LoadMaster 7.2.48.0 Release Notes

LM-X3
LM-X15
LM-X25
LM-X40
LM-2400
LM-3000
LM-3400
LM-4000
LM-5000
LM-5400
LM-5600
LM-8000
LM-8020
LM-8020M
Bare Metal

VLM-200
VLM-2000
VLM-3000
VLM-5000
VLM-10G
VLM-GEO

LM-2000
LM-2200
LM-2500
LM-2600
LM-3500
LM-3600
LM-5300
LM-5500
LM-Exchange
LM-GEO

VLM-100
VLM-1000

PD-13828

IPv6: Under certain circumstances, specifying a Real Server using an FQDN (rather than a hostname or IP address) can result in the FQDN resolving to an invalid IPv6 address. This issue has been fixed.

PD-13816

GEO: In previous releases, the DNS server returns NXDOMAIN or NODATA when there are disabled IPv4 or IPv6 records (i.e., sites) present in the configuration. The DNS server behavior has been modified so that it returns NOERROR in these cases.

PD-13808

Licensing API: For consistency, the aslactivate() and alsilicense() routines will now accept either licensetypeid or lic_type_id as the parameter specifying the license type.

PD-13802

SPLA Licensing: Fixed an issue that could cause several spurious virtual services to appear after a fresh install.

PD-13794

Memory Consumption on Upgrade to 7.2.47: Upgrading a LoadMaster with over 4GB of memory to version 7.2.47 (only), could result in a significant increase in system memory usage on large configurations (many unique Real Server IP/port combinations). This issue has been fixed.

PD-13785

User Interface: Fixed an issue that caused spurious text to appear at the bottom of the Certificates & Security > Remote Access UI when the Admin Login Method was modified.

PD-13780

HTTP/2: An issue that caused embedded videos to fail to load properly via HTTP/2 virtual services has been fixed.

PD-13776

User Interface LDAP Login: Fixed an issue where access is denied by some LDAP servers when specifying permitted groups.

PD-13752

User Interface: Modified the UI so that the date/time format on the Home page and the Update License page are the same.

PD-13750

WAF API: Fixed an issue with the maninstallwafrules() API returning ‘Unknown Command’ when the API was executed successfully.

PD-13749

Security / SSH: Support for the weak MAC algorithm hmac-sha1 has been removed with this release. This may result is some older versions of SSH no longer working with LoadMaster.

PD-13739

User Interface Security: Fixed an issue where LoadMaster was re-generating the default UI certificates after a reboot.

PD-13727

WAF Rules / User Interface Resiliency: In LMOS version 7.2.47, if the download and installation of WAF rules fails on LoadMaster due to corruption, this failure could contribute to the exhaustion of available temporary storage, which would cause the UI to become unavailable. This issue has been fixed.

PD-13720

HTTP/2: Fixed an issue that, when HTTP/2 is enabled on a SubVS, caused only the HTTP/2 response code and not the associated error message text to be returned to the client.

PD-13712

UI Cipher Sets: Modified the UI so that Cipher Set can be named using both plus (+) and minus (-) characters.

PD-13672

Application Template Import: Fixed an issue where you could not import a template containing SubVSs with Basic Authentication enabled on the Client side.

PD-13669

License Expiration: Fixed an issue where LoadMaster services were not being disabled after the system license and applicable grace period had expired.

PD-13668

UI Client Certificate Authentication: Changes were made in 7.2.46 that caused client certificate authentication for the UI to fail. This issue has been fixed.

PD-13664

VMware Tools & VM Workstation: Fixed an issue with the VMWare Tools Add-on that caused an error to be displayed when deploying a LoadMaster in VM Workstation.

PD-13632

Secure Flag in Cookies: In previous releases, the Secure flag in HTTP cookies is only set if the user adds a specific content rule to set it. With this release, the Secure flag is always set when Active Cookie persistence is selected for an HTTPS virtual service.

PD-13583

FIPS Ciphers: Fixed the list of FIPS ciphers in the UI so that it is correct.

PD-13561

Health Checking: When using a POST HTTP health check, the POST data is being sent as URL-encoded text instead of being sent as raw data. This issue has been fixed.

