If you are using the current version of Cumulus Linux, the content on this page may not be up to date. The current version of the documentation is available here. If you are redirected to the main page of the user guide, then this page may have been renamed; please search for it there.

Cumulus Linux 5.7 Release Notes

Download 5.7 Release Notes xls    Download all 5.7 release notes as .xls

5.7.0 Release Notes

Open Issues in 5.7.0

Issue IDDescriptionAffectsFixed
3773177
When you try to upgrade a switch from Cumulus Linux 5.5 or earlier to 5.8.0 with package upgrade, you see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.
cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt install ./cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt update
cumulus@switch:~$ sudo apt upgrade
4.0.0-4.4.5, 5.0.0-5.8.0
3766994
Cumulus Linux 5.6 and 5.7 do not include FRR log rotation, which can result in a very large log file that affects disk usage. To work around this issue, run the following commands as the cumulus user on the Cumulus Linux 5.6 or 5.7 switch. The commands do not impact any other system function.
cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/f/frr-logrotate/frr-logrotate_8.4.3-0+cl5.7.0u1_amd64.deb 
cumulus@switch:~$ dpkg –install frr-logrotate_8.4.3-0+cl5.7.0u1_amd64.deb
5.6.0-5.7.05.8.0
3751952
ifupdown2 tries to set the multicast database hash elasticity (bridge-hashel attribute) with a value of 4096. However, this attribute is now deprecated in the Linux kernel and the value is always 16.5.5.1-5.7.05.8.0
3744830
When configured with NVUE, the Radius secret key can be a maximum of 19 characters long.5.7.0-5.8.0
3739159
Disabling adaptive routing globally or on interfaces and performing ISSU, has a significant traffic outage. The issue recovers after ISSU completes.5.7.0-5.8.0
3739008
The Lenovo MSN4600-VS2RC (PN SSG7B27990 Back-to-Front/C2P Airflow) might run the fan tray fans at a high speed because the software believes the PSU fans are running in the wrong direction.5.5.1-5.8.0
3738626
If you configure a VNI before an SVI, you can’t add or remove the VRR address from the SVI. To work around this issue, configure the SVI before the VNI.5.6.0-5.7.05.8.0
3730904
When sending untagged frames to the CPU with an MTU higher than the SVD (single VXLAN device) MTU, the kernel might crash.5.4.0-5.8.0
3718614
When a corrupt or invalid ZTP script exists on the ZTP file server, the ZTP service on the switch might crash and report Too many open files after approximately 1000 download attempts. To recover and restart ZTP, reboot the switch. Always provide a valid ZTP script when using ZTP download.5.7.05.8.0
3713420
When you run the systemctl restart switchd.service command or reboot the switch after you set the host route preference option with the NVUE nv set system forwarding host-route-preference command or manually in the /etc/cumulus/switchd.conf file, switchd crashes and creates core files.5.7.05.8.0
3713419
When monitoring system statistics and network traffic with sFlow, an aggressive link flap might produce a memory leak in the sFlow service hsflowd.5.1.0-5.7.05.8.0
3712007
In RSTP mode when there is a bridge port flap, Cumulus Linux flushes, then re-adds dynamic MAC addresses on the peer link, which might cause short traffic disruption.5.6.0-5.7.05.8.0
3710396
In an eBGP multihop configuration with dynamic neighbors, Cumulus Linux does not update the configured TTL but uses the MAXTTL instead. This issue is only observed with dynamic peers.5.6.0-5.7.05.8.0
3702431
Traditional SNMP snippets do not take effect unless you first enable SNMP with the NVUE nv set service snmp-server enable on and nv set service snmp-server listening-address commands. Alternatively, you can use the equivalent REST API methods.5.4.0-5.8.0
3698680
If you run the ifreload -a command when ACLs exist but nonatomic update mode is set in the switchd.conf file, traffic pauses on unaffected interfaces.5.6.0-5.7.05.8.0
3698482
The NVUE nv show system config snippet command does not show any data because traditional and flexible snippets represent free-form text that are not suitable to be configured or retrieved with the NVUE CLI. To work around this issue, run the nv show system config snippet -o json or nv show system config snippet -o yaml command. You can also a run a GET /nvue_v1/system/config/snippet REST API method.5.7.0-5.8.0
3695491
When you log into a Cumulus Linux switch after a fresh install through the serial console, the management VRF might not be available. (This is not an issue with ssh.) To work around this issue, log out, then log back into the console a few seconds later, after the switch finishes booting.5.7.05.8.0
