From 171ec515aa8352478f06f310f34c5e9778fc739f Mon Sep 17 00:00:00 2001 From: rachel-netq Date: Wed, 15 Apr 2026 21:47:47 +0000 Subject: [PATCH] Automated release note commit --- content/cumulus-linux-37/Whats-New/rn.md | 666 +++++++++---------- content/cumulus-linux-37/rn.xml | 666 +++++++++---------- content/cumulus-linux-40/Whats-New/rn.md | 168 ++--- content/cumulus-linux-40/rn.xml | 168 ++--- content/cumulus-linux-41/Whats-New/rn.md | 160 ++--- content/cumulus-linux-41/rn.xml | 160 ++--- content/cumulus-linux-42/Whats-New/rn.md | 146 ++-- content/cumulus-linux-42/rn.xml | 146 ++-- content/cumulus-linux-43/Whats-New/rn.md | 294 ++++---- content/cumulus-linux-43/rn.xml | 294 ++++---- content/cumulus-linux-44/Whats-New/rn.md | 356 +++++----- content/cumulus-linux-44/rn.xml | 356 +++++----- content/cumulus-linux-50/Whats-New/rn.md | 106 +-- content/cumulus-linux-50/rn.xml | 106 +-- content/cumulus-linux-51/Whats-New/rn.md | 66 +- content/cumulus-linux-51/rn.xml | 66 +- content/cumulus-linux-510/Whats-New/rn.md | 66 +- content/cumulus-linux-510/rn.xml | 66 +- content/cumulus-linux-511/Whats-New/rn.md | 306 ++++----- content/cumulus-linux-511/rn.xml | 306 ++++----- content/cumulus-linux-512/Whats-New/rn.md | 76 +-- content/cumulus-linux-512/rn.xml | 76 +-- content/cumulus-linux-513/Whats-New/rn.md | 172 ++--- content/cumulus-linux-513/rn.xml | 172 ++--- content/cumulus-linux-514/Whats-New/rn.md | 98 +-- content/cumulus-linux-514/rn.xml | 98 +-- content/cumulus-linux-515/Whats-New/rn.md | 160 ++--- content/cumulus-linux-515/rn.xml | 160 ++--- content/cumulus-linux-516/Whats-New/rn.md | 138 ++-- content/cumulus-linux-516/rn.xml | 138 ++-- content/cumulus-linux-53/Whats-New/rn.md | 124 ++-- content/cumulus-linux-53/rn.xml | 124 ++-- content/cumulus-linux-54/Whats-New/rn.md | 64 +- content/cumulus-linux-54/rn.xml | 64 +- content/cumulus-linux-55/Whats-New/rn.md | 130 ++-- content/cumulus-linux-55/rn.xml | 130 ++-- content/cumulus-linux-56/Whats-New/rn.md | 78 +-- content/cumulus-linux-56/rn.xml | 78 +-- content/cumulus-linux-57/Whats-New/rn.md | 70 +- content/cumulus-linux-57/rn.xml | 70 +- content/cumulus-linux-58/Whats-New/rn.md | 62 +- content/cumulus-linux-58/rn.xml | 62 +- content/cumulus-linux-59/Whats-New/rn.md | 312 ++++----- content/cumulus-linux-59/rn.xml | 312 ++++----- content/cumulus-netq-24/More-Documents/rn.md | 6 +- content/cumulus-netq-24/rn.xml | 6 +- content/cumulus-netq-30/More-Documents/rn.md | 2 +- content/cumulus-netq-30/rn.xml | 2 +- content/cumulus-netq-31/More-Documents/rn.md | 2 +- content/cumulus-netq-31/rn.xml | 2 +- content/cumulus-netq-32/Whats-New/rn.md | 6 +- content/cumulus-netq-32/rn.xml | 6 +- content/cumulus-netq-33/Whats-New/rn.md | 10 +- content/cumulus-netq-33/rn.xml | 10 +- content/cumulus-netq-41/Whats-New/rn.md | 4 +- content/cumulus-netq-41/rn.xml | 4 +- content/cumulus-netq-410/Whats-New/rn.md | 14 +- content/cumulus-netq-410/rn.xml | 14 +- content/cumulus-netq-411/Whats-New/rn.md | 10 +- content/cumulus-netq-411/rn.xml | 10 +- content/cumulus-netq-412/Whats-New/rn.md | 14 +- content/cumulus-netq-412/rn.xml | 14 +- content/cumulus-netq-413/Whats-New/rn.md | 18 +- content/cumulus-netq-413/rn.xml | 18 +- content/cumulus-netq-414/Whats-New/rn.md | 14 +- content/cumulus-netq-414/rn.xml | 14 +- content/cumulus-netq-42/Whats-New/rn.md | 4 +- content/cumulus-netq-42/rn.xml | 4 +- content/cumulus-netq-43/Whats-New/rn.md | 4 +- content/cumulus-netq-43/rn.xml | 4 +- content/cumulus-netq-44/Whats-New/rn.md | 4 +- content/cumulus-netq-44/rn.xml | 4 +- content/cumulus-netq-46/Whats-New/rn.md | 2 +- content/cumulus-netq-46/rn.xml | 2 +- content/cumulus-netq-47/Whats-New/rn.md | 2 +- content/cumulus-netq-47/rn.xml | 2 +- content/cumulus-netq-48/Whats-New/rn.md | 4 +- content/cumulus-netq-48/rn.xml | 4 +- content/cumulus-netq-49/Whats-New/rn.md | 10 +- content/cumulus-netq-49/rn.xml | 10 +- 80 files changed, 3948 insertions(+), 3948 deletions(-) diff --git a/content/cumulus-linux-37/Whats-New/rn.md b/content/cumulus-linux-37/Whats-New/rn.md index 75641b61ff..7ffd94dec6 100644 --- a/content/cumulus-linux-37/Whats-New/rn.md +++ b/content/cumulus-linux-37/Whats-New/rn.md @@ -22,7 +22,7 @@ pdfhidden: True | [3216921](#3216921)
| RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users)
| 3.7.0-3.7.16, 4.3.0-4.4.5 | | | [3216759](#3216759)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-3.7.16, 4.3.0-4.4.5 | | | [3209699](#3209699)
| RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users)
| 3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.16.1| -| [3129819](#3129819)
| On the EdgeCore AS4610 switch, the clagd service loses communication after 198 days of uptime. | 3.7.15-3.7.16 | | +| [3129819, 3040075](#3129819, 3040075)
| On the EdgeCore AS4610 switch, the clagd service loses communication after 198 days of uptime. | 3.7.15-3.7.16 | | | [3128328](#3128328)
| The clagd process uses 100 percent CPU and eventually crashes with an Unable to allocate memory error. | 3.7.16-4.3.0 | 4.3.1-4.4.5| | [3120423](#3120423)
| When you configure an interface in FRR to send IPv6 RAs before you configure the interface in the /etc/network/interfaces file, the switch does not process IPv6 RAs. To work around this issue, remove the interface configuration in FRR and reapply it. | 3.7.15-4.3.0, 4.4.0-5.1.0 | 4.3.1, 5.2.0-5.16.1| | [3093966](#3093966)
| On Broadcom switches, INPUT chain iptable rules filter IPv6 packets matching the rules. | 3.7.15-3.7.16, 4.3.0-4.4.5 | | @@ -43,7 +43,7 @@ pdfhidden: True | [2947679](#2947679)
| If the clagd service stops during initDelay, the peerlink flag does not clear from any VNIs that become dual connected during this time. switchd uses the peerlink flag to program MLAG loop prevention. As a result of the overlapping stale flags, traffic destined for the VXLAN might drop. | 3.7.15-3.7.16 | | | [2934939](#2934939)
| When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage
To workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:
address-family ipv4 unicast
  aggregate-address 10.10.0.0/16 summary-only
  redistribute connected
After:
ip route 10.10.0.0/16 Null0
  !
  address-family ipv4 unicast
  redistribute connected route-map DENY-COMPONENTS
  redistribute static
   exit-address-family
  ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17
  !
  route-map DENY-COMPONENTS deny 10
   match ip address prefix-list NO-COMPONENTS
  !
  route-map DENY-COMPONENTS permit 20
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-3.7.16 | | | [2910017](#2910017)
| SNMP reports the same ifType of ethernetCsmacd(6) for loopback interfaces. | 3.7.15-4.4.2, 5.0.0-5.0.1 | 4.4.3-4.4.5, 5.1.0-5.16.1| -| [2899413](#2899413)
| Broadcom switches return a table full error when creating VXLAN gports, which causes switchd to crash. | 3.7.15-4.3.0 | 4.3.1-4.4.5| +| [2899413, 3036049, 3069904](#2899413, 3036049, 3069904)
| Broadcom switches return a table full error when creating VXLAN gports, which causes switchd to crash. | 3.7.15-4.3.0 | 4.3.1-4.4.5| | [2866084](#2866084)
| When you reboot a VTEP, MAC address entries might become out of sync between the kernel FDB table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries are installed against the rebooted VTEP IP address in the kernel FDB and the correct VTEP IP is present in the EVPN MAC VNI table. To work around this issue, clear all corrupted MAC address entries in the kernel FDB with the bridge fdb del
dev [dst\|via] command, then add "vxlan-learning": "off" in the /etc/network/ifupdown2/policy.d/vxlan.json file:
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
  {
       "vxlan": {
           "module_globals": { "vxlan-purge-remotes": "no" },
           "defaults": {
               "vxlan-ageing": "1800",
               "vxlan-port": "4789", <==== This comma needs to be added at the end of this line
               "vxlan-learning": "off" <= This line needs to be added
            }
       }
  }
Reboot the affected switches. | 3.7.12-4.3.0 | 4.3.1-4.4.5| | [2866061](#2866061)
| On the Maverick S4148T switch with MLAG, Cumulus Linux drops LACP, ARP, LLDP and BGP traffic. | 3.7.12-3.7.16 | | | [2859177](#2859177)
| The cl-route-check --layer3 command fails with a memory error. For example:
cumulus@switch:~$ sudo cl-route-check --layer3Traceback (most recent call last):
File "/usr/cumulus/bin/cl-route-check", line 1270, in 
 routing.collect_data()
File "/usr/cumulus/bin/cl-route-check", line 528, in collect_data
 self.collect_data_bgp_ipv4()
File "/usr/cumulus/bin/cl-route-check", line 711, in collect_data_bgp_ipv4
 bgp_ipv4 = json.loads(output)
File "/usr/lib/python2.7/json/__init__.py", line 338, in loads
 return _default_decoder.decode(s)
File "/usr/lib/python2.7/json/decoder.py", line 366, in decode
 obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/usr/lib/python2.7/json/decoder.py", line 382, in raw_decode
 obj, end = self.scan_once(s, idx)MemoryError
| 3.7.15-3.7.16 | | @@ -53,12 +53,12 @@ pdfhidden: True | [2798979](#2798979)
| Configuring a route map to filter VNIs will cause type-3 routes not to be advertised even for L2VNIs permitted through the route map | 3.7.15-3.7.16 | | | [2792750](#2792750)
| If you change the clagd-vxlan-anycast-ip setting on both MLAG peers at the same time, both peers use their unique VTEP address indefinitely. | 3.7.15-4.3.0, 4.4.0-4.4.5 | 4.3.1| | [2754791](#2754791)
| Remote MAC addreses in zebra are out of sync with bgpd. The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP. | 3.7.14.2-3.7.16, 4.3.0-4.4.5 | | -| [2743186](#2743186)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| +| [2743186, 2734100, 2731464, 3438708](#2743186, 2734100, 2731464, 3438708)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| | [2730225](#2730225)
| When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs. | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.2-4.4.5| -| [2716822](#2716822)
| The /etc/cumulus/ports.conf file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports. | 3.7.15-4.3.0 | 4.3.1-4.4.5| -| [2713888](#2713888)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| +| [2716822, 2710844](#2716822, 2710844)
| The /etc/cumulus/ports.conf file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports. | 3.7.15-4.3.0 | 4.3.1-4.4.5| +| [2713888, 2834357](#2713888, 2834357)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| | [2687332](#2687332)
| When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage
To workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:
address-family ipv4 unicast
  aggregate-address 10.10.0.0/16 summary-only
  redistribute connected
After:
ip route 10.10.0.0/16 Null0
  !
  address-family ipv4 unicast
  redistribute connected route-map DENY-COMPONENTS
  redistribute static
   exit-address-family
  ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17
  !
  route-map DENY-COMPONENTS deny 10
   match ip address prefix-list NO-COMPONENTS
  !
  route-map DENY-COMPONENTS permit 20
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-4.2.1 | 4.3.0-4.4.5| -| [2684452](#2684452)
| When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table
You can work around this issue with the following steps:1. Clear all corrupted mac entries in the kernel FDB with the bridge fdb del
dev [dst\|via] command2. Add "vxlan-learning": "off" under /etc/network/ifupdown2/policy.d/vxlan.json
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
  {
       "vxlan": {
           "module_globals": { "vxlan-purge-remotes": "no" },
           "defaults": {
               "vxlan-ageing": "1800",
               "vxlan-port": "4789", <==== This comma needs to be added at the end of this line
               "vxlan-learning": "off" <= This line needs to be added
            }
       }
  }
3. Reboot the affected switch(es) | 3.7.12-3.7.16 | | +| [2684452, 2701788, 2940067](#2684452, 2701788, 2940067)
| When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table
You can work around this issue with the following steps:1. Clear all corrupted mac entries in the kernel FDB with the bridge fdb del
dev [dst\|via] command2. Add "vxlan-learning": "off" under /etc/network/ifupdown2/policy.d/vxlan.json
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
  {
       "vxlan": {
           "module_globals": { "vxlan-purge-remotes": "no" },
           "defaults": {
               "vxlan-ageing": "1800",
               "vxlan-port": "4789", <==== This comma needs to be added at the end of this line
               "vxlan-learning": "off" <= This line needs to be added
            }
       }
  }
3. Reboot the affected switch(es) | 3.7.12-3.7.16 | | | [2669438](#2669438)
| Editing the /etc/frr/frr.conf file to add a new sequence at the beginning of an existing large prefix list changes the subsequent sequence numbers of the next entries in the list and FRR reload might fail with the error message frr.service reload operation timed out. Stopping. To work around this issue, instead of adding the new prefix using an existing sequence number and pushing other sequences forward, use a sequence number that is free; for example, instead of of using 5 -> 10 -> 15, use 5 -> 7 -> 10. | 3.7.11-3.7.16 | | | [2653400](#2653400)
| When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration. | 3.7.10-3.7.16 | | | [2648658](#2648658)
| If you try to use more than one percent of max-ecmp-nexthops, you get an error indicating a failure. | 3.7.15-4.3.4 | 4.4.0-4.4.5| @@ -69,7 +69,7 @@ pdfhidden: True | [2556037](#2556037)
| After you add an interface to the bridge, an OSPF session flap might occur
| 3.7.9-4.2.0 | 4.2.1-4.4.5| | [2555908](#2555908)
| If the you add the MLAG backup IP address to the MLAG peer in the secondary role while the peer link is down, the LACP sys-mac does not use the MLAG system MAC address (clagd-sys-mac) when the peer link comes back up
To work around this issue, wait until the peer link is up to add the MLAG backup IP address. To recover from this condition, restart clagd with the sudo systemctl restart clagd command. | 3.7.12-4.0.1 | 4.1.0-4.4.5| | [2555528](#2555528)
| In an EVPN Active/Active configuration, when one of the peers reboots and begins to refresh IP neighbor entries shared by the MLAG peer, some of these ARP messages might be dropped by the MLAG peer's ARP policer.
To work around this issue, increase the burst value of the ARP policers to 200 or higher. | 3.7.14-4.2.1 | 4.3.0-4.4.5| -| [2555175](#2555175)
| Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. | 3.7.15-4.3.1 | 4.3.2-4.4.5| +| [2555175, 3195351, 2672721](#2555175, 3195351, 2672721)
| Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. | 3.7.15-4.3.1 | 4.3.2-4.4.5| | [2554785](#2554785)
| After you reboot a Broadcom switch, switchd might fail to restart and you see logs in switchd.log similar to the following:
Nov 12 12:20:05.063876 leaf01 switchd[9867]:Nov 12 12:20:05.064310 leaf01 switchd[9867]: hal_bcm_console.c:294 0:system_init:Nov 12 12:20:05.064428 leaf01 switchd[9867]: hal_bcm_console.c:294 system_init: Misc init failed: Operation timed outNov 12 12:20:05.064464 leaf01 switchd[9867]:Nov 12 12:20:05.091995 leaf01 switchd[9867]: hal_bcm_console.c:294 LED: Loading 256 bytes into LED program memoryNov 12 12:20:05.092029 leaf01 switchd[9867]:Nov 12 12:20:05.099547 leaf01 switchd[9867]: hal_bcm_console.c:294 PORT: Error: bcm ports not initializedNov 12 12:20:05.099579 leaf01 switchd[9867]:Nov 12 12:20:05.099646 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /var/lib/cumulus/rc.datapath_0: line 81 (error code -1): script terminatedNov 12 12:20:05.099667 leaf01 switchd[9867]:Nov 12 12:20:05.099775 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /etc/bcm.d/rc.soc: line 70 (error code -1): script terminatedNov 12 12:20:05.099798 leaf01 switchd[9867]:Nov 12 12:20:05.099871 leaf01 switchd[9867]: hal_bcm_console.c:294 ERROR loading rc script on unit 0Nov 12 12:20:05.099892 leaf01 switchd[9867]:Nov 12 12:20:05.099943 leaf01 switchd[9867]: hal_bcm_console.c:299 CRIT loading of rc script failed, aborting!
To work around this issue, configure Cumulus Linux to boot with the ntel_iommu=off kernel command option:1. Open the /etc/default/grub file with a text editor
2. Edit the GRUB_CMDLINE_LINUX variable by adding the string intel_iommu=off at the end. For example: GRUB_CMDLINE_LINUX="cl_platform=cel_e1031 console=ttyS1,115200n8 intel_iommu=off"3. Run the update-grub command
4. Reboot the switch. | 3.7.11-4.2.1 | 4.3.0-4.4.5| | [2554709](#2554709)
| The IP address specified in the ip pim use-source command configured on the loopback interface should be inherited by unnumbered interfaces during their Primary IP address selection process. If ip pim use-source is configured on the loopback after an unnumbered interface has already selected their Primary IP address, the unnumbered interface does not update its Primary IP address to be the new use-source value until after there is a netlink update for that interface.
To work around this issue, configure ip pim use-source on each unnumbered interface directly or ensure ip pim use-source is applied to the loopback before other unnumbered interfaces are enabled for PIM. | 3.7.13-3.7.16, 4.2.1-4.4.5 | | | [2554588](#2554588)
| If you try to reconfigure a DHCP server after you delete the switch configuration with the net del all command, the dhcpd service fails because a duplicate process is running
To work around this issue, edit the /usr/lib/python2.7/dist-packages/nclu/plugins/dhcp.py file to change:
DHCPD_PID="-pf {0}"
to:
DHCPD_PID="-pf {1}"
| 3.7.13-4.2.1 | 4.3.0-4.4.5| @@ -83,7 +83,7 @@ pdfhidden: True | [2553015](#2553015)
| If a neighbour contains a special character in PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail. | 3.7.10-3.7.16, 4.2.0-4.4.5 | | | [2552939](#2552939)
| RX_DRP on a bond interface increases without any data traffic while the slave port does not increase. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2552869](#2552869)
| On the Dell N3048EP switch, the module information from SFP ports is not displayed in the l1-show command.
To work around this issue, use the ethtool -m command. | 3.7.13-4.2.1 | 4.3.0-4.4.5| -| [2552742](#2552742)
| On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.
To work around this issue, restart switchd. | 3.7.12-4.2.1 | 4.3.0-4.4.5| +| [2552742, 2553000, 2553936](#2552742, 2553000, 2553936)
| On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.
To work around this issue, restart switchd. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2552739](#2552739)
| Counters for IPROUTER rules do not increase when traffic is forwarded to the CPU because there is no IP neighbor. | 3.7.2-3.7.16 | | | [2552294](#2552294)
| NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command.
| 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2551911](#2551911)
| ifupdown2 does not account for link status or link down configuration when running dhclient. For example, ifupdown2 ignores link-down yes during ifup/ifreload and runs the DHCP module if inet dhcp is configured on the interface. ifupdown2 also runs the DHCP module even when the physical link configured for DHCP is down. | 3.7.12-4.2.0 | 4.2.1-4.4.5| @@ -121,7 +121,7 @@ pdfhidden: True | [2547942](#2547942)
| On the Lenovo NE0152T switch, one power supply (PSU2) always show as ABSENT in smonctl. | 3.7.11-4.0.1 | 4.1.0-4.4.5| | [2547839](#2547839)
| When you try to configure link-down on a parent interface of a subinterface configured in a VRF, you encounter an error. | 3.7.11-4.1.1 | 4.2.0-4.4.5| | [2547782](#2547782)
| If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2547706](#2547706)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2547706, 2544456, 2549513](#2547706, 2544456, 2549513)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2547659](#2547659)
| On the EdgeCore AS7326-56X switch, the default fan speed, which is defined in the thermal specification, results in excessive fan noise. | 3.7.11-4.0.1 | 4.1.0-4.4.5| | [2547573](#2547573)
| On Tomahawk switches, when the vxlan_tnl_arp_punt_disable option is set to FALSE, ARP packets are not forwarded to the CPU. | 3.7.9-3.7.16 | | | [2547443](#2547443)
| On the Dell N3248PXE-ON switch, 25G SFP ports do not work in 10G mode. | 3.7.11-4.0.1 | 4.1.0-4.4.5| @@ -135,9 +135,9 @@ pdfhidden: True | [2546895](#2546895)
| If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:
bq. systemd[1]: switchd.service watchdog timeout (limit 2min)!
To workaround this issue, either reduce the number of configured interfaces and, or VLANs, or increase the systemd timeout for switchd.service
To increase the systemd timeout:1.Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter
2.Restart the switchd service with the sudo systemctl restart switchd.service command
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546450](#2546450)
| On the EdgeCore AS7326-56X switch, you might see the RPM of certain fans run over the maximum threshold. | 3.7.11-3.7.16 | | | [2546385](#2546385)
| SNMP ifLastChange reports link transitions when there are none. | 3.7.6-3.7.16 | | -| [2546225](#2546225)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546225, 2541038](#2546225, 2541038)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546203](#2546203)
| When using QinQ with a traditional bridge, if you enable the LLDP dot1 TLV option, you see the following suboptimal behavior:
* Both the inner and outer VLAN information is sent as part of VLAN TLVs in the LLDP packet.
* If the outer VLAN ID is the same as the inner VLAN ID, only one VLAN TLV is sent with that VLAN ID in the LLDP packet. | 3.7.11-3.7.16 | | -| [2546131](#2546131)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546131, 2542979](#2546131, 2542979)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546010](#2546010)
| When hal.bcm.per_vlan_router_mac_lookup is set to TRUE in the /etc/cumulus/switchd.conf file, inter-VLAN traffic is forwarded to the CPU when associated VNI interfaces exist. | 3.7.10-3.7.16 | | | [2545997](#2545997)
| The NCLU command net show interface produces an error if bonds with no members exist.
To work around this issue, remove the empty Bond interfaces from the /etc/network/interfaces file and run sudo ifreload -a. | 3.7.10-3.7.16 | | | [2545566](#2545566)
| The Dell Z9100-ON switch incorrectly reports many sensors as ABSENT. | 3.7.12-4.0.1 | 4.1.0-4.4.5| @@ -150,27 +150,27 @@ pdfhidden: True | [2544829](#2544829)
| Frames received with a VLAN tag of 0 on an interface configured as a bridge port and forwarded to the CPU for processing might appear tagged with the native VLAN when viewed with tcpdump. | 3.7.8-3.7.16 | | | [2544556](#2544556)
| If you reconfigure an NTP server with NCLU using different trailing options after the IP address (such as iburst), an invalid configuration is added to the /etc/ntp.conf file. For example:

net add time ntp server 1.2.3.4 iburst
net commit
net add time ntp server 1.2.3.4
net commit

If you need to alter existing server configurations, first remove the server, commit, then re-add the server with any trailing options. | 3.7.9-4.1.1 | 4.2.0-4.4.5| | [2544463](#2544463)
| Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | -| [2544456](#2544456)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | +| [2544456, 2546166, 2546167, 2547706, 2549513](#2544456, 2546166, 2546167, 2547706, 2549513)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544311](#2544311)
| Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544155](#2544155)
| NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order.

| 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544113](#2544113)
| Mac learning is not disabled by default on a double tagged peer link interface resulting in the MAC address changing between the MLAG bond and the peer link.
To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the etc/network/interfaces file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2543900](#2543900)
| On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | | -| [2543841](#2543841)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | +| [2543841, 2544947](#2543841, 2544947)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | | [2543840](#2543840)
| On the Mellanox SN2700 switch, you cannot enable resilient hashing (RASH) and set the bucket size to 64 in the traffic.conf file.

| 3.7.6-3.7.16 | | | [2543800](#2543800)
| When local-tunnelip is an SVI, the static VXLAN tunnel does not work; the next hop router receives the packet but drops it as it does not know where to forward the packet. The static VXLAN tunnel does works if local-tunnelip is a loopback or a physical layer 3 interface.
| 3.7.8-3.7.16 | 4.0.0-4.4.5| | [2543647](#2543647)
| ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:

-A FORWARD -i vni10 -j erspan --src-ip 100.1.1.2 --dst-ip 100.1.1.1 --ttl 64
| 3.7.6-4.2.1 | 4.3.0-4.4.5| | [2543646](#2543646)
| In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2543627](#2543627)
| Tomahawk 40G DACs cannot disable auto-negotiation. | 3.7.7-3.7.16 | 4.0.0-4.4.5| -| [2543270](#2543270)
| The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5| +| [2543270, 2549352](#2543270, 2549352)
| The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5| | [2543211](#2543211)
| In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2543164](#2543164)
| The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2543096](#2543096)
| When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2543058](#2543058)
| The IP neighbor entry for a link-local next hop is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces.
To work around this issue, flap the peering to the peer router (which might be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces. | 3.7.7-3.7.16 | 4.0.0-4.4.5| | [2543052](#2543052)
| Received EVPN type-5 and type-2 MACIP routes are not installed in the kernel (and hardware) routing tables for the associated VRF, which causes traffic to be blackholed. The failure to install the default route causes complete reachability failure for the particular tenant on the affected racks. The routes that are not installed are seen as "inactive" in the routing subsystem (FRR) VRF routing table. This problem is rare and can occur only in EVPN configurations that have user-configured route targets (RTs) for tenant VRFs, and only following a restart of FRR.
To work around this issue, either restart the FRR service on the affected switch with the sudo systemctl restart frr.service command or bounce the layer 3 SVI for the affected VRF; for example:

ifdown vlan123 ; sleep 2 ; ifup vlan123

You can run the net show vrf vni command to print a mapping of VRF : L3-VNI : L3-SVI. | 3.7.5-3.7.16 | 4.0.0-4.4.5| | [2543044](#2543044)
| Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up.
You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up. | 3.7.2-3.7.16 | 4.0.0-4.4.5| -| [2542979](#2542979)
| On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5| +| [2542979, 2546131](#2542979, 2546131)
| On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5| | [2542945](#2542945)
| On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags.
To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad: 

cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | -| [2542310](#2542310)
| hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6.
| 3.7.6-3.7.16 | | +| [2542310, 2523456](#2542310, 2523456)
| hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6.
| 3.7.6-3.7.16 | | | [2542305](#2542305)
| If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2542301](#2542301)
| When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2541212](#2541212)
| The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | @@ -184,7 +184,7 @@ pdfhidden: True | [2540352](#2540352)
| When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a _match interface_ condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9 
net add routing route-map Proxy-ARP permit 30 match interface swp10

| 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2540340](#2540340)
| NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example: 
 
 cumulus@switch:~$ net add vrf mgmt

Tab completion for the net add vrf ip address
command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540274](#2540274)
| On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | -| [2540204](#2540204)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540204, 2713883](#2540204, 2713883)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540192](#2540192)
| The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540155](#2540155)
| On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2540042](#2540042)
| When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example: 
 
cumulus@switch:~$ sudo vtysh 
switch# configure terminal 
switch(config)# interface br0.100 
switch(config-if)# vrrp 1 priority 110 
switch(config-if)# vrrp 1 advertisement-interval 
switch(config-if)# end 
switch# write memory 
switch# exit 
cumulus@switch:~

| 3.7.4-3.7.16, 4.0.0-4.4.5 | | @@ -203,12 +203,12 @@ pdfhidden: True | [2538302](#2538302)
| portwd allows an error to change the module type based on the error. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap.
| 3.7.0-3.7.16 | | | [2538294](#2538294)
| If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2538256](#2538256)
| On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets.
| 3.7.2-4.0.1 | 4.1.0-4.4.5| -| [2537819](#2537819)
| When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
| 3.7.2-3.7.16 | 4.0.0-4.4.5| +| [2537819, 2542964](#2537819, 2542964)
| When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
| 3.7.2-3.7.16 | 4.0.0-4.4.5| | [2537699](#2537699)
| There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces: 
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
| 3.7.1-3.7.16, 4.0.0-4.4.5 | | -| [2537544](#2537544)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2537544, 2537365](#2537544, 2537365)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | | [2537378](#2537378)
| NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.
To work around this issue, stop snmpd, remove the cache file, then restart snmpd.
| 3.7.1-3.7.16 | | | [2537188](#2537188)
| When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.
This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network.
| 3.7.2-3.7.16 | | -| [2537104](#2537104)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | 4.0.0-4.4.5| +| [2537104, 2534061](#2537104, 2534061)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | 4.0.0-4.4.5| | [2537061](#2537061)
| The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent.
| 3.7.1-4.0.1 | 4.1.0-4.4.5| | [2536608](#2536608)
| Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI.
| 3.7.0-3.7.16 | | | [2536384](#2536384)
| The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | @@ -222,19 +222,19 @@ pdfhidden: True | Issue ID | Description | Affects | |--- |--- |--- | | [3135801](#3135801)
| Zebra rejects MAC IP updates from BGP when the MAC mobility sequence number that BGP sends is lower than the sequence number known to zebra
When the MAC mobility sequence that BGP knows legitimately lowers (due to narrow timing conditions during convergence or after rebooting an MLAG pair one VTEP at a time), zebra rejects these updates and maintains a stale state. If the stale information that zebra uses points to the wrong VTEP address, traffic goes to the wrong VTEP and might drop. | 3.7.12-3.7.15 | | -| [2973714](#2973714)
| When you configure 199 VXLANs plus 199 VLANs, clagd crashes every few seconds. | 3.7.15, 4.3.0, 4.4.0-4.4.1 | | +| [2973714, 2826122](#2973714, 2826122)
| When you configure 199 VXLANs plus 199 VLANs, clagd crashes every few seconds. | 3.7.15, 4.3.0, 4.4.0-4.4.1 | | | [2964279](#2964279)
| When a VNI flaps, an incorrect list of layer 2 VNIs are associated with a layer 3 VNI. The NCLU net show evpn vni detail command output shows duplicate layer 2 VNIs under a layer 3 VNI. | 3.7.15, 4.4.2-4.4.5 | | | [2959024](#2959024)
| ACL rules do not always install in hardware after switch reboot
To work around this issue, run the sudo cl-acltool -i command to reinstall the ACL rules. | 3.7.14.2-3.7.15 | | | [2943442](#2943442)
| Cumulus Linux lets you add more than one VXLAN interface to same VLAN on the same bridge. This is an invalid configuration as certain Cumulus Linux components, such as switchd, expect a single VNI for a given bridge or VLAN. | 3.7.15, 4.2.1-4.3.0, 4.4.2-5.0.1 | | | [2940076](#2940076)
| In a VXLAN fabric with ToR switches configured in a MLAG pair, BUM traffic received on a VXLAN tunnel is decapsulated and forwarded on the peer link bond. The BUM traffic is then encapsulated by the peer switch and sent back to the fabric. The issue has been seen in environments where the following conditions exist at the same time:1) high VNI scale2) switchd is busy processing updates3) clagd is in a transition state, such as Up, then Down, then Up. For example, when clagd restarts, the switch reboots, and so on
The problem is seen on the switch that experiences the clagd state transition. | 3.7.12-3.7.15 | | | [2940063](#2940063)
| Under certain high scale conditions, various modules might experience timetouts during cl-support collection, which results in missing data in the cl-support file. | 3.7.12-3.7.15, 4.1.1-4.3.0 | | -| [2940052](#2940052)
| When you configure the switch with the minimum reserved VLAN of 150 and the internal VLANs are exhausted, the MLAG peer does not forward the VLAN. | 3.7.15, 4.2.1-4.3.0 | | +| [2940052, 2748965](#2940052, 2748965)
| When you configure the switch with the minimum reserved VLAN of 150 and the internal VLANs are exhausted, the MLAG peer does not forward the VLAN. | 3.7.15, 4.2.1-4.3.0 | | | [2940051](#2940051)
| In an MLAG configuration with traditional bridges, MAC addresses are seen over peer link during ifreload when adding new VLANS or bridges. | 3.7.14.2-3.7.15, 4.3.0-4.4.5 | | | [2934940](#2934940)
| When you change the SVI vlan-id value in the /etc/network/interfaces file, then run ifreload -a, the 802.1Q ID for the SVI in the kernel does not change.
This operation is not supported in the kernel without recreating the SVI. To apply the change, run ifdown, then ifup for the SVI to recreate the interface. | 3.7.13-3.7.15, 4.2.1 | | | [2934938](#2934938)
| When the clagd process terminates unexpectedly due to signals such as sig11 or sig6, no core file is generated. | 3.7.15 | | | [2934935](#2934935)
| VXLAN route updates during high frequency might cause switchd to leak memory. | 3.7.14.2-3.7.15 | | | [2923737](#2923737)
| When switchd restarts, the port watch daemon (portwd) attempts to send requests to switchd before switchd is ready. As a result, portwd goes into a failed state because there is no response from switchd. | 3.7.15 | | -| [2879645](#2879645)
| When you add a new VLAN, the VLAN interface type shows as unknown and cannot be reached. | 3.7.15 | | +| [2879645, 2879646](#2879645, 2879646)
| When you add a new VLAN, the VLAN interface type shows as unknown and cannot be reached. | 3.7.15 | | | [2875279](#2875279)
| In a scaled EVPN-MLAG configuration (observed with 400 or more VNIs and 20K or more MAC addresses – the actual scale might vary), when the peer link flaps causing all VNIs to come up at the same time, there might be high CPU utilization on the system for several minutes and the FRR service might restart. After FRR restarts or the CPU utilization settles down, the system functions normally. | 4.2.1-4.3.0, 4.4.0-5.0.1 | | | [2848219](#2848219)
| On the Dell S3048 switch configured for 802.1x authentication, you might see file descriptor exhaustion with hostapd messages indicating that Cumulus Linux is unable to open /dev/urandom or write out the transient ACL files. To work around this issue, reboot the switch. | 4.3.0 | | | [2821970](#2821970)
| When there is a netlink event showing an update to a forwarding database entry from the VXLAN driver, ip monitor reports the remote VTEP address (dst) as ??? . The bridge monitor command correctly shows the value. | 3.7.15 | | @@ -243,7 +243,7 @@ pdfhidden: True | [2803044](#2803044)
| In an EVPN configuration with IP or MAC mobility, higher MM EVPN routes do not remove the old ARP entries during VIP migration between VTEP racks. | 3.7.14.2-3.7.15 | | | [2801262](#2801262)
| On NVIDIA Spectrum ASICs in a layer 2 bridge scaled configuration (more than 800 VLANs), clagd.service enters a failed state after a reboot or a switchd restart. | 3.7.12-3.7.15, 4.3.0, 4.4.2-4.4.5 | | | [2799742](#2799742)
| On the Edgecore AS4610 switch, the historic CPU usage displayed in /run/sysmonitor/history sometimes shows as a negative value. | 4.2.1-4.3.0 | | -| [2794750](#2794750)
| When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.
To work around this issue, remove the unnecessary eBGP IPv4 peering. | 3.7.12-3.7.15, 4.0.0-4.2.1 | | +| [2794750, 2555635](#2794750, 2555635)
| When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.
To work around this issue, remove the unnecessary eBGP IPv4 peering. | 3.7.12-3.7.15, 4.0.0-4.2.1 | | | [2736265](#2736265)
| After an apt upgrade, the OPTIONS configuration line in /etc/default/isc-dhcp-relay might be removed. To work around this issue, reconfigure the desired options in the file after the upgrade completes. | 3.7.12-3.7.15, 4.2.1-4.3.0 | | | [2717312](#2717312)
| When you modify a prefix list with NCLU commands, the bgpd service crashes. | 3.7.14.2-3.7.15 | | | [2700767](#2700767)
| Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use a MLAG peer IP linklocal configuration. | 3.7.12-3.7.15, 4.3.0-4.4.5 | | @@ -252,7 +252,7 @@ pdfhidden: True | [2668483](#2668483)
| If you update the MAC address of an SVI using ifreload and hwaddress, the kernel maintains a stale permanent FDB entry for the old MAC address. | 3.7.15, 4.3.0, 4.4.0-4.4.3, 5.0.0-5.0.1 | | | [2660582](#2660582)
| In an MLAG configuration, the secondary MLAG switch does not use a unique address instead of the MLAG system MAC address when there is a double failure (backup IP and peer link failure)
To recover restart the clagd service with sudo systemctl restart clagd.service | 3.7.8-3.7.15 | | | [2645846](#2645846)
| When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration. | 3.7.10-3.7.15 | | -| [2638400](#2638400)
| When you stop clagd on the MLAG primary switch (for example, when you reboot the switch), in rare conditions the MLAG secondary switch might fail to properly assert itself as the MLAG primary switch. To work around this issue, change the primary designation by configuring the clagd priorities to ensure that you only reboot a switch that is in the MLAG secondary role. | 3.7.15, 4.3.0 | | +| [2638400, 3348697](#2638400, 3348697)
| When you stop clagd on the MLAG primary switch (for example, when you reboot the switch), in rare conditions the MLAG secondary switch might fail to properly assert itself as the MLAG primary switch. To work around this issue, change the primary designation by configuring the clagd priorities to ensure that you only reboot a switch that is in the MLAG secondary role. | 3.7.15, 4.3.0 | | | [2581473](#2581473)
| When netq-agent is installed on the Dell N3048EP platform, switchd might crash if pluggables are installed in the SFP+ ports. | 3.7.13-3.7.15 | | | [2548044](#2548044)
| When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor. | 3.7.12-3.7.15, 4.0.0-4.4.5 | | @@ -269,7 +269,7 @@ pdfhidden: True | [3216759](#3216759)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-3.7.16, 4.3.0-4.4.5 | | | [3209699](#3209699)
| RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users)
| 3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.16.1| | [3135801](#3135801)
| Zebra rejects MAC IP updates from BGP when the MAC mobility sequence number that BGP sends is lower than the sequence number known to zebra
When the MAC mobility sequence that BGP knows legitimately lowers (due to narrow timing conditions during convergence or after rebooting an MLAG pair one VTEP at a time), zebra rejects these updates and maintains a stale state. If the stale information that zebra uses points to the wrong VTEP address, traffic goes to the wrong VTEP and might drop. | 3.7.12-4.3.0 | 4.3.1-4.4.5| -| [3129819](#3129819)
| On the EdgeCore AS4610 switch, the clagd service loses communication after 198 days of uptime. | 3.7.15-3.7.16 | | +| [3129819, 3040075](#3129819, 3040075)
| On the EdgeCore AS4610 switch, the clagd service loses communication after 198 days of uptime. | 3.7.15-3.7.16 | | | [3120423](#3120423)
| When you configure an interface in FRR to send IPv6 RAs before you configure the interface in the /etc/network/interfaces file, the switch does not process IPv6 RAs. To work around this issue, remove the interface configuration in FRR and reapply it. | 3.7.15-4.3.0, 4.4.0-5.1.0 | 4.3.1, 5.2.0-5.16.1| | [3093966](#3093966)
| On Broadcom switches, INPUT chain iptable rules filter IPv6 packets matching the rules. | 3.7.15-3.7.16, 4.3.0-4.4.5 | | | [3073668](#3073668)
| On the EdgeCore AS4610 switch, when you change the speed of any of the SFP+ ports, the other SFP+ ports flap. | 3.7.12-3.7.16, 4.3.0-4.4.5 | | @@ -282,7 +282,7 @@ pdfhidden: True | [3015881](#3015881)
| Traffic flows fail because the remote VTEP IP address is missing in the layer 3 neighbor table in hardware on the switch. This happens when there is a neighbor entry for the same /32 that we have also received a type-5 route for. When the route is learned after the neighbor entry there is a timing condition that can be hit that will cause the neighbor entry to get removed from hardware when the route is installed in hardware
This condition has been seen when customers re-use the VTEP IP on an interface inside of a vrf. The neigh entry for the TEP IP is installed when a symmetric route is learned via that VTEP. The Type-5 route for the TEP IP is learned in the VRF if the customer has redistributed it or advertised it within BGP in the VRF. | 3.7.15-3.7.16 | | | [2993719](#2993719)
| After you delete the last vxlan-remoteip configuration line from the /etc/network/interfaces file and run the ifreload -a command, the corresponding BUM flood entry is not removed. This is issue is impacting all Cumulus Linux releases. The following attribute: vxlan-purge-remotes yes is intended to fix the issue (this attribute has been available since CL2). It was decided to change ifupdown2's default behavior to automatically purge BUM entries added by ifup/ifreload. | 3.7.15-5.0.1 | 5.1.0-5.16.1, 5.2.0-5.16.1| | [2991514](#2991514)
| Cumulus Linux can take a long time (100 seconds) to sync a large number of VNIs on a bridge. | 3.7.15-4.3.0 | 4.3.1-4.4.5| -| [2973714](#2973714)
| When you configure 199 VXLANs plus 199 VLANs, clagd crashes every few seconds. | 3.7.15-4.3.0, 4.4.0-4.4.1 | 4.3.1, 4.4.2-4.4.5, 5.0.0-5.16.1| +| [2973714, 2826122](#2973714, 2826122)
| When you configure 199 VXLANs plus 199 VLANs, clagd crashes every few seconds. | 3.7.15-4.3.0, 4.4.0-4.4.1 | 4.3.1, 4.4.2-4.4.5, 5.0.0-5.16.1| | [2972538](#2972538)
| With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 3.7.15-3.7.16 | | | [2965759](#2965759)
| On the EdgeCore AS4610-54T switch, the fan speed reports a minimum threshold in the logs. | 3.7.15-3.7.16 | | | [2964279](#2964279)
| When a VNI flaps, an incorrect list of layer 2 VNIs are associated with a layer 3 VNI. The NCLU net show evpn vni detail command output shows duplicate layer 2 VNIs under a layer 3 VNI. | 3.7.15, 4.4.2-4.4.5 | 3.7.16| @@ -293,7 +293,7 @@ pdfhidden: True | [2943442](#2943442)
| Cumulus Linux lets you add more than one VXLAN interface to same VLAN on the same bridge. This is an invalid configuration as certain Cumulus Linux components, such as switchd, expect a single VNI for a given bridge or VLAN. | 3.7.15-4.3.0, 4.4.2-5.0.1 | 4.3.1, 5.1.0-5.16.1| | [2940076](#2940076)
| In a VXLAN fabric with ToR switches configured in a MLAG pair, BUM traffic received on a VXLAN tunnel is decapsulated and forwarded on the peer link bond. The BUM traffic is then encapsulated by the peer switch and sent back to the fabric. The issue has been seen in environments where the following conditions exist at the same time:1) high VNI scale2) switchd is busy processing updates3) clagd is in a transition state, such as Up, then Down, then Up. For example, when clagd restarts, the switch reboots, and so on
The problem is seen on the switch that experiences the clagd state transition. | 3.7.12-3.7.15 | 3.7.16| | [2940063](#2940063)
| Under certain high scale conditions, various modules might experience timetouts during cl-support collection, which results in missing data in the cl-support file. | 3.7.12-3.7.15, 4.1.1-4.3.0 | 3.7.16, 4.3.1-4.4.5, 5.0.0-5.16.1| -| [2940052](#2940052)
| When you configure the switch with the minimum reserved VLAN of 150 and the internal VLANs are exhausted, the MLAG peer does not forward the VLAN. | 3.7.15-4.3.0 | 4.3.1-4.4.5| +| [2940052, 2748965](#2940052, 2748965)
| When you configure the switch with the minimum reserved VLAN of 150 and the internal VLANs are exhausted, the MLAG peer does not forward the VLAN. | 3.7.15-4.3.0 | 4.3.1-4.4.5| | [2940051](#2940051)
| In an MLAG configuration with traditional bridges, MAC addresses are seen over peer link during ifreload when adding new VLANS or bridges. | 3.7.14.2-3.7.15, 4.3.0-4.4.5 | 3.7.16, 5.0.0-5.16.1| | [2934940](#2934940)
| When you change the SVI vlan-id value in the /etc/network/interfaces file, then run ifreload -a, the 802.1Q ID for the SVI in the kernel does not change.
This operation is not supported in the kernel without recreating the SVI. To apply the change, run ifdown, then ifup for the SVI to recreate the interface. | 3.7.13-4.2.1 | 4.3.0-4.4.5| | [2934939](#2934939)
| When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage
To workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:
address-family ipv4 unicast
  aggregate-address 10.10.0.0/16 summary-only
  redistribute connected
After:
ip route 10.10.0.0/16 Null0
  !
  address-family ipv4 unicast
  redistribute connected route-map DENY-COMPONENTS
  redistribute static
   exit-address-family
  ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17
  !
  route-map DENY-COMPONENTS deny 10
   match ip address prefix-list NO-COMPONENTS
  !
  route-map DENY-COMPONENTS permit 20
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-3.7.16 | | @@ -301,8 +301,8 @@ pdfhidden: True | [2934935](#2934935)
| VXLAN route updates during high frequency might cause switchd to leak memory. | 3.7.14.2-4.3.0 | 4.3.1-4.4.5| | [2923737](#2923737)
| When switchd restarts, the port watch daemon (portwd) attempts to send requests to switchd before switchd is ready. As a result, portwd goes into a failed state because there is no response from switchd. | 3.7.15 | 3.7.16, 4.3.1-4.4.5| | [2910017](#2910017)
| SNMP reports the same ifType of ethernetCsmacd(6) for loopback interfaces. | 3.7.15-4.4.2, 5.0.0-5.0.1 | 4.4.3-4.4.5, 5.1.0-5.16.1| -| [2899413](#2899413)
| Broadcom switches return a table full error when creating VXLAN gports, which causes switchd to crash. | 3.7.15-4.3.0 | 4.3.1-4.4.5| -| [2879645](#2879645)
| When you add a new VLAN, the VLAN interface type shows as unknown and cannot be reached. | 3.7.15 | 3.7.16| +| [2899413, 3036049, 3069904](#2899413, 3036049, 3069904)
| Broadcom switches return a table full error when creating VXLAN gports, which causes switchd to crash. | 3.7.15-4.3.0 | 4.3.1-4.4.5| +| [2879645, 2879646](#2879645, 2879646)
| When you add a new VLAN, the VLAN interface type shows as unknown and cannot be reached. | 3.7.15 | 3.7.16| | [2866084](#2866084)
| When you reboot a VTEP, MAC address entries might become out of sync between the kernel FDB table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries are installed against the rebooted VTEP IP address in the kernel FDB and the correct VTEP IP is present in the EVPN MAC VNI table. To work around this issue, clear all corrupted MAC address entries in the kernel FDB with the bridge fdb del
dev [dst\|via] command, then add "vxlan-learning": "off" in the /etc/network/ifupdown2/policy.d/vxlan.json file:
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
  {
       "vxlan": {
           "module_globals": { "vxlan-purge-remotes": "no" },
           "defaults": {
               "vxlan-ageing": "1800",
               "vxlan-port": "4789", <==== This comma needs to be added at the end of this line
               "vxlan-learning": "off" <= This line needs to be added
            }
       }
  }
Reboot the affected switches. | 3.7.12-4.3.0 | 4.3.1-4.4.5| | [2866061](#2866061)
| On the Maverick S4148T switch with MLAG, Cumulus Linux drops LACP, ARP, LLDP and BGP traffic. | 3.7.12-3.7.16 | | | [2859177](#2859177)
| The cl-route-check --layer3 command fails with a memory error. For example:
cumulus@switch:~$ sudo cl-route-check --layer3Traceback (most recent call last):
File "/usr/cumulus/bin/cl-route-check", line 1270, in 
 routing.collect_data()
File "/usr/cumulus/bin/cl-route-check", line 528, in collect_data
 self.collect_data_bgp_ipv4()
File "/usr/cumulus/bin/cl-route-check", line 711, in collect_data_bgp_ipv4
 bgp_ipv4 = json.loads(output)
File "/usr/lib/python2.7/json/__init__.py", line 338, in loads
 return _default_decoder.decode(s)
File "/usr/lib/python2.7/json/decoder.py", line 366, in decode
 obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/usr/lib/python2.7/json/decoder.py", line 382, in raw_decode
 obj, end = self.scan_once(s, idx)MemoryError
| 3.7.15-3.7.16 | | @@ -315,19 +315,19 @@ pdfhidden: True | [2803044](#2803044)
| In an EVPN configuration with IP or MAC mobility, higher MM EVPN routes do not remove the old ARP entries during VIP migration between VTEP racks. | 3.7.14.2-3.7.15 | 3.7.16| | [2801262](#2801262)
| On NVIDIA Spectrum ASICs in a layer 2 bridge scaled configuration (more than 800 VLANs), clagd.service enters a failed state after a reboot or a switchd restart. | 3.7.12-3.7.15, 4.3.0, 4.4.2-4.4.5 | 3.7.16, 4.3.1, 5.0.0-5.16.1| | [2798979](#2798979)
| Configuring a route map to filter VNIs will cause type-3 routes not to be advertised even for L2VNIs permitted through the route map | 3.7.15-3.7.16 | | -| [2794750](#2794750)
| When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.
To work around this issue, remove the unnecessary eBGP IPv4 peering. | 3.7.12-4.2.1 | 4.3.0-4.4.5| +| [2794750, 2555635](#2794750, 2555635)
| When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.
To work around this issue, remove the unnecessary eBGP IPv4 peering. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2792750](#2792750)
| If you change the clagd-vxlan-anycast-ip setting on both MLAG peers at the same time, both peers use their unique VTEP address indefinitely. | 3.7.15-4.3.0, 4.4.0-4.4.5 | 4.3.1| | [2754791](#2754791)
| Remote MAC addreses in zebra are out of sync with bgpd. The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP. | 3.7.14.2-3.7.16, 4.3.0-4.4.5 | | -| [2743186](#2743186)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| +| [2743186, 2734100, 2731464, 3438708](#2743186, 2734100, 2731464, 3438708)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| | [2736265](#2736265)
| After an apt upgrade, the OPTIONS configuration line in /etc/default/isc-dhcp-relay might be removed. To work around this issue, reconfigure the desired options in the file after the upgrade completes. | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5| | [2730225](#2730225)
| When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs. | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.2-4.4.5| | [2717312](#2717312)
| When you modify a prefix list with NCLU commands, the bgpd service crashes. | 3.7.14.2-3.7.15 | 3.7.16| -| [2716822](#2716822)
| The /etc/cumulus/ports.conf file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports. | 3.7.15-4.3.0 | 4.3.1-4.4.5| -| [2713888](#2713888)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| +| [2716822, 2710844](#2716822, 2710844)
| The /etc/cumulus/ports.conf file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports. | 3.7.15-4.3.0 | 4.3.1-4.4.5| +| [2713888, 2834357](#2713888, 2834357)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| | [2700767](#2700767)
| Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use a MLAG peer IP linklocal configuration. | 3.7.12-3.7.15, 4.3.0-4.4.5 | 3.7.16| | [2690100](#2690100)
| When you run the vtysh show ip bgp vrf statistics command, the bgpd service crashes if you use vrf all. For example:
spine01# show ip bgp vrf all statistics 
vtysh: error reading from bgpd: Success (0)Warning: closing connection to bgpd because of an I/O error!

spine01# show bgp vrf all ipv6 unicast statistics 
vtysh: error reading from bgpd: Success (0)Warning: closing connection to bgpd because of an I/O error!

To workaround this issue, run the command against each VRF independently. | 3.7.15, 4.0.0-4.3.0 | 3.7.16, 4.3.1-4.4.5| | [2687332](#2687332)
| When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage
To workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:
address-family ipv4 unicast
  aggregate-address 10.10.0.0/16 summary-only
  redistribute connected
After:
ip route 10.10.0.0/16 Null0
  !
  address-family ipv4 unicast
  redistribute connected route-map DENY-COMPONENTS
  redistribute static
   exit-address-family
  ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17
  !
  route-map DENY-COMPONENTS deny 10
   match ip address prefix-list NO-COMPONENTS
  !
  route-map DENY-COMPONENTS permit 20
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-4.2.1 | 4.3.0-4.4.5| -| [2684452](#2684452)
| When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table
You can work around this issue with the following steps:1. Clear all corrupted mac entries in the kernel FDB with the bridge fdb del
dev [dst\|via] command2. Add "vxlan-learning": "off" under /etc/network/ifupdown2/policy.d/vxlan.json
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
  {
       "vxlan": {
           "module_globals": { "vxlan-purge-remotes": "no" },
           "defaults": {
               "vxlan-ageing": "1800",
               "vxlan-port": "4789", <==== This comma needs to be added at the end of this line
               "vxlan-learning": "off" <= This line needs to be added
            }
       }
  }
3. Reboot the affected switch(es) | 3.7.12-3.7.16 | | +| [2684452, 2701788, 2940067](#2684452, 2701788, 2940067)
| When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table
You can work around this issue with the following steps:1. Clear all corrupted mac entries in the kernel FDB with the bridge fdb del
dev [dst\|via] command2. Add "vxlan-learning": "off" under /etc/network/ifupdown2/policy.d/vxlan.json
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
  {
       "vxlan": {
           "module_globals": { "vxlan-purge-remotes": "no" },
           "defaults": {
               "vxlan-ageing": "1800",
               "vxlan-port": "4789", <==== This comma needs to be added at the end of this line
               "vxlan-learning": "off" <= This line needs to be added
            }
       }
  }
3. Reboot the affected switch(es) | 3.7.12-3.7.16 | | | [2669831](#2669831)
| If you try to remove BFD configuration with systemctl reload frr, the FRR service fails. The reload action results in a TypeError: expected string or bytes-like object error
You see this issue only if there is default configuration, such as configuration in the /etc/frr/frr.conf file that is suppressed from view in the FRR running configuration
To work around this issue, remove the default configuration lines; for example: 
username cumulus nopassword
| 3.7.14.2-3.7.15 | 3.7.16| | [2669438](#2669438)
| Editing the /etc/frr/frr.conf file to add a new sequence at the beginning of an existing large prefix list changes the subsequent sequence numbers of the next entries in the list and FRR reload might fail with the error message frr.service reload operation timed out. Stopping. To work around this issue, instead of adding the new prefix using an existing sequence number and pushing other sequences forward, use a sequence number that is free; for example, instead of of using 5 -> 10 -> 15, use 5 -> 7 -> 10. | 3.7.11-3.7.16 | | | [2668483](#2668483)
| If you update the MAC address of an SVI using ifreload and hwaddress, the kernel maintains a stale permanent FDB entry for the old MAC address. | 3.7.15-4.3.0, 4.4.0-4.4.3, 5.0.0-5.0.1 | 4.3.1, 4.4.4-4.4.5, 5.1.0-5.16.1| @@ -335,7 +335,7 @@ pdfhidden: True | [2653400](#2653400)
| When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration. | 3.7.10-3.7.16 | | | [2648658](#2648658)
| If you try to use more than one percent of max-ecmp-nexthops, you get an error indicating a failure. | 3.7.15-4.3.4 | 4.4.0-4.4.5| | [2645846](#2645846)
| When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration. | 3.7.10-3.7.15 | 3.7.16, 4.3.1-4.4.5| -| [2638400](#2638400)
| When you stop clagd on the MLAG primary switch (for example, when you reboot the switch), in rare conditions the MLAG secondary switch might fail to properly assert itself as the MLAG primary switch. To work around this issue, change the primary designation by configuring the clagd priorities to ensure that you only reboot a switch that is in the MLAG secondary role. | 3.7.15, 4.3.0 | 3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5| +| [2638400, 3348697](#2638400, 3348697)
| When you stop clagd on the MLAG primary switch (for example, when you reboot the switch), in rare conditions the MLAG secondary switch might fail to properly assert itself as the MLAG primary switch. To work around this issue, change the primary designation by configuring the clagd priorities to ensure that you only reboot a switch that is in the MLAG secondary role. | 3.7.15, 4.3.0 | 3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5| | [2638137](#2638137)
| When you delete a static route using NCLU, the configuration is not deleted from the running configuration or from the /etc/frr/frr.conf file. | 3.7.13-3.7.16 | | | [2633245](#2633245)
| On the Dell N3048EP-ON switch, the SPF+ ports remain down after a power cycle. | 3.7.10-3.7.16 | | | [2607965](#2607965)
| On the EdgeCore AS7726 switch, when you run the NCLU net show system command, you see the error Command not found. | 3.7.14.2-3.7.16 | | @@ -344,7 +344,7 @@ pdfhidden: True | [2556037](#2556037)
| After you add an interface to the bridge, an OSPF session flap might occur
| 3.7.9-4.2.0 | 4.2.1-4.4.5| | [2555908](#2555908)
| If the you add the MLAG backup IP address to the MLAG peer in the secondary role while the peer link is down, the LACP sys-mac does not use the MLAG system MAC address (clagd-sys-mac) when the peer link comes back up
To work around this issue, wait until the peer link is up to add the MLAG backup IP address. To recover from this condition, restart clagd with the sudo systemctl restart clagd command. | 3.7.12-4.0.1 | 4.1.0-4.4.5| | [2555528](#2555528)
| In an EVPN Active/Active configuration, when one of the peers reboots and begins to refresh IP neighbor entries shared by the MLAG peer, some of these ARP messages might be dropped by the MLAG peer's ARP policer.
To work around this issue, increase the burst value of the ARP policers to 200 or higher. | 3.7.14-4.2.1 | 4.3.0-4.4.5| -| [2555175](#2555175)
| Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. | 3.7.15-4.3.1 | 4.3.2-4.4.5| +| [2555175, 3195351, 2672721](#2555175, 3195351, 2672721)
| Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. | 3.7.15-4.3.1 | 4.3.2-4.4.5| | [2554785](#2554785)
| After you reboot a Broadcom switch, switchd might fail to restart and you see logs in switchd.log similar to the following:
Nov 12 12:20:05.063876 leaf01 switchd[9867]:Nov 12 12:20:05.064310 leaf01 switchd[9867]: hal_bcm_console.c:294 0:system_init:Nov 12 12:20:05.064428 leaf01 switchd[9867]: hal_bcm_console.c:294 system_init: Misc init failed: Operation timed outNov 12 12:20:05.064464 leaf01 switchd[9867]:Nov 12 12:20:05.091995 leaf01 switchd[9867]: hal_bcm_console.c:294 LED: Loading 256 bytes into LED program memoryNov 12 12:20:05.092029 leaf01 switchd[9867]:Nov 12 12:20:05.099547 leaf01 switchd[9867]: hal_bcm_console.c:294 PORT: Error: bcm ports not initializedNov 12 12:20:05.099579 leaf01 switchd[9867]:Nov 12 12:20:05.099646 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /var/lib/cumulus/rc.datapath_0: line 81 (error code -1): script terminatedNov 12 12:20:05.099667 leaf01 switchd[9867]:Nov 12 12:20:05.099775 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /etc/bcm.d/rc.soc: line 70 (error code -1): script terminatedNov 12 12:20:05.099798 leaf01 switchd[9867]:Nov 12 12:20:05.099871 leaf01 switchd[9867]: hal_bcm_console.c:294 ERROR loading rc script on unit 0Nov 12 12:20:05.099892 leaf01 switchd[9867]:Nov 12 12:20:05.099943 leaf01 switchd[9867]: hal_bcm_console.c:299 CRIT loading of rc script failed, aborting!
To work around this issue, configure Cumulus Linux to boot with the ntel_iommu=off kernel command option:1. Open the /etc/default/grub file with a text editor
2. Edit the GRUB_CMDLINE_LINUX variable by adding the string intel_iommu=off at the end. For example: GRUB_CMDLINE_LINUX="cl_platform=cel_e1031 console=ttyS1,115200n8 intel_iommu=off"3. Run the update-grub command
4. Reboot the switch. | 3.7.11-4.2.1 | 4.3.0-4.4.5| | [2554709](#2554709)
| The IP address specified in the ip pim use-source command configured on the loopback interface should be inherited by unnumbered interfaces during their Primary IP address selection process. If ip pim use-source is configured on the loopback after an unnumbered interface has already selected their Primary IP address, the unnumbered interface does not update its Primary IP address to be the new use-source value until after there is a netlink update for that interface.
To work around this issue, configure ip pim use-source on each unnumbered interface directly or ensure ip pim use-source is applied to the loopback before other unnumbered interfaces are enabled for PIM. | 3.7.13-3.7.16, 4.2.1-4.4.5 | | | [2554588](#2554588)
| If you try to reconfigure a DHCP server after you delete the switch configuration with the net del all command, the dhcpd service fails because a duplicate process is running
To work around this issue, edit the /usr/lib/python2.7/dist-packages/nclu/plugins/dhcp.py file to change:
DHCPD_PID="-pf {0}"
to:
DHCPD_PID="-pf {1}"
| 3.7.13-4.2.1 | 4.3.0-4.4.5| @@ -358,7 +358,7 @@ pdfhidden: True | [2553015](#2553015)
| If a neighbour contains a special character in PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail. | 3.7.10-3.7.16, 4.2.0-4.4.5 | | | [2552939](#2552939)
| RX_DRP on a bond interface increases without any data traffic while the slave port does not increase. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2552869](#2552869)
| On the Dell N3048EP switch, the module information from SFP ports is not displayed in the l1-show command.
To work around this issue, use the ethtool -m command. | 3.7.13-4.2.1 | 4.3.0-4.4.5| -| [2552742](#2552742)
| On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.
To work around this issue, restart switchd. | 3.7.12-4.2.1 | 4.3.0-4.4.5| +| [2552742, 2553000, 2553936](#2552742, 2553000, 2553936)
| On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.
To work around this issue, restart switchd. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2552739](#2552739)
| Counters for IPROUTER rules do not increase when traffic is forwarded to the CPU because there is no IP neighbor. | 3.7.2-3.7.16 | | | [2552294](#2552294)
| NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command.
| 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2551911](#2551911)
| ifupdown2 does not account for link status or link down configuration when running dhclient. For example, ifupdown2 ignores link-down yes during ifup/ifreload and runs the DHCP module if inet dhcp is configured on the interface. ifupdown2 also runs the DHCP module even when the physical link configured for DHCP is down. | 3.7.12-4.2.0 | 4.2.1-4.4.5| @@ -397,7 +397,7 @@ pdfhidden: True | [2547942](#2547942)
| On the Lenovo NE0152T switch, one power supply (PSU2) always show as ABSENT in smonctl. | 3.7.11-4.0.1 | 4.1.0-4.4.5| | [2547839](#2547839)
| When you try to configure link-down on a parent interface of a subinterface configured in a VRF, you encounter an error. | 3.7.11-4.1.1 | 4.2.0-4.4.5| | [2547782](#2547782)
| If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2547706](#2547706)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2547706, 2544456, 2549513](#2547706, 2544456, 2549513)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2547659](#2547659)
| On the EdgeCore AS7326-56X switch, the default fan speed, which is defined in the thermal specification, results in excessive fan noise. | 3.7.11-4.0.1 | 4.1.0-4.4.5| | [2547573](#2547573)
| On Tomahawk switches, when the vxlan_tnl_arp_punt_disable option is set to FALSE, ARP packets are not forwarded to the CPU. | 3.7.9-3.7.16 | | | [2547443](#2547443)
| On the Dell N3248PXE-ON switch, 25G SFP ports do not work in 10G mode. | 3.7.11-4.0.1 | 4.1.0-4.4.5| @@ -411,9 +411,9 @@ pdfhidden: True | [2546895](#2546895)
| If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:
bq. systemd[1]: switchd.service watchdog timeout (limit 2min)!
To workaround this issue, either reduce the number of configured interfaces and, or VLANs, or increase the systemd timeout for switchd.service
To increase the systemd timeout:1.Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter
2.Restart the switchd service with the sudo systemctl restart switchd.service command
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546450](#2546450)
| On the EdgeCore AS7326-56X switch, you might see the RPM of certain fans run over the maximum threshold. | 3.7.11-3.7.16 | | | [2546385](#2546385)
| SNMP ifLastChange reports link transitions when there are none. | 3.7.6-3.7.16 | | -| [2546225](#2546225)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546225, 2541038](#2546225, 2541038)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546203](#2546203)
| When using QinQ with a traditional bridge, if you enable the LLDP dot1 TLV option, you see the following suboptimal behavior:
* Both the inner and outer VLAN information is sent as part of VLAN TLVs in the LLDP packet.
* If the outer VLAN ID is the same as the inner VLAN ID, only one VLAN TLV is sent with that VLAN ID in the LLDP packet. | 3.7.11-3.7.16 | | -| [2546131](#2546131)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546131, 2542979](#2546131, 2542979)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546010](#2546010)
| When hal.bcm.per_vlan_router_mac_lookup is set to TRUE in the /etc/cumulus/switchd.conf file, inter-VLAN traffic is forwarded to the CPU when associated VNI interfaces exist. | 3.7.10-3.7.16 | | | [2545997](#2545997)
| The NCLU command net show interface produces an error if bonds with no members exist.
To work around this issue, remove the empty Bond interfaces from the /etc/network/interfaces file and run sudo ifreload -a. | 3.7.10-3.7.16 | | | [2545566](#2545566)
| The Dell Z9100-ON switch incorrectly reports many sensors as ABSENT. | 3.7.12-4.0.1 | 4.1.0-4.4.5| @@ -426,27 +426,27 @@ pdfhidden: True | [2544829](#2544829)
| Frames received with a VLAN tag of 0 on an interface configured as a bridge port and forwarded to the CPU for processing might appear tagged with the native VLAN when viewed with tcpdump. | 3.7.8-3.7.16 | | | [2544556](#2544556)
| If you reconfigure an NTP server with NCLU using different trailing options after the IP address (such as iburst), an invalid configuration is added to the /etc/ntp.conf file. For example:

net add time ntp server 1.2.3.4 iburst
net commit
net add time ntp server 1.2.3.4
net commit

If you need to alter existing server configurations, first remove the server, commit, then re-add the server with any trailing options. | 3.7.9-4.1.1 | 4.2.0-4.4.5| | [2544463](#2544463)
| Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | -| [2544456](#2544456)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | +| [2544456, 2546166, 2546167, 2547706, 2549513](#2544456, 2546166, 2546167, 2547706, 2549513)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544311](#2544311)
| Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544155](#2544155)
| NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order.

| 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544113](#2544113)
| Mac learning is not disabled by default on a double tagged peer link interface resulting in the MAC address changing between the MLAG bond and the peer link.
To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the etc/network/interfaces file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2543900](#2543900)
| On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | | -| [2543841](#2543841)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | +| [2543841, 2544947](#2543841, 2544947)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | | [2543840](#2543840)
| On the Mellanox SN2700 switch, you cannot enable resilient hashing (RASH) and set the bucket size to 64 in the traffic.conf file.

| 3.7.6-3.7.16 | | | [2543800](#2543800)
| When local-tunnelip is an SVI, the static VXLAN tunnel does not work; the next hop router receives the packet but drops it as it does not know where to forward the packet. The static VXLAN tunnel does works if local-tunnelip is a loopback or a physical layer 3 interface.
| 3.7.8-3.7.16 | 4.0.0-4.4.5| | [2543647](#2543647)
| ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:

-A FORWARD -i vni10 -j erspan --src-ip 100.1.1.2 --dst-ip 100.1.1.1 --ttl 64
| 3.7.6-4.2.1 | 4.3.0-4.4.5| | [2543646](#2543646)
| In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2543627](#2543627)
| Tomahawk 40G DACs cannot disable auto-negotiation. | 3.7.7-3.7.16 | 4.0.0-4.4.5| -| [2543270](#2543270)
| The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5| +| [2543270, 2549352](#2543270, 2549352)
| The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5| | [2543211](#2543211)
| In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2543164](#2543164)
| The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2543096](#2543096)
| When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2543058](#2543058)
| The IP neighbor entry for a link-local next hop is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces.
To work around this issue, flap the peering to the peer router (which might be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces. | 3.7.7-3.7.16 | 4.0.0-4.4.5| | [2543052](#2543052)
| Received EVPN type-5 and type-2 MACIP routes are not installed in the kernel (and hardware) routing tables for the associated VRF, which causes traffic to be blackholed. The failure to install the default route causes complete reachability failure for the particular tenant on the affected racks. The routes that are not installed are seen as "inactive" in the routing subsystem (FRR) VRF routing table. This problem is rare and can occur only in EVPN configurations that have user-configured route targets (RTs) for tenant VRFs, and only following a restart of FRR.
To work around this issue, either restart the FRR service on the affected switch with the sudo systemctl restart frr.service command or bounce the layer 3 SVI for the affected VRF; for example:

ifdown vlan123 ; sleep 2 ; ifup vlan123

You can run the net show vrf vni command to print a mapping of VRF : L3-VNI : L3-SVI. | 3.7.5-3.7.16 | 4.0.0-4.4.5| | [2543044](#2543044)
| Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up.
You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up. | 3.7.2-3.7.16 | 4.0.0-4.4.5| -| [2542979](#2542979)
| On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5| +| [2542979, 2546131](#2542979, 2546131)
| On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5| | [2542945](#2542945)
| On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags.
To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad: 

cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | -| [2542310](#2542310)
| hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6.
| 3.7.6-3.7.16 | | +| [2542310, 2523456](#2542310, 2523456)
| hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6.
| 3.7.6-3.7.16 | | | [2542305](#2542305)
| If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2542301](#2542301)
| When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2541212](#2541212)
| The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | @@ -460,7 +460,7 @@ pdfhidden: True | [2540352](#2540352)
| When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a _match interface_ condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9 
net add routing route-map Proxy-ARP permit 30 match interface swp10

| 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2540340](#2540340)
| NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example: 
 
 cumulus@switch:~$ net add vrf mgmt

Tab completion for the net add vrf ip address
command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540274](#2540274)
| On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | -| [2540204](#2540204)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540204, 2713883](#2540204, 2713883)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540192](#2540192)
| The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540155](#2540155)
| On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2540042](#2540042)
| When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example: 
 
cumulus@switch:~$ sudo vtysh 
switch# configure terminal 
switch(config)# interface br0.100 
switch(config-if)# vrrp 1 priority 110 
switch(config-if)# vrrp 1 advertisement-interval 
switch(config-if)# end 
switch# write memory 
switch# exit 
cumulus@switch:~

| 3.7.4-3.7.16, 4.0.0-4.4.5 | | @@ -479,12 +479,12 @@ pdfhidden: True | [2538302](#2538302)
| portwd allows an error to change the module type based on the error. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap.
| 3.7.0-3.7.16 | | | [2538294](#2538294)
| If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2538256](#2538256)
| On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets.
| 3.7.2-4.0.1 | 4.1.0-4.4.5| -| [2537819](#2537819)
| When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
| 3.7.2-3.7.16 | 4.0.0-4.4.5| +| [2537819, 2542964](#2537819, 2542964)
| When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
| 3.7.2-3.7.16 | 4.0.0-4.4.5| | [2537699](#2537699)
| There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces: 
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
| 3.7.1-3.7.16, 4.0.0-4.4.5 | | -| [2537544](#2537544)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2537544, 2537365](#2537544, 2537365)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | | [2537378](#2537378)
| NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.
To work around this issue, stop snmpd, remove the cache file, then restart snmpd.
| 3.7.1-3.7.16 | | | [2537188](#2537188)
| When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.
This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network.
| 3.7.2-3.7.16 | | -| [2537104](#2537104)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | 4.0.0-4.4.5| +| [2537104, 2534061](#2537104, 2534061)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | 4.0.0-4.4.5| | [2537061](#2537061)
| The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent.
| 3.7.1-4.0.1 | 4.1.0-4.4.5| | [2536608](#2536608)
| Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI.
| 3.7.0-3.7.16 | | | [2536384](#2536384)
| The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | @@ -497,7 +497,7 @@ pdfhidden: True ### Fixed Issues in 3.7.15 | Issue ID | Description | Affects | |--- |--- |--- | -| [2599607](#2599607)
| In some corner cases, remote MAC entries may be seen as locally learnt entries in FDB table due to switchd reprogramming it | 3.7.12-3.7.14.2 | | +| [2599607, 2545364, 3297583](#2599607, 2545364, 3297583)
| In some corner cases, remote MAC entries may be seen as locally learnt entries in FDB table due to switchd reprogramming it | 3.7.12-3.7.14.2 | | | [2595889](#2595889)
| In a traditional bridge configuration with ip-forward off, neighbors are synchronized to hardware with a switchd restart but are cleared when you flap the bridge interface. | 3.7.10-3.7.14.2, 4.0.0-4.2.1 | | | [2595816](#2595816)
| Tenant VRF BGP peers appear in the EVPN RMAC and nexthop tables, which causes the kernel RMAC to point at invalid IP address. | 3.7.12-3.7.14.2, 4.0.0-4.2.1 | | | [2589747](#2589747)
| If switchd successfully signals clagd that it is going down, clagd stops responding to keepalive echo requests from the peer instead of sending a good bye to the peer over both the peerlink and the backup switch. Eventually, the keepalive timer expires and the secondary switch becomes the primary, and brings the bonds and VNIs back up. However, if switchd does not successfully signal it is going down, (in the event of a crash), the primary switch continues to respond to keepalives, and the bonds and VNIs are down on both peers. | 3.7.12-3.7.14.2, 4.0.0-4.2.1 | | @@ -505,8 +505,8 @@ pdfhidden: True | [2556815](#2556815)
| When ARP suppression is enabled, RARP packets sometimes get dropped and are not flooded by the local VTEP.
To work around this issue, disable ARP suppression. | 3.7.14-3.7.14.2, 4.3.0 | | | [2556763](#2556763)
| In a configuration with both traditional and VLAN-aware bridges, the VLAN membership check on a VLAN-aware bridge does not drop PVST BPBUs that come from a traditional bridge. | 3.7.14-3.7.14.2, 4.0.0-4.3.0 | | | [2556233](#2556233)
| Some ECMP next-hops might fail installation into hardware at high ECMP group and route scale. The following log message will be observed when this condition occurs:WARN xx routes reverted to non-ECMP due to NH table capacity | 3.7.9-3.7.14.2 | | -| [2556023](#2556023)
| After upgrading Cumulus Linux with the apt-upgrade command, then rebooting an MLAG pair, if there are no bonds configured with a clag-id, the clagd service has difficulty peering, and holds all MLAG interfaces and VNIs in a proto down state
To work around this issue, after upgrading both switches, restart the clagd service with the sudo systemctl restart clagd command on each MLAG pair. | 3.7.14-3.7.14.2 | | -| [2556011](#2556011)
| On Broadcom switches, after repeated VLAN or VXLAN configuration changes, switchd memory might not free up appropriately, which can lead to a crash. | 3.7.14, 4.0.0-4.2.1 | | +| [2556023, 2555201](#2556023, 2555201)
| After upgrading Cumulus Linux with the apt-upgrade command, then rebooting an MLAG pair, if there are no bonds configured with a clag-id, the clagd service has difficulty peering, and holds all MLAG interfaces and VNIs in a proto down state
To work around this issue, after upgrading both switches, restart the clagd service with the sudo systemctl restart clagd command on each MLAG pair. | 3.7.14-3.7.14.2 | | +| [2556011, 2556276](#2556011, 2556276)
| On Broadcom switches, after repeated VLAN or VXLAN configuration changes, switchd memory might not free up appropriately, which can lead to a crash. | 3.7.14, 4.0.0-4.2.1 | | | [2555532](#2555532)
| QinQ (802.1Q) packets routed to a layer 3 subinterface are still double tagged with the VLAN of the subinterface and the original inner VLAN when they leave the subinterface. | 4.2.0-4.2.1 | | | [2555401](#2555401)
| On the Edgecore AS7312 switch, eth0 and swp use the same MAC address. | 3.7.14-3.7.14.2, 4.0.0-4.2.1 | | | [2555278](#2555278)
| When you change the anycast address for the MLAG pair (clagd-vxlan-anycast-ip), high peak traffic occurs on the peer link interface of all MLAG switches. | 3.7.13-3.7.14.2 | | @@ -515,7 +515,7 @@ pdfhidden: True | [2554804](#2554804)
| On Mellanox SN2010 and SN2100 switches, the maximum fan speed is exceeded by fifteen percent. | 3.7.14-3.7.14.2 | | | [2554719](#2554719)
| A slow memory leak is observed (1% per 14 hours) in kmalloc-256.
To work around this issue, reboot the switch. | 3.7.12-3.7.14.2 | | | [2553748](#2553748)
| On switches with the Spectrum ASIC, the IPv6 default route is present in the kernel but missing in hardware. | 3.7.11-3.7.14.2, 4.2.1 | | -| [2552213](#2552213)
| The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages. | 3.7.11-3.7.14, 4.1.1-4.3.0 | | +| [2552213, 2553637](#2552213, 2553637)
| The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages. | 3.7.11-3.7.14, 4.1.1-4.3.0 | | | [2550600](#2550600)
| The received PVST BPDU for a VLAN is flooded even though the ingress port doesn't have the VLAN tagged. | 3.7.8-3.7.14.2, 4.0.0-4.3.0 | | | [2549226](#2549226)
| You might see the following gport error messages in switchd.log:

2020-04-10T19:50:01.011224+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x800007a find failed
2020-04-10T19:50:01.011631+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x8000009 find failed

These messages are harmless and can be ignored. | 3.7.12-3.7.14.2, 4.0.0-4.2.1 | | @@ -546,14 +546,14 @@ pdfhidden: True | [2815592](#2815592)
| In an EVPN configuration, an FRR restart on a border leaf VRRP master causes a stale route for the VRRP VIP on some remote VTEPs to point to the VRRP backup after convergence. | 3.7.12-3.7.15, 4.3.0, 4.4.2-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.16.1| | [2803044](#2803044)
| In an EVPN configuration with IP or MAC mobility, higher MM EVPN routes do not remove the old ARP entries during VIP migration between VTEP racks. | 3.7.14.2-3.7.15 | 3.7.16| | [2801262](#2801262)
| On NVIDIA Spectrum ASICs in a layer 2 bridge scaled configuration (more than 800 VLANs), clagd.service enters a failed state after a reboot or a switchd restart. | 3.7.12-3.7.15, 4.3.0, 4.4.2-4.4.5 | 3.7.16, 4.3.1, 5.0.0-5.16.1| -| [2794750](#2794750)
| When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.
To work around this issue, remove the unnecessary eBGP IPv4 peering. | 3.7.12-4.2.1 | 4.3.0-4.4.5| +| [2794750, 2555635](#2794750, 2555635)
| When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.
To work around this issue, remove the unnecessary eBGP IPv4 peering. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2754791](#2754791)
| Remote MAC addreses in zebra are out of sync with bgpd. The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP. | 3.7.14.2-3.7.16, 4.3.0-4.4.5 | | | [2736265](#2736265)
| After an apt upgrade, the OPTIONS configuration line in /etc/default/isc-dhcp-relay might be removed. To work around this issue, reconfigure the desired options in the file after the upgrade completes. | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5| | [2730225](#2730225)
| When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs. | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.2-4.4.5| | [2717312](#2717312)
| When you modify a prefix list with NCLU commands, the bgpd service crashes. | 3.7.14.2-3.7.15 | 3.7.16| | [2700767](#2700767)
| Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use a MLAG peer IP linklocal configuration. | 3.7.12-3.7.15, 4.3.0-4.4.5 | 3.7.16| | [2687332](#2687332)
| When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage
To workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:
address-family ipv4 unicast
  aggregate-address 10.10.0.0/16 summary-only
  redistribute connected
After:
ip route 10.10.0.0/16 Null0
  !
  address-family ipv4 unicast
  redistribute connected route-map DENY-COMPONENTS
  redistribute static
   exit-address-family
  ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17
  !
  route-map DENY-COMPONENTS deny 10
   match ip address prefix-list NO-COMPONENTS
  !
  route-map DENY-COMPONENTS permit 20
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-4.2.1 | 4.3.0-4.4.5| -| [2684452](#2684452)
| When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table
You can work around this issue with the following steps:1. Clear all corrupted mac entries in the kernel FDB with the bridge fdb del
dev [dst\|via] command2. Add "vxlan-learning": "off" under /etc/network/ifupdown2/policy.d/vxlan.json
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
  {
       "vxlan": {
           "module_globals": { "vxlan-purge-remotes": "no" },
           "defaults": {
               "vxlan-ageing": "1800",
               "vxlan-port": "4789", <==== This comma needs to be added at the end of this line
               "vxlan-learning": "off" <= This line needs to be added
            }
       }
  }
3. Reboot the affected switch(es) | 3.7.12-3.7.16 | | +| [2684452, 2701788, 2940067](#2684452, 2701788, 2940067)
| When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table
You can work around this issue with the following steps:1. Clear all corrupted mac entries in the kernel FDB with the bridge fdb del
dev [dst\|via] command2. Add "vxlan-learning": "off" under /etc/network/ifupdown2/policy.d/vxlan.json
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
  {
       "vxlan": {
           "module_globals": { "vxlan-purge-remotes": "no" },
           "defaults": {
               "vxlan-ageing": "1800",
               "vxlan-port": "4789", <==== This comma needs to be added at the end of this line
               "vxlan-learning": "off" <= This line needs to be added
            }
       }
  }
3. Reboot the affected switch(es) | 3.7.12-3.7.16 | | | [2669831](#2669831)
| If you try to remove BFD configuration with systemctl reload frr, the FRR service fails. The reload action results in a TypeError: expected string or bytes-like object error
You see this issue only if there is default configuration, such as configuration in the /etc/frr/frr.conf file that is suppressed from view in the FRR running configuration
To work around this issue, remove the default configuration lines; for example: 
username cumulus nopassword
| 3.7.14.2-3.7.15 | 3.7.16| | [2669438](#2669438)
| Editing the /etc/frr/frr.conf file to add a new sequence at the beginning of an existing large prefix list changes the subsequent sequence numbers of the next entries in the list and FRR reload might fail with the error message frr.service reload operation timed out. Stopping. To work around this issue, instead of adding the new prefix using an existing sequence number and pushing other sequences forward, use a sequence number that is free; for example, instead of of using 5 -> 10 -> 15, use 5 -> 7 -> 10. | 3.7.11-3.7.16 | | | [2660582](#2660582)
| In an MLAG configuration, the secondary MLAG switch does not use a unique address instead of the MLAG system MAC address when there is a double failure (backup IP and peer link failure)
To recover restart the clagd service with sudo systemctl restart clagd.service | 3.7.8-3.7.15 | 3.7.16| @@ -562,7 +562,7 @@ pdfhidden: True | [2638137](#2638137)
| When you delete a static route using NCLU, the configuration is not deleted from the running configuration or from the /etc/frr/frr.conf file. | 3.7.13-3.7.16 | | | [2633245](#2633245)
| On the Dell N3048EP-ON switch, the SPF+ ports remain down after a power cycle. | 3.7.10-3.7.16 | | | [2607965](#2607965)
| On the EdgeCore AS7726 switch, when you run the NCLU net show system command, you see the error Command not found. | 3.7.14.2-3.7.16 | | -| [2599607](#2599607)
| In some corner cases, remote MAC entries may be seen as locally learnt entries in FDB table due to switchd reprogramming it | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.4-4.4.5, 5.0.0-5.16.1| +| [2599607, 2545364, 3297583](#2599607, 2545364, 3297583)
| In some corner cases, remote MAC entries may be seen as locally learnt entries in FDB table due to switchd reprogramming it | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.4-4.4.5, 5.0.0-5.16.1| | [2595889](#2595889)
| In a traditional bridge configuration with ip-forward off, neighbors are synchronized to hardware with a switchd restart but are cleared when you flap the bridge interface. | 3.7.10-4.2.1 | 4.3.0-4.4.5| | [2595816](#2595816)
| Tenant VRF BGP peers appear in the EVPN RMAC and nexthop tables, which causes the kernel RMAC to point at invalid IP address. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2589747](#2589747)
| If switchd successfully signals clagd that it is going down, clagd stops responding to keepalive echo requests from the peer instead of sending a good bye to the peer over both the peerlink and the backup switch. Eventually, the keepalive timer expires and the secondary switch becomes the primary, and brings the bonds and VNIs back up. However, if switchd does not successfully signal it is going down, (in the event of a crash), the primary switch continues to respond to keepalives, and the bonds and VNIs are down on both peers. | 3.7.12-4.2.1 | 4.3.0-4.4.5| @@ -573,7 +573,7 @@ pdfhidden: True | [2556763](#2556763)
| In a configuration with both traditional and VLAN-aware bridges, the VLAN membership check on a VLAN-aware bridge does not drop PVST BPBUs that come from a traditional bridge. | 3.7.14-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5| | [2556233](#2556233)
| Some ECMP next-hops might fail installation into hardware at high ECMP group and route scale. The following log message will be observed when this condition occurs:WARN xx routes reverted to non-ECMP due to NH table capacity | 3.7.9-3.7.14.2 | 3.7.15-3.7.16| | [2556037](#2556037)
| After you add an interface to the bridge, an OSPF session flap might occur
| 3.7.9-4.2.0 | 4.2.1-4.4.5| -| [2556023](#2556023)
| After upgrading Cumulus Linux with the apt-upgrade command, then rebooting an MLAG pair, if there are no bonds configured with a clag-id, the clagd service has difficulty peering, and holds all MLAG interfaces and VNIs in a proto down state
To work around this issue, after upgrading both switches, restart the clagd service with the sudo systemctl restart clagd command on each MLAG pair. | 3.7.14-3.7.14.2 | 3.7.15-3.7.16| +| [2556023, 2555201](#2556023, 2555201)
| After upgrading Cumulus Linux with the apt-upgrade command, then rebooting an MLAG pair, if there are no bonds configured with a clag-id, the clagd service has difficulty peering, and holds all MLAG interfaces and VNIs in a proto down state
To work around this issue, after upgrading both switches, restart the clagd service with the sudo systemctl restart clagd command on each MLAG pair. | 3.7.14-3.7.14.2 | 3.7.15-3.7.16| | [2555908](#2555908)
| If the you add the MLAG backup IP address to the MLAG peer in the secondary role while the peer link is down, the LACP sys-mac does not use the MLAG system MAC address (clagd-sys-mac) when the peer link comes back up
To work around this issue, wait until the peer link is up to add the MLAG backup IP address. To recover from this condition, restart clagd with the sudo systemctl restart clagd command. | 3.7.12-4.0.1 | 4.1.0-4.4.5| | [2555528](#2555528)
| In an EVPN Active/Active configuration, when one of the peers reboots and begins to refresh IP neighbor entries shared by the MLAG peer, some of these ARP messages might be dropped by the MLAG peer's ARP policer.
To work around this issue, increase the burst value of the ARP policers to 200 or higher. | 3.7.14-4.2.1 | 4.3.0-4.4.5| | [2555401](#2555401)
| On the Edgecore AS7312 switch, eth0 and swp use the same MAC address. | 3.7.14-4.2.1 | 4.3.0-4.4.5| @@ -595,7 +595,7 @@ pdfhidden: True | [2553015](#2553015)
| If a neighbour contains a special character in PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail. | 3.7.10-3.7.16, 4.2.0-4.4.5 | | | [2552939](#2552939)
| RX_DRP on a bond interface increases without any data traffic while the slave port does not increase. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2552869](#2552869)
| On the Dell N3048EP switch, the module information from SFP ports is not displayed in the l1-show command.
To work around this issue, use the ethtool -m command. | 3.7.13-4.2.1 | 4.3.0-4.4.5| -| [2552742](#2552742)
| On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.
To work around this issue, restart switchd. | 3.7.12-4.2.1 | 4.3.0-4.4.5| +| [2552742, 2553000, 2553936](#2552742, 2553000, 2553936)
| On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.
To work around this issue, restart switchd. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2552739](#2552739)
| Counters for IPROUTER rules do not increase when traffic is forwarded to the CPU because there is no IP neighbor. | 3.7.2-3.7.16 | | | [2552294](#2552294)
| NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command.
| 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2551911](#2551911)
| ifupdown2 does not account for link status or link down configuration when running dhclient. For example, ifupdown2 ignores link-down yes during ifup/ifreload and runs the DHCP module if inet dhcp is configured on the interface. ifupdown2 also runs the DHCP module even when the physical link configured for DHCP is down. | 3.7.12-4.2.0 | 4.2.1-4.4.5| @@ -636,7 +636,7 @@ pdfhidden: True | [2547942](#2547942)
| On the Lenovo NE0152T switch, one power supply (PSU2) always show as ABSENT in smonctl. | 3.7.11-4.0.1 | 4.1.0-4.4.5| | [2547839](#2547839)
| When you try to configure link-down on a parent interface of a subinterface configured in a VRF, you encounter an error. | 3.7.11-4.1.1 | 4.2.0-4.4.5| | [2547782](#2547782)
| If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2547706](#2547706)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2547706, 2544456, 2549513](#2547706, 2544456, 2549513)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2547659](#2547659)
| On the EdgeCore AS7326-56X switch, the default fan speed, which is defined in the thermal specification, results in excessive fan noise. | 3.7.11-4.0.1 | 4.1.0-4.4.5| | [2547573](#2547573)
| On Tomahawk switches, when the vxlan_tnl_arp_punt_disable option is set to FALSE, ARP packets are not forwarded to the CPU. | 3.7.9-3.7.16 | | | [2547443](#2547443)
| On the Dell N3248PXE-ON switch, 25G SFP ports do not work in 10G mode. | 3.7.11-4.0.1 | 4.1.0-4.4.5| @@ -650,9 +650,9 @@ pdfhidden: True | [2546895](#2546895)
| If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:
bq. systemd[1]: switchd.service watchdog timeout (limit 2min)!
To workaround this issue, either reduce the number of configured interfaces and, or VLANs, or increase the systemd timeout for switchd.service
To increase the systemd timeout:1.Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter
2.Restart the switchd service with the sudo systemctl restart switchd.service command
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546450](#2546450)
| On the EdgeCore AS7326-56X switch, you might see the RPM of certain fans run over the maximum threshold. | 3.7.11-3.7.16 | | | [2546385](#2546385)
| SNMP ifLastChange reports link transitions when there are none. | 3.7.6-3.7.16 | | -| [2546225](#2546225)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546225, 2541038](#2546225, 2541038)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546203](#2546203)
| When using QinQ with a traditional bridge, if you enable the LLDP dot1 TLV option, you see the following suboptimal behavior:
* Both the inner and outer VLAN information is sent as part of VLAN TLVs in the LLDP packet.
* If the outer VLAN ID is the same as the inner VLAN ID, only one VLAN TLV is sent with that VLAN ID in the LLDP packet. | 3.7.11-3.7.16 | | -| [2546131](#2546131)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546131, 2542979](#2546131, 2542979)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546010](#2546010)
| When hal.bcm.per_vlan_router_mac_lookup is set to TRUE in the /etc/cumulus/switchd.conf file, inter-VLAN traffic is forwarded to the CPU when associated VNI interfaces exist. | 3.7.10-3.7.16 | | | [2545997](#2545997)
| The NCLU command net show interface produces an error if bonds with no members exist.
To work around this issue, remove the empty Bond interfaces from the /etc/network/interfaces file and run sudo ifreload -a. | 3.7.10-3.7.16 | | | [2545566](#2545566)
| The Dell Z9100-ON switch incorrectly reports many sensors as ABSENT. | 3.7.12-4.0.1 | 4.1.0-4.4.5| @@ -665,27 +665,27 @@ pdfhidden: True | [2544829](#2544829)
| Frames received with a VLAN tag of 0 on an interface configured as a bridge port and forwarded to the CPU for processing might appear tagged with the native VLAN when viewed with tcpdump. | 3.7.8-3.7.16 | | | [2544556](#2544556)
| If you reconfigure an NTP server with NCLU using different trailing options after the IP address (such as iburst), an invalid configuration is added to the /etc/ntp.conf file. For example:

net add time ntp server 1.2.3.4 iburst
net commit
net add time ntp server 1.2.3.4
net commit

If you need to alter existing server configurations, first remove the server, commit, then re-add the server with any trailing options. | 3.7.9-4.1.1 | 4.2.0-4.4.5| | [2544463](#2544463)
| Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | -| [2544456](#2544456)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | +| [2544456, 2546166, 2546167, 2547706, 2549513](#2544456, 2546166, 2546167, 2547706, 2549513)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544311](#2544311)
| Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544155](#2544155)
| NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order.

| 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544113](#2544113)
| Mac learning is not disabled by default on a double tagged peer link interface resulting in the MAC address changing between the MLAG bond and the peer link.
To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the etc/network/interfaces file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2543900](#2543900)
| On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | | -| [2543841](#2543841)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | +| [2543841, 2544947](#2543841, 2544947)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | | [2543840](#2543840)
| On the Mellanox SN2700 switch, you cannot enable resilient hashing (RASH) and set the bucket size to 64 in the traffic.conf file.

| 3.7.6-3.7.16 | | | [2543800](#2543800)
| When local-tunnelip is an SVI, the static VXLAN tunnel does not work; the next hop router receives the packet but drops it as it does not know where to forward the packet. The static VXLAN tunnel does works if local-tunnelip is a loopback or a physical layer 3 interface.
| 3.7.8-3.7.16 | 4.0.0-4.4.5| | [2543647](#2543647)
| ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:

-A FORWARD -i vni10 -j erspan --src-ip 100.1.1.2 --dst-ip 100.1.1.1 --ttl 64
| 3.7.6-4.2.1 | 4.3.0-4.4.5| | [2543646](#2543646)
| In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2543627](#2543627)
| Tomahawk 40G DACs cannot disable auto-negotiation. | 3.7.7-3.7.16 | 4.0.0-4.4.5| -| [2543270](#2543270)
| The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5| +| [2543270, 2549352](#2543270, 2549352)
| The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5| | [2543211](#2543211)
| In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2543164](#2543164)
| The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2543096](#2543096)
| When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2543058](#2543058)
| The IP neighbor entry for a link-local next hop is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces.
To work around this issue, flap the peering to the peer router (which might be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces. | 3.7.7-3.7.16 | 4.0.0-4.4.5| | [2543052](#2543052)
| Received EVPN type-5 and type-2 MACIP routes are not installed in the kernel (and hardware) routing tables for the associated VRF, which causes traffic to be blackholed. The failure to install the default route causes complete reachability failure for the particular tenant on the affected racks. The routes that are not installed are seen as "inactive" in the routing subsystem (FRR) VRF routing table. This problem is rare and can occur only in EVPN configurations that have user-configured route targets (RTs) for tenant VRFs, and only following a restart of FRR.
To work around this issue, either restart the FRR service on the affected switch with the sudo systemctl restart frr.service command or bounce the layer 3 SVI for the affected VRF; for example:

ifdown vlan123 ; sleep 2 ; ifup vlan123

You can run the net show vrf vni command to print a mapping of VRF : L3-VNI : L3-SVI. | 3.7.5-3.7.16 | 4.0.0-4.4.5| | [2543044](#2543044)
| Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up.
You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up. | 3.7.2-3.7.16 | 4.0.0-4.4.5| -| [2542979](#2542979)
| On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5| +| [2542979, 2546131](#2542979, 2546131)
| On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5| | [2542945](#2542945)
| On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags.
To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad: 

cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | -| [2542310](#2542310)
| hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6.
| 3.7.6-3.7.16 | | +| [2542310, 2523456](#2542310, 2523456)
| hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6.
| 3.7.6-3.7.16 | | | [2542305](#2542305)
| If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2542301](#2542301)
| When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2541212](#2541212)
| The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | @@ -699,7 +699,7 @@ pdfhidden: True | [2540352](#2540352)
| When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a _match interface_ condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9 
net add routing route-map Proxy-ARP permit 30 match interface swp10

| 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2540340](#2540340)
| NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example: 
 
 cumulus@switch:~$ net add vrf mgmt

Tab completion for the net add vrf ip address
command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540274](#2540274)
| On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | -| [2540204](#2540204)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540204, 2713883](#2540204, 2713883)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540192](#2540192)
| The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540155](#2540155)
| On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2540042](#2540042)
| When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example: 
 
cumulus@switch:~$ sudo vtysh 
switch# configure terminal 
switch(config)# interface br0.100 
switch(config-if)# vrrp 1 priority 110 
switch(config-if)# vrrp 1 advertisement-interval 
switch(config-if)# end 
switch# write memory 
switch# exit 
cumulus@switch:~

| 3.7.4-3.7.16, 4.0.0-4.4.5 | | @@ -718,12 +718,12 @@ pdfhidden: True | [2538302](#2538302)
| portwd allows an error to change the module type based on the error. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap.
| 3.7.0-3.7.16 | | | [2538294](#2538294)
| If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2538256](#2538256)
| On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets.
| 3.7.2-4.0.1 | 4.1.0-4.4.5| -| [2537819](#2537819)
| When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
| 3.7.2-3.7.16 | 4.0.0-4.4.5| +| [2537819, 2542964](#2537819, 2542964)
| When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
| 3.7.2-3.7.16 | 4.0.0-4.4.5| | [2537699](#2537699)
| There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces: 
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
| 3.7.1-3.7.16, 4.0.0-4.4.5 | | -| [2537544](#2537544)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2537544, 2537365](#2537544, 2537365)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | | [2537378](#2537378)
| NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.
To work around this issue, stop snmpd, remove the cache file, then restart snmpd.
| 3.7.1-3.7.16 | | | [2537188](#2537188)
| When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.
This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network.
| 3.7.2-3.7.16 | | -| [2537104](#2537104)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | 4.0.0-4.4.5| +| [2537104, 2534061](#2537104, 2534061)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | 4.0.0-4.4.5| | [2537061](#2537061)
| The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent.
| 3.7.1-4.0.1 | 4.1.0-4.4.5| | [2536608](#2536608)
| Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI.
| 3.7.0-3.7.16 | | | [2536384](#2536384)
| The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | @@ -736,10 +736,10 @@ pdfhidden: True ### Fixed Issues in 3.7.14.2 | Issue ID | Description | Affects | |--- |--- |--- | -| [2556012](#2556012)
| On Broadcom switches, after repeated VLAN or VXLAN configuration changes, switchd memory might not free up appropriately, which can lead to a crash. | 3.7.14, 4.0.0-4.2.1 | | +| [2556012, 2556276](#2556012, 2556276)
| On Broadcom switches, after repeated VLAN or VXLAN configuration changes, switchd memory might not free up appropriately, which can lead to a crash. | 3.7.14, 4.0.0-4.2.1 | | | [2555494](#2555494)
| On Broadcom switches, when WARN level switchd log messages are generated, switchd might crash resulting in a core file generated on the system. | 4.2.0-4.2.1 | | | [2555178](#2555178)
| On Mellanox switches, the ASIC temperature sensor reading reports zeros. As a result, the fan speed is higher than normal.
You can see the temperature reading in the output of the sensors command. | 3.7.14 | | -| [2552214](#2552214)
| The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages. | 3.7.11-3.7.14, 4.1.1-4.3.0 | | +| [2552214, 2553637](#2552214, 2553637)
| The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages. | 3.7.11-3.7.14, 4.1.1-4.3.0 | | ## 3.7.14 Release Notes ### Open Issues in 3.7.14 @@ -763,19 +763,19 @@ pdfhidden: True | [2866061](#2866061)
| On the Maverick S4148T switch with MLAG, Cumulus Linux drops LACP, ARP, LLDP and BGP traffic. | 3.7.12-3.7.16 | | | [2815592](#2815592)
| In an EVPN configuration, an FRR restart on a border leaf VRRP master causes a stale route for the VRRP VIP on some remote VTEPs to point to the VRRP backup after convergence. | 3.7.12-3.7.15, 4.3.0, 4.4.2-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.16.1| | [2801262](#2801262)
| On NVIDIA Spectrum ASICs in a layer 2 bridge scaled configuration (more than 800 VLANs), clagd.service enters a failed state after a reboot or a switchd restart. | 3.7.12-3.7.15, 4.3.0, 4.4.2-4.4.5 | 3.7.16, 4.3.1, 5.0.0-5.16.1| -| [2794750](#2794750)
| When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.
To work around this issue, remove the unnecessary eBGP IPv4 peering. | 3.7.12-4.2.1 | 4.3.0-4.4.5| +| [2794750, 2555635](#2794750, 2555635)
| When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.
To work around this issue, remove the unnecessary eBGP IPv4 peering. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2736265](#2736265)
| After an apt upgrade, the OPTIONS configuration line in /etc/default/isc-dhcp-relay might be removed. To work around this issue, reconfigure the desired options in the file after the upgrade completes. | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5| | [2730225](#2730225)
| When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs. | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.2-4.4.5| | [2700767](#2700767)
| Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use a MLAG peer IP linklocal configuration. | 3.7.12-3.7.15, 4.3.0-4.4.5 | 3.7.16| | [2687332](#2687332)
| When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage
To workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:
address-family ipv4 unicast
  aggregate-address 10.10.0.0/16 summary-only
  redistribute connected
After:
ip route 10.10.0.0/16 Null0
  !
  address-family ipv4 unicast
  redistribute connected route-map DENY-COMPONENTS
  redistribute static
   exit-address-family
  ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17
  !
  route-map DENY-COMPONENTS deny 10
   match ip address prefix-list NO-COMPONENTS
  !
  route-map DENY-COMPONENTS permit 20
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-4.2.1 | 4.3.0-4.4.5| -| [2684452](#2684452)
| When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table
You can work around this issue with the following steps:1. Clear all corrupted mac entries in the kernel FDB with the bridge fdb del
dev [dst\|via] command2. Add "vxlan-learning": "off" under /etc/network/ifupdown2/policy.d/vxlan.json
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
  {
       "vxlan": {
           "module_globals": { "vxlan-purge-remotes": "no" },
           "defaults": {
               "vxlan-ageing": "1800",
               "vxlan-port": "4789", <==== This comma needs to be added at the end of this line
               "vxlan-learning": "off" <= This line needs to be added
            }
       }
  }
3. Reboot the affected switch(es) | 3.7.12-3.7.16 | | +| [2684452, 2701788, 2940067](#2684452, 2701788, 2940067)
| When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table
You can work around this issue with the following steps:1. Clear all corrupted mac entries in the kernel FDB with the bridge fdb del
dev [dst\|via] command2. Add "vxlan-learning": "off" under /etc/network/ifupdown2/policy.d/vxlan.json
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
  {
       "vxlan": {
           "module_globals": { "vxlan-purge-remotes": "no" },
           "defaults": {
               "vxlan-ageing": "1800",
               "vxlan-port": "4789", <==== This comma needs to be added at the end of this line
               "vxlan-learning": "off" <= This line needs to be added
            }
       }
  }
3. Reboot the affected switch(es) | 3.7.12-3.7.16 | | | [2669438](#2669438)
| Editing the /etc/frr/frr.conf file to add a new sequence at the beginning of an existing large prefix list changes the subsequent sequence numbers of the next entries in the list and FRR reload might fail with the error message frr.service reload operation timed out. Stopping. To work around this issue, instead of adding the new prefix using an existing sequence number and pushing other sequences forward, use a sequence number that is free; for example, instead of of using 5 -> 10 -> 15, use 5 -> 7 -> 10. | 3.7.11-3.7.16 | | | [2660582](#2660582)
| In an MLAG configuration, the secondary MLAG switch does not use a unique address instead of the MLAG system MAC address when there is a double failure (backup IP and peer link failure)
To recover restart the clagd service with sudo systemctl restart clagd.service | 3.7.8-3.7.15 | 3.7.16| | [2653400](#2653400)
| When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration. | 3.7.10-3.7.16 | | | [2645846](#2645846)
| When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration. | 3.7.10-3.7.15 | 3.7.16, 4.3.1-4.4.5| | [2638137](#2638137)
| When you delete a static route using NCLU, the configuration is not deleted from the running configuration or from the /etc/frr/frr.conf file. | 3.7.13-3.7.16 | | | [2633245](#2633245)
| On the Dell N3048EP-ON switch, the SPF+ ports remain down after a power cycle. | 3.7.10-3.7.16 | | -| [2599607](#2599607)
| In some corner cases, remote MAC entries may be seen as locally learnt entries in FDB table due to switchd reprogramming it | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.4-4.4.5, 5.0.0-5.16.1| +| [2599607, 2545364, 3297583](#2599607, 2545364, 3297583)
| In some corner cases, remote MAC entries may be seen as locally learnt entries in FDB table due to switchd reprogramming it | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.4-4.4.5, 5.0.0-5.16.1| | [2595889](#2595889)
| In a traditional bridge configuration with ip-forward off, neighbors are synchronized to hardware with a switchd restart but are cleared when you flap the bridge interface. | 3.7.10-4.2.1 | 4.3.0-4.4.5| | [2595816](#2595816)
| Tenant VRF BGP peers appear in the EVPN RMAC and nexthop tables, which causes the kernel RMAC to point at invalid IP address. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2589747](#2589747)
| If switchd successfully signals clagd that it is going down, clagd stops responding to keepalive echo requests from the peer instead of sending a good bye to the peer over both the peerlink and the backup switch. Eventually, the keepalive timer expires and the secondary switch becomes the primary, and brings the bonds and VNIs back up. However, if switchd does not successfully signal it is going down, (in the event of a crash), the primary switch continues to respond to keepalives, and the bonds and VNIs are down on both peers. | 3.7.12-4.2.1 | 4.3.0-4.4.5| @@ -785,8 +785,8 @@ pdfhidden: True | [2556763](#2556763)
| In a configuration with both traditional and VLAN-aware bridges, the VLAN membership check on a VLAN-aware bridge does not drop PVST BPBUs that come from a traditional bridge. | 3.7.14-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5| | [2556233](#2556233)
| Some ECMP next-hops might fail installation into hardware at high ECMP group and route scale. The following log message will be observed when this condition occurs:WARN xx routes reverted to non-ECMP due to NH table capacity | 3.7.9-3.7.14.2 | 3.7.15-3.7.16| | [2556037](#2556037)
| After you add an interface to the bridge, an OSPF session flap might occur
| 3.7.9-4.2.0 | 4.2.1-4.4.5| -| [2556023](#2556023)
| After upgrading Cumulus Linux with the apt-upgrade command, then rebooting an MLAG pair, if there are no bonds configured with a clag-id, the clagd service has difficulty peering, and holds all MLAG interfaces and VNIs in a proto down state
To work around this issue, after upgrading both switches, restart the clagd service with the sudo systemctl restart clagd command on each MLAG pair. | 3.7.14-3.7.14.2 | 3.7.15-3.7.16| -| [2556012](#2556012)
| On Broadcom switches, after repeated VLAN or VXLAN configuration changes, switchd memory might not free up appropriately, which can lead to a crash. | 3.7.14-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| +| [2556023, 2555201](#2556023, 2555201)
| After upgrading Cumulus Linux with the apt-upgrade command, then rebooting an MLAG pair, if there are no bonds configured with a clag-id, the clagd service has difficulty peering, and holds all MLAG interfaces and VNIs in a proto down state
To work around this issue, after upgrading both switches, restart the clagd service with the sudo systemctl restart clagd command on each MLAG pair. | 3.7.14-3.7.14.2 | 3.7.15-3.7.16| +| [2556012, 2556276](#2556012, 2556276)
| On Broadcom switches, after repeated VLAN or VXLAN configuration changes, switchd memory might not free up appropriately, which can lead to a crash. | 3.7.14-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| | [2555908](#2555908)
| If the you add the MLAG backup IP address to the MLAG peer in the secondary role while the peer link is down, the LACP sys-mac does not use the MLAG system MAC address (clagd-sys-mac) when the peer link comes back up
To work around this issue, wait until the peer link is up to add the MLAG backup IP address. To recover from this condition, restart clagd with the sudo systemctl restart clagd command. | 3.7.12-4.0.1 | 4.1.0-4.4.5| | [2555528](#2555528)
| In an EVPN Active/Active configuration, when one of the peers reboots and begins to refresh IP neighbor entries shared by the MLAG peer, some of these ARP messages might be dropped by the MLAG peer's ARP policer.
To work around this issue, increase the burst value of the ARP policers to 200 or higher. | 3.7.14-4.2.1 | 4.3.0-4.4.5| | [2555401](#2555401)
| On the Edgecore AS7312 switch, eth0 and swp use the same MAC address. | 3.7.14-4.2.1 | 4.3.0-4.4.5| @@ -809,10 +809,10 @@ pdfhidden: True | [2553015](#2553015)
| If a neighbour contains a special character in PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail. | 3.7.10-3.7.16, 4.2.0-4.4.5 | | | [2552939](#2552939)
| RX_DRP on a bond interface increases without any data traffic while the slave port does not increase. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2552869](#2552869)
| On the Dell N3048EP switch, the module information from SFP ports is not displayed in the l1-show command.
To work around this issue, use the ethtool -m command. | 3.7.13-4.2.1 | 4.3.0-4.4.5| -| [2552742](#2552742)
| On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.
To work around this issue, restart switchd. | 3.7.12-4.2.1 | 4.3.0-4.4.5| +| [2552742, 2553000, 2553936](#2552742, 2553000, 2553936)
| On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.
To work around this issue, restart switchd. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2552739](#2552739)
| Counters for IPROUTER rules do not increase when traffic is forwarded to the CPU because there is no IP neighbor. | 3.7.2-3.7.16 | | | [2552294](#2552294)
| NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command.
| 3.7.12-3.7.16, 4.0.0-4.4.5 | | -| [2552214](#2552214)
| The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages. | 3.7.11-3.7.14.2, 4.1.1-4.3.0 | 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5| +| [2552214, 2553637](#2552214, 2553637)
| The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages. | 3.7.11-3.7.14.2, 4.1.1-4.3.0 | 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5| | [2551911](#2551911)
| ifupdown2 does not account for link status or link down configuration when running dhclient. For example, ifupdown2 ignores link-down yes during ifup/ifreload and runs the DHCP module if inet dhcp is configured on the interface. ifupdown2 also runs the DHCP module even when the physical link configured for DHCP is down. | 3.7.12-4.2.0 | 4.2.1-4.4.5| | [2551578](#2551578)
| When you configure a bridge in the /etc/network/interfaces file, then try to reconfigure the bridge to be a VRF interface with the same name, ifreload/ifup commands fail with an invalid table id or unable to get vrf table id error. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2551565](#2551565)
| If you toggle VRRP priority values between VRRP routers, then restart switchd, a few IPv6 VRRP instances might not converge. As a result, both the VRRP routers act as master routers for the impacted IPv6 VRRP instances. IPv4 VRRP instances are not affected
To work around this issue, remove, then add back the VRRP configuration with NCLU or vtysh commands. | 3.7.13-3.7.16, 4.2.0-4.4.5 | | @@ -851,7 +851,7 @@ pdfhidden: True | [2547942](#2547942)
| On the Lenovo NE0152T switch, one power supply (PSU2) always show as ABSENT in smonctl. | 3.7.11-4.0.1 | 4.1.0-4.4.5| | [2547839](#2547839)
| When you try to configure link-down on a parent interface of a subinterface configured in a VRF, you encounter an error. | 3.7.11-4.1.1 | 4.2.0-4.4.5| | [2547782](#2547782)
| If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2547706](#2547706)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2547706, 2544456, 2549513](#2547706, 2544456, 2549513)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2547659](#2547659)
| On the EdgeCore AS7326-56X switch, the default fan speed, which is defined in the thermal specification, results in excessive fan noise. | 3.7.11-4.0.1 | 4.1.0-4.4.5| | [2547573](#2547573)
| On Tomahawk switches, when the vxlan_tnl_arp_punt_disable option is set to FALSE, ARP packets are not forwarded to the CPU. | 3.7.9-3.7.16 | | | [2547443](#2547443)
| On the Dell N3248PXE-ON switch, 25G SFP ports do not work in 10G mode. | 3.7.11-4.0.1 | 4.1.0-4.4.5| @@ -865,9 +865,9 @@ pdfhidden: True | [2546895](#2546895)
| If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:
bq. systemd[1]: switchd.service watchdog timeout (limit 2min)!
To workaround this issue, either reduce the number of configured interfaces and, or VLANs, or increase the systemd timeout for switchd.service
To increase the systemd timeout:1.Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter
2.Restart the switchd service with the sudo systemctl restart switchd.service command
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546450](#2546450)
| On the EdgeCore AS7326-56X switch, you might see the RPM of certain fans run over the maximum threshold. | 3.7.11-3.7.16 | | | [2546385](#2546385)
| SNMP ifLastChange reports link transitions when there are none. | 3.7.6-3.7.16 | | -| [2546225](#2546225)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546225, 2541038](#2546225, 2541038)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546203](#2546203)
| When using QinQ with a traditional bridge, if you enable the LLDP dot1 TLV option, you see the following suboptimal behavior:
* Both the inner and outer VLAN information is sent as part of VLAN TLVs in the LLDP packet.
* If the outer VLAN ID is the same as the inner VLAN ID, only one VLAN TLV is sent with that VLAN ID in the LLDP packet. | 3.7.11-3.7.16 | | -| [2546131](#2546131)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546131, 2542979](#2546131, 2542979)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546010](#2546010)
| When hal.bcm.per_vlan_router_mac_lookup is set to TRUE in the /etc/cumulus/switchd.conf file, inter-VLAN traffic is forwarded to the CPU when associated VNI interfaces exist. | 3.7.10-3.7.16 | | | [2545997](#2545997)
| The NCLU command net show interface produces an error if bonds with no members exist.
To work around this issue, remove the empty Bond interfaces from the /etc/network/interfaces file and run sudo ifreload -a. | 3.7.10-3.7.16 | | | [2545566](#2545566)
| The Dell Z9100-ON switch incorrectly reports many sensors as ABSENT. | 3.7.12-4.0.1 | 4.1.0-4.4.5| @@ -880,27 +880,27 @@ pdfhidden: True | [2544829](#2544829)
| Frames received with a VLAN tag of 0 on an interface configured as a bridge port and forwarded to the CPU for processing might appear tagged with the native VLAN when viewed with tcpdump. | 3.7.8-3.7.16 | | | [2544556](#2544556)
| If you reconfigure an NTP server with NCLU using different trailing options after the IP address (such as iburst), an invalid configuration is added to the /etc/ntp.conf file. For example:

net add time ntp server 1.2.3.4 iburst
net commit
net add time ntp server 1.2.3.4
net commit

If you need to alter existing server configurations, first remove the server, commit, then re-add the server with any trailing options. | 3.7.9-4.1.1 | 4.2.0-4.4.5| | [2544463](#2544463)
| Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | -| [2544456](#2544456)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | +| [2544456, 2546166, 2546167, 2547706, 2549513](#2544456, 2546166, 2546167, 2547706, 2549513)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544311](#2544311)
| Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544155](#2544155)
| NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order.

| 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544113](#2544113)
| Mac learning is not disabled by default on a double tagged peer link interface resulting in the MAC address changing between the MLAG bond and the peer link.
To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the etc/network/interfaces file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2543900](#2543900)
| On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | | -| [2543841](#2543841)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | +| [2543841, 2544947](#2543841, 2544947)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | | [2543840](#2543840)
| On the Mellanox SN2700 switch, you cannot enable resilient hashing (RASH) and set the bucket size to 64 in the traffic.conf file.

| 3.7.6-3.7.16 | | | [2543800](#2543800)
| When local-tunnelip is an SVI, the static VXLAN tunnel does not work; the next hop router receives the packet but drops it as it does not know where to forward the packet. The static VXLAN tunnel does works if local-tunnelip is a loopback or a physical layer 3 interface.
| 3.7.8-3.7.16 | 4.0.0-4.4.5| | [2543647](#2543647)
| ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:

-A FORWARD -i vni10 -j erspan --src-ip 100.1.1.2 --dst-ip 100.1.1.1 --ttl 64
| 3.7.6-4.2.1 | 4.3.0-4.4.5| | [2543646](#2543646)
| In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2543627](#2543627)
| Tomahawk 40G DACs cannot disable auto-negotiation. | 3.7.7-3.7.16 | 4.0.0-4.4.5| -| [2543270](#2543270)
| The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5| +| [2543270, 2549352](#2543270, 2549352)
| The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5| | [2543211](#2543211)
| In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2543164](#2543164)
| The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2543096](#2543096)
| When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2543058](#2543058)
| The IP neighbor entry for a link-local next hop is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces.
To work around this issue, flap the peering to the peer router (which might be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces. | 3.7.7-3.7.16 | 4.0.0-4.4.5| | [2543052](#2543052)
| Received EVPN type-5 and type-2 MACIP routes are not installed in the kernel (and hardware) routing tables for the associated VRF, which causes traffic to be blackholed. The failure to install the default route causes complete reachability failure for the particular tenant on the affected racks. The routes that are not installed are seen as "inactive" in the routing subsystem (FRR) VRF routing table. This problem is rare and can occur only in EVPN configurations that have user-configured route targets (RTs) for tenant VRFs, and only following a restart of FRR.
To work around this issue, either restart the FRR service on the affected switch with the sudo systemctl restart frr.service command or bounce the layer 3 SVI for the affected VRF; for example:

ifdown vlan123 ; sleep 2 ; ifup vlan123

You can run the net show vrf vni command to print a mapping of VRF : L3-VNI : L3-SVI. | 3.7.5-3.7.16 | 4.0.0-4.4.5| | [2543044](#2543044)
| Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up.
You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up. | 3.7.2-3.7.16 | 4.0.0-4.4.5| -| [2542979](#2542979)
| On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5| +| [2542979, 2546131](#2542979, 2546131)
| On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5| | [2542945](#2542945)
| On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags.
To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad: 

cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | -| [2542310](#2542310)
| hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6.
| 3.7.6-3.7.16 | | +| [2542310, 2523456](#2542310, 2523456)
| hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6.
| 3.7.6-3.7.16 | | | [2542305](#2542305)
| If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2542301](#2542301)
| When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2541212](#2541212)
| The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | @@ -914,7 +914,7 @@ pdfhidden: True | [2540352](#2540352)
| When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a _match interface_ condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9 
net add routing route-map Proxy-ARP permit 30 match interface swp10

| 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2540340](#2540340)
| NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example: 
 
 cumulus@switch:~$ net add vrf mgmt

Tab completion for the net add vrf ip address
command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540274](#2540274)
| On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | -| [2540204](#2540204)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540204, 2713883](#2540204, 2713883)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540192](#2540192)
| The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540155](#2540155)
| On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2540042](#2540042)
| When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example: 
 
cumulus@switch:~$ sudo vtysh 
switch# configure terminal 
switch(config)# interface br0.100 
switch(config-if)# vrrp 1 priority 110 
switch(config-if)# vrrp 1 advertisement-interval 
switch(config-if)# end 
switch# write memory 
switch# exit 
cumulus@switch:~

| 3.7.4-3.7.16, 4.0.0-4.4.5 | | @@ -933,12 +933,12 @@ pdfhidden: True | [2538302](#2538302)
| portwd allows an error to change the module type based on the error. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap.
| 3.7.0-3.7.16 | | | [2538294](#2538294)
| If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2538256](#2538256)
| On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets.
| 3.7.2-4.0.1 | 4.1.0-4.4.5| -| [2537819](#2537819)
| When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
| 3.7.2-3.7.16 | 4.0.0-4.4.5| +| [2537819, 2542964](#2537819, 2542964)
| When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
| 3.7.2-3.7.16 | 4.0.0-4.4.5| | [2537699](#2537699)
| There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces: 
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
| 3.7.1-3.7.16, 4.0.0-4.4.5 | | -| [2537544](#2537544)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2537544, 2537365](#2537544, 2537365)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | | [2537378](#2537378)
| NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.
To work around this issue, stop snmpd, remove the cache file, then restart snmpd.
| 3.7.1-3.7.16 | | | [2537188](#2537188)
| When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.
This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network.
| 3.7.2-3.7.16 | | -| [2537104](#2537104)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | 4.0.0-4.4.5| +| [2537104, 2534061](#2537104, 2534061)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | 4.0.0-4.4.5| | [2537061](#2537061)
| The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent.
| 3.7.1-4.0.1 | 4.1.0-4.4.5| | [2536608](#2536608)
| Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI.
| 3.7.0-3.7.16 | | | [2536384](#2536384)
| The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | @@ -956,16 +956,16 @@ pdfhidden: True | [2554232](#2554232)
| VXLAN encapsulated traffic is not routed to the next hop because the destination VTEP IP address is mis-programmed on the switch, which decapsulates the traffic unexpectedly.
To work around this issue, restart switchd. | 3.7.12-3.7.13 | | | [2553732](#2553732)
| A ping via a dual-connected bond fails, and the audio stream is not routed or encapsulated through the layer 3 VNI. | 3.7.12-3.7.13, 4.0.0-4.2.1 | | | [2553588](#2553588)
| Multicast traffic on a VPN is sent to remote VTEPs that are not part of the VPN and the remote VTEPs receive multicast traffic encapsulated in a VXLAN ID that doesn't exist.
To work around this issue, disable IGMP snooping on the switch. | 3.7.12-3.7.13, 4.0.0-4.2.1 | | -| [2553530](#2553530)
| In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated.
To work around this issue, restart FRR with the sudo systemctl restart frr.service command.

| 3.7.10-3.7.13, 4.1.1-4.2.1 | | +| [2553530, 2553349](#2553530, 2553349)
| In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated.
To work around this issue, restart FRR with the sudo systemctl restart frr.service command.

| 3.7.10-3.7.13, 4.1.1-4.2.1 | | | [2553450](#2553450)
| On the the Dell N3248-PXE switch, when you insert two PSUs at different times, the newly inserted PSU is detected as OK but the fan and temp sensors are ABSENT.
To work around this issue, remove power to both PSUs at the same time, then reinsert power simultaneously. | 3.7.12-3.7.13, 4.2.1 | | | [2553229](#2553229)
| On the Dell N3248PXE switch, RJ45 fixed copper ports that auto-negotiate with a 100M or 10M neighbor incorrectly negotiate a half-duplex link that generates errors. Half duplex modes are not supported on this platform. | 3.7.12-3.7.13, 4.2.1 | | -| [2553001](#2553001)
| When the following conditions exist, clagd might fail to establish a TCP control session across the subinterface (such as, peerlink.4094):
* clagd uses an IPv6 link-local address (LLA) to establish the TCP connection (the clagd-peer-ip linklocal command configures an IPv6 LLA connection)

* Subsequent VLAN changes are made to VLAN sub-interfaces or adding or removing SVIs

This issue occurs because the hardware stores one entry per VRF to represent the IPv6 LLA. The hardware entry for the LLA is removed when another interface is changed because the software interfaces are represented by a single entity in hardware. As a result, packets destined to the local IPv6 LLA address are received on the port but do not get forwarded to CPU for further processing.

To workaround this issue, use IPv4 addresses under peerlink.4094 and configure clagd to peer on IPv4 addresses. | 3.7.12-3.7.13 | | -| [2552925](#2552925)
| On the EdgeCore AS-6712-32X, AS5812-54X and AS5812-54T switch models, the temp sensors (DIMM temp sensor) show ABSENT. The amber diagnostic light on the front of the switch might also be turned on due to this issue.
These messages and the light are cosmetic issues only and do not otherwise impact the function of the switch. | 3.7.12-3.7.13 | | +| [2553001, 2552742](#2553001, 2552742)
| When the following conditions exist, clagd might fail to establish a TCP control session across the subinterface (such as, peerlink.4094):
* clagd uses an IPv6 link-local address (LLA) to establish the TCP connection (the clagd-peer-ip linklocal command configures an IPv6 LLA connection)

* Subsequent VLAN changes are made to VLAN sub-interfaces or adding or removing SVIs

This issue occurs because the hardware stores one entry per VRF to represent the IPv6 LLA. The hardware entry for the LLA is removed when another interface is changed because the software interfaces are represented by a single entity in hardware. As a result, packets destined to the local IPv6 LLA address are received on the port but do not get forwarded to CPU for further processing.

To workaround this issue, use IPv4 addresses under peerlink.4094 and configure clagd to peer on IPv4 addresses. | 3.7.12-3.7.13 | | +| [2552925, 2552378](#2552925, 2552378)
| On the EdgeCore AS-6712-32X, AS5812-54X and AS5812-54T switch models, the temp sensors (DIMM temp sensor) show ABSENT. The amber diagnostic light on the front of the switch might also be turned on due to this issue.
These messages and the light are cosmetic issues only and do not otherwise impact the function of the switch. | 3.7.12-3.7.13 | | | [2552881](#2552881)
| IPv6 TCP or UDP connections (sourcing from an ephemeral port in the range 34048 to 35071) are not forwarded if the switch has more than one layer 2 VNI defined. The traffic might be locally switched on the bridge and dropped.
To work around this issue, disable ARP/ND suppression to remove the internal ACL rule that affects the ports. | 3.7.13, 4.2.1 | | | [2552859](#2552859)
| Mellanox switches with the Spectrum ASIC fail to read PSU Fan/Temp sensors and report them as Absent. The following messages are observed in syslog:

2020-08-21T07:17:39.068160+00:00 cumulus : /usr/sbin/smond : : PSU1Temp1(PSU1 Temp Sensor): state changed from UNKNOWN to ABSENT
2020-08-21T07:17:39.068911+00:00 cumulus : /usr/sbin/smond : : PSU2Temp1(PSU2 Temp Sensor): state changed from UNKNOWN to ABSENT
| 3.7.13 | | | [2552647](#2552647)
| When you add a member to a bond that has a subinterface configured (such as peerlink.4094), the new member is assigned only the VLAN of the subinterface for forwarding.
To work around this issue, bounce the bond or shutdown the new interface and use the remaining members over the bond. | 3.7.10-3.7.13, 4.2.0 | | | [2552528](#2552528)
| Ingress SPAN/ERSPAN does not mirror packets when the next hop is EVPN encapsulated. | 3.7.7-3.7.13, 4.0.0-4.2.1 | | -| [2552506](#2552506)
| Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports.
To work around this issue, manually set the MAC address of the bridge interface by adding hwaddress to the bridge stanza in the /etc/network/interfaces file. | 3.7.11-3.7.13, 4.0.0-4.2.0 | | +| [2552506, 2552604](#2552506, 2552604)
| Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports.
To work around this issue, manually set the MAC address of the bridge interface by adding hwaddress to the bridge stanza in the /etc/network/interfaces file. | 3.7.11-3.7.13, 4.0.0-4.2.0 | | | [2552301](#2552301)
| On a Mellanox switch with the Spectrum ASIC, you see LPC I2C driver errors similar to the following during boot:

Jul 30 23:49:41.651453 mlx-switch systemd[1]: Started udev Kernel Device Manager.
Jul 30 23:49:41.654978 mlx-switch systemd[1]: Starting LSB: Set preliminary keymap...
Jul 30 23:49:41.668214 mlx-switch kernel: LPCI2C ERR: Invalid flag 0x4 in msg 0
Jul 30 23:49:41.668265 mlx-switch kernel: LPCI2C ERR: Incorrect message
...
| 3.7.13 | | | [2552205](#2552205)
| If the MAC address of an SVI changes, clagd does not update its permanent neighbor entry for the local interface, and it does not report the change to its MLAG peer. This leaves the MLAG peer in a state where its permanent neighbor for the MLAG peer's SVI IP address continues to use the old MAC address, which causes routed traffic over this SVI to be dropped.
To work around this issue, ifdown/ifup the SVI when a MAC address changes. | 3.7.12-3.7.13, 4.0.0-4.2.0 | | | [2551748](#2551748)
| In OVSDB high availability mode, deleting > 200 VLAN bindings might cause ovs-vtepd to crash. Limit the deletion to 200 or fewer VLAN bindings. | 3.7.12-3.7.13, 4.0.0-4.2.1 | | @@ -989,11 +989,11 @@ pdfhidden: True | [2546577](#2546577)
| A traditional bridge with QinQ and a VNI does not work for tagged traffic. | 3.7.10-3.7.13, 4.0.0-4.0.1 | | | [2545934](#2545934)
| Mellanox switches might experience higher CPU usage from the sx_sdk service or when BFD is in use.
To work around this issue, disable BFD to alleviate some of the CPU load. | 3.7.13, 4.0.0-4.1.1 | | | [2545699](#2545699)
| On the Celestica Pebble switch, if you use IPv6 routes with mask /65 to /127, the switchd log fills with errors. | 3.7.10-3.7.13 | | -| [2545537](#2545537)
| On the Mellanox switch with the Spectrum and Spectrum-2 ASIC, IPv6 egress ACLs are not supported on subinterfaces. | 4.0.0-4.1.1 | | +| [2545537, 2545503](#2545537, 2545503)
| On the Mellanox switch with the Spectrum and Spectrum-2 ASIC, IPv6 egress ACLs are not supported on subinterfaces. | 4.0.0-4.1.1 | | | [2545404](#2545404)
| On the Trident3 switch, unicast ARP packets received on a VNI and forwarded to the CPU are not policed. | 3.7.10-3.7.13, 4.0.0-4.0.1 | | | [2535707](#2535707)
| On the Mellanox switch, GRE tunneling does not work if the tunnel source is configured on an SVI interface. If the tunnel source is configured on a physical switch port, then tunneling works as expected. | 4.0.0-4.1.1 | | -| [2534978](#2534978)
| On the Mellanox switch, the destination MAC address of ERSPAN GRE packets is set to all zeros; therefore, the first transit switch might drop packets. | 4.0.0-4.2.1 | | -| [2529322](#2529322)
| On a Mellanox switch in an MLAG configuration, routed packets that arrive on one switch to be forwarded to a destination MAC across the peer link are dropped due to MLAG loop prevention. This affects both routed unicast and multicast packets.

To work around this issue, modify the routing design or policy such that routes do not have a next hop of an MLAG peer switch that traverses the MLAG peer link. | | | +| [2534978, 2535424](#2534978, 2535424)
| On the Mellanox switch, the destination MAC address of ERSPAN GRE packets is set to all zeros; therefore, the first transit switch might drop packets. | 4.0.0-4.2.1 | | +| [2529322, 2528139](#2529322, 2528139)
| On a Mellanox switch in an MLAG configuration, routed packets that arrive on one switch to be forwarded to a destination MAC across the peer link are dropped due to MLAG loop prevention. This affects both routed unicast and multicast packets.

To work around this issue, modify the routing design or policy such that routes do not have a next hop of an MLAG peer switch that traverses the MLAG peer link. | | | ## 3.7.13 Release Notes ### Open Issues in 3.7.13 @@ -1017,19 +1017,19 @@ pdfhidden: True | [2866061](#2866061)
| On the Maverick S4148T switch with MLAG, Cumulus Linux drops LACP, ARP, LLDP and BGP traffic. | 3.7.12-3.7.16 | | | [2815592](#2815592)
| In an EVPN configuration, an FRR restart on a border leaf VRRP master causes a stale route for the VRRP VIP on some remote VTEPs to point to the VRRP backup after convergence. | 3.7.12-3.7.15, 4.3.0, 4.4.2-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.16.1| | [2801262](#2801262)
| On NVIDIA Spectrum ASICs in a layer 2 bridge scaled configuration (more than 800 VLANs), clagd.service enters a failed state after a reboot or a switchd restart. | 3.7.12-3.7.15, 4.3.0, 4.4.2-4.4.5 | 3.7.16, 4.3.1, 5.0.0-5.16.1| -| [2794750](#2794750)
| When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.
To work around this issue, remove the unnecessary eBGP IPv4 peering. | 3.7.12-4.2.1 | 4.3.0-4.4.5| +| [2794750, 2555635](#2794750, 2555635)
| When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.
To work around this issue, remove the unnecessary eBGP IPv4 peering. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2736265](#2736265)
| After an apt upgrade, the OPTIONS configuration line in /etc/default/isc-dhcp-relay might be removed. To work around this issue, reconfigure the desired options in the file after the upgrade completes. | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5| | [2730225](#2730225)
| When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs. | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.2-4.4.5| | [2700767](#2700767)
| Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use a MLAG peer IP linklocal configuration. | 3.7.12-3.7.15, 4.3.0-4.4.5 | 3.7.16| | [2687332](#2687332)
| When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage
To workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:
address-family ipv4 unicast
  aggregate-address 10.10.0.0/16 summary-only
  redistribute connected
After:
ip route 10.10.0.0/16 Null0
  !
  address-family ipv4 unicast
  redistribute connected route-map DENY-COMPONENTS
  redistribute static
   exit-address-family
  ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17
  !
  route-map DENY-COMPONENTS deny 10
   match ip address prefix-list NO-COMPONENTS
  !
  route-map DENY-COMPONENTS permit 20
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-4.2.1 | 4.3.0-4.4.5| -| [2684452](#2684452)
| When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table
You can work around this issue with the following steps:1. Clear all corrupted mac entries in the kernel FDB with the bridge fdb del
dev [dst\|via] command2. Add "vxlan-learning": "off" under /etc/network/ifupdown2/policy.d/vxlan.json
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
  {
       "vxlan": {
           "module_globals": { "vxlan-purge-remotes": "no" },
           "defaults": {
               "vxlan-ageing": "1800",
               "vxlan-port": "4789", <==== This comma needs to be added at the end of this line
               "vxlan-learning": "off" <= This line needs to be added
            }
       }
  }
3. Reboot the affected switch(es) | 3.7.12-3.7.16 | | +| [2684452, 2701788, 2940067](#2684452, 2701788, 2940067)
| When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table
You can work around this issue with the following steps:1. Clear all corrupted mac entries in the kernel FDB with the bridge fdb del
dev [dst\|via] command2. Add "vxlan-learning": "off" under /etc/network/ifupdown2/policy.d/vxlan.json
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
  {
       "vxlan": {
           "module_globals": { "vxlan-purge-remotes": "no" },
           "defaults": {
               "vxlan-ageing": "1800",
               "vxlan-port": "4789", <==== This comma needs to be added at the end of this line
               "vxlan-learning": "off" <= This line needs to be added
            }
       }
  }
3. Reboot the affected switch(es) | 3.7.12-3.7.16 | | | [2669438](#2669438)
| Editing the /etc/frr/frr.conf file to add a new sequence at the beginning of an existing large prefix list changes the subsequent sequence numbers of the next entries in the list and FRR reload might fail with the error message frr.service reload operation timed out. Stopping. To work around this issue, instead of adding the new prefix using an existing sequence number and pushing other sequences forward, use a sequence number that is free; for example, instead of of using 5 -> 10 -> 15, use 5 -> 7 -> 10. | 3.7.11-3.7.16 | | | [2660582](#2660582)
| In an MLAG configuration, the secondary MLAG switch does not use a unique address instead of the MLAG system MAC address when there is a double failure (backup IP and peer link failure)
To recover restart the clagd service with sudo systemctl restart clagd.service | 3.7.8-3.7.15 | 3.7.16| | [2653400](#2653400)
| When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration. | 3.7.10-3.7.16 | | | [2645846](#2645846)
| When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration. | 3.7.10-3.7.15 | 3.7.16, 4.3.1-4.4.5| | [2638137](#2638137)
| When you delete a static route using NCLU, the configuration is not deleted from the running configuration or from the /etc/frr/frr.conf file. | 3.7.13-3.7.16 | | | [2633245](#2633245)
| On the Dell N3048EP-ON switch, the SPF+ ports remain down after a power cycle. | 3.7.10-3.7.16 | | -| [2599607](#2599607)
| In some corner cases, remote MAC entries may be seen as locally learnt entries in FDB table due to switchd reprogramming it | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.4-4.4.5, 5.0.0-5.16.1| +| [2599607, 2545364, 3297583](#2599607, 2545364, 3297583)
| In some corner cases, remote MAC entries may be seen as locally learnt entries in FDB table due to switchd reprogramming it | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.4-4.4.5, 5.0.0-5.16.1| | [2595889](#2595889)
| In a traditional bridge configuration with ip-forward off, neighbors are synchronized to hardware with a switchd restart but are cleared when you flap the bridge interface. | 3.7.10-4.2.1 | 4.3.0-4.4.5| | [2595816](#2595816)
| Tenant VRF BGP peers appear in the EVPN RMAC and nexthop tables, which causes the kernel RMAC to point at invalid IP address. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2589747](#2589747)
| If switchd successfully signals clagd that it is going down, clagd stops responding to keepalive echo requests from the peer instead of sending a good bye to the peer over both the peerlink and the backup switch. Eventually, the keepalive timer expires and the secondary switch becomes the primary, and brings the bonds and VNIs back up. However, if switchd does not successfully signal it is going down, (in the event of a crash), the primary switch continues to respond to keepalives, and the bonds and VNIs are down on both peers. | 3.7.12-4.2.1 | 4.3.0-4.4.5| @@ -1053,27 +1053,27 @@ pdfhidden: True | [2553732](#2553732)
| A ping via a dual-connected bond fails, and the audio stream is not routed or encapsulated through the layer 3 VNI. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2553677](#2553677)
| When you configure an SNMPv3 user with the net-snmp-config configuration command from the libsnmp-dev package, you get an error message similar to the one below:

cumulus@switch:mgmt-vrf:~$ sudo net-snmp-config --create-snmpv3-user -a shaauthpass -x aesprivpass -A SHA -X AES userSHAwithAES
adding the following line to /var/lib/snmp/snmpd.conf:           
   createUser userSHAwithAES SHA "shaauthpass" AES "aesprivpass"       
adding the following line to /snmp/snmpd.conf:                           
   rwuser userSHAwithAES                                           
touch: cannot touch ‘/snmp/snmpd.conf’: No such file or directory
/usr/bin/net-snmp-create-v3-user: 144: /usr/bin/net-snmp-create-v3-user: cannot create /snmp/snmpd.conf: Directory nonexistent

To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:

cumulus@switch:mgmt-vrf:~$ net add snmp-server username user999 auth-md5 user999password encrypt-des user999encryption

Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation. | 3.7.13-3.7.16, 4.0.0-4.4.5 | | | [2553588](#2553588)
| Multicast traffic on a VPN is sent to remote VTEPs that are not part of the VPN and the remote VTEPs receive multicast traffic encapsulated in a VXLAN ID that doesn't exist.
To work around this issue, disable IGMP snooping on the switch. | 3.7.12-4.2.1 | 4.3.0-4.4.5| -| [2553530](#2553530)
| In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated.
To work around this issue, restart FRR with the sudo systemctl restart frr.service command.

| 3.7.10-4.2.1 | 4.3.0-4.4.5| +| [2553530, 2553349](#2553530, 2553349)
| In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated.
To work around this issue, restart FRR with the sudo systemctl restart frr.service command.

| 3.7.10-4.2.1 | 4.3.0-4.4.5| | [2553450](#2553450)
| On the the Dell N3248-PXE switch, when you insert two PSUs at different times, the newly inserted PSU is detected as OK but the fan and temp sensors are ABSENT.
To work around this issue, remove power to both PSUs at the same time, then reinsert power simultaneously. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2553229](#2553229)
| On the Dell N3248PXE switch, RJ45 fixed copper ports that auto-negotiate with a 100M or 10M neighbor incorrectly negotiate a half-duplex link that generates errors. Half duplex modes are not supported on this platform. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2553219](#2553219)
| You cannot configure SNMPv3 trap-destinations in non-default VRFs with an authentication username that contains fewer than eight characters. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2553116](#2553116)
| When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure.
To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2553050](#2553050)
| SNMP status might incorrectly reflect that a BGP neighbor is down due to an issue between bgpd and SNMP AgentX when the IP-FORWARD-MIB is also polled.
To work around this issue, avoid polling IP-FORWARD-MIB objects. | 3.7.12-3.7.16 | | | [2553015](#2553015)
| If a neighbour contains a special character in PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail. | 3.7.10-3.7.16, 4.2.0-4.4.5 | | -| [2553001](#2553001)
| When the following conditions exist, clagd might fail to establish a TCP control session across the subinterface (such as, peerlink.4094):
* clagd uses an IPv6 link-local address (LLA) to establish the TCP connection (the clagd-peer-ip linklocal command configures an IPv6 LLA connection)

* Subsequent VLAN changes are made to VLAN sub-interfaces or adding or removing SVIs

This issue occurs because the hardware stores one entry per VRF to represent the IPv6 LLA. The hardware entry for the LLA is removed when another interface is changed because the software interfaces are represented by a single entity in hardware. As a result, packets destined to the local IPv6 LLA address are received on the port but do not get forwarded to CPU for further processing.

To workaround this issue, use IPv4 addresses under peerlink.4094 and configure clagd to peer on IPv4 addresses. | 3.7.12-4.1.1 | 4.2.0-4.4.5| +| [2553001, 2552742](#2553001, 2552742)
| When the following conditions exist, clagd might fail to establish a TCP control session across the subinterface (such as, peerlink.4094):
* clagd uses an IPv6 link-local address (LLA) to establish the TCP connection (the clagd-peer-ip linklocal command configures an IPv6 LLA connection)

* Subsequent VLAN changes are made to VLAN sub-interfaces or adding or removing SVIs

This issue occurs because the hardware stores one entry per VRF to represent the IPv6 LLA. The hardware entry for the LLA is removed when another interface is changed because the software interfaces are represented by a single entity in hardware. As a result, packets destined to the local IPv6 LLA address are received on the port but do not get forwarded to CPU for further processing.

To workaround this issue, use IPv4 addresses under peerlink.4094 and configure clagd to peer on IPv4 addresses. | 3.7.12-4.1.1 | 4.2.0-4.4.5| | [2552939](#2552939)
| RX_DRP on a bond interface increases without any data traffic while the slave port does not increase. | 3.7.12-4.2.1 | 4.3.0-4.4.5| -| [2552925](#2552925)
| On the EdgeCore AS-6712-32X, AS5812-54X and AS5812-54T switch models, the temp sensors (DIMM temp sensor) show ABSENT. The amber diagnostic light on the front of the switch might also be turned on due to this issue.
These messages and the light are cosmetic issues only and do not otherwise impact the function of the switch. | 3.7.12-3.7.13 | 3.7.14-3.7.16| +| [2552925, 2552378](#2552925, 2552378)
| On the EdgeCore AS-6712-32X, AS5812-54X and AS5812-54T switch models, the temp sensors (DIMM temp sensor) show ABSENT. The amber diagnostic light on the front of the switch might also be turned on due to this issue.
These messages and the light are cosmetic issues only and do not otherwise impact the function of the switch. | 3.7.12-3.7.13 | 3.7.14-3.7.16| | [2552881](#2552881)
| IPv6 TCP or UDP connections (sourcing from an ephemeral port in the range 34048 to 35071) are not forwarded if the switch has more than one layer 2 VNI defined. The traffic might be locally switched on the bridge and dropped.
To work around this issue, disable ARP/ND suppression to remove the internal ACL rule that affects the ports. | 3.7.13-4.2.1 | 4.3.0-4.4.5| | [2552869](#2552869)
| On the Dell N3048EP switch, the module information from SFP ports is not displayed in the l1-show command.
To work around this issue, use the ethtool -m command. | 3.7.13-4.2.1 | 4.3.0-4.4.5| | [2552859](#2552859)
| Mellanox switches with the Spectrum ASIC fail to read PSU Fan/Temp sensors and report them as Absent. The following messages are observed in syslog:

2020-08-21T07:17:39.068160+00:00 cumulus : /usr/sbin/smond : : PSU1Temp1(PSU1 Temp Sensor): state changed from UNKNOWN to ABSENT
2020-08-21T07:17:39.068911+00:00 cumulus : /usr/sbin/smond : : PSU2Temp1(PSU2 Temp Sensor): state changed from UNKNOWN to ABSENT
| 3.7.13 | 3.7.14-3.7.16| -| [2552742](#2552742)
| On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.
To work around this issue, restart switchd. | 3.7.12-4.2.1 | 4.3.0-4.4.5| +| [2552742, 2553000, 2553936](#2552742, 2553000, 2553936)
| On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.
To work around this issue, restart switchd. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2552739](#2552739)
| Counters for IPROUTER rules do not increase when traffic is forwarded to the CPU because there is no IP neighbor. | 3.7.2-3.7.16 | | | [2552647](#2552647)
| When you add a member to a bond that has a subinterface configured (such as peerlink.4094), the new member is assigned only the VLAN of the subinterface for forwarding.
To work around this issue, bounce the bond or shutdown the new interface and use the remaining members over the bond. | 3.7.10-4.2.0 | 4.2.1-4.4.5| | [2552528](#2552528)
| Ingress SPAN/ERSPAN does not mirror packets when the next hop is EVPN encapsulated. | 3.7.7-4.2.1 | 4.3.0-4.4.5| -| [2552506](#2552506)
| Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports.
To work around this issue, manually set the MAC address of the bridge interface by adding hwaddress to the bridge stanza in the /etc/network/interfaces file. | 3.7.11-4.2.0 | 4.2.1-4.4.5| +| [2552506, 2552604](#2552506, 2552604)
| Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports.
To work around this issue, manually set the MAC address of the bridge interface by adding hwaddress to the bridge stanza in the /etc/network/interfaces file. | 3.7.11-4.2.0 | 4.2.1-4.4.5| | [2552301](#2552301)
| On a Mellanox switch with the Spectrum ASIC, you see LPC I2C driver errors similar to the following during boot:

Jul 30 23:49:41.651453 mlx-switch systemd[1]: Started udev Kernel Device Manager.
Jul 30 23:49:41.654978 mlx-switch systemd[1]: Starting LSB: Set preliminary keymap...
Jul 30 23:49:41.668214 mlx-switch kernel: LPCI2C ERR: Invalid flag 0x4 in msg 0
Jul 30 23:49:41.668265 mlx-switch kernel: LPCI2C ERR: Incorrect message
...
| 3.7.13 | 3.7.14-3.7.16| | [2552294](#2552294)
| NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command.
| 3.7.12-3.7.16, 4.0.0-4.4.5 | | -| [2552214](#2552214)
| The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages. | 3.7.11-3.7.14.2, 4.1.1-4.3.0 | 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5| +| [2552214, 2553637](#2552214, 2553637)
| The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages. | 3.7.11-3.7.14.2, 4.1.1-4.3.0 | 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5| | [2552205](#2552205)
| If the MAC address of an SVI changes, clagd does not update its permanent neighbor entry for the local interface, and it does not report the change to its MLAG peer. This leaves the MLAG peer in a state where its permanent neighbor for the MLAG peer's SVI IP address continues to use the old MAC address, which causes routed traffic over this SVI to be dropped.
To work around this issue, ifdown/ifup the SVI when a MAC address changes. | 3.7.12-4.2.0 | 4.2.1-4.4.5| | [2551911](#2551911)
| ifupdown2 does not account for link status or link down configuration when running dhclient. For example, ifupdown2 ignores link-down yes during ifup/ifreload and runs the DHCP module if inet dhcp is configured on the interface. ifupdown2 also runs the DHCP module even when the physical link configured for DHCP is down. | 3.7.12-4.2.0 | 4.2.1-4.4.5| | [2551748](#2551748)
| In OVSDB high availability mode, deleting > 200 VLAN bindings might cause ovs-vtepd to crash. Limit the deletion to 200 or fewer VLAN bindings. | 3.7.12-4.2.1 | 4.3.0-4.4.5| @@ -1127,7 +1127,7 @@ pdfhidden: True | [2547799](#2547799)
| An error similar to the following shows in syslog for Mellanox switches:

2020-02-12T19:59:22.208012+08:00 leaf01 sx_sdk: RM_TABLE: No resources available to add 1 entries to KVD hash Table HW resource
2020-02-12T19:59:22.208124+08:00 leaf01 sx_sdk: PORT: __port_vport_fid_set err = (No More Resources)

To work around this issue, reboot the switch. | 3.7.11-4.0.1 | 4.1.0-4.4.5| | [2547784](#2547784)
| PTM mis-detects incorrect hostnames of LLDP neighbors and does not fail them as expected. Instead they end up in an N/A cabling status. | 3.7.11-4.1.1 | 4.2.0-4.4.5| | [2547782](#2547782)
| If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2547706](#2547706)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2547706, 2544456, 2549513](#2547706, 2544456, 2549513)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2547659](#2547659)
| On the EdgeCore AS7326-56X switch, the default fan speed, which is defined in the thermal specification, results in excessive fan noise. | 3.7.11-4.0.1 | 4.1.0-4.4.5| | [2547573](#2547573)
| On Tomahawk switches, when the vxlan_tnl_arp_punt_disable option is set to FALSE, ARP packets are not forwarded to the CPU. | 3.7.9-3.7.16 | | | [2547443](#2547443)
| On the Dell N3248PXE-ON switch, 25G SFP ports do not work in 10G mode. | 3.7.11-4.0.1 | 4.1.0-4.4.5| @@ -1144,9 +1144,9 @@ pdfhidden: True | [2546577](#2546577)
| A traditional bridge with QinQ and a VNI does not work for tagged traffic. | 3.7.10-4.0.1 | 4.1.0-4.4.5| | [2546450](#2546450)
| On the EdgeCore AS7326-56X switch, you might see the RPM of certain fans run over the maximum threshold. | 3.7.11-3.7.16 | | | [2546385](#2546385)
| SNMP ifLastChange reports link transitions when there are none. | 3.7.6-3.7.16 | | -| [2546225](#2546225)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546225, 2541038](#2546225, 2541038)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546203](#2546203)
| When using QinQ with a traditional bridge, if you enable the LLDP dot1 TLV option, you see the following suboptimal behavior:
* Both the inner and outer VLAN information is sent as part of VLAN TLVs in the LLDP packet.
* If the outer VLAN ID is the same as the inner VLAN ID, only one VLAN TLV is sent with that VLAN ID in the LLDP packet. | 3.7.11-3.7.16 | | -| [2546131](#2546131)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546131, 2542979](#2546131, 2542979)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546010](#2546010)
| When hal.bcm.per_vlan_router_mac_lookup is set to TRUE in the /etc/cumulus/switchd.conf file, inter-VLAN traffic is forwarded to the CPU when associated VNI interfaces exist. | 3.7.10-3.7.16 | | | [2545997](#2545997)
| The NCLU command net show interface produces an error if bonds with no members exist.
To work around this issue, remove the empty Bond interfaces from the /etc/network/interfaces file and run sudo ifreload -a. | 3.7.10-3.7.16 | | | [2545934](#2545934)
| Mellanox switches might experience higher CPU usage from the sx_sdk service or when BFD is in use.
To work around this issue, disable BFD to alleviate some of the CPU load. | 3.7.13-4.1.1 | 4.2.0-4.4.5| @@ -1162,27 +1162,27 @@ pdfhidden: True | [2544829](#2544829)
| Frames received with a VLAN tag of 0 on an interface configured as a bridge port and forwarded to the CPU for processing might appear tagged with the native VLAN when viewed with tcpdump. | 3.7.8-3.7.16 | | | [2544556](#2544556)
| If you reconfigure an NTP server with NCLU using different trailing options after the IP address (such as iburst), an invalid configuration is added to the /etc/ntp.conf file. For example:

net add time ntp server 1.2.3.4 iburst
net commit
net add time ntp server 1.2.3.4
net commit

If you need to alter existing server configurations, first remove the server, commit, then re-add the server with any trailing options. | 3.7.9-4.1.1 | 4.2.0-4.4.5| | [2544463](#2544463)
| Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | -| [2544456](#2544456)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | +| [2544456, 2546166, 2546167, 2547706, 2549513](#2544456, 2546166, 2546167, 2547706, 2549513)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544311](#2544311)
| Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544155](#2544155)
| NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order.

| 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544113](#2544113)
| Mac learning is not disabled by default on a double tagged peer link interface resulting in the MAC address changing between the MLAG bond and the peer link.
To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the etc/network/interfaces file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2543900](#2543900)
| On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | | -| [2543841](#2543841)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | +| [2543841, 2544947](#2543841, 2544947)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | | [2543840](#2543840)
| On the Mellanox SN2700 switch, you cannot enable resilient hashing (RASH) and set the bucket size to 64 in the traffic.conf file.

| 3.7.6-3.7.16 | | | [2543800](#2543800)
| When local-tunnelip is an SVI, the static VXLAN tunnel does not work; the next hop router receives the packet but drops it as it does not know where to forward the packet. The static VXLAN tunnel does works if local-tunnelip is a loopback or a physical layer 3 interface.
| 3.7.8-3.7.16 | 4.0.0-4.4.5| | [2543647](#2543647)
| ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:

-A FORWARD -i vni10 -j erspan --src-ip 100.1.1.2 --dst-ip 100.1.1.1 --ttl 64
| 3.7.6-4.2.1 | 4.3.0-4.4.5| | [2543646](#2543646)
| In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2543627](#2543627)
| Tomahawk 40G DACs cannot disable auto-negotiation. | 3.7.7-3.7.16 | 4.0.0-4.4.5| -| [2543270](#2543270)
| The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5| +| [2543270, 2549352](#2543270, 2549352)
| The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5| | [2543211](#2543211)
| In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2543164](#2543164)
| The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2543096](#2543096)
| When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2543058](#2543058)
| The IP neighbor entry for a link-local next hop is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces.
To work around this issue, flap the peering to the peer router (which might be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces. | 3.7.7-3.7.16 | 4.0.0-4.4.5| | [2543052](#2543052)
| Received EVPN type-5 and type-2 MACIP routes are not installed in the kernel (and hardware) routing tables for the associated VRF, which causes traffic to be blackholed. The failure to install the default route causes complete reachability failure for the particular tenant on the affected racks. The routes that are not installed are seen as "inactive" in the routing subsystem (FRR) VRF routing table. This problem is rare and can occur only in EVPN configurations that have user-configured route targets (RTs) for tenant VRFs, and only following a restart of FRR.
To work around this issue, either restart the FRR service on the affected switch with the sudo systemctl restart frr.service command or bounce the layer 3 SVI for the affected VRF; for example:

ifdown vlan123 ; sleep 2 ; ifup vlan123

You can run the net show vrf vni command to print a mapping of VRF : L3-VNI : L3-SVI. | 3.7.5-3.7.16 | 4.0.0-4.4.5| | [2543044](#2543044)
| Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up.
You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up. | 3.7.2-3.7.16 | 4.0.0-4.4.5| -| [2542979](#2542979)
| On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5| +| [2542979, 2546131](#2542979, 2546131)
| On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5| | [2542945](#2542945)
| On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags.
To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad: 

cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | -| [2542310](#2542310)
| hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6.
| 3.7.6-3.7.16 | | +| [2542310, 2523456](#2542310, 2523456)
| hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6.
| 3.7.6-3.7.16 | | | [2542305](#2542305)
| If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2542301](#2542301)
| When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2541212](#2541212)
| The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | @@ -1196,7 +1196,7 @@ pdfhidden: True | [2540352](#2540352)
| When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a _match interface_ condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9 
net add routing route-map Proxy-ARP permit 30 match interface swp10

| 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2540340](#2540340)
| NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example: 
 
 cumulus@switch:~$ net add vrf mgmt

Tab completion for the net add vrf ip address
command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540274](#2540274)
| On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | -| [2540204](#2540204)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540204, 2713883](#2540204, 2713883)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540192](#2540192)
| The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540155](#2540155)
| On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2540042](#2540042)
| When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example: 
 
cumulus@switch:~$ sudo vtysh 
switch# configure terminal 
switch(config)# interface br0.100 
switch(config-if)# vrrp 1 priority 110 
switch(config-if)# vrrp 1 advertisement-interval 
switch(config-if)# end 
switch# write memory 
switch# exit 
cumulus@switch:~

| 3.7.4-3.7.16, 4.0.0-4.4.5 | | @@ -1215,12 +1215,12 @@ pdfhidden: True | [2538302](#2538302)
| portwd allows an error to change the module type based on the error. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap.
| 3.7.0-3.7.16 | | | [2538294](#2538294)
| If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2538256](#2538256)
| On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets.
| 3.7.2-4.0.1 | 4.1.0-4.4.5| -| [2537819](#2537819)
| When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
| 3.7.2-3.7.16 | 4.0.0-4.4.5| +| [2537819, 2542964](#2537819, 2542964)
| When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
| 3.7.2-3.7.16 | 4.0.0-4.4.5| | [2537699](#2537699)
| There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces: 
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
| 3.7.1-3.7.16, 4.0.0-4.4.5 | | -| [2537544](#2537544)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2537544, 2537365](#2537544, 2537365)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | | [2537378](#2537378)
| NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.
To work around this issue, stop snmpd, remove the cache file, then restart snmpd.
| 3.7.1-3.7.16 | | | [2537188](#2537188)
| When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.
This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network.
| 3.7.2-3.7.16 | | -| [2537104](#2537104)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | 4.0.0-4.4.5| +| [2537104, 2534061](#2537104, 2534061)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | 4.0.0-4.4.5| | [2537061](#2537061)
| The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent.
| 3.7.1-4.0.1 | 4.1.0-4.4.5| | [2536608](#2536608)
| Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI.
| 3.7.0-3.7.16 | | | [2536384](#2536384)
| The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | @@ -1233,19 +1233,19 @@ pdfhidden: True ### Fixed Issues in 3.7.13 | Issue ID | Description | Affects | |--- |--- |--- | -| [2552134](#2552134)
| When the MLAG peerlink flaps on Broadcom Trident3 platforms, switchd might continually sync route and neighbor entries to hardware. This can be observed in /var/log/switchd.log with repeated Neighbor Summary and IPv4 Route Summary updates:
sync_route.c:2063 Neighbor Summary : 0 Added, 0 Deleted, 501 Updated, 0 Skipped in 589761 usecs
  sync_route.c:2123 IPv4 Route Summary (29279) : 0 Added, 0 Deleted, 1732 Updated, 0 Skipped in 589820 usecs
  sync_route.c:2063 Neighbor Summary : 0 Added, 0 Deleted, 501 Updated, 0 Skipped in 606689 usecs
  sync_route.c:2123 IPv4 Route Summary (29280) : 0 Added, 0 Deleted, 1732 Updated, 0 Skipped in 596760 usecs
| 3.7.12 | | -| [2551708](#2551708)
| On the Mellanox switch with the Spectrum and Spectrum-2 ASIC, IPv6 egress ACLs are not supported on subinterfaces. | | | -| [2551543](#2551543)
| switchd might crash if more than 16 IPv6 default route next hops are installed in the kernel routing table and those 16 next hops recurse to MAC address table entries reachable over VXLAN VNI interfaces. This can occur when many IPv6 router advertisements (RAs) are received across VLAN interfaces that have IPv6 forwarding disabled.
To work around this issue, add the following parameters to the /etc/sysctl.conf file to disable IPv6 default route installation from received router advertisements, then run the sudo sysctl -p --system command.

net.ipv6.conf.all.accept_ra_defrtr = 0 
net.ipv6.conf.default.accept_ra_defrtr = 0
| 3.7.12 | | -| [2551161](#2551161)
| switchd memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time.
To work around this issue, correct the cause of the frequent link flaps. You can restart switchd with the sudo systemctl restart switchd command to recover memory; this operation is impactful to all traffic on the switch during the restart. | 3.7.11-3.7.12, 4.0.0-4.2.0 | | +| [2552134, 2722515](#2552134, 2722515)
| When the MLAG peerlink flaps on Broadcom Trident3 platforms, switchd might continually sync route and neighbor entries to hardware. This can be observed in /var/log/switchd.log with repeated Neighbor Summary and IPv4 Route Summary updates:
sync_route.c:2063 Neighbor Summary : 0 Added, 0 Deleted, 501 Updated, 0 Skipped in 589761 usecs
  sync_route.c:2123 IPv4 Route Summary (29279) : 0 Added, 0 Deleted, 1732 Updated, 0 Skipped in 589820 usecs
  sync_route.c:2063 Neighbor Summary : 0 Added, 0 Deleted, 501 Updated, 0 Skipped in 606689 usecs
  sync_route.c:2123 IPv4 Route Summary (29280) : 0 Added, 0 Deleted, 1732 Updated, 0 Skipped in 596760 usecs
| 3.7.12 | | +| [2551708, 2545503](#2551708, 2545503)
| On the Mellanox switch with the Spectrum and Spectrum-2 ASIC, IPv6 egress ACLs are not supported on subinterfaces. | | | +| [2551543, 2552147](#2551543, 2552147)
| switchd might crash if more than 16 IPv6 default route next hops are installed in the kernel routing table and those 16 next hops recurse to MAC address table entries reachable over VXLAN VNI interfaces. This can occur when many IPv6 router advertisements (RAs) are received across VLAN interfaces that have IPv6 forwarding disabled.
To work around this issue, add the following parameters to the /etc/sysctl.conf file to disable IPv6 default route installation from received router advertisements, then run the sudo sysctl -p --system command.

net.ipv6.conf.all.accept_ra_defrtr = 0 
net.ipv6.conf.default.accept_ra_defrtr = 0
| 3.7.12 | | +| [2551161, 2550590](#2551161, 2550590)
| switchd memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time.
To work around this issue, correct the cause of the frequent link flaps. You can restart switchd with the sudo systemctl restart switchd command to recover memory; this operation is impactful to all traffic on the switch during the restart. | 3.7.11-3.7.12, 4.0.0-4.2.0 | | | [2550323](#2550323)
| After a neighbor is removed, the redistributed neighbor entry is withdrawn from the BGP table, but the prefix might still be selected as the bestpath when the host's originated prefix is not advertised.
To work around this issue, recreate the neighbor entry and flap the interface to the host.
Or, if the host is already down, manually create a neighbor entry with an invalid MAC address, which forces redistribute neighbor to re-withdraw the entry. | 3.7.3-3.7.12 | | | [2550274](#2550274)
| If packets with an invalid checksum are received, the cumulus-poe service might restart and you see log messages similar to the following:
May 20 10:48:04.665635 leaf01 poed[8012]: ERROR : invalid checksum in response [0xC2:0x00]
May 20 10:48:04.671299 leaf01 poed[8012]: poed : ERROR : invalid checksum in response [0xC2:0x00]
May 20 10:48:04.708620 leaf01 systemd[1]: cumulus-poe.service: main process exited, code=exited, status=1/FAILURE
The service starts automatically but there is an impact to POE devices momentarily. | 3.7.12, 4.0.0-4.1.1 | | | [2549676](#2549676)
| After you add or remove a bridge VLAN identifier (VID) on a trunk port, the layer 2 VNI is put into VLAN 1.
To work around this issue, revert the configuration change. | 3.7.10-3.7.12, 4.0.0-4.1.1 | | | [2549397](#2549397)
| When the BGP Multi-protocol Unreach NLRI attribute is received in a BGP update without a next hop attribute, the BGP session is brought down unexpectedly. RFC 4760 defines that the next-hop attribute is not required for updates containing MP_UNREACH_NLRI. | 3.7.12 | | | [2548673](#2548673)
| A large number of flapping peers causes FRR to require a corresponding update to internal data structures that track peer information. Updating this internal data structure does not delete links that are down due to the flapping. The size of this array then grows to contain both current peers as well as peers that should have been deleted during the flap processing. The contents of this array is processed by FRR to poll the links, which consumes CPU for all items in the array. This additional polling consumes more CPU than necessary but has no functional impact.
To work around this issue, restart FRR. | 3.7.11-3.7.12, 4.0.0-4.1.1 | | | [2548659](#2548659)
| When a link flap occurs while IPv6 traffic traverses interfaces, a kernel panic may occur with the following logs printed to the console:

[1675080.282051] BUG: unable to handle kernel NULL pointer dereference at 0000000000000110
[1675080.291007] IP: [] fib6_lookup_1+0xac/0x170
...
[1675080.757405] Kernel panic - not syncing: Fatal exception in interrupt
| 3.7.12 | | -| [2548585](#2548585)
| After you flap an MLAG peerlink, a rare condition might occur where routes and neighbors for VXLAN-enabled VLANs are misprogrammed as non-VXLAN routes and neighbors due to VNI state transitions. This results in a forwarding failure for traffic destined to these misprogrammed routes and neighbors.
*Note*: Do not flap a VNI interface manually. The only expected time for a VNI interface to go down is when the MLAG secondary switch brings the VNIs protodown during a peer link failure where the backup IP address is still active.
To recover from this condition, restart switchd with the sudo systemctl restart switchd command. | 3.7.10-3.7.12, 4.1.0-4.1.1 | | +| [2548585, 2549256](#2548585, 2549256)
| After you flap an MLAG peerlink, a rare condition might occur where routes and neighbors for VXLAN-enabled VLANs are misprogrammed as non-VXLAN routes and neighbors due to VNI state transitions. This results in a forwarding failure for traffic destined to these misprogrammed routes and neighbors.
*Note*: Do not flap a VNI interface manually. The only expected time for a VNI interface to go down is when the MLAG secondary switch brings the VNIs protodown during a peer link failure where the backup IP address is still active.
To recover from this condition, restart switchd with the sudo systemctl restart switchd command. | 3.7.10-3.7.12, 4.1.0-4.1.1 | | | [2548382](#2548382)
| The QuantaMesh BMS T3048-LY8 switch shows a low fan RPM in syslog. | 3.7.5-3.7.12, 4.0.0-4.1.1 | | -| [2548372](#2548372)
| On the Edgecore AS5812 switch, the Innodisk DIMM causes a DIMM temperature sensor absent alert. | 3.7.12, 4.0.0-4.1.1 | | +| [2548372, 2548371](#2548372, 2548371)
| On the Edgecore AS5812 switch, the Innodisk DIMM causes a DIMM temperature sensor absent alert. | 3.7.12, 4.0.0-4.1.1 | | | [2548307](#2548307)
| When the garbage collector does not release memory back to the operating system, clagd might consume a large amount of memory. As a result of low system memory, systemd might shut down services to reclaim memory.
| 3.7.11-3.7.12, 4.1.0-4.1.1 | | | [2548116](#2548116)
| The OVSDB log contains duplicate MAC addresses with the well-known BFD MAC address (00:23:20:00:00:01). This is mainly cosmetic, but clutters the log. | 3.7.12, 4.0.0-4.0.1 | | | [2548112](#2548112)
| In OVSDB VLAN-aware mode, removing a VTEP binding on the NSX controller fails to clean up all interfaces associated with the logical switch. | 3.7.12, 4.0.0-4.1.1 | | @@ -1254,14 +1254,14 @@ pdfhidden: True | [2547666](#2547666)
| On the Dell S5232F-ON switch, the output of ledmgrd shows amber_blinking but smonctl shows all OK. | 3.7.11-3.7.12, 4.0.0-4.1.1 | | | [2547663](#2547663)
| When traffic from a double tag interface (facing a different site) is forwarded through VXLAN, the inner tag is not removed. The destination does not know this tag, so it discards it. | 3.7.8-3.7.12, 4.0.0-4.0.1 | | | [2547658](#2547658)
| On the Lenovo NE0152T switch, one power supply (PSU2) always show as ABSENT in smonctl. | 3.7.11-3.7.12 | | -| [2547609](#2547609)
| Mellanox switches with the Spectrum A0 ASIC that are integrated with VMware NSX experience BFD connectivity issues with service nodes. As a result, VXLAN tunnels do not work.
Mellanox switches with the Spectrum A1 ASIC do **not** have this issue. | 3.7.11-3.7.12, 4.0.0-4.1.1 | | +| [2547609, 2548114](#2547609, 2548114)
| Mellanox switches with the Spectrum A0 ASIC that are integrated with VMware NSX experience BFD connectivity issues with service nodes. As a result, VXLAN tunnels do not work.
Mellanox switches with the Spectrum A1 ASIC do **not** have this issue. | 3.7.11-3.7.12, 4.0.0-4.1.1 | | | [2547592](#2547592)
| When you add a route map to advertise IPv4 unicast in a BGP EVPN configuration and the route map contains a set operation, BGP crashes. | 3.7.11-3.7.12 | | | [2547293](#2547293)
| On the Broadcom Trident3 switch with DHCP relay, where the DHCP server is reachable through the EVPN overlay, DHCP discover packets forwarded to the CPU might appear corrupt and might not get forwarded. | 3.7.9-3.7.12, 4.0.0-4.0.1 | | | [2547147](#2547147)
| The ospfd daemon might crash with the following kernel trace: 

2019-11-06T23:00:08.261749+09:00 cumulus ospfd[5339]: Assertion 'node' failed in file ospfd/ospf_packet.c, line 671, function ospf_write
| 3.7.11-3.7.12, 4.0.0-4.0.1 | | | [2546984](#2546984)
| On the EdgeCore AS7326-56X switch, the PSU fans show constant LOW warnings. | 3.7.10-3.7.12, 4.0.0-4.2.0 | | -| [2546950](#2546950)
| switchd crashes when dynamic VRF route leaking is enabled and the following is true:
* The default route is leaked from VRF1 to VRF2
* Hardware-based dynamic VRF route leaking is configured (vrf_route_leak_enable_dynamic is set to TRUE in the /etc/cumulus/switchd.conf file).
You might see logs similar to the following in /var/log/syslog:

kernel: [159400.526241] switchd[21374]: segfault at 1229cdd84 ip 00000000004142ca sp 00007ffd557a86d0 error 4 in switchd[400000+71000]

To work around this issue, use a route map to filter the default route (the source VRF is imported into the destination VRF). | 3.7.10-3.7.12, 4.0.0-4.1.1 | | -| [2546141](#2546141)
| CPU usage might be higher than normal if you have a high number of interfaces x VLANs and lldpd is active. This issue is introduced with code changes in Cumulus Linux 3.7.11, where VLAN information is now available for LLDP to advertise to neighbors ([https://docs.cumulusnetworks.com/version/cumulus-linux-37/Layer-2/Link-Layer-Discovery-Protocol/#vlan-dot1-tlv]). You might see high CPU usage even if VLAN (dot1) TLV configuration is disabled.
To check if lldpd is the heavy CPU resource user, run the following command:

cumulus@switch:~$  ps -eo user,pid,ppid,cmd,%mem,%cpu --sort=-%cpu \| head

Alternatively, check for messages in the /var/log/syslog directory similar to:

2020-02-20T15:02:12.137857-05:00 leaf01 sysmonitor: High CPU use: 87%
2020-02-20T15:02:12.482398-05:00 leaf01 sysmonitor:   PID USER      PR    VIRT    RES %CPU %MEM     TIME+ COMMAND
2020-02-20T15:02:12.483112-05:00 leaf01 sysmonitor:  1570 _lldpd    20   73244  13800 76.6  0.3   4:43.06 lldpd

*Note*: The exact amount of CPU usage varies in each network based on a number of factors; however, it is unusual for lldpd to consume more than 30% CPU for an extended period of time.
To work around this issue, you can do one of the following:
* If the large number of VLANs is not absolutely necessary, manually prune the VLAN allowed list (if you use the range 1-2999, modify the bridge-vids list to include the VLANs being used).
* Stop the lldpd service. (This approach might be undesirable if the switch is providing services that rely on LLDP such as Voice VLAN.) To stop the lldpd service (runtime setting), run the sudo systemctl stop lldpd.service command. To disable the lldpd service upon boot, run sudo systemctl disable lldpd.service. | 3.7.11-3.7.12, 4.0.0-4.0.1 | | -| [2543792](#2543792)
| On the EdgeCore AS5712, AS6712, AS5812 and AS6812 switch, support for multiple PSU types results in log messages similar to the following:

2019-09-05T05:15:17.246597+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.274521+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
2019-09-05T05:15:17.469556+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.497514+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
| 3.7.9-3.7.12, 4.0.0-4.0.1 | | +| [2546950, 2548887](#2546950, 2548887)
| switchd crashes when dynamic VRF route leaking is enabled and the following is true:
* The default route is leaked from VRF1 to VRF2
* Hardware-based dynamic VRF route leaking is configured (vrf_route_leak_enable_dynamic is set to TRUE in the /etc/cumulus/switchd.conf file).
You might see logs similar to the following in /var/log/syslog:

kernel: [159400.526241] switchd[21374]: segfault at 1229cdd84 ip 00000000004142ca sp 00007ffd557a86d0 error 4 in switchd[400000+71000]

To work around this issue, use a route map to filter the default route (the source VRF is imported into the destination VRF). | 3.7.10-3.7.12, 4.0.0-4.1.1 | | +| [2546141, 2548774](#2546141, 2548774)
| CPU usage might be higher than normal if you have a high number of interfaces x VLANs and lldpd is active. This issue is introduced with code changes in Cumulus Linux 3.7.11, where VLAN information is now available for LLDP to advertise to neighbors ([https://docs.cumulusnetworks.com/version/cumulus-linux-37/Layer-2/Link-Layer-Discovery-Protocol/#vlan-dot1-tlv]). You might see high CPU usage even if VLAN (dot1) TLV configuration is disabled.
To check if lldpd is the heavy CPU resource user, run the following command:

cumulus@switch:~$  ps -eo user,pid,ppid,cmd,%mem,%cpu --sort=-%cpu \| head

Alternatively, check for messages in the /var/log/syslog directory similar to:

2020-02-20T15:02:12.137857-05:00 leaf01 sysmonitor: High CPU use: 87%
2020-02-20T15:02:12.482398-05:00 leaf01 sysmonitor:   PID USER      PR    VIRT    RES %CPU %MEM     TIME+ COMMAND
2020-02-20T15:02:12.483112-05:00 leaf01 sysmonitor:  1570 _lldpd    20   73244  13800 76.6  0.3   4:43.06 lldpd

*Note*: The exact amount of CPU usage varies in each network based on a number of factors; however, it is unusual for lldpd to consume more than 30% CPU for an extended period of time.
To work around this issue, you can do one of the following:
* If the large number of VLANs is not absolutely necessary, manually prune the VLAN allowed list (if you use the range 1-2999, modify the bridge-vids list to include the VLANs being used).
* Stop the lldpd service. (This approach might be undesirable if the switch is providing services that rely on LLDP such as Voice VLAN.) To stop the lldpd service (runtime setting), run the sudo systemctl stop lldpd.service command. To disable the lldpd service upon boot, run sudo systemctl disable lldpd.service. | 3.7.11-3.7.12, 4.0.0-4.0.1 | | +| [2543792, 2545026](#2543792, 2545026)
| On the EdgeCore AS5712, AS6712, AS5812 and AS6812 switch, support for multiple PSU types results in log messages similar to the following:

2019-09-05T05:15:17.246597+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.274521+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
2019-09-05T05:15:17.469556+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.497514+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
| 3.7.9-3.7.12, 4.0.0-4.0.1 | | | [2543648](#2543648)
| You cannot specify a source and destination MAC address in an ERSPAN ebtables rule. For example, the following rule does not work:

-A FORWARD -i swp5 -s 00:25:90:b2:bd:9d -d 50:6b:4b:96:c4:04 -j erspan --src-ip 100.1.1.2 --dst-ip 100.1.1.1 --ttl 64
| 3.7.6-3.7.12, 4.0.0-4.1.1 | | | [2543472](#2543472)
| On switches with the Spectrum ASIC, the underlay hashes VXLAN packets for a given overlay flow randomly.
To work around this issue, configure the ECMP hash seed to the same value on the EVPN egress leaf switches. | 3.7.7-3.7.12, 4.0.0-4.0.1 | | | [2542767](#2542767)
| If the BMC operating system fails to respond to IPMI, you see a traceback in bmcd and all the sensors might report ABSENT devices in smonctl.
To work around this issue, power cycle the switch.
| 3.7.6-3.7.12, 4.0.0-4.0.1 | | @@ -1288,18 +1288,18 @@ pdfhidden: True | [2866061](#2866061)
| On the Maverick S4148T switch with MLAG, Cumulus Linux drops LACP, ARP, LLDP and BGP traffic. | 3.7.12-3.7.16 | | | [2815592](#2815592)
| In an EVPN configuration, an FRR restart on a border leaf VRRP master causes a stale route for the VRRP VIP on some remote VTEPs to point to the VRRP backup after convergence. | 3.7.12-3.7.15, 4.3.0, 4.4.2-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.16.1| | [2801262](#2801262)
| On NVIDIA Spectrum ASICs in a layer 2 bridge scaled configuration (more than 800 VLANs), clagd.service enters a failed state after a reboot or a switchd restart. | 3.7.12-3.7.15, 4.3.0, 4.4.2-4.4.5 | 3.7.16, 4.3.1, 5.0.0-5.16.1| -| [2794750](#2794750)
| When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.
To work around this issue, remove the unnecessary eBGP IPv4 peering. | 3.7.12-4.2.1 | 4.3.0-4.4.5| +| [2794750, 2555635](#2794750, 2555635)
| When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.
To work around this issue, remove the unnecessary eBGP IPv4 peering. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2736265](#2736265)
| After an apt upgrade, the OPTIONS configuration line in /etc/default/isc-dhcp-relay might be removed. To work around this issue, reconfigure the desired options in the file after the upgrade completes. | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5| | [2730225](#2730225)
| When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs. | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.2-4.4.5| | [2700767](#2700767)
| Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use a MLAG peer IP linklocal configuration. | 3.7.12-3.7.15, 4.3.0-4.4.5 | 3.7.16| | [2687332](#2687332)
| When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage
To workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:
address-family ipv4 unicast
  aggregate-address 10.10.0.0/16 summary-only
  redistribute connected
After:
ip route 10.10.0.0/16 Null0
  !
  address-family ipv4 unicast
  redistribute connected route-map DENY-COMPONENTS
  redistribute static
   exit-address-family
  ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17
  !
  route-map DENY-COMPONENTS deny 10
   match ip address prefix-list NO-COMPONENTS
  !
  route-map DENY-COMPONENTS permit 20
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-4.2.1 | 4.3.0-4.4.5| -| [2684452](#2684452)
| When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table
You can work around this issue with the following steps:1. Clear all corrupted mac entries in the kernel FDB with the bridge fdb del
dev [dst\|via] command2. Add "vxlan-learning": "off" under /etc/network/ifupdown2/policy.d/vxlan.json
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
  {
       "vxlan": {
           "module_globals": { "vxlan-purge-remotes": "no" },
           "defaults": {
               "vxlan-ageing": "1800",
               "vxlan-port": "4789", <==== This comma needs to be added at the end of this line
               "vxlan-learning": "off" <= This line needs to be added
            }
       }
  }
3. Reboot the affected switch(es) | 3.7.12-3.7.16 | | +| [2684452, 2701788, 2940067](#2684452, 2701788, 2940067)
| When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table
You can work around this issue with the following steps:1. Clear all corrupted mac entries in the kernel FDB with the bridge fdb del
dev [dst\|via] command2. Add "vxlan-learning": "off" under /etc/network/ifupdown2/policy.d/vxlan.json
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
  {
       "vxlan": {
           "module_globals": { "vxlan-purge-remotes": "no" },
           "defaults": {
               "vxlan-ageing": "1800",
               "vxlan-port": "4789", <==== This comma needs to be added at the end of this line
               "vxlan-learning": "off" <= This line needs to be added
            }
       }
  }
3. Reboot the affected switch(es) | 3.7.12-3.7.16 | | | [2669438](#2669438)
| Editing the /etc/frr/frr.conf file to add a new sequence at the beginning of an existing large prefix list changes the subsequent sequence numbers of the next entries in the list and FRR reload might fail with the error message frr.service reload operation timed out. Stopping. To work around this issue, instead of adding the new prefix using an existing sequence number and pushing other sequences forward, use a sequence number that is free; for example, instead of of using 5 -> 10 -> 15, use 5 -> 7 -> 10. | 3.7.11-3.7.16 | | | [2660582](#2660582)
| In an MLAG configuration, the secondary MLAG switch does not use a unique address instead of the MLAG system MAC address when there is a double failure (backup IP and peer link failure)
To recover restart the clagd service with sudo systemctl restart clagd.service | 3.7.8-3.7.15 | 3.7.16| | [2653400](#2653400)
| When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration. | 3.7.10-3.7.16 | | | [2645846](#2645846)
| When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration. | 3.7.10-3.7.15 | 3.7.16, 4.3.1-4.4.5| | [2633245](#2633245)
| On the Dell N3048EP-ON switch, the SPF+ ports remain down after a power cycle. | 3.7.10-3.7.16 | | -| [2599607](#2599607)
| In some corner cases, remote MAC entries may be seen as locally learnt entries in FDB table due to switchd reprogramming it | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.4-4.4.5, 5.0.0-5.16.1| +| [2599607, 2545364, 3297583](#2599607, 2545364, 3297583)
| In some corner cases, remote MAC entries may be seen as locally learnt entries in FDB table due to switchd reprogramming it | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.4-4.4.5, 5.0.0-5.16.1| | [2595889](#2595889)
| In a traditional bridge configuration with ip-forward off, neighbors are synchronized to hardware with a switchd restart but are cleared when you flap the bridge interface. | 3.7.10-4.2.1 | 4.3.0-4.4.5| | [2595816](#2595816)
| Tenant VRF BGP peers appear in the EVPN RMAC and nexthop tables, which causes the kernel RMAC to point at invalid IP address. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2589747](#2589747)
| If switchd successfully signals clagd that it is going down, clagd stops responding to keepalive echo requests from the peer instead of sending a good bye to the peer over both the peerlink and the backup switch. Eventually, the keepalive timer expires and the secondary switch becomes the primary, and brings the bonds and VNIs back up. However, if switchd does not successfully signal it is going down, (in the event of a crash), the primary switch continues to respond to keepalives, and the bonds and VNIs are down on both peers. | 3.7.12-4.2.1 | 4.3.0-4.4.5| @@ -1317,25 +1317,25 @@ pdfhidden: True | [2553748](#2553748)
| On switches with the Spectrum ASIC, the IPv6 default route is present in the kernel but missing in hardware. | 3.7.11-4.2.1 | 4.3.0-4.4.5| | [2553732](#2553732)
| A ping via a dual-connected bond fails, and the audio stream is not routed or encapsulated through the layer 3 VNI. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2553588](#2553588)
| Multicast traffic on a VPN is sent to remote VTEPs that are not part of the VPN and the remote VTEPs receive multicast traffic encapsulated in a VXLAN ID that doesn't exist.
To work around this issue, disable IGMP snooping on the switch. | 3.7.12-4.2.1 | 4.3.0-4.4.5| -| [2553530](#2553530)
| In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated.
To work around this issue, restart FRR with the sudo systemctl restart frr.service command.

| 3.7.10-4.2.1 | 4.3.0-4.4.5| +| [2553530, 2553349](#2553530, 2553349)
| In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated.
To work around this issue, restart FRR with the sudo systemctl restart frr.service command.

| 3.7.10-4.2.1 | 4.3.0-4.4.5| | [2553450](#2553450)
| On the the Dell N3248-PXE switch, when you insert two PSUs at different times, the newly inserted PSU is detected as OK but the fan and temp sensors are ABSENT.
To work around this issue, remove power to both PSUs at the same time, then reinsert power simultaneously. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2553229](#2553229)
| On the Dell N3248PXE switch, RJ45 fixed copper ports that auto-negotiate with a 100M or 10M neighbor incorrectly negotiate a half-duplex link that generates errors. Half duplex modes are not supported on this platform. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2553219](#2553219)
| You cannot configure SNMPv3 trap-destinations in non-default VRFs with an authentication username that contains fewer than eight characters. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2553116](#2553116)
| When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure.
To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2553050](#2553050)
| SNMP status might incorrectly reflect that a BGP neighbor is down due to an issue between bgpd and SNMP AgentX when the IP-FORWARD-MIB is also polled.
To work around this issue, avoid polling IP-FORWARD-MIB objects. | 3.7.12-3.7.16 | | | [2553015](#2553015)
| If a neighbour contains a special character in PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail. | 3.7.10-3.7.16, 4.2.0-4.4.5 | | -| [2553001](#2553001)
| When the following conditions exist, clagd might fail to establish a TCP control session across the subinterface (such as, peerlink.4094):
* clagd uses an IPv6 link-local address (LLA) to establish the TCP connection (the clagd-peer-ip linklocal command configures an IPv6 LLA connection)

* Subsequent VLAN changes are made to VLAN sub-interfaces or adding or removing SVIs

This issue occurs because the hardware stores one entry per VRF to represent the IPv6 LLA. The hardware entry for the LLA is removed when another interface is changed because the software interfaces are represented by a single entity in hardware. As a result, packets destined to the local IPv6 LLA address are received on the port but do not get forwarded to CPU for further processing.

To workaround this issue, use IPv4 addresses under peerlink.4094 and configure clagd to peer on IPv4 addresses. | 3.7.12-4.1.1 | 4.2.0-4.4.5| +| [2553001, 2552742](#2553001, 2552742)
| When the following conditions exist, clagd might fail to establish a TCP control session across the subinterface (such as, peerlink.4094):
* clagd uses an IPv6 link-local address (LLA) to establish the TCP connection (the clagd-peer-ip linklocal command configures an IPv6 LLA connection)

* Subsequent VLAN changes are made to VLAN sub-interfaces or adding or removing SVIs

This issue occurs because the hardware stores one entry per VRF to represent the IPv6 LLA. The hardware entry for the LLA is removed when another interface is changed because the software interfaces are represented by a single entity in hardware. As a result, packets destined to the local IPv6 LLA address are received on the port but do not get forwarded to CPU for further processing.

