Cumulus Linux 5.12 Release Notes
Download all 5.12 release notes as .xls
5.12.1 Release Notes
Open Issues in 5.12.1
| Issue ID | Description | Affects | Fixed |
|---|---|---|---|
| 4329931 |
In previous releases, Cumulus Linux incorrectly allowed SyncE and PPS In features to be enabled at the same time. Upgrading systems with both features configured using NVUE to 5.12.0 or higher results in a failure to apply the startup configuration as part of the first boot of the upgraded version. To work around the issue, unset one of the features before you upgrade. | 5.12.0-5.12.1 | |
| 4318464 |
When connecting two NVIDIA devices using DAC in Auto-Neg mode with 100GbE R1 (one lane) port speed, the link will go down. To avoid this, make sure to use firmware version xx.2014.3xxx and above on both sides. | 5.12.0-5.12.1 | |
| 4309876 |
When you configure an invalid switch port (swp), NVUE adds the invalid configuration instead of rejecting it. The invalid interface in the configuration does not have any functional impact. | 5.12.0-5.12.1 | |
| 4309875 |
When you configure an invalid switch port (swp), NVUE adds the invalid configuration instead of rejecting it. The invalid interface in the configuration does not have any functional impact. | 5.12.0-5.12.1 | |
| 4291993 |
After upgrading Cumulus Linux with optimized (two partition) image upgrade the second time, the ssh and nginx services do not start. To work around this issue, before rebooting to upgrade, check if the cumulus-upgrade-on-shutdown service is active (exited) with the systemctl status cumulus-upgrade-on-shutdown command. If the command output shows inactive (dead)), run the following commands to ensure that a subsequent two partition upgrade correctly uses the cumulus-upgrade-on-shutdown service:cumulus@switch:~$ sudo systemctl enable cumulus-upgrade-on-shutdown |
5.12.0-5.12.1 | |
| 4291970 |
When you enable NVUE pagination with the nv set system cli pagination state enabled command, even short outputs become paginated inside less even though they fit the terminal. If you want to see pagination only for CLI outputs larger than the terminal size, set nv set system cli pagination state to auto. |
5.12.0-5.12.1 | |
| 4287285 |
Due to unsupported EVPN BUM replication configuration (a mix of PIM and HER modes), a resource leak can occur. | 5.11.0-5.12.1 | |
| 4280299 |
The nv action fetch system packages key command fails if the key ID is an scp/ftp or URL path that requires a password to access the key. To work around this issue, use a URI that does not require password authentication for the key ID. |
5.12.0-5.12.1 | |
| 4277042 |
On the NVIDIA SN5600 switch, you see low power alarms immediately after a reboot. The alarms disappear after showing up initially. Certain modules typically show low power alarms on initialization. No action is needed. | 5.12.0-5.12.1 | |
| 4271311 |
The management interface on the NVIDIA SN2010 and SN2100 switch negotiates to 100 Mbps instead of 1 Gbps. | 5.11.0-5.12.1 | |
| 4271215 |
NVUE overwrites the MOTD file during NVUE configuration with no option to ignore it |
5.11.0-5.12.1 | |
| 4262480 |
NVUE fails to apply numbered BGP large community lists (community lists with multiple rules). To work around this issue, use named large community lists. | 5.12.0-5.12.1 | |
| 4259744 |
The nv config replace command fails with a 404 NOT FOUND error. To work around this issue, run the nv config detach command before trying another configuration change. |
5.12.0-5.12.1 | |
| 4257386 |
NVUE overwrites the MOTD file during NVUE configuration with no option to ignore it |
5.11.0-5.12.1 | |
| 4249096 |
Binary upgrade from Cumulus Linux 4.3.1 to 5.12.0 is not supported. To work around this issue, perform a binary upgrade from Cumulus Linux 4.3.1 to 5.9.0, then perform a binary upgrade from Cumulus Linux 5.9.0 to 5.12.0. | 5.12.0-5.12.1 | |
| 4214678 |
Changes to open telemetry configuration or export states restarts the telemetry service and resets all health metrics. | 5.12.0-5.12.1 | |
| 4210596 |
After a factory reset, TACACS does not work. To work around this issue, run the following commands one after the other:cumulus@switch:~$ sudo pam-auth-update –enable tacplus –force |
5.12.0-5.12.1 | |
| 4200952 |
Configuring the listening-address for the SNMP server fails for IP addresses associated with VRFs other than the management VRF. | 5.11.0-5.12.1 | |
| 4178578 |
An unexpected thermal reboot occurs due to an incorrect firmware status in the i2c driver. | 5.10.0-5.12.1 | |
| 4177067 |
When doing a package upgrade from CL5.9 or CL5.10 to CL5.11, the installation of nslcd might open an interactive dialog to configure nslcd.conf .To avoid this interactive dialog, set the DEBIAN_FRONTEND environment variable to noninteractive. For example:cumulus@switch:~$ sudo apt-get update |
5.11.0-5.12.1 | |
| 4156409 |
When you enable the BGP PIC next hop group per source option:
|
5.11.0-5.12.1 | |
| 4154839 |
When you run certain SDK commands (such as sudo sx_api_port_counter_dump_all.py or sx_api_fdb_dump etc) first as the cumulus user, then with sudo, you see the following error:PermissionError: Errno 13] Permission denied: ‘/tmp/python_err_log.txt’ To resolve this issue, run the rm -rf /tmp/python_err_log.txt command. |
5.11.0-5.12.1 | |
| 4142857 |
The switch drops PTP packets received with extra ethernet padding and you see syslog [ptp4l.ERR] messages. |
5.10.0-5.12.1 | |
| 4139511 |
When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. The issue is harmless.[ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock |
5.11.0-5.12.1 | |
| 4134447 |
The journal logs might include the error message ERR kernel: [ 7.453789] usb usb2-port2: connect-debounce failed. This log message has no functionality impact and can be safely ignored. |
5.11.0-5.12.1 | |
| 4129757 |
If you include a comma in the BGP community list, extended community list, or large community list regex expression of a routing policy, you see error messages and FRR reload fails. Make sure the regex expression does not contain a comma. For example, instead of ^65550:([0-9]{1,2}|[1-9][1-9]):.$, specify ^65550:([0-9]|[0-9][0-9]):.$ and instead of ^65550:([0-4]{1,2}|[7-9][8-9]):.$, specify ^65550:([0-4]|[0-4][0-4]|[7-9][8-9]):.$. |
5.11.0-5.12.1 | |
| 4128952 |
Cumulus Linux does not support LDAP over IPv6. | 5.11.0-5.12.1 | |
| 4124376 |
The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier). To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in Downgrade a Secure Boot Switch. |
5.11.0-5.12.1 | |
| 4118970 |
When running PTP, the performance for 100Gx2 and 400Gx8 can have a high offset in up to 1.5% of the sampling. | 5.11.0-5.12.1 | |
| 4105127 |
Any sFlow configuration changes that require an hsflowd restart are operational only after an initial delay of 60 seconds. |
5.11.0-5.12.1 | |
| 4100629 |
NVUE show command outputs show LLDP neighbor changes only after the LLDP update frequency multiplied by the hold time. | 5.11.0-5.12.1 | |
| 4082210 |
When you change the CPU resource limit with the nv set service control rsyslog resource-limit cpu command, the rsyslog agent does not start. To work around this issue, increase the CPU resource limit, then restart the service manually. |
5.11.0-5.12.1 | |
| 4077921 |
