Cumulus Linux 5.0 Release Notes
Download all 5.0 release notes as .xls5.0.1 Release Notes
Open Issues in 5.0.1
| Issue ID | Description | Affects | Fixed |
|---|---|---|---|
| 4413450 | When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.11.1, 5.13.0-5.13.1 | 5.11.2 |
| 4004453 | The NVUE commands to delete SNMP users, and change authentication passwords and encryption passphrases are not successful. | 4.3.0-5.9.1 | 5.9.2-5.13.1, 5.10.0-5.13.1 |
| 3927016 | Following an EVPN extended mobility event, where a host with IP address A and MAC address A moves within the fabric and now resides at IP address A and MAC address B, you might see traffic destined to this host experience drops as the flow is software forwarded on the egress VTEP. | 5.0.1-5.9.1 | 5.9.2-5.13.1, 5.10.0-5.13.1 |
| 3895042 | After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command#snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a | 4.4.0-5.9.1 | 5.9.2-5.13.1, 5.10.0-5.13.1 |
| 3773177 | When you try to upgrade a switch from Cumulus Linux 5.5 or earlier to 5.8.0 or later with package upgrade, you see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb | 4.0.0-4.4.5, 5.0.0-5.13.1 | |
| 3684998 | DHCP lease information is not collected in the cl-support file. | 4.3.0-5.6.0 | 5.7.0-5.13.1 |
| 3585467 | NVUE and ip link show traditional bridge VLAN subinterface counts incorrectly. The ingress (Rx) count increments correctly but the egress (Tx) count does not increment. This issues occurs because the hardware does not support transmit counters for a VLAN subinterface; therefore, no statistics from the hardware are updated. Statistics for software forwarded packets show correctly. | 5.0.0-5.6.0 | 5.7.0-5.13.1 |
| 3560622 | When you configure a route distinguisher (RD) or a route target (RT) manually for layer 2 VNIs, type-1 routes are not properly updated, type-1 EVI routes with the old RD are not properly withdrawn, and type-1 ES routes do not have the corresponding layer 2 VNI route target updated. | 5.0.0-5.5.1 | 5.6.0-5.13.1 |
| 3554231 | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009 Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that “agent forwarding should be enabled with caution”), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P ‘'). For Cumulus Linux 5.7.0, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.3.1, 5.0.0-5.6.0 | 4.3.2-4.4.5, 5.7.0-5.13.1 |
| 3491259 | When BGP receives an EVPN type-5 route with a gateway IP overlay attribute, the gateway IP overlay attribute in the attr memory (which is already inserted in the attribute hash) might change. As a result, the modified attr memory might match with another attr in the attribute hash, which produces duplicate entries in the hash table. As a result, BGP might crash when deleting one of the duplicate attr structures. | 5.0.0-5.5.1 | 4.3.2-4.4.5, 5.6.0-5.13.1 |
| 3488136 | When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf command. | 4.2.1-5.5.1 | 5.6.0-5.13.1 |
| 3482006 | If FRR learns a layer 2 entry against a VNI and you reconfigure the VNI later as a layer 3 VNI, the original layer 2 entry does not clear and remains in the forwarding database. | 5.0.0-5.5.1 | 4.3.2-4.4.5, 5.6.0-5.13.1 |
| 3474391 | The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.13.1 |
| 3445841 | FRR does not apply Type-0 ESI configuration for EVPN multihoming bonds consistently after an FRR service reload. This issue occurs because the system MAC address value (es-sys-mac) is only compatible with a 3-byte Ethernet segment ID (es-id) for Type-3 ESIs, but still renders even when the Ethernet segment ID is 10 bytes for Type-0 ESIs. To work around this issue, configure EVPN multihoming bonds with a Type-3 ESI (es-sys-mac plus a 3-byte es-id). | 5.0.0-5.6.0 | 5.7.0-5.13.1 |
| 3432897 | When you remove the restriction from a TACACS+ mapped user to remove per command authorization, the tacplus-restrict -R command does not restore ownership of restored files correctly. As a result, some commands might fail due to permission errors in the files or directories under the home directory. To work around this issue, run the sudo chown command to correct the ownership of the affected files and directories. | 5.0.0-5.4.0 | 5.5.0-5.13.1 |
| 3429530 | On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.13.1 |
| 3424967 | sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don’t run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo … to execute the sudo command. | 5.0.0-5.13.1 | |
| 3420056 | The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.13.1 | |
| 3413785 | To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo … to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.5.1 | 5.6.0-5.13.1 |
| 3351951 | Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-4.3.1, 4.4.0-4.4.5, 5.0.0-5.13.1 | 4.3.2 |
| 3350789 | NVUE deprecated the port split command options (2x10G, 2x25G, 2x40G, 2x50G, 2x100G, 2x200G, 4x10G, 4x25G, 4x50G, 4x100G, 8x50G) with no backwards compatibility. | 5.0.0-5.4.0 | 5.5.0-5.13.1 |
| 3330705 | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.13.1 |
| 3329096 | The traffic control rules that the EVPN multihoming configuration adds to an interface are deleted when the hsflowd service restarts. The hsflowd service deletes the EVPN multihoming traffic control filters after you stop hsflowd, then adds back the match-all filters with the psample action; however, hsflowd does not add back the EVPN multihoming traffic control rules. | 5.0.0-5.3.1 | 5.4.0-5.13.1 |
| 3327477 | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.13.1 | |
| 3301988 | Some EVPN multihoming show commands might cause BGP to crash if you use the json flag and attempt to reference the default VRF by name. For example, show bgp l2vpn evpn es-vrf json. | 5.0.0-5.3.1 | 5.4.0-5.13.1 |
| 3270988 | After restarting switchd on the NVIDIA SN2100 switch, the FAN speeds are at one hundred percent. To work around this issue, restart the hw-management service. | 4.4.5-5.2.0 | 5.2.1-5.13.1 |
| 3262012 | When an FRR routing service (such as bgpd) becomes unresponsive, watchfrr might fail to stop and restart service. To work around this issue, restart FRR with the systemctl restart frr command. | 4.4.0-5.3.1 | 5.4.0-5.13.1 |
| 3235368 | When you try to configure VRF route leaking between many VRFs using multiple NCLU commands before running the net commit command, the commit fails. To work around this issue, configure VRF leaking one command at a time and run net commit after each command. | 4.4.4-5.2.1 | 5.3.0-5.13.1 |
| 3234085 | When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash. | 5.0.1-5.3.1 | 4.3.2-4.4.5, 5.4.0-5.13.1 |
| 3227677 | When daylight saving time changes the time, the MLAG initDelay timer resets and all MLAG bonds go down. | 4.4.4-5.2.1 | 5.3.0-5.13.1 |
| 3218207 | Certain routes on tenant VRFs have missing next hop entries because the router MAC address is missing in the bridge forwarding database table that corresponds to the remote VTEP. As a result, traffic forwarding is affected for these routes. | 4.3.0-5.2.1 | 5.3.0-5.13.1 |
| 3217675 | When you run the NVUE nv set bridge domain br_default multicast snooping enable off command to disable multicast snooping, the bridge still shows that multicast snooping is enabled. | 5.0.1-5.2.1 | 5.3.0-5.13.1 |
| 3217674 | Multicast PTP over UDP traffic does not forward to data ports when the PTP service is disabled. To work around this issue, change the ptp.timestamping setting to FALSE in the /etc/cumulus/switchd.conf file, then restart switchd. | 5.0.1-5.2.1 | 5.3.0-5.13.1 |
