Cumulus Linux 3.7 Release Notes

Overview

These release notes support the Cumulus Linux 3.7.0, 3.7.1, and 3.7.2 releases and describe currently available features and known issues. 

Stay up to Date 

  • Sign in and click Follow above to receive a notification when we update these release notes.
  • Subscribe to our product bulletin mailing list to receive important announcements and updates about issues that arise in our products.
  • Subscribe to our security announcement mailing list to receive alerts whenever we update our software for security issues.

What's New in Cumulus Linux 3.7

Cumulus Linux 3.7.2 contains a number of new platforms, features and improvements:

Cumulus Linux 3.7.1 contains bug fixes only.

Cumulus Linux 3.7.0 contains a number of new platforms, features and improvements:

Licensing

Cumulus Linux is licensed on a per-instance basis. Each network system is fully operational, enabling any capability to be utilized on the switch with the exception of forwarding on switch panel ports. Only eth0 and console ports are activated on an un-licensed instance of Cumulus Linux. Enabling front panel ports requires a license.

After you receive a license key from Cumulus Networks or an authorized reseller, you can install the license. Follow the steps in the Cumulus Linux Quick Start Guide.

Install or Upgrade to Version 3.7

Whether you are installing Cumulus Linux 3.7 for the first time or upgrading from an earlier version, follow the steps in the Installation Management section of the Cumulus Linux User Guide.

Update a Deployment that Has MLAG Configured

If you are using MLAG to dual connect two switches in your environment, and those switches are still running Cumulus Linux 2.5 ESR or any other release earlier than 3.0.0, the switches will not be dual-connected after you upgrade the first switch. To ensure a smooth upgrade, follow the steps in the Upgrading Cumulus Linux topic of the Cumulus Linux User Guide.

Perl, Python and BDB Modules

Any Perl scripts that use the DB_File module or Python scripts that use the bsddb module do not run under Cumulus Linux 3.7.

Documentation

You can read the technical documentation here.

Issues Fixed in Cumulus Linux 3.7.2

The following is a list of issues fixed in Cumulus Linux 3.7.2 from earlier versions of Cumulus Linux. 

RN-604 (CM-15959)
ARP suppression does not work well for VXLAN active-active

In some instances, ARP requests are not suppressed in a VXLAN active-active configuration but get flooded over VXLAN tunnels instead. This issue occurs because there is no control plane syncing the snooped local neighbor entries between the MLAG pair; MLAG does not perform this sync and neither does EVPN.

This issue is fixed in Cumulus Linux 3.7.2.


RN-932 (CM-20869)
A bridge loop causes BGP EVPN to install a remote MAC as a local MAC and BGP does not recover automatically

A bridge loop causes frames that arrive through EVPN to be forwarded back to the EVPN bridge. After resolving the forwarding loop, the bridge FDB table recovers, but BGP does not recover automatically. Because the MAC appears to move rapidly, BGP installs the remote MAC as a local entry and advertises it out. Even though the bridge FDB table appears to be correct, bridged traffic destined to the misprogrammed MAC fails.

This issue is fixed in Cumulus Linux 3.7.2.


RN-938 (CM-20979)
Removing a VLAN from a bridge configured with VXLAN results in an outage

Removing a VLAN from a bridge configured with VXLAN causes a network service outage until the configuration change is reverted with the net rollback last command.

To work around this issue, remove the VNI interface first, then remove the unused VLAN from the bridge.

This issue is fixed in Cumulus Linux 3.7.2.


RN-960 (CM-21154)
Deleting an interface with the NCLU command does not remove the interface from the `frr.conf` file

When you use NCLU to delete an interface, the associated configuration is not removed from the /etc/frr/frr.conf file.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1062 (CM-22450)
Input chain ACLs do not apply in hardware on Broadcom platforms

Input chain ACLs do not apply in hardware on Broadcom platforms and input packets are processed against rules in the kernel instead. This can result in rules with the drop action not applying in hardware and the packets reaching the kernel.

This issue is fixed in Cumulus Linux 3.7.2 for platforms that do not provide native support for VXLAN routing (non-RIOT platforms).


RN-1075 (CM-21795)
On an Edgecore AS4610 or AS5812 switch, after inserting a 1G LX module or rebooting the switch with the module installed, no traffic is passed on the link if auto-negotiation is enabled

If you insert a 1G LX module into an Edgecore 4610 or 5812 switch or reboot the switch with this module installed, no traffic is passed on the switch port when auto-negotiation is enabled. Flapping the link down or up does not repair it.

To work around this issue, disable auto-negotiation, then re-enable it to repair the link; otherwise, disable auto-negotiation permanently. For example, if swp1 has the 1G module, disable then re-enable auto-negotiation as follows:

cumulus@switch:~$ net add interface swp1 link autoneg off
cumulus@switch:~$ net commit
cumulus@switch:~$ net add interface swp1 link autoneg on
cumulus@switch:~$ net commit

This issue is fixed in Cumulus Linux 3.7.2.


RN-1077 (CM-22274)
Configuration of import and export route targets for VNIs in EVPN differs between layer 2 and layer 3

To ease interoperation with non-Cumulus devices, you can configure the route-target import and export values under the layer 2 VNI EVPN configuration. However, the same configuration does not work for both layer 2 VNIs and layer 3 VNIs: set the EVPN address-family within the VNI context when configuring the route-target for a layer 2 VNI, and set the EVPN address-family without the VNI context when configuring the route-target for a layer 3 VNI.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1079 (CM-22004)
ARP reply packets are flooded to all remote VTEPs when the packet arrives on a different MLAG peer

ARP reply packets are flooded to all remote VTEPs when the ARP reply arrives on a different MLAG peer than the one where the permanent MAC exists.

To work around this issue:

  1. Manually define the MAC address for the SVI.

    The MAC address allocated to the SVI is inherited by the bridge (by default). The bridge inherits the MAC address from a physical interface (swp*). This inheritance might result in a different SVI MAC address after a reboot (for example, a configuration change might result in the port being removed from the bridge).

    For this example, the MAC address of SVI vlan123 is statically configured as sw01 = MM:MM:MM:11:11:11 and sw02 = MM:MM:MM:22:22:22.

  2. Program a static entry on sw01 pointing to sw02 over the peerlink bond in VLAN 123:
    iface vlan123
        post-up bridge fdb add MM:MM:MM:22:22:22 dev peerlink vlan 123 master static
    
  3. Configure a static MAC address on sw02 pointing to the SVI owned by sw01 over the peerlink bond in VLAN 123:
    iface vlan123
        post-up bridge fdb add MM:MM:MM:11:11:11 dev peerlink vlan 123 master static
    
  4. Repeat the steps above for each VLAN.

This issue is fixed in Cumulus Linux 3.7.2.
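The workaround above has to be repeated for every VLAN on both MLAG peers, which is error-prone by hand. The following is an added example, not Cumulus Networks code, that renders the per-VLAN `iface` stanzas for each switch from one table of SVI MAC addresses. It assumes the peerlink bond is named `peerlink` (as in the release note), that the ifupdown2 `hwaddress` keyword is used to pin the SVI MAC (step 1; this keyword choice is an assumption, not something the note prescribes), and the MAC values are constructed locally administered placeholders.

```python
"""Render the RN-1079 workaround stanzas for both MLAG peers across any
number of VLANs.  Added example; not Cumulus Networks code.

Assumptions not taken from the release note:
  * `hwaddress` pins the SVI MAC (ifupdown2 keyword);
  * the peerlink bond is named `peerlink`;
  * the MAC addresses below are constructed placeholders.
"""
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed sample: VLAN -> {switch name: SVI MAC owned by that switch}
SVI_MACS = {
    123: {"sw01": "0c:00:00:11:11:11", "sw02": "0c:00:00:22:22:22"},
    124: {"sw01": "0c:00:00:11:11:24", "sw02": "0c:00:00:22:22:24"},
}


def validate_mac(mac):
    """Normalise a MAC and reject malformed or multicast addresses, which
    must never be used as an SVI MAC or a static unicast FDB entry."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError("invalid MAC address: %r" % mac)
    if int(mac[:2], 16) & 0x01:
        raise ValueError("multicast bit set, not usable as SVI MAC: %r" % mac)
    return mac


def render_stanza(vlan, this_switch, macs, peerlink="peerlink"):
    """Render the `iface vlan<N>` stanza for one switch: pin its own SVI MAC
    (step 1) and add a static FDB entry for every peer's SVI MAC over the
    peerlink bond (steps 2 and 3)."""
    own = validate_mac(macs[this_switch])
    lines = ["iface vlan%d" % vlan, "    hwaddress %s" % own]
    for switch, mac in sorted(macs.items()):
        if switch == this_switch:
            continue
        lines.append("    post-up bridge fdb add %s dev %s vlan %d master static"
                     % (validate_mac(mac), peerlink, vlan))
    return "\n".join(lines)


def render_all(svi_macs, this_switch, peerlink="peerlink"):
    """Step 4: render the stanzas for every VLAN, for one switch."""
    return "\n\n".join(render_stanza(v, this_switch, svi_macs[v], peerlink)
                       for v in sorted(svi_macs))


if __name__ == "__main__":
    for switch in ("sw01", "sw02"):
        print("# %s" % switch)
        print(render_all(SVI_MACS, switch))
        print()
```

Run it once per switch and paste the output for that switch into its /etc/network/interfaces, then apply it with `ifreload -a`. Because the SVI MAC is pinned explicitly, it no longer depends on which physical port the bridge happens to inherit its address from after a reboot.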


RN-1081 (CM-22268)
On Mellanox switches, BFD rules configured in `00control_plane.rules` have no effect

Configuring BFD policies in the 00control_plane.rules file on Mellanox switches has no effect.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1082 (CM-22257)
You can add ports as bridge ports multiple times with NCLU

When you add ports as bridge ports multiple times with the NCLU command, the commits succeed without error.

To work around this issue, remove the extra interfaces with the net del bridge bridge ports <interface> command.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1085 (CM-22237)
NCLU SNMP configuration does not start the SNMP server

When you configure SNMP with NCLU commands, the SNMP server does not restart and you see a warning:

WARNING: snmpd is not running.  Run "journalctl -u snmpd" for error messages.

To work around this issue, start SNMP manually.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1092 (CM-22443)
IEEE 802.1X support for management VRF

Add the DAS listener service to the /etc/vrf/systemd.conf file so it can be started in the management VRF as needed.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1096 (CM-22032)
On a Trident 3 switch, cl-ecmpcalc returns a traceback error

On the Trident 3 switch, cl-ecmpcalc returns invalid entries (two entries for MAC address 00:00:00:00:00:00) that cause script failures.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1138 (CM-22484)
On a Mellanox switch, two-way ECMP with a /31 mask is not programmed correctly in hardware

On a Mellanox switch, when using an ECMP route over /31 interfaces, incorrect layer 3 neighbor and layer 3 route entries are shown. 

This issue is fixed in Cumulus Linux 3.7.2.


RN-1139 (CM-22695)
On a Trident3 switch, EVPN pings to external hosts fail when networking is restarted on an exit spine

When you use a Trident3 switch as the exit node, which is playing the role of the spine, pings to external hosts fail after a systemctl restart networking event.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1143 (CM-22631)
Adding MTU to a VLAN adds `mtu` lines for each bridge port even if they are not defined in /etc/network/interfaces

If you add the MTU to a VLAN with the NCLU net add vlan <vlan> mtu <mtu> command, Cumulus Linux adds extra mtu lines in the /etc/network/interfaces file when there are defined bridge ports that do not exist elsewhere in the file.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1148 (CM-22783)
On the Dell S5248 switch, the `net show system` command shows blank output for the CPU and Chipset values

When you run the NCLU net show system command on the Dell S5248F-ON switch, the output shows blank values for both CPU and Chipset:

cumulus@switch:~$ net show system 
Dellemc S5248F
...

Chipset:
Port Config: 48 x 25G-SFP28 & 4 x 100G-QSFP28 & 2 x 200G-QSFP-DD
CPU:
Uptime: 0:37:19.280000 

This issue is fixed in Cumulus Linux 3.7.2.


RN-1149 (CM-22748)
The `exit-vrf` line is added beneath the `vni` line within the `vrf` stanza in the vtysh configuration

When you have certain options configured (such as PIM, MSDP, or ssmping), exit-vrf is copied beneath the vni line within the vrf stanza in the running vtysh configuration and in the /etc/frr/frr.conf file. This can cause a conflict; for example, if you are running PIM in the same VRF, the vni line is added above the ip pim rp line:

vrf evpn-vrf
 vni 104001
 exit-vrf
 ip pim rp 2.2.2.2 224.0.0.0/4

This issue is fixed in Cumulus Linux 3.7.2.


RN-1154 (CM-22779)
DHCP relay core dumps when using -U and an interface with no IP address

Under certain conditions, DHCP relay produces a segmentation fault when used in an EVPN symmetric environment with the -U option.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1155 (CM-22755)
In a VXLAN/EVPN environment, packet loss is observed when an unrelated interface goes down

In a VXLAN/EVPN environment, when an unrelated interface either goes down or comes up, traffic traversing through the other underlay interface stops working for about two milliseconds.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1156 (CM-22662)
Debian Security Advisory DSA-4314 for net-snmp issues CVE-2018-18065

The following CVEs were announced in Debian Security Advisory DSA-4314-1 and affect the net-snmp package.

This issue is fixed in Cumulus Linux 3.7.2.

------------------------------------------------------------------

Debian Security Advisory DSA-4314-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

October 11, 2018 https://www.debian.org/security/faq

------------------------------------------------------------------

Package : net-snmp

CVE ID : CVE-2018-18065

Debian Bug : 910638

Magnus Klaaborg Stubman discovered a NULL pointer dereference bug in net-snmp, a suite of Simple Network Management Protocol applications, allowing a remote, authenticated attacker to crash the snmpd process (causing a denial of service).

For the stable distribution (stretch), this problem has been fixed in version 5.7.3+dfsg-1.7+deb9u1.

We recommend that you upgrade your net-snmp packages.

For the detailed security status of net-snmp, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/net-snmp

Upstream info and fix are:

https://dumpco.re/blog/net-snmp-5.7.3-remote-dos

https://sourceforge.net/p/net-snmp/code/ci/7ffb8e25a0db851953155de91f0170e9bf8c457d/


RN-1173 (CM-22917)
The `poed` service is not enabled by default on PoE platforms in Cumulus Linux 3.7

When installing a Cumulus Linux 3.6.1 through 3.7.1 image, the poed service is not enabled by default.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1174 (CM-22734)
IPv6 onlink routes are not being installed in some cases

When installing an IPv6 onlink route, if the kernel has a default route and the gateway resolves out of the default route, the route is rejected if the passed in ifindex does not match. With IPv4, the default route match is ignored and the onlink based route is installed.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1175 (CM-22508)
The `net show system` command on the Facebook Backpack generates a WARNING in netd.log

When you run the net show system command on a Facebook Backpack switch, you see an error in netd.log:

2018-09-21T03:10:20.476355+00:00 cel-bs02-fc1 netd:    INFO:  RXed: user cumulus, command "/usr/bin/net show system"
2018-09-21T03:10:20.559883+00:00 cel-bs02-fc1 netd: WARNING:  Could not detect platform information for "cel,bigstone_g_fab1"

This issue is fixed in Cumulus Linux 3.7.2.


RN-1176 (CM-22477)
BFD shares the same TRAP group as bulk IP2ME

On Mellanox switches, BFD packets share the same TRAP group (Trap Group 8) as other bulk IP2ME traffic. If traffic is flooded to the CPU (for example, because of route withdrawal) BFD packets are dropped.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1177 (CM-22459)
NCLU command fails to delete the OSPF message-digest-key from an interface in a VRF

The NCLU net del command fails to remove a message-digest-key from a subinterface in a VRF and displays an error message.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1178 (CM-22410)
Configuring BGP community-list does not enable `bgpd`

If you configure a BGP community list using NCLU, it should set bgpd=yes if it is not already enabled. Communities are only used with BGP. If you try to configure a community (or extcommunity) before enabling bgpd (either by editing the /etc/frr/daemons file or by running other BGP NCLU commands), NCLU accepts the configuration and no warning is reported when committed. However, the configuration is not accepted by FRR.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1179 (CM-22393)
NCLU support for large communities

NCLU currently supports BGP prefix filtering via community and extcommunity, but not large-community, which is common in 4-byte ASN environments.

This issue is fixed in Cumulus Linux 3.7.2. NCLU now supports large-community.


RN-1180 (CM-22087)
NCLU fails to parse when `link-speed 10` is applied

NCLU does not allow for configuration of link-speed 10 and does not parse any unrelated NCLU configuration when link-speed 10 is detected in the /etc/network/interfaces file.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1182 (CM-21856)
VXLAN-encapsulated packets are not forwarded on Mellanox Spectrum switches

On the Mellanox Spectrum switch, VXLAN-encapsulated packets are not being forwarded.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1183 (CM-19714)
The BGP martian next hop table is not updated on an interface IP address change

Configuring an IP address on any local layer 3 interface causes the interface IP address to be placed in the BGP martian next hop table. However, subsequent removal of that address from an interface does not remove it from the BGP martian next hop table.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1184 (CM-17391)
Add support for permanent MAC address sync between MLAG peers

MLAG does not sync permanent MAC addresses between peers. When nolearning is turned on, traffic with a next hop pointing to the peerlink is forwarded to the CPU and throughput is limited.

This issue is fixed in Cumulus Linux 3.7.2. Permanent MAC address sync between MLAG peers is now supported.


RN-1194 (CM-21930)
Mellanox switches prefer RMAC learned over VXLAN instead of the local permanent FDB entry

Mellanox switches prefer a MAC entry learned through the VNI over a permanent entry for the corresponding SVI.

This issue is fixed in Cumulus Linux 3.7.2.


RN-1195 (CM-23131)
MLAG AttributeError: 'NoneType' object has no attribute 'replace'

In an MLAG configuration, you might see the traceback AttributeError: 'NoneType' object has no attribute 'replace'.

This issue is fixed in Cumulus Linux 3.7.2.

New Known Issues in Cumulus Linux 3.7.2

The following issues are new to Cumulus Linux and affect the current release.

RN-1145 (CM-22560)
Debian Security Advisory DSA-4306-1 for python issues CVE-2018-1060 CVE-2018-1061 CVE-2018-1000802

The following CVEs were announced in Debian Security Advisory DSA-4306-1 and affect the python package.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4306-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

September 27, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package: python3.4

CVE ID: CVE-2018-1060 CVE-2018-1061 CVE-2018-1000802

Multiple security issues were discovered in Python: ElementTree failed to initialise Expat's hash salt, two denial of service issues were found in difflib and poplib and the shutil module was affected by a command injection vulnerability.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

This issue will be fixed in a future version of Cumulus Linux.


RN-1150 (CM-22891)
Debian Security Advisory DSA-4332-1 for ruby issues CVE-2018-16395 CVE-2018-16396

The following CVEs were announced in Debian Security Advisory DSA-4332-1 and affect the ruby package.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4332-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

November 03, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : ruby2.3

CVE ID : CVE-2018-16395 CVE-2018-16396

Several vulnerabilities have been discovered in the interpreter for the Ruby language. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2018-16395

Tyler Eckstein reported that the equality check of OpenSSL::X509::Name could return true for non-equal objects. If a malicious X.509 certificate is passed to compare with an existing certificate, there is a possibility to be judged incorrectly that they are equal.

CVE-2018-16396

Chris Seaton discovered that tainted flags are not propagated in Array#pack and String#unpack with some directives.

For the stable distribution (stretch), these problems have been fixed in version 2.3.3-1+deb9u4.

We recommend that you upgrade your ruby2.3 packages.

For the detailed security status of ruby2.3, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/ruby2.3

The 2.1 tracker for jessie is: https://security-tracker.debian.org/tracker/ruby2.1

This issue will be fixed in a future version of Cumulus Linux.


RN-1151 (CM-22956)
FRR ignores the BGP peer group password for dynamic/bgp listen range neighbors

FRR ignores a BGP password configured in a peer group that is associated with the bgp listen range. In the following example, the password cumulus has no effect on neighbors that connect in the 10.30.40.0/24 range. If the neighbor has neighbor password cumulus configured, the peering does not come up.

router bgp 65001
 neighbor LXD peer-group
 neighbor LXD remote-as external
 neighbor LXD password cumulus
 neighbor LXD timers 1 3
 neighbor LXD timers connect 3
 bgp listen limit 20
 bgp listen range 10.30.4.0/24 peer-group LXD
!

This is a known issue that is currently being investigated.
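Two entries on this page describe configuration that NCLU commits without complaint but that FRR does not honour: a peer-group password that is silently ignored for `bgp listen range` neighbors (RN-1151, above), and community lists configured while `bgpd` is still disabled (RN-1178, in the fixed-issues list). Both are worth catching in a configuration audit before they reach a switch, because in the first case dynamic neighbors are not authenticated the way the configuration suggests. The script below is an added example, not Cumulus Networks or FRR code, that parses an FRR-style config text and a `daemons` file for both conditions. The listen-range stanza is the one from RN-1151; the `FABRIC` peer-group, the community list and the `daemons` text are constructed for the example.

```python
"""Audit an FRR configuration for two pitfalls from these release notes.
Added example; not Cumulus Networks or FRR code.

  * RN-1151: a password on a peer-group reached only through
    `bgp listen range` is ignored by FRR, so dynamic neighbors in that
    range are not authenticated as the configuration suggests.
  * RN-1178: community-list / extcommunity-list / large-community-list
    entries are accepted by NCLU but rejected by FRR while bgpd=no.
"""
import re

# Constructed sample config: the LXD stanza is from RN-1151, FABRIC and the
# community list are added for the example.
FRR_CONF = """\
router bgp 65001
 neighbor LXD peer-group
 neighbor LXD remote-as external
 neighbor LXD password cumulus
 neighbor LXD timers 1 3
 neighbor LXD timers connect 3
 neighbor FABRIC peer-group
 neighbor FABRIC password fabricsecret
 neighbor swp51 interface peer-group FABRIC
 bgp listen limit 20
 bgp listen range 10.30.4.0/24 peer-group LXD
!
ip community-list standard NO-EXPORT permit 65001:100
"""

# Constructed /etc/frr/daemons content with bgpd left disabled.
DAEMONS = """\
zebra=yes
bgpd=no
ospfd=no
"""

PASSWORD_RE = re.compile(r"^neighbor (\S+) password \S+")
LISTEN_RE = re.compile(r"^bgp listen range \S+ peer-group (\S+)$")
COMMUNITY_RE = re.compile(
    r"^(?:bgp|ip)\s+(large-community-list|extcommunity-list|community-list)"
    r"\s+(?:(?:standard|expanded)\s+)?(\S+)")


def ignored_listen_passwords(conf):
    """RN-1151: names of peer-groups that carry a password and are used as
    the target of a `bgp listen range`; FRR ignores that password."""
    passworded, listen_groups = set(), set()
    for raw in conf.splitlines():
        line = raw.strip()
        m = PASSWORD_RE.match(line)
        if m:
            passworded.add(m.group(1))
        m = LISTEN_RE.match(line)
        if m:
            listen_groups.add(m.group(1))
    return sorted(listen_groups & passworded)


def daemon_enabled(daemons_text, name):
    """True if `<name>=yes` appears in an /etc/frr/daemons-style file."""
    for raw in daemons_text.splitlines():
        key, sep, value = raw.strip().partition("=")
        if sep and key.strip() == name:
            return value.strip().lower() == "yes"
    return False


def orphaned_community_lists(conf, daemons_text):
    """RN-1178: (kind, name) of community-style lists present while bgpd is
    disabled; NCLU commits them but FRR will not accept them."""
    if daemon_enabled(daemons_text, "bgpd"):
        return []
    found = []
    for raw in conf.splitlines():
        m = COMMUNITY_RE.match(raw.strip())
        if m and (m.group(1), m.group(2)) not in found:
            found.append((m.group(1), m.group(2)))
    return found


def audit(conf, daemons_text):
    """Run both checks and return the findings keyed by check name."""
    return {
        "listen_range_password_ignored": ignored_listen_passwords(conf),
        "community_lists_without_bgpd": orphaned_community_lists(conf, daemons_text),
    }


if __name__ == "__main__":
    for check, hits in audit(FRR_CONF, DAEMONS).items():
        print("%-32s %s" % (check, hits or "ok"))
```

On a switch the two inputs would be read from /etc/frr/frr.conf and /etc/frr/daemons; the sample run reports `LXD` for the first check and the `NO-EXPORT` list for the second, while `FABRIC` is not reported because it is only bound to a statically configured neighbor.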


RN-1152 (CM-22933)
The centralized EVPN gateway MAC address is not refreshed in the network when ARP suppression is enabled on the gateway

In a centralized VXLAN routing topology, the gateway advertises its MAC address to all other VTEPs. If the layer 2 network extends beyond the access layer VTEPs (for example, a KVM with a bridge running on the host), the gateway MAC address needs to be refreshed either by way of the end hosts/VMs ARPing for the gateway IP address or the network has to refresh it by way of periodic gratuitous ARP.

Currently, Cumulus Linux relies on the centralized gateway to generate gratuitous ARP (neighmgrd). However, if ARP suppression is enabled on the gateway, the gARP gets suppressed on VXLAN interfaces. As a result, the gateway MAC address might age out in the host bridge scenario and lead to an excessive unknown unicast flood within the host bridge when VMs send packets to be routed by the gateway.

If the gateway only has connections to firewalls (and is unlikely to see a massive number of ARP requests), you can work around this issue by disabling ARP suppression on the centralized gateway. In a more general topology, where the centralized gateway might also have a lot of local host connections and sees a lot of ARP requests, turning off ARP suppression might not be a desirable solution.

This is a known issue that is currently being investigated.


RN-1157 (CM-22885)
Enabling FEC causes `ifreload -a` to always invoke `ethtool --set-fec`

After FEC is enabled on an interface, ifupdown2 invokes ethtool --set-fec, even if FEC is unchanged. For Broadcom switches, this might cause a link flap.

This is a known issue that is currently being investigated.


RN-1158 (CM-22609)
Debian Security Advisory DSA-4311-1 for git issues CVE-2018-17456

The following CVEs were announced in Debian Security Advisory DSA-4311-1 and affect the git package.

-------------------------------------------------------------------

Debian Security Advisory DSA-4311-1 security@debian.org

https://www.debian.org/security/ Salvatore Bonaccorso

October 05, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------

Package : git

CVE ID : CVE-2018-17456

joernchen of Phenoelit discovered that git, a fast, scalable, distributed revision control system, is prone to an arbitrary code execution vulnerability via a specially crafted .gitmodules file in a project cloned with --recurse-submodules.

For the stable distribution (stretch), this problem has been fixed in version 1:2.11.0-3+deb9u4.

We recommend that you upgrade your git packages.

For the detailed security status of git, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/git

This issue will be fixed in a future Cumulus Linux release.


RN-1159 (CM-22441)
Debian Security Advisory DSA-4294 for ghostscript issues CVE-2018-16509 CVE-2018-16802 CVE-2018-11645

The following CVEs were announced in Debian Security Advisory DSA-4294-1 and affect the ghostscript package.

----------------------------------------------------------

Debian Security Advisory DSA-4294-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

September 16, 2018 https://www.debian.org/security/faq

----------------------------------------------------------

Package : ghostscript

CVE ID : CVE-2018-16509 CVE-2018-16802

Tavis Ormandy discovered multiple vulnerabilities in Ghostscript, an interpreter for the PostScript language, which could result in the execution of arbitrary code if a malformed Postscript file is processed (despite the dSAFER sandbox being enabled).

For the stable distribution (stretch), these problems have been fixed in version 9.20~dfsg-3.2+deb9u5.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/ghostscript

This issue will be fixed in a future Cumulus Linux release.


RN-1160 (CM-22298)
Debian Security Advisory DSA-4286-1 for curl issues CVE-2018-14618

The following CVEs were announced in Debian Security Advisory DSA-4286-1 and affect the curl package.

-------------------------------------------------------------

Debian Security Advisory DSA-4286-1 security@debian.org

https://www.debian.org/security/ Alessandro Ghedini

September 05, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------

Package : curl

CVE ID : CVE-2018-14618

Zhaoyang Wu discovered that cURL, an URL transfer library, contains a buffer overflow in the NTLM authentication code triggered by passwords that exceed 2GB in length on 32bit systems. See https://curl.haxx.se/docs/CVE-2018-14618.html for more information.

For the stable distribution (stretch), this problem has been fixed in version 7.52.1-5+deb9u7.

We recommend that you upgrade your curl packages.

For the detailed security status of curl, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/curl

This issue will be fixed in a future Cumulus Linux release.


RN-1161 (CM-22937)
NCLU SNMPv3 user configuration does not get applied correctly

NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.

To work around this issue, stop snmpd, remove the cache file, then restart snmpd.

This is a known issue that is currently being investigated.


RN-1162 (CM-22814, CM-22813)
NCLU fails to remove the BGP graceful shutdown community

The NCLU net del bgp graceful-shutdown command does not disable graceful BGP shutdown.

To work around this issue, remove the configuration from vtysh. For example:

cumulus@leaf01:~$ sudo vtysh
leaf01# conf t
leaf01(config)# router bgp 65104
leaf01(config-router)# no bgp graceful-shutdown
leaf01(config-router)# end
leaf01# wr
Note: this version of vtysh never writes vtysh.conf
Building Configuration...
Integrated configuration saved to /etc/frr//frr.conf
[OK]
leaf01# exit

When removed, the FRR configuration looks like this:

router bgp 65104
 bgp router-id 10.255.255.14
 neighbor swp51 interface remote-as external
 neighbor swp52 interface remote-as external

This is a known issue that is currently being investigated.


RN-1164 (CM-22808)
On the Trident II+ switch, `hsflowd` does not stop with the `systemctl stop hsflowd` command

When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.

This is a known issue that is currently being investigated.


RN-1165 (CM-22802)
The NCLU `bridge pvid` command does not add the interface to bridge ports

When you run the net add (bond|interface) <iface> bridge pvid command, NCLU does not add the port as a slave of the VLAN-aware bridge.

This is a known issue that is currently being investigated.


RN-1167 (CM-22794)
The Dell S5048F-ON Temp3 sensor shows as absent

The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent.

This is a known issue that is currently being investigated.


RN-1169 (CM-20053)
Recursive next hops using iBGP are marked inactive with multiple route reflectors in the path

In certain topologies that use BGP and route reflectors, next hop resolution might be impacted by advertising the spine-leaf link addresses from the leafs themselves. The problem is seen primarily with multiple links between each pair of spine and leaf switches, and redistribute connected configured on the leafs.

To work around this issue, only advertise the spine to leaf addresses from the spine switches (or use IGP for next-hop propagation). You can use network statements for the interface addresses that you need to advertise to limit the addresses advertised by the leaf switches. Or, define redistribute connected with route maps to filter the outbound updates and remove the spine to leaf addresses from being sent from the leafs.

This is a known issue that is currently being investigated.


RN-1170 (CM-22849)
An `ovs-vtepd` core dump might occur when a network event leads to an OVSDB server high availability transition

When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core dump might occur. This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network.

This is a known issue that is currently being investigated.


RN-1171 (CM-22950)
Debian Security Advisory DSA-4335-1 for nginx issues CVE-2018-16843 CVE-2018-16844 CVE-2018-16845

The following CVEs were announced in Debian Security Advisory DSA-4335-1 and affect the nginx package.

-------------------------------------------------------------------------------------

Debian Security Advisory DSA-4335-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

November 08, 2018 https://www.debian.org/security/faq

--------------------------------------------------------------------------------------

Package : nginx

CVE ID : CVE-2018-16843 CVE-2018-16844 CVE-2018-16845

Three vulnerabilities were discovered in Nginx, a high-performance web and reverse proxy server, which could result in denial of service in processing HTTP/2 (via excessive memory/CPU usage) or server memory disclosure in the ngx_http_mp4_module module (used for server-side MP4 streaming).

For the stable distribution (stretch), these problems have been fixed in version 1.10.3-1+deb9u2.

We recommend that you upgrade your nginx packages.

For the detailed security status of nginx, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/nginx

This issue will be fixed in a future Cumulus Linux release.


RN-1172 (CM-22346)
Debian Security Advisory DSA-4288-1 for ghostscript issues CVE-2018-15908 CVE-2018-15910 CVE-2018-15911 CVE-2018-16511 CVE-2018-16513 CVE-2018-16539 CVE-2018-16540 CVE-2018-16541 CVE-2018-16542 CVE-2018-16543 CVE-2018-16585

The following CVEs were announced in Debian Security Advisory DSA-4288-1 and affect the ghostscript package.

-----------------------------------------------------------------

Debian Security Advisory DSA-4288-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

September 07, 2018 https://www.debian.org/security/faq

------------------------------------------------------------------

Package : ghostscript

CVE ID : CVE-2018-15908 CVE-2018-15910 CVE-2018-15911 CVE-2018-16511 CVE-2018-16513 CVE-2018-16539 CVE-2018-16540 CVE-2018-16541 CVE-2018-16542 CVE-2018-16543 CVE-2018-16585

Tavis Ormandy discovered multiple vulnerabilities in Ghostscript, an interpreter for the PostScript language, which could result in denial of service, the creation of files or the execution of arbitrary code if a malformed Postscript file is processed (despite the dSAFER sandbox being enabled).

For the stable distribution (stretch), these problems have been fixed in version 9.20~dfsg-3.2+deb9u4.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript, refer to its security tracker page at:

https://security-tracker.debian.org/tracker/ghostscript

This issue will be fixed in a future Cumulus Linux release.


RN-1185 (CM-23062)
On the Celestica RedstoneV switch, swp14 and swp22 do not work

On the Celestica RedstoneV switch, the hardware settings are incorrect on swp14 and swp22.

This is a known issue that is currently being investigated.


RN-1186 (CM-23008)
EVPN type-5 received AS-Path prepend not propagated to IBGP peers

The as-path is not propagating for EVPN type-5 prefixes until forced with a clear.

This is a known issue that is currently being investigated.


RN-1187 (CM-23004)
Local authentication (password) is working with the local account even when the RADIUS or TACACS server is running

The local fallback account authenticates using the local password even when the RADIUS or TACACS service is up. The expected behavior is for local authentication to fail in that case and to succeed only when the RADIUS or TACACS server fails to respond.

This is a known issue that is currently being investigated.


RN-1189 (CM-19164)
Unable to ping the remote network gateway address (SVI) in a VXLAN symmetric routing configuration with distinct IPs

Currently, Cumulus Linux does not program the remote network SVI IP address in the route table. As a result, you can't ping the remote network gateway address; however, you can ping the hosts in that remote network.

This is a known issue that is currently being investigated.


RN-1190 (CM-22775)
On the Dell S5232F switch, the i2c bus might get stuck

If a pluggable module is removed from the Dell S5232F switch during a read transaction, the ocores driver gets stuck and no further i2c transactions are possible on that core.

This is a known issue that is currently being investigated.


RN-1191 (CM-22848)
Input chain ACL drop action does not drop packets if the traffic is destined to the CPU on an SVI (RIOT platforms)

On platforms that provide native support for VXLAN routing (RIOT platforms), input chain ACLs match against forward chain traffic if the traffic is routed by a VRR IP address.

This is a known issue that is currently being investigated.


RN-1192 (CM-23075)
Limitation on the number of interfaces supported in the DHCP relay file

There is a limit on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, specifying 1500 SVI interfaces causes the dhcrelay service to exit without a core file, and logs similar to the following are generated for the interfaces:

2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on   LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.

This is a known issue that is currently being investigated.


RN-1193 (CM-22951)
Unable to bring up some 10G LR interfaces on Mellanox switches

It is not currently possible to bring up some 10G LR interfaces on Mellanox switches as auto-negotiation is set to on in hardware.

This is a known issue that is currently being investigated.


RN-1198 (CM-23287)
Unable to bring up links between Intel NIC X722 LOM and Mellanox switches

There is a known issue where an Intel X722 LOM does not link when connected to a Mellanox SX or SN switch. Contact Customer Support for additional information.

Issues Fixed in Cumulus Linux 3.7.1

The following is a list of issues fixed in Cumulus Linux 3.7.1 from earlier versions of Cumulus Linux. 


RN-993 (CM-20585)
Routes learned from EVPN clouds do not get summarized

Routes that are learned from an EVPN cloud do not get summarized. Only routes that reside on, or are owned by, a switch get summarized.

This issue is fixed in Cumulus Linux 3.7.1.


RN-1080 (CM-21997)
The VRF membership for a VRR interface fails to update in the Mellanox SDK

The VRF membership for a VRR interface fails to update. This issue does not affect SVI (non-v0) interfaces.

To work around this issue, reboot the switch or remove the VRR IP address and reconfigure it. For example:

cumulus@switch:~$ net del vlan 120 ip address-virtual 
cumulus@switch:~$ net commit 
cumulus@switch:~$ net add vlan 120 ip address-virtual 00:00:00:00:01:20 10.120.0.254/24 
cumulus@switch:~$ net commit

This issue is fixed in Cumulus Linux 3.7.1.


RN-1087 (CM-22206)
Mellanox ERSPAN not working with VXLAN

On Mellanox switches, bond member interfaces are not supported as ERSPAN interfaces.

This issue is fixed in Cumulus Linux 3.7.1.


RN-1098 (CM-22069)
On Tomahawk switches, the hardware MAC entry is not updated on native VLAN changes

On a Tomahawk switch with VXLAN-enabled VLANs, if the native VLAN on a port is changed, the GPORT associated with a MAC address in that VLAN is incorrect.

This issue is fixed in Cumulus Linux 3.7.1.


RN-1100 (CM-22187)
In FRRouting, the BGP aggregate-address statement is ignored when the network statement uses the same IP address

If you start FRRouting and your configuration has a BGP IPv4 network statement that is the same as an aggregate-address statement, then the aggregate is not announced.

For example, if you have the following FRR configuration:

network 172.16.250.0/24
aggregate-address 172.16.250.0/24

Then that network is not advertised unless the exact prefix 172.16.250.0/24 is present in the RIB. The issue does not occur if the network statement does not exactly match the aggregate-address statement (supernets and subnets are not affected).

To work around this issue, remove the matching network statement.

This issue is fixed in Cumulus Linux 3.7.1.


RN-1104 (CM-22472)
MLAG anycast IP address is not applied on the secondary switch after making changes

When clagd is running and you add or modify the MLAG VXLAN anycast IP address on the loopback using NCLU or by editing the configuration file, the changes are not applied. You need to restart clagd manually for the changes to be applied.

This issue is fixed in Cumulus Linux 3.7.1.


RN-1116 (CM-22509)
FRR reload does not apply changes to BGP aggregate addresses

If you change the BGP aggregate addresses using NCLU and FRR is restarted, the configuration is accepted, but the routes do not appear in the BGP table.

To work around this issue, manually change the BGP aggregate addresses in vtysh.

This issue is fixed in Cumulus Linux 3.7.1.


RN-1125 (CM-22540)
Cumulus Linux might be unable to read certain sensors on the Dell S5248F Trident3 switch

Due to changes made to the BMC firmware, Cumulus Linux might be unable to read certain sensors correctly on the Dell S5248F Trident3 switch; for example, the CPU temperature might appear as absent.

This issue is fixed in Cumulus Linux 3.7.1.


RN-1127 (CM-22243)
On a Trident3 switch, packets received with TTL=1 destined to the CPU are marked as RX_DROPs

On the Trident3 switch, any packet received with TTL=1 and destined to the CPU is marked as dropped.

This issue is fixed in Cumulus Linux 3.7.1.


RN-1128 (CM-22630)
OSPF6 fails to start after a fresh 3.7 installation

OSPF6 fails to start on a fresh install of Cumulus Linux 3.7.

This issue is fixed in Cumulus Linux 3.7.1.

New Known Issues in Cumulus Linux 3.7.1

The following issues are new to Cumulus Linux and affect the current release.


RN-1129 (CM-22608, CM-22555)
On Mellanox Spectrum and Helix4 switches, sFlow sends malformed packets and no flow samples

Mellanox Spectrum and Helix4 switches occasionally send malformed packets and do not send any flow samples (only counters).

This is a known issue that is currently being investigated.


RN-1131 (CM-22605)
On the Dell S4048 switch, changing the eth0 link speed to 100 causes igb to crash

On a Dell S4048 switch, when you set the eth0 speed to 100, either with NCLU or by editing the /etc/network/interfaces file, the igb driver crashes, which brings down eth0.

To work around this issue:

  • If eth0 is configured in the management VRF, power cycle the switch; the eth0 configuration fails and reverts back to the default (auto-negotiation/1000).
  • If eth0 is configured in the default VRF and you power cycle after the crash, igb continues to crash on boot up (before getting to login prompt); power-cycle the switch, select the Advanced option in GRUB to boot to recovery mode, then modify the /etc/network/interfaces file.

This is a known issue that is currently being investigated.


RN-1133 (CM-22590)
NCLU `net show configuration commands` does not show output for an IPv6 rsyslog host

NCLU net show configuration commands does not display any output for IPv6 rsyslog hosts.

This is a known issue that is currently being investigated.


RN-1134 (CM-22589)
NCLU `net show configuration commands` displays a syslog command with invalid syntax

NCLU net show configuration commands displays a net add syslog command with invalid syntax. For example, if you run the following commands:

cumulus@switch:~$ net add syslog host ipv4 10.0.0.1 port udp 514
cumulus@switch:~$ net commit

then run net show configuration commands, the net add syslog command shown in the output has invalid syntax.

This is a known issue that is currently being investigated.


RN-1135 (CM-22583)
On Broadcom switches, single-tagged ARP requests received on the QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI

Single-tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI.

This is a known issue that is currently being investigated.


RN-1136 (CM-22554)
The linkstate of a bond is not updated when several members are brought down remotely at once

If you try to bring down several members of a bond remotely at the same time, the link state of one of the interfaces does not correctly transition to the down state; however, all links show down in hardware.

This is a known issue that is currently being investigated.


RN-1137 (CM-22546)
On the Facebook Voyager, the eth0 port is not visible on initial power on

The eth0 port is not visible in Cumulus Linux or the BIOS on initial boot.

To work around this issue, do a hard power reset to recover the device.

This is a known issue that is currently being investigated.


RN-1138 (CM-22484)
On a Mellanox switch, two-way ECMP with a /31 mask is not programmed correctly in hardware

On a Mellanox switch, when using an ECMP route over /31 interfaces, incorrect layer 3 neighbor and layer 3 route entries are shown.

This is a known issue that is currently being investigated.


RN-1139 (CM-22695)
On a Trident3 switch, EVPN pings to external hosts fail when networking is restarted on an exit spine

When you use a Trident3 switch as the exit node, which is playing the role of the spine, pings to external hosts fail after a systemctl restart networking event.

This is a known issue that is currently being investigated.


RN-1140 (CM-22645)
NCLU automatically creates peerlink.4094 with no regard for the configured reserved VLAN range

When you configure MLAG with NCLU, the peerlink and peerlink.4094 interfaces are created automatically; VLAN 4094 is outside the default reserved VLAN range of 3000-3999. However, when it creates the peerlink interfaces, Cumulus Linux does not check for a collision with VLANs outside the default reserved range, which matters if the reserved VLAN range has been modified.

This is a known issue that is currently being investigated.


RN-1141 (CM-22697)
NCLU adds duplicate bridge ports

When you use NCLU to add bridge ports, you can add the same ports to the bridge repeatedly. This can cause problems with automation.

This is a known issue that is currently being investigated.


RN-1142 (CM-22657)
The NCLU `net show counters json` command fails with an error

When you run the net show counters json command, you see the following error if any value is 'Unknown':

ERROR: Execution of the command failed. 
"/usr/cumulus/bin/cl-netstat -j" failed. 
Traceback (most recent call last): 
File "/usr/cumulus/bin/cl-netstat", line 292, in <module> 
cnstat_diff_print(cnstat_dict, cnstat_cached_dict, use_json) 
File "/usr/cumulus/bin/cl-netstat", line 135, in cnstat_diff_print 
print table_as_json(table) 
File "/usr/cumulus/bin/cl-netstat", line 62, in table_as_json 
header[3] : int(line[3]), 
ValueError: invalid literal for int() with base 10: 'Unknown'

To work around this issue, run the following command to clear out the semaphore file created by cl-netstat -c:

cumulus@switch:~$ rm /tmp/cl-netstat-$UID/$UID

This is a known issue that is currently being investigated.
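The traceback above shows cl-netstat calling int() on a counter column that reads 'Unknown', which aborts the whole JSON conversion. The following is an added example, not the cl-netstat code: a tolerant converter over a constructed counter table whose layout and column names are assumed, where a non-numeric counter becomes null instead of raising ValueError.

```python
"""Tolerant counter-table-to-JSON conversion.

Added example, not code from cl-netstat. The table layout and column names
are assumed; SAMPLE_TABLE is constructed, not captured from a switch.
"""
import json
from typing import Dict, Optional, Union

# Constructed sample in the spirit of cl-netstat output: one header row,
# an interface name first, counters in the middle, a flags column last.
SAMPLE_TABLE = """\
Iface   MTU   RX_OK    RX_ERR  RX_DRP   TX_OK   TX_ERR  TX_DRP  Flg
eth0    1500  123456   0       12       98765   0       0       BMRU
swp1    9216  Unknown  0       Unknown  44      0       0       BMRU
swp2    9216  7        0       0        9       0       0       BMRU
"""

Cell = Union[int, str, None]


def parse_counter(cell: str) -> Optional[int]:
    """Return the counter as an int, or None when it is not numeric.

    This is the check the traceback shows missing: int('Unknown') raises
    ValueError and takes the whole command down.
    """
    try:
        return int(cell)
    except ValueError:
        return None


def table_as_dict(table_text: str) -> Dict[str, Dict[str, Cell]]:
    """Parse a whitespace-separated counter table into {iface: {column: value}}.

    The first column is the interface name and the last is the flags string;
    everything in between is treated as a counter and passed through
    parse_counter(), so an 'Unknown' cell becomes None rather than an error.
    Rows whose width does not match the header are skipped, not guessed at.
    """
    lines = [ln for ln in table_text.splitlines() if ln.strip()]
    if not lines:
        return {}
    header = lines[0].split()
    result: Dict[str, Dict[str, Cell]] = {}
    for line in lines[1:]:
        cells = line.split()
        if len(cells) != len(header):
            continue
        row: Dict[str, Cell] = {}
        for name, cell in zip(header[1:-1], cells[1:-1]):
            row[name] = parse_counter(cell)
        row[header[-1]] = cells[-1]
        result[cells[0]] = row
    return result


def table_as_json(table_text: str) -> str:
    """JSON rendering of table_as_dict(); None serialises as null."""
    return json.dumps(table_as_dict(table_text), indent=2, sort_keys=True)


if __name__ == "__main__":
    print(table_as_json(SAMPLE_TABLE))
```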


RN-1143 (CM-22631)
Adding MTU to a VLAN adds `mtu` lines for each bridge port even if they are not defined in /etc/network/interfaces

If you add the MTU to a VLAN with the NCLU net add vlan <vlan> mtu <mtu> command, Cumulus Linux adds extra mtu lines in the /etc/network/interfaces file when there are defined bridge ports that do not exist elsewhere in the file.

This is a known issue that is currently being investigated.


RN-1146 (CM-22796)
Switch ports previously in MLAG go unexpectedly into `protodown on` state

Switch ports that are configured as MLAG interfaces, then deleted, go into protodown on state unexpectedly.

To work around this issue, turn off protodown manually with the ip link command:

cumulus@switch:~$ ip link set <interface> protodown off

This is a known issue that is currently being investigated.

Issues Fixed in Cumulus Linux 3.7.0

The following is a list of issues fixed in Cumulus Linux 3.7.0 from earlier versions of Cumulus Linux.


RN-939 (CM-20944)
On Maverick switches, random links might not come up on boot when enabling RS FEC with 100G AOC cables

On Maverick 100G switches, after enabling FEC on links with 100G AOC cables, random links do not come up after a reboot.

To work around this issue, disable FEC on 100G AOC links.

This issue is fixed in Cumulus Linux 3.7.0.


RN-943 (CM-20639)
The neighbor table and EVPN routes are not updated on receiving GARP from an IP address that moved to a new MAC address

After an IP address moves to a new host, the neighbor table and EVPN routes do not update properly when a GARP is received from the new MAC address to which the previously active IP address has moved.

This issue is fixed in Cumulus Linux 3.7.0.


RN-991 (CM-20316)
arp_accept and arp_ignore do not work for SVIs if a bridge has VXLAN interfaces

On a Cumulus Linux switch, if a bridge has VXLAN interfaces, then the arp_accept and arp_ignore options do not work for any switch virtual interfaces (SVIs).

To work around this issue, disable ARP suppression on the VXLAN interfaces. For example, if the VXLAN is named vni100, disable ARP suppression on it with the following command:

cumulus@switch:~$ net add vxlan vni100 bridge arp-nd-suppress off
cumulus@switch:~$ net commit

This issue is fixed in Cumulus Linux 3.7.0.


RN-1006 (CM-20644)
The ptp4l and phc2sys services are enabled by default resulting in repeated syslog messages

In Cumulus Linux 3.6.1 and later, the ptp4l and phc2sys services are enabled by default. If you are not using PTP or PTP is not configured, the logs are repeatedly filled with messages similar to the following.

2018-06-20T15:38:44.490543+00:00 cumulus phc2sys: [1542.230] Waiting for ptp4l...
2018-06-20T15:38:44.491160+00:00 cumulus phc2sys: [1542.230] uds: sendto failed: No such file or directory
2018-06-20T15:38:45.491747+00:00 cumulus phc2sys: [1543.231] Waiting for ptp4l...
2018-06-20T15:38:45.492259+00:00 cumulus phc2sys: [1543.231] uds: sendto failed: No such file or directory
2018-06-20T15:38:46.492925+00:00 cumulus phc2sys: [1544.233] Waiting for ptp4l...
2018-06-20T15:38:46.493440+00:00 cumulus phc2sys: [1544.233] uds: sendto failed: No such file or directory

To work around this issue in Cumulus Linux 3.6.2, add StartLimitInterval to both the ptp4l and phc2sys services as shown below:

sudo mkdir -p /etc/systemd/system/ptp4l.service.d /etc/systemd/system/phc2sys.service.d
sudo sh -c '/bin/echo -e "[Service]\nStartLimitInterval=375" > /etc/systemd/system/phc2sys.service.d/startinterval.conf'
sudo sh -c '/bin/echo -e "[Service]\nStartLimitInterval=375" > /etc/systemd/system/ptp4l.service.d/startinterval.conf'
sudo systemctl daemon-reload

This issue is fixed in Cumulus Linux 3.7.0.


RN-1040 (CM-22120)
Link down does not work on an Ethernet interface configured in the management VRF

The link-down yes configuration in the /etc/network/interfaces file does not work for eth0 or eth1 configured in the management VRF. This issue is not observed if the Ethernet interface is in the default VRF.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1041 (CM-21890)
Debian Security Advisory DSA-4259 for Ruby issues CVE-2017-17405 CVE-2017-17742 CVE-2017-17790 CVE-2018-6914 CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780 CVE-2018-1000073

The following CVEs were announced in Debian Security Advisory DSA-4259-1, and affect the ruby2.3 package.

This issue is fixed in Cumulus Linux 3.7.0.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4259-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

July 31, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package: ruby2.3

CVE ID: CVE-2017-17405 CVE-2017-17742 CVE-2017-17790 CVE-2018-6914 CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780 CVE-2018-1000073 CVE-2018-1000074 CVE-2018-1000075 CVE-2018-1000076 CVE-2018-1000077 CVE-2018-1000078 CVE-2018-1000079

Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may result in incorrect processing of HTTP/FTP, directory traversal, command injection, unintended socket creation or information disclosure.

This update also fixes several issues in RubyGems which could allow an attacker to use specially crafted gem files to mount cross-site scripting attacks, cause denial of service through an infinite loop, write arbitrary files, or run malicious code.

For the stable distribution (stretch), these problems have been fixed in version 2.3.3-1+deb9u3.

We recommend that you upgrade your ruby2.3 packages.

Note: CVE-2018-1000073 and CVE-2018-1000074 are awaiting re-analysis.

For the detailed security status of ruby2.3, refer to its security tracker page at: https://security-tracker.debian.org/tracker/ruby2.3


RN-1042 (CM-22341)
An MLAG neighsync traceback occurs when you add an SVI with the NCLU command

When you use NCLU to add an SVI to the second MLAG peer (after adding to the first), clagd issues a traceback and becomes unresponsive until systemd puts it into a failed state.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1043 (CM-22066)
NCLU commands hang without response

When you run an NCLU command from the command line, the command hangs without a response.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1044 (CM-21996)
FRR reload fails when adding a new peer group and changing AFIs

When you add a new peer group, then change the AFIs associated with that peer group, the frr-reload script fails with the error Specify remote-as or peer-group commands first.

To work around this issue, perform the configuration in two separate commits. First, create the peer groups and commit, then change the AFIs in a second commit.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1045 (CM-21969)
Incorrect BFD UDP source port range

The BFD UDP source port range is incorrect.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1046 (CM-21922)
NCLU fails to configure 4x10G breakout ports

When you configure a breakout port using NCLU, the configuration is not successful.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1047 (CM-22247)
IPv6 GUA neighbors flushed when interface is added to the existing VRF

When you add a new SVI to the switch and assign it to an existing VRF, all IPv6 global unicast address (GUA) neighbors are flushed and existing traffic between hosts in the data center is dropped.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1049 (CM-22161)
The ptmd shell environment variables are not being set correctly

When the ptmd daemon detects an LLDP neighbor change event, the respective script is executed (if-topo-pass or if-topo-fail). Environment variables are set and are accessible to the script (as described in man ptmd). However, in LLDP events, some environment variables are not getting set correctly.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1050 (CM-22146)
Repeating an existing SNMP v3 user returns an incorrect exit code

If SNMP is configured, entering the NCLU command to create an SNMP v3 user that already exists returns an exit code of 1.

To work around this issue, delete the username with the net del snmp-server username <username> command before adding it again.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1053 (CM-21806)
NCLU mistakenly believes the FRR reload state is not active and restarts the service

NCLU mistakenly believes that the FRR reload state is not active and restarts the service.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1054 (CM-21768)
On a Broadcom Trident II+ switch, VXLAN decapsulation does not work for unknown unicast flooding

On a Broadcom Trident II+ switch, VXLAN decapsulation does not work for unknown unicast flooding.

To work around this issue, disable VXLAN routing by editing the /usr/lib/python2.7/dist-packages/cumulus/__chip_config/bcm/datapath.conf file; change the vxlan_routing_overlay.profile variable to disable, then restart switchd.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1055 (CM-21692)
The Dell S5048 Tomahawk+ ASIC does not provide high power to QSFP

The Dell S5048 Tomahawk+ ASIC does not provide high power to QSFP.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1056 (CM-22147)
Debian Security Advisory DSA-4280-1 for openssh issues CVE-2018-15473

The following CVEs were announced in Debian Security Advisory DSA-4280-1, and affect the openssh package.

This issue is fixed in Cumulus Linux 3.7.0.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4280-1 security@debian.org

https://www.debian.org/security/ Sebastien Delafond

August 22, 2018 https://www.debian.org/security/faq

--------------------------------------------------------------------------

Package : openssh

CVE ID : CVE-2018-15473

Debian Bug : 906236

Dariusz Tytko, Michal Sajdak and Qualys Security discovered that OpenSSH, an implementation of the SSH protocol suite, was prone to a user enumeration vulnerability. This would allow a remote attacker to check whether a specific user account existed on the target server.

For the stable distribution (stretch), this problem has been fixed in version 1:7.4p1-10+deb9u4.

We recommend that you upgrade your openssh packages.

For the detailed security status of openssh, refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssh


RN-1057 (CM-21619)
Security: ntp issues CVE-2018-7182 CVE-2018-7183 CVE-2018-7184 CVE-2018-7185

The following CVEs affect ntp.

This issue is fixed in Cumulus Linux 3.7.0.

-------------------------------------------------------------------------

Ubuntu Security Notice USN-3707-1

July 09, 2018

ntp vulnerabilities

-------------------------------------------------------------------------

A security issue affects these releases of Ubuntu and its derivatives:

Ubuntu 18.04 LTS

Ubuntu 17.10

Ubuntu 16.04 LTS

Ubuntu 14.04 LTS

Summary: Several security issues were fixed in NTP.

Software Description: ntp: Network Time Protocol daemon and utility programs

Details:

Yihan Lian discovered that NTP incorrectly handled certain malformed mode 6 packets. A remote attacker could possibly use this issue to cause ntpd to crash, resulting in a denial of service. This issue only affected Ubuntu 17.10 and Ubuntu 18.04 LTS. (CVE-2018-7182)

Michael Macnair discovered that NTP incorrectly handled certain responses. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2018-7183)

Miroslav Lichvar discovered that NTP incorrectly handled certain zero-origin timestamps. A remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 17.10 and Ubuntu 18.04 LTS. (CVE-2018-7184)

Miroslav Lichvar discovered that NTP incorrectly handled certain zero-origin timestamps. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2018-7185)

Update instructions: The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04 LTS: ntp 1:4.2.8p10+dfsg-5ubuntu7.1

Ubuntu 17.10: ntp 1:4.2.8p10+dfsg-5ubuntu3.3

Ubuntu 16.04 LTS: ntp 1:4.2.8p4+dfsg-3ubuntu5.9

Ubuntu 14.04 LTS: ntp 1:4.2.6.p5+dfsg-3ubuntu2.14.04.13

In general, a standard system update will make all the necessary changes.

References: https://usn.ubuntu.com/usn/usn-3707-1

CVE-2018-7182, CVE-2018-7183, CVE-2018-7184, CVE-2018-7185


RN-1058 (CM-21700)
NCLU frr-reload failure returns an incorrect error code

If there is a failure when NCLU runs frr-reload.py, an incorrect error code of 0 is returned.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1059 (CM-21939)
Debian Security advisory DSA-4266-1 for kernel issues CVE-2018-13405

The following CVEs were announced in Debian Security Advisory DSA-4266-1, and affect the kernel.

This issue is fixed in Cumulus Linux 3.7.0.

-------------------------------------------------------------------------

Debian shows the CVE-2018-13405 details, including a link to the kernel.org fix, here: https://security-tracker.debian.org/tracker/CVE-2018-13405.

The kernel.org fix is here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7

Debian has the CVE-2018-5390 TCP DoS info here: https://security-tracker.debian.org/tracker/CVE-2018-5390.

CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') - CVE-2018-5390

Linux kernel versions 4.9+ can be forced to make very expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming packet which can lead to a denial of service. An attacker can induce a denial of service condition by sending specially modified packets within ongoing TCP sessions. Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port. Thus, the attacks cannot be performed using spoofed IP addresses.

https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=1a4f14bab1868b443f0dd3c55b689a478f82e72e


RN-1060 (CM-22016)
Debian Security advisory DSA-4269-1 for postgresql issues CVE-2018-10915 CVE-2018-10925

The following CVEs were announced in Debian Security Advisory DSA-4269-1 and affect the postgresql package.

CVE-2018-10925 is fixed in Cumulus Linux 3.7.0. CVE-2018-10915 will be fixed when a fix is available upstream.

-------------------------------------------------------------------------

Debian Security Advisory DSA-4269-1 security@debian.org

https://www.debian.org/security/ Moritz Muehlenhoff

August 10, 2018 https://www.debian.org/security/faq

-------------------------------------------------------------------------

Package : postgresql-9.6

CVE ID : CVE-2018-10915 CVE-2018-10925

Two vulnerabilities have been found in the PostgreSQL database system:

CVE-2018-10915

Andrew Krasichkov discovered that libpq did not reset all its connection state during reconnects.

CVE-2018-10925

It was discovered that some "CREATE TABLE" statements could disclose server memory.

For additional information, refer to the upstream announcement at https://www.postgresql.org/about/news/1878/

For the detailed security status of postgresql-9.6, refer to its security tracker page at: https://security-tracker.debian.org/tracker/postgresql-9.6

https://security-tracker.debian.org/tracker/source-package/postgresql-9.4

https://security-tracker.debian.org/tracker/CVE-2018-10915

https://security-tracker.debian.org/tracker/CVE-2018-10925

CVE-2018-10925 is listed as fixed in jessie source package: 9.4.19-0+deb8u1


RN-1061 (CM-22203)
HTTP API enabled and listening by default

By default, the nginx server that serves the HTTP API on port 8080 is enabled but is not supposed to accept external requests. However, it listens for and answers external requests.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1065 (CM-22300)
Bouncing the VNI interface causes switchd to restart

Bouncing the VNI interface on a VXLAN VTEP causes the switchd process to restart.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1072 (CM-22302)
Cumulus Networks has changed the way you enable the openvswitch-vtep service on boot

In previous versions of Cumulus Linux, the openvswitch-vtep service was enabled on boot by editing the /etc/default/openvswitch-vtep configuration file and changing the START variable to yes. In Cumulus Linux 3.7, this configuration file variable is no longer used. You now enable the openvswitch-vtep service on boot with the following commands:

cumulus@switch:~$ sudo systemctl enable openvswitch-vtep.service
cumulus@switch:~$ sudo systemctl start openvswitch-vtep.service


RN-1105 (CM-22093)
When the Mellanox switch is not licensed, the Ansible setup module might cause a kernel fault

When you start an Ansible playbook on an unlicensed Mellanox switch, a kernel fault occurs when setup script is being executed.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1106 (CM-22088, CM-21978)
After a combination of MAC and IP moves, the neighbor entry for the local host points to the old MAC address

After a sequence of MAC moves and IP moves, the leaf switches behind which the host is present point to the old MAC address associated with that IP address.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1107 (CM-22008)
The `net show config commands` command lists invalid vid and pvid configuration

If a bond is configured with NCLU, incorrect configuration is generated on the system, so that when you run net show config commands, you see a message stating that the vid and pvid commands are not supported, and incorrect commands are provided to configure them.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1108 (CM-21926)
ML2 REST API call to add a host to the bridge fails

An ML2 REST API call to add a host to the bridge fails with an error.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1109 (CM-21895)
BGPd crashes when you delete a peer (or BGP instance) with max med on startup configured while timer is running

When a BGP peer is created with max med on startup, a timer is created. Deleting the BGP instance that contains that peer during the window in which the timer is still running results in a BGPd crash.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1110 (CM-21833)
GARP messages not transmitted on a physical VLAN interface when VRR is configured

For hosts (virtual machines) that rely on VRR, it is expected that the virtual-address is periodically sent by the gateway to avoid flooding on kvm/libvirt.

Cumulus Linux sends GARP messages every 150 seconds out of the -v0 interface; the packet is not transmitted on the physical VLAN interface.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1111 (CM-21804)
mstpd prints unnecessary `bridge_notify: port ##: no_flush 0` log when there is a netlink link event

Whenever there is a netlink link event, mstpd prints an additional log: bridge_notify: port 65: no_flush 0 where 65 is the ifIndex. There are already clear logs when there is a link transition; this log is not necessary.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1112 (CM-21782)
Changing the `clagd-backup-ip address` parameter results in loss of VRF configuration

If you change the IP address of the clagd-backup-ip parameter in the configuration file and run ifreload -a, the changes are not applied and the VRF configuration is removed.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1113 (CM-21487)
ML2 traceback during `openstack network create` on OpenStack Ocata

When running the openstack network create command, you see an internal server error.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1114 (CM-19870)
Edgecore AS4610-54T always displays yellow system LED

The Edgecore AS4610-54T switch always displays a yellow system LED.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1115 (CM-14233)
clagd goes down when you apply the anycast IP address

When applying an anycast IP address in a VXLAN configuration to a pair of switches, the clagd process stops.

This issue is fixed in Cumulus Linux 3.7.0.


RN-1168 (CM-22538)
If the /etc/network/interfaces alias is different from the frr.conf description, an /etc/frr/daemons error occurs when deleting the interface

When deleting an interface using NCLU, if the /etc/network/interfaces alias is different from the /etc/frr/frr.conf description, the net commit command returns the following error:

"/etc/frr/daemons was modified by another user."

Despite this error being returned, the change still goes through, and the description gets removed from the frr.conf file.

This issue is fixed in Cumulus Linux 3.7.0.

Known Issues in Cumulus Linux 3.7.0

The following known issues affect the current release.


RN-389 (CM-8410)
switchd supports only port 4789 as the UDP port for VXLAN packets

switchd currently allows only the standard port 4789 as the UDP port for VXLAN packets. If a hypervisor uses a non-standard UDP port, VXLAN exchanges with the hardware VTEP do not work; packets are not terminated and encapsulated packets are sent out on UDP port 4789.

This is a known issue that is currently being investigated.


RN-537 (CM-12967)
Pause frames sent by a Tomahawk switch are not honored by the upstream switch

When link pause or priority flow control (PFC) is enabled on a Broadcom Tomahawk-based switch and a link is over-subscribed, so that the ASIC sends pause frames aggressively, the upstream switch does not throttle enough.

If you need link pause or PFC functionality, use a switch that does not use the Tomahawk ASIC.


RN-602 (CM-15094)
sFlow interface speed incorrect in counter samples

Counter samples exported from the switch show an incorrect interface speed.

This is a known issue that is currently being investigated.


RN-604 (CM-15959)
ARP suppression does not work well with VXLAN active-active mode

In some instances, ARP requests are not suppressed in a VXLAN active-active scenario, but instead get flooded over VXLAN tunnels. This issue is caused because there is no control plane syncing the snooped local neighbor entries between the MLAG pair; MLAG does not perform this sync, and neither does EVPN.

This is a known issue that is currently being investigated.


RN-640 (CM-16461)
Cumulus VX OVA image for VMware reboots due to critical readings from sensors

After booting a Cumulus VX virtual machine running the VMware OVA image, sometimes messages from sensors appear, indicating that the "Avg state" is critical, with all values displayed as 100.0. A cl-support is generated.

This is a known issue that is currently being investigated.


RN-656 (CM-17617)
The switchd heartbeat fails on Tomahawk switches with VXLAN scale configuration (512 VXLAN interfaces)

When a Tomahawk switch has 512 VXLAN interfaces configured, the switchd heartbeat fails. This can cause switchd to dump core.

To work around this issue, disable VXLAN statistics in switchd. Edit /etc/cumulus/switchd.conf and comment out the following line:

cumulus@switch:~$ sudo nano /etc/cumulus/switchd.conf

...

#stats.vxlan.member = BRIEF

...

Then restart switchd for the change to take effect. This causes all network ports to reset in addition to resetting the switch hardware configuration.

cumulus@switch:~$ sudo systemctl restart switchd.service
 

RN-744 (CM-18986)
Unable to modify BGP ASN for a VRF associated with layer 3 VNI

After editing the frr.conf file to modify the BGP ASN for a VRF associated with a layer 3 VNI, the change is not applied.

To work around this issue, first delete the layer 3 VNI, then try to modify the BGP VRF instance.


RN-750 (CM-17457)
On Maverick switches, multicast traffic limited by lowest speed port in the group

The Maverick switch limits multicast traffic by the lowest speed port that has joined a particular group.

This is a known issue that is currently being investigated.


RN-751 (CM-17157)
Pull source-node replication schema patch from upstream

The upstream OVSDB VTEP schema has been updated multiple times and now contains a patch to support source-node replication. This patch is not included with the latest version of Cumulus Linux.

This is a known issue that is currently being investigated.


RN-754 (CM-15812)
Multicast forwarding fails for IP addresses whose DMAC overlaps with reserved DIPs

Multicast forwarding fails for IP addresses whose DMAC overlaps with reserved DIPs.

This is a known issue that is currently being investigated.


RN-755 (CM-16855)
Auto-negotiation ON sometimes results in NO-CARRIER

If the two nodes on both sides of a link change from auto-negotiation off to auto-negotiation on within a short interval (around one second), the link might start flapping or stay down.

To work around this issue and stop the flapping, turn the link down on the switch with the command ifdown swpX, wait a few seconds, then bring the link back up with the command ifup swpX. Repeat this on the other side if necessary.


RN-757 (CM-18537)
On Mellanox switches, congestion drops not counted

On the Mellanox switch, packet drops due to congestion are not counted.

To work around this issue, run the command sudo ethtool -S swp1 to collect interface traffic statistics.


RN-758 (CM-17557)
If sFlow is enabled, some sampled packets (such as multicast) are forwarded twice

When sFlow is enabled, some sampled packets, such as IPMC, are forwarded twice (in the ASIC and then again through the kernel networking stack).

This is a known issue that is currently being investigated.


RN-760 (CM-18682)
smonctl utility JSON parsing error

There is a parsing error with the smonctl utility. In some cases when JSON output is chosen, the smonctl utility crashes. The JSON output is necessary to make the information available through SNMP.

This is a known issue that is currently being investigated.


RN-762 (CM-15677)
SBUS error warnings on Tomahawk switches

SBUS error warnings display on Tomahawk switches.

This is a known issue that is currently being investigated.


RN-764 (CM-17434)
On Broadcom switches, all IP multicast traffic uses only queue 0 

On Broadcom switches, IPv4 and IPv6 multicast traffic always maps into queue 0.

This is a known issue that is currently being investigated.


RN-766 (CM-19006)
On Broadcom Trident II+, Trident3, and Maverick platforms, in an external VXLAN routing environment, the switch does not rewrite MAC addresses and TTL, so packets are dropped by the next hop

On Broadcom Trident II+, Trident3, and Maverick based switches in an external VXLAN routing environment, when the external-facing switch (exit/border leaf) performs a lookup after VXLAN decapsulation, it does not rewrite the MAC addresses and TTL. Through traffic is therefore dropped by the next hop instead of being routed correctly from the VXLAN overlay network into a non-VXLAN external network (for example, to the Internet).

This issue affects all traffic from VXLAN overlay hosts that need to be routed after VXLAN decapsulation on an exit/border leaf, including:

  • Traffic destined to external networks (through traffic)
  • Traffic destined to the exit leaf SVI address

To work around this issue, modify the external-facing interface for each VLAN sub-interface by creating a temporary VNI and associating it with the existing VLAN ID.

For example, if the expected interface configuration is:

auto swp3.2001
iface swp3.2001
    vrf vrf1
    address 45.0.0.2/24
# where swp3 is the external facing port and swp3.2001 is the VLAN sub-interface

auto bridge
iface bridge
    bridge-vlan-aware yes
    bridge-ports vx-4001
    bridge-vids 4001

auto vx-4001
iface vx-4001
    vxlan-id 4001
    <... usual vxlan config ...>
    bridge-access 4001
# where vnid 4001 represents the L3 VNI

auto vlan4001
iface vlan4001
    vlan-id 4001
    vlan-raw-device bridge
    vrf vrf1

Modify the configuration as follows:

auto swp3
iface swp3
    bridge-access 2001
# associate the port (swp3) with bridge 2001

auto bridge
iface bridge
    bridge-vlan-aware yes
    bridge-ports swp3 vx-4001 vx-16000000
    bridge-vids 4001 2001
# where vx-4001 is the existing VNI and vx-16000000 is a new temporary VNI
# this is now bridging the port (swp3), the VNI (vx-4001),
# and the new temporary VNI (vx-16000000)
# the bridge VLAN IDs are now 4001 and 2001

auto vlan2001
iface vlan2001
    vlan-id 2001
    vrf vrf1
    address 45.0.0.2/24
    vlan-raw-device bridge
# create a VLAN 2001 with the associated VRF and IP address

auto vx-16000000
iface vx-16000000
    vxlan-id 16000000
    bridge-access 2001
    <... usual vxlan config ...>
# associate the temporary VNI (vx-16000000) with bridge 2001

auto vx-4001
iface vx-4001
    vxlan-id 4001
    <... usual vxlan config ...>
    bridge-access 4001
# where vnid 4001 represents the L3 VNI

auto vlan4001
iface vlan4001
    vlan-id 4001
    vlan-raw-device bridge
    vrf vrf1

If an MLAG pair is used instead of a single exit/border leaf, the same temporary VNIs should be added on both switches of the MLAG pair.


RN-788 (CM-19381)
dhcrelay does not bind to interfaces that have names longer than 14 characters

The dhcrelay command does not bind to an interface if the interface's name is longer than 14 characters.

To work around this issue, change the interface name to be 14 or fewer characters if dhcrelay is required to bind to it.

This is a known issue that is currently being investigated.


RN-808 (CM-15902)
In EVPN, sticky MAC addresses move from one bridge port to another

In EVPN environments, sticky MAC addresses move from one bridge port to another on soft nodes.

This is a known issue that is currently being investigated.


RN-822 (CM-19788)
Using the same VLAN ID on a subinterface and bridge VIDs for a given port is not easily corrected

If you configure a VLAN under a VLAN-aware bridge and also create a subinterface with the same VLAN ID on one of the bridge ports, the bridge and the subinterface compete for that VLAN; if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict. To work around this issue, correct the bridge VIDs and restart switchd, or delete the subinterface.

This is a known issue that is currently being investigated.


RN-823 (CM-19724)
Multicast control protocols are classified to the bulk queue by default

PIM and MSDP entries are set to the internal COS value of 6 so they are grouped together with the bulk traffic priority group in the default traffic.conf file. However, PIM, IGMP, and MSDP are considered control-plane and should be set to the internal COS value of 7.

This is a known issue that is currently being investigated.


RN-881 (CM-20665)
On Tomahawk+ switches, 100G DAC cables don’t link up on 3 out of the 6 ports when auto-negotiation is on

100G Copper Direct Attach Cables (DAC) might not link up on ports 49, 51, and 52 when auto-negotiation is set to on.

To work around this issue, disable auto-negotiation on both sides of the cables plugged into these ports or move the 100G DACs to ports 50, 53, or 54.

This is a known issue that is currently being investigated.


RN-884 (CM-20534)
Dynamic leaking of routes between VRFs occurs through the default BGP instance

The default BGP instance must be provisioned and must always exist for dynamic leaking of routes between VRFs to work properly.

This is a known issue that is currently being investigated.


RN-885 (CM-20530)
NCLU 'net show interface' command shows 'NotConfigured' for unnumbered interfaces

When an interface is configured for OSPF/BGP unnumbered, the net show interface command shows NotConfigured instead of showing that it is unnumbered.

This is a known issue that is currently being investigated.


RN-886 (CM-20508)
On Mellanox and Broadcom switches, the Cumulus-Resource-Query-MIB defines buffer utilization objects but returns nothing

The Cumulus-Resource-Query-MIB defines the ability to gather buffer utilization status but when these objects are polled, they return nothing.

This is a known issue that is currently being investigated.


RN-893 (CM-20363)
IPv6 RA should include all on-link prefixes as prefix information

IPv6 RAs from a router can be used for host auto-configuration. The main items that can be auto-configured are the on-link prefixes (which the host can use to auto-configure its addresses) and the default router; some other information can also be indicated. FRR supports advertising some of these parameters. To work around this issue, configure the prefixes explicitly for announcement through RA with the ipv6 nd prefix command.

This is a known issue that is currently being investigated.


RN-894 (CM-20177)
Inter-subnet routing intermittently stops working in a central VXLAN routing configuration

In a VXLAN centralized routing configuration, IPv6 hosts (auto-configured using SLAAC) might experience intermittent connectivity loss between VXLAN segments (inter-subnet routing) within the data center fabric (EVPN type-5 external routes are not affected). The NA message has the wrong flag set (the router flag is not set, which is incorrect behavior based on RFC 4861, Section 4.4).

To work around this issue, configure bridge-arp-nd-suppress off under VNI interfaces for all VTEP devices.

This is a known issue that is currently being investigated.


RN-896 (CM-20139)
On Mellanox switches, egress ACL (destination port matching) on bonds is not allowed

An ACL rule that matches on an outbound bond interface fails to install. For example, a rule like this fails.

[iptables]
-A FORWARD --out-interface  -j DROP

To work around this issue, duplicate the ACL rule on each physical port of the bond. For example:

[iptables]
-A FORWARD --out-interface  -j DROP
-A FORWARD --out-interface  -j DROP

This is a known issue that is currently being investigated.
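The per-port duplication described above can be generated rather than hand-copied. The following script is an added example (not Cumulus Networks' code) that reads bond membership from an /etc/network/interfaces fragment and rewrites every rule whose egress interface is a bond into one rule per member port; it assumes membership is declared with the ifupdown2 bond-slaves keyword and runs on constructed sample input.

```python
"""Expand egress iptables rules that match a bond into per-member rules.

Added example for the RN-896 workaround; not Cumulus Networks' code.
Assumptions: bond membership is declared with the ifupdown2 'bond-slaves'
keyword, and rules name the egress interface with '--out-interface' or '-o'
followed by a separate token (the '--out-interface=NAME' form is not handled).
"""
import shlex

# Constructed /etc/network/interfaces fragment (sample data, not a real switch).
SAMPLE_INTERFACES = """\
auto bond0
iface bond0
    bond-slaves swp1 swp2
    bridge-access 100

auto bond1
iface bond1
    bond-slaves swp3 swp4
"""

# Constructed cl-acltool rules file that matches on the bonds as egress ports.
SAMPLE_RULES = """\
[iptables]
-A FORWARD --out-interface bond0 -j DROP
-A FORWARD -o bond1 -p tcp --dport 179 -j ACCEPT
-A FORWARD --out-interface swp5 -j DROP
"""


def parse_bond_members(text):
    """Return {bond: [member, ...]} from interfaces(5)-style stanzas."""
    members = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("iface "):
            current = line.split()[1]
        elif current and line.startswith("bond-slaves "):
            members[current] = line.split()[1:]
    return members


def expand_bond_rules(rules_text, bond_members):
    """Rewrite each rule whose egress interface is a bond into one rule per member.

    Section headers ('[iptables]'), comments, blank lines and rules that do not
    match a bond pass through unchanged, so the output is still a rules file
    that cl-acltool can install.
    """
    out = []
    for raw in rules_text.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "[")):
            out.append(line)
            continue
        tokens = shlex.split(stripped)
        target = None
        for i, tok in enumerate(tokens):
            if tok in ("--out-interface", "-o") and i + 1 < len(tokens):
                target = i + 1
                break
        if target is None or tokens[target] not in bond_members:
            out.append(line)
            continue
        for member in bond_members[tokens[target]]:
            out.append(" ".join(tokens[:target] + [member] + tokens[target + 1:]))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(expand_bond_rules(SAMPLE_RULES, parse_bond_members(SAMPLE_INTERFACES)), end="")
```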


RN-899 (CM-20028)
On the Dell-S4148 switch, you can't configure ports on the second pipeline into a gang

On the Dell S4148 switch, when you try to configure any of the ports on the second pipeline (ports 31-54) into a gang (40G/4) through the ports.conf file, switchd fails.

This is a known issue that is currently being investigated.


RN-900 (CM-20026)
OSPF default-information originate stops working if removed and added in quick succession

When OSPF is originating a default route and the command is removed from the process and then re-added, the router stops advertising the default route. Configuring the default-information originate command a second time causes it to start working again.

This is a known issue that is currently being investigated.


RN-901 (CM-19936)
'rdnbrd' should not be enabled with EVPN

If you start rdnbrd in an EVPN configuration, local and remote neighbor entries are deleted. Enabling rdnbrd in an EVPN configuration is not supported.


RN-903 (CM-19643)
Disabling 'bgp bestpath as-path multipath relax' still leaves multipath across AS for EVPN

When BGP multipath is enabled, EVPN prefix (type-5) routes imported into a VRF always form multipath across paths that originate even from a different neighbor AS. This happens even if the as-path-relax configuration is disabled or not applied.

This is a known issue that is currently being investigated.


RN-932 (CM-20869)
Bridge loop causes BGP EVPN to install remote MAC as a local MAC and does not recover automatically

A bridge loop causes frames that arrive through EVPN to be forwarded back to the EVPN bridge. After resolving the forwarding loop, the bridge FDB table recovers, but BGP does not recover automatically. Because the MAC appears to move rapidly, BGP installs the remote MAC as a local entry and advertises it out. Even though the bridge FDB table appears to be correct, bridged traffic destined to the misprogrammed MAC fails.

This is a known issue that is currently being investigated.


RN-938 (CM-20979)
Removing a VLAN from a bridge configured with VXLAN results in an outage

Removing a VLAN from a bridge configured with VXLAN causes a network service outage until the configuration change is reverted with the net rollback last command.

To work around this issue, remove the VNI interface first, then remove the unused VLAN from the bridge.

This is a known issue that is currently being investigated.


RN-940 (CM-20813)
On Mellanox switches, packets are not mirrored on matching '--out-interface bond0' SPAN rules

Span rules that match the out-interface as a bond do not mirror packets.

This is a regression of an earlier issue and is being investigated at this time.


RN-941 (CM-20806)
When configuring layer 2 VPN EVPN in vtysh, if the route-target matches the VNI and AS number, the configuration does not display the route target

When configuring layer 2 VPN EVPN in vtysh, if a route-target matches both the AS number and the VNI number, the route target does not display in the configuration. This is currently the default behavior.

This is a known issue that is currently being investigated.


RN-942 (CM-20693)
In NCLU, you can only set the community number in a route map

In NCLU, you can only set the community number in a route map. You cannot set other community options such as no-export, no-advertise, or additive.

This is a known issue that is currently being investigated.


RN-948 (CM-17494)
The default arp_ignore mode does not prevent reachable neighbor entries for hosts not on the connected subnet

In certain cases, a peer device sends an ARP request from a source IP address that is not on the connected subnet and the switch creates a STALE neighbor entry. Eventually, the switch attempts to keep the entry fresh and sends ARP requests to the host. If the host responds, the switch has REACHABLE neighbor entries for hosts that are not on the connected subnet.

To work around this issue, change the value of arp_ignore to 2. See Default ARP Settings in Cumulus Linux for more information.


RN-953 (CM-21082)
Virtual device counters not working as expected

Virtual device counters are not working as expected. The TX counter increments but the RX counter does not.

This is a known issue that is currently being investigated.


RN-989 (CM-9695)
cl-resource-query: ACL metrics are displayed as 0 on a Mellanox switch

ACL-related metrics reported by cl-resource-query on a Mellanox MLX-2700 switch return all ACL metrics as 0. For example:

cumulus@mlx-2700-08:~$ sudo cl-resource-query 
Host entries:              34,   0% of maximum value   5120
IPv4 neighbors:             8
IPv6 neighbors:            13
IPv4 entries:           32768,  82% of maximum value  39936
IPv6 entries:               0,   0% of maximum value  15360
IPv4 Routes:            32768
IPv6 Routes:                0
Total Routes:           32768, 100% of maximum value  32768
ECMP nexthops:             64,   0% of maximum value 209664
MAC entries:                0,   0% of maximum value 409600
Ingress ACL entries:        0,   0% of maximum value      0
Ingress ACL counters:       0,   0% of maximum value      0
Ingress ACL meters:         0,   0% of maximum value      0
Ingress ACL slices:         0,   0% of maximum value      0
Egress ACL entries:         0,   0% of maximum value      0
Egress ACL counters:        0,   0% of maximum value      0
Egress ACL meters:          0,   0% of maximum value      0
Egress ACL slices:          0,   0% of maximum value      0

To work around this issue, run the Mellanox sx_api_resource_manager_dump_all.py debug utility:

cumulus@mlx-2700-08:~$ sudo sx_api_resource_manager_dump_all.py > tmp-cl-resq
cumulus@mlx-2700-08:~$ cat tmp-cl-resq
[+] opening sdk 
[0/1847] sx_api_open handle:0x14c3724 , rc 0
HW Table Utilization
Utilization for HW resource TCAM is 42.9
Utilization for HW resource KVD Hash is 69.9
Utilization for HW resource KVD Linear is 49.9
Utilization for HW resource PGT is 0.0
Utilization for HW resource Flow Counter is 0.0
Utilization for HW resource ACL Regions is 1.0
Logical Free Entries Count
============================================================
| Resource                    | Free Entries |
============================================================
| UC MAC Table                |        67181 |
| MC MAC Table                |        67181 |
| FIB IPV4 UC Table           |       132628 |
| FIB IPV6 UC Table           |        95802 |
| FIB IPV4 MC Table           |         2288 |
| ARP IPV4 Table              |        32569 |
| ARP IPV6 Table              |        12292 |
| Unicast Adjacency Table     |         8197 |
| L2 MC VECTORS Table         |         6999 |
| ACL Extended Actions Table  |         8197 |
| ACL PBS Table               |         8197 |
| eRIF List                   |         8197 |
| ILM Table                   |        67181 |
| VLAN Table                  |            1 |
| VPorts Table                |        67181 |
| FID Table                   |        16362 |
| Policy Based MPLS ILM Table |         8197 |
| ACL Regions                 |          396 |
| ACL Rules 18B Key           |         2254 |
| ACL Rules 32B Key           |         1024 |
| ACL Rules 54B Key           |         1022 |
| RIF Counter Basic           |         3276 |
| RIF Counter Enhanced        |         1092 |
| Flow Counter                |         2048 |
| ACL GROUPS Table            |          396 |
Logical Table Utilization
================================================================================================
| Resource                    | HW Table        | Logical Entries | HW Entries | Utilization(%) |
================================================================================================
| UC MAC Table                | KVD Hash        |              43 |         43 |            0.0 |
| FIB IPV4 UC Table           | KVD Hash        |              89 |      65790 |           26.5 |
| FIB IPV6 UC Table           | KVD Hash        |              51 |      28926 |           11.6 |
| FIB IPV4 MC Table           | TCAM            |               0 |        192 |            1.1 |
| ARP IPV4 Table              | KVD Hash        |             199 |      32768 |           13.2 |
| ARP IPV6 Table              | KVD Hash        |            4092 |      32768 |          179.6 |
| Unicast Adjacency Table     | KVD Linear      |            8187 |       8187 |           49.9 |
| VPorts Table                | KVD Hash        |               0 |         22 |            0.0 |
| FID Table                   | KVD Hash        |              22 |         22 |            0.0 |
| ACL Regions                 | ACL Regions     |               4 |          4 |            1.0 |
| ACL Rules 18B Key           | TCAM            |               2 |         64 |            0.3 |
| ACL Rules 54B Key           | TCAM            |               2 |       5760 |           35.1 |
| ACL GROUPS Table            | ACL Group Table |               4 |        400 |          100.0 |
cumulus@mlx-2700-08:~$

This is a known issue that is currently being investigated.


RN-993 (CM-20585)
Routes learned via EVPN clouds do not get summarized

Routes that are learned from an EVPN cloud don't get summarized. Only routes that reside on or are owned by a switch get summarized.

This is a known issue and should be fixed in a future release of Cumulus Linux.


RN-994 (CM-21332)
switchd doesn't assign a gport for a VLAN subinterface

When two VLAN subinterfaces are bridged to each other in a traditional mode bridge, switchd doesn't assign a gport to the subinterface, even though a gport is expected for each VLAN subinterface.

To work around this issue, you can do one of two things:

  • Add a VXLAN interface to the bridge; it does not require a real tunnel IP address.
  • Separate the ingress and egress functions across two physical ports.

This is a known issue that is currently being investigated.


RN-995 (CM-21373)
Debian Security advisory DSA-4231-1/CVE-2018-0495 for libgcrypt20 package

Debian issued the following security advisory, DSA-4231-1, which affects the libgcrypt20 package. This advisory applies only to the Debian Stretch release.

Debian Jessie, upon which Cumulus Linux 3.0 - 3.6.2 is based, is vulnerable, but the vulnerability has not been fixed upstream in Debian yet.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4231-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 17, 2018                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : libgcrypt20
CVE ID         : CVE-2018-0495

It was discovered that Libgcrypt is prone to a local side-channel attack allowing recovery of ECDSA private keys.

For the stable distribution (stretch), this problem has been fixed in version 1.7.6-2+deb9u3.

We recommend that you upgrade your libgcrypt20 packages.

For the detailed security status of libgcrypt20 please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/libgcrypt20

This issue will be fixed in a future version of Cumulus Linux when a fix is made available for Debian Jessie.


RN-996 (CM-21379)
Floating static route is not installed into the FIB when the primary route becomes unavailable

If a primary route becomes unavailable (for example, you run ifdown on the switch port), the backup route remains inactive and is not installed into the FIB.

To work around this issue, configure routes as ECMP:

cumulus@switch:~$ net del routing route 4.1.1.0/24 1.1.1.1 10
cumulus@switch:~$ net add routing route 4.1.1.0/24 1.1.1.1
cumulus@switch:~$ net commit

This is a known issue that is currently being investigated.


RN-997 (CM-21393)
A VXLAN implementation is using a UDP source port lower than 1024

Because VXLAN encapsulation uses the full range of source ports, Cumulus Linux switches can generate packets with UDP source ports lower than 1023. This might cause the traffic to be mishandled in your network if you have rules that treat this port range differently; for example, you might have DSCP set up for this port range.

To work around this issue, avoid using the well-known port range for sourcing VXLAN traffic.

This is a known issue that is currently being investigated.


RN-998 (CM-21398)
Creating a MGMT ACL via NCLU results in a FORWARD entry

If you use NCLU to configure an ACL for eth0, you cannot designate it as an INPUT rule; the rule is automatically created as a FORWARD rule in the /etc/cumulus/acl/policy.d/50_nclu_acl.rules file.

This is a known issue that is currently being investigated.


RN-1000 (CM-21454)
Creating a new traditional mode bridge causes temporary traffic loss

Sometimes when creating a new bridge in traditional mode, an outage of 20-30 seconds can occur when running ifreload. This issue is more noticeable if you add and remove traditional bridges multiple times a day. The outage is long enough to drop BGP and OSPF sessions running through the switch. However, ifreload debug logs show that everything is normal and that no interfaces go down.

This is a known issue that is currently being investigated.


RN-1002 (CM-21556)
FRR next-hop resolution changes are not updated when applying a VRF to an interface after routes are configured in FRR

When adding new SVIs and static VRF routes in FRR, the appropriate VRF is applied to the interface in the kernel after the static routes are configured in FRR. When the kernel interface changes to the appropriate VRF, FRR next-hop resolution is not updated with the valid connected next-hop interface.

To work around this issue, remove and re-add the static routes.

This is a known issue that is currently being investigated.


RN-1003 (CM-21511)
IGMP queries are not sent if a VXLAN is declared before the bridge in /etc/network/interfaces

If a VNI is configured before the bridge in /etc/network/interfaces, the switch does not send IGMP queries.

To work around this issue, edit the /etc/network/interfaces file to define the bridge before the VNI. For example:

# The primary network interface
auto eth0
iface eth0 inet dhcp

auto lo
iface lo inet loopback
    address 10.26.10.11/32

auto swp9
iface swp9
    bridge-access 100

auto swp10
iface swp10
    bridge-access 100

auto bridge
iface bridge
    bridge-ports swp9 swp10 vni-10
    bridge-vids 100
    bridge-vlan-aware yes
    bridge-mcquerier 1

auto vni-10
iface vni-10
    vxlan-id 10
    vxlan-local-tunnelip 10.0.0.11
    bridge-access 100

auto bridge.100
vlan bridge.100
    bridge-igmp-querier-src 123.1.1.1

auto vlan100
iface vlan100
    address 10.26.100.2/24
    vlan-id 100
    vlan-raw-device bridge

This is a known issue that is currently being investigated.
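To catch this ordering problem before running ifreload, the following added example (not Cumulus Networks' code) parses an /etc/network/interfaces fragment, reports every VXLAN stanza declared before the bridge that lists it in bridge-ports, and moves the offending stanza after its bridge. It assumes each auto line sits in the same blank-line-separated block as its iface stanza and runs on constructed sample input.

```python
"""Find and fix VXLAN stanzas declared before their bridge (RN-1003).

Added example, not Cumulus Networks' code. A VNI is any stanza carrying a
'vxlan-id' option; it is flagged when it appears before the bridge stanza
whose 'bridge-ports' lists it. Assumes each 'auto NAME' line sits in the
same blank-line-separated block as its 'iface NAME' (or 'vlan NAME') stanza.
"""
import re

STANZA_RE = re.compile(r"^(iface|vlan)\s+(\S+)")

# Constructed sample: the VNI is declared before the bridge (triggers the issue).
SAMPLE_BAD = """\
auto vni-10
iface vni-10
    vxlan-id 10
    vxlan-local-tunnelip 10.0.0.11
    bridge-access 100

auto bridge
iface bridge
    bridge-ports swp9 swp10 vni-10
    bridge-vids 100
    bridge-vlan-aware yes
    bridge-mcquerier 1
"""

# Constructed sample: the same stanzas in the working order.
SAMPLE_GOOD = """\
auto bridge
iface bridge
    bridge-ports swp9 swp10 vni-10
    bridge-vids 100
    bridge-vlan-aware yes
    bridge-mcquerier 1

auto vni-10
iface vni-10
    vxlan-id 10
    vxlan-local-tunnelip 10.0.0.11
    bridge-access 100
"""


def parse_stanzas(text):
    """Return [(name, {option: value}), ...] in file order."""
    stanzas = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("auto "):
            continue
        match = STANZA_RE.match(line)
        if match:
            current = {}
            stanzas.append((match.group(2), current))
        elif current is not None:
            key, _, value = line.partition(" ")
            current[key] = value.strip()
    return stanzas


def vni_before_bridge(text):
    """Return [(vni, bridge), ...] for every VNI declared before its bridge."""
    stanzas = parse_stanzas(text)
    position = {name: i for i, (name, _) in enumerate(stanzas)}
    vnis = {name for name, opts in stanzas if "vxlan-id" in opts}
    problems = []
    for bridge, opts in stanzas:
        for port in opts.get("bridge-ports", "").split():
            if port in vnis and position[port] < position[bridge]:
                problems.append((port, bridge))
    return problems


def split_blocks(text):
    """Split the file into blank-line separated blocks of lines."""
    blocks, current = [], []
    for line in text.splitlines():
        if line.strip():
            current.append(line)
        elif current:
            blocks.append(current)
            current = []
    if current:
        blocks.append(current)
    return blocks


def block_name(block):
    """Name of the iface/vlan stanza inside a block, or None."""
    for line in block:
        match = STANZA_RE.match(line.strip())
        if match:
            return match.group(2)
    return None


def move_vnis_after_bridges(text):
    """Return the file text with each offending VNI block placed after its bridge."""
    blocks = split_blocks(text)
    for vni, bridge in vni_before_bridge(text):
        names = [block_name(b) for b in blocks]
        vni_block = blocks.pop(names.index(vni))
        names = [block_name(b) for b in blocks]
        blocks.insert(names.index(bridge) + 1, vni_block)
    return "\n\n".join("\n".join(b) for b in blocks) + "\n"


if __name__ == "__main__":
    for vni, bridge in vni_before_bridge(SAMPLE_BAD):
        print(f"{vni} is declared before {bridge}; IGMP queries will not be sent")
    print(move_vnis_after_bridges(SAMPLE_BAD), end="")
```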


RN-1004 (CM-21496)
Scalability of redistribute neighbor limits the number of supported hosts

A Cumulus Linux switch cannot manage Docker containers running on 500 hosts. Entries in table 10 start to expire and are removed from the table.

To work around this issue, modify the ebtable rules for set-rate and set-burst, increasing their values until the issue is resolved. For example, configure set-rate=1200 and set-burst=300.

This is a known issue that is currently being investigated.


RN-1027 (CM-21707)
On Maverick switches, enabling auto-negotiation on 10G (all) and 1G SFP RJ45 breaks the link

On a Maverick switch, if auto-negotiation is configured on a 10G interface and the installed module does not support auto-negotiation (for example, 10G DAC, 10G Optical, 1G RJ45 SFP), the link breaks.

To work around this issue, disable auto-negotiation on interfaces where it is not supported. See the Interface Configuration Recommendations for information about configuring auto-negotiation.

This is a known issue that is currently being investigated.


RN-1039 (CM-22045)
SNMPv3 Trap passwords and encryption keys longer than 16 characters might cause snmpd to core dump

SNMPv3 TRAP passwords or encryption keys longer than 16 characters might result in a core dump. For example:

net add snmp-server trap-destination 3.3.3.3 username 
verlongtrapusername auth-md5 verylongmd52345678901234567890 
encrypt-aes verylongencrypt567890123456789012345678 
engine-id 0x80001f8880f49b75319690895b00000000

# this results in a core dump:
root@cel-redxp-01:/home/cumulus# systemctl status  snmpd
   snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
   Loaded: loaded (/lib/systemd/system/snmpd.service; enabled)
   Active: failed (Result: core-dump) since Wed 2018-09-05 16:18:05 UTC; 1min 25s ago
  Process: 21163 ExecStart=/usr/sbin/snmpd $SNMPDOPTS -f (code=dumped, signal=SEGV)
 Main PID: 21163 (code=dumped, signal=SEGV)
Sep 05 16:18:05 cel-redxp-01 systemd[1]: Started Simple Network Management Protocol (SNMP) Daemon..
Sep 05 16:18:05 cel-redxp-01 systemd[1]: snmpd.service: main process exited, code=dumped, status=11/SEGV
Sep 05 16:18:05 cel-redxp-01 systemd[1]: Unit snmpd.service entered failed state.

To work around this issue, use SNMPv3 TRAP passwords and encryption keys that are 16 characters or shorter.

This is a known issue that is currently being investigated.


RN-1051 (CM-21678)
On Dell switches with Maverick ASICs, "Die Temp Sensor" errors are seen and the state changes to ABSENT

On a Dell switch with a Maverick ASIC, NetQ might receive false alerts like the following via PagerDuty:

cumulus@switch:~$ netq show sensors temp changes | grep absent | grep -v psu 
P2Leaf01 temp9 networking asic die temp sensor absent 43 105 100 5 Unable to find driver path: /cumulu Add 7d:22h:1m:41s 
P2Leaf01 temp6 networking asic die temp sensor absent 45 105 100 5 Unable to find driver path: /cumulu Add 7d:22h:1m:41s 
P2Leaf01 temp6 networking asic die temp sensor absent 47 105 100 5 Unable to read temp4_highest Add 9d:23h:26m:6s 
P2Leaf01 temp6 networking asic die temp sensor absent 45 105 100 5 Unable to read temp4_highest Add 14d:22h:46m:45s 
MSpine01 temp10 networking asic die temp sensor absent -273 105 100 5 Unable to read temp8_input Add 17d:20h:59m:31s 
P1Leaf01 temp10 networking asic die temp sensor absent 44 105 100 5 Unable to find driver path: /cumulu Add 7d:22h:29m:19s 
P1Leaf01 temp10 networking asic die temp sensor absent 43 105 100 5 Unable to find driver path: /cumulu Add 13d:18h:29m:27s 

This message might occur as a result of a timeout at the hardware level, or the switch might be reporting a failure to get a response.

This is a known issue that is currently being investigated.


RN-1062 (CM-22450)
Input chain ACLs do not apply in hardware on Broadcom platforms

Input chain ACLs do not apply in hardware on Broadcom platforms and input packets are processed against rules in the kernel instead. This can result in rules with the drop action not applying in hardware and the packets reaching the kernel.

This is a known issue that is currently being investigated.


RN-1063 (CM-22386)
In OVSDB server high availability mode, the host receives duplicate BUM packets from the service node on VX

The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peerlink. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptables redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.

This is a known issue that is currently being investigated.


RN-1064 (CM-22350)
clagd runs out of memory and crashes due to an unhandled exception

The clagd process runs out of memory and crashes because of an unhandled exception.

This is a known issue that is currently being investigated.


RN-1066 (CM-22290)
With dynamic route leaking, software forwarding of packets between connected source and destination fails

When using dynamic route leaking, software forwarding of packets fails between the connected source and destination.

To work around this issue, configure the leak on a switch that does not have any locally-connected hosts.

This is a known issue that is currently being investigated.


RN-1067 (CM-22287)
Traffic stops for about four seconds when the ECMP link goes down

When a layer 3 ECMP path is brought down on the EdgeCore AS7712 (Tomahawk) switch running in atomic mode, traffic traversing the path stops working for about four seconds. When the switch is changed to non-atomic mode, the delay is less than one second. This issue is seen across OSPF and static ECMP routes.

To work around this issue, change the ACL mode to non-atomic.

This is a known issue that is currently being investigated.


RN-1068 (CM-21780)
Interface not mapped to VRF when added to bridge

In certain configurations, VNIs do not get mapped to the VRF.

To work around the issue, remove the VRF and add it back again to the VLAN associated with the VNI.

This is a known issue that is currently being investigated.


RN-1069 (CM-21781)
The clagd service remains in a failed state when the peerlink's parent interface does not exist

The clagd service can get stuck in a reset or failed state (status = -1) when the parent interface of the peerlink does not exist.

To work around this issue, restart the clagd service:

cumulus@switch:~$ sudo systemctl restart clagd.service

This is a known issue that is currently being investigated.


RN-1070 (CM-22371)
Improperly directed traffic when there is a change of input interface for PBR on the Spectrum ASIC

When programming policy-based routing (PBR), if you change the input interface from a physical interface to a subinterface, the traffic is not properly redirected. You must flap the nexthop interface to reprogram the PBR.

This is a known issue that is currently being investigated.


RN-1071 (CM-22345)
Redirected traffic increments INPUT ACL rule counter but does not perform an action

If a packet to an unknown IP address (but known network) enters the switch and matches an INPUT ACL rule, it is redirected for ARP and the counters increment for that rule, but it does not perform the action. This only happens until the ARP reply is sent, and then the traffic is forwarded properly.

To work around this issue, change the rules to INPUT,FORWARD instead of INPUT. Drops should then be logged properly.

This is a known issue that is currently being investigated.


RN-1073 (CM-22301)
Multicast packets exiting tunnels and going to the CPU might need separate policers on Broadcom VXLAN RIOT

For an unresolved address, the IPROUTER default policer rule has been modified to not match on packets exiting a TUNNEL and headed to the CPU to resolve the address via ARP. As a result, the following default rule no longer matches TUNNEL ingress packets.

-A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100

These packets are now policed by catch all rules.

To work around this issue, the VPORT value on a TRIDENT switch must be changed from binary 011 to 100.

This is a known issue that is currently being investigated.


RN-1074 (CM-22145)
The `net show configuration files` command does not include /etc/restapi.conf

The /etc/restapi.conf file is not listed in the net show configuration files command output.

This is a known issue that is currently being investigated.


RN-1075 (CM-21795)
On an Edgecore AS4610 or AS5812, after inserting a 1G LX module or rebooting the switch with it installed, no traffic is passed on the link if autoneg is enabled

If you insert a 1G LX module into an Edgecore 4610 or 5812 switch or reboot the switch with this module installed, no traffic is passed on the switch port when auto-negotiation is enabled. Flapping the link down or up does not repair it.

To work around this issue, disable auto-negotiation, then re-enable it to repair the link; otherwise, disable auto-negotiation permanently. For example, if swp1 has the 1G module, disable then re-enable auto-negotiation as follows:

cumulus@switch:~$ net add interface swp1 link autoneg off
cumulus@switch:~$ net commit
cumulus@switch:~$ net add interface swp1 link autoneg on
cumulus@switch:~$ net commit

This is a known issue that is currently being investigated.


RN-1076 (CM-22138)
The `net show system` command does not show port and chip information on the Edgecore OMP-800 switch

When you run the NCLU net show system command or the NetQ netq inventory command on the Edgecore OMP-800 switch, the output does not show any port or chip information.

This is a known issue that is currently being investigated.


RN-1077 (CM-22274)
Configuration of import and export route targets for VNIs in EVPN differs between layer 2 and layer 3

To ease interoperation with non-Cumulus devices, it is possible to configure the route-target import and export values under the layer 2 VNI EVPN configuration. The same configuration does not work for both layer 2 VNI and layer 3 VNI. Set the EVPN address-family within the VNI context when configuring the route-target in layer 2 VNI. Set the EVPN address-family without the VNI context when configuring the route-target in layer 3 VNI.

This is a known issue that is currently being investigated.


RN-1078 (CM-22157)
On the Tomahawk+ switch, switchd fails on restart after configuring 2x50G in ports.conf

On Tomahawk+ switches, the switchd process is unable to restart after configuring 2x25G in the /etc/cumulus/ports.conf file.

This is a known issue that is currently being investigated.


RN-1079 (CM-22004)
ARP reply packets are flooded to all remote VTEPs when the packet arrives on a different MLAG peer

ARP reply packets are flooded to all remote VTEPs when the ARP reply arrives on a different MLAG peer than the one where the permanent MAC exists.

To work around this issue:

    1. Manually define the MAC address for the SVI.
      The MAC address allocated to the SVI is inherited by the bridge (by default). The bridge inherits the MAC address from a physical interface (swp*). This inheritance might result in a different SVI MAC address after a reboot (for example, a configuration change might result in the port being removed from the bridge).
      For this example, the MAC address of SVI vlan123 is statically configured as sw01 = MM:MM:MM:11:11:11 and sw02 = MM:MM:MM:22:22:22.
    2. Program a static entry on sw01 pointing to sw02 over the peerlink bond in VLAN 123:
      iface vlan123
          post-up bridge fdb add MM:MM:MM:22:22:22 dev peerlink vlan 123 master static
    3. Configure a static MAC address on sw02 pointing to the SVI owned by sw01 over the peerlink bond in VLAN 123:
      iface vlan123
          post-up bridge fdb add MM:MM:MM:11:11:11 dev peerlink vlan 123 master static
    4. Repeat steps above for each VLAN.

This is a known issue that is currently being investigated.


RN-1080 (CM-21997)
The VRF membership for a VRR interface fails to update in the Mellanox SDK

The VRF membership for a VRR interface fails to update. This issue does not affect SVI (non-v0) interfaces.

To work around this issue, reboot the switch or remove the VRR IP address and reconfigure it. For example:

cumulus@switch:~$ net del vlan 120 ip address-virtual 
cumulus@switch:~$ net commit 
cumulus@switch:~$ net add vlan 120 ip address-virtual 00:00:00:00:01:20 10.120.0.254/24 
cumulus@switch:~$ net commit

This is a known issue that is currently being investigated.


RN-1081 (CM-22268)
On Mellanox switches, BFD rules configured in `00control_plane.rules` have no effect

Configuring BFD policies in the 00control_plane.rules file on Mellanox switches has no effect.

This is a known issue that is currently being investigated.


RN-1082 (CM-22257)
You can add ports as bridge ports multiple times with NCLU

When you add ports as bridge ports multiple times with the NCLU command, the commits succeed without error.

To work around this issue, remove the extra interfaces with the net del bridge bridge ports <interface> command.

This is a known issue that is currently being investigated.
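Because the commit succeeds silently, the rendered /etc/network/interfaces file is the place to catch the duplicate. The following checker is an added example (not Cumulus or NCLU code) that parses bridge-ports lines and reports ports listed more than once; the interfaces stanza it reads is constructed sample input, and glob ranges such as swp1-4 are left unexpanded.

```python
"""Detect duplicate bridge ports in an ifupdown2 /etc/network/interfaces file."""
import re
from collections import Counter

# Constructed sample: swp1 appears twice in bridge-ports, as RN-1082 allows.
SAMPLE_INTERFACES = """\
auto bridge
iface bridge
    bridge-ports swp1 swp2 swp3 swp1
    bridge-vids 10 20
    bridge-vlan-aware yes

auto swp1
iface swp1
"""


def parse_bridge_ports(text):
    """Return {iface_name: [ports...]} for every stanza carrying bridge-ports.

    Duplicates are kept in order so the caller can see what was committed.
    """
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"iface\s+(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"bridge-ports\s+(.*)", line)
        if m and current is not None:
            # Glob ranges (e.g. "glob swp1-4") are not expanded here.
            result.setdefault(current, []).extend(m.group(1).split())
    return result


def find_duplicate_ports(text):
    """Return {iface_name: {port: count}} for ports listed more than once."""
    dups = {}
    for bridge, ports in parse_bridge_ports(text).items():
        counts = {p: c for p, c in Counter(ports).items() if c > 1}
        if counts:
            dups[bridge] = counts
    return dups


def dedupe_ports(ports):
    """Order-preserving unique list, i.e. the bridge-ports line as it should read."""
    seen = set()
    return [p for p in ports if not (p in seen or seen.add(p))]


if __name__ == "__main__":
    for bridge, counts in find_duplicate_ports(SAMPLE_INTERFACES).items():
        print(f"{bridge}: duplicate bridge-ports {counts}")
        print("  suggested:", " ".join(dedupe_ports(parse_bridge_ports(SAMPLE_INTERFACES)[bridge])))
```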


RN-1083 (CM-21898)
On a Trident3 switch, IGMP traffic does not match the IGMP rule in the 00control file, but matches on the unknown multicast rule in catchall instead

On a Trident3 switch, IGMP packets are not getting policed by the police rule in the 00control ACL file. The packets are policed by the catchall policer in 99control ACL file instead.

-A $INGRESS_CHAIN -p ipv4 -d 01:00:5e:00:00:00/ff:ff:ff:80:00:00 -j police --set-mode pkt --set-rate 100 --set-burst 100

To work around this issue, let the CPU-bound IGMP packets hit the following rule and change the policer rate to the desired value for IGMP packets:

-A $INGRESS_CHAIN -p ipv4 -d 01:00:5e:00:00:00/ff:ff:ff:80:00:00 -j police --set-mode pkt --set-rate 100 --set-burst 100

Typically, the destination MAC address 01:00:5e:xx:xx:xx is used only for PIM/IGMP control and data stream packets. However, this workaround cannot handle data stream multicast packets that are not TCP/UDP.

This is a known issue that is currently being investigated.


RN-1084 (CM-22252)
No PSU sensors/smon support for Edgecore OMP-800

On the Edgecore OMP-800, there is no Power Supply information from the sensor or from smonctl.

The platform driver has support for the PSUs but this was not added to the sensors infrastructure.

This is a known issue that is currently being investigated.


RN-1085 (CM-22237)
NCLU SNMP configuration does not start the SNMP server

When you configure SNMP with NCLU commands, the SNMP server does not restart and you see a warning:

WARNING: snmpd is not running.  Run "journalctl -u snmpd" for error messages.

To work around this issue, start SNMP manually.

This is a known issue that is currently being investigated.


RN-1086 (CM-21927)
In QinQ mode on a Mellanox switch, when a switch port is moved from a bond to a non-bond state, individual VLANs are not programmed on ports after running `ifreload`

When running ifreload after updating an interface configuration, sometimes VLANs are not programmed into the hardware data plane. The Linux control plane looks normal but the VLAN has not been programmed into the hardware and packets that arrive for it are dropped.

To work around this issue, remove and re-add the affected VLANs on the port.

This is a known issue that is currently being investigated.


RN-1087 (CM-22206)
Mellanox ERSPAN not working with VXLAN

ERSPAN does not work when using VXLAN on Mellanox switches.

This is a known issue that is currently being investigated.


RN-1089 (CM-22205)
If FRR is restarted while a user is in vtysh, the running configuration shows empty

If a user is in vtysh when FRR is restarted, the running configuration in that vtysh session shows empty.

This is a known issue that is currently being investigated.


RN-1090 (CM-21909)
Invalid temperature warning on QuantaMesh BMS T4048-IX8 switch

This issue occurs when Cumulus Linux is trying to access the temperature sensors on the ASIC but it does not get a reply back.

This is a known issue that is currently being investigated.


RN-1091 (CM-22466)
Resilient hashing on Broadcom Trident3 switch not fully supported

Full support for resilient hashing on Broadcom Trident3 switches is not yet available.

This is a known issue that is currently being investigated.


RN-1092 (CM-22443)
IEEE 802.1X Support for management VRF

Add the DAS listener service to the /etc/vrf/systemd.conf file so it can be started in the management VRF as needed.

This issue is currently being investigated.


RN-1094 (CM-22396)
On VXLAN and traditional bridges, frames are tagged with an internal VLAN on untagged interfaces

Frames are tagged with an internal VLAN on untagged interfaces on both a VXLAN and traditional bridge.

This is a known issue that is currently being investigated.


RN-1095 (CM-21813)
The NCLU `net add` and `net commit` commands edit the interfaces file even when the interface configuration is not changed

The NCLU net add and net commit commands change the interfaces file even if you only add a service such as SNMP or a hostname. This causes an issue with automation. For example, Ansible runs handlers (ifreload -a for interfaces) during each push if the file being edited changes.

This is a known issue that is currently being investigated.


RN-1096 (CM-22032)
On a Trident3 switch, cl-ecmpcalc returns a traceback error

On the Trident3 switch, cl-ecmpcalc returns invalid entries (two entries for MAC address 00:00:00:00:00:00) that cause script failures.

This is a known issue that is currently being investigated.


RN-1097 (CM-22228)
Virtual counters not working on Trident II+ switches

Counters associated with VLANs and VRFs are not working on Trident II+ switches.

This is a known issue that is currently being investigated.


RN-1098 (CM-22069)
On Tomahawk switches, the hardware MAC entry is not updated on native VLAN changes

On a Tomahawk switch with VXLAN-enabled VLANs, if the native VLAN on a port is changed, the GPORT associated with a MAC address in that VLAN is incorrect.

This is a known issue that is currently being investigated.


RN-1099 (CM-22229)
In EVPN, IPv6 remote prefixes are sometimes not installed and ping between switches in the tenant VRF context fails

Pings between VTEPs in a tenant VRF context do not succeed consistently. This applies to both IPv4 and IPv6 pings.

To verify connectivity and forwarding in a tenant VRF, Cumulus Networks recommends that you ping between tenant hosts or between a tenant host and a switch.

This is a known issue that is currently being investigated.


RN-1100 (CM-22187)
In FRRouting, the BGP aggregate-address statement is ignored when the network statement uses the same IP address

If you start FRRouting and your configuration has a BGP IPv4 network statement that is the same as an aggregate-address statement, then the aggregate is not announced.

For example, if you have the following FRR configuration:

network 172.16.250.0/24
aggregate-address 172.16.250.0/24

Then that network is not advertised unless the exact 172.16.250.0/24 prefix is in the RIB. The issue does not occur if the network statement does not exactly match the aggregate-address statement (supernets and subnets included).

To work around this issue, remove the matching network statement.

This issue is fixed in the upstream version of FRR.
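To find this collision before reloading FRR, the following added example (not FRR or Cumulus code) scans the address-family lines of a running-config for an aggregate-address whose prefix also appears verbatim as a network statement; overlapping supernet or subnet pairs are listed separately, since the page says they are unaffected. The configuration it reads is constructed sample input.

```python
"""Flag BGP network statements that exactly match an aggregate-address."""
import ipaddress
import re

# Constructed sample FRR configuration: one exact collision, one harmless overlap.
SAMPLE_FRR_CONF = """\
router bgp 65001
 address-family ipv4 unicast
  network 172.16.250.0/24
  network 172.16.251.0/24
  network 10.0.0.0/8
  aggregate-address 172.16.250.0/24
  aggregate-address 10.0.0.0/16 summary-only
 exit-address-family
"""

STMT_RE = re.compile(r"\s*(network|aggregate-address)\s+(\S+)")


def collect_prefixes(conf):
    """Return (networks, aggregates) as lists of ip_network objects."""
    networks, aggregates = [], []
    for line in conf.splitlines():
        m = STMT_RE.match(line)
        if not m:
            continue
        # strict=False tolerates host bits set in the configured prefix.
        pfx = ipaddress.ip_network(m.group(2), strict=False)
        (networks if m.group(1) == "network" else aggregates).append(pfx)
    return networks, aggregates


def exact_conflicts(conf):
    """Aggregates that an identical network statement will keep from being announced."""
    networks, aggregates = collect_prefixes(conf)
    return sorted({str(a) for a in aggregates if a in networks})


def related_but_ok(conf):
    """(aggregate, network) pairs that overlap without being identical.

    These are reported for visibility only; the page states they are unaffected.
    """
    networks, aggregates = collect_prefixes(conf)
    pairs = []
    for a in aggregates:
        for n in networks:
            if a.version != n.version or a == n:
                continue
            if a.supernet_of(n) or n.supernet_of(a):
                pairs.append((str(a), str(n)))
    return pairs


if __name__ == "__main__":
    for pfx in exact_conflicts(SAMPLE_FRR_CONF):
        print(f"aggregate-address {pfx} is shadowed by an identical network statement")
    for agg, net in related_but_ok(SAMPLE_FRR_CONF):
        print(f"aggregate-address {agg} overlaps network {net} (not affected)")
```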


RN-1101 (CM-22216)
On Mellanox switches, RASH with VXLAN is not moving flows when losing the ECMP path

When RASH is enabled and an ECMP path is taken away using the ip link set <swp> down command, traffic using that ECMP path is never moved to another path and is dropped permanently.

This is a known issue that is currently being investigated.


RN-1102 (CM-22121)
On a Mellanox switch configured for ECMP resilient hashing, "No more resources" errors are seen

This is due to a limitation between Cumulus Linux and the Mellanox hardware. Currently, on a Mellanox switch, Cumulus Linux supports only 4 ECMP containers with 1000 hash entries per container.

This is a known issue that is currently being investigated.


RN-1103 (CM-22417)
MPLS packets are not being forwarded over the MPLS fabric

MPLS packets are not forwarded over the MPLS fabric on a Mellanox switch.

This is a known issue that is currently being investigated.


RN-1104 (CM-22472)
MLAG anycast IP address not applied on the secondary switch after making changes

When clagd is running and you add or modify the MLAG VXLAN anycast IP address on the loopback using NCLU or by editing the configuration file, the changes are not applied. You need to restart clagd manually for the changes to be applied.


RN-1116 (CM-22509)
FRR reload does not apply changes to BGP aggregate addresses

If you change the BGP aggregate addresses using NCLU or by reloading the FRR service, the configuration is accepted, but the routes do not appear in the BGP table.

To work around this issue, manually change the BGP aggregate addresses in vtysh.

This is a known issue that is currently being investigated.


RN-1125 (CM-22540)
Cumulus Linux might be unable to read certain sensors on the Dell S5248F Trident3 switch

Due to changes made to the BMC firmware, Cumulus Linux might be unable to read certain sensors correctly on the Dell S5248F Trident3 switch; for example, the CPU temperature might appear as absent.

This issue should be fixed in the next release of Cumulus Linux.


RN-1197 (CM-23278)
Non-vagrant Cumulus VX images include an unneeded vagrant user

Cumulus VX images for versions 3.7.0 through 3.7.2 include a vagrant user, as the vagrant box format requires it in order to function. This user isn't needed and should be removed from the following Cumulus VX images:

  • cumulus-linux-3.7.0-vx-amd64-qemu.qcow2
  • cumulus-linux-3.7.0-vx-amd64-vbox.ova
  • cumulus-linux-3.7.0-vx-amd64-vmware.ova
  • cumulus-linux-3.7.1-vx-amd64-qemu.qcow2
  • cumulus-linux-3.7.1-vx-amd64-vbox.ova
  • cumulus-linux-3.7.1-vx-amd64-vmware.ova
  • cumulus-linux-3.7.2-vx-amd64-qemu.qcow2
  • cumulus-linux-3.7.2-vx-amd64-vbox.ova
  • cumulus-linux-3.7.2-vx-amd64-vmware.ova

To remove the vagrant user, run:

cumulus@switch:~$ sudo userdel [-r] vagrant

This issue will be fixed in Cumulus VX 3.7.3.
