Cumulus Linux 5.7 Release Notes
Download all 5.7 release notes as .xls5.7.0 Release Notes
Open Issues in 5.7.0
| Issue ID | Description | Affects | Fixed |
|---|---|---|---|
| 3875696 | The default TX State for 1G Base-X optical modules that are unconfigured or admin down in Cumulus Linux 5.7.0 and later is OFF. However, on the first boot after upgrade from an earlier release, a module TX power might be ON or OFF depending on the TX State it was before the upgrade. The TX_Disable line is not properly set on first boot. To work around this issue, reboot the switch again, or ifup or ifdown the 1G Base-X interface to disable TX Power. | 5.7.0-5.8.0 | |
| 3863858 | VRR interfaces might show dadfailed on their IPv6 link-local address. | 5.6.0-5.8.0 | |
| 3832116 | When you configure a SPAN session either with the NVUE nv set system port-mirror session command or in the /etc/cumulus/switchd.d/port-mirror.conf file and the default route is configured to 0.0.0.0/0, the SPAN session might not work as expected. To work around this issue, remove the default route 0.0.0.0/0 and use alternate routes instead. | 5.7.0-5.8.0 | |
| 3782996 | If you have installed a large number ACLs, you might see a switchd memory leak over a period of time that stops the switchd process because it is out of memory . | 5.6.0-5.8.0 | |
| 3782543 | When you configure the BGP setting bgp max-med on-startup with vtysh, the MED on some peers might not be set to 4294967294 as expected on startup. The max-med might also fail to reset after the startup timer expires. | 5.6.0-5.8.0 | |
| 3773177 | When you try to upgrade a switch from Cumulus Linux 5.5 or earlier to 5.8.0 or later with package upgrade, you see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb | 4.0.0-4.4.5, 5.0.0-5.8.0 | |
| 3766994 | Cumulus Linux 5.6 and 5.7 do not include FRR log rotation, which can result in a very large log file that affects disk usage. To work around this issue, run the following commands as the cumulus user on the Cumulus Linux 5.6 or 5.7 switch. The commands do not impact any other system function.cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/f/frr-logrotate/frr-logrotate_8.4.3-0+cl5.7.0u1_amd64.deb | 5.6.0-5.7.0 | 5.8.0 |
| 3765395 | The nv unset nve vxlan flooding and nv set nve vxlan flooding enable off commands do not disable BUM flooding. To work around this issue, disable BUM flooding with vtysh commands:leaf01# configure terminal | 5.5.0-5.8.0 | |
| 3752266 | If you configure DHCP Server HA, the switch failover might cause the DHCP service to report a time mismatch too great error. | 5.7.0-5.8.0 | |
| 3751952 | ifupdown2 tries to set the multicast database hash elasticity (bridge-hashel attribute) with a value of 4096. However, this attribute is now deprecated in the Linux kernel and the value is always 16. | 5.5.1-5.7.0 | 5.8.0 |
| 3744830 | When configured with NVUE, the Radius secret key can be a maximum of 19 characters long. | 5.7.0-5.8.0 | |
| 3739159 | Disabling adaptive routing globally or on interfaces and performing ISSU, has a significant traffic outage. The issue recovers after ISSU completes. | 5.7.0-5.8.0 | |
| 3739008 | The Lenovo MSN4600-VS2RC (PN SSG7B27990 Back-to-Front/C2P Airflow) might run the fan tray fans at a high speed because the software believes the PSU fans are running in the wrong direction. | 5.5.1-5.8.0 | |
| 3738626 | If you configure a VNI before an SVI, you can’t add or remove the VRR address from the SVI. To work around this issue, configure the SVI before the VNI. | 5.6.0-5.7.0 | 5.8.0 |
| 3730904 | When sending untagged frames to the CPU with an MTU higher than the SVD (single VXLAN device) MTU, the kernel might crash. | 5.4.0-5.8.0 | |
| 3718614 | When a corrupt or invalid ZTP script exists on the ZTP file server, the ZTP service on the switch might crash and report Too many open files after approximately 1000 download attempts. To recover and restart ZTP, reboot the switch. Always provide a valid ZTP script when using ZTP download. | 5.7.0 | 5.8.0 |