You cannot use package upgrade to upgrade from Cumulus Linux 5.9.2 to Cumulus Linux 5.10.1. You must install the Cumulus Linux 5.10.1 image. | 5.10.1-5.12.1 | |
| 4047798 |
Packet distribution based on ECMP hash is not working for VXLAN on top of rack switches where it is encapped. To work around this issue, enable lag hashing with gtp-teid to distribute VXLAN encapped packets across egress interfaces on the top of rack switches. | 5.10.0-5.12.1 | |
| 4030380 |
When you rollback interface configuration to the default setting with the nv unset interface command, NVUE removes the complete entry for the interface from the /etc/network/interface file, and puts the interface in admin down. As a result, you can’t configure FEC on the interface at the lower layers. |
5.10.0-5.12.1 | |
| 4019256 |
If you change the switch hostname, the histogram data producer service restarts. | 5.10.0-5.12.1 | |
| 4005422 |
When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the systemctl enable ntpsec@ and systemctl restart ntpsec@ commands. |
5.10.0-5.12.1 | |
| 3985682 |
On Spectrum-4 switches, multicast flows containing packets smaller than 512 bytes might not reach full line rate. Cumulus Linux supports 512 byte and larger multicast packets. | 5.10.0-5.12.1 | |
| 3966312 |
When connecting the SN5xxx switch to third party test equipment (such as IXIA) using copper cables at 100GbE, 200GbE, 400GbE, or 800GbE, links do not come up. | 5.10.0-5.12.1 | |
| 3915878 |
If you configure remote syslog export through a non-default VRF, you might see repeated error logs from the rsyslog process while the switch is booting:rsyslogd: create UDP socket bound to device failed: No such device [v8.2302.0]rsyslogd: No UDP socket could successfully be initialized, some functionality may be disabled. [v8.2302.0] The logs occur because the rsyslog service starts before the networking service creates the configured VRF for syslog export. There is no functional impact with this issue. |
5.9.0-5.12.1 | |
| 3879809 |
What Just Happened (WJH) does not work on Spectrum-4 switches. | 5.9.0-5.12.1 | |
| 3879717 |
Running snmpwalk on the switch with the management IP address does not work. To work around this issue, use the localhost option (snmpwalk -v 2c -c public28 localhost 1.3.6.1.2.1.14) or create a control plane ACL whitelist rule. |
5.10.0-5.12.1 | |
| 3878394 |
When ZTP runs a script that contains wget, ZTP fails and you see a message similar to the following:ZTP: ZTP DHCP: Unexpected error: ‘ascii’ codec can’t decode byte 0xe2 in position 181: ordinal not in range(128)ZTP: Script returned failure To work around this issue, use the -q option with wget. |
5.9.0-5.12.1 | |
| 3877516 |
When you connect two NVIDIA switches and configure 400G speed in force mode, links don’t come up. To work around this issue, make sure auto-negotiation is always on when connecting NVIDIA to NVIDIA in PAM4. |
5.9.0-5.12.1 | |
| 3875373 |
When you run the nv config apply empty command, NVUE removes the cumulus user. If you are logged in as the cumulus user when you run the nv config apply empty command, the command fails. |
5.9.0-5.12.1 | |
| 3861745 |
On UEFI hardware (where the /sys/firmware/efi directory exists), using the update-grub program might generate a /boot/grub/grub.cfg that is incorrect for booting ONIE if the ONIE option is selected on the console while booting. To work around this issue, run mount LABEL=“EFI System” /boot/efi before using update-grub. |
5.9.0-5.12.1 | |
| 3855796 |
When configuring a Unicast Master Table for clients, the server addresses must be reachable and the route to the destination must exist. The unicast table can have one directly-connected port for a client. This restriction is only for directly connected ports and doesn’t apply to Unicast Servers on other devices or switches. | 5.9.0-5.12.1 | |
| 3847439 |
In rare cases on the Spectrum 1 switch where a dual connected host transmits all traffic flows to only one switch in a connected MLAG pair and the host changes behavior to hash all flows to the other MLAG switch, there might be traffic loss if the MAC FDB entry on the original switch ages out. | 5.9.0-5.12.1 | |
| 3835635 |
When adaptive routing is enabled, traffic for non adaptive routing enabled ports and non adaptive routing ECMPs might be routed over all ports in ECMP. Avoid using regular ECMPs with adaptive routing enabled on the switch. | 5.9.0-5.12.1 | |
| 3819945 |
When you connect an NVIDIA SN4410, SN4700, or SN5600 switch to any Spectrum 1, Spectrum-2, or Spectrum-3 peer switch (with four lanes) using a 4x breakout configuration and the default lanes per port setting, links do not come up. To work around this issue, provide the lanes per port configuration shown below:cumulus@switch:~$ nv set interface |
5.9.0-5.12.1 | |
| 3818545 |
The terminal monitoring software SecureCRT has a known issue when running on both Windows and Mac systems where it gets stuck when monitoring the serial port of the switch as Cumulus Linux boots up. When this occurs, the serial port stops as shown below and SecureCRT is unable to receive any more serial data from the switch (it is able to transmit).Mounting dev-hugepages.mount - Huge Pages File System.. |
5.9.0-5.12.1 | |
| 3774274 |
When you manually configure the /etc/cumulus/datapath/qos/qos_features.conf file without applying the QoS configuration with NVUE, running the nv config apply empty command later does not clean up the QoS configuration. If the QoS configuration includes breakout ports, the nv config apply empty command fails due to a switchd reload trigger failure. To work around this issue, clean up the configuration manually in the /etc/cumulus/datapath/qos/qos_features.conf, then run the nv config apply empty command. |
5.8.0-5.12.1 | |
| 3773177 |
When you try to upgrade a switch from Cumulus Linux 5.5 or earlier to 5.8.0 or later with package upgrade, you see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb |
4.0.0-4.4.5, 5.0.0-5.12.1 | |
| 3771168 |
When you perform an ISSU upgrade on a Spectrum 1 switch, the switchd service might crash. |
5.8.0-5.12.1 | |
| 3677533 |
Due to resource constraints on the Spectrum 1 switch, staticd performance drops and takes longer to read static routes compared to the time BGP takes to complete a graceful restart and advertise routes and EOR to its helpers. As a result, static routes are advertised after the EOR is sent to graceful restart helpers, which delete the stale static routes and relearn them after receiving the EOR from the restarting node. Temporary traffic loss might occur. |
5.7.0-5.12.1 | |
| 3655681 |
When you disable, then enable STP auto-edge on a port, the port might not transition to the operational edge even though the port does not receive bpdus. To work around this issue, configure the port as an admin-edge port. | 5.7.0-5.12.1 | |
| 3637444 |
Applying an inbound control plane ACL on the eth0 management interface does not take effect. To work around this issue, apply the ACL on the mgmt interface; for example, nv set interface mgmt acl . |
5.7.0-5.12.1 | |
| 3591918 |
The nv action disconnect system aaa user command does not clear all the open sessions. To work around this issue, run the command as many times as the number of sessions to clear all the sessions. |
5.6.0-5.12.1 | |
| 3587393 |
