If you are using the current version of Cumulus Linux, the content on this page may not be up to date. The current version of the documentation is available here. If you are redirected to the main page of the user guide, then this page may have been renamed; please search for it there.

Cumulus Linux 5.3 Release Notes

Download 5.3 Release Notes xls    Download all 5.3 release notes as .xls

5.3.1 Release Notes

Open Issues in 5.3.1

Issue IDDescriptionAffectsFixed
4004453
The NVUE commands to delete SNMP users, and change authentication passwords and encryption passphrases are not successful.4.3.0-5.9.1, 5.10.0-5.10.15.9.2
3949367
If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user.5.3.1-5.9.15.9.2-5.10.1
3895042
After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a 

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a 
4.4.0-5.9.15.9.2-5.10.1
3859422
On rare occasions when certain events occur, such as changes to the topology in the network, when a bond comes online and directly transits to an STP blocking state, the slave ports might still be in a forwarding state. As a result, traffic is forwarded on a blocked port.5.2.0-5.9.15.9.2-5.10.1
3773177
When you try to upgrade a switch from Cumulus Linux 5.5 or earlier to 5.8.0 or later with package upgrade, you see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.
cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt install ./cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt update
cumulus@switch:~$ sudo apt upgrade
4.0.0-4.4.5, 5.0.0-5.10.1
3713419
When monitoring system statistics and network traffic with sFlow, an aggressive link flap might produce a memory leak in the sFlow service hsflowd.5.1.0-5.7.05.8.0-5.10.1
3696061
When the MAC address of a neighbor changes, the zebra IP routing manager might crash.5.2.1-5.6.05.7.0-5.10.1
3684998
DHCP lease information is not collected in the cl-support file.4.3.0-5.6.05.7.0-5.10.1
3663182
Changing non-default BGP timers with NCLU or vtysh commands sets the hold time and keep alive interval to 0 seconds. To work around this issue, restart the FRR service with the sudo systemctl restart frr.service command.5.3.1-5.6.05.7.0-5.10.1
3647426
If BGP remote-as is set to an integer and you try to configure the local-as for a BGP instance, you see the following error:
% AS specified for local as is the same as the remote as and this is not allowed
This configuration is not allowed; it is considered to be eBGP and local preference is not advertised.
5.0.0-5.5.14.3.2-4.4.5, 5.6.0-5.10.1
3613258
With VM migration from one VTEP to another, traffic loss might occur during a MAC move as locally learned MAC addresses are frequently refreshed between switchd and the kernel.5.2.1-5.6.05.7.0-5.10.1
3610967
In an EVPN symmetric routing configuration, running the NVUE nv set vrf vlan auto command to derive layer 3 VNIs automatically might result in duplicate VLAN entries in the system. This most often occurs at scale when many VRFs have similar names. To work around this issue, manually specify a unique VLAN for each VRF.5.3.0-5.8.05.9.0-5.10.1
3585467
NVUE and ip link show traditional bridge VLAN subinterface counts incorrectly. The ingress (Rx) count increments correctly but the egress (Tx) count does not increment. This issues occurs because the hardware does not support transmit counters for a VLAN subinterface; therefore, no statistics from the hardware are updated. Statistics for software forwarded packets show correctly.5.0.0-5.6.05.7.0-5.10.1
3580435
On the NVIDIA SN2410 switch with an Innodisk SSD, you might see the following message in syslog:
smartd[501]: Device: /dev/sda [SAT], CHECK POWER STATUS spins up disk (0x00 -> 0xff)
This is a cosmetic issue and does not affect how the switch operates. To prevent this message from occurring, run the hdparm -S 24 /dev/sda command to change the HD timeout.
5.3.1-5.6.05.7.0-5.10.1
3573800
After you apply a change to the router MAC address on an SVI with the ifreload -a command, the old router MAC address still remains in the FDB table. To work around this issue, remove the old router MAC address with the sudo bridge fdb del <old_mac> dev bridge vlan <vlan_id> command.5.3.1-5.6.05.7.0-5.10.1
3567708
In an EVPN multihoming environment with VRRP, when the master VRRP router fails, the standby router takes around 30 seconds to become active.5.3.1-5.6.05.7.0-5.10.1
3562767
ACLs do not process inbound DHCP packets and the packets do not contribute to ACL counters5.2.0-5.4.05.5.0-5.10.1
3560622
When you configure a route distinguisher (RD) or a route target (RT) manually for layer 2 VNIs, type-1 routes are not properly updated, type-1 EVI routes with the old RD are not properly withdrawn, and type-1 ES routes do not have the corresponding layer 2 VNI route target updated.5.0.0-5.5.15.6.0-5.10.1
3554231
CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that “agent forwarding should be enabled with caution”), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P ‘')
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected.
4.0.0-4.3.1, 5.0.0-5.10.14.3.2-4.4.5
3541912
Collecting a cl-support file in a high VNI and interface environment can result in an out-of-memory (OOM) event on the switch. An OOM event can cause critical services to restart and might impact traffic.5.1.0-5.5.15.6.0-5.10.1
3496931
When you update a prefix list associated with an RP, the pimd service might crash if the prefix list exists without any prefixes. To work around this issue, ensure that any prefix list associated with an RP includes at least one prefix at all times.5.3.1-5.5.15.6.0-5.10.1
3496889
When PTP is not enabled on the switch, NVUE nv show ptp commands freeze. This might cause other NVUE commands to fail and the NVUE service to restart.5.3.1-5.5.15.6.0-5.10.1
3495630
The NVUE nv show service ptp current command output shows an incorrect value. To work around this issue, run the nv show service ptp monitor timestamp-log command or the Linux pmc utility.5.3.1-5.5.15.6.0-5.10.1
3491259
When BGP receives an EVPN type-5 route with a gateway IP overlay attribute, the gateway IP overlay attribute in the attr memory (which is already inserted in the attribute hash) might change. As a result, the modified attr memory might match with another attr in the attribute hash, which produces duplicate entries in the hash table. As a result, BGP might crash when deleting one of the duplicate attr structures.5.0.0-5.5.15.6.0-5.10.1
3488136
When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command.4.2.1-5.5.15.6.0-5.10.1
3484058
When you power on the NVIDIA SN3420 switch with no connected cables, the QSFP ports LEDs light in amber.5.3.0-5.8.05.9.0-5.10.1
3479786
The switchd service does not handle certain route and next hop updates, which causes a synchronization loop. For example, in a VRF route leaking configuration, where a next hop group spans across multiple VRFs, when one of the routes is withdrawn and the next hop is no longer used, switchd has problems synchronizing other next hops in the group
To work around this issue, disable next hop groups in zebra with the vtysh zebra nexthop proto only command, and then reboot the switch.
5.3.0-5.5.15.6.0-5.10.1
3474391
The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB.4.3.1-5.5.15.6.0-5.10.1
3470941
On the NVIDIA SN4700 switch, reversing the upper four lanes on a port does not work and might cause link degradation. If you swap the upper and lower four lanes on a port, the firmware gets stuck.5.3.0-5.5.05.5.1-5.10.1
3467890
BGP aggregate routers are not advertised after learning the same route from another protocol. To work around this issue, restart the FRR service or, if possible, don’t learn the route from another protocol (use route maps instead).5.3.0-5.5.15.6.0-5.10.1
3466703
In rare cases when there is high load, the clagd service might experience a buffer overflow and MLAG bonds stay in a proto-down state on the secondary switch. You see a “NetlinkThread: Netlink overflow” log message and the MLAG state indicates VLAN conflicts between peers. To work around this issue, restart the clagd service with the sudo systemctl restart clagd command on the switch that reports the overflow log message.5.2.0-5.5.15.6.0-5.10.1
3445841
FRR does not apply Type-0 ESI configuration for EVPN multihoming bonds consistently after an FRR service reload. This issue occurs because the system MAC address value (es-sys-mac) is only compatible with a 3-byte Ethernet segment ID (es-id) for Type-3 ESIs, but still renders even when the Ethernet segment ID is 10 bytes for Type-0 ESIs. To work around this issue, configure EVPN multihoming bonds with a Type-3 ESI (es-sys-mac plus a 3-byte es-id).5.0.0-5.6.05.7.0-5.10.1
3434791
Changing the ebgp-multihop setting for a BGP peer always resets the peer, even if the configured TTL value matches the existing TTL value of the peer.5.3.1-5.4.05.5.0-5.10.1
3432897
When you remove the restriction from a TACACS+ mapped user to remove per command authorization, the tacplus-restrict -R command does not restore ownership of restored files correctly. As a result, some commands might fail due to permission errors in the files or directories under the home directory. To work around this issue, run the sudo chown command to correct the ownership of the affected files and directories.5.0.0-5.4.05.5.0-5.10.1