To workaround this issue, use IPv4 addresses under peerlink.4094 and configure clagd to peer on IPv4 addresses. | 3.7.12-4.1.1 | 4.2.0-4.4.5| | [2552939](#2552939)
| RX_DRP on a bond interface increases without any data traffic while the slave port does not increase. | 3.7.12-4.2.1 | 4.3.0-4.4.5| -| [2552925](#2552925)
| On the EdgeCore AS-6712-32X, AS5812-54X and AS5812-54T switch models, the temp sensors (DIMM temp sensor) show ABSENT. The amber diagnostic light on the front of the switch might also be turned on due to this issue.
These messages and the light are cosmetic issues only and do not otherwise impact the function of the switch. | 3.7.12-3.7.13 | 3.7.14-3.7.16| -| [2552742](#2552742)
| On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.
To work around this issue, restart switchd. | 3.7.12-4.2.1 | 4.3.0-4.4.5| +| [2552925, 2552378](#2552925, 2552378)
| On the EdgeCore AS-6712-32X, AS5812-54X and AS5812-54T switch models, the temp sensors (DIMM temp sensor) show ABSENT. The amber diagnostic light on the front of the switch might also be turned on due to this issue.
These messages and the light are cosmetic issues only and do not otherwise impact the function of the switch. | 3.7.12-3.7.13 | 3.7.14-3.7.16| +| [2552742, 2553000, 2553936](#2552742, 2553000, 2553936)
| On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.
To work around this issue, restart switchd. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2552739](#2552739)
| Counters for IPROUTER rules do not increase when traffic is forwarded to the CPU because there is no IP neighbor. | 3.7.2-3.7.16 | | | [2552647](#2552647)
| When you add a member to a bond that has a subinterface configured (such as peerlink.4094), the new member is assigned only the VLAN of the subinterface for forwarding.
To work around this issue, bounce the bond or shutdown the new interface and use the remaining members over the bond. | 3.7.10-4.2.0 | 4.2.1-4.4.5| | [2552528](#2552528)
| Ingress SPAN/ERSPAN does not mirror packets when the next hop is EVPN encapsulated. | 3.7.7-4.2.1 | 4.3.0-4.4.5| -| [2552506](#2552506)
| Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports.
To work around this issue, manually set the MAC address of the bridge interface by adding hwaddress to the bridge stanza in the /etc/network/interfaces file. | 3.7.11-4.2.0 | 4.2.1-4.4.5| +| [2552506, 2552604](#2552506, 2552604)
| Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports.
To work around this issue, manually set the MAC address of the bridge interface by adding hwaddress to the bridge stanza in the /etc/network/interfaces file. | 3.7.11-4.2.0 | 4.2.1-4.4.5| | [2552294](#2552294)
| NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command.
| 3.7.12-3.7.16, 4.0.0-4.4.5 | | -| [2552214](#2552214)
| The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages. | 3.7.11-3.7.14.2, 4.1.1-4.3.0 | 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5| +| [2552214, 2553637](#2552214, 2553637)
| The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages. | 3.7.11-3.7.14.2, 4.1.1-4.3.0 | 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5| | [2552205](#2552205)
| If the MAC address of an SVI changes, clagd does not update its permanent neighbor entry for the local interface, and it does not report the change to its MLAG peer. This leaves the MLAG peer in a state where its permanent neighbor for the MLAG peer's SVI IP address continues to use the old MAC address, which causes routed traffic over this SVI to be dropped.
To work around this issue, ifdown/ifup the SVI when a MAC address changes. | 3.7.12-4.2.0 | 4.2.1-4.4.5| -| [2552134](#2552134)
| When the MLAG peerlink flaps on Broadcom Trident3 platforms, switchd might continually sync route and neighbor entries to hardware. This can be observed in /var/log/switchd.log with repeated Neighbor Summary and IPv4 Route Summary updates:
sync_route.c:2063 Neighbor Summary : 0 Added, 0 Deleted, 501 Updated, 0 Skipped in 589761 usecs
  sync_route.c:2123 IPv4 Route Summary (29279) : 0 Added, 0 Deleted, 1732 Updated, 0 Skipped in 589820 usecs
  sync_route.c:2063 Neighbor Summary : 0 Added, 0 Deleted, 501 Updated, 0 Skipped in 606689 usecs
  sync_route.c:2123 IPv4 Route Summary (29280) : 0 Added, 0 Deleted, 1732 Updated, 0 Skipped in 596760 usecs
| 3.7.12 | 3.7.13-3.7.16| +| [2552134, 2722515](#2552134, 2722515)
| When the MLAG peerlink flaps on Broadcom Trident3 platforms, switchd might continually sync route and neighbor entries to hardware. This can be observed in /var/log/switchd.log with repeated Neighbor Summary and IPv4 Route Summary updates:
sync_route.c:2063 Neighbor Summary : 0 Added, 0 Deleted, 501 Updated, 0 Skipped in 589761 usecs
  sync_route.c:2123 IPv4 Route Summary (29279) : 0 Added, 0 Deleted, 1732 Updated, 0 Skipped in 589820 usecs
  sync_route.c:2063 Neighbor Summary : 0 Added, 0 Deleted, 501 Updated, 0 Skipped in 606689 usecs
  sync_route.c:2123 IPv4 Route Summary (29280) : 0 Added, 0 Deleted, 1732 Updated, 0 Skipped in 596760 usecs
| 3.7.12 | 3.7.13-3.7.16| | [2551911](#2551911)
| ifupdown2 does not account for link status or link down configuration when running dhclient. For example, ifupdown2 ignores link-down yes during ifup/ifreload and runs the DHCP module if inet dhcp is configured on the interface. ifupdown2 also runs the DHCP module even when the physical link configured for DHCP is down. | 3.7.12-4.2.0 | 4.2.1-4.4.5| | [2551748](#2551748)
| In OVSDB high availability mode, deleting > 200 VLAN bindings might cause ovs-vtepd to crash. Limit the deletion to 200 or fewer VLAN bindings. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2551731](#2551731)
| When the OVSDB VTEP scale increases, the CPU utilization increases and eventually the switch (ptmd) fails to respond to the BFD, causing the BFD session to go down. As a result OVSDB cannot read the BFD socket status and outputs a warning in the ovs-vtepd debugs: PTM socket error: Bad file descriptor. | 3.7.12-4.2.0 | 4.2.1-4.4.5| @@ -1345,10 +1345,10 @@ pdfhidden: True | [2551675](#2551675)
| When you restart clagd, the edge port setting on the peer link changes. | 3.7.2-4.2.0 | 4.2.1-4.4.5| | [2551651](#2551651)
| The net show dot1x interface summary command output shows a MAC address with all zeros associated with a port. | 3.7.12-4.2.0 | 4.2.1-4.4.5| | [2551578](#2551578)
| When you configure a bridge in the /etc/network/interfaces file, then try to reconfigure the bridge to be a VRF interface with the same name, ifreload/ifup commands fail with an invalid table id or unable to get vrf table id error. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | -| [2551543](#2551543)
| switchd might crash if more than 16 IPv6 default route next hops are installed in the kernel routing table and those 16 next hops recurse to MAC address table entries reachable over VXLAN VNI interfaces. This can occur when many IPv6 router advertisements (RAs) are received across VLAN interfaces that have IPv6 forwarding disabled.
To work around this issue, add the following parameters to the /etc/sysctl.conf file to disable IPv6 default route installation from received router advertisements, then run the sudo sysctl -p --system command.

net.ipv6.conf.all.accept_ra_defrtr = 0 
net.ipv6.conf.default.accept_ra_defrtr = 0
| 3.7.12 | 3.7.13-3.7.16| +| [2551543, 2552147](#2551543, 2552147)
| switchd might crash if more than 16 IPv6 default route next hops are installed in the kernel routing table and those 16 next hops recurse to MAC address table entries reachable over VXLAN VNI interfaces. This can occur when many IPv6 router advertisements (RAs) are received across VLAN interfaces that have IPv6 forwarding disabled.
To work around this issue, add the following parameters to the /etc/sysctl.conf file to disable IPv6 default route installation from received router advertisements, then run the sudo sysctl -p --system command.

net.ipv6.conf.all.accept_ra_defrtr = 0 
net.ipv6.conf.default.accept_ra_defrtr = 0
| 3.7.12 | 3.7.13-3.7.16| | [2551305](#2551305)
| The net show configuration command provides the wrong net add command for ACL under the VLAN interface.

| 3.7.12-3.7.16, 4.1.0-4.4.5 | | | [2551288](#2551288)
| When you remove BFD configuration by editing the /etc/frr/frr.conf file and restarting FRR, you see a traceback.
To work around this issue, either use NCLU or vtysh commands to remove the BFD configuration, or restart FRR with the new /etc/frr/frr.conf file. | 3.7.7-3.7.16 | 4.0.0-4.4.5| -| [2551161](#2551161)
| switchd memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time.
To work around this issue, correct the cause of the frequent link flaps. You can restart switchd with the sudo systemctl restart switchd command to recover memory; this operation is impactful to all traffic on the switch during the restart. | 3.7.11-3.7.12, 4.0.0-4.2.0 | 3.7.13-3.7.16, 4.2.1-4.4.5| +| [2551161, 2550590](#2551161, 2550590)
| switchd memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time.
To work around this issue, correct the cause of the frequent link flaps. You can restart switchd with the sudo systemctl restart switchd command to recover memory; this operation is impactful to all traffic on the switch during the restart. | 3.7.11-3.7.12, 4.0.0-4.2.0 | 3.7.13-3.7.16, 4.2.1-4.4.5| | [2550974](#2550974)
| On the Dell S3000 switch, after installing the Cumulus Linux 4.1.1 disk image without a license, the switch sends a link beat if a remote host port is configured. | 3.7.11-3.7.16, 4.1.1-4.4.5 | | | [2550942](#2550942)
| NCLU tab completion for net show displays the text add help text instead of system Information for the system option. | 3.7.11-4.2.0 | 4.2.1-4.4.5| | [2550796](#2550796)
| On a Broadcom switch with the Trident2+ ASIC, ACL rules for VLANs are not applied after a reboot and the counters remain at zero.
To work around this issue, either do not set acl.non_atomic_update_mode = TRUE in the /etc/cumulus/switchd.conf file or run the cl-acltool -i command after the reboot to install the ACLs. | 3.7.12-4.2.1 | 4.3.0-4.4.5| @@ -1381,12 +1381,12 @@ pdfhidden: True | [2548673](#2548673)
| A large number of flapping peers causes FRR to require a corresponding update to internal data structures that track peer information. Updating this internal data structure does not delete links that are down due to the flapping. The size of this array then grows to contain both current peers as well as peers that should have been deleted during the flap processing. The contents of this array is processed by FRR to poll the links, which consumes CPU for all items in the array. This additional polling consumes more CPU than necessary but has no functional impact.
To work around this issue, restart FRR. | 3.7.11-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5| | [2548659](#2548659)
| When a link flap occurs while IPv6 traffic traverses interfaces, a kernel panic may occur with the following logs printed to the console:

[1675080.282051] BUG: unable to handle kernel NULL pointer dereference at 0000000000000110
[1675080.291007] IP: [] fib6_lookup_1+0xac/0x170
...
[1675080.757405] Kernel panic - not syncing: Fatal exception in interrupt
| 3.7.12 | 3.7.13-3.7.16| | [2548657](#2548657)
| When you upgrade Cumulus Linux on the EdgeCore AS7726-32X or AS7326-56X switch, you might see firmware errors similar to the following:

W: Possible missing firmware /lib/firmware/tigon/tg3_tso5.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3_tso.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3.bin for module tg3

You can safely ignore these error messages. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | -| [2548585](#2548585)
| After you flap an MLAG peerlink, a rare condition might occur where routes and neighbors for VXLAN-enabled VLANs are misprogrammed as non-VXLAN routes and neighbors due to VNI state transitions. This results in a forwarding failure for traffic destined to these misprogrammed routes and neighbors.
*Note*: Do not flap a VNI interface manually. The only expected time for a VNI interface to go down is when the MLAG secondary switch brings the VNIs protodown during a peer link failure where the backup IP address is still active.
To recover from this condition, restart switchd with the sudo systemctl restart switchd command. | 3.7.10-3.7.12, 4.1.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5| +| [2548585, 2549256](#2548585, 2549256)
| After you flap an MLAG peerlink, a rare condition might occur where routes and neighbors for VXLAN-enabled VLANs are misprogrammed as non-VXLAN routes and neighbors due to VNI state transitions. This results in a forwarding failure for traffic destined to these misprogrammed routes and neighbors.
*Note*: Do not flap a VNI interface manually. The only expected time for a VNI interface to go down is when the MLAG secondary switch brings the VNIs protodown during a peer link failure where the backup IP address is still active.
To recover from this condition, restart switchd with the sudo systemctl restart switchd command. | 3.7.10-3.7.12, 4.1.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5| | [2548490](#2548490)
| A change in a route map prefix list that should remove a route might not be reflected in the ospf6 database or in peers, and the route might not be deleted.
To work around this issue, reenter the redistribute route-map statement in the configuration. | 3.7.11-4.1.1 | 4.2.0-4.4.5| | [2548485](#2548485)
| If you configure the aggregate-address
summary-only option before injecting a component of the same aggregate into the BGP table with the network or redistribute command, when you remove the aggregate-address configuration, the component stays suppressed; it is not advertised to peers. For example:Existing configuration:
router bgp 1
address-family ipv4 unicast
 aggregate-address 50.0.0.0/8 summary-only
exit-address-family
If you add network 50.0.0.1/32, you see the following (expected) BGP table entries:
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
             i internal, r RIB-failure, S Stale, R RemovedOrigin codes: i - IGP, e - EGP, ? - incomplete
  Network          Next Hop            Metric LocPrf Weight Path*> 50.0.0.0         0.0.0.0                            32768 is> 50.0.0.1/32      0.0.0.0                  0         32768 i
Removing aggregate-address 50.0.0.0/8 summary-only at this point results in the following (unexpected) BGP table entry:
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
             i internal, r RIB-failure, S Stale, R RemovedOrigin codes: i - IGP, e - EGP, ? - incomplete
  Network          Next Hop            Metric LocPrf Weight Paths> 50.0.0.1/32      0.0.0.0                  0         32768 i
To work around this issue, remove, then re-add the component prefix routes. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2548475](#2548475)
| After you add a new VNI and a layer 3 SVI to a set of leafs, certain leafs might not be able to communicate on the layer 3 VNI.
To work around this issue, reboot the leaf switch or restart switchd. | 3.7.6-3.7.16 | 4.0.0-4.4.5| | [2548382](#2548382)
| The QuantaMesh BMS T3048-LY8 switch shows a low fan RPM in syslog. | 3.7.5-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5| -| [2548372](#2548372)
| On the Edgecore AS5812 switch, the Innodisk DIMM causes a DIMM temperature sensor absent alert. | 3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5| +| [2548372, 2548371](#2548372, 2548371)
| On the Edgecore AS5812 switch, the Innodisk DIMM causes a DIMM temperature sensor absent alert. | 3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5| | [2548307](#2548307)
| When the garbage collector does not release memory back to the operating system, clagd might consume a large amount of memory. As a result of low system memory, systemd might shut down services to reclaim memory.
| 3.7.11-3.7.12, 4.1.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5| | [2548243](#2548243)
| On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules. | 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2548155](#2548155)
| The net show bgp neighbor swpX json command shows negative output for the bgpTimerUpMsec timer. | 3.7.10-3.7.16 | 4.0.0-4.4.5| @@ -1402,12 +1402,12 @@ pdfhidden: True | [2547784](#2547784)
| PTM mis-detects incorrect hostnames of LLDP neighbors and does not fail them as expected. Instead they end up in an N/A cabling status. | 3.7.11-4.1.1 | 4.2.0-4.4.5| | [2547782](#2547782)
| If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2547769](#2547769)
| syslog might report a high load average with the CPU running a later microcode revision. | 3.7.4-3.7.12 | 3.7.13-3.7.16| -| [2547706](#2547706)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2547706, 2544456, 2549513](#2547706, 2544456, 2549513)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2547666](#2547666)
| On the Dell S5232F-ON switch, the output of ledmgrd shows amber_blinking but smonctl shows all OK. | 3.7.11-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5| | [2547663](#2547663)
| When traffic from a double tag interface (facing a different site) is forwarded through VXLAN, the inner tag is not removed. The destination does not know this tag, so it discards it. | 3.7.8-4.0.1 | 4.1.0-4.4.5| | [2547659](#2547659)
| On the EdgeCore AS7326-56X switch, the default fan speed, which is defined in the thermal specification, results in excessive fan noise. | 3.7.11-4.0.1 | 4.1.0-4.4.5| | [2547658](#2547658)
| On the Lenovo NE0152T switch, one power supply (PSU2) always show as ABSENT in smonctl. | 3.7.11-3.7.12 | 3.7.13-3.7.16| -| [2547609](#2547609)
| Mellanox switches with the Spectrum A0 ASIC that are integrated with VMware NSX experience BFD connectivity issues with service nodes. As a result, VXLAN tunnels do not work.
Mellanox switches with the Spectrum A1 ASIC do **not** have this issue. | 3.7.11-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5| +| [2547609, 2548114](#2547609, 2548114)
| Mellanox switches with the Spectrum A0 ASIC that are integrated with VMware NSX experience BFD connectivity issues with service nodes. As a result, VXLAN tunnels do not work.
Mellanox switches with the Spectrum A1 ASIC do **not** have this issue. | 3.7.11-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5| | [2547592](#2547592)
| When you add a route map to advertise IPv4 unicast in a BGP EVPN configuration and the route map contains a set operation, BGP crashes. | 3.7.11-4.0.1 | 4.1.0-4.4.5| | [2547573](#2547573)
| On Tomahawk switches, when the vxlan_tnl_arp_punt_disable option is set to FALSE, ARP packets are not forwarded to the CPU. | 3.7.9-3.7.16 | | | [2547443](#2547443)
| On the Dell N3248PXE-ON switch, 25G SFP ports do not work in 10G mode. | 3.7.11-4.0.1 | 4.1.0-4.4.5| @@ -1422,15 +1422,15 @@ pdfhidden: True | [2547068](#2547068)
| Hardware platforms using the Intel D-1500 CPU series might reboot unexpectedly
To work around this issue, contact your hardware vendor to inquire if a new version of BIOS with a microcode fix is available or manually disable CPU C-states in the kernel as outlined below
To permanently disable C-states using a kernel boot parameter:1. Edit /etc/default/grub to add the argument processor.max_cstate=0 to the variable GRUB_CMDLINE_LINUX. For example, if /etc/default/grub file contains the line GRUB_CMDLINE_LINUX="cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off", change it to GRUB_CMDLINE_LINUX="cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off processor.max_cstate=0"2. Run sudo update-grub
3. Reboot the system with sudo reboot
To disable cstates in realtime on the current system, which does not persist through a reboot:1. Confirm that the libpci3 package is installed. Run dpkg-query -l libpci3 and confirm the following line is displayed:ii libpci3:amd64 1:3.2.1-3 amd64 Linux PCI Utilities (shared library)The first field above should read ii. If not, install the libpci3 package by running sudo apt upgrade;sudo apt install libpci3
2. Disable C-states by running the command ./cpupower idle-set -d 2
C-states are disabled by default in Cumulus Linux 4.3.0 and later. | 3.7.9-4.2.1 | 4.3.0-4.4.5| | [2546991](#2546991)
| The FRR service does not provide a way for automation to know if the configuration applied properly.
To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546984](#2546984)
| On the EdgeCore AS7326-56X switch, the PSU fans show constant LOW warnings. | 3.7.10-3.7.12, 4.0.0-4.2.0 | 3.7.13-3.7.16, 4.2.1-4.4.5| -| [2546950](#2546950)
| switchd crashes when dynamic VRF route leaking is enabled and the following is true:
* The default route is leaked from VRF1 to VRF2
* Hardware-based dynamic VRF route leaking is configured (vrf_route_leak_enable_dynamic is set to TRUE in the /etc/cumulus/switchd.conf file).
You might see logs similar to the following in /var/log/syslog:

kernel: [159400.526241] switchd[21374]: segfault at 1229cdd84 ip 00000000004142ca sp 00007ffd557a86d0 error 4 in switchd[400000+71000]

To work around this issue, use a route map to filter the default route (the source VRF is imported into the destination VRF). | 3.7.10-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5| +| [2546950, 2548887](#2546950, 2548887)
| switchd crashes when dynamic VRF route leaking is enabled and the following is true:
* The default route is leaked from VRF1 to VRF2
* Hardware-based dynamic VRF route leaking is configured (vrf_route_leak_enable_dynamic is set to TRUE in the /etc/cumulus/switchd.conf file).
You might see logs similar to the following in /var/log/syslog:

kernel: [159400.526241] switchd[21374]: segfault at 1229cdd84 ip 00000000004142ca sp 00007ffd557a86d0 error 4 in switchd[400000+71000]

To work around this issue, use a route map to filter the default route (the source VRF is imported into the destination VRF). | 3.7.10-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5| | [2546895](#2546895)
| If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:
bq. systemd[1]: switchd.service watchdog timeout (limit 2min)!
To workaround this issue, either reduce the number of configured interfaces and, or VLANs, or increase the systemd timeout for switchd.service
To increase the systemd timeout:1.Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter
2.Restart the switchd service with the sudo systemctl restart switchd.service command
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546577](#2546577)
| A traditional bridge with QinQ and a VNI does not work for tagged traffic. | 3.7.10-4.0.1 | 4.1.0-4.4.5| | [2546450](#2546450)
| On the EdgeCore AS7326-56X switch, you might see the RPM of certain fans run over the maximum threshold. | 3.7.11-3.7.16 | | | [2546385](#2546385)
| SNMP ifLastChange reports link transitions when there are none. | 3.7.6-3.7.16 | | -| [2546225](#2546225)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546225, 2541038](#2546225, 2541038)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546203](#2546203)
| When using QinQ with a traditional bridge, if you enable the LLDP dot1 TLV option, you see the following suboptimal behavior:
* Both the inner and outer VLAN information is sent as part of VLAN TLVs in the LLDP packet.
* If the outer VLAN ID is the same as the inner VLAN ID, only one VLAN TLV is sent with that VLAN ID in the LLDP packet. | 3.7.11-3.7.16 | | -| [2546141](#2546141)
| CPU usage might be higher than normal if you have a high number of interfaces x VLANs and lldpd is active. This issue is introduced with code changes in Cumulus Linux 3.7.11, where VLAN information is now available for LLDP to advertise to neighbors ([https://docs.cumulusnetworks.com/version/cumulus-linux-37/Layer-2/Link-Layer-Discovery-Protocol/#vlan-dot1-tlv]). You might see high CPU usage even if VLAN (dot1) TLV configuration is disabled.
To check if lldpd is the heavy CPU resource user, run the following command:

cumulus@switch:~$  ps -eo user,pid,ppid,cmd,%mem,%cpu --sort=-%cpu \| head

Alternatively, check for messages in the /var/log/syslog directory similar to:

2020-02-20T15:02:12.137857-05:00 leaf01 sysmonitor: High CPU use: 87%
2020-02-20T15:02:12.482398-05:00 leaf01 sysmonitor:   PID USER      PR    VIRT    RES %CPU %MEM     TIME+ COMMAND
2020-02-20T15:02:12.483112-05:00 leaf01 sysmonitor:  1570 _lldpd    20   73244  13800 76.6  0.3   4:43.06 lldpd

*Note*: The exact amount of CPU usage varies in each network based on a number of factors; however, it is unusual for lldpd to consume more than 30% CPU for an extended period of time.
To work around this issue, you can do one of the following:
* If the large number of VLANs is not absolutely necessary, manually prune the VLAN allowed list (if you use the range 1-2999, modify the bridge-vids list to include the VLANs being used).
* Stop the lldpd service. (This approach might be undesirable if the switch is providing services that rely on LLDP such as Voice VLAN.) To stop the lldpd service (runtime setting), run the sudo systemctl stop lldpd.service command. To disable the lldpd service upon boot, run sudo systemctl disable lldpd.service. | 3.7.11-4.0.1 | 4.1.0-4.4.5| -| [2546131](#2546131)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546141, 2548774](#2546141, 2548774)
| CPU usage might be higher than normal if you have a high number of interfaces x VLANs and lldpd is active. This issue is introduced with code changes in Cumulus Linux 3.7.11, where VLAN information is now available for LLDP to advertise to neighbors ([https://docs.cumulusnetworks.com/version/cumulus-linux-37/Layer-2/Link-Layer-Discovery-Protocol/#vlan-dot1-tlv]). You might see high CPU usage even if VLAN (dot1) TLV configuration is disabled.
To check if lldpd is the heavy CPU resource user, run the following command:

cumulus@switch:~$  ps -eo user,pid,ppid,cmd,%mem,%cpu --sort=-%cpu \| head

Alternatively, check for messages in the /var/log/syslog directory similar to:

2020-02-20T15:02:12.137857-05:00 leaf01 sysmonitor: High CPU use: 87%
2020-02-20T15:02:12.482398-05:00 leaf01 sysmonitor:   PID USER      PR    VIRT    RES %CPU %MEM     TIME+ COMMAND
2020-02-20T15:02:12.483112-05:00 leaf01 sysmonitor:  1570 _lldpd    20   73244  13800 76.6  0.3   4:43.06 lldpd

*Note*: The exact amount of CPU usage varies in each network based on a number of factors; however, it is unusual for lldpd to consume more than 30% CPU for an extended period of time.
To work around this issue, you can do one of the following:
* If the large number of VLANs is not absolutely necessary, manually prune the VLAN allowed list (if you use the range 1-2999, modify the bridge-vids list to include the VLANs being used).
* Stop the lldpd service. (This approach might be undesirable if the switch is providing services that rely on LLDP such as Voice VLAN.) To stop the lldpd service (runtime setting), run the sudo systemctl stop lldpd.service command. To disable the lldpd service upon boot, run sudo systemctl disable lldpd.service. | 3.7.11-4.0.1 | 4.1.0-4.4.5| +| [2546131, 2542979](#2546131, 2542979)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546010](#2546010)
| When hal.bcm.per_vlan_router_mac_lookup is set to TRUE in the /etc/cumulus/switchd.conf file, inter-VLAN traffic is forwarded to the CPU when associated VNI interfaces exist. | 3.7.10-3.7.16 | | | [2545997](#2545997)
| The NCLU command net show interface produces an error if bonds with no members exist.
To work around this issue, remove the empty Bond interfaces from the /etc/network/interfaces file and run sudo ifreload -a. | 3.7.10-3.7.16 | | | [2545699](#2545699)
| On the Celestica Pebble switch, if you use IPv6 routes with mask /65 to /127, the switchd log fills with errors. | 3.7.10-4.0.1 | 4.1.0-4.4.5| @@ -1445,31 +1445,31 @@ pdfhidden: True | [2544829](#2544829)
| Frames received with a VLAN tag of 0 on an interface configured as a bridge port and forwarded to the CPU for processing might appear tagged with the native VLAN when viewed with tcpdump. | 3.7.8-3.7.16 | | | [2544556](#2544556)
| If you reconfigure an NTP server with NCLU using different trailing options after the IP address (such as iburst), an invalid configuration is added to the /etc/ntp.conf file. For example:

net add time ntp server 1.2.3.4 iburst
net commit
net add time ntp server 1.2.3.4
net commit

If you need to alter existing server configurations, first remove the server, commit, then re-add the server with any trailing options. | 3.7.9-4.1.1 | 4.2.0-4.4.5| | [2544463](#2544463)
| Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | -| [2544456](#2544456)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | +| [2544456, 2546166, 2546167, 2547706, 2549513](#2544456, 2546166, 2546167, 2547706, 2549513)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544311](#2544311)
| Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544155](#2544155)
| NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order.

| 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544113](#2544113)
| Mac learning is not disabled by default on a double tagged peer link interface resulting in the MAC address changing between the MLAG bond and the peer link.
To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the etc/network/interfaces file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2543900](#2543900)
| On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | | -| [2543841](#2543841)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | +| [2543841, 2544947](#2543841, 2544947)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | | [2543840](#2543840)
| On the Mellanox SN2700 switch, you cannot enable resilient hashing (RASH) and set the bucket size to 64 in the traffic.conf file.

| 3.7.6-3.7.16 | | | [2543800](#2543800)
| When local-tunnelip is an SVI, the static VXLAN tunnel does not work; the next hop router receives the packet but drops it as it does not know where to forward the packet. The static VXLAN tunnel does works if local-tunnelip is a loopback or a physical layer 3 interface.
| 3.7.8-3.7.16 | 4.0.0-4.4.5| -| [2543792](#2543792)
| On the EdgeCore AS5712, AS6712, AS5812 and AS6812 switch, support for multiple PSU types results in log messages similar to the following:

2019-09-05T05:15:17.246597+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.274521+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
2019-09-05T05:15:17.469556+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.497514+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
| 3.7.9-4.0.1 | 4.1.0-4.4.5| +| [2543792, 2545026](#2543792, 2545026)
| On the EdgeCore AS5712, AS6712, AS5812 and AS6812 switch, support for multiple PSU types results in log messages similar to the following:

2019-09-05T05:15:17.246597+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.274521+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
2019-09-05T05:15:17.469556+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.497514+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
| 3.7.9-4.0.1 | 4.1.0-4.4.5| | [2543648](#2543648)
| You cannot specify a source and destination MAC address in an ERSPAN ebtables rule. For example, the following rule does not work:

-A FORWARD -i swp5 -s 00:25:90:b2:bd:9d -d 50:6b:4b:96:c4:04 -j erspan --src-ip 100.1.1.2 --dst-ip 100.1.1.1 --ttl 64
| 3.7.6-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5| | [2543647](#2543647)
| ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:

-A FORWARD -i vni10 -j erspan --src-ip 100.1.1.2 --dst-ip 100.1.1.1 --ttl 64
| 3.7.6-4.2.1 | 4.3.0-4.4.5| | [2543646](#2543646)
| In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2543627](#2543627)
| Tomahawk 40G DACs cannot disable auto-negotiation. | 3.7.7-3.7.16 | 4.0.0-4.4.5| | [2543472](#2543472)
| On switches with the Spectrum ASIC, the underlay hashes VXLAN packets for a given overlay flow randomly.
To work around this issue, configure the ECMP hash seed to the same value on the EVPN egress leaf switches. | 3.7.7-4.0.1 | 4.1.0-4.4.5| -| [2543270](#2543270)
| The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5| +| [2543270, 2549352](#2543270, 2549352)
| The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5| | [2543211](#2543211)
| In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2543164](#2543164)
| The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2543096](#2543096)
| When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2543058](#2543058)
| The IP neighbor entry for a link-local next hop is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces.
To work around this issue, flap the peering to the peer router (which might be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces. | 3.7.7-3.7.16 | 4.0.0-4.4.5| | [2543052](#2543052)
| Received EVPN type-5 and type-2 MACIP routes are not installed in the kernel (and hardware) routing tables for the associated VRF, which causes traffic to be blackholed. The failure to install the default route causes complete reachability failure for the particular tenant on the affected racks. The routes that are not installed are seen as "inactive" in the routing subsystem (FRR) VRF routing table. This problem is rare and can occur only in EVPN configurations that have user-configured route targets (RTs) for tenant VRFs, and only following a restart of FRR.
To work around this issue, either restart the FRR service on the affected switch with the sudo systemctl restart frr.service command or bounce the layer 3 SVI for the affected VRF; for example:

ifdown vlan123 ; sleep 2 ; ifup vlan123

You can run the net show vrf vni command to print a mapping of VRF : L3-VNI : L3-SVI. | 3.7.5-3.7.16 | 4.0.0-4.4.5| | [2543044](#2543044)
| Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up.
You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up. | 3.7.2-3.7.16 | 4.0.0-4.4.5| -| [2542979](#2542979)
| On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5| +| [2542979, 2546131](#2542979, 2546131)
| On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5| | [2542945](#2542945)
| On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags.
To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad: 

cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2542767](#2542767)
| If the BMC operating system fails to respond to IPMI, you see a traceback in bmcd and all the sensors might report ABSENT devices in smonctl.
To work around this issue, power cycle the switch.
| 3.7.6-4.0.1 | 4.1.0-4.4.5| -| [2542310](#2542310)
| hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6.
| 3.7.6-3.7.16 | | +| [2542310, 2523456](#2542310, 2523456)
| hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6.
| 3.7.6-3.7.16 | | | [2542305](#2542305)
| If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2542301](#2542301)
| When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2541212](#2541212)
| The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | @@ -1483,7 +1483,7 @@ pdfhidden: True | [2540352](#2540352)
| When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a _match interface_ condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9 
net add routing route-map Proxy-ARP permit 30 match interface swp10

| 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2540340](#2540340)
| NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example: 
 
 cumulus@switch:~$ net add vrf mgmt

Tab completion for the net add vrf ip address
command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540274](#2540274)
| On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | -| [2540204](#2540204)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540204, 2713883](#2540204, 2713883)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540192](#2540192)
| The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540155](#2540155)
| On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2540042](#2540042)
| When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example: 
 
cumulus@switch:~$ sudo vtysh 
switch# configure terminal 
switch(config)# interface br0.100 
switch(config-if)# vrrp 1 priority 110 
switch(config-if)# vrrp 1 advertisement-interval 
switch(config-if)# end 
switch# write memory 
switch# exit 
cumulus@switch:~

| 3.7.4-3.7.16, 4.0.0-4.4.5 | | @@ -1502,12 +1502,12 @@ pdfhidden: True | [2538302](#2538302)
| portwd allows an error to change the module type based on the error. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap.
| 3.7.0-3.7.16 | | | [2538294](#2538294)
| If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2538256](#2538256)
| On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets.
| 3.7.2-4.0.1 | 4.1.0-4.4.5| -| [2537819](#2537819)
| When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
| 3.7.2-3.7.16 | 4.0.0-4.4.5| +| [2537819, 2542964](#2537819, 2542964)
| When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
| 3.7.2-3.7.16 | 4.0.0-4.4.5| | [2537699](#2537699)
| There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces: 
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
| 3.7.1-3.7.16, 4.0.0-4.4.5 | | -| [2537544](#2537544)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2537544, 2537365](#2537544, 2537365)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | | [2537378](#2537378)
| NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.
To work around this issue, stop snmpd, remove the cache file, then restart snmpd.
| 3.7.1-3.7.16 | | | [2537188](#2537188)
| When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.
This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network.
| 3.7.2-3.7.16 | | -| [2537104](#2537104)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | 4.0.0-4.4.5| +| [2537104, 2534061](#2537104, 2534061)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | 4.0.0-4.4.5| | [2537061](#2537061)
| The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent.
| 3.7.1-4.0.1 | 4.1.0-4.4.5| | [2536608](#2536608)
| Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI.
| 3.7.0-3.7.16 | | | [2536384](#2536384)
| The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | @@ -1539,12 +1539,12 @@ pdfhidden: True | [2546264](#2546264)
| Ifupdown2 does not set up the front panel interface for the dhclient to accept the DHCP OFFER.
To work around this issue, restart the networking service after ifreload -a with the systemctl restart networking command. | 3.7.10-3.7.11, 4.0.0-4.0.1 | | | [2546003](#2546003)
| On the Delta AG6248C PoE switch, if the PoE priority is set to low on some ports, other ports with a higher priority might have their requests to draw power rejected instead of the lower priority ports being brought down. | 3.7.11 | | | [2545971](#2545971)
| The ports.conf file on the Dell S5248F-ON switch does not show port ganging or breakout options. | 3.7.10-3.7.11 | | -| [2545948](#2545948)
| All Broadcom Trident3 X7 switches contain PCIE firmware, which is programmed by the vendor when the switch is manufactured. The latest version of this firmware (2.6) is incompatible with Cumulus Linux 3.7.11 and earlier, and Cumulus Linux 4.0.
To work around this issue, downgrade the Broadcom ASIC firmware to an earlier version. | 3.7.11, 4.0.0-4.0.1 | | +| [2545948, 2546356, 2546370, 2546539, 2546711, 2546712, 2546916, 2545172, 2546539](#2545948, 2546356, 2546370, 2546539, 2546711, 2546712, 2546916, 2545172, 2546539)
| All Broadcom Trident3 X7 switches contain PCIE firmware, which is programmed by the vendor when the switch is manufactured. The latest version of this firmware (2.6) is incompatible with Cumulus Linux 3.7.11 and earlier, and Cumulus Linux 4.0.
To work around this issue, downgrade the Broadcom ASIC firmware to an earlier version. | 3.7.11, 4.0.0-4.0.1 | | | [2545837](#2545837)
| If you use the NCLU commands to configure NTP and run the net add time ntp source command before you run the net add time ntp server iburst command, the /etc/ntp.conf file is misconfigured.
To work around this issue, run the net add time ntp server iburst command before you run the net add time ntp source command. | 3.7.10-3.7.11, 4.0.0-4.4.5 | | | [2545599](#2545599)
| IPv6 table rules might affect forwarding. For example, if you create the following rule in the /etc/cumulus/acl/policy.d/03-sshd.rules file, the rule counter increments but IPv4 SSH traffic might be dropped.

[ip6tables]
-A INPUT -p tcp --dport 22 -j DROP
| 3.7.2-3.7.11, 4.0.0-4.0.1 | | | [2545316](#2545316)
| When an interface flap occurs, numbered IPv6 BGP sessions might fail to establish.
To work around this issue, run the ip -6 route flush cache command to flush the IPv6 route cache. | 3.7.9-3.7.11 | | | [2544937](#2544937)
| The neighmgrd service does not ignore neighbors on reserved devices (lo and management devices). This issue is not seen when management VRF is enabled. | 3.7.8-3.7.11 | | -| [2544853](#2544853)
| On the Dell S5248F-ON switch, CPU core temp sensors may show as ABSENT. | 4.0.0-4.0.1 | | +| [2544853, 2545726](#2544853, 2545726)
| On the Dell S5248F-ON switch, CPU core temp sensors may show as ABSENT. | 4.0.0-4.0.1 | | | [2544012](#2544012)
| After you remove a subinterface, the BGP session stays in a Connect state. | 3.7.8-3.7.11 | | | [2543903](#2543903)
| The Dell N3048EP, N3048UP, and N3248PXE switches do not report the class correctly when the powered device (PD) requests a class that is greater than four. The actual power grant is correct; however, poectl displays the class as 4 for a PD requesting anything above that value. | | | | [2543816](#2543816)
| On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages.
| 3.7.6-3.7.11, 4.0.0-4.4.5 | | @@ -1575,16 +1575,16 @@ pdfhidden: True | [2554785](#2554785)
| After you reboot a Broadcom switch, switchd might fail to restart and you see logs in switchd.log similar to the following:
Nov 12 12:20:05.063876 leaf01 switchd[9867]:Nov 12 12:20:05.064310 leaf01 switchd[9867]: hal_bcm_console.c:294 0:system_init:Nov 12 12:20:05.064428 leaf01 switchd[9867]: hal_bcm_console.c:294 system_init: Misc init failed: Operation timed outNov 12 12:20:05.064464 leaf01 switchd[9867]:Nov 12 12:20:05.091995 leaf01 switchd[9867]: hal_bcm_console.c:294 LED: Loading 256 bytes into LED program memoryNov 12 12:20:05.092029 leaf01 switchd[9867]:Nov 12 12:20:05.099547 leaf01 switchd[9867]: hal_bcm_console.c:294 PORT: Error: bcm ports not initializedNov 12 12:20:05.099579 leaf01 switchd[9867]:Nov 12 12:20:05.099646 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /var/lib/cumulus/rc.datapath_0: line 81 (error code -1): script terminatedNov 12 12:20:05.099667 leaf01 switchd[9867]:Nov 12 12:20:05.099775 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /etc/bcm.d/rc.soc: line 70 (error code -1): script terminatedNov 12 12:20:05.099798 leaf01 switchd[9867]:Nov 12 12:20:05.099871 leaf01 switchd[9867]: hal_bcm_console.c:294 ERROR loading rc script on unit 0Nov 12 12:20:05.099892 leaf01 switchd[9867]:Nov 12 12:20:05.099943 leaf01 switchd[9867]: hal_bcm_console.c:299 CRIT loading of rc script failed, aborting!
To work around this issue, configure Cumulus Linux to boot with the ntel_iommu=off kernel command option:1. Open the /etc/default/grub file with a text editor
2. Edit the GRUB_CMDLINE_LINUX variable by adding the string intel_iommu=off at the end. For example: GRUB_CMDLINE_LINUX="cl_platform=cel_e1031 console=ttyS1,115200n8 intel_iommu=off"3. Run the update-grub command
4. Reboot the switch. | 3.7.11-4.2.1 | 4.3.0-4.4.5| | [2553887](#2553887)
| When using TACACS+ configured with a DEFAULT user providing privilege level lower than 16, TACACS+ configured users with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del and see an error similar to the following:

ERROR: You do not have permission to execute that command.

To work around this issue, remove the DEFAULT user from the TACACS+ server. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2553748](#2553748)
| On switches with the Spectrum ASIC, the IPv6 default route is present in the kernel but missing in hardware. | 3.7.11-4.2.1 | 4.3.0-4.4.5| -| [2553530](#2553530)
| In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated.
To work around this issue, restart FRR with the sudo systemctl restart frr.service command.

| 3.7.10-4.2.1 | 4.3.0-4.4.5| +| [2553530, 2553349](#2553530, 2553349)
| In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated.
To work around this issue, restart FRR with the sudo systemctl restart frr.service command.

| 3.7.10-4.2.1 | 4.3.0-4.4.5| | [2553015](#2553015)
| If a neighbour contains a special character in PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail. | 3.7.10-3.7.16, 4.2.0-4.4.5 | | | [2552739](#2552739)
| Counters for IPROUTER rules do not increase when traffic is forwarded to the CPU because there is no IP neighbor. | 3.7.2-3.7.16 | | | [2552647](#2552647)
| When you add a member to a bond that has a subinterface configured (such as peerlink.4094), the new member is assigned only the VLAN of the subinterface for forwarding.
To work around this issue, bounce the bond or shutdown the new interface and use the remaining members over the bond. | 3.7.10-4.2.0 | 4.2.1-4.4.5| | [2552528](#2552528)
| Ingress SPAN/ERSPAN does not mirror packets when the next hop is EVPN encapsulated. | 3.7.7-4.2.1 | 4.3.0-4.4.5| -| [2552506](#2552506)
| Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports.
To work around this issue, manually set the MAC address of the bridge interface by adding hwaddress to the bridge stanza in the /etc/network/interfaces file. | 3.7.11-4.2.0 | 4.2.1-4.4.5| -| [2552214](#2552214)
| The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages. | 3.7.11-3.7.14.2, 4.1.1-4.3.0 | 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5| +| [2552506, 2552604](#2552506, 2552604)
| Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports.
To work around this issue, manually set the MAC address of the bridge interface by adding hwaddress to the bridge stanza in the /etc/network/interfaces file. | 3.7.11-4.2.0 | 4.2.1-4.4.5| +| [2552214, 2553637](#2552214, 2553637)
| The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages. | 3.7.11-3.7.14.2, 4.1.1-4.3.0 | 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5| | [2551675](#2551675)
| When you restart clagd, the edge port setting on the peer link changes. | 3.7.2-4.2.0 | 4.2.1-4.4.5| | [2551288](#2551288)
| When you remove BFD configuration by editing the /etc/frr/frr.conf file and restarting FRR, you see a traceback.
To work around this issue, either use NCLU or vtysh commands to remove the BFD configuration, or restart FRR with the new /etc/frr/frr.conf file. | 3.7.7-3.7.16 | 4.0.0-4.4.5| -| [2551161](#2551161)
| switchd memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time.
To work around this issue, correct the cause of the frequent link flaps. You can restart switchd with the sudo systemctl restart switchd command to recover memory; this operation is impactful to all traffic on the switch during the restart. | 3.7.11-3.7.12, 4.0.0-4.2.0 | 3.7.13-3.7.16, 4.2.1-4.4.5| +| [2551161, 2550590](#2551161, 2550590)
| switchd memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time.
To work around this issue, correct the cause of the frequent link flaps. You can restart switchd with the sudo systemctl restart switchd command to recover memory; this operation is impactful to all traffic on the switch during the restart. | 3.7.11-3.7.12, 4.0.0-4.2.0 | 3.7.13-3.7.16, 4.2.1-4.4.5| | [2550974](#2550974)
| On the Dell S3000 switch, after installing the Cumulus Linux 4.1.1 disk image without a license, the switch sends a link beat if a remote host port is configured. | 3.7.11-3.7.16, 4.1.1-4.4.5 | | | [2550942](#2550942)
| NCLU tab completion for net show displays the text add help text instead of system Information for the system option. | 3.7.11-4.2.0 | 4.2.1-4.4.5| | [2550600](#2550600)
| The received PVST BPDU for a VLAN is flooded even though the ingress port doesn't have the VLAN tagged. | 3.7.8-3.7.14.2, 4.0.0-4.3.0 | 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5| @@ -1599,7 +1599,7 @@ pdfhidden: True | [2548930](#2548930)
| On Mellanox Spectrum switches that contain an OSPF IP unnumbered neighborship with a high scale of prefixes being learned, a link flap might cause the neighbor entry to not be programmed in hardware. | 3.7.11-4.2.1 | 4.3.0-4.4.5| | [2548746](#2548746)
| On the Broadcom switch with the Trident3 ASIC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect. | 3.7.11-4.1.1 | 4.2.0-4.4.5| | [2548673](#2548673)
| A large number of flapping peers causes FRR to require a corresponding update to internal data structures that track peer information. Updating this internal data structure does not delete links that are down due to the flapping. The size of this array then grows to contain both current peers as well as peers that should have been deleted during the flap processing. The contents of this array is processed by FRR to poll the links, which consumes CPU for all items in the array. This additional polling consumes more CPU than necessary but has no functional impact.
To work around this issue, restart FRR. | 3.7.11-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5| -| [2548585](#2548585)
| After you flap an MLAG peerlink, a rare condition might occur where routes and neighbors for VXLAN-enabled VLANs are misprogrammed as non-VXLAN routes and neighbors due to VNI state transitions. This results in a forwarding failure for traffic destined to these misprogrammed routes and neighbors.
*Note*: Do not flap a VNI interface manually. The only expected time for a VNI interface to go down is when the MLAG secondary switch brings the VNIs protodown during a peer link failure where the backup IP address is still active.
To recover from this condition, restart switchd with the sudo systemctl restart switchd command. | 3.7.10-3.7.12, 4.1.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5| +| [2548585, 2549256](#2548585, 2549256)
| After you flap an MLAG peerlink, a rare condition might occur where routes and neighbors for VXLAN-enabled VLANs are misprogrammed as non-VXLAN routes and neighbors due to VNI state transitions. This results in a forwarding failure for traffic destined to these misprogrammed routes and neighbors.
*Note*: Do not flap a VNI interface manually. The only expected time for a VNI interface to go down is when the MLAG secondary switch brings the VNIs protodown during a peer link failure where the backup IP address is still active.
To recover from this condition, restart switchd with the sudo systemctl restart switchd command. | 3.7.10-3.7.12, 4.1.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5| | [2548490](#2548490)
| A change in a route map prefix list that should remove a route might not be reflected in the ospf6 database or in peers, and the route might not be deleted.
To work around this issue, reenter the redistribute route-map statement in the configuration. | 3.7.11-4.1.1 | 4.2.0-4.4.5| | [2548475](#2548475)
| After you add a new VNI and a layer 3 SVI to a set of leafs, certain leafs might not be able to communicate on the layer 3 VNI.
To work around this issue, reboot the leaf switch or restart switchd. | 3.7.6-3.7.16 | 4.0.0-4.4.5| | [2548382](#2548382)
| The QuantaMesh BMS T3048-LY8 switch shows a low fan RPM in syslog. | 3.7.5-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5| @@ -1614,12 +1614,12 @@ pdfhidden: True | [2547784](#2547784)
| PTM mis-detects incorrect hostnames of LLDP neighbors and does not fail them as expected. Instead they end up in an N/A cabling status. | 3.7.11-4.1.1 | 4.2.0-4.4.5| | [2547782](#2547782)
| If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2547769](#2547769)
| syslog might report a high load average with the CPU running a later microcode revision. | 3.7.4-3.7.12 | 3.7.13-3.7.16| -| [2547706](#2547706)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2547706, 2544456, 2549513](#2547706, 2544456, 2549513)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2547666](#2547666)
| On the Dell S5232F-ON switch, the output of ledmgrd shows amber_blinking but smonctl shows all OK. | 3.7.11-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5| | [2547663](#2547663)
| When traffic from a double tag interface (facing a different site) is forwarded through VXLAN, the inner tag is not removed. The destination does not know this tag, so it discards it. | 3.7.8-4.0.1 | 4.1.0-4.4.5| | [2547659](#2547659)
| On the EdgeCore AS7326-56X switch, the default fan speed, which is defined in the thermal specification, results in excessive fan noise. | 3.7.11-4.0.1 | 4.1.0-4.4.5| | [2547658](#2547658)
| On the Lenovo NE0152T switch, one power supply (PSU2) always show as ABSENT in smonctl. | 3.7.11-3.7.12 | 3.7.13-3.7.16| -| [2547609](#2547609)
| Mellanox switches with the Spectrum A0 ASIC that are integrated with VMware NSX experience BFD connectivity issues with service nodes. As a result, VXLAN tunnels do not work.
Mellanox switches with the Spectrum A1 ASIC do **not** have this issue. | 3.7.11-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5| +| [2547609, 2548114](#2547609, 2548114)
| Mellanox switches with the Spectrum A0 ASIC that are integrated with VMware NSX experience BFD connectivity issues with service nodes. As a result, VXLAN tunnels do not work.
Mellanox switches with the Spectrum A1 ASIC do **not** have this issue. | 3.7.11-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5| | [2547592](#2547592)
| When you add a route map to advertise IPv4 unicast in a BGP EVPN configuration and the route map contains a set operation, BGP crashes. | 3.7.11-4.0.1 | 4.1.0-4.4.5| | [2547573](#2547573)
| On Tomahawk switches, when the vxlan_tnl_arp_punt_disable option is set to FALSE, ARP packets are not forwarded to the CPU. | 3.7.9-3.7.16 | | | [2547557](#2547557)
| On the EdgeCore Wedge100 and Facebook Wedge-100S switch, certain physical ports are not correctly mapped to the logical ones. For example:
Logical swp39 controls physical swp41
Logical swp40 controls physical swp42
Logical swp43 controls physical swp45
Logical swp44 controls physical swp46
This might causes incorrect forwarding behavior. | 3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5| @@ -1644,7 +1644,7 @@ pdfhidden: True | [2546998](#2546998)
| When you configure Cumulus Linux with a /32 address on a switch port with a configured peer address (for example, to connect to a device using IP unnumbered), the switch sends GARPs for the peer address. | 3.7.5-3.7.11 | 3.7.12-3.7.16, 4.1.0-4.4.5| | [2546991](#2546991)
| The FRR service does not provide a way for automation to know if the configuration applied properly.
To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546984](#2546984)
| On the EdgeCore AS7326-56X switch, the PSU fans show constant LOW warnings. | 3.7.10-3.7.12, 4.0.0-4.2.0 | 3.7.13-3.7.16, 4.2.1-4.4.5| -| [2546950](#2546950)
| switchd crashes when dynamic VRF route leaking is enabled and the following is true:
* The default route is leaked from VRF1 to VRF2
* Hardware-based dynamic VRF route leaking is configured (vrf_route_leak_enable_dynamic is set to TRUE in the /etc/cumulus/switchd.conf file).
You might see logs similar to the following in /var/log/syslog:

kernel: [159400.526241] switchd[21374]: segfault at 1229cdd84 ip 00000000004142ca sp 00007ffd557a86d0 error 4 in switchd[400000+71000]

To work around this issue, use a route map to filter the default route (the source VRF is imported into the destination VRF). | 3.7.10-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5| +| [2546950, 2548887](#2546950, 2548887)
| switchd crashes when dynamic VRF route leaking is enabled and the following is true:
* The default route is leaked from VRF1 to VRF2
* Hardware-based dynamic VRF route leaking is configured (vrf_route_leak_enable_dynamic is set to TRUE in the /etc/cumulus/switchd.conf file).
You might see logs similar to the following in /var/log/syslog:

kernel: [159400.526241] switchd[21374]: segfault at 1229cdd84 ip 00000000004142ca sp 00007ffd557a86d0 error 4 in switchd[400000+71000]

To work around this issue, use a route map to filter the default route (the source VRF is imported into the destination VRF). | 3.7.10-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5| | [2546895](#2546895)
| If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:
bq. systemd[1]: switchd.service watchdog timeout (limit 2min)!
To workaround this issue, either reduce the number of configured interfaces and, or VLANs, or increase the systemd timeout for switchd.service
To increase the systemd timeout:1.Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter
2.Restart the switchd service with the sudo systemctl restart switchd.service command
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546868](#2546868)
| Broadcom Field Alert - SID - MMU 2B Errors
A few of the MMU memories on Broadcom switches are grouped together with single parity control. During SER correction when a parity error occurs on one of those groups, other memory in that group might also report a SER error. This occurs when the memory is accessed either by a packet hit or through a schan operation. This issue can cause SER errors in other memory and cause traffic mis-forwarding or a packet drop. | 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5| | [2546815](#2546815)
| On the Delta AG6248C switch, the NCLU net show system sensors command shows an error:

Could not collect output from command: ['/usr/sbin/smonctl']

To work around this issue, run the net show system sensors json command instead. | 3.7.11 | 3.7.12-3.7.16| @@ -1656,15 +1656,15 @@ pdfhidden: True | [2546385](#2546385)
| SNMP ifLastChange reports link transitions when there are none. | 3.7.6-3.7.16 | | | [2546328](#2546328)
| A memory leak in switchd might occur, which causes switchd to restart. | 3.7.10-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5| | [2546264](#2546264)
| Ifupdown2 does not set up the front panel interface for the dhclient to accept the DHCP OFFER.
To work around this issue, restart the networking service after ifreload -a with the systemctl restart networking command. | 3.7.10-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5| -| [2546225](#2546225)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546225, 2541038](#2546225, 2541038)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546203](#2546203)
| When using QinQ with a traditional bridge, if you enable the LLDP dot1 TLV option, you see the following suboptimal behavior:
* Both the inner and outer VLAN information is sent as part of VLAN TLVs in the LLDP packet.
* If the outer VLAN ID is the same as the inner VLAN ID, only one VLAN TLV is sent with that VLAN ID in the LLDP packet. | 3.7.11-3.7.16 | | -| [2546141](#2546141)
| CPU usage might be higher than normal if you have a high number of interfaces x VLANs and lldpd is active. This issue is introduced with code changes in Cumulus Linux 3.7.11, where VLAN information is now available for LLDP to advertise to neighbors ([https://docs.cumulusnetworks.com/version/cumulus-linux-37/Layer-2/Link-Layer-Discovery-Protocol/#vlan-dot1-tlv]). You might see high CPU usage even if VLAN (dot1) TLV configuration is disabled.
To check if lldpd is the heavy CPU resource user, run the following command:

cumulus@switch:~$  ps -eo user,pid,ppid,cmd,%mem,%cpu --sort=-%cpu \| head

Alternatively, check for messages in the /var/log/syslog directory similar to:

2020-02-20T15:02:12.137857-05:00 leaf01 sysmonitor: High CPU use: 87%
2020-02-20T15:02:12.482398-05:00 leaf01 sysmonitor:   PID USER      PR    VIRT    RES %CPU %MEM     TIME+ COMMAND
2020-02-20T15:02:12.483112-05:00 leaf01 sysmonitor:  1570 _lldpd    20   73244  13800 76.6  0.3   4:43.06 lldpd

*Note*: The exact amount of CPU usage varies in each network based on a number of factors; however, it is unusual for lldpd to consume more than 30% CPU for an extended period of time.
To work around this issue, you can do one of the following:
* If the large number of VLANs is not absolutely necessary, manually prune the VLAN allowed list (if you use the range 1-2999, modify the bridge-vids list to include the VLANs being used).
* Stop the lldpd service. (This approach might be undesirable if the switch is providing services that rely on LLDP such as Voice VLAN.) To stop the lldpd service (runtime setting), run the sudo systemctl stop lldpd.service command. To disable the lldpd service upon boot, run sudo systemctl disable lldpd.service. | 3.7.11-4.0.1 | 4.1.0-4.4.5| -| [2546131](#2546131)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546141, 2548774](#2546141, 2548774)
| CPU usage might be higher than normal if you have a high number of interfaces x VLANs and lldpd is active. This issue is introduced with code changes in Cumulus Linux 3.7.11, where VLAN information is now available for LLDP to advertise to neighbors ([https://docs.cumulusnetworks.com/version/cumulus-linux-37/Layer-2/Link-Layer-Discovery-Protocol/#vlan-dot1-tlv]). You might see high CPU usage even if VLAN (dot1) TLV configuration is disabled.
To check if lldpd is the heavy CPU resource user, run the following command:

cumulus@switch:~$  ps -eo user,pid,ppid,cmd,%mem,%cpu --sort=-%cpu \| head

Alternatively, check for messages in the /var/log/syslog directory similar to:

2020-02-20T15:02:12.137857-05:00 leaf01 sysmonitor: High CPU use: 87%
2020-02-20T15:02:12.482398-05:00 leaf01 sysmonitor:   PID USER      PR    VIRT    RES %CPU %MEM     TIME+ COMMAND
2020-02-20T15:02:12.483112-05:00 leaf01 sysmonitor:  1570 _lldpd    20   73244  13800 76.6  0.3   4:43.06 lldpd

*Note*: The exact amount of CPU usage varies in each network based on a number of factors; however, it is unusual for lldpd to consume more than 30% CPU for an extended period of time.
To work around this issue, you can do one of the following:
* If the large number of VLANs is not absolutely necessary, manually prune the VLAN allowed list (if you use the range 1-2999, modify the bridge-vids list to include the VLANs being used).
* Stop the lldpd service. (This approach might be undesirable if the switch is providing services that rely on LLDP such as Voice VLAN.) To stop the lldpd service (runtime setting), run the sudo systemctl stop lldpd.service command. To disable the lldpd service upon boot, run sudo systemctl disable lldpd.service. | 3.7.11-4.0.1 | 4.1.0-4.4.5| +| [2546131, 2542979](#2546131, 2542979)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546010](#2546010)
| When hal.bcm.per_vlan_router_mac_lookup is set to TRUE in the /etc/cumulus/switchd.conf file, inter-VLAN traffic is forwarded to the CPU when associated VNI interfaces exist. | 3.7.10-3.7.16 | | | [2546003](#2546003)
| On the Delta AG6248C PoE switch, if the PoE priority is set to low on some ports, other ports with a higher priority might have their requests to draw power rejected instead of the lower priority ports being brought down. | 3.7.11 | 3.7.12-3.7.16| | [2545997](#2545997)
| The NCLU command net show interface produces an error if bonds with no members exist.
To work around this issue, remove the empty Bond interfaces from the /etc/network/interfaces file and run sudo ifreload -a. | 3.7.10-3.7.16 | | | [2545971](#2545971)
| The ports.conf file on the Dell S5248F-ON switch does not show port ganging or breakout options. | 3.7.10-3.7.11 | 3.7.12-3.7.16, 4.1.0-4.4.5| -| [2545948](#2545948)
| All Broadcom Trident3 X7 switches contain PCIE firmware, which is programmed by the vendor when the switch is manufactured. The latest version of this firmware (2.6) is incompatible with Cumulus Linux 3.7.11 and earlier, and Cumulus Linux 4.0.
To work around this issue, downgrade the Broadcom ASIC firmware to an earlier version. | 3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5| +| [2545948, 2546356, 2546370, 2546539, 2546711, 2546712, 2546916, 2545172, 2546539](#2545948, 2546356, 2546370, 2546539, 2546711, 2546712, 2546916, 2545172, 2546539)
| All Broadcom Trident3 X7 switches contain PCIE firmware, which is programmed by the vendor when the switch is manufactured. The latest version of this firmware (2.6) is incompatible with Cumulus Linux 3.7.11 and earlier, and Cumulus Linux 4.0.
To work around this issue, downgrade the Broadcom ASIC firmware to an earlier version. | 3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5| | [2545837](#2545837)
| If you use the NCLU commands to configure NTP and run the net add time ntp source command before you run the net add time ntp server iburst command, the /etc/ntp.conf file is misconfigured.
To work around this issue, run the net add time ntp server iburst command before you run the net add time ntp source command. | 3.7.10-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2545699](#2545699)
| On the Celestica Pebble switch, if you use IPv6 routes with mask /65 to /127, the switchd log fills with errors. | 3.7.10-4.0.1 | 4.1.0-4.4.5| | [2545599](#2545599)
| IPv6 table rules might affect forwarding. For example, if you create the following rule in the /etc/cumulus/acl/policy.d/03-sshd.rules file, the rule counter increments but IPv4 SSH traffic might be dropped.

[ip6tables]
-A INPUT -p tcp --dport 22 -j DROP
| 3.7.2-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5| @@ -1680,34 +1680,34 @@ pdfhidden: True | [2544829](#2544829)
| Frames received with a VLAN tag of 0 on an interface configured as a bridge port and forwarded to the CPU for processing might appear tagged with the native VLAN when viewed with tcpdump. | 3.7.8-3.7.16 | | | [2544556](#2544556)
| If you reconfigure an NTP server with NCLU using different trailing options after the IP address (such as iburst), an invalid configuration is added to the /etc/ntp.conf file. For example:

net add time ntp server 1.2.3.4 iburst
net commit
net add time ntp server 1.2.3.4
net commit

If you need to alter existing server configurations, first remove the server, commit, then re-add the server with any trailing options. | 3.7.9-4.1.1 | 4.2.0-4.4.5| | [2544463](#2544463)
| Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | -| [2544456](#2544456)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | +| [2544456, 2546166, 2546167, 2547706, 2549513](#2544456, 2546166, 2546167, 2547706, 2549513)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544311](#2544311)
| Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544155](#2544155)
| NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order.

| 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544113](#2544113)
| Mac learning is not disabled by default on a double tagged peer link interface resulting in the MAC address changing between the MLAG bond and the peer link.
To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the etc/network/interfaces file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544012](#2544012)
| After you remove a subinterface, the BGP session stays in a Connect state. | 3.7.8-3.7.11 | 3.7.12-3.7.16| | [2543900](#2543900)
| On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | | -| [2543841](#2543841)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | +| [2543841, 2544947](#2543841, 2544947)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | | [2543840](#2543840)
| On the Mellanox SN2700 switch, you cannot enable resilient hashing (RASH) and set the bucket size to 64 in the traffic.conf file.

| 3.7.6-3.7.16 | | | [2543816](#2543816)
| On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages.
| 3.7.6-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2543800](#2543800)
| When local-tunnelip is an SVI, the static VXLAN tunnel does not work; the next hop router receives the packet but drops it as it does not know where to forward the packet. The static VXLAN tunnel does works if local-tunnelip is a loopback or a physical layer 3 interface.
| 3.7.8-3.7.16 | 4.0.0-4.4.5| -| [2543792](#2543792)
| On the EdgeCore AS5712, AS6712, AS5812 and AS6812 switch, support for multiple PSU types results in log messages similar to the following:

2019-09-05T05:15:17.246597+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.274521+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
2019-09-05T05:15:17.469556+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.497514+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
| 3.7.9-4.0.1 | 4.1.0-4.4.5| +| [2543792, 2545026](#2543792, 2545026)
| On the EdgeCore AS5712, AS6712, AS5812 and AS6812 switch, support for multiple PSU types results in log messages similar to the following:

2019-09-05T05:15:17.246597+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.274521+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
2019-09-05T05:15:17.469556+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.497514+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
| 3.7.9-4.0.1 | 4.1.0-4.4.5| | [2543648](#2543648)
| You cannot specify a source and destination MAC address in an ERSPAN ebtables rule. For example, the following rule does not work:

-A FORWARD -i swp5 -s 00:25:90:b2:bd:9d -d 50:6b:4b:96:c4:04 -j erspan --src-ip 100.1.1.2 --dst-ip 100.1.1.1 --ttl 64
| 3.7.6-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5| | [2543647](#2543647)
| ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:

-A FORWARD -i vni10 -j erspan --src-ip 100.1.1.2 --dst-ip 100.1.1.1 --ttl 64
| 3.7.6-4.2.1 | 4.3.0-4.4.5| | [2543646](#2543646)
| In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2543627](#2543627)
| Tomahawk 40G DACs cannot disable auto-negotiation. | 3.7.7-3.7.16 | 4.0.0-4.4.5| | [2543472](#2543472)
| On switches with the Spectrum ASIC, the underlay hashes VXLAN packets for a given overlay flow randomly.
To work around this issue, configure the ECMP hash seed to the same value on the EVPN egress leaf switches. | 3.7.7-4.0.1 | 4.1.0-4.4.5| -| [2543270](#2543270)
| The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5| +| [2543270, 2549352](#2543270, 2549352)
| The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5| | [2543211](#2543211)
| In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2543164](#2543164)
| The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2543096](#2543096)
| When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2543058](#2543058)
| The IP neighbor entry for a link-local next hop is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces.
To work around this issue, flap the peering to the peer router (which might be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces. | 3.7.7-3.7.16 | 4.0.0-4.4.5| | [2543052](#2543052)
| Received EVPN type-5 and type-2 MACIP routes are not installed in the kernel (and hardware) routing tables for the associated VRF, which causes traffic to be blackholed. The failure to install the default route causes complete reachability failure for the particular tenant on the affected racks. The routes that are not installed are seen as "inactive" in the routing subsystem (FRR) VRF routing table. This problem is rare and can occur only in EVPN configurations that have user-configured route targets (RTs) for tenant VRFs, and only following a restart of FRR.
To work around this issue, either restart the FRR service on the affected switch with the sudo systemctl restart frr.service command or bounce the layer 3 SVI for the affected VRF; for example:

ifdown vlan123 ; sleep 2 ; ifup vlan123

You can run the net show vrf vni command to print a mapping of VRF : L3-VNI : L3-SVI. | 3.7.5-3.7.16 | 4.0.0-4.4.5| | [2543044](#2543044)
| Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up.
You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up. | 3.7.2-3.7.16 | 4.0.0-4.4.5| -| [2542979](#2542979)
| On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5| +| [2542979, 2546131](#2542979, 2546131)
| On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5| | [2542945](#2542945)
| On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags.
To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad: 

cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2542823](#2542823)
| On the Broadcom Trident 3 switch, VXLAN encapsulated packets are dropped on the ingress port (tagged layer 2 port) during transit forwarding (the local switch does not terminate the VXLAN tunnel). An example of where this two-layer VXLAN inside VXLAN encapsulation might occur:
- VXLAN tunnel (#1) between two servers (different racks) to provide layer 2 extension for containers or VM hosts.
- VXLAN tunnel (#2) between the TOR switch in rack 1 to the TOR switch located in the remote rack.

To work around this issue, either:
- Configure the edge port (facing the servers) to be an access port (instead of a trunk/tagged port)
- Change the destination port from 4789 to something else (VXLAN tunnel terminated by the servers) | 3.7.5-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5| | [2542767](#2542767)
| If the BMC operating system fails to respond to IPMI, you see a traceback in bmcd and all the sensors might report ABSENT devices in smonctl.
To work around this issue, power cycle the switch.
| 3.7.6-4.0.1 | 4.1.0-4.4.5| -| [2542310](#2542310)
| hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6.
| 3.7.6-3.7.16 | | +| [2542310, 2523456](#2542310, 2523456)
| hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6.
| 3.7.6-3.7.16 | | | [2542305](#2542305)
| If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2542301](#2542301)
| When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2541212](#2541212)
| The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | @@ -1721,7 +1721,7 @@ pdfhidden: True | [2540352](#2540352)
| When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a _match interface_ condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9 
net add routing route-map Proxy-ARP permit 30 match interface swp10

| 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2540340](#2540340)
| NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example: 
 
 cumulus@switch:~$ net add vrf mgmt

Tab completion for the net add vrf ip address
command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540274](#2540274)
| On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | -| [2540204](#2540204)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540204, 2713883](#2540204, 2713883)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540192](#2540192)
| The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540155](#2540155)
| On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2540042](#2540042)
| When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example: 
 
cumulus@switch:~$ sudo vtysh 
switch# configure terminal 
switch(config)# interface br0.100 
switch(config-if)# vrrp 1 priority 110 
switch(config-if)# vrrp 1 advertisement-interval 
switch(config-if)# end 
switch# write memory 
switch# exit 
cumulus@switch:~

| 3.7.4-3.7.16, 4.0.0-4.4.5 | | @@ -1740,12 +1740,12 @@ pdfhidden: True | [2538302](#2538302)
| portwd allows an error to change the module type based on the error. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap.
| 3.7.0-3.7.16 | | | [2538294](#2538294)
| If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2538256](#2538256)
| On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets.
| 3.7.2-4.0.1 | 4.1.0-4.4.5| -| [2537819](#2537819)
| When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
| 3.7.2-3.7.16 | 4.0.0-4.4.5| +| [2537819, 2542964](#2537819, 2542964)
| When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
| 3.7.2-3.7.16 | 4.0.0-4.4.5| | [2537699](#2537699)
| There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces: 
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
| 3.7.1-3.7.16, 4.0.0-4.4.5 | | -| [2537544](#2537544)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2537544, 2537365](#2537544, 2537365)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | | [2537378](#2537378)
| NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.
To work around this issue, stop snmpd, remove the cache file, then restart snmpd.
| 3.7.1-3.7.16 | | | [2537188](#2537188)
| When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.
This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network.
| 3.7.2-3.7.16 | | -| [2537104](#2537104)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | 4.0.0-4.4.5| +| [2537104, 2534061](#2537104, 2534061)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | 4.0.0-4.4.5| | [2537061](#2537061)
| The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent.
| 3.7.1-4.0.1 | 4.1.0-4.4.5| | [2536608](#2536608)
| Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI.
| 3.7.0-3.7.16 | | | [2536384](#2536384)
| The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | @@ -1775,7 +1775,7 @@ pdfhidden: True | [2544815](#2544815)
| If a router MAC address changes on a VTEP, other VTEPs might still point to the previous router MAC address. | 3.7.10 | | | [2544723](#2544723)
| Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 | | | [2544624](#2544624)
| VXLAN encapsulated ICMP packets hit the catchall EFP policer instead of the ICMP policer and you might experience partial packet loss.
| 3.7.9-3.7.10, 4.0.0-4.0.1 | | -| [2544609](#2544609)
| BGP is configured with soft reconfiguration-in for its peers, which is not working correctly and causes routes to have an unexpected label. As a result, transit traffic is not forwarded by the switch. | 3.7.7-3.7.10 | | +| [2544609, 2550042](#2544609, 2550042)
| BGP is configured with soft reconfiguration-in for its peers, which is not working correctly and causes routes to have an unexpected label. As a result, transit traffic is not forwarded by the switch. | 3.7.7-3.7.10 | | | [2544559](#2544559)
| When you install a large number of new rules with nonatomic mode enabled, there is a chance that you install more rules than the number of available slots in the slice, which results in the slice being completely wiped and reinstalled. This causes a large drop increase, including to cpu0, and might cause a major outage by dropping all BGP sessions. | 3.7.8-3.7.10 | | | [2544385](#2544385)
| The QCT QuantaMesh BMS T7032-IX7 switch may report "failed to request GPIO pin" errors during the boot up. | 3.7.5-3.7.10 | | | [2544328](#2544328)
| When an MLAG peerlink frequently alternates states between learning and blocking, an excessive number of TCP sessions might be created, which results in the following error display:

OSError: [Errno 24] Too many open files
| 4.0.0-4.0.1 | | @@ -1798,23 +1798,23 @@ pdfhidden: True | [2543113](#2543113)
| NCLU restarts FRR when attempting to remove a BGP VRF stanza. This happens regardless of whether the VRF is valid/configured elsewhere on the switch or the removal is successful. To work around this issue, remove the stanza using vtysh.
| 3.7.3-3.7.10 | | | [2542958](#2542958)
| When transitioning from a down state to an up state due to peerlink failure and recovery, MLAG does not start the initDelay timer before trying to bring everything back up. | 3.7.7-3.7.10 | | | [2542913](#2542913)
| IF-MIB::ifHCInOctets reports significantly lower values than reported by interface counters seen elsewhere. | 3.7.6-3.7.10 | | -| [2542871](#2542871)
| After you issue the NCLU net del bgp vrf autonomous-system command and commit the change, Cumulus Linux does not remove the configuration from the /etc/frr/frr.conf file or the net show config commands.
| 3.7.3-3.7.10, 4.0.0-4.0.1 | | +| [2542871, 2542901, 2542901](#2542871, 2542901, 2542901)
| After you issue the NCLU net del bgp vrf autonomous-system command and commit the change, Cumulus Linux does not remove the configuration from the /etc/frr/frr.conf file or the net show config commands.
| 3.7.3-3.7.10, 4.0.0-4.0.1 | | | [2542835](#2542835)
| snmpd fails because NCLU does not remove agentaddress @vrf lines when running the net add snmp-server listening-address all command. | 3.7.4-3.7.10 | | | [2542765](#2542765)
| When you configure the switch to send an EAP request with the net add dot1x send-eap-request-id command, the switch ignores re-authentication attempts and does not send back an EAPol.
| 3.7.6-3.7.10 | | | [2542509](#2542509)
| In EVPN symmetric or centralized configurations with BGP peering over a peer link, VXLAN routed packets transiting an MLAG peer are dropped until the clagd init-delay timer expires during the bring-up sequence following a reboot.
The problem is caused by a race condition when programming the anycast IP address (used to terminate VXLAN tunnels), where the hardware is programmed before the software by clagd.
To work around this issue, configure the BGP path across the peer link to be less preferred. The example below uses AS path prepending and the MLAG switches are iBGP neighbors. However, other BGP configurations achieve the same result.
In the /etc/frr/frr.conf file, make a new AS path access list and route map to apply BGP pre-pending of the local ASN one or more times. For example: 
 
ip as-path access-list MY_ASN permit ^$ 

route-map peerlink-add-asn permit 10 
match as-path MY_ASN 
set as-path prepend 4200000101 
route-map peerlink-add-asn permit 20
| 3.7.6-3.7.10, 4.0.0-4.0.1 | | | [2542384](#2542384)
| When you define a trap destination using @mgmt, snmpd indicates that the network is unreachable even though the IP address is reachable in the management VRF.
To work around this issue, remove @mgmt vrf references in the /etc/snmp/snmpd.conf file, stop snmpd, then start snmpd manually in the management VRF with the systemctl start snmpd@mgmt command.
| 3.7.6-3.7.10 | | | [2542248](#2542248)
| When you generate a cl-support file, clagd.service prints log messages similar to the following: 
 
 019-03-21T07:18:15.727581+00:00 leaf01 clagd[20912]: DumpThreadStacks - start 
 2019-03-21T07:18:15.728157+00:00 leaf01 clagd[20912]: #012thread: CollectSysInfo (140608446367488) 
 2019-03-21T07:18:15.735986+00:00 leaf01 clagd[20912]: file: /usr/lib/python2.7/threading.py, line 783, in __bootstrap 
 2019-03-21T07:18:15.736585+00:00 leaf01 clagd[20912]: file: /usr/lib/python2.7/threading.py, line 810, in __bootstrap_inner 
 2019-03-21T07:18:15.737045+00:00 leaf01 clagd[20912]: file: /usr/lib/python2.7/threading.py, line 763, in run 
 2019-03-21T07:18:15.737933+00:00 leaf01 clagd[20912]: file: /usr/sbin/clagd, line 930, in CollectSysInfoT 
 2019-03-21T07:18:15.739527+00:00 leaf01 clagd[20912]: file: /usr/sbin/clagd, line 187, in CollectSysInfo 
 2019-03-21T07:18:15.740540+00:00 leaf01 clagd[20912]: file: /usr/lib/python2.7/threading.py, line 621, in wait 
 2019-03-21T07:18:15.742293+00:00 leaf01 clagd[20912]: file: /usr/lib/python2.7/dist-packages/clag/clagthread.py, line 48, in wait 
 . 
 . 
 2019-03-21T07:18:16.456061+00:00 leaf01 clagd[20912]: DumpThreadStacks - end

| 3.7.6-3.7.10 | | -| [2542100](#2542100)
| On the EdgeCore AS7816 switch, PCIE errors cause switchd startup to fail. | 3.7.9-3.7.10 | | +| [2542100, 2544399](#2542100, 2544399)
| On the EdgeCore AS7816 switch, PCIE errors cause switchd startup to fail. | 3.7.9-3.7.10 | | | [2537536](#2537536)
| When FRR restarts, snmp[err] dev/kmem: Permission denied error messages are recorded in the log file and SNMPd might crash periodically. | 3.7.5-3.7.10 | | | [2536639](#2536639)
| On a Dell S4048 switch, when you set the eth0 speed to 100, either with NCLU or by editing the /etc/network/interfaces file, the igb driver crashes, which brings down eth0.
To work around this issue:
* If eth0 is configured in the management VRF, power cycle the switch; the eth0 configuration fails and reverts back to the default (auto-negotiation/1000).
* If eth0 is configured in the default VRF and you power cycle after the crash, igb continues to crash on boot up (before getting to login prompt); power-cycle the switch, select the Advanced option in GRUB to boot to recovery mode, then modify the /etc/network/interfaces file. | 3.7.0-3.7.10 | | | [2536559](#2536559)
| When deleting an interface using NCLU, if the /etc/network/interfaces alias is different than the /etc/frr/frr.conf description, the net commit command returns the following error: 

 /etc/frr/daemons was modified by another user.

Despite this error, the change is made and the description is removed from the frr.conf file. | 3.7.3-3.7.10 | | -| [2536230](#2536230)
| On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature.
In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. | 3.7.3-3.7.10, 4.0.0-4.0.1 | | +| [2536230, 2545399](#2536230, 2545399)
| On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature.
In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. | 3.7.3-3.7.10, 4.0.0-4.0.1 | | | [2535209](#2535209)
| The net show lldp command sometimes shows the port description in the Remote Port field. The net show interface command shows the correct value in the Remote Host field.
To work around this issue, use net show interface command for LLDP output when connected to Cisco equipment. | 3.7.5-3.7.10, 4.0.0-4.4.5 | | | [2534450](#2534450)
| The default BGP instance must be provisioned and always exist for proper operation of dynamic leaking of routes between VRFs. | 3.7.0-3.7.10 | | | [2534040](#2534040)
| On Trident2 switches running 802.3x regular link pause, pause frames are accounted in HwIfInDiscards counters and are dropped instead of processed. | | | | [2532592](#2532592)
| On the Mellanox SN-2100 switch, unicast packets are counted in multicast queue counters. | | | -| [2528990](#2528990)
| During a link flap test, you might occasionally see a message similar to: warning: swp6: netlink: cannot set link swp6 down: [Errno 98] Address already in use. | 3.7.6-3.7.10 | | -| [2526985](#2526985)
| When you try to remove a VNI from a bridge using a regex match, the VNI is added back when you run the ifreload -a command. | | | +| [2528990, 2523824, 2523824, 2542431](#2528990, 2523824, 2523824, 2542431)
| During a link flap test, you might occasionally see a message similar to: warning: swp6: netlink: cannot set link swp6 down: [Errno 98] Address already in use. | 3.7.6-3.7.10 | | +| [2526985, 2528127](#2526985, 2528127)
| When you try to remove a VNI from a bridge using a regex match, the VNI is added back when you run the ifreload -a command. | | | ## 3.7.10 Release Notes ### Open Issues in 3.7.10 @@ -1838,7 +1838,7 @@ pdfhidden: True | [2556037](#2556037)
| After you add an interface to the bridge, an OSPF session flap might occur
| 3.7.9-4.2.0 | 4.2.1-4.4.5| | [2556019](#2556019)
| After you add an interface to a bridge using the NCLU net add bridge bridge ports command, the bridge can go down and its MAC address changes
To work around this issue, use Linux commands to add an interface to a bridge. | 3.7.9-3.7.13 | 3.7.14-3.7.16| | [2553887](#2553887)
| When using TACACS+ configured with a DEFAULT user providing privilege level lower than 16, TACACS+ configured users with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del and see an error similar to the following:

ERROR: You do not have permission to execute that command.

To work around this issue, remove the DEFAULT user from the TACACS+ server. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | -| [2553530](#2553530)
| In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated.
To work around this issue, restart FRR with the sudo systemctl restart frr.service command.

| 3.7.10-4.2.1 | 4.3.0-4.4.5| +| [2553530, 2553349](#2553530, 2553349)
| In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated.
To work around this issue, restart FRR with the sudo systemctl restart frr.service command.

| 3.7.10-4.2.1 | 4.3.0-4.4.5| | [2553015](#2553015)
| If a neighbour contains a special character in PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail. | 3.7.10-3.7.16, 4.2.0-4.4.5 | | | [2552739](#2552739)
| Counters for IPROUTER rules do not increase when traffic is forwarded to the CPU because there is no IP neighbor. | 3.7.2-3.7.16 | | | [2552647](#2552647)
| When you add a member to a bond that has a subinterface configured (such as peerlink.4094), the new member is assigned only the VLAN of the subinterface for forwarding.
To work around this issue, bounce the bond or shutdown the new interface and use the remaining members over the bond. | 3.7.10-4.2.0 | 4.2.1-4.4.5| @@ -1851,7 +1851,7 @@ pdfhidden: True | [2550350](#2550350)
| Unicast traffic from downlink hosts is flooded to multiple remote VTEPs, which might also cause high HwIfOutQDrops/TX_DRP on the uplink ports.
To work around this issue, restart switchd. | 3.7.10-4.1.1 | 4.2.0-4.4.5| | [2550323](#2550323)
| After a neighbor is removed, the redistributed neighbor entry is withdrawn from the BGP table, but the prefix might still be selected as the bestpath when the host's originated prefix is not advertised.
To work around this issue, recreate the neighbor entry and flap the interface to the host.
Or, if the host is already down, manually create a neighbor entry with an invalid MAC address, which forces redistribute neighbor to re-withdraw the entry. | 3.7.3-3.7.16 | 4.0.0-4.4.5| | [2549676](#2549676)
| After you add or remove a bridge VLAN identifier (VID) on a trunk port, the layer 2 VNI is put into VLAN 1.
To work around this issue, revert the configuration change. | 3.7.10-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5| -| [2548585](#2548585)
| After you flap an MLAG peerlink, a rare condition might occur where routes and neighbors for VXLAN-enabled VLANs are misprogrammed as non-VXLAN routes and neighbors due to VNI state transitions. This results in a forwarding failure for traffic destined to these misprogrammed routes and neighbors.
*Note*: Do not flap a VNI interface manually. The only expected time for a VNI interface to go down is when the MLAG secondary switch brings the VNIs protodown during a peer link failure where the backup IP address is still active.
To recover from this condition, restart switchd with the sudo systemctl restart switchd command. | 3.7.10-3.7.12, 4.1.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5| +| [2548585, 2549256](#2548585, 2549256)
| After you flap an MLAG peerlink, a rare condition might occur where routes and neighbors for VXLAN-enabled VLANs are misprogrammed as non-VXLAN routes and neighbors due to VNI state transitions. This results in a forwarding failure for traffic destined to these misprogrammed routes and neighbors.
*Note*: Do not flap a VNI interface manually. The only expected time for a VNI interface to go down is when the MLAG secondary switch brings the VNIs protodown during a peer link failure where the backup IP address is still active.
To recover from this condition, restart switchd with the sudo systemctl restart switchd command. | 3.7.10-3.7.12, 4.1.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5| | [2548475](#2548475)
| After you add a new VNI and a layer 3 SVI to a set of leafs, certain leafs might not be able to communicate on the layer 3 VNI.
To work around this issue, reboot the leaf switch or restart switchd. | 3.7.6-3.7.16 | 4.0.0-4.4.5| | [2548382](#2548382)
| The QuantaMesh BMS T3048-LY8 switch shows a low fan RPM in syslog. | 3.7.5-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5| | [2548243](#2548243)
| On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules. | 3.7.3-3.7.16, 4.0.0-4.4.5 | | @@ -1868,7 +1868,7 @@ pdfhidden: True | [2547012](#2547012)
| On the Mellanox Spectrum switch, switchd can sometimes fail when PBR rules are installed or removed from hardware if the rule is setting a next hop learned via a routing protocol. | 3.7.7-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5| | [2546998](#2546998)
| When you configure Cumulus Linux with a /32 address on a switch port with a configured peer address (for example, to connect to a device using IP unnumbered), the switch sends GARPs for the peer address. | 3.7.5-3.7.11 | 3.7.12-3.7.16, 4.1.0-4.4.5| | [2546984](#2546984)
| On the EdgeCore AS7326-56X switch, the PSU fans show constant LOW warnings. | 3.7.10-3.7.12, 4.0.0-4.2.0 | 3.7.13-3.7.16, 4.2.1-4.4.5| -| [2546950](#2546950)
| switchd crashes when dynamic VRF route leaking is enabled and the following is true:
* The default route is leaked from VRF1 to VRF2
* Hardware-based dynamic VRF route leaking is configured (vrf_route_leak_enable_dynamic is set to TRUE in the /etc/cumulus/switchd.conf file).
You might see logs similar to the following in /var/log/syslog:

kernel: [159400.526241] switchd[21374]: segfault at 1229cdd84 ip 00000000004142ca sp 00007ffd557a86d0 error 4 in switchd[400000+71000]

To work around this issue, use a route map to filter the default route (the source VRF is imported into the destination VRF). | 3.7.10-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5| +| [2546950, 2548887](#2546950, 2548887)
| switchd crashes when dynamic VRF route leaking is enabled and the following is true:
* The default route is leaked from VRF1 to VRF2
* Hardware-based dynamic VRF route leaking is configured (vrf_route_leak_enable_dynamic is set to TRUE in the /etc/cumulus/switchd.conf file).
You might see logs similar to the following in /var/log/syslog:

kernel: [159400.526241] switchd[21374]: segfault at 1229cdd84 ip 00000000004142ca sp 00007ffd557a86d0 error 4 in switchd[400000+71000]

To work around this issue, use a route map to filter the default route (the source VRF is imported into the destination VRF). | 3.7.10-3.7.12, 4.0.0-4.1.1 | 3.7.13-3.7.16, 4.2.0-4.4.5| | [2546868](#2546868)
| Broadcom Field Alert - SID - MMU 2B Errors
A few of the MMU memories on Broadcom switches are grouped together with single parity control. During SER correction when a parity error occurs on one of those groups, other memory in that group might also report a SER error. This occurs when the memory is accessed either by a packet hit or through a schan operation. This issue can cause SER errors in other memory and cause traffic mis-forwarding or a packet drop. | 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5| | [2546702](#2546702)
| The FRR cl-support module times out on switches on the ARM platform even when the switch is not under heavy load.
To work around this issue, run the cl-support -M command to disable timeouts. | 3.7.0-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5| | [2546577](#2546577)
| A traditional bridge with QinQ and a VNI does not work for tagged traffic. | 3.7.10-4.0.1 | 4.1.0-4.4.5| @@ -1911,11 +1911,11 @@ pdfhidden: True | [2544815](#2544815)
| If a router MAC address changes on a VTEP, other VTEPs might still point to the previous router MAC address. | 3.7.10-3.7.16 | 4.0.0-4.4.5| | [2544723](#2544723)
| Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2544624](#2544624)
| VXLAN encapsulated ICMP packets hit the catchall EFP policer instead of the ICMP policer and you might experience partial packet loss.
| 3.7.9-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| -| [2544609](#2544609)
| BGP is configured with soft reconfiguration-in for its peers, which is not working correctly and causes routes to have an unexpected label. As a result, transit traffic is not forwarded by the switch. | 3.7.7-3.7.16 | 4.0.0-4.4.5| +| [2544609, 2550042](#2544609, 2550042)
| BGP is configured with soft reconfiguration-in for its peers, which is not working correctly and causes routes to have an unexpected label. As a result, transit traffic is not forwarded by the switch. | 3.7.7-3.7.16 | 4.0.0-4.4.5| | [2544559](#2544559)
| When you install a large number of new rules with nonatomic mode enabled, there is a chance that you install more rules than the number of available slots in the slice, which results in the slice being completely wiped and reinstalled. This causes a large drop increase, including to cpu0, and might cause a major outage by dropping all BGP sessions. | 3.7.8-3.7.16 | 4.0.0-4.4.5| | [2544556](#2544556)
| If you reconfigure an NTP server with NCLU using different trailing options after the IP address (such as iburst), an invalid configuration is added to the /etc/ntp.conf file. For example:

net add time ntp server 1.2.3.4 iburst
net commit
net add time ntp server 1.2.3.4
net commit

If you need to alter existing server configurations, first remove the server, commit, then re-add the server with any trailing options. | 3.7.9-4.1.1 | 4.2.0-4.4.5| | [2544463](#2544463)
| Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | -| [2544456](#2544456)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | +| [2544456, 2546166, 2546167, 2547706, 2549513](#2544456, 2546166, 2546167, 2547706, 2549513)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544385](#2544385)
| The QCT QuantaMesh BMS T7032-IX7 switch may report "failed to request GPIO pin" errors during the boot up. | 3.7.5-3.7.10 | 3.7.11-3.7.16| | [2544311](#2544311)
| Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544212](#2544212)
| Cumulus Linux poed generates excessive debug log entries. These will be reduced in a future release. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| @@ -1928,11 +1928,11 @@ pdfhidden: True | [2543937](#2543937)
| An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause a FRR reload to time out.
To work around this issue, remove the interface alias description from iproute2. | 3.7.8-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543900](#2543900)
| On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | | | [2543875](#2543875)
| On the Mellanox Spectrum switch, a route withdrawal might cause the associated next hop neighbor entry to be deleted in hardware but remain in the kernel. This can cause traffic going through the directly connected route to the removed neighbor entry to be forwarded to the CPU. | 3.7.6-3.7.16 | 4.0.0-4.4.5| -| [2543841](#2543841)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | +| [2543841, 2544947](#2543841, 2544947)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | | [2543840](#2543840)
| On the Mellanox SN2700 switch, you cannot enable resilient hashing (RASH) and set the bucket size to 64 in the traffic.conf file.

| 3.7.6-3.7.16 | | | [2543816](#2543816)
| On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages.
| 3.7.6-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2543800](#2543800)
| When local-tunnelip is an SVI, the static VXLAN tunnel does not work; the next hop router receives the packet but drops it as it does not know where to forward the packet. The static VXLAN tunnel does works if local-tunnelip is a loopback or a physical layer 3 interface.
| 3.7.8-3.7.16 | 4.0.0-4.4.5| -| [2543792](#2543792)
| On the EdgeCore AS5712, AS6712, AS5812 and AS6812 switch, support for multiple PSU types results in log messages similar to the following:

2019-09-05T05:15:17.246597+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.274521+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
2019-09-05T05:15:17.469556+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.497514+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
| 3.7.9-4.0.1 | 4.1.0-4.4.5| +| [2543792, 2545026](#2543792, 2545026)
| On the EdgeCore AS5712, AS6712, AS5812 and AS6812 switch, support for multiple PSU types results in log messages similar to the following:

2019-09-05T05:15:17.246597+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.274521+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
2019-09-05T05:15:17.469556+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.497514+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
| 3.7.9-4.0.1 | 4.1.0-4.4.5| | [2543781](#2543781)
| NCLU does not allow you to configure OSPF NSSAs. For example: 

cumulus@switch:~$ net add ospf area 0.0.0.1 nssa 
ERROR: Command not found. 
net add ospf area 0.0.0.1 nssa

To work around this issue, use FRR instead. For example: 

switch# configure terminal 
switch(config)# router ospf 
switch(config-router)# area 0.0.0.1 nssa
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543727](#2543727)
| ACL rules, such as the following, fail to install if you use swp+ (interfaces mentioned as wildcards).

-A FORWARD -i swp+ -j LOG
-A FORWARD -i swp+ -j DROP

You can now install such rules with swp+. | 3.7.3-3.7.16 | 4.0.0-4.4.5| | [2543724](#2543724)
| If a hostname contains utf-8 characters, the NCLU net show lldp command outputs the following error: 

ERROR: 'ascii' codec can't encode character u'\xe9' in position 3: ordinal not in range(128) 
See /var/log/netd.log for more details.
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| @@ -1948,7 +1948,7 @@ pdfhidden: True | [2543472](#2543472)
| On switches with the Spectrum ASIC, the underlay hashes VXLAN packets for a given overlay flow randomly.
To work around this issue, configure the ECMP hash seed to the same value on the EVPN egress leaf switches. | 3.7.7-4.0.1 | 4.1.0-4.4.5| | [2543374](#2543374)
| After a remote VTEP peer link goes down, the tunnel destination IP address might be incorrect in hardware, which might cause loss of overlay communication between VTEPs. | 3.7.8-3.7.16 | 4.0.0-4.4.5| | [2543325](#2543325)
| Lenovo switches do not send or receive LLDP on eth0 interfaces. | 3.7.7-3.7.16 | 4.0.0-4.4.5| -| [2543270](#2543270)
| The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5| +| [2543270, 2549352](#2543270, 2549352)
| The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5| | [2543211](#2543211)
| In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2543164](#2543164)
| The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2543113](#2543113)
| NCLU restarts FRR when attempting to remove a BGP VRF stanza. This happens regardless of whether the VRF is valid/configured elsewhere on the switch or the removal is successful. To work around this issue, remove the stanza using vtysh.
| 3.7.3-3.7.16 | 4.0.0-4.4.5| @@ -1956,22 +1956,22 @@ pdfhidden: True | [2543058](#2543058)
| The IP neighbor entry for a link-local next hop is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces.
To work around this issue, flap the peering to the peer router (which might be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces. | 3.7.7-3.7.16 | 4.0.0-4.4.5| | [2543052](#2543052)
| Received EVPN type-5 and type-2 MACIP routes are not installed in the kernel (and hardware) routing tables for the associated VRF, which causes traffic to be blackholed. The failure to install the default route causes complete reachability failure for the particular tenant on the affected racks. The routes that are not installed are seen as "inactive" in the routing subsystem (FRR) VRF routing table. This problem is rare and can occur only in EVPN configurations that have user-configured route targets (RTs) for tenant VRFs, and only following a restart of FRR.
To work around this issue, either restart the FRR service on the affected switch with the sudo systemctl restart frr.service command or bounce the layer 3 SVI for the affected VRF; for example:

ifdown vlan123 ; sleep 2 ; ifup vlan123

You can run the net show vrf vni command to print a mapping of VRF : L3-VNI : L3-SVI. | 3.7.5-3.7.16 | 4.0.0-4.4.5| | [2543044](#2543044)
| Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up.
You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up. | 3.7.2-3.7.16 | 4.0.0-4.4.5| -| [2542979](#2542979)
| On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5| +| [2542979, 2546131](#2542979, 2546131)
| On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5| | [2542958](#2542958)
| When transitioning from a down state to an up state due to peerlink failure and recovery, MLAG does not start the initDelay timer before trying to bring everything back up. | 3.7.7-3.7.16 | 4.0.0-4.4.5| | [2542945](#2542945)
| On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags.
To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad: 

cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2542913](#2542913)
| IF-MIB::ifHCInOctets reports significantly lower values than reported by interface counters seen elsewhere. | 3.7.6-3.7.16 | 4.0.0-4.4.5| -| [2542871](#2542871)
| After you issue the NCLU net del bgp vrf autonomous-system command and commit the change, Cumulus Linux does not remove the configuration from the /etc/frr/frr.conf file or the net show config commands.
| 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| +| [2542871, 2542901, 2542901](#2542871, 2542901, 2542901)
| After you issue the NCLU net del bgp vrf autonomous-system command and commit the change, Cumulus Linux does not remove the configuration from the /etc/frr/frr.conf file or the net show config commands.
| 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| | [2542835](#2542835)
| snmpd fails because NCLU does not remove agentaddress @vrf lines when running the net add snmp-server listening-address all command. | 3.7.4-3.7.16 | 4.0.0-4.4.5| | [2542823](#2542823)
| On the Broadcom Trident 3 switch, VXLAN encapsulated packets are dropped on the ingress port (tagged layer 2 port) during transit forwarding (the local switch does not terminate the VXLAN tunnel). An example of where this two-layer VXLAN inside VXLAN encapsulation might occur:
- VXLAN tunnel (#1) between two servers (different racks) to provide layer 2 extension for containers or VM hosts.
- VXLAN tunnel (#2) between the TOR switch in rack 1 to the TOR switch located in the remote rack.

To work around this issue, either:
- Configure the edge port (facing the servers) to be an access port (instead of a trunk/tagged port)
- Change the destination port from 4789 to something else (VXLAN tunnel terminated by the servers) | 3.7.5-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5| | [2542767](#2542767)
| If the BMC operating system fails to respond to IPMI, you see a traceback in bmcd and all the sensors might report ABSENT devices in smonctl.
To work around this issue, power cycle the switch.
| 3.7.6-4.0.1 | 4.1.0-4.4.5| | [2542765](#2542765)
| When you configure the switch to send an EAP request with the net add dot1x send-eap-request-id command, the switch ignores re-authentication attempts and does not send back an EAPol.
| 3.7.6-3.7.10 | 3.7.11-3.7.16| | [2542509](#2542509)
| In EVPN symmetric or centralized configurations with BGP peering over a peer link, VXLAN routed packets transiting an MLAG peer are dropped until the clagd init-delay timer expires during the bring-up sequence following a reboot.
The problem is caused by a race condition when programming the anycast IP address (used to terminate VXLAN tunnels), where the hardware is programmed before the software by clagd.
To work around this issue, configure the BGP path across the peer link to be less preferred. The example below uses AS path prepending and the MLAG switches are iBGP neighbors. However, other BGP configurations achieve the same result.
In the /etc/frr/frr.conf file, make a new AS path access list and route map to apply BGP pre-pending of the local ASN one or more times. For example: 
 
ip as-path access-list MY_ASN permit ^$ 

route-map peerlink-add-asn permit 10 
match as-path MY_ASN 
set as-path prepend 4200000101 
route-map peerlink-add-asn permit 20
| 3.7.6-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| | [2542384](#2542384)
| When you define a trap destination using @mgmt, snmpd indicates that the network is unreachable even though the IP address is reachable in the management VRF.
To work around this issue, remove @mgmt vrf references in the /etc/snmp/snmpd.conf file, stop snmpd, then start snmpd manually in the management VRF with the systemctl start snmpd@mgmt command.
| 3.7.6-3.7.16 | 4.0.0-4.4.5| -| [2542310](#2542310)
| hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6.
| 3.7.6-3.7.16 | | +| [2542310, 2523456](#2542310, 2523456)
| hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6.
| 3.7.6-3.7.16 | | | [2542305](#2542305)
| If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2542301](#2542301)
| When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2542248](#2542248)
| When you generate a cl-support file, clagd.service prints log messages similar to the following: 
 
 019-03-21T07:18:15.727581+00:00 leaf01 clagd[20912]: DumpThreadStacks - start 
 2019-03-21T07:18:15.728157+00:00 leaf01 clagd[20912]: #012thread: CollectSysInfo (140608446367488) 
 2019-03-21T07:18:15.735986+00:00 leaf01 clagd[20912]: file: /usr/lib/python2.7/threading.py, line 783, in __bootstrap 
 2019-03-21T07:18:15.736585+00:00 leaf01 clagd[20912]: file: /usr/lib/python2.7/threading.py, line 810, in __bootstrap_inner 
 2019-03-21T07:18:15.737045+00:00 leaf01 clagd[20912]: file: /usr/lib/python2.7/threading.py, line 763, in run 
 2019-03-21T07:18:15.737933+00:00 leaf01 clagd[20912]: file: /usr/sbin/clagd, line 930, in CollectSysInfoT 
 2019-03-21T07:18:15.739527+00:00 leaf01 clagd[20912]: file: /usr/sbin/clagd, line 187, in CollectSysInfo 
 2019-03-21T07:18:15.740540+00:00 leaf01 clagd[20912]: file: /usr/lib/python2.7/threading.py, line 621, in wait 
 2019-03-21T07:18:15.742293+00:00 leaf01 clagd[20912]: file: /usr/lib/python2.7/dist-packages/clag/clagthread.py, line 48, in wait 
 . 
 . 
 2019-03-21T07:18:16.456061+00:00 leaf01 clagd[20912]: DumpThreadStacks - end

| 3.7.6-3.7.16 | 4.0.0-4.4.5| -| [2542100](#2542100)
| On the EdgeCore AS7816 switch, PCIE errors cause switchd startup to fail. | 3.7.9-3.7.16 | 4.0.0-4.4.5| +| [2542100, 2544399](#2542100, 2544399)
| On the EdgeCore AS7816 switch, PCIE errors cause switchd startup to fail. | 3.7.9-3.7.16 | 4.0.0-4.4.5| | [2541212](#2541212)
| The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2541165](#2541165)
| On the Dell N3048EP-ON switch, UPOE is supported only on ports 1 thru 12. (UPOE uses all four pairs of standard Ethernet cabling whereas PoE delivers power over two twisted pairs.) When you plug a UPOE device in a port higher than port 12, poectl reports that four_pair_mode_enabled is true. However, this configuration is not supported on the port so poectl should report that four_pair_mode_enabled is false.
| 3.7.6-3.7.16 | | | [2541029](#2541029)
| On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped.
This issue only affects QinQ configurations.
| 3.7.5-3.7.16, 4.0.0-4.4.5 | | @@ -1983,7 +1983,7 @@ pdfhidden: True | [2540352](#2540352)
| When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a _match interface_ condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9 
net add routing route-map Proxy-ARP permit 30 match interface swp10

| 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2540340](#2540340)
| NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example: 
 
 cumulus@switch:~$ net add vrf mgmt

Tab completion for the net add vrf ip address
command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540274](#2540274)
| On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | -| [2540204](#2540204)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540204, 2713883](#2540204, 2713883)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540192](#2540192)
| The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540155](#2540155)
| On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2540042](#2540042)
| When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example: 
 
cumulus@switch:~$ sudo vtysh 
switch# configure terminal 
switch(config)# interface br0.100 
switch(config-if)# vrrp 1 priority 110 
switch(config-if)# vrrp 1 advertisement-interval 
switch(config-if)# end 
switch# write memory 
switch# exit 
cumulus@switch:~

| 3.7.4-3.7.16, 4.0.0-4.4.5 | | @@ -2002,25 +2002,25 @@ pdfhidden: True | [2538302](#2538302)
| portwd allows an error to change the module type based on the error. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap.
| 3.7.0-3.7.16 | | | [2538294](#2538294)
| If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2538256](#2538256)
| On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets.
| 3.7.2-4.0.1 | 4.1.0-4.4.5| -| [2537819](#2537819)
| When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
| 3.7.2-3.7.16 | 4.0.0-4.4.5| +| [2537819, 2542964](#2537819, 2542964)
| When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
| 3.7.2-3.7.16 | 4.0.0-4.4.5| | [2537699](#2537699)
| There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces: 
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
| 3.7.1-3.7.16, 4.0.0-4.4.5 | | -| [2537544](#2537544)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2537544, 2537365](#2537544, 2537365)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | | [2537536](#2537536)
| When FRR restarts, snmp[err] dev/kmem: Permission denied error messages are recorded in the log file and SNMPd might crash periodically. | 3.7.5-3.7.16 | 4.0.0-4.4.5| | [2537378](#2537378)
| NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.
To work around this issue, stop snmpd, remove the cache file, then restart snmpd.
| 3.7.1-3.7.16 | | | [2537188](#2537188)
| When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.
This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network.
| 3.7.2-3.7.16 | | -| [2537104](#2537104)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | 4.0.0-4.4.5| +| [2537104, 2534061](#2537104, 2534061)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | 4.0.0-4.4.5| | [2537061](#2537061)
| The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent.
| 3.7.1-4.0.1 | 4.1.0-4.4.5| | [2536639](#2536639)
| On a Dell S4048 switch, when you set the eth0 speed to 100, either with NCLU or by editing the /etc/network/interfaces file, the igb driver crashes, which brings down eth0.
To work around this issue:
* If eth0 is configured in the management VRF, power cycle the switch; the eth0 configuration fails and reverts back to the default (auto-negotiation/1000).
* If eth0 is configured in the default VRF and you power cycle after the crash, igb continues to crash on boot up (before getting to login prompt); power-cycle the switch, select the Advanced option in GRUB to boot to recovery mode, then modify the /etc/network/interfaces file. | 3.7.0-3.7.16 | 4.0.0-4.4.5| | [2536608](#2536608)
| Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI.
| 3.7.0-3.7.16 | | | [2536559](#2536559)
| When deleting an interface using NCLU, if the /etc/network/interfaces alias is different than the /etc/frr/frr.conf description, the net commit command returns the following error: 

 /etc/frr/daemons was modified by another user.

Despite this error, the change is made and the description is removed from the frr.conf file. | 3.7.3-3.7.10 | 3.7.11-3.7.16| | [2536384](#2536384)
| The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | -| [2536230](#2536230)
| On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature.
In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| +| [2536230, 2545399](#2536230, 2545399)
| On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature.
In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| | [2536179](#2536179)
| On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2535986](#2535986)
| At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.
When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2535965](#2535965)
| On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly.
To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2535209](#2535209)
| The net show lldp command sometimes shows the port description in the Remote Port field. The net show interface command shows the correct value in the Remote Host field.
To work around this issue, use net show interface command for LLDP output when connected to Cisco equipment. | 3.7.5-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2534450](#2534450)
| The default BGP instance must be provisioned and always exist for proper operation of dynamic leaking of routes between VRFs. | 3.7.0-3.7.16 | 4.0.0-4.4.5| -| [2528990](#2528990)
| During a link flap test, you might occasionally see a message similar to: warning: swp6: netlink: cannot set link swp6 down: [Errno 98] Address already in use. | 3.7.6-3.7.10 | 3.7.11-3.7.16| +| [2528990, 2523824, 2523824, 2542431](#2528990, 2523824, 2523824, 2542431)
| During a link flap test, you might occasionally see a message similar to: warning: swp6: netlink: cannot set link swp6 down: [Errno 98] Address already in use. | 3.7.6-3.7.10 | 3.7.11-3.7.16| ### Fixed Issues in 3.7.10 | Issue ID | Description | Affects | @@ -2087,11 +2087,11 @@ pdfhidden: True | [2544829](#2544829)
| Frames received with a VLAN tag of 0 on an interface configured as a bridge port and forwarded to the CPU for processing might appear tagged with the native VLAN when viewed with tcpdump. | 3.7.8-3.7.16 | | | [2544723](#2544723)
| Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2544624](#2544624)
| VXLAN encapsulated ICMP packets hit the catchall EFP policer instead of the ICMP policer and you might experience partial packet loss.
| 3.7.9-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| -| [2544609](#2544609)
| BGP is configured with soft reconfiguration-in for its peers, which is not working correctly and causes routes to have an unexpected label. As a result, transit traffic is not forwarded by the switch. | 3.7.7-3.7.16 | 4.0.0-4.4.5| +| [2544609, 2550042](#2544609, 2550042)
| BGP is configured with soft reconfiguration-in for its peers, which is not working correctly and causes routes to have an unexpected label. As a result, transit traffic is not forwarded by the switch. | 3.7.7-3.7.16 | 4.0.0-4.4.5| | [2544559](#2544559)
| When you install a large number of new rules with nonatomic mode enabled, there is a chance that you install more rules than the number of available slots in the slice, which results in the slice being completely wiped and reinstalled. This causes a large drop increase, including to cpu0, and might cause a major outage by dropping all BGP sessions. | 3.7.8-3.7.16 | 4.0.0-4.4.5| | [2544556](#2544556)
| If you reconfigure an NTP server with NCLU using different trailing options after the IP address (such as iburst), an invalid configuration is added to the /etc/ntp.conf file. For example:

net add time ntp server 1.2.3.4 iburst
net commit
net add time ntp server 1.2.3.4
net commit

If you need to alter existing server configurations, first remove the server, commit, then re-add the server with any trailing options. | 3.7.9-4.1.1 | 4.2.0-4.4.5| | [2544463](#2544463)
| Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | -| [2544456](#2544456)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | +| [2544456, 2546166, 2546167, 2547706, 2549513](#2544456, 2546166, 2546167, 2547706, 2549513)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544385](#2544385)
| The QCT QuantaMesh BMS T7032-IX7 switch may report "failed to request GPIO pin" errors during the boot up. | 3.7.5-3.7.10 | 3.7.11-3.7.16| | [2544311](#2544311)
| Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544212](#2544212)
| Cumulus Linux poed generates excessive debug log entries. These will be reduced in a future release. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| @@ -2105,11 +2105,11 @@ pdfhidden: True | [2543937](#2543937)
| An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause a FRR reload to time out.
To work around this issue, remove the interface alias description from iproute2. | 3.7.8-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543900](#2543900)
| On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | | | [2543875](#2543875)
| On the Mellanox Spectrum switch, a route withdrawal might cause the associated next hop neighbor entry to be deleted in hardware but remain in the kernel. This can cause traffic going through the directly connected route to the removed neighbor entry to be forwarded to the CPU. | 3.7.6-3.7.16 | 4.0.0-4.4.5| -| [2543841](#2543841)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | +| [2543841, 2544947](#2543841, 2544947)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | | [2543840](#2543840)
| On the Mellanox SN2700 switch, you cannot enable resilient hashing (RASH) and set the bucket size to 64 in the traffic.conf file.

| 3.7.6-3.7.16 | | | [2543816](#2543816)
| On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages.
| 3.7.6-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2543800](#2543800)
| When local-tunnelip is an SVI, the static VXLAN tunnel does not work; the next hop router receives the packet but drops it as it does not know where to forward the packet. The static VXLAN tunnel does works if local-tunnelip is a loopback or a physical layer 3 interface.
| 3.7.8-3.7.16 | 4.0.0-4.4.5| -| [2543792](#2543792)
| On the EdgeCore AS5712, AS6712, AS5812 and AS6812 switch, support for multiple PSU types results in log messages similar to the following:

2019-09-05T05:15:17.246597+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.274521+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
2019-09-05T05:15:17.469556+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.497514+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
| 3.7.9-4.0.1 | 4.1.0-4.4.5| +| [2543792, 2545026](#2543792, 2545026)
| On the EdgeCore AS5712, AS6712, AS5812 and AS6812 switch, support for multiple PSU types results in log messages similar to the following:

2019-09-05T05:15:17.246597+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.274521+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
2019-09-05T05:15:17.469556+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.497514+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
| 3.7.9-4.0.1 | 4.1.0-4.4.5| | [2543781](#2543781)
| NCLU does not allow you to configure OSPF NSSAs. For example: 

cumulus@switch:~$ net add ospf area 0.0.0.1 nssa 
ERROR: Command not found. 
net add ospf area 0.0.0.1 nssa

To work around this issue, use FRR instead. For example: 

switch# configure terminal 
switch(config)# router ospf 
switch(config-router)# area 0.0.0.1 nssa
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543727](#2543727)
| ACL rules, such as the following, fail to install if you use swp+ (interfaces mentioned as wildcards).

-A FORWARD -i swp+ -j LOG
-A FORWARD -i swp+ -j DROP

You can now install such rules with swp+. | 3.7.3-3.7.16 | 4.0.0-4.4.5| | [2543724](#2543724)
| If a hostname contains utf-8 characters, the NCLU net show lldp command outputs the following error: 

ERROR: 'ascii' codec can't encode character u'\xe9' in position 3: ordinal not in range(128) 
See /var/log/netd.log for more details.
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| @@ -2125,7 +2125,7 @@ pdfhidden: True | [2543472](#2543472)
| On switches with the Spectrum ASIC, the underlay hashes VXLAN packets for a given overlay flow randomly.
To work around this issue, configure the ECMP hash seed to the same value on the EVPN egress leaf switches. | 3.7.7-4.0.1 | 4.1.0-4.4.5| | [2543374](#2543374)
| After a remote VTEP peer link goes down, the tunnel destination IP address might be incorrect in hardware, which might cause loss of overlay communication between VTEPs. | 3.7.8-3.7.16 | 4.0.0-4.4.5| | [2543325](#2543325)
| Lenovo switches do not send or receive LLDP on eth0 interfaces. | 3.7.7-3.7.16 | 4.0.0-4.4.5| -| [2543270](#2543270)
| The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5| +| [2543270, 2549352](#2543270, 2549352)
| The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5| | [2543211](#2543211)
| In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2543164](#2543164)
| The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2543113](#2543113)
| NCLU restarts FRR when attempting to remove a BGP VRF stanza. This happens regardless of whether the VRF is valid/configured elsewhere on the switch or the removal is successful. To work around this issue, remove the stanza using vtysh.
| 3.7.3-3.7.16 | 4.0.0-4.4.5| @@ -2133,22 +2133,22 @@ pdfhidden: True | [2543058](#2543058)
| The IP neighbor entry for a link-local next hop is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces.
To work around this issue, flap the peering to the peer router (which might be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces. | 3.7.7-3.7.16 | 4.0.0-4.4.5| | [2543052](#2543052)
| Received EVPN type-5 and type-2 MACIP routes are not installed in the kernel (and hardware) routing tables for the associated VRF, which causes traffic to be blackholed. The failure to install the default route causes complete reachability failure for the particular tenant on the affected racks. The routes that are not installed are seen as "inactive" in the routing subsystem (FRR) VRF routing table. This problem is rare and can occur only in EVPN configurations that have user-configured route targets (RTs) for tenant VRFs, and only following a restart of FRR.
To work around this issue, either restart the FRR service on the affected switch with the sudo systemctl restart frr.service command or bounce the layer 3 SVI for the affected VRF; for example:

ifdown vlan123 ; sleep 2 ; ifup vlan123

You can run the net show vrf vni command to print a mapping of VRF : L3-VNI : L3-SVI. | 3.7.5-3.7.16 | 4.0.0-4.4.5| | [2543044](#2543044)
| Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up.
You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up. | 3.7.2-3.7.16 | 4.0.0-4.4.5| -| [2542979](#2542979)
| On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5| +| [2542979, 2546131](#2542979, 2546131)
| On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5| | [2542958](#2542958)
| When transitioning from a down state to an up state due to peerlink failure and recovery, MLAG does not start the initDelay timer before trying to bring everything back up. | 3.7.7-3.7.16 | 4.0.0-4.4.5| | [2542945](#2542945)
| On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags.
To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad: 

cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2542913](#2542913)
| IF-MIB::ifHCInOctets reports significantly lower values than reported by interface counters seen elsewhere. | 3.7.6-3.7.16 | 4.0.0-4.4.5| -| [2542871](#2542871)
| After you issue the NCLU net del bgp vrf autonomous-system command and commit the change, Cumulus Linux does not remove the configuration from the /etc/frr/frr.conf file or the net show config commands.
| 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| +| [2542871, 2542901, 2542901](#2542871, 2542901, 2542901)
| After you issue the NCLU net del bgp vrf autonomous-system command and commit the change, Cumulus Linux does not remove the configuration from the /etc/frr/frr.conf file or the net show config commands.
| 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| | [2542835](#2542835)
| snmpd fails because NCLU does not remove agentaddress @vrf lines when running the net add snmp-server listening-address all command. | 3.7.4-3.7.16 | 4.0.0-4.4.5| | [2542823](#2542823)
| On the Broadcom Trident 3 switch, VXLAN encapsulated packets are dropped on the ingress port (tagged layer 2 port) during transit forwarding (the local switch does not terminate the VXLAN tunnel). An example of where this two-layer VXLAN inside VXLAN encapsulation might occur:
- VXLAN tunnel (#1) between two servers (different racks) to provide layer 2 extension for containers or VM hosts.
- VXLAN tunnel (#2) between the TOR switch in rack 1 to the TOR switch located in the remote rack.

To work around this issue, either:
- Configure the edge port (facing the servers) to be an access port (instead of a trunk/tagged port)
- Change the destination port from 4789 to something else (VXLAN tunnel terminated by the servers) | 3.7.5-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5| | [2542767](#2542767)
| If the BMC operating system fails to respond to IPMI, you see a traceback in bmcd and all the sensors might report ABSENT devices in smonctl.
To work around this issue, power cycle the switch.
| 3.7.6-4.0.1 | 4.1.0-4.4.5| | [2542765](#2542765)
| When you configure the switch to send an EAP request with the net add dot1x send-eap-request-id command, the switch ignores re-authentication attempts and does not send back an EAPol.
| 3.7.6-3.7.10 | 3.7.11-3.7.16| | [2542509](#2542509)
| In EVPN symmetric or centralized configurations with BGP peering over a peer link, VXLAN routed packets transiting an MLAG peer are dropped until the clagd init-delay timer expires during the bring-up sequence following a reboot.
The problem is caused by a race condition when programming the anycast IP address (used to terminate VXLAN tunnels), where the hardware is programmed before the software by clagd.
To work around this issue, configure the BGP path across the peer link to be less preferred. The example below uses AS path prepending and the MLAG switches are iBGP neighbors. However, other BGP configurations achieve the same result.
In the /etc/frr/frr.conf file, make a new AS path access list and route map to apply BGP pre-pending of the local ASN one or more times. For example: 
 
ip as-path access-list MY_ASN permit ^$ 

route-map peerlink-add-asn permit 10 
match as-path MY_ASN 
set as-path prepend 4200000101 
route-map peerlink-add-asn permit 20
| 3.7.6-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| | [2542384](#2542384)
| When you define a trap destination using @mgmt, snmpd indicates that the network is unreachable even though the IP address is reachable in the management VRF.
To work around this issue, remove @mgmt vrf references in the /etc/snmp/snmpd.conf file, stop snmpd, then start snmpd manually in the management VRF with the systemctl start snmpd@mgmt command.
| 3.7.6-3.7.16 | 4.0.0-4.4.5| -| [2542310](#2542310)
| hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6.
| 3.7.6-3.7.16 | | +| [2542310, 2523456](#2542310, 2523456)
| hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6.
| 3.7.6-3.7.16 | | | [2542305](#2542305)
| If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2542301](#2542301)
| When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2542248](#2542248)
| When you generate a cl-support file, clagd.service prints log messages similar to the following: 
 
 019-03-21T07:18:15.727581+00:00 leaf01 clagd[20912]: DumpThreadStacks - start 
 2019-03-21T07:18:15.728157+00:00 leaf01 clagd[20912]: #012thread: CollectSysInfo (140608446367488) 
 2019-03-21T07:18:15.735986+00:00 leaf01 clagd[20912]: file: /usr/lib/python2.7/threading.py, line 783, in __bootstrap 
 2019-03-21T07:18:15.736585+00:00 leaf01 clagd[20912]: file: /usr/lib/python2.7/threading.py, line 810, in __bootstrap_inner 
 2019-03-21T07:18:15.737045+00:00 leaf01 clagd[20912]: file: /usr/lib/python2.7/threading.py, line 763, in run 
 2019-03-21T07:18:15.737933+00:00 leaf01 clagd[20912]: file: /usr/sbin/clagd, line 930, in CollectSysInfoT 
 2019-03-21T07:18:15.739527+00:00 leaf01 clagd[20912]: file: /usr/sbin/clagd, line 187, in CollectSysInfo 
 2019-03-21T07:18:15.740540+00:00 leaf01 clagd[20912]: file: /usr/lib/python2.7/threading.py, line 621, in wait 
 2019-03-21T07:18:15.742293+00:00 leaf01 clagd[20912]: file: /usr/lib/python2.7/dist-packages/clag/clagthread.py, line 48, in wait 
 . 
 . 
 2019-03-21T07:18:16.456061+00:00 leaf01 clagd[20912]: DumpThreadStacks - end

| 3.7.6-3.7.16 | 4.0.0-4.4.5| -| [2542100](#2542100)
| On the EdgeCore AS7816 switch, PCIE errors cause switchd startup to fail. | 3.7.9-3.7.16 | 4.0.0-4.4.5| +| [2542100, 2544399](#2542100, 2544399)
| On the EdgeCore AS7816 switch, PCIE errors cause switchd startup to fail. | 3.7.9-3.7.16 | 4.0.0-4.4.5| | [2541212](#2541212)
| The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2541165](#2541165)
| On the Dell N3048EP-ON switch, UPOE is supported only on ports 1 thru 12. (UPOE uses all four pairs of standard Ethernet cabling whereas PoE delivers power over two twisted pairs.) When you plug a UPOE device in a port higher than port 12, poectl reports that four_pair_mode_enabled is true. However, this configuration is not supported on the port so poectl should report that four_pair_mode_enabled is false.
| 3.7.6-3.7.16 | | | [2541029](#2541029)
| On switches with the Trident2 ASIC, 802.1Q-encapsulated control plane traffic received on an interface with 802.1AD configured subinterfaces might be dropped.
This issue only affects QinQ configurations.
| 3.7.5-3.7.16, 4.0.0-4.4.5 | | @@ -2160,7 +2160,7 @@ pdfhidden: True | [2540352](#2540352)
| When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a _match interface_ condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9 
net add routing route-map Proxy-ARP permit 30 match interface swp10

| 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2540340](#2540340)
| NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example: 
 
 cumulus@switch:~$ net add vrf mgmt

Tab completion for the net add vrf ip address
command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540274](#2540274)
| On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | -| [2540204](#2540204)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540204, 2713883](#2540204, 2713883)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540192](#2540192)
| The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540155](#2540155)
| On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2540042](#2540042)
| When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example: 
 
cumulus@switch:~$ sudo vtysh 
switch# configure terminal 
switch(config)# interface br0.100 
switch(config-if)# vrrp 1 priority 110 
switch(config-if)# vrrp 1 advertisement-interval 
switch(config-if)# end 
switch# write memory 
switch# exit 
cumulus@switch:~

| 3.7.4-3.7.16, 4.0.0-4.4.5 | | @@ -2179,25 +2179,25 @@ pdfhidden: True | [2538302](#2538302)
| portwd allows an error to change the module type based on the error. For example, a bad write to a module might cause the module type to flap, which causes the link itself to flap.
| 3.7.0-3.7.16 | | | [2538294](#2538294)
| If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2538256](#2538256)
| On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets.
| 3.7.2-4.0.1 | 4.1.0-4.4.5| -| [2537819](#2537819)
| When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
| 3.7.2-3.7.16 | 4.0.0-4.4.5| +| [2537819, 2542964](#2537819, 2542964)
| When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
| 3.7.2-3.7.16 | 4.0.0-4.4.5| | [2537699](#2537699)
| There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces: 
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
| 3.7.1-3.7.16, 4.0.0-4.4.5 | | -| [2537544](#2537544)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2537544, 2537365](#2537544, 2537365)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | | [2537536](#2537536)
| When FRR restarts, snmp[err] dev/kmem: Permission denied error messages are recorded in the log file and SNMPd might crash periodically. | 3.7.5-3.7.16 | 4.0.0-4.4.5| | [2537378](#2537378)
| NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.
To work around this issue, stop snmpd, remove the cache file, then restart snmpd.
| 3.7.1-3.7.16 | | | [2537188](#2537188)
| When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.
This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network.
| 3.7.2-3.7.16 | | -| [2537104](#2537104)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | 4.0.0-4.4.5| +| [2537104, 2534061](#2537104, 2534061)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | 4.0.0-4.4.5| | [2537061](#2537061)
| The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent.
| 3.7.1-4.0.1 | 4.1.0-4.4.5| | [2536639](#2536639)
| On a Dell S4048 switch, when you set the eth0 speed to 100, either with NCLU or by editing the /etc/network/interfaces file, the igb driver crashes, which brings down eth0.
To work around this issue:
* If eth0 is configured in the management VRF, power cycle the switch; the eth0 configuration fails and reverts back to the default (auto-negotiation/1000).
* If eth0 is configured in the default VRF and you power cycle after the crash, igb continues to crash on boot up (before getting to login prompt); power-cycle the switch, select the Advanced option in GRUB to boot to recovery mode, then modify the /etc/network/interfaces file. | 3.7.0-3.7.16 | 4.0.0-4.4.5| | [2536608](#2536608)
| Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI.
| 3.7.0-3.7.16 | | | [2536559](#2536559)
| When deleting an interface using NCLU, if the /etc/network/interfaces alias is different than the /etc/frr/frr.conf description, the net commit command returns the following error: 

 /etc/frr/daemons was modified by another user.

Despite this error, the change is made and the description is removed from the frr.conf file. | 3.7.3-3.7.10 | 3.7.11-3.7.16| | [2536384](#2536384)
| The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | -| [2536230](#2536230)
| On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature.
In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| +| [2536230, 2545399](#2536230, 2545399)
| On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature.
In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| | [2536179](#2536179)
| On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2535986](#2535986)
| At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.
When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2535965](#2535965)
| On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly.
To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2535209](#2535209)
| The net show lldp command sometimes shows the port description in the Remote Port field. The net show interface command shows the correct value in the Remote Host field.
To work around this issue, use net show interface command for LLDP output when connected to Cisco equipment. | 3.7.5-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2534450](#2534450)
| The default BGP instance must be provisioned and always exist for proper operation of dynamic leaking of routes between VRFs. | 3.7.0-3.7.16 | 4.0.0-4.4.5| -| [2528990](#2528990)
| During a link flap test, you might occasionally see a message similar to: warning: swp6: netlink: cannot set link swp6 down: [Errno 98] Address already in use. | 3.7.6-3.7.10 | 3.7.11-3.7.16| +| [2528990, 2523824, 2523824, 2542431](#2528990, 2523824, 2523824, 2542431)
| During a link flap test, you might occasionally see a message similar to: warning: swp6: netlink: cannot set link swp6 down: [Errno 98] Address already in use. | 3.7.6-3.7.10 | 3.7.11-3.7.16| ### Fixed Issues in 3.7.9 | Issue ID | Description | Affects | @@ -2216,7 +2216,7 @@ pdfhidden: True | [2542726](#2542726)
| After configuring switchd hal.bcm.per_vlan_router_mac_lookup to TRUE on a Broadcom switch, layer 2 traffic works over VXLAN but the host is not able to ping the locally connected gateway and loses routing ability to other IPs and subnets. | 3.7.5-3.7.8 | | | [2542711](#2542711)
| BGP update packets are sometimes missing the mandatory nexthop attribute, which causes connections to reset. For example, this issue is seen when using VRF route leaking with a mix of BGP unnumbered and BGP numbered peers. | 3.7.6-3.7.8 | | | [2542480](#2542480)
| When BGP remove-private-AS replace-AS is configured under the BGP IPv4 or IPv6 address family between a pair of switches configured as BGP peers, a BGP route update might cause the BGP session to flap.
To work around this issue, do not configure remove-private-AS replace-AS in the BGP IPv4 or IPv6 address family. | 3.7.6-3.7.8 | | -| [2542472](#2542472)
| On Broadcom-based VXLAN routing capable platforms, VXLAN traffic received at the egress VTEP might drop because the hardware is mis-programming. This issue is related to timing and is not easily reproduced.
This issue might occur after a VXLAN interface (VNI) state transition (the peerlink goes down and puts VNI into a protodown state, then the peerlink comes back and the VNI returns to UP) and is related to how the next-hop information is programmed in hardware. Sometimes the host routes corresponding to this VXLAN segment are mis-programmed with the wrong next hop information.
To work around this issue, restart the switchd service with the sudo systemctl restart switchd.service command. | | | +| [2542472, 2544615](#2542472, 2544615)
| On Broadcom-based VXLAN routing capable platforms, VXLAN traffic received at the egress VTEP might drop because the hardware is mis-programming. This issue is related to timing and is not easily reproduced.
This issue might occur after a VXLAN interface (VNI) state transition (the peerlink goes down and puts VNI into a protodown state, then the peerlink comes back and the VNI returns to UP) and is related to how the next-hop information is programmed in hardware. Sometimes the host routes corresponding to this VXLAN segment are mis-programmed with the wrong next hop information.
To work around this issue, restart the switchd service with the sudo systemctl restart switchd.service command. | | | | [2542365](#2542365)
| The snmpd service frequently crashes due to double free or corruption. | 3.7.6-3.7.8 | | | [2542341](#2542341)
| The IP neighbor entry for a link-local next hop (169.254.x.x) is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces.
To work around this issue, flap the peering to the peer router (which can be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces. | 3.7.7-3.7.8 | | | [2542336](#2542336)
| On the Mellanox SN2410 switch, switchd does not start. | 3.7.2-3.7.8 | | @@ -2229,17 +2229,17 @@ pdfhidden: True | [2541003](#2541003)
| NCLU is unable to delete a BGP neighbor configuration if there is a VRF VNI mapping in the /etc/frr/frr.conf file. For example, the following NCLU command produces an error: 
 
cumulus@leaf01$ net del bgp neighbor swp5 interface peer-group spine 
'router bgp 65001' configuration does not have 'neighbor swp5 interface peer-group spine'
| 3.7.7-3.7.8 | | | [2540684](#2540684)
| On a Dell S5248F (Trident3) switch, packets from switch ports are forwarded to the CPU and are sometimes corrupted. The corruption might result in BGP peerings being down, which can lead to all VXLAN traffic to and from a node to be lost, causing an outage to dually connected hosts in a rack. To work around this issue, restart switchd. | 3.7.3-3.7.8 | | | [2540600](#2540600)
| If the clagd-vxlan-anycast-ip is removed from the /etc/network/interfaces file (either with the NCLU command or by editing the file manually), MLAG still believes it is present until clagd restarts. | 3.7.3-3.7.8 | | -| [2540359](#2540359)
| bgpd creates a core dump at zclient_send_interface_radv_req. This is an issue with how FRRouting checks next hops and has been pushed upstream to FRRouting. | 3.7.6-3.7.8 | | +| [2540359, 2540806](#2540359, 2540806)
| bgpd creates a core dump at zclient_send_interface_radv_req. This is an issue with how FRRouting checks next hops and has been pushed upstream to FRRouting. | 3.7.6-3.7.8 | | | [2538741](#2538741)
| The NCLU command net show bridge spanning-tree does not show the MLAG peer link as part of the STP forwarding instance.
To work around this issue, use the mstpctl command to confirm the STP status of the port. | 3.7.2-3.7.8 | | | [2538480](#2538480)
| Modifying the /etc/netd.conf file to set show_linux_command = True does not take effect. | 3.7.2-3.7.8 | | -| [2538321](#2538321)
| On the Trident3 switch, the input chain ACLs drop action forwards packets if the traffic is destined to the CPU on an SVI. | | | +| [2538321, 2543029](#2538321, 2543029)
| On the Trident3 switch, the input chain ACLs drop action forwards packets if the traffic is destined to the CPU on an SVI. | | | | [2538022](#2538022)
| When you remove an interface from a bridge and add it to a VRF in the same commit/ifreload, the IPv6 link-local address is not created automatically.
To work around this issue, do the change in two separate commits. First, remove the interface from the bridge, which causes it to be a layer 2 interface. Then, enslave the interface to the VRF. | 3.7.2-3.7.8 | | -| [2537153](#2537153)
| In rare cases, certain IPv6 BGP peers fail to reestablish after switchd restarts. | 3.7.2-3.7.8 | | +| [2537153, 2540994](#2537153, 2540994)
| In rare cases, certain IPv6 BGP peers fail to reestablish after switchd restarts. | 3.7.2-3.7.8 | | | [2536650](#2536650)
| Mellanox Spectrum and Helix4 switches occasionally send malformed packets and do not send any flow samples (only counters).
While this issue is fixed for switches with the Spectrum ASIC, this is a [known limitation\|https://docs.cumulusnetworks.com/cumulus-linux/Monitoring-and-Troubleshooting/Network-Troubleshooting/Monitoring-System-Statistics-and-Network-Traffic-with-sFlow/#caveats-and-errata] on this Helix4 platform. | 3.7.0-3.7.8 | | | [2536154](#2536154)
| By default, the nginx server used for the HTTP API on port 8080 is enabled, but does not listen to external requests. However, it appears to be listening and answering external requests. | | | | [2535445](#2535445)
| If a VNI is configured before the bridge in /etc/network/interfaces, the switch does not send IGMP queries.
To work around this issue, edit the /etc/network/interfaces file to define the bridge before the VNI. For example: 
 
# The primary network interface 
auto eth0 
iface eth0 inet dhcp 

auto lo 
iface lo inet loopback 
address 10.26.10.11/32 

auto swp9 
iface swp9 
bridge-access 100 

auto swp10 
iface swp10 
bridge-access 100 

auto bridge 
iface bridge 
bridge-ports swp9 swp10 vni-10 
bridge-vids 100 
bridge-vlan-aware yes 
bridge-mcquerier 1 

auto vni-10 
iface vni-10 
vxlan-id 10 
vxlan-local-tunnelip 10.0.0.11 
bridge-access 100 

auto bridge.100 
vlan bridge.100 
bridge-igmp-querier-src 123.1.1.1 

auto vlan100 
iface vlan100 
address 10.26.100.2/24 
vlan-id 100 
vlan-raw-device bridge

. | | | | [2534887](#2534887)
| The NCLU net show lldp and net show interface commands do not show LLDP information for swp* (eth is unaffected). | | | -| [2532395](#2532395)
| Drops due to congestion do not appear to be counted on a Mellanox switch. To work around this issue, run the sudo ethtool -S swp1 command to collect interface traffic statistics. | | | +| [2532395, 2529029](#2532395, 2529029)
| Drops due to congestion do not appear to be counted on a Mellanox switch. To work around this issue, run the sudo ethtool -S swp1 command to collect interface traffic statistics. | | | ## 3.7.8 Release Notes ### Open Issues in 3.7.8 @@ -2281,7 +2281,7 @@ pdfhidden: True | [2544846](#2544846)
| You might experience a bgpd memory usage increase and significant update exchanges due to host moves between VTEPs. | 3.7.7-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| | [2544829](#2544829)
| Frames received with a VLAN tag of 0 on an interface configured as a bridge port and forwarded to the CPU for processing might appear tagged with the native VLAN when viewed with tcpdump. | 3.7.8-3.7.16 | | | [2544723](#2544723)
| Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| -| [2544609](#2544609)
| BGP is configured with soft reconfiguration-in for its peers, which is not working correctly and causes routes to have an unexpected label. As a result, transit traffic is not forwarded by the switch. | 3.7.7-3.7.16 | 4.0.0-4.4.5| +| [2544609, 2550042](#2544609, 2550042)
| BGP is configured with soft reconfiguration-in for its peers, which is not working correctly and causes routes to have an unexpected label. As a result, transit traffic is not forwarded by the switch. | 3.7.7-3.7.16 | 4.0.0-4.4.5| | [2544559](#2544559)
| When you install a large number of new rules with nonatomic mode enabled, there is a chance that you install more rules than the number of available slots in the slice, which results in the slice being completely wiped and reinstalled. This causes a large drop increase, including to cpu0, and might cause a major outage by dropping all BGP sessions. | 3.7.8-3.7.16 | 4.0.0-4.4.5| | [2544385](#2544385)
| The QCT QuantaMesh BMS T7032-IX7 switch may report "failed to request GPIO pin" errors during the boot up. | 3.7.5-3.7.10 | 3.7.11-3.7.16| | [2544311](#2544311)
| Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | @@ -2291,7 +2291,7 @@ pdfhidden: True | [2543937](#2543937)
| An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause a FRR reload to time out.
To work around this issue, remove the interface alias description from iproute2. | 3.7.8-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543900](#2543900)
| On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | | | [2543875](#2543875)
| On the Mellanox Spectrum switch, a route withdrawal might cause the associated next hop neighbor entry to be deleted in hardware but remain in the kernel. This can cause traffic going through the directly connected route to the removed neighbor entry to be forwarded to the CPU. | 3.7.6-3.7.16 | 4.0.0-4.4.5| -| [2543841](#2543841)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | +| [2543841, 2544947](#2543841, 2544947)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | | [2543840](#2543840)
| On the Mellanox SN2700 switch, you cannot enable resilient hashing (RASH) and set the bucket size to 64 in the traffic.conf file.

| 3.7.6-3.7.16 | | | [2543816](#2543816)
| On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages.
| 3.7.6-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2543800](#2543800)
| When local-tunnelip is an SVI, the static VXLAN tunnel does not work; the next hop router receives the packet but drops it as it does not know where to forward the packet. The static VXLAN tunnel does works if local-tunnelip is a loopback or a physical layer 3 interface.
| 3.7.8-3.7.16 | 4.0.0-4.4.5| @@ -2312,7 +2312,7 @@ pdfhidden: True | [2543389](#2543389)
| Dynamic route-leaking works as expected until FRR is restarted or the switch is rebooted. After the restart or reboot, the import RT under the VRF where routes are being imported is incorrect. | 3.7.7-3.7.8 | 3.7.9-3.7.16| | [2543374](#2543374)
| After a remote VTEP peer link goes down, the tunnel destination IP address might be incorrect in hardware, which might cause loss of overlay communication between VTEPs. | 3.7.8-3.7.16 | 4.0.0-4.4.5| | [2543325](#2543325)
| Lenovo switches do not send or receive LLDP on eth0 interfaces. | 3.7.7-3.7.16 | 4.0.0-4.4.5| -| [2543270](#2543270)
| The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5| +| [2543270, 2549352](#2543270, 2549352)
| The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5| | [2543211](#2543211)
| In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2543164](#2543164)
| The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2543113](#2543113)
| NCLU restarts FRR when attempting to remove a BGP VRF stanza. This happens regardless of whether the VRF is valid/configured elsewhere on the switch or the removal is successful. To work around this issue, remove the stanza using vtysh.
| 3.7.3-3.7.16 | 4.0.0-4.4.5| @@ -2322,12 +2322,12 @@ pdfhidden: True | [2543044](#2543044)
| Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up.
You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up. | 3.7.2-3.7.16 | 4.0.0-4.4.5| | [2543004](#2543004)
| Cumulus Linux installer images have a shell script that validates checksum integrity. When you run onie-install, this check is run but the installer is still staged even if the checksum validation fails.
To work around this issue, perform your own checksum validation before staging a new image with onie-install. | 3.7.7-3.7.8 | 3.7.9-3.7.16| | [2542985](#2542985)
| On a Tomahawk switch, the 5m 40G DACs (40G CR4) do not come up when both sides have auto-negotiation enabled. | 3.7.7-3.7.8 | 3.7.9-3.7.16| -| [2542979](#2542979)
| On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5| +| [2542979, 2546131](#2542979, 2546131)
| On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5| | [2542958](#2542958)
| When transitioning from a down state to an up state due to peerlink failure and recovery, MLAG does not start the initDelay timer before trying to bring everything back up. | 3.7.7-3.7.16 | 4.0.0-4.4.5| | [2542945](#2542945)
| On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags.
To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad: 

cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2542938](#2542938)
| When MLAG is re-establishing its peering after a member reboot, the VNIs on the peer briefly go into a protodown state. This can cause complete downtime to dually connected hosts as the member coming back up is still in initDelay. This issue does resolve itself as the VNIs do come back up within ten seconds. | 3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5| | [2542913](#2542913)
| IF-MIB::ifHCInOctets reports significantly lower values than reported by interface counters seen elsewhere. | 3.7.6-3.7.16 | 4.0.0-4.4.5| -| [2542871](#2542871)
| After you issue the NCLU net del bgp vrf autonomous-system command and commit the change, Cumulus Linux does not remove the configuration from the /etc/frr/frr.conf file or the net show config commands.
| 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| +| [2542871, 2542901, 2542901](#2542871, 2542901, 2542901)
| After you issue the NCLU net del bgp vrf autonomous-system command and commit the change, Cumulus Linux does not remove the configuration from the /etc/frr/frr.conf file or the net show config commands.
| 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| | [2542853](#2542853)
| For interfaces configured with RS FEC, when switchd is restarted, the link goes down but does not automatically come back up. This occurs because the FEC status is not replayed correctly into the kernel.
To work around this issue, run the ifreload -a command to bring up the interface after switchd is restarted. | 3.7.6-3.7.8 | 3.7.9-3.7.16| | [2542837](#2542837)
| On Mellanox switches, policer iptables are not working as expected. For example, when using a policer with mode KB/MB/GB to rate-limit interfaces, the syntax is accepted but the data plane transfer speed is not affected by the rule. | 3.7.6-3.7.8, 4.0.0-4.4.5 | 3.7.9-3.7.16| | [2542835](#2542835)
| snmpd fails because NCLU does not remove agentaddress @vrf lines when running the net add snmp-server listening-address all command. | 3.7.4-3.7.16 | 4.0.0-4.4.5| @@ -2344,7 +2344,7 @@ pdfhidden: True | [2542365](#2542365)
| The snmpd service frequently crashes due to double free or corruption. | 3.7.6-3.7.8 | 3.7.9-3.7.16| | [2542341](#2542341)
| The IP neighbor entry for a link-local next hop (169.254.x.x) is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces.
To work around this issue, flap the peering to the peer router (which can be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces. | 3.7.7-3.7.8 | 3.7.9-3.7.16| | [2542336](#2542336)
| On the Mellanox SN2410 switch, switchd does not start. | 3.7.2-3.7.8 | 3.7.9-3.7.16| -| [2542310](#2542310)
| hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6.
| 3.7.6-3.7.16 | | +| [2542310, 2523456](#2542310, 2523456)
| hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6.
| 3.7.6-3.7.16 | | | [2542305](#2542305)
| If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2542301](#2542301)
| When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2542297](#2542297)
| When you run the NCLU net del all command, the exec-timeout setting changes in the /etc/frr.frr.conf file. | 3.7.6-3.7.8 | 3.7.9-3.7.16| @@ -2365,11 +2365,11 @@ pdfhidden: True | [2540684](#2540684)
| On a Dell S5248F (Trident3) switch, packets from switch ports are forwarded to the CPU and are sometimes corrupted. The corruption might result in BGP peerings being down, which can lead to all VXLAN traffic to and from a node to be lost, causing an outage to dually connected hosts in a rack. To work around this issue, restart switchd. | 3.7.3-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5| | [2540600](#2540600)
| If the clagd-vxlan-anycast-ip is removed from the /etc/network/interfaces file (either with the NCLU command or by editing the file manually), MLAG still believes it is present until clagd restarts. | 3.7.3-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5| | [2540444](#2540444)
| SNMP incorrectly requires engine ID specification.
| 3.7.4-3.7.16, 4.0.0-4.4.5 | | -| [2540359](#2540359)
| bgpd creates a core dump at zclient_send_interface_radv_req. This is an issue with how FRRouting checks next hops and has been pushed upstream to FRRouting. | 3.7.6-3.7.8 | 3.7.9-3.7.16| +| [2540359, 2540806](#2540359, 2540806)
| bgpd creates a core dump at zclient_send_interface_radv_req. This is an issue with how FRRouting checks next hops and has been pushed upstream to FRRouting. | 3.7.6-3.7.8 | 3.7.9-3.7.16| | [2540352](#2540352)
| When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a _match interface_ condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9 
net add routing route-map Proxy-ARP permit 30 match interface swp10

| 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2540340](#2540340)
| NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example: 
 
 cumulus@switch:~$ net add vrf mgmt

Tab completion for the net add vrf ip address
command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540274](#2540274)
| On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | -| [2540204](#2540204)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540204, 2713883](#2540204, 2713883)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540192](#2540192)
| The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540155](#2540155)
| On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2540042](#2540042)
| When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example: 
 
cumulus@switch:~$ sudo vtysh 
switch# configure terminal 
switch(config)# interface br0.100 
switch(config-if)# vrrp 1 priority 110 
switch(config-if)# vrrp 1 advertisement-interval 
switch(config-if)# end 
switch# write memory 
switch# exit 
cumulus@switch:~

| 3.7.4-3.7.16, 4.0.0-4.4.5 | | @@ -2391,27 +2391,27 @@ pdfhidden: True | [2538294](#2538294)
| If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2538256](#2538256)
| On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets.
| 3.7.2-4.0.1 | 4.1.0-4.4.5| | [2538022](#2538022)
| When you remove an interface from a bridge and add it to a VRF in the same commit/ifreload, the IPv6 link-local address is not created automatically.
To work around this issue, do the change in two separate commits. First, remove the interface from the bridge, which causes it to be a layer 2 interface. Then, enslave the interface to the VRF. | 3.7.2-3.7.8 | 3.7.9-3.7.16| -| [2537819](#2537819)
| When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
| 3.7.2-3.7.16 | 4.0.0-4.4.5| +| [2537819, 2542964](#2537819, 2542964)
| When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
| 3.7.2-3.7.16 | 4.0.0-4.4.5| | [2537699](#2537699)
| There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces: 
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
| 3.7.1-3.7.16, 4.0.0-4.4.5 | | -| [2537544](#2537544)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2537544, 2537365](#2537544, 2537365)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | | [2537536](#2537536)
| When FRR restarts, snmp[err] dev/kmem: Permission denied error messages are recorded in the log file and SNMPd might crash periodically. | 3.7.5-3.7.16 | 4.0.0-4.4.5| | [2537378](#2537378)
| NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.
To work around this issue, stop snmpd, remove the cache file, then restart snmpd.
| 3.7.1-3.7.16 | | | [2537188](#2537188)
| When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.
This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network.
| 3.7.2-3.7.16 | | -| [2537153](#2537153)
| In rare cases, certain IPv6 BGP peers fail to reestablish after switchd restarts. | 3.7.2-3.7.8 | 3.7.9-3.7.16| -| [2537104](#2537104)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | 4.0.0-4.4.5| +| [2537153, 2540994](#2537153, 2540994)
| In rare cases, certain IPv6 BGP peers fail to reestablish after switchd restarts. | 3.7.2-3.7.8 | 3.7.9-3.7.16| +| [2537104, 2534061](#2537104, 2534061)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | 4.0.0-4.4.5| | [2537061](#2537061)
| The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent.
| 3.7.1-4.0.1 | 4.1.0-4.4.5| | [2536650](#2536650)
| Mellanox Spectrum and Helix4 switches occasionally send malformed packets and do not send any flow samples (only counters).
While this issue is fixed for switches with the Spectrum ASIC, this is a [known limitation\|https://docs.cumulusnetworks.com/cumulus-linux/Monitoring-and-Troubleshooting/Network-Troubleshooting/Monitoring-System-Statistics-and-Network-Traffic-with-sFlow/#caveats-and-errata] on this Helix4 platform. | 3.7.0-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5| | [2536639](#2536639)
| On a Dell S4048 switch, when you set the eth0 speed to 100, either with NCLU or by editing the /etc/network/interfaces file, the igb driver crashes, which brings down eth0.
To work around this issue:
* If eth0 is configured in the management VRF, power cycle the switch; the eth0 configuration fails and reverts back to the default (auto-negotiation/1000).
* If eth0 is configured in the default VRF and you power cycle after the crash, igb continues to crash on boot up (before getting to login prompt); power-cycle the switch, select the Advanced option in GRUB to boot to recovery mode, then modify the /etc/network/interfaces file. | 3.7.0-3.7.16 | 4.0.0-4.4.5| | [2536608](#2536608)
| Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI.
| 3.7.0-3.7.16 | | | [2536559](#2536559)
| When deleting an interface using NCLU, if the /etc/network/interfaces alias is different than the /etc/frr/frr.conf description, the net commit command returns the following error: 

 /etc/frr/daemons was modified by another user.

Despite this error, the change is made and the description is removed from the frr.conf file. | 3.7.3-3.7.10 | 3.7.11-3.7.16| | [2536384](#2536384)
| The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | -| [2536230](#2536230)
| On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature.
In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| +| [2536230, 2545399](#2536230, 2545399)
| On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature.
In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| | [2536179](#2536179)
| On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2535986](#2535986)
| At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.
When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2535965](#2535965)
| On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly.
To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2535209](#2535209)
| The net show lldp command sometimes shows the port description in the Remote Port field. The net show interface command shows the correct value in the Remote Host field.
To work around this issue, use net show interface command for LLDP output when connected to Cisco equipment. | 3.7.5-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2534450](#2534450)
| The default BGP instance must be provisioned and always exist for proper operation of dynamic leaking of routes between VRFs. | 3.7.0-3.7.16 | 4.0.0-4.4.5| -| [2528990](#2528990)
| During a link flap test, you might occasionally see a message similar to: warning: swp6: netlink: cannot set link swp6 down: [Errno 98] Address already in use. | 3.7.6-3.7.10 | 3.7.11-3.7.16| +| [2528990, 2523824, 2523824, 2542431](#2528990, 2523824, 2523824, 2542431)
| During a link flap test, you might occasionally see a message similar to: warning: swp6: netlink: cannot set link swp6 down: [Errno 98] Address already in use. | 3.7.6-3.7.10 | 3.7.11-3.7.16| ### Fixed Issues in 3.7.8 | Issue ID | Description | Affects | @@ -2452,7 +2452,7 @@ pdfhidden: True | [2545132](#2545132)
| On the Mellanox switch, ACL lookups are performed for VLAN matches when no rules with UNTAGGED match are present. | 3.7.2-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| | [2544846](#2544846)
| You might experience a bgpd memory usage increase and significant update exchanges due to host moves between VTEPs. | 3.7.7-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| | [2544723](#2544723)
| Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| -| [2544609](#2544609)
| BGP is configured with soft reconfiguration-in for its peers, which is not working correctly and causes routes to have an unexpected label. As a result, transit traffic is not forwarded by the switch. | 3.7.7-3.7.16 | 4.0.0-4.4.5| +| [2544609, 2550042](#2544609, 2550042)
| BGP is configured with soft reconfiguration-in for its peers, which is not working correctly and causes routes to have an unexpected label. As a result, transit traffic is not forwarded by the switch. | 3.7.7-3.7.16 | 4.0.0-4.4.5| | [2544385](#2544385)
| The QCT QuantaMesh BMS T7032-IX7 switch may report "failed to request GPIO pin" errors during the boot up. | 3.7.5-3.7.10 | 3.7.11-3.7.16| | [2544311](#2544311)
| Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544212](#2544212)
| Cumulus Linux poed generates excessive debug log entries. These will be reduced in a future release. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| @@ -2483,11 +2483,11 @@ pdfhidden: True | [2543044](#2543044)
| Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up.
You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up. | 3.7.2-3.7.16 | 4.0.0-4.4.5| | [2543004](#2543004)
| Cumulus Linux installer images have a shell script that validates checksum integrity. When you run onie-install, this check is run but the installer is still staged even if the checksum validation fails.
To work around this issue, perform your own checksum validation before staging a new image with onie-install. | 3.7.7-3.7.8 | 3.7.9-3.7.16| | [2542985](#2542985)
| On a Tomahawk switch, the 5m 40G DACs (40G CR4) do not come up when both sides have auto-negotiation enabled. | 3.7.7-3.7.8 | 3.7.9-3.7.16| -| [2542979](#2542979)
| On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5| +| [2542979, 2546131](#2542979, 2546131)
| On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5| | [2542958](#2542958)
| When transitioning from a down state to an up state due to peerlink failure and recovery, MLAG does not start the initDelay timer before trying to bring everything back up. | 3.7.7-3.7.16 | 4.0.0-4.4.5| | [2542945](#2542945)
| On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags.
To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad: 

cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2542913](#2542913)
| IF-MIB::ifHCInOctets reports significantly lower values than reported by interface counters seen elsewhere. | 3.7.6-3.7.16 | 4.0.0-4.4.5| -| [2542871](#2542871)
| After you issue the NCLU net del bgp vrf autonomous-system command and commit the change, Cumulus Linux does not remove the configuration from the /etc/frr/frr.conf file or the net show config commands.
| 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| +| [2542871, 2542901, 2542901](#2542871, 2542901, 2542901)
| After you issue the NCLU net del bgp vrf autonomous-system command and commit the change, Cumulus Linux does not remove the configuration from the /etc/frr/frr.conf file or the net show config commands.
| 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| | [2542853](#2542853)
| For interfaces configured with RS FEC, when switchd is restarted, the link goes down but does not automatically come back up. This occurs because the FEC status is not replayed correctly into the kernel.
To work around this issue, run the ifreload -a command to bring up the interface after switchd is restarted. | 3.7.6-3.7.8 | 3.7.9-3.7.16| | [2542837](#2542837)
| On Mellanox switches, policer iptables are not working as expected. For example, when using a policer with mode KB/MB/GB to rate-limit interfaces, the syntax is accepted but the data plane transfer speed is not affected by the rule. | 3.7.6-3.7.8, 4.0.0-4.4.5 | 3.7.9-3.7.16| | [2542835](#2542835)
| snmpd fails because NCLU does not remove agentaddress @vrf lines when running the net add snmp-server listening-address all command. | 3.7.4-3.7.16 | 4.0.0-4.4.5| @@ -2504,7 +2504,7 @@ pdfhidden: True | [2542365](#2542365)
| The snmpd service frequently crashes due to double free or corruption. | 3.7.6-3.7.8 | 3.7.9-3.7.16| | [2542341](#2542341)
| The IP neighbor entry for a link-local next hop (169.254.x.x) is not installed by FRR, which results in a forwarding failure for routes via that next hop. This is a rare problem that occurs with IPv4 route exchange over IPv6 GUA peering with no IPv4 addresses on the interfaces.
To work around this issue, flap the peering to the peer router (which can be a route reflector) to recover. To avoid this issue, configure IPv6 router advertisements on the connecting interfaces. | 3.7.7-3.7.8 | 3.7.9-3.7.16| | [2542336](#2542336)
| On the Mellanox SN2410 switch, switchd does not start. | 3.7.2-3.7.8 | 3.7.9-3.7.16| -| [2542310](#2542310)
| hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6.
| 3.7.6-3.7.16 | | +| [2542310, 2523456](#2542310, 2523456)
| hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6.
| 3.7.6-3.7.16 | | | [2542305](#2542305)
| If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2542301](#2542301)
| When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2542297](#2542297)
| When you run the NCLU net del all command, the exec-timeout setting changes in the /etc/frr.frr.conf file. | 3.7.6-3.7.8 | 3.7.9-3.7.16| @@ -2525,11 +2525,11 @@ pdfhidden: True | [2540684](#2540684)
| On a Dell S5248F (Trident3) switch, packets from switch ports are forwarded to the CPU and are sometimes corrupted. The corruption might result in BGP peerings being down, which can lead to all VXLAN traffic to and from a node to be lost, causing an outage to dually connected hosts in a rack. To work around this issue, restart switchd. | 3.7.3-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5| | [2540600](#2540600)
| If the clagd-vxlan-anycast-ip is removed from the /etc/network/interfaces file (either with the NCLU command or by editing the file manually), MLAG still believes it is present until clagd restarts. | 3.7.3-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5| | [2540444](#2540444)
| SNMP incorrectly requires engine ID specification.
| 3.7.4-3.7.16, 4.0.0-4.4.5 | | -| [2540359](#2540359)
| bgpd creates a core dump at zclient_send_interface_radv_req. This is an issue with how FRRouting checks next hops and has been pushed upstream to FRRouting. | 3.7.6-3.7.8 | 3.7.9-3.7.16| +| [2540359, 2540806](#2540359, 2540806)
| bgpd creates a core dump at zclient_send_interface_radv_req. This is an issue with how FRRouting checks next hops and has been pushed upstream to FRRouting. | 3.7.6-3.7.8 | 3.7.9-3.7.16| | [2540352](#2540352)
| When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a _match interface_ condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9 
net add routing route-map Proxy-ARP permit 30 match interface swp10

| 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2540340](#2540340)
| NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example: 
 
 cumulus@switch:~$ net add vrf mgmt

Tab completion for the net add vrf ip address
command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540274](#2540274)
| On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | -| [2540204](#2540204)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540204, 2713883](#2540204, 2713883)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540192](#2540192)
| The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540155](#2540155)
| On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2540042](#2540042)
| When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example: 
 
cumulus@switch:~$ sudo vtysh 
switch# configure terminal 
switch(config)# interface br0.100 
switch(config-if)# vrrp 1 priority 110 
switch(config-if)# vrrp 1 advertisement-interval 
switch(config-if)# end 
switch# write memory 
switch# exit 
cumulus@switch:~

| 3.7.4-3.7.16, 4.0.0-4.4.5 | | @@ -2551,35 +2551,35 @@ pdfhidden: True | [2538294](#2538294)
| If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2538256](#2538256)
| On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets.
| 3.7.2-4.0.1 | 4.1.0-4.4.5| | [2538022](#2538022)
| When you remove an interface from a bridge and add it to a VRF in the same commit/ifreload, the IPv6 link-local address is not created automatically.
To work around this issue, do the change in two separate commits. First, remove the interface from the bridge, which causes it to be a layer 2 interface. Then, enslave the interface to the VRF. | 3.7.2-3.7.8 | 3.7.9-3.7.16| -| [2537819](#2537819)
| When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
| 3.7.2-3.7.16 | 4.0.0-4.4.5| +| [2537819, 2542964](#2537819, 2542964)
| When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
| 3.7.2-3.7.16 | 4.0.0-4.4.5| | [2537699](#2537699)
| There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces: 
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
| 3.7.1-3.7.16, 4.0.0-4.4.5 | | -| [2537544](#2537544)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2537544, 2537365](#2537544, 2537365)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | | [2537536](#2537536)
| When FRR restarts, snmp[err] dev/kmem: Permission denied error messages are recorded in the log file and SNMPd might crash periodically. | 3.7.5-3.7.16 | 4.0.0-4.4.5| | [2537378](#2537378)
| NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.
To work around this issue, stop snmpd, remove the cache file, then restart snmpd.
| 3.7.1-3.7.16 | | | [2537188](#2537188)
| When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.
This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network.
| 3.7.2-3.7.16 | | -| [2537153](#2537153)
| In rare cases, certain IPv6 BGP peers fail to reestablish after switchd restarts. | 3.7.2-3.7.8 | 3.7.9-3.7.16| -| [2537104](#2537104)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | 4.0.0-4.4.5| +| [2537153, 2540994](#2537153, 2540994)
| In rare cases, certain IPv6 BGP peers fail to reestablish after switchd restarts. | 3.7.2-3.7.8 | 3.7.9-3.7.16| +| [2537104, 2534061](#2537104, 2534061)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | 4.0.0-4.4.5| | [2537061](#2537061)
| The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent.
| 3.7.1-4.0.1 | 4.1.0-4.4.5| | [2536650](#2536650)
| Mellanox Spectrum and Helix4 switches occasionally send malformed packets and do not send any flow samples (only counters).
While this issue is fixed for switches with the Spectrum ASIC, this is a [known limitation\|https://docs.cumulusnetworks.com/cumulus-linux/Monitoring-and-Troubleshooting/Network-Troubleshooting/Monitoring-System-Statistics-and-Network-Traffic-with-sFlow/#caveats-and-errata] on this Helix4 platform. | 3.7.0-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5| | [2536639](#2536639)
| On a Dell S4048 switch, when you set the eth0 speed to 100, either with NCLU or by editing the /etc/network/interfaces file, the igb driver crashes, which brings down eth0.
To work around this issue:
* If eth0 is configured in the management VRF, power cycle the switch; the eth0 configuration fails and reverts back to the default (auto-negotiation/1000).
* If eth0 is configured in the default VRF and you power cycle after the crash, igb continues to crash on boot up (before getting to login prompt); power-cycle the switch, select the Advanced option in GRUB to boot to recovery mode, then modify the /etc/network/interfaces file. | 3.7.0-3.7.16 | 4.0.0-4.4.5| | [2536608](#2536608)
| Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI.
| 3.7.0-3.7.16 | | | [2536559](#2536559)
| When deleting an interface using NCLU, if the /etc/network/interfaces alias is different than the /etc/frr/frr.conf description, the net commit command returns the following error: 

 /etc/frr/daemons was modified by another user.

Despite this error, the change is made and the description is removed from the frr.conf file. | 3.7.3-3.7.10 | 3.7.11-3.7.16| | [2536384](#2536384)
| The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | -| [2536230](#2536230)
| On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature.
In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| +| [2536230, 2545399](#2536230, 2545399)
| On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature.
In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| | [2536179](#2536179)
| On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2535986](#2535986)
| At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.
When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2535965](#2535965)
| On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly.
To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2535209](#2535209)
| The net show lldp command sometimes shows the port description in the Remote Port field. The net show interface command shows the correct value in the Remote Host field.
To work around this issue, use net show interface command for LLDP output when connected to Cisco equipment. | 3.7.5-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2534450](#2534450)
| The default BGP instance must be provisioned and always exist for proper operation of dynamic leaking of routes between VRFs. | 3.7.0-3.7.16 | 4.0.0-4.4.5| -| [2528990](#2528990)
| During a link flap test, you might occasionally see a message similar to: warning: swp6: netlink: cannot set link swp6 down: [Errno 98] Address already in use. | 3.7.6-3.7.10 | 3.7.11-3.7.16| +| [2528990, 2523824, 2523824, 2542431](#2528990, 2523824, 2523824, 2542431)
| During a link flap test, you might occasionally see a message similar to: warning: swp6: netlink: cannot set link swp6 down: [Errno 98] Address already in use. | 3.7.6-3.7.10 | 3.7.11-3.7.16| ### Fixed Issues in 3.7.7 | Issue ID | Description | Affects | |--- |--- |--- | | [2542338](#2542338)
| In a typical CLOS network, each leaf is connected to all spine nodes; VXLAN packets follow leaf-spine links. However certain failure scenarios or maintenance activity might result in the MLAG primary switch being isolated from the spine layer (the only available network path is now across the peer link). As a result, the MLAG primary switch fails to transmit VXLAN encapsulated packets out on the peer link. It is also possible for the MLAG secondary switch to be isolated from the spine layer and then the problem is seen on the MLAG secondary switch.
The issue occurs because the Broadcom Trident3 switch does not perform VLAN translation for VXLAN encapsulated packets where the tunnel is not terminated.
To work around this issue, configure the BGP peering on a _new_ VLAN interface (for example, vlan4093) instead of the peer link sub-interface (peerlink.4094).
| 3.7.6 | | -| [2542309](#2542309)
| When all ports are split into 4X on the EdgeCore AS7726 switch, switchd fails to start up and a crash is seen in syslog. | 3.7.5-3.7.6 | | +| [2542309, 2540999](#2542309, 2540999)
| When all ports are split into 4X on the EdgeCore AS7726 switch, switchd fails to start up and a crash is seen in syslog. | 3.7.5-3.7.6 | | | [2541869](#2541869)
| SNMP shows 0 for all swp interfaces in the ifSpeed field (bond interfaces, lo and eth0 are not affected and show a value). | 3.7.6 | | -| [2541805](#2541805)
| The clear bgp command does not support multiple address families. For example, the following command clears IPv6 unicast and ignores IPv4 unicast: 
 
cumulus@switch:~$ clear bgp l2vpn evpn

To clear IPv4 unicast, use the clear ip bgp command. For example, the following command clears IPv4 unicast and ignores IPv6 unicast: 
 
cumulus@switch:~$ clear ip bgp l2vpn evpn
| | | +| [2541805, 2526644](#2541805, 2526644)
| The clear bgp command does not support multiple address families. For example, the following command clears IPv6 unicast and ignores IPv4 unicast: 
 
cumulus@switch:~$ clear bgp l2vpn evpn

To clear IPv4 unicast, use the clear ip bgp command. For example, the following command clears IPv4 unicast and ignores IPv6 unicast: 
 
cumulus@switch:~$ clear ip bgp l2vpn evpn
| | | | [2541791](#2541791)
| In Cumulus Linux 3.7.6 and earlier, ifupdown2 does a string comparison to see if two addresses are the same. In Cumulus Linux 3.7.7, ifupdown2 does an integer comparison. For example, in Cumulus Linux 3.7.6 and earlier, hwaddress 00:00:5e:62:f8:02 and hwaddress 00:00:5e:62:f8:2 are not considered to be equal. In Cumulus Linux 3.7.7 and later, they are considered equal since 2 implies a leading zero. | 3.7.5-3.7.6 | | | [2541761](#2541761)
| A TACACS privilege level 15 user mapped to tacacs15 cannot use net commands even though the user is part of the netedit and/or netshow user group. | 3.7.2-3.7.6 | | | [2541749](#2541749)
| In a highly-scaled environment, while BGP is undergoing initial convergence, watchfrr times out and bgpd stops responding. | 3.7.5-3.7.6 | | @@ -2587,10 +2587,10 @@ pdfhidden: True | [2541654](#2541654)
| On the Dell N3048EP switch, the I2C bus might lock and when you log into the console, you see the following message.
bcm-iproc-i2c 1803b000.i2c: bus is busy
As a result, temperatures cannot be monitored. However, traffic is not affected (links do not go down). | 3.7.6 | | | [2541645](#2541645)
| Received EVPN type-5 routes are not installed into the kernel VRF routing table even though the route appears to be correct. The failure to install the default route makes the rack unreachable from the external world. | 3.7.5-3.7.6 | | | [2541505](#2541505)
| The vtep-ctl list-ports returns ports with the fully qualified domain name of the switch instead of the short hostname. | 3.7.6 | | -| [2541494](#2541494)
| Under certain circumstances (when you reboot or restart the switchd service), a race condition might occur which causes a synchronization issue resulting in hardware misprogramming of the VXLAN tunnel endpoint interface (VTEP). Packets destined out this tunnel are dropped in the egress direction. Packets arriving on this tunnel are dropped in the ingress direction. This is due to a race condition between ASIC and kernel programming that causes the kernel to incorrectly process the link state of a VXLAN interface.
To work around this issue, you can bounce the layer 3 SVI for the affected VRF. For example: 
 
ifdown vlan123 ; sleep 2 ; ifup vlan123

Run the net show vrf vni command to show a mapping of the layer 3 VNI to layer 3 SVI for the VRF.
*Note*: This workaround is not guaranteed because the race condition cannot be always be avoided. | 3.7.4-3.7.6 | | +| [2541494, 2541496](#2541494, 2541496)
| Under certain circumstances (when you reboot or restart the switchd service), a race condition might occur which causes a synchronization issue resulting in hardware misprogramming of the VXLAN tunnel endpoint interface (VTEP). Packets destined out this tunnel are dropped in the egress direction. Packets arriving on this tunnel are dropped in the ingress direction. This is due to a race condition between ASIC and kernel programming that causes the kernel to incorrectly process the link state of a VXLAN interface.
To work around this issue, you can bounce the layer 3 SVI for the affected VRF. For example: 
 
ifdown vlan123 ; sleep 2 ; ifup vlan123

Run the net show vrf vni command to show a mapping of the layer 3 VNI to layer 3 SVI for the VRF.
*Note*: This workaround is not guaranteed because the race condition cannot be always be avoided. | 3.7.4-3.7.6 | | | [2541362](#2541362)
| If you configure bridge-learning off on a host-facing link in a VXLAN/EVPN environment and are using static FDB entries instead, when you turn bridge-learning on and delete those static entries, they are re-learned as expected in the bridge FDB table, however they are not installed into FRR and a log message is recorded in /var/log/frr/frr.log. | 3.7.5 | | -| [2541294](#2541294)
| In an EVPN configuration, the old MAC/IP route is present in the routing table after an IP mobility event. | 3.7.5-3.7.6 | | -| [2541213](#2541213)
| On Trident2 switches, egress double-tagged frames incorrectly use 802.1Q outer ethertype instead of 802.1AD. | 3.7.5-3.7.6 | | +| [2541294, 2541786](#2541294, 2541786)
| In an EVPN configuration, the old MAC/IP route is present in the routing table after an IP mobility event. | 3.7.5-3.7.6 | | +| [2541213, 2541027](#2541213, 2541027)
| On Trident2 switches, egress double-tagged frames incorrectly use 802.1Q outer ethertype instead of 802.1AD. | 3.7.5-3.7.6 | | | [2541134](#2541134)
| On the Broadcom switch, TPID programming is not reset when there is a configuration change. As a result, you see unexpected packet drops. | | | | [2541107](#2541107)
| The poectl -j command output does not show the correct port numbering in JSON; it is off by one. | 3.7.6 | | | [2541095](#2541095)
| The RADIUS AAA client does the source IP address bind first, then the setsockopt VRF, which causes a failure due to a kernel check for an address mismatch with the VRF. | 3.7.4-3.7.6 | | @@ -2616,9 +2616,9 @@ pdfhidden: True | [2538910](#2538910)
| In a layer 2 VXLAN configuration, where each ECMP path is a layer 3 LACP bond with multiple port members, ECMP hash appears fine for data traffic over VXLAN from one VTEP to another, but the LACP hash is unbalanced. | 3.7.1-3.7.6 | | | [2538756](#2538756)
| When you flap a VNI with ifdown vni and ifup vni, the value of all MTUs for the SVI lowers to 1500 regardless of the default value set in the /etc/network/ifupdown2/policy.d/mtu.json file. This behavior does not occur if you flap the link with ip link set vni down. | 3.7.2-3.7.6 | | | [2537806](#2537806)
| Bridging ISIS traffic fails because layer 2 cache rules forward ISIS traffic to the CPU, where it is then dropped.
To work around this issue, contact Customer Support. | 3.7.2-3.7.6 | | -| [2536266](#2536266)
| When a VXLAN SVI transitions to a non-VXLAN SVI, the associated VRRP MAC addresses are not removed. After the transition happens, the removal fails as the VXLAN context is lost and you see the following switchd error: 
 
2018-09-06T20:38:20.682916+00:00 dell-s6010-01 switchd[5445]: hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 224 mac: 00:00:5e:00:01:01 (-7) 
2018-09-06T20:38:20.686105+00:00 dell-s6010-01 switchd[5445]: hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 223 mac: 00:00:5e:00:01:01 (-7) 
2018-09-06T20:38:20.773581+00:00 dell-s6010-01 switchd[5445]: hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 112 mac: 00:00:5e:00:01:01 (-7) 
2018-09-06T20:38:20.776986+00:00 dell-s6010-01 switchd[5445]: hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 111 mac: 00:00:5e:00:01:01 (-7)
| 3.7.5-3.7.6 | | +| [2536266, 2535677](#2536266, 2535677)
| When a VXLAN SVI transitions to a non-VXLAN SVI, the associated VRRP MAC addresses are not removed. After the transition happens, the removal fails as the VXLAN context is lost and you see the following switchd error: 
 
2018-09-06T20:38:20.682916+00:00 dell-s6010-01 switchd[5445]: hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 224 mac: 00:00:5e:00:01:01 (-7) 
2018-09-06T20:38:20.686105+00:00 dell-s6010-01 switchd[5445]: hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 223 mac: 00:00:5e:00:01:01 (-7) 
2018-09-06T20:38:20.773581+00:00 dell-s6010-01 switchd[5445]: hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 112 mac: 00:00:5e:00:01:01 (-7) 
2018-09-06T20:38:20.776986+00:00 dell-s6010-01 switchd[5445]: hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 111 mac: 00:00:5e:00:01:01 (-7)
| 3.7.5-3.7.6 | | | [2535795](#2535795)
| The Trident3 switch does not send out sflow flow samples; only counter samples are sent. | 3.7.6 | | -| [2534134](#2534134)
| During system boot, Cumulus Linux reads the /etc/cumulus/ports.conf file to obtain the port speed. The port speed is programmed into the ASIC and synchronized to the kernel. After system boot, the kernel speed shows correctly as it matches the ASIC speed that is derived from the /etc/cumulus/ports.conf file and the cable type. However, if you restart switchd without rebooting the system, switchd synchronizes the speed from the kernel and uses it to program the ASIC. When you change the port speed in the /etc/cumulus/ports.conf file to ether a higher or lower speed (for example from 100G to 40G or from 40G to 100G) and the attached cable can support both speeds, the pre-existing speed is synchronized from the kernel. Consequently, the kernel speed remains at the pre-existing (incorrect) speed. | | | +| [2534134, 2534640, 2539619](#2534134, 2534640, 2539619)
| During system boot, Cumulus Linux reads the /etc/cumulus/ports.conf file to obtain the port speed. The port speed is programmed into the ASIC and synchronized to the kernel. After system boot, the kernel speed shows correctly as it matches the ASIC speed that is derived from the /etc/cumulus/ports.conf file and the cable type. However, if you restart switchd without rebooting the system, switchd synchronizes the speed from the kernel and uses it to program the ASIC. When you change the port speed in the /etc/cumulus/ports.conf file to ether a higher or lower speed (for example from 100G to 40G or from 40G to 100G) and the attached cable can support both speeds, the pre-existing speed is synchronized from the kernel. Consequently, the kernel speed remains at the pre-existing (incorrect) speed. | | | | [2534100](#2534100)
| The clagd process might occasionally leak memory, eventually crash, and then restart. During this time, traffic flows over this switch are impacted temporarily. The /var/log/clagd.log file shows a message similar to the following: 
 
 clagd[1824]: OSError: [Errno 12] Cannot allocate memory
| | | | [2532924](#2532924)
| The NetQ agent is bundled with Cumulus VX 3.4.3 and later; however, the NetQ agent is not bundled with Cumulus Linux 3.4.3 and later. The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bundled with Cumulus Linux in a future release. | 3.7.0-3.7.6 | | | [2528678](#2528678)
| On Dell S6000 switches, switchd CPU utilization is high (50% and above) even when there is no configuration and it is idle. | | | @@ -2671,7 +2671,7 @@ pdfhidden: True | [2543044](#2543044)
| Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up.
You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up. | 3.7.2-3.7.16 | 4.0.0-4.4.5| | [2542945](#2542945)
| On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags.
To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad: 

cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2542913](#2542913)
| IF-MIB::ifHCInOctets reports significantly lower values than reported by interface counters seen elsewhere. | 3.7.6-3.7.16 | 4.0.0-4.4.5| -| [2542871](#2542871)
| After you issue the NCLU net del bgp vrf autonomous-system command and commit the change, Cumulus Linux does not remove the configuration from the /etc/frr/frr.conf file or the net show config commands.
| 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| +| [2542871, 2542901, 2542901](#2542871, 2542901, 2542901)
| After you issue the NCLU net del bgp vrf autonomous-system command and commit the change, Cumulus Linux does not remove the configuration from the /etc/frr/frr.conf file or the net show config commands.
| 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| | [2542853](#2542853)
| For interfaces configured with RS FEC, when switchd is restarted, the link goes down but does not automatically come back up. This occurs because the FEC status is not replayed correctly into the kernel.
To work around this issue, run the ifreload -a command to bring up the interface after switchd is restarted. | 3.7.6-3.7.8 | 3.7.9-3.7.16| | [2542837](#2542837)
| On Mellanox switches, policer iptables are not working as expected. For example, when using a policer with mode KB/MB/GB to rate-limit interfaces, the syntax is accepted but the data plane transfer speed is not affected by the rule. | 3.7.6-3.7.8, 4.0.0-4.4.5 | 3.7.9-3.7.16| | [2542835](#2542835)
| snmpd fails because NCLU does not remove agentaddress @vrf lines when running the net add snmp-server listening-address all command. | 3.7.4-3.7.16 | 4.0.0-4.4.5| @@ -2687,8 +2687,8 @@ pdfhidden: True | [2542365](#2542365)
| The snmpd service frequently crashes due to double free or corruption. | 3.7.6-3.7.8 | 3.7.9-3.7.16| | [2542338](#2542338)
| In a typical CLOS network, each leaf is connected to all spine nodes; VXLAN packets follow leaf-spine links. However certain failure scenarios or maintenance activity might result in the MLAG primary switch being isolated from the spine layer (the only available network path is now across the peer link). As a result, the MLAG primary switch fails to transmit VXLAN encapsulated packets out on the peer link. It is also possible for the MLAG secondary switch to be isolated from the spine layer and then the problem is seen on the MLAG secondary switch.
The issue occurs because the Broadcom Trident3 switch does not perform VLAN translation for VXLAN encapsulated packets where the tunnel is not terminated.
To work around this issue, configure the BGP peering on a _new_ VLAN interface (for example, vlan4093) instead of the peer link sub-interface (peerlink.4094).
| 3.7.6 | 3.7.7-3.7.16, 4.0.0-4.4.5| | [2542336](#2542336)
| On the Mellanox SN2410 switch, switchd does not start. | 3.7.2-3.7.8 | 3.7.9-3.7.16| -| [2542310](#2542310)
| hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6.
| 3.7.6-3.7.16 | | -| [2542309](#2542309)
| When all ports are split into 4X on the EdgeCore AS7726 switch, switchd fails to start up and a crash is seen in syslog. | 3.7.5-3.7.6 | 3.7.7-3.7.16| +| [2542310, 2523456](#2542310, 2523456)
| hsflow disregards the setting for agent.cidr in the /etc/hsflowd.conf file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the hsflow payload shows IPv6.
| 3.7.6-3.7.16 | | +| [2542309, 2540999](#2542309, 2540999)
| When all ports are split into 4X on the EdgeCore AS7726 switch, switchd fails to start up and a crash is seen in syslog. | 3.7.5-3.7.6 | 3.7.7-3.7.16| | [2542305](#2542305)
| If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2542301](#2542301)
| When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2542297](#2542297)
| When you run the NCLU net del all command, the exec-timeout setting changes in the /etc/frr.frr.conf file. | 3.7.6-3.7.8 | 3.7.9-3.7.16| @@ -2706,9 +2706,9 @@ pdfhidden: True | [2541645](#2541645)
| Received EVPN type-5 routes are not installed into the kernel VRF routing table even though the route appears to be correct. The failure to install the default route makes the rack unreachable from the external world. | 3.7.5-3.7.16 | | | [2541604](#2541604)
| The snmpd service exits with a message similar to the following: 
 
Error in '/usr/sbin/snmpd': double free or corruption (fasttop): 0x00000000018a4e50 ***

This problem might occur during or after network convergence events. For example, when bgpd needs to process a high number of updates and the CPU cannot keep up, bgpd is disconnected and agentx generates a core dump in snmpd due to a memory allocation problem.
To work around this issue, disable agentx by commenting out the following lines in the /etc/snmp/snmpd.conf file. Then, restart the snmpd service with the systemctl restart snmpd command. 
 
agentxperms 777 777 snmp snmp 
agentxsocket /var/agentx/master

If you still want to poll the BGP4-MIB information, re-enable the bgp pass persist script by adding the following line in the /etc/snmp/snmpd.conf file: 
 
pass_persist 1.3.6.1.2.1.15 /usr/share/snmp/bgp4_pp.py
| 3.7.2-3.7.8 | 3.7.9-3.7.16| | [2541505](#2541505)
| The vtep-ctl list-ports returns ports with the fully qualified domain name of the switch instead of the short hostname. | 3.7.6 | 3.7.7-3.7.16| -| [2541494](#2541494)
| Under certain circumstances (when you reboot or restart the switchd service), a race condition might occur which causes a synchronization issue resulting in hardware misprogramming of the VXLAN tunnel endpoint interface (VTEP). Packets destined out this tunnel are dropped in the egress direction. Packets arriving on this tunnel are dropped in the ingress direction. This is due to a race condition between ASIC and kernel programming that causes the kernel to incorrectly process the link state of a VXLAN interface.
To work around this issue, you can bounce the layer 3 SVI for the affected VRF. For example: 
 
ifdown vlan123 ; sleep 2 ; ifup vlan123

Run the net show vrf vni command to show a mapping of the layer 3 VNI to layer 3 SVI for the VRF.
*Note*: This workaround is not guaranteed because the race condition cannot be always be avoided. | 3.7.4-3.7.16 | | -| [2541294](#2541294)
| In an EVPN configuration, the old MAC/IP route is present in the routing table after an IP mobility event. | 3.7.5-3.7.16 | | -| [2541213](#2541213)
| On Trident2 switches, egress double-tagged frames incorrectly use 802.1Q outer ethertype instead of 802.1AD. | 3.7.5-3.7.6 | 3.7.7-3.7.16| +| [2541494, 2541496](#2541494, 2541496)
| Under certain circumstances (when you reboot or restart the switchd service), a race condition might occur which causes a synchronization issue resulting in hardware misprogramming of the VXLAN tunnel endpoint interface (VTEP). Packets destined out this tunnel are dropped in the egress direction. Packets arriving on this tunnel are dropped in the ingress direction. This is due to a race condition between ASIC and kernel programming that causes the kernel to incorrectly process the link state of a VXLAN interface.
To work around this issue, you can bounce the layer 3 SVI for the affected VRF. For example: 
 
ifdown vlan123 ; sleep 2 ; ifup vlan123

Run the net show vrf vni command to show a mapping of the layer 3 VNI to layer 3 SVI for the VRF.
*Note*: This workaround is not guaranteed because the race condition cannot be always be avoided. | 3.7.4-3.7.16 | | +| [2541294, 2541786](#2541294, 2541786)
| In an EVPN configuration, the old MAC/IP route is present in the routing table after an IP mobility event. | 3.7.5-3.7.16 | | +| [2541213, 2541027](#2541213, 2541027)
| On Trident2 switches, egress double-tagged frames incorrectly use 802.1Q outer ethertype instead of 802.1AD. | 3.7.5-3.7.6 | 3.7.7-3.7.16| | [2541212](#2541212)
| The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2541165](#2541165)
| On the Dell N3048EP-ON switch, UPOE is supported only on ports 1 thru 12. (UPOE uses all four pairs of standard Ethernet cabling whereas PoE delivers power over two twisted pairs.) When you plug a UPOE device in a port higher than port 12, poectl reports that four_pair_mode_enabled is true. However, this configuration is not supported on the port so poectl should report that four_pair_mode_enabled is false.
| 3.7.6-3.7.16 | | | [2541107](#2541107)
| The poectl -j command output does not show the correct port numbering in JSON; it is off by one. | 3.7.6 | 3.7.7-3.7.16| @@ -2730,12 +2730,12 @@ pdfhidden: True | [2540557](#2540557)
| On Trident3 switches, transit packets larger than 1500 bytes(DF) routed between SVIs is unexpectedly forwarded to the CPU even when the MTU is greater than 9000. This severely limits throughput for routed jumbo frames as packets arriving at a high interval are dropped to the CPU. | 3.7.0-3.7.16 | | | [2540464](#2540464)
| If you have dynamic route leaking configured between any two VRFs and the BGP instance for the default VRF is not defined, removing an import vrf statement crashes bgpd. This occurs even if neither of the leaking VRFs are the default VRF. | 3.7.4-3.7.6 | 3.7.7-3.7.16| | [2540444](#2540444)
| SNMP incorrectly requires engine ID specification.
| 3.7.4-3.7.16, 4.0.0-4.4.5 | | -| [2540359](#2540359)
| bgpd creates a core dump at zclient_send_interface_radv_req. This is an issue with how FRRouting checks next hops and has been pushed upstream to FRRouting. | 3.7.6-3.7.8 | 3.7.9-3.7.16| +| [2540359, 2540806](#2540359, 2540806)
| bgpd creates a core dump at zclient_send_interface_radv_req. This is an issue with how FRRouting checks next hops and has been pushed upstream to FRRouting. | 3.7.6-3.7.8 | 3.7.9-3.7.16| | [2540352](#2540352)
| When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a _match interface_ condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9 
net add routing route-map Proxy-ARP permit 30 match interface swp10

| 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2540340](#2540340)
| NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example: 
 
 cumulus@switch:~$ net add vrf mgmt

Tab completion for the net add vrf ip address
command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540274](#2540274)
| On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2540268](#2540268)
| An incorrect readout of the optical transceiver high temperature alarm threshold (read as 17 degrees centigrade), disables a 100G optical module on Mellanox Spectrum switches. | 3.7.2-3.7.6 | 3.7.7-3.7.16| -| [2540204](#2540204)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540204, 2713883](#2540204, 2713883)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540192](#2540192)
| The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540155](#2540155)
| On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2540042](#2540042)
| When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example: 
 
cumulus@switch:~$ sudo vtysh 
switch# configure terminal 
switch(config)# interface br0.100 
switch(config-if)# vrrp 1 priority 110 
switch(config-if)# vrrp 1 advertisement-interval 
switch(config-if)# end 
switch# write memory 
switch# exit 
cumulus@switch:~

| 3.7.4-3.7.16, 4.0.0-4.4.5 | | @@ -2767,23 +2767,23 @@ pdfhidden: True | [2538294](#2538294)
| If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2538256](#2538256)
| On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets.
| 3.7.2-4.0.1 | 4.1.0-4.4.5| | [2538022](#2538022)
| When you remove an interface from a bridge and add it to a VRF in the same commit/ifreload, the IPv6 link-local address is not created automatically.
To work around this issue, do the change in two separate commits. First, remove the interface from the bridge, which causes it to be a layer 2 interface. Then, enslave the interface to the VRF. | 3.7.2-3.7.8 | 3.7.9-3.7.16| -| [2537819](#2537819)
| When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
| 3.7.2-3.7.16 | 4.0.0-4.4.5| +| [2537819, 2542964](#2537819, 2542964)
| When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
| 3.7.2-3.7.16 | 4.0.0-4.4.5| | [2537806](#2537806)
| Bridging ISIS traffic fails because layer 2 cache rules forward ISIS traffic to the CPU, where it is then dropped.
To work around this issue, contact Customer Support. | 3.7.2-3.7.6 | 3.7.7-3.7.16| | [2537699](#2537699)
| There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces: 
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
| 3.7.1-3.7.16, 4.0.0-4.4.5 | | -| [2537544](#2537544)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2537544, 2537365](#2537544, 2537365)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | | [2537536](#2537536)
| When FRR restarts, snmp[err] dev/kmem: Permission denied error messages are recorded in the log file and SNMPd might crash periodically. | 3.7.5-3.7.16 | 4.0.0-4.4.5| | [2537378](#2537378)
| NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.
To work around this issue, stop snmpd, remove the cache file, then restart snmpd.
| 3.7.1-3.7.16 | | | [2537188](#2537188)
| When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.
This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network.
| 3.7.2-3.7.16 | | -| [2537153](#2537153)
| In rare cases, certain IPv6 BGP peers fail to reestablish after switchd restarts. | 3.7.2-3.7.8 | 3.7.9-3.7.16| -| [2537104](#2537104)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | 4.0.0-4.4.5| +| [2537153, 2540994](#2537153, 2540994)
| In rare cases, certain IPv6 BGP peers fail to reestablish after switchd restarts. | 3.7.2-3.7.8 | 3.7.9-3.7.16| +| [2537104, 2534061](#2537104, 2534061)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | 4.0.0-4.4.5| | [2537061](#2537061)
| The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent.
| 3.7.1-4.0.1 | 4.1.0-4.4.5| | [2536650](#2536650)
| Mellanox Spectrum and Helix4 switches occasionally send malformed packets and do not send any flow samples (only counters).
While this issue is fixed for switches with the Spectrum ASIC, this is a [known limitation\|https://docs.cumulusnetworks.com/cumulus-linux/Monitoring-and-Troubleshooting/Network-Troubleshooting/Monitoring-System-Statistics-and-Network-Traffic-with-sFlow/#caveats-and-errata] on this Helix4 platform. | 3.7.0-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5| | [2536639](#2536639)
| On a Dell S4048 switch, when you set the eth0 speed to 100, either with NCLU or by editing the /etc/network/interfaces file, the igb driver crashes, which brings down eth0.
To work around this issue:
* If eth0 is configured in the management VRF, power cycle the switch; the eth0 configuration fails and reverts back to the default (auto-negotiation/1000).
* If eth0 is configured in the default VRF and you power cycle after the crash, igb continues to crash on boot up (before getting to login prompt); power-cycle the switch, select the Advanced option in GRUB to boot to recovery mode, then modify the /etc/network/interfaces file. | 3.7.0-3.7.16 | 4.0.0-4.4.5| | [2536608](#2536608)
| Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI.
| 3.7.0-3.7.16 | | | [2536559](#2536559)
| When deleting an interface using NCLU, if the /etc/network/interfaces alias is different than the /etc/frr/frr.conf description, the net commit command returns the following error: 

 /etc/frr/daemons was modified by another user.

Despite this error, the change is made and the description is removed from the frr.conf file. | 3.7.3-3.7.10 | 3.7.11-3.7.16| | [2536384](#2536384)
| The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | -| [2536266](#2536266)
| When a VXLAN SVI transitions to a non-VXLAN SVI, the associated VRRP MAC addresses are not removed. After the transition happens, the removal fails as the VXLAN context is lost and you see the following switchd error: 
 
2018-09-06T20:38:20.682916+00:00 dell-s6010-01 switchd[5445]: hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 224 mac: 00:00:5e:00:01:01 (-7) 
2018-09-06T20:38:20.686105+00:00 dell-s6010-01 switchd[5445]: hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 223 mac: 00:00:5e:00:01:01 (-7) 
2018-09-06T20:38:20.773581+00:00 dell-s6010-01 switchd[5445]: hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 112 mac: 00:00:5e:00:01:01 (-7) 
2018-09-06T20:38:20.776986+00:00 dell-s6010-01 switchd[5445]: hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 111 mac: 00:00:5e:00:01:01 (-7)
| 3.7.5-3.7.6 | 3.7.7-3.7.16| -| [2536230](#2536230)
| On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature.
In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| +| [2536266, 2535677](#2536266, 2535677)
| When a VXLAN SVI transitions to a non-VXLAN SVI, the associated VRRP MAC addresses are not removed. After the transition happens, the removal fails as the VXLAN context is lost and you see the following switchd error: 
 
2018-09-06T20:38:20.682916+00:00 dell-s6010-01 switchd[5445]: hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 224 mac: 00:00:5e:00:01:01 (-7) 
2018-09-06T20:38:20.686105+00:00 dell-s6010-01 switchd[5445]: hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 223 mac: 00:00:5e:00:01:01 (-7) 
2018-09-06T20:38:20.773581+00:00 dell-s6010-01 switchd[5445]: hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 112 mac: 00:00:5e:00:01:01 (-7) 
2018-09-06T20:38:20.776986+00:00 dell-s6010-01 switchd[5445]: hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 111 mac: 00:00:5e:00:01:01 (-7)
| 3.7.5-3.7.6 | 3.7.7-3.7.16| +| [2536230, 2545399](#2536230, 2545399)
| On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature.
In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| | [2536179](#2536179)
| On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2535986](#2535986)
| At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.
When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2535965](#2535965)
| On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly.
To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | @@ -2791,7 +2791,7 @@ pdfhidden: True | [2535209](#2535209)
| The net show lldp command sometimes shows the port description in the Remote Port field. The net show interface command shows the correct value in the Remote Host field.
To work around this issue, use net show interface command for LLDP output when connected to Cisco equipment. | 3.7.5-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2534450](#2534450)
| The default BGP instance must be provisioned and always exist for proper operation of dynamic leaking of routes between VRFs. | 3.7.0-3.7.16 | 4.0.0-4.4.5| | [2532924](#2532924)
| The NetQ agent is bundled with Cumulus VX 3.4.3 and later; however, the NetQ agent is not bundled with Cumulus Linux 3.4.3 and later. The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bundled with Cumulus Linux in a future release. | 3.7.0-3.7.6 | 3.7.7-3.7.16| -| [2528990](#2528990)
| During a link flap test, you might occasionally see a message similar to: warning: swp6: netlink: cannot set link swp6 down: [Errno 98] Address already in use. | 3.7.6-3.7.10 | 3.7.11-3.7.16| +| [2528990, 2523824, 2523824, 2542431](#2528990, 2523824, 2523824, 2542431)
| During a link flap test, you might occasionally see a message similar to: warning: swp6: netlink: cannot set link swp6 down: [Errno 98] Address already in use. | 3.7.6-3.7.10 | 3.7.11-3.7.16| ### Fixed Issues in 3.7.6 | Issue ID | Description | Affects | @@ -2844,22 +2844,22 @@ pdfhidden: True | [2543113](#2543113)
| NCLU restarts FRR when attempting to remove a BGP VRF stanza. This happens regardless of whether the VRF is valid/configured elsewhere on the switch or the removal is successful. To work around this issue, remove the stanza using vtysh.
| 3.7.3-3.7.16 | 4.0.0-4.4.5| | [2543052](#2543052)
| Received EVPN type-5 and type-2 MACIP routes are not installed in the kernel (and hardware) routing tables for the associated VRF, which causes traffic to be blackholed. The failure to install the default route causes complete reachability failure for the particular tenant on the affected racks. The routes that are not installed are seen as "inactive" in the routing subsystem (FRR) VRF routing table. This problem is rare and can occur only in EVPN configurations that have user-configured route targets (RTs) for tenant VRFs, and only following a restart of FRR.
To work around this issue, either restart the FRR service on the affected switch with the sudo systemctl restart frr.service command or bounce the layer 3 SVI for the affected VRF; for example:

ifdown vlan123 ; sleep 2 ; ifup vlan123

You can run the net show vrf vni command to print a mapping of VRF : L3-VNI : L3-SVI. | 3.7.5-3.7.16 | 4.0.0-4.4.5| | [2543044](#2543044)
| Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up.
You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up. | 3.7.2-3.7.16 | 4.0.0-4.4.5| -| [2542871](#2542871)
| After you issue the NCLU net del bgp vrf autonomous-system command and commit the change, Cumulus Linux does not remove the configuration from the /etc/frr/frr.conf file or the net show config commands.
| 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| +| [2542871, 2542901, 2542901](#2542871, 2542901, 2542901)
| After you issue the NCLU net del bgp vrf autonomous-system command and commit the change, Cumulus Linux does not remove the configuration from the /etc/frr/frr.conf file or the net show config commands.
| 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| | [2542835](#2542835)
| snmpd fails because NCLU does not remove agentaddress @vrf lines when running the net add snmp-server listening-address all command. | 3.7.4-3.7.16 | 4.0.0-4.4.5| | [2542823](#2542823)
| On the Broadcom Trident 3 switch, VXLAN encapsulated packets are dropped on the ingress port (tagged layer 2 port) during transit forwarding (the local switch does not terminate the VXLAN tunnel). An example of where this two-layer VXLAN inside VXLAN encapsulation might occur:
- VXLAN tunnel (#1) between two servers (different racks) to provide layer 2 extension for containers or VM hosts.
- VXLAN tunnel (#2) between the TOR switch in rack 1 to the TOR switch located in the remote rack.