If you use the NVIDIA SN5600 (Spectrum-4) switch with Ixia test equipment, you might experience delayed link up due to intermittent link flaps. To work around this issue when using copper cables:
To work around this issue when using fiber cables:
|
5.6.0-5.12.1 | |
| 3556762 |
On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.12.1 | |
| 3540510 |
400Gx8 ports only support traffic line rate with packets that are larger than 172 bytes. | 5.6.0-5.12.1 | |
| 3538321 |
In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.12.1 | |
| 3497622 |
When you remove PSUs, then plug them back in, you might experience traffic loss and some ports might be in a down state. | 5.6.0-5.12.1 | |
| 3472163 |
On a switch with the Spectrum-4 ASIC, packets that are smaller than 256 bytes are not included in multicast flows. Multicast flows support packets that are 256 bytes or larger. | 5.6.0-5.12.1 | |
| 3444490 |
Migration from ONYX to Cumulus Linux is supported and tested with ONYX version 3.10.4302 GA only. | 5.6.0-5.12.1 | |
| 3442569 |
When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. |
5.5.0-5.12.1 | |
| 3430430 |
When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.12.1 | |
| 3424967 |
sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don’t run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo … to execute the sudo command. |
5.0.0-5.12.1 | |
| 3420056 |
The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.12.1 | |
| 3362113 |
If you restore an NVUE startup.yaml file or run the nv config patch command after an upgrade that includes breakout ports with QoS configuration, the NVUE configuration fails to apply. Subsequent attempts to run nv config apply fail with a message similar to Invalid config [rev_id: 11] qos config is not supported on the following invalid interface: swp1s0. Supported on swp and bond interface types. To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. |
5.4.0-5.12.1 | |
| 3347538 |
When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.12.1 | |
| 3341214 |
If you use the NVUE REST API to configure a local user with a hashed password, the user cannot log in and the /etc/nvue.d/startup.yaml file shows the password as plain text. |
5.4.0-5.12.1 | |
| 3329518 |
When using TACACS+, if the /etc/nsswitch.conf file specifies passwd: files tacplus (files is listed before tacplus), a user that is present in both the local /etc/passwd file and the TACACS+ server cannot log into the switch. NVIDIA recommends that when using TACACS+, you list tacplus before files in /etc/nsswitch.conf. When using NVUE, ensure that tacacs has priority over local. |
5.4.0-5.12.1 | |
| 3327477 |
If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. |
3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.12.1 | |
| 3326659 |
If you have a large number of MAC addresses, they do not age out at the MAC ageing timeout value configured on the switch. It might take up to 30 seconds more for the MAC addresses to age out and be deleted from the hardware. To work around this issue, wait for the ageing timeout value plus 30 seconds. | 5.4.0-5.12.1 | |
| 3253218 |
Auto-negotiation isn’t supported on Spectrum-2 and Spectrum-3 switches using the 1G SFP-T module; FORCE 1G is configured instead. | 5.4.0-5.12.1 | |
| 3241567 |
When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time. |
5.3.0-5.12.1 | |
| 3226506 |
The l1-show eth0 command does not show port information and is not supported in this release. |
5.3.0-5.12.1 | |
| 3225117 |
Occasionally, packet losses might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.12.1 | |
| 3172504 |
When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.12.1 | |
| 3147782 |
You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUNDTo work around this issue, reference the OID without the preceding period ( . ) in the command. |
5.3.0-5.12.1 | |
| 3145869 |
On a Spectrum-3 switch, the PTP offset in 10GbE changes between +-27. The average offset is around 7. | 5.2.0-5.12.1 | |
| 3135952 |
PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed <port_speed> autoneg off lanes <no_of_lanes> command. For example: cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 |
5.2.0-5.12.1 | |
| 3115242 |
When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. |
5.1.0-5.12.1 | |
| 3103821 |
On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.12.1 | |
| 3084476 |
After you disable traffic shaping in the /etc/cumulus/datapath/qos/qos_features.conf file, the default QOS traffic shaping configuration does not restore. To work around this issue, restart switchd. |
4.4.3, 5.0.0-5.12.1 | 4.4.4-4.4.5 |
| 3084027 |
Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware. |
4.3.0-4.4.5, 5.0.0-5.12.1 | |
| 3071652 |
On rare occasions, after you reboot or restart switchd on a Spectrum 1 switch, any 25G connections with Direct Attach Copper (DAC) cables that connect from the switch to a non-NVIDIA device might flap continuously. To work around this issue, bring the affected link administratively down for a few seconds on the non-NVIDIA device, then bring the link back up. |
4.4.4-4.4.5, 5.1.0-5.12.1 | |
| 3061656 |
When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.12.1 | |
| 2972540 |
With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.12.1 | |
| 2964279 |
When a VNI flaps, an incorrect list of layer 2 VNIs are associated with a layer 3 VNI. The NCLU net show evpn vni detail command output shows duplicate layer 2 VNIs under a layer 3 VNI. |
3.7.15, 4.4.2-4.4.5, 5.0.0-5.12.1 | 3.7.16 |
| 2951110 |
The net show time ntp servers command does not show any output with the management VRF. |
3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.12.1 | |
| 2932083 |
CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document filesare processed Vulnerable: <= 9.27~dfsg-2+deb10u4Fixed: 9.27~dfsg-2+deb10u5 |
5.0.0-5.12.1 | 4.4.3-4.4.5 |
| 2904450 |
When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. |
4.4.0-4.4.5, 5.0.0-5.12.1 | |
| 2891255 |
CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file. Vulnerable: <= 2.6.20-0+deb10u1 Fixed: 2.6.20-0+deb10u2 |
4.0.0-4.4.1, 5.0.0-5.12.1 | 4.4.2-4.4.5 |
| 2890681 |
CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code Vulnerable: 2.6.0+dfsg.1-1Fixed: 2.6.0+dfsg.1-1+deb10u1 |
4.0.0-4.4.1, 5.0.0-5.12.1 | 4.4.2-4.4.5 |
| 2885305 |
Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.12.1 | |
| 2867042 |
When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.12.1 | |
| 2823307 |
Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.12.1 | |
| 2736108 |
When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. |
4.4.0-4.4.5, 5.0.0-5.12.1 | |
| 2684925 |
The NVUE nv show vrf default router bgp peer command produces a 404 not found error. |
4.4.0-4.4.5, 5.0.0-5.12.1 | |
| 2671652 |
In VXLAN routing environments, you might experience sub-optimal route convergence delays (longer than five seconds) when a prefix transitions to a new ECMP next-hop group. This condition might occur when a VTEP loses ECMP routes through all uplink peerings, then installs the routes through a different path, such as an MLAG peerlink. | 4.4.0-4.4.5, 5.5.0-5.12.1 |
Fixed Issues in 5.12.1
| Issue ID | Description | Affects |
|---|---|---|
| 4298572 |
The Spectrum-4 switch reports a Modules DataPath FSM fault in logs when the link fails at polling. |
