Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

LoadMaster Release Notes

LMOS Version is a feature and bug-fix release made available in December 2020. Please read the sections below before installing or upgrading.


Before You Upgrade (READ ME FIRST)

This release updates the BestPractices cipher set as shown in the section below and this change is effective immediately after upgrade to this release. This change is being made to improve LoadMaster security and conform to the latest industry best practices. For more information on the cipher suites being removed from the set, please see the section Best Practices Cipher Set Updated, below.

If you depend on any of the cipher sets being removed from the BestPractices set, then before you upgrade you must create a custom cipher set that contains these ciphers and assign this new custom cipher to the Virtual Services that are currently using the BestPractices cipher set. If you do not, any clients that depend on these ciphers being available will no longer be able to connect. After this is done, you can upgrade to LMOS and your services will continue to use the old ciphers.

It is recommended, however, that you migrate your services as soon as possible to use the new BestPractices cipher set provided with LMOS

Supported Models for Upgrade

This release of LMOS is supported on the Hardware and Virtual models shown in the first three columns of the table below. It is not supported and should not be installed on any model listed in the two columns at right. This update patch can be applied to any supported model regardless of licensing (e.g., SPLA, MELA) or platform (e.g., hardware, local cloud, public cloud).

Supported Bare Metal Models UNSUPPORTED





If your model number is not listed above, please see the list of End of Life models.

Update Image Verification

Depending on the LMOS version running on the LoadMaster you are updating, you may need to supply one of the XML verification files when upgrading. See the notes for your release below.

Currently Running Version Update Notes
or later

Verification of the digital signature on update images is required by default. See the Update Verification Options setting under System Administration > Miscellaneous Options > WUI Settings. If the unit you are updating is set to require validation, you must upload the following XML Verification file supplied with this release during the update process:

After the update, any capabilities specific to 7.2.51 will no longer be available on LoadMaster.


Same as above, except a different XML file supplied with this release must be uploaded during the update process:

After the update, any capabilities specific to 7.2.50 will no longer be available on LoadMaster.

Online verification not supported. You can verify the digital signature using a manual process documented on the support website using the same verification file as shown above for 7.2.50.

After the update, any capabilities specific to will no longer be available on LoadMaster. or earlier

Online verification not supported. You can verify the digital signature using a manual process documented on the support website using the same verification file as shown above for 7.2.50.

If you are currently running LMOS 7.1.x or an earlier version, please see the article Kemp LoadMaster Firmware Upgrade Path for full upgrade path information.

Change Notices

Best Practices Cipher Set Updated

In LoadMaster firmware version 7.2.52, the BestPractices cipher set was updated. The cipher set is now based on the recommendations provided in the Use Secure Cipher Suites section of the following SSL Labs article: SSL and TLS Deployment Best Practices. The following table shows the ciphers that remain in the BestPractices cipher in LMOS 7.2.52 in the left column, and the ciphers removed from the set in the right column:

Carried Forward
























In addition to the above, the following two ciphers were added to the BestPractices set:



Cavium III SSL Accelerator Performance Switch

Customers with LoadMaster hardware (e.g., an LM-X40) with a Cavium III hardware SSL accelerator installed have reported performance issues when using the Cavium III hardware with TLS 1.3. A new switch has been introduced on the Network Options page in the UI that allows you to switch from using the current 1.1.1 OpenSSL libraries to using the older 1.0.2 libraries, which do not exhibit the performance issues seen with the 1.1.1 libraries; please note, however, that the older libraries do not support TLS 1.3. Please consult with Kemp Support before enabling this workaround. [Note that these performance issues do not apply to Cavium V hardware.]

IRQ Pinning Default for LoadMaster MT VNFs

When using this or a subsequent release as a VNF node in a LoadMaster Multi-Tenant (MT) deployment, the IRQ Pinning option on LoadMaster is now enabled by default when the VNF is deployed to improve overall system performance.

Modified Supported Elliptical Curves in LoadMaster Client Hello

In previous releases, the LoadMaster proposed the following Elliptical Curves for ECDHE ciphers in the client hello:

  • secp256r1
  • secp384r1
  • secp521r1
  • x25519
  • x448

The last two curves (x25519 and x448) are no longer supported to meet Common Criteria security requirements.