| 3211359 | The net show interface command output shows Type=Unknown for the specified interface. | 4.4.3-5.0.1 | 5.1.0-5.13.1 |
| 3211054 | On the NVIDIA Spectrum-2 switch, when receiving multicast traffic on a PIM enabled VLAN, the multicast traffic is forwarded correctly to the associated VLAN, however WJH shows traffic loss with the error:
| 4.4.2-5.2.1 | 5.3.0-5.13.1 |
| 3202991 | Locally generated multicast traffic including IGMPv2 GSQs do not transmit to local clients when using PIM. | 5.0.1-5.2.1 | 5.3.0-5.13.1 |
| 3200373 | After rebooting the switch, the IPv6 link local address for an SVI that belongs to non-default VRF is missing, and doesn’t show on the switch. To resolve this issue, run the ifreload -a command. | 5.0.0-5.2.1 | 5.3.0-5.13.1 |
| 3195345 | Communication between single-connected MLAG hosts on different switches fails because packets received by single-connected MLAG hosts are not forwarded over the peer link. To work around this issue, when adding a switch to an MLAG pair, enable all the interfaces. | 5.0.0-5.0.1 | 5.1.0-5.13.1 |
| 3192808 | When a switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-4.3.1, 4.4.0-4.4.5, 5.0.1-5.13.1 | 4.3.2 |
| 3157240 | When you try to query REDECN counters with the mlxcmd utility on a bond member port with the following commands, syslog reports an errorsudo /usr/lib/cumulus/mlxcmd roce counters –port | 4.4.4-5.1.0 | 5.2.0-5.13.1 |
| 3150317 | During a host failure, where a link remains up but LACP stops being sent, the EVPN multihoming ES bond goes into bypass mode active without a link state change. | 4.4.2-5.2.1 | 5.3.0-5.13.1 |
| 3142615 | The BGP4-MIB.txt file is missing from Net-SNMP agent. | 5.0.0-5.4.0 | 5.5.0-5.13.1 |
| 3141826 | A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1) 1.3.6.1.2.1.47 –> Entity MIB 1.3.6.1.2.1.99 –> Entity Sensor MIB 1.3.6.1.2.1.23 –> rip2 1.3.6.1.2.1.2 –> interface/interfaces 1.3.6.1.2.1.31 –> ifMIB 1.3.6.1.2.1.4 –> IP 1.3.6.1.2.1.25 –> hostResource | 5.0.1-5.8.0 | 5.9.0-5.13.1 |
| 3141818 | If there is extensive and continuous next-hop group (NHG) churn when routes keep moving from one NHG to another NHG repeatedly, switchd increases in memory allocation until memory is exhausted. Other processes might be affected as they try to acquire memory which is unavailable. | 5.0.1-5.1.0 | 5.2.0-5.13.1 |
| 3139364 | When Cumulus Linux updates the ECMP container with a new next hop list, it allocates the flow counters for the new next hop list without deallocating the counters bound to the old next hop list. This results in resource exhaustion and you see the following error messages in the /var/log/switchd.log file:hal_mlx_stat.c:3215 ERR Failed to allocate counter(s) for ecmp [71025:0] status: Internal Errorhal_mlx_stat.c:3196 ERR Counter set for ecmp [71025:0] idx 0 failed: Internal Errorhal_mlx_sdk_nexthop_wrap.c:1076 ERR Counter 0 alloc for ecmp next hop failed: Internal Errorhal_mlx_sdk_counter_wrap.c:54 ERR Counter alloc failed: No More ResourcesThis issue does not have any functional impact to forwarding. Even without the flow counters attached to the ECMP group, packet forwarding works without any issues To avoid allocating next hop counters for any new ECMP next hop list update, set mlx.stats.ecmp.enable to FALSE in the /etc/mlx/datapath/stats.conf file, then restart switchd with the sudo systemctl reload switchd command. | 5.0.0-5.2.1 | 5.3.0-5.13.1 |
| 3138746 | The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0-5.1.0 | 5.2.0-5.13.1 |
| 3138057 | When the next hop interface for EVPN type 5 routes flaps, FRR might uninstall the routes and Route install failed appears in /var/log/frr/frr.log. To work around this problem, restart FRR with the sudo systemctl restart frr command. | 4.4.0-5.2.1 | 5.3.0-5.13.1 |
| 3136983 | When a layer 3 neighbor entry resolves to a bridge FDB entry that does not exist in the kernel, switchd might contribute to high CPU load while it continues to try to sync and resolve the neighbor entry. This results in many sync_l3_nexthop messages printed to /var/log/switchd.log. | 5.0.1-5.1.0 | 5.2.0-5.13.1 |
| 3136905 | When you upgrade from Cumulus Linux 5.0.1 to Cumulus Linux 5.1.0, the upgrade adds KexAlgorithms and MACs configuration to the /etc/ssh/sshd_config file without prompting for confirmation. This might cause the /etc/ssh/sshd_config file to be incorrect if there is a Match section; KexAlgorithms and MACs must come before Match. To work around this issue, move the lines that start with KexAlgorithms and MACs before Match or remove them, then restart the SSH service with the sudo systemctl restart ssh command. If you have already specified KexAlgorithms or MACs, you can remove the newly added lines after upgrade. | 5.0.1-5.1.0 | 5.2.0-5.13.1 |
| 3131423 | During EVPN multihoming bond failover, ARP and ND redirection fails if you configure layer 2 VNIs and ES bonds before you configure the loopback IP address of the switch. To work around this issue, configure the loopback IP address, then restart FRR with the systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.13.1 |
| 3123965 | Under heavy system load, when many forwarding resources (routes, neighbors, ECMP groups, and so on) are removed from hardware, subsequent attempts to configure additional forwarding resources might fail and you see the following log message:sx_sdk: EMAD_RX_THREAD: EMAD transaction FW error | 4.4.0-5.1.0 | 5.2.0-5.13.1 |
| 3120423 | When you configure an interface in FRR to send IPv6 RAs before you configure the interface in the /etc/network/interfaces file, the switch does not process IPv6 RAs. To work around this issue, remove the interface configuration in FRR and reapply it. | 3.7.15-4.3.0, 4.4.0-5.1.0 | 4.3.1, 5.2.0-5.13.1 |
| 3119673 | If the switch receives an EVPN route with multiple RTs that match the import policy for a local VNI, the bgpd service crashes. | 5.0.0-5.1.0 | 5.2.0-5.13.1 |
| 3117340 | When you edit the /usr/share/openvswitch/scripts/ovs-ctl-vtep file to change the ovs-vtepd configuration between vlan-aware and vlan-unaware mode, ovs-vtepd crashes when you restart the service. To recover, restart the networking service with the sudo systemctl restart networking command. | 4.3.0-5.1.0 | 5.2.0-5.13.1 |
| 3115415 | In the Cumulus-BGPVRF-MIB, the bgpPeerFsmEstablishedTime OID does not correctly report the time since a BGP session goes down. | 4.4.4-5.1.0 | 5.2.0-5.13.1 |
| 3112971 | When you configure a VRF static route using the legacy command syntax in FRR (for example: ip route 10.0.0.0/8 172.16.1.1 vrf vrf-red), then make subsequent VRF or route configuration changes, FRR might crash. To avoid this problem, use the current method for configuring VRF routes within the VRF stanza:vrf vrf-red | 4.4.3-5.1.0 | 5.2.0-5.13.1 |
| 3112938 | In the Cumulus-BGPVRF-MIB, the bgpPeerFsmEstablishedTransitions OID always reports a value of 0. | 4.4.4-5.1.0 | 5.2.0-5.13.1 |
| 3102128 | When you configure a new VNI, the VLAN 1 VNI mapping is removed from the VXLAN device. To work around this issue, set the VNI interface mapped to VLAN 1 down and up again. | 5.0.0-5.1.0 | 5.2.0-5.13.1 |
| 3084476 | After you disable traffic shaping in the /etc/cumulus/datapath/qos/qos_features.conf file, the default QOS traffic shaping configuration does not restore. To work around this issue, restart switchd. | 4.4.3, 5.0.0-5.13.1 | 4.4.4-4.4.5 |
| 3084027 | Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware. | 4.3.0-4.4.5, 5.0.0-5.13.1 | |
| 3077736 | When you run the NVUE command to change the minimum interval between received BFD control packets or the minimum interval for sending BFD control packets, the configuration apply fails.