5.10.1-5.12.0 |
| 4286489 |
Optimized (two partition) upgrade and rollback fails when you apply configuration by editing the /etc/nvue.d/startup.yaml file, then run nv config apply startup. To work around this issue, after activating optimized upgrade, but before rebooting, save a copy of the contents of /var/lib/nvue/ to some other location. Then, after activating rollback, but before rebooting, move /var/lib/nvue/ to some other location and copy the previously saved contents to /var/lib/nvue/. |
5.12.0 |
| 4286417 |
When sending control packets which have in their TX base header system target port 259-1023 (above cap_max_system_ports and below cap_ports - which is used for LAG forwarding), a health event of a fatal cause will occur in the switch. | 5.11.0-5.12.0 |
5.12.0 Release Notes
Open Issues in 5.12.0
| Issue ID | Description | Affects | Fixed |
|---|---|---|---|
| 4329931 |
In previous releases, Cumulus Linux incorrectly allowed SyncE and PPS In features to be enabled at the same time. Upgrading systems with both features configured using NVUE to 5.12.0 or higher results in a failure to apply the startup configuration as part of the first boot of the upgraded version. To work around the issue, unset one of the features before you upgrade. | 5.12.0-5.12.1 | |
| 4318464 |
When connecting two NVIDIA devices using DAC in Auto-Neg mode with 100GbE R1 (one lane) port speed, the link will go down. To avoid this, make sure to use firmware version xx.2014.3xxx and above on both sides. | 5.12.0-5.12.1 | |
| 4309876 |
When you configure an invalid switch port (swp), NVUE adds the invalid configuration instead of rejecting it. The invalid interface in the configuration does not have any functional impact. | 5.12.0-5.12.1 | |
| 4309875 |
When you configure an invalid switch port (swp), NVUE adds the invalid configuration instead of rejecting it. The invalid interface in the configuration does not have any functional impact. | 5.12.0-5.12.1 | |
| 4298572 |
The Spectrum-4 switch reports a Modules DataPath FSM fault in logs when the link fails at polling. |
5.10.1-5.12.0 | 5.12.1 |
| 4291993 |
After upgrading Cumulus Linux with optimized (two partition) image upgrade the second time, the ssh and nginx services do not start. To work around this issue, before rebooting to upgrade, check if the cumulus-upgrade-on-shutdown service is active (exited) with the systemctl status cumulus-upgrade-on-shutdown command. If the command output shows inactive (dead)), run the following commands to ensure that a subsequent two partition upgrade correctly uses the cumulus-upgrade-on-shutdown service:cumulus@switch:~$ sudo systemctl enable cumulus-upgrade-on-shutdown |
5.12.0-5.12.1 | |
| 4291970 |
When you enable NVUE pagination with the nv set system cli pagination state enabled command, even short outputs become paginated inside less even though they fit the terminal. If you want to see pagination only for CLI outputs larger than the terminal size, set nv set system cli pagination state to auto. |
5.12.0-5.12.1 | |
| 4287285 |
Due to unsupported EVPN BUM replication configuration (a mix of PIM and HER modes), a resource leak can occur. | 5.11.0-5.12.1 | |
| 4286489 |
Optimized (two partition) upgrade and rollback fails when you apply configuration by editing the /etc/nvue.d/startup.yaml file, then run nv config apply startup. To work around this issue, after activating optimized upgrade, but before rebooting, save a copy of the contents of /var/lib/nvue/ to some other location. Then, after activating rollback, but before rebooting, move /var/lib/nvue/ to some other location and copy the previously saved contents to /var/lib/nvue/. |
5.12.0 | 5.12.1 |
| 4286417 |
When sending control packets which have in their TX base header system target port 259-1023 (above cap_max_system_ports and below cap_ports - which is used for LAG forwarding), a health event of a fatal cause will occur in the switch. | 5.11.0-5.12.0 | 5.12.1 |
| 4280299 |
The nv action fetch system packages key command fails if the key ID is an scp/ftp or URL path that requires a password to access the key. To work around this issue, use a URI that does not require password authentication for the key ID. |
5.12.0-5.12.1 | |
| 4277042 |
On the NVIDIA SN5600 switch, you see low power alarms immediately after a reboot. The alarms disappear after showing up initially. Certain modules typically show low power alarms on initialization. No action is needed. | 5.12.0-5.12.1 | |
| 4271311 |
The management interface on the NVIDIA SN2010 and SN2100 switch negotiates to 100 Mbps instead of 1 Gbps. | 5.11.0-5.12.1 | |
| 4271232 |
A Python version change removed the encoding argument parameter of the json loads function, which causes an exception. | 5.11.0-5.12.1 | |
| 4271215 |
NVUE overwrites the MOTD file during NVUE configuration with no option to ignore it |
5.11.0-5.12.1 | |
| 4271213 |
When IPv4 layer 3 switch ports and virtual interfaces flap, switchd might send an ICMP Reply message instead of an ARP request (although no ICMP request was sent). Multiple ICMP Replies might be sent to any of the neighbor IP addresses of that interface. |
5.9.2-5.12.1 | |
| 4262480 |
NVUE fails to apply numbered BGP large community lists (community lists with multiple rules). To work around this issue, use named large community lists. | 5.12.0-5.12.1 | |
| 4260011 |
If all of the neighbors returned in the nv show vrf command output have no address-family configuration, you see an internal error when the nested table in the output is being rendered. |
5.10.0-5.12.1 | |
| 4259744 |
The nv config replace command fails with a 404 NOT FOUND error. To work around this issue, run the nv config detach command before trying another configuration change. |
5.12.0-5.12.1 | |
| 4257386 |
NVUE overwrites the MOTD file during NVUE configuration with no option to ignore it |
5.11.0-5.12.1 | |
| 4249096 |
Binary upgrade from Cumulus Linux 4.3.1 to 5.12.0 is not supported. To work around this issue, perform a binary upgrade from Cumulus Linux 4.3.1 to 5.9.0, then perform a binary upgrade from Cumulus Linux 5.9.0 to 5.12.0. | 5.12.0-5.12.1 | |
| 4246859 |
The nv show service ntp command displays the peers that are discovered together with the configured NTP servers instead of displaying only the NTP configuration. As a result, the “applied” and “operational” columns have different values, which causes confusion. |
5.11.0-5.12.1 | |
| 4245852 |
NVUE Rest API calls that are authenticated with TACACS on the switch append unnecessary database entries to the /run/tacacs_clent_map file, which increases the file size. Over time, this increases the TACACS login authentication time, resulting in delayed login authentication.To work around this issue, delete the tacacs_client_map file with the sudo rm rf /run/tacacs_client_map command. |
5.11.0-5.12.1 | |
| 4214678 |
Changes to open telemetry configuration or export states restarts the telemetry service and resets all health metrics. | 5.12.0-5.12.1 | |
| 4210596 |
After a factory reset, TACACS does not work. To work around this issue, run the following commands one after the other:cumulus@switch:~$ sudo pam-auth-update –enable tacplus –force |
5.12.0-5.12.1 | |
| 4200952 |
Configuring the listening-address for the SNMP server fails for IP addresses associated with VRFs other than the management VRF. | 5.11.0-5.12.1 | |