3429530
On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time.4.2.1-5.4.05.5.0-5.10.1
3428677
In certain cases, Cumulus Linux does not process next hop updates because the zebra IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state.5.3.0-5.6.05.7.0-5.10.1
3424967
sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don’t run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo … to execute the sudo command.5.0.0-5.10.1
3420056
The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors.4.4.0-4.4.5, 5.0.0-5.10.1
3413827
During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The clagctl dumppermanentneighs command only shows local neighbors.4.2.1-4.3.1, 4.4.0-5.4.04.3.2, 5.5.0-5.10.1
3413785
To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo … to execute the sudo command using the TACACS+ server on the default VRF.5.0.0-5.5.15.6.0-5.10.1
3402935
For layer 3 interfaces configured on the switch, certain triggers, such as port flaps and subinterface flaps, or when configuring the ports to and from layer 2 and layer 3, cause the dummy internal VLAN to not free up, which can result in exhaustion of the dummy internal VLANs designated for the layer 3 interfaces. When this occurs, you see the following switchd log messages:
ERR dummy internal vlans exhaustedERR cannot allocate vlan for sub-interface
5.0.0-5.4.05.5.0-5.10.1
3393306
The python-netaddr package is not preinstalled on the switch, which leads to an error similar to the following when SNMP accesses data from the CUMULUS-BGPVRF-MIB
CUMULUS-BGPVRF-MIB::bgpPeerFsmEstablishedTransitions = No Such Instance currently exists at this OID
To work around this issue, manually install the python-netaddr package with the sudo -E apt-get install python-netaddr command.
5.3.1-5.4.05.5.0-5.10.1
3390758
The neighmgrd service does not enable the snooper unless ARP suppression is enabled on at least one VXLAN interface. This can result in missing ARP and NDP entries if the host does not directly interact with the switch.5.3.1-5.4.05.5.0-5.10.1
3389198
The NVUE nv unset command does not completely remove IPv6 DNS server configuration
5.3.1-5.4.05.5.0-5.10.1
3388067
TACACS+ packages in the local apt repository might be out of date; as a result, the upgrade does not install tacacs0 through tacacs15 users in the correct NVUE groups. When you run NVUE commands as a TACACS+ user, the commands fail and you see the error You do not have permission to execute that command
To obtain the correct packages, install the tacplus-client package and its dependencies from apt.cumulusnetworks.com.
5.1.0-5.4.05.5.0-5.10.1
3379873
apt source linux fails to download the Linux kernel source code. To work around this issue, run the sudo apt update && sudo apt install linux-source-5.10 command or download the desired version from https://apt.cumulusnetworks.com/repo/pool/cumulus/l/linux/ and install it with the sudo dpkg -i $filename command. The source code in a tar.xz file will then be located in the /usr/src/ directory.5.2.0-5.4.05.5.0-5.10.1
3351953
In rare circumstances, attempting to install a Cumulus Linux 5.3 image can fail during installation. The device stops at the (initramfs) prompt. To resume installation, enter the exit command at the (initramfs) prompt.5.3.0-5.3.15.4.0-5.10.1
3351951
Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit.4.2.1-4.3.1, 4.4.0-5.3.14.3.2, 5.4.0-5.10.1
3351936
Switch fans run at very high speed but the temperature is normal.5.2.0-5.3.15.4.0-5.10.1
3350789
NVUE deprecated the port split command options (2x10G, 2x25G, 2x40G, 2x50G, 2x100G, 2x200G, 4x10G, 4x25G, 4x50G, 4x100G, 8x50G) with no backwards compatibility.5.0.0-5.4.05.5.0-5.10.1
3349207
The switch does not learn MAC addresses from DHCP packets. When a DHCP enabled host is plugged in for the first time, it tries to obtain an IP address through DHCP. The switch does not learn the MAC address of the host when it receives these DHCP packets; therefore, the host MAC address is not updated in the local forwarding database and it does not get advertised across EVPN. The switch learns the MAC address when it receives other packets, such as ARP or ND from the host. To work around this issue, either configure a temporary IP address on the host to initiate ARP/ND or enable IPv6, which sends ND after link local address creation.5.2.0-5.4.05.5.0-5.10.1
3347677
In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown.5.1.0-5.6.05.7.0-5.10.1
3340890
When you run the NVUE nv show interface command, you see an error similar to the following:
Error: GET /nvue_v1/interface/swp45?rev=operational responded with 500 INTERNAL SERVER ERROR
5.3.0-5.4.05.5.0-5.10.1
3339336
The ethtool -m command does not show Digital Optical Monitoring (DOM) for SFP transceivers. To work around this issue, run the l1-show or mlxlink command instead.5.2.0-5.3.15.4.0-5.10.1
3334275
When you run the sensors command, the output shows an erroneous fault on some front panel ports.5.2.0-5.7.05.8.0-5.10.1
3330705
When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present.3.7.0-5.3.15.4.0-5.10.1
3330600
The SNMP monitor might fail to send the expected traps.5.3.0-5.3.15.4.0-5.10.1
3329494
Ethtool HwIfInDot3FrameErrors (Rx FCS Errors) might lead to an incorrect and very large HwIfInErrors count. To work around this issue, stop the source of the FCS errors, then reset the interface counters. First, run the sudo mst status command to find the device, then run the sudo mlxlink -d -p <port_number> -pc command to reset the interface counters; for example, sudo mlxlink -d /dev/mst/mt53104_pciconf0 -p 39 -pc.5.3.1-5.4.05.5.0-5.10.1
3327477
If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password.3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.10.1
3322944
The ptmd service causes memory leaks.5.3.0-5.3.15.4.0-5.10.1
3308248
DHCP packets do not forward over VXLAN interfaces in multicast replication environments. This issue does not affect VXLAN environments using head end replication (HER).5.2.0-5.3.15.4.0-5.10.1
3303084
The memory consumption in ptmd can grow when the socket being used for a BFD session needs to be recreated. This is often seen when the route being used to forward the BFD packets is removed; for example, if the connected route is removed when an interface goes down, over which a single hop BFD session is formed.5.3.0-5.3.15.4.0-5.10.1
3301988
Some EVPN multihoming show commands might cause BGP to crash if you use the json flag and attempt to reference the default VRF by name. For example, show bgp l2vpn evpn es-vrf json.5.0.0-5.3.15.4.0-5.10.1
3301950
When upgrading from Cumulus Linux 5.0.0 thru 5.2.1 to Cumulus Linux 5.3.0 or 5.3.1, the babeltrace and python3-babeltrace packages are not added automatically even though they are in the default image in Cumulus Linux 5.3.0 and later. You may need these packages to decode LTTNG traces with /usr/lib/frr/frr_babeltrace.py.. If you need to use this script, run the sudo apt update && sudo apt install babeltrace python3-babeltrace command to install the packages.5.3.0-5.3.15.4.0-5.10.1
3298616
NVUE gracefully detects and handles upgrades that include valid flexible snippets. For any invalid (incompatible) flexible snippets, you must delete the snippets before you apt upgrade Cumulus Linux; otherwise, the NVUE nv config apply command and the equivalent REST API, do not run.5.3.0-5.3.15.4.0-5.10.1
3296715
When you clear interface counters with the ethtool -S clear command, the command fails with the following message:
switch:~$ ethtool -S swp1 clearethtool (-S): unknown parameter ‘clear’
5.2.0-5.3.15.4.0-5.10.1
3293114
In Cumulus Linux 5.4 and earlier, the command to enable Neighbor Discovery (ND) router advertisement is inverted and causes confusion; nv set interface ip neighbor-discovery router-advertisement enable off. In Cumulus Linux 5.5 and later, the command to enable router advertisement is updated to nv set interface ip neighbor-discovery router-advertisement enable on.5.3.0-5.5.15.6.0-5.10.1
3293039
When you add the /etc/frr/frr.conf file to the ignore list for NVUE, any configuration change causes FRR to restart because a check is done to see if any running configuration has changed since the previously applied configuration in the vtysh shell.5.3.0-5.3.15.4.0-5.10.1
3292773
NVUE requires the SNMPv2 community string to be a minimum of eight characters.5.3.0-5.3.15.4.0-5.10.1
3289972
When the switch needs to forward a frame that has a source MAC address of 00:00:00:00:00:00, the dmesg log might report the message bridge: RTM_NEWNEIGH with invalid ether address in a loop every 30 seconds. The log message is harmless and frames with that MAC forward correctly.5.3.0-5.3.15.4.0-5.10.1
3289646
The memory consumption in ptmd can grow when the socket being used for a BFD session needs to be recreated. This is often seen when the route being used to forward BFD packets is removed; for example, if the connected route is removed when an interface goes down, over which a single hop BFD session is formed.5.2.0-5.3.15.4.0-5.10.1
3283598
After you restart the FRR service, show commands incorrectly reflect the VLAN associated with layer 3 VNIs as 0:
# net show evpn vni 123VNI: 123Type: L3Tenant VRF: BLUEVlan: 0
5.3.0-5.3.15.4.0-5.10.1
3267328