| 5.0.1-5.1.0 | 5.2.0-5.13.1 |
| 3077547 | When you configure multiple multicast RPs with groups matched by prefix lists, Cumulus Linux selects only one of the RPs and this selection is incorrect. | 5.0.1-5.1.0 | 5.2.0-5.13.1 |
| 3077513 | When a MAC address is moved to a new VTEP in an EVPN MAC mobility scenario using traditional bridges, there might be up to 30 seconds of convergence delay. | 5.0.1-5.1.0 | 5.2.0-5.13.1 |
| 3074390 | You can not apply NVUE configurations when TACACS is enabled for user authentication. To work around this issue, add the nvue account to the exclude_users line in /etc/tacplus_nss.conf:exclude_users=root,daemon,nobody,cron,radius_user,radius_priv_user,sshd,cumulus,quagga,frr,nvue,snmp,www-data,ntp,man,_lldpd,* | 5.0.1-5.3.1 | 5.4.0-5.13.1 |
| 3072674 | In an MLAG configuration, if you put a single connected interface into an admin down state, any dynamic MAC addresses on the peer link are flushed, then added back, which causes momentary traffic disruption. | 3.7.15-5.1.0 | 5.2.0-5.13.1 |
| 3066664 | In an EVPN-MH configuration, the switch fails to redirect tagged frames with the CoS bits set. | 4.4.0-4.4.3, 5.0.0-5.1.0 | 4.4.4-4.4.5, 5.2.0-5.13.1 |
| 3061445 | When you run the NVUE command to change the minimum interval between received BFD control packets or the minimum interval for sending BFD control packets, the configuration apply failscumulus@switch:~$ nv set vrf default router bgp neighbor 10.10.10.2 bfd min-rx-interval 400cumulus@switch:~$ nv config apply2022-05-04T21:36:10.800975+00:00 switch frrinit.sh16431: Stopped watchfrr | 5.0.1-5.1.0 | 5.2.0-5.13.1 |
| 3059566 | When you add an interface to a layer 3 bond, traffic does not forward and you see errors similar to the following:2022-05-02T13:14:40.118597+00:00 cumulus sx_sdk: ROUTER: Failed to delete router interface(27) ref count isn’t 0, err= Resource is in use | 4.4.2-4.4.3, 5.0.1-5.1.0 | 4.4.4-4.4.5, 5.2.0-5.13.1 |
| 3059380 | When you configure VRF leaking from the default VRF to a non-default VRF, SSH sessions originating from the switch CLI in the default VRF do not connect to devices in the non-default VRF. | 5.0.1-5.1.0 | 5.2.0-5.13.1 |
| 3059135 | In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route To resolve this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.13.1 |
| 3055255 | When you run the NVUE nv show interface command, a watchdog timeout might occur and the nvued service fails. | 5.0.1 | 5.1.0-5.13.1 |
| 3054869 | When you run NVUE commands as part of ZTP scripts, the commands fail with errors that indicate a missing $HOME environment variable. The issue has been fixed where the ZTP module initializes the $HOME environment variable before launching the ZTP scripts. However, if you are running older releases, before you use any NVUE commands in the ZTP script, add a section and define the HOME environment variable. Populate the variable with the default expected root user home directory value (/root), then export the HOME variable so it is available globally for NVUE to useHOME=/rootexport HOME | 5.0.0-5.1.0 | 5.2.0-5.13.1 |
| 3046023 | The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. | 4.2.1-5.1.0 | 5.2.0-5.13.1 |
| 3044596 | In the non-default VRF, BFD goes down after port flap. | 5.0.1-5.1.0 | 5.2.0-5.13.1 |
| 3041425 | When you add or remove PortAutoEdge on a bond with the NVUE nv set interface command, the command fails with the following error and then attempts to enable or disable PortAutoEdge on any interface also failcumulus@switch:~$ nv set interface swp1 bridge domain br_default stp auto-edge offcumulus@switch:~$ nv config applyUnable to reload-or-restart services (switchd,ifreload-nvue.service):[sudo] password for nvue: Job for ifreload-nvue.service failed because the control process exited with error code | 5.0.1-5.1.0 | 5.2.0-5.13.1 |
| 3041307 | If you update the MAC address of an SVI using ifreload and hwaddress, the kernel maintains a stale permanent FDB entry for the old MAC address. | 3.7.15, 4.3.0, 4.4.0-4.4.3, 5.0.0-5.13.1 | 3.7.16, 4.3.1, 4.4.4-4.4.5 |
| 3040080 | On Spectrum-2 switches, when a packet has a CRC and the ports are in cut-though mode, the switch might stop forwarding traffic. | 4.4.2-4.4.3, 5.0.0-5.13.1 | 4.4.4-4.4.5 |
| 3037824 | The NVUE nv show interface command shows an empty table instead of showing the port link state. | 5.0.0-5.3.1 | 5.4.0-5.13.1 |
| 3035855 | When you configure ACLs on the switch, you might see a switchd segmentation fault. | 5.0.1 | 5.1.0-5.13.1 |
| 3034435 | In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community. | 4.4.4-5.4.0 | 5.5.0-5.13.1 |
| 3032234 | In BGP unnumbered, when you try to remove an interface from the underlay default VRF with the NVUE nv unset vrf default router bgp neighbor command, the command fails to apply. | 4.4.2-5.0.1 | 5.1.0-5.13.1 |
| 3030238 | When you change the time with NTP or manually, the clagd service stops. | 5.0.1 | 4.3.1-4.4.5, 5.1.0-5.13.1 |
| 3021897 | After you remove the port from the EVPN-MH bond, the port stays in the PRTDN state with the protodown flag ON. | 4.4.3, 5.0.0-5.13.1 | 4.4.4-4.4.5 |
| 3021838 | PBR rules that you apply to interfaces in the default VRF install in the kernel with the action lookup local. As a result, packets that match this rule only perform a route lookup in the local table (which contains special routes for local IP addresses and broadcast addresses) but not in the main table (which contains unicast routes). As a result, policy routing might be applied to traffic incorrectly. | 4.4.2-5.0.1 | 5.1.0-5.13.1 |
| 3021696 | On the NVIDIA SN4600C switch, when you run the /usr/share/snmp/resq_pp.py script used by SNMP, you see the following log message in syslog regardless of the forwarding table profile set in the /etc/cumulus/datapath/traffic.conf fileresq_pp: EXCEPTION=invalid literal for int() with base 10: ‘v4-lpm-heavy’ | 4.4.0-4.4.3, 5.0.0-5.13.1 | 4.4.4-4.4.5 |
| 3020254 | When ARP suppression is off, GARPs from neighmgrd for remote neighbors are sent over VXLAN. | 3.7.15-4.3.0, 4.4.0-4.4.3, 5.0.0-5.1.0 | 4.3.1, 4.4.4-4.4.5, 5.2.0-5.13.1 |
| 3017127 | After you convert a port from a layer 2 bond member to a layer 3 port, the switch drops transmitted untagged packets as egress VLAN membership discards. | 4.4.2-4.4.3, 5.0.0-5.0.1 | 4.4.4-4.4.5, 5.1.0-5.13.1 |
| 3016882 | In certain cases, when you power cycle the switch, the NVUE configuration might become corrupted, which prevents NVUE from running. You see a critical error in the log file similar to:CRITICAL: cue_versions_v1.repo: The NVUE internal data store is corrupted or has been initialized incorrectly. The is an unrecoverable errorTo work around this issue, remove the /var/lib/nvue/config and /var/lib/nvue/meta directories, then restart the nvued service with the sudo systemctl start nvued command. If possible, NVUE recovers user configuration and saves it in the /etc/nvue.d directory. The recovered configuration will be saved as YAML files, which are named as nvue-recovery-. You can reapply the recovered configuration with the nv config patch nvue-recovery- followed by nv config apply commands. | 5.0.1-5.1.0 | 5.2.0-5.13.1 |
| 3014664 | On the NVIDIA SN3420, the smonctl command output shows the maximum PSU temperature higher than the critical temperature. | 4.4.2-4.4.3, 5.0.0-5.1.0 | 4.4.4-4.4.5, 5.2.0-5.13.1 |
| 3008388 | When you set vlan-bridge-binding on for a VLAN interface, the VLAN interface status does not change to down even when all bridge member ports are down. | 4.4.3-5.0.1 | 5.1.0-5.13.1 |
| 3008057 | After you configure a new VLAN on a bond, traffic might stop forwarding on the bond interface. This issue occurs only when you specify bridge-vids on the bond. This issue does not occur when you configure VLANs only on the bridge interface and let the bond get the bridge-vids applied from the bridge. | 5.0.0-5.0.1 | 4.4.4-4.4.5, 5.1.0-5.13.1 |
| 3007564 | After you delete the last vxlan-remoteip configuration line from the /etc/network/interfaces file and run the ifreload -a command, the corresponding BUM flood entry is not removed. This is issue is impacting all Cumulus Linux releases. The following attribute: vxlan-purge-remotes yes is intended to fix the issue (this attribute has been available since CL2). It was decided to change ifupdown2’s default behavior to automatically purge BUM entries added by ifup/ifreload. | 3.7.15-5.1.0 | 5.2.0-5.13.1 |
| 3007020 | The sudo smonctl command output shows an error for the ASIC temperature sensor (temp6). | 5.0.0-5.0.1 | 5.1.0-5.13.1 |
| 3003167 | Updating an existing tunnel configuration with NVUE or directly in the /etc/network/interfaces file causes traffic loss. The original tunnel is destroyed and then recreated (with a new ifindex)The new behavior will make sure to apply the configuration delta without disrupting any traffic as much as possible. Note that a tunnel mode change can’t be applied without causing traffic loss. | 5.0.0-5.0.1 | 5.1.0-5.13.1 |