To work around this issue, either:
- Configure the edge port (facing the servers) to be an access port (instead of a trunk/tagged port)
- Change the destination port from 4789 to something else (VXLAN tunnel terminated by the servers) | 3.7.5-3.7.11, 4.0.0-4.0.1 | 3.7.12-3.7.16, 4.1.0-4.4.5| | [2542726](#2542726)
| After configuring switchd hal.bcm.per_vlan_router_mac_lookup to TRUE on a Broadcom switch, layer 2 traffic works over VXLAN but the host is not able to ping the locally connected gateway and loses routing ability to other IPs and subnets. | 3.7.5-3.7.8 | 3.7.9-3.7.16| | [2542336](#2542336)
| On the Mellanox SN2410 switch, switchd does not start. | 3.7.2-3.7.8 | 3.7.9-3.7.16| -| [2542309](#2542309)
| When all ports are split into 4X on the EdgeCore AS7726 switch, switchd fails to start up and a crash is seen in syslog. | 3.7.5-3.7.6 | 3.7.7-3.7.16| +| [2542309, 2540999](#2542309, 2540999)
| When all ports are split into 4X on the EdgeCore AS7726 switch, switchd fails to start up and a crash is seen in syslog. | 3.7.5-3.7.6 | 3.7.7-3.7.16| | [2542301](#2542301)
| When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2541791](#2541791)
| In Cumulus Linux 3.7.6 and earlier, ifupdown2 does a string comparison to see if two addresses are the same. In Cumulus Linux 3.7.7, ifupdown2 does an integer comparison. For example, in Cumulus Linux 3.7.6 and earlier, hwaddress 00:00:5e:62:f8:02 and hwaddress 00:00:5e:62:f8:2 are not considered to be equal. In Cumulus Linux 3.7.7 and later, they are considered equal since 2 implies a leading zero. | 3.7.5-3.7.6 | 3.7.7-3.7.16| | [2541761](#2541761)
| A TACACS privilege level 15 user mapped to tacacs15 cannot use net commands even though the user is part of the netedit and/or netshow user group. | 3.7.2-3.7.6 | 3.7.7-3.7.16| | [2541749](#2541749)
| In a highly-scaled environment, while BGP is undergoing initial convergence, watchfrr times out and bgpd stops responding. | 3.7.5-3.7.6 | 3.7.7-3.7.16| | [2541645](#2541645)
| Received EVPN type-5 routes are not installed into the kernel VRF routing table even though the route appears to be correct. The failure to install the default route makes the rack unreachable from the external world. | 3.7.5-3.7.16 | | | [2541604](#2541604)
| The snmpd service exits with a message similar to the following: 
 
Error in '/usr/sbin/snmpd': double free or corruption (fasttop): 0x00000000018a4e50 ***

This problem might occur during or after network convergence events. For example, when bgpd needs to process a high number of updates and the CPU cannot keep up, bgpd is disconnected and agentx generates a core dump in snmpd due to a memory allocation problem.
To work around this issue, disable agentx by commenting out the following lines in the /etc/snmp/snmpd.conf file. Then, restart the snmpd service with the systemctl restart snmpd command. 
 
agentxperms 777 777 snmp snmp 
agentxsocket /var/agentx/master

If you still want to poll the BGP4-MIB information, re-enable the bgp pass persist script by adding the following line in the /etc/snmp/snmpd.conf file: 
 
pass_persist 1.3.6.1.2.1.15 /usr/share/snmp/bgp4_pp.py
| 3.7.2-3.7.8 | 3.7.9-3.7.16| -| [2541494](#2541494)
| Under certain circumstances (when you reboot or restart the switchd service), a race condition might occur which causes a synchronization issue resulting in hardware misprogramming of the VXLAN tunnel endpoint interface (VTEP). Packets destined out this tunnel are dropped in the egress direction. Packets arriving on this tunnel are dropped in the ingress direction. This is due to a race condition between ASIC and kernel programming that causes the kernel to incorrectly process the link state of a VXLAN interface.
To work around this issue, you can bounce the layer 3 SVI for the affected VRF. For example: 
 
ifdown vlan123 ; sleep 2 ; ifup vlan123

Run the net show vrf vni command to show a mapping of the layer 3 VNI to layer 3 SVI for the VRF.
*Note*: This workaround is not guaranteed because the race condition cannot be always be avoided. | 3.7.4-3.7.16 | | +| [2541494, 2541496](#2541494, 2541496)
| Under certain circumstances (when you reboot or restart the switchd service), a race condition might occur which causes a synchronization issue resulting in hardware misprogramming of the VXLAN tunnel endpoint interface (VTEP). Packets destined out this tunnel are dropped in the egress direction. Packets arriving on this tunnel are dropped in the ingress direction. This is due to a race condition between ASIC and kernel programming that causes the kernel to incorrectly process the link state of a VXLAN interface.
To work around this issue, you can bounce the layer 3 SVI for the affected VRF. For example: 
 
ifdown vlan123 ; sleep 2 ; ifup vlan123

Run the net show vrf vni command to show a mapping of the layer 3 VNI to layer 3 SVI for the VRF.
*Note*: This workaround is not guaranteed because the race condition cannot be always be avoided. | 3.7.4-3.7.16 | | | [2541362](#2541362)
| If you configure bridge-learning off on a host-facing link in a VXLAN/EVPN environment and are using static FDB entries instead, when you turn bridge-learning on and delete those static entries, they are re-learned as expected in the bridge FDB table, however they are not installed into FRR and a log message is recorded in /var/log/frr/frr.log. | 3.7.5 | 3.7.6-3.7.16| -| [2541294](#2541294)
| In an EVPN configuration, the old MAC/IP route is present in the routing table after an IP mobility event. | 3.7.5-3.7.16 | | -| [2541213](#2541213)
| On Trident2 switches, egress double-tagged frames incorrectly use 802.1Q outer ethertype instead of 802.1AD. | 3.7.5-3.7.6 | 3.7.7-3.7.16| +| [2541294, 2541786](#2541294, 2541786)
| In an EVPN configuration, the old MAC/IP route is present in the routing table after an IP mobility event. | 3.7.5-3.7.16 | | +| [2541213, 2541027](#2541213, 2541027)
| On Trident2 switches, egress double-tagged frames incorrectly use 802.1Q outer ethertype instead of 802.1AD. | 3.7.5-3.7.6 | 3.7.7-3.7.16| | [2541212](#2541212)
| The maximum-prefix configuration under the IPv4 address family has an optional restart value, which you can configure. This configuration is ignored and, instead of restarting the sessions every x minutes, the peer constantly changes between established and idle due to the prefix count being exceeded. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2541095](#2541095)
| The RADIUS AAA client does the source IP address bind first, then the setsockopt VRF, which causes a failure due to a kernel check for an address mismatch with the VRF. | 3.7.4-3.7.6 | 3.7.7-3.7.16| | [2541090](#2541090)
| The dhcrelay service crashes when the DHCP relay packet comes back from the server. To work around this issue, remove the --nl flag from the dhcrelay service. | 3.7.3-3.7.6 | 3.7.7-3.7.16| @@ -2890,7 +2890,7 @@ pdfhidden: True | [2540274](#2540274)
| On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2540268](#2540268)
| An incorrect readout of the optical transceiver high temperature alarm threshold (read as 17 degrees centigrade), disables a 100G optical module on Mellanox Spectrum switches. | 3.7.2-3.7.6 | 3.7.7-3.7.16| | [2540254](#2540254)
| In an EVPN centralized routing deployment, the border leaf sends out incorrect packets when flapping the VLAN interface. | 3.7.2-3.7.5 | 3.7.6-3.7.16| -| [2540204](#2540204)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540204, 2713883](#2540204, 2713883)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540192](#2540192)
| The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540155](#2540155)
| On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2540122](#2540122)
| The snmpd daemon sometimes crashes with the error Unknown operation 6 in agentx_got_response. | 3.7.2-3.7.5 | 3.7.6-3.7.16| @@ -2924,23 +2924,23 @@ pdfhidden: True | [2538294](#2538294)
| If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2538256](#2538256)
| On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets.
| 3.7.2-4.0.1 | 4.1.0-4.4.5| | [2538022](#2538022)
| When you remove an interface from a bridge and add it to a VRF in the same commit/ifreload, the IPv6 link-local address is not created automatically.
To work around this issue, do the change in two separate commits. First, remove the interface from the bridge, which causes it to be a layer 2 interface. Then, enslave the interface to the VRF. | 3.7.2-3.7.8 | 3.7.9-3.7.16| -| [2537819](#2537819)
| When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
| 3.7.2-3.7.16 | 4.0.0-4.4.5| +| [2537819, 2542964](#2537819, 2542964)
| When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
| 3.7.2-3.7.16 | 4.0.0-4.4.5| | [2537806](#2537806)
| Bridging ISIS traffic fails because layer 2 cache rules forward ISIS traffic to the CPU, where it is then dropped.
To work around this issue, contact Customer Support. | 3.7.2-3.7.6 | 3.7.7-3.7.16| | [2537699](#2537699)
| There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces: 
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
| 3.7.1-3.7.16, 4.0.0-4.4.5 | | -| [2537544](#2537544)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2537544, 2537365](#2537544, 2537365)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | | [2537536](#2537536)
| When FRR restarts, snmp[err] dev/kmem: Permission denied error messages are recorded in the log file and SNMPd might crash periodically. | 3.7.5-3.7.16 | 4.0.0-4.4.5| | [2537378](#2537378)
| NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.
To work around this issue, stop snmpd, remove the cache file, then restart snmpd.
| 3.7.1-3.7.16 | | | [2537188](#2537188)
| When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.
This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network.
| 3.7.2-3.7.16 | | -| [2537153](#2537153)
| In rare cases, certain IPv6 BGP peers fail to reestablish after switchd restarts. | 3.7.2-3.7.8 | 3.7.9-3.7.16| -| [2537104](#2537104)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | 4.0.0-4.4.5| +| [2537153, 2540994](#2537153, 2540994)
| In rare cases, certain IPv6 BGP peers fail to reestablish after switchd restarts. | 3.7.2-3.7.8 | 3.7.9-3.7.16| +| [2537104, 2534061](#2537104, 2534061)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | 4.0.0-4.4.5| | [2537061](#2537061)
| The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent.
| 3.7.1-4.0.1 | 4.1.0-4.4.5| | [2536650](#2536650)
| Mellanox Spectrum and Helix4 switches occasionally send malformed packets and do not send any flow samples (only counters).
While this issue is fixed for switches with the Spectrum ASIC, this is a [known limitation\|https://docs.cumulusnetworks.com/cumulus-linux/Monitoring-and-Troubleshooting/Network-Troubleshooting/Monitoring-System-Statistics-and-Network-Traffic-with-sFlow/#caveats-and-errata] on this Helix4 platform. | 3.7.0-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5| | [2536639](#2536639)
| On a Dell S4048 switch, when you set the eth0 speed to 100, either with NCLU or by editing the /etc/network/interfaces file, the igb driver crashes, which brings down eth0.
To work around this issue:
* If eth0 is configured in the management VRF, power cycle the switch; the eth0 configuration fails and reverts back to the default (auto-negotiation/1000).
* If eth0 is configured in the default VRF and you power cycle after the crash, igb continues to crash on boot up (before getting to login prompt); power-cycle the switch, select the Advanced option in GRUB to boot to recovery mode, then modify the /etc/network/interfaces file. | 3.7.0-3.7.16 | 4.0.0-4.4.5| | [2536608](#2536608)
| Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI.
| 3.7.0-3.7.16 | | | [2536559](#2536559)
| When deleting an interface using NCLU, if the /etc/network/interfaces alias is different than the /etc/frr/frr.conf description, the net commit command returns the following error: 

 /etc/frr/daemons was modified by another user.

Despite this error, the change is made and the description is removed from the frr.conf file. | 3.7.3-3.7.10 | 3.7.11-3.7.16| | [2536384](#2536384)
| The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | -| [2536266](#2536266)
| When a VXLAN SVI transitions to a non-VXLAN SVI, the associated VRRP MAC addresses are not removed. After the transition happens, the removal fails as the VXLAN context is lost and you see the following switchd error: 
 
2018-09-06T20:38:20.682916+00:00 dell-s6010-01 switchd[5445]: hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 224 mac: 00:00:5e:00:01:01 (-7) 
2018-09-06T20:38:20.686105+00:00 dell-s6010-01 switchd[5445]: hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 223 mac: 00:00:5e:00:01:01 (-7) 
2018-09-06T20:38:20.773581+00:00 dell-s6010-01 switchd[5445]: hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 112 mac: 00:00:5e:00:01:01 (-7) 
2018-09-06T20:38:20.776986+00:00 dell-s6010-01 switchd[5445]: hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 111 mac: 00:00:5e:00:01:01 (-7)
| 3.7.5-3.7.6 | 3.7.7-3.7.16| -| [2536230](#2536230)
| On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature.
In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| +| [2536266, 2535677](#2536266, 2535677)
| When a VXLAN SVI transitions to a non-VXLAN SVI, the associated VRRP MAC addresses are not removed. After the transition happens, the removal fails as the VXLAN context is lost and you see the following switchd error: 
 
2018-09-06T20:38:20.682916+00:00 dell-s6010-01 switchd[5445]: hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 224 mac: 00:00:5e:00:01:01 (-7) 
2018-09-06T20:38:20.686105+00:00 dell-s6010-01 switchd[5445]: hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 223 mac: 00:00:5e:00:01:01 (-7) 
2018-09-06T20:38:20.773581+00:00 dell-s6010-01 switchd[5445]: hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 112 mac: 00:00:5e:00:01:01 (-7) 
2018-09-06T20:38:20.776986+00:00 dell-s6010-01 switchd[5445]: hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 111 mac: 00:00:5e:00:01:01 (-7)
| 3.7.5-3.7.6 | 3.7.7-3.7.16| +| [2536230, 2545399](#2536230, 2545399)
| On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature.
In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| | [2536179](#2536179)
| On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2535986](#2535986)
| At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.
When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2535965](#2535965)
| On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly.
To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | @@ -2980,13 +2980,13 @@ pdfhidden: True | [2543211](#2543211)
| In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2543113](#2543113)
| NCLU restarts FRR when attempting to remove a BGP VRF stanza. This happens regardless of whether the VRF is valid/configured elsewhere on the switch or the removal is successful. To work around this issue, remove the stanza using vtysh.
| 3.7.3-3.7.16 | 4.0.0-4.4.5| | [2543044](#2543044)
| Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up.
You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up. | 3.7.2-3.7.16 | 4.0.0-4.4.5| -| [2542871](#2542871)
| After you issue the NCLU net del bgp vrf autonomous-system command and commit the change, Cumulus Linux does not remove the configuration from the /etc/frr/frr.conf file or the net show config commands.
| 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| +| [2542871, 2542901, 2542901](#2542871, 2542901, 2542901)
| After you issue the NCLU net del bgp vrf autonomous-system command and commit the change, Cumulus Linux does not remove the configuration from the /etc/frr/frr.conf file or the net show config commands.
| 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| | [2542835](#2542835)
| snmpd fails because NCLU does not remove agentaddress @vrf lines when running the net add snmp-server listening-address all command. | 3.7.4-3.7.16 | 4.0.0-4.4.5| | [2542336](#2542336)
| On the Mellanox SN2410 switch, switchd does not start. | 3.7.2-3.7.8 | 3.7.9-3.7.16| | [2542301](#2542301)
| When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2541761](#2541761)
| A TACACS privilege level 15 user mapped to tacacs15 cannot use net commands even though the user is part of the netedit and/or netshow user group. | 3.7.2-3.7.6 | 3.7.7-3.7.16| | [2541604](#2541604)
| The snmpd service exits with a message similar to the following: 
 
Error in '/usr/sbin/snmpd': double free or corruption (fasttop): 0x00000000018a4e50 ***

This problem might occur during or after network convergence events. For example, when bgpd needs to process a high number of updates and the CPU cannot keep up, bgpd is disconnected and agentx generates a core dump in snmpd due to a memory allocation problem.
To work around this issue, disable agentx by commenting out the following lines in the /etc/snmp/snmpd.conf file. Then, restart the snmpd service with the systemctl restart snmpd command. 
 
agentxperms 777 777 snmp snmp 
agentxsocket /var/agentx/master

If you still want to poll the BGP4-MIB information, re-enable the bgp pass persist script by adding the following line in the /etc/snmp/snmpd.conf file: 
 
pass_persist 1.3.6.1.2.1.15 /usr/share/snmp/bgp4_pp.py
| 3.7.2-3.7.8 | 3.7.9-3.7.16| -| [2541494](#2541494)
| Under certain circumstances (when you reboot or restart the switchd service), a race condition might occur which causes a synchronization issue resulting in hardware misprogramming of the VXLAN tunnel endpoint interface (VTEP). Packets destined out this tunnel are dropped in the egress direction. Packets arriving on this tunnel are dropped in the ingress direction. This is due to a race condition between ASIC and kernel programming that causes the kernel to incorrectly process the link state of a VXLAN interface.
To work around this issue, you can bounce the layer 3 SVI for the affected VRF. For example: 
 
ifdown vlan123 ; sleep 2 ; ifup vlan123

Run the net show vrf vni command to show a mapping of the layer 3 VNI to layer 3 SVI for the VRF.
*Note*: This workaround is not guaranteed because the race condition cannot be always be avoided. | 3.7.4-3.7.16 | | +| [2541494, 2541496](#2541494, 2541496)
| Under certain circumstances (when you reboot or restart the switchd service), a race condition might occur which causes a synchronization issue resulting in hardware misprogramming of the VXLAN tunnel endpoint interface (VTEP). Packets destined out this tunnel are dropped in the egress direction. Packets arriving on this tunnel are dropped in the ingress direction. This is due to a race condition between ASIC and kernel programming that causes the kernel to incorrectly process the link state of a VXLAN interface.
To work around this issue, you can bounce the layer 3 SVI for the affected VRF. For example: 
 
ifdown vlan123 ; sleep 2 ; ifup vlan123

Run the net show vrf vni command to show a mapping of the layer 3 VNI to layer 3 SVI for the VRF.
*Note*: This workaround is not guaranteed because the race condition cannot be always be avoided. | 3.7.4-3.7.16 | | | [2541095](#2541095)
| The RADIUS AAA client does the source IP address bind first, then the setsockopt VRF, which causes a failure due to a kernel check for an address mismatch with the VRF. | 3.7.4-3.7.6 | 3.7.7-3.7.16| | [2541090](#2541090)
| The dhcrelay service crashes when the DHCP relay packet comes back from the server. To work around this issue, remove the --nl flag from the dhcrelay service. | 3.7.3-3.7.6 | 3.7.7-3.7.16| | [2540950](#2540950)
| On the QuantaMesh T4048-IX8 or EdgeCore AS7326-56X switch, when using a 1000BASE-T SFP module, the module LEDs do not light to reflect link status.
| 3.7.3-4.1.1 | 4.2.0-4.4.5| @@ -3011,7 +3011,7 @@ pdfhidden: True | [2540288](#2540288)
| The switchd service crashes when you add a route with a nexhop label. | 3.7.3-3.7.5 | 3.7.6-3.7.16| | [2540268](#2540268)
| An incorrect readout of the optical transceiver high temperature alarm threshold (read as 17 degrees centigrade), disables a 100G optical module on Mellanox Spectrum switches. | 3.7.2-3.7.6 | 3.7.7-3.7.16| | [2540254](#2540254)
| In an EVPN centralized routing deployment, the border leaf sends out incorrect packets when flapping the VLAN interface. | 3.7.2-3.7.5 | 3.7.6-3.7.16| -| [2540204](#2540204)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540204, 2713883](#2540204, 2713883)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540192](#2540192)
| The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540155](#2540155)
| On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2540122](#2540122)
| The snmpd daemon sometimes crashes with the error Unknown operation 6 in agentx_got_response. | 3.7.2-3.7.5 | 3.7.6-3.7.16| @@ -3045,21 +3045,21 @@ pdfhidden: True | [2538294](#2538294)
| If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2538256](#2538256)
| On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets.
| 3.7.2-4.0.1 | 4.1.0-4.4.5| | [2538022](#2538022)
| When you remove an interface from a bridge and add it to a VRF in the same commit/ifreload, the IPv6 link-local address is not created automatically.
To work around this issue, do the change in two separate commits. First, remove the interface from the bridge, which causes it to be a layer 2 interface. Then, enslave the interface to the VRF. | 3.7.2-3.7.8 | 3.7.9-3.7.16| -| [2537819](#2537819)
| When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
| 3.7.2-3.7.16 | 4.0.0-4.4.5| +| [2537819, 2542964](#2537819, 2542964)
| When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
| 3.7.2-3.7.16 | 4.0.0-4.4.5| | [2537806](#2537806)
| Bridging ISIS traffic fails because layer 2 cache rules forward ISIS traffic to the CPU, where it is then dropped.
To work around this issue, contact Customer Support. | 3.7.2-3.7.6 | 3.7.7-3.7.16| | [2537699](#2537699)
| There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces: 
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
| 3.7.1-3.7.16, 4.0.0-4.4.5 | | -| [2537544](#2537544)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2537544, 2537365](#2537544, 2537365)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | | [2537378](#2537378)
| NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.
To work around this issue, stop snmpd, remove the cache file, then restart snmpd.
| 3.7.1-3.7.16 | | | [2537188](#2537188)
| When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.
This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network.
| 3.7.2-3.7.16 | | -| [2537153](#2537153)
| In rare cases, certain IPv6 BGP peers fail to reestablish after switchd restarts. | 3.7.2-3.7.8 | 3.7.9-3.7.16| -| [2537104](#2537104)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | 4.0.0-4.4.5| +| [2537153, 2540994](#2537153, 2540994)
| In rare cases, certain IPv6 BGP peers fail to reestablish after switchd restarts. | 3.7.2-3.7.8 | 3.7.9-3.7.16| +| [2537104, 2534061](#2537104, 2534061)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | 4.0.0-4.4.5| | [2537061](#2537061)
| The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent.
| 3.7.1-4.0.1 | 4.1.0-4.4.5| | [2536650](#2536650)
| Mellanox Spectrum and Helix4 switches occasionally send malformed packets and do not send any flow samples (only counters).
While this issue is fixed for switches with the Spectrum ASIC, this is a [known limitation\|https://docs.cumulusnetworks.com/cumulus-linux/Monitoring-and-Troubleshooting/Network-Troubleshooting/Monitoring-System-Statistics-and-Network-Traffic-with-sFlow/#caveats-and-errata] on this Helix4 platform. | 3.7.0-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5| | [2536639](#2536639)
| On a Dell S4048 switch, when you set the eth0 speed to 100, either with NCLU or by editing the /etc/network/interfaces file, the igb driver crashes, which brings down eth0.
To work around this issue:
* If eth0 is configured in the management VRF, power cycle the switch; the eth0 configuration fails and reverts back to the default (auto-negotiation/1000).
* If eth0 is configured in the default VRF and you power cycle after the crash, igb continues to crash on boot up (before getting to login prompt); power-cycle the switch, select the Advanced option in GRUB to boot to recovery mode, then modify the /etc/network/interfaces file. | 3.7.0-3.7.16 | 4.0.0-4.4.5| | [2536608](#2536608)
| Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI.
| 3.7.0-3.7.16 | | | [2536559](#2536559)
| When deleting an interface using NCLU, if the /etc/network/interfaces alias is different than the /etc/frr/frr.conf description, the net commit command returns the following error: 

 /etc/frr/daemons was modified by another user.

Despite this error, the change is made and the description is removed from the frr.conf file. | 3.7.3-3.7.10 | 3.7.11-3.7.16| | [2536384](#2536384)
| The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | -| [2536230](#2536230)
| On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature.
In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| +| [2536230, 2545399](#2536230, 2545399)
| On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature.
In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| | [2536179](#2536179)
| On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2535986](#2535986)
| At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.
When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2535965](#2535965)
| On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly.
To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | @@ -3084,7 +3084,7 @@ pdfhidden: True | [2538977](#2538977)
| The Dell Z9264F and Edgecore AS7816 switch does not support QSFP optical modules broken out to 4x individual interfaces. | | | | [2538965](#2538965)
| On the Edgecore AS7816 switch, when you configure ports as 4x, the links for the ports do not come up and the port EEPROM cannot be read. | | | | [2538942](#2538942)
| The EEPROM information changed on the Dell S5048F switch, which causes PCIe Bus Errors. | 3.7.2-3.7.3 | | -| [2538884](#2538884)
| cl-acltool -i fails to install LOG rules if either the source or destination (-d or -s) has multiple comma-separated values, such as: 
 
-A FORWARD -s "192.168.0.0/16" -d "192.168.0.0/16,172.16.0.0/12" -j LOG --log-prefix "DROP: " 
-A FORWARD -s "192.168.0.0/16" -d "192.168.0.0/16,172.16.0.0/12" -j DROP

You see errors similar to the following: 
 
error: hw sync failed (Cannot process iptables,FORWARD,46,Rule with LOG must be followed by same rule with DROP) 
error: hw sync failed (Cannot process ip6tables,FORWARD,30,Rule with LOG must be followed by same rule with DROP)
| 3.7.2-3.7.3 | | +| [2538884, 2538887](#2538884, 2538887)
| cl-acltool -i fails to install LOG rules if either the source or destination (-d or -s) has multiple comma-separated values, such as: 
 
-A FORWARD -s "192.168.0.0/16" -d "192.168.0.0/16,172.16.0.0/12" -j LOG --log-prefix "DROP: " 
-A FORWARD -s "192.168.0.0/16" -d "192.168.0.0/16,172.16.0.0/12" -j DROP

You see errors similar to the following: 
 
error: hw sync failed (Cannot process iptables,FORWARD,46,Rule with LOG must be followed by same rule with DROP) 
error: hw sync failed (Cannot process ip6tables,FORWARD,30,Rule with LOG must be followed by same rule with DROP)
| 3.7.2-3.7.3 | | | [2538814](#2538814)
| The permanent MAC entry that corresponds to the SVI of the layer 3 VNI (corresponding VLAN) is missing in the bridge FDB. | 3.7.0-3.7.3 | | | [2538737](#2538737)
| When a MAC address is frozen, if the switch receives an update for that MAC address from a remote VTEP and the remote sequence number of that update is higher than its local sequence number, the switch programs that MAC address in the kernel bridge FDB as an offload entry reachable behind that remote VTEP. This occurs only when the MAC is moving across three or more VTEPs. | | | | [2538686](#2538686)
| On Trident3 switches, not all ping requests match on the ingress ACL rule. | 3.7.3 | | @@ -3095,11 +3095,11 @@ pdfhidden: True | [2538013](#2538013)
| When the peer link is lost and the backup IP address becomes inactive, the MLAG secondary switch brings up bonds but not VXLAN VNIs. | 3.7.1-3.7.3 | | | [2537918](#2537918)
| When the Cumulus Linux switch has a BGP neighbor to a host running FRR 5.0, if the host FRR syslog is set to debugging and FRR is restarted, the BGP neighbor comes up according to the frr.log but on the switch, the BGP neighbor does not show in the show ip bgp vrf all summary command output (and other neighbor command output). Routes from the host appear fine, but the route map fails to get applied.
To work around this issue, either run FRR 6.0 on host or avoid running debug logging.
| | | | [2537805](#2537805)
| When you configure an IPv6 only neighbor with NCLU without the peer-group command, then execute the same commands again, the BGP session is reset.
For example, if you run the following commands: 
 
cumulus@switch:~$ net add bgp neighbor swp29 interface remote-as external 
cumulus@switch:~$ net add bgp neighbor swp29 interface v6only

Cumulus Linux removes the net commands and adds the following line to FRR (using v6only remote-as), which causes BGP to flap. 
 
neighbor swp29 interface v6only remote-as external

This issue does not occur if you add the peer-group command; for example: 
 
cumulus@switch:~$ net add bgp neighbor external peer-group 
cumulus@switch:~$ net add bgp neighbor external remote-as external 
cumulus@switch:~$ net add bgp neighbor swp29 interface v6only peer-group external

. | 3.7.0-3.7.3 | | -| [2537409](#2537409)
| It is not currently possible to bring up some 10G LR interfaces on Mellanox switches as auto-negotiation is set to on in hardware. | 3.7.1-3.7.3 | | +| [2537409, 2538035](#2537409, 2538035)
| It is not currently possible to bring up some 10G LR interfaces on Mellanox switches as auto-negotiation is set to on in hardware. | 3.7.1-3.7.3 | | | [2537111](#2537111)
| The gshut community is not removed after you commit the configuration.
| 3.7.0-3.7.3 | | | [2536470](#2536470)
| Full support for resilient hashing on Broadcom Trident 3 switches is not yet available. | | | | [2536329](#2536329)
| If a packet to an unknown IP address (but known network) enters the switch and matches an INPUT ACL rule, it is redirected for ARP and the counters increment for that rule, but it does not perform the action. This only happens until the ARP reply is sent, and then the traffic is forwarded properly.
To work around this issue, change the rules to INPUT,FORWARD instead of INPUT. Drops should then be logged properly. | | | -| [2536107](#2536107)
| On Tomahawk+ switches, the switchd process is unable to restart after configuring 2x25G in the /etc/cumulus/ports.conf file. | | | +| [2536107, 2539595](#2536107, 2539595)
| On Tomahawk+ switches, the switchd process is unable to restart after configuring 2x25G in the /etc/cumulus/ports.conf file. | | | | [2535216](#2535216)
| If you add a bridge configuration on a routed (BGP unnumbered) switch port on a Mellanox switch, BGP remains up with routes exchanged or sent from the control plane, but packets received on this interface in the data plane are discarded in hardware. | 3.7.2-3.7.3 | | | [2535006](#2535006)
| Virtual device counters are not working as expected. The TX counter increments but the RX counter does not. | | | @@ -3128,7 +3128,7 @@ pdfhidden: True | [2543211](#2543211)
| In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2543113](#2543113)
| NCLU restarts FRR when attempting to remove a BGP VRF stanza. This happens regardless of whether the VRF is valid/configured elsewhere on the switch or the removal is successful. To work around this issue, remove the stanza using vtysh.
| 3.7.3-3.7.16 | 4.0.0-4.4.5| | [2543044](#2543044)
| Under certain conditions, EVPN next hops might not be removed when the contributing peer goes down or might not be populated when the BGP session to the contributing peer comes up.
You can prevent EVPN next hops from not being removed when the contributing peer goes down by specifying static MAC addresses on all layer 3 VNIs. There is no workaround for preventing EVPN next hops from not being populated when the BGP session to the contributing peer comes up. | 3.7.2-3.7.16 | 4.0.0-4.4.5| -| [2542871](#2542871)
| After you issue the NCLU net del bgp vrf autonomous-system command and commit the change, Cumulus Linux does not remove the configuration from the /etc/frr/frr.conf file or the net show config commands.
| 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| +| [2542871, 2542901, 2542901](#2542871, 2542901, 2542901)
| After you issue the NCLU net del bgp vrf autonomous-system command and commit the change, Cumulus Linux does not remove the configuration from the /etc/frr/frr.conf file or the net show config commands.
| 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| | [2542336](#2542336)
| On the Mellanox SN2410 switch, switchd does not start. | 3.7.2-3.7.8 | 3.7.9-3.7.16| | [2542301](#2542301)
| When first creating a bond and enslaving an interface, NCLU hides some of the bridge command suggestions, although they are still accepted.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2541761](#2541761)
| A TACACS privilege level 15 user mapped to tacacs15 cannot use net commands even though the user is part of the netedit and/or netshow user group. | 3.7.2-3.7.6 | 3.7.7-3.7.16| @@ -3178,7 +3178,7 @@ pdfhidden: True | [2538980](#2538980)
| A dummy interface does not inherit the MTU from a defaults file in /etc/network/ifupdown2/policy.d. A dummy interface is typically used to keep SVI interfaces up when there are no switch ports up that are associated with that VLAN. | 3.7.2-3.7.6 | 3.7.7-3.7.16| | [2538942](#2538942)
| The EEPROM information changed on the Dell S5048F switch, which causes PCIe Bus Errors. | 3.7.2-3.7.3 | 3.7.4-3.7.16| | [2538910](#2538910)
| In a layer 2 VXLAN configuration, where each ECMP path is a layer 3 LACP bond with multiple port members, ECMP hash appears fine for data traffic over VXLAN from one VTEP to another, but the LACP hash is unbalanced. | 3.7.1-3.7.6 | 3.7.7-3.7.16| -| [2538884](#2538884)
| cl-acltool -i fails to install LOG rules if either the source or destination (-d or -s) has multiple comma-separated values, such as: 
 
-A FORWARD -s "192.168.0.0/16" -d "192.168.0.0/16,172.16.0.0/12" -j LOG --log-prefix "DROP: " 
-A FORWARD -s "192.168.0.0/16" -d "192.168.0.0/16,172.16.0.0/12" -j DROP

You see errors similar to the following: 
 
error: hw sync failed (Cannot process iptables,FORWARD,46,Rule with LOG must be followed by same rule with DROP) 
error: hw sync failed (Cannot process ip6tables,FORWARD,30,Rule with LOG must be followed by same rule with DROP)
| 3.7.2-3.7.3 | 3.7.4-3.7.16| +| [2538884, 2538887](#2538884, 2538887)
| cl-acltool -i fails to install LOG rules if either the source or destination (-d or -s) has multiple comma-separated values, such as: 
 
-A FORWARD -s "192.168.0.0/16" -d "192.168.0.0/16,172.16.0.0/12" -j LOG --log-prefix "DROP: " 
-A FORWARD -s "192.168.0.0/16" -d "192.168.0.0/16,172.16.0.0/12" -j DROP

You see errors similar to the following: 
 
error: hw sync failed (Cannot process iptables,FORWARD,46,Rule with LOG must be followed by same rule with DROP) 
error: hw sync failed (Cannot process ip6tables,FORWARD,30,Rule with LOG must be followed by same rule with DROP)
| 3.7.2-3.7.3 | 3.7.4-3.7.16| | [2538875](#2538875)
| IPv6 multicast traffic destined to an unregistered multicast group is flooded to all ports in a bridge despite the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/swichd.conf file.
| 3.7.2-3.7.16 | | | [2538814](#2538814)
| The permanent MAC entry that corresponds to the SVI of the layer 3 VNI (corresponding VLAN) is missing in the bridge FDB. | 3.7.0-3.7.16 | | | [2538790](#2538790)
| NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan bridge access . This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG.
To restore connectivity, remove the VLAN ID from the bridge. | 3.7.2-3.7.16, 4.0.0-4.4.5 | | @@ -3197,24 +3197,24 @@ pdfhidden: True | [2538054](#2538054)
| On the Dell S4148 switch, if link pause is enabled in the /etc/cumulus/datapath/traffic.conf file, switchd fails to restart. | 3.7.0-3.7.3 | 3.7.4-3.7.16| | [2538022](#2538022)
| When you remove an interface from a bridge and add it to a VRF in the same commit/ifreload, the IPv6 link-local address is not created automatically.
To work around this issue, do the change in two separate commits. First, remove the interface from the bridge, which causes it to be a layer 2 interface. Then, enslave the interface to the VRF. | 3.7.2-3.7.8 | 3.7.9-3.7.16| | [2538013](#2538013)
| When the peer link is lost and the backup IP address becomes inactive, the MLAG secondary switch brings up bonds but not VXLAN VNIs. | 3.7.1-3.7.3 | 3.7.4-3.7.16| -| [2537819](#2537819)
| When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
| 3.7.2-3.7.16 | 4.0.0-4.4.5| +| [2537819, 2542964](#2537819, 2542964)
| When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
| 3.7.2-3.7.16 | 4.0.0-4.4.5| | [2537806](#2537806)
| Bridging ISIS traffic fails because layer 2 cache rules forward ISIS traffic to the CPU, where it is then dropped.
To work around this issue, contact Customer Support. | 3.7.2-3.7.6 | 3.7.7-3.7.16| | [2537805](#2537805)
| When you configure an IPv6 only neighbor with NCLU without the peer-group command, then execute the same commands again, the BGP session is reset.
For example, if you run the following commands: 
 
cumulus@switch:~$ net add bgp neighbor swp29 interface remote-as external 
cumulus@switch:~$ net add bgp neighbor swp29 interface v6only

Cumulus Linux removes the net commands and adds the following line to FRR (using v6only remote-as), which causes BGP to flap. 
 
neighbor swp29 interface v6only remote-as external

This issue does not occur if you add the peer-group command; for example: 
 
cumulus@switch:~$ net add bgp neighbor external peer-group 
cumulus@switch:~$ net add bgp neighbor external remote-as external 
cumulus@switch:~$ net add bgp neighbor swp29 interface v6only peer-group external

. | 3.7.0-3.7.3 | 3.7.4-3.7.16| | [2537699](#2537699)
| There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces: 
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
| 3.7.1-3.7.16, 4.0.0-4.4.5 | | -| [2537544](#2537544)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | -| [2537409](#2537409)
| It is not currently possible to bring up some 10G LR interfaces on Mellanox switches as auto-negotiation is set to on in hardware. | 3.7.1-3.7.3 | 3.7.4-3.7.16| +| [2537544, 2537365](#2537544, 2537365)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2537409, 2538035](#2537409, 2538035)
| It is not currently possible to bring up some 10G LR interfaces on Mellanox switches as auto-negotiation is set to on in hardware. | 3.7.1-3.7.3 | 3.7.4-3.7.16| | [2537378](#2537378)
| NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.
To work around this issue, stop snmpd, remove the cache file, then restart snmpd.
| 3.7.1-3.7.16 | | | [2537188](#2537188)
| When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.
This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network.
| 3.7.2-3.7.16 | | -| [2537153](#2537153)
| In rare cases, certain IPv6 BGP peers fail to reestablish after switchd restarts. | 3.7.2-3.7.8 | 3.7.9-3.7.16| +| [2537153, 2540994](#2537153, 2540994)
| In rare cases, certain IPv6 BGP peers fail to reestablish after switchd restarts. | 3.7.2-3.7.8 | 3.7.9-3.7.16| | [2537111](#2537111)
| The gshut community is not removed after you commit the configuration.
| 3.7.0-3.7.3 | 3.7.4-3.7.16| -| [2537104](#2537104)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | 4.0.0-4.4.5| +| [2537104, 2534061](#2537104, 2534061)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | 4.0.0-4.4.5| | [2537061](#2537061)
| The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent.
| 3.7.1-4.0.1 | 4.1.0-4.4.5| | [2536650](#2536650)
| Mellanox Spectrum and Helix4 switches occasionally send malformed packets and do not send any flow samples (only counters).
While this issue is fixed for switches with the Spectrum ASIC, this is a [known limitation\|https://docs.cumulusnetworks.com/cumulus-linux/Monitoring-and-Troubleshooting/Network-Troubleshooting/Monitoring-System-Statistics-and-Network-Traffic-with-sFlow/#caveats-and-errata] on this Helix4 platform. | 3.7.0-3.7.8 | 3.7.9-3.7.16, 4.0.0-4.4.5| | [2536639](#2536639)
| On a Dell S4048 switch, when you set the eth0 speed to 100, either with NCLU or by editing the /etc/network/interfaces file, the igb driver crashes, which brings down eth0.
To work around this issue:
* If eth0 is configured in the management VRF, power cycle the switch; the eth0 configuration fails and reverts back to the default (auto-negotiation/1000).
* If eth0 is configured in the default VRF and you power cycle after the crash, igb continues to crash on boot up (before getting to login prompt); power-cycle the switch, select the Advanced option in GRUB to boot to recovery mode, then modify the /etc/network/interfaces file. | 3.7.0-3.7.16 | 4.0.0-4.4.5| | [2536608](#2536608)
| Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI.
| 3.7.0-3.7.16 | | | [2536559](#2536559)
| When deleting an interface using NCLU, if the /etc/network/interfaces alias is different than the /etc/frr/frr.conf description, the net commit command returns the following error: 

 /etc/frr/daemons was modified by another user.

Despite this error, the change is made and the description is removed from the frr.conf file. | 3.7.3-3.7.10 | 3.7.11-3.7.16| | [2536384](#2536384)
| The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | -| [2536230](#2536230)
| On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature.
In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| +| [2536230, 2545399](#2536230, 2545399)
| On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature.
In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. | 3.7.3-3.7.10, 4.0.0-4.0.1 | 3.7.11-3.7.16, 4.1.0-4.4.5| | [2536179](#2536179)
| On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2535986](#2535986)
| At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.
When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2535965](#2535965)
| On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly.
To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | @@ -3255,11 +3255,11 @@ pdfhidden: True | [2536730](#2536730)
| When you run the net show counters json command, you see the following error if any value is Unknown: 
 
ERROR: Execution of the command failed. 
"/usr/cumulus/bin/cl-netstat -j" failed. 
Traceback (most recent call last): 
File "/usr/cumulus/bin/cl-netstat", line 292, in  
cnstat_diff_print(cnstat_dict, cnstat_cached_dict, use_json) 
File "/usr/cumulus/bin/cl-netstat", line 135, in cnstat_diff_print 
print table_as_json(table) 
File "/usr/cumulus/bin/cl-netstat", line 62, in table_as_json 
header[3] : int(line[3]), 
ValueError: invalid literal for int() with base 10: 'Unknown'

To work around this issue, run the following command to clear out the semaphore file created by cl-netstat -c: 
 
cumulus@switch:~$ rm /tmp/cl-netstat-$UID/$UID
| 3.7.0-3.7.2 | | | [2536615](#2536615)
| NCLU net show configuration commands does not display any output for IPv6 rsyslog hosts. | 3.7.0-3.7.2 | | | [2536614](#2536614)
| NCLU net show configuration commands displays a net add syslog command with invalid syntax. For example, if you run the following commands: 
 
cumulus@switch:~$ net add syslog host ipv4 10.0.0.1 port udp 514 
cumulus@switch:~$ net commit

then run��net show configuration commands, the output of the command syntax is invalid. | 3.7.0-3.7.2 | | -| [2536245](#2536245)
| When using dynamic route leaking, software forwarding of packets fails between the connected source and destination.
To work around this issue, configure the leak on a switch that does not have any locally-connected hosts. | 3.7.1-3.7.2 | | +| [2536245, 2536488, 2537976](#2536245, 2536488, 2537976)
| When using dynamic route leaking, software forwarding of packets fails between the connected source and destination.
To work around this issue, configure the leak on a switch that does not have any locally-connected hosts. | 3.7.1-3.7.2 | | | [2536167](#2536167)
| When RASH is enabled and an ECMP path is taken away using the ip link set down command, traffic using that ECMP path is never moved to another path and is dropped permanently. | | | | [2536070](#2536070)
| This is due to a limitation between Cumulus Linux and the Mellanox hardware. Currently, on a Mellanox switch, Cumulus Linux supports only four ECMP containers with 1000 hash entries per container. | | | -| [2535751](#2535751)
| The NCLU net add and net commit commands change the interfaces file even if you add a service like snmp/hostname/etc. This causes an issue with automation. For example, Ansible runs handlers (ifreload -a for interfaces) during each push if the file being edited changes. | 3.7.0-3.7.2 | | -| [2535415](#2535415)
| The wrong route target/route distinguisher is sent in an EVPN advertisement after a port flap. | | | +| [2535751, 2535802](#2535751, 2535802)
| The NCLU net add and net commit commands change the interfaces file even if you add a service like snmp/hostname/etc. This causes an issue with automation. For example, Ansible runs handlers (ifreload -a for interfaces) during each push if the file being edited changes. | 3.7.0-3.7.2 | | +| [2535415, 2539088](#2535415, 2539088)
| The wrong route target/route distinguisher is sent in an EVPN advertisement after a port flap. | | | | [2535331](#2535331)
| If you use NCLU to configure an ACL for eth0, you cannot designate it as an INPUT rule; the rule is automatically created as a FORWARD rule in the /etc/cumulus/acl/policy.d/50_nclu_acl.rules file. | | | | [2535279](#2535279)
| When links are not synchronized before associated routes, switchd shows the following error log: 
 
hal_bcm_l3.c:1364 ERR cannot find if for next hop, BOND: bond 2, vlan 1004.0 unit 0 nh_unit 0
| | | | [2534444](#2534444)
| When an interface is configured for OSPF/BGP unnumbered, the net show interface command shows NotConfigured instead of showing that it is unnumbered. | | | @@ -3316,7 +3316,7 @@ pdfhidden: True | [2538980](#2538980)
| A dummy interface does not inherit the MTU from a defaults file in /etc/network/ifupdown2/policy.d. A dummy interface is typically used to keep SVI interfaces up when there are no switch ports up that are associated with that VLAN. | 3.7.2-3.7.6 | 3.7.7-3.7.16| | [2538942](#2538942)
| The EEPROM information changed on the Dell S5048F switch, which causes PCIe Bus Errors. | 3.7.2-3.7.3 | 3.7.4-3.7.16| | [2538910](#2538910)
| In a layer 2 VXLAN configuration, where each ECMP path is a layer 3 LACP bond with multiple port members, ECMP hash appears fine for data traffic over VXLAN from one VTEP to another, but the LACP hash is unbalanced. | 3.7.1-3.7.6 | 3.7.7-3.7.16| -| [2538884](#2538884)
| cl-acltool -i fails to install LOG rules if either the source or destination (-d or -s) has multiple comma-separated values, such as: 
 
-A FORWARD -s "192.168.0.0/16" -d "192.168.0.0/16,172.16.0.0/12" -j LOG --log-prefix "DROP: " 
-A FORWARD -s "192.168.0.0/16" -d "192.168.0.0/16,172.16.0.0/12" -j DROP

You see errors similar to the following: 
 
error: hw sync failed (Cannot process iptables,FORWARD,46,Rule with LOG must be followed by same rule with DROP) 
error: hw sync failed (Cannot process ip6tables,FORWARD,30,Rule with LOG must be followed by same rule with DROP)
| 3.7.2-3.7.3 | 3.7.4-3.7.16| +| [2538884, 2538887](#2538884, 2538887)
| cl-acltool -i fails to install LOG rules if either the source or destination (-d or -s) has multiple comma-separated values, such as: 
 
-A FORWARD -s "192.168.0.0/16" -d "192.168.0.0/16,172.16.0.0/12" -j LOG --log-prefix "DROP: " 
-A FORWARD -s "192.168.0.0/16" -d "192.168.0.0/16,172.16.0.0/12" -j DROP

You see errors similar to the following: 
 
error: hw sync failed (Cannot process iptables,FORWARD,46,Rule with LOG must be followed by same rule with DROP) 
error: hw sync failed (Cannot process ip6tables,FORWARD,30,Rule with LOG must be followed by same rule with DROP)
| 3.7.2-3.7.3 | 3.7.4-3.7.16| | [2538875](#2538875)
| IPv6 multicast traffic destined to an unregistered multicast group is flooded to all ports in a bridge despite the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/swichd.conf file.
| 3.7.2-3.7.16 | | | [2538814](#2538814)
| The permanent MAC entry that corresponds to the SVI of the layer 3 VNI (corresponding VLAN) is missing in the bridge FDB. | 3.7.0-3.7.16 | | | [2538790](#2538790)
| NCLU automatically adds the VLAN ID (for the layer 3 VNI/SVI) to the bridge when you run net add vxlan bridge access . This configuration breaks network connectivity in an EVPN symmetric routing configuration using MLAG.
To restore connectivity, remove the VLAN ID from the bridge. | 3.7.2-3.7.16, 4.0.0-4.4.5 | | @@ -3348,19 +3348,19 @@ pdfhidden: True | [2537977](#2537977)
| After upgrading to Cumulus Linux 3.7.2, the BGP route map does not filter type-5 routes. | 3.7.2 | 3.7.3-3.7.16| | [2537919](#2537919)
| In Cumulus Linux 3.7.2 and earlier, an ACL entry containing 0.0.0.0 as a match parameter is interpreted as a catchall address (0.0.0.0 = 0.0.0.0/0). However in Cumulus Linux 3.7.3 and later, an ACL entry containing 0.0.0.0 as a match parameter is interpreted as a single address (0.0.0.0 = 0.0.0.0/32).
Review your ACLs and update as necessary to include the proper subnet mask. | 3.7.2 | 3.7.3-3.7.16| | [2537836](#2537836)
| Running ifdown vlan or ip link set vlan down brings down a virtual interface but the interface always comes back up after you run the ifreload -a or net commit command. | 3.7.1-3.7.2 | 3.7.3-3.7.16| -| [2537819](#2537819)
| When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
| 3.7.2-3.7.16 | 4.0.0-4.4.5| +| [2537819, 2542964](#2537819, 2542964)
| When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
| 3.7.2-3.7.16 | 4.0.0-4.4.5| | [2537806](#2537806)
| Bridging ISIS traffic fails because layer 2 cache rules forward ISIS traffic to the CPU, where it is then dropped.
To work around this issue, contact Customer Support. | 3.7.2-3.7.6 | 3.7.7-3.7.16| | [2537805](#2537805)
| When you configure an IPv6 only neighbor with NCLU without the peer-group command, then execute the same commands again, the BGP session is reset.
For example, if you run the following commands: 
 
cumulus@switch:~$ net add bgp neighbor swp29 interface remote-as external 
cumulus@switch:~$ net add bgp neighbor swp29 interface v6only

Cumulus Linux removes the net commands and adds the following line to FRR (using v6only remote-as), which causes BGP to flap. 
 
neighbor swp29 interface v6only remote-as external

This issue does not occur if you add the peer-group command; for example: 
 
cumulus@switch:~$ net add bgp neighbor external peer-group 
cumulus@switch:~$ net add bgp neighbor external remote-as external 
cumulus@switch:~$ net add bgp neighbor swp29 interface v6only peer-group external

. | 3.7.0-3.7.3 | 3.7.4-3.7.16| | [2537776](#2537776)
| BGP crashes with the error bgp_parse_nexthop_update. | 3.7.2 | 3.7.3-3.7.16| | [2537699](#2537699)
| There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces: 
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
| 3.7.1-3.7.16, 4.0.0-4.4.5 | | | [2537641](#2537641)
| On the Celestica RedstoneV switch, the hardware settings are incorrect on swp14 and swp22. | 3.7.0-3.7.2 | 3.7.3-3.7.16| -| [2537544](#2537544)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | -| [2537409](#2537409)
| It is not currently possible to bring up some 10G LR interfaces on Mellanox switches as auto-negotiation is set to on in hardware. | 3.7.1-3.7.3 | 3.7.4-3.7.16| +| [2537544, 2537365](#2537544, 2537365)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2537409, 2538035](#2537409, 2538035)
| It is not currently possible to bring up some 10G LR interfaces on Mellanox switches as auto-negotiation is set to on in hardware. | 3.7.1-3.7.3 | 3.7.4-3.7.16| | [2537378](#2537378)
| NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.
To work around this issue, stop snmpd, remove the cache file, then restart snmpd.
| 3.7.1-3.7.16 | | | [2537188](#2537188)
| When an event in the network, such as a switchd or networking service restart, leads to an OVSDB server high availability transition, an ovs-vtepd core might occur.
This core generation has no effect on the functionality of high availability when the active OVSDB server is back in the network.
| 3.7.2-3.7.16 | | -| [2537153](#2537153)
| In rare cases, certain IPv6 BGP peers fail to reestablish after switchd restarts. | 3.7.2-3.7.8 | 3.7.9-3.7.16| +| [2537153, 2540994](#2537153, 2540994)
| In rare cases, certain IPv6 BGP peers fail to reestablish after switchd restarts. | 3.7.2-3.7.8 | 3.7.9-3.7.16| | [2537111](#2537111)
| The gshut community is not removed after you commit the configuration.
| 3.7.0-3.7.3 | 3.7.4-3.7.16| -| [2537104](#2537104)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | 4.0.0-4.4.5| +| [2537104, 2534061](#2537104, 2534061)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | 4.0.0-4.4.5| | [2537085](#2537085)
| When you run the net add (bond\|interface) bridge pvid command, NCLU does not add the port as a slave of the VLAN-aware bridge. | 3.7.1-3.7.2 | 3.7.3-3.7.16| | [2537061](#2537061)
| The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent.
| 3.7.1-4.0.1 | 4.1.0-4.4.5| | [2536730](#2536730)
| When you run the net show counters json command, you see the following error if any value is Unknown: 
 
ERROR: Execution of the command failed. 
"/usr/cumulus/bin/cl-netstat -j" failed. 
Traceback (most recent call last): 
File "/usr/cumulus/bin/cl-netstat", line 292, in  
cnstat_diff_print(cnstat_dict, cnstat_cached_dict, use_json) 
File "/usr/cumulus/bin/cl-netstat", line 135, in cnstat_diff_print 
print table_as_json(table) 
File "/usr/cumulus/bin/cl-netstat", line 62, in table_as_json 
header[3] : int(line[3]), 
ValueError: invalid literal for int() with base 10: 'Unknown'

To work around this issue, run the following command to clear out the semaphore file created by cl-netstat -c: 
 
cumulus@switch:~$ rm /tmp/cl-netstat-$UID/$UID
| 3.7.0-3.7.2 | 3.7.3-3.7.16| @@ -3370,11 +3370,11 @@ pdfhidden: True | [2536614](#2536614)
| NCLU net show configuration commands displays a net add syslog command with invalid syntax. For example, if you run the following commands: 
 
cumulus@switch:~$ net add syslog host ipv4 10.0.0.1 port udp 514 
cumulus@switch:~$ net commit

then run��net show configuration commands, the output of the command syntax is invalid. | 3.7.0-3.7.2 | 3.7.3-3.7.16| | [2536608](#2536608)
| Single tagged ARP requests received on a QinQ-over-VXLAN access port are dropped if ARP suppression is enabled on an unrelated VNI.
| 3.7.0-3.7.16 | | | [2536384](#2536384)
| The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | -| [2536245](#2536245)
| When using dynamic route leaking, software forwarding of packets fails between the connected source and destination.
To work around this issue, configure the leak on a switch that does not have any locally-connected hosts. | 3.7.1-3.7.2 | 3.7.3-3.7.16| +| [2536245, 2536488, 2537976](#2536245, 2536488, 2537976)
| When using dynamic route leaking, software forwarding of packets fails between the connected source and destination.
To work around this issue, configure the leak on a switch that does not have any locally-connected hosts. | 3.7.1-3.7.2 | 3.7.3-3.7.16| | [2536179](#2536179)
| On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2535986](#2535986)
| At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.
When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2535965](#2535965)
| On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly.
To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | -| [2535751](#2535751)
| The NCLU net add and net commit commands change the interfaces file even if you add a service like snmp/hostname/etc. This causes an issue with automation. For example, Ansible runs handlers (ifreload -a for interfaces) during each push if the file being edited changes. | 3.7.0-3.7.2 | 3.7.3-3.7.16| +| [2535751, 2535802](#2535751, 2535802)
| The NCLU net add and net commit commands change the interfaces file even if you add a service like snmp/hostname/etc. This causes an issue with automation. For example, Ansible runs handlers (ifreload -a for interfaces) during each push if the file being edited changes. | 3.7.0-3.7.2 | 3.7.3-3.7.16| | [2535216](#2535216)
| If you add a bridge configuration on a routed (BGP unnumbered) switch port on a Mellanox switch, BGP remains up with routes exchanged or sent from the control plane, but packets received on this interface in the data plane are discarded in hardware. | 3.7.2-3.7.3 | 3.7.4-3.7.16| | [2534450](#2534450)
| The default BGP instance must be provisioned and always exist for proper operation of dynamic leaking of routes between VRFs. | 3.7.0-3.7.16 | 4.0.0-4.4.5| | [2533039](#2533039)
| Currently, Cumulus Linux does not program the remote network SVI IP address in the route table. As a result, you can't ping the remote network gateway address; however, you can ping the hosts in that remote network. | 3.7.0-3.7.2 | 3.7.3-3.7.16| @@ -3391,33 +3391,33 @@ pdfhidden: True | [2537038](#2537038)
| When you run the NCLU net show system command on the Dell S5248F-ON switch, the output shows blank values for both CPU and Chipset: 
 
cumulus@switch:~$ net show system 
Dellemc S5248F 
... 

Chipset: 
Port Config: 48 x 25G-SFP28 & 4 x 100G-QSFP28 & 2 x 200G-QSFP-DD 
CPU: 
Uptime: 0:37:19.280000
| 3.7.0-3.7.1 | | | [2537028](#2537028)
| Under certain conditions, DHCP relay produces a segmentation fault when used in an EVPN symmetric environment with the -U option. | 3.7.1 | | | [2536975](#2536975)
| When you have certain options configured (such as PIM, MSDP, or ssmping), exit-vrf is copied beneath the vni line within the vrf stanza in the running vtysh configuration and in the /etc/frr/frr.conf file. This can cause a conflict; for example, if you are running PIM in the same VRF, the vni line is added above the ip pim rp line: 
 
vrf evpn-vrf 
vni 104001 
exit-vrf 
ip pim rp 2.2.2.2 224.0.0.0/4
| 3.7.0-3.7.1 | | -| [2536934](#2536934)
| When installing an IPv6 onlink route, if the kernel has a default route and the gateway resolves out of the default route, the route is rejected if the passed in ifindex does not match. With IPv4, the default route match is ignored and the onlink based route is installed. | | | +| [2536934, 2536180, 2536181](#2536934, 2536180, 2536181)
| When installing an IPv6 onlink route, if the kernel has a default route and the gateway resolves out of the default route, the route is rejected if the passed in ifindex does not match. With IPv4, the default route match is ignored and the onlink based route is installed. | | | | [2536833](#2536833)
| When you use a Trident3 switch as the exit node, which is playing the role of the spine, pings to external hosts fail after a systemctl restart networking event. | | | | [2536686](#2536686)
| If you add the MTU to a VLAN with the NCLU net add vlan mtu command, Cumulus Linux adds extra mtu lines in the /etc/network/interfaces file when there are defined bridge ports that do not exist elsewhere in the file. | 3.7.0-3.7.1 | | | [2536669](#2536669)
| After attempting to install unsupported ICMPv6-type rules, the hardware sync fails with an Out of table resource message even after you correct the rules. | 3.7.0-3.7.1 | | | [2536520](#2536520)
| When you run the net show system command on a Facebook Backpack switch, you see an error in netd.log: 
 
2018-09-21T03:10:20.476355+00:00 cel-bs02-fc1 netd: INFO: RXed: user cumulus, command "/usr/bin/net show system" 
2018-09-21T03:10:20.559883+00:00 cel-bs02-fc1 netd: WARNING: Could not detect platform information for "cel,bigstone_g_fab1"
| 3.7.0-3.7.1 | | -| [2536489](#2536489)
| On a Mellanox switch, when using an ECMP route over /31 interfaces, incorrect layer 3 neighbor and layer 3 route entries are shown. | | | +| [2536489, 2537568](#2536489, 2537568)
| On a Mellanox switch, when using an ECMP route over /31 interfaces, incorrect layer 3 neighbor and layer 3 route entries are shown. | | | | [2536481](#2536481)
| On Mellanox switches, BFD packets share the same TRAP group (Trap Group 8) as other bulk IP2ME traffic. If traffic is flooded to the CPU (for example, because of route withdrawal) BFD packets are dropped. | | | | [2536463](#2536463)
| The NCLU net del command fails to remove a message-digest-key from a subinterface in a VRF and displays an error message. | | | -| [2536454](#2536454)
| Input chain ACLs do not apply in hardware on Broadcom platforms and input packets are processed against rules in the kernel instead. This can result in rules with the drop action not applying in hardware and the packets reaching the kernel.
for platforms that do _not_ provide native support for VXLAN routing (non-RIOT platforms). | | | +| [2536454, 2536940](#2536454, 2536940)
| Input chain ACLs do not apply in hardware on Broadcom platforms and input packets are processed against rules in the kernel instead. This can result in rules with the drop action not applying in hardware and the packets reaching the kernel.
for platforms that do _not_ provide native support for VXLAN routing (non-RIOT platforms). | | | | [2536447](#2536447)
| Add the DAS listener service to the /etc/vrf/systemd.conf file so it can be started in the management VRF as needed. | 3.7.0-3.7.1 | | | [2536412](#2536412)
| If you configure a BGP community list using NCLU, it should set bgpd=yes if it is not already enabled. Communities are only used with BGP. If you try to configure a community (or extcommunity) before enabling bgpd (either by editing the /etc/frr/daemons file or by running other BGP NCLU commands), NCLU accepts the configuration and no warning is reported when committed. However, the configuration is not accepted by FRR. | | | | [2536392](#2536392)
| NCLU currently supports BGP prefix filtering via community and extcommunity, but not large-community, which are common in 4-Byte ASN environments. NCLU now supports large-community. | | | | [2536366](#2536366)
| When programming policy-based routing (PBR), if you change the input interface from a physical interface to a subinterface, the traffic is not properly redirected. You must flap the nexthop interface to reprogram the PBR.
| | | -| [2536210](#2536210)
| When you add ports as bridge ports multiple times with the NCLU command, the commits succeed without error.
To work around this issue, remove the extra interfaces with the net del bridge bridge ports command. | | | +| [2536210, 2536835](#2536210, 2536835)
| When you add ports as bridge ports multiple times with the NCLU command, the commits succeed without error.
To work around this issue, remove the extra interfaces with the net del bridge bridge ports command. | | | | [2536188](#2536188)
| When you configure SNMP with NCLU commands, the SNMP server does not restart and you see a warning: 
 WARNING: snmpd is not running. Run "journalctl -u snmpd" for error messages.
To work around this issue, start SNMP manually. | | | | [2536033](#2536033)
| NCLU does not allow for configuration of link-speed 10 and does not parse any unrelated NCLU configuration when link-speed 10 is detected in the /etc/network/interfaces file. | | | | [2535990](#2535990)
| SNMPv3 TRAP passwords or encryption keys longer then 16 characters might result in a core dump. For example: 
 
net add snmp-server trap-destination 3.3.3.3 username 
verlongtrapusername auth-md5 verylongmd52345678901234567890 
encrypt-aes verylongencrypt567890123456789012345678 
engine-id 0x80001f8880f49b75319690895b00000000 

# this results in a core dump: 
root@cel-redxp-01:/home/cumulus# systemctl status snmpd 
snmpd.service - Simple Network Management Protocol (SNMP) Daemon. 
Loaded: loaded (/lib/systemd/system/snmpd.service; enabled) 
Active: failed (Result: core-dump) since Wed 2018-09-05 16:18:05 UTC; 1min 25s ago 
Process: 21163 ExecStart=/usr/sbin/snmpd $SNMPDOPTS -f (code=dumped, signal=SEGV) 
Main PID: 21163 (code=dumped, signal=SEGV) 
Sep 05 16:18:05 cel-redxp-01 systemd[1]: Started Simple Network Management Protocol (SNMP) Daemon.. 

Sep 05 16:18:05 cel-redxp-01 systemd[1]: snmpd.service: main process exited, code=dumped, status=11/SEGV 
Sep 05 16:18:05 cel-redxp-01 systemd[1]: Unit snmpd.service entered failed state.

To work around this issue, use SNMPv3 TRAP passwords and encryption keys that are 16 characters or shorter. | | | | [2535977](#2535977)
| On the Trident 3 switch, cl-ecmpcalc returns invalid entries (two entries for MAC address 00:00:00:00:00:00) that cause script failures. | | | | [2535947](#2535947)
| ARP reply packets are flooded to all remote VTEPs when the ARP reply arrives on a different MLAG peer than the one where the permanent MAC exits.
To work around this issue:
# Manually define the MAC address for the SVI.
The MAC address allocated to the SVI is inherited by the bridge (by default). The bridge inherits the MAC address from a physical interface (swp*). This inheritance might result in a different SVI MAC address after a reboot (for example, a configuration change might result in the port being removed from the bridge).
For this example, the MAC address of SVI vlan123 is statically configured as sw01 = MM:MM:MM:11:11:11 and sw02 = MM:MM:MM:22:22:22.
# Program a static entry on sw01 pointing to sw02 over the _peerlink_ bond in VLAN 123: 
 
iface vlan123 
post-up bridge fdb add MM:MM:MM:22:22:22 dev peerlink vlan 123 master static

# Configure a static MAC address on sw02 pointing to the SVI owned by sw01 over the _peerlink_ bond in VLAN 123: 
 
iface vlan123 
post-up bridge fdb add MM:MM:MM:11:11:11 dev peerlink vlan 123 master static

# Repeat steps above for each VLAN. | | | -| [2535877](#2535877)
| Mellanox switches prefer a MAC entry learned through the VNI over a permanent entry for the corresponding SVI. | | | +| [2535877, 2535399](#2535877, 2535399)
| Mellanox switches prefer a MAC entry learned through the VNI over a permanent entry for the corresponding SVI. | | | | [2535799](#2535799)
| On the Mellanox Spectrum switch, VXLAN-encapsulated packets are not being forwarded. | | | | [2535733](#2535733)
| If you insert a 1G LX module into an Edgecore 4610 or 5812 switch or reboot the switch with this module installed, no traffic is passed on the switch port when auto-negotiation is enabled. Flapping the link down or up does not repair it.
To work around this issue, disable auto-negotiation, then re-enable it to repair the link; otherwise, disable auto-negotiation permanently. For example, if swp1 has the 1G module, disable then re-enable auto-negotiation as follows: 
 
cumulus@switch:~$ net add interface swp1 link autoneg off 
cumulus@switch:~$ net commit 
cumulus@switch:~$ net add interface swp1 link autoneg on 
cumulus@switch:~$ net commit
| | | | [2535078](#2535078)
| When you use NCLU to delete an interface, the associated configuration is not removed from the /etc/frr/frr.conf file. | | | | [2534900](#2534900)
| Removing a VLAN from a bridge configured with VXLAN causes a network service outage until the configuration change is reverted with the net rollback last command. To work around this issue, remove the VNI interface first, then remove the unused VLAN from the bridge. | | | | [2533615](#2533615)
| Configuring an IP address on any local layer 3 interface causes the interface IP address to be placed in the BGP martian next hop table. However, subsequent removal of that address from an interface does not remove it from the BGP martian next hop table. | | | | [2532608](#2532608)
| On rare occasions, duplicate packets are seen in an EVPN configuration when routing between a dual-attached local host in one subnet and a remote host in another subnet. This is because the gateway VTEP does not have its VRR MAC address (anycast MAC address) configured on all gateway VTEPs in the bridge forwarding table
Run the ifreload -a -X eth0 command to update the interface configuration on all gateway VTEPs. | | | -| [2531159](#2531159)
| MLAG does not sync permanent MAC addresses between peers and nolearning is turned on; traffic with a next-hop pointing to the peerlink is forwarded to the CPU and throughput is limited.
Permanent MAC address sync between MLAG peers is now supported. | | | +| [2531159, 2531602](#2531159, 2531602)
| MLAG does not sync permanent MAC addresses between peers and nolearning is turned on; traffic with a next-hop pointing to the peerlink is forwarded to the CPU and throughput is limited.
Permanent MAC address sync between MLAG peers is now supported. | | | | [2529692](#2529692)
| In some instances, ARP requests are not suppressed in a VXLAN active-active configuration but get flooded over VXLAN tunnels instead. This issue occurs because there is no control plane syncing the snooped local neighbor entries between the MLAG pair; MLAG does not perform this sync and neither does EVPN. | | | ## 3.7.1 Release Notes @@ -3454,11 +3454,11 @@ pdfhidden: True | [2537805](#2537805)
| When you configure an IPv6 only neighbor with NCLU without the peer-group command, then execute the same commands again, the BGP session is reset.
For example, if you run the following commands: 
 
cumulus@switch:~$ net add bgp neighbor swp29 interface remote-as external 
cumulus@switch:~$ net add bgp neighbor swp29 interface v6only

Cumulus Linux removes the net commands and adds the following line to FRR (using v6only remote-as), which causes BGP to flap. 
 
neighbor swp29 interface v6only remote-as external

This issue does not occur if you add the peer-group command; for example: 
 
cumulus@switch:~$ net add bgp neighbor external peer-group 
cumulus@switch:~$ net add bgp neighbor external remote-as external 
cumulus@switch:~$ net add bgp neighbor swp29 interface v6only peer-group external

. | 3.7.0-3.7.3 | 3.7.4-3.7.16| | [2537699](#2537699)
| There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces: 
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
| 3.7.1-3.7.16, 4.0.0-4.4.5 | | | [2537641](#2537641)
| On the Celestica RedstoneV switch, the hardware settings are incorrect on swp14 and swp22. | 3.7.0-3.7.2 | 3.7.3-3.7.16| -| [2537544](#2537544)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | -| [2537409](#2537409)
| It is not currently possible to bring up some 10G LR interfaces on Mellanox switches as auto-negotiation is set to on in hardware. | 3.7.1-3.7.3 | 3.7.4-3.7.16| +| [2537544, 2537365](#2537544, 2537365)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2537409, 2538035](#2537409, 2538035)
| It is not currently possible to bring up some 10G LR interfaces on Mellanox switches as auto-negotiation is set to on in hardware. | 3.7.1-3.7.3 | 3.7.4-3.7.16| | [2537378](#2537378)
| NCLU SNMPv3 user configuration (add, delete, modify) does not complete. Changes are made to the /etc/snmp/snmpd.conf file but the SNMPv3 user cache file /var/lib/snmp/snmpd.conf fails to update correctly and the configuration does not reflect in operation.
To work around this issue, stop snmpd, remove the cache file, then restart snmpd.
| 3.7.1-3.7.16 | | | [2537111](#2537111)
| The gshut community is not removed after you commit the configuration.
| 3.7.0-3.7.3 | 3.7.4-3.7.16| -| [2537104](#2537104)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | 4.0.0-4.4.5| +| [2537104, 2534061](#2537104, 2534061)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | 4.0.0-4.4.5| | [2537085](#2537085)
| When you run the net add (bond\|interface) bridge pvid command, NCLU does not add the port as a slave of the VLAN-aware bridge. | 3.7.1-3.7.2 | 3.7.3-3.7.16| | [2537061](#2537061)
| The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent.
| 3.7.1-4.0.1 | 4.1.0-4.4.5| | [2537038](#2537038)
| When you run the NCLU net show system command on the Dell S5248F-ON switch, the output shows blank values for both CPU and Chipset: 
 
cumulus@switch:~$ net show system 
Dellemc S5248F 
... 

Chipset: 
Port Config: 48 x 25G-SFP28 & 4 x 100G-QSFP28 & 2 x 200G-QSFP-DD 
CPU: 
Uptime: 0:37:19.280000
| 3.7.0-3.7.1 | 3.7.2-3.7.16| @@ -3475,11 +3475,11 @@ pdfhidden: True | [2536520](#2536520)
| When you run the net show system command on a Facebook Backpack switch, you see an error in netd.log: 
 
2018-09-21T03:10:20.476355+00:00 cel-bs02-fc1 netd: INFO: RXed: user cumulus, command "/usr/bin/net show system" 
2018-09-21T03:10:20.559883+00:00 cel-bs02-fc1 netd: WARNING: Could not detect platform information for "cel,bigstone_g_fab1"
| 3.7.0-3.7.1 | 3.7.2-3.7.16| | [2536447](#2536447)
| Add the DAS listener service to the /etc/vrf/systemd.conf file so it can be started in the management VRF as needed. | 3.7.0-3.7.1 | 3.7.2-3.7.16| | [2536384](#2536384)
| The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | -| [2536245](#2536245)
| When using dynamic route leaking, software forwarding of packets fails between the connected source and destination.
To work around this issue, configure the leak on a switch that does not have any locally-connected hosts. | 3.7.1-3.7.2 | 3.7.3-3.7.16| +| [2536245, 2536488, 2537976](#2536245, 2536488, 2537976)
| When using dynamic route leaking, software forwarding of packets fails between the connected source and destination.
To work around this issue, configure the leak on a switch that does not have any locally-connected hosts. | 3.7.1-3.7.2 | 3.7.3-3.7.16| | [2536179](#2536179)
| On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2535986](#2535986)
| At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.
When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2535965](#2535965)
| On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly.
To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | -| [2535751](#2535751)
| The NCLU net add and net commit commands change the interfaces file even if you add a service like snmp/hostname/etc. This causes an issue with automation. For example, Ansible runs handlers (ifreload -a for interfaces) during each push if the file being edited changes. | 3.7.0-3.7.2 | 3.7.3-3.7.16| +| [2535751, 2535802](#2535751, 2535802)
| The NCLU net add and net commit commands change the interfaces file even if you add a service like snmp/hostname/etc. This causes an issue with automation. For example, Ansible runs handlers (ifreload -a for interfaces) during each push if the file being edited changes. | 3.7.0-3.7.2 | 3.7.3-3.7.16| | [2534450](#2534450)
| The default BGP instance must be provisioned and always exist for proper operation of dynamic leaking of routes between VRFs. | 3.7.0-3.7.16 | 4.0.0-4.4.5| | [2533039](#2533039)
| Currently, Cumulus Linux does not program the remote network SVI IP address in the route table. As a result, you can't ping the remote network gateway address; however, you can ping the hosts in that remote network. | 3.7.0-3.7.2 | 3.7.3-3.7.16| | [2532924](#2532924)
| The NetQ agent is bundled with Cumulus VX 3.4.3 and later; however, the NetQ agent is not bundled with Cumulus Linux 3.4.3 and later. The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bundled with Cumulus Linux in a future release. | 3.7.0-3.7.6 | 3.7.7-3.7.16| @@ -3546,7 +3546,7 @@ pdfhidden: True | [2536179](#2536179)
| On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2535986](#2535986)
| At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.
When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2535965](#2535965)
| On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly.
To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | -| [2535751](#2535751)
| The NCLU net add and net commit commands change the interfaces file even if you add a service like snmp/hostname/etc. This causes an issue with automation. For example, Ansible runs handlers (ifreload -a for interfaces) during each push if the file being edited changes. | 3.7.0-3.7.2 | 3.7.3-3.7.16| +| [2535751, 2535802](#2535751, 2535802)
| The NCLU net add and net commit commands change the interfaces file even if you add a service like snmp/hostname/etc. This causes an issue with automation. For example, Ansible runs handlers (ifreload -a for interfaces) during each push if the file being edited changes. | 3.7.0-3.7.2 | 3.7.3-3.7.16| | [2534450](#2534450)
| The default BGP instance must be provisioned and always exist for proper operation of dynamic leaking of routes between VRFs. | 3.7.0-3.7.16 | 4.0.0-4.4.5| | [2533039](#2533039)
| Currently, Cumulus Linux does not program the remote network SVI IP address in the route table. As a result, you can't ping the remote network gateway address; however, you can ping the hosts in that remote network. | 3.7.0-3.7.2 | 3.7.3-3.7.16| | [2532924](#2532924)
| The NetQ agent is bundled with Cumulus VX 3.4.3 and later; however, the NetQ agent is not bundled with Cumulus Linux 3.4.3 and later. The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bundled with Cumulus Linux in a future release. | 3.7.0-3.7.6 | 3.7.7-3.7.16| @@ -3562,12 +3562,12 @@ pdfhidden: True | [2536069](#2536069)
| The link-down yes configuration in the /etc/network/interfaces file does not work for eth0 or eth1 configured in the management VRF. This issue is not observed if the Ethernet interface is in the default VRF. | | | | [2536041](#2536041)
| When you start an Ansible playbook on an unlicensed Mellanox switch, a kernel fault occurs when setup script is being executed. | | | | [2536034](#2536034)
| After a sequence of MAC moves and IP moves, the leaf switches behind which the host is present point to the old MAC address associated with that IP address. | | | -| [2536011](#2536011)
| When you run an NCLU command from the command line, the command hangs without a response. | | | +| [2536011, 2535885](#2536011, 2535885)
| When you run an NCLU command from the command line, the command hangs without a response. | | | | [2535951](#2535951)
| If a bond is configured with NCLU, incorrect configuration is generated on the system so that when you run net show config commands, you see a message stating that the vid and pvid commands are not supported and incorrect commands are provided to configure them. | | | | [2535939](#2535939)
| When you add a new peer group, then change the AFIs associated with that peer group, the frr-reload script fails with the error Specify remote-as or peer-group commands first.
To work around this issue, perform the configuration in two separate commits. First, create the peer groups and commit, then change the AFIs in a second commit. | | | | [2535912](#2535912)
| The BFD UDP source port range is incorrect. | | | | [2535873](#2535873)
| An ML2 REST API call to add a host to the bridge fails with an error. | | | -| [2535869](#2535869)
| When you configure a breakout port using NCLU, the configuration is not successful. | | | +| [2535869, 2532116, 2536110, 2536485](#2535869, 2532116, 2536110, 2536485)
| When you configure a breakout port using NCLU, the configuration is not successful. | | | | [2535841](#2535841)
| When a BGP peer is created with max med on startup, a timer is created. Deleting the BGP instance that contains that peer during the window in which the timer is still running results in a BGPd crash. | | | | [2535774](#2535774)
| For hosts (virtual machines) that rely on VRR, it is expected that the virtual-address is periodically sent by the gateway to avoid flooding on kvm/libvirt.
Cumulus Linux sends GARP messages every 150 seconds out of the -v0 interface so the packet is not transmitted on the physical VLAN interface. | | | | [2535744](#2535744)
| NCLU mistakenly believes the FRR reload state is not active and restarts the service. | | | @@ -3581,7 +3581,7 @@ pdfhidden: True | [2535087](#2535087)
| When you use the net del all command in a configuration that is run by an Ansible script, the peerlink.4094 interface remains in the configuration, which prevents the commit from completing because the configured MTU is not accepted. | | | | [2534865](#2534865)
| On Maverick 100G switches, after enabling FEC on links with 100G AOC cables, random links do not come up after a reboot. To work around this issue, disable FEC on 100G AOC links. | | | | [2534556](#2534556)
| After moving an IP address to a new host, the neighbor table and EVPN routes do not update properly after receiving a GARP from the new MAC address to which the previously-active IP address has been moved. This issue is being investigated at this time. | | | -| [2534230](#2534230)
| On a Cumulus Linux switch, if a bridge has VXLAN interfaces, then the arp_accept and arp_ignore options do not work for any switch virtual interfaces (SVIs).
To work around this issue, disable ARP suppression on the VXLAN interfaces. For example, if the VXLAN is named vni100, disable ARP suppression on it with the following command: 
 
cumulus@switch:~$ net add vxlan vni100 bridge arp-nd-suppress off 
cumulus@switch:~$ net commit

This issue should be fixed in a future release of Cumulus Linux. | | | +| [2534230, 2537771](#2534230, 2537771)
| On a Cumulus Linux switch, if a bridge has VXLAN interfaces, then the arp_accept and arp_ignore options do not work for any switch virtual interfaces (SVIs).
To work around this issue, disable ARP suppression on the VXLAN interfaces. For example, if the VXLAN is named vni100, disable ARP suppression on it with the following command: 
 
cumulus@switch:~$ net add vxlan vni100 bridge arp-nd-suppress off 
cumulus@switch:~$ net commit

This issue should be fixed in a future release of Cumulus Linux. | | | | [2534087](#2534087)
| In a VXLAN centralized routing configuration, IPv6 hosts (auto-configured using SLAAC) might experience intermittent connectivity loss between VXLAN segments (inter-subnet routing) within the data center fabric (EVPN type-5 external routes are not affected). The NA message has the wrong flag set (the router flag is not set, which is incorrect behavior based on RFC 4861, Section 4.4). To work around this issue, configure bridge-arp-nd-suppress off under VNI interfaces for all VTEP devices. | | | | [2533775](#2533775)
| The Edgecore AS4610-54T switch always displays a yellow system LED. | | | | [2527924](#2527924)
| When adding applying an anycast IP address in a VXLAN configuration to a pair of switches, the clagd process stops. | | | diff --git a/content/cumulus-linux-37/rn.xml b/content/cumulus-linux-37/rn.xml index f25fcb8db4..dfd5d4863a 100644 --- a/content/cumulus-linux-37/rn.xml +++ b/content/cumulus-linux-37/rn.xml @@ -75,7 +75,7 @@ To work around this issue, change the TCAM profile to {{acl-heavy}} or {{ip-acl- 4.3.1, 5.3.0-5.16.1 -3129819 +3129819, 3040075 On the EdgeCore AS4610 switch, the {{clagd}} service loses communication after 198 days of uptime. 3.7.15-3.7.16 @@ -233,7 +233,7 @@ This example assumes no other static routes are present. Otherwise, you might ne 4.4.3-4.4.5, 5.1.0-5.16.1 -2899413 +2899413, 3036049, 3069904 Broadcom switches return a table full error when creating VXLAN gports, which causes {{switchd}} to crash. 3.7.15-4.3.0 4.3.1-4.4.5 @@ -327,7 +327,7 @@ To work around this issue, run the {{net add bond <name> bond mode balance -2743186 +2743186, 2734100, 2731464, 3438708 When you use MD5 passwords and you configure a non-default VRF before the default VRF in the {{/etc/frr/frr.conf}} file, numbered BGP sessions do not establish. 3.7.15-5.1.0 5.2.0-5.16.1 @@ -339,13 +339,13 @@ To work around this issue, run the {{net add bond <name> bond mode balance 4.3.1-4.4.5, 4.4.2-4.4.5 -2716822 +2716822, 2710844 The {{/etc/cumulus/ports.conf}} file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports. 3.7.15-4.3.0 4.3.1-4.4.5 -2713888 +2713888, 2834357 With the {{ip-acl-heavy}} TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly. hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources @@ -388,7 +388,7 @@ This example assumes no other static routes are present. Otherwise, you might ne 4.3.0-4.4.5 -2684452 +2684452, 2701788, 2940067 When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table. You can work around this issue with the following steps: @@ -479,7 +479,7 @@ To work around this issue, increase the burst value of the ARP policers to 200 o 4.3.0-4.4.5 -2555175 +2555175, 3195351, 2672721 Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. 3.7.15-4.3.1 4.3.2-4.4.5 @@ -616,7 +616,7 @@ To work around this issue, use the {{ethtool -m <interface>}} command.4.3.0-4.4.5 -2552742 +2552742, 2553000, 2553936 On the Mellanox SN2410 switch, you see {{switchd}} core and {{GBIN_MALLOC}} errors. To work around this issue, restart {{switchd}}. 3.7.12-4.2.1 @@ -912,7 +912,7 @@ To work around this issue, move 100G SR4 modules to one of the ports not affecte -2547706 +2547706, 2544456, 2549513 When you configure ganged ports in the {{ports.conf}} file, the change does not take effect after you restart {{switchd}}. To work around this issue, reboot the switch. 3.7.11-3.7.16, 4.0.0-4.4.5 @@ -1026,7 +1026,7 @@ To increase the {{systemd}} timeout: -2546225 +2546225, 2541038 When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in {{/var/lib/cumulus/installer}}, which causes issues with cl-support. sudo onie-install -fai http://<path to image> @@ -1045,7 +1045,7 @@ To increase the {{systemd}} timeout: -2546131 +2546131, 2542979 On the Delta AG-6248C PoE switch, when you run the {{apt upgrade}} command, the upgrade does not work. Cumulus Linux uses {{uboot}} directly instead of {{grub}} to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the {{apt upgrade}} command to upgrade Linux packages, {{uboot}} is unable to boot up the kernel. To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the {{onie-select}} command to go into ONIE, and then use the {{nos-install}} command in ONIE to install a new image. This workaround only works when an out-of-band network is present. @@ -1144,7 +1144,7 @@ To work around this issue, do not use auto-negotiation and set the local port sp -2544456 +2544456, 2546166, 2546167, 2547706, 2549513 The NCLU {{net show lldp}} command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. 3.7.9-3.7.16, 4.0.0-4.4.5 @@ -1177,7 +1177,7 @@ To work around this issue, disable MAC learning on QinQ VLANs by adding {{bridge -2543841 +2543841, 2544947 The {{net show evpn vni detail json}} command includes an extra empty dictionary at the end of the output. 3.7.8-3.7.16, 4.0.0-4.4.5 @@ -1220,7 +1220,7 @@ To work around this issue, disable MAC learning on QinQ VLANs by adding {{bridge 4.0.0-4.4.5 -2543270 +2543270, 2549352 The default route injected through OSPF when you configure {{default-information originate always}} is unreliable and might age out unexpectedly. To work around this issue, rely on a different source of default route other than injection with {{default-information originate}}. 3.7.8-4.1.1 @@ -1273,7 +1273,7 @@ You can prevent EVPN next hops from not being removed when the contributing peer 4.0.0-4.4.5 -2542979 +2542979, 2546131 On the Dell-N3048EP-ON switch, when you run the {{sudo -E apt upgrade}} command, the upgrade does not work. 3.7.7-4.1.1 4.2.0-4.4.5 @@ -1289,7 +1289,7 @@ cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad -2542310 +2542310, 2523456 {{hsflow}} disregards the setting for {{agent.cidr}} in the {{/etc/hsflowd.conf}} file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the {{hsflow}} payload shows IPv6. 3.7.6-3.7.16 @@ -1402,7 +1402,7 @@ This issue only affects QinQ configurations. -2540204 +2540204, 2713883 When links come up after FRR is started, VRF connected routes do not get redistributed. 3.7.4-3.7.16, 4.0.0-4.4.5 @@ -1576,7 +1576,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal 4.1.0-4.4.5 -2537819 +2537819, 2542964 When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none. 3.7.2-3.7.16 @@ -1595,7 +1595,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537544 +2537544, 2537365 When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB. 3.7.1-3.7.16, 4.0.0-4.4.5 @@ -1617,7 +1617,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537104 +2537104, 2534061 When you try to stop {{hsflowd}} on the Trident II+ switch with the {{systemctl stop hsflowd}} command, the process hangs until you stop it with {{SIGKILL}}. 3.7.1-3.7.16 @@ -1691,7 +1691,7 @@ When the MAC mobility sequence that BGP knows legitimately lowers (due to narrow 3.7.12-3.7.15 -2973714 +2973714, 2826122 When you configure 199 VXLANs plus 199 VLANs, {{clagd}} crashes every few seconds. 3.7.15, 4.3.0, 4.4.0-4.4.1 @@ -1726,7 +1726,7 @@ The problem is seen on the switch that experiences the {{clagd}} state transitio 3.7.12-3.7.15, 4.1.1-4.3.0 -2940052 +2940052, 2748965 When you configure the switch with the minimum reserved VLAN of 150 and the internal VLANs are exhausted, the MLAG peer does not forward the VLAN. 3.7.15, 4.2.1-4.3.0 @@ -1757,7 +1757,7 @@ This operation is not supported in the kernel without recreating the SVI. To app 3.7.15 -2879645 +2879645, 2879646 When you add a new VLAN, the VLAN interface type shows as {{unknown}} and cannot be reached. 3.7.15 @@ -1820,7 +1820,7 @@ MemoryError 4.2.1-4.3.0 -2794750 +2794750, 2555635 When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF. To work around this issue, remove the unnecessary eBGP IPv4 peering. 3.7.12-3.7.15, 4.0.0-4.2.1 @@ -1879,7 +1879,7 @@ sudo systemctl restart clagd.service 3.7.10-3.7.15 -2638400 +2638400, 3348697 When you stop {{clagd}} on the MLAG primary switch (for example, when you reboot the switch), in rare conditions the MLAG secondary switch might fail to properly assert itself as the MLAG primary switch. To work around this issue, change the primary designation by configuring the {{clagd}} priorities to ensure that you only reboot a switch that is in the MLAG secondary role. 3.7.15, 4.3.0 @@ -1962,7 +1962,7 @@ When the MAC mobility sequence that BGP knows legitimately lowers (due to narrow 4.3.1-4.4.5 -3129819 +3129819, 3040075 On the EdgeCore AS4610 switch, the {{clagd}} service loses communication after 198 days of uptime. 3.7.15-3.7.16 @@ -2045,7 +2045,7 @@ The following attribute: {{vxlan-purge-remotes yes}} is intended to fix the issu 4.3.1-4.4.5 -2973714 +2973714, 2826122 When you configure 199 VXLANs plus 199 VLANs, {{clagd}} crashes every few seconds. 3.7.15-4.3.0, 4.4.0-4.4.1 4.3.1, 4.4.2-4.4.5, 5.0.0-5.16.1 @@ -2116,7 +2116,7 @@ The problem is seen on the switch that experiences the {{clagd}} state transitio 3.7.16, 4.3.1-4.4.5, 5.0.0-5.16.1 -2940052 +2940052, 2748965 When you configure the switch with the minimum reserved VLAN of 150 and the internal VLANs are exhausted, the MLAG peer does not forward the VLAN. 3.7.15-4.3.0 4.3.1-4.4.5 @@ -2192,13 +2192,13 @@ This example assumes no other static routes are present. Otherwise, you might ne 4.4.3-4.4.5, 5.1.0-5.16.1 -2899413 +2899413, 3036049, 3069904 Broadcom switches return a table full error when creating VXLAN gports, which causes {{switchd}} to crash. 3.7.15-4.3.0 4.3.1-4.4.5 -2879645 +2879645, 2879646 When you add a new VLAN, the VLAN interface type shows as {{unknown}} and cannot be reached. 3.7.15 3.7.16 @@ -2328,7 +2328,7 @@ MemoryError -2794750 +2794750, 2555635 When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF. To work around this issue, remove the unnecessary eBGP IPv4 peering. 3.7.12-4.2.1 @@ -2347,7 +2347,7 @@ To work around this issue, remove the unnecessary eBGP IPv4 peering. -2743186 +2743186, 2734100, 2731464, 3438708 When you use MD5 passwords and you configure a non-default VRF before the default VRF in the {{/etc/frr/frr.conf}} file, numbered BGP sessions do not establish. 3.7.15-5.1.0 5.2.0-5.16.1 @@ -2371,13 +2371,13 @@ To work around this issue, remove the unnecessary eBGP IPv4 peering. 3.7.16 -2716822 +2716822, 2710844 The {{/etc/cumulus/ports.conf}} file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports. 3.7.15-4.3.0 4.3.1-4.4.5 -2713888 +2713888, 2834357 With the {{ip-acl-heavy}} TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly. hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources @@ -2437,7 +2437,7 @@ This example assumes no other static routes are present. Otherwise, you might ne 4.3.0-4.4.5 -2684452 +2684452, 2701788, 2940067 When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table. You can work around this issue with the following steps: @@ -2513,7 +2513,7 @@ sudo systemctl restart clagd.service 3.7.16, 4.3.1-4.4.5 -2638400 +2638400, 3348697 When you stop {{clagd}} on the MLAG primary switch (for example, when you reboot the switch), in rare conditions the MLAG secondary switch might fail to properly assert itself as the MLAG primary switch. To work around this issue, change the primary designation by configuring the {{clagd}} priorities to ensure that you only reboot a switch that is in the MLAG secondary role. 3.7.15, 4.3.0 3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5 @@ -2572,7 +2572,7 @@ To work around this issue, increase the burst value of the ARP policers to 200 o 4.3.0-4.4.5 -2555175 +2555175, 3195351, 2672721 Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. 3.7.15-4.3.1 4.3.2-4.4.5 @@ -2709,7 +2709,7 @@ To work around this issue, use the {{ethtool -m <interface>}} command.4.3.0-4.4.5 -2552742 +2552742, 2553000, 2553936 On the Mellanox SN2410 switch, you see {{switchd}} core and {{GBIN_MALLOC}} errors. To work around this issue, restart {{switchd}}. 3.7.12-4.2.1 @@ -3011,7 +3011,7 @@ To work around this issue, move 100G SR4 modules to one of the ports not affecte -2547706 +2547706, 2544456, 2549513 When you configure ganged ports in the {{ports.conf}} file, the change does not take effect after you restart {{switchd}}. To work around this issue, reboot the switch. 3.7.11-3.7.16, 4.0.0-4.4.5 @@ -3125,7 +3125,7 @@ To increase the {{systemd}} timeout: -2546225 +2546225, 2541038 When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in {{/var/lib/cumulus/installer}}, which causes issues with cl-support. sudo onie-install -fai http://<path to image> @@ -3144,7 +3144,7 @@ To increase the {{systemd}} timeout: -2546131 +2546131, 2542979 On the Delta AG-6248C PoE switch, when you run the {{apt upgrade}} command, the upgrade does not work. Cumulus Linux uses {{uboot}} directly instead of {{grub}} to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the {{apt upgrade}} command to upgrade Linux packages, {{uboot}} is unable to boot up the kernel. To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the {{onie-select}} command to go into ONIE, and then use the {{nos-install}} command in ONIE to install a new image. This workaround only works when an out-of-band network is present. @@ -3243,7 +3243,7 @@ To work around this issue, do not use auto-negotiation and set the local port sp -2544456 +2544456, 2546166, 2546167, 2547706, 2549513 The NCLU {{net show lldp}} command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. 3.7.9-3.7.16, 4.0.0-4.4.5 @@ -3276,7 +3276,7 @@ To work around this issue, disable MAC learning on QinQ VLANs by adding {{bridge -2543841 +2543841, 2544947 The {{net show evpn vni detail json}} command includes an extra empty dictionary at the end of the output. 3.7.8-3.7.16, 4.0.0-4.4.5 @@ -3319,7 +3319,7 @@ To work around this issue, disable MAC learning on QinQ VLANs by adding {{bridge 4.0.0-4.4.5 -2543270 +2543270, 2549352 The default route injected through OSPF when you configure {{default-information originate always}} is unreliable and might age out unexpectedly. To work around this issue, rely on a different source of default route other than injection with {{default-information originate}}. 3.7.8-4.1.1 @@ -3372,7 +3372,7 @@ You can prevent EVPN next hops from not being removed when the contributing peer 4.0.0-4.4.5 -2542979 +2542979, 2546131 On the Dell-N3048EP-ON switch, when you run the {{sudo -E apt upgrade}} command, the upgrade does not work. 3.7.7-4.1.1 4.2.0-4.4.5 @@ -3388,7 +3388,7 @@ cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad -2542310 +2542310, 2523456 {{hsflow}} disregards the setting for {{agent.cidr}} in the {{/etc/hsflowd.conf}} file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the {{hsflow}} payload shows IPv6. 3.7.6-3.7.16 @@ -3501,7 +3501,7 @@ This issue only affects QinQ configurations. -2540204 +2540204, 2713883 When links come up after FRR is started, VRF connected routes do not get redistributed. 3.7.4-3.7.16, 4.0.0-4.4.5 @@ -3675,7 +3675,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal 4.1.0-4.4.5 -2537819 +2537819, 2542964 When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none. 3.7.2-3.7.16 @@ -3694,7 +3694,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537544 +2537544, 2537365 When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB. 3.7.1-3.7.16, 4.0.0-4.4.5 @@ -3716,7 +3716,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537104 +2537104, 2534061 When you try to stop {{hsflowd}} on the Trident II+ switch with the {{systemctl stop hsflowd}} command, the process hangs until you stop it with {{SIGKILL}}. 3.7.1-3.7.16 @@ -3784,7 +3784,7 @@ To work around this issue, correct the bridge VIDs and restart {{switchd}} or de Affects -2599607 +2599607, 2545364, 3297583 In some corner cases, remote MAC entries may be seen as locally learnt entries in FDB table due to switchd reprogramming it 3.7.12-3.7.14.2 @@ -3827,13 +3827,13 @@ To work around this issue, disable ARP suppression. 3.7.9-3.7.14.2 -2556023 +2556023, 2555201 After upgrading Cumulus Linux with the {{apt-upgrade}} command, then rebooting an MLAG pair, if there are no bonds configured with a {{clag-id}}, the {{clagd}} service has difficulty peering, and holds all MLAG interfaces and VNIs in a proto down state. To work around this issue, after upgrading both switches, restart the {{clagd}} service with the {{sudo systemctl restart clagd}} command on each MLAG pair. 3.7.14-3.7.14.2 -2556011 +2556011, 2556276 On Broadcom switches, after repeated VLAN or VXLAN configuration changes, {{switchd}} memory might not free up appropriately, which can lead to a crash. 3.7.14, 4.0.0-4.2.1 @@ -3881,7 +3881,7 @@ To work around this issue, reboot the switch. 3.7.11-3.7.14.2, 4.2.1 -2552213 +2552213, 2553637 The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with {{Unable to read from device/fan1_input/pwm1}} syslog messages. 3.7.11-3.7.14, 4.1.1-4.3.0 @@ -4097,7 +4097,7 @@ Reboot the affected switches. 3.7.16, 4.3.1, 5.0.0-5.16.1 -2794750 +2794750, 2555635 When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF. To work around this issue, remove the unnecessary eBGP IPv4 peering. 3.7.12-4.2.1 @@ -4167,7 +4167,7 @@ This example assumes no other static routes are present. Otherwise, you might ne 4.3.0-4.4.5 -2684452 +2684452, 2701788, 2940067 When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table. You can work around this issue with the following steps: @@ -4249,7 +4249,7 @@ sudo systemctl restart clagd.service -2599607 +2599607, 2545364, 3297583 In some corner cases, remote MAC entries may be seen as locally learnt entries in FDB table due to switchd reprogramming it 3.7.12-4.3.0 4.3.1-4.4.5, 4.4.4-4.4.5, 5.0.0-5.16.1 @@ -4320,7 +4320,7 @@ To work around this issue, disable ARP suppression. 4.2.1-4.4.5 -2556023 +2556023, 2555201 After upgrading Cumulus Linux with the {{apt-upgrade}} command, then rebooting an MLAG pair, if there are no bonds configured with a {{clag-id}}, the {{clagd}} service has difficulty peering, and holds all MLAG interfaces and VNIs in a proto down state. To work around this issue, after upgrading both switches, restart the {{clagd}} service with the {{sudo systemctl restart clagd}} command on each MLAG pair. 3.7.14-3.7.14.2 @@ -4511,7 +4511,7 @@ To work around this issue, use the {{ethtool -m <interface>}} command.4.3.0-4.4.5 -2552742 +2552742, 2553000, 2553936 On the Mellanox SN2410 switch, you see {{switchd}} core and {{GBIN_MALLOC}} errors. To work around this issue, restart {{switchd}}. 3.7.12-4.2.1 @@ -4830,7 +4830,7 @@ To work around this issue, move 100G SR4 modules to one of the ports not affecte -2547706 +2547706, 2544456, 2549513 When you configure ganged ports in the {{ports.conf}} file, the change does not take effect after you restart {{switchd}}. To work around this issue, reboot the switch. 3.7.11-3.7.16, 4.0.0-4.4.5 @@ -4944,7 +4944,7 @@ To increase the {{systemd}} timeout: -2546225 +2546225, 2541038 When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in {{/var/lib/cumulus/installer}}, which causes issues with cl-support. sudo onie-install -fai http://<path to image> @@ -4963,7 +4963,7 @@ To increase the {{systemd}} timeout: -2546131 +2546131, 2542979 On the Delta AG-6248C PoE switch, when you run the {{apt upgrade}} command, the upgrade does not work. Cumulus Linux uses {{uboot}} directly instead of {{grub}} to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the {{apt upgrade}} command to upgrade Linux packages, {{uboot}} is unable to boot up the kernel. To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the {{onie-select}} command to go into ONIE, and then use the {{nos-install}} command in ONIE to install a new image. This workaround only works when an out-of-band network is present. @@ -5062,7 +5062,7 @@ To work around this issue, do not use auto-negotiation and set the local port sp -2544456 +2544456, 2546166, 2546167, 2547706, 2549513 The NCLU {{net show lldp}} command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. 3.7.9-3.7.16, 4.0.0-4.4.5 @@ -5095,7 +5095,7 @@ To work around this issue, disable MAC learning on QinQ VLANs by adding {{bridge -2543841 +2543841, 2544947 The {{net show evpn vni detail json}} command includes an extra empty dictionary at the end of the output. 3.7.8-3.7.16, 4.0.0-4.4.5 @@ -5138,7 +5138,7 @@ To work around this issue, disable MAC learning on QinQ VLANs by adding {{bridge 4.0.0-4.4.5 -2543270 +2543270, 2549352 The default route injected through OSPF when you configure {{default-information originate always}} is unreliable and might age out unexpectedly. To work around this issue, rely on a different source of default route other than injection with {{default-information originate}}. 3.7.8-4.1.1 @@ -5191,7 +5191,7 @@ You can prevent EVPN next hops from not being removed when the contributing peer 4.0.0-4.4.5 -2542979 +2542979, 2546131 On the Dell-N3048EP-ON switch, when you run the {{sudo -E apt upgrade}} command, the upgrade does not work. 3.7.7-4.1.1 4.2.0-4.4.5 @@ -5207,7 +5207,7 @@ cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad -2542310 +2542310, 2523456 {{hsflow}} disregards the setting for {{agent.cidr}} in the {{/etc/hsflowd.conf}} file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the {{hsflow}} payload shows IPv6. 3.7.6-3.7.16 @@ -5320,7 +5320,7 @@ This issue only affects QinQ configurations. -2540204 +2540204, 2713883 When links come up after FRR is started, VRF connected routes do not get redistributed. 3.7.4-3.7.16, 4.0.0-4.4.5 @@ -5494,7 +5494,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal 4.1.0-4.4.5 -2537819 +2537819, 2542964 When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none. 3.7.2-3.7.16 @@ -5513,7 +5513,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537544 +2537544, 2537365 When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB. 3.7.1-3.7.16, 4.0.0-4.4.5 @@ -5535,7 +5535,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537104 +2537104, 2534061 When you try to stop {{hsflowd}} on the Trident II+ switch with the {{systemctl stop hsflowd}} command, the process hangs until you stop it with {{SIGKILL}}. 3.7.1-3.7.16 @@ -5603,7 +5603,7 @@ To work around this issue, correct the bridge VIDs and restart {{switchd}} or de Affects -2556012 +2556012, 2556276 On Broadcom switches, after repeated VLAN or VXLAN configuration changes, {{switchd}} memory might not free up appropriately, which can lead to a crash. 3.7.14, 4.0.0-4.2.1 @@ -5619,7 +5619,7 @@ You can see the temperature reading in the output of the {{sensors}} command.3.7.14 -2552214 +2552214, 2553637 The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with {{Unable to read from device/fan1_input/pwm1}} syslog messages. 3.7.11-3.7.14, 4.1.1-4.3.0 @@ -5789,7 +5789,7 @@ Reboot the affected switches. 3.7.16, 4.3.1, 5.0.0-5.16.1 -2794750 +2794750, 2555635 When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF. To work around this issue, remove the unnecessary eBGP IPv4 peering. 3.7.12-4.2.1 @@ -5847,7 +5847,7 @@ This example assumes no other static routes are present. Otherwise, you might ne 4.3.0-4.4.5 -2684452 +2684452, 2701788, 2940067 When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table. You can work around this issue with the following steps: @@ -5912,7 +5912,7 @@ sudo systemctl restart clagd.service -2599607 +2599607, 2545364, 3297583 In some corner cases, remote MAC entries may be seen as locally learnt entries in FDB table due to switchd reprogramming it 3.7.12-4.3.0 4.3.1-4.4.5, 4.4.4-4.4.5, 5.0.0-5.16.1 @@ -5977,14 +5977,14 @@ To work around this issue, disable ARP suppression. 4.2.1-4.4.5 -2556023 +2556023, 2555201 After upgrading Cumulus Linux with the {{apt-upgrade}} command, then rebooting an MLAG pair, if there are no bonds configured with a {{clag-id}}, the {{clagd}} service has difficulty peering, and holds all MLAG interfaces and VNIs in a proto down state. To work around this issue, after upgrading both switches, restart the {{clagd}} service with the {{sudo systemctl restart clagd}} command on each MLAG pair. 3.7.14-3.7.14.2 3.7.15-3.7.16 -2556012 +2556012, 2556276 On Broadcom switches, after repeated VLAN or VXLAN configuration changes, {{switchd}} memory might not free up appropriately, which can lead to a crash. 3.7.14-3.7.14.2, 4.0.0-4.2.1 3.7.15-3.7.16, 4.3.0-4.4.5 @@ -6181,7 +6181,7 @@ To work around this issue, use the {{ethtool -m <interface>}} command.4.3.0-4.4.5 -2552742 +2552742, 2553000, 2553936 On the Mellanox SN2410 switch, you see {{switchd}} core and {{GBIN_MALLOC}} errors. To work around this issue, restart {{switchd}}. 3.7.12-4.2.1 @@ -6201,7 +6201,7 @@ To work around this issue, restart {{switchd}}. -2552214 +2552214, 2553637 The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with {{Unable to read from device/fan1_input/pwm1}} syslog messages. 3.7.11-3.7.14.2, 4.1.1-4.3.0 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5 @@ -6506,7 +6506,7 @@ To work around this issue, move 100G SR4 modules to one of the ports not affecte -2547706 +2547706, 2544456, 2549513 When you configure ganged ports in the {{ports.conf}} file, the change does not take effect after you restart {{switchd}}. To work around this issue, reboot the switch. 3.7.11-3.7.16, 4.0.0-4.4.5 @@ -6620,7 +6620,7 @@ To increase the {{systemd}} timeout: -2546225 +2546225, 2541038 When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in {{/var/lib/cumulus/installer}}, which causes issues with cl-support. sudo onie-install -fai http://<path to image> @@ -6639,7 +6639,7 @@ To increase the {{systemd}} timeout: -2546131 +2546131, 2542979 On the Delta AG-6248C PoE switch, when you run the {{apt upgrade}} command, the upgrade does not work. Cumulus Linux uses {{uboot}} directly instead of {{grub}} to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the {{apt upgrade}} command to upgrade Linux packages, {{uboot}} is unable to boot up the kernel. To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the {{onie-select}} command to go into ONIE, and then use the {{nos-install}} command in ONIE to install a new image. This workaround only works when an out-of-band network is present. @@ -6738,7 +6738,7 @@ To work around this issue, do not use auto-negotiation and set the local port sp -2544456 +2544456, 2546166, 2546167, 2547706, 2549513 The NCLU {{net show lldp}} command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. 3.7.9-3.7.16, 4.0.0-4.4.5 @@ -6771,7 +6771,7 @@ To work around this issue, disable MAC learning on QinQ VLANs by adding {{bridge -2543841 +2543841, 2544947 The {{net show evpn vni detail json}} command includes an extra empty dictionary at the end of the output. 3.7.8-3.7.16, 4.0.0-4.4.5 @@ -6814,7 +6814,7 @@ To work around this issue, disable MAC learning on QinQ VLANs by adding {{bridge 4.0.0-4.4.5 -2543270 +2543270, 2549352 The default route injected through OSPF when you configure {{default-information originate always}} is unreliable and might age out unexpectedly. To work around this issue, rely on a different source of default route other than injection with {{default-information originate}}. 3.7.8-4.1.1 @@ -6867,7 +6867,7 @@ You can prevent EVPN next hops from not being removed when the contributing peer 4.0.0-4.4.5 -2542979 +2542979, 2546131 On the Dell-N3048EP-ON switch, when you run the {{sudo -E apt upgrade}} command, the upgrade does not work. 3.7.7-4.1.1 4.2.0-4.4.5 @@ -6883,7 +6883,7 @@ cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad -2542310 +2542310, 2523456 {{hsflow}} disregards the setting for {{agent.cidr}} in the {{/etc/hsflowd.conf}} file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the {{hsflow}} payload shows IPv6. 3.7.6-3.7.16 @@ -6996,7 +6996,7 @@ This issue only affects QinQ configurations. -2540204 +2540204, 2713883 When links come up after FRR is started, VRF connected routes do not get redistributed. 3.7.4-3.7.16, 4.0.0-4.4.5 @@ -7170,7 +7170,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal 4.1.0-4.4.5 -2537819 +2537819, 2542964 When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none. 3.7.2-3.7.16 @@ -7189,7 +7189,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537544 +2537544, 2537365 When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB. 3.7.1-3.7.16, 4.0.0-4.4.5 @@ -7211,7 +7211,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537104 +2537104, 2534061 When you try to stop {{hsflowd}} on the Trident II+ switch with the {{systemctl stop hsflowd}} command, the process hangs until you stop it with {{SIGKILL}}. 3.7.1-3.7.16 @@ -7308,7 +7308,7 @@ To work around this issue, disable IGMP snooping on the switch. 3.7.12-3.7.13, 4.0.0-4.2.1 -2553530 +2553530, 2553349 In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated. To work around this issue, restart FRR with the {{sudo systemctl restart frr.service}} command. @@ -7327,7 +7327,7 @@ To work around this issue, remove power to both PSUs at the same time, then rein 3.7.12-3.7.13, 4.2.1 -2553001 +2553001, 2552742 When the following conditions exist, {{clagd}} might fail to establish a TCP control session across the subinterface (such as, peerlink.4094): * {{clagd}} uses an IPv6 link-local address (LLA) to establish the TCP connection (the {{clagd-peer-ip linklocal}} command configures an IPv6 LLA connection) @@ -7339,7 +7339,7 @@ To workaround this issue, use IPv4 addresses under {{peerlink.4094}} and configu 3.7.12-3.7.13 -2552925 +2552925, 2552378 On the EdgeCore AS-6712-32X, AS5812-54X and AS5812-54T switch models, the temp sensors (DIMM temp sensor) show ABSENT. The amber diagnostic light on the front of the switch might also be turned on due to this issue. These messages and the light are cosmetic issues only and do not otherwise impact the function of the switch. 3.7.12-3.7.13 @@ -7371,7 +7371,7 @@ To work around this issue, bounce the bond or shutdown the new interface and use 3.7.7-3.7.13, 4.0.0-4.2.1 -2552506 +2552506, 2552604 Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports. To work around this issue, manually set the MAC address of the bridge interface by adding {{hwaddress <mac-address>}} to the bridge stanza in the {{/etc/network/interfaces}} file. 3.7.11-3.7.13, 4.0.0-4.2.0 @@ -7530,7 +7530,7 @@ To work around this issue, disable BFD to alleviate some of the CPU load. 3.7.10-3.7.13 -2545537 +2545537, 2545503 On the Mellanox switch with the Spectrum and Spectrum-2 ASIC, IPv6 egress ACLs are not supported on subinterfaces. 4.0.0-4.1.1 @@ -7545,12 +7545,12 @@ To work around this issue, disable BFD to alleviate some of the CPU load. 4.0.0-4.1.1 -2534978 +2534978, 2535424 On the Mellanox switch, the destination MAC address of ERSPAN GRE packets is set to all zeros; therefore, the first transit switch might drop packets. 4.0.0-4.2.1 -2529322 +2529322, 2528139 On a Mellanox switch in an MLAG configuration, routed packets that arrive on one switch to be forwarded to a destination MAC across the peer link are dropped due to MLAG loop prevention. This affects both routed unicast and multicast packets. To work around this issue, modify the routing design or policy such that routes do not have a next hop of an MLAG peer switch that traverses the MLAG peer link. @@ -7722,7 +7722,7 @@ Reboot the affected switches. 3.7.16, 4.3.1, 5.0.0-5.16.1 -2794750 +2794750, 2555635 When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF. To work around this issue, remove the unnecessary eBGP IPv4 peering. 3.7.12-4.2.1 @@ -7780,7 +7780,7 @@ This example assumes no other static routes are present. Otherwise, you might ne 4.3.0-4.4.5 -2684452 +2684452, 2701788, 2940067 When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table. You can work around this issue with the following steps: @@ -7845,7 +7845,7 @@ sudo systemctl restart clagd.service -2599607 +2599607, 2545364, 3297583 In some corner cases, remote MAC entries may be seen as locally learnt entries in FDB table due to switchd reprogramming it 3.7.12-4.3.0 4.3.1-4.4.5, 4.4.4-4.4.5, 5.0.0-5.16.1 @@ -8050,7 +8050,7 @@ To work around this issue, disable IGMP snooping on the switch. 4.3.0-4.4.5 -2553530 +2553530, 2553349 In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated. To work around this issue, restart FRR with the {{sudo systemctl restart frr.service}} command. @@ -8098,7 +8098,7 @@ To work around this issue, avoid polling IP-FORWARD-MIB objects. -2553001 +2553001, 2552742 When the following conditions exist, {{clagd}} might fail to establish a TCP control session across the subinterface (such as, peerlink.4094): * {{clagd}} uses an IPv6 link-local address (LLA) to establish the TCP connection (the {{clagd-peer-ip linklocal}} command configures an IPv6 LLA connection) @@ -8117,7 +8117,7 @@ To workaround this issue, use IPv4 addresses under {{peerlink.4094}} and configu 4.3.0-4.4.5 -2552925 +2552925, 2552378 On the EdgeCore AS-6712-32X, AS5812-54X and AS5812-54T switch models, the temp sensors (DIMM temp sensor) show ABSENT. The amber diagnostic light on the front of the switch might also be turned on due to this issue. These messages and the light are cosmetic issues only and do not otherwise impact the function of the switch. 3.7.12-3.7.13 @@ -8148,7 +8148,7 @@ To work around this issue, use the {{ethtool -m <interface>}} command.3.7.14-3.7.16 -2552742 +2552742, 2553000, 2553936 On the Mellanox SN2410 switch, you see {{switchd}} core and {{GBIN_MALLOC}} errors. To work around this issue, restart {{switchd}}. 3.7.12-4.2.1 @@ -8174,7 +8174,7 @@ To work around this issue, bounce the bond or shutdown the new interface and use 4.3.0-4.4.5 -2552506 +2552506, 2552604 Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports. To work around this issue, manually set the MAC address of the bridge interface by adding {{hwaddress <mac-address>}} to the bridge stanza in the {{/etc/network/interfaces}} file. 3.7.11-4.2.0 @@ -8201,7 +8201,7 @@ Jul 30 23:49:41.668265 mlx-switch kernel: LPCI2C ERR: Incorrect message -2552214 +2552214, 2553637 The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with {{Unable to read from device/fan1_input/pwm1}} syslog messages. 3.7.11-3.7.14.2, 4.1.1-4.3.0 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5 @@ -8620,7 +8620,7 @@ To work around this issue, reboot the switch. -2547706 +2547706, 2544456, 2549513 When you configure ganged ports in the {{ports.conf}} file, the change does not take effect after you restart {{switchd}}. To work around this issue, reboot the switch. 3.7.11-3.7.16, 4.0.0-4.4.5 @@ -8758,7 +8758,7 @@ To increase the {{systemd}} timeout: -2546225 +2546225, 2541038 When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in {{/var/lib/cumulus/installer}}, which causes issues with cl-support. sudo onie-install -fai http://<path to image> @@ -8777,7 +8777,7 @@ To increase the {{systemd}} timeout: -2546131 +2546131, 2542979 On the Delta AG-6248C PoE switch, when you run the {{apt upgrade}} command, the upgrade does not work. Cumulus Linux uses {{uboot}} directly instead of {{grub}} to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the {{apt upgrade}} command to upgrade Linux packages, {{uboot}} is unable to boot up the kernel. To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the {{onie-select}} command to go into ONIE, and then use the {{nos-install}} command in ONIE to install a new image. This workaround only works when an out-of-band network is present. @@ -8895,7 +8895,7 @@ To work around this issue, do not use auto-negotiation and set the local port sp -2544456 +2544456, 2546166, 2546167, 2547706, 2549513 The NCLU {{net show lldp}} command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. 3.7.9-3.7.16, 4.0.0-4.4.5 @@ -8928,7 +8928,7 @@ To work around this issue, disable MAC learning on QinQ VLANs by adding {{bridge -2543841 +2543841, 2544947 The {{net show evpn vni detail json}} command includes an extra empty dictionary at the end of the output. 3.7.8-3.7.16, 4.0.0-4.4.5 @@ -8971,7 +8971,7 @@ To work around this issue, disable MAC learning on QinQ VLANs by adding {{bridge 4.0.0-4.4.5 -2543270 +2543270, 2549352 The default route injected through OSPF when you configure {{default-information originate always}} is unreliable and might age out unexpectedly. To work around this issue, rely on a different source of default route other than injection with {{default-information originate}}. 3.7.8-4.1.1 @@ -9024,7 +9024,7 @@ You can prevent EVPN next hops from not being removed when the contributing peer 4.0.0-4.4.5 -2542979 +2542979, 2546131 On the Dell-N3048EP-ON switch, when you run the {{sudo -E apt upgrade}} command, the upgrade does not work. 3.7.7-4.1.1 4.2.0-4.4.5 @@ -9040,7 +9040,7 @@ cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad -2542310 +2542310, 2523456 {{hsflow}} disregards the setting for {{agent.cidr}} in the {{/etc/hsflowd.conf}} file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the {{hsflow}} payload shows IPv6. 3.7.6-3.7.16 @@ -9153,7 +9153,7 @@ This issue only affects QinQ configurations. -2540204 +2540204, 2713883 When links come up after FRR is started, VRF connected routes do not get redistributed. 3.7.4-3.7.16, 4.0.0-4.4.5 @@ -9327,7 +9327,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal 4.1.0-4.4.5 -2537819 +2537819, 2542964 When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none. 3.7.2-3.7.16 @@ -9346,7 +9346,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537544 +2537544, 2537365 When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB. 3.7.1-3.7.16, 4.0.0-4.4.5 @@ -9368,7 +9368,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537104 +2537104, 2534061 When you try to stop {{hsflowd}} on the Trident II+ switch with the {{systemctl stop hsflowd}} command, the process hangs until you stop it with {{SIGKILL}}. 3.7.1-3.7.16 @@ -9436,7 +9436,7 @@ To work around this issue, correct the bridge VIDs and restart {{switchd}} or de Affects -2552134 +2552134, 2722515 When the MLAG peerlink flaps on Broadcom Trident3 platforms, switchd might continually sync route and neighbor entries to hardware. This can be observed in {{/var/log/switchd.log}} with repeated {{Neighbor Summary}} and {{IPv4 Route Summary}} updates: sync_route.c:2063 Neighbor Summary : 0 Added, 0 Deleted, 501 Updated, 0 Skipped in 589761 usecs sync_route.c:2123 IPv4 Route Summary (29279) : 0 Added, 0 Deleted, 1732 Updated, 0 Skipped in 589820 usecs @@ -9445,12 +9445,12 @@ To work around this issue, correct the bridge VIDs and restart {{switchd}} or de 3.7.12 -2551708 +2551708, 2545503 On the Mellanox switch with the Spectrum and Spectrum-2 ASIC, IPv6 egress ACLs are not supported on subinterfaces. -2551543 +2551543, 2552147 {{switchd}} might crash if more than 16 IPv6 default route next hops are installed in the kernel routing table and those 16 next hops recurse to MAC address table entries reachable over VXLAN VNI interfaces. This can occur when many IPv6 router advertisements (RAs) are received across VLAN interfaces that have IPv6 forwarding disabled. To work around this issue, add the following parameters to the {{/etc/sysctl.conf}} file to disable IPv6 default route installation from received router advertisements, then run the {{sudo sysctl -p --system}} command. @@ -9460,7 +9460,7 @@ net.ipv6.conf.default.accept_ra_defrtr = 0 3.7.12 -2551161 +2551161, 2550590 {{switchd}} memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time. To work around this issue, correct the cause of the frequent link flaps. You can restart {{switchd}} with the {{sudo systemctl restart switchd}} command to recover memory; this operation is impactful to all traffic on the switch during the restart. 3.7.11-3.7.12, 4.0.0-4.2.0 @@ -9510,7 +9510,7 @@ To work around this issue, restart FRR. 3.7.12 -2548585 +2548585, 2549256 After you flap an MLAG peerlink, a rare condition might occur where routes and neighbors for VXLAN-enabled VLANs are misprogrammed as non-VXLAN routes and neighbors due to VNI state transitions. This results in a forwarding failure for traffic destined to these misprogrammed routes and neighbors. *Note*: Do not flap a VNI interface manually. The only expected time for a VNI interface to go down is when the MLAG secondary switch brings the VNIs protodown during a peer link failure where the backup IP address is still active. To recover from this condition, restart {{switchd}} with the {{sudo systemctl restart switchd}} command. @@ -9522,7 +9522,7 @@ To recover from this condition, restart {{switchd}} with the {{sudo systemctl re 3.7.5-3.7.12, 4.0.0-4.1.1 -2548372 +2548372, 2548371 On the Edgecore AS5812 switch, the Innodisk DIMM causes a DIMM temperature sensor absent alert. 3.7.12, 4.0.0-4.1.1 @@ -9568,7 +9568,7 @@ To recover from this condition, restart {{switchd}} with the {{sudo systemctl re 3.7.11-3.7.12 -2547609 +2547609, 2548114 Mellanox switches with the Spectrum A0 ASIC that are integrated with VMware NSX experience BFD connectivity issues with service nodes. As a result, VXLAN tunnels do not work. Mellanox switches with the Spectrum A1 ASIC do **not** have this issue. 3.7.11-3.7.12, 4.0.0-4.1.1 @@ -9597,7 +9597,7 @@ Mellanox switches with the Spectrum A1 ASIC do **not** have this issue. 3.7.10-3.7.12, 4.0.0-4.2.0 -2546950 +2546950, 2548887 {{switchd}} crashes when dynamic VRF route leaking is enabled and the following is true: * The default route is leaked from VRF1 to VRF2 * Hardware-based dynamic VRF route leaking is configured ({{vrf_route_leak_enable_dynamic}} is set to TRUE in the {{/etc/cumulus/switchd.conf}} file). @@ -9609,7 +9609,7 @@ To work around this issue, use a route map to filter the default route (the sour 3.7.10-3.7.12, 4.0.0-4.1.1 -2546141 +2546141, 2548774 CPU usage might be higher than normal if you have a high number of interfaces x VLANs and {{lldpd}} is active. This issue is introduced with code changes in Cumulus Linux 3.7.11, where VLAN information is now available for LLDP to advertise to neighbors ([https://docs.cumulusnetworks.com/version/cumulus-linux-37/Layer-2/Link-Layer-Discovery-Protocol/#vlan-dot1-tlv]). You might see high CPU usage even if VLAN (dot1) TLV configuration is disabled. To check if {{lldpd}} is the heavy CPU resource user, run the following command: @@ -9628,7 +9628,7 @@ To work around this issue, you can do one of the following: 3.7.11-3.7.12, 4.0.0-4.0.1 -2543792 +2543792, 2545026 On the EdgeCore AS5712, AS6712, AS5812 and AS6812 switch, support for multiple PSU types results in log messages similar to the following: 2019-09-05T05:15:17.246597+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2 @@ -9827,7 +9827,7 @@ Reboot the affected switches. 3.7.16, 4.3.1, 5.0.0-5.16.1 -2794750 +2794750, 2555635 When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF. To work around this issue, remove the unnecessary eBGP IPv4 peering. 3.7.12-4.2.1 @@ -9885,7 +9885,7 @@ This example assumes no other static routes are present. Otherwise, you might ne 4.3.0-4.4.5 -2684452 +2684452, 2701788, 2940067 When a VTEP is rebooted, MAC address entries might become out of sync between the kernel fdb table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries will be installed against the rebooted VTEP IP in the kernel fdb and the correct VTEP IP will be present in the EVPN MAC VNI table. You can work around this issue with the following steps: @@ -9944,7 +9944,7 @@ sudo systemctl restart clagd.service -2599607 +2599607, 2545364, 3297583 In some corner cases, remote MAC entries may be seen as locally learnt entries in FDB table due to switchd reprogramming it 3.7.12-4.3.0 4.3.1-4.4.5, 4.4.4-4.4.5, 5.0.0-5.16.1 @@ -10089,7 +10089,7 @@ To work around this issue, disable IGMP snooping on the switch. 4.3.0-4.4.5 -2553530 +2553530, 2553349 In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated. To work around this issue, restart FRR with the {{sudo systemctl restart frr.service}} command. @@ -10137,7 +10137,7 @@ To work around this issue, avoid polling IP-FORWARD-MIB objects. -2553001 +2553001, 2552742 When the following conditions exist, {{clagd}} might fail to establish a TCP control session across the subinterface (such as, peerlink.4094): * {{clagd}} uses an IPv6 link-local address (LLA) to establish the TCP connection (the {{clagd-peer-ip linklocal}} command configures an IPv6 LLA connection) @@ -10156,14 +10156,14 @@ To workaround this issue, use IPv4 addresses under {{peerlink.4094}} and configu 4.3.0-4.4.5 -2552925 +2552925, 2552378 On the EdgeCore AS-6712-32X, AS5812-54X and AS5812-54T switch models, the temp sensors (DIMM temp sensor) show ABSENT. The amber diagnostic light on the front of the switch might also be turned on due to this issue. These messages and the light are cosmetic issues only and do not otherwise impact the function of the switch. 3.7.12-3.7.13 3.7.14-3.7.16 -2552742 +2552742, 2553000, 2553936 On the Mellanox SN2410 switch, you see {{switchd}} core and {{GBIN_MALLOC}} errors. To work around this issue, restart {{switchd}}. 3.7.12-4.2.1 @@ -10189,7 +10189,7 @@ To work around this issue, bounce the bond or shutdown the new interface and use 4.3.0-4.4.5 -2552506 +2552506, 2552604 Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports. To work around this issue, manually set the MAC address of the bridge interface by adding {{hwaddress <mac-address>}} to the bridge stanza in the {{/etc/network/interfaces}} file. 3.7.11-4.2.0 @@ -10203,7 +10203,7 @@ To work around this issue, manually set the MAC address of the bridge interface -2552214 +2552214, 2553637 The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with {{Unable to read from device/fan1_input/pwm1}} syslog messages. 3.7.11-3.7.14.2, 4.1.1-4.3.0 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5 @@ -10216,7 +10216,7 @@ To work around this issue, ifdown/ifup the SVI when a MAC address changes. 4.2.1-4.4.5 -2552134 +2552134, 2722515 When the MLAG peerlink flaps on Broadcom Trident3 platforms, switchd might continually sync route and neighbor entries to hardware. This can be observed in {{/var/log/switchd.log}} with repeated {{Neighbor Summary}} and {{IPv4 Route Summary}} updates: sync_route.c:2063 Neighbor Summary : 0 Added, 0 Deleted, 501 Updated, 0 Skipped in 589761 usecs sync_route.c:2123 IPv4 Route Summary (29279) : 0 Added, 0 Deleted, 1732 Updated, 0 Skipped in 589820 usecs @@ -10281,7 +10281,7 @@ To work around this issue, manually delete the dynamic FDB entry that is associa -2551543 +2551543, 2552147 {{switchd}} might crash if more than 16 IPv6 default route next hops are installed in the kernel routing table and those 16 next hops recurse to MAC address table entries reachable over VXLAN VNI interfaces. This can occur when many IPv6 router advertisements (RAs) are received across VLAN interfaces that have IPv6 forwarding disabled. To work around this issue, add the following parameters to the {{/etc/sysctl.conf}} file to disable IPv6 default route installation from received router advertisements, then run the {{sudo sysctl -p --system}} command. @@ -10307,7 +10307,7 @@ To work around this issue, either use NCLU or vtysh commands to remove the BFD c 4.0.0-4.4.5 -2551161 +2551161, 2550590 {{switchd}} memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time. To work around this issue, correct the cause of the frequent link flaps. You can restart {{switchd}} with the {{sudo systemctl restart switchd}} command to recover memory; this operation is impactful to all traffic on the switch during the restart. 3.7.11-3.7.12, 4.0.0-4.2.0 @@ -10575,7 +10575,7 @@ You can safely ignore these error messages. -2548585 +2548585, 2549256 After you flap an MLAG peerlink, a rare condition might occur where routes and neighbors for VXLAN-enabled VLANs are misprogrammed as non-VXLAN routes and neighbors due to VNI state transitions. This results in a forwarding failure for traffic destined to these misprogrammed routes and neighbors. *Note*: Do not flap a VNI interface manually. The only expected time for a VNI interface to go down is when the MLAG secondary switch brings the VNIs protodown during a peer link failure where the backup IP address is still active. To recover from this condition, restart {{switchd}} with the {{sudo systemctl restart switchd}} command. @@ -10634,7 +10634,7 @@ To work around this issue, reboot the leaf switch or restart {{switchd}}. 3.7.13-3.7.16, 4.2.0-4.4.5 -2548372 +2548372, 2548371 On the Edgecore AS5812 switch, the Innodisk DIMM causes a DIMM temperature sensor absent alert. 3.7.12, 4.0.0-4.1.1 3.7.13-3.7.16, 4.2.0-4.4.5 @@ -10738,7 +10738,7 @@ To work around this issue, reboot the switch. 3.7.13-3.7.16 -2547706 +2547706, 2544456, 2549513 When you configure ganged ports in the {{ports.conf}} file, the change does not take effect after you restart {{switchd}}. To work around this issue, reboot the switch. 3.7.11-3.7.16, 4.0.0-4.4.5 @@ -10769,7 +10769,7 @@ To work around this issue, reboot the switch. 3.7.13-3.7.16 -2547609 +2547609, 2548114 Mellanox switches with the Spectrum A0 ASIC that are integrated with VMware NSX experience BFD connectivity issues with service nodes. As a result, VXLAN tunnels do not work. Mellanox switches with the Spectrum A1 ASIC do **not** have this issue. 3.7.11-3.7.12, 4.0.0-4.1.1 @@ -10886,7 +10886,7 @@ To work around this issue, execute the {{vtysh -f <file>}} command in the 3.7.13-3.7.16, 4.2.1-4.4.5 -2546950 +2546950, 2548887 {{switchd}} crashes when dynamic VRF route leaking is enabled and the following is true: * The default route is leaked from VRF1 to VRF2 * Hardware-based dynamic VRF route leaking is configured ({{vrf_route_leak_enable_dynamic}} is set to TRUE in the {{/etc/cumulus/switchd.conf}} file). @@ -10932,7 +10932,7 @@ To increase the {{systemd}} timeout: -2546225 +2546225, 2541038 When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in {{/var/lib/cumulus/installer}}, which causes issues with cl-support. sudo onie-install -fai http://<path to image> @@ -10951,7 +10951,7 @@ To increase the {{systemd}} timeout: -2546141 +2546141, 2548774 CPU usage might be higher than normal if you have a high number of interfaces x VLANs and {{lldpd}} is active. This issue is introduced with code changes in Cumulus Linux 3.7.11, where VLAN information is now available for LLDP to advertise to neighbors ([https://docs.cumulusnetworks.com/version/cumulus-linux-37/Layer-2/Link-Layer-Discovery-Protocol/#vlan-dot1-tlv]). You might see high CPU usage even if VLAN (dot1) TLV configuration is disabled. To check if {{lldpd}} is the heavy CPU resource user, run the following command: @@ -10971,7 +10971,7 @@ To work around this issue, you can do one of the following: 4.1.0-4.4.5 -2546131 +2546131, 2542979 On the Delta AG-6248C PoE switch, when you run the {{apt upgrade}} command, the upgrade does not work. Cumulus Linux uses {{uboot}} directly instead of {{grub}} to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the {{apt upgrade}} command to upgrade Linux packages, {{uboot}} is unable to boot up the kernel. To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the {{onie-select}} command to go into ONIE, and then use the {{nos-install}} command in ONIE to install a new image. This workaround only works when an out-of-band network is present. @@ -11082,7 +11082,7 @@ To work around this issue, do not use auto-negotiation and set the local port sp -2544456 +2544456, 2546166, 2546167, 2547706, 2549513 The NCLU {{net show lldp}} command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. 3.7.9-3.7.16, 4.0.0-4.4.5 @@ -11115,7 +11115,7 @@ To work around this issue, disable MAC learning on QinQ VLANs by adding {{bridge -2543841 +2543841, 2544947 The {{net show evpn vni detail json}} command includes an extra empty dictionary at the end of the output. 3.7.8-3.7.16, 4.0.0-4.4.5 @@ -11137,7 +11137,7 @@ To work around this issue, disable MAC learning on QinQ VLANs by adding {{bridge 4.0.0-4.4.5 -2543792 +2543792, 2545026 On the EdgeCore AS5712, AS6712, AS5812 and AS6812 switch, support for multiple PSU types results in log messages similar to the following: 2019-09-05T05:15:17.246597+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2 @@ -11186,7 +11186,7 @@ To work around this issue, configure the ECMP hash seed to the same value on the 4.1.0-4.4.5 -2543270 +2543270, 2549352 The default route injected through OSPF when you configure {{default-information originate always}} is unreliable and might age out unexpectedly. To work around this issue, rely on a different source of default route other than injection with {{default-information originate}}. 3.7.8-4.1.1 @@ -11239,7 +11239,7 @@ You can prevent EVPN next hops from not being removed when the contributing peer 4.0.0-4.4.5 -2542979 +2542979, 2546131 On the Dell-N3048EP-ON switch, when you run the {{sudo -E apt upgrade}} command, the upgrade does not work. 3.7.7-4.1.1 4.2.0-4.4.5 @@ -11263,7 +11263,7 @@ To work around this issue, power cycle the switch. 4.1.0-4.4.5 -2542310 +2542310, 2523456 {{hsflow}} disregards the setting for {{agent.cidr}} in the {{/etc/hsflowd.conf}} file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the {{hsflow}} payload shows IPv6. 3.7.6-3.7.16 @@ -11376,7 +11376,7 @@ This issue only affects QinQ configurations. -2540204 +2540204, 2713883 When links come up after FRR is started, VRF connected routes do not get redistributed. 3.7.4-3.7.16, 4.0.0-4.4.5 @@ -11550,7 +11550,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal 4.1.0-4.4.5 -2537819 +2537819, 2542964 When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none. 3.7.2-3.7.16 @@ -11569,7 +11569,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537544 +2537544, 2537365 When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB. 3.7.1-3.7.16, 4.0.0-4.4.5 @@ -11591,7 +11591,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537104 +2537104, 2534061 When you try to stop {{hsflowd}} on the Trident II+ switch with the {{systemctl stop hsflowd}} command, the process hangs until you stop it with {{SIGKILL}}. 3.7.1-3.7.16 @@ -11768,7 +11768,7 @@ To work around this issue, restart the networking service after {{ifreload -a}} 3.7.10-3.7.11 -2545948 +2545948, 2546356, 2546370, 2546539, 2546711, 2546712, 2546916, 2545172, 2546539 All Broadcom Trident3 X7 switches contain PCIE firmware, which is programmed by the vendor when the switch is manufactured. The latest version of this firmware (2.6) is incompatible with Cumulus Linux 3.7.11 and earlier, and Cumulus Linux 4.0. To work around this issue, downgrade the Broadcom ASIC firmware to an earlier version. 3.7.11, 4.0.0-4.0.1 @@ -11800,7 +11800,7 @@ To work around this issue, run the {{ip -6 route flush cache <IPv6-address> 3.7.8-3.7.11 -2544853 +2544853, 2545726 On the Dell S5248F-ON switch, CPU core temp sensors may show as ABSENT. 4.0.0-4.0.1 @@ -12003,7 +12003,7 @@ To work around this issue, remove the DEFAULT user from the TACACS+ server. 4.3.0-4.4.5 -2553530 +2553530, 2553349 In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated. To work around this issue, restart FRR with the {{sudo systemctl restart frr.service}} command. @@ -12037,14 +12037,14 @@ To work around this issue, bounce the bond or shutdown the new interface and use 4.3.0-4.4.5 -2552506 +2552506, 2552604 Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports. To work around this issue, manually set the MAC address of the bridge interface by adding {{hwaddress <mac-address>}} to the bridge stanza in the {{/etc/network/interfaces}} file. 3.7.11-4.2.0 4.2.1-4.4.5 -2552214 +2552214, 2553637 The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with {{Unable to read from device/fan1_input/pwm1}} syslog messages. 3.7.11-3.7.14.2, 4.1.1-4.3.0 3.7.15-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5 @@ -12063,7 +12063,7 @@ To work around this issue, either use NCLU or vtysh commands to remove the BFD c 4.0.0-4.4.5 -2551161 +2551161, 2550590 {{switchd}} memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time. To work around this issue, correct the cause of the frequent link flaps. You can restart {{switchd}} with the {{sudo systemctl restart switchd}} command to recover memory; this operation is impactful to all traffic on the switch during the restart. 3.7.11-3.7.12, 4.0.0-4.2.0 @@ -12174,7 +12174,7 @@ To work around this issue, restart FRR. 3.7.13-3.7.16, 4.2.0-4.4.5 -2548585 +2548585, 2549256 After you flap an MLAG peerlink, a rare condition might occur where routes and neighbors for VXLAN-enabled VLANs are misprogrammed as non-VXLAN routes and neighbors due to VNI state transitions. This results in a forwarding failure for traffic destined to these misprogrammed routes and neighbors. *Note*: Do not flap a VNI interface manually. The only expected time for a VNI interface to go down is when the MLAG secondary switch brings the VNIs protodown during a peer link failure where the backup IP address is still active. To recover from this condition, restart {{switchd}} with the {{sudo systemctl restart switchd}} command. @@ -12276,7 +12276,7 @@ To work around this issue, reboot the switch. 3.7.13-3.7.16 -2547706 +2547706, 2544456, 2549513 When you configure ganged ports in the {{ports.conf}} file, the change does not take effect after you restart {{switchd}}. To work around this issue, reboot the switch. 3.7.11-3.7.16, 4.0.0-4.4.5 @@ -12307,7 +12307,7 @@ To work around this issue, reboot the switch. 3.7.13-3.7.16 -2547609 +2547609, 2548114 Mellanox switches with the Spectrum A0 ASIC that are integrated with VMware NSX experience BFD connectivity issues with service nodes. As a result, VXLAN tunnels do not work. Mellanox switches with the Spectrum A1 ASIC do **not** have this issue. 3.7.11-3.7.12, 4.0.0-4.1.1 @@ -12491,7 +12491,7 @@ To work around this issue, execute the {{vtysh -f <file>}} command in the 3.7.13-3.7.16, 4.2.1-4.4.5 -2546950 +2546950, 2548887 {{switchd}} crashes when dynamic VRF route leaking is enabled and the following is true: * The default route is leaked from VRF1 to VRF2 * Hardware-based dynamic VRF route leaking is configured ({{vrf_route_leak_enable_dynamic}} is set to TRUE in the {{/etc/cumulus/switchd.conf}} file). @@ -12586,7 +12586,7 @@ To work around this issue, restart the networking service after {{ifreload -a}} 3.7.12-3.7.16, 4.1.0-4.4.5 -2546225 +2546225, 2541038 When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in {{/var/lib/cumulus/installer}}, which causes issues with cl-support. sudo onie-install -fai http://<path to image> @@ -12605,7 +12605,7 @@ To work around this issue, restart the networking service after {{ifreload -a}} -2546141 +2546141, 2548774 CPU usage might be higher than normal if you have a high number of interfaces x VLANs and {{lldpd}} is active. This issue is introduced with code changes in Cumulus Linux 3.7.11, where VLAN information is now available for LLDP to advertise to neighbors ([https://docs.cumulusnetworks.com/version/cumulus-linux-37/Layer-2/Link-Layer-Discovery-Protocol/#vlan-dot1-tlv]). You might see high CPU usage even if VLAN (dot1) TLV configuration is disabled. To check if {{lldpd}} is the heavy CPU resource user, run the following command: @@ -12625,7 +12625,7 @@ To work around this issue, you can do one of the following: 4.1.0-4.4.5 -2546131 +2546131, 2542979 On the Delta AG-6248C PoE switch, when you run the {{apt upgrade}} command, the upgrade does not work. Cumulus Linux uses {{uboot}} directly instead of {{grub}} to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the {{apt upgrade}} command to upgrade Linux packages, {{uboot}} is unable to boot up the kernel. To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the {{onie-select}} command to go into ONIE, and then use the {{nos-install}} command in ONIE to install a new image. This workaround only works when an out-of-band network is present. @@ -12658,7 +12658,7 @@ To work around this issue, remove the empty Bond interfaces from the {{/etc/netw 3.7.12-3.7.16, 4.1.0-4.4.5 -2545948 +2545948, 2546356, 2546370, 2546539, 2546711, 2546712, 2546916, 2545172, 2546539 All Broadcom Trident3 X7 switches contain PCIE firmware, which is programmed by the vendor when the switch is manufactured. The latest version of this firmware (2.6) is incompatible with Cumulus Linux 3.7.11 and earlier, and Cumulus Linux 4.0. To work around this issue, downgrade the Broadcom ASIC firmware to an earlier version. 3.7.11, 4.0.0-4.0.1 @@ -12779,7 +12779,7 @@ To work around this issue, do not use auto-negotiation and set the local port sp -2544456 +2544456, 2546166, 2546167, 2547706, 2549513 The NCLU {{net show lldp}} command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. 3.7.9-3.7.16, 4.0.0-4.4.5 @@ -12818,7 +12818,7 @@ To work around this issue, disable MAC learning on QinQ VLANs by adding {{bridge -2543841 +2543841, 2544947 The {{net show evpn vni detail json}} command includes an extra empty dictionary at the end of the output. 3.7.8-3.7.16, 4.0.0-4.4.5 @@ -12847,7 +12847,7 @@ To work around this issue, disable MAC learning on QinQ VLANs by adding {{bridge 4.0.0-4.4.5 -2543792 +2543792, 2545026 On the EdgeCore AS5712, AS6712, AS5812 and AS6812 switch, support for multiple PSU types results in log messages similar to the following: 2019-09-05T05:15:17.246597+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2 @@ -12896,7 +12896,7 @@ To work around this issue, configure the ECMP hash seed to the same value on the 4.1.0-4.4.5 -2543270 +2543270, 2549352 The default route injected through OSPF when you configure {{default-information originate always}} is unreliable and might age out unexpectedly. To work around this issue, rely on a different source of default route other than injection with {{default-information originate}}. 3.7.8-4.1.1 @@ -12949,7 +12949,7 @@ You can prevent EVPN next hops from not being removed when the contributing peer 4.0.0-4.4.5 -2542979 +2542979, 2546131 On the Dell-N3048EP-ON switch, when you run the {{sudo -E apt upgrade}} command, the upgrade does not work. 3.7.7-4.1.1 4.2.0-4.4.5 @@ -12985,7 +12985,7 @@ To work around this issue, power cycle the switch. 4.1.0-4.4.5 -2542310 +2542310, 2523456 {{hsflow}} disregards the setting for {{agent.cidr}} in the {{/etc/hsflowd.conf}} file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the {{hsflow}} payload shows IPv6. 3.7.6-3.7.16 @@ -13098,7 +13098,7 @@ This issue only affects QinQ configurations. -2540204 +2540204, 2713883 When links come up after FRR is started, VRF connected routes do not get redistributed. 3.7.4-3.7.16, 4.0.0-4.4.5 @@ -13272,7 +13272,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal 4.1.0-4.4.5 -2537819 +2537819, 2542964 When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none. 3.7.2-3.7.16 @@ -13291,7 +13291,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537544 +2537544, 2537365 When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB. 3.7.1-3.7.16, 4.0.0-4.4.5 @@ -13313,7 +13313,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537104 +2537104, 2534061 When you try to stop {{hsflowd}} on the Trident II+ switch with the {{systemctl stop hsflowd}} command, the process hangs until you stop it with {{SIGKILL}}. 3.7.1-3.7.16 @@ -13469,7 +13469,7 @@ To work around this issue, reboot the switch, then remove the static routes or s 3.7.9-3.7.10, 4.0.0-4.0.1 -2544609 +2544609, 2550042 BGP is configured with soft reconfiguration-in for its peers, which is not working correctly and causes routes to have an unexpected label. As a result, transit traffic is not forwarded by the switch. 3.7.7-3.7.10 @@ -13637,7 +13637,7 @@ To work around this issue, remove the stanza using vtysh. 3.7.6-3.7.10 -2542871 +2542871, 2542901, 2542901 After you issue the NCLU {{net del bgp vrf <vrf> autonomous-system <AS>}} command and commit the change, Cumulus Linux does not remove the configuration from the {{/etc/frr/frr.conf}} file or the {{net show config commands}}. 3.7.3-3.7.10, 4.0.0-4.0.1 @@ -13697,7 +13697,7 @@ route-map peerlink-add-asn permit 20 3.7.6-3.7.10 -2542100 +2542100, 2544399 On the EdgeCore AS7816 switch, PCIE errors cause {{switchd}} startup to fail. 3.7.9-3.7.10 @@ -13724,7 +13724,7 @@ Despite this error, the change is made and the description is removed from the { 3.7.3-3.7.10 -2536230 +2536230, 2545399 On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature. In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. 3.7.3-3.7.10, 4.0.0-4.0.1 @@ -13752,12 +13752,12 @@ To work around this issue, use {{net show interface}} command for LLDP output wh -2528990 +2528990, 2523824, 2523824, 2542431 During a link flap test, you might occasionally see a message similar to: {{warning: swp6: netlink: cannot set link swp6 down: [Errno 98] Address already in use}}. 3.7.6-3.7.10 -2526985 +2526985, 2528127 When you try to remove a VNI from a bridge using a regex match, the VNI is added back when you run the {{ifreload -a}} command. @@ -13892,7 +13892,7 @@ To work around this issue, remove the DEFAULT user from the TACACS+ server. -2553530 +2553530, 2553349 In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated. To work around this issue, restart FRR with the {{sudo systemctl restart frr.service}} command. @@ -13981,7 +13981,7 @@ To work around this issue, revert the configuration change. 3.7.13-3.7.16, 4.2.0-4.4.5 -2548585 +2548585, 2549256 After you flap an MLAG peerlink, a rare condition might occur where routes and neighbors for VXLAN-enabled VLANs are misprogrammed as non-VXLAN routes and neighbors due to VNI state transitions. This results in a forwarding failure for traffic destined to these misprogrammed routes and neighbors. *Note*: Do not flap a VNI interface manually. The only expected time for a VNI interface to go down is when the MLAG secondary switch brings the VNIs protodown during a peer link failure where the backup IP address is still active. To recover from this condition, restart {{switchd}} with the {{sudo systemctl restart switchd}} command. @@ -14101,7 +14101,7 @@ C-states are disabled by default in Cumulus Linux 4.3.0 and later. 3.7.13-3.7.16, 4.2.1-4.4.5 -2546950 +2546950, 2548887 {{switchd}} crashes when dynamic VRF route leaking is enabled and the following is true: * The default route is leaked from VRF1 to VRF2 * Hardware-based dynamic VRF route leaking is configured ({{vrf_route_leak_enable_dynamic}} is set to TRUE in the {{/etc/cumulus/switchd.conf}} file). @@ -14391,7 +14391,7 @@ To work around this issue, restart FRR after removing the IPv6 numbered configur 3.7.11-3.7.16, 4.1.0-4.4.5 -2544609 +2544609, 2550042 BGP is configured with soft reconfiguration-in for its peers, which is not working correctly and causes routes to have an unexpected label. As a result, transit traffic is not forwarded by the switch. 3.7.7-3.7.16 4.0.0-4.4.5 @@ -14423,7 +14423,7 @@ To work around this issue, do not use auto-negotiation and set the local port sp -2544456 +2544456, 2546166, 2546167, 2547706, 2549513 The NCLU {{net show lldp}} command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. 3.7.9-3.7.16, 4.0.0-4.4.5 @@ -14514,7 +14514,7 @@ To work around this issue, remove the interface alias description from {{iproute 4.0.0-4.4.5 -2543841 +2543841, 2544947 The {{net show evpn vni detail json}} command includes an extra empty dictionary at the end of the output. 3.7.8-3.7.16, 4.0.0-4.4.5 @@ -14543,7 +14543,7 @@ To work around this issue, remove the interface alias description from {{iproute 4.0.0-4.4.5 -2543792 +2543792, 2545026 On the EdgeCore AS5712, AS6712, AS5812 and AS6812 switch, support for multiple PSU types results in log messages similar to the following: 2019-09-05T05:15:17.246597+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2 @@ -14690,7 +14690,7 @@ To work around this issue, configure the ECMP hash seed to the same value on the 4.0.0-4.4.5 -2543270 +2543270, 2549352 The default route injected through OSPF when you configure {{default-information originate always}} is unreliable and might age out unexpectedly. To work around this issue, rely on a different source of default route other than injection with {{default-information originate}}. 3.7.8-4.1.1 @@ -14751,7 +14751,7 @@ You can prevent EVPN next hops from not being removed when the contributing peer 4.0.0-4.4.5 -2542979 +2542979, 2546131 On the Dell-N3048EP-ON switch, when you run the {{sudo -E apt upgrade}} command, the upgrade does not work. 3.7.7-4.1.1 4.2.0-4.4.5 @@ -14779,7 +14779,7 @@ cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad 4.0.0-4.4.5 -2542871 +2542871, 2542901, 2542901 After you issue the NCLU {{net del bgp vrf <vrf> autonomous-system <AS>}} command and commit the change, Cumulus Linux does not remove the configuration from the {{/etc/frr/frr.conf}} file or the {{net show config commands}}. 3.7.3-3.7.10, 4.0.0-4.0.1 @@ -14844,7 +14844,7 @@ route-map peerlink-add-asn permit 20 4.0.0-4.4.5 -2542310 +2542310, 2523456 {{hsflow}} disregards the setting for {{agent.cidr}} in the {{/etc/hsflowd.conf}} file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the {{hsflow}} payload shows IPv6. 3.7.6-3.7.16 @@ -14886,7 +14886,7 @@ route-map peerlink-add-asn permit 20 4.0.0-4.4.5 -2542100 +2542100, 2544399 On the EdgeCore AS7816 switch, PCIE errors cause {{switchd}} startup to fail. 3.7.9-3.7.16 4.0.0-4.4.5 @@ -14984,7 +14984,7 @@ This issue only affects QinQ configurations. -2540204 +2540204, 2713883 When links come up after FRR is started, VRF connected routes do not get redistributed. 3.7.4-3.7.16, 4.0.0-4.4.5 @@ -15158,7 +15158,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal 4.1.0-4.4.5 -2537819 +2537819, 2542964 When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none. 3.7.2-3.7.16 @@ -15177,7 +15177,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537544 +2537544, 2537365 When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB. 3.7.1-3.7.16, 4.0.0-4.4.5 @@ -15205,7 +15205,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537104 +2537104, 2534061 When you try to stop {{hsflowd}} on the Trident II+ switch with the {{systemctl stop hsflowd}} command, the process hangs until you stop it with {{SIGKILL}}. 3.7.1-3.7.16 @@ -15252,7 +15252,7 @@ Despite this error, the change is made and the description is removed from the { -2536230 +2536230, 2545399 On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature. In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. 3.7.3-3.7.10, 4.0.0-4.0.1 @@ -15293,7 +15293,7 @@ To work around this issue, use {{net show interface}} command for LLDP output wh 4.0.0-4.4.5 -2528990 +2528990, 2523824, 2523824, 2542431 During a link flap test, you might occasionally see a message similar to: {{warning: swp6: netlink: cannot set link swp6 down: [Errno 98] Address already in use}}. 3.7.6-3.7.10 3.7.11-3.7.16 @@ -15705,7 +15705,7 @@ To work around this issue, restart FRR after removing the IPv6 numbered configur 3.7.11-3.7.16, 4.1.0-4.4.5 -2544609 +2544609, 2550042 BGP is configured with soft reconfiguration-in for its peers, which is not working correctly and causes routes to have an unexpected label. As a result, transit traffic is not forwarded by the switch. 3.7.7-3.7.16 4.0.0-4.4.5 @@ -15737,7 +15737,7 @@ To work around this issue, do not use auto-negotiation and set the local port sp -2544456 +2544456, 2546166, 2546167, 2547706, 2549513 The NCLU {{net show lldp}} command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. 3.7.9-3.7.16, 4.0.0-4.4.5 @@ -15834,7 +15834,7 @@ To work around this issue, remove the interface alias description from {{iproute 4.0.0-4.4.5 -2543841 +2543841, 2544947 The {{net show evpn vni detail json}} command includes an extra empty dictionary at the end of the output. 3.7.8-3.7.16, 4.0.0-4.4.5 @@ -15863,7 +15863,7 @@ To work around this issue, remove the interface alias description from {{iproute 4.0.0-4.4.5 -2543792 +2543792, 2545026 On the EdgeCore AS5712, AS6712, AS5812 and AS6812 switch, support for multiple PSU types results in log messages similar to the following: 2019-09-05T05:15:17.246597+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2 @@ -16010,7 +16010,7 @@ To work around this issue, configure the ECMP hash seed to the same value on the 4.0.0-4.4.5 -2543270 +2543270, 2549352 The default route injected through OSPF when you configure {{default-information originate always}} is unreliable and might age out unexpectedly. To work around this issue, rely on a different source of default route other than injection with {{default-information originate}}. 3.7.8-4.1.1 @@ -16071,7 +16071,7 @@ You can prevent EVPN next hops from not being removed when the contributing peer 4.0.0-4.4.5 -2542979 +2542979, 2546131 On the Dell-N3048EP-ON switch, when you run the {{sudo -E apt upgrade}} command, the upgrade does not work. 3.7.7-4.1.1 4.2.0-4.4.5 @@ -16099,7 +16099,7 @@ cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad 4.0.0-4.4.5 -2542871 +2542871, 2542901, 2542901 After you issue the NCLU {{net del bgp vrf <vrf> autonomous-system <AS>}} command and commit the change, Cumulus Linux does not remove the configuration from the {{/etc/frr/frr.conf}} file or the {{net show config commands}}. 3.7.3-3.7.10, 4.0.0-4.0.1 @@ -16164,7 +16164,7 @@ route-map peerlink-add-asn permit 20 4.0.0-4.4.5 -2542310 +2542310, 2523456 {{hsflow}} disregards the setting for {{agent.cidr}} in the {{/etc/hsflowd.conf}} file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the {{hsflow}} payload shows IPv6. 3.7.6-3.7.16 @@ -16206,7 +16206,7 @@ route-map peerlink-add-asn permit 20 4.0.0-4.4.5 -2542100 +2542100, 2544399 On the EdgeCore AS7816 switch, PCIE errors cause {{switchd}} startup to fail. 3.7.9-3.7.16 4.0.0-4.4.5 @@ -16304,7 +16304,7 @@ This issue only affects QinQ configurations. -2540204 +2540204, 2713883 When links come up after FRR is started, VRF connected routes do not get redistributed. 3.7.4-3.7.16, 4.0.0-4.4.5 @@ -16478,7 +16478,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal 4.1.0-4.4.5 -2537819 +2537819, 2542964 When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none. 3.7.2-3.7.16 @@ -16497,7 +16497,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537544 +2537544, 2537365 When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB. 3.7.1-3.7.16, 4.0.0-4.4.5 @@ -16525,7 +16525,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537104 +2537104, 2534061 When you try to stop {{hsflowd}} on the Trident II+ switch with the {{systemctl stop hsflowd}} command, the process hangs until you stop it with {{SIGKILL}}. 3.7.1-3.7.16 @@ -16572,7 +16572,7 @@ Despite this error, the change is made and the description is removed from the { -2536230 +2536230, 2545399 On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature. In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. 3.7.3-3.7.10, 4.0.0-4.0.1 @@ -16613,7 +16613,7 @@ To work around this issue, use {{net show interface}} command for LLDP output wh 4.0.0-4.4.5 -2528990 +2528990, 2523824, 2523824, 2542431 During a link flap test, you might occasionally see a message similar to: {{warning: swp6: netlink: cannot set link swp6 down: [Errno 98] Address already in use}}. 3.7.6-3.7.10 3.7.11-3.7.16 @@ -16699,7 +16699,7 @@ To work around this issue, use {{net show interface}} command for LLDP output wh 3.7.6-3.7.8 -2542472 +2542472, 2544615 On Broadcom-based VXLAN routing capable platforms, VXLAN traffic received at the egress VTEP might drop because the hardware is mis-programming. This issue is related to timing and is not easily reproduced. This issue might occur after a VXLAN interface (VNI) state transition (the peerlink goes down and puts VNI into a protodown state, then the peerlink comes back and the VNI returns to UP) and is related to how the next-hop information is programmed in hardware. Sometimes the host routes corresponding to this VXLAN segment are mis-programmed with the wrong next hop information. To work around this issue, restart the {{switchd}} service with the {{sudo systemctl restart switchd.service}} command. @@ -16789,7 +16789,7 @@ To work around this issue, restart {{switchd}}. 3.7.3-3.7.8 -2540359 +2540359, 2540806 {{bgpd}} creates a core dump at zclient_send_interface_radv_req. This is an issue with how FRRouting checks next hops and has been pushed upstream to FRRouting. 3.7.6-3.7.8 @@ -16805,7 +16805,7 @@ To work around this issue, use the {{mstpctl}} command to confirm the STP status 3.7.2-3.7.8 -2538321 +2538321, 2543029 On the Trident3 switch, the input chain ACLs drop action forwards packets if the traffic is destined to the CPU on an SVI. @@ -16816,7 +16816,7 @@ To work around this issue, use the {{mstpctl}} command to confirm the STP status 3.7.2-3.7.8 -2537153 +2537153, 2540994 In rare cases, certain IPv6 BGP peers fail to reestablish after {{switchd}} restarts. 3.7.2-3.7.8 @@ -16884,7 +16884,7 @@ While this issue is fixed for switches with the Spectrum ASIC, this is a [known -2532395 +2532395, 2529029 Drops due to congestion do not appear to be counted on a Mellanox switch. To work around this issue, run the {{sudo ethtool -S swp1}} command to collect interface traffic statistics. @@ -17135,7 +17135,7 @@ To work around this issue, run the {{cl-support -M}} command to disable timeouts 3.7.11-3.7.16 -2544609 +2544609, 2550042 BGP is configured with soft reconfiguration-in for its peers, which is not working correctly and causes routes to have an unexpected label. As a result, transit traffic is not forwarded by the switch. 3.7.7-3.7.16 4.0.0-4.4.5 @@ -17198,7 +17198,7 @@ To work around this issue, remove the interface alias description from {{iproute 4.0.0-4.4.5 -2543841 +2543841, 2544947 The {{net show evpn vni detail json}} command includes an extra empty dictionary at the end of the output. 3.7.8-3.7.16, 4.0.0-4.4.5 @@ -17373,7 +17373,7 @@ To work around this issue, configure the ECMP hash seed to the same value on the 4.0.0-4.4.5 -2543270 +2543270, 2549352 The default route injected through OSPF when you configure {{default-information originate always}} is unreliable and might age out unexpectedly. To work around this issue, rely on a different source of default route other than injection with {{default-information originate}}. 3.7.8-4.1.1 @@ -17447,7 +17447,7 @@ You can prevent EVPN next hops from not being removed when the contributing peer 3.7.9-3.7.16 -2542979 +2542979, 2546131 On the Dell-N3048EP-ON switch, when you run the {{sudo -E apt upgrade}} command, the upgrade does not work. 3.7.7-4.1.1 4.2.0-4.4.5 @@ -17481,7 +17481,7 @@ cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad 4.0.0-4.4.5 -2542871 +2542871, 2542901, 2542901 After you issue the NCLU {{net del bgp vrf <vrf> autonomous-system <AS>}} command and commit the change, Cumulus Linux does not remove the configuration from the {{/etc/frr/frr.conf}} file or the {{net show config commands}}. 3.7.3-3.7.10, 4.0.0-4.0.1 @@ -17609,7 +17609,7 @@ route-map peerlink-add-asn permit 20 3.7.9-3.7.16 -2542310 +2542310, 2523456 {{hsflow}} disregards the setting for {{agent.cidr}} in the {{/etc/hsflowd.conf}} file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the {{hsflow}} payload shows IPv6. 3.7.6-3.7.16 @@ -17786,7 +17786,7 @@ To work around this issue, restart {{switchd}}. -2540359 +2540359, 2540806 {{bgpd}} creates a core dump at zclient_send_interface_radv_req. This is an issue with how FRRouting checks next hops and has been pushed upstream to FRRouting. 3.7.6-3.7.8 3.7.9-3.7.16 @@ -17825,7 +17825,7 @@ To work around this issue, restart {{switchd}}. -2540204 +2540204, 2713883 When links come up after FRR is started, VRF connected routes do not get redistributed. 3.7.4-3.7.16, 4.0.0-4.4.5 @@ -18019,7 +18019,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal 3.7.9-3.7.16 -2537819 +2537819, 2542964 When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none. 3.7.2-3.7.16 @@ -18038,7 +18038,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537544 +2537544, 2537365 When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB. 3.7.1-3.7.16, 4.0.0-4.4.5 @@ -18066,13 +18066,13 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537153 +2537153, 2540994 In rare cases, certain IPv6 BGP peers fail to reestablish after {{switchd}} restarts. 3.7.2-3.7.8 3.7.9-3.7.16 -2537104 +2537104, 2534061 When you try to stop {{hsflowd}} on the Trident II+ switch with the {{systemctl stop hsflowd}} command, the process hangs until you stop it with {{SIGKILL}}. 3.7.1-3.7.16 @@ -18126,7 +18126,7 @@ Despite this error, the change is made and the description is removed from the { -2536230 +2536230, 2545399 On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature. In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. 3.7.3-3.7.10, 4.0.0-4.0.1 @@ -18167,7 +18167,7 @@ To work around this issue, use {{net show interface}} command for LLDP output wh 4.0.0-4.4.5 -2528990 +2528990, 2523824, 2523824, 2542431 During a link flap test, you might occasionally see a message similar to: {{warning: swp6: netlink: cannot set link swp6 down: [Errno 98] Address already in use}}. 3.7.6-3.7.10 3.7.11-3.7.16 @@ -18391,7 +18391,7 @@ To work around this issue, run the {{cl-support -M}} command to disable timeouts 3.7.11-3.7.16 -2544609 +2544609, 2550042 BGP is configured with soft reconfiguration-in for its peers, which is not working correctly and causes routes to have an unexpected label. As a result, transit traffic is not forwarded by the switch. 3.7.7-3.7.16 4.0.0-4.4.5 @@ -18638,7 +18638,7 @@ You can prevent EVPN next hops from not being removed when the contributing peer 3.7.9-3.7.16 -2542979 +2542979, 2546131 On the Dell-N3048EP-ON switch, when you run the {{sudo -E apt upgrade}} command, the upgrade does not work. 3.7.7-4.1.1 4.2.0-4.4.5 @@ -18666,7 +18666,7 @@ cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad 4.0.0-4.4.5 -2542871 +2542871, 2542901, 2542901 After you issue the NCLU {{net del bgp vrf <vrf> autonomous-system <AS>}} command and commit the change, Cumulus Linux does not remove the configuration from the {{/etc/frr/frr.conf}} file or the {{net show config commands}}. 3.7.3-3.7.10, 4.0.0-4.0.1 @@ -18794,7 +18794,7 @@ route-map peerlink-add-asn permit 20 3.7.9-3.7.16 -2542310 +2542310, 2523456 {{hsflow}} disregards the setting for {{agent.cidr}} in the {{/etc/hsflowd.conf}} file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the {{hsflow}} payload shows IPv6. 3.7.6-3.7.16 @@ -18971,7 +18971,7 @@ To work around this issue, restart {{switchd}}. -2540359 +2540359, 2540806 {{bgpd}} creates a core dump at zclient_send_interface_radv_req. This is an issue with how FRRouting checks next hops and has been pushed upstream to FRRouting. 3.7.6-3.7.8 3.7.9-3.7.16 @@ -19010,7 +19010,7 @@ To work around this issue, restart {{switchd}}. -2540204 +2540204, 2713883 When links come up after FRR is started, VRF connected routes do not get redistributed. 3.7.4-3.7.16, 4.0.0-4.4.5 @@ -19204,7 +19204,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal 3.7.9-3.7.16 -2537819 +2537819, 2542964 When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none. 3.7.2-3.7.16 @@ -19223,7 +19223,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537544 +2537544, 2537365 When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB. 3.7.1-3.7.16, 4.0.0-4.4.5 @@ -19251,13 +19251,13 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537153 +2537153, 2540994 In rare cases, certain IPv6 BGP peers fail to reestablish after {{switchd}} restarts. 3.7.2-3.7.8 3.7.9-3.7.16 -2537104 +2537104, 2534061 When you try to stop {{hsflowd}} on the Trident II+ switch with the {{systemctl stop hsflowd}} command, the process hangs until you stop it with {{SIGKILL}}. 3.7.1-3.7.16 @@ -19311,7 +19311,7 @@ Despite this error, the change is made and the description is removed from the { -2536230 +2536230, 2545399 On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature. In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. 3.7.3-3.7.10, 4.0.0-4.0.1 @@ -19352,7 +19352,7 @@ To work around this issue, use {{net show interface}} command for LLDP output wh 4.0.0-4.4.5 -2528990 +2528990, 2523824, 2523824, 2542431 During a link flap test, you might occasionally see a message similar to: {{warning: swp6: netlink: cannot set link swp6 down: [Errno 98] Address already in use}}. 3.7.6-3.7.10 3.7.11-3.7.16 @@ -19373,7 +19373,7 @@ To work around this issue, use {{net show interface}} command for LLDP output wh 3.7.6 -2542309 +2542309, 2540999 When all ports are split into 4X on the EdgeCore AS7726 switch, {{switchd}} fails to start up and a crash is seen in syslog. 3.7.5-3.7.6 @@ -19383,7 +19383,7 @@ To work around this issue, use {{net show interface}} command for LLDP output wh 3.7.6 -2541805 +2541805, 2526644 The {{clear bgp command}} does not support multiple address families. For example, the following command clears IPv6 unicast and ignores IPv4 unicast: cumulus@switch:~$ clear bgp l2vpn evpn @@ -19432,7 +19432,7 @@ To work around this issue, use {{net show interface}} command for LLDP output wh 3.7.6 -2541494 +2541494, 2541496 Under certain circumstances (when you reboot or restart the {{switchd}} service), a race condition might occur which causes a synchronization issue resulting in hardware misprogramming of the VXLAN tunnel endpoint interface (VTEP). Packets destined out this tunnel are dropped in the egress direction. Packets arriving on this tunnel are dropped in the ingress direction. This is due to a race condition between ASIC and kernel programming that causes the kernel to incorrectly process the link state of a VXLAN interface. To work around this issue, you can bounce the layer 3 SVI for the affected VRF. For example: @@ -19448,12 +19448,12 @@ To work around this issue, use {{net show interface}} command for LLDP output wh 3.7.5 -2541294 +2541294, 2541786 In an EVPN configuration, the old MAC/IP route is present in the routing table after an IP mobility event. 3.7.5-3.7.6 -2541213 +2541213, 2541027 On Trident2 switches, egress double-tagged frames incorrectly use 802.1Q outer ethertype instead of 802.1AD. 3.7.5-3.7.6 @@ -19610,7 +19610,7 @@ However, you might have to explicitly disable auto-negotiation and FEC in this s 3.7.2-3.7.6 -2536266 +2536266, 2535677 When a VXLAN SVI transitions to a non-VXLAN SVI, the associated VRRP MAC addresses are not removed. After the transition happens, the removal fails as the VXLAN context is lost and you see the following {{switchd}} error: 2018-09-06T20:38:20.682916+00:00 dell-s6010-01 switchd[5445]: hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 224 mac: 00:00:5e:00:01:01 (-7) @@ -19626,7 +19626,7 @@ However, you might have to explicitly disable auto-negotiation and FEC in this s 3.7.6 -2534134 +2534134, 2534640, 2539619 During system boot, Cumulus Linux reads the {{/etc/cumulus/ports.conf}} file to obtain the port speed. The port speed is programmed into the ASIC and synchronized to the kernel. After system boot, the kernel speed shows correctly as it matches the ASIC speed that is derived from the {{/etc/cumulus/ports.conf}} file and the cable type. However, if you restart {{switchd}} without rebooting the system, {{switchd}} synchronizes the speed from the kernel and uses it to program the ASIC. When you change the port speed in the {{/etc/cumulus/ports.conf}} file to ether a higher or lower speed (for example from 100G to 40G or from 40G to 100G) and the attached cable can support both speeds, the pre-existing speed is synchronized from the kernel. Consequently, the kernel speed remains at the pre-existing (incorrect) speed. @@ -19981,7 +19981,7 @@ cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad 4.0.0-4.4.5 -2542871 +2542871, 2542901, 2542901 After you issue the NCLU {{net del bgp vrf <vrf> autonomous-system <AS>}} command and commit the change, Cumulus Linux does not remove the configuration from the {{/etc/frr/frr.conf}} file or the {{net show config commands}}. 3.7.3-3.7.10, 4.0.0-4.0.1 @@ -20105,14 +20105,14 @@ route-map peerlink-add-asn permit 20 3.7.9-3.7.16 -2542310 +2542310, 2523456 {{hsflow}} disregards the setting for {{agent.cidr}} in the {{/etc/hsflowd.conf}} file and selects an IPv6 agent address. The source IP address of the hsflowd packet is IPv4, but the agent address in the {{hsflow}} payload shows IPv6. 3.7.6-3.7.16 -2542309 +2542309, 2540999 When all ports are split into 4X on the EdgeCore AS7726 switch, {{switchd}} fails to start up and a crash is seen in syslog. 3.7.5-3.7.6 3.7.7-3.7.16 @@ -20256,7 +20256,7 @@ route-map peerlink-add-asn permit 20 3.7.7-3.7.16 -2541494 +2541494, 2541496 Under certain circumstances (when you reboot or restart the {{switchd}} service), a race condition might occur which causes a synchronization issue resulting in hardware misprogramming of the VXLAN tunnel endpoint interface (VTEP). Packets destined out this tunnel are dropped in the egress direction. Packets arriving on this tunnel are dropped in the ingress direction. This is due to a race condition between ASIC and kernel programming that causes the kernel to incorrectly process the link state of a VXLAN interface. To work around this issue, you can bounce the layer 3 SVI for the affected VRF. For example: @@ -20268,13 +20268,13 @@ route-map peerlink-add-asn permit 20 -2541294 +2541294, 2541786 In an EVPN configuration, the old MAC/IP route is present in the routing table after an IP mobility event. 3.7.5-3.7.16 -2541213 +2541213, 2541027 On Trident2 switches, egress double-tagged frames incorrectly use 802.1Q outer ethertype instead of 802.1AD. 3.7.5-3.7.6 3.7.7-3.7.16 @@ -20423,7 +20423,7 @@ To work around this issue, restart {{switchd}}. -2540359 +2540359, 2540806 {{bgpd}} creates a core dump at zclient_send_interface_radv_req. This is an issue with how FRRouting checks next hops and has been pushed upstream to FRRouting. 3.7.6-3.7.8 3.7.9-3.7.16 @@ -20468,7 +20468,7 @@ To work around this issue, restart {{switchd}}. 3.7.7-3.7.16 -2540204 +2540204, 2713883 When links come up after FRR is started, VRF connected routes do not get redistributed. 3.7.4-3.7.16, 4.0.0-4.4.5 @@ -20743,7 +20743,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal 3.7.9-3.7.16 -2537819 +2537819, 2542964 When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none. 3.7.2-3.7.16 @@ -20769,7 +20769,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537544 +2537544, 2537365 When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB. 3.7.1-3.7.16, 4.0.0-4.4.5 @@ -20797,13 +20797,13 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537153 +2537153, 2540994 In rare cases, certain IPv6 BGP peers fail to reestablish after {{switchd}} restarts. 3.7.2-3.7.8 3.7.9-3.7.16 -2537104 +2537104, 2534061 When you try to stop {{hsflowd}} on the Trident II+ switch with the {{systemctl stop hsflowd}} command, the process hangs until you stop it with {{SIGKILL}}. 3.7.1-3.7.16 @@ -20857,7 +20857,7 @@ Despite this error, the change is made and the description is removed from the { -2536266 +2536266, 2535677 When a VXLAN SVI transitions to a non-VXLAN SVI, the associated VRRP MAC addresses are not removed. After the transition happens, the removal fails as the VXLAN context is lost and you see the following {{switchd}} error: 2018-09-06T20:38:20.682916+00:00 dell-s6010-01 switchd[5445]: hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 224 mac: 00:00:5e:00:01:01 (-7) @@ -20869,7 +20869,7 @@ Despite this error, the change is made and the description is removed from the { 3.7.7-3.7.16 -2536230 +2536230, 2545399 On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature. In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. 3.7.3-3.7.10, 4.0.0-4.0.1 @@ -20923,7 +20923,7 @@ The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bu 3.7.7-3.7.16 -2528990 +2528990, 2523824, 2523824, 2542431 During a link flap test, you might occasionally see a message similar to: {{warning: swp6: netlink: cannot set link swp6 down: [Errno 98] Address already in use}}. 3.7.6-3.7.10 3.7.11-3.7.16 @@ -21233,7 +21233,7 @@ You can prevent EVPN next hops from not being removed when the contributing peer 4.0.0-4.4.5 -2542871 +2542871, 2542901, 2542901 After you issue the NCLU {{net del bgp vrf <vrf> autonomous-system <AS>}} command and commit the change, Cumulus Linux does not remove the configuration from the {{/etc/frr/frr.conf}} file or the {{net show config commands}}. 3.7.3-3.7.10, 4.0.0-4.0.1 @@ -21270,7 +21270,7 @@ To work around this issue, either: 3.7.9-3.7.16 -2542309 +2542309, 2540999 When all ports are split into 4X on the EdgeCore AS7726 switch, {{switchd}} fails to start up and a crash is seen in syslog. 3.7.5-3.7.6 3.7.7-3.7.16 @@ -21326,7 +21326,7 @@ To work around this issue, either: 3.7.9-3.7.16 -2541494 +2541494, 2541496 Under certain circumstances (when you reboot or restart the {{switchd}} service), a race condition might occur which causes a synchronization issue resulting in hardware misprogramming of the VXLAN tunnel endpoint interface (VTEP). Packets destined out this tunnel are dropped in the egress direction. Packets arriving on this tunnel are dropped in the ingress direction. This is due to a race condition between ASIC and kernel programming that causes the kernel to incorrectly process the link state of a VXLAN interface. To work around this issue, you can bounce the layer 3 SVI for the affected VRF. For example: @@ -21344,13 +21344,13 @@ To work around this issue, either: 3.7.6-3.7.16 -2541294 +2541294, 2541786 In an EVPN configuration, the old MAC/IP route is present in the routing table after an IP mobility event. 3.7.5-3.7.16 -2541213 +2541213, 2541027 On Trident2 switches, egress double-tagged frames incorrectly use 802.1Q outer ethertype instead of 802.1AD. 3.7.5-3.7.6 3.7.7-3.7.16 @@ -21573,7 +21573,7 @@ This issue was discovered on the Helix4 switch but applies to all switches. 3.7.6-3.7.16 -2540204 +2540204, 2713883 When links come up after FRR is started, VRF connected routes do not get redistributed. 3.7.4-3.7.16, 4.0.0-4.4.5 @@ -21860,7 +21860,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal 3.7.9-3.7.16 -2537819 +2537819, 2542964 When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none. 3.7.2-3.7.16 @@ -21886,7 +21886,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537544 +2537544, 2537365 When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB. 3.7.1-3.7.16, 4.0.0-4.4.5 @@ -21914,13 +21914,13 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537153 +2537153, 2540994 In rare cases, certain IPv6 BGP peers fail to reestablish after {{switchd}} restarts. 3.7.2-3.7.8 3.7.9-3.7.16 -2537104 +2537104, 2534061 When you try to stop {{hsflowd}} on the Trident II+ switch with the {{systemctl stop hsflowd}} command, the process hangs until you stop it with {{SIGKILL}}. 3.7.1-3.7.16 @@ -21974,7 +21974,7 @@ Despite this error, the change is made and the description is removed from the { -2536266 +2536266, 2535677 When a VXLAN SVI transitions to a non-VXLAN SVI, the associated VRRP MAC addresses are not removed. After the transition happens, the removal fails as the VXLAN context is lost and you see the following {{switchd}} error: 2018-09-06T20:38:20.682916+00:00 dell-s6010-01 switchd[5445]: hal_bcm_l3.c:3436 ERR cannot find l3 intf for vlan: 224 mac: 00:00:5e:00:01:01 (-7) @@ -21986,7 +21986,7 @@ Despite this error, the change is made and the description is removed from the { 3.7.7-3.7.16 -2536230 +2536230, 2545399 On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature. In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. 3.7.3-3.7.10, 4.0.0-4.0.1 @@ -22215,7 +22215,7 @@ You can prevent EVPN next hops from not being removed when the contributing peer 4.0.0-4.4.5 -2542871 +2542871, 2542901, 2542901 After you issue the NCLU {{net del bgp vrf <vrf> autonomous-system <AS>}} command and commit the change, Cumulus Linux does not remove the configuration from the {{/etc/frr/frr.conf}} file or the {{net show config commands}}. 3.7.3-3.7.10, 4.0.0-4.0.1 @@ -22266,7 +22266,7 @@ You can prevent EVPN next hops from not being removed when the contributing peer 3.7.9-3.7.16 -2541494 +2541494, 2541496 Under certain circumstances (when you reboot or restart the {{switchd}} service), a race condition might occur which causes a synchronization issue resulting in hardware misprogramming of the VXLAN tunnel endpoint interface (VTEP). Packets destined out this tunnel are dropped in the egress direction. Packets arriving on this tunnel are dropped in the ingress direction. This is due to a race condition between ASIC and kernel programming that causes the kernel to incorrectly process the link state of a VXLAN interface. To work around this issue, you can bounce the layer 3 SVI for the affected VRF. For example: @@ -22450,7 +22450,7 @@ This issue was discovered on the Helix4 switch but applies to all switches. 3.7.6-3.7.16 -2540204 +2540204, 2713883 When links come up after FRR is started, VRF connected routes do not get redistributed. 3.7.4-3.7.16, 4.0.0-4.4.5 @@ -22737,7 +22737,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal 3.7.9-3.7.16 -2537819 +2537819, 2542964 When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none. 3.7.2-3.7.16 @@ -22763,7 +22763,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537544 +2537544, 2537365 When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB. 3.7.1-3.7.16, 4.0.0-4.4.5 @@ -22785,13 +22785,13 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537153 +2537153, 2540994 In rare cases, certain IPv6 BGP peers fail to reestablish after {{switchd}} restarts. 3.7.2-3.7.8 3.7.9-3.7.16 -2537104 +2537104, 2534061 When you try to stop {{hsflowd}} on the Trident II+ switch with the {{systemctl stop hsflowd}} command, the process hangs until you stop it with {{SIGKILL}}. 3.7.1-3.7.16 @@ -22845,7 +22845,7 @@ Despite this error, the change is made and the description is removed from the { -2536230 +2536230, 2545399 On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature. In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. 3.7.3-3.7.10, 4.0.0-4.0.1 @@ -22982,7 +22982,7 @@ The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bu 3.7.2-3.7.3 -2538884 +2538884, 2538887 {{cl-acltool -i}} fails to install LOG rules if either the source or destination (-d or -s) has multiple comma-separated values, such as: -A FORWARD -s "192.168.0.0/16" -d "192.168.0.0/16,172.16.0.0/12" -j LOG --log-prefix "DROP: " @@ -23064,7 +23064,7 @@ The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bu 3.7.0-3.7.3 -2537409 +2537409, 2538035 It is not currently possible to bring up some 10G LR interfaces on Mellanox switches as auto-negotiation is set to {{on}} in hardware. 3.7.1-3.7.3 @@ -23086,7 +23086,7 @@ The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bu -2536107 +2536107, 2539595 On Tomahawk+ switches, the {{switchd}} process is unable to restart after configuring 2x25G in the {{/etc/cumulus/ports.conf}} file. @@ -23254,7 +23254,7 @@ You can prevent EVPN next hops from not being removed when the contributing peer 4.0.0-4.4.5 -2542871 +2542871, 2542901, 2542901 After you issue the NCLU {{net del bgp vrf <vrf> autonomous-system <AS>}} command and commit the change, Cumulus Linux does not remove the configuration from the {{/etc/frr/frr.conf}} file or the {{net show config commands}}. 3.7.3-3.7.10, 4.0.0-4.0.1 @@ -23633,7 +23633,7 @@ However, you might have to explicitly disable auto-negotiation and FEC in this s 3.7.7-3.7.16 -2538884 +2538884, 2538887 {{cl-acltool -i}} fails to install LOG rules if either the source or destination (-d or -s) has multiple comma-separated values, such as: -A FORWARD -s "192.168.0.0/16" -d "192.168.0.0/16,172.16.0.0/12" -j LOG --log-prefix "DROP: " @@ -23766,7 +23766,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal 3.7.4-3.7.16 -2537819 +2537819, 2542964 When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none. 3.7.2-3.7.16 @@ -23814,13 +23814,13 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537544 +2537544, 2537365 When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB. 3.7.1-3.7.16, 4.0.0-4.4.5 -2537409 +2537409, 2538035 It is not currently possible to bring up some 10G LR interfaces on Mellanox switches as auto-negotiation is set to {{on}} in hardware. 3.7.1-3.7.3 3.7.4-3.7.16 @@ -23842,7 +23842,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537153 +2537153, 2540994 In rare cases, certain IPv6 BGP peers fail to reestablish after {{switchd}} restarts. 3.7.2-3.7.8 3.7.9-3.7.16 @@ -23855,7 +23855,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal 3.7.4-3.7.16 -2537104 +2537104, 2534061 When you try to stop {{hsflowd}} on the Trident II+ switch with the {{systemctl stop hsflowd}} command, the process hangs until you stop it with {{SIGKILL}}. 3.7.1-3.7.16 @@ -23909,7 +23909,7 @@ Despite this error, the change is made and the description is removed from the { -2536230 +2536230, 2545399 On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature. In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. 3.7.3-3.7.10, 4.0.0-4.0.1 @@ -24188,7 +24188,7 @@ The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bu 3.7.0-3.7.2 -2536245 +2536245, 2536488, 2537976 When using dynamic route leaking, software forwarding of packets fails between the connected source and destination. To work around this issue, configure the leak on a switch that does not have any locally-connected hosts. 3.7.1-3.7.2 @@ -24204,12 +24204,12 @@ The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bu -2535751 +2535751, 2535802 The NCLU {{net add}} and {{net commit}} commands change the interfaces file even if you add a service like {{snmp/hostname/etc}}. This causes an issue with automation. For example, Ansible runs handlers ({{ifreload -a}} for interfaces) during each push if the file being edited changes. 3.7.0-3.7.2 -2535415 +2535415, 2539088 The wrong route target/route distinguisher is sent in an EVPN advertisement after a port flap. @@ -24576,7 +24576,7 @@ However, you might have to explicitly disable auto-negotiation and FEC in this s 3.7.7-3.7.16 -2538884 +2538884, 2538887 {{cl-acltool -i}} fails to install LOG rules if either the source or destination (-d or -s) has multiple comma-separated values, such as: -A FORWARD -s "192.168.0.0/16" -d "192.168.0.0/16,172.16.0.0/12" -j LOG --log-prefix "DROP: " @@ -24837,7 +24837,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal 3.7.3-3.7.16 -2537819 +2537819, 2542964 When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none. 3.7.2-3.7.16 @@ -24897,13 +24897,13 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal 3.7.3-3.7.16 -2537544 +2537544, 2537365 When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB. 3.7.1-3.7.16, 4.0.0-4.4.5 -2537409 +2537409, 2538035 It is not currently possible to bring up some 10G LR interfaces on Mellanox switches as auto-negotiation is set to {{on}} in hardware. 3.7.1-3.7.3 3.7.4-3.7.16 @@ -24925,7 +24925,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537153 +2537153, 2540994 In rare cases, certain IPv6 BGP peers fail to reestablish after {{switchd}} restarts. 3.7.2-3.7.8 3.7.9-3.7.16 @@ -24938,7 +24938,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal 3.7.4-3.7.16 -2537104 +2537104, 2534061 When you try to stop {{hsflowd}} on the Trident II+ switch with the {{systemctl stop hsflowd}} command, the process hangs until you stop it with {{SIGKILL}}. 3.7.1-3.7.16 @@ -25027,7 +25027,7 @@ To work around this issue: -2536245 +2536245, 2536488, 2537976 When using dynamic route leaking, software forwarding of packets fails between the connected source and destination. To work around this issue, configure the leak on a switch that does not have any locally-connected hosts. 3.7.1-3.7.2 @@ -25054,7 +25054,7 @@ To work around this issue, use dynamic signaling (joins) to manage IP multicast -2535751 +2535751, 2535802 The NCLU {{net add}} and {{net commit}} commands change the interfaces file even if you add a service like {{snmp/hostname/etc}}. This causes an issue with automation. For example, Ansible runs handlers ({{ifreload -a}} for interfaces) during each push if the file being edited changes. 3.7.0-3.7.2 3.7.3-3.7.16 @@ -25151,7 +25151,7 @@ The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bu 3.7.0-3.7.1 -2536934 +2536934, 2536180, 2536181 When installing an IPv6 onlink route, if the kernel has a default route and the gateway resolves out of the default route, the route is rejected if the passed in {{ifindex}} does not match. With IPv4, the default route match is ignored and the onlink based route is installed. @@ -25180,7 +25180,7 @@ The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bu 3.7.0-3.7.1 -2536489 +2536489, 2537568 On a Mellanox switch, when using an ECMP route over /31 interfaces, incorrect layer 3 neighbor and layer 3 route entries are shown. @@ -25195,7 +25195,7 @@ The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bu -2536454 +2536454, 2536940 Input chain ACLs do not apply in hardware on Broadcom platforms and input packets are processed against rules in the kernel instead. This can result in rules with the drop action not applying in hardware and the packets reaching the kernel. for platforms that do _not_ provide native support for VXLAN routing (non-RIOT platforms). @@ -25223,7 +25223,7 @@ NCLU now supports {{large-community}}. -2536210 +2536210, 2536835 When you add ports as bridge ports multiple times with the NCLU command, the commits succeed without error. To work around this issue, remove the extra interfaces with the {{net del bridge bridge ports <interface>}} command. @@ -25292,7 +25292,7 @@ To work around this issue, start SNMP manually. -2535877 +2535877, 2535399 Mellanox switches prefer a MAC entry learned through the VNI over a permanent entry for the corresponding SVI. @@ -25337,7 +25337,7 @@ Run the {{ifreload -a -X eth0}} command to update the interface configuration on -2531159 +2531159, 2531602 MLAG does not sync permanent MAC addresses between peers and {{nolearning}} is turned on; traffic with a next-hop pointing to the peerlink is forwarded to the CPU and throughput is limited. Permanent MAC address sync between MLAG peers is now supported. @@ -25580,13 +25580,13 @@ To work around this issue, run the {{cl-support -M}} command to disable timeouts 3.7.3-3.7.16 -2537544 +2537544, 2537365 When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB. 3.7.1-3.7.16, 4.0.0-4.4.5 -2537409 +2537409, 2538035 It is not currently possible to bring up some 10G LR interfaces on Mellanox switches as auto-negotiation is set to {{on}} in hardware. 3.7.1-3.7.3 3.7.4-3.7.16 @@ -25607,7 +25607,7 @@ To work around this issue, run the {{cl-support -M}} command to disable timeouts 3.7.4-3.7.16 -2537104 +2537104, 2534061 When you try to stop {{hsflowd}} on the Trident II+ switch with the {{systemctl stop hsflowd}} command, the process hangs until you stop it with {{SIGKILL}}. 3.7.1-3.7.16 @@ -25758,7 +25758,7 @@ To work around this issue: -2536245 +2536245, 2536488, 2537976 When using dynamic route leaking, software forwarding of packets fails between the connected source and destination. To work around this issue, configure the leak on a switch that does not have any locally-connected hosts. 3.7.1-3.7.2 @@ -25785,7 +25785,7 @@ To work around this issue, use dynamic signaling (joins) to manage IP multicast -2535751 +2535751, 2535802 The NCLU {{net add}} and {{net commit}} commands change the interfaces file even if you add a service like {{snmp/hostname/etc}}. This causes an issue with automation. For example, Ansible runs handlers ({{ifreload -a}} for interfaces) during each push if the file being edited changes. 3.7.0-3.7.2 3.7.3-3.7.16 @@ -26244,7 +26244,7 @@ To work around this issue, use dynamic signaling (joins) to manage IP multicast -2535751 +2535751, 2535802 The NCLU {{net add}} and {{net commit}} commands change the interfaces file even if you add a service like {{snmp/hostname/etc}}. This causes an issue with automation. For example, Ansible runs handlers ({{ifreload -a}} for interfaces) during each push if the file being edited changes. 3.7.0-3.7.2 3.7.3-3.7.16 @@ -26318,7 +26318,7 @@ The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bu -2536011 +2536011, 2535885 When you run an NCLU command from the command line, the command hangs without a response. @@ -26344,7 +26344,7 @@ The NetQ agent has been removed from Cumulus VX 3.7.7. The NetQ agent will be bu -2535869 +2535869, 2532116, 2536110, 2536485 When you configure a breakout port using NCLU, the configuration is not successful. @@ -26420,7 +26420,7 @@ This issue is being investigated at this time. -2534230 +2534230, 2537771 On a Cumulus Linux switch, if a bridge has VXLAN interfaces, then the {{arp_accept}} and {{arp_ignore}} options do not work for any switch virtual interfaces (SVIs). To work around this issue, disable ARP suppression on the VXLAN interfaces. For example, if the VXLAN is named vni100, disable ARP suppression on it with the following command: diff --git a/content/cumulus-linux-40/Whats-New/rn.md b/content/cumulus-linux-40/Whats-New/rn.md index 3c38162a18..81f577195a 100644 --- a/content/cumulus-linux-40/Whats-New/rn.md +++ b/content/cumulus-linux-40/Whats-New/rn.md @@ -33,10 +33,10 @@ pdfhidden: True | [2866084](#2866084)
| When you reboot a VTEP, MAC address entries might become out of sync between the kernel FDB table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries are installed against the rebooted VTEP IP address in the kernel FDB and the correct VTEP IP is present in the EVPN MAC VNI table. To work around this issue, clear all corrupted MAC address entries in the kernel FDB with the bridge fdb del
dev [dst\|via] command, then add "vxlan-learning": "off" in the /etc/network/ifupdown2/policy.d/vxlan.json file:
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
  {
       "vxlan": {
           "module_globals": { "vxlan-purge-remotes": "no" },
           "defaults": {
               "vxlan-ageing": "1800",
               "vxlan-port": "4789", <==== This comma needs to be added at the end of this line
               "vxlan-learning": "off" <= This line needs to be added
            }
       }
  }
Reboot the affected switches. | 3.7.12-4.3.0 | 4.3.1-4.4.5| | [2792750](#2792750)
| If you change the clagd-vxlan-anycast-ip setting on both MLAG peers at the same time, both peers use their unique VTEP address indefinitely. | 3.7.15-4.3.0, 4.4.0-4.4.5 | 4.3.1| | [2754723](#2754723)
| When you set route_preferred_over_neigh to FALSE in the /etc/cumulus/switchd.conf file, host routes (/32 or /128) are used for forwarding in hardware instead of a local neighbor entry. | 4.0.0-4.3.0, 4.4.0-4.4.1 | 4.3.1, 4.4.2-4.4.5, 5.0.0-5.16.1| -| [2743186](#2743186)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| +| [2743186, 2734100, 2731464, 3438708](#2743186, 2734100, 2731464, 3438708)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| | [2730225](#2730225)
| When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs. | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.2-4.4.5| -| [2716822](#2716822)
| The /etc/cumulus/ports.conf file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports. | 3.7.15-4.3.0 | 4.3.1-4.4.5| -| [2713888](#2713888)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| +| [2716822, 2710844](#2716822, 2710844)
| The /etc/cumulus/ports.conf file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports. | 3.7.15-4.3.0 | 4.3.1-4.4.5| +| [2713888, 2834357](#2713888, 2834357)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| | [2699399](#2699399)
| When you run the vtysh show ip bgp vrf statistics command, the bgpd service crashes if you use vrf all. For example:
spine01# show ip bgp vrf all statistics 
vtysh: error reading from bgpd: Success (0)Warning: closing connection to bgpd because of an I/O error!

spine01# show bgp vrf all ipv6 unicast statistics 
vtysh: error reading from bgpd: Success (0)Warning: closing connection to bgpd because of an I/O error!