| 3713420 | When you run the systemctl restart switchd.service command or reboot the switch after you set the host route preference option with the NVUE nv set system forwarding host-route-preference command or manually in the /etc/cumulus/switchd.conf file, switchd crashes and creates core files. | 5.7.0 | 5.8.0 |
| 3713419 | When monitoring system statistics and network traffic with sFlow, an aggressive link flap might produce a memory leak in the sFlow service hsflowd. | 5.1.0-5.7.0 | 5.8.0 |
| 3712007 | In RSTP mode when there is a bridge port flap, Cumulus Linux flushes, then re-adds dynamic MAC addresses on the peer link, which might cause short traffic disruption. | 5.6.0-5.7.0 | 5.8.0 |
| 3710396 | In an eBGP multihop configuration with dynamic neighbors, Cumulus Linux does not update the configured TTL but uses the MAXTTL instead. This issue is only observed with dynamic peers. | 5.6.0-5.7.0 | 5.8.0 |
| 3702431 | Traditional SNMP snippets do not take effect unless you first enable SNMP with the NVUE nv set service snmp-server enable on and nv set service snmp-server listening-address commands. Alternatively, you can use the equivalent REST API methods. | 5.4.0-5.8.0 | |
| 3698680 | If you run the ifreload -a command when ACLs exist but nonatomic update mode is set in the switchd.conf file, traffic pauses on unaffected interfaces. | 5.6.0-5.7.0 | 5.8.0 |
| 3695491 | When you log into a Cumulus Linux switch after a fresh install through the serial console, the management VRF might not be available. (This is not an issue with ssh.) To work around this issue, log out, then log back into the console a few seconds later, after the switch finishes booting. | 5.7.0 | 5.8.0 |
| 3686389 | When you use NVUE commands to configure an untagged VLAN (PVID) on a bridge to a non-default value, nv show bridge commands still indicate that the untagged VLAN is 1 (the default value). The untagged VLAN you configured is properly set on bridge ports, but displays incorrectly in operational NVUE show commands. | 5.6.0-5.7.0 | 5.8.0 |
| 3685007 | Cumulus Linux does not support 802.1X dynamic VLANs on PEAP with MS Windows-based supplicants. | 5.7.0-5.8.0 | |
| 3679478 | During switch boot, you see the following messages in the syslog:2024-03-04T10:34:49.650950+00:00 cumulus sx_sdk: 2262 [TELE] [ERROR ]: Tele impl module is already initialized2024-03-04T10:34:49.651041+00:00 cumulus sx_sdk: 2262 [TELE] [ERROR ]: sdk_tele_init failed, for chip type CHIP_TYPE_SWITCH_SPECTRUM3, err = Already initialized This is due to both the ASIC Monitoring service and the What Just Happened (WJH) service trying to initialize the SDK TELE module. You can ignore the messages because the TELE service has already initialized properly. | 5.7.0-5.8.0 | |
| 3677533 | Due to resource constraints on the Spectrum 1 switch, staticd performance drops and takes longer to read static routes compared to the time BGP takes to complete a graceful restart, and advertise routes and EOR to its helpers. As a result, static routes are advertised after the EOR is sent to graceful restart helpers, which delete the stale static routes and relearn them after receiving the EOR from the restarting node. Temporary traffic loss might occur. | 5.7.0-5.8.0 | |
| 3672706 | When you enable port security, you can configure a maximum of 450 port security static MAC addresses for an interface. | 5.7.0-5.8.0 | |
| 3671288 | On rare occasions, when the BGP service receives multiple update messages due to multiple route churns in the network, the next hop might become unreachable during the time that the switch processes BGP updates and withdraws with EVPN prefixes. As a result, the EVPN neighbor might be missed in the kernel. | 5.6.0-5.7.0 | 5.8.0 |
| 3637444 | Applying an inbound control plane ACL on the eth0 management interface does not take effect. To work around this issue, apply the ACL on the mgmt interface; for example, nv set interface mgmt acl . | 5.7.0-5.8.0 | |
