LoadMaster 7.2.55.0 Release Notes
LMOS Version 7.2.55.0 is a feature and bug-fix release made available on 15 September 2021. Please read the sections below before installing or upgrading to this GA release.
Contents
Supported Models for Upgrade
Upgrade Patch XML File Verification Notes
Downgrading to Earlier Versions
New Features
Support for Newer AWS Machine Types
WAF: Clearing the False Positive Analysis Counters and Events
WAF: Configurable OWASP POST Body Size
WAF: Remote Logging TLS Version
GEO: Capacity, Performance, and UI Enhancements
Change Notices
SSL Renegotiation Disabled By Default
Ciphers Use for Re-encryption
Network Telemetry VLAN Enhancement
Increased Size Limitation for SSO Custom Form Images
RPS Limiting UI Removed for Non-Offloaded HTTPS Port 443 VSs
Security Updates
Update OpenSSL to Version 1.1.1k
Strict Transport Security Header Settings
Single Sign On: SameSite and Secure Options
Console Support for WUI Cipher Reset
Certificate Chain of Trust for UI Authentication
Console Security Update
WUI Template Security Update
Issues Resolved
New Known Issues
Existing Known Issues
Before You Upgrade (READ ME FIRST)
Please pay special attention to the issues below before you begin an upgrade to this LMOS release.
Generation of 4096-bit DHE Key
During an upgrade to this version of LMOS from a version prior to 7.2.53.0, a new 4096-bit DHE key is generated. On smaller LoadMasters, this can lead to significant CPU and memory consumption that could impact regular virtual service traffic. So, Kemp strongly recommends that this update be performed in a maintenance interval.
Best Practices Cipher Set
In LMOS 7.2.52.0, the BestPractices cipher set was updated. If you are upgrading from a version prior to 7.2.52.0, this change is effective immediately after upgrade to this release. This change was made to improve LoadMaster security and conform to the latest industry best practices.
If you depend on any of the cipher sets being removed from the BestPractices set, then before you upgrade you must create a custom cipher set that contains these ciphers and assign this new custom cipher set to the Virtual Services that are currently using the BestPractices cipher set. After this is done, you can upgrade to this release and your services will continue to use the old ciphers. If you do not, then after upgrade any clients that depend on these ciphers being available will no longer be able to connect.
It is recommended, however, that you migrate your services as soon as possible to use the new BestPractices cipher set. For more information on the cipher suites removed from the set, please see the LMOS 7.2.52.0 Release Notes.
Supported Models for Upgrade
This release of LMOS is supported on the Hardware and Virtual models shown in the first three columns of the table below. It is not supported and should not be installed on any model listed in the two columns at right. This update patch can be applied to any supported model regardless of licensing (e.g., SPLA, MELA) or platform (e.g., hardware, local cloud, public cloud).
Supported Virtual Models | Supported Hardware Models | Supported Bare Metal Models | UNSUPPORTED Hardware Models | UNSUPPORTED Virtual Models |
VLM-200 VLM-500 VLM-2000 VLM-3000 VLM-5000 VLM-10G VLM-GEO VLM-MAX | LM-X1 LM-X3 LM-X15 LM-X25 LM-X40 LM-3000 LM-3400 LM-4000 LM-5400 LM-5600 LM-8000 LM-8020 LM-8020M LM-R320 | LMB-1G LMB-2G LMB-5G LMB-10G LMB-MAX | LM-2000 | VLM-100 VLM-1000 |
If your model number is not listed above, please see the list of End of Life models.
Upgrade Path
You can upgrade to this release of LMOS from any previous 7.2.x release. For full upgrade path information, please see the article Kemp LoadMaster Firmware Upgrade Path.
Upgrade Patch XML File Verification Notes
By default, verification of the digital signature on upgrade images is required in LMOS 7.2.50.0 and above. See the Update Verification Options setting under System Administration > Miscellaneous Options > WUI Settings. If the unit you are upgrading is set to require validation, you'll need to supply the XML Verification File supplied with this release.
Note that:
- In previous releases, two verification files were provided: one for pre-7.2.51 systems and one for later systems. This restriction has been removed with the 7.2.53.0 release; if upgrading from firmware 7.2.51.0 / 7.2.48.3 and above you can use the XML file provided with this release. If upgrading from any other firmware version you must follow the upgrade path detailed in the Kemp LoadMaster Firmware Upgrade Path article.
- LoadMasters running an LMOS version prior to 7.2.49 do not provide the option of XML file verification in the UI or API. If you are upgrading from one of these releases to this release, you can verify the digital signatures offline using a manual process documented on the support website.
Downgrading to Earlier Versions
Downgrading a LoadMaster running LMOS 7.2.55.0 to LMOS 7.2.51.0 (or a later release) can be performed using any desired Update Verification Options setting.
Downgrading to LMOS 7.2.50.0 or a previous release can only be done when the Update Verification Options setting is set to Optional or Legacy. When performing the downgrade, do not specify an XML file. If you want to verify the digital signature on the image before downgrading, you can do so using a manual process documented on the support website.
Downgrading on AWS
LMOS 7.2.55.0 now uses AWS Nitro-based instance types (see below). LMOS running on a Nitro instance cannot be downgraded to a release prior to LMOS 7.2.55.0. This issue will be fixed in the next LMOS LTS firmware release.
New Features
The following new features have been added to LMOS since the previous release.
Support for Newer AWS Instance Types
We have upgraded our AWS offerings to support 'Nitro-based' instance types as shown in the table below. The recommended instance type for each offering is listed first in bold.
VLM-FREE | VLM-500 | VLM-3000 |
t3a.small | m5d.large | m5d.large |
t3a.medium | m5d.xlarge | m5d.xlarge |
t3a.large | m5d.2xlarge | m5d.2xlarge |
| m5d.16xlarge | m5d.16xlarge |
| c5d.large | c5d.large |
| c5d.xlarge | c5d.xlarge |
| c5d.2xlarge | c5d.2xlarge |
| c5d.4xlarge | c5d.4xlarge |
| c5d.9xlarge | c5d.9xlarge |
| c5d.18xlarge | c5d.18xlarge |
VLM-MAX | BYOL | License Agreement Based (Metered/SPLA) |
m5d.large | m5d.large | m5d.large |
All three offerings support the machine types listed above for VLM-3000, plus the following:
r5d.large | r5d.large | r5d.large |
r5d.xlarge | r5d.xlarge | r5d.xlarge |
r5d.2xlarge | r5d.2xlarge | r5d.2xlarge |
r5d.4xlarge | r5d.4xlarge | r5d.4xlarge |
r5d.8xlarge | r5d.8xlarge | r5d.8xlarge |
Note that a fresh install of LoadMaster on AWS using one of the Nitro-based instances above cannot be downgraded to an earlier release. This issue will be fixed in the next LMOS LTS firmware release due in October 2021.
WAF: Clearing the False Positive Analysis Counters and Events
A Reset FPA Counters button has been added to the Web Application Firewall > False Positive Analysis page (which also clears the events table). If desired, the Download button at the top right of the Latest Events table can be used to download the current list of events before clearing.
WAF: Configurable OWASP POST Body Size
In previous releases, the maximum Request Body Size Limit for a POST body was hard coded to 1048576 bytes (1 MB). This setting is now configurable in the Virtual Service (and SubVS) API and UI settings. The default remains 1048576 bytes, with a supported range of 1024 bytes to 10485760 bytes (10 MB). This setting is available in a WAF-enabled Virtual Service under WAF Advanced Options. The Inspect HTTP POST Request Bodies option must be enabled before this new control is visible in the UI.
WAF: Remote Logging TLS Version
In previous releases, the updated WAF remote logging facility (Web Application Firewall > Export Logs) was not negotiating TLS versions above TLS 1.0. In LMOS 7.2.55, WAF has been modified to use the Certificates & Security > Remote Access > Outbound Connection Cipher Set setting for handshake negotiation.
Network Telemetry VLAN Enhancement
In previous releases, Network Telemetry could not be enabled on a VLAN with an IP address if the underlying interface was not also assigned an IP address. In this release, Network Telemetry can be enabled on a VLAN regardless of whether the underlying interface has an IP address.
Network Telemetry is an add-on package. After you upgrade to LMOS 7.2.55.0, do one of the following to get the latest package:
- If you're installing Network Telemetry for the first time, navigate to Network Telemetry in the LoadMaster main menu and click Install to get the latest add-on package.
- If you installed Network Telemetry on an earlier release, then after upgrading to LMOS 7.2.55.0 you can get the latest version of the add-on as follows:
  - Go to the Other Downloads page on the Kemp website.
  - Click on the Network Telemetry Flowmon Add-On link.
  - The download page lists the add-on packages for both the latest GA release and for the LTS (Long Term Support) release. Click on the link for the 7.2.55.0 add-on.
  - Once the download is complete, unzip the archive. There will be two files: the add-on image and an XML file.
  - Navigate to System Configuration > System Administration > Software Update in the LoadMaster UI. The bottom section of the screen should look like this:
  - Click the Browse buttons to upload the software package and the XML verification file.
  - Once the files are uploaded, click Install Addon Package.
  - Once the package is installed, click OK on the confirmation message that appears. The Version Installed in the screen above should now be 7.2.55.0.nnnnn.RELEASE.
Note: In a small number of cases, LoadMaster needs to be rebooted to complete the add-on upgrade. If the Flowmon add-on package appears in red text in the screen above, a reboot is required. Navigate to System Configuration > System Administration > Reboot System and click Reboot. Otherwise, the package is ready to use after you install or update it.
LoadMaster Dashboard Installer for Collector (Version 2)
A new version of the LoadMaster dashboard creation script for Flowmon Collector (supplied originally with LMOS 7.2.53.0) is available from the Other Downloads section of the support website. Key improvements in this version:
- An additional LMOS API script is provided to automate creation of the configuration file required to run the dashboard script. Like the dashboard script itself, this is a bash shell script that can be run from the Collector's SSH login shell.
- The dashboards created reflect LoadMaster settings (such as Alternate IP Address, Transparency, and Subnet Originating Requests) that affect the IP addresses LoadMaster uses to communicate with Real Servers and clients. Prompts are issued for any information that cannot be clearly identified using the API.
- SubVS traffic is now visualized on separate per-SubVS dashboards.
For complete instructions on using the scripts, see the documentation included in the download archive.
GEO: Capacity, Performance, and UI Enhancements
GEO capacity and performance have been improved in this release:
- In previous releases, the number of Fully Qualified Domain Names (FQDNs) that could be defined was limited to 256 total FQDNs. With this release, significant improvements to processing and performance have resulted in the removal of this limitation. The practical limit to the number of FQDNs supported will be determined by available system resources -- including the amount of load balanced traffic being handled by LoadMaster. As a rule of thumb, an FQDN with 64 IP addresses consumes about 2MB of memory.
- The global limit of 1024 IP addresses and records has also been removed. [Note: the limit of 64 IP addresses per FQDN remains.]
- Modifications to the FQDN UI support the above limitation changes and the UI should be generally more responsive than in previous releases.
Change Notices
SSL Renegotiation Disabled By Default
Starting with LMOS 7.2.55, the System Configuration > Miscellaneous Options > L7 Configuration > SSL Renegotiation setting will be disabled by default, as a recommended security best practice. There are many published vulnerabilities with renegotiation and TLS 1.3 removes support for it completely. Note that this change applies to both new deployments and upgrades.
Ciphers Use for Re-encryption
In previous releases, the ciphers used for re-encryption connections to Real Servers were not configurable. All re-encryption connections now use the same set of ciphers used by other outbound connections, as specified by the Certificates & Security > Remote Access > Outbound Connection Cipher Set setting.
Increased Size Limitation for SSO Custom Form Images
The size limitation for images provided in custom image sets for Forms Based single sign on has been increased from 256 KB to 1 MB.
RPS Limiting UI Removed for Non-Offloaded HTTPS Port 443 VSs
The QoS/Limiting option for rate limiting by HTTP Requests per Second (RPS) will no longer appear in the UI for HTTPS Virtual Services on port 443 with SSL Acceleration disabled. SSL Acceleration must be enabled or this option will not appear -- the SSL connection must be terminated on LoadMaster for this option to work.
Security Updates
Update OpenSSL to Version 1.1.1k
The version of OpenSSL on LoadMaster has been updated from 1.1.1 (no letter) to 1.1.1k, to address various issues in the previously supported release. See the OpenSSL 1.1.1 Release Notes page for more information on the differences between 1.1.1k and previous releases.
Strict Transport Security Header Settings
HTTP Strict Transport Security (HSTS) allows a server (in this case LMOS) to set a header in client responses that instructs the client to force all subsequent connections to use HTTPS and to disregard any attempt to load any resource in that domain (and possibly its subdomains) over HTTP.
The Strict-Transport-Security header has various associated settings, none of which were exposed in the UI in previous releases. With this release, all settings are available through both the API and the UI. In the UI, they are exposed as follows:
- The default maximum age of all Strict-Transport-Security headers set by LoadMaster is 31536000 seconds (365 days/1 year). This global value can be modified on the System Configuration > Miscellaneous Options > L7 Configuration page by setting L7 Security Header Age to the desired number of seconds. Two years (63072000 seconds) is a commonly used value; the largest value that can be set is three years (94608000 seconds).
- The content of the Strict-Transport-Security header can be customized for each Virtual Service in the SSL Properties section of the VS configuration:
  - Don't add the Strict Transport Security Header: This is the default value.
  - Add the Strict Transport Security Header -- no subdomains: Adds the header only to client responses in the domain, not for any subdomains.
  - Add the Strict Transport Security Header -- include subdomains: Adds the header to client responses in the domain and all subdomains.
  - Add the Strict Transport Security Header -- no subdomains + preload: Adds the header only to client responses in the domain, not for any subdomains; allow the use of HSTS preloading, if supported by the client browser.
  - Add the Strict Transport Security Header -- include subdomains + preload: Adds the header to client responses in the domain and all subdomains; allow the use of HSTS preloading, if supported by the client browser.
See the following links for more information and guidelines on setting the HSTS header; also see this explanation of HSTS preloading.
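To confirm after an upgrade that a Virtual Service emits the header its SSL Properties setting implies, the check below parses a response's Strict-Transport-Security value and maps it back to the five options listed above. It is an added example, not Kemp code: the function names, finding codes and sample responses are constructed here, and the preload check reflects the hstspreload.org submission requirements (includeSubDomains and a max-age of at least one year), which the release notes do not state.

```python
import re

# Values from the release notes above.
DEFAULT_MAX_AGE = 31536000    # default L7 Security Header Age (one year)
MAX_SETTABLE_AGE = 94608000   # largest value the setting accepts (three years)

NO_HEADER = "Don't add the Strict Transport Security Header"
# (includeSubDomains present, preload present) -> per-Virtual-Service option
VS_OPTIONS = {
    (False, False): "Add the Strict Transport Security Header -- no subdomains",
    (True, False): "Add the Strict Transport Security Header -- include subdomains",
    (False, True): "Add the Strict Transport Security Header -- no subdomains + preload",
    (True, True): "Add the Strict Transport Security Header -- include subdomains + preload",
}


def parse_hsts(value):
    """Return (max_age, include_subdomains, preload) for one header value.

    Directive names are case-insensitive, max-age may be a quoted string,
    unknown directives are ignored and a repeated directive is an error.
    """
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing or doubled ';'
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        if name in seen:
            raise ValueError("directive repeated: " + name)
        seen[name] = arg.strip().strip('"')
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        raise ValueError("max-age missing or not a non-negative integer")
    return int(seen["max-age"]), "includesubdomains" in seen, "preload" in seen


def audit_hsts(headers, expected_max_age=DEFAULT_MAX_AGE):
    """headers: list of (name, value) pairs from one HTTPS response."""
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return {"option": NO_HEADER, "max_age": None, "findings": []}
    findings = []
    if len(values) > 1:
        # Clients process only the first header, so only that one is parsed.
        findings.append("multiple-headers")
    try:
        max_age, subdomains, preload = parse_hsts(values[0])
    except ValueError:
        findings.append("invalid-header")
        return {"option": None, "max_age": None, "findings": findings}
    if max_age == 0:
        findings.append("max-age-zero")          # tells clients to drop the policy
    elif max_age > MAX_SETTABLE_AGE:
        findings.append("max-age-not-settable")  # above the three-year limit
    elif max_age != expected_max_age:
        findings.append("max-age-differs")       # not the configured header age
    if preload and (not subdomains or max_age < DEFAULT_MAX_AGE):
        findings.append("preload-not-submittable")
    return {"option": VS_OPTIONS[(subdomains, preload)],
            "max_age": max_age, "findings": findings}


# Constructed sample responses, not captured from a real unit.
SAMPLES = {
    "vs-default": [("Content-Type", "text/html")],
    "vs-subdomains": [("strict-transport-security",
                       "max-age=31536000; includeSubDomains")],
    "vs-preload-only": [("Strict-Transport-Security",
                         "max-age=63072000; preload")],
    "vs-two-headers": [("Strict-Transport-Security",
                        'max-age="126144000"; includeSubDomains'),
                       ("Strict-Transport-Security", "max-age=0")],
}

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        print(name, audit_hsts(headers))
```

Pass the value configured in L7 Security Header Age as `expected_max_age` when it has been changed from the default.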
Single Sign On: SameSite and Secure Options
Single Sign On data connections in previous releases didn't include either a "SameSite" or "Secure" parameter in the Set-Cookie header. With this release, the "Secure" parameter is now always sent and, by default, the "SameSite" parameter is not added. These options can be set globally or per-Virtual Service:
- The global setting on the System Configuration > Miscellaneous Options > L7 Configuration page can be set to the following values:
  - SameSite Option Not Added (the default value, compatible with previous releases)
  - None
  - Lax
  - Strict
- The Virtual Service setting appears under ESP Options when ESP is enabled and Client Authentication Mode is set to Forms Based. The default value at this level is the System Default setting, which means it's the same as the global setting. The other values shown above can also be set at the VS level.
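The global and per-Virtual-Service settings above can be checked against what a Forms Based login response actually sets. The following is an added example, not Kemp code: it resolves the System Default inheritance, parses a Set-Cookie line and reports whether Secure and SameSite match the configuration. The function names, finding codes and the cookie name SSO_EXAMPLE are constructed for illustration.

```python
NOT_ADDED = "SameSite Option Not Added"   # global default per the notes above
SYSTEM_DEFAULT = "System Default"         # VS-level default: inherit the global value
GLOBAL_VALUES = (NOT_ADDED, "None", "Lax", "Strict")


def effective_samesite(vs_setting, global_setting):
    """Resolve the Virtual Service setting against the global one."""
    if global_setting not in GLOBAL_VALUES:
        raise ValueError("unknown global setting: %r" % global_setting)
    if vs_setting == SYSTEM_DEFAULT:
        return global_setting
    if vs_setting not in GLOBAL_VALUES:
        raise ValueError("unknown Virtual Service setting: %r" % vs_setting)
    return vs_setting


def parse_set_cookie(line):
    """Return (cookie_name, attrs); attribute names are lower-cased.

    When an attribute is repeated, the last occurrence is kept, which is
    the one browsers apply.
    """
    first, *rest = line.split(";")
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.strip().partition("=")
        if key:
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_sso_cookie(line, vs_setting, global_setting):
    """Compare one Set-Cookie header value with the configured options."""
    expected = effective_samesite(vs_setting, global_setting)
    name, attrs = parse_set_cookie(line)
    findings = []
    if "secure" not in attrs:
        # Secure is always sent as of this release, so its absence points to
        # an older firmware or a cookie set by something other than SSO.
        findings.append("secure-missing")
    got = attrs.get("samesite")
    if expected == NOT_ADDED:
        if got is not None:
            findings.append("samesite-unexpected")
    elif got is None:
        findings.append("samesite-missing")
    elif got.lower() != expected.lower():
        findings.append("samesite-mismatch")
    return name, findings


# Constructed Set-Cookie values, not captured from a real unit.
SAMPLE_COOKIES = [
    ("SSO_EXAMPLE=abc123; Path=/; Secure; HttpOnly", SYSTEM_DEFAULT, NOT_ADDED),
    ("SSO_EXAMPLE=abc123; Path=/", "Lax", NOT_ADDED),
    ("SSO_EXAMPLE=abc123; Secure; SameSite=None", SYSTEM_DEFAULT, "Strict"),
]

if __name__ == "__main__":
    for line, vs, glob in SAMPLE_COOKIES:
        print(audit_sso_cookie(line, vs, glob))
```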
Console Support for WUI Cipher Reset
The system console has been enhanced to support resetting the cipher set used by the LoadMaster UI, for use cases where setting a cipher set improperly may cause the UI to be unreachable. To use this facility:
- Log into the system console using the hardware or hypervisor console capability, or via SSH.
- At the LoadMaster Configuration menu, select Local Administration > Web Address > Restore Admin WUI access to default mode.
This command does the following:
- Resets the Certificates & Security > Admin WUI Access > WUI Cipher Set parameter to the default WUI cipher set.
- Resets the Certificates & Security > Remote Access > Self-signed Certificate Handling parameter to the default (RSA self-signed certs).
Certificate Chain of Trust for UI Authentication
The ability to specify the intermediate and Certificate Authority (CA) certificates to be used to validate a client certificate presented for login to the UI has been added to the API and to the Certificates & Security > WUI Access Options UI page. Controls have been added to the top of the page under Admin WUI Options that list all the intermediate and CA certificates currently installed on LoadMaster and allow you to select the certificate(s) that will be used to validate client certificates presented for login. Any client certificates presented whose chain of trust cannot be validated using the selected CA and Intermediate certificates will be denied access. The default is to check against all existing certificates.
Console CLI Security Update
The system console has been updated to close vulnerabilities present in the CLI in previous releases that could allow an already authenticated user to obtain a privileged shell. The CVE identifier for this vulnerability is CVE-2021-41068.
WUI Template Security Update
Validation has been enhanced for the upload of a Virtual Service Template to the system, to close a security vulnerability wherein a carefully constructed file can be uploaded as a template and create unwanted files on the filesystem. The CVE identifier for this vulnerability is CVE-2021-41069.
Issues Resolved
PD-18853 |
Logging - ESP CEF Format Logs: Fixed various issues that could cause incorrect information to be displayed in the ESP Common Event Format (CEF) format logs. |
PD-18852 |
Console Security: Addressed security issues in the console interface that could allow an authenticated user to gain access to a privileged shell. |
PD-18831 |
Let's Encrypt: Fixed errors that caused domain names to be compared in a case-sensitive manner, instead of case-insensitive. |
PD-18784 |
Logging - ESP Performance: Addressed issues with date calculations that could cause ESP logging to consume significant CPU resources. |
PD-18737 |
HTTP/2 Performance: Fixed issues related to clients that are accepting data slower than real servers are sending data that could negatively affect HTTP/2 performance. |
PD-18727 |
Access Control Lists (ACLs): In previous releases, an ACL entry that denies access to a Virtual Service would be ignored (and access allowed) under these conditions:
This issue has been fixed. |
PD-18597 |
Statistics for Client Limiting: Fixed an issue that resulted in no limiting statistics being displayed after activating "generate limiter statistics". |
PD-18594 |
HTTP/2 File Access: Customers reported HTTP/2 failures when accessing files using either a Mac client using Safari or Linux clients using the curl command, where the real server reports a broken pipe. The workaround was to disable HTTP/2. This bug has been fixed. |
PD-18525 |
WAF: Fixed an issue where enabling WAF on a Virtual Service did not enable statistics to be displayed. |
PD-18479 |
WAF: Fixed a bug that resulted in the counters for Top 10 Countries being reset and no longer displaying data when WAF is enabled/disabled. |
PD-18478 |
WAF: Fixed a bug that caused response rules to not be processed properly, resulting in WAF not blocking attacks that should have been blocked. |
PD-18469 |
Kubernetes Ingress Controller: Moved internal logs that occur under some circumstances to the debug log. |
PD-18466 |
WAF: Fixed issues that could cause a segmentation fault or reboot when the WAF configuration is modified while there is traffic passing through the WAF engine. |
PD-18454 |
ESP Post-Pass Authentication: Fixed a bug that broke the "Post-Pass" authentication method (and hence broke preauthentication for Citrix Workspace App deployments). |
PD-18448 |
Health Checking: Fixed a bug that broke the Show Headers button for the HTTP Protocol and HTTPS Protocol Real Server Check Methods. |
PD-18440 |
WAF: Addressed an issue with connection timeouts that caused the log message "Hit connection limit 64000" to appear and WAF processing to stop when a remote real server fails. |
PD-18437 |
API V2 (JSON): Fixed an issue with the addvs command that caused a segmentation fault when an invalid configuration is supplied. |
PD-18423 |
API V2 (JSON): Fixed issues with several commands where the JSON output returned was either incorrect or empty. |
PD-18295 |
WAF: Modified the permitted characters for custom WAF rule and data files to also include period and dash characters. The full set of supported characters includes: all alphanumeric characters, period (.), dash (-), and underscore (_). |
PD-18292 |
SNMP: Fixed an issue that could cause the SNMP daemon to exit when many real servers are configured. |
PD-18268 |
HTTPS Virtual Services: In previous releases, users become unable to connect to an HTTPS Virtual Service and messages like this appear in the LoadMaster log: "kernel: L7: Error binding socket -98.". This issue has been fixed. |
PD-18244 |
Virtual Service UI: Fixed issues associated with missing UI controls after converting a VS from Generic to HTTP-HTTP/2-HTTPS. |
PD-18202 |
LDAP UI Access: Fixed an issue that could allow an invalid user to get UI access. |
PD-18144 |
GEO Clustering: Fixed an issue that caused GEO cluster checks to fail with the log message "logger: error receiving the file from the remote LM". |
PD-18140 |
Logging - ESP: Added ESP user logs when flushing the SSO cache. |
PD-18137 |
WAF: Fixed a bug in Custom Rules selection that required selecting 'drupal' to enable any custom rules. |
PD-18098 |
WAF PowerShell API: Added the AlertThreshold parameter to the addvs command. |
PD-18043 |
Real Servers: Fixed an issue where LoadMaster failed to pass data to a Real Server with an Elliptical Curve (EC) certificate. |
PD-18041 |
SubVS Multiple Connect: In previous releases, when Enable Multiple Connect is turned on for a SubVS, some connections will close if the server response body was empty. This issue has been fixed. |
PD-18028 |
WUI Login: In previous releases, certificate based login will fail unless the CN (Common Name) in the certificate includes an emailAddress attribute. This bug has been fixed. |
PD-18021 | Content Rule UI: Display is incorrect when the 'Ignore case' option is enabled. |
PD-17973 |
Single Sign On - LDAP: Fixed issues associated with LDAP SSO no longer working after an upgrade to LMOS 7.2.53. The issues appeared in conjunction with log messages like the following: |
PD-17947 |
IPv6 and Packet Filtering: Fixed an issue where IPv6 traffic from a Real Server (acting as a client) was not forwarded by the LoadMaster when packet filtering was enabled. |
PD-17934 |
QoS / Client Limiting: Fixed an issue that could cause client limiting to thrash between limiting and not limiting a client. |
PD-17931 |
Content Response Rules: Fixed an issue that caused performance issues when attempting to apply a response rule to an empty file. |
PD-17876 |
QoS/Limiting: Fixed an issue that could cause a kernel panic when limiting UDP traffic. |
PD-17867 |
Historical Graphs UI: Addressed an issue that caused some graphs to disappear from the page following upgrade to v7.2.53. |
PD-17719 |
RADIUS Health Checks: Fixed an issue where RADIUS health checks with very long re-authentication times stop working after upgrade to LMOS 7.2.52. |
PD-17601 |
Syslog CEF Logging: Fixed issues where Common Event Format logging is enabled and some user logs are improperly merged because of spurious characters (%5c) in the login string. |
PD-17451 |
API V2 (JSON): Fixed an issue where the listfqdns API V2 was returning an invalid JSON response with duplicate keys. The parameters are now properly wrapped inside an array. |
PD-16140 |
GEO: Fixed an issue that caused TXT records to be blank after 1024 IP addresses are added to an FQDN. |
PD-15585 |
TLS Handshake: For some applications (e.g., IOS Mail App or Android 10 Skype App), LoadMaster does not properly downgrade the TLS version used when TLS 1.3 is requested but is not configured on the Virtual Service. This bug has been fixed. |
New Known Issues
PD-19194 | AWS: It is not possible to downgrade a fresh install of LMOS 7.2.55.0 in the AWS Cloud to an earlier LMOS release. |
PD-19175 | ESP User Logs: It is possible that the domain name reported in a login message and an associated kill session message do not match. |
PD-19108 |
GEO: Modifying an FQDN entry displays a spurious error on the system console, similar to the one shown below. The FQDN is modified properly. <FQDN>:794 Uncaught ReferenceError: disp_addrr_elements is not defined at <FQDN>:794 (anonymous) @ <FQDN>:794 |
PD-19093 | GEO: Cannot configure GEO into partnering mode unless there is at least one FQDN already defined. |
PD-18646 | Certificate-Based Administrative Login: Using a certificate that does not have a SAN attribute (i.e., no Principal Name) results in a failed login attempt. |
PD-18615 | GEO: No statistics (queries per second, etc.) are displayed for a site if the FQDN is configured to use the "All Available" Selection Criteria. |
Existing Known Issues
PD-19496 |
Stability: In rare cases, an unexpected reboot may occur as the system is stopping a Virtual Service (because, for example, there are no Real Servers available). If a new connection to the Virtual Service is received during a very short period of time during the process of stopping the Virtual Service, then the system may reboot. |
PD-18099 | Client Certificates: Authentication may be denied if multiple "Other names" are present in the client certificate. |
PD-17927 | LDAP UI Access: Under certain circumstances, a user that has no LDAP credentials can gain access to the UI. |
PD-15872 | LDAP/Syslog: StartTLS is not working when the Server Certificate Validation flag is enabled. |
PD-15633 | GEO: If you add a Zone Name to GEO after you have created working FQDNs, GEO may no longer respond to queries for one or more of the FQDNs after the Zone Name is added. The workaround is to remove and then re-add the FQDNs that are no longer working. |
PD-15475 | VS Redirects: If you attempt to upload a new redirect error HTML file to a Virtual Service with Not Available Redirection Handling enabled while traffic is currently being redirected, then traffic to the VS is dropped. Click the Error Message radio button in the UI and the VS begins accepting connections again. |
PD-15354 | SSO Timeout: In LMOS 7.2.51.0, a fix was introduced for issues that caused an SSO client to not be properly logged out when the configured session timeout expires. It has been observed that while sessions do timeout, they are not always closed immediately upon the expiry of the timer; it can take close to a minute longer for the session to be closed. |
PD-15294 | ESP Verify Bearer Header: LoadMaster does not return an error when an encrypted token is received and there is no SSL certificate assigned to the VS to decrypt the token. |
PD-15172 | ESP Verify Bearer Header: Validation is not working when "Allowed Virtual Hosts" and "Allowed Virtual Directories" are blank on the Virtual Service. |
PD-14943 | Single Sign On: When Form Based Authentication is enabled on the server side, it is possible that after filling out correct credentials and submitting the login form, the form will be presented again; once the second login form is submitted with correct credentials, the login succeeds. |
PD-13899 | ACLs and Real Servers: Real Servers located on networks on which LoadMaster also has an IP address are always allowed to access Virtual Services on that network interface regardless of any access control list (ACL) settings on LoadMaster. For Layer 7 services, this issue can be worked around using Content Rules. The workaround for other services is to block access for local Real Servers (if desired) on another network device (firewall, switch, router, etc.). |
PD-12838 | ESP / SSO: The ESP Permitted Group SID(s) setting is not working as expected when configured on a SubVS. |
PD-12616 | WAF / Compression: With Web Application Firewall (WAF) enabled, compressed files are incorrectly decompressed. As a workaround, ensure compression is enabled in VS Advanced Properties by selecting the Enable Compression option. |
PD-12492 | Downgrade: If an Azure VLM is downgraded to the LTS firmware release (7.1.35.x), the WUI may display in the top right-hand corner that the VLM is a Hyper-V VLM. This indicates that the Azure VLM Add-On Package must be added to the system to provide full Azure VLM functionality. If this occurs, please contact Kemp Support to get the required add-on package. |
PD-12354 PD-10466 |
Hardware Support: The LoadMaster models LM-X15, LM-X25, and LM-X40 do not support the following SFP+ modules: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000BASE-LX 1310nm, 10KM over SMF). |
PD-12237 | HA / NTP: Configuring NTP for the first time after the system is running in High Availability (HA) mode and when the current time on the machines is not correct, may cause the systems to both go into the Master state. |
PD-12147 | ESP / RADIUS: In a LoadMaster configuration with ESP and Radius server-side authentication enabled, sessions may fail to be established. |
PD-12058 | Browser Support: An issue exists when connecting to the LoadMaster WUI when using newer versions of the Firefox browser on initial configuration of a hardware FIPS LoadMaster. |
PD-11861 | RADIUS / IPv6: IPv6 is not supported by the current RADIUS implementation in the LoadMaster for both WUI Authorization and ESP Authentication. |
PD-11166 | Networking: Azure LoadMasters are not translating the additional network address between the Master and Slave correctly. |
PD-11044 | SharePoint Virtual Services: A second authentication prompt is presented when a file is uploaded to SharePoint with the following configuration: WAF is configured with Process Responses enabled on the main Virtual Service and KCD is enabled on the SubVS level for server-side authentication. |
PD-10917 | HA: An issue exists when setting up a 2-armed HA Virtual LoadMaster in Azure. |
PD-10784 | HA: Configuring LoadMaster HA using eth1 on an Amazon Web Services (AWS) Virtual LoadMaster does not work. |
PD-10586 | GEO: If a GEO FQDN is configured with All Available as the Selection Criteria, IP addresses are returned even if the cluster is disabled. |
PD-10490 | WAF: The vsremovewafrule RESTful API command does not allow multiple rules to be removed. This problem has been fixed. |
PD-10193 | Exchange 2010 Virtual Services: A WAF, ESP, and KCD configuration with Microsoft Exchange 2010 is not supported. |
PD-10188 | Browser Support: (Safari) When adding a Real Server to a Virtual Service or SubVS using the Safari browser, the list of available Real Servers is not available. |
PD-10159 | Statistics: When upgrading firmware from version 7.1.35.n, CPU and network usage graphs are not appearing. As a workaround, reset the statistics in the WUI. |
PD-10136 | Clustering: In a LoadMaster cluster configuration, a new node can be added with the same IP address as an existing node. |
PD-9816 PD-9476 |
WAF: There is an API command to list individual rules in a ruleset, but there is no command to list the available rulesets themselves. |
PD-9765 | GEO: DNS TCP requests from unknown sources are not supported. |
PD-9507 | Networking: Unable to add an SDN controller using the RESTful API/WUI in a specific scenario. |
PD-9375 | SharePoint Virtual Services: Microsoft Office files in SharePoint do not work in Firefox and Chrome when using SAML authentication. |