| 2999243 | sFlow fails to send flow samples. | 5.0.0-5.0.1 | 5.1.0-5.13.1 |
| 2994402 | When you run ifquery as non-root, EVPN multihoming bond configuration failsTo work around this issue, always use sudo when running ifupdown2 commands ( ifup, ifreload, ifdown, and ifquery). | 4.4.2-5.0.1 | 5.1.0-5.13.1 |
| 2980891 | Slow memory leak caused by snmpd process using Zabbix template “Template Net Mellanox SNMP” | 4.2.1-4.3.0, 4.4.0-5.0.1 | 4.3.1, 5.1.0-5.13.1 |
| 2978165 | When you use NVUE to configure an ACL rule with a set cos action, the nv config apply command fails with the following error message:{nofromat}$ cumulus@switch:~$ nv config applyFailed to prepare to applyUnrecoverable internal error{nofromat} | 5.0.1 | 5.1.0-5.13.1 |
| 2972540 | With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.13.1 | |
| 2964279 | When a VNI flaps, an incorrect list of layer 2 VNIs are associated with a layer 3 VNI. The NCLU net show evpn vni detail command output shows duplicate layer 2 VNIs under a layer 3 VNI. | 3.7.15, 4.4.2-4.4.5, 5.0.0-5.13.1 | 3.7.16 |
| 2957968 | After you install the RADIUS libnss-mapuser package, the nvued service fails to start. | 5.0.0-5.0.1 | 5.1.0-5.13.1 |
| 2952117 | If switchd requires more time to update port or bond configuration after the port or bond flaps, the systemd watchdog times out. As result, systemd might assume that switchd is unresponsive and restarts it. | 4.2.1-4.4.2, 5.0.0-5.0.1 | 4.4.3-4.4.5, 5.1.0-5.13.1 |
| 2951110 | The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.13.1 | |
| 2949123 | The NVUE command nv show service ntp mgmt server does not show any configured servers. | 5.0.0-5.2.1 | 5.3.0-5.13.1 |
| 2943443 | Cumulus Linux lets you add more than one VXLAN interface to same VLAN on the same bridge. This is an invalid configuration as certain Cumulus Linux components, such as switchd, expect a single VNI for a given bridge or VLAN. | 3.7.15, 4.2.1-4.3.0, 4.4.2-4.4.5, 5.0.0-5.13.1 | 3.7.16, 4.3.1 |
| 2943080 | The overlay ASN is removed after a route flap. | 4.4.0-5.0.1 | 5.1.0-5.13.1 |
| 2940005 | If you reboot the switch when using WJH, you need to start the what-just-happened service even if the service is enabled. | 5.0.1 | 5.1.0-5.13.1 |
| 2939231 | If you use NVUE to configure selective route leaking to exclude certain prefixes, the route map fails to apply when you run the nv config apply command. | 5.0.0-5.0.1 | 5.1.0-5.13.1 |
| 2933466 | You cannot run NVUE commands to configure route leaking. To work around this issue, create a snippet in yaml format and add the configuration to the /etc/frr/frr.conf file. | 4.4.0-5.0.1 | 5.1.0-5.13.1 |
| 2932083 | CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document filesare processed Vulnerable: <= 9.27~dfsg-2+deb10u4Fixed: 9.27~dfsg-2+deb10u5 | 5.0.0-5.13.1 | 4.4.3-4.4.5 |
| 2914835 | NVUE flexible snippets create invalid YAML files. | 5.0.0-5.0.1 | 5.1.0-5.13.1 |
| 2913859 | ECMP error messages, similar to the following, show in log files:Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:361 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:621 ERR ECMP: failed to CREATE static ecmp in hwDec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:656 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1540 ERR ECMP: failed to allocate hw ecmp status No More ResourcesDec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1561 ERR ECMP: error allocating static ecmpDec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:2207 ERR ECMP: failed to find ecmp container | 4.4.0-5.0.1 | 5.1.0-5.13.1 |
| 2910017 | SNMP reports the same ifType of ethernetCsmacd(6) for loopback interfaces. | 3.7.15-4.4.2, 5.0.0-5.0.1 | 4.4.3-4.4.5, 5.1.0-5.13.1 |
| 2904450 | When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.13.1 | |
| 2903374 | The nv show interfaces command returns a 500 error and syslog shows a python error, triggered by third party devices (non CL) missing LLDP fieldsTo work around this issue, disable LLDP on a single interface. | 5.0.0-5.0.1 | 5.1.0-5.13.1 |
| 2898044 | NVUE commands including the nv config apply command might fail with the following error because the /etc/resolv.conf file is missingFailed to prepare to applyUnrecoverable internal error | 5.0.0-5.0.1 | 5.1.0-5.13.1 |
| 2891255 | CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file. Vulnerable: <= 2.6.20-0+deb10u1 Fixed: 2.6.20-0+deb10u2 | 4.0.0-4.4.1, 5.0.0-5.13.1 | 4.4.2-4.4.5 |
| 2890681 | CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code Vulnerable: 2.6.0+dfsg.1-1Fixed: 2.6.0+dfsg.1-1+deb10u1 | 4.0.0-4.4.1, 5.0.0-5.13.1 | 4.4.2-4.4.5 |
| 2886488 | NVUE commands fail to configure port mirroring. | 5.0.0-5.0.1 | 5.1.0-5.13.1 |
| 2886476 | If you enable or disable the advertise primary IP address setting when originating EVPN default type-5 routes, the default route or prefix originated from one of the MLAG peers sends a null layer 3 VNI, which prevents the remote VTEP from installing the default route. | 5.0.0-5.1.0 | 5.2.0-5.13.1 |
| 2885305 | Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.13.1 | |
| 2885287 | When you change the port breakout configuration, you must restart switchd to clean up any previously-associated port states and reinitialize the ports. Reloading switchd does not work. | 5.0.0-5.0.1 | 5.1.0-5.13.1 |
| 2875338 | In a scaled EVPN-MLAG configuration (observed with 400 or more VNIs and 20K or more MAC addresses – the actual scale might vary), when the peer link flaps causing all VNIs to come up at the same time, there might be high CPU utilization on the system for several minutes and the FRR service might restart. After FRR restarts or the CPU utilization settles down, the system functions normally. | 4.2.1-4.3.0, 4.4.0-4.4.5, 5.0.0-5.13.1 | 3.7.16, 4.3.1 |
| 2867248 | The validate-ports -d command does not return the correct speeds for ports. Use the speeds specified in the /etc/cumulus/ports.conf file. | 5.0.0-5.1.0 | 5.2.0-5.13.1 |
| 2867042 | When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.13.1 | |
| 2861989 | Incomplete or unnecessary configuration in FRR results in FRR restarting instead of rejecting the configuration with an error. | 5.0.0-5.0.1 | 5.1.0-5.13.1 |
| 2860323 | If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry. | 4.4.0-5.0.1 | 5.1.0-5.13.1 |
| 2859015 | In a static VXLAN configuration with a traditional or single VXLAN device, enabling bridge learning on the VNI leads to an incorrect warning and the setting is removed in the next commit. The warning is similar to the following:warning: vni10: possible mis-configuration detected: l2-vni configured with bridge-learning ON while EVPN is also configured - these two parameters conflict with each other | 5.0.0-5.0.1 | 5.1.0-5.13.1 |
| 2855908 | Traffic failover in a multicast topology with redundancy has the mroute stuck in a prune state and PIM join messages continue to send To work around this issue, run the vtysh clear ip mroute command. | 3.7.15-4.3.0, 4.4.0-5.0.1 | 4.3.1, 5.1.0-5.13.1 |
| 2831968 | The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0, 4.4.0-5.1.0 | 4.3.1, 5.2.0-5.13.1 |
| 2823307 | Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.13.1 | |
| 2821929 | FRR restarts even when the NVUE configuration overwrite mode is set. | 5.0.0-5.3.1 | 5.4.0-5.13.1 |
| 2812075 | When you configure PIM, you can either configure RP mappings for different multicast groups or use a prefix list to specify the RP to group mapping. You cannot use the two methods together. | 5.0.0-5.1.0 | 5.2.0-5.13.1 |
| 2743186 | When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.13.1 |
| 2736108 | When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.13.1 | |
| 2734103 | ACL [No More Resources] messages keep appearing and you can’t reinstall the ACL. | 4.3.0-5.1.0 | 5.2.0-5.13.1 |
| 2713888 | With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctlyhal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More ResourcesTo work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.13.1 |
| 2685994 | When you use the NVUE command nv set interface lo router ospf area to configure OSPF on a loopback interface, the configuration fails to applyTo work around this issue, configure the loopback interface in the desired OSPF area with the nv set vrf default router ospf area 0 network command and reference the assigned prefix of the loopback interface. For example:cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32 | 4.0.0-5.0.1 | 5.1.0-5.13.1 |
| 2684925 | The NVUE nv show vrf default router bgp peer command produces a 404 not found error. | 4.4.0-4.4.5, 5.0.0-5.13.1 | |
| 2543915 | When you enable a service in the management VRF, systemctl issues a warning similar to the following:Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run ‘systemctl daemon-reload’ to reload unitYou can safely ignore this warning. | 4.0.0-5.9.2 | 5.10.0-5.13.1 |