Security Updates

The following changes to existing LMOS features and behavior have been made in this release to improve LoadMaster's security profile.

Best Practices Cipher Set Updated

See the section above under Change Notices.

Syslog and LDAPS Server Certificate Validity Checking

LoadMaster has been modified to use OCSP to check the validity of the server certificates supplied by syslog and LDAPS servers configured into the configuration. If these checks fail, connections to the server are not permitted.

Enhanced Server-Side KCD Authentication Cipher Option

A new option for server-side Kerberos Constrained Delegation (KCD) authentication improves the security of LoadMaster's server side KCD connections to meet evolving security policies.

In previous release, KCD was configured to use RC4, DES, and DES3 ciphers for server connections; these ciphers could not be modified. With this release, you can now enable the Use AES 256 SHA1 KCD Cipher option on the Virtual Services > Manage SSO UI page to specify that the RC4, DES, and DES3 ciphers be disabled for server-side KCD and that the aes256-cts-hmac-sha1-96 cipher be used instead. This option can be enabled/disabled as needed within different server-side Single Sign On (SSO) configurations.

Enhanced NTP Key Exchange Algorithms

The SHA-1 hashing algorithm has been added to the key types supported for NTP on the System Configuration > System Administration > Date/Time UI page. Click Show NTP Authentication Parameters to display the NTP Key Type parameter. Note that, in previous releases, SHA-1 was presented as a choice, but this was actually implementing the legacy SHA (a.k.a. SHA-0) hashing algorithm. This has also been corrected in this release, so that the three key types supported are now: MD5, SHA-1, and legacy SHA.

Regeneration of SSH Host Key

The LoadMaster host key that is used for SSH login can now be regenerated using controls on the system console. Log into the console and choose Local Administration > Regenerate SSH Host Keys to regenerate the key. Please note the following:

  • When you regenerate the LoadMaster's host key, all current SSH clients will need to be updated with the new public key. Clients will receive connection errors and be unable to connect until the new public key is added to the client's known_hosts file.
  • When LoadMaster is configured in either the High Availability or Clustering modes, the host keys on the two LoadMasters are automatically synchronized to maintain the SSH connection on which the configuration depends.
  • Note that in GEO Partnering mode, SSH host keys are not automatically synchronized, because GEO does not use a shared IP address and the information exchange between partners doesn't depend on SSH access.

Certificate Signing Request (CSR) Generation Permissions

If Self-Signed Certificate Handling is set to EC certs with an EC signature (in Certificates & Security > Remote Access), CSR generation is restricted to the administrative (bal) user only. If Self-Signed Certificate Handling is set to a different value, all users can generate CSRs. 

Certificate Signing Request (CSR) Generation Key Display

In previous releases, both the unsigned Certificate Signing Request (CSR) generated by LoadMaster and the associated private key were displayed in the UI (or returned via the API). A new option has been provided to allow the private key to be managed more securely, preventing unintentional disclosure or improper handling of the private key by the user.

This new option appears only when the Certificates & Security > Remote Access > Self-Signed Certificate Handling option is set to EC certs with an EC signature -- which means that an elliptical curve cipher will be used for both the certificate and the digital signature.

Once the above option is selected, a new Display Private Key check box appears on the  Certificates & Security > Generate CSR UI page.

  • When Display Private Key is disabled (the default), the private key is not displayed in the UI after the CSR is created. The unsigned CSR is downloaded by the user as in previous releases. Once it is signed by a Certificate Authority, the user uploads the signed certificate to the LoadMaster -- the difference from previous releases being that the user does not have to also upload the private key, since LoadMaster maintains it internally when Display Private Key is disabled. If the saved private key matches the new certificate, the certificate gets imported and the saved private key is deleted. The stored private key is not encrypted but there is no access to it from the outside and it cannot be seen or displayed.
  • When Display Private Key is enabled, LoadMaster behaves as in previous releases: the private key is displayed to the user and must be uploaded to LoadMaster along with the private key.