| 3636266 | When an unresolved next hop is present in a next hop group, especially over an SVI interface, the switch checks if the neighbor MAC address is in the forwarding table. If the neighbor’s MAC address is not there, the switch skips this next hop from backend programming and you see the switchd error ERR NH: l3 nhg v6 l3 nhg contains one or more unresolvable nexthops. There is no impact to switch functionality as unresolved neighbors are not programmed in hardware until they are resolved. | 5.7.0-5.8.0 | |
| 3632843 | When the switch receives a type-5 route in BGP and there is a network statement for the same prefix, BGP sometimes removes the request to track next hops from FRR. As next hop reachability changes, BGP no longer reacts to the change. To work around this issue, run the clear bgp * command for all peerings. | 5.6.0-5.7.0 | 5.8.0 |
| 3630492 | On the NVIDIA SN2201 switch, the ledmgrd -d command output shows the system and PSU LED status as orange when the physical LED is green. | 5.5.1-5.7.0 | 5.8.0 |
| 3614286 | To avoid unnecessary traffic loss, ifreload (ifupdown2) only flaps a bond to reset its MAC address when the bond MAC address is not present on any of the bond’s interfaces. Previously, ifupdown2 enforced the bond MAC address to be set to the MAC address of the first interface. | 5.6.0-5.7.0 | 5.8.0 |
| 3610967 | In an EVPN symmetric routing configuration, running the NVUE nv set vrf command to derive layer 3 VNIs automatically might result in duplicate VLAN entries in the system. This most often occurs at scale when many VRFs have similar names. To work around this issue, manually specify a unique VLAN for each VRF. | 5.3.0-5.8.0 | |
| 3587393 | If you use the NVIDIA SN5600 (Spectrum-4) switch with Ixia test equipment, you might experience delayed link up due to intermittent link flaps. To work around this issue when using copper cables:
To work around this issue when using fiber cables:
| 5.6.0-5.8.0 | |
| 3556762 | On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.8.0 | |
| 3546857 | The nv show bridge vlan command does not show tagged and untagged VLAN information for the bridge | 5.6.0-5.8.0 | |
| 3541653 | During warm boot with layer 3 traffic, you might experience packet loss for approximately 15 milliseconds. | 5.6.0-5.8.0 | |
| 3538321 | In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.8.0 | |
| 3484058 | When you power on the NVIDIA SN3420 switch with no connected cables, the QSFP ports LEDs light in amber. | 5.3.0-5.8.0 | |
| 3463827 | On rare occasions, SPT switchover might not happen cleanly in PIM, resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.6.0-5.8.0 | |
| 3452681 | When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND. | 5.5.0-5.8.0 | |
| 3433577 | When you use a single VXLAN device (SVD) with MLAG and static VXLAN tunnels, Cumulus Linux incorrectly associates the MAC addresses it learns from the VXLAN fabric to the bridge PVID. This issue can lead to a feedback loop between the clagd service and switchd, and might result in critical CPU usage with an out of memory condition. Do not use an SVD when enabling MLAG in a static VXLAN environment. | 5.5.0-5.8.0 | |
| 3424967 | sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don’t run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo … to execute the sudo command. | 5.0.0-5.8.0 | |
| 3420056 | The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.8.0 | |
| 3393966 | Configuring the network statement with the NVUE nv set vrf command might bring down all the OSPF neighbors. To work around this issue, create an NVUE snippet to configure the network statement. | 5.5.0-5.8.0 | |
| 3368217 None | When daylight saving time changes, the MLAG initDelay timer resets and all MLAG bonds go down. | 4.4.4-4.4.5, 5.2.1-5.8.0 | |
| 3362113 | If you restore an NVUE startup.yaml file or run the nv config patch command after an upgrade that includes breakout ports with QoS configuration, the NVUE configuration fails to apply. Subsequent attempts to run nv config apply fail with a message similar to Invalid config [rev_id: 11] qos config is not supported on the following invalid interface: swp1s0. Supported on swp and bond interface types. To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. | 5.4.0-5.8.0 | |