To workaround this issue, run the command against each VRF independently. | 3.7.15, 4.0.0-4.4.5 | 3.7.16| | [2687332](#2687332)
| When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage
To workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:
address-family ipv4 unicast
  aggregate-address 10.10.0.0/16 summary-only
  redistribute connected
After:
ip route 10.10.0.0/16 Null0
  !
  address-family ipv4 unicast
  redistribute connected route-map DENY-COMPONENTS
  redistribute static
   exit-address-family
  ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17
  !
  route-map DENY-COMPONENTS deny 10
   match ip address prefix-list NO-COMPONENTS
  !
  route-map DENY-COMPONENTS permit 20
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2685994](#2685994)
| When you use the NVUE command nv set interface lo router ospf area to configure OSPF on a loopback interface, the configuration fails to apply
To work around this issue, configure the loopback interface in the desired OSPF area with the nv set vrf default router ospf area 0 network command and reference the assigned prefix of the loopback interface. For example:
cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32
| 4.0.0-5.0.1 | 5.1.0-5.16.1| @@ -44,11 +44,11 @@ pdfhidden: True | [2556764](#2556764)
| In a configuration with both traditional and VLAN-aware bridges, the VLAN membership check on a VLAN-aware bridge does not drop PVST BPBUs that come from a traditional bridge. | 3.7.14-3.7.14.2, 4.0.0-4.3.4 | 3.7.15-3.7.16, 4.4.0-4.4.5| | [2556500](#2556500)
| Cumulus Linux does not support bond members at 200G or greater. | 4.0.0-4.3.4 | 4.4.0-4.4.5| | [2556037](#2556037)
| After you add an interface to the bridge, an OSPF session flap might occur
| 3.7.9-4.2.0 | 4.2.1-4.4.5| -| [2556010](#2556010)
| On Broadcom switches, after repeated VLAN or VXLAN configuration changes, switchd memory might not free up appropriately, which can lead to a crash. | 3.7.14, 4.0.0-4.2.1 | 3.7.14.2-3.7.16, 4.3.0-4.4.5| +| [2556010, 2556276](#2556010, 2556276)
| On Broadcom switches, after repeated VLAN or VXLAN configuration changes, switchd memory might not free up appropriately, which can lead to a crash. | 3.7.14, 4.0.0-4.2.1 | 3.7.14.2-3.7.16, 4.3.0-4.4.5| | [2555908](#2555908)
| If the you add the MLAG backup IP address to the MLAG peer in the secondary role while the peer link is down, the LACP sys-mac does not use the MLAG system MAC address (clagd-sys-mac) when the peer link comes back up
To work around this issue, wait until the peer link is up to add the MLAG backup IP address. To recover from this condition, restart clagd with the sudo systemctl restart clagd command. | 3.7.12-4.0.1 | 4.1.0-4.4.5| | [2555528](#2555528)
| In an EVPN Active/Active configuration, when one of the peers reboots and begins to refresh IP neighbor entries shared by the MLAG peer, some of these ARP messages might be dropped by the MLAG peer's ARP policer.
To work around this issue, increase the burst value of the ARP policers to 200 or higher. | 3.7.14-4.2.1 | 4.3.0-4.4.5| | [2555400](#2555400)
| On the Edgecore AS7312 switch, eth0 and swp use the same MAC address. | 3.7.14-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| -| [2555175](#2555175)
| Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. | 3.7.15-4.3.1 | 4.3.2-4.4.5| +| [2555175, 3195351, 2672721](#2555175, 3195351, 2672721)
| Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. | 3.7.15-4.3.1 | 4.3.2-4.4.5| | [2554990](#2554990)
| When running traditional mode bridges at scale (for example, when you have more than 200 bridges and a large number of MAC addresses), MLAG bonds flap intermittently from dual to single connected, then back to dual connected, which causes a layer 2 loop and STP state changes.
To work around this issue, either shut down one side of the MLAG bond or prune out VLANS over the bond. | 3.7.13-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| | [2554785](#2554785)
| After you reboot a Broadcom switch, switchd might fail to restart and you see logs in switchd.log similar to the following:
Nov 12 12:20:05.063876 leaf01 switchd[9867]:Nov 12 12:20:05.064310 leaf01 switchd[9867]: hal_bcm_console.c:294 0:system_init:Nov 12 12:20:05.064428 leaf01 switchd[9867]: hal_bcm_console.c:294 system_init: Misc init failed: Operation timed outNov 12 12:20:05.064464 leaf01 switchd[9867]:Nov 12 12:20:05.091995 leaf01 switchd[9867]: hal_bcm_console.c:294 LED: Loading 256 bytes into LED program memoryNov 12 12:20:05.092029 leaf01 switchd[9867]:Nov 12 12:20:05.099547 leaf01 switchd[9867]: hal_bcm_console.c:294 PORT: Error: bcm ports not initializedNov 12 12:20:05.099579 leaf01 switchd[9867]:Nov 12 12:20:05.099646 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /var/lib/cumulus/rc.datapath_0: line 81 (error code -1): script terminatedNov 12 12:20:05.099667 leaf01 switchd[9867]:Nov 12 12:20:05.099775 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /etc/bcm.d/rc.soc: line 70 (error code -1): script terminatedNov 12 12:20:05.099798 leaf01 switchd[9867]:Nov 12 12:20:05.099871 leaf01 switchd[9867]: hal_bcm_console.c:294 ERROR loading rc script on unit 0Nov 12 12:20:05.099892 leaf01 switchd[9867]:Nov 12 12:20:05.099943 leaf01 switchd[9867]: hal_bcm_console.c:299 CRIT loading of rc script failed, aborting!
To work around this issue, configure Cumulus Linux to boot with the ntel_iommu=off kernel command option:1. Open the /etc/default/grub file with a text editor
2. Edit the GRUB_CMDLINE_LINUX variable by adding the string intel_iommu=off at the end. For example: GRUB_CMDLINE_LINUX="cl_platform=cel_e1031 console=ttyS1,115200n8 intel_iommu=off"3. Run the update-grub command
4. Reboot the switch. | 3.7.11-4.2.1 | 4.3.0-4.4.5| | [2554720](#2554720)
| If switchd successfully signals clagd that it is going down, clagd stops responding to keepalive echo requests from the peer instead of sending a good bye to the peer over both the peerlink and the backup switch. Eventually, the keepalive timer expires and the secondary switch becomes the primary, and brings the bonds and VNIs back up. However, if switchd does not successfully signal it is going down, (in the event of a crash), the primary switch continues to respond to keepalives, and the bonds and VNIs are down on both peers. | 3.7.12-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| @@ -65,10 +65,10 @@ pdfhidden: True | [2552939](#2552939)
| RX_DRP on a bond interface increases without any data traffic while the slave port does not increase. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2552869](#2552869)
| On the Dell N3048EP switch, the module information from SFP ports is not displayed in the l1-show command.
To work around this issue, use the ethtool -m command. | 3.7.13-4.2.1 | 4.3.0-4.4.5| | [2552853](#2552853)
| Tenant VRF BGP peers appear in the EVPN RMAC and nexthop tables, which causes the kernel RMAC to point at invalid IP address. | 3.7.12-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| -| [2552742](#2552742)
| On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.
To work around this issue, restart switchd. | 3.7.12-4.2.1 | 4.3.0-4.4.5| +| [2552742, 2553000, 2553936](#2552742, 2553000, 2553936)
| On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.
To work around this issue, restart switchd. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2552704](#2552704)
| In a traditional bridge configuration with ip-forward off, neighbors are synchronized to hardware with a switchd restart but are cleared when you flap the bridge interface. | 3.7.10-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| | [2552527](#2552527)
| Ingress SPAN/ERSPAN does not mirror packets when the next hop is EVPN encapsulated. | 3.7.7-3.7.13, 4.0.0-4.2.1 | 3.7.14-3.7.16, 4.3.0-4.4.5| -| [2552505](#2552505)
| Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports.
To work around this issue, manually set the MAC address of the bridge interface by adding hwaddress to the bridge stanza in the /etc/network/interfaces file. | 3.7.11-3.7.13, 4.0.0-4.2.0 | 3.7.14-3.7.16, 4.2.1-4.4.5| +| [2552505, 2552604](#2552505, 2552604)
| Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports.
To work around this issue, manually set the MAC address of the bridge interface by adding hwaddress to the bridge stanza in the /etc/network/interfaces file. | 3.7.11-3.7.13, 4.0.0-4.2.0 | 3.7.14-3.7.16, 4.2.1-4.4.5| | [2552294](#2552294)
| NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command.
| 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2552204](#2552204)
| If the MAC address of an SVI changes, clagd does not update its permanent neighbor entry for the local interface, and it does not report the change to its MLAG peer. This leaves the MLAG peer in a state where its permanent neighbor for the MLAG peer's SVI IP address continues to use the old MAC address, which causes routed traffic over this SVI to be dropped.
To work around this issue, ifdown/ifup the SVI when a MAC address changes. | 3.7.12-3.7.13, 4.0.0-4.2.0 | 3.7.14-3.7.16, 4.2.1-4.4.5| | [2551911](#2551911)
| ifupdown2 does not account for link status or link down configuration when running dhclient. For example, ifupdown2 ignores link-down yes during ifup/ifreload and runs the DHCP module if inet dhcp is configured on the interface. ifupdown2 also runs the DHCP module even when the physical link configured for DHCP is down. | 3.7.12-4.2.0 | 4.2.1-4.4.5| @@ -82,7 +82,7 @@ pdfhidden: True | [2551650](#2551650)
| The net show dot1x interface summary command output shows a MAC address with all zeros associated with a port. | 3.7.12-3.7.13, 4.0.0-4.2.0 | 3.7.14-3.7.16, 4.2.1-4.4.5| | [2551578](#2551578)
| When you configure a bridge in the /etc/network/interfaces file, then try to reconfigure the bridge to be a VRF interface with the same name, ifreload/ifup commands fail with an invalid table id or unable to get vrf table id error. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2551335](#2551335)
| When TACACS+ is configured and the management VRF is enabled, users with privilege level 13 are prevented from running ip and cat commands. | 4.0.0-4.4.5 | | -| [2551162](#2551162)
| switchd memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time.
To work around this issue, correct the cause of the frequent link flaps. You can restart switchd with the sudo systemctl restart switchd command to recover memory; this operation is impactful to all traffic on the switch during the restart. | 3.7.11-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| +| [2551162, 2550590](#2551162, 2550590)
| switchd memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time.
To work around this issue, correct the cause of the frequent link flaps. You can restart switchd with the sudo systemctl restart switchd command to recover memory; this operation is impactful to all traffic on the switch during the restart. | 3.7.11-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| | [2551124](#2551124)
| When the dynamic or static flag on a bridge fdb (MAC) entry is changed to the opposite state, the new flag is not set appropriately in hardware. This can allow a static fdb entry to be unexpectedly learned dynamically on a different interface, or can prevent a dynamic entry from being updated or learned elsewhere.
This condition can occur during a manual replacement of a local MAC address or when EVPN updates a dynamic MAC address to add or remove the Sticky Mac flag. Either situation results in the MAC address keeping the original flag in hardware.
To work around this issue, delete or withdraw the fdb entry, then add the static MAC address directly. For example:

bridge fdb del 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master
bridge fdb add 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master [ static \| dynamic ]

If you are unable to delete an EVPN-learned remote MAC address, you can replace the dynamic MAC address with a local static one, then delete the static MAC address. For example:

bridge fdb replace 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master static
bridge fdb del 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master
bridge fdb add 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master [ static \| dynamic ]
| 4.0.0-4.2.1 | 4.3.0-4.4.5| | [2551111](#2551111)
| If a remote EVPN Sticky MAC [Static MAC address] is unexpectedly learned dynamically on a local interface, the selected entries in zebra and BGP are in an inconsistent state.
zebra increments the local MAC mobility sequence number and considers the MAC address to be local, but BGP maintains the remote Sticky MAC as the best path selected. This results in zebra installing the local MAC address and BGP not updating the route for the MAC address. | 4.0.0-4.4.5 | | | [2550942](#2550942)
| NCLU tab completion for net show displays the text add help text instead of system Information for the system option. | 3.7.11-4.2.0 | 4.2.1-4.4.5| @@ -110,7 +110,7 @@ pdfhidden: True | [2548930](#2548930)
| On Mellanox Spectrum switches that contain an OSPF IP unnumbered neighborship with a high scale of prefixes being learned, a link flap might cause the neighbor entry to not be programmed in hardware. | 3.7.11-4.2.1 | 4.3.0-4.4.5| | [2548746](#2548746)
| On the Broadcom switch with the Trident3 ASIC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect. | 3.7.11-4.1.1 | 4.2.0-4.4.5| | [2548674](#2548674)
| A large number of flapping peers causes FRR to require a corresponding update to internal data structures that track peer information. Updating this internal data structure does not delete links that are down due to the flapping. The size of this array then grows to contain both current peers as well as peers that should have been deleted during the flap processing. The contents of this array is processed by FRR to poll the links, which consumes CPU for all items in the array. This additional polling consumes more CPU than necessary but has no functional impact.
To work around this issue, restart FRR. | 3.7.11-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| -| [2548672](#2548672)
| When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.
To work around this issue, remove the unnecessary eBGP IPv4 peering. | 3.7.12-3.7.15, 4.0.0-4.2.1 | 3.7.16, 4.3.0-4.4.5| +| [2548672, 2555635](#2548672, 2555635)
| When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.
To work around this issue, remove the unnecessary eBGP IPv4 peering. | 3.7.12-3.7.15, 4.0.0-4.2.1 | 3.7.16, 4.3.0-4.4.5| | [2548657](#2548657)
| When you upgrade Cumulus Linux on the EdgeCore AS7726-32X or AS7326-56X switch, you might see firmware errors similar to the following:

W: Possible missing firmware /lib/firmware/tigon/tg3_tso5.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3_tso.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3.bin for module tg3

You can safely ignore these error messages. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2548655](#2548655)
| When using apt-get update && apt-get upgrade to upgrade from Cumulus Linux 4.0.0 or 4.1.0 to version 4.1.1 or later, a message similar to the following may appear. 

Reading package lists... Done
E: Repository 'http://apt.cumulusnetworks.com/repo CumulusLinux-4-latest InRelease' changed its 'Label' value from 'cumulus-repository-4.0.0' to 'cumulus-repository-4.1.0'
E: Repository 'http://apt.cumulusnetworks.com/repo CumulusLinux-4-latest InRelease' changed its 'Codename' value from 'CumulusLinux-4.0.0' to 'CumulusLinux-4.1.0'
N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details.

To work around this issue and proceed with the upgrade, run apt-get update --allow-releaseinfo-change. | 4.0.0-4.1.0 | 4.1.1-4.4.5| | [2548561](#2548561)
| On the EdgeCore Minipack-AS8000, when you try to configure ROCEv2, you see errors indicating that PFC is not working properly. | 4.0.0-4.1.1 | 4.2.0-4.4.5| @@ -118,9 +118,9 @@ pdfhidden: True | [2548485](#2548485)
| If you configure the aggregate-address
summary-only option before injecting a component of the same aggregate into the BGP table with the network or redistribute command, when you remove the aggregate-address configuration, the component stays suppressed; it is not advertised to peers. For example:Existing configuration:
router bgp 1
address-family ipv4 unicast
 aggregate-address 50.0.0.0/8 summary-only
exit-address-family
If you add network 50.0.0.1/32, you see the following (expected) BGP table entries:
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
             i internal, r RIB-failure, S Stale, R RemovedOrigin codes: i - IGP, e - EGP, ? - incomplete
  Network          Next Hop            Metric LocPrf Weight Path*> 50.0.0.0         0.0.0.0                            32768 is> 50.0.0.1/32      0.0.0.0                  0         32768 i
Removing aggregate-address 50.0.0.0/8 summary-only at this point results in the following (unexpected) BGP table entry:
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
             i internal, r RIB-failure, S Stale, R RemovedOrigin codes: i - IGP, e - EGP, ? - incomplete
  Network          Next Hop            Metric LocPrf Weight Paths> 50.0.0.1/32      0.0.0.0                  0         32768 i
To work around this issue, remove, then re-add the component prefix routes. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2548422](#2548422)
| You might see a core file in FRRouting related to OSPFv3 if the switch is configured as both an OSPFv3 ABR and ASBR, and other switches in the same area are also configured as both ABR and ASBR. This issue is not seen with a single ABR or ASBR in an area or if there are multiple ASBRs in an area not acting as ABRs. To work around this issue, do not perform redistribution on more than one ABR in the same area. | 4.0.0-4.1.1 | 4.2.0-4.4.5| | [2548383](#2548383)
| The QuantaMesh BMS T3048-LY8 switch shows a low fan RPM in syslog. | 3.7.5-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| -| [2548373](#2548373)
| On the Edgecore AS5812 switch, the Innodisk DIMM causes a DIMM temperature sensor absent alert. | 3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| +| [2548373, 2548371](#2548373, 2548371)
| On the Edgecore AS5812 switch, the Innodisk DIMM causes a DIMM temperature sensor absent alert. | 3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| | [2548324](#2548324)
| hostapd is not installed in Cumulus Linux 4.0.0 by default.
To work around this issue, run the following commands to install the package:

cumulus@switch:~$ sudo apt-get update -y
cumulus@switch:~$ sudo apt-get install hostapd -y
| 4.0.0-4.0.1 | 4.1.0-4.4.5| -| [2548320](#2548320)
| When configuring VRF route leaking, if you define import vrf route-map but do not have any imported VRFs, the route map command displays incorrectly, and as a result, FRR fails to reload. | 4.0.0-4.1.1 | 4.2.0-4.4.5| +| [2548320, 2543525](#2548320, 2543525)
| When configuring VRF route leaking, if you define import vrf route-map but do not have any imported VRFs, the route map command displays incorrectly, and as a result, FRR fails to reload. | 4.0.0-4.1.1 | 4.2.0-4.4.5| | [2548289](#2548289)
| When the NETQ agent is active, you see the following errors in in the FFR log file: 

2020-03-05T16:00:05.036398+09:00 [switch01][bgpd][err] [EC 100663314] Attempting to process an I/O event but for fd: 29(4) no thread to handle this!
2020-03-05T16:01:30.841455+09:00 [switch01[bgpd][err] [EC 100663314] Attempting to process an I/O event but for fd: 29(4) no thread to handle this!

You also see the following errors in the ptmd log file:

2020-03-05T15:59:12.877549+09:00 [switch01][ptmd][info] New client connection fd[17] tot[1]
2020-03-05T15:59:12.899906+09:00 [switch01][ptmd][info] Free client connection fd[17] tot[0]

You can ignore these errors. | 4.0.0-4.0.1 | 4.1.0-4.4.5| | [2548260](#2548260)
| The net add routing route-map permit set community command does not add the set statement into the /etc/frr/frr.conf file. | 4.0.0-4.4.5 | | | [2548243](#2548243)
| On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules. | 3.7.3-3.7.16, 4.0.0-4.4.5 | | @@ -135,11 +135,11 @@ pdfhidden: True | [2547798](#2547798)
| An error similar to the following shows in syslog for Mellanox switches:

2020-02-12T19:59:22.208012+08:00 leaf01 sx_sdk: RM_TABLE: No resources available to add 1 entries to KVD hash Table HW resource
2020-02-12T19:59:22.208124+08:00 leaf01 sx_sdk: PORT: __port_vport_fid_set err = (No More Resources)

To work around this issue, reboot the switch. | 3.7.11-3.7.13, 4.0.0-4.0.1 | 3.7.14-3.7.16, 4.1.0-4.4.5| | [2547783](#2547783)
| PTM mis-detects incorrect hostnames of LLDP neighbors and does not fail them as expected. Instead they end up in an N/A cabling status. | 3.7.11-3.7.13, 4.0.0-4.1.1 | 3.7.14-3.7.16, 4.2.0-4.4.5| | [2547782](#2547782)
| If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2547706](#2547706)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2547706, 2544456, 2549513](#2547706, 2544456, 2549513)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2547667](#2547667)
| On the Dell S5232F-ON switch, the output of ledmgrd shows amber_blinking but smonctl shows all OK. | 3.7.11-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| | [2547662](#2547662)
| When traffic from a double tag interface (facing a different site) is forwarded through VXLAN, the inner tag is not removed. The destination does not know this tag, so it discards it. | 3.7.8-3.7.12, 4.0.0-4.0.1 | 3.7.13-3.7.16, 4.1.0-4.4.5| | [2547659](#2547659)
| On the EdgeCore AS7326-56X switch, the default fan speed, which is defined in the thermal specification, results in excessive fan noise. | 3.7.11-4.0.1 | 4.1.0-4.4.5| -| [2547610](#2547610)
| Mellanox switches with the Spectrum A0 ASIC that are integrated with VMware NSX experience BFD connectivity issues with service nodes. As a result, VXLAN tunnels do not work.
Mellanox switches with the Spectrum A1 ASIC do **not** have this issue. | 3.7.11-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| +| [2547610, 2548114](#2547610, 2548114)
| Mellanox switches with the Spectrum A0 ASIC that are integrated with VMware NSX experience BFD connectivity issues with service nodes. As a result, VXLAN tunnels do not work.
Mellanox switches with the Spectrum A1 ASIC do **not** have this issue. | 3.7.11-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| | [2547558](#2547558)
| On the EdgeCore Wedge100 and Facebook Wedge-100S switch, certain physical ports are not correctly mapped to the logical ones. For example:
Logical swp39 controls physical swp41
Logical swp40 controls physical swp42
Logical swp43 controls physical swp45
Logical swp44 controls physical swp46
This might causes incorrect forwarding behavior. | 3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2547509](#2547509)
| When a Trident3 switch receives packets containing an IP checksum value that is not compliant with RFC 1624, the TTL is decremented after a routing operation but the checksum is not recalculated. This results in the IP checksum value being invalid as the packet leaves the switch. | 3.7.10-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2547443](#2547443)
| On the Dell N3248PXE-ON switch, 25G SFP ports do not work in 10G mode. | 3.7.11-4.0.1 | 4.1.0-4.4.5| @@ -151,10 +151,10 @@ pdfhidden: True | [2547286](#2547286)
| NCLU crashes when you run the net add interface storage-optimized pfc command because non-ASCII quotes exist in the datapath.conf file.
To work around this issue, manually edit the /usr/lib/python2.7/dist-packages/cumulus/__chip_config/mlx/datapath.conf file and replace the non-ASCII single quotes with ASCII single quotes (standard single quote on the keyboard). | 4.0.0-4.0.1 | 4.1.0-4.4.5| | [2547266](#2547266)
| On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature. | 4.0.0-4.0.1 | 4.1.0-4.4.5| | [2547245](#2547245)
| The MLAG switch pair has VLANs defined that are not used on MLAG bonds. These VLANs still synchronize MAC addresses across to the peer switch. This results in log messages that indicate a MAC address is installed and the VLAN is not defined; for example:

RTM_NEWNEIGH with unconfigured vlan XXXX on port peerlink
| 3.7.10-3.7.13, 4.0.0-4.1.1 | 3.7.14-3.7.16, 4.2.0-4.4.5| -| [2547205](#2547205)
| On the Delta AG6248C switch, the NCLU net show system sensors command shows an error:

Could not collect output from command: ['/usr/sbin/smonctl']

To work around this issue, run the net show system sensors json command instead. | 4.0.0-4.0.1 | 4.1.0-4.4.5| +| [2547205, 2548334](#2547205, 2548334)
| On the Delta AG6248C switch, the NCLU net show system sensors command shows an error:

Could not collect output from command: ['/usr/sbin/smonctl']

To work around this issue, run the net show system sensors json command instead. | 4.0.0-4.0.1 | 4.1.0-4.4.5| | [2547149](#2547149)
| The last eight ports of the EdgeCore AS4610-54P switch (swp41 through swp48) do not power UPOE access points. | 3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2547146](#2547146)
| The ospfd daemon might crash with the following kernel trace: 

2019-11-06T23:00:08.261749+09:00 cumulus ospfd[5339]: Assertion 'node' failed in file ospfd/ospf_packet.c, line 671, function ospf_write
| 3.7.11-3.7.12, 4.0.0-4.0.1 | 3.7.13-3.7.16, 4.1.0-4.4.5| -| [2547128](#2547128)
| The cumulus-overrides package contains the /etc/apt/preferences.d/20_prefer_cumulus file that pins packages from specific release names. The pinning file contains the wrong name.
To work around this issue, use the origin instead of the release name. | 4.0.0-4.0.1 | 4.1.0-4.4.5| +| [2547128, 2549785](#2547128, 2549785)
| The cumulus-overrides package contains the /etc/apt/preferences.d/20_prefer_cumulus file that pins packages from specific release names. The pinning file contains the wrong name.
To work around this issue, use the origin instead of the release name. | 4.0.0-4.0.1 | 4.1.0-4.4.5| | [2547123](#2547123)
| On the Broadcom switch with the Trident3 ASC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect. | 3.7.11-4.1.1 | 4.2.0-4.4.5| | [2547120](#2547120)
| After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number), until you run the decode-syseeprom --init command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2547100](#2547100)
| On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic. | 3.7.11-4.1.1 | 4.2.0-4.4.5| @@ -164,38 +164,38 @@ pdfhidden: True | [2547013](#2547013)
| On the Mellanox Spectrum switch, switchd can sometimes fail when PBR rules are installed or removed from hardware if the rule is setting a next hop learned via a routing protocol. | 3.7.7-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2546991](#2546991)
| The FRR service does not provide a way for automation to know if the configuration applied properly.
To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546985](#2546985)
| On the EdgeCore AS7326-56X switch, the PSU fans show constant LOW warnings. | 3.7.10-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| -| [2546951](#2546951)
| switchd crashes when dynamic VRF route leaking is enabled and the following is true:
* The default route is leaked from VRF1 to VRF2
* Hardware-based dynamic VRF route leaking is configured (vrf_route_leak_enable_dynamic is set to TRUE in the /etc/cumulus/switchd.conf file).
You might see logs similar to the following in /var/log/syslog:

kernel: [159400.526241] switchd[21374]: segfault at 1229cdd84 ip 00000000004142ca sp 00007ffd557a86d0 error 4 in switchd[400000+71000]

To work around this issue, use a route map to filter the default route (the source VRF is imported into the destination VRF). | 3.7.10-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| +| [2546951, 2548887](#2546951, 2548887)
| switchd crashes when dynamic VRF route leaking is enabled and the following is true:
* The default route is leaked from VRF1 to VRF2
* Hardware-based dynamic VRF route leaking is configured (vrf_route_leak_enable_dynamic is set to TRUE in the /etc/cumulus/switchd.conf file).
You might see logs similar to the following in /var/log/syslog:

kernel: [159400.526241] switchd[21374]: segfault at 1229cdd84 ip 00000000004142ca sp 00007ffd557a86d0 error 4 in switchd[400000+71000]

To work around this issue, use a route map to filter the default route (the source VRF is imported into the destination VRF). | 3.7.10-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| | [2546895](#2546895)
| If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:
bq. systemd[1]: switchd.service watchdog timeout (limit 2min)!
To workaround this issue, either reduce the number of configured interfaces and, or VLANs, or increase the systemd timeout for switchd.service
To increase the systemd timeout:1.Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter
2.Restart the switchd service with the sudo systemctl restart switchd.service command
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546874](#2546874)
| On the Dell S5232F, S5248F, S5296F, and S3048 switch, using the poweroff or halt commands does not fully power off the switch. | 4.0.0-4.4.5 | | | [2546869](#2546869)
| Broadcom Field Alert - SID - MMU 2B Errors
A few of the MMU memories on Broadcom switches are grouped together with single parity control. During SER correction when a parity error occurs on one of those groups, other memory in that group might also report a SER error. This occurs when the memory is accessed either by a packet hit or through a schan operation. This issue can cause SER errors in other memory and cause traffic mis-forwarding or a packet drop. | 3.7.0-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2546739](#2546739)
| The Mellanox SN3700C switch does not forward LLDP or LACP traffic. | 4.0.0-4.0.1 | 4.1.0-4.4.5| | [2546703](#2546703)
| The FRR cl-support module times out on switches on the ARM platform even when the switch is not under heavy load.
To work around this issue, run the cl-support -M command to disable timeouts. | 3.7.0-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2546576](#2546576)
| A traditional bridge with QinQ and a VNI does not work for tagged traffic. | 3.7.10-3.7.13, 4.0.0-4.0.1 | 3.7.14-3.7.16, 4.1.0-4.4.5| -| [2546559](#2546559)
| On the Mellanox SN3700C switch, if you try to break out 100G switch ports into 2x50G, the configuration fails and switchd does not restart. Breaking out the ports into 4x25G works without issue. | 4.0.0-4.0.1 | 4.1.0-4.4.5| +| [2546559, 2544914, 2544984](#2546559, 2544914, 2544984)
| On the Mellanox SN3700C switch, if you try to break out 100G switch ports into 2x50G, the configuration fails and switchd does not restart. Breaking out the ports into 4x25G works without issue. | 4.0.0-4.0.1 | 4.1.0-4.4.5| | [2546502](#2546502)
| On the EdgeCore AS7326-56X switch, eth0 and swp1 use the same MAC address. | 3.7.9-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2546485](#2546485)
| The EdgeCore Minipack-AS8000 switch supports FEC RS by default; you cannot disable this setting. However, the ethtool --show-fec command output indicates that FEC is disabled. Also, if you try to change the FEC setting, Cumulus Linux reports an error. For example:

cumulus@switch:~$  net add interface swp23 link speed 100000
cumulus@switch:~$  net add interface swp23 link autoneg off
cumulus@switch:~$  net add interface swp23 link fec rs
"/sbin/ifreload -a" failed:
error: swp23: cmd '/sbin/ethtool --set-fec swp23 encoding rs' failed: returned 255 (Cannot set FEC settings: Operation not supported)
Command '['/sbin/ifreload', '-a']' returned non-zero exit status 1
| 4.0.0-4.1.1 | 4.2.0-4.4.5| -| [2546454](#2546454)
| When you run the NCLU net del all command to delete all configuration on the switch, you see an error similar to the following:

ERROR: [Errno 2] No such file or directory: '/cumulus/switchd/config/interface//port_security/enable'#012Traceback
| 4.0.0-4.0.1 | 4.1.0-4.4.5| +| [2546454, 2548291](#2546454, 2548291)
| When you run the NCLU net del all command to delete all configuration on the switch, you see an error similar to the following:

ERROR: [Errno 2] No such file or directory: '/cumulus/switchd/config/interface//port_security/enable'#012Traceback
| 4.0.0-4.0.1 | 4.1.0-4.4.5| | [2546389](#2546389)
| In a default VX instance, a ping to a device's hostname fails.
To work around this issue, edit the /etc/gai.conf file and uncomment precedence ::ffff:0:0/96 10.
| 4.0.0-4.0.1 | 4.1.0-4.4.5| | [2546337](#2546337)
| The net show bridge macs command returns an empty interface column.
To work around this issue, run the bridge fdb show command to show the interface. | 4.0.0-4.1.1 | 4.2.0-4.4.5| | [2546329](#2546329)
| A memory leak in switchd might occur, which causes switchd to restart. | 3.7.10-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2546265](#2546265)
| Ifupdown2 does not set up the front panel interface for the dhclient to accept the DHCP OFFER.
To work around this issue, restart the networking service after ifreload -a with the systemctl restart networking command. | 3.7.10-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2546255](#2546255)
| On the EdgeCore Minipack-AS8000 switch, a 100G DAC link does not come up when auto-negotiation is enabled on the neighbor. This switch does not support 100G DAC auto-negotiation at this time. | 4.0.0-4.4.5 | | -| [2546225](#2546225)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2546140](#2546140)
| CPU usage might be higher than normal if you have a high number of interfaces x VLANs and lldpd is active. This issue is introduced with code changes in Cumulus Linux 3.7.11, where VLAN information is now available for LLDP to advertise to neighbors ([https://docs.cumulusnetworks.com/version/cumulus-linux-37/Layer-2/Link-Layer-Discovery-Protocol/#vlan-dot1-tlv]). You might see high CPU usage even if VLAN (dot1) TLV configuration is disabled.
To check if lldpd is the heavy CPU resource user, run the following command:

cumulus@switch:~$  ps -eo user,pid,ppid,cmd,%mem,%cpu --sort=-%cpu \| head

Alternatively, check for messages in the /var/log/syslog directory similar to:

2020-02-20T15:02:12.137857-05:00 leaf01 sysmonitor: High CPU use: 87%
2020-02-20T15:02:12.482398-05:00 leaf01 sysmonitor:   PID USER      PR    VIRT    RES %CPU %MEM     TIME+ COMMAND
2020-02-20T15:02:12.483112-05:00 leaf01 sysmonitor:  1570 _lldpd    20   73244  13800 76.6  0.3   4:43.06 lldpd

*Note*: The exact amount of CPU usage varies in each network based on a number of factors; however, it is unusual for lldpd to consume more than 30% CPU for an extended period of time.
To work around this issue, you can do one of the following:
* If the large number of VLANs is not absolutely necessary, manually prune the VLAN allowed list (if you use the range 1-2999, modify the bridge-vids list to include the VLANs being used).
* Stop the lldpd service. (This approach might be undesirable if the switch is providing services that rely on LLDP such as Voice VLAN.) To stop the lldpd service (runtime setting), run the sudo systemctl stop lldpd.service command. To disable the lldpd service upon boot, run sudo systemctl disable lldpd.service. | 3.7.11-3.7.12, 4.0.0-4.0.1 | 3.7.13-3.7.16, 4.1.0-4.4.5| -| [2546131](#2546131)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546225, 2541038](#2546225, 2541038)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546140, 2548774](#2546140, 2548774)
| CPU usage might be higher than normal if you have a high number of interfaces x VLANs and lldpd is active. This issue is introduced with code changes in Cumulus Linux 3.7.11, where VLAN information is now available for LLDP to advertise to neighbors ([https://docs.cumulusnetworks.com/version/cumulus-linux-37/Layer-2/Link-Layer-Discovery-Protocol/#vlan-dot1-tlv]). You might see high CPU usage even if VLAN (dot1) TLV configuration is disabled.
To check if lldpd is the heavy CPU resource user, run the following command:

cumulus@switch:~$  ps -eo user,pid,ppid,cmd,%mem,%cpu --sort=-%cpu \| head

Alternatively, check for messages in the /var/log/syslog directory similar to:

2020-02-20T15:02:12.137857-05:00 leaf01 sysmonitor: High CPU use: 87%
2020-02-20T15:02:12.482398-05:00 leaf01 sysmonitor:   PID USER      PR    VIRT    RES %CPU %MEM     TIME+ COMMAND
2020-02-20T15:02:12.483112-05:00 leaf01 sysmonitor:  1570 _lldpd    20   73244  13800 76.6  0.3   4:43.06 lldpd

*Note*: The exact amount of CPU usage varies in each network based on a number of factors; however, it is unusual for lldpd to consume more than 30% CPU for an extended period of time.
To work around this issue, you can do one of the following:
* If the large number of VLANs is not absolutely necessary, manually prune the VLAN allowed list (if you use the range 1-2999, modify the bridge-vids list to include the VLANs being used).
* Stop the lldpd service. (This approach might be undesirable if the switch is providing services that rely on LLDP such as Voice VLAN.) To stop the lldpd service (runtime setting), run the sudo systemctl stop lldpd.service command. To disable the lldpd service upon boot, run sudo systemctl disable lldpd.service. | 3.7.11-3.7.12, 4.0.0-4.0.1 | 3.7.13-3.7.16, 4.1.0-4.4.5| +| [2546131, 2542979](#2546131, 2542979)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546061](#2546061)
| Trident2+ switches do not enable DFE for 10G and 4x10G DACs. As a result, longer or marginal 10G DACs might not link up reliably.
To work around this issue, run the following command after a reboot.
On the SFP side:

echo CR > /cumulus/switchd/config/interface/swp${port}/interface_mode ; done

On the QSFP side:

echo CR > /cumulus/switchd/config/interface/swp${port}/interface_mode ; done
| 4.0.0-4.0.1 | 4.1.0-4.4.5| | [2545988](#2545988)
| When hsflowd is used on the switch, you might experience a kernel panic. | 4.0.0-4.0.1 | 4.1.0-4.4.5| -| [2545949](#2545949)
| All Broadcom Trident3 X7 switches contain PCIE firmware, which is programmed by the vendor when the switch is manufactured. The latest version of this firmware (2.6) is incompatible with Cumulus Linux 3.7.11 and earlier, and Cumulus Linux 4.0.
To work around this issue, downgrade the Broadcom ASIC firmware to an earlier version. | 3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| +| [2545949, 2546356, 2546370, 2546539, 2546711, 2546712, 2546916, 2545172, 2546539](#2545949, 2546356, 2546370, 2546539, 2546711, 2546712, 2546916, 2545172, 2546539)
| All Broadcom Trident3 X7 switches contain PCIE firmware, which is programmed by the vendor when the switch is manufactured. The latest version of this firmware (2.6) is incompatible with Cumulus Linux 3.7.11 and earlier, and Cumulus Linux 4.0.
To work around this issue, downgrade the Broadcom ASIC firmware to an earlier version. | 3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2545933](#2545933)
| Mellanox switches might experience higher CPU usage from the sx_sdk service or when BFD is in use.
To work around this issue, disable BFD to alleviate some of the CPU load. | 3.7.13, 4.0.0-4.1.1 | 3.7.14-3.7.16, 4.2.0-4.4.5| | [2545868](#2545868)
| If you delete, then re-add a PBR policy on an interface, the configured PBR policy is not programmed in the kernel or switchd. | 3.7.9-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2545866](#2545866)
| After making a series of PBR configuration changes using NCLU commands, the stale PBR entry is still present in the kernel. | 3.7.9-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2545851](#2545851)
| The Mellanox minimal platform module driver probe does not handle error conditions correctly.
To work around this issue, power cycle the switch. | 4.0.0-4.0.1 | 4.1.0-4.4.5| | [2545837](#2545837)
| If you use the NCLU commands to configure NTP and run the net add time ntp source command before you run the net add time ntp server iburst command, the /etc/ntp.conf file is misconfigured.
To work around this issue, run the net add time ntp server iburst command before you run the net add time ntp source command. | 3.7.10-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| -| [2545724](#2545724)
| On the Mellanox switch with the Spectrum or Spectrum-2 ASIC, switchd might crash, then restart under certain conditions. | 4.0.0-4.0.1 | 4.1.0-4.4.5| +| [2545724, 2545163](#2545724, 2545163)
| On the Mellanox switch with the Spectrum or Spectrum-2 ASIC, switchd might crash, then restart under certain conditions. | 4.0.0-4.0.1 | 4.1.0-4.4.5| | [2545608](#2545608)
| The protocol daemon bgpd crashes when a link/neighbor flaps if static routes pointing to Null0 are advertising through BGP.
To work around this issue, reboot the switch, then remove the static routes or stop advertising these routes. | 3.7.9-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2545600](#2545600)
| IPv6 table rules might affect forwarding. For example, if you create the following rule in the /etc/cumulus/acl/policy.d/03-sshd.rules file, the rule counter increments but IPv4 SSH traffic might be dropped.

[ip6tables]
-A INPUT -p tcp --dport 22 -j DROP
| 3.7.2-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2545566](#2545566)
| The Dell Z9100-ON switch incorrectly reports many sensors as ABSENT. | 3.7.12-4.0.1 | 4.1.0-4.4.5| -| [2545536](#2545536)
| On the Mellanox switch with the Spectrum and Spectrum-2 ASIC, IPv6 egress ACLs are not supported on subinterfaces. | 4.0.0-4.1.1 | 3.7.14-3.7.16, 4.2.0-4.4.5| +| [2545536, 2545503](#2545536, 2545503)
| On the Mellanox switch with the Spectrum and Spectrum-2 ASIC, IPv6 egress ACLs are not supported on subinterfaces. | 4.0.0-4.1.1 | 3.7.14-3.7.16, 4.2.0-4.4.5| | [2545520](#2545520)
| The length of the netlink message is not set properly for non-bridge family type messages. The same length is used for both bridge and non-bridge even though the bridge family type message has an extra attribute. This causes extra bytes to be left over in non-bridge family type netlink messages. | 3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2545501](#2545501)
| On a traditional bridge, VLAN tagged traffic is not discarded when it exceeds the port security MAC limit. | 4.0.0-4.0.1 | 4.1.0-4.4.5| | [2545448](#2545448)
| The l1-show command prints a traceback for switch ports that have sub-interfaces configured. There is no functional impact to traffic but the l1-show troubleshooting and validation command does not execute on switch ports that have VLAN sub-interfaces. | 3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| @@ -211,24 +211,24 @@ pdfhidden: True | [2545133](#2545133)
| On the Mellanox switch, ACL lookups are performed for VLAN matches when no rules with UNTAGGED match are present. | 3.7.2-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2545125](#2545125)
| If you configure more than one VRR interface on an SVI interface, deleting one of the VRR addresses does not remove the interface/address. | 3.7.10-3.7.16, 4.0.0-4.4.5 | | | [2545087](#2545087)
| On the Mellanox switch with the Spectrum ASIC, the --set-burst parameter in an iptables rule does not take effect. | 3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| -| [2545054](#2545054)
| When you run the NCLU net del interface command to delete an interface that has a description in the /etc/frr/frr.conf file but the /etc/frr/daemons file does not contain zebra=yes}, all running FRR daemons (bgpd, ospfd, ospf6d) restart
To work around this issue, remove all interfaces from the /etc/frr/frr.conf file that are unrelated to routing. | 4.0.0-4.1.1 | 4.2.0-4.4.5| +| [2545054, 2552126](#2545054, 2552126)
| When you run the NCLU net del interface command to delete an interface that has a description in the /etc/frr/frr.conf file but the /etc/frr/daemons file does not contain zebra=yes}, all running FRR daemons (bgpd, ospfd, ospf6d) restart
To work around this issue, remove all interfaces from the /etc/frr/frr.conf file that are unrelated to routing. | 4.0.0-4.1.1 | 4.2.0-4.4.5| | [2545049](#2545049)
| When networking fails to start properly, an MLAG memory leak occurs, which might cause memory issues. | 3.7.9-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2545040](#2545040)
| On the Mellanox switch, error messages with hw-management-thermal-events.sh are displayed on shutdown. | 4.0.0-4.0.1 | 4.1.0-4.4.5| | [2544978](#2544978)
| If you delete an undefined bond, then add a bond slave, the net commit command fails. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544968](#2544968)
| FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:

sudo sh -c "printf 'interface 50\nvrf TEST description L3 routing interface\n' >> /etc/frr/frr.conf"

should be:

sudo sh -c "printf 'interface 50 vrf TEST\ndescription L3 routing interface\n' >> /etc/frr/frr.conf"

To work around this issue, configure the interface manually in the /etc/frr/frr.conf file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544957](#2544957)
| NCLU incorrectly allows you to apply port security configuration on layer 2 and layer 3 ports that are not part of a bridge. | 4.0.0-4.4.5 | | | [2544953](#2544953)
| When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.
To work around this issue, run the sudo systemctl restart lldpd.service command. | 3.7.10-3.7.16, 4.0.0-4.4.5 | | -| [2544914](#2544914)
| On the NVIDIA SN3700C switch, when you split ports from 100G to 2x50G, switchd fails to start. | 4.0.0-4.0.1 | 4.1.0-4.4.5| +| [2544914, 2546559](#2544914, 2546559)
| On the NVIDIA SN3700C switch, when you split ports from 100G to 2x50G, switchd fails to start. | 4.0.0-4.0.1 | 4.1.0-4.4.5| | [2544904](#2544904)
| After you delete an IPv6 numbered BGP peer group neighbor, Cumulus Linux might continue to send route advertisements.
To work around this issue, restart FRR after removing the IPv6 numbered configuration. | 3.7.9-4.1.1 | 4.2.0-4.4.5| -| [2544880](#2544880)
| When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. | 4.0.0-4.4.5 | | +| [2544880, 2544616, 2554202](#2544880, 2544616, 2554202)
| When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. | 4.0.0-4.4.5 | | | [2544856](#2544856)
| In the ethool -m output, the Revision Compliance field might show Unallocated when the SFF-8363 Revision Compliance value is SFF-8636 version 2.8 or later. | 4.0.0-4.1.1 | 4.2.0-4.4.5| -| [2544854](#2544854)
| On the Dell S5248F-ON switch, CPU core temp sensors may show as ABSENT. | 4.0.0-4.4.5 | 3.7.12-3.7.16| +| [2544854, 2545726](#2544854, 2545726)
| On the Dell S5248F-ON switch, CPU core temp sensors may show as ABSENT. | 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2544847](#2544847)
| You might experience a bgpd memory usage increase and significant update exchanges due to host moves between VTEPs. | 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2544723](#2544723)
| Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2544625](#2544625)
| VXLAN encapsulated ICMP packets hit the catchall EFP policer instead of the ICMP policer and you might experience partial packet loss.
| 3.7.9-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2544556](#2544556)
| If you reconfigure an NTP server with NCLU using different trailing options after the IP address (such as iburst), an invalid configuration is added to the /etc/ntp.conf file. For example:

net add time ntp server 1.2.3.4 iburst
net commit
net add time ntp server 1.2.3.4
net commit

If you need to alter existing server configurations, first remove the server, commit, then re-add the server with any trailing options. | 3.7.9-4.1.1 | 4.2.0-4.4.5| | [2544463](#2544463)
| Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | -| [2544456](#2544456)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | +| [2544456, 2546166, 2546167, 2547706, 2549513](#2544456, 2546166, 2546167, 2547706, 2549513)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544329](#2544329)
| When an MLAG peerlink frequently alternates states between learning and blocking, an excessive number of TCP sessions might be created, which results in the following error display:

OSError: [Errno 24] Too many open files
| 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2544311](#2544311)
| Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544213](#2544213)
| Cumulus Linux poed generates excessive debug log entries. These will be reduced in a future release. | 3.7.3-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| @@ -238,9 +238,9 @@ pdfhidden: True | [2543937](#2543937)
| An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause a FRR reload to time out.
To work around this issue, remove the interface alias description from iproute2. | 3.7.8-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543915](#2543915)
| When you enable a service in the management VRF, systemctl issues a warning similar to the following:
Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run 'systemctl daemon-reload' to reload unit
You can safely ignore this warning. | 4.0.0-5.9.5 | 5.10.0-5.16.1| | [2543900](#2543900)
| On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | | -| [2543841](#2543841)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | +| [2543841, 2544947](#2543841, 2544947)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | | [2543816](#2543816)
| On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages.
| 3.7.6-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| -| [2543791](#2543791)
| On the EdgeCore AS5712, AS6712, AS5812 and AS6812 switch, support for multiple PSU types results in log messages similar to the following:

2019-09-05T05:15:17.246597+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.274521+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
2019-09-05T05:15:17.469556+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.497514+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
| 3.7.9-3.7.12, 4.0.0-4.0.1 | 3.7.13-3.7.16, 4.1.0-4.4.5| +| [2543791, 2545026](#2543791, 2545026)
| On the EdgeCore AS5712, AS6712, AS5812 and AS6812 switch, support for multiple PSU types results in log messages similar to the following:

2019-09-05T05:15:17.246597+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.274521+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
2019-09-05T05:15:17.469556+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.497514+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
| 3.7.9-3.7.12, 4.0.0-4.0.1 | 3.7.13-3.7.16, 4.1.0-4.4.5| | [2543781](#2543781)
| NCLU does not allow you to configure OSPF NSSAs. For example: 

cumulus@switch:~$ net add ospf area 0.0.0.1 nssa 
ERROR: Command not found. 
net add ospf area 0.0.0.1 nssa

To work around this issue, use FRR instead. For example: 

switch# configure terminal 
switch(config)# router ospf 
switch(config-router)# area 0.0.0.1 nssa
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543724](#2543724)
| If a hostname contains utf-8 characters, the NCLU net show lldp command outputs the following error: 

ERROR: 'ascii' codec can't encode character u'\xe9' in position 3: ordinal not in range(128) 
See /var/log/netd.log for more details.
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543690](#2543690)
| On the Mellanox switch, UFT profiles are unable to support the documented capacity for routes to addresses that are more than 64 bits in length. The listed capacities assume 64-bit destination IP addresses. | 3.7.8-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| @@ -248,14 +248,14 @@ pdfhidden: True | [2543647](#2543647)
| ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:

-A FORWARD -i vni10 -j erspan --src-ip 100.1.1.2 --dst-ip 100.1.1.1 --ttl 64
| 3.7.6-4.2.1 | 4.3.0-4.4.5| | [2543646](#2543646)
| In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2543471](#2543471)
| On switches with the Spectrum ASIC, the underlay hashes VXLAN packets for a given overlay flow randomly.
To work around this issue, configure the ECMP hash seed to the same value on the EVPN egress leaf switches. | 3.7.7-3.7.12, 4.0.0-4.0.1 | 3.7.13-3.7.16, 4.1.0-4.4.5| -| [2543401](#2543401)
| On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. | 4.0.0-4.4.5 | | -| [2543270](#2543270)
| The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5| +| [2543401, 2543014](#2543401, 2543014)
| On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. | 4.0.0-4.4.5 | | +| [2543270, 2549352](#2543270, 2549352)
| The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5| | [2543211](#2543211)
| In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2543164](#2543164)
| The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2543096](#2543096)
| When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | -| [2542979](#2542979)
| On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5| +| [2542979, 2546131](#2542979, 2546131)
| On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5| | [2542945](#2542945)
| On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags.
To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad: 

cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | -| [2542872](#2542872)
| After you issue the NCLU net del bgp vrf autonomous-system command and commit the change, Cumulus Linux does not remove the configuration from the /etc/frr/frr.conf file or the net show config commands.
| 3.7.3-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| +| [2542872, 2542901, 2542901](#2542872, 2542901, 2542901)
| After you issue the NCLU net del bgp vrf autonomous-system command and commit the change, Cumulus Linux does not remove the configuration from the /etc/frr/frr.conf file or the net show config commands.
| 3.7.3-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2542837](#2542837)
| On Mellanox switches, policer iptables are not working as expected. For example, when using a policer with mode KB/MB/GB to rate-limit interfaces, the syntax is accepted but the data plane transfer speed is not affected by the rule. | 3.7.6-3.7.8, 4.0.0-4.4.5 | 3.7.9-3.7.16| | [2542824](#2542824)
| On the Broadcom Trident 3 switch, VXLAN encapsulated packets are dropped on the ingress port (tagged layer 2 port) during transit forwarding (the local switch does not terminate the VXLAN tunnel). An example of where this two-layer VXLAN inside VXLAN encapsulation might occur:
- VXLAN tunnel (#1) between two servers (different racks) to provide layer 2 extension for containers or VM hosts.
- VXLAN tunnel (#2) between the TOR switch in rack 1 to the TOR switch located in the remote rack.

To work around this issue, either:
- Configure the edge port (facing the servers) to be an access port (instead of a trunk/tagged port)
- Change the destination port from 4789 to something else (VXLAN tunnel terminated by the servers) | 3.7.5-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2542766](#2542766)
| If the BMC operating system fails to respond to IPMI, you see a traceback in bmcd and all the sensors might report ABSENT devices in smonctl.
To work around this issue, power cycle the switch.
| 3.7.6-3.7.12, 4.0.0-4.0.1 | 3.7.13-3.7.16, 4.1.0-4.4.5| @@ -271,7 +271,7 @@ pdfhidden: True | [2540352](#2540352)
| When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a _match interface_ condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9 
net add routing route-map Proxy-ARP permit 30 match interface swp10

| 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2540340](#2540340)
| NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example: 
 
 cumulus@switch:~$ net add vrf mgmt

Tab completion for the net add vrf ip address
command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540274](#2540274)
| On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | -| [2540204](#2540204)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540204, 2713883](#2540204, 2713883)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540192](#2540192)
| The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540155](#2540155)
| On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2540042](#2540042)
| When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example: 
 
cumulus@switch:~$ sudo vtysh 
switch# configure terminal 
switch(config)# interface br0.100 
switch(config-if)# vrrp 1 priority 110 
switch(config-if)# vrrp 1 advertisement-interval 
switch(config-if)# end 
switch# write memory 
switch# exit 
cumulus@switch:~

| 3.7.4-3.7.16, 4.0.0-4.4.5 | | @@ -288,13 +288,13 @@ pdfhidden: True | [2538294](#2538294)
| If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2538256](#2538256)
| On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets.
| 3.7.2-4.0.1 | 4.1.0-4.4.5| | [2537699](#2537699)
| There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces: 
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
| 3.7.1-3.7.16, 4.0.0-4.4.5 | | -| [2537544](#2537544)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2537544, 2537365](#2537544, 2537365)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | | [2537061](#2537061)
| The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent.
| 3.7.1-4.0.1 | 4.1.0-4.4.5| | [2536576](#2536576)
| If you try to bring down several members of a bond remotely at the same time, the link state of one of the interfaces might not transition correctly to the down state; however, all links show down in hardware.
| 4.0.0-4.4.5 | | | [2536384](#2536384)
| The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2536256](#2536256)
| For an unresolved address, the IPROUTER default policer rule has been modified to _not_ match on packets exiting a TUNNEL and headed to the CPU to resolve the address via ARP. As a result, the following default rule no longer matches TUNNEL ingress packets. 
 
A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type 
IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100

These packets are now policed by catch all rules.
To work around this issue, the VPORT value on a TRIDENT switch must be changed from binary 011 to 100.
| 4.0.0-4.4.5 | | | [2536242](#2536242)
| On the EdgeCore AS7712 (Tomahawk) switch running in atomic mode, when a layer 3 ECMP path is brought down, traffic traversing the path stops working for about four seconds. When the switch is changed to non-atomic mode, the delay is less than one second. This issue is seen across OSPF and static ECMP routes. | 4.0.0-4.4.5 | | -| [2536231](#2536231)
| On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature.
In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. | 3.7.3-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| +| [2536231, 2545399](#2536231, 2545399)
| On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature.
In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. | 3.7.3-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2536179](#2536179)
| On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2535986](#2535986)
| At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.
When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2535965](#2535965)
| On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly.
To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | @@ -303,7 +303,7 @@ pdfhidden: True | [2535706](#2535706)
| On the Mellanox switch, GRE tunneling does not work if the tunnel source is configured on an SVI interface. If the tunnel source is configured on a physical switch port, then tunneling works as expected. | 4.0.0-4.1.1 | 3.7.14-3.7.16, 4.2.0-4.4.5| | [2535605](#2535605)
| FRR does not add BGP ttl-security to either the running configuration or to the /etc/frr/frr.conf file when configured on a peer group instead of a specific neighbor.
To work around this issue, add ttl-security to individual neighbors instead of the peer group. | 4.0.0-4.4.5 | | | [2535209](#2535209)
| The net show lldp command sometimes shows the port description in the Remote Port field. The net show interface command shows the correct value in the Remote Host field.
To work around this issue, use net show interface command for LLDP output when connected to Cisco equipment. | 3.7.5-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| -| [2534977](#2534977)
| On the Mellanox switch, the destination MAC address of ERSPAN GRE packets is set to all zeros; therefore, the first transit switch might drop packets. | 4.0.0-4.2.1 | 3.7.14-3.7.16, 4.3.0-4.4.5| +| [2534977, 2535424](#2534977, 2535424)
| On the Mellanox switch, the destination MAC address of ERSPAN GRE packets is set to all zeros; therefore, the first transit switch might drop packets. | 4.0.0-4.2.1 | 3.7.14-3.7.16, 4.3.0-4.4.5| | [2534734](#2534734)
| Span rules matching the out-interface as a bond do not mirror packets. | 4.0.0-4.4.5 | | | [2533691](#2533691)
| If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict.
To work around this issue, correct the bridge VIDs and restart switchd or delete the subinterface. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2533625](#2533625)
| PIM and MSDP entries are set to the internal COS value of 6 so they are grouped together with the bulk traffic priority group in the default traffic.conf file. However, PIM, IGMP, and MSDP are considered control-plane and should be set to the internal COS value of 7. | 4.0.0-4.4.5 | | @@ -339,10 +339,10 @@ pdfhidden: True | [2866084](#2866084)
| When you reboot a VTEP, MAC address entries might become out of sync between the kernel FDB table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries are installed against the rebooted VTEP IP address in the kernel FDB and the correct VTEP IP is present in the EVPN MAC VNI table. To work around this issue, clear all corrupted MAC address entries in the kernel FDB with the bridge fdb del
dev [dst\|via] command, then add "vxlan-learning": "off" in the /etc/network/ifupdown2/policy.d/vxlan.json file:
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
  {
       "vxlan": {
           "module_globals": { "vxlan-purge-remotes": "no" },
           "defaults": {
               "vxlan-ageing": "1800",
               "vxlan-port": "4789", <==== This comma needs to be added at the end of this line
               "vxlan-learning": "off" <= This line needs to be added
            }
       }
  }
Reboot the affected switches. | 3.7.12-4.3.0 | 4.3.1-4.4.5| | [2792750](#2792750)
| If you change the clagd-vxlan-anycast-ip setting on both MLAG peers at the same time, both peers use their unique VTEP address indefinitely. | 3.7.15-4.3.0, 4.4.0-4.4.5 | 4.3.1| | [2754723](#2754723)
| When you set route_preferred_over_neigh to FALSE in the /etc/cumulus/switchd.conf file, host routes (/32 or /128) are used for forwarding in hardware instead of a local neighbor entry. | 4.0.0-4.3.0, 4.4.0-4.4.1 | 4.3.1, 4.4.2-4.4.5, 5.0.0-5.16.1| -| [2743186](#2743186)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| +| [2743186, 2734100, 2731464, 3438708](#2743186, 2734100, 2731464, 3438708)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| | [2730225](#2730225)
| When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs. | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.2-4.4.5| -| [2716822](#2716822)
| The /etc/cumulus/ports.conf file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports. | 3.7.15-4.3.0 | 4.3.1-4.4.5| -| [2713888](#2713888)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| +| [2716822, 2710844](#2716822, 2710844)
| The /etc/cumulus/ports.conf file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports. | 3.7.15-4.3.0 | 4.3.1-4.4.5| +| [2713888, 2834357](#2713888, 2834357)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| | [2699399](#2699399)
| When you run the vtysh show ip bgp vrf statistics command, the bgpd service crashes if you use vrf all. For example:
spine01# show ip bgp vrf all statistics 
vtysh: error reading from bgpd: Success (0)Warning: closing connection to bgpd because of an I/O error!

spine01# show bgp vrf all ipv6 unicast statistics 
vtysh: error reading from bgpd: Success (0)Warning: closing connection to bgpd because of an I/O error!

To workaround this issue, run the command against each VRF independently. | 3.7.15, 4.0.0-4.4.5 | 3.7.16| | [2687332](#2687332)
| When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage
To workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:
address-family ipv4 unicast
  aggregate-address 10.10.0.0/16 summary-only
  redistribute connected
After:
ip route 10.10.0.0/16 Null0
  !
  address-family ipv4 unicast
  redistribute connected route-map DENY-COMPONENTS
  redistribute static
   exit-address-family
  ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17
  !
  route-map DENY-COMPONENTS deny 10
   match ip address prefix-list NO-COMPONENTS
  !
  route-map DENY-COMPONENTS permit 20
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2685994](#2685994)
| When you use the NVUE command nv set interface lo router ospf area to configure OSPF on a loopback interface, the configuration fails to apply
To work around this issue, configure the loopback interface in the desired OSPF area with the nv set vrf default router ospf area 0 network command and reference the assigned prefix of the loopback interface. For example:
cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32
| 4.0.0-5.0.1 | 5.1.0-5.16.1| @@ -350,11 +350,11 @@ pdfhidden: True | [2556764](#2556764)
| In a configuration with both traditional and VLAN-aware bridges, the VLAN membership check on a VLAN-aware bridge does not drop PVST BPBUs that come from a traditional bridge. | 3.7.14-3.7.14.2, 4.0.0-4.3.4 | 3.7.15-3.7.16, 4.4.0-4.4.5| | [2556500](#2556500)
| Cumulus Linux does not support bond members at 200G or greater. | 4.0.0-4.3.4 | 4.4.0-4.4.5| | [2556037](#2556037)
| After you add an interface to the bridge, an OSPF session flap might occur
| 3.7.9-4.2.0 | 4.2.1-4.4.5| -| [2556010](#2556010)
| On Broadcom switches, after repeated VLAN or VXLAN configuration changes, switchd memory might not free up appropriately, which can lead to a crash. | 3.7.14, 4.0.0-4.2.1 | 3.7.14.2-3.7.16, 4.3.0-4.4.5| +| [2556010, 2556276](#2556010, 2556276)
| On Broadcom switches, after repeated VLAN or VXLAN configuration changes, switchd memory might not free up appropriately, which can lead to a crash. | 3.7.14, 4.0.0-4.2.1 | 3.7.14.2-3.7.16, 4.3.0-4.4.5| | [2555908](#2555908)
| If the you add the MLAG backup IP address to the MLAG peer in the secondary role while the peer link is down, the LACP sys-mac does not use the MLAG system MAC address (clagd-sys-mac) when the peer link comes back up
To work around this issue, wait until the peer link is up to add the MLAG backup IP address. To recover from this condition, restart clagd with the sudo systemctl restart clagd command. | 3.7.12-4.0.1 | 4.1.0-4.4.5| | [2555528](#2555528)
| In an EVPN Active/Active configuration, when one of the peers reboots and begins to refresh IP neighbor entries shared by the MLAG peer, some of these ARP messages might be dropped by the MLAG peer's ARP policer.
To work around this issue, increase the burst value of the ARP policers to 200 or higher. | 3.7.14-4.2.1 | 4.3.0-4.4.5| | [2555400](#2555400)
| On the Edgecore AS7312 switch, eth0 and swp use the same MAC address. | 3.7.14-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| -| [2555175](#2555175)
| Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. | 3.7.15-4.3.1 | 4.3.2-4.4.5| +| [2555175, 3195351, 2672721](#2555175, 3195351, 2672721)
| Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. | 3.7.15-4.3.1 | 4.3.2-4.4.5| | [2554990](#2554990)
| When running traditional mode bridges at scale (for example, when you have more than 200 bridges and a large number of MAC addresses), MLAG bonds flap intermittently from dual to single connected, then back to dual connected, which causes a layer 2 loop and STP state changes.
To work around this issue, either shut down one side of the MLAG bond or prune out VLANS over the bond. | 3.7.13-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| | [2554785](#2554785)
| After you reboot a Broadcom switch, switchd might fail to restart and you see logs in switchd.log similar to the following:
Nov 12 12:20:05.063876 leaf01 switchd[9867]:Nov 12 12:20:05.064310 leaf01 switchd[9867]: hal_bcm_console.c:294 0:system_init:Nov 12 12:20:05.064428 leaf01 switchd[9867]: hal_bcm_console.c:294 system_init: Misc init failed: Operation timed outNov 12 12:20:05.064464 leaf01 switchd[9867]:Nov 12 12:20:05.091995 leaf01 switchd[9867]: hal_bcm_console.c:294 LED: Loading 256 bytes into LED program memoryNov 12 12:20:05.092029 leaf01 switchd[9867]:Nov 12 12:20:05.099547 leaf01 switchd[9867]: hal_bcm_console.c:294 PORT: Error: bcm ports not initializedNov 12 12:20:05.099579 leaf01 switchd[9867]:Nov 12 12:20:05.099646 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /var/lib/cumulus/rc.datapath_0: line 81 (error code -1): script terminatedNov 12 12:20:05.099667 leaf01 switchd[9867]:Nov 12 12:20:05.099775 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /etc/bcm.d/rc.soc: line 70 (error code -1): script terminatedNov 12 12:20:05.099798 leaf01 switchd[9867]:Nov 12 12:20:05.099871 leaf01 switchd[9867]: hal_bcm_console.c:294 ERROR loading rc script on unit 0Nov 12 12:20:05.099892 leaf01 switchd[9867]:Nov 12 12:20:05.099943 leaf01 switchd[9867]: hal_bcm_console.c:299 CRIT loading of rc script failed, aborting!
To work around this issue, configure Cumulus Linux to boot with the ntel_iommu=off kernel command option:1. Open the /etc/default/grub file with a text editor
2. Edit the GRUB_CMDLINE_LINUX variable by adding the string intel_iommu=off at the end. For example: GRUB_CMDLINE_LINUX="cl_platform=cel_e1031 console=ttyS1,115200n8 intel_iommu=off"3. Run the update-grub command
4. Reboot the switch. | 3.7.11-4.2.1 | 4.3.0-4.4.5| | [2554720](#2554720)
| If switchd successfully signals clagd that it is going down, clagd stops responding to keepalive echo requests from the peer instead of sending a good bye to the peer over both the peerlink and the backup switch. Eventually, the keepalive timer expires and the secondary switch becomes the primary, and brings the bonds and VNIs back up. However, if switchd does not successfully signal it is going down, (in the event of a crash), the primary switch continues to respond to keepalives, and the bonds and VNIs are down on both peers. | 3.7.12-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| @@ -371,10 +371,10 @@ pdfhidden: True | [2552939](#2552939)
| RX_DRP on a bond interface increases without any data traffic while the slave port does not increase. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2552869](#2552869)
| On the Dell N3048EP switch, the module information from SFP ports is not displayed in the l1-show command.
To work around this issue, use the ethtool -m command. | 3.7.13-4.2.1 | 4.3.0-4.4.5| | [2552853](#2552853)
| Tenant VRF BGP peers appear in the EVPN RMAC and nexthop tables, which causes the kernel RMAC to point at invalid IP address. | 3.7.12-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| -| [2552742](#2552742)
| On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.
To work around this issue, restart switchd. | 3.7.12-4.2.1 | 4.3.0-4.4.5| +| [2552742, 2553000, 2553936](#2552742, 2553000, 2553936)
| On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.
To work around this issue, restart switchd. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2552704](#2552704)
| In a traditional bridge configuration with ip-forward off, neighbors are synchronized to hardware with a switchd restart but are cleared when you flap the bridge interface. | 3.7.10-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| | [2552527](#2552527)
| Ingress SPAN/ERSPAN does not mirror packets when the next hop is EVPN encapsulated. | 3.7.7-3.7.13, 4.0.0-4.2.1 | 3.7.14-3.7.16, 4.3.0-4.4.5| -| [2552505](#2552505)
| Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports.
To work around this issue, manually set the MAC address of the bridge interface by adding hwaddress to the bridge stanza in the /etc/network/interfaces file. | 3.7.11-3.7.13, 4.0.0-4.2.0 | 3.7.14-3.7.16, 4.2.1-4.4.5| +| [2552505, 2552604](#2552505, 2552604)
| Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports.
To work around this issue, manually set the MAC address of the bridge interface by adding hwaddress to the bridge stanza in the /etc/network/interfaces file. | 3.7.11-3.7.13, 4.0.0-4.2.0 | 3.7.14-3.7.16, 4.2.1-4.4.5| | [2552294](#2552294)
| NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command.
| 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2552204](#2552204)
| If the MAC address of an SVI changes, clagd does not update its permanent neighbor entry for the local interface, and it does not report the change to its MLAG peer. This leaves the MLAG peer in a state where its permanent neighbor for the MLAG peer's SVI IP address continues to use the old MAC address, which causes routed traffic over this SVI to be dropped.
To work around this issue, ifdown/ifup the SVI when a MAC address changes. | 3.7.12-3.7.13, 4.0.0-4.2.0 | 3.7.14-3.7.16, 4.2.1-4.4.5| | [2551911](#2551911)
| ifupdown2 does not account for link status or link down configuration when running dhclient. For example, ifupdown2 ignores link-down yes during ifup/ifreload and runs the DHCP module if inet dhcp is configured on the interface. ifupdown2 also runs the DHCP module even when the physical link configured for DHCP is down. | 3.7.12-4.2.0 | 4.2.1-4.4.5| @@ -388,7 +388,7 @@ pdfhidden: True | [2551650](#2551650)
| The net show dot1x interface summary command output shows a MAC address with all zeros associated with a port. | 3.7.12-3.7.13, 4.0.0-4.2.0 | 3.7.14-3.7.16, 4.2.1-4.4.5| | [2551578](#2551578)
| When you configure a bridge in the /etc/network/interfaces file, then try to reconfigure the bridge to be a VRF interface with the same name, ifreload/ifup commands fail with an invalid table id or unable to get vrf table id error. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2551335](#2551335)
| When TACACS+ is configured and the management VRF is enabled, users with privilege level 13 are prevented from running ip and cat commands. | 4.0.0-4.4.5 | | -| [2551162](#2551162)
| switchd memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time.
To work around this issue, correct the cause of the frequent link flaps. You can restart switchd with the sudo systemctl restart switchd command to recover memory; this operation is impactful to all traffic on the switch during the restart. | 3.7.11-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| +| [2551162, 2550590](#2551162, 2550590)
| switchd memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time.
To work around this issue, correct the cause of the frequent link flaps. You can restart switchd with the sudo systemctl restart switchd command to recover memory; this operation is impactful to all traffic on the switch during the restart. | 3.7.11-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| | [2551124](#2551124)
| When the dynamic or static flag on a bridge fdb (MAC) entry is changed to the opposite state, the new flag is not set appropriately in hardware. This can allow a static fdb entry to be unexpectedly learned dynamically on a different interface, or can prevent a dynamic entry from being updated or learned elsewhere.
This condition can occur during a manual replacement of a local MAC address or when EVPN updates a dynamic MAC address to add or remove the Sticky Mac flag. Either situation results in the MAC address keeping the original flag in hardware.
To work around this issue, delete or withdraw the fdb entry, then add the static MAC address directly. For example:

bridge fdb del 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master
bridge fdb add 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master [ static \| dynamic ]

If you are unable to delete an EVPN-learned remote MAC address, you can replace the dynamic MAC address with a local static one, then delete the static MAC address. For example:

bridge fdb replace 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master static
bridge fdb del 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master
bridge fdb add 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master [ static \| dynamic ]
| 4.0.0-4.2.1 | 4.3.0-4.4.5| | [2551111](#2551111)
| If a remote EVPN Sticky MAC [Static MAC address] is unexpectedly learned dynamically on a local interface, the selected entries in zebra and BGP are in an inconsistent state.
zebra increments the local MAC mobility sequence number and considers the MAC address to be local, but BGP maintains the remote Sticky MAC as the best path selected. This results in zebra installing the local MAC address and BGP not updating the route for the MAC address. | 4.0.0-4.4.5 | | | [2550942](#2550942)
| NCLU tab completion for net show displays the text add help text instead of system Information for the system option. | 3.7.11-4.2.0 | 4.2.1-4.4.5| @@ -416,7 +416,7 @@ pdfhidden: True | [2548930](#2548930)
| On Mellanox Spectrum switches that contain an OSPF IP unnumbered neighborship with a high scale of prefixes being learned, a link flap might cause the neighbor entry to not be programmed in hardware. | 3.7.11-4.2.1 | 4.3.0-4.4.5| | [2548746](#2548746)
| On the Broadcom switch with the Trident3 ASIC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect. | 3.7.11-4.1.1 | 4.2.0-4.4.5| | [2548674](#2548674)
| A large number of flapping peers causes FRR to require a corresponding update to internal data structures that track peer information. Updating this internal data structure does not delete links that are down due to the flapping. The size of this array then grows to contain both current peers as well as peers that should have been deleted during the flap processing. The contents of this array is processed by FRR to poll the links, which consumes CPU for all items in the array. This additional polling consumes more CPU than necessary but has no functional impact.
To work around this issue, restart FRR. | 3.7.11-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| -| [2548672](#2548672)
| When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.
To work around this issue, remove the unnecessary eBGP IPv4 peering. | 3.7.12-3.7.15, 4.0.0-4.2.1 | 3.7.16, 4.3.0-4.4.5| +| [2548672, 2555635](#2548672, 2555635)
| When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.
To work around this issue, remove the unnecessary eBGP IPv4 peering. | 3.7.12-3.7.15, 4.0.0-4.2.1 | 3.7.16, 4.3.0-4.4.5| | [2548657](#2548657)
| When you upgrade Cumulus Linux on the EdgeCore AS7726-32X or AS7326-56X switch, you might see firmware errors similar to the following:

W: Possible missing firmware /lib/firmware/tigon/tg3_tso5.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3_tso.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3.bin for module tg3

You can safely ignore these error messages. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2548655](#2548655)
| When using apt-get update && apt-get upgrade to upgrade from Cumulus Linux 4.0.0 or 4.1.0 to version 4.1.1 or later, a message similar to the following may appear. 

Reading package lists... Done
E: Repository 'http://apt.cumulusnetworks.com/repo CumulusLinux-4-latest InRelease' changed its 'Label' value from 'cumulus-repository-4.0.0' to 'cumulus-repository-4.1.0'
E: Repository 'http://apt.cumulusnetworks.com/repo CumulusLinux-4-latest InRelease' changed its 'Codename' value from 'CumulusLinux-4.0.0' to 'CumulusLinux-4.1.0'
N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details.

To work around this issue and proceed with the upgrade, run apt-get update --allow-releaseinfo-change. | 4.0.0-4.1.0 | 4.1.1-4.4.5| | [2548561](#2548561)
| On the EdgeCore Minipack-AS8000, when you try to configure ROCEv2, you see errors indicating that PFC is not working properly. | 4.0.0-4.1.1 | 4.2.0-4.4.5| @@ -424,9 +424,9 @@ pdfhidden: True | [2548485](#2548485)
| If you configure the aggregate-address
summary-only option before injecting a component of the same aggregate into the BGP table with the network or redistribute command, when you remove the aggregate-address configuration, the component stays suppressed; it is not advertised to peers. For example:Existing configuration:
router bgp 1
address-family ipv4 unicast
 aggregate-address 50.0.0.0/8 summary-only
exit-address-family
If you add network 50.0.0.1/32, you see the following (expected) BGP table entries:
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
             i internal, r RIB-failure, S Stale, R RemovedOrigin codes: i - IGP, e - EGP, ? - incomplete
  Network          Next Hop            Metric LocPrf Weight Path*> 50.0.0.0         0.0.0.0                            32768 is> 50.0.0.1/32      0.0.0.0                  0         32768 i
Removing aggregate-address 50.0.0.0/8 summary-only at this point results in the following (unexpected) BGP table entry:
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
             i internal, r RIB-failure, S Stale, R RemovedOrigin codes: i - IGP, e - EGP, ? - incomplete
  Network          Next Hop            Metric LocPrf Weight Paths> 50.0.0.1/32      0.0.0.0                  0         32768 i
To work around this issue, remove, then re-add the component prefix routes. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2548422](#2548422)
| You might see a core file in FRRouting related to OSPFv3 if the switch is configured as both an OSPFv3 ABR and ASBR, and other switches in the same area are also configured as both ABR and ASBR. This issue is not seen with a single ABR or ASBR in an area or if there are multiple ASBRs in an area not acting as ABRs. To work around this issue, do not perform redistribution on more than one ABR in the same area. | 4.0.0-4.1.1 | 4.2.0-4.4.5| | [2548383](#2548383)
| The QuantaMesh BMS T3048-LY8 switch shows a low fan RPM in syslog. | 3.7.5-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| -| [2548373](#2548373)
| On the Edgecore AS5812 switch, the Innodisk DIMM causes a DIMM temperature sensor absent alert. | 3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| +| [2548373, 2548371](#2548373, 2548371)
| On the Edgecore AS5812 switch, the Innodisk DIMM causes a DIMM temperature sensor absent alert. | 3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| | [2548324](#2548324)
| hostapd is not installed in Cumulus Linux 4.0.0 by default.
To work around this issue, run the following commands to install the package:

cumulus@switch:~$ sudo apt-get update -y
cumulus@switch:~$ sudo apt-get install hostapd -y
| 4.0.0-4.0.1 | 4.1.0-4.4.5| -| [2548320](#2548320)
| When configuring VRF route leaking, if you define import vrf route-map but do not have any imported VRFs, the route map command displays incorrectly, and as a result, FRR fails to reload. | 4.0.0-4.1.1 | 4.2.0-4.4.5| +| [2548320, 2543525](#2548320, 2543525)
| When configuring VRF route leaking, if you define import vrf route-map but do not have any imported VRFs, the route map command displays incorrectly, and as a result, FRR fails to reload. | 4.0.0-4.1.1 | 4.2.0-4.4.5| | [2548289](#2548289)
| When the NETQ agent is active, you see the following errors in in the FFR log file: 

2020-03-05T16:00:05.036398+09:00 [switch01][bgpd][err] [EC 100663314] Attempting to process an I/O event but for fd: 29(4) no thread to handle this!
2020-03-05T16:01:30.841455+09:00 [switch01[bgpd][err] [EC 100663314] Attempting to process an I/O event but for fd: 29(4) no thread to handle this!

You also see the following errors in the ptmd log file:

2020-03-05T15:59:12.877549+09:00 [switch01][ptmd][info] New client connection fd[17] tot[1]
2020-03-05T15:59:12.899906+09:00 [switch01][ptmd][info] Free client connection fd[17] tot[0]

You can ignore these errors. | 4.0.0-4.0.1 | 4.1.0-4.4.5| | [2548260](#2548260)
| The net add routing route-map permit set community command does not add the set statement into the /etc/frr/frr.conf file. | 4.0.0-4.4.5 | | | [2548243](#2548243)
| On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules. | 3.7.3-3.7.16, 4.0.0-4.4.5 | | @@ -441,11 +441,11 @@ pdfhidden: True | [2547798](#2547798)
| An error similar to the following shows in syslog for Mellanox switches:

2020-02-12T19:59:22.208012+08:00 leaf01 sx_sdk: RM_TABLE: No resources available to add 1 entries to KVD hash Table HW resource
2020-02-12T19:59:22.208124+08:00 leaf01 sx_sdk: PORT: __port_vport_fid_set err = (No More Resources)

To work around this issue, reboot the switch. | 3.7.11-3.7.13, 4.0.0-4.0.1 | 3.7.14-3.7.16, 4.1.0-4.4.5| | [2547783](#2547783)
| PTM mis-detects incorrect hostnames of LLDP neighbors and does not fail them as expected. Instead they end up in an N/A cabling status. | 3.7.11-3.7.13, 4.0.0-4.1.1 | 3.7.14-3.7.16, 4.2.0-4.4.5| | [2547782](#2547782)
| If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2547706](#2547706)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2547706, 2544456, 2549513](#2547706, 2544456, 2549513)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2547667](#2547667)
| On the Dell S5232F-ON switch, the output of ledmgrd shows amber_blinking but smonctl shows all OK. | 3.7.11-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| | [2547662](#2547662)
| When traffic from a double tag interface (facing a different site) is forwarded through VXLAN, the inner tag is not removed. The destination does not know this tag, so it discards it. | 3.7.8-3.7.12, 4.0.0-4.0.1 | 3.7.13-3.7.16, 4.1.0-4.4.5| | [2547659](#2547659)
| On the EdgeCore AS7326-56X switch, the default fan speed, which is defined in the thermal specification, results in excessive fan noise. | 3.7.11-4.0.1 | 4.1.0-4.4.5| -| [2547610](#2547610)
| Mellanox switches with the Spectrum A0 ASIC that are integrated with VMware NSX experience BFD connectivity issues with service nodes. As a result, VXLAN tunnels do not work.
Mellanox switches with the Spectrum A1 ASIC do **not** have this issue. | 3.7.11-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| +| [2547610, 2548114](#2547610, 2548114)
| Mellanox switches with the Spectrum A0 ASIC that are integrated with VMware NSX experience BFD connectivity issues with service nodes. As a result, VXLAN tunnels do not work.
Mellanox switches with the Spectrum A1 ASIC do **not** have this issue. | 3.7.11-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| | [2547558](#2547558)
| On the EdgeCore Wedge100 and Facebook Wedge-100S switch, certain physical ports are not correctly mapped to the logical ones. For example:
Logical swp39 controls physical swp41
Logical swp40 controls physical swp42
Logical swp43 controls physical swp45
Logical swp44 controls physical swp46
This might causes incorrect forwarding behavior. | 3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2547509](#2547509)
| When a Trident3 switch receives packets containing an IP checksum value that is not compliant with RFC 1624, the TTL is decremented after a routing operation but the checksum is not recalculated. This results in the IP checksum value being invalid as the packet leaves the switch. | 3.7.10-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2547443](#2547443)
| On the Dell N3248PXE-ON switch, 25G SFP ports do not work in 10G mode. | 3.7.11-4.0.1 | 4.1.0-4.4.5| @@ -457,10 +457,10 @@ pdfhidden: True | [2547286](#2547286)
| NCLU crashes when you run the net add interface storage-optimized pfc command because non-ASCII quotes exist in the datapath.conf file.
To work around this issue, manually edit the /usr/lib/python2.7/dist-packages/cumulus/__chip_config/mlx/datapath.conf file and replace the non-ASCII single quotes with ASCII single quotes (standard single quote on the keyboard). | 4.0.0-4.0.1 | 4.1.0-4.4.5| | [2547266](#2547266)
| On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature. | 4.0.0-4.0.1 | 4.1.0-4.4.5| | [2547245](#2547245)
| The MLAG switch pair has VLANs defined that are not used on MLAG bonds. These VLANs still synchronize MAC addresses across to the peer switch. This results in log messages that indicate a MAC address is installed and the VLAN is not defined; for example:

RTM_NEWNEIGH with unconfigured vlan XXXX on port peerlink
| 3.7.10-3.7.13, 4.0.0-4.1.1 | 3.7.14-3.7.16, 4.2.0-4.4.5| -| [2547205](#2547205)
| On the Delta AG6248C switch, the NCLU net show system sensors command shows an error:

Could not collect output from command: ['/usr/sbin/smonctl']

To work around this issue, run the net show system sensors json command instead. | 4.0.0-4.0.1 | 4.1.0-4.4.5| +| [2547205, 2548334](#2547205, 2548334)
| On the Delta AG6248C switch, the NCLU net show system sensors command shows an error:

Could not collect output from command: ['/usr/sbin/smonctl']

To work around this issue, run the net show system sensors json command instead. | 4.0.0-4.0.1 | 4.1.0-4.4.5| | [2547149](#2547149)
| The last eight ports of the EdgeCore AS4610-54P switch (swp41 through swp48) do not power UPOE access points. | 3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2547146](#2547146)
| The ospfd daemon might crash with the following kernel trace: 

2019-11-06T23:00:08.261749+09:00 cumulus ospfd[5339]: Assertion 'node' failed in file ospfd/ospf_packet.c, line 671, function ospf_write
| 3.7.11-3.7.12, 4.0.0-4.0.1 | 3.7.13-3.7.16, 4.1.0-4.4.5| -| [2547128](#2547128)
| The cumulus-overrides package contains the /etc/apt/preferences.d/20_prefer_cumulus file that pins packages from specific release names. The pinning file contains the wrong name.
To work around this issue, use the origin instead of the release name. | 4.0.0-4.0.1 | 4.1.0-4.4.5| +| [2547128, 2549785](#2547128, 2549785)
| The cumulus-overrides package contains the /etc/apt/preferences.d/20_prefer_cumulus file that pins packages from specific release names. The pinning file contains the wrong name.
To work around this issue, use the origin instead of the release name. | 4.0.0-4.0.1 | 4.1.0-4.4.5| | [2547123](#2547123)
| On the Broadcom switch with the Trident3 ASC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect. | 3.7.11-4.1.1 | 4.2.0-4.4.5| | [2547120](#2547120)
| After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number), until you run the decode-syseeprom --init command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2547100](#2547100)
| On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic. | 3.7.11-4.1.1 | 4.2.0-4.4.5| @@ -470,38 +470,38 @@ pdfhidden: True | [2547013](#2547013)
| On the Mellanox Spectrum switch, switchd can sometimes fail when PBR rules are installed or removed from hardware if the rule is setting a next hop learned via a routing protocol. | 3.7.7-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2546991](#2546991)
| The FRR service does not provide a way for automation to know if the configuration applied properly.
To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546985](#2546985)
| On the EdgeCore AS7326-56X switch, the PSU fans show constant LOW warnings. | 3.7.10-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| -| [2546951](#2546951)
| switchd crashes when dynamic VRF route leaking is enabled and the following is true:
* The default route is leaked from VRF1 to VRF2
* Hardware-based dynamic VRF route leaking is configured (vrf_route_leak_enable_dynamic is set to TRUE in the /etc/cumulus/switchd.conf file).
You might see logs similar to the following in /var/log/syslog:

kernel: [159400.526241] switchd[21374]: segfault at 1229cdd84 ip 00000000004142ca sp 00007ffd557a86d0 error 4 in switchd[400000+71000]

To work around this issue, use a route map to filter the default route (the source VRF is imported into the destination VRF). | 3.7.10-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| +| [2546951, 2548887](#2546951, 2548887)
| switchd crashes when dynamic VRF route leaking is enabled and the following is true:
* The default route is leaked from VRF1 to VRF2
* Hardware-based dynamic VRF route leaking is configured (vrf_route_leak_enable_dynamic is set to TRUE in the /etc/cumulus/switchd.conf file).
You might see logs similar to the following in /var/log/syslog:

kernel: [159400.526241] switchd[21374]: segfault at 1229cdd84 ip 00000000004142ca sp 00007ffd557a86d0 error 4 in switchd[400000+71000]

To work around this issue, use a route map to filter the default route (the source VRF is imported into the destination VRF). | 3.7.10-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| | [2546895](#2546895)
| If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:
bq. systemd[1]: switchd.service watchdog timeout (limit 2min)!
To workaround this issue, either reduce the number of configured interfaces and, or VLANs, or increase the systemd timeout for switchd.service
To increase the systemd timeout:1.Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter
2.Restart the switchd service with the sudo systemctl restart switchd.service command
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546874](#2546874)
| On the Dell S5232F, S5248F, S5296F, and S3048 switch, using the poweroff or halt commands does not fully power off the switch. | 4.0.0-4.4.5 | | | [2546869](#2546869)
| Broadcom Field Alert - SID - MMU 2B Errors
A few of the MMU memories on Broadcom switches are grouped together with single parity control. During SER correction when a parity error occurs on one of those groups, other memory in that group might also report a SER error. This occurs when the memory is accessed either by a packet hit or through a schan operation. This issue can cause SER errors in other memory and cause traffic mis-forwarding or a packet drop. | 3.7.0-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2546739](#2546739)
| The Mellanox SN3700C switch does not forward LLDP or LACP traffic. | 4.0.0-4.0.1 | 4.1.0-4.4.5| | [2546703](#2546703)
| The FRR cl-support module times out on switches on the ARM platform even when the switch is not under heavy load.
To work around this issue, run the cl-support -M command to disable timeouts. | 3.7.0-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2546576](#2546576)
| A traditional bridge with QinQ and a VNI does not work for tagged traffic. | 3.7.10-3.7.13, 4.0.0-4.0.1 | 3.7.14-3.7.16, 4.1.0-4.4.5| -| [2546559](#2546559)
| On the Mellanox SN3700C switch, if you try to break out 100G switch ports into 2x50G, the configuration fails and switchd does not restart. Breaking out the ports into 4x25G works without issue. | 4.0.0-4.0.1 | 4.1.0-4.4.5| +| [2546559, 2544914, 2544984](#2546559, 2544914, 2544984)
| On the Mellanox SN3700C switch, if you try to break out 100G switch ports into 2x50G, the configuration fails and switchd does not restart. Breaking out the ports into 4x25G works without issue. | 4.0.0-4.0.1 | 4.1.0-4.4.5| | [2546502](#2546502)
| On the EdgeCore AS7326-56X switch, eth0 and swp1 use the same MAC address. | 3.7.9-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2546485](#2546485)
| The EdgeCore Minipack-AS8000 switch supports FEC RS by default; you cannot disable this setting. However, the ethtool --show-fec command output indicates that FEC is disabled. Also, if you try to change the FEC setting, Cumulus Linux reports an error. For example:

cumulus@switch:~$  net add interface swp23 link speed 100000
cumulus@switch:~$  net add interface swp23 link autoneg off
cumulus@switch:~$  net add interface swp23 link fec rs
"/sbin/ifreload -a" failed:
error: swp23: cmd '/sbin/ethtool --set-fec swp23 encoding rs' failed: returned 255 (Cannot set FEC settings: Operation not supported)
Command '['/sbin/ifreload', '-a']' returned non-zero exit status 1
| 4.0.0-4.1.1 | 4.2.0-4.4.5| -| [2546454](#2546454)
| When you run the NCLU net del all command to delete all configuration on the switch, you see an error similar to the following:

ERROR: [Errno 2] No such file or directory: '/cumulus/switchd/config/interface//port_security/enable'#012Traceback
| 4.0.0-4.0.1 | 4.1.0-4.4.5| +| [2546454, 2548291](#2546454, 2548291)
| When you run the NCLU net del all command to delete all configuration on the switch, you see an error similar to the following:

ERROR: [Errno 2] No such file or directory: '/cumulus/switchd/config/interface//port_security/enable'#012Traceback
| 4.0.0-4.0.1 | 4.1.0-4.4.5| | [2546389](#2546389)
| In a default VX instance, a ping to a device's hostname fails.
To work around this issue, edit the /etc/gai.conf file and uncomment precedence ::ffff:0:0/96 10.
| 4.0.0-4.0.1 | 4.1.0-4.4.5| | [2546337](#2546337)
| The net show bridge macs command returns an empty interface column.
To work around this issue, run the bridge fdb show command to show the interface. | 4.0.0-4.1.1 | 4.2.0-4.4.5| | [2546329](#2546329)
| A memory leak in switchd might occur, which causes switchd to restart. | 3.7.10-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2546265](#2546265)
| Ifupdown2 does not set up the front panel interface for the dhclient to accept the DHCP OFFER.
To work around this issue, restart the networking service after ifreload -a with the systemctl restart networking command. | 3.7.10-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2546255](#2546255)
| On the EdgeCore Minipack-AS8000 switch, a 100G DAC link does not come up when auto-negotiation is enabled on the neighbor. This switch does not support 100G DAC auto-negotiation at this time. | 4.0.0-4.4.5 | | -| [2546225](#2546225)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2546140](#2546140)
| CPU usage might be higher than normal if you have a high number of interfaces x VLANs and lldpd is active. This issue is introduced with code changes in Cumulus Linux 3.7.11, where VLAN information is now available for LLDP to advertise to neighbors ([https://docs.cumulusnetworks.com/version/cumulus-linux-37/Layer-2/Link-Layer-Discovery-Protocol/#vlan-dot1-tlv]). You might see high CPU usage even if VLAN (dot1) TLV configuration is disabled.
To check if lldpd is the heavy CPU resource user, run the following command:

cumulus@switch:~$  ps -eo user,pid,ppid,cmd,%mem,%cpu --sort=-%cpu \| head

Alternatively, check for messages in the /var/log/syslog directory similar to:

2020-02-20T15:02:12.137857-05:00 leaf01 sysmonitor: High CPU use: 87%
2020-02-20T15:02:12.482398-05:00 leaf01 sysmonitor:   PID USER      PR    VIRT    RES %CPU %MEM     TIME+ COMMAND
2020-02-20T15:02:12.483112-05:00 leaf01 sysmonitor:  1570 _lldpd    20   73244  13800 76.6  0.3   4:43.06 lldpd

*Note*: The exact amount of CPU usage varies in each network based on a number of factors; however, it is unusual for lldpd to consume more than 30% CPU for an extended period of time.
To work around this issue, you can do one of the following:
* If the large number of VLANs is not absolutely necessary, manually prune the VLAN allowed list (if you use the range 1-2999, modify the bridge-vids list to include the VLANs being used).
* Stop the lldpd service. (This approach might be undesirable if the switch is providing services that rely on LLDP such as Voice VLAN.) To stop the lldpd service (runtime setting), run the sudo systemctl stop lldpd.service command. To disable the lldpd service upon boot, run sudo systemctl disable lldpd.service. | 3.7.11-3.7.12, 4.0.0-4.0.1 | 3.7.13-3.7.16, 4.1.0-4.4.5| -| [2546131](#2546131)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546225, 2541038](#2546225, 2541038)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546140, 2548774](#2546140, 2548774)
| CPU usage might be higher than normal if you have a high number of interfaces x VLANs and lldpd is active. This issue is introduced with code changes in Cumulus Linux 3.7.11, where VLAN information is now available for LLDP to advertise to neighbors ([https://docs.cumulusnetworks.com/version/cumulus-linux-37/Layer-2/Link-Layer-Discovery-Protocol/#vlan-dot1-tlv]). You might see high CPU usage even if VLAN (dot1) TLV configuration is disabled.
To check if lldpd is the heavy CPU resource user, run the following command:

cumulus@switch:~$  ps -eo user,pid,ppid,cmd,%mem,%cpu --sort=-%cpu \| head

Alternatively, check for messages in the /var/log/syslog directory similar to:

2020-02-20T15:02:12.137857-05:00 leaf01 sysmonitor: High CPU use: 87%
2020-02-20T15:02:12.482398-05:00 leaf01 sysmonitor:   PID USER      PR    VIRT    RES %CPU %MEM     TIME+ COMMAND
2020-02-20T15:02:12.483112-05:00 leaf01 sysmonitor:  1570 _lldpd    20   73244  13800 76.6  0.3   4:43.06 lldpd

*Note*: The exact amount of CPU usage varies in each network based on a number of factors; however, it is unusual for lldpd to consume more than 30% CPU for an extended period of time.
To work around this issue, you can do one of the following:
* If the large number of VLANs is not absolutely necessary, manually prune the VLAN allowed list (if you use the range 1-2999, modify the bridge-vids list to include the VLANs being used).
* Stop the lldpd service. (This approach might be undesirable if the switch is providing services that rely on LLDP such as Voice VLAN.) To stop the lldpd service (runtime setting), run the sudo systemctl stop lldpd.service command. To disable the lldpd service upon boot, run sudo systemctl disable lldpd.service. | 3.7.11-3.7.12, 4.0.0-4.0.1 | 3.7.13-3.7.16, 4.1.0-4.4.5| +| [2546131, 2542979](#2546131, 2542979)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546061](#2546061)
| Trident2+ switches do not enable DFE for 10G and 4x10G DACs. As a result, longer or marginal 10G DACs might not link up reliably.
To work around this issue, run the following command after a reboot.
On the SFP side:

echo CR > /cumulus/switchd/config/interface/swp${port}/interface_mode ; done

On the QSFP side:

echo CR > /cumulus/switchd/config/interface/swp${port}/interface_mode ; done
| 4.0.0-4.0.1 | 4.1.0-4.4.5| | [2545988](#2545988)
| When hsflowd is used on the switch, you might experience a kernel panic. | 4.0.0-4.0.1 | 4.1.0-4.4.5| -| [2545949](#2545949)
| All Broadcom Trident3 X7 switches contain PCIE firmware, which is programmed by the vendor when the switch is manufactured. The latest version of this firmware (2.6) is incompatible with Cumulus Linux 3.7.11 and earlier, and Cumulus Linux 4.0.
To work around this issue, downgrade the Broadcom ASIC firmware to an earlier version. | 3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| +| [2545949, 2546356, 2546370, 2546539, 2546711, 2546712, 2546916, 2545172, 2546539](#2545949, 2546356, 2546370, 2546539, 2546711, 2546712, 2546916, 2545172, 2546539)
| All Broadcom Trident3 X7 switches contain PCIE firmware, which is programmed by the vendor when the switch is manufactured. The latest version of this firmware (2.6) is incompatible with Cumulus Linux 3.7.11 and earlier, and Cumulus Linux 4.0.
To work around this issue, downgrade the Broadcom ASIC firmware to an earlier version. | 3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2545933](#2545933)
| Mellanox switches might experience higher CPU usage from the sx_sdk service or when BFD is in use.
To work around this issue, disable BFD to alleviate some of the CPU load. | 3.7.13, 4.0.0-4.1.1 | 3.7.14-3.7.16, 4.2.0-4.4.5| | [2545868](#2545868)
| If you delete, then re-add a PBR policy on an interface, the configured PBR policy is not programmed in the kernel or switchd. | 3.7.9-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2545866](#2545866)
| After making a series of PBR configuration changes using NCLU commands, the stale PBR entry is still present in the kernel. | 3.7.9-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2545851](#2545851)
| The Mellanox minimal platform module driver probe does not handle error conditions correctly.
To work around this issue, power cycle the switch. | 4.0.0-4.0.1 | 4.1.0-4.4.5| | [2545837](#2545837)
| If you use the NCLU commands to configure NTP and run the net add time ntp source command before you run the net add time ntp server iburst command, the /etc/ntp.conf file is misconfigured.
To work around this issue, run the net add time ntp server iburst command before you run the net add time ntp source command. | 3.7.10-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| -| [2545724](#2545724)
| On the Mellanox switch with the Spectrum or Spectrum-2 ASIC, switchd might crash, then restart under certain conditions. | 4.0.0-4.0.1 | 4.1.0-4.4.5| +| [2545724, 2545163](#2545724, 2545163)
| On the Mellanox switch with the Spectrum or Spectrum-2 ASIC, switchd might crash, then restart under certain conditions. | 4.0.0-4.0.1 | 4.1.0-4.4.5| | [2545608](#2545608)
| The protocol daemon bgpd crashes when a link/neighbor flaps if static routes pointing to Null0 are advertising through BGP.
To work around this issue, reboot the switch, then remove the static routes or stop advertising these routes. | 3.7.9-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2545600](#2545600)
| IPv6 table rules might affect forwarding. For example, if you create the following rule in the /etc/cumulus/acl/policy.d/03-sshd.rules file, the rule counter increments but IPv4 SSH traffic might be dropped.

[ip6tables]
-A INPUT -p tcp --dport 22 -j DROP
| 3.7.2-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2545566](#2545566)
| The Dell Z9100-ON switch incorrectly reports many sensors as ABSENT. | 3.7.12-4.0.1 | 4.1.0-4.4.5| -| [2545536](#2545536)
| On the Mellanox switch with the Spectrum and Spectrum-2 ASIC, IPv6 egress ACLs are not supported on subinterfaces. | 4.0.0-4.1.1 | 3.7.14-3.7.16, 4.2.0-4.4.5| +| [2545536, 2545503](#2545536, 2545503)
| On the Mellanox switch with the Spectrum and Spectrum-2 ASIC, IPv6 egress ACLs are not supported on subinterfaces. | 4.0.0-4.1.1 | 3.7.14-3.7.16, 4.2.0-4.4.5| | [2545520](#2545520)
| The length of the netlink message is not set properly for non-bridge family type messages. The same length is used for both bridge and non-bridge even though the bridge family type message has an extra attribute. This causes extra bytes to be left over in non-bridge family type netlink messages. | 3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2545501](#2545501)
| On a traditional bridge, VLAN tagged traffic is not discarded when it exceeds the port security MAC limit. | 4.0.0-4.0.1 | 4.1.0-4.4.5| | [2545448](#2545448)
| The l1-show command prints a traceback for switch ports that have sub-interfaces configured. There is no functional impact to traffic but the l1-show troubleshooting and validation command does not execute on switch ports that have VLAN sub-interfaces. | 3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| @@ -517,24 +517,24 @@ pdfhidden: True | [2545133](#2545133)
| On the Mellanox switch, ACL lookups are performed for VLAN matches when no rules with UNTAGGED match are present. | 3.7.2-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2545125](#2545125)
| If you configure more than one VRR interface on an SVI interface, deleting one of the VRR addresses does not remove the interface/address. | 3.7.10-3.7.16, 4.0.0-4.4.5 | | | [2545087](#2545087)
| On the Mellanox switch with the Spectrum ASIC, the --set-burst parameter in an iptables rule does not take effect. | 3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| -| [2545054](#2545054)
| When you run the NCLU net del interface command to delete an interface that has a description in the /etc/frr/frr.conf file but the /etc/frr/daemons file does not contain zebra=yes}, all running FRR daemons (bgpd, ospfd, ospf6d) restart
To work around this issue, remove all interfaces from the /etc/frr/frr.conf file that are unrelated to routing. | 4.0.0-4.1.1 | 4.2.0-4.4.5| +| [2545054, 2552126](#2545054, 2552126)
| When you run the NCLU net del interface command to delete an interface that has a description in the /etc/frr/frr.conf file but the /etc/frr/daemons file does not contain zebra=yes}, all running FRR daemons (bgpd, ospfd, ospf6d) restart
To work around this issue, remove all interfaces from the /etc/frr/frr.conf file that are unrelated to routing. | 4.0.0-4.1.1 | 4.2.0-4.4.5| | [2545049](#2545049)
| When networking fails to start properly, an MLAG memory leak occurs, which might cause memory issues. | 3.7.9-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2545040](#2545040)
| On the Mellanox switch, error messages with hw-management-thermal-events.sh are displayed on shutdown. | 4.0.0-4.0.1 | 4.1.0-4.4.5| | [2544978](#2544978)
| If you delete an undefined bond, then add a bond slave, the net commit command fails. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544968](#2544968)
| FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:

sudo sh -c "printf 'interface 50\nvrf TEST description L3 routing interface\n' >> /etc/frr/frr.conf"

should be:

sudo sh -c "printf 'interface 50 vrf TEST\ndescription L3 routing interface\n' >> /etc/frr/frr.conf"

To work around this issue, configure the interface manually in the /etc/frr/frr.conf file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544957](#2544957)
| NCLU incorrectly allows you to apply port security configuration on layer 2 and layer 3 ports that are not part of a bridge. | 4.0.0-4.4.5 | | | [2544953](#2544953)
| When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.
To work around this issue, run the sudo systemctl restart lldpd.service command. | 3.7.10-3.7.16, 4.0.0-4.4.5 | | -| [2544914](#2544914)
| On the NVIDIA SN3700C switch, when you split ports from 100G to 2x50G, switchd fails to start. | 4.0.0-4.0.1 | 4.1.0-4.4.5| +| [2544914, 2546559](#2544914, 2546559)
| On the NVIDIA SN3700C switch, when you split ports from 100G to 2x50G, switchd fails to start. | 4.0.0-4.0.1 | 4.1.0-4.4.5| | [2544904](#2544904)
| After you delete an IPv6 numbered BGP peer group neighbor, Cumulus Linux might continue to send route advertisements.
To work around this issue, restart FRR after removing the IPv6 numbered configuration. | 3.7.9-4.1.1 | 4.2.0-4.4.5| -| [2544880](#2544880)
| When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. | 4.0.0-4.4.5 | | +| [2544880, 2544616, 2554202](#2544880, 2544616, 2554202)
| When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. | 4.0.0-4.4.5 | | | [2544856](#2544856)
| In the ethool -m output, the Revision Compliance field might show Unallocated when the SFF-8363 Revision Compliance value is SFF-8636 version 2.8 or later. | 4.0.0-4.1.1 | 4.2.0-4.4.5| -| [2544854](#2544854)
| On the Dell S5248F-ON switch, CPU core temp sensors may show as ABSENT. | 4.0.0-4.4.5 | 3.7.12-3.7.16| +| [2544854, 2545726](#2544854, 2545726)
| On the Dell S5248F-ON switch, CPU core temp sensors may show as ABSENT. | 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2544847](#2544847)
| You might experience a bgpd memory usage increase and significant update exchanges due to host moves between VTEPs. | 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2544723](#2544723)
| Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2544625](#2544625)
| VXLAN encapsulated ICMP packets hit the catchall EFP policer instead of the ICMP policer and you might experience partial packet loss.
| 3.7.9-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2544556](#2544556)
| If you reconfigure an NTP server with NCLU using different trailing options after the IP address (such as iburst), an invalid configuration is added to the /etc/ntp.conf file. For example:

net add time ntp server 1.2.3.4 iburst
net commit
net add time ntp server 1.2.3.4
net commit

If you need to alter existing server configurations, first remove the server, commit, then re-add the server with any trailing options. | 3.7.9-4.1.1 | 4.2.0-4.4.5| | [2544463](#2544463)
| Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | -| [2544456](#2544456)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | +| [2544456, 2546166, 2546167, 2547706, 2549513](#2544456, 2546166, 2546167, 2547706, 2549513)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544329](#2544329)
| When an MLAG peerlink frequently alternates states between learning and blocking, an excessive number of TCP sessions might be created, which results in the following error display:

OSError: [Errno 24] Too many open files
| 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2544311](#2544311)
| Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544213](#2544213)
| Cumulus Linux poed generates excessive debug log entries. These will be reduced in a future release. | 3.7.3-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| @@ -544,9 +544,9 @@ pdfhidden: True | [2543937](#2543937)
| An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause a FRR reload to time out.
To work around this issue, remove the interface alias description from iproute2. | 3.7.8-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543915](#2543915)
| When you enable a service in the management VRF, systemctl issues a warning similar to the following:
Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run 'systemctl daemon-reload' to reload unit
You can safely ignore this warning. | 4.0.0-5.9.5 | 5.10.0-5.16.1| | [2543900](#2543900)
| On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | | -| [2543841](#2543841)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | +| [2543841, 2544947](#2543841, 2544947)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | | [2543816](#2543816)
| On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages.
| 3.7.6-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| -| [2543791](#2543791)
| On the EdgeCore AS5712, AS6712, AS5812 and AS6812 switch, support for multiple PSU types results in log messages similar to the following:

2019-09-05T05:15:17.246597+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.274521+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
2019-09-05T05:15:17.469556+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.497514+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
| 3.7.9-3.7.12, 4.0.0-4.0.1 | 3.7.13-3.7.16, 4.1.0-4.4.5| +| [2543791, 2545026](#2543791, 2545026)
| On the EdgeCore AS5712, AS6712, AS5812 and AS6812 switch, support for multiple PSU types results in log messages similar to the following:

2019-09-05T05:15:17.246597+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.274521+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
2019-09-05T05:15:17.469556+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.497514+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
| 3.7.9-3.7.12, 4.0.0-4.0.1 | 3.7.13-3.7.16, 4.1.0-4.4.5| | [2543781](#2543781)
| NCLU does not allow you to configure OSPF NSSAs. For example: 

cumulus@switch:~$ net add ospf area 0.0.0.1 nssa 
ERROR: Command not found. 
net add ospf area 0.0.0.1 nssa

To work around this issue, use FRR instead. For example: 

switch# configure terminal 
switch(config)# router ospf 
switch(config-router)# area 0.0.0.1 nssa
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543724](#2543724)
| If a hostname contains utf-8 characters, the NCLU net show lldp command outputs the following error: 

ERROR: 'ascii' codec can't encode character u'\xe9' in position 3: ordinal not in range(128) 
See /var/log/netd.log for more details.
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543690](#2543690)
| On the Mellanox switch, UFT profiles are unable to support the documented capacity for routes to addresses that are more than 64 bits in length. The listed capacities assume 64-bit destination IP addresses. | 3.7.8-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| @@ -554,14 +554,14 @@ pdfhidden: True | [2543647](#2543647)
| ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:

-A FORWARD -i vni10 -j erspan --src-ip 100.1.1.2 --dst-ip 100.1.1.1 --ttl 64
| 3.7.6-4.2.1 | 4.3.0-4.4.5| | [2543646](#2543646)
| In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2543471](#2543471)
| On switches with the Spectrum ASIC, the underlay hashes VXLAN packets for a given overlay flow randomly.
To work around this issue, configure the ECMP hash seed to the same value on the EVPN egress leaf switches. | 3.7.7-3.7.12, 4.0.0-4.0.1 | 3.7.13-3.7.16, 4.1.0-4.4.5| -| [2543401](#2543401)
| On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. | 4.0.0-4.4.5 | | -| [2543270](#2543270)
| The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5| +| [2543401, 2543014](#2543401, 2543014)
| On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. | 4.0.0-4.4.5 | | +| [2543270, 2549352](#2543270, 2549352)
| The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5| | [2543211](#2543211)
| In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2543164](#2543164)
| The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2543096](#2543096)
| When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | -| [2542979](#2542979)
| On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5| +| [2542979, 2546131](#2542979, 2546131)
| On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5| | [2542945](#2542945)
| On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags.
To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad: 

cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | -| [2542872](#2542872)
| After you issue the NCLU net del bgp vrf autonomous-system command and commit the change, Cumulus Linux does not remove the configuration from the /etc/frr/frr.conf file or the net show config commands.
| 3.7.3-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| +| [2542872, 2542901, 2542901](#2542872, 2542901, 2542901)
| After you issue the NCLU net del bgp vrf autonomous-system command and commit the change, Cumulus Linux does not remove the configuration from the /etc/frr/frr.conf file or the net show config commands.
| 3.7.3-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2542837](#2542837)
| On Mellanox switches, policer iptables are not working as expected. For example, when using a policer with mode KB/MB/GB to rate-limit interfaces, the syntax is accepted but the data plane transfer speed is not affected by the rule. | 3.7.6-3.7.8, 4.0.0-4.4.5 | 3.7.9-3.7.16| | [2542824](#2542824)
| On the Broadcom Trident 3 switch, VXLAN encapsulated packets are dropped on the ingress port (tagged layer 2 port) during transit forwarding (the local switch does not terminate the VXLAN tunnel). An example of where this two-layer VXLAN inside VXLAN encapsulation might occur:
- VXLAN tunnel (#1) between two servers (different racks) to provide layer 2 extension for containers or VM hosts.
- VXLAN tunnel (#2) between the TOR switch in rack 1 to the TOR switch located in the remote rack.

To work around this issue, either:
- Configure the edge port (facing the servers) to be an access port (instead of a trunk/tagged port)
- Change the destination port from 4789 to something else (VXLAN tunnel terminated by the servers) | 3.7.5-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2542766](#2542766)
| If the BMC operating system fails to respond to IPMI, you see a traceback in bmcd and all the sensors might report ABSENT devices in smonctl.
To work around this issue, power cycle the switch.
| 3.7.6-3.7.12, 4.0.0-4.0.1 | 3.7.13-3.7.16, 4.1.0-4.4.5| @@ -577,7 +577,7 @@ pdfhidden: True | [2540352](#2540352)
| When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a _match interface_ condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9 
net add routing route-map Proxy-ARP permit 30 match interface swp10

| 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2540340](#2540340)
| NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example: 
 
 cumulus@switch:~$ net add vrf mgmt

Tab completion for the net add vrf ip address
command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540274](#2540274)
| On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | -| [2540204](#2540204)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540204, 2713883](#2540204, 2713883)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540192](#2540192)
| The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540155](#2540155)
| On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2540042](#2540042)
| When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example: 
 
cumulus@switch:~$ sudo vtysh 
switch# configure terminal 
switch(config)# interface br0.100 
switch(config-if)# vrrp 1 priority 110 
switch(config-if)# vrrp 1 advertisement-interval 
switch(config-if)# end 
switch# write memory 
switch# exit 
cumulus@switch:~

| 3.7.4-3.7.16, 4.0.0-4.4.5 | | @@ -594,13 +594,13 @@ pdfhidden: True | [2538294](#2538294)
| If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2538256](#2538256)
| On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets.
| 3.7.2-4.0.1 | 4.1.0-4.4.5| | [2537699](#2537699)
| There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces: 
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
| 3.7.1-3.7.16, 4.0.0-4.4.5 | | -| [2537544](#2537544)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2537544, 2537365](#2537544, 2537365)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | | [2537061](#2537061)
| The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent.
| 3.7.1-4.0.1 | 4.1.0-4.4.5| | [2536576](#2536576)
| If you try to bring down several members of a bond remotely at the same time, the link state of one of the interfaces might not transition correctly to the down state; however, all links show down in hardware.
| 4.0.0-4.4.5 | | | [2536384](#2536384)
| The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2536256](#2536256)
| For an unresolved address, the IPROUTER default policer rule has been modified to _not_ match on packets exiting a TUNNEL and headed to the CPU to resolve the address via ARP. As a result, the following default rule no longer matches TUNNEL ingress packets. 
 
A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type 
IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100

These packets are now policed by catch all rules.
To work around this issue, the VPORT value on a TRIDENT switch must be changed from binary 011 to 100.
| 4.0.0-4.4.5 | | | [2536242](#2536242)
| On the EdgeCore AS7712 (Tomahawk) switch running in atomic mode, when a layer 3 ECMP path is brought down, traffic traversing the path stops working for about four seconds. When the switch is changed to non-atomic mode, the delay is less than one second. This issue is seen across OSPF and static ECMP routes. | 4.0.0-4.4.5 | | -| [2536231](#2536231)
| On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature.
In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. | 3.7.3-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| +| [2536231, 2545399](#2536231, 2545399)
| On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature.
In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. | 3.7.3-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2536179](#2536179)
| On switches with the Trident 2+ ASIC, counters associated with VLANs and VRFs are not working. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2535986](#2535986)
| At a high CPU transmit traffic rate (for example, if there is unexpected CPU generated flooding or replication in software), when the ASIC packet driver cannot keep up with the transmit rate because there are no free DMA buffers, it can back pressure by suspending the switch port transmit queues. This can fill up the application socket buffers resulting in No buffer space available error messages on protocol sockets.
When the driver recovers, it automatically resumes the transmit queues. In most cases these error messages are transient. In rare cases, the hardware queues might get stuck, which you can recover with a switchd restart. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2535965](#2535965)
| On the Trident3 switch, static PIM with IIF based on a layer 2 bridge does not work reliably. PIM Join via signaling is required for IPMC to work properly.
To work around this issue, use dynamic signaling (joins) to manage IP multicast traffic. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | @@ -609,7 +609,7 @@ pdfhidden: True | [2535706](#2535706)
| On the Mellanox switch, GRE tunneling does not work if the tunnel source is configured on an SVI interface. If the tunnel source is configured on a physical switch port, then tunneling works as expected. | 4.0.0-4.1.1 | 3.7.14-3.7.16, 4.2.0-4.4.5| | [2535605](#2535605)
| FRR does not add BGP ttl-security to either the running configuration or to the /etc/frr/frr.conf file when configured on a peer group instead of a specific neighbor.
To work around this issue, add ttl-security to individual neighbors instead of the peer group. | 4.0.0-4.4.5 | | | [2535209](#2535209)
| The net show lldp command sometimes shows the port description in the Remote Port field. The net show interface command shows the correct value in the Remote Host field.
To work around this issue, use net show interface command for LLDP output when connected to Cisco equipment. | 3.7.5-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| -| [2534977](#2534977)
| On the Mellanox switch, the destination MAC address of ERSPAN GRE packets is set to all zeros; therefore, the first transit switch might drop packets. | 4.0.0-4.2.1 | 3.7.14-3.7.16, 4.3.0-4.4.5| +| [2534977, 2535424](#2534977, 2535424)
| On the Mellanox switch, the destination MAC address of ERSPAN GRE packets is set to all zeros; therefore, the first transit switch might drop packets. | 4.0.0-4.2.1 | 3.7.14-3.7.16, 4.3.0-4.4.5| | [2534734](#2534734)
| Span rules matching the out-interface as a bond do not mirror packets. | 4.0.0-4.4.5 | | | [2533691](#2533691)
| If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict.
To work around this issue, correct the bridge VIDs and restart switchd or delete the subinterface. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2533625](#2533625)
| PIM and MSDP entries are set to the internal COS value of 6 so they are grouped together with the bulk traffic priority group in the default traffic.conf file. However, PIM, IGMP, and MSDP are considered control-plane and should be set to the internal COS value of 7. | 4.0.0-4.4.5 | | @@ -630,7 +630,7 @@ pdfhidden: True | [2547349](#2547349)
| When you change an interface IP address, then change it back, static routes are misprogrammed
One of the following actions recovers the routes:- Bounce both layer 3 interfaces- Remove or add static routes in FRR- Restart FRR | 3.7.11-3.7.16 | | | [2545192](#2545192)
| switchd does not program multicast routes 224/8 into hardware. | 3.7.9-3.7.10 | | | [2544814](#2544814)
| If a router MAC address changes on a VTEP, other VTEPs might still point to the previous router MAC address. | 3.7.10 | | -| [2544608](#2544608)
| BGP is configured with soft reconfiguration-in for its peers, which is not working correctly and causes routes to have an unexpected label. As a result, transit traffic is not forwarded by the switch. | 3.7.7-3.7.10 | | +| [2544608, 2550042](#2544608, 2550042)
| BGP is configured with soft reconfiguration-in for its peers, which is not working correctly and causes routes to have an unexpected label. As a result, transit traffic is not forwarded by the switch. | 3.7.7-3.7.10 | | | [2544558](#2544558)
| When you install a large number of new rules with nonatomic mode enabled, there is a chance that you install more rules than the number of available slots in the slice, which results in the slice being completely wiped and reinstalled. This causes a large drop increase, including to cpu0, and might cause a major outage by dropping all BGP sessions. | 3.7.8-3.7.10 | | | [2543874](#2543874)
| On the Mellanox Spectrum switch, a route withdrawal might cause the associated next hop neighbor entry to be deleted in hardware but remain in the kernel. This can cause traffic going through the directly connected route to the removed neighbor entry to be forwarded to the CPU. | 3.7.6-3.7.10 | | | [2543800](#2543800)
| When local-tunnelip is an SVI, the static VXLAN tunnel does not work; the next hop router receives the packet but drops it as it does not know where to forward the packet. The static VXLAN tunnel does works if local-tunnelip is a loopback or a physical layer 3 interface.
| 3.7.8-3.7.16 | | @@ -653,22 +653,22 @@ pdfhidden: True | [2542383](#2542383)
| When you define a trap destination using @mgmt, snmpd indicates that the network is unreachable even though the IP address is reachable in the management VRF.
To work around this issue, remove @mgmt vrf references in the /etc/snmp/snmpd.conf file, stop snmpd, then start snmpd manually in the management VRF with the systemctl start snmpd@mgmt command.
| 3.7.6-3.7.10 | | | [2542339](#2542339)
| In a typical CLOS network, each leaf is connected to all spine nodes; VXLAN packets follow leaf-spine links. However certain failure scenarios or maintenance activity might result in the MLAG primary switch being isolated from the spine layer (the only available network path is now across the peer link). As a result, the MLAG primary switch fails to transmit VXLAN encapsulated packets out on the peer link. It is also possible for the MLAG secondary switch to be isolated from the spine layer and then the problem is seen on the MLAG secondary switch.
The issue occurs because the Broadcom Trident3 switch does not perform VLAN translation for VXLAN encapsulated packets where the tunnel is not terminated.
To work around this issue, configure the BGP peering on a _new_ VLAN interface (for example, vlan4093) instead of the peer link sub-interface (peerlink.4094).
| 3.7.6 | | | [2542247](#2542247)
| When you generate a cl-support file, clagd.service prints log messages similar to the following: 
 
 019-03-21T07:18:15.727581+00:00 leaf01 clagd[20912]: DumpThreadStacks - start 
 2019-03-21T07:18:15.728157+00:00 leaf01 clagd[20912]: #012thread: CollectSysInfo (140608446367488) 
 2019-03-21T07:18:15.735986+00:00 leaf01 clagd[20912]: file: /usr/lib/python2.7/threading.py, line 783, in __bootstrap 
 2019-03-21T07:18:15.736585+00:00 leaf01 clagd[20912]: file: /usr/lib/python2.7/threading.py, line 810, in __bootstrap_inner 
 2019-03-21T07:18:15.737045+00:00 leaf01 clagd[20912]: file: /usr/lib/python2.7/threading.py, line 763, in run 
 2019-03-21T07:18:15.737933+00:00 leaf01 clagd[20912]: file: /usr/sbin/clagd, line 930, in CollectSysInfoT 
 2019-03-21T07:18:15.739527+00:00 leaf01 clagd[20912]: file: /usr/sbin/clagd, line 187, in CollectSysInfo 
 2019-03-21T07:18:15.740540+00:00 leaf01 clagd[20912]: file: /usr/lib/python2.7/threading.py, line 621, in wait 
 2019-03-21T07:18:15.742293+00:00 leaf01 clagd[20912]: file: /usr/lib/python2.7/dist-packages/clag/clagthread.py, line 48, in wait 
 . 
 . 
 2019-03-21T07:18:16.456061+00:00 leaf01 clagd[20912]: DumpThreadStacks - end

| 3.7.6-3.7.10 | | -| [2542099](#2542099)
| On the EdgeCore AS7816 switch, PCIE errors cause switchd startup to fail. | 3.7.9-3.7.10 | | +| [2542099, 2544399](#2542099, 2544399)
| On the EdgeCore AS7816 switch, PCIE errors cause switchd startup to fail. | 3.7.9-3.7.10 | | | [2541005](#2541005)
| NCLU is unable to delete a BGP neighbor configuration if there is a VRF VNI mapping in the /etc/frr/frr.conf file. For example, the following NCLU command produces an error: 
 
cumulus@leaf01$ net del bgp neighbor swp5 interface peer-group spine 
'router bgp 65001' configuration does not have 'neighbor swp5 interface peer-group spine'
| 3.7.7-3.7.8 | | | [2540685](#2540685)
| On a Dell S5248F (Trident3) switch, packets from switch ports are forwarded to the CPU and are sometimes corrupted. The corruption might result in BGP peerings being down, which can lead to all VXLAN traffic to and from a node to be lost, causing an outage to dually connected hosts in a rack. To work around this issue, restart switchd. | 3.7.3-3.7.8 | | | [2540601](#2540601)
| If the clagd-vxlan-anycast-ip is removed from the /etc/network/interfaces file (either with the NCLU command or by editing the file manually), MLAG still believes it is present until clagd restarts. | 3.7.3-3.7.8 | | | [2539081](#2539081)
| When you delete post-up and pre-down IP peer entries from the etc/network/interfaces file, then run the ifreload command, the IP addresses are not removed and the route remains in the route table.
To work around this issue, either delete the IP addresses without the /32 mask component or flush the IP addresses for the interface with the ip addr flush dev command.
| 3.7.0-3.7.16 | | | [2538345](#2538345)
| In an EVPN symmetric routing deployment with active-active anycast IP configured, the next hop attribute is sometimes set to a unique address instead of the anycast IP address.
To work around this issue, do not use default-originate ipv4; instead configure the network statements (recommended for small scale deployments).
| 3.7.2 | | -| [2537820](#2537820)
| When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
| 3.7.2-3.7.16 | | +| [2537820, 2542964](#2537820, 2542964)
| When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none.
| 3.7.2-3.7.16 | | | [2537535](#2537535)
| When FRR restarts, snmp[err] dev/kmem: Permission denied error messages are recorded in the log file and SNMPd might crash periodically. | 3.7.5-3.7.10 | | -| [2537104](#2537104)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | | +| [2537104, 2534061](#2537104, 2534061)
| When you try to stop hsflowd on the Trident II+ switch with the systemctl stop hsflowd command, the process hangs until you stop it with SIGKILL.
| 3.7.1-3.7.16 | | | [2536651](#2536651)
| Mellanox Spectrum and Helix4 switches occasionally send malformed packets and do not send any flow samples (only counters).
While this issue is fixed for switches with the Spectrum ASIC, this is a [known limitation\|https://docs.cumulusnetworks.com/cumulus-linux/Monitoring-and-Troubleshooting/Network-Troubleshooting/Monitoring-System-Statistics-and-Network-Traffic-with-sFlow/#caveats-and-errata] on this Helix4 platform. | 3.7.0-3.7.8 | | | [2536638](#2536638)
| On a Dell S4048 switch, when you set the eth0 speed to 100, either with NCLU or by editing the /etc/network/interfaces file, the igb driver crashes, which brings down eth0.
To work around this issue:
* If eth0 is configured in the management VRF, power cycle the switch; the eth0 configuration fails and reverts back to the default (auto-negotiation/1000).
* If eth0 is configured in the default VRF and you power cycle after the crash, igb continues to crash on boot up (before getting to login prompt); power-cycle the switch, select the Advanced option in GRUB to boot to recovery mode, then modify the /etc/network/interfaces file. | 3.7.0-3.7.10 | | | [2534982](#2534982)
| The advertised routes list may be empty for an EVPN peering even though the remote switch reports received routes.
| | | | [2534449](#2534449)
| The default BGP instance must be provisioned and always exist for proper operation of dynamic leaking of routes between VRFs. | 3.7.0-3.7.10 | | | [2534039](#2534039)
| On Trident2 switches running 802.3x regular link pause, pause frames are accounted in HwIfInDiscards counters and are dropped instead of processed. | | | -| [2532396](#2532396)
| Drops due to congestion do not appear to be counted on a Mellanox switch. To work around this issue, run the sudo ethtool -S swp1 command to collect interface traffic statistics. | | | +| [2532396, 2529029](#2532396, 2529029)
| Drops due to congestion do not appear to be counted on a Mellanox switch. To work around this issue, run the sudo ethtool -S swp1 command to collect interface traffic statistics. | | | | [2531343](#2531343)
| When sFlow is enabled, some sampled packets, such as IPMC, are forwarded twice (in the ASIC and then again through the kernel networking stack). | | | -| [2529321](#2529321)
| On a Mellanox switch in an MLAG configuration, routed packets that arrive on one switch to be forwarded to a destination MAC across the peer link are dropped due to MLAG loop prevention. This affects both routed unicast and multicast packets.

To work around this issue, modify the routing design or policy such that routes do not have a next hop of an MLAG peer switch that traverses the MLAG peer link. | | | +| [2529321, 2528139](#2529321, 2528139)
| On a Mellanox switch in an MLAG configuration, routed packets that arrive on one switch to be forwarded to a destination MAC across the peer link are dropped due to MLAG loop prevention. This affects both routed unicast and multicast packets.

To work around this issue, modify the routing design or policy such that routes do not have a next hop of an MLAG peer switch that traverses the MLAG peer link. | | | | [2528800](#2528800)
| Counter samples for an 80G bond (2 x 40G) exported from the switch show an interface speed (ifSpeed) of 14.464Gbps.
| | | diff --git a/content/cumulus-linux-40/rn.xml b/content/cumulus-linux-40/rn.xml index bb0a54705e..40d9503bb0 100644 --- a/content/cumulus-linux-40/rn.xml +++ b/content/cumulus-linux-40/rn.xml @@ -150,7 +150,7 @@ Reboot the affected switches. 4.3.1, 4.4.2-4.4.5, 5.0.0-5.16.1 -2743186 +2743186, 2734100, 2731464, 3438708 When you use MD5 passwords and you configure a non-default VRF before the default VRF in the {{/etc/frr/frr.conf}} file, numbered BGP sessions do not establish. 3.7.15-5.1.0 5.2.0-5.16.1 @@ -162,13 +162,13 @@ Reboot the affected switches. 4.3.1-4.4.5, 4.4.2-4.4.5 -2716822 +2716822, 2710844 The {{/etc/cumulus/ports.conf}} file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports. 3.7.15-4.3.0 4.3.1-4.4.5 -2713888 +2713888, 2834357 With the {{ip-acl-heavy}} TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly. hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources @@ -258,7 +258,7 @@ cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32 4.2.1-4.4.5 -2556010 +2556010, 2556276 On Broadcom switches, after repeated VLAN or VXLAN configuration changes, {{switchd}} memory might not free up appropriately, which can lead to a crash. 3.7.14, 4.0.0-4.2.1 3.7.14.2-3.7.16, 4.3.0-4.4.5 @@ -285,7 +285,7 @@ To work around this issue, increase the burst value of the ARP policers to 200 o 3.7.15-3.7.16, 4.3.0-4.4.5 -2555175 +2555175, 3195351, 2672721 Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. 3.7.15-4.3.1 4.3.2-4.4.5 @@ -440,7 +440,7 @@ To work around this issue, use the {{ethtool -m <interface>}} command.3.7.15-3.7.16, 4.3.0-4.4.5 -2552742 +2552742, 2553000, 2553936 On the Mellanox SN2410 switch, you see {{switchd}} core and {{GBIN_MALLOC}} errors. To work around this issue, restart {{switchd}}. 3.7.12-4.2.1 @@ -459,7 +459,7 @@ To work around this issue, restart {{switchd}}. 3.7.14-3.7.16, 4.3.0-4.4.5 -2552505 +2552505, 2552604 Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports. To work around this issue, manually set the MAC address of the bridge interface by adding {{hwaddress <mac-address>}} to the bridge stanza in the {{/etc/network/interfaces}} file. 3.7.11-3.7.13, 4.0.0-4.2.0 @@ -547,7 +547,7 @@ To workaround this issue, downgrade to Cumulus Linux 3.7 ESR. -2551162 +2551162, 2550590 {{switchd}} memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time. To work around this issue, correct the cause of the frequent link flaps. You can restart {{switchd}} with the {{sudo systemctl restart switchd}} command to recover memory; this operation is impactful to all traffic on the switch during the restart. 3.7.11-3.7.12, 4.0.0-4.4.5 @@ -771,7 +771,7 @@ To work around this issue, restart FRR. 3.7.13-3.7.16 -2548672 +2548672, 2555635 When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF. To work around this issue, remove the unnecessary eBGP IPv4 peering. 3.7.12-3.7.15, 4.0.0-4.2.1 @@ -859,7 +859,7 @@ To work around this issue, remove, then re-add the component prefix routes. 3.7.13-3.7.16 -2548373 +2548373, 2548371 On the Edgecore AS5812 switch, the Innodisk DIMM causes a DIMM temperature sensor absent alert. 3.7.12, 4.0.0-4.4.5 3.7.13-3.7.16 @@ -876,7 +876,7 @@ cumulus@switch:~$ sudo apt-get install hostapd -y 4.1.0-4.4.5 -2548320 +2548320, 2543525 When configuring VRF route leaking, if you define {{import vrf route-map <name>}} but do not have any imported VRFs, the route map command displays incorrectly, and as a result, FRR fails to reload. 4.0.0-4.1.1 4.2.0-4.4.5 @@ -983,7 +983,7 @@ To work around this issue, reboot the switch. -2547706 +2547706, 2544456, 2549513 When you configure ganged ports in the {{ports.conf}} file, the change does not take effect after you restart {{switchd}}. To work around this issue, reboot the switch. 3.7.11-3.7.16, 4.0.0-4.4.5 @@ -1008,7 +1008,7 @@ To work around this issue, reboot the switch. 4.1.0-4.4.5 -2547610 +2547610, 2548114 Mellanox switches with the Spectrum A0 ASIC that are integrated with VMware NSX experience BFD connectivity issues with service nodes. As a result, VXLAN tunnels do not work. Mellanox switches with the Spectrum A1 ASIC do **not** have this issue. 3.7.11-3.7.12, 4.0.0-4.4.5 @@ -1097,7 +1097,7 @@ RTM_NEWNEIGH with unconfigured vlan XXXX on port peerlink 3.7.14-3.7.16, 4.2.0-4.4.5 -2547205 +2547205, 2548334 On the Delta AG6248C switch, the NCLU {{net show system sensors}} command shows an error: Could not collect output from command: ['/usr/sbin/smonctl'] @@ -1122,7 +1122,7 @@ To work around this issue, run the {{net show system sensors json}} command inst 3.7.13-3.7.16, 4.1.0-4.4.5 -2547128 +2547128, 2549785 The cumulus-overrides package contains the {{/etc/apt/preferences.d/20_prefer_cumulus}} file that pins packages from specific release names. The pinning file contains the wrong name. To work around this issue, use the origin instead of the release name. 4.0.0-4.0.1 @@ -1196,7 +1196,7 @@ To work around this issue, execute the {{vtysh -f <file>}} command in the 3.7.13-3.7.16 -2546951 +2546951, 2548887 {{switchd}} crashes when dynamic VRF route leaking is enabled and the following is true: * The default route is leaked from VRF1 to VRF2 * Hardware-based dynamic VRF route leaking is configured ({{vrf_route_leak_enable_dynamic}} is set to TRUE in the {{/etc/cumulus/switchd.conf}} file). @@ -1256,7 +1256,7 @@ To work around this issue, run the {{cl-support -M}} command to disable timeouts 3.7.14-3.7.16, 4.1.0-4.4.5 -2546559 +2546559, 2544914, 2544984 On the Mellanox SN3700C switch, if you try to break out 100G switch ports into 2x50G, the configuration fails and {{switchd}} does not restart. Breaking out the ports into 4x25G works without issue. 4.0.0-4.0.1 4.1.0-4.4.5 @@ -1282,7 +1282,7 @@ Command '['/sbin/ifreload', '-a']' returned non-zero exit status 1 4.2.0-4.4.5 -2546454 +2546454, 2548291 When you run the NCLU {{net del all}} command to delete all configuration on the switch, you see an error similar to the following: ERROR: [Errno 2] No such file or directory: '/cumulus/switchd/config/interface/<swp>/port_security/enable'#012Traceback @@ -1325,7 +1325,7 @@ To work around this issue, restart the networking service after {{ifreload -a}} -2546225 +2546225, 2541038 When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in {{/var/lib/cumulus/installer}}, which causes issues with cl-support. sudo onie-install -fai http://<path to image> @@ -1336,7 +1336,7 @@ To work around this issue, restart the networking service after {{ifreload -a}} -2546140 +2546140, 2548774 CPU usage might be higher than normal if you have a high number of interfaces x VLANs and {{lldpd}} is active. This issue is introduced with code changes in Cumulus Linux 3.7.11, where VLAN information is now available for LLDP to advertise to neighbors ([https://docs.cumulusnetworks.com/version/cumulus-linux-37/Layer-2/Link-Layer-Discovery-Protocol/#vlan-dot1-tlv]). You might see high CPU usage even if VLAN (dot1) TLV configuration is disabled. To check if {{lldpd}} is the heavy CPU resource user, run the following command: @@ -1356,7 +1356,7 @@ To work around this issue, you can do one of the following: 3.7.13-3.7.16, 4.1.0-4.4.5 -2546131 +2546131, 2542979 On the Delta AG-6248C PoE switch, when you run the {{apt upgrade}} command, the upgrade does not work. Cumulus Linux uses {{uboot}} directly instead of {{grub}} to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the {{apt upgrade}} command to upgrade Linux packages, {{uboot}} is unable to boot up the kernel. To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the {{onie-select}} command to go into ONIE, and then use the {{nos-install}} command in ONIE to install a new image. This workaround only works when an out-of-band network is present. @@ -1385,7 +1385,7 @@ echo CR > /cumulus/switchd/config/interface/swp${port}/interface_mode ; done 4.1.0-4.4.5 -2545949 +2545949, 2546356, 2546370, 2546539, 2546711, 2546712, 2546916, 2545172, 2546539 All Broadcom Trident3 X7 switches contain PCIE firmware, which is programmed by the vendor when the switch is manufactured. The latest version of this firmware (2.6) is incompatible with Cumulus Linux 3.7.11 and earlier, and Cumulus Linux 4.0. To work around this issue, downgrade the Broadcom ASIC firmware to an earlier version. 3.7.11, 4.0.0-4.4.5 @@ -1425,7 +1425,7 @@ To work around this issue, run the {{net add time ntp server <server> ibur 3.7.12-3.7.16 -2545724 +2545724, 2545163 On the Mellanox switch with the Spectrum or Spectrum-2 ASIC, {{switchd}} might crash, then restart under certain conditions. 4.0.0-4.0.1 4.1.0-4.4.5 @@ -1454,7 +1454,7 @@ To work around this issue, reboot the switch, then remove the static routes or s 4.1.0-4.4.5 -2545536 +2545536, 2545503 On the Mellanox switch with the Spectrum and Spectrum-2 ASIC, IPv6 egress ACLs are not supported on subinterfaces. 4.0.0-4.1.1 3.7.14-3.7.16, 4.2.0-4.4.5 @@ -1555,7 +1555,7 @@ To work around this issue and bring the interfaces up, perform the following con 3.7.11-3.7.16 -2545054 +2545054, 2552126 When you run the NCLU {{net del interface}} command to delete an interface that has a description in the {{/etc/frr/frr.conf}} file but the {{/etc/frr/daemons}} file does not contain {{zebra=yes}, all running FRR daemons ({{bgpd}}, {{ospfd}}, {{ospf6d}}) restart. To work around this issue, remove all interfaces from the {{/etc/frr/frr.conf}} file that are unrelated to routing. 4.0.0-4.1.1 @@ -1607,7 +1607,7 @@ To work around this issue, run the {{sudo systemctl restart lldpd.service}} comm -2544914 +2544914, 2546559 On the NVIDIA SN3700C switch, when you split ports from 100G to 2x50G, {{switchd}} fails to start. 4.0.0-4.0.1 4.1.0-4.4.5 @@ -1620,7 +1620,7 @@ To work around this issue, restart FRR after removing the IPv6 numbered configur 4.2.0-4.4.5 -2544880 +2544880, 2544616, 2554202 When you run the NCLU {{net show commit last}} or {{net show commit <number>}} command, where {{<number>}} is the last commit, no output is shown. 4.0.0-4.4.5 @@ -1632,7 +1632,7 @@ To work around this issue, restart FRR after removing the IPv6 numbered configur 4.2.0-4.4.5 -2544854 +2544854, 2545726 On the Dell S5248F-ON switch, CPU core temp sensors may show as ABSENT. 4.0.0-4.4.5 3.7.12-3.7.16 @@ -1677,7 +1677,7 @@ To work around this issue, do not use auto-negotiation and set the local port sp -2544456 +2544456, 2546166, 2546167, 2547706, 2549513 The NCLU {{net show lldp}} command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. 3.7.9-3.7.16, 4.0.0-4.4.5 @@ -1756,7 +1756,7 @@ You can safely ignore this warning. -2543841 +2543841, 2544947 The {{net show evpn vni detail json}} command includes an extra empty dictionary at the end of the output. 3.7.8-3.7.16, 4.0.0-4.4.5 @@ -1770,7 +1770,7 @@ You can safely ignore this warning. 3.7.12-3.7.16 -2543791 +2543791, 2545026 On the EdgeCore AS5712, AS6712, AS5812 and AS6812 switch, support for multiple PSU types results in log messages similar to the following: 2019-09-05T05:15:17.246597+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2 @@ -1846,14 +1846,14 @@ To work around this issue, configure the ECMP hash seed to the same value on the 3.7.13-3.7.16, 4.1.0-4.4.5 -2543401 +2543401, 2543014 On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to {{admin up}} until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces. To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. 4.0.0-4.4.5 -2543270 +2543270, 2549352 The default route injected through OSPF when you configure {{default-information originate always}} is unreliable and might age out unexpectedly. To work around this issue, rely on a different source of default route other than injection with {{default-information originate}}. 3.7.8-4.1.1 @@ -1881,7 +1881,7 @@ To work around this issue, change the MTU on all SVIs and the bridge manually in -2542979 +2542979, 2546131 On the Dell-N3048EP-ON switch, when you run the {{sudo -E apt upgrade}} command, the upgrade does not work. 3.7.7-4.1.1 4.2.0-4.4.5 @@ -1897,7 +1897,7 @@ cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad -2542872 +2542872, 2542901, 2542901 After you issue the NCLU {{net del bgp vrf <vrf> autonomous-system <AS>}} command and commit the change, Cumulus Linux does not remove the configuration from the {{/etc/frr/frr.conf}} file or the {{net show config commands}}. 3.7.3-3.7.10, 4.0.0-4.4.5 @@ -2044,7 +2044,7 @@ This issue only affects QinQ configurations. -2540204 +2540204, 2713883 When links come up after FRR is started, VRF connected routes do not get redistributed. 3.7.4-3.7.16, 4.0.0-4.4.5 @@ -2208,7 +2208,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537544 +2537544, 2537365 When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB. 3.7.1-3.7.16, 4.0.0-4.4.5 @@ -2254,7 +2254,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2536231 +2536231, 2545399 On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature. In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. 3.7.3-3.7.10, 4.0.0-4.4.5 @@ -2317,7 +2317,7 @@ To work around this issue, use {{net show interface}} command for LLDP output wh 3.7.11-3.7.16 -2534977 +2534977, 2535424 On the Mellanox switch, the destination MAC address of ERSPAN GRE packets is set to all zeros; therefore, the first transit switch might drop packets. 4.0.0-4.2.1 3.7.14-3.7.16, 4.3.0-4.4.5 @@ -2520,7 +2520,7 @@ Reboot the affected switches. 4.3.1, 4.4.2-4.4.5, 5.0.0-5.16.1 -2743186 +2743186, 2734100, 2731464, 3438708 When you use MD5 passwords and you configure a non-default VRF before the default VRF in the {{/etc/frr/frr.conf}} file, numbered BGP sessions do not establish. 3.7.15-5.1.0 5.2.0-5.16.1 @@ -2532,13 +2532,13 @@ Reboot the affected switches. 4.3.1-4.4.5, 4.4.2-4.4.5 -2716822 +2716822, 2710844 The {{/etc/cumulus/ports.conf}} file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports. 3.7.15-4.3.0 4.3.1-4.4.5 -2713888 +2713888, 2834357 With the {{ip-acl-heavy}} TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly. hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources @@ -2628,7 +2628,7 @@ cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32 4.2.1-4.4.5 -2556010 +2556010, 2556276 On Broadcom switches, after repeated VLAN or VXLAN configuration changes, {{switchd}} memory might not free up appropriately, which can lead to a crash. 3.7.14, 4.0.0-4.2.1 3.7.14.2-3.7.16, 4.3.0-4.4.5 @@ -2655,7 +2655,7 @@ To work around this issue, increase the burst value of the ARP policers to 200 o 3.7.15-3.7.16, 4.3.0-4.4.5 -2555175 +2555175, 3195351, 2672721 Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. 3.7.15-4.3.1 4.3.2-4.4.5 @@ -2810,7 +2810,7 @@ To work around this issue, use the {{ethtool -m <interface>}} command.3.7.15-3.7.16, 4.3.0-4.4.5 -2552742 +2552742, 2553000, 2553936 On the Mellanox SN2410 switch, you see {{switchd}} core and {{GBIN_MALLOC}} errors. To work around this issue, restart {{switchd}}. 3.7.12-4.2.1 @@ -2829,7 +2829,7 @@ To work around this issue, restart {{switchd}}. 3.7.14-3.7.16, 4.3.0-4.4.5 -2552505 +2552505, 2552604 Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports. To work around this issue, manually set the MAC address of the bridge interface by adding {{hwaddress <mac-address>}} to the bridge stanza in the {{/etc/network/interfaces}} file. 3.7.11-3.7.13, 4.0.0-4.2.0 @@ -2917,7 +2917,7 @@ To workaround this issue, downgrade to Cumulus Linux 3.7 ESR. -2551162 +2551162, 2550590 {{switchd}} memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time. To work around this issue, correct the cause of the frequent link flaps. You can restart {{switchd}} with the {{sudo systemctl restart switchd}} command to recover memory; this operation is impactful to all traffic on the switch during the restart. 3.7.11-3.7.12, 4.0.0-4.4.5 @@ -3141,7 +3141,7 @@ To work around this issue, restart FRR. 3.7.13-3.7.16 -2548672 +2548672, 2555635 When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF. To work around this issue, remove the unnecessary eBGP IPv4 peering. 3.7.12-3.7.15, 4.0.0-4.2.1 @@ -3229,7 +3229,7 @@ To work around this issue, remove, then re-add the component prefix routes. 3.7.13-3.7.16 -2548373 +2548373, 2548371 On the Edgecore AS5812 switch, the Innodisk DIMM causes a DIMM temperature sensor absent alert. 3.7.12, 4.0.0-4.4.5 3.7.13-3.7.16 @@ -3246,7 +3246,7 @@ cumulus@switch:~$ sudo apt-get install hostapd -y 4.1.0-4.4.5 -2548320 +2548320, 2543525 When configuring VRF route leaking, if you define {{import vrf route-map <name>}} but do not have any imported VRFs, the route map command displays incorrectly, and as a result, FRR fails to reload. 4.0.0-4.1.1 4.2.0-4.4.5 @@ -3353,7 +3353,7 @@ To work around this issue, reboot the switch. -2547706 +2547706, 2544456, 2549513 When you configure ganged ports in the {{ports.conf}} file, the change does not take effect after you restart {{switchd}}. To work around this issue, reboot the switch. 3.7.11-3.7.16, 4.0.0-4.4.5 @@ -3378,7 +3378,7 @@ To work around this issue, reboot the switch. 4.1.0-4.4.5 -2547610 +2547610, 2548114 Mellanox switches with the Spectrum A0 ASIC that are integrated with VMware NSX experience BFD connectivity issues with service nodes. As a result, VXLAN tunnels do not work. Mellanox switches with the Spectrum A1 ASIC do **not** have this issue. 3.7.11-3.7.12, 4.0.0-4.4.5 @@ -3467,7 +3467,7 @@ RTM_NEWNEIGH with unconfigured vlan XXXX on port peerlink 3.7.14-3.7.16, 4.2.0-4.4.5 -2547205 +2547205, 2548334 On the Delta AG6248C switch, the NCLU {{net show system sensors}} command shows an error: Could not collect output from command: ['/usr/sbin/smonctl'] @@ -3492,7 +3492,7 @@ To work around this issue, run the {{net show system sensors json}} command inst 3.7.13-3.7.16, 4.1.0-4.4.5 -2547128 +2547128, 2549785 The cumulus-overrides package contains the {{/etc/apt/preferences.d/20_prefer_cumulus}} file that pins packages from specific release names. The pinning file contains the wrong name. To work around this issue, use the origin instead of the release name. 4.0.0-4.0.1 @@ -3566,7 +3566,7 @@ To work around this issue, execute the {{vtysh -f <file>}} command in the 3.7.13-3.7.16 -2546951 +2546951, 2548887 {{switchd}} crashes when dynamic VRF route leaking is enabled and the following is true: * The default route is leaked from VRF1 to VRF2 * Hardware-based dynamic VRF route leaking is configured ({{vrf_route_leak_enable_dynamic}} is set to TRUE in the {{/etc/cumulus/switchd.conf}} file). @@ -3626,7 +3626,7 @@ To work around this issue, run the {{cl-support -M}} command to disable timeouts 3.7.14-3.7.16, 4.1.0-4.4.5 -2546559 +2546559, 2544914, 2544984 On the Mellanox SN3700C switch, if you try to break out 100G switch ports into 2x50G, the configuration fails and {{switchd}} does not restart. Breaking out the ports into 4x25G works without issue. 4.0.0-4.0.1 4.1.0-4.4.5 @@ -3652,7 +3652,7 @@ Command '['/sbin/ifreload', '-a']' returned non-zero exit status 1 4.2.0-4.4.5 -2546454 +2546454, 2548291 When you run the NCLU {{net del all}} command to delete all configuration on the switch, you see an error similar to the following: ERROR: [Errno 2] No such file or directory: '/cumulus/switchd/config/interface/<swp>/port_security/enable'#012Traceback @@ -3695,7 +3695,7 @@ To work around this issue, restart the networking service after {{ifreload -a}} -2546225 +2546225, 2541038 When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in {{/var/lib/cumulus/installer}}, which causes issues with cl-support. sudo onie-install -fai http://<path to image> @@ -3706,7 +3706,7 @@ To work around this issue, restart the networking service after {{ifreload -a}} -2546140 +2546140, 2548774 CPU usage might be higher than normal if you have a high number of interfaces x VLANs and {{lldpd}} is active. This issue is introduced with code changes in Cumulus Linux 3.7.11, where VLAN information is now available for LLDP to advertise to neighbors ([https://docs.cumulusnetworks.com/version/cumulus-linux-37/Layer-2/Link-Layer-Discovery-Protocol/#vlan-dot1-tlv]). You might see high CPU usage even if VLAN (dot1) TLV configuration is disabled. To check if {{lldpd}} is the heavy CPU resource user, run the following command: @@ -3726,7 +3726,7 @@ To work around this issue, you can do one of the following: 3.7.13-3.7.16, 4.1.0-4.4.5 -2546131 +2546131, 2542979 On the Delta AG-6248C PoE switch, when you run the {{apt upgrade}} command, the upgrade does not work. Cumulus Linux uses {{uboot}} directly instead of {{grub}} to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the {{apt upgrade}} command to upgrade Linux packages, {{uboot}} is unable to boot up the kernel. To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the {{onie-select}} command to go into ONIE, and then use the {{nos-install}} command in ONIE to install a new image. This workaround only works when an out-of-band network is present. @@ -3755,7 +3755,7 @@ echo CR > /cumulus/switchd/config/interface/swp${port}/interface_mode ; done 4.1.0-4.4.5 -2545949 +2545949, 2546356, 2546370, 2546539, 2546711, 2546712, 2546916, 2545172, 2546539 All Broadcom Trident3 X7 switches contain PCIE firmware, which is programmed by the vendor when the switch is manufactured. The latest version of this firmware (2.6) is incompatible with Cumulus Linux 3.7.11 and earlier, and Cumulus Linux 4.0. To work around this issue, downgrade the Broadcom ASIC firmware to an earlier version. 3.7.11, 4.0.0-4.4.5 @@ -3795,7 +3795,7 @@ To work around this issue, run the {{net add time ntp server <server> ibur 3.7.12-3.7.16 -2545724 +2545724, 2545163 On the Mellanox switch with the Spectrum or Spectrum-2 ASIC, {{switchd}} might crash, then restart under certain conditions. 4.0.0-4.0.1 4.1.0-4.4.5 @@ -3824,7 +3824,7 @@ To work around this issue, reboot the switch, then remove the static routes or s 4.1.0-4.4.5 -2545536 +2545536, 2545503 On the Mellanox switch with the Spectrum and Spectrum-2 ASIC, IPv6 egress ACLs are not supported on subinterfaces. 4.0.0-4.1.1 3.7.14-3.7.16, 4.2.0-4.4.5 @@ -3925,7 +3925,7 @@ To work around this issue and bring the interfaces up, perform the following con 3.7.11-3.7.16 -2545054 +2545054, 2552126 When you run the NCLU {{net del interface}} command to delete an interface that has a description in the {{/etc/frr/frr.conf}} file but the {{/etc/frr/daemons}} file does not contain {{zebra=yes}, all running FRR daemons ({{bgpd}}, {{ospfd}}, {{ospf6d}}) restart. To work around this issue, remove all interfaces from the {{/etc/frr/frr.conf}} file that are unrelated to routing. 4.0.0-4.1.1 @@ -3977,7 +3977,7 @@ To work around this issue, run the {{sudo systemctl restart lldpd.service}} comm -2544914 +2544914, 2546559 On the NVIDIA SN3700C switch, when you split ports from 100G to 2x50G, {{switchd}} fails to start. 4.0.0-4.0.1 4.1.0-4.4.5 @@ -3990,7 +3990,7 @@ To work around this issue, restart FRR after removing the IPv6 numbered configur 4.2.0-4.4.5 -2544880 +2544880, 2544616, 2554202 When you run the NCLU {{net show commit last}} or {{net show commit <number>}} command, where {{<number>}} is the last commit, no output is shown. 4.0.0-4.4.5 @@ -4002,7 +4002,7 @@ To work around this issue, restart FRR after removing the IPv6 numbered configur 4.2.0-4.4.5 -2544854 +2544854, 2545726 On the Dell S5248F-ON switch, CPU core temp sensors may show as ABSENT. 4.0.0-4.4.5 3.7.12-3.7.16 @@ -4047,7 +4047,7 @@ To work around this issue, do not use auto-negotiation and set the local port sp -2544456 +2544456, 2546166, 2546167, 2547706, 2549513 The NCLU {{net show lldp}} command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. 3.7.9-3.7.16, 4.0.0-4.4.5 @@ -4126,7 +4126,7 @@ You can safely ignore this warning. -2543841 +2543841, 2544947 The {{net show evpn vni detail json}} command includes an extra empty dictionary at the end of the output. 3.7.8-3.7.16, 4.0.0-4.4.5 @@ -4140,7 +4140,7 @@ You can safely ignore this warning. 3.7.12-3.7.16 -2543791 +2543791, 2545026 On the EdgeCore AS5712, AS6712, AS5812 and AS6812 switch, support for multiple PSU types results in log messages similar to the following: 2019-09-05T05:15:17.246597+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2 @@ -4216,14 +4216,14 @@ To work around this issue, configure the ECMP hash seed to the same value on the 3.7.13-3.7.16, 4.1.0-4.4.5 -2543401 +2543401, 2543014 On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to {{admin up}} until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces. To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. 4.0.0-4.4.5 -2543270 +2543270, 2549352 The default route injected through OSPF when you configure {{default-information originate always}} is unreliable and might age out unexpectedly. To work around this issue, rely on a different source of default route other than injection with {{default-information originate}}. 3.7.8-4.1.1 @@ -4251,7 +4251,7 @@ To work around this issue, change the MTU on all SVIs and the bridge manually in -2542979 +2542979, 2546131 On the Dell-N3048EP-ON switch, when you run the {{sudo -E apt upgrade}} command, the upgrade does not work. 3.7.7-4.1.1 4.2.0-4.4.5 @@ -4267,7 +4267,7 @@ cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad -2542872 +2542872, 2542901, 2542901 After you issue the NCLU {{net del bgp vrf <vrf> autonomous-system <AS>}} command and commit the change, Cumulus Linux does not remove the configuration from the {{/etc/frr/frr.conf}} file or the {{net show config commands}}. 3.7.3-3.7.10, 4.0.0-4.4.5 @@ -4414,7 +4414,7 @@ This issue only affects QinQ configurations. -2540204 +2540204, 2713883 When links come up after FRR is started, VRF connected routes do not get redistributed. 3.7.4-3.7.16, 4.0.0-4.4.5 @@ -4578,7 +4578,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537544 +2537544, 2537365 When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB. 3.7.1-3.7.16, 4.0.0-4.4.5 @@ -4624,7 +4624,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2536231 +2536231, 2545399 On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature. In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. 3.7.3-3.7.10, 4.0.0-4.4.5 @@ -4687,7 +4687,7 @@ To work around this issue, use {{net show interface}} command for LLDP output wh 3.7.11-3.7.16 -2534977 +2534977, 2535424 On the Mellanox switch, the destination MAC address of ERSPAN GRE packets is set to all zeros; therefore, the first transit switch might drop packets. 4.0.0-4.2.1 3.7.14-3.7.16, 4.3.0-4.4.5 @@ -4801,7 +4801,7 @@ One of the following actions recovers the routes: 3.7.10 -2544608 +2544608, 2550042 BGP is configured with soft reconfiguration-in for its peers, which is not working correctly and causes routes to have an unexpected label. As a result, transit traffic is not forwarded by the switch. 3.7.7-3.7.10 @@ -4953,7 +4953,7 @@ You can prevent EVPN next hops from not being removed when the contributing peer 3.7.6-3.7.10 -2542099 +2542099, 2544399 On the EdgeCore AS7816 switch, PCIE errors cause {{switchd}} startup to fail. 3.7.9-3.7.10 @@ -4992,7 +4992,7 @@ To work around this issue, restart {{switchd}}. 3.7.2 -2537820 +2537820, 2542964 When you enable FEC (RS or BaseR) on an interface, removing the configuration from that interface does not revert the FEC status to off/none. 3.7.2-3.7.16 @@ -5003,7 +5003,7 @@ To work around this issue, restart {{switchd}}. 3.7.5-3.7.10 -2537104 +2537104, 2534061 When you try to stop {{hsflowd}} on the Trident II+ switch with the {{systemctl stop hsflowd}} command, the process hangs until you stop it with {{SIGKILL}}. 3.7.1-3.7.16 @@ -5040,7 +5040,7 @@ To work around this issue: -2532396 +2532396, 2529029 Drops due to congestion do not appear to be counted on a Mellanox switch. To work around this issue, run the {{sudo ethtool -S swp1}} command to collect interface traffic statistics. @@ -5051,7 +5051,7 @@ To work around this issue, run the {{sudo ethtool -S swp1}} command to collect i -2529321 +2529321, 2528139 On a Mellanox switch in an MLAG configuration, routed packets that arrive on one switch to be forwarded to a destination MAC across the peer link are dropped due to MLAG loop prevention. This affects both routed unicast and multicast packets. To work around this issue, modify the routing design or policy such that routes do not have a next hop of an MLAG peer switch that traverses the MLAG peer link. diff --git a/content/cumulus-linux-41/Whats-New/rn.md b/content/cumulus-linux-41/Whats-New/rn.md index e7d6203f02..37164c3a19 100644 --- a/content/cumulus-linux-41/Whats-New/rn.md +++ b/content/cumulus-linux-41/Whats-New/rn.md @@ -36,10 +36,10 @@ pdfhidden: True | [2866084](#2866084)
| When you reboot a VTEP, MAC address entries might become out of sync between the kernel FDB table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries are installed against the rebooted VTEP IP address in the kernel FDB and the correct VTEP IP is present in the EVPN MAC VNI table. To work around this issue, clear all corrupted MAC address entries in the kernel FDB with the bridge fdb del
dev [dst\|via] command, then add "vxlan-learning": "off" in the /etc/network/ifupdown2/policy.d/vxlan.json file:
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
  {
       "vxlan": {
           "module_globals": { "vxlan-purge-remotes": "no" },
           "defaults": {
               "vxlan-ageing": "1800",
               "vxlan-port": "4789", <==== This comma needs to be added at the end of this line
               "vxlan-learning": "off" <= This line needs to be added
            }
       }
  }
Reboot the affected switches. | 3.7.12-4.3.0 | 4.3.1-4.4.5| | [2792750](#2792750)
| If you change the clagd-vxlan-anycast-ip setting on both MLAG peers at the same time, both peers use their unique VTEP address indefinitely. | 3.7.15-4.3.0, 4.4.0-4.4.5 | 4.3.1| | [2754723](#2754723)
| When you set route_preferred_over_neigh to FALSE in the /etc/cumulus/switchd.conf file, host routes (/32 or /128) are used for forwarding in hardware instead of a local neighbor entry. | 4.0.0-4.3.0, 4.4.0-4.4.1 | 4.3.1, 4.4.2-4.4.5, 5.0.0-5.16.1| -| [2743186](#2743186)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| +| [2743186, 2734100, 2731464, 3438708](#2743186, 2734100, 2731464, 3438708)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| | [2730225](#2730225)
| When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs. | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.2-4.4.5| -| [2716822](#2716822)
| The /etc/cumulus/ports.conf file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports. | 3.7.15-4.3.0 | 4.3.1-4.4.5| -| [2713888](#2713888)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| +| [2716822, 2710844](#2716822, 2710844)
| The /etc/cumulus/ports.conf file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports. | 3.7.15-4.3.0 | 4.3.1-4.4.5| +| [2713888, 2834357](#2713888, 2834357)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| | [2699399](#2699399)
| When you run the vtysh show ip bgp vrf statistics command, the bgpd service crashes if you use vrf all. For example:
spine01# show ip bgp vrf all statistics 
vtysh: error reading from bgpd: Success (0)Warning: closing connection to bgpd because of an I/O error!

spine01# show bgp vrf all ipv6 unicast statistics 
vtysh: error reading from bgpd: Success (0)Warning: closing connection to bgpd because of an I/O error!

To workaround this issue, run the command against each VRF independently. | 3.7.15, 4.0.0-4.4.5 | 3.7.16| | [2687332](#2687332)
| When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage
To workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:
address-family ipv4 unicast
  aggregate-address 10.10.0.0/16 summary-only
  redistribute connected
After:
ip route 10.10.0.0/16 Null0
  !
  address-family ipv4 unicast
  redistribute connected route-map DENY-COMPONENTS
  redistribute static
   exit-address-family
  ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17
  !
  route-map DENY-COMPONENTS deny 10
   match ip address prefix-list NO-COMPONENTS
  !
  route-map DENY-COMPONENTS permit 20
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2685994](#2685994)
| When you use the NVUE command nv set interface lo router ospf area to configure OSPF on a loopback interface, the configuration fails to apply
To work around this issue, configure the loopback interface in the desired OSPF area with the nv set vrf default router ospf area 0 network command and reference the assigned prefix of the loopback interface. For example:
cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32
| 4.0.0-5.0.1 | 5.1.0-5.16.1| @@ -49,10 +49,10 @@ pdfhidden: True | [2556500](#2556500)
| Cumulus Linux does not support bond members at 200G or greater. | 4.0.0-4.3.4 | 4.4.0-4.4.5| | [2556081](#2556081)
| You cannot set the time zone can with NCLU commands. | 4.1.1-4.4.5 | | | [2556037](#2556037)
| After you add an interface to the bridge, an OSPF session flap might occur
| 3.7.9-4.2.0 | 4.2.1-4.4.5| -| [2556010](#2556010)
| On Broadcom switches, after repeated VLAN or VXLAN configuration changes, switchd memory might not free up appropriately, which can lead to a crash. | 3.7.14, 4.0.0-4.2.1 | 3.7.14.2-3.7.16, 4.3.0-4.4.5| +| [2556010, 2556276](#2556010, 2556276)
| On Broadcom switches, after repeated VLAN or VXLAN configuration changes, switchd memory might not free up appropriately, which can lead to a crash. | 3.7.14, 4.0.0-4.2.1 | 3.7.14.2-3.7.16, 4.3.0-4.4.5| | [2555528](#2555528)
| In an EVPN Active/Active configuration, when one of the peers reboots and begins to refresh IP neighbor entries shared by the MLAG peer, some of these ARP messages might be dropped by the MLAG peer's ARP policer.
To work around this issue, increase the burst value of the ARP policers to 200 or higher. | 3.7.14-4.2.1 | 4.3.0-4.4.5| | [2555400](#2555400)
| On the Edgecore AS7312 switch, eth0 and swp use the same MAC address. | 3.7.14-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| -| [2555175](#2555175)
| Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. | 3.7.15-4.3.1 | 4.3.2-4.4.5| +| [2555175, 3195351, 2672721](#2555175, 3195351, 2672721)
| Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. | 3.7.15-4.3.1 | 4.3.2-4.4.5| | [2554990](#2554990)
| When running traditional mode bridges at scale (for example, when you have more than 200 bridges and a large number of MAC addresses), MLAG bonds flap intermittently from dual to single connected, then back to dual connected, which causes a layer 2 loop and STP state changes.
To work around this issue, either shut down one side of the MLAG bond or prune out VLANS over the bond. | 3.7.13-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| | [2554785](#2554785)
| After you reboot a Broadcom switch, switchd might fail to restart and you see logs in switchd.log similar to the following:
Nov 12 12:20:05.063876 leaf01 switchd[9867]:Nov 12 12:20:05.064310 leaf01 switchd[9867]: hal_bcm_console.c:294 0:system_init:Nov 12 12:20:05.064428 leaf01 switchd[9867]: hal_bcm_console.c:294 system_init: Misc init failed: Operation timed outNov 12 12:20:05.064464 leaf01 switchd[9867]:Nov 12 12:20:05.091995 leaf01 switchd[9867]: hal_bcm_console.c:294 LED: Loading 256 bytes into LED program memoryNov 12 12:20:05.092029 leaf01 switchd[9867]:Nov 12 12:20:05.099547 leaf01 switchd[9867]: hal_bcm_console.c:294 PORT: Error: bcm ports not initializedNov 12 12:20:05.099579 leaf01 switchd[9867]:Nov 12 12:20:05.099646 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /var/lib/cumulus/rc.datapath_0: line 81 (error code -1): script terminatedNov 12 12:20:05.099667 leaf01 switchd[9867]:Nov 12 12:20:05.099775 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /etc/bcm.d/rc.soc: line 70 (error code -1): script terminatedNov 12 12:20:05.099798 leaf01 switchd[9867]:Nov 12 12:20:05.099871 leaf01 switchd[9867]: hal_bcm_console.c:294 ERROR loading rc script on unit 0Nov 12 12:20:05.099892 leaf01 switchd[9867]:Nov 12 12:20:05.099943 leaf01 switchd[9867]: hal_bcm_console.c:299 CRIT loading of rc script failed, aborting!
To work around this issue, configure Cumulus Linux to boot with the ntel_iommu=off kernel command option:1. Open the /etc/default/grub file with a text editor
2. Edit the GRUB_CMDLINE_LINUX variable by adding the string intel_iommu=off at the end. For example: GRUB_CMDLINE_LINUX="cl_platform=cel_e1031 console=ttyS1,115200n8 intel_iommu=off"3. Run the update-grub command
4. Reboot the switch. | 3.7.11-4.2.1 | 4.3.0-4.4.5| | [2554720](#2554720)
| If switchd successfully signals clagd that it is going down, clagd stops responding to keepalive echo requests from the peer instead of sending a good bye to the peer over both the peerlink and the backup switch. Eventually, the keepalive timer expires and the secondary switch becomes the primary, and brings the bonds and VNIs back up. However, if switchd does not successfully signal it is going down, (in the event of a crash), the primary switch continues to respond to keepalives, and the bonds and VNIs are down on both peers. | 3.7.12-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| @@ -66,18 +66,18 @@ pdfhidden: True | [2553677](#2553677)
| When you configure an SNMPv3 user with the net-snmp-config configuration command from the libsnmp-dev package, you get an error message similar to the one below:

cumulus@switch:mgmt-vrf:~$ sudo net-snmp-config --create-snmpv3-user -a shaauthpass -x aesprivpass -A SHA -X AES userSHAwithAES
adding the following line to /var/lib/snmp/snmpd.conf:           
   createUser userSHAwithAES SHA "shaauthpass" AES "aesprivpass"       
adding the following line to /snmp/snmpd.conf:                           
   rwuser userSHAwithAES                                           
touch: cannot touch ‘/snmp/snmpd.conf’: No such file or directory
/usr/bin/net-snmp-create-v3-user: 144: /usr/bin/net-snmp-create-v3-user: cannot create /snmp/snmpd.conf: Directory nonexistent

To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:

cumulus@switch:mgmt-vrf:~$ net add snmp-server username user999 auth-md5 user999password encrypt-des user999encryption

Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation. | 3.7.13-3.7.16, 4.0.0-4.4.5 | | | [2553586](#2553586)
| Multicast traffic on a VPN is sent to remote VTEPs that are not part of the VPN and the remote VTEPs receive multicast traffic encapsulated in a VXLAN ID that doesn't exist.
To work around this issue, disable IGMP snooping on the switch. | 3.7.12-3.7.13, 4.0.0-4.2.1 | 3.7.14-3.7.16, 4.3.0-4.4.5| | [2553568](#2553568)
| After a MAC address moves from one remote VTEP to another, the MAC address continues to point to the old VTEP IP address in hardware. | 4.1.1-4.2.1 | 4.3.0-4.4.5| -| [2553529](#2553529)
| In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated.
To work around this issue, restart FRR with the sudo systemctl restart frr.service command.

| 3.7.10-3.7.13, 4.1.1-4.2.1 | 3.7.14-3.7.16, 4.3.0-4.4.5| +| [2553529, 2553349](#2553529, 2553349)
| In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated.
To work around this issue, restart FRR with the sudo systemctl restart frr.service command.

| 3.7.10-3.7.13, 4.1.1-4.2.1 | 3.7.14-3.7.16, 4.3.0-4.4.5| | [2553219](#2553219)
| You cannot configure SNMPv3 trap-destinations in non-default VRFs with an authentication username that contains fewer than eight characters. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2553116](#2553116)
| When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure.
To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2552939](#2552939)
| RX_DRP on a bond interface increases without any data traffic while the slave port does not increase. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2552869](#2552869)
| On the Dell N3048EP switch, the module information from SFP ports is not displayed in the l1-show command.
To work around this issue, use the ethtool -m command. | 3.7.13-4.2.1 | 4.3.0-4.4.5| | [2552853](#2552853)
| Tenant VRF BGP peers appear in the EVPN RMAC and nexthop tables, which causes the kernel RMAC to point at invalid IP address. | 3.7.12-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| -| [2552742](#2552742)
| On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.
To work around this issue, restart switchd. | 3.7.12-4.2.1 | 4.3.0-4.4.5| +| [2552742, 2553000, 2553936](#2552742, 2553000, 2553936)
| On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.
To work around this issue, restart switchd. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2552704](#2552704)
| In a traditional bridge configuration with ip-forward off, neighbors are synchronized to hardware with a switchd restart but are cleared when you flap the bridge interface. | 3.7.10-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| | [2552527](#2552527)
| Ingress SPAN/ERSPAN does not mirror packets when the next hop is EVPN encapsulated. | 3.7.7-3.7.13, 4.0.0-4.2.1 | 3.7.14-3.7.16, 4.3.0-4.4.5| -| [2552505](#2552505)
| Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports.
To work around this issue, manually set the MAC address of the bridge interface by adding hwaddress to the bridge stanza in the /etc/network/interfaces file. | 3.7.11-3.7.13, 4.0.0-4.2.0 | 3.7.14-3.7.16, 4.2.1-4.4.5| +| [2552505, 2552604](#2552505, 2552604)
| Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports.
To work around this issue, manually set the MAC address of the bridge interface by adding hwaddress to the bridge stanza in the /etc/network/interfaces file. | 3.7.11-3.7.13, 4.0.0-4.2.0 | 3.7.14-3.7.16, 4.2.1-4.4.5| | [2552294](#2552294)
| NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command.
| 3.7.12-3.7.16, 4.0.0-4.4.5 | | -| [2552212](#2552212)
| The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages. | 3.7.11-3.7.14, 4.1.1-4.3.0 | 3.7.14.2-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5| +| [2552212, 2553637](#2552212, 2553637)
| The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages. | 3.7.11-3.7.14, 4.1.1-4.3.0 | 3.7.14.2-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5| | [2552204](#2552204)
| If the MAC address of an SVI changes, clagd does not update its permanent neighbor entry for the local interface, and it does not report the change to its MLAG peer. This leaves the MLAG peer in a state where its permanent neighbor for the MLAG peer's SVI IP address continues to use the old MAC address, which causes routed traffic over this SVI to be dropped.
To work around this issue, ifdown/ifup the SVI when a MAC address changes. | 3.7.12-3.7.13, 4.0.0-4.2.0 | 3.7.14-3.7.16, 4.2.1-4.4.5| | [2551911](#2551911)
| ifupdown2 does not account for link status or link down configuration when running dhclient. For example, ifupdown2 ignores link-down yes during ifup/ifreload and runs the DHCP module if inet dhcp is configured on the interface. ifupdown2 also runs the DHCP module even when the physical link configured for DHCP is down. | 3.7.12-4.2.0 | 4.2.1-4.4.5| | [2551771](#2551771)
| When a specific PIM join/prune packet is received from a PIM neighbor the pimd process might crash with a core file. | 4.0.0-4.1.1 | 4.2.0-4.4.5| @@ -98,11 +98,11 @@ pdfhidden: True | [2551290](#2551290)
| Non SFF-8634/SFF-8636 compliant 40G AOC modules might not link up when inserted into the Mellanox SN3700 switch. The EEPROM bytes for RX amplitude control (page 03h, bytes #236-239) are defined as volatile in the SFF specification (SFF-8634/8636); after the module power is off, the EEPROM values should return to their defaults. However, these bytes are observed to be non-volatile in the modules listed below.
- Mellanox MFP4R12CB-0XX (Luxtera)
- AVAGO AFBR-79Q4PACXXZ

https://www.finisar.com/sites/default/files/downloads/fcbg410qb1cxx_quadwire_40gbs_parallel_active_optical_cable_product_spec_revb7.pdf
https://www.mouser.com/ProductDetail/Finisar/FCBN410QB1C03?qs=D%252B6gCNt%2Fg2BZq7qPdKrYVA%3D%3D
Because the modules listed above do not return to their default values correctly when they are unplugged and re-inserted, a cable might become unusable until it is reprogramed. | 4.1.1-4.2.0 | 4.2.1-4.4.5| | [2551273](#2551273)
| On a Mellanox SN2010 switch, the Locator LED is on after you upgrade Cumulus Linux. | 4.1.0-4.4.5 | | | [2551187](#2551187)
| dot1qVlanIndex in the dot1qVlanStaticTable of the SNMP Q-BRIDGE-MIB does not use VLAN ID and does not comply with RFC 4363. | 4.1.1-4.2.1 | 4.3.0-4.4.5| -| [2551162](#2551162)
| switchd memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time.
To work around this issue, correct the cause of the frequent link flaps. You can restart switchd with the sudo systemctl restart switchd command to recover memory; this operation is impactful to all traffic on the switch during the restart. | 3.7.11-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| +| [2551162, 2550590](#2551162, 2550590)
| switchd memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time.
To work around this issue, correct the cause of the frequent link flaps. You can restart switchd with the sudo systemctl restart switchd command to recover memory; this operation is impactful to all traffic on the switch during the restart. | 3.7.11-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| | [2551124](#2551124)
| When the dynamic or static flag on a bridge fdb (MAC) entry is changed to the opposite state, the new flag is not set appropriately in hardware. This can allow a static fdb entry to be unexpectedly learned dynamically on a different interface, or can prevent a dynamic entry from being updated or learned elsewhere.
This condition can occur during a manual replacement of a local MAC address or when EVPN updates a dynamic MAC address to add or remove the Sticky Mac flag. Either situation results in the MAC address keeping the original flag in hardware.
To work around this issue, delete or withdraw the fdb entry, then add the static MAC address directly. For example:

bridge fdb del 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master
bridge fdb add 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master [ static \| dynamic ]

If you are unable to delete an EVPN-learned remote MAC address, you can replace the dynamic MAC address with a local static one, then delete the static MAC address. For example:

bridge fdb replace 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master static
bridge fdb del 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master
bridge fdb add 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master [ static \| dynamic ]
| 4.0.0-4.2.1 | 4.3.0-4.4.5| | [2551111](#2551111)
| If a remote EVPN Sticky MAC [Static MAC address] is unexpectedly learned dynamically on a local interface, the selected entries in zebra and BGP are in an inconsistent state.
zebra increments the local MAC mobility sequence number and considers the MAC address to be local, but BGP maintains the remote Sticky MAC as the best path selected. This results in zebra installing the local MAC address and BGP not updating the route for the MAC address. | 4.0.0-4.4.5 | | | [2550974](#2550974)
| On the Dell S3000 switch, after installing the Cumulus Linux 4.1.1 disk image without a license, the switch sends a link beat if a remote host port is configured. | 3.7.11-3.7.16, 4.1.1-4.4.5 | | -| [2550973](#2550973)
| After you enable ROCE with the net add interface storage-optimized pfc command, you cannot verify the command because it is not shown in the net show config command output. | 4.1.1-4.2.1 | 4.3.0-4.4.5| +| [2550973, 2548408](#2550973, 2548408)
| After you enable ROCE with the net add interface storage-optimized pfc command, you cannot verify the command because it is not shown in the net show config command output. | 4.1.1-4.2.1 | 4.3.0-4.4.5| | [2550942](#2550942)
| NCLU tab completion for net show displays the text add help text instead of system Information for the system option. | 3.7.11-4.2.0 | 4.2.1-4.4.5| | [2550906](#2550906)
| After you delete a bond, the deleted bond members have the deleted bond MAC address instead of their original MAC address, which might result in traffic being discarded.
To work around this issue, perform a full switch restart. | 4.1.1-4.2.1 | 4.3.0-4.4.5| | [2550872](#2550872)
| In an MLAG configuration with static VXLAN, static tunnels become unreachable. | 3.7.13, 4.1.1-4.2.0 | 3.7.14-3.7.16, 4.2.1-4.4.5| @@ -120,7 +120,7 @@ pdfhidden: True | [2550324](#2550324)
| On the Mellanox switches with BFD configured, you might see high load averages. | 4.1.1 | 4.2.0-4.4.5| | [2550276](#2550276)
| In LLDP, the snmp subagent loses all subsequent lldpRemSysName (1.0.8802.1.1.2.1.4.1.1.9) entries after an entry with a missing SysName is added.
All the information from lldpctl is correct. Only the entries after the entry that is missing a SysName in lldpRemSysName disappear from the snmp subagent. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2550275](#2550275)
| If packets with an invalid checksum are received, the cumulus-poe service might restart and you see log messages similar to the following:
May 20 10:48:04.665635 leaf01 poed[8012]: ERROR : invalid checksum in response [0xC2:0x00]
May 20 10:48:04.671299 leaf01 poed[8012]: poed : ERROR : invalid checksum in response [0xC2:0x00]
May 20 10:48:04.708620 leaf01 systemd[1]: cumulus-poe.service: main process exited, code=exited, status=1/FAILURE
The service starts automatically but there is an impact to POE devices momentarily. | 3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| -| [2550264](#2550264)
| The sx_sdk service may log errors and/or generate a core file when configuring breakout ports on Mellanox Spectrum platforms. The error message observed will be similar to the following:

sx_sdk: EMAD_RX_THREAD: EMAD transaction FW error

This issue is resolved in Cumulus Linux 4.2.0 and above. | 4.1.1 | 4.2.0-4.4.5| +| [2550264, 2550998](#2550264, 2550998)
| The sx_sdk service may log errors and/or generate a core file when configuring breakout ports on Mellanox Spectrum platforms. The error message observed will be similar to the following:

sx_sdk: EMAD_RX_THREAD: EMAD transaction FW error

This issue is resolved in Cumulus Linux 4.2.0 and above. | 4.1.1 | 4.2.0-4.4.5| | [2550243](#2550243)
| When you use nginx and restserver in management VRF to provide a REST API for the switch, nginx starts but restserver fails to start.
To work around this issue, comment out the Requires= line in the /lib/systemd/system/restserver.service. For example:

#Requires=nginx.service restserver.socket
| 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2550056](#2550056)
| The ACCTON-DIAG option under the Cumulus Linux GRUB menu does not work. When you select this option, you see the following error:

error: invalid signature.
Press any key to continue...
| 3.7.12-3.7.16, 4.1.1-4.4.5 | | | [2549958](#2549958)
| When you move an interface from one VRF to another and modify the description in the same configuration operation, FRR crashes and restarts during a service reload. If these two changes occur in separate reloads, FRR does not crash. | 4.1.1 | 4.2.0-4.4.5| @@ -141,7 +141,7 @@ pdfhidden: True | [2549392](#2549392)
| When you configure an RD or RT with NCLU, you see duplicate VNI stanzas in the /etc/frr/frr.conf file.
To work around this issue, manually edit the etc/frr/frr.conf file to define advertise-all-vni before the RD or RT configuration within the l2vpn EVPN address family, then reload the FRR service with the sudo systemctl reload frr command. | 4.1.0-4.4.5 | | | [2549385](#2549385)
| FRR incorrectly orders advertise-all-vni to be later in the configuration than manual rd or route-target definitions. This causes the rd or route-target configuration to be misapplied or not applied at all.
To work around this issue, when you manually configure the rd or route-target for a VNI, you must manually edit the /etc/frr/frr.conf file to define advertise-all-vni before the rd or route-target configuration within the l2vpn evpn address family. | 4.0.0-4.1.1 | 4.2.0-4.4.5| | [2549371](#2549371)
| When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.4 | 4.4.0-4.4.5| -| [2549269](#2549269)
| On Mellanox switches with the Spectrum-2 ASIC, when you use more than 16 bonds on the switch, you might experience forwarding issues or see an error similar to the following in switchd.log:

2020-04-07T15:59:27.345421+10:00 le-266-q14-2-res switchd[8422]: hal_mlx_bond.c:1696 ERR member_fwd_update_cb spartan-bm87 collector set failed for swp3s0: Driver's Return Status is Non-Zero
2020-04-07T15:59:27.345557+10:00 le-266-q14-2-res switchd[8422]:
2020-04-07T15:59:27.348432+10:00 le-266-q14-2-res switchd[8422]: hal_mlx_bond.c:1705 ERR member_fwd_update_cb spartan-bm87 distributor set failed for swp3s0: Driver's Return Status is Non-Zero

To work around this issue, configure fewer than 16 bonds on a switch. | 4.1.0-4.1.1 | 4.2.0-4.4.5| +| [2549269, 2551467](#2549269, 2551467)
| On Mellanox switches with the Spectrum-2 ASIC, when you use more than 16 bonds on the switch, you might experience forwarding issues or see an error similar to the following in switchd.log:

2020-04-07T15:59:27.345421+10:00 le-266-q14-2-res switchd[8422]: hal_mlx_bond.c:1696 ERR member_fwd_update_cb spartan-bm87 collector set failed for swp3s0: Driver's Return Status is Non-Zero
2020-04-07T15:59:27.345557+10:00 le-266-q14-2-res switchd[8422]:
2020-04-07T15:59:27.348432+10:00 le-266-q14-2-res switchd[8422]: hal_mlx_bond.c:1705 ERR member_fwd_update_cb spartan-bm87 distributor set failed for swp3s0: Driver's Return Status is Non-Zero

To work around this issue, configure fewer than 16 bonds on a switch. | 4.1.0-4.1.1 | 4.2.0-4.4.5| | [2549225](#2549225)
| You might see the following gport error messages in switchd.log:

2020-04-10T19:50:01.011224+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x800007a find failed
2020-04-10T19:50:01.011631+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x8000009 find failed

These messages are harmless and can be ignored. | 3.7.12-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| | [2548998](#2548998)
| On the Mellanox SN2010 and SN2100 switch, the fan speed might ramp up and down. | 4.1.0-4.1.1 | 4.2.0-4.4.5| | [2548988](#2548988)
| On Mellanox switches, the thermal monitoring script starts in suspended mode and, as a result, the fans run at sixty percent. You also see the following log message:

hw-management.sh[847]: Thermal algorithm is manually suspend.

To work around this issue, run the following command to enable thermal monitoring:

cumulus@switch:~$ sudo echo 0 > /var/run/hw-management/config/suspend
| 4.0.0-4.1.1 | 4.2.0-4.4.5| @@ -149,26 +149,26 @@ pdfhidden: True | [2548930](#2548930)
| On Mellanox Spectrum switches that contain an OSPF IP unnumbered neighborship with a high scale of prefixes being learned, a link flap might cause the neighbor entry to not be programmed in hardware. | 3.7.11-4.2.1 | 4.3.0-4.4.5| | [2548924](#2548924)
| On the EdgeCore Minipack AS8000, storm control does not restrict unknown unicast, broadcast, or multicast traffic. | 4.1.1-4.4.5 | | | [2548920](#2548920)
| If you try to remove BFD configuration with a reload, the FRR service fails. The reload action results in a TypeError: expected string or bytes-like object error.
You see this issue only if there is default configuration, such as configuration in the /etc/frr/frr.conf file that is suppressed from view in the FRR running configuration.
To work around this issue, remove the default configuration lines; for example: 

username cumulus nopassword
| 4.1.0-4.1.1 | 4.2.0-4.4.5| -| [2548892](#2548892)
| NTP does not start when you use the default VRF instead of the management VRF. | 4.1.0-4.1.1 | 4.2.0-4.4.5| +| [2548892, 2549358, 2555149](#2548892, 2549358, 2555149)
| NTP does not start when you use the default VRF instead of the management VRF. | 4.1.0-4.1.1 | 4.2.0-4.4.5| | [2548746](#2548746)
| On the Broadcom switch with the Trident3 ASIC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect. | 3.7.11-4.1.1 | 4.2.0-4.4.5| | [2548674](#2548674)
| A large number of flapping peers causes FRR to require a corresponding update to internal data structures that track peer information. Updating this internal data structure does not delete links that are down due to the flapping. The size of this array then grows to contain both current peers as well as peers that should have been deleted during the flap processing. The contents of this array is processed by FRR to poll the links, which consumes CPU for all items in the array. This additional polling consumes more CPU than necessary but has no functional impact.
To work around this issue, restart FRR. | 3.7.11-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| -| [2548672](#2548672)
| When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.
To work around this issue, remove the unnecessary eBGP IPv4 peering. | 3.7.12-3.7.15, 4.0.0-4.2.1 | 3.7.16, 4.3.0-4.4.5| +| [2548672, 2555635](#2548672, 2555635)
| When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.
To work around this issue, remove the unnecessary eBGP IPv4 peering. | 3.7.12-3.7.15, 4.0.0-4.2.1 | 3.7.16, 4.3.0-4.4.5| | [2548657](#2548657)
| When you upgrade Cumulus Linux on the EdgeCore AS7726-32X or AS7326-56X switch, you might see firmware errors similar to the following:

W: Possible missing firmware /lib/firmware/tigon/tg3_tso5.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3_tso.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3.bin for module tg3

You can safely ignore these error messages. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2548595](#2548595)
| The net show config and net show time ntp server commands do not show NTP server configuration. | 4.1.0-4.2.0 | 4.2.1-4.4.5| -| [2548586](#2548586)
| After you flap an MLAG peerlink, a rare condition might occur where routes and neighbors for VXLAN-enabled VLANs are misprogrammed as non-VXLAN routes and neighbors due to VNI state transitions. This results in a forwarding failure for traffic destined to these misprogrammed routes and neighbors.
*Note*: Do not flap a VNI interface manually. The only expected time for a VNI interface to go down is when the MLAG secondary switch brings the VNIs protodown during a peer link failure where the backup IP address is still active.
To recover from this condition, restart switchd with the sudo systemctl restart switchd command. | 3.7.10-3.7.12, 4.1.0-4.4.5 | 3.7.13-3.7.16| +| [2548586, 2549256](#2548586, 2549256)
| After you flap an MLAG peerlink, a rare condition might occur where routes and neighbors for VXLAN-enabled VLANs are misprogrammed as non-VXLAN routes and neighbors due to VNI state transitions. This results in a forwarding failure for traffic destined to these misprogrammed routes and neighbors.
*Note*: Do not flap a VNI interface manually. The only expected time for a VNI interface to go down is when the MLAG secondary switch brings the VNIs protodown during a peer link failure where the backup IP address is still active.
To recover from this condition, restart switchd with the sudo systemctl restart switchd command. | 3.7.10-3.7.12, 4.1.0-4.4.5 | 3.7.13-3.7.16| | [2548561](#2548561)
| On the EdgeCore Minipack-AS8000, when you try to configure ROCEv2, you see errors indicating that PFC is not working properly. | 4.0.0-4.1.1 | 4.2.0-4.4.5| | [2548496](#2548496)
| Cumulus Linux supports a maximum of 300 ACLs for use with 802.1X interfaces. This limit encompasses the default ACLs, pre-auth ACLs and dynamic ACLs. Exceeding this limit can affect the performance of the switch. | 4.1.0-4.1.1 | 4.2.0-4.4.5| | [2548490](#2548490)
| A change in a route map prefix list that should remove a route might not be reflected in the ospf6 database or in peers, and the route might not be deleted.
To work around this issue, reenter the redistribute route-map statement in the configuration. | 3.7.11-4.1.1 | 4.2.0-4.4.5| | [2548485](#2548485)
| If you configure the aggregate-address
summary-only option before injecting a component of the same aggregate into the BGP table with the network or redistribute command, when you remove the aggregate-address configuration, the component stays suppressed; it is not advertised to peers. For example:Existing configuration:
router bgp 1
address-family ipv4 unicast
 aggregate-address 50.0.0.0/8 summary-only
exit-address-family
If you add network 50.0.0.1/32, you see the following (expected) BGP table entries:
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
             i internal, r RIB-failure, S Stale, R RemovedOrigin codes: i - IGP, e - EGP, ? - incomplete
  Network          Next Hop            Metric LocPrf Weight Path*> 50.0.0.0         0.0.0.0                            32768 is> 50.0.0.1/32      0.0.0.0                  0         32768 i
Removing aggregate-address 50.0.0.0/8 summary-only at this point results in the following (unexpected) BGP table entry:
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
             i internal, r RIB-failure, S Stale, R RemovedOrigin codes: i - IGP, e - EGP, ? - incomplete
  Network          Next Hop            Metric LocPrf Weight Paths> 50.0.0.1/32      0.0.0.0                  0         32768 i
To work around this issue, remove, then re-add the component prefix routes. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2548457](#2548457)
| The global MTU setting in the mtu.json file does not take effect on SVI interfaces after ifreload -a.
To work around this issue, run sudo systemctl restart networking or restart the switch.
Note: A network restart is a disruptive operation. | 4.1.0-4.1.1 | 4.2.0-4.4.5| | [2548422](#2548422)
| You might see a core file in FRRouting related to OSPFv3 if the switch is configured as both an OSPFv3 ABR and ASBR, and other switches in the same area are also configured as both ABR and ASBR. This issue is not seen with a single ABR or ASBR in an area or if there are multiple ASBRs in an area not acting as ABRs. To work around this issue, do not perform redistribution on more than one ABR in the same area. | 4.0.0-4.1.1 | 4.2.0-4.4.5| -| [2548408](#2548408)
| net show configuration commands does not show the RoCE net add interface storage-optimized pfc configuration. | 4.1.0-4.2.1 | 4.3.0-4.4.5| +| [2548408, 2550973](#2548408, 2550973)
| net show configuration commands does not show the RoCE net add interface storage-optimized pfc configuration. | 4.1.0-4.2.1 | 4.3.0-4.4.5| | [2548383](#2548383)
| The QuantaMesh BMS T3048-LY8 switch shows a low fan RPM in syslog. | 3.7.5-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| -| [2548373](#2548373)
| On the Edgecore AS5812 switch, the Innodisk DIMM causes a DIMM temperature sensor absent alert. | 3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| -| [2548320](#2548320)
| When configuring VRF route leaking, if you define import vrf route-map but do not have any imported VRFs, the route map command displays incorrectly, and as a result, FRR fails to reload. | 4.0.0-4.1.1 | 4.2.0-4.4.5| +| [2548373, 2548371](#2548373, 2548371)
| On the Edgecore AS5812 switch, the Innodisk DIMM causes a DIMM temperature sensor absent alert. | 3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| +| [2548320, 2543525](#2548320, 2543525)
| When configuring VRF route leaking, if you define import vrf route-map but do not have any imported VRFs, the route map command displays incorrectly, and as a result, FRR fails to reload. | 4.0.0-4.1.1 | 4.2.0-4.4.5| | [2548310](#2548310)
| When the system boots, we might see " cumulus systemd-udevd[7566]: Process '/usr/bin/hw-management-thermal-events.sh add thermal_zone /sys /devices/virtual/thermal/thermal_zone25 thermal_zone25' failed with exit code 1" errors.