3689195
When you enable 802.1X auth-fail VLAN on an interface, hostapd doesn’t activate the auth-fail VLAN unless it receives an explicit Access-Reject response.5.7.0-5.8.0
3686389
When you use NVUE commands to configure an untagged VLAN (PVID) on a bridge to a non-default value, nv show bridge commands still indicate that the untagged VLAN is 1 (the default value). The untagged VLAN you configured is properly set on bridge ports, but displays incorrectly in operational NVUE show commands.5.6.0-5.7.05.8.0
3685007
Cumulus Linux does not support 802.1X dynamic VLANs on PEAP with MS Windows-based supplicants.5.7.0-5.8.0
3679478
Both the ASIC Monitoring service and the What Just Happened (WJH) service try to initialize the SDK TELE module; however, initialization is successful only for the first service to initialize the module. There is no functional impact if a service tries to initialize the module again.5.7.0-5.8.0
3677821
If you bring down an interface with Linux or NVUE commands, all the static neighbor entries disappear for that interface.5.7.0-5.8.0
3677533
Due to resource constraints on the Spectrum 1 switch, staticd performance drops and takes longer to read static routes compared to the time BGP takes to complete a graceful restart, and advertise routes and EOR to its helpers. As a result, static routes are advertised after the EOR is sent to graceful restart helpers, which delete the stale static routes and relearn them after receiving the EOR from the restarting node. Temporary traffic loss might occur.5.7.0-5.8.0
3677429
When there is a flood of ARP packets, switchd might get overwhelmed and go into a busy state. Any NVUE configuration commands for switchd might time out and you might see WARN MAC table full, skipped processing #x learn records log messages in the switchd.log file. To work around this issue, wait for switchd to resolve the ARP floods, which might take a few minutes depending on the amount of ARP flooding (typically between three and five minutes), then reapply the NVUE configuration.5.7.0-5.8.0
3672706
When you enable port security, you can configure a maximum of 450 port security static MAC addresses for an interface.5.7.0-5.8.0
3671288
On rare occasions, when the BGP service receives multiple update messages due to multiple route churns in the network, the next hop might become unreachable during the time that the switch processes BGP updates and withdraws with EVPN prefixes. As a result, the EVPN neighbor might be missed in the kernel.5.6.0-5.7.05.8.0
3637444
Applying an inbound control plane ACL on the eth0 management interface does not take effect. To work around this issue, apply the ACL on the mgmt interface; for example, nv set interface mgmt acl inbound control-plane.5.7.0-5.8.0
3636266
When an unresolved next hop is present in a next hop group, especially over an SVI interface, the switch checks if the neighbor MAC address is in the forwarding table. If the neighbor’s MAC address not there, the switch skips this next hop from backend programming and you see the switchd error ERR NH: l3 nhg v6 l3 nhg contains one or more unresolvable nexthops. There is no impact to switch functionality as unresolved neighbors are not programmed in hardware until they are resolved.5.7.0-5.8.0
3634428
The NUVE nv config history command does not display the correct TACACS user.5.7.0-5.8.0
3632843
When the switch receives a type-5 route in BGP and there is a network statement for the same prefix, BGP sometimes removes the request to track next hops from FRR. As next hop reachability changes, BGP no longer reacts to the change. To work around this issue, run the clear bgp * command for all peerings.5.6.0-5.7.05.8.0
3630492
On the NVIDIA SN2201 switch, the ledmgrd -d command output shows the system and PSU LED status as orange when the physical LED is green.5.5.1-5.7.05.8.0
3614286
To avoid unnecessary traffic loss, ifreload (ifupdown2) only flaps a bond to reset its MAC address when the bond MAC address is not present on any of the bond’s interfaces. Previously, ifupdown2 enforced the bond MAC address to be set to the MAC address of the first interface.5.6.0-5.7.05.8.0
3610967
In an EVPN symmetric routing configuration, running the NVUE nv set vrf vlan auto command to derive layer 3 VNIs automatically might result in duplicate VLAN entries in the system. This most often occurs at scale when many VRFs have similar names. To work around this issue, manually specify a unique VLAN for each VRF.5.3.0-5.8.0
3587393
If you use the NVIDIA SN5600 (Spectrum-4) switch with Ixia test equipment, you might experience delayed link up due to intermittent link flaps.
