Options called url hash. This new scheduling method was developed primarily to support Dell EMC Elastic Cloud Storage (ECS) applications and efficient use of ECS-based resources, but could also be used to support other workloads where storage efficiency is the primary goal. The url hash method works by creating a hash value based on the object referenced in the client request’s URL and the number of Real Servers or SubVSs in the Virtual Service. All requests for a particular URL will be sent to the same RS/SubVS, unless a Real Server or SubVS is added or removed – in which case all hash values are recalculated and subsequent traffic will be redistributed accordingly. If a request is received for a URL that matches a hash, but the appropriate Real Server or SubVS is unavailable (e.g., disabled), then only read requests from the client are permitted.
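The url hash behaviour described above, modelled as an added example (this is not LoadMaster code, and the release notes do not say which hash function is used or which methods count as reads; SHA-256 over the URL path, "key mod N" server selection and GET/HEAD as the read methods are all assumptions of this example). It shows the three properties the notes describe: the same URL always maps to the same Real Server, adding or removing a server re-hashes everything, and a disabled target still admits reads but refuses writes.

```python
import hashlib
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Methods treated as "read" requests. Constructed assumption: the release notes
# do not list which methods count as reads.
READ_METHODS = frozenset({"GET", "HEAD"})


class ServerUnavailable(Exception):
    """Raised when a non-read request hashes to a disabled Real Server."""


@dataclass
class RealServer:
    address: str
    enabled: bool = True


@dataclass
class UrlHashScheduler:
    """Maps each request URL to one Real Server by hashing the object path."""
    servers: list = field(default_factory=list)

    @staticmethod
    def hash_key(url: str) -> int:
        # Hash only the path, so query strings do not scatter one object across
        # servers. SHA-256 is an assumption; the notes do not name the hash.
        path = urlsplit(url).path or "/"
        digest = hashlib.sha256(path.encode("utf-8")).digest()
        return int.from_bytes(digest[:8], "big")

    def add_server(self, address: str) -> None:
        # Changing the server count changes every "key mod N" result, which is
        # the full redistribution the notes describe on add/remove.
        self.servers.append(RealServer(address))

    def remove_server(self, address: str) -> None:
        self.servers = [s for s in self.servers if s.address != address]

    def set_enabled(self, address: str, enabled: bool) -> None:
        for s in self.servers:
            if s.address == address:
                s.enabled = enabled

    def select(self, method: str, url: str) -> str:
        """Return the address of the Real Server that should receive this request."""
        if not self.servers:
            raise ServerUnavailable("no Real Servers configured")
        rs = self.servers[self.hash_key(url) % len(self.servers)]
        # Disabled target: reads still go through (assumed to reach the hashed
        # server); anything else is refused.
        if not rs.enabled and method.upper() not in READ_METHODS:
            raise ServerUnavailable(f"{rs.address} is disabled; only read requests are permitted")
        return rs.address

    def distribution(self, urls) -> dict:
        """Count how many of the given URLs land on each server (as GET requests)."""
        counts = {s.address: 0 for s in self.servers}
        for url in urls:
            counts[self.select("GET", url)] += 1
        return counts


def redistribution_demo():
    """Per-server spread of 300 constructed object URLs before and after a fourth server is added."""
    sched = UrlHashScheduler()
    for addr in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        sched.add_server(addr)
    urls = [f"http://ecs.example.test/bucket/object-{i}" for i in range(300)]  # constructed
    before = sched.distribution(urls)
    sched.add_server("10.0.0.4")
    after = sched.distribution(urls)
    return before, after


def disabled_server_demo():
    """Return (server used for a GET, whether a PUT was refused) once the target is disabled."""
    sched = UrlHashScheduler()
    sched.add_server("10.0.0.1")
    sched.add_server("10.0.0.2")
    # Find a constructed URL that hashes to the second server, then disable it.
    url = next(u for u in (f"http://ecs.example.test/b/o{i}" for i in range(1000))
               if sched.select("GET", u) == "10.0.0.2")
    sched.set_enabled("10.0.0.2", False)
    read_target = sched.select("GET", url)
    try:
        sched.select("PUT", url)
        write_refused = False
    except ServerUnavailable:
        write_refused = True
    return read_target, write_refused


if __name__ == "__main__":
    before, after = redistribution_demo()
    print("3 servers:", before)
    print("4 servers:", after)
    print("disabled target:", disabled_server_demo())
```

Because selection is "key mod N", a single server change remaps most URLs, which is exactly why the notes warn that traffic is redistributed on add/remove; a deployment that adds storage nodes frequently should expect cache and locality benefits to reset each time.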


Feature Enhancements

The following feature enhancements have been implemented.

SSL Certificate Assignment

The character limit for the Certificates field in a Virtual Service’s SSL Properties has been increased from 1024 to 8192 characters. The WUI returns an error if you specify a number of certificates that would cause the field to exceed this limit.

ESP Performance

ESP configurations that use KCD have been optimized to support customers that require a large number of concurrent sessions.

Serial Console for Public Cloud Platforms

Serial console support has been enhanced so that you can now connect to the LoadMaster serial console in public clouds, such as AWS and Azure. This allows access to all console interface capabilities, including resetting the password for the administrative login (bal).

Metered Licensing Workflow

The process of licensing LoadMaster from a Kemp 360 Central Metered Licensing deployment has been simplified so that in most cases no other action than requesting and successfully retrieving a metered license is required to:

  • license the LoadMaster and put it into operation
  • add it to Kemp 360 Central and enable monitoring and statistics collection

See the Metered Licensing Management document on the Kemp website for a complete description of the new workflow for licensing a LoadMaster from Kemp 360 Central.

WAF Event Logs, Remote Logging, and Disk Space Consumption

When large amounts of WAF data are being generated and remote logging is enabled, it’s possible for temporary WAF log data to exhaust available disk space. To alleviate this issue:

  • WAF event log generation is now suspended when used file space grows above 90%. If log suspension occurs, a message will be displayed in the WUI and in the logs.
  • WAF event log generation will resume automatically when disk space usage falls below 80%.
  • Two new controls have been added to the System Configuration > Logging Options > Extended Log Files page that allow you to Save and Clear Temporary WAF Remote Log Data, so you can manually reduce the amount of disk space consumed by temporary data.
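The suspend/resume thresholds above form a hysteresis band: logging stops above 90% and only restarts below 80%, so usage hovering around one value cannot flap logging on and off. The following added example (not LoadMaster code; the disk-usage samples are constructed) models that gate and contrasts it with a single 90% threshold on the same series.

```python
from dataclasses import dataclass, field

# Thresholds from the release notes: suspend WAF event logging above 90% used,
# resume below 80%. Samples are assumed to be percent-used of the log partition.
SUSPEND_ABOVE = 90
RESUME_BELOW = 80


@dataclass
class WafLogGate:
    """Hysteresis gate deciding whether WAF event log generation is allowed."""
    suspend_above: float = SUSPEND_ABOVE
    resume_below: float = RESUME_BELOW
    suspended: bool = False
    events: list = field(default_factory=list)  # messages that would go to the WUI and log

    def update(self, used_pct: float) -> bool:
        """Feed one disk-usage sample; return True if logging is allowed afterwards."""
        if not self.suspended and used_pct > self.suspend_above:
            self.suspended = True
            self.events.append(f"WAF event log generation suspended: disk {used_pct:.0f}% used")
        elif self.suspended and used_pct < self.resume_below:
            self.suspended = False
            self.events.append(f"WAF event log generation resumed: disk {used_pct:.0f}% used")
        return not self.suspended


def simulate(samples, suspend_above=SUSPEND_ABOVE, resume_below=RESUME_BELOW):
    """Run a series of usage samples through a gate; return (allowed flags, events)."""
    gate = WafLogGate(suspend_above, resume_below)
    allowed = [gate.update(s) for s in samples]
    return allowed, gate.events


def transitions(states) -> int:
    """Count how often the allowed/suspended state flipped."""
    return sum(1 for a, b in zip(states, states[1:]) if a != b)


# Constructed usage series hovering around the 90% mark, as can happen while a
# slow remote syslog target drains the temporary WAF log backlog.
SAMPLES = [70, 91, 89, 91, 89, 91, 79]

if __name__ == "__main__":
    allowed, events = simulate(SAMPLES)
    print("hysteresis 90/80:", allowed, "flips:", transitions(allowed))
    for e in events:
        print("  ", e)
    flappy, _ = simulate(SAMPLES, suspend_above=90, resume_below=90)
    print("single threshold:", flappy, "flips:", transitions(flappy))
```

With the 90/80 band the series produces two state changes and two log messages; with both thresholds at 90 the same series flips six times, which is the noisy behaviour the separate resume threshold avoids.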

Netconsole IPv6 Support

You can now set an IPv6 address for a Netconsole host, with the restriction that LoadMaster must also have an IPv6 address on the interface chosen in the Netconsole options.

Priority for ChaCha20Poly1305 Ciphers

LoadMaster SSL handshake processing has been enhanced to give priority to ChaCha20Poly1305 ciphers when they are preferred in a client’s request.
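The selection rule this describes, as an added example (not LoadMaster code): the server normally applies its own preference order, but when the client lists a ChaCha20-Poly1305 suite first, the server's ChaCha20 suites are moved to the front for that handshake. This is the same semantics as OpenSSL 1.1.1's SSL_OP_PRIORITIZE_CHACHA option; whether LoadMaster implements it that way is not stated in the notes. The cipher lists are constructed.

```python
def is_chacha(cipher: str) -> bool:
    """True for ChaCha20-Poly1305 suites, in TLS 1.3 or OpenSSL-style TLS 1.2 naming."""
    return "CHACHA20" in cipher.upper()


def select_cipher(server_prefs, client_offer, prioritize_chacha=True):
    """Pick the suite for one handshake.

    Normal server-preference behaviour: walk the server's list and take the first
    suite the client offered. With prioritize_chacha, if the client's own first
    choice is a ChaCha20 suite, the server's ChaCha20 suites are moved to the
    front for this handshake only, so that client gets ChaCha20 whenever the
    server supports it at all. Returns None if there is no common suite.
    """
    offered = set(client_offer)
    prefs = list(server_prefs)
    if prioritize_chacha and client_offer and is_chacha(client_offer[0]):
        prefs = [c for c in prefs if is_chacha(c)] + [c for c in prefs if not is_chacha(c)]
    for cipher in prefs:
        if cipher in offered:
            return cipher
    return None


# Constructed server preference list: AES-GCM first, as a server with AES
# hardware acceleration would typically order it.
SERVER_PREFS = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
]

# Constructed client offers: a device without AES acceleration puts ChaCha20
# first; a desktop client puts AES-GCM first.
MOBILE_CLIENT = ["TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"]
DESKTOP_CLIENT = ["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"]

if __name__ == "__main__":
    for name, offer in (("mobile", MOBILE_CLIENT), ("desktop", DESKTOP_CLIENT)):
        print(name, "prioritized:", select_cipher(SERVER_PREFS, offer),
              "plain:", select_cipher(SERVER_PREFS, offer, prioritize_chacha=False))
```

The security posture is unchanged either way (both suites are AEAD); the rule only lets a client that lacks AES hardware get the cipher that performs best for it, without the server giving up its own ordering for every other client.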

Memory and Disk Usage Reporting

Enhancements to memory and disk usage display/reporting in the WUI and API include the following:

  • The WUI now displays memory used and free memory in MB (instead of KB).
  • The amount of total memory has been added.
  • ‘Memory Available’ is renamed to ‘Free’.
  • Disk usage partition size is displayed in GB, along with total disk space, and percentage used.
  • More information has also been added to the ‘stats’ API output.

SAML Client-Side Authentication with Server Token Server-Side Authentication

When ESP is enabled, SAML is selected for the Client Authentication Mode, and Server Token is selected for the Server Authentication Mode, a new optional parameter appears that allows you to specify a Token Server FQDN. When set, LoadMaster contacts the token server at the given FQDN during sign-on and obtains a permanent access token from that token server. If this parameter is unset, then LoadMaster obtains the token from the Real Server (as in previous releases).

Change Notices

This release includes the following modification to existing behavior that may require changes to procedures and/or scripts currently in use within your organization.

Modify API Scripts that Deploy Metered License LoadMasters

Because of the changes to the Metered Licensing workflow (see the enhancements to the Metered Licensing Workflow, described above), existing scripts that deploy metered license LoadMasters must be modified to use the new usersetsyspassword() routine instead of the set_initial_password() routine, to set the ‘bal’ user password after the LoadMaster is successfully licensed. See the LMOS API Documentation on the Kemp website for more information.

Issues Resolved

The following issues have been resolved in this release.

PD-13370

WUI: Fixed an issue that caused many "Resource temporarily unavailable" errors to appear in the log, with accompanying loss of access to the WUI.

PD-13347

Licensing: In previous releases, if a password for a Kemp ID contained a "`" (backtick) character the LM would fail to get a license from the Kemp licensing server. This issue has been fixed so that licensing is successful in this case.

PD-13337

HA: In High Availability configurations where the configuration is actively being updated, it is possible for signal 15 and segmentation fault errors to be observed in the log, along with configuration corruption that can only be resolved by failing over to the standby LoadMaster, or by applying a backup. This issue has been fixed.

PD-13332

Virtual Services: In previous releases, a user could not set an Extra Port range on a VS if the two port numbers had different numbers of digits (for example, 99 has two digits and 100 has three). This issue has been fixed so that a user can now set an Extra Port range on a VS as long as the first number in the range is less than the second number.

PD-13308

Security: Fixed a potential security vulnerability where javascript could be added to the MOTD via the API. This is now not permitted.

PD-13307

Security: Fixed a potential security vulnerability where a script could be uploaded to the MOTD via the API. This is now not permitted.

PD-13305

GEO: Fixed an issue that caused updates to GEO partners to fail.

PD-13304

Security: In previous releases, it was possible to discover a LoadMaster's private IP address via the API if someone knew only the public IP address. Now, the private IP address is no longer seen in the API response, nor is it seen in the LoadMaster WUI unless a user has logged in.

PD-13303

API: Fixed an issue with the 'lscpi' API that caused an 'xmlParseEntityRef' error to be returned instead of a proper response.

PD-13293

LDAP: In previous releases, configuring multiple LDAP servers on the LDAP Endpoint caused WUI Authentication to fail; however, it works if a single server is specified. This issue has been fixed.

PD-13266

Networking: In LMOS 7.2.46, changes made to the Bonding mode (e.g., from 802.3ad to Active-Backup) reverted back to the previous value. This issue has been fixed.

PD-13264

Browser Support: In previous releases, the LoadMaster WUI certificate did not have a SAN (Subject Alternative Name) value, which caused a certificate error in the Chrome and Firefox browsers. This issue has been fixed by adding a SAN to the certificate.

PD-13235

Health Checks: When upgrading from LMOS 7.2.42 to 7.2.46, Virtual Services using LDAP health checks may fail after upgrade. This issue has been fixed.

PD-13217

SMTP: In previous releases, setting the SMTP Server to "smtp.office365.com" on port 587 does not work. This issue has been fixed, so that "smtp.office365.com" on port 587 with STARTTLS can now be used.

PD-13154

GEO: Fixed an issue that could cause the following spurious error to appear: "GEO_ACL_Automatic_Update: feature is not enabled and/or support is expired. Please contact Kemp support."

PD-13103

HTTP/2: Fixed an HTTP/2 issue that caused the LoadMaster to reboot when an invalid User Agent string was received.

PD-13100

GEO: Fixed an issue that caused segmentation faults on GEO partners.

PD-13086

SSL Certificates: In previous releases, the LMOS API call 'listcert' did not display the 'publickey' field for ECC certificates. The API now displays the 'publickey' field for ECC certificates, along with a new 'type' field (with values of 'RSA' or 'ECC').

PD-13082

SSL Certificates: Fixed an error that occurred when a user tries to upload a 4096 byte SSH Private Key via the API.

PD-13079

Disk Mgmt: Fixed disk partitioning issues observed in LMOS 7.2.46.

PD-13069
PD-12852

HTTP/2: Fixed issues observed on earlier releases with unexpected reboots due to HTTP/2 traffic processing.

PD-13052

Licensing: Fixed a licensing related issue on the Azure platform that could cause intermittent failures when attempting to contact the Kemp licensing server.

PD-13042

SAML/KCD: Fixed an issue that could cause a reboot when SAML + KCD were enabled under certain conditions.

PD-13041

Licensing: Fixed an issue where the LoadMaster configuration does not get cleared after a "Kill_License" is performed via the LMOS API or licensing server.

PD-13038

SSL Certificates: Fixed an issue where 'Elliptic Curve Cryptography' (ECC) certificates in PFX format can't be uploaded to the LM.

PD-13034

OCSP Stapling: Fixed several issues:

  1. Responses from the server are now periodically refreshed prior to expiration, to prevent issues associated with waiting for a refresh until the expiration time has passed.
  2. Restarting the OCSP service no longer clears previously obtained responses.
  3. Server responses are now validated to ensure they will be accepted by the client. This includes checking for: 'revoked' responses; OCSP 'tryLater' or 'internalError' responses; poorly-formed OCSP responses; invalid timestamps; certificate mismatches; and other PKI-related errors.
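The acceptance checks and the early-refresh rule in items 1 and 3 above, as an added example (not LoadMaster code). It works on a constructed model of the OCSP response fields rather than parsing DER, and the 5-minute clock-skew allowance and the "refresh at half the validity window" policy are assumptions; the notes only say responses are refreshed before expiry.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# Allowed clock skew when checking thisUpdate; assumed value.
CLOCK_SKEW = timedelta(minutes=5)


class ResponseStatus(Enum):
    SUCCESSFUL = "successful"
    MALFORMED_REQUEST = "malformedRequest"
    INTERNAL_ERROR = "internalError"
    TRY_LATER = "tryLater"


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass
class OcspResponse:
    """Constructed model of the fields a stapling check needs; not a DER parser."""
    response_status: ResponseStatus
    well_formed: bool = True
    cert_status: Optional[CertStatus] = None
    cert_serial: Optional[int] = None
    this_update: Optional[datetime] = None
    next_update: Optional[datetime] = None


def staple_problem(resp: OcspResponse, expected_serial: int, now: datetime) -> Optional[str]:
    """Return why this response must not be stapled, or None if a client would accept it."""
    if not resp.well_formed:
        return "malformed response"
    if resp.response_status is not ResponseStatus.SUCCESSFUL:
        return f"responder status {resp.response_status.value}"
    if resp.cert_serial != expected_serial:
        return "certificate mismatch"
    if resp.cert_status is CertStatus.REVOKED:
        return "certificate revoked"
    if resp.cert_status is not CertStatus.GOOD:
        return "certificate status unknown"
    if resp.this_update is None or resp.next_update is None:
        return "missing validity timestamps"
    if resp.this_update > now + CLOCK_SKEW:
        return "thisUpdate is in the future"
    if resp.next_update <= now:
        return "response expired"
    return None


def refresh_due(resp: OcspResponse, now: datetime, fraction: float = 0.5) -> bool:
    """Refresh once the given fraction of the validity window has elapsed (assumed policy)."""
    window = resp.next_update - resp.this_update
    return now >= resp.this_update + window * fraction


def sample_verdicts() -> dict:
    """Run constructed responses for a certificate with serial 0x1234 through the check."""
    now = datetime(2019, 8, 15, 12, 0, tzinfo=timezone.utc)
    good = OcspResponse(ResponseStatus.SUCCESSFUL, cert_status=CertStatus.GOOD, cert_serial=0x1234,
                        this_update=now - timedelta(hours=1), next_update=now + timedelta(days=1))
    cases = {
        "good": good,
        "wrong_cert": OcspResponse(ResponseStatus.SUCCESSFUL, cert_status=CertStatus.GOOD, cert_serial=0x9999,
                                   this_update=good.this_update, next_update=good.next_update),
        "revoked": OcspResponse(ResponseStatus.SUCCESSFUL, cert_status=CertStatus.REVOKED, cert_serial=0x1234,
                                this_update=good.this_update, next_update=good.next_update),
        "try_later": OcspResponse(ResponseStatus.TRY_LATER),
        "expired": OcspResponse(ResponseStatus.SUCCESSFUL, cert_status=CertStatus.GOOD, cert_serial=0x1234,
                                this_update=now - timedelta(days=2), next_update=now - timedelta(seconds=1)),
        "garbage": OcspResponse(ResponseStatus.SUCCESSFUL, well_formed=False),
    }
    verdicts = {name: staple_problem(r, 0x1234, now) for name, r in cases.items()}
    # Refresh schedule for the good response: window is 25h, so not due 1h in, due 14h in.
    verdicts["refresh_now"] = refresh_due(good, now)
    verdicts["refresh_13h"] = refresh_due(good, now + timedelta(hours=13))
    return verdicts


if __name__ == "__main__":
    for name, verdict in sample_verdicts().items():
        print(f"{name:12} -> {verdict}")
```

Rejecting a bad response on the server side matters because a stapled response the client will not accept is worse than no staple: the client either hard-fails the handshake or falls back to its own OCSP fetch, and keeping the last good response across a service restart (item 2) avoids serving that window with nothing stapled.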

PD-13031

WAF: In previous releases, a false positive was being returned in the WAF event log for a GET call by the WAF Core rule set (rule 942370). This issue has been fixed.

PD-13027

Licensing: Fixed an issue that caused a spurious message to be displayed when "Kill License" is initiated from WUI.

PD-13051
PD-13026

Networking / SSL Errors: In previous releases, all client SSL messages are written to the LoadMaster logs, which can result in spurious client alert messages appearing in the logs. To address this issue, a new parameter setting has been added to the WUI under System Configuration > Miscellaneous Options > Network Options labelled Log SSL errors. This is set by default to log "Fatal errors only", which will suppress client errors and spurious messages from appearing in the log. You can also set this parameter to display client errors (but not spurious messages), or to return to the behavior in previous releases where no messages are suppressed.

PD-13020

SAML: In previous releases, it is possible for a user not in a SAML group to enter a redirect loop during authentication, instead of being returned an error denying them access. This issue has been fixed.

PD-12998

SSL Ciphers (ECDH): In LMOS 7.2.46, OpenSSL was upgraded to version 1.1.1, which removes all support for ECDH ciphers. As a result, any ECDH ciphers specified in the configuration after upgrade could cause issues and should be removed (as stated in the 7.2.46 Release Notes). With 7.2.47, any ECDH ciphers present in a cipher list on LoadMaster will be ignored.

PD-12986

GEO: Fixed an issue that could cause a 'readremote' failure to appear in the log, followed by a GEO Cluster check failure.

PD-12981

Kernel: Fixed an issue that caused spurious kernel call trace warnings to appear in the log.

PD-12980

Virtual Services API: Fixed an API issue where the Virtual Service name was not returned by the 'listclusters' and 'showcluster' API calls. These now display the service name correctly.

PD-12979

Virtual Services API: Fixed an API issue where the Virtual Service name was not returned by the 'listfqdns' and 'showfqdn' API calls. These now display the service name correctly.

PD-12973

GEO: In previous releases, when configuring a Cluster for an FQDN, the Mapping Menu parameter returns an error if a Virtual Service whose name contains a left or right bracket character ('[' or ']') is selected from the drop-down. This issue has been fixed.

PD-12960

Health Checks: Additional Custom Headers of up to 255 characters can be configured for Real Server health checks, but due to an internal OS limitation only 144 characters were processed, resulting in some Real Server health check failures. This issue has been fixed.

PD-12864

Clustering: When clustering is enabled on previous releases, adaptive scheduling statistics may not be updated as expected on the cluster Administration node. This issue has been fixed.

PD-12880

ESP / Performance: Improved system performance when ESP extended logs are enabled and the system is under heavy load.

PD-12795

RADIUS: In previous releases, the Use Local Account only if AAA Fails option may not work as designed when a RADIUS server and a backup RADIUS server are configured, and no response is received from the backup server. This issue has been fixed.

PD-12774

SNMP: In previous releases, the SNMP OIDs vsActiveConns, rsActiveConns and totRSActiveConns were incorrectly set as 'Counter32' type values. The issue has been fixed by changing the type to 'Gauge32'.

PD-12625

SAML: Addressed issues that caused LoadMaster reboots when processing a high volume of SAML authentication requests.

PD-12622

Licensing: In previous releases, the "readeula" REST API does not work after licensing (except when deployed on AWS). This has been fixed to work properly on all cloud, virtual and hardware models.

PD-12598

Logging: In previous releases, no non-debug-mode syslog messages are generated when a Real Server is busy, listening to a different port, or there are no ports available (port exhaustion). This has been addressed by adding non-debug messages for these events.

PD-12594

ESP Logs: Fixed an issue that could cause incorrect ESP log data display when filtering on a single date. 

PD-12496

ESP SSO: In previous releases, when ESP is enabled and SSO is being used, it's possible for the user credentials to be normalized incorrectly when the configuration is set to use the 'Username' logon format.

PD-12449

API: In previous releases, the LMOS 'stats' and 'listconfig' APIs show an incorrect interface speed when there is no link detected. This issue has been fixed so that the correct speed ('0') is displayed.

PD-12422

MT: In previous releases, a VNF LoadMaster's Real Time Statistics > Network Usage graphics display the speed as '-1', with misalignment of the graph bars as well. This issue has been fixed.

PD-12068

GEO: In previous releases, with cluster checking set to 'Remote LM', clusters may not appear on the partner device, or may have invalid entries. This issue has been fixed.


New Known Issues

The following known issues appear in these Release Notes for the first time.

PD-13432

Metered Licensing: When a metered license obtained from Kemp 360 Central expires, you cannot re-license the LoadMaster with the same license type.

PD-12668

ActiveSync Virtual Services: Connectivity Issues with ActiveSync Virtual Services may be observed at high traffic volumes.


Existing Known Issues

The following known issues appeared in the Release Notes for the previous release.

PD-12838

ESP / SSO: The ESP Permitted Group SID(s) setting is not working as expected when configured on a SubVS.

PD-12653

Networking: A Hyper-V VLM won't boot when a 4th NIC is added.

PD-12616

WAF / Compression: With Web Application Firewall (WAF) enabled, compressed files are incorrectly decompressed. As a workaround, ensure compression is enabled in VS Advanced Properties by selecting the Enable Compression option.

PD-12492

Downgrade: If an Azure VLM is downgraded to the LTS firmware release (7.1.35.x), the WUI may display in the top right-hand corner that the VLM is a Hyper-V VLM. This indicates that the Azure VLM Add-On Package must be added to the system to provide full Azure VLM functionality. If this occurs, please contact Kemp Support to get the required add-on package.

PD-12354

Hardware Support: The LoadMasters LM-X25 and LM-X40 do not support the following SFP+ modules in this release: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000BASE-LX 1310nm, 10KM over SMF).

PD-12237

HA / NTP: Configuring NTP on LoadMasters in an HA configuration causes them to go into Master-Master mode.

PD-12147

ESP / RADIUS: In a LoadMaster configuration with ESP and RADIUS server-side authentication enabled, sessions may fail to be established.

PD-12058

Browser Support: An issue exists when connecting to the LoadMaster WUI when using newer versions of the Firefox browser on initial configuration of a hardware FIPS LoadMaster.

PD-11861

RADIUS / IPv6: IPv6 is not supported by the current RADIUS implementation in the LoadMaster for both WUI Authorization and ESP Authentication.

PD-11166

Networking: Azure LoadMasters are not translating the additional network address between the Master and Slave correctly.

PD-11044

SharePoint Virtual Services: A second authentication prompt is presented when a file is uploaded to SharePoint with the following configuration: WAF is configured with Process Responses enabled on the main Virtual Service and KCD is enabled on the SubVS level for server-side authentication.

PD-11024

WUI: The WUI is not accessible on NIC-1 from a non-local subnet.

PD-10917

HA: An issue exists when setting up a 2-armed HA Virtual LoadMaster in Azure.

PD-10784

HA: Configuring LoadMaster HA using eth1 on an Amazon Web Services (AWS) Virtual LoadMaster does not work.

PD-10586

GEO: If a GEO FQDN is configured with All Available as the Selection Criteria, IP addresses are returned even if the cluster is disabled.

PD-10490

Content Rules: The vsremovewafrule RESTful API command does not allow multiple rules to be removed.

PD-10474

WAF: A SNORT rule is triggering a false positive in certain scenarios.

PD-10466

Hardware Support: The LoadMaster LM-X15 does not support the following SFP+ modules in this release: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000BASE-LX 1310nm, 10KM over SMF).

PD-10193

Exchange 2010 Virtual Services: A WAF, ESP, and KCD configuration with Microsoft Exchange 2010 is not supported.

PD-10188

Browser Support: (Safari) When adding a Real Server to a Virtual Service or SubVS using the Safari browser, the list of available Real Servers is not available.

PD-10159

Statistics: When upgrading firmware from version 7.1.35.n, CPU and network usage graphs are not appearing. As a workaround, reset the statistics in the WUI.

PD-10136

Clustering: In a LoadMaster cluster configuration, a new node can be added with the same IP address as an existing node.

PD-10129

Virtual Services: There is a discrepancy in validation between global-level connection timeout and Virtual Service-level timeout.

PD-9854
PD-13385

WAF: When WAF is enabled, any requests received that have chunked transfer encoding enabled (e.g., POSTs) are not processed properly and are not forwarded to a real server.

PD-9816

WAF: There is an API command to list individual rules in a ruleset, but there is no command to list the available rulesets themselves.

PD-9765

GEO: DNS TCP requests from unknown sources are not supported.

PD-9507

Networking: Unable to add an SDN controller using the RESTful API/WUI in a specific scenario.

PD-9476

WAF: There is no RESTful API command to get/list the installed custom rule data files.

PD-9375

SharePoint Virtual Services: Microsoft Office files in SharePoint do not work in Firefox and Chrome when using SAML authentication.

PD-8853

GEO: Location Based failover does not work as expected.

PD-8725

GEO: Proximity and Location Based scheduling do not work with IPv6 source addresses.