| 4178578 |
An unexpected thermal reboot occurs due to an incorrect firmware status in the i2c driver. | 5.10.0-5.12.1 | |
| 4177067 |
When doing a package upgrade from CL5.9 or CL5.10 to CL5.11, the installation of nslcd might open an interactive dialog to configure nslcd.conf .To avoid this interactive dialog, set the DEBIAN_FRONTEND environment variable to noninteractive. For example:cumulus@switch:~$ sudo apt-get update |
5.11.0-5.12.1 | |
| 4173498 |
After network churn, the watchfrr process might restart FRR because zebra is unresponsive. |
5.9.1-5.12.1 | |
| 4156409 |
When you enable the BGP PIC next hop group per source option:
|
5.11.0-5.12.1 | |
| 4154839 |
When you run certain SDK commands (such as sudo sx_api_port_counter_dump_all.py or sx_api_fdb_dump etc) first as the cumulus user, then with sudo, you see the following error:PermissionError: Errno 13] Permission denied: ‘/tmp/python_err_log.txt’ To resolve this issue, run the rm -rf /tmp/python_err_log.txt command. |
5.11.0-5.12.1 | |
| 4142857 |
The switch drops PTP packets received with extra ethernet padding and you see syslog [ptp4l.ERR] messages. |
5.10.0-5.12.1 | |
| 4139511 |
When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. The issue is harmless.[ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock |
5.11.0-5.12.1 | |
| 4134447 |
The journal logs might include the error message ERR kernel: [ 7.453789] usb usb2-port2: connect-debounce failed. This log message has no functionality impact and can be safely ignored. |
5.11.0-5.12.1 | |
| 4129757 |
If you include a comma in the BGP community list, extended community list, or large community list regex expression of a routing policy, you see error messages and FRR reload fails. Make sure the regex expression does not contain a comma. For example, instead of ^65550:([0-9]{1,2}|[1-9][1-9]):.$, specify ^65550:([0-9]|[0-9][0-9]):.$ and instead of ^65550:([0-4]{1,2}|[7-9][8-9]):.$, specify ^65550:([0-4]|[0-4][0-4]|[7-9][8-9]):.$. |
5.11.0-5.12.1 | |
| 4128952 |
Cumulus Linux does not support LDAP over IPv6. | 5.11.0-5.12.1 | |
| 4124376 |
The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier). To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in Downgrade a Secure Boot Switch. |
5.11.0-5.12.1 | |
| 4118970 |
When running PTP, the performance for 100Gx2 and 400Gx8 can have a high offset in up to 1.5% of the sampling. | 5.11.0-5.12.1 | |
| 4105127 |
Any sFlow configuration changes that require an hsflowd restart are operational only after an initial delay of 60 seconds. |
5.11.0-5.12.1 | |
| 4101027 |
After you add a VLAN to a bridge member port, you might experience a few seconds of VXLAN traffic loss. | 5.7.0-5.12.1 | |
| 4100629 |
NVUE show command outputs show LLDP neighbor changes only after the LLDP update frequency multiplied by the hold time. | 5.11.0-5.12.1 | |
| 4100170 |
The NVUE Service fails to start after an upgrade from Cumulus Linux 5.9 to Cumulus Linux 5.10 because of a corrupted database. | 5.10.0-5.12.1 | |
| 4100164 |
Low power Intel SATA controllers experience issues when using the mobile low power chipset LPM policy. This can cause the SSD to become read only. |
5.8.0-5.12.1 | |
| 4082210 |
When you change the CPU resource limit with the nv set service control rsyslog resource-limit cpu command, the rsyslog agent does not start. To work around this issue, increase the CPU resource limit, then restart the service manually. |
5.11.0-5.12.1 | |
| 4077921 |
You cannot use package upgrade to upgrade from Cumulus Linux 5.9.2 to Cumulus Linux 5.10.1. You must install the Cumulus Linux 5.10.1 image. | 5.10.1-5.12.1 | |
| 4047798 |
Packet distribution based on ECMP hash is not working for VXLAN on top of rack switches where it is encapped. To work around this issue, enable lag hashing with gtp-teid to distribute VXLAN encapped packets across egress interfaces on the top of rack switches. | 5.10.0-5.12.1 | |
| 4030380 |
When you rollback interface configuration to the default setting with the nv unset interface command, NVUE removes the complete entry for the interface from the /etc/network/interface file, and puts the interface in admin down. As a result, you can’t configure FEC on the interface at the lower layers. |
5.10.0-5.12.1 | |
| 4019256 |
If you change the switch hostname, the histogram data producer service restarts. | 5.10.0-5.12.1 | |
| 4005422 |
When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the systemctl enable ntpsec@ and systemctl restart ntpsec@ commands. |
5.10.0-5.12.1 | |
| 3985682 |
On Spectrum-4 switches, multicast flows containing packets smaller than 512 bytes might not reach full line rate. Cumulus Linux supports 512 byte and larger multicast packets. | 5.10.0-5.12.1 | |
| 3966312 |
When connecting the SN5xxx switch to third party test equipment (such as IXIA) using copper cables at 100GbE, 200GbE, 400GbE, or 800GbE, links do not come up. | 5.10.0-5.12.1 | |
| 3915878 |
If you configure remote syslog export through a non-default VRF, you might see repeated error logs from the rsyslog process while the switch is booting:rsyslogd: create UDP socket bound to device failed: No such device [v8.2302.0]rsyslogd: No UDP socket could successfully be initialized, some functionality may be disabled. [v8.2302.0] The logs occur because the rsyslog service starts before the networking service creates the configured VRF for syslog export. There is no functional impact with this issue. |
5.9.0-5.12.1 | |
| 3879809 |
What Just Happened (WJH) does not work on Spectrum-4 switches. | 5.9.0-5.12.1 | |
| 3879717 |
Running snmpwalk on the switch with the management IP address does not work. To work around this issue, use the localhost option (snmpwalk -v 2c -c public28 localhost 1.3.6.1.2.1.14) or create a control plane ACL whitelist rule. |
5.10.0-5.12.1 | |
| 3878394 |
When ZTP runs a script that contains wget, ZTP fails and you see a message similar to the following:ZTP: ZTP DHCP: Unexpected error: ‘ascii’ codec can’t decode byte 0xe2 in position 181: ordinal not in range(128)ZTP: Script returned failure To work around this issue, use the -q option with wget. |
5.9.0-5.12.1 | |
| 3877516 |
When you connect two NVIDIA switches and configure 400G speed in force mode, links don’t come up. To work around this issue, make sure auto-negotiation is always on when connecting NVIDIA to NVIDIA in PAM4. |
5.9.0-5.12.1 | |
| 3875373 |
When you run the nv config apply empty command, NVUE removes the cumulus user. If you are logged in as the cumulus user when you run the nv config apply empty command, the command fails. |
5.9.0-5.12.1 | |
| 3861745 |
On UEFI hardware (where the /sys/firmware/efi directory exists), using the update-grub program might generate a /boot/grub/grub.cfg that is incorrect for booting ONIE if the ONIE option is selected on the console while booting. To work around this issue, run mount LABEL=“EFI System” /boot/efi before using update-grub. |
5.9.0-5.12.1 | |
| 3855796 |
When configuring a Unicast Master Table for clients, the server addresses must be reachable and the route to the destination must exist. The unicast table can have one directly-connected port for a client. This restriction is only for directly connected ports and doesn’t apply to Unicast Servers on other devices or switches. | 5.9.0-5.12.1 | |