| 3350027 | If you uninstall dynamic NAT rules and switchd restarts before all the dynamic NAT flows age out and are deleted, you might see dynamic flow deletion errors in switchd.log. These errors do not affect new dynamic NAT flows from new NAT rules. | 5.4.0-5.8.0 | |
| 3347538 | When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.8.0 | |
| 3341214 | If you use the NVUE REST API to configure a local user with a hashed password, the user cannot log in and the /etc/nvue.d/startup.yaml file shows the password as plain text. | 5.4.0-5.8.0 | |
| 3334275 | When you run the sensors command, the output shows an erroneous fault on some front panel ports. | 5.2.0-5.7.0 | 5.8.0 |
| 3329518 | When using TACACS+, if the /etc/nsswitch.conf file specifies passwd: files tacplus (files is listed before tacplus), a user that is present in both the local /etc/passwd file and the TACACS+ server cannot log into the switch. NVIDIA recommends that when using TACACS+, you list tacplus before files in /etc/nsswitch.conf. When using NVUE, ensure that tacacs has priority over local. | 5.4.0-5.8.0 | |
| 3327477 | If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.8.0 | |
| 3326659 | If you have a large number of MAC addresses, they do not age out at the MAC ageing timeout value configured on the switch. It might take up to 30 seconds more for the MAC addresses to age out and be deleted from the hardware. To work around this issue, wait for the ageing timeout value plus 30 seconds. | 5.4.0-5.8.0 | |
| 3241567 | When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time. | 5.3.0-5.8.0 | |
| 3226506 | The l1-show eth0 command does not show port information and is not supported in this release. | 5.3.0-5.8.0 | |
| 3172504 | When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.8.0 | |
| 3147782 | You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUNDTo work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.8.0 | |
| 3145869 | On a Spectrum-3 switch, the PTP offset in 10GbE changes between +-27. The average offset is around 7. | 5.2.0-5.8.0 | |
| 3141826 | A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1) 1.3.6.1.2.1.47 –> Entity MIB 1.3.6.1.2.1.99 –> Entity Sensor MIB 1.3.6.1.2.1.23 –> rip2 1.3.6.1.2.1.2 –> interface/interfaces 1.3.6.1.2.1.31 –> ifMIB 1.3.6.1.2.1.4 –> IP 1.3.6.1.2.1.25 –> hostResource | 5.0.1-5.8.0 | |
| 3135952 | PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed <port_speed> autoneg off lanes <no_of_lanes> command. For example:cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 | 5.2.0-5.8.0 | |
| 3122301 | On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.8.0 | |
| 3115242 | When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.8.0 | |
| 3103821 | On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.8.0 | |
| 3084476 | After you disable traffic shaping in the /etc/cumulus/datapath/qos/qos_features.conf file, the default QOS traffic shaping configuration does not restore. To work around this issue, restart switchd. | 4.4.3, 5.0.0-5.8.0 | 4.4.4-4.4.5 |
| 3084027 | Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware. | 4.3.0-4.4.5, 5.0.0-5.8.0 | |
| 3071652 | On rare occasions, after you reboot or restart switchd on a Spectrum 1 switch, any 25G connections with Direct Attach Copper (DAC) cables that connect from the switch to a non-NVIDIA device might flap continuously. To work around this issue, bring the affected link administratively down for a few seconds on the non-NVIDIA device, then bring the link back up. | 4.4.4-4.4.5, 5.1.0-5.8.0 | |
| 3061656 | When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.8.0 | |
| 3053094 | When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.8.0 | |
| 2972540 | With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.8.0 | |
| 2964279 | When a VNI flaps, an incorrect list of layer 2 VNIs are associated with a layer 3 VNI. The NCLU net show evpn vni detail command output shows duplicate layer 2 VNIs under a layer 3 VNI. | 3.7.15, 4.4.2-4.4.5, 5.0.0-5.8.0 | 3.7.16 |
| 2951110 | The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.8.0 | |
| 2904450 | When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.8.0 | |