These errors are result of user space acting on kernel events a bit slow. The mlxsw_minimal driver is added during kernel boot; An SDK reset causes the driver to be deleted and re-instantiated; User space handler for thermal zone add sees the add first; But the underlying device is deleted before it can act on it. This situation is rectified as the mlxsw_minimal driver is re-instantiated later;
| 4.1.0-4.4.5 | | | [2548308](#2548308)
| When the garbage collector does not release memory back to the operating system, clagd might consume a large amount of memory. As a result of low system memory, systemd might shut down services to reclaim memory.
| 3.7.11-3.7.12, 4.1.0-4.4.5 | 3.7.13-3.7.16| -| [2548275](#2548275)
| On the QuantaMesh BMS T5032-LY6 switch, when you run the hwclock command, you might see the error hwclock: select() to /dev/rtc0 to wait for clock tick timed out. | 4.1.0-4.1.1 | 4.2.0-4.4.5| +| [2548275, 2548503, 2556077](#2548275, 2548503, 2556077)
| On the QuantaMesh BMS T5032-LY6 switch, when you run the hwclock command, you might see the error hwclock: select() to /dev/rtc0 to wait for clock tick timed out. | 4.1.0-4.1.1 | 4.2.0-4.4.5| | [2548260](#2548260)
| The net add routing route-map permit set community command does not add the set statement into the /etc/frr/frr.conf file. | 4.0.0-4.4.5 | | | [2548243](#2548243)
| On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules. | 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2548242](#2548242)
| On the Mellanox SN3800 switch, when you run sudo -E apt-get update, then sudo -E apt get upgrade, you see a dialog prompting you for the interface on which to run DHCP, followed by a request for DHCP relay options. You can ignore this dialog and press enter to continue with the upgrade. | 4.1.0-4.1.1 | 4.2.0-4.4.5| @@ -184,9 +184,9 @@ pdfhidden: True | [2547839](#2547839)
| When you try to configure link-down on a parent interface of a subinterface configured in a VRF, you encounter an error. | 3.7.11-4.1.1 | 4.2.0-4.4.5| | [2547783](#2547783)
| PTM mis-detects incorrect hostnames of LLDP neighbors and does not fail them as expected. Instead they end up in an N/A cabling status. | 3.7.11-3.7.13, 4.0.0-4.1.1 | 3.7.14-3.7.16, 4.2.0-4.4.5| | [2547782](#2547782)
| If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2547706](#2547706)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2547706, 2544456, 2549513](#2547706, 2544456, 2549513)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2547667](#2547667)
| On the Dell S5232F-ON switch, the output of ledmgrd shows amber_blinking but smonctl shows all OK. | 3.7.11-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| -| [2547610](#2547610)
| Mellanox switches with the Spectrum A0 ASIC that are integrated with VMware NSX experience BFD connectivity issues with service nodes. As a result, VXLAN tunnels do not work.
Mellanox switches with the Spectrum A1 ASIC do **not** have this issue. | 3.7.11-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| +| [2547610, 2548114](#2547610, 2548114)
| Mellanox switches with the Spectrum A0 ASIC that are integrated with VMware NSX experience BFD connectivity issues with service nodes. As a result, VXLAN tunnels do not work.
Mellanox switches with the Spectrum A1 ASIC do **not** have this issue. | 3.7.11-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| | [2547405](#2547405)
| When you restart the hsflowd service, you see a systemd warning message similar to the following:

Warning: The unit file, source configuration file or drop-ins of hsflowd@mgmt.service changed on disk. Run 'systemctl daemon-reload'.
| 4.0.0-4.4.5 | | | [2547340](#2547340)
| When host-resources and ucd-snmp-mib are polled, you see permission denied messages similar to the following:

Jan 30 19:22:53 switch123 snmpd[23172]: Cannot statfs /sys/kernel/debug/tracing: Permission denied
| 3.7.13, 4.0.0-4.1.1 | 3.7.14-3.7.16, 4.2.0-4.4.5| | [2547245](#2547245)
| The MLAG switch pair has VLANs defined that are not used on MLAG bonds. These VLANs still synchronize MAC addresses across to the peer switch. This results in log messages that indicate a MAC address is installed and the VLAN is not defined; for example:

RTM_NEWNEIGH with unconfigured vlan XXXX on port peerlink
| 3.7.10-3.7.13, 4.0.0-4.1.1 | 3.7.14-3.7.16, 4.2.0-4.4.5| @@ -196,42 +196,42 @@ pdfhidden: True | [2547068](#2547068)
| Hardware platforms using the Intel D-1500 CPU series might reboot unexpectedly
To work around this issue, contact your hardware vendor to inquire if a new version of BIOS with a microcode fix is available or manually disable CPU C-states in the kernel as outlined below
To permanently disable C-states using a kernel boot parameter:1. Edit /etc/default/grub to add the argument processor.max_cstate=0 to the variable GRUB_CMDLINE_LINUX. For example, if /etc/default/grub file contains the line GRUB_CMDLINE_LINUX="cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off", change it to GRUB_CMDLINE_LINUX="cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off processor.max_cstate=0"2. Run sudo update-grub
3. Reboot the system with sudo reboot
To disable cstates in realtime on the current system, which does not persist through a reboot:1. Confirm that the libpci3 package is installed. Run dpkg-query -l libpci3 and confirm the following line is displayed:ii libpci3:amd64 1:3.2.1-3 amd64 Linux PCI Utilities (shared library)The first field above should read ii. If not, install the libpci3 package by running sudo apt upgrade;sudo apt install libpci3
2. Disable C-states by running the command ./cpupower idle-set -d 2
C-states are disabled by default in Cumulus Linux 4.3.0 and later. | 3.7.9-4.2.1 | 4.3.0-4.4.5| | [2546991](#2546991)
| The FRR service does not provide a way for automation to know if the configuration applied properly.
To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546985](#2546985)
| On the EdgeCore AS7326-56X switch, the PSU fans show constant LOW warnings. | 3.7.10-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| -| [2546951](#2546951)
| switchd crashes when dynamic VRF route leaking is enabled and the following is true:
* The default route is leaked from VRF1 to VRF2
* Hardware-based dynamic VRF route leaking is configured (vrf_route_leak_enable_dynamic is set to TRUE in the /etc/cumulus/switchd.conf file).
You might see logs similar to the following in /var/log/syslog:

kernel: [159400.526241] switchd[21374]: segfault at 1229cdd84 ip 00000000004142ca sp 00007ffd557a86d0 error 4 in switchd[400000+71000]

To work around this issue, use a route map to filter the default route (the source VRF is imported into the destination VRF). | 3.7.10-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| +| [2546951, 2548887](#2546951, 2548887)
| switchd crashes when dynamic VRF route leaking is enabled and the following is true:
* The default route is leaked from VRF1 to VRF2
* Hardware-based dynamic VRF route leaking is configured (vrf_route_leak_enable_dynamic is set to TRUE in the /etc/cumulus/switchd.conf file).
You might see logs similar to the following in /var/log/syslog:

kernel: [159400.526241] switchd[21374]: segfault at 1229cdd84 ip 00000000004142ca sp 00007ffd557a86d0 error 4 in switchd[400000+71000]

To work around this issue, use a route map to filter the default route (the source VRF is imported into the destination VRF). | 3.7.10-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| | [2546895](#2546895)
| If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:
bq. systemd[1]: switchd.service watchdog timeout (limit 2min)!
To workaround this issue, either reduce the number of configured interfaces and, or VLANs, or increase the systemd timeout for switchd.service
To increase the systemd timeout:1.Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter
2.Restart the switchd service with the sudo systemctl restart switchd.service command
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546874](#2546874)
| On the Dell S5232F, S5248F, S5296F, and S3048 switch, using the poweroff or halt commands does not fully power off the switch. | 4.0.0-4.4.5 | | | [2546485](#2546485)
| The EdgeCore Minipack-AS8000 switch supports FEC RS by default; you cannot disable this setting. However, the ethtool --show-fec command output indicates that FEC is disabled. Also, if you try to change the FEC setting, Cumulus Linux reports an error. For example:

cumulus@switch:~$  net add interface swp23 link speed 100000
cumulus@switch:~$  net add interface swp23 link autoneg off
cumulus@switch:~$  net add interface swp23 link fec rs
"/sbin/ifreload -a" failed:
error: swp23: cmd '/sbin/ethtool --set-fec swp23 encoding rs' failed: returned 255 (Cannot set FEC settings: Operation not supported)
Command '['/sbin/ifreload', '-a']' returned non-zero exit status 1
| 4.0.0-4.1.1 | 4.2.0-4.4.5| | [2546337](#2546337)
| The net show bridge macs command returns an empty interface column.
To work around this issue, run the bridge fdb show command to show the interface. | 4.0.0-4.1.1 | 4.2.0-4.4.5| | [2546255](#2546255)
| On the EdgeCore Minipack-AS8000 switch, a 100G DAC link does not come up when auto-negotiation is enabled on the neighbor. This switch does not support 100G DAC auto-negotiation at this time. | 4.0.0-4.4.5 | | -| [2546225](#2546225)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2546131](#2546131)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546225, 2541038](#2546225, 2541038)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546131, 2542979](#2546131, 2542979)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2545933](#2545933)
| Mellanox switches might experience higher CPU usage from the sx_sdk service or when BFD is in use.
To work around this issue, disable BFD to alleviate some of the CPU load. | 3.7.13, 4.0.0-4.1.1 | 3.7.14-3.7.16, 4.2.0-4.4.5| | [2545837](#2545837)
| If you use the NCLU commands to configure NTP and run the net add time ntp source command before you run the net add time ntp server iburst command, the /etc/ntp.conf file is misconfigured.
To work around this issue, run the net add time ntp server iburst command before you run the net add time ntp source command. | 3.7.10-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| -| [2545536](#2545536)
| On the Mellanox switch with the Spectrum and Spectrum-2 ASIC, IPv6 egress ACLs are not supported on subinterfaces. | 4.0.0-4.1.1 | 3.7.14-3.7.16, 4.2.0-4.4.5| +| [2545536, 2545503](#2545536, 2545503)
| On the Mellanox switch with the Spectrum and Spectrum-2 ASIC, IPv6 egress ACLs are not supported on subinterfaces. | 4.0.0-4.1.1 | 3.7.14-3.7.16, 4.2.0-4.4.5| | [2545520](#2545520)
| The length of the netlink message is not set properly for non-bridge family type messages. The same length is used for both bridge and non-bridge even though the bridge family type message has an extra attribute. This causes extra bytes to be left over in non-bridge family type netlink messages. | 3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2545352](#2545352)
| With a high number of active routes (20K or more), when you perform a networking restart, the FRR log files might become flooded with error messages associated with the restart. These logs are normal and are not directly a problem. However, the large number of messages can cause the logs to _rotate away_ any previous history, which prevents you from tracing back events leading up to the restart. In a troubleshooting environment, this can be problematic. | 4.0.0-4.1.1 | 4.2.0-4.4.5| | [2545239](#2545239)
| On the Mellanox switch with the Spectrum-2 ASIC, Precision Time Protocol (PTP) is not currently supported. | 4.0.0-4.3.4 | 4.4.0-4.4.5| | [2545233](#2545233)
| On the Delta AG9032v1 switch, smonctl and sensors report inaccurate PSU current and power. | 4.0.0-4.4.5 | | | [2545164](#2545164)
| On the Mellanox switch with the Spectrum 2 ASIC, interfaces using 100G or 200G Direct Attach Cables (DACs) do not come up with the interface default configuration.
To work around this issue and bring the interfaces up, perform the following configuration on both sides of the link:
* Set the interface speed to the desired speed
* Set link auto-negotiation to _off_
* Set link FEC to RS mode | 4.0.0-4.1.1 | 4.2.0-4.4.5| | [2545125](#2545125)
| If you configure more than one VRR interface on an SVI interface, deleting one of the VRR addresses does not remove the interface/address. | 3.7.10-3.7.16, 4.0.0-4.4.5 | | -| [2545054](#2545054)
| When you run the NCLU net del interface command to delete an interface that has a description in the /etc/frr/frr.conf file but the /etc/frr/daemons file does not contain zebra=yes}, all running FRR daemons (bgpd, ospfd, ospf6d) restart
To work around this issue, remove all interfaces from the /etc/frr/frr.conf file that are unrelated to routing. | 4.0.0-4.1.1 | 4.2.0-4.4.5| +| [2545054, 2552126](#2545054, 2552126)
| When you run the NCLU net del interface command to delete an interface that has a description in the /etc/frr/frr.conf file but the /etc/frr/daemons file does not contain zebra=yes}, all running FRR daemons (bgpd, ospfd, ospf6d) restart
To work around this issue, remove all interfaces from the /etc/frr/frr.conf file that are unrelated to routing. | 4.0.0-4.1.1 | 4.2.0-4.4.5| | [2544978](#2544978)
| If you delete an undefined bond, then add a bond slave, the net commit command fails. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544968](#2544968)
| FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:

sudo sh -c "printf 'interface 50\nvrf TEST description L3 routing interface\n' >> /etc/frr/frr.conf"

should be:

sudo sh -c "printf 'interface 50 vrf TEST\ndescription L3 routing interface\n' >> /etc/frr/frr.conf"

To work around this issue, configure the interface manually in the /etc/frr/frr.conf file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544957](#2544957)
| NCLU incorrectly allows you to apply port security configuration on layer 2 and layer 3 ports that are not part of a bridge. | 4.0.0-4.4.5 | | | [2544953](#2544953)
| When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.
To work around this issue, run the sudo systemctl restart lldpd.service command. | 3.7.10-3.7.16, 4.0.0-4.4.5 | | | [2544904](#2544904)
| After you delete an IPv6 numbered BGP peer group neighbor, Cumulus Linux might continue to send route advertisements.
To work around this issue, restart FRR after removing the IPv6 numbered configuration. | 3.7.9-4.1.1 | 4.2.0-4.4.5| -| [2544880](#2544880)
| When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. | 4.0.0-4.4.5 | | +| [2544880, 2544616, 2554202](#2544880, 2544616, 2554202)
| When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. | 4.0.0-4.4.5 | | | [2544856](#2544856)
| In the ethool -m output, the Revision Compliance field might show Unallocated when the SFF-8363 Revision Compliance value is SFF-8636 version 2.8 or later. | 4.0.0-4.1.1 | 4.2.0-4.4.5| | [2544723](#2544723)
| Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2544556](#2544556)
| If you reconfigure an NTP server with NCLU using different trailing options after the IP address (such as iburst), an invalid configuration is added to the /etc/ntp.conf file. For example:

net add time ntp server 1.2.3.4 iburst
net commit
net add time ntp server 1.2.3.4
net commit

If you need to alter existing server configurations, first remove the server, commit, then re-add the server with any trailing options. | 3.7.9-4.1.1 | 4.2.0-4.4.5| | [2544463](#2544463)
| Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | -| [2544456](#2544456)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | +| [2544456, 2546166, 2546167, 2547706, 2549513](#2544456, 2546166, 2546167, 2547706, 2549513)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544311](#2544311)
| Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544155](#2544155)
| NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order.

| 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544113](#2544113)
| Mac learning is not disabled by default on a double tagged peer link interface resulting in the MAC address changing between the MLAG bond and the peer link.
To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the etc/network/interfaces file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2543937](#2543937)
| An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause a FRR reload to time out.
To work around this issue, remove the interface alias description from iproute2. | 3.7.8-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543915](#2543915)
| When you enable a service in the management VRF, systemctl issues a warning similar to the following:
Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run 'systemctl daemon-reload' to reload unit
You can safely ignore this warning. | 4.0.0-5.9.5 | 5.10.0-5.16.1| | [2543900](#2543900)
| On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | | -| [2543841](#2543841)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | +| [2543841, 2544947](#2543841, 2544947)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | | [2543816](#2543816)
| On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages.
| 3.7.6-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2543781](#2543781)
| NCLU does not allow you to configure OSPF NSSAs. For example: 

cumulus@switch:~$ net add ospf area 0.0.0.1 nssa 
ERROR: Command not found. 
net add ospf area 0.0.0.1 nssa

To work around this issue, use FRR instead. For example: 

switch# configure terminal 
switch(config)# router ospf 
switch(config-router)# area 0.0.0.1 nssa
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543724](#2543724)
| If a hostname contains utf-8 characters, the NCLU net show lldp command outputs the following error: 

ERROR: 'ascii' codec can't encode character u'\xe9' in position 3: ordinal not in range(128) 
See /var/log/netd.log for more details.
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| @@ -239,12 +239,12 @@ pdfhidden: True | [2543649](#2543649)
| You cannot specify a source and destination MAC address in an ERSPAN ebtables rule. For example, the following rule does not work:

-A FORWARD -i swp5 -s 00:25:90:b2:bd:9d -d 50:6b:4b:96:c4:04 -j erspan --src-ip 100.1.1.2 --dst-ip 100.1.1.1 --ttl 64
| 3.7.6-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| | [2543647](#2543647)
| ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:

-A FORWARD -i vni10 -j erspan --src-ip 100.1.1.2 --dst-ip 100.1.1.1 --ttl 64
| 3.7.6-4.2.1 | 4.3.0-4.4.5| | [2543646](#2543646)
| In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | | -| [2543401](#2543401)
| On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. | 4.0.0-4.4.5 | | -| [2543270](#2543270)
| The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5| +| [2543401, 2543014](#2543401, 2543014)
| On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. | 4.0.0-4.4.5 | | +| [2543270, 2549352](#2543270, 2549352)
| The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5| | [2543211](#2543211)
| In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2543164](#2543164)
| The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2543096](#2543096)
| When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | -| [2542979](#2542979)
| On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5| +| [2542979, 2546131](#2542979, 2546131)
| On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5| | [2542945](#2542945)
| On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags.
To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad: 

cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2542837](#2542837)
| On Mellanox switches, policer iptables are not working as expected. For example, when using a policer with mode KB/MB/GB to rate-limit interfaces, the syntax is accepted but the data plane transfer speed is not affected by the rule. | 3.7.6-3.7.8, 4.0.0-4.4.5 | 3.7.9-3.7.16| | [2542305](#2542305)
| If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | @@ -257,7 +257,7 @@ pdfhidden: True | [2540352](#2540352)
| When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a _match interface_ condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9 
net add routing route-map Proxy-ARP permit 30 match interface swp10

| 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2540340](#2540340)
| NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example: 
 
 cumulus@switch:~$ net add vrf mgmt

Tab completion for the net add vrf ip address
command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540274](#2540274)
| On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | -| [2540204](#2540204)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540204, 2713883](#2540204, 2713883)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540192](#2540192)
| The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540155](#2540155)
| On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2540042](#2540042)
| When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example: 
 
cumulus@switch:~$ sudo vtysh 
switch# configure terminal 
switch(config)# interface br0.100 
switch(config-if)# vrrp 1 priority 110 
switch(config-if)# vrrp 1 advertisement-interval 
switch(config-if)# end 
switch# write memory 
switch# exit 
cumulus@switch:~

| 3.7.4-3.7.16, 4.0.0-4.4.5 | | @@ -273,7 +273,7 @@ pdfhidden: True | [2538562](#2538562)
| On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.
After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.
To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.
Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G. | 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2538294](#2538294)
| If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2537699](#2537699)
| There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces: 
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
| 3.7.1-3.7.16, 4.0.0-4.4.5 | | -| [2537544](#2537544)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2537544, 2537365](#2537544, 2537365)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | | [2536576](#2536576)
| If you try to bring down several members of a bond remotely at the same time, the link state of one of the interfaces might not transition correctly to the down state; however, all links show down in hardware.
| 4.0.0-4.4.5 | | | [2536384](#2536384)
| The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2536256](#2536256)
| For an unresolved address, the IPROUTER default policer rule has been modified to _not_ match on packets exiting a TUNNEL and headed to the CPU to resolve the address via ARP. As a result, the following default rule no longer matches TUNNEL ingress packets. 
 
A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type 
IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100

These packets are now policed by catch all rules.
To work around this issue, the VPORT value on a TRIDENT switch must be changed from binary 011 to 100.
| 4.0.0-4.4.5 | | @@ -285,7 +285,7 @@ pdfhidden: True | [2535706](#2535706)
| On the Mellanox switch, GRE tunneling does not work if the tunnel source is configured on an SVI interface. If the tunnel source is configured on a physical switch port, then tunneling works as expected. | 4.0.0-4.1.1 | 3.7.14-3.7.16, 4.2.0-4.4.5| | [2535605](#2535605)
| FRR does not add BGP ttl-security to either the running configuration or to the /etc/frr/frr.conf file when configured on a peer group instead of a specific neighbor.
To work around this issue, add ttl-security to individual neighbors instead of the peer group. | 4.0.0-4.4.5 | | | [2535209](#2535209)
| The net show lldp command sometimes shows the port description in the Remote Port field. The net show interface command shows the correct value in the Remote Host field.
To work around this issue, use net show interface command for LLDP output when connected to Cisco equipment. | 3.7.5-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| -| [2534977](#2534977)
| On the Mellanox switch, the destination MAC address of ERSPAN GRE packets is set to all zeros; therefore, the first transit switch might drop packets. | 4.0.0-4.2.1 | 3.7.14-3.7.16, 4.3.0-4.4.5| +| [2534977, 2535424](#2534977, 2535424)
| On the Mellanox switch, the destination MAC address of ERSPAN GRE packets is set to all zeros; therefore, the first transit switch might drop packets. | 4.0.0-4.2.1 | 3.7.14-3.7.16, 4.3.0-4.4.5| | [2534734](#2534734)
| Span rules matching the out-interface as a bond do not mirror packets. | 4.0.0-4.4.5 | | | [2533691](#2533691)
| If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict.
To work around this issue, correct the bridge VIDs and restart switchd or delete the subinterface. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2533625](#2533625)
| PIM and MSDP entries are set to the internal COS value of 6 so they are grouped together with the bulk traffic priority group in the default traffic.conf file. However, PIM, IGMP, and MSDP are considered control-plane and should be set to the internal COS value of 7. | 4.0.0-4.4.5 | | @@ -321,10 +321,10 @@ pdfhidden: True | [2866084](#2866084)
| When you reboot a VTEP, MAC address entries might become out of sync between the kernel FDB table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries are installed against the rebooted VTEP IP address in the kernel FDB and the correct VTEP IP is present in the EVPN MAC VNI table. To work around this issue, clear all corrupted MAC address entries in the kernel FDB with the bridge fdb del
dev [dst\|via] command, then add "vxlan-learning": "off" in the /etc/network/ifupdown2/policy.d/vxlan.json file:
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
  {
       "vxlan": {
           "module_globals": { "vxlan-purge-remotes": "no" },
           "defaults": {
               "vxlan-ageing": "1800",
               "vxlan-port": "4789", <==== This comma needs to be added at the end of this line
               "vxlan-learning": "off" <= This line needs to be added
            }
       }
  }
Reboot the affected switches. | 3.7.12-4.3.0 | 4.3.1-4.4.5| | [2792750](#2792750)
| If you change the clagd-vxlan-anycast-ip setting on both MLAG peers at the same time, both peers use their unique VTEP address indefinitely. | 3.7.15-4.3.0, 4.4.0-4.4.5 | 4.3.1| | [2754723](#2754723)
| When you set route_preferred_over_neigh to FALSE in the /etc/cumulus/switchd.conf file, host routes (/32 or /128) are used for forwarding in hardware instead of a local neighbor entry. | 4.0.0-4.3.0, 4.4.0-4.4.1 | 4.3.1, 4.4.2-4.4.5, 5.0.0-5.16.1| -| [2743186](#2743186)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| +| [2743186, 2734100, 2731464, 3438708](#2743186, 2734100, 2731464, 3438708)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| | [2730225](#2730225)
| When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs. | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.2-4.4.5| -| [2716822](#2716822)
| The /etc/cumulus/ports.conf file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports. | 3.7.15-4.3.0 | 4.3.1-4.4.5| -| [2713888](#2713888)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| +| [2716822, 2710844](#2716822, 2710844)
| The /etc/cumulus/ports.conf file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports. | 3.7.15-4.3.0 | 4.3.1-4.4.5| +| [2713888, 2834357](#2713888, 2834357)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| | [2699399](#2699399)
| When you run the vtysh show ip bgp vrf statistics command, the bgpd service crashes if you use vrf all. For example:
spine01# show ip bgp vrf all statistics 
vtysh: error reading from bgpd: Success (0)Warning: closing connection to bgpd because of an I/O error!

spine01# show bgp vrf all ipv6 unicast statistics 
vtysh: error reading from bgpd: Success (0)Warning: closing connection to bgpd because of an I/O error!

To workaround this issue, run the command against each VRF independently. | 3.7.15, 4.0.0-4.4.5 | 3.7.16| | [2687332](#2687332)
| When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage
To workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:
address-family ipv4 unicast
  aggregate-address 10.10.0.0/16 summary-only
  redistribute connected
After:
ip route 10.10.0.0/16 Null0
  !
  address-family ipv4 unicast
  redistribute connected route-map DENY-COMPONENTS
  redistribute static
   exit-address-family
  ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17
  !
  route-map DENY-COMPONENTS deny 10
   match ip address prefix-list NO-COMPONENTS
  !
  route-map DENY-COMPONENTS permit 20
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2685994](#2685994)
| When you use the NVUE command nv set interface lo router ospf area to configure OSPF on a loopback interface, the configuration fails to apply
To work around this issue, configure the loopback interface in the desired OSPF area with the nv set vrf default router ospf area 0 network command and reference the assigned prefix of the loopback interface. For example:
cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32
| 4.0.0-5.0.1 | 5.1.0-5.16.1| @@ -332,10 +332,10 @@ pdfhidden: True | [2556764](#2556764)
| In a configuration with both traditional and VLAN-aware bridges, the VLAN membership check on a VLAN-aware bridge does not drop PVST BPBUs that come from a traditional bridge. | 3.7.14-3.7.14.2, 4.0.0-4.3.4 | 3.7.15-3.7.16, 4.4.0-4.4.5| | [2556500](#2556500)
| Cumulus Linux does not support bond members at 200G or greater. | 4.0.0-4.3.4 | 4.4.0-4.4.5| | [2556037](#2556037)
| After you add an interface to the bridge, an OSPF session flap might occur
| 3.7.9-4.2.0 | 4.2.1-4.4.5| -| [2556010](#2556010)
| On Broadcom switches, after repeated VLAN or VXLAN configuration changes, switchd memory might not free up appropriately, which can lead to a crash. | 3.7.14, 4.0.0-4.2.1 | 3.7.14.2-3.7.16, 4.3.0-4.4.5| +| [2556010, 2556276](#2556010, 2556276)
| On Broadcom switches, after repeated VLAN or VXLAN configuration changes, switchd memory might not free up appropriately, which can lead to a crash. | 3.7.14, 4.0.0-4.2.1 | 3.7.14.2-3.7.16, 4.3.0-4.4.5| | [2555528](#2555528)
| In an EVPN Active/Active configuration, when one of the peers reboots and begins to refresh IP neighbor entries shared by the MLAG peer, some of these ARP messages might be dropped by the MLAG peer's ARP policer.
To work around this issue, increase the burst value of the ARP policers to 200 or higher. | 3.7.14-4.2.1 | 4.3.0-4.4.5| | [2555400](#2555400)
| On the Edgecore AS7312 switch, eth0 and swp use the same MAC address. | 3.7.14-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| -| [2555175](#2555175)
| Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. | 3.7.15-4.3.1 | 4.3.2-4.4.5| +| [2555175, 3195351, 2672721](#2555175, 3195351, 2672721)
| Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. | 3.7.15-4.3.1 | 4.3.2-4.4.5| | [2554990](#2554990)
| When running traditional mode bridges at scale (for example, when you have more than 200 bridges and a large number of MAC addresses), MLAG bonds flap intermittently from dual to single connected, then back to dual connected, which causes a layer 2 loop and STP state changes.
To work around this issue, either shut down one side of the MLAG bond or prune out VLANS over the bond. | 3.7.13-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| | [2554785](#2554785)
| After you reboot a Broadcom switch, switchd might fail to restart and you see logs in switchd.log similar to the following:
Nov 12 12:20:05.063876 leaf01 switchd[9867]:Nov 12 12:20:05.064310 leaf01 switchd[9867]: hal_bcm_console.c:294 0:system_init:Nov 12 12:20:05.064428 leaf01 switchd[9867]: hal_bcm_console.c:294 system_init: Misc init failed: Operation timed outNov 12 12:20:05.064464 leaf01 switchd[9867]:Nov 12 12:20:05.091995 leaf01 switchd[9867]: hal_bcm_console.c:294 LED: Loading 256 bytes into LED program memoryNov 12 12:20:05.092029 leaf01 switchd[9867]:Nov 12 12:20:05.099547 leaf01 switchd[9867]: hal_bcm_console.c:294 PORT: Error: bcm ports not initializedNov 12 12:20:05.099579 leaf01 switchd[9867]:Nov 12 12:20:05.099646 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /var/lib/cumulus/rc.datapath_0: line 81 (error code -1): script terminatedNov 12 12:20:05.099667 leaf01 switchd[9867]:Nov 12 12:20:05.099775 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /etc/bcm.d/rc.soc: line 70 (error code -1): script terminatedNov 12 12:20:05.099798 leaf01 switchd[9867]:Nov 12 12:20:05.099871 leaf01 switchd[9867]: hal_bcm_console.c:294 ERROR loading rc script on unit 0Nov 12 12:20:05.099892 leaf01 switchd[9867]:Nov 12 12:20:05.099943 leaf01 switchd[9867]: hal_bcm_console.c:299 CRIT loading of rc script failed, aborting!
To work around this issue, configure Cumulus Linux to boot with the ntel_iommu=off kernel command option:1. Open the /etc/default/grub file with a text editor
2. Edit the GRUB_CMDLINE_LINUX variable by adding the string intel_iommu=off at the end. For example: GRUB_CMDLINE_LINUX="cl_platform=cel_e1031 console=ttyS1,115200n8 intel_iommu=off"3. Run the update-grub command
4. Reboot the switch. | 3.7.11-4.2.1 | 4.3.0-4.4.5| | [2554720](#2554720)
| If switchd successfully signals clagd that it is going down, clagd stops responding to keepalive echo requests from the peer instead of sending a good bye to the peer over both the peerlink and the backup switch. Eventually, the keepalive timer expires and the secondary switch becomes the primary, and brings the bonds and VNIs back up. However, if switchd does not successfully signal it is going down, (in the event of a crash), the primary switch continues to respond to keepalives, and the bonds and VNIs are down on both peers. | 3.7.12-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| @@ -352,10 +352,10 @@ pdfhidden: True | [2552939](#2552939)
| RX_DRP on a bond interface increases without any data traffic while the slave port does not increase. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2552869](#2552869)
| On the Dell N3048EP switch, the module information from SFP ports is not displayed in the l1-show command.
To work around this issue, use the ethtool -m command. | 3.7.13-4.2.1 | 4.3.0-4.4.5| | [2552853](#2552853)
| Tenant VRF BGP peers appear in the EVPN RMAC and nexthop tables, which causes the kernel RMAC to point at invalid IP address. | 3.7.12-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| -| [2552742](#2552742)
| On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.
To work around this issue, restart switchd. | 3.7.12-4.2.1 | 4.3.0-4.4.5| +| [2552742, 2553000, 2553936](#2552742, 2553000, 2553936)
| On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.
To work around this issue, restart switchd. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2552704](#2552704)
| In a traditional bridge configuration with ip-forward off, neighbors are synchronized to hardware with a switchd restart but are cleared when you flap the bridge interface. | 3.7.10-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| | [2552527](#2552527)
| Ingress SPAN/ERSPAN does not mirror packets when the next hop is EVPN encapsulated. | 3.7.7-3.7.13, 4.0.0-4.2.1 | 3.7.14-3.7.16, 4.3.0-4.4.5| -| [2552505](#2552505)
| Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports.
To work around this issue, manually set the MAC address of the bridge interface by adding hwaddress to the bridge stanza in the /etc/network/interfaces file. | 3.7.11-3.7.13, 4.0.0-4.2.0 | 3.7.14-3.7.16, 4.2.1-4.4.5| +| [2552505, 2552604](#2552505, 2552604)
| Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports.
To work around this issue, manually set the MAC address of the bridge interface by adding hwaddress to the bridge stanza in the /etc/network/interfaces file. | 3.7.11-3.7.13, 4.0.0-4.2.0 | 3.7.14-3.7.16, 4.2.1-4.4.5| | [2552294](#2552294)
| NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command.
| 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2552204](#2552204)
| If the MAC address of an SVI changes, clagd does not update its permanent neighbor entry for the local interface, and it does not report the change to its MLAG peer. This leaves the MLAG peer in a state where its permanent neighbor for the MLAG peer's SVI IP address continues to use the old MAC address, which causes routed traffic over this SVI to be dropped.
To work around this issue, ifdown/ifup the SVI when a MAC address changes. | 3.7.12-3.7.13, 4.0.0-4.2.0 | 3.7.14-3.7.16, 4.2.1-4.4.5| | [2551911](#2551911)
| ifupdown2 does not account for link status or link down configuration when running dhclient. For example, ifupdown2 ignores link-down yes during ifup/ifreload and runs the DHCP module if inet dhcp is configured on the interface. ifupdown2 also runs the DHCP module even when the physical link configured for DHCP is down. | 3.7.12-4.2.0 | 4.2.1-4.4.5| @@ -372,7 +372,7 @@ pdfhidden: True | [2551335](#2551335)
| When TACACS+ is configured and the management VRF is enabled, users with privilege level 13 are prevented from running ip and cat commands. | 4.0.0-4.4.5 | | | [2551305](#2551305)
| The net show configuration command provides the wrong net add command for ACL under the VLAN interface.

| 3.7.12-3.7.16, 4.1.0-4.4.5 | | | [2551273](#2551273)
| On a Mellanox SN2010 switch, the Locator LED is on after you upgrade Cumulus Linux. | 4.1.0-4.4.5 | | -| [2551162](#2551162)
| switchd memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time.
To work around this issue, correct the cause of the frequent link flaps. You can restart switchd with the sudo systemctl restart switchd command to recover memory; this operation is impactful to all traffic on the switch during the restart. | 3.7.11-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| +| [2551162, 2550590](#2551162, 2550590)
| switchd memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time.
To work around this issue, correct the cause of the frequent link flaps. You can restart switchd with the sudo systemctl restart switchd command to recover memory; this operation is impactful to all traffic on the switch during the restart. | 3.7.11-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| | [2551124](#2551124)
| When the dynamic or static flag on a bridge fdb (MAC) entry is changed to the opposite state, the new flag is not set appropriately in hardware. This can allow a static fdb entry to be unexpectedly learned dynamically on a different interface, or can prevent a dynamic entry from being updated or learned elsewhere.
This condition can occur during a manual replacement of a local MAC address or when EVPN updates a dynamic MAC address to add or remove the Sticky Mac flag. Either situation results in the MAC address keeping the original flag in hardware.
To work around this issue, delete or withdraw the fdb entry, then add the static MAC address directly. For example:

bridge fdb del 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master
bridge fdb add 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master [ static \| dynamic ]

If you are unable to delete an EVPN-learned remote MAC address, you can replace the dynamic MAC address with a local static one, then delete the static MAC address. For example:

bridge fdb replace 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master static
bridge fdb del 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master
bridge fdb add 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master [ static \| dynamic ]
| 4.0.0-4.2.1 | 4.3.0-4.4.5| | [2551111](#2551111)
| If a remote EVPN Sticky MAC [Static MAC address] is unexpectedly learned dynamically on a local interface, the selected entries in zebra and BGP are in an inconsistent state.
zebra increments the local MAC mobility sequence number and considers the MAC address to be local, but BGP maintains the remote Sticky MAC as the best path selected. This results in zebra installing the local MAC address and BGP not updating the route for the MAC address. | 4.0.0-4.4.5 | | | [2550942](#2550942)
| NCLU tab completion for net show displays the text add help text instead of system Information for the system option. | 3.7.11-4.2.0 | 4.2.1-4.4.5| @@ -401,34 +401,34 @@ pdfhidden: True | [2549392](#2549392)
| When you configure an RD or RT with NCLU, you see duplicate VNI stanzas in the /etc/frr/frr.conf file.
To work around this issue, manually edit the etc/frr/frr.conf file to define advertise-all-vni before the RD or RT configuration within the l2vpn EVPN address family, then reload the FRR service with the sudo systemctl reload frr command. | 4.1.0-4.4.5 | | | [2549385](#2549385)
| FRR incorrectly orders advertise-all-vni to be later in the configuration than manual rd or route-target definitions. This causes the rd or route-target configuration to be misapplied or not applied at all.
To work around this issue, when you manually configure the rd or route-target for a VNI, you must manually edit the /etc/frr/frr.conf file to define advertise-all-vni before the rd or route-target configuration within the l2vpn evpn address family. | 4.0.0-4.1.1 | 4.2.0-4.4.5| | [2549371](#2549371)
| When Optimized Multicast Flooding (OMF) is enabled with the bridge.optimized_mcast_flood = TRUE setting in the /etc/cumulus/switchd.conf file, the switch continues to flood IPv6 multicast traffic to all slave ports when there is no MLD join receive. | 3.7.11-4.3.4 | 4.4.0-4.4.5| -| [2549269](#2549269)
| On Mellanox switches with the Spectrum-2 ASIC, when you use more than 16 bonds on the switch, you might experience forwarding issues or see an error similar to the following in switchd.log:

2020-04-07T15:59:27.345421+10:00 le-266-q14-2-res switchd[8422]: hal_mlx_bond.c:1696 ERR member_fwd_update_cb spartan-bm87 collector set failed for swp3s0: Driver's Return Status is Non-Zero
2020-04-07T15:59:27.345557+10:00 le-266-q14-2-res switchd[8422]:
2020-04-07T15:59:27.348432+10:00 le-266-q14-2-res switchd[8422]: hal_mlx_bond.c:1705 ERR member_fwd_update_cb spartan-bm87 distributor set failed for swp3s0: Driver's Return Status is Non-Zero

To work around this issue, configure fewer than 16 bonds on a switch. | 4.1.0-4.1.1 | 4.2.0-4.4.5| +| [2549269, 2551467](#2549269, 2551467)
| On Mellanox switches with the Spectrum-2 ASIC, when you use more than 16 bonds on the switch, you might experience forwarding issues or see an error similar to the following in switchd.log:

2020-04-07T15:59:27.345421+10:00 le-266-q14-2-res switchd[8422]: hal_mlx_bond.c:1696 ERR member_fwd_update_cb spartan-bm87 collector set failed for swp3s0: Driver's Return Status is Non-Zero
2020-04-07T15:59:27.345557+10:00 le-266-q14-2-res switchd[8422]:
2020-04-07T15:59:27.348432+10:00 le-266-q14-2-res switchd[8422]: hal_mlx_bond.c:1705 ERR member_fwd_update_cb spartan-bm87 distributor set failed for swp3s0: Driver's Return Status is Non-Zero

To work around this issue, configure fewer than 16 bonds on a switch. | 4.1.0-4.1.1 | 4.2.0-4.4.5| | [2549225](#2549225)
| You might see the following gport error messages in switchd.log:

2020-04-10T19:50:01.011224+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x800007a find failed
2020-04-10T19:50:01.011631+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x8000009 find failed

These messages are harmless and can be ignored. | 3.7.12-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| | [2548998](#2548998)
| On the Mellanox SN2010 and SN2100 switch, the fan speed might ramp up and down. | 4.1.0-4.1.1 | 4.2.0-4.4.5| | [2548988](#2548988)
| On Mellanox switches, the thermal monitoring script starts in suspended mode and, as a result, the fans run at sixty percent. You also see the following log message:

hw-management.sh[847]: Thermal algorithm is manually suspend.

To work around this issue, run the following command to enable thermal monitoring:

cumulus@switch:~$ sudo echo 0 > /var/run/hw-management/config/suspend
| 4.0.0-4.1.1 | 4.2.0-4.4.5| | [2548962](#2548962)
| With FRR or OSPF, you might see an inconsistent link-state advertisement. For example, when you configure the OSPF default originate route as metric-type 1 with a specific metric, Cumulus Linux shows the default originate route as an external metric-type 2 route with the default metric in the database. This issue typically occurs when both IPv4 and IPv6 default routes exist in the routing table. | 3.7.12-4.1.1 | 4.2.0-4.4.5| | [2548930](#2548930)
| On Mellanox Spectrum switches that contain an OSPF IP unnumbered neighborship with a high scale of prefixes being learned, a link flap might cause the neighbor entry to not be programmed in hardware. | 3.7.11-4.2.1 | 4.3.0-4.4.5| | [2548920](#2548920)
| If you try to remove BFD configuration with a reload, the FRR service fails. The reload action results in a TypeError: expected string or bytes-like object error.
You see this issue only if there is default configuration, such as configuration in the /etc/frr/frr.conf file that is suppressed from view in the FRR running configuration.
To work around this issue, remove the default configuration lines; for example: 

username cumulus nopassword
| 4.1.0-4.1.1 | 4.2.0-4.4.5| -| [2548892](#2548892)
| NTP does not start when you use the default VRF instead of the management VRF. | 4.1.0-4.1.1 | 4.2.0-4.4.5| +| [2548892, 2549358, 2555149](#2548892, 2549358, 2555149)
| NTP does not start when you use the default VRF instead of the management VRF. | 4.1.0-4.1.1 | 4.2.0-4.4.5| | [2548746](#2548746)
| On the Broadcom switch with the Trident3 ASIC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect. | 3.7.11-4.1.1 | 4.2.0-4.4.5| | [2548674](#2548674)
| A large number of flapping peers causes FRR to require a corresponding update to internal data structures that track peer information. Updating this internal data structure does not delete links that are down due to the flapping. The size of this array then grows to contain both current peers as well as peers that should have been deleted during the flap processing. The contents of this array is processed by FRR to poll the links, which consumes CPU for all items in the array. This additional polling consumes more CPU than necessary but has no functional impact.
To work around this issue, restart FRR. | 3.7.11-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| -| [2548672](#2548672)
| When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.
To work around this issue, remove the unnecessary eBGP IPv4 peering. | 3.7.12-3.7.15, 4.0.0-4.2.1 | 3.7.16, 4.3.0-4.4.5| +| [2548672, 2555635](#2548672, 2555635)
| When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.
To work around this issue, remove the unnecessary eBGP IPv4 peering. | 3.7.12-3.7.15, 4.0.0-4.2.1 | 3.7.16, 4.3.0-4.4.5| | [2548657](#2548657)
| When you upgrade Cumulus Linux on the EdgeCore AS7726-32X or AS7326-56X switch, you might see firmware errors similar to the following:

W: Possible missing firmware /lib/firmware/tigon/tg3_tso5.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3_tso.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3.bin for module tg3

You can safely ignore these error messages. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2548655](#2548655)
| When using apt-get update && apt-get upgrade to upgrade from Cumulus Linux 4.0.0 or 4.1.0 to version 4.1.1 or later, a message similar to the following may appear. 

Reading package lists... Done
E: Repository 'http://apt.cumulusnetworks.com/repo CumulusLinux-4-latest InRelease' changed its 'Label' value from 'cumulus-repository-4.0.0' to 'cumulus-repository-4.1.0'
E: Repository 'http://apt.cumulusnetworks.com/repo CumulusLinux-4-latest InRelease' changed its 'Codename' value from 'CumulusLinux-4.0.0' to 'CumulusLinux-4.1.0'
N: This must be accepted explicitly before updates for this repository can be applied. See apt-secure(8) manpage for details.

To work around this issue and proceed with the upgrade, run apt-get update --allow-releaseinfo-change. | 4.0.0-4.1.0 | 4.1.1-4.4.5| | [2548595](#2548595)
| The net show config and net show time ntp server commands do not show NTP server configuration. | 4.1.0-4.2.0 | 4.2.1-4.4.5| -| [2548586](#2548586)
| After you flap an MLAG peerlink, a rare condition might occur where routes and neighbors for VXLAN-enabled VLANs are misprogrammed as non-VXLAN routes and neighbors due to VNI state transitions. This results in a forwarding failure for traffic destined to these misprogrammed routes and neighbors.
*Note*: Do not flap a VNI interface manually. The only expected time for a VNI interface to go down is when the MLAG secondary switch brings the VNIs protodown during a peer link failure where the backup IP address is still active.
To recover from this condition, restart switchd with the sudo systemctl restart switchd command. | 3.7.10-3.7.12, 4.1.0-4.4.5 | 3.7.13-3.7.16| +| [2548586, 2549256](#2548586, 2549256)
| After you flap an MLAG peerlink, a rare condition might occur where routes and neighbors for VXLAN-enabled VLANs are misprogrammed as non-VXLAN routes and neighbors due to VNI state transitions. This results in a forwarding failure for traffic destined to these misprogrammed routes and neighbors.
*Note*: Do not flap a VNI interface manually. The only expected time for a VNI interface to go down is when the MLAG secondary switch brings the VNIs protodown during a peer link failure where the backup IP address is still active.
To recover from this condition, restart switchd with the sudo systemctl restart switchd command. | 3.7.10-3.7.12, 4.1.0-4.4.5 | 3.7.13-3.7.16| | [2548561](#2548561)
| On the EdgeCore Minipack-AS8000, when you try to configure ROCEv2, you see errors indicating that PFC is not working properly. | 4.0.0-4.1.1 | 4.2.0-4.4.5| | [2548496](#2548496)
| Cumulus Linux supports a maximum of 300 ACLs for use with 802.1X interfaces. This limit encompasses the default ACLs, pre-auth ACLs and dynamic ACLs. Exceeding this limit can affect the performance of the switch. | 4.1.0-4.1.1 | 4.2.0-4.4.5| | [2548490](#2548490)
| A change in a route map prefix list that should remove a route might not be reflected in the ospf6 database or in peers, and the route might not be deleted.
To work around this issue, reenter the redistribute route-map statement in the configuration. | 3.7.11-4.1.1 | 4.2.0-4.4.5| | [2548485](#2548485)
| If you configure the aggregate-address
summary-only option before injecting a component of the same aggregate into the BGP table with the network or redistribute command, when you remove the aggregate-address configuration, the component stays suppressed; it is not advertised to peers. For example:Existing configuration:
router bgp 1
address-family ipv4 unicast
 aggregate-address 50.0.0.0/8 summary-only
exit-address-family
If you add network 50.0.0.1/32, you see the following (expected) BGP table entries:
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
             i internal, r RIB-failure, S Stale, R RemovedOrigin codes: i - IGP, e - EGP, ? - incomplete
  Network          Next Hop            Metric LocPrf Weight Path*> 50.0.0.0         0.0.0.0                            32768 is> 50.0.0.1/32      0.0.0.0                  0         32768 i
Removing aggregate-address 50.0.0.0/8 summary-only at this point results in the following (unexpected) BGP table entry:
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
             i internal, r RIB-failure, S Stale, R RemovedOrigin codes: i - IGP, e - EGP, ? - incomplete
  Network          Next Hop            Metric LocPrf Weight Paths> 50.0.0.1/32      0.0.0.0                  0         32768 i
To work around this issue, remove, then re-add the component prefix routes. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2548457](#2548457)
| The global MTU setting in the mtu.json file does not take effect on SVI interfaces after ifreload -a.
To work around this issue, run sudo systemctl restart networking or restart the switch.
Note: A network restart is a disruptive operation. | 4.1.0-4.1.1 | 4.2.0-4.4.5| | [2548422](#2548422)
| You might see a core file in FRRouting related to OSPFv3 if the switch is configured as both an OSPFv3 ABR and ASBR, and other switches in the same area are also configured as both ABR and ASBR. This issue is not seen with a single ABR or ASBR in an area or if there are multiple ASBRs in an area not acting as ABRs. To work around this issue, do not perform redistribution on more than one ABR in the same area. | 4.0.0-4.1.1 | 4.2.0-4.4.5| -| [2548408](#2548408)
| net show configuration commands does not show the RoCE net add interface storage-optimized pfc configuration. | 4.1.0-4.2.1 | 4.3.0-4.4.5| +| [2548408, 2550973](#2548408, 2550973)
| net show configuration commands does not show the RoCE net add interface storage-optimized pfc configuration. | 4.1.0-4.2.1 | 4.3.0-4.4.5| | [2548383](#2548383)
| The QuantaMesh BMS T3048-LY8 switch shows a low fan RPM in syslog. | 3.7.5-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| -| [2548373](#2548373)
| On the Edgecore AS5812 switch, the Innodisk DIMM causes a DIMM temperature sensor absent alert. | 3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| -| [2548320](#2548320)
| When configuring VRF route leaking, if you define import vrf route-map but do not have any imported VRFs, the route map command displays incorrectly, and as a result, FRR fails to reload. | 4.0.0-4.1.1 | 4.2.0-4.4.5| +| [2548373, 2548371](#2548373, 2548371)
| On the Edgecore AS5812 switch, the Innodisk DIMM causes a DIMM temperature sensor absent alert. | 3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| +| [2548320, 2543525](#2548320, 2543525)
| When configuring VRF route leaking, if you define import vrf route-map but do not have any imported VRFs, the route map command displays incorrectly, and as a result, FRR fails to reload. | 4.0.0-4.1.1 | 4.2.0-4.4.5| | [2548310](#2548310)
| When the system boots, we might see " cumulus systemd-udevd[7566]: Process '/usr/bin/hw-management-thermal-events.sh add thermal_zone /sys /devices/virtual/thermal/thermal_zone25 thermal_zone25' failed with exit code 1" errors.

These errors are result of user space acting on kernel events a bit slow. The mlxsw_minimal driver is added during kernel boot; An SDK reset causes the driver to be deleted and re-instantiated; User space handler for thermal zone add sees the add first; But the underlying device is deleted before it can act on it. This situation is rectified as the mlxsw_minimal driver is re-instantiated later;
| 4.1.0-4.4.5 | | | [2548308](#2548308)
| When the garbage collector does not release memory back to the operating system, clagd might consume a large amount of memory. As a result of low system memory, systemd might shut down services to reclaim memory.
| 3.7.11-3.7.12, 4.1.0-4.4.5 | 3.7.13-3.7.16| -| [2548275](#2548275)
| On the QuantaMesh BMS T5032-LY6 switch, when you run the hwclock command, you might see the error hwclock: select() to /dev/rtc0 to wait for clock tick timed out. | 4.1.0-4.1.1 | 4.2.0-4.4.5| +| [2548275, 2548503, 2556077](#2548275, 2548503, 2556077)
| On the QuantaMesh BMS T5032-LY6 switch, when you run the hwclock command, you might see the error hwclock: select() to /dev/rtc0 to wait for clock tick timed out. | 4.1.0-4.1.1 | 4.2.0-4.4.5| | [2548260](#2548260)
| The net add routing route-map permit set community command does not add the set statement into the /etc/frr/frr.conf file. | 4.0.0-4.4.5 | | | [2548243](#2548243)
| On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules. | 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2548242](#2548242)
| On the Mellanox SN3800 switch, when you run sudo -E apt-get update, then sudo -E apt get upgrade, you see a dialog prompting you for the interface on which to run DHCP, followed by a request for DHCP relay options. You can ignore this dialog and press enter to continue with the upgrade. | 4.1.0-4.1.1 | 4.2.0-4.4.5| @@ -444,9 +444,9 @@ pdfhidden: True | [2547839](#2547839)
| When you try to configure link-down on a parent interface of a subinterface configured in a VRF, you encounter an error. | 3.7.11-4.1.1 | 4.2.0-4.4.5| | [2547783](#2547783)
| PTM mis-detects incorrect hostnames of LLDP neighbors and does not fail them as expected. Instead they end up in an N/A cabling status. | 3.7.11-3.7.13, 4.0.0-4.1.1 | 3.7.14-3.7.16, 4.2.0-4.4.5| | [2547782](#2547782)
| If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2547706](#2547706)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2547706, 2544456, 2549513](#2547706, 2544456, 2549513)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2547667](#2547667)
| On the Dell S5232F-ON switch, the output of ledmgrd shows amber_blinking but smonctl shows all OK. | 3.7.11-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| -| [2547610](#2547610)
| Mellanox switches with the Spectrum A0 ASIC that are integrated with VMware NSX experience BFD connectivity issues with service nodes. As a result, VXLAN tunnels do not work.
Mellanox switches with the Spectrum A1 ASIC do **not** have this issue. | 3.7.11-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| +| [2547610, 2548114](#2547610, 2548114)
| Mellanox switches with the Spectrum A0 ASIC that are integrated with VMware NSX experience BFD connectivity issues with service nodes. As a result, VXLAN tunnels do not work.
Mellanox switches with the Spectrum A1 ASIC do **not** have this issue. | 3.7.11-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| | [2547405](#2547405)
| When you restart the hsflowd service, you see a systemd warning message similar to the following:

Warning: The unit file, source configuration file or drop-ins of hsflowd@mgmt.service changed on disk. Run 'systemctl daemon-reload'.
| 4.0.0-4.4.5 | | | [2547340](#2547340)
| When host-resources and ucd-snmp-mib are polled, you see permission denied messages similar to the following:

Jan 30 19:22:53 switch123 snmpd[23172]: Cannot statfs /sys/kernel/debug/tracing: Permission denied
| 3.7.13, 4.0.0-4.1.1 | 3.7.14-3.7.16, 4.2.0-4.4.5| | [2547245](#2547245)
| The MLAG switch pair has VLANs defined that are not used on MLAG bonds. These VLANs still synchronize MAC addresses across to the peer switch. This results in log messages that indicate a MAC address is installed and the VLAN is not defined; for example:

RTM_NEWNEIGH with unconfigured vlan XXXX on port peerlink
| 3.7.10-3.7.13, 4.0.0-4.1.1 | 3.7.14-3.7.16, 4.2.0-4.4.5| @@ -456,42 +456,42 @@ pdfhidden: True | [2547068](#2547068)
| Hardware platforms using the Intel D-1500 CPU series might reboot unexpectedly
To work around this issue, contact your hardware vendor to inquire if a new version of BIOS with a microcode fix is available or manually disable CPU C-states in the kernel as outlined below
To permanently disable C-states using a kernel boot parameter:1. Edit /etc/default/grub to add the argument processor.max_cstate=0 to the variable GRUB_CMDLINE_LINUX. For example, if /etc/default/grub file contains the line GRUB_CMDLINE_LINUX="cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off", change it to GRUB_CMDLINE_LINUX="cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off processor.max_cstate=0"2. Run sudo update-grub
3. Reboot the system with sudo reboot
To disable cstates in realtime on the current system, which does not persist through a reboot:1. Confirm that the libpci3 package is installed. Run dpkg-query -l libpci3 and confirm the following line is displayed:ii libpci3:amd64 1:3.2.1-3 amd64 Linux PCI Utilities (shared library)The first field above should read ii. If not, install the libpci3 package by running sudo apt upgrade;sudo apt install libpci3
2. Disable C-states by running the command ./cpupower idle-set -d 2
C-states are disabled by default in Cumulus Linux 4.3.0 and later. | 3.7.9-4.2.1 | 4.3.0-4.4.5| | [2546991](#2546991)
| The FRR service does not provide a way for automation to know if the configuration applied properly.
To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546985](#2546985)
| On the EdgeCore AS7326-56X switch, the PSU fans show constant LOW warnings. | 3.7.10-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| -| [2546951](#2546951)
| switchd crashes when dynamic VRF route leaking is enabled and the following is true:
* The default route is leaked from VRF1 to VRF2
* Hardware-based dynamic VRF route leaking is configured (vrf_route_leak_enable_dynamic is set to TRUE in the /etc/cumulus/switchd.conf file).
You might see logs similar to the following in /var/log/syslog:

kernel: [159400.526241] switchd[21374]: segfault at 1229cdd84 ip 00000000004142ca sp 00007ffd557a86d0 error 4 in switchd[400000+71000]

To work around this issue, use a route map to filter the default route (the source VRF is imported into the destination VRF). | 3.7.10-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| +| [2546951, 2548887](#2546951, 2548887)
| switchd crashes when dynamic VRF route leaking is enabled and the following is true:
* The default route is leaked from VRF1 to VRF2
* Hardware-based dynamic VRF route leaking is configured (vrf_route_leak_enable_dynamic is set to TRUE in the /etc/cumulus/switchd.conf file).
You might see logs similar to the following in /var/log/syslog:

kernel: [159400.526241] switchd[21374]: segfault at 1229cdd84 ip 00000000004142ca sp 00007ffd557a86d0 error 4 in switchd[400000+71000]

To work around this issue, use a route map to filter the default route (the source VRF is imported into the destination VRF). | 3.7.10-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| | [2546895](#2546895)
| If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:
bq. systemd[1]: switchd.service watchdog timeout (limit 2min)!
To workaround this issue, either reduce the number of configured interfaces and, or VLANs, or increase the systemd timeout for switchd.service
To increase the systemd timeout:1.Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter
2.Restart the switchd service with the sudo systemctl restart switchd.service command
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546874](#2546874)
| On the Dell S5232F, S5248F, S5296F, and S3048 switch, using the poweroff or halt commands does not fully power off the switch. | 4.0.0-4.4.5 | | | [2546485](#2546485)
| The EdgeCore Minipack-AS8000 switch supports FEC RS by default; you cannot disable this setting. However, the ethtool --show-fec command output indicates that FEC is disabled. Also, if you try to change the FEC setting, Cumulus Linux reports an error. For example:

cumulus@switch:~$  net add interface swp23 link speed 100000
cumulus@switch:~$  net add interface swp23 link autoneg off
cumulus@switch:~$  net add interface swp23 link fec rs
"/sbin/ifreload -a" failed:
error: swp23: cmd '/sbin/ethtool --set-fec swp23 encoding rs' failed: returned 255 (Cannot set FEC settings: Operation not supported)
Command '['/sbin/ifreload', '-a']' returned non-zero exit status 1
| 4.0.0-4.1.1 | 4.2.0-4.4.5| | [2546337](#2546337)
| The net show bridge macs command returns an empty interface column.
To work around this issue, run the bridge fdb show command to show the interface. | 4.0.0-4.1.1 | 4.2.0-4.4.5| | [2546255](#2546255)
| On the EdgeCore Minipack-AS8000 switch, a 100G DAC link does not come up when auto-negotiation is enabled on the neighbor. This switch does not support 100G DAC auto-negotiation at this time. | 4.0.0-4.4.5 | | -| [2546225](#2546225)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2546131](#2546131)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546225, 2541038](#2546225, 2541038)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546131, 2542979](#2546131, 2542979)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2545933](#2545933)
| Mellanox switches might experience higher CPU usage from the sx_sdk service or when BFD is in use.
To work around this issue, disable BFD to alleviate some of the CPU load. | 3.7.13, 4.0.0-4.1.1 | 3.7.14-3.7.16, 4.2.0-4.4.5| | [2545837](#2545837)
| If you use the NCLU commands to configure NTP and run the net add time ntp source command before you run the net add time ntp server iburst command, the /etc/ntp.conf file is misconfigured.
To work around this issue, run the net add time ntp server iburst command before you run the net add time ntp source command. | 3.7.10-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| -| [2545536](#2545536)
| On the Mellanox switch with the Spectrum and Spectrum-2 ASIC, IPv6 egress ACLs are not supported on subinterfaces. | 4.0.0-4.1.1 | 3.7.14-3.7.16, 4.2.0-4.4.5| +| [2545536, 2545503](#2545536, 2545503)
| On the Mellanox switch with the Spectrum and Spectrum-2 ASIC, IPv6 egress ACLs are not supported on subinterfaces. | 4.0.0-4.1.1 | 3.7.14-3.7.16, 4.2.0-4.4.5| | [2545520](#2545520)
| The length of the netlink message is not set properly for non-bridge family type messages. The same length is used for both bridge and non-bridge even though the bridge family type message has an extra attribute. This causes extra bytes to be left over in non-bridge family type netlink messages. | 3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2545352](#2545352)
| With a high number of active routes (20K or more), when you perform a networking restart, the FRR log files might become flooded with error messages associated with the restart. These logs are normal and are not directly a problem. However, the large number of messages can cause the logs to _rotate away_ any previous history, which prevents you from tracing back events leading up to the restart. In a troubleshooting environment, this can be problematic. | 4.0.0-4.1.1 | 4.2.0-4.4.5| | [2545239](#2545239)
| On the Mellanox switch with the Spectrum-2 ASIC, Precision Time Protocol (PTP) is not currently supported. | 4.0.0-4.3.4 | 4.4.0-4.4.5| | [2545233](#2545233)
| On the Delta AG9032v1 switch, smonctl and sensors report inaccurate PSU current and power. | 4.0.0-4.4.5 | | | [2545164](#2545164)
| On the Mellanox switch with the Spectrum 2 ASIC, interfaces using 100G or 200G Direct Attach Cables (DACs) do not come up with the interface default configuration.
To work around this issue and bring the interfaces up, perform the following configuration on both sides of the link:
* Set the interface speed to the desired speed
* Set link auto-negotiation to _off_
* Set link FEC to RS mode | 4.0.0-4.1.1 | 4.2.0-4.4.5| | [2545125](#2545125)
| If you configure more than one VRR interface on an SVI interface, deleting one of the VRR addresses does not remove the interface/address. | 3.7.10-3.7.16, 4.0.0-4.4.5 | | -| [2545054](#2545054)
| When you run the NCLU net del interface command to delete an interface that has a description in the /etc/frr/frr.conf file but the /etc/frr/daemons file does not contain zebra=yes}, all running FRR daemons (bgpd, ospfd, ospf6d) restart
To work around this issue, remove all interfaces from the /etc/frr/frr.conf file that are unrelated to routing. | 4.0.0-4.1.1 | 4.2.0-4.4.5| +| [2545054, 2552126](#2545054, 2552126)
| When you run the NCLU net del interface command to delete an interface that has a description in the /etc/frr/frr.conf file but the /etc/frr/daemons file does not contain zebra=yes}, all running FRR daemons (bgpd, ospfd, ospf6d) restart
To work around this issue, remove all interfaces from the /etc/frr/frr.conf file that are unrelated to routing. | 4.0.0-4.1.1 | 4.2.0-4.4.5| | [2544978](#2544978)
| If you delete an undefined bond, then add a bond slave, the net commit command fails. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544968](#2544968)
| FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:

sudo sh -c "printf 'interface 50\nvrf TEST description L3 routing interface\n' >> /etc/frr/frr.conf"

should be:

sudo sh -c "printf 'interface 50 vrf TEST\ndescription L3 routing interface\n' >> /etc/frr/frr.conf"

To work around this issue, configure the interface manually in the /etc/frr/frr.conf file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544957](#2544957)
| NCLU incorrectly allows you to apply port security configuration on layer 2 and layer 3 ports that are not part of a bridge. | 4.0.0-4.4.5 | | | [2544953](#2544953)
| When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.
To work around this issue, run the sudo systemctl restart lldpd.service command. | 3.7.10-3.7.16, 4.0.0-4.4.5 | | | [2544904](#2544904)
| After you delete an IPv6 numbered BGP peer group neighbor, Cumulus Linux might continue to send route advertisements.
To work around this issue, restart FRR after removing the IPv6 numbered configuration. | 3.7.9-4.1.1 | 4.2.0-4.4.5| -| [2544880](#2544880)
| When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. | 4.0.0-4.4.5 | | +| [2544880, 2544616, 2554202](#2544880, 2544616, 2554202)
| When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. | 4.0.0-4.4.5 | | | [2544856](#2544856)
| In the ethool -m output, the Revision Compliance field might show Unallocated when the SFF-8363 Revision Compliance value is SFF-8636 version 2.8 or later. | 4.0.0-4.1.1 | 4.2.0-4.4.5| | [2544723](#2544723)
| Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2544556](#2544556)
| If you reconfigure an NTP server with NCLU using different trailing options after the IP address (such as iburst), an invalid configuration is added to the /etc/ntp.conf file. For example:

net add time ntp server 1.2.3.4 iburst
net commit
net add time ntp server 1.2.3.4
net commit

If you need to alter existing server configurations, first remove the server, commit, then re-add the server with any trailing options. | 3.7.9-4.1.1 | 4.2.0-4.4.5| | [2544463](#2544463)
| Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | -| [2544456](#2544456)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | +| [2544456, 2546166, 2546167, 2547706, 2549513](#2544456, 2546166, 2546167, 2547706, 2549513)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544311](#2544311)
| Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544155](#2544155)
| NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order.

| 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544113](#2544113)
| Mac learning is not disabled by default on a double tagged peer link interface resulting in the MAC address changing between the MLAG bond and the peer link.
To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the etc/network/interfaces file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2543937](#2543937)
| An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause a FRR reload to time out.
To work around this issue, remove the interface alias description from iproute2. | 3.7.8-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543915](#2543915)
| When you enable a service in the management VRF, systemctl issues a warning similar to the following:
Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run 'systemctl daemon-reload' to reload unit
You can safely ignore this warning. | 4.0.0-5.9.5 | 5.10.0-5.16.1| | [2543900](#2543900)
| On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | | -| [2543841](#2543841)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | +| [2543841, 2544947](#2543841, 2544947)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | | [2543816](#2543816)
| On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages.
| 3.7.6-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2543781](#2543781)
| NCLU does not allow you to configure OSPF NSSAs. For example: 

cumulus@switch:~$ net add ospf area 0.0.0.1 nssa 
ERROR: Command not found. 
net add ospf area 0.0.0.1 nssa

To work around this issue, use FRR instead. For example: 

switch# configure terminal 
switch(config)# router ospf 
switch(config-router)# area 0.0.0.1 nssa
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543724](#2543724)
| If a hostname contains utf-8 characters, the NCLU net show lldp command outputs the following error: 

ERROR: 'ascii' codec can't encode character u'\xe9' in position 3: ordinal not in range(128) 
See /var/log/netd.log for more details.
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| @@ -499,12 +499,12 @@ pdfhidden: True | [2543649](#2543649)
| You cannot specify a source and destination MAC address in an ERSPAN ebtables rule. For example, the following rule does not work:

-A FORWARD -i swp5 -s 00:25:90:b2:bd:9d -d 50:6b:4b:96:c4:04 -j erspan --src-ip 100.1.1.2 --dst-ip 100.1.1.1 --ttl 64
| 3.7.6-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| | [2543647](#2543647)
| ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:

-A FORWARD -i vni10 -j erspan --src-ip 100.1.1.2 --dst-ip 100.1.1.1 --ttl 64
| 3.7.6-4.2.1 | 4.3.0-4.4.5| | [2543646](#2543646)
| In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | | -| [2543401](#2543401)
| On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. | 4.0.0-4.4.5 | | -| [2543270](#2543270)
| The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5| +| [2543401, 2543014](#2543401, 2543014)
| On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. | 4.0.0-4.4.5 | | +| [2543270, 2549352](#2543270, 2549352)
| The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | 4.2.0-4.4.5| | [2543211](#2543211)
| In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2543164](#2543164)
| The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2543096](#2543096)
| When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | -| [2542979](#2542979)
| On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5| +| [2542979, 2546131](#2542979, 2546131)
| On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | 4.2.0-4.4.5| | [2542945](#2542945)
| On the Broadcom Maverick switch with a QinQ configuration, the packets coming into the CPU might be tagged incorrectly; for example, 802.1ad + 802.1q tags are expected in the packets but the packets have 802.1q + 802.1q tags.
To work around this issue, configure the bridge with bridge-vlan-protocol 802.1ad: 

cumulus@switch:~$ net add bridge mybridge vlan-protocol 802.1ad
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | | [2542837](#2542837)
| On Mellanox switches, policer iptables are not working as expected. For example, when using a policer with mode KB/MB/GB to rate-limit interfaces, the syntax is accepted but the data plane transfer speed is not affected by the rule. | 3.7.6-3.7.8, 4.0.0-4.4.5 | 3.7.9-3.7.16| | [2542305](#2542305)
| If an SVI exists in the configuration before you assign it an IP address, when you do assign the IP address with the NCLU command, the vlan-id and the raw-device bridge stanzas are not added automatically.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | @@ -517,7 +517,7 @@ pdfhidden: True | [2540352](#2540352)
| When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a _match interface_ condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9 
net add routing route-map Proxy-ARP permit 30 match interface swp10

| 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2540340](#2540340)
| NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example: 
 
 cumulus@switch:~$ net add vrf mgmt

Tab completion for the net add vrf ip address
command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540274](#2540274)
| On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | -| [2540204](#2540204)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540204, 2713883](#2540204, 2713883)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540192](#2540192)
| The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540155](#2540155)
| On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2540042](#2540042)
| When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example: 
 
cumulus@switch:~$ sudo vtysh 
switch# configure terminal 
switch(config)# interface br0.100 
switch(config-if)# vrrp 1 priority 110 
switch(config-if)# vrrp 1 advertisement-interval 
switch(config-if)# end 
switch# write memory 
switch# exit 
cumulus@switch:~

| 3.7.4-3.7.16, 4.0.0-4.4.5 | | @@ -533,7 +533,7 @@ pdfhidden: True | [2538562](#2538562)
| On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.
After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.
To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.
Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G. | 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2538294](#2538294)
| If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2537699](#2537699)
| There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces: 
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
| 3.7.1-3.7.16, 4.0.0-4.4.5 | | -| [2537544](#2537544)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2537544, 2537365](#2537544, 2537365)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | | [2536576](#2536576)
| If you try to bring down several members of a bond remotely at the same time, the link state of one of the interfaces might not transition correctly to the down state; however, all links show down in hardware.
| 4.0.0-4.4.5 | | | [2536384](#2536384)
| The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2536256](#2536256)
| For an unresolved address, the IPROUTER default policer rule has been modified to _not_ match on packets exiting a TUNNEL and headed to the CPU to resolve the address via ARP. As a result, the following default rule no longer matches TUNNEL ingress packets. 
 
A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type 
IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100

These packets are now policed by catch all rules.
To work around this issue, the VPORT value on a TRIDENT switch must be changed from binary 011 to 100.
| 4.0.0-4.4.5 | | @@ -545,7 +545,7 @@ pdfhidden: True | [2535706](#2535706)
| On the Mellanox switch, GRE tunneling does not work if the tunnel source is configured on an SVI interface. If the tunnel source is configured on a physical switch port, then tunneling works as expected. | 4.0.0-4.1.1 | 3.7.14-3.7.16, 4.2.0-4.4.5| | [2535605](#2535605)
| FRR does not add BGP ttl-security to either the running configuration or to the /etc/frr/frr.conf file when configured on a peer group instead of a specific neighbor.
To work around this issue, add ttl-security to individual neighbors instead of the peer group. | 4.0.0-4.4.5 | | | [2535209](#2535209)
| The net show lldp command sometimes shows the port description in the Remote Port field. The net show interface command shows the correct value in the Remote Host field.
To work around this issue, use net show interface command for LLDP output when connected to Cisco equipment. | 3.7.5-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| -| [2534977](#2534977)
| On the Mellanox switch, the destination MAC address of ERSPAN GRE packets is set to all zeros; therefore, the first transit switch might drop packets. | 4.0.0-4.2.1 | 3.7.14-3.7.16, 4.3.0-4.4.5| +| [2534977, 2535424](#2534977, 2535424)
| On the Mellanox switch, the destination MAC address of ERSPAN GRE packets is set to all zeros; therefore, the first transit switch might drop packets. | 4.0.0-4.2.1 | 3.7.14-3.7.16, 4.3.0-4.4.5| | [2534734](#2534734)
| Span rules matching the out-interface as a bond do not mirror packets. | 4.0.0-4.4.5 | | | [2533691](#2533691)
| If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict.
To work around this issue, correct the bridge VIDs and restart switchd or delete the subinterface. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2533625](#2533625)
| PIM and MSDP entries are set to the internal COS value of 6 so they are grouped together with the bulk traffic priority group in the default traffic.conf file. However, PIM, IGMP, and MSDP are considered control-plane and should be set to the internal COS value of 7. | 4.0.0-4.4.5 | | @@ -575,10 +575,10 @@ pdfhidden: True | [2547292](#2547292)
| On the Broadcom Trident3 switch with DHCP relay, where the DHCP server is reachable through the EVPN overlay, DHCP discover packets forwarded to the CPU might appear corrupt and might not get forwarded. | 3.7.9-3.7.12, 4.0.0-4.0.1 | | | [2547286](#2547286)
| NCLU crashes when you run the net add interface storage-optimized pfc command because non-ASCII quotes exist in the datapath.conf file.
To work around this issue, manually edit the /usr/lib/python2.7/dist-packages/cumulus/__chip_config/mlx/datapath.conf file and replace the non-ASCII single quotes with ASCII single quotes (standard single quote on the keyboard). | 4.0.0-4.0.1 | | | [2547266](#2547266)
| On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature. | 4.0.0-4.0.1 | | -| [2547205](#2547205)
| On the Delta AG6248C switch, the NCLU net show system sensors command shows an error:

Could not collect output from command: ['/usr/sbin/smonctl']

To work around this issue, run the net show system sensors json command instead. | 4.0.0-4.0.1 | | +| [2547205, 2548334](#2547205, 2548334)
| On the Delta AG6248C switch, the NCLU net show system sensors command shows an error:

Could not collect output from command: ['/usr/sbin/smonctl']

To work around this issue, run the net show system sensors json command instead. | 4.0.0-4.0.1 | | | [2547149](#2547149)
| The last eight ports of the EdgeCore AS4610-54P switch (swp41 through swp48) do not power UPOE access points. | 3.7.11, 4.0.0-4.0.1 | | | [2547146](#2547146)
| The ospfd daemon might crash with the following kernel trace: 

2019-11-06T23:00:08.261749+09:00 cumulus ospfd[5339]: Assertion 'node' failed in file ospfd/ospf_packet.c, line 671, function ospf_write
| 3.7.11-3.7.12, 4.0.0-4.0.1 | | -| [2547128](#2547128)
| The cumulus-overrides package contains the /etc/apt/preferences.d/20_prefer_cumulus file that pins packages from specific release names. The pinning file contains the wrong name.
To work around this issue, use the origin instead of the release name. | 4.0.0-4.0.1 | | +| [2547128, 2549785](#2547128, 2549785)
| The cumulus-overrides package contains the /etc/apt/preferences.d/20_prefer_cumulus file that pins packages from specific release names. The pinning file contains the wrong name.
To work around this issue, use the origin instead of the release name. | 4.0.0-4.0.1 | | | [2547122](#2547122)
| An unhandled exception might occur after you run the sudo poectl -i command. In addition, random poed daemon restarts can occur without any unhandled exceptions but with an invalid response length error. Both issues can occur due to a SerialException.
To work around this issue, power cycle the switch. A software reboot does not resolve the issue. | 3.7.10-3.7.11 | | | [2547071](#2547071)
| On the Lenovo NE2580 switch, the fan speeds are higher than expected within normal operating conditions. | 3.7.11, 4.0.0-4.0.1 | | | [2547043](#2547043)
| After you convert a bond back to a layer 2 access port, ifupdown2 changes all SVI MTUs to 1500.
To work around this issue, run ifreload -a a second time. | 3.7.11, 4.0.0-4.0.1 | | @@ -589,21 +589,21 @@ pdfhidden: True | [2546739](#2546739)
| The Mellanox SN3700C switch does not forward LLDP or LACP traffic. | 4.0.0-4.0.1 | | | [2546703](#2546703)
| The FRR cl-support module times out on switches on the ARM platform even when the switch is not under heavy load.
To work around this issue, run the cl-support -M command to disable timeouts. | 3.7.0-3.7.11, 4.0.0-4.0.1 | | | [2546576](#2546576)
| A traditional bridge with QinQ and a VNI does not work for tagged traffic. | 3.7.10-3.7.13, 4.0.0-4.0.1 | | -| [2546559](#2546559)
| On the Mellanox SN3700C switch, if you try to break out 100G switch ports into 2x50G, the configuration fails and switchd does not restart. Breaking out the ports into 4x25G works without issue. | 4.0.0-4.0.1 | | +| [2546559, 2544914, 2544984](#2546559, 2544914, 2544984)
| On the Mellanox SN3700C switch, if you try to break out 100G switch ports into 2x50G, the configuration fails and switchd does not restart. Breaking out the ports into 4x25G works without issue. | 4.0.0-4.0.1 | | | [2546502](#2546502)
| On the EdgeCore AS7326-56X switch, eth0 and swp1 use the same MAC address. | 3.7.9-3.7.11, 4.0.0-4.0.1 | | -| [2546454](#2546454)
| When you run the NCLU net del all command to delete all configuration on the switch, you see an error similar to the following:

ERROR: [Errno 2] No such file or directory: '/cumulus/switchd/config/interface//port_security/enable'#012Traceback
| 4.0.0-4.0.1 | | +| [2546454, 2548291](#2546454, 2548291)
| When you run the NCLU net del all command to delete all configuration on the switch, you see an error similar to the following:

ERROR: [Errno 2] No such file or directory: '/cumulus/switchd/config/interface//port_security/enable'#012Traceback
| 4.0.0-4.0.1 | | | [2546389](#2546389)
| In a default VX instance, a ping to a device's hostname fails.
To work around this issue, edit the /etc/gai.conf file and uncomment precedence ::ffff:0:0/96 10.
| 4.0.0-4.0.1 | | | [2546329](#2546329)
| A memory leak in switchd might occur, which causes switchd to restart. | 3.7.10-3.7.11, 4.0.0-4.0.1 | | | [2546265](#2546265)
| Ifupdown2 does not set up the front panel interface for the dhclient to accept the DHCP OFFER.
To work around this issue, restart the networking service after ifreload -a with the systemctl restart networking command. | 3.7.10-3.7.11, 4.0.0-4.0.1 | | -| [2546140](#2546140)
| CPU usage might be higher than normal if you have a high number of interfaces x VLANs and lldpd is active. This issue is introduced with code changes in Cumulus Linux 3.7.11, where VLAN information is now available for LLDP to advertise to neighbors ([https://docs.cumulusnetworks.com/version/cumulus-linux-37/Layer-2/Link-Layer-Discovery-Protocol/#vlan-dot1-tlv]). You might see high CPU usage even if VLAN (dot1) TLV configuration is disabled.
To check if lldpd is the heavy CPU resource user, run the following command:

cumulus@switch:~$  ps -eo user,pid,ppid,cmd,%mem,%cpu --sort=-%cpu \| head

Alternatively, check for messages in the /var/log/syslog directory similar to:

2020-02-20T15:02:12.137857-05:00 leaf01 sysmonitor: High CPU use: 87%
2020-02-20T15:02:12.482398-05:00 leaf01 sysmonitor:   PID USER      PR    VIRT    RES %CPU %MEM     TIME+ COMMAND
2020-02-20T15:02:12.483112-05:00 leaf01 sysmonitor:  1570 _lldpd    20   73244  13800 76.6  0.3   4:43.06 lldpd

*Note*: The exact amount of CPU usage varies in each network based on a number of factors; however, it is unusual for lldpd to consume more than 30% CPU for an extended period of time.
To work around this issue, you can do one of the following:
* If the large number of VLANs is not absolutely necessary, manually prune the VLAN allowed list (if you use the range 1-2999, modify the bridge-vids list to include the VLANs being used).
* Stop the lldpd service. (This approach might be undesirable if the switch is providing services that rely on LLDP such as Voice VLAN.) To stop the lldpd service (runtime setting), run the sudo systemctl stop lldpd.service command. To disable the lldpd service upon boot, run sudo systemctl disable lldpd.service. | 3.7.11-3.7.12, 4.0.0-4.0.1 | | +| [2546140, 2548774](#2546140, 2548774)
| CPU usage might be higher than normal if you have a high number of interfaces x VLANs and lldpd is active. This issue is introduced with code changes in Cumulus Linux 3.7.11, where VLAN information is now available for LLDP to advertise to neighbors ([https://docs.cumulusnetworks.com/version/cumulus-linux-37/Layer-2/Link-Layer-Discovery-Protocol/#vlan-dot1-tlv]). You might see high CPU usage even if VLAN (dot1) TLV configuration is disabled.
To check if lldpd is the heavy CPU resource user, run the following command:

cumulus@switch:~$  ps -eo user,pid,ppid,cmd,%mem,%cpu --sort=-%cpu \| head

Alternatively, check for messages in the /var/log/syslog directory similar to:

2020-02-20T15:02:12.137857-05:00 leaf01 sysmonitor: High CPU use: 87%
2020-02-20T15:02:12.482398-05:00 leaf01 sysmonitor:   PID USER      PR    VIRT    RES %CPU %MEM     TIME+ COMMAND
2020-02-20T15:02:12.483112-05:00 leaf01 sysmonitor:  1570 _lldpd    20   73244  13800 76.6  0.3   4:43.06 lldpd

*Note*: The exact amount of CPU usage varies in each network based on a number of factors; however, it is unusual for lldpd to consume more than 30% CPU for an extended period of time.
To work around this issue, you can do one of the following:
* If the large number of VLANs is not absolutely necessary, manually prune the VLAN allowed list (if you use the range 1-2999, modify the bridge-vids list to include the VLANs being used).
* Stop the lldpd service. (This approach might be undesirable if the switch is providing services that rely on LLDP such as Voice VLAN.) To stop the lldpd service (runtime setting), run the sudo systemctl stop lldpd.service command. To disable the lldpd service upon boot, run sudo systemctl disable lldpd.service. | 3.7.11-3.7.12, 4.0.0-4.0.1 | | | [2546061](#2546061)
| Trident2+ switches do not enable DFE for 10G and 4x10G DACs. As a result, longer or marginal 10G DACs might not link up reliably.
To work around this issue, run the following command after a reboot.
On the SFP side:

echo CR > /cumulus/switchd/config/interface/swp${port}/interface_mode ; done

On the QSFP side:

echo CR > /cumulus/switchd/config/interface/swp${port}/interface_mode ; done
| 4.0.0-4.0.1 | | | [2545988](#2545988)
| When hsflowd is used on the switch, you might experience a kernel panic. | 4.0.0-4.0.1 | | | [2545972](#2545972)
| The ports.conf file on the Dell S5248F-ON switch does not show port ganging or breakout options. | 3.7.10-3.7.11 | | -| [2545949](#2545949)
| All Broadcom Trident3 X7 switches contain PCIE firmware, which is programmed by the vendor when the switch is manufactured. The latest version of this firmware (2.6) is incompatible with Cumulus Linux 3.7.11 and earlier, and Cumulus Linux 4.0.
To work around this issue, downgrade the Broadcom ASIC firmware to an earlier version. | 3.7.11, 4.0.0-4.0.1 | | +| [2545949, 2546356, 2546370, 2546539, 2546711, 2546712, 2546916, 2545172, 2546539](#2545949, 2546356, 2546370, 2546539, 2546711, 2546712, 2546916, 2545172, 2546539)
| All Broadcom Trident3 X7 switches contain PCIE firmware, which is programmed by the vendor when the switch is manufactured. The latest version of this firmware (2.6) is incompatible with Cumulus Linux 3.7.11 and earlier, and Cumulus Linux 4.0.
To work around this issue, downgrade the Broadcom ASIC firmware to an earlier version. | 3.7.11, 4.0.0-4.0.1 | | | [2545868](#2545868)
| If you delete, then re-add a PBR policy on an interface, the configured PBR policy is not programmed in the kernel or switchd. | 3.7.9-3.7.10, 4.0.0-4.0.1 | | | [2545866](#2545866)
| After making a series of PBR configuration changes using NCLU commands, the stale PBR entry is still present in the kernel. | 3.7.9-3.7.10, 4.0.0-4.0.1 | | | [2545851](#2545851)
| The Mellanox minimal platform module driver probe does not handle error conditions correctly.
To work around this issue, power cycle the switch. | 4.0.0-4.0.1 | | -| [2545724](#2545724)
| On the Mellanox switch with the Spectrum or Spectrum-2 ASIC, switchd might crash, then restart under certain conditions. | 4.0.0-4.0.1 | | +| [2545724, 2545163](#2545724, 2545163)
| On the Mellanox switch with the Spectrum or Spectrum-2 ASIC, switchd might crash, then restart under certain conditions. | 4.0.0-4.0.1 | | | [2545698](#2545698)
| On the Celestica Pebble switch, if you use IPv6 routes with mask /65 to /127, the switchd log fills with errors. | 3.7.10-3.7.13 | | | [2545694](#2545694)
| On rare occasions, after rebooting the MLAG secondary switch, one MLAG device might see the peer as down, which can cause traffic disruption to connected hosts. | 3.7.7-3.7.10 | | | [2545608](#2545608)
| The protocol daemon bgpd crashes when a link/neighbor flaps if static routes pointing to Null0 are advertising through BGP.
To work around this issue, reboot the switch, then remove the static routes or stop advertising these routes. | 3.7.9-3.7.10, 4.0.0-4.0.1 | | @@ -620,24 +620,24 @@ pdfhidden: True | [2545087](#2545087)
| On the Mellanox switch with the Spectrum ASIC, the --set-burst parameter in an iptables rule does not take effect. | 3.7.10, 4.0.0-4.0.1 | | | [2545049](#2545049)
| When networking fails to start properly, an MLAG memory leak occurs, which might cause memory issues. | 3.7.9-3.7.10, 4.0.0-4.0.1 | | | [2545040](#2545040)
| On the Mellanox switch, error messages with hw-management-thermal-events.sh are displayed on shutdown. | 4.0.0-4.0.1 | | -| [2544914](#2544914)
| On the NVIDIA SN3700C switch, when you split ports from 100G to 2x50G, switchd fails to start. | 4.0.0-4.0.1 | | -| [2544854](#2544854)
| On the Dell S5248F-ON switch, CPU core temp sensors may show as ABSENT. | 4.0.0-4.0.1 | | +| [2544914, 2546559](#2544914, 2546559)
| On the NVIDIA SN3700C switch, when you split ports from 100G to 2x50G, switchd fails to start. | 4.0.0-4.0.1 | | +| [2544854, 2545726](#2544854, 2545726)
| On the Dell S5248F-ON switch, CPU core temp sensors may show as ABSENT. | 4.0.0-4.0.1 | | | [2544847](#2544847)
| You might experience a bgpd memory usage increase and significant update exchanges due to host moves between VTEPs. | 3.7.7-3.7.10, 4.0.0-4.0.1 | | | [2544625](#2544625)
| VXLAN encapsulated ICMP packets hit the catchall EFP policer instead of the ICMP policer and you might experience partial packet loss.
| 3.7.9-3.7.10, 4.0.0-4.0.1 | | | [2544329](#2544329)
| When an MLAG peerlink frequently alternates states between learning and blocking, an excessive number of TCP sessions might be created, which results in the following error display:

OSError: [Errno 24] Too many open files
| 4.0.0-4.0.1 | | | [2544213](#2544213)
| Cumulus Linux poed generates excessive debug log entries. These will be reduced in a future release. | 3.7.3-3.7.10, 4.0.0-4.0.1 | | | [2544200](#2544200)
| Traffic sent to the SVI IP address of a switch might be lost if all of the following conditions are met:
* The switch is a member of an MLAG pair
* The traffic is sourced from a layer 2 adjacent host
* The host is located within a VRF of the MLAG pair
* The traffic from the source crosses the peer link
* VXLAN is configured on the MLAG pair

This issue does not impact transit traffic or traffic that does not meet all of the described conditions.
To workaround this issue, restart switchd. | 3.7.9-3.7.10, 4.0.0-4.0.1 | | -| [2543791](#2543791)
| On the EdgeCore AS5712, AS6712, AS5812 and AS6812 switch, support for multiple PSU types results in log messages similar to the following:

2019-09-05T05:15:17.246597+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.274521+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
2019-09-05T05:15:17.469556+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.497514+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
| 3.7.9-3.7.12, 4.0.0-4.0.1 | | +| [2543791, 2545026](#2543791, 2545026)
| On the EdgeCore AS5712, AS6712, AS5812 and AS6812 switch, support for multiple PSU types results in log messages similar to the following:

2019-09-05T05:15:17.246597+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.274521+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
2019-09-05T05:15:17.469556+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2
2019-09-05T05:15:17.497514+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/12-0053/eeprom for psu2
| 3.7.9-3.7.12, 4.0.0-4.0.1 | | | [2543690](#2543690)
| On the Mellanox switch, UFT profiles are unable to support the documented capacity for routes to addresses that are more than 64 bits in length. The listed capacities assume 64-bit destination IP addresses. | 3.7.8-3.7.10, 4.0.0-4.0.1 | | | [2543471](#2543471)
| On switches with the Spectrum ASIC, the underlay hashes VXLAN packets for a given overlay flow randomly.
To work around this issue, configure the ECMP hash seed to the same value on the EVPN egress leaf switches. | 3.7.7-3.7.12, 4.0.0-4.0.1 | | -| [2542872](#2542872)
| After you issue the NCLU net del bgp vrf autonomous-system command and commit the change, Cumulus Linux does not remove the configuration from the /etc/frr/frr.conf file or the net show config commands.
| 3.7.3-3.7.10, 4.0.0-4.0.1 | | +| [2542872, 2542901, 2542901](#2542872, 2542901, 2542901)
| After you issue the NCLU net del bgp vrf autonomous-system command and commit the change, Cumulus Linux does not remove the configuration from the /etc/frr/frr.conf file or the net show config commands.
| 3.7.3-3.7.10, 4.0.0-4.0.1 | | | [2542824](#2542824)
| On the Broadcom Trident 3 switch, VXLAN encapsulated packets are dropped on the ingress port (tagged layer 2 port) during transit forwarding (the local switch does not terminate the VXLAN tunnel). An example of where this two-layer VXLAN inside VXLAN encapsulation might occur:
- VXLAN tunnel (#1) between two servers (different racks) to provide layer 2 extension for containers or VM hosts.
- VXLAN tunnel (#2) between the TOR switch in rack 1 to the TOR switch located in the remote rack.

To work around this issue, either:
- Configure the edge port (facing the servers) to be an access port (instead of a trunk/tagged port)
- Change the destination port from 4789 to something else (VXLAN tunnel terminated by the servers) | 3.7.5-3.7.11, 4.0.0-4.0.1 | | | [2542766](#2542766)
| If the BMC operating system fails to respond to IPMI, you see a traceback in bmcd and all the sensors might report ABSENT devices in smonctl.
To work around this issue, power cycle the switch.
| 3.7.6-3.7.12, 4.0.0-4.0.1 | | | [2542510](#2542510)
| In EVPN symmetric or centralized configurations with BGP peering over a peer link, VXLAN routed packets transiting an MLAG peer are dropped until the clagd init-delay timer expires during the bring-up sequence following a reboot.
The problem is caused by a race condition when programming the anycast IP address (used to terminate VXLAN tunnels), where the hardware is programmed before the software by clagd.
To work around this issue, configure the BGP path across the peer link to be less preferred. The example below uses AS path prepending and the MLAG switches are iBGP neighbors. However, other BGP configurations achieve the same result.
In the /etc/frr/frr.conf file, make a new AS path access list and route map to apply BGP pre-pending of the local ASN one or more times. For example: 
 
ip as-path access-list MY_ASN permit ^$ 

route-map peerlink-add-asn permit 10 
match as-path MY_ASN 
set as-path prepend 4200000101 
route-map peerlink-add-asn permit 20
| 3.7.6-3.7.10, 4.0.0-4.0.1 | | | [2541428](#2541428)
| When you try to change the NTP time zone with the NCLU net add time zone command or by editing the /etc/timezone file manually, the configuration does not take effect.
To work around this issue, change the time zone with the sudo timedatectl set-timezone command. For example:

cumulus@switch:~$ sudo timedatectl set-timezone US/Eastern

| 4.0.0-4.0.1 | | | [2538256](#2538256)
| On the Broadcom switch, when a link-local multicast frame is received on an access port with a VNI in the bridge, two copies of the packet are sent across the VNI to remote VTEPs and the receiving hosts observe duplicate packets.
| 3.7.2-4.0.1 | | | [2537061](#2537061)
| The Dell S5048F-ON switch (with reverse airflow, rear to front), shows the Temp-3 sensor as absent.
| 3.7.1-4.0.1 | | -| [2536231](#2536231)
| On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature.
In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. | 3.7.3-3.7.10, 4.0.0-4.0.1 | | +| [2536231, 2545399](#2536231, 2545399)
| On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature.
In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. | 3.7.3-3.7.10, 4.0.0-4.0.1 | | | [2535844](#2535844)
| On a Trident3 switch, IGMP packets are not policed by the police rule in the 00control ACL file. The packets are policed by the catchall policer in the 99control ACL file instead.
-A $INGRESS_CHAIN -p ipv4 -d 01:00:5e:00:00:00/ff:ff:ff:80:00:00 -j police --set-mode pkt --set-rate 100 --set-burst 100
To work around this issue, let the CPU bound IGMP packet hit the following rule and change the policer rate to a desired value for IGMP packets:
-A $INGRESS_CHAIN -p ipv4 -d 01:00:5e:00:00:00/ff:ff:ff:80:00:00 -j police --set-mode pkt --set-rate 100 --set-burst 100
Typically, the destination MAC address 01:00:5e:xx:xx:xx is used only for PIM/IGMP control and data stream packets. However, this workaround cannot handle data stream multicast packets that are not TCP/UDP; this is not typically done. | 4.0.0-4.0.1 | | | [2532593](#2532593)
| On the Mellanox SN-2100 switch, unicast packets are counted in multicast queue counters. | | | | [2532017](#2532017)
| In FRR, bgp_snmp does not show all BGP peers when peer groups used. | 3.7.11-4.0.1 | | diff --git a/content/cumulus-linux-41/rn.xml b/content/cumulus-linux-41/rn.xml index bf0f60e875..c398b8d851 100644 --- a/content/cumulus-linux-41/rn.xml +++ b/content/cumulus-linux-41/rn.xml @@ -168,7 +168,7 @@ Reboot the affected switches. 4.3.1, 4.4.2-4.4.5, 5.0.0-5.16.1 -2743186 +2743186, 2734100, 2731464, 3438708 When you use MD5 passwords and you configure a non-default VRF before the default VRF in the {{/etc/frr/frr.conf}} file, numbered BGP sessions do not establish. 3.7.15-5.1.0 5.2.0-5.16.1 @@ -180,13 +180,13 @@ Reboot the affected switches. 4.3.1-4.4.5, 4.4.2-4.4.5 -2716822 +2716822, 2710844 The {{/etc/cumulus/ports.conf}} file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports. 3.7.15-4.3.0 4.3.1-4.4.5 -2713888 +2713888, 2834357 With the {{ip-acl-heavy}} TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly. hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources @@ -289,7 +289,7 @@ To work around this issue, either use the {{vtysh}} commands or edit the {{/etc/ 4.2.1-4.4.5 -2556010 +2556010, 2556276 On Broadcom switches, after repeated VLAN or VXLAN configuration changes, {{switchd}} memory might not free up appropriately, which can lead to a crash. 3.7.14, 4.0.0-4.2.1 3.7.14.2-3.7.16, 4.3.0-4.4.5 @@ -308,7 +308,7 @@ To work around this issue, increase the burst value of the ARP policers to 200 o 3.7.15-3.7.16, 4.3.0-4.4.5 -2555175 +2555175, 3195351, 2672721 Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. 3.7.15-4.3.1 4.3.2-4.4.5 @@ -443,7 +443,7 @@ To work around this issue, disable IGMP snooping on the switch. 4.3.0-4.4.5 -2553529 +2553529, 2553349 In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated. To work around this issue, restart FRR with the {{sudo systemctl restart frr.service}} command. @@ -484,7 +484,7 @@ To work around this issue, use the {{ethtool -m <interface>}} command.3.7.15-3.7.16, 4.3.0-4.4.5 -2552742 +2552742, 2553000, 2553936 On the Mellanox SN2410 switch, you see {{switchd}} core and {{GBIN_MALLOC}} errors. To work around this issue, restart {{switchd}}. 3.7.12-4.2.1 @@ -503,7 +503,7 @@ To work around this issue, restart {{switchd}}. 3.7.14-3.7.16, 4.3.0-4.4.5 -2552505 +2552505, 2552604 Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports. To work around this issue, manually set the MAC address of the bridge interface by adding {{hwaddress <mac-address>}} to the bridge stanza in the {{/etc/network/interfaces}} file. 3.7.11-3.7.13, 4.0.0-4.2.0 @@ -517,7 +517,7 @@ To work around this issue, manually set the MAC address of the bridge interface -2552212 +2552212, 2553637 The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with {{Unable to read from device/fan1_input/pwm1}} syslog messages. 3.7.11-3.7.14, 4.1.1-4.3.0 3.7.14.2-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5 @@ -658,7 +658,7 @@ Because the modules listed above do not return to their default values correctly 4.3.0-4.4.5 -2551162 +2551162, 2550590 {{switchd}} memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time. To work around this issue, correct the cause of the frequent link flaps. You can restart {{switchd}} with the {{sudo systemctl restart switchd}} command to recover memory; this operation is impactful to all traffic on the switch during the restart. 3.7.11-3.7.12, 4.0.0-4.4.5 @@ -696,7 +696,7 @@ zebra increments the local MAC mobility sequence number and considers the MAC ad -2550973 +2550973, 2548408 After you enable ROCE with the {{net add interface <switch-port> storage-optimized pfc}} command, you cannot verify the command because it is not shown in the {{net show config}} command output. 4.1.1-4.2.1 4.3.0-4.4.5 @@ -822,7 +822,7 @@ The service starts automatically but there is an impact to POE devices momentari 3.7.13-3.7.16 -2550264 +2550264, 2550998 The sx_sdk service may log errors and/or generate a core file when configuring breakout ports on Mellanox Spectrum platforms. The error message observed will be similar to the following: {{sx_sdk: EMAD_RX_THREAD: EMAD transaction FW error}} @@ -1018,7 +1018,7 @@ To work around this issue, when you manually configure the {{rd}} or {{route-tar 4.4.0-4.4.5 -2549269 +2549269, 2551467 On Mellanox switches with the Spectrum-2 ASIC, when you use more than 16 bonds on the switch, you might experience forwarding issues or see an error similar to the following in {{switchd.log}}: 2020-04-07T15:59:27.345421+10:00 le-266-q14-2-res switchd[8422]: hal_mlx_bond.c:1696 ERR member_fwd_update_cb spartan-bm87 collector set failed for swp3s0: Driver's Return Status is Non-Zero @@ -1089,7 +1089,7 @@ username cumulus nopassword 4.2.0-4.4.5 -2548892 +2548892, 2549358, 2555149 NTP does not start when you use the default VRF instead of the management VRF. 4.1.0-4.1.1 4.2.0-4.4.5 @@ -1108,7 +1108,7 @@ To work around this issue, restart FRR. 3.7.13-3.7.16 -2548672 +2548672, 2555635 When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF. To work around this issue, remove the unnecessary eBGP IPv4 peering. 3.7.12-3.7.15, 4.0.0-4.2.1 @@ -1133,7 +1133,7 @@ You can safely ignore these error messages. 4.2.1-4.4.5 -2548586 +2548586, 2549256 After you flap an MLAG peerlink, a rare condition might occur where routes and neighbors for VXLAN-enabled VLANs are misprogrammed as non-VXLAN routes and neighbors due to VNI state transitions. This results in a forwarding failure for traffic destined to these misprogrammed routes and neighbors. *Note*: Do not flap a VNI interface manually. The only expected time for a VNI interface to go down is when the MLAG secondary switch brings the VNIs protodown during a peer link failure where the backup IP address is still active. To recover from this condition, restart {{switchd}} with the {{sudo systemctl restart switchd}} command. @@ -1205,7 +1205,7 @@ Note: A network restart is a disruptive operation. 4.2.0-4.4.5 -2548408 +2548408, 2550973 {{net show configuration commands}} does not show the RoCE {{net add interface <swp> storage-optimized pfc}} configuration. 4.1.0-4.2.1 4.3.0-4.4.5 @@ -1217,13 +1217,13 @@ Note: A network restart is a disruptive operation. 3.7.13-3.7.16 -2548373 +2548373, 2548371 On the Edgecore AS5812 switch, the Innodisk DIMM causes a DIMM temperature sensor absent alert. 3.7.12, 4.0.0-4.4.5 3.7.13-3.7.16 -2548320 +2548320, 2543525 When configuring VRF route leaking, if you define {{import vrf route-map <name>}} but do not have any imported VRFs, the route map command displays incorrectly, and as a result, FRR fails to reload. 4.0.0-4.1.1 4.2.0-4.4.5 @@ -1245,7 +1245,7 @@ These errors are result of user space acting on kernel events a bit slow. The m 3.7.13-3.7.16 -2548275 +2548275, 2548503, 2556077 On the QuantaMesh BMS T5032-LY6 switch, when you run the {{hwclock}} command, you might see the error {{hwclock: select() to /dev/rtc0 to wait for clock tick timed out}}. 4.1.0-4.1.1 4.2.0-4.4.5 @@ -1343,7 +1343,7 @@ To work around this issue, move 100G SR4 modules to one of the ports not affecte -2547706 +2547706, 2544456, 2549513 When you configure ganged ports in the {{ports.conf}} file, the change does not take effect after you restart {{switchd}}. To work around this issue, reboot the switch. 3.7.11-3.7.16, 4.0.0-4.4.5 @@ -1356,7 +1356,7 @@ To work around this issue, reboot the switch. 3.7.13-3.7.16 -2547610 +2547610, 2548114 Mellanox switches with the Spectrum A0 ASIC that are integrated with VMware NSX experience BFD connectivity issues with service nodes. As a result, VXLAN tunnels do not work. Mellanox switches with the Spectrum A1 ASIC do **not** have this issue. 3.7.11-3.7.12, 4.0.0-4.4.5 @@ -1438,7 +1438,7 @@ To work around this issue, execute the {{vtysh -f <file>}} command in the 3.7.13-3.7.16 -2546951 +2546951, 2548887 {{switchd}} crashes when dynamic VRF route leaking is enabled and the following is true: * The default route is leaked from VRF1 to VRF2 * Hardware-based dynamic VRF route leaking is configured ({{vrf_route_leak_enable_dynamic}} is set to TRUE in the {{/etc/cumulus/switchd.conf}} file). @@ -1499,7 +1499,7 @@ To work around this issue, run the {{bridge fdb show}} command to show the inter -2546225 +2546225, 2541038 When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in {{/var/lib/cumulus/installer}}, which causes issues with cl-support. sudo onie-install -fai http://<path to image> @@ -1510,7 +1510,7 @@ To work around this issue, run the {{bridge fdb show}} command to show the inter -2546131 +2546131, 2542979 On the Delta AG-6248C PoE switch, when you run the {{apt upgrade}} command, the upgrade does not work. Cumulus Linux uses {{uboot}} directly instead of {{grub}} to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the {{apt upgrade}} command to upgrade Linux packages, {{uboot}} is unable to boot up the kernel. To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the {{onie-select}} command to go into ONIE, and then use the {{nos-install}} command in ONIE to install a new image. This workaround only works when an out-of-band network is present. @@ -1532,7 +1532,7 @@ To work around this issue, run the {{net add time ntp server <server> ibur 3.7.12-3.7.16 -2545536 +2545536, 2545503 On the Mellanox switch with the Spectrum and Spectrum-2 ASIC, IPv6 egress ACLs are not supported on subinterfaces. 4.0.0-4.1.1 3.7.14-3.7.16, 4.2.0-4.4.5 @@ -1578,7 +1578,7 @@ To work around this issue and bring the interfaces up, perform the following con -2545054 +2545054, 2552126 When you run the NCLU {{net del interface}} command to delete an interface that has a description in the {{/etc/frr/frr.conf}} file but the {{/etc/frr/daemons}} file does not contain {{zebra=yes}, all running FRR daemons ({{bgpd}}, {{ospfd}}, {{ospf6d}}) restart. To work around this issue, remove all interfaces from the {{/etc/frr/frr.conf}} file that are unrelated to routing. 4.0.0-4.1.1 @@ -1625,7 +1625,7 @@ To work around this issue, restart FRR after removing the IPv6 numbered configur 4.2.0-4.4.5 -2544880 +2544880, 2544616, 2554202 When you run the NCLU {{net show commit last}} or {{net show commit <number>}} command, where {{<number>}} is the last commit, no output is shown. 4.0.0-4.4.5 @@ -1663,7 +1663,7 @@ To work around this issue, do not use auto-negotiation and set the local port sp -2544456 +2544456, 2546166, 2546167, 2547706, 2549513 The NCLU {{net show lldp}} command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. 3.7.9-3.7.16, 4.0.0-4.4.5 @@ -1713,7 +1713,7 @@ You can safely ignore this warning. -2543841 +2543841, 2544947 The {{net show evpn vni detail json}} command includes an extra empty dictionary at the end of the output. 3.7.8-3.7.16, 4.0.0-4.4.5 @@ -1799,14 +1799,14 @@ See /var/log/netd.log for more details. -2543401 +2543401, 2543014 On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to {{admin up}} until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces. To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. 4.0.0-4.4.5 -2543270 +2543270, 2549352 The default route injected through OSPF when you configure {{default-information originate always}} is unreliable and might age out unexpectedly. To work around this issue, rely on a different source of default route other than injection with {{default-information originate}}. 3.7.8-4.1.1 @@ -1834,7 +1834,7 @@ To work around this issue, change the MTU on all SVIs and the bridge manually in -2542979 +2542979, 2546131 On the Dell-N3048EP-ON switch, when you run the {{sudo -E apt upgrade}} command, the upgrade does not work. 3.7.7-4.1.1 4.2.0-4.4.5 @@ -1942,7 +1942,7 @@ This issue only affects QinQ configurations. -2540204 +2540204, 2713883 When links come up after FRR is started, VRF connected routes do not get redistributed. 3.7.4-3.7.16, 4.0.0-4.4.5 @@ -2099,7 +2099,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537544 +2537544, 2537365 When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB. 3.7.1-3.7.16, 4.0.0-4.4.5 @@ -2184,7 +2184,7 @@ To work around this issue, use {{net show interface}} command for LLDP output wh 3.7.11-3.7.16 -2534977 +2534977, 2535424 On the Mellanox switch, the destination MAC address of ERSPAN GRE packets is set to all zeros; therefore, the first transit switch might drop packets. 4.0.0-4.2.1 3.7.14-3.7.16, 4.3.0-4.4.5 @@ -2393,7 +2393,7 @@ Reboot the affected switches. 4.3.1, 4.4.2-4.4.5, 5.0.0-5.16.1 -2743186 +2743186, 2734100, 2731464, 3438708 When you use MD5 passwords and you configure a non-default VRF before the default VRF in the {{/etc/frr/frr.conf}} file, numbered BGP sessions do not establish. 3.7.15-5.1.0 5.2.0-5.16.1 @@ -2405,13 +2405,13 @@ Reboot the affected switches. 4.3.1-4.4.5, 4.4.2-4.4.5 -2716822 +2716822, 2710844 The {{/etc/cumulus/ports.conf}} file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports. 3.7.15-4.3.0 4.3.1-4.4.5 -2713888 +2713888, 2834357 With the {{ip-acl-heavy}} TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly. hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources @@ -2501,7 +2501,7 @@ cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32 4.2.1-4.4.5 -2556010 +2556010, 2556276 On Broadcom switches, after repeated VLAN or VXLAN configuration changes, {{switchd}} memory might not free up appropriately, which can lead to a crash. 3.7.14, 4.0.0-4.2.1 3.7.14.2-3.7.16, 4.3.0-4.4.5 @@ -2520,7 +2520,7 @@ To work around this issue, increase the burst value of the ARP policers to 200 o 3.7.15-3.7.16, 4.3.0-4.4.5 -2555175 +2555175, 3195351, 2672721 Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. 3.7.15-4.3.1 4.3.2-4.4.5 @@ -2675,7 +2675,7 @@ To work around this issue, use the {{ethtool -m <interface>}} command.3.7.15-3.7.16, 4.3.0-4.4.5 -2552742 +2552742, 2553000, 2553936 On the Mellanox SN2410 switch, you see {{switchd}} core and {{GBIN_MALLOC}} errors. To work around this issue, restart {{switchd}}. 3.7.12-4.2.1 @@ -2694,7 +2694,7 @@ To work around this issue, restart {{switchd}}. 3.7.14-3.7.16, 4.3.0-4.4.5 -2552505 +2552505, 2552604 Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports. To work around this issue, manually set the MAC address of the bridge interface by adding {{hwaddress <mac-address>}} to the bridge stanza in the {{/etc/network/interfaces}} file. 3.7.11-3.7.13, 4.0.0-4.2.0 @@ -2806,7 +2806,7 @@ To workaround this issue, downgrade to Cumulus Linux 3.7 ESR. -2551162 +2551162, 2550590 {{switchd}} memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time. To work around this issue, correct the cause of the frequent link flaps. You can restart {{switchd}} with the {{sudo systemctl restart switchd}} command to recover memory; this operation is impactful to all traffic on the switch during the restart. 3.7.11-3.7.12, 4.0.0-4.4.5 @@ -3051,7 +3051,7 @@ To work around this issue, when you manually configure the {{rd}} or {{route-tar 4.4.0-4.4.5 -2549269 +2549269, 2551467 On Mellanox switches with the Spectrum-2 ASIC, when you use more than 16 bonds on the switch, you might experience forwarding issues or see an error similar to the following in {{switchd.log}}: 2020-04-07T15:59:27.345421+10:00 le-266-q14-2-res switchd[8422]: hal_mlx_bond.c:1696 ERR member_fwd_update_cb spartan-bm87 collector set failed for swp3s0: Driver's Return Status is Non-Zero @@ -3116,7 +3116,7 @@ username cumulus nopassword 4.2.0-4.4.5 -2548892 +2548892, 2549358, 2555149 NTP does not start when you use the default VRF instead of the management VRF. 4.1.0-4.1.1 4.2.0-4.4.5 @@ -3135,7 +3135,7 @@ To work around this issue, restart FRR. 3.7.13-3.7.16 -2548672 +2548672, 2555635 When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF. To work around this issue, remove the unnecessary eBGP IPv4 peering. 3.7.12-3.7.15, 4.0.0-4.2.1 @@ -3173,7 +3173,7 @@ To work around this issue and proceed with the upgrade, run {{apt-get update --a 4.2.1-4.4.5 -2548586 +2548586, 2549256 After you flap an MLAG peerlink, a rare condition might occur where routes and neighbors for VXLAN-enabled VLANs are misprogrammed as non-VXLAN routes and neighbors due to VNI state transitions. This results in a forwarding failure for traffic destined to these misprogrammed routes and neighbors. *Note*: Do not flap a VNI interface manually. The only expected time for a VNI interface to go down is when the MLAG secondary switch brings the VNIs protodown during a peer link failure where the backup IP address is still active. To recover from this condition, restart {{switchd}} with the {{sudo systemctl restart switchd}} command. @@ -3245,7 +3245,7 @@ Note: A network restart is a disruptive operation. 4.2.0-4.4.5 -2548408 +2548408, 2550973 {{net show configuration commands}} does not show the RoCE {{net add interface <swp> storage-optimized pfc}} configuration. 4.1.0-4.2.1 4.3.0-4.4.5 @@ -3257,13 +3257,13 @@ Note: A network restart is a disruptive operation. 3.7.13-3.7.16 -2548373 +2548373, 2548371 On the Edgecore AS5812 switch, the Innodisk DIMM causes a DIMM temperature sensor absent alert. 3.7.12, 4.0.0-4.4.5 3.7.13-3.7.16 -2548320 +2548320, 2543525 When configuring VRF route leaking, if you define {{import vrf route-map <name>}} but do not have any imported VRFs, the route map command displays incorrectly, and as a result, FRR fails to reload. 4.0.0-4.1.1 4.2.0-4.4.5 @@ -3285,7 +3285,7 @@ These errors are result of user space acting on kernel events a bit slow. The m 3.7.13-3.7.16 -2548275 +2548275, 2548503, 2556077 On the QuantaMesh BMS T5032-LY6 switch, when you run the {{hwclock}} command, you might see the error {{hwclock: select() to /dev/rtc0 to wait for clock tick timed out}}. 4.1.0-4.1.1 4.2.0-4.4.5 @@ -3383,7 +3383,7 @@ To work around this issue, move 100G SR4 modules to one of the ports not affecte -2547706 +2547706, 2544456, 2549513 When you configure ganged ports in the {{ports.conf}} file, the change does not take effect after you restart {{switchd}}. To work around this issue, reboot the switch. 3.7.11-3.7.16, 4.0.0-4.4.5 @@ -3396,7 +3396,7 @@ To work around this issue, reboot the switch. 3.7.13-3.7.16 -2547610 +2547610, 2548114 Mellanox switches with the Spectrum A0 ASIC that are integrated with VMware NSX experience BFD connectivity issues with service nodes. As a result, VXLAN tunnels do not work. Mellanox switches with the Spectrum A1 ASIC do **not** have this issue. 3.7.11-3.7.12, 4.0.0-4.4.5 @@ -3478,7 +3478,7 @@ To work around this issue, execute the {{vtysh -f <file>}} command in the 3.7.13-3.7.16 -2546951 +2546951, 2548887 {{switchd}} crashes when dynamic VRF route leaking is enabled and the following is true: * The default route is leaked from VRF1 to VRF2 * Hardware-based dynamic VRF route leaking is configured ({{vrf_route_leak_enable_dynamic}} is set to TRUE in the {{/etc/cumulus/switchd.conf}} file). @@ -3539,7 +3539,7 @@ To work around this issue, run the {{bridge fdb show}} command to show the inter -2546225 +2546225, 2541038 When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in {{/var/lib/cumulus/installer}}, which causes issues with cl-support. sudo onie-install -fai http://<path to image> @@ -3550,7 +3550,7 @@ To work around this issue, run the {{bridge fdb show}} command to show the inter -2546131 +2546131, 2542979 On the Delta AG-6248C PoE switch, when you run the {{apt upgrade}} command, the upgrade does not work. Cumulus Linux uses {{uboot}} directly instead of {{grub}} to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the {{apt upgrade}} command to upgrade Linux packages, {{uboot}} is unable to boot up the kernel. To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the {{onie-select}} command to go into ONIE, and then use the {{nos-install}} command in ONIE to install a new image. This workaround only works when an out-of-band network is present. @@ -3572,7 +3572,7 @@ To work around this issue, run the {{net add time ntp server <server> ibur 3.7.12-3.7.16 -2545536 +2545536, 2545503 On the Mellanox switch with the Spectrum and Spectrum-2 ASIC, IPv6 egress ACLs are not supported on subinterfaces. 4.0.0-4.1.1 3.7.14-3.7.16, 4.2.0-4.4.5 @@ -3618,7 +3618,7 @@ To work around this issue and bring the interfaces up, perform the following con -2545054 +2545054, 2552126 When you run the NCLU {{net del interface}} command to delete an interface that has a description in the {{/etc/frr/frr.conf}} file but the {{/etc/frr/daemons}} file does not contain {{zebra=yes}, all running FRR daemons ({{bgpd}}, {{ospfd}}, {{ospf6d}}) restart. To work around this issue, remove all interfaces from the {{/etc/frr/frr.conf}} file that are unrelated to routing. 4.0.0-4.1.1 @@ -3665,7 +3665,7 @@ To work around this issue, restart FRR after removing the IPv6 numbered configur 4.2.0-4.4.5 -2544880 +2544880, 2544616, 2554202 When you run the NCLU {{net show commit last}} or {{net show commit <number>}} command, where {{<number>}} is the last commit, no output is shown. 4.0.0-4.4.5 @@ -3703,7 +3703,7 @@ To work around this issue, do not use auto-negotiation and set the local port sp -2544456 +2544456, 2546166, 2546167, 2547706, 2549513 The NCLU {{net show lldp}} command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. 3.7.9-3.7.16, 4.0.0-4.4.5 @@ -3753,7 +3753,7 @@ You can safely ignore this warning. -2543841 +2543841, 2544947 The {{net show evpn vni detail json}} command includes an extra empty dictionary at the end of the output. 3.7.8-3.7.16, 4.0.0-4.4.5 @@ -3839,14 +3839,14 @@ See /var/log/netd.log for more details. -2543401 +2543401, 2543014 On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to {{admin up}} until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces. To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. 4.0.0-4.4.5 -2543270 +2543270, 2549352 The default route injected through OSPF when you configure {{default-information originate always}} is unreliable and might age out unexpectedly. To work around this issue, rely on a different source of default route other than injection with {{default-information originate}}. 3.7.8-4.1.1 @@ -3874,7 +3874,7 @@ To work around this issue, change the MTU on all SVIs and the bridge manually in -2542979 +2542979, 2546131 On the Dell-N3048EP-ON switch, when you run the {{sudo -E apt upgrade}} command, the upgrade does not work. 3.7.7-4.1.1 4.2.0-4.4.5 @@ -3982,7 +3982,7 @@ This issue only affects QinQ configurations. -2540204 +2540204, 2713883 When links come up after FRR is started, VRF connected routes do not get redistributed. 3.7.4-3.7.16, 4.0.0-4.4.5 @@ -4139,7 +4139,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537544 +2537544, 2537365 When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB. 3.7.1-3.7.16, 4.0.0-4.4.5 @@ -4224,7 +4224,7 @@ To work around this issue, use {{net show interface}} command for LLDP output wh 3.7.11-3.7.16 -2534977 +2534977, 2535424 On the Mellanox switch, the destination MAC address of ERSPAN GRE packets is set to all zeros; therefore, the first transit switch might drop packets. 4.0.0-4.2.1 3.7.14-3.7.16, 4.3.0-4.4.5 @@ -4400,7 +4400,7 @@ To work around this issue, manually edit the {{/usr/lib/python2.7/dist-packages/ 4.0.0-4.0.1 -2547205 +2547205, 2548334 On the Delta AG6248C switch, the NCLU {{net show system sensors}} command shows an error: Could not collect output from command: ['/usr/sbin/smonctl'] @@ -4422,7 +4422,7 @@ To work around this issue, run the {{net show system sensors json}} command inst 3.7.11-3.7.12, 4.0.0-4.0.1 -2547128 +2547128, 2549785 The cumulus-overrides package contains the {{/etc/apt/preferences.d/20_prefer_cumulus}} file that pins packages from specific release names. The pinning file contains the wrong name. To work around this issue, use the origin instead of the release name. 4.0.0-4.0.1 @@ -4482,7 +4482,7 @@ To work around this issue, run the {{cl-support -M}} command to disable timeouts 3.7.10-3.7.13, 4.0.0-4.0.1 -2546559 +2546559, 2544914, 2544984 On the Mellanox SN3700C switch, if you try to break out 100G switch ports into 2x50G, the configuration fails and {{switchd}} does not restart. Breaking out the ports into 4x25G works without issue. 4.0.0-4.0.1 @@ -4492,7 +4492,7 @@ To work around this issue, run the {{cl-support -M}} command to disable timeouts 3.7.9-3.7.11, 4.0.0-4.0.1 -2546454 +2546454, 2548291 When you run the NCLU {{net del all}} command to delete all configuration on the switch, you see an error similar to the following: ERROR: [Errno 2] No such file or directory: '/cumulus/switchd/config/interface/<swp>/port_security/enable'#012Traceback @@ -4518,7 +4518,7 @@ To work around this issue, restart the networking service after {{ifreload -a}} 3.7.10-3.7.11, 4.0.0-4.0.1 -2546140 +2546140, 2548774 CPU usage might be higher than normal if you have a high number of interfaces x VLANs and {{lldpd}} is active. This issue is introduced with code changes in Cumulus Linux 3.7.11, where VLAN information is now available for LLDP to advertise to neighbors ([https://docs.cumulusnetworks.com/version/cumulus-linux-37/Layer-2/Link-Layer-Discovery-Protocol/#vlan-dot1-tlv]). You might see high CPU usage even if VLAN (dot1) TLV configuration is disabled. To check if {{lldpd}} is the heavy CPU resource user, run the following command: @@ -4561,7 +4561,7 @@ echo CR > /cumulus/switchd/config/interface/swp${port}/interface_mode ; done 3.7.10-3.7.11 -2545949 +2545949, 2546356, 2546370, 2546539, 2546711, 2546712, 2546916, 2545172, 2546539 All Broadcom Trident3 X7 switches contain PCIE firmware, which is programmed by the vendor when the switch is manufactured. The latest version of this firmware (2.6) is incompatible with Cumulus Linux 3.7.11 and earlier, and Cumulus Linux 4.0. To work around this issue, downgrade the Broadcom ASIC firmware to an earlier version. 3.7.11, 4.0.0-4.0.1 @@ -4583,7 +4583,7 @@ To work around this issue, power cycle the switch. 4.0.0-4.0.1 -2545724 +2545724, 2545163 On the Mellanox switch with the Spectrum or Spectrum-2 ASIC, {{switchd}} might crash, then restart under certain conditions. 4.0.0-4.0.1 @@ -4674,12 +4674,12 @@ To avoid this issue, wait 15 seconds before insertion and before removal of the 4.0.0-4.0.1 -2544914 +2544914, 2546559 On the NVIDIA SN3700C switch, when you split ports from 100G to 2x50G, {{switchd}} fails to start. 4.0.0-4.0.1 -2544854 +2544854, 2545726 On the Dell S5248F-ON switch, CPU core temp sensors may show as ABSENT. 4.0.0-4.0.1 @@ -4721,7 +4721,7 @@ To workaround this issue, restart {{switchd}}. 3.7.9-3.7.10, 4.0.0-4.0.1 -2543791 +2543791, 2545026 On the EdgeCore AS5712, AS6712, AS5812 and AS6812 switch, support for multiple PSU types results in log messages similar to the following: 2019-09-05T05:15:17.246597+00:00 hp-6712-03 decode-syseeprom: Unable to find eeprom at /sys/bus/i2c/devices/11-0050/eeprom for psu2 @@ -4743,7 +4743,7 @@ To work around this issue, configure the ECMP hash seed to the same value on the 3.7.7-3.7.12, 4.0.0-4.0.1 -2542872 +2542872, 2542901, 2542901 After you issue the NCLU {{net del bgp vrf <vrf> autonomous-system <AS>}} command and commit the change, Cumulus Linux does not remove the configuration from the {{/etc/frr/frr.conf}} file or the {{net show config commands}}. 3.7.3-3.7.10, 4.0.0-4.0.1 @@ -4805,7 +4805,7 @@ cumulus@switch:~$ sudo timedatectl set-timezone US/Eastern 3.7.1-4.0.1 -2536231 +2536231, 2545399 On the Broadcom switch with the Trident3 ASIC, the ECN-CE bit is set by default on transit traffic. This might result in hosts adjusting traffic behavior if they are configured for the ECN feature. In Cumulus Linux 3.7.11, the default behavior changed; the ECN-CE bit is _no longer_ set by default on transit traffic. 3.7.3-3.7.10, 4.0.0-4.0.1 diff --git a/content/cumulus-linux-42/Whats-New/rn.md b/content/cumulus-linux-42/Whats-New/rn.md index 63e9fdcee7..5d9343112a 100644 --- a/content/cumulus-linux-42/Whats-New/rn.md +++ b/content/cumulus-linux-42/Whats-New/rn.md @@ -18,7 +18,7 @@ pdfhidden: True | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0-5.16.1| | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.16.1| | [3410952](#3410952)
| If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.16.1| -| [3390022](#3390022)
| When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the peerlink.4095 interface stanza are duplicated. Subsequent ifreloads, or net commit commands fail until you manually remove the duplicated lines from this interface and run ifreload -a. | 4.2.1-4.4.5 | | +| [3390022, 3323138](#3390022, 3323138)
| When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the peerlink.4095 interface stanza are duplicated. Subsequent ifreloads, or net commit commands fail until you manually remove the duplicated lines from this interface and run ifreload -a. | 4.2.1-4.4.5 | | | [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5| | [3339249](#3339249)
| The sensors.conf files in Cumulus Linux are out of date. | 4.2.1-4.4.5 | | | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.16.1| @@ -27,13 +27,13 @@ pdfhidden: True | [3211369](#3211369)
| The NCLU net show interface pluggables command takes a long time (approximately five minutes) to complete. | 4.2.1-4.4.5 | | | [3209699](#3209699)
| RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users)
| 3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.16.1| | [3120423](#3120423)
| When you configure an interface in FRR to send IPv6 RAs before you configure the interface in the /etc/network/interfaces file, the switch does not process IPv6 RAs. To work around this issue, remove the interface configuration in FRR and reapply it. | 3.7.15-4.3.0, 4.4.0-5.1.0 | 4.3.1, 5.2.0-5.16.1| -| [3108491](#3108491)
| In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. | 4.2.1-4.4.5 | 5.0.0-5.16.1| +| [3108491, 2434628](#3108491, 2434628)
| In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. | 4.2.1-4.4.5 | 5.0.0-5.16.1| | [3089165](#3089165)
| A slow memory leak might occur in switchd} if the route fails to install in hardware when hardware resources are exhausted. | 4.2.1-4.4.3 | 4.4.4-4.4.5| | [3072674](#3072674)
| In an MLAG configuration, if you put a single connected interface into an admin down state, any dynamic MAC addresses on the peer link are flushed, then added back, which causes momentary traffic disruption. | 3.7.15-5.1.0 | 5.2.0-5.16.1| | [3068962](#3068962)
| ONIE installation over HTTP fails if the web server hosting the installation image returns valid HTML content when ONIE requests an optional_pkgs file that does not exist. To work around this issue, configure the hosting web server to return an HTTP 404 code when the non-existant file is requested, or host an empty file on the web server with the format .optional_pkgs. | 4.2.1-4.3.0 | 4.3.1-4.4.5, 4.4.4-4.4.5, 5.2.0-5.16.1| | [3066704](#3066704)
| The hostapd service stops working if an 802.1X interface goes up and down many times over a long period of time
To work around this issue, restart the hostapd service with the systemctl restart hostapd command. | 3.7.15-4.3.0 | 4.3.1-4.4.5| | [3053063](#3053063)
| The update-ports.service fails because a blank space in the comment lines of the /etc/cumulus/ports.conf file causes parsing errors. To work around this issue, remove the blank spaces in the commented lines, then restart the update-ports and switchd services. | 3.7.15-4.3.0 | 4.3.1-4.4.5, 4.4.4-4.4.5| -| [3046023](#3046023)
| The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. | 4.2.1-5.1.0 | 5.2.0-5.16.1| +| [3046023, 3096918](#3046023, 3096918)
| The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. | 4.2.1-5.1.0 | 5.2.0-5.16.1| | [3020254](#3020254)
| When ARP suppression is off, GARPs from neighmgrd for remote neighbors are sent over VXLAN. | 3.7.15-4.3.0, 4.4.0-4.4.3, 5.0.0-5.1.0 | 4.3.1, 4.4.4-4.4.5, 5.2.0-5.16.1| | [2993719](#2993719)
| After you delete the last vxlan-remoteip configuration line from the /etc/network/interfaces file and run the ifreload -a command, the corresponding BUM flood entry is not removed. This is issue is impacting all Cumulus Linux releases. The following attribute: vxlan-purge-remotes yes is intended to fix the issue (this attribute has been available since CL2). It was decided to change ifupdown2's default behavior to automatically purge BUM entries added by ifup/ifreload. | 3.7.15-5.0.1 | 5.1.0-5.16.1, 5.2.0-5.16.1| | [2991514](#2991514)
| Cumulus Linux can take a long time (100 seconds) to sync a large number of VNIs on a bridge. | 3.7.15-4.3.0 | 4.3.1-4.4.5| @@ -55,12 +55,12 @@ pdfhidden: True | [2792750](#2792750)
| If you change the clagd-vxlan-anycast-ip setting on both MLAG peers at the same time, both peers use their unique VTEP address indefinitely. | 3.7.15-4.3.0, 4.4.0-4.4.5 | 4.3.1| | [2754723](#2754723)
| When you set route_preferred_over_neigh to FALSE in the /etc/cumulus/switchd.conf file, host routes (/32 or /128) are used for forwarding in hardware instead of a local neighbor entry. | 4.0.0-4.3.0, 4.4.0-4.4.1 | 4.3.1, 4.4.2-4.4.5, 5.0.0-5.16.1| | [2753955](#2753955)
| On the Lenovo MSN3700 switch, if you try to configure an interface with a link speed of 200G, the configuration fails. | 4.2.1-4.4.5 | 5.0.0-5.16.1| -| [2743186](#2743186)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| -| [2738625](#2738625)
| When you configure the switch with the minimum reserved VLAN of 150 and the internal VLANs are exhausted, the MLAG peer does not forward the VLAN. | 3.7.15, 4.2.1-4.3.0 | 3.7.16, 4.3.1-4.4.5| +| [2743186, 2734100, 2731464, 3438708](#2743186, 2734100, 2731464, 3438708)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| +| [2738625, 2748965](#2738625, 2748965)
| When you configure the switch with the minimum reserved VLAN of 150 and the internal VLANs are exhausted, the MLAG peer does not forward the VLAN. | 3.7.15, 4.2.1-4.3.0 | 3.7.16, 4.3.1-4.4.5| | [2736260](#2736260)
| After an apt upgrade, the OPTIONS configuration line in /etc/default/isc-dhcp-relay might be removed. To work around this issue, reconfigure the desired options in the file after the upgrade completes. | 3.7.12-3.7.15, 4.2.1-4.3.4 | 3.7.16, 4.4.0-4.4.5| | [2730225](#2730225)
| When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs. | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.2-4.4.5| -| [2716822](#2716822)
| The /etc/cumulus/ports.conf file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports. | 3.7.15-4.3.0 | 4.3.1-4.4.5| -| [2713888](#2713888)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| +| [2716822, 2710844](#2716822, 2710844)
| The /etc/cumulus/ports.conf file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports. | 3.7.15-4.3.0 | 4.3.1-4.4.5| +| [2713888, 2834357](#2713888, 2834357)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| | [2711533](#2711533)
| On the AS7326-56X switch, the link lights for 25G ports configured to work at 1G do not illuminate. | 4.2.1-4.4.5 | | | [2710208](#2710208)
| The net show bgp neighbor command output does not reflect the correct BFD status. This is a cosmetic issue. To work around this issue, run the NCLU net show bfd command to verify the correct state of BFD. | 4.2.1-4.4.5 | | | [2699399](#2699399)
| When you run the vtysh show ip bgp vrf statistics command, the bgpd service crashes if you use vrf all. For example:
spine01# show ip bgp vrf all statistics 
vtysh: error reading from bgpd: Success (0)Warning: closing connection to bgpd because of an I/O error!

spine01# show bgp vrf all ipv6 unicast statistics 
vtysh: error reading from bgpd: Success (0)Warning: closing connection to bgpd because of an I/O error!

To workaround this issue, run the command against each VRF independently. | 3.7.15, 4.0.0-4.4.5 | 3.7.16| @@ -81,7 +81,7 @@ pdfhidden: True | [2556082](#2556082)
| The NCLU net del vrf command does not delete a numbered VRF. For example:

cumulus@leaf01:~$ net del vrf 55
ERROR: Command not found
| 4.2.1-4.4.5 | | | [2556081](#2556081)
| You cannot set the time zone can with NCLU commands. | 4.1.1-4.4.5 | | | [2556061](#2556061)
| On the Edgecore AS4610 switch, the historic CPU usage displayed in /run/sysmonitor/history sometimes shows as a negative value. | 4.2.1-4.3.0 | 3.7.16, 4.3.1-4.4.5| -| [2556010](#2556010)
| On Broadcom switches, after repeated VLAN or VXLAN configuration changes, switchd memory might not free up appropriately, which can lead to a crash. | 3.7.14, 4.0.0-4.2.1 | 3.7.14.2-3.7.16, 4.3.0-4.4.5| +| [2556010, 2556276](#2556010, 2556276)
| On Broadcom switches, after repeated VLAN or VXLAN configuration changes, switchd memory might not free up appropriately, which can lead to a crash. | 3.7.14, 4.0.0-4.2.1 | 3.7.14.2-3.7.16, 4.3.0-4.4.5| | [2555932](#2555932)
| On Mellanox switches, you can't ping the SVI of the MLAG peer over the peer link after the packet is VXLAN decapsulated. | 4.2.1-4.3.0 | 4.3.1-4.4.5| | [2555613](#2555613)
| The net show configuration commands command incorrectly displays the NCLU syntax to disable IPv6 forwarding on interfaces. For example:

# net show configuration commands
net add vlan 1 ip6-forward off

The correct NCLU command to disable IPv6 forwarding is net add vlan 1 ipv6 forward off (without the hyphen). | 4.2.1-4.4.5 | | | [2555588](#2555588)
| You can't delete a BGP community list created with NCLU. | 4.2.1 | 4.3.0-4.4.5| @@ -94,7 +94,7 @@ pdfhidden: True | [2555400](#2555400)
| On the Edgecore AS7312 switch, eth0 and swp use the same MAC address. | 3.7.14-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| | [2555380](#2555380)
| When you start asic-monitor, you might see increasing memory usage. | 4.2.1 | 4.3.0-4.4.5| | [2555223](#2555223)
| An EVPN route map filter matching a VNI on egress on the originating router might not set a large-community correctly:

route-map TEST-TAG permit 10
  match evpn vni 109001
  set large-community 20:20:333
!

To work around this issue, remove the VNI match to allow the tag to be applied on egress.
The VNI match works if applied at some other non-originating router either in the ingress or egress direction. | 4.2.1 | 4.3.0-4.4.5| -| [2555175](#2555175)
| Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. | 3.7.15-4.3.1 | 4.3.2-4.4.5| +| [2555175, 3195351, 2672721](#2555175, 3195351, 2672721)
| Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. | 3.7.15-4.3.1 | 4.3.2-4.4.5| | [2554990](#2554990)
| When running traditional mode bridges at scale (for example, when you have more than 200 bridges and a large number of MAC addresses), MLAG bonds flap intermittently from dual to single connected, then back to dual connected, which causes a layer 2 loop and STP state changes.
To work around this issue, either shut down one side of the MLAG bond or prune out VLANS over the bond. | 3.7.13-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| | [2554986](#2554986)
| The ethtool utility doesn't contain the latest values, as a result the Revision Compliance field shows Unallocated. | 4.2.1-4.4.5 | | | [2554866](#2554866)
| On the Mellanox SN3420 switch, 1000BaseT and 1000Base-SX/LX modules do not link up. | 4.2.1 | 4.3.0-4.4.5| @@ -119,11 +119,11 @@ pdfhidden: True | [2554299](#2554299)
| In a VRRP configuration, BGP unnumbered sessions for VRFs fail to establish after a networking restart. | 4.2.0-4.3.4 | 4.4.0-4.4.5| | [2554292](#2554292)
| With traditional bridges, a race condition occurs when Cumulus Linux tries to derive MAC addresses.
To work around this issue, use a static MAC address; specify a MAC address in the /etc/network/interfaces file under the bridge's stanza. | 4.2.1 | 4.3.0-4.4.5| | [2554258](#2554258)
| ifupdown2 removes the dhclient instance if DHCP times out. | 4.2.1 | 4.3.0-4.4.5| -| [2554253](#2554253)
| After upgrading the Mellanox SN2410 switch, the FAN is set to full speed. | 4.2.1 | 4.3.0-4.4.5| +| [2554253, 2554353](#2554253, 2554353)
| After upgrading the Mellanox SN2410 switch, the FAN is set to full speed. | 4.2.1 | 4.3.0-4.4.5| | [2554246](#2554246)
| When you back up and restore a configuration using the conf-backup utility, the switch might hang when rebooted. | 4.1.1-4.2.1 | 4.3.0-4.4.5| -| [2554222](#2554222)
| The NCLU command to enable bridge learning fails.
As a work around, enable bridge learning in the /etc/network/interface file. For example:

auto vni-30
iface vni-30
    vxlan-id 30
    bridge-access 30
    bridge-arp-nd-suppress on
    bridge-learning on
    vxlan-local-tunnelip 10.10.10.1
    mstpctl-bpduguard yes
    mstpctl-portbpdufilter yes
    mtu 9166
| 4.2.1-4.4.5 | | +| [2554222, 2614073](#2554222, 2614073)
| The NCLU command to enable bridge learning fails.
As a work around, enable bridge learning in the /etc/network/interface file. For example:

auto vni-30
iface vni-30
    vxlan-id 30
    bridge-access 30
    bridge-arp-nd-suppress on
    bridge-learning on
    vxlan-local-tunnelip 10.10.10.1
    mstpctl-bpduguard yes
    mstpctl-portbpdufilter yes
    mtu 9166
| 4.2.1-4.4.5 | | | [2554218](#2554218)
| MLAG packets received on the peer link are dropped instead of routed. | 4.2.0-4.4.5 | | -| [2554202](#2554202)
| The output of the net show commit command does not show the last commit or the specified commit number but is empty instead. | 4.2.1-4.4.5 | | +| [2554202, 2544880](#2554202, 2544880)
| The output of the net show commit command does not show the last commit or the specified commit number but is empty instead. | 4.2.1-4.4.5 | | | [2553989](#2553989)
| Default policer configured for LACP as an INPUT chain rule in 00control_plane.rules is meant to protect CPU from an LACP storm. When LACP storm is originating out of a single bond or bond member interface in a switch with multiple bond interfaces, there is a possibility of other LACP bond interface(s) going down. | 4.2.1-4.4.5 | | | [2553952](#2553952)
| On Mellanox Spectrum based switches running 4.1.0 or higher, if FORWARD chain ACLs are configured on the system, a switch port breakout action applied with a reload of the switchd service may cause switchd to crash. | 4.2.0-4.2.1 | 4.3.0-4.4.5| | [2553887](#2553887)
| When using TACACS+ configured with a DEFAULT user providing privilege level lower than 16, TACACS+ configured users with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del and see an error similar to the following:

ERROR: You do not have permission to execute that command.

To work around this issue, remove the DEFAULT user from the TACACS+ server. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | @@ -133,12 +133,12 @@ pdfhidden: True | [2553677](#2553677)
| When you configure an SNMPv3 user with the net-snmp-config configuration command from the libsnmp-dev package, you get an error message similar to the one below:

cumulus@switch:mgmt-vrf:~$ sudo net-snmp-config --create-snmpv3-user -a shaauthpass -x aesprivpass -A SHA -X AES userSHAwithAES
adding the following line to /var/lib/snmp/snmpd.conf:           
   createUser userSHAwithAES SHA "shaauthpass" AES "aesprivpass"       
adding the following line to /snmp/snmpd.conf:                           
   rwuser userSHAwithAES                                           
touch: cannot touch ‘/snmp/snmpd.conf’: No such file or directory
/usr/bin/net-snmp-create-v3-user: 144: /usr/bin/net-snmp-create-v3-user: cannot create /snmp/snmpd.conf: Directory nonexistent

To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:

cumulus@switch:mgmt-vrf:~$ net add snmp-server username user999 auth-md5 user999password encrypt-des user999encryption

Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation. | 3.7.13-3.7.16, 4.0.0-4.4.5 | | | [2553586](#2553586)
| Multicast traffic on a VPN is sent to remote VTEPs that are not part of the VPN and the remote VTEPs receive multicast traffic encapsulated in a VXLAN ID that doesn't exist.
To work around this issue, disable IGMP snooping on the switch. | 3.7.12-3.7.13, 4.0.0-4.2.1 | 3.7.14-3.7.16, 4.3.0-4.4.5| | [2553568](#2553568)
| After a MAC address moves from one remote VTEP to another, the MAC address continues to point to the old VTEP IP address in hardware. | 4.1.1-4.2.1 | 4.3.0-4.4.5| -| [2553529](#2553529)
| In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated.
To work around this issue, restart FRR with the sudo systemctl restart frr.service command.

| 3.7.10-3.7.13, 4.1.1-4.2.1 | 3.7.14-3.7.16, 4.3.0-4.4.5| +| [2553529, 2553349](#2553529, 2553349)
| In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated.
To work around this issue, restart FRR with the sudo systemctl restart frr.service command.

| 3.7.10-3.7.13, 4.1.1-4.2.1 | 3.7.14-3.7.16, 4.3.0-4.4.5| | [2553468](#2553468)
| Digital Optical Monitoring (DOM) Data is displayed incorrectly on SFP fiber modules inserted in the Fiberstore N8500-48B6C, Celestica Questone, and Celestica RedstoneV switches. | 4.2.0-4.2.1 | 4.3.0-4.4.5| | [2553449](#2553449)
| On the the Dell N3248-PXE switch, when you insert two PSUs at different times, the newly inserted PSU is detected as OK but the fan and temp sensors are ABSENT.
To work around this issue, remove power to both PSUs at the same time, then reinsert power simultaneously. | 3.7.12-3.7.13, 4.2.1 | 3.7.14-3.7.16, 4.3.0-4.4.5| -| [2553349](#2553349)
| When you delete a layer 2 VNI and VLAN, the layer 3 VNI reports an incorrect layer 2 VNI number.
To work around this issue, either restart FRR or delete the VNI interface first, then delete the VLAN/SVI. | 4.2.0-4.2.1 | 4.3.0-4.4.5| +| [2553349, 2553529](#2553349, 2553529)
| When you delete a layer 2 VNI and VLAN, the layer 3 VNI reports an incorrect layer 2 VNI number.
To work around this issue, either restart FRR or delete the VNI interface first, then delete the VLAN/SVI. | 4.2.0-4.2.1 | 4.3.0-4.4.5| | [2553278](#2553278)
| Leaked routes are sometimes missing from the destination VRF after a reboot. | 4.2.0-4.2.1 | 4.3.0-4.4.5| -| [2553237](#2553237)
| The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF.
NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF.

| 4.2.0-4.4.5 | | +| [2553237, 2552950](#2553237, 2552950)
| The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF.
NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF.

| 4.2.0-4.4.5 | | | [2553228](#2553228)
| On the Dell N3248PXE switch, RJ45 fixed copper ports that auto-negotiate with a 100M or 10M neighbor incorrectly negotiate a half-duplex link that generates errors. Half duplex modes are not supported on this platform. | 3.7.12-3.7.13, 4.2.1 | 3.7.14-3.7.16, 4.3.0-4.4.5| | [2553219](#2553219)
| You cannot configure SNMPv3 trap-destinations in non-default VRFs with an authentication username that contains fewer than eight characters. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2553118](#2553118)
| The Dell 100G-LR4 (Innolight) transceiver cannot link up due to a power budget exceeded error on the Mellanox SN4600C switch. | 4.2.0-4.2.1 | 4.3.0-4.4.5| @@ -148,7 +148,7 @@ pdfhidden: True | [2552880](#2552880)
| IPv6 TCP or UDP connections (sourcing from an ephemeral port in the range 34048 to 35071) are not forwarded if the switch has more than one layer 2 VNI defined. The traffic might be locally switched on the bridge and dropped.
To work around this issue, disable ARP/ND suppression to remove the internal ACL rule that affects the ports. | 3.7.13, 4.2.1 | 3.7.14-3.7.16, 4.3.0-4.4.5| | [2552869](#2552869)
| On the Dell N3048EP switch, the module information from SFP ports is not displayed in the l1-show command.
To work around this issue, use the ethtool -m command. | 3.7.13-4.2.1 | 4.3.0-4.4.5| | [2552853](#2552853)
| Tenant VRF BGP peers appear in the EVPN RMAC and nexthop tables, which causes the kernel RMAC to point at invalid IP address. | 3.7.12-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| -| [2552742](#2552742)
| On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.
To work around this issue, restart switchd. | 3.7.12-4.2.1 | 4.3.0-4.4.5| +| [2552742, 2553000, 2553936](#2552742, 2553000, 2553936)
| On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.
To work around this issue, restart switchd. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2552710](#2552710)
| The MLAG bonds on a secondary switch do not change to a unique MAC address on the peerlink. As a result, a backup double failure can occur where both peers go down. | 4.2.0-4.2.1 | 4.3.0-4.4.5| | [2552704](#2552704)
| In a traditional bridge configuration with ip-forward off, neighbors are synchronized to hardware with a switchd restart but are cleared when you flap the bridge interface. | 3.7.10-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| | [2552691](#2552691)
| On the EdgeCore AS4610 switch, the eth0 interface remains down when physically connected to a 1G interface.
To work around this issue, configure the link speed to 1000 and set auto-negotiation on for the eth0 interface, then flap eth0 with the ip link set eth0 down/up command to bring up the port. | 4.2.0-4.4.5 | | @@ -158,7 +158,7 @@ pdfhidden: True | [2552354](#2552354)
| On the Mellanox SN4700 switch, you might see _Bad signal integrity_ issues on 200G and 400G ports. | 4.2.1 | 4.3.0-4.4.5| | [2552309](#2552309)
| The following messages are seen on an Edgecord Minipack-AS8000 running Cumulus Linux 4.2.0:


Hal_bcm_console.c:294 MMU config profile 0 prigroup 0: Service Pool 0 has no space and cannot be assigned
Hal_bcm_console.c:294 MMU config port 0 idx 0: Pool 0 has no space and cannot be assigned


These messages are for internal validation purposes only and can be safely ignored.

| 4.2.0-4.4.5 | | | [2552294](#2552294)
| NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command.
| 3.7.12-3.7.16, 4.0.0-4.4.5 | | -| [2552212](#2552212)
| The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages. | 3.7.11-3.7.14, 4.1.1-4.3.0 | 3.7.14.2-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5| +| [2552212, 2553637](#2552212, 2553637)
| The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages. | 3.7.11-3.7.14, 4.1.1-4.3.0 | 3.7.14.2-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5| | [2551873](#2551873)
| If you have an existing community list of any type, redefining the same sequence number results in the entire community list being deleted.
To work around this issue, delete the community list sequence before trying to adjust it. | 4.2.0-4.2.1 | 4.3.0-4.4.5| | [2551747](#2551747)
| In OVSDB high availability mode, deleting > 200 VLAN bindings might cause ovs-vtepd to crash. Limit the deletion to 200 or fewer VLAN bindings. | 3.7.12-3.7.13, 4.0.0-4.2.1 | 3.7.14-3.7.16, 4.3.0-4.4.5| | [2551687](#2551687)
| When you run cl-ecmpcalc to determine a hardware hash result, tests might fail. | 4.2.0-4.2.1 | 4.3.0-4.4.5| @@ -174,7 +174,7 @@ pdfhidden: True | [2551124](#2551124)
| When the dynamic or static flag on a bridge fdb (MAC) entry is changed to the opposite state, the new flag is not set appropriately in hardware. This can allow a static fdb entry to be unexpectedly learned dynamically on a different interface, or can prevent a dynamic entry from being updated or learned elsewhere.
This condition can occur during a manual replacement of a local MAC address or when EVPN updates a dynamic MAC address to add or remove the Sticky Mac flag. Either situation results in the MAC address keeping the original flag in hardware.
To work around this issue, delete or withdraw the fdb entry, then add the static MAC address directly. For example:

bridge fdb del 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master
bridge fdb add 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master [ static \| dynamic ]

If you are unable to delete an EVPN-learned remote MAC address, you can replace the dynamic MAC address with a local static one, then delete the static MAC address. For example:

bridge fdb replace 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master static
bridge fdb del 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master
bridge fdb add 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master [ static \| dynamic ]
| 4.0.0-4.2.1 | 4.3.0-4.4.5| | [2551111](#2551111)
| If a remote EVPN Sticky MAC [Static MAC address] is unexpectedly learned dynamically on a local interface, the selected entries in zebra and BGP are in an inconsistent state.
zebra increments the local MAC mobility sequence number and considers the MAC address to be local, but BGP maintains the remote Sticky MAC as the best path selected. This results in zebra installing the local MAC address and BGP not updating the route for the MAC address. | 4.0.0-4.4.5 | | | [2550974](#2550974)
| On the Dell S3000 switch, after installing the Cumulus Linux 4.1.1 disk image without a license, the switch sends a link beat if a remote host port is configured. | 3.7.11-3.7.16, 4.1.1-4.4.5 | | -| [2550973](#2550973)
| After you enable ROCE with the net add interface storage-optimized pfc command, you cannot verify the command because it is not shown in the net show config command output. | 4.1.1-4.2.1 | 4.3.0-4.4.5| +| [2550973, 2548408](#2550973, 2548408)
| After you enable ROCE with the net add interface storage-optimized pfc command, you cannot verify the command because it is not shown in the net show config command output. | 4.1.1-4.2.1 | 4.3.0-4.4.5| | [2550906](#2550906)
| After you delete a bond, the deleted bond members have the deleted bond MAC address instead of their original MAC address, which might result in traffic being discarded.
To work around this issue, perform a full switch restart. | 4.1.1-4.2.1 | 4.3.0-4.4.5| | [2550796](#2550796)
| On a Broadcom switch with the Trident2+ ASIC, ACL rules for VLANs are not applied after a reboot and the counters remain at zero.
To work around this issue, either do not set acl.non_atomic_update_mode = TRUE in the /etc/cumulus/switchd.conf file or run the cl-acltool -i command after the reboot to install the ACLs. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2550793](#2550793)
| The NCLU net show bridge spanning-tree command displays the aging timer incorrectly. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | @@ -199,10 +199,10 @@ pdfhidden: True | [2549225](#2549225)
| You might see the following gport error messages in switchd.log:

2020-04-10T19:50:01.011224+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x800007a find failed
2020-04-10T19:50:01.011631+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x8000009 find failed

These messages are harmless and can be ignored. | 3.7.12-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| | [2548930](#2548930)
| On Mellanox Spectrum switches that contain an OSPF IP unnumbered neighborship with a high scale of prefixes being learned, a link flap might cause the neighbor entry to not be programmed in hardware. | 3.7.11-4.2.1 | 4.3.0-4.4.5| | [2548924](#2548924)
| On the EdgeCore Minipack AS8000, storm control does not restrict unknown unicast, broadcast, or multicast traffic. | 4.1.1-4.4.5 | | -| [2548672](#2548672)
| When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.
To work around this issue, remove the unnecessary eBGP IPv4 peering. | 3.7.12-3.7.15, 4.0.0-4.2.1 | 3.7.16, 4.3.0-4.4.5| +| [2548672, 2555635](#2548672, 2555635)
| When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.
To work around this issue, remove the unnecessary eBGP IPv4 peering. | 3.7.12-3.7.15, 4.0.0-4.2.1 | 3.7.16, 4.3.0-4.4.5| | [2548657](#2548657)
| When you upgrade Cumulus Linux on the EdgeCore AS7726-32X or AS7326-56X switch, you might see firmware errors similar to the following:

W: Possible missing firmware /lib/firmware/tigon/tg3_tso5.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3_tso.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3.bin for module tg3

You can safely ignore these error messages. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2548485](#2548485)
| If you configure the aggregate-address
summary-only option before injecting a component of the same aggregate into the BGP table with the network or redistribute command, when you remove the aggregate-address configuration, the component stays suppressed; it is not advertised to peers. For example:Existing configuration:
router bgp 1
address-family ipv4 unicast
 aggregate-address 50.0.0.0/8 summary-only
exit-address-family
If you add network 50.0.0.1/32, you see the following (expected) BGP table entries:
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
             i internal, r RIB-failure, S Stale, R RemovedOrigin codes: i - IGP, e - EGP, ? - incomplete
  Network          Next Hop            Metric LocPrf Weight Path*> 50.0.0.0         0.0.0.0                            32768 is> 50.0.0.1/32      0.0.0.0                  0         32768 i
Removing aggregate-address 50.0.0.0/8 summary-only at this point results in the following (unexpected) BGP table entry:
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
             i internal, r RIB-failure, S Stale, R RemovedOrigin codes: i - IGP, e - EGP, ? - incomplete
  Network          Next Hop            Metric LocPrf Weight Paths> 50.0.0.1/32      0.0.0.0                  0         32768 i
To work around this issue, remove, then re-add the component prefix routes. | 3.7.12-4.2.1 | 4.3.0-4.4.5| -| [2548408](#2548408)
| net show configuration commands does not show the RoCE net add interface storage-optimized pfc configuration. | 4.1.0-4.2.1 | 4.3.0-4.4.5| +| [2548408, 2550973](#2548408, 2550973)
| net show configuration commands does not show the RoCE net add interface storage-optimized pfc configuration. | 4.1.0-4.2.1 | 4.3.0-4.4.5| | [2548310](#2548310)
| When the system boots, we might see " cumulus systemd-udevd[7566]: Process '/usr/bin/hw-management-thermal-events.sh add thermal_zone /sys /devices/virtual/thermal/thermal_zone25 thermal_zone25' failed with exit code 1" errors.

These errors are result of user space acting on kernel events a bit slow. The mlxsw_minimal driver is added during kernel boot; An SDK reset causes the driver to be deleted and re-instantiated; User space handler for thermal zone add sees the add first; But the underlying device is deleted before it can act on it. This situation is rectified as the mlxsw_minimal driver is re-instantiated later;
| 4.1.0-4.4.5 | | | [2548260](#2548260)
| The net add routing route-map permit set community command does not add the set statement into the /etc/frr/frr.conf file. | 4.0.0-4.4.5 | | | [2548243](#2548243)
| On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules. | 3.7.3-3.7.16, 4.0.0-4.4.5 | | @@ -211,7 +211,7 @@ pdfhidden: True | [2548044](#2548044)
| When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor. | 3.7.12-3.7.15, 4.0.0-4.4.5 | 3.7.16| | [2547890](#2547890)
| QinQ across VXLAN on a traditional bridge does not work. | 4.1.0-4.4.5 | | | [2547782](#2547782)
| If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2547706](#2547706)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2547706, 2544456, 2549513](#2547706, 2544456, 2549513)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2547405](#2547405)
| When you restart the hsflowd service, you see a systemd warning message similar to the following:

Warning: The unit file, source configuration file or drop-ins of hsflowd@mgmt.service changed on disk. Run 'systemctl daemon-reload'.
| 4.0.0-4.4.5 | | | [2547120](#2547120)
| After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number), until you run the decode-syseeprom --init command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2547068](#2547068)
| Hardware platforms using the Intel D-1500 CPU series might reboot unexpectedly
To work around this issue, contact your hardware vendor to inquire if a new version of BIOS with a microcode fix is available or manually disable CPU C-states in the kernel as outlined below
To permanently disable C-states using a kernel boot parameter:1. Edit /etc/default/grub to add the argument processor.max_cstate=0 to the variable GRUB_CMDLINE_LINUX. For example, if /etc/default/grub file contains the line GRUB_CMDLINE_LINUX="cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off", change it to GRUB_CMDLINE_LINUX="cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off processor.max_cstate=0"2. Run sudo update-grub
3. Reboot the system with sudo reboot
To disable cstates in realtime on the current system, which does not persist through a reboot:1. Confirm that the libpci3 package is installed. Run dpkg-query -l libpci3 and confirm the following line is displayed:ii libpci3:amd64 1:3.2.1-3 amd64 Linux PCI Utilities (shared library)The first field above should read ii. If not, install the libpci3 package by running sudo apt upgrade;sudo apt install libpci3
2. Disable C-states by running the command ./cpupower idle-set -d 2
C-states are disabled by default in Cumulus Linux 4.3.0 and later. | 3.7.9-4.2.1 | 4.3.0-4.4.5| @@ -219,8 +219,8 @@ pdfhidden: True | [2546895](#2546895)
| If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:
bq. systemd[1]: switchd.service watchdog timeout (limit 2min)!
To workaround this issue, either reduce the number of configured interfaces and, or VLANs, or increase the systemd timeout for switchd.service
To increase the systemd timeout:1.Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter
2.Restart the switchd service with the sudo systemctl restart switchd.service command
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546874](#2546874)
| On the Dell S5232F, S5248F, S5296F, and S3048 switch, using the poweroff or halt commands does not fully power off the switch. | 4.0.0-4.4.5 | | | [2546255](#2546255)
| On the EdgeCore Minipack-AS8000 switch, a 100G DAC link does not come up when auto-negotiation is enabled on the neighbor. This switch does not support 100G DAC auto-negotiation at this time. | 4.0.0-4.4.5 | | -| [2546225](#2546225)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2546131](#2546131)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546225, 2541038](#2546225, 2541038)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546131, 2542979](#2546131, 2542979)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2545837](#2545837)
| If you use the NCLU commands to configure NTP and run the net add time ntp source command before you run the net add time ntp server iburst command, the /etc/ntp.conf file is misconfigured.
To work around this issue, run the net add time ntp server iburst command before you run the net add time ntp source command. | 3.7.10-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2545520](#2545520)
| The length of the netlink message is not set properly for non-bridge family type messages. The same length is used for both bridge and non-bridge even though the bridge family type message has an extra attribute. This causes extra bytes to be left over in non-bridge family type netlink messages. | 3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2545239](#2545239)
| On the Mellanox switch with the Spectrum-2 ASIC, Precision Time Protocol (PTP) is not currently supported. | 4.0.0-4.3.4 | 4.4.0-4.4.5| @@ -230,23 +230,23 @@ pdfhidden: True | [2544968](#2544968)
| FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:

sudo sh -c "printf 'interface 50\nvrf TEST description L3 routing interface\n' >> /etc/frr/frr.conf"

should be:

sudo sh -c "printf 'interface 50 vrf TEST\ndescription L3 routing interface\n' >> /etc/frr/frr.conf"

To work around this issue, configure the interface manually in the /etc/frr/frr.conf file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544957](#2544957)
| NCLU incorrectly allows you to apply port security configuration on layer 2 and layer 3 ports that are not part of a bridge. | 4.0.0-4.4.5 | | | [2544953](#2544953)
| When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.
To work around this issue, run the sudo systemctl restart lldpd.service command. | 3.7.10-3.7.16, 4.0.0-4.4.5 | | -| [2544880](#2544880)
| When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. | 4.0.0-4.4.5 | | +| [2544880, 2544616, 2554202](#2544880, 2544616, 2554202)
| When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. | 4.0.0-4.4.5 | | | [2544723](#2544723)
| Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2544463](#2544463)
| Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | -| [2544456](#2544456)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | +| [2544456, 2546166, 2546167, 2547706, 2549513](#2544456, 2546166, 2546167, 2547706, 2549513)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544311](#2544311)
| Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544155](#2544155)
| NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order.

| 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544113](#2544113)
| Mac learning is not disabled by default on a double tagged peer link interface resulting in the MAC address changing between the MLAG bond and the peer link.
To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the etc/network/interfaces file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2543937](#2543937)
| An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause a FRR reload to time out.
To work around this issue, remove the interface alias description from iproute2. | 3.7.8-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543915](#2543915)
| When you enable a service in the management VRF, systemctl issues a warning similar to the following:
Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run 'systemctl daemon-reload' to reload unit
You can safely ignore this warning. | 4.0.0-5.9.5 | 5.10.0-5.16.1| | [2543900](#2543900)
| On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | | -| [2543841](#2543841)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | +| [2543841, 2544947](#2543841, 2544947)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | | [2543816](#2543816)
| On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages.
| 3.7.6-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2543781](#2543781)
| NCLU does not allow you to configure OSPF NSSAs. For example: 

cumulus@switch:~$ net add ospf area 0.0.0.1 nssa 
ERROR: Command not found. 
net add ospf area 0.0.0.1 nssa

To work around this issue, use FRR instead. For example: 

switch# configure terminal 
switch(config)# router ospf 
switch(config-router)# area 0.0.0.1 nssa
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543724](#2543724)
| If a hostname contains utf-8 characters, the NCLU net show lldp command outputs the following error: 

ERROR: 'ascii' codec can't encode character u'\xe9' in position 3: ordinal not in range(128) 
See /var/log/netd.log for more details.
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543647](#2543647)
| ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:

-A FORWARD -i vni10 -j erspan --src-ip 100.1.1.2 --dst-ip 100.1.1.1 --ttl 64
| 3.7.6-4.2.1 | 4.3.0-4.4.5| | [2543646](#2543646)
| In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | | -| [2543401](#2543401)
| On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. | 4.0.0-4.4.5 | | +| [2543401, 2543014](#2543401, 2543014)
| On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. | 4.0.0-4.4.5 | | | [2543211](#2543211)
| In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2543164](#2543164)
| The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2543096](#2543096)
| When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | @@ -261,7 +261,7 @@ pdfhidden: True | [2540352](#2540352)
| When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a _match interface_ condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9 
net add routing route-map Proxy-ARP permit 30 match interface swp10

| 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2540340](#2540340)
| NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example: 
 
 cumulus@switch:~$ net add vrf mgmt

Tab completion for the net add vrf ip address
command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540274](#2540274)
| On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | -| [2540204](#2540204)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540204, 2713883](#2540204, 2713883)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540192](#2540192)
| The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540155](#2540155)
| On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2540042](#2540042)
| When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example: 
 
cumulus@switch:~$ sudo vtysh 
switch# configure terminal 
switch(config)# interface br0.100 
switch(config-if)# vrrp 1 priority 110 
switch(config-if)# vrrp 1 advertisement-interval 
switch(config-if)# end 
switch# write memory 
switch# exit 
cumulus@switch:~

| 3.7.4-3.7.16, 4.0.0-4.4.5 | | @@ -277,7 +277,7 @@ pdfhidden: True | [2538562](#2538562)
| On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.
After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.
To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.
Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G. | 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2538294](#2538294)
| If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2537699](#2537699)
| There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces: 
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
| 3.7.1-3.7.16, 4.0.0-4.4.5 | | -| [2537544](#2537544)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2537544, 2537365](#2537544, 2537365)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | | [2536576](#2536576)
| If you try to bring down several members of a bond remotely at the same time, the link state of one of the interfaces might not transition correctly to the down state; however, all links show down in hardware.
| 4.0.0-4.4.5 | | | [2536384](#2536384)
| The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2536256](#2536256)
| For an unresolved address, the IPROUTER default policer rule has been modified to _not_ match on packets exiting a TUNNEL and headed to the CPU to resolve the address via ARP. As a result, the following default rule no longer matches TUNNEL ingress packets. 
 
A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type 
IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100

These packets are now policed by catch all rules.
To work around this issue, the VPORT value on a TRIDENT switch must be changed from binary 011 to 100.
| 4.0.0-4.4.5 | | @@ -288,7 +288,7 @@ pdfhidden: True | [2535723](#2535723)
| The source address of the ICMPv6 time exceeded message (traceroute hop) is sourced from the wrong VRF when the traceroute target resides on the same switch but in a different VRF. | 4.0.0-4.4.5 | | | [2535605](#2535605)
| FRR does not add BGP ttl-security to either the running configuration or to the /etc/frr/frr.conf file when configured on a peer group instead of a specific neighbor.
To work around this issue, add ttl-security to individual neighbors instead of the peer group. | 4.0.0-4.4.5 | | | [2535209](#2535209)
| The net show lldp command sometimes shows the port description in the Remote Port field. The net show interface command shows the correct value in the Remote Host field.
To work around this issue, use net show interface command for LLDP output when connected to Cisco equipment. | 3.7.5-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| -| [2534977](#2534977)
| On the Mellanox switch, the destination MAC address of ERSPAN GRE packets is set to all zeros; therefore, the first transit switch might drop packets. | 4.0.0-4.2.1 | 3.7.14-3.7.16, 4.3.0-4.4.5| +| [2534977, 2535424](#2534977, 2535424)
| On the Mellanox switch, the destination MAC address of ERSPAN GRE packets is set to all zeros; therefore, the first transit switch might drop packets. | 4.0.0-4.2.1 | 3.7.14-3.7.16, 4.3.0-4.4.5| | [2534734](#2534734)
| Span rules matching the out-interface as a bond do not mirror packets. | 4.0.0-4.4.5 | | | [2533691](#2533691)
| If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict.
To work around this issue, correct the bridge VIDs and restart switchd or delete the subinterface. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2533625](#2533625)
| PIM and MSDP entries are set to the internal COS value of 6 so they are grouped together with the bulk traffic priority group in the default traffic.conf file. However, PIM, IGMP, and MSDP are considered control-plane and should be set to the internal COS value of 7. | 4.0.0-4.4.5 | | @@ -299,12 +299,12 @@ pdfhidden: True | Issue ID | Description | Affects | |--- |--- |--- | | [2556037](#2556037)
| After you add an interface to the bridge, an OSPF session flap might occur
| 3.7.9-4.2.0 | | -| [2553301](#2553301)
| Certain IPv6 routes may be present in the kernel but missing in hardware, and you may also see the following log messages in /var/log/switchd.log:sync_route.c 5255 WARN 3 routes reverted to non-ECMP due to NH table capacityeven though cl-resources-query does not reflect that the ECMP NH table is full. The reason is that a temporary/artificial ECMP container exhaustion occurs due to a churn in routes and how switchd cleans up the routes, nexthops and RIFs. While performing this route cleanup operation, if switchd tries to delete a RIF and is unable to (since there are ECMP next-hops pointing to it which are yet to be deleted) it puts the RIF in a pending list. So, as a result, all of the ECMP next-hops pointing to the RIF also would be pending deletion. As a result, RIFs and dependent ECMP next-hops linger on the pending list until the next RIF sync is done, at which point the next-hops are freed up and the routes get installed as expected. | 4.2.0 | | +| [2553301, 2754876](#2553301, 2754876)
| Certain IPv6 routes may be present in the kernel but missing in hardware, and you may also see the following log messages in /var/log/switchd.log:sync_route.c 5255 WARN 3 routes reverted to non-ECMP due to NH table capacityeven though cl-resources-query does not reflect that the ECMP NH table is full. The reason is that a temporary/artificial ECMP container exhaustion occurs due to a churn in routes and how switchd cleans up the routes, nexthops and RIFs. While performing this route cleanup operation, if switchd tries to delete a RIF and is unable to (since there are ECMP next-hops pointing to it which are yet to be deleted) it puts the RIF in a pending list. So, as a result, all of the ECMP next-hops pointing to the RIF also would be pending deletion. As a result, RIFs and dependent ECMP next-hops linger on the pending list until the next RIF sync is done, at which point the next-hops are freed up and the routes get installed as expected. | 4.2.0 | | | [2553115](#2553115)
| On the Mellanox SN4700 switch, certain port speeds operate in both NRZ and PAM4 mode. However, Cumulus Linux currently supports only one of the two possible modes listed below. Use the optics accordingly.
* Port speeds 40G, 2x40G, 50G, 2x50G, 100G, 2x100G work in NRZ mode.
* Port speeds 4x50G, 8x50G, 4x100G, 200G, 2x200G, 400G work in PAM4 mode. | | | | [2552855](#2552855)
| FDB entries with type _static_ are installed in hardware as dynamic entries with no aging instead of truly static, which might result in the entries being occasionally flushed from hardware and the kernel. For example, this might happen when a port is in the STP Blocking state during a MAC sync. | 4.2.0 | | | [2552646](#2552646)
| When you add a member to a bond that has a subinterface configured (such as peerlink.4094), the new member is assigned only the VLAN of the subinterface for forwarding.
To work around this issue, bounce the bond or shutdown the new interface and use the remaining members over the bond. | 3.7.10-3.7.13, 4.2.0 | | | [2552524](#2552524)
| If you edit a Cumulus Linux install image directly and provide a ZTP script within the "CL_INSTALLER_ZTP_CONTENT" variable, the ZTP shell script fails to run. | 4.2.0 | | -| [2552505](#2552505)
| Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports.
To work around this issue, manually set the MAC address of the bridge interface by adding hwaddress to the bridge stanza in the /etc/network/interfaces file. | 3.7.11-3.7.13, 4.0.0-4.2.0 | | +| [2552505, 2552604](#2552505, 2552604)
| Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports.
To work around this issue, manually set the MAC address of the bridge interface by adding hwaddress to the bridge stanza in the /etc/network/interfaces file. | 3.7.11-3.7.13, 4.0.0-4.2.0 | | | [2552452](#2552452)
| When a bond name is too long, ifupdown2 creates the bond devices in the kernel with truncated names. | 4.2.0 | | | [2552204](#2552204)
| If the MAC address of an SVI changes, clagd does not update its permanent neighbor entry for the local interface, and it does not report the change to its MLAG peer. This leaves the MLAG peer in a state where its permanent neighbor for the MLAG peer's SVI IP address continues to use the old MAC address, which causes routed traffic over this SVI to be dropped.
To work around this issue, ifdown/ifup the SVI when a MAC address changes. | 3.7.12-3.7.13, 4.0.0-4.2.0 | | | [2551911](#2551911)
| ifupdown2 does not account for link status or link down configuration when running dhclient. For example, ifupdown2 ignores link-down yes during ifup/ifreload and runs the DHCP module if inet dhcp is configured on the interface. ifupdown2 also runs the DHCP module even when the physical link configured for DHCP is down. | 3.7.12-4.2.0 | | @@ -319,7 +319,7 @@ pdfhidden: True | [2551650](#2551650)
| The net show dot1x interface summary command output shows a MAC address with all zeros associated with a port. | 3.7.12-3.7.13, 4.0.0-4.2.0 | | | [2551507](#2551507)
| After adding an interface to a VRF, the routing information field (RIF) is missing. | 4.2.0 | | | [2551290](#2551290)
| Non SFF-8634/SFF-8636 compliant 40G AOC modules might not link up when inserted into the Mellanox SN3700 switch. The EEPROM bytes for RX amplitude control (page 03h, bytes #236-239) are defined as volatile in the SFF specification (SFF-8634/8636); after the module power is off, the EEPROM values should return to their defaults. However, these bytes are observed to be non-volatile in the modules listed below.
- Mellanox MFP4R12CB-0XX (Luxtera)
- AVAGO AFBR-79Q4PACXXZ

https://www.finisar.com/sites/default/files/downloads/fcbg410qb1cxx_quadwire_40gbs_parallel_active_optical_cable_product_spec_revb7.pdf
https://www.mouser.com/ProductDetail/Finisar/FCBN410QB1C03?qs=D%252B6gCNt%2Fg2BZq7qPdKrYVA%3D%3D
Because the modules listed above do not return to their default values correctly when they are unplugged and re-inserted, a cable might become unusable until it is reprogramed. | 4.1.1-4.2.0 | | -| [2551162](#2551162)
| switchd memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time.
To work around this issue, correct the cause of the frequent link flaps. You can restart switchd with the sudo systemctl restart switchd command to recover memory; this operation is impactful to all traffic on the switch during the restart. | 3.7.11-3.7.12, 4.0.0-4.2.0 | | +| [2551162, 2550590](#2551162, 2550590)
| switchd memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time.
To work around this issue, correct the cause of the frequent link flaps. You can restart switchd with the sudo systemctl restart switchd command to recover memory; this operation is impactful to all traffic on the switch during the restart. | 3.7.11-3.7.12, 4.0.0-4.2.0 | | | [2550942](#2550942)
| NCLU tab completion for net show displays the text add help text instead of system Information for the system option. | 3.7.11-4.2.0 | | | [2550872](#2550872)
| In an MLAG configuration with static VXLAN, static tunnels become unreachable. | 3.7.13, 4.1.1-4.2.0 | | | [2550605](#2550605)
| A VRRP role change over the EVPN network causes excessive BGP updates and connectivity issues to VIP for about one minute. | 4.1.1-4.2.0 | | @@ -356,10 +356,10 @@ pdfhidden: True | [2866084](#2866084)
| When you reboot a VTEP, MAC address entries might become out of sync between the kernel FDB table and the EVPN MAC VNI table on remote VTEPs. The impacted MAC entries are installed against the rebooted VTEP IP address in the kernel FDB and the correct VTEP IP is present in the EVPN MAC VNI table. To work around this issue, clear all corrupted MAC address entries in the kernel FDB with the bridge fdb del
dev [dst\|via] command, then add "vxlan-learning": "off" in the /etc/network/ifupdown2/policy.d/vxlan.json file:
$ cat /etc/network/ifupdown2/policy.d/vxlan.json
  {
       "vxlan": {
           "module_globals": { "vxlan-purge-remotes": "no" },
           "defaults": {
               "vxlan-ageing": "1800",
               "vxlan-port": "4789", <==== This comma needs to be added at the end of this line
               "vxlan-learning": "off" <= This line needs to be added
            }
       }
  }
Reboot the affected switches. | 3.7.12-4.3.0 | 4.3.1-4.4.5| | [2792750](#2792750)
| If you change the clagd-vxlan-anycast-ip setting on both MLAG peers at the same time, both peers use their unique VTEP address indefinitely. | 3.7.15-4.3.0, 4.4.0-4.4.5 | 4.3.1| | [2754723](#2754723)
| When you set route_preferred_over_neigh to FALSE in the /etc/cumulus/switchd.conf file, host routes (/32 or /128) are used for forwarding in hardware instead of a local neighbor entry. | 4.0.0-4.3.0, 4.4.0-4.4.1 | 4.3.1, 4.4.2-4.4.5, 5.0.0-5.16.1| -| [2743186](#2743186)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| +| [2743186, 2734100, 2731464, 3438708](#2743186, 2734100, 2731464, 3438708)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| | [2730225](#2730225)
| When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs. | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.2-4.4.5| -| [2716822](#2716822)
| The /etc/cumulus/ports.conf file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports. | 3.7.15-4.3.0 | 4.3.1-4.4.5| -| [2713888](#2713888)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| +| [2716822, 2710844](#2716822, 2710844)
| The /etc/cumulus/ports.conf file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports. | 3.7.15-4.3.0 | 4.3.1-4.4.5| +| [2713888, 2834357](#2713888, 2834357)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| | [2699399](#2699399)
| When you run the vtysh show ip bgp vrf statistics command, the bgpd service crashes if you use vrf all. For example:
spine01# show ip bgp vrf all statistics 
vtysh: error reading from bgpd: Success (0)Warning: closing connection to bgpd because of an I/O error!

spine01# show bgp vrf all ipv6 unicast statistics 
vtysh: error reading from bgpd: Success (0)Warning: closing connection to bgpd because of an I/O error!

To workaround this issue, run the command against each VRF independently. | 3.7.15, 4.0.0-4.4.5 | 3.7.16| | [2687332](#2687332)
| When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage
To workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:
address-family ipv4 unicast
  aggregate-address 10.10.0.0/16 summary-only
  redistribute connected
After:
ip route 10.10.0.0/16 Null0
  !
  address-family ipv4 unicast
  redistribute connected route-map DENY-COMPONENTS
  redistribute static
   exit-address-family
  ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17
  !
  route-map DENY-COMPONENTS deny 10
   match ip address prefix-list NO-COMPONENTS
  !
  route-map DENY-COMPONENTS permit 20
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2685994](#2685994)
| When you use the NVUE command nv set interface lo router ospf area to configure OSPF on a loopback interface, the configuration fails to apply
To work around this issue, configure the loopback interface in the desired OSPF area with the nv set vrf default router ospf area 0 network command and reference the assigned prefix of the loopback interface. For example:
cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32
| 4.0.0-5.0.1 | 5.1.0-5.16.1| @@ -372,13 +372,13 @@ pdfhidden: True | [2556500](#2556500)
| Cumulus Linux does not support bond members at 200G or greater. | 4.0.0-4.3.4 | 4.4.0-4.4.5| | [2556081](#2556081)
| You cannot set the time zone can with NCLU commands. | 4.1.1-4.4.5 | | | [2556037](#2556037)
| After you add an interface to the bridge, an OSPF session flap might occur
| 3.7.9-4.2.0 | 4.2.1-4.4.5| -| [2556010](#2556010)
| On Broadcom switches, after repeated VLAN or VXLAN configuration changes, switchd memory might not free up appropriately, which can lead to a crash. | 3.7.14, 4.0.0-4.2.1 | 3.7.14.2-3.7.16, 4.3.0-4.4.5| +| [2556010, 2556276](#2556010, 2556276)
| On Broadcom switches, after repeated VLAN or VXLAN configuration changes, switchd memory might not free up appropriately, which can lead to a crash. | 3.7.14, 4.0.0-4.2.1 | 3.7.14.2-3.7.16, 4.3.0-4.4.5| | [2555531](#2555531)
| QinQ (802.1Q) packets routed to a layer 3 subinterface are still double tagged with the VLAN of the subinterface and the original inner VLAN when they leave the subinterface. | 4.2.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| | [2555528](#2555528)
| In an EVPN Active/Active configuration, when one of the peers reboots and begins to refresh IP neighbor entries shared by the MLAG peer, some of these ARP messages might be dropped by the MLAG peer's ARP policer.
To work around this issue, increase the burst value of the ARP policers to 200 or higher. | 3.7.14-4.2.1 | 4.3.0-4.4.5| | [2555492](#2555492)
| On Broadcom switches, when WARN level switchd log messages are generated, switchd might crash resulting in a core file generated on the system. | 4.2.0-4.2.1 | 3.7.14.2-3.7.16, 4.3.0-4.4.5| | [2555484](#2555484)
| ospf6d restarts when you run the NCLU net show ospf6 databse command or the vtysh show ipv6 ospf6 database command. | 4.2.0-4.2.1 | 4.3.0-4.4.5| | [2555400](#2555400)
| On the Edgecore AS7312 switch, eth0 and swp use the same MAC address. | 3.7.14-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| -| [2555175](#2555175)
| Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. | 3.7.15-4.3.1 | 4.3.2-4.4.5| +| [2555175, 3195351, 2672721](#2555175, 3195351, 2672721)
| Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. | 3.7.15-4.3.1 | 4.3.2-4.4.5| | [2554990](#2554990)
| When running traditional mode bridges at scale (for example, when you have more than 200 bridges and a large number of MAC addresses), MLAG bonds flap intermittently from dual to single connected, then back to dual connected, which causes a layer 2 loop and STP state changes.
To work around this issue, either shut down one side of the MLAG bond or prune out VLANS over the bond. | 3.7.13-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| | [2554798](#2554798)
| On the Mellanox SN3700C switch, PIM multicast packets are duplicated at the egress VTEP. | 4.2.0-4.3.4 | 4.4.0-4.4.5| | [2554785](#2554785)
| After you reboot a Broadcom switch, switchd might fail to restart and you see logs in switchd.log similar to the following:
Nov 12 12:20:05.063876 leaf01 switchd[9867]:Nov 12 12:20:05.064310 leaf01 switchd[9867]: hal_bcm_console.c:294 0:system_init:Nov 12 12:20:05.064428 leaf01 switchd[9867]: hal_bcm_console.c:294 system_init: Misc init failed: Operation timed outNov 12 12:20:05.064464 leaf01 switchd[9867]:Nov 12 12:20:05.091995 leaf01 switchd[9867]: hal_bcm_console.c:294 LED: Loading 256 bytes into LED program memoryNov 12 12:20:05.092029 leaf01 switchd[9867]:Nov 12 12:20:05.099547 leaf01 switchd[9867]: hal_bcm_console.c:294 PORT: Error: bcm ports not initializedNov 12 12:20:05.099579 leaf01 switchd[9867]:Nov 12 12:20:05.099646 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /var/lib/cumulus/rc.datapath_0: line 81 (error code -1): script terminatedNov 12 12:20:05.099667 leaf01 switchd[9867]:Nov 12 12:20:05.099775 leaf01 switchd[9867]: hal_bcm_console.c:294 Error: file /etc/bcm.d/rc.soc: line 70 (error code -1): script terminatedNov 12 12:20:05.099798 leaf01 switchd[9867]:Nov 12 12:20:05.099871 leaf01 switchd[9867]: hal_bcm_console.c:294 ERROR loading rc script on unit 0Nov 12 12:20:05.099892 leaf01 switchd[9867]:Nov 12 12:20:05.099943 leaf01 switchd[9867]: hal_bcm_console.c:299 CRIT loading of rc script failed, aborting!
To work around this issue, configure Cumulus Linux to boot with the ntel_iommu=off kernel command option:1. Open the /etc/default/grub file with a text editor
2. Edit the GRUB_CMDLINE_LINUX variable by adding the string intel_iommu=off at the end. For example: GRUB_CMDLINE_LINUX="cl_platform=cel_e1031 console=ttyS1,115200n8 intel_iommu=off"3. Run the update-grub command
4. Reboot the switch. | 3.7.11-4.2.1 | 4.3.0-4.4.5| @@ -398,12 +398,12 @@ pdfhidden: True | [2553677](#2553677)
| When you configure an SNMPv3 user with the net-snmp-config configuration command from the libsnmp-dev package, you get an error message similar to the one below:

cumulus@switch:mgmt-vrf:~$ sudo net-snmp-config --create-snmpv3-user -a shaauthpass -x aesprivpass -A SHA -X AES userSHAwithAES
adding the following line to /var/lib/snmp/snmpd.conf:           
   createUser userSHAwithAES SHA "shaauthpass" AES "aesprivpass"       
adding the following line to /snmp/snmpd.conf:                           
   rwuser userSHAwithAES                                           
touch: cannot touch ‘/snmp/snmpd.conf’: No such file or directory
/usr/bin/net-snmp-create-v3-user: 144: /usr/bin/net-snmp-create-v3-user: cannot create /snmp/snmpd.conf: Directory nonexistent

To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:

cumulus@switch:mgmt-vrf:~$ net add snmp-server username user999 auth-md5 user999password encrypt-des user999encryption

Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation. | 3.7.13-3.7.16, 4.0.0-4.4.5 | | | [2553586](#2553586)
| Multicast traffic on a VPN is sent to remote VTEPs that are not part of the VPN and the remote VTEPs receive multicast traffic encapsulated in a VXLAN ID that doesn't exist.
To work around this issue, disable IGMP snooping on the switch. | 3.7.12-3.7.13, 4.0.0-4.2.1 | 3.7.14-3.7.16, 4.3.0-4.4.5| | [2553568](#2553568)
| After a MAC address moves from one remote VTEP to another, the MAC address continues to point to the old VTEP IP address in hardware. | 4.1.1-4.2.1 | 4.3.0-4.4.5| -| [2553529](#2553529)
| In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated.
To work around this issue, restart FRR with the sudo systemctl restart frr.service command.

| 3.7.10-3.7.13, 4.1.1-4.2.1 | 3.7.14-3.7.16, 4.3.0-4.4.5| +| [2553529, 2553349](#2553529, 2553349)
| In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated.
To work around this issue, restart FRR with the sudo systemctl restart frr.service command.

| 3.7.10-3.7.13, 4.1.1-4.2.1 | 3.7.14-3.7.16, 4.3.0-4.4.5| | [2553468](#2553468)
| Digital Optical Monitoring (DOM) Data is displayed incorrectly on SFP fiber modules inserted in the Fiberstore N8500-48B6C, Celestica Questone, and Celestica RedstoneV switches. | 4.2.0-4.2.1 | 4.3.0-4.4.5| -| [2553349](#2553349)
| When you delete a layer 2 VNI and VLAN, the layer 3 VNI reports an incorrect layer 2 VNI number.
To work around this issue, either restart FRR or delete the VNI interface first, then delete the VLAN/SVI. | 4.2.0-4.2.1 | 4.3.0-4.4.5| -| [2553301](#2553301)
| Certain IPv6 routes may be present in the kernel but missing in hardware, and you may also see the following log messages in /var/log/switchd.log:sync_route.c 5255 WARN 3 routes reverted to non-ECMP due to NH table capacityeven though cl-resources-query does not reflect that the ECMP NH table is full. The reason is that a temporary/artificial ECMP container exhaustion occurs due to a churn in routes and how switchd cleans up the routes, nexthops and RIFs. While performing this route cleanup operation, if switchd tries to delete a RIF and is unable to (since there are ECMP next-hops pointing to it which are yet to be deleted) it puts the RIF in a pending list. So, as a result, all of the ECMP next-hops pointing to the RIF also would be pending deletion. As a result, RIFs and dependent ECMP next-hops linger on the pending list until the next RIF sync is done, at which point the next-hops are freed up and the routes get installed as expected. | 4.2.0 | 4.2.1-4.4.5| +| [2553349, 2553529](#2553349, 2553529)
| When you delete a layer 2 VNI and VLAN, the layer 3 VNI reports an incorrect layer 2 VNI number.
To work around this issue, either restart FRR or delete the VNI interface first, then delete the VLAN/SVI. | 4.2.0-4.2.1 | 4.3.0-4.4.5| +| [2553301, 2754876](#2553301, 2754876)
| Certain IPv6 routes may be present in the kernel but missing in hardware, and you may also see the following log messages in /var/log/switchd.log:sync_route.c 5255 WARN 3 routes reverted to non-ECMP due to NH table capacityeven though cl-resources-query does not reflect that the ECMP NH table is full. The reason is that a temporary/artificial ECMP container exhaustion occurs due to a churn in routes and how switchd cleans up the routes, nexthops and RIFs. While performing this route cleanup operation, if switchd tries to delete a RIF and is unable to (since there are ECMP next-hops pointing to it which are yet to be deleted) it puts the RIF in a pending list. So, as a result, all of the ECMP next-hops pointing to the RIF also would be pending deletion. As a result, RIFs and dependent ECMP next-hops linger on the pending list until the next RIF sync is done, at which point the next-hops are freed up and the routes get installed as expected. | 4.2.0 | 4.2.1-4.4.5| | [2553278](#2553278)
| Leaked routes are sometimes missing from the destination VRF after a reboot. | 4.2.0-4.2.1 | 4.3.0-4.4.5| -| [2553237](#2553237)
| The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF.
NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF.

| 4.2.0-4.4.5 | | +| [2553237, 2552950](#2553237, 2552950)
| The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF.
NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF.

| 4.2.0-4.4.5 | | | [2553219](#2553219)
| You cannot configure SNMPv3 trap-destinations in non-default VRFs with an authentication username that contains fewer than eight characters. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2553118](#2553118)
| The Dell 100G-LR4 (Innolight) transceiver cannot link up due to a power budget exceeded error on the Mellanox SN4600C switch. | 4.2.0-4.2.1 | 4.3.0-4.4.5| | [2553116](#2553116)
| When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure.
To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | @@ -412,7 +412,7 @@ pdfhidden: True | [2552869](#2552869)
| On the Dell N3048EP switch, the module information from SFP ports is not displayed in the l1-show command.
To work around this issue, use the ethtool -m command. | 3.7.13-4.2.1 | 4.3.0-4.4.5| | [2552855](#2552855)
| FDB entries with type _static_ are installed in hardware as dynamic entries with no aging instead of truly static, which might result in the entries being occasionally flushed from hardware and the kernel. For example, this might happen when a port is in the STP Blocking state during a MAC sync. | 4.2.0 | 4.2.1-4.4.5| | [2552853](#2552853)
| Tenant VRF BGP peers appear in the EVPN RMAC and nexthop tables, which causes the kernel RMAC to point at invalid IP address. | 3.7.12-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| -| [2552742](#2552742)
| On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.
To work around this issue, restart switchd. | 3.7.12-4.2.1 | 4.3.0-4.4.5| +| [2552742, 2553000, 2553936](#2552742, 2553000, 2553936)
| On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.
To work around this issue, restart switchd. | 3.7.12-4.2.1 | 4.3.0-4.4.5| | [2552710](#2552710)
| The MLAG bonds on a secondary switch do not change to a unique MAC address on the peerlink. As a result, a backup double failure can occur where both peers go down. | 4.2.0-4.2.1 | 4.3.0-4.4.5| | [2552704](#2552704)
| In a traditional bridge configuration with ip-forward off, neighbors are synchronized to hardware with a switchd restart but are cleared when you flap the bridge interface. | 3.7.10-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| | [2552691](#2552691)
| On the EdgeCore AS4610 switch, the eth0 interface remains down when physically connected to a 1G interface.
To work around this issue, configure the link speed to 1000 and set auto-negotiation on for the eth0 interface, then flap eth0 with the ip link set eth0 down/up command to bring up the port. | 4.2.0-4.4.5 | | @@ -420,12 +420,12 @@ pdfhidden: True | [2552646](#2552646)
| When you add a member to a bond that has a subinterface configured (such as peerlink.4094), the new member is assigned only the VLAN of the subinterface for forwarding.
To work around this issue, bounce the bond or shutdown the new interface and use the remaining members over the bond. | 3.7.10-3.7.13, 4.2.0 | 3.7.14-3.7.16, 4.2.1-4.4.5| | [2552527](#2552527)
| Ingress SPAN/ERSPAN does not mirror packets when the next hop is EVPN encapsulated. | 3.7.7-3.7.13, 4.0.0-4.2.1 | 3.7.14-3.7.16, 4.3.0-4.4.5| | [2552524](#2552524)
| If you edit a Cumulus Linux install image directly and provide a ZTP script within the "CL_INSTALLER_ZTP_CONTENT" variable, the ZTP shell script fails to run. | 4.2.0 | 4.2.1-4.4.5| -| [2552505](#2552505)
| Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports.
To work around this issue, manually set the MAC address of the bridge interface by adding hwaddress to the bridge stanza in the /etc/network/interfaces file. | 3.7.11-3.7.13, 4.0.0-4.2.0 | 3.7.14-3.7.16, 4.2.1-4.4.5| +| [2552505, 2552604](#2552505, 2552604)
| Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports.
To work around this issue, manually set the MAC address of the bridge interface by adding hwaddress to the bridge stanza in the /etc/network/interfaces file. | 3.7.11-3.7.13, 4.0.0-4.2.0 | 3.7.14-3.7.16, 4.2.1-4.4.5| | [2552453](#2552453)
| On the Mellanox switch, RoCE with PFC configuration is not applied to all ports in hardware when a range is used in the traffic.conf file.
To work around this issue, use NCLU to configure RoCE with PFC or list individual ports in the traffic.conf file. | 4.2.0-4.4.5 | | | [2552452](#2552452)
| When a bond name is too long, ifupdown2 creates the bond devices in the kernel with truncated names. | 4.2.0 | 4.2.1-4.4.5| | [2552309](#2552309)
| The following messages are seen on an Edgecord Minipack-AS8000 running Cumulus Linux 4.2.0:


Hal_bcm_console.c:294 MMU config profile 0 prigroup 0: Service Pool 0 has no space and cannot be assigned
Hal_bcm_console.c:294 MMU config port 0 idx 0: Pool 0 has no space and cannot be assigned


These messages are for internal validation purposes only and can be safely ignored.

| 4.2.0-4.4.5 | | | [2552294](#2552294)
| NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command.
| 3.7.12-3.7.16, 4.0.0-4.4.5 | | -| [2552212](#2552212)
| The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages. | 3.7.11-3.7.14, 4.1.1-4.3.0 | 3.7.14.2-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5| +| [2552212, 2553637](#2552212, 2553637)
| The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages. | 3.7.11-3.7.14, 4.1.1-4.3.0 | 3.7.14.2-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5| | [2552204](#2552204)
| If the MAC address of an SVI changes, clagd does not update its permanent neighbor entry for the local interface, and it does not report the change to its MLAG peer. This leaves the MLAG peer in a state where its permanent neighbor for the MLAG peer's SVI IP address continues to use the old MAC address, which causes routed traffic over this SVI to be dropped.
To work around this issue, ifdown/ifup the SVI when a MAC address changes. | 3.7.12-3.7.13, 4.0.0-4.2.0 | 3.7.14-3.7.16, 4.2.1-4.4.5| | [2551911](#2551911)
| ifupdown2 does not account for link status or link down configuration when running dhclient. For example, ifupdown2 ignores link-down yes during ifup/ifreload and runs the DHCP module if inet dhcp is configured on the interface. ifupdown2 also runs the DHCP module even when the physical link configured for DHCP is down. | 3.7.12-4.2.0 | 4.2.1-4.4.5| | [2551887](#2551887)
| On Mellanox switches, when you change the breakout configuration from 4x to 2x or from 2x to 4x, LLDP discovery fails.
To resolve this issue, restart the LLDP service. | 4.2.0 | 4.2.1-4.4.5| @@ -451,11 +451,11 @@ pdfhidden: True | [2551273](#2551273)
| On a Mellanox SN2010 switch, the Locator LED is on after you upgrade Cumulus Linux. | 4.1.0-4.4.5 | | | [2551221](#2551221)
| When span-to-cpu is enabled on L3 swp interface with an IP address configured, packets with destination IP as switchport's IP address don't reach switchport. To capture packets directed towards switcport's IP, disable span-to-cpu and use tcpdump on swichport instead. | 4.2.0-4.4.5 | | | [2551187](#2551187)
| dot1qVlanIndex in the dot1qVlanStaticTable of the SNMP Q-BRIDGE-MIB does not use VLAN ID and does not comply with RFC 4363. | 4.1.1-4.2.1 | 4.3.0-4.4.5| -| [2551162](#2551162)
| switchd memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time.
To work around this issue, correct the cause of the frequent link flaps. You can restart switchd with the sudo systemctl restart switchd command to recover memory; this operation is impactful to all traffic on the switch during the restart. | 3.7.11-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| +| [2551162, 2550590](#2551162, 2550590)
| switchd memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time.
To work around this issue, correct the cause of the frequent link flaps. You can restart switchd with the sudo systemctl restart switchd command to recover memory; this operation is impactful to all traffic on the switch during the restart. | 3.7.11-3.7.12, 4.0.0-4.4.5 | 3.7.13-3.7.16| | [2551124](#2551124)
| When the dynamic or static flag on a bridge fdb (MAC) entry is changed to the opposite state, the new flag is not set appropriately in hardware. This can allow a static fdb entry to be unexpectedly learned dynamically on a different interface, or can prevent a dynamic entry from being updated or learned elsewhere.
This condition can occur during a manual replacement of a local MAC address or when EVPN updates a dynamic MAC address to add or remove the Sticky Mac flag. Either situation results in the MAC address keeping the original flag in hardware.
To work around this issue, delete or withdraw the fdb entry, then add the static MAC address directly. For example:

bridge fdb del 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master
bridge fdb add 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master [ static \| dynamic ]

If you are unable to delete an EVPN-learned remote MAC address, you can replace the dynamic MAC address with a local static one, then delete the static MAC address. For example:

bridge fdb replace 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master static
bridge fdb del 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master
bridge fdb add 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master [ static \| dynamic ]
| 4.0.0-4.2.1 | 4.3.0-4.4.5| | [2551111](#2551111)
| If a remote EVPN Sticky MAC [Static MAC address] is unexpectedly learned dynamically on a local interface, the selected entries in zebra and BGP are in an inconsistent state.
zebra increments the local MAC mobility sequence number and considers the MAC address to be local, but BGP maintains the remote Sticky MAC as the best path selected. This results in zebra installing the local MAC address and BGP not updating the route for the MAC address. | 4.0.0-4.4.5 | | | [2550974](#2550974)
| On the Dell S3000 switch, after installing the Cumulus Linux 4.1.1 disk image without a license, the switch sends a link beat if a remote host port is configured. | 3.7.11-3.7.16, 4.1.1-4.4.5 | | -| [2550973](#2550973)
| After you enable ROCE with the net add interface storage-optimized pfc command, you cannot verify the command because it is not shown in the net show config command output. | 4.1.1-4.2.1 | 4.3.0-4.4.5| +| [2550973, 2548408](#2550973, 2548408)
| After you enable ROCE with the net add interface storage-optimized pfc command, you cannot verify the command because it is not shown in the net show config command output. | 4.1.1-4.2.1 | 4.3.0-4.4.5| | [2550942](#2550942)
| NCLU tab completion for net show displays the text add help text instead of system Information for the system option. | 3.7.11-4.2.0 | 4.2.1-4.4.5| | [2550906](#2550906)
| After you delete a bond, the deleted bond members have the deleted bond MAC address instead of their original MAC address, which might result in traffic being discarded.
To work around this issue, perform a full switch restart. | 4.1.1-4.2.1 | 4.3.0-4.4.5| | [2550872](#2550872)
| In an MLAG configuration with static VXLAN, static tunnels become unreachable. | 3.7.13, 4.1.1-4.2.0 | 3.7.14-3.7.16, 4.2.1-4.4.5| @@ -486,11 +486,11 @@ pdfhidden: True | [2549225](#2549225)
| You might see the following gport error messages in switchd.log:

2020-04-10T19:50:01.011224+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x800007a find failed
2020-04-10T19:50:01.011631+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x8000009 find failed

These messages are harmless and can be ignored. | 3.7.12-3.7.14.2, 4.0.0-4.2.1 | 3.7.15-3.7.16, 4.3.0-4.4.5| | [2548930](#2548930)
| On Mellanox Spectrum switches that contain an OSPF IP unnumbered neighborship with a high scale of prefixes being learned, a link flap might cause the neighbor entry to not be programmed in hardware. | 3.7.11-4.2.1 | 4.3.0-4.4.5| | [2548924](#2548924)
| On the EdgeCore Minipack AS8000, storm control does not restrict unknown unicast, broadcast, or multicast traffic. | 4.1.1-4.4.5 | | -| [2548672](#2548672)
| When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.
To work around this issue, remove the unnecessary eBGP IPv4 peering. | 3.7.12-3.7.15, 4.0.0-4.2.1 | 3.7.16, 4.3.0-4.4.5| +| [2548672, 2555635](#2548672, 2555635)
| When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.
To work around this issue, remove the unnecessary eBGP IPv4 peering. | 3.7.12-3.7.15, 4.0.0-4.2.1 | 3.7.16, 4.3.0-4.4.5| | [2548657](#2548657)
| When you upgrade Cumulus Linux on the EdgeCore AS7726-32X or AS7326-56X switch, you might see firmware errors similar to the following:

W: Possible missing firmware /lib/firmware/tigon/tg3_tso5.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3_tso.bin for module tg3
W: Possible missing firmware /lib/firmware/tigon/tg3.bin for module tg3

You can safely ignore these error messages. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2548595](#2548595)
| The net show config and net show time ntp server commands do not show NTP server configuration. | 4.1.0-4.2.0 | 4.2.1-4.4.5| | [2548485](#2548485)
| If you configure the aggregate-address
summary-only option before injecting a component of the same aggregate into the BGP table with the network or redistribute command, when you remove the aggregate-address configuration, the component stays suppressed; it is not advertised to peers. For example:Existing configuration:
router bgp 1
address-family ipv4 unicast
 aggregate-address 50.0.0.0/8 summary-only
exit-address-family
If you add network 50.0.0.1/32, you see the following (expected) BGP table entries:
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
             i internal, r RIB-failure, S Stale, R RemovedOrigin codes: i - IGP, e - EGP, ? - incomplete
  Network          Next Hop            Metric LocPrf Weight Path*> 50.0.0.0         0.0.0.0                            32768 is> 50.0.0.1/32      0.0.0.0                  0         32768 i
Removing aggregate-address 50.0.0.0/8 summary-only at this point results in the following (unexpected) BGP table entry:
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
             i internal, r RIB-failure, S Stale, R RemovedOrigin codes: i - IGP, e - EGP, ? - incomplete
  Network          Next Hop            Metric LocPrf Weight Paths> 50.0.0.1/32      0.0.0.0                  0         32768 i
To work around this issue, remove, then re-add the component prefix routes. | 3.7.12-4.2.1 | 4.3.0-4.4.5| -| [2548408](#2548408)
| net show configuration commands does not show the RoCE net add interface storage-optimized pfc configuration. | 4.1.0-4.2.1 | 4.3.0-4.4.5| +| [2548408, 2550973](#2548408, 2550973)
| net show configuration commands does not show the RoCE net add interface storage-optimized pfc configuration. | 4.1.0-4.2.1 | 4.3.0-4.4.5| | [2548310](#2548310)
| When the system boots, we might see " cumulus systemd-udevd[7566]: Process '/usr/bin/hw-management-thermal-events.sh add thermal_zone /sys /devices/virtual/thermal/thermal_zone25 thermal_zone25' failed with exit code 1" errors.