X.509 Certificate Format Updated

LoadMaster has been enhanced to use the X.509v3 certificate format, as defined in RFC 5280. [Previously, the X.509v1 format defined in RFC 1422 was used.]

Outbound Connection Certificate Validation

Certificate chain validation has been enhanced for all outbound connections:

  • The entire certificate chain sent by remote servers is verified back to the trusted signing Certificate Authority (CA).
  • For OCSP servers, the certificate must also contain the OCSP Signing purpose (id-kp 9 with OID in the extendedKeyUsage field.

In all cases, the appropriate certificates for chain of trust validation will need to be uploaded to the LoadMaster certificate store.

Issues Resolved

The following issues from previous LMOS releases have been addressed in this release.


PD-16513 UI Authentication via LDAPS: Fixed a bug where LDAPS was not checking "Basic Constraints" as required for intermediate certs in a chain.
PD-16361 SSL Certificates: LoadMaster has been modified to reject an otherwise valid server certificate that lacks the Server Authentication purpose in the extendedKeyUsage field; no connection is established in this case.
PD-16157 High Availability (HA) Status: On the Open Telecom platform only, LoadMasters configured into HA show a status of Active/Active if multiple health checks are being executed and these connections remain open for long periods. This bug has been fixed and HA status is now displayed appropriately.

LDAP: Enhanced the UI and API to support the hyphen character (-) in LDAP endpoint names.


AWS Machine Instances: On the AWS cloud platform only, LM was observed not to boot properly when using certain newer machine sizes with BIOS versions above Version 9. This issue has been fixed.


Reliability and Stability: Fixed an issue with processing large amounts of chunked data from servers with compression enabled that could cause the system to become temporarily unavailable (and a failover to occur in High Availability mode).


Logging: In previous releases, various log messages included the file system location of the syslog configuration file. All such messages have been modified to remove the configuration file location.


Adaptive Health Check Agent: Updated the adaptive health check mechanism to use HTTP 1.1 (instead of HTTP 1.0) when making Real Server connections.


Real Server Configuration: Fixed an issue where the parameter values of a Real Server that has been created with a DNS FQDN (instead of an IP address) cannot be modified.


Single Sign On (SSO): On previous releases, access may be denied during SSO when correct credentials have been supplied, along with log messages indicating "XSS attack dtcode 7". This issue occurs because in some cases LoadMaster is not properly handling SameSite cookie options contained in the client request. This issue has been fixed.


Login Security: Fixed a bug that caused two issues: (1) the Failed Login Attempts parameter is ignored and users are not getting locked out; and, (2) it is possible under specific circumstances for a user to be logged into another user's current session.


MELA: Fixed an issue that caused the LoadMaster MELA Activation Check to fail when LoadMaster contacts Kemp 360 Central.


NTLM: In previous releases, when NTLM is enabled on a VS, the LoadMaster reads the request headers, determines that the Authorization header is not present, and sends a 401 reply without waiting for any in-transit client data (such as a POST) to complete. This has been fixed; LoadMaster will now wait for all data before sending a response.


Base System: Fixed an issue that caused spurious “kernel: hpet1: lost x rtc interrupts” messages to be seen in the logs.


API: Modified the ping, ping6, and traceroute APIs to support an FQDN or hostname as input.


GEO / DNS: Fixed an issue where the name resolution cache was not being flushed when the configuration was reloaded.


API: Fixed an issue with the getraidinfo and getraiddisksinfo APIs, where the response contained HTML-encoded angle brackets, instead of ASCII-encoded brackets.


Existing Known Issues

The following issues appeared in the Release Notes for the previous release of LMOS.


Platform Support: Fresh deployments of this release to Open Telekom Cloud set the UI port incorrectly to port 443 (instead of 8443, as documented). The workaround is to reconfigure the OpenCloud TCP security rules to use port 443 instead of 8443, and then access the UI using port 443.


SSO: Password expiry notifications do not currently work with Forms Based Authentication (FBA) enabled on the server side.