| 2891255 | CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file. Vulnerable: <= 2.6.20-0+deb10u1 Fixed: 2.6.20-0+deb10u2 | 4.0.0-4.4.1, 5.0.0-5.8.0 | 4.4.2-4.4.5 |
| 2890681 | CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code Vulnerable: 2.6.0+dfsg.1-1Fixed: 2.6.0+dfsg.1-1+deb10u1 | 4.0.0-4.4.1, 5.0.0-5.8.0 | 4.4.2-4.4.5 |
| 2867042 | When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.8.0 | |
| 2847755 | When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit. | 5.0.0-5.8.0 | |
| 2823307 | Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.8.0 | |
| 2736108 | When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.8.0 | |
| 2705056 | When configured with NVUE, SVIs do not inherit the pinned MAC address of the bridge. | 4.3.0, 5.0.0-5.8.0 | 4.3.1-4.4.5 |
| 2684925 | The NVUE nv show vrf default router bgp peer command produces a 404 not found error. | 4.4.0-4.4.5, 5.0.0-5.8.0 | |
| 2671652 | In VXLAN routing environments, you might experience sub-optimal route convergence delays (longer than five seconds) when a prefix transitions to a new ECMP next-hop group. This condition might occur when a VTEP loses ECMP routes through all uplink peerings, then installs the routes through a different path, such as an MLAG peerlink. | 4.4.0-4.4.5, 5.5.0-5.8.0 | |
| 2543915 CM-26301 | When you enable a service in the management VRF, systemctl issues a warning similar to the following:Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run ‘systemctl daemon-reload’ to reload unitYou can safely ignore this warning. | 4.0.0-4.4.5, 5.0.0-5.8.0 |
Fixed Issues in 5.7.0
| Issue ID | Description | Affects |
|---|---|---|
| 3696061 | When the MAC address of a neighbor changes, the zebra IP routing manager might crash. | 5.2.1-5.6.0 |
| 3695430 | When you configure extended nexthop encoding for a peer group, the peers in the group do not inherit the configuration. To work around this issue, configure extended nexthop encoding on each individual peer in the group. NVIDIA recommends that you upgrade to Cumulus Linux 5.6 or later to avoid this issue. | 5.4.0-5.6.0 |
| 3684998 | DHCP lease information is not collected in the cl-support file. | 4.3.0-5.6.0 |
| 3684268 | When multiple interfaces have addresses in the same network, deleting one of them might cause the wrong connected route from being deleted. | 5.6.0 |
| 3669935 | When you add or delete VXLAN VNI and VLAN interfaces, a memory leak might occur in switchd. | 5.6.0 |
| 3668939 | When you enable MIB 1.3.6.1.4.1.40310.1 in the snmpd.conf file, you might see high CPU usage by the snmpd service. | 5.5.1-5.6.0 |
| 3668809 | SN2410 switches manufactured or sold by OEMs (not Mellanox) might contain fans that do not support system fan direction detection. As a result, the following messages occur in the log:/usr/sbin/smond : : Path /run/hw-management/thermal/fan1_dir does not exist/usr/sbin/smond : : Path /run/hw-management/thermal/fan2_dir does not exist smond has been modified to determine dynamically (at run-time) if the fan has the capability. To drop the messages before they get to the log, create a file, such as /etc/rsyslog.d/18-drop_fan_dir_msgs.conf with the following contents, then restart rsyslogd with the systemctl restart rsyslog command# The lines below cause the offending message to be dropped from all logs:msg, ereregex, “.*Path /run/hw-management/thermal/fan[1-8]_dir does not exist” stop | 5.6.0 |
| 3664986 | If a core file is generated with a space in the name, Cumulus Linux generates cl-support files until the file is removed. To work around this issue, rename the core file without the space character. The next cl-support file generated will be moved into the cl-support archive and removed from the filesystem. | 5.6.0 |
| 3663182 | Changing non-default BGP timers with NCLU or vtysh commands sets the hold time and keep alive interval to 0 seconds. To work around this issue, restart the FRR service with the sudo systemctl restart frr.service command. | 5.3.1-5.6.0 |