These errors are result of user space acting on kernel events a bit slow. The mlxsw_minimal driver is added during kernel boot; An SDK reset causes the driver to be deleted and re-instantiated; User space handler for thermal zone add sees the add first; But the underlying device is deleted before it can act on it. This situation is rectified as the mlxsw_minimal driver is re-instantiated later;
| 4.1.0-4.4.5 | | | [2548260](#2548260)
| The net add routing route-map permit set community command does not add the set statement into the /etc/frr/frr.conf file. | 4.0.0-4.4.5 | | | [2548243](#2548243)
| On switches with the Trident2+ ASIC, adding SPAN rules disables PBR rules. | 3.7.3-3.7.16, 4.0.0-4.4.5 | | @@ -499,7 +499,7 @@ pdfhidden: True | [2548044](#2548044)
| When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor. | 3.7.12-3.7.15, 4.0.0-4.4.5 | 3.7.16| | [2547890](#2547890)
| QinQ across VXLAN on a traditional bridge does not work. | 4.1.0-4.4.5 | | | [2547782](#2547782)
| If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2547706](#2547706)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2547706, 2544456, 2549513](#2547706, 2544456, 2549513)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2547405](#2547405)
| When you restart the hsflowd service, you see a systemd warning message similar to the following:

Warning: The unit file, source configuration file or drop-ins of hsflowd@mgmt.service changed on disk. Run 'systemctl daemon-reload'.
| 4.0.0-4.4.5 | | | [2547120](#2547120)
| After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number), until you run the decode-syseeprom --init command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2547068](#2547068)
| Hardware platforms using the Intel D-1500 CPU series might reboot unexpectedly
To work around this issue, contact your hardware vendor to inquire if a new version of BIOS with a microcode fix is available or manually disable CPU C-states in the kernel as outlined below
To permanently disable C-states using a kernel boot parameter:1. Edit /etc/default/grub to add the argument processor.max_cstate=0 to the variable GRUB_CMDLINE_LINUX. For example, if /etc/default/grub file contains the line GRUB_CMDLINE_LINUX="cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off", change it to GRUB_CMDLINE_LINUX="cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off processor.max_cstate=0"2. Run sudo update-grub
3. Reboot the system with sudo reboot
To disable cstates in realtime on the current system, which does not persist through a reboot:1. Confirm that the libpci3 package is installed. Run dpkg-query -l libpci3 and confirm the following line is displayed:ii libpci3:amd64 1:3.2.1-3 amd64 Linux PCI Utilities (shared library)The first field above should read ii. If not, install the libpci3 package by running sudo apt upgrade;sudo apt install libpci3
2. Disable C-states by running the command ./cpupower idle-set -d 2
C-states are disabled by default in Cumulus Linux 4.3.0 and later. | 3.7.9-4.2.1 | 4.3.0-4.4.5| @@ -508,8 +508,8 @@ pdfhidden: True | [2546895](#2546895)
| If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:
bq. systemd[1]: switchd.service watchdog timeout (limit 2min)!
To workaround this issue, either reduce the number of configured interfaces and, or VLANs, or increase the systemd timeout for switchd.service
To increase the systemd timeout:1.Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter
2.Restart the switchd service with the sudo systemctl restart switchd.service command
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546874](#2546874)
| On the Dell S5232F, S5248F, S5296F, and S3048 switch, using the poweroff or halt commands does not fully power off the switch. | 4.0.0-4.4.5 | | | [2546255](#2546255)
| On the EdgeCore Minipack-AS8000 switch, a 100G DAC link does not come up when auto-negotiation is enabled on the neighbor. This switch does not support 100G DAC auto-negotiation at this time. | 4.0.0-4.4.5 | | -| [2546225](#2546225)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2546131](#2546131)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546225, 2541038](#2546225, 2541038)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546131, 2542979](#2546131, 2542979)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2545837](#2545837)
| If you use the NCLU commands to configure NTP and run the net add time ntp source command before you run the net add time ntp server iburst command, the /etc/ntp.conf file is misconfigured.
To work around this issue, run the net add time ntp server iburst command before you run the net add time ntp source command. | 3.7.10-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2545520](#2545520)
| The length of the netlink message is not set properly for non-bridge family type messages. The same length is used for both bridge and non-bridge even though the bridge family type message has an extra attribute. This causes extra bytes to be left over in non-bridge family type netlink messages. | 3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2545239](#2545239)
| On the Mellanox switch with the Spectrum-2 ASIC, Precision Time Protocol (PTP) is not currently supported. | 4.0.0-4.3.4 | 4.4.0-4.4.5| @@ -519,23 +519,23 @@ pdfhidden: True | [2544968](#2544968)
| FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:

sudo sh -c "printf 'interface 50\nvrf TEST description L3 routing interface\n' >> /etc/frr/frr.conf"

should be:

sudo sh -c "printf 'interface 50 vrf TEST\ndescription L3 routing interface\n' >> /etc/frr/frr.conf"

To work around this issue, configure the interface manually in the /etc/frr/frr.conf file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544957](#2544957)
| NCLU incorrectly allows you to apply port security configuration on layer 2 and layer 3 ports that are not part of a bridge. | 4.0.0-4.4.5 | | | [2544953](#2544953)
| When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.
To work around this issue, run the sudo systemctl restart lldpd.service command. | 3.7.10-3.7.16, 4.0.0-4.4.5 | | -| [2544880](#2544880)
| When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. | 4.0.0-4.4.5 | | +| [2544880, 2544616, 2554202](#2544880, 2544616, 2554202)
| When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. | 4.0.0-4.4.5 | | | [2544723](#2544723)
| Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2544463](#2544463)
| Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | -| [2544456](#2544456)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | +| [2544456, 2546166, 2546167, 2547706, 2549513](#2544456, 2546166, 2546167, 2547706, 2549513)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544311](#2544311)
| Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544155](#2544155)
| NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order.

| 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544113](#2544113)
| Mac learning is not disabled by default on a double tagged peer link interface resulting in the MAC address changing between the MLAG bond and the peer link.
To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the etc/network/interfaces file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2543937](#2543937)
| An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause a FRR reload to time out.
To work around this issue, remove the interface alias description from iproute2. | 3.7.8-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543915](#2543915)
| When you enable a service in the management VRF, systemctl issues a warning similar to the following:
Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run 'systemctl daemon-reload' to reload unit
You can safely ignore this warning. | 4.0.0-5.9.5 | 5.10.0-5.16.1| | [2543900](#2543900)
| On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | | -| [2543841](#2543841)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | +| [2543841, 2544947](#2543841, 2544947)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | | [2543816](#2543816)
| On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages.
| 3.7.6-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2543781](#2543781)
| NCLU does not allow you to configure OSPF NSSAs. For example: 

cumulus@switch:~$ net add ospf area 0.0.0.1 nssa 
ERROR: Command not found. 
net add ospf area 0.0.0.1 nssa

To work around this issue, use FRR instead. For example: 

switch# configure terminal 
switch(config)# router ospf 
switch(config-router)# area 0.0.0.1 nssa
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543724](#2543724)
| If a hostname contains utf-8 characters, the NCLU net show lldp command outputs the following error: 

ERROR: 'ascii' codec can't encode character u'\xe9' in position 3: ordinal not in range(128) 
See /var/log/netd.log for more details.
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543647](#2543647)
| ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:

-A FORWARD -i vni10 -j erspan --src-ip 100.1.1.2 --dst-ip 100.1.1.1 --ttl 64
| 3.7.6-4.2.1 | 4.3.0-4.4.5| | [2543646](#2543646)
| In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | | -| [2543401](#2543401)
| On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. | 4.0.0-4.4.5 | | +| [2543401, 2543014](#2543401, 2543014)
| On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. | 4.0.0-4.4.5 | | | [2543211](#2543211)
| In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2543164](#2543164)
| The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2543096](#2543096)
| When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | @@ -550,7 +550,7 @@ pdfhidden: True | [2540352](#2540352)
| When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a _match interface_ condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9 
net add routing route-map Proxy-ARP permit 30 match interface swp10

| 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2540340](#2540340)
| NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example: 
 
 cumulus@switch:~$ net add vrf mgmt

Tab completion for the net add vrf ip address
command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540274](#2540274)
| On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | -| [2540204](#2540204)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540204, 2713883](#2540204, 2713883)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540192](#2540192)
| The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540155](#2540155)
| On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2540042](#2540042)
| When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example: 
 
cumulus@switch:~$ sudo vtysh 
switch# configure terminal 
switch(config)# interface br0.100 
switch(config-if)# vrrp 1 priority 110 
switch(config-if)# vrrp 1 advertisement-interval 
switch(config-if)# end 
switch# write memory 
switch# exit 
cumulus@switch:~

| 3.7.4-3.7.16, 4.0.0-4.4.5 | | @@ -566,7 +566,7 @@ pdfhidden: True | [2538562](#2538562)
| On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.
After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.
To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.
Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G. | 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2538294](#2538294)
| If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2537699](#2537699)
| There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces: 
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
| 3.7.1-3.7.16, 4.0.0-4.4.5 | | -| [2537544](#2537544)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2537544, 2537365](#2537544, 2537365)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | | [2536576](#2536576)
| If you try to bring down several members of a bond remotely at the same time, the link state of one of the interfaces might not transition correctly to the down state; however, all links show down in hardware.
| 4.0.0-4.4.5 | | | [2536384](#2536384)
| The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2536256](#2536256)
| For an unresolved address, the IPROUTER default policer rule has been modified to _not_ match on packets exiting a TUNNEL and headed to the CPU to resolve the address via ARP. As a result, the following default rule no longer matches TUNNEL ingress packets. 
 
A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type 
IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100

These packets are now policed by catch all rules.
To work around this issue, the VPORT value on a TRIDENT switch must be changed from binary 011 to 100.
| 4.0.0-4.4.5 | | @@ -577,7 +577,7 @@ pdfhidden: True | [2535723](#2535723)
| The source address of the ICMPv6 time exceeded message (traceroute hop) is sourced from the wrong VRF when the traceroute target resides on the same switch but in a different VRF. | 4.0.0-4.4.5 | | | [2535605](#2535605)
| FRR does not add BGP ttl-security to either the running configuration or to the /etc/frr/frr.conf file when configured on a peer group instead of a specific neighbor.
To work around this issue, add ttl-security to individual neighbors instead of the peer group. | 4.0.0-4.4.5 | | | [2535209](#2535209)
| The net show lldp command sometimes shows the port description in the Remote Port field. The net show interface command shows the correct value in the Remote Host field.
To work around this issue, use net show interface command for LLDP output when connected to Cisco equipment. | 3.7.5-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| -| [2534977](#2534977)
| On the Mellanox switch, the destination MAC address of ERSPAN GRE packets is set to all zeros; therefore, the first transit switch might drop packets. | 4.0.0-4.2.1 | 3.7.14-3.7.16, 4.3.0-4.4.5| +| [2534977, 2535424](#2534977, 2535424)
| On the Mellanox switch, the destination MAC address of ERSPAN GRE packets is set to all zeros; therefore, the first transit switch might drop packets. | 4.0.0-4.2.1 | 3.7.14-3.7.16, 4.3.0-4.4.5| | [2534734](#2534734)
| Span rules matching the out-interface as a bond do not mirror packets. | 4.0.0-4.4.5 | | | [2533691](#2533691)
| If you configure a VLAN under a VLAN-aware bridge and create a subinterface of the same VLAN on one of the bridge ports, the bridge and interface compete for the same VLAN and if the interface is flapped, it stops working. Correcting the configuration and running the ifreload command does not resolve the conflict.
To work around this issue, correct the bridge VIDs and restart switchd or delete the subinterface. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2533625](#2533625)
| PIM and MSDP entries are set to the internal COS value of 6 so they are grouped together with the bulk traffic priority group in the default traffic.conf file. However, PIM, IGMP, and MSDP are considered control-plane and should be set to the internal COS value of 7. | 4.0.0-4.4.5 | | @@ -587,7 +587,7 @@ pdfhidden: True ### Fixed Issues in 4.2.0 | Issue ID | Description | Affects | |--- |--- |--- | -| [2553000](#2553000)
| When the following conditions exist, clagd might fail to establish a TCP control session across the subinterface (such as, peerlink.4094):
* clagd uses an IPv6 link-local address (LLA) to establish the TCP connection (the clagd-peer-ip linklocal command configures an IPv6 LLA connection)

* Subsequent VLAN changes are made to VLAN sub-interfaces or adding or removing SVIs

This issue occurs because the hardware stores one entry per VRF to represent the IPv6 LLA. The hardware entry for the LLA is removed when another interface is changed because the software interfaces are represented by a single entity in hardware. As a result, packets destined to the local IPv6 LLA address are received on the port but do not get forwarded to CPU for further processing.

To workaround this issue, use IPv4 addresses under peerlink.4094 and configure clagd to peer on IPv4 addresses. | 3.7.12-3.7.13 | | +| [2553000, 2552742](#2553000, 2552742)
| When the following conditions exist, clagd might fail to establish a TCP control session across the subinterface (such as, peerlink.4094):
* clagd uses an IPv6 link-local address (LLA) to establish the TCP connection (the clagd-peer-ip linklocal command configures an IPv6 LLA connection)

* Subsequent VLAN changes are made to VLAN sub-interfaces or adding or removing SVIs

This issue occurs because the hardware stores one entry per VRF to represent the IPv6 LLA. The hardware entry for the LLA is removed when another interface is changed because the software interfaces are represented by a single entity in hardware. As a result, packets destined to the local IPv6 LLA address are received on the port but do not get forwarded to CPU for further processing.

To workaround this issue, use IPv4 addresses under peerlink.4094 and configure clagd to peer on IPv4 addresses. | 3.7.12-3.7.13 | | | [2551771](#2551771)
| When a specific PIM join/prune packet is received from a PIM neighbor the pimd process might crash with a core file. | 4.0.0-4.1.1 | | | [2551551](#2551551)
| Some Dell N3048EP switches ship with an incompatible ONIE version. To install Cumulus Linux on the switch, you must upgrade ONIE to version 4.39.1.0-9. To download this version of ONIE, contact Dell. | | | | [2551429](#2551429)
| Static routes in FRR with their next hop defined as a local IPv4 or IPv6 address are rejected with the following message: 

% Warning!! Local connected address is configured as Gateway

To work around this issue, make sure to define static routes that are intended to point directly at a particular interface with the interface itself as the next hop instead of the address on that interface. For example:

switch(config)# ipv6 route 2001:bee:bee:3::/64 swp1/1
| | | @@ -596,7 +596,7 @@ pdfhidden: True | [2550349](#2550349)
| Unicast traffic from downlink hosts is flooded to multiple remote VTEPs, which might also cause high HwIfOutQDrops/TX_DRP on the uplink ports.
To work around this issue, restart switchd. | 3.7.10-3.7.13, 4.0.0-4.1.1 | | | [2550324](#2550324)
| On the Mellanox switches with BFD configured, you might see high load averages. | 4.1.1 | | | [2550275](#2550275)
| If packets with an invalid checksum are received, the cumulus-poe service might restart and you see log messages similar to the following:
May 20 10:48:04.665635 leaf01 poed[8012]: ERROR : invalid checksum in response [0xC2:0x00]
May 20 10:48:04.671299 leaf01 poed[8012]: poed : ERROR : invalid checksum in response [0xC2:0x00]
May 20 10:48:04.708620 leaf01 systemd[1]: cumulus-poe.service: main process exited, code=exited, status=1/FAILURE
The service starts automatically but there is an impact to POE devices momentarily. | 3.7.12, 4.0.0-4.1.1 | | -| [2550264](#2550264)
| The sx_sdk service may log errors and/or generate a core file when configuring breakout ports on Mellanox Spectrum platforms. The error message observed will be similar to the following:

sx_sdk: EMAD_RX_THREAD: EMAD transaction FW error

This issue is resolved in Cumulus Linux 4.2.0 and above. | 4.1.1 | | +| [2550264, 2550998](#2550264, 2550998)
| The sx_sdk service may log errors and/or generate a core file when configuring breakout ports on Mellanox Spectrum platforms. The error message observed will be similar to the following:

sx_sdk: EMAD_RX_THREAD: EMAD transaction FW error

This issue is resolved in Cumulus Linux 4.2.0 and above. | 4.1.1 | | | [2549958](#2549958)
| When you move an interface from one VRF to another and modify the description in the same configuration operation, FRR crashes and restarts during a service reload. If these two changes occur in separate reloads, FRR does not crash. | 4.1.1 | | | [2549894](#2549894)
| The Conntrack table fills up with OFFLOAD entries for flows that do not match the NAT rules in iptables. | 4.1.0-4.1.1 | | | [2549878](#2549878)
| When NAT is configured, non-NAT traffic is incorrectly forwarded to the CPU. | 4.1.0-4.1.1 | | @@ -606,25 +606,25 @@ pdfhidden: True | [2549577](#2549577)
| When you configure the management interface class (as shown below), eth0 remains in an admin down state on subsequent reboots:

allow-mgmt eth0
iface eth0 inet dhcp
    vrf mgmt
allow-mgmt mgmt
iface mgmt
    address 127.0.0.1/8
    address ::1/128
    vrf-table auto
| 4.1.0-4.1.1 | | | [2549472](#2549472)
| On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic. | 3.7.11-4.1.1 | | | [2549385](#2549385)
| FRR incorrectly orders advertise-all-vni to be later in the configuration than manual rd or route-target definitions. This causes the rd or route-target configuration to be misapplied or not applied at all.
To work around this issue, when you manually configure the rd or route-target for a VNI, you must manually edit the /etc/frr/frr.conf file to define advertise-all-vni before the rd or route-target configuration within the l2vpn evpn address family. | 4.0.0-4.1.1 | | -| [2549269](#2549269)
| On Mellanox switches with the Spectrum-2 ASIC, when you use more than 16 bonds on the switch, you might experience forwarding issues or see an error similar to the following in switchd.log:

2020-04-07T15:59:27.345421+10:00 le-266-q14-2-res switchd[8422]: hal_mlx_bond.c:1696 ERR member_fwd_update_cb spartan-bm87 collector set failed for swp3s0: Driver's Return Status is Non-Zero
2020-04-07T15:59:27.345557+10:00 le-266-q14-2-res switchd[8422]:
2020-04-07T15:59:27.348432+10:00 le-266-q14-2-res switchd[8422]: hal_mlx_bond.c:1705 ERR member_fwd_update_cb spartan-bm87 distributor set failed for swp3s0: Driver's Return Status is Non-Zero

To work around this issue, configure fewer than 16 bonds on a switch. | 4.1.0-4.1.1 | | +| [2549269, 2551467](#2549269, 2551467)
| On Mellanox switches with the Spectrum-2 ASIC, when you use more than 16 bonds on the switch, you might experience forwarding issues or see an error similar to the following in switchd.log:

2020-04-07T15:59:27.345421+10:00 le-266-q14-2-res switchd[8422]: hal_mlx_bond.c:1696 ERR member_fwd_update_cb spartan-bm87 collector set failed for swp3s0: Driver's Return Status is Non-Zero
2020-04-07T15:59:27.345557+10:00 le-266-q14-2-res switchd[8422]:
2020-04-07T15:59:27.348432+10:00 le-266-q14-2-res switchd[8422]: hal_mlx_bond.c:1705 ERR member_fwd_update_cb spartan-bm87 distributor set failed for swp3s0: Driver's Return Status is Non-Zero

To work around this issue, configure fewer than 16 bonds on a switch. | 4.1.0-4.1.1 | | | [2548998](#2548998)
| On the Mellanox SN2010 and SN2100 switch, the fan speed might ramp up and down. | 4.1.0-4.1.1 | | | [2548988](#2548988)
| On Mellanox switches, the thermal monitoring script starts in suspended mode and, as a result, the fans run at sixty percent. You also see the following log message:

hw-management.sh[847]: Thermal algorithm is manually suspend.

To work around this issue, run the following command to enable thermal monitoring:

cumulus@switch:~$ sudo echo 0 > /var/run/hw-management/config/suspend
| 4.0.0-4.1.1 | | | [2548962](#2548962)
| With FRR or OSPF, you might see an inconsistent link-state advertisement. For example, when you configure the OSPF default originate route as metric-type 1 with a specific metric, Cumulus Linux shows the default originate route as an external metric-type 2 route with the default metric in the database. This issue typically occurs when both IPv4 and IPv6 default routes exist in the routing table. | 3.7.12-4.1.1 | | | [2548920](#2548920)
| If you try to remove BFD configuration with a reload, the FRR service fails. The reload action results in a TypeError: expected string or bytes-like object error.
You see this issue only if there is default configuration, such as configuration in the /etc/frr/frr.conf file that is suppressed from view in the FRR running configuration.
To work around this issue, remove the default configuration lines; for example: 

username cumulus nopassword
| 4.1.0-4.1.1 | | -| [2548892](#2548892)
| NTP does not start when you use the default VRF instead of the management VRF. | 4.1.0-4.1.1 | | +| [2548892, 2549358, 2555149](#2548892, 2549358, 2555149)
| NTP does not start when you use the default VRF instead of the management VRF. | 4.1.0-4.1.1 | | | [2548746](#2548746)
| On the Broadcom switch with the Trident3 ASIC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect. | 3.7.11-4.1.1 | | | [2548674](#2548674)
| A large number of flapping peers causes FRR to require a corresponding update to internal data structures that track peer information. Updating this internal data structure does not delete links that are down due to the flapping. The size of this array then grows to contain both current peers as well as peers that should have been deleted during the flap processing. The contents of this array is processed by FRR to poll the links, which consumes CPU for all items in the array. This additional polling consumes more CPU than necessary but has no functional impact.
To work around this issue, restart FRR. | 3.7.11-3.7.12, 4.0.0-4.1.1 | | -| [2548586](#2548586)
| After you flap an MLAG peerlink, a rare condition might occur where routes and neighbors for VXLAN-enabled VLANs are misprogrammed as non-VXLAN routes and neighbors due to VNI state transitions. This results in a forwarding failure for traffic destined to these misprogrammed routes and neighbors.
*Note*: Do not flap a VNI interface manually. The only expected time for a VNI interface to go down is when the MLAG secondary switch brings the VNIs protodown during a peer link failure where the backup IP address is still active.
To recover from this condition, restart switchd with the sudo systemctl restart switchd command. | 3.7.10-3.7.12, 4.1.0-4.1.1 | | +| [2548586, 2549256](#2548586, 2549256)
| After you flap an MLAG peerlink, a rare condition might occur where routes and neighbors for VXLAN-enabled VLANs are misprogrammed as non-VXLAN routes and neighbors due to VNI state transitions. This results in a forwarding failure for traffic destined to these misprogrammed routes and neighbors.
*Note*: Do not flap a VNI interface manually. The only expected time for a VNI interface to go down is when the MLAG secondary switch brings the VNIs protodown during a peer link failure where the backup IP address is still active.
To recover from this condition, restart switchd with the sudo systemctl restart switchd command. | 3.7.10-3.7.12, 4.1.0-4.1.1 | | | [2548561](#2548561)
| On the EdgeCore Minipack-AS8000, when you try to configure ROCEv2, you see errors indicating that PFC is not working properly. | 4.0.0-4.1.1 | | | [2548496](#2548496)
| Cumulus Linux supports a maximum of 300 ACLs for use with 802.1X interfaces. This limit encompasses the default ACLs, pre-auth ACLs and dynamic ACLs. Exceeding this limit can affect the performance of the switch. | 4.1.0-4.1.1 | | | [2548490](#2548490)
| A change in a route map prefix list that should remove a route might not be reflected in the ospf6 database or in peers, and the route might not be deleted.
To work around this issue, reenter the redistribute route-map statement in the configuration. | 3.7.11-4.1.1 | | | [2548457](#2548457)
| The global MTU setting in the mtu.json file does not take effect on SVI interfaces after ifreload -a.
To work around this issue, run sudo systemctl restart networking or restart the switch.
Note: A network restart is a disruptive operation. | 4.1.0-4.1.1 | | | [2548422](#2548422)
| You might see a core file in FRRouting related to OSPFv3 if the switch is configured as both an OSPFv3 ABR and ASBR, and other switches in the same area are also configured as both ABR and ASBR. This issue is not seen with a single ABR or ASBR in an area or if there are multiple ASBRs in an area not acting as ABRs. To work around this issue, do not perform redistribution on more than one ABR in the same area. | 4.0.0-4.1.1 | | | [2548383](#2548383)
| The QuantaMesh BMS T3048-LY8 switch shows a low fan RPM in syslog. | 3.7.5-3.7.12, 4.0.0-4.1.1 | | -| [2548373](#2548373)
| On the Edgecore AS5812 switch, the Innodisk DIMM causes a DIMM temperature sensor absent alert. | 3.7.12, 4.0.0-4.1.1 | | -| [2548320](#2548320)
| When configuring VRF route leaking, if you define import vrf route-map but do not have any imported VRFs, the route map command displays incorrectly, and as a result, FRR fails to reload. | 4.0.0-4.1.1 | | +| [2548373, 2548371](#2548373, 2548371)
| On the Edgecore AS5812 switch, the Innodisk DIMM causes a DIMM temperature sensor absent alert. | 3.7.12, 4.0.0-4.1.1 | | +| [2548320, 2543525](#2548320, 2543525)
| When configuring VRF route leaking, if you define import vrf route-map but do not have any imported VRFs, the route map command displays incorrectly, and as a result, FRR fails to reload. | 4.0.0-4.1.1 | | | [2548308](#2548308)
| When the garbage collector does not release memory back to the operating system, clagd might consume a large amount of memory. As a result of low system memory, systemd might shut down services to reclaim memory.
| 3.7.11-3.7.12, 4.1.0-4.1.1 | | -| [2548275](#2548275)
| On the QuantaMesh BMS T5032-LY6 switch, when you run the hwclock command, you might see the error hwclock: select() to /dev/rtc0 to wait for clock tick timed out. | 4.1.0-4.1.1 | | +| [2548275, 2548503, 2556077](#2548275, 2548503, 2556077)
| On the QuantaMesh BMS T5032-LY6 switch, when you run the hwclock command, you might see the error hwclock: select() to /dev/rtc0 to wait for clock tick timed out. | 4.1.0-4.1.1 | | | [2548242](#2548242)
| On the Mellanox SN3800 switch, when you run sudo -E apt-get update, then sudo -E apt get upgrade, you see a dialog prompting you for the interface on which to run DHCP, followed by a request for DHCP relay options. You can ignore this dialog and press enter to continue with the upgrade. | 4.1.0-4.1.1 | | | [2548197](#2548197)
| On the Mellanox SN3800 switch, when you remove the PSU, smonctl reports that the PSU is BAD instead of ABSENT. | 4.1.0-4.1.1 | | | [2548194](#2548194)
| On the Mellanox SN3800 switch, when you remove a fan tray, smonctl reports that the fan is LOW instead of ABSENT. | 4.1.0-4.1.1 | | @@ -634,26 +634,26 @@ pdfhidden: True | [2547839](#2547839)
| When you try to configure link-down on a parent interface of a subinterface configured in a VRF, you encounter an error. | 3.7.11-4.1.1 | | | [2547783](#2547783)
| PTM mis-detects incorrect hostnames of LLDP neighbors and does not fail them as expected. Instead they end up in an N/A cabling status. | 3.7.11-3.7.13, 4.0.0-4.1.1 | | | [2547667](#2547667)
| On the Dell S5232F-ON switch, the output of ledmgrd shows amber_blinking but smonctl shows all OK. | 3.7.11-3.7.12, 4.0.0-4.1.1 | | -| [2547610](#2547610)
| Mellanox switches with the Spectrum A0 ASIC that are integrated with VMware NSX experience BFD connectivity issues with service nodes. As a result, VXLAN tunnels do not work.
Mellanox switches with the Spectrum A1 ASIC do **not** have this issue. | 3.7.11-3.7.12, 4.0.0-4.1.1 | | +| [2547610, 2548114](#2547610, 2548114)
| Mellanox switches with the Spectrum A0 ASIC that are integrated with VMware NSX experience BFD connectivity issues with service nodes. As a result, VXLAN tunnels do not work.
Mellanox switches with the Spectrum A1 ASIC do **not** have this issue. | 3.7.11-3.7.12, 4.0.0-4.1.1 | | | [2547340](#2547340)
| When host-resources and ucd-snmp-mib are polled, you see permission denied messages similar to the following:

Jan 30 19:22:53 switch123 snmpd[23172]: Cannot statfs /sys/kernel/debug/tracing: Permission denied
| 3.7.13, 4.0.0-4.1.1 | | | [2547245](#2547245)
| The MLAG switch pair has VLANs defined that are not used on MLAG bonds. These VLANs still synchronize MAC addresses across to the peer switch. This results in log messages that indicate a MAC address is installed and the VLAN is not defined; for example:

RTM_NEWNEIGH with unconfigured vlan XXXX on port peerlink
| 3.7.10-3.7.13, 4.0.0-4.1.1 | | | [2547123](#2547123)
| On the Broadcom switch with the Trident3 ASC, packet priority remark values assigned from each internal CoS value continue to work with default values; if you change the internal CoS value, the change does not take effect. | 3.7.11-4.1.1 | | | [2547100](#2547100)
| On switches with the Trident3 ASIC, PFC is not working as expected. If you set the PFC for only one CoS, pause frames are sent for all CoS traffic. | 3.7.11-4.1.1 | | -| [2546951](#2546951)
| switchd crashes when dynamic VRF route leaking is enabled and the following is true:
* The default route is leaked from VRF1 to VRF2
* Hardware-based dynamic VRF route leaking is configured (vrf_route_leak_enable_dynamic is set to TRUE in the /etc/cumulus/switchd.conf file).
You might see logs similar to the following in /var/log/syslog:

kernel: [159400.526241] switchd[21374]: segfault at 1229cdd84 ip 00000000004142ca sp 00007ffd557a86d0 error 4 in switchd[400000+71000]

To work around this issue, use a route map to filter the default route (the source VRF is imported into the destination VRF). | 3.7.10-3.7.12, 4.0.0-4.1.1 | | +| [2546951, 2548887](#2546951, 2548887)
| switchd crashes when dynamic VRF route leaking is enabled and the following is true:
* The default route is leaked from VRF1 to VRF2
* Hardware-based dynamic VRF route leaking is configured (vrf_route_leak_enable_dynamic is set to TRUE in the /etc/cumulus/switchd.conf file).
You might see logs similar to the following in /var/log/syslog:

kernel: [159400.526241] switchd[21374]: segfault at 1229cdd84 ip 00000000004142ca sp 00007ffd557a86d0 error 4 in switchd[400000+71000]

To work around this issue, use a route map to filter the default route (the source VRF is imported into the destination VRF). | 3.7.10-3.7.12, 4.0.0-4.1.1 | | | [2546485](#2546485)
| The EdgeCore Minipack-AS8000 switch supports FEC RS by default; you cannot disable this setting. However, the ethtool --show-fec command output indicates that FEC is disabled. Also, if you try to change the FEC setting, Cumulus Linux reports an error. For example:

cumulus@switch:~$  net add interface swp23 link speed 100000
cumulus@switch:~$  net add interface swp23 link autoneg off
cumulus@switch:~$  net add interface swp23 link fec rs
"/sbin/ifreload -a" failed:
error: swp23: cmd '/sbin/ethtool --set-fec swp23 encoding rs' failed: returned 255 (Cannot set FEC settings: Operation not supported)
Command '['/sbin/ifreload', '-a']' returned non-zero exit status 1
| 4.0.0-4.1.1 | | | [2546337](#2546337)
| The net show bridge macs command returns an empty interface column.
To work around this issue, run the bridge fdb show command to show the interface. | 4.0.0-4.1.1 | | | [2545933](#2545933)
| Mellanox switches might experience higher CPU usage from the sx_sdk service or when BFD is in use.
To work around this issue, disable BFD to alleviate some of the CPU load. | 3.7.13, 4.0.0-4.1.1 | | -| [2545536](#2545536)
| On the Mellanox switch with the Spectrum and Spectrum-2 ASIC, IPv6 egress ACLs are not supported on subinterfaces. | 4.0.0-4.1.1 | | +| [2545536, 2545503](#2545536, 2545503)
| On the Mellanox switch with the Spectrum and Spectrum-2 ASIC, IPv6 egress ACLs are not supported on subinterfaces. | 4.0.0-4.1.1 | | | [2545352](#2545352)
| With a high number of active routes (20K or more), when you perform a networking restart, the FRR log files might become flooded with error messages associated with the restart. These logs are normal and are not directly a problem. However, the large number of messages can cause the logs to _rotate away_ any previous history, which prevents you from tracing back events leading up to the restart. In a troubleshooting environment, this can be problematic. | 4.0.0-4.1.1 | | | [2545164](#2545164)
| On the Mellanox switch with the Spectrum 2 ASIC, interfaces using 100G or 200G Direct Attach Cables (DACs) do not come up with the interface default configuration.
To work around this issue and bring the interfaces up, perform the following configuration on both sides of the link:
* Set the interface speed to the desired speed
* Set link auto-negotiation to _off_
* Set link FEC to RS mode | 4.0.0-4.1.1 | | -| [2545054](#2545054)
| When you run the NCLU net del interface command to delete an interface that has a description in the /etc/frr/frr.conf file but the /etc/frr/daemons file does not contain zebra=yes}, all running FRR daemons (bgpd, ospfd, ospf6d) restart
To work around this issue, remove all interfaces from the /etc/frr/frr.conf file that are unrelated to routing. | 4.0.0-4.1.1 | | +| [2545054, 2552126](#2545054, 2552126)
| When you run the NCLU net del interface command to delete an interface that has a description in the /etc/frr/frr.conf file but the /etc/frr/daemons file does not contain zebra=yes}, all running FRR daemons (bgpd, ospfd, ospf6d) restart
To work around this issue, remove all interfaces from the /etc/frr/frr.conf file that are unrelated to routing. | 4.0.0-4.1.1 | | | [2544904](#2544904)
| After you delete an IPv6 numbered BGP peer group neighbor, Cumulus Linux might continue to send route advertisements.
To work around this issue, restart FRR after removing the IPv6 numbered configuration. | 3.7.9-4.1.1 | | | [2544856](#2544856)
| In the ethool -m output, the Revision Compliance field might show Unallocated when the SFF-8363 Revision Compliance value is SFF-8636 version 2.8 or later. | 4.0.0-4.1.1 | | | [2544556](#2544556)
| If you reconfigure an NTP server with NCLU using different trailing options after the IP address (such as iburst), an invalid configuration is added to the /etc/ntp.conf file. For example:

net add time ntp server 1.2.3.4 iburst
net commit
net add time ntp server 1.2.3.4
net commit

If you need to alter existing server configurations, first remove the server, commit, then re-add the server with any trailing options. | 3.7.9-4.1.1 | | | [2543668](#2543668)
| On the EdgeCore AS4610 switch, the ping command fails unless you run the command with sudo.
To work around this issue, run the following commands: 

 cumulus@switch:~$ sudo setcap cap_net_raw+ep /usr/share/mgmt-vrf/bin/ping 
 cumulus@switch:~$ sudo setcap cap_net_raw+ep /usr/share/mgmt-vrf/bin/ping6

Run the following command to verify the workaround: 
 
 cumulus@switch:~$ getcap /usr/share/mgmt-vrf/bin/ping*

You should see the following output: 
 
 /usr/share/mgmt-vrf/bin/ping = cap_net_raw+ep 
 /usr/share/mgmt-vrf/bin/ping6 = cap_net_raw+ep

| 3.7.6-3.7.10, 4.1.0-4.1.1 | | | [2543649](#2543649)
| You cannot specify a source and destination MAC address in an ERSPAN ebtables rule. For example, the following rule does not work:

-A FORWARD -i swp5 -s 00:25:90:b2:bd:9d -d 50:6b:4b:96:c4:04 -j erspan --src-ip 100.1.1.2 --dst-ip 100.1.1.1 --ttl 64
| 3.7.6-3.7.12, 4.0.0-4.1.1 | | -| [2543270](#2543270)
| The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | | -| [2542979](#2542979)
| On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | | +| [2543270, 2549352](#2543270, 2549352)
| The default route injected through OSPF when you configure default-information originate always is unreliable and might age out unexpectedly.
To work around this issue, rely on a different source of default route other than injection with default-information originate. | 3.7.8-4.1.1 | | +| [2542979, 2546131](#2542979, 2546131)
| On the Dell-N3048EP-ON switch, when you run the sudo -E apt upgrade command, the upgrade does not work. | 3.7.7-4.1.1 | | | [2540950](#2540950)
| On the QuantaMesh T4048-IX8 or EdgeCore AS7326-56X switch, when using a 1000BASE-T SFP module, the module LEDs do not light to reflect link status.
| 3.7.3-4.1.1 | | | [2535706](#2535706)
| On the Mellanox switch, GRE tunneling does not work if the tunnel source is configured on an SVI interface. If the tunnel source is configured on a physical switch port, then tunneling works as expected. | 4.0.0-4.1.1 | | diff --git a/content/cumulus-linux-42/rn.xml b/content/cumulus-linux-42/rn.xml index fa88aca11d..64172f2395 100644 --- a/content/cumulus-linux-42/rn.xml +++ b/content/cumulus-linux-42/rn.xml @@ -37,7 +37,7 @@ cumulus@switch:~$ sudo apt upgrade 4.3.2-4.4.5, 5.5.0-5.16.1 -3390022 +3390022, 3323138 When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the {{peerlink.4095}} interface stanza are duplicated. Subsequent {{ifreloads}}, or {{net commit}} commands fail until you manually remove the duplicated lines from this interface and run {{ifreload -a}}. 4.2.1-4.4.5 @@ -97,7 +97,7 @@ MAC learning looks correct, but traffic does not flow as expected. 4.3.1, 5.2.0-5.16.1 -3108491 +3108491, 2434628 In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart {{switchd}}. 4.2.1-4.4.5 5.0.0-5.16.1 @@ -134,7 +134,7 @@ To work around this issue, restart the {{hostapd}} service with the {{systemctl 4.3.1-4.4.5, 4.4.4-4.4.5 -3046023 +3046023, 3096918 The {{cl-resource-query}} command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the {{switchd.log}} file contains ECMP resource errors with routes and next hops failing to install. 4.2.1-5.1.0 5.2.0-5.16.1 @@ -283,13 +283,13 @@ Reboot the affected switches. 5.0.0-5.16.1 -2743186 +2743186, 2734100, 2731464, 3438708 When you use MD5 passwords and you configure a non-default VRF before the default VRF in the {{/etc/frr/frr.conf}} file, numbered BGP sessions do not establish. 3.7.15-5.1.0 5.2.0-5.16.1 -2738625 +2738625, 2748965 When you configure the switch with the minimum reserved VLAN of 150 and the internal VLANs are exhausted, the MLAG peer does not forward the VLAN. 3.7.15, 4.2.1-4.3.0 3.7.16, 4.3.1-4.4.5 @@ -307,13 +307,13 @@ Reboot the affected switches. 4.3.1-4.4.5, 4.4.2-4.4.5 -2716822 +2716822, 2710844 The {{/etc/cumulus/ports.conf}} file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports. 3.7.15-4.3.0 4.3.1-4.4.5 -2713888 +2713888, 2834357 With the {{ip-acl-heavy}} TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly. hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources @@ -491,7 +491,7 @@ ERROR: Command not found 3.7.16, 4.3.1-4.4.5 -2556010 +2556010, 2556276 On Broadcom switches, after repeated VLAN or VXLAN configuration changes, {{switchd}} memory might not free up appropriately, which can lead to a crash. 3.7.14, 4.0.0-4.2.1 3.7.14.2-3.7.16, 4.3.0-4.4.5 @@ -585,7 +585,7 @@ The VNI match works if applied at some other non-originating router either in th 4.3.0-4.4.5 -2555175 +2555175, 3195351, 2672721 Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. 3.7.15-4.3.1 4.3.2-4.4.5 @@ -777,7 +777,7 @@ To work around this issue, use a static MAC address; specify a MAC address in th 4.3.0-4.4.5 -2554253 +2554253, 2554353 After upgrading the Mellanox SN2410 switch, the FAN is set to full speed. 4.2.1 4.3.0-4.4.5 @@ -789,7 +789,7 @@ To work around this issue, use a static MAC address; specify a MAC address in th 4.3.0-4.4.5 -2554222 +2554222, 2614073 The NCLU command to enable bridge learning fails. As a work around, enable bridge learning in the {{/etc/network/interface}} file. For example: @@ -814,7 +814,7 @@ iface vni-30 -2554202 +2554202, 2544880 The output of the {{net show commit}} command does not show the last commit or the specified commit number but is empty instead. 4.2.1-4.4.5 @@ -893,7 +893,7 @@ To work around this issue, disable IGMP snooping on the switch. 4.3.0-4.4.5 -2553529 +2553529, 2553349 In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated. To work around this issue, restart FRR with the {{sudo systemctl restart frr.service}} command. @@ -915,7 +915,7 @@ To work around this issue, remove power to both PSUs at the same time, then rein 3.7.14-3.7.16, 4.3.0-4.4.5 -2553349 +2553349, 2553529 When you delete a layer 2 VNI and VLAN, the layer 3 VNI reports an incorrect layer 2 VNI number. To work around this issue, either restart FRR or delete the VNI interface first, then delete the VLAN/SVI. 4.2.0-4.2.1 @@ -928,7 +928,7 @@ To work around this issue, either restart FRR or delete the VNI interface first, 4.3.0-4.4.5 -2553237 +2553237, 2552950 The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF. NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF. @@ -994,7 +994,7 @@ To work around this issue, use the {{ethtool -m <interface>}} command.3.7.15-3.7.16, 4.3.0-4.4.5 -2552742 +2552742, 2553000, 2553936 On the Mellanox SN2410 switch, you see {{switchd}} core and {{GBIN_MALLOC}} errors. To work around this issue, restart {{switchd}}. 3.7.12-4.2.1 @@ -1068,7 +1068,7 @@ These messages are for internal validation purposes only and can be safely ignor -2552212 +2552212, 2553637 The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with {{Unable to read from device/fan1_input/pwm1}} syslog messages. 3.7.11-3.7.14, 4.1.1-4.3.0 3.7.14.2-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5 @@ -1185,7 +1185,7 @@ zebra increments the local MAC mobility sequence number and considers the MAC ad -2550973 +2550973, 2548408 After you enable ROCE with the {{net add interface <switch-port> storage-optimized pfc}} command, you cannot verify the command because it is not shown in the {{net show config}} command output. 4.1.1-4.2.1 4.3.0-4.4.5 @@ -1377,7 +1377,7 @@ These messages are harmless and can be ignored. -2548672 +2548672, 2555635 When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF. To work around this issue, remove the unnecessary eBGP IPv4 peering. 3.7.12-3.7.15, 4.0.0-4.2.1 @@ -1427,7 +1427,7 @@ To work around this issue, remove, then re-add the component prefix routes. 4.3.0-4.4.5 -2548408 +2548408, 2550973 {{net show configuration commands}} does not show the RoCE {{net add interface <swp> storage-optimized pfc}} configuration. 4.1.0-4.2.1 4.3.0-4.4.5 @@ -1484,7 +1484,7 @@ These errors are result of user space acting on kernel events a bit slow. The m -2547706 +2547706, 2544456, 2549513 When you configure ganged ports in the {{ports.conf}} file, the change does not take effect after you restart {{switchd}}. To work around this issue, reboot the switch. 3.7.11-3.7.16, 4.0.0-4.4.5 @@ -1557,7 +1557,7 @@ To increase the {{systemd}} timeout: -2546225 +2546225, 2541038 When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in {{/var/lib/cumulus/installer}}, which causes issues with cl-support. sudo onie-install -fai http://<path to image> @@ -1568,7 +1568,7 @@ To increase the {{systemd}} timeout: -2546131 +2546131, 2542979 On the Delta AG-6248C PoE switch, when you run the {{apt upgrade}} command, the upgrade does not work. Cumulus Linux uses {{uboot}} directly instead of {{grub}} to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the {{apt upgrade}} command to upgrade Linux packages, {{uboot}} is unable to boot up the kernel. To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the {{onie-select}} command to go into ONIE, and then use the {{nos-install}} command in ONIE to install a new image. This workaround only works when an out-of-band network is present. @@ -1640,7 +1640,7 @@ To work around this issue, run the {{sudo systemctl restart lldpd.service}} comm -2544880 +2544880, 2544616, 2554202 When you run the NCLU {{net show commit last}} or {{net show commit <number>}} command, where {{<number>}} is the last commit, no output is shown. 4.0.0-4.4.5 @@ -1659,7 +1659,7 @@ To work around this issue, do not use auto-negotiation and set the local port sp -2544456 +2544456, 2546166, 2546167, 2547706, 2549513 The NCLU {{net show lldp}} command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. 3.7.9-3.7.16, 4.0.0-4.4.5 @@ -1709,7 +1709,7 @@ You can safely ignore this warning. -2543841 +2543841, 2544947 The {{net show evpn vni detail json}} command includes an extra empty dictionary at the end of the output. 3.7.8-3.7.16, 4.0.0-4.4.5 @@ -1765,7 +1765,7 @@ See /var/log/netd.log for more details. -2543401 +2543401, 2543014 On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to {{admin up}} until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces. To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. 4.0.0-4.4.5 @@ -1888,7 +1888,7 @@ This issue only affects QinQ configurations. -2540204 +2540204, 2713883 When links come up after FRR is started, VRF connected routes do not get redistributed. 3.7.4-3.7.16, 4.0.0-4.4.5 @@ -2045,7 +2045,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537544 +2537544, 2537365 When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB. 3.7.1-3.7.16, 4.0.0-4.4.5 @@ -2124,7 +2124,7 @@ To work around this issue, use {{net show interface}} command for LLDP output wh 3.7.11-3.7.16 -2534977 +2534977, 2535424 On the Mellanox switch, the destination MAC address of ERSPAN GRE packets is set to all zeros; therefore, the first transit switch might drop packets. 4.0.0-4.2.1 3.7.14-3.7.16, 4.3.0-4.4.5 @@ -2177,7 +2177,7 @@ To work around this issue, change the value of {{arp_ignore}} to 2. See [Address 3.7.9-4.2.0 -2553301 +2553301, 2754876 Certain IPv6 routes may be present in the kernel but missing in hardware, and you may also see the following log messages in /var/log/switchd.log: sync_route.c 5255 WARN 3 routes reverted to non-ECMP due to NH table capacity @@ -2209,7 +2209,7 @@ To work around this issue, bounce the bond or shutdown the new interface and use 4.2.0 -2552505 +2552505, 2552604 Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports. To work around this issue, manually set the MAC address of the bridge interface by adding {{hwaddress <mac-address>}} to the bridge stanza in the {{/etc/network/interfaces}} file. 3.7.11-3.7.13, 4.0.0-4.2.0 @@ -2295,7 +2295,7 @@ Because the modules listed above do not return to their default values correctly 4.1.1-4.2.0 -2551162 +2551162, 2550590 {{switchd}} memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time. To work around this issue, correct the cause of the frequent link flaps. You can restart {{switchd}} with the {{sudo systemctl restart switchd}} command to recover memory; this operation is impactful to all traffic on the switch during the restart. 3.7.11-3.7.12, 4.0.0-4.2.0 @@ -2523,7 +2523,7 @@ Reboot the affected switches. 4.3.1, 4.4.2-4.4.5, 5.0.0-5.16.1 -2743186 +2743186, 2734100, 2731464, 3438708 When you use MD5 passwords and you configure a non-default VRF before the default VRF in the {{/etc/frr/frr.conf}} file, numbered BGP sessions do not establish. 3.7.15-5.1.0 5.2.0-5.16.1 @@ -2535,13 +2535,13 @@ Reboot the affected switches. 4.3.1-4.4.5, 4.4.2-4.4.5 -2716822 +2716822, 2710844 The {{/etc/cumulus/ports.conf}} file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports. 3.7.15-4.3.0 4.3.1-4.4.5 -2713888 +2713888, 2834357 With the {{ip-acl-heavy}} TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly. hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources @@ -2663,7 +2663,7 @@ To work around this issue, either use the {{vtysh}} commands or edit the {{/etc/ 4.2.1-4.4.5 -2556010 +2556010, 2556276 On Broadcom switches, after repeated VLAN or VXLAN configuration changes, {{switchd}} memory might not free up appropriately, which can lead to a crash. 3.7.14, 4.0.0-4.2.1 3.7.14.2-3.7.16, 4.3.0-4.4.5 @@ -2700,7 +2700,7 @@ To work around this issue, increase the burst value of the ARP policers to 200 o 3.7.15-3.7.16, 4.3.0-4.4.5 -2555175 +2555175, 3195351, 2672721 Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. 3.7.15-4.3.1 4.3.2-4.4.5 @@ -2874,7 +2874,7 @@ To work around this issue, disable IGMP snooping on the switch. 4.3.0-4.4.5 -2553529 +2553529, 2553349 In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated. To work around this issue, restart FRR with the {{sudo systemctl restart frr.service}} command. @@ -2889,14 +2889,14 @@ To work around this issue, restart FRR with the {{sudo systemctl restart frr.ser 4.3.0-4.4.5 -2553349 +2553349, 2553529 When you delete a layer 2 VNI and VLAN, the layer 3 VNI reports an incorrect layer 2 VNI number. To work around this issue, either restart FRR or delete the VNI interface first, then delete the VLAN/SVI. 4.2.0-4.2.1 4.3.0-4.4.5 -2553301 +2553301, 2754876 Certain IPv6 routes may be present in the kernel but missing in hardware, and you may also see the following log messages in /var/log/switchd.log: sync_route.c 5255 WARN 3 routes reverted to non-ECMP due to NH table capacity @@ -2912,7 +2912,7 @@ even though cl-resources-query does not reflect that the ECMP NH table is full. 4.3.0-4.4.5 -2553237 +2553237, 2552950 The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF. NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF. @@ -2971,7 +2971,7 @@ To work around this issue, use the {{ethtool -m <interface>}} command.3.7.15-3.7.16, 4.3.0-4.4.5 -2552742 +2552742, 2553000, 2553936 On the Mellanox SN2410 switch, you see {{switchd}} core and {{GBIN_MALLOC}} errors. To work around this issue, restart {{switchd}}. 3.7.12-4.2.1 @@ -3023,7 +3023,7 @@ To work around this issue, bounce the bond or shutdown the new interface and use 4.2.1-4.4.5 -2552505 +2552505, 2552604 Changing the order of the bridge ports might cause the bridge MAC address to change, which flaps the bridge and its ports. To work around this issue, manually set the MAC address of the bridge interface by adding {{hwaddress <mac-address>}} to the bridge stanza in the {{/etc/network/interfaces}} file. 3.7.11-3.7.13, 4.0.0-4.2.0 @@ -3065,7 +3065,7 @@ These messages are for internal validation purposes only and can be safely ignor -2552212 +2552212, 2553637 The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with {{Unable to read from device/fan1_input/pwm1}} syslog messages. 3.7.11-3.7.14, 4.1.1-4.3.0 3.7.14.2-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5 @@ -3239,7 +3239,7 @@ Because the modules listed above do not return to their default values correctly 4.3.0-4.4.5 -2551162 +2551162, 2550590 {{switchd}} memory utilization might continue to increase if there are excessive and continuous link flaps over a long period of time. To work around this issue, correct the cause of the frequent link flaps. You can restart {{switchd}} with the {{sudo systemctl restart switchd}} command to recover memory; this operation is impactful to all traffic on the switch during the restart. 3.7.11-3.7.12, 4.0.0-4.4.5 @@ -3277,7 +3277,7 @@ zebra increments the local MAC mobility sequence number and considers the MAC ad -2550973 +2550973, 2548408 After you enable ROCE with the {{net add interface <switch-port> storage-optimized pfc}} command, you cannot verify the command because it is not shown in the {{net show config}} command output. 4.1.1-4.2.1 4.3.0-4.4.5 @@ -3518,7 +3518,7 @@ These messages are harmless and can be ignored. -2548672 +2548672, 2555635 When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF. To work around this issue, remove the unnecessary eBGP IPv4 peering. 3.7.12-3.7.15, 4.0.0-4.2.1 @@ -3574,7 +3574,7 @@ To work around this issue, remove, then re-add the component prefix routes. 4.3.0-4.4.5 -2548408 +2548408, 2550973 {{net show configuration commands}} does not show the RoCE {{net add interface <swp> storage-optimized pfc}} configuration. 4.1.0-4.2.1 4.3.0-4.4.5 @@ -3631,7 +3631,7 @@ These errors are result of user space acting on kernel events a bit slow. The m -2547706 +2547706, 2544456, 2549513 When you configure ganged ports in the {{ports.conf}} file, the change does not take effect after you restart {{switchd}}. To work around this issue, reboot the switch. 3.7.11-3.7.16, 4.0.0-4.4.5 @@ -3710,7 +3710,7 @@ To increase the {{systemd}} timeout: -2546225 +2546225, 2541038 When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in {{/var/lib/cumulus/installer}}, which causes issues with cl-support. sudo onie-install -fai http://<path to image> @@ -3721,7 +3721,7 @@ To increase the {{systemd}} timeout: -2546131 +2546131, 2542979 On the Delta AG-6248C PoE switch, when you run the {{apt upgrade}} command, the upgrade does not work. Cumulus Linux uses {{uboot}} directly instead of {{grub}} to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the {{apt upgrade}} command to upgrade Linux packages, {{uboot}} is unable to boot up the kernel. To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the {{onie-select}} command to go into ONIE, and then use the {{nos-install}} command in ONIE to install a new image. This workaround only works when an out-of-band network is present. @@ -3793,7 +3793,7 @@ To work around this issue, run the {{sudo systemctl restart lldpd.service}} comm -2544880 +2544880, 2544616, 2554202 When you run the NCLU {{net show commit last}} or {{net show commit <number>}} command, where {{<number>}} is the last commit, no output is shown. 4.0.0-4.4.5 @@ -3812,7 +3812,7 @@ To work around this issue, do not use auto-negotiation and set the local port sp -2544456 +2544456, 2546166, 2546167, 2547706, 2549513 The NCLU {{net show lldp}} command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. 3.7.9-3.7.16, 4.0.0-4.4.5 @@ -3862,7 +3862,7 @@ You can safely ignore this warning. -2543841 +2543841, 2544947 The {{net show evpn vni detail json}} command includes an extra empty dictionary at the end of the output. 3.7.8-3.7.16, 4.0.0-4.4.5 @@ -3918,7 +3918,7 @@ See /var/log/netd.log for more details. -2543401 +2543401, 2543014 On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to {{admin up}} until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces. To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. 4.0.0-4.4.5 @@ -4041,7 +4041,7 @@ This issue only affects QinQ configurations. -2540204 +2540204, 2713883 When links come up after FRR is started, VRF connected routes do not get redistributed. 3.7.4-3.7.16, 4.0.0-4.4.5 @@ -4198,7 +4198,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537544 +2537544, 2537365 When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB. 3.7.1-3.7.16, 4.0.0-4.4.5 @@ -4277,7 +4277,7 @@ To work around this issue, use {{net show interface}} command for LLDP output wh 3.7.11-3.7.16 -2534977 +2534977, 2535424 On the Mellanox switch, the destination MAC address of ERSPAN GRE packets is set to all zeros; therefore, the first transit switch might drop packets. 4.0.0-4.2.1 3.7.14-3.7.16, 4.3.0-4.4.5 @@ -4323,7 +4323,7 @@ To work around this issue, change the value of {{arp_ignore}} to 2. See [Address Affects -2553000 +2553000, 2552742 When the following conditions exist, {{clagd}} might fail to establish a TCP control session across the subinterface (such as, peerlink.4094): * {{clagd}} uses an IPv6 link-local address (LLA) to establish the TCP connection (the {{clagd-peer-ip linklocal}} command configures an IPv6 LLA connection) @@ -4392,7 +4392,7 @@ The service starts automatically but there is an impact to POE devices momentari 3.7.12, 4.0.0-4.1.1 -2550264 +2550264, 2550998 The sx_sdk service may log errors and/or generate a core file when configuring breakout ports on Mellanox Spectrum platforms. The error message observed will be similar to the following: {{sx_sdk: EMAD_RX_THREAD: EMAD transaction FW error}} @@ -4471,7 +4471,7 @@ To work around this issue, when you manually configure the {{rd}} or {{route-tar 4.0.0-4.1.1 -2549269 +2549269, 2551467 On Mellanox switches with the Spectrum-2 ASIC, when you use more than 16 bonds on the switch, you might experience forwarding issues or see an error similar to the following in {{switchd.log}}: 2020-04-07T15:59:27.345421+10:00 le-266-q14-2-res switchd[8422]: hal_mlx_bond.c:1696 ERR member_fwd_update_cb spartan-bm87 collector set failed for swp3s0: Driver's Return Status is Non-Zero @@ -4514,7 +4514,7 @@ username cumulus nopassword 4.1.0-4.1.1 -2548892 +2548892, 2549358, 2555149 NTP does not start when you use the default VRF instead of the management VRF. 4.1.0-4.1.1 @@ -4530,7 +4530,7 @@ To work around this issue, restart FRR. 3.7.11-3.7.12, 4.0.0-4.1.1 -2548586 +2548586, 2549256 After you flap an MLAG peerlink, a rare condition might occur where routes and neighbors for VXLAN-enabled VLANs are misprogrammed as non-VXLAN routes and neighbors due to VNI state transitions. This results in a forwarding failure for traffic destined to these misprogrammed routes and neighbors. *Note*: Do not flap a VNI interface manually. The only expected time for a VNI interface to go down is when the MLAG secondary switch brings the VNIs protodown during a peer link failure where the backup IP address is still active. To recover from this condition, restart {{switchd}} with the {{sudo systemctl restart switchd}} command. @@ -4570,12 +4570,12 @@ Note: A network restart is a disruptive operation. 3.7.5-3.7.12, 4.0.0-4.1.1 -2548373 +2548373, 2548371 On the Edgecore AS5812 switch, the Innodisk DIMM causes a DIMM temperature sensor absent alert. 3.7.12, 4.0.0-4.1.1 -2548320 +2548320, 2543525 When configuring VRF route leaking, if you define {{import vrf route-map <name>}} but do not have any imported VRFs, the route map command displays incorrectly, and as a result, FRR fails to reload. 4.0.0-4.1.1 @@ -4586,7 +4586,7 @@ Note: A network restart is a disruptive operation. 3.7.11-3.7.12, 4.1.0-4.1.1 -2548275 +2548275, 2548503, 2556077 On the QuantaMesh BMS T5032-LY6 switch, when you run the {{hwclock}} command, you might see the error {{hwclock: select() to /dev/rtc0 to wait for clock tick timed out}}. 4.1.0-4.1.1 @@ -4638,7 +4638,7 @@ To work around this issue, move 100G SR4 modules to one of the ports not affecte 3.7.11-3.7.12, 4.0.0-4.1.1 -2547610 +2547610, 2548114 Mellanox switches with the Spectrum A0 ASIC that are integrated with VMware NSX experience BFD connectivity issues with service nodes. As a result, VXLAN tunnels do not work. Mellanox switches with the Spectrum A1 ASIC do **not** have this issue. 3.7.11-3.7.12, 4.0.0-4.1.1 @@ -4670,7 +4670,7 @@ RTM_NEWNEIGH with unconfigured vlan XXXX on port peerlink 3.7.11-4.1.1 -2546951 +2546951, 2548887 {{switchd}} crashes when dynamic VRF route leaking is enabled and the following is true: * The default route is leaked from VRF1 to VRF2 * Hardware-based dynamic VRF route leaking is configured ({{vrf_route_leak_enable_dynamic}} is set to TRUE in the {{/etc/cumulus/switchd.conf}} file). @@ -4707,7 +4707,7 @@ To work around this issue, disable BFD to alleviate some of the CPU load. 3.7.13, 4.0.0-4.1.1 -2545536 +2545536, 2545503 On the Mellanox switch with the Spectrum and Spectrum-2 ASIC, IPv6 egress ACLs are not supported on subinterfaces. 4.0.0-4.1.1 @@ -4726,7 +4726,7 @@ To work around this issue and bring the interfaces up, perform the following con 4.0.0-4.1.1 -2545054 +2545054, 2552126 When you run the NCLU {{net del interface}} command to delete an interface that has a description in the {{/etc/frr/frr.conf}} file but the {{/etc/frr/daemons}} file does not contain {{zebra=yes}, all running FRR daemons ({{bgpd}}, {{ospfd}}, {{ospf6d}}) restart. To work around this issue, remove all interfaces from the {{/etc/frr/frr.conf}} file that are unrelated to routing. 4.0.0-4.1.1 @@ -4783,13 +4783,13 @@ If you need to alter existing server configurations, first remove the server, co 3.7.6-3.7.12, 4.0.0-4.1.1 -2543270 +2543270, 2549352 The default route injected through OSPF when you configure {{default-information originate always}} is unreliable and might age out unexpectedly. To work around this issue, rely on a different source of default route other than injection with {{default-information originate}}. 3.7.8-4.1.1 -2542979 +2542979, 2546131 On the Dell-N3048EP-ON switch, when you run the {{sudo -E apt upgrade}} command, the upgrade does not work. 3.7.7-4.1.1 diff --git a/content/cumulus-linux-43/Whats-New/rn.md b/content/cumulus-linux-43/Whats-New/rn.md index a1a7e4b20c..75b33a1128 100644 --- a/content/cumulus-linux-43/Whats-New/rn.md +++ b/content/cumulus-linux-43/Whats-New/rn.md @@ -325,10 +325,10 @@ pdfhidden: True | [3684998](#3684998)
| DHCP lease information is not collected in the cl-support file. | 4.3.0-5.6.0 | 5.7.0-5.16.1| | [3528464](#3528464)
| Cumulus Linux might mark a layer 2 VLAN-tagged packet as a packet to CPU and the INPUT chain ACL might drop the packet. To work around this issue, add an additional addrtype match on the ACL to prevent an erroneous ACL match; for example:
[iptables]
-A INPUT -i swp+ -m addrtype --dst-type LOCAL -p tcp --sport 22 -j DROP
| 4.3.0-4.4.5 | | | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0-5.16.1| -| [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.16.1| +| [3474391, 3479772](#3474391, 3479772)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.16.1| | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.16.1| | [3400244](#3400244)
| NCLU accepts multiple instances of same net add bgp commands and stores the configuration in the /etc/frr/frr.conf file when you run the net commit command. As a result, unintended commands might be processed during frr-reload. To work around this issue, edit the /etc/frr/frr.conf file to remove the duplicated entries. | 4.3.1-4.4.5 | | -| [3390022](#3390022)
| When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the peerlink.4095 interface stanza are duplicated. Subsequent ifreloads, or net commit commands fail until you manually remove the duplicated lines from this interface and run ifreload -a. | 4.2.1-4.4.5 | | +| [3390022, 3323138](#3390022, 3323138)
| When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the peerlink.4095 interface stanza are duplicated. Subsequent ifreloads, or net commit commands fail until you manually remove the duplicated lines from this interface and run ifreload -a. | 4.2.1-4.4.5 | | | [3339249](#3339249)
| The sensors.conf files in Cumulus Linux are out of date. | 4.2.1-4.4.5 | | | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.16.1| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.16.1 | | @@ -336,20 +336,20 @@ pdfhidden: True | [3216921](#3216921)
| RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users)
| 3.7.0-3.7.16, 4.3.0-4.4.5 | | | [3216759](#3216759)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-3.7.16, 4.3.0-4.4.5 | | | [3211369](#3211369)
| The NCLU net show interface pluggables command takes a long time (approximately five minutes) to complete. | 4.2.1-4.4.5 | | -| [3168564](#3168564)
| In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), switchd might crash when you restart clagd or when all bonds go operationally down, then up
On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. | 4.3.1-4.4.5 | | +| [3168564, 3198302](#3168564, 3198302)
| In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), switchd might crash when you restart clagd or when all bonds go operationally down, then up
On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. | 4.3.1-4.4.5 | | | [3163845](#3163845)
| If bond slaves listed in the /etc/network/interfaces file are not in alphabetical order, the bond interface MAC address can change when you run ifreload. For example, if the bond slaves in the /etc/network/interfaces file are listed as swp32 swp31, the switch initially uses the MAC address for swp32 as the bond MAC address. An another ifreload can cause this to change to use the MAC address for swp31 as the bond MAC address, which can cause protocol issues, such as IPv6 link-local address changes. | 4.3.1-4.4.5 | | | [3138746](#3138746)
| The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0-5.1.0 | 5.2.0-5.16.1| | [3131423](#3131423)
| During EVPN multihoming bond failover, ARP and ND redirection fails if you configure layer 2 VNIs and ES bonds before you configure the loopback IP address of the switch. To work around this issue, configure the loopback IP address, then restart FRR with the systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| | [3117340](#3117340)
| When you edit the /usr/share/openvswitch/scripts/ovs-ctl-vtep file to change the ovs-vtepd configuration between vlan-aware and vlan-unaware mode, ovs-vtepd crashes when you restart the service. To recover, restart the networking service with the sudo systemctl restart networking command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| -| [3108491](#3108491)
| In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. | 4.2.1-4.4.5 | 5.0.0-5.16.1| +| [3108491, 2434628](#3108491, 2434628)
| In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. | 4.2.1-4.4.5 | 5.0.0-5.16.1| | [3093966](#3093966)
| On Broadcom switches, INPUT chain iptable rules filter IPv6 packets matching the rules. | 3.7.15-3.7.16, 4.3.0-4.4.5 | | | [3089165](#3089165)
| A slow memory leak might occur in switchd} if the route fails to install in hardware when hardware resources are exhausted. | 4.2.1-4.4.3 | 4.4.4-4.4.5| | [3084027](#3084027)
| Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware. | 4.3.0-4.4.5, 5.0.0-5.16.1 | | | [3073668](#3073668)
| On the EdgeCore AS4610 switch, when you change the speed of any of the SFP+ ports, the other SFP+ ports flap. | 3.7.12-3.7.16, 4.3.0-4.4.5 | | | [3072674](#3072674)
| In an MLAG configuration, if you put a single connected interface into an admin down state, any dynamic MAC addresses on the peer link are flushed, then added back, which causes momentary traffic disruption. | 3.7.15-5.1.0 | 5.2.0-5.16.1| | [3072613](#3072613)
| When you delete a bond interface with NCLU, BGP peer group configuration is removed. | 3.7.15-3.7.16, 4.3.0-4.4.5 | | -| [3059135](#3059135)
| In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route
To resolve this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| -| [3046023](#3046023)
| The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. | 4.2.1-5.1.0 | 5.2.0-5.16.1| +| [3059135, 3060400](#3059135, 3060400)
| In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route
To resolve this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| +| [3046023, 3096918](#3046023, 3096918)
| The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. | 4.2.1-5.1.0 | 5.2.0-5.16.1| | [2993719](#2993719)
| After you delete the last vxlan-remoteip configuration line from the /etc/network/interfaces file and run the ifreload -a command, the corresponding BUM flood entry is not removed. This is issue is impacting all Cumulus Linux releases. The following attribute: vxlan-purge-remotes yes is intended to fix the issue (this attribute has been available since CL2). It was decided to change ifupdown2's default behavior to automatically purge BUM entries added by ifup/ifreload. | 3.7.15-5.0.1 | 5.1.0-5.16.1, 5.2.0-5.16.1| | [2952117](#2952117)
| If switchd requires more time to update port or bond configuration after the port or bond flaps, the systemd watchdog times out. As result, systemd might assume that switchd is unresponsive and restarts it. | 4.2.1-4.4.2, 5.0.0-5.0.1 | 4.4.3-4.4.5, 5.1.0-5.16.1| | [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.16.1 | | @@ -369,17 +369,17 @@ pdfhidden: True | [2770226](#2770226)
| In an MLAG configuration with traditional bridges, MAC addresses are seen over peer link during ifreload when adding new VLANS or bridges. | 3.7.14.2-3.7.15, 4.3.0-4.4.5 | 3.7.16, 5.0.0-5.16.1| | [2754791](#2754791)
| Remote MAC addreses in zebra are out of sync with bgpd. The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP. | 3.7.14.2-3.7.16, 4.3.0-4.4.5 | | | [2753955](#2753955)
| On the Lenovo MSN3700 switch, if you try to configure an interface with a link speed of 200G, the configuration fails. | 4.2.1-4.4.5 | 5.0.0-5.16.1| -| [2743186](#2743186)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| +| [2743186, 2734100, 2731464, 3438708](#2743186, 2734100, 2731464, 3438708)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| | [2739402](#2739402)
| The destination MAC address of ERSPAN GRE packets is set to all zeros. | 4.3.0-4.4.5 | 5.0.0-5.16.1| | [2734103](#2734103)
| ACL [No More Resources] messages keep appearing and you can't reinstall the ACL. | 4.3.0-5.1.0 | 5.2.0-5.16.1| | [2732605](#2732605)
| The ESI line of show bgp l2vpn evpn route command always shows VNI: 0. This is a cosmetic software issue. | 4.3.0-4.4.5 | 5.0.0-5.16.1| -| [2728119](#2728119)
| When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-4.4.5 | 5.0.0-5.16.1| -| [2713888](#2713888)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| +| [2728119, 2729309](#2728119, 2729309)
| When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-4.4.5 | 5.0.0-5.16.1| +| [2713888, 2834357](#2713888, 2834357)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| | [2711533](#2711533)
| On the AS7326-56X switch, the link lights for 25G ports configured to work at 1G do not illuminate. | 4.2.1-4.4.5 | | | [2710208](#2710208)
| The net show bgp neighbor command output does not reflect the correct BFD status. This is a cosmetic issue. To work around this issue, run the NCLU net show bfd command to verify the correct state of BFD. | 4.2.1-4.4.5 | | | [2706744](#2706744)
| In an EVPN multihoming configuration, the VTEP continues to advertise a stale route after an extended MAC mobility event. | 4.3.0-4.4.1 | 4.4.2-4.4.5| | [2700767](#2700767)
| Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use a MLAG peer IP linklocal configuration. | 3.7.12-3.7.15, 4.3.0-4.4.5 | 3.7.16| -| [2690017](#2690017)
| When you remove a bond member, then re-add it, you might see a Parameter Error failure in {syslog and switchd.log:
sx_sdk: LAG: Can't add port (0x00012400) to lag. Port has vports configured for it (Parameter Error)
switchd[4529]: hal_mlx_bond.c:582 ERR bond32 member swp32 add failed: Parameter Error
To work around this issue, restart switchd. | 4.3.0-4.3.4 | 4.4.0-4.4.5| +| [2690017, 3431625](#2690017, 3431625)
| When you remove a bond member, then re-add it, you might see a Parameter Error failure in {syslog and switchd.log:
sx_sdk: LAG: Can't add port (0x00012400) to lag. Port has vports configured for it (Parameter Error)
switchd[4529]: hal_mlx_bond.c:582 ERR bond32 member swp32 add failed: Parameter Error
To work around this issue, restart switchd. | 4.3.0-4.3.4 | 4.4.0-4.4.5| | [2685994](#2685994)
| When you use the NVUE command nv set interface lo router ospf area to configure OSPF on a loopback interface, the configuration fails to apply
To work around this issue, configure the loopback interface in the desired OSPF area with the nv set vrf default router ospf area 0 network command and reference the assigned prefix of the loopback interface. For example:
cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32
| 4.0.0-5.0.1 | 5.1.0-5.16.1| | [2682780](#2682780)
| Adding a route map configuration after a MAC access list configuration line causes the route map configuration to be applied incorrectly
To work around this issue, add the MAC access list configuration to the end of the /etc/frr/frr.conf file. | 4.2.0-4.3.4 | 4.4.0-4.4.5| | [2669873](#2669873)
| In an EVPN multihoming configuration, ARP/ND traffic coming in one switch is being sent back out the originating bond on the other switches in the ES on remote PE switches. Normally Split Horizon filtering prevents this kind of traffic at the remote PE. | 4.3.0-4.3.4 | 4.4.0-4.4.5| @@ -391,7 +391,7 @@ pdfhidden: True | [2618227](#2618227)
| The NCLU net show bridge macs command displays permanent MAC addresses for trunked VLANs. | 4.3.0-4.4.5 | | | [2614016](#2614016)
| The switch firmware incorrectly identifies Lenovo LR4 transceivers (part number 00YD278) and does not set the laser levels properly, which can prevent the link from coming up or might cause the transceiver to be identified as a 1G module. | 4.2.0-4.3.4 | 4.4.0-4.4.5| | [2599274](#2599274)
| On Mellanox Spectrum switches, when there is an MSTP forwarding state change on a bonds (for example, when the state changes from blocking to forwarding), the MSTP hardware table might set some VLANs to blocking when they should be forwarding. A a result, all packets on these VLANs drop at ingress
To recover from this state, flap the bond interface (not the physical swp) by running ifdown ; sleep 1 ; ifup . | 4.3.0-4.4.5 | 5.0.0-5.16.1| -| [2578814](#2578814)
| On NVIDIA Spectrum switches, BUM traffic might be dropped during VXLAN decapsulation in an EVPN multihoming environment after multiple PIM uplink interfaces flap. | 4.3.0-4.3.4 | 4.4.0-4.4.5| +| [2578814, 2644181](#2578814, 2644181)
| On NVIDIA Spectrum switches, BUM traffic might be dropped during VXLAN decapsulation in an EVPN multihoming environment after multiple PIM uplink interfaces flap. | 4.3.0-4.3.4 | 4.4.0-4.4.5| | [2577499](#2577499)
| QSFP+ 40G optics do not work on Spectrum platforms. | 4.3.0-4.3.4 | 4.4.0-4.4.5| | [2574368](#2574368)
| When you run the NCLU net add bgp maximum-paths ibgp command, FRR restarts unexpectedly
To work around this issue, either use the vtysh commands or edit the /etc/frr/frr.conf file directly, then run systemctl reload frr. | 4.1.1-4.4.5 | | | [2556772](#2556772)
| The net show clag verify-vlans command fails with the following log: 

WARNING: '/usr/bin/clagctl verifyvlans' failed due to:
Command '['/usr/bin/clagctl', 'verifyvlans']' returned non-zero exit status 1

To work around this issue, run the /usr/bin/clagctl verifyvlans command or the net show clag verbose command. | 4.2.1-4.4.5 | | @@ -411,13 +411,13 @@ pdfhidden: True | [2554533](#2554533)
| On the ARM platform, NTP peer associations slowly increase to larger offsets (~500ms). | 4.0.0-4.4.5 | | | [2554466](#2554466)
| Kernel routes added by iproute2 are missing in FRR after an interface flap.
To work around this issue, configure a static route in FRR.
| 4.2.1-4.4.5 | | | [2554299](#2554299)
| In a VRRP configuration, BGP unnumbered sessions for VRFs fail to establish after a networking restart. | 4.2.0-4.3.4 | 4.4.0-4.4.5| -| [2554222](#2554222)
| The NCLU command to enable bridge learning fails.
As a work around, enable bridge learning in the /etc/network/interface file. For example:

auto vni-30
iface vni-30
    vxlan-id 30
    bridge-access 30
    bridge-arp-nd-suppress on
    bridge-learning on
    vxlan-local-tunnelip 10.10.10.1
    mstpctl-bpduguard yes
    mstpctl-portbpdufilter yes
    mtu 9166
| 4.2.1-4.4.5 | | +| [2554222, 2614073](#2554222, 2614073)
| The NCLU command to enable bridge learning fails.
As a work around, enable bridge learning in the /etc/network/interface file. For example:

auto vni-30
iface vni-30
    vxlan-id 30
    bridge-access 30
    bridge-arp-nd-suppress on
    bridge-learning on
    vxlan-local-tunnelip 10.10.10.1
    mstpctl-bpduguard yes
    mstpctl-portbpdufilter yes
    mtu 9166
| 4.2.1-4.4.5 | | | [2554218](#2554218)
| MLAG packets received on the peer link are dropped instead of routed. | 4.2.0-4.4.5 | | -| [2554202](#2554202)
| The output of the net show commit command does not show the last commit or the specified commit number but is empty instead. | 4.2.1-4.4.5 | | +| [2554202, 2544880](#2554202, 2544880)
| The output of the net show commit command does not show the last commit or the specified commit number but is empty instead. | 4.2.1-4.4.5 | | | [2553989](#2553989)
| Default policer configured for LACP as an INPUT chain rule in 00control_plane.rules is meant to protect CPU from an LACP storm. When LACP storm is originating out of a single bond or bond member interface in a switch with multiple bond interfaces, there is a possibility of other LACP bond interface(s) going down. | 4.2.1-4.4.5 | | | [2553887](#2553887)
| When using TACACS+ configured with a DEFAULT user providing privilege level lower than 16, TACACS+ configured users with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del and see an error similar to the following:

ERROR: You do not have permission to execute that command.

To work around this issue, remove the DEFAULT user from the TACACS+ server. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2553677](#2553677)
| When you configure an SNMPv3 user with the net-snmp-config configuration command from the libsnmp-dev package, you get an error message similar to the one below:

cumulus@switch:mgmt-vrf:~$ sudo net-snmp-config --create-snmpv3-user -a shaauthpass -x aesprivpass -A SHA -X AES userSHAwithAES
adding the following line to /var/lib/snmp/snmpd.conf:           
   createUser userSHAwithAES SHA "shaauthpass" AES "aesprivpass"       
adding the following line to /snmp/snmpd.conf:                           
   rwuser userSHAwithAES                                           
touch: cannot touch ‘/snmp/snmpd.conf’: No such file or directory
/usr/bin/net-snmp-create-v3-user: 144: /usr/bin/net-snmp-create-v3-user: cannot create /snmp/snmpd.conf: Directory nonexistent

To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:

cumulus@switch:mgmt-vrf:~$ net add snmp-server username user999 auth-md5 user999password encrypt-des user999encryption

Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation. | 3.7.13-3.7.16, 4.0.0-4.4.5 | | -| [2553237](#2553237)
| The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF.
NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF.

| 4.2.0-4.4.5 | | +| [2553237, 2552950](#2553237, 2552950)
| The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF.
NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF.

| 4.2.0-4.4.5 | | | [2553116](#2553116)
| When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure.
To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2553015](#2553015)
| If a neighbour contains a special character in PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail. | 3.7.10-3.7.16, 4.2.0-4.4.5 | | | [2552691](#2552691)
| On the EdgeCore AS4610 switch, the eth0 interface remains down when physically connected to a 1G interface.
To work around this issue, configure the link speed to 1000 and set auto-negotiation on for the eth0 interface, then flap eth0 with the ip link set eth0 down/up command to bring up the port. | 4.2.0-4.4.5 | | @@ -457,15 +457,15 @@ pdfhidden: True | [2548044](#2548044)
| When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor. | 3.7.12-3.7.15, 4.0.0-4.4.5 | 3.7.16| | [2547890](#2547890)
| QinQ across VXLAN on a traditional bridge does not work. | 4.1.0-4.4.5 | | | [2547782](#2547782)
| If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2547706](#2547706)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2547706, 2544456, 2549513](#2547706, 2544456, 2549513)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2547405](#2547405)
| When you restart the hsflowd service, you see a systemd warning message similar to the following:

Warning: The unit file, source configuration file or drop-ins of hsflowd@mgmt.service changed on disk. Run 'systemctl daemon-reload'.
| 4.0.0-4.4.5 | | | [2547120](#2547120)
| After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number), until you run the decode-syseeprom --init command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546991](#2546991)
| The FRR service does not provide a way for automation to know if the configuration applied properly.
To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546895](#2546895)
| If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:
bq. systemd[1]: switchd.service watchdog timeout (limit 2min)!
To workaround this issue, either reduce the number of configured interfaces and, or VLANs, or increase the systemd timeout for switchd.service
To increase the systemd timeout:1.Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter
2.Restart the switchd service with the sudo systemctl restart switchd.service command
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546874](#2546874)
| On the Dell S5232F, S5248F, S5296F, and S3048 switch, using the poweroff or halt commands does not fully power off the switch. | 4.0.0-4.4.5 | | | [2546255](#2546255)
| On the EdgeCore Minipack-AS8000 switch, a 100G DAC link does not come up when auto-negotiation is enabled on the neighbor. This switch does not support 100G DAC auto-negotiation at this time. | 4.0.0-4.4.5 | | -| [2546225](#2546225)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2546131](#2546131)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546225, 2541038](#2546225, 2541038)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546131, 2542979](#2546131, 2542979)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2545837](#2545837)
| If you use the NCLU commands to configure NTP and run the net add time ntp source command before you run the net add time ntp server iburst command, the /etc/ntp.conf file is misconfigured.
To work around this issue, run the net add time ntp server iburst command before you run the net add time ntp source command. | 3.7.10-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2545520](#2545520)
| The length of the netlink message is not set properly for non-bridge family type messages. The same length is used for both bridge and non-bridge even though the bridge family type message has an extra attribute. This causes extra bytes to be left over in non-bridge family type netlink messages. | 3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2545239](#2545239)
| On the Mellanox switch with the Spectrum-2 ASIC, Precision Time Protocol (PTP) is not currently supported. | 4.0.0-4.3.4 | 4.4.0-4.4.5| @@ -475,22 +475,22 @@ pdfhidden: True | [2544968](#2544968)
| FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:

sudo sh -c "printf 'interface 50\nvrf TEST description L3 routing interface\n' >> /etc/frr/frr.conf"

should be:

sudo sh -c "printf 'interface 50 vrf TEST\ndescription L3 routing interface\n' >> /etc/frr/frr.conf"

To work around this issue, configure the interface manually in the /etc/frr/frr.conf file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544957](#2544957)
| NCLU incorrectly allows you to apply port security configuration on layer 2 and layer 3 ports that are not part of a bridge. | 4.0.0-4.4.5 | | | [2544953](#2544953)
| When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.
To work around this issue, run the sudo systemctl restart lldpd.service command. | 3.7.10-3.7.16, 4.0.0-4.4.5 | | -| [2544880](#2544880)
| When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. | 4.0.0-4.4.5 | | +| [2544880, 2544616, 2554202](#2544880, 2544616, 2554202)
| When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. | 4.0.0-4.4.5 | | | [2544723](#2544723)
| Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2544463](#2544463)
| Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | -| [2544456](#2544456)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | +| [2544456, 2546166, 2546167, 2547706, 2549513](#2544456, 2546166, 2546167, 2547706, 2549513)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544311](#2544311)
| Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544155](#2544155)
| NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order.

| 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544113](#2544113)
| Mac learning is not disabled by default on a double tagged peer link interface resulting in the MAC address changing between the MLAG bond and the peer link.
To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the etc/network/interfaces file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2543937](#2543937)
| An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause a FRR reload to time out.
To work around this issue, remove the interface alias description from iproute2. | 3.7.8-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543915](#2543915)
| When you enable a service in the management VRF, systemctl issues a warning similar to the following:
Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run 'systemctl daemon-reload' to reload unit
You can safely ignore this warning. | 4.0.0-5.9.5 | 5.10.0-5.16.1| | [2543900](#2543900)
| On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | | -| [2543841](#2543841)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | +| [2543841, 2544947](#2543841, 2544947)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | | [2543816](#2543816)
| On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages.
| 3.7.6-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2543781](#2543781)
| NCLU does not allow you to configure OSPF NSSAs. For example: 

cumulus@switch:~$ net add ospf area 0.0.0.1 nssa 
ERROR: Command not found. 
net add ospf area 0.0.0.1 nssa

To work around this issue, use FRR instead. For example: 

switch# configure terminal 
switch(config)# router ospf 
switch(config-router)# area 0.0.0.1 nssa
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543724](#2543724)
| If a hostname contains utf-8 characters, the NCLU net show lldp command outputs the following error: 

ERROR: 'ascii' codec can't encode character u'\xe9' in position 3: ordinal not in range(128) 
See /var/log/netd.log for more details.
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543646](#2543646)
| In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | | -| [2543401](#2543401)
| On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. | 4.0.0-4.4.5 | | +| [2543401, 2543014](#2543401, 2543014)
| On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. | 4.0.0-4.4.5 | | | [2543211](#2543211)
| In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2543164](#2543164)
| The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2543096](#2543096)
| When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | @@ -505,7 +505,7 @@ pdfhidden: True | [2540352](#2540352)
| When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a _match interface_ condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9 
net add routing route-map Proxy-ARP permit 30 match interface swp10

| 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2540340](#2540340)
| NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example: 
 
 cumulus@switch:~$ net add vrf mgmt

Tab completion for the net add vrf ip address
command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540274](#2540274)
| On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | -| [2540204](#2540204)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540204, 2713883](#2540204, 2713883)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540192](#2540192)
| The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540155](#2540155)
| On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2540042](#2540042)
| When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example: 
 
cumulus@switch:~$ sudo vtysh 
switch# configure terminal 
switch(config)# interface br0.100 
switch(config-if)# vrrp 1 priority 110 
switch(config-if)# vrrp 1 advertisement-interval 
switch(config-if)# end 
switch# write memory 
switch# exit 
cumulus@switch:~

| 3.7.4-3.7.16, 4.0.0-4.4.5 | | @@ -521,7 +521,7 @@ pdfhidden: True | [2538562](#2538562)
| On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.
After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.
To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.
Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G. | 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2538294](#2538294)
| If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2537699](#2537699)
| There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces: 
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
| 3.7.1-3.7.16, 4.0.0-4.4.5 | | -| [2537544](#2537544)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2537544, 2537365](#2537544, 2537365)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | | [2536576](#2536576)
| If you try to bring down several members of a bond remotely at the same time, the link state of one of the interfaces might not transition correctly to the down state; however, all links show down in hardware.
| 4.0.0-4.4.5 | | | [2536384](#2536384)
| The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2536256](#2536256)
| For an unresolved address, the IPROUTER default policer rule has been modified to _not_ match on packets exiting a TUNNEL and headed to the CPU to resolve the address via ARP. As a result, the following default rule no longer matches TUNNEL ingress packets. 
 
A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type 
IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100

These packets are now policed by catch all rules.
To work around this issue, the VPORT value on a TRIDENT switch must be changed from binary 011 to 100.
| 4.0.0-4.4.5 | | @@ -557,10 +557,10 @@ pdfhidden: True | [3684998](#3684998)
| DHCP lease information is not collected in the cl-support file. | 4.3.0-5.6.0 | 5.7.0-5.16.1| | [3528464](#3528464)
| Cumulus Linux might mark a layer 2 VLAN-tagged packet as a packet to CPU and the INPUT chain ACL might drop the packet. To work around this issue, add an additional addrtype match on the ACL to prevent an erroneous ACL match; for example:
[iptables]
-A INPUT -i swp+ -m addrtype --dst-type LOCAL -p tcp --sport 22 -j DROP
| 4.3.0-4.4.5 | | | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0-5.16.1| -| [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.16.1| +| [3474391, 3479772](#3474391, 3479772)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.16.1| | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.16.1| | [3400244](#3400244)
| NCLU accepts multiple instances of same net add bgp commands and stores the configuration in the /etc/frr/frr.conf file when you run the net commit command. As a result, unintended commands might be processed during frr-reload. To work around this issue, edit the /etc/frr/frr.conf file to remove the duplicated entries. | 4.3.1-4.4.5 | | -| [3390022](#3390022)
| When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the peerlink.4095 interface stanza are duplicated. Subsequent ifreloads, or net commit commands fail until you manually remove the duplicated lines from this interface and run ifreload -a. | 4.2.1-4.4.5 | | +| [3390022, 3323138](#3390022, 3323138)
| When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the peerlink.4095 interface stanza are duplicated. Subsequent ifreloads, or net commit commands fail until you manually remove the duplicated lines from this interface and run ifreload -a. | 4.2.1-4.4.5 | | | [3339249](#3339249)
| The sensors.conf files in Cumulus Linux are out of date. | 4.2.1-4.4.5 | | | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.16.1| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.16.1 | | @@ -568,20 +568,20 @@ pdfhidden: True | [3216921](#3216921)
| RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users)
| 3.7.0-3.7.16, 4.3.0-4.4.5 | | | [3216759](#3216759)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-3.7.16, 4.3.0-4.4.5 | | | [3211369](#3211369)
| The NCLU net show interface pluggables command takes a long time (approximately five minutes) to complete. | 4.2.1-4.4.5 | | -| [3168564](#3168564)
| In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), switchd might crash when you restart clagd or when all bonds go operationally down, then up
On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. | 4.3.1-4.4.5 | | +| [3168564, 3198302](#3168564, 3198302)
| In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), switchd might crash when you restart clagd or when all bonds go operationally down, then up
On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. | 4.3.1-4.4.5 | | | [3163845](#3163845)
| If bond slaves listed in the /etc/network/interfaces file are not in alphabetical order, the bond interface MAC address can change when you run ifreload. For example, if the bond slaves in the /etc/network/interfaces file are listed as swp32 swp31, the switch initially uses the MAC address for swp32 as the bond MAC address. An another ifreload can cause this to change to use the MAC address for swp31 as the bond MAC address, which can cause protocol issues, such as IPv6 link-local address changes. | 4.3.1-4.4.5 | | | [3138746](#3138746)
| The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0-5.1.0 | 5.2.0-5.16.1| | [3131423](#3131423)
| During EVPN multihoming bond failover, ARP and ND redirection fails if you configure layer 2 VNIs and ES bonds before you configure the loopback IP address of the switch. To work around this issue, configure the loopback IP address, then restart FRR with the systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| | [3117340](#3117340)
| When you edit the /usr/share/openvswitch/scripts/ovs-ctl-vtep file to change the ovs-vtepd configuration between vlan-aware and vlan-unaware mode, ovs-vtepd crashes when you restart the service. To recover, restart the networking service with the sudo systemctl restart networking command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| -| [3108491](#3108491)
| In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. | 4.2.1-4.4.5 | 5.0.0-5.16.1| +| [3108491, 2434628](#3108491, 2434628)
| In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. | 4.2.1-4.4.5 | 5.0.0-5.16.1| | [3093966](#3093966)
| On Broadcom switches, INPUT chain iptable rules filter IPv6 packets matching the rules. | 3.7.15-3.7.16, 4.3.0-4.4.5 | | | [3089165](#3089165)
| A slow memory leak might occur in switchd} if the route fails to install in hardware when hardware resources are exhausted. | 4.2.1-4.4.3 | 4.4.4-4.4.5| | [3084027](#3084027)
| Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware. | 4.3.0-4.4.5, 5.0.0-5.16.1 | | | [3073668](#3073668)
| On the EdgeCore AS4610 switch, when you change the speed of any of the SFP+ ports, the other SFP+ ports flap. | 3.7.12-3.7.16, 4.3.0-4.4.5 | | | [3072674](#3072674)
| In an MLAG configuration, if you put a single connected interface into an admin down state, any dynamic MAC addresses on the peer link are flushed, then added back, which causes momentary traffic disruption. | 3.7.15-5.1.0 | 5.2.0-5.16.1| | [3072613](#3072613)
| When you delete a bond interface with NCLU, BGP peer group configuration is removed. | 3.7.15-3.7.16, 4.3.0-4.4.5 | | -| [3059135](#3059135)
| In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route
To resolve this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| -| [3046023](#3046023)
| The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. | 4.2.1-5.1.0 | 5.2.0-5.16.1| +| [3059135, 3060400](#3059135, 3060400)
| In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route
To resolve this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| +| [3046023, 3096918](#3046023, 3096918)
| The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. | 4.2.1-5.1.0 | 5.2.0-5.16.1| | [2993719](#2993719)
| After you delete the last vxlan-remoteip configuration line from the /etc/network/interfaces file and run the ifreload -a command, the corresponding BUM flood entry is not removed. This is issue is impacting all Cumulus Linux releases. The following attribute: vxlan-purge-remotes yes is intended to fix the issue (this attribute has been available since CL2). It was decided to change ifupdown2's default behavior to automatically purge BUM entries added by ifup/ifreload. | 3.7.15-5.0.1 | 5.1.0-5.16.1, 5.2.0-5.16.1| | [2952117](#2952117)
| If switchd requires more time to update port or bond configuration after the port or bond flaps, the systemd watchdog times out. As result, systemd might assume that switchd is unresponsive and restarts it. | 4.2.1-4.4.2, 5.0.0-5.0.1 | 4.4.3-4.4.5, 5.1.0-5.16.1| | [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.16.1 | | @@ -601,17 +601,17 @@ pdfhidden: True | [2770226](#2770226)
| In an MLAG configuration with traditional bridges, MAC addresses are seen over peer link during ifreload when adding new VLANS or bridges. | 3.7.14.2-3.7.15, 4.3.0-4.4.5 | 3.7.16, 5.0.0-5.16.1| | [2754791](#2754791)
| Remote MAC addreses in zebra are out of sync with bgpd. The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP. | 3.7.14.2-3.7.16, 4.3.0-4.4.5 | | | [2753955](#2753955)
| On the Lenovo MSN3700 switch, if you try to configure an interface with a link speed of 200G, the configuration fails. | 4.2.1-4.4.5 | 5.0.0-5.16.1| -| [2743186](#2743186)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| +| [2743186, 2734100, 2731464, 3438708](#2743186, 2734100, 2731464, 3438708)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| | [2739402](#2739402)
| The destination MAC address of ERSPAN GRE packets is set to all zeros. | 4.3.0-4.4.5 | 5.0.0-5.16.1| | [2734103](#2734103)
| ACL [No More Resources] messages keep appearing and you can't reinstall the ACL. | 4.3.0-5.1.0 | 5.2.0-5.16.1| | [2732605](#2732605)
| The ESI line of show bgp l2vpn evpn route command always shows VNI: 0. This is a cosmetic software issue. | 4.3.0-4.4.5 | 5.0.0-5.16.1| -| [2728119](#2728119)
| When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-4.4.5 | 5.0.0-5.16.1| -| [2713888](#2713888)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| +| [2728119, 2729309](#2728119, 2729309)
| When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-4.4.5 | 5.0.0-5.16.1| +| [2713888, 2834357](#2713888, 2834357)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| | [2711533](#2711533)
| On the AS7326-56X switch, the link lights for 25G ports configured to work at 1G do not illuminate. | 4.2.1-4.4.5 | | | [2710208](#2710208)
| The net show bgp neighbor command output does not reflect the correct BFD status. This is a cosmetic issue. To work around this issue, run the NCLU net show bfd command to verify the correct state of BFD. | 4.2.1-4.4.5 | | | [2706744](#2706744)
| In an EVPN multihoming configuration, the VTEP continues to advertise a stale route after an extended MAC mobility event. | 4.3.0-4.4.1 | 4.4.2-4.4.5| | [2700767](#2700767)
| Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use a MLAG peer IP linklocal configuration. | 3.7.12-3.7.15, 4.3.0-4.4.5 | 3.7.16| -| [2690017](#2690017)
| When you remove a bond member, then re-add it, you might see a Parameter Error failure in {syslog and switchd.log:
sx_sdk: LAG: Can't add port (0x00012400) to lag. Port has vports configured for it (Parameter Error)
switchd[4529]: hal_mlx_bond.c:582 ERR bond32 member swp32 add failed: Parameter Error
To work around this issue, restart switchd. | 4.3.0-4.3.4 | 4.4.0-4.4.5| +| [2690017, 3431625](#2690017, 3431625)
| When you remove a bond member, then re-add it, you might see a Parameter Error failure in {syslog and switchd.log:
sx_sdk: LAG: Can't add port (0x00012400) to lag. Port has vports configured for it (Parameter Error)
switchd[4529]: hal_mlx_bond.c:582 ERR bond32 member swp32 add failed: Parameter Error
To work around this issue, restart switchd. | 4.3.0-4.3.4 | 4.4.0-4.4.5| | [2685994](#2685994)
| When you use the NVUE command nv set interface lo router ospf area to configure OSPF on a loopback interface, the configuration fails to apply
To work around this issue, configure the loopback interface in the desired OSPF area with the nv set vrf default router ospf area 0 network command and reference the assigned prefix of the loopback interface. For example:
cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32
| 4.0.0-5.0.1 | 5.1.0-5.16.1| | [2682780](#2682780)
| Adding a route map configuration after a MAC access list configuration line causes the route map configuration to be applied incorrectly
To work around this issue, add the MAC access list configuration to the end of the /etc/frr/frr.conf file. | 4.2.0-4.3.4 | 4.4.0-4.4.5| | [2669873](#2669873)
| In an EVPN multihoming configuration, ARP/ND traffic coming in one switch is being sent back out the originating bond on the other switches in the ES on remote PE switches. Normally Split Horizon filtering prevents this kind of traffic at the remote PE. | 4.3.0-4.3.4 | 4.4.0-4.4.5| @@ -623,7 +623,7 @@ pdfhidden: True | [2618227](#2618227)
| The NCLU net show bridge macs command displays permanent MAC addresses for trunked VLANs. | 4.3.0-4.4.5 | | | [2614016](#2614016)
| The switch firmware incorrectly identifies Lenovo LR4 transceivers (part number 00YD278) and does not set the laser levels properly, which can prevent the link from coming up or might cause the transceiver to be identified as a 1G module. | 4.2.0-4.3.4 | 4.4.0-4.4.5| | [2599274](#2599274)
| On Mellanox Spectrum switches, when there is an MSTP forwarding state change on a bonds (for example, when the state changes from blocking to forwarding), the MSTP hardware table might set some VLANs to blocking when they should be forwarding. A a result, all packets on these VLANs drop at ingress
To recover from this state, flap the bond interface (not the physical swp) by running ifdown ; sleep 1 ; ifup . | 4.3.0-4.4.5 | 5.0.0-5.16.1| -| [2578814](#2578814)
| On NVIDIA Spectrum switches, BUM traffic might be dropped during VXLAN decapsulation in an EVPN multihoming environment after multiple PIM uplink interfaces flap. | 4.3.0-4.3.4 | 4.4.0-4.4.5| +| [2578814, 2644181](#2578814, 2644181)
| On NVIDIA Spectrum switches, BUM traffic might be dropped during VXLAN decapsulation in an EVPN multihoming environment after multiple PIM uplink interfaces flap. | 4.3.0-4.3.4 | 4.4.0-4.4.5| | [2577499](#2577499)
| QSFP+ 40G optics do not work on Spectrum platforms. | 4.3.0-4.3.4 | 4.4.0-4.4.5| | [2574368](#2574368)
| When you run the NCLU net add bgp maximum-paths ibgp command, FRR restarts unexpectedly
To work around this issue, either use the vtysh commands or edit the /etc/frr/frr.conf file directly, then run systemctl reload frr. | 4.1.1-4.4.5 | | | [2556772](#2556772)
| The net show clag verify-vlans command fails with the following log: 

WARNING: '/usr/bin/clagctl verifyvlans' failed due to:
Command '['/usr/bin/clagctl', 'verifyvlans']' returned non-zero exit status 1

To work around this issue, run the /usr/bin/clagctl verifyvlans command or the net show clag verbose command. | 4.2.1-4.4.5 | | @@ -643,13 +643,13 @@ pdfhidden: True | [2554533](#2554533)
| On the ARM platform, NTP peer associations slowly increase to larger offsets (~500ms). | 4.0.0-4.4.5 | | | [2554466](#2554466)
| Kernel routes added by iproute2 are missing in FRR after an interface flap.
To work around this issue, configure a static route in FRR.
| 4.2.1-4.4.5 | | | [2554299](#2554299)
| In a VRRP configuration, BGP unnumbered sessions for VRFs fail to establish after a networking restart. | 4.2.0-4.3.4 | 4.4.0-4.4.5| -| [2554222](#2554222)
| The NCLU command to enable bridge learning fails.
As a work around, enable bridge learning in the /etc/network/interface file. For example:

auto vni-30
iface vni-30
    vxlan-id 30
    bridge-access 30
    bridge-arp-nd-suppress on
    bridge-learning on
    vxlan-local-tunnelip 10.10.10.1
    mstpctl-bpduguard yes
    mstpctl-portbpdufilter yes
    mtu 9166
| 4.2.1-4.4.5 | | +| [2554222, 2614073](#2554222, 2614073)
| The NCLU command to enable bridge learning fails.
As a work around, enable bridge learning in the /etc/network/interface file. For example:

auto vni-30
iface vni-30
    vxlan-id 30
    bridge-access 30
    bridge-arp-nd-suppress on
    bridge-learning on
    vxlan-local-tunnelip 10.10.10.1
    mstpctl-bpduguard yes
    mstpctl-portbpdufilter yes
    mtu 9166
| 4.2.1-4.4.5 | | | [2554218](#2554218)
| MLAG packets received on the peer link are dropped instead of routed. | 4.2.0-4.4.5 | | -| [2554202](#2554202)
| The output of the net show commit command does not show the last commit or the specified commit number but is empty instead. | 4.2.1-4.4.5 | | +| [2554202, 2544880](#2554202, 2544880)
| The output of the net show commit command does not show the last commit or the specified commit number but is empty instead. | 4.2.1-4.4.5 | | | [2553989](#2553989)
| Default policer configured for LACP as an INPUT chain rule in 00control_plane.rules is meant to protect CPU from an LACP storm. When LACP storm is originating out of a single bond or bond member interface in a switch with multiple bond interfaces, there is a possibility of other LACP bond interface(s) going down. | 4.2.1-4.4.5 | | | [2553887](#2553887)
| When using TACACS+ configured with a DEFAULT user providing privilege level lower than 16, TACACS+ configured users with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del and see an error similar to the following:

ERROR: You do not have permission to execute that command.

To work around this issue, remove the DEFAULT user from the TACACS+ server. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2553677](#2553677)
| When you configure an SNMPv3 user with the net-snmp-config configuration command from the libsnmp-dev package, you get an error message similar to the one below:

cumulus@switch:mgmt-vrf:~$ sudo net-snmp-config --create-snmpv3-user -a shaauthpass -x aesprivpass -A SHA -X AES userSHAwithAES
adding the following line to /var/lib/snmp/snmpd.conf:           
   createUser userSHAwithAES SHA "shaauthpass" AES "aesprivpass"       
adding the following line to /snmp/snmpd.conf:                           
   rwuser userSHAwithAES                                           
touch: cannot touch ‘/snmp/snmpd.conf’: No such file or directory
/usr/bin/net-snmp-create-v3-user: 144: /usr/bin/net-snmp-create-v3-user: cannot create /snmp/snmpd.conf: Directory nonexistent

To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:

cumulus@switch:mgmt-vrf:~$ net add snmp-server username user999 auth-md5 user999password encrypt-des user999encryption

Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation. | 3.7.13-3.7.16, 4.0.0-4.4.5 | | -| [2553237](#2553237)
| The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF.
NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF.

| 4.2.0-4.4.5 | | +| [2553237, 2552950](#2553237, 2552950)
| The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF.
NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF.

| 4.2.0-4.4.5 | | | [2553116](#2553116)
| When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure.
To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2553015](#2553015)
| If a neighbour contains a special character in PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail. | 3.7.10-3.7.16, 4.2.0-4.4.5 | | | [2552691](#2552691)
| On the EdgeCore AS4610 switch, the eth0 interface remains down when physically connected to a 1G interface.
To work around this issue, configure the link speed to 1000 and set auto-negotiation on for the eth0 interface, then flap eth0 with the ip link set eth0 down/up command to bring up the port. | 4.2.0-4.4.5 | | @@ -689,15 +689,15 @@ pdfhidden: True | [2548044](#2548044)
| When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor. | 3.7.12-3.7.15, 4.0.0-4.4.5 | 3.7.16| | [2547890](#2547890)
| QinQ across VXLAN on a traditional bridge does not work. | 4.1.0-4.4.5 | | | [2547782](#2547782)
| If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2547706](#2547706)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2547706, 2544456, 2549513](#2547706, 2544456, 2549513)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2547405](#2547405)
| When you restart the hsflowd service, you see a systemd warning message similar to the following:

Warning: The unit file, source configuration file or drop-ins of hsflowd@mgmt.service changed on disk. Run 'systemctl daemon-reload'.
| 4.0.0-4.4.5 | | | [2547120](#2547120)
| After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number), until you run the decode-syseeprom --init command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546991](#2546991)
| The FRR service does not provide a way for automation to know if the configuration applied properly.
To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546895](#2546895)
| If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:
bq. systemd[1]: switchd.service watchdog timeout (limit 2min)!
To workaround this issue, either reduce the number of configured interfaces and, or VLANs, or increase the systemd timeout for switchd.service
To increase the systemd timeout:1.Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter
2.Restart the switchd service with the sudo systemctl restart switchd.service command
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546874](#2546874)
| On the Dell S5232F, S5248F, S5296F, and S3048 switch, using the poweroff or halt commands does not fully power off the switch. | 4.0.0-4.4.5 | | | [2546255](#2546255)
| On the EdgeCore Minipack-AS8000 switch, a 100G DAC link does not come up when auto-negotiation is enabled on the neighbor. This switch does not support 100G DAC auto-negotiation at this time. | 4.0.0-4.4.5 | | -| [2546225](#2546225)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2546131](#2546131)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546225, 2541038](#2546225, 2541038)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546131, 2542979](#2546131, 2542979)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2545837](#2545837)
| If you use the NCLU commands to configure NTP and run the net add time ntp source command before you run the net add time ntp server iburst command, the /etc/ntp.conf file is misconfigured.
To work around this issue, run the net add time ntp server iburst command before you run the net add time ntp source command. | 3.7.10-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2545520](#2545520)
| The length of the netlink message is not set properly for non-bridge family type messages. The same length is used for both bridge and non-bridge even though the bridge family type message has an extra attribute. This causes extra bytes to be left over in non-bridge family type netlink messages. | 3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2545239](#2545239)
| On the Mellanox switch with the Spectrum-2 ASIC, Precision Time Protocol (PTP) is not currently supported. | 4.0.0-4.3.4 | 4.4.0-4.4.5| @@ -707,22 +707,22 @@ pdfhidden: True | [2544968](#2544968)
| FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:

sudo sh -c "printf 'interface 50\nvrf TEST description L3 routing interface\n' >> /etc/frr/frr.conf"

should be:

sudo sh -c "printf 'interface 50 vrf TEST\ndescription L3 routing interface\n' >> /etc/frr/frr.conf"

To work around this issue, configure the interface manually in the /etc/frr/frr.conf file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544957](#2544957)
| NCLU incorrectly allows you to apply port security configuration on layer 2 and layer 3 ports that are not part of a bridge. | 4.0.0-4.4.5 | | | [2544953](#2544953)
| When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.
To work around this issue, run the sudo systemctl restart lldpd.service command. | 3.7.10-3.7.16, 4.0.0-4.4.5 | | -| [2544880](#2544880)
| When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. | 4.0.0-4.4.5 | | +| [2544880, 2544616, 2554202](#2544880, 2544616, 2554202)
| When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. | 4.0.0-4.4.5 | | | [2544723](#2544723)
| Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2544463](#2544463)
| Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | -| [2544456](#2544456)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | +| [2544456, 2546166, 2546167, 2547706, 2549513](#2544456, 2546166, 2546167, 2547706, 2549513)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544311](#2544311)
| Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544155](#2544155)
| NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order.

| 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544113](#2544113)
| Mac learning is not disabled by default on a double tagged peer link interface resulting in the MAC address changing between the MLAG bond and the peer link.
To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the etc/network/interfaces file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2543937](#2543937)
| An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause a FRR reload to time out.
To work around this issue, remove the interface alias description from iproute2. | 3.7.8-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543915](#2543915)
| When you enable a service in the management VRF, systemctl issues a warning similar to the following:
Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run 'systemctl daemon-reload' to reload unit
You can safely ignore this warning. | 4.0.0-5.9.5 | 5.10.0-5.16.1| | [2543900](#2543900)
| On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | | -| [2543841](#2543841)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | +| [2543841, 2544947](#2543841, 2544947)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | | [2543816](#2543816)
| On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages.
| 3.7.6-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2543781](#2543781)
| NCLU does not allow you to configure OSPF NSSAs. For example: 

cumulus@switch:~$ net add ospf area 0.0.0.1 nssa 
ERROR: Command not found. 
net add ospf area 0.0.0.1 nssa

To work around this issue, use FRR instead. For example: 

switch# configure terminal 
switch(config)# router ospf 
switch(config-router)# area 0.0.0.1 nssa
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543724](#2543724)
| If a hostname contains utf-8 characters, the NCLU net show lldp command outputs the following error: 

ERROR: 'ascii' codec can't encode character u'\xe9' in position 3: ordinal not in range(128) 
See /var/log/netd.log for more details.
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543646](#2543646)
| In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | | -| [2543401](#2543401)
| On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. | 4.0.0-4.4.5 | | +| [2543401, 2543014](#2543401, 2543014)
| On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. | 4.0.0-4.4.5 | | | [2543211](#2543211)
| In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2543164](#2543164)
| The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2543096](#2543096)
| When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | @@ -737,7 +737,7 @@ pdfhidden: True | [2540352](#2540352)
| When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a _match interface_ condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9 
net add routing route-map Proxy-ARP permit 30 match interface swp10

| 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2540340](#2540340)
| NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example: 
 
 cumulus@switch:~$ net add vrf mgmt

Tab completion for the net add vrf ip address
command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540274](#2540274)
| On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | -| [2540204](#2540204)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540204, 2713883](#2540204, 2713883)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540192](#2540192)
| The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540155](#2540155)
| On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2540042](#2540042)
| When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example: 
 
cumulus@switch:~$ sudo vtysh 
switch# configure terminal 
switch(config)# interface br0.100 
switch(config-if)# vrrp 1 priority 110 
switch(config-if)# vrrp 1 advertisement-interval 
switch(config-if)# end 
switch# write memory 
switch# exit 
cumulus@switch:~

| 3.7.4-3.7.16, 4.0.0-4.4.5 | | @@ -753,7 +753,7 @@ pdfhidden: True | [2538562](#2538562)
| On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.
After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.
To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.
Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G. | 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2538294](#2538294)
| If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2537699](#2537699)
| There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces: 
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
| 3.7.1-3.7.16, 4.0.0-4.4.5 | | -| [2537544](#2537544)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2537544, 2537365](#2537544, 2537365)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | | [2536576](#2536576)
| If you try to bring down several members of a bond remotely at the same time, the link state of one of the interfaces might not transition correctly to the down state; however, all links show down in hardware.
| 4.0.0-4.4.5 | | | [2536384](#2536384)
| The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2536256](#2536256)
| For an unresolved address, the IPROUTER default policer rule has been modified to _not_ match on packets exiting a TUNNEL and headed to the CPU to resolve the address via ARP. As a result, the following default rule no longer matches TUNNEL ingress packets. 
 
A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type 
IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100

These packets are now policed by catch all rules.
To work around this issue, the VPORT value on a TRIDENT switch must be changed from binary 011 to 100.
| 4.0.0-4.4.5 | | @@ -781,9 +781,9 @@ pdfhidden: True | [3455998](#3455998)
| When you poll the BGP unnumbered MIB object 1.3.6.1.4.1.40310.4 after uncommenting the bgpun_pp.py pass persist script in the /etc/snmpd/snmpd.conf file, BGP session information is not retrieved. To work around this issue, add executable permissions to the script with the sudo chmod +x /usr/share/snmp/bgpun_pp.py command. | 4.3.1 | | | [3448171](#3448171)
| If a default route is withdrawn from the routing table and then learned again, traffic matching this entry will be software (cpu) forwarded.  This will cause intermittent drops due to the CPU the rate-limiter
This only impacts the default VRF and a default route learned dynamically
In order to recover from this condition: 1. Restart switchd.service (sudo systemctl restart switchd.service)OR 2. Reboot the switch (sudo reboot) | 4.3.1 | | | [3434315](#3434315)
| IPv6 BGP sessions in a VRF do not be establish with MD5 authentication. | 4.3.0-4.3.1 | | -| [3419962](#3419962)
| On a Broadcom switch, if you remove a double-tagged interface from a bridge that contains other double-tagged interfaces built on the same physical port (for example, you remove swp1.10.100 when swp1.10.200 is also a bridge port), traffic forwarding within the bridge might fail and you see critical warnings in the /var/log/switchd.log file similar to the following:
switchd[8587]: hal_bcm.c:2207 CRIT knet_vlan_translate_delete(update): port 1 ext_vlan 10.100 int_vlan 2132: -11
| 4.3.1 | | +| [3419962, 3626533](#3419962, 3626533)
| On a Broadcom switch, if you remove a double-tagged interface from a bridge that contains other double-tagged interfaces built on the same physical port (for example, you remove swp1.10.100 when swp1.10.200 is also a bridge port), traffic forwarding within the bridge might fail and you see critical warnings in the /var/log/switchd.log file similar to the following:
switchd[8587]: hal_bcm.c:2207 CRIT knet_vlan_translate_delete(update): port 1 ext_vlan 10.100 int_vlan 2132: -11
| 4.3.1 | | | [3419953](#3419953)
| If you remove a double tagged bridge port from a bridge when a different interface exists with the same port and virtual ID, you might see a segmentation fault and a switchd crash due to incorrect initialization when Cumulus Linux creates the second double-tagged interface. To work around this issue, make sure you remove the double-tagged interfaces from the bridge in the /etc/network/interfaces file. | 4.3.1 | | -| [3413826](#3413826)
| During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbor entries cannot synchronize between MLAG nodes. During this transitory upgrade state, neighbor entry resolution relies on data plane traffic being forwarded to the CPU so ARP can resolve the necessary neighbor entry before traffic can go through the fastpath. | 4.4.0-5.4.0 | | +| [3413826, 3323143](#3413826, 3323143)
| During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbor entries cannot synchronize between MLAG nodes. During this transitory upgrade state, neighbor entry resolution relies on data plane traffic being forwarded to the CPU so ARP can resolve the necessary neighbor entry before traffic can go through the fastpath. | 4.4.0-5.4.0 | | | [3410952](#3410952)
| If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | | | [3401121](#3401121)
| sFlow is not able to sample packets in the egress direction. To work around this issue, add the following to the hsflowd.conf file to enable egress sampling:
samplingDirection=outpsample { group=1 }
| 4.3.0-4.3.1 | | | [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | | @@ -801,7 +801,7 @@ pdfhidden: True | [3235956](#3235956)
| With certain triggers on Broadcom switches, such as adding or deleting a VNI or reloading the network, Cumulus Linux might consider the underlay routes as overlay routes. In this case, switchd allocates the overlay next hop, which is incorrect and might affect traffic forwarding. | 4.3.0-4.3.1 | | | [3234031](#3234031)
| If BGP neighbor allowas-in is set, negating with no no neighbor allowas-in does not disable the setting. To work around this issue and disable the setting, restart the FRR service. | 5.1.0-5.2.1 | | | [3191517](#3191517)
| When a switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-4.3.1, 4.4.0-5.2.1 | | -| [2555175](#2555175)
| Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. | 3.7.15-4.3.1 | | +| [2555175, 3195351, 2672721](#2555175, 3195351, 2672721)
| Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. | 3.7.15-4.3.1 | | ## 4.3.1.1 Release Notes ### Open Issues in 4.3.1.1 @@ -815,10 +815,10 @@ pdfhidden: True | [3684998](#3684998)
| DHCP lease information is not collected in the cl-support file. | 4.3.0-5.6.0 | 5.7.0-5.16.1| | [3528464](#3528464)
| Cumulus Linux might mark a layer 2 VLAN-tagged packet as a packet to CPU and the INPUT chain ACL might drop the packet. To work around this issue, add an additional addrtype match on the ACL to prevent an erroneous ACL match; for example:
[iptables]
-A INPUT -i swp+ -m addrtype --dst-type LOCAL -p tcp --sport 22 -j DROP
| 4.3.0-4.4.5 | | | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0-5.16.1| -| [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.16.1| +| [3474391, 3479772](#3474391, 3479772)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.16.1| | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.16.1| | [3400244](#3400244)
| NCLU accepts multiple instances of same net add bgp commands and stores the configuration in the /etc/frr/frr.conf file when you run the net commit command. As a result, unintended commands might be processed during frr-reload. To work around this issue, edit the /etc/frr/frr.conf file to remove the duplicated entries. | 4.3.1-4.4.5 | | -| [3390022](#3390022)
| When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the peerlink.4095 interface stanza are duplicated. Subsequent ifreloads, or net commit commands fail until you manually remove the duplicated lines from this interface and run ifreload -a. | 4.2.1-4.4.5 | | +| [3390022, 3323138](#3390022, 3323138)
| When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the peerlink.4095 interface stanza are duplicated. Subsequent ifreloads, or net commit commands fail until you manually remove the duplicated lines from this interface and run ifreload -a. | 4.2.1-4.4.5 | | | [3339249](#3339249)
| The sensors.conf files in Cumulus Linux are out of date. | 4.2.1-4.4.5 | | | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.16.1| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.16.1 | | @@ -826,20 +826,20 @@ pdfhidden: True | [3216921](#3216921)
| RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users)
| 3.7.0-3.7.16, 4.3.0-4.4.5 | | | [3216759](#3216759)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-3.7.16, 4.3.0-4.4.5 | | | [3211369](#3211369)
| The NCLU net show interface pluggables command takes a long time (approximately five minutes) to complete. | 4.2.1-4.4.5 | | -| [3168564](#3168564)
| In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), switchd might crash when you restart clagd or when all bonds go operationally down, then up
On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. | 4.3.1-4.4.5 | | +| [3168564, 3198302](#3168564, 3198302)
| In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), switchd might crash when you restart clagd or when all bonds go operationally down, then up
On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. | 4.3.1-4.4.5 | | | [3163845](#3163845)
| If bond slaves listed in the /etc/network/interfaces file are not in alphabetical order, the bond interface MAC address can change when you run ifreload. For example, if the bond slaves in the /etc/network/interfaces file are listed as swp32 swp31, the switch initially uses the MAC address for swp32 as the bond MAC address. An another ifreload can cause this to change to use the MAC address for swp31 as the bond MAC address, which can cause protocol issues, such as IPv6 link-local address changes. | 4.3.1-4.4.5 | | | [3138746](#3138746)
| The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0-5.1.0 | 5.2.0-5.16.1| | [3131423](#3131423)
| During EVPN multihoming bond failover, ARP and ND redirection fails if you configure layer 2 VNIs and ES bonds before you configure the loopback IP address of the switch. To work around this issue, configure the loopback IP address, then restart FRR with the systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| | [3117340](#3117340)
| When you edit the /usr/share/openvswitch/scripts/ovs-ctl-vtep file to change the ovs-vtepd configuration between vlan-aware and vlan-unaware mode, ovs-vtepd crashes when you restart the service. To recover, restart the networking service with the sudo systemctl restart networking command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| -| [3108491](#3108491)
| In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. | 4.2.1-4.4.5 | 5.0.0-5.16.1| +| [3108491, 2434628](#3108491, 2434628)
| In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. | 4.2.1-4.4.5 | 5.0.0-5.16.1| | [3093966](#3093966)
| On Broadcom switches, INPUT chain iptable rules filter IPv6 packets matching the rules. | 3.7.15-3.7.16, 4.3.0-4.4.5 | | | [3089165](#3089165)
| A slow memory leak might occur in switchd} if the route fails to install in hardware when hardware resources are exhausted. | 4.2.1-4.4.3 | 4.4.4-4.4.5| | [3084027](#3084027)
| Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware. | 4.3.0-4.4.5, 5.0.0-5.16.1 | | | [3073668](#3073668)
| On the EdgeCore AS4610 switch, when you change the speed of any of the SFP+ ports, the other SFP+ ports flap. | 3.7.12-3.7.16, 4.3.0-4.4.5 | | | [3072674](#3072674)
| In an MLAG configuration, if you put a single connected interface into an admin down state, any dynamic MAC addresses on the peer link are flushed, then added back, which causes momentary traffic disruption. | 3.7.15-5.1.0 | 5.2.0-5.16.1| | [3072613](#3072613)
| When you delete a bond interface with NCLU, BGP peer group configuration is removed. | 3.7.15-3.7.16, 4.3.0-4.4.5 | | -| [3059135](#3059135)
| In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route
To resolve this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| -| [3046023](#3046023)
| The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. | 4.2.1-5.1.0 | 5.2.0-5.16.1| +| [3059135, 3060400](#3059135, 3060400)
| In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route
To resolve this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| +| [3046023, 3096918](#3046023, 3096918)
| The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. | 4.2.1-5.1.0 | 5.2.0-5.16.1| | [2993719](#2993719)
| After you delete the last vxlan-remoteip configuration line from the /etc/network/interfaces file and run the ifreload -a command, the corresponding BUM flood entry is not removed. This is issue is impacting all Cumulus Linux releases. The following attribute: vxlan-purge-remotes yes is intended to fix the issue (this attribute has been available since CL2). It was decided to change ifupdown2's default behavior to automatically purge BUM entries added by ifup/ifreload. | 3.7.15-5.0.1 | 5.1.0-5.16.1, 5.2.0-5.16.1| | [2952117](#2952117)
| If switchd requires more time to update port or bond configuration after the port or bond flaps, the systemd watchdog times out. As result, systemd might assume that switchd is unresponsive and restarts it. | 4.2.1-4.4.2, 5.0.0-5.0.1 | 4.4.3-4.4.5, 5.1.0-5.16.1| | [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.16.1 | | @@ -859,17 +859,17 @@ pdfhidden: True | [2770226](#2770226)
| In an MLAG configuration with traditional bridges, MAC addresses are seen over peer link during ifreload when adding new VLANS or bridges. | 3.7.14.2-3.7.15, 4.3.0-4.4.5 | 3.7.16, 5.0.0-5.16.1| | [2754791](#2754791)
| Remote MAC addreses in zebra are out of sync with bgpd. The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP. | 3.7.14.2-3.7.16, 4.3.0-4.4.5 | | | [2753955](#2753955)
| On the Lenovo MSN3700 switch, if you try to configure an interface with a link speed of 200G, the configuration fails. | 4.2.1-4.4.5 | 5.0.0-5.16.1| -| [2743186](#2743186)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| +| [2743186, 2734100, 2731464, 3438708](#2743186, 2734100, 2731464, 3438708)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| | [2739402](#2739402)
| The destination MAC address of ERSPAN GRE packets is set to all zeros. | 4.3.0-4.4.5 | 5.0.0-5.16.1| | [2734103](#2734103)
| ACL [No More Resources] messages keep appearing and you can't reinstall the ACL. | 4.3.0-5.1.0 | 5.2.0-5.16.1| | [2732605](#2732605)
| The ESI line of show bgp l2vpn evpn route command always shows VNI: 0. This is a cosmetic software issue. | 4.3.0-4.4.5 | 5.0.0-5.16.1| -| [2728119](#2728119)
| When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-4.4.5 | 5.0.0-5.16.1| -| [2713888](#2713888)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| +| [2728119, 2729309](#2728119, 2729309)
| When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-4.4.5 | 5.0.0-5.16.1| +| [2713888, 2834357](#2713888, 2834357)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| | [2711533](#2711533)
| On the AS7326-56X switch, the link lights for 25G ports configured to work at 1G do not illuminate. | 4.2.1-4.4.5 | | | [2710208](#2710208)
| The net show bgp neighbor command output does not reflect the correct BFD status. This is a cosmetic issue. To work around this issue, run the NCLU net show bfd command to verify the correct state of BFD. | 4.2.1-4.4.5 | | | [2706744](#2706744)
| In an EVPN multihoming configuration, the VTEP continues to advertise a stale route after an extended MAC mobility event. | 4.3.0-4.4.1 | 4.4.2-4.4.5| | [2700767](#2700767)
| Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use a MLAG peer IP linklocal configuration. | 3.7.12-3.7.15, 4.3.0-4.4.5 | 3.7.16| -| [2690017](#2690017)
| When you remove a bond member, then re-add it, you might see a Parameter Error failure in {syslog and switchd.log:
sx_sdk: LAG: Can't add port (0x00012400) to lag. Port has vports configured for it (Parameter Error)
switchd[4529]: hal_mlx_bond.c:582 ERR bond32 member swp32 add failed: Parameter Error
To work around this issue, restart switchd. | 4.3.0-4.3.4 | 4.4.0-4.4.5| +| [2690017, 3431625](#2690017, 3431625)
| When you remove a bond member, then re-add it, you might see a Parameter Error failure in {syslog and switchd.log:
sx_sdk: LAG: Can't add port (0x00012400) to lag. Port has vports configured for it (Parameter Error)
switchd[4529]: hal_mlx_bond.c:582 ERR bond32 member swp32 add failed: Parameter Error
To work around this issue, restart switchd. | 4.3.0-4.3.4 | 4.4.0-4.4.5| | [2685994](#2685994)
| When you use the NVUE command nv set interface lo router ospf area to configure OSPF on a loopback interface, the configuration fails to apply
To work around this issue, configure the loopback interface in the desired OSPF area with the nv set vrf default router ospf area 0 network command and reference the assigned prefix of the loopback interface. For example:
cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32
| 4.0.0-5.0.1 | 5.1.0-5.16.1| | [2682780](#2682780)
| Adding a route map configuration after a MAC access list configuration line causes the route map configuration to be applied incorrectly
To work around this issue, add the MAC access list configuration to the end of the /etc/frr/frr.conf file. | 4.2.0-4.3.4 | 4.4.0-4.4.5| | [2669873](#2669873)
| In an EVPN multihoming configuration, ARP/ND traffic coming in one switch is being sent back out the originating bond on the other switches in the ES on remote PE switches. Normally Split Horizon filtering prevents this kind of traffic at the remote PE. | 4.3.0-4.3.4 | 4.4.0-4.4.5| @@ -881,7 +881,7 @@ pdfhidden: True | [2618227](#2618227)
| The NCLU net show bridge macs command displays permanent MAC addresses for trunked VLANs. | 4.3.0-4.4.5 | | | [2614016](#2614016)
| The switch firmware incorrectly identifies Lenovo LR4 transceivers (part number 00YD278) and does not set the laser levels properly, which can prevent the link from coming up or might cause the transceiver to be identified as a 1G module. | 4.2.0-4.3.4 | 4.4.0-4.4.5| | [2599274](#2599274)
| On Mellanox Spectrum switches, when there is an MSTP forwarding state change on a bonds (for example, when the state changes from blocking to forwarding), the MSTP hardware table might set some VLANs to blocking when they should be forwarding. A a result, all packets on these VLANs drop at ingress
To recover from this state, flap the bond interface (not the physical swp) by running ifdown ; sleep 1 ; ifup . | 4.3.0-4.4.5 | 5.0.0-5.16.1| -| [2578814](#2578814)
| On NVIDIA Spectrum switches, BUM traffic might be dropped during VXLAN decapsulation in an EVPN multihoming environment after multiple PIM uplink interfaces flap. | 4.3.0-4.3.4 | 4.4.0-4.4.5| +| [2578814, 2644181](#2578814, 2644181)
| On NVIDIA Spectrum switches, BUM traffic might be dropped during VXLAN decapsulation in an EVPN multihoming environment after multiple PIM uplink interfaces flap. | 4.3.0-4.3.4 | 4.4.0-4.4.5| | [2577499](#2577499)
| QSFP+ 40G optics do not work on Spectrum platforms. | 4.3.0-4.3.4 | 4.4.0-4.4.5| | [2574368](#2574368)
| When you run the NCLU net add bgp maximum-paths ibgp command, FRR restarts unexpectedly
To work around this issue, either use the vtysh commands or edit the /etc/frr/frr.conf file directly, then run systemctl reload frr. | 4.1.1-4.4.5 | | | [2556772](#2556772)
| The net show clag verify-vlans command fails with the following log: 

WARNING: '/usr/bin/clagctl verifyvlans' failed due to:
Command '['/usr/bin/clagctl', 'verifyvlans']' returned non-zero exit status 1

To work around this issue, run the /usr/bin/clagctl verifyvlans command or the net show clag verbose command. | 4.2.1-4.4.5 | | @@ -901,13 +901,13 @@ pdfhidden: True | [2554533](#2554533)
| On the ARM platform, NTP peer associations slowly increase to larger offsets (~500ms). | 4.0.0-4.4.5 | | | [2554466](#2554466)
| Kernel routes added by iproute2 are missing in FRR after an interface flap.
To work around this issue, configure a static route in FRR.
| 4.2.1-4.4.5 | | | [2554299](#2554299)
| In a VRRP configuration, BGP unnumbered sessions for VRFs fail to establish after a networking restart. | 4.2.0-4.3.4 | 4.4.0-4.4.5| -| [2554222](#2554222)
| The NCLU command to enable bridge learning fails.
As a work around, enable bridge learning in the /etc/network/interface file. For example:

auto vni-30
iface vni-30
    vxlan-id 30
    bridge-access 30
    bridge-arp-nd-suppress on
    bridge-learning on
    vxlan-local-tunnelip 10.10.10.1
    mstpctl-bpduguard yes
    mstpctl-portbpdufilter yes
    mtu 9166
| 4.2.1-4.4.5 | | +| [2554222, 2614073](#2554222, 2614073)
| The NCLU command to enable bridge learning fails.
As a work around, enable bridge learning in the /etc/network/interface file. For example:

auto vni-30
iface vni-30
    vxlan-id 30
    bridge-access 30
    bridge-arp-nd-suppress on
    bridge-learning on
    vxlan-local-tunnelip 10.10.10.1
    mstpctl-bpduguard yes
    mstpctl-portbpdufilter yes
    mtu 9166
| 4.2.1-4.4.5 | | | [2554218](#2554218)
| MLAG packets received on the peer link are dropped instead of routed. | 4.2.0-4.4.5 | | -| [2554202](#2554202)
| The output of the net show commit command does not show the last commit or the specified commit number but is empty instead. | 4.2.1-4.4.5 | | +| [2554202, 2544880](#2554202, 2544880)
| The output of the net show commit command does not show the last commit or the specified commit number but is empty instead. | 4.2.1-4.4.5 | | | [2553989](#2553989)
| Default policer configured for LACP as an INPUT chain rule in 00control_plane.rules is meant to protect CPU from an LACP storm. When LACP storm is originating out of a single bond or bond member interface in a switch with multiple bond interfaces, there is a possibility of other LACP bond interface(s) going down. | 4.2.1-4.4.5 | | | [2553887](#2553887)
| When using TACACS+ configured with a DEFAULT user providing privilege level lower than 16, TACACS+ configured users with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del and see an error similar to the following:

ERROR: You do not have permission to execute that command.

To work around this issue, remove the DEFAULT user from the TACACS+ server. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2553677](#2553677)
| When you configure an SNMPv3 user with the net-snmp-config configuration command from the libsnmp-dev package, you get an error message similar to the one below:

cumulus@switch:mgmt-vrf:~$ sudo net-snmp-config --create-snmpv3-user -a shaauthpass -x aesprivpass -A SHA -X AES userSHAwithAES
adding the following line to /var/lib/snmp/snmpd.conf:           
   createUser userSHAwithAES SHA "shaauthpass" AES "aesprivpass"       
adding the following line to /snmp/snmpd.conf:                           
   rwuser userSHAwithAES                                           
touch: cannot touch ‘/snmp/snmpd.conf’: No such file or directory
/usr/bin/net-snmp-create-v3-user: 144: /usr/bin/net-snmp-create-v3-user: cannot create /snmp/snmpd.conf: Directory nonexistent

To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:

cumulus@switch:mgmt-vrf:~$ net add snmp-server username user999 auth-md5 user999password encrypt-des user999encryption

Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation. | 3.7.13-3.7.16, 4.0.0-4.4.5 | | -| [2553237](#2553237)
| The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF.
NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF.

| 4.2.0-4.4.5 | | +| [2553237, 2552950](#2553237, 2552950)
| The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF.
NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF.

| 4.2.0-4.4.5 | | | [2553116](#2553116)
| When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure.
To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2553015](#2553015)
| If a neighbour contains a special character in PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail. | 3.7.10-3.7.16, 4.2.0-4.4.5 | | | [2552691](#2552691)
| On the EdgeCore AS4610 switch, the eth0 interface remains down when physically connected to a 1G interface.
To work around this issue, configure the link speed to 1000 and set auto-negotiation on for the eth0 interface, then flap eth0 with the ip link set eth0 down/up command to bring up the port. | 4.2.0-4.4.5 | | @@ -947,15 +947,15 @@ pdfhidden: True | [2548044](#2548044)
| When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor. | 3.7.12-3.7.15, 4.0.0-4.4.5 | 3.7.16| | [2547890](#2547890)
| QinQ across VXLAN on a traditional bridge does not work. | 4.1.0-4.4.5 | | | [2547782](#2547782)
| If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2547706](#2547706)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2547706, 2544456, 2549513](#2547706, 2544456, 2549513)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2547405](#2547405)
| When you restart the hsflowd service, you see a systemd warning message similar to the following:

Warning: The unit file, source configuration file or drop-ins of hsflowd@mgmt.service changed on disk. Run 'systemctl daemon-reload'.
| 4.0.0-4.4.5 | | | [2547120](#2547120)
| After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number), until you run the decode-syseeprom --init command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546991](#2546991)
| The FRR service does not provide a way for automation to know if the configuration applied properly.
To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546895](#2546895)
| If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:
bq. systemd[1]: switchd.service watchdog timeout (limit 2min)!
To workaround this issue, either reduce the number of configured interfaces and, or VLANs, or increase the systemd timeout for switchd.service
To increase the systemd timeout:1.Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter
2.Restart the switchd service with the sudo systemctl restart switchd.service command
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546874](#2546874)
| On the Dell S5232F, S5248F, S5296F, and S3048 switch, using the poweroff or halt commands does not fully power off the switch. | 4.0.0-4.4.5 | | | [2546255](#2546255)
| On the EdgeCore Minipack-AS8000 switch, a 100G DAC link does not come up when auto-negotiation is enabled on the neighbor. This switch does not support 100G DAC auto-negotiation at this time. | 4.0.0-4.4.5 | | -| [2546225](#2546225)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2546131](#2546131)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546225, 2541038](#2546225, 2541038)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546131, 2542979](#2546131, 2542979)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2545837](#2545837)
| If you use the NCLU commands to configure NTP and run the net add time ntp source command before you run the net add time ntp server iburst command, the /etc/ntp.conf file is misconfigured.
To work around this issue, run the net add time ntp server iburst command before you run the net add time ntp source command. | 3.7.10-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2545520](#2545520)
| The length of the netlink message is not set properly for non-bridge family type messages. The same length is used for both bridge and non-bridge even though the bridge family type message has an extra attribute. This causes extra bytes to be left over in non-bridge family type netlink messages. | 3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2545239](#2545239)
| On the Mellanox switch with the Spectrum-2 ASIC, Precision Time Protocol (PTP) is not currently supported. | 4.0.0-4.3.4 | 4.4.0-4.4.5| @@ -965,22 +965,22 @@ pdfhidden: True | [2544968](#2544968)
| FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:

sudo sh -c "printf 'interface 50\nvrf TEST description L3 routing interface\n' >> /etc/frr/frr.conf"

should be:

sudo sh -c "printf 'interface 50 vrf TEST\ndescription L3 routing interface\n' >> /etc/frr/frr.conf"

To work around this issue, configure the interface manually in the /etc/frr/frr.conf file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544957](#2544957)
| NCLU incorrectly allows you to apply port security configuration on layer 2 and layer 3 ports that are not part of a bridge. | 4.0.0-4.4.5 | | | [2544953](#2544953)
| When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.
To work around this issue, run the sudo systemctl restart lldpd.service command. | 3.7.10-3.7.16, 4.0.0-4.4.5 | | -| [2544880](#2544880)
| When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. | 4.0.0-4.4.5 | | +| [2544880, 2544616, 2554202](#2544880, 2544616, 2554202)
| When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. | 4.0.0-4.4.5 | | | [2544723](#2544723)
| Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2544463](#2544463)
| Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | -| [2544456](#2544456)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | +| [2544456, 2546166, 2546167, 2547706, 2549513](#2544456, 2546166, 2546167, 2547706, 2549513)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544311](#2544311)
| Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544155](#2544155)
| NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order.

| 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544113](#2544113)
| Mac learning is not disabled by default on a double tagged peer link interface resulting in the MAC address changing between the MLAG bond and the peer link.
To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the etc/network/interfaces file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2543937](#2543937)
| An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause a FRR reload to time out.
To work around this issue, remove the interface alias description from iproute2. | 3.7.8-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543915](#2543915)
| When you enable a service in the management VRF, systemctl issues a warning similar to the following:
Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run 'systemctl daemon-reload' to reload unit
You can safely ignore this warning. | 4.0.0-5.9.5 | 5.10.0-5.16.1| | [2543900](#2543900)
| On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | | -| [2543841](#2543841)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | +| [2543841, 2544947](#2543841, 2544947)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | | [2543816](#2543816)
| On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages.
| 3.7.6-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2543781](#2543781)
| NCLU does not allow you to configure OSPF NSSAs. For example: 

cumulus@switch:~$ net add ospf area 0.0.0.1 nssa 
ERROR: Command not found. 
net add ospf area 0.0.0.1 nssa

To work around this issue, use FRR instead. For example: 

switch# configure terminal 
switch(config)# router ospf 
switch(config-router)# area 0.0.0.1 nssa
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543724](#2543724)
| If a hostname contains utf-8 characters, the NCLU net show lldp command outputs the following error: 

ERROR: 'ascii' codec can't encode character u'\xe9' in position 3: ordinal not in range(128) 
See /var/log/netd.log for more details.
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543646](#2543646)
| In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | | -| [2543401](#2543401)
| On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. | 4.0.0-4.4.5 | | +| [2543401, 2543014](#2543401, 2543014)
| On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. | 4.0.0-4.4.5 | | | [2543211](#2543211)
| In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2543164](#2543164)
| The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2543096](#2543096)
| When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | @@ -995,7 +995,7 @@ pdfhidden: True | [2540352](#2540352)
| When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a _match interface_ condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9 
net add routing route-map Proxy-ARP permit 30 match interface swp10

| 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2540340](#2540340)
| NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example: 
 
 cumulus@switch:~$ net add vrf mgmt

Tab completion for the net add vrf ip address
command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540274](#2540274)
| On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | -| [2540204](#2540204)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540204, 2713883](#2540204, 2713883)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540192](#2540192)
| The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540155](#2540155)
| On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2540042](#2540042)
| When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example: 
 
cumulus@switch:~$ sudo vtysh 
switch# configure terminal 
switch(config)# interface br0.100 
switch(config-if)# vrrp 1 priority 110 
switch(config-if)# vrrp 1 advertisement-interval 
switch(config-if)# end 
switch# write memory 
switch# exit 
cumulus@switch:~

| 3.7.4-3.7.16, 4.0.0-4.4.5 | | @@ -1011,7 +1011,7 @@ pdfhidden: True | [2538562](#2538562)
| On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.
After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.
To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.
Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G. | 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2538294](#2538294)
| If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2537699](#2537699)
| There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces: 
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
| 3.7.1-3.7.16, 4.0.0-4.4.5 | | -| [2537544](#2537544)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2537544, 2537365](#2537544, 2537365)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | | [2536576](#2536576)
| If you try to bring down several members of a bond remotely at the same time, the link state of one of the interfaces might not transition correctly to the down state; however, all links show down in hardware.
| 4.0.0-4.4.5 | | | [2536384](#2536384)
| The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2536256](#2536256)
| For an unresolved address, the IPROUTER default policer rule has been modified to _not_ match on packets exiting a TUNNEL and headed to the CPU to resolve the address via ARP. As a result, the following default rule no longer matches TUNNEL ingress packets. 
 
A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type 
IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100

These packets are now policed by catch all rules.
To work around this issue, the VPORT value on a TRIDENT switch must be changed from binary 011 to 100.
| 4.0.0-4.4.5 | | @@ -1049,17 +1049,17 @@ pdfhidden: True | [3528464](#3528464)
| Cumulus Linux might mark a layer 2 VLAN-tagged packet as a packet to CPU and the INPUT chain ACL might drop the packet. To work around this issue, add an additional addrtype match on the ACL to prevent an erroneous ACL match; for example:
[iptables]
-A INPUT -i swp+ -m addrtype --dst-type LOCAL -p tcp --sport 22 -j DROP
| 4.3.0-4.4.5 | | | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0-5.16.1| | [3479967](#3479967)
| When you remove VRF configuration, the systemctl reload frr.service command returns a non zero exit code after erroneously running the invalid command no exit-vrf. | 4.3.1 | 4.3.2-4.4.5| -| [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.16.1| +| [3474391, 3479772](#3474391, 3479772)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.16.1| | [3455998](#3455998)
| When you poll the BGP unnumbered MIB object 1.3.6.1.4.1.40310.4 after uncommenting the bgpun_pp.py pass persist script in the /etc/snmpd/snmpd.conf file, BGP session information is not retrieved. To work around this issue, add executable permissions to the script with the sudo chmod +x /usr/share/snmp/bgpun_pp.py command. | 4.3.1 | 4.3.2-4.4.5| | [3448171](#3448171)
| If a default route is withdrawn from the routing table and then learned again, traffic matching this entry will be software (cpu) forwarded.  This will cause intermittent drops due to the CPU the rate-limiter
This only impacts the default VRF and a default route learned dynamically
In order to recover from this condition: 1. Restart switchd.service (sudo systemctl restart switchd.service)OR 2. Reboot the switch (sudo reboot) | 4.3.1 | 4.3.2-4.4.5| | [3434315](#3434315)
| IPv6 BGP sessions in a VRF do not be establish with MD5 authentication. | 4.3.0-4.3.1 | 4.3.2-4.4.5| | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.16.1| -| [3419962](#3419962)
| On a Broadcom switch, if you remove a double-tagged interface from a bridge that contains other double-tagged interfaces built on the same physical port (for example, you remove swp1.10.100 when swp1.10.200 is also a bridge port), traffic forwarding within the bridge might fail and you see critical warnings in the /var/log/switchd.log file similar to the following:
switchd[8587]: hal_bcm.c:2207 CRIT knet_vlan_translate_delete(update): port 1 ext_vlan 10.100 int_vlan 2132: -11
| 4.3.1 | 4.3.2-4.4.5| +| [3419962, 3626533](#3419962, 3626533)
| On a Broadcom switch, if you remove a double-tagged interface from a bridge that contains other double-tagged interfaces built on the same physical port (for example, you remove swp1.10.100 when swp1.10.200 is also a bridge port), traffic forwarding within the bridge might fail and you see critical warnings in the /var/log/switchd.log file similar to the following:
switchd[8587]: hal_bcm.c:2207 CRIT knet_vlan_translate_delete(update): port 1 ext_vlan 10.100 int_vlan 2132: -11
| 4.3.1 | 4.3.2-4.4.5| | [3419953](#3419953)
| If you remove a double tagged bridge port from a bridge when a different interface exists with the same port and virtual ID, you might see a segmentation fault and a switchd crash due to incorrect initialization when Cumulus Linux creates the second double-tagged interface. To work around this issue, make sure you remove the double-tagged interfaces from the bridge in the /etc/network/interfaces file. | 4.3.1 | 4.3.2-4.4.5| | [3410952](#3410952)
| If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.16.1| | [3401121](#3401121)
| sFlow is not able to sample packets in the egress direction. To work around this issue, add the following to the hsflowd.conf file to enable egress sampling:
samplingDirection=outpsample { group=1 }
| 4.3.0-4.3.1 | 4.3.2-4.4.5| | [3400244](#3400244)
| NCLU accepts multiple instances of same net add bgp commands and stores the configuration in the /etc/frr/frr.conf file when you run the net commit command. As a result, unintended commands might be processed during frr-reload. To work around this issue, edit the /etc/frr/frr.conf file to remove the duplicated entries. | 4.3.1-4.4.5 | | -| [3390022](#3390022)
| When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the peerlink.4095 interface stanza are duplicated. Subsequent ifreloads, or net commit commands fail until you manually remove the duplicated lines from this interface and run ifreload -a. | 4.2.1-4.4.5 | | +| [3390022, 3323138](#3390022, 3323138)
| When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the peerlink.4095 interface stanza are duplicated. Subsequent ifreloads, or net commit commands fail until you manually remove the duplicated lines from this interface and run ifreload -a. | 4.2.1-4.4.5 | | | [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5| | [3364996](#3364996)
| Under certain conditions, BGP can allow a combination of EVPN and non-EVPN paths to be put into a multipath group together. This results in erroneous programming of EVPN symmetric next hops and RMACs, which can result in momentary traffic drops. | 4.3.0-4.3.1 | 4.3.2-4.4.5| | [3364717](#3364717)
| On the Trident 2+ and Trident 3 switch when using VXLAN layer 2 VPNs and sending tunneled traffic where the inner IP header has a TTL of 1, the egress VTEP incorrectly forwards this traffic through the software path instead of the hardware data plane. This traffic is rate-limited to 100pps by default. To work around this issue, ensure that the traffic traversing the layer 2 tunnel has an inner IP header TTL value that is more than 1. If this workaround is not possible, contact Nvidia Support to determine other options. | 4.3.0-4.3.1 | 4.3.2-4.4.5| @@ -1077,20 +1077,20 @@ pdfhidden: True | [3216759](#3216759)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-3.7.16, 4.3.0-4.4.5 | | | [3211369](#3211369)
| The NCLU net show interface pluggables command takes a long time (approximately five minutes) to complete. | 4.2.1-4.4.5 | | | [3191517](#3191517)
| When a switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-4.3.1, 4.4.0-5.2.1 | 4.3.2, 5.3.0-5.16.1| -| [3168564](#3168564)
| In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), switchd might crash when you restart clagd or when all bonds go operationally down, then up
On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. | 4.3.1-4.4.5 | | +| [3168564, 3198302](#3168564, 3198302)
| In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), switchd might crash when you restart clagd or when all bonds go operationally down, then up
On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. | 4.3.1-4.4.5 | | | [3163845](#3163845)
| If bond slaves listed in the /etc/network/interfaces file are not in alphabetical order, the bond interface MAC address can change when you run ifreload. For example, if the bond slaves in the /etc/network/interfaces file are listed as swp32 swp31, the switch initially uses the MAC address for swp32 as the bond MAC address. An another ifreload can cause this to change to use the MAC address for swp31 as the bond MAC address, which can cause protocol issues, such as IPv6 link-local address changes. | 4.3.1-4.4.5 | | | [3138746](#3138746)
| The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0-5.1.0 | 5.2.0-5.16.1| | [3131423](#3131423)
| During EVPN multihoming bond failover, ARP and ND redirection fails if you configure layer 2 VNIs and ES bonds before you configure the loopback IP address of the switch. To work around this issue, configure the loopback IP address, then restart FRR with the systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| | [3117340](#3117340)
| When you edit the /usr/share/openvswitch/scripts/ovs-ctl-vtep file to change the ovs-vtepd configuration between vlan-aware and vlan-unaware mode, ovs-vtepd crashes when you restart the service. To recover, restart the networking service with the sudo systemctl restart networking command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| -| [3108491](#3108491)
| In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. | 4.2.1-4.4.5 | 5.0.0-5.16.1| +| [3108491, 2434628](#3108491, 2434628)
| In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. | 4.2.1-4.4.5 | 5.0.0-5.16.1| | [3093966](#3093966)
| On Broadcom switches, INPUT chain iptable rules filter IPv6 packets matching the rules. | 3.7.15-3.7.16, 4.3.0-4.4.5 | | | [3089165](#3089165)
| A slow memory leak might occur in switchd} if the route fails to install in hardware when hardware resources are exhausted. | 4.2.1-4.4.3 | 4.4.4-4.4.5| | [3084027](#3084027)
| Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware. | 4.3.0-4.4.5, 5.0.0-5.16.1 | | | [3073668](#3073668)
| On the EdgeCore AS4610 switch, when you change the speed of any of the SFP+ ports, the other SFP+ ports flap. | 3.7.12-3.7.16, 4.3.0-4.4.5 | | | [3072674](#3072674)
| In an MLAG configuration, if you put a single connected interface into an admin down state, any dynamic MAC addresses on the peer link are flushed, then added back, which causes momentary traffic disruption. | 3.7.15-5.1.0 | 5.2.0-5.16.1| | [3072613](#3072613)
| When you delete a bond interface with NCLU, BGP peer group configuration is removed. | 3.7.15-3.7.16, 4.3.0-4.4.5 | | -| [3059135](#3059135)
| In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route
To resolve this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| -| [3046023](#3046023)
| The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. | 4.2.1-5.1.0 | 5.2.0-5.16.1| +| [3059135, 3060400](#3059135, 3060400)
| In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route
To resolve this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| +| [3046023, 3096918](#3046023, 3096918)
| The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. | 4.2.1-5.1.0 | 5.2.0-5.16.1| | [2993719](#2993719)
| After you delete the last vxlan-remoteip configuration line from the /etc/network/interfaces file and run the ifreload -a command, the corresponding BUM flood entry is not removed. This is issue is impacting all Cumulus Linux releases. The following attribute: vxlan-purge-remotes yes is intended to fix the issue (this attribute has been available since CL2). It was decided to change ifupdown2's default behavior to automatically purge BUM entries added by ifup/ifreload. | 3.7.15-5.0.1 | 5.1.0-5.16.1, 5.2.0-5.16.1| | [2952117](#2952117)
| If switchd requires more time to update port or bond configuration after the port or bond flaps, the systemd watchdog times out. As result, systemd might assume that switchd is unresponsive and restarts it. | 4.2.1-4.4.2, 5.0.0-5.0.1 | 4.4.3-4.4.5, 5.1.0-5.16.1| | [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.16.1 | | @@ -1110,17 +1110,17 @@ pdfhidden: True | [2770226](#2770226)
| In an MLAG configuration with traditional bridges, MAC addresses are seen over peer link during ifreload when adding new VLANS or bridges. | 3.7.14.2-3.7.15, 4.3.0-4.4.5 | 3.7.16, 5.0.0-5.16.1| | [2754791](#2754791)
| Remote MAC addreses in zebra are out of sync with bgpd. The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP. | 3.7.14.2-3.7.16, 4.3.0-4.4.5 | | | [2753955](#2753955)
| On the Lenovo MSN3700 switch, if you try to configure an interface with a link speed of 200G, the configuration fails. | 4.2.1-4.4.5 | 5.0.0-5.16.1| -| [2743186](#2743186)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| +| [2743186, 2734100, 2731464, 3438708](#2743186, 2734100, 2731464, 3438708)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| | [2739402](#2739402)
| The destination MAC address of ERSPAN GRE packets is set to all zeros. | 4.3.0-4.4.5 | 5.0.0-5.16.1| | [2734103](#2734103)
| ACL [No More Resources] messages keep appearing and you can't reinstall the ACL. | 4.3.0-5.1.0 | 5.2.0-5.16.1| | [2732605](#2732605)
| The ESI line of show bgp l2vpn evpn route command always shows VNI: 0. This is a cosmetic software issue. | 4.3.0-4.4.5 | 5.0.0-5.16.1| -| [2728119](#2728119)
| When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-4.4.5 | 5.0.0-5.16.1| -| [2713888](#2713888)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| +| [2728119, 2729309](#2728119, 2729309)
| When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-4.4.5 | 5.0.0-5.16.1| +| [2713888, 2834357](#2713888, 2834357)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| | [2711533](#2711533)
| On the AS7326-56X switch, the link lights for 25G ports configured to work at 1G do not illuminate. | 4.2.1-4.4.5 | | | [2710208](#2710208)
| The net show bgp neighbor command output does not reflect the correct BFD status. This is a cosmetic issue. To work around this issue, run the NCLU net show bfd command to verify the correct state of BFD. | 4.2.1-4.4.5 | | | [2706744](#2706744)
| In an EVPN multihoming configuration, the VTEP continues to advertise a stale route after an extended MAC mobility event. | 4.3.0-4.4.1 | 4.4.2-4.4.5| | [2700767](#2700767)
| Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use a MLAG peer IP linklocal configuration. | 3.7.12-3.7.15, 4.3.0-4.4.5 | 3.7.16| -| [2690017](#2690017)
| When you remove a bond member, then re-add it, you might see a Parameter Error failure in {syslog and switchd.log:
sx_sdk: LAG: Can't add port (0x00012400) to lag. Port has vports configured for it (Parameter Error)
switchd[4529]: hal_mlx_bond.c:582 ERR bond32 member swp32 add failed: Parameter Error
To work around this issue, restart switchd. | 4.3.0-4.3.4 | 4.4.0-4.4.5| +| [2690017, 3431625](#2690017, 3431625)
| When you remove a bond member, then re-add it, you might see a Parameter Error failure in {syslog and switchd.log:
sx_sdk: LAG: Can't add port (0x00012400) to lag. Port has vports configured for it (Parameter Error)
switchd[4529]: hal_mlx_bond.c:582 ERR bond32 member swp32 add failed: Parameter Error
To work around this issue, restart switchd. | 4.3.0-4.3.4 | 4.4.0-4.4.5| | [2685994](#2685994)
| When you use the NVUE command nv set interface lo router ospf area to configure OSPF on a loopback interface, the configuration fails to apply
To work around this issue, configure the loopback interface in the desired OSPF area with the nv set vrf default router ospf area 0 network command and reference the assigned prefix of the loopback interface. For example:
cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32
| 4.0.0-5.0.1 | 5.1.0-5.16.1| | [2682780](#2682780)
| Adding a route map configuration after a MAC access list configuration line causes the route map configuration to be applied incorrectly
To work around this issue, add the MAC access list configuration to the end of the /etc/frr/frr.conf file. | 4.2.0-4.3.4 | 4.4.0-4.4.5| | [2669873](#2669873)
| In an EVPN multihoming configuration, ARP/ND traffic coming in one switch is being sent back out the originating bond on the other switches in the ES on remote PE switches. Normally Split Horizon filtering prevents this kind of traffic at the remote PE. | 4.3.0-4.3.4 | 4.4.0-4.4.5| @@ -1132,7 +1132,7 @@ pdfhidden: True | [2618227](#2618227)
| The NCLU net show bridge macs command displays permanent MAC addresses for trunked VLANs. | 4.3.0-4.4.5 | | | [2614016](#2614016)
| The switch firmware incorrectly identifies Lenovo LR4 transceivers (part number 00YD278) and does not set the laser levels properly, which can prevent the link from coming up or might cause the transceiver to be identified as a 1G module. | 4.2.0-4.3.4 | 4.4.0-4.4.5| | [2599274](#2599274)
| On Mellanox Spectrum switches, when there is an MSTP forwarding state change on a bonds (for example, when the state changes from blocking to forwarding), the MSTP hardware table might set some VLANs to blocking when they should be forwarding. A a result, all packets on these VLANs drop at ingress
To recover from this state, flap the bond interface (not the physical swp) by running ifdown ; sleep 1 ; ifup . | 4.3.0-4.4.5 | 5.0.0-5.16.1| -| [2578814](#2578814)
| On NVIDIA Spectrum switches, BUM traffic might be dropped during VXLAN decapsulation in an EVPN multihoming environment after multiple PIM uplink interfaces flap. | 4.3.0-4.3.4 | 4.4.0-4.4.5| +| [2578814, 2644181](#2578814, 2644181)
| On NVIDIA Spectrum switches, BUM traffic might be dropped during VXLAN decapsulation in an EVPN multihoming environment after multiple PIM uplink interfaces flap. | 4.3.0-4.3.4 | 4.4.0-4.4.5| | [2577499](#2577499)
| QSFP+ 40G optics do not work on Spectrum platforms. | 4.3.0-4.3.4 | 4.4.0-4.4.5| | [2574368](#2574368)
| When you run the NCLU net add bgp maximum-paths ibgp command, FRR restarts unexpectedly
To work around this issue, either use the vtysh commands or edit the /etc/frr/frr.conf file directly, then run systemctl reload frr. | 4.1.1-4.4.5 | | | [2556772](#2556772)
| The net show clag verify-vlans command fails with the following log: 

WARNING: '/usr/bin/clagctl verifyvlans' failed due to:
Command '['/usr/bin/clagctl', 'verifyvlans']' returned non-zero exit status 1

To work around this issue, run the /usr/bin/clagctl verifyvlans command or the net show clag verbose command. | 4.2.1-4.4.5 | | @@ -1143,7 +1143,7 @@ pdfhidden: True | [2555763](#2555763)
| The NCLU net del bgp neighbor command does not delete the neighbor and displays an error similar to the following:

ERROR: --- /run/nclu/frr/frr.conf.scratchpad.baseline   2021-01-04 17:23:59.250463331 +0000
+++ /run/nclu/frr/frr.conf.scratchpad    2021-01-04 17:25:59.213673980 +0000

To work around this issue, use the FRR command to delete a neighbor. | 4.3.0-4.4.5 | | | [2555613](#2555613)
| The net show configuration commands command incorrectly displays the NCLU syntax to disable IPv6 forwarding on interfaces. For example:

# net show configuration commands
net add vlan 1 ip6-forward off

The correct NCLU command to disable IPv6 forwarding is net add vlan 1 ipv6 forward off (without the hyphen). | 4.2.1-4.4.5 | | | [2555318](#2555318)
| If you try to enable BGP graceful restart when it is already enabled, you see an error similar to the following in the frr.log file:

2020-12-07T19:20:26.004333+00:00 cumulus bgpd[4954]: VRF default: Handle GR command GLOBAL_GR_CMD, current GR state GLOBAL_GR, new GR state GLOBAL_INVALID

This error has no functional impact. | 4.3.0-4.4.5 | | -| [2555175](#2555175)
| Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. | 3.7.15-4.3.1 | 4.3.2-4.4.5| +| [2555175, 3195351, 2672721](#2555175, 3195351, 2672721)
| Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. | 3.7.15-4.3.1 | 4.3.2-4.4.5| | [2554986](#2554986)
| The ethtool utility doesn't contain the latest values, as a result the Revision Compliance field shows Unallocated. | 4.2.1-4.4.5 | | | [2554812](#2554812)
| If the RMAC of a layer 3 SVI changes, the show vrf vni command is not updated with the new value. However, the new RMAC is seen in the show evpn vni command and is present on self-originated EVPN routes. | 4.2.1-4.4.5 | | | [2554783](#2554783)
| If you apply an outbound route map to a BGP peer that uses set as-path prepend last-as, advertised locally-originated routes have the ASN of the peer prepended to the AS path.
This might trigger AS path loop prevention on the peer, where the peer ignores locally-originated prefixes. | 4.2.1-4.4.5 | 5.0.0-5.16.1| @@ -1153,13 +1153,13 @@ pdfhidden: True | [2554533](#2554533)
| On the ARM platform, NTP peer associations slowly increase to larger offsets (~500ms). | 4.0.0-4.4.5 | | | [2554466](#2554466)
| Kernel routes added by iproute2 are missing in FRR after an interface flap.
To work around this issue, configure a static route in FRR.
| 4.2.1-4.4.5 | | | [2554299](#2554299)
| In a VRRP configuration, BGP unnumbered sessions for VRFs fail to establish after a networking restart. | 4.2.0-4.3.4 | 4.4.0-4.4.5| -| [2554222](#2554222)
| The NCLU command to enable bridge learning fails.
As a work around, enable bridge learning in the /etc/network/interface file. For example:

auto vni-30
iface vni-30
    vxlan-id 30
    bridge-access 30
    bridge-arp-nd-suppress on
    bridge-learning on
    vxlan-local-tunnelip 10.10.10.1
    mstpctl-bpduguard yes
    mstpctl-portbpdufilter yes
    mtu 9166
| 4.2.1-4.4.5 | | +| [2554222, 2614073](#2554222, 2614073)
| The NCLU command to enable bridge learning fails.
As a work around, enable bridge learning in the /etc/network/interface file. For example:

auto vni-30
iface vni-30
    vxlan-id 30
    bridge-access 30
    bridge-arp-nd-suppress on
    bridge-learning on
    vxlan-local-tunnelip 10.10.10.1
    mstpctl-bpduguard yes
    mstpctl-portbpdufilter yes
    mtu 9166
| 4.2.1-4.4.5 | | | [2554218](#2554218)
| MLAG packets received on the peer link are dropped instead of routed. | 4.2.0-4.4.5 | | -| [2554202](#2554202)
| The output of the net show commit command does not show the last commit or the specified commit number but is empty instead. | 4.2.1-4.4.5 | | +| [2554202, 2544880](#2554202, 2544880)
| The output of the net show commit command does not show the last commit or the specified commit number but is empty instead. | 4.2.1-4.4.5 | | | [2553989](#2553989)
| Default policer configured for LACP as an INPUT chain rule in 00control_plane.rules is meant to protect CPU from an LACP storm. When LACP storm is originating out of a single bond or bond member interface in a switch with multiple bond interfaces, there is a possibility of other LACP bond interface(s) going down. | 4.2.1-4.4.5 | | | [2553887](#2553887)
| When using TACACS+ configured with a DEFAULT user providing privilege level lower than 16, TACACS+ configured users with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del and see an error similar to the following:

ERROR: You do not have permission to execute that command.

To work around this issue, remove the DEFAULT user from the TACACS+ server. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2553677](#2553677)
| When you configure an SNMPv3 user with the net-snmp-config configuration command from the libsnmp-dev package, you get an error message similar to the one below:

cumulus@switch:mgmt-vrf:~$ sudo net-snmp-config --create-snmpv3-user -a shaauthpass -x aesprivpass -A SHA -X AES userSHAwithAES
adding the following line to /var/lib/snmp/snmpd.conf:           
   createUser userSHAwithAES SHA "shaauthpass" AES "aesprivpass"       
adding the following line to /snmp/snmpd.conf:                           
   rwuser userSHAwithAES                                           
touch: cannot touch ‘/snmp/snmpd.conf’: No such file or directory
/usr/bin/net-snmp-create-v3-user: 144: /usr/bin/net-snmp-create-v3-user: cannot create /snmp/snmpd.conf: Directory nonexistent

To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:

cumulus@switch:mgmt-vrf:~$ net add snmp-server username user999 auth-md5 user999password encrypt-des user999encryption

Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation. | 3.7.13-3.7.16, 4.0.0-4.4.5 | | -| [2553237](#2553237)
| The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF.
NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF.

| 4.2.0-4.4.5 | | +| [2553237, 2552950](#2553237, 2552950)
| The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF.
NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF.

| 4.2.0-4.4.5 | | | [2553116](#2553116)
| When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure.
To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2553015](#2553015)
| If a neighbour contains a special character in PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail. | 3.7.10-3.7.16, 4.2.0-4.4.5 | | | [2552691](#2552691)
| On the EdgeCore AS4610 switch, the eth0 interface remains down when physically connected to a 1G interface.
To work around this issue, configure the link speed to 1000 and set auto-negotiation on for the eth0 interface, then flap eth0 with the ip link set eth0 down/up command to bring up the port. | 4.2.0-4.4.5 | | @@ -1199,15 +1199,15 @@ pdfhidden: True | [2548044](#2548044)
| When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor. | 3.7.12-3.7.15, 4.0.0-4.4.5 | 3.7.16| | [2547890](#2547890)
| QinQ across VXLAN on a traditional bridge does not work. | 4.1.0-4.4.5 | | | [2547782](#2547782)
| If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2547706](#2547706)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2547706, 2544456, 2549513](#2547706, 2544456, 2549513)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2547405](#2547405)
| When you restart the hsflowd service, you see a systemd warning message similar to the following:

Warning: The unit file, source configuration file or drop-ins of hsflowd@mgmt.service changed on disk. Run 'systemctl daemon-reload'.
| 4.0.0-4.4.5 | | | [2547120](#2547120)
| After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number), until you run the decode-syseeprom --init command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546991](#2546991)
| The FRR service does not provide a way for automation to know if the configuration applied properly.
To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546895](#2546895)
| If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:
bq. systemd[1]: switchd.service watchdog timeout (limit 2min)!
To workaround this issue, either reduce the number of configured interfaces and, or VLANs, or increase the systemd timeout for switchd.service
To increase the systemd timeout:1.Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter
2.Restart the switchd service with the sudo systemctl restart switchd.service command
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546874](#2546874)
| On the Dell S5232F, S5248F, S5296F, and S3048 switch, using the poweroff or halt commands does not fully power off the switch. | 4.0.0-4.4.5 | | | [2546255](#2546255)
| On the EdgeCore Minipack-AS8000 switch, a 100G DAC link does not come up when auto-negotiation is enabled on the neighbor. This switch does not support 100G DAC auto-negotiation at this time. | 4.0.0-4.4.5 | | -| [2546225](#2546225)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2546131](#2546131)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546225, 2541038](#2546225, 2541038)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546131, 2542979](#2546131, 2542979)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2545837](#2545837)
| If you use the NCLU commands to configure NTP and run the net add time ntp source command before you run the net add time ntp server iburst command, the /etc/ntp.conf file is misconfigured.
To work around this issue, run the net add time ntp server iburst command before you run the net add time ntp source command. | 3.7.10-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2545520](#2545520)
| The length of the netlink message is not set properly for non-bridge family type messages. The same length is used for both bridge and non-bridge even though the bridge family type message has an extra attribute. This causes extra bytes to be left over in non-bridge family type netlink messages. | 3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2545239](#2545239)
| On the Mellanox switch with the Spectrum-2 ASIC, Precision Time Protocol (PTP) is not currently supported. | 4.0.0-4.3.4 | 4.4.0-4.4.5| @@ -1217,22 +1217,22 @@ pdfhidden: True | [2544968](#2544968)
| FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:

sudo sh -c "printf 'interface 50\nvrf TEST description L3 routing interface\n' >> /etc/frr/frr.conf"

should be:

sudo sh -c "printf 'interface 50 vrf TEST\ndescription L3 routing interface\n' >> /etc/frr/frr.conf"

To work around this issue, configure the interface manually in the /etc/frr/frr.conf file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544957](#2544957)
| NCLU incorrectly allows you to apply port security configuration on layer 2 and layer 3 ports that are not part of a bridge. | 4.0.0-4.4.5 | | | [2544953](#2544953)
| When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.
To work around this issue, run the sudo systemctl restart lldpd.service command. | 3.7.10-3.7.16, 4.0.0-4.4.5 | | -| [2544880](#2544880)
| When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. | 4.0.0-4.4.5 | | +| [2544880, 2544616, 2554202](#2544880, 2544616, 2554202)
| When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. | 4.0.0-4.4.5 | | | [2544723](#2544723)
| Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2544463](#2544463)
| Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | -| [2544456](#2544456)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | +| [2544456, 2546166, 2546167, 2547706, 2549513](#2544456, 2546166, 2546167, 2547706, 2549513)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544311](#2544311)
| Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544155](#2544155)
| NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order.

| 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544113](#2544113)
| Mac learning is not disabled by default on a double tagged peer link interface resulting in the MAC address changing between the MLAG bond and the peer link.
To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the etc/network/interfaces file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2543937](#2543937)
| An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause a FRR reload to time out.
To work around this issue, remove the interface alias description from iproute2. | 3.7.8-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543915](#2543915)
| When you enable a service in the management VRF, systemctl issues a warning similar to the following:
Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run 'systemctl daemon-reload' to reload unit
You can safely ignore this warning. | 4.0.0-5.9.5 | 5.10.0-5.16.1| | [2543900](#2543900)
| On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | | -| [2543841](#2543841)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | +| [2543841, 2544947](#2543841, 2544947)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | | [2543816](#2543816)
| On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages.
| 3.7.6-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2543781](#2543781)
| NCLU does not allow you to configure OSPF NSSAs. For example: 

cumulus@switch:~$ net add ospf area 0.0.0.1 nssa 
ERROR: Command not found. 
net add ospf area 0.0.0.1 nssa

To work around this issue, use FRR instead. For example: 

switch# configure terminal 
switch(config)# router ospf 
switch(config-router)# area 0.0.0.1 nssa
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543724](#2543724)
| If a hostname contains utf-8 characters, the NCLU net show lldp command outputs the following error: 

ERROR: 'ascii' codec can't encode character u'\xe9' in position 3: ordinal not in range(128) 
See /var/log/netd.log for more details.
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543646](#2543646)
| In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | | -| [2543401](#2543401)
| On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. | 4.0.0-4.4.5 | | +| [2543401, 2543014](#2543401, 2543014)
| On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. | 4.0.0-4.4.5 | | | [2543211](#2543211)
| In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2543164](#2543164)
| The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2543096](#2543096)
| When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | @@ -1247,7 +1247,7 @@ pdfhidden: True | [2540352](#2540352)
| When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a _match interface_ condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9 
net add routing route-map Proxy-ARP permit 30 match interface swp10

| 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2540340](#2540340)
| NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example: 
 
 cumulus@switch:~$ net add vrf mgmt

Tab completion for the net add vrf ip address
command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540274](#2540274)
| On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | -| [2540204](#2540204)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540204, 2713883](#2540204, 2713883)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540192](#2540192)
| The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540155](#2540155)
| On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2540042](#2540042)
| When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example: 
 
cumulus@switch:~$ sudo vtysh 
switch# configure terminal 
switch(config)# interface br0.100 
switch(config-if)# vrrp 1 priority 110 
switch(config-if)# vrrp 1 advertisement-interval 
switch(config-if)# end 
switch# write memory 
switch# exit 
cumulus@switch:~

| 3.7.4-3.7.16, 4.0.0-4.4.5 | | @@ -1263,7 +1263,7 @@ pdfhidden: True | [2538562](#2538562)
| On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.
After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.
To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.
Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G. | 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2538294](#2538294)
| If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2537699](#2537699)
| There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces: 
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
| 3.7.1-3.7.16, 4.0.0-4.4.5 | | -| [2537544](#2537544)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2537544, 2537365](#2537544, 2537365)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | | [2536576](#2536576)
| If you try to bring down several members of a bond remotely at the same time, the link state of one of the interfaces might not transition correctly to the down state; however, all links show down in hardware.
| 4.0.0-4.4.5 | | | [2536384](#2536384)
| The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2536256](#2536256)
| For an unresolved address, the IPROUTER default policer rule has been modified to _not_ match on packets exiting a TUNNEL and headed to the CPU to resolve the address via ARP. As a result, the following default rule no longer matches TUNNEL ingress packets. 
 
A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type 
IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100

These packets are now policed by catch all rules.
To work around this issue, the VPORT value on a TRIDENT switch must be changed from binary 011 to 100.
| 4.0.0-4.4.5 | | @@ -1290,7 +1290,7 @@ pdfhidden: True | [3136940](#3136940)
| The clagd process uses 100 percent CPU and eventually crashes with an Unable to allocate memory error. | 3.7.16-4.3.0 | | | [3120423](#3120423)
| When you configure an interface in FRR to send IPv6 RAs before you configure the interface in the /etc/network/interfaces file, the switch does not process IPv6 RAs. To work around this issue, remove the interface configuration in FRR and reapply it. | 3.7.15-4.3.0, 4.4.0-5.1.0 | | | [3110729](#3110729)
| When you change the time with NTP or manually, the clagd service stops. | 5.0.1 | | -| [3089474](#3089474)
| The clagd process uses 100 percent CPU and eventually crashes with an Unable to allocate memory error
This issue impacts customers with these conditions: CL 5.1.0, CLAG, NTP, and a switch that has been powered off for some time (i.e. the clock may have drifted) prior to initial boot. | 5.1.0 | | +| [3089474, 3334028](#3089474, 3334028)
| The clagd process uses 100 percent CPU and eventually crashes with an Unable to allocate memory error
This issue impacts customers with these conditions: CL 5.1.0, CLAG, NTP, and a switch that has been powered off for some time (i.e. the clock may have drifted) prior to initial boot. | 5.1.0 | | | [3068962](#3068962)
| ONIE installation over HTTP fails if the web server hosting the installation image returns valid HTML content when ONIE requests an optional_pkgs file that does not exist. To work around this issue, configure the hosting web server to return an HTTP 404 code when the non-existant file is requested, or host an empty file on the web server with the format .optional_pkgs. | 4.2.1-4.3.0 | | | [3066704](#3066704)
| The hostapd service stops working if an 802.1X interface goes up and down many times over a long period of time
To work around this issue, restart the hostapd service with the systemctl restart hostapd command. | 3.7.15-4.3.0 | | | [3053063](#3053063)
| The update-ports.service fails because a blank space in the comment lines of the /etc/cumulus/ports.conf file causes parsing errors. To work around this issue, remove the blank spaces in the commented lines, then restart the update-ports and switchd services. | 3.7.15-4.3.0 | | @@ -1301,14 +1301,14 @@ pdfhidden: True | [2991501](#2991501)
| Slow memory leak caused by snmpd process using Zabbix template "Template Net Mellanox SNMP" | 4.2.1-4.3.0, 4.4.0-5.0.1 | | | [2949512](#2949512)
| On the EdgeCore AS4610-54T switch, the fan speed reports a minimum threshold in the logs. | 4.3.0 | | | [2943222](#2943222)
| Cumulus Linux lets you add more than one VXLAN interface to same VLAN on the same bridge. This is an invalid configuration as certain Cumulus Linux components, such as switchd, expect a single VNI for a given bridge or VLAN. | 3.7.15, 4.2.1-4.3.0, 4.4.2-5.0.1 | | -| [2935121](#2935121)
| When you configure 199 VXLANs plus 199 VLANs, clagd crashes every few seconds. | 3.7.15, 4.3.0, 4.4.0-4.4.1 | | +| [2935121, 2826122](#2935121, 2826122)
| When you configure 199 VXLANs plus 199 VLANs, clagd crashes every few seconds. | 3.7.15, 4.3.0, 4.4.0-4.4.1 | | | [2932121](#2932121)
| When switchd restarts, the port watch daemon (portwd) attempts to send requests to switchd before switchd is ready. As a result, portwd goes into a failed state because there is no response from switchd. | 3.7.15 | | | [2906967](#2906967)
| You can't have more than one VLAN subinterface on the same port on the same bridge. | 4.1.1-4.3.0 | | -| [2899422](#2899422)
| Broadcom switches return a table full error when creating VXLAN gports, which causes switchd to crash. | 3.7.15-4.3.0 | | +| [2899422, 3036049, 3069904](#2899422, 3036049, 3069904)
| Broadcom switches return a table full error when creating VXLAN gports, which causes switchd to crash. | 3.7.15-4.3.0 | | | [2896733](#2896733)
| Traffic failover in a multicast topology with redundancy has the mroute stuck in a prune state and PIM join messages continue to send
To work around this issue, run the vtysh clear ip mroute command. | 3.7.15-4.3.0, 4.4.0-5.0.1 | | | [2875337](#2875337)
| In a scaled EVPN-MLAG configuration (observed with 400 or more VNIs and 20K or more MAC addresses – the actual scale might vary), when the peer link flaps causing all VNIs to come up at the same time, there might be high CPU utilization on the system for several minutes and the FRR service might restart. After FRR restarts or the CPU utilization settles down, the system functions normally. | 4.2.1-4.3.0, 4.4.0-5.0.1 | | | [2875301](#2875301)
| When an IPv4 address is not configured on a tenant VRF loopback interface, the switchd process slowly leaks memory, which results in unresolved next hops. To work around this issue, configure an IPv4 address on all VRF interfaces. | 4.3.0 | | -| [2875300](#2875300)
| In some corner cases, remote MAC entries may be seen as locally learnt entries in FDB table due to switchd reprogramming it | 3.7.12-3.7.14.2 | | +| [2875300, 2545364, 3297583](#2875300, 2545364, 3297583)
| In some corner cases, remote MAC entries may be seen as locally learnt entries in FDB table due to switchd reprogramming it | 3.7.12-3.7.14.2 | | | [2875296](#2875296)
| On the Mellanox Spectrum-2 switches, after running the systemctl restart networking service command on the MLAG primary switch, the secondary switch also closes its ports.
To work around this issue, run the ifreload -a command to restart networking. | 4.2.1-4.3.0 | | | [2867058](#2867058)
| On the Dell Z9264F-ON switch, interfaces that use the QSFP28 module remain down after you restart switchd. | 4.3.0 | | | [2866097](#2866097)
| Under certain high scale conditions, various modules might experience timetouts during cl-support collection, which results in missing data in the cl-support file. | 3.7.12-3.7.15, 4.1.1-4.3.0 | | @@ -1325,26 +1325,26 @@ pdfhidden: True | [2770030](#2770030)
| When you modify the default pre-auth policy located in /etc/cumulus/acl/policy.d/dot1x_preauth_dacl, after restarting hostapd the /etc/cumulus/acl/policy.d/dot1x_preauth_dacl directory is deleted and recreated with the default rule set that comes from the hostapd binary. | 4.3.0 | | | [2754723](#2754723)
| When you set route_preferred_over_neigh to FALSE in the /etc/cumulus/switchd.conf file, host routes (/32 or /128) are used for forwarding in hardware instead of a local neighbor entry. | 4.0.0-4.3.0, 4.4.0-4.4.1 | | | [2739398](#2739398)
| Cumulus Linux does not support a bond or bond member as a SPAN destination. | 4.4.0-4.4.5 | | -| [2738625](#2738625)
| When you configure the switch with the minimum reserved VLAN of 150 and the internal VLANs are exhausted, the MLAG peer does not forward the VLAN. | 3.7.15, 4.2.1-4.3.0 | | +| [2738625, 2748965](#2738625, 2748965)
| When you configure the switch with the minimum reserved VLAN of 150 and the internal VLANs are exhausted, the MLAG peer does not forward the VLAN. | 3.7.15, 4.2.1-4.3.0 | | | [2736260](#2736260)
| After an apt upgrade, the OPTIONS configuration line in /etc/default/isc-dhcp-relay might be removed. To work around this issue, reconfigure the desired options in the file after the upgrade completes. | 3.7.12-3.7.15, 4.2.1-4.3.0 | | | [2730447](#2730447)
| The bridge MAC address is updated during a port change on bridge interfaces. | 4.3.0, 4.4.0-4.4.5 | | | [2730225](#2730225)
| When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs. | 3.7.12-4.3.0 | | | [2724191](#2724191)
| On the Celestica Seastone switch, when you run smonctl -v, the DIMM 1 Temp Sensor shows as absent
This is a cosmetic software issue and not indicative of a hardware failure on the system. | 4.3.0 | | -| [2716822](#2716822)
| The /etc/cumulus/ports.conf file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports. | 3.7.15-4.3.0 | | +| [2716822, 2710844](#2716822, 2710844)
| The /etc/cumulus/ports.conf file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports. | 3.7.15-4.3.0 | | | [2705160](#2705160)
| Zebra rejects MAC IP updates from BGP when the MAC mobility sequence number that BGP sends is lower than the sequence number known to zebra
When the MAC mobility sequence that BGP knows legitimately lowers (due to narrow timing conditions during convergence or after rebooting an MLAG pair one VTEP at a time), zebra rejects these updates and maintains a stale state. If the stale information that zebra uses points to the wrong VTEP address, traffic goes to the wrong VTEP and might drop. | 3.7.12-3.7.15 | | | [2701000](#2701000)
| A default route learned from DHCP on eth0 in the management VRF might install in the default VRF if eth0 is disconnected and the original next hop is reachable in the default VRF.
To work around this issue, delete the DHCP lease file for eth0 with the sudo rm /var/lib/dhcp/dhclient.eth0.leases command. | 4.3.0 | | | [2699399](#2699399)
| When you run the vtysh show ip bgp vrf statistics command, the bgpd service crashes if you use vrf all. For example:
spine01# show ip bgp vrf all statistics 
vtysh: error reading from bgpd: Success (0)Warning: closing connection to bgpd because of an I/O error!

spine01# show bgp vrf all ipv6 unicast statistics 
vtysh: error reading from bgpd: Success (0)Warning: closing connection to bgpd because of an I/O error!

To workaround this issue, run the command against each VRF independently. | 3.7.15, 4.0.0-4.3.0 | | -| [2699378](#2699378)
| After an event that causes the peer link bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a "peer-ip-mismatch." This behavior is seen in a clagd-peer-ip linklocal configuration. | 4.3.0 | | +| [2699378, 2684428](#2699378, 2684428)
| After an event that causes the peer link bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a "peer-ip-mismatch." This behavior is seen in a clagd-peer-ip linklocal configuration. | 4.3.0 | | | [2695314](#2695314)
| In a VRRP configuration, BGP unnumbered sessions for VRFs fail to establish after a networking restart. | 4.3.0 | | | [2685584](#2685584)
| A host migrated to an 802.1x port within the same broadcast domain does not have the correct static FDB entry installed if a dynamic FDB entry for that MAC address exists from previous connectivity in the broadcast domain. | 4.2.1-4.3.0 | | | [2682792](#2682792)
| If you configure items in a VRF that has been created, deleted, then re-created, staticd crashes. | 4.3.0 | | -| [2668543](#2668543)
| SVIs do not inherit the pinned MAC address of the bridge. | 4.3.0 | | +| [2668543, 3061431](#2668543, 3061431)
| SVIs do not inherit the pinned MAC address of the bridge. | 4.3.0 | | | [2663119](#2663119)
| If you update the MAC address of an SVI using ifreload and hwaddress, the kernel maintains a stale permanent FDB entry for the old MAC address. | 3.7.15, 4.3.0, 4.4.0-4.4.3, 5.0.0-5.0.1 | | | [2660583](#2660583)
| In an MLAG configuration, the secondary MLAG switch does not use a unique address instead of the MLAG system MAC address when there is a double-failure (peer link failure and backup IP failure) | 4.3.0 | | | [2654715](#2654715)
| The cl-acltool takes a significant amount of time to run, which can slow down automation scripts. | 4.2.0-4.3.0 | | | [2652003](#2652003)
| When 802.1x MAB and a parking VLAN are configured on an interface, hostapd might install a static fdb entry if the interface is down. To work around this issue, delete 802.1x from the interface with the net del interface dot1x command, then add back the 802.1x configuration. | 3.7.10-3.7.15 | | | [2645609](#2645609)
| The NCLU net show route vrf summary and vtysh show ip route vrf summary commands don't return any output. | 4.3.0 | | -| [2644071](#2644071)
| When you stop clagd on the MLAG primary switch (for example, when you reboot the switch), in rare conditions the MLAG secondary switch might fail to properly assert itself as the MLAG primary switch. To work around this issue, change the primary designation by configuring the clagd priorities to ensure that you only reboot a switch that is in the MLAG secondary role. | 3.7.15, 4.3.0 | | +| [2644071, 3348697](#2644071, 3348697)
| When you stop clagd on the MLAG primary switch (for example, when you reboot the switch), in rare conditions the MLAG secondary switch might fail to properly assert itself as the MLAG primary switch. To work around this issue, change the primary designation by configuring the clagd priorities to ensure that you only reboot a switch that is in the MLAG secondary role. | 3.7.15, 4.3.0 | | | [2628493](#2628493)
| On a PFC configured switch, non PFC enabled ports might transmit or receive traffic incorrectly after a reboot. To work around this issue, either run the echo 1 > /cumulus/switchd/config/traffic/reload command or the sudo systemctl restart switchd.service command. | 4.3.0 | | | [2613119](#2613119)
| The Mellanox 100G transceiver MMA1L30-CM is not recognized on the SN4600 switch even though the link is up. The ethtool output shows the error Cannot get Module EEPROM data: Invalid argument. | | | | [2556816](#2556816)
| When ARP suppression is enabled, RARP packets sometimes get dropped and are not flooded by the local VTEP.
To work around this issue, disable ARP suppression. | 3.7.14-3.7.14.2, 4.3.0 | | @@ -1358,7 +1358,7 @@ pdfhidden: True | [2555932](#2555932)
| On Mellanox switches, you can't ping the SVI of the MLAG peer over the peer link after the packet is VXLAN decapsulated. | 4.2.1-4.3.0 | | | [2554798](#2554798)
| On the Mellanox SN3700C switch, PIM multicast packets are duplicated at the egress VTEP. | 4.2.0-4.3.0 | | | [2554261](#2554261)
| On Broadcom switches, when you create a VNI interface, switchd might crash with the following log message:
switchd[6628]: log.c:72 CRIT backend/bcm/hal_bcm_vxlan.c:1285: : Assertion '0' failed. | 4.3.0 | | -| [2552212](#2552212)
| The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages. | 3.7.11-3.7.14, 4.1.1-4.3.0 | | +| [2552212, 2553637](#2552212, 2553637)
| The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages. | 3.7.11-3.7.14, 4.1.1-4.3.0 | | | [2550601](#2550601)
| The received PVST BPDU for a VLAN is flooded even though the ingress port doesn't have the VLAN tagged. | 3.7.8-3.7.14.2, 4.0.0-4.3.0 | | ## 4.3.0 Release Notes @@ -1377,7 +1377,7 @@ pdfhidden: True | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.16.1| | [3410952](#3410952)
| If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | 4.3.2-4.4.5, 5.5.0-5.16.1| | [3401121](#3401121)
| sFlow is not able to sample packets in the egress direction. To work around this issue, add the following to the hsflowd.conf file to enable egress sampling:
samplingDirection=outpsample { group=1 }
| 4.3.0-4.3.1 | 4.3.2-4.4.5| -| [3390022](#3390022)
| When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the peerlink.4095 interface stanza are duplicated. Subsequent ifreloads, or net commit commands fail until you manually remove the duplicated lines from this interface and run ifreload -a. | 4.2.1-4.4.5 | | +| [3390022, 3323138](#3390022, 3323138)
| When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the peerlink.4095 interface stanza are duplicated. Subsequent ifreloads, or net commit commands fail until you manually remove the duplicated lines from this interface and run ifreload -a. | 4.2.1-4.4.5 | | | [3376798](#3376798)
| On Broadcom switches, Cumulus Linux does not create the hardware bridging domain for a traditional bridge with a VXLAN interface during switchd restart. The /var/log/switchd.log file includes the following exception logs shortly after switchd restarts:
switchd[30158]: hal_bcm_l3.c:1617 find_egr_path_if_vxlan_overlay:vxlan overlay : nh PORT: port <#>, vlan . not yet ready
MAC learning looks correct, but traffic does not flow as expected. | 3.7.0-4.3.1 | 4.3.2-4.4.5| | [3364996](#3364996)
| Under certain conditions, BGP can allow a combination of EVPN and non-EVPN paths to be put into a multipath group together. This results in erroneous programming of EVPN symmetric next hops and RMACs, which can result in momentary traffic drops. | 4.3.0-4.3.1 | 4.3.2-4.4.5| | [3364717](#3364717)
| On the Trident 2+ and Trident 3 switch when using VXLAN layer 2 VPNs and sending tunneled traffic where the inner IP header has a TTL of 1, the egress VTEP incorrectly forwards this traffic through the software path instead of the hardware data plane. This traffic is rate-limited to 100pps by default. To work around this issue, ensure that the traffic traversing the layer 2 tunnel has an inner IP header TTL value that is more than 1. If this workaround is not possible, contact Nvidia Support to determine other options. | 4.3.0-4.3.1 | 4.3.2-4.4.5| @@ -1399,7 +1399,7 @@ pdfhidden: True | [3131423](#3131423)
| During EVPN multihoming bond failover, ARP and ND redirection fails if you configure layer 2 VNIs and ES bonds before you configure the loopback IP address of the switch. To work around this issue, configure the loopback IP address, then restart FRR with the systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| | [3120423](#3120423)
| When you configure an interface in FRR to send IPv6 RAs before you configure the interface in the /etc/network/interfaces file, the switch does not process IPv6 RAs. To work around this issue, remove the interface configuration in FRR and reapply it. | 3.7.15-4.3.0, 4.4.0-5.1.0 | 4.3.1, 5.2.0-5.16.1| | [3117340](#3117340)
| When you edit the /usr/share/openvswitch/scripts/ovs-ctl-vtep file to change the ovs-vtepd configuration between vlan-aware and vlan-unaware mode, ovs-vtepd crashes when you restart the service. To recover, restart the networking service with the sudo systemctl restart networking command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| -| [3108491](#3108491)
| In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. | 4.2.1-4.4.5 | 5.0.0-5.16.1| +| [3108491, 2434628](#3108491, 2434628)
| In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. | 4.2.1-4.4.5 | 5.0.0-5.16.1| | [3093966](#3093966)
| On Broadcom switches, INPUT chain iptable rules filter IPv6 packets matching the rules. | 3.7.15-3.7.16, 4.3.0-4.4.5 | | | [3089165](#3089165)
| A slow memory leak might occur in switchd} if the route fails to install in hardware when hardware resources are exhausted. | 4.2.1-4.4.3 | 4.4.4-4.4.5| | [3084027](#3084027)
| Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware. | 4.3.0-4.4.5, 5.0.0-5.16.1 | | @@ -1408,9 +1408,9 @@ pdfhidden: True | [3072613](#3072613)
| When you delete a bond interface with NCLU, BGP peer group configuration is removed. | 3.7.15-3.7.16, 4.3.0-4.4.5 | | | [3068962](#3068962)
| ONIE installation over HTTP fails if the web server hosting the installation image returns valid HTML content when ONIE requests an optional_pkgs file that does not exist. To work around this issue, configure the hosting web server to return an HTTP 404 code when the non-existant file is requested, or host an empty file on the web server with the format .optional_pkgs. | 4.2.1-4.3.0 | 4.3.1-4.4.5, 4.4.4-4.4.5, 5.2.0-5.16.1| | [3066704](#3066704)
| The hostapd service stops working if an 802.1X interface goes up and down many times over a long period of time
To work around this issue, restart the hostapd service with the systemctl restart hostapd command. | 3.7.15-4.3.0 | 4.3.1-4.4.5| -| [3059135](#3059135)
| In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route
To resolve this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| +| [3059135, 3060400](#3059135, 3060400)
| In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route
To resolve this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| | [3053063](#3053063)
| The update-ports.service fails because a blank space in the comment lines of the /etc/cumulus/ports.conf file causes parsing errors. To work around this issue, remove the blank spaces in the commented lines, then restart the update-ports and switchd services. | 3.7.15-4.3.0 | 4.3.1-4.4.5, 4.4.4-4.4.5| -| [3046023](#3046023)
| The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. | 4.2.1-5.1.0 | 5.2.0-5.16.1| +| [3046023, 3096918](#3046023, 3096918)
| The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. | 4.2.1-5.1.0 | 5.2.0-5.16.1| | [3020254](#3020254)
| When ARP suppression is off, GARPs from neighmgrd for remote neighbors are sent over VXLAN. | 3.7.15-4.3.0, 4.4.0-4.4.3, 5.0.0-5.1.0 | 4.3.1, 4.4.4-4.4.5, 5.2.0-5.16.1| | [2993719](#2993719)
| After you delete the last vxlan-remoteip configuration line from the /etc/network/interfaces file and run the ifreload -a command, the corresponding BUM flood entry is not removed. This is issue is impacting all Cumulus Linux releases. The following attribute: vxlan-purge-remotes yes is intended to fix the issue (this attribute has been available since CL2). It was decided to change ifupdown2's default behavior to automatically purge BUM entries added by ifup/ifreload. | 3.7.15-5.0.1 | 5.1.0-5.16.1, 5.2.0-5.16.1| | [2993469](#2993469)
| If you remove NGINX from the switch, then run apt autoremove, switchd does not reload because the libyaml-0-2 and python-yaml packages are missing; these packages are required for switchd consistency checking. To work around this issue, reinstall the libyaml-0-2 and python-yaml packages. | 4.3.0 | 4.3.1-4.4.5, 5.1.0-5.16.1| @@ -1420,11 +1420,11 @@ pdfhidden: True | [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.16.1 | | | [2949512](#2949512)
| On the EdgeCore AS4610-54T switch, the fan speed reports a minimum threshold in the logs. | 4.3.0 | 4.3.1-4.4.5| | [2943222](#2943222)
| Cumulus Linux lets you add more than one VXLAN interface to same VLAN on the same bridge. This is an invalid configuration as certain Cumulus Linux components, such as switchd, expect a single VNI for a given bridge or VLAN. | 3.7.15, 4.2.1-4.3.0, 4.4.2-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.16.1| -| [2935121](#2935121)
| When you configure 199 VXLANs plus 199 VLANs, clagd crashes every few seconds. | 3.7.15, 4.3.0-4.4.1 | 3.7.16, 4.4.2-4.4.5, 5.0.0-5.16.1| +| [2935121, 2826122](#2935121, 2826122)
| When you configure 199 VXLANs plus 199 VLANs, clagd crashes every few seconds. | 3.7.15, 4.3.0-4.4.1 | 3.7.16, 4.4.2-4.4.5, 5.0.0-5.16.1| | [2910017](#2910017)
| SNMP reports the same ifType of ethernetCsmacd(6) for loopback interfaces. | 3.7.15-4.4.2, 5.0.0-5.0.1 | 4.4.3-4.4.5, 5.1.0-5.16.1| | [2906967](#2906967)
| You can't have more than one VLAN subinterface on the same port on the same bridge. | 4.1.1-4.3.0 | 4.3.1-4.4.5| | [2902013](#2902013)
| The NCLU commit command adds a five second delay. | 4.2.1-4.4.5 | | -| [2899422](#2899422)
| Broadcom switches return a table full error when creating VXLAN gports, which causes switchd to crash. | 3.7.15-3.7.16, 4.3.0-4.4.5 | | +| [2899422, 3036049, 3069904](#2899422, 3036049, 3069904)
| Broadcom switches return a table full error when creating VXLAN gports, which causes switchd to crash. | 3.7.15-3.7.16, 4.3.0-4.4.5 | | | [2896733](#2896733)
| Traffic failover in a multicast topology with redundancy has the mroute stuck in a prune state and PIM join messages continue to send
To work around this issue, run the vtysh clear ip mroute command. | 3.7.15-5.0.1 | 5.1.0-5.16.1| | [2875337](#2875337)
| In a scaled EVPN-MLAG configuration (observed with 400 or more VNIs and 20K or more MAC addresses – the actual scale might vary), when the peer link flaps causing all VNIs to come up at the same time, there might be high CPU utilization on the system for several minutes and the FRR service might restart. After FRR restarts or the CPU utilization settles down, the system functions normally. | 4.2.1-5.0.1 | 3.7.16, 5.1.0-5.16.1| | [2875301](#2875301)
| When an IPv4 address is not configured on a tenant VRF loopback interface, the switchd process slowly leaks memory, which results in unresolved next hops. To work around this issue, configure an IPv4 address on all VRF interfaces. | 4.3.0 | 4.3.1-4.4.5| @@ -1456,40 +1456,40 @@ pdfhidden: True | [2754791](#2754791)
| Remote MAC addreses in zebra are out of sync with bgpd. The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP. | 3.7.14.2-3.7.16, 4.3.0-4.4.5 | | | [2754723](#2754723)
| When you set route_preferred_over_neigh to FALSE in the /etc/cumulus/switchd.conf file, host routes (/32 or /128) are used for forwarding in hardware instead of a local neighbor entry. | 4.0.0-4.3.0, 4.4.0-4.4.1 | 4.3.1, 4.4.2-4.4.5, 5.0.0-5.16.1| | [2753955](#2753955)
| On the Lenovo MSN3700 switch, if you try to configure an interface with a link speed of 200G, the configuration fails. | 4.2.1-4.4.5 | 5.0.0-5.16.1| -| [2743186](#2743186)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| +| [2743186, 2734100, 2731464, 3438708](#2743186, 2734100, 2731464, 3438708)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| | [2739402](#2739402)
| The destination MAC address of ERSPAN GRE packets is set to all zeros. | 4.3.0-4.4.5 | 5.0.0-5.16.1| -| [2738625](#2738625)
| When you configure the switch with the minimum reserved VLAN of 150 and the internal VLANs are exhausted, the MLAG peer does not forward the VLAN. | 3.7.15, 4.2.1-4.3.0 | 3.7.16, 4.3.1-4.4.5| +| [2738625, 2748965](#2738625, 2748965)
| When you configure the switch with the minimum reserved VLAN of 150 and the internal VLANs are exhausted, the MLAG peer does not forward the VLAN. | 3.7.15, 4.2.1-4.3.0 | 3.7.16, 4.3.1-4.4.5| | [2736260](#2736260)
| After an apt upgrade, the OPTIONS configuration line in /etc/default/isc-dhcp-relay might be removed. To work around this issue, reconfigure the desired options in the file after the upgrade completes. | 3.7.12-3.7.15, 4.2.1-4.3.4 | 3.7.16, 4.4.0-4.4.5| | [2734103](#2734103)
| ACL [No More Resources] messages keep appearing and you can't reinstall the ACL. | 4.3.0-5.1.0 | 5.2.0-5.16.1| | [2732605](#2732605)
| The ESI line of show bgp l2vpn evpn route command always shows VNI: 0. This is a cosmetic software issue. | 4.3.0-4.4.5 | 5.0.0-5.16.1| | [2730447](#2730447)
| The bridge MAC address is updated during a port change on bridge interfaces. | 4.3.0, 4.4.0-4.4.5 | 4.3.1, 5.0.0-5.16.1| | [2730225](#2730225)
| When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs. | 3.7.12-4.3.0 | 4.3.1-4.4.5, 4.4.2-4.4.5| -| [2728119](#2728119)
| When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-4.4.5 | 5.0.0-5.16.1| +| [2728119, 2729309](#2728119, 2729309)
| When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-4.4.5 | 5.0.0-5.16.1| | [2724191](#2724191)
| On the Celestica Seastone switch, when you run smonctl -v, the DIMM 1 Temp Sensor shows as absent
This is a cosmetic software issue and not indicative of a hardware failure on the system. | 4.3.0 | 4.3.1-4.4.5| -| [2716822](#2716822)
| The /etc/cumulus/ports.conf file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports. | 3.7.15-4.3.0 | 4.3.1-4.4.5| -| [2713888](#2713888)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| +| [2716822, 2710844](#2716822, 2710844)
| The /etc/cumulus/ports.conf file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports. | 3.7.15-4.3.0 | 4.3.1-4.4.5| +| [2713888, 2834357](#2713888, 2834357)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| | [2711533](#2711533)
| On the AS7326-56X switch, the link lights for 25G ports configured to work at 1G do not illuminate. | 4.2.1-4.4.5 | | | [2710208](#2710208)
| The net show bgp neighbor command output does not reflect the correct BFD status. This is a cosmetic issue. To work around this issue, run the NCLU net show bfd command to verify the correct state of BFD. | 4.2.1-4.4.5 | | | [2706744](#2706744)
| In an EVPN multihoming configuration, the VTEP continues to advertise a stale route after an extended MAC mobility event. | 4.3.0-4.4.1 | 4.4.2-4.4.5| | [2701000](#2701000)
| A default route learned from DHCP on eth0 in the management VRF might install in the default VRF if eth0 is disconnected and the original next hop is reachable in the default VRF.
To work around this issue, delete the DHCP lease file for eth0 with the sudo rm /var/lib/dhcp/dhclient.eth0.leases command. | 4.3.0 | 4.3.1-4.4.5| | [2700767](#2700767)
| Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use a MLAG peer IP linklocal configuration. | 3.7.12-3.7.15, 4.3.0-4.4.5 | 3.7.16| | [2699399](#2699399)
| When you run the vtysh show ip bgp vrf statistics command, the bgpd service crashes if you use vrf all. For example:
spine01# show ip bgp vrf all statistics 
vtysh: error reading from bgpd: Success (0)Warning: closing connection to bgpd because of an I/O error!

spine01# show bgp vrf all ipv6 unicast statistics 
vtysh: error reading from bgpd: Success (0)Warning: closing connection to bgpd because of an I/O error!

