Cumulus Linux 5.5 Release Notes
Download all 5.5 release notes as .xls
5.5.1 Release Notes
Open Issues in 5.5.1
| Issue ID | Description | Affects | Fixed |
|---|---|---|---|
| 4004453 |
The NVUE commands to delete SNMP users, and change authentication passwords and encryption passphrases are not successful. | 4.3.0-5.9.1, 5.10.0-5.10.1 | 5.9.2 |
| 3982222 |
When SPAN is enabled on a bridge member, an ARP or Gratuitous ARP received during a failover event between locally attached redundant devices such as load balancers might fail to update the bridge MAC table to point to the interface with the newly active load balancer. | 5.4.0-5.9.1 | 5.9.2-5.10.1 |
| 3949367 |
If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. | 5.3.1-5.9.1 | 5.9.2-5.10.1 |
| 3917601 |
If a packet containing an all zero source MAC address (00:00:00:00:00:00) is learned on the ASIC, switchd sends the learn notification to the kernel but the kernel rejects the MAC address as invalid. The ASIC continuously sends the mac-learn notifications, which wastes CPU resources. To work around this issue, configure ACLs to match on the all-zero source MAC address and drop the invalid packets. |
5.5.0-5.9.1 | 5.9.2-5.10.1 |
| 3895042 |
After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command#snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a |
4.4.0-5.9.1 | 5.9.2-5.10.1 |
| 3859422 |
On rare occasions when certain events occur, such as changes to the topology in the network, when a bond comes online and directly transits to an STP blocking state, the slave ports might still be in a forwarding state. As a result, traffic is forwarded on a blocked port. | 5.2.0-5.9.1 | 5.9.2-5.10.1 |
| 3773177 |
When you try to upgrade a switch from Cumulus Linux 5.5 or earlier to 5.8.0 or later with package upgrade, you see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb |
4.0.0-4.4.5, 5.0.0-5.10.1 | |
| 3765395 |
The nv unset nve vxlan flooding and nv set nve vxlan flooding enable off commands do not disable BUM flooding. To work around this issue, disable BUM flooding with vtysh commands:leaf01# configure terminal |
5.5.0-5.8.0 | 5.9.0-5.10.1 |
| 3751952 |
ifupdown2 tries to set the multicast database hash elasticity (bridge-hashel attribute) with a value of 4096. However, this attribute is now deprecated in the Linux kernel and the value is always 16. |
5.5.1-5.7.0 | 5.8.0-5.10.1 |
| 3739008 |
The Lenovo MSN4600-VS2RC (PN SSG7B27990 Back-to-Front/C2P Airflow) might run the fan tray fans at a high speed because the software believes the PSU fans are running in the wrong direction. | 5.5.1-5.8.0 | 5.9.0-5.10.1 |
| 3730904 |
When sending untagged frames to the CPU with an MTU higher than the SVD (single VXLAN device) MTU, the kernel might crash. | 5.4.0-5.8.0 | 5.9.0-5.10.1 |
| 3715651 |
If you run NVUE commands to configure PIM for a VRF before you create the VRF, PIM does not create the pimreg device and the pimd service crashes. |
5.5.1 | 5.6.0-5.10.1 |
| 3713419 |
When monitoring system statistics and network traffic with sFlow, an aggressive link flap might produce a memory leak in the sFlow service hsflowd. |
5.1.0-5.7.0 | 5.8.0-5.10.1 |
| 3702431 |
Traditional SNMP snippets do not take effect unless you first enable SNMP with the NVUE nv set service snmp-server enable on and nv set service snmp-server listening-address commands. Alternatively, you can use the equivalent REST API methods. |
5.4.0-5.8.0 | 5.9.0-5.10.1 |
| 3696061 |
When the MAC address of a neighbor changes, the zebra IP routing manager might crash. |
5.2.1-5.6.0 | 5.7.0-5.10.1 |
| 3695541 |
When applying a full configuration with NVUE that includes VRRP and BGP in VRFs, the VRRP configuration does not come up after you run nv config apply. BGP routes might also be missing. This issue only happens during the initial nv config apply of a full configuration, not during a normal initialization during a reboot or FRR restart. To work around this issue, reboot or restart FRR. |
5.5.1 | 5.6.0-5.10.1 |
| 3695430 |
When you configure extended nexthop encoding for a peer group, the peers in the group do not inherit the configuration. To work around this issue, configure extended nexthop encoding on each individual peer in the group. NVIDIA recommends that you upgrade to Cumulus Linux 5.6 or later to avoid this issue. | 5.4.0-5.6.0 | 5.7.0-5.10.1 |
| 3684998 |
DHCP lease information is not collected in the cl-support file. |
4.3.0-5.6.0 | 5.7.0-5.10.1 |
| 3668939 |
When you enable MIB 1.3.6.1.4.1.40310.1 in the snmpd.conf file, you might see high CPU usage by the snmpd service. |
5.5.1-5.6.0 | 5.7.0-5.10.1 |
| 3663182 |
Changing non-default BGP timers with NCLU or vtysh commands sets the hold time and keep alive interval to 0 seconds. To work around this issue, restart the FRR service with the sudo systemctl restart frr.service command. |
5.3.1-5.6.0 | 5.7.0-5.10.1 |
| 3647426 |
If BGP remote-as is set to an integer and you try to configure the local-as for a BGP instance, you see the following error:% AS specified for local as is the same as the remote as and this is not allowedThis configuration is not allowed; it is considered to be eBGP and local preference is not advertised. |
5.0.0-5.5.1 | 4.3.2-4.4.5, 5.6.0-5.10.1 |
| 3630492 |
On the NVIDIA SN2201 switch, the ledmgrd -d command output shows the system and PSU LED status as orange when the physical LED is green. |
5.5.1-5.7.0 | 5.8.0-5.10.1 |
| 3616338 |
When you reboot an MLAG switch with 3000 or more VNIs, there might be extended traffic loss during reboot. To work around this issue, configure the clagd service initDelay to 300 seconds with the nv set mlag init-delay 300 command. |
5.5.1-5.6.0 | 5.7.0-5.10.1 |
| 3613258 |
With VM migration from one VTEP to another, traffic loss might occur during a MAC move as locally learned MAC addresses are frequently refreshed between switchd and the kernel. |
5.2.1-5.6.0 | 5.7.0-5.10.1 |
| 3610967 |
In an EVPN symmetric routing configuration, running the NVUE nv set vrf command to derive layer 3 VNIs automatically might result in duplicate VLAN entries in the system. This most often occurs at scale when many VRFs have similar names. To work around this issue, manually specify a unique VLAN for each VRF. |
5.3.0-5.8.0 | 5.9.0-5.10.1 |
| 3610611 |
Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf ping command to use a source address (such as an SVI address) with the ip vrf exec command. |
5.5.0-5.6.0 | 5.7.0-5.10.1 |
| 3609128 |
When you use vi with root or sudo, visual mode is enabled by default due to a missing vimrc configuration file. This makes it difficult to copy and paste into vi. In CL5.7.0, the default configuration now includes set mouse-=aIn addition, the CL5.7.0 default configuration for vi now disables modelines, which can be a security risk. |
5.5.0-5.6.0 | 5.7.0-5.10.1 |
| 3606739 |
The thermal control service, hw-management-tc.service, stops and switch fan speeds run at 100% when the ASIC temperature can’t be read. This can occur if the SDK is not started. |
5.5.1-5.6.0 | 5.7.0-5.10.1 |
| 3603237 |
If the secondary MLAG peer continuously reboots, you might experience momentary traffic loss. | 5.5.1-5.6.0 | 5.7.0-5.10.1 |
| 3599699 |
Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the ping command to use a source address (such as an SVI address) with the ip vrf exec command. |
5.5.0-5.6.0 | 5.7.0-5.10.1 |
| 3597456 |
NVUE does not allow you to use the reserved name lo in an interface name. |
5.5.1-5.6.0 | 5.7.0-5.10.1 |
| 3585467 |
NVUE and ip link show traditional bridge VLAN subinterface counts incorrectly. The ingress (Rx) count increments correctly but the egress (Tx) count does not increment. This issues occurs because the hardware does not support transmit counters for a VLAN subinterface; therefore, no statistics from the hardware are updated. Statistics for software forwarded packets show correctly. |
5.0.0-5.6.0 | 5.7.0-5.10.1 |
| 3582826 |
When you enable the FRR SNMP agent (agentx) and configure routing adjacencies with short timers (dead, keepalive, and hold time), the routing adjacencies might go down in certain scenarios; for example when you have frequent or concurrent client SNMP requests, you use custom SNMP MIB extensions, you poll OIDs with large responses, or during high CPU load. To work around this issue, you can increase the routing adjacency timers to accommodate SNMP processing. | 5.5.0-5.6.0 | 5.7.0-5.10.1 |
| 3580435 |
On the NVIDIA SN2410 switch with an Innodisk SSD, you might see the following message in syslog:smartd[501]: Device: /dev/sda [SAT], CHECK POWER STATUS spins up disk (0x00 -> 0xff)This is a cosmetic issue and does not affect how the switch operates. To prevent this message from occurring, run the hdparm -S 24 /dev/sda command to change the HD timeout. |
5.3.1-5.6.0 | 5.7.0-5.10.1 |
| 3576961 |
The NVUE command to clear all ACL counters at once is not available. To work around this issue, run the cl-acltool -Z all command to reset the statistics for all ACL rules. |
5.5.1-5.6.0 | 5.7.0-5.10.1 |
| 3573800 |