| 3847439 |
In rare cases on the Spectrum 1 switch where a dual connected host transmits all traffic flows to only one switch in a connected MLAG pair and the host changes behavior to hash all flows to the other MLAG switch, there might be traffic loss if the MAC FDB entry on the original switch ages out. | 5.9.0-5.12.1 | |
| 3835635 |
When adaptive routing is enabled, traffic for non adaptive routing enabled ports and non adaptive routing ECMPs might be routed over all ports in ECMP. Avoid using regular ECMPs with adaptive routing enabled on the switch. | 5.9.0-5.12.1 | |
| 3819945 |
When you connect an NVIDIA SN4410, SN4700, or SN5600 switch to any Spectrum 1, Spectrum-2, or Spectrum-3 peer switch (with four lanes) using a 4x breakout configuration and the default lanes per port setting, links do not come up. To work around this issue, provide the lanes per port configuration shown below:cumulus@switch:~$ nv set interface |
5.9.0-5.12.1 | |
| 3818545 |
The terminal monitoring software SecureCRT has a known issue when running on both Windows and Mac systems where it gets stuck when monitoring the serial port of the switch as Cumulus Linux boots up. When this occurs, the serial port stops as shown below and SecureCRT is unable to receive any more serial data from the switch (it is able to transmit).Mounting dev-hugepages.mount - Huge Pages File System.. |
5.9.0-5.12.1 | |
| 3774274 |
When you manually configure the /etc/cumulus/datapath/qos/qos_features.conf file without applying the QoS configuration with NVUE, running the nv config apply empty command later does not clean up the QoS configuration. If the QoS configuration includes breakout ports, the nv config apply empty command fails due to a switchd reload trigger failure. To work around this issue, clean up the configuration manually in the /etc/cumulus/datapath/qos/qos_features.conf, then run the nv config apply empty command. |
5.8.0-5.12.1 | |
| 3773177 |
When you try to upgrade a switch from Cumulus Linux 5.5 or earlier to 5.8.0 or later with package upgrade, you see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb |
4.0.0-4.4.5, 5.0.0-5.12.1 | |
| 3771168 |
When you perform an ISSU upgrade on a Spectrum 1 switch, the switchd service might crash. |
5.8.0-5.12.1 | |
| 3677533 |
Due to resource constraints on the Spectrum 1 switch, staticd performance drops and takes longer to read static routes compared to the time BGP takes to complete a graceful restart and advertise routes and EOR to its helpers. As a result, static routes are advertised after the EOR is sent to graceful restart helpers, which delete the stale static routes and relearn them after receiving the EOR from the restarting node. Temporary traffic loss might occur. |
5.7.0-5.12.1 | |
| 3655681 |
When you disable, then enable STP auto-edge on a port, the port might not transition to the operational edge even though the port does not receive bpdus. To work around this issue, configure the port as an admin-edge port. | 5.7.0-5.12.1 | |
| 3637444 |
Applying an inbound control plane ACL on the eth0 management interface does not take effect. To work around this issue, apply the ACL on the mgmt interface; for example, nv set interface mgmt acl . |
5.7.0-5.12.1 | |
| 3591918 |
The nv action disconnect system aaa user command does not clear all the open sessions. To work around this issue, run the command as many times as the number of sessions to clear all the sessions. |
5.6.0-5.12.1 | |
| 3587393 |
If you use the NVIDIA SN5600 (Spectrum-4) switch with Ixia test equipment, you might experience delayed link up due to intermittent link flaps. To work around this issue when using copper cables:
To work around this issue when using fiber cables:
|
5.6.0-5.12.1 | |
| 3556762 |
On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.12.1 | |
| 3540510 |
400Gx8 ports only support traffic line rate with packets that are larger than 172 bytes. | 5.6.0-5.12.1 | |
| 3538321 |
In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.12.1 | |
| 3497622 |
When you remove PSUs, then plug them back in, you might experience traffic loss and some ports might be in a down state. | 5.6.0-5.12.1 | |
| 3472163 |
On a switch with the Spectrum-4 ASIC, packets that are smaller than 256 bytes are not included in multicast flows. Multicast flows support packets that are 256 bytes or larger. | 5.6.0-5.12.1 | |
| 3444490 |
Migration from ONYX to Cumulus Linux is supported and tested with ONYX version 3.10.4302 GA only. | 5.6.0-5.12.1 | |
| 3442569 |
When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. |
5.5.0-5.12.1 | |
| 3430430 |
When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.12.1 | |
| 3424967 |
sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don’t run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo … to execute the sudo command. |
5.0.0-5.12.1 | |
| 3420056 |
The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.12.1 | |
| 3362113 |
If you restore an NVUE startup.yaml file or run the nv config patch command after an upgrade that includes breakout ports with QoS configuration, the NVUE configuration fails to apply. Subsequent attempts to run nv config apply fail with a message similar to Invalid config [rev_id: 11] qos config is not supported on the following invalid interface: swp1s0. Supported on swp and bond interface types. To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. |
5.4.0-5.12.1 | |
| 3347538 |
When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.12.1 | |
| 3341214 |
If you use the NVUE REST API to configure a local user with a hashed password, the user cannot log in and the /etc/nvue.d/startup.yaml file shows the password as plain text. |
5.4.0-5.12.1 | |
| 3329518 |
When using TACACS+, if the /etc/nsswitch.conf file specifies passwd: files tacplus (files is listed before tacplus), a user that is present in both the local /etc/passwd file and the TACACS+ server cannot log into the switch. NVIDIA recommends that when using TACACS+, you list tacplus before files in /etc/nsswitch.conf. When using NVUE, ensure that tacacs has priority over local. |
5.4.0-5.12.1 | |
| 3327477 |
If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. |
3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.12.1 | |
| 3326659 |
If you have a large number of MAC addresses, they do not age out at the MAC ageing timeout value configured on the switch. It might take up to 30 seconds more for the MAC addresses to age out and be deleted from the hardware. To work around this issue, wait for the ageing timeout value plus 30 seconds. | 5.4.0-5.12.1 | |
| 3253218 |
Auto-negotiation isn’t supported on Spectrum-2 and Spectrum-3 switches using the 1G SFP-T module; FORCE 1G is configured instead. | 5.4.0-5.12.1 | |
| 3241567 |
When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time. |
5.3.0-5.12.1 | |
| 3226506 |
The l1-show eth0 command does not show port information and is not supported in this release. |
5.3.0-5.12.1 | |
| 3225117 |
Occasionally, packet losses might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.12.1 | |
| 3172504 |
When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.12.1 | |
| 3147782 |
You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUNDTo work around this issue, reference the OID without the preceding period ( . ) in the command. |