PD-13551

Single Sign On (SSO): On LMOS 7.2.47.1 only, when a virtual service configuration uses NTLM + KCD for user authentication, the connection will close and force the user to re-authenticate. The LoadMaster will also log segfault errors. This issue has been fixed.

PD-13540

VLANs on Bonded Interfaces: In previous releases, when adding or deleting VLANs on a bonded interface, connectivity on that VLAN will be lost during the operation. With this release, you can add and delete VLANs to a bonded interface without losing connectivity on the VLAN.

PD-13515

Sorry Server: Adding a ‘sorry server’ to an HTTPS straight through virtual service does not work. This issue has been fixed.

PD-13511

GEO: Modified how the view configuration file is generated to prevent intermittent response issues seen while using GEO with a Zone Name specified.

PD-13507

SAML: Fixed an issue where the Subject Name Identifier in the SAML response was not being handled properly, resulting in errors.

PD-13500

SSO: A colon character (:) can now be included in the Allowed Virtual Hosts value via the API and in the UI under a virtual service’s ESP Options.

PD-13498

HTTP/2: In previous releases, an SSL accelerated virtual service would not work properly after changing the service type from HTTP-HTTP/2-HTTPS to HTTP/2 Pass-through. This issue has been fixed.

PD-13496

Powershell API: A new cmdlet, Get-SSODomainQuerySession, is provided to fetch SSO domain sessions.

PD-13432

MELA Licensing: In previous releases, when a MELA license obtained from Kemp 360 Central expires, you cannot re-license the Loadmaster with the same license type. With this release, this restriction has been removed.

PD-13431

Licensing: In previous releases, it was possible to license a Free LoadMaster via offline licensing and disable call home. This has been changed so that a Free LoadMaster can only be licensed online. In addition, call home is enabled by default and cannot be disabled.

PD-13401

Memory Exhaustion: In previous releases, in a LoadMaster with a RAM size of 8GB or less it was possible that the system would run out of memory if there were a large number of long lived SSL connections. With this release measures have been implemented to prevent the system from running out of memory. 

PD-13400

SSO: In previous releases, when Failed Login Attempts is set to ‘1’, a user will not get blocked until after 2 failed login attempts. This issue has been fixed.

PD-13376

MELA Licensing: In previous releases, a LoadMaster deployed in Azure did not send its public IP to Kemp 360 Central during licensing, and so Kemp 360 Central could not communicate with it. This issue has been fixed.

PD-13276

Statistics: Fixed issues observed on some platforms where the UI and/or API were reporting differing, incorrect, or invalid values.

PD-13126

GEO: In previous releases, the DNS server returns NXDOMAIN for a query on the second level of a child domain. With this release, the NOERROR status is returned for a DNS query sent on any level of a child domain.

PD-13065

Interface Bonding: (LoadMaster X15 only) Issues seen when bonding interfaces between certain Cisco switches have been fixed.

PD-13053

SSO: In previous releases, clicking the ‘Kill All’ button when viewing the open sessions for one SSO domain also kills all open sessions in all other SSO domains. With this release, only the open sessions associated with the domain being displayed are killed.

PD-13045

SAML: In previous releases, if there are many SAML based sessions open when trying to view open sessions, the WUI does not display the sessions and instead a segmentation fault appears in the logs. This issue has been fixed.

PD-12962

Virtual Service Names: In previous releases, it was possible to begin the name of a virtual service with a number or a special character. This is no longer permitted.

PD-12767

SSO: API (and UI) response times for retrieving/displaying a large number of SSO open sessions has been improved so that most queries complete in under 1 second.

PD-12668

ActiveSync Virtual Services: Connectivity Issues with ActiveSync Virtual Services may be observed at high traffic volumes. Previously, under high load and thousands of SSO sessions, the LM memory utilization would grow until it ran out of memory.
Now, there may be thousands of SSO sessions and the LM memory will remain steady.

PD-12384

KCD Server Authentication: Modified ticket handling to improve response times.

PD-12068

Clustering & Memory Management: Addressed issues causing shared memory corruption when the cluster type is Remote LM and the configuration contains a large number of virtual services.

PD-11737

SAML & KCD: In previous releases, SAML + KCD configurations were reported to experience high CPU usage and slow response times, causing interruptions in client traffic. Improvements to KCD authentication have been made to lower CPU utilization and provide faster response times.