| 3662354 | When you enable the FRR SNMP agent (agentx) and configure routing adjacencies with short timers (dead, keepalive, and hold time), the routing adjacencies might go down in certain scenarios; for example when you have frequent or concurrent client SNMP requests, you use custom SNMP MIB extensions, you poll OIDs with large responses, or during high CPU load. To work around this issue, you can increase the routing adjacency timers to accommodate SNMP processing. | 5.6.0 |
| 3661089 | When you run the show bgp l2vpn evpn route rd command, VNI information shows twice, once where VNI is in upper case and again where VNI is in lower case (vni). | |
| 3655043 | After you upgrade to Cumulus Linux 5.6.0 with package upgrade, configuration changes you make with NVUE commands do not apply and you see the error message Invalid config [rev_id: 4] Default profile parameters can not be modified. Modification allowed on user created profiles. To workaround this issue:1. Remove the PTP configuration using the nv unset service ptp 1 enable syntax2. Save the configuration nv config apply. 3. Re-add the PTP config. Note: this procedure results in a switchd restart which will have an impact on the data plane. | 5.6.0 |
| 3655027 | If you create a new snippet with the same name as a snippet you deleted, you receive a warning message. To work around this issue, create the new snippet with a different name than any removed snippets. | 5.6.0 |
| 3650661 | Configuration changes to an already applied custom flexible snippet that includes a service restart does not restart the service when you apply the patch. | 5.6.0 |
| 3647025 | The nv show vrf and nv show vrf commands do not show multiple next hops when there are multiple interfaces for a resolved-via ID. | |
| 3646119 | If you have VRFs configured and you change the global ASN in FRR, BGP crashes. To work around this issue, don’t unset more than one BGP instance at a time if one of the router bgp instances has VRF leaking configured. | 5.6.0 |
| 3644473 | When bulk interface flaps trigger, Cumulus Linux does not process the route.route_preferred_over_neigh=both configuration correctly due to the sequence of the events that occur when switchd creates and processes the route or neighbor and nexthop group. | 5.6.0 |
| 3643624 | The help text for the NVUE policer command nv set acl incorrectly indicates that the policer mode units are in bits per second. NVUE configures policers using bytes per second. | 5.6.0 |
| 3639058 | When you run the nv show service ntp command, you see an error message instead of the expected output. | 5.6.0 |
| 3627913 | The switch drops untagged VLAN traffic on single VXLAN bridge ports. | 5.6.0 |
| 3616643 | NVUE commands to set a route map exit policy match produce incorrect configuration in the /etc/frr/frr.conf file. | 5.6.0 |
| 3616338 | When you reboot an MLAG switch with 3000 or more VNIs, there might be extended traffic loss during reboot. To work around this issue, configure the clagd service initDelay to 300 seconds with the nv set mlag init-delay 300 command. | 5.5.1-5.6.0 |
| 3613258 | With VM migration from one VTEP to another, traffic loss might occur during a MAC move as locally learned MAC addresses are frequently refreshed between switchd and the kernel. | 5.2.1-5.6.0 |
| 3612959 | The interface name for a VLAN subinterface does not show correctly; the VLAN is appended to the interface again. | 5.6.0 |
| 3611215 | In an EVPN multihoming configuration, the switchd service produces error messages similar to the following:2023-09-07T15:45:56.055477+02:00 switch1 switchd7903: hal_mlx_flx_acl.c:2388 hal_mlx_flx_region_pull_bulk_counters failedThese error messages do not affect how the switch functions; however the messages fill up the switchd logs, which is not desirable. | 5.6.0 |
| 3610611 | Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf ping command to use a source address (such as an SVI address) with the ip vrf exec command. | 5.5.0-5.6.0 |
| 3609128 | When you use vi with root or sudo, visual mode is enabled by default due to a missing vimrc configuration file. This makes it difficult to copy and paste into vi. In CL5.7.0, the default configuration now includes set mouse-=aIn addition, the CL5.7.0 default configuration for vi now disables modelines, which can be a security risk. | 5.5.0-5.6.0 |