After you apply a change to the router MAC address on an SVI with the ifreload -a command, the old router MAC address still remains in the FDB table. To work around this issue, remove the old router MAC address with the sudo bridge fdb del <old_mac> dev bridge vlan <vlan_id> command. |
5.3.1-5.6.0 | 5.7.0-5.10.1 |
| 3572580 |
You cannot set a VLAN match and a MAC protocol IPv4 match in a MAC type ACL rule. To apply ACLs with a VLAN match and layer 3 header matches ( IPV4/IPV6), you need to use type ipv4 or ipv6 ACLs with the VLAN match specified. |
5.5.1 | 5.6.0-5.10.1 |
| 3572566 |
The NVUE nv action commands are missing from nv list-commands output. |
5.5.1 | 5.6.0-5.10.1 |
| 3567708 |
In an EVPN multihoming environment with VRRP, when the master VRRP router fails, the standby router takes around 30 seconds to become active. | 5.3.1-5.6.0 | 5.7.0-5.10.1 |
| 3566980 |
When running DHCP relay for IPv6 and a downstream interface flaps more than once, relaying might stop working. To recover, restart the dhcrelay6 service, making sure the specified downstream interfaces are up and running. |
5.5.0-5.6.0 | 5.7.0-5.10.1 |
| 3560622 |
When you configure a route distinguisher (RD) or a route target (RT) manually for layer 2 VNIs, type-1 routes are not properly updated, type-1 EVI routes with the old RD are not properly withdrawn, and type-1 ES routes do not have the corresponding layer 2 VNI route target updated. | 5.0.0-5.5.1 | 5.6.0-5.10.1 |
| 3556762 |
On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.10.1 | |
| 3554231 |
CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009 Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that “agent forwarding should be enabled with caution”), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P ‘') For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. |
4.0.0-4.3.1, 5.0.0-5.10.1 | 4.3.2-4.4.5 |
| 3549138 |
In an EVPN environment with ARP suppression enabled, when a host sends a unicast ARP request to a remote host, the ARP reply is duplicated. It is replied once by the remote host and once by the VTEP. | 5.5.0-5.5.1 | 5.6.0-5.10.1 |
| 3541912 |
Collecting a cl-support file in a high VNI and interface environment can result in an out-of-memory (OOM) event on the switch. An OOM event can cause critical services to restart and might impact traffic. |
5.1.0-5.5.1 | 5.6.0-5.10.1 |
| 3541518 |
When you remove the update-source configuration for a BGP neighbor, the peering is reset if the neighbor is a member of a peer group with the same update-source configuration. |
5.5.0-5.5.1 | 5.6.0-5.10.1 |
| 3538497 |
In an EVPN symmetric routing configuration, after rebooting a switch that uses VLAN 1 for a layer 3 VNI, traffic forwarding for VLAN 1 fails. To work around this issue, restart the FRR service with the sudo systemctl restart frr.service command. |
5.5.0-5.5.1 | 5.6.0-5.10.1 |
| 3534718 |
The BGP command to suppress longer prefixes inside the aggregate address before sending updates (nv set vrf or vtysh router bgp ) does not suppress more specific routes from being exported into the EVPN routing table and advertised as EVPN type-5 routes. To work around this issue, announce EVPN type-5 routes by adding an additional outbound policy or export policy to filter out the more specific routes. |
5.5.0-5.6.0 | 5.7.0-5.10.1 |
| 3528359 |
A switchd assertion crash occurs after KVD resource exhaustion in the SDK because entries are in a pending delete state, which causes an ECMP allocation failure. |
5.5.0-5.5.1 | 5.6.0-5.10.1 |
| 3526004 |
For layer 3 VNIs, Cumulus Linux automatically creates an SVI name that includes an underscore (for example, vlan4036_l3), which is not allowed in SVI names. As a result, commands such as nv show interface for the SVI show an error. The underscore (_) character is now allowed in SVI names. |
5.5.0-5.5.1 | 5.6.0-5.10.1 |
| 3522524 |
FRR does not allow eBGP multi hop configuration on unnumbered BGP neighbors. | 5.5.0-5.6.0 | 5.7.0-5.10.1 |
| 3520511 |
If you apply EVPN multihoming configuration such as es-df-pref, es-id and es-sys-mac with vtysh after you remove a bond interface that is part of a bridge and run ifreload -a, FRR crashes. To work around this issue, do not remove a bond from a bridge before you configure EVPN multihoming with vtysh. |
5.5.1 | 5.6.0-5.10.1 |
| 3517376 |
When you use CMIS specification based optics, the l1-show command output provides incorrect values for digital diagnostics (TX Power and RX Power). To work around this issue, run the mlxlink command with either the -m or –cable –ddm flags. |
5.5.0-5.5.1 | 5.6.0-5.10.1 |
| 3509445 |
If a BGP numbered session is in a non-established state, SNMP walk commands to the system might time out when the BGPVRF MIB is included in the OIDs to collect. In addition, FRR might report warnings about AgentX in the log files. | 5.5.0-5.5.1 | 5.6.0-5.10.1 |
| 3498939 |
In an EVPN environment, VM migration (IP and MAC address migration) might not work because the new local VTEP to which the VM migrates does not install the entry in the kenel. To work around this issue, restart the switchd service. |
5.4.0-5.5.1 | 5.6.0-5.10.1 |
| 3496931 |
When you update a prefix list associated with an RP, the pimd service might crash if the prefix list exists without any prefixes. To work around this issue, ensure that any prefix list associated with an RP includes at least one prefix at all times. |
5.3.1-5.5.1 | 5.6.0-5.10.1 |
| 3496889 |
When PTP is not enabled on the switch, NVUE nv show ptp commands freeze. This might cause other NVUE commands to fail and the NVUE service to restart. |
5.3.1-5.5.1 | 5.6.0-5.10.1 |
| 3495630 |
The NVUE nv show service ptp command output shows an incorrect value. To work around this issue, run the nv show service ptp command or the Linux pmc utility. |
5.3.1-5.5.1 | 5.6.0-5.10.1 |
| 3488136 |
When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf command. |
4.2.1-5.5.1 | 5.6.0-5.10.1 |
| 3486102 |
SNMP and TACACS secrets are shown in cleartext. | 5.5.0-5.5.1 | 5.6.0-5.10.1 |
| 3484058 |
When you power on the NVIDIA SN3420 switch with no connected cables, the QSFP ports LEDs light in amber. | 5.3.0-5.8.0 | 5.9.0-5.10.1 |
| 3479786 |
The switchd service does not handle certain route and next hop updates, which causes a synchronization loop. For example, in a VRF route leaking configuration, where a next hop group spans across multiple VRFs, when one of the routes is withdrawn and the next hop is no longer used, switchd has problems synchronizing other next hops in the groupTo work around this issue, disable next hop groups in zebra with the vtysh zebra nexthop proto only command, and then reboot the switch. |
5.3.0-5.5.1 | 5.6.0-5.10.1 |
| 3474391 |
The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. |
4.3.1-5.5.1 | 5.6.0-5.10.1 |
| 3472865 |
The json output for the vtysh -c ‘show bgp all json command is missing a string key in front of the list of routes under the l2vpnevpn address family. |
5.4.0-5.5.1 | 5.6.0-5.10.1 |
| 3471052 |
On certain QSFP-DD and OSFP optical modules, the ethtool -m command, and the related NCLU and NVUE commands that display optical module information fail. |
5.4.0-5.5.1 | 5.6.0-5.10.1 |
| 3467890 |
BGP aggregate routers are not advertised after learning the same route from another protocol. To work around this issue, restart the FRR service or, if possible, don’t learn the route from another protocol (use route maps instead). | 5.3.0-5.5.1 | 5.6.0-5.10.1 |
| 3466703 |
In rare cases when there is high load, the clagd service might experience a buffer overflow and MLAG bonds stay in a proto-down state on the secondary switch. You see a “NetlinkThread: Netlink overflow” log message and the MLAG state indicates VLAN conflicts between peers. To work around this issue, restart the clagd service with the sudo systemctl restart clagd command on the switch that reports the overflow log message. |
5.2.0-5.5.1 | 5.6.0-5.10.1 |
| 3459696 |
If you run the NVUE nv show vrf command when the BGP instance is not enabled, you see an NVUE traceback error. |
5.4.0-5.5.1 | 5.6.0-5.10.1 |
| 3455078 |
When you bring down or delete a bridge or all interfaces on the switch, you see the following error message in the /var/log/switchd.log file:ERR bridge destroy for vlanThe errors are temporary and have no impact on functionality or traffic. |
5.5.0-5.5.1 | 5.6.0-5.10.1 |
| 3452763 |
When you use the NVUE API with TACACS+, users might see a 403 Forbidden message if no TACACS+ user has logged in some other way, such as with SSH. To work around this issue, log in any TACACS+ user through SSH before you use the NVUE API with TACACS+ users, or run the following commands:cumulus@switch:~$ sudo touch /run/tacacs_client_mapcumulus@switch:~$ sudo chown root:shadow /run/tacacs_client_mapcumulus@switch:~$ sudo chmod 0644 /run/tacacs_client_map |
5.5.0-5.5.1 | 5.6.0-5.10.1 |
| 3452732 |
The nv set router policy ext-community-list command does not generate the standard based BGP community list. As a result, routes do not match the expected community list. To work around this issue, create a snippet to add the policy configuration to the /etc/frr/frr.conf file, then patch the configuration. For example:cumulus@switch:~$ sudo nano frr_policy.yaml- set: cumulus@switch:~$ nv config patch frr_policy.yaml |