On Spectrum 1 switches when configuring ACLs in non-atomic mode, if there are too many IPv6 matches due to rules with both input-interface and output-interface matches on SVIs, the ACL install fails and switchd crashes.5.2.0-5.3.15.4.0-5.10.1
3266197
When you disable BGP globally with the nv set router bgp enable off command, applying the configuration with NVUE might fail due to an FRR reload failure.5.2.0-5.6.05.7.0-5.10.1
3266050
Due to a race at the initial configuration, the SDK RDQ test may test RDQ configured for WJH and fail the test resulting in a fatal health event.5.2.0-5.3.15.4.0-5.10.1
3264269
When you change the BGP router ID that causes a change to an EVPN VNI RD, EVPN EAD-per-EVI routes are not updated properly.5.3.0-5.6.05.7.0-5.10.1
3258232
If you use NVUE to configure multiple SNMP listener addresses at the same time, the SNMP service fails to start. To work around this issue, configure multiple SNMP listener addresses one at a time.5.3.0-5.6.05.7.0-5.10.1
3255899
The Linux utility that sends ARP packets is constrained to 512 interfaces on the system. In large scale deployments, the warm boot process fails repeatedly as it sends gratuitous ARP requests for each local address. This issue does not impact the functionality and can be ignored.5.2.0-5.3.15.4.0-5.10.1
3244955
ACL configurations fail when the TCAM memory is exhausted because the CTCAM profile is configured with duplicate entries.5.2.0-5.3.15.4.0-5.10.1
3241567
When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time.5.3.0-5.10.1
3241047
When you delete a route under the following conditions, switchd might crash:- The minimum number of routes is set to a non-zero value
- KVD utilization is higher than sixty percent
- The number of routes currently configured is less than the minimum reserved value, and multiple KVD linear resources have just been freed and are waiting in the Garbage Collector queue.
5.2.0-5.3.15.4.0-5.10.1
3234814
With double tagged QinQ interfaces, if the bridge corresponding to the QinQ interface flaps, you might see invalid learning notifications and errors from similar to the following:
Can’t set non-static MAC address for non-vPort 0x0001006B when VID is VFID. 
5.3.0-5.4.05.5.0-5.10.1
3226525
When using TACACS+, if you configure per-command authorization with the tacplus-restrict command, NVUE configuration commands fail for any user with a privilege level lower than 15. This occurs because NVUE is not able to create a .local user directory.5.2.0-5.3.15.4.0-5.10.1
3226506
The l1-show eth0 command does not show port information and is not supported in this release.5.3.0-5.10.1
3221628
Cumulus Linux VX images might include an incorrect entry at the end of /etc/apt/sources.list, which produces warnings when you run apt update. Remove this entry to avoid these warnings.5.2.0-5.6.05.7.0-5.10.1
3187469
At high scale with 160 VRFs and 10 VLANs per VRF (a total of 1600 VLANs), you see traffic loss during primary switch reboot. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address.5.1.0-5.5.15.6.0-5.10.1
3178090
The cl-support generation script causes TC filter collection to run as a background process for each interface, which can lead to memory exhaustion on a high scale configuration and on a switch with a small memory footprint.5.1.0-5.5.15.6.0-5.10.1
3172682
On rare occasions, when you query the system hostname through the hostnamctl application, you see a timeout. NVUE uses the hostnamctl application to determine the system hostname, which can result in an nv config apply command failure.5.2.0-5.5.15.6.0-5.10.1
3172504
When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY.5.2.0-5.10.1
3147782
You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command.
5.3.0-5.10.1
3145869
On a Spectrum-3 switch, the PTP offset in 10GbE changes between +-27. The average offset is around 7.5.2.0-5.10.1
3145222
The NVUE nv show system forwarding –output json command does not provide any output. To work around this issue, run the nv show system forwarding command.5.2.0-5.3.15.4.0-5.10.1
3145204
On the NVIDIA Spectrum-1 switch, the nv show system forwarding command shows GTP hashing output, which is not supported on this switch.5.2.0-5.4.05.5.0-5.10.1
3144740
The /var/lib/snmp/snmpd.conf file contains multiple Warning: Unknown token: ifXTable messages. To avoid these warnings, add the -noTokenWarnings option to the SNMPDOPTS variable in the /etc/defaults/snmpd file, then restart the snmpd service.5.2.0-5.4.05.5.0-5.10.1
3142615
The BGP4-MIB.txt file is missing from Net-SNMP agent.5.0.0-5.4.05.5.0-5.10.1
3141826
A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1)
1.3.6.1.2.1.47 –> Entity MIB
1.3.6.1.2.1.99 –> Entity Sensor MIB
1.3.6.1.2.1.23 –> rip2
1.3.6.1.2.1.2 –> interface/interfaces
1.3.6.1.2.1.31 –> ifMIB
1.3.6.1.2.1.4 –> IP
1.3.6.1.2.1.25 –> hostResource
5.0.1-5.8.05.9.0-5.10.1
3135952
PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed <port_speed> autoneg off lanes <no_of_lanes> command. For example:
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
5.2.0-5.10.1
3122301
On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames.5.2.0-5.10.1
3115242
When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID.5.1.0-5.10.1
3103821
On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames.5.2.0-5.10.1
3084476
After you disable traffic shaping in the /etc/cumulus/datapath/qos/qos_features.conf file, the default QOS traffic shaping configuration does not restore. To work around this issue, restart switchd.4.4.3, 5.0.0-5.10.14.4.4-4.4.5
3084027
Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware.4.3.0-4.4.5, 5.0.0-5.10.1
3074390
You can not apply NVUE configurations when TACACS is enabled for user authentication. To work around this issue, add the nvue account to the exclude_users line in /etc/tacplus_nss.conf:
exclude_users=root,daemon,nobody,cron,radius_user,radius_priv_user,sshd,cumulus,quagga,frr,nvue,snmp,www-data,ntp,man,_lldpd,*
5.0.1-5.3.15.4.0-5.10.1
3071652
On rare occasions, after you reboot or restart switchd on a Spectrum 1 switch, any 25G connections with Direct Attach Copper (DAC) cables that connect from the switch to a non-NVIDIA device might flap continuously. To work around this issue, bring the affected link administratively down for a few seconds on the non-NVIDIA device, then bring the link back up.4.4.4-4.4.5, 5.1.0-5.10.1
3069069
When you run the systemctl reload switchd command, there is momentary traffic loss after a port configured with lossless buffers goes down. This is only temporary and the traffic stabilizes after the initial drops.5.1.0-5.5.15.6.0-5.10.1
3061656
When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds.5.1.0-5.10.1
3055283
After you run Linux commands to enable a custom ECMP or LAG hash parameter, if you set the hash_config.enable or lag_hash_config.enable parameter to false, the custom parameters do not restore their default values. To work around this issue, change the custom ECMP or LAG hash parameters to their default values manually.5.1.0-5.4.05.5.0-5.10.1
3053094
When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds.5.1.0-5.10.1
3045310
If GTP Hashing is set to true, after more than two warm boots, switchd fails and a cl-support file is generated.5.1.0-5.4.05.5.0-5.10.1
3037824
The NVUE nv show interface link state command shows an empty table instead of showing the port link state.5.0.0-5.3.15.4.0-5.10.1
3034435
In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community.4.4.4-5.4.05.5.0-5.10.1
3015393
The NVUE nv show interface command shows the operational state of the tunnel as down even though the tunnel is up, and encapsulation and decapsulation occurs correctly.5.1.0-5.3.15.4.0-5.10.1
2972540
With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts.5.0.0-5.10.1
2964279
When a VNI flaps, an incorrect list of layer 2 VNIs are associated with a layer 3 VNI. The NCLU net show evpn vni detail command output shows duplicate layer 2 VNIs under a layer 3 VNI.3.7.15, 4.4.2-4.4.5, 5.0.0-5.10.13.7.16
2951110
The net show time ntp servers command does not show any output with the management VRF.3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.10.1
2904450
When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show.4.4.0-4.4.5, 5.0.0-5.10.1
2891255
CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file.
Vulnerable: <= 2.6.20-0+deb10u1
Fixed: 2.6.20-0+deb10u2
4.0.0-4.4.1, 5.0.0-5.10.14.4.2-4.4.5
2890681
CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code
Vulnerable: 2.6.0+dfsg.1-1Fixed: 2.6.0+dfsg.1-1+deb10u1
4.0.0-4.4.1, 5.0.0-5.10.14.4.2-4.4.5
2867042
When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration.5.0.0-5.10.1
2847755
When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit.5.0.0-5.10.1
2823307
Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration.5.0.0-5.10.1
2821929
FRR restarts even when the NVUE configuration overwrite mode is set.5.0.0-5.3.15.4.0-5.10.1
2736108
When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value.4.4.0-4.4.5, 5.0.0-5.10.1
2684925
The NVUE nv show vrf default router bgp peer command produces a 404 not found error.4.4.0-4.4.5, 5.0.0-5.10.1
2543915
When you enable a service in the management VRF, systemctl issues a warning similar to the following:
Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run ‘systemctl daemon-reload’ to reload unit
You can safely ignore this warning.
4.0.0-5.9.25.10.0-5.10.1