To work around this issue when using copper cables:
  • Use Ixia IxOS version 9.37 with HF002156, or version 9.39 or later.
  • Use the DAC cable on ports 10 through 50.
  • Use NVIDIA cables with the recommended firmware revision.
  • Configure AN on the Cumulus Linux switch and AN/LT on Ixia.

To work around this issue when using fiber cables:
  • Configure 800g/Force.
  • Use the recommended NVIDIA optical adapters.
5.6.0-5.8.0
3576949
When you run the NVUE nv set service snmp listening-address localhost vrf or nv set service snmp listening-address localhost-v6 vrf command to configure the SNMP listening address, Cumulus Linux applies the listening address to the default VRF instead of the VRF you specify.5.3.0-5.8.0
3556762
On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout.5.5.0-5.8.0
3549798
If you add a VRF, then SSH into that VRF, which is a generated service (for example, sshd@vrfname.service), the service fails as the VRF is not created in time. To work around this issue, configure the VRF first, apply the configuration, then enable the SSH service on the VRF.5.6.0-5.8.0
3538321
In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave.5.6.0-5.8.0
3484058
When you power on the NVIDIA SN3420 switch with no connected cables, the QSFP ports LEDs light in amber.5.3.0-5.8.0
3463827
On rare occasions, SPT switchover might not happen cleanly in PIM, resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout.5.6.0-5.8.0
3452681
When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND.5.5.0-5.8.0
3433577
When you use a single VXLAN device (SVD) with MLAG and static VXLAN tunnels, Cumulus Linux incorrectly associates the MAC addresses it learns from the VXLAN fabric to the bridge PVID. This issue can lead to a feedback loop between the clagd service and switchd, and might result in critical CPU usage with an out of memory condition. Do not use an SVD when enabling MLAG in a static VXLAN environment.5.5.0-5.8.0
3424967
sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don’t run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo … to execute the sudo command.5.0.0-5.8.0
3368217
None
When daylight saving time changes, the MLAG initDelay timer resets and all MLAG bonds go down.4.4.4-4.4.5, 5.2.1-5.8.0
3362113
If you restore an NVUE startup.yaml file or run the nv config patch command after an upgrade that includes breakout ports with QoS configuration, the NVUE configuration fails to apply. Subsequent attempts to run nv config apply fail with a message similar to Invalid config [rev_id: 11] qos config is not supported on the following invalid interface: swp1s0. Supported on swp and bond interface types. To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration.5.4.0-5.8.0
3350027
If you uninstall dynamic NAT rules and switchd restarts before all the dynamic NAT flows age out and are deleted, you might see dynamic flow deletion errors in switchd.log. These errors do not affect new dynamic NAT flows from new NAT rules.5.4.0-5.8.0
3347538
When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation.5.4.0-5.8.0
3345054
The NVUE nv show interface qos command takes a significant time to show output or times out. To work around this issue, use specific QoS commands. For example, to show congestion control information, run the nv show interface qos congestion-control command.5.4.0-5.8.0
3341214
If you use the NVUE REST API to configure a local user with a hashed password, the user cannot log in and the /etc/nvue.d/startup.yaml file shows the password as plain text.5.4.0-5.8.0