5.3.0-5.12.1 | |
| 3145869 |
On a Spectrum-3 switch, the PTP offset in 10GbE changes between +-27. The average offset is around 7. | 5.2.0-5.12.1 | |
| 3135952 |
PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed <port_speed> autoneg off lanes <no_of_lanes> command. For example: cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 |
5.2.0-5.12.1 | |
| 3115242 |
When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. |
5.1.0-5.12.1 | |
| 3103821 |
On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.12.1 | |
| 3084476 |
After you disable traffic shaping in the /etc/cumulus/datapath/qos/qos_features.conf file, the default QOS traffic shaping configuration does not restore. To work around this issue, restart switchd. |
4.4.3, 5.0.0-5.12.1 | 4.4.4-4.4.5 |
| 3084027 |
Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware. |
4.3.0-4.4.5, 5.0.0-5.12.1 | |
| 3071652 |
On rare occasions, after you reboot or restart switchd on a Spectrum 1 switch, any 25G connections with Direct Attach Copper (DAC) cables that connect from the switch to a non-NVIDIA device might flap continuously. To work around this issue, bring the affected link administratively down for a few seconds on the non-NVIDIA device, then bring the link back up. |
4.4.4-4.4.5, 5.1.0-5.12.1 | |
| 3061656 |
When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.12.1 | |
| 2972540 |
With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.12.1 | |
| 2964279 |
When a VNI flaps, an incorrect list of layer 2 VNIs are associated with a layer 3 VNI. The NCLU net show evpn vni detail command output shows duplicate layer 2 VNIs under a layer 3 VNI. |
3.7.15, 4.4.2-4.4.5, 5.0.0-5.12.1 | 3.7.16 |
| 2951110 |
The net show time ntp servers command does not show any output with the management VRF. |
3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.12.1 | |
| 2932083 |
CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document filesare processed Vulnerable: <= 9.27~dfsg-2+deb10u4Fixed: 9.27~dfsg-2+deb10u5 |
5.0.0-5.12.1 | 4.4.3-4.4.5 |
| 2904450 |
When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. |
4.4.0-4.4.5, 5.0.0-5.12.1 | |
| 2891255 |
CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file. Vulnerable: <= 2.6.20-0+deb10u1 Fixed: 2.6.20-0+deb10u2 |
4.0.0-4.4.1, 5.0.0-5.12.1 | 4.4.2-4.4.5 |
| 2890681 |
CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code Vulnerable: 2.6.0+dfsg.1-1Fixed: 2.6.0+dfsg.1-1+deb10u1 |
4.0.0-4.4.1, 5.0.0-5.12.1 | 4.4.2-4.4.5 |
| 2885305 |
Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.12.1 | |
| 2867042 |
When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.12.1 | |
| 2823307 |
Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.12.1 | |
| 2736108 |
When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. |
4.4.0-4.4.5, 5.0.0-5.12.1 | |
| 2684925 |
The NVUE nv show vrf default router bgp peer command produces a 404 not found error. |
4.4.0-4.4.5, 5.0.0-5.12.1 | |
| 2671652 |
In VXLAN routing environments, you might experience sub-optimal route convergence delays (longer than five seconds) when a prefix transitions to a new ECMP next-hop group. This condition might occur when a VTEP loses ECMP routes through all uplink peerings, then installs the routes through a different path, such as an MLAG peerlink. | 4.4.0-4.4.5, 5.5.0-5.12.1 |
Fixed Issues in 5.12.0
| Issue ID | Description | Affects |
|---|---|---|
| 4280823 |
When you configure an invalid switch port (swp), NVUE adds the invalid configuration instead of rejecting it. The invalid interface in the configuration does not have any functional impact. | |
| 4277143 |
After a factory reset with the nv action reset system factory-default force command, RADIUS does not fully reset; the radius-cmd-acct package is not installed correctly and includes missing files. In addition, /etc/pam.d/common-auth is incorrect. |
5.11.0 |
| 4270957 |
Optimized (two partition) upgrade from Cumulus Linux 5.11.0 requires approximately 2.4 Gbytes of free space in /var after downloading the image with NVUE commands instead of 1.6 Gbytes of free space. Upgrade needs the extra space for an additional copy of the downloaded image in /var . |
5.11.0 |
| 4256151 |
After rebooting the spine switch in an EVPN multihoming configuration, the BGP EVPN Type-2 entry is missing, which causes flooding and duplicates in the fabric. To work around this issue, flush the IP neighbor entries with the sudo ip neigh flush x.x.x.x command. |
5.9.1-5.11.0 |
| 4251984 |
NVUE prevents you from setting the IPv6 RA lifetime to 0 (zero). Use vtysh mode to apply the setting. | 5.11.0 |
| 4251315 |
When you enable NAT dynamic mode and NAT rules with NVUE in a single commit, you see the error error: hw sync failed (Dynamic NAT is not enabled. Ignoring rules..). To work around this issue, enable dynamic NAT with NVUE in one commit, then add NAT ACL rules in a subsequent commit. |
5.11.0 |
| 4250847 |
When the STP state goes down, then back up on the primary MLAG peer, the peerlink state is not updated correctly in mstpd. |
5.8.0-5.11.0 |
| 4242756 |
A Python version change removed the encoding argument parameter of the json loads function, which causes an exception. | 5.11.0 |
| 4240584 |
When you enable SNMP, Cumulus Linux enables and creates an agentx user called debian-snmp automatically for FRR. As a result, TACACS sends log messages similar to the following:«sudo: nss_tacplus: TACACS+ server 10.23.1.0:49 read failed (-3) for user Debian-snmp: Success» To work around this issue, manually add the debian-snmp user to the TACACS configuration exclude_users list so that TACACS ignores this user. |
5.11.0 |
| 4220393 |
The default GRUB timeout style changed from menu to countdown. When booting, a countdown displays on the console and you can use the escape key to break out of the countdown and show the GRUB menu. This reduces the chance of console noise halting the reboot process. If you press the escape key twice, you might go to the GRUB command line. In this case, type normal to get back to the GRUB menu or reboot to reboot the switch. |
5.11.0 |
| 4220147 |
When you bring STP down, then up on the primary MLAG peer, the STP state machine restarts and the peerlink operational edge resets. As a result, the secondary MLAG peer ends up in an STP discarding state. To work around this issue, restart the clagd service. |
5.8.0-5.11.0 |
| 4209429 |
Unreachable or reject routes might not get installed into the SDK. | 5.11.0 |
| 4208746 |
When using the REST API to move a port from one bridge to another bridge, the bridge-vlan configuration on the port might be programmed incorrectly. To resolve the issue, run the ifreload -a command. |
5.9.1-5.11.0 |
| 4207037 |
NVUE Rest API calls that are authenticated with TACACS on the switch append unnecessary database entries to the /run/tacacs_clent_map file, which increases the file size. Over time, this increases the TACACS login authentication time, resulting in delayed login authentication.To work around this issue, delete the tacacs_client_map file with the sudo rm rf /run/tacacs_client_map command. |
5.11.0 |
| 4205060 |
Debian 12 does not support LDAP SSL CRL check. Cumulus Linux now uses CRL file. | 5.11.0 |
| 4203794 |