Fixed Issues in 5.3.1

Issue IDDescriptionAffects
3303372
On Spectrum-2 switches, 200G ports might flap. This issue happens rarely.5.3.0
3303082
When you delete a route under the following conditions, switchd might crash:
- The minimum number of routes is set to a non-zero value.
- KVD utilization is higher than sixty percent.
- The number of routes currently configured is less than the minimum reserved value, and multiple KVD linear resources have just been freed and are waiting in the Garbage Collector queue.
5.2.0-5.3.0

5.3.0 Release Notes

Open Issues in 5.3.0

Issue IDDescriptionAffectsFixed
4004453
The NVUE commands to delete SNMP users, and change authentication passwords and encryption passphrases are not successful.4.3.0-5.9.1, 5.10.0-5.10.15.9.2
3895042
After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a 

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a 
4.4.0-5.9.15.9.2-5.10.1
3859422
On rare occasions when certain events occur, such as changes to the topology in the network, when a bond comes online and directly transits to an STP blocking state, the slave ports might still be in a forwarding state. As a result, traffic is forwarded on a blocked port.5.2.0-5.9.15.9.2-5.10.1
3773177
When you try to upgrade a switch from Cumulus Linux 5.5 or earlier to 5.8.0 or later with package upgrade, you see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.
cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt install ./cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt update
cumulus@switch:~$ sudo apt upgrade
4.0.0-4.4.5, 5.0.0-5.10.1
3713419
When monitoring system statistics and network traffic with sFlow, an aggressive link flap might produce a memory leak in the sFlow service hsflowd.5.1.0-5.7.05.8.0-5.10.1
3696061
When the MAC address of a neighbor changes, the zebra IP routing manager might crash.5.2.1-5.6.05.7.0-5.10.1
3684998
DHCP lease information is not collected in the cl-support file.4.3.0-5.6.05.7.0-5.10.1
3647426
If BGP remote-as is set to an integer and you try to configure the local-as for a BGP instance, you see the following error:
% AS specified for local as is the same as the remote as and this is not allowed
This configuration is not allowed; it is considered to be eBGP and local preference is not advertised.
5.0.0-5.5.14.3.2-4.4.5, 5.6.0-5.10.1
3613258
With VM migration from one VTEP to another, traffic loss might occur during a MAC move as locally learned MAC addresses are frequently refreshed between switchd and the kernel.5.2.1-5.6.05.7.0-5.10.1
3610967
In an EVPN symmetric routing configuration, running the NVUE nv set vrf vlan auto command to derive layer 3 VNIs automatically might result in duplicate VLAN entries in the system. This most often occurs at scale when many VRFs have similar names. To work around this issue, manually specify a unique VLAN for each VRF.5.3.0-5.8.05.9.0-5.10.1
3585467
NVUE and ip link show traditional bridge VLAN subinterface counts incorrectly. The ingress (Rx) count increments correctly but the egress (Tx) count does not increment. This issues occurs because the hardware does not support transmit counters for a VLAN subinterface; therefore, no statistics from the hardware are updated. Statistics for software forwarded packets show correctly.5.0.0-5.6.05.7.0-5.10.1
3562767
ACLs do not process inbound DHCP packets and the packets do not contribute to ACL counters5.2.0-5.4.05.5.0-5.10.1
3560622
When you configure a route distinguisher (RD) or a route target (RT) manually for layer 2 VNIs, type-1 routes are not properly updated, type-1 EVI routes with the old RD are not properly withdrawn, and type-1 ES routes do not have the corresponding layer 2 VNI route target updated.5.0.0-5.5.15.6.0-5.10.1
3554231
CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that “agent forwarding should be enabled with caution”), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P ‘')
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected.
4.0.0-4.3.1, 5.0.0-5.10.14.3.2-4.4.5
3541912
Collecting a cl-support file in a high VNI and interface environment can result in an out-of-memory (OOM) event on the switch. An OOM event can cause critical services to restart and might impact traffic.5.1.0-5.5.15.6.0-5.10.1
3491259
When BGP receives an EVPN type-5 route with a gateway IP overlay attribute, the gateway IP overlay attribute in the attr memory (which is already inserted in the attribute hash) might change. As a result, the modified attr memory might match with another attr in the attribute hash, which produces duplicate entries in the hash table. As a result, BGP might crash when deleting one of the duplicate attr structures.5.0.0-5.5.15.6.0-5.10.1
3488136
When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command.4.2.1-5.5.15.6.0-5.10.1
3484058
When you power on the NVIDIA SN3420 switch with no connected cables, the QSFP ports LEDs light in amber.5.3.0-5.8.05.9.0-5.10.1
3479786
The switchd service does not handle certain route and next hop updates, which causes a synchronization loop. For example, in a VRF route leaking configuration, where a next hop group spans across multiple VRFs, when one of the routes is withdrawn and the next hop is no longer used, switchd has problems synchronizing other next hops in the group
To work around this issue, disable next hop groups in zebra with the vtysh zebra nexthop proto only command, and then reboot the switch.
5.3.0-5.5.15.6.0-5.10.1
3474391
The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB.4.3.1-5.5.15.6.0-5.10.1
3470941
On the NVIDIA SN4700 switch, reversing the upper four lanes on a port does not work and might cause link degradation. If you swap the upper and lower four lanes on a port, the firmware gets stuck.5.3.0-5.5.05.5.1-5.10.1
3467890
BGP aggregate routers are not advertised after learning the same route from another protocol. To work around this issue, restart the FRR service or, if possible, don’t learn the route from another protocol (use route maps instead).5.3.0-5.5.15.6.0-5.10.1
3466703
In rare cases when there is high load, the clagd service might experience a buffer overflow and MLAG bonds stay in a proto-down state on the secondary switch. You see a “NetlinkThread: Netlink overflow” log message and the MLAG state indicates VLAN conflicts between peers. To work around this issue, restart the clagd service with the sudo systemctl restart clagd command on the switch that reports the overflow log message.5.2.0-5.5.15.6.0-5.10.1
3445841
FRR does not apply Type-0 ESI configuration for EVPN multihoming bonds consistently after an FRR service reload. This issue occurs because the system MAC address value (es-sys-mac) is only compatible with a 3-byte Ethernet segment ID (es-id) for Type-3 ESIs, but still renders even when the Ethernet segment ID is 10 bytes for Type-0 ESIs. To work around this issue, configure EVPN multihoming bonds with a Type-3 ESI (es-sys-mac plus a 3-byte es-id).5.0.0-5.6.05.7.0-5.10.1
3432897
When you remove the restriction from a TACACS+ mapped user to remove per command authorization, the tacplus-restrict -R command does not restore ownership of restored files correctly. As a result, some commands might fail due to permission errors in the files or directories under the home directory. To work around this issue, run the sudo chown command to correct the ownership of the affected files and directories.5.0.0-5.4.05.5.0-5.10.1
3429530
On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time.4.2.1-5.4.05.5.0-5.10.1
3428677
In certain cases, Cumulus Linux does not process next hop updates because the zebra IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state.5.3.0-5.6.05.7.0-5.10.1
3424967
sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don’t run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo … to execute the sudo command.5.0.0-5.10.1
3420056
The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors.4.4.0-4.4.5, 5.0.0-5.10.1
3413827
During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbors cannot synchronize between MLAG nodes. The clagctl dumppermanentneighs command only shows local neighbors.4.2.1-4.3.1, 4.4.0-5.4.04.3.2, 5.5.0-5.10.1
3413785
To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo … to execute the sudo command using the TACACS+ server on the default VRF.5.0.0-5.5.15.6.0-5.10.1
3402935
