Cumulus VX 3.5 Release Notes


Overview

Cumulus VX is a free virtual environment for cloud and network administrators to test the latest technology from Cumulus Networks, removing all organizational and economic barriers to getting started with open networking in your own time, at your own pace, and within your own environment.

The environment can be used to learn about, and evaluate, Cumulus Linux, anytime and anywhere, producing sandbox environments for prototype assessment, pre-production rollouts, and script development.

These release notes support Cumulus VX 3.5 and describe its features and known issues.



What's New

To see the list of new features and improvements in Cumulus VX 3.5.x, read the Cumulus Linux 3.5 release notes.

Note: The EA version of netq is not supported under Cumulus VX 3.5.0.

Downloading Cumulus VX

Refer to the Getting Started documentation to download and set up Cumulus VX instances.

Configuration Notes

Keep in mind the following issues when you are running your Cumulus VX virtual machine.

Perl, Python and BDB Modules

Any Perl scripts that use the DB_File module or Python scripts that use the bsddb module won't run under Cumulus VX.

Documentation

Support

Cumulus Networks provides support for customers using Cumulus VX in testing and troubleshooting environments. For more information, refer to the Cumulus VX Support Policy.

If you have any questions or feedback about Cumulus VX, visit the Cumulus VX community for further support. 

Issues Fixed in Cumulus VX 3.5.1

The following is a list of issues fixed in Cumulus VX 3.5.1 from earlier versions of Cumulus VX.

Release Note ID Summary Description

RN-691 (CM-18647)
Configuring a DHCP relay on a VRR interface with NCLU causes errors

When configuring a DHCP relay on a VRR interface using the NCLU commands, errors are seen when running sudo ifreload -a and net commit.

cumulus@switch:~$ sudo ifreload -a
error: 'scope'

To work around this issue, edit the /etc/network/interfaces file and remove any vlanX-v0 stanzas, then run sudo ifreload -a again.

This issue is fixed in Cumulus VX 3.5.1.


RN-695 (CM-19156)
When adding an OSPF passive interface to a VRF that does not exist, ospfd crashes

Adding an OSPF passive interface to an OSPF VRF that has not been defined previously causes ospfd to crash.

To work around this issue, create the VRF before you add the passive OSPF interface.

This issue is fixed in Cumulus VX 3.5.1.


RN-732 (CM-16550)
With management VRF, the `net show time ntp servers` command shows empty output

With management VRF, the output of the NCLU command net show time ntp servers is empty.

This issue is fixed in Cumulus VX 3.5.1.


RN-748 (CM-19202)
The `link autoneg off` setting not applied to the last set of interfaces in a list if OFF already set on one of the interfaces

Using NCLU to assign the link autoneg off setting to a list of interfaces fails to complete the list if one of the interfaces in the list already has the link autoneg off setting.

This issue is fixed in Cumulus VX 3.5.1.


RN-781 (CM-19067)
VXLAN symmetric routing: Packets are CPU forwarded after switchd restarts

When VXLAN symmetric routing is enabled, sometimes packets get forwarded to the CPU after switchd is restarted.

To work around this issue, restart the networking service:

cumulus@switch:~$ sudo systemctl restart networking

This issue is fixed in Cumulus VX 3.5.1.


RN-786 (CM-19300)
NCLU `net show interface` command output for bridge interfaces is incorrect or missing

The output for the NCLU net show interface command for bridge interfaces is missing or incorrect. The interface mode does not show Bridge/L2 and the member interfaces are shown.

This issue was a regression of an earlier issue and has been fixed again in Cumulus VX 3.5.1.


RN-789 (CM-19280)
CPU not put into the flood group with ARP suppression off

For VXLAN routing, when ARP suppression is disabled, the CPU is not placed in the flood group, so ARP requests do not reach the CPU.

This issue is fixed in Cumulus VX 3.5.1.


RN-790 (CM-19279)
Configuring DHCP relay with VRR breaks ifreload

When you configure DHCP relay with VRR, the ifreload command does not work as expected; for example, the IP address might be removed from an SVI.

This issue is fixed in Cumulus VX 3.5.1.


RN-791 (CM-19218)
Configuring DHCP relay with VRR breaks ifreload

When the switch boots, DNS issues sometimes cause ZTP to fail when searching for an install script.

This issue is fixed in Cumulus VX 3.5.1.


RN-794 (CM-19153)
NCLU `net show config` command output is incorrectly formatted

The output of the NCLU net show config commands is not formatted correctly. Trying to copy and paste the output produces an error.

This issue is fixed in Cumulus VX 3.5.1.


RN-796 (CM-19045)
netd sometimes crashes with SNMP trap configuration

The netd service crashes if you issue the snmp-server trap-link-up command with a non-default snmpd.conf file. The configuration file is expected to include the following default configuration option:

monitor -r 60 -o laNames -o laErrMessage "laTable" laErrorFlag != 0

To work around this issue, you can manually edit the /etc/snmp/snmpd.conf file and add the missing default configuration option.

This issue is fixed in Cumulus VX 3.5.1.


RN-797 (CM-18980)
NCLU needs support for multiple access client IP addresses associated with a single community

Previously, with NCLU, you were unable to add multiple IP addresses without defining a unique community for each. You can now add multiple access IP addresses to use the same community password.

This issue is fixed in Cumulus VX 3.5.1.

Issues Fixed in Cumulus VX 3.5.0

The following is a list of issues fixed in Cumulus VX 3.5.0 from earlier versions of Cumulus VX.

Release Note ID Summary Description

RN-125 (CM-1576)
Network LSA with an old router ID isn't flushed out by the originator

When the router ID is changed, the router should remove the previous network LSA (link-state advertisement) that it generated based on the IP address on the interface in the Network LSA.

Cumulus Networks didn't remove this LSA, so it would only change when it naturally aged out.

This issue is fixed in Cumulus VX 3.5.0. The fix now applies the router ID change as soon as it is made rather than having to wait for the max age timer.


RN-387 (CM-8163)
Quagga appears to not honor passive interfaces if VRR is active

In a VRR configuration, any interface-specific routing configuration (e.g., OSPF mode of operation) specified on the subinterface having a virtual IP address does not take effect. This is because when an operator has specified a virtual IP on a bridge, the system creates another internal interface bridge with the virtual IP and MAC. These two interfaces are treated distinctly by Quagga, so any interface-specific routing configuration on the bridge does not get carried over to the second bridge.

As a workaround, in a VRR deployment that needs any interface-specific routing configuration on the interface with a virtual IP address, the routing configuration must also be specified against the internally-created virtual interface.

This issue is fixed in Cumulus VX 3.5.0.


RN-448 (CM-11302)
Using the json option in the "show ip bgp" command causes peer session flaps

This issue causes peer session flaps on Penguin Arctica 4806XP and Supermicro SSE-X3648S switches. It occurs with 16K IPv4 prefixes and only when you run show ip bgp json.

However, on switches with Tomahawk ASICs, with 61K IPv4 prefixes and default timers, the same show ip bgp json command causes all peer sessions to go down.

This issue is fixed in Cumulus VX 3.5.0.


RN-542 (CM-13461)
Polling the BGP RIB with "show ip bgp" causes the peer to flap if the RIB has more than 600K entries

This is a known issue that's currently being investigated. The Quagga log shows these commands taking a very long time to execute.

To work around this issue, Cumulus Networks recommends you use larger keepalive/hold timers — 60 and 180 seconds, respectively.

This issue is fixed in Cumulus VX 3.5.0.


RN-598 (CM-15575)
clagd process restarts when updating backup-ip

An error was found when an accidental change was made to the backup IP, and then corrected. ifreload -a would restart the clagd process to invoke the daemon with the new backup IP, rather than updating the backup IP with the change.

This issue is fixed in Cumulus VX 3.5.0.


RN-646 (CM-17704)
switchd crashes when auto-negotiation is enabled on 10G LR/SR interfaces  

When auto-negotiation is enabled on a 10G LR or SR interface, switchd might crash and cannot be restarted unless you reboot the whole switch.

This issue was a regression of an earlier issue and has been fixed again in Cumulus VX 3.5.0.


RN-649 (CM-17778)
The clagd service fails to start if the backup IP is over a management VRF

The clagd service fails to start up if the backup is in the non-default VRF. For example, a configuration like clagd-backup-ip 192.1.1.1 vrf green results in a clagd startup failure.

This issue was a regression of an earlier issue and has been fixed again in Cumulus VX 3.5.0.


RN-650 (CM-17843)
NCLU: cannot configure FRR if all FRR daemons are disabled

A regression occurred where upgraded instances did not keep previous Quagga configurations. This meant that once the instance booted into 3.4.0, FRR was not configured.

This issue was a regression of an earlier issue and has been fixed again in Cumulus VX 3.5.0.


RN-672 (CM-18154)  
Redistribute neighbor service rdnbrd does not add zebra route if connected host moves to a different interface

This situation occurs if the host was reachable via a given port (say swp1), and then also becomes reachable via a second port (say swp2). In this case, the routing table entry gets updated to point to swp2, but the neighbor entry on swp1 remains reachable.

If the host stops responding on swp2, the neighbor entry on swp1 remains reachable and keeps getting refreshed. As the entry on swp2 transitions to a FAILED status, the rdnbrd service removes the route from table 10, but table 10 does not get notified of a neighbor change and thus doesn't have an entry for this connected neighbor.

The only workaround is to restart the rdnbrd service, but this is not advised, especially if the host moves around the network frequently, as would be the case if the host is a virtual machine.

This issue is fixed in Cumulus VX 3.5.0.


RN-674 (CM-17577)
Cannot set the MTU for switch ports that is different than the MTU for eth0

You cannot set both a global MTU and an individual MTU in a policy file. For example, this configuration does not work:

root@leaf01:/home/cumulus# cat /etc/network/ifupdown2/policy.d/mtu.json
{
 "address": {"defaults": { "mtu": "9216" }},
 "ethtool": {"iface_defaults": {"eth0": {"mtu": "1500"}}}
}

This issue is fixed in Cumulus VX 3.5.0.


RN-698 (CM-17205)
When updating neighbor entries in hardware, a Mellanox switch returns "neigh_add failed. err: Entry Already Exists" error

This error occurs when VRR is configured.

This issue is fixed in Cumulus VX 3.5.0.


RN-699 (CM-18951)
ifupdown2 policy applied incorrectly for eth0 

On Cumulus Linux, the ifupdown2 policy files stored in /etc/network/ifupdown2/policy.d/ may not be correctly applied to the eth0 interface.

This issue is fixed in Cumulus VX 3.5.0.


RN-700 (CM-17209)
When both MLAG switches share the same IP address, it causes a loop

When configuring MLAG, if the clagd-peer-ip is the same as the switch's IP address, it causes the switch to peer with itself, resulting in a loop.

This issue is fixed in Cumulus VX 3.5.0. The clagd-peer-ip cannot be the same as the peerlink subinterface IP address.


RN-701 (CM-17226)
MLAG clagd service exits due to misconfiguration

The switch stops the clagd.service when it detects a mismatched configuration, such as different sys-mac or clagd-vxlan-anycast-ip among the MLAG pair.

This issue is fixed in Cumulus VX 3.5.0.


RN-703 (CM-17432)
An ACL fails to match traffic after an interface is bounced and the internal VLAN ID is changed

This issue is fixed in Cumulus VX 3.5.0.


RN-704 (CM-18886)
ifreload causes MTU to drop on bridge SVIs

When you run the ifreload command on a bridge SVI with an MTU higher than 1500, the MTU gets reset to 1500 after the initial ifreload -a, then resets to its original value when running ifreload -a a second time.

This issue is fixed in Cumulus Linux 3.5.0.


RN-705 (CM-17468)
If lacp-bypass-allow is configured, `net show config commands` displays a bond configuration incorrectly

If lacp-bypass-allow is configured on an interface, the output of net show configuration commands is displayed in an order that NCLU rejects if you try to copy and paste the commands and run them again. Consider the following command output:

cumulus@leaf03:~$ net show config commands
...
net add bridge bridge vlan-aware
net add bond server03 bond lacp-bypass-allow
net add bond server03 bond slaves swp1
net add bond server03 bridge access 20
net add bond server03 clag id 3
net add bond server03 stp bpduguard
net add hostname leaf03

Since net add bond server03 bond lacp-bypass-allow appears before the bond is defined with bond slaves, NCLU will reject the command.

This issue is fixed in Cumulus VX 3.5.0.


RN-707 (CM-17804)
MLAG goodbye message over peerlink not always sent

In an MLAG configuration, when the primary switch goes down, Cumulus VX now sends a goodbye message over the backup link as well as over the peerlink.


RN-708 (CM-18749)
MLAG bridge mdb timer issue

MLAG does not sync the bridge mdb state between peers. 

This issue is fixed in Cumulus VX 3.5.0.


RN-710 (CM-18663)
Incorrect NCLU IPv6 SNMP configuration 

Valid IPv6 addresses cannot be bound by snmpd because the square brackets are missing in the configuration. These square brackets are required to distinguish between an IPv6 address and a port configuration (both contain a colon).

This issue is fixed in Cumulus VX 3.5.0.


RN-711 (CM-17842)
NCLU net show lldp command reports wrong mode in LLDP output for Trunk/L2

The net show lldp command should display Access/L2 for the mode, but actually reports it as Trunk/L2.

This issue is fixed in Cumulus VX 3.5.0.


RN-712 (CM-18634)
BGP IPv4 default-originate command fails next hop check when using unnumbered with IPv6 addresses 

BGP unnumbered does not support IPv6 GUA addresses on the interface which is peering IPv6. 

This issue is fixed in Cumulus VX 3.5.0.


RN-713 (CM-18473)
New functionality within NCLU is enabled automatically after an upgrade 

All NCLU components are now enabled by default after an upgrade, unless explicitly disabled. If you edit the netd.conf file, you can keep your version of the file when performing an upgrade. 


RN-714 (CM-18458)
1G SFP ports flap when reloading settings with ifreload -a 

If a 1G fibre SFP is installed in a 10G SFP+ port and the port speed is not specified (auto-negotiation is on), reloading settings with the ifreload -a command causes the link to flap because of redundant ethtool set commands in ifupdown2.

This issue is fixed in Cumulus VX 3.5.0.


RN-715 (CM-18012)
clagctl reports a host as single-attached when both MLAG peer switches are down

In an MLAG configuration, clagctl incorrectly reports offline servers as single connected when both of its MLAG switches are down. The proto-down reason should not indicate any active members.

This issue is fixed in Cumulus VX 3.5.0.


RN-716 (CM-18433)
netd crashes if the default user cumulus is removed 

If you remove the default user cumulus from the system, netd fails to produce output and generates a traceback message when you run NCLU commands. Some commands return no output to the terminal screen, other commands indicate that netd is not working correctly. 

This issue is fixed in Cumulus VX 3.5.0.


RN-717 (CM-18023)
NCLU does not add `ip igmp` before applying the `igmp join group` command

NCLU does not add ip igmp under an interface configuration before it applies the ip igmp join-group command, so a command like net add vlan 2 igmp join 192.0.2.0 0.0.0.0 silently fails.

This issue is fixed in Cumulus VX 3.5.0.


RN-718 (CM-18031)
The NCLU OSPF message-digest-key command is incorrectly translated to the FRRouting configuration

The following NCLU command:

cumulus@switch:~$ net add vlan 501 ospf message-digest-key 7 md5 ospf

Gets incorrectly translated to the following in the FRRouting configuration, /etc/frr/frr.conf:

 ip ospf message-digest-key 7 md5 ip ospf

The correct syntax should be:

 ip ospf message-digest-key 7 md5 ospf

This issue is fixed in Cumulus VX 3.5.0.


RN-719 (CM-18052)
After stopping the hsflowd service, sFlow continues to sample, causing buffer drops

If you stop the hsflowd service, the sFlow sampling appears to continue, sending the samples to the kernel. The sampled ports end up pushing a lot of traffic, and the added sFlow data was causing buffer drops.

This issue is fixed in Cumulus VX 3.5.0.


RN-720 (CM-18355)
Change in default multicast buffer size 

Sending multicast traffic to several interfaces while one interface is congested leads to dropped packets on all receivers. In Cumulus VX 3.5.0, the default multicast buffer size has been changed so that the buffer size per port cannot be more than 128K (1024 cells).


RN-721 (CM-18069)
OSPFv3 (IPv6) does not install IPv6 prefix into the OSPFv3 RIB

This issue is fixed in Cumulus VX 3.5.0.


RN-723 (CM-18161)
Running ifreload bounces the loopback interface if an IPv6 address is defined before an IPv4 address

To work around this issue, edit the configuration in /etc/network/interfaces and move the IPv6 configuration after the IPv4 configuration.

This is incorrect:

auto lo 
iface lo inet loopback 
    address 2001:db8::1/128 
    address 192.0.2.1/32

This is correct:

auto lo 
iface lo inet loopback 
    address 192.0.2.1/32
    address 2001:db8::1/128 

This issue is fixed in Cumulus VX 3.5.0.
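A check for the ordering described in RN-723, for switches still running a release before 3.5.0. This is an added example, not code from Cumulus Networks; the function names and the sample text are constructed here, and only loopback stanzas are examined because the release note describes only the loopback interface.

```python
import ipaddress

# Constructed sample modelled on the "incorrect" stanza in the release note,
# plus a non-loopback stanza that the check deliberately ignores.
SAMPLE_BAD = """\
auto lo
iface lo inet loopback
    address 2001:db8::1/128
    address 192.0.2.1/32

auto swp1
iface swp1
    address 2001:db8:1::10/64
    address 192.0.2.10/24
"""


def _version(addr):
    """Return 4 or 6 for a parsable address/prefix, None otherwise."""
    try:
        return ipaddress.ip_interface(addr).version
    except ValueError:
        return None


def loopback_addresses(text):
    """Return {iface: [addresses in file order]} for loopback stanzas only."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "iface":
            # A loopback stanza is named "lo" or uses the "loopback" method.
            is_lo = len(words) >= 2 and (words[1] == "lo" or words[-1] == "loopback")
            current = stanzas.setdefault(words[1], []) if is_lo else None
        elif words[0] in ("auto", "source", "mapping") or words[0].startswith("allow-"):
            current = None  # these keywords end the previous stanza
        elif words[0] == "address" and current is not None and len(words) >= 2:
            current.append(words[1])
    return stanzas


def misordered(addresses):
    """True if an IPv4 address appears after an IPv6 address."""
    seen_v6 = False
    for addr in addresses:
        version = _version(addr)
        if version == 6:
            seen_v6 = True
        elif version == 4 and seen_v6:
            return True
    return False


def ipv4_first(addresses):
    """Stable reorder: IPv4 (and unparsable) entries first, IPv6 entries last."""
    return sorted(addresses, key=lambda a: _version(a) == 6)


def check(text):
    """Return {iface: suggested address order} for each misordered loopback stanza."""
    return {
        name: ipv4_first(addrs)
        for name, addrs in loopback_addresses(text).items()
        if misordered(addrs)
    }


if __name__ == "__main__":
    for name, order in check(SAMPLE_BAD).items():
        print(f"{name}: move IPv4 before IPv6 -> {order}")
```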


RN-725 (CM-11824)
LACP protocol status flag in /proc/net/bonding/<name> output

A new status line is added to the output to indicate the LACP protocol status per member interface.


RN-727 (CM-14152)
ifreload not re-enabling IGMP snooping

ifupdown2 does not merge all the attributes defined in the policy files by default.

This issue is fixed in Cumulus VX 3.5.0.


RN-728 (CM-14790)
No license error message from ifreload and NCLU commands

If a license file is not installed for switchd, ifreload and NCLU commands display an error on a setting that it can't apply (such as link speed).

You now see a warning message indicating that a license file is not installed.


RN-729 (CM-16099)
Logging for MLAG role change

It is not clear in MLAG logging what the switch's role is at any given time.

More logging is now added to specify what the role of the switch is. 


RN-731 (CM-16233)
netd crashes when configuring nameserver with no resolv.conf file

If you remove the /etc/resolv.conf file, then try to apply a name server configuration with NCLU, netd crashes.

This issue is fixed in Cumulus VX 3.5.0.


RN-733 (CM-16612)
VXLAN interfaces stay down after ifreload -a 

After issuing the ifreload -a command when adding VXLAN interfaces, the new VXLAN interfaces remain in the NO CARRIER state. This issue occurs only if there is no MLAG peer connectivity.

This issue is fixed in Cumulus VX 3.5.0.


RN-734 (CM-16716)
SPAN rules on a VXLAN VNI interface fail to install

Installing SPAN rules on a VXLAN VNI interface results in an installation error.

This issue is fixed in Cumulus VX 3.5.0.


RN-735 (CM-16862)
Unable to start a service if VRF name contains a dash (-) 

If a VRF name contains a dash (-), any service you try to start fails with the message "Invalid VRF name." 

This issue is fixed in Cumulus VX 3.5.0.


RN-736 (CM-18619)
Multiple DHCP relay forwarding requests overlap on outgoing interface 

Multiple DHCP relay forwarding requests are replicated erroneously to a server that does not serve that subnet.

This issue is fixed in Cumulus VX 3.5.0.


RN-739 (CM-18790)
Confusing message received on IP unnumbered interface even though packet is forwarded

When DHCP relay is configured and a DHCP packet is received on an IP unnumbered interface, a Discard message is logged even though the DHCP packet is forwarded.

This issue is fixed in Cumulus VX 3.5.0.


RN-740 (CM-18847)
Unreachable IPv6 route cache entries for connected network not removed when carrier restored

When traffic originating from the kernel is generated and destined to a connected VRF IPv6 global address while the connected interface is carrier-down, an unreachable route cache entry is created against the loopback interface:

cumulus@leaf01:~$ ip -6 ro ls cache table NAME
unreachable 2001:DB8::5 dev lo  metric 0 
    cache  error -101 pref medium

When the carrier is restored, this entry remains and subsequent route lookups continue to return unreachable results erroneously:

cumulus@leaf01:~$ sudo vrf task exec NAME ping6 2001:DB8::5
connect: Network is unreachable

This issue is fixed in Cumulus VX 3.5.0.


RN-767 (CM-17475)
Security: Linux kernel issues fixed in Cumulus VX 3.5.0: DSA-3945-1 CVE-2017-7346 CVE-2017-7482 CVE-2017-7533 CVE-2017-7541 CVE-2017-7542 CVE-2017-9605 CVE-2017-10810 CVE-2017-10911 CVE-2017-11176 CVE-2017-1000365

The following CVEs that were announced in Debian Security Advisory DSA-3945-1 apply to packages maintained and built by Cumulus Networks. They have been fixed in Cumulus VX 3.5.0 (package version 4.1.33-1+cl3u10):

--------------------------------------------------------------------------
Debian Security Advisory DSA-3945-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
August 17, 2017 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : linux
CVE ID : CVE-2017-7346 CVE-2017-7482 CVE-2017-7533 CVE-2017-7541
CVE-2017-7542 CVE-2017-9605 CVE-2017-10810 CVE-2017-10911
CVE-2017-11176 CVE-2017-1000365

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2017-7346
Li Qiang discovered that the DRM driver for VMware virtual GPUs does not properly check user-controlled values in the vmw_surface_define_ioctl() functions for upper limits. A local user can take advantage of this flaw to cause a denial of service.

CVE-2017-7482
Shi Lei discovered that RxRPC Kerberos 5 ticket handling code does not properly verify metadata, leading to information disclosure, denial of service or potentially execution of arbitrary code.

CVE-2017-7533
Fan Wu and Shixiong Zhao discovered a race condition between inotify events and VFS rename operations allowing an unprivileged local attacker to cause a denial of service or escalate privileges.

CVE-2017-7541
A buffer overflow flaw in the Broadcom IEEE802.11n PCIe SoftMAC WLAN driver could allow a local user to cause kernel memory corruption, leading to a denial of service or potentially privilege escalation.

CVE-2017-7542
An integer overflow vulnerability in the ip6_find_1stfragopt() function was found allowing a local attacker with privileges to open raw sockets to cause a denial of service.

CVE-2017-9605
Murray McAllister discovered that the DRM driver for VMware virtual GPUs does not properly initialize memory, potentially allowing a local attacker to obtain sensitive information from uninitialized kernel memory via a crafted ioctl call.

CVE-2017-10810
Li Qiang discovered a memory leak flaw within the VirtIO GPU driver resulting in denial of service (memory consumption).

CVE-2017-10911 / XSA-216
Anthony Perard of Citrix discovered an information leak flaw in Xen blkif response handling, allowing a malicious unprivileged guest to obtain sensitive information from the host or other guests.

CVE-2017-11176
It was discovered that the mq_notify() function does not set the sock pointer to NULL upon entry into the retry logic. An attacker can take advantage of this flaw during a user-space close of a Netlink socket to cause a denial of service or potentially cause other impact.

CVE-2017-1000365
It was discovered that argument and environment pointers are not taken properly into account to the imposed size restrictions on arguments and environmental strings passed through RLIMIT_STACK/RLIMIT_INFINITY. A local attacker can take advantage of this flaw in conjunction with other flaws to execute arbitrary code.

For the oldstable distribution (jessie), these problems have been fixed in version 3.16.43-2+deb8u3.


RN-768 (CM-18121)
Security: Linux kernel issues fixed in Cumulus VX 3.5.0: DSA-3981-1, CVE-2017-7518, 7558, 10661, 11600, 12134, 12146, 12153, 12154, 14106, 14140, 14156, 14340, 14489, 14497, 1000111, 1000112, 1000251, 1000252, 1000370, 1000371, 1000380

The following CVEs that were announced in Debian Security Advisory DSA-3981-1 apply to packages maintained and built by Cumulus Networks. They have been fixed in Cumulus VX 3.5.0 (package version 4.1.33-1+cl3u10):

The two Debian bugs that are listed:
https://lists.debian.org/debian-kernel/2017/07/msg00080.html

https://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1550113.html

--------------------------------------------------------------------------
Debian Security Advisory DSA-3981-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
September 20, 2017 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : linux
CVE ID : CVE-2017-7518 CVE-2017-7558 CVE-2017-10661 CVE-2017-11600
CVE-2017-12134 CVE-2017-12146 CVE-2017-12153 CVE-2017-12154
CVE-2017-14106 CVE-2017-14140 CVE-2017-14156 CVE-2017-14340
CVE-2017-14489 CVE-2017-14497 CVE-2017-1000111 CVE-2017-1000112
CVE-2017-1000251 CVE-2017-1000252 CVE-2017-1000370 CVE-2017-1000371
CVE-2017-1000380
Debian Bug : 866511 875881

Several vulnerabilities have been discovered in the Linux kernel that may lead to privilege escalation, denial of service or information leaks.

CVE-2017-7518
Andy Lutomirski discovered that KVM is prone to an incorrect debug exception (#DB) error occurring while emulating a syscall instruction. A process inside a guest can take advantage of this flaw for privilege escalation inside a guest.

CVE-2017-10661 (jessie only)
Dmitry Vyukov of Google reported that the timerfd facility does not properly handle certain concurrent operations on a single file descriptor. This allows a local attacker to cause a denial of service or potentially execute arbitrary code.

CVE-2017-11600
Bo Zhang reported that the xfrm subsystem does not properly validate one of the parameters to a netlink message. Local users with the CAP_NET_ADMIN capability can use this to cause a denial of service or potentially to execute arbitrary code.

CVE-2017-12134 / #866511 / XSA-229
Jan H. Schoenherr of Amazon discovered that when Linux is running in a Xen PV domain on an x86 system, it may incorrectly merge block I/O requests. A buggy or malicious guest may trigger this bug in dom0 or a PV driver domain, causing a denial of service or potentially execution of arbitrary code.

This issue can be mitigated by disabling merges on the underlying back-end block devices, e.g.:
echo 2 > /sys/block/nvme0n1/queue/nomerges

CVE-2017-12153
Bo Zhang reported that the cfg80211 (wifi) subsystem does not properly validate the parameters to a netlink message. Local users with the CAP_NET_ADMIN capability (in any user namespace with a wifi device) can use this to cause a denial of service.

CVE-2017-12154
Jim Mattson of Google reported that the KVM implementation for Intel x86 processors did not correctly handle certain nested hypervisor configurations. A malicious guest (or nested guest in a suitable L1 hypervisor) could use this for denial of service.

CVE-2017-14106
Andrey Konovalov discovered that a user-triggerable division by zero in the tcp_disconnect() function could result in local denial of service.

CVE-2017-14140
Otto Ebeling reported that the move_pages() system call performed insufficient validation of the UIDs of the calling and target processes, resulting in a partial ASLR bypass. This made it easier for local users to exploit vulnerabilities in programs installed with the set-UID permission bit set.

CVE-2017-14156
"sohu0106" reported an information leak in the atyfb video driver. A local user with access to a framebuffer device handled by this driver could use this to obtain sensitive information.

CVE-2017-14340
Richard Wareing discovered that the XFS implementation allows the creation of files with the "realtime" flag on a filesystem with no realtime device, which can result in a crash (oops). A local user with access to an XFS filesystem that does not have a realtime device can use this for denial of service.

CVE-2017-14489
ChunYu Wang of Red Hat discovered that the iSCSI subsystem does not properly validate the length of a netlink message, leading to memory corruption. A local user with permission to manage iSCSI devices can use this for denial of service or possibly to execute arbitrary code.

CVE-2017-14497 (stretch only)
Benjamin Poirier of SUSE reported that vnet headers are not properly handled within the tpacket_rcv() function in the raw packet (af_packet) feature. A local user with the CAP_NET_RAW capability can take advantage of this flaw to cause a denial of service (buffer overflow, and disk and memory corruption) or have other impact.

Cumulus VX is not vulnerable. The vulnerable code is not present in the Cumulus VX kernel.

CVE-2017-1000111
Andrey Konovalov of Google reported a race condition in the raw packet (af_packet) feature. Local users with the CAP_NET_RAW capability can use this for denial of service or possibly to execute arbitrary code.

CVE-2017-1000112
Andrey Konovalov of Google reported a race condition flaw in the UDP Fragmentation Offload (UFO) code. A local user can use this flaw for denial of service or possibly to execute arbitrary code.

CVE-2017-1000251 / #875881
Armis Labs discovered that the Bluetooth subsystem does not properly validate L2CAP configuration responses, leading to a stack buffer overflow. This is one of several vulnerabilities dubbed "Blueborne". A nearby attacker can use this to cause a denial of service or possibly to execute arbitrary code on a system with Bluetooth enabled.

CVE-2017-1000252 (stretch only)
Jan H. Schoenherr of Amazon reported that the KVM implementation for Intel x86 processors did not correctly validate interrupt injection requests. A local user with permission to use KVM could use this for denial of service.

Cumulus VX does not enable KVM functionality, and therefore is not vulnerable.

CVE-2017-1000370
The Qualys Research Labs reported that a large argument or environment list can result in ASLR bypass for 32-bit PIE binaries.

CVE-2017-1000371
The Qualys Research Labs reported that a large argument or environment list can result in a stack/heap clash for 32-bit PIE binaries.

CVE-2017-1000380
Alexander Potapenko of Google reported a race condition in the ALSA (sound) timer driver, leading to an information leak. A local user with permission to access sound devices could use this to obtain sensitive information.

Debian disables unprivileged user namespaces by default, but if they are enabled (via the kernel.unprivileged_userns_clone sysctl) then CVE-2017-11600, CVE-2017-14497 and CVE-2017-1000111 can be exploited by any local user.

For the oldstable distribution (jessie), these problems have been fixed in version 3.16.43-2+deb8u5.


RN-769 (CM-18624)
Security: FRR and Quagga issue fixed in Cumulus VX 3.5.0: DSA-4011-1 CVE-2017-16227

The following CVEs that were announced in Debian Security Advisory DSA-4011-1 apply to the FRRouting package and upstream Quagga package. They have been fixed in Cumulus VX 3.5.0 (package version 3.1+cl3u1 and 3.1+cl3u3):

--------------------------------------------------------------------------
Debian Security Advisory DSA-4011-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
October 30, 2017 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : quagga
CVE ID : CVE-2017-16227
Debian Bug : 879474

It was discovered that the bgpd daemon in the Quagga routing suite does not properly calculate the length of multi-segment AS_PATH UPDATE messages, causing bgpd to drop a session and potentially resulting in loss of network connectivity.

For the oldstable distribution (jessie), this problem has been fixed in version 0.99.23.1-1+deb8u4. For the stable distribution (stretch), this problem has been fixed in version 1.1.1-3+deb9u1.

We recommend that you upgrade your quagga packages.


RN-770 (CM-18462)
Security: mysql issues fixed in Cumulus VX 3.5.0: DSA-4002-1 CVE-2017-10268 CVE-2017-10378 CVE-2017-10379 CVE-2017-10384

The following security issues announced in DSA-4002-1 apply to Debian packages distributed as part of Cumulus VX. They have been fixed in the Cumulus VX 3.5.0 release (version 5.5.58-0+deb8u1 of the mysql package):

CVE-2017-10379
CVE-2017-10378
CVE-2017-10268
CVE-2017-10384


RN-771 (CM-18606)
Security: curl issue fixed in Cumulus VX 3.5.0: DSA-4007-1 CVE-2017-1000257

The following security issues announced in DSA-4007-1 apply to Debian packages distributed as part of Cumulus VX. They have been fixed in the Cumulus VX 3.5.0 release (version 7.38.0-4+deb8u8 of the curl package).

--------------------------------------------------------------------------
Debian Security Advisory DSA-4007-1 security@debian.org
https://www.debian.org/security/ Alessandro Ghedini
October 27, 2017 https://www.debian.org/security/faq
---------------------------------------------------------------------------

Package : curl
CVE ID : CVE-2017-1000257

Brian Carpenter, Geeknik Labs and 0xd34db347 discovered that cURL, an URL transfer library, incorrectly parsed an IMAP FETCH response with size 0, leading to an out-of-bounds read.

For the oldstable distribution (jessie), this problem has been fixed in version 7.38.0-4+deb8u7.

We recommend that you upgrade your curl packages.


RN-772 (CM-19011)
Security: libcurl issue fixed in Cumulus VX 3.5.0: DSA-4051 CVE-2017-8816 CVE-2017-8817

The following security issues announced in DSA-4051-1 apply to Debian packages distributed as part of Cumulus VX. They have been fixed in the Cumulus VX 3.5.0 release (version 7.38.0-4+deb8u8 of the curl and libcurl3 packages).

--------------------------------------------------------------------------
Debian Security Advisory DSA-4051-1 security@debian.org
https://www.debian.org/security/ Yves-Alexis Perez
November 29, 2017 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : curl
CVE ID : CVE-2017-8816 CVE-2017-8817

Two vulnerabilities were discovered in cURL, an URL transfer library.

CVE-2017-8816
Alex Nichols discovered a buffer overrun flaw in the NTLM authentication code which can be triggered on 32bit systems where an integer overflow might occur when calculating the size of a memory allocation.

CVE-2017-8817
Fuzzing by the OSS-Fuzz project led to the discovery of a read out of bounds flaw in the FTP wildcard function in libcurl. A malicious server could redirect a libcurl-based client to an URL using a wildcard pattern, triggering the out-of-bound read.

For the oldstable distribution (jessie), these problems have been fixed in version 7.38.0-4+deb8u8.

We recommend that you upgrade your curl packages.


RN-773 (CM-18609)
Security: wget issue fixed in Cumulus VX 3.5.0: DSA-4008-1 CVE-2017-13089 CVE-2017-13090

The following security issues announced in DSA-4008-1 apply to Debian packages distributed as part of Cumulus VX. They have been fixed in the Cumulus VX 3.5.0 release (version 1.16-1+deb8u4 of the wget package).

--------------------------------------------------------------------------
Debian Security Advisory DSA-4008-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
October 28, 2017 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : wget
CVE ID : CVE-2017-13089 CVE-2017-13090

Antti Levomaeki, Christian Jalio, Joonas Pihlaja and Juhani Eronen discovered two buffer overflows in the HTTP protocol handler of the Wget download tool, which could result in the execution of arbitrary code when connecting to a malicious HTTP server.

For the oldstable distribution (jessie), these problems have been fixed in version 1.16-1+deb8u4.

We recommend that you upgrade your wget packages.


RN-774 (CM-18676)
Security: openssl issue fixed in Cumulus VX 3.5.0: DSA-4017-1 CVE-2017-3735 CVE-2017-3736

The following security issues announced in DSA-4017-1 apply to Debian packages distributed as part of Cumulus VX. They have been fixed in the Cumulus VX 3.5.0 release (version 1.0.1t-1+deb8u7 of the openssl package).

--------------------------------------------------------------------------
Debian Security Advisory DSA-4017-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 03, 2017 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : openssl1.0
CVE ID : CVE-2017-3735 CVE-2017-3736

Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit. The Common Vulnerabilities and Exposures project identifies the following issues:

CVE-2017-3735
It was discovered that OpenSSL is prone to a one-byte buffer overread while parsing a malformed IPAddressFamily extension in an X.509 certificate.

Details can be found in the upstream advisory: https://www.openssl.org/news/secadv/20170828.txt

CVE-2017-3736
It was discovered that OpenSSL contains a carry propagation bug in the x86_64 Montgomery squaring procedure.

Details can be found in the upstream advisory: https://www.openssl.org/news/secadv/20171102.txt

We recommend that you upgrade your openssl1.0 packages.


RN-775 (CM-18752)
Security: postgresql-common issue fixed in Cumulus VX 3.5.0: DSA-4029-1 CVE-2017-8806

The following security issues announced in DSA-4029-1 apply to Debian packages distributed as part of Cumulus VX. They have been fixed in the Cumulus VX 3.5.0 release (version 165+deb8u3 of the postgresql-common package).

--------------------------------------------------------------------------
Debian Security Advisory DSA-4029-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
November 09, 2017 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : postgresql-common
CVE ID : CVE-2017-8806

It was discovered that the pg_ctlcluster, pg_createcluster and pg_upgradecluster commands handled symbolic links insecurely which could result in local denial of service by overwriting arbitrary files.

For the oldstable distribution (jessie), this problem has been fixed in version 165+deb8u3.

We recommend that you upgrade your postgresql-common packages.


RN-776 (CM-18763)
Security: postgresql issue fixed in Cumulus VX 3.5.0: DSA-4027-1 CVE-2017-15098

The following security issues announced in DSA-4027-1 apply to Debian packages distributed as part of Cumulus VX. They have been fixed in the Cumulus VX 3.5.0 release (version 9.4.15-0+deb8u1 of the postgresql-9.4 package).

--------------------------------------------------------------------------
Debian Security Advisory DSA-4027-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
November 09, 2017 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : postgresql-9.4
CVE ID : CVE-2017-15098

A vulnerability has been found in the PostgreSQL database system: Denial of service and potential memory disclosure in the json_populate_recordset() and jsonb_populate_recordset() functions.

For the oldstable distribution (jessie), this problem has been fixed in version 9.4.15-0+deb8u1.

We recommend that you upgrade your postgresql-9.4 packages.


RN-777 (CM-18907)
Security: libxml-libxml-perl issue fixed in Cumulus VX 3.5.0: DSA-4042 CVE-2017-10672 

The following security issues announced in DSA-4042-1 apply to Debian packages distributed as part of Cumulus VX. They have been fixed in the Cumulus VX 3.5.0 release (version 2.0116+dfsg-1+deb8u2 of the libxml-libxml-perl package).

--------------------------------------------------------------------------
Debian Security Advisory DSA-4042-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 19, 2017 https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package : libxml-libxml-perl
CVE ID : CVE-2017-10672
Debian Bug : 866676

A use-after-free vulnerability was discovered in XML::LibXML, a Perl interface to the libxml2 library, allowing an attacker to execute arbitrary code by controlling the arguments to a replaceChild() call.

For the oldstable distribution (jessie), this problem has been fixed in version 2.0116+dfsg-1+deb8u2.


RN-779 (CM-19181)
Active cables (10G fiber, 1G fiber, sometimes 1G RJ45) not working on Dell S4148F-ON and S4128F-ON

On Dell S4148F-ON and S4128F-ON switches, the following cables do not work on SFP ports:

  • 10G optical modules (10G SR, LR, AOC)
  • 1G optical modules (1G SX, LX, AOC)

1G copper RJ45 modules might fail, depending on how the tx_enable signal is used.

To work around this issue:

  1. In the /etc/cumulus/ports.conf file, set each of the four ports in the port group to 1G. You must set each of the ports in the port group to be 1G or slower, otherwise the auto-negotiation off setting is not accepted.
  2. On RJ45 (1G-BaseT) SFPs, set the link speed to 1000 for 1G or 100 for 100M for each of the four ports in the port group, as shown in the example commands below:
    cumulus@switch:~$ net add interface swpXX
    cumulus@switch:~$ net add interface swpXX link speed 1000
    cumulus@switch:~$ net add interface swpXX link autoneg off
    cumulus@switch:~$ net commit
    These commands create the following configuration in the /etc/network/interfaces file:
    auto swpXX
    iface swpXX
     link-speed 1000
     link-duplex full
     link-autoneg off
  3. To detect unidirectional links for 1G on fiber SFPs (1G-BaseSX, 1G-BaseLX), turn on auto-negotiation for each of the four ports in the port group, as shown in the example commands below. Auto-negotiation is not required but allows unidirectional fiber link detection. 
    cumulus@switch:~$ net add interface swpXX
    cumulus@switch:~$ net add interface swpXX link autoneg on
    cumulus@switch:~$ net commit

    These commands create the following configuration in the /etc/network/interfaces file:

    auto swpXX
    iface swpXX
      link-autoneg on

New Known Issues in Cumulus VX 3.5.0

The following issues are new to Cumulus VX and affect the current release.

Release Note ID Summary Description

RN-695 (CM-19156)
When adding an OSPF passive interface to a VRF that does not exist, ospfd crashes

Adding an OSPF passive interface to an OSPF VRF that has not been defined previously causes ospfd to crash.

To work around this issue, create the VRF before you add the passive OSPF interface.


RN-742 (CM-18742)
VRR interface MAC is missing in fdb table causing duplicate packets

When running VXLAN routing, the VRR interface MAC address is missing in the fdb table (permanent entry), which causes duplicate packets.

If you encounter this issue, update the interface configuration on all gateway VTEPs using the ifreload -a -X eth0 command.


RN-744 (CM-18986)
Unable to modify BGP ASN for a VRF associated with layer 3 VNI

After editing the frr.conf file to modify the BGP ASN for a VRF associated with a layer 3 VNI, the change is not applied.

To work around this issue, first delete the layer 3 VNI, then try to modify the BGP VRF instance.


RN-745 (CM-19033)
On Dell Z9100, 4x10G breakout not working, shows as 25G

On a Dell Z9100, the 4x10G breakout ports are not working and the speed is still set to the default of 25G.

To work around this issue, change the interface speed for each port in the /etc/cumulus/ports.conf file to 10G, then restart switchd.


RN-748 (CM-19202)
The `link autoneg off` setting not applied to the last set of interfaces in a list if OFF already set on one of the interfaces

Using NCLU to assign the link autoneg off setting to a list of interfaces fails to complete the list if one of the interfaces in the list already has the link autoneg off setting.

Cumulus Networks is currently working to fix this issue.


RN-756 (CM-19134)
Out of memory issues when running net show bgp ipv4 unicast json

When you run the net show bgp ipv4 unicast json command on a large configuration (for example, 64K routes from each of a dozen or more peers), an out of memory issue occurs.

Cumulus Networks is currently working to fix this issue. Avoid running this command on large configurations. Instead, you can run the command vtysh -c 'show bgp ipv4 unicast json'.

Previously Known Issues in Cumulus VX 3.5.0

The following issues also affect the current release.

Release Note ID Summary Description

RN-52 (CM-997, CM-1013)
Parameters like the router ID and DR priority cannot be changed while OSPFv2/v3 is running

Router ID and DR priority can only be changed by shutting down OSPFv2/v3, changing the ID, and restarting the OSPF process.

A change to the DR priority may not properly be reflected in the LSAs that are still aging out.

RN-56 (CM-343)
IPv4/IPv6 forwarding disabled mode not recognized

If either of the following is configured:

net.ipv4.ip_forward == 0 

or:

net.ipv6.conf.all.forwarding == 0 

The hardware still forwards packets if there is a neighbor table entry pointing to the destination.


RN-77 (CM-265)
New routes/ECMPs can evict existing/installed

Cumulus VX syncs routes between the kernel and the switching silicon. If the required resource pools in hardware fill up, new kernel routes can cause existing routes to move from being fully allocated to being partially allocated.

In order to avoid this, routes in the hardware should be monitored and kept below the ASIC limits.

For example, on systems with Trident+ chips, the limits are as follows:
 routes: 16384 <<<< if all routes are ipv4
 long mask routes 256 <<<< i.e., routes with a mask longer than the route mask limit
 route mask limit 64
 host_routes: 8192
 ecmp_nhs: 4044
 ecmp_nhs_per_route: 52
That translates to about 77 routes with ECMP NHs, if every route has the maximum ECMP NHs.

Monitoring this in Cumulus VX is performed via the cl-resource-query command:
cumulus@switch:~$ sudo cl-resource-query
 hosts : 3 
 all routes : 29 
 IP4 routes : 17 
 IP6 routes : 12 
 nexthops : 3 
 ecmp_groups : 0
 ecmp_nexthops : 0
 mac entries : 0 / 131072 
 bpdu entries : 500 / 512
The resource to monitor is the ecmp_nexthops. If this count is close to 4044, new ECMPs may evict existing routes.
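The check described above can be automated by parsing the cl-resource-query output and flagging any resource close to its limit. The following is an added example, not part of the original release notes: the sample text is the output shown above, the 90% threshold is an assumption, and the only external limit used is the Trident+ ecmp_nhs value of 4044 quoted in this release note (other ASICs differ).

```python
import re

# Limit for counters that cl-resource-query prints without a maximum.
# 4044 is the Trident+ ecmp_nhs limit quoted in the release note.
ASIC_LIMITS = {"ecmp_nexthops": 4044}

# Output copied from the release note above.
SAMPLE = """\
 hosts : 3
 all routes : 29
 IP4 routes : 17
 IP6 routes : 12
 nexthops : 3
 ecmp_groups : 0
 ecmp_nexthops : 0
 mac entries : 0 / 131072
 bpdu entries : 500 / 512
"""

# "name : used" or "name : used / max"
LINE = re.compile(
    r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<used>\d+)(?:\s*/\s*(?P<max>\d+))?\s*$"
)

def parse(text):
    """Return {resource: (used, limit)}; limit is None when it is unknown."""
    table = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # prompts, blank lines and anything unexpected
        name = m["name"]
        limit = int(m["max"]) if m["max"] else ASIC_LIMITS.get(name)
        table[name] = (int(m["used"]), limit)
    return table

def near_limit(text, threshold=0.9):
    """List (resource, used, limit) for resources at or above the threshold."""
    return sorted(
        (name, used, limit)
        for name, (used, limit) in parse(text).items()
        if limit and used / limit >= threshold
    )

if __name__ == "__main__":
    for name, used, limit in near_limit(SAMPLE):
        print(f"WARNING {name}: {used} of {limit} in use")
```

On the sample output this flags only the bpdu entries line (500 of 512); ecmp_nexthops is reported once it reaches 90% of 4044.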

RN-199 (CM-2624)
When a Quagga route-map is modified, the switch could use the partial map before edits are completed

Cumulus VX triggers a route-map update before the user finishes editing the route map, resulting in an incorrect route map being used. The route-map update trigger should only occur when user finishes editing the map.

Cumulus Networks is working to fix this issue.


RN-221 (CM-4501)
BGP graceful restart, including helper mode, not fully supported

If you encounter issues with this, please submit a support request and include the output from cl-support with your ticket.

RN-327 (CM-4290)
Changing the route-map parameter of the redistribute command in OSPF and BGP doesn't affect the state of the resulting redistribution in those protocols

To work around this issue, remove any old redistribute command configurations before adding a new one with or without route-map as a parameter.

For example, if OSPF has a redistribute configuration such as redistribute bgp route-map redist-map-name, you would enable redistribution without a route-map by following these steps in OSPF configuration mode:

  1. no redistribute bgp
  2. redistribute bgp

You would perform a similar sequence of commands for redistribution changes in BGP as well.


RN-382 (CM-6692)
Quagga: Removing bridge via ifupdown2 does not remove it from Quagga

Removing a bridge using ifupdown2 does not remove it from the Quagga configuration files. This issue is being investigated; however, restarting Quagga will successfully remove the bridge.

RN-384 (CM-7684)
Keeping VXLAN single-connected devices up on MLAG secondary node

In the current MLAG secondary design, if the VXLAN device is not dual-connected, it is kept in a protodown state. You can keep them up with individual IP addresses rather than anycast IPs when the peerlink is down, so that all single-connected hosts will have connectivity. Further investigation regarding this issue is underway.

RN-389 (CM-8410)
switchd supports only port 4789 as the UDP port for VXLAN packets

switchd currently allows only the standard port 4789 as the UDP port for VXLAN packets. There are cases where a hypervisor could be using a non-standard UDP port, which would cause VXLAN exchanges with the hardware VTEP to not work. In such a case, packets would not be terminated and encapsulated packets would be sent out on UDP port 4789.


RN-404 (CM-4407)
Aggregating routes in BGP with as-set can result in high CPU usage 

When BGP is configured with aggregate addresses with as-set configuration and there are many routes to be aggregated, the BGP process gets into high CPU usage.

To work around this issue, do not specify the as-set parameter for the aggregate-address configuration.


RN-409 (CM-10054)
BGP may show an inaccessible path as the best path

Existing BGP issues caused peering between a VRF device and a loopback BGP session to stay up if the loopback session doesn’t advertise its local address.

This issue will be fixed in a future release.


RN-446 (CM-10513)
Redistribute neighbor does not work with more than 1024 interfaces

The rdnbrd service crashes because it cannot work with more than 1024 interfaces.

This issue should be fixed in a future release of Cumulus VX.


RN-598 (CM-15575)
CLAGD process restarts when updating backup-ip

An error was found when an accidental change was made to the backup IP, and then corrected. ifreload -a would restart the clagd process to invoke the daemon with the new backup IP, rather than updating the backup IP with the change.

This issue is being investigated.


RN-604 (CM-15959)
ARP suppression does not work well with VxLAN A-A

In some instances, ARP requests do not get suppressed (when they ought to be) in a VxLAN A-A scenario, but instead get flooded over VxLAN tunnels. This issue is caused because there is no "control plane" syncing the snooped local neighbor entries between the CLAG pair; CLAG does not perform this sync, and neither does EVPN.

This issue is being investigated.


RN-605 (CM-15515)
Unable to change the bond-modes using ifup or ifreload

When the bond mode is changed from 802.3ad to balance-xor or vice versa using ifup bondx or ifreload -a, the bond-mode does not change, and the following error is produced:
2017-03-23 21:39:37,495:  DEBUG:      autolib.netobjects: [cumulus@127.0.0.1:1042] sudo: ('ifup bond1',)
2017-03-23 21:39:37,926:  DEBUG:      autolib.netobjects: warning: error writing to file /sys/class/net/bond1/bonding/mode([Errno 39] Directory not empty)

This issue is being addressed in a later release.


RN-606 (CM-6366)
BGP: MD5 password is not enforced for dynamic neighbors

It was determined that the MD5 password configured against a BGP listen-range peer-group (used to accept and create dynamic BGP neighbors) is not enforced. This means that connections are accepted from peers that don't specify a password; and only if they don't.

This issue is being investigated.


RN-640 (CM-16461)
Cumulus VX OVA image for VMware reboots due to critical readings from sensors

It has been verified that, after booting a Cumulus VX virtual machine running the VMware OVA image, sometimes messages from sensors appear, saying the "Avg state" is critical, with all values displayed as 100.0; then it generates a cl-support.

This issue is being investigated at this time.


RN-781 (CM-19067)
VXLAN symmetric routing: Packets are CPU forwarded after switchd restarts

When VXLAN symmetric routing is enabled, sometimes packets get forwarded to the CPU after switchd is restarted.

To work around this issue, restart the networking service:

cumulus@switch:~$ sudo systemctl restart networking

This is a known issue that should be fixed in a future version of Cumulus Linux.