5.5.0-5.6.0 | 5.7.0-5.10.1 |
| 3452681 |
When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND. |
5.5.0-5.10.1 | |
| 3448984 |
If you use NVUE to apply a configuration when the optional TACACS+ packages are not installed on the switch, you might see messages similar to the following in the /var/log/syslog file when auditd restarts (for example, when the switch reboots):audispd: Unable to stat /sbin/audisp-tacplus (No such file or directory) audispd: Skipping audisp-tacplus.conf plugin due to errorsThese messages do not affect the functionality of the switch. |
5.5.0-5.5.1 | 5.6.0-5.10.1 |
| 3447762 |
If the NVUE startup.yaml configuration file is invalid, the nv config apply startup command times out without providing details on the error. |
5.4.0-5.5.1 | 5.6.0-5.10.1 |
| 3445841 |
FRR does not apply Type-0 ESI configuration for EVPN multihoming bonds consistently after an FRR service reload. This issue occurs because the system MAC address value (es-sys-mac) is only compatible with a 3-byte Ethernet segment ID (es-id) for Type-3 ESIs, but still renders even when the Ethernet segment ID is 10 bytes for Type-0 ESIs. To work around this issue, configure EVPN multihoming bonds with a Type-3 ESI (es-sys-mac plus a 3-byte es-id). |
5.0.0-5.6.0 | 5.7.0-5.10.1 |
| 3442569 |
When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. |
5.5.0-5.10.1 | |
| 3436595 |
When using WJH, if you export dropped packets to a file in PCAP format, the file contains custom WJH header data. As a result, certain tools, such as Wireshark, cannot decode the data. To work around this issue, use the –no_metadata option with the export command:cumulus@switch:~$ what-just-happened poll –export –no_metadata |
5.4.0-5.5.1 | 5.6.0-5.10.1 |
| 3433944 |
The wjh_dissector.lua WJH packet decoder script provided with Cumulus Linux might fail to decode all WJH packets. |
5.4.0-5.5.1 | 5.6.0-5.10.1 |
| 3433577 |
When you use a single VXLAN device (SVD) with MLAG and static VXLAN tunnels, Cumulus Linux incorrectly associates the MAC addresses it learns from the VXLAN fabric to the bridge PVID. This issue can lead to a feedback loop between the clagd service and switchd, and might result in critical CPU usage with an out of memory condition. Do not use an SVD when enabling MLAG in a static VXLAN environment. |
5.5.0-5.8.0 | 5.9.0-5.10.1 |
| 3428677 |
In certain cases, Cumulus Linux does not process next hop updates because the zebra IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state. |
5.3.0-5.6.0 | 5.7.0-5.10.1 |
| 3424967 |
sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don’t run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo … to execute the sudo command. |
5.0.0-5.10.1 | |
| 3420056 |
The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.10.1 | |
| 3419940 |
When generating a cl-support file either manually or when an issue occurs on the system, you see the following kernel error messages:‘Register access failed (reg_id=0x9029, status=0x4)’ followed by a hex dump of a few linesThis error message is benign and has no functional impact. |
5.5.0-5.5.1 | 5.6.0-5.10.1 |
| 3419928 |
The NVUE PIM timer command option names keep-alive and rp-keep-alive are inconsistent and need to change to keepalive and rp-keepalive. |
5.4.0-5.6.0 | 5.7.0-5.10.1 |
| 3413785 |
To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo … to execute the sudo command using the TACACS+ server on the default VRF. |
5.0.0-5.5.1 | 5.6.0-5.10.1 |
| 3405024 |
You cannot remove PBR map configuration with source and destination rules. To work around this issue, delete the entire PBR map clause. | 5.5.0-5.6.0 | 5.7.0-5.10.1 |
| 3394674 |
If you restart FRR with the log file debugging level set to informational, BGP crashes. |
5.4.0-5.5.1 | 5.6.0-5.10.1 |
| 3393966 |
When you configure OSPF network statements using NVUE with the nv set vrf command, subsequent configuration changes with NVUE might bring down all OSPF neighbors. To work around this issue, create an NVUE snippet to configure the network statement, or use the nv set interface command to enable OSPF on interfaces instead of using a network statement. |
5.5.0-5.9.2 | 5.10.0-5.10.1 |
| 3378733 |
After you add or delete a static MAC entry on the bridge FDB, a core dump occurs if the interface is VXLAN and the MAC address is 00:00:00:00:00:00. | 5.4.0-5.5.1 | 5.6.0-5.10.1 |
| 3362113 |
If you restore an NVUE startup.yaml file or run the nv config patch command after an upgrade that includes breakout ports with QoS configuration, the NVUE configuration fails to apply. Subsequent attempts to run nv config apply fail with a message similar to Invalid config [rev_id: 11] qos config is not supported on the following invalid interface: swp1s0. Supported on swp and bond interface types. To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. |
5.4.0-5.10.1 | |
| 3347677 |
In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown. | 5.1.0-5.6.0 | 5.7.0-5.10.1 |
| 3347538 |
When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.10.1 | |
| 3344846 |
The Spectrum-3 hardware configuration is not optimized for the best PTP accuracy when using 25GbE. You might see higher than expected PTP offsets on this platforms and interface speed. | 5.4.0-5.5.1 | 5.6.0-5.10.1 |
| 3341214 |
If you use the NVUE REST API to configure a local user with a hashed password, the user cannot log in and the /etc/nvue.d/startup.yaml file shows the password as plain text. |
5.4.0-5.10.1 | |
| 3336808 |
If you run the NVUE nv set interface command without providing a description, the nv config apply command fails with the error Unable to restart services (ifreload-nvue.service). |
5.4.0-5.5.1 | 5.6.0-5.10.1 |
| 3334275 |
When you run the sensors command, the output shows an erroneous fault on some front panel ports. |
5.2.0-5.7.0 | 5.8.0-5.10.1 |
| 3329518 |
When using TACACS+, if the /etc/nsswitch.conf file specifies passwd: files tacplus (files is listed before tacplus), a user that is present in both the local /etc/passwd file and the TACACS+ server cannot log into the switch. NVIDIA recommends that when using TACACS+, you list tacplus before files in /etc/nsswitch.conf. When using NVUE, ensure that tacacs has priority over local. |
5.4.0-5.10.1 | |
| 3327477 |
If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. |
3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.10.1 | |
| 3326659 |
If you have a large number of MAC addresses, they do not age out at the MAC ageing timeout value configured on the switch. It might take up to 30 seconds more for the MAC addresses to age out and be deleted from the hardware. To work around this issue, wait for the ageing timeout value plus 30 seconds. | 5.4.0-5.10.1 | |
| 3293114 |
In Cumulus Linux 5.4 and earlier, the command to enable Neighbor Discovery (ND) router advertisement is inverted and causes confusion; nv set interface . In Cumulus Linux 5.5 and later, the command to enable router advertisement is updated to nv set interface . |
5.3.0-5.5.1 | 5.6.0-5.10.1 |
| 3266197 |
When you disable BGP globally with the nv set router bgp enable off command, applying the configuration with NVUE might fail due to an FRR reload failure. |
5.2.0-5.6.0 | 5.7.0-5.10.1 |
| 3264269 |
When you change the BGP router ID that causes a change to an EVPN VNI RD, EVPN EAD-per-EVI routes are not updated properly. | 5.3.0-5.6.0 | 5.7.0-5.10.1 |
| 3258232 |
If you use NVUE to configure multiple SNMP listener addresses at the same time, the SNMP service fails to start. To work around this issue, configure multiple SNMP listener addresses one at a time. | 5.3.0-5.6.0 | 5.7.0-5.10.1 |
| 3241567 |
When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time. |
5.3.0-5.10.1 | |
| 3232091 |
The NVUE nv unset interface command does not restore the port lane setting to the default value. To work around this issue, run the nv set interface command. |
5.4.0-5.6.0 | 5.7.0-5.10.1 |
| 3226506 |
The l1-show eth0 command does not show port information and is not supported in this release. |
5.3.0-5.10.1 | |
| 3221628 |
Cumulus Linux VX images might include an incorrect entry at the end of /etc/apt/sources.list, which produces warnings when you run apt update. Remove this entry to avoid these warnings. |
5.2.0-5.6.0 | 5.7.0-5.10.1 |
| 3187469 |
At high scale with 160 VRFs and 10 VLANs per VRF (a total of 1600 VLANs), you see traffic loss during primary switch reboot. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address. | 5.1.0-5.5.1 | 5.6.0-5.10.1 |
| 3178090 |
The cl-support generation script causes TC filter collection to run as a background process for each interface, which can lead to memory exhaustion on a high scale configuration and on a switch with a small memory footprint. |
5.1.0-5.5.1 | 5.6.0-5.10.1 |
| 3172682 |
On rare occasions, when you query the system hostname through the hostnamctl application, you see a timeout. NVUE uses the hostnamctl application to determine the system hostname, which can result in an nv config apply command failure. |