For layer 3 interfaces configured on the switch, certain triggers, such as port flaps and subinterface flaps, or when configuring the ports to and from layer 2 and layer 3, cause the dummy internal VLAN to not free up, which can result in exhaustion of the dummy internal VLANs designated for the layer 3 interfaces. When this occurs, you see the following switchd log messages:
ERR dummy internal vlans exhaustedERR cannot allocate vlan for sub-interface
5.0.0-5.4.05.5.0-5.10.1
3388067
TACACS+ packages in the local apt repository might be out of date; as a result, the upgrade does not install tacacs0 through tacacs15 users in the correct NVUE groups. When you run NVUE commands as a TACACS+ user, the commands fail and you see the error You do not have permission to execute that command
To obtain the correct packages, install the tacplus-client package and its dependencies from apt.cumulusnetworks.com.
5.1.0-5.4.05.5.0-5.10.1
3379873
apt source linux fails to download the Linux kernel source code. To work around this issue, run the sudo apt update && sudo apt install linux-source-5.10 command or download the desired version from https://apt.cumulusnetworks.com/repo/pool/cumulus/l/linux/ and install it with the sudo dpkg -i $filename command. The source code in a tar.xz file will then be located in the /usr/src/ directory.5.2.0-5.4.05.5.0-5.10.1
3351953
In rare circumstances, attempting to install a Cumulus Linux 5.3 image can fail during installation. The device stops at the (initramfs) prompt. To resume installation, enter the exit command at the (initramfs) prompt.5.3.0-5.3.15.4.0-5.10.1
3351951
Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit.4.2.1-4.3.1, 4.4.0-5.3.14.3.2, 5.4.0-5.10.1
3351936
Switch fans run at very high speed but the temperature is normal.5.2.0-5.3.15.4.0-5.10.1
3350789
NVUE deprecated the port split command options (2x10G, 2x25G, 2x40G, 2x50G, 2x100G, 2x200G, 4x10G, 4x25G, 4x50G, 4x100G, 8x50G) with no backwards compatibility.5.0.0-5.4.05.5.0-5.10.1
3349207
The switch does not learn MAC addresses from DHCP packets. When a DHCP enabled host is plugged in for the first time, it tries to obtain an IP address through DHCP. The switch does not learn the MAC address of the host when it receives these DHCP packets; therefore, the host MAC address is not updated in the local forwarding database and it does not get advertised across EVPN. The switch learns the MAC address when it receives other packets, such as ARP or ND from the host. To work around this issue, either configure a temporary IP address on the host to initiate ARP/ND or enable IPv6, which sends ND after link local address creation.5.2.0-5.4.05.5.0-5.10.1
3347677
In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown.5.1.0-5.6.05.7.0-5.10.1
3340890
When you run the NVUE nv show interface command, you see an error similar to the following:
Error: GET /nvue_v1/interface/swp45?rev=operational responded with 500 INTERNAL SERVER ERROR
5.3.0-5.4.05.5.0-5.10.1
3339336
The ethtool -m command does not show Digital Optical Monitoring (DOM) for SFP transceivers. To work around this issue, run the l1-show or mlxlink command instead.5.2.0-5.3.15.4.0-5.10.1
3334275
When you run the sensors command, the output shows an erroneous fault on some front panel ports.5.2.0-5.7.05.8.0-5.10.1
3330705
When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present.3.7.0-5.3.15.4.0-5.10.1
3330600
The SNMP monitor might fail to send the expected traps.5.3.0-5.3.15.4.0-5.10.1
3327477
If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password.3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.10.1
3322944
The ptmd service causes memory leaks.5.3.0-5.3.15.4.0-5.10.1
3308248
DHCP packets do not forward over VXLAN interfaces in multicast replication environments. This issue does not affect VXLAN environments using head end replication (HER).5.2.0-5.3.15.4.0-5.10.1
3303372
On Spectrum-2 switches, 200G ports might flap. This issue happens rarely.5.3.05.3.1-5.10.1
3303084
The memory consumption in ptmd can grow when the socket being used for a BFD session needs to be recreated. This is often seen when the route being used to forward the BFD packets is removed; for example, if the connected route is removed when an interface goes down, over which a single hop BFD session is formed.5.3.0-5.3.15.4.0-5.10.1
3303082
When you delete a route under the following conditions, switchd might crash:
- The minimum number of routes is set to a non-zero value.
- KVD utilization is higher than sixty percent.
- The number of routes currently configured is less than the minimum reserved value, and multiple KVD linear resources have just been freed and are waiting in the Garbage Collector queue.
5.2.0-5.3.05.3.1-5.10.1
3301988
Some EVPN multihoming show commands might cause BGP to crash if you use the json flag and attempt to reference the default VRF by name. For example, show bgp l2vpn evpn es-vrf json.5.0.0-5.3.15.4.0-5.10.1
3301950
When upgrading from Cumulus Linux 5.0.0 thru 5.2.1 to Cumulus Linux 5.3.0 or 5.3.1, the babeltrace and python3-babeltrace packages are not added automatically even though they are in the default image in Cumulus Linux 5.3.0 and later. You may need these packages to decode LTTNG traces with /usr/lib/frr/frr_babeltrace.py.. If you need to use this script, run the sudo apt update && sudo apt install babeltrace python3-babeltrace command to install the packages.5.3.0-5.3.15.4.0-5.10.1
3298616
NVUE gracefully detects and handles upgrades that include valid flexible snippets. For any invalid (incompatible) flexible snippets, you must delete the snippets before you apt upgrade Cumulus Linux; otherwise, the NVUE nv config apply command and the equivalent REST API, do not run.5.3.0-5.3.15.4.0-5.10.1
3296715
When you clear interface counters with the ethtool -S clear command, the command fails with the following message:
switch:~$ ethtool -S swp1 clearethtool (-S): unknown parameter ‘clear’
5.2.0-5.3.15.4.0-5.10.1
3293114
In Cumulus Linux 5.4 and earlier, the command to enable Neighbor Discovery (ND) router advertisement is inverted and causes confusion; nv set interface ip neighbor-discovery router-advertisement enable off. In Cumulus Linux 5.5 and later, the command to enable router advertisement is updated to nv set interface ip neighbor-discovery router-advertisement enable on.5.3.0-5.5.15.6.0-5.10.1
3293039
When you add the /etc/frr/frr.conf file to the ignore list for NVUE, any configuration change causes FRR to restart because a check is done to see if any running configuration has changed since the previously applied configuration in the vtysh shell.5.3.0-5.3.15.4.0-5.10.1
3292773
NVUE requires the SNMPv2 community string to be a minimum of eight characters.5.3.0-5.3.15.4.0-5.10.1
3289972
When the switch needs to forward a frame that has a source MAC address of 00:00:00:00:00:00, the dmesg log might report the message bridge: RTM_NEWNEIGH with invalid ether address in a loop every 30 seconds. The log message is harmless and frames with that MAC forward correctly.5.3.0-5.3.15.4.0-5.10.1
3289646
The memory consumption in ptmd can grow when the socket being used for a BFD session needs to be recreated. This is often seen when the route being used to forward BFD packets is removed; for example, if the connected route is removed when an interface goes down, over which a single hop BFD session is formed.5.2.0-5.3.15.4.0-5.10.1
3283598
After you restart the FRR service, show commands incorrectly reflect the VLAN associated with layer 3 VNIs as 0:
# net show evpn vni 123VNI: 123Type: L3Tenant VRF: BLUEVlan: 0
5.3.0-5.3.15.4.0-5.10.1
3267328
On Spectrum 1 switches when configuring ACLs in non-atomic mode, if there are too many IPv6 matches due to rules with both input-interface and output-interface matches on SVIs, the ACL install fails and switchd crashes.5.2.0-5.3.15.4.0-5.10.1
3266197
When you disable BGP globally with the nv set router bgp enable off command, applying the configuration with NVUE might fail due to an FRR reload failure.5.2.0-5.6.05.7.0-5.10.1
3266050
Due to a race at the initial configuration, the SDK RDQ test may test RDQ configured for WJH and fail the test resulting in a fatal health event.5.2.0-5.3.15.4.0-5.10.1
3264269
When you change the BGP router ID that causes a change to an EVPN VNI RD, EVPN EAD-per-EVI routes are not updated properly.5.3.0-5.6.05.7.0-5.10.1
3258232
If you use NVUE to configure multiple SNMP listener addresses at the same time, the SNMP service fails to start. To work around this issue, configure multiple SNMP listener addresses one at a time.5.3.0-5.6.05.7.0-5.10.1