To workaround this issue, run the command against each VRF independently. | 3.7.15, 4.0.0-4.4.5 | 3.7.16| -| [2699378](#2699378)
| After an event that causes the peer link bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a "peer-ip-mismatch." This behavior is seen in a clagd-peer-ip linklocal configuration. | 4.3.0-4.3.4 | 4.4.0-4.4.5| +| [2699378, 2684428](#2699378, 2684428)
| After an event that causes the peer link bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a "peer-ip-mismatch." This behavior is seen in a clagd-peer-ip linklocal configuration. | 4.3.0-4.3.4 | 4.4.0-4.4.5| | [2695314](#2695314)
| In a VRRP configuration, BGP unnumbered sessions for VRFs fail to establish after a networking restart. | 4.3.0-4.3.4 | 4.4.0-4.4.5| -| [2690017](#2690017)
| When you remove a bond member, then re-add it, you might see a Parameter Error failure in {syslog and switchd.log:
sx_sdk: LAG: Can't add port (0x00012400) to lag. Port has vports configured for it (Parameter Error)
switchd[4529]: hal_mlx_bond.c:582 ERR bond32 member swp32 add failed: Parameter Error
To work around this issue, restart switchd. | 4.3.0-4.3.4 | 4.4.0-4.4.5| +| [2690017, 3431625](#2690017, 3431625)
| When you remove a bond member, then re-add it, you might see a Parameter Error failure in {syslog and switchd.log:
sx_sdk: LAG: Can't add port (0x00012400) to lag. Port has vports configured for it (Parameter Error)
switchd[4529]: hal_mlx_bond.c:582 ERR bond32 member swp32 add failed: Parameter Error
To work around this issue, restart switchd. | 4.3.0-4.3.4 | 4.4.0-4.4.5| | [2685994](#2685994)
| When you use the NVUE command nv set interface lo router ospf area to configure OSPF on a loopback interface, the configuration fails to apply
To work around this issue, configure the loopback interface in the desired OSPF area with the nv set vrf default router ospf area 0 network command and reference the assigned prefix of the loopback interface. For example:
cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32
| 4.0.0-5.0.1 | 5.1.0-5.16.1| | [2685584](#2685584)
| A host migrated to an 802.1x port within the same broadcast domain does not have the correct static FDB entry installed if a dynamic FDB entry for that MAC address exists from previous connectivity in the broadcast domain. | 4.2.1-4.3.0 | 4.3.1-4.4.5| | [2682792](#2682792)
| If you configure items in a VRF that has been created, deleted, then re-created, staticd crashes. | 4.3.0 | 4.3.1-4.4.5, 4.4.0-4.4.5| | [2682780](#2682780)
| Adding a route map configuration after a MAC access list configuration line causes the route map configuration to be applied incorrectly
To work around this issue, add the MAC access list configuration to the end of the /etc/frr/frr.conf file. | 4.2.0-4.3.4 | 4.4.0-4.4.5| | [2669873](#2669873)
| In an EVPN multihoming configuration, ARP/ND traffic coming in one switch is being sent back out the originating bond on the other switches in the ES on remote PE switches. Normally Split Horizon filtering prevents this kind of traffic at the remote PE. | 4.3.0-4.3.4 | 4.4.0-4.4.5| | [2669073](#2669073)
| On Spectrum, Spectrum-2, and Spectrum-3 switches, the l1-show command shows the wrong data when the MST service is stopped
To work around this issue, start the MST service with the sudo mst start command. | 4.3.0-4.3.4 | 4.4.0-4.4.5| -| [2668543](#2668543)
| SVIs do not inherit the pinned MAC address of the bridge. | 4.3.0 | 4.3.1-4.4.5, 5.10.0-5.16.1| +| [2668543, 3061431](#2668543, 3061431)
| SVIs do not inherit the pinned MAC address of the bridge. | 4.3.0 | 4.3.1-4.4.5, 5.10.0-5.16.1| | [2663119](#2663119)
| If you update the MAC address of an SVI using ifreload and hwaddress, the kernel maintains a stale permanent FDB entry for the old MAC address. | 3.7.15, 4.3.0, 4.4.0-4.4.3, 5.0.0-5.0.1 | 3.7.16, 4.3.1, 4.4.4-4.4.5, 5.1.0-5.16.1| | [2660583](#2660583)
| In an MLAG configuration, the secondary MLAG switch does not use a unique address instead of the MLAG system MAC address when there is a double-failure (peer link failure and backup IP failure) | 4.3.0 | 4.3.1-4.4.5| | [2654715](#2654715)
| The cl-acltool takes a significant amount of time to run, which can slow down automation scripts. | 4.2.0-4.3.4 | 4.4.0-4.4.5| | [2648658](#2648658)
| If you try to use more than one percent of max-ecmp-nexthops, you get an error indicating a failure. | 3.7.15-4.3.4 | 4.4.0-4.4.5| | [2645609](#2645609)
| The NCLU net show route vrf summary and vtysh show ip route vrf summary commands don't return any output. | 4.3.0-4.3.4 | 4.4.0-4.4.5| -| [2644071](#2644071)
| When you stop clagd on the MLAG primary switch (for example, when you reboot the switch), in rare conditions the MLAG secondary switch might fail to properly assert itself as the MLAG primary switch. To work around this issue, change the primary designation by configuring the clagd priorities to ensure that you only reboot a switch that is in the MLAG secondary role. | 3.7.15, 4.3.0-4.3.4 | 3.7.16, 4.4.0-4.4.5| +| [2644071, 3348697](#2644071, 3348697)
| When you stop clagd on the MLAG primary switch (for example, when you reboot the switch), in rare conditions the MLAG secondary switch might fail to properly assert itself as the MLAG primary switch. To work around this issue, change the primary designation by configuring the clagd priorities to ensure that you only reboot a switch that is in the MLAG secondary role. | 3.7.15, 4.3.0-4.3.4 | 3.7.16, 4.4.0-4.4.5| | [2639303](#2639303)
| When you use NCLU to delete a bond, then add an interface, NCLU reports an error similar to the following:
ERROR: 'NoneType' object has no attribute 'conf_key_value_multiple_values'See /var/log/netd.log for more details.
| 4.3.0-4.4.5 | | | [2632379](#2632379)
| When you upgrade the switch with apt-get upgrade, the kexec-tools package is not installed, which causes the Smart System Manager fast restart mode to work incorrectly. | 4.3.0-4.3.4 | 4.4.0-4.4.5| | [2628493](#2628493)
| On a PFC configured switch, non PFC enabled ports might transmit or receive traffic incorrectly after a reboot. To work around this issue, either run the echo 1 > /cumulus/switchd/config/traffic/reload command or the sudo systemctl restart switchd.service command. | 4.3.0 | 4.3.1-4.4.5| @@ -1497,7 +1497,7 @@ pdfhidden: True | [2618227](#2618227)
| The NCLU net show bridge macs command displays permanent MAC addresses for trunked VLANs. | 4.3.0-4.4.5 | | | [2614016](#2614016)
| The switch firmware incorrectly identifies Lenovo LR4 transceivers (part number 00YD278) and does not set the laser levels properly, which can prevent the link from coming up or might cause the transceiver to be identified as a 1G module. | 4.2.0-4.3.4 | 4.4.0-4.4.5| | [2599274](#2599274)
| On Mellanox Spectrum switches, when there is an MSTP forwarding state change on a bonds (for example, when the state changes from blocking to forwarding), the MSTP hardware table might set some VLANs to blocking when they should be forwarding. A a result, all packets on these VLANs drop at ingress
To recover from this state, flap the bond interface (not the physical swp) by running ifdown ; sleep 1 ; ifup . | 4.3.0-4.4.5 | 5.0.0-5.16.1| -| [2578814](#2578814)
| On NVIDIA Spectrum switches, BUM traffic might be dropped during VXLAN decapsulation in an EVPN multihoming environment after multiple PIM uplink interfaces flap. | 4.3.0-4.3.4 | 4.4.0-4.4.5| +| [2578814, 2644181](#2578814, 2644181)
| On NVIDIA Spectrum switches, BUM traffic might be dropped during VXLAN decapsulation in an EVPN multihoming environment after multiple PIM uplink interfaces flap. | 4.3.0-4.3.4 | 4.4.0-4.4.5| | [2577499](#2577499)
| QSFP+ 40G optics do not work on Spectrum platforms. | 4.3.0-4.3.4 | 4.4.0-4.4.5| | [2574368](#2574368)
| When you run the NCLU net add bgp maximum-paths ibgp command, FRR restarts unexpectedly
To work around this issue, either use the vtysh commands or edit the /etc/frr/frr.conf file directly, then run systemctl reload frr. | 4.1.1-4.4.5 | | | [2556816](#2556816)
| When ARP suppression is enabled, RARP packets sometimes get dropped and are not flooded by the local VTEP.
To work around this issue, disable ARP suppression. | 3.7.14-3.7.14.2, 4.3.0-4.3.4 | 3.7.15-3.7.16, 4.4.0-4.4.5| @@ -1517,7 +1517,7 @@ pdfhidden: True | [2555763](#2555763)
| The NCLU net del bgp neighbor command does not delete the neighbor and displays an error similar to the following:

ERROR: --- /run/nclu/frr/frr.conf.scratchpad.baseline   2021-01-04 17:23:59.250463331 +0000
+++ /run/nclu/frr/frr.conf.scratchpad    2021-01-04 17:25:59.213673980 +0000

To work around this issue, use the FRR command to delete a neighbor. | 4.3.0-4.4.5 | | | [2555613](#2555613)
| The net show configuration commands command incorrectly displays the NCLU syntax to disable IPv6 forwarding on interfaces. For example:

# net show configuration commands
net add vlan 1 ip6-forward off

The correct NCLU command to disable IPv6 forwarding is net add vlan 1 ipv6 forward off (without the hyphen). | 4.2.1-4.4.5 | | | [2555318](#2555318)
| If you try to enable BGP graceful restart when it is already enabled, you see an error similar to the following in the frr.log file:

2020-12-07T19:20:26.004333+00:00 cumulus bgpd[4954]: VRF default: Handle GR command GLOBAL_GR_CMD, current GR state GLOBAL_GR, new GR state GLOBAL_INVALID

This error has no functional impact. | 4.3.0-4.4.5 | | -| [2555175](#2555175)
| Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. | 3.7.15-4.3.1 | 4.3.2-4.4.5| +| [2555175, 3195351, 2672721](#2555175, 3195351, 2672721)
| Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. | 3.7.15-4.3.1 | 4.3.2-4.4.5| | [2554986](#2554986)
| The ethtool utility doesn't contain the latest values, as a result the Revision Compliance field shows Unallocated. | 4.2.1-4.4.5 | | | [2554812](#2554812)
| If the RMAC of a layer 3 SVI changes, the show vrf vni command is not updated with the new value. However, the new RMAC is seen in the show evpn vni command and is present on self-originated EVPN routes. | 4.2.1-4.4.5 | | | [2554798](#2554798)
| On the Mellanox SN3700C switch, PIM multicast packets are duplicated at the egress VTEP. | 4.2.0-4.3.4 | 4.4.0-4.4.5| @@ -1529,20 +1529,20 @@ pdfhidden: True | [2554466](#2554466)
| Kernel routes added by iproute2 are missing in FRR after an interface flap.
To work around this issue, configure a static route in FRR.
| 4.2.1-4.4.5 | | | [2554299](#2554299)
| In a VRRP configuration, BGP unnumbered sessions for VRFs fail to establish after a networking restart. | 4.2.0-4.3.4 | 4.4.0-4.4.5| | [2554261](#2554261)
| On Broadcom switches, when you create a VNI interface, switchd might crash with the following log message:
switchd[6628]: log.c:72 CRIT backend/bcm/hal_bcm_vxlan.c:1285: : Assertion '0' failed. | 4.3.0 | 4.3.1-4.4.5| -| [2554222](#2554222)
| The NCLU command to enable bridge learning fails.
As a work around, enable bridge learning in the /etc/network/interface file. For example:

auto vni-30
iface vni-30
    vxlan-id 30
    bridge-access 30
    bridge-arp-nd-suppress on
    bridge-learning on
    vxlan-local-tunnelip 10.10.10.1
    mstpctl-bpduguard yes
    mstpctl-portbpdufilter yes
    mtu 9166
| 4.2.1-4.4.5 | | +| [2554222, 2614073](#2554222, 2614073)
| The NCLU command to enable bridge learning fails.
As a work around, enable bridge learning in the /etc/network/interface file. For example:

auto vni-30
iface vni-30
    vxlan-id 30
    bridge-access 30
    bridge-arp-nd-suppress on
    bridge-learning on
    vxlan-local-tunnelip 10.10.10.1
    mstpctl-bpduguard yes
    mstpctl-portbpdufilter yes
    mtu 9166
| 4.2.1-4.4.5 | | | [2554218](#2554218)
| MLAG packets received on the peer link are dropped instead of routed. | 4.2.0-4.4.5 | | -| [2554202](#2554202)
| The output of the net show commit command does not show the last commit or the specified commit number but is empty instead. | 4.2.1-4.4.5 | | +| [2554202, 2544880](#2554202, 2544880)
| The output of the net show commit command does not show the last commit or the specified commit number but is empty instead. | 4.2.1-4.4.5 | | | [2553989](#2553989)
| Default policer configured for LACP as an INPUT chain rule in 00control_plane.rules is meant to protect CPU from an LACP storm. When LACP storm is originating out of a single bond or bond member interface in a switch with multiple bond interfaces, there is a possibility of other LACP bond interface(s) going down. | 4.2.1-4.4.5 | | | [2553887](#2553887)
| When using TACACS+ configured with a DEFAULT user providing privilege level lower than 16, TACACS+ configured users with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del and see an error similar to the following:

ERROR: You do not have permission to execute that command.

To work around this issue, remove the DEFAULT user from the TACACS+ server. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2553677](#2553677)
| When you configure an SNMPv3 user with the net-snmp-config configuration command from the libsnmp-dev package, you get an error message similar to the one below:

cumulus@switch:mgmt-vrf:~$ sudo net-snmp-config --create-snmpv3-user -a shaauthpass -x aesprivpass -A SHA -X AES userSHAwithAES
adding the following line to /var/lib/snmp/snmpd.conf:           
   createUser userSHAwithAES SHA "shaauthpass" AES "aesprivpass"       
adding the following line to /snmp/snmpd.conf:                           
   rwuser userSHAwithAES                                           
touch: cannot touch ‘/snmp/snmpd.conf’: No such file or directory
/usr/bin/net-snmp-create-v3-user: 144: /usr/bin/net-snmp-create-v3-user: cannot create /snmp/snmpd.conf: Directory nonexistent

To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:

cumulus@switch:mgmt-vrf:~$ net add snmp-server username user999 auth-md5 user999password encrypt-des user999encryption

Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation. | 3.7.13-3.7.16, 4.0.0-4.4.5 | | -| [2553237](#2553237)
| The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF.
NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF.

| 4.2.0-4.4.5 | | +| [2553237, 2552950](#2553237, 2552950)
| The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF.
NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF.

| 4.2.0-4.4.5 | | | [2553116](#2553116)
| When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure.
To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2553015](#2553015)
| If a neighbour contains a special character in PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail. | 3.7.10-3.7.16, 4.2.0-4.4.5 | | | [2552691](#2552691)
| On the EdgeCore AS4610 switch, the eth0 interface remains down when physically connected to a 1G interface.
To work around this issue, configure the link speed to 1000 and set auto-negotiation on for the eth0 interface, then flap eth0 with the ip link set eth0 down/up command to bring up the port. | 4.2.0-4.4.5 | | | [2552453](#2552453)
| On the Mellanox switch, RoCE with PFC configuration is not applied to all ports in hardware when a range is used in the traffic.conf file.
To work around this issue, use NCLU to configure RoCE with PFC or list individual ports in the traffic.conf file. | 4.2.0-4.4.5 | | | [2552309](#2552309)
| The following messages are seen on an Edgecord Minipack-AS8000 running Cumulus Linux 4.2.0:


Hal_bcm_console.c:294 MMU config profile 0 prigroup 0: Service Pool 0 has no space and cannot be assigned
Hal_bcm_console.c:294 MMU config port 0 idx 0: Pool 0 has no space and cannot be assigned


These messages are for internal validation purposes only and can be safely ignored.

| 4.2.0-4.4.5 | | | [2552294](#2552294)
| NCLU restarts FRR when removing a BGP VRF IPv4 aggregate-address command.
| 3.7.12-3.7.16, 4.0.0-4.4.5 | | -| [2552212](#2552212)
| The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages. | 3.7.11-3.7.14, 4.1.1-4.3.0 | 3.7.14.2-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5| +| [2552212, 2553637](#2552212, 2553637)
| The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages. | 3.7.11-3.7.14, 4.1.1-4.3.0 | 3.7.14.2-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5| | [2551666](#2551666)
| If you modify an interface name, then reuse the previous interface name for a different VLAN, the ifreload -a command generates an error similar to the following:

warning: : interface not recognized - please check interface configuration

| 4.1.0-4.4.5 | | | [2551578](#2551578)
| When you configure a bridge in the /etc/network/interfaces file, then try to reconfigure the bridge to be a VRF interface with the same name, ifreload/ifup commands fail with an invalid table id or unable to get vrf table id error. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2551565](#2551565)
| If you toggle VRRP priority values between VRRP routers, then restart switchd, a few IPv6 VRRP instances might not converge. As a result, both the VRRP routers act as master routers for the impacted IPv6 VRRP instances. IPv4 VRRP instances are not affected
To work around this issue, remove, then add back the VRRP configuration with NCLU or vtysh commands. | 3.7.13-3.7.16, 4.2.0-4.4.5 | | @@ -1577,15 +1577,15 @@ pdfhidden: True | [2548044](#2548044)
| When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor. | 3.7.12-3.7.15, 4.0.0-4.4.5 | 3.7.16| | [2547890](#2547890)
| QinQ across VXLAN on a traditional bridge does not work. | 4.1.0-4.4.5 | | | [2547782](#2547782)
| If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2547706](#2547706)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2547706, 2544456, 2549513](#2547706, 2544456, 2549513)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2547405](#2547405)
| When you restart the hsflowd service, you see a systemd warning message similar to the following:

Warning: The unit file, source configuration file or drop-ins of hsflowd@mgmt.service changed on disk. Run 'systemctl daemon-reload'.
| 4.0.0-4.4.5 | | | [2547120](#2547120)
| After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number), until you run the decode-syseeprom --init command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546991](#2546991)
| The FRR service does not provide a way for automation to know if the configuration applied properly.
To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546895](#2546895)
| If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:
bq. systemd[1]: switchd.service watchdog timeout (limit 2min)!
To workaround this issue, either reduce the number of configured interfaces and, or VLANs, or increase the systemd timeout for switchd.service
To increase the systemd timeout:1.Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter
2.Restart the switchd service with the sudo systemctl restart switchd.service command
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546874](#2546874)
| On the Dell S5232F, S5248F, S5296F, and S3048 switch, using the poweroff or halt commands does not fully power off the switch. | 4.0.0-4.4.5 | | | [2546255](#2546255)
| On the EdgeCore Minipack-AS8000 switch, a 100G DAC link does not come up when auto-negotiation is enabled on the neighbor. This switch does not support 100G DAC auto-negotiation at this time. | 4.0.0-4.4.5 | | -| [2546225](#2546225)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2546131](#2546131)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546225, 2541038](#2546225, 2541038)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546131, 2542979](#2546131, 2542979)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2545837](#2545837)
| If you use the NCLU commands to configure NTP and run the net add time ntp source command before you run the net add time ntp server iburst command, the /etc/ntp.conf file is misconfigured.
To work around this issue, run the net add time ntp server iburst command before you run the net add time ntp source command. | 3.7.10-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2545520](#2545520)
| The length of the netlink message is not set properly for non-bridge family type messages. The same length is used for both bridge and non-bridge even though the bridge family type message has an extra attribute. This causes extra bytes to be left over in non-bridge family type netlink messages. | 3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2545239](#2545239)
| On the Mellanox switch with the Spectrum-2 ASIC, Precision Time Protocol (PTP) is not currently supported. | 4.0.0-4.3.4 | 4.4.0-4.4.5| @@ -1595,22 +1595,22 @@ pdfhidden: True | [2544968](#2544968)
| FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:

sudo sh -c "printf 'interface 50\nvrf TEST description L3 routing interface\n' >> /etc/frr/frr.conf"

should be:

sudo sh -c "printf 'interface 50 vrf TEST\ndescription L3 routing interface\n' >> /etc/frr/frr.conf"

To work around this issue, configure the interface manually in the /etc/frr/frr.conf file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544957](#2544957)
| NCLU incorrectly allows you to apply port security configuration on layer 2 and layer 3 ports that are not part of a bridge. | 4.0.0-4.4.5 | | | [2544953](#2544953)
| When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.
To work around this issue, run the sudo systemctl restart lldpd.service command. | 3.7.10-3.7.16, 4.0.0-4.4.5 | | -| [2544880](#2544880)
| When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. | 4.0.0-4.4.5 | | +| [2544880, 2544616, 2554202](#2544880, 2544616, 2554202)
| When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. | 4.0.0-4.4.5 | | | [2544723](#2544723)
| Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2544463](#2544463)
| Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | -| [2544456](#2544456)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | +| [2544456, 2546166, 2546167, 2547706, 2549513](#2544456, 2546166, 2546167, 2547706, 2549513)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544311](#2544311)
| Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544155](#2544155)
| NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order.

| 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544113](#2544113)
| Mac learning is not disabled by default on a double tagged peer link interface resulting in the MAC address changing between the MLAG bond and the peer link.
To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the etc/network/interfaces file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2543937](#2543937)
| An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause a FRR reload to time out.
To work around this issue, remove the interface alias description from iproute2. | 3.7.8-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543915](#2543915)
| When you enable a service in the management VRF, systemctl issues a warning similar to the following:
Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run 'systemctl daemon-reload' to reload unit
You can safely ignore this warning. | 4.0.0-5.9.5 | 5.10.0-5.16.1| | [2543900](#2543900)
| On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | | -| [2543841](#2543841)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | +| [2543841, 2544947](#2543841, 2544947)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | | [2543816](#2543816)
| On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages.
| 3.7.6-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2543781](#2543781)
| NCLU does not allow you to configure OSPF NSSAs. For example: 

cumulus@switch:~$ net add ospf area 0.0.0.1 nssa 
ERROR: Command not found. 
net add ospf area 0.0.0.1 nssa

To work around this issue, use FRR instead. For example: 

switch# configure terminal 
switch(config)# router ospf 
switch(config-router)# area 0.0.0.1 nssa
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543724](#2543724)
| If a hostname contains utf-8 characters, the NCLU net show lldp command outputs the following error: 

ERROR: 'ascii' codec can't encode character u'\xe9' in position 3: ordinal not in range(128) 
See /var/log/netd.log for more details.
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543646](#2543646)
| In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | | -| [2543401](#2543401)
| On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. | 4.0.0-4.4.5 | | +| [2543401, 2543014](#2543401, 2543014)
| On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. | 4.0.0-4.4.5 | | | [2543211](#2543211)
| In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2543164](#2543164)
| The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2543096](#2543096)
| When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | @@ -1625,7 +1625,7 @@ pdfhidden: True | [2540352](#2540352)
| When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a _match interface_ condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9 
net add routing route-map Proxy-ARP permit 30 match interface swp10

| 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2540340](#2540340)
| NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example: 
 
 cumulus@switch:~$ net add vrf mgmt

Tab completion for the net add vrf ip address
command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540274](#2540274)
| On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | -| [2540204](#2540204)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540204, 2713883](#2540204, 2713883)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540192](#2540192)
| The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540155](#2540155)
| On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2540042](#2540042)
| When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example: 
 
cumulus@switch:~$ sudo vtysh 
switch# configure terminal 
switch(config)# interface br0.100 
switch(config-if)# vrrp 1 priority 110 
switch(config-if)# vrrp 1 advertisement-interval 
switch(config-if)# end 
switch# write memory 
switch# exit 
cumulus@switch:~

| 3.7.4-3.7.16, 4.0.0-4.4.5 | | @@ -1641,7 +1641,7 @@ pdfhidden: True | [2538562](#2538562)
| On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.
After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.
To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.
Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G. | 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2538294](#2538294)
| If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2537699](#2537699)
| There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces: 
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
| 3.7.1-3.7.16, 4.0.0-4.4.5 | | -| [2537544](#2537544)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2537544, 2537365](#2537544, 2537365)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | | [2536576](#2536576)
| If you try to bring down several members of a bond remotely at the same time, the link state of one of the interfaces might not transition correctly to the down state; however, all links show down in hardware.
| 4.0.0-4.4.5 | | | [2536384](#2536384)
| The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2536256](#2536256)
| For an unresolved address, the IPROUTER default policer rule has been modified to _not_ match on packets exiting a TUNNEL and headed to the CPU to resolve the address via ARP. As a result, the following default rule no longer matches TUNNEL ingress packets. 
 
A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type 
IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100

These packets are now policed by catch all rules.
To work around this issue, the VPORT value on a TRIDENT switch must be changed from binary 011 to 100.
| 4.0.0-4.4.5 | | @@ -1663,9 +1663,9 @@ pdfhidden: True |--- |--- |--- | | [2959067](#2959067)
| ECMP produces errors indicating No More Resources and switchd crashes even when ECMP utilization is low. | 3.7.14.2-4.2.1 | | | [2687332](#2687332)
| When you configure BGP aggregate-address summary-only and any component route within the summary updates, all component routes within the summary update in the RIB on the device advertising the summary. This condition might result in increased CPU usage
To workaround this issue, remove the aggregate-address summary-only configuration, add a static route to Null0 for the prefix, and configure an outbound route map to restrict anything more specific than the desired prefix from being advertised. For example: Before:
address-family ipv4 unicast
  aggregate-address 10.10.0.0/16 summary-only
  redistribute connected
After:
ip route 10.10.0.0/16 Null0
  !
  address-family ipv4 unicast
  redistribute connected route-map DENY-COMPONENTS
  redistribute static
   exit-address-family
  ip prefix-list NO-COMPONENTS seq 5 permit 10.10.0.0/16 ge 17
  !
  route-map DENY-COMPONENTS deny 10
   match ip address prefix-list NO-COMPONENTS
  !
  route-map DENY-COMPONENTS permit 20
This example assumes no other static routes are present. Otherwise, you might need to configure additional route maps to limit the static routes being redistributed. | 3.7.12-4.2.1 | | -| [2556334](#2556334)
| On the Mellanox SN-4700 switch, when you use a 2x100G configuration, the links do not come up. | | | +| [2556334, 2555514](#2556334, 2555514)
| On the Mellanox SN-4700 switch, when you use a 2x100G configuration, the links do not come up. | | | | [2556215](#2556215)
| When you run any of the vtysh show bgp ipv4 or show bgp ipv6 statistics commands, the bgpd service crashes. | 4.2.1 | | -| [2556010](#2556010)
| On Broadcom switches, after repeated VLAN or VXLAN configuration changes, switchd memory might not free up appropriately, which can lead to a crash. | 3.7.14, 4.0.0-4.2.1 | | +| [2556010, 2556276](#2556010, 2556276)
| On Broadcom switches, after repeated VLAN or VXLAN configuration changes, switchd memory might not free up appropriately, which can lead to a crash. | 3.7.14, 4.0.0-4.2.1 | | | [2555588](#2555588)
| You can't delete a BGP community list created with NCLU. | 4.2.1 | | | [2555531](#2555531)
| QinQ (802.1Q) packets routed to a layer 3 subinterface are still double tagged with the VLAN of the subinterface and the original inner VLAN when they leave the subinterface. | 4.2.0-4.2.1 | | | [2555528](#2555528)
| In an EVPN Active/Active configuration, when one of the peers reboots and begins to refresh IP neighbor entries shared by the MLAG peer, some of these ARP messages might be dropped by the MLAG peer's ARP policer.
To work around this issue, increase the burst value of the ARP policers to 200 or higher. | 3.7.14-4.2.1 | | @@ -1691,7 +1691,7 @@ pdfhidden: True | [2554333](#2554333)
| The INPUT chain POLICE target acts as ACCEPT instead of continue. | 4.2.1 | | | [2554292](#2554292)
| With traditional bridges, a race condition occurs when Cumulus Linux tries to derive MAC addresses.
To work around this issue, use a static MAC address; specify a MAC address in the /etc/network/interfaces file under the bridge's stanza. | 4.2.1 | | | [2554258](#2554258)
| ifupdown2 removes the dhclient instance if DHCP times out. | 4.2.1 | | -| [2554253](#2554253)
| After upgrading the Mellanox SN2410 switch, the FAN is set to full speed. | 4.2.1 | | +| [2554253, 2554353](#2554253, 2554353)
| After upgrading the Mellanox SN2410 switch, the FAN is set to full speed. | 4.2.1 | | | [2554246](#2554246)
| When you back up and restore a configuration using the conf-backup utility, the switch might hang when rebooted. | 4.1.1-4.2.1 | | | [2553952](#2553952)
| On Mellanox Spectrum based switches running 4.1.0 or higher, if FORWARD chain ACLs are configured on the system, a switch port breakout action applied with a reload of the switchd service may cause switchd to crash. | 4.2.0-4.2.1 | | | [2553747](#2553747)
| On switches with the Spectrum ASIC, the IPv6 default route is present in the kernel but missing in hardware. | 3.7.11-3.7.14.2, 4.2.1 | | @@ -1699,10 +1699,10 @@ pdfhidden: True | [2553731](#2553731)
| A ping via a dual-connected bond fails, and the audio stream is not routed or encapsulated through the layer 3 VNI. | 3.7.12-3.7.13, 4.0.0-4.2.1 | | | [2553586](#2553586)
| Multicast traffic on a VPN is sent to remote VTEPs that are not part of the VPN and the remote VTEPs receive multicast traffic encapsulated in a VXLAN ID that doesn't exist.
To work around this issue, disable IGMP snooping on the switch. | 3.7.12-3.7.13, 4.0.0-4.2.1 | | | [2553568](#2553568)
| After a MAC address moves from one remote VTEP to another, the MAC address continues to point to the old VTEP IP address in hardware. | 4.1.1-4.2.1 | | -| [2553529](#2553529)
| In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated.
To work around this issue, restart FRR with the sudo systemctl restart frr.service command.

| 3.7.10-3.7.13, 4.1.1-4.2.1 | | +| [2553529, 2553349](#2553529, 2553349)
| In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated.
To work around this issue, restart FRR with the sudo systemctl restart frr.service command.

| 3.7.10-3.7.13, 4.1.1-4.2.1 | | | [2553468](#2553468)
| Digital Optical Monitoring (DOM) Data is displayed incorrectly on SFP fiber modules inserted in the Fiberstore N8500-48B6C, Celestica Questone, and Celestica RedstoneV switches. | 4.2.0-4.2.1 | | | [2553449](#2553449)
| On the the Dell N3248-PXE switch, when you insert two PSUs at different times, the newly inserted PSU is detected as OK but the fan and temp sensors are ABSENT.
To work around this issue, remove power to both PSUs at the same time, then reinsert power simultaneously. | 3.7.12-3.7.13, 4.2.1 | | -| [2553349](#2553349)
| When you delete a layer 2 VNI and VLAN, the layer 3 VNI reports an incorrect layer 2 VNI number.
To work around this issue, either restart FRR or delete the VNI interface first, then delete the VLAN/SVI. | 4.2.0-4.2.1 | | +| [2553349, 2553529](#2553349, 2553529)
| When you delete a layer 2 VNI and VLAN, the layer 3 VNI reports an incorrect layer 2 VNI number.
To work around this issue, either restart FRR or delete the VNI interface first, then delete the VLAN/SVI. | 4.2.0-4.2.1 | | | [2553278](#2553278)
| Leaked routes are sometimes missing from the destination VRF after a reboot. | 4.2.0-4.2.1 | | | [2553228](#2553228)
| On the Dell N3248PXE switch, RJ45 fixed copper ports that auto-negotiate with a 100M or 10M neighbor incorrectly negotiate a half-duplex link that generates errors. Half duplex modes are not supported on this platform. | 3.7.12-3.7.13, 4.2.1 | | | [2553219](#2553219)
| You cannot configure SNMPv3 trap-destinations in non-default VRFs with an authentication username that contains fewer than eight characters. | 3.7.12-4.2.1 | | @@ -1711,7 +1711,7 @@ pdfhidden: True | [2552880](#2552880)
| IPv6 TCP or UDP connections (sourcing from an ephemeral port in the range 34048 to 35071) are not forwarded if the switch has more than one layer 2 VNI defined. The traffic might be locally switched on the bridge and dropped.
To work around this issue, disable ARP/ND suppression to remove the internal ACL rule that affects the ports. | 3.7.13, 4.2.1 | | | [2552869](#2552869)
| On the Dell N3048EP switch, the module information from SFP ports is not displayed in the l1-show command.
To work around this issue, use the ethtool -m command. | 3.7.13-4.2.1 | | | [2552853](#2552853)
| Tenant VRF BGP peers appear in the EVPN RMAC and nexthop tables, which causes the kernel RMAC to point at invalid IP address. | 3.7.12-3.7.14.2, 4.0.0-4.2.1 | | -| [2552742](#2552742)
| On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.
To work around this issue, restart switchd. | 3.7.12-4.2.1 | | +| [2552742, 2553000, 2553936](#2552742, 2553000, 2553936)
| On the Mellanox SN2410 switch, you see switchd core and GBIN_MALLOC errors.
To work around this issue, restart switchd. | 3.7.12-4.2.1 | | | [2552710](#2552710)
| The MLAG bonds on a secondary switch do not change to a unique MAC address on the peerlink. As a result, a backup double failure can occur where both peers go down. | 4.2.0-4.2.1 | | | [2552704](#2552704)
| In a traditional bridge configuration with ip-forward off, neighbors are synchronized to hardware with a switchd restart but are cleared when you flap the bridge interface. | 3.7.10-3.7.14.2, 4.0.0-4.2.1 | | | [2552687](#2552687)
| When you boot Cumulus VX 4.2 for the first time, ZTP does not execute because it thinks that the /etc/shadow file has been modified. This is due to the default password change implemented in CL 4.2.
To work around this issue, boot the switch, manually change the password, then run sudo ztp -R to reset the ZTP script. | 4.2.0-4.2.1 | | @@ -1723,7 +1723,7 @@ pdfhidden: True | [2551422](#2551422)
| On Mellanox switches with the Spectrum-2 switch, the lpm-balanced forwarding profile does not work. | 4.1.1-4.2.1 | | | [2551187](#2551187)
| dot1qVlanIndex in the dot1qVlanStaticTable of the SNMP Q-BRIDGE-MIB does not use VLAN ID and does not comply with RFC 4363. | 4.1.1-4.2.1 | | | [2551124](#2551124)
| When the dynamic or static flag on a bridge fdb (MAC) entry is changed to the opposite state, the new flag is not set appropriately in hardware. This can allow a static fdb entry to be unexpectedly learned dynamically on a different interface, or can prevent a dynamic entry from being updated or learned elsewhere.
This condition can occur during a manual replacement of a local MAC address or when EVPN updates a dynamic MAC address to add or remove the Sticky Mac flag. Either situation results in the MAC address keeping the original flag in hardware.
To work around this issue, delete or withdraw the fdb entry, then add the static MAC address directly. For example:

bridge fdb del 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master
bridge fdb add 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master [ static \| dynamic ]

If you are unable to delete an EVPN-learned remote MAC address, you can replace the dynamic MAC address with a local static one, then delete the static MAC address. For example:

bridge fdb replace 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master static
bridge fdb del 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master
bridge fdb add 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master [ static \| dynamic ]
| 4.0.0-4.2.1 | | -| [2550973](#2550973)
| After you enable ROCE with the net add interface storage-optimized pfc command, you cannot verify the command because it is not shown in the net show config command output. | 4.1.1-4.2.1 | | +| [2550973, 2548408](#2550973, 2548408)
| After you enable ROCE with the net add interface storage-optimized pfc command, you cannot verify the command because it is not shown in the net show config command output. | 4.1.1-4.2.1 | | | [2550906](#2550906)
| After you delete a bond, the deleted bond members have the deleted bond MAC address instead of their original MAC address, which might result in traffic being discarded.
To work around this issue, perform a full switch restart. | 4.1.1-4.2.1 | | | [2550796](#2550796)
| On a Broadcom switch with the Trident2+ ASIC, ACL rules for VLANs are not applied after a reboot and the counters remain at zero.
To work around this issue, either do not set acl.non_atomic_update_mode = TRUE in the /etc/cumulus/switchd.conf file or run the cl-acltool -i command after the reboot to install the ACLs. | 3.7.12-4.2.1 | | | [2550478](#2550478)
| VXLAN interface as in-interface or out-interface in an ACL is not supported in Spectrum-based switches. | 3.7.7-4.2.0 | | @@ -1734,10 +1734,10 @@ pdfhidden: True | [2549784](#2549784)
| On Mellanox switches, when the networking service and switchd starts up, a rare condition might occur where switchd crashes and the following log message is generated:

CRIT backend/mlx/hal_mlx_nexthop.c:294: hal_mlx_ecmp_data_reinit: Assertion '(num_next_hops)' failed.
| 4.1.0-4.2.1 | | | [2549225](#2549225)
| You might see the following gport error messages in switchd.log:

2020-04-10T19:50:01.011224+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x800007a find failed
2020-04-10T19:50:01.011631+09:00 E1PDX0V1ELF0001 6 switchd[925]: hal_bcm_mdb.c:530 gport 0x8000009 find failed

These messages are harmless and can be ignored. | 3.7.12-3.7.14.2, 4.0.0-4.2.1 | | | [2548930](#2548930)
| On Mellanox Spectrum switches that contain an OSPF IP unnumbered neighborship with a high scale of prefixes being learned, a link flap might cause the neighbor entry to not be programmed in hardware. | 3.7.11-4.2.1 | | -| [2548672](#2548672)
| When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.
To work around this issue, remove the unnecessary eBGP IPv4 peering. | 3.7.12-3.7.15, 4.0.0-4.2.1 | | +| [2548672, 2555635](#2548672, 2555635)
| When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF.
To work around this issue, remove the unnecessary eBGP IPv4 peering. | 3.7.12-3.7.15, 4.0.0-4.2.1 | | | [2548485](#2548485)
| If you configure the aggregate-address
summary-only option before injecting a component of the same aggregate into the BGP table with the network or redistribute command, when you remove the aggregate-address configuration, the component stays suppressed; it is not advertised to peers. For example:Existing configuration:
router bgp 1
address-family ipv4 unicast
 aggregate-address 50.0.0.0/8 summary-only
exit-address-family
If you add network 50.0.0.1/32, you see the following (expected) BGP table entries:
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
             i internal, r RIB-failure, S Stale, R RemovedOrigin codes: i - IGP, e - EGP, ? - incomplete
  Network          Next Hop            Metric LocPrf Weight Path*> 50.0.0.0         0.0.0.0                            32768 is> 50.0.0.1/32      0.0.0.0                  0         32768 i
Removing aggregate-address 50.0.0.0/8 summary-only at this point results in the following (unexpected) BGP table entry:
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
             i internal, r RIB-failure, S Stale, R RemovedOrigin codes: i - IGP, e - EGP, ? - incomplete
  Network          Next Hop            Metric LocPrf Weight Paths> 50.0.0.1/32      0.0.0.0                  0         32768 i
To work around this issue, remove, then re-add the component prefix routes. | 3.7.12-4.2.1 | | -| [2548408](#2548408)
| net show configuration commands does not show the RoCE net add interface storage-optimized pfc configuration. | 4.1.0-4.2.1 | | +| [2548408, 2550973](#2548408, 2550973)
| net show configuration commands does not show the RoCE net add interface storage-optimized pfc configuration. | 4.1.0-4.2.1 | | | [2547068](#2547068)
| Hardware platforms using the Intel D-1500 CPU series might reboot unexpectedly
To work around this issue, contact your hardware vendor to inquire if a new version of BIOS with a microcode fix is available or manually disable CPU C-states in the kernel as outlined below
To permanently disable C-states using a kernel boot parameter:1. Edit /etc/default/grub to add the argument processor.max_cstate=0 to the variable GRUB_CMDLINE_LINUX. For example, if /etc/default/grub file contains the line GRUB_CMDLINE_LINUX="cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off", change it to GRUB_CMDLINE_LINUX="cl_platform=accton_as7726_32x console=tty0 console=ttyS0,115200n8 intel_iommu=off pcie_aspm=off processor.max_cstate=0"2. Run sudo update-grub
3. Reboot the system with sudo reboot
To disable cstates in realtime on the current system, which does not persist through a reboot:1. Confirm that the libpci3 package is installed. Run dpkg-query -l libpci3 and confirm the following line is displayed:ii libpci3:amd64 1:3.2.1-3 amd64 Linux PCI Utilities (shared library)The first field above should read ii. If not, install the libpci3 package by running sudo apt upgrade;sudo apt install libpci3
2. Disable C-states by running the command ./cpupower idle-set -d 2
C-states are disabled by default in Cumulus Linux 4.3.0 and later. | 3.7.9-4.2.1 | | | [2543647](#2543647)
| ERSPAN in ebtables does not work for VNIs. For example, the following rule does not work:

-A FORWARD -i vni10 -j erspan --src-ip 100.1.1.2 --dst-ip 100.1.1.1 --ttl 64
| 3.7.6-4.2.1 | | -| [2534977](#2534977)
| On the Mellanox switch, the destination MAC address of ERSPAN GRE packets is set to all zeros; therefore, the first transit switch might drop packets. | 4.0.0-4.2.1 | | +| [2534977, 2535424](#2534977, 2535424)
| On the Mellanox switch, the destination MAC address of ERSPAN GRE packets is set to all zeros; therefore, the first transit switch might drop packets. | 4.0.0-4.2.1 | | diff --git a/content/cumulus-linux-43/rn.xml b/content/cumulus-linux-43/rn.xml index 8a1fb63a1e..cab1ebd853 100644 --- a/content/cumulus-linux-43/rn.xml +++ b/content/cumulus-linux-43/rn.xml @@ -2304,7 +2304,7 @@ cumulus@switch:~$ sudo apt upgrade 5.6.0-5.16.1 -3474391 +3474391, 3479772 The SNMP MIB definition file {{/usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt}} does not define the INDEX of the {{bgpPeerEntry}} correctly. This issue does not impact SNMP functionality for this MIB. 4.3.1-5.5.1 5.6.0-5.16.1 @@ -2322,7 +2322,7 @@ cumulus@switch:~$ sudo apt upgrade -3390022 +3390022, 3323138 When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the {{peerlink.4095}} interface stanza are duplicated. Subsequent {{ifreloads}}, or {{net commit}} commands fail until you manually remove the duplicated lines from this interface and run {{ifreload -a}}. 4.2.1-4.4.5 @@ -2375,7 +2375,7 @@ To work around this issue, change the TCAM profile to {{acl-heavy}} or {{ip-acl- -3168564 +3168564, 3198302 In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), {{switchd}} might crash when you restart {{clagd}} or when all bonds go operationally down, then up. On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. 4.3.1-4.4.5 @@ -2406,7 +2406,7 @@ On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scal 5.2.0-5.16.1 -3108491 +3108491, 2434628 In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart {{switchd}}. 4.2.1-4.4.5 5.0.0-5.16.1 @@ -2448,14 +2448,14 @@ On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scal -3059135 +3059135, 3060400 In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route. To resolve this issue, restart FRR with the {{sudo systemctl restart frr}} command. 4.3.0-5.1.0 5.2.0-5.16.1 -3046023 +3046023, 3096918 The {{cl-resource-query}} command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the {{switchd.log}} file contains ECMP resource errors with routes and next hops failing to install. 4.2.1-5.1.0 5.2.0-5.16.1 @@ -2593,7 +2593,7 @@ This affects failed neighbor entries on routed interfaces that are not SVIs.5.0.0-5.16.1 -2743186 +2743186, 2734100, 2731464, 3438708 When you use MD5 passwords and you configure a non-default VRF before the default VRF in the {{/etc/frr/frr.conf}} file, numbered BGP sessions do not establish. 3.7.15-5.1.0 5.2.0-5.16.1 @@ -2617,14 +2617,14 @@ This affects failed neighbor entries on routed interfaces that are not SVIs.5.0.0-5.16.1 -2728119 +2728119, 2729309 When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the {{sudo systemctl restart frr}} command. 4.3.0-4.4.5 5.0.0-5.16.1 -2713888 +2713888, 2834357 With the {{ip-acl-heavy}} TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly. hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources @@ -2658,7 +2658,7 @@ To work around this issue, change the TCAM profile to {{acl-heavy}} or {{ip-acl- 3.7.16 -2690017 +2690017, 3431625 When you remove a bond member, then re-add it, you might see a {{Parameter Error}} failure in {{{syslog}} and {{switchd.log}}: sx_sdk: LAG: Can't add port (0x00012400) to lag. Port has vports configured for it (Parameter Error). @@ -2744,7 +2744,7 @@ To recover from this state, flap the bond interface (not the physical swp) by ru 5.0.0-5.16.1 -2578814 +2578814, 2644181 On NVIDIA Spectrum switches, BUM traffic might be dropped during VXLAN decapsulation in an EVPN multihoming environment after multiple PIM uplink interfaces flap. 4.3.0-4.3.4 4.4.0-4.4.5 @@ -2893,7 +2893,7 @@ To work around this issue, configure a static route in FRR. 4.4.0-4.4.5 -2554222 +2554222, 2614073 The NCLU command to enable bridge learning fails. As a work around, enable bridge learning in the {{/etc/network/interface}} file. For example: @@ -2918,7 +2918,7 @@ iface vni-30 -2554202 +2554202, 2544880 The output of the {{net show commit}} command does not show the last commit or the specified commit number but is empty instead. 4.2.1-4.4.5 @@ -2960,7 +2960,7 @@ Alternatively, directly edit the {{/etc/snmp/snmpd.conf}} file as described in t -2553237 +2553237, 2552950 The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF. NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF. @@ -3254,7 +3254,7 @@ These errors are result of user space acting on kernel events a bit slow. The m -2547706 +2547706, 2544456, 2549513 When you configure ganged ports in the {{ports.conf}} file, the change does not take effect after you restart {{switchd}}. To work around this issue, reboot the switch. 3.7.11-3.7.16, 4.0.0-4.4.5 @@ -3310,7 +3310,7 @@ To increase the {{systemd}} timeout: -2546225 +2546225, 2541038 When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in {{/var/lib/cumulus/installer}}, which causes issues with cl-support. sudo onie-install -fai http://<path to image> @@ -3321,7 +3321,7 @@ To increase the {{systemd}} timeout: -2546131 +2546131, 2542979 On the Delta AG-6248C PoE switch, when you run the {{apt upgrade}} command, the upgrade does not work. Cumulus Linux uses {{uboot}} directly instead of {{grub}} to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the {{apt upgrade}} command to upgrade Linux packages, {{uboot}} is unable to boot up the kernel. To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the {{onie-select}} command to go into ONIE, and then use the {{nos-install}} command in ONIE to install a new image. This workaround only works when an out-of-band network is present. @@ -3393,7 +3393,7 @@ To work around this issue, run the {{sudo systemctl restart lldpd.service}} comm -2544880 +2544880, 2544616, 2554202 When you run the NCLU {{net show commit last}} or {{net show commit <number>}} command, where {{<number>}} is the last commit, no output is shown. 4.0.0-4.4.5 @@ -3412,7 +3412,7 @@ To work around this issue, do not use auto-negotiation and set the local port sp -2544456 +2544456, 2546166, 2546167, 2547706, 2549513 The NCLU {{net show lldp}} command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. 3.7.9-3.7.16, 4.0.0-4.4.5 @@ -3462,7 +3462,7 @@ You can safely ignore this warning. -2543841 +2543841, 2544947 The {{net show evpn vni detail json}} command includes an extra empty dictionary at the end of the output. 3.7.8-3.7.16, 4.0.0-4.4.5 @@ -3509,7 +3509,7 @@ See /var/log/netd.log for more details. -2543401 +2543401, 2543014 On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to {{admin up}} until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces. To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. 4.0.0-4.4.5 @@ -3632,7 +3632,7 @@ This issue only affects QinQ configurations. -2540204 +2540204, 2713883 When links come up after FRR is started, VRF connected routes do not get redistributed. 3.7.4-3.7.16, 4.0.0-4.4.5 @@ -3789,7 +3789,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537544 +2537544, 2537365 When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB. 3.7.1-3.7.16, 4.0.0-4.4.5 @@ -3984,7 +3984,7 @@ cumulus@switch:~$ sudo apt upgrade 5.6.0-5.16.1 -3474391 +3474391, 3479772 The SNMP MIB definition file {{/usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt}} does not define the INDEX of the {{bgpPeerEntry}} correctly. This issue does not impact SNMP functionality for this MIB. 4.3.1-5.5.1 5.6.0-5.16.1 @@ -4002,7 +4002,7 @@ cumulus@switch:~$ sudo apt upgrade -3390022 +3390022, 3323138 When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the {{peerlink.4095}} interface stanza are duplicated. Subsequent {{ifreloads}}, or {{net commit}} commands fail until you manually remove the duplicated lines from this interface and run {{ifreload -a}}. 4.2.1-4.4.5 @@ -4055,7 +4055,7 @@ To work around this issue, change the TCAM profile to {{acl-heavy}} or {{ip-acl- -3168564 +3168564, 3198302 In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), {{switchd}} might crash when you restart {{clagd}} or when all bonds go operationally down, then up. On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. 4.3.1-4.4.5 @@ -4086,7 +4086,7 @@ On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scal 5.2.0-5.16.1 -3108491 +3108491, 2434628 In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart {{switchd}}. 4.2.1-4.4.5 5.0.0-5.16.1 @@ -4128,14 +4128,14 @@ On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scal -3059135 +3059135, 3060400 In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route. To resolve this issue, restart FRR with the {{sudo systemctl restart frr}} command. 4.3.0-5.1.0 5.2.0-5.16.1 -3046023 +3046023, 3096918 The {{cl-resource-query}} command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the {{switchd.log}} file contains ECMP resource errors with routes and next hops failing to install. 4.2.1-5.1.0 5.2.0-5.16.1 @@ -4273,7 +4273,7 @@ This affects failed neighbor entries on routed interfaces that are not SVIs.5.0.0-5.16.1 -2743186 +2743186, 2734100, 2731464, 3438708 When you use MD5 passwords and you configure a non-default VRF before the default VRF in the {{/etc/frr/frr.conf}} file, numbered BGP sessions do not establish. 3.7.15-5.1.0 5.2.0-5.16.1 @@ -4297,14 +4297,14 @@ This affects failed neighbor entries on routed interfaces that are not SVIs.5.0.0-5.16.1 -2728119 +2728119, 2729309 When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the {{sudo systemctl restart frr}} command. 4.3.0-4.4.5 5.0.0-5.16.1 -2713888 +2713888, 2834357 With the {{ip-acl-heavy}} TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly. hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources @@ -4338,7 +4338,7 @@ To work around this issue, change the TCAM profile to {{acl-heavy}} or {{ip-acl- 3.7.16 -2690017 +2690017, 3431625 When you remove a bond member, then re-add it, you might see a {{Parameter Error}} failure in {{{syslog}} and {{switchd.log}}: sx_sdk: LAG: Can't add port (0x00012400) to lag. Port has vports configured for it (Parameter Error). @@ -4424,7 +4424,7 @@ To recover from this state, flap the bond interface (not the physical swp) by ru 5.0.0-5.16.1 -2578814 +2578814, 2644181 On NVIDIA Spectrum switches, BUM traffic might be dropped during VXLAN decapsulation in an EVPN multihoming environment after multiple PIM uplink interfaces flap. 4.3.0-4.3.4 4.4.0-4.4.5 @@ -4573,7 +4573,7 @@ To work around this issue, configure a static route in FRR. 4.4.0-4.4.5 -2554222 +2554222, 2614073 The NCLU command to enable bridge learning fails. As a work around, enable bridge learning in the {{/etc/network/interface}} file. For example: @@ -4598,7 +4598,7 @@ iface vni-30 -2554202 +2554202, 2544880 The output of the {{net show commit}} command does not show the last commit or the specified commit number but is empty instead. 4.2.1-4.4.5 @@ -4640,7 +4640,7 @@ Alternatively, directly edit the {{/etc/snmp/snmpd.conf}} file as described in t -2553237 +2553237, 2552950 The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF. NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF. @@ -4934,7 +4934,7 @@ These errors are result of user space acting on kernel events a bit slow. The m -2547706 +2547706, 2544456, 2549513 When you configure ganged ports in the {{ports.conf}} file, the change does not take effect after you restart {{switchd}}. To work around this issue, reboot the switch. 3.7.11-3.7.16, 4.0.0-4.4.5 @@ -4990,7 +4990,7 @@ To increase the {{systemd}} timeout: -2546225 +2546225, 2541038 When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in {{/var/lib/cumulus/installer}}, which causes issues with cl-support. sudo onie-install -fai http://<path to image> @@ -5001,7 +5001,7 @@ To increase the {{systemd}} timeout: -2546131 +2546131, 2542979 On the Delta AG-6248C PoE switch, when you run the {{apt upgrade}} command, the upgrade does not work. Cumulus Linux uses {{uboot}} directly instead of {{grub}} to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the {{apt upgrade}} command to upgrade Linux packages, {{uboot}} is unable to boot up the kernel. To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the {{onie-select}} command to go into ONIE, and then use the {{nos-install}} command in ONIE to install a new image. This workaround only works when an out-of-band network is present. @@ -5073,7 +5073,7 @@ To work around this issue, run the {{sudo systemctl restart lldpd.service}} comm -2544880 +2544880, 2544616, 2554202 When you run the NCLU {{net show commit last}} or {{net show commit <number>}} command, where {{<number>}} is the last commit, no output is shown. 4.0.0-4.4.5 @@ -5092,7 +5092,7 @@ To work around this issue, do not use auto-negotiation and set the local port sp -2544456 +2544456, 2546166, 2546167, 2547706, 2549513 The NCLU {{net show lldp}} command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. 3.7.9-3.7.16, 4.0.0-4.4.5 @@ -5142,7 +5142,7 @@ You can safely ignore this warning. -2543841 +2543841, 2544947 The {{net show evpn vni detail json}} command includes an extra empty dictionary at the end of the output. 3.7.8-3.7.16, 4.0.0-4.4.5 @@ -5189,7 +5189,7 @@ See /var/log/netd.log for more details. -2543401 +2543401, 2543014 On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to {{admin up}} until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces. To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. 4.0.0-4.4.5 @@ -5312,7 +5312,7 @@ This issue only affects QinQ configurations. -2540204 +2540204, 2713883 When links come up after FRR is started, VRF connected routes do not get redistributed. 3.7.4-3.7.16, 4.0.0-4.4.5 @@ -5469,7 +5469,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537544 +2537544, 2537365 When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB. 3.7.1-3.7.16, 4.0.0-4.4.5 @@ -5642,7 +5642,7 @@ OR 4.3.0-4.3.1 -3419962 +3419962, 3626533 On a Broadcom switch, if you remove a double-tagged interface from a bridge that contains other double-tagged interfaces built on the same physical port (for example, you remove swp1.10.100 when swp1.10.200 is also a bridge port), traffic forwarding within the bridge might fail and you see critical warnings in the {{/var/log/switchd.log}} file similar to the following: switchd[8587]: hal_bcm.c:2207 CRIT knet_vlan_translate_delete(update): port 1 ext_vlan 10.100 int_vlan 2132: -11 @@ -5655,7 +5655,7 @@ switchd[8587]: hal_bcm.c:2207 CRIT knet_vlan_translate_delete(update): port 1 ex 4.3.1 -3413826 +3413826, 3323143 During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbor entries cannot synchronize between MLAG nodes. During this transitory upgrade state, neighbor entry resolution relies on data plane traffic being forwarded to the CPU so ARP can resolve the necessary neighbor entry before traffic can go through the fastpath. 4.4.0-5.4.0 @@ -5766,7 +5766,7 @@ ValueError: invalid literal for int() with base 10: ‘0t 4.3.0-4.3.1, 4.4.0-5.2.1 -2555175 +2555175, 3195351, 2672721 Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. 3.7.15-4.3.1 @@ -5831,7 +5831,7 @@ cumulus@switch:~$ sudo apt upgrade 5.6.0-5.16.1 -3474391 +3474391, 3479772 The SNMP MIB definition file {{/usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt}} does not define the INDEX of the {{bgpPeerEntry}} correctly. This issue does not impact SNMP functionality for this MIB. 4.3.1-5.5.1 5.6.0-5.16.1 @@ -5849,7 +5849,7 @@ cumulus@switch:~$ sudo apt upgrade -3390022 +3390022, 3323138 When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the {{peerlink.4095}} interface stanza are duplicated. Subsequent {{ifreloads}}, or {{net commit}} commands fail until you manually remove the duplicated lines from this interface and run {{ifreload -a}}. 4.2.1-4.4.5 @@ -5902,7 +5902,7 @@ To work around this issue, change the TCAM profile to {{acl-heavy}} or {{ip-acl- -3168564 +3168564, 3198302 In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), {{switchd}} might crash when you restart {{clagd}} or when all bonds go operationally down, then up. On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. 4.3.1-4.4.5 @@ -5933,7 +5933,7 @@ On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scal 5.2.0-5.16.1 -3108491 +3108491, 2434628 In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart {{switchd}}. 4.2.1-4.4.5 5.0.0-5.16.1 @@ -5975,14 +5975,14 @@ On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scal -3059135 +3059135, 3060400 In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route. To resolve this issue, restart FRR with the {{sudo systemctl restart frr}} command. 4.3.0-5.1.0 5.2.0-5.16.1 -3046023 +3046023, 3096918 The {{cl-resource-query}} command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the {{switchd.log}} file contains ECMP resource errors with routes and next hops failing to install. 4.2.1-5.1.0 5.2.0-5.16.1 @@ -6120,7 +6120,7 @@ This affects failed neighbor entries on routed interfaces that are not SVIs.5.0.0-5.16.1 -2743186 +2743186, 2734100, 2731464, 3438708 When you use MD5 passwords and you configure a non-default VRF before the default VRF in the {{/etc/frr/frr.conf}} file, numbered BGP sessions do not establish. 3.7.15-5.1.0 5.2.0-5.16.1 @@ -6144,14 +6144,14 @@ This affects failed neighbor entries on routed interfaces that are not SVIs.5.0.0-5.16.1 -2728119 +2728119, 2729309 When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the {{sudo systemctl restart frr}} command. 4.3.0-4.4.5 5.0.0-5.16.1 -2713888 +2713888, 2834357 With the {{ip-acl-heavy}} TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly. hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources @@ -6185,7 +6185,7 @@ To work around this issue, change the TCAM profile to {{acl-heavy}} or {{ip-acl- 3.7.16 -2690017 +2690017, 3431625 When you remove a bond member, then re-add it, you might see a {{Parameter Error}} failure in {{{syslog}} and {{switchd.log}}: sx_sdk: LAG: Can't add port (0x00012400) to lag. Port has vports configured for it (Parameter Error). @@ -6271,7 +6271,7 @@ To recover from this state, flap the bond interface (not the physical swp) by ru 5.0.0-5.16.1 -2578814 +2578814, 2644181 On NVIDIA Spectrum switches, BUM traffic might be dropped during VXLAN decapsulation in an EVPN multihoming environment after multiple PIM uplink interfaces flap. 4.3.0-4.3.4 4.4.0-4.4.5 @@ -6420,7 +6420,7 @@ To work around this issue, configure a static route in FRR. 4.4.0-4.4.5 -2554222 +2554222, 2614073 The NCLU command to enable bridge learning fails. As a work around, enable bridge learning in the {{/etc/network/interface}} file. For example: @@ -6445,7 +6445,7 @@ iface vni-30 -2554202 +2554202, 2544880 The output of the {{net show commit}} command does not show the last commit or the specified commit number but is empty instead. 4.2.1-4.4.5 @@ -6487,7 +6487,7 @@ Alternatively, directly edit the {{/etc/snmp/snmpd.conf}} file as described in t -2553237 +2553237, 2552950 The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF. NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF. @@ -6781,7 +6781,7 @@ These errors are result of user space acting on kernel events a bit slow. The m -2547706 +2547706, 2544456, 2549513 When you configure ganged ports in the {{ports.conf}} file, the change does not take effect after you restart {{switchd}}. To work around this issue, reboot the switch. 3.7.11-3.7.16, 4.0.0-4.4.5 @@ -6837,7 +6837,7 @@ To increase the {{systemd}} timeout: -2546225 +2546225, 2541038 When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in {{/var/lib/cumulus/installer}}, which causes issues with cl-support. sudo onie-install -fai http://<path to image> @@ -6848,7 +6848,7 @@ To increase the {{systemd}} timeout: -2546131 +2546131, 2542979 On the Delta AG-6248C PoE switch, when you run the {{apt upgrade}} command, the upgrade does not work. Cumulus Linux uses {{uboot}} directly instead of {{grub}} to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the {{apt upgrade}} command to upgrade Linux packages, {{uboot}} is unable to boot up the kernel. To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the {{onie-select}} command to go into ONIE, and then use the {{nos-install}} command in ONIE to install a new image. This workaround only works when an out-of-band network is present. @@ -6920,7 +6920,7 @@ To work around this issue, run the {{sudo systemctl restart lldpd.service}} comm -2544880 +2544880, 2544616, 2554202 When you run the NCLU {{net show commit last}} or {{net show commit <number>}} command, where {{<number>}} is the last commit, no output is shown. 4.0.0-4.4.5 @@ -6939,7 +6939,7 @@ To work around this issue, do not use auto-negotiation and set the local port sp -2544456 +2544456, 2546166, 2546167, 2547706, 2549513 The NCLU {{net show lldp}} command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. 3.7.9-3.7.16, 4.0.0-4.4.5 @@ -6989,7 +6989,7 @@ You can safely ignore this warning. -2543841 +2543841, 2544947 The {{net show evpn vni detail json}} command includes an extra empty dictionary at the end of the output. 3.7.8-3.7.16, 4.0.0-4.4.5 @@ -7036,7 +7036,7 @@ See /var/log/netd.log for more details. -2543401 +2543401, 2543014 On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to {{admin up}} until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces. To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. 4.0.0-4.4.5 @@ -7159,7 +7159,7 @@ This issue only affects QinQ configurations. -2540204 +2540204, 2713883 When links come up after FRR is started, VRF connected routes do not get redistributed. 3.7.4-3.7.16, 4.0.0-4.4.5 @@ -7316,7 +7316,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537544 +2537544, 2537365 When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB. 3.7.1-3.7.16, 4.0.0-4.4.5 @@ -7531,7 +7531,7 @@ This configuration is not allowed; it is considered to be eBGP and local prefere 4.3.2-4.4.5 -3474391 +3474391, 3479772 The SNMP MIB definition file {{/usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt}} does not define the INDEX of the {{bgpPeerEntry}} correctly. This issue does not impact SNMP functionality for this MIB. 4.3.1-5.5.1 5.6.0-5.16.1 @@ -7571,7 +7571,7 @@ OR 5.5.0-5.16.1 -3419962 +3419962, 3626533 On a Broadcom switch, if you remove a double-tagged interface from a bridge that contains other double-tagged interfaces built on the same physical port (for example, you remove swp1.10.100 when swp1.10.200 is also a bridge port), traffic forwarding within the bridge might fail and you see critical warnings in the {{/var/log/switchd.log}} file similar to the following: switchd[8587]: hal_bcm.c:2207 CRIT knet_vlan_translate_delete(update): port 1 ext_vlan 10.100 int_vlan 2132: -11 @@ -7608,7 +7608,7 @@ psample { group=1 } -3390022 +3390022, 3323138 When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the {{peerlink.4095}} interface stanza are duplicated. Subsequent {{ifreloads}}, or {{net commit}} commands fail until you manually remove the duplicated lines from this interface and run {{ifreload -a}}. 4.2.1-4.4.5 @@ -7729,7 +7729,7 @@ To work around this issue, change the TCAM profile to {{acl-heavy}} or {{ip-acl- 4.3.2, 5.3.0-5.16.1 -3168564 +3168564, 3198302 In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), {{switchd}} might crash when you restart {{clagd}} or when all bonds go operationally down, then up. On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. 4.3.1-4.4.5 @@ -7760,7 +7760,7 @@ On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scal 5.2.0-5.16.1 -3108491 +3108491, 2434628 In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart {{switchd}}. 4.2.1-4.4.5 5.0.0-5.16.1 @@ -7802,14 +7802,14 @@ On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scal -3059135 +3059135, 3060400 In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route. To resolve this issue, restart FRR with the {{sudo systemctl restart frr}} command. 4.3.0-5.1.0 5.2.0-5.16.1 -3046023 +3046023, 3096918 The {{cl-resource-query}} command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the {{switchd.log}} file contains ECMP resource errors with routes and next hops failing to install. 4.2.1-5.1.0 5.2.0-5.16.1 @@ -7947,7 +7947,7 @@ This affects failed neighbor entries on routed interfaces that are not SVIs.5.0.0-5.16.1 -2743186 +2743186, 2734100, 2731464, 3438708 When you use MD5 passwords and you configure a non-default VRF before the default VRF in the {{/etc/frr/frr.conf}} file, numbered BGP sessions do not establish. 3.7.15-5.1.0 5.2.0-5.16.1 @@ -7971,14 +7971,14 @@ This affects failed neighbor entries on routed interfaces that are not SVIs.5.0.0-5.16.1 -2728119 +2728119, 2729309 When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the {{sudo systemctl restart frr}} command. 4.3.0-4.4.5 5.0.0-5.16.1 -2713888 +2713888, 2834357 With the {{ip-acl-heavy}} TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly. hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources @@ -8012,7 +8012,7 @@ To work around this issue, change the TCAM profile to {{acl-heavy}} or {{ip-acl- 3.7.16 -2690017 +2690017, 3431625 When you remove a bond member, then re-add it, you might see a {{Parameter Error}} failure in {{{syslog}} and {{switchd.log}}: sx_sdk: LAG: Can't add port (0x00012400) to lag. Port has vports configured for it (Parameter Error). @@ -8098,7 +8098,7 @@ To recover from this state, flap the bond interface (not the physical swp) by ru 5.0.0-5.16.1 -2578814 +2578814, 2644181 On NVIDIA Spectrum switches, BUM traffic might be dropped during VXLAN decapsulation in an EVPN multihoming environment after multiple PIM uplink interfaces flap. 4.3.0-4.3.4 4.4.0-4.4.5 @@ -8189,7 +8189,7 @@ This error has no functional impact. -2555175 +2555175, 3195351, 2672721 Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. 3.7.15-4.3.1 4.3.2-4.4.5 @@ -8253,7 +8253,7 @@ To work around this issue, configure a static route in FRR. 4.4.0-4.4.5 -2554222 +2554222, 2614073 The NCLU command to enable bridge learning fails. As a work around, enable bridge learning in the {{/etc/network/interface}} file. For example: @@ -8278,7 +8278,7 @@ iface vni-30 -2554202 +2554202, 2544880 The output of the {{net show commit}} command does not show the last commit or the specified commit number but is empty instead. 4.2.1-4.4.5 @@ -8320,7 +8320,7 @@ Alternatively, directly edit the {{/etc/snmp/snmpd.conf}} file as described in t -2553237 +2553237, 2552950 The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF. NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF. @@ -8614,7 +8614,7 @@ These errors are result of user space acting on kernel events a bit slow. The m -2547706 +2547706, 2544456, 2549513 When you configure ganged ports in the {{ports.conf}} file, the change does not take effect after you restart {{switchd}}. To work around this issue, reboot the switch. 3.7.11-3.7.16, 4.0.0-4.4.5 @@ -8670,7 +8670,7 @@ To increase the {{systemd}} timeout: -2546225 +2546225, 2541038 When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in {{/var/lib/cumulus/installer}}, which causes issues with cl-support. sudo onie-install -fai http://<path to image> @@ -8681,7 +8681,7 @@ To increase the {{systemd}} timeout: -2546131 +2546131, 2542979 On the Delta AG-6248C PoE switch, when you run the {{apt upgrade}} command, the upgrade does not work. Cumulus Linux uses {{uboot}} directly instead of {{grub}} to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the {{apt upgrade}} command to upgrade Linux packages, {{uboot}} is unable to boot up the kernel. To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the {{onie-select}} command to go into ONIE, and then use the {{nos-install}} command in ONIE to install a new image. This workaround only works when an out-of-band network is present. @@ -8753,7 +8753,7 @@ To work around this issue, run the {{sudo systemctl restart lldpd.service}} comm -2544880 +2544880, 2544616, 2554202 When you run the NCLU {{net show commit last}} or {{net show commit <number>}} command, where {{<number>}} is the last commit, no output is shown. 4.0.0-4.4.5 @@ -8772,7 +8772,7 @@ To work around this issue, do not use auto-negotiation and set the local port sp -2544456 +2544456, 2546166, 2546167, 2547706, 2549513 The NCLU {{net show lldp}} command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. 3.7.9-3.7.16, 4.0.0-4.4.5 @@ -8822,7 +8822,7 @@ You can safely ignore this warning. -2543841 +2543841, 2544947 The {{net show evpn vni detail json}} command includes an extra empty dictionary at the end of the output. 3.7.8-3.7.16, 4.0.0-4.4.5 @@ -8869,7 +8869,7 @@ See /var/log/netd.log for more details. -2543401 +2543401, 2543014 On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to {{admin up}} until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces. To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. 4.0.0-4.4.5 @@ -8992,7 +8992,7 @@ This issue only affects QinQ configurations. -2540204 +2540204, 2713883 When links come up after FRR is started, VRF connected routes do not get redistributed. 3.7.4-3.7.16, 4.0.0-4.4.5 @@ -9149,7 +9149,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537544 +2537544, 2537365 When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB. 3.7.1-3.7.16, 4.0.0-4.4.5 @@ -9311,7 +9311,7 @@ For Mellanox switches, the above procedure does not upgrade to Cumulus Linux 4.3 5.0.1 -3089474 +3089474, 3334028 The {{clagd}} process uses 100 percent CPU and eventually crashes with an {{Unable to allocate memory}} error. This issue impacts customers with these conditions: CL 5.1.0, CLAG, NTP, and a switch that has been powered off for some time (i.e. the clock may have drifted) prior to initial boot. @@ -9372,7 +9372,7 @@ warning: vni10: possible mis-configuration detected: l2-vni configured with brid 3.7.15, 4.2.1-4.3.0, 4.4.2-5.0.1 -2935121 +2935121, 2826122 When you configure 199 VXLANs plus 199 VLANs, {{clagd}} crashes every few seconds. 3.7.15, 4.3.0, 4.4.0-4.4.1 @@ -9387,7 +9387,7 @@ warning: vni10: possible mis-configuration detected: l2-vni configured with brid 4.1.1-4.3.0 -2899422 +2899422, 3036049, 3069904 Broadcom switches return a table full error when creating VXLAN gports, which causes {{switchd}} to crash. 3.7.15-4.3.0 @@ -9409,7 +9409,7 @@ To work around this issue, configure an IPv4 address on all VRF interfaces. 4.3.0 -2875300 +2875300, 2545364, 3297583 In some corner cases, remote MAC entries may be seen as locally learnt entries in FDB table due to switchd reprogramming it 3.7.12-3.7.14.2 @@ -9510,7 +9510,7 @@ To work around this issue, manually restart WJH with the {{sudo systemctl restar 4.4.0-4.4.5 -2738625 +2738625, 2748965 When you configure the switch with the minimum reserved VLAN of 150 and the internal VLANs are exhausted, the MLAG peer does not forward the VLAN. 3.7.15, 4.2.1-4.3.0 @@ -9536,7 +9536,7 @@ This is a cosmetic software issue and not indicative of a hardware failure on th 4.3.0 -2716822 +2716822, 2710844 The {{/etc/cumulus/ports.conf}} file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports. 3.7.15-4.3.0 @@ -9563,7 +9563,7 @@ To workaround this issue, run the command against each VRF independently. 3.7.15, 4.0.0-4.3.0 -2699378 +2699378, 2684428 After an event that causes the peer link bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a "peer-ip-mismatch." This behavior is seen in a {{clagd-peer-ip linklocal}} configuration. 4.3.0 @@ -9583,7 +9583,7 @@ To workaround this issue, run the command against each VRF independently. 4.3.0 -2668543 +2668543, 3061431 SVIs do not inherit the pinned MAC address of the bridge. 4.3.0 @@ -9613,7 +9613,7 @@ To workaround this issue, run the command against each VRF independently. 4.3.0 -2644071 +2644071, 3348697 When you stop {{clagd}} on the MLAG primary switch (for example, when you reboot the switch), in rare conditions the MLAG secondary switch might fail to properly assert itself as the MLAG primary switch. To work around this issue, change the primary designation by configuring the {{clagd}} priorities to ensure that you only reboot a switch that is in the MLAG secondary role. 3.7.15, 4.3.0 @@ -9699,7 +9699,7 @@ To work around this issue, run the {{sudo ifreload -a}} command on both peers, o 4.3.0 -2552212 +2552212, 2553637 The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with {{Unable to read from device/fan1_input/pwm1}} syslog messages. 3.7.11-3.7.14, 4.1.1-4.3.0 @@ -9801,7 +9801,7 @@ psample { group=1 } 4.3.2-4.4.5 -3390022 +3390022, 3323138 When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the {{peerlink.4095}} interface stanza are duplicated. Subsequent {{ifreloads}}, or {{net commit}} commands fail until you manually remove the duplicated lines from this interface and run {{ifreload -a}}. 4.2.1-4.4.5 @@ -9944,7 +9944,7 @@ To work around this issue, change the TCAM profile to {{acl-heavy}} or {{ip-acl- 5.2.0-5.16.1 -3108491 +3108491, 2434628 In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart {{switchd}}. 4.2.1-4.4.5 5.0.0-5.16.1 @@ -9999,7 +9999,7 @@ To work around this issue, restart the {{hostapd}} service with the {{systemctl 4.3.1-4.4.5 -3059135 +3059135, 3060400 In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route. To resolve this issue, restart FRR with the {{sudo systemctl restart frr}} command. 4.3.0-5.1.0 @@ -10012,7 +10012,7 @@ To resolve this issue, restart FRR with the {{sudo systemctl restart frr}} comma 4.3.1-4.4.5, 4.4.4-4.4.5 -3046023 +3046023, 3096918 The {{cl-resource-query}} command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the {{switchd.log}} file contains ECMP resource errors with routes and next hops failing to install. 4.2.1-5.1.0 5.2.0-5.16.1 @@ -10073,7 +10073,7 @@ The following attribute: {{vxlan-purge-remotes yes}} is intended to fix the issu 3.7.16, 4.3.1, 5.1.0-5.16.1 -2935121 +2935121, 2826122 When you configure 199 VXLANs plus 199 VLANs, {{clagd}} crashes every few seconds. 3.7.15, 4.3.0-4.4.1 3.7.16, 4.4.2-4.4.5, 5.0.0-5.16.1 @@ -10097,7 +10097,7 @@ The following attribute: {{vxlan-purge-remotes yes}} is intended to fix the issu -2899422 +2899422, 3036049, 3069904 Broadcom switches return a table full error when creating VXLAN gports, which causes {{switchd}} to crash. 3.7.15-3.7.16, 4.3.0-4.4.5 @@ -10324,7 +10324,7 @@ This affects failed neighbor entries on routed interfaces that are not SVIs.5.0.0-5.16.1 -2743186 +2743186, 2734100, 2731464, 3438708 When you use MD5 passwords and you configure a non-default VRF before the default VRF in the {{/etc/frr/frr.conf}} file, numbered BGP sessions do not establish. 3.7.15-5.1.0 5.2.0-5.16.1 @@ -10336,7 +10336,7 @@ This affects failed neighbor entries on routed interfaces that are not SVIs.5.0.0-5.16.1 -2738625 +2738625, 2748965 When you configure the switch with the minimum reserved VLAN of 150 and the internal VLANs are exhausted, the MLAG peer does not forward the VLAN. 3.7.15, 4.2.1-4.3.0 3.7.16, 4.3.1-4.4.5 @@ -10372,7 +10372,7 @@ This affects failed neighbor entries on routed interfaces that are not SVIs.4.3.1-4.4.5, 4.4.2-4.4.5 -2728119 +2728119, 2729309 When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the {{sudo systemctl restart frr}} command. 4.3.0-4.4.5 @@ -10386,13 +10386,13 @@ This is a cosmetic software issue and not indicative of a hardware failure on th 4.3.1-4.4.5 -2716822 +2716822, 2710844 The {{/etc/cumulus/ports.conf}} file on the Dell Z9264F-ON switch does not show that Cumulus Linux does not support the 2x10G SFP+ ports. 3.7.15-4.3.0 4.3.1-4.4.5 -2713888 +2713888, 2834357 With the {{ip-acl-heavy}} TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly. hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources @@ -10444,7 +10444,7 @@ To workaround this issue, run the command against each VRF independently. 3.7.16 -2699378 +2699378, 2684428 After an event that causes the peer link bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a "peer-ip-mismatch." This behavior is seen in a {{clagd-peer-ip linklocal}} configuration. 4.3.0-4.3.4 4.4.0-4.4.5 @@ -10456,7 +10456,7 @@ To workaround this issue, run the command against each VRF independently. 4.4.0-4.4.5 -2690017 +2690017, 3431625 When you remove a bond member, then re-add it, you might see a {{Parameter Error}} failure in {{{syslog}} and {{switchd.log}}: sx_sdk: LAG: Can't add port (0x00012400) to lag. Port has vports configured for it (Parameter Error). @@ -10509,7 +10509,7 @@ To work around this issue, start the MST service with the {{sudo mst start}} com 4.4.0-4.4.5 -2668543 +2668543, 3061431 SVIs do not inherit the pinned MAC address of the bridge. 4.3.0 4.3.1-4.4.5, 5.10.0-5.16.1 @@ -10545,7 +10545,7 @@ To work around this issue, start the MST service with the {{sudo mst start}} com 4.4.0-4.4.5 -2644071 +2644071, 3348697 When you stop {{clagd}} on the MLAG primary switch (for example, when you reboot the switch), in rare conditions the MLAG secondary switch might fail to properly assert itself as the MLAG primary switch. To work around this issue, change the primary designation by configuring the {{clagd}} priorities to ensure that you only reboot a switch that is in the MLAG secondary role. 3.7.15, 4.3.0-4.3.4 3.7.16, 4.4.0-4.4.5 @@ -10596,7 +10596,7 @@ To recover from this state, flap the bond interface (not the physical swp) by ru 5.0.0-5.16.1 -2578814 +2578814, 2644181 On NVIDIA Spectrum switches, BUM traffic might be dropped during VXLAN decapsulation in an EVPN multihoming environment after multiple PIM uplink interfaces flap. 4.3.0-4.3.4 4.4.0-4.4.5 @@ -10755,7 +10755,7 @@ This error has no functional impact. -2555175 +2555175, 3195351, 2672721 Control plane traffic (such as BGP peering from leaf to spine) goes down on the leaf due to the peer Hold Down timer expiration following prolonged link flaps on down links when VXLAN enabled VLANs are carried on the flapping link. Be sure to correct layer 1 issues, configuration issues, or misbehaving link partners that are causing the link flaps. 3.7.15-4.3.1 4.3.2-4.4.5 @@ -10833,7 +10833,7 @@ To work around this issue, configure a static route in FRR. 4.3.1-4.4.5 -2554222 +2554222, 2614073 The NCLU command to enable bridge learning fails. As a work around, enable bridge learning in the {{/etc/network/interface}} file. For example: @@ -10858,7 +10858,7 @@ iface vni-30 -2554202 +2554202, 2544880 The output of the {{net show commit}} command does not show the last commit or the specified commit number but is empty instead. 4.2.1-4.4.5 @@ -10900,7 +10900,7 @@ Alternatively, directly edit the {{/etc/snmp/snmpd.conf}} file as described in t -2553237 +2553237, 2552950 The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF. NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF. @@ -10958,7 +10958,7 @@ These messages are for internal validation purposes only and can be safely ignor -2552212 +2552212, 2553637 The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with {{Unable to read from device/fan1_input/pwm1}} syslog messages. 3.7.11-3.7.14, 4.1.1-4.3.0 3.7.14.2-3.7.16, 4.3.1-4.4.5, 4.4.0-4.4.5 @@ -11206,7 +11206,7 @@ These errors are result of user space acting on kernel events a bit slow. The m -2547706 +2547706, 2544456, 2549513 When you configure ganged ports in the {{ports.conf}} file, the change does not take effect after you restart {{switchd}}. To work around this issue, reboot the switch. 3.7.11-3.7.16, 4.0.0-4.4.5 @@ -11262,7 +11262,7 @@ To increase the {{systemd}} timeout: -2546225 +2546225, 2541038 When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in {{/var/lib/cumulus/installer}}, which causes issues with cl-support. sudo onie-install -fai http://<path to image> @@ -11273,7 +11273,7 @@ To increase the {{systemd}} timeout: -2546131 +2546131, 2542979 On the Delta AG-6248C PoE switch, when you run the {{apt upgrade}} command, the upgrade does not work. Cumulus Linux uses {{uboot}} directly instead of {{grub}} to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the {{apt upgrade}} command to upgrade Linux packages, {{uboot}} is unable to boot up the kernel. To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the {{onie-select}} command to go into ONIE, and then use the {{nos-install}} command in ONIE to install a new image. This workaround only works when an out-of-band network is present. @@ -11345,7 +11345,7 @@ To work around this issue, run the {{sudo systemctl restart lldpd.service}} comm -2544880 +2544880, 2544616, 2554202 When you run the NCLU {{net show commit last}} or {{net show commit <number>}} command, where {{<number>}} is the last commit, no output is shown. 4.0.0-4.4.5 @@ -11364,7 +11364,7 @@ To work around this issue, do not use auto-negotiation and set the local port sp -2544456 +2544456, 2546166, 2546167, 2547706, 2549513 The NCLU {{net show lldp}} command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. 3.7.9-3.7.16, 4.0.0-4.4.5 @@ -11414,7 +11414,7 @@ You can safely ignore this warning. -2543841 +2543841, 2544947 The {{net show evpn vni detail json}} command includes an extra empty dictionary at the end of the output. 3.7.8-3.7.16, 4.0.0-4.4.5 @@ -11461,7 +11461,7 @@ See /var/log/netd.log for more details. -2543401 +2543401, 2543014 On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to {{admin up}} until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces. To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. 4.0.0-4.4.5 @@ -11584,7 +11584,7 @@ This issue only affects QinQ configurations. -2540204 +2540204, 2713883 When links come up after FRR is started, VRF connected routes do not get redistributed. 3.7.4-3.7.16, 4.0.0-4.4.5 @@ -11741,7 +11741,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537544 +2537544, 2537365 When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB. 3.7.1-3.7.16, 4.0.0-4.4.5 @@ -11897,7 +11897,7 @@ This example assumes no other static routes are present. Otherwise, you might ne 3.7.12-4.2.1 -2556334 +2556334, 2555514 On the Mellanox SN-4700 switch, when you use a 2x100G configuration, the links do not come up. @@ -11907,7 +11907,7 @@ This example assumes no other static routes are present. Otherwise, you might ne 4.2.1 -2556010 +2556010, 2556276 On Broadcom switches, after repeated VLAN or VXLAN configuration changes, {{switchd}} memory might not free up appropriately, which can lead to a crash. 3.7.14, 4.0.0-4.2.1 @@ -12086,7 +12086,7 @@ To work around this issue, use a static MAC address; specify a MAC address in th 4.2.1 -2554253 +2554253, 2554353 After upgrading the Mellanox SN2410 switch, the FAN is set to full speed. 4.2.1 @@ -12127,7 +12127,7 @@ To work around this issue, disable IGMP snooping on the switch. 4.1.1-4.2.1 -2553529 +2553529, 2553349 In an MLAG configuration with a layer 3 VNI, when you bounce the peer link, all layer 2 VNIs listed under the layer 3 VNI are duplicated. To work around this issue, restart FRR with the {{sudo systemctl restart frr.service}} command. @@ -12146,7 +12146,7 @@ To work around this issue, remove power to both PSUs at the same time, then rein 3.7.12-3.7.13, 4.2.1 -2553349 +2553349, 2553529 When you delete a layer 2 VNI and VLAN, the layer 3 VNI reports an incorrect layer 2 VNI number. To work around this issue, either restart FRR or delete the VNI interface first, then delete the VLAN/SVI. 4.2.0-4.2.1 @@ -12194,7 +12194,7 @@ To work around this issue, use the {{ethtool -m <interface>}} command.3.7.12-3.7.14.2, 4.0.0-4.2.1 -2552742 +2552742, 2553000, 2553936 On the Mellanox SN2410 switch, you see {{switchd}} core and {{GBIN_MALLOC}} errors. To work around this issue, restart {{switchd}}. 3.7.12-4.2.1 @@ -12269,7 +12269,7 @@ bridge fdb add 50:6b:4b:ee:ee:ee dev swp31 vlan 24 master [ static | dynamic ] 4.0.0-4.2.1 -2550973 +2550973, 2548408 After you enable ROCE with the {{net add interface <switch-port> storage-optimized pfc}} command, you cannot verify the command because it is not shown in the {{net show config}} command output. 4.1.1-4.2.1 @@ -12345,7 +12345,7 @@ These messages are harmless and can be ignored. 3.7.11-4.2.1 -2548672 +2548672, 2555635 When a multipath route that contains an EVPN path exists together with an IPv4 BGP path in the VRF, the RMAC to VTEP binding is incorrect. This invalid entry occurs because Cumulus Linux treats IPv4 routes received over the eBGP IPv4 peering incorrectly in the VRF. To work around this issue, remove the unnecessary eBGP IPv4 peering. 3.7.12-3.7.15, 4.0.0-4.2.1 @@ -12381,7 +12381,7 @@ To work around this issue, remove, then re-add the component prefix routes. 3.7.12-4.2.1 -2548408 +2548408, 2550973 {{net show configuration commands}} does not show the RoCE {{net add interface <swp> storage-optimized pfc}} configuration. 4.1.0-4.2.1 @@ -12410,7 +12410,7 @@ C-states are disabled by default in Cumulus Linux 4.3.0 and later. 3.7.6-4.2.1 -2534977 +2534977, 2535424 On the Mellanox switch, the destination MAC address of ERSPAN GRE packets is set to all zeros; therefore, the first transit switch might drop packets. 4.0.0-4.2.1 diff --git a/content/cumulus-linux-44/Whats-New/rn.md b/content/cumulus-linux-44/Whats-New/rn.md index b30591d8d5..e2161178ff 100644 --- a/content/cumulus-linux-44/Whats-New/rn.md +++ b/content/cumulus-linux-44/Whats-New/rn.md @@ -17,18 +17,18 @@ pdfhidden: True | [4647646](#4647646)
| If you configure policy-based routing (PBR) rules for more than 32 interfaces, only the rules assigned to the first 32 interfaces are installed in the kernel. | 4.4.2-5.14.0 | 5.15.0-5.16.1| | [4143345](#4143345)
| On the Trident3 switch, if you use NCLU to configure BGP neighbor shutdown, NCLU stops responding when you include more than 200 neighbors per peer group. If you do not use NCLU to configure BGP neighbor shutdown, you can configure a maximum of 300 neighbors per peer group. | 4.3.0-4.4.5 | | | [4004453](#4004453)
| The NVUE commands to delete SNMP users, and change authentication passwords and encryption passphrases are not successful. | 4.3.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| -| [3895042](#3895042)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| +| [3895042, 3895041](#3895042, 3895041)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3773177](#3773177)
| When you try to upgrade a switch from Cumulus Linux before 5.6.0 with package upgrade, you might see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.
cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt install ./cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt update
cumulus@switch:~$ sudo apt upgrade
| 4.0.0-4.4.5, 5.0.0-5.16.1 | | | [3684998](#3684998)
| DHCP lease information is not collected in the cl-support file. | 4.3.0-5.6.0 | 5.7.0-5.16.1| | [3528464](#3528464)
| Cumulus Linux might mark a layer 2 VLAN-tagged packet as a packet to CPU and the INPUT chain ACL might drop the packet. To work around this issue, add an additional addrtype match on the ACL to prevent an erroneous ACL match; for example:
[iptables]
-A INPUT -i swp+ -m addrtype --dst-type LOCAL -p tcp --sport 22 -j DROP
| 4.3.0-4.4.5 | | | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0-5.16.1| -| [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.16.1| +| [3474391, 3479772](#3474391, 3479772)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.16.1| | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.16.1| | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | | [3400244](#3400244)
| NCLU accepts multiple instances of same net add bgp commands and stores the configuration in the /etc/frr/frr.conf file when you run the net commit command. As a result, unintended commands might be processed during frr-reload. To work around this issue, edit the /etc/frr/frr.conf file to remove the duplicated entries. | 4.3.1-4.4.5 | | | [3395411](#3395411)
| For layer 3 interfaces configured on the switch, certain triggers, such as port flaps and subinterface flaps, or when configuring the ports to and from layer 2 and layer 3, cause the dummy internal VLAN to not free up, which can result in exhaustion of the dummy internal VLANs designated for the layer 3 interfaces. When this occurs, you see the following switchd log messages:
ERR dummy internal vlans exhaustedERR cannot allocate vlan for sub-interface
| 4.4.2-5.4.0 | 5.5.0-5.16.1| -| [3390022](#3390022)
| When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the peerlink.4095 interface stanza are duplicated. Subsequent ifreloads, or net commit commands fail until you manually remove the duplicated lines from this interface and run ifreload -a. | 4.2.1-4.4.5 | | -| [3389994](#3389994)
| During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbor entries cannot synchronize between MLAG nodes. During this transitory upgrade state, neighbor entry resolution relies on data plane traffic being forwarded to the CPU so ARP can resolve the necessary neighbor entry before traffic can go through the fastpath. | 4.4.0-5.4.0 | 4.3.2, 5.5.0-5.16.1| +| [3390022, 3323138](#3390022, 3323138)
| When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the peerlink.4095 interface stanza are duplicated. Subsequent ifreloads, or net commit commands fail until you manually remove the duplicated lines from this interface and run ifreload -a. | 4.2.1-4.4.5 | | +| [3389994, 3323143](#3389994, 3323143)
| During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbor entries cannot synchronize between MLAG nodes. During this transitory upgrade state, neighbor entry resolution relies on data plane traffic being forwarded to the CPU so ARP can resolve the necessary neighbor entry before traffic can go through the fastpath. | 4.4.0-5.4.0 | 4.3.2, 5.5.0-5.16.1| | [3387852](#3387852)
| If you remove NGINX from the switch, then run apt autoremove, switchd does not reload because the libyaml-0-2 and python-yaml packages are missing; these packages are required for switchd consistency checking. To work around this issue, reinstall the libyaml-0-2 and python-yaml packages. | 4.4.0-4.4.5 | | | [3368217](#3368217)
| When daylight saving time changes, the MLAG initDelay timer resets and all MLAG bonds go down. | 4.4.4-4.4.5 | | | [3339249](#3339249)
| The sensors.conf files in Cumulus Linux are out of date. | 4.2.1-4.4.5 | | @@ -38,7 +38,7 @@ pdfhidden: True | [3303105](#3303105)
| Clagd crash is observed with the following traceback in /var/log/clagd.log following a clag sync event which is typically driven by a peerlink up event:
unhandled exception:
Traceback (most recent call last):
File "/usr/sbin/clagd", line 1304, in PeerRecvT
PeerRecv()
File "/usr/sbin/clagd", line 513, in PeerRecv
ParseProtoBufMessage(nlm, myPeerMsg)
File "/usr/sbin/clagd", line 853, in ParseProtoBufMessage
msgData = FdbSync.ParseProtoBufMessage(msgHdr)
File "/usr/lib/python3/dist-packages/clag/fdbsync.py", line 892, in ParseProtoBufMessage
msgData.ParseFromString(msgHdr.data)
google.protobuf.message.DecodeError: Error parsing message | 4.4.0-4.4.5 | | | [3293110](#3293110)
| You cannot set the NTF router flag (NTF_ROUTER) on neighbor entries from the user space. | 4.4.2-4.4.5 | | | [3292873](#3292873)
| When you run ZTP manually with the ztp -R command, then the ztp -vb command, the process stalls indefinitely while searching the local (USB) location and not using DHCP information. To work around this issue, run the ztp -r command with the URL of the ZTP server:
[Dec-08-17:09:58] root@switch:/home/cumulus#  ztp -r http://myztp.server.local/ztp
| 4.4.2-4.4.5 | | -| [3291548](#3291548)
| In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. | 4.2.1-4.4.5 | 5.0.0-5.16.1| +| [3291548, 2434628](#3291548, 2434628)
| In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. | 4.2.1-4.4.5 | 5.0.0-5.16.1| | [3289482](#3289482)
| When the switch needs to forward a frame that has a source MAC address of 00:00:00:00:00:00, the dmesg log might report the message bridge: RTM_NEWNEIGH with invalid ether address in a loop every 30 seconds. The log message is harmless and frames with that MAC forward correctly. | 4.4.3-5.3.1 | 5.4.0-5.16.1| | [3284719](#3284719)
| Certain EVPN multihoming show commands might cause the bgpd service to crash if you use the json flag and try to reference the default VRF by name. For example: show bgp l2vpn evpn es-vrf json. | 4.4.2-4.4.5 | | | [3271684](#3271684)
| After you restart the FRR service, show commands incorrectly reflect the VLAN associated with layer 3 VNIs as 0:
# net show evpn vni 123VNI: 123Type: L3Tenant VRF: BLUEVlan: 0
| 4.4.3-5.3.1 | 5.4.0-5.16.1| @@ -57,9 +57,9 @@ pdfhidden: True | [3211054](#3211054)
| On the NVIDIA Spectrum-2 switch, when receiving multicast traffic on a PIM enabled VLAN, the multicast traffic is forwarded correctly to the associated VLAN, however WJH shows traffic loss with the error:

Packet size is larger than router interface MTU – Validate the router interface MTU configuration
| 4.4.2-5.2.1 | 5.3.0-5.16.1| | [3209699](#3209699)
| RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users)
| 3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.16.1| | [3191517](#3191517)
| When a switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-4.3.1, 4.4.0-5.2.1 | 4.3.2, 5.3.0-5.16.1| -| [3168564](#3168564)
| In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), switchd might crash when you restart clagd or when all bonds go operationally down, then up
On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. | 4.3.1-4.4.5 | | +| [3168564, 3198302](#3168564, 3198302)
| In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), switchd might crash when you restart clagd or when all bonds go operationally down, then up
On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. | 4.3.1-4.4.5 | | | [3163845](#3163845)
| If bond slaves listed in the /etc/network/interfaces file are not in alphabetical order, the bond interface MAC address can change when you run ifreload. For example, if the bond slaves in the /etc/network/interfaces file are listed as swp32 swp31, the switch initially uses the MAC address for swp32 as the bond MAC address. An another ifreload can cause this to change to use the MAC address for swp31 as the bond MAC address, which can cause protocol issues, such as IPv6 link-local address changes. | 4.3.1-4.4.5 | | -| [3157240](#3157240)
| When you try to query REDECN counters with the mlxcmd utility on a bond member port with the following commands, syslog reports an error
sudo /usr/lib/cumulus/mlxcmd roce counters --port sudo /usr/lib/cumulus/mlxcmd qos counters --clear --port
| 4.4.4-5.1.0 | 5.2.0-5.16.1| +| [3157240, 3173622](#3157240, 3173622)
| When you try to query REDECN counters with the mlxcmd utility on a bond member port with the following commands, syslog reports an error
sudo /usr/lib/cumulus/mlxcmd roce counters --port sudo /usr/lib/cumulus/mlxcmd qos counters --clear --port
| 4.4.4-5.1.0 | 5.2.0-5.16.1| | [3150317](#3150317)
| During a host failure, where a link remains up but LACP stops being sent, the EVPN multihoming ES bond goes into bypass mode active without a link state change. | 4.4.2-5.2.1 | 5.3.0-5.16.1| | [3138746](#3138746)
| The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0-5.1.0 | 5.2.0-5.16.1| | [3138057](#3138057)
| When the next hop interface for EVPN type 5 routes flaps, FRR might uninstall the routes and Route install failed appears in /var/log/frr/frr.log. To work around this problem, restart FRR with the sudo systemctl restart frr command. | 4.4.0-5.2.1 | 5.3.0-5.16.1| @@ -77,10 +77,10 @@ pdfhidden: True | [3072613](#3072613)
| When you delete a bond interface with NCLU, BGP peer group configuration is removed. | 3.7.15-3.7.16, 4.3.0-4.4.5 | | | [3071652](#3071652)
| On rare occasions, after you reboot or restart switchd on a Spectrum 1 switch, any 25G connections with Direct Attach Copper (DAC) cables that connect from the switch to a non-NVIDIA device might flap continuously. To work around this issue, bring the affected link administratively down for a few seconds on the non-NVIDIA device, then bring the link back up. | 4.4.4-4.4.5, 5.1.0-5.16.1 | | | [3070672](#3070672)
| TACACS Command Authorization results in a traceback error and command is not executed | 4.4.0-4.4.5 | | -| [3059135](#3059135)
| In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route
To resolve this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| -| [3046023](#3046023)
| The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. | 4.2.1-5.1.0 | 5.2.0-5.16.1| -| [3034435](#3034435)
| In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community. | 4.4.4-5.4.0 | 5.5.0-5.16.1| -| [3032234](#3032234)
| In BGP unnumbered, when you try to remove an interface from the underlay default VRF with the NVUE nv unset vrf default router bgp neighbor command, the command fails to apply. | 4.4.2-5.0.1 | 5.1.0-5.16.1| +| [3059135, 3060400](#3059135, 3060400)
| In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route
To resolve this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| +| [3046023, 3096918](#3046023, 3096918)
| The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. | 4.2.1-5.1.0 | 5.2.0-5.16.1| +| [3034435, 3101184](#3034435, 3101184)
| In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community. | 4.4.4-5.4.0 | 5.5.0-5.16.1| +| [3032234, 3163643](#3032234, 3163643)
| In BGP unnumbered, when you try to remove an interface from the underlay default VRF with the NVUE nv unset vrf default router bgp neighbor command, the command fails to apply. | 4.4.2-5.0.1 | 5.1.0-5.16.1| | [3021838](#3021838)
| PBR rules that you apply to interfaces in the default VRF install in the kernel with the action lookup local. As a result, packets that match this rule only perform a route lookup in the local table (which contains special routes for local IP addresses and broadcast addresses) but not in the main table (which contains unicast routes). As a result, policy routing might be applied to traffic incorrectly. | 4.4.2-5.0.1 | 5.1.0-5.16.1| | [3008388](#3008388)
| When you set vlan-bridge-binding on for a VLAN interface, the VLAN interface status does not change to down even when all bridge member ports are down. | 4.4.3-5.0.1 | 5.1.0-5.16.1| | [2994402](#2994402)
| When you run ifquery as non-root, EVPN multihoming bond configuration fails
To work around this issue, always use sudo when running ifupdown2 commands (ifup, ifreload, ifdown, and ifquery). | 4.4.2-5.0.1 | 5.1.0-5.16.1| @@ -94,7 +94,7 @@ pdfhidden: True | [2943080](#2943080)
| The overlay ASN is removed after a route flap. | 4.4.0-5.0.1 | 5.1.0-5.16.1| | [2933466](#2933466)
| You cannot run NVUE commands to configure route leaking. To work around this issue, create a snippet in yaml format and add the configuration to the /etc/frr/frr.conf file. | 4.4.0-5.0.1 | 5.1.0-5.16.1| | [2913859](#2913859)
| ECMP error messages, similar to the following, show in log files:
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:361 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:621 ERR ECMP: failed to CREATE static ecmp in hwDec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:656 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1540 ERR ECMP: failed to allocate hw ecmp status No More ResourcesDec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1561 ERR ECMP: error allocating static ecmpDec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:2207 ERR ECMP: failed to find ecmp container
| 4.4.0-5.0.1 | 5.1.0-5.16.1| -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | | [2902013](#2902013)
| The NCLU commit command adds a five second delay. | 4.2.1-4.4.5 | | | [2875279](#2875279)
| In a scaled EVPN-MLAG configuration (observed with 400 or more VNIs and 20K or more MAC addresses – the actual scale might vary), when the peer link flaps causing all VNIs to come up at the same time, there might be high CPU utilization on the system for several minutes and the FRR service might restart. After FRR restarts or the CPU utilization settles down, the system functions normally. | 4.2.1-4.3.0, 4.4.0-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.16.1| | [2860323](#2860323)
| If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry. | 4.4.0-5.0.1 | 5.1.0-5.16.1| @@ -117,8 +117,8 @@ pdfhidden: True | [2792616](#2792616)
| If a neighbor entry (ARP or NDP) is used as a next hop of a route that is synchronized into hardware, the neighbor entry is not removed from hardware after the neighbor is no longer reachable. As a result, routed traffic matching this prefix is incorrectly hardware forwarded through the stale neighbor information. | 4.3.0-4.4.5 | 5.0.0-5.16.1| | [2788780](#2788780)
| When you enable ARP and ND suppression and the switch forwards ARP and ND packets to the kernel, RX_DRP counters might increment but the packets are processed as normal. | 4.4.0-4.4.5 | | | [2781537](#2781537)
| In Cumulus VX, the iptables FORWARD chain does not count hits. To work around this issue, use -t mangle -A PREROUTING instead of FORWARD. | 4.3.0-4.4.5 | 5.0.0-5.16.1| -| [2780915](#2780915)
| In NVUE, you can't deactivate the IPv4 address family per neighbor. | 4.4.0-4.4.5 | 5.0.0-5.16.1| -| [2780834](#2780834)
| To enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.16.1| +| [2780915, 2556028](#2780915, 2556028)
| In NVUE, you can't deactivate the IPv4 address family per neighbor. | 4.4.0-4.4.5 | 5.0.0-5.16.1| +| [2780834, 2555981](#2780834, 2555981)
| To enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.16.1| | [2780211](#2780211)
| When you use the NVUE nv set vrf default router bgp peer local-as asn command to configure a local AS, Cumulus Linux does not update the etc/frr/frr.conf file. | 4.4.0-4.4.5 | 5.0.0-5.16.1| | [2771653](#2771653)
| When using W-ECMP, the weights for various BGP next hops can sometimes be in the range of 100s or more, which consumes a lot of hardware space. | 4.3.0-4.4.5 | | | [2770226](#2770226)
| In an MLAG configuration with traditional bridges, MAC addresses are seen over peer link during ifreload when adding new VLANS or bridges. | 3.7.14.2-3.7.15, 4.3.0-4.4.5 | 3.7.16, 5.0.0-5.16.1| @@ -126,18 +126,18 @@ pdfhidden: True | [2754791](#2754791)
| Remote MAC addreses in zebra are out of sync with bgpd. The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP. | 3.7.14.2-3.7.16, 4.3.0-4.4.5 | | | [2753955](#2753955)
| On the Lenovo MSN3700 switch, if you try to configure an interface with a link speed of 200G, the configuration fails. | 4.2.1-4.4.5 | 5.0.0-5.16.1| | [2752330](#2752330)
| With BGP and layer 2 forwarding, Smart System Manager warm boot mode can cause packet loss. | 4.4.0-4.4.5 | 5.0.0-5.16.1| -| [2747750](#2747750)
| Links connected between a Spectrum 2 switch configured for warm boot and Spectrum 3 switches configured for cold boot might not come up when the switches are booted. | 4.4.2-4.4.5 | 5.0.0-5.16.1| -| [2743186](#2743186)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| +| [2747750, 2782819](#2747750, 2782819)
| Links connected between a Spectrum 2 switch configured for warm boot and Spectrum 3 switches configured for cold boot might not come up when the switches are booted. | 4.4.2-4.4.5 | 5.0.0-5.16.1| +| [2743186, 2734100, 2731464, 3438708](#2743186, 2734100, 2731464, 3438708)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| | [2739402](#2739402)
| The destination MAC address of ERSPAN GRE packets is set to all zeros. | 4.3.0-4.4.5 | 5.0.0-5.16.1| | [2739398](#2739398)
| Cumulus Linux does not support a bond or bond member as a SPAN destination. | 4.4.0-4.4.5 | 4.3.1| -| [2738040](#2738040)
| In an EVPN multihoming configuration, unicast ARP requests are not forwarded when the local Ethernet segment is down. | 4.4.0-4.4.5 | | -| [2736244](#2736244)
| When you run the vtysh command to enable BGP graceful restart on a peer multiple times, the command fails with the following error:
% The Graceful Restart command used is not valid at this moment.
| 4.4.0-4.4.5 | 5.0.0-5.16.1| +| [2738040, 2738041](#2738040, 2738041)
| In an EVPN multihoming configuration, unicast ARP requests are not forwarded when the local Ethernet segment is down. | 4.4.0-4.4.5 | | +| [2736244, 2736249](#2736244, 2736249)
| When you run the vtysh command to enable BGP graceful restart on a peer multiple times, the command fails with the following error:
% The Graceful Restart command used is not valid at this moment.
| 4.4.0-4.4.5 | 5.0.0-5.16.1| | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | | [2734103](#2734103)
| ACL [No More Resources] messages keep appearing and you can't reinstall the ACL. | 4.3.0-5.1.0 | 5.2.0-5.16.1| | [2732605](#2732605)
| The ESI line of show bgp l2vpn evpn route command always shows VNI: 0. This is a cosmetic software issue. | 4.3.0-4.4.5 | 5.0.0-5.16.1| | [2730447](#2730447)
| The bridge MAC address is updated during a port change on bridge interfaces. | 4.3.0, 4.4.0-4.4.5 | 4.3.1, 5.0.0-5.16.1| -| [2728119](#2728119)
| When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-4.4.5 | 5.0.0-5.16.1| -| [2713888](#2713888)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| +| [2728119, 2729309](#2728119, 2729309)
| When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-4.4.5 | 5.0.0-5.16.1| +| [2713888, 2834357](#2713888, 2834357)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| | [2711533](#2711533)
| On the AS7326-56X switch, the link lights for 25G ports configured to work at 1G do not illuminate. | 4.2.1-4.4.5 | | | [2710208](#2710208)
| The net show bgp neighbor command output does not reflect the correct BFD status. This is a cosmetic issue. To work around this issue, run the NCLU net show bfd command to verify the correct state of BFD. | 4.2.1-4.4.5 | | | [2700767](#2700767)
| Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use a MLAG peer IP linklocal configuration. | 3.7.12-3.7.15, 4.3.0-4.4.5 | 3.7.16| @@ -150,7 +150,7 @@ pdfhidden: True | [2639303](#2639303)
| When you use NCLU to delete a bond, then add an interface, NCLU reports an error similar to the following:
ERROR: 'NoneType' object has no attribute 'conf_key_value_multiple_values'See /var/log/netd.log for more details.
| 4.3.0-4.4.5 | | | [2621244](#2621244)
| When a VRF name includes evpn, the NCLU net show bgp vrf command fails with the error ERROR: The call to /usr/bin/vtysh failed. To work around this issue, do not use evpn in the VRF name or run the desired commands directly from FRR with vtysh. | 4.3.0-4.4.5 | | | [2618227](#2618227)
| The NCLU net show bridge macs command displays permanent MAC addresses for trunked VLANs. | 4.3.0-4.4.5 | | -| [2606326](#2606326)
| If the IGMP and MLD querier is configured on only one of the peer switches in an MLAG configuration, when IGMP packets are sent to the peer with no querier, IGMP leave messages have no effect. | 4.4.0-4.4.5 | | +| [2606326, 2583925](#2606326, 2583925)
| If the IGMP and MLD querier is configured on only one of the peer switches in an MLAG configuration, when IGMP packets are sent to the peer with no querier, IGMP leave messages have no effect. | 4.4.0-4.4.5 | | | [2599274](#2599274)
| On Mellanox Spectrum switches, when there is an MSTP forwarding state change on a bonds (for example, when the state changes from blocking to forwarding), the MSTP hardware table might set some VLANs to blocking when they should be forwarding. A a result, all packets on these VLANs drop at ingress
To recover from this state, flap the bond interface (not the physical swp) by running ifdown ; sleep 1 ; ifup . | 4.3.0-4.4.5 | 5.0.0-5.16.1| | [2596458](#2596458)
| When bridge.unreg_v6_mcast_prune = TRUE is configured in the /etc/cumulus/switchd.conf file, traffic destined to IPv6 link-local multicast addresses might not be flooded within the bridge
To work around this issue, disable pruning for IPv6 multicast by setting bridge.unreg_v6_mcast_prune = FALSE in the /etc/cumulus/switchd.conf file. | 4.4.0-4.4.5 | | | [2574368](#2574368)
| When you run the NCLU net add bgp maximum-paths ibgp command, FRR restarts unexpectedly
To work around this issue, either use the vtysh commands or edit the /etc/frr/frr.conf file directly, then run systemctl reload frr. | 4.1.1-4.4.5 | | @@ -158,7 +158,7 @@ pdfhidden: True | [2556369](#2556369)
| If you use NCLU to configure an ACL for eth0, you can't designate it as an INPUT rule; the rule is automatically created as a FORWARD rule in the /etc/cumulus/acl/policy.d/50_nclu_acl.rules file.
To work around this issue, manually create an ACL in the /etc/cumulus/acl/policy.d/ file with "-A INPUT -i eth0". | 4.2.1-4.4.5 | | | [2556082](#2556082)
| The NCLU net del vrf command does not delete a numbered VRF. For example:

cumulus@leaf01:~$ net del vrf 55
ERROR: Command not found
| 4.2.1-4.4.5 | | | [2556081](#2556081)
| You cannot set the time zone can with NCLU commands. | 4.1.1-4.4.5 | | -| [2555981](#2555981)
| In BGP, to enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.16.1| +| [2555981, 2584227, 2780834](#2555981, 2584227, 2780834)
| In BGP, to enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.16.1| | [2555873](#2555873)
| On Mellanox switches, egress ACLs with VLAN keys do not filter layer 2 multicast or broadcast traffic. | 4.3.0-4.4.5 | | | [2555763](#2555763)
| The NCLU net del bgp neighbor command does not delete the neighbor and displays an error similar to the following:

ERROR: --- /run/nclu/frr/frr.conf.scratchpad.baseline   2021-01-04 17:23:59.250463331 +0000
+++ /run/nclu/frr/frr.conf.scratchpad    2021-01-04 17:25:59.213673980 +0000

To work around this issue, use the FRR command to delete a neighbor. | 4.3.0-4.4.5 | | | [2555613](#2555613)
| The net show configuration commands command incorrectly displays the NCLU syntax to disable IPv6 forwarding on interfaces. For example:

# net show configuration commands
net add vlan 1 ip6-forward off

The correct NCLU command to disable IPv6 forwarding is net add vlan 1 ipv6 forward off (without the hyphen). | 4.2.1-4.4.5 | | @@ -171,13 +171,13 @@ pdfhidden: True | [2554582](#2554582)
| On switches with the Maverick ASIC, control traffic is dropped due to receive buffering. | 4.2.0-4.4.5 | | | [2554533](#2554533)
| On the ARM platform, NTP peer associations slowly increase to larger offsets (~500ms). | 4.0.0-4.4.5 | | | [2554466](#2554466)
| Kernel routes added by iproute2 are missing in FRR after an interface flap.
To work around this issue, configure a static route in FRR.
| 4.2.1-4.4.5 | | -| [2554222](#2554222)
| The NCLU command to enable bridge learning fails.
As a work around, enable bridge learning in the /etc/network/interface file. For example:

auto vni-30
iface vni-30
    vxlan-id 30
    bridge-access 30
    bridge-arp-nd-suppress on
    bridge-learning on
    vxlan-local-tunnelip 10.10.10.1
    mstpctl-bpduguard yes
    mstpctl-portbpdufilter yes
    mtu 9166
| 4.2.1-4.4.5 | | +| [2554222, 2614073](#2554222, 2614073)
| The NCLU command to enable bridge learning fails.
As a work around, enable bridge learning in the /etc/network/interface file. For example:

auto vni-30
iface vni-30
    vxlan-id 30
    bridge-access 30
    bridge-arp-nd-suppress on
    bridge-learning on
    vxlan-local-tunnelip 10.10.10.1
    mstpctl-bpduguard yes
    mstpctl-portbpdufilter yes
    mtu 9166
| 4.2.1-4.4.5 | | | [2554218](#2554218)
| MLAG packets received on the peer link are dropped instead of routed. | 4.2.0-4.4.5 | | -| [2554202](#2554202)
| The output of the net show commit command does not show the last commit or the specified commit number but is empty instead. | 4.2.1-4.4.5 | | +| [2554202, 2544880](#2554202, 2544880)
| The output of the net show commit command does not show the last commit or the specified commit number but is empty instead. | 4.2.1-4.4.5 | | | [2553989](#2553989)
| Default policer configured for LACP as an INPUT chain rule in 00control_plane.rules is meant to protect CPU from an LACP storm. When LACP storm is originating out of a single bond or bond member interface in a switch with multiple bond interfaces, there is a possibility of other LACP bond interface(s) going down. | 4.2.1-4.4.5 | | | [2553887](#2553887)
| When using TACACS+ configured with a DEFAULT user providing privilege level lower than 16, TACACS+ configured users with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del and see an error similar to the following:

ERROR: You do not have permission to execute that command.

To work around this issue, remove the DEFAULT user from the TACACS+ server. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2553677](#2553677)
| When you configure an SNMPv3 user with the net-snmp-config configuration command from the libsnmp-dev package, you get an error message similar to the one below:

cumulus@switch:mgmt-vrf:~$ sudo net-snmp-config --create-snmpv3-user -a shaauthpass -x aesprivpass -A SHA -X AES userSHAwithAES
adding the following line to /var/lib/snmp/snmpd.conf:           
   createUser userSHAwithAES SHA "shaauthpass" AES "aesprivpass"       
adding the following line to /snmp/snmpd.conf:                           
   rwuser userSHAwithAES                                           
touch: cannot touch ‘/snmp/snmpd.conf’: No such file or directory
/usr/bin/net-snmp-create-v3-user: 144: /usr/bin/net-snmp-create-v3-user: cannot create /snmp/snmpd.conf: Directory nonexistent

To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:

cumulus@switch:mgmt-vrf:~$ net add snmp-server username user999 auth-md5 user999password encrypt-des user999encryption

Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation. | 3.7.13-3.7.16, 4.0.0-4.4.5 | | -| [2553237](#2553237)
| The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF.
NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF.

| 4.2.0-4.4.5 | | +| [2553237, 2552950](#2553237, 2552950)
| The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF.
NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF.

| 4.2.0-4.4.5 | | | [2553116](#2553116)
| When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure.
To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2553015](#2553015)
| If a neighbour contains a special character in PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail. | 3.7.10-3.7.16, 4.2.0-4.4.5 | | | [2552691](#2552691)
| On the EdgeCore AS4610 switch, the eth0 interface remains down when physically connected to a 1G interface.
To work around this issue, configure the link speed to 1000 and set auto-negotiation on for the eth0 interface, then flap eth0 with the ip link set eth0 down/up command to bring up the port. | 4.2.0-4.4.5 | | @@ -215,15 +215,15 @@ pdfhidden: True | [2548044](#2548044)
| When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor. | 3.7.12-3.7.15, 4.0.0-4.4.5 | 3.7.16| | [2547890](#2547890)
| QinQ across VXLAN on a traditional bridge does not work. | 4.1.0-4.4.5 | | | [2547782](#2547782)
| If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2547706](#2547706)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2547706, 2544456, 2549513](#2547706, 2544456, 2549513)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2547405](#2547405)
| When you restart the hsflowd service, you see a systemd warning message similar to the following:

Warning: The unit file, source configuration file or drop-ins of hsflowd@mgmt.service changed on disk. Run 'systemctl daemon-reload'.
| 4.0.0-4.4.5 | | | [2547120](#2547120)
| After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number), until you run the decode-syseeprom --init command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546991](#2546991)
| The FRR service does not provide a way for automation to know if the configuration applied properly.
To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546895](#2546895)
| If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:
bq. systemd[1]: switchd.service watchdog timeout (limit 2min)!
To workaround this issue, either reduce the number of configured interfaces and, or VLANs, or increase the systemd timeout for switchd.service
To increase the systemd timeout:1.Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter
2.Restart the switchd service with the sudo systemctl restart switchd.service command
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546874](#2546874)
| On the Dell S5232F, S5248F, S5296F, and S3048 switch, using the poweroff or halt commands does not fully power off the switch. | 4.0.0-4.4.5 | | | [2546255](#2546255)
| On the EdgeCore Minipack-AS8000 switch, a 100G DAC link does not come up when auto-negotiation is enabled on the neighbor. This switch does not support 100G DAC auto-negotiation at this time. | 4.0.0-4.4.5 | | -| [2546225](#2546225)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2546131](#2546131)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546225, 2541038](#2546225, 2541038)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546131, 2542979](#2546131, 2542979)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2545837](#2545837)
| If you use the NCLU commands to configure NTP and run the net add time ntp source command before you run the net add time ntp server iburst command, the /etc/ntp.conf file is misconfigured.
To work around this issue, run the net add time ntp server iburst command before you run the net add time ntp source command. | 3.7.10-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2545520](#2545520)
| The length of the netlink message is not set properly for non-bridge family type messages. The same length is used for both bridge and non-bridge even though the bridge family type message has an extra attribute. This causes extra bytes to be left over in non-bridge family type netlink messages. | 3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2545233](#2545233)
| On the Delta AG9032v1 switch, smonctl and sensors report inaccurate PSU current and power. | 4.0.0-4.4.5 | | @@ -232,22 +232,22 @@ pdfhidden: True | [2544968](#2544968)
| FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:

sudo sh -c "printf 'interface 50\nvrf TEST description L3 routing interface\n' >> /etc/frr/frr.conf"

should be:

sudo sh -c "printf 'interface 50 vrf TEST\ndescription L3 routing interface\n' >> /etc/frr/frr.conf"

To work around this issue, configure the interface manually in the /etc/frr/frr.conf file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544957](#2544957)
| NCLU incorrectly allows you to apply port security configuration on layer 2 and layer 3 ports that are not part of a bridge. | 4.0.0-4.4.5 | | | [2544953](#2544953)
| When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.
To work around this issue, run the sudo systemctl restart lldpd.service command. | 3.7.10-3.7.16, 4.0.0-4.4.5 | | -| [2544880](#2544880)
| When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. | 4.0.0-4.4.5 | | +| [2544880, 2544616, 2554202](#2544880, 2544616, 2554202)
| When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. | 4.0.0-4.4.5 | | | [2544723](#2544723)
| Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2544463](#2544463)
| Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | -| [2544456](#2544456)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | +| [2544456, 2546166, 2546167, 2547706, 2549513](#2544456, 2546166, 2546167, 2547706, 2549513)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544311](#2544311)
| Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544155](#2544155)
| NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order.

| 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544113](#2544113)
| Mac learning is not disabled by default on a double tagged peer link interface resulting in the MAC address changing between the MLAG bond and the peer link.
To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the etc/network/interfaces file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2543937](#2543937)
| An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause a FRR reload to time out.
To work around this issue, remove the interface alias description from iproute2. | 3.7.8-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543915](#2543915)
| When you enable a service in the management VRF, systemctl issues a warning similar to the following:
Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run 'systemctl daemon-reload' to reload unit
You can safely ignore this warning. | 4.0.0-5.9.5 | 5.10.0-5.16.1| | [2543900](#2543900)
| On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | | -| [2543841](#2543841)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | +| [2543841, 2544947](#2543841, 2544947)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | | [2543816](#2543816)
| On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages.
| 3.7.6-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2543781](#2543781)
| NCLU does not allow you to configure OSPF NSSAs. For example: 

cumulus@switch:~$ net add ospf area 0.0.0.1 nssa 
ERROR: Command not found. 
net add ospf area 0.0.0.1 nssa

To work around this issue, use FRR instead. For example: 

switch# configure terminal 
switch(config)# router ospf 
switch(config-router)# area 0.0.0.1 nssa
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543724](#2543724)
| If a hostname contains utf-8 characters, the NCLU net show lldp command outputs the following error: 

ERROR: 'ascii' codec can't encode character u'\xe9' in position 3: ordinal not in range(128) 
See /var/log/netd.log for more details.
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543646](#2543646)
| In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | | -| [2543401](#2543401)
| On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. | 4.0.0-4.4.5 | | +| [2543401, 2543014](#2543401, 2543014)
| On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. | 4.0.0-4.4.5 | | | [2543211](#2543211)
| In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2543164](#2543164)
| The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2543096](#2543096)
| When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | @@ -262,7 +262,7 @@ pdfhidden: True | [2540352](#2540352)
| When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a _match interface_ condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9 
net add routing route-map Proxy-ARP permit 30 match interface swp10

| 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2540340](#2540340)
| NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example: 
 
 cumulus@switch:~$ net add vrf mgmt

Tab completion for the net add vrf ip address
command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540274](#2540274)
| On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | -| [2540204](#2540204)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540204, 2713883](#2540204, 2713883)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540192](#2540192)
| The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540155](#2540155)
| On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2540042](#2540042)
| When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example: 
 
cumulus@switch:~$ sudo vtysh 
switch# configure terminal 
switch(config)# interface br0.100 
switch(config-if)# vrrp 1 priority 110 
switch(config-if)# vrrp 1 advertisement-interval 
switch(config-if)# end 
switch# write memory 
switch# exit 
cumulus@switch:~

| 3.7.4-3.7.16, 4.0.0-4.4.5 | | @@ -278,7 +278,7 @@ pdfhidden: True | [2538562](#2538562)
| On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.
After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.
To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.
Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G. | 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2538294](#2538294)
| If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2537699](#2537699)
| There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces: 
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
| 3.7.1-3.7.16, 4.0.0-4.4.5 | | -| [2537544](#2537544)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2537544, 2537365](#2537544, 2537365)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | | [2536576](#2536576)
| If you try to bring down several members of a bond remotely at the same time, the link state of one of the interfaces might not transition correctly to the down state; however, all links show down in hardware.
| 4.0.0-4.4.5 | | | [2536384](#2536384)
| The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2536256](#2536256)
| For an unresolved address, the IPROUTER default policer rule has been modified to _not_ match on packets exiting a TUNNEL and headed to the CPU to resolve the address via ARP. As a result, the following default rule no longer matches TUNNEL ingress packets. 
 
A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type 
IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100

These packets are now policed by catch all rules.
To work around this issue, the VPORT value on a TRIDENT switch must be changed from binary 011 to 100.
| 4.0.0-4.4.5 | | @@ -308,18 +308,18 @@ pdfhidden: True | [4647646](#4647646)
| If you configure policy-based routing (PBR) rules for more than 32 interfaces, only the rules assigned to the first 32 interfaces are installed in the kernel. | 4.4.2-5.14.0 | 5.15.0-5.16.1| | [4143345](#4143345)
| On the Trident3 switch, if you use NCLU to configure BGP neighbor shutdown, NCLU stops responding when you include more than 200 neighbors per peer group. If you do not use NCLU to configure BGP neighbor shutdown, you can configure a maximum of 300 neighbors per peer group. | 4.3.0-4.4.5 | | | [4004453](#4004453)
| The NVUE commands to delete SNMP users, and change authentication passwords and encryption passphrases are not successful. | 4.3.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| -| [3895042](#3895042)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| +| [3895042, 3895041](#3895042, 3895041)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3773177](#3773177)
| When you try to upgrade a switch from Cumulus Linux before 5.6.0 with package upgrade, you might see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.
cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt install ./cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt update
cumulus@switch:~$ sudo apt upgrade
| 4.0.0-4.4.5, 5.0.0-5.16.1 | | | [3684998](#3684998)
| DHCP lease information is not collected in the cl-support file. | 4.3.0-5.6.0 | 5.7.0-5.16.1| | [3528464](#3528464)
| Cumulus Linux might mark a layer 2 VLAN-tagged packet as a packet to CPU and the INPUT chain ACL might drop the packet. To work around this issue, add an additional addrtype match on the ACL to prevent an erroneous ACL match; for example:
[iptables]
-A INPUT -i swp+ -m addrtype --dst-type LOCAL -p tcp --sport 22 -j DROP
| 4.3.0-4.4.5 | | | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0-5.16.1| -| [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.16.1| +| [3474391, 3479772](#3474391, 3479772)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.16.1| | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.16.1| | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | | [3400244](#3400244)
| NCLU accepts multiple instances of same net add bgp commands and stores the configuration in the /etc/frr/frr.conf file when you run the net commit command. As a result, unintended commands might be processed during frr-reload. To work around this issue, edit the /etc/frr/frr.conf file to remove the duplicated entries. | 4.3.1-4.4.5 | | | [3395411](#3395411)
| For layer 3 interfaces configured on the switch, certain triggers, such as port flaps and subinterface flaps, or when configuring the ports to and from layer 2 and layer 3, cause the dummy internal VLAN to not free up, which can result in exhaustion of the dummy internal VLANs designated for the layer 3 interfaces. When this occurs, you see the following switchd log messages:
ERR dummy internal vlans exhaustedERR cannot allocate vlan for sub-interface
| 4.4.2-5.4.0 | 5.5.0-5.16.1| -| [3390022](#3390022)
| When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the peerlink.4095 interface stanza are duplicated. Subsequent ifreloads, or net commit commands fail until you manually remove the duplicated lines from this interface and run ifreload -a. | 4.2.1-4.4.5 | | -| [3389994](#3389994)
| During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbor entries cannot synchronize between MLAG nodes. During this transitory upgrade state, neighbor entry resolution relies on data plane traffic being forwarded to the CPU so ARP can resolve the necessary neighbor entry before traffic can go through the fastpath. | 4.4.0-5.4.0 | 4.3.2, 5.5.0-5.16.1| +| [3390022, 3323138](#3390022, 3323138)
| When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the peerlink.4095 interface stanza are duplicated. Subsequent ifreloads, or net commit commands fail until you manually remove the duplicated lines from this interface and run ifreload -a. | 4.2.1-4.4.5 | | +| [3389994, 3323143](#3389994, 3323143)
| During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbor entries cannot synchronize between MLAG nodes. During this transitory upgrade state, neighbor entry resolution relies on data plane traffic being forwarded to the CPU so ARP can resolve the necessary neighbor entry before traffic can go through the fastpath. | 4.4.0-5.4.0 | 4.3.2, 5.5.0-5.16.1| | [3387852](#3387852)
| If you remove NGINX from the switch, then run apt autoremove, switchd does not reload because the libyaml-0-2 and python-yaml packages are missing; these packages are required for switchd consistency checking. To work around this issue, reinstall the libyaml-0-2 and python-yaml packages. | 4.4.0-4.4.5 | | | [3368217](#3368217)
| When daylight saving time changes, the MLAG initDelay timer resets and all MLAG bonds go down. | 4.4.4-4.4.5 | | | [3339249](#3339249)
| The sensors.conf files in Cumulus Linux are out of date. | 4.2.1-4.4.5 | | @@ -329,7 +329,7 @@ pdfhidden: True | [3303105](#3303105)
| Clagd crash is observed with the following traceback in /var/log/clagd.log following a clag sync event which is typically driven by a peerlink up event:
unhandled exception:
Traceback (most recent call last):
File "/usr/sbin/clagd", line 1304, in PeerRecvT
PeerRecv()
File "/usr/sbin/clagd", line 513, in PeerRecv
ParseProtoBufMessage(nlm, myPeerMsg)
File "/usr/sbin/clagd", line 853, in ParseProtoBufMessage
msgData = FdbSync.ParseProtoBufMessage(msgHdr)
File "/usr/lib/python3/dist-packages/clag/fdbsync.py", line 892, in ParseProtoBufMessage
msgData.ParseFromString(msgHdr.data)
google.protobuf.message.DecodeError: Error parsing message | 4.4.0-4.4.5 | | | [3293110](#3293110)
| You cannot set the NTF router flag (NTF_ROUTER) on neighbor entries from the user space. | 4.4.2-4.4.5 | | | [3292873](#3292873)
| When you run ZTP manually with the ztp -R command, then the ztp -vb command, the process stalls indefinitely while searching the local (USB) location and not using DHCP information. To work around this issue, run the ztp -r command with the URL of the ZTP server:
[Dec-08-17:09:58] root@switch:/home/cumulus#  ztp -r http://myztp.server.local/ztp
| 4.4.2-4.4.5 | | -| [3291548](#3291548)
| In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. | 4.2.1-4.4.5 | 5.0.0-5.16.1| +| [3291548, 2434628](#3291548, 2434628)
| In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. | 4.2.1-4.4.5 | 5.0.0-5.16.1| | [3289482](#3289482)
| When the switch needs to forward a frame that has a source MAC address of 00:00:00:00:00:00, the dmesg log might report the message bridge: RTM_NEWNEIGH with invalid ether address in a loop every 30 seconds. The log message is harmless and frames with that MAC forward correctly. | 4.4.3-5.3.1 | 5.4.0-5.16.1| | [3284719](#3284719)
| Certain EVPN multihoming show commands might cause the bgpd service to crash if you use the json flag and try to reference the default VRF by name. For example: show bgp l2vpn evpn es-vrf json. | 4.4.2-4.4.5 | | | [3271684](#3271684)
| After you restart the FRR service, show commands incorrectly reflect the VLAN associated with layer 3 VNIs as 0:
# net show evpn vni 123VNI: 123Type: L3Tenant VRF: BLUEVlan: 0
| 4.4.3-5.3.1 | 5.4.0-5.16.1| @@ -348,9 +348,9 @@ pdfhidden: True | [3209699](#3209699)
| RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users)
| 3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.16.1| | [3205701](#3205701)
| A firmware upgrade has been implemented to optimize the PCIe bus between the CPU and Spectrum ASIC on NVIDIA SN4700, SN4600, SN4600C, and SN4410 switches manufactured with 0x26 1 17 in EEPROM. Affected switches will not boot properly without this firmware upgrade. To see the EEPROM value, run the onie-syseeprom command from ONIE or run the decode-syseeprom command from Cumulus Linux. | 4.4.4-5.2.0 | 5.2.1-5.16.1| | [3191517](#3191517)
| When a switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-4.3.1, 4.4.0-5.2.1 | 4.3.2, 5.3.0-5.16.1| -| [3168564](#3168564)
| In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), switchd might crash when you restart clagd or when all bonds go operationally down, then up
On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. | 4.3.1-4.4.5 | | +| [3168564, 3198302](#3168564, 3198302)
| In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), switchd might crash when you restart clagd or when all bonds go operationally down, then up
On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. | 4.3.1-4.4.5 | | | [3163845](#3163845)
| If bond slaves listed in the /etc/network/interfaces file are not in alphabetical order, the bond interface MAC address can change when you run ifreload. For example, if the bond slaves in the /etc/network/interfaces file are listed as swp32 swp31, the switch initially uses the MAC address for swp32 as the bond MAC address. An another ifreload can cause this to change to use the MAC address for swp31 as the bond MAC address, which can cause protocol issues, such as IPv6 link-local address changes. | 4.3.1-4.4.5 | | -| [3157240](#3157240)
| When you try to query REDECN counters with the mlxcmd utility on a bond member port with the following commands, syslog reports an error
sudo /usr/lib/cumulus/mlxcmd roce counters --port sudo /usr/lib/cumulus/mlxcmd qos counters --clear --port
| 4.4.4-5.1.0 | 5.2.0-5.16.1| +| [3157240, 3173622](#3157240, 3173622)
| When you try to query REDECN counters with the mlxcmd utility on a bond member port with the following commands, syslog reports an error
sudo /usr/lib/cumulus/mlxcmd roce counters --port sudo /usr/lib/cumulus/mlxcmd qos counters --clear --port
| 4.4.4-5.1.0 | 5.2.0-5.16.1| | [3150317](#3150317)
| During a host failure, where a link remains up but LACP stops being sent, the EVPN multihoming ES bond goes into bypass mode active without a link state change. | 4.4.2-5.2.1 | 5.3.0-5.16.1| | [3138746](#3138746)
| The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0-5.1.0 | 5.2.0-5.16.1| | [3138057](#3138057)
| When the next hop interface for EVPN type 5 routes flaps, FRR might uninstall the routes and Route install failed appears in /var/log/frr/frr.log. To work around this problem, restart FRR with the sudo systemctl restart frr command. | 4.4.0-5.2.1 | 5.3.0-5.16.1| @@ -368,10 +368,10 @@ pdfhidden: True | [3072613](#3072613)
| When you delete a bond interface with NCLU, BGP peer group configuration is removed. | 3.7.15-3.7.16, 4.3.0-4.4.5 | | | [3071652](#3071652)
| On rare occasions, after you reboot or restart switchd on a Spectrum 1 switch, any 25G connections with Direct Attach Copper (DAC) cables that connect from the switch to a non-NVIDIA device might flap continuously. To work around this issue, bring the affected link administratively down for a few seconds on the non-NVIDIA device, then bring the link back up. | 4.4.4-4.4.5, 5.1.0-5.16.1 | | | [3070672](#3070672)
| TACACS Command Authorization results in a traceback error and command is not executed | 4.4.0-4.4.5 | | -| [3059135](#3059135)
| In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route
To resolve this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| -| [3046023](#3046023)
| The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. | 4.2.1-5.1.0 | 5.2.0-5.16.1| -| [3034435](#3034435)
| In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community. | 4.4.4-5.4.0 | 5.5.0-5.16.1| -| [3032234](#3032234)
| In BGP unnumbered, when you try to remove an interface from the underlay default VRF with the NVUE nv unset vrf default router bgp neighbor command, the command fails to apply. | 4.4.2-5.0.1 | 5.1.0-5.16.1| +| [3059135, 3060400](#3059135, 3060400)
| In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route
To resolve this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| +| [3046023, 3096918](#3046023, 3096918)
| The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. | 4.2.1-5.1.0 | 5.2.0-5.16.1| +| [3034435, 3101184](#3034435, 3101184)
| In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community. | 4.4.4-5.4.0 | 5.5.0-5.16.1| +| [3032234, 3163643](#3032234, 3163643)
| In BGP unnumbered, when you try to remove an interface from the underlay default VRF with the NVUE nv unset vrf default router bgp neighbor command, the command fails to apply. | 4.4.2-5.0.1 | 5.1.0-5.16.1| | [3021838](#3021838)
| PBR rules that you apply to interfaces in the default VRF install in the kernel with the action lookup local. As a result, packets that match this rule only perform a route lookup in the local table (which contains special routes for local IP addresses and broadcast addresses) but not in the main table (which contains unicast routes). As a result, policy routing might be applied to traffic incorrectly. | 4.4.2-5.0.1 | 5.1.0-5.16.1| | [3008388](#3008388)
| When you set vlan-bridge-binding on for a VLAN interface, the VLAN interface status does not change to down even when all bridge member ports are down. | 4.4.3-5.0.1 | 5.1.0-5.16.1| | [2994402](#2994402)
| When you run ifquery as non-root, EVPN multihoming bond configuration fails
To work around this issue, always use sudo when running ifupdown2 commands (ifup, ifreload, ifdown, and ifquery). | 4.4.2-5.0.1 | 5.1.0-5.16.1| @@ -385,7 +385,7 @@ pdfhidden: True | [2943080](#2943080)
| The overlay ASN is removed after a route flap. | 4.4.0-5.0.1 | 5.1.0-5.16.1| | [2933466](#2933466)
| You cannot run NVUE commands to configure route leaking. To work around this issue, create a snippet in yaml format and add the configuration to the /etc/frr/frr.conf file. | 4.4.0-5.0.1 | 5.1.0-5.16.1| | [2913859](#2913859)
| ECMP error messages, similar to the following, show in log files:
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:361 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:621 ERR ECMP: failed to CREATE static ecmp in hwDec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:656 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1540 ERR ECMP: failed to allocate hw ecmp status No More ResourcesDec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1561 ERR ECMP: error allocating static ecmpDec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:2207 ERR ECMP: failed to find ecmp container
| 4.4.0-5.0.1 | 5.1.0-5.16.1| -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | | [2902013](#2902013)
| The NCLU commit command adds a five second delay. | 4.2.1-4.4.5 | | | [2875279](#2875279)
| In a scaled EVPN-MLAG configuration (observed with 400 or more VNIs and 20K or more MAC addresses – the actual scale might vary), when the peer link flaps causing all VNIs to come up at the same time, there might be high CPU utilization on the system for several minutes and the FRR service might restart. After FRR restarts or the CPU utilization settles down, the system functions normally. | 4.2.1-4.3.0, 4.4.0-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.16.1| | [2860323](#2860323)
| If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry. | 4.4.0-5.0.1 | 5.1.0-5.16.1| @@ -408,8 +408,8 @@ pdfhidden: True | [2792616](#2792616)
| If a neighbor entry (ARP or NDP) is used as a next hop of a route that is synchronized into hardware, the neighbor entry is not removed from hardware after the neighbor is no longer reachable. As a result, routed traffic matching this prefix is incorrectly hardware forwarded through the stale neighbor information. | 4.3.0-4.4.5 | 5.0.0-5.16.1| | [2788780](#2788780)
| When you enable ARP and ND suppression and the switch forwards ARP and ND packets to the kernel, RX_DRP counters might increment but the packets are processed as normal. | 4.4.0-4.4.5 | | | [2781537](#2781537)
| In Cumulus VX, the iptables FORWARD chain does not count hits. To work around this issue, use -t mangle -A PREROUTING instead of FORWARD. | 4.3.0-4.4.5 | 5.0.0-5.16.1| -| [2780915](#2780915)
| In NVUE, you can't deactivate the IPv4 address family per neighbor. | 4.4.0-4.4.5 | 5.0.0-5.16.1| -| [2780834](#2780834)
| To enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.16.1| +| [2780915, 2556028](#2780915, 2556028)
| In NVUE, you can't deactivate the IPv4 address family per neighbor. | 4.4.0-4.4.5 | 5.0.0-5.16.1| +| [2780834, 2555981](#2780834, 2555981)
| To enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.16.1| | [2780211](#2780211)
| When you use the NVUE nv set vrf default router bgp peer local-as asn command to configure a local AS, Cumulus Linux does not update the etc/frr/frr.conf file. | 4.4.0-4.4.5 | 5.0.0-5.16.1| | [2771653](#2771653)
| When using W-ECMP, the weights for various BGP next hops can sometimes be in the range of 100s or more, which consumes a lot of hardware space. | 4.3.0-4.4.5 | | | [2770226](#2770226)
| In an MLAG configuration with traditional bridges, MAC addresses are seen over peer link during ifreload when adding new VLANS or bridges. | 3.7.14.2-3.7.15, 4.3.0-4.4.5 | 3.7.16, 5.0.0-5.16.1| @@ -417,18 +417,18 @@ pdfhidden: True | [2754791](#2754791)
| Remote MAC addreses in zebra are out of sync with bgpd. The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP. | 3.7.14.2-3.7.16, 4.3.0-4.4.5 | | | [2753955](#2753955)
| On the Lenovo MSN3700 switch, if you try to configure an interface with a link speed of 200G, the configuration fails. | 4.2.1-4.4.5 | 5.0.0-5.16.1| | [2752330](#2752330)
| With BGP and layer 2 forwarding, Smart System Manager warm boot mode can cause packet loss. | 4.4.0-4.4.5 | 5.0.0-5.16.1| -| [2747750](#2747750)
| Links connected between a Spectrum 2 switch configured for warm boot and Spectrum 3 switches configured for cold boot might not come up when the switches are booted. | 4.4.2-4.4.5 | 5.0.0-5.16.1| -| [2743186](#2743186)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| +| [2747750, 2782819](#2747750, 2782819)
| Links connected between a Spectrum 2 switch configured for warm boot and Spectrum 3 switches configured for cold boot might not come up when the switches are booted. | 4.4.2-4.4.5 | 5.0.0-5.16.1| +| [2743186, 2734100, 2731464, 3438708](#2743186, 2734100, 2731464, 3438708)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| | [2739402](#2739402)
| The destination MAC address of ERSPAN GRE packets is set to all zeros. | 4.3.0-4.4.5 | 5.0.0-5.16.1| | [2739398](#2739398)
| Cumulus Linux does not support a bond or bond member as a SPAN destination. | 4.4.0-4.4.5 | 4.3.1| -| [2738040](#2738040)
| In an EVPN multihoming configuration, unicast ARP requests are not forwarded when the local Ethernet segment is down. | 4.4.0-4.4.5 | | -| [2736244](#2736244)
| When you run the vtysh command to enable BGP graceful restart on a peer multiple times, the command fails with the following error:
% The Graceful Restart command used is not valid at this moment.
| 4.4.0-4.4.5 | 5.0.0-5.16.1| +| [2738040, 2738041](#2738040, 2738041)
| In an EVPN multihoming configuration, unicast ARP requests are not forwarded when the local Ethernet segment is down. | 4.4.0-4.4.5 | | +| [2736244, 2736249](#2736244, 2736249)
| When you run the vtysh command to enable BGP graceful restart on a peer multiple times, the command fails with the following error:
% The Graceful Restart command used is not valid at this moment.
| 4.4.0-4.4.5 | 5.0.0-5.16.1| | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | | [2734103](#2734103)
| ACL [No More Resources] messages keep appearing and you can't reinstall the ACL. | 4.3.0-5.1.0 | 5.2.0-5.16.1| | [2732605](#2732605)
| The ESI line of show bgp l2vpn evpn route command always shows VNI: 0. This is a cosmetic software issue. | 4.3.0-4.4.5 | 5.0.0-5.16.1| | [2730447](#2730447)
| The bridge MAC address is updated during a port change on bridge interfaces. | 4.3.0, 4.4.0-4.4.5 | 4.3.1, 5.0.0-5.16.1| -| [2728119](#2728119)
| When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-4.4.5 | 5.0.0-5.16.1| -| [2713888](#2713888)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| +| [2728119, 2729309](#2728119, 2729309)
| When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-4.4.5 | 5.0.0-5.16.1| +| [2713888, 2834357](#2713888, 2834357)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| | [2711533](#2711533)
| On the AS7326-56X switch, the link lights for 25G ports configured to work at 1G do not illuminate. | 4.2.1-4.4.5 | | | [2710208](#2710208)
| The net show bgp neighbor command output does not reflect the correct BFD status. This is a cosmetic issue. To work around this issue, run the NCLU net show bfd command to verify the correct state of BFD. | 4.2.1-4.4.5 | | | [2700767](#2700767)
| Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use a MLAG peer IP linklocal configuration. | 3.7.12-3.7.15, 4.3.0-4.4.5 | 3.7.16| @@ -441,7 +441,7 @@ pdfhidden: True | [2639303](#2639303)
| When you use NCLU to delete a bond, then add an interface, NCLU reports an error similar to the following:
ERROR: 'NoneType' object has no attribute 'conf_key_value_multiple_values'See /var/log/netd.log for more details.
| 4.3.0-4.4.5 | | | [2621244](#2621244)
| When a VRF name includes evpn, the NCLU net show bgp vrf command fails with the error ERROR: The call to /usr/bin/vtysh failed. To work around this issue, do not use evpn in the VRF name or run the desired commands directly from FRR with vtysh. | 4.3.0-4.4.5 | | | [2618227](#2618227)
| The NCLU net show bridge macs command displays permanent MAC addresses for trunked VLANs. | 4.3.0-4.4.5 | | -| [2606326](#2606326)
| If the IGMP and MLD querier is configured on only one of the peer switches in an MLAG configuration, when IGMP packets are sent to the peer with no querier, IGMP leave messages have no effect. | 4.4.0-4.4.5 | | +| [2606326, 2583925](#2606326, 2583925)
| If the IGMP and MLD querier is configured on only one of the peer switches in an MLAG configuration, when IGMP packets are sent to the peer with no querier, IGMP leave messages have no effect. | 4.4.0-4.4.5 | | | [2599274](#2599274)
| On Mellanox Spectrum switches, when there is an MSTP forwarding state change on a bonds (for example, when the state changes from blocking to forwarding), the MSTP hardware table might set some VLANs to blocking when they should be forwarding. A a result, all packets on these VLANs drop at ingress
To recover from this state, flap the bond interface (not the physical swp) by running ifdown ; sleep 1 ; ifup . | 4.3.0-4.4.5 | 5.0.0-5.16.1| | [2596458](#2596458)
| When bridge.unreg_v6_mcast_prune = TRUE is configured in the /etc/cumulus/switchd.conf file, traffic destined to IPv6 link-local multicast addresses might not be flooded within the bridge
To work around this issue, disable pruning for IPv6 multicast by setting bridge.unreg_v6_mcast_prune = FALSE in the /etc/cumulus/switchd.conf file. | 4.4.0-4.4.5 | | | [2574368](#2574368)
| When you run the NCLU net add bgp maximum-paths ibgp command, FRR restarts unexpectedly
To work around this issue, either use the vtysh commands or edit the /etc/frr/frr.conf file directly, then run systemctl reload frr. | 4.1.1-4.4.5 | | @@ -449,7 +449,7 @@ pdfhidden: True | [2556369](#2556369)
| If you use NCLU to configure an ACL for eth0, you can't designate it as an INPUT rule; the rule is automatically created as a FORWARD rule in the /etc/cumulus/acl/policy.d/50_nclu_acl.rules file.
To work around this issue, manually create an ACL in the /etc/cumulus/acl/policy.d/ file with "-A INPUT -i eth0". | 4.2.1-4.4.5 | | | [2556082](#2556082)
| The NCLU net del vrf command does not delete a numbered VRF. For example:

cumulus@leaf01:~$ net del vrf 55
ERROR: Command not found
| 4.2.1-4.4.5 | | | [2556081](#2556081)
| You cannot set the time zone can with NCLU commands. | 4.1.1-4.4.5 | | -| [2555981](#2555981)
| In BGP, to enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.16.1| +| [2555981, 2584227, 2780834](#2555981, 2584227, 2780834)
| In BGP, to enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.16.1| | [2555873](#2555873)
| On Mellanox switches, egress ACLs with VLAN keys do not filter layer 2 multicast or broadcast traffic. | 4.3.0-4.4.5 | | | [2555763](#2555763)
| The NCLU net del bgp neighbor command does not delete the neighbor and displays an error similar to the following:

ERROR: --- /run/nclu/frr/frr.conf.scratchpad.baseline   2021-01-04 17:23:59.250463331 +0000
+++ /run/nclu/frr/frr.conf.scratchpad    2021-01-04 17:25:59.213673980 +0000

To work around this issue, use the FRR command to delete a neighbor. | 4.3.0-4.4.5 | | | [2555613](#2555613)
| The net show configuration commands command incorrectly displays the NCLU syntax to disable IPv6 forwarding on interfaces. For example:

# net show configuration commands
net add vlan 1 ip6-forward off

The correct NCLU command to disable IPv6 forwarding is net add vlan 1 ipv6 forward off (without the hyphen). | 4.2.1-4.4.5 | | @@ -462,13 +462,13 @@ pdfhidden: True | [2554582](#2554582)
| On switches with the Maverick ASIC, control traffic is dropped due to receive buffering. | 4.2.0-4.4.5 | | | [2554533](#2554533)
| On the ARM platform, NTP peer associations slowly increase to larger offsets (~500ms). | 4.0.0-4.4.5 | | | [2554466](#2554466)
| Kernel routes added by iproute2 are missing in FRR after an interface flap.
To work around this issue, configure a static route in FRR.
| 4.2.1-4.4.5 | | -| [2554222](#2554222)
| The NCLU command to enable bridge learning fails.
As a work around, enable bridge learning in the /etc/network/interface file. For example:

auto vni-30
iface vni-30
    vxlan-id 30
    bridge-access 30
    bridge-arp-nd-suppress on
    bridge-learning on
    vxlan-local-tunnelip 10.10.10.1
    mstpctl-bpduguard yes
    mstpctl-portbpdufilter yes
    mtu 9166
| 4.2.1-4.4.5 | | +| [2554222, 2614073](#2554222, 2614073)
| The NCLU command to enable bridge learning fails.
As a work around, enable bridge learning in the /etc/network/interface file. For example:

auto vni-30
iface vni-30
    vxlan-id 30
    bridge-access 30
    bridge-arp-nd-suppress on
    bridge-learning on
    vxlan-local-tunnelip 10.10.10.1
    mstpctl-bpduguard yes
    mstpctl-portbpdufilter yes
    mtu 9166
| 4.2.1-4.4.5 | | | [2554218](#2554218)
| MLAG packets received on the peer link are dropped instead of routed. | 4.2.0-4.4.5 | | -| [2554202](#2554202)
| The output of the net show commit command does not show the last commit or the specified commit number but is empty instead. | 4.2.1-4.4.5 | | +| [2554202, 2544880](#2554202, 2544880)
| The output of the net show commit command does not show the last commit or the specified commit number but is empty instead. | 4.2.1-4.4.5 | | | [2553989](#2553989)
| Default policer configured for LACP as an INPUT chain rule in 00control_plane.rules is meant to protect CPU from an LACP storm. When LACP storm is originating out of a single bond or bond member interface in a switch with multiple bond interfaces, there is a possibility of other LACP bond interface(s) going down. | 4.2.1-4.4.5 | | | [2553887](#2553887)
| When using TACACS+ configured with a DEFAULT user providing privilege level lower than 16, TACACS+ configured users with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del and see an error similar to the following:

ERROR: You do not have permission to execute that command.

To work around this issue, remove the DEFAULT user from the TACACS+ server. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2553677](#2553677)
| When you configure an SNMPv3 user with the net-snmp-config configuration command from the libsnmp-dev package, you get an error message similar to the one below:

cumulus@switch:mgmt-vrf:~$ sudo net-snmp-config --create-snmpv3-user -a shaauthpass -x aesprivpass -A SHA -X AES userSHAwithAES
adding the following line to /var/lib/snmp/snmpd.conf:           
   createUser userSHAwithAES SHA "shaauthpass" AES "aesprivpass"       
adding the following line to /snmp/snmpd.conf:                           
   rwuser userSHAwithAES                                           
touch: cannot touch ‘/snmp/snmpd.conf’: No such file or directory
/usr/bin/net-snmp-create-v3-user: 144: /usr/bin/net-snmp-create-v3-user: cannot create /snmp/snmpd.conf: Directory nonexistent

To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:

cumulus@switch:mgmt-vrf:~$ net add snmp-server username user999 auth-md5 user999password encrypt-des user999encryption

Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation. | 3.7.13-3.7.16, 4.0.0-4.4.5 | | -| [2553237](#2553237)
| The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF.
NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF.

| 4.2.0-4.4.5 | | +| [2553237, 2552950](#2553237, 2552950)
| The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF.
NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF.

| 4.2.0-4.4.5 | | | [2553116](#2553116)
| When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure.
To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2553015](#2553015)
| If a neighbour contains a special character in PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail. | 3.7.10-3.7.16, 4.2.0-4.4.5 | | | [2552691](#2552691)
| On the EdgeCore AS4610 switch, the eth0 interface remains down when physically connected to a 1G interface.
To work around this issue, configure the link speed to 1000 and set auto-negotiation on for the eth0 interface, then flap eth0 with the ip link set eth0 down/up command to bring up the port. | 4.2.0-4.4.5 | | @@ -506,15 +506,15 @@ pdfhidden: True | [2548044](#2548044)
| When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor. | 3.7.12-3.7.15, 4.0.0-4.4.5 | 3.7.16| | [2547890](#2547890)
| QinQ across VXLAN on a traditional bridge does not work. | 4.1.0-4.4.5 | | | [2547782](#2547782)
| If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2547706](#2547706)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2547706, 2544456, 2549513](#2547706, 2544456, 2549513)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2547405](#2547405)
| When you restart the hsflowd service, you see a systemd warning message similar to the following:

Warning: The unit file, source configuration file or drop-ins of hsflowd@mgmt.service changed on disk. Run 'systemctl daemon-reload'.
| 4.0.0-4.4.5 | | | [2547120](#2547120)
| After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number), until you run the decode-syseeprom --init command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546991](#2546991)
| The FRR service does not provide a way for automation to know if the configuration applied properly.
To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546895](#2546895)
| If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:
bq. systemd[1]: switchd.service watchdog timeout (limit 2min)!
To workaround this issue, either reduce the number of configured interfaces and, or VLANs, or increase the systemd timeout for switchd.service
To increase the systemd timeout:1.Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter
2.Restart the switchd service with the sudo systemctl restart switchd.service command
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546874](#2546874)
| On the Dell S5232F, S5248F, S5296F, and S3048 switch, using the poweroff or halt commands does not fully power off the switch. | 4.0.0-4.4.5 | | | [2546255](#2546255)
| On the EdgeCore Minipack-AS8000 switch, a 100G DAC link does not come up when auto-negotiation is enabled on the neighbor. This switch does not support 100G DAC auto-negotiation at this time. | 4.0.0-4.4.5 | | -| [2546225](#2546225)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2546131](#2546131)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546225, 2541038](#2546225, 2541038)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546131, 2542979](#2546131, 2542979)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2545837](#2545837)
| If you use the NCLU commands to configure NTP and run the net add time ntp source command before you run the net add time ntp server iburst command, the /etc/ntp.conf file is misconfigured.
To work around this issue, run the net add time ntp server iburst command before you run the net add time ntp source command. | 3.7.10-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2545520](#2545520)
| The length of the netlink message is not set properly for non-bridge family type messages. The same length is used for both bridge and non-bridge even though the bridge family type message has an extra attribute. This causes extra bytes to be left over in non-bridge family type netlink messages. | 3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2545233](#2545233)
| On the Delta AG9032v1 switch, smonctl and sensors report inaccurate PSU current and power. | 4.0.0-4.4.5 | | @@ -523,22 +523,22 @@ pdfhidden: True | [2544968](#2544968)
| FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:

sudo sh -c "printf 'interface 50\nvrf TEST description L3 routing interface\n' >> /etc/frr/frr.conf"

should be:

sudo sh -c "printf 'interface 50 vrf TEST\ndescription L3 routing interface\n' >> /etc/frr/frr.conf"

To work around this issue, configure the interface manually in the /etc/frr/frr.conf file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544957](#2544957)
| NCLU incorrectly allows you to apply port security configuration on layer 2 and layer 3 ports that are not part of a bridge. | 4.0.0-4.4.5 | | | [2544953](#2544953)
| When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.
To work around this issue, run the sudo systemctl restart lldpd.service command. | 3.7.10-3.7.16, 4.0.0-4.4.5 | | -| [2544880](#2544880)
| When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. | 4.0.0-4.4.5 | | +| [2544880, 2544616, 2554202](#2544880, 2544616, 2554202)
| When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. | 4.0.0-4.4.5 | | | [2544723](#2544723)
| Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2544463](#2544463)
| Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | -| [2544456](#2544456)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | +| [2544456, 2546166, 2546167, 2547706, 2549513](#2544456, 2546166, 2546167, 2547706, 2549513)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544311](#2544311)
| Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544155](#2544155)
| NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order.

| 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544113](#2544113)
| Mac learning is not disabled by default on a double tagged peer link interface resulting in the MAC address changing between the MLAG bond and the peer link.
To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the etc/network/interfaces file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2543937](#2543937)
| An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause a FRR reload to time out.
To work around this issue, remove the interface alias description from iproute2. | 3.7.8-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543915](#2543915)
| When you enable a service in the management VRF, systemctl issues a warning similar to the following:
Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run 'systemctl daemon-reload' to reload unit
You can safely ignore this warning. | 4.0.0-5.9.5 | 5.10.0-5.16.1| | [2543900](#2543900)
| On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | | -| [2543841](#2543841)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | +| [2543841, 2544947](#2543841, 2544947)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | | [2543816](#2543816)
| On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages.
| 3.7.6-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2543781](#2543781)
| NCLU does not allow you to configure OSPF NSSAs. For example: 

cumulus@switch:~$ net add ospf area 0.0.0.1 nssa 
ERROR: Command not found. 
net add ospf area 0.0.0.1 nssa

To work around this issue, use FRR instead. For example: 

switch# configure terminal 
switch(config)# router ospf 
switch(config-router)# area 0.0.0.1 nssa
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543724](#2543724)
| If a hostname contains utf-8 characters, the NCLU net show lldp command outputs the following error: 

ERROR: 'ascii' codec can't encode character u'\xe9' in position 3: ordinal not in range(128) 
See /var/log/netd.log for more details.
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543646](#2543646)
| In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | | -| [2543401](#2543401)
| On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. | 4.0.0-4.4.5 | | +| [2543401, 2543014](#2543401, 2543014)
| On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. | 4.0.0-4.4.5 | | | [2543211](#2543211)
| In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2543164](#2543164)
| The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2543096](#2543096)
| When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | @@ -553,7 +553,7 @@ pdfhidden: True | [2540352](#2540352)
| When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a _match interface_ condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9 
net add routing route-map Proxy-ARP permit 30 match interface swp10

| 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2540340](#2540340)
| NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example: 
 
 cumulus@switch:~$ net add vrf mgmt

Tab completion for the net add vrf ip address
command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540274](#2540274)
| On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | -| [2540204](#2540204)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540204, 2713883](#2540204, 2713883)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540192](#2540192)
| The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540155](#2540155)
| On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2540042](#2540042)
| When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example: 
 
cumulus@switch:~$ sudo vtysh 
switch# configure terminal 
switch(config)# interface br0.100 
switch(config-if)# vrrp 1 priority 110 
switch(config-if)# vrrp 1 advertisement-interval 
switch(config-if)# end 
switch# write memory 
switch# exit 
cumulus@switch:~

| 3.7.4-3.7.16, 4.0.0-4.4.5 | | @@ -569,7 +569,7 @@ pdfhidden: True | [2538562](#2538562)
| On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.
After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.
To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.
Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G. | 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2538294](#2538294)
| If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2537699](#2537699)
| There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces: 
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
| 3.7.1-3.7.16, 4.0.0-4.4.5 | | -| [2537544](#2537544)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2537544, 2537365](#2537544, 2537365)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | | [2536576](#2536576)
| If you try to bring down several members of a bond remotely at the same time, the link state of one of the interfaces might not transition correctly to the down state; however, all links show down in hardware.
| 4.0.0-4.4.5 | | | [2536384](#2536384)
| The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2536256](#2536256)
| For an unresolved address, the IPROUTER default policer rule has been modified to _not_ match on packets exiting a TUNNEL and headed to the CPU to resolve the address via ARP. As a result, the following default rule no longer matches TUNNEL ingress packets. 
 
A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type 
IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100

These packets are now policed by catch all rules.
To work around this issue, the VPORT value on a TRIDENT switch must be changed from binary 011 to 100.
| 4.0.0-4.4.5 | | @@ -592,9 +592,9 @@ pdfhidden: True | [3297171](#3297171)
| Restarting switchd might fail due an ACL SPAN module initialization failure. | 4.4.2-4.4.3 | | | [3107615](#3107615)
| ONIE installation over HTTP fails if the web server hosting the installation image returns valid HTML content when ONIE requests an optional_pkgs file that does not exist. To work around this issue, configure the hosting web server to return an HTTP 404 code when the non-existant file is requested, or host an empty file on the web server with the format .optional_pkgs. | 4.2.1-4.3.0 | | | [3094082](#3094082)
| If you apply a PBR policy with a next hop group but the next hop is not reachable, the PBR service crashes. | 4.4.0-4.4.3 | | -| [3091381](#3091381)
| Restarting switchd might fail due to an ACL SPAN module initialization failure. | 4.4.2-4.4.3 | | +| [3091381, 2804508](#3091381, 2804508)
| Restarting switchd might fail due to an ACL SPAN module initialization failure. | 4.4.2-4.4.3 | | | [3089165](#3089165)
| A slow memory leak might occur in switchd} if the route fails to install in hardware when hardware resources are exhausted. | 4.2.1-4.4.3 | | -| [3089148](#3089148)
| The clagd process uses 100 percent CPU and eventually crashes with an Unable to allocate memory error
This issue impacts customers with these conditions: CL 5.1.0, CLAG, NTP, and a switch that has been powered off for some time (i.e. the clock may have drifted) prior to initial boot. | 5.1.0 | | +| [3089148, 3334028](#3089148, 3334028)
| The clagd process uses 100 percent CPU and eventually crashes with an Unable to allocate memory error
This issue impacts customers with these conditions: CL 5.1.0, CLAG, NTP, and a switch that has been powered off for some time (i.e. the clock may have drifted) prior to initial boot. | 5.1.0 | | | [3084476](#3084476)
| After you disable traffic shaping in the /etc/cumulus/datapath/qos/qos_features.conf file, the default QOS traffic shaping configuration does not restore. To work around this issue, restart switchd. | 4.4.3, 5.0.0-5.16.1 | | | [3083265](#3083265)
| The snmpd process will slowly leak memory when you poll TCP-MIB objects. To work around this issue, restart the snmpd service to free memory with the systemctl restart snmpd command. | 4.4.0-4.4.3 | | | [3082583](#3082583)
| On the NVIDIA SN3420, the smonctl command output shows the maximum PSU temperature higher than the critical temperature. | 4.4.2-4.4.3, 5.0.0-5.1.0 | | @@ -607,7 +607,7 @@ pdfhidden: True | [3031228](#3031228)
| In a static VXLAN configuration with a traditional or single VXLAN device, enabling bridge learning on the VNI leads to an incorrect warning and the setting is removed in the next commit. The warning is similar to the following:
warning: vni10: possible mis-configuration detected: l2-vni configured with bridge-learning ON while EVPN is also configured - these two parameters conflict with each other
| 4.4.0-4.4.3 | | | [3023256](#3023256)
| After you remove the port from the EVPN-MH bond, the port stays in the PRTDN state with the protodown flag ON. | 4.4.3 | | | [3021887](#3021887)
| On Spectrum-2 switches, when a packet has a CRC and the ports are in cut-though mode, the switch might stop forwarding traffic. | 4.4.2-4.4.3, 5.0.0-5.0.1 | | -| [3021879](#3021879)
| In some corner cases, remote MAC entries may be seen as locally learnt entries in FDB table due to switchd reprogramming it | 3.7.12-3.7.14.2 | | +| [3021879, 2545364, 3297583](#3021879, 2545364, 3297583)
| In some corner cases, remote MAC entries may be seen as locally learnt entries in FDB table due to switchd reprogramming it | 3.7.12-3.7.14.2 | | | [3021877](#3021877)
| After you configure a new VLAN on a bond, traffic might stop forwarding on the bond interface. This issue occurs only when you specify bridge-vids on the bond. This issue does not occur when you configure VLANs only on the bridge interface and let the bond get the bridge-vids applied from the bridge. | 5.0.0-5.0.1 | | | [3021698](#3021698)
| After you convert a port from a layer 2 bond member to a layer 3 port, the switch drops transmitted untagged packets as egress VLAN membership discards. | 4.4.2-4.4.3, 5.0.0-5.0.1 | | | [3021692](#3021692)
| When ARP suppression is off, GARPs from neighmgrd for remote neighbors are sent over VXLAN. | 3.7.15-4.3.0, 4.4.0-4.4.3, 5.0.0-5.1.0 | | @@ -624,18 +624,18 @@ pdfhidden: True | [4647646](#4647646)
| If you configure policy-based routing (PBR) rules for more than 32 interfaces, only the rules assigned to the first 32 interfaces are installed in the kernel. | 4.4.2-5.14.0 | 5.15.0-5.16.1| | [4143345](#4143345)
| On the Trident3 switch, if you use NCLU to configure BGP neighbor shutdown, NCLU stops responding when you include more than 200 neighbors per peer group. If you do not use NCLU to configure BGP neighbor shutdown, you can configure a maximum of 300 neighbors per peer group. | 4.3.0-4.4.5 | | | [4004453](#4004453)
| The NVUE commands to delete SNMP users, and change authentication passwords and encryption passphrases are not successful. | 4.3.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| -| [3895042](#3895042)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| +| [3895042, 3895041](#3895042, 3895041)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3773177](#3773177)
| When you try to upgrade a switch from Cumulus Linux before 5.6.0 with package upgrade, you might see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.
cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt install ./cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt update
cumulus@switch:~$ sudo apt upgrade
| 4.0.0-4.4.5, 5.0.0-5.16.1 | | | [3684998](#3684998)
| DHCP lease information is not collected in the cl-support file. | 4.3.0-5.6.0 | 5.7.0-5.16.1| | [3528464](#3528464)
| Cumulus Linux might mark a layer 2 VLAN-tagged packet as a packet to CPU and the INPUT chain ACL might drop the packet. To work around this issue, add an additional addrtype match on the ACL to prevent an erroneous ACL match; for example:
[iptables]
-A INPUT -i swp+ -m addrtype --dst-type LOCAL -p tcp --sport 22 -j DROP
| 4.3.0-4.4.5 | | | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0-5.16.1| -| [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.16.1| +| [3474391, 3479772](#3474391, 3479772)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.16.1| | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.16.1| | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | | [3400244](#3400244)
| NCLU accepts multiple instances of same net add bgp commands and stores the configuration in the /etc/frr/frr.conf file when you run the net commit command. As a result, unintended commands might be processed during frr-reload. To work around this issue, edit the /etc/frr/frr.conf file to remove the duplicated entries. | 4.3.1-4.4.5 | | | [3395411](#3395411)
| For layer 3 interfaces configured on the switch, certain triggers, such as port flaps and subinterface flaps, or when configuring the ports to and from layer 2 and layer 3, cause the dummy internal VLAN to not free up, which can result in exhaustion of the dummy internal VLANs designated for the layer 3 interfaces. When this occurs, you see the following switchd log messages:
ERR dummy internal vlans exhaustedERR cannot allocate vlan for sub-interface
| 4.4.2-5.4.0 | 5.5.0-5.16.1| -| [3390022](#3390022)
| When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the peerlink.4095 interface stanza are duplicated. Subsequent ifreloads, or net commit commands fail until you manually remove the duplicated lines from this interface and run ifreload -a. | 4.2.1-4.4.5 | | -| [3389994](#3389994)
| During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbor entries cannot synchronize between MLAG nodes. During this transitory upgrade state, neighbor entry resolution relies on data plane traffic being forwarded to the CPU so ARP can resolve the necessary neighbor entry before traffic can go through the fastpath. | 4.4.0-5.4.0 | 4.3.2, 5.5.0-5.16.1| +| [3390022, 3323138](#3390022, 3323138)
| When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the peerlink.4095 interface stanza are duplicated. Subsequent ifreloads, or net commit commands fail until you manually remove the duplicated lines from this interface and run ifreload -a. | 4.2.1-4.4.5 | | +| [3389994, 3323143](#3389994, 3323143)
| During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbor entries cannot synchronize between MLAG nodes. During this transitory upgrade state, neighbor entry resolution relies on data plane traffic being forwarded to the CPU so ARP can resolve the necessary neighbor entry before traffic can go through the fastpath. | 4.4.0-5.4.0 | 4.3.2, 5.5.0-5.16.1| | [3387852](#3387852)
| If you remove NGINX from the switch, then run apt autoremove, switchd does not reload because the libyaml-0-2 and python-yaml packages are missing; these packages are required for switchd consistency checking. To work around this issue, reinstall the libyaml-0-2 and python-yaml packages. | 4.4.0-4.4.5 | | | [3339249](#3339249)
| The sensors.conf files in Cumulus Linux are out of date. | 4.2.1-4.4.5 | | | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.16.1| @@ -645,7 +645,7 @@ pdfhidden: True | [3297171](#3297171)
| Restarting switchd might fail due an ACL SPAN module initialization failure. | 4.4.2-4.4.3 | 4.4.4-4.4.5| | [3293110](#3293110)
| You cannot set the NTF router flag (NTF_ROUTER) on neighbor entries from the user space. | 4.4.2-4.4.5 | | | [3292873](#3292873)
| When you run ZTP manually with the ztp -R command, then the ztp -vb command, the process stalls indefinitely while searching the local (USB) location and not using DHCP information. To work around this issue, run the ztp -r command with the URL of the ZTP server:
[Dec-08-17:09:58] root@switch:/home/cumulus#  ztp -r http://myztp.server.local/ztp
| 4.4.2-4.4.5 | | -| [3291548](#3291548)
| In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. | 4.2.1-4.4.5 | 5.0.0-5.16.1| +| [3291548, 2434628](#3291548, 2434628)
| In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. | 4.2.1-4.4.5 | 5.0.0-5.16.1| | [3289482](#3289482)
| When the switch needs to forward a frame that has a source MAC address of 00:00:00:00:00:00, the dmesg log might report the message bridge: RTM_NEWNEIGH with invalid ether address in a loop every 30 seconds. The log message is harmless and frames with that MAC forward correctly. | 4.4.3-5.3.1 | 5.4.0-5.16.1| | [3284719](#3284719)
| Certain EVPN multihoming show commands might cause the bgpd service to crash if you use the json flag and try to reference the default VRF by name. For example: show bgp l2vpn evpn es-vrf json. | 4.4.2-4.4.5 | | | [3271684](#3271684)
| After you restart the FRR service, show commands incorrectly reflect the VLAN associated with layer 3 VNIs as 0:
# net show evpn vni 123VNI: 123Type: L3Tenant VRF: BLUEVlan: 0
| 4.4.3-5.3.1 | 5.4.0-5.16.1| @@ -661,7 +661,7 @@ pdfhidden: True | [3211054](#3211054)
| On the NVIDIA Spectrum-2 switch, when receiving multicast traffic on a PIM enabled VLAN, the multicast traffic is forwarded correctly to the associated VLAN, however WJH shows traffic loss with the error:

Packet size is larger than router interface MTU – Validate the router interface MTU configuration
| 4.4.2-5.2.1 | 5.3.0-5.16.1| | [3209699](#3209699)
| RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users)
| 3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.16.1| | [3191517](#3191517)
| When a switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-4.3.1, 4.4.0-5.2.1 | 4.3.2, 5.3.0-5.16.1| -| [3168564](#3168564)
| In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), switchd might crash when you restart clagd or when all bonds go operationally down, then up
On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. | 4.3.1-4.4.5 | | +| [3168564, 3198302](#3168564, 3198302)
| In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), switchd might crash when you restart clagd or when all bonds go operationally down, then up
On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. | 4.3.1-4.4.5 | | | [3163845](#3163845)
| If bond slaves listed in the /etc/network/interfaces file are not in alphabetical order, the bond interface MAC address can change when you run ifreload. For example, if the bond slaves in the /etc/network/interfaces file are listed as swp32 swp31, the switch initially uses the MAC address for swp32 as the bond MAC address. An another ifreload can cause this to change to use the MAC address for swp31 as the bond MAC address, which can cause protocol issues, such as IPv6 link-local address changes. | 4.3.1-4.4.5 | | | [3150317](#3150317)
| During a host failure, where a link remains up but LACP stops being sent, the EVPN multihoming ES bond goes into bypass mode active without a link state change. | 4.4.2-5.2.1 | 5.3.0-5.16.1| | [3138746](#3138746)
| The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0-5.1.0 | 5.2.0-5.16.1| @@ -672,7 +672,7 @@ pdfhidden: True | [3112971](#3112971)
| When you configure a VRF static route using the legacy command syntax in FRR (for example: ip route 10.0.0.0/8 172.16.1.1 vrf vrf-red), then make subsequent VRF or route configuration changes, FRR might crash. To avoid this problem, use the current method for configuring VRF routes within the VRF stanza:
vrf vrf-red
 ip route 10.0.0.0/8 172.16.1.1 vrf vrf-redend vrf
| 4.4.3-5.1.0 | 5.2.0-5.16.1| | [3094082](#3094082)
| If you apply a PBR policy with a next hop group but the next hop is not reachable, the PBR service crashes. | 4.4.0-4.4.3 | 4.4.4-4.4.5| | [3093966](#3093966)
| On Broadcom switches, INPUT chain iptable rules filter IPv6 packets matching the rules. | 3.7.15-3.7.16, 4.3.0-4.4.5 | | -| [3091381](#3091381)
| Restarting switchd might fail due to an ACL SPAN module initialization failure. | 4.4.2-4.4.5 | 5.0.0-5.16.1| +| [3091381, 2804508](#3091381, 2804508)
| Restarting switchd might fail due to an ACL SPAN module initialization failure. | 4.4.2-4.4.5 | 5.0.0-5.16.1| | [3089165](#3089165)
| A slow memory leak might occur in switchd} if the route fails to install in hardware when hardware resources are exhausted. | 4.2.1-4.4.3 | 4.4.4-4.4.5| | [3084476](#3084476)
| After you disable traffic shaping in the /etc/cumulus/datapath/qos/qos_features.conf file, the default QOS traffic shaping configuration does not restore. To work around this issue, restart switchd. | 4.4.3, 5.0.0-5.16.1 | 4.4.4-4.4.5| | [3084027](#3084027)
| Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware. | 4.3.0-4.4.5, 5.0.0-5.16.1 | | @@ -685,10 +685,10 @@ pdfhidden: True | [3072613](#3072613)
| When you delete a bond interface with NCLU, BGP peer group configuration is removed. | 3.7.15-3.7.16, 4.3.0-4.4.5 | | | [3070672](#3070672)
| TACACS Command Authorization results in a traceback error and command is not executed | 4.4.0-4.4.5 | | | [3060399](#3060399)
| When you add an interface to a layer 3 bond, traffic does not forward and you see errors similar to the following:
2022-05-02T13:14:40.118597+00:00 cumulus sx_sdk: ROUTER: Failed to delete router interface(27) ref count isn’t 0, err= Resource is in use
| 4.4.2-5.1.0 | 5.2.0-5.16.1| -| [3059135](#3059135)
| In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route
To resolve this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| -| [3046023](#3046023)
| The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. | 4.2.1-5.1.0 | 5.2.0-5.16.1| +| [3059135, 3060400](#3059135, 3060400)
| In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route
To resolve this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| +| [3046023, 3096918](#3046023, 3096918)
| The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. | 4.2.1-5.1.0 | 5.2.0-5.16.1| | [3041306](#3041306)
| If you update the MAC address of an SVI using ifreload and hwaddress, the kernel maintains a stale permanent FDB entry for the old MAC address. | 3.7.15, 4.3.0, 4.4.0-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.16.1| -| [3032234](#3032234)
| In BGP unnumbered, when you try to remove an interface from the underlay default VRF with the NVUE nv unset vrf default router bgp neighbor command, the command fails to apply. | 4.4.2-5.0.1 | 5.1.0-5.16.1| +| [3032234, 3163643](#3032234, 3163643)
| In BGP unnumbered, when you try to remove an interface from the underlay default VRF with the NVUE nv unset vrf default router bgp neighbor command, the command fails to apply. | 4.4.2-5.0.1 | 5.1.0-5.16.1| | [3031228](#3031228)
| In a static VXLAN configuration with a traditional or single VXLAN device, enabling bridge learning on the VNI leads to an incorrect warning and the setting is removed in the next commit. The warning is similar to the following:
warning: vni10: possible mis-configuration detected: l2-vni configured with bridge-learning ON while EVPN is also configured - these two parameters conflict with each other
| 4.4.0-4.4.3 | 4.3.1, 4.4.4-4.4.5| | [3023256](#3023256)
| After you remove the port from the EVPN-MH bond, the port stays in the PRTDN state with the protodown flag ON. | 4.4.3 | 4.4.4-4.4.5| | [3021887](#3021887)
| On Spectrum-2 switches, when a packet has a CRC and the ports are in cut-though mode, the switch might stop forwarding traffic. | 4.4.2-4.4.3, 5.0.0-5.0.1 | 4.4.4-4.4.5, 5.1.0-5.16.1| @@ -710,7 +710,7 @@ pdfhidden: True | [2943080](#2943080)
| The overlay ASN is removed after a route flap. | 4.4.0-5.0.1 | 5.1.0-5.16.1| | [2933466](#2933466)
| You cannot run NVUE commands to configure route leaking. To work around this issue, create a snippet in yaml format and add the configuration to the /etc/frr/frr.conf file. | 4.4.0-5.0.1 | 5.1.0-5.16.1| | [2913859](#2913859)
| ECMP error messages, similar to the following, show in log files:
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:361 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:621 ERR ECMP: failed to CREATE static ecmp in hwDec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:656 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1540 ERR ECMP: failed to allocate hw ecmp status No More ResourcesDec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1561 ERR ECMP: error allocating static ecmpDec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:2207 ERR ECMP: failed to find ecmp container
| 4.4.0-5.0.1 | 5.1.0-5.16.1| -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | | [2902013](#2902013)
| The NCLU commit command adds a five second delay. | 4.2.1-4.4.5 | | | [2875279](#2875279)
| In a scaled EVPN-MLAG configuration (observed with 400 or more VNIs and 20K or more MAC addresses – the actual scale might vary), when the peer link flaps causing all VNIs to come up at the same time, there might be high CPU utilization on the system for several minutes and the FRR service might restart. After FRR restarts or the CPU utilization settles down, the system functions normally. | 4.2.1-4.3.0, 4.4.0-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.16.1| | [2860323](#2860323)
| If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry. | 4.4.0-5.0.1 | 5.1.0-5.16.1| @@ -733,8 +733,8 @@ pdfhidden: True | [2792616](#2792616)
| If a neighbor entry (ARP or NDP) is used as a next hop of a route that is synchronized into hardware, the neighbor entry is not removed from hardware after the neighbor is no longer reachable. As a result, routed traffic matching this prefix is incorrectly hardware forwarded through the stale neighbor information. | 4.3.0-4.4.5 | 5.0.0-5.16.1| | [2788780](#2788780)
| When you enable ARP and ND suppression and the switch forwards ARP and ND packets to the kernel, RX_DRP counters might increment but the packets are processed as normal. | 4.4.0-4.4.5 | | | [2781537](#2781537)
| In Cumulus VX, the iptables FORWARD chain does not count hits. To work around this issue, use -t mangle -A PREROUTING instead of FORWARD. | 4.3.0-4.4.5 | 5.0.0-5.16.1| -| [2780915](#2780915)
| In NVUE, you can't deactivate the IPv4 address family per neighbor. | 4.4.0-4.4.5 | 5.0.0-5.16.1| -| [2780834](#2780834)
| To enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.16.1| +| [2780915, 2556028](#2780915, 2556028)
| In NVUE, you can't deactivate the IPv4 address family per neighbor. | 4.4.0-4.4.5 | 5.0.0-5.16.1| +| [2780834, 2555981](#2780834, 2555981)
| To enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.16.1| | [2780211](#2780211)
| When you use the NVUE nv set vrf default router bgp peer local-as asn command to configure a local AS, Cumulus Linux does not update the etc/frr/frr.conf file. | 4.4.0-4.4.5 | 5.0.0-5.16.1| | [2771653](#2771653)
| When using W-ECMP, the weights for various BGP next hops can sometimes be in the range of 100s or more, which consumes a lot of hardware space. | 4.3.0-4.4.5 | | | [2770226](#2770226)
| In an MLAG configuration with traditional bridges, MAC addresses are seen over peer link during ifreload when adding new VLANS or bridges. | 3.7.14.2-3.7.15, 4.3.0-4.4.5 | 3.7.16, 5.0.0-5.16.1| @@ -742,18 +742,18 @@ pdfhidden: True | [2754791](#2754791)
| Remote MAC addreses in zebra are out of sync with bgpd. The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP. | 3.7.14.2-3.7.16, 4.3.0-4.4.5 | | | [2753955](#2753955)
| On the Lenovo MSN3700 switch, if you try to configure an interface with a link speed of 200G, the configuration fails. | 4.2.1-4.4.5 | 5.0.0-5.16.1| | [2752330](#2752330)
| With BGP and layer 2 forwarding, Smart System Manager warm boot mode can cause packet loss. | 4.4.0-4.4.5 | 5.0.0-5.16.1| -| [2747750](#2747750)
| Links connected between a Spectrum 2 switch configured for warm boot and Spectrum 3 switches configured for cold boot might not come up when the switches are booted. | 4.4.2-4.4.5 | 5.0.0-5.16.1| -| [2743186](#2743186)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| +| [2747750, 2782819](#2747750, 2782819)
| Links connected between a Spectrum 2 switch configured for warm boot and Spectrum 3 switches configured for cold boot might not come up when the switches are booted. | 4.4.2-4.4.5 | 5.0.0-5.16.1| +| [2743186, 2734100, 2731464, 3438708](#2743186, 2734100, 2731464, 3438708)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| | [2739402](#2739402)
| The destination MAC address of ERSPAN GRE packets is set to all zeros. | 4.3.0-4.4.5 | 5.0.0-5.16.1| | [2739398](#2739398)
| Cumulus Linux does not support a bond or bond member as a SPAN destination. | 4.4.0-4.4.5 | 4.3.1| -| [2738040](#2738040)
| In an EVPN multihoming configuration, unicast ARP requests are not forwarded when the local Ethernet segment is down. | 4.4.0-4.4.5 | | -| [2736244](#2736244)
| When you run the vtysh command to enable BGP graceful restart on a peer multiple times, the command fails with the following error:
% The Graceful Restart command used is not valid at this moment.
| 4.4.0-4.4.5 | 5.0.0-5.16.1| +| [2738040, 2738041](#2738040, 2738041)
| In an EVPN multihoming configuration, unicast ARP requests are not forwarded when the local Ethernet segment is down. | 4.4.0-4.4.5 | | +| [2736244, 2736249](#2736244, 2736249)
| When you run the vtysh command to enable BGP graceful restart on a peer multiple times, the command fails with the following error:
% The Graceful Restart command used is not valid at this moment.
| 4.4.0-4.4.5 | 5.0.0-5.16.1| | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | | [2734103](#2734103)
| ACL [No More Resources] messages keep appearing and you can't reinstall the ACL. | 4.3.0-5.1.0 | 5.2.0-5.16.1| | [2732605](#2732605)
| The ESI line of show bgp l2vpn evpn route command always shows VNI: 0. This is a cosmetic software issue. | 4.3.0-4.4.5 | 5.0.0-5.16.1| | [2730447](#2730447)
| The bridge MAC address is updated during a port change on bridge interfaces. | 4.3.0, 4.4.0-4.4.5 | 4.3.1, 5.0.0-5.16.1| -| [2728119](#2728119)
| When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-4.4.5 | 5.0.0-5.16.1| -| [2713888](#2713888)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| +| [2728119, 2729309](#2728119, 2729309)
| When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-4.4.5 | 5.0.0-5.16.1| +| [2713888, 2834357](#2713888, 2834357)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| | [2711533](#2711533)
| On the AS7326-56X switch, the link lights for 25G ports configured to work at 1G do not illuminate. | 4.2.1-4.4.5 | | | [2710208](#2710208)
| The net show bgp neighbor command output does not reflect the correct BFD status. This is a cosmetic issue. To work around this issue, run the NCLU net show bfd command to verify the correct state of BFD. | 4.2.1-4.4.5 | | | [2700767](#2700767)
| Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use a MLAG peer IP linklocal configuration. | 3.7.12-3.7.15, 4.3.0-4.4.5 | 3.7.16| @@ -766,7 +766,7 @@ pdfhidden: True | [2639303](#2639303)
| When you use NCLU to delete a bond, then add an interface, NCLU reports an error similar to the following:
ERROR: 'NoneType' object has no attribute 'conf_key_value_multiple_values'See /var/log/netd.log for more details.
| 4.3.0-4.4.5 | | | [2621244](#2621244)
| When a VRF name includes evpn, the NCLU net show bgp vrf command fails with the error ERROR: The call to /usr/bin/vtysh failed. To work around this issue, do not use evpn in the VRF name or run the desired commands directly from FRR with vtysh. | 4.3.0-4.4.5 | | | [2618227](#2618227)
| The NCLU net show bridge macs command displays permanent MAC addresses for trunked VLANs. | 4.3.0-4.4.5 | | -| [2606326](#2606326)
| If the IGMP and MLD querier is configured on only one of the peer switches in an MLAG configuration, when IGMP packets are sent to the peer with no querier, IGMP leave messages have no effect. | 4.4.0-4.4.5 | | +| [2606326, 2583925](#2606326, 2583925)
| If the IGMP and MLD querier is configured on only one of the peer switches in an MLAG configuration, when IGMP packets are sent to the peer with no querier, IGMP leave messages have no effect. | 4.4.0-4.4.5 | | | [2599274](#2599274)
| On Mellanox Spectrum switches, when there is an MSTP forwarding state change on a bonds (for example, when the state changes from blocking to forwarding), the MSTP hardware table might set some VLANs to blocking when they should be forwarding. A a result, all packets on these VLANs drop at ingress
To recover from this state, flap the bond interface (not the physical swp) by running ifdown ; sleep 1 ; ifup . | 4.3.0-4.4.5 | 5.0.0-5.16.1| | [2596458](#2596458)
| When bridge.unreg_v6_mcast_prune = TRUE is configured in the /etc/cumulus/switchd.conf file, traffic destined to IPv6 link-local multicast addresses might not be flooded within the bridge
To work around this issue, disable pruning for IPv6 multicast by setting bridge.unreg_v6_mcast_prune = FALSE in the /etc/cumulus/switchd.conf file. | 4.4.0-4.4.5 | | | [2574368](#2574368)
| When you run the NCLU net add bgp maximum-paths ibgp command, FRR restarts unexpectedly
To work around this issue, either use the vtysh commands or edit the /etc/frr/frr.conf file directly, then run systemctl reload frr. | 4.1.1-4.4.5 | | @@ -774,7 +774,7 @@ pdfhidden: True | [2556369](#2556369)
| If you use NCLU to configure an ACL for eth0, you can't designate it as an INPUT rule; the rule is automatically created as a FORWARD rule in the /etc/cumulus/acl/policy.d/50_nclu_acl.rules file.
To work around this issue, manually create an ACL in the /etc/cumulus/acl/policy.d/ file with "-A INPUT -i eth0". | 4.2.1-4.4.5 | | | [2556082](#2556082)
| The NCLU net del vrf command does not delete a numbered VRF. For example:

cumulus@leaf01:~$ net del vrf 55
ERROR: Command not found
| 4.2.1-4.4.5 | | | [2556081](#2556081)
| You cannot set the time zone can with NCLU commands. | 4.1.1-4.4.5 | | -| [2555981](#2555981)
| In BGP, to enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.16.1| +| [2555981, 2584227, 2780834](#2555981, 2584227, 2780834)
| In BGP, to enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.16.1| | [2555873](#2555873)
| On Mellanox switches, egress ACLs with VLAN keys do not filter layer 2 multicast or broadcast traffic. | 4.3.0-4.4.5 | | | [2555763](#2555763)
| The NCLU net del bgp neighbor command does not delete the neighbor and displays an error similar to the following:

ERROR: --- /run/nclu/frr/frr.conf.scratchpad.baseline   2021-01-04 17:23:59.250463331 +0000
+++ /run/nclu/frr/frr.conf.scratchpad    2021-01-04 17:25:59.213673980 +0000

To work around this issue, use the FRR command to delete a neighbor. | 4.3.0-4.4.5 | | | [2555613](#2555613)
| The net show configuration commands command incorrectly displays the NCLU syntax to disable IPv6 forwarding on interfaces. For example:

# net show configuration commands
net add vlan 1 ip6-forward off

The correct NCLU command to disable IPv6 forwarding is net add vlan 1 ipv6 forward off (without the hyphen). | 4.2.1-4.4.5 | | @@ -787,13 +787,13 @@ pdfhidden: True | [2554582](#2554582)
| On switches with the Maverick ASIC, control traffic is dropped due to receive buffering. | 4.2.0-4.4.5 | | | [2554533](#2554533)
| On the ARM platform, NTP peer associations slowly increase to larger offsets (~500ms). | 4.0.0-4.4.5 | | | [2554466](#2554466)
| Kernel routes added by iproute2 are missing in FRR after an interface flap.
To work around this issue, configure a static route in FRR.
| 4.2.1-4.4.5 | | -| [2554222](#2554222)
| The NCLU command to enable bridge learning fails.
As a work around, enable bridge learning in the /etc/network/interface file. For example:

auto vni-30
iface vni-30
    vxlan-id 30
    bridge-access 30
    bridge-arp-nd-suppress on
    bridge-learning on
    vxlan-local-tunnelip 10.10.10.1
    mstpctl-bpduguard yes
    mstpctl-portbpdufilter yes
    mtu 9166
| 4.2.1-4.4.5 | | +| [2554222, 2614073](#2554222, 2614073)
| The NCLU command to enable bridge learning fails.
As a work around, enable bridge learning in the /etc/network/interface file. For example:

auto vni-30
iface vni-30
    vxlan-id 30
    bridge-access 30
    bridge-arp-nd-suppress on
    bridge-learning on
    vxlan-local-tunnelip 10.10.10.1
    mstpctl-bpduguard yes
    mstpctl-portbpdufilter yes
    mtu 9166
| 4.2.1-4.4.5 | | | [2554218](#2554218)
| MLAG packets received on the peer link are dropped instead of routed. | 4.2.0-4.4.5 | | -| [2554202](#2554202)
| The output of the net show commit command does not show the last commit or the specified commit number but is empty instead. | 4.2.1-4.4.5 | | +| [2554202, 2544880](#2554202, 2544880)
| The output of the net show commit command does not show the last commit or the specified commit number but is empty instead. | 4.2.1-4.4.5 | | | [2553989](#2553989)
| Default policer configured for LACP as an INPUT chain rule in 00control_plane.rules is meant to protect CPU from an LACP storm. When LACP storm is originating out of a single bond or bond member interface in a switch with multiple bond interfaces, there is a possibility of other LACP bond interface(s) going down. | 4.2.1-4.4.5 | | | [2553887](#2553887)
| When using TACACS+ configured with a DEFAULT user providing privilege level lower than 16, TACACS+ configured users with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del and see an error similar to the following:

ERROR: You do not have permission to execute that command.