PD-12838

ESP / SSO: The ESP Permitted Group SID(s) setting is not working as expected when configured on a on a subVS.

PD-12653

Networking: A Hyper-V VLM won't boot when a 4th NIC is added.

PD-12616

WAF / Compression: With Web Application Firewall (WAF) enabled, compressed files are incorrectly decompressed. As a workaround, ensure compression is enabled in VS Advanced Properties by selecting the Enable Compression option.

PD-12492

Downgrade: If an Azure VLM is downgraded to the LTS firmware release (7.1.35.x), the WUI may display in the top right-hand corner that the VLM is a Hyper-V VLM. This indicates that the Azure VLM Add-On Package must be added to the system to provide full Azure VLM functionality. If this occurs, please contact Kemp Support to get the required add-on package.

PD-12354

Hardware Support: The LoadMasters LM-X25 and LM-X40 do not support the following SFP+ modules in this release: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000BASE-LX 1310nm, 10KM over SMF).

PD-12237

HA / NTP: Configuring NTP for the first time after the system is running in High Availability (HA) mode and when the current time on the machines is not correct, may cause the systems to both go into the Master state.

PD-12147

ESP / RADIUS: In a LoadMaster configuration with ESP and Radius server-side authentication enabled, sessions may fail to be established.

PD-12058

Browser Support: An issue exists when connecting to the LoadMaster WUI when using newer versions of the Firefox browser on initial configuration of a hardware FIPS LoadMaster.

PD-11861

RADIUS / IPv6: IPv6 is not supported by the current RADIUS implementation in the LoadMaster for both WUI Authorization and ESP Authentication.

PD-11166

Networking: Azure LoadMasters are not translating the additional network address between the Master and Slave correctly.

PD-11044

Sharepoint Virtual Services: A second authentication prompt is presented when a file is uploaded to SharePoint with the following configuration: WAF is configured with Process Responses enabled on the main Virtual Service and KCD is enabled on the SubVS level for server-side authentication.

PD-10917

HA: An issue exists when setting up a 2-armed HA Virtual LoadMaster in Azure.

PD-10784

HA: Configuring LoadMaster HA using eth1 on an Amazon Web Services (AWS) Virtual LoadMaster does not work.

PD-10586

GEO: If a GEO FQDN is configured with All Available as the Selection Criteria, IP addresses are returned even if the cluster is disabled.

PD-10490

Content Rules: The vsremovewafrule RESTful API command does not allow multiple rules to be removed.

PD-10474

Intrusion Detection: A SNORT rule is triggering a false positive in certain scenarios.

PD-10466

Hardware Support: The LoadMaster LM-X15 does not support the following SFP+ modules in this release: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000Base-LX 1310nm, 10KM over SMF).

PD-10193

Exchange 2010 Virtual Services: A WAF, ESP, and KCD configuration with Microsoft Exchange 2010 is not supported.

PD-10188

Browser Support: (Safari) When adding a Real Server to a Virtual Service or SubVS using the Safari browser, the list of available Real Servers is not available.

PD-10159

Statistics: When upgrading firmware from version 7.1.35.n, CPU and network usage graphs are not appearing. As a workaround, reset the statistics in the WUI.

PD-10136

Clustering: In a LoadMaster cluster configuration, a new node can be added with the same IP address as an existing node.

PD-10129

Virtual Services: There is a discrepancy in validation between global-level connection timeout and Virtual Service-level timeout.

PD-9854
PD-13385

WAF: When WAF is enabled, any requests received that have chunked transfer encoding enabled (e.g., POSTs) are not processed properly and are not forwarded to a real server.

PD-9816

WAF: There is an API command to list individual rules in a ruleset, but there is no command to list the available rulesets themselves.

PD-9765

GEO: DNS TCP requests from unknown sources are not supported.

PD-9507

Networking: Unable to add an SDN controller using the RESTful API/WUI in a specific scenario.

PD-9476

WAF: There is no RESTful API command to get/list the installed custom rule data files.

PD-9375

Sharepoint Virtual Services: Microsoft Office files in SharePoint do not work in Firefox and Chrome when using SAML authentication.

PD-8853

GEO: Location Based failover does not work as expected.

PD-8725

GEO: Proximity and Location Based scheduling do not work with IPv6 source addresses.