Cumulus Linux 4.4 Release Notes
4.4.5 Release Notes
Open Issues in 4.4.5
Issue ID | Description | Affects | Fixed |
---|---|---|---|
4143345 |
On the Trident3 switch, if you use NCLU to configure BGP neighbor shutdown, NCLU stops responding when you include more than 200 neighbors per peer group. If you do not use NCLU to configure BGP neighbor shutdown, you can configure a maximum of 300 neighbors per peer group. | 4.3.0-4.4.5 | |
4037015 |
The NVUE commands to delete SNMP users, and change authentication passwords and encryption passphrases are not successful. | 4.3.0-5.9.1 | 5.9.2-5.11.0, 5.10.0-5.11.0 |
3980941 |
After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command#snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a |
4.4.0-5.9.1 | 5.9.2-5.11.0, 5.10.0-5.11.0 |
3773177 |
When you try to upgrade a switch from Cumulus Linux 5.5 or earlier to 5.8.0 or later with package upgrade, you see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb |
4.0.0-4.4.5, 5.0.0-5.11.0 | |
3684998 |
DHCP lease information is not collected in the cl-support file. |
4.3.0-5.6.0 | 5.7.0-5.11.0 |
3528464 |
Cumulus Linux might mark a layer 2 VLAN-tagged packet as a packet to CPU and the INPUT chain ACL might drop the packet. To work around this issue, add an additional addrtype match on the ACL to prevent an erroneous ACL match; for example:[iptables] |
4.3.0-4.4.5 | |
3488136 |
When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf command. |
4.2.1-5.5.1 | 5.6.0-5.11.0 |
3474391 |
The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. |
4.3.1-5.5.1 | 5.6.0-5.11.0 |
3429530 |
On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.11.0 |
3420056 |
The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.11.0 | |
3400244 |
NCLU accepts multiple instances of same net add bgp commands and stores the configuration in the /etc/frr/frr.conf file when you run the net commit command. As a result, unintended commands might be processed during frr-reload . To work around this issue, edit the /etc/frr/frr.conf file to remove the duplicated entries. |
4.3.1-4.4.5 | |
3390022 |
When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the peerlink.4095 interface stanza are duplicated. Subsequent ifreloads , or net commit commands fail until you manually remove the duplicated lines from this interface and run ifreload -a . |
4.2.1-4.4.5 | |
3389994 |
During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The clagctl dumppermanentneighs command only shows local neighbors. |
4.2.1-4.3.1, 4.4.0-5.4.0 | 4.3.2, 5.5.0-5.11.0 |
3387852 |
If you remove NGINX from the switch, then run apt autoremove , switchd does not reload because the libyaml-0-2 and python-yaml packages are missing; these packages are required for switchd consistency checking. To work around this issue, reinstall the libyaml-0-2 and python-yaml packages. |
4.4.0-4.4.5 | |
3368217 |
When daylight saving time changes, the MLAG initDelay timer resets and all MLAG bonds go down. |
4.4.4-4.4.5 | |
3351951 |
Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-4.3.1, 4.4.0-5.3.1 | 4.3.2, 5.4.0-5.11.0 |
3339249 |
The sensors.conf files in Cumulus Linux are out of date. |
4.2.1-4.4.5 | |
3333064 |
The traffic control rules that the EVPN multihoming configuration adds to an interface are deleted when the hsflowd service restarts. The hsflowd service deletes the EVPN multihoming traffic control filters after you stop hsflowd , then adds back the match-all filters with the psample action; however, hsflowd does not add back the EVPN multihoming traffic control rules. |
4.4.0-5.3.1 | 5.4.0-5.11.0 |
3330705 |
When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. |
3.7.0-5.3.1 | 5.4.0-5.11.0 |
3327477 |
If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. |
3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.11.0 | |
3321391 |
On the NVIDIA SN2410 switch, ports with optical transceivers show FAULT errors in the sensor command output. |
4.2.1-5.3.1 | 5.4.0-5.11.0 |
3303105 |
Clagd crash is observed with the following traceback in /var/log/clagd.log following a clag sync event which is typically driven by a peerlink up event: unhandled exception: Traceback (most recent call last): File “/usr/sbin/clagd”, line 1304, in PeerRecvT PeerRecv() File “/usr/sbin/clagd”, line 513, in PeerRecv ParseProtoBufMessage(nlm, myPeerMsg) File “/usr/sbin/clagd”, line 853, in ParseProtoBufMessage msgData = FdbSync.ParseProtoBufMessage(msgHdr) File “/usr/lib/python3/dist-packages/clag/fdbsync.py”, line 892, in ParseProtoBufMessage msgData.ParseFromString(msgHdr.data) google.protobuf.message.DecodeError: Error parsing message |
4.4.0-4.4.5 | |
3293110 |
You cannot set the NTF router flag (NTF_ROUTER) on neighbor entries from the user space. | 4.4.2-4.4.5 | |
3292873 |
When you run ZTP manually with the ztp -R command, then the ztp -vb command, the process stalls indefinitely while searching the local (USB) location and not using DHCP information. To work around this issue, run the ztp -r command with the URL of the ZTP server:[Dec-08-17:09:58] root@switch:/home/cumulus# ztp -r http://myztp.server.local/ztp |
4.4.2-4.4.5 | |
3291548 |
In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd . |
4.2.1-4.4.5 | 5.0.0-5.11.0 |
3288156 |
When you configure a new VNI, the VLAN 1 VNI mapping is removed from the VXLAN device. To work around this issue, set the VNI interface mapped to VLAN 1 down and up again. | 4.4.3-5.1.0 | 5.2.0-5.11.0 |
3284719 |
Certain EVPN multihoming show commands might cause the bgpd service to crash if you use the json flag and try to reference the default VRF by name. For example: show bgp l2vpn evpn es-vrf json . |
4.4.2-4.4.5 | |
3270988 |
After restarting switchd on the NVIDIA SN2100 switch, the FAN speeds are at one hundred percent. To work around this issue, restart the hw-management service. |
4.4.5-5.2.0 | 5.2.1-5.11.0 |
3269537 |
When an FRR routing service (such as bgpd ) becomes unresponsive, watchfrr might fail to stop and restart service. To work around this issue, restart FRR with the systemctl restart frr command. |
4.4.0-5.3.1 | 5.4.0-5.11.0 |
3244740 |
If you have a lot of inbound route maps that match lists with many regex statements, a large number of updates from the peer can cause the system to run out of memory. To work around this issue, reduce the number of regex matches in inbound route maps. | 4.4.0-5.2.1 | 4.3.2, 5.3.0-5.11.0 |
3236366 |
When you run docker commands, the command process might crash. The crash can occur during the apt upgrade process, where you can run docker commands implicitly. To work around this issue, run ulimit -v unlimited before running docker commands. |
4.4.5 | |
3235368 |
When you try to configure VRF route leaking between many VRFs using multiple NCLU commands before running the net commit command, the commit fails. To work around this issue, configure VRF leaking one command at a time and run net commit after each command. |
4.4.4-5.2.1 | 5.3.0-5.11.0 |
3227677 |
When daylight saving time changes the time, the MLAG initDelay timer resets and all MLAG bonds go down. |
4.4.4-5.2.1 | 5.3.0-5.11.0 |
3226579 |
The net show interface command output shows Type=Unknown for the specified interface. |
4.4.3-4.4.5 | |
3221470 |
Under heavy system load, when many forwarding resources (routes, neighbors, ECMP groups, and so on) are removed from hardware, subsequent attempts to configure additional forwarding resources might fail and you see the following log message:sx_sdk: EMAD_RX_THREAD: EMAD transaction FW error |
4.4.0-5.1.0 | 5.2.0-5.11.0 |
3218207 |
Certain routes on tenant VRFs have missing next hop entries because the router MAC address is missing in the bridge forwarding database table that corresponds to the remote VTEP. As a result, traffic forwarding is affected for these routes. | 4.3.0-5.2.1 | 5.3.0-5.11.0 |
3216922 |
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). |
3.7.0-5.2.1 | 5.3.0-5.11.0 |
3216921 |
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) |
3.7.0-3.7.16, 4.3.0-4.4.5 | |
3216759 |
With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctlyhal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More ResourcesTo work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. |
3.7.15-3.7.16, 4.3.0-4.4.5 | |
3211369 |
The NCLU net show interface pluggables command takes a long time (approximately five minutes) to complete. |
4.2.1-4.4.5 | |
3211359 |
The net show interface command output shows Type=Unknown for the specified interface. |
4.4.3-5.0.1 | 5.1.0-5.11.0 |
3211054 |
On the NVIDIA Spectrum-2 switch, when receiving multicast traffic on a PIM enabled VLAN, the multicast traffic is forwarded correctly to the associated VLAN, however WJH shows traffic loss with the error:
|
4.4.2-5.2.1 | 5.3.0-5.11.0 |
3209699 |
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users) |
3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.11.0 |
3192808 |
When the switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. |
4.3.0-4.3.1, 4.4.0-5.2.1 | 4.3.2, 5.3.0-5.11.0 |
3168564 |
In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), switchd might crash when you restart clagd or when all bonds go operationally down, then upOn Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. |
4.3.1-4.4.5 | |
3163845 |
If bond slaves listed in the /etc/network/interfaces file are not in alphabetical order, the bond interface MAC address can change when you run ifreload . For example, if the bond slaves in the /etc/network/interfaces file are listed as swp32 swp31 , the switch initially uses the MAC address for swp32 as the bond MAC address. An another ifreload can cause this to change to use the MAC address for swp31 as the bond MAC address, which can cause protocol issues, such as IPv6 link-local address changes. |
4.3.1-4.4.5 | |
3157240 |
When you try to query REDECN counters with the mlxcmd utility on a bond member port with the following commands, syslog reports an errorsudo /usr/lib/cumulus/mlxcmd roce counters –port |
4.4.4-5.1.0 | 5.2.0-5.11.0 |
3150317 |
During a host failure, where a link remains up but LACP stops being sent, the EVPN multihoming ES bond goes into bypass mode active without a link state change. | 4.4.2-5.2.1 | 5.3.0-5.11.0 |
3138746 |
The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0-5.1.0 | 5.2.0-5.11.0 |
3138057 |
When the next hop interface for EVPN type 5 routes flaps, FRR might uninstall the routes and Route install failed appears in /var/log/frr/frr.log . To work around this problem, restart FRR with the sudo systemctl restart frr command. |
4.4.0-5.2.1 | 5.3.0-5.11.0 |
3135801 |
Zebra rejects MAC IP updates from BGP when the MAC mobility sequence number that BGP sends is lower than the sequence number known to zebra When the MAC mobility sequence that BGP knows legitimately lowers (due to narrow timing conditions during convergence or after rebooting an MLAG pair one VTEP at a time), zebra rejects these updates and maintains a stale state. If the stale information that zebra uses points to the wrong VTEP address, traffic goes to the wrong VTEP and might drop. |
4.0.0-4.3.0, 4.4.0-4.4.5 | 3.7.16, 4.3.1 |
3131423 |
During EVPN multihoming bond failover, ARP and ND redirection fails if you configure layer 2 VNIs and ES bonds before you configure the loopback IP address of the switch. To work around this issue, configure the loopback IP address, then restart FRR with the systemctl restart frr command. |
4.3.0-5.1.0 | 5.2.0-5.11.0 |
3129819 |
On the EdgeCore AS4610 switch, the clagd service loses communication after 198 days of uptime. |
3.7.15-3.7.16, 4.3.0-4.4.5 | |
3123556 |
When you configure an interface in FRR to send IPv6 RAs before you configure the interface in the /etc/network/interfaces file, the switch does not process IPv6 RAs. To work around this issue, remove the interface configuration in FRR and reapply it. |
3.7.15-4.3.0, 4.4.0-5.1.0 | 4.3.1, 5.2.0-5.11.0 |
3119615 |
In an MLAG topology, if you admin down a single connected interface, any dynamic MAC addresses on the peer link are flushed, then added back momentarily, which creates a disruption in traffic. | 3.7.15-5.1.0 | 5.2.0-5.11.0 |
3117340 |
When you edit the /usr/share/openvswitch/scripts/ovs-ctl-vtep file to change the ovs-vtepd configuration between vlan-aware and vlan-unaware mode, ovs-vtepd crashes when you restart the service. To recover, restart the networking service with the sudo systemctl restart networking command. |
4.3.0-5.1.0 | 5.2.0-5.11.0 |
3115415 |
In the Cumulus-BGPVRF-MIB, the bgpPeerFsmEstablishedTime OID does not correctly report the time since a BGP session goes down. |
4.4.4-5.1.0 | 5.2.0-5.11.0 |
3113042 |
After a fresh installation of Cumulus Linux, the package manager reports that the cumulus-archive-keyring package can be upgraded This is a security fix made available after the 4.4.4 image release to change the repository URLs in the /etc/apt/sources.list file from http to https. |
4.4.4-4.4.5 | |
3112971 |
When you configure a VRF static route using the legacy command syntax in FRR (for example: ip route 10.0.0.0/8 172.16.1.1 vrf vrf-red ), then make subsequent VRF or route configuration changes, FRR might crash. To avoid this problem, use the current method for configuring VRF routes within the VRF stanza:vrf vrf-red |
4.4.3-5.1.0 | 5.2.0-5.11.0 |
3112938 |
In the Cumulus-BGPVRF-MIB, the bgpPeerFsmEstablishedTransitions OID always reports a value of 0. |
4.4.4-5.1.0 | 5.2.0-5.11.0 |
3093966 |
On Broadcom switches, INPUT chain iptable rules filter IPv6 packets matching the rules. | 3.7.15-3.7.16, 4.3.0-4.4.5 | |
3084027 |
Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware. |
4.3.0-4.4.5, 5.0.0-5.11.0 | |
3073668 |
On the EdgeCore AS4610 switch, when you change the speed of any of the SFP+ ports, the other SFP+ ports flap. | 3.7.12-3.7.16, 4.3.0-4.4.5 | |
3072613 |
When you delete a bond interface with NCLU, BGP peer group configuration is removed. | 3.7.15-3.7.16, 4.3.0-4.4.5 | |
3071652 |
On rare occasions, after you reboot or restart switchd on a Spectrum 1 switch, any 25G connections with Direct Attach Copper (DAC) cables that connect from the switch to a non-NVIDIA device might flap continuously. To work around this issue, bring the affected link administratively down for a few seconds on the non-NVIDIA device, then bring the link back up. |
4.4.4-4.4.5, 5.1.0-5.11.0 | |
3070672 |
TACACS Command Authorization results in a traceback error and command is not executed | 4.4.0-4.4.5 | |
3059135 |
In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route To resolve this issue, restart FRR with the sudo systemctl restart frr command. |
4.3.0-5.1.0 | 5.2.0-5.11.0 |
3046023 |
The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. |
4.2.1-5.1.0 | 5.2.0-5.11.0 |
3034435 |
In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community. | 4.4.4-5.4.0 | 5.5.0-5.11.0 |
3032234 |
In BGP unnumbered, when you try to remove an interface from the underlay default VRF with the NVUE nv unset vrf default router bgp neighbor command, the command fails to apply. |
4.4.2-5.0.1 | 5.1.0-5.11.0 |
3021838 |
PBR rules that you apply to interfaces in the default VRF install in the kernel with the action lookup local . As a result, packets that match this rule only perform a route lookup in the local table (which contains special routes for local IP addresses and broadcast addresses) but not in the main table (which contains unicast routes). As a result, policy routing might be applied to traffic incorrectly. |
4.4.2-5.0.1 | 5.1.0-5.11.0 |
3008388 |
When you set vlan-bridge-binding on for a VLAN interface, the VLAN interface status does not change to down even when all bridge member ports are down. |
4.4.3-5.0.1 | 5.1.0-5.11.0 |
3007564 |
After you delete the last vxlan-remoteip configuration line from the /etc/network/interfaces file and run the ifreload -a command, the corresponding BUM flood entry is not removed. |
3.7.15-5.0.1 | 5.1.0-5.11.0, 5.2.0-5.11.0 |
2994402 |
When you run ifquery as non-root, EVPN multihoming bond configuration failsTo work around this issue, always use sudo when running ifupdown2 commands ( ifup , ifreload , ifdown , and ifquery ). |
4.4.2-5.0.1 | 5.1.0-5.11.0 |
2971159 |
On rare occasions, the link up time on optical media can be more than five seconds. | 4.4.3-4.4.5 | |
2964279 |
When a VNI flaps, an incorrect list of layer 2 VNIs are associated with a layer 3 VNI. The NCLU net show evpn vni detail command output shows duplicate layer 2 VNIs under a layer 3 VNI. |
3.7.15, 4.4.2-4.4.5, 5.0.0-5.11.0 | 3.7.16 |
2951110 |
The net show time ntp servers command does not show any output with the management VRF. |
3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.11.0 | |
2944167 |
When you use NCLU commands to add a port to a bridge and the port already exists under the bridge, Cumulus Linux removes all other ports from the bridge. | 4.4.2-4.4.5 | |
2943443 |
Cumulus Linux lets you add more than one VXLAN interface to same VLAN on the same bridge. This is an invalid configuration as certain Cumulus Linux components, such as switchd , expect a single VNI for a given bridge or VLAN. |
3.7.15, 4.2.1-4.3.0, 4.4.2-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.11.0 |
2943080 |
The overlay ASN is removed after a route flap. | 4.4.0-5.0.1 | 5.1.0-5.11.0 |
2940051 |
In an MLAG configuration with traditional bridges, MAC addresses are seen over peer link during ifreload when adding new VLANS or bridges. |
3.7.14.2-3.7.15, 4.3.0-4.4.5 | 3.7.16, 5.0.0-5.11.0 |
2933466 |
You cannot run NVUE commands to configure route leaking. To work around this issue, create a snippet in yaml format and add the configuration to the /etc/frr/frr.conf file. |
4.4.0-5.0.1 | 5.1.0-5.11.0 |
2913859 |
ECMP error messages, similar to the following, show in log files:Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:361 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:621 ERR ECMP: failed to CREATE static ecmp in hwDec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:656 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1540 ERR ECMP: failed to allocate hw ecmp status No More ResourcesDec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1561 ERR ECMP: error allocating static ecmpDec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:2207 ERR ECMP: failed to find ecmp container |
4.4.0-5.0.1 | 5.1.0-5.11.0 |
2904450 |
When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. |
4.4.0-4.4.5, 5.0.0-5.11.0 | |
2902013 |
The NCLU commit command adds a five second delay. | 4.2.1-4.4.5 | |
2896450 |
On the Dell N3248PXE switch, fixed RJ45 interfaces with PoE neighbors can end up in Paused mode after a switchd restart, which blocks traffic on that interface. To work around this issue, restart switchd a second or third time until all interfaces are functioning correctly, or reboot the switch. |
4.3.0-4.4.5 | |
2875338 |
In a scaled EVPN-MLAG configuration (observed with 400 or more VNIs and 20K or more MAC addresses – the actual scale might vary), when the peer link flaps causing all VNIs to come up at the same time, there might be high CPU utilization on the system for several minutes and the FRR service might restart. After FRR restarts or the CPU utilization settles down, the system functions normally. | 4.2.1-4.3.0, 4.4.0-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.11.0 |
2866080 |
On the Maverick S4148T switch with MLAG, Cumulus Linux drops LACP, ARP, LLDP and BGP traffic. | 4.3.0-4.4.5 | |
2862211 |
On NVIDIA Spectrum ASICs in a layer 2 bridge scaled configuration (more than 800 VLANs), clagd.service enters a failed state after a reboot or a switchd restartTo work around this issue, load the port configuration in a staggered manner (groups of five downlink ports). |
3.7.12-3.7.15, 4.3.0, 4.4.2-4.4.5 | 3.7.16, 4.3.1, 5.0.0-5.11.0 |
2860323 |
If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry. | 4.4.0-5.0.1 | 5.1.0-5.11.0 |
2845531 |
If you update the MAC address of an SVI when the SVI is in a protodown state (for example, when no bridge ports that carry this VNI are operationally up or if the MAC address of the SVI’s parent bridge changes), clagd does not notice the change. The MLAG peer incorrectly maintains a PERMANENT neighbor entry for the SVI IP that points to the old MAC address. |
4.2.1-4.4.5 | 5.0.0-5.11.0 |
2841584 |
After you upgrade Cumulus Linux on one of the MLAG peers, the bonds do not come up and the reason shows anycast-ip-mismatch even though there is no VXLAN configuration on the switch. To work around this issue, configure an anycast IP address under the loopback interface on both switches in the MLAG pair. |
4.4.2-4.4.5 | 5.0.0-5.11.0 |
2838905 |
On Broadcom ARM switches, the NTP clock slowly drifts to a very high offset (over 500ms) and the clock is not able to synchronize. To work around this issue, use the chrony implementation of NTP instead of ntpd . chrony synchronizes the system clock faster and with better accuracyInstructions for using chrony are here : https://docs.nvidia.com/networking-ethernet-software/knowledge-base/Network-Solutions/Chrony-on-Cumulus-Linux/ |
4.3.0-4.4.5 | |
2837378 |
The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0, 4.4.0-5.1.0 | 4.3.1, 5.2.0-5.11.0 |
2821869 |
The cl-route-check –layer3 command fails with a memory error. For example:cumulus@switch:~$ sudo cl-route-check –layer3Traceback (most recent call last): |
3.7.15-4.4.5 | 5.0.0-5.11.0 |
2820565 |
SNMP does not start and you see errors similar to the following:cumulus@switch:~$ sudo systemctl status snmpd.service snmpd.service - Simple Network Management Protocol (SNMP) Daemon.To work around this issue, run the sudo systemctl restart snmpd.service command. |
4.3.0-4.4.5 | 5.0.0-5.11.0 |
2815646 |
In an EVPN configuration, an FRR restart on a border leaf VRRP master causes a stale route for the VRRP VIP on some remote VTEPs to point to the VRRP backup after convergence. | 3.7.12-3.7.15, 4.3.0, 4.4.2-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.11.0 |
2813563 |
When you change the port speed with the NVUE nv set interface command, then run nv config apply , the port is disabled. To work around this issue, run the ifreload -a command after you apply the port speed setting. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2803428 |
The clagctl -v -j and net show clag verbose json commands show incorrect output. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2802859 |
When the INTF_CMD list in the /etc/default/isc-dhcp-relay file includes non-existent or partially configured interfaces from the /etc/netwwork/interfaces file, there is an open file descriptor leak in DHCP Relay; the DHCP Relay service exits and you see error messages. To work around this issue, either clean up the INTF_CMD list in the /etc/default/isc-dhcp-relay file to remove non-existent or partially configured interfaces from the /etc/network/interfaces file or correct the /etc/network/interfaces file to have a complete configuration for all interfaces defined in the INTF_CMD list in the /etc/default/isc-dhcp-relay file. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2799575 |
When next hop tracking fails for a global next hop, BGP invalidates the entire path instead of only invalidating the global next hop. | 4.4.0-4.4.5 | 5.0.0-5.11.0 |
2799568 |
When you add or remove a global unicast address from an interface, BGP does not update the global next hop advertised to the unnumbered BGP peer. | 4.4.0-4.4.5 | 5.0.0-5.11.0 |
2798406 |
If an MLAG failure of an EVPN Active-Active VTEP pair occurs after you disable EVPN Advertise Primary IP Address, remote VTEPs might not be able to install the anycast RMAC of the failed MLAG peers or the related bridge FDB entry To work around this issue, do not disable EVPN Advertise Primary IP Address, which is enabled by default when you use address-virtual for layer 3 VNI SVI interfaces. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2794766 |
The Mellanox 3700C switch reports a slow memory leak in sx_sdk. Memory increases by about 240B/hour and does not free up. | 4.3.0-4.4.5 | 5.0.0-5.11.0 |
2792750 |
If you change the clagd-vxlan-anycast-ip setting on both MLAG peers at the same time, both peers use their unique VTEP address indefinitely. |
3.7.15-4.3.0, 4.4.0-4.4.5 | 4.3.1 |
2792616 |
If a neighbor entry (ARP or NDP) is used as a next hop of a route that is synchronized into hardware, the neighbor entry is not removed from hardware after the neighbor is no longer reachable. As a result, routed traffic matching this prefix is incorrectly hardware forwarded through the stale neighbor information. | 4.3.0-4.4.5 | 5.0.0-5.11.0 |
2788780 |
When you enable ARP and ND suppression and the switch forwards ARP and ND packets to the kernel, RX_DRP counters might increment but the packets are processed as normal. | 4.4.0-4.4.5 | |
2781537 |
In Cumulus VX, the iptables FORWARD chain does not count hits. To work around this issue, use -t mangle -A PREROUTING instead of FORWARD . |
4.3.0-4.4.5 | 5.0.0-5.11.0 |
2780915 |
In NVUE, you can’t deactivate the IPv4 address family per neighbor. | 4.4.0-4.4.5 | 5.0.0-5.11.0 |
2780834 |
To enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.11.0 |
2780211 |
When you use the NVUE nv set vrf default router bgp peer command to configure a local AS, Cumulus Linux does not update the etc/frr/frr.conf file. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2771653 |
When using W-ECMP, the weights for various BGP next hops can sometimes be in the range of 100s or more, which consumes a lot of hardware space. | 4.3.0-4.4.5 | |
2763819 |
When you enable LACP bypass on a bond, traffic to static MAC addresses configured on the bond might not work when LACP bypass is enforced. | 4.4.0-4.4.5 | |
2754791 |
Remote MAC addreses in zebra are out of sync with bgpd . The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP. |
3.7.14.2-3.7.16, 4.3.0-4.4.5 | |
2753955 |
On the Lenovo MSN3700 switch, if you try to configure an interface with a link speed of 200G, the configuration fails. | 4.2.1-4.4.5 | 5.0.0-5.11.0 |
2752330 |
With BGP and layer 2 forwarding, Smart System Manager warm boot mode can cause packet loss. | 4.4.0-4.4.5 | 5.0.0-5.11.0 |
2747750 |
Links connected between a Spectrum 2 switch configured for warm boot and Spectrum 3 switches configured for cold boot might not come up when the switches are booted. | 4.4.2-4.4.5 | 5.0.0-5.11.0 |
2743186 |
When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. |
3.7.15-5.1.0 | 5.2.0-5.11.0 |
2739402 |
The destination MAC address of ERSPAN GRE packets is set to all zeros. | 4.3.0-4.4.5 | 5.0.0-5.11.0 |
2739398 |
Cumulus Linux does not support a bond or bond member as a SPAN destination. | 4.4.0-4.4.5 | 4.3.1 |
2738040 |
In an EVPN multihoming configuration, unicast ARP requests are not forwarded when the local Ethernet segment is down. | 4.4.0-4.4.5 | |
2736244 |
When you run the vtysh command to enable BGP graceful restart on a peer multiple times, the command fails with the following error:% The Graceful Restart command used is not valid at this moment. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2736108 |
When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. |
4.4.0-4.4.5, 5.0.0-5.11.0 | |
2734103 |
ACL [No More Resources] messages keep appearing and you can’t reinstall the ACL. |
4.3.0-5.1.0 | 5.2.0-5.11.0 |
2732605 |
The ESI line in the show bgp l2vpn evpn route command output always shows VNI: 0. This is a cosmetic software issue. |
4.3.0-4.4.5 | 5.0.0-5.11.0 |
2732587 |
The bridge MAC address is updated during a port change on bridge interfaces. | 4.3.0, 4.4.0-4.4.5 | 4.3.1, 5.0.0-5.11.0 |
2728207 |
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
2728206 |
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
2728119 |
When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command. |
4.3.0-4.4.5 | 5.0.0-5.11.0 |
2713888 |
With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool, and the ACL might not work correctly:
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. |
3.7.15-5.0.1 | 5.1.0-5.11.0 |
2711533 |
On the AS7326-56X switch, the link lights for 25G ports configured to work at 1G do not illuminate. | 4.2.1-4.4.5 | |
2710208 |
The net show bgp neighbor command output does not reflect the correct BFD status. This is a cosmetic issue. To work around this issue, run the NCLU net show bfd command to verify the correct state of BFD. |
4.2.1-4.4.5 | |
2700767 |
Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use a MLAG peer IP linklocal configuration. | 3.7.12-3.7.15, 4.3.0-4.4.5 | 3.7.16 |
2698649 |
When configuring a single VXLAN device in the /etc/network/interfaces file, if you edit the multicast group address in vxlan-mcastgrp-map , then revert the change, the change does not take effect. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2687344 |
On the NVIDIA SN3700 switch, the decode-syseeprom shows device absent for a PSU that is present. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2685994 |
When you use the NVUE command nv set interface lo router ospf area to configure OSPF on a loopback interface, the configuration fails to apply. To work around this issue, configure the loopback interface in the desired OSPF area with the nv set vrf default router ospf area 0 network command and reference the assigned prefix of the loopback interface. For example:
cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32 |
4.0.0-5.0.1 | 5.1.0-5.11.0 |
2685036 |
When the PIM RP configuration includes an anycast IP address and the route to that anycast IP address changes while joined to a multicast stream, you might receive the multicast stream from both the old and the new anycast source. | 4.4.0-4.4.5 | |
2684925 |
The NVUE nv show vrf default router bgp peer command produces a 404 not found error. |
4.4.0-4.4.5, 5.0.0-5.11.0 | |
2671652 |
In VXLAN routing environments, you might experience sub-optimal route convergence delays (longer than five seconds) when a prefix transitions to a new ECMP next-hop group. This condition might occur when a VTEP loses ECMP routes through all uplink peerings, then installs the routes through a different path, such as an MLAG peerlink. | 4.4.0-4.4.5, 5.5.0-5.11.0 | |
2669858 |
OpenSSH is vulnerable to CVE-2020-14145, as described in https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf. This is an information leak in algorithm negotiation that can allow man-in-the-middle attacks on initial connection attempts without a previously stored server host key on the client. If desired, mitigation using UpdateHostKeys and HostKeyAlgorithms is also given in that paper. |
3.7.14-3.7.16, 4.0.0-4.4.5 | |
2639303 |
When you use NCLU to delete a bond, then add an interface, NCLU reports an error similar to the following:
ERROR: ‘NoneType’ object has no attribute ‘conf_key_value_multiple_values’
See /var/log/netd.log for more details. |
4.3.0-4.4.5 | |
2621244 |
When a VRF name includes evpn , the NCLU net show bgp vrf command fails with the error ERROR: The call to /usr/bin/vtysh failed. To work around this issue, do not use evpn in the VRF name or run the desired commands directly from FRR with vtysh . |
4.3.0-4.4.5 | |
2618227 |
The NCLU net show bridge macs command displays permanent MAC addresses for trunked VLANs. |
4.3.0-4.4.5 | |
2606326 |
If the IGMP and MLD querier is configured on only one of the peer switches in an MLAG configuration, when IGMP packets are sent to the peer with no querier, IGMP leave messages have no effect. | 4.4.0-4.4.5 | |
2599274 |
On Mellanox Spectrum switches, when there is an MSTP forwarding state change on a bond (for example, when the state changes from blocking to forwarding), the MSTP hardware table might set some VLANs to blocking when they should be forwarding. As a result, all packets on these VLANs drop at ingress. To recover from this state, flap the bond interface (not the physical swp) by running ifdown <bond_name> ; sleep 1 ; ifup <bond_name> . |
4.3.0-4.4.5 | 5.0.0-5.11.0 |
2596458 |
When bridge.unreg_v6_mcast_prune = TRUE is configured in the /etc/cumulus/switchd.conf file, traffic destined to IPv6 link-local multicast addresses might not be flooded within the bridge. To work around this issue, disable pruning for IPv6 multicast by setting bridge.unreg_v6_mcast_prune = FALSE in the /etc/cumulus/switchd.conf file. |
4.4.0-4.4.5 | |
2574368 |
When you run the NCLU net add bgp maximum-paths ibgp command, FRR restarts unexpectedly. To work around this issue, either use the vtysh commands or edit the /etc/frr/frr.conf file directly, then run systemctl reload frr . |
4.1.1-4.4.5 | |
2556772 |
The net show clag verify-vlans command fails with the following log:
To work around this issue, run the /usr/bin/clagctl verifyvlans command or the net show clag verbose command. |
4.2.1-4.4.5 | |
2556369 |
If you use NCLU to configure an ACL for eth0, you can’t designate it as an INPUT rule; the rule is automatically created as a FORWARD rule in the /etc/cumulus/acl/policy.d/50_nclu_acl.rules file. To work around this issue, manually create an ACL in the /etc/cumulus/acl/policy.d/ directory with “-A INPUT -i eth0”. |
4.2.1-4.4.5 | |
2556082 |
The NCLU net del vrf command does not delete a numbered VRF. For example:
|
4.2.1-4.4.5 | |
2556081 |
You cannot set the time zone with NCLU commands. | 4.1.1-4.4.5 | |
2555981 |
In BGP, to enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.11.0 |
2555873 |
On Mellanox switches, egress ACLs with VLAN keys do not filter layer 2 multicast or broadcast traffic. | 4.3.0-4.4.5 | |
2555763 |
The NCLU net del bgp neighbor command does not delete the neighbor and displays an error similar to the following:
To work around this issue, use the FRR command to delete a neighbor. |
4.3.0-4.4.5 | |
2555613 |
The net show configuration commands command incorrectly displays the NCLU syntax to disable IPv6 forwarding on interfaces. For example:
The correct NCLU command to disable IPv6 forwarding is net add vlan 1 ipv6 forward off (without the hyphen). |
4.2.1-4.4.5 | |
2555318 |
If you try to enable BGP graceful restart when it is already enabled, you see an error similar to the following in the frr.log file:
This error has no functional impact. |
4.3.0-4.4.5 | |
2554986 |
The ethtool utility doesn’t contain the latest values, as a result the Revision Compliance field shows Unallocated . |
4.2.1-4.4.5 | |
2554812 |
If the RMAC of a layer 3 SVI changes, the show vrf vni command is not updated with the new value. However, the new RMAC is seen in the show evpn vni command and is present on self-originated EVPN routes. |
4.2.1-4.4.5 | |
2554783 |
If you apply an outbound route map to a BGP peer that uses set as-path prepend last-as , advertised locally-originated routes have the ASN of the peer prepended to the AS path. This might trigger AS path loop prevention on the peer, where the peer ignores locally-originated prefixes. |
4.2.1-4.4.5 | 5.0.0-5.11.0 |
2554709 |
The IP address specified in the ip pim use-source command configured on the loopback interface should be inherited by unnumbered interfaces during their primary IP address selection process. If ip pim use-source is configured on the loopback after an unnumbered interface has already selected its primary IP address, the unnumbered interface does not update its primary IP address to the new use-source value until there is a netlink update for that interface. To work around this issue, configure ip pim use-source on each unnumbered interface directly, or ensure ip pim use-source is applied to the loopback before other unnumbered interfaces are enabled for PIM. |
3.7.13-3.7.16, 4.2.1-4.4.5 | |
2554670 |
When you have a large number of ACLs, the cl-acltool -L ip and cl-resource-query commands take a long time to complete. |
4.3.0-4.4.5 | |
2554582 |
On switches with the Maverick ASIC, control traffic is dropped due to receive buffering. | 4.2.0-4.4.5 | |
2554533 |
On the ARM platform, NTP peer associations slowly increase to larger offsets (~500ms). | 4.0.0-4.4.5 | |
2554466 |
Kernel routes added by iproute2 are missing in FRR after an interface flap. To work around this issue, configure a static route in FRR. |
4.2.1-4.4.5 | |
2554222 |
The NCLU command to enable bridge learning fails. As a workaround, enable bridge learning in the /etc/network/interfaces file. For example:
|
4.2.1-4.4.5 | |
2554218 |
MLAG packets received on the peer link are dropped instead of routed. | 4.2.0-4.4.5 | |
2554202 |
The output of the net show commit command does not show the last commit or the specified commit number but is empty instead. |
4.2.1-4.4.5 | |
2553989 |
The default policer configured for LACP as an INPUT chain rule in 00control_plane.rules is meant to protect the CPU from an LACP storm. When an LACP storm originates from a single bond or bond member interface on a switch with multiple bond interfaces, other LACP bond interfaces might go down. | 4.2.1-4.4.5 | |
2553887 |
When TACACS+ is configured with a DEFAULT user that provides a privilege level lower than 16, TACACS+ users with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del, and see an error similar to the following:
To work around this issue, remove the DEFAULT user from the TACACS+ server. |
3.7.7-3.7.16, 4.0.0-4.4.5 | |
2553677 |
When you configure an SNMPv3 user with the net-snmp-config configuration command from the libsnmp-dev package, you get an error message similar to the one below:
To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:
Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation. |
3.7.13-3.7.16, 4.0.0-4.4.5 | |
2553237 |
The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF. NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF. |
4.2.0-4.4.5 | |
2553116 |
When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure. To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2553015 |
If a neighbour contains a special character in PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail. |
3.7.10-3.7.16, 4.2.0-4.4.5 | |
2552691 |
On the EdgeCore AS4610 switch, the eth0 interface remains down when physically connected to a 1G interface. To work around this issue, configure the link speed to 1000 and set auto-negotiation on for the eth0 interface, then flap eth0 with the ip link set eth0 down/up command to bring up the port. |
4.2.0-4.4.5 | |
2552453 |
On the Mellanox switch, RoCE with PFC configuration is not applied to all ports in hardware when a range is used in the traffic.conf file. To work around this issue, use NCLU to configure RoCE with PFC or list individual ports in the traffic.conf file. |
4.2.0-4.4.5 | |
2552309 |
The following messages are seen on an EdgeCore Minipack-AS8000 running Cumulus Linux 4.2.0:
These messages are for internal validation purposes only and can be safely ignored. |
4.2.0-4.4.5 | |
2552294 |
NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2552266 |
OpenSSH scp is vulnerable to CVE-2020-15778, where clients that have authorized access to the SSH server can execute commands on the server by copying maliciously named files. The two scenarios where an exploit may be useful to an attacker:
- The user is authorized to scp but not ssh (based on the command option in the authorized_keys file), so this vulnerability can allow executing a remote command on the target computer when not authorized to do so.
- An attacker plants a maliciously named file in a directory tree that someone later uses scp -r to copy over to the target computer.
Be aware that restricting users to scp by using the command option in the authorized_keys file is not effective in preventing those users from executing arbitrary commands on the server. If you want to use scp -r to copy directory trees, avoid copying directory trees to which attackers may have added maliciously-named files. Archiving the directory tree with tar , zip , or a similar program, then copying the archive over to be extracted on the server avoids having to use scp -r altogether. In addition, OpenSSH provides sftp , which you can use instead of scp to copy files. To disable scp completely, use /bin/chmod 0 /usr/bin/scp . |
3.7.14-3.7.16, 4.0.0-4.4.5 | |
2551666 |
If you modify an interface name, then reuse the previous interface name for a different VLAN, the ifreload -a command generates an error similar to the following:
|
4.1.0-4.4.5 | |
2551578 |
When you configure a bridge in the /etc/network/interfaces file, then try to reconfigure the bridge to be a VRF interface with the same name, ifreload /ifup commands fail with an invalid table id or unable to get vrf table id error. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2551565 |
If you toggle VRRP priority values between VRRP routers, then restart switchd , a few IPv6 VRRP instances might not converge. As a result, both the VRRP routers act as master routers for the impacted IPv6 VRRP instances. IPv4 VRRP instances are not affected. To work around this issue, remove, then add back the VRRP configuration with NCLU or vtysh commands. |
3.7.13-3.7.16, 4.2.0-4.4.5 | |
2551335 |
When TACACS+ is configured and the management VRF is enabled, users with privilege level 13 are prevented from running ip and cat commands. |
4.0.0-4.4.5 | |
2551305 |
The net show configuration command provides the wrong net add command for ACL under the VLAN interface. |
3.7.12-3.7.16, 4.1.0-4.4.5 | |
2551273 |
On a Mellanox SN2010 switch, the Locator LED is on after you upgrade Cumulus Linux. | 4.1.0-4.4.5 | |
2551221 |
When span-to-cpu is enabled on a layer 3 swp interface with an IP address configured, packets with the switch port’s IP address as the destination IP don’t reach the switch port. To capture packets directed towards the switch port’s IP address, disable span-to-cpu and use tcpdump on the switch port instead. | 4.2.0-4.4.5 | |
2551111 |
If a remote EVPN Sticky MAC [Static MAC address] is unexpectedly learned dynamically on a local interface, the selected entries in zebra and BGP are in an inconsistent state. zebra increments the local MAC mobility sequence number and considers the MAC address to be local, but BGP maintains the remote Sticky MAC as the best path selected. This results in zebra installing the local MAC address and BGP not updating the route for the MAC address. |
4.0.0-4.4.5 | |
2550974 |
On the Dell S3000 switch, after installing the Cumulus Linux 4.1.1 disk image without a license, the switch sends a link beat if a remote host port is configured. | 3.7.11-3.7.16, 4.1.1-4.4.5 | |
2550793 |
The NCLU net show bridge spanning-tree command displays the aging timer incorrectly. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2550713 |
Configuring the subinterface of a VXLAN uplink under another traditional bridge, which also has the VXLAN VNI enslaved, causes switchd to use high CPU due to very frequent VXLAN tunnel sync events. To work around this issue, do not enslave the subinterface of a VXLAN layer 3 uplink under a traditional bridge in a VXLAN configuration. |
4.1.1-4.4.5 | |
2550642 |
ACLs with a SPAN target and a bond member as the in-interface are not supported on Spectrum-based switches. | 4.2.0-4.4.5 | |
2550444 |
Tab completion for the net show rollback description command returns information about a snapshot instead of context help. To work around this issue, run the net show commit history command to find descriptions instead of the net show rollback description command. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2550443 |
The net show rollback description command returns an error even if the string matches a commit description. To work around this issue, look for your string in the output of the net show commit history command (or grep for it there) instead. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2550243 |
When you use nginx and restserver in the management VRF to provide a REST API for the switch, nginx starts but restserver fails to start. To work around this issue, comment out the Requires= line in the /lib/systemd/system/restserver.service file. For example:
|
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2550056 |
The ACCTON-DIAG option under the Cumulus Linux GRUB menu does not work. When you select this option, you see the following error:
|
3.7.12-3.7.16, 4.1.1-4.4.5 | |
2549925 |
When you run an Ansible script to replace the /etc/network/interfaces file, then run the ifreload -a command, you see errors similar to the following:
To work around this issue, run the ifreload -a command a second time. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2549872 |
If you have an SVI with multiple VRR IP addresses and try to delete one of the VRR configurations, net commit or ifreload -a returns an error. |
3.7.12-3.7.16, 4.1.1-4.4.5 | |
2549782 |
The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbour state. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2549731 |
When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:
|
3.7.12-3.7.16, 4.1.1-4.4.5 | |
2549392 |
When you configure an RD or RT with NCLU, you see duplicate VNI stanzas in the /etc/frr/frr.conf file. To work around this issue, manually edit the /etc/frr/frr.conf file to define advertise-all-vni before the RD or RT configuration within the l2vpn EVPN address family, then reload the FRR service with the sudo systemctl reload frr command. |
4.1.0-4.4.5 | |
2548924 |
On the EdgeCore Minipack AS8000, storm control does not restrict unknown unicast, broadcast, or multicast traffic. | 4.1.1-4.4.5 | |
2548657 |
When you upgrade Cumulus Linux on the EdgeCore AS7726-32X or AS7326-56X switch, you might see firmware errors similar to the following:
You can safely ignore these error messages. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2548579 |
The following security vulnerability has been announced: CVE-2020-10531: An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp. |
3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16 |
2548315 |
The following security advisory has been announced for bash: CVE-2019-18276 (Qualys scan QID 372268), a setuid vulnerability. When bash or bash scripts are run setuid, bash is supposed to drop privileges, but does so incorrectly, so that an attacker with command access to the shell can use enable -f for runtime loading of a new builtin that calls setuid() to regain dropped privileges. To work around this issue, do not make bash or bash scripts setuid . |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2548310 |
When the system boots, you might see " cumulus systemd-udevd[7566]: Process ‘/usr/bin/hw-management-thermal-events.sh add thermal_zone /sys /devices/virtual/thermal/thermal_zone25 thermal_zone25’ failed with exit code 1" errors. These errors are the result of user space acting on kernel events slightly too slowly. The mlxsw_minimal driver is added during kernel boot; an SDK reset causes the driver to be deleted and re-instantiated. The user space handler for the thermal zone add event sees the add first, but the underlying device is deleted before the handler can act on it. This situation is rectified when the mlxsw_minimal driver is re-instantiated later. |
4.1.0-4.4.5 | |
2548260 |
The net add routing route-map command does not add the set statement into the /etc/frr/frr.conf file. |
4.0.0-4.4.5 | |
2548243 |
On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
2548117 |
In OVSDB traditional bridge mode, adding or removing a VLAN binding causes a traffic forwarding outage for around 20 seconds or more on adjacent VLAN bindings. Cumulus Linux does not support traditional bridge mode with VMware NSX. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
2548062 |
When ports are split to 4x25G, RS FEC needs to be explicitly configured on both ends (especially when interoperating with non-Mellanox switches). | 4.1.0-4.4.5 | |
2548044 |
When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor. | 3.7.12-3.7.15, 4.0.0-4.4.5 | 3.7.16 |
2547903 |
CVE-2019-19956: xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs.
Vulnerable: 2.9.4+dfsg1-7
Fixed: 2.9.4+dfsg1-7+deb10u1 |
4.0.0-4.4.5 | |
2547890 |
QinQ across VXLAN on a traditional bridge does not work. | 4.1.0-4.4.5 | |
2547782 |
If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2547706 |
When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd . To work around this issue, reboot the switch. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2547405 |
When you restart the hsflowd service, you see a systemd warning message similar to the following:
|
4.0.0-4.4.5 | |
2547120 |
After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number), until you run the decode-syseeprom --init command. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2546991 |
The FRR service does not provide a way for automation to know if the configuration applied properly. To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2546895 |
If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:
systemd[1]: switchd.service watchdog timeout (limit 2min)!
To work around this issue, either reduce the number of configured interfaces and/or VLANs, or increase the systemd timeout for switchd.service. To increase the systemd timeout:
1. Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter.
2. Restart the switchd service with the sudo systemctl restart switchd.service command.
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2546874 |
On the Dell S5232F, S5248F, S5296F, and S3048 switch, using the poweroff or halt commands does not fully power off the switch. |
4.0.0-4.4.5 | |
2546255 |
On the EdgeCore Minipack-AS8000 switch, a 100G DAC link does not come up when auto-negotiation is enabled on the neighbor. This switch does not support 100G DAC auto-negotiation at this time. | 4.0.0-4.4.5 | |
2546225 |
When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer , which causes issues with cl-support.
To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2546131 |
On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel. To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image. This workaround only works when an out-of-band network is present. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2545837 |
If you use the NCLU commands to configure NTP and run the net add time ntp source command before you run the net add time ntp server command, the /etc/ntp.conf file is misconfigured. To work around this issue, run the net add time ntp server command before you run the net add time ntp source command. |
3.7.10-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16 |
2545520 |
The length of the netlink message is not set properly for non-bridge family type messages. The same length is used for both bridge and non-bridge even though the bridge family type message has an extra attribute. This causes extra bytes to be left over in non-bridge family type netlink messages. | 3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2545233 |
On the Delta AG9032v1 switch, smonctl and sensors report inaccurate PSU current and power. | 4.0.0-4.4.5 | |
2545125 |
If you configure more than one VRR interface on an SVI interface, deleting one of the VRR addresses does not remove the interface/address. | 3.7.10-3.7.16, 4.0.0-4.4.5 | |
2544978 |
If you delete an undefined bond, then add a bond slave, the net commit command fails. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2544968 |
FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:
should be:
To work around this issue, configure the interface manually in the /etc/frr/frr.conf file. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2544957 |
NCLU incorrectly allows you to apply port security configuration on layer 2 and layer 3 ports that are not part of a bridge. | 4.0.0-4.4.5 | |
2544953 |
When you update the hostname of a switch with the NCLU net add hostname command, then run net commit , the lldpd service does not restart and other devices still see the old hostname. To work around this issue, run the sudo systemctl restart lldpd.service command. |
3.7.10-3.7.16, 4.0.0-4.4.5 | |
2544880 |
When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. |
4.0.0-4.4.5 | |
2544723 |
Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2544463 |
Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported . To work around this issue, do not use auto-negotiation and set the local port speed to 10G. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2544456 |
The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2544311 |
Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
2544155 |
NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order. |
3.7.5-3.7.16, 4.0.0-4.4.5 | |
2544113 |
MAC learning is not disabled by default on a double tagged peer link interface, resulting in the MAC address changing between the MLAG bond and the peer link. To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the /etc/network/interfaces file. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2543937 |
An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause an FRR reload to time out. To work around this issue, remove the interface alias description from iproute2 . |
3.7.8-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2543915 |
When you enable a service in the management VRF, systemctl issues a warning similar to the following:
Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run ‘systemctl daemon-reload’ to reload unit
You can safely ignore this warning. |
4.0.0-5.9.2 | 5.10.0-5.11.0 |
2543900 |
On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | |
2543841 |
The net show evpn vni detail json command includes an extra empty dictionary at the end of the output. |
3.7.8-3.7.16, 4.0.0-4.4.5 | |
2543816 |
On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages. |
3.7.6-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16 |
2543781 |
NCLU does not allow you to configure OSPF NSSAs. For example:
To work around this issue, use FRR instead. For example:
|
3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2543724 |
If a hostname contains utf-8 characters, the NCLU net show lldp command outputs the following error:
|
3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2543646 |
In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
2543401 |
On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces. To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. |
4.0.0-4.4.5 | |
2543211 |
In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18). |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2543164 |
The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected. To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. |
3.7.7-3.7.16, 4.0.0-4.4.5 | |
2543096 |
When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted. |
3.7.6-3.7.16, 4.0.0-4.4.5 | |
2542945 |
On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags. To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad:
|
3.7.6-3.7.16, 4.0.0-4.4.5 | |
2542837 |
On Mellanox switches, policer iptables are not working as expected. For example, when using a policer with mode KB/MB/GB to rate-limit interfaces, the syntax is accepted but the data plane transfer speed is not affected by the rule. | 3.7.6-3.7.8, 4.0.0-4.4.5 | 3.7.9-3.7.16 |
2542305 |
If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically. |
3.7.6-3.7.16, 4.0.0-4.4.5 | |
2542301 |
When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted. |
3.7.3-3.7.16, 4.0.0-4.4.5 | |
2541212 |
The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded. |
3.7.5-3.7.16, 4.0.0-4.4.5 | |
2541029 |
On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped. This issue only affects QinQ configurations. |
3.7.5-3.7.16, 4.0.0-4.4.5 | |
2540753 |
If the interface alias contains a single or double quotation mark, or an apostrophe, the net show configuration commands fail with the following error:
|
3.7.5-3.7.16, 4.0.0-4.4.5 | |
2540444 |
SNMP incorrectly requires engine ID specification. |
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540352 |
When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces. For example, this command is incorrect:
These commands are correct:
|
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2540340 |
NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays
Tab completion for the net add vrf command works correctly. |
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540274 |
On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
2540204 |
When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540192 |
The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled. To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. |
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540155 |
On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node. |
3.7.3-3.7.16, 4.0.0-4.4.5 | |
2540042 |
When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails. To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
|
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540041 |
On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU. To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
|
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540040 |
Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU. To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:
|
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540031 |
NCLU does not honor auto all in the /etc/network/interfaces file and removes the existing configuration if no individual auto lines exist. |
3.7.3-3.7.16, 4.0.0-4.4.5 | |
2539994 |
When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
|
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2539962 |
When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error. |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2539670 |
On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2539124 |
The net add interface command adds no ptm-enable for that interface in the frr.conf file. Running the net add or the net del command does not remove no ptm-enable from the frr.conf file. You have to remove it manually using vtysh. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2538790 |
NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan. This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG. To restore connectivity, remove the VLAN ID from the bridge. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2538590 |
When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2538562 |
On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the /etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up. After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown. To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex, or MDI-X settings. Note: The advertised link mode is set incorrectly if you include 1000baseT/Half. The port still comes up successfully at 1G. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2538294 |
If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2537699 |
There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces:
Eventually the dhcrelay service stops. |
3.7.1-3.7.16, 4.0.0-4.4.5 | |
2537544 |
When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. |
3.7.1-3.7.16, 4.0.0-4.4.5 | |
2536576 |
If you try to bring down several members of a bond remotely at the same time, the link state of one of the interfaces might not transition correctly to the down state; however, all links show down in hardware. |
4.0.0-4.4.5 | |
2536384 |
The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware. |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2536256 |
For an unresolved address, the IPROUTER default policer rule has been modified to not match on packets exiting a TUNNEL and headed to the CPU to resolve the address via ARP. As a result, the following default rule no longer matches TUNNEL ingress packets.
These packets are now policed by catch all rules. To work around this issue, the VPORT value on a TRIDENT switch must be changed from binary 011 to 100. |
4.0.0-4.4.5 | |
2536242 |
On the EdgeCore AS7712 (Tomahawk) switch running in atomic mode, when a layer 3 ECMP path is brought down, traffic traversing the path stops working for about four seconds. When the switch is changed to non-atomic mode, the delay is less than one second. This issue is seen across OSPF and static ECMP routes. | 4.0.0-4.4.5 | |
2536179 |
On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
2535986 |
At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers, resulting in No buffer space available error messages on protocol sockets. When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2535965 |
On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly. To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2535723 |
The source address of the ICMPv6 time exceeded message (traceroute hop) is sourced from the wrong VRF when the traceroute target resides on the same switch but in a different VRF. | 4.0.0-4.4.5 | |
2535605 |
FRR does not add BGP ttl-security to either the running configuration or to the /etc/frr/frr.conf file when configured on a peer group instead of a specific neighbor. To work around this issue, add ttl-security to individual neighbors instead of the peer group. |
4.0.0-4.4.5 | |
2535209 |
The net show lldp command sometimes shows the port description in the Remote Port field. The net show interface command shows the correct value in the Remote Host field. To work around this issue, use the net show interface command for LLDP output when connected to Cisco equipment. |
3.7.5-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2534734 |
Span rules matching the out-interface as a bond do not mirror packets. | 4.0.0-4.4.5 | |
2533691 |
If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict. To work around this issue, correct the bridge VIDs and restart switchd or delete the subinterface. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2533625 |
PIM and MSDP entries are set to the internal COS value of 6 so they are grouped together with the bulk traffic priority group in the default traffic.conf file. However, PIM, IGMP, and MSDP are considered control-plane and should be set to the internal COS value of 7. |
4.0.0-4.4.5 | |
2533337 |
When you use NCLU to bring a bond admin down (net add bond ), the bond interface goes into admin down state but the switch ports enslaved to the bond remain UP. If you are using bond-lacp-bypass-allow or balance-xor mode, the host might continue to send traffic. This traffic will be dropped because although the bond slaves are UP, they are not members of the bridge. To work around this issue, use the sudo ifdown command. |
4.0.0-4.4.5 | |
2531273 |
In certain cases, a peer device sends an ARP request from a source IP address that is not on the connected subnet and the switch creates a STALE neighbor entry. Eventually, the switch attempts to keep the entry fresh and sends ARP requests to the host. If the host responds, the switch has REACHABLE neighbor entries for hosts that are not on the connected subnet. To work around this issue, change the value of arp_ignore to 2. See [Address Resolution Protocol in the Cumulus Linux user guide|https://docs.cumulusnetworks.com/cumulus-linux/Layer-3/Address-Resolution-Protocol-ARP/] for more information. |
4.0.0-4.4.5 | |
Fixed Issues in 4.4.5
Issue ID | Description | Affects |
---|---|---|
3205701 |
A firmware upgrade has been implemented to optimize the PCIe bus between the CPU and Spectrum ASIC on NVIDIA SN4700, SN4600, SN4600C, and SN4410 switches manufactured with 0x26 1 17 in EEPROM. Affected switches will not boot properly without this firmware upgrade. To see the EEPROM value, run the onie-syseeprom command from ONIE or run the decode-syseeprom command from Cumulus Linux. |
4.4.4, 5.2.0 |
4.4.4 Release Notes
Open Issues in 4.4.4
Issue ID | Description | Affects | Fixed |
---|---|---|---|
4143345 |
On the Trident3 switch, if you use NCLU to configure BGP neighbor shutdown, NCLU stops responding when you include more than 200 neighbors per peer group. If you do not use NCLU to configure BGP neighbor shutdown, you can configure a maximum of 300 neighbors per peer group. | 4.3.0-4.4.5 | |
4037015 |
The NVUE commands to delete SNMP users, and change authentication passwords and encryption passphrases are not successful. | 4.3.0-5.9.1 | 5.9.2-5.11.0, 5.10.0-5.11.0 |
3980941 |
After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes: snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poectl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl restart snmpd command: #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a |
4.4.0-5.9.1 | 5.9.2-5.11.0, 5.10.0-5.11.0 |
3773177 |
When you try to upgrade a switch from Cumulus Linux 5.5 or earlier to 5.8.0 or later with package upgrade, you see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch: cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb |
4.0.0-4.4.5, 5.0.0-5.11.0 | |
3684998 |
DHCP lease information is not collected in the cl-support file. |
4.3.0-5.6.0 | 5.7.0-5.11.0 |
3528464 |
Cumulus Linux might mark a layer 2 VLAN-tagged packet as a packet to CPU and the INPUT chain ACL might drop the packet. To work around this issue, add an additional addrtype match on the ACL to prevent an erroneous ACL match; for example:[iptables] |
4.3.0-4.4.5 | |
3488136 |
When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf command. |
4.2.1-5.5.1 | 5.6.0-5.11.0 |
3474391 |
The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. |
4.3.1-5.5.1 | 5.6.0-5.11.0 |
3429530 |
On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.11.0 |
3420056 |
The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.11.0 | |
3400244 |
NCLU accepts multiple instances of the same net add bgp commands and stores the configuration in the /etc/frr/frr.conf file when you run the net commit command. As a result, unintended commands might be processed during frr-reload. To work around this issue, edit the /etc/frr/frr.conf file to remove the duplicated entries. |
4.3.1-4.4.5 | |
3390022 |
When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the peerlink.4095 interface stanza are duplicated. Subsequent ifreload or net commit commands fail until you manually remove the duplicated lines from this interface and run ifreload -a. |
4.2.1-4.4.5 | |
3389994 |
During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The clagctl dumppermanentneighs command only shows local neighbors. |
4.2.1-4.3.1, 4.4.0-5.4.0 | 4.3.2, 5.5.0-5.11.0 |
3387852 |
If you remove NGINX from the switch, then run apt autoremove, switchd does not reload because the libyaml-0-2 and python-yaml packages are missing; these packages are required for switchd consistency checking. To work around this issue, reinstall the libyaml-0-2 and python-yaml packages. |
4.4.0-4.4.5 | |
3368217 |
When daylight saving time changes, the MLAG initDelay timer resets and all MLAG bonds go down. |
4.4.4-4.4.5 | |
3351951 |
Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-4.3.1, 4.4.0-5.3.1 | 4.3.2, 5.4.0-5.11.0 |
3339249 |
The sensors.conf files in Cumulus Linux are out of date. |
4.2.1-4.4.5 | |
3333064 |
The traffic control rules that the EVPN multihoming configuration adds to an interface are deleted when the hsflowd service restarts. The hsflowd service deletes the EVPN multihoming traffic control filters after you stop hsflowd, then adds back the match-all filters with the psample action; however, hsflowd does not add back the EVPN multihoming traffic control rules. |
4.4.0-5.3.1 | 5.4.0-5.11.0 |
3330705 |
When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. |
3.7.0-5.3.1 | 5.4.0-5.11.0 |
3327477 |
If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 through tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 through tacacs15 user password. |
3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.11.0 | |
3321391 |
On the NVIDIA SN2410 switch, ports with optical transceivers show FAULT errors in the sensor command output. |
4.2.1-5.3.1 | 5.4.0-5.11.0 |
3303105 |
The clagd service crashes with the following traceback in /var/log/clagd.log after a clag sync event, which is typically driven by a peerlink up event: unhandled exception: Traceback (most recent call last): File "/usr/sbin/clagd", line 1304, in PeerRecvT PeerRecv() File "/usr/sbin/clagd", line 513, in PeerRecv ParseProtoBufMessage(nlm, myPeerMsg) File "/usr/sbin/clagd", line 853, in ParseProtoBufMessage msgData = FdbSync.ParseProtoBufMessage(msgHdr) File "/usr/lib/python3/dist-packages/clag/fdbsync.py", line 892, in ParseProtoBufMessage msgData.ParseFromString(msgHdr.data) google.protobuf.message.DecodeError: Error parsing message |
4.4.0-4.4.5 | |
3293110 |
You cannot set the NTF router flag (NTF_ROUTER) on neighbor entries from the user space. | 4.4.2-4.4.5 | |
3292873 |
When you run ZTP manually with the ztp -R command, then the ztp -vb command, the process stalls indefinitely while searching the local (USB) location and not using DHCP information. To work around this issue, run the ztp -r command with the URL of the ZTP server: [Dec-08-17:09:58] root@switch:/home/cumulus# ztp -r http://myztp.server.local/ztp |
4.4.2-4.4.5 | |
3291548 |
In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As a result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. |
4.2.1-4.4.5 | 5.0.0-5.11.0 |
3288156 |
When you configure a new VNI, the VLAN 1 VNI mapping is removed from the VXLAN device. To work around this issue, set the VNI interface mapped to VLAN 1 down and up again. | 4.4.3-5.1.0 | 5.2.0-5.11.0 |
3284719 |
Certain EVPN multihoming show commands might cause the bgpd service to crash if you use the json flag and try to reference the default VRF by name. For example: show bgp l2vpn evpn es-vrf json. |
4.4.2-4.4.5 | |
3269537 |
When an FRR routing service (such as bgpd) becomes unresponsive, watchfrr might fail to stop and restart the service. To work around this issue, restart FRR with the systemctl restart frr command. |
4.4.0-5.3.1 | 5.4.0-5.11.0 |
3244740 |
If you have a lot of inbound route maps that match lists with many regex statements, a large number of updates from the peer can cause the system to run out of memory. To work around this issue, reduce the number of regex matches in inbound route maps. | 4.4.0-5.2.1 | 4.3.2, 5.3.0-5.11.0 |
3235368 |
When you try to configure VRF route leaking between many VRFs using multiple NCLU commands before running the net commit command, the commit fails. To work around this issue, configure VRF leaking one command at a time and run net commit after each command. |
4.4.4-5.2.1 | 5.3.0-5.11.0 |
3227677 |
When daylight saving time changes the time, the MLAG initDelay timer resets and all MLAG bonds go down. |
4.4.4-5.2.1 | 5.3.0-5.11.0 |
3226579 |
The net show interface command output shows Type=Unknown for the specified interface. |
4.4.3-4.4.5 | |
3221470 |
Under heavy system load, when many forwarding resources (routes, neighbors, ECMP groups, and so on) are removed from hardware, subsequent attempts to configure additional forwarding resources might fail and you see the following log message: sx_sdk: EMAD_RX_THREAD: EMAD transaction FW error |
4.4.0-5.1.0 | 5.2.0-5.11.0 |
3218207 |
Certain routes on tenant VRFs have missing next hop entries because the router MAC address is missing in the bridge forwarding database table that corresponds to the remote VTEP. As a result, traffic forwarding is affected for these routes. | 4.3.0-5.2.1 | 5.3.0-5.11.0 |
3216922 |
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). |
3.7.0-5.2.1 | 5.3.0-5.11.0 |
3216921 |
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). |
3.7.0-3.7.16, 4.3.0-4.4.5 | |
3216759 |
With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool, and the ACL might not work correctly: hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. |
3.7.15-3.7.16, 4.3.0-4.4.5 | |
3211369 |
The NCLU net show interface pluggables command takes a long time (approximately five minutes) to complete. |
4.2.1-4.4.5 | |
3211359 |
The net show interface command output shows Type=Unknown for the specified interface. |
4.4.3-5.0.1 | 5.1.0-5.11.0 |
3211054 |
On the NVIDIA Spectrum-2 switch, when receiving multicast traffic on a PIM enabled VLAN, the multicast traffic is forwarded correctly to the associated VLAN, however WJH shows traffic loss with the error:
|
4.4.2-5.2.1 | 5.3.0-5.11.0 |
3209699 |
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). |
3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.11.0 |
3205701 |
A firmware upgrade has been implemented to optimize the PCIe bus between the CPU and Spectrum ASIC on NVIDIA SN4700, SN4600, SN4600C, and SN4410 switches manufactured with 0x26 1 17 in EEPROM. Affected switches will not boot properly without this firmware upgrade. To see the EEPROM value, run the onie-syseeprom command from ONIE or run the decode-syseeprom command from Cumulus Linux. |
4.4.4, 5.2.0 | 4.4.5, 5.2.1-5.11.0 |
3192808 |
When the switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. |
4.3.0-4.3.1, 4.4.0-5.2.1 | 4.3.2, 5.3.0-5.11.0 |
3168564 |
In a large scale VXLAN configuration (for example, if you have more than 8500 VLANs across ports), switchd might crash when you restart clagd or when all bonds go operationally down, then up. On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. |
4.3.1-4.4.5 | |
3163845 |
If bond slaves listed in the /etc/network/interfaces file are not in alphabetical order, the bond interface MAC address can change when you run ifreload. For example, if the bond slaves in the /etc/network/interfaces file are listed as swp32 swp31, the switch initially uses the MAC address for swp32 as the bond MAC address. Another ifreload can cause this to change to use the MAC address for swp31 as the bond MAC address, which can cause protocol issues, such as IPv6 link-local address changes. |
4.3.1-4.4.5 | |
3157240 |
When you try to query REDECN counters with the mlxcmd utility on a bond member port with the following commands, syslog reports an error: sudo /usr/lib/cumulus/mlxcmd roce counters --port |
4.4.4-5.1.0 | 5.2.0-5.11.0 |
3150317 |
During a host failure, where a link remains up but LACP stops being sent, the EVPN multihoming ES bond goes into bypass mode active without a link state change. | 4.4.2-5.2.1 | 5.3.0-5.11.0 |
3138746 |
The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0-5.1.0 | 5.2.0-5.11.0 |
3138057 |
When the next hop interface for EVPN type 5 routes flaps, FRR might uninstall the routes and Route install failed appears in /var/log/frr/frr.log . To work around this problem, restart FRR with the sudo systemctl restart frr command. |
4.4.0-5.2.1 | 5.3.0-5.11.0 |
3135801 |
Zebra rejects MAC IP updates from BGP when the MAC mobility sequence number that BGP sends is lower than the sequence number known to zebra. When the MAC mobility sequence that BGP knows legitimately lowers (due to narrow timing conditions during convergence or after rebooting an MLAG pair one VTEP at a time), zebra rejects these updates and maintains a stale state. If the stale information that zebra uses points to the wrong VTEP address, traffic goes to the wrong VTEP and might drop. |
4.0.0-4.3.0, 4.4.0-4.4.5 | 3.7.16, 4.3.1 |
3131423 |
During EVPN multihoming bond failover, ARP and ND redirection fails if you configure layer 2 VNIs and ES bonds before you configure the loopback IP address of the switch. To work around this issue, configure the loopback IP address, then restart FRR with the systemctl restart frr command. |
4.3.0-5.1.0 | 5.2.0-5.11.0 |
3129819 |
On the EdgeCore AS4610 switch, the clagd service loses communication after 198 days of uptime. |
3.7.15-3.7.16, 4.3.0-4.4.5 | |
3123556 |
When you configure an interface in FRR to send IPv6 RAs before you configure the interface in the /etc/network/interfaces file, the switch does not process IPv6 RAs. To work around this issue, remove the interface configuration in FRR and reapply it. |
3.7.15-4.3.0, 4.4.0-5.1.0 | 4.3.1, 5.2.0-5.11.0 |
3119615 |
In an MLAG topology, if you admin down a single connected interface, any dynamic MAC addresses on the peer link are flushed, then added back momentarily, which creates a disruption in traffic. | 3.7.15-5.1.0 | 5.2.0-5.11.0 |
3117340 |
When you edit the /usr/share/openvswitch/scripts/ovs-ctl-vtep file to change the ovs-vtepd configuration between vlan-aware and vlan-unaware mode, ovs-vtepd crashes when you restart the service. To recover, restart the networking service with the sudo systemctl restart networking command. |
4.3.0-5.1.0 | 5.2.0-5.11.0 |
3115415 |
In the Cumulus-BGPVRF-MIB, the bgpPeerFsmEstablishedTime OID does not correctly report the time since a BGP session goes down. |
4.4.4-5.1.0 | 5.2.0-5.11.0 |
3113042 |
After a fresh installation of Cumulus Linux, the package manager reports that the cumulus-archive-keyring package can be upgraded. This is a security fix made available after the 4.4.4 image release to change the repository URLs in the /etc/apt/sources.list file from http to https. |
4.4.4-4.4.5 | |
3112971 |
When you configure a VRF static route using the legacy command syntax in FRR (for example: ip route 10.0.0.0/8 172.16.1.1 vrf vrf-red), then make subsequent VRF or route configuration changes, FRR might crash. To avoid this problem, use the current method for configuring VRF routes within the VRF stanza:
vrf vrf-red |
4.4.3-5.1.0 | 5.2.0-5.11.0 |
3112938 |
In the Cumulus-BGPVRF-MIB, the bgpPeerFsmEstablishedTransitions OID always reports a value of 0. |
4.4.4-5.1.0 | 5.2.0-5.11.0 |
3093966 |
On Broadcom switches, INPUT chain iptables rules filter IPv6 packets matching the rules. | 3.7.15-3.7.16, 4.3.0-4.4.5 | |
3084027 |
Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware. |
4.3.0-4.4.5, 5.0.0-5.11.0 | |
3073668 |
On the EdgeCore AS4610 switch, when you change the speed of any of the SFP+ ports, the other SFP+ ports flap. | 3.7.12-3.7.16, 4.3.0-4.4.5 | |
3072613 |
When you delete a bond interface with NCLU, BGP peer group configuration is removed. | 3.7.15-3.7.16, 4.3.0-4.4.5 | |
3071652 |
On rare occasions, after you reboot or restart switchd on a Spectrum 1 switch, any 25G connections with Direct Attach Copper (DAC) cables that connect from the switch to a non-NVIDIA device might flap continuously. To work around this issue, bring the affected link administratively down for a few seconds on the non-NVIDIA device, then bring the link back up. |
4.4.4-4.4.5, 5.1.0-5.11.0 | |
3070672 |
TACACS command authorization results in a traceback error and the command is not executed. | 4.4.0-4.4.5 | |
3059135 |
In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route. To resolve this issue, restart FRR with the sudo systemctl restart frr command. |
4.3.0-5.1.0 | 5.2.0-5.11.0 |
3046023 |
The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. |
4.2.1-5.1.0 | 5.2.0-5.11.0 |
3034435 |
In an MLAG EVPN deployment, when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that adds a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community. | 4.4.4-5.4.0 | 5.5.0-5.11.0 |
3032234 |
In BGP unnumbered, when you try to remove an interface from the underlay default VRF with the NVUE nv unset vrf default router bgp neighbor command, the command fails to apply. |
4.4.2-5.0.1 | 5.1.0-5.11.0 |
3021838 |
PBR rules that you apply to interfaces in the default VRF install in the kernel with the action lookup local. As a result, packets that match this rule only perform a route lookup in the local table (which contains special routes for local IP addresses and broadcast addresses) but not in the main table (which contains unicast routes), so policy routing might be applied to traffic incorrectly. |
4.4.2-5.0.1 | 5.1.0-5.11.0 |
3008388 |
When you set vlan-bridge-binding on for a VLAN interface, the VLAN interface status does not change to down even when all bridge member ports are down. |
4.4.3-5.0.1 | 5.1.0-5.11.0 |
3007564 |
After you delete the last vxlan-remoteip configuration line from the /etc/network/interfaces file and run the ifreload -a command, the corresponding BUM flood entry is not removed. |
3.7.15-5.0.1 | 5.1.0-5.11.0, 5.2.0-5.11.0 |
2994402 |
When you run ifquery as non-root, EVPN multihoming bond configuration fails. To work around this issue, always use sudo when running ifupdown2 commands (ifup, ifreload, ifdown, and ifquery). |
4.4.2-5.0.1 | 5.1.0-5.11.0 |
2971159 |
On rare occasions, the link up time on optical media can be more than five seconds. | 4.4.3-4.4.5 | |
2964279 |
When a VNI flaps, an incorrect list of layer 2 VNIs is associated with a layer 3 VNI. The NCLU net show evpn vni detail command output shows duplicate layer 2 VNIs under a layer 3 VNI. |
3.7.15, 4.4.2-4.4.5, 5.0.0-5.11.0 | 3.7.16 |
2951110 |
The net show time ntp servers command does not show any output with the management VRF. |
3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.11.0 | |
2944167 |
When you use NCLU commands to add a port to a bridge and the port already exists under the bridge, Cumulus Linux removes all other ports from the bridge. | 4.4.2-4.4.5 | |
2943443 |
Cumulus Linux lets you add more than one VXLAN interface to the same VLAN on the same bridge. This is an invalid configuration, as certain Cumulus Linux components, such as switchd, expect a single VNI for a given bridge or VLAN. |
3.7.15, 4.2.1-4.3.0, 4.4.2-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.11.0 |
2943080 |
The overlay ASN is removed after a route flap. | 4.4.0-5.0.1 | 5.1.0-5.11.0 |
2940051 |
In an MLAG configuration with traditional bridges, MAC addresses are seen over the peer link during ifreload when adding new VLANs or bridges. |
3.7.14.2-3.7.15, 4.3.0-4.4.5 | 3.7.16, 5.0.0-5.11.0 |
2933466 |
You cannot run NVUE commands to configure route leaking. To work around this issue, create a snippet in yaml format and add the configuration to the /etc/frr/frr.conf file. |
4.4.0-5.0.1 | 5.1.0-5.11.0 |
2913859 |
ECMP error messages, similar to the following, show in log files:
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:361 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:621 ERR ECMP: failed to CREATE static ecmp in hw
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:656 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1540 ERR ECMP: failed to allocate hw ecmp status No More Resources
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1561 ERR ECMP: error allocating static ecmp
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:2207 ERR ECMP: failed to find ecmp container |
4.4.0-5.0.1 | 5.1.0-5.11.0 |
2904450 |
When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. |
4.4.0-4.4.5, 5.0.0-5.11.0 | |
2902013 |
The NCLU commit command adds a five second delay. | 4.2.1-4.4.5 | |
2896450 |
On the Dell N3248PXE switch, fixed RJ45 interfaces with PoE neighbors can end up in Paused mode after a switchd restart, which blocks traffic on that interface. To work around this issue, restart switchd a second or third time until all interfaces are functioning correctly, or reboot the switch. |
4.3.0-4.4.5 | |
2875338 |
In a scaled EVPN-MLAG configuration (observed with 400 or more VNIs and 20K or more MAC addresses – the actual scale might vary), when the peer link flaps causing all VNIs to come up at the same time, there might be high CPU utilization on the system for several minutes and the FRR service might restart. After FRR restarts or the CPU utilization settles down, the system functions normally. | 4.2.1-4.3.0, 4.4.0-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.11.0 |
2866080 |
On the Maverick S4148T switch with MLAG, Cumulus Linux drops LACP, ARP, LLDP and BGP traffic. | 4.3.0-4.4.5 | |
2862211 |
On NVIDIA Spectrum ASICs in a layer 2 bridge scaled configuration (more than 800 VLANs), clagd.service enters a failed state after a reboot or a switchd restart. To work around this issue, load the port configuration in a staggered manner (groups of five downlink ports). |
3.7.12-3.7.15, 4.3.0, 4.4.2-4.4.5 | 3.7.16, 4.3.1, 5.0.0-5.11.0 |
2860323 |
If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry. | 4.4.0-5.0.1 | 5.1.0-5.11.0 |
2845531 |
If you update the MAC address of an SVI when the SVI is in a protodown state (for example, when no bridge ports that carry this VNI are operationally up or if the MAC address of the SVI’s parent bridge changes), clagd does not notice the change. The MLAG peer incorrectly maintains a PERMANENT neighbor entry for the SVI IP that points to the old MAC address. |
4.2.1-4.4.5 | 5.0.0-5.11.0 |
2841584 |
After you upgrade Cumulus Linux on one of the MLAG peers, the bonds do not come up and the reason shows anycast-ip-mismatch even though there is no VXLAN configuration on the switch. To work around this issue, configure an anycast IP address under the loopback interface on both switches in the MLAG pair. |
4.4.2-4.4.5 | 5.0.0-5.11.0 |
2838905 |
On Broadcom ARM switches, the NTP clock slowly drifts to a very high offset (over 500ms) and the clock is not able to synchronize. To work around this issue, use the chrony implementation of NTP instead of ntpd. chrony synchronizes the system clock faster and with better accuracy. Instructions for using chrony are here: https://docs.nvidia.com/networking-ethernet-software/knowledge-base/Network-Solutions/Chrony-on-Cumulus-Linux/ |
4.3.0-4.4.5 | |
2837378 |
The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0, 4.4.0-5.1.0 | 4.3.1, 5.2.0-5.11.0 |
2821869 |
The cl-route-check --layer3 command fails with a memory error. For example:
cumulus@switch:~$ sudo cl-route-check --layer3
Traceback (most recent call last): |
3.7.15-4.4.5 | 5.0.0-5.11.0 |
2820565 |
SNMP does not start and you see errors similar to the following:
cumulus@switch:~$ sudo systemctl status snmpd.service
snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
To work around this issue, run the sudo systemctl restart snmpd.service command. |
4.3.0-4.4.5 | 5.0.0-5.11.0 |
2815646 |
In an EVPN configuration, an FRR restart on a border leaf VRRP master causes a stale route for the VRRP VIP on some remote VTEPs to point to the VRRP backup after convergence. | 3.7.12-3.7.15, 4.3.0, 4.4.2-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.11.0 |
2813563 |
When you change the port speed with the NVUE nv set interface command, then run nv config apply, the port is disabled. To work around this issue, run the ifreload -a command after you apply the port speed setting. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2803428 |
The clagctl -v -j and net show clag verbose json commands show incorrect output. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2802859 |
When the INTF_CMD list in the /etc/default/isc-dhcp-relay file includes non-existent or partially configured interfaces from the /etc/network/interfaces file, there is an open file descriptor leak in DHCP Relay; the DHCP Relay service exits and you see error messages. To work around this issue, either clean up the INTF_CMD list in the /etc/default/isc-dhcp-relay file to remove non-existent or partially configured interfaces from the /etc/network/interfaces file, or correct the /etc/network/interfaces file to have a complete configuration for all interfaces defined in the INTF_CMD list in the /etc/default/isc-dhcp-relay file. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2799575 |
When next hop tracking fails for a global next hop, BGP invalidates the entire path instead of only invalidating the global next hop. | 4.4.0-4.4.5 | 5.0.0-5.11.0 |
2799568 |
When you add or remove a global unicast address from an interface, BGP does not update the global next hop advertised to the unnumbered BGP peer. | 4.4.0-4.4.5 | 5.0.0-5.11.0 |
2798406 |
If an MLAG failure of an EVPN Active-Active VTEP pair occurs after you disable EVPN Advertise Primary IP Address, remote VTEPs might not be able to install the anycast RMAC of the failed MLAG peers or the related bridge FDB entry. To work around this issue, do not disable EVPN Advertise Primary IP Address, which is enabled by default when you use address-virtual for layer 3 VNI SVI interfaces. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2794766 |
The Mellanox 3700C switch reports a slow memory leak in sx_sdk. Memory increases by about 240B/hour and does not free up. | 4.3.0-4.4.5 | 5.0.0-5.11.0 |
2792750 |
If you change the clagd-vxlan-anycast-ip setting on both MLAG peers at the same time, both peers use their unique VTEP address indefinitely. |
3.7.15-4.3.0, 4.4.0-4.4.5 | 4.3.1 |
2792616 |
If a neighbor entry (ARP or NDP) is used as a next hop of a route that is synchronized into hardware, the neighbor entry is not removed from hardware after the neighbor is no longer reachable. As a result, routed traffic matching this prefix is incorrectly hardware forwarded through the stale neighbor information. | 4.3.0-4.4.5 | 5.0.0-5.11.0 |
2788780 |
When you enable ARP and ND suppression and the switch forwards ARP and ND packets to the kernel, RX_DRP counters might increment but the packets are processed as normal. | 4.4.0-4.4.5 | |
2781537 |
In Cumulus VX, the iptables FORWARD chain does not count hits. To work around this issue, use -t mangle -A PREROUTING instead of FORWARD. |
4.3.0-4.4.5 | 5.0.0-5.11.0 |
2780915 |
In NVUE, you can’t deactivate the IPv4 address family per neighbor. | 4.4.0-4.4.5 | 5.0.0-5.11.0 |
2780834 |
To enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.11.0 |
2780211 |
When you use the NVUE nv set vrf default router bgp peer command to configure a local AS, Cumulus Linux does not update the /etc/frr/frr.conf file. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2771653 |
When using W-ECMP, the weights for various BGP next hops can sometimes be in the range of 100s or more, which consumes a lot of hardware space. | 4.3.0-4.4.5 | |
2763819 |
When you enable LACP bypass on a bond, traffic to static MAC addresses configured on the bond might not work when LACP bypass is enforced. | 4.4.0-4.4.5 | |
2754791 |
Remote MAC addresses in zebra are out of sync with bgpd. The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP. |
3.7.14.2-3.7.16, 4.3.0-4.4.5 | |
2753955 |
On the Lenovo MSN3700 switch, if you try to configure an interface with a link speed of 200G, the configuration fails. | 4.2.1-4.4.5 | 5.0.0-5.11.0 |
2752330 |
With BGP and layer 2 forwarding, Smart System Manager warm boot mode can cause packet loss. | 4.4.0-4.4.5 | 5.0.0-5.11.0 |
2747750 |
Links connected between a Spectrum 2 switch configured for warm boot and Spectrum 3 switches configured for cold boot might not come up when the switches are booted. | 4.4.2-4.4.5 | 5.0.0-5.11.0 |
2743186 |
When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. |
3.7.15-5.1.0 | 5.2.0-5.11.0 |
2739402 |
The destination MAC address of ERSPAN GRE packets is set to all zeros. | 4.3.0-4.4.5 | 5.0.0-5.11.0 |
2739398 |
Cumulus Linux does not support a bond or bond member as a SPAN destination. | 4.4.0-4.4.5 | 4.3.1 |
2738040 |
In an EVPN multihoming configuration, unicast ARP requests are not forwarded when the local Ethernet segment is down. | 4.4.0-4.4.5 | |
2736244 |
When you run the vtysh command to enable BGP graceful restart on a peer multiple times, the command fails with the following error:
% The Graceful Restart command used is not valid at this moment. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2736108 |
When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. |
4.4.0-4.4.5, 5.0.0-5.11.0 | |
2734103 |
ACL [No More Resources] messages keep appearing and you can’t reinstall the ACL. |
4.3.0-5.1.0 | 5.2.0-5.11.0 |
2732605 |
The ESI line in the show bgp l2vpn evpn route command output always shows VNI: 0. This is a cosmetic software issue. |
4.3.0-4.4.5 | 5.0.0-5.11.0 |
2732587 |
The bridge MAC address is updated during a port change on bridge interfaces. | 4.3.0, 4.4.0-4.4.5 | 4.3.1, 5.0.0-5.11.0 |
2728207 |
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
2728206 |
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
2728119 |
When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command. |
4.3.0-4.4.5 | 5.0.0-5.11.0 |
2713888 |
With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool, and the ACL might not work correctly:
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. |
3.7.15-5.0.1 | 5.1.0-5.11.0 |
2711533 |
On the AS7326-56X switch, the link lights for 25G ports configured to work at 1G do not illuminate. | 4.2.1-4.4.5 | |
2710208 |
The net show bgp neighbor command output does not reflect the correct BFD status. This is a cosmetic issue. To work around this issue, run the NCLU net show bfd command to verify the correct state of BFD. |
4.2.1-4.4.5 | |
2700767 |
Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use an MLAG peer IP linklocal configuration. | 3.7.12-3.7.15, 4.3.0-4.4.5 | 3.7.16 |
2698649 |
When configuring a single VXLAN device in the /etc/network/interfaces file, if you edit the multicast group address in vxlan-mcastgrp-map, then revert the change, the change does not take effect. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2687344 |
On the NVIDIA SN3700 switch, the decode-syseeprom command shows device absent for a PSU that is present. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2685994 |
When you use the NVUE command nv set interface lo router ospf area to configure OSPF on a loopback interface, the configuration fails to apply. To work around this issue, configure the loopback interface in the desired OSPF area with the nv set vrf default router ospf area 0 network command and reference the assigned prefix of the loopback interface. For example:
cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32 |
4.0.0-5.0.1 | 5.1.0-5.11.0 |
2685036 |
When the PIM RP configuration includes an anycast IP address and the route to that anycast IP address changes while joined to a multicast stream, you might receive the multicast stream from both the old and the new anycast source. | 4.4.0-4.4.5 | |
2684925 |
The NVUE nv show vrf default router bgp peer command produces a 404 not found error. |
4.4.0-4.4.5, 5.0.0-5.11.0 | |
2671652 |
In VXLAN routing environments, you might experience sub-optimal route convergence delays (longer than five seconds) when a prefix transitions to a new ECMP next-hop group. This condition might occur when a VTEP loses ECMP routes through all uplink peerings, then installs the routes through a different path, such as an MLAG peerlink. | 4.4.0-4.4.5, 5.5.0-5.11.0 | |
2669858 |
OpenSSH is vulnerable to CVE-2020-14145, as described in https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf. This is an information leak in algorithm negotiation that can allow man-in-the-middle attacks on initial connection attempts without a previously stored server host key on the client. If desired, mitigation using UpdateHostKeys and HostKeyAlgorithms is also given in that paper. |
3.7.14-3.7.16, 4.0.0-4.4.5 | |
2639303 |
When you use NCLU to delete a bond, then add an interface, NCLU reports an error similar to the following:
ERROR: 'NoneType' object has no attribute 'conf_key_value_multiple_values'
See /var/log/netd.log for more details. |
4.3.0-4.4.5 | |
2621244 |
When a VRF name includes evpn, the NCLU net show bgp vrf command fails with the error ERROR: The call to /usr/bin/vtysh failed. To work around this issue, do not use evpn in the VRF name, or run the desired commands directly from FRR with vtysh. |
4.3.0-4.4.5 | |
2618227 |
The NCLU net show bridge macs command displays permanent MAC addresses for trunked VLANs. |
4.3.0-4.4.5 | |
2606326 |
If the IGMP and MLD querier is configured on only one of the peer switches in an MLAG configuration, when IGMP packets are sent to the peer with no querier, IGMP leave messages have no effect. | 4.4.0-4.4.5 | |
2599274 |
On Mellanox Spectrum switches, when there is an MSTP forwarding state change on a bond (for example, when the state changes from blocking to forwarding), the MSTP hardware table might set some VLANs to blocking when they should be forwarding. As a result, all packets on these VLANs drop at ingress. To recover from this state, flap the bond interface (not the physical swp) by running ifdown <bond_name>; sleep 1; ifup <bond_name>. |
4.3.0-4.4.5 | 5.0.0-5.11.0 |
2596458 |
When bridge.unreg_v6_mcast_prune = TRUE is configured in the /etc/cumulus/switchd.conf file, traffic destined to IPv6 link-local multicast addresses might not be flooded within the bridge. To work around this issue, disable pruning for IPv6 multicast by setting bridge.unreg_v6_mcast_prune = FALSE in the /etc/cumulus/switchd.conf file. |
4.4.0-4.4.5 | |
2574368 |
When you run the NCLU net add bgp maximum-paths ibgp command, FRR restarts unexpectedly. To work around this issue, either use the vtysh commands or edit the /etc/frr/frr.conf file directly, then run systemctl reload frr. |
4.1.1-4.4.5 | |
2556772 |
The net show clag verify-vlans command fails with the following log:
To work around this issue, run the /usr/bin/clagctl verifyvlans command or the net show clag verbose command. |
4.2.1-4.4.5 | |
2556369 |
If you use NCLU to configure an ACL for eth0, you can't designate it as an INPUT rule; the rule is automatically created as a FORWARD rule in the /etc/cumulus/acl/policy.d/50_nclu_acl.rules file. To work around this issue, manually create an ACL in a file in the /etc/cumulus/acl/policy.d/ directory with "-A INPUT -i eth0". |
4.2.1-4.4.5 | |
2556082 |
The NCLU net del vrf command does not delete a numbered VRF. For example:
|
4.2.1-4.4.5 | |
2556081 |
You cannot set the time zone with NCLU commands. | 4.1.1-4.4.5 | |
2555981 |
In BGP, to enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.11.0 |
2555873 |
On Mellanox switches, egress ACLs with VLAN keys do not filter layer 2 multicast or broadcast traffic. | 4.3.0-4.4.5 | |
2555763 |
The NCLU net del bgp neighbor command does not delete the neighbor and displays an error similar to the following:
To work around this issue, use the FRR command to delete a neighbor. |
4.3.0-4.4.5 | |
2555613 |
The net show configuration commands command incorrectly displays the NCLU syntax to disable IPv6 forwarding on interfaces. For example:
The correct NCLU command to disable IPv6 forwarding is net add vlan 1 ipv6 forward off (without the hyphen). |
4.2.1-4.4.5 | |
2555318 |
If you try to enable BGP graceful restart when it is already enabled, you see an error similar to the following in the frr.log file:
This error has no functional impact. |
4.3.0-4.4.5 | |
2554986 |
The ethtool utility doesn't contain the latest values; as a result, the Revision Compliance field shows Unallocated. |
4.2.1-4.4.5 | |
2554812 |
If the RMAC of a layer 3 SVI changes, the show vrf vni command is not updated with the new value. However, the new RMAC is seen in the show evpn vni command and is present on self-originated EVPN routes. |
4.2.1-4.4.5 | |
2554783 |
If you apply an outbound route map to a BGP peer that uses set as-path prepend last-as, advertised locally-originated routes have the ASN of the peer prepended to the AS path. This might trigger AS path loop prevention on the peer, where the peer ignores locally-originated prefixes. |
4.2.1-4.4.5 | 5.0.0-5.11.0 |
2554709 |
The IP address specified in the ip pim use-source command configured on the loopback interface should be inherited by unnumbered interfaces during their primary IP address selection process. If ip pim use-source is configured on the loopback after an unnumbered interface has already selected its primary IP address, the unnumbered interface does not update its primary IP address to be the new use-source value until after there is a netlink update for that interface. To work around this issue, configure ip pim use-source on each unnumbered interface directly, or ensure ip pim use-source is applied to the loopback before other unnumbered interfaces are enabled for PIM. |
3.7.13-3.7.16, 4.2.1-4.4.5 | |
2554670 |
When you have a large number of ACLs, the cl-acltool -L ip and cl-resource-query commands take a long time to complete. |
4.3.0-4.4.5 | |
2554582 |
On switches with the Maverick ASIC, control traffic is dropped due to receive buffering. | 4.2.0-4.4.5 | |
2554533 |
On the ARM platform, NTP peer associations slowly increase to larger offsets (~500ms). | 4.0.0-4.4.5 | |
2554466 |
Kernel routes added by iproute2 are missing in FRR after an interface flap. To work around this issue, configure a static route in FRR. |
4.2.1-4.4.5 | |
2554222 |
The NCLU command to enable bridge learning fails. As a workaround, enable bridge learning in the /etc/network/interfaces file. For example:
|
4.2.1-4.4.5 | |
2554218 |
MLAG packets received on the peer link are dropped instead of routed. | 4.2.0-4.4.5 | |
2554202 |
The output of the net show commit command does not show the last commit or the specified commit number but is empty instead. |
4.2.1-4.4.5 | |
2553989 |
The default policer configured for LACP as an INPUT chain rule in 00control_plane.rules is meant to protect the CPU from an LACP storm. When an LACP storm originates from a single bond or bond member interface on a switch with multiple bond interfaces, other LACP bond interfaces might go down. | 4.2.1-4.4.5 | |
2553887 |
When TACACS+ is configured with a DEFAULT user that provides a privilege level lower than 16, TACACS+ users configured with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del, and see an error similar to the following:
To work around this issue, remove the DEFAULT user from the TACACS+ server. |
3.7.7-3.7.16, 4.0.0-4.4.5 | |
2553677 |
When you configure an SNMPv3 user with the net-snmp-config configuration command from the libsnmp-dev package, you get an error message similar to the one below:
To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:
Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation. |
3.7.13-3.7.16, 4.0.0-4.4.5 | |
2553237 |
The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF. NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF. |
4.2.0-4.4.5 | |
2553116 |
When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure. To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2553015 |
If a neighbor contains a special character in the PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail. |
3.7.10-3.7.16, 4.2.0-4.4.5 | |
2552691 |
On the EdgeCore AS4610 switch, the eth0 interface remains down when physically connected to a 1G interface. To work around this issue, configure the link speed to 1000 and set auto-negotiation on for the eth0 interface, then flap eth0 with the ip link set eth0 down/up command to bring up the port. |
4.2.0-4.4.5 | |
2552453 |
On the Mellanox switch, RoCE with PFC configuration is not applied to all ports in hardware when a range is used in the traffic.conf file. To work around this issue, use NCLU to configure RoCE with PFC or list individual ports in the traffic.conf file. |
4.2.0-4.4.5 | |
2552309 |
The following messages are seen on an Edgecore Minipack-AS8000 running Cumulus Linux 4.2.0:
These messages are for internal validation purposes only and can be safely ignored. |
4.2.0-4.4.5 | |
2552294 |
NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2552266 |
OpenSSH scp is vulnerable to CVE-2020-15778, where clients that have authorized access to the SSH server can execute commands on the server by copying maliciously named files. The two scenarios where an exploit may be useful to an attacker:
- The user is authorized to scp but not ssh (based on the command option in the authorized_keys file), so this vulnerability can allow executing a remote command on the target computer when not authorized to do so.
- An attacker plants a maliciously named file in a directory tree that someone later uses scp -r to copy over to the target computer.
Be aware that restricting users to scp by using the command option in the authorized_keys file is not effective in preventing those users from executing arbitrary commands on the server. If you want to use scp -r to copy directory trees, avoid copying directory trees to which attackers may have added maliciously-named files. Archiving the directory tree with tar, zip, or a similar program, then copying the archive over to be extracted on the server avoids having to use scp -r altogether. In addition, OpenSSH provides sftp, which you can use instead of scp to copy files. To disable scp completely, use /bin/chmod 0 /usr/bin/scp. |
3.7.14-3.7.16, 4.0.0-4.4.5 | |
2551666 |
If you modify an interface name, then reuse the previous interface name for a different VLAN, the ifreload -a command generates an error similar to the following:
|
4.1.0-4.4.5 | |
2551578 |
When you configure a bridge in the /etc/network/interfaces file, then try to reconfigure the bridge to be a VRF interface with the same name, the ifreload/ifup commands fail with an invalid table id or unable to get vrf table id error. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2551565 |
If you toggle VRRP priority values between VRRP routers, then restart switchd, a few IPv6 VRRP instances might not converge. As a result, both VRRP routers act as master routers for the impacted IPv6 VRRP instances. IPv4 VRRP instances are not affected. To work around this issue, remove, then add back the VRRP configuration with NCLU or vtysh commands. |
3.7.13-3.7.16, 4.2.0-4.4.5 | |
2551335 |
When TACACS+ is configured and the management VRF is enabled, users with privilege level 13 are prevented from running ip and cat commands. |
4.0.0-4.4.5 | |
2551305 |
The net show configuration command provides the wrong net add command for ACL under the VLAN interface. |
3.7.12-3.7.16, 4.1.0-4.4.5 | |
2551273 |
On a Mellanox SN2010 switch, the Locator LED is on after you upgrade Cumulus Linux. | 4.1.0-4.4.5 | |
2551221 |
When span-to-cpu is enabled on a layer 3 swp interface with an IP address configured, packets with a destination IP of the switch port's IP address don't reach the switch port. To capture packets directed towards the switch port's IP, disable span-to-cpu and use tcpdump on the switch port instead. | 4.2.0-4.4.5 | |
2551111 |
If a remote EVPN Sticky MAC [Static MAC address] is unexpectedly learned dynamically on a local interface, the selected entries in zebra and BGP are in an inconsistent state. zebra increments the local MAC mobility sequence number and considers the MAC address to be local, but BGP maintains the remote Sticky MAC as the best path selected. This results in zebra installing the local MAC address and BGP not updating the route for the MAC address. |
4.0.0-4.4.5 | |
2550974 |
On the Dell S3000 switch, after installing the Cumulus Linux 4.1.1 disk image without a license, the switch sends a link beat if a remote host port is configured. | 3.7.11-3.7.16, 4.1.1-4.4.5 | |
2550793 |
The NCLU net show bridge spanning-tree command displays the aging timer incorrectly. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2550713 |
Configuring the subinterface of a VXLAN uplink under another traditional bridge that also has the VXLAN VNI enslaved causes high CPU use in switchd due to very frequent VXLAN tunnel sync events. To work around this issue, do not enslave the subinterface of a VXLAN layer 3 uplink under a traditional bridge in a VXLAN configuration. |
4.1.1-4.4.5 | |
2550642 |
ACLs with a SPAN target and an in-interface that is a bond member are not supported on Spectrum-based switches. | 4.2.0-4.4.5 | |
2550444 |
Tab completion for the net show rollback description command returns information about a snapshot instead of context help. To work around this issue, run the net show commit history command to find descriptions instead of the net show rollback description command. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2550443 |
The net show rollback description command returns an error even if the string matches a commit description. To work around this issue, look for your string in the output of the net show commit history command (or grep for it there) instead. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2550243 |
When you use nginx and restserver in the management VRF to provide a REST API for the switch, nginx starts but restserver fails to start. To work around this issue, comment out the Requires= line in the /lib/systemd/system/restserver.service file. For example:
|
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2550056 |
The ACCTON-DIAG option under the Cumulus Linux GRUB menu does not work. When you select this option, you see the following error:
|
3.7.12-3.7.16, 4.1.1-4.4.5 | |
2549925 |
When you run an Ansible script to replace the /etc/network/interfaces file, then run the ifreload -a command, you see errors similar to the following:
To work around this issue, run the ifreload -a command a second time. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2549872 |
If you have an SVI with multiple VRR IP addresses and try to delete one of the VRR configurations, net commit or ifreload -a returns an error. |
3.7.12-3.7.16, 4.1.1-4.4.5 | |
2549782 |
The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbour state. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2549731 |
When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:
|
3.7.12-3.7.16, 4.1.1-4.4.5 | |
2549392 |
When you configure an RD or RT with NCLU, you see duplicate VNI stanzas in the /etc/frr/frr.conf file. To work around this issue, manually edit the /etc/frr/frr.conf file to define advertise-all-vni before the RD or RT configuration within the l2vpn EVPN address family, then reload the FRR service with the sudo systemctl reload frr command. |
4.1.0-4.4.5 | |
2548924 |
On the EdgeCore Minipack AS8000, storm control does not restrict unknown unicast, broadcast, or multicast traffic. | 4.1.1-4.4.5 | |
2548657 |
When you upgrade Cumulus Linux on the EdgeCore AS7726-32X or AS7326-56X switch, you might see firmware errors similar to the following:
You can safely ignore these error messages. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2548579 |
The following security vulnerability has been announced: CVE-2020-10531: An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp. |
3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16 |
2548315 |
The following security advisory has been announced for bash: CVE-2019-18276 (Qualys scan QID 372268), a setuid vulnerability. When bash or bash scripts run setuid, bash is supposed to drop privileges but does so incorrectly, so an attacker with command access to the shell can use enable -f to load a new builtin at runtime that calls setuid() to regain the dropped privileges. To work around this issue, do not make bash or bash scripts setuid. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
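The workaround above is only as good as your inventory of setuid files. The following POSIX shell helper is an added example, not part of the Cumulus release note, that walks the given filesystem roots and prints every setuid file that is either the bash binary itself or a script whose interpreter line names bash, so the operator can see what CVE-2019-18276 would apply to. The function name is an assumption made for the example.

```shell
#!/bin/sh
# Added example (not from the Cumulus release notes). Audit helper for the
# bash setuid issue: list setuid files that are bash, or scripts run by bash.

# find_setuid_bash ROOT...
# For each ROOT, find regular files with the setuid bit set (without crossing
# filesystem boundaries) and print those that are the bash or rbash binary
# or that start with a #! line naming bash. One path per line.
find_setuid_bash() {
    for root in "$@"; do
        find "$root" -xdev -type f -perm -4000 2>/dev/null
    done | while IFS= read -r f; do
        # First line only, truncated, so a binary does not flood the check.
        first=$(head -n 1 "$f" 2>/dev/null | cut -c1-80)
        case "$first" in
            '#!'*bash*) printf '%s\n' "$f"; continue ;;
        esac
        case "$(basename "$f")" in
            bash|rbash) printf '%s\n' "$f" ;;
        esac
    done
}
```

Run it as root against / to cover the whole system; anything it prints is a candidate to have its setuid bit removed (chmod u-s) or to be replaced with a wrapper that does not use bash.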
2548310 |
When the system boots, you might see errors similar to the following: cumulus systemd-udevd[7566]: Process '/usr/bin/hw-management-thermal-events.sh add thermal_zone /sys/devices/virtual/thermal/thermal_zone25 thermal_zone25' failed with exit code 1. These errors occur because user space acts on kernel events slightly late: the mlxsw_minimal driver is added during kernel boot, an SDK reset then deletes and re-instantiates the driver, and the user space handler for the thermal zone add event sees the add but the underlying device is deleted before the handler can act on it. The situation corrects itself when the mlxsw_minimal driver is re-instantiated later. |
4.1.0-4.4.5 | |
2548260 |
The net add routing route-map command does not add the set statement into the /etc/frr/frr.conf file. |
4.0.0-4.4.5 | |
2548243 |
On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
2548117 |
In OVSDB traditional bridge mode, adding or removing a VLAN binding causes a traffic forwarding outage for around 20 seconds or more on adjacent VLAN bindings. Cumulus Linux does not support traditional bridge mode with VMware NSX. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
2548062 |
When ports are split to 4x25G, RS FEC needs to be explicitly configured on both ends (especially when interoperating with non-Mellanox switches). | 4.1.0-4.4.5 | |
2548044 |
When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor. | 3.7.12-3.7.15, 4.0.0-4.4.5 | 3.7.16 |
2547903 |
CVE-2019-19956: xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs. Vulnerable: 2.9.4+dfsg1-7. Fixed: 2.9.4+dfsg1-7+deb10u1. |
4.0.0-4.4.5 | |
2547890 |
QinQ across VXLAN on a traditional bridge does not work. | 4.1.0-4.4.5 | |
2547782 |
If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2547706 |
When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd . To work around this issue, reboot the switch. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2547405 |
When you restart the hsflowd service, you see a systemd warning message similar to the following:
|
4.0.0-4.4.5 | |
2547120 |
After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number) until you run the decode-syseeprom --init command. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2546991 |
The FRR service does not provide a way for automation to know if the configuration applied properly. To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2546895 |
If you configure a high number of ports and VLANs (ports x VLANs), or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout (2 minutes by default) and you see an error similar to the following: systemd[1]: switchd.service watchdog timeout (limit 2min)! To work around this issue, either reduce the number of configured interfaces and/or VLANs, or increase the systemd timeout for switchd.service. To increase the systemd timeout: 1. Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter. 2. Run the sudo systemctl daemon-reload command so that systemd picks up the new value, then restart the switchd service with the sudo systemctl restart switchd.service command. systemd attempts to restart the switchd service automatically after the watchdog timeout. If the restart fails multiple times in a short period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2546874 |
On the Dell S5232F, S5248F, S5296F, and S3048 switch, using the poweroff or halt commands does not fully power off the switch. |
4.0.0-4.4.5 | |
2546255 |
On the EdgeCore Minipack-AS8000 switch, a 100G DAC link does not come up when auto-negotiation is enabled on the neighbor. This switch does not support 100G DAC auto-negotiation at this time. | 4.0.0-4.4.5 | |
2546225 |
When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer , which causes issues with cl-support.
To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2546131 |
On the Delta AG-6248C PoE switch, the apt upgrade command does not work. Cumulus Linux uses U-Boot directly instead of GRUB to boot the kernel on this switch, and U-Boot needs a special header, which is not present, to boot the kernel. Without this header, after you upgrade Linux packages with apt upgrade, U-Boot is unable to boot the kernel. To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image: run the onie-select command to go into ONIE, then use the nos-install command in ONIE to install a new image. This workaround only works when an out-of-band network is present. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2545837 |
If you use NCLU commands to configure NTP and run the net add time ntp source command before you run the net add time ntp server command, the /etc/ntp.conf file is misconfigured. To work around this issue, run the net add time ntp server command before you run the net add time ntp source command. |
3.7.10-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16 |
2545520 |
The length of the netlink message is not set properly for non-bridge family type messages. The same length is used for both bridge and non-bridge even though the bridge family type message has an extra attribute. This causes extra bytes to be left over in non-bridge family type netlink messages. | 3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2545233 |
On the Delta AG9032v1 switch, smonctl and sensors report inaccurate PSU current and power. | 4.0.0-4.4.5 | |
2545125 |
If you configure more than one VRR interface on an SVI interface, deleting one of the VRR addresses does not remove the interface/address. | 3.7.10-3.7.16, 4.0.0-4.4.5 | |
2544978 |
If you delete an undefined bond, then add a bond slave, the net commit command fails. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2544968 |
FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:
should be:
To work around this issue, configure the interface manually in the /etc/frr/frr.conf file. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2544957 |
NCLU incorrectly allows you to apply port security configuration on layer 2 and layer 3 ports that are not part of a bridge. | 4.0.0-4.4.5 | |
2544953 |
When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname. To work around this issue, run the sudo systemctl restart lldpd.service command. |
3.7.10-3.7.16, 4.0.0-4.4.5 | |
2544880 |
When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. |
4.0.0-4.4.5 | |
2544723 |
Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2544463 |
Auto-negotiation does not work with QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported. To work around this issue, do not use auto-negotiation; set the local port speed to 10G. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2544456 |
The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2544311 |
Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
2544155 |
NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order. |
3.7.5-3.7.16, 4.0.0-4.4.5 | |
2544113 |
MAC learning is not disabled by default on a double-tagged peer link interface, resulting in the MAC address moving between the MLAG bond and the peer link. To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the /etc/network/interfaces file. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2543937 |
An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause the FRR reload to time out. To work around this issue, remove the interface alias description from iproute2. |
3.7.8-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2543915 |
When you enable a service in the management VRF, systemctl issues a warning similar to the following: Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run 'systemctl daemon-reload' to reload units. You can safely ignore this warning. |
4.0.0-5.9.2 | 5.10.0-5.11.0 |
2543900 |
On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | |
2543841 |
The net show evpn vni detail json command includes an extra empty dictionary at the end of the output. |
3.7.8-3.7.16, 4.0.0-4.4.5 | |
2543816 |
On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages. |
3.7.6-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16 |
2543781 |
NCLU does not allow you to configure OSPF NSSAs. For example:
To work around this issue, use FRR instead. For example:
|
3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2543724 |
If a hostname contains utf-8 characters, the NCLU net show lldp command outputs the following error:
|
3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2543646 |
In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
2543401 |
On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces. To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. |
4.0.0-4.4.5 | |
2543211 |
In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18). |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2543164 |
The MTU of an SVI cannot be higher than the MTU of the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU, and the net commit command succeeds even though the MTU is not changed as expected. To work around this issue, change the MTU on all SVIs and on the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. |
3.7.7-3.7.16, 4.0.0-4.4.5 | |
2543096 |
When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted. |
3.7.6-3.7.16, 4.0.0-4.4.5 | |
2542945 |
On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags. To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad :
|
3.7.6-3.7.16, 4.0.0-4.4.5 | |
2542837 |
On Mellanox switches, policer iptables are not working as expected. For example, when using a policer with mode KB/MB/GB to rate-limit interfaces, the syntax is accepted but the data plane transfer speed is not affected by the rule. | 3.7.6-3.7.8, 4.0.0-4.4.5 | 3.7.9-3.7.16 |
2542305 |
If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically. |
3.7.6-3.7.16, 4.0.0-4.4.5 | |
2542301 |
When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted. |
3.7.3-3.7.16, 4.0.0-4.4.5 | |
2541212 |
The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded. |
3.7.5-3.7.16, 4.0.0-4.4.5 | |
2541029 |
On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped. This issue only affects QinQ configurations. |
3.7.5-3.7.16, 4.0.0-4.4.5 | |
2540753 |
If the interface alias contains a single or double quotation mark, or an apostrophe, the net show configuration commands fail with the following error:
|
3.7.5-3.7.16, 4.0.0-4.4.5 | |
2540444 |
SNMP incorrectly requires engine ID specification. |
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540352 |
When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces. For example, this command is incorrect:
These commands are correct:
|
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2540340 |
NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays
Tab completion for the net add vrf command works correctly. |
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540274 |
On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
2540204 |
When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540192 |
The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled. To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. |
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540155 |
On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node. |
3.7.3-3.7.16, 4.0.0-4.4.5 | |
2540042 |
When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails. To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
|
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540041 |
On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU. To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
|
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540040 |
Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU. To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:
|
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540031 |
NCLU does not honor auto all in the /etc/network/interfaces file and removes the existing configuration if no individual auto lines exist. |
3.7.3-3.7.16, 4.0.0-4.4.5 | |
2539994 |
When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
|
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2539962 |
When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error. |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2539670 |
On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2539124 |
The net add interface command adds no ptm-enable for that interface in the frr.conf file. Running the net add or the net del command does not remove no ptm-enable from the frr.conf file. You have to remove it manually using vtysh. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2538790 |
NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan . This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG. To restore connectivity, remove the VLAN ID from the bridge. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2538590 |
When you configure a control plane ACL to define permit and deny rules for traffic destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain. Traffic addressed to the switch itself traverses the INPUT chain, not FORWARD, so the rules do not take effect as intended. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
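Because a permit or deny rule for the switch's own addresses never matches from the FORWARD chain, it is worth checking where control plane rules actually landed. The following POSIX shell function is an added example, not part of the Cumulus release note or of NCLU: it scans an iptables-save dump for FORWARD rules whose destination is one of the switch's own addresses. The dump embedded below is a constructed sample standing in for real iptables-save output, and the function names and the address 10.0.0.1 are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the Cumulus release notes). Detects control plane
# ACL rules that were programmed into FORWARD instead of INPUT.

# Constructed sample standing in for `iptables-save` output on a switch whose
# own address is 10.0.0.1. The two FORWARD rules aimed at 10.0.0.1 are the
# misplaced ones; the last FORWARD rule is legitimate transit policy.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.1.0.0/16 -p tcp --dport 22 -j ACCEPT
-A FORWARD -d 10.0.0.1/32 -p tcp --dport 22 -j ACCEPT
-A FORWARD -d 10.0.0.1/32 -p tcp --dport 179 -j DROP
-A FORWARD -s 10.1.0.0/16 -d 10.2.0.0/16 -j ACCEPT
COMMIT'

# misplaced_cp_rules IP... < dump
# Print every FORWARD rule whose -d matches one of the given switch addresses
# (a trailing /32 is ignored). Exit 1 if any were found, 0 otherwise.
misplaced_cp_rules() {
    awk -v ips="$*" '
        BEGIN { n = split(ips, a, " "); for (i = 1; i <= n; i++) local[a[i]] = 1 }
        /^-A FORWARD / {
            for (i = 1; i < NF; i++) {
                if ($i == "-d") {
                    dst = $(i + 1); sub(/\/32$/, "", dst)
                    if (dst in local) { print; found++ }
                }
            }
        }
        END { exit (found ? 1 : 0) }'
}

# count_misplaced IP... < dump
# Number of misplaced rules as a plain integer, for scripting.
count_misplaced() {
    misplaced_cp_rules "$@" | wc -l | tr -d ' '
}
```

On a live switch, feed real output instead of the sample, for example iptables-save | misplaced_cp_rules 10.0.0.1 with the switch's own IPv4 addresses as arguments; any line printed is a rule that should live in INPUT. The check covers IPv4 only; repeat it with ip6tables-save for IPv6 rules.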
2538562 |
On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the /etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up. After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown. To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings. Note: The advertised link mode is set incorrectly if you include 1000baseT/Half; the port still comes up successfully at 1G. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2538294 |
If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2537699 |
There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces:
Eventually the dhcrelay service stops. |
3.7.1-3.7.16, 4.0.0-4.4.5 | |
2537544 |
When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl ; for example, SNMP output from the BRIDGE-MIB. |
3.7.1-3.7.16, 4.0.0-4.4.5 | |
2536576 |
If you try to bring down several members of a bond remotely at the same time, the link state of one of the interfaces might not transition correctly to the down state; however, all links show down in hardware. |
4.0.0-4.4.5 | |
2536384 |
The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware. |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2536256 |
For an unresolved address, the IPROUTER default policer rule has been modified to not match on packets exiting a TUNNEL and headed to the CPU to resolve the address via ARP. As a result, the following default rule no longer matches TUNNEL ingress packets.
These packets are now policed by catch all rules. To work around this issue, the VPORT value on a TRIDENT switch must be changed from binary 011 to 100. |
4.0.0-4.4.5 | |
2536242 |
On the EdgeCore AS7712 (Tomahawk) switch running in atomic mode, when a layer 3 ECMP path is brought down, traffic traversing the path stops working for about four seconds. When the switch is changed to non-atomic mode, the delay is less than one second. This issue is seen across OSPF and static ECMP routes. | 4.0.0-4.4.5 | |
2536179 |
On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
2535986 |
At a high CPU transmit traffic rate (for example, if there is unexpected CPU-generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can apply back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers, resulting in No buffer space available error messages on protocol sockets. When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover from with a switchd restart. |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2535965 |
On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly. To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2535723 |
The source address of the ICMPv6 time exceeded message (traceroute hop) is sourced from the wrong VRF when the traceroute target resides on the same switch but in a different VRF. | 4.0.0-4.4.5 | |
2535605 |
FRR does not add BGP ttl-security to either the running configuration or to the /etc/frr/frr.conf file when configured on a peer group instead of a specific neighbor. To work around this issue, add ttl-security to individual neighbors instead of the peer group. |
4.0.0-4.4.5 | |
2535209 |
The net show lldp command sometimes shows the port description in the Remote Port field. The net show interface command shows the correct value in the Remote Host field. To work around this issue, use the net show interface command for LLDP output when connected to Cisco equipment. |
3.7.5-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2534734 |
Span rules matching the out-interface as a bond do not mirror packets. | 4.0.0-4.4.5 | |
2533691 |
If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict. To work around this issue, correct the bridge VIDs and restart switchd or delete the subinterface. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2533625 |
PIM and MSDP entries are set to the internal COS value of 6 so they are grouped together with the bulk traffic priority group in the default traffic.conf file. However, PIM, IGMP, and MSDP are considered control-plane and should be set to the internal COS value of 7. |
4.0.0-4.4.5 | |
2533337 |
When you use NCLU to bring a bond admin down (net add bond ), the bond interface goes into the admin down state but the switch ports enslaved to the bond remain UP. If you are using bond-lacp-bypass-allow or balance-xor mode, the host might continue to send traffic. This traffic is dropped because, although the bond slaves are UP, they are not members of the bridge. To work around this issue, use the sudo ifdown command instead. |
4.0.0-4.4.5 | |
2531273 |
In certain cases, a peer device sends an ARP request from a source IP address that is not on the connected subnet and the switch creates a STALE neighbor entry. Eventually, the switch attempts to keep the entry fresh and sends ARP requests to the host. If the host responds, the switch has REACHABLE neighbor entries for hosts that are not on the connected subnet. To work around this issue, change the value of arp_ignore to 2. See Address Resolution Protocol in the Cumulus Linux user guide (https://docs.cumulusnetworks.com/cumulus-linux/Layer-3/Address-Resolution-Protocol-ARP/) for more information. |
4.0.0-4.4.5 | |
Fixed Issues in 4.4.4
Issue ID | Description | Affects |
---|---|---|
3297171 |
Restarting switchd might fail due an ACL SPAN module initialization failure. |
4.4.2-4.4.3 |
3107615 |
Cumulus Linux installation fails with the error Installation Problems, sub-task Installing Optional Packages. This occurs because the web server hosting the Cumulus Linux image remaps a 404 for the non-existent file image.optional_pkgs into a web page, which the installer then incorrectly attempts to use as a list of optional packages. To work around this issue, on the web server hosting the image, create an empty file with the same name as the image with .optional_pkgs appended to the name. |
4.4.0-4.4.3 |
3094082 |
If you apply a PBR policy with a next hop group but the next hop is not reachable, the PBR service crashes. | 4.4.0-4.4.3 |
3091381 |
Restarting switchd might fail due to an ACL SPAN module initialization failure. |
4.4.2-4.4.3 |
3089165 |
A slow memory leak might occur in switchd if a route fails to install in hardware because hardware resources are exhausted. |
4.2.1-4.4.3 |
3089148 |
The clagd process uses 100 percent CPU and eventually crashes with an Unable to allocate memory error. |
4.3.0 |
3084476 |
After you disable traffic shaping in the /etc/cumulus/datapath/qos/qos_features.conf file, the default QOS traffic shaping configuration does not restore. To work around this issue, restart switchd . |
4.4.3, 5.0.0-5.11.0 |
3083265 |
The snmpd process will slowly leak memory when you poll TCP-MIB objects. To work around this issue, restart the snmpd service to free memory with the systemctl restart snmpd command. |
3.7.16-4.4.3 |
3082583 |
On the NVIDIA SN3420 switch, the smonctl command output shows the maximum PSU temperature higher than the critical temperature. |
4.4.2-4.4.3, 5.0.0-5.1.0 |
3078202 |
On the NVIDIA Spectrum 1 switch, when a port goes down, it might not come back up. To work around this issue, disable, then enable the port. | 5.0.0-5.1.0 |
3077737 |
The update-ports.service fails because a blank space in the comment lines of the /etc/cumulus/ports.conf file causes parsing errorsTo work around this issue, remove the blank spaces in the commented lines, then restart the update-ports and switchd services. |
3.7.15-4.3.0 |
3073649 |
In an EVPN-MH configuration, the switch fails to redirect tagged frames with the CoS bits set. | 4.4.0-4.4.3, 5.0.0-5.1.0 |
3060399 |
When you add an interface to a layer 3 bond, traffic does not forward and you see errors similar to the following:2022-05-02T13:14:40.118597+00:00 cumulus sx_sdk: ROUTER: Failed to delete router interface(27) ref count isn’t 0, err= Resource is in use |
4.4.2-4.4.3, 5.0.1-5.1.0 |
3058604 |
When you change the time with NTP or manually, the clagd service stops. | 4.3.0 |
3041306 |
If you update the MAC address of an SVI using ifreload and hwaddress , the kernel maintains a stale permanent fdb entry for the old MAC address. |
3.7.15, 4.3.0, 4.4.0-4.4.3, 5.0.0-5.0.1 |
3031228 |
In a static VXLAN configuration with a traditional or single VXLAN device, enabling bridge learning on the VNI leads to an incorrect warning and the setting is removed in the next commit. The warning is similar to the following:warning: vni10: possible mis-configuration detected: l2-vni configured with bridge-learning ON while EVPN is also configured - these two parameters conflict with each other |
4.3.0 |
3023256 |
After you remove the port from the EVPN-MH bond, the port stays in the PRTDN state with the protodown flag ON. |
4.4.3 |
3021887 |
On Spectrum-2 switches, when a packet has a CRC and the ports are in cut-though mode, the switch might stop forwarding traffic. | 4.4.2-4.4.3, 5.0.0-5.0.1 |
3021879 |
Cumulus Linux learns remote MAC addresses as local entries on the bridge with the wrong remote VTEP IP address even when bridge learning is off on the VTEP and ARP suppression is enabled. | 4.4.0-4.4.3 |
3021877 |
After you configure a new VLAN on a bond, traffic might stop forwarding on the bond interface. This issue occurs only when you specify bridge-vids on the bond. This issue does not occur when you configure VLANs only on the bridge interface and let the bond get the bridge-vids applied from the bridge. |
4.4.2-4.4.3 |
3021698 |
After you convert a port from a layer 2 bond member to a layer 3 port, the switch drops transmitted untagged packets as egress VLAN membership discards To work around this issue, restart switchd with the sudo systemctl restart switchd.service command. |
4.4.2-4.4.3, 5.0.0-5.0.1 |
3021692 |
When ARP suppression is off, Cumulus Linux sends GARPs from neighmgrd for remote neighbors over VXLAN. |
3.7.15-4.3.0, 4.4.0-4.4.3, 5.0.0-5.1.0 |
3020157 |
When you configure QoS remarking on a bond, the port stops forwarding traffic. | |
3018159 |
After you remove the port from the EVPN-MH bond, the port stays in the PRTDN state with the protodown flag ON. |
4.4.3, 5.0.0-5.0.1 |
3017180 |
When you run the /usr/share/snmp/resq_pp.py script used by SNMP, you see the following log message in syslog regardless of the forwarding table profile set in the /etc/cumulus/datapath/traffic.conf file. |
4.4.0-4.4.3, 5.0.0-5.0.1 |
2961216 |
When there is a peer link failure followed by a power failure or a crash on the primary switch, the MLAG secondary switch takes up to 24 seconds to change roles to the Primary. | 4.4.2-4.4.3 |
4.4.3 Release Notes
Open Issues in 4.4.3
Issue ID | Description | Affects | Fixed |
---|---|---|---|
4143345 | On the Trident3 switch, if you use NCLU to configure BGP neighbor shutdown, NCLU stops responding when you include more than 200 neighbors per peer group. If you do not use NCLU to configure BGP neighbor shutdown, you can configure a maximum of 300 neighbors per peer group. | 4.3.0-4.4.5 | |
4037015 | The NVUE commands to delete SNMP users, and to change authentication passwords and encryption passphrases, are not successful. | 4.3.0-5.9.1 | 5.9.2-5.11.0, 5.10.0-5.11.0 |
3980941 | After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes: snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poectl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl restart snmpd command. For example: #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a | 4.4.0-5.9.1 | 5.9.2-5.11.0, 5.10.0-5.11.0 |
3773177 | When you try to upgrade a switch from Cumulus Linux 5.5 or earlier to 5.8.0 or later with package upgrade, you see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch: cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb | 4.0.0-4.4.5, 5.0.0-5.11.0 | |
3684998 | DHCP lease information is not collected in the cl-support file. | 4.3.0-5.6.0 | 5.7.0-5.11.0 |
3528464 | Cumulus Linux might mark a layer 2 VLAN-tagged packet as a packet to CPU and the INPUT chain ACL might drop the packet. To work around this issue, add an additional addrtype match on the ACL to prevent an erroneous ACL match; for example: [iptables] | 4.3.0-4.4.5 | |
3488136 | When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf command. | 4.2.1-5.5.1 | 5.6.0-5.11.0 |
3474391 | The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.11.0 |
3429530 | On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.11.0 |
3420056 | The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.11.0 | |
3400244 | NCLU accepts multiple instances of the same net add bgp commands and stores the configuration in the /etc/frr/frr.conf file when you run the net commit command. As a result, unintended commands might be processed during frr-reload. To work around this issue, edit the /etc/frr/frr.conf file to remove the duplicated entries. | 4.3.1-4.4.5 | |
3390022 | When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the peerlink.4095 interface stanza are duplicated. Subsequent ifreload or net commit commands fail until you manually remove the duplicated lines from this interface and run ifreload -a. | 4.2.1-4.4.5 | |
3389994 | During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The clagctl dumppermanentneighs command only shows local neighbors. | 4.2.1-4.3.1, 4.4.0-5.4.0 | 4.3.2, 5.5.0-5.11.0 |
3387852 | If you remove NGINX from the switch, then run apt autoremove, switchd does not reload because the libyaml-0-2 and python-yaml packages are missing; these packages are required for switchd consistency checking. To work around this issue, reinstall the libyaml-0-2 and python-yaml packages. | 4.4.0-4.4.5 | |
3351951 | Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps of around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-4.3.1, 4.4.0-5.3.1 | 4.3.2, 5.4.0-5.11.0 |
3339249 | The sensors.conf files in Cumulus Linux are out of date. | 4.2.1-4.4.5 | |
3333064 | The traffic control rules that the EVPN multihoming configuration adds to an interface are deleted when the hsflowd service restarts. The hsflowd service deletes the EVPN multihoming traffic control filters after you stop hsflowd, then adds back the match-all filters with the psample action; however, hsflowd does not add back the EVPN multihoming traffic control rules. | 4.4.0-5.3.1 | 5.4.0-5.11.0 |
3330705 | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and an IPv4 address, is counted multiple times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.11.0 |
3327477 | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 through tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 through tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.11.0 | |
3321391 | On the NVIDIA SN2410 switch, ports with optical transceivers show FAULT errors in the sensor command output. | 4.2.1-5.3.1 | 5.4.0-5.11.0 |
3303105 | A clagd crash is observed with the following traceback in /var/log/clagd.log following a clag sync event, which is typically driven by a peerlink up event: unhandled exception: Traceback (most recent call last): File "/usr/sbin/clagd", line 1304, in PeerRecvT PeerRecv() File "/usr/sbin/clagd", line 513, in PeerRecv ParseProtoBufMessage(nlm, myPeerMsg) File "/usr/sbin/clagd", line 853, in ParseProtoBufMessage msgData = FdbSync.ParseProtoBufMessage(msgHdr) File "/usr/lib/python3/dist-packages/clag/fdbsync.py", line 892, in ParseProtoBufMessage msgData.ParseFromString(msgHdr.data) google.protobuf.message.DecodeError: Error parsing message | 4.4.0-4.4.5 | |
3297171 | Restarting switchd might fail due to an ACL SPAN module initialization failure. | 4.4.2-4.4.3 | 4.4.4-4.4.5 |
3293110 | You cannot set the NTF router flag (NTF_ROUTER) on neighbor entries from user space. | 4.4.2-4.4.5 | |
3292873 | When you run ZTP manually with the ztp -R command, then the ztp -vb command, the process stalls indefinitely while searching the local (USB) location and not using DHCP information. To work around this issue, run the ztp -r command with the URL of the ZTP server: [Dec-08-17:09:58] root@switch:/home/cumulus# ztp -r http://myztp.server.local/ztp | 4.4.2-4.4.5 | |
3291548 | In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As a result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. | 4.2.1-4.4.5 | 5.0.0-5.11.0 |
3288156 | When you configure a new VNI, the VLAN 1 VNI mapping is removed from the VXLAN device. To work around this issue, set the VNI interface mapped to VLAN 1 down and up again. | 4.4.3-5.1.0 | 5.2.0-5.11.0 |
3284719 | Certain EVPN multihoming show commands might cause the bgpd service to crash if you use the json flag and try to reference the default VRF by name. For example: show bgp l2vpn evpn es-vrf json. | 4.4.2-4.4.5 | |
3269537 | When an FRR routing service (such as bgpd) becomes unresponsive, watchfrr might fail to stop and restart the service. To work around this issue, restart FRR with the systemctl restart frr command. | 4.4.0-5.3.1 | 5.4.0-5.11.0 |
3244740 | If you have many inbound route maps that match lists with many regex statements, a large number of updates from the peer can cause the system to run out of memory. To work around this issue, reduce the number of regex matches in inbound route maps. | 4.4.0-5.2.1 | 4.3.2, 5.3.0-5.11.0 |
3226579 | The net show interface command output shows Type=Unknown for the specified interface. | 4.4.3-4.4.5 | |
3221470 | Under heavy system load, when many forwarding resources (routes, neighbors, ECMP groups, and so on) are removed from hardware, subsequent attempts to configure additional forwarding resources might fail and you see the following log message: sx_sdk: EMAD_RX_THREAD: EMAD transaction FW error | 4.4.0-5.1.0 | 5.2.0-5.11.0 |
3218207 | Certain routes on tenant VRFs have missing next hop entries because the router MAC address is missing from the bridge forwarding database table that corresponds to the remote VTEP. As a result, traffic forwarding is affected for these routes. | 4.3.0-5.2.1 | 5.3.0-5.11.0 |
3216922 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-5.2.1 | 5.3.0-5.11.0 |
3216921 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-3.7.16, 4.3.0-4.4.5 | |
3216759 | With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool, and the ACL might not work correctly: hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources. To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-3.7.16, 4.3.0-4.4.5 | |
3211369 | The NCLU net show interface pluggables command takes a long time (approximately five minutes) to complete. | 4.2.1-4.4.5 | |
3211359 | The net show interface command output shows Type=Unknown for the specified interface. | 4.4.3-5.0.1 | 5.1.0-5.11.0 |
3211054 | On the NVIDIA Spectrum-2 switch, when receiving multicast traffic on a PIM enabled VLAN, the multicast traffic is forwarded correctly to the associated VLAN; however, WJH shows traffic loss with the error: | 4.4.2-5.2.1 | 5.3.0-5.11.0 |
3209699 | RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). | 3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.11.0 |
3192808 | When the switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-4.3.1, 4.4.0-5.2.1 | 4.3.2, 5.3.0-5.11.0 |
3168564 | In a large scale VXLAN configuration (for example, if you have more than 8500 VLANs across ports), switchd might crash when you restart clagd or when all bonds go operationally down, then up. On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. | 4.3.1-4.4.5 | |
3163845 | If the bond slaves listed in the /etc/network/interfaces file are not in alphabetical order, the bond interface MAC address can change when you run ifreload. For example, if the bond slaves in the /etc/network/interfaces file are listed as swp32 swp31, the switch initially uses the MAC address of swp32 as the bond MAC address. Another ifreload can change this to the MAC address of swp31, which can cause protocol issues, such as IPv6 link-local address changes. | 4.3.1-4.4.5 | |
3150317 | During a host failure, where a link remains up but LACP stops being sent, the EVPN multihoming ES bond goes into bypass mode active without a link state change. | 4.4.2-5.2.1 | 5.3.0-5.11.0 |
3138746 | The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0-5.1.0 | 5.2.0-5.11.0 |
3138057 | When the next hop interface for EVPN type 5 routes flaps, FRR might uninstall the routes and Route install failed appears in /var/log/frr/frr.log. To work around this problem, restart FRR with the sudo systemctl restart frr command. | 4.4.0-5.2.1 | 5.3.0-5.11.0 |
3135801 | Zebra rejects MAC IP updates from BGP when the MAC mobility sequence number that BGP sends is lower than the sequence number known to zebra. When the MAC mobility sequence that BGP knows legitimately lowers (due to narrow timing conditions during convergence or after rebooting an MLAG pair one VTEP at a time), zebra rejects these updates and maintains stale state. If the stale information that zebra uses points to the wrong VTEP address, traffic goes to the wrong VTEP and might drop. | 4.0.0-4.3.0, 4.4.0-4.4.5 | 3.7.16, 4.3.1 |
3131423 | During EVPN multihoming bond failover, ARP and ND redirection fails if you configure layer 2 VNIs and ES bonds before you configure the loopback IP address of the switch. To work around this issue, configure the loopback IP address, then restart FRR with the systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.11.0 |
3129819 | On the EdgeCore AS4610 switch, the clagd service loses communication after 198 days of uptime. | 3.7.15-3.7.16, 4.3.0-4.4.5 | |
3123556 | When you configure an interface in FRR to send IPv6 RAs before you configure the interface in the /etc/network/interfaces file, the switch does not process IPv6 RAs. To work around this issue, remove the interface configuration in FRR and reapply it. | 3.7.15-4.3.0, 4.4.0-5.1.0 | 4.3.1, 5.2.0-5.11.0 |
3119615 | In an MLAG topology, if you admin down a single connected interface, any dynamic MAC addresses on the peer link are flushed, then added back momentarily, which creates a disruption in traffic. | 3.7.15-5.1.0 | 5.2.0-5.11.0 |
3117340 | When you edit the /usr/share/openvswitch/scripts/ovs-ctl-vtep file to change the ovs-vtepd configuration between vlan-aware and vlan-unaware mode, ovs-vtepd crashes when you restart the service. To recover, restart the networking service with the sudo systemctl restart networking command. | 4.3.0-5.1.0 | 5.2.0-5.11.0 |
3112971 | When you configure a VRF static route using the legacy command syntax in FRR (for example: ip route 10.0.0.0/8 172.16.1.1 vrf vrf-red), then make subsequent VRF or route configuration changes, FRR might crash. To avoid this problem, use the current method for configuring VRF routes within the VRF stanza: vrf vrf-red | 4.4.3-5.1.0 | 5.2.0-5.11.0 |
3107615 | Cumulus Linux installation fails with the error Installation Problems, sub-task Installing Optional Packages. This occurs because the web server hosting the Cumulus Linux image remaps a 404 for a non-existent file image.optional_pkgs into a web page, which it then incorrectly attempts to use as a list of optional packages. To work around this issue, on the web server hosting the image, create an empty file with the same name as the image with .optional_pkgs appended to the name. | 4.4.0-4.4.3 | 4.3.1, 4.4.4-4.4.5, 5.2.0-5.11.0 |
3094082 | If you apply a PBR policy with a next hop group but the next hop is not reachable, the PBR service crashes. | 4.4.0-4.4.3 | 4.4.4-4.4.5 |
3093966 | On Broadcom switches, INPUT chain iptables rules filter IPv6 packets matching the rules. | 3.7.15-3.7.16, 4.3.0-4.4.5 | |
3091381 | Restarting switchd might fail due to an ACL SPAN module initialization failure. | 4.4.2-4.4.3 | 4.4.4-4.4.5, 5.0.0-5.11.0 |
3089165 | A slow memory leak might occur in switchd if a route fails to install in hardware when hardware resources are exhausted. | 4.2.1-4.4.3 | 4.4.4-4.4.5 |
3084476 | After you disable traffic shaping in the /etc/cumulus/datapath/qos/qos_features.conf file, the default QoS traffic shaping configuration is not restored. To work around this issue, restart switchd. | 4.4.3, 5.0.0-5.11.0 | 4.4.4-4.4.5 |
3084027 | Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware. | 4.3.0-4.4.5, 5.0.0-5.11.0 | |
3083265 | The snmpd process slowly leaks memory when you poll TCP-MIB objects. To work around this issue, restart the snmpd service to free memory with the systemctl restart snmpd command. | 3.7.16-5.1.0 | 5.2.0-5.11.0 |
3082583 | On the NVIDIA SN3420 switch, the smonctl command output shows the maximum PSU temperature higher than the critical temperature. | 4.4.2-4.4.3, 5.0.0-5.1.0 | 4.4.4-4.4.5, 5.2.0-5.11.0 |
3073668 | On the EdgeCore AS4610 switch, when you change the speed of any of the SFP+ ports, the other SFP+ ports flap. | 3.7.12-3.7.16, 4.3.0-4.4.5 | |
3073649 | In an EVPN-MH configuration, the switch fails to redirect tagged frames with the CoS bits set. | 4.4.0-4.4.3, 5.0.0-5.1.0 | 4.4.4-4.4.5, 5.2.0-5.11.0 |
3072613 | When you delete a bond interface with NCLU, the BGP peer group configuration is removed. | 3.7.15-3.7.16, 4.3.0-4.4.5 | |
3070672 | TACACS command authorization results in a traceback error and the command is not executed. | 4.4.0-4.4.5 | |
3060399 | When you add an interface to a layer 3 bond, traffic does not forward and you see errors similar to the following: 2022-05-02T13:14:40.118597+00:00 cumulus sx_sdk: ROUTER: Failed to delete router interface(27) ref count isn't 0, err= Resource is in use | 4.4.2-4.4.3, 5.0.1-5.1.0 | 4.4.4-4.4.5, 5.2.0-5.11.0 |
3059135 | In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route. To resolve this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.11.0 |
3046023 | The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. | 4.2.1-5.1.0 | 5.2.0-5.11.0 |
3041306 | If you update the MAC address of an SVI using ifreload and hwaddress, the kernel maintains a stale permanent fdb entry for the old MAC address. | 3.7.15, 4.3.0, 4.4.0-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.11.0 |
3032234 | In BGP unnumbered, when you try to remove an interface from the underlay default VRF with the NVUE nv unset vrf default router bgp neighbor command, the command fails to apply. | 4.4.2-5.0.1 | 5.1.0-5.11.0 |
3023256 | After you remove the port from the EVPN-MH bond, the port stays in the PRTDN state with the protodown flag ON. | 4.4.3 | 4.4.4-4.4.5 |
3021887 | On Spectrum-2 switches, when a packet has a CRC and the ports are in cut-through mode, the switch might stop forwarding traffic. | 4.4.2-5.0.1 | 5.1.0-5.11.0 |
3021879 | Cumulus Linux learns remote MAC addresses as local entries on the bridge with the wrong remote VTEP IP address even when bridge learning is off on the VTEP and ARP suppression is enabled. | 4.4.0-4.4.3 | 3.7.15-3.7.16, 4.4.4-4.4.5, 5.0.0-5.11.0 |
3021877 | After you configure a new VLAN on a bond, traffic might stop forwarding on the bond interface. This issue occurs only when you specify bridge-vids on the bond. It does not occur when you configure VLANs only on the bridge interface and let the bond inherit the bridge-vids from the bridge. | 4.4.2-4.4.3 | 4.4.4-4.4.5, 5.1.0-5.11.0 |
3021838 | PBR rules that you apply to interfaces in the default VRF install in the kernel with the action lookup local. As a result, packets that match this rule only perform a route lookup in the local table (which contains special routes for local IP addresses and broadcast addresses) but not in the main table (which contains unicast routes), so policy routing might be applied to traffic incorrectly. | 4.4.2-5.0.1 | 5.1.0-5.11.0 |
3021698 | After you convert a port from a layer 2 bond member to a layer 3 port, the switch drops transmitted untagged packets as egress VLAN membership discards. To work around this issue, restart switchd with the sudo systemctl restart switchd.service command. | 4.4.2-4.4.3, 5.0.0-5.0.1 | 4.4.4-4.4.5, 5.1.0-5.11.0 |
3021692 | When ARP suppression is off, Cumulus Linux sends GARPs from neighmgrd for remote neighbors over VXLAN. | 3.7.15-4.3.0, 4.4.0-5.1.0 | 4.3.1, 5.2.0-5.11.0 |
3018159 | After you remove the port from the EVPN-MH bond, the port stays in the PRTDN state with the protodown flag ON. | 4.4.3-5.0.1 | 5.1.0-5.11.0 |
3017180 | When you run the /usr/share/snmp/resq_pp.py script used by SNMP, you see the following log message in syslog regardless of the forwarding table profile set in the /etc/cumulus/datapath/traffic.conf file. | 4.4.0-5.0.1 | 5.1.0-5.11.0 |
3008388 | When you set vlan-bridge-binding on for a VLAN interface, the VLAN interface status does not change to down even when all bridge member ports are down. | 4.4.3-5.0.1 | 5.1.0-5.11.0 |
3007564 | After you delete the last vxlan-remoteip configuration line from the /etc/network/interfaces file and run the ifreload -a command, the corresponding BUM flood entry is not removed. | 3.7.15-5.0.1 | 5.1.0-5.11.0, 5.2.0-5.11.0 |
2994402 | When you run ifquery as non-root, EVPN multihoming bond configuration fails. To work around this issue, always use sudo when running ifupdown2 commands (ifup, ifreload, ifdown, and ifquery). | 4.4.2-5.0.1 | 5.1.0-5.11.0 |
2971159 | On rare occasions, the link up time on optical media can be more than five seconds. | 4.4.3-4.4.5 | |
2964279 | When a VNI flaps, an incorrect list of layer 2 VNIs is associated with a layer 3 VNI. The NCLU net show evpn vni detail command output shows duplicate layer 2 VNIs under a layer 3 VNI. | 3.7.15, 4.4.2-4.4.5, 5.0.0-5.11.0 | 3.7.16 |
2961216 | When there is a peer link failure followed by a power failure or a crash on the primary switch, the MLAG secondary switch takes up to 24 seconds to change roles to primary. | 4.4.2-4.4.3 | 4.4.4-4.4.5 |
2951110 | The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.11.0 | |
2944167 | When you use NCLU commands to add a port to a bridge and the port already exists under the bridge, Cumulus Linux removes all other ports from the bridge. | 4.4.2-4.4.5 | |
2943443 | Cumulus Linux lets you add more than one VXLAN interface to the same VLAN on the same bridge. This is an invalid configuration, as certain Cumulus Linux components, such as switchd, expect a single VNI for a given bridge or VLAN. | 3.7.15, 4.2.1-4.3.0, 4.4.2-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.11.0 |
2943080 | The overlay ASN is removed after a route flap. | 4.4.0-5.0.1 | 5.1.0-5.11.0 |
2940051 | In an MLAG configuration with traditional bridges, MAC addresses are seen over the peer link during ifreload when adding new VLANs or bridges. | 3.7.14.2-3.7.15, 4.3.0-4.4.5 | 3.7.16, 5.0.0-5.11.0 |
2933466 | You cannot run NVUE commands to configure route leaking. To work around this issue, create a snippet in YAML format and add the configuration to the /etc/frr/frr.conf file. | 4.4.0-5.0.1 | 5.1.0-5.11.0 |
2913859 |
ECMP error messages, similar to the following, show in log files:Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:361 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:621 ERR ECMP: failed to CREATE static ecmp in hwDec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:656 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1540 ERR ECMP: failed to allocate hw ecmp status No More ResourcesDec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1561 ERR ECMP: error allocating static ecmpDec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:2207 ERR ECMP: failed to find ecmp container |
4.4.0-5.0.1 | 5.1.0-5.11.0 |
2904450 |
When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. |
4.4.0-4.4.5, 5.0.0-5.11.0 | |
2902013 |
The NCLU commit command adds a five second delay. | 4.2.1-4.4.5 | |
2896450 |
On the Dell N3248PXE switch, fixed RJ45 interfaces with PoE neighbors can end up in Paused mode after a switchd restart, which blocks traffic on that interface. To work around this issue, restart switchd a second or third time until all interfaces are functioning correctly, or reboot the switch. |
4.3.0-4.4.5 | |
2875338 |
In a scaled EVPN-MLAG configuration (observed with 400 or more VNIs and 20K or more MAC addresses – the actual scale might vary), when the peer link flaps causing all VNIs to come up at the same time, there might be high CPU utilization on the system for several minutes and the FRR service might restart. After FRR restarts or the CPU utilization settles down, the system functions normally. | 4.2.1-4.3.0, 4.4.0-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.11.0 |
2866080 |
On the Maverick S4148T switch with MLAG, Cumulus Linux drops LACP, ARP, LLDP and BGP traffic. | 4.3.0-4.4.5 | |
2862211 |
On NVIDIA Spectrum ASICs in a layer 2 bridge scaled configuration (more than 800 VLANs), clagd.service enters a failed state after a reboot or a switchd restartTo work around this issue, load the port configuration in a staggered manner (groups of five downlink ports). |
3.7.12-3.7.15, 4.3.0, 4.4.2-4.4.5 | 3.7.16, 4.3.1, 5.0.0-5.11.0 |
2860323 |
If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry. | 4.4.0-5.0.1 | 5.1.0-5.11.0 |
2845531 |
If you update the MAC address of an SVI when the SVI is in a protodown state (for example, when no bridge ports that carry this VNI are operationally up or if the MAC address of the SVI’s parent bridge changes), clagd does not notice the change. The MLAG peer incorrectly maintains a PERMANENT neighbor entry for the SVI IP that points to the old MAC address. |
4.2.1-4.4.5 | 5.0.0-5.11.0 |
2841584 |
After you upgrade Cumulus Linux on one of the MLAG peers, the bonds do not come up and the reason shows anycast-ip-mismatch even though there is no VXLAN configuration on the switch. To work around this issue, configure an anycast IP address under the loopback interface on both switches in the MLAG pair. |
4.4.2-4.4.5 | 5.0.0-5.11.0 |
2838905 |
On Broadcom ARM switches, the NTP clock slowly drifts to a very high offset (over 500ms) and the clock is not able to synchronize. To work around this issue, use the chrony implementation of NTP instead of ntpd . chrony synchronizes the system clock faster and with better accuracyInstructions for using chrony are here : https://docs.nvidia.com/networking-ethernet-software/knowledge-base/Network-Solutions/Chrony-on-Cumulus-Linux/ |
4.3.0-4.4.5 | |
2837378 |
The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0, 4.4.0-5.1.0 | 4.3.1, 5.2.0-5.11.0 |
2821869 |
The cl-route-check –layer3 command fails with a memory error. For example:cumulus@switch:~$ sudo cl-route-check –layer3Traceback (most recent call last): |
3.7.15-4.4.5 | 5.0.0-5.11.0 |
2820565 |
SNMP does not start and you see errors similar to the following:cumulus@switch:~$ sudo systemctl status snmpd.service snmpd.service - Simple Network Management Protocol (SNMP) Daemon.To work around this issue, run the sudo systemctl restart snmpd.service command. |
4.3.0-4.4.5 | 5.0.0-5.11.0 |
2815646 |
In an EVPN configuration, an FRR restart on a border leaf VRRP master causes a stale route for the VRRP VIP on some remote VTEPs to point to the VRRP backup after convergence. | 3.7.12-3.7.15, 4.3.0, 4.4.2-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.11.0 |
2813563 |
When you change the port speed with the NVUE nv set interface command, then run nv config apply, the port is disabled. To work around this issue, run the ifreload -a command after you apply the port speed setting. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2803428 |
The clagctl -v -j and net show clag verbose json commands show incorrect output. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2802859 |
When the INTF_CMD list in the /etc/default/isc-dhcp-relay file includes interfaces that do not exist or are only partially configured in the /etc/network/interfaces file, there is an open file descriptor leak in DHCP Relay; the DHCP Relay service exits and you see error messages. To work around this issue, either clean up the INTF_CMD list in the /etc/default/isc-dhcp-relay file to remove interfaces that do not exist or are only partially configured in the /etc/network/interfaces file, or correct the /etc/network/interfaces file to have a complete configuration for all interfaces defined in the INTF_CMD list in the /etc/default/isc-dhcp-relay file. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2799575 |
When next hop tracking fails for a global next hop, BGP invalidates the entire path instead of only invalidating the global next hop. | 4.4.0-4.4.5 | 5.0.0-5.11.0 |
2799568 |
When you add or remove a global unicast address from an interface, BGP does not update the global next hop advertised to the unnumbered BGP peer. | 4.4.0-4.4.5 | 5.0.0-5.11.0 |
2798406 |
If an MLAG failure of an EVPN Active-Active VTEP pair occurs after you disable EVPN Advertise Primary IP Address, remote VTEPs might not be able to install the anycast RMAC of the failed MLAG peers or the related bridge FDB entry. To work around this issue, do not disable EVPN Advertise Primary IP Address, which is enabled by default when you use address-virtual for layer 3 VNI SVI interfaces. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2794766 |
The Mellanox 3700C switch reports a slow memory leak in sx_sdk. Memory increases by about 240B/hour and does not free up. | 4.3.0-4.4.5 | 5.0.0-5.11.0 |
2792750 |
If you change the clagd-vxlan-anycast-ip setting on both MLAG peers at the same time, both peers use their unique VTEP address indefinitely. |
3.7.15-4.3.0, 4.4.0-4.4.5 | 4.3.1 |
2792616 |
If a neighbor entry (ARP or NDP) is used as a next hop of a route that is synchronized into hardware, the neighbor entry is not removed from hardware after the neighbor is no longer reachable. As a result, routed traffic matching this prefix is incorrectly hardware forwarded through the stale neighbor information. | 4.3.0-4.4.5 | 5.0.0-5.11.0 |
2788780 |
When you enable ARP and ND suppression and the switch forwards ARP and ND packets to the kernel, RX_DRP counters might increment but the packets are processed as normal. | 4.4.0-4.4.5 | |
2781537 |
In Cumulus VX, the iptables FORWARD chain does not count hits. To work around this issue, use -t mangle -A PREROUTING instead of FORWARD. |
4.3.0-4.4.5 | 5.0.0-5.11.0 |
2780915 |
In NVUE, you can’t deactivate the IPv4 address family per neighbor. | 4.4.0-4.4.5 | 5.0.0-5.11.0 |
2780834 |
To enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.11.0 |
2780211 |
When you use the NVUE nv set vrf default router bgp peer command to configure a local AS, Cumulus Linux does not update the /etc/frr/frr.conf file. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2771653 |
When using W-ECMP, the weights for various BGP next hops can sometimes be in the range of 100s or more, which consumes a lot of hardware space. | 4.3.0-4.4.5 | |
2763819 |
When you enable LACP bypass on a bond, traffic to static MAC addresses configured on the bond might not work when LACP bypass is enforced. | 4.4.0-4.4.5 | |
2754791 |
Remote MAC addresses in zebra are out of sync with bgpd. The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP. |
3.7.14.2-3.7.16, 4.3.0-4.4.5 | |
2753955 |
On the Lenovo MSN3700 switch, if you try to configure an interface with a link speed of 200G, the configuration fails. | 4.2.1-4.4.5 | 5.0.0-5.11.0 |
2752330 |
With BGP and layer 2 forwarding, Smart System Manager warm boot mode can cause packet loss. | 4.4.0-4.4.5 | 5.0.0-5.11.0 |
2747750 |
Links connected between a Spectrum 2 switch configured for warm boot and Spectrum 3 switches configured for cold boot might not come up when the switches are booted. | 4.4.2-4.4.5 | 5.0.0-5.11.0 |
2743186 |
When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. |
3.7.15-5.1.0 | 5.2.0-5.11.0 |
2739402 |
The destination MAC address of ERSPAN GRE packets is set to all zeros. | 4.3.0-4.4.5 | 5.0.0-5.11.0 |
2739398 |
Cumulus Linux does not support a bond or bond member as a SPAN destination. | 4.4.0-4.4.5 | 4.3.1 |
2738040 |
In an EVPN multihoming configuration, unicast ARP requests are not forwarded when the local Ethernet segment is down. | 4.4.0-4.4.5 | |
2736244 |
When you run the vtysh command to enable BGP graceful restart on a peer multiple times, the command fails with the following error:
% The Graceful Restart command used is not valid at this moment. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2736108 |
When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. |
4.4.0-4.4.5, 5.0.0-5.11.0 | |
2734103 |
ACL [No More Resources] messages keep appearing and you can’t reinstall the ACL. |
4.3.0-5.1.0 | 5.2.0-5.11.0 |
2732605 |
The ESI line in the show bgp l2vpn evpn route command output always shows VNI: 0. This is a cosmetic software issue. |
4.3.0-4.4.5 | 5.0.0-5.11.0 |
2732587 |
The bridge MAC address is updated during a port change on bridge interfaces. | 4.3.0, 4.4.0-4.4.5 | 4.3.1, 5.0.0-5.11.0 |
2728207 |
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
2728206 |
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
2728119 |
When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command. |
4.3.0-4.4.5 | 5.0.0-5.11.0 |
2713888 |
With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool, and the ACL might not work correctly:
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. |
3.7.15-5.0.1 | 5.1.0-5.11.0 |
2711533 |
On the AS7326-56X switch, the link lights for 25G ports configured to work at 1G do not illuminate. | 4.2.1-4.4.5 | |
2710208 |
The net show bgp neighbor command output does not reflect the correct BFD status. This is a cosmetic issue. To work around this issue, run the NCLU net show bfd command to verify the correct state of BFD. |
4.2.1-4.4.5 | |
2700767 |
Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use an MLAG peer IP linklocal configuration. | 3.7.12-3.7.15, 4.3.0-4.4.5 | 3.7.16 |
2698649 |
When configuring a single VXLAN device in the /etc/network/interfaces file, if you edit the multicast group address in vxlan-mcastgrp-map, then revert the change, the change does not take effect. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2687344 |
On the NVIDIA SN3700 switch, the decode-syseeprom command shows device absent for a PSU that is present. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2685994 |
When you use the NVUE command nv set interface lo router ospf area to configure OSPF on a loopback interface, the configuration fails to apply. To work around this issue, configure the loopback interface in the desired OSPF area with the nv set vrf default router ospf area 0 network command and reference the assigned prefix of the loopback interface. For example:
cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32 |
4.0.0-5.0.1 | 5.1.0-5.11.0 |
2685036 |
When the PIM RP configuration includes an anycast IP address and the route to that anycast IP address changes while joined to a multicast stream, you might receive the multicast stream from both the old and the new anycast source. | 4.4.0-4.4.5 | |
2684925 |
The NVUE nv show vrf default router bgp peer command produces a 404 not found error. |
4.4.0-4.4.5, 5.0.0-5.11.0 | |
2671652 |
In VXLAN routing environments, you might experience sub-optimal route convergence delays (longer than five seconds) when a prefix transitions to a new ECMP next-hop group. This condition might occur when a VTEP loses ECMP routes through all uplink peerings, then installs the routes through a different path, such as an MLAG peerlink. | 4.4.0-4.4.5, 5.5.0-5.11.0 | |
2669858 |
OpenSSH is vulnerable to CVE-2020-14145, as described in https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf. This is an information leak in algorithm negotiation that can allow man-in-the-middle attacks on initial connection attempts without a previously stored server host key on the client. If desired, mitigation using UpdateHostKeys and HostKeyAlgorithms is also given in that paper. |
3.7.14-3.7.16, 4.0.0-4.4.5 | |
2639303 |
When you use NCLU to delete a bond, then add an interface, NCLU reports an error similar to the following:
ERROR: 'NoneType' object has no attribute 'conf_key_value_multiple_values'
See /var/log/netd.log for more details. |
4.3.0-4.4.5 | |
2621244 |
When a VRF name includes evpn, the NCLU net show bgp vrf command fails with the error ERROR: The call to /usr/bin/vtysh failed. To work around this issue, do not use evpn in the VRF name, or run the desired commands directly from FRR with vtysh. |
4.3.0-4.4.5 | |
2618227 |
The NCLU net show bridge macs command displays permanent MAC addresses for trunked VLANs. |
4.3.0-4.4.5 | |
2606326 |
If the IGMP and MLD querier is configured on only one of the peer switches in an MLAG configuration, when IGMP packets are sent to the peer with no querier, IGMP leave messages have no effect. | 4.4.0-4.4.5 | |
2599274 |
On Mellanox Spectrum switches, when there is an MSTP forwarding state change on a bond (for example, when the state changes from blocking to forwarding), the MSTP hardware table might set some VLANs to blocking when they should be forwarding. As a result, all packets on these VLANs drop at ingress. To recover from this state, flap the bond interface (not the physical swp) by running ifdown <bond_name>; sleep 1; ifup <bond_name>. |
4.3.0-4.4.5 | 5.0.0-5.11.0 |
2596458 |
When bridge.unreg_v6_mcast_prune = TRUE is configured in the /etc/cumulus/switchd.conf file, traffic destined to IPv6 link-local multicast addresses might not be flooded within the bridge. To work around this issue, disable pruning for IPv6 multicast by setting bridge.unreg_v6_mcast_prune = FALSE in the /etc/cumulus/switchd.conf file. |
4.4.0-4.4.5 | |
2574368 |
When you run the NCLU net add bgp maximum-paths ibgp command, FRR restarts unexpectedly. To work around this issue, either use the vtysh commands or edit the /etc/frr/frr.conf file directly, then run systemctl reload frr. |
4.1.1-4.4.5 | |
2556772 |
The net show clag verify-vlans command fails with the following log:
To work around this issue, run the /usr/bin/clagctl verifyvlans command or the net show clag verbose command. |
4.2.1-4.4.5 | |
2556369 |
If you use NCLU to configure an ACL for eth0, you can't designate it as an INPUT rule; the rule is automatically created as a FORWARD rule in the /etc/cumulus/acl/policy.d/50_nclu_acl.rules file. To work around this issue, manually create an ACL rule file in the /etc/cumulus/acl/policy.d/ directory containing "-A INPUT -i eth0". |
4.2.1-4.4.5 | |
2556082 |
The NCLU net del vrf command does not delete a numbered VRF. For example:
|
4.2.1-4.4.5 | |
2556081 |
You cannot set the time zone with NCLU commands. | 4.1.1-4.4.5 | |
2555981 |
In BGP, to enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.11.0 |
2555873 |
On Mellanox switches, egress ACLs with VLAN keys do not filter layer 2 multicast or broadcast traffic. | 4.3.0-4.4.5 | |
2555763 |
The NCLU net del bgp neighbor command does not delete the neighbor and displays an error similar to the following:
To work around this issue, use the FRR command to delete a neighbor. |
4.3.0-4.4.5 | |
2555613 |
The net show configuration commands command incorrectly displays the NCLU syntax to disable IPv6 forwarding on interfaces. For example:
The correct NCLU command to disable IPv6 forwarding is net add vlan 1 ipv6 forward off (without the hyphen). |
4.2.1-4.4.5 | |
2555318 |
If you try to enable BGP graceful restart when it is already enabled, you see an error similar to the following in the frr.log file:
This error has no functional impact. |
4.3.0-4.4.5 | |
2554986 |
The ethtool utility does not contain the latest values; as a result, the Revision Compliance field shows Unallocated. |
4.2.1-4.4.5 | |
2554812 |
If the RMAC of a layer 3 SVI changes, the show vrf vni command is not updated with the new value. However, the new RMAC is seen in the show evpn vni command and is present on self-originated EVPN routes. |
4.2.1-4.4.5 | |
2554783 |
If you apply an outbound route map to a BGP peer that uses set as-path prepend last-as, advertised locally-originated routes have the ASN of the peer prepended to the AS path. This might trigger AS path loop prevention on the peer, where the peer ignores locally-originated prefixes. |
4.2.1-4.4.5 | 5.0.0-5.11.0 |
2554709 |
The IP address specified in the ip pim use-source command configured on the loopback interface should be inherited by unnumbered interfaces during their Primary IP address selection process. If ip pim use-source is configured on the loopback after an unnumbered interface has already selected its Primary IP address, the unnumbered interface does not update its Primary IP address to the new use-source value until there is a netlink update for that interface. To work around this issue, configure ip pim use-source on each unnumbered interface directly, or ensure ip pim use-source is applied to the loopback before other unnumbered interfaces are enabled for PIM. |
3.7.13-3.7.16, 4.2.1-4.4.5 | |
2554670 |
When you have a large number of ACLs, the cl-acltool -L ip and cl-resource-query commands take a long time to complete. |
4.3.0-4.4.5 | |
2554582 |
On switches with the Maverick ASIC, control traffic is dropped due to receive buffering. | 4.2.0-4.4.5 | |
2554533 |
On the ARM platform, NTP peer associations slowly increase to larger offsets (~500ms). | 4.0.0-4.4.5 | |
2554466 |
Kernel routes added by iproute2 are missing in FRR after an interface flap. To work around this issue, configure a static route in FRR. |
4.2.1-4.4.5 | |
2554222 |
The NCLU command to enable bridge learning fails. As a workaround, enable bridge learning in the /etc/network/interfaces file. For example:
|
4.2.1-4.4.5 | |
2554218 |
MLAG packets received on the peer link are dropped instead of routed. | 4.2.0-4.4.5 | |
2554202 |
The output of the net show commit command does not show the last commit or the specified commit number but is empty instead. |
4.2.1-4.4.5 | |
2553989 |
The default policer configured for LACP as an INPUT chain rule in the 00control_plane.rules file is meant to protect the CPU from an LACP storm. When an LACP storm originates from a single bond or bond member interface on a switch with multiple bond interfaces, other LACP bond interfaces might go down. | 4.2.1-4.4.5 | |
2553887 |
When TACACS+ is configured with a DEFAULT user that provides a privilege level lower than 16, TACACS+ users configured with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del, and see an error similar to the following:
To work around this issue, remove the DEFAULT user from the TACACS+ server. |
3.7.7-3.7.16, 4.0.0-4.4.5 | |
2553677 |
When you configure an SNMPv3 user with the net-snmp-config configuration command from the libsnmp-dev package, you get an error message similar to the one below:
To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:
Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation. |
3.7.13-3.7.16, 4.0.0-4.4.5 | |
2553237 |
The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF. NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF. |
4.2.0-4.4.5 | |
2553116 |
When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure. To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2553015 |
If an LLDP neighbor advertises a PortID that contains a special character, the net show interface command does not display the LLDP information or the command might fail. |
3.7.10-3.7.16, 4.2.0-4.4.5 | |
2552691 |
On the EdgeCore AS4610 switch, the eth0 interface remains down when physically connected to a 1G interface. To work around this issue, configure the link speed to 1000 and set auto-negotiation on for the eth0 interface, then flap eth0 with the ip link set eth0 down/up command to bring up the port. |
4.2.0-4.4.5 | |
2552453 |
On the Mellanox switch, RoCE with PFC configuration is not applied to all ports in hardware when a range is used in the traffic.conf file. To work around this issue, use NCLU to configure RoCE with PFC or list individual ports in the traffic.conf file. |
4.2.0-4.4.5 | |
2552309 |
The following messages are seen on an EdgeCore Minipack-AS8000 running Cumulus Linux 4.2.0:
These messages are for internal validation purposes only and can be safely ignored. |
4.2.0-4.4.5 | |
2552294 |
NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2552266 |
OpenSSH scp is vulnerable to CVE-2020-15778, where clients that have authorized access to the SSH server can execute commands on the server by copying maliciously named files. The two scenarios where an exploit may be useful to an attacker:
- The user is authorized to scp but not ssh (based on the command option in the authorized_keys file), so this vulnerability can allow executing a remote command on the target computer when not authorized to do so.
- An attacker plants a maliciously named file in a directory tree that someone later uses scp -r to copy over to the target computer.
Be aware that restricting users to scp by using the command option in the authorized_keys file is not effective in preventing those users from executing arbitrary commands on the server. If you want to use scp -r to copy directory trees, avoid copying directory trees to which attackers may have added maliciously named files. Archiving the directory tree with tar, zip, or a similar program, then copying the archive over to be extracted on the server avoids having to use scp -r altogether. In addition, OpenSSH provides sftp, which you can use instead of scp to copy files. To disable scp completely, use /bin/chmod 0 /usr/bin/scp. |
3.7.14-3.7.16, 4.0.0-4.4.5 | |
2551666 |
If you modify an interface name, then reuse the previous interface name for a different VLAN, the ifreload -a command generates an error similar to the following:
|
4.1.0-4.4.5 | |
2551578 |
When you configure a bridge in the /etc/network/interfaces file, then try to reconfigure the bridge to be a VRF interface with the same name, the ifreload or ifup commands fail with an invalid table id or unable to get vrf table id error. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2551565 |
If you toggle VRRP priority values between VRRP routers, then restart switchd, a few IPv6 VRRP instances might not converge. As a result, both VRRP routers act as master routers for the impacted IPv6 VRRP instances. IPv4 VRRP instances are not affected. To work around this issue, remove, then add back the VRRP configuration with NCLU or vtysh commands. |
3.7.13-3.7.16, 4.2.0-4.4.5 | |
2551335 |
When TACACS+ is configured and the management VRF is enabled, users with privilege level 13 are prevented from running ip and cat commands. |
4.0.0-4.4.5 | |
2551305 |
The net show configuration command provides the wrong net add command for ACL under the VLAN interface. |
3.7.12-3.7.16, 4.1.0-4.4.5 | |
2551273 |
On a Mellanox SN2010 switch, the Locator LED is on after you upgrade Cumulus Linux. | 4.1.0-4.4.5 | |
2551221 |
When span-to-cpu is enabled on a layer 3 swp interface with an IP address configured, packets whose destination IP is the switch port's IP address do not reach the switch port. To capture packets directed towards the switch port's IP address, disable span-to-cpu and use tcpdump on the switch port instead. | 4.2.0-4.4.5 | |
2551111 |
If a remote EVPN Sticky MAC [Static MAC address] is unexpectedly learned dynamically on a local interface, the selected entries in zebra and BGP are in an inconsistent state. zebra increments the local MAC mobility sequence number and considers the MAC address to be local, but BGP maintains the remote Sticky MAC as the best path selected. This results in zebra installing the local MAC address and BGP not updating the route for the MAC address. |
4.0.0-4.4.5 | |
2550974 |
On the Dell S3000 switch, after installing the Cumulus Linux 4.1.1 disk image without a license, the switch sends a link beat if a remote host port is configured. | 3.7.11-3.7.16, 4.1.1-4.4.5 | |
2550793 |
The NCLU net show bridge spanning-tree command displays the aging timer incorrectly. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2550713 |
Configuring the subinterface of a VXLAN uplink under another traditional bridge, which also has the VXLAN VNI enslaved, causes switchd to use high CPU due to very frequent VXLAN tunnel sync events. To work around this issue, do not enslave the subinterface of a VXLAN layer 3 uplink under a traditional bridge in a VXLAN configuration. |
4.1.1-4.4.5 | |
2550642 |
ACLs with SPAN target and in-interface as bond member are not supported on Spectrum-based switches. | 4.2.0-4.4.5 | |
2550444 |
Tab completion for the net show rollback description command returns information about a snapshot instead of context help. To work around this issue, run the net show commit history command to find descriptions instead of the net show rollback description command. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2550443 |
The net show rollback description command returns an error even if the string matches a commit description. To work around this issue, look for your string in the output of the net show commit history command (or grep for it there) instead. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2550243 |
When you use nginx and restserver in management VRF to provide a REST API for the switch, nginx starts but restserver fails to start. To work around this issue, comment out the Requires= line in the /lib/systemd/system/restserver.service file. For example:
|
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2550056 |
The ACCTON-DIAG option under the Cumulus Linux GRUB menu does not work. When you select this option, you see the following error:
|
3.7.12-3.7.16, 4.1.1-4.4.5 | |
2549925 |
When you run an Ansible script to replace the /etc/network/interfaces file, then run the ifreload -a command, you see errors similar to the following:
To work around this issue, run the ifreload -a command a second time. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2549872 |
If you have an SVI with multiple VRR IP addresses and try to delete one of the VRR configurations, net commit or ifreload -a returns an error. |
3.7.12-3.7.16, 4.1.1-4.4.5 | |
2549782 |
The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbor state. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2549731 |
When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:
|
3.7.12-3.7.16, 4.1.1-4.4.5 | |
2549392 |
When you configure an RD or RT with NCLU, you see duplicate VNI stanzas in the /etc/frr/frr.conf file. To work around this issue, manually edit the /etc/frr/frr.conf file to define advertise-all-vni before the RD or RT configuration within the l2vpn EVPN address family, then reload the FRR service with the sudo systemctl reload frr command. |
4.1.0-4.4.5 | |
2548924 |
On the EdgeCore Minipack AS8000, storm control does not restrict unknown unicast, broadcast, or multicast traffic. | 4.1.1-4.4.5 | |
2548657 |
When you upgrade Cumulus Linux on the EdgeCore AS7726-32X or AS7326-56X switch, you might see firmware errors similar to the following:
You can safely ignore these error messages. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2548579 |
The following security vulnerability has been announced: CVE-2020-10531: An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp. |
3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16 |
2548315 |
The following security advisory has been announced for bash: CVE-2019-18276 (Qualys scan QID 372268, setuid vulnerability). When bash or bash scripts are run setuid, bash is supposed to drop privileges, but does so incorrectly, so that an attacker with command access to the shell can use enable -f for runtime loading of a new builtin that calls setuid() to regain dropped privileges. To work around this issue, do not make bash or bash scripts setuid. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2548310 |
When the system boots, you might see errors such as "cumulus systemd-udevd[7566]: Process '/usr/bin/hw-management-thermal-events.sh add thermal_zone /sys/devices/virtual/thermal/thermal_zone25 thermal_zone25' failed with exit code 1". These errors are the result of user space acting on kernel events slightly too slowly: the mlxsw_minimal driver is added during kernel boot; an SDK reset causes the driver to be deleted and re-instantiated; the user space handler for the thermal zone add event sees the add first, but the underlying device is deleted before the handler can act on it. The situation is rectified when the mlxsw_minimal driver is re-instantiated later. |
4.1.0-4.4.5 | |
2548260 |
The net add routing route-map command does not add the set statement into the /etc/frr/frr.conf file. |
4.0.0-4.4.5 | |
2548243 |
On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
2548117 |
In OVSDB traditional bridge mode, adding or removing a VLAN binding causes a traffic forwarding outage for around 20 seconds or more on adjacent VLAN bindings. Cumulus Linux does not support traditional bridge mode with VMware NSX. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
2548062 |
When ports are split to 4x25G, RS FEC needs to be explicitly configured on both ends (especially when interoperating with non-Mellanox switches). | 4.1.0-4.4.5 | |
2548044 |
When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor. | 3.7.12-3.7.15, 4.0.0-4.4.5 | 3.7.16 |
2547903 |
CVE-2019-19956: xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs. Vulnerable: 2.9.4+dfsg1-7. Fixed: 2.9.4+dfsg1-7+deb10u1. |
4.0.0-4.4.5 | |
2547890 |
QinQ across VXLAN on a traditional bridge does not work. | 4.1.0-4.4.5 | |
2547782 |
If an LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2547706 |
When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd. To work around this issue, reboot the switch. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2547405 |
When you restart the hsflowd service, you see a systemd warning message similar to the following:
|
4.0.0-4.4.5 | |
2547120 |
After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number) until you run the decode-syseeprom --init command. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2546991 |
The FRR service does not provide a way for automation to know if the configuration applied properly. To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2546895 |
If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:
systemd[1]: switchd.service watchdog timeout (limit 2min)!
To work around this issue, either reduce the number of configured interfaces and/or VLANs, or increase the systemd timeout for switchd.service. To increase the systemd timeout:
1. Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter.
2. Restart the switchd service with the sudo systemctl restart switchd.service command.
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2546874 |
On the Dell S5232F, S5248F, S5296F, and S3048 switches, using the poweroff or halt commands does not fully power off the switch. |
4.0.0-4.4.5 | |
2546255 |
On the EdgeCore Minipack-AS8000 switch, a 100G DAC link does not come up when auto-negotiation is enabled on the neighbor. This switch does not support 100G DAC auto-negotiation at this time. | 4.0.0-4.4.5 | |
2546225 |
When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer , which causes issues with cl-support.
To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2546131 |
On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel. To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image: run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image. This workaround only works when an out-of-band network is present. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2545837 |
If you use the NCLU commands to configure NTP and run the net add time ntp source command before you run the net add time ntp server command, the /etc/ntp.conf file is misconfigured. To work around this issue, run the net add time ntp server command before you run the net add time ntp source command. |
3.7.10-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16 |
2545520 |
The length of the netlink message is not set properly for non-bridge family type messages. The same length is used for both bridge and non-bridge even though the bridge family type message has an extra attribute. This causes extra bytes to be left over in non-bridge family type netlink messages. | 3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2545233 |
On the Delta AG9032v1 switch, smonctl and sensors report inaccurate PSU current and power. | 4.0.0-4.4.5 | |
2545125 |
If you configure more than one VRR interface on an SVI interface, deleting one of the VRR addresses does not remove the interface/address. | 3.7.10-3.7.16, 4.0.0-4.4.5 | |
2544978 |
If you delete an undefined bond, then add a bond slave, the net commit command fails. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2544968 |
FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:
should be:
To work around this issue, configure the interface manually in the /etc/frr/frr.conf file. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2544957 |
NCLU incorrectly allows you to apply port security configuration on layer 2 and layer 3 ports that are not part of a bridge. | 4.0.0-4.4.5 | |
2544953 |
When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname. To work around this issue, run the sudo systemctl restart lldpd.service command. |
3.7.10-3.7.16, 4.0.0-4.4.5 | |
2544880 |
When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. |
4.0.0-4.4.5 | |
2544723 |
Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2544463 |
Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported. To work around this issue, do not use auto-negotiation and set the local port speed to 10G. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2544456 |
The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2544311 |
Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
2544155 |
NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order. |
3.7.5-3.7.16, 4.0.0-4.4.5 | |
2544113 |
MAC learning is not disabled by default on a double-tagged peer link interface, resulting in the MAC address changing between the MLAG bond and the peer link. To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the /etc/network/interfaces file. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2543937 |
An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause an FRR reload to time out. To work around this issue, remove the interface alias description from iproute2. |
3.7.8-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2543915 |
When you enable a service in the management VRF, systemctl issues a warning similar to the following: Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run 'systemctl daemon-reload' to reload unit. You can safely ignore this warning. |
4.0.0-5.9.2 | 5.10.0-5.11.0 |
2543900 |
On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | |
2543841 |
The net show evpn vni detail json command includes an extra empty dictionary at the end of the output. |
3.7.8-3.7.16, 4.0.0-4.4.5 | |
2543816 |
On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages. |
3.7.6-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16 |
2543781 |
NCLU does not allow you to configure OSPF NSSAs. For example:
To work around this issue, use FRR instead. For example:
|
3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2543724 |
If a hostname contains utf-8 characters, the NCLU net show lldp command outputs the following error:
|
3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2543646 |
In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
2543401 |
On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces. To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. |
4.0.0-4.4.5 | |
2543211 |
In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18). |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2543164 |
The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected. To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. |
3.7.7-3.7.16, 4.0.0-4.4.5 | |
2543096 |
When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted. |
3.7.6-3.7.16, 4.0.0-4.4.5 | |
2542945 |
On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags. To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad:
|
3.7.6-3.7.16, 4.0.0-4.4.5 | |
2542837 |
On Mellanox switches, policer iptables are not working as expected. For example, when using a policer with mode KB/MB/GB to rate-limit interfaces, the syntax is accepted but the data plane transfer speed is not affected by the rule. | 3.7.6-3.7.8, 4.0.0-4.4.5 | 3.7.9-3.7.16 |
2542305 |
If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically. |
3.7.6-3.7.16, 4.0.0-4.4.5 | |
2542301 |
When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted. |
3.7.3-3.7.16, 4.0.0-4.4.5 | |
2541212 |
The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded. |
3.7.5-3.7.16, 4.0.0-4.4.5 | |
2541029 |
On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped. This issue only affects QinQ configurations. |
3.7.5-3.7.16, 4.0.0-4.4.5 | |
2540753 |
If the interface alias contains a single or double quotation mark, or an apostrophe, the net show configuration commands fail with the following error:
|
3.7.5-3.7.16, 4.0.0-4.4.5 | |
2540444 |
SNMP incorrectly requires engine ID specification. |
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540352 |
When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces. For example, this command is incorrect:
These commands are correct:
|
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2540340 |
NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays
Tab completion for the net add vrf command works correctly. |
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540274 |
On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
2540204 |
When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540192 |
The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled. To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. |
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540155 |
On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node. |
3.7.3-3.7.16, 4.0.0-4.4.5 | |
2540042 |
When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails. To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
|
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540041 |
On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU. To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
|
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540040 |
Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU. To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:
|
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540031 |
NCLU does not honor auto all in the /etc/network/interfaces file and removes the existing configuration if no individual auto lines exist. |
3.7.3-3.7.16, 4.0.0-4.4.5 | |
2539994 |
When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
|
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2539962 |
When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error. |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2539670 |
On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2539124 |
The net add interface command adds no ptm-enable for that interface in the frr.conf file. Running the net add or the net del command does not remove no ptm-enable from the frr.conf file. You have to remove it manually using vtysh. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2538790 |
NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan . This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG. To restore connectivity, remove the VLAN ID from the bridge. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2538590 |
When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2538562 |
On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the /etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up. After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown. To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings. Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2538294 |
If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2537699 |
There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces cause the dhcrelay service to exit without a core file, and logs similar to the following are generated for the interfaces:
Eventually the dhcrelay service stops. |
3.7.1-3.7.16, 4.0.0-4.4.5 | |
2537544 |
When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. |
3.7.1-3.7.16, 4.0.0-4.4.5 | |
2536576 |
If you try to bring down several members of a bond remotely at the same time, the link state of one of the interfaces might not transition correctly to the down state; however, all links show down in hardware. |
4.0.0-4.4.5 | |
2536384 |
The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware. |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2536256 |
For an unresolved address, the IPROUTER default policer rule has been modified to not match on packets exiting a TUNNEL and headed to the CPU to resolve the address via ARP. As a result, the following default rule no longer matches TUNNEL ingress packets.
These packets are now policed by catch all rules. To work around this issue, the VPORT value on a TRIDENT switch must be changed from binary 011 to 100. |
4.0.0-4.4.5 | |
2536242 |
On the EdgeCore AS7712 (Tomahawk) switch running in atomic mode, when a layer 3 ECMP path is brought down, traffic traversing the path stops working for about four seconds. When the switch is changed to non-atomic mode, the delay is less than one second. This issue is seen across OSPF and static ECMP routes. | 4.0.0-4.4.5 | |
2536179 |
On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
2535986 |
At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers, resulting in No buffer space available error messages on protocol sockets. When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2535965 |
On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly. To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2535723 |
The source address of the ICMPv6 time exceeded message (traceroute hop) is sourced from the wrong VRF when the traceroute target resides on the same switch but in a different VRF. | 4.0.0-4.4.5 | |
2535605 |
FRR does not add BGP ttl-security to either the running configuration or to the /etc/frr/frr.conf file when configured on a peer group instead of a specific neighbor. To work around this issue, add ttl-security to individual neighbors instead of the peer group. |
4.0.0-4.4.5 | |
2535209 |
The net show lldp command sometimes shows the port description in the Remote Port field. The net show interface command shows the correct value in the Remote Host field. To work around this issue, use the net show interface command for LLDP output when connected to Cisco equipment. |
3.7.5-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2534734 |
Span rules matching the out-interface as a bond do not mirror packets. | 4.0.0-4.4.5 | |
2533691 |
If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict. To work around this issue, correct the bridge VIDs and restart switchd or delete the subinterface. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2533625 |
PIM and MSDP entries are set to the internal COS value of 6 so they are grouped together with the bulk traffic priority group in the default traffic.conf file. However, PIM, IGMP, and MSDP are considered control-plane and should be set to the internal COS value of 7. |
4.0.0-4.4.5 | |
2533337 |
When you use NCLU to bring a bond admin down (net add bond ), the bond interface goes into admin down state but the switch ports enslaved to the bond remain UP. If you are using bond-lacp-bypass-allow or balance-xor mode, the host might continue to send traffic. This traffic will be dropped because although the bond slaves are UP, they are not members of the bridge. To work around this issue, use the sudo ifdown command. |
4.0.0-4.4.5 | |
2531273 |
In certain cases, a peer device sends an ARP request from a source IP address that is not on the connected subnet and the switch creates a STALE neighbor entry. Eventually, the switch attempts to keep the entry fresh and sends ARP requests to the host. If the host responds, the switch has REACHABLE neighbor entries for hosts that are not on the connected subnet. To work around this issue, change the value of arp_ignore to 2. See Address Resolution Protocol in the Cumulus Linux user guide (https://docs.cumulusnetworks.com/cumulus-linux/Layer-3/Address-Resolution-Protocol-ARP/) for more information. |
4.0.0-4.4.5 | |
Fixed Issues in 4.4.3
Issue ID | Description | Affects |
---|---|---|
2968495 |
If switchd requires more time to update port or bond configuration after the port or bond flaps, the systemd watchdog times out. As a result, systemd might assume that switchd is unresponsive and restarts it. |
4.2.1-4.4.2 |
2961079 |
CVE-2021-28965 CVE-2021-31799 CVE-2021-31810 CVE-2021-41817 CVE-2021-41819 CVE-2021-32066: Several vulnerabilities have been discovered in the interpreter for the Ruby language and the Rubygems included, which may result in XML round-trip attacks, the execution of arbitrary code, information disclosure, StartTLS stripping in IMAP, or denial of service. Vulnerable: <= 2.5.5-3+deb10u3 Fixed: 2.5.5-3+deb10u4 |
4.4.0-4.4.2 |
2961008 |
SNMP reports the same ifType of ethernetCsmacd(6) for loopback interfaces. |
3.7.15-4.4.2, 5.0.0-5.0.1 |
2959575 |
When a port flaps with PTP enabled, the switch firmware might become unresponsive and you see the following log message: [ptp4l.ERR]: [435345.036] timed out while polling for tx timestamp |
4.4.0-4.4.2 |
2959550 |
If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry. | 4.4.0-4.4.2, 5.0.0-5.0.1 |
2949513 |
CVE-2022-22747: Incorrect parsing of pkcs7 sequences in nss, the Mozilla Network Security Service library, may result in denial of service. Vulnerable: <= 2:3.42.1-1+deb10u4 Fixed: 2:3.42.1-1+deb10u5 |
4.4.0-4.4.2 |
2932085 |
CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed. Vulnerable: <= 9.27~dfsg-2+deb10u4 Fixed: 9.27~dfsg-2+deb10u5 |
4.4.0-4.4.2 |
4.4.2 Release Notes
Open Issues in 4.4.2
Issue ID | Description | Affects | Fixed |
---|---|---|---|
4143345 |
On the Trident3 switch, if you use NCLU to configure BGP neighbor shutdown, NCLU stops responding when you include more than 200 neighbors per peer group. If you do not use NCLU to configure BGP neighbor shutdown, you can configure a maximum of 300 neighbors per peer group. | 4.3.0-4.4.5 | |
4037015 |
The NVUE commands to delete SNMP users, and change authentication passwords and encryption passphrases are not successful. | 4.3.0-5.9.1 | 5.9.2-5.11.0, 5.10.0-5.11.0 |
3980941 |
After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes: snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poectl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl restart snmpd command (the commented-out entry reads: #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a). |
4.4.0-5.9.1 | 5.9.2-5.11.0, 5.10.0-5.11.0 |
3773177 |
When you try to upgrade a switch from Cumulus Linux 5.5 or earlier to 5.8.0 or later with package upgrade, you see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch. cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb |
4.0.0-4.4.5, 5.0.0-5.11.0 | |
3684998 |
DHCP lease information is not collected in the cl-support file. |
4.3.0-5.6.0 | 5.7.0-5.11.0 |
3528464 |
Cumulus Linux might mark a layer 2 VLAN-tagged packet as a packet to CPU and the INPUT chain ACL might drop the packet. To work around this issue, add an additional addrtype match on the ACL to prevent an erroneous ACL match; for example:[iptables] |
4.3.0-4.4.5 | |
3488136 |
When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf command. |
4.2.1-5.5.1 | 5.6.0-5.11.0 |
3474391 |
The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. |
4.3.1-5.5.1 | 5.6.0-5.11.0 |
3429530 |
On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.11.0 |
3420056 |
The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.11.0 | |
3400244 |
NCLU accepts multiple instances of the same net add bgp commands and stores the configuration in the /etc/frr/frr.conf file when you run the net commit command. As a result, unintended commands might be processed during frr-reload. To work around this issue, edit the /etc/frr/frr.conf file to remove the duplicated entries. |
4.3.1-4.4.5 | |
3390022 |
When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the peerlink.4095 interface stanza are duplicated. Subsequent ifreload or net commit commands fail until you manually remove the duplicated lines from this interface and run ifreload -a. |
4.2.1-4.4.5 | |
3389994 |
During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The clagctl dumppermanentneighs command only shows local neighbors. |
4.2.1-4.3.1, 4.4.0-5.4.0 | 4.3.2, 5.5.0-5.11.0 |
3387852 |
If you remove NGINX from the switch, then run apt autoremove, switchd does not reload because the libyaml-0-2 and python-yaml packages are missing; these packages are required for switchd consistency checking. To work around this issue, reinstall the libyaml-0-2 and python-yaml packages. |
4.4.0-4.4.5 | |
3351951 |
Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-4.3.1, 4.4.0-5.3.1 | 4.3.2, 5.4.0-5.11.0 |
3339249 |
The sensors.conf files in Cumulus Linux are out of date. |
4.2.1-4.4.5 | |
3333064 |
The traffic control rules that the EVPN multihoming configuration adds to an interface are deleted when the hsflowd service restarts. The hsflowd service deletes the EVPN multihoming traffic control filters after you stop hsflowd, then adds back the match-all filters with the psample action; however, hsflowd does not add back the EVPN multihoming traffic control rules. |
4.4.0-5.3.1 | 5.4.0-5.11.0 |
3330705 |
When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. |
3.7.0-5.3.1 | 5.4.0-5.11.0 |
3327477 |
If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 through tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 through tacacs15 user password. |
3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.11.0 | |
3321391 |
On the NVIDIA SN2410 switch, ports with optical transceivers show FAULT errors in the sensor command output. |
4.2.1-5.3.1 | 5.4.0-5.11.0 |
3303105 |
A clagd crash occurs with the following traceback in /var/log/clagd.log after a clag sync event, which is typically driven by a peerlink up event: unhandled exception: Traceback (most recent call last): File "/usr/sbin/clagd", line 1304, in PeerRecvT PeerRecv() File "/usr/sbin/clagd", line 513, in PeerRecv ParseProtoBufMessage(nlm, myPeerMsg) File "/usr/sbin/clagd", line 853, in ParseProtoBufMessage msgData = FdbSync.ParseProtoBufMessage(msgHdr) File "/usr/lib/python3/dist-packages/clag/fdbsync.py", line 892, in ParseProtoBufMessage msgData.ParseFromString(msgHdr.data) google.protobuf.message.DecodeError: Error parsing message |
4.4.0-4.4.5 | |
3297171 |
Restarting switchd might fail due to an ACL SPAN module initialization failure. |
4.4.2-4.4.3 | 4.4.4-4.4.5 |
3293110 |
You cannot set the NTF router flag (NTF_ROUTER) on neighbor entries from the user space. | 4.4.2-4.4.5 | |
3292873 |
When you run ZTP manually with the ztp -R command, then the ztp -vb command, the process stalls indefinitely while searching the local (USB) location and not using DHCP information. To work around this issue, run the ztp -r command with the URL of the ZTP server: [Dec-08-17:09:58] root@switch:/home/cumulus# ztp -r http://myztp.server.local/ztp |
4.4.2-4.4.5 | |
3291548 |
In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As a result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. |
4.2.1-4.4.5 | 5.0.0-5.11.0 |
3284719 |
Certain EVPN multihoming show commands might cause the bgpd service to crash if you use the json flag and try to reference the default VRF by name. For example: show bgp l2vpn evpn es-vrf json. |
4.4.2-4.4.5 | |
3269537 |
When an FRR routing service (such as bgpd) becomes unresponsive, watchfrr might fail to stop and restart the service. To work around this issue, restart FRR with the systemctl restart frr command. |
4.4.0-5.3.1 | 5.4.0-5.11.0 |
3244740 |
If you have a lot of inbound route maps that match lists with many regex statements, a large number of updates from the peer can cause the system to run out of memory. To work around this issue, reduce the number of regex matches in inbound route maps. | 4.4.0-5.2.1 | 4.3.2, 5.3.0-5.11.0 |
3221470 |
Under heavy system load, when many forwarding resources (routes, neighbors, ECMP groups, and so on) are removed from hardware, subsequent attempts to configure additional forwarding resources might fail and you see the following log message: sx_sdk: EMAD_RX_THREAD: EMAD transaction FW error |
4.4.0-5.1.0 | 5.2.0-5.11.0 |
3218207 |
Certain routes on tenant VRFs have missing next hop entries because the router MAC address is missing in the bridge forwarding database table that corresponds to the remote VTEP. As a result, traffic forwarding is affected for these routes. | 4.3.0-5.2.1 | 5.3.0-5.11.0 |
3216922 |
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). |
3.7.0-5.2.1 | 5.3.0-5.11.0 |
3216921 |
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). |
3.7.0-3.7.16, 4.3.0-4.4.5 | |
3216759 |
With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool, and the ACL might not work correctly: hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. |
3.7.15-3.7.16, 4.3.0-4.4.5 | |
3211369 |
The NCLU net show interface pluggables command takes a long time (approximately five minutes) to complete. |
4.2.1-4.4.5 | |
3211054 |
On the NVIDIA Spectrum-2 switch, when receiving multicast traffic on a PIM-enabled VLAN, the multicast traffic is forwarded correctly to the associated VLAN; however, WJH shows traffic loss with the error:
|
4.4.2-5.2.1 | 5.3.0-5.11.0 |
3209699 |
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). |
3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.11.0 |
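The three RADIUS entries above (3216922, 3216921, 3209699) describe a privilege-escalation path: a show-only RADIUS user gets NCLU edit rights as soon as any name on users_with_edit is not a real local account. The following Python is an added example, not Cumulus Linux code, that checks /etc/netd.conf for that condition. It assumes the INI layout netd uses ([Users] section, comma-separated names), and it reads /etc/passwd directly instead of calling getpwnam(): on a RADIUS-enabled switch the NSS mapping module can resolve a non-local name to the shared RADIUS account, so an NSS lookup would report exactly the offending names as "local". The sample config and passwd content are constructed.

```python
"""Flag non-local names on users_with_edit in /etc/netd.conf.

Added example, not Cumulus Linux code. Assumes netd's INI layout
([Users] section, comma-separated names). Local users are read from
/etc/passwd on purpose: pwd.getpwnam() goes through NSS, and on a
RADIUS-enabled switch the mapping NSS module can resolve any name to
the shared RADIUS account, which is exactly the case this bug is about.
"""
import configparser
from typing import Iterable, List, Set

NETD_CONF = "/etc/netd.conf"
PASSWD = "/etc/passwd"


def parse_name_list(value: str) -> List[str]:
    """Split 'root, cumulus,netops' into names, dropping empties."""
    return [n.strip() for n in value.split(",") if n.strip()]


def local_users_from_passwd(passwd_text: str) -> Set[str]:
    """Account names that have a real /etc/passwd entry."""
    users = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and not line.startswith("#"):
            users.add(fields[0])
    return users


def non_local_edit_users(netd_conf_text: str, local_users: Iterable[str]) -> List[str]:
    """Names on users_with_edit that are not real local accounts."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(netd_conf_text)
    if not cp.has_section("Users"):
        return []
    edit_users = parse_name_list(cp.get("Users", "users_with_edit", fallback=""))
    local = set(local_users)
    return [u for u in edit_users if u not in local]


def check_switch(netd_path: str = NETD_CONF, passwd_path: str = PASSWD) -> List[str]:
    """Run the check against the live files on the switch."""
    with open(netd_path) as f:
        conf = f.read()
    with open(passwd_path) as f:
        local = local_users_from_passwd(f.read())
    return non_local_edit_users(conf, local)


# Constructed samples, not taken from a real switch. 'netops' exists only
# on the RADIUS server, so a RADIUS show-only user could gain edit rights.
SAMPLE_NETD_CONF = """\
[Users]
users_with_edit = root, cumulus, netops
users_with_show = root, cumulus
groups_with_edit = netedit
groups_with_show = netshow
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
cumulus:x:1000:1000:cumulus,,,:/home/cumulus:/bin/bash
radius_user:x:1001:1001:radius user:/home/radius_user:/bin/bash
"""

if __name__ == "__main__":
    bad = non_local_edit_users(SAMPLE_NETD_CONF, local_users_from_passwd(SAMPLE_PASSWD))
    print("non-local names on users_with_edit:", bad)
```

On a switch, run check_switch() as root; any name it returns must be removed from users_with_edit or created as a real local user before RADIUS show-only users are trusted.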
3192808 |
When the switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. |
4.3.0-4.3.1, 4.4.0-5.2.1 | 4.3.2, 5.3.0-5.11.0 |
3168564 |
In a large-scale VXLAN configuration (for example, more than 8500 VLANs across ports), switchd might crash when you restart clagd or when all bonds go operationally down, then up. On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments at 8500 VLANs across ports with LACP bypass disabled. |
4.3.1-4.4.5 | |
3163845 |
If the bond slaves listed in the /etc/network/interfaces file are not in alphabetical order, the bond interface MAC address can change when you run ifreload. For example, if the bond slaves are listed as swp32 swp31, the switch initially uses the MAC address of swp32 as the bond MAC address. Another ifreload can change this to the MAC address of swp31, which can cause protocol issues such as IPv6 link-local address changes. |
4.3.1-4.4.5 | |
3150317 |
During a host failure where the link stays up but the host stops sending LACP, the EVPN multihoming ES bond enters LACP bypass (active) mode without a link state change. | 4.4.2-5.2.1 | 5.3.0-5.11.0 |
3138746 |
The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0-5.1.0 | 5.2.0-5.11.0 |
3138057 |
When the next hop interface for EVPN type 5 routes flaps, FRR might uninstall the routes and Route install failed appears in /var/log/frr/frr.log . To work around this problem, restart FRR with the sudo systemctl restart frr command. |
4.4.0-5.2.1 | 5.3.0-5.11.0 |
3135801 |
Zebra rejects MAC IP updates from BGP when the MAC mobility sequence number that BGP sends is lower than the sequence number known to zebra. When the MAC mobility sequence that BGP knows legitimately lowers (due to narrow timing conditions during convergence or after rebooting an MLAG pair one VTEP at a time), zebra rejects these updates and maintains a stale state. If the stale information that zebra uses points to the wrong VTEP address, traffic goes to the wrong VTEP and might drop. |
4.0.0-4.3.0, 4.4.0-4.4.5 | 3.7.16, 4.3.1 |
3131423 |
During EVPN multihoming bond failover, ARP and ND redirection fails if you configure layer 2 VNIs and ES bonds before you configure the loopback IP address of the switch. To work around this issue, configure the loopback IP address, then restart FRR with the systemctl restart frr command. |
4.3.0-5.1.0 | 5.2.0-5.11.0 |
3129819 |
On the EdgeCore AS4610 switch, the clagd service loses communication after 198 days of uptime. |
3.7.15-3.7.16, 4.3.0-4.4.5 | |
3123556 |
When you configure an interface in FRR to send IPv6 RAs before you configure the interface in the /etc/network/interfaces file, the switch does not process IPv6 RAs. To work around this issue, remove the interface configuration in FRR and reapply it. |
3.7.15-4.3.0, 4.4.0-5.1.0 | 4.3.1, 5.2.0-5.11.0 |
3119615 |
In an MLAG topology, if you admin down a single connected interface, any dynamic MAC addresses on the peer link are flushed, then added back momentarily, which creates a disruption in traffic. | 3.7.15-5.1.0 | 5.2.0-5.11.0 |
3117340 |
When you edit the /usr/share/openvswitch/scripts/ovs-ctl-vtep file to change the ovs-vtepd configuration between vlan-aware and vlan-unaware mode, ovs-vtepd crashes when you restart the service. To recover, restart the networking service with the sudo systemctl restart networking command. |
4.3.0-5.1.0 | 5.2.0-5.11.0 |
3107615 |
Cumulus Linux installation fails with the error Installation Problems, sub-task Installing Optional Packages. This occurs because the web server hosting the Cumulus Linux image remaps a 404 for the non-existent file image.optional_pkgs into a web page, which the installer then incorrectly attempts to use as a list of optional packages. To work around this issue, on the web server hosting the image, create an empty file with the same name as the image with .optional_pkgs appended to the name. |
4.4.0-4.4.3 | 4.3.1, 4.4.4-4.4.5, 5.2.0-5.11.0 |
3094082 |
If you apply a PBR policy with a next hop group but the next hop is not reachable, the PBR service crashes. | 4.4.0-4.4.3 | 4.4.4-4.4.5 |
3093966 |
On Broadcom switches, INPUT chain iptables rules filter IPv6 packets matching the rules. | 3.7.15-3.7.16, 4.3.0-4.4.5 | |
3091381 |
Restarting switchd might fail due to an ACL SPAN module initialization failure. |
4.4.2-4.4.3 | 4.4.4-4.4.5, 5.0.0-5.11.0 |
3089165 |
A slow memory leak might occur in switchd if a route fails to install in hardware because hardware resources are exhausted. |
4.2.1-4.4.3 | 4.4.4-4.4.5 |
3084027 |
Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware. |
4.3.0-4.4.5, 5.0.0-5.11.0 | |
3083265 |
The snmpd process slowly leaks memory when you poll TCP-MIB objects. To work around this issue, restart the snmpd service to free memory with the systemctl restart snmpd command. |
3.7.16-5.1.0 | 5.2.0-5.11.0 |
3082583 |
On the NVIDIA SN3420 switch, the smonctl command output shows the maximum PSU temperature higher than the critical temperature. |
4.4.2-4.4.3, 5.0.0-5.1.0 | 4.4.4-4.4.5, 5.2.0-5.11.0 |
3073668 |
On the EdgeCore AS4610 switch, when you change the speed of any of the SFP+ ports, the other SFP+ ports flap. | 3.7.12-3.7.16, 4.3.0-4.4.5 | |
3073649 |
In an EVPN-MH configuration, the switch fails to redirect tagged frames with the CoS bits set. | 4.4.0-4.4.3, 5.0.0-5.1.0 | 4.4.4-4.4.5, 5.2.0-5.11.0 |
3072613 |
When you delete a bond interface with NCLU, BGP peer group configuration is removed. | 3.7.15-3.7.16, 4.3.0-4.4.5 | |
3070672 |
TACACS command authorization results in a traceback error and the command is not executed. | 4.4.0-4.4.5 | |
3060399 |
When you add an interface to a layer 3 bond, traffic does not forward and you see errors similar to the following: 2022-05-02T13:14:40.118597+00:00 cumulus sx_sdk: ROUTER: Failed to delete router interface(27) ref count isn’t 0, err= Resource is in use |
4.4.2-4.4.3, 5.0.1-5.1.0 | 4.4.4-4.4.5, 5.2.0-5.11.0 |
3059135 |
In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route. To resolve this issue, restart FRR with the sudo systemctl restart frr command. |
4.3.0-5.1.0 | 5.2.0-5.11.0 |
3046023 |
The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. |
4.2.1-5.1.0 | 5.2.0-5.11.0 |
3041306 |
If you update the MAC address of an SVI using ifreload and hwaddress , the kernel maintains a stale permanent fdb entry for the old MAC address. |
3.7.15, 4.3.0, 4.4.0-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.11.0 |
3032234 |
In BGP unnumbered, when you try to remove an interface from the underlay default VRF with the NVUE nv unset vrf default router bgp neighbor command, the command fails to apply. |
4.4.2-5.0.1 | 5.1.0-5.11.0 |
3021887 |
On Spectrum-2 switches, when a packet has a CRC error and the ports are in cut-through mode, the switch might stop forwarding traffic. | 4.4.2-5.0.1 | 5.1.0-5.11.0 |
3021879 |
Cumulus Linux learns remote MAC addresses as local entries on the bridge with the wrong remote VTEP IP address even when bridge learning is off on the VTEP and ARP suppression is enabled. | 4.4.0-4.4.3 | 3.7.15-3.7.16, 4.4.4-4.4.5, 5.0.0-5.11.0 |
3021877 |
After you configure a new VLAN on a bond, traffic might stop forwarding on the bond interface. This issue occurs only when you specify bridge-vids on the bond. This issue does not occur when you configure VLANs only on the bridge interface and let the bond get the bridge-vids applied from the bridge. |
4.4.2-4.4.3 | 4.4.4-4.4.5, 5.1.0-5.11.0 |
3021838 |
PBR rules that you apply to interfaces in the default VRF install in the kernel with the action lookup local . As a result, packets that match this rule only perform a route lookup in the local table (which contains special routes for local IP addresses and broadcast addresses) but not in the main table (which contains unicast routes). As a result, policy routing might be applied to traffic incorrectly. |
4.4.2-5.0.1 | 5.1.0-5.11.0 |
3021698 |
After you convert a port from a layer 2 bond member to a layer 3 port, the switch drops transmitted untagged packets as egress VLAN membership discards. To work around this issue, restart switchd with the sudo systemctl restart switchd.service command. |
4.4.2-4.4.3, 5.0.0-5.0.1 | 4.4.4-4.4.5, 5.1.0-5.11.0 |
3021692 |
When ARP suppression is off, Cumulus Linux sends GARPs from neighmgrd for remote neighbors over VXLAN. |
3.7.15-4.3.0, 4.4.0-5.1.0 | 4.3.1, 5.2.0-5.11.0 |
3017180 |
When you run the /usr/share/snmp/resq_pp.py script used by SNMP, you see the following log message in syslog regardless of the forwarding table profile set in the /etc/cumulus/datapath/traffic.conf file. |
4.4.0-5.0.1 | 5.1.0-5.11.0 |
3007564 |
After you delete the last vxlan-remoteip configuration line from the /etc/network/interfaces file and run the ifreload -a command, the corresponding BUM flood entry is not removed. |
3.7.15-5.0.1 | 5.1.0-5.11.0, 5.2.0-5.11.0 |
2994402 |
When you run ifquery as non-root, EVPN multihoming bond configuration fails. To work around this issue, always use sudo when running ifupdown2 commands ( ifup , ifreload , ifdown , and ifquery ). |
4.4.2-5.0.1 | 5.1.0-5.11.0 |
2968495 |
If switchd requires more time to update port or bond configuration after the port or bond flaps, the systemd watchdog times out. As a result, systemd might assume that switchd is unresponsive and restart it. |
4.2.1-4.4.2 | 4.4.3-4.4.5, 5.1.0-5.11.0 |
2964279 |
When a VNI flaps, an incorrect list of layer 2 VNIs are associated with a layer 3 VNI. The NCLU net show evpn vni detail command output shows duplicate layer 2 VNIs under a layer 3 VNI. |
3.7.15, 4.4.2-4.4.5, 5.0.0-5.11.0 | 3.7.16 |
2961216 |
When there is a peer link failure followed by a power failure or a crash on the primary switch, the MLAG secondary switch takes up to 24 seconds to change roles to the Primary. | 4.4.2-4.4.3 | 4.4.4-4.4.5 |
2961079 |
CVE-2021-28965, CVE-2021-31799, CVE-2021-31810, CVE-2021-41817, CVE-2021-41819, CVE-2021-32066: Several vulnerabilities have been discovered in the interpreter for the Ruby language and the included RubyGems, which may result in XML round-trip attacks, the execution of arbitrary code, information disclosure, StartTLS stripping in IMAP, or denial of service. Vulnerable: <= 2.5.5-3+deb10u3; Fixed: 2.5.5-3+deb10u4 |
4.4.0-4.4.2 | 4.4.3-4.4.5 |
2961008 |
SNMP reports the same ifType of ethernetCsmacd(6) for loopback interfaces. |
3.7.15-4.4.2, 5.0.0-5.0.1 | 4.4.3-4.4.5, 5.1.0-5.11.0 |
2959575 |
When a port flaps with PTP enabled, the switch firmware might become unresponsive and you see the following log message: [ptp4l.ERR]: [435345.036] timed out while polling for tx timestamp |
4.4.0-4.4.2 | 4.4.3-4.4.5 |
2959550 |
If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry. | 4.4.0-5.0.1 | 5.1.0-5.11.0 |
2951110 |
The net show time ntp servers command does not show any output with the management VRF. |
3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.11.0 | |
2949513 |
CVE-2022-22747: Incorrect parsing of pkcs7 sequences in nss, the Mozilla Network Security Service library, may result in denial of service. Vulnerable: <= 2:3.42.1-1+deb10u4; Fixed: 2:3.42.1-1+deb10u5 |
4.4.0-4.4.2 | 4.4.3-4.4.5 |
2944167 |
When you use NCLU commands to add a port to a bridge and the port already exists under the bridge, Cumulus Linux removes all other ports from the bridge. | 4.4.2-4.4.5 | |
2943443 |
Cumulus Linux lets you add more than one VXLAN interface to same VLAN on the same bridge. This is an invalid configuration as certain Cumulus Linux components, such as switchd , expect a single VNI for a given bridge or VLAN. |
3.7.15, 4.2.1-4.3.0, 4.4.2-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.11.0 |
2943080 |
The overlay ASN is removed after a route flap. | 4.4.0-5.0.1 | 5.1.0-5.11.0 |
2940051 |
In an MLAG configuration with traditional bridges, MAC addresses are seen over peer link during ifreload when adding new VLANS or bridges. |
3.7.14.2-3.7.15, 4.3.0-4.4.5 | 3.7.16, 5.0.0-5.11.0 |
2933466 |
You cannot run NVUE commands to configure route leaking. To work around this issue, create a snippet in yaml format and add the configuration to the /etc/frr/frr.conf file. |
4.4.0-5.0.1 | 5.1.0-5.11.0 |
2932085 |
CVE-2021-45944, CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed. Vulnerable: <= 9.27~dfsg-2+deb10u4; Fixed: 9.27~dfsg-2+deb10u5 |
4.4.0-4.4.2 | 4.4.3-4.4.5 |
2913859 |
ECMP error messages similar to the following show in log files:
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:361 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:621 ERR ECMP: failed to CREATE static ecmp in hw
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:656 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1540 ERR ECMP: failed to allocate hw ecmp status No More Resources
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1561 ERR ECMP: error allocating static ecmp
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:2207 ERR ECMP: failed to find ecmp container |
4.4.0-5.0.1 | 5.1.0-5.11.0 |
2904450 |
When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. |
4.4.0-4.4.5, 5.0.0-5.11.0 | |
2902013 |
The NCLU commit command adds a five second delay. | 4.2.1-4.4.5 | |
2896450 |
On the Dell N3248PXE switch, fixed RJ45 interfaces with PoE neighbors can end up in Paused mode after a switchd restart, which blocks traffic on that interface. To work around this issue, restart switchd a second or third time until all interfaces are functioning correctly, or reboot the switch. |
4.3.0-4.4.5 | |
2875338 |
In a scaled EVPN-MLAG configuration (observed with 400 or more VNIs and 20K or more MAC addresses – the actual scale might vary), when the peer link flaps causing all VNIs to come up at the same time, there might be high CPU utilization on the system for several minutes and the FRR service might restart. After FRR restarts or the CPU utilization settles down, the system functions normally. | 4.2.1-4.3.0, 4.4.0-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.11.0 |
2866080 |
On the Maverick S4148T switch with MLAG, Cumulus Linux drops LACP, ARP, LLDP and BGP traffic. | 4.3.0-4.4.5 | |
2862211 |
On NVIDIA Spectrum ASICs in a scaled layer 2 bridge configuration (more than 800 VLANs), clagd.service enters a failed state after a reboot or a switchd restart. To work around this issue, load the port configuration in a staggered manner (groups of five downlink ports). |
3.7.12-3.7.15, 4.3.0, 4.4.2-4.4.5 | 3.7.16, 4.3.1, 5.0.0-5.11.0 |
2860323 |
If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry. | 4.4.0-5.0.1 | 5.1.0-5.11.0 |
2845531 |
If you update the MAC address of an SVI when the SVI is in a protodown state (for example, when no bridge ports that carry this VNI are operationally up or if the MAC address of the SVI’s parent bridge changes), clagd does not notice the change. The MLAG peer incorrectly maintains a PERMANENT neighbor entry for the SVI IP that points to the old MAC address. |
4.2.1-4.4.5 | 5.0.0-5.11.0 |
2841584 |
After you upgrade Cumulus Linux on one of the MLAG peers, the bonds do not come up and the reason shows anycast-ip-mismatch even though there is no VXLAN configuration on the switch. To work around this issue, configure an anycast IP address under the loopback interface on both switches in the MLAG pair. |
4.4.2-4.4.5 | 5.0.0-5.11.0 |
2838905 |
On Broadcom ARM switches, the NTP clock slowly drifts to a very high offset (over 500 ms) and the clock is not able to synchronize. To work around this issue, use the chrony implementation of NTP instead of ntpd; chrony synchronizes the system clock faster and with better accuracy. Instructions for using chrony are here: https://docs.nvidia.com/networking-ethernet-software/knowledge-base/Network-Solutions/Chrony-on-Cumulus-Linux/ |
4.3.0-4.4.5 | |
2837378 |
The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0, 4.4.0-5.1.0 | 4.3.1, 5.2.0-5.11.0 |
2821869 |
The cl-route-check --layer3 command fails with a memory error. For example:
cumulus@switch:~$ sudo cl-route-check --layer3
Traceback (most recent call last): |
3.7.15-4.4.5 | 5.0.0-5.11.0 |
2820565 |
SNMP does not start and you see errors similar to the following:
cumulus@switch:~$ sudo systemctl status snmpd.service
snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
To work around this issue, run the sudo systemctl restart snmpd.service command. |
4.3.0-4.4.5 | 5.0.0-5.11.0 |
2815646 |
In an EVPN configuration, an FRR restart on a border leaf VRRP master causes a stale route for the VRRP VIP on some remote VTEPs to point to the VRRP backup after convergence. | 3.7.12-3.7.15, 4.3.0, 4.4.2-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.11.0 |
2813563 |
When you change the port speed with the NVUE nv set interface command, then run nv config apply , the port is disabled. To work around this issue, run the ifreload -a command after you apply the port speed setting. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2803428 |
The clagctl -v -j and net show clag verbose json commands show incorrect output. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2802859 |
When the INTF_CMD list in the /etc/default/isc-dhcp-relay file includes interfaces that are non-existent or only partially configured in the /etc/network/interfaces file, DHCP Relay leaks open file descriptors; the DHCP Relay service exits and you see error messages. To work around this issue, either clean up the INTF_CMD list in the /etc/default/isc-dhcp-relay file to remove interfaces that are non-existent or partially configured in the /etc/network/interfaces file, or correct the /etc/network/interfaces file so that every interface in the INTF_CMD list has a complete configuration. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2799575 |
When next hop tracking fails for a global next hop, BGP invalidates the entire path instead of only invalidating the global next hop. | 4.4.0-4.4.5 | 5.0.0-5.11.0 |
2799568 |
When you add or remove a global unicast address from an interface, BGP does not update the global next hop advertised to the unnumbered BGP peer. | 4.4.0-4.4.5 | 5.0.0-5.11.0 |
2798406 |
If an MLAG failure of an EVPN active-active VTEP pair occurs after you disable EVPN Advertise Primary IP Address, remote VTEPs might not be able to install the anycast RMAC of the failed MLAG peers or the related bridge FDB entry. To work around this issue, do not disable EVPN Advertise Primary IP Address, which is enabled by default when you use address-virtual for layer 3 VNI SVI interfaces. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2794766 |
The Mellanox 3700C switch reports a slow memory leak in sx_sdk. Memory increases by about 240 B per hour and is not freed. | 4.3.0-4.4.5 | 5.0.0-5.11.0 |
2792750 |
If you change the clagd-vxlan-anycast-ip setting on both MLAG peers at the same time, both peers use their unique VTEP address indefinitely. |
3.7.15-4.3.0, 4.4.0-4.4.5 | 4.3.1 |
2792616 |
If a neighbor entry (ARP or NDP) is used as a next hop of a route that is synchronized into hardware, the neighbor entry is not removed from hardware after the neighbor is no longer reachable. As a result, routed traffic matching this prefix is incorrectly hardware forwarded through the stale neighbor information. | 4.3.0-4.4.5 | 5.0.0-5.11.0 |
2788780 |
When you enable ARP and ND suppression and the switch forwards ARP and ND packets to the kernel, RX_DRP counters might increment but the packets are processed as normal. | 4.4.0-4.4.5 | |
2781537 |
In Cumulus VX, the iptables FORWARD chain does not count hits. To work around this issue, use -t mangle -A PREROUTING instead of FORWARD . |
4.3.0-4.4.5 | 5.0.0-5.11.0 |
2780915 |
In NVUE, you can’t deactivate the IPv4 address family per neighbor. | 4.4.0-4.4.5 | 5.0.0-5.11.0 |
2780834 |
To enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.11.0 |
2780211 |
When you use the NVUE nv set vrf default router bgp peer command to configure a local AS, Cumulus Linux does not update the /etc/frr/frr.conf file. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2771653 |
When using W-ECMP, the weights for various BGP next hops can sometimes be in the range of 100s or more, which consumes a lot of hardware space. | 4.3.0-4.4.5 | |
2763819 |
When you enable LACP bypass on a bond, traffic to static MAC addresses configured on the bond might not work when LACP bypass is enforced. | 4.4.0-4.4.5 | |
2754791 |
Remote MAC addresses in zebra are out of sync with bgpd. The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP. |
3.7.14.2-3.7.16, 4.3.0-4.4.5 | |
2753955 |
On the Lenovo MSN3700 switch, if you try to configure an interface with a link speed of 200G, the configuration fails. | 4.2.1-4.4.5 | 5.0.0-5.11.0 |
2752330 |
With BGP and layer 2 forwarding, Smart System Manager warm boot mode can cause packet loss. | 4.4.0-4.4.5 | 5.0.0-5.11.0 |
2747750 |
Links connected between a Spectrum-2 switch configured for warm boot and Spectrum-3 switches configured for cold boot might not come up when the switches are booted. | 4.4.2-4.4.5 | 5.0.0-5.11.0 |
2743186 |
When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. |
3.7.15-5.1.0 | 5.2.0-5.11.0 |
2739402 |
The destination MAC address of ERSPAN GRE packets is set to all zeros. | 4.3.0-4.4.5 | 5.0.0-5.11.0 |
2739398 |
Cumulus Linux does not support a bond or bond member as a SPAN destination. | 4.4.0-4.4.5 | 4.3.1 |
2738040 |
In an EVPN multihoming configuration, unicast ARP requests are not forwarded when the local Ethernet segment is down. | 4.4.0-4.4.5 | |
2736244 |
When you run the vtysh command to enable BGP graceful restart on a peer multiple times, the command fails with the following error:% The Graceful Restart command used is not valid at this moment. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2736108 |
When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. |
4.4.0-4.4.5, 5.0.0-5.11.0 | |
2734103 |
ACL [No More Resources] messages keep appearing and you can’t reinstall the ACL. |
4.3.0-5.1.0 | 5.2.0-5.11.0 |
2732605 |
The ESI line in the show bgp l2vpn evpn route command output always shows VNI: 0. This is a cosmetic software issue. |
4.3.0-4.4.5 | 5.0.0-5.11.0 |
2732587 |
The bridge MAC address is updated during a port change on bridge interfaces. | 4.3.0, 4.4.0-4.4.5 | 4.3.1, 5.0.0-5.11.0 |
2728207 |
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
2728206 |
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
2728119 |
When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command. |
4.3.0-4.4.5 | 5.0.0-5.11.0 |
2713888 |
With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool, and the ACL might not work correctly: hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources. To work around this issue, change the TCAM profile to acl-heavy, or keep ip-acl-heavy and use ACL non-atomic mode. |
3.7.15-5.0.1 | 5.1.0-5.11.0 |
2711533 |
On the AS7326-56X switch, the link lights for 25G ports configured to work at 1G do not illuminate. | 4.2.1-4.4.5 | |
2710208 |
The net show bgp neighbor command output does not reflect the correct BFD status. This is a cosmetic issue. To work around this issue, run the NCLU net show bfd command to verify the correct state of BFD. |
4.2.1-4.4.5 | |
2700767 |
Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use an MLAG peer IP link-local configuration. | 3.7.12-3.7.15, 4.3.0-4.4.5 | 3.7.16 |
2698649 |
When configuring a single VXLAN device in the /etc/network/interfaces file, if you edit the multicast group address in vxlan-mcastgrp-map , then revert the change, the change does not take effect. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2687344 |
On the NVIDIA SN3700 switch, the decode-syseeprom shows device absent for a PSU that is present. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2685994 |
When you use the NVUE command nv set interface lo router ospf area to configure OSPF on a loopback interface, the configuration fails to apply. To work around this issue, configure the loopback interface in the desired OSPF area with the nv set vrf default router ospf area 0 network command and reference the assigned prefix of the loopback interface. For example:
cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32 |
4.0.0-5.0.1 | 5.1.0-5.11.0 |
2685036 |
When the PIM RP configuration includes an anycast IP address and the route to that anycast IP address changes while joined to a multicast stream, you might receive the multicast stream from both the old and the new anycast source. | 4.4.0-4.4.5 | |
2684925 |
The NVUE nv show vrf default router bgp peer command produces a 404 not found error. |
4.4.0-4.4.5, 5.0.0-5.11.0 | |
2671652 |
In VXLAN routing environments, you might experience sub-optimal route convergence delays (longer than five seconds) when a prefix transitions to a new ECMP next-hop group. This condition might occur when a VTEP loses ECMP routes through all uplink peerings, then installs the routes through a different path, such as an MLAG peerlink. | 4.4.0-4.4.5, 5.5.0-5.11.0 | |
2669858 |
OpenSSH is vulnerable to CVE-2020-14145, as described in https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf. This is an information leak in algorithm negotiation that can allow man-in-the-middle attacks on initial connection attempts without a previously stored server host key on the client. If desired, mitigation using UpdateHostKeys and HostKeyAlgorithms is also given in that paper. |
3.7.14-3.7.16, 4.0.0-4.4.5 | |
2639303 |
When you use NCLU to delete a bond, then add an interface, NCLU reports an error similar to the following: ERROR: ‘NoneType’ object has no attribute ‘conf_key_value_multiple_values’. See /var/log/netd.log for more details. |
4.3.0-4.4.5 | |
2621244 |
When a VRF name includes evpn , the NCLU net show bgp vrf command fails with the error ERROR: The call to /usr/bin/vtysh failed. To work around this issue, do not use evpn in the VRF name or run the desired commands directly from FRR with vtysh . |
4.3.0-4.4.5 | |
2618227 |
The NCLU net show bridge macs command displays permanent MAC addresses for trunked VLANs. |
4.3.0-4.4.5 | |
2606326 |
If the IGMP and MLD querier is configured on only one of the peer switches in an MLAG configuration, when IGMP packets are sent to the peer with no querier, IGMP leave messages have no effect. | 4.4.0-4.4.5 | |
2599274 |
On Mellanox Spectrum switches, when there is an MSTP forwarding state change on a bond (for example, when the state changes from blocking to forwarding), the MSTP hardware table might set some VLANs to blocking when they should be forwarding. As a result, all packets on these VLANs drop at ingress. To recover from this state, flap the bond interface (not the physical swp) by running ifdown <bond_name> ; sleep 1 ; ifup <bond_name> . |
4.3.0-4.4.5 | 5.0.0-5.11.0 |
2596458 |
When bridge.unreg_v6_mcast_prune = TRUE is configured in the /etc/cumulus/switchd.conf file, traffic destined to IPv6 link-local multicast addresses might not be flooded within the bridge. To work around this issue, disable pruning for IPv6 multicast by setting bridge.unreg_v6_mcast_prune = FALSE in the /etc/cumulus/switchd.conf file. |
4.4.0-4.4.5 | |
2574368 |
When you run the NCLU net add bgp maximum-paths ibgp command, FRR restarts unexpectedly. To work around this issue, either use the vtysh commands or edit the /etc/frr/frr.conf file directly, then run systemctl reload frr . |
4.1.1-4.4.5 | |
2556772 |
The net show clag verify-vlans command fails with the following log:
To work around this issue, run the /usr/bin/clagctl verifyvlans command or the net show clag verbose command. |
4.2.1-4.4.5 | |
2556369 |
If you use NCLU to configure an ACL for eth0, you can’t designate it as an INPUT rule; the rule is automatically created as a FORWARD rule in the /etc/cumulus/acl/policy.d/50_nclu_acl.rules file. Because traffic addressed to the switch itself traverses INPUT, not FORWARD, the rule never matches management traffic. To work around this issue, manually create an ACL in a rules file in the /etc/cumulus/acl/policy.d/ directory with “-A INPUT -i eth0”. |
4.2.1-4.4.5 | |
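For 2556369, a check that finds the misplaced rules, added here as an example and not Cumulus Linux code. The parser assumes the cl-acltool rules layout ([iptables], [ip6tables] or [ebtables] section headers followed by iptables-style rule lines) and flags any rule in the iptables/ip6tables sections that matches -i eth0 but is not in the INPUT chain, since such a rule cannot filter traffic destined to the switch's own management address. The sample rules file is constructed to show an NCLU-written FORWARD rule beside the hand-written INPUT equivalent.

```python
"""Find eth0 rules that sit in FORWARD instead of INPUT in cl-acltool files.

Added example, not Cumulus Linux code. Parses [iptables]/[ip6tables]/[ebtables]
sections of *.rules files under /etc/cumulus/acl/policy.d and flags rules that
match the management interface but are not in the INPUT chain.
"""
import glob
import re
from typing import Dict, List, Tuple

POLICY_DIR = "/etc/cumulus/acl/policy.d"
SECTION_RE = re.compile(r"^\[(iptables|ip6tables|ebtables)\]$")


def parse_rules(text: str) -> List[Tuple[str, str]]:
    """Return (section, rule_line) pairs, skipping blanks and comments."""
    section = None
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section:
            rules.append((section, line))
    return rules


def _arg_after(rule: str, flags: Tuple[str, ...]) -> str:
    """Value following the first of the given flags, or '' if absent."""
    toks = rule.split()
    for flag in flags:
        if flag in toks:
            i = toks.index(flag)
            if i + 1 < len(toks):
                return toks[i + 1]
    return ""


def chain_of(rule: str) -> str:
    return _arg_after(rule, ("-A", "-I"))


def in_interface(rule: str) -> str:
    return _arg_after(rule, ("-i",))


def misplaced_mgmt_rules(text: str, mgmt_if: str = "eth0") -> List[str]:
    """Rules matching -i <mgmt_if> whose chain is not INPUT: they never match."""
    return [rule for section, rule in parse_rules(text)
            if section in ("iptables", "ip6tables")
            and in_interface(rule) == mgmt_if and chain_of(rule) != "INPUT"]


def scan_policy_dir(path: str = POLICY_DIR) -> Dict[str, List[str]]:
    """Map each offending rules file under path to its misplaced rules."""
    findings = {}
    for name in sorted(glob.glob(path + "/*.rules")):
        with open(name) as fh:
            bad = misplaced_mgmt_rules(fh.read())
        if bad:
            findings[name] = bad
    return findings


# Constructed sample: NCLU-style FORWARD rules beside the hand-written INPUT rules.
SAMPLE_RULES = """\
[iptables]
-A FORWARD -i eth0 -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
-A FORWARD -i eth0 -j DROP
-A INPUT -i eth0 -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
-A INPUT -i eth0 -j DROP
[ip6tables]
-A INPUT -i eth0 -j DROP
"""

if __name__ == "__main__":
    for rule in misplaced_mgmt_rules(SAMPLE_RULES):
        print("never matches management traffic:", rule)
```

After editing the rules files, apply them with cl-acltool -i and confirm the chain placement with cl-acltool -L ip.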
2556082 |
The NCLU net del vrf command does not delete a numbered VRF. For example:
|
4.2.1-4.4.5 | |
2556081 |
You cannot set the time zone with NCLU commands. | 4.1.1-4.4.5 | |
2555981 |
In BGP, to enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.11.0 |
2555873 |
On Mellanox switches, egress ACLs with VLAN keys do not filter layer 2 multicast or broadcast traffic. | 4.3.0-4.4.5 | |
2555763 |
The NCLU net del bgp neighbor command does not delete the neighbor and displays an error similar to the following:
To work around this issue, use the FRR command to delete a neighbor. |
4.3.0-4.4.5 | |
2555613 |
The net show configuration commands command incorrectly displays the NCLU syntax to disable IPv6 forwarding on interfaces. For example:
The correct NCLU command to disable IPv6 forwarding is net add vlan 1 ipv6 forward off (without the hyphen). |
4.2.1-4.4.5 | |
2555318 |
If you try to enable BGP graceful restart when it is already enabled, you see an error similar to the following in the frr.log file:
This error has no functional impact. |
4.3.0-4.4.5 | |
2554986 |
The ethtool utility does not contain the latest values; as a result, the Revision Compliance field shows Unallocated . |
4.2.1-4.4.5 | |
2554812 |
If the RMAC of a layer 3 SVI changes, the show vrf vni command is not updated with the new value. However, the new RMAC is seen in the show evpn vni command and is present on self-originated EVPN routes. |
4.2.1-4.4.5 | |
2554783 |
If you apply an outbound route map to a BGP peer that uses set as-path prepend last-as , advertised locally-originated routes have the ASN of the peer prepended to the AS path. This might trigger AS path loop prevention on the peer, where the peer ignores locally-originated prefixes. |
4.2.1-4.4.5 | 5.0.0-5.11.0 |
2554709 |
The IP address specified in the ip pim use-source command configured on the loopback interface should be inherited by unnumbered interfaces during their primary IP address selection process. If ip pim use-source is configured on the loopback after an unnumbered interface has already selected its primary IP address, the unnumbered interface does not update its primary IP address to the new use-source value until there is a netlink update for that interface. To work around this issue, configure ip pim use-source on each unnumbered interface directly, or ensure that ip pim use-source is applied to the loopback before other unnumbered interfaces are enabled for PIM. |
3.7.13-3.7.16, 4.2.1-4.4.5 | |
2554670 |
When you have a large number of ACLs, the cl-acltool -L ip and cl-resource-query commands take a long time to complete. |
4.3.0-4.4.5 | |
2554582 |
On switches with the Maverick ASIC, control traffic is dropped due to receive buffering. | 4.2.0-4.4.5 | |
2554533 |
On the ARM platform, NTP peer associations slowly increase to larger offsets (~500ms). | 4.0.0-4.4.5 | |
2554466 |
Kernel routes added by iproute2 are missing in FRR after an interface flap. To work around this issue, configure a static route in FRR. |
4.2.1-4.4.5 | |
2554222 |
The NCLU command to enable bridge learning fails. As a workaround, enable bridge learning in the /etc/network/interfaces file. For example:
|
4.2.1-4.4.5 | |
2554218 |
MLAG packets received on the peer link are dropped instead of routed. | 4.2.0-4.4.5 | |
2554202 |
The output of the net show commit command does not show the last commit or the specified commit number but is empty instead. |
4.2.1-4.4.5 | |
2553989 |
The default policer configured for LACP as an INPUT chain rule in 00control_plane.rules is meant to protect the CPU from an LACP storm. When an LACP storm originates from a single bond or bond member interface on a switch with multiple bond interfaces, other LACP bond interfaces might go down. | 4.2.1-4.4.5 | |
2553887 |
When TACACS+ is configured with a DEFAULT user that provides a privilege level lower than 16, TACACS+ users with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del , and see an error similar to the following:
To work around this issue, remove the DEFAULT user from the TACACS+ server. |
3.7.7-3.7.16, 4.0.0-4.4.5 | |
2553677 |
When you configure an SNMPv3 user with the net-snmp-config configuration command from the libsnmp-dev package, you get an error message similar to the one below:
To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:
Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation. |
3.7.13-3.7.16, 4.0.0-4.4.5 | |
2553237 |
The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF. NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF. |
4.2.0-4.4.5 | |
2553116 |
When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure. To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2553015 |
If the PortID advertised by an LLDP neighbor contains a special character, the net show interface command does not display the LLDP information or the command might fail. |
3.7.10-3.7.16, 4.2.0-4.4.5 | |
2552691 |
On the EdgeCore AS4610 switch, the eth0 interface remains down when physically connected to a 1G interface. To work around this issue, configure the link speed to 1000 and set auto-negotiation on for the eth0 interface, then flap eth0 with the ip link set eth0 down/up command to bring up the port. |
4.2.0-4.4.5 | |
2552453 |
On the Mellanox switch, RoCE with PFC configuration is not applied to all ports in hardware when a range is used in the traffic.conf file. To work around this issue, use NCLU to configure RoCE with PFC or list individual ports in the traffic.conf file. |
4.2.0-4.4.5 | |
2552309 |
The following messages are seen on an Edgecore Minipack-AS8000 running Cumulus Linux 4.2.0:
These messages are for internal validation purposes only and can be safely ignored. |
4.2.0-4.4.5 | |
2552294 |
NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2552266 |
OpenSSH scp is vulnerable to CVE-2020-15778, where clients that have authorized access to the SSH server can execute commands on the server by copying maliciously named files. There are two scenarios in which an exploit might be useful to an attacker. First, the user is authorized to use scp but not ssh (based on the command option in the authorized_keys file), so this vulnerability lets the user execute a remote command on the target computer without being authorized to do so. Second, an attacker plants a maliciously named file in a directory tree that someone later copies to the target computer with scp -r . Be aware that restricting users to scp by using the command option in the authorized_keys file is not effective in preventing those users from executing arbitrary commands on the server. If you want to use scp -r to copy directory trees, avoid copying directory trees to which attackers might have added maliciously named files. Archiving the directory tree with tar , zip , or a similar program, then copying the archive over to be extracted on the server, avoids having to use scp -r altogether. In addition, OpenSSH provides sftp , which you can use instead of scp to copy files. To disable scp completely, use /bin/chmod 0 /usr/bin/scp . |
3.7.14-3.7.16, 4.0.0-4.4.5 | |
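The archive-based workaround above, as an added shell example that is not part of Cumulus Linux or OpenSSH: it scans a directory tree for file names containing characters the remote login shell would interpret (the class of name CVE-2020-15778 abuses) and packages a clean tree with tar, so that a single archive whose name you control is what gets copied with scp (no -r) or sftp. The function names and the sample files in the demo are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not Cumulus Linux or OpenSSH code).
# CVE-2020-15778: scp hands remote file names to the remote login shell, so
# "scp -r" of a tree containing a name such as  evil`id`.txt  runs `id` on the
# server. Audit the tree first, then ship an archive instead of the tree.

# Print each path under $1 whose name contains a character that a POSIX shell
# treats specially (command substitution, chaining, redirection, quoting,
# globbing, whitespace). Returns 1 if any such name exists, 0 if none,
# 2 if $1 is not a directory.
unsafe_scp_names() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # "|| true" keeps the assignment from failing under "set -e" when grep
    # finds nothing. Paths are listed relative to $dir so only the names
    # inside the tree are examined, not the path you passed in.
    found=$( (cd "$dir" && find . -print) \
             | grep '[`$;|&<>(){}*?"'"'"'\\[:space:]]' || true )
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Package $1 as the archive $2 after the audit above passes. A single archive
# with a name you chose can be copied with "scp archive.tar host:" (no -r) or
# with sftp, and unpacked on the server with "tar -xf"; the names inside the
# archive are never passed to the remote shell. Refuses an unsafe tree.
archive_tree() {
    dir=$1
    out=$2
    unsafe_scp_names "$dir" >/dev/null || {
        echo "refusing to archive $dir: unsafe file names present" >&2
        return 1
    }
    tar -C "$dir" -cf "$out" .
}

# Demo on constructed files (only when invoked with --demo); on a real host
# the tree would be whatever you intend to copy to the switch.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    mkdir -p "$demo/clean" "$demo/bad"
    echo 'report' > "$demo/clean/report.txt"
    echo 'x' > "$demo/bad/"'evil`id`.txt'
    unsafe_scp_names "$demo/bad" || echo "bad tree rejected (expected)"
    archive_tree "$demo/clean" "$demo/clean.tar" && tar -tf "$demo/clean.tar"
    rm -rf "$demo"
fi
```

The audit is deliberately broad: a space or a glob character in a name is not by itself an injection, but any of them changes how the remote side parses the path, and a tree that trips the check is one you should not be copying with scp -r anyway.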
2551666 |
If you modify an interface name, then reuse the previous interface name for a different VLAN, the ifreload -a command generates an error similar to the following:
|
4.1.0-4.4.5 | |
2551578 |
When you configure a bridge in the /etc/network/interfaces file, then try to reconfigure the bridge to be a VRF interface with the same name, the ifreload and ifup commands fail with an invalid table id or unable to get vrf table id error. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2551565 |
If you toggle VRRP priority values between VRRP routers, then restart switchd , a few IPv6 VRRP instances might not converge. As a result, both VRRP routers act as master routers for the affected IPv6 VRRP instances. IPv4 VRRP instances are not affected. To work around this issue, remove, then add back the VRRP configuration with NCLU or vtysh commands. |
3.7.13-3.7.16, 4.2.0-4.4.5 | |
2551335 |
When TACACS+ is configured and the management VRF is enabled, users with privilege level 13 are prevented from running ip and cat commands. |
4.0.0-4.4.5 | |
2551305 |
The net show configuration command provides the wrong net add command for ACL under the VLAN interface. |
3.7.12-3.7.16, 4.1.0-4.4.5 | |
2551273 |
On a Mellanox SN2010 switch, the Locator LED is on after you upgrade Cumulus Linux. | 4.1.0-4.4.5 | |
2551221 |
When span-to-cpu is enabled on a layer 3 swp interface with an IP address configured, packets whose destination IP is the switch port's IP address do not reach the switch port. To capture packets directed towards the switch port's IP address, disable span-to-cpu and use tcpdump on the switch port instead. | 4.2.0-4.4.5 | |
2551111 |
If a remote EVPN sticky MAC (static MAC address) is unexpectedly learned dynamically on a local interface, the selected entries in zebra and BGP are in an inconsistent state. zebra increments the local MAC mobility sequence number and considers the MAC address to be local, but BGP keeps the remote sticky MAC as the selected best path. This results in zebra installing the local MAC address and BGP not updating the route for the MAC address. |
4.0.0-4.4.5 | |
2550974 |
On the Dell S3000 switch, after installing the Cumulus Linux 4.1.1 disk image without a license, the switch sends a link beat if a remote host port is configured. | 3.7.11-3.7.16, 4.1.1-4.4.5 | |
2550793 |
The NCLU net show bridge spanning-tree command displays the aging timer incorrectly. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2550713 |
Configuring the subinterface of a VXLAN uplink under another traditional bridge, which also has the VXLAN VNI enslaved, causes switchd to use high CPU due to very frequent VXLAN tunnel sync events. To work around this issue, do not enslave the subinterface of a VXLAN layer 3 uplink under a traditional bridge in a VXLAN configuration. |
4.1.1-4.4.5 | |
2550642 |
ACLs with a SPAN target and an in-interface that is a bond member are not supported on Spectrum-based switches. | 4.2.0-4.4.5 | |
2550444 |
Tab completion for the net show rollback description command returns information about a snapshot instead of context help. To work around this issue, run the net show commit history command to find descriptions instead of the net show rollback description command. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2550443 |
The net show rollback description command returns an error even if the string matches a commit description. To work around this issue, look for your string in the output of the net show commit history command (or grep for it there) instead. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2550243 |
When you use nginx and restserver in the management VRF to provide a REST API for the switch, nginx starts but restserver fails to start. To work around this issue, comment out the Requires= line in the /lib/systemd/system/restserver.service file. For example:
|
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2550056 |
The ACCTON-DIAG option under the Cumulus Linux GRUB menu does not work. When you select this option, you see the following error:
|
3.7.12-3.7.16, 4.1.1-4.4.5 | |
2549925 |
When you run an Ansible script to replace the /etc/network/interfaces file, then run the ifreload -a command, you see errors similar to the following:
To work around this issue, run the ifreload -a command a second time. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2549872 |
If you have an SVI with multiple VRR IP addresses and try to delete one of the VRR configurations, net commit or ifreload -a returns an error. |
3.7.12-3.7.16, 4.1.1-4.4.5 | |
2549782 |
The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbour state. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2549731 |
When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:
|
3.7.12-3.7.16, 4.1.1-4.4.5 | |
2549392 |
When you configure an RD or RT with NCLU, you see duplicate VNI stanzas in the /etc/frr/frr.conf file. To work around this issue, manually edit the /etc/frr/frr.conf file to define advertise-all-vni before the RD or RT configuration within the l2vpn evpn address family, then reload the FRR service with the sudo systemctl reload frr command. |
4.1.0-4.4.5 | |
2548924 |
On the EdgeCore Minipack AS8000, storm control does not restrict unknown unicast, broadcast, or multicast traffic. | 4.1.1-4.4.5 | |
2548657 |
When you upgrade Cumulus Linux on the EdgeCore AS7726-32X or AS7326-56X switch, you might see firmware errors similar to the following:
You can safely ignore these error messages. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2548579 |
The following security vulnerability has been announced: CVE-2020-10531: An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp. |
3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16 |
2548315 |
The following security advisory has been announced for bash: CVE-2019-18276 (Qualys scan QID 372268), a setuid vulnerability. When bash or bash scripts run setuid, bash is supposed to drop privileges but does so incorrectly, so an attacker with command access to the shell can use enable -f to load a new builtin at runtime that calls setuid() to regain the dropped privileges. To work around this issue, do not make bash or bash scripts setuid . |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
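The workaround ("do not make bash or bash scripts setuid") is easy to state and easy to violate without noticing, so here is an added shell audit, not part of Cumulus Linux, that walks a file system tree for setuid files and reports those that are bash itself or scripts whose interpreter line is bash. The function names and the sample files in the demo are constructed for the example.

```shell
#!/bin/sh
# Added example (not Cumulus Linux code): audit a file system tree for the
# configuration CVE-2019-18276 needs, a setuid bash binary or a setuid bash
# script. The workaround for the issue is to have no such file; this tells
# you whether you do. On a switch run it against /; the demo below runs it
# against a constructed directory.

# Returns 0 if $1 is bash itself or a script whose interpreter line names
# bash (directly or via env), 1 otherwise.
is_bash_interpreter() {
    f=$1
    case $(basename "$f") in
        bash) return 0 ;;
    esac
    # Only the first line matters; head is safe to run on a binary.
    head -n 1 "$f" 2>/dev/null \
        | grep -Eq '^#![[:space:]]*(/usr)?/bin/(env[[:space:]]+)?bash([[:space:]]|$)'
}

# Print every regular file under $1 that has the setuid bit and is bash or a
# bash script. Returns 1 if any were found, 0 if the tree is clean.
# Remediation is "chmod u-s FILE" (or a sudo rule for the one command the
# script needs), never a setuid interpreter.
setuid_bash_audit() {
    root=$1
    # -perm -4000: setuid bit set, whatever the other mode bits are.
    # -xdev: stay on one file system (skips /proc, /sys and the like).
    hits=$(find "$root" -xdev -type f -perm -4000 -print 2>/dev/null \
           | while IFS= read -r f; do
                 if is_bash_interpreter "$f"; then printf '%s\n' "$f"; fi
             done || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/setuid bash: /'
        return 1
    fi
    return 0
}

# Demo on constructed files (only when invoked with --demo).
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    printf '#!/bin/bash\nid\n' > "$demo/helper.sh"
    chmod 4755 "$demo/helper.sh"
    setuid_bash_audit "$demo" || echo "fix: chmod u-s $demo/helper.sh"
    rm -rf "$demo"
fi
```

A setuid script is ignored by the Linux kernel anyway (the bit is honoured only on the interpreter), but a wrapper binary that execs bash, or a setuid copy of bash left behind by a vendor script, is exactly what the CVE needs, and both show up in this list.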
2548310 |
When the system boots, you might see errors such as cumulus systemd-udevd[7566]: Process '/usr/bin/hw-management-thermal-events.sh add thermal_zone /sys/devices/virtual/thermal/thermal_zone25 thermal_zone25' failed with exit code 1 . These errors are the result of user space acting on kernel events slightly late: the mlxsw_minimal driver is added during kernel boot, an SDK reset causes the driver to be deleted and re-instantiated, and the user space handler for the thermal zone add event sees the add first, but the underlying device is deleted before the handler can act on it. The situation corrects itself when the mlxsw_minimal driver is re-instantiated later. |
4.1.0-4.4.5 | |
2548260 |
The net add routing route-map command does not add the set statement into the /etc/frr/frr.conf file. |
4.0.0-4.4.5 | |
2548243 |
On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
2548117 |
In OVSDB traditional bridge mode, adding or removing a VLAN binding causes a traffic forwarding outage for around 20 seconds or more on adjacent VLAN bindings. Cumulus Linux does not support traditional bridge mode with VMware NSX. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
2548062 |
When ports are split to 4x25G, RS FEC needs to be explicitly configured on both ends (especially when interoperating with non-Mellanox switches). | 4.1.0-4.4.5 | |
2548044 |
When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor. | 3.7.12-3.7.15, 4.0.0-4.4.5 | 3.7.16 |
2547903 |
CVE-2019-19956: xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs. Vulnerable: 2.9.4+dfsg1-7. Fixed: 2.9.4+dfsg1-7+deb10u1. |
4.0.0-4.4.5 | |
2547890 |
QinQ across VXLAN on a traditional bridge does not work. | 4.1.0-4.4.5 | |
2547782 |
If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2547706 |
When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd . To work around this issue, reboot the switch. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2547405 |
When you restart the hsflowd service, you see a systemd warning message similar to the following:
|
4.0.0-4.4.5 | |
2547120 |
After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number) until you run the decode-syseeprom --init command. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2546991 |
The FRR service does not provide a way for automation to know if the configuration applied properly. To work around this issue, run the vtysh -f command in the automation file before starting the FRR service to validate the configuration and return an error code. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2546895 |
If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:
systemd[1]: switchd.service watchdog timeout (limit 2min)!
To work around this issue, either reduce the number of configured interfaces and/or VLANs, or increase the systemd timeout for switchd.service . To increase the systemd timeout:
1. Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter.
2. Run the sudo systemctl daemon-reload command so that systemd reads the changed drop-in, then restart the switchd service with the sudo systemctl restart switchd.service command.
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
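The drop-in edit in the steps above, as an added shell example that is not part of Cumulus Linux: it rewrites WatchdogSec inside the [Service] section of an override.conf without disturbing other settings in the file, reads the effective value back, and wraps the apply sequence. systemd reads unit drop-ins only at daemon-reload, so restarting switchd without that step keeps the old limit. The file paths passed to the helper and the function names are assumptions for the example; the demo works on a copy so nothing under /etc is touched.

```shell
#!/bin/sh
# Added example (not Cumulus Linux code): raise WatchdogSec in a systemd
# drop-in such as /etc/systemd/system/switchd.service.d/override.conf
# without clobbering whatever else the file contains.

# Rewrite $1 so that its [Service] section carries "WatchdogSec=$2".
# An existing WatchdogSec line in [Service] is replaced (duplicates are
# dropped, since systemd lets the last one win); otherwise one is added at the
# end of [Service], creating the section if the file has none.
set_watchdog_sec() {
    file=$1
    value=$2
    tmp="$file.tmp.$$"
    awk -v v="$value" '
        /^\[Service\]/ { in_service = 1; seen_section = 1; print; next }
        /^\[/ {
            # Leaving [Service] without having written the value: add it now.
            if (in_service && !done) { print "WatchdogSec=" v; done = 1 }
            in_service = 0; print; next
        }
        /^[ \t]*WatchdogSec[ \t]*=/ {
            if (in_service) {
                if (!done) { print "WatchdogSec=" v; done = 1 }
                next
            }
        }
        { print }
        END {
            if (!seen_section) print "[Service]"
            if (!done) print "WatchdogSec=" v
        }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Print the effective WatchdogSec from $1 (last occurrence, trimmed).
get_watchdog_sec() {
    awk -F= '/^[ \t]*WatchdogSec[ \t]*=/ { v = $2 }
             END { gsub(/^[ \t]+|[ \t]+$/, "", v); print v }' "$1"
}

# On the switch (run as root; not executed here): edit, reload, restart.
# A restart alone does not pick up the new limit.
apply_switchd_watchdog() {
    set_watchdog_sec /etc/systemd/system/switchd.service.d/override.conf "$1"
    systemctl daemon-reload
    systemctl restart switchd.service
}

# Demo on a copy (only when invoked with --demo).
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    printf '[Service]\nWatchdogSec=2min\n' > "$demo/override.conf"
    set_watchdog_sec "$demo/override.conf" 5min
    echo "WatchdogSec is now: $(get_watchdog_sec "$demo/override.conf")"
    rm -rf "$demo"
fi
```

Pick a value comfortably above the time switchd actually needs on the loaded switch; WatchdogSec=0 disables the watchdog entirely, which also removes the automatic restart the note above relies on.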
2546874 |
On the Dell S5232F, S5248F, S5296F, and S3048 switch, using the poweroff or halt commands does not fully power off the switch. |
4.0.0-4.4.5 | |
2546255 |
On the EdgeCore Minipack-AS8000 switch, a 100G DAC link does not come up when auto-negotiation is enabled on the neighbor. This switch does not support 100G DAC auto-negotiation at this time. | 4.0.0-4.4.5 | |
2546225 |
When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer , which causes issues with cl-support.
To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2546131 |
On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. On this switch Cumulus Linux uses U-Boot directly instead of GRUB to boot the kernel. U-Boot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, U-Boot is unable to boot the kernel. To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image: run the onie-select command to go into ONIE, then use the nos-install command in ONIE to install a new image. This workaround only works when an out-of-band network is present. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2545837 |
If you use the NCLU commands to configure NTP and run the net add time ntp source command before you run the net add time ntp server command, the /etc/ntp.conf file is misconfigured. To work around this issue, run the net add time ntp server command before you run the net add time ntp source command. |
3.7.10-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16 |
2545520 |
The length of the netlink message is not set properly for non-bridge family type messages. The same length is used for both bridge and non-bridge even though the bridge family type message has an extra attribute. This causes extra bytes to be left over in non-bridge family type netlink messages. | 3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2545233 |
On the Delta AG9032v1 switch, smonctl and sensors report inaccurate PSU current and power. | 4.0.0-4.4.5 | |
2545125 |
If you configure more than one VRR interface on an SVI interface, deleting one of the VRR addresses does not remove the interface/address. | 3.7.10-3.7.16, 4.0.0-4.4.5 | |
2544978 |
If you delete an undefined bond, then add a bond slave, the net commit command fails. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2544968 |
FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:
should be:
To work around this issue, configure the interface manually in the /etc/frr/frr.conf file. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2544957 |
NCLU incorrectly allows you to apply port security configuration on layer 2 and layer 3 ports that are not part of a bridge. | 4.0.0-4.4.5 | |
2544953 |
When you update the hostname of a switch with the NCLU net add hostname command, then run net commit , the lldpd service does not restart and other devices still see the old hostname.To work around this issue, run the sudo systemctl restart lldpd.service command. |
3.7.10-3.7.16, 4.0.0-4.4.5 | |
2544880 |
When you run the NCLU net show commit last command, or the net show commit command with the number of the last commit, no output is shown. |
4.0.0-4.4.5 | |
2544723 |
Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2544463 |
Auto-negotiation does not work with QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported . To work around this issue, do not use auto-negotiation and set the local port speed to 10G. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2544456 |
The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2544311 |
Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
2544155 |
NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order. |
3.7.5-3.7.16, 4.0.0-4.4.5 | |
2544113 |
MAC learning is not disabled by default on a double-tagged peer link interface, resulting in the MAC address moving between the MLAG bond and the peer link. To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the /etc/network/interfaces file. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2543937 |
An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause an FRR reload to time out. To work around this issue, remove the interface alias description from iproute2 . |
3.7.8-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2543915 |
When you enable a service in the management VRF, systemctl issues a warning similar to the following:
Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run 'systemctl daemon-reload' to reload units.
You can safely ignore this warning. |
4.0.0-5.9.2 | 5.10.0-5.11.0 |
2543900 |
On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | |
2543841 |
The net show evpn vni detail json command includes an extra empty dictionary at the end of the output. |
3.7.8-3.7.16, 4.0.0-4.4.5 | |
2543816 |
On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages. |
3.7.6-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16 |
2543781 |
NCLU does not allow you to configure OSPF NSSAs. For example:
To work around this issue, use FRR instead. For example:
|
3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2543724 |
If a hostname contains utf-8 characters, the NCLU net show lldp command outputs the following error:
|
3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2543646 |
In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
2543401 |
On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces. To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. |
4.0.0-4.4.5 | |
2543211 |
In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18). |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2543164 |
The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected. To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. |
3.7.7-3.7.16, 4.0.0-4.4.5 | |
2543096 |
When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted. |
3.7.6-3.7.16, 4.0.0-4.4.5 | |
2542945 |
On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags. To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad :
|
3.7.6-3.7.16, 4.0.0-4.4.5 | |
2542837 |
On Mellanox switches, policer iptables are not working as expected. For example, when using a policer with mode KB/MB/GB to rate-limit interfaces, the syntax is accepted but the data plane transfer speed is not affected by the rule. | 3.7.6-3.7.8, 4.0.0-4.4.5 | 3.7.9-3.7.16 |
2542305 |
If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically. |
3.7.6-3.7.16, 4.0.0-4.4.5 | |
2542301 |
When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted. |
3.7.3-3.7.16, 4.0.0-4.4.5 | |
2541212 |
The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded. |
3.7.5-3.7.16, 4.0.0-4.4.5 | |
2541029 |
On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped. This issue only affects QinQ configurations. |
3.7.5-3.7.16, 4.0.0-4.4.5 | |
2540753 |
If the interface alias contains a single or double quotation mark, or an apostrophe, the net show configuration commands fail with the following error:
|
3.7.5-3.7.16, 4.0.0-4.4.5 | |
2540444 |
SNMP incorrectly requires engine ID specification. |
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540352 |
When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces. For example, this command is incorrect:
These commands are correct:
|
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2540340 |
NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays
Tab completion for the net add vrf command works correctly. |
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540274 |
On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
2540204 |
When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540192 |
The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled. To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. |
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540155 |
On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node. |
3.7.3-3.7.16, 4.0.0-4.4.5 | |
2540042 |
When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails. To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
|
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540041 |
On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU. To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
|
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540040 |
Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU. To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:
|
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540031 |
NCLU does not honor auto all in the /etc/network/interfaces file and removes the existing configuration if no individual auto lines exist. |
3.7.3-3.7.16, 4.0.0-4.4.5 | |
2539994 |
When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
|
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2539962 |
When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error. |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2539670 |
On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2539124 |
The net add interface command adds a no ptm-enable line for that interface to the frr.conf file. Running the net add or net del command does not remove no ptm-enable from the frr.conf file; you have to remove it manually using vtysh. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2538790 |
NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan . This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG. To restore connectivity, remove the VLAN ID from the bridge. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2538590 |
When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
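An added shell example, not part of Cumulus Linux, for this issue and for 2556369 above (eth0 ACLs generated as FORWARD rules): a rule in the FORWARD chain only sees transit traffic, so a permit or deny aimed at the switch itself does nothing there. The check flags FORWARD rules that match on eth0 in a generated rules file, and the writer produces the hand-made policy file the workaround calls for, with the rules in INPUT; on the switch that file goes under /etc/cumulus/acl/policy.d/ with a .rules suffix and is installed with sudo cl-acltool -i . The assumed file layout is the cl-acltool one seen on this page (an [iptables] header followed by one rule per line); the policy itself (SSH and SNMP from a management prefix only) and the function names are hypothetical choices for the example, not a recommended baseline.

```shell
#!/bin/sh
# Added example (not Cumulus Linux code): detect "to-the-switch" ACL rules that
# NCLU placed in FORWARD, and write a replacement policy file in INPUT.
# Assumed rules-file layout: "[iptables]" then one iptables rule per line.

# Print each "-A FORWARD" rule in $1 that matches on eth0. Returns 1 if any
# is present (the bug), 0 if the file is clean.
misplaced_eth0_rules() {
    hits=$(grep -E '^[[:space:]]*-A[[:space:]]+FORWARD[[:space:]].*-i[[:space:]]+eth0([[:space:]]|$)' "$1" || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Count INPUT rules matching on eth0 in $1: what the manual workaround file
# should contain and what the NCLU-generated file lacks.
count_eth0_input_rules() {
    grep -cE '^[[:space:]]*-A[[:space:]]+INPUT[[:space:]].*-i[[:space:]]+eth0([[:space:]]|$)' "$1" || true
}

# Write policy file $1 restricting SSH and SNMP on eth0 to the prefix $2,
# as INPUT rules. Order matters: the ACCEPT for the management prefix must
# precede the catch-all DROP for the same port.
write_eth0_input_policy() {
    file=$1
    mgmt=$2
    cat > "$file" <<EOF
[iptables]
-A INPUT -i eth0 -p tcp --dport 22 -s $mgmt -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j DROP
-A INPUT -i eth0 -p udp --dport 161 -s $mgmt -j ACCEPT
-A INPUT -i eth0 -p udp --dport 161 -j DROP
EOF
}

# Demo on constructed files (only when invoked with --demo). On a switch,
# point misplaced_eth0_rules at /etc/cumulus/acl/policy.d/50_nclu_acl.rules
# and write the policy into the same directory, then run "sudo cl-acltool -i".
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    printf '[iptables]\n-A FORWARD -i eth0 -p tcp --dport 22 -j DROP\n' \
        > "$demo/50_nclu_acl.rules"
    misplaced_eth0_rules "$demo/50_nclu_acl.rules" || echo "(rule above never matches traffic to the switch)"
    write_eth0_input_policy "$demo/10_eth0_input.rules" 10.0.0.0/8
    echo "INPUT rules written: $(count_eth0_input_rules "$demo/10_eth0_input.rules")"
    rm -rf "$demo"
fi
```

After installing the manual file, confirm with cl-acltool -L ip that the rules appear under the INPUT chain, and keep the NCLU-generated FORWARD copy out of the way so the two do not drift apart.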
2538562 |
On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the /etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up. After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown. To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings. Note: The advertised link mode is set incorrectly if you include 1000baseT/Half; the port still comes up successfully at 1G. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2538294 |
If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2537699 |
There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces. Eventually the dhcrelay service stops. |
3.7.1-3.7.16, 4.0.0-4.4.5 | |
2537544 |
When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. |
3.7.1-3.7.16, 4.0.0-4.4.5 | |
2536576 |
If you try to bring down several members of a bond remotely at the same time, the link state of one of the interfaces might not transition correctly to the down state; however, all links show down in hardware. |
4.0.0-4.4.5 | |
2536384 |
The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does not differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptables redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware. |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2536256 |
For an unresolved address, the IPROUTER default policer rule has been modified to not match on packets exiting a TUNNEL and headed to the CPU to resolve the address via ARP. As a result, the following default rule no longer matches TUNNEL ingress packets. These packets are now policed by catch-all rules. To work around this issue, the VPORT value on a TRIDENT switch must be changed from binary 011 to 100. |
4.0.0-4.4.5 | |
2536242 |
On the EdgeCore AS7712 (Tomahawk) switch running in atomic mode, when a layer 3 ECMP path is brought down, traffic traversing the path stops working for about four seconds. When the switch is changed to non-atomic mode, the delay is less than one second. This issue is seen across OSPF and static ECMP routes. | 4.0.0-4.4.5 | |
2536179 |
On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
2535986 |
At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers, resulting in No buffer space available error messages on protocol sockets. When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2535965 |
On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly. To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2535723 |
The source address of the ICMPv6 time exceeded message (traceroute hop) is sourced from the wrong VRF when the traceroute target resides on the same switch but in a different VRF. | 4.0.0-4.4.5 | |
2535605 |
FRR does not add BGP ttl-security to either the running configuration or to the /etc/frr/frr.conf file when configured on a peer group instead of a specific neighbor. To work around this issue, add ttl-security to individual neighbors instead of the peer group. |
4.0.0-4.4.5 | |
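Because a ttl-security line aimed at a peer group silently never reaches the running configuration on the affected releases, the sessions in that group run without GTSM protection and nothing in the configuration file warns you. The following script is an added example, not part of the NVIDIA release notes or of FRR: it scans an frr.conf-style text for ttl-security applied to a peer group and rewrites it onto each member neighbor, which is the workaround the note gives. The configuration excerpt, ASNs, interface names and hop counts are constructed for the example.

```python
import re

# Constructed frr.conf excerpt; ASNs, names and hop counts are assumptions.
SAMPLE_FRR_CONF = """\
router bgp 65001
 neighbor fabric peer-group
 neighbor fabric remote-as external
 neighbor fabric ttl-security hops 1
 neighbor swp1 interface peer-group fabric
 neighbor 10.0.0.2 peer-group fabric
 neighbor 10.0.0.9 remote-as 65009
 neighbor 10.0.0.9 ttl-security hops 2
"""

PEER_GROUP_DEF = re.compile(r"^\s*neighbor (\S+) peer-group\s*$")
PEER_GROUP_MEMBER = re.compile(r"^\s*neighbor (\S+)(?: interface)? peer-group (\S+)\s*$")
TTL_SECURITY = re.compile(r"^\s*neighbor (\S+) ttl-security hops (\d+)\s*$")


def peer_groups(conf):
    """Names declared with `neighbor <name> peer-group`."""
    groups = set()
    for line in conf.splitlines():
        m = PEER_GROUP_DEF.match(line)
        if m:
            groups.add(m.group(1))
    return groups


def peer_group_ttl_security(conf):
    """peer-group -> hops for every ttl-security line whose target is a
    peer group rather than a neighbor; on the affected releases these are
    dropped, so the member sessions run without GTSM."""
    groups = peer_groups(conf)
    found = {}
    for line in conf.splitlines():
        m = TTL_SECURITY.match(line)
        if m and m.group(1) in groups:
            found[m.group(1)] = int(m.group(2))
    return found


def rewrite_ttl_security(conf):
    """Drop each peer-group ttl-security line and add an equivalent
    per-neighbor line right after every member's peer-group assignment,
    so the neighbor already exists when FRR reads the ttl-security line."""
    found = peer_group_ttl_security(conf)
    out = []
    for line in conf.splitlines():
        m = TTL_SECURITY.match(line)
        if m and m.group(1) in found:
            continue
        out.append(line)
        m = PEER_GROUP_MEMBER.match(line)
        if m and m.group(2) in found:
            indent = line[: len(line) - len(line.lstrip())]
            out.append(f"{indent}neighbor {m.group(1)} ttl-security hops {found[m.group(2)]}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(peer_group_ttl_security(SAMPLE_FRR_CONF))
    print(rewrite_ttl_security(SAMPLE_FRR_CONF))
```

After rewriting, confirm with vtysh (show running-config) that each neighbor now carries ttl-security; that is the check the note implies, since frr.conf alone does not reveal that the peer-group form was ignored.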
2535209 |
The net show lldp command sometimes shows the port description in the Remote Port field. The net show interface command shows the correct value in the Remote Host field. To work around this issue, use the net show interface command for LLDP output when connected to Cisco equipment. |
3.7.5-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2534734 |
Span rules matching the out-interface as a bond do not mirror packets. | 4.0.0-4.4.5 | |
2533691 |
If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict. To work around this issue, correct the bridge VIDs and restart switchd or delete the subinterface. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2533625 |
PIM and MSDP entries are set to the internal COS value of 6 so they are grouped together with the bulk traffic priority group in the default traffic.conf file. However, PIM, IGMP, and MSDP are considered control-plane and should be set to the internal COS value of 7. |
4.0.0-4.4.5 | |
2533337 |
When you use NCLU to bring a bond admin down (net add bond ), the bond interface goes into admin down state but the switch ports enslaved to the bond remain UP. If you are using bond-lacp-bypass-allow or balance-xor mode, the host might continue to send traffic. This traffic will be dropped because although the bond slaves are UP, they are not members of the bridge. To work around this issue, use the sudo ifdown command. |
4.0.0-4.4.5 | |
2531273 |
In certain cases, a peer device sends an ARP request from a source IP address that is not on the connected subnet and the switch creates a STALE neighbor entry. Eventually, the switch attempts to keep the entry fresh and sends ARP requests to the host. If the host responds, the switch has REACHABLE neighbor entries for hosts that are not on the connected subnet. To work around this issue, change the value of arp_ignore to 2. See [Address Resolution Protocol in the Cumulus Linux user guide](https://docs.cumulusnetworks.com/cumulus-linux/Layer-3/Address-Resolution-Protocol-ARP/) for more information. |
4.0.0-4.4.5 |
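A practitioner checking for this condition wants to know which neighbor entries point at addresses that are not on the connected subnet of the interface they were learned on. The script below is an added example, not part of the NVIDIA release notes or of Cumulus Linux: it parses text in the shape of `ip -4 -o addr show` and `ip -4 neigh show`, reports every off-subnet entry with its state, and prints the arp_ignore sysctl settings the workaround asks for. The interface names, addresses and neighbor lines are constructed so the script runs offline; on a switch, feed it the real command output.

```python
import ipaddress

# Constructed sample of `ip -4 -o addr show` output (interfaces and
# addresses are assumptions; the trailing lifetime fields are trimmed).
SAMPLE_ADDR = """\
2: swp1    inet 10.1.1.1/24 brd 10.1.1.255 scope global swp1
3: swp2    inet 10.2.2.1/30 scope global swp2
"""

# Constructed sample of `ip -4 neigh show` output.
SAMPLE_NEIGH = """\
10.1.1.20 dev swp1 lladdr 00:11:22:33:44:55 REACHABLE
192.168.77.9 dev swp1 lladdr 00:11:22:33:44:66 STALE
10.2.2.2 dev swp2 lladdr 00:11:22:33:44:77 REACHABLE
10.2.2.250 dev swp2 lladdr 00:11:22:33:44:88 REACHABLE
10.9.9.9 dev swp2  FAILED
"""


def parse_addrs(text):
    """Map interface name -> list of connected IPv4 networks."""
    nets = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[2] != "inet":
            continue
        nets.setdefault(f[1], []).append(ipaddress.ip_interface(f[3]).network)
    return nets


def parse_neigh(text):
    """Yield (address, device, lladdr or None, state) per neighbor line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or "dev" not in f:
            continue
        dev = f[f.index("dev") + 1]
        lladdr = f[f.index("lladdr") + 1] if "lladdr" in f else None
        yield ipaddress.ip_address(f[0]), dev, lladdr, f[-1]


def off_subnet_neighbors(addr_text, neigh_text):
    """Neighbor entries whose address lies outside every subnet on their
    interface. STALE/REACHABLE ones are the symptom the note describes;
    FAILED/INCOMPLETE ones are only unanswered resolution attempts."""
    nets = parse_addrs(addr_text)
    findings = []
    for ip, dev, lladdr, state in parse_neigh(neigh_text):
        if not any(ip in net for net in nets.get(dev, [])):
            findings.append({"ip": str(ip), "dev": dev, "lladdr": lladdr, "state": state})
    return findings


def arp_ignore_sysctls(addr_text):
    """sysctl settings for the workaround (arp_ignore=2) on every interface
    that carries an IPv4 address."""
    return [f"net.ipv4.conf.{dev}.arp_ignore=2" for dev in parse_addrs(addr_text)]


if __name__ == "__main__":
    for finding in off_subnet_neighbors(SAMPLE_ADDR, SAMPLE_NEIGH):
        print(finding)
    print("\n".join(arp_ignore_sysctls(SAMPLE_ADDR)))
```

arp_ignore=2 makes the kernel answer only when the target address is local to the receiving interface and the sender address is on that interface's subnet, which is why it stops the off-subnet entries from being refreshed.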
Fixed Issues in 4.4.2
Issue ID | Description | Affects |
---|---|---|
2999341 |
CVE-2021-3570: The ptp4l program in linuxptp, an implementation of the Precision Time Protocol (PTP), does not validate the messageLength field of incoming messages, allowing a remote attacker to cause a denial of service, information leak, or potentially remote code execution. Fixed: 1.9.2-1+deb10u1 |
4.2.1-4.4.1 |
2923458 |
At high interface scale (around 100 or more combined SVI and VNI interfaces), the sudo ifreload -a command might report a buffer underrun event with the message error: Buffer underrun. |
4.4.0-4.4.1 |
2895333 |
If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry. | 4.4.0-4.4.1 |
2891255 |
CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file. Vulnerable: <= 2.6.20-0+deb10u1 Fixed: 2.6.20-0+deb10u2 |
4.0.0-4.4.1, 5.0.0-5.11.0 |
2890681 |
CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code. Vulnerable: 2.6.0+dfsg.1-1 Fixed: 2.6.0+dfsg.1-1+deb10u1 |
4.0.0-4.4.1, 5.0.0-5.11.0 |
2879712 |
On Cumulus Linux 4.4.0, attempting to install any tacplus or radius package from the CumulusLinux-4.4-latest distribution on apt.cumulusnetworks.com fails due to incorrect package metadata (specifically a SHA512 checksum that causes a hash sum mismatch) in the preinstalled cumulus-local-apt-archive package. The workaround is to remove /var/lib/apt/lists/_var_lib_cumulus_cumulus-local-apt-archive_dists_cumulus-local-apt-archive_main_binary-amd64_Packages or uninstall the cumulus-local-apt-archive package on the affected switch. | 4.4.0-4.4.1 |
2877796 |
CVE-2021-43527: The NSS package is vulnerable to a heap overflow when verifying DSA/RSA-PSS DER-encoded signatures. Vulnerable: <= 3.42.1-1+deb10u3 Fixed: 3.42.1-1+deb10u4 |
4.4.0-4.4.1 |
2873322 |
CVE-2020-21913: International Components for Unicode (ICU-20850) v66.1 was discovered to contain a use after free bug in the pkg_createWithAssemblyCode function in the file tools/pkgdata/pkgdata.cpp. | 4.4.0-4.4.1 |
2867156 |
TACACS+ client package installation from the CumulusLinux-4.4-latest distribution on apt.cumulusnetworks.com fails because package metadata in the preinstalled cumulus-local-apt-archive package is incorrect, which causes a hash sum mismatch. |
4.4.0-4.4.1 |
2854785 |
When you configure 199 VXLANs plus 199 VLANs, clagd crashes every few seconds. |
3.7.15, 4.3.0, 4.4.0-4.4.1 |
2854784 |
After building VLAN or VXLAN interfaces, MLAG becomes unstable. | 4.3.0-4.4.1 |
2848204 |
FRR does not prevent EVPN routes from being imported into VNIs when they are not needed. For example, you can import a type-5 route into a layer 2 VNI if the configured import route target matches the route target on the type-5 route. When this occurs, the network address of the IP prefix carried within the type-5 route incorrectly shows as a remote VTEP for the layer 2 VNI in the net show evpn vni command output. For example, under router bgp 64100 the imported route * [5]:[0]:[32]:[10.252.11.124] appears in the net show evpn vni 9204 output (snippet: VNI: 9204). |
4.4.0-4.4.1 |
2845537 |
CVE-2020-19143: A flaw was discovered in tiff, a Tag Image File Format library, which may result in denial of service or the execution of arbitrary code if malformed image files are processed. Vulnerable: <= 4.1.0+git191117-2~deb10u2 Fixed: 4.1.0+git191117-2~deb10u3 |
4.4.0-4.4.1 |
2840818 |
CVE-2021-25219: The lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays for responses for client queries and DNS timeouts on client hosts). | 4.0.0-4.3.0 |
2802207 |
The SDK process sx_core prints the messages shown below and the switch stops forwarding traffic: kernel: sx_core: Did not receive completion for SDQ dqn (1) idx (849) after 10 seconds; kernel: sx_core: __sx_core_post_send: Cannot send packet on dqn [1] sdq stuck |
4.4.0-4.4.1 |
2783611 |
If you remove ports from a bridge and add IP addresses in one ifreload, connected routes are bound to the wrong routing information field. |
4.3.0-4.4.1 |
2782033 |
The following vulnerabilities have been announced in the openssl packages: CVE-2021-3711: buffer overflow vulnerability in SM2 decryption. CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function. More details at https://www.openssl.org/news/secadv/20210824.txt Vulnerable: <= 1.1.1d-0+deb10u6 Fixed: 1.1.1d-0+deb10u7 |
4.0.0-4.4.1 |
2771871 |
IPv4 and IPv6 neighbor entries in a FAILED state are incorrectly programmed into hardware as FORWARD entries instead of TRAP entries. Traffic is forwarded to these neighbors with a destination MAC address of 00:00:00:00:00:00 instead of trapping them to the CPU to resolve the correct MAC address. This affects failed neighbor entries on routed interfaces that are not SVIs. |
4.3.0-4.4.1 |
2755614 |
When route_preferred_over_neigh is set to FALSE in the /etc/cumulus/switchd.conf file, host routes (/32 or /128) are used for forwarding in hardware instead of a local neighbor entry. |
4.0.0-4.3.0, 4.4.0-4.4.1 |
2754691 |
CVE-2021-3672: in c-ares, a library that performs DNS requests and name resolution asynchronously, missing input validation of hostnames returned by DNS servers can lead to output of wrong hostnames (leading to domain hijacking). Vulnerable: 1.14.0-1 Fixed: 1.14.0-1+deb10u1 |
4.0.0-4.4.1 |
2754685 |
CVE-2021-38165: lynx, a non-graphical (text-mode) web browser, does not properly handle the userinfo subcomponent of a URI, which can lead to leaking of credentials in cleartext in SNI data. Vulnerable: 2.8.9rel.1-3 Fixed: 2.8.9rel.1-3+deb10u1 |
4.0.0-4.4.1 |
2754679 |
CVE-2020-26558 / CVE-2021-0129: BlueZ does not properly check permissions during the pairing operation, which could allow an attacker to impersonate the initiating device. CVE-2020-27153: a double free flaw in the disconnect_cb() routine in gatttool. A remote attacker can take advantage of this flaw during service discovery for denial of service, or potentially, execution of arbitrary code. Vulnerable: <= 5.50-1.2~deb10u1 Fixed: 5.50-1.2~deb10u2 |
4.0.0-4.4.1 |
2749106 |
Changing non-default BGP timers with NCLU or vtysh commands sets the hold time and keep alive interval to 0 seconds. | 4.4.0-4.4.1 |
2747605 |
CVE-2021-3246: a buffer overflow in libsndfile, a library for reading/writing audio files, which could result in denial of service or potentially the execution of arbitrary code when processing a malformed audio file. Vulnerable: 1.0.28-6 Fixed: 1.0.28-6+deb10u1 |
4.0.0-4.4.1 |
2739690 |
CVE-2021-22918: An out-of-bounds read was discovered in the uv__idna_to_ascii() function of libuv, an asynchronous event notification library, which could result in denial of service or information disclosure. Vulnerable: 1.24.1-1 Fixed: 1.24.1-1+deb10u1 |
4.0.0-4.4.1 |
2739647 |
In an EVPN multihoming configuration, unicast ARP requests are not forwarded when the local Ethernet segment is down. | 4.4.0-4.4.1 |
2739639 |
CVE-2021-36222: It was discovered that the Key Distribution Center (KDC) in krb5, the MIT implementation of Kerberos, is prone to a NULL pointer dereference flaw. An unauthenticated attacker can take advantage of this flaw to cause a denial of service (KDC crash) by sending a request containing a PA-ENCRYPTED-CHALLENGE padata element without using FAST. Vulnerable: <= 1.17-3+deb10u1 Fixed: 1.17-3+deb10u2 |
4.0.0-4.4.1 |
2734122 |
CVE-2021-33910: The Qualys Research Labs discovered that an attacker-controlled allocation using the alloca() function could result in memory corruption, allowing an attacker to crash systemd and hence the entire operating system. Details can be found at https://www.qualys.com/2021/07/20/cve-2021-33910/denial-of-service-systemd.txt Vulnerable: <= 241-7~deb10u7 Fixed: 241-7~deb10u8 |
4.0.0-4.4.1 |
2734107 |
When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs. | 3.7.12-4.3.0, 4.4.0-4.4.1 |
2728205 |
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-4.4.1 |
2723603 |
In a static VXLAN configuration, the bridge-learning on setting does not turn on VXLAN-learning. |
4.4.0-4.4.1 |
2719356 |
If you reduce the reserved VLAN range in the /etc/cumulus/switchd.conf file to below 32 and you make multiple VLAN or bridge configuration changes, the VLANs might not be created in hardware and you might see the log message hal_mlx_l2.c:3045 ERR vlan create failed. The minimum supported size of the reserved VLAN range in the /etc/cumulus/switchd.conf file is 32 VLANs for single VLAN-aware bridge configurations. |
4.4.0-4.4.1 |
2706744 |
In an EVPN multihoming configuration, the VTEP continues to advertise a stale route after an extended MAC mobility event. | 4.3.0-4.4.1 |
4.4.0 Release Notes
Open Issues in 4.4.0
Issue ID | Description | Affects | Fixed |
---|---|---|---|
4143345 |
On the Trident3 switch, if you use NCLU to configure BGP neighbor shutdown, NCLU stops responding when you include more than 200 neighbors per peer group. If you do not use NCLU to configure BGP neighbor shutdown, you can configure a maximum of 300 neighbors per peer group. | 4.3.0-4.4.5 | |
4037015 |
The NVUE commands to delete SNMP users, and change authentication passwords and encryption passphrases are not successful. | 4.3.0-5.9.1 | 5.9.2-5.11.0, 5.10.0-5.11.0 |
3980941 |
After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes: snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poectl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl restart snmpd command. The commented-out entry: #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a |
4.4.0-5.9.1 | 5.9.2-5.11.0, 5.10.0-5.11.0 |
3773177 |
When you try to upgrade a switch from Cumulus Linux 5.5 or earlier to 5.8.0 or later with package upgrade, you see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch: cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb |
4.0.0-4.4.5, 5.0.0-5.11.0 | |
3684998 |
DHCP lease information is not collected in the cl-support file. |
4.3.0-5.6.0 | 5.7.0-5.11.0 |
3528464 |
Cumulus Linux might mark a layer 2 VLAN-tagged packet as a packet to CPU and the INPUT chain ACL might drop the packet. To work around this issue, add an additional addrtype match on the ACL to prevent an erroneous ACL match; for example: [iptables] |
4.3.0-4.4.5 | |
3488136 |
When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf command. |
4.2.1-5.5.1 | 5.6.0-5.11.0 |
3474391 |
The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. |
4.3.1-5.5.1 | 5.6.0-5.11.0 |
3429530 |
On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.11.0 |
3420056 |
The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.11.0 | |
3400244 |
NCLU accepts multiple instances of the same net add bgp commands and stores the configuration in the /etc/frr/frr.conf file when you run the net commit command. As a result, unintended commands might be processed during frr-reload. To work around this issue, edit the /etc/frr/frr.conf file to remove the duplicated entries. |
4.3.1-4.4.5 | |
3390022 |
When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the peerlink.4095 interface stanza are duplicated. Subsequent ifreload or net commit commands fail until you manually remove the duplicated lines from this interface and run ifreload -a. |
4.2.1-4.4.5 | |
3389994 |
During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The clagctl dumppermanentneighs command only shows local neighbors. |
4.2.1-4.3.1, 4.4.0-5.4.0 | 4.3.2, 5.5.0-5.11.0 |
3387852 |
If you remove NGINX from the switch, then run apt autoremove, switchd does not reload because the libyaml-0-2 and python-yaml packages are missing; these packages are required for switchd consistency checking. To work around this issue, reinstall the libyaml-0-2 and python-yaml packages. |
4.4.0-4.4.5 | |
3351951 |
Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-4.3.1, 4.4.0-5.3.1 | 4.3.2, 5.4.0-5.11.0 |
3339249 |
The sensors.conf files in Cumulus Linux are out of date. |
4.2.1-4.4.5 | |
3333064 |
The traffic control rules that the EVPN multihoming configuration adds to an interface are deleted when the hsflowd service restarts. The hsflowd service deletes the EVPN multihoming traffic control filters after you stop hsflowd, then adds back the match-all filters with the psample action; however, hsflowd does not add back the EVPN multihoming traffic control rules. |
4.4.0-5.3.1 | 5.4.0-5.11.0 |
3330705 |
When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. |
3.7.0-5.3.1 | 5.4.0-5.11.0 |
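The practical consequence of this counting is that a server list that looks well under the seven-server limit can silently lose its last entries, which matters when those are the servers that would still answer during an outage of the first ones. The script below is an added example, not part of the NVIDIA release notes or of the tacplus packages: it models each resolved address as consuming one of the seven slots, shows which configured servers end up dropped, and shows the effect of keeping a single address family as prefer_ip_version does. Name resolution is simulated with a constructed table so it runs offline, and the slot-counting model itself is an assumption drawn from the note's description; on a switch, replace resolve() with socket.getaddrinfo().

```python
import ipaddress

MAX_TACACS_SERVERS = 7  # limit stated in the release note

# Constructed name resolution table (hostnames and addresses are assumptions).
FAKE_DNS = {
    "tac1.example.net": ["192.0.2.10", "2001:db8::10"],
    "tac2.example.net": ["192.0.2.11", "2001:db8::11"],
    "tac3.example.net": ["192.0.2.12", "2001:db8::12"],
    "tac4.example.net": ["192.0.2.13"],
}

# Constructed server list in configuration order.
SAMPLE_SERVERS = ["tac1.example.net", "tac2.example.net", "tac3.example.net",
                  "tac4.example.net", "192.0.2.20"]


def resolve(name):
    """Offline stand-in for socket.getaddrinfo(): a literal address resolves
    to itself, a hostname to every address listed for it in FAKE_DNS."""
    try:
        return [str(ipaddress.ip_address(name))]
    except ValueError:
        return FAKE_DNS.get(name, [])


def expand_servers(servers, prefer_ip_version=None):
    """Return (kept, dropped) as (server, address) pairs. Every resolved
    address takes one of the MAX_TACACS_SERVERS slots, in configuration
    order, which is the counting the note describes (assumed model).
    prefer_ip_version=4 or 6 keeps only that family when a name resolves
    to both, mirroring the prefer_ip_version option."""
    slots = []
    for server in servers:
        addrs = resolve(server)
        if prefer_ip_version is not None:
            same_family = [a for a in addrs
                           if ipaddress.ip_address(a).version == prefer_ip_version]
            if same_family:
                addrs = same_family
        slots.extend((server, a) for a in addrs)
    return slots[:MAX_TACACS_SERVERS], slots[MAX_TACACS_SERVERS:]


if __name__ == "__main__":
    for label, pref in (("no preference", None), ("prefer_ip_version=4", 4)):
        kept, dropped = expand_servers(SAMPLE_SERVERS, pref)
        print(f"{label}: {len(kept)} slots used, dropped: {dropped}")
```

With five configured servers and dual-stack names, the unfiltered list needs eight slots and the literal fifth server is the one that falls off the end; restricting to one address family brings it to five and keeps every server reachable.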
3327477 |
If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 through tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 through tacacs15 user password. |
3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.11.0 | |
3321391 |
On the NVIDIA SN2410 switch, ports with optical transceivers show FAULT errors in the sensor command output. |
4.2.1-5.3.1 | 5.4.0-5.11.0 |
3303105 |
A clagd crash is observed with the following traceback in /var/log/clagd.log following a clag sync event, which is typically driven by a peerlink up event: unhandled exception: Traceback (most recent call last): File "/usr/sbin/clagd", line 1304, in PeerRecvT: PeerRecv(); File "/usr/sbin/clagd", line 513, in PeerRecv: ParseProtoBufMessage(nlm, myPeerMsg); File "/usr/sbin/clagd", line 853, in ParseProtoBufMessage: msgData = FdbSync.ParseProtoBufMessage(msgHdr); File "/usr/lib/python3/dist-packages/clag/fdbsync.py", line 892, in ParseProtoBufMessage: msgData.ParseFromString(msgHdr.data); google.protobuf.message.DecodeError: Error parsing message |
4.4.0-4.4.5 | |
3291548 |
In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As a result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. |
4.2.1-4.4.5 | 5.0.0-5.11.0 |
3269537 |
When an FRR routing service (such as bgpd) becomes unresponsive, watchfrr might fail to stop and restart the service. To work around this issue, restart FRR with the systemctl restart frr command. |
4.4.0-5.3.1 | 5.4.0-5.11.0 |
3244740 |
If you have a lot of inbound route maps that match lists with many regex statements, a large number of updates from the peer can cause the system to run out of memory. To work around this issue, reduce the number of regex matches in inbound route maps. | 4.4.0-5.2.1 | 4.3.2, 5.3.0-5.11.0 |
3221470 |
Under heavy system load, when many forwarding resources (routes, neighbors, ECMP groups, and so on) are removed from hardware, subsequent attempts to configure additional forwarding resources might fail and you see the following log message: sx_sdk: EMAD_RX_THREAD: EMAD transaction FW error |
4.4.0-5.1.0 | 5.2.0-5.11.0 |
3218207 |
Certain routes on tenant VRFs have missing next hop entries because the router MAC address is missing in the bridge forwarding database table that corresponds to the remote VTEP. As a result, traffic forwarding is affected for these routes. | 4.3.0-5.2.1 | 5.3.0-5.11.0 |
3216922 |
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). |
3.7.0-5.2.1 | 5.3.0-5.11.0 |
3216921 |
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). |
3.7.0-3.7.16, 4.3.0-4.4.5 | |
3216759 |
With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly: hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources. To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. |
3.7.15-3.7.16, 4.3.0-4.4.5 | |
3211369 |
The NCLU net show interface pluggables command takes a long time (approximately five minutes) to complete. |
4.2.1-4.4.5 | |
3209699 |
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users). |
3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.11.0 |
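Issues 3216922, 3216921 and 3209699 above describe the same privilege escalation: one non-local name on users_with_edit turns every read-only RADIUS user into an editor. The script below is an added example, not part of the NVIDIA release notes or of Cumulus Linux: it reads the users_with_edit line from an /etc/netd.conf-style text and reports every name that is not a local account in /etc/passwd. The netd.conf excerpt (the `key = a, b` layout is assumed) and the passwd excerpt are constructed so the script runs offline; on a switch, read the real files. Checking /etc/passwd directly rather than through NSS is deliberate, because with RADIUS or TACACS+ enabled, NSS can resolve remote names to mapped accounts and hide exactly the non-local entries this check is meant to find.

```python
import re

# Constructed /etc/netd.conf excerpt; the `key = a, b, c` layout is assumed.
SAMPLE_NETD_CONF = """\
[global]
users_with_edit = root, cumulus, netops
users_with_show = root, cumulus
groups_with_edit = netedit
groups_with_show = netshow
"""

# Constructed /etc/passwd excerpt; netops is deliberately absent.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
cumulus:x:1000:1000::/home/cumulus:/bin/bash
tacacs0:x:1010:1010::/home/tacacs0:/bin/bash
"""


def netd_users(conf, key="users_with_edit"):
    """Comma-separated names on the given netd.conf key, in order."""
    for line in conf.splitlines():
        m = re.match(rf"^\s*{re.escape(key)}\s*=\s*(.*?)\s*$", line)
        if m:
            return [u.strip() for u in m.group(1).split(",") if u.strip()]
    return []


def local_users(passwd):
    """Account names present in an /etc/passwd-style text."""
    return {line.split(":", 1)[0] for line in passwd.splitlines() if ":" in line}


def non_local_edit_users(conf, passwd):
    """Names on users_with_edit that are not local accounts; any such name
    lets a RADIUS user from users_with_show run NCLU edit commands."""
    return [u for u in netd_users(conf) if u not in local_users(passwd)]


if __name__ == "__main__":
    for name in non_local_edit_users(SAMPLE_NETD_CONF, SAMPLE_PASSWD):
        print(f"users_with_edit entry '{name}' is not a local account")
```

Run it after every change to /etc/netd.conf and after any RADIUS or TACACS+ rollout; an empty result is the state the workaround asks for.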
3192808 |
When the switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. |
4.3.0-4.3.1, 4.4.0-5.2.1 | 4.3.2, 5.3.0-5.11.0 |
3168564 |
In a large scale VXLAN configuration (for example, if you have more than 8500 VLANs across ports), switchd might crash when you restart clagd or when all bonds go operationally down, then up. On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments at 8500 VLANs across ports with LACP bypass disabled. |
4.3.1-4.4.5 | |
3163845 |
If bond slaves listed in the /etc/network/interfaces file are not in alphabetical order, the bond interface MAC address can change when you run ifreload. For example, if the bond slaves in the /etc/network/interfaces file are listed as swp32 swp31, the switch initially uses the MAC address for swp32 as the bond MAC address. Another ifreload can change this to use the MAC address for swp31 as the bond MAC address, which can cause protocol issues, such as IPv6 link-local address changes. |
4.3.1-4.4.5 | |
3138746 |
The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0-5.1.0 | 5.2.0-5.11.0 |
3138057 |
When the next hop interface for EVPN type 5 routes flaps, FRR might uninstall the routes and Route install failed appears in /var/log/frr/frr.log. To work around this problem, restart FRR with the sudo systemctl restart frr command. |
4.4.0-5.2.1 | 5.3.0-5.11.0 |
3135801 |
Zebra rejects MAC IP updates from BGP when the MAC mobility sequence number that BGP sends is lower than the sequence number known to zebra. When the MAC mobility sequence that BGP knows legitimately lowers (due to narrow timing conditions during convergence or after rebooting an MLAG pair one VTEP at a time), zebra rejects these updates and maintains a stale state. If the stale information that zebra uses points to the wrong VTEP address, traffic goes to the wrong VTEP and might drop. |
4.0.0-4.3.0, 4.4.0-4.4.5 | 3.7.16, 4.3.1 |
3131423 |
During EVPN multihoming bond failover, ARP and ND redirection fails if you configure layer 2 VNIs and ES bonds before you configure the loopback IP address of the switch. To work around this issue, configure the loopback IP address, then restart FRR with the systemctl restart frr command. |
4.3.0-5.1.0 | 5.2.0-5.11.0 |
3129819 |
On the EdgeCore AS4610 switch, the clagd service loses communication after 198 days of uptime. |
3.7.15-3.7.16, 4.3.0-4.4.5 | |
3123556 |
When you configure an interface in FRR to send IPv6 RAs before you configure the interface in the /etc/network/interfaces file, the switch does not process IPv6 RAs. To work around this issue, remove the interface configuration in FRR and reapply it. |
3.7.15-4.3.0, 4.4.0-5.1.0 | 4.3.1, 5.2.0-5.11.0 |
3119615 |
In an MLAG topology, if you admin down a single connected interface, any dynamic MAC addresses on the peer link are flushed, then added back momentarily, which creates a disruption in traffic. | 3.7.15-5.1.0 | 5.2.0-5.11.0 |
3117340 |
When you edit the /usr/share/openvswitch/scripts/ovs-ctl-vtep file to change the ovs-vtepd configuration between vlan-aware and vlan-unaware mode, ovs-vtepd crashes when you restart the service. To recover, restart the networking service with the sudo systemctl restart networking command. |
4.3.0-5.1.0 | 5.2.0-5.11.0 |
3107615 |
Cumulus Linux installation fails with the error Installation Problems, sub-task Installing Optional Packages. This occurs because the web server hosting the Cumulus Linux image remaps a 404 for the non-existent file image.optional_pkgs into a web page, which the installer then incorrectly attempts to use as a list of optional packages. To work around this issue, on the web server hosting the image, create an empty file with the same name as the image with .optional_pkgs appended to the name. |
4.4.0-4.4.3 | 4.3.1, 4.4.4-4.4.5, 5.2.0-5.11.0 |
3094082 |
If you apply a PBR policy with a next hop group but the next hop is not reachable, the PBR service crashes. | 4.4.0-4.4.3 | 4.4.4-4.4.5 |
3093966 |
On Broadcom switches, INPUT chain iptable rules filter IPv6 packets matching the rules. | 3.7.15-3.7.16, 4.3.0-4.4.5 | |
3089165 |
A slow memory leak might occur in switchd if a route fails to install in hardware because hardware resources are exhausted. |
4.2.1-4.4.3 | 4.4.4-4.4.5 |
3084027 |
Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware. |
4.3.0-4.4.5, 5.0.0-5.11.0 | |
3083265 |
The snmpd process will slowly leak memory when you poll TCP-MIB objects. To work around this issue, restart the snmpd service to free memory with the systemctl restart snmpd command. |
3.7.16-5.1.0 | 5.2.0-5.11.0 |
3073668 |
On the EdgeCore AS4610 switch, when you change the speed of any of the SFP+ ports, the other SFP+ ports flap. | 3.7.12-3.7.16, 4.3.0-4.4.5 | |
3073649 |
In an EVPN-MH configuration, the switch fails to redirect tagged frames with the CoS bits set. | 4.4.0-4.4.3, 5.0.0-5.1.0 | 4.4.4-4.4.5, 5.2.0-5.11.0 |
3072613 |
When you delete a bond interface with NCLU, BGP peer group configuration is removed. | 3.7.15-3.7.16, 4.3.0-4.4.5 | |
3070672 |
TACACS+ command authorization results in a traceback error and the command is not executed. | 4.4.0-4.4.5 | |
3059135 |
In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route. To resolve this issue, restart FRR with the sudo systemctl restart frr command. |
4.3.0-5.1.0 | 5.2.0-5.11.0 |
3046023 |
The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. |
4.2.1-5.1.0 | 5.2.0-5.11.0 |
3041306 |
If you update the MAC address of an SVI using ifreload and hwaddress, the kernel maintains a stale permanent fdb entry for the old MAC address. |
3.7.15, 4.3.0, 4.4.0-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.11.0 |
3021879 |
Cumulus Linux learns remote MAC addresses as local entries on the bridge with the wrong remote VTEP IP address even when bridge learning is off on the VTEP and ARP suppression is enabled. | 4.4.0-4.4.3 | 3.7.15-3.7.16, 4.4.4-4.4.5, 5.0.0-5.11.0 |
3021692 |
When ARP suppression is off, Cumulus Linux sends GARPs from neighmgrd for remote neighbors over VXLAN. |
3.7.15-4.3.0, 4.4.0-5.1.0 | 4.3.1, 5.2.0-5.11.0 |
3017180 |
When you run the /usr/share/snmp/resq_pp.py script used by SNMP, you see the following log message in syslog regardless of the forwarding table profile set in the /etc/cumulus/datapath/traffic.conf file. |
4.4.0-5.0.1 | 5.1.0-5.11.0 |
3007564 |
After you delete the last vxlan-remoteip configuration line from the /etc/network/interfaces file and run the ifreload -a command, the corresponding BUM flood entry is not removed. |
3.7.15-5.0.1 | 5.1.0-5.11.0, 5.2.0-5.11.0 |
2999341 |
CVE-2021-3570: The ptp4l program in linuxptp, an implementation of the Precision Time Protocol (PTP), does not validate the messageLength field of incoming messages, allowing a remote attacker to cause a denial of service, information leak, or potentially remote code execution.
Fixed: 1.9.2-1+deb10u1 |
4.2.1-4.4.1 | 4.4.2-4.4.5 |
2968495 |
If switchd requires more time to update port or bond configuration after the port or bond flaps, the systemd watchdog times out. As a result, systemd might assume that switchd is unresponsive and restarts it. |
4.2.1-4.4.2 | 4.4.3-4.4.5, 5.1.0-5.11.0 |
2961079 |
CVE-2021-28965 CVE-2021-31799 CVE-2021-31810 CVE-2021-41817 CVE-2021-41819 CVE-2021-32066: Several vulnerabilities have been discovered in the interpreter for the Ruby language and the Rubygems included, which may result in XML roundtrip attacks, the execution of arbitrary code, information disclosure, StartTLS stripping in IMAP or denial of service.
Vulnerable: <= 2.5.5-3+deb10u3
Fixed: 2.5.5-3+deb10u4 |
4.4.0-4.4.2 | 4.4.3-4.4.5 |
2961008 |
SNMP reports the same ifType of ethernetCsmacd(6) for loopback interfaces. |
3.7.15-4.4.2, 5.0.0-5.0.1 | 4.4.3-4.4.5, 5.1.0-5.11.0 |
2959575 |
When a port flaps with PTP enabled, the switch firmware might become unresponsive and you see the following log message:
[ptp4l.ERR]: [435345.036] timed out while polling for tx timestamp |
4.4.0-4.4.2 | 4.4.3-4.4.5 |
2959550 |
If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry. | 4.4.0-5.0.1 | 5.1.0-5.11.0 |
2951110 |
The net show time ntp servers command does not show any output with the management VRF. |
3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.11.0 | |
2949513 |
CVE-2022-22747: Incorrect parsing of pkcs7 sequences in nss, the Mozilla Network Security Service library, may result in denial of service.
Vulnerable: <= 2:3.42.1-1+deb10u4
Fixed: 2:3.42.1-1+deb10u5 |
4.4.0-4.4.2 | 4.4.3-4.4.5 |
2943080 |
The overlay ASN is removed after a route flap. | 4.4.0-5.0.1 | 5.1.0-5.11.0 |
2940051 |
In an MLAG configuration with traditional bridges, MAC addresses are seen over the peer link during ifreload when adding new VLANs or bridges. |
3.7.14.2-3.7.15, 4.3.0-4.4.5 | 3.7.16, 5.0.0-5.11.0 |
2933466 |
You cannot run NVUE commands to configure route leaking. To work around this issue, create a snippet in yaml format and add the configuration to the /etc/frr/frr.conf file. |
4.4.0-5.0.1 | 5.1.0-5.11.0 |
2932085 |
CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed.
Vulnerable: <= 9.27~dfsg-2+deb10u4
Fixed: 9.27~dfsg-2+deb10u5 |
4.4.0-4.4.2 | 4.4.3-4.4.5 |
2923458 |
At high interface scale (around 100 or more combined SVI and VNI interfaces), the sudo ifreload -a command might report a buffer underrun event with the message error: Buffer underrun. |
4.4.0-4.4.1 | 4.4.2-4.4.5 |
2913859 |
ECMP error messages, similar to the following, show in log files:
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:361 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:621 ERR ECMP: failed to CREATE static ecmp in hw
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:656 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1540 ERR ECMP: failed to allocate hw ecmp status No More Resources
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1561 ERR ECMP: error allocating static ecmp
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:2207 ERR ECMP: failed to find ecmp container |
4.4.0-5.0.1 | 5.1.0-5.11.0 |
2904450 |
When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. |
4.4.0-4.4.5, 5.0.0-5.11.0 | |
2902013 |
The NCLU commit command adds a five second delay. | 4.2.1-4.4.5 | |
2896450 |
On the Dell N3248PXE switch, fixed RJ45 interfaces with PoE neighbors can end up in Paused mode after a switchd restart, which blocks traffic on that interface. To work around this issue, restart switchd a second or third time until all interfaces are functioning correctly, or reboot the switch. |
4.3.0-4.4.5 | |
2895333 |
If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry. | 4.4.0-4.4.1 | 4.4.2-4.4.5 |
2891255 |
CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file. Vulnerable: <= 2.6.20-0+deb10u1 Fixed: 2.6.20-0+deb10u2 |
4.0.0-4.4.1, 5.0.0-5.11.0 | 4.4.2-4.4.5 |
2890681 |
CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code.
Vulnerable: 2.6.0+dfsg.1-1
Fixed: 2.6.0+dfsg.1-1+deb10u1 |
4.0.0-4.4.1, 5.0.0-5.11.0 | 4.4.2-4.4.5 |
2879712 |
On CumulusLinux 4.4.0, attempting to install any tacplus or radius package from the CumulusLinux-4.4-latest distribution on apt.cumulusnetworks.com will fail due to incorrect package metadata (specifically a SHA512 checksum that will cause a hash sum mismatch) in the preinstalled cumulus-local-apt-archive package. The workaround is to remove /var/lib/apt/lists/_var_lib_cumulus_cumulus-local-apt-archive_dists_cumulus-local-apt-archive_main_binary-amd64_Packages or uninstall the cumulus-local-apt-archive package on the affected switch. | 4.4.0-4.4.1 | 4.4.2-4.4.5 |
2877796 |
CVE-2021-43527: The NSS package is vulnerable to a heap overflow when verifying DSA/RSA-PSS DER-encoded signatures.
Vulnerable: <= 3.42.1-1+deb10u3
Fixed: 3.42.1-1+deb10u4 |
4.4.0-4.4.1 | 4.4.2-4.4.5 |
2875338 |
In a scaled EVPN-MLAG configuration (observed with 400 or more VNIs and 20K or more MAC addresses – the actual scale might vary), when the peer link flaps causing all VNIs to come up at the same time, there might be high CPU utilization on the system for several minutes and the FRR service might restart. After FRR restarts or the CPU utilization settles down, the system functions normally. | 4.2.1-4.3.0, 4.4.0-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.11.0 |
2873322 |
CVE-2020-21913: International Components for Unicode (ICU-20850) v66.1 was discovered to contain a use after free bug in the pkg_createWithAssemblyCode function in the file tools/pkgdata/pkgdata.cpp. | 4.4.0-4.4.1 | 4.4.2-4.4.5 |
2867156 |
TACACS+ client package installation from the CumulusLinux-4.4-latest distribution on apt.cumulusnetworks.com fails because package metadata in the preinstalled cumulus-local-apt-archive package is incorrect, which causes a hash sum mismatch. |
4.4.0-4.4.1 | 4.4.2-4.4.5 |
2866080 |
On the Maverick S4148T switch with MLAG, Cumulus Linux drops LACP, ARP, LLDP and BGP traffic. | 4.3.0-4.4.5 | |
2860323 |
If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry. | 4.4.0-5.0.1 | 5.1.0-5.11.0 |
2854785 |
When you configure 199 VXLANs plus 199 VLANs, clagd crashes every few seconds. |
3.7.15, 4.3.0, 4.4.0-4.4.5 | 3.7.16, 4.3.1, 5.0.0-5.11.0 |
2854784 |
After building VLAN or VXLAN interfaces, MLAG becomes unstable. | 4.3.0-4.4.1 | 4.4.2-4.4.5, 5.0.0-5.11.0 |
2848204 |
FRR does not prevent EVPN routes from being imported into VNIs when they are not needed. For example, you can import a type-5 route into a layer 2 VNI if the configured import route target matches the route target on the type-5 route. When this occurs, the network address of the IP prefix carried within the type-5 route incorrectly shows as a remote VTEP for the layer 2 VNI in the net show evpn vni command output. For example:
router bgp 64100
Imported Route: * [5]:[0]:[32]:[10.252.11.124]
net show evpn vni 9204 snippet:
VNI: 9204 |
4.4.0-4.4.1 | 4.4.2-4.4.5 |
2845537 |
CVE-2020-19143: A flaw was discovered in tiff, a Tag Image File Format library, which may result in denial of service or the execution of arbitrary code if malformed image files are processed.
Vulnerable: <= 4.1.0+git191117-2~deb10u2
Fixed: 4.1.0+git191117-2~deb10u3 |
4.4.0-4.4.1 | 4.4.2-4.4.5 |
2845531 |
If you update the MAC address of an SVI when the SVI is in a protodown state (for example, when no bridge ports that carry this VNI are operationally up or if the MAC address of the SVI’s parent bridge changes), clagd does not notice the change. The MLAG peer incorrectly maintains a PERMANENT neighbor entry for the SVI IP that points to the old MAC address. |
4.2.1-4.4.5 | 5.0.0-5.11.0 |
2838905 |
On Broadcom ARM switches, the NTP clock slowly drifts to a very high offset (over 500ms) and the clock is not able to synchronize. To work around this issue, use the chrony implementation of NTP instead of ntpd. chrony synchronizes the system clock faster and with better accuracy. Instructions for using chrony are here: https://docs.nvidia.com/networking-ethernet-software/knowledge-base/Network-Solutions/Chrony-on-Cumulus-Linux/ |
4.3.0-4.4.5 | |
2837378 |
The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0, 4.4.0-5.1.0 | 4.3.1, 5.2.0-5.11.0 |
2821869 |
The cl-route-check --layer3 command fails with a memory error. For example:
cumulus@switch:~$ sudo cl-route-check --layer3
Traceback (most recent call last): |
3.7.15-4.4.5 | 5.0.0-5.11.0 |
2820565 |
SNMP does not start and you see errors similar to the following:
cumulus@switch:~$ sudo systemctl status snmpd.service
snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
To work around this issue, run the sudo systemctl restart snmpd.service command. |
4.3.0-4.4.5 | 5.0.0-5.11.0 |
2813563 |
When you change the port speed with the NVUE nv set interface command, then run nv config apply, the port is disabled. To work around this issue, run the ifreload -a command after you apply the port speed setting. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2803428 |
The clagctl -v -j and net show clag verbose json commands show incorrect output. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2802859 |
When the INTF_CMD list in the /etc/default/isc-dhcp-relay file includes interfaces that do not exist or are only partially configured in the /etc/network/interfaces file, DHCP Relay leaks open file descriptors; the DHCP Relay service exits and you see error messages. To work around this issue, either clean up the INTF_CMD list in the /etc/default/isc-dhcp-relay file to remove interfaces that do not exist or are only partially configured in the /etc/network/interfaces file, or correct the /etc/network/interfaces file so that every interface defined in the INTF_CMD list in the /etc/default/isc-dhcp-relay file has a complete configuration. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2802207 |
The SDK process sx_core prints the messages shown below and the switch stops forwarding traffic:
kernel: sx_core: Did not receive completion for SDQ dqn (1) idx (849) after 10 seconds
kernel: sx_core: __sx_core_post_send: Cannot send packet on dqn [1] sdq stuck |
4.4.0-4.4.1 | 4.4.2-4.4.5 |
2799575 |
When next hop tracking fails for a global next hop, BGP invalidates the entire path instead of only invalidating the global next hop. | 4.4.0-4.4.5 | 5.0.0-5.11.0 |
2799568 |
When you add or remove a global unicast address from an interface, BGP does not update the global next hop advertised to the unnumbered BGP peer. | 4.4.0-4.4.5 | 5.0.0-5.11.0 |
2798406 |
If an MLAG failure of an EVPN Active-Active VTEP pair occurs after you disable EVPN Advertise Primary IP Address, remote VTEPs might not be able to install the anycast RMAC of the failed MLAG peers or the related bridge FDB entry. To work around this issue, do not disable EVPN Advertise Primary IP Address, which is enabled by default when you use address-virtual for layer 3 VNI SVI interfaces. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2794766 |
The Mellanox 3700C switch reports a slow memory leak in sx_sdk. Memory increases by about 240B/hour and does not free up. | 4.3.0-4.4.5 | 5.0.0-5.11.0 |
2792750 |
If you change the clagd-vxlan-anycast-ip setting on both MLAG peers at the same time, both peers use their unique VTEP address indefinitely. |
3.7.15-4.3.0, 4.4.0-4.4.5 | 4.3.1 |
2792616 |
If a neighbor entry (ARP or NDP) is used as a next hop of a route that is synchronized into hardware, the neighbor entry is not removed from hardware after the neighbor is no longer reachable. As a result, routed traffic matching this prefix is incorrectly hardware forwarded through the stale neighbor information. | 4.3.0-4.4.5 | 5.0.0-5.11.0 |
2788780 |
When you enable ARP and ND suppression and the switch forwards ARP and ND packets to the kernel, RX_DRP counters might increment but the packets are processed as normal. | 4.4.0-4.4.5 | |
2783611 |
If you remove ports from a bridge and add IP addresses in one ifreload , connected routes are bound to the wrong routing information field. |
4.3.0-4.4.1 | 4.4.2-4.4.5 |
2782033 |
The following vulnerabilities have been announced in the openssl packages:
CVE-2021-3711: buffer overflow vulnerability in SM2 decryption
CVE-2021-3712: buffer overrun when processing ASN.1 strings in the X509_aux_print() function
More details at https://www.openssl.org/news/secadv/20210824.txt
Vulnerable: <= 1.1.1d-0+deb10u6
Fixed: 1.1.1d-0+deb10u7 |
4.0.0-4.4.1 | 4.4.2-4.4.5 |
2781537 |
In Cumulus VX, the iptables FORWARD chain does not count hits. To work around this issue, use -t mangle -A PREROUTING instead of FORWARD. |
4.3.0-4.4.5 | 5.0.0-5.11.0 |
2780915 |
In NVUE, you can’t deactivate the IPv4 address family per neighbor. | 4.4.0-4.4.5 | 5.0.0-5.11.0 |
2780834 |
To enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.11.0 |
2780211 |
When you use the NVUE nv set vrf default router bgp peer command to configure a local AS, Cumulus Linux does not update the /etc/frr/frr.conf file. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2771871 |
IPv4 and IPv6 neighbor entries in a FAILED state are incorrectly programmed into hardware as FORWARD entries instead of TRAP entries. Traffic is forwarded to these neighbors with a destination MAC address of 00:00:00:00:00:00 instead of trapping them to the CPU to resolve the correct MAC address. This affects failed neighbor entries on routed interfaces that are not SVIs. |
4.3.0-4.4.1 | 4.4.2-4.4.5 |
2771653 |
When using W-ECMP, the weights for various BGP next hops can sometimes be in the range of 100s or more, which consumes a lot of hardware space. | 4.3.0-4.4.5 | |
2763819 |
When you enable LACP bypass on a bond, traffic to static MAC addresses configured on the bond might not work when LACP bypass is enforced. | 4.4.0-4.4.5 | |
2755614 |
When route_preferred_over_neigh is set to FALSE in the /etc/cumulus/switchd.conf file, host routes (/32 or /128) are used for forwarding in hardware instead of a local neighbor entry. |
4.0.0-4.3.0, 4.4.0-4.4.5 | 4.3.1, 5.0.0-5.11.0 |
2754791 |
Remote MAC addresses in zebra are out of sync with bgpd. The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP. |
3.7.14.2-3.7.16, 4.3.0-4.4.5 | |
2754691 |
CVE-2021-3672: in c-ares, a library that performs DNS requests and name resolution asynchronously, missing input validation of hostnames returned by DNS servers can lead to output of wrong hostnames (leading to Domain Hijacking).
Vulnerable: 1.14.0-1
Fixed: 1.14.0-1+deb10u1 |
4.0.0-4.4.1 | 4.4.2-4.4.5 |
2754685 |
CVE-2021-38165: lynx, a non-graphical (text-mode) web browser, does not properly handle the userinfo subcomponent of a URI, which can lead to leaking of credentials in cleartext in SNI data.
Vulnerable: 2.8.9rel.1-3
Fixed: 2.8.9rel.1-3+deb10u1 |
4.0.0-4.4.1 | 4.4.2-4.4.5 |
2754679 |
CVE-2020-26558 / CVE-2021-0129: Bluez does not properly check permissions during the pairing operation, which could allow an attacker to impersonate the initiating device.
CVE-2020-27153: a double free flaw in the disconnect_cb() routine in gatttool. A remote attacker can take advantage of this flaw during service discovery for denial of service, or potentially, execution of arbitrary code.
Vulnerable: <= 5.50-1.2~deb10u1
Fixed: 5.50-1.2~deb10u2 |
4.0.0-4.4.1 | 4.4.2-4.4.5 |
2753955 |
On the Lenovo MSN3700 switch, if you try to configure an interface with a link speed of 200G, the configuration fails. | 4.2.1-4.4.5 | 5.0.0-5.11.0 |
2752330 |
With BGP and layer 2 forwarding, Smart System Manager warm boot mode can cause packet loss. | 4.4.0-4.4.5 | 5.0.0-5.11.0 |
2749106 |
Changing non-default BGP timers with NCLU or vtysh commands sets the hold time and keep alive interval to 0 seconds. | 4.4.0-4.4.1 | 4.4.2-4.4.5 |
2747605 |
CVE-2021-3246: a buffer overflow in libsndfile, a library for reading/writing audio files, which could result in denial of service or potentially the execution of arbitrary code when processing a malformed audio file.
Vulnerable: 1.0.28-6
Fixed: 1.0.28-6+deb10u1 |
4.0.0-4.4.1 | 4.4.2-4.4.5 |
2743186 |
When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. |
3.7.15-5.1.0 | 5.2.0-5.11.0 |
2739690 |
CVE-2021-22918: An out-of-bounds read was discovered in the uv__idna_to_ascii() function of Libuv, an asynchronous event notification library, which could result in denial of service or information disclosure.
Vulnerable: 1.24.1-1
Fixed: 1.24.1-1+deb10u1 |
4.0.0-4.4.1 | 4.4.2-4.4.5 |
2739647 |
In an EVPN multihoming configuration, unicast ARP requests are not forwarded when the local Ethernet segment is down. | 4.4.0-4.4.1 | 4.4.2-4.4.5 |
2739639 |
CVE-2021-36222: It was discovered that the Key Distribution Center (KDC) in krb5, the MIT implementation of Kerberos, is prone to a NULL pointer dereference flaw. An unauthenticated attacker can take advantage of this flaw to cause a denial of service (KDC crash) by sending a request containing a PA-ENCRYPTED-CHALLENGE padata element without using FAST.
Vulnerable: <= 1.17-3+deb10u1
Fixed: 1.17-3+deb10u2 |
4.0.0-4.4.1 | 4.4.2-4.4.5 |
2739402 |
The destination MAC address of ERSPAN GRE packets is set to all zeros. | 4.3.0-4.4.5 | 5.0.0-5.11.0 |
2739398 |
Cumulus Linux does not support a bond or bond member as a SPAN destination. | 4.4.0-4.4.5 | 4.3.1 |
2738040 |
In an EVPN multihoming configuration, unicast ARP requests are not forwarded when the local Ethernet segment is down. | 4.4.0-4.4.5 | |
2736244 |
When you run the vtysh command to enable BGP graceful restart on a peer multiple times, the command fails with the following error:
% The Graceful Restart command used is not valid at this moment. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2736108 |
When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. |
4.4.0-4.4.5, 5.0.0-5.11.0 | |
2734122 |
CVE-2021-33910: The Qualys Research Labs discovered that an attacker-controlled allocation using the alloca() function could result in memory corruption, allowing an attacker to crash systemd and hence the entire operating system. Details can be found at https://www.qualys.com/2021/07/20/cve-2021-33910/denial-of-service-systemd.txt
Vulnerable: <= 241-7~deb10u7
Fixed: 241-7~deb10u8 |
4.0.0-4.4.1 | 4.4.2-4.4.5 |
2734107 |
When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs. | 3.7.12-4.3.0, 4.4.0-4.4.1 | 4.3.1, 4.4.2-4.4.5 |
2734103 |
ACL [No More Resources] messages keep appearing and you can’t reinstall the ACL. |
4.3.0-5.1.0 | 5.2.0-5.11.0 |
2732605 |
The ESI line in the show bgp l2vpn evpn route command output always shows VNI: 0. This is a cosmetic software issue. |
4.3.0-4.4.5 | 5.0.0-5.11.0 |
2732587 |
The bridge MAC address is updated during a port change on bridge interfaces. | 4.3.0, 4.4.0-4.4.5 | 4.3.1, 5.0.0-5.11.0 |
2728207 |
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
2728206 |
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
2728205 |
CVE-2021-3570: A flaw was found in the ptp4l program of the linuxptp package. A missing length check when forwarding a PTP message between ports allows a remote attacker to cause an information leak, crash, or potentially remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | 3.7.0-4.4.1 | 4.4.2-4.4.5 |
2728119 |
When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command. |
4.3.0-4.4.5 | 5.0.0-5.11.0 |
2723603 |
In a static VXLAN configuration, the bridge-learning on setting does not turn on VXLAN-learning . |
4.4.0-4.4.1 | 4.4.2-4.4.5 |
2719356 |
If you reduce the reserved VLAN range in the /etc/cumulus/switchd.conf file to below 32 and you make multiple VLAN or bridge configuration changes, the VLANs might not be created in hardware and you might see the log message hal_mlx_l2.c:3045 ERR vlan create failed. The minimum supported size of the reserved VLAN range in the /etc/cumulus/switchd.conf file is 32 VLANs for single VLAN-aware bridge configurations. |
4.4.0-4.4.1 | 4.4.2-4.4.5 |
2713888 |
With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool, and the ACL might not work correctly:
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. |
3.7.15-5.0.1 | 5.1.0-5.11.0 |
2711533 |
On the AS7326-56X switch, the link lights for 25G ports configured to work at 1G do not illuminate. | 4.2.1-4.4.5 | |
2710208 |
The net show bgp neighbor command output does not reflect the correct BFD status. This is a cosmetic issue. To work around this issue, run the NCLU net show bfd command to verify the correct state of BFD. |
4.2.1-4.4.5 | |
2706744 |
In an EVPN multihoming configuration, the VTEP continues to advertise a stale route after an extended MAC mobility event. | 4.3.0-4.4.1 | 4.4.2-4.4.5 |
2700767 |
Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use an MLAG peer IP linklocal configuration. | 3.7.12-3.7.15, 4.3.0-4.4.5 | 3.7.16 |
2698649 |
When configuring a single VXLAN device in the /etc/network/interfaces file, if you edit the multicast group address in vxlan-mcastgrp-map, then revert the change, the change does not take effect. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2687344 |
On the NVIDIA SN3700 switch, the decode-syseeprom command shows device absent for a PSU that is present. |
4.4.0-4.4.5 | 5.0.0-5.11.0 |
2685994 |
When you use the NVUE command nv set interface lo router ospf area to configure OSPF on a loopback interface, the configuration fails to apply. To work around this issue, configure the loopback interface in the desired OSPF area with the nv set vrf default router ospf area 0 network command and reference the assigned prefix of the loopback interface. For example:
cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32 |
4.0.0-5.0.1 | 5.1.0-5.11.0 |
2685036 |
When the PIM RP configuration includes an anycast IP address and the route to that anycast IP address changes while joined to a multicast stream, you might receive the multicast stream from both the old and the new anycast source. | 4.4.0-4.4.5 | |
2684925 |
The NVUE nv show vrf default router bgp peer command produces a 404 not found error. |
4.4.0-4.4.5, 5.0.0-5.11.0 | |
2671652 |
In VXLAN routing environments, you might experience sub-optimal route convergence delays (longer than five seconds) when a prefix transitions to a new ECMP next-hop group. This condition might occur when a VTEP loses ECMP routes through all uplink peerings, then installs the routes through a different path, such as an MLAG peerlink. | 4.4.0-4.4.5, 5.5.0-5.11.0 | |
2669858 |
OpenSSH is vulnerable to CVE-2020-14145, as described in https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf. This is an information leak in algorithm negotiation that can allow man-in-the-middle attacks on initial connection attempts without a previously stored server host key on the client. If desired, mitigation using UpdateHostKeys and HostKeyAlgorithms is also given in that paper. |
3.7.14-3.7.16, 4.0.0-4.4.5 | |
2639303 |
When you use NCLU to delete a bond, then add an interface, NCLU reports an error similar to the following:
ERROR: 'NoneType' object has no attribute 'conf_key_value_multiple_values'
See /var/log/netd.log for more details. |
4.3.0-4.4.5 | |
2621244 |
When a VRF name includes evpn, the NCLU net show bgp vrf command fails with the error ERROR: The call to /usr/bin/vtysh failed. To work around this issue, do not use evpn in the VRF name, or run the desired commands directly from FRR with vtysh. |
4.3.0-4.4.5 | |
2618227 |
The NCLU net show bridge macs command displays permanent MAC addresses for trunked VLANs. |
4.3.0-4.4.5 | |
2606326 |
If the IGMP and MLD querier is configured on only one of the peer switches in an MLAG configuration, when IGMP packets are sent to the peer with no querier, IGMP leave messages have no effect. | 4.4.0-4.4.5 | |
2599274 |
On Mellanox Spectrum switches, when there is an MSTP forwarding state change on a bond (for example, when the state changes from blocking to forwarding), the MSTP hardware table might set some VLANs to blocking when they should be forwarding. As a result, all packets on these VLANs drop at ingress. To recover from this state, flap the bond interface (not the physical swp) by running ifdown <bond_name> ; sleep 1 ; ifup <bond_name>. |
4.3.0-4.4.5 | 5.0.0-5.11.0 |
2596458 |
When bridge.unreg_v6_mcast_prune = TRUE is configured in the /etc/cumulus/switchd.conf file, traffic destined to IPv6 link-local multicast addresses might not be flooded within the bridge. To work around this issue, disable pruning for IPv6 multicast by setting bridge.unreg_v6_mcast_prune = FALSE in the /etc/cumulus/switchd.conf file. |
4.4.0-4.4.5 | |
2574368 |
When you run the NCLU net add bgp maximum-paths ibgp command, FRR restarts unexpectedly. To work around this issue, either use the vtysh commands or edit the /etc/frr/frr.conf file directly, then run systemctl reload frr. |
4.1.1-4.4.5 | |
2556772 |
The net show clag verify-vlans command fails with the following log:
To work around this issue, run the /usr/bin/clagctl verifyvlans command or the net show clag verbose command. |
4.2.1-4.4.5 | |
2556369 |
If you use NCLU to configure an ACL for eth0, you can't designate it as an INPUT rule; the rule is automatically created as a FORWARD rule in the /etc/cumulus/acl/policy.d/50_nclu_acl.rules file. To work around this issue, manually create an ACL in the /etc/cumulus/acl/policy.d/ directory with "-A INPUT -i eth0". |
4.2.1-4.4.5 | |
2556082 |
The NCLU net del vrf command does not delete a numbered VRF. For example:
|
4.2.1-4.4.5 | |
2556081 |
You cannot set the time zone with NCLU commands. | 4.1.1-4.4.5 | |
2555981 |
In BGP, to enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.11.0 |
2555873 |
On Mellanox switches, egress ACLs with VLAN keys do not filter layer 2 multicast or broadcast traffic. | 4.3.0-4.4.5 | |
2555763 |
The NCLU net del bgp neighbor command does not delete the neighbor and displays an error similar to the following:
To work around this issue, use the FRR command to delete a neighbor. |
4.3.0-4.4.5 | |
2555613 |
The net show configuration commands command incorrectly displays the NCLU syntax to disable IPv6 forwarding on interfaces. For example:
The correct NCLU command to disable IPv6 forwarding is net add vlan 1 ipv6 forward off (without the hyphen). |
4.2.1-4.4.5 | |
2555318 |
If you try to enable BGP graceful restart when it is already enabled, you see an error similar to the following in the frr.log file:
This error has no functional impact. |
4.3.0-4.4.5 | |
2554986 |
The ethtool utility does not contain the latest values; as a result, the Revision Compliance field shows Unallocated. |
4.2.1-4.4.5 | |
2554812 |
If the RMAC of a layer 3 SVI changes, the show vrf vni command is not updated with the new value. However, the new RMAC is seen in the show evpn vni command and is present on self-originated EVPN routes. |
4.2.1-4.4.5 | |
2554783 |
If you apply an outbound route map to a BGP peer that uses set as-path prepend last-as, advertised locally-originated routes have the ASN of the peer prepended to the AS path. This might trigger AS path loop prevention on the peer, where the peer ignores locally-originated prefixes. |
4.2.1-4.4.5 | 5.0.0-5.11.0 |
2554709 |
The IP address specified in the ip pim use-source command configured on the loopback interface should be inherited by unnumbered interfaces during their Primary IP address selection process. If ip pim use-source is configured on the loopback after an unnumbered interface has already selected its Primary IP address, the unnumbered interface does not update its Primary IP address to the new use-source value until there is a netlink update for that interface. To work around this issue, configure ip pim use-source on each unnumbered interface directly, or ensure ip pim use-source is applied to the loopback before other unnumbered interfaces are enabled for PIM. |
3.7.13-3.7.16, 4.2.1-4.4.5 | |
2554670 |
When you have a large number of ACLs, the cl-acltool -L ip and cl-resource-query commands take a long time to complete. |
4.3.0-4.4.5 | |
2554582 |
On switches with the Maverick ASIC, control traffic is dropped due to receive buffering. | 4.2.0-4.4.5 | |
2554533 |
On the ARM platform, NTP peer associations slowly increase to larger offsets (~500ms). | 4.0.0-4.4.5 | |
2554466 |
Kernel routes added by iproute2 are missing in FRR after an interface flap. To work around this issue, configure a static route in FRR. |
4.2.1-4.4.5 | |
2554222 |
The NCLU command to enable bridge learning fails. As a workaround, enable bridge learning in the /etc/network/interfaces file. For example:
|
4.2.1-4.4.5 | |
2554218 |
MLAG packets received on the peer link are dropped instead of routed. | 4.2.0-4.4.5 | |
2554202 |
The output of the net show commit command does not show the last commit or the specified commit number but is empty instead. |
4.2.1-4.4.5 | |
2553989 |
The default policer configured for LACP as an INPUT chain rule in 00control_plane.rules is meant to protect the CPU from an LACP storm. When an LACP storm originates from a single bond or bond member interface on a switch with multiple bond interfaces, other LACP bond interfaces might go down. | 4.2.1-4.4.5 | |
2553887 |
When TACACS+ is configured with a DEFAULT user that provides a privilege level lower than 16, TACACS+ users configured with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del, and you see an error similar to the following:
To work around this issue, remove the DEFAULT user from the TACACS+ server. |
3.7.7-3.7.16, 4.0.0-4.4.5 | |
2553677 |
When you configure an SNMPv3 user with the net-snmp-config configuration command from the libsnmp-dev package, you get an error message similar to the one below:
To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:
Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation. |
3.7.13-3.7.16, 4.0.0-4.4.5 | |
2553237 |
The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF. NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF. |
4.2.0-4.4.5 | |
2553116 |
When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure. To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2553015 |
If a neighbour contains a special character in PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail. |
3.7.10-3.7.16, 4.2.0-4.4.5 | |
2552691 |
On the EdgeCore AS4610 switch, the eth0 interface remains down when physically connected to a 1G interface. To work around this issue, configure the link speed to 1000 and set auto-negotiation on for the eth0 interface, then flap eth0 with the ip link set eth0 down/up command to bring up the port. |
4.2.0-4.4.5 | |
2552453 |
On the Mellanox switch, RoCE with PFC configuration is not applied to all ports in hardware when a range is used in the traffic.conf file. To work around this issue, use NCLU to configure RoCE with PFC or list individual ports in the traffic.conf file. |
4.2.0-4.4.5 | |
2552309 |
The following messages are seen on an Edgecore Minipack-AS8000 running Cumulus Linux 4.2.0:
These messages are for internal validation purposes only and can be safely ignored. |
4.2.0-4.4.5 | |
2552294 |
NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2552266 |
OpenSSH scp is vulnerable to CVE-2020-15778, where clients that have authorized access to the SSH server can execute commands on the server by copying maliciously named files. There are two scenarios where an exploit might be useful to an attacker:
- The user is authorized to scp but not ssh (based on the command option in the authorized_keys file), so this vulnerability can allow executing a remote command on the target computer when not authorized to do so.
- An attacker plants a maliciously named file in a directory tree that someone later uses scp -r to copy over to the target computer.
Be aware that restricting users to scp by using the command option in the authorized_keys file is not effective in preventing those users from executing arbitrary commands on the server. If you want to use scp -r to copy directory trees, avoid copying directory trees to which attackers might have added maliciously named files. Archiving the directory tree with tar, zip, or a similar program, then copying the archive over to be extracted on the server, avoids having to use scp -r altogether. In addition, OpenSSH provides sftp, which you can use instead of scp to copy files. To disable scp completely, use /bin/chmod 0 /usr/bin/scp. |
3.7.14-3.7.16, 4.0.0-4.4.5 | |
2551666 |
If you modify an interface name, then reuse the previous interface name for a different VLAN, the ifreload -a command generates an error similar to the following:
|
4.1.0-4.4.5 | |
2551578 |
When you configure a bridge in the /etc/network/interfaces file, then try to reconfigure the bridge to be a VRF interface with the same name, the ifreload and ifup commands fail with an invalid table id or unable to get vrf table id error. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2551565 |
If you toggle VRRP priority values between VRRP routers, then restart switchd, a few IPv6 VRRP instances might not converge. As a result, both VRRP routers act as master routers for the impacted IPv6 VRRP instances. IPv4 VRRP instances are not affected. To work around this issue, remove, then add back the VRRP configuration with NCLU or vtysh commands. |
3.7.13-3.7.16, 4.2.0-4.4.5 | |
2551335 |
When TACACS+ is configured and the management VRF is enabled, users with privilege level 13 are prevented from running ip and cat commands. |
4.0.0-4.4.5 | |
2551305 |
The net show configuration command provides the wrong net add command for ACL under the VLAN interface. |
3.7.12-3.7.16, 4.1.0-4.4.5 | |
2551273 |
On a Mellanox SN2010 switch, the Locator LED is on after you upgrade Cumulus Linux. | 4.1.0-4.4.5 | |
2551221 |
When span-to-cpu is enabled on a layer 3 swp interface with an IP address configured, packets with the switch port's IP address as the destination do not reach the switch port. To capture packets directed to the switch port's IP address, disable span-to-cpu and use tcpdump on the switch port instead. | 4.2.0-4.4.5 | |
2551111 |
If a remote EVPN Sticky MAC [Static MAC address] is unexpectedly learned dynamically on a local interface, the selected entries in zebra and BGP are in an inconsistent state. zebra increments the local MAC mobility sequence number and considers the MAC address to be local, but BGP maintains the remote Sticky MAC as the best path selected. This results in zebra installing the local MAC address and BGP not updating the route for the MAC address. |
4.0.0-4.4.5 | |
2550974 |
On the Dell S3000 switch, after installing the Cumulus Linux 4.1.1 disk image without a license, the switch sends a link beat if a remote host port is configured. | 3.7.11-3.7.16, 4.1.1-4.4.5 | |
2550793 |
The NCLU net show bridge spanning-tree command displays the aging timer incorrectly. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2550713 |
Configuring the subinterface of a VXLAN uplink under another traditional bridge, which also has the VXLAN VNI enslaved, causes switchd to use high CPU due to very frequent VXLAN tunnel sync events. To work around this issue, do not enslave the subinterface of a VXLAN layer 3 uplink under a traditional bridge in a VXLAN configuration. |
4.1.1-4.4.5 | |
2550642 |
ACLs with a SPAN target and a bond member as the in-interface are not supported on Spectrum-based switches. | 4.2.0-4.4.5 | |
2550444 |
Tab completion for the net show rollback description command returns information about a snapshot instead of context help. To work around this issue, run the net show commit history command to find descriptions instead of the net show rollback description command. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2550443 |
The net show rollback description command returns an error even if the string matches a commit description. To work around this issue, look for your string in the output of the net show commit history command (or grep for it there) instead. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2550243 |
When you use nginx and restserver in the management VRF to provide a REST API for the switch, nginx starts but restserver fails to start. To work around this issue, comment out the Requires= line in the /lib/systemd/system/restserver.service file. For example:
|
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2550056 |
The ACCTON-DIAG option under the Cumulus Linux GRUB menu does not work. When you select this option, you see the following error:
|
3.7.12-3.7.16, 4.1.1-4.4.5 | |
2549925 |
When you run an Ansible script to replace the /etc/network/interfaces file, then run the ifreload -a command, you see errors similar to the following:
To work around this issue, run the ifreload -a command a second time. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2549872 |
If you have an SVI with multiple VRR IP addresses and try to delete one of the VRR configurations, net commit or ifreload -a returns an error. |
3.7.12-3.7.16, 4.1.1-4.4.5 | |
2549782 |
The JSON format output of the net show bgp l2vpn evpn summary command shows the incorrect neighbour state. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2549731 |
When you create SPAN or ERSPAN rules in ebtables, the action fails to install if it is not in lowercase. Make sure that the SPAN or ERSPAN action is all lowercase; for example:
|
3.7.12-3.7.16, 4.1.1-4.4.5 | |
2549392 |
When you configure an RD or RT with NCLU, you see duplicate VNI stanzas in the /etc/frr/frr.conf file. To work around this issue, manually edit the /etc/frr/frr.conf file to define advertise-all-vni before the RD or RT configuration within the l2vpn EVPN address family, then reload the FRR service with the sudo systemctl reload frr command. |
4.1.0-4.4.5 | |
2548924 |
On the EdgeCore Minipack AS8000, storm control does not restrict unknown unicast, broadcast, or multicast traffic. | 4.1.1-4.4.5 | |
2548657 |
When you upgrade Cumulus Linux on the EdgeCore AS7726-32X or AS7326-56X switch, you might see firmware errors similar to the following:
You can safely ignore these error messages. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2548579 |
The following security vulnerability has been announced: CVE-2020-10531: An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp. |
3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16 |
2548315 |
The following security advisory has been announced for bash: CVE-2019-18276 (Qualys scan QID 372268, setuid vulnerability). When bash or bash scripts are run setuid, bash is supposed to drop privileges, but does so incorrectly, so that an attacker with command access to the shell can use enable -f for runtime loading of a new builtin that calls setuid() to regain dropped privileges. To work around this issue, do not make bash or bash scripts setuid. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2548310 |
When the system boots, you might see errors similar to " cumulus systemd-udevd[7566]: Process ‘/usr/bin/hw-management-thermal-events.sh add thermal_zone /sys/devices/virtual/thermal/thermal_zone25 thermal_zone25’ failed with exit code 1". These errors are the result of user space acting on kernel events slightly late. The mlxsw_minimal driver is added during kernel boot; an SDK reset causes the driver to be deleted and re-instantiated. The user space handler for the thermal zone add event sees the add first, but the underlying device is deleted before the handler can act on it. This situation is rectified when the mlxsw_minimal driver is re-instantiated later. |
4.1.0-4.4.5 | |
2548260 |
The net add routing route-map command does not add the set statement into the /etc/frr/frr.conf file. |
4.0.0-4.4.5 | |
2548243 |
On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules. | 3.7.3-3.7.16, 4.0.0-4.4.5 | |
2548117 |
In OVSDB traditional bridge mode, adding or removing a VLAN binding causes a traffic forwarding outage for around 20 seconds or more on adjacent VLAN bindings. Cumulus Linux does not support traditional bridge mode with VMware NSX. | 3.7.12-3.7.16, 4.0.0-4.4.5 | |
2548062 |
When ports are split to 4x25G, RS FEC needs to be explicitly configured on both ends (especially when interoperating with non-Mellanox switches). | 4.1.0-4.4.5 | |
2548044 |
When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor. | 3.7.12-3.7.15, 4.0.0-4.4.5 | 3.7.16 |
2547903 |
CVE-2019-19956: xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs. Vulnerable: 2.9.4+dfsg1-7. Fixed: 2.9.4+dfsg1-7+deb10u1 |
4.0.0-4.4.5 | |
2547890 |
QinQ across VXLAN on a traditional bridge does not work. | 4.1.0-4.4.5 | |
2547782 |
If an LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2547706 |
When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd. To work around this issue, reboot the switch. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2547405 |
When you restart the hsflowd service, you see a systemd warning message similar to the following:
|
4.0.0-4.4.5 | |
2547120 |
After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number) until you run the decode-syseeprom --init command. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2546991 |
The FRR service does not provide a way for automation to know if the configuration applied properly. To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2546895 |
If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:
systemd[1]: switchd.service watchdog timeout (limit 2min)!
To work around this issue, either reduce the number of configured interfaces and/or VLANs, or increase the systemd timeout for switchd.service. To increase the systemd timeout:
1. Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter.
2. Restart the switchd service with the sudo systemctl restart switchd.service command.
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2546874 |
On the Dell S5232F, S5248F, S5296F, and S3048 switches, the poweroff and halt commands do not fully power off the switch. |
4.0.0-4.4.5 | |
2546255 |
On the EdgeCore Minipack-AS8000 switch, a 100G DAC link does not come up when auto-negotiation is enabled on the neighbor. This switch does not support 100G DAC auto-negotiation at this time. | 4.0.0-4.4.5 | |
2546225 |
When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support.
To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2546131 |
On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot the kernel. To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image: run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image. This workaround only works when an out-of-band network is present. |
3.7.11-3.7.16, 4.0.0-4.4.5 | |
2545837 |
If you use the NCLU commands to configure NTP and run the net add time ntp source command before you run the net add time ntp server command, the /etc/ntp.conf file is misconfigured. To work around this issue, run the net add time ntp server command before you run the net add time ntp source command. |
3.7.10-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16 |
2545520 |
The length of the netlink message is not set properly for non-bridge family type messages. The same length is used for both bridge and non-bridge even though the bridge family type message has an extra attribute. This causes extra bytes to be left over in non-bridge family type netlink messages. | 3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2545233 |
On the Delta AG9032v1 switch, smonctl and sensors report inaccurate PSU current and power. | 4.0.0-4.4.5 | |
2545125 |
If you configure more than one VRR interface on an SVI interface, deleting one of the VRR addresses does not remove the interface/address. | 3.7.10-3.7.16, 4.0.0-4.4.5 | |
2544978 |
If you delete an undefined bond, then add a bond slave, the net commit command fails. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2544968 |
FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:
should be:
To work around this issue, configure the interface manually in the /etc/frr/frr.conf file. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2544957 |
NCLU incorrectly allows you to apply port security configuration on layer 2 and layer 3 ports that are not part of a bridge. | 4.0.0-4.4.5 | |
2544953 |
When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname. To work around this issue, run the sudo systemctl restart lldpd.service command. |
3.7.10-3.7.16, 4.0.0-4.4.5 | |
2544880 |
When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. |
4.0.0-4.4.5 | |
2544723 |
Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2544463 |
Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported. To work around this issue, do not use auto-negotiation and set the local port speed to 10G. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2544456 |
The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2544311 |
Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
2544155 |
NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order. |
3.7.5-3.7.16, 4.0.0-4.4.5 | |
2544113 |
MAC learning is not disabled by default on a double-tagged peer link interface, resulting in the MAC address moving between the MLAG bond and the peer link. To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the /etc/network/interfaces file. |
3.7.9-3.7.16, 4.0.0-4.4.5 | |
2543937 |
An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause an FRR reload to time out. To work around this issue, remove the interface alias description from iproute2. |
3.7.8-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2543915 |
When you enable a service in the management VRF, systemctl issues a warning similar to the following:
Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run ‘systemctl daemon-reload’ to reload unit
You can safely ignore this warning. |
4.0.0-5.9.2 | 5.10.0-5.11.0 |
2543900 |
On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | |
2543841 |
The net show evpn vni detail json command includes an extra empty dictionary at the end of the output. |
3.7.8-3.7.16, 4.0.0-4.4.5 | |
2543816 |
On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages. |
3.7.6-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16 |
2543781 |
NCLU does not allow you to configure OSPF NSSAs. For example:
To work around this issue, use FRR instead. For example:
|
3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2543724 |
If a hostname contains utf-8 characters, the NCLU net show lldp command outputs the following error:
|
3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2543646 |
In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | |
2543401 |
On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces. To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. |
4.0.0-4.4.5 | |
2543211 |
In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18). |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2543164 |
The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected. To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. |
3.7.7-3.7.16, 4.0.0-4.4.5 | |
2543096 |
When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted. |
3.7.6-3.7.16, 4.0.0-4.4.5 | |
2542945 |
On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags. To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad:
|
3.7.6-3.7.16, 4.0.0-4.4.5 | |
2542837 |
On Mellanox switches, policer iptables are not working as expected. For example, when using a policer with mode KB/MB/GB to rate-limit interfaces, the syntax is accepted but the data plane transfer speed is not affected by the rule. | 3.7.6-3.7.8, 4.0.0-4.4.5 | 3.7.9-3.7.16 |
2542305 |
If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically. |
3.7.6-3.7.16, 4.0.0-4.4.5 | |
2542301 |
When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted. |
3.7.3-3.7.16, 4.0.0-4.4.5 | |
2541212 |
The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded. |
3.7.5-3.7.16, 4.0.0-4.4.5 | |
2541029 |
On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped. This issue only affects QinQ configurations. |
3.7.5-3.7.16, 4.0.0-4.4.5 | |
2540753 |
If the interface alias contains a single or double quotation mark, or an apostrophe, the net show configuration commands fail with the following error:
|
3.7.5-3.7.16, 4.0.0-4.4.5 | |
2540444 |
SNMP incorrectly requires engine ID specification. |
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540352 |
When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a match interface condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces. For example, this command is incorrect:
These commands are correct:
|
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2540340 |
NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays
Tab completion for the net add vrf command works correctly. |
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540274 |
On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | |
2540204 |
When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540192 |
The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled. To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. |
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540155 |
On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node. |
3.7.3-3.7.16, 4.0.0-4.4.5 | |
2540042 |
When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails. To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example:
|
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540041 |
On SVIs in a VLAN-aware bridge, you cannot change the VRRP priority with NCLU. To work around this issue, run the vtysh command inside FRR to change the default priority. For example:
|
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540040 |
Cumulus Linux uses VRRPv3 as the default version, and enables both preempt and accept mode by default. You cannot change these default values with NCLU. To work around this issue, run the vtysh commands (inside FRR) to change the default values. For example:
|
3.7.4-3.7.16, 4.0.0-4.4.5 | |
2540031 |
NCLU does not honor auto all in the /etc/network/interfaces file and removes the existing configuration if no individual auto lines exist. |
3.7.3-3.7.16, 4.0.0-4.4.5 | |
2539994 |
When you try to remove a BGP peer group configuration with NCLU, the command fails but no warning message is shown. For example:
|
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2539962 |
When an LDAP user that does not have NCLU privileges (either in the netshow or netedit group, or in the /etc/netd.conf file) runs an NCLU command, a traceback occurs instead of a permissions error. |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2539670 |
On the Edgecore 4610-54P switch, automatic medium-dependent interface crossover (auto-MDIX) stops working on a 100M full duplex interface and does not detect the required cable connection type. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2539124 |
The net add interface command adds no ptm-enable for that interface in the frr.conf file. Running the net add or the net del command does not remove no ptm-enable from the frr.conf file. You have to remove it manually using vtysh. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2538790 |
NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan . This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG. To restore connectivity, remove the VLAN ID from the bridge. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2538590 |
When you configure a control plane ACL to define permit and deny rules destined to the local switch, NCLU programs the control plane ACL rules into the FORWARD chain. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2538562 |
On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the /etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up. After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown. To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex, or MDI-X settings. Note: The advertised link mode is set incorrectly if you include 1000baseT/Half. The port comes up successfully at 1G. |
3.7.2-3.7.16, 4.0.0-4.4.5 | |
2538294 |
If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2537699 |
There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces:
Eventually the dhcrelay service stops. |
3.7.1-3.7.16, 4.0.0-4.4.5 | |
2537544 |
When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl ; for example, SNMP output from the BRIDGE-MIB. |
3.7.1-3.7.16, 4.0.0-4.4.5 | |
2536576 |
If you try to bring down several members of a bond remotely at the same time, the link state of one of the interfaces might not transition correctly to the down state; however, all links show down in hardware. |
4.0.0-4.4.5 | |
2536384 |
The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware. |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2536256 |
For an unresolved address, the IPROUTER default policer rule has been modified to not match on packets exiting a TUNNEL and headed to the CPU to resolve the address via ARP. As a result, the following default rule no longer matches TUNNEL ingress packets.
These packets are now policed by catch-all rules. To work around this issue, the VPORT value on a TRIDENT switch must be changed from binary 011 to 100. |
4.0.0-4.4.5 | |
2536242 |
On the EdgeCore AS7712 (Tomahawk) switch running in atomic mode, when a layer 3 ECMP path is brought down, traffic traversing the path stops working for about four seconds. When the switch is changed to non-atomic mode, the delay is less than one second. This issue is seen across OSPF and static ECMP routes. | 4.0.0-4.4.5 | |
2536179 |
On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | |
2535986 |
At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets. When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2535965 |
On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly. To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. |
3.7.0-3.7.16, 4.0.0-4.4.5 | |
2535723 |
The source address of the ICMPv6 time exceeded message (traceroute hop) is sourced from the wrong VRF when the traceroute target resides on the same switch but in a different VRF. | 4.0.0-4.4.5 | |
2535605 |
FRR does not add BGP ttl-security to either the running configuration or to the /etc/frr/frr.conf file when configured on a peer group instead of a specific neighbor. To work around this issue, add ttl-security to individual neighbors instead of the peer group. |
4.0.0-4.4.5 | |
2535209 |
The net show lldp command sometimes shows the port description in the Remote Port field. The net show interface command shows the correct value in the Remote Host field. To work around this issue, use the net show interface command for LLDP output when connected to Cisco equipment. |
3.7.5-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16 |
2534734 |
Span rules matching the out-interface as a bond do not mirror packets. | 4.0.0-4.4.5 | |
2533691 |
If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict. To work around this issue, correct the bridge VIDs and restart switchd or delete the subinterface. |
3.7.12-3.7.16, 4.0.0-4.4.5 | |
2533625 |
PIM and MSDP entries are set to the internal COS value of 6 so they are grouped together with the bulk traffic priority group in the default traffic.conf file. However, PIM, IGMP, and MSDP are considered control-plane and should be set to the internal COS value of 7. |
4.0.0-4.4.5 | |
2533337 |
When you use NCLU to bring a bond admin down (net add bond ), the bond interface goes into admin down state but the switch ports enslaved to the bond remain UP. If you are using bond-lacp-bypass-allow or balance-xor mode, the host might continue to send traffic. This traffic will be dropped because although the bond slaves are UP, they are not members of the bridge. To work around this issue, use the sudo ifdown command. |
4.0.0-4.4.5 | |
2531273 |
In certain cases, a peer device sends an ARP request from a source IP address that is not on the connected subnet and the switch creates a STALE neighbor entry. Eventually, the switch attempts to keep the entry fresh and sends ARP requests to the host. If the host responds, the switch has REACHABLE neighbor entries for hosts that are not on the connected subnet. To work around this issue, change the value of arp_ignore to 2. See Address Resolution Protocol in the Cumulus Linux user guide (https://docs.cumulusnetworks.com/cumulus-linux/Layer-3/Address-Resolution-Protocol-ARP/) for more information. |
4.0.0-4.4.5 | |
Fixed Issues in 4.4.0
Issue ID | Description | Affects |
---|---|---|
2828927 |
An unexpected software system shutdown can occur due to a thermal zones issue in the hw-management package. The following message might appear in /var/log/syslog before the shutdown: thermal thermal_zoneX: critical temperature reached (33 C), shutting down |
4.3.0-4.3.3 |
2734173 |
The Mellanox 100G transceiver MMA1L30-CM Rev A3 is not recognized on the SN4600 switch even though the link is up. The ethtool output shows the error Cannot get Module EEPROM data: Invalid argument. |
|
2728138 |
CVE-2020-36221, CVE-2020-36222, CVE-2020-36223, CVE-2020-36224, CVE-2020-36225, CVE-2020-36226, CVE-2020-36227, CVE-2020-36228, CVE-2020-36229, CVE-2020-36230: Several vulnerabilities were discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of these flaws to cause a denial of service (slapd daemon crash, infinite loops) via specially crafted packets. Vulnerable: <= 2.4.47+dfsg-3+deb10u4 Fixed: 2.4.47+dfsg-3+deb10u5 |
4.0.0-4.3.0 |
2728134 |
CVE-2021-27212: A vulnerability in the Certificate List Exact Assertion validation was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service (slapd daemon crash) via specially crafted packets. Vulnerable: <= 2.4.47+dfsg-3+deb10u5 Fixed: 2.4.47+dfsg-3+deb10u6 |
4.0.0-4.3.3 |
2695526 |
CVE-2021-3580 CVE-2021-20305: Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures. Vulnerable: 3.4.1-1 Fixed: 3.4.1-1+deb10u1 |
4.0.0-4.3.3 |
2691506 |
In a VRRP configuration, BGP unnumbered sessions for VRFs fail to establish after a networking restart. | 4.3.0 |
2690017 |
When you remove a bond member, then re-add it, you might see a Parameter Error failure in syslog and switchd.log: sx_sdk: LAG: Can’t add port (0x00012400) to lag. Port has vports configured for it (Parameter Error). To work around this issue, restart switchd. |
4.3.0-4.3.3 |
2687159 |
CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331 CVE-2020-36332: Multiple vulnerabilities were discovered in libwebp, the implementation of the WebP image format, which could result in denial of service, memory disclosure or potentially the execution of arbitrary code if malformed images are processed. Vulnerable: 0.6.1-2 Fixed: 0.6.1-2+deb10u1 |
4.0.0-4.3.3 |
2684418 |
If you configure items in a VRF that has been created, deleted, then re-created, staticd crashes. |
4.3.0 |
2682971 |
CVE-2020-12762: integer overflow in the json-c JSON library, which could result in denial of service or potentially the execution of arbitrary code if large malformed JSON files are processed. Vulnerable: 0.12.2+cl4u1 Fixed: 0.12.2+cl4.4.0u1 |
4.0.0-4.3.3 |
2682780 |
Adding a route map configuration after a MAC access list configuration line causes the route map configuration to be applied incorrectly. To work around this issue, add the MAC access list configuration to the end of the /etc/frr/frr.conf file. |
4.2.0-4.3.3 |
2679948 |
CVE-2021-25217: parsing of stored leases by dhclient or dhcpd has an incorrect length check that may cause a crash. Vulnerable: <= 4.3.1-6-cl3.7.14u1 Fixed: 4.3.1-6-cl3.7.16u1 |
3.7.0-3.7.15, 4.0.0-4.3.3 |
2679936 |
Following an event that causes the peer link bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer-ip-mismatch. This behavior is seen when you use a clagd-peer-ip linklocal configuration. |
4.3.0 |
2677049 |
CVE-2020-25681 CVE-2020-25682 CVE-2020-25683 CVE-2020-25684 CVE-2020-25685 CVE-2020-25686 CVE-2020-25687: Several vulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP server, could result in denial of service, cache poisoning or the execution of arbitrary code. | 4.0.0-4.3.0 |
2671667 |
CVE-2021-23017: off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code. Vulnerable: <= 1.14.2-2+deb10u3 Fixed: 1.14.2-2+deb10u4 |
4.0.0-4.3.3 |
2669873 |
In an EVPN multihoming configuration, ARP/ND traffic coming in on one switch is sent back out the originating bond on the other switches in the ES on remote PE switches. Normally Split Horizon filtering prevents this kind of traffic at the remote PE. | 4.3.0-4.3.3 |
2669073 |
On Spectrum, Spectrum-2, and Spectrum-3 switches, the l1-show command shows the wrong data when the MST service is stopped. To work around this issue, start the MST service with the sudo mst start command. |
4.3.0-4.3.3 |
2666838 |
CVE-2021-31535: missing length validation in various functions provided by libx11, the X11 client-side library, allows injection of X11 protocol commands on X clients, leading to authentication bypass, denial of service or potentially the execution of arbitrary code. Vulnerable: <= 1.6.7-1+deb10u1 Fixed: 1.6.7-1+deb10u2 |
4.0.0-4.3.3 |
2663479 |
CVE-2021-3520: integer overflow flaw in lz4, a fast LZ compression algorithm library, resulting in memory corruption. Vulnerable: 1.8.3-1 Fixed: 1.8.3-1+deb10u1 |
4.0.0-4.3.3 |
2656527 |
CVE-2020-18032: A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file. Vulnerable: 2.40.1-6 Fixed: 2.40.1-6+deb10u1 |
4.0.0-4.3.3 |
2648658 |
If you try to use more than one percent of max-ecmp-nexthops, you get an error indicating a failure. |
3.7.15-4.3.3 |
2648587 |
The received PVST BPDU for a VLAN is flooded even though the ingress port doesn’t have the VLAN tagged. | 3.7.8-3.7.14.2, 4.0.0-4.3.0 |
2644072 |
When you stop clagd on the MLAG primary switch (for example, when you reboot the switch), in rare conditions the MLAG secondary switch might fail to properly assert itself as the MLAG primary switch. To work around this issue, change the primary designation by configuring the clagd priorities to ensure that you only reboot a switch that is in the MLAG secondary role. |
3.7.15, 4.3.0 |
2644053 |
The following vulnerabilities have been announced in BIND: CVE-2021-25214: a malformed incoming IXFR transfer could trigger an assertion failure in named, resulting in denial of service. CVE-2021-25215: named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query. CVE-2021-25216: the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries. Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u4 Fixed: 9.11.5.P4+dfsg-5.1+deb10u5 |
4.0.0-4.3.3 |
2643822 |
On a Mellanox Spectrum-2 switch, after running the systemctl restart networking service command on the MLAG primary switch, the secondary switch also closes its ports. To work around this issue, run the ifreload -a command to restart networking. |
4.2.1-4.3.0 |
2638106 |
The NCLU net show route vrf and vtysh show [ip|ipv6] route vrf commands do not return any output. |
4.3.0 |
2637554 |
The cl-acltool takes a significant amount of time to run, which can slow down automation scripts. |
4.2.0-4.3.0 |
2633061 |
The following vulnerability affects the libgstreamer-plugins-base1.0-0 package. There is no CVE yet; the Debian advisory number is DSA-4903-1. Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened. Vulnerable: 1.14.4-2 Fixed: 1.14.4-2+deb10u1 |
4.0.0-4.3.0 |
2632379 |
When you upgrade the switch with apt-get upgrade, the kexec-tools package is not installed, which causes the Smart System Manager fast restart mode to work incorrectly. |
4.3.0-4.3.3 |
2628693 |
After an apt upgrade, the OPTIONS configuration line in /etc/default/isc-dhcp-relay might be removed. To work around this issue, reconfigure the desired options in the file after the upgrade completes. |
3.7.12-3.7.15, 4.2.1-4.3.0 |
2628588 |
After rebooting a switch with PFC configurations, non-PFC enabled ports might not send or receive traffic correctly. | |
2628513 |
CVE-2020-12695: hostapd does not properly handle UPnP subscribe messages under certain conditions, allowing an attacker to cause a denial of service. Vulnerable: <= 2.8.0-cl3.7.15u2 Fixed: 2.8.0-cl3.7.15u3 |
3.7.14-3.7.14.2, 4.3.0-4.3.3 |
2617000 |
CVE-2021-26933 CVE-2021-27379: Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, privilege escalation or memory disclosure. Vulnerable: < 4.11.4+99-g8bce4698f6-1 Fixed: 4.11.4+99-g8bce4698f6-1 |
4.0.0-4.3.3 |
2616998 |
CVE-2021-23358: missing input sanitising in the template() function of the Underscore JavaScript library could result in the execution of arbitrary code. Vulnerable: 1.9.1~dfsg-1 Fixed: 1.9.1~dfsg-1+deb10u1 |
4.0.0-4.3.3 |
2616987 |
CVE-2020-6851 CVE-2020-8112 CVE-2020-15389 CVE-2020-27814 CVE-2020-27823 CVE-2020-27824 CVE-2020-27841 CVE-2020-27842 CVE-2020-27843 CVE-2020-27845: Multiple vulnerabilities have been discovered in openjpeg2, the open-source JPEG 2000 codec, which could result in denial of service or the execution of arbitrary code when opening a malformed image. Vulnerable: <= 2.3.0-2+deb10u1 Fixed: 2.3.0-2+deb10u2 |
4.0.0-4.3.3 |
2616976 |
Multiple vulnerabilities were discovered in cURL, a URL transfer library: CVE-2020-8169: partial password leak to DNS servers. CVE-2020-8177: malicious server could cause curl -J -i to overwrite a local file. CVE-2020-8231: libcurl with CURLOPT_CONNECT_ONLY information leak due to wrong connection. CVE-2020-8284: PASV response could trick curl into connecting back to an arbitrary IP address and port. CVE-2020-8285: libcurl could run out of stack space using FTP wildcard matching (CURLOPT_CHUNK_BGN_FUNCTION). CVE-2020-8286: failure to verify that OCSP response matches intended certificate. CVE-2021-22876: libcurl did not strip user credentials from URL when populating Referer HTTP request header. CVE-2021-22890: libcurl using HTTPS proxy with TLS1.3 could use the wrong session ticket and bypass server TLS certificate check. Vulnerable: <= 7.64.0-4+deb10u1 Fixed: 7.64.0-4+deb10u2 |
4.0.0-4.3.3 |
2616967 |
CVE-2021-28957: lxml, a Python binding for the libxml2 and libxslt libraries, did not properly sanitize its input. This would allow a malicious user to mount a cross-site scripting attack. Vulnerable: <= 4.3.2-1+deb10u2 Fixed: 4.3.2-1+deb10u3 |
4.0.0-4.3.3 |
2616964 |
CVE-2021-27291: Pygments, a syntax highlighting package written in Python 3, used regular expressions which could result in denial of service. Vulnerable: <= 2.3.1+dfsg-1+deb10u1 Fixed: 2.3.1+dfsg-1+deb10u2 |
4.0.0-4.3.3 |
2616954 |
CVE-2021-3449: A NULL pointer dereference was found in the signature_algorithms processing in OpenSSL, a Secure Sockets Layer toolkit, which could result in denial of service. Vulnerable: <= 1.1.1d-0+deb10u5 Fixed: 1.1.1d-0+deb10u6 |
4.0.0-4.3.3 |
2614016 |
The switch firmware incorrectly identifies Lenovo LR4 transceivers (part number 00YD278) and does not set the laser levels properly, which can prevent the link from coming up or might cause the transceiver to be identified as a 1G module. | 4.2.0-4.3.3 |
2582639 |
On NVIDIA Spectrum switches, BUM traffic might be dropped during VXLAN decapsulation in an EVPN multihoming environment after multiple PIM uplink interfaces flap. | 4.3.0-4.3.3 |
2578872 |
CVE-2021-20270: It was discovered that Pygments, a syntax highlighting package written in Python, could be forced into an infinite loop, resulting in denial of service. Vulnerable: 2.3.1+dfsg-1 Fixed: 2.3.1+dfsg-1+deb10u1 |
4.0.0-4.3.3 |
2578870 |
CVE-2020-35523 CVE-2020-35524: Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed. Vulnerable: <= 4.1.0+git191117-2~deb10u1 Fixed: 4.1.0+git191117-2~deb10u2 |
4.0.0-4.3.3 |
2578845 |
The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages. |
3.7.11-3.7.14, 4.1.1-4.3.0 |
2577499 |
QSFP+ 40G optics do not work on Spectrum platforms. | 4.3.0-4.3.3 |
2566878 |
CVE-2021-27803: A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range. | 3.7.14-3.7.14.2, 4.0.0-4.3.3 |
2564534 |
Several vulnerabilities have been discovered in the GRUB2 bootloader. CVE-2020-14372: It was discovered that the acpi command allows a privileged user to load crafted ACPI tables when Secure Boot is enabled. CVE-2020-25632: A use-after-free vulnerability was found in the rmmod command. CVE-2020-25647: An out-of-bound write vulnerability was found in the grub_usb_device_initialize() function, which is called to handle USB device initialization. CVE-2020-27749: A stack buffer overflow flaw was found in grub_parser_split_cmdline. CVE-2020-27779: It was discovered that the cutmem command allows a privileged user to remove memory regions when Secure Boot is enabled. CVE-2021-20225: A heap out-of-bounds write vulnerability was found in the short form option parser. CVE-2021-2023: A heap out-of-bound write flaw was found caused by mis-calculation of space required for quoting in the menu rendering. |
4.0.0-4.3.3 |
2556814 |
When ARP suppression is enabled, RARP packets sometimes get dropped and are not flooded by the local VTEP. To work around this issue, disable ARP suppression. |
3.7.14-3.7.14.2, 4.3.0 |
2556781 |
CVE-2021-0326: An issue has been found in wpa, a set of tools to support WPA and WPA2 (IEEE 802.11i). Missing validation of data can result in a buffer over-write, which might lead to a DoS of the wpa_supplicant process or potentially arbitrary code execution. Vulnerable: <= 2.8.0-cl3.7.14u1, <= 2.8.0-cl4.2.1u1 |
3.7.14-3.7.14.2, 4.0.0-4.3.3 |
2556777 |
CVE-2021-26937: A flaw in the handling of combining characters in screen, a terminal multiplexer with VT100/ANSI terminal emulation can result in denial of service, or potentially the execution of arbitrary code via a specially crafted UTF-8 character sequence. Vulnerable: 4.6.2-3 Fixed: 4.6.2-3+deb10u1 |
4.0.0-4.3.3 |
2556774 |
DSA-4859-1 (no CVE): zstd, a compression utility, was vulnerable to a race condition: it temporarily exposed, during a very short timeframe, a world-readable version of its input even if the original file had restrictive permissions. Vulnerable: <= 1.3.8+dfsg-3+deb10u1 Fixed: 1.3.8+dfsg-3+deb10u2 |
4.0.0-4.3.0 |
2556762 |
In a configuration with both traditional and vlan-aware bridges, the VLAN membership check on a vlan-aware switch does not drop PVST BPDUs that come from a traditional bridge. | 3.7.14-3.7.14.2, 4.0.0-4.3.0 |
2556730 |
CVE-2020-8625: A buffer overflow vulnerability was discovered in the SPNEGO implementation affecting the GSSAPI security policy negotiation in BIND, a DNS server implementation, which could result in denial of service (daemon crash), or potentially the execution of arbitrary code. Vulnerable: <= 9.11.5.P4+dfsg-5.1+deb10u2 Fixed: 9.11.5.P4+dfsg-5.1+deb10u3 |
4.0.0-4.3.3 |
2556690 |
The following vulnerabilities have been announced in the openssl packages: CVE-2021-23840: Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. CVE-2021-23841: The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. CVE-2019-1551: There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Vulnerable: <= 1.1.1d-0+deb10u4 Fixed: 1.1.1d-0+deb10u5 |
4.0.0-4.3.0 |
2556658 |
CVE-2020-35498: A vulnerability was found in openvswitch. A limitation in the implementation of userspace packet parsing can allow a malicious user to send a specially crafted packet causing the resulting megaflow in the kernel to be too wide, potentially causing a denial of service. The highest threat from this vulnerability is to system availability. Vulnerable: <= 2.8.90-1-cl4u5 Fixed: 2.8.90-1-cl4u6, 2.8.90-1-cl4.4.0u1, 2.8.90-1-cl5.0.0u8 |
4.0.0-4.3.3 |
2556568 |
DSA-4850-1 (no CVE): libzstd adds read permissions to files while being compressed or uncompressed. Vulnerable: 1.3.8+dfsg-3 Fixed: 1.3.8+dfsg-3+deb10u1 |
4.0.0-4.3.0 |
2556499 |
Cumulus Linux does not support bond members at 200G or greater. | 4.0.0-4.3.0 |
2554797 |
On the Mellanox SN3700C switch, PIM multicast packets are duplicated at the egress VTEP. | 4.2.0-4.3.0 |
2554299 |
In a VRRP configuration, BGP unnumbered sessions for VRFs fail to establish after a networking restart. | 4.2.0-4.3.3 |
2550704 |
On the Mellanox SN3420 switch, 25G SR optics only link up in force mode. | 4.3.0-4.3.3 |
2549371 |
When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when no MLD join is received. |
3.7.11-4.3.3 |
2545239 |
On the Mellanox switch with the Spectrum-2 ASIC, Precision Time Protocol (PTP) is not currently supported. | 4.0.0-4.3.3 |