Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

LoadMaster 7.2.49.1 Release Notes

LMOS Version 7.2.49.1 is a feature and bug-fix release made available in March 2020. Please read the sections below before installing or upgrading.

Contents

Supported Models for Upgrade
Upgrade Path
New Features
   Digital Verification of Upgrade Patches and Add-On Packages
   CAPTCHA V2 for Forms Based Authentication
   SNMP: Real Server Statistics Values
   Content Rules Enhancement: Flag Negation Logic for Conditional Rule Execution
   WAF Support for Chunked Transfer Encoded POST/PUT Requests
   High Availability Broadcast Support
Change Notices
   Reduced Frequency of License Expiry Notifications
   IPv6 Address Handling Enhancements
   UI Safe Edit Mode (Beta)
   Call Home Transitions to Kemp Analytics
   Relicensing SPLA LoadMasters
Issues Resolved
New Known Issues
Existing Known Issues

Supported Models for Upgrade

This release of LMOS is supported on the Hardware and Virtual platforms specific in the first three columns of the table below. It is not supported and should not be installed on any of the hardware and software listed in the two columns at right.

Please note that the same update patch can be applied to any supported model regardless of:

  • licensing (e.g., SPLA, MELA)
  • platform (e.g., hardware, local cloud, public cloud)
Supported
Virtual
Models
Supported
Hardware
Models
Supported Bare Metal Models UNSUPPORTED
Hardware

Models
UNSUPPORTED
Virtual

Models
VLM-200
VLM-500
VLM-2000
VLM-3000
VLM-5000
VLM-10G
VLM-GEO
VLM-MAX
LM-X1
LM-X3
LM-X15
LM-X25
LM-X40
LM-2400
LM-3000
LM-3400

LM-4000
LM-5000
LM-5400
LM-5600
LM-8000
LM-8020
LM-8020M

LMB-1G
LMB-2G
LMB-5G
LMB-10G
LMB-MAX
LM-2000
LM-2200
LM-2500
LM-2600
LM-3500
LM-3600
LM-5300
LM-5500

LM-Exchange
LM-GEO
VLM-100
VLM-1000

If your model number is not listed above, please see the list of End of Life models.

Upgrade Path

You can upgrade to this release of LMOS from any previous 7.2.x release. For full upgrade path information, please see the article Kemp LoadMaster Firmware Upgrade Path.

New Features

Digital Verification of Upgrade Patches and Add-On Packages

In previous releases, LoadMaster validated the checksum and package format of all update patches and add-ons before allowing these to be installed on the system. The digital signatures associated with a patch or add-on could also be validated manually by the customer on a system other than LoadMaster.

With this release, the LoadMaster user interface and API have been enhanced to also support the verification of the digital signatures used to secure LMOS upgrade patches and add-on packages, in addition to the mandatory checksum and format checks performed in previous releases.

This feature is enabled by default and adds new controls to the the System Configuration > System Administration > Update Software page. There, you’ll see a new Verification File control in both the Update LoadMaster Software and the Install New Addon Package sections of the page.

Using these controls, you can upload the XML signature file provided by Kemp and it will be used to verify the digital signatures on the update or add-on images. The system will refuse to continue the update process if the signature verification check fails. If you don't upload a verification file, then no signature verification will be performed (as in previous releases).

If you want to completely disable this feature (which is not recommended), open the System Administration > WUI Settings page and turn off the Display Verify Update Option check box.

CAPTCHA V2 for Forms Based Authentication

Access to ESP-enabled Virtual Services behind LoadMaster that use Forms Based Authentication can now include a CAPTCHA challenge-response test as part of the form workflow. CAPTCHA-based authentication is essentially designed to ensure that entities accessing web services are not automated programs, such as bots, and are also typically employed to combat Denial-of-Service (DoS) cyberattacks. LoadMaster uses reCAPTCHA Version 2 to provide CAPTCHA services.

SNMP: Real Server Statistics Values

The following real server performance values (already available in the UI) are now available via SNMP, for both Round Trip Time (RTT) and First Request/Response Time. All times are in milliseconds (ms):

Statistic Description
Current Average The average of all values observed over the last 5 seconds (or since the last statistics reset).
Current Max The maximum value observed over the last 5 seconds (or since the last statistics reset).

Current Min

The minimum value observed over the last 5 seconds (or since the last statistics reset).
Long Term Avg The average of all values observed since the Virtual Service started handling traffic (or since the last statistics reset).
Long Term Max The maximum value observed since the Virtual Service started handling traffic (or since the last statistics reset).
Long Term Min The minimum value observed since the Virtual Service started handling traffic (or since the last statistics reset).