3334275
When you run the sensors command, the output shows an erroneous fault on some front panel ports.5.2.0-5.7.05.8.0
3329518
When using TACACS+, if the /etc/nsswitch.conf file specifies passwd: files tacplus (files is listed before tacplus), a user that is present in both the local /etc/passwd file and the TACACS+ server cannot log into the switch. NVIDIA recommends that when using TACACS+, you list tacplus before files in /etc/nsswitch.conf. When using NVUE, ensure that tacacs has priority over local.5.4.0-5.8.0
3327477
If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password.3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.8.0
3326659
If you have a large number of MAC addresses, they do not age out at the MAC ageing timeout value configured on the switch. It might take up to 30 seconds more for the MAC addresses to age out and be deleted from the hardware. To work around this issue, wait for the ageing timeout value plus 30 seconds.5.4.0-5.8.0
3241567
When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time.5.3.0-5.8.0
3226506
The l1-show eth0 command does not show port information and is not supported in this release.5.3.0-5.8.0
3172504
When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY.5.2.0-5.8.0
3147782
You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command.
5.3.0-5.8.0
3145869
On a Spectrum-3 switch, the PTP offset in 10GbE changes between +-27. The average offset is around 7.5.2.0-5.8.0
3135952
PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed <port_speed> autoneg off lanes <no_of_lanes> command. For example:
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
5.2.0-5.8.0
3122301
On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames.5.2.0-5.8.0
3115242
When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID.5.1.0-5.8.0
3103821
On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames.5.2.0-5.8.0
3084476
After you disable traffic shaping in the /etc/cumulus/datapath/qos/qos_features.conf file, the default QOS traffic shaping configuration does not restore. To work around this issue, restart switchd.4.4.3, 5.0.0-5.8.04.4.4-4.4.5
3084027
Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware.4.3.0-4.4.5, 5.0.0-5.8.0
3071652
On rare occasions, after you reboot or restart switchd on a Spectrum 1 switch, any 25G connections with Direct Attach Copper (DAC) cables that connect from the switch to a non-NVIDIA device might flap continuously. To work around this issue, bring the affected link administratively down for a few seconds on the non-NVIDIA device, then bring the link back up.4.4.4-4.4.5, 5.1.0-5.8.0
3061656
When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds.5.1.0-5.8.0
3053094
When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds.5.1.0-5.8.0
2972540
With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts.5.0.0-5.8.0
2964279
When a VNI flaps, an incorrect list of layer 2 VNIs are associated with a layer 3 VNI. The NCLU net show evpn vni detail command output shows duplicate layer 2 VNIs under a layer 3 VNI.3.7.15, 4.4.2-4.4.5, 5.0.0-5.8.03.7.16
2951110
The net show time ntp servers command does not show any output with the management VRF.3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.8.0
2904450
When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show.4.4.0-4.4.5, 5.0.0-5.8.0
2891255
CVE-2021-39925: Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 to 3.2.17 allows denial of service via packet injection or crafted capture file.