5.2.0-5.5.1 | 5.6.0-5.10.1 |
| 3172504 |
When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.10.1 | |
| 3147782 |
You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUNDTo work around this issue, reference the OID without the preceding period ( . ) in the command. |
5.3.0-5.10.1 | |
| 3145869 |
On a Spectrum-3 switch, the PTP offset in 10GbE changes between +-27. The average offset is around 7. | 5.2.0-5.10.1 | |
| 3141826 |
A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1) 1.3.6.1.2.1.47 –> Entity MIB 1.3.6.1.2.1.99 –> Entity Sensor MIB 1.3.6.1.2.1.23 –> rip2 1.3.6.1.2.1.2 –> interface/interfaces 1.3.6.1.2.1.31 –> ifMIB 1.3.6.1.2.1.4 –> IP 1.3.6.1.2.1.25 –> hostResource |
5.0.1-5.8.0 | 5.9.0-5.10.1 |
| 3135952 |
PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed <port_speed> autoneg off lanes <no_of_lanes> command. For example: cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 |
5.2.0-5.10.1 | |
| 3122301 |
On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.10.1 | |
| 3115242 |
When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. |
5.1.0-5.10.1 | |
| 3103821 |
On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.10.1 | |
| 3084476 |
After you disable traffic shaping in the /etc/cumulus/datapath/qos/qos_features.conf file, the default QOS traffic shaping configuration does not restore. To work around this issue, restart switchd. |
4.4.3, 5.0.0-5.10.1 | 4.4.4-4.4.5 |
| 3084027 |
Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware. |
4.3.0-4.4.5, 5.0.0-5.10.1 | |
| 3071652 |
On rare occasions, after you reboot or restart switchd on a Spectrum 1 switch, any 25G connections with Direct Attach Copper (DAC) cables that connect from the switch to a non-NVIDIA device might flap continuously. To work around this issue, bring the affected link administratively down for a few seconds on the non-NVIDIA device, then bring the link back up. |
4.4.4-4.4.5, 5.1.0-5.10.1 | |
| 3069069 |
When you run the systemctl reload switchd command, there is momentary traffic loss after a port configured with lossless buffers goes down. This is only temporary and the traffic stabilizes after the initial drops. |
5.1.0-5.5.1 | 5.6.0-5.10.1 |
| 3061656 |
When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.10.1 | |
| 3053094 |
When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.10.1 | |
| 2972540 |
With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.10.1 | |
| 2964279 |
When a VNI flaps, an incorrect list of layer 2 VNIs are associated with a layer 3 VNI. The NCLU net show evpn vni detail command output shows duplicate layer 2 VNIs under a layer 3 VNI. |
3.7.15, 4.4.2-4.4.5, 5.0.0-5.10.1 | 3.7.16 |
| 2951110 |
The net show time ntp servers command does not show any output with the management VRF. |
3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.10.1 | |
| 2904450 |
When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. |
4.4.0-4.4.5, 5.0.0-5.10.1 | |
| 2891255 |
CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file. Vulnerable: <= 2.6.20-0+deb10u1 Fixed: 2.6.20-0+deb10u2 |
4.0.0-4.4.1, 5.0.0-5.10.1 | 4.4.2-4.4.5 |
| 2890681 |
CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code Vulnerable: 2.6.0+dfsg.1-1Fixed: 2.6.0+dfsg.1-1+deb10u1 |
4.0.0-4.4.1, 5.0.0-5.10.1 | 4.4.2-4.4.5 |
| 2867042 |
When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.10.1 | |
| 2847755 |
When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit. | 5.0.0-5.10.1 | |
| 2823307 |
Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.10.1 | |
| 2736108 |
When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. |
4.4.0-4.4.5, 5.0.0-5.10.1 | |
| 2684925 |
The NVUE nv show vrf default router bgp peer command produces a 404 not found error. |
4.4.0-4.4.5, 5.0.0-5.10.1 | |
| 2671652 |
In VXLAN routing environments, you might experience sub-optimal route convergence delays (longer than five seconds) when a prefix transitions to a new ECMP next-hop group. This condition might occur when a VTEP loses ECMP routes through all uplink peerings, then installs the routes through a different path, such as an MLAG peerlink. | 4.4.0-4.4.5, 5.5.0-5.10.1 | |
| 2543915 |
When you enable a service in the management VRF, systemctl issues a warning similar to the following:Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run ‘systemctl daemon-reload’ to reload unitYou can safely ignore this warning. |
4.0.0-5.9.2 | 5.10.0-5.10.1 |
Fixed Issues in 5.5.1
| Issue ID | Description | Affects |
|---|---|---|
| 3470941 |
On the NVIDIA SN4700 switch, reversing the upper four lanes on a port does not work and might cause link degradation. If you swap the upper and lower four lanes on a port, the firmware gets stuck. | 5.3.0-5.5.0 |
5.5.0 Release Notes
Open Issues in 5.5.0
| Issue ID | Description | Affects | Fixed |
|---|---|---|---|
| 4004453 |
The NVUE commands to delete SNMP users, and change authentication passwords and encryption passphrases are not successful. | 4.3.0-5.9.1, 5.10.0-5.10.1 | 5.9.2 |
| 3982222 |
When SPAN is enabled on a bridge member, an ARP or Gratuitous ARP received during a failover event between locally attached redundant devices such as load balancers might fail to update the bridge MAC table to point to the interface with the newly active load balancer. | 5.4.0-5.9.1 | 5.9.2-5.10.1 |
| 3949367 |
If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. | 5.3.1-5.9.1 | 5.9.2-5.10.1 |
| 3917601 |
If a packet containing an all zero source MAC address (00:00:00:00:00:00) is learned on the ASIC, switchd sends the learn notification to the kernel but the kernel rejects the MAC address as invalid. The ASIC continuously sends the mac-learn notifications, which wastes CPU resources. To work around this issue, configure ACLs to match on the all-zero source MAC address and drop the invalid packets. |
5.5.0-5.9.1 | 5.9.2-5.10.1 |
| 3895042 |
After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command#snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a |
4.4.0-5.9.1 | 5.9.2-5.10.1 |
| 3859422 |
On rare occasions when certain events occur, such as changes to the topology in the network, when a bond comes online and directly transits to an STP blocking state, the slave ports might still be in a forwarding state. As a result, traffic is forwarded on a blocked port. | 5.2.0-5.9.1 | 5.9.2-5.10.1 |
| 3773177 |
When you try to upgrade a switch from Cumulus Linux 5.5 or earlier to 5.8.0 or later with package upgrade, you see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb |
4.0.0-4.4.5, 5.0.0-5.10.1 | |
| 3765395 |
The nv unset nve vxlan flooding and nv set nve vxlan flooding enable off commands do not disable BUM flooding. To work around this issue, disable BUM flooding with vtysh commands:leaf01# configure terminal |
5.5.0-5.8.0 | 5.9.0-5.10.1 |
| 3730904 |
When sending untagged frames to the CPU with an MTU higher than the SVD (single VXLAN device) MTU, the kernel might crash. | 5.4.0-5.8.0 | 5.9.0-5.10.1 |
| 3713419 |
When monitoring system statistics and network traffic with sFlow, an aggressive link flap might produce a memory leak in the sFlow service hsflowd. |
5.1.0-5.7.0 | 5.8.0-5.10.1 |
| 3702431 |
Traditional SNMP snippets do not take effect unless you first enable SNMP with the NVUE nv set service snmp-server enable on and nv set service snmp-server listening-address commands. Alternatively, you can use the equivalent REST API methods. |
5.4.0-5.8.0 | 5.9.0-5.10.1 |
| 3696061 |
When the MAC address of a neighbor changes, the zebra IP routing manager might crash. |
5.2.1-5.6.0 | 5.7.0-5.10.1 |
| 3695430 |
When you configure extended nexthop encoding for a peer group, the peers in the group do not inherit the configuration. To work around this issue, configure extended nexthop encoding on each individual peer in the group. NVIDIA recommends that you upgrade to Cumulus Linux 5.6 or later to avoid this issue. | 5.4.0-5.6.0 | 5.7.0-5.10.1 |
| 3684998 |
DHCP lease information is not collected in the cl-support file. |
4.3.0-5.6.0 | 5.7.0-5.10.1 |
| 3663182 |
Changing non-default BGP timers with NCLU or vtysh commands sets the hold time and keep alive interval to 0 seconds. To work around this issue, restart the FRR service with the sudo systemctl restart frr.service command. |
5.3.1-5.6.0 | 5.7.0-5.10.1 |
| 3647426 |
If BGP remote-as is set to an integer and you try to configure the local-as for a BGP instance, you see the following error:% AS specified for local as is the same as the remote as and this is not allowedThis configuration is not allowed; it is considered to be eBGP and local preference is not advertised. |
5.0.0-5.5.1 | 4.3.2-4.4.5, 5.6.0-5.10.1 |
| 3613258 |
With VM migration from one VTEP to another, traffic loss might occur during a MAC move as locally learned MAC addresses are frequently refreshed between switchd and the kernel. |
5.2.1-5.6.0 | 5.7.0-5.10.1 |
| 3610967 |