3255899
The Linux utility that sends ARP packets is constrained to 512 interfaces on the system. In large scale deployments, the warm boot process fails repeatedly as it sends gratuitous ARP requests for each local address. This issue does not impact the functionality and can be ignored.5.2.0-5.3.15.4.0-5.10.1
3244955
ACL configurations fail when the TCAM memory is exhausted because the CTCAM profile is configured with duplicate entries.5.2.0-5.3.15.4.0-5.10.1
3241567
When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time.5.3.0-5.10.1
3241047
When you delete a route under the following conditions, switchd might crash:- The minimum number of routes is set to a non-zero value
- KVD utilization is higher than sixty percent
- The number of routes currently configured is less than the minimum reserved value, and multiple KVD linear resources have just been freed and are waiting in the Garbage Collector queue.
5.2.0-5.3.15.4.0-5.10.1
3234814
With double tagged QinQ interfaces, if the bridge corresponding to the QinQ interface flaps, you might see invalid learning notifications and errors from similar to the following:
Can’t set non-static MAC address for non-vPort 0x0001006B when VID is VFID. 
5.3.0-5.4.05.5.0-5.10.1
3226525
When using TACACS+, if you configure per-command authorization with the tacplus-restrict command, NVUE configuration commands fail for any user with a privilege level lower than 15. This occurs because NVUE is not able to create a .local user directory.5.2.0-5.3.15.4.0-5.10.1
3226506
The l1-show eth0 command does not show port information and is not supported in this release.5.3.0-5.10.1
3221628
Cumulus Linux VX images might include an incorrect entry at the end of /etc/apt/sources.list, which produces warnings when you run apt update. Remove this entry to avoid these warnings.5.2.0-5.6.05.7.0-5.10.1
3187469
At high scale with 160 VRFs and 10 VLANs per VRF (a total of 1600 VLANs), you see traffic loss during primary switch reboot. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address.5.1.0-5.5.15.6.0-5.10.1
3178090
The cl-support generation script causes TC filter collection to run as a background process for each interface, which can lead to memory exhaustion on a high scale configuration and on a switch with a small memory footprint.5.1.0-5.5.15.6.0-5.10.1
3172682
On rare occasions, when you query the system hostname through the hostnamctl application, you see a timeout. NVUE uses the hostnamctl application to determine the system hostname, which can result in an nv config apply command failure.5.2.0-5.5.15.6.0-5.10.1
3172504
When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY.5.2.0-5.10.1
3147782
You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command.
5.3.0-5.10.1
3145869
On a Spectrum-3 switch, the PTP offset in 10GbE changes between +-27. The average offset is around 7.5.2.0-5.10.1
3145222
The NVUE nv show system forwarding –output json command does not provide any output. To work around this issue, run the nv show system forwarding command.5.2.0-5.3.15.4.0-5.10.1
3145204
On the NVIDIA Spectrum-1 switch, the nv show system forwarding command shows GTP hashing output, which is not supported on this switch.5.2.0-5.4.05.5.0-5.10.1
3144740
The /var/lib/snmp/snmpd.conf file contains multiple Warning: Unknown token: ifXTable messages. To avoid these warnings, add the -noTokenWarnings option to the SNMPDOPTS variable in the /etc/defaults/snmpd file, then restart the snmpd service.5.2.0-5.4.05.5.0-5.10.1
3142615
The BGP4-MIB.txt file is missing from Net-SNMP agent.5.0.0-5.4.05.5.0-5.10.1
3141826
A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1)
1.3.6.1.2.1.47 –> Entity MIB
1.3.6.1.2.1.99 –> Entity Sensor MIB
1.3.6.1.2.1.23 –> rip2
1.3.6.1.2.1.2 –> interface/interfaces
1.3.6.1.2.1.31 –> ifMIB
1.3.6.1.2.1.4 –> IP
1.3.6.1.2.1.25 –> hostResource
5.0.1-5.8.05.9.0-5.10.1
3135952
PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed <port_speed> autoneg off lanes <no_of_lanes> command. For example:
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
5.2.0-5.10.1
3122301
On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames.5.2.0-5.10.1
3115242
When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID.5.1.0-5.10.1
3103821
On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames.5.2.0-5.10.1
3084476
After you disable traffic shaping in the /etc/cumulus/datapath/qos/qos_features.conf file, the default QOS traffic shaping configuration does not restore. To work around this issue, restart switchd.4.4.3, 5.0.0-5.10.14.4.4-4.4.5
3084027
Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware.4.3.0-4.4.5, 5.0.0-5.10.1
3074390
You can not apply NVUE configurations when TACACS is enabled for user authentication. To work around this issue, add the nvue account to the exclude_users line in /etc/tacplus_nss.conf:
exclude_users=root,daemon,nobody,cron,radius_user,radius_priv_user,sshd,cumulus,quagga,frr,nvue,snmp,www-data,ntp,man,_lldpd,*
5.0.1-5.3.15.4.0-5.10.1
3071652
On rare occasions, after you reboot or restart switchd on a Spectrum 1 switch, any 25G connections with Direct Attach Copper (DAC) cables that connect from the switch to a non-NVIDIA device might flap continuously. To work around this issue, bring the affected link administratively down for a few seconds on the non-NVIDIA device, then bring the link back up.4.4.4-4.4.5, 5.1.0-5.10.1
3069069
When you run the systemctl reload switchd command, there is momentary traffic loss after a port configured with lossless buffers goes down. This is only temporary and the traffic stabilizes after the initial drops.5.1.0-5.5.15.6.0-5.10.1
3061656
When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds.5.1.0-5.10.1
3055283
After you run Linux commands to enable a custom ECMP or LAG hash parameter, if you set the hash_config.enable or lag_hash_config.enable parameter to false, the custom parameters do not restore their default values. To work around this issue, change the custom ECMP or LAG hash parameters to their default values manually.5.1.0-5.4.05.5.0-5.10.1
3053094
When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds.5.1.0-5.10.1
3045310
If GTP Hashing is set to true, after more than two warm boots, switchd fails and a cl-support file is generated.5.1.0-5.4.05.5.0-5.10.1
3037824
The NVUE nv show interface link state command shows an empty table instead of showing the port link state.5.0.0-5.3.15.4.0-5.10.1
3034435
In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community.4.4.4-5.4.05.5.0-5.10.1
3015393
The NVUE nv show interface command shows the operational state of the tunnel as down even though the tunnel is up, and encapsulation and decapsulation occurs correctly.5.1.0-5.3.15.4.0-5.10.1
2972540
With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts.5.0.0-5.10.1
2964279
When a VNI flaps, an incorrect list of layer 2 VNIs are associated with a layer 3 VNI. The NCLU net show evpn vni detail command output shows duplicate layer 2 VNIs under a layer 3 VNI.3.7.15, 4.4.2-4.4.5, 5.0.0-5.10.13.7.16
2951110
The net show time ntp servers command does not show any output with the management VRF.3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.10.1
2904450
When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show.4.4.0-4.4.5, 5.0.0-5.10.1
2891255
CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file.
Vulnerable: <= 2.6.20-0+deb10u1
Fixed: 2.6.20-0+deb10u2
4.0.0-4.4.1, 5.0.0-5.10.14.4.2-4.4.5
2890681
CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code
Vulnerable: 2.6.0+dfsg.1-1Fixed: 2.6.0+dfsg.1-1+deb10u1
4.0.0-4.4.1, 5.0.0-5.10.14.4.2-4.4.5
2867042
When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration.5.0.0-5.10.1
2847755
When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit.5.0.0-5.10.1
2823307
Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration.5.0.0-5.10.1
2821929
FRR restarts even when the NVUE configuration overwrite mode is set.5.0.0-5.3.15.4.0-5.10.1
2736108
When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value.4.4.0-4.4.5, 5.0.0-5.10.1
2684925
The NVUE nv show vrf default router bgp peer command produces a 404 not found error.4.4.0-4.4.5, 5.0.0-5.10.1
2543915
When you enable a service in the management VRF, systemctl issues a warning similar to the following:
Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run ‘systemctl daemon-reload’ to reload unit
You can safely ignore this warning.
4.0.0-5.9.25.10.0-5.10.1