| 3608014 | Software MAC learning might not work for a bridged VLAN subinterface on a bond (such as bond1.100) if you remove a VLAN subinterface completely from the configuration, then add it back with an identical configuration. To work around this issue, restart switchd. | 5.6.0 |
| 3606739 | The thermal control service, hw-management-tc.service, stops and switch fan speeds run at 100% when the ASIC temperature can’t be read. This can occur if the SDK is not started. | 5.5.1-5.6.0 |
| 3603237 | If the secondary MLAG peer continuously reboots, you might experience momentary traffic loss. | 5.5.1-5.6.0 |
| 3600588 | You can’t reset the root password by booting into Cumulus Linux single-user recovery mode. To work around this issue, follow the steps in https://docs.nvidia.com/networking-ethernet-software/cumulus-linux-56/Monitoring-and-Troubleshooting/Single-User-Mode-Password-Recovery/. | 5.6.0 |
| 3599699 | Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the ping command to use a source address (such as an SVI address) with the ip vrf exec command. | 5.5.0-5.6.0 |
| 3597456 | NVUE does not allow you to use the reserved name lo in an interface name. | 5.5.1-5.6.0 |
| 3590394 | Under rare conditions, running NVUE commands that capture output larger than 4k bytes from Linux tools or utilities might result in failures with 500 INTERNAL SERVER ERROR or Unrecoverable internal error messages. This issue occurs when there are non-ascii characters in large outputs that Cumulus Linux can’t decode. This failure is observed only in Cumulus Linux 5.6 and earlier. | 5.6.0 |
| 3585467 | NVUE and ip link show traditional bridge VLAN subinterface counts incorrectly. The ingress (Rx) count increments correctly but the egress (Tx) count does not increment. This issues occurs because the hardware does not support transmit counters for a VLAN subinterface; therefore, no statistics from the hardware are updated. Statistics for software forwarded packets show correctly. | 5.0.0-5.6.0 |
| 3582826 | When you enable the FRR SNMP agent (agentx) and configure routing adjacencies with short timers (dead, keepalive, and hold time), the routing adjacencies might go down in certain scenarios; for example when you have frequent or concurrent client SNMP requests, you use custom SNMP MIB extensions, you poll OIDs with large responses, or during high CPU load. To work around this issue, you can increase the routing adjacency timers to accommodate SNMP processing. | 5.5.0-5.6.0 |
| 3580435 | On the NVIDIA SN2410 switch with an Innodisk SSD, you might see the following message in syslog:smartd[501]: Device: /dev/sda [SAT], CHECK POWER STATUS spins up disk (0x00 -> 0xff)This is a cosmetic issue and does not affect how the switch operates. To prevent this message from occurring, run the hdparm -S 24 /dev/sda command to change the HD timeout. | 5.3.1-5.6.0 |
| 3576961 | The NVUE command to clear all ACL counters at once is not available. To work around this issue, run the cl-acltool -Z all command to reset the statistics for all ACL rules. | 5.5.1-5.6.0 |
| 3575800 | When you configure the peerlink interface with NVUE but do not configure the necessary MLAG parameters with nv set mlag commands (such as the backup IP address, peer IP address, and MLAG MAC address), NVUE apply fails with the following message:
| 5.6.0 |
| 3573800 | After you apply a change to the router MAC address on an SVI with the ifreload -a command, the old router MAC address still remains in the FDB table. To work around this issue, remove the old router MAC address with the sudo bridge fdb del <old_mac> dev bridge vlan <vlan_id> command. | 5.3.1-5.6.0 |
| 3567708 | In an EVPN multihoming environment with VRRP, when the master VRRP router fails, the standby router takes around 30 seconds to become active. | 5.3.1-5.6.0 |
| 3566980 | When running DHCP relay for IPv6 and a downstream interface flaps more than once, relaying might stop working. To recover, restart the dhcrelay6 service, making sure the specified downstream interfaces are up and running. | 5.5.0-5.6.0 |