You can download  the revised LoadMaster MIBs that include these new statistics from this Kemp website page by clicking Tools > General > LoadMaster SNMP MIBs.

Content Rules Enhancement: Flag Negation Logic for Conditional Rule Execution

In conditional execution of content rules, multiple content rules are assigned to a Virtual Service and are executed in order; flags set by earlier rules can be used to determine whether or not later rules should be executed. In previous releases, you could only test whether a previous rule set (or enabled) a particular flag. With this release, you can now also test whether a previously executed rule did not set a particular flag. This allows for more complex logical decisions when constructing a chain of rules.

WAF Support for Chunked Transfer Encoded POST/PUT Requests

The ESP Web Application Firewall (WAF) now supports processing of chunked transfer encoded HTTP POST and PUT requests – that is, any such request that contains a Transfer-Encoding: chunked header. In previous releases, these were blocked by the WAF engine and the requests were dropped. Now, these requests are properly processed.

High Availability Broadcast Support

In past releases, LoadMaster High Availability (HA) status information was communicated between HA partners over a multicast IP address (224.0.0.x); there was no other option. With this release, a new HA parameter (Use Broadcast IP address) can be optionally set to use the broadcast IP address 255.255.255.255 instead of a multicast address. This allows HA configurations to be established on networks where the use of multicast IP addressing is specifically disabled.

Change Notices

Reduced Frequency of License Expiry Notifications

In earlier releases, critical license expiry notifications (email and UI alerts) were generated by LoadMaster every day starting 90 days prior to the license expiry date. Starting with this release, license expiry notifications are sent out on the schedule below at the indicated severity levels. As in previous releases, notifications stop immediately after a license update.

Days Prior to License Expiry Notification
Severity Level
90 Informational
60 Informational
30 Informational
21 Warning
14 Warning
13 Critical
Previous message repeats daily until the license expires.

IPv6 Address Handling Enhancements

IPv6 Neighbor Discovery has been enhanced to provide additional processing of related message formats (Router and Neighbor Solicitations, Router and Neighbor Advertisements). These improvements, while largely invisible to the regular daily activities of a LoadMaster administrator, improve LoadMaster’s ability to participate in Neighbor Discovery on an IPv6 network as an IPv6 host.

UI Safe Edit Mode (Beta)

A new user interface option allows the administrator to modify how pending (uncommitted) changes in the user interface are processed. A check box, Enable Auto-Save, has been added to the System Configuration > Miscellaneous Options > WUI Settings page. By default, this option is turned on, which enables the following existing LoadMaster UI behavior from previous releases:

  • Changes to parameters in drop-down boxes are immediate.
  • There is no warning given to the user when navigating away with a pending change (such as a text box whose content has been changed, but the associated button has not been clicked to commit the change).
  • There is no visual indicator for a pending change.

By turning the Enable Auto-Save check box off, a new Safe Edit mode is enabled, which modifies the above behavior as follows:

  • All drop-down boxes now have an associated button that the user must click to commit the value chosen in the drop-down to the configuration.
  • The user is warned when attempting to navigate away from a page with pending changes. The user can choose to remain on the page, or to ignore pending changes and navigate away from the current page (which loses all information currently entered but not committed).
  • A pending change is indicated by highlighting the change on the page.

Call Home Transitions to Kemp Analytics

The legacy ‘Call Home’ functionality has been expanded in this release to support Kemp Analytics. When you enable Kemp Analytics, the product sends periodic samples of how you are interacting with the user interface. This data is strictly about product usage, enabled capabilities, and statistics. No sensitive user data, or traffic of any kind is either collected or communicated.

Over time, Kemp Analytics will give Kemp the opportunity to help you get the most out of LoadMaster by enabling us to provide additional context and documentation in the UI for the workflows that you use the most, and to help you learn more about Kemp product features and capabilities.

If you previously enabled the legacy ‘Call Home’ functionality, Kemp Analytics will also be enabled on upgrade to this release. If you previously disabled ‘Call Home’, the system will prompt the ‘bal’ user on first login to enable Kemp Analytics.

You can change this setting at any time using the Enable Kemp Analytics check box located on the Certificates & Security > Remote Access page in the UI.