In an EVPN symmetric routing configuration, running the NVUE nv set vrf command to derive layer 3 VNIs automatically might result in duplicate VLAN entries in the system. This most often occurs at scale when many VRFs have similar names. To work around this issue, manually specify a unique VLAN for each VRF. |
5.3.0-5.8.0 | 5.9.0-5.10.1 |
| 3610611 |
Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf ping command to use a source address (such as an SVI address) with the ip vrf exec command. |
5.5.0-5.6.0 | 5.7.0-5.10.1 |
| 3609128 |
When you use vi with root or sudo, visual mode is enabled by default due to a missing vimrc configuration file. This makes it difficult to copy and paste into vi. In CL5.7.0, the default configuration now includes set mouse-=aIn addition, the CL5.7.0 default configuration for vi now disables modelines, which can be a security risk. |
5.5.0-5.6.0 | 5.7.0-5.10.1 |
| 3599699 |
Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the ping command to use a source address (such as an SVI address) with the ip vrf exec command. |
5.5.0-5.6.0 | 5.7.0-5.10.1 |
| 3585467 |
NVUE and ip link show traditional bridge VLAN subinterface counts incorrectly. The ingress (Rx) count increments correctly but the egress (Tx) count does not increment. This issues occurs because the hardware does not support transmit counters for a VLAN subinterface; therefore, no statistics from the hardware are updated. Statistics for software forwarded packets show correctly. |
5.0.0-5.6.0 | 5.7.0-5.10.1 |
| 3582826 |
When you enable the FRR SNMP agent (agentx) and configure routing adjacencies with short timers (dead, keepalive, and hold time), the routing adjacencies might go down in certain scenarios; for example when you have frequent or concurrent client SNMP requests, you use custom SNMP MIB extensions, you poll OIDs with large responses, or during high CPU load. To work around this issue, you can increase the routing adjacency timers to accommodate SNMP processing. | 5.5.0-5.6.0 | 5.7.0-5.10.1 |
| 3580435 |
On the NVIDIA SN2410 switch with an Innodisk SSD, you might see the following message in syslog:smartd[501]: Device: /dev/sda [SAT], CHECK POWER STATUS spins up disk (0x00 -> 0xff)This is a cosmetic issue and does not affect how the switch operates. To prevent this message from occurring, run the hdparm -S 24 /dev/sda command to change the HD timeout. |
5.3.1-5.6.0 | 5.7.0-5.10.1 |
| 3573800 |
After you apply a change to the router MAC address on an SVI with the ifreload -a command, the old router MAC address still remains in the FDB table. To work around this issue, remove the old router MAC address with the sudo bridge fdb del <old_mac> dev bridge vlan <vlan_id> command. |
5.3.1-5.6.0 | 5.7.0-5.10.1 |
| 3567708 |
In an EVPN multihoming environment with VRRP, when the master VRRP router fails, the standby router takes around 30 seconds to become active. | 5.3.1-5.6.0 | 5.7.0-5.10.1 |
| 3566980 |
When running DHCP relay for IPv6 and a downstream interface flaps more than once, relaying might stop working. To recover, restart the dhcrelay6 service, making sure the specified downstream interfaces are up and running. |
5.5.0-5.6.0 | 5.7.0-5.10.1 |
| 3560622 |
When you configure a route distinguisher (RD) or a route target (RT) manually for layer 2 VNIs, type-1 routes are not properly updated, type-1 EVI routes with the old RD are not properly withdrawn, and type-1 ES routes do not have the corresponding layer 2 VNI route target updated. | 5.0.0-5.5.1 | 5.6.0-5.10.1 |
| 3556762 |
On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.10.1 | |
| 3554231 |
CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009 Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that “agent forwarding should be enabled with caution”), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P ‘') For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. |
4.0.0-4.3.1, 5.0.0-5.10.1 | 4.3.2-4.4.5 |
| 3549138 |
In an EVPN environment with ARP suppression enabled, when a host sends a unicast ARP request to a remote host, the ARP reply is duplicated. It is replied once by the remote host and once by the VTEP. | 5.5.0-5.5.1 | 5.6.0-5.10.1 |
| 3541912 |
Collecting a cl-support file in a high VNI and interface environment can result in an out-of-memory (OOM) event on the switch. An OOM event can cause critical services to restart and might impact traffic. |
5.1.0-5.5.1 | 5.6.0-5.10.1 |
| 3541518 |
When you remove the update-source configuration for a BGP neighbor, the peering is reset if the neighbor is a member of a peer group with the same update-source configuration. |
5.5.0-5.5.1 | 5.6.0-5.10.1 |
| 3538497 |
In an EVPN symmetric routing configuration, after rebooting a switch that uses VLAN 1 for a layer 3 VNI, traffic forwarding for VLAN 1 fails. To work around this issue, restart the FRR service with the sudo systemctl restart frr.service command. |
5.5.0-5.5.1 | 5.6.0-5.10.1 |
| 3534718 |
The BGP command to suppress longer prefixes inside the aggregate address before sending updates (nv set vrf or vtysh router bgp ) does not suppress more specific routes from being exported into the EVPN routing table and advertised as EVPN type-5 routes. To work around this issue, announce EVPN type-5 routes by adding an additional outbound policy or export policy to filter out the more specific routes. |
5.5.0-5.6.0 | 5.7.0-5.10.1 |
| 3528359 |
A switchd assertion crash occurs after KVD resource exhaustion in the SDK because entries are in a pending delete state, which causes an ECMP allocation failure. |
5.5.0-5.5.1 | 5.6.0-5.10.1 |
| 3526004 |
For layer 3 VNIs, Cumulus Linux automatically creates an SVI name that includes an underscore (for example, vlan4036_l3), which is not allowed in SVI names. As a result, commands such as nv show interface for the SVI show an error. The underscore (_) character is now allowed in SVI names. |
5.5.0-5.5.1 | 5.6.0-5.10.1 |
| 3522524 |
FRR does not allow eBGP multi hop configuration on unnumbered BGP neighbors. | 5.5.0-5.6.0 | 5.7.0-5.10.1 |
| 3517376 |
When you use CMIS specification based optics, the l1-show command output provides incorrect values for digital diagnostics (TX Power and RX Power). To work around this issue, run the mlxlink command with either the -m or –cable –ddm flags. |
5.5.0-5.5.1 | 5.6.0-5.10.1 |
| 3509445 |
If a BGP numbered session is in a non-established state, SNMP walk commands to the system might time out when the BGPVRF MIB is included in the OIDs to collect. In addition, FRR might report warnings about AgentX in the log files. | 5.5.0-5.5.1 | 5.6.0-5.10.1 |
| 3498939 |
In an EVPN environment, VM migration (IP and MAC address migration) might not work because the new local VTEP to which the VM migrates does not install the entry in the kenel. To work around this issue, restart the switchd service. |
5.4.0-5.5.1 | 5.6.0-5.10.1 |
| 3496931 |
When you update a prefix list associated with an RP, the pimd service might crash if the prefix list exists without any prefixes. To work around this issue, ensure that any prefix list associated with an RP includes at least one prefix at all times. |
5.3.1-5.5.1 | 5.6.0-5.10.1 |
| 3496889 |
When PTP is not enabled on the switch, NVUE nv show ptp commands freeze. This might cause other NVUE commands to fail and the NVUE service to restart. |
5.3.1-5.5.1 | 5.6.0-5.10.1 |
| 3495630 |
The NVUE nv show service ptp command output shows an incorrect value. To work around this issue, run the nv show service ptp command or the Linux pmc utility. |
5.3.1-5.5.1 | 5.6.0-5.10.1 |
| 3488136 |
When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf command. |
4.2.1-5.5.1 | 5.6.0-5.10.1 |
| 3486102 |
SNMP and TACACS secrets are shown in cleartext. | 5.5.0-5.5.1 | 5.6.0-5.10.1 |
| 3484058 |
When you power on the NVIDIA SN3420 switch with no connected cables, the QSFP ports LEDs light in amber. | 5.3.0-5.8.0 | 5.9.0-5.10.1 |
| 3479786 |
The switchd service does not handle certain route and next hop updates, which causes a synchronization loop. For example, in a VRF route leaking configuration, where a next hop group spans across multiple VRFs, when one of the routes is withdrawn and the next hop is no longer used, switchd has problems synchronizing other next hops in the groupTo work around this issue, disable next hop groups in zebra with the vtysh zebra nexthop proto only command, and then reboot the switch. |
5.3.0-5.5.1 | 5.6.0-5.10.1 |
| 3474391 |
The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. |
4.3.1-5.5.1 | 5.6.0-5.10.1 |
| 3472865 |
The json output for the vtysh -c ‘show bgp all json command is missing a string key in front of the list of routes under the l2vpnevpn address family. |
5.4.0-5.5.1 | 5.6.0-5.10.1 |
| 3471052 |
On certain QSFP-DD and OSFP optical modules, the ethtool -m command, and the related NCLU and NVUE commands that display optical module information fail. |
5.4.0-5.5.1 | 5.6.0-5.10.1 |
| 3470941 |
On the NVIDIA SN4700 switch, reversing the upper four lanes on a port does not work and might cause link degradation. If you swap the upper and lower four lanes on a port, the firmware gets stuck. | 5.3.0-5.5.0 | 5.5.1-5.10.1 |
| 3467890 |