Vulnerable: <= 2.6.20-0+deb10u1
Fixed: 2.6.20-0+deb10u2
4.0.0-4.4.1, 5.0.0-5.8.04.4.2-4.4.5
2890681
CVE-2021-42771: relative path traversal in Babel, a set of tools for internationalising Python applications, could result in the execution of arbitrary code
Vulnerable: 2.6.0+dfsg.1-1Fixed: 2.6.0+dfsg.1-1+deb10u1
4.0.0-4.4.1, 5.0.0-5.8.04.4.2-4.4.5
2867042
When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration.5.0.0-5.8.0
2847755
When you use NCLU to remove the configuration for a peer that is a member of a group but also has other peer-specific configuration, you must remove the peer-specific configuration before you delete the peer in a separate NCLU commit.5.0.0-5.8.0
2823307
Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration.5.0.0-5.8.0
2736108
When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value.4.4.0-4.4.5, 5.0.0-5.8.0
2705056
When configured with NVUE, SVIs do not inherit the pinned MAC address of the bridge.4.3.0, 5.0.0-5.8.04.3.1-4.4.5
2684925
The NVUE nv show vrf default router bgp peer command produces a 404 not found error.4.4.0-4.4.5, 5.0.0-5.8.0
2671652
In VXLAN routing environments, you might experience sub-optimal route convergence delays (longer than five seconds) when a prefix transitions to a new ECMP next-hop group. This condition might occur when a VTEP loses ECMP routes through all uplink peerings, then installs the routes through a different path, such as an MLAG peerlink.4.4.0-4.4.5, 5.5.0-5.8.0
2543915
CM-26301
When you enable a service in the management VRF, systemctl issues a warning similar to the following:
Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run ‘systemctl daemon-reload’ to reload unit
You can safely ignore this warning.
4.0.0-4.4.5, 5.0.0-5.8.0

Fixed Issues in 5.7.0

Issue IDDescriptionAffects
3696061
When the MAC address of a neighbor changes, the zebra IP routing manager might crash.5.2.1-5.6.0
3695430
When you configure extended nexthop encoding for a peer group, the peers in the group do not inherit the configuration. To work around this issue, configure extended nexthop encoding on each individual peer in the group. NVIDIA recommends that you upgrade to Cumulus Linux 5.6 or later to avoid this issue.5.4.0-5.6.0
3684998
DHCP lease information is not collected in the cl-support file.4.3.0-5.6.0
3684268
When multiple interfaces have addresses in the same network, deleting one of them might cause the wrong connected route from being deleted.5.6.0
3669935
When you add or delete VXLAN VNI and VLAN interfaces, a memory leak might occur in switchd.5.6.0
3668939
When you enable MIB 1.3.6.1.4.1.40310.1 in the snmpd.conf file, you might see high CPU usage by the snmpd service.5.5.1-5.6.0
3668809
SN2410 switches manufactured or sold by OEMs (not Mellanox) might contain fans that do not support system fan direction detection. As a result, the following messages occur in the log:
/usr/sbin/smond : : Path /run/hw-management/thermal/fan1_dir does not exist/usr/sbin/smond : : Path /run/hw-management/thermal/fan2_dir does not exist
smond has been modified to determine dynamically (at run-time) if the fan has the capability. To drop the messages before they get to the log, create a file, such as /etc/rsyslog.d/18-drop_fan_dir_msgs.conf with the following contents, then restart rsyslogd with the systemctl restart rsyslog command
# The lines below cause the offending message to be dropped from all logs:msg, ereregex, “.*Path /run/hw-management/thermal/fan[1-8]_dir does not exist” stop
5.6.0
3664986
If a core file is generated with a space in the name, Cumulus Linux generates cl-support files until the file is removed. To work around this issue, rename the core file without the space character. The next cl-support file generated will be moved into the cl-support archive and removed from the filesystem.5.6.0
3663182
Changing non-default BGP timers with NCLU or vtysh commands sets the hold time and keep alive interval to 0 seconds. To work around this issue, restart the FRR service with the sudo systemctl restart frr.service command.5.3.1-5.6.0
3662354
When you enable the FRR SNMP agent (agentx) and configure routing adjacencies with short timers (dead, keepalive, and hold time), the routing adjacencies might go down in certain scenarios; for example when you have frequent or concurrent client SNMP requests, you use custom SNMP MIB extensions, you poll OIDs with large responses, or during high CPU load. To work around this issue, you can increase the routing adjacency timers to accommodate SNMP processing.5.6.0
3661089
When you run the show bgp l2vpn evpn route rd mac json command, VNI information shows twice, once where VNI is in upper case and again where VNI is in lower case (vni).