Fixed Issues in 5.3.0

Issue IDDescriptionAffects
3255948
When you upgrade from Cumulus Linux 5.0.0-5.1.0 to Cumulus Linux 5.2.0 or 5.2.1, warm or fast boot fails. Use regular reboot or csmgrctl -c in this case.5.2.0-5.2.1
3235368
When you try to configure VRF route leaking between many VRFs using multiple NCLU commands before running the net commit command, the commit fails. To work around this issue, configure VRF leaking one command at a time and run net commit after each command.4.4.4-5.2.1
3231330
If BGP neighbor allowas-in is set, negating with no no neighbor allowas-in does not disable the setting. To work around this issue and disable the setting, restart the FRR service.4.2.1-4.3.1
3228856
If you have a lot of inbound route maps that match lists with many regex statements, a large number of updates from the peer can cause the system to run out of memory. To work around this issue, reduce the number of regex matches in inbound route maps.4.4.0-5.2.1
3228690
When you configure a routing policy multiple times in NVUE with a match evpn default-route statement, the bgpd daemon terminates.
3227905
PTP forced master mode does not work. To work around this issue, change masterOnly to serverOnly in the /etc/ptp4l.conf file.5.2.0-5.2.1
3227895
The match evpn default-route setting does not filter the default route correctly.
3227677
When daylight saving time changes the time, the MLAG initDelay timer resets and all MLAG bonds go down.4.4.4-5.2.1
3227651
Docker commands can cause Cumulus Linux commands to fail. apt upgrade can also fail if you use Docker commands implicitly. To work around this issue, run ulimit -v unlimited before running Docker commands or running apt upgrade.5.2.0-5.2.1
3218207
Certain routes on tenant VRFs have missing next hop entries because the router MAC address is missing in the bridge forwarding database table that corresponds to the remote VTEP. As a result, traffic forwarding is affected for these routes.4.3.0-5.2.1
3217675
When you run the NVUE nv set bridge domain br_default multicast snooping enable off command to disable multicast snooping, the bridge still shows that multicast snooping is enabled.5.0.1-5.2.1
3217674
Multicast PTP over UDP traffic does not forward to data ports when the PTP service is disabled. To work around this issue, change the ptp.timestamping setting to FALSE in the /etc/cumulus/switchd.conf file, then restart switchd.5.0.1-5.2.1
3216922
RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users).3.7.0-5.2.1
3211114
After an abrupt power cycle, the nvued service might fail to start due to NVUE internal data corruption
This issue has been resolved with the addition of an automatic backup feature, which is enabled by default; if NVUE detects an internal data store corruption, the nvued service recovers from the backup.
5.2.0-5.2.1
3211054
On the NVIDIA Spectrum-2 switch, when receiving multicast traffic on a PIM enabled VLAN, the multicast traffic is forwarded correctly to the associated VLAN, however WJH shows traffic loss with the error:

Packet size is larger than router interface MTU – Validate the router interface MTU configuration
4.4.2-5.2.1
3205859
On the NVIDIA SN3700 and SN4600 switch, the fans run at very high speed but the temperature sensor readings are within an acceptable range.5.2.0-5.2.1
3205858
Ports might experience intermittent I2C EEPROM read problems, which result in blinking amber LEDs and incorrect ethtool output.5.2.0-5.2.1
3205012
The NVIDIA SN4600 switch might experience SDK errors caused by the garbage collection process.5.1.0-5.2.1
3204533
At high scale with 79 VRFs and 10 VLANs per VRF (a total of 790 VLANs), clagd loses backup connection during a switchd restart. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address.5.1.0-5.2.1
3202991
Locally generated multicast traffic including IGMPv2 GSQs do not transmit to local clients when using PIM.5.0.1-5.2.1
3202401
The ethtool -m command and the NVUE nv show interface pluggable command do not show the VPD for optical modules and AOCs (OUI, vendor name, part number, or revision serial number).5.2.0-5.2.1
3200373
After rebooting the switch, the IPv6 link local address for an SVI that belongs to non-default VRF is missing, and doesn’t show on the switch. To resolve this issue, run the ifreload -a command.5.0.0-5.2.1
3196774
In an EVPN configuration, after closing a BGP session on an EVPN peer, the VTEP RMAC is deleted and the hosts lose reachability to each other. To work around this issue, restart FRR or add a static RMAC entry to bridge FDB.5.2.0-5.2.1
3192808
When the switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes.4.3.0-4.3.1, 4.4.0-5.2.1
3188576
IPv6 messages fill the /var/log/frr/frr.log files and logrotate is unable to clean up the old log files. As a result, a significant number of log files are never deleted, which fill up the file system.5.2.0-5.2.1
3187408
Certain NUE commands produce an Invalid Command error. For example:
cumulus@switch:~$ nv set vrf default router bgp peer-group SPINE password CumulusLinux!Invalid Command: set vrf default router bgp peer-group SPINE password CumulusLinux!cumulus@switch:~$ nv set router policy route-map GLOBAL rule 10 description globalInvalid Command: set router policy route-map GLOBAL rule 10 description global
5.2.0-5.2.1
3180043
The EVPN Multihoming ESI configuration command nv set interface evpn multihoming segment identifier does not work.5.1.0-5.2.1
3177985
When you run ZTP manually with the ztp -R command, then the ztp -vb command, the process stalls indefinitely while searching the local (USB) location and not using DHCP information. To work around this issue, run the ztp -r command with the URL of the ZTP server:
[Dec-08-17:09:58] root@switch:/home/cumulus#  ztp -r http://myztp.server.local/ztp
5.2.0-5.2.1
3176318
The NVUE nv set bridge domain br_default stp priority command does not change the STP priority.5.1.0-5.2.1
3171316
Various FRR show commands do not have json output. This applies to BGP show commands ending in prefix-list, route-map, dampening parameters, and longer-prefixes. FRR show bgp detail output contains a summary instead of details on each prefix. FRR show bgp … neighbor routes and show bgp … neighbor received-routes both incorrectly use a json key of advertisedRoutes.5.2.0-5.2.1
3166746
FRR does not install EVPN type-2 routes correctly after the specific operation that deletes and adds all non-uplink ports. The routes show as rejected in the zebra RIB. To work around this problem, restart FRR with the sudo systemctl restart frr command.5.1.0-5.2.1
3159756
When adding a member port to a bond you sometimes see an error. The error occurs if you configure a port as double tagged, then you remove the double tagged configuration and add the port as a bond member. You might not see the error as it depends on timing of interface events during double tagged interface creation. To work around this issue, remove the bond configuration and add it back again.5.2.0-5.2.1
3157711
If you disable SNMP with the NVUE command nv unset service snmp-server, the FRR service restarts and removes the cleanup agentx functionality, which is used to obtain FRR MIBs.5.2.0-5.2.1
3150317
During a host failure, where a link remains up but LACP stops being sent, the EVPN multihoming ES bond goes into bypass mode active without a link state change.4.4.2-5.2.1
3150208
When a ZTP script executes a switchd restart, the switchd service might fail with the following log message:
switchd[11549]: hal.c:1378 CRIT No backends found
To work around this issue, avoid restarting the switchd service in the ZTP script; reboot the switch instead.
5.1.0-5.2.1
3139364
When Cumulus Linux updates the ECMP container with a new next hop list, it allocates the flow counters for the new next hop list without deallocating the counters bound to the old next hop list. This results in resource exhaustion and you see the following error messages in the /var/log/switchd.log file:
hal_mlx_stat.c:3215 ERR Failed to allocate counter(s) for ecmp [71025:0] status: Internal Errorhal_mlx_stat.c:3196 ERR Counter set for ecmp [71025:0] idx 0 failed: Internal Errorhal_mlx_sdk_nexthop_wrap.c:1076 ERR Counter 0 alloc for ecmp next hop failed: Internal Errorhal_mlx_sdk_counter_wrap.c:54 ERR Counter alloc failed: No More Resources
This issue does not have any functional impact to forwarding. Even without the flow counters attached to the ECMP group, packet forwarding works without any issues
To avoid allocating next hop counters for any new ECMP next hop list update, set mlx.stats.ecmp.enable to FALSE in the /etc/mlx/datapath/stats.conf file, then restart switchd with the sudo systemctl reload switchd command.
5.0.0-5.2.1
3139164
NVUE does not allow you to set 2X/4X lanes. To work around this issue, set the appropriate lanes for forced speed with the ethtool -s swpX speed <port_speed> autoneg off lanes <no_of_lanes> command. For example, ethtool -s swp1 speed 100000 autoneg off lanes 2.5.2.0-5.2.1
3138057
When the next hop interface for EVPN type 5 routes flaps, FRR might uninstall the routes and Route install failed appears in /var/log/frr/frr.log. To work around this problem, restart FRR with the sudo systemctl restart frr command.4.4.0-5.2.1
3135714
The tacplus package does not create the correct tacacs0-15 users in the right groups. NVUE commands are rejected with the error: “You do not have permission to execute that command.” To work around this issue, add tacacs15 to the nvapply group. Also, add tacacs0 through 14 to the nvshow group:
sudo usermod -a -G nvapply tacacs15sudo usermod -a -G nvshow tacacs0..
sudo usermod -a -G nvshow tacacs14
5.1.0-5.2.1
3135683
On the Spectrum SN2201 switch, when a fan is obstructed with an object, the fan and system LEDs don’t change.5.2.0-5.2.1
3053015
Spectrum-2 and Spectrum-3 switches do not support 1G speed with Cumulus Linux.5.1.0-5.2.1
3040174
When you configure EVPN multihoming with NVUE on a switch with the Spectrum-a1 ASIC, you must configure the following snippet to enable EVPN multihoming in hardware. This is not required for Spectrum-2 or Spectrum-3 switches
- set:
system:
config:
snippet:
switchd:
file: “/etc/cumulus/switchd.conf”
content: |
evpn.multihoming.enable=TRUE
permissions: “0644”
services:
schedule:
service: switchd
action: restart
Apply the snippet with the nv config patch <snippet.yaml> command, then run the nv config apply -y command.
5.1.0-5.2.1
2949123
The NVUE command nv show service ntp mgmt server does not show any configured servers.5.0.0-5.2.1