BGP aggregate routers are not advertised after learning the same route from another protocol. To work around this issue, restart the FRR service or, if possible, don’t learn the route from another protocol (use route maps instead). | 5.3.0-5.5.1 | 5.6.0-5.10.1 |
| 3466703 |
In rare cases when there is high load, the clagd service might experience a buffer overflow and MLAG bonds stay in a proto-down state on the secondary switch. You see a “NetlinkThread: Netlink overflow” log message and the MLAG state indicates VLAN conflicts between peers. To work around this issue, restart the clagd service with the sudo systemctl restart clagd command on the switch that reports the overflow log message. |
5.2.0-5.5.1 | 5.6.0-5.10.1 |
| 3459696 |
If you run the NVUE nv show vrf command when the BGP instance is not enabled, you see an NVUE traceback error. |
5.4.0-5.5.1 | 5.6.0-5.10.1 |
| 3455078 |
When you bring down or delete a bridge or all interfaces on the switch, you see the following error message in the /var/log/switchd.log file:ERR bridge destroy for vlanThe errors are temporary and have no impact on functionality or traffic. |
5.5.0-5.5.1 | 5.6.0-5.10.1 |
| 3452763 |
When you use the NVUE API with TACACS+, users might see a 403 Forbidden message if no TACACS+ user has logged in some other way, such as with SSH. To work around this issue, log in any TACACS+ user through SSH before you use the NVUE API with TACACS+ users, or run the following commands:cumulus@switch:~$ sudo touch /run/tacacs_client_mapcumulus@switch:~$ sudo chown root:shadow /run/tacacs_client_mapcumulus@switch:~$ sudo chmod 0644 /run/tacacs_client_map |
5.5.0-5.5.1 | 5.6.0-5.10.1 |
| 3452732 |
The nv set router policy ext-community-list command does not generate the standard based BGP community list. As a result, routes do not match the expected community list. To work around this issue, create a snippet to add the policy configuration to the /etc/frr/frr.conf file, then patch the configuration. For example:cumulus@switch:~$ sudo nano frr_policy.yaml- set: cumulus@switch:~$ nv config patch frr_policy.yaml |
5.5.0-5.6.0 | 5.7.0-5.10.1 |
| 3452681 |
When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND. |
5.5.0-5.10.1 | |
| 3448984 |
If you use NVUE to apply a configuration when the optional TACACS+ packages are not installed on the switch, you might see messages similar to the following in the /var/log/syslog file when auditd restarts (for example, when the switch reboots):audispd: Unable to stat /sbin/audisp-tacplus (No such file or directory) audispd: Skipping audisp-tacplus.conf plugin due to errorsThese messages do not affect the functionality of the switch. |
5.5.0-5.5.1 | 5.6.0-5.10.1 |
| 3447762 |
If the NVUE startup.yaml configuration file is invalid, the nv config apply startup command times out without providing details on the error. |
5.4.0-5.5.1 | 5.6.0-5.10.1 |
| 3445841 |
FRR does not apply Type-0 ESI configuration for EVPN multihoming bonds consistently after an FRR service reload. This issue occurs because the system MAC address value (es-sys-mac) is only compatible with a 3-byte Ethernet segment ID (es-id) for Type-3 ESIs, but still renders even when the Ethernet segment ID is 10 bytes for Type-0 ESIs. To work around this issue, configure EVPN multihoming bonds with a Type-3 ESI (es-sys-mac plus a 3-byte es-id). |
5.0.0-5.6.0 | 5.7.0-5.10.1 |
| 3442569 |
When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. |
5.5.0-5.10.1 | |
| 3436595 |
When using WJH, if you export dropped packets to a file in PCAP format, the file contains custom WJH header data. As a result, certain tools, such as Wireshark, cannot decode the data. To work around this issue, use the –no_metadata option with the export command:cumulus@switch:~$ what-just-happened poll –export –no_metadata |
5.4.0-5.5.1 | 5.6.0-5.10.1 |
| 3433944 |
The wjh_dissector.lua WJH packet decoder script provided with Cumulus Linux might fail to decode all WJH packets. |
5.4.0-5.5.1 | 5.6.0-5.10.1 |
| 3433577 |
When you use a single VXLAN device (SVD) with MLAG and static VXLAN tunnels, Cumulus Linux incorrectly associates the MAC addresses it learns from the VXLAN fabric to the bridge PVID. This issue can lead to a feedback loop between the clagd service and switchd, and might result in critical CPU usage with an out of memory condition. Do not use an SVD when enabling MLAG in a static VXLAN environment. |
5.5.0-5.8.0 | 5.9.0-5.10.1 |
| 3428677 |
In certain cases, Cumulus Linux does not process next hop updates because the zebra IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state. |
5.3.0-5.6.0 | 5.7.0-5.10.1 |
| 3424967 |
sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don’t run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo … to execute the sudo command. |
5.0.0-5.10.1 | |
| 3420056 |
The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.10.1 | |
| 3419940 |
When generating a cl-support file either manually or when an issue occurs on the system, you see the following kernel error messages:‘Register access failed (reg_id=0x9029, status=0x4)’ followed by a hex dump of a few linesThis error message is benign and has no functional impact. |
5.5.0-5.5.1 | 5.6.0-5.10.1 |
| 3419928 |
The NVUE PIM timer command option names keep-alive and rp-keep-alive are inconsistent and need to change to keepalive and rp-keepalive. |
5.4.0-5.6.0 | 5.7.0-5.10.1 |
| 3413785 |
To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo … to execute the sudo command using the TACACS+ server on the default VRF. |
5.0.0-5.5.1 | 5.6.0-5.10.1 |
| 3405024 |
You cannot remove PBR map configuration with source and destination rules. To work around this issue, delete the entire PBR map clause. | 5.5.0-5.6.0 | 5.7.0-5.10.1 |
| 3394674 |
If you restart FRR with the log file debugging level set to informational, BGP crashes. |
5.4.0-5.5.1 | 5.6.0-5.10.1 |
| 3393966 |
When you configure OSPF network statements using NVUE with the nv set vrf command, subsequent configuration changes with NVUE might bring down all OSPF neighbors. To work around this issue, create an NVUE snippet to configure the network statement, or use the nv set interface command to enable OSPF on interfaces instead of using a network statement. |
5.5.0-5.9.2 | 5.10.0-5.10.1 |
| 3378733 |
After you add or delete a static MAC entry on the bridge FDB, a core dump occurs if the interface is VXLAN and the MAC address is 00:00:00:00:00:00. | 5.4.0-5.5.1 | 5.6.0-5.10.1 |
| 3362113 |
If you restore an NVUE startup.yaml file or run the nv config patch command after an upgrade that includes breakout ports with QoS configuration, the NVUE configuration fails to apply. Subsequent attempts to run nv config apply fail with a message similar to Invalid config [rev_id: 11] qos config is not supported on the following invalid interface: swp1s0. Supported on swp and bond interface types. To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. |
5.4.0-5.10.1 | |
| 3347677 |
In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown. | 5.1.0-5.6.0 | 5.7.0-5.10.1 |
| 3347538 |
When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.10.1 | |
| 3344846 |
The Spectrum-3 hardware configuration is not optimized for the best PTP accuracy when using 25GbE. You might see higher than expected PTP offsets on this platforms and interface speed. | 5.4.0-5.5.1 | 5.6.0-5.10.1 |
| 3341214 |
If you use the NVUE REST API to configure a local user with a hashed password, the user cannot log in and the /etc/nvue.d/startup.yaml file shows the password as plain text. |
5.4.0-5.10.1 | |
| 3336808 |
If you run the NVUE nv set interface command without providing a description, the nv config apply command fails with the error Unable to restart services (ifreload-nvue.service). |
5.4.0-5.5.1 | 5.6.0-5.10.1 |
| 3334275 |
When you run the sensors command, the output shows an erroneous fault on some front panel ports. |
5.2.0-5.7.0 | 5.8.0-5.10.1 |
| 3329518 |
When using TACACS+, if the /etc/nsswitch.conf file specifies passwd: files tacplus (files is listed before tacplus), a user that is present in both the local /etc/passwd file and the TACACS+ server cannot log into the switch. NVIDIA recommends that when using TACACS+, you list tacplus before files in /etc/nsswitch.conf. When using NVUE, ensure that tacacs has priority over local. |
5.4.0-5.10.1 | |
| 3327477 |
If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. |
3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.10.1 | |
| 3326659 |
If you have a large number of MAC addresses, they do not age out at the MAC ageing timeout value configured on the switch. It might take up to 30 seconds more for the MAC addresses to age out and be deleted from the hardware. To work around this issue, wait for the ageing timeout value plus 30 seconds. | 5.4.0-5.10.1 | |
| 3293114 |
In Cumulus Linux 5.4 and earlier, the command to enable Neighbor Discovery (ND) router advertisement is inverted and causes confusion; nv set interface . In Cumulus Linux 5.5 and later, the command to enable router advertisement is updated to nv set interface . |