3655043
After you upgrade to Cumulus Linux 5.6.0 with package upgrade, configuration changes you make with NVUE commands do not apply and you see the error message Invalid config [rev_id: 4] Default profile parameters can not be modified. Modification allowed on user created profiles. To workaround this issue:1. Remove the PTP configuration using the nv unset service ptp 1 enable syntax
2. Save the configuration nv config apply. 3. Re-add the PTP config. Note: this procedure results in a switchd restart which will have an impact on the data plane.
5.6.0
3655027
If you create a new snippet with the same name as a snippet you deleted, you receive a warning message. To work around this issue, create the new snippet with a different name than any removed snippets.5.6.0
3650661
Configuration changes to an already applied custom flexible snippet that includes a service restart does not restart the service when you apply the patch.5.6.0
3647025
The nv show vrf router rib ipv4 route and nv show vrf router rib ipv6 route commands do not show multiple next hops when there are multiple interfaces for a resolved-via ID.
3646119
If you have VRFs configured and you change the global ASN in FRR, BGP crashes. To work around this issue, don’t unset more than one BGP instance at a time if one of the router bgp instances has VRF leaking configured.5.6.0
3644473
When bulk interface flaps trigger, Cumulus Linux does not process the route.route_preferred_over_neigh=both configuration correctly due to the sequence of the events that occur when switchd creates and processes the route or neighbor and nexthop group.5.6.0
3643624
The help text for the NVUE policer command nv set acl rule action police mode incorrectly indicates that the policer mode units are in bits per second. NVUE configures policers using bytes per second.5.6.0
3639058
When you run the nv show service ntp command, you see an error message instead of the expected output.5.6.0
3627913
The switch drops untagged VLAN traffic on single VXLAN bridge ports.5.6.0
3616643
NVUE commands to set a route map exit policy match produce incorrect configuration in the /etc/frr/frr.conf file.5.6.0
3616338
When you reboot an MLAG switch with 3000 or more VNIs, there might be extended traffic loss during reboot. To work around this issue, configure the clagd service initDelay to 300 seconds with the nv set mlag init-delay 300 command.5.5.1-5.6.0
3613258
With VM migration from one VTEP to another, traffic loss might occur during a MAC move as locally learned MAC addresses are frequently refreshed between switchd and the kernel.5.2.1-5.6.0
3612959
The interface name for a VLAN subinterface does not show correctly; the VLAN is appended to the interface again.5.6.0
3611215
In an EVPN multihoming configuration, the switchd service produces error messages similar to the following:
2023-09-07T15:45:56.055477+02:00 switch1 switchd7903: hal_mlx_flx_acl.c:2388 hal_mlx_flx_region_pull_bulk_counters failed
These error messages do not affect how the switch functions; however the messages fill up the switchd logs, which is not desirable.
5.6.0
3610611
Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf loopback ip address command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the ping command to use a source address (such as an SVI address) with the ip vrf exec ping <REMOTE_IP> -I <SVI_SRC_IP> command.5.5.0-5.6.0
3609128
When you use vi with root or sudo, visual mode is enabled by default due to a missing vimrc configuration file. This makes it difficult to copy and paste into vi. In CL5.7.0, the default configuration now includes set mouse-=a
In addition, the CL5.7.0 default configuration for vi now disables modelines, which can be a security risk.