Fixed Issues in 5.0.1
| Issue ID | Description | Affects |
|---|---|---|
| 2908541 | Running apt dist-upgrade causes switchd to stop and never start again. Do not use apt dist-upgrade; use apt upgrade instead. Cumulus Linux does not support apt dist-upgradeTo work around this issue, if you run apt dist-upgrade and switchd no longer works, run the apt install sx-sdk-eth-dev command (and run the command for any other removed package) or reinstall the Cumulus Linux image. | 5.0.0 |
5.0.0 Release Notes
Open Issues in 5.0.0
| Issue ID | Description | Affects | Fixed |
|---|---|---|---|
| 4413450 | When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.11.1, 5.13.0-5.13.1 | 5.11.2 |
| 4004453 | The NVUE commands to delete SNMP users, and change authentication passwords and encryption passphrases are not successful. | 4.3.0-5.9.1 | 5.9.2-5.13.1, 5.10.0-5.13.1 |
| 3895042 | After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command#snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a | 4.4.0-5.9.1 | 5.9.2-5.13.1, 5.10.0-5.13.1 |
| 3773177 | When you try to upgrade a switch from Cumulus Linux 5.5 or earlier to 5.8.0 or later with package upgrade, you see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb | 4.0.0-4.4.5, 5.0.0-5.13.1 | |
| 3684998 | DHCP lease information is not collected in the cl-support file. | 4.3.0-5.6.0 | 5.7.0-5.13.1 |
| 3585467 | NVUE and ip link show traditional bridge VLAN subinterface counts incorrectly. The ingress (Rx) count increments correctly but the egress (Tx) count does not increment. This issues occurs because the hardware does not support transmit counters for a VLAN subinterface; therefore, no statistics from the hardware are updated. Statistics for software forwarded packets show correctly. | 5.0.0-5.6.0 | 5.7.0-5.13.1 |
| 3560622 | When you configure a route distinguisher (RD) or a route target (RT) manually for layer 2 VNIs, type-1 routes are not properly updated, type-1 EVI routes with the old RD are not properly withdrawn, and type-1 ES routes do not have the corresponding layer 2 VNI route target updated. | 5.0.0-5.5.1 | 5.6.0-5.13.1 |
| 3554231 | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009 Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that “agent forwarding should be enabled with caution”), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P ‘'). For Cumulus Linux 5.7.0, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.3.1, 5.0.0-5.6.0 | 4.3.2-4.4.5, 5.7.0-5.13.1 |
| 3491259 | When BGP receives an EVPN type-5 route with a gateway IP overlay attribute, the gateway IP overlay attribute in the attr memory (which is already inserted in the attribute hash) might change. As a result, the modified attr memory might match with another attr in the attribute hash, which produces duplicate entries in the hash table. As a result, BGP might crash when deleting one of the duplicate attr structures. | 5.0.0-5.5.1 | 4.3.2-4.4.5, 5.6.0-5.13.1 |
| 3488136 | When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf command. | 4.2.1-5.5.1 | 5.6.0-5.13.1 |
| 3482006 | If FRR learns a layer 2 entry against a VNI and you reconfigure the VNI later as a layer 3 VNI, the original layer 2 entry does not clear and remains in the forwarding database. | 5.0.0-5.5.1 | 4.3.2-4.4.5, 5.6.0-5.13.1 |
| 3474391 | The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.13.1 |
| 3445841 | FRR does not apply Type-0 ESI configuration for EVPN multihoming bonds consistently after an FRR service reload. This issue occurs because the system MAC address value (es-sys-mac) is only compatible with a 3-byte Ethernet segment ID (es-id) for Type-3 ESIs, but still renders even when the Ethernet segment ID is 10 bytes for Type-0 ESIs. To work around this issue, configure EVPN multihoming bonds with a Type-3 ESI (es-sys-mac plus a 3-byte es-id). | 5.0.0-5.6.0 | 5.7.0-5.13.1 |
| 3432897 | When you remove the restriction from a TACACS+ mapped user to remove per command authorization, the tacplus-restrict -R command does not restore ownership of restored files correctly. As a result, some commands might fail due to permission errors in the files or directories under the home directory. To work around this issue, run the sudo chown command to correct the ownership of the affected files and directories. | 5.0.0-5.4.0 | 5.5.0-5.13.1 |
| 3429530 | On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.13.1 |
| 3424967 | sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don’t run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo … to execute the sudo command. | 5.0.0-5.13.1 | |
| 3420056 | The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.13.1 | |
| 3413785 | To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo … to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.5.1 | 5.6.0-5.13.1 |
| 3351951 | Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-4.3.1, 4.4.0-4.4.5, 5.0.0-5.13.1 | 4.3.2 |
| 3350789 | NVUE deprecated the port split command options (2x10G, 2x25G, 2x40G, 2x50G, 2x100G, 2x200G, 4x10G, 4x25G, 4x50G, 4x100G, 8x50G) with no backwards compatibility. | 5.0.0-5.4.0 | 5.5.0-5.13.1 |
| 3330705 | When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.13.1 |
| 3329096 | The traffic control rules that the EVPN multihoming configuration adds to an interface are deleted when the hsflowd service restarts. The hsflowd service deletes the EVPN multihoming traffic control filters after you stop hsflowd, then adds back the match-all filters with the psample action; however, hsflowd does not add back the EVPN multihoming traffic control rules. | 5.0.0-5.3.1 | 5.4.0-5.13.1 |
| 3327477 | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.13.1 | |
| 3301988 | Some EVPN multihoming show commands might cause BGP to crash if you use the json flag and attempt to reference the default VRF by name. For example, show bgp l2vpn evpn es-vrf json. | 5.0.0-5.3.1 | 5.4.0-5.13.1 |
| 3270988 | After restarting switchd on the NVIDIA SN2100 switch, the FAN speeds are at one hundred percent. To work around this issue, restart the hw-management service. | 4.4.5-5.2.0 | 5.2.1-5.13.1 |
| 3262012 | When an FRR routing service (such as bgpd) becomes unresponsive, watchfrr might fail to stop and restart service. To work around this issue, restart FRR with the systemctl restart frr command. | 4.4.0-5.3.1 | 5.4.0-5.13.1 |
| 3235368 | When you try to configure VRF route leaking between many VRFs using multiple NCLU commands before running the net commit command, the commit fails. To work around this issue, configure VRF leaking one command at a time and run net commit after each command. | 4.4.4-5.2.1 | 5.3.0-5.13.1 |
| 3227677 | When daylight saving time changes the time, the MLAG initDelay timer resets and all MLAG bonds go down. | 4.4.4-5.2.1 | 5.3.0-5.13.1 |
| 3218207 | Certain routes on tenant VRFs have missing next hop entries because the router MAC address is missing in the bridge forwarding database table that corresponds to the remote VTEP. As a result, traffic forwarding is affected for these routes. | 4.3.0-5.2.1 | 5.3.0-5.13.1 |
| 3211359 | The net show interface command output shows Type=Unknown for the specified interface. | 4.4.3-5.0.1 | 5.1.0-5.13.1 |
| 3211054 | On the NVIDIA Spectrum-2 switch, when receiving multicast traffic on a PIM enabled VLAN, the multicast traffic is forwarded correctly to the associated VLAN, however WJH shows traffic loss with the error:
| 4.4.2-5.2.1 | 5.3.0-5.13.1 |
| 3200373 | After rebooting the switch, the IPv6 link local address for an SVI that belongs to non-default VRF is missing, and doesn’t show on the switch. To resolve this issue, run the ifreload -a command. | 5.0.0-5.2.1 | 5.3.0-5.13.1 |
| 3195345 | Communication between single-connected MLAG hosts on different switches fails because packets received by single-connected MLAG hosts are not forwarded over the peer link. To work around this issue, when adding a switch to an MLAG pair, enable all the interfaces. | 5.0.0-5.0.1 | 5.1.0-5.13.1 |
| 3157240 | When you try to query REDECN counters with the mlxcmd utility on a bond member port with the following commands, syslog reports an errorsudo /usr/lib/cumulus/mlxcmd roce counters –port | 4.4.4-5.1.0 | 5.2.0-5.13.1 |
| 3150317 | During a host failure, where a link remains up but LACP stops being sent, the EVPN multihoming ES bond goes into bypass mode active without a link state change. | 4.4.2-5.2.1 | 5.3.0-5.13.1 |
| 3142615 | The BGP4-MIB.txt file is missing from Net-SNMP agent. | 5.0.0-5.4.0 | 5.5.0-5.13.1 |
