LoadMaster 7.2.53.0 Release Notes (Early Access)

LMOS Version 7.2.53.0.19826 is an Early Access feature and bug-fix release made available in December 2020. This EA release is being made available for customers who want to try out the new functionality and fixes in advance of the GA release. The GA release of 7.2.53.0 will be made available in the coming few weeks. Please read the sections below before installing or upgrading to this EA release.

Previous 7.2.53.0 Early Access Version

A previous early access image, 7.2.53.0.19719, was made available earlier in December 2020. The only substantial addition to this latest Early Access version is Let's Encrypt Support.

Contents

Before You Upgrade (READ ME FIRST)
Supported Models for Upgrade
Upgrade Path
Upgrade Patch XML File Verification Notes
Downgrading to Earlier Versions
New Features
Let's Encrypt Support
Bandwidth Rate Limiting & QoS
StoreFront Pre-Authentication (ESP) for Citrix Workspace/Receiver
Kubernetes Ingress Controller
Increase strength of DHE key exchange keys for SSL/TLS to 4096
HA: Interface Reboot Feature
GEO: Additional Record Types Supported
Change Notices
Enhanced ESP Client Session Logging
Changes Affecting Long-Lived UDP Connections
LoadMaster Change of Ownership - Improve existing workflow
Content Rules and 512-byte Response Limit
Cavium III SSL Accelerator Performance Switch
IRQ Pinning Default for LoadMaster MT VNFs
Certificate Signing Request (CSR) Generation Permissions
LoadMaster Licensing FQDN Change
GEO: Option to Prevent a Disabled GEO Cluster from Responding
Security Updates
Elliptic Curve CA Certificate Regenerated
OpenSSH Update
Updated Certificate PIV Support (Smartcard) for SSO & WUI
X.509 Certificate Format Updated
LDAPS and Syslog Server Certificate Validation
Issues Resolved
New Known Issues
Existing Known Issues

Before You Upgrade (READ ME FIRST)

Please pay special attention to the issues below before you begin an upgrade to this LMOS release.

Generation of 4096-bit DHE Key

As with any update, an upgrade to this release should be done during a maintenance interval; and this is particularly true of LMOS 7.2.53.0 because of the update described in the section Increase strength of DHE key exchange keys for SSL/TLS to 4096:

During upgrade from a version prior to 7.2.53.0, a new 4096-bit DHE key is generated. On smaller LoadMasters, this can lead to significant CPU and memory consumption that could impact regular virtual service traffic. So, Kemp strongly recommends that this update be performed in a maintenance interval. 

Best Practices Cipher Set

In LMOS 7.2.52.0, the BestPractices cipher set was updated. If you are upgrading from a version prior to 7.2.52.0, this change is effective immediately after upgrade to this release. This change was made to improve LoadMaster security and conform to the latest industry best practices.

If you depend on any of the cipher suites being removed from the BestPractices set, then before you upgrade you must create a custom cipher set that contains these ciphers and assign it to the Virtual Services currently using the BestPractices cipher set. After this is done, you can upgrade to this release and your services will continue to use the old ciphers. If you do not, then after the upgrade any clients that depend on these ciphers will no longer be able to connect.

It is recommended, however, that you migrate your services as soon as possible to use the new BestPractices cipher set. For more information on the cipher suites removed from the set, please see the LMOS 7.2.52.0 Release Notes.

Supported Models for Upgrade

This release of LMOS is supported on the virtual, hardware, and bare metal models listed as supported below. It is not supported and should not be installed on any model listed as unsupported. This update patch can be applied to any supported model regardless of licensing (e.g., SPLA, MELA) or platform (e.g., hardware, local cloud, public cloud).

Supported Virtual Models: VLM-200, VLM-500, VLM-2000, VLM-3000, VLM-5000, VLM-10G, VLM-GEO, VLM-MAX

Supported Hardware Models: LM-X1, LM-X3, LM-X15, LM-X25, LM-X40, LM-2400, LM-3000, LM-3400, LM-4000, LM-5000, LM-5400, LM-5600, LM-8000, LM-8020, LM-8020M, LM-R320

Supported Bare Metal Models: LMB-1G, LMB-2G, LMB-5G, LMB-10G, LMB-MAX

UNSUPPORTED Hardware Models: LM-2000, LM-2200, LM-2500, LM-2600, LM-3500, LM-3600, LM-5300, LM-5500, LM-Exchange, LM-GEO

UNSUPPORTED Virtual Models: VLM-100, VLM-1000

If your model number is not listed above, please see the list of End of Life models.

Upgrade Path

You can upgrade to this release of LMOS from any previous 7.2.x release. For full upgrade path information, please see the article Kemp LoadMaster Firmware Upgrade Path.

Upgrade Patch XML File Verification Notes

By default, verification of the digital signature on upgrade images is required in LMOS 7.2.50 and above. See the Update Verification Options setting under System Administration > Miscellaneous Options > WUI Settings. If the unit you are upgrading is set to require validation, you'll need to supply one of the two XML Verification Files supplied with this release:

  • 7.2.53.0.19826.RC.PATCH-64-MULTICORE-preV7.2.51.0.checksum.xml
    Use this file when upgrading a LoadMaster running a release prior to LMOS 7.2.51.
  • 7.2.53.0.19826.RC.PATCH-64-MULTICORE.checksum.xml
    Use this file when upgrading from LMOS 7.2.51 or repeating an upgrade to LMOS 7.2.53 (that is, LoadMaster is already running 7.2.53.0 and you want to repeat the upgrade process).

LoadMasters running an LMOS version prior to 7.2.49 do not provide the option of XML file verification in the UI or API. If you are upgrading from one of these releases to 7.2.53, you can verify the digital signatures offline using a manual process documented on the support website.

See Appendix A for a table that shows you which XML file to use for signature verification based on your current release and the release to which you want to upgrade.

Downgrading to Earlier Versions

Downgrading a LoadMaster running LMOS 7.2.53 to LMOS 7.2.51 (or a later release) can be performed using any desired Update Verification Options setting.

Downgrading to LMOS 7.2.50 or a previous release can only be done when the Update Verification Options setting is set to Optional or Legacy. When performing the downgrade, do not specify an XML file. If you want to verify the digital signature on the image before downgrading, you can do so using a manual process documented on the support website.

[Note that XML file verification is not part of the process of switching the active LoadMaster partition to the LMOS release that was running on LoadMaster before the last update.]

New Features

Let's Encrypt Support

This release adds support for obtaining, managing, and automatically renewing certificates from the Let's Encrypt Certificate Authority (CA). In the UI, navigate to the Certificates & Security > Let's Encrypt Certs page. The main capabilities are:

  • A built-in LoadMaster ACME protocol client.
  • The client supports obtaining a certificate from Let's Encrypt (LE) servers, as well as user-driven certificate renewal.
  • Users can create a new LE account via LoadMaster or use an existing account key, which may have been obtained previously using another ACME client.
  • LoadMaster automatically configures a SubVS (and content rules) to respond to the domain ownership challenge from the LE server. Note that only the HTTP-01 method of validating FQDN ownership is currently supported.
  • Certificates obtained using the LM ACME client are managed on a new UI page and assigned to Virtual Services on the existing Manage Certificates page. They can be used for:
    • VS Decryption
    • VS Re-encryption
    • Administrative Login
  • Up to 10 SANs (Subject Alternative Names) can be specified per certificate request.
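The following Python example is added to these notes to show the HTTP-01 exchange that the automatically created SubVS and content rules have to satisfy; it is illustrative code, not LoadMaster's ACME client. It implements the key authorization from RFC 8555 (the token, a dot, and the RFC 7638 thumbprint of the account key), a responder that answers only GET requests for tokens it issued under /.well-known/acme-challenge/, and the comparison the Let's Encrypt server performs when it fetches the response. The account key and token values are constructed for the example and are not real keys.

```python
"""Added example (not LoadMaster code): the HTTP-01 challenge exchange.

RFC 8555 section 8.3: the ACME server fetches
  http://<fqdn>/.well-known/acme-challenge/<token>
and expects the body to be the key authorization for that token.
"""
import base64
import hashlib
import json
import re

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 tokens use only base64url characters; anything else (e.g. "../")
# must never reach a file lookup or be reflected.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the REQUIRED members only, lexicographically
    sorted, serialised with no whitespace. Optional members such as
    'alg' or 'kid' are deliberately excluded."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint(account public key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_responder(method: str, path: str, pending_tokens: set, account_jwk: dict):
    """What the auto-created SubVS/content rule must answer.
    Returns None when the path is not a challenge path (normal VS handling
    applies), otherwise (status, body)."""
    if not path.startswith(CHALLENGE_PREFIX):
        return None
    token = path[len(CHALLENGE_PREFIX):]
    # Only answer for tokens we created for an in-flight order.
    if method != "GET" or not TOKEN_RE.match(token) or token not in pending_tokens:
        return 404, b""
    return 200, key_authorization(token, account_jwk).encode("ascii")


def validation_ok(fetched_body: bytes, token: str, account_jwk: dict) -> bool:
    """The check the ACME server performs: body equals the key authorization,
    ignoring trailing whitespace (RFC 8555 section 8.3)."""
    expected = key_authorization(token, account_jwk).encode("ascii")
    return fetched_body.rstrip(b" \t\r\n") == expected


# Constructed sample account key: the coordinates are placeholders, not a
# real P-256 point. The thumbprint computation does not validate them.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "ExampleXCoordinateNotARealPoint00000000000",
    "y": "ExampleYCoordinateNotARealPoint00000000000",
    "alg": "ES256",   # optional member, ignored by the thumbprint
}

if __name__ == "__main__":
    token = "constructedTokenFromAcmeServer-0000000000"   # constructed
    status, body = challenge_responder("GET", CHALLENGE_PREFIX + token,
                                       {token}, SAMPLE_ACCOUNT_JWK)
    print(status, body.decode())
    print("server accepts:", validation_ok(body, token, SAMPLE_ACCOUNT_JWK))
```

The validation request arrives over plain HTTP on port 80 at every address the FQDN resolves to, so the port 80 Virtual Service for that FQDN must exist and be reachable from the internet before the request is submitted. Let's Encrypt follows HTTP redirects, so an HTTP-to-HTTPS redirect on the VS is acceptable as long as the challenge path is still answered at the redirect target. Restricting the responder to tokens LoadMaster itself issued, and to the base64url character set, keeps the auto-created content rule from being usable as a file-read or reflection primitive.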

Bandwidth Rate Limiting & QoS

LoadMaster's Rate Limiting and QoS capabilities have been enhanced to support bandwidth limiting at three levels:

  • Global: across all clients accessing any VS
  • Client: for a single IP or a subnet accessing any VS
  • Virtual Service: for any client accessing a specific VS or SubVS

The global and client limits are available in the UI on the System Administration > QoS/Limiting page, at the bottom of the Global Limits accordion and at the bottom of the Client Limiting accordion (which also contain the connection- and request-based limiting delivered in LMOS 7.2.52).

Bandwidth limits can also be set at the Virtual Service (VS) and Sub-Virtual Service (SubVS) levels, using a new control at the bottom of the VS and SubVS Standard Options. Limits set at different levels take precedence as follows: a bandwidth limit set at the global level overrides one set at the Client, VS, or SubVS level, and a bandwidth limit set at the VS level overrides one set at the SubVS level.

In all cases, bandwidth limits are set in kilobits per second (Kbits/sec); the minimum setting is 16 and the maximum is 99999999.

Bandwidth limiting statistics are available in the UI on the Statistics > Real Time Statistics > Client Limits > Bandwidth page. The top 10 clients that have been dropped due to bandwidth limiting are displayed for the last 30 seconds, the last 5 minutes, and the last 30 minutes.
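To make the semantics of a Kbit/s bandwidth limit concrete, here is an added Python model (not LoadMaster code) of a token-bucket limiter with the range and precedence described above. It assumes 1 Kbit = 1000 bits, a burst allowance of one second of traffic, and that traffic over the limit is dropped rather than queued, which is consistent with the "dropped" statistics mentioned above. The client level is left out because the notes do not say how a client limit interacts with a VS limit; the packet trace at the bottom is constructed.

```python
"""Added example (not LoadMaster code): token-bucket bandwidth limiting."""

KBPS_MIN, KBPS_MAX = 16, 99_999_999          # range stated in the release notes


def validate_kbps(kbps: int) -> int:
    """Reject limits outside the configurable range before they reach a bucket."""
    if not KBPS_MIN <= kbps <= KBPS_MAX:
        raise ValueError(f"bandwidth limit must be {KBPS_MIN}..{KBPS_MAX} Kbit/s, got {kbps}")
    return kbps


def effective_limit(global_kbps=None, vs_kbps=None, subvs_kbps=None):
    """Precedence from the notes: a global limit overrides VS/SubVS limits and a
    VS limit overrides a SubVS limit. Returns None when nothing is configured."""
    for level in (global_kbps, vs_kbps, subvs_kbps):
        if level is not None:
            return validate_kbps(level)
    return None


class TokenBucket:
    """Bytes-per-second token bucket. Tokens refill continuously at the
    configured rate and may accumulate up to `burst_seconds` of traffic."""

    def __init__(self, kbps: int, burst_seconds: float = 1.0):
        # Assumption: 1 Kbit = 1000 bits, so rate in bytes/s = kbps * 1000 / 8.
        self.rate = validate_kbps(kbps) * 1000 / 8
        self.capacity = self.rate * burst_seconds
        self.tokens = self.capacity
        self.last = 0.0

    def allow(self, nbytes: int, now: float) -> bool:
        """True if `nbytes` may pass at time `now`; False means the bytes are
        dropped (no queueing), which is what the drop statistics count."""
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


def shape(packets, kbps: int):
    """Run a (time_seconds, nbytes) trace through one bucket.
    Returns (bytes_passed, bytes_dropped)."""
    bucket = TokenBucket(kbps)
    passed = dropped = 0
    for t, n in packets:
        if bucket.allow(n, t):
            passed += n
        else:
            dropped += n
    return passed, dropped


if __name__ == "__main__":
    # Constructed trace: 10 x 1000-byte packets at t=0 and again at t=1s,
    # against a 64 Kbit/s limit (8000 bytes/s). 8 of each burst pass.
    trace = [(0.0, 1000)] * 10 + [(1.0, 1000)] * 10
    print("limit:", effective_limit(None, 64, 512), "Kbit/s")
    print("passed, dropped:", shape(trace, effective_limit(None, 64, 512)))
```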

StoreFront Pre-Authentication for Citrix Workspace and Receiver

In previous releases, clients using Citrix Workspace App (or its predecessor, Receiver) to log in to a LoadMaster Citrix StoreFront / Citrix Apps & Desktops configuration log in directly to Citrix StoreFront without any pre-authentication by the LoadMaster via ESP. Pre-authentication was available only by logging into the StoreFront infrastructure via LM using a browser, but this workflow is HTML5-dependent and not always implemented in StoreFront deployments.

In this release, clients can take advantage of pre-authentication via ESP on LM using the Workspace or Receiver App. This workflow is supported by two additions:

  • A new Client Authentication Mode named Pass Post in the Virtual Service ESP Options section of the UI.
  • An additional Virtual Service (VS) in the existing StoreFront template to support direct Workspace access.

No other changes were made to the UI or API. With the above, a user can successfully log in using POST-based authentication on the client side and Forms-Based Authentication (FBA) on the server side.

This enhancement is accompanied by updated VS templates and an updated Deployment Guide.

Kubernetes Ingress Controller

Installation of the Kubernetes Ingress Controller (KIC) has been integrated with LoadMaster. Open the Virtual Services > Kubernetes Settings menu in the UI and click the Install button to begin installing KIC. This version of KIC supports the following capabilities:

  • Automated mapping of Kubernetes service object configuration to Kemp LoadMaster Virtual Service and Sub-Virtual Services.
  • Support for reading Kubernetes annotations to ingest metadata information about objects.
  • Capabilities for communication with a Kubernetes API server.

KIC supports two modes of operation:

  • Service Mode: A unique and original operating mode developed by Kemp. It allows NetOps Teams and AppDev Teams to work together more seamlessly despite different toolchains and working practices.
  • Ingress Mode: this is the standard Kubernetes Ingress Controller operating mode designed for cross-functional Teams operating purely through the Kubernetes API.

Increase strength of DHE key exchange keys for SSL/TLS to 4096

By default, LoadMaster uses a 2048-bit key size for DHE key exchanges. Some government agencies are now requiring 4096-bit keys and this capability has been added to LoadMaster.

The key size is set on the System Configuration > Miscellaneous Options > Network Options page of the UI using the Size of SSL Diffie-Hellman Key Exchange drop-down list.

Please Note:

  • After upgrading from a version prior to 7.2.53, LoadMaster can take up to 30 minutes (on smaller models) to generate a new 4096-bit key. During this time, there will be an impact to CPU and memory available for load balancing traffic. The new option in the UI will not appear until the key is generated. If you cannot see the 4096 option in the drop-down list 30 minutes after upgrading, try logging in to the LoadMaster again.
  • Performance using the 4096-bit key will be at most 25% of that observed with a 2048-bit key. This is expected, given the much greater cost of a 4096-bit modular exponentiation compared with a 2048-bit one.

HA: Interface Reboot Feature for L4 Connection Updates

A new High Availability (HA) option allows you to specify that a LoadMaster configured in HA will reboot if any configured interface loses connectivity with the network (i.e., experiences a link failure). The reboot occurs regardless of the LoadMaster's HA status (Primary or Standby).

This feature is primarily designed to be enabled only along with the Inter HA L4 TCP Connection Updates option, to facilitate L4 connection updates in HA. You should consult with Kemp Support before enabling the new interface reboot option.

When Hard Reboot on link Failure is enabled, the LoadMaster is forced to reboot if there is a link failure (that is, if an interface becomes unavailable). The new check box is available in the System Configuration > HA Parameters screen when both of these are true:

  • High Availability (HA) is configured
  • The Switch to Preferred Server option is set to No Preferred Server. This is necessary to prevent possible circular swapping between the active and standby LoadMaster units. 

GEO: Additional Record Types Supported

GEO Global Server Load Balancing (GSLB) has been enhanced to support additional record types for domains, as follows:

  • Multiple TXT and CNAME records per Fully Qualified Domain Name (FQDN).
  • One MX record per FQDN. 

These record types allow you to communicate domain resources to clients:

  • A TXT (text) record is essentially unformatted data that can be used for almost any purpose, but typically contains information to be consumed by clients to classify a domain in some way, provide details about a domain, or specify resources available within a domain. 
  • A CNAME (canonical name) record points a DNS name (such as www.example.com) to another DNS name (such as lb.example.com). This is typically used to define a website alias.
  • An MX (mail exchanger) record specifies the mail server responsible for accepting email messages on behalf of a domain. 

To configure records for a specific FQDN, a new Additional Records section has been added to the FQDN configuration page of the UI. Click Global Balancing > Manage FQDNs and then click Modify on the relevant FQDN.

Change Notices

Enhanced ESP Client Session Logging

Client session logging for ESP-enabled Virtual Services has been enhanced to include additional session information: 

  • The initial creation of the ESP session.
  • The time at which the LoadMaster cleared the session from the cache. If the entire cache is cleared, a single log message is recorded at the time of clearing, noting that all sessions existing at that time were cleared from the cache.
  • The deletion of an ESP session (when the user logs out of the application, when the session expires, or when the user enters invalid credentials), together with the time at which the LoadMaster cleared the session.

You can view these logs by going to System Configuration > Logging Options > Extended Log Files in the LoadMaster User Interface (UI) and clicking View for ESP User Logs.

Changes Affecting Long-Lived UDP Connections

It is common for some applications (such as Citrix Virtual Desktop Infrastructure and Microsoft Always On VPN) to open UDP connections that last days or even weeks. To address persistence and port following issues seen for these long-lived UDP connections, the following two changes have been made to Layer 7 Virtual Services:

  • Increased Maximum Persistence Timeout: The maximum value of the persistence timeout setting has been increased from 7 days to 28 days. You can configure the persistence Timeout drop-down list after a persistence Mode is selected in the Standard Options section of the Virtual Service modify screen (Virtual Services > View/Modify Services > Modify). 
  • Persistence Refresh: If the persistence Timeout described above is set to 4 days or more, a Refresh Persist check box appears, which is disabled by default. When Refresh Persist is enabled, persistence table entries for long-lived connections are auto-refreshed each day. This is intended for long-lived UDP connection configurations where persistence is observed not to be maintained over periods longer than 4 days, which can have several causes (for example, very long idle times). Please consult with Kemp Support before enabling this option.

LoadMaster Change of Ownership Updates

The System Configuration > System Administration > License Management page has been updated to provide easier methods for changing system ownership and provide additional licensing information:

  • The Update License button was renamed to Update License/Owner. In addition to updating your LoadMaster license, this button can be used to change the ownership of the LoadMaster license (update the Kemp ID and password associated with the license). This can be done either online or offline.
  • The Serial Number of the license has been added to the top of the License Management screen for convenience, as it is required in various circumstances (e.g., getting support, offline licensing). 

Content Rules and 512-byte Response Limit

In previous releases, content rules were only applied to responses if the response body was larger than 512 bytes. This behavior has been modified so that:

  • The 512-byte limit does not apply to response body modification rules.
  • The 512-byte limit is only observed when compression is enabled. If compression is not enabled, all content rules are applied regardless of response size.

Cavium III SSL Accelerator Performance Switch

Customers with LoadMaster hardware (e.g., an LM-X40) with a Cavium III hardware SSL accelerator installed have reported performance issues when using the Cavium III hardware with TLS 1.3. A new switch has been introduced on the Network Options page in the UI that allows you to switch from using the current 1.1.1 OpenSSL libraries to using the older 1.0.2 libraries, which do not exhibit the performance issues seen with the 1.1.1 libraries. Unfortunately, the older 1.0.2 libraries do not support TLS 1.3, so TLS 1.3 will not be available for incoming client connections after switching to the older libraries.

Please consult with Kemp Support before enabling this workaround. Also note:

  • Switching the OpenSSL version causes a total SSL outage during the switch. This operation should not be performed during working hours.
  • When using the older 1.0.2 libraries, the TLS1.3 check box is no longer available in the SSL Properties section of the Virtual Service modify screen.
  • If you switch from using the older 1.0.2 libraries to using the 1.1.1 libraries, TLS1.3 is automatically re-enabled on all Virtual Services. 
  • The library selection option is not available on LoadMasters that include the Cavium V accelerator hardware. Those cards do not support the older 1.0.2 libraries. 

Please note that these issues DO NOT affect LoadMasters that have the newer Cavium V hardware acceleration cards.

IRQ Pinning Default for LoadMaster MT VNFs

As of LoadMaster firmware version 7.2.53 (and Long Term Support (LTS) version 7.2.48.3), the Interrupt Request (IRQ) pinning option is enabled by default on LoadMaster Virtual Network Function (VNF) builds deployed from Multi-Tenant (MT) LoadMasters, because Kemp has observed improved LoadMaster VNF performance with IRQ pinning enabled. You can access this option by going to System Configuration > Logging Options > System Log Files > Debug Options.

Only change this option in consultation with Kemp Technical Support.

Certificate Signing Request (CSR) Generation Permissions

If Self-Signed Certificate Handling is set to EC certs with an EC signature (in Certificates & Security > Remote Access), CSR generation is restricted to the administrative (bal) user only. If Self-Signed Certificate Handling is set to a different value, all users can generate CSRs. 

LoadMaster Licensing FQDN Change

As of LoadMaster firmware version 7.2.53 (and Long Term Support (LTS) version 7.2.48.3) the LoadMaster licensing Fully Qualified Domain Name (FQDN) has changed. Previously, the FQDN was alsi.kemptechnologies.com. Now, it is licensing.kemp.ax. In some scenarios, Kemp recommends adding the licensing FQDN as an allowed URL on your firewall to ensure all licensing features work, including the downloading and updating of Web Application Firewall (WAF) rules. The URLs to allow vary depending on your LoadMaster firmware version: 

  • LoadMaster firmware version 7.2.53 or above (or 7.2.48.3 Long Term Support (LTS) and above): licensing.kemp.ax 
  • LoadMaster firmware versions below 7.2.53 (or below 7.2.48.3 LTS): alsi.kemptechnologies.com and alsi2.kemptechnologies.com 

GEO: Option to Prevent a Disabled GEO Cluster from Responding

In previous releases, a GEO cluster marked as disabled still responds to client queries. A new parameter named Disabled clusters are unavailable has been introduced. It is disabled by default; when enabled, requests to a disabled GEO cluster are dropped, and the cluster name is displayed in red text on the Global Balancing > Manage FQDNs page of the UI.

Security Updates

Elliptic Curve CA Certificate Regenerated

LoadMaster's Elliptic Curve (EC) Certificate Authority (CA) certificate was regenerated for this release to address these issues in previous releases:

  • EC certificates generated using the previous CA certificate did not work.
  • Third-party EC certificates did not work with LoadMaster.

As a result, the following actions may be necessary if you are using EC certificates:

  • Any EC certificates generated by LoadMaster in previous releases are no longer valid and must be regenerated. Kemp believes the number of these in use in the field is small.
  • If you are using an EC certificate for the WUI, any user who previously downloaded and installed the LoadMaster root certificate into their browser must download and install the new root certificate from LoadMaster after the upgrade.

OpenSSH Update

The version of OpenSSH used by LoadMaster has been updated from OpenSSH_7.9p1 to OpenSSH_8.4p1, the latest version of OpenSSH available as of September 2020. Please see the OpenSSH release notes web page for more information.

Updated Certificate PIV Support (Smartcard) for SSO & WUI

In LoadMaster firmware version 7.2.53, Edge Security Pack (ESP) Single Sign On (SSO) support was added for Personal Identity Verification (PIV) smart cards. PIV guidance is to map certificate fields to the altSecurityIdentities attribute of the user in Active Directory (AD). To support this, additional configuration options have been added to the modify SSO screen for SSO domains whose Authentication Protocol is set to Certificates. Prior to 7.2.53, there was a check box called Check Certificate to User Mapping. As of 7.2.53, this check box has been replaced by a drop-down list with the following values:

  • Not Specified 
  • Subject 
  • Issuer and Subject
  • Issuer and Serial Number 
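As an added illustration (not LoadMaster code) of what each mapping mode means in practice, the Python below builds the altSecurityIdentities value in the format Active Directory expects (X509:<I>issuer<S>subject, X509:<I>issuer<SR>serial, or X509:<S>subject) from the certificate's issuer, subject and serial number, and looks the user up, failing closed when zero or more than one account matches. The directory contents, DNs and serial number are constructed for the example, and the case-insensitive comparison is an assumption.

```python
"""Added example (not LoadMaster code): altSecurityIdentities mapping for PIV."""
import re

MAPPING_MODES = ("Not Specified", "Subject", "Issuer and Subject", "Issuer and Serial Number")


def to_ad_dn(dn: str) -> str:
    """Turn an RFC 4514 DN (most specific RDN first, as printed from the
    certificate) into the root-first order AD uses in altSecurityIdentities.
    Assumption: commas inside a value are backslash-escaped per RFC 4514."""
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join(r.strip() for r in reversed(rdns))


def serial_reversed_hex(serial_hex: str) -> str:
    """<SR> carries the certificate serial number with its bytes reversed."""
    return bytes.fromhex(serial_hex)[::-1].hex().upper()


def alt_security_identity(mode: str, issuer_dn: str, subject_dn: str, serial_hex: str):
    """The altSecurityIdentities string that a given mapping mode looks for,
    or None when mapping is not specified."""
    if mode == "Not Specified":
        return None
    if mode == "Subject":
        return f"X509:<S>{to_ad_dn(subject_dn)}"
    if mode == "Issuer and Subject":
        return f"X509:<I>{to_ad_dn(issuer_dn)}<S>{to_ad_dn(subject_dn)}"
    if mode == "Issuer and Serial Number":
        return f"X509:<I>{to_ad_dn(issuer_dn)}<SR>{serial_reversed_hex(serial_hex)}"
    raise ValueError(f"unknown mapping mode: {mode}")


def map_user(directory: dict, mode: str, issuer_dn: str, subject_dn: str, serial_hex: str):
    """directory: {sAMAccountName: [altSecurityIdentities values]} (constructed stand-in
    for an LDAP search). Returns exactly one account or None: an ambiguous
    mapping must not log anyone in."""
    wanted = alt_security_identity(mode, issuer_dn, subject_dn, serial_hex)
    if wanted is None:
        return None
    hits = [user for user, ids in directory.items()
            if any(v.casefold() == wanted.casefold() for v in ids)]   # assumption: case-insensitive
    return hits[0] if len(hits) == 1 else None


# Constructed sample directory; neither the CA nor the accounts are real.
SAMPLE_DIRECTORY = {
    "alice": [
        "X509:<I>DC=com,DC=example,CN=Example Issuing CA<S>DC=com,DC=example,OU=Users,CN=alice",
        "X509:<S>DC=com,DC=example,OU=Users,CN=alice",
    ],
    "bob": [
        "X509:<I>DC=com,DC=example,CN=Example Issuing CA<SR>AB0201",
    ],
}
ISSUER = "CN=Example Issuing CA,DC=example,DC=com"   # as printed from the certificate

if __name__ == "__main__":
    for mode in MAPPING_MODES:
        print(mode, "->", map_user(SAMPLE_DIRECTORY, mode, ISSUER,
                                   "CN=bob,OU=Users,DC=example,DC=com", "0102AB"))
```

Two details trip people up: the DNs are written root-first (DC=com,DC=example,...), the reverse of the order shown in the certificate, and <SR> carries the serial number with its bytes reversed. Note also that Microsoft classifies the Issuer and Serial Number mapping as strong and the Subject and Issuer and Subject mappings as weak (KB5014754), so where card re-issuance is managed centrally the Issuer and Serial Number mode is the safer choice, at the cost of updating the attribute on every re-issued certificate.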

X.509 Certificate Format Updated

LoadMaster has been enhanced to use the X.509v3 certificate format, as defined in RFC 5280. [Previously, the X.509v1 format defined in RFC 1422 was used.]

LDAPS and Syslog Server Certificate Validation

LoadMaster has been enhanced to validate the entire certificate chain sent by remote LDAPS and Syslog servers, when the system is configured to use ECDSA certificates with ECDSA signatures. This setting is located on the Certificates & Security > Remote Access page of the UI.

Issues Resolved

PD-16515 SSL Certificates: Fixed a bug (introduced in 7.2.51) that left the Delete button for a certificate inactive even when the certificate was no longer used by any Virtual Service.
PD-16513 UI Authentication via LDAPS: Fixed a bug where LDAPS validation did not check the Basic Constraints extension, as required for intermediate certificates in a chain.
PD-16361 SSL Certificates: LoadMaster now rejects an otherwise valid server certificate that lacks the Server Authentication purpose in the extendedKeyUsage extension; no connection is established in this case.
PD-16342 Layer 7 POST Handling: Addressed various issues with POST handling and error detection in L7, in particular with large POSTs and 401 responses from LoadMaster.
PD-16336 Single Sign On (SSO) API: Previously, it was not possible to kill an SSO session using the Username format via the API. This bug has been fixed.
PD-16214 Single Sign On (SSO) with KCD: In previous releases, under high load, users could experience authentication issues when attempting to log in to a Virtual Service with KCD configured. To mitigate this, the KCD ticket creation mechanism has been enhanced to detect and retry expired service tickets hourly. In addition, an SSO flush now restarts the SSO manager process (instead of only flushing SSO memory, as in previous releases).
PD-16157 High Availability (HA) Status: On the Open Telecom platform only, LoadMasters configured in HA showed a status of Active/Active if multiple health checks were being executed and these connections remained open for long periods. This bug has been fixed and HA status is now displayed correctly.
PD-16156 LDAP: Enhanced the UI and API to support the hyphen character (-) in LDAP endpoint names.
PD-16151 User Interface: Fixed an issue that could cause "stack smash detected" to be displayed on the Statistics > Real Time Statistics > Real Servers page.
PD-16134 AWS Machine Instances: On the AWS cloud platform only, LM was observed not to boot properly when using certain newer machine sizes with BIOS versions above Version 9. This issue has been fixed.
PD-16122 Reliability and Stability: Fixed an issue with processing large amounts of chunked data from servers with compression enabled that could cause the system to become temporarily unavailable (and a failover to occur in High Availability mode).
PD-16057 Logging: In previous releases, various log messages included the file system location of the syslog configuration file. All such messages have been modified to remove the configuration file location.
PD-16056 Logging: Fixed an issue that caused FIPS-related system logs to appear on systems that were not FIPS-enabled.
PD-16032 GEO: Fixed an issue in the HA Partner code that could cause Partners in a cloud deployment to not synchronize properly.
PD-16028 Virtual Service SSL Properties: The Add Received Cipher Name parameter did not enable passing of the received cipher name if the client accessed a SubVS rather than the VS. The system has been modified to always propagate SSL headers to the SubVS level.
PD-15881 User Interface: Fixed the Manage Certificates page to display IPv6 addresses in the correct format.
PD-15869 Adaptive Health Check Agent: Updated the adaptive health check mechanism to use HTTP 1.1 (instead of HTTP 1.0) when making Real Server connections.
PD-15860 Real Server Configuration: Fixed an issue where the parameter values of a Real Server created with a DNS FQDN (instead of an IP address) could not be modified.
PD-15828 Single Sign On (SSO): In previous releases, access could be denied during SSO even though correct credentials were supplied, with log messages indicating "XSS attack dtcode 7". This occurred because in some cases LoadMaster did not properly handle SameSite cookie options contained in the client request. This issue has been fixed.
PD-15709 GEO: When using IP Range Selection Criteria scheduling, the DNS response could be incorrect in previous releases when one IP range was a subset of another IP range. This bug has been fixed.

 

Existing Known Issues

The following issues appeared in the Release Notes for the previous release of LMOS.

PD-15872 LDAP/Syslog: StartTLS is not working when the Server Certificate Validation flag is enabled.
PD-15633 GEO: If you add a Zone Name to GEO after you have created working FQDNs, GEO may no longer respond to queries for one or more of the FQDNs after the Zone Name is added. The workaround is to remove and then re-add the FQDNs that are no longer working.
PD-15475 VS Redirects: If you attempt to upload a new redirect error HTML file to a Virtual Service with Not Available Redirection Handling enabled while traffic is currently being redirected, then traffic to the VS is dropped. Click the Error Message radio button in the UI and the VS begins accepting connections again.
PD-15396 GEO: LM sends a spurious "KEMP GEO" TXT record in DNS responses if the TXT record field is empty and the queried FQDN is not a sub-domain of the ZoneName.
PD-15354 SSO Timeout: In LMOS 7.2.51, a fix was introduced for issues that caused an SSO client to not be properly logged out when the configured session timeout expires. It has been observed that while sessions do timeout, they are not always closed immediately upon the expiry of the timer; it can take close to a minute longer for the session to actually be closed.
PD-15294 ESP Verify Bearer Header: LoadMaster does not return an error when an encrypted token is received and there is no SSL certificate assigned to the VS to decrypt the token.
PD-15172 ESP Verify Bearer Header: Validation is not working when "Allowed Virtual Hosts" and "Allowed Virtual Directories" are blank on the Virtual Service.
PD-14943 Single Sign On: When Form Based Authentication is enabled on the server side, it is possible that after filling out correct credentials and submitting the login form, the form will be presented again; once the second login form is submitted with correct credentials, the login succeeds.
PD-12838 ESP / SSO: The ESP Permitted Group SID(s) setting is not working as expected when configured on a subVS.
PD-12616 WAF / Compression: With Web Application Firewall (WAF) enabled, compressed files are incorrectly decompressed. As a workaround, ensure compression is enabled in VS Advanced Properties by selecting the Enable Compression option.
PD-12492 Downgrade: If an Azure VLM is downgraded to the LTS firmware release (7.1.35.x), the WUI may display in the top right-hand corner that the VLM is a Hyper-V VLM. This indicates that the Azure VLM Add-On Package must be added to the system to provide full Azure VLM functionality. If this occurs, please contact Kemp Support to get the required add-on package.
PD-12354, PD-10466 Hardware Support: The LoadMaster models LM-X15, LM-X25, and LM-X40 do not support the following SFP+ modules: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000BASE-LX 1310nm, 10KM over SMF).
PD-12237 HA / NTP: Configuring NTP for the first time after the system is running in High Availability (HA) mode and when the current time on the machines is not correct, may cause the systems to both go into the Master state.
PD-12147 ESP / RADIUS: In a LoadMaster configuration with ESP and Radius server-side authentication enabled, sessions may fail to be established.
PD-12058 Browser Support: An issue exists when connecting to the LoadMaster WUI when using newer versions of the Firefox browser on initial configuration of a hardware FIPS LoadMaster.
PD-11861 RADIUS / IPv6: IPv6 is not supported by the current RADIUS implementation in the LoadMaster for both WUI Authorization and ESP Authentication.
PD-11166 Networking: Azure LoadMasters are not translating the additional network address between the Master and Slave correctly.
PD-11044 SharePoint Virtual Services: A second authentication prompt is presented when a file is uploaded to SharePoint with the following configuration: WAF is configured with Process Responses enabled on the main Virtual Service and KCD is enabled on the SubVS level for server-side authentication.
PD-10917 HA: An issue exists when setting up a 2-armed HA Virtual LoadMaster in Azure.
PD-10784 HA: Configuring LoadMaster HA using eth1 on an Amazon Web Services (AWS) Virtual LoadMaster does not work.
PD-10586 GEO: If a GEO FQDN is configured with All Available as the Selection Criteria, IP addresses are returned even if the cluster is disabled.
PD-10490 Content Rules: The vsremovewafrule RESTful API command does not allow multiple rules to be removed.
PD-10474 Intrusion Detection: A SNORT rule is triggering a false positive in certain scenarios.
PD-10193 Exchange 2010 Virtual Services: A WAF, ESP, and KCD configuration with Microsoft Exchange 2010 is not supported.
PD-10188 Browser Support: (Safari) When adding a Real Server to a Virtual Service or SubVS using the Safari browser, the list of available Real Servers is not available.
PD-10159 Statistics: When upgrading firmware from version 7.1.35.n, CPU and network usage graphs are not appearing. As a workaround, reset the statistics in the WUI.
PD-10136 Clustering: In a LoadMaster cluster configuration, a new node can be added with the same IP address as an existing node.
PD-9816, PD-9476 WAF: There is an API command to list individual rules in a ruleset, but there is no command to list the available rulesets themselves.
PD-9765 GEO: DNS TCP requests from unknown sources are not supported.
PD-9507 Networking: Unable to add an SDN controller using the RESTful API/WUI in a specific scenario.
PD-9375 SharePoint Virtual Services: Microsoft Office files in SharePoint do not work in Firefox and Chrome when using SAML authentication.

 

Appendix A: Verifying Upgrade Image Signatures

This table shows you which XML file to use to verify the digital signature on an upgrade image, based on the currently running LMOS version and the version to which you want to upgrade.

Current Release          XML file to verify the digital signature on the 7.2.53 update image
7.2.53                   7.2.53.0.19826.RC.PATCH-64-MULTICORE.checksum.xml
7.2.52                   7.2.53.0.19826.RC.PATCH-64-MULTICORE.checksum.xml
7.2.51                   7.2.53.0.19826.RC.PATCH-64-MULTICORE.checksum.xml
7.2.50                   7.2.53.0.19826.RC.PATCH-64-MULTICORE-pre7.2.51.0.checksum.xml
7.2.49.1                 7.2.53.0.19826.RC.PATCH-64-MULTICORE-pre7.2.51.0.checksum.xml
7.2.48.1 and below       Offline Validation Only

 