5.5.0-5.6.0
3608014
Software MAC learning might not work for a bridged VLAN subinterface on a bond (such as bond1.100) if you remove a VLAN subinterface completely from the configuration, then add it back with an identical configuration. To work around this issue, restart switchd.5.6.0
3606739
The thermal control service, hw-management-tc.service, stops and switch fan speeds run at 100% when the ASIC temperature can’t be read. This can occur if the SDK is not started.5.5.1-5.6.0
3603237
If the secondary MLAG peer continuously reboots, you might experience momentary traffic loss.5.5.1-5.6.0
3600588
You can’t reset the root password by booting into Cumulus Linux single-user recovery mode. To work around this issue, follow the steps in https://docs.nvidia.com/networking-ethernet-software/cumulus-linux-56/Monitoring-and-Troubleshooting/Single-User-Mode-Password-Recovery/.5.6.0
3599699
Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf loopback ip address command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the ping command to use a source address (such as an SVI address) with the ip vrf exec ping <REMOTE_IP> -I <SVI_SRC_IP> command.5.5.0-5.6.0
3597456
NVUE does not allow you to use the reserved name lo in an interface name.5.5.1-5.6.0
3590394
Under rare conditions, running NVUE commands that capture output larger than 4k bytes from Linux tools or utilities might result in failures with 500 INTERNAL SERVER ERROR or Unrecoverable internal error messages. This issue occurs when there are non-ascii characters in large outputs that Cumulus Linux can’t decode. This failure is observed only in Cumulus Linux 5.6 and earlier.5.6.0
3585467
NVUE and ip link show traditional bridge VLAN subinterface counts incorrectly. The ingress (Rx) count increments correctly but the egress (Tx) count does not increment. This issues occurs because the hardware does not support transmit counters for a VLAN subinterface; therefore, no statistics from the hardware are updated. Statistics for software forwarded packets show correctly.5.0.0-5.6.0
3582826
When you enable the FRR SNMP agent (agentx) and configure routing adjacencies with short timers (dead, keepalive, and hold time), the routing adjacencies might go down in certain scenarios; for example when you have frequent or concurrent client SNMP requests, you use custom SNMP MIB extensions, you poll OIDs with large responses, or during high CPU load. To work around this issue, you can increase the routing adjacency timers to accommodate SNMP processing.5.5.0-5.6.0
3580435
On the NVIDIA SN2410 switch with an Innodisk SSD, you might see the following message in syslog:
smartd[501]: Device: /dev/sda [SAT], CHECK POWER STATUS spins up disk (0x00 -> 0xff)
This is a cosmetic issue and does not affect how the switch operates. To prevent this message from occurring, run the hdparm -S 24 /dev/sda command to change the HD timeout.
5.3.1-5.6.0
3576961
The NVUE command to clear all ACL counters at once is not available. To work around this issue, run the cl-acltool -Z all command to reset the statistics for all ACL rules.5.5.1-5.6.0
3575800
When you configure the peerlink interface with NVUE but do not configure the necessary MLAG parameters with nv set mlag commands (such as the backup IP address, peer IP address, and MLAG MAC address), NVUE apply fails with the following message:

MLAG cannot be deleted when a peerlink or peerlink sub-interfaces exist
5.6.0
3573800
After you apply a change to the router MAC address on an SVI with the ifreload -a command, the old router MAC address still remains in the FDB table. To work around this issue, remove the old router MAC address with the sudo bridge fdb del <old_mac> dev bridge vlan <vlan_id> command.5.3.1-5.6.0
3567708
In an EVPN multihoming environment with VRRP, when the master VRRP router fails, the standby router takes around 30 seconds to become active.5.3.1-5.6.0
3566980
When running DHCP relay for IPv6 and a downstream interface flaps more than once, relaying might stop working. To recover, restart the dhcrelay6 service, making sure the specified downstream interfaces are up and running.5.5.0-5.6.0
3554231
None
CVE-2023-38408: The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.) NOTE: this issue exists because of an incomplete fix for CVE-2016-10009
Mitigation: Do not use ssh-agent forwarding (the man page for ssh_config says that “agent forwarding should be enabled with caution”), or start the ssh-agent program with the -P option to allow only specific PKCS#11 libraries (or none with -P ‘')
For Cumulus Linux 4.3.2, the /usr/bin/ssh-agent program has all permissions turned off (chmod 0) to prevent its execution if a vulnerable version is detected.