5.3.0-5.5.1 | 5.6.0-5.10.1 |
| 3266197 |
When you disable BGP globally with the nv set router bgp enable off command, applying the configuration with NVUE might fail due to an FRR reload failure. |
5.2.0-5.6.0 | 5.7.0-5.10.1 |
| 3264269 |
When you change the BGP router ID that causes a change to an EVPN VNI RD, EVPN EAD-per-EVI routes are not updated properly. | 5.3.0-5.6.0 | 5.7.0-5.10.1 |
| 3258232 |
If you use NVUE to configure multiple SNMP listener addresses at the same time, the SNMP service fails to start. To work around this issue, configure multiple SNMP listener addresses one at a time. | 5.3.0-5.6.0 | 5.7.0-5.10.1 |
| 3241567 |
When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time. |
5.3.0-5.10.1 | |
| 3232091 |
The NVUE nv unset interface command does not restore the port lane setting to the default value. To work around this issue, run the nv set interface command. |
5.4.0-5.6.0 | 5.7.0-5.10.1 |
| 3226506 |
The l1-show eth0 command does not show port information and is not supported in this release. |
5.3.0-5.10.1 | |
| 3221628 |
Cumulus Linux VX images might include an incorrect entry at the end of /etc/apt/sources.list, which produces warnings when you run apt update. Remove this entry to avoid these warnings. |
5.2.0-5.6.0 | 5.7.0-5.10.1 |
| 3187469 |
At high scale with 160 VRFs and 10 VLANs per VRF (a total of 1600 VLANs), you see traffic loss during primary switch reboot. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address. | 5.1.0-5.5.1 | 5.6.0-5.10.1 |
| 3178090 |
The cl-support generation script causes TC filter collection to run as a background process for each interface, which can lead to memory exhaustion on a high scale configuration and on a switch with a small memory footprint. |
5.1.0-5.5.1 | 5.6.0-5.10.1 |
| 3172682 |
On rare occasions, when you query the system hostname through the hostnamctl application, you see a timeout. NVUE uses the hostnamctl application to determine the system hostname, which can result in an nv config apply command failure. |
5.2.0-5.5.1 | 5.6.0-5.10.1 |
| 3172504 |
When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.10.1 | |
| 3147782 |
You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUNDTo work around this issue, reference the OID without the preceding period ( . ) in the command. |
5.3.0-5.10.1 | |
| 3145869 |
On a Spectrum-3 switch, the PTP offset in 10GbE changes between +-27. The average offset is around 7. | 5.2.0-5.10.1 | |
| 3141826 |
A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1) 1.3.6.1.2.1.47 –> Entity MIB 1.3.6.1.2.1.99 –> Entity Sensor MIB 1.3.6.1.2.1.23 –> rip2 1.3.6.1.2.1.2 –> interface/interfaces 1.3.6.1.2.1.31 –> ifMIB 1.3.6.1.2.1.4 –> IP 1.3.6.1.2.1.25 –> hostResource |
5.0.1-5.8.0 | 5.9.0-5.10.1 |
| 3135952 |
PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed <port_speed> autoneg off lanes <no_of_lanes> command. For example: cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 |
5.2.0-5.10.1 | |
| 3122301 |
On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.10.1 | |
| 3115242 |
When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. |
5.1.0-5.10.1 | |
| 3103821 |
On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.10.1 | |
| 3084476 |
After you disable traffic shaping in the /etc/cumulus/datapath/qos/qos_features.conf file, the default QOS traffic shaping configuration does not restore. To work around this issue, restart switchd. |
4.4.3, 5.0.0-5.10.1 | 4.4.4-4.4.5 |
| 3084027 |
Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware. |
4.3.0-4.4.5, 5.0.0-5.10.1 | |
| 3071652 |
On rare occasions, after you reboot or restart switchd on a Spectrum 1 switch, any 25G connections with Direct Attach Copper (DAC) cables that connect from the switch to a non-NVIDIA device might flap continuously. To work around this issue, bring the affected link administratively down for a few seconds on the non-NVIDIA device, then bring the link back up. |
4.4.4-4.4.5, 5.1.0-5.10.1 | |
| 3069069 |
When you run the systemctl reload switchd command, there is momentary traffic loss after a port configured with lossless buffers goes down. This is only temporary and the traffic stabilizes after the initial drops. |
5.1.0-5.5.1 | 5.6.0-5.10.1 |
| 3061656 |
When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.10.1 | |
| 3053094 |
When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.10.1 | |
| 2972540 |
With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.10.1 | |
| 2964279 |
When a VNI flaps, an incorrect list of layer 2 VNIs are associated with a layer 3 VNI. The NCLU net show evpn vni detail command output shows duplicate layer 2 VNIs under a layer 3 VNI. |
3.7.15, 4.4.2-4.4.5, 5.0.0-5.10.1 | 3.7.16 |
| 2951110 |
The net show time ntp servers command does not show any output with the management VRF. |
3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.10.1 | |
| 2904450 |
When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. |
4.4.0-4.4.5, 5.0.0-5.10.1 | |
| 2891255 |
CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file. Vulnerable: <= 2.6.20-0+deb10u1 Fixed: 2.6.20-0+deb10u2 |
4.0.0-4.4.1, 5.0.0-5.10.1 | 4.4.2-4.4.5 |
| 2890681 |
CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code Vulnerable: 2.6.0+dfsg.1-1Fixed: 2.6.0+dfsg.1-1+deb10u1 |
4.0.0-4.4.1, 5.0.0-5.10.1 | 4.4.2-4.4.5 |
| 2867042 |
When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.10.1 | |
| 2847755 |
When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit. | 5.0.0-5.10.1 | |
| 2823307 |
Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.10.1 | |
| 2736108 |
When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. |
4.4.0-4.4.5, 5.0.0-5.10.1 | |
| 2684925 |
The NVUE nv show vrf default router bgp peer command produces a 404 not found error. |
4.4.0-4.4.5, 5.0.0-5.10.1 | |
| 2671652 |
In VXLAN routing environments, you might experience sub-optimal route convergence delays (longer than five seconds) when a prefix transitions to a new ECMP next-hop group. This condition might occur when a VTEP loses ECMP routes through all uplink peerings, then installs the routes through a different path, such as an MLAG peerlink. | 4.4.0-4.4.5, 5.5.0-5.10.1 | |
| 2543915 |
When you enable a service in the management VRF, systemctl issues a warning similar to the following:Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run ‘systemctl daemon-reload’ to reload unitYou can safely ignore this warning. |
4.0.0-5.9.2 | 5.10.0-5.10.1 |
Fixed Issues in 5.5.0
| Issue ID | Description | Affects |
|---|---|---|
| 3562767 |
ACLs do not process inbound DHCP packets and the packets do not contribute to ACL counters | 5.2.0-5.4.0 |
| 3446455 |
The vtysh show version command shows an incorrect version number; for example, instead of Cumulus Linux 5.4, the command output shows Cumulus Linux 5.3. |
5.4.0 |
| 3437980 |
If the number of bonds and its bond members exceeds the total number of physical ports on the switch
and LACP bypass is enabled, switchd might crash when frequent link flaps occur or switchd restarts. To work around this issue, disable LACP bypass. |
5.4.0 |
| 3434791 |
Changing the ebgp-multihop setting for a BGP peer always resets the peer, even if the configured TTL value matches the existing TTL value of the peer. |
5.3.1-5.4.0 |
| 3432897 |
When you remove the restriction from a TACACS+ mapped user to remove per command authorization, the tacplus-restrict -R command does not restore ownership of restored files correctly. As a result, some commands might fail due to permission errors in the files or directories under the home directory. To work around this issue, run the sudo chown command to correct the ownership of the affected files and directories. |
5.0.0-5.4.0 |
| 3429530 |
On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 |
| 3418103 |
On the Spectrum-2 and Spectrum-3 switch, if you use module SPQCELRCDFB when connected to a 3rd party switch, you might see no link or a very long link up time (around two minutes). To work around this issue, bring down the port, then bring it back up. | 5.4.0 |
| 3413860 |
If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 |
| 3413827 |
During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The clagctl dumppermanentneighs command only shows local neighbors. |
4.2.1-4.3.1, 4.4.0-5.4.0 |
| 3412357 |
When you configure EVPN either with or without MLAG and change the mapping for a layer 2 or layer 3 VNI, you see a permanent traffic drop for the VNI. To work around this issue, remove the VNI configuration, then add and apply it again. | |
| 3410303 |
The NVUE command to set the frequency of LLDP updates nv set service lldp tx-interval and the NVUE command to set the amount of time to hold the information before discarding it nv set service lldp tx-hold-multiplier do not provide reasonable maximum and minimum values. Cumulus Linux 5.5.0 and later provides new values. For the nv set service lldp tx-interval command, you can now set a minimum value of 5 and a maximum value of 32768. For the nv set service lldp tx-hold command, you can set a minimum value of 1 and a maximum value of 8192. |