Relicensing SPLA LoadMasters

The SPLA license for a LoadMaster can now be updated without requiring a re-deployment of the LoadMaster. Starting with this release, you can now kill the current license and the LoadMaster will remain active so that you can request a new SPLA license from the KEMP licensing server. The configuration will remain intact through this process. (Regardless of this, it remains best practice to create a backup before performing the license kill operation.)

Issues Resolved

The following issues have been resolved in this release.

PD-14488

WAF: Fixed an issue that caused high memory usage on WAF-enabled VSs when parsing JSON objects.

PD-14426

Content Rules: Content rule names can now use a numeric character as the first character in the name.

PD-14353

UI: Statistics displays have been modified to use the correct abbreviations for bit and byte statistics (e.g., Mb for Megabits and MB for Megabytes).

PD-14258

SSO: An issue was introduced in LMOS 7.2.48.1 that caused the login form to be redisplayed even though correct credentials had been given, under specific circumstances. This issue has been fixed.

PD-14115

UDP Virtual Services: Starting with LMOS 7.2.48, if a UDP VS has an additional address it's possible to see packets for one connection coming back from the wrong IP address. This issue has been fixed, so that a UDP VS can have additional addresses and maintain the proper mapping for the additional address.

PD-14100
PD-14050

Exchange 2016 Outlook Web Access and Authentication Proxy Virtual Services: Starting with LMOS 7.2.48, clients can be logged out immediately after supplying correct credentials. This issue has been fixed.

PD-14051

SSO: Fixed an issue where some text appears in English on the French and Portuguese SSO image sets.

PD-14040

UDP Virtual Services for DNS: An issue was introduced in LMOS version 7.2.48.0 that causes a Virtual Service for UDP traffic to not work properly under load. LoadMaster would forward the request to the Real Server, but would not return the server response in a timely manner. This issue has been addressed, and LoadMaster now handles UDP DNS traffic at high loads without interruptions.

PD-14039

LDAP Remote User Groups: Starting with LMOS 7.2.48.0, a user could under certain circumstances be granted the permissions specified for a group to which they didn’t belong. This issue has been fixed.

PD-14022

Wildcard Virtual Services: In LMOS 7.2.48, the LoadMaster reboots if a Virtual Service with a wildcard (*) starts receiving client traffic. This issue has been fixed.

PD-14019

Offline Licensing & Upgrade: After upgrading from version 7.2.47.0 to 7.2.48.0, the ability to perform offline licensing was no longer available. This issue has been fixed.

PD-13981

GEO: Fixed an issue that caused spurious log messages to be recorded while modifying the GEO configuration.

PD-13948

SPLA to MELA Conversion: After converting a SPLA-licensed LoadMaster to a MELA license, the LoadMaster serial number may be displayed incorrectly. This issue has been fixed.

PD-13908

SPLA to MELA Conversion: After converting a SPLA-licensed LoadMaster HA pair to MELA licenses, the LoadMasters were removed from HA pair mode and the slave didn't come up. This issue has been fixed.

PD-13906

SSO: Password Reset Notification capable form sets are now available in French and Portuguese from the Kemp website.

PD-13904

SSO: Previously, a user that receives a password expiry warning cannot log in if Forms Based Authentication is set for both Client and Server authentication mode. This issue has been fixed.

PD-13901

GEO: DNS responses for a query that contains an FQDN defined on LoadMaster may contain records for a Zone Name that is defined on LoadMaster, but to which the FQDN doesn’t belong. This issue has been fixed.

PD-13904

SSO: Password expiry notifications do not currently work with Forms Based Authentication (FBA) enabled on the server side. This issue has been fixed.

PD-13873

10 Gb Interfaces (AWS only): Issues with not displaying link status and speed have been addressed. Interface graphs for 10 Gb interfaces on the statistics page have been modified to scale properly as the traffic level changes.

PD-13385
PD-9854

WAF: With WAF enabled on a Virtual Service, HTTP PUT & POST commands that use chunked transfer encoding are dropped. This issue has been fixed.

PD-13756

LDAP Health Checks: Fixed an issue that occurred in LMOS 7.2.48 where LDAP health checks can fail because they are checking the wrong LDAP endpoint.

PD-13642

LDAP Health Checks: Fixed an issue that occurred in LMOS 7.2.47 where health checks of an LDAP  endpoint configured for STARTTLS consistently fail.

PD-13529

IRQ Pinning (VMs only): In previous releases, enabling IRQ pinning did not persist across reboots; toggling the control in the UI made it work again. This issue has been addressed and IRQ pinning now persists across reboots.