4.0.0-4.3.1, 5.0.0-5.6.0
3534718
The BGP command to suppress longer prefixes inside the aggregate address before sending updates (nv set vrf router bgp address-family aggregate-route
summary-only or vtysh router bgp aggregate-address
summary-only) does not suppress more specific routes from being exported into the EVPN routing table and advertised as EVPN type-5 routes. To work around this issue, announce EVPN type-5 routes by adding an additional outbound policy or export policy to filter out the more specific routes.
5.5.0-5.6.0
3533272
If you set an OSPF network and define the subnet using a host address (such as 10.1.1.2/24) instead of the (starting) subnet network address (such as 10.1.1.0/24), you can’t unset the prefix with the nv unset vrf default router ospf area network command. Avoid defining the subnet using a host address when setting an OSPF network.5.6.0
3522524
FRR does not allow eBGP multi hop configuration on unnumbered BGP neighbors.5.5.0-5.6.0
3517739
When you connect the SN5600 switch to third party test equipment (such as IXIA) using copper cables, 100G, 200G, 400G, and 800G links do not come up. To work around this issue, use fiber optic cables when testing an SN5600 switch with IXIA for 100G, 200G, 400G, and 800G link speeds.5.6.0
3452732
The nv set router policy ext-community-list rule ext-community rt command does not generate the standard based BGP community list. As a result, routes do not match the expected community list. To work around this issue, create a snippet to add the policy configuration to the /etc/frr/frr.conf file, then patch the configuration. For example:
cumulus@switch:~$ sudo nano frr_policy.yaml- set:
system:
config:
snippet:
frr.conf: |
bgp extcommunity-list standard EXTCOMMUNITY1 seq 10 permit rt 65102:10
cumulus@switch:~$ nv config patch frr_policy.yaml
5.5.0-5.6.0
3445841
FRR does not apply Type-0 ESI configuration for EVPN multihoming bonds consistently after an FRR service reload. This issue occurs because the system MAC address value (es-sys-mac) is only compatible with a 3-byte Ethernet segment ID (es-id) for Type-3 ESIs, but still renders even when the Ethernet segment ID is 10 bytes for Type-0 ESIs. To work around this issue, configure EVPN multihoming bonds with a Type-3 ESI (es-sys-mac plus a 3-byte es-id).5.0.0-5.6.0
3428677
In certain cases, Cumulus Linux does not process next hop updates because the zebra IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state.5.3.0-5.6.0
3419928
The NVUE PIM timer command option names keep-alive and rp-keep-alive are inconsistent and need to change to keepalive and rp-keepalive.5.4.0-5.6.0
3405024
You cannot remove PBR map configuration with source and destination rules. To work around this issue, delete the entire PBR map clause.5.5.0-5.6.0
3347677
In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown.5.1.0-5.6.0
3266197
When you disable BGP globally with the nv set router bgp enable off command, applying the configuration with NVUE might fail due to an FRR reload failure.5.2.0-5.6.0
3264269
When you change the BGP router ID that causes a change to an EVPN VNI RD, EVPN EAD-per-EVI routes are not updated properly.5.3.0-5.6.0
3258232
If you use NVUE to configure multiple SNMP listener addresses at the same time, the SNMP service fails to start. To work around this issue, configure multiple SNMP listener addresses one at a time.5.3.0-5.6.0
3232091
The NVUE nv unset interface link lanes command does not restore the port lane setting to the default value. To work around this issue, run the nv set interface link lanes command.5.4.0-5.6.0
3221628
Cumulus Linux VX images might include an incorrect entry at the end of /etc/apt/sources.list, which produces warnings when you run apt update. Remove this entry to avoid these warnings.5.2.0-5.6.0