5.4.0 |
| 3409223 |
NGNIX might be listening on port 80 through its default configuration in /etc/nginx/sites-enabled/default. To work around this issue, run the following commands:cumulus@switch:~$ sudo rm -f /etc/nginx/sites-enabled/defaultcumulus@switch:~$ systemctl is-active nginx && sudo invoke-rc.d nginx restart |
5.4.0 |
| 3402935 |
For layer 3 interfaces configured on the switch, certain triggers, such as port flaps and subinterface flaps, or when configuring the ports to and from layer 2 and layer 3, cause the dummy internal VLAN to not free up, which can result in exhaustion of the dummy internal VLANs designated for the layer 3 interfaces. When this occurs, you see the following switchd log messages:ERR dummy internal vlans exhaustedERR cannot allocate vlan for sub-interface |
5.0.0-5.4.0 |
| 3397649 |
When an ECMP route is present in a non-default VRF, resilient hashing does not work as expected and flows might get remapped to a new next hop when the set of nexthops changes. | 5.4.0 |
| 3395247 |
The NVUE nv show system forwarding profile-option command reports an incorrect Max ipv4 mcast routes value. To work around this issue, validate values with cl-resource-query. |
5.4.0 |
| 3393866 |
On a VX, NVUE commands with an argument parameter that can be multiple types (such as IPv4 and IPv6) do not provide auto complete or additional options when you use a question mark. | 5.4.0 |
| 3393306 |
The python-netaddr package is not preinstalled on the switch, which leads to an error similar to the following when SNMP accesses data from the CUMULUS-BGPVRF-MIBCUMULUS-BGPVRF-MIB::bgpPeerFsmEstablishedTransitions = No Such Instance currently exists at this OIDTo work around this issue, manually install the python-netaddr package with the sudo -E apt-get install python-netaddr command. |
5.3.1-5.4.0 |
| 3390758 |
The neighmgrd service does not enable the snooper unless ARP suppression is enabled on at least one VXLAN interface. This can result in missing ARP and NDP entries if the host does not directly interact with the switch. |
5.3.1-5.4.0 |
| 3389198 |
The NVUE nv unset command does not completely remove IPv6 DNS server configuration |
5.3.1-5.4.0 |
| 3388201 |
Cumulus Linux does not let you add an interface to the bond interface when the bridge-allow-untagged no option is present. |
5.4.0 |
| 3388067 |
TACACS+ packages in the local apt repository might be out of date; as a result, the upgrade does not install tacacs0 through tacacs15 users in the correct NVUE groups. When you run NVUE commands as a TACACS+ user, the commands fail and you see the error You do not have permission to execute that commandTo obtain the correct packages, install the tacplus-client package and its dependencies from apt.cumulusnetworks.com. |
5.1.0-5.4.0 |
| 3379873 |
apt source linux fails to download the Linux kernel source code. To work around this issue, run the sudo apt update && sudo apt install linux-source-5.10 command or download the desired version from https://apt.cumulusnetworks.com/repo/pool/cumulus/l/linux/ and install it with the sudo dpkg -i $filename command. The source code in a tar.xz file will then be located in the /usr/src/ directory. |
5.2.0-5.4.0 |
| 3378838 |
When configuring PTP, NVUE does not use the PTP priority2 setting but uses the priority1 setting instead. | 5.4.0 |
| 3375071 |
On the NVIDIA SN2010 and SN2100 switch, smond indicates that the FAN status is BAD and syslog is flooded with Path /run/hw-management/thermal/fan1_status does not exist errors. When you run the smonctl -v command, the TEMP on switch looks OKcumulus@switch:~$ smonctl -vFan1(Fan 1): BAD fan:6931 RPM (max = 25000 RPM, min = 4500 RPM, limit_variance = 15%)Fan2(Fan 2): BAD fan:6619 RPM (max = 25000 RPM, min = 4500 RPM, limit_variance = 15%)Fan3(Fan 3): BAD fan:6931 RPM (max = 25000 RPM, min = 4500 RPM, limit_variance = 15%)Fan4(Fan 4): BAD fan:6720 RPM (max = 25000 RPM, min = 4500 RPM, limit_variance = 15%) |
5.1.0-5.4.0 |
| 3375047 |
If you run the NVUE nv set service snmp-server readonly-community command to set an SNMP V2 trap community string that includes fewer than eight characters, the configuration fails. The SNMP V2 trap community string must include eight or more characters. |
5.4.0 |
| 3361904 |
The NVUE PTP shaping commands are available in the NVUE command list; however, these commands are disabled and do not configure PTP shaping. PTP shaping is not supported in Cumulus Linux 5.4. | 5.4.0 |
| 3351941 |
Cumulus Linux 5.4 package upgrade (apt-upgrade) does not support warm restart to complete the upgrade; performing an unsupported upgrade can result in unexpected or undesirable behavior, such as a traffic outage. |
5.4.0 |
| 3350789 |
NVUE deprecated the port split command options (2x10G, 2x25G, 2x40G, 2x50G, 2x100G, 2x200G, 4x10G, 4x25G, 4x50G, 4x100G, 8x50G) with no backwards compatibility. | 5.0.0-5.4.0 |
| 3350061 |
If you use TACACS+ authentication, modifying the TACACS+ configuration with NVUE might result in a timeout error when you run the nv config apply command. To work around the issue, restart the nvued service with the sudo systemctl restart nvued.service command, then apply the configuration again. |
5.4.0 |
| 3349533 |
On the Spectrum-2 and Spectrum-3 switch with ports operating at 1G speed, there is loss of frames that have an odd or random frame size. In the frame size range of 75 to 1000 bytes, there is frame loss of less than approximately one percent for all odd or random frame sizes in the range. In the frame size range greater than 1000 bytes, there is no loss observed. | 5.4.0 |
| 3349207 |
The switch does not learn MAC addresses from DHCP packets. When a DHCP enabled host is plugged in for the first time, it tries to obtain an IP address through DHCP. The switch does not learn the MAC address of the host when it receives these DHCP packets; therefore, the host MAC address is not updated in the local forwarding database and it does not get advertised across EVPN. The switch learns the MAC address when it receives other packets, such as ARP or ND from the host. To work around this issue, either configure a temporary IP address on the host to initiate ARP/ND or enable IPv6, which sends ND after link local address creation. | 5.2.0-5.4.0 |
| 3340890 |
When you run the NVUE nv show interface command, you see an error similar to the following:Error: GET /nvue_v1/interface/swp45?rev=operational responded with 500 INTERNAL SERVER ERROR |
5.3.0-5.4.0 |
| 3339278 |
When you use the NVUE REST API with a TACACS+ user account, you see authentication failures. To work around this issue, replace the /etc/pam.d/nvueapi file with the following content:@include common-auth@include common-account@include common-session-noninteractiveAfter you replace the content, run these two commands: cumulus@switch:~$ sudo chown root:shadow /run/tacacs_client_map cumulus@switch:~$ sudo chmod 0664 /run/tacacs_client_map |
5.4.0 |
| 3329494 |
Ethtool HwIfInDot3FrameErrors (Rx FCS Errors) might lead to an incorrect and very large HwIfInErrors count. To work around this issue, stop the source of the FCS errors, then reset the interface counters. First, run the sudo mst status command to find the device, then run the sudo mlxlink -d command to reset the interface counters; for example, sudo mlxlink -d /dev/mst/mt53104_pciconf0 -p 39 -pc. |
5.3.1-5.4.0 |
| 3293560 |
If you run NVUE commands to break out a port into four interfaces, NVUE disables the subsequent port automatically. However, if you run NVUE commands to break out a port into eight interfaces, NVUE does not disable the subsequent port automatically; you have to run the NVUE command to disable the subsequent port. | 5.4.0 |
| 3234814 |
With double tagged QinQ interfaces, if the bridge corresponding to the QinQ interface flaps, you might see invalid learning notifications and errors from similar to the following:Can’t set non-static MAC address for non-vPort 0x0001006B when VID is VFID. |
5.3.0-5.4.0 |
| 3145204 |
On the NVIDIA Spectrum-1 switch, the nv show system forwarding command shows GTP hashing output, which is not supported on this switch. |
5.2.0-5.4.0 |
| 3144740 |
The /var/lib/snmp/snmpd.conf file contains multiple Warning: Unknown token: ifXTable messages. To avoid these warnings, add the -noTokenWarnings option to the SNMPDOPTS variable in the /etc/defaults/snmpd file, then restart the snmpd service. |
5.2.0-5.4.0 |
| 3142615 |
The BGP4-MIB.txt file is missing from Net-SNMP agent. |
5.0.0-5.4.0 |
| 3055283 |
After you run Linux commands to enable a custom ECMP or LAG hash parameter, if you set the hash_config.enable or lag_hash_config.enable parameter to false, the custom parameters do not restore their default values. To work around this issue, change the custom ECMP or LAG hash parameters to their default values manually. |
5.1.0-5.4.0 |
| 3045310 |
If GTP Hashing is set to true, after more than two warm boots, switchd fails and a cl-support file is generated. |
5.1.0-5.4.0 |
| 3034435 |
In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community. | 4.4.4-5.4.0 |