10 Gb Interfaces (AWS only): The AWS driver for 10 Gb interfaces (ENA) does not provide a link indication in its output, and so ‘No Link’ is the status displayed for a 10 Gb interface on AWS. Interface graphs for 10 Gb interfaces on the statistics page are not scaled properly, and so can run off the display; this will be addressed in a future release.


WAF: With WAF enabled on a Virtual Service, HTTP PUT commands that use chunked transfer encoding are dropped. This issue will be fixed in a future release.


ESP / SSO: The ESP Permitted Group SID(s) setting is not working as expected when configured on a on a subVS.


Networking: A Hyper-V VLM won't boot when a 4th NIC is added.


WAF / Compression: With Web Application Firewall (WAF) enabled, compressed files are incorrectly decompressed. As a workaround, ensure compression is enabled in VS Advanced Properties by selecting the Enable Compression option.


Downgrade: If an Azure VLM is downgraded to the firmware version 7.1.35.x, the WUI may display in the top right-hand corner that the VLM is a Hyper-V VLM. This indicates that the Azure VLM Add-On Package must be added to the system to provide full Azure VLM functionality. If this occurs, please contact Kemp Support to get the required add-on package.


Hardware Support: The LoadMasters LM-X25 and LM-X40 do not support the following SFP+ modules in this release: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000BASE-LX 1310nm, 10KM over SMF).


HA / NTP: Configuring NTP for the first time after the system is running in High Availability (HA) mode and when the current time on the machines is not correct, may cause the systems to both go into the Master state.


ESP / RADIUS: In a LoadMaster configuration with ESP and Radius server-side authentication enabled, sessions may fail to be established.


Browser Support: An issue exists when connecting to the LoadMaster WUI when using newer versions of the Firefox browser on initial configuration of a hardware FIPS LoadMaster.


RADIUS / IPv6: IPv6 is not supported by the current RADIUS implementation in the LoadMaster for both WUI Authorization and ESP Authentication.


Networking: Azure LoadMasters are not translating the additional network address between the Master and Slave correctly.


Sharepoint Virtual Services: A second authentication prompt is presented when a file is uploaded to SharePoint with the following configuration: WAF is configured with Process Responses enabled on the main Virtual Service and KCD is enabled on the SubVS level for server-side authentication.


HA: An issue exists when setting up a 2-armed HA Virtual LoadMaster in Azure.


HA: Configuring LoadMaster HA using eth1 on an Amazon Web Services (AWS) Virtual LoadMaster does not work.


GEO: If a GEO FQDN is configured with All Available as the Selection Criteria, IP addresses are returned even if the cluster is disabled.


Content Rules: The vsremovewafrule RESTful API command does not allow multiple rules to be removed.


Intrusion Detection: A SNORT rule is triggering a false positive in certain scenarios.


Hardware Support: The LoadMaster LM-X15 does not support the following SFP+ modules in this release: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000Base-LX 1310nm, 10KM over SMF).


Exchange 2010 Virtual Services: A WAF, ESP, and KCD configuration with Microsoft Exchange 2010 is not supported.


Browser Support: (Safari) When adding a Real Server to a Virtual Service or SubVS using the Safari browser, the list of available Real Servers is not available.


Statistics: When upgrading firmware from version 7.1.35.n, CPU and network usage graphs are not appearing. As a workaround, reset the statistics in the WUI.


Clustering: In a LoadMaster cluster configuration, a new node can be added with the same IP address as an existing node.


Virtual Services: There is a discrepancy in validation between global-level connection timeout and Virtual Service-level timeout.


WAF: When WAF is enabled, any requests received that have chunked transfer encoding enabled (e.g., POSTs) are not processed properly and are not forwarded to a real server.


WAF: There is an API command to list individual rules in a ruleset, but there is no command to list the available rulesets themselves.


GEO: DNS TCP requests from unknown sources are not supported.


Networking: Unable to add an SDN controller using the RESTful API/WUI in a specific scenario.


WAF: There is no RESTful API command to get/list the installed custom rule data files.


Sharepoint Virtual Services: Microsoft Office files in SharePoint do not work in Firefox and Chrome when using SAML authentication.


GEO: Location Based failover does not work as expected.


GEO: Proximity and Location Based scheduling do not work with IPv6 source addresses.