The nv show platform transceiver command sometimes does not show transceiver data for layer 3 Dot1q subinterfaces (such as swp2.10). To work around this issue, run the ethtool -m command. |
5.11.0 |
| 4203784 |
Under unique hardware failure conditions, when the ASIC temperature sensor read fails repeatedly, the fans are set to twenty percent, which might not be high enough to maintain proper ASIC cooling, resulting in a thermal shutdown. | 5.11.0 |
| 4200758 |
The nv show service ntp command shows the peers that are discovered together with the configured NTP servers instead of displaying only the NTP configuration. As a result, the applied and operational columns have different values, which causes confusion. |
5.11.0 |
| 4199734 |
The nv show system ztp command might report an error when you use a system local that represents time differently from %a %b %d %H:%M:%S %Y %Z. |
5.11.0 |
| 4199125 |
ZTP scripts return an error due to incorrect ASCI to UTF-8 conversion. | 5.11.0 |
| 4198683 |
Configuring the listening-address for the SNMP server fails for IP addresses associated with VRFs other than the management VRF. | 5.11.0 |
| 4195240 |
Cumulus Linux installs and runs the atftpd program by default but cannot access it because a /tftpboot directory is missing. |
5.9.2-5.11.0 |
| 4185962 |
When you change the VRR MAC address, switchd crashes. This occurs because deleting an old VRR MAC address triggers a neighbor update that changes the ECMP container resolution, which results in route entry updatesThis happens in async mode, where the end notification expected after an end of operation is missing. |
5.9.2-5.11.0 |
| 4185426 |
When you add a new MLAG bond, the BPDU guard state of its peer is initialized to False and immediately updated correctly after resync if the bond is up. If the bond is down, resync is not done and the peer PBDU guard state is not updated, which leads to a conflict if the local PBDU guard is enabled. Even though it seems that PBDU configuration does not match between MLAG peers, this issue does not have any functional impact. It gets cleared when the bond becomes up. |
5.9.2-5.11.0 |
| 4184845 |
Stale Next Hop Groups are left in the kernel resulting in polarized Adaptive Routing traffic. | 5.10.1-5.11.0 |
| 4183214 |
If you upgrade the switch from Cumulus Linux 5.9.x or 5.10.x with package upgrade and Radius is enabled, you see configuration and commit errors. To avoid this issue, either disable Radius during package upgrade or disable Radius before package upgrade with the sudo adduser –system –group –home /run/nslcd –no-create-home –gecos ‘nslcd name service LDAP connection daemon’ nslcd command. |
5.11.0 |
| 4182753 |
When you configure the SPAN port mirror truncate size to a value greater than four and less than the supported minimum, NVUE allows the configuration even though there are errors and failures in the mirror session configuration. The supported values for truncate size are 32 to 4088 for Spectrum 1, 48 to 4088 for Spectrum-2 and Spectrum-3, and 64 to 4088 for Spectrum-4. To work around this issue, run the echo <supported_value> > /cumulus/switchd/config/mirror/session/1/truncate_size command before you reconfigure mirror sessions with the supported values. |
5.8.0-5.11.0 |
| 4176931 |
The nv show platform firmware command results in a Python traceback and takes a long time to complete because the VX image does not support the smartctl utility. |
5.11.0 |
| 4175695 |
If all of the neighbors returned in the nv show vrf command output have no address-family configuration, you see an internal error when the nested table in the output is being rendered. |
5.10.0-5.11.0 |
| 4174646 |
On the NVIDIA SN5400 and SN5600 switch, the fans might run at full speed when it is not necessary. | 5.10.1-5.11.0 |
| 4170628 |
If you use a bridge name other than br_default, PTP neighbors fail to establish because the PTP packets are sourced from an unexpected IP address.To work around this issue, configure the base-interface for the VLAN interface with the nv set interface command. |
5.10.0-5.11.0 |
| 4159554 |
When you configure EVPN multihoming with more than one ESI bond member, you might see intermediate traffic loss. | 5.9.1-5.11.0 |
| 4156332 |
On the Spectrum-4 switch, switchd might crash with the following log message:CRIT Restarting switchd to recover from SDK health event: FW Long Command |
5.10.1-5.11.0 |
| 4151336 |
After you reboot the switch, the ifplugd.service fails to start monitoring the interface. | 5.8.0-5.11.0 |
| 4150508 |
When there is a large number of discontiguous VTEP to VLAN mappings, switchd crashes with a Netlink error similar to the following:
|
5.10.1-5.11.0 |
| 4134174 |
If you configure a route map by attaching it to a specific protocol, then you detach it from that protocol, if you then attach the same route map to all protocols, then detach it from all protocols, Cumulus Linux deletes routes from the forwarding table. To work around this issue, either attach the route map to all protocols or attach the route map to each protocol you want to use. For example, to attach the route map to all protocols, run the nv set vrf command. To attach the route map to each protocol you want to use, run the nv set vrf command. |
5.11.0 |
| 4130022 |
LDAP does not support per-command authorization. | 5.11.0 |
| 4127932 |
After you run the nv action install system image command or the cl-image-upgrade -u command, if you run the command a second time to upgrade to a different image, the upgrade might fail because there are leftover /var/install/sys mounts. To resolve this issue, either reboot before you retry image upgrade or run the following commands :cumulus@switch:~$ sudo mount –make-rslave /var/installer/sys |
5.11.0 |
| 4127315 |
If you set BGP community-advertise large to off with NVUE, large communities are still sent to BGP peers. To resolve this issue, NVUE has changed the default value of community-advertise large from off to on. | 5.11.0 |
| 4122591 |
The NVUE nv set system aaa ldap ssl ca-list command shows the following error if you use the string option:Error: At ca-list: ‘/etc/ssl/certs/ca-cert.crt’ is not one of [‘default’, ‘none’] |
5.11.0 |
| 4115126 |
When IPv4 layer 3 switch ports and virtual interfaces flap, switchd might send an ICMP Reply message instead of an ARP request (although no ICMP request was sent). Multiple ICMP Replies might be sent to any of the neighbor IP addresses of that interface. |
5.9.2-5.11.0 |
| 4101560 |
The nv set vrf command only works if you restart FRR after you run the command. To work around this issue, attach the route map to each needed protocol; for example, run the nv set vrf command. |
5.11.0 |
| 4052578 |
When you perform a binary upgrade from Cumulus Linux 5.8 or earlier to 5.9.0 or later with a pre-staged startup.yaml file, the cumulus user password is reset to the default password because there is no default startup.yaml file present in 5.8.0 or earlier. To work around this issue, generate the startup.yaml file from the existing NVUE configuration. |
5.9.2-5.11.0 |
| 3844670 |
When you configure TACACS with NVUE or merge in an NVUE configuration file including TACACS configuration with the nv config patch command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with the systemctl restart nvued.service command. |
5.9.0-5.11.0 |