| 3139364 | When Cumulus Linux updates the ECMP container with a new next hop list, it allocates the flow counters for the new next hop list without deallocating the counters bound to the old next hop list. This results in resource exhaustion and you see the following error messages in the /var/log/switchd.log file:hal_mlx_stat.c:3215 ERR Failed to allocate counter(s) for ecmp [71025:0] status: Internal Errorhal_mlx_stat.c:3196 ERR Counter set for ecmp [71025:0] idx 0 failed: Internal Errorhal_mlx_sdk_nexthop_wrap.c:1076 ERR Counter 0 alloc for ecmp next hop failed: Internal Errorhal_mlx_sdk_counter_wrap.c:54 ERR Counter alloc failed: No More ResourcesThis issue does not have any functional impact to forwarding. Even without the flow counters attached to the ECMP group, packet forwarding works without any issues To avoid allocating next hop counters for any new ECMP next hop list update, set mlx.stats.ecmp.enable to FALSE in the /etc/mlx/datapath/stats.conf file, then restart switchd with the sudo systemctl reload switchd command. | 5.0.0-5.2.1 | 5.3.0-5.13.1 |
| 3138746 | The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0-5.1.0 | 5.2.0-5.13.1 |
| 3138057 | When the next hop interface for EVPN type 5 routes flaps, FRR might uninstall the routes and Route install failed appears in /var/log/frr/frr.log. To work around this problem, restart FRR with the sudo systemctl restart frr command. | 4.4.0-5.2.1 | 5.3.0-5.13.1 |
| 3131423 | During EVPN multihoming bond failover, ARP and ND redirection fails if you configure layer 2 VNIs and ES bonds before you configure the loopback IP address of the switch. To work around this issue, configure the loopback IP address, then restart FRR with the systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.13.1 |
| 3123965 | Under heavy system load, when many forwarding resources (routes, neighbors, ECMP groups, and so on) are removed from hardware, subsequent attempts to configure additional forwarding resources might fail and you see the following log message:sx_sdk: EMAD_RX_THREAD: EMAD transaction FW error | 4.4.0-5.1.0 | 5.2.0-5.13.1 |
| 3120423 | When you configure an interface in FRR to send IPv6 RAs before you configure the interface in the /etc/network/interfaces file, the switch does not process IPv6 RAs. To work around this issue, remove the interface configuration in FRR and reapply it. | 3.7.15-4.3.0, 4.4.0-5.1.0 | 4.3.1, 5.2.0-5.13.1 |
| 3119673 | If the switch receives an EVPN route with multiple RTs that match the import policy for a local VNI, the bgpd service crashes. | 5.0.0-5.1.0 | 5.2.0-5.13.1 |
| 3117340 | When you edit the /usr/share/openvswitch/scripts/ovs-ctl-vtep file to change the ovs-vtepd configuration between vlan-aware and vlan-unaware mode, ovs-vtepd crashes when you restart the service. To recover, restart the networking service with the sudo systemctl restart networking command. | 4.3.0-5.1.0 | 5.2.0-5.13.1 |
| 3115415 | In the Cumulus-BGPVRF-MIB, the bgpPeerFsmEstablishedTime OID does not correctly report the time since a BGP session goes down. | 4.4.4-5.1.0 | 5.2.0-5.13.1 |
| 3112971 | When you configure a VRF static route using the legacy command syntax in FRR (for example: ip route 10.0.0.0/8 172.16.1.1 vrf vrf-red), then make subsequent VRF or route configuration changes, FRR might crash. To avoid this problem, use the current method for configuring VRF routes within the VRF stanza:vrf vrf-red | 4.4.3-5.1.0 | 5.2.0-5.13.1 |
| 3112938 | In the Cumulus-BGPVRF-MIB, the bgpPeerFsmEstablishedTransitions OID always reports a value of 0. | 4.4.4-5.1.0 | 5.2.0-5.13.1 |
| 3102128 | When you configure a new VNI, the VLAN 1 VNI mapping is removed from the VXLAN device. To work around this issue, set the VNI interface mapped to VLAN 1 down and up again. | 5.0.0-5.1.0 | 5.2.0-5.13.1 |
| 3084476 | After you disable traffic shaping in the /etc/cumulus/datapath/qos/qos_features.conf file, the default QOS traffic shaping configuration does not restore. To work around this issue, restart switchd. | 4.4.3, 5.0.0-5.13.1 | 4.4.4-4.4.5 |
| 3084027 | Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware. | 4.3.0-4.4.5, 5.0.0-5.13.1 | |
| 3072674 | In an MLAG configuration, if you put a single connected interface into an admin down state, any dynamic MAC addresses on the peer link are flushed, then added back, which causes momentary traffic disruption. | 3.7.15-5.1.0 | 5.2.0-5.13.1 |
| 3066664 | In an EVPN-MH configuration, the switch fails to redirect tagged frames with the CoS bits set. | 4.4.0-4.4.3, 5.0.0-5.1.0 | 4.4.4-4.4.5, 5.2.0-5.13.1 |
| 3059135 | In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route To resolve this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.13.1 |
| 3054869 | When you run NVUE commands as part of ZTP scripts, the commands fail with errors that indicate a missing $HOME environment variable. The issue has been fixed where the ZTP module initializes the $HOME environment variable before launching the ZTP scripts. However, if you are running older releases, before you use any NVUE commands in the ZTP script, add a section and define the HOME environment variable. Populate the variable with the default expected root user home directory value (/root), then export the HOME variable so it is available globally for NVUE to useHOME=/rootexport HOME | 5.0.0-5.1.0 | 5.2.0-5.13.1 |
| 3046023 | The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. | 4.2.1-5.1.0 | 5.2.0-5.13.1 |
| 3041307 | If you update the MAC address of an SVI using ifreload and hwaddress, the kernel maintains a stale permanent FDB entry for the old MAC address. | 3.7.15, 4.3.0, 4.4.0-4.4.3, 5.0.0-5.13.1 | 3.7.16, 4.3.1, 4.4.4-4.4.5 |
| 3040080 | On Spectrum-2 switches, when a packet has a CRC and the ports are in cut-though mode, the switch might stop forwarding traffic. | 4.4.2-4.4.3, 5.0.0-5.13.1 | 4.4.4-4.4.5 |
| 3037824 | The NVUE nv show interface command shows an empty table instead of showing the port link state. | 5.0.0-5.3.1 | 5.4.0-5.13.1 |
| 3034435 | In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community. | 4.4.4-5.4.0 | 5.5.0-5.13.1 |
| 3032234 | In BGP unnumbered, when you try to remove an interface from the underlay default VRF with the NVUE nv unset vrf default router bgp neighbor command, the command fails to apply. | 4.4.2-5.0.1 | 5.1.0-5.13.1 |
| 3021897 | After you remove the port from the EVPN-MH bond, the port stays in the PRTDN state with the protodown flag ON. | 4.4.3, 5.0.0-5.13.1 | 4.4.4-4.4.5 |
| 3021838 | PBR rules that you apply to interfaces in the default VRF install in the kernel with the action lookup local. As a result, packets that match this rule only perform a route lookup in the local table (which contains special routes for local IP addresses and broadcast addresses) but not in the main table (which contains unicast routes). As a result, policy routing might be applied to traffic incorrectly. | 4.4.2-5.0.1 | 5.1.0-5.13.1 |
| 3021696 | On the NVIDIA SN4600C switch, when you run the /usr/share/snmp/resq_pp.py script used by SNMP, you see the following log message in syslog regardless of the forwarding table profile set in the /etc/cumulus/datapath/traffic.conf fileresq_pp: EXCEPTION=invalid literal for int() with base 10: ‘v4-lpm-heavy’ | 4.4.0-4.4.3, 5.0.0-5.13.1 | 4.4.4-4.4.5 |
| 3020254 | When ARP suppression is off, GARPs from neighmgrd for remote neighbors are sent over VXLAN. | 3.7.15-4.3.0, 4.4.0-4.4.3, 5.0.0-5.1.0 | 4.3.1, 4.4.4-4.4.5, 5.2.0-5.13.1 |
| 3017127 | After you convert a port from a layer 2 bond member to a layer 3 port, the switch drops transmitted untagged packets as egress VLAN membership discards. | 4.4.2-4.4.3, 5.0.0-5.0.1 | 4.4.4-4.4.5, 5.1.0-5.13.1 |
| 3014664 | On the NVIDIA SN3420, the smonctl command output shows the maximum PSU temperature higher than the critical temperature. | 4.4.2-4.4.3, 5.0.0-5.1.0 | 4.4.4-4.4.5, 5.2.0-5.13.1 |
| 3008388 | When you set vlan-bridge-binding on for a VLAN interface, the VLAN interface status does not change to down even when all bridge member ports are down. | 4.4.3-5.0.1 | 5.1.0-5.13.1 |
| 3008057 | After you configure a new VLAN on a bond, traffic might stop forwarding on the bond interface. This issue occurs only when you specify bridge-vids on the bond. This issue does not occur when you configure VLANs only on the bridge interface and let the bond get the bridge-vids applied from the bridge. | 5.0.0-5.0.1 | 4.4.4-4.4.5, 5.1.0-5.13.1 |
| 3007564 | After you delete the last vxlan-remoteip configuration line from the /etc/network/interfaces file and run the ifreload -a command, the corresponding BUM flood entry is not removed. This is issue is impacting all Cumulus Linux releases. The following attribute: vxlan-purge-remotes yes is intended to fix the issue (this attribute has been available since CL2). It was decided to change ifupdown2’s default behavior to automatically purge BUM entries added by ifup/ifreload. | 3.7.15-5.1.0 | 5.2.0-5.13.1 |
| 3007020 | The sudo smonctl command output shows an error for the ASIC temperature sensor (temp6). | 5.0.0-5.0.1 | 5.1.0-5.13.1 |