| 3554231 None | CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009 Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that “agent forwarding should be enabled with caution”), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P ‘') For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected. | 4.0.0-4.3.1, 5.0.0-5.6.0 |
| 3534718 | The BGP command to suppress longer prefixes inside the aggregate address before sending updates (nv set vrf or vtysh router bgp ) does not suppress more specific routes from being exported into the EVPN routing table and advertised as EVPN type-5 routes. To work around this issue, announce EVPN type-5 routes by adding an additional outbound policy or export policy to filter out the more specific routes. | 5.5.0-5.6.0 |
| 3533272 | If you set an OSPF network and define the subnet using a host address (such as 10.1.1.2/24) instead of the (starting) subnet network address (such as 10.1.1.0/24), you can’t unset the prefix with the nv unset vrf default router ospf area network command. Avoid defining the subnet using a host address when setting an OSPF network. | 5.6.0 |
| 3522524 | FRR does not allow eBGP multi hop configuration on unnumbered BGP neighbors. | 5.5.0-5.6.0 |
| 3517739 | When you connect the SN5600 switch to third party test equipment (such as IXIA) using copper cables, 100G, 200G, 400G, and 800G links do not come up. To work around this issue, use fiber optic cables when testing an SN5600 switch with IXIA for 100G, 200G, 400G, and 800G link speeds. | 5.6.0 |
| 3452732 | The nv set router policy ext-community-list command does not generate the standard based BGP community list. As a result, routes do not match the expected community list. To work around this issue, create a snippet to add the policy configuration to the /etc/frr/frr.conf file, then patch the configuration. For example:cumulus@switch:~$ sudo nano frr_policy.yaml- set: cumulus@switch:~$ nv config patch frr_policy.yaml | 5.5.0-5.6.0 |
| 3445841 | FRR does not apply Type-0 ESI configuration for EVPN multihoming bonds consistently after an FRR service reload. This issue occurs because the system MAC address value (es-sys-mac) is only compatible with a 3-byte Ethernet segment ID (es-id) for Type-3 ESIs, but still renders even when the Ethernet segment ID is 10 bytes for Type-0 ESIs. To work around this issue, configure EVPN multihoming bonds with a Type-3 ESI (es-sys-mac plus a 3-byte es-id). | 5.0.0-5.6.0 |
| 3428677 | In certain cases, Cumulus Linux does not process next hop updates because the zebra IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state. | 5.3.0-5.6.0 |
| 3419928 | The NVUE PIM timer command option names keep-alive and rp-keep-alive are inconsistent and need to change to keepalive and rp-keepalive. | 5.4.0-5.6.0 |
| 3405024 | You cannot remove PBR map configuration with source and destination rules. To work around this issue, delete the entire PBR map clause. | 5.5.0-5.6.0 |
| 3347677 | In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown. | 5.1.0-5.6.0 |
| 3266197 | When you disable BGP globally with the nv set router bgp enable off command, applying the configuration with NVUE might fail due to an FRR reload failure. | 5.2.0-5.6.0 |
| 3264269 | When you change the BGP router ID that causes a change to an EVPN VNI RD, EVPN EAD-per-EVI routes are not updated properly. | 5.3.0-5.6.0 |
| 3258232 | If you use NVUE to configure multiple SNMP listener addresses at the same time, the SNMP service fails to start. To work around this issue, configure multiple SNMP listener addresses one at a time. | 5.3.0-5.6.0 |
| 3232091 | The NVUE nv unset interface command does not restore the port lane setting to the default value. To work around this issue, run the nv set interface command. | 5.4.0-5.6.0 |
| 3221628 | Cumulus Linux VX images might include an incorrect entry at the end of /etc/apt/sources.list, which produces warnings when you run apt update. Remove this entry to avoid these warnings. | 5.2.0-5.6.0 |