PD-13414

SAML Authentication: After successful authentication, clients may be sent to a site against which they have not been authenticated, causing intermittent client errors that may require a restart of the browser. This issue has been fixed.

PD-12653

Networking: Fixed and issue that caused a Hyper-V VLM to fail to boot after a 4th NIC is added.

PD-8853

GEO: Location Based failover does not work as expected. This issue has been fixed.

 

PD-8725

GEO: Proximity and Location Based scheduling do not work with IPv6 source addresses. This issue has been fixed.

 

 

New Known Issues

The following issues appeared for the first time in this release of LMOS.

PD-14256

SNMP: The VS and RS IN/OUT OIDs are not displaying any data.

PD-14302

GEO: GEO is returning NXDOMAIN in a specific scenario, when it should return NOERROR.

 

Existing Known Issues

The following issues appeared in the Release Notes for the previous release of LMOS.

PD-12838

ESP / SSO: The ESP Permitted Group SID(s) setting is not working as expected when configured on a subVS.

PD-12616

WAF / Compression: With Web Application Firewall (WAF) enabled, compressed files are incorrectly decompressed. As a workaround, ensure compression is enabled in VS Advanced Properties by selecting the Enable Compression option.

PD-12492

Downgrade: If an Azure VLM is downgraded to the LTS firmware release (7.1.35.x), the WUI may display in the top right-hand corner that the VLM is a Hyper-V VLM. This indicates that the Azure VLM Add-On Package must be added to the system to provide full Azure VLM functionality. If this occurs, please contact Kemp Support to get the required add-on package.

PD-12354
PD-10466

Hardware Support: The LoadMaster models LM-X15, LM-X25, and LM-X40 do not support the following SFP+ modules: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000BASE-LX 1310nm, 10KM over SMF).

PD-12237

HA / NTP: Configuring NTP for the first time after the system is running in High Availability (HA) mode and when the current time on the machines is not correct, may cause the systems to both go into the Master state.

PD-12147

ESP / RADIUS: In a LoadMaster configuration with ESP and Radius server-side authentication enabled, sessions may fail to be established.

PD-12058

Browser Support: An issue exists when connecting to the LoadMaster WUI when using newer versions of the Firefox browser on initial configuration of a hardware FIPS LoadMaster.

PD-11861

RADIUS / IPv6: IPv6 is not supported by the current RADIUS implementation in the LoadMaster for both WUI Authorization and ESP Authentication.

PD-11166

Networking: Azure LoadMasters are not translating the additional network address between the Master and Slave correctly.

PD-11044

Sharepoint Virtual Services: A second authentication prompt is presented when a file is uploaded to SharePoint with the following configuration: WAF is configured with Process Responses enabled on the main Virtual Service and KCD is enabled on the SubVS level for server-side authentication.

PD-10917

HA: An issue exists when setting up a 2-armed HA Virtual LoadMaster in Azure.

PD-10784

HA: Configuring LoadMaster HA using eth1 on an Amazon Web Services (AWS) Virtual LoadMaster does not work.

PD-10586

GEO: If a GEO FQDN is configured with All Available as the Selection Criteria, IP addresses are returned even if the cluster is disabled.

PD-10490

Content Rules: The vsremovewafrule RESTful API command does not allow multiple rules to be removed.

PD-10474

Intrusion Detection: A SNORT rule is triggering a false positive in certain scenarios.

PD-10193

Exchange 2010 Virtual Services: A WAF, ESP, and KCD configuration with Microsoft Exchange 2010 is not supported.

PD-10188

Browser Support: (Safari) When adding a Real Server to a Virtual Service or SubVS using the Safari browser, the list of available Real Servers is not available.

PD-10159

Statistics: When upgrading firmware from version 7.1.35.n, CPU and network usage graphs are not appearing. As a workaround, reset the statistics in the WUI.

PD-10136

Clustering: In a LoadMaster cluster configuration, a new node can be added with the same IP address as an existing node.

PD-9816
PD-9476

WAF: There is an API command to list individual rules in a ruleset, but there is no command to list the available rulesets themselves.

PD-9765

GEO: DNS TCP requests from unknown sources are not supported.

PD-9507

Networking: Unable to add an SDN controller using the RESTful API/WUI in a specific scenario.

PD-9375

Sharepoint Virtual Services: Microsoft Office files in SharePoint do not work in Firefox and Chrome when using SAML authentication.


Comments