| 3003167 | Updating an existing tunnel configuration with NVUE or directly in the /etc/network/interfaces file causes traffic loss. The original tunnel is destroyed and then recreated (with a new ifindex)The new behavior will make sure to apply the configuration delta without disrupting any traffic as much as possible. Note that a tunnel mode change can’t be applied without causing traffic loss. | 5.0.0-5.0.1 | 5.1.0-5.13.1 |
| 2999243 | sFlow fails to send flow samples. | 5.0.0-5.0.1 | 5.1.0-5.13.1 |
| 2994402 | When you run ifquery as non-root, EVPN multihoming bond configuration failsTo work around this issue, always use sudo when running ifupdown2 commands ( ifup, ifreload, ifdown, and ifquery). | 4.4.2-5.0.1 | 5.1.0-5.13.1 |
| 2980891 | Slow memory leak caused by snmpd process using Zabbix template “Template Net Mellanox SNMP” | 4.2.1-4.3.0, 4.4.0-5.0.1 | 4.3.1, 5.1.0-5.13.1 |
| 2972540 | With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.13.1 | |
| 2964279 | When a VNI flaps, an incorrect list of layer 2 VNIs are associated with a layer 3 VNI. The NCLU net show evpn vni detail command output shows duplicate layer 2 VNIs under a layer 3 VNI. | 3.7.15, 4.4.2-4.4.5, 5.0.0-5.13.1 | 3.7.16 |
| 2957968 | After you install the RADIUS libnss-mapuser package, the nvued service fails to start. | 5.0.0-5.0.1 | 5.1.0-5.13.1 |
| 2952117 | If switchd requires more time to update port or bond configuration after the port or bond flaps, the systemd watchdog times out. As result, systemd might assume that switchd is unresponsive and restarts it. | 4.2.1-4.4.2, 5.0.0-5.0.1 | 4.4.3-4.4.5, 5.1.0-5.13.1 |
| 2951110 | The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.13.1 | |
| 2949123 | The NVUE command nv show service ntp mgmt server does not show any configured servers. | 5.0.0-5.2.1 | 5.3.0-5.13.1 |
| 2943443 | Cumulus Linux lets you add more than one VXLAN interface to same VLAN on the same bridge. This is an invalid configuration as certain Cumulus Linux components, such as switchd, expect a single VNI for a given bridge or VLAN. | 3.7.15, 4.2.1-4.3.0, 4.4.2-4.4.5, 5.0.0-5.13.1 | 3.7.16, 4.3.1 |
| 2943080 | The overlay ASN is removed after a route flap. | 4.4.0-5.0.1 | 5.1.0-5.13.1 |
| 2939231 | If you use NVUE to configure selective route leaking to exclude certain prefixes, the route map fails to apply when you run the nv config apply command. | 5.0.0-5.0.1 | 5.1.0-5.13.1 |
| 2933466 | You cannot run NVUE commands to configure route leaking. To work around this issue, create a snippet in yaml format and add the configuration to the /etc/frr/frr.conf file. | 4.4.0-5.0.1 | 5.1.0-5.13.1 |
| 2932083 | CVE-2021-45944 CVE-2021-45949: Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document filesare processed Vulnerable: <= 9.27~dfsg-2+deb10u4Fixed: 9.27~dfsg-2+deb10u5 | 5.0.0-5.13.1 | 4.4.3-4.4.5 |
| 2914835 | NVUE flexible snippets create invalid YAML files. | 5.0.0-5.0.1 | 5.1.0-5.13.1 |
| 2913859 | ECMP error messages, similar to the following, show in log files:Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:361 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:621 ERR ECMP: failed to CREATE static ecmp in hwDec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:656 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1540 ERR ECMP: failed to allocate hw ecmp status No More ResourcesDec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1561 ERR ECMP: error allocating static ecmpDec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:2207 ERR ECMP: failed to find ecmp container | 4.4.0-5.0.1 | 5.1.0-5.13.1 |
| 2910017 | SNMP reports the same ifType of ethernetCsmacd(6) for loopback interfaces. | 3.7.15-4.4.2, 5.0.0-5.0.1 | 4.4.3-4.4.5, 5.1.0-5.13.1 |
| 2908541 | Running apt dist-upgrade causes switchd to stop and never start again. Do not use apt dist-upgrade; use apt upgrade instead. Cumulus Linux does not support apt dist-upgradeTo work around this issue, if you run apt dist-upgrade and switchd no longer works, run the apt install sx-sdk-eth-dev command (and run the command for any other removed package) or reinstall the Cumulus Linux image. | 5.0.0 | 5.0.1-5.13.1 |
| 2904450 | When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.13.1 | |
| 2903374 | The nv show interfaces command returns a 500 error and syslog shows a python error, triggered by third party devices (non CL) missing LLDP fieldsTo work around this issue, disable LLDP on a single interface. | 5.0.0-5.0.1 | 5.1.0-5.13.1 |
| 2898044 | NVUE commands including the nv config apply command might fail with the following error because the /etc/resolv.conf file is missingFailed to prepare to applyUnrecoverable internal error | 5.0.0-5.0.1 | 5.1.0-5.13.1 |
| 2891255 | CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file. Vulnerable: <= 2.6.20-0+deb10u1 Fixed: 2.6.20-0+deb10u2 | 4.0.0-4.4.1, 5.0.0-5.13.1 | 4.4.2-4.4.5 |
| 2890681 | CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code Vulnerable: 2.6.0+dfsg.1-1Fixed: 2.6.0+dfsg.1-1+deb10u1 | 4.0.0-4.4.1, 5.0.0-5.13.1 | 4.4.2-4.4.5 |
| 2886488 | NVUE commands fail to configure port mirroring. | 5.0.0-5.0.1 | 5.1.0-5.13.1 |
| 2886476 | If you enable or disable the advertise primary IP address setting when originating EVPN default type-5 routes, the default route or prefix originated from one of the MLAG peers sends a null layer 3 VNI, which prevents the remote VTEP from installing the default route. | 5.0.0-5.1.0 | 5.2.0-5.13.1 |
| 2885305 | Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.13.1 | |
| 2885287 | When you change the port breakout configuration, you must restart switchd to clean up any previously-associated port states and reinitialize the ports. Reloading switchd does not work. | 5.0.0-5.0.1 | 5.1.0-5.13.1 |
| 2875338 | In a scaled EVPN-MLAG configuration (observed with 400 or more VNIs and 20K or more MAC addresses – the actual scale might vary), when the peer link flaps causing all VNIs to come up at the same time, there might be high CPU utilization on the system for several minutes and the FRR service might restart. After FRR restarts or the CPU utilization settles down, the system functions normally. | 4.2.1-4.3.0, 4.4.0-4.4.5, 5.0.0-5.13.1 | 3.7.16, 4.3.1 |
| 2867248 | The validate-ports -d command does not return the correct speeds for ports. Use the speeds specified in the /etc/cumulus/ports.conf file. | 5.0.0-5.1.0 | 5.2.0-5.13.1 |
| 2867042 | When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.13.1 | |
| 2861989 | Incomplete or unnecessary configuration in FRR results in FRR restarting instead of rejecting the configuration with an error. | 5.0.0-5.0.1 | 5.1.0-5.13.1 |
| 2860323 | If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry. | 4.4.0-5.0.1 | 5.1.0-5.13.1 |
| 2859015 | In a static VXLAN configuration with a traditional or single VXLAN device, enabling bridge learning on the VNI leads to an incorrect warning and the setting is removed in the next commit. The warning is similar to the following:warning: vni10: possible mis-configuration detected: l2-vni configured with bridge-learning ON while EVPN is also configured - these two parameters conflict with each other | 5.0.0-5.0.1 | 5.1.0-5.13.1 |
| 2855908 | Traffic failover in a multicast topology with redundancy has the mroute stuck in a prune state and PIM join messages continue to send To work around this issue, run the vtysh clear ip mroute command. | 3.7.15-4.3.0, 4.4.0-5.0.1 | 4.3.1, 5.1.0-5.13.1 |
| 2831968 | The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0, 4.4.0-5.1.0 | 4.3.1, 5.2.0-5.13.1 |
| 2823307 | Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.13.1 | |
| 2821929 | FRR restarts even when the NVUE configuration overwrite mode is set. | 5.0.0-5.3.1 | 5.4.0-5.13.1 |
| 2812075 | When you configure PIM, you can either configure RP mappings for different multicast groups or use a prefix list to specify the RP to group mapping. You cannot use the two methods together. | 5.0.0-5.1.0 | 5.2.0-5.13.1 |
| 2743186 | When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.13.1 |
| 2736108 | When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.13.1 | |
| 2734103 | ACL [No More Resources] messages keep appearing and you can’t reinstall the ACL. | 4.3.0-5.1.0 | 5.2.0-5.13.1 |
| 2713888 | With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctlyhal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More ResourcesTo work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.13.1 |
| 2685994 | When you use the NVUE command nv set interface lo router ospf area to configure OSPF on a loopback interface, the configuration fails to applyTo work around this issue, configure the loopback interface in the desired OSPF area with the nv set vrf default router ospf area 0 network command and reference the assigned prefix of the loopback interface. For example:cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32 | 4.0.0-5.0.1 | 5.1.0-5.13.1 |
| 2684925 | The NVUE nv show vrf default router bgp peer command produces a 404 not found error. | 4.4.0-4.4.5, 5.0.0-5.13.1 | |
| 2543915 | When you enable a service in the management VRF, systemctl issues a warning similar to the following:Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run ‘systemctl daemon-reload’ to reload unitYou can safely ignore this warning. | 4.0.0-5.9.2 | 5.10.0-5.13.1 |
Fixed Issues in 5.0.0
| Issue ID | Description | Affects |
|---|---|---|
| 3108491 | In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. | 4.2.1-4.4.5 |
| 2873186 | In an MLAG configuration with traditional bridges, MAC addresses are seen over peer link during ifreload when adding new VLANS or bridges. | 3.7.14.2-3.7.15, 4.3.0-4.4.5 |
| 2862211 | On NVIDIA Spectrum ASICs in a layer 2 bridge scaled configuration (more than 800 VLANs), clagd.service enters a failed state after a reboot or a switchd restart. | 3.7.12-3.7.15, 4.3.0, 4.4.2-4.4.5 |
| 2847618 | When you enable PIM on VLAN interfaces, multicast throughput might not achieve line rate depending on packet sizes in the multicast flow. | |
| 2845531 | If you update the MAC address of an SVI when the SVI is in a protodown state (for example, when no bridge ports that carry this VNI are operationally up or if the MAC address of the SVI’s parent bridge changes), clagd does not notice the change. The MLAG peer incorrectly maintains a PERMANENT neighbor entry for the SVI IP that points to the old MAC address. | 4.2.1-4.4.5 |
| 2841584 | After you upgrade Cumulus Linux on one of the MLAG peers, the bonds do not come up and the reason shows anycast-ip-mismatch even though there is no VXLAN configuration on the switch. To work around this issue, configure an anycast IP address under the loopback interface on both switches in the MLAG pair. | 4.4.2-4.4.5 |
| 2840817 | CVE-2021-25219: The lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays for responses for client queries and DNS timeouts on client hosts). | |
| 2839140 | After building VLAN or VXLAN interfaces, MLAG becomes unstable. | 4.3.0-4.4.1 |
| 2835817 | Multicast packets are not seen on a SPAN port. | |
| 2826121 | When you configure 199 VXLANs plus 199 VLANs, clagd crashes every few seconds. | 3.7.15, 4.3.0, 4.4.0-4.4.1 |
| 2821869 | The cl-route-check –layer3 command fails with a memory error. For example:cumulus@switch:~$ sudo cl-route-check –layer3Traceback (most recent call last): | 3.7.15 |
| 2820565 | SNMP does not start and you see errors similar to the following:cumulus@switch:~$ sudo systemctl status snmpd.service snmpd.service - Simple Network Management Protocol (SNMP) Daemon.To work around this issue, run the sudo systemctl restart snmpd.service command. | 4.3.0-4.4.5 |
| 2813563 | When you change the port speed with the NVUE nv set interface command, then run nv config apply, the port is disabled. To work around this issue, run the ifreload -a command after you apply the port speed setting. | 4.4.0-4.4.5 |
| 2803428 | The clagctl -v -j and net show clag verbose json commands show incorrect output. | 4.4.0-4.4.5 |
| 2803028 | Restarting switchd might fail due to an ACL SPAN module initialization failure. | 4.4.2-4.4.3 |
| 2802859 | When the INTF_CMD list in the /etc/default/isc-dhcp-relay file includes non-existent or partially configured interfaces from the /etc/netwwork/interfaces file, there is an open file descriptor leak in DHCP Relay; the DHCP Relay service exits and you see error messages. To work around this issue, either clean up the INTF_CMD list in the /etc/default/isc-dhcp-relay file to remove non-existent or partially configured interfaces from the /etc/network/interfaces file or correct the /etc/network/interfaces file to have a complete configuration for all interfaces defined in the INTF_CMD list in the /etc/default/isc-dhcp-relay file. | 4.4.0-4.4.5 |
| 2799575 | When next hop tracking fails for a global next hop, BGP invalidates the entire path instead of only invalidating the global next hop. | 4.4.0-4.4.5 |
| 2799568 | When you add or remove a global unicast address from an interface, BGP does not update the global next hop advertised to the unnumbered BGP peer. | 4.4.0-4.4.5 |
| 2798406 | If an MLAG failure of an EVPN Active-Active VTEP pair occurs after you disable EVPN Advertise Primary IP Address, remote VTEPs might not be able to install the anycast RMAC of the failed MLAG peers or the related bridge FDB entry To work around this issue, do not disable EVPN Advertise Primary IP Address, which is enabled by default when you use address-virtual for layer 3 VNI SVI interfaces. | 4.4.0-4.4.5 |
| 2794766 | The Mellanox 3700C switch reports a slow memory leak in sx_sdk. Memory increases by about 240B/hour and does not free up. | 4.3.0-4.4.5 |
| 2792616 | If a neighbor entry (ARP or NDP) is used as a next hop of a route that is synchronized into hardware, the neighbor entry is not removed from hardware after the neighbor is no longer reachable. As a result, routed traffic matching this prefix is incorrectly hardware forwarded through the stale neighbor information. | 4.3.0-4.4.5 |
| 2781537 | In Cumulus VX, the iptables FORWARD chain does not count hits. To work around this issue, use -t mangle -A PREROUTING instead of FORWARD. | 4.3.0-4.4.5 |
| 2780915 | In NVUE, you can’t deactivate the IPv4 address family per neighbor. | 4.4.0-4.4.5 |
| 2780834 | To enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 |
| 2780211 | When you use the NVUE nv set vrf default router bgp peer command to configure a local AS, Cumulus Linux does not update the etc/frr/frr.conf file. | 4.4.0-4.4.5 |
| 2755615 | When you set route_preferred_over_neigh to FALSE in the /etc/cumulus/switchd.conf file, host routes (/32 or /128) are used for forwarding in hardware instead of a local neighbor entry. | 4.0.0-4.3.0, 4.4.0-4.4.1 |
| 2753955 | On the Lenovo MSN3700 switch, if you try to configure an interface with a link speed of 200G, the configuration fails. | 4.2.1-4.4.5 |
| 2752330 | With BGP and layer 2 forwarding, Smart System Manager warm boot mode can cause packet loss. | 4.4.0-4.4.5 |
| 2747750 | Links connected between a Spectrum 2 switch configured for warm boot and Spectrum 3 switches configured for cold boot might not come up when the switches are booted. | 4.4.2-4.4.5 |
| 2739402 | The destination MAC address of ERSPAN GRE packets is set to all zeros. | 4.3.0-4.4.5 |
| 2736249 | If you configure BGP graceful restart in the /etc/frr/frr.conf file, then apply the configuration with systemctl reload frr, the configuration fails to apply and you see the following error:Job for frr.service failed | |
| 2736244 | When you run the vtysh command to enable BGP graceful restart on a peer multiple times, the command fails with the following error:% The Graceful Restart command used is not valid at this moment. | 4.4.0-4.4.5 |
| 2734275 | On NVIDIA Spectrum-1, -2, and -3 switches, the decode-syseeprom command does not return the correct valuecumulus@switch:~$ decode-syseeprom -t psu1Device is not ready: absent | |
| 2734119 | The ESI line of show bgp l2vpn evpn route command always shows VNI: 0. This is a cosmetic software issue. | 4.3.0-4.4.5 |
| 2732587 | The bridge MAC address is updated during a port change on bridge interfaces. | 4.3.0, 4.4.0-4.4.5 |
| 2728119 | When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-4.4.5 |
| 2698649 | When configuring a single VXLAN device in the /etc/network/interfaces file, if you edit the multicast group address in vxlan-mcastgrp-map, then revert the change, the change does not take effect. | 4.4.0-4.4.5 |
| 2687344 | On the NVIDIA SN3700 switch, the decode-syseeprom shows device absent for a PSU that is present. | 4.4.0-4.4.5 |
| 2599274 | On Mellanox Spectrum switches, when there is an MSTP forwarding state change on a bonds (for example, when the state changes from blocking to forwarding), the MSTP hardware table might set some VLANs to blocking when they should be forwarding. A a result, all packets on these VLANs drop at ingress To recover from this state, flap the bond interface (not the physical swp) by running ifdown <bond_name> ; sleep 1 ; ifup <bond_name>. | 4.3.0-4.4.5 |
| 2556811 | Under certain high scale conditions, various modules might experience timetouts during cl-support collection, which results in missing data in the cl-support file. | 3.7.12-3.7.15, 4.1.1-4.3.0 |
| 2556039 | In some corner cases, remote MAC entries may be seen as locally learnt entries in FDB table due to switchd reprogramming it | 3.7.12-3.7.14.2 |
| 2555981 | In BGP, to enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 |
| 2554783 | If you apply an outbound route map to a BGP peer that uses set as-path prepend last-as, advertised locally-originated routes have the ASN of the peer prepended to the AS path.This might trigger AS path loop prevention on the peer, where the peer ignores locally-originated prefixes. | 4.2.1-4.4.5 |