To work around this issue, remove the DEFAULT user from the TACACS+ server. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2553677](#2553677)
| When you configure an SNMPv3 user with the net-snmp-config configuration command from the libsnmp-dev package, you get an error message similar to the one below:

cumulus@switch:mgmt-vrf:~$ sudo net-snmp-config --create-snmpv3-user -a shaauthpass -x aesprivpass -A SHA -X AES userSHAwithAES
adding the following line to /var/lib/snmp/snmpd.conf:           
   createUser userSHAwithAES SHA "shaauthpass" AES "aesprivpass"       
adding the following line to /snmp/snmpd.conf:                           
   rwuser userSHAwithAES                                           
touch: cannot touch ‘/snmp/snmpd.conf’: No such file or directory
/usr/bin/net-snmp-create-v3-user: 144: /usr/bin/net-snmp-create-v3-user: cannot create /snmp/snmpd.conf: Directory nonexistent

To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:

cumulus@switch:mgmt-vrf:~$ net add snmp-server username user999 auth-md5 user999password encrypt-des user999encryption

Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation. | 3.7.13-3.7.16, 4.0.0-4.4.5 | | -| [2553237](#2553237)
| The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF.
NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF.

| 4.2.0-4.4.5 | | +| [2553237, 2552950](#2553237, 2552950)
| The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF.
NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF.

| 4.2.0-4.4.5 | | | [2553116](#2553116)
| When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure.
To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2553015](#2553015)
| If a neighbour contains a special character in PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail. | 3.7.10-3.7.16, 4.2.0-4.4.5 | | | [2552691](#2552691)
| On the EdgeCore AS4610 switch, the eth0 interface remains down when physically connected to a 1G interface.
To work around this issue, configure the link speed to 1000 and set auto-negotiation on for the eth0 interface, then flap eth0 with the ip link set eth0 down/up command to bring up the port. | 4.2.0-4.4.5 | | @@ -831,15 +831,15 @@ pdfhidden: True | [2548044](#2548044)
| When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor. | 3.7.12-3.7.15, 4.0.0-4.4.5 | 3.7.16| | [2547890](#2547890)
| QinQ across VXLAN on a traditional bridge does not work. | 4.1.0-4.4.5 | | | [2547782](#2547782)
| If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2547706](#2547706)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2547706, 2544456, 2549513](#2547706, 2544456, 2549513)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2547405](#2547405)
| When you restart the hsflowd service, you see a systemd warning message similar to the following:

Warning: The unit file, source configuration file or drop-ins of hsflowd@mgmt.service changed on disk. Run 'systemctl daemon-reload'.
| 4.0.0-4.4.5 | | | [2547120](#2547120)
| After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number), until you run the decode-syseeprom --init command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546991](#2546991)
| The FRR service does not provide a way for automation to know if the configuration applied properly.
To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546895](#2546895)
| If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:
bq. systemd[1]: switchd.service watchdog timeout (limit 2min)!
To workaround this issue, either reduce the number of configured interfaces and, or VLANs, or increase the systemd timeout for switchd.service
To increase the systemd timeout:1.Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter
2.Restart the switchd service with the sudo systemctl restart switchd.service command
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546874](#2546874)
| On the Dell S5232F, S5248F, S5296F, and S3048 switch, using the poweroff or halt commands does not fully power off the switch. | 4.0.0-4.4.5 | | | [2546255](#2546255)
| On the EdgeCore Minipack-AS8000 switch, a 100G DAC link does not come up when auto-negotiation is enabled on the neighbor. This switch does not support 100G DAC auto-negotiation at this time. | 4.0.0-4.4.5 | | -| [2546225](#2546225)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2546131](#2546131)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546225, 2541038](#2546225, 2541038)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546131, 2542979](#2546131, 2542979)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2545837](#2545837)
| If you use the NCLU commands to configure NTP and run the net add time ntp source command before you run the net add time ntp server iburst command, the /etc/ntp.conf file is misconfigured.
To work around this issue, run the net add time ntp server iburst command before you run the net add time ntp source command. | 3.7.10-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2545520](#2545520)
| The length of the netlink message is not set properly for non-bridge family type messages. The same length is used for both bridge and non-bridge even though the bridge family type message has an extra attribute. This causes extra bytes to be left over in non-bridge family type netlink messages. | 3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2545233](#2545233)
| On the Delta AG9032v1 switch, smonctl and sensors report inaccurate PSU current and power. | 4.0.0-4.4.5 | | @@ -848,22 +848,22 @@ pdfhidden: True | [2544968](#2544968)
| FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:

sudo sh -c "printf 'interface 50\nvrf TEST description L3 routing interface\n' >> /etc/frr/frr.conf"

should be:

sudo sh -c "printf 'interface 50 vrf TEST\ndescription L3 routing interface\n' >> /etc/frr/frr.conf"

To work around this issue, configure the interface manually in the /etc/frr/frr.conf file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544957](#2544957)
| NCLU incorrectly allows you to apply port security configuration on layer 2 and layer 3 ports that are not part of a bridge. | 4.0.0-4.4.5 | | | [2544953](#2544953)
| When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.
To work around this issue, run the sudo systemctl restart lldpd.service command. | 3.7.10-3.7.16, 4.0.0-4.4.5 | | -| [2544880](#2544880)
| When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. | 4.0.0-4.4.5 | | +| [2544880, 2544616, 2554202](#2544880, 2544616, 2554202)
| When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. | 4.0.0-4.4.5 | | | [2544723](#2544723)
| Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2544463](#2544463)
| Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | -| [2544456](#2544456)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | +| [2544456, 2546166, 2546167, 2547706, 2549513](#2544456, 2546166, 2546167, 2547706, 2549513)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544311](#2544311)
| Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544155](#2544155)
| NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order.

| 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544113](#2544113)
| Mac learning is not disabled by default on a double tagged peer link interface resulting in the MAC address changing between the MLAG bond and the peer link.
To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the etc/network/interfaces file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2543937](#2543937)
| An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause a FRR reload to time out.
To work around this issue, remove the interface alias description from iproute2. | 3.7.8-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543915](#2543915)
| When you enable a service in the management VRF, systemctl issues a warning similar to the following:
Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run 'systemctl daemon-reload' to reload unit
You can safely ignore this warning. | 4.0.0-5.9.5 | 5.10.0-5.16.1| | [2543900](#2543900)
| On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | | -| [2543841](#2543841)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | +| [2543841, 2544947](#2543841, 2544947)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | | [2543816](#2543816)
| On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages.
| 3.7.6-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2543781](#2543781)
| NCLU does not allow you to configure OSPF NSSAs. For example: 

cumulus@switch:~$ net add ospf area 0.0.0.1 nssa 
ERROR: Command not found. 
net add ospf area 0.0.0.1 nssa

To work around this issue, use FRR instead. For example: 

switch# configure terminal 
switch(config)# router ospf 
switch(config-router)# area 0.0.0.1 nssa
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543724](#2543724)
| If a hostname contains utf-8 characters, the NCLU net show lldp command outputs the following error: 

ERROR: 'ascii' codec can't encode character u'\xe9' in position 3: ordinal not in range(128) 
See /var/log/netd.log for more details.
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543646](#2543646)
| In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | | -| [2543401](#2543401)
| On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. | 4.0.0-4.4.5 | | +| [2543401, 2543014](#2543401, 2543014)
| On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. | 4.0.0-4.4.5 | | | [2543211](#2543211)
| In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2543164](#2543164)
| The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2543096](#2543096)
| When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | @@ -878,7 +878,7 @@ pdfhidden: True | [2540352](#2540352)
| When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a _match interface_ condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9 
net add routing route-map Proxy-ARP permit 30 match interface swp10

| 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2540340](#2540340)
| NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example: 
 
 cumulus@switch:~$ net add vrf mgmt

Tab completion for the net add vrf ip address
command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540274](#2540274)
| On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | -| [2540204](#2540204)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540204, 2713883](#2540204, 2713883)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540192](#2540192)
| The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540155](#2540155)
| On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2540042](#2540042)
| When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example: 
 
cumulus@switch:~$ sudo vtysh 
switch# configure terminal 
switch(config)# interface br0.100 
switch(config-if)# vrrp 1 priority 110 
switch(config-if)# vrrp 1 advertisement-interval 
switch(config-if)# end 
switch# write memory 
switch# exit 
cumulus@switch:~

| 3.7.4-3.7.16, 4.0.0-4.4.5 | | @@ -894,7 +894,7 @@ pdfhidden: True | [2538562](#2538562)
| On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.
After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.
To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.
Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G. | 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2538294](#2538294)
| If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2537699](#2537699)
| There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces: 
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
| 3.7.1-3.7.16, 4.0.0-4.4.5 | | -| [2537544](#2537544)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2537544, 2537365](#2537544, 2537365)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | | [2536576](#2536576)
| If you try to bring down several members of a bond remotely at the same time, the link state of one of the interfaces might not transition correctly to the down state; however, all links show down in hardware.
| 4.0.0-4.4.5 | | | [2536384](#2536384)
| The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2536256](#2536256)
| For an unresolved address, the IPROUTER default policer rule has been modified to _not_ match on packets exiting a TUNNEL and headed to the CPU to resolve the address via ARP. As a result, the following default rule no longer matches TUNNEL ingress packets. 
 
A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type 
IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100

These packets are now policed by catch all rules.
To work around this issue, the VPORT value on a TRIDENT switch must be changed from binary 011 to 100.
| 4.0.0-4.4.5 | | @@ -927,18 +927,18 @@ pdfhidden: True | [4647646](#4647646)
| If you configure policy-based routing (PBR) rules for more than 32 interfaces, only the rules assigned to the first 32 interfaces are installed in the kernel. | 4.4.2-5.14.0 | 5.15.0-5.16.1| | [4143345](#4143345)
| On the Trident3 switch, if you use NCLU to configure BGP neighbor shutdown, NCLU stops responding when you include more than 200 neighbors per peer group. If you do not use NCLU to configure BGP neighbor shutdown, you can configure a maximum of 300 neighbors per peer group. | 4.3.0-4.4.5 | | | [4004453](#4004453)
| The NVUE commands to delete SNMP users, and change authentication passwords and encryption passphrases are not successful. | 4.3.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| -| [3895042](#3895042)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| +| [3895042, 3895041](#3895042, 3895041)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3773177](#3773177)
| When you try to upgrade a switch from Cumulus Linux before 5.6.0 with package upgrade, you might see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.
cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt install ./cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt update
cumulus@switch:~$ sudo apt upgrade
| 4.0.0-4.4.5, 5.0.0-5.16.1 | | | [3684998](#3684998)
| DHCP lease information is not collected in the cl-support file. | 4.3.0-5.6.0 | 5.7.0-5.16.1| | [3528464](#3528464)
| Cumulus Linux might mark a layer 2 VLAN-tagged packet as a packet to CPU and the INPUT chain ACL might drop the packet. To work around this issue, add an additional addrtype match on the ACL to prevent an erroneous ACL match; for example:
[iptables]
-A INPUT -i swp+ -m addrtype --dst-type LOCAL -p tcp --sport 22 -j DROP
| 4.3.0-4.4.5 | | | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0-5.16.1| -| [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.16.1| +| [3474391, 3479772](#3474391, 3479772)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.16.1| | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.16.1| | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | | [3400244](#3400244)
| NCLU accepts multiple instances of same net add bgp commands and stores the configuration in the /etc/frr/frr.conf file when you run the net commit command. As a result, unintended commands might be processed during frr-reload. To work around this issue, edit the /etc/frr/frr.conf file to remove the duplicated entries. | 4.3.1-4.4.5 | | | [3395411](#3395411)
| For layer 3 interfaces configured on the switch, certain triggers, such as port flaps and subinterface flaps, or when configuring the ports to and from layer 2 and layer 3, cause the dummy internal VLAN to not free up, which can result in exhaustion of the dummy internal VLANs designated for the layer 3 interfaces. When this occurs, you see the following switchd log messages:
ERR dummy internal vlans exhaustedERR cannot allocate vlan for sub-interface
| 4.4.2-5.4.0 | 5.5.0-5.16.1| -| [3390022](#3390022)
| When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the peerlink.4095 interface stanza are duplicated. Subsequent ifreloads, or net commit commands fail until you manually remove the duplicated lines from this interface and run ifreload -a. | 4.2.1-4.4.5 | | -| [3389994](#3389994)
| During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbor entries cannot synchronize between MLAG nodes. During this transitory upgrade state, neighbor entry resolution relies on data plane traffic being forwarded to the CPU so ARP can resolve the necessary neighbor entry before traffic can go through the fastpath. | 4.4.0-5.4.0 | 4.3.2, 5.5.0-5.16.1| +| [3390022, 3323138](#3390022, 3323138)
| When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the peerlink.4095 interface stanza are duplicated. Subsequent ifreloads, or net commit commands fail until you manually remove the duplicated lines from this interface and run ifreload -a. | 4.2.1-4.4.5 | | +| [3389994, 3323143](#3389994, 3323143)
| During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbor entries cannot synchronize between MLAG nodes. During this transitory upgrade state, neighbor entry resolution relies on data plane traffic being forwarded to the CPU so ARP can resolve the necessary neighbor entry before traffic can go through the fastpath. | 4.4.0-5.4.0 | 4.3.2, 5.5.0-5.16.1| | [3387852](#3387852)
| If you remove NGINX from the switch, then run apt autoremove, switchd does not reload because the libyaml-0-2 and python-yaml packages are missing; these packages are required for switchd consistency checking. To work around this issue, reinstall the libyaml-0-2 and python-yaml packages. | 4.4.0-4.4.5 | | | [3339249](#3339249)
| The sensors.conf files in Cumulus Linux are out of date. | 4.2.1-4.4.5 | | | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.16.1| @@ -948,7 +948,7 @@ pdfhidden: True | [3297171](#3297171)
| Restarting switchd might fail due an ACL SPAN module initialization failure. | 4.4.2-4.4.3 | 4.4.4-4.4.5| | [3293110](#3293110)
| You cannot set the NTF router flag (NTF_ROUTER) on neighbor entries from the user space. | 4.4.2-4.4.5 | | | [3292873](#3292873)
| When you run ZTP manually with the ztp -R command, then the ztp -vb command, the process stalls indefinitely while searching the local (USB) location and not using DHCP information. To work around this issue, run the ztp -r command with the URL of the ZTP server:
[Dec-08-17:09:58] root@switch:/home/cumulus#  ztp -r http://myztp.server.local/ztp
| 4.4.2-4.4.5 | | -| [3291548](#3291548)
| In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. | 4.2.1-4.4.5 | 5.0.0-5.16.1| +| [3291548, 2434628](#3291548, 2434628)
| In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. | 4.2.1-4.4.5 | 5.0.0-5.16.1| | [3284719](#3284719)
| Certain EVPN multihoming show commands might cause the bgpd service to crash if you use the json flag and try to reference the default VRF by name. For example: show bgp l2vpn evpn es-vrf json. | 4.4.2-4.4.5 | | | [3269537](#3269537)
| When an FRR routing service (such as bgpd) becomes unresponsive, watchfrr might fail to stop and restart service. To work around this issue, restart FRR with the systemctl restart frr command. | 4.4.0-5.3.1 | 5.4.0-5.16.1| | [3236334](#3236334)
| Using ARP suppression with a very large number of interfaces might result in missing ARP entries on the local device or buffer underrun warnings in the neighmgrd log. | 4.4.0-4.4.5 | 4.3.2| @@ -960,7 +960,7 @@ pdfhidden: True | [3211054](#3211054)
| On the NVIDIA Spectrum-2 switch, when receiving multicast traffic on a PIM enabled VLAN, the multicast traffic is forwarded correctly to the associated VLAN, however WJH shows traffic loss with the error:

Packet size is larger than router interface MTU – Validate the router interface MTU configuration
| 4.4.2-5.2.1 | 5.3.0-5.16.1| | [3209699](#3209699)
| RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users)
| 3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.16.1| | [3191517](#3191517)
| When a switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-4.3.1, 4.4.0-5.2.1 | 4.3.2, 5.3.0-5.16.1| -| [3168564](#3168564)
| In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), switchd might crash when you restart clagd or when all bonds go operationally down, then up
On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. | 4.3.1-4.4.5 | | +| [3168564, 3198302](#3168564, 3198302)
| In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), switchd might crash when you restart clagd or when all bonds go operationally down, then up
On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. | 4.3.1-4.4.5 | | | [3163845](#3163845)
| If bond slaves listed in the /etc/network/interfaces file are not in alphabetical order, the bond interface MAC address can change when you run ifreload. For example, if the bond slaves in the /etc/network/interfaces file are listed as swp32 swp31, the switch initially uses the MAC address for swp32 as the bond MAC address. An another ifreload can cause this to change to use the MAC address for swp31 as the bond MAC address, which can cause protocol issues, such as IPv6 link-local address changes. | 4.3.1-4.4.5 | | | [3150317](#3150317)
| During a host failure, where a link remains up but LACP stops being sent, the EVPN multihoming ES bond goes into bypass mode active without a link state change. | 4.4.2-5.2.1 | 5.3.0-5.16.1| | [3138746](#3138746)
| The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0-5.1.0 | 5.2.0-5.16.1| @@ -970,7 +970,7 @@ pdfhidden: True | [3117340](#3117340)
| When you edit the /usr/share/openvswitch/scripts/ovs-ctl-vtep file to change the ovs-vtepd configuration between vlan-aware and vlan-unaware mode, ovs-vtepd crashes when you restart the service. To recover, restart the networking service with the sudo systemctl restart networking command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| | [3094082](#3094082)
| If you apply a PBR policy with a next hop group but the next hop is not reachable, the PBR service crashes. | 4.4.0-4.4.3 | 4.4.4-4.4.5| | [3093966](#3093966)
| On Broadcom switches, INPUT chain iptable rules filter IPv6 packets matching the rules. | 3.7.15-3.7.16, 4.3.0-4.4.5 | | -| [3091381](#3091381)
| Restarting switchd might fail due to an ACL SPAN module initialization failure. | 4.4.2-4.4.5 | 5.0.0-5.16.1| +| [3091381, 2804508](#3091381, 2804508)
| Restarting switchd might fail due to an ACL SPAN module initialization failure. | 4.4.2-4.4.5 | 5.0.0-5.16.1| | [3089165](#3089165)
| A slow memory leak might occur in switchd} if the route fails to install in hardware when hardware resources are exhausted. | 4.2.1-4.4.3 | 4.4.4-4.4.5| | [3084027](#3084027)
| Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware. | 4.3.0-4.4.5, 5.0.0-5.16.1 | | | [3083265](#3083265)
| The snmpd process will slowly leak memory when you poll TCP-MIB objects. To work around this issue, restart the snmpd service to free memory with the systemctl restart snmpd command. | 4.4.0-4.4.3 | 4.4.4-4.4.5, 5.2.0-5.16.1| @@ -982,10 +982,10 @@ pdfhidden: True | [3072613](#3072613)
| When you delete a bond interface with NCLU, BGP peer group configuration is removed. | 3.7.15-3.7.16, 4.3.0-4.4.5 | | | [3070672](#3070672)
| TACACS Command Authorization results in a traceback error and command is not executed | 4.4.0-4.4.5 | | | [3060399](#3060399)
| When you add an interface to a layer 3 bond, traffic does not forward and you see errors similar to the following:
2022-05-02T13:14:40.118597+00:00 cumulus sx_sdk: ROUTER: Failed to delete router interface(27) ref count isn’t 0, err= Resource is in use
| 4.4.2-5.1.0 | 5.2.0-5.16.1| -| [3059135](#3059135)
| In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route
To resolve this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| -| [3046023](#3046023)
| The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. | 4.2.1-5.1.0 | 5.2.0-5.16.1| +| [3059135, 3060400](#3059135, 3060400)
| In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route
To resolve this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| +| [3046023, 3096918](#3046023, 3096918)
| The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. | 4.2.1-5.1.0 | 5.2.0-5.16.1| | [3041306](#3041306)
| If you update the MAC address of an SVI using ifreload and hwaddress, the kernel maintains a stale permanent FDB entry for the old MAC address. | 3.7.15, 4.3.0, 4.4.0-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.16.1| -| [3032234](#3032234)
| In BGP unnumbered, when you try to remove an interface from the underlay default VRF with the NVUE nv unset vrf default router bgp neighbor command, the command fails to apply. | 4.4.2-5.0.1 | 5.1.0-5.16.1| +| [3032234, 3163643](#3032234, 3163643)
| In BGP unnumbered, when you try to remove an interface from the underlay default VRF with the NVUE nv unset vrf default router bgp neighbor command, the command fails to apply. | 4.4.2-5.0.1 | 5.1.0-5.16.1| | [3031228](#3031228)
| In a static VXLAN configuration with a traditional or single VXLAN device, enabling bridge learning on the VNI leads to an incorrect warning and the setting is removed in the next commit. The warning is similar to the following:
warning: vni10: possible mis-configuration detected: l2-vni configured with bridge-learning ON while EVPN is also configured - these two parameters conflict with each other
| 4.4.0-4.4.3 | 4.3.1, 4.4.4-4.4.5| | [3021887](#3021887)
| On Spectrum-2 switches, when a packet has a CRC and the ports are in cut-though mode, the switch might stop forwarding traffic. | 4.4.2-4.4.3, 5.0.0-5.0.1 | 4.4.4-4.4.5, 5.1.0-5.16.1| | [3021838](#3021838)
| PBR rules that you apply to interfaces in the default VRF install in the kernel with the action lookup local. As a result, packets that match this rule only perform a route lookup in the local table (which contains special routes for local IP addresses and broadcast addresses) but not in the main table (which contains unicast routes). As a result, policy routing might be applied to traffic incorrectly. | 4.4.2-5.0.1 | 5.1.0-5.16.1| @@ -1007,7 +1007,7 @@ pdfhidden: True | [2943080](#2943080)
| The overlay ASN is removed after a route flap. | 4.4.0-5.0.1 | 5.1.0-5.16.1| | [2933466](#2933466)
| You cannot run NVUE commands to configure route leaking. To work around this issue, create a snippet in yaml format and add the configuration to the /etc/frr/frr.conf file. | 4.4.0-5.0.1 | 5.1.0-5.16.1| | [2913859](#2913859)
| ECMP error messages, similar to the following, show in log files:
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:361 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:621 ERR ECMP: failed to CREATE static ecmp in hwDec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:656 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1540 ERR ECMP: failed to allocate hw ecmp status No More ResourcesDec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1561 ERR ECMP: error allocating static ecmpDec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:2207 ERR ECMP: failed to find ecmp container
| 4.4.0-5.0.1 | 5.1.0-5.16.1| -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | | [2902013](#2902013)
| The NCLU commit command adds a five second delay. | 4.2.1-4.4.5 | | | [2875279](#2875279)
| In a scaled EVPN-MLAG configuration (observed with 400 or more VNIs and 20K or more MAC addresses – the actual scale might vary), when the peer link flaps causing all VNIs to come up at the same time, there might be high CPU utilization on the system for several minutes and the FRR service might restart. After FRR restarts or the CPU utilization settles down, the system functions normally. | 4.2.1-4.3.0, 4.4.0-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.16.1| | [2860323](#2860323)
| If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry. | 4.4.0-5.0.1 | 5.1.0-5.16.1| @@ -1030,8 +1030,8 @@ pdfhidden: True | [2792616](#2792616)
| If a neighbor entry (ARP or NDP) is used as a next hop of a route that is synchronized into hardware, the neighbor entry is not removed from hardware after the neighbor is no longer reachable. As a result, routed traffic matching this prefix is incorrectly hardware forwarded through the stale neighbor information. | 4.3.0-4.4.5 | 5.0.0-5.16.1| | [2788780](#2788780)
| When you enable ARP and ND suppression and the switch forwards ARP and ND packets to the kernel, RX_DRP counters might increment but the packets are processed as normal. | 4.4.0-4.4.5 | | | [2781537](#2781537)
| In Cumulus VX, the iptables FORWARD chain does not count hits. To work around this issue, use -t mangle -A PREROUTING instead of FORWARD. | 4.3.0-4.4.5 | 5.0.0-5.16.1| -| [2780915](#2780915)
| In NVUE, you can't deactivate the IPv4 address family per neighbor. | 4.4.0-4.4.5 | 5.0.0-5.16.1| -| [2780834](#2780834)
| To enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.16.1| +| [2780915, 2556028](#2780915, 2556028)
| In NVUE, you can't deactivate the IPv4 address family per neighbor. | 4.4.0-4.4.5 | 5.0.0-5.16.1| +| [2780834, 2555981](#2780834, 2555981)
| To enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.16.1| | [2780211](#2780211)
| When you use the NVUE nv set vrf default router bgp peer local-as asn command to configure a local AS, Cumulus Linux does not update the etc/frr/frr.conf file. | 4.4.0-4.4.5 | 5.0.0-5.16.1| | [2771653](#2771653)
| When using W-ECMP, the weights for various BGP next hops can sometimes be in the range of 100s or more, which consumes a lot of hardware space. | 4.3.0-4.4.5 | | | [2770226](#2770226)
| In an MLAG configuration with traditional bridges, MAC addresses are seen over peer link during ifreload when adding new VLANS or bridges. | 3.7.14.2-3.7.15, 4.3.0-4.4.5 | 3.7.16, 5.0.0-5.16.1| @@ -1039,18 +1039,18 @@ pdfhidden: True | [2754791](#2754791)
| Remote MAC addreses in zebra are out of sync with bgpd. The zebra MAC addresses point to an incorrect (old) VTEP IP address and the sequence number is one higher than in BGP. | 3.7.14.2-3.7.16, 4.3.0-4.4.5 | | | [2753955](#2753955)
| On the Lenovo MSN3700 switch, if you try to configure an interface with a link speed of 200G, the configuration fails. | 4.2.1-4.4.5 | 5.0.0-5.16.1| | [2752330](#2752330)
| With BGP and layer 2 forwarding, Smart System Manager warm boot mode can cause packet loss. | 4.4.0-4.4.5 | 5.0.0-5.16.1| -| [2747750](#2747750)
| Links connected between a Spectrum 2 switch configured for warm boot and Spectrum 3 switches configured for cold boot might not come up when the switches are booted. | 4.4.2-4.4.5 | 5.0.0-5.16.1| -| [2743186](#2743186)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| +| [2747750, 2782819](#2747750, 2782819)
| Links connected between a Spectrum 2 switch configured for warm boot and Spectrum 3 switches configured for cold boot might not come up when the switches are booted. | 4.4.2-4.4.5 | 5.0.0-5.16.1| +| [2743186, 2734100, 2731464, 3438708](#2743186, 2734100, 2731464, 3438708)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| | [2739402](#2739402)
| The destination MAC address of ERSPAN GRE packets is set to all zeros. | 4.3.0-4.4.5 | 5.0.0-5.16.1| | [2739398](#2739398)
| Cumulus Linux does not support a bond or bond member as a SPAN destination. | 4.4.0-4.4.5 | 4.3.1| -| [2738040](#2738040)
| In an EVPN multihoming configuration, unicast ARP requests are not forwarded when the local Ethernet segment is down. | 4.4.0-4.4.5 | | -| [2736244](#2736244)
| When you run the vtysh command to enable BGP graceful restart on a peer multiple times, the command fails with the following error:
% The Graceful Restart command used is not valid at this moment.
| 4.4.0-4.4.5 | 5.0.0-5.16.1| +| [2738040, 2738041](#2738040, 2738041)
| In an EVPN multihoming configuration, unicast ARP requests are not forwarded when the local Ethernet segment is down. | 4.4.0-4.4.5 | | +| [2736244, 2736249](#2736244, 2736249)
| When you run the vtysh command to enable BGP graceful restart on a peer multiple times, the command fails with the following error:
% The Graceful Restart command used is not valid at this moment.
| 4.4.0-4.4.5 | 5.0.0-5.16.1| | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | | [2734103](#2734103)
| ACL [No More Resources] messages keep appearing and you can't reinstall the ACL. | 4.3.0-5.1.0 | 5.2.0-5.16.1| | [2732605](#2732605)
| The ESI line of show bgp l2vpn evpn route command always shows VNI: 0. This is a cosmetic software issue. | 4.3.0-4.4.5 | 5.0.0-5.16.1| | [2730447](#2730447)
| The bridge MAC address is updated during a port change on bridge interfaces. | 4.3.0, 4.4.0-4.4.5 | 4.3.1, 5.0.0-5.16.1| -| [2728119](#2728119)
| When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-4.4.5 | 5.0.0-5.16.1| -| [2713888](#2713888)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| +| [2728119, 2729309](#2728119, 2729309)
| When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-4.4.5 | 5.0.0-5.16.1| +| [2713888, 2834357](#2713888, 2834357)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| | [2711533](#2711533)
| On the AS7326-56X switch, the link lights for 25G ports configured to work at 1G do not illuminate. | 4.2.1-4.4.5 | | | [2710208](#2710208)
| The net show bgp neighbor command output does not reflect the correct BFD status. This is a cosmetic issue. To work around this issue, run the NCLU net show bfd command to verify the correct state of BFD. | 4.2.1-4.4.5 | | | [2700767](#2700767)
| Following an event that causes the peerlink bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a peer IP mismatch. This behavior is seen when you use a MLAG peer IP linklocal configuration. | 3.7.12-3.7.15, 4.3.0-4.4.5 | 3.7.16| @@ -1063,7 +1063,7 @@ pdfhidden: True | [2639303](#2639303)
| When you use NCLU to delete a bond, then add an interface, NCLU reports an error similar to the following:
ERROR: 'NoneType' object has no attribute 'conf_key_value_multiple_values'See /var/log/netd.log for more details.
| 4.3.0-4.4.5 | | | [2621244](#2621244)
| When a VRF name includes evpn, the NCLU net show bgp vrf command fails with the error ERROR: The call to /usr/bin/vtysh failed. To work around this issue, do not use evpn in the VRF name or run the desired commands directly from FRR with vtysh. | 4.3.0-4.4.5 | | | [2618227](#2618227)
| The NCLU net show bridge macs command displays permanent MAC addresses for trunked VLANs. | 4.3.0-4.4.5 | | -| [2606326](#2606326)
| If the IGMP and MLD querier is configured on only one of the peer switches in an MLAG configuration, when IGMP packets are sent to the peer with no querier, IGMP leave messages have no effect. | 4.4.0-4.4.5 | | +| [2606326, 2583925](#2606326, 2583925)
| If the IGMP and MLD querier is configured on only one of the peer switches in an MLAG configuration, when IGMP packets are sent to the peer with no querier, IGMP leave messages have no effect. | 4.4.0-4.4.5 | | | [2599274](#2599274)
| On Mellanox Spectrum switches, when there is an MSTP forwarding state change on a bonds (for example, when the state changes from blocking to forwarding), the MSTP hardware table might set some VLANs to blocking when they should be forwarding. A a result, all packets on these VLANs drop at ingress
To recover from this state, flap the bond interface (not the physical swp) by running ifdown ; sleep 1 ; ifup . | 4.3.0-4.4.5 | 5.0.0-5.16.1| | [2596458](#2596458)
| When bridge.unreg_v6_mcast_prune = TRUE is configured in the /etc/cumulus/switchd.conf file, traffic destined to IPv6 link-local multicast addresses might not be flooded within the bridge
To work around this issue, disable pruning for IPv6 multicast by setting bridge.unreg_v6_mcast_prune = FALSE in the /etc/cumulus/switchd.conf file. | 4.4.0-4.4.5 | | | [2574368](#2574368)
| When you run the NCLU net add bgp maximum-paths ibgp command, FRR restarts unexpectedly
To work around this issue, either use the vtysh commands or edit the /etc/frr/frr.conf file directly, then run systemctl reload frr. | 4.1.1-4.4.5 | | @@ -1071,7 +1071,7 @@ pdfhidden: True | [2556369](#2556369)
| If you use NCLU to configure an ACL for eth0, you can't designate it as an INPUT rule; the rule is automatically created as a FORWARD rule in the /etc/cumulus/acl/policy.d/50_nclu_acl.rules file.
To work around this issue, manually create an ACL in the /etc/cumulus/acl/policy.d/ file with "-A INPUT -i eth0". | 4.2.1-4.4.5 | | | [2556082](#2556082)
| The NCLU net del vrf command does not delete a numbered VRF. For example:

cumulus@leaf01:~$ net del vrf 55
ERROR: Command not found
| 4.2.1-4.4.5 | | | [2556081](#2556081)
| You cannot set the time zone can with NCLU commands. | 4.1.1-4.4.5 | | -| [2555981](#2555981)
| In BGP, to enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.16.1| +| [2555981, 2584227, 2780834](#2555981, 2584227, 2780834)
| In BGP, to enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.16.1| | [2555873](#2555873)
| On Mellanox switches, egress ACLs with VLAN keys do not filter layer 2 multicast or broadcast traffic. | 4.3.0-4.4.5 | | | [2555763](#2555763)
| The NCLU net del bgp neighbor command does not delete the neighbor and displays an error similar to the following:

ERROR: --- /run/nclu/frr/frr.conf.scratchpad.baseline   2021-01-04 17:23:59.250463331 +0000
+++ /run/nclu/frr/frr.conf.scratchpad    2021-01-04 17:25:59.213673980 +0000

To work around this issue, use the FRR command to delete a neighbor. | 4.3.0-4.4.5 | | | [2555613](#2555613)
| The net show configuration commands command incorrectly displays the NCLU syntax to disable IPv6 forwarding on interfaces. For example:

# net show configuration commands
net add vlan 1 ip6-forward off

The correct NCLU command to disable IPv6 forwarding is net add vlan 1 ipv6 forward off (without the hyphen). | 4.2.1-4.4.5 | | @@ -1084,13 +1084,13 @@ pdfhidden: True | [2554582](#2554582)
| On switches with the Maverick ASIC, control traffic is dropped due to receive buffering. | 4.2.0-4.4.5 | | | [2554533](#2554533)
| On the ARM platform, NTP peer associations slowly increase to larger offsets (~500ms). | 4.0.0-4.4.5 | | | [2554466](#2554466)
| Kernel routes added by iproute2 are missing in FRR after an interface flap.
To work around this issue, configure a static route in FRR.
| 4.2.1-4.4.5 | | -| [2554222](#2554222)
| The NCLU command to enable bridge learning fails.
As a work around, enable bridge learning in the /etc/network/interface file. For example:

auto vni-30
iface vni-30
    vxlan-id 30
    bridge-access 30
    bridge-arp-nd-suppress on
    bridge-learning on
    vxlan-local-tunnelip 10.10.10.1
    mstpctl-bpduguard yes
    mstpctl-portbpdufilter yes
    mtu 9166
| 4.2.1-4.4.5 | | +| [2554222, 2614073](#2554222, 2614073)
| The NCLU command to enable bridge learning fails.
As a work around, enable bridge learning in the /etc/network/interface file. For example:

auto vni-30
iface vni-30
    vxlan-id 30
    bridge-access 30
    bridge-arp-nd-suppress on
    bridge-learning on
    vxlan-local-tunnelip 10.10.10.1
    mstpctl-bpduguard yes
    mstpctl-portbpdufilter yes
    mtu 9166
| 4.2.1-4.4.5 | | | [2554218](#2554218)
| MLAG packets received on the peer link are dropped instead of routed. | 4.2.0-4.4.5 | | -| [2554202](#2554202)
| The output of the net show commit command does not show the last commit or the specified commit number but is empty instead. | 4.2.1-4.4.5 | | +| [2554202, 2544880](#2554202, 2544880)
| The output of the net show commit command does not show the last commit or the specified commit number but is empty instead. | 4.2.1-4.4.5 | | | [2553989](#2553989)
| Default policer configured for LACP as an INPUT chain rule in 00control_plane.rules is meant to protect CPU from an LACP storm. When LACP storm is originating out of a single bond or bond member interface in a switch with multiple bond interfaces, there is a possibility of other LACP bond interface(s) going down. | 4.2.1-4.4.5 | | | [2553887](#2553887)
| When using TACACS+ configured with a DEFAULT user providing privilege level lower than 16, TACACS+ configured users with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del and see an error similar to the following:

ERROR: You do not have permission to execute that command.

To work around this issue, remove the DEFAULT user from the TACACS+ server. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2553677](#2553677)
| When you configure an SNMPv3 user with the net-snmp-config configuration command from the libsnmp-dev package, you get an error message similar to the one below:

cumulus@switch:mgmt-vrf:~$ sudo net-snmp-config --create-snmpv3-user -a shaauthpass -x aesprivpass -A SHA -X AES userSHAwithAES
adding the following line to /var/lib/snmp/snmpd.conf:           
   createUser userSHAwithAES SHA "shaauthpass" AES "aesprivpass"       
adding the following line to /snmp/snmpd.conf:                           
   rwuser userSHAwithAES                                           
touch: cannot touch ‘/snmp/snmpd.conf’: No such file or directory
/usr/bin/net-snmp-create-v3-user: 144: /usr/bin/net-snmp-create-v3-user: cannot create /snmp/snmpd.conf: Directory nonexistent

To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:

cumulus@switch:mgmt-vrf:~$ net add snmp-server username user999 auth-md5 user999password encrypt-des user999encryption

Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation. | 3.7.13-3.7.16, 4.0.0-4.4.5 | | -| [2553237](#2553237)
| The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF.
NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF.

| 4.2.0-4.4.5 | | +| [2553237, 2552950](#2553237, 2552950)
| The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF.
NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF.

| 4.2.0-4.4.5 | | | [2553116](#2553116)
| When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure.
To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2553015](#2553015)
| If a neighbour contains a special character in PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail. | 3.7.10-3.7.16, 4.2.0-4.4.5 | | | [2552691](#2552691)
| On the EdgeCore AS4610 switch, the eth0 interface remains down when physically connected to a 1G interface.
To work around this issue, configure the link speed to 1000 and set auto-negotiation on for the eth0 interface, then flap eth0 with the ip link set eth0 down/up command to bring up the port. | 4.2.0-4.4.5 | | @@ -1128,15 +1128,15 @@ pdfhidden: True | [2548044](#2548044)
| When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor. | 3.7.12-3.7.15, 4.0.0-4.4.5 | 3.7.16| | [2547890](#2547890)
| QinQ across VXLAN on a traditional bridge does not work. | 4.1.0-4.4.5 | | | [2547782](#2547782)
| If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2547706](#2547706)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2547706, 2544456, 2549513](#2547706, 2544456, 2549513)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2547405](#2547405)
| When you restart the hsflowd service, you see a systemd warning message similar to the following:

Warning: The unit file, source configuration file or drop-ins of hsflowd@mgmt.service changed on disk. Run 'systemctl daemon-reload'.
| 4.0.0-4.4.5 | | | [2547120](#2547120)
| After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number), until you run the decode-syseeprom --init command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546991](#2546991)
| The FRR service does not provide a way for automation to know if the configuration applied properly.
To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546895](#2546895)
| If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:
bq. systemd[1]: switchd.service watchdog timeout (limit 2min)!
To workaround this issue, either reduce the number of configured interfaces and, or VLANs, or increase the systemd timeout for switchd.service
To increase the systemd timeout:1.Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter
2.Restart the switchd service with the sudo systemctl restart switchd.service command
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546874](#2546874)
| On the Dell S5232F, S5248F, S5296F, and S3048 switch, using the poweroff or halt commands does not fully power off the switch. | 4.0.0-4.4.5 | | | [2546255](#2546255)
| On the EdgeCore Minipack-AS8000 switch, a 100G DAC link does not come up when auto-negotiation is enabled on the neighbor. This switch does not support 100G DAC auto-negotiation at this time. | 4.0.0-4.4.5 | | -| [2546225](#2546225)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2546131](#2546131)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546225, 2541038](#2546225, 2541038)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546131, 2542979](#2546131, 2542979)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2545837](#2545837)
| If you use the NCLU commands to configure NTP and run the net add time ntp source command before you run the net add time ntp server iburst command, the /etc/ntp.conf file is misconfigured.
To work around this issue, run the net add time ntp server iburst command before you run the net add time ntp source command. | 3.7.10-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2545520](#2545520)
| The length of the netlink message is not set properly for non-bridge family type messages. The same length is used for both bridge and non-bridge even though the bridge family type message has an extra attribute. This causes extra bytes to be left over in non-bridge family type netlink messages. | 3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2545233](#2545233)
| On the Delta AG9032v1 switch, smonctl and sensors report inaccurate PSU current and power. | 4.0.0-4.4.5 | | @@ -1145,22 +1145,22 @@ pdfhidden: True | [2544968](#2544968)
| FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:

sudo sh -c "printf 'interface 50\nvrf TEST description L3 routing interface\n' >> /etc/frr/frr.conf"

should be:

sudo sh -c "printf 'interface 50 vrf TEST\ndescription L3 routing interface\n' >> /etc/frr/frr.conf"

To work around this issue, configure the interface manually in the /etc/frr/frr.conf file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544957](#2544957)
| NCLU incorrectly allows you to apply port security configuration on layer 2 and layer 3 ports that are not part of a bridge. | 4.0.0-4.4.5 | | | [2544953](#2544953)
| When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.
To work around this issue, run the sudo systemctl restart lldpd.service command. | 3.7.10-3.7.16, 4.0.0-4.4.5 | | -| [2544880](#2544880)
| When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. | 4.0.0-4.4.5 | | +| [2544880, 2544616, 2554202](#2544880, 2544616, 2554202)
| When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. | 4.0.0-4.4.5 | | | [2544723](#2544723)
| Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2544463](#2544463)
| Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | -| [2544456](#2544456)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | +| [2544456, 2546166, 2546167, 2547706, 2549513](#2544456, 2546166, 2546167, 2547706, 2549513)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544311](#2544311)
| Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544155](#2544155)
| NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order.

| 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544113](#2544113)
| Mac learning is not disabled by default on a double tagged peer link interface resulting in the MAC address changing between the MLAG bond and the peer link.
To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the etc/network/interfaces file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2543937](#2543937)
| An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause a FRR reload to time out.
To work around this issue, remove the interface alias description from iproute2. | 3.7.8-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543915](#2543915)
| When you enable a service in the management VRF, systemctl issues a warning similar to the following:
Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run 'systemctl daemon-reload' to reload unit
You can safely ignore this warning. | 4.0.0-5.9.5 | 5.10.0-5.16.1| | [2543900](#2543900)
| On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | | -| [2543841](#2543841)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | +| [2543841, 2544947](#2543841, 2544947)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | | [2543816](#2543816)
| On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages.
| 3.7.6-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2543781](#2543781)
| NCLU does not allow you to configure OSPF NSSAs. For example: 

cumulus@switch:~$ net add ospf area 0.0.0.1 nssa 
ERROR: Command not found. 
net add ospf area 0.0.0.1 nssa

To work around this issue, use FRR instead. For example: 

switch# configure terminal 
switch(config)# router ospf 
switch(config-router)# area 0.0.0.1 nssa
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543724](#2543724)
| If a hostname contains utf-8 characters, the NCLU net show lldp command outputs the following error: 

ERROR: 'ascii' codec can't encode character u'\xe9' in position 3: ordinal not in range(128) 
See /var/log/netd.log for more details.
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543646](#2543646)
| In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | | -| [2543401](#2543401)
| On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. | 4.0.0-4.4.5 | | +| [2543401, 2543014](#2543401, 2543014)
| On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. | 4.0.0-4.4.5 | | | [2543211](#2543211)
| In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2543164](#2543164)
| The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2543096](#2543096)
| When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | @@ -1175,7 +1175,7 @@ pdfhidden: True | [2540352](#2540352)
| When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a _match interface_ condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9 
net add routing route-map Proxy-ARP permit 30 match interface swp10

| 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2540340](#2540340)
| NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example: 
 
 cumulus@switch:~$ net add vrf mgmt

Tab completion for the net add vrf ip address
command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540274](#2540274)
| On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | -| [2540204](#2540204)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540204, 2713883](#2540204, 2713883)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540192](#2540192)
| The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540155](#2540155)
| On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2540042](#2540042)
| When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example: 
 
cumulus@switch:~$ sudo vtysh 
switch# configure terminal 
switch(config)# interface br0.100 
switch(config-if)# vrrp 1 priority 110 
switch(config-if)# vrrp 1 advertisement-interval 
switch(config-if)# end 
switch# write memory 
switch# exit 
cumulus@switch:~

| 3.7.4-3.7.16, 4.0.0-4.4.5 | | @@ -1191,7 +1191,7 @@ pdfhidden: True | [2538562](#2538562)
| On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.
After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.
To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.
Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G. | 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2538294](#2538294)
| If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2537699](#2537699)
| There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces: 
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
| 3.7.1-3.7.16, 4.0.0-4.4.5 | | -| [2537544](#2537544)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2537544, 2537365](#2537544, 2537365)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | | [2536576](#2536576)
| If you try to bring down several members of a bond remotely at the same time, the link state of one of the interfaces might not transition correctly to the down state; however, all links show down in hardware.
| 4.0.0-4.4.5 | | | [2536384](#2536384)
| The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2536256](#2536256)
| For an unresolved address, the IPROUTER default policer rule has been modified to _not_ match on packets exiting a TUNNEL and headed to the CPU to resolve the address via ARP. As a result, the following default rule no longer matches TUNNEL ingress packets. 
 
A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type 
IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100

These packets are now policed by catch all rules.
To work around this issue, the VPORT value on a TRIDENT switch must be changed from binary 011 to 100.
| 4.0.0-4.4.5 | | @@ -1215,17 +1215,17 @@ pdfhidden: True | [2895333](#2895333)
| If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry. | 4.4.0-4.4.1 | | | [2879712](#2879712)
| On CumulusLinux 4.4.0, attempting to install any tacplus or radius package from the CumulusLinux-4.4-latest distribution on apt.cumulusnetworks.com will fail due to incorrect package metadata (specifically a SHA512 checksum that will cause a hash sum mismatch) in the preinstalled cumulus-local-apt-archive package. The workaround is to remove /var/lib/apt/lists/_var_lib_cumulus_cumulus-local-apt-archive_dists_cumulus-local-apt-archive_main_binary-amd64_Packages or uninstall the cumulus-local-apt-archive package on the affected switch. | 4.4.0-4.4.1 | | | [2867156](#2867156)
| TACACS+ client package installation from the CumulusLinux-4.4-latest distribution on apt.cumulusnetworks.com fails because package metadata in the preinstalled cumulus-local-apt-archive package is incorrect, which causes a hash sum mismatch. | 4.4.0-4.4.1 | | -| [2854785](#2854785)
| When you configure 199 VXLANs plus 199 VLANs, clagd crashes every few seconds. | 3.7.15, 4.3.0, 4.4.0-4.4.1 | | +| [2854785, 2826122](#2854785, 2826122)
| When you configure 199 VXLANs plus 199 VLANs, clagd crashes every few seconds. | 3.7.15, 4.3.0, 4.4.0-4.4.1 | | | [2854784](#2854784)
| After building VLAN or VXLAN interfaces, MLAG becomes unstable. | 4.3.0-4.4.1 | | | [2848204](#2848204)
| FRR does not prevent EVPN routes from being imported into VNIs when they are not needed. For example, you can import a type-5 route into a layer 2 VNI if the configured import route target matches the route target on the type-5 route. When this occurs, the network address of the IP prefix carried within the type-5 route incorrectly shows as a remote VTEP for the layer 2 VNI in the net show evpn vni command output. For example:
router bgp 64100 
address-family l2vpn evpn
 vni 10 
  route-target import 9200:9204     <<<<<  l2vni import-rt
 exit-vnirouter bgp 6400 vrf RED 
address-family l2vpn evpn
 advertise ipv4 unicast
 route-target import 9200:9204    <<<<<  l3vni import-rt
exit-address-family
Imported Route:
*  [5]:[0]:[32]:[10.252.11.124]
                   10.249.129.158                         0 4200858009 64810 64819 64895 64895 64890 64893 64894 i
                   RT:9200:9204 ET:8 Rmac:c0:d6:82:56:82:a1
net show evpn vni 9204 snippet:
VNI: 9204
Type: L2
 10.252.11.124 flood: -
| 4.4.0-4.4.1 | | -| [2802207](#2802207)
| The SDK process sx_core prints the messages shown below and the switch stops forwarding traffic
kernel: sx_core: Did not receive completion for SDQ dqn (1) idx (849) after 10 secondskernel: sx_core: __sx_core_post_send: Cannot send packet on dqn [1] sdq stuck
| 4.4.0-4.4.1 | | +| [2802207, 2804044](#2802207, 2804044)
| The SDK process sx_core prints the messages shown below and the switch stops forwarding traffic
kernel: sx_core: Did not receive completion for SDQ dqn (1) idx (849) after 10 secondskernel: sx_core: __sx_core_post_send: Cannot send packet on dqn [1] sdq stuck
| 4.4.0-4.4.1 | | | [2783611](#2783611)
| If you remove ports from a bridge and add IP addresses in one ifreload, connected routes are bound to the wrong routing information field. | 4.3.0-4.4.1 | | | [2771871](#2771871)
| IPv4 and IPv6 neighbor entries in a FAILED state are incorrectly programmed into hardware as FORWARD entries instead of TRAP entries. Traffic is forwarded to these neighbors with a destination MAC address of 00:00:00:00:00:00 instead of trapping them to the CPU to resolve the correct MAC address
This affects failed neighbor entries on routed interfaces that are not SVIs. | 4.3.0-4.4.1 | | | [2755614](#2755614)
| When you set route_preferred_over_neigh to FALSE in the /etc/cumulus/switchd.conf file, host routes (/32 or /128) are used for forwarding in hardware instead of a local neighbor entry. | 4.0.0-4.3.0, 4.4.0-4.4.1 | | | [2749106](#2749106)
| Changing non-default BGP timers with NCLU or vtysh commands sets the hold time and keep alive interval to 0 seconds. | 4.4.0-4.4.1 | | | [2739647](#2739647)
| In an EVPN multihoming configuration, unicast ARP requests are not forwarded when the local Ethernet segment is down. | 4.4.0-4.4.1 | | | [2734107](#2734107)
| When withdrawal and advertisement processing occurs in short succession, type-2 routes with an IP are not imported into layer 2 VNIs. | 3.7.12-4.3.0 | | -| [2723603](#2723603)
| In a static VXLAN configuration, the bridge-learning on setting does not turn on VXLAN-learning. | 4.4.0-4.4.1 | | +| [2723603, 2751705](#2723603, 2751705)
| In a static VXLAN configuration, the bridge-learning on setting does not turn on VXLAN-learning. | 4.4.0-4.4.1 | | | [2719356](#2719356)
| If you reduce the reserved VLAN range in the /etc/cumulus/switchd.conf file to below 32 and you make multiple VLAN or bridge configuration changes, the VLANs might not be created in hardware and you might see the log message hal_mlx_l2.c:3045 ERR vlan create failed
The minimum supported size of the reserved VLAN range in the /etc/cumulus/switchd.conf file is 32 VLANs for single VLAN-aware bridge configurations. | 4.4.0-4.4.1 | | | [2706744](#2706744)
| In an EVPN multihoming configuration, the VTEP continues to advertise a stale route after an extended MAC mobility event. | 4.3.0-4.4.1 | | @@ -1236,24 +1236,24 @@ pdfhidden: True |--- |--- |--- |--- | | [4143345](#4143345)
| On the Trident3 switch, if you use NCLU to configure BGP neighbor shutdown, NCLU stops responding when you include more than 200 neighbors per peer group. If you do not use NCLU to configure BGP neighbor shutdown, you can configure a maximum of 300 neighbors per peer group. | 4.3.0-4.4.5 | | | [4004453](#4004453)
| The NVUE commands to delete SNMP users, and change authentication passwords and encryption passphrases are not successful. | 4.3.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| -| [3895042](#3895042)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| +| [3895042, 3895041](#3895042, 3895041)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3773177](#3773177)
| When you try to upgrade a switch from Cumulus Linux before 5.6.0 with package upgrade, you might see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.
cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt install ./cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt update
cumulus@switch:~$ sudo apt upgrade
| 4.0.0-4.4.5, 5.0.0-5.16.1 | | | [3684998](#3684998)
| DHCP lease information is not collected in the cl-support file. | 4.3.0-5.6.0 | 5.7.0-5.16.1| | [3528464](#3528464)
| Cumulus Linux might mark a layer 2 VLAN-tagged packet as a packet to CPU and the INPUT chain ACL might drop the packet. To work around this issue, add an additional addrtype match on the ACL to prevent an erroneous ACL match; for example:
[iptables]
-A INPUT -i swp+ -m addrtype --dst-type LOCAL -p tcp --sport 22 -j DROP
| 4.3.0-4.4.5 | | | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0-5.16.1| -| [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.16.1| +| [3474391, 3479772](#3474391, 3479772)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.16.1| | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.16.1| | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | | [3400244](#3400244)
| NCLU accepts multiple instances of same net add bgp commands and stores the configuration in the /etc/frr/frr.conf file when you run the net commit command. As a result, unintended commands might be processed during frr-reload. To work around this issue, edit the /etc/frr/frr.conf file to remove the duplicated entries. | 4.3.1-4.4.5 | | -| [3390022](#3390022)
| When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the peerlink.4095 interface stanza are duplicated. Subsequent ifreloads, or net commit commands fail until you manually remove the duplicated lines from this interface and run ifreload -a. | 4.2.1-4.4.5 | | -| [3389994](#3389994)
| During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbor entries cannot synchronize between MLAG nodes. During this transitory upgrade state, neighbor entry resolution relies on data plane traffic being forwarded to the CPU so ARP can resolve the necessary neighbor entry before traffic can go through the fastpath. | 4.4.0-5.4.0 | 4.3.2, 5.5.0-5.16.1| +| [3390022, 3323138](#3390022, 3323138)
| When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the peerlink.4095 interface stanza are duplicated. Subsequent ifreloads, or net commit commands fail until you manually remove the duplicated lines from this interface and run ifreload -a. | 4.2.1-4.4.5 | | +| [3389994, 3323143](#3389994, 3323143)
| During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbor entries cannot synchronize between MLAG nodes. During this transitory upgrade state, neighbor entry resolution relies on data plane traffic being forwarded to the CPU so ARP can resolve the necessary neighbor entry before traffic can go through the fastpath. | 4.4.0-5.4.0 | 4.3.2, 5.5.0-5.16.1| | [3387852](#3387852)
| If you remove NGINX from the switch, then run apt autoremove, switchd does not reload because the libyaml-0-2 and python-yaml packages are missing; these packages are required for switchd consistency checking. To work around this issue, reinstall the libyaml-0-2 and python-yaml packages. | 4.4.0-4.4.5 | | | [3339249](#3339249)
| The sensors.conf files in Cumulus Linux are out of date. | 4.2.1-4.4.5 | | | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.16.1| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.16.1 | | | [3319919](#3319919)
| Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-4.3.1, 4.4.0-5.3.1 | 4.3.2, 5.4.0-5.16.1| | [3303105](#3303105)
| Clagd crash is observed with the following traceback in /var/log/clagd.log following a clag sync event which is typically driven by a peerlink up event:
unhandled exception:
Traceback (most recent call last):
File "/usr/sbin/clagd", line 1304, in PeerRecvT
PeerRecv()
File "/usr/sbin/clagd", line 513, in PeerRecv
ParseProtoBufMessage(nlm, myPeerMsg)
File "/usr/sbin/clagd", line 853, in ParseProtoBufMessage
msgData = FdbSync.ParseProtoBufMessage(msgHdr)
File "/usr/lib/python3/dist-packages/clag/fdbsync.py", line 892, in ParseProtoBufMessage
msgData.ParseFromString(msgHdr.data)
google.protobuf.message.DecodeError: Error parsing message | 4.4.0-4.4.5 | | -| [3291548](#3291548)
| In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. | 4.2.1-4.4.5 | 5.0.0-5.16.1| +| [3291548, 2434628](#3291548, 2434628)
| In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. | 4.2.1-4.4.5 | 5.0.0-5.16.1| | [3269537](#3269537)
| When an FRR routing service (such as bgpd) becomes unresponsive, watchfrr might fail to stop and restart service. To work around this issue, restart FRR with the systemctl restart frr command. | 4.4.0-5.3.1 | 5.4.0-5.16.1| | [3236334](#3236334)
| Using ARP suppression with a very large number of interfaces might result in missing ARP entries on the local device or buffer underrun warnings in the neighmgrd log. | 4.4.0-4.4.5 | 4.3.2| | [3221470](#3221470)
| Under heavy system load, when many forwarding resources (routes, neighbors, ECMP groups, and so on) are removed from hardware, subsequent attempts to configure additional forwarding resources might fail and you see the following log message:
sx_sdk: EMAD_RX_THREAD: EMAD transaction FW error
| 4.4.0-5.1.0 | 5.2.0-5.16.1| @@ -1263,7 +1263,7 @@ pdfhidden: True | [3211369](#3211369)
| The NCLU net show interface pluggables command takes a long time (approximately five minutes) to complete. | 4.2.1-4.4.5 | | | [3209699](#3209699)
| RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users)
| 3.7.0-4.3.0, 4.4.0-5.2.1 | 4.3.1, 5.3.0-5.16.1| | [3191517](#3191517)
| When a switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-4.3.1, 4.4.0-5.2.1 | 4.3.2, 5.3.0-5.16.1| -| [3168564](#3168564)
| In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), switchd might crash when you restart clagd or when all bonds go operationally down, then up
On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. | 4.3.1-4.4.5 | | +| [3168564, 3198302](#3168564, 3198302)
| In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), switchd might crash when you restart clagd or when all bonds go operationally down, then up
On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. | 4.3.1-4.4.5 | | | [3163845](#3163845)
| If bond slaves listed in the /etc/network/interfaces file are not in alphabetical order, the bond interface MAC address can change when you run ifreload. For example, if the bond slaves in the /etc/network/interfaces file are listed as swp32 swp31, the switch initially uses the MAC address for swp32 as the bond MAC address. An another ifreload can cause this to change to use the MAC address for swp31 as the bond MAC address, which can cause protocol issues, such as IPv6 link-local address changes. | 4.3.1-4.4.5 | | | [3138746](#3138746)
| The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0-5.1.0 | 5.2.0-5.16.1| | [3138057](#3138057)
| When the next hop interface for EVPN type 5 routes flaps, FRR might uninstall the routes and Route install failed appears in /var/log/frr/frr.log. To work around this problem, restart FRR with the sudo systemctl restart frr command. | 4.4.0-5.2.1 | 5.3.0-5.16.1| @@ -1281,8 +1281,8 @@ pdfhidden: True | [3072674](#3072674)
| In an MLAG configuration, if you put a single connected interface into an admin down state, any dynamic MAC addresses on the peer link are flushed, then added back, which causes momentary traffic disruption. | 3.7.15-5.1.0 | 5.2.0-5.16.1| | [3072613](#3072613)
| When you delete a bond interface with NCLU, BGP peer group configuration is removed. | 3.7.15-3.7.16, 4.3.0-4.4.5 | | | [3070672](#3070672)
| TACACS Command Authorization results in a traceback error and command is not executed | 4.4.0-4.4.5 | | -| [3059135](#3059135)
| In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route
To resolve this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| -| [3046023](#3046023)
| The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. | 4.2.1-5.1.0 | 5.2.0-5.16.1| +| [3059135, 3060400](#3059135, 3060400)
| In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route
To resolve this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| +| [3046023, 3096918](#3046023, 3096918)
| The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. | 4.2.1-5.1.0 | 5.2.0-5.16.1| | [3041306](#3041306)
| If you update the MAC address of an SVI using ifreload and hwaddress, the kernel maintains a stale permanent FDB entry for the old MAC address. | 3.7.15, 4.3.0, 4.4.0-5.0.1 | 3.7.16, 4.3.1, 5.1.0-5.16.1| | [3031228](#3031228)
| In a static VXLAN configuration with a traditional or single VXLAN device, enabling bridge learning on the VNI leads to an incorrect warning and the setting is removed in the next commit. The warning is similar to the following:
warning: vni10: possible mis-configuration detected: l2-vni configured with bridge-learning ON while EVPN is also configured - these two parameters conflict with each other
| 4.4.0-4.4.3 | 4.3.1, 4.4.4-4.4.5| | [3021692](#3021692)
| When ARP suppression is off, GARPs from neighmgrd for remote neighbors are sent over VXLAN. | 3.7.15-4.3.0, 4.4.0-5.1.0 | 4.3.1, 5.2.0-5.16.1| @@ -1298,7 +1298,7 @@ pdfhidden: True | [2933466](#2933466)
| You cannot run NVUE commands to configure route leaking. To work around this issue, create a snippet in yaml format and add the configuration to the /etc/frr/frr.conf file. | 4.4.0-5.0.1 | 5.1.0-5.16.1| | [2923458](#2923458)
| At high interface scale (around 100 or more combined SVI and VNI interfaces), the sudo ifreload -a command might report a buffer underrun event with the message error: Buffer underrun. | 4.4.0-4.4.1 | 4.4.2-4.4.5| | [2913859](#2913859)
| ECMP error messages, similar to the following, show in log files:
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:361 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:621 ERR ECMP: failed to CREATE static ecmp in hwDec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:656 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1540 ERR ECMP: failed to allocate hw ecmp status No More ResourcesDec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1561 ERR ECMP: error allocating static ecmpDec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:2207 ERR ECMP: failed to find ecmp container
| 4.4.0-5.0.1 | 5.1.0-5.16.1| -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | | [2902013](#2902013)
| The NCLU commit command adds a five second delay. | 4.2.1-4.4.5 | | | [2895333](#2895333)
| If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry. | 4.4.0-4.4.1 | 4.4.2-4.4.5| | [2879712](#2879712)
| On CumulusLinux 4.4.0, attempting to install any tacplus or radius package from the CumulusLinux-4.4-latest distribution on apt.cumulusnetworks.com will fail due to incorrect package metadata (specifically a SHA512 checksum that will cause a hash sum mismatch) in the preinstalled cumulus-local-apt-archive package. The workaround is to remove /var/lib/apt/lists/_var_lib_cumulus_cumulus-local-apt-archive_dists_cumulus-local-apt-archive_main_binary-amd64_Packages or uninstall the cumulus-local-apt-archive package on the affected switch. | 4.4.0-4.4.1 | 4.4.2-4.4.5| @@ -1306,7 +1306,7 @@ pdfhidden: True | [2867156](#2867156)
| TACACS+ client package installation from the CumulusLinux-4.4-latest distribution on apt.cumulusnetworks.com fails because package metadata in the preinstalled cumulus-local-apt-archive package is incorrect, which causes a hash sum mismatch. | 4.4.0-4.4.1 | 4.4.2-4.4.5| | [2860323](#2860323)
| If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry. | 4.4.0-5.0.1 | 5.1.0-5.16.1| | [2855908](#2855908)
| Traffic failover in a multicast topology with redundancy has the mroute stuck in a prune state and PIM join messages continue to send
To work around this issue, run the vtysh clear ip mroute command. | 3.7.15-4.3.0, 4.4.0-5.0.1 | 4.3.1, 5.1.0-5.16.1| -| [2854785](#2854785)
| When you configure 199 VXLANs plus 199 VLANs, clagd crashes every few seconds. | 3.7.15, 4.3.0, 4.4.0-4.4.5 | 3.7.16, 4.3.1, 5.0.0-5.16.1| +| [2854785, 2826122](#2854785, 2826122)
| When you configure 199 VXLANs plus 199 VLANs, clagd crashes every few seconds. | 3.7.15, 4.3.0, 4.4.0-4.4.5 | 3.7.16, 4.3.1, 5.0.0-5.16.1| | [2854784](#2854784)
| After building VLAN or VXLAN interfaces, MLAG becomes unstable. | 4.3.0-4.4.5 | 5.0.0-5.16.1| | [2848204](#2848204)
| FRR does not prevent EVPN routes from being imported into VNIs when they are not needed. For example, you can import a type-5 route into a layer 2 VNI if the configured import route target matches the route target on the type-5 route. When this occurs, the network address of the IP prefix carried within the type-5 route incorrectly shows as a remote VTEP for the layer 2 VNI in the net show evpn vni command output. For example:
router bgp 64100 
address-family l2vpn evpn
 vni 10 
  route-target import 9200:9204     <<<<<  l2vni import-rt
 exit-vnirouter bgp 6400 vrf RED 
address-family l2vpn evpn
 advertise ipv4 unicast
 route-target import 9200:9204    <<<<<  l3vni import-rt
exit-address-family
Imported Route:
*  [5]:[0]:[32]:[10.252.11.124]
                   10.249.129.158                         0 4200858009 64810 64819 64895 64895 64890 64893 64894 i
                   RT:9200:9204 ET:8 Rmac:c0:d6:82:56:82:a1
net show evpn vni 9204 snippet:
VNI: 9204
Type: L2
 10.252.11.124 flood: -
| 4.4.0-4.4.1 | 4.4.2-4.4.5| | [2845531](#2845531)
| If you update the MAC address of an SVI when the SVI is in a protodown state (for example, when no bridge ports that carry this VNI are operationally up or if the MAC address of the SVI's parent bridge changes), clagd does not notice the change. The MLAG peer incorrectly maintains a PERMANENT neighbor entry for the SVI IP that points to the old MAC address. | 4.2.1-4.4.5 | 5.0.0-5.16.1| @@ -1316,7 +1316,7 @@ pdfhidden: True | [2813563](#2813563)
| When you change the port speed with the NVUE nv set interface link speed command, then run nv config apply, the port is disabled. To work around this issue, run the ifreload -a command after you apply the port speed setting. | 4.4.0-4.4.5 | 5.0.0-5.16.1| | [2803428](#2803428)
| The clagctl -v -j and net show clag verbose json commands show incorrect output. | 4.4.0-4.4.5 | 5.0.0-5.16.1| | [2802859](#2802859)
| When the INTF_CMD list in the /etc/default/isc-dhcp-relay file includes non-existent or partially configured interfaces from the /etc/netwwork/interfaces file, there is an open file descriptor leak in DHCP Relay; the DHCP Relay service exits and you see error messages. To work around this issue, either clean up the INTF_CMD list in the /etc/default/isc-dhcp-relay file to remove non-existent or partially configured interfaces from the /etc/network/interfaces file or correct the /etc/network/interfaces file to have a complete configuration for all interfaces defined in the INTF_CMD list in the /etc/default/isc-dhcp-relay file. | 4.4.0-4.4.5 | 5.0.0-5.16.1| -| [2802207](#2802207)
| The SDK process sx_core prints the messages shown below and the switch stops forwarding traffic
kernel: sx_core: Did not receive completion for SDQ dqn (1) idx (849) after 10 secondskernel: sx_core: __sx_core_post_send: Cannot send packet on dqn [1] sdq stuck
| 4.4.0-4.4.1 | 4.4.2-4.4.5| +| [2802207, 2804044](#2802207, 2804044)
| The SDK process sx_core prints the messages shown below and the switch stops forwarding traffic
kernel: sx_core: Did not receive completion for SDQ dqn (1) idx (849) after 10 secondskernel: sx_core: __sx_core_post_send: Cannot send packet on dqn [1] sdq stuck
| 4.4.0-4.4.1 | 4.4.2-4.4.5| | [2799575](#2799575)
| When next hop tracking fails for a global next hop, BGP invalidates the entire path instead of only invalidating the global next hop. | 4.4.0-4.4.5 | 5.0.0-5.16.1| | [2799568](#2799568)
| When you add or remove a global unicast address from an interface, BGP does not update the global next hop advertised to the unnumbered BGP peer. | 4.4.0-4.4.5 | 5.0.0-5.16.1| | [2798406](#2798406)
| If an MLAG failure of an EVPN Active-Active VTEP pair occurs after you disable EVPN Advertise Primary IP Address, remote VTEPs might not be able to install the anycast RMAC of the failed MLAG peers or the related bridge FDB entry
To work around this issue, do not disable EVPN Advertise Primary IP Address, which is enabled by default when you use address-virtual for layer 3 VNI SVI interfaces. | 4.4.0-4.4.5 | 5.0.0-5.16.1| @@ -1326,8 +1326,8 @@ pdfhidden: True | [2788780](#2788780)
| When you enable ARP and ND suppression and the switch forwards ARP and ND packets to the kernel, RX_DRP counters might increment but the packets are processed as normal. | 4.4.0-4.4.5 | | | [2783611](#2783611)
| If you remove ports from a bridge and add IP addresses in one ifreload, connected routes are bound to the wrong routing information field. | 4.3.0-4.4.1 | 4.4.2-4.4.5| | [2781537](#2781537)
| In Cumulus VX, the iptables FORWARD chain does not count hits. To work around this issue, use -t mangle -A PREROUTING instead of FORWARD. | 4.3.0-4.4.5 | 5.0.0-5.16.1| -| [2780915](#2780915)
| In NVUE, you can't deactivate the IPv4 address family per neighbor. | 4.4.0-4.4.5 | 5.0.0-5.16.1| -| [2780834](#2780834)
| To enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.16.1| +| [2780915, 2556028](#2780915, 2556028)
| In NVUE, you can't deactivate the IPv4 address family per neighbor. | 4.4.0-4.4.5 | 5.0.0-5.16.1| +| [2780834, 2555981](#2780834, 2555981)
| To enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.16.1| | [2780211](#2780211)
| When you use the NVUE nv set vrf default router bgp peer local-as asn command to configure a local AS, Cumulus Linux does not update the etc/frr/frr.conf file. | 4.4.0-4.4.5 | 5.0.0-5.16.1| | [2771871](#2771871)
| IPv4 and IPv6 neighbor entries in a FAILED state are incorrectly programmed into hardware as FORWARD entries instead of TRAP entries. Traffic is forwarded to these neighbors with a destination MAC address of 00:00:00:00:00:00 instead of trapping them to the CPU to resolve the correct MAC address
This affects failed neighbor entries on routed interfaces that are not SVIs. | 4.3.0-4.4.1 | 4.4.2-4.4.5| | [2771653](#2771653)
| When using W-ECMP, the weights for various BGP next hops can sometimes be in the range of 100s or more, which consumes a lot of hardware space. | 4.3.0-4.4.5 | | @@ -1338,20 +1338,20 @@ pdfhidden: True | [2753955](#2753955)
| On the Lenovo MSN3700 switch, if you try to configure an interface with a link speed of 200G, the configuration fails. | 4.2.1-4.4.5 | 5.0.0-5.16.1| | [2752330](#2752330)
| With BGP and layer 2 forwarding, Smart System Manager warm boot mode can cause packet loss. | 4.4.0-4.4.5 | 5.0.0-5.16.1| | [2749106](#2749106)
| Changing non-default BGP timers with NCLU or vtysh commands sets the hold time and keep alive interval to 0 seconds. | 4.4.0-4.4.1 | 4.4.2-4.4.5| -| [2743186](#2743186)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| +| [2743186, 2734100, 2731464, 3438708](#2743186, 2734100, 2731464, 3438708)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| | [2739647](#2739647)
| In an EVPN multihoming configuration, unicast ARP requests are not forwarded when the local Ethernet segment is down. | 4.4.0-4.4.1 | 4.4.2-4.4.5| | [2739402](#2739402)
| The destination MAC address of ERSPAN GRE packets is set to all zeros. | 4.3.0-4.4.5 | 5.0.0-5.16.1| | [2739398](#2739398)
| Cumulus Linux does not support a bond or bond member as a SPAN destination. | 4.4.0-4.4.5 | 4.3.1| -| [2738040](#2738040)
| In an EVPN multihoming configuration, unicast ARP requests are not forwarded when the local Ethernet segment is down. | 4.4.0-4.4.5 | | -| [2736244](#2736244)
| When you run the vtysh command to enable BGP graceful restart on a peer multiple times, the command fails with the following error:
% The Graceful Restart command used is not valid at this moment.
| 4.4.0-4.4.5 | 5.0.0-5.16.1| +| [2738040, 2738041](#2738040, 2738041)
| In an EVPN multihoming configuration, unicast ARP requests are not forwarded when the local Ethernet segment is down. | 4.4.0-4.4.5 | | +| [2736244, 2736249](#2736244, 2736249)
| When you run the vtysh command to enable BGP graceful restart on a peer multiple times, the command fails with the following error:
% The Graceful Restart command used is not valid at this moment.
| 4.4.0-4.4.5 | 5.0.0-5.16.1| | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | | [2734103](#2734103)
| ACL [No More Resources] messages keep appearing and you can't reinstall the ACL. | 4.3.0-5.1.0 | 5.2.0-5.16.1| | [2732605](#2732605)
| The ESI line of show bgp l2vpn evpn route command always shows VNI: 0. This is a cosmetic software issue. | 4.3.0-4.4.5 | 5.0.0-5.16.1| | [2730447](#2730447)
| The bridge MAC address is updated during a port change on bridge interfaces. | 4.3.0, 4.4.0-4.4.5 | 4.3.1, 5.0.0-5.16.1| -| [2728119](#2728119)
| When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-4.4.5 | 5.0.0-5.16.1| -| [2723603](#2723603)
| In a static VXLAN configuration, the bridge-learning on setting does not turn on VXLAN-learning. | 4.4.0-4.4.1 | 4.4.2-4.4.5| +| [2728119, 2729309](#2728119, 2729309)
| When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-4.4.5 | 5.0.0-5.16.1| +| [2723603, 2751705](#2723603, 2751705)
| In a static VXLAN configuration, the bridge-learning on setting does not turn on VXLAN-learning. | 4.4.0-4.4.1 | 4.4.2-4.4.5| | [2719356](#2719356)
| If you reduce the reserved VLAN range in the /etc/cumulus/switchd.conf file to below 32 and you make multiple VLAN or bridge configuration changes, the VLANs might not be created in hardware and you might see the log message hal_mlx_l2.c:3045 ERR vlan create failed
The minimum supported size of the reserved VLAN range in the /etc/cumulus/switchd.conf file is 32 VLANs for single VLAN-aware bridge configurations. | 4.4.0-4.4.1 | 4.4.2-4.4.5| -| [2713888](#2713888)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| +| [2713888, 2834357](#2713888, 2834357)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| | [2711533](#2711533)
| On the AS7326-56X switch, the link lights for 25G ports configured to work at 1G do not illuminate. | 4.2.1-4.4.5 | | | [2710208](#2710208)
| The net show bgp neighbor command output does not reflect the correct BFD status. This is a cosmetic issue. To work around this issue, run the NCLU net show bfd command to verify the correct state of BFD. | 4.2.1-4.4.5 | | | [2706744](#2706744)
| In an EVPN multihoming configuration, the VTEP continues to advertise a stale route after an extended MAC mobility event. | 4.3.0-4.4.1 | 4.4.2-4.4.5| @@ -1365,7 +1365,7 @@ pdfhidden: True | [2639303](#2639303)
| When you use NCLU to delete a bond, then add an interface, NCLU reports an error similar to the following:
ERROR: 'NoneType' object has no attribute 'conf_key_value_multiple_values'See /var/log/netd.log for more details.
| 4.3.0-4.4.5 | | | [2621244](#2621244)
| When a VRF name includes evpn, the NCLU net show bgp vrf command fails with the error ERROR: The call to /usr/bin/vtysh failed. To work around this issue, do not use evpn in the VRF name or run the desired commands directly from FRR with vtysh. | 4.3.0-4.4.5 | | | [2618227](#2618227)
| The NCLU net show bridge macs command displays permanent MAC addresses for trunked VLANs. | 4.3.0-4.4.5 | | -| [2606326](#2606326)
| If the IGMP and MLD querier is configured on only one of the peer switches in an MLAG configuration, when IGMP packets are sent to the peer with no querier, IGMP leave messages have no effect. | 4.4.0-4.4.5 | | +| [2606326, 2583925](#2606326, 2583925)
| If the IGMP and MLD querier is configured on only one of the peer switches in an MLAG configuration, when IGMP packets are sent to the peer with no querier, IGMP leave messages have no effect. | 4.4.0-4.4.5 | | | [2599274](#2599274)
| On Mellanox Spectrum switches, when there is an MSTP forwarding state change on a bonds (for example, when the state changes from blocking to forwarding), the MSTP hardware table might set some VLANs to blocking when they should be forwarding. A a result, all packets on these VLANs drop at ingress
To recover from this state, flap the bond interface (not the physical swp) by running ifdown ; sleep 1 ; ifup . | 4.3.0-4.4.5 | 5.0.0-5.16.1| | [2596458](#2596458)
| When bridge.unreg_v6_mcast_prune = TRUE is configured in the /etc/cumulus/switchd.conf file, traffic destined to IPv6 link-local multicast addresses might not be flooded within the bridge
To work around this issue, disable pruning for IPv6 multicast by setting bridge.unreg_v6_mcast_prune = FALSE in the /etc/cumulus/switchd.conf file. | 4.4.0-4.4.5 | | | [2574368](#2574368)
| When you run the NCLU net add bgp maximum-paths ibgp command, FRR restarts unexpectedly
To work around this issue, either use the vtysh commands or edit the /etc/frr/frr.conf file directly, then run systemctl reload frr. | 4.1.1-4.4.5 | | @@ -1373,7 +1373,7 @@ pdfhidden: True | [2556369](#2556369)
| If you use NCLU to configure an ACL for eth0, you can't designate it as an INPUT rule; the rule is automatically created as a FORWARD rule in the /etc/cumulus/acl/policy.d/50_nclu_acl.rules file.
To work around this issue, manually create an ACL in the /etc/cumulus/acl/policy.d/ file with "-A INPUT -i eth0". | 4.2.1-4.4.5 | | | [2556082](#2556082)
| The NCLU net del vrf command does not delete a numbered VRF. For example:

cumulus@leaf01:~$ net del vrf 55
ERROR: Command not found
| 4.2.1-4.4.5 | | | [2556081](#2556081)
| You cannot set the time zone can with NCLU commands. | 4.1.1-4.4.5 | | -| [2555981](#2555981)
| In BGP, to enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.16.1| +| [2555981, 2584227, 2780834](#2555981, 2584227, 2780834)
| In BGP, to enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | 5.0.0-5.16.1| | [2555873](#2555873)
| On Mellanox switches, egress ACLs with VLAN keys do not filter layer 2 multicast or broadcast traffic. | 4.3.0-4.4.5 | | | [2555763](#2555763)
| The NCLU net del bgp neighbor command does not delete the neighbor and displays an error similar to the following:

ERROR: --- /run/nclu/frr/frr.conf.scratchpad.baseline   2021-01-04 17:23:59.250463331 +0000
+++ /run/nclu/frr/frr.conf.scratchpad    2021-01-04 17:25:59.213673980 +0000

To work around this issue, use the FRR command to delete a neighbor. | 4.3.0-4.4.5 | | | [2555613](#2555613)
| The net show configuration commands command incorrectly displays the NCLU syntax to disable IPv6 forwarding on interfaces. For example:

# net show configuration commands
net add vlan 1 ip6-forward off

The correct NCLU command to disable IPv6 forwarding is net add vlan 1 ipv6 forward off (without the hyphen). | 4.2.1-4.4.5 | | @@ -1386,13 +1386,13 @@ pdfhidden: True | [2554582](#2554582)
| On switches with the Maverick ASIC, control traffic is dropped due to receive buffering. | 4.2.0-4.4.5 | | | [2554533](#2554533)
| On the ARM platform, NTP peer associations slowly increase to larger offsets (~500ms). | 4.0.0-4.4.5 | | | [2554466](#2554466)
| Kernel routes added by iproute2 are missing in FRR after an interface flap.
To work around this issue, configure a static route in FRR.
| 4.2.1-4.4.5 | | -| [2554222](#2554222)
| The NCLU command to enable bridge learning fails.
As a work around, enable bridge learning in the /etc/network/interface file. For example:

auto vni-30
iface vni-30
    vxlan-id 30
    bridge-access 30
    bridge-arp-nd-suppress on
    bridge-learning on
    vxlan-local-tunnelip 10.10.10.1
    mstpctl-bpduguard yes
    mstpctl-portbpdufilter yes
    mtu 9166
| 4.2.1-4.4.5 | | +| [2554222, 2614073](#2554222, 2614073)
| The NCLU command to enable bridge learning fails.
As a work around, enable bridge learning in the /etc/network/interface file. For example:

auto vni-30
iface vni-30
    vxlan-id 30
    bridge-access 30
    bridge-arp-nd-suppress on
    bridge-learning on
    vxlan-local-tunnelip 10.10.10.1
    mstpctl-bpduguard yes
    mstpctl-portbpdufilter yes
    mtu 9166
| 4.2.1-4.4.5 | | | [2554218](#2554218)
| MLAG packets received on the peer link are dropped instead of routed. | 4.2.0-4.4.5 | | -| [2554202](#2554202)
| The output of the net show commit command does not show the last commit or the specified commit number but is empty instead. | 4.2.1-4.4.5 | | +| [2554202, 2544880](#2554202, 2544880)
| The output of the net show commit command does not show the last commit or the specified commit number but is empty instead. | 4.2.1-4.4.5 | | | [2553989](#2553989)
| Default policer configured for LACP as an INPUT chain rule in 00control_plane.rules is meant to protect CPU from an LACP storm. When LACP storm is originating out of a single bond or bond member interface in a switch with multiple bond interfaces, there is a possibility of other LACP bond interface(s) going down. | 4.2.1-4.4.5 | | | [2553887](#2553887)
| When using TACACS+ configured with a DEFAULT user providing privilege level lower than 16, TACACS+ configured users with privilege level 16 access might not be able to run privilege level 16 NCLU commands, such as net add and net del and see an error similar to the following:

ERROR: You do not have permission to execute that command.

To work around this issue, remove the DEFAULT user from the TACACS+ server. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2553677](#2553677)
| When you configure an SNMPv3 user with the net-snmp-config configuration command from the libsnmp-dev package, you get an error message similar to the one below:

cumulus@switch:mgmt-vrf:~$ sudo net-snmp-config --create-snmpv3-user -a shaauthpass -x aesprivpass -A SHA -X AES userSHAwithAES
adding the following line to /var/lib/snmp/snmpd.conf:           
   createUser userSHAwithAES SHA "shaauthpass" AES "aesprivpass"       
adding the following line to /snmp/snmpd.conf:                           
   rwuser userSHAwithAES                                           
touch: cannot touch ‘/snmp/snmpd.conf’: No such file or directory
/usr/bin/net-snmp-create-v3-user: 144: /usr/bin/net-snmp-create-v3-user: cannot create /snmp/snmpd.conf: Directory nonexistent

To work around this issue, use the NCLU command to configure SNMPv3 user parameters; for example:

cumulus@switch:mgmt-vrf:~$ net add snmp-server username user999 auth-md5 user999password encrypt-des user999encryption

Alternatively, directly edit the /etc/snmp/snmpd.conf file as described in the documentation. | 3.7.13-3.7.16, 4.0.0-4.4.5 | | -| [2553237](#2553237)
| The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF.
NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF.

| 4.2.0-4.4.5 | | +| [2553237, 2552950](#2553237, 2552950)
| The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF.
NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF.

| 4.2.0-4.4.5 | | | [2553116](#2553116)
| When you manually set the link speed or duplex mode with ethtool to an unsupported value, then run a TDR check against the interface, you encounter a switchd service heartbeat failure.
To work around this issue, reboot the switch to clear the condition. Avoid setting the interface speed or duplex mode directly with ethtool. | 3.7.12-3.7.16, 4.0.0-4.4.5 | | | [2553015](#2553015)
| If a neighbour contains a special character in PortID for LLDP, the net show interface command does not display the LLDP information or the command might fail. | 3.7.10-3.7.16, 4.2.0-4.4.5 | | | [2552691](#2552691)
| On the EdgeCore AS4610 switch, the eth0 interface remains down when physically connected to a 1G interface.
To work around this issue, configure the link speed to 1000 and set auto-negotiation on for the eth0 interface, then flap eth0 with the ip link set eth0 down/up command to bring up the port. | 4.2.0-4.4.5 | | @@ -1430,15 +1430,15 @@ pdfhidden: True | [2548044](#2548044)
| When a remote VTEP withdraws a type-3 EVPN route, Cumulus Linux purges all MAC address and neighbor entries installed in the corresponding layer 2 VNI through that remote VTEP from the local EVPN and kernel forwarding tables. This purge occurs even if the remote VTEP does not withdraw type-2 routes carrying the MAC address or neighbor entries. The entries stay missing from the local EVPN and kernel forwarding tables until BGP updates the MAC address and neighbor. | 3.7.12-3.7.15, 4.0.0-4.4.5 | 3.7.16| | [2547890](#2547890)
| QinQ across VXLAN on a traditional bridge does not work. | 4.1.0-4.4.5 | | | [2547782](#2547782)
| If a LLDP neighbor advertises a PortDescr that contains commas, ptmctl -d splits the string on the commas and misplaces its components in other columns. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2547706](#2547706)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2547706, 2544456, 2549513](#2547706, 2544456, 2549513)
| When you configure ganged ports in the ports.conf file, the change does not take effect after you restart switchd.
To work around this issue, reboot the switch. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2547405](#2547405)
| When you restart the hsflowd service, you see a systemd warning message similar to the following:

Warning: The unit file, source configuration file or drop-ins of hsflowd@mgmt.service changed on disk. Run 'systemctl daemon-reload'.
| 4.0.0-4.4.5 | | | [2547120](#2547120)
| After you hot swap a PSU, the decode-syseeprom -t psuX command shows the old PSU information (such as the serial number), until you run the decode-syseeprom --init command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546991](#2546991)
| The FRR service does not provide a way for automation to know if the configuration applied properly.
To work around this issue, execute the vtysh -f command in the automation file before starting the FRR service to validate the functional configuration and return an error code. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546895](#2546895)
| If you have configured a higher number of ports and VLANs (ports x VLANs) or the switch is a lower-powered (CPU) platform, the switchd service might fail to send a systemd keepalive within the watchdog timeout value (2 minutes by default) and you see an error similar to the following:
bq. systemd[1]: switchd.service watchdog timeout (limit 2min)!
To workaround this issue, either reduce the number of configured interfaces and, or VLANs, or increase the systemd timeout for switchd.service
To increase the systemd timeout:1.Edit the /etc/systemd/system/switchd.service.d/override.conf file and increase the WatchdogSec parameter
2.Restart the switchd service with the sudo systemctl restart switchd.service command
systemd attempts to restart the switchd service automatically (after the watchdog timeout). If the restart fails multiple times in a short time period, run the sudo systemctl reset-failed command followed by the sudo systemctl restart switchd command. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2546874](#2546874)
| On the Dell S5232F, S5248F, S5296F, and S3048 switch, using the poweroff or halt commands does not fully power off the switch. | 4.0.0-4.4.5 | | | [2546255](#2546255)
| On the EdgeCore Minipack-AS8000 switch, a 100G DAC link does not come up when auto-negotiation is enabled on the neighbor. This switch does not support 100G DAC auto-negotiation at this time. | 4.0.0-4.4.5 | | -| [2546225](#2546225)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | -| [2546131](#2546131)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546225, 2541038](#2546225, 2541038)
| When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in /var/lib/cumulus/installer, which causes issues with cl-support. 
 
 sudo onie-install -fai http:// 
 sudo reboot

To work around this issue, use the onie-select command to access ONIE, and then use the nos-install command in ONIE to install a new binary image. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | +| [2546131, 2542979](#2546131, 2542979)
| On the Delta AG-6248C PoE switch, when you run the apt upgrade command, the upgrade does not work. Cumulus Linux uses uboot directly instead of grub to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the apt upgrade command to upgrade Linux packages, uboot is unable to boot up the kernel.
To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the onie-select command to go into ONIE, and then use the nos-install command in ONIE to install a new image.
This workaround only works when an out-of-band network is present. | 3.7.11-3.7.16, 4.0.0-4.4.5 | | | [2545837](#2545837)
| If you use the NCLU commands to configure NTP and run the net add time ntp source command before you run the net add time ntp server iburst command, the /etc/ntp.conf file is misconfigured.
To work around this issue, run the net add time ntp server iburst command before you run the net add time ntp source command. | 3.7.10-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2545520](#2545520)
| The length of the netlink message is not set properly for non-bridge family type messages. The same length is used for both bridge and non-bridge even though the bridge family type message has an extra attribute. This causes extra bytes to be left over in non-bridge family type netlink messages. | 3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2545233](#2545233)
| On the Delta AG9032v1 switch, smonctl and sensors report inaccurate PSU current and power. | 4.0.0-4.4.5 | | @@ -1447,22 +1447,22 @@ pdfhidden: True | [2544968](#2544968)
| FRR configuration commands for an SVI interface might have the \n misplaced in the output. For example:

sudo sh -c "printf 'interface 50\nvrf TEST description L3 routing interface\n' >> /etc/frr/frr.conf"

should be:

sudo sh -c "printf 'interface 50 vrf TEST\ndescription L3 routing interface\n' >> /etc/frr/frr.conf"

To work around this issue, configure the interface manually in the /etc/frr/frr.conf file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544957](#2544957)
| NCLU incorrectly allows you to apply port security configuration on layer 2 and layer 3 ports that are not part of a bridge. | 4.0.0-4.4.5 | | | [2544953](#2544953)
| When you update the hostname of a switch with the NCLU net add hostname command, then run net commit, the lldpd service does not restart and other devices still see the old hostname.
To work around this issue, run the sudo systemctl restart lldpd.service command. | 3.7.10-3.7.16, 4.0.0-4.4.5 | | -| [2544880](#2544880)
| When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. | 4.0.0-4.4.5 | | +| [2544880, 2544616, 2554202](#2544880, 2544616, 2554202)
| When you run the NCLU net show commit last or net show commit command, where is the last commit, no output is shown. | 4.0.0-4.4.5 | | | [2544723](#2544723)
| Setting ProtoDown on ports populated with SFP modules providing RJ-45 1000BASE-T interfaces does not cause the carrier to be dropped. The kernel shows carrier down; however, the remote device still shows a link. | 3.7.6-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2544463](#2544463)
| Auto-negotiation does not work with the QSFP28 cables and a remote system operating at 10G. Attempting to enable auto-negotiation with ethtool -s swp<#> autoneg on returns Operation not supported.
To work around this issue, do not use auto-negotiation and set the local port speed to 10G. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | -| [2544456](#2544456)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | +| [2544456, 2546166, 2546167, 2547706, 2549513](#2544456, 2546166, 2546167, 2547706, 2549513)
| The NCLU net show lldp command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2544311](#2544311)
| Applying a policy-based routing (PBR) rule for all traffic from a host might disrupt ARP refresh for that connected host. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544155](#2544155)
| NCLU requires you to specify an interface with multiple address-virtual statements in ascending MAC address order.

| 3.7.5-3.7.16, 4.0.0-4.4.5 | | | [2544113](#2544113)
| Mac learning is not disabled by default on a double tagged peer link interface resulting in the MAC address changing between the MLAG bond and the peer link.
To work around this issue, disable MAC learning on QinQ VLANs by adding bridge-learning off to the VLAN stanza in the etc/network/interfaces file. | 3.7.9-3.7.16, 4.0.0-4.4.5 | | | [2543937](#2543937)
| An interface alias configured outside FRR using iproute2 is imported into the FRR running configuration and overrides the internal description. After an FRR reload, this causes FRR to delete the interface alias in an inefficient way. Depending on how many interfaces with aliases you have configured, this can cause a FRR reload to time out.
To work around this issue, remove the interface alias description from iproute2. | 3.7.8-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543915](#2543915)
| When you enable a service in the management VRF, systemctl issues a warning similar to the following:
Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run 'systemctl daemon-reload' to reload unit
You can safely ignore this warning. | 4.0.0-5.9.5 | 5.10.0-5.16.1| | [2543900](#2543900)
| On the Mellanox switch, static VXLAN tunnels incorrectly allow traffic from any remote tunnel IP address. | 3.7.8-3.7.16, 4.0.0-4.4.5 | | -| [2543841](#2543841)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | +| [2543841, 2544947](#2543841, 2544947)
| The net show evpn vni detail json command includes an extra empty dictionary at the end of the output.
| 3.7.8-3.7.16, 4.0.0-4.4.5 | | | [2543816](#2543816)
| On the Dell S5248F-ON switch, smond might generate syslog messages indicating that the fan input RPM is lower than the normal low speed of 2500 RPM. Speeds as low as 1700 RPM are acceptable in normal thermal environments; therefore, you can ignore these messages.
| 3.7.6-3.7.11, 4.0.0-4.4.5 | 3.7.12-3.7.16| | [2543781](#2543781)
| NCLU does not allow you to configure OSPF NSSAs. For example: 

cumulus@switch:~$ net add ospf area 0.0.0.1 nssa 
ERROR: Command not found. 
net add ospf area 0.0.0.1 nssa

To work around this issue, use FRR instead. For example: 

switch# configure terminal 
switch(config)# router ospf 
switch(config-router)# area 0.0.0.1 nssa
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543724](#2543724)
| If a hostname contains utf-8 characters, the NCLU net show lldp command outputs the following error: 

ERROR: 'ascii' codec can't encode character u'\xe9' in position 3: ordinal not in range(128) 
See /var/log/netd.log for more details.
| 3.7.7-3.7.10, 4.0.0-4.4.5 | 3.7.11-3.7.16| | [2543646](#2543646)
| In an ebtables rule, ERSPAN (upper case) does not work. You need to specify erspan (lower case). | 3.7.6-3.7.16, 4.0.0-4.4.5 | | -| [2543401](#2543401)
| On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. | 4.0.0-4.4.5 | | +| [2543401, 2543014](#2543401, 2543014)
| On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to admin up until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces.
To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. | 4.0.0-4.4.5 | | | [2543211](#2543211)
| In some cases, the switchd service might warn of excessive MAC moves from one switch port to itself (for example, from swp18 to swp18).
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2543164](#2543164)
| The MTU of an SVI cannot be higher than the MTU on the bridge. Changing the MTU on the SVI with NCLU does not update the bridge MTU. The net commit command succeeds even though the MTU is not changed as expected.
To work around this issue, change the MTU on all SVIs and the bridge manually in the /etc/network/interfaces file, then apply the change with the ifreload -a command. | 3.7.7-3.7.16, 4.0.0-4.4.5 | | | [2543096](#2543096)
| When an SVI with a virtual MAC is configured with a layer 2 VNI in an EVPN environment, if you replace the /etc/network/interfaces file with a different file that does not have the SVI and layer 2 VNI configuration, the original virtual MAC is not populated through the EVPN route until FRR is restarted.
| 3.7.6-3.7.16, 4.0.0-4.4.5 | | @@ -1477,7 +1477,7 @@ pdfhidden: True | [2540352](#2540352)
| When you use NCLU to configure a route map, the parser allows for glob matching of interfaces for a _match interface_ condition when there can only be a single interface matched. The proper syntax is to use multiple route map clauses, each matching a single interface, instead of a single clause matching multiple interfaces.
For example, this command is incorrect: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9-10

These commands are correct: 
 
net add routing route-map Proxy-ARP permit 25 match interface swp9 
net add routing route-map Proxy-ARP permit 30 match interface swp10

| 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2540340](#2540340)
| NCLU allows for the configuration of addresses on VRF interfaces, but tab completion for the net add vrf command just displays . For example: 
 
 cumulus@switch:~$ net add vrf mgmt

Tab completion for the net add vrf ip address
command works correctly. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540274](#2540274)
| On the Maverick switch, CPU forwarded packets might be dropped when there is no route to a leaked host route. | 3.7.5-3.7.16, 4.0.0-4.4.5 | | -| [2540204](#2540204)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | +| [2540204, 2713883](#2540204, 2713883)
| When links come up after FRR is started, VRF connected routes do not get redistributed. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540192](#2540192)
| The net del bridge bridge mcsnoop yes command does not return the value to the default of disabled.
To work around this issue, use the net add bridge bridge mcsnoop no command to delete the mcsnoop attribute and return to the default value. | 3.7.4-3.7.16, 4.0.0-4.4.5 | | | [2540155](#2540155)
| On the Broadcom switch, when moving configuration from bridged to routed (or toggling from routed to bridged to routed), some traffic is not seen by the kernel. This can cause BGP to not establish on a transit node.
| 3.7.3-3.7.16, 4.0.0-4.4.5 | | | [2540042](#2540042)
| When you try to configure the VRRP priority and advertisement-interval with NCLU on a traditional mode bridge, the net commit command fails.
To work around this issue, use the vtysh command (inside FRR) to change the VRRP priority or advertisement-interval on traditional bridges. For example: 
 
cumulus@switch:~$ sudo vtysh 
switch# configure terminal 
switch(config)# interface br0.100 
switch(config-if)# vrrp 1 priority 110 
switch(config-if)# vrrp 1 advertisement-interval 
switch(config-if)# end 
switch# write memory 
switch# exit 
cumulus@switch:~

| 3.7.4-3.7.16, 4.0.0-4.4.5 | | @@ -1493,7 +1493,7 @@ pdfhidden: True | [2538562](#2538562)
| On an RMP/1G-T switch, when you remove link-speed 100 with the NCLU command or by editing the etc/network/interfaces file to revert the 100M interface to the default (1G auto), the interface fails to recover and does not come back up.
After you remove the link-speed, ethtool shows the advertised link modes as not reported and Speed/Duplex as unknown.
To work around this issue and bring the interface back up, either restart switchd or use ethtool to configure the speed, advertised, duplex or MDI-X settings.
Note: The advertised link mode gets set incorrectly if you include 1000baseT/Half. The port will come up successfully at 1G. | 3.7.2-3.7.16, 4.0.0-4.4.5 | | | [2538294](#2538294)
| If you use NCLU to create an iBGP peering across the peer link, running the net add bgp l2vpn evpn neighbor peerlink.4094 activate command creates a new eBGP neighborship when one has already been configured for iBGP. This is unexpected; the existing iBGP configuration is valid. | 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2537699](#2537699)
| There is a limitation on the number of SVI interfaces you can specify as DHCP relay interfaces in the /etc/default/isc-dhcp-relay file. For example, 1500 SVI interfaces causes the dhcrelay service to exit without a core file and logs similar to the following are generated for the interfaces: 
 
2018-11-10T23:35:30.992370-08:00 Dev dhcrelay: Listening on LPF/vlan.101/a0:00:00:00:00:51 
2018-11-10T23:35:30.993472-08:00 Dev dhcrelay: Sending on LPF/vlan.101/a0:00:00:00:00:51

Eventually the dhcrelay service stops.
| 3.7.1-3.7.16, 4.0.0-4.4.5 | | -| [2537544](#2537544)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | +| [2537544, 2537365](#2537544, 2537365)
| When you run the mstpctl command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of mstpctl; for example, SNMP output from the BRIDGE-MIB. | 3.7.1-3.7.16, 4.0.0-4.4.5 | | | [2536576](#2536576)
| If you try to bring down several members of a bond remotely at the same time, the link state of one of the interfaces might not transition correctly to the down state; however, all links show down in hardware.
| 4.0.0-4.4.5 | | | [2536384](#2536384)
| The BFD packet redirection logic used by OVSDB server high availability mode redirects BUM packets across the peer link. The iptables rule for redirection does differentiate between BFD and non-BFD VXLAN inner packets because the service node sends all frames with its own IP address as the tunnel source IP address. The VXLAN encapsulated BUM packets do not get forwarded to the CPU and do not go through the iptable redirection rule; only VXLAN encapsulated BFD packets get forwarded to the CPU due to the inner MAC DA lookup in hardware.
| 3.7.0-3.7.16, 4.0.0-4.4.5 | | | [2536256](#2536256)
| For an unresolved address, the IPROUTER default policer rule has been modified to _not_ match on packets exiting a TUNNEL and headed to the CPU to resolve the address via ARP. As a result, the following default rule no longer matches TUNNEL ingress packets. 
 
A $INGRESS_CHAIN --in-interface $INGRESS_INTF -m addrtype --dst-type 
IPROUTER -j POLICE --set-mode pkt --set-rate 400 --set-burst 100

These packets are now policed by catch all rules.
To work around this issue, the VPORT value on a TRIDENT switch must be changed from binary 011 to 100.
| 4.0.0-4.4.5 | | @@ -1516,15 +1516,15 @@ pdfhidden: True | [2828927](#2828927)
| An unexpected software system shutdown might occur due to a thermal zones issue in the hw-management package. You see the following message in the /var/log/syslog file before the shutdown:
thermal thermal_zoneX: critical temperature reached (33 C), shutting down
| 4.3.0-4.3.4 | | | [2734173](#2734173)
| The Mellanox 100G transceiver MMA1L30-CM is not recognized on the SN4600 switch even though the link is up. The ethtool output shows the error Cannot get Module EEPROM data: Invalid argument. | | | | [2691506](#2691506)
| In a VRRP configuration, BGP unnumbered sessions for VRFs fail to establish after a networking restart. | 4.3.0 | | -| [2690017](#2690017)
| When you remove a bond member, then re-add it, you might see a Parameter Error failure in {syslog and switchd.log:
sx_sdk: LAG: Can't add port (0x00012400) to lag. Port has vports configured for it (Parameter Error)
switchd[4529]: hal_mlx_bond.c:582 ERR bond32 member swp32 add failed: Parameter Error
To work around this issue, restart switchd. | 4.3.0-4.3.4 | | +| [2690017, 3431625](#2690017, 3431625)
| When you remove a bond member, then re-add it, you might see a Parameter Error failure in {syslog and switchd.log:
sx_sdk: LAG: Can't add port (0x00012400) to lag. Port has vports configured for it (Parameter Error)
switchd[4529]: hal_mlx_bond.c:582 ERR bond32 member swp32 add failed: Parameter Error
To work around this issue, restart switchd. | 4.3.0-4.3.4 | | | [2684418](#2684418)
| If you configure items in a VRF that has been created, deleted, then re-created, staticd crashes. | 4.3.0 | | | [2682780](#2682780)
| Adding a route map configuration after a MAC access list configuration line causes the route map configuration to be applied incorrectly
To work around this issue, add the MAC access list configuration to the end of the /etc/frr/frr.conf file. | 4.2.0-4.3.4 | | -| [2679936](#2679936)
| After an event that causes the peer link bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a "peer-ip-mismatch." This behavior is seen in a clagd-peer-ip linklocal configuration. | 4.3.0 | | +| [2679936, 2684428](#2679936, 2684428)
| After an event that causes the peer link bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a "peer-ip-mismatch." This behavior is seen in a clagd-peer-ip linklocal configuration. | 4.3.0 | | | [2669873](#2669873)
| In an EVPN multihoming configuration, ARP/ND traffic coming in one switch is being sent back out the originating bond on the other switches in the ES on remote PE switches. Normally Split Horizon filtering prevents this kind of traffic at the remote PE. | 4.3.0-4.3.4 | | | [2669073](#2669073)
| On Spectrum, Spectrum-2, and Spectrum-3 switches, the l1-show command shows the wrong data when the MST service is stopped
To work around this issue, start the MST service with the sudo mst start command. | 4.3.0-4.3.4 | | | [2648658](#2648658)
| If you try to use more than one percent of max-ecmp-nexthops, you get an error indicating a failure. | 3.7.15-4.3.4 | | | [2648587](#2648587)
| The received PVST BPDU for a VLAN is flooded even though the ingress port doesn't have the VLAN tagged. | 3.7.8-3.7.14.2, 4.0.0-4.3.0 | | -| [2644072](#2644072)
| When you stop clagd on the MLAG primary switch (for example, when you reboot the switch), in rare conditions the MLAG secondary switch might fail to properly assert itself as the MLAG primary switch. To work around this issue, change the primary designation by configuring the clagd priorities to ensure that you only reboot a switch that is in the MLAG secondary role. | 3.7.15, 4.3.0 | | +| [2644072, 3348697](#2644072, 3348697)
| When you stop clagd on the MLAG primary switch (for example, when you reboot the switch), in rare conditions the MLAG secondary switch might fail to properly assert itself as the MLAG primary switch. To work around this issue, change the primary designation by configuring the clagd priorities to ensure that you only reboot a switch that is in the MLAG secondary role. | 3.7.15, 4.3.0 | | | [2643822](#2643822)
| On the Mellanox Spectrum-2 switches, after running the systemctl restart networking service command on the MLAG primary switch, the secondary switch also closes its ports.
To work around this issue, run the ifreload -a command to restart networking. | 4.2.1-4.3.0 | | | [2638106](#2638106)
| The NCLU net show route vrf summary and vtysh show ip route vrf summary commands don't return any output. | 4.3.0 | | | [2637554](#2637554)
| The cl-acltool takes a significant amount of time to run, which can slow down automation scripts. | 4.2.0-4.3.0 | | @@ -1532,8 +1532,8 @@ pdfhidden: True | [2628693](#2628693)
| After an apt upgrade, the OPTIONS configuration line in /etc/default/isc-dhcp-relay might be removed. To work around this issue, reconfigure the desired options in the file after the upgrade completes. | 3.7.12-3.7.15, 4.2.1-4.3.0 | | | [2628588](#2628588)
| After rebooting a switch with PFC configurations, non-PFC enabled ports might not send or receive traffic correctly. | | | | [2614016](#2614016)
| The switch firmware incorrectly identifies Lenovo LR4 transceivers (part number 00YD278) and does not set the laser levels properly, which can prevent the link from coming up or might cause the transceiver to be identified as a 1G module. | 4.2.0-4.3.4 | | -| [2582639](#2582639)
| On NVIDIA Spectrum switches, BUM traffic might be dropped during VXLAN decapsulation in an EVPN multihoming environment after multiple PIM uplink interfaces flap. | 4.3.0-4.3.4 | | -| [2578845](#2578845)
| The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages. | 3.7.11-3.7.14, 4.1.1-4.3.0 | | +| [2582639, 2644181](#2582639, 2644181)
| On NVIDIA Spectrum switches, BUM traffic might be dropped during VXLAN decapsulation in an EVPN multihoming environment after multiple PIM uplink interfaces flap. | 4.3.0-4.3.4 | | +| [2578845, 2553637](#2578845, 2553637)
| The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with Unable to read from device/fan1_input/pwm1 syslog messages. | 3.7.11-3.7.14, 4.1.1-4.3.0 | | | [2577499](#2577499)
| QSFP+ 40G optics do not work on Spectrum platforms. | 4.3.0-4.3.4 | | | [2556814](#2556814)
| When ARP suppression is enabled, RARP packets sometimes get dropped and are not flooded by the local VTEP.
To work around this issue, disable ARP suppression. | 3.7.14-3.7.14.2, 4.3.0 | | | [2556762](#2556762)
| In a configuration with both traditional and VLAN-aware bridges, the VLAN membership check on a VLAN-aware bridge does not drop PVST BPBUs that come from a traditional bridge. | 3.7.14-3.7.14.2, 4.0.0-4.3.0 | | diff --git a/content/cumulus-linux-44/rn.xml b/content/cumulus-linux-44/rn.xml index 07a26ce3e5..01877ddddf 100644 --- a/content/cumulus-linux-44/rn.xml +++ b/content/cumulus-linux-44/rn.xml @@ -25,7 +25,7 @@ 5.9.2-5.16.1, 5.10.0-5.16.1 -3895042 +3895042, 3895041 After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes: snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a This issue occurs because {{poectl}} is called on non-PoE switches. To work around this issue, remove or comment out the {{poetcl}} call from the {{/etc/snmpd.conf}} file, then restart the {{snmpd}} process with the {{sudo systemctl snmpd restart}} command. @@ -68,7 +68,7 @@ cumulus@switch:~$ sudo apt upgrade 5.6.0-5.16.1 -3474391 +3474391, 3479772 The SNMP MIB definition file {{/usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt}} does not define the INDEX of the {{bgpPeerEntry}} correctly. This issue does not impact SNMP functionality for this MIB. 4.3.1-5.5.1 5.6.0-5.16.1 @@ -103,13 +103,13 @@ ERR cannot allocate vlan for sub-interface 5.5.0-5.16.1 -3390022 +3390022, 3323138 When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the {{peerlink.4095}} interface stanza are duplicated. Subsequent {{ifreloads}}, or {{net commit}} commands fail until you manually remove the duplicated lines from this interface and run {{ifreload -a}}. 4.2.1-4.4.5 -3389994 +3389994, 3323143 During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbor entries cannot synchronize between MLAG nodes. During this transitory upgrade state, neighbor entry resolution relies on data plane traffic being forwarded to the CPU so ARP can resolve the necessary neighbor entry before traffic can go through the fastpath. 4.4.0-5.4.0 4.3.2, 5.5.0-5.16.1 @@ -184,7 +184,7 @@ ERR cannot allocate vlan for sub-interface -3291548 +3291548, 2434628 In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart {{switchd}}. 4.2.1-4.4.5 5.0.0-5.16.1 @@ -318,7 +318,7 @@ Packet size is larger than router interface MTU – Validate the router interfac 4.3.2, 5.3.0-5.16.1 -3168564 +3168564, 3198302 In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), {{switchd}} might crash when you restart {{clagd}} or when all bonds go operationally down, then up. On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. 4.3.1-4.4.5 @@ -331,7 +331,7 @@ On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scal -3157240 +3157240, 3173622 When you try to query REDECN counters with the {{mlxcmd}} utility on a bond member port with the following commands, syslog reports an error. sudo /usr/lib/cumulus/mlxcmd roce counters --port <swp> @@ -449,26 +449,26 @@ end vrf -3059135 +3059135, 3060400 In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route. To resolve this issue, restart FRR with the {{sudo systemctl restart frr}} command. 4.3.0-5.1.0 5.2.0-5.16.1 -3046023 +3046023, 3096918 The {{cl-resource-query}} command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the {{switchd.log}} file contains ECMP resource errors with routes and next hops failing to install. 4.2.1-5.1.0 5.2.0-5.16.1 -3034435 +3034435, 3101184 In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community. 4.4.4-5.4.0 5.5.0-5.16.1 -3032234 +3032234, 3163643 In BGP unnumbered, when you try to remove an interface from the underlay default VRF with the NVUE {{nv unset vrf default router bgp neighbor <interface>}} command, the command fails to apply. 4.4.2-5.0.1 5.1.0-5.16.1 @@ -563,7 +563,7 @@ Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:2207 ERR ECMP: failed to find 5.1.0-5.16.1 -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -718,13 +718,13 @@ To work around this issue, do not disable EVPN Advertise Primary IP Address, whi 5.0.0-5.16.1 -2780915 +2780915, 2556028 In NVUE, you can't deactivate the IPv4 address family per neighbor. 4.4.0-4.4.5 5.0.0-5.16.1 -2780834 +2780834, 2555981 To enable an address family on a peer, you have to enable the address family globally. 4.4.0-4.4.5 5.0.0-5.16.1 @@ -772,13 +772,13 @@ To work around this issue, do not disable EVPN Advertise Primary IP Address, whi 5.0.0-5.16.1 -2747750 +2747750, 2782819 Links connected between a Spectrum 2 switch configured for warm boot and Spectrum 3 switches configured for cold boot might not come up when the switches are booted. 4.4.2-4.4.5 5.0.0-5.16.1 -2743186 +2743186, 2734100, 2731464, 3438708 When you use MD5 passwords and you configure a non-default VRF before the default VRF in the {{/etc/frr/frr.conf}} file, numbered BGP sessions do not establish. 3.7.15-5.1.0 5.2.0-5.16.1 @@ -796,13 +796,13 @@ To work around this issue, do not disable EVPN Advertise Primary IP Address, whi 4.3.1 -2738040 +2738040, 2738041 In an EVPN multihoming configuration, unicast ARP requests are not forwarded when the local Ethernet segment is down. 4.4.0-4.4.5 -2736244 +2736244, 2736249 When you run the vtysh command to enable BGP graceful restart on a peer multiple times, the command fails with the following error: % The Graceful Restart command used is not valid at this moment. 4.4.0-4.4.5 @@ -833,14 +833,14 @@ To work around this issue, do not disable EVPN Advertise Primary IP Address, whi 4.3.1, 5.0.0-5.16.1 -2728119 +2728119, 2729309 When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the {{sudo systemctl restart frr}} command. 4.3.0-4.4.5 5.0.0-5.16.1 -2713888 +2713888, 2834357 With the {{ip-acl-heavy}} TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly. hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources @@ -928,7 +928,7 @@ See /var/log/netd.log for more details. -2606326 +2606326, 2583925 If the IGMP and MLD querier is configured on only one of the peer switches in an MLAG configuration, when IGMP packets are sent to the peer with no querier, IGMP leave messages have no effect. 4.4.0-4.4.5 @@ -990,7 +990,7 @@ ERROR: Command not found -2555981 +2555981, 2584227, 2780834 In BGP, to enable an address family on a peer, you have to enable the address family globally. 4.4.0-4.4.5 5.0.0-5.16.1 @@ -1086,7 +1086,7 @@ To work around this issue, configure a static route in FRR. -2554222 +2554222, 2614073 The NCLU command to enable bridge learning fails. As a work around, enable bridge learning in the {{/etc/network/interface}} file. For example: @@ -1111,7 +1111,7 @@ iface vni-30 -2554202 +2554202, 2544880 The output of the {{net show commit}} command does not show the last commit or the specified commit number but is empty instead. 4.2.1-4.4.5 @@ -1153,7 +1153,7 @@ Alternatively, directly edit the {{/etc/snmp/snmpd.conf}} file as described in t -2553237 +2553237, 2552950 The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF. NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF. @@ -1435,7 +1435,7 @@ These errors are result of user space acting on kernel events a bit slow. The m -2547706 +2547706, 2544456, 2549513 When you configure ganged ports in the {{ports.conf}} file, the change does not take effect after you restart {{switchd}}. To work around this issue, reboot the switch. 3.7.11-3.7.16, 4.0.0-4.4.5 @@ -1491,7 +1491,7 @@ To increase the {{systemd}} timeout: -2546225 +2546225, 2541038 When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in {{/var/lib/cumulus/installer}}, which causes issues with cl-support. sudo onie-install -fai http://<path to image> @@ -1502,7 +1502,7 @@ To increase the {{systemd}} timeout: -2546131 +2546131, 2542979 On the Delta AG-6248C PoE switch, when you run the {{apt upgrade}} command, the upgrade does not work. Cumulus Linux uses {{uboot}} directly instead of {{grub}} to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the {{apt upgrade}} command to upgrade Linux packages, {{uboot}} is unable to boot up the kernel. To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the {{onie-select}} command to go into ONIE, and then use the {{nos-install}} command in ONIE to install a new image. This workaround only works when an out-of-band network is present. @@ -1568,7 +1568,7 @@ To work around this issue, run the {{sudo systemctl restart lldpd.service}} comm -2544880 +2544880, 2544616, 2554202 When you run the NCLU {{net show commit last}} or {{net show commit <number>}} command, where {{<number>}} is the last commit, no output is shown. 4.0.0-4.4.5 @@ -1587,7 +1587,7 @@ To work around this issue, do not use auto-negotiation and set the local port sp -2544456 +2544456, 2546166, 2546167, 2547706, 2549513 The NCLU {{net show lldp}} command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. 3.7.9-3.7.16, 4.0.0-4.4.5 @@ -1637,7 +1637,7 @@ You can safely ignore this warning. -2543841 +2543841, 2544947 The {{net show evpn vni detail json}} command includes an extra empty dictionary at the end of the output. 3.7.8-3.7.16, 4.0.0-4.4.5 @@ -1684,7 +1684,7 @@ See /var/log/netd.log for more details. -2543401 +2543401, 2543014 On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to {{admin up}} until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces. To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. 4.0.0-4.4.5 @@ -1807,7 +1807,7 @@ This issue only affects QinQ configurations. -2540204 +2540204, 2713883 When links come up after FRR is started, VRF connected routes do not get redistributed. 3.7.4-3.7.16, 4.0.0-4.4.5 @@ -1964,7 +1964,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537544 +2537544, 2537365 When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB. 3.7.1-3.7.16, 4.0.0-4.4.5 @@ -2114,7 +2114,7 @@ To work around this issue, change the value of {{arp_ignore}} to 2. See [Address 5.9.2-5.16.1, 5.10.0-5.16.1 -3895042 +3895042, 3895041 After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes: snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a This issue occurs because {{poectl}} is called on non-PoE switches. To work around this issue, remove or comment out the {{poetcl}} call from the {{/etc/snmpd.conf}} file, then restart the {{snmpd}} process with the {{sudo systemctl snmpd restart}} command. @@ -2157,7 +2157,7 @@ cumulus@switch:~$ sudo apt upgrade 5.6.0-5.16.1 -3474391 +3474391, 3479772 The SNMP MIB definition file {{/usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt}} does not define the INDEX of the {{bgpPeerEntry}} correctly. This issue does not impact SNMP functionality for this MIB. 4.3.1-5.5.1 5.6.0-5.16.1 @@ -2192,13 +2192,13 @@ ERR cannot allocate vlan for sub-interface 5.5.0-5.16.1 -3390022 +3390022, 3323138 When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the {{peerlink.4095}} interface stanza are duplicated. Subsequent {{ifreloads}}, or {{net commit}} commands fail until you manually remove the duplicated lines from this interface and run {{ifreload -a}}. 4.2.1-4.4.5 -3389994 +3389994, 3323143 During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbor entries cannot synchronize between MLAG nodes. During this transitory upgrade state, neighbor entry resolution relies on data plane traffic being forwarded to the CPU so ARP can resolve the necessary neighbor entry before traffic can go through the fastpath. 4.4.0-5.4.0 4.3.2, 5.5.0-5.16.1 @@ -2273,7 +2273,7 @@ ERR cannot allocate vlan for sub-interface -3291548 +3291548, 2434628 In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart {{switchd}}. 4.2.1-4.4.5 5.0.0-5.16.1 @@ -2407,7 +2407,7 @@ Packet size is larger than router interface MTU – Validate the router interfac 4.3.2, 5.3.0-5.16.1 -3168564 +3168564, 3198302 In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), {{switchd}} might crash when you restart {{clagd}} or when all bonds go operationally down, then up. On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. 4.3.1-4.4.5 @@ -2420,7 +2420,7 @@ On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scal -3157240 +3157240, 3173622 When you try to query REDECN counters with the {{mlxcmd}} utility on a bond member port with the following commands, syslog reports an error. sudo /usr/lib/cumulus/mlxcmd roce counters --port <swp> @@ -2538,26 +2538,26 @@ end vrf -3059135 +3059135, 3060400 In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route. To resolve this issue, restart FRR with the {{sudo systemctl restart frr}} command. 4.3.0-5.1.0 5.2.0-5.16.1 -3046023 +3046023, 3096918 The {{cl-resource-query}} command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the {{switchd.log}} file contains ECMP resource errors with routes and next hops failing to install. 4.2.1-5.1.0 5.2.0-5.16.1 -3034435 +3034435, 3101184 In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community. 4.4.4-5.4.0 5.5.0-5.16.1 -3032234 +3032234, 3163643 In BGP unnumbered, when you try to remove an interface from the underlay default VRF with the NVUE {{nv unset vrf default router bgp neighbor <interface>}} command, the command fails to apply. 4.4.2-5.0.1 5.1.0-5.16.1 @@ -2652,7 +2652,7 @@ Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:2207 ERR ECMP: failed to find 5.1.0-5.16.1 -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -2807,13 +2807,13 @@ To work around this issue, do not disable EVPN Advertise Primary IP Address, whi 5.0.0-5.16.1 -2780915 +2780915, 2556028 In NVUE, you can't deactivate the IPv4 address family per neighbor. 4.4.0-4.4.5 5.0.0-5.16.1 -2780834 +2780834, 2555981 To enable an address family on a peer, you have to enable the address family globally. 4.4.0-4.4.5 5.0.0-5.16.1 @@ -2861,13 +2861,13 @@ To work around this issue, do not disable EVPN Advertise Primary IP Address, whi 5.0.0-5.16.1 -2747750 +2747750, 2782819 Links connected between a Spectrum 2 switch configured for warm boot and Spectrum 3 switches configured for cold boot might not come up when the switches are booted. 4.4.2-4.4.5 5.0.0-5.16.1 -2743186 +2743186, 2734100, 2731464, 3438708 When you use MD5 passwords and you configure a non-default VRF before the default VRF in the {{/etc/frr/frr.conf}} file, numbered BGP sessions do not establish. 3.7.15-5.1.0 5.2.0-5.16.1 @@ -2885,13 +2885,13 @@ To work around this issue, do not disable EVPN Advertise Primary IP Address, whi 4.3.1 -2738040 +2738040, 2738041 In an EVPN multihoming configuration, unicast ARP requests are not forwarded when the local Ethernet segment is down. 4.4.0-4.4.5 -2736244 +2736244, 2736249 When you run the vtysh command to enable BGP graceful restart on a peer multiple times, the command fails with the following error: % The Graceful Restart command used is not valid at this moment. 4.4.0-4.4.5 @@ -2922,14 +2922,14 @@ To work around this issue, do not disable EVPN Advertise Primary IP Address, whi 4.3.1, 5.0.0-5.16.1 -2728119 +2728119, 2729309 When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the {{sudo systemctl restart frr}} command. 4.3.0-4.4.5 5.0.0-5.16.1 -2713888 +2713888, 2834357 With the {{ip-acl-heavy}} TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly. hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources @@ -3017,7 +3017,7 @@ See /var/log/netd.log for more details. -2606326 +2606326, 2583925 If the IGMP and MLD querier is configured on only one of the peer switches in an MLAG configuration, when IGMP packets are sent to the peer with no querier, IGMP leave messages have no effect. 4.4.0-4.4.5 @@ -3079,7 +3079,7 @@ ERROR: Command not found -2555981 +2555981, 2584227, 2780834 In BGP, to enable an address family on a peer, you have to enable the address family globally. 4.4.0-4.4.5 5.0.0-5.16.1 @@ -3175,7 +3175,7 @@ To work around this issue, configure a static route in FRR. -2554222 +2554222, 2614073 The NCLU command to enable bridge learning fails. As a work around, enable bridge learning in the {{/etc/network/interface}} file. For example: @@ -3200,7 +3200,7 @@ iface vni-30 -2554202 +2554202, 2544880 The output of the {{net show commit}} command does not show the last commit or the specified commit number but is empty instead. 4.2.1-4.4.5 @@ -3242,7 +3242,7 @@ Alternatively, directly edit the {{/etc/snmp/snmpd.conf}} file as described in t -2553237 +2553237, 2552950 The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF. NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF. @@ -3524,7 +3524,7 @@ These errors are result of user space acting on kernel events a bit slow. The m -2547706 +2547706, 2544456, 2549513 When you configure ganged ports in the {{ports.conf}} file, the change does not take effect after you restart {{switchd}}. To work around this issue, reboot the switch. 3.7.11-3.7.16, 4.0.0-4.4.5 @@ -3580,7 +3580,7 @@ To increase the {{systemd}} timeout: -2546225 +2546225, 2541038 When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in {{/var/lib/cumulus/installer}}, which causes issues with cl-support. sudo onie-install -fai http://<path to image> @@ -3591,7 +3591,7 @@ To increase the {{systemd}} timeout: -2546131 +2546131, 2542979 On the Delta AG-6248C PoE switch, when you run the {{apt upgrade}} command, the upgrade does not work. Cumulus Linux uses {{uboot}} directly instead of {{grub}} to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the {{apt upgrade}} command to upgrade Linux packages, {{uboot}} is unable to boot up the kernel. To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the {{onie-select}} command to go into ONIE, and then use the {{nos-install}} command in ONIE to install a new image. This workaround only works when an out-of-band network is present. @@ -3657,7 +3657,7 @@ To work around this issue, run the {{sudo systemctl restart lldpd.service}} comm -2544880 +2544880, 2544616, 2554202 When you run the NCLU {{net show commit last}} or {{net show commit <number>}} command, where {{<number>}} is the last commit, no output is shown. 4.0.0-4.4.5 @@ -3676,7 +3676,7 @@ To work around this issue, do not use auto-negotiation and set the local port sp -2544456 +2544456, 2546166, 2546167, 2547706, 2549513 The NCLU {{net show lldp}} command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. 3.7.9-3.7.16, 4.0.0-4.4.5 @@ -3726,7 +3726,7 @@ You can safely ignore this warning. -2543841 +2543841, 2544947 The {{net show evpn vni detail json}} command includes an extra empty dictionary at the end of the output. 3.7.8-3.7.16, 4.0.0-4.4.5 @@ -3773,7 +3773,7 @@ See /var/log/netd.log for more details. -2543401 +2543401, 2543014 On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to {{admin up}} until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces. To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. 4.0.0-4.4.5 @@ -3896,7 +3896,7 @@ This issue only affects QinQ configurations. -2540204 +2540204, 2713883 When links come up after FRR is started, VRF connected routes do not get redistributed. 3.7.4-3.7.16, 4.0.0-4.4.5 @@ -4053,7 +4053,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537544 +2537544, 2537365 When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB. 3.7.1-3.7.16, 4.0.0-4.4.5 @@ -4187,7 +4187,7 @@ To work around this issue, change the value of {{arp_ignore}} to 2. See [Address 4.4.0-4.4.3 -3091381 +3091381, 2804508 Restarting {{switchd}} might fail due to an ACL SPAN module initialization failure. 4.4.2-4.4.3 @@ -4197,7 +4197,7 @@ To work around this issue, change the value of {{arp_ignore}} to 2. See [Address 4.2.1-4.4.3 -3089148 +3089148, 3334028 The {{clagd}} process uses 100 percent CPU and eventually crashes with an {{Unable to allocate memory}} error. This issue impacts customers with these conditions: CL 5.1.0, CLAG, NTP, and a switch that has been powered off for some time (i.e. the clock may have drifted) prior to initial boot. @@ -4271,7 +4271,7 @@ warning: vni10: possible mis-configuration detected: l2-vni configured with brid 4.4.2-4.4.3, 5.0.0-5.0.1 -3021879 +3021879, 2545364, 3297583 In some corner cases, remote MAC entries may be seen as locally learnt entries in FDB table due to switchd reprogramming it 3.7.12-3.7.14.2 @@ -4340,7 +4340,7 @@ resq_pp: EXCEPTION=invalid literal for int() with base 10: 'v4-lpm-heavy' 5.9.2-5.16.1, 5.10.0-5.16.1 -3895042 +3895042, 3895041 After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes: snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a This issue occurs because {{poectl}} is called on non-PoE switches. To work around this issue, remove or comment out the {{poetcl}} call from the {{/etc/snmpd.conf}} file, then restart the {{snmpd}} process with the {{sudo systemctl snmpd restart}} command. @@ -4383,7 +4383,7 @@ cumulus@switch:~$ sudo apt upgrade 5.6.0-5.16.1 -3474391 +3474391, 3479772 The SNMP MIB definition file {{/usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt}} does not define the INDEX of the {{bgpPeerEntry}} correctly. This issue does not impact SNMP functionality for this MIB. 4.3.1-5.5.1 5.6.0-5.16.1 @@ -4418,13 +4418,13 @@ ERR cannot allocate vlan for sub-interface 5.5.0-5.16.1 -3390022 +3390022, 3323138 When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the {{peerlink.4095}} interface stanza are duplicated. Subsequent {{ifreloads}}, or {{net commit}} commands fail until you manually remove the duplicated lines from this interface and run {{ifreload -a}}. 4.2.1-4.4.5 -3389994 +3389994, 3323143 During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbor entries cannot synchronize between MLAG nodes. During this transitory upgrade state, neighbor entry resolution relies on data plane traffic being forwarded to the CPU so ARP can resolve the necessary neighbor entry before traffic can go through the fastpath. 4.4.0-5.4.0 4.3.2, 5.5.0-5.16.1 @@ -4499,7 +4499,7 @@ ERR cannot allocate vlan for sub-interface -3291548 +3291548, 2434628 In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart {{switchd}}. 4.2.1-4.4.5 5.0.0-5.16.1 @@ -4615,7 +4615,7 @@ Packet size is larger than router interface MTU – Validate the router interfac 4.3.2, 5.3.0-5.16.1 -3168564 +3168564, 3198302 In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), {{switchd}} might crash when you restart {{clagd}} or when all bonds go operationally down, then up. On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. 4.3.1-4.4.5 @@ -4687,7 +4687,7 @@ end vrf -3091381 +3091381, 2804508 Restarting {{switchd}} might fail due to an ACL SPAN module initialization failure. 4.4.2-4.4.5 5.0.0-5.16.1 @@ -4769,14 +4769,14 @@ To work around this issue, disable, then enable the port. 5.2.0-5.16.1 -3059135 +3059135, 3060400 In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route. To resolve this issue, restart FRR with the {{sudo systemctl restart frr}} command. 4.3.0-5.1.0 5.2.0-5.16.1 -3046023 +3046023, 3096918 The {{cl-resource-query}} command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the {{switchd.log}} file contains ECMP resource errors with routes and next hops failing to install. 4.2.1-5.1.0 5.2.0-5.16.1 @@ -4788,7 +4788,7 @@ To resolve this issue, restart FRR with the {{sudo systemctl restart frr}} comma 3.7.16, 4.3.1, 5.1.0-5.16.1 -3032234 +3032234, 3163643 In BGP unnumbered, when you try to remove an interface from the underlay default VRF with the NVUE {{nv unset vrf default router bgp neighbor <interface>}} command, the command fails to apply. 4.4.2-5.0.1 5.1.0-5.16.1 @@ -4937,7 +4937,7 @@ Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:2207 ERR ECMP: failed to find 5.1.0-5.16.1 -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -5092,13 +5092,13 @@ To work around this issue, do not disable EVPN Advertise Primary IP Address, whi 5.0.0-5.16.1 -2780915 +2780915, 2556028 In NVUE, you can't deactivate the IPv4 address family per neighbor. 4.4.0-4.4.5 5.0.0-5.16.1 -2780834 +2780834, 2555981 To enable an address family on a peer, you have to enable the address family globally. 4.4.0-4.4.5 5.0.0-5.16.1 @@ -5146,13 +5146,13 @@ To work around this issue, do not disable EVPN Advertise Primary IP Address, whi 5.0.0-5.16.1 -2747750 +2747750, 2782819 Links connected between a Spectrum 2 switch configured for warm boot and Spectrum 3 switches configured for cold boot might not come up when the switches are booted. 4.4.2-4.4.5 5.0.0-5.16.1 -2743186 +2743186, 2734100, 2731464, 3438708 When you use MD5 passwords and you configure a non-default VRF before the default VRF in the {{/etc/frr/frr.conf}} file, numbered BGP sessions do not establish. 3.7.15-5.1.0 5.2.0-5.16.1 @@ -5170,13 +5170,13 @@ To work around this issue, do not disable EVPN Advertise Primary IP Address, whi 4.3.1 -2738040 +2738040, 2738041 In an EVPN multihoming configuration, unicast ARP requests are not forwarded when the local Ethernet segment is down. 4.4.0-4.4.5 -2736244 +2736244, 2736249 When you run the vtysh command to enable BGP graceful restart on a peer multiple times, the command fails with the following error: % The Graceful Restart command used is not valid at this moment. 4.4.0-4.4.5 @@ -5207,14 +5207,14 @@ To work around this issue, do not disable EVPN Advertise Primary IP Address, whi 4.3.1, 5.0.0-5.16.1 -2728119 +2728119, 2729309 When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the {{sudo systemctl restart frr}} command. 4.3.0-4.4.5 5.0.0-5.16.1 -2713888 +2713888, 2834357 With the {{ip-acl-heavy}} TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly. hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources @@ -5302,7 +5302,7 @@ See /var/log/netd.log for more details. -2606326 +2606326, 2583925 If the IGMP and MLD querier is configured on only one of the peer switches in an MLAG configuration, when IGMP packets are sent to the peer with no querier, IGMP leave messages have no effect. 4.4.0-4.4.5 @@ -5364,7 +5364,7 @@ ERROR: Command not found -2555981 +2555981, 2584227, 2780834 In BGP, to enable an address family on a peer, you have to enable the address family globally. 4.4.0-4.4.5 5.0.0-5.16.1 @@ -5460,7 +5460,7 @@ To work around this issue, configure a static route in FRR. -2554222 +2554222, 2614073 The NCLU command to enable bridge learning fails. As a work around, enable bridge learning in the {{/etc/network/interface}} file. For example: @@ -5485,7 +5485,7 @@ iface vni-30 -2554202 +2554202, 2544880 The output of the {{net show commit}} command does not show the last commit or the specified commit number but is empty instead. 4.2.1-4.4.5 @@ -5527,7 +5527,7 @@ Alternatively, directly edit the {{/etc/snmp/snmpd.conf}} file as described in t -2553237 +2553237, 2552950 The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF. NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF. @@ -5809,7 +5809,7 @@ These errors are result of user space acting on kernel events a bit slow. The m -2547706 +2547706, 2544456, 2549513 When you configure ganged ports in the {{ports.conf}} file, the change does not take effect after you restart {{switchd}}. To work around this issue, reboot the switch. 3.7.11-3.7.16, 4.0.0-4.4.5 @@ -5865,7 +5865,7 @@ To increase the {{systemd}} timeout: -2546225 +2546225, 2541038 When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in {{/var/lib/cumulus/installer}}, which causes issues with cl-support. sudo onie-install -fai http://<path to image> @@ -5876,7 +5876,7 @@ To increase the {{systemd}} timeout: -2546131 +2546131, 2542979 On the Delta AG-6248C PoE switch, when you run the {{apt upgrade}} command, the upgrade does not work. Cumulus Linux uses {{uboot}} directly instead of {{grub}} to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the {{apt upgrade}} command to upgrade Linux packages, {{uboot}} is unable to boot up the kernel. To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the {{onie-select}} command to go into ONIE, and then use the {{nos-install}} command in ONIE to install a new image. This workaround only works when an out-of-band network is present. @@ -5942,7 +5942,7 @@ To work around this issue, run the {{sudo systemctl restart lldpd.service}} comm -2544880 +2544880, 2544616, 2554202 When you run the NCLU {{net show commit last}} or {{net show commit <number>}} command, where {{<number>}} is the last commit, no output is shown. 4.0.0-4.4.5 @@ -5961,7 +5961,7 @@ To work around this issue, do not use auto-negotiation and set the local port sp -2544456 +2544456, 2546166, 2546167, 2547706, 2549513 The NCLU {{net show lldp}} command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. 3.7.9-3.7.16, 4.0.0-4.4.5 @@ -6011,7 +6011,7 @@ You can safely ignore this warning. -2543841 +2543841, 2544947 The {{net show evpn vni detail json}} command includes an extra empty dictionary at the end of the output. 3.7.8-3.7.16, 4.0.0-4.4.5 @@ -6058,7 +6058,7 @@ See /var/log/netd.log for more details. -2543401 +2543401, 2543014 On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to {{admin up}} until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces. To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. 4.0.0-4.4.5 @@ -6181,7 +6181,7 @@ This issue only affects QinQ configurations. -2540204 +2540204, 2713883 When links come up after FRR is started, VRF connected routes do not get redistributed. 3.7.4-3.7.16, 4.0.0-4.4.5 @@ -6338,7 +6338,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537544 +2537544, 2537365 When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB. 3.7.1-3.7.16, 4.0.0-4.4.5 @@ -6505,7 +6505,7 @@ To work around this issue, change the value of {{arp_ignore}} to 2. See [Address 5.9.2-5.16.1, 5.10.0-5.16.1 -3895042 +3895042, 3895041 After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes: snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a This issue occurs because {{poectl}} is called on non-PoE switches. To work around this issue, remove or comment out the {{poetcl}} call from the {{/etc/snmpd.conf}} file, then restart the {{snmpd}} process with the {{sudo systemctl snmpd restart}} command. @@ -6548,7 +6548,7 @@ cumulus@switch:~$ sudo apt upgrade 5.6.0-5.16.1 -3474391 +3474391, 3479772 The SNMP MIB definition file {{/usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt}} does not define the INDEX of the {{bgpPeerEntry}} correctly. This issue does not impact SNMP functionality for this MIB. 4.3.1-5.5.1 5.6.0-5.16.1 @@ -6583,13 +6583,13 @@ ERR cannot allocate vlan for sub-interface 5.5.0-5.16.1 -3390022 +3390022, 3323138 When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the {{peerlink.4095}} interface stanza are duplicated. Subsequent {{ifreloads}}, or {{net commit}} commands fail until you manually remove the duplicated lines from this interface and run {{ifreload -a}}. 4.2.1-4.4.5 -3389994 +3389994, 3323143 During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbor entries cannot synchronize between MLAG nodes. During this transitory upgrade state, neighbor entry resolution relies on data plane traffic being forwarded to the CPU so ARP can resolve the necessary neighbor entry before traffic can go through the fastpath. 4.4.0-5.4.0 4.3.2, 5.5.0-5.16.1 @@ -6664,7 +6664,7 @@ ERR cannot allocate vlan for sub-interface -3291548 +3291548, 2434628 In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart {{switchd}}. 4.2.1-4.4.5 5.0.0-5.16.1 @@ -6749,7 +6749,7 @@ Packet size is larger than router interface MTU – Validate the router interfac 4.3.2, 5.3.0-5.16.1 -3168564 +3168564, 3198302 In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), {{switchd}} might crash when you restart {{clagd}} or when all bonds go operationally down, then up. On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. 4.3.1-4.4.5 @@ -6810,7 +6810,7 @@ On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scal -3091381 +3091381, 2804508 Restarting {{switchd}} might fail due to an ACL SPAN module initialization failure. 4.4.2-4.4.5 5.0.0-5.16.1 @@ -6886,14 +6886,14 @@ To work around this issue, disable, then enable the port. 5.2.0-5.16.1 -3059135 +3059135, 3060400 In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route. To resolve this issue, restart FRR with the {{sudo systemctl restart frr}} command. 4.3.0-5.1.0 5.2.0-5.16.1 -3046023 +3046023, 3096918 The {{cl-resource-query}} command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the {{switchd.log}} file contains ECMP resource errors with routes and next hops failing to install. 4.2.1-5.1.0 5.2.0-5.16.1 @@ -6905,7 +6905,7 @@ To resolve this issue, restart FRR with the {{sudo systemctl restart frr}} comma 3.7.16, 4.3.1, 5.1.0-5.16.1 -3032234 +3032234, 3163643 In BGP unnumbered, when you try to remove an interface from the underlay default VRF with the NVUE {{nv unset vrf default router bgp neighbor <interface>}} command, the command fails to apply. 4.4.2-5.0.1 5.1.0-5.16.1 @@ -7056,7 +7056,7 @@ Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:2207 ERR ECMP: failed to find 5.1.0-5.16.1 -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -7211,13 +7211,13 @@ To work around this issue, do not disable EVPN Advertise Primary IP Address, whi 5.0.0-5.16.1 -2780915 +2780915, 2556028 In NVUE, you can't deactivate the IPv4 address family per neighbor. 4.4.0-4.4.5 5.0.0-5.16.1 -2780834 +2780834, 2555981 To enable an address family on a peer, you have to enable the address family globally. 4.4.0-4.4.5 5.0.0-5.16.1 @@ -7265,13 +7265,13 @@ To work around this issue, do not disable EVPN Advertise Primary IP Address, whi 5.0.0-5.16.1 -2747750 +2747750, 2782819 Links connected between a Spectrum 2 switch configured for warm boot and Spectrum 3 switches configured for cold boot might not come up when the switches are booted. 4.4.2-4.4.5 5.0.0-5.16.1 -2743186 +2743186, 2734100, 2731464, 3438708 When you use MD5 passwords and you configure a non-default VRF before the default VRF in the {{/etc/frr/frr.conf}} file, numbered BGP sessions do not establish. 3.7.15-5.1.0 5.2.0-5.16.1 @@ -7289,13 +7289,13 @@ To work around this issue, do not disable EVPN Advertise Primary IP Address, whi 4.3.1 -2738040 +2738040, 2738041 In an EVPN multihoming configuration, unicast ARP requests are not forwarded when the local Ethernet segment is down. 4.4.0-4.4.5 -2736244 +2736244, 2736249 When you run the vtysh command to enable BGP graceful restart on a peer multiple times, the command fails with the following error: % The Graceful Restart command used is not valid at this moment. 4.4.0-4.4.5 @@ -7326,14 +7326,14 @@ To work around this issue, do not disable EVPN Advertise Primary IP Address, whi 4.3.1, 5.0.0-5.16.1 -2728119 +2728119, 2729309 When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the {{sudo systemctl restart frr}} command. 4.3.0-4.4.5 5.0.0-5.16.1 -2713888 +2713888, 2834357 With the {{ip-acl-heavy}} TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly. hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources @@ -7421,7 +7421,7 @@ See /var/log/netd.log for more details. -2606326 +2606326, 2583925 If the IGMP and MLD querier is configured on only one of the peer switches in an MLAG configuration, when IGMP packets are sent to the peer with no querier, IGMP leave messages have no effect. 4.4.0-4.4.5 @@ -7483,7 +7483,7 @@ ERROR: Command not found -2555981 +2555981, 2584227, 2780834 In BGP, to enable an address family on a peer, you have to enable the address family globally. 4.4.0-4.4.5 5.0.0-5.16.1 @@ -7579,7 +7579,7 @@ To work around this issue, configure a static route in FRR. -2554222 +2554222, 2614073 The NCLU command to enable bridge learning fails. As a work around, enable bridge learning in the {{/etc/network/interface}} file. For example: @@ -7604,7 +7604,7 @@ iface vni-30 -2554202 +2554202, 2544880 The output of the {{net show commit}} command does not show the last commit or the specified commit number but is empty instead. 4.2.1-4.4.5 @@ -7646,7 +7646,7 @@ Alternatively, directly edit the {{/etc/snmp/snmpd.conf}} file as described in t -2553237 +2553237, 2552950 The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF. NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF. @@ -7928,7 +7928,7 @@ These errors are result of user space acting on kernel events a bit slow. The m -2547706 +2547706, 2544456, 2549513 When you configure ganged ports in the {{ports.conf}} file, the change does not take effect after you restart {{switchd}}. To work around this issue, reboot the switch. 3.7.11-3.7.16, 4.0.0-4.4.5 @@ -7984,7 +7984,7 @@ To increase the {{systemd}} timeout: -2546225 +2546225, 2541038 When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in {{/var/lib/cumulus/installer}}, which causes issues with cl-support. sudo onie-install -fai http://<path to image> @@ -7995,7 +7995,7 @@ To increase the {{systemd}} timeout: -2546131 +2546131, 2542979 On the Delta AG-6248C PoE switch, when you run the {{apt upgrade}} command, the upgrade does not work. Cumulus Linux uses {{uboot}} directly instead of {{grub}} to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the {{apt upgrade}} command to upgrade Linux packages, {{uboot}} is unable to boot up the kernel. To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the {{onie-select}} command to go into ONIE, and then use the {{nos-install}} command in ONIE to install a new image. This workaround only works when an out-of-band network is present. @@ -8061,7 +8061,7 @@ To work around this issue, run the {{sudo systemctl restart lldpd.service}} comm -2544880 +2544880, 2544616, 2554202 When you run the NCLU {{net show commit last}} or {{net show commit <number>}} command, where {{<number>}} is the last commit, no output is shown. 4.0.0-4.4.5 @@ -8080,7 +8080,7 @@ To work around this issue, do not use auto-negotiation and set the local port sp -2544456 +2544456, 2546166, 2546167, 2547706, 2549513 The NCLU {{net show lldp}} command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. 3.7.9-3.7.16, 4.0.0-4.4.5 @@ -8130,7 +8130,7 @@ You can safely ignore this warning. -2543841 +2543841, 2544947 The {{net show evpn vni detail json}} command includes an extra empty dictionary at the end of the output. 3.7.8-3.7.16, 4.0.0-4.4.5 @@ -8177,7 +8177,7 @@ See /var/log/netd.log for more details. -2543401 +2543401, 2543014 On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to {{admin up}} until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces. To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. 4.0.0-4.4.5 @@ -8300,7 +8300,7 @@ This issue only affects QinQ configurations. -2540204 +2540204, 2713883 When links come up after FRR is started, VRF connected routes do not get redistributed. 3.7.4-3.7.16, 4.0.0-4.4.5 @@ -8457,7 +8457,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537544 +2537544, 2537365 When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB. 3.7.1-3.7.16, 4.0.0-4.4.5 @@ -8596,7 +8596,7 @@ To work around this issue, change the value of {{arp_ignore}} to 2. See [Address 4.4.0-4.4.1 -2854785 +2854785, 2826122 When you configure 199 VXLANs plus 199 VLANs, {{clagd}} crashes every few seconds. 3.7.15, 4.3.0, 4.4.0-4.4.1 @@ -8635,7 +8635,7 @@ VNI: 9204 4.4.0-4.4.1 -2802207 +2802207, 2804044 The SDK process sx_core prints the messages shown below and the switch stops forwarding traffic. kernel: sx_core: Did not receive completion for SDQ dqn (1) idx (849) after 10 seconds @@ -8676,7 +8676,7 @@ This affects failed neighbor entries on routed interfaces that are not SVIs.3.7.12-4.3.0 -2723603 +2723603, 2751705 In a static VXLAN configuration, the {{bridge-learning on}} setting does not turn on {{VXLAN-learning}}. 4.4.0-4.4.1 @@ -8712,7 +8712,7 @@ The minimum supported size of the reserved VLAN range in the {{/etc/cumulus/swit 5.9.2-5.16.1, 5.10.0-5.16.1 -3895042 +3895042, 3895041 After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes: snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a This issue occurs because {{poectl}} is called on non-PoE switches. To work around this issue, remove or comment out the {{poetcl}} call from the {{/etc/snmpd.conf}} file, then restart the {{snmpd}} process with the {{sudo systemctl snmpd restart}} command. @@ -8755,7 +8755,7 @@ cumulus@switch:~$ sudo apt upgrade 5.6.0-5.16.1 -3474391 +3474391, 3479772 The SNMP MIB definition file {{/usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt}} does not define the INDEX of the {{bgpPeerEntry}} correctly. This issue does not impact SNMP functionality for this MIB. 4.3.1-5.5.1 5.6.0-5.16.1 @@ -8780,13 +8780,13 @@ The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 -3390022 +3390022, 3323138 When you restore the switch configuration after upgrading from Cumulus Linux 4.2.x to 4.4.5 and later with ONIE, the configuration lines under the {{peerlink.4095}} interface stanza are duplicated. Subsequent {{ifreloads}}, or {{net commit}} commands fail until you manually remove the duplicated lines from this interface and run {{ifreload -a}}. 4.2.1-4.4.5 -3389994 +3389994, 3323143 During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbor entries cannot synchronize between MLAG nodes. During this transitory upgrade state, neighbor entry resolution relies on data plane traffic being forwarded to the CPU so ARP can resolve the necessary neighbor entry before traffic can go through the fastpath. 4.4.0-5.4.0 4.3.2, 5.5.0-5.16.1 @@ -8840,7 +8840,7 @@ The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 -3291548 +3291548, 2434628 In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart {{switchd}}. 4.2.1-4.4.5 5.0.0-5.16.1 @@ -8910,7 +8910,7 @@ To work around this issue, change the TCAM profile to {{acl-heavy}} or {{ip-acl- 4.3.2, 5.3.0-5.16.1 -3168564 +3168564, 3198302 In a large scale VXLAN configuration (for example if you have more than 8500 VLANs across ports), {{switchd}} might crash when you restart {{clagd}} or when all bonds go operationally down, then up. On Trident3 switches running Cumulus Linux 4.3.1, NVIDIA validates the VLAN scale limit for VXLAN deployments with 8500 VLANs across ports with LACP bypass disabled. 4.3.1-4.4.5 @@ -9020,14 +9020,14 @@ To work around this issue, disable, then enable the port. -3059135 +3059135, 3060400 In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route. To resolve this issue, restart FRR with the {{sudo systemctl restart frr}} command. 4.3.0-5.1.0 5.2.0-5.16.1 -3046023 +3046023, 3096918 The {{cl-resource-query}} command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the {{switchd.log}} file contains ECMP resource errors with routes and next hops failing to install. 4.2.1-5.1.0 5.2.0-5.16.1 @@ -9141,7 +9141,7 @@ Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:2207 ERR ECMP: failed to find 5.1.0-5.16.1 -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -9192,7 +9192,7 @@ To work around this issue, run the vtysh {{clear ip mroute}} command. 4.3.1, 5.1.0-5.16.1 -2854785 +2854785, 2826122 When you configure 199 VXLANs plus 199 VLANs, {{clagd}} crashes every few seconds. 3.7.15, 4.3.0, 4.4.0-4.4.5 3.7.16, 4.3.1, 5.0.0-5.16.1 @@ -9288,7 +9288,7 @@ To work around this issue, run the {{sudo systemctl restart snmpd.service}} comm 5.0.0-5.16.1 -2802207 +2802207, 2804044 The SDK process sx_core prints the messages shown below and the switch stops forwarding traffic. kernel: sx_core: Did not receive completion for SDQ dqn (1) idx (849) after 10 seconds @@ -9353,13 +9353,13 @@ To work around this issue, do not disable EVPN Advertise Primary IP Address, whi 5.0.0-5.16.1 -2780915 +2780915, 2556028 In NVUE, you can't deactivate the IPv4 address family per neighbor. 4.4.0-4.4.5 5.0.0-5.16.1 -2780834 +2780834, 2555981 To enable an address family on a peer, you have to enable the address family globally. 4.4.0-4.4.5 5.0.0-5.16.1 @@ -9427,7 +9427,7 @@ This affects failed neighbor entries on routed interfaces that are not SVIs.4.4.2-4.4.5 -2743186 +2743186, 2734100, 2731464, 3438708 When you use MD5 passwords and you configure a non-default VRF before the default VRF in the {{/etc/frr/frr.conf}} file, numbered BGP sessions do not establish. 3.7.15-5.1.0 5.2.0-5.16.1 @@ -9451,13 +9451,13 @@ This affects failed neighbor entries on routed interfaces that are not SVIs.4.3.1 -2738040 +2738040, 2738041 In an EVPN multihoming configuration, unicast ARP requests are not forwarded when the local Ethernet segment is down. 4.4.0-4.4.5 -2736244 +2736244, 2736249 When you run the vtysh command to enable BGP graceful restart on a peer multiple times, the command fails with the following error: % The Graceful Restart command used is not valid at this moment. 4.4.0-4.4.5 @@ -9488,14 +9488,14 @@ This affects failed neighbor entries on routed interfaces that are not SVIs.4.3.1, 5.0.0-5.16.1 -2728119 +2728119, 2729309 When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the {{sudo systemctl restart frr}} command. 4.3.0-4.4.5 5.0.0-5.16.1 -2723603 +2723603, 2751705 In a static VXLAN configuration, the {{bridge-learning on}} setting does not turn on {{VXLAN-learning}}. 4.4.0-4.4.1 4.4.2-4.4.5 @@ -9508,7 +9508,7 @@ The minimum supported size of the reserved VLAN range in the {{/etc/cumulus/swit 4.4.2-4.4.5 -2713888 +2713888, 2834357 With the {{ip-acl-heavy}} TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly. hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources @@ -9602,7 +9602,7 @@ See /var/log/netd.log for more details. -2606326 +2606326, 2583925 If the IGMP and MLD querier is configured on only one of the peer switches in an MLAG configuration, when IGMP packets are sent to the peer with no querier, IGMP leave messages have no effect. 4.4.0-4.4.5 @@ -9664,7 +9664,7 @@ ERROR: Command not found -2555981 +2555981, 2584227, 2780834 In BGP, to enable an address family on a peer, you have to enable the address family globally. 4.4.0-4.4.5 5.0.0-5.16.1 @@ -9760,7 +9760,7 @@ To work around this issue, configure a static route in FRR. -2554222 +2554222, 2614073 The NCLU command to enable bridge learning fails. As a work around, enable bridge learning in the {{/etc/network/interface}} file. For example: @@ -9785,7 +9785,7 @@ iface vni-30 -2554202 +2554202, 2544880 The output of the {{net show commit}} command does not show the last commit or the specified commit number but is empty instead. 4.2.1-4.4.5 @@ -9827,7 +9827,7 @@ Alternatively, directly edit the {{/etc/snmp/snmpd.conf}} file as described in t -2553237 +2553237, 2552950 The default NTP configuration is to use eth0 as the NTP source interface. In Cumulus Linux 4.0 and later, eth0 is in the management VRF by default; therefore the NTP service runs automatically in the management VRF. NVIDIA does not recommend running NTP with a source interface other than eth0 as this can expose a security vulnerability. Changing the NTP source interface name with NCLU to a non-management VRF interface might result in NTP not functioning because the NTP service is still running in the management VRF. @@ -10109,7 +10109,7 @@ These errors are result of user space acting on kernel events a bit slow. The m -2547706 +2547706, 2544456, 2549513 When you configure ganged ports in the {{ports.conf}} file, the change does not take effect after you restart {{switchd}}. To work around this issue, reboot the switch. 3.7.11-3.7.16, 4.0.0-4.4.5 @@ -10165,7 +10165,7 @@ To increase the {{systemd}} timeout: -2546225 +2546225, 2541038 When you execute the following command on the Delta AG6248C switch, the switch reboots and then comes right back into Cumulus Linux without installing the new image. The install image is still in {{/var/lib/cumulus/installer}}, which causes issues with cl-support. sudo onie-install -fai http://<path to image> @@ -10176,7 +10176,7 @@ To increase the {{systemd}} timeout: -2546131 +2546131, 2542979 On the Delta AG-6248C PoE switch, when you run the {{apt upgrade}} command, the upgrade does not work. Cumulus Linux uses {{uboot}} directly instead of {{grub}} to boot the kernel. Uboot needs a special header to boot the kernel, which is not present. Without this header, when you use the {{apt upgrade}} command to upgrade Linux packages, {{uboot}} is unable to boot up the kernel. To work around this issue, upgrade Cumulus Linux by installing the Cumulus Linux image. Run the {{onie-select}} command to go into ONIE, and then use the {{nos-install}} command in ONIE to install a new image. This workaround only works when an out-of-band network is present. @@ -10242,7 +10242,7 @@ To work around this issue, run the {{sudo systemctl restart lldpd.service}} comm -2544880 +2544880, 2544616, 2554202 When you run the NCLU {{net show commit last}} or {{net show commit <number>}} command, where {{<number>}} is the last commit, no output is shown. 4.0.0-4.4.5 @@ -10261,7 +10261,7 @@ To work around this issue, do not use auto-negotiation and set the local port sp -2544456 +2544456, 2546166, 2546167, 2547706, 2549513 The NCLU {{net show lldp}} command displays the speed of a ganged port group as the speed of one of the individual links, rather than the sum of their speeds. 3.7.9-3.7.16, 4.0.0-4.4.5 @@ -10311,7 +10311,7 @@ You can safely ignore this warning. -2543841 +2543841, 2544947 The {{net show evpn vni detail json}} command includes an extra empty dictionary at the end of the output. 3.7.8-3.7.16, 4.0.0-4.4.5 @@ -10358,7 +10358,7 @@ See /var/log/netd.log for more details. -2543401 +2543401, 2543014 On the Mellanox Spectrum-2 switch, the time required to establish a link (from the time a link is set to {{admin up}} until the link becomes operationally up) can take up to 15 seconds on 40G interfaces and up to 30 seconds on 100G interfaces. To work around this issue, wait up to 15 seconds on 40G interfaces and 30 seconds on 100G interfaces for the link to establish. 4.0.0-4.4.5 @@ -10481,7 +10481,7 @@ This issue only affects QinQ configurations. -2540204 +2540204, 2713883 When links come up after FRR is started, VRF connected routes do not get redistributed. 3.7.4-3.7.16, 4.0.0-4.4.5 @@ -10638,7 +10638,7 @@ Note: The advertised link mode gets set incorrectly if you include 1000baseT/Hal -2537544 +2537544, 2537365 When you run the {{mstpctl}} command, you might see the bridge-port state as blocking when it is actually disabled. You might see the same incorrect bridge-port state when other programs or tools use the output of {{mstpctl}}; for example, SNMP output from the BRIDGE-MIB. 3.7.1-3.7.16, 4.0.0-4.4.5 @@ -10775,7 +10775,7 @@ thermal thermal_zoneX: critical temperature reached (33 C), shutting down 4.3.0 -2690017 +2690017, 3431625 When you remove a bond member, then re-add it, you might see a {{Parameter Error}} failure in {{{syslog}} and {{switchd.log}}: sx_sdk: LAG: Can't add port (0x00012400) to lag. Port has vports configured for it (Parameter Error). @@ -10796,7 +10796,7 @@ To work around this issue, add the MAC access list configuration to the end of t 4.2.0-4.3.4 -2679936 +2679936, 2684428 After an event that causes the peer link bond MAC address to change, such as a slave port state change, MLAG interfaces might be suspended due to a "peer-ip-mismatch." This behavior is seen in a {{clagd-peer-ip linklocal}} configuration. 4.3.0 @@ -10822,7 +10822,7 @@ To work around this issue, start the MST service with the {{sudo mst start}} com 3.7.8-3.7.14.2, 4.0.0-4.3.0 -2644072 +2644072, 3348697 When you stop {{clagd}} on the MLAG primary switch (for example, when you reboot the switch), in rare conditions the MLAG secondary switch might fail to properly assert itself as the MLAG primary switch. To work around this issue, change the primary designation by configuring the {{clagd}} priorities to ensure that you only reboot a switch that is in the MLAG secondary role. 3.7.15, 4.3.0 @@ -10863,12 +10863,12 @@ To work around this issue, run the {{ifreload -a}} command to restart networking 4.2.0-4.3.4 -2582639 +2582639, 2644181 On NVIDIA Spectrum switches, BUM traffic might be dropped during VXLAN decapsulation in an EVPN multihoming environment after multiple PIM uplink interfaces flap. 4.3.0-4.3.4 -2578845 +2578845, 2553637 The Mellanox SN2700 and SN2410 switch intermittently reports PSU fan state changes with {{Unable to read from device/fan1_input/pwm1}} syslog messages. 3.7.11-3.7.14, 4.1.1-4.3.0 diff --git a/content/cumulus-linux-50/Whats-New/rn.md b/content/cumulus-linux-50/Whats-New/rn.md index 7dd2567cba..f91a5f9f10 100644 --- a/content/cumulus-linux-50/Whats-New/rn.md +++ b/content/cumulus-linux-50/Whats-New/rn.md @@ -16,10 +16,10 @@ pdfhidden: True |--- |--- |--- |--- | | [4797691](#4797691)
| The message that the switch displays when you generate a cl-support file or as a post login banner contains an invalid Cumulus Support email address, which is no longer the formal channel for reporting support issues. | 5.0.0-5.9.4, 5.15.1 | 5.9.5, 5.16.0-5.16.1| | [4647646](#4647646)
| If you configure policy-based routing (PBR) rules for more than 32 interfaces, only the rules assigned to the first 32 interfaces are installed in the kernel. | 4.4.2-5.14.0 | 5.15.0-5.16.1| -| [4413450](#4413450)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.11.1, 5.13.0-5.13.1 | 5.11.2, 5.14.0-5.16.1| +| [4413450, 4497128](#4413450, 4497128)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.11.1, 5.13.0-5.13.1 | 5.11.2, 5.14.0-5.16.1| | [4004453](#4004453)
| The NVUE commands to delete SNMP users, and change authentication passwords and encryption passphrases are not successful. | 4.3.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3927016](#3927016)
| Following an EVPN extended mobility event, where a host with IP address A and MAC address A moves within the fabric and now resides at IP address A and MAC address B, you might see traffic destined to this host experience drops as the flow is software forwarded on the egress VTEP. | 5.0.1-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| -| [3895042](#3895042)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| +| [3895042, 3895041](#3895042, 3895041)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3773177](#3773177)
| When you try to upgrade a switch from Cumulus Linux before 5.6.0 with package upgrade, you might see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.
cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt install ./cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt update
cumulus@switch:~$ sudo apt upgrade
| 4.0.0-4.4.5, 5.0.0-5.16.1 | | | [3684998](#3684998)
| DHCP lease information is not collected in the cl-support file. | 4.3.0-5.6.0 | 5.7.0-5.16.1| | [3585467](#3585467)
| NVUE and ip link show traditional bridge VLAN subinterface counts incorrectly. The ingress (Rx) count increments correctly but the egress (Tx) count does not increment. This issues occurs because the hardware does not support transmit counters for a VLAN subinterface; therefore, no statistics from the hardware are updated. Statistics for software forwarded packets show correctly. | 5.0.0-5.6.0 | 5.7.0-5.16.1| @@ -27,13 +27,13 @@ pdfhidden: True | [3491259](#3491259)
| When BGP receives an EVPN type-5 route with a gateway IP overlay attribute, the gateway IP overlay attribute in the attr memory (which is already inserted in the attribute hash) might change. As a result, the modified attr memory might match with another attr in the attribute hash, which produces duplicate entries in the hash table. As a result, BGP might crash when deleting one of the duplicate attr structures. | 5.0.0-5.5.1 | 4.3.2-4.4.5, 5.6.0-5.16.1| | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0-5.16.1| | [3482006](#3482006)
| If FRR learns a layer 2 entry against a VNI and you reconfigure the VNI later as a layer 3 VNI, the original layer 2 entry does not clear and remains in the forwarding database. | 5.0.0-5.5.1 | 4.3.2-4.4.5, 5.6.0-5.16.1| -| [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.16.1| +| [3474391, 3479772](#3474391, 3479772)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.16.1| | [3445841](#3445841)
| FRR does not apply Type-0 ESI configuration for EVPN multihoming bonds consistently after an FRR service reload. This issue occurs because the system MAC address value (es-sys-mac) is only compatible with a 3-byte Ethernet segment ID (es-id) for Type-3 ESIs, but still renders even when the Ethernet segment ID is 10 bytes for Type-0 ESIs. To work around this issue, configure EVPN multihoming bonds with a Type-3 ESI (es-sys-mac plus a 3-byte es-id). | 5.0.0-5.6.0 | 5.7.0-5.16.1| | [3432897](#3432897)
| When you remove the restriction from a TACACS+ mapped user to remove per command authorization, the tacplus-restrict -R command does not restore ownership of restored files correctly. As a result, some commands might fail due to permission errors in the files or directories under the home directory. To work around this issue, run the sudo chown command to correct the ownership of the affected files and directories. | 5.0.0-5.4.0 | 5.5.0-5.16.1| | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.16.1| -| [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | +| [3424967, 3413785](#3424967, 3413785)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [3413785](#3413785)
| To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.5.1 | 5.6.0-5.16.1| +| [3413785, 3424967](#3413785, 3424967)
| To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.5.1 | 5.6.0-5.16.1| | [3351951](#3351951)
| Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-4.3.1, 4.4.0-4.4.5, 5.0.0-5.16.1 | 4.3.2| | [3350789](#3350789)
| NVUE deprecated the port split command options (2x10G, 2x25G, 2x40G, 2x50G, 2x100G, 2x200G, 4x10G, 4x25G, 4x50G, 4x100G, 8x50G) with no backwards compatibility. | 5.0.0-5.4.0 | 5.5.0-5.16.1| | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.16.1| @@ -52,13 +52,13 @@ pdfhidden: True | [3211054](#3211054)
| On the NVIDIA Spectrum-2 switch, when receiving multicast traffic on a PIM enabled VLAN, the multicast traffic is forwarded correctly to the associated VLAN, however WJH shows traffic loss with the error:

Packet size is larger than router interface MTU – Validate the router interface MTU configuration
| 4.4.2-5.2.1 | 5.3.0-5.16.1| | [3202991](#3202991)
| Locally generated multicast traffic including IGMPv2 GSQs do not transmit to local clients when using PIM. | 5.0.1-5.2.1 | 5.3.0-5.16.1| | [3200373](#3200373)
| After rebooting the switch, the IPv6 link local address for an SVI that belongs to non-default VRF is missing, and doesn't show on the switch. To resolve this issue, run the ifreload -a command. | 5.0.0-5.2.1 | 5.3.0-5.16.1| -| [3195345](#3195345)
| Communication between single-connected MLAG hosts on different switches fails because packets received by single-connected MLAG hosts are not forwarded over the peer link. To work around this issue, when adding a switch to an MLAG pair, enable all the interfaces. | 5.0.0-5.0.1 | 5.1.0-5.16.1| +| [3195345, 3195390](#3195345, 3195390)
| Communication between single-connected MLAG hosts on different switches fails because packets received by single-connected MLAG hosts are not forwarded over the peer link. To work around this issue, when adding a switch to an MLAG pair, enable all the interfaces. | 5.0.0-5.0.1 | 5.1.0-5.16.1| | [3192808](#3192808)
| When a switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-4.3.1, 4.4.0-4.4.5, 5.0.1-5.16.1 | 4.3.2| -| [3157240](#3157240)
| When you try to query REDECN counters with the mlxcmd utility on a bond member port with the following commands, syslog reports an error
sudo /usr/lib/cumulus/mlxcmd roce counters --port sudo /usr/lib/cumulus/mlxcmd qos counters --clear --port
| 4.4.4-5.1.0 | 5.2.0-5.16.1| +| [3157240, 3173622](#3157240, 3173622)
| When you try to query REDECN counters with the mlxcmd utility on a bond member port with the following commands, syslog reports an error
sudo /usr/lib/cumulus/mlxcmd roce counters --port sudo /usr/lib/cumulus/mlxcmd qos counters --clear --port
| 4.4.4-5.1.0 | 5.2.0-5.16.1| | [3150317](#3150317)
| During a host failure, where a link remains up but LACP stops being sent, the EVPN multihoming ES bond goes into bypass mode active without a link state change. | 4.4.2-5.2.1 | 5.3.0-5.16.1| | [3142615](#3142615)
| The BGP4-MIB.txt file is missing from Net-SNMP agent. | 5.0.0-5.4.0 | 5.5.0-5.16.1| | [3141826](#3141826)
| A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1)
1.3.6.1.2.1.47 --> Entity MIB
1.3.6.1.2.1.99 --> Entity Sensor MIB
1.3.6.1.2.1.23 --> rip2
1.3.6.1.2.1.2 --> interface/interfaces
1.3.6.1.2.1.31 --> ifMIB
1.3.6.1.2.1.4 --> IP
1.3.6.1.2.1.25 --> hostResource | 5.0.1-5.8.0 | 5.9.0-5.16.1| -| [3141818](#3141818)
| If there is extensive and continuous next-hop group (NHG) churn when routes keep moving from one NHG to another NHG repeatedly, switchd increases in memory allocation until memory is exhausted. Other processes might be affected as they try to acquire memory which is unavailable. | 5.0.1-5.1.0 | 5.2.0-5.16.1| +| [3141818, 3163200](#3141818, 3163200)
| If there is extensive and continuous next-hop group (NHG) churn when routes keep moving from one NHG to another NHG repeatedly, switchd increases in memory allocation until memory is exhausted. Other processes might be affected as they try to acquire memory which is unavailable. | 5.0.1-5.1.0 | 5.2.0-5.16.1| | [3139364](#3139364)
| When Cumulus Linux updates the ECMP container with a new next hop list, it allocates the flow counters for the new next hop list without deallocating the counters bound to the old next hop list. This results in resource exhaustion and you see the following error messages in the /var/log/switchd.log file:
hal_mlx_stat.c:3215 ERR Failed to allocate counter(s) for ecmp [71025:0] status: Internal Errorhal_mlx_stat.c:3196 ERR Counter set for ecmp [71025:0] idx 0 failed: Internal Errorhal_mlx_sdk_nexthop_wrap.c:1076 ERR Counter 0 alloc for ecmp next hop failed: Internal Errorhal_mlx_sdk_counter_wrap.c:54 ERR Counter alloc failed: No More Resources
This issue does not have any functional impact to forwarding. Even without the flow counters attached to the ECMP group, packet forwarding works without any issues
To avoid allocating next hop counters for any new ECMP next hop list update, set mlx.stats.ecmp.enable to FALSE in the /etc/mlx/datapath/stats.conf file, then restart switchd with the sudo systemctl reload switchd command. | 5.0.0-5.2.1 | 5.3.0-5.16.1| | [3138746](#3138746)
| The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0-5.1.0 | 5.2.0-5.16.1| | [3138057](#3138057)
| When the next hop interface for EVPN type 5 routes flaps, FRR might uninstall the routes and Route install failed appears in /var/log/frr/frr.log. To work around this problem, restart FRR with the sudo systemctl restart frr command. | 4.4.0-5.2.1 | 5.3.0-5.16.1| @@ -66,7 +66,7 @@ pdfhidden: True | [3131423](#3131423)
| During EVPN multihoming bond failover, ARP and ND redirection fails if you configure layer 2 VNIs and ES bonds before you configure the loopback IP address of the switch. To work around this issue, configure the loopback IP address, then restart FRR with the systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| | [3123965](#3123965)
| Under heavy system load, when many forwarding resources (routes, neighbors, ECMP groups, and so on) are removed from hardware, subsequent attempts to configure additional forwarding resources might fail and you see the following log message:
sx_sdk: EMAD_RX_THREAD: EMAD transaction FW error
| 4.4.0-5.1.0 | 5.2.0-5.16.1| | [3120423](#3120423)
| When you configure an interface in FRR to send IPv6 RAs before you configure the interface in the /etc/network/interfaces file, the switch does not process IPv6 RAs. To work around this issue, remove the interface configuration in FRR and reapply it. | 3.7.15-4.3.0, 4.4.0-5.1.0 | 4.3.1, 5.2.0-5.16.1| -| [3119673](#3119673)
| If the switch receives an EVPN route with multiple RTs that match the import policy for a local VNI, the bgpd service crashes. | 5.0.0-5.1.0 | 5.2.0-5.16.1| +| [3119673, 2888040](#3119673, 2888040)
| If the switch receives an EVPN route with multiple RTs that match the import policy for a local VNI, the bgpd service crashes. | 5.0.0-5.1.0 | 5.2.0-5.16.1| | [3117340](#3117340)
| When you edit the /usr/share/openvswitch/scripts/ovs-ctl-vtep file to change the ovs-vtepd configuration between vlan-aware and vlan-unaware mode, ovs-vtepd crashes when you restart the service. To recover, restart the networking service with the sudo systemctl restart networking command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| | [3115415](#3115415)
| In the Cumulus-BGPVRF-MIB, the bgpPeerFsmEstablishedTime OID does not correctly report the time since a BGP session goes down. | 4.4.4-5.1.0 | 5.2.0-5.16.1| | [3112971](#3112971)
| When you configure a VRF static route using the legacy command syntax in FRR (for example: ip route 10.0.0.0/8 172.16.1.1 vrf vrf-red), then make subsequent VRF or route configuration changes, FRR might crash. To avoid this problem, use the current method for configuring VRF routes within the VRF stanza:
vrf vrf-red
 ip route 10.0.0.0/8 172.16.1.1 vrf vrf-redend vrf
| 4.4.3-5.1.0 | 5.2.0-5.16.1| @@ -75,26 +75,26 @@ pdfhidden: True | [3084476](#3084476)
| After you disable traffic shaping in the /etc/cumulus/datapath/qos/qos_features.conf file, the default QOS traffic shaping configuration does not restore. To work around this issue, restart switchd. | 4.4.3, 5.0.0-5.16.1 | 4.4.4-4.4.5| | [3084027](#3084027)
| Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware. | 4.3.0-4.4.5, 5.0.0-5.16.1 | | | [3077736](#3077736)
| When you run the NVUE command to change the minimum interval between received BFD control packets or the minimum interval for sending BFD control packets, the configuration apply fails.

cumulus@switch:~$ nv set vrf default router bgp neighbor 10.10.10.2 bfd min-rx-interval 400
cumulus@switch:~$ nv config apply
2022-05-04T21:36:10.800975+00:00 switch frrinit.sh16431: Stopped watchfrr.
| 5.0.1-5.1.0 | 5.2.0-5.16.1| -| [3077547](#3077547)
| When you configure multiple multicast RPs with groups matched by prefix lists, Cumulus Linux selects only one of the RPs and this selection is incorrect. | 5.0.1-5.1.0 | 5.2.0-5.16.1| +| [3077547, 2812075](#3077547, 2812075)
| When you configure multiple multicast RPs with groups matched by prefix lists, Cumulus Linux selects only one of the RPs and this selection is incorrect. | 5.0.1-5.1.0 | 5.2.0-5.16.1| | [3077513](#3077513)
| When a MAC address is moved to a new VTEP in an EVPN MAC mobility scenario using traditional bridges, there might be up to 30 seconds of convergence delay. | 5.0.1-5.1.0 | 5.2.0-5.16.1| -| [3074390](#3074390)
| You can not apply NVUE configurations when TACACS is enabled for user authentication. To work around this issue, add the nvue account to the exclude_users line in /etc/tacplus_nss.conf:
exclude_users=root,daemon,nobody,cron,radius_user,radius_priv_user,sshd,cumulus,quagga,frr,nvue,snmp,www-data,ntp,man,_lldpd,*
| 5.0.1-5.3.1 | 5.4.0-5.16.1| +| [3074390, 3055255, 2602877](#3074390, 3055255, 2602877)
| You can not apply NVUE configurations when TACACS is enabled for user authentication. To work around this issue, add the nvue account to the exclude_users line in /etc/tacplus_nss.conf:
exclude_users=root,daemon,nobody,cron,radius_user,radius_priv_user,sshd,cumulus,quagga,frr,nvue,snmp,www-data,ntp,man,_lldpd,*
| 5.0.1-5.3.1 | 5.4.0-5.16.1| | [3072674](#3072674)
| In an MLAG configuration, if you put a single connected interface into an admin down state, any dynamic MAC addresses on the peer link are flushed, then added back, which causes momentary traffic disruption. | 3.7.15-5.1.0 | 5.2.0-5.16.1| | [3066664](#3066664)
| In an EVPN-MH configuration, the switch fails to redirect tagged frames with the CoS bits set. | 4.4.0-4.4.3, 5.0.0-5.1.0 | 4.4.4-4.4.5, 5.2.0-5.16.1| | [3061445](#3061445)
| When you run the NVUE command to change the minimum interval between received BFD control packets or the minimum interval for sending BFD control packets, the configuration apply fails
cumulus@switch:~$ nv set vrf default router bgp neighbor 10.10.10.2 bfd min-rx-interval 400cumulus@switch:~$ nv config apply2022-05-04T21:36:10.800975+00:00 switch frrinit.sh16431: Stopped watchfrr
| 5.0.1-5.1.0 | 5.2.0-5.16.1| | [3059566](#3059566)
| When you add an interface to a layer 3 bond, traffic does not forward and you see errors similar to the following:
2022-05-02T13:14:40.118597+00:00 cumulus sx_sdk: ROUTER: Failed to delete router interface(27) ref count isn’t 0, err= Resource is in use
| 4.4.2-4.4.3, 5.0.1-5.1.0 | 4.4.4-4.4.5, 5.2.0-5.16.1| | [3059380](#3059380)
| When you configure VRF leaking from the default VRF to a non-default VRF, SSH sessions originating from the switch CLI in the default VRF do not connect to devices in the non-default VRF. | 5.0.1-5.1.0 | 5.2.0-5.16.1| -| [3059135](#3059135)
| In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route
To resolve this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| -| [3055255](#3055255)
| When you run the NVUE nv show interface command, a watchdog timeout might occur and the nvued service fails. | 5.0.1 | 5.1.0-5.16.1| -| [3054869](#3054869)
| When you run NVUE commands as part of ZTP scripts, the commands fail with errors that indicate a missing $HOME environment variable. The issue has been fixed where the ZTP module initializes the $HOME environment variable before launching the ZTP scripts. However, if you are running older releases, before you use any NVUE commands in the ZTP script, add a section and define the HOME environment variable. Populate the variable with the default expected root user home directory value (/root), then export the HOME variable so it is available globally for NVUE to use
HOME=/rootexport HOME
| 5.0.0-5.1.0 | 5.2.0-5.16.1| -| [3046023](#3046023)
| The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. | 4.2.1-5.1.0 | 5.2.0-5.16.1| +| [3059135, 3060400](#3059135, 3060400)
| In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route
To resolve this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| +| [3055255, 3074390](#3055255, 3074390)
| When you run the NVUE nv show interface command, a watchdog timeout might occur and the nvued service fails. | 5.0.1 | 5.1.0-5.16.1| +| [3054869, 3148920](#3054869, 3148920)
| When you run NVUE commands as part of ZTP scripts, the commands fail with errors that indicate a missing $HOME environment variable. The issue has been fixed where the ZTP module initializes the $HOME environment variable before launching the ZTP scripts. However, if you are running older releases, before you use any NVUE commands in the ZTP script, add a section and define the HOME environment variable. Populate the variable with the default expected root user home directory value (/root), then export the HOME variable so it is available globally for NVUE to use
HOME=/rootexport HOME
| 5.0.0-5.1.0 | 5.2.0-5.16.1| +| [3046023, 3096918](#3046023, 3096918)
| The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. | 4.2.1-5.1.0 | 5.2.0-5.16.1| | [3044596](#3044596)
| In the non-default VRF, BFD goes down after port flap. | 5.0.1-5.1.0 | 5.2.0-5.16.1| | [3041425](#3041425)
| When you add or remove PortAutoEdge on a bond with the NVUE nv set interface bridge domain br_default stp auto-edge command, the command fails with the following error and then attempts to enable or disable PortAutoEdge on any interface also fail
cumulus@switch:~$ nv set interface swp1 bridge domain br_default stp auto-edge offcumulus@switch:~$ nv config applyUnable to reload-or-restart services (switchd,ifreload-nvue.service):[sudo] password for nvue: Job for ifreload-nvue.service failed because the control process exited with error code
Failure during apply. Ignore? [y/N]
| 5.0.1-5.1.0 | 5.2.0-5.16.1| | [3041307](#3041307)
| If you update the MAC address of an SVI using ifreload and hwaddress, the kernel maintains a stale permanent FDB entry for the old MAC address. | 3.7.15, 4.3.0, 4.4.0-4.4.3, 5.0.0-5.16.1 | 3.7.16, 4.3.1, 4.4.4-4.4.5| | [3040080](#3040080)
| On Spectrum-2 switches, when a packet has a CRC and the ports are in cut-though mode, the switch might stop forwarding traffic. | 4.4.2-4.4.3, 5.0.0-5.16.1 | 4.4.4-4.4.5| | [3037824](#3037824)
| The NVUE nv show interface link state command shows an empty table instead of showing the port link state. | 5.0.0-5.3.1 | 5.4.0-5.16.1| | [3035855](#3035855)
| When you configure ACLs on the switch, you might see a switchd segmentation fault. | 5.0.1 | 5.1.0-5.16.1| -| [3034435](#3034435)
| In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community. | 4.4.4-5.4.0 | 5.5.0-5.16.1| -| [3032234](#3032234)
| In BGP unnumbered, when you try to remove an interface from the underlay default VRF with the NVUE nv unset vrf default router bgp neighbor command, the command fails to apply. | 4.4.2-5.0.1 | 5.1.0-5.16.1| +| [3034435, 3101184](#3034435, 3101184)
| In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community. | 4.4.4-5.4.0 | 5.5.0-5.16.1| +| [3032234, 3163643](#3032234, 3163643)
| In BGP unnumbered, when you try to remove an interface from the underlay default VRF with the NVUE nv unset vrf default router bgp neighbor command, the command fails to apply. | 4.4.2-5.0.1 | 5.1.0-5.16.1| | [3030238](#3030238)
| When you change the time with NTP or manually, the clagd service stops. | 5.0.1 | 4.3.1-4.4.5, 5.1.0-5.16.1| | [3021897](#3021897)
| After you remove the port from the EVPN-MH bond, the port stays in the PRTDN state with the protodown flag ON. | 4.4.3, 5.0.0-5.16.1 | 4.4.4-4.4.5| | [3021838](#3021838)
| PBR rules that you apply to interfaces in the default VRF install in the kernel with the action lookup local. As a result, packets that match this rule only perform a route lookup in the local table (which contains special routes for local IP addresses and broadcast addresses) but not in the main table (which contains unicast routes). As a result, policy routing might be applied to traffic incorrectly. | 4.4.2-5.0.1 | 5.1.0-5.16.1| @@ -125,15 +125,15 @@ pdfhidden: True | [2914835](#2914835)
| NVUE flexible snippets create invalid YAML files. | 5.0.0-5.0.1 | 5.1.0-5.16.1| | [2913859](#2913859)
| ECMP error messages, similar to the following, show in log files:
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:361 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:621 ERR ECMP: failed to CREATE static ecmp in hwDec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:656 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1540 ERR ECMP: failed to allocate hw ecmp status No More ResourcesDec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1561 ERR ECMP: error allocating static ecmpDec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:2207 ERR ECMP: failed to find ecmp container
| 4.4.0-5.0.1 | 5.1.0-5.16.1| | [2910017](#2910017)
| SNMP reports the same ifType of ethernetCsmacd(6) for loopback interfaces. | 3.7.15-4.4.2, 5.0.0-5.0.1 | 4.4.3-4.4.5, 5.1.0-5.16.1| -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | | [2903374](#2903374)
| The nv show interfaces command returns a 500 error and syslog shows a python error, triggered by third party devices (non CL) missing LLDP fields
To work around this issue, disable LLDP on a single interface. | 5.0.0-5.0.1 | 5.1.0-5.16.1| | [2898044](#2898044)
| NVUE commands including the nv config apply command might fail with the following error because the /etc/resolv.conf file is missing
Failed to prepare to applyUnrecoverable internal error
| 5.0.0-5.0.1 | 5.1.0-5.16.1| | [2886488](#2886488)
| NVUE commands fail to configure port mirroring. | 5.0.0-5.0.1 | 5.1.0-5.16.1| | [2886476](#2886476)
| If you enable or disable the advertise primary IP address setting when originating EVPN default type-5 routes, the default route or prefix originated from one of the MLAG peers sends a null layer 3 VNI, which prevents the remote VTEP from installing the default route. | 5.0.0-5.1.0 | 5.2.0-5.16.1| -| [2885305](#2885305)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | +| [2885305, 2887500, 3234087, 3074929, 3293192](#2885305, 2887500, 3234087, 3074929, 3293192)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | | [2885287](#2885287)
| When you change the port breakout configuration, you must restart switchd to clean up any previously-associated port states and reinitialize the ports. Reloading switchd does not work. | 5.0.0-5.0.1 | 5.1.0-5.16.1| | [2875338](#2875338)
| In a scaled EVPN-MLAG configuration (observed with 400 or more VNIs and 20K or more MAC addresses – the actual scale might vary), when the peer link flaps causing all VNIs to come up at the same time, there might be high CPU utilization on the system for several minutes and the FRR service might restart. After FRR restarts or the CPU utilization settles down, the system functions normally. | 4.2.1-4.3.0, 4.4.0-4.4.5, 5.0.0-5.16.1 | 3.7.16, 4.3.1| -| [2867248](#2867248)
| The validate-ports -d command does not return the correct speeds for ports. Use the speeds specified in the /etc/cumulus/ports.conf file. | 5.0.0-5.1.0 | 5.2.0-5.16.1| +| [2867248, 2866947, 3124967](#2867248, 2866947, 3124967)
| The validate-ports -d command does not return the correct speeds for ports. Use the speeds specified in the /etc/cumulus/ports.conf file. | 5.0.0-5.1.0 | 5.2.0-5.16.1| | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.16.1 | | | [2861989](#2861989)
| Incomplete or unnecessary configuration in FRR results in FRR restarting instead of rejecting the configuration with an error. | 5.0.0-5.0.1 | 5.1.0-5.16.1| | [2860323](#2860323)
| If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry. | 4.4.0-5.0.1 | 5.1.0-5.16.1| @@ -142,11 +142,11 @@ pdfhidden: True | [2831968](#2831968)
| The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0, 4.4.0-5.1.0 | 4.3.1, 5.2.0-5.16.1| | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.16.1 | | | [2821929](#2821929)
| FRR restarts even when the NVUE configuration overwrite mode is set. | 5.0.0-5.3.1 | 5.4.0-5.16.1| -| [2812075](#2812075)
| When you configure PIM, you can either configure RP mappings for different multicast groups or use a prefix list to specify the RP to group mapping. You cannot use the two methods together. | 5.0.0-5.1.0 | 5.2.0-5.16.1| -| [2743186](#2743186)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| +| [2812075, 3077547](#2812075, 3077547)
| When you configure PIM, you can either configure RP mappings for different multicast groups or use a prefix list to specify the RP to group mapping. You cannot use the two methods together. | 5.0.0-5.1.0 | 5.2.0-5.16.1| +| [2743186, 2734100, 2731464, 3438708](#2743186, 2734100, 2731464, 3438708)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | | [2734103](#2734103)
| ACL [No More Resources] messages keep appearing and you can't reinstall the ACL. | 4.3.0-5.1.0 | 5.2.0-5.16.1| -| [2713888](#2713888)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| +| [2713888, 2834357](#2713888, 2834357)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| | [2685994](#2685994)
| When you use the NVUE command nv set interface lo router ospf area to configure OSPF on a loopback interface, the configuration fails to apply
To work around this issue, configure the loopback interface in the desired OSPF area with the nv set vrf default router ospf area 0 network command and reference the assigned prefix of the loopback interface. For example:
cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32
| 4.0.0-5.0.1 | 5.1.0-5.16.1| | [2684925](#2684925)
| The NVUE nv show vrf default router bgp peer command produces a 404 not found error. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | | [2543915](#2543915)
| When you enable a service in the management VRF, systemctl issues a warning similar to the following:
Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run 'systemctl daemon-reload' to reload unit
You can safely ignore this warning. | 4.0.0-5.9.5 | 5.10.0-5.16.1| @@ -163,9 +163,9 @@ pdfhidden: True |--- |--- |--- |--- | | [4797691](#4797691)
| The message that the switch displays when you generate a cl-support file or as a post login banner contains an invalid Cumulus Support email address, which is no longer the formal channel for reporting support issues. | 5.0.0-5.9.4, 5.15.1 | 5.9.5, 5.16.0-5.16.1| | [4647646](#4647646)
| If you configure policy-based routing (PBR) rules for more than 32 interfaces, only the rules assigned to the first 32 interfaces are installed in the kernel. | 4.4.2-5.14.0 | 5.15.0-5.16.1| -| [4413450](#4413450)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.11.1, 5.13.0-5.13.1 | 5.11.2, 5.14.0-5.16.1| +| [4413450, 4497128](#4413450, 4497128)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.11.1, 5.13.0-5.13.1 | 5.11.2, 5.14.0-5.16.1| | [4004453](#4004453)
| The NVUE commands to delete SNMP users, and change authentication passwords and encryption passphrases are not successful. | 4.3.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| -| [3895042](#3895042)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| +| [3895042, 3895041](#3895042, 3895041)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3773177](#3773177)
| When you try to upgrade a switch from Cumulus Linux before 5.6.0 with package upgrade, you might see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.
cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt install ./cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt update
cumulus@switch:~$ sudo apt upgrade
| 4.0.0-4.4.5, 5.0.0-5.16.1 | | | [3684998](#3684998)
| DHCP lease information is not collected in the cl-support file. | 4.3.0-5.6.0 | 5.7.0-5.16.1| | [3585467](#3585467)
| NVUE and ip link show traditional bridge VLAN subinterface counts incorrectly. The ingress (Rx) count increments correctly but the egress (Tx) count does not increment. This issues occurs because the hardware does not support transmit counters for a VLAN subinterface; therefore, no statistics from the hardware are updated. Statistics for software forwarded packets show correctly. | 5.0.0-5.6.0 | 5.7.0-5.16.1| @@ -173,13 +173,13 @@ pdfhidden: True | [3491259](#3491259)
| When BGP receives an EVPN type-5 route with a gateway IP overlay attribute, the gateway IP overlay attribute in the attr memory (which is already inserted in the attribute hash) might change. As a result, the modified attr memory might match with another attr in the attribute hash, which produces duplicate entries in the hash table. As a result, BGP might crash when deleting one of the duplicate attr structures. | 5.0.0-5.5.1 | 4.3.2-4.4.5, 5.6.0-5.16.1| | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0-5.16.1| | [3482006](#3482006)
| If FRR learns a layer 2 entry against a VNI and you reconfigure the VNI later as a layer 3 VNI, the original layer 2 entry does not clear and remains in the forwarding database. | 5.0.0-5.5.1 | 4.3.2-4.4.5, 5.6.0-5.16.1| -| [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.16.1| +| [3474391, 3479772](#3474391, 3479772)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.16.1| | [3445841](#3445841)
| FRR does not apply Type-0 ESI configuration for EVPN multihoming bonds consistently after an FRR service reload. This issue occurs because the system MAC address value (es-sys-mac) is only compatible with a 3-byte Ethernet segment ID (es-id) for Type-3 ESIs, but still renders even when the Ethernet segment ID is 10 bytes for Type-0 ESIs. To work around this issue, configure EVPN multihoming bonds with a Type-3 ESI (es-sys-mac plus a 3-byte es-id). | 5.0.0-5.6.0 | 5.7.0-5.16.1| | [3432897](#3432897)
| When you remove the restriction from a TACACS+ mapped user to remove per command authorization, the tacplus-restrict -R command does not restore ownership of restored files correctly. As a result, some commands might fail due to permission errors in the files or directories under the home directory. To work around this issue, run the sudo chown command to correct the ownership of the affected files and directories. | 5.0.0-5.4.0 | 5.5.0-5.16.1| | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.16.1| -| [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | +| [3424967, 3413785](#3424967, 3413785)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [3413785](#3413785)
| To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.5.1 | 5.6.0-5.16.1| +| [3413785, 3424967](#3413785, 3424967)
| To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.5.1 | 5.6.0-5.16.1| | [3351951](#3351951)
| Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-4.3.1, 4.4.0-4.4.5, 5.0.0-5.16.1 | 4.3.2| | [3350789](#3350789)
| NVUE deprecated the port split command options (2x10G, 2x25G, 2x40G, 2x50G, 2x100G, 2x200G, 4x10G, 4x25G, 4x50G, 4x100G, 8x50G) with no backwards compatibility. | 5.0.0-5.4.0 | 5.5.0-5.16.1| | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.16.1| @@ -194,8 +194,8 @@ pdfhidden: True | [3211359](#3211359)
| The net show interface detail command output shows Type=Unknown for the specified interface. | 4.4.3-5.0.1 | 5.1.0-5.16.1| | [3211054](#3211054)
| On the NVIDIA Spectrum-2 switch, when receiving multicast traffic on a PIM enabled VLAN, the multicast traffic is forwarded correctly to the associated VLAN, however WJH shows traffic loss with the error:

Packet size is larger than router interface MTU – Validate the router interface MTU configuration
| 4.4.2-5.2.1 | 5.3.0-5.16.1| | [3200373](#3200373)
| After rebooting the switch, the IPv6 link local address for an SVI that belongs to non-default VRF is missing, and doesn't show on the switch. To resolve this issue, run the ifreload -a command. | 5.0.0-5.2.1 | 5.3.0-5.16.1| -| [3195345](#3195345)
| Communication between single-connected MLAG hosts on different switches fails because packets received by single-connected MLAG hosts are not forwarded over the peer link. To work around this issue, when adding a switch to an MLAG pair, enable all the interfaces. | 5.0.0-5.0.1 | 5.1.0-5.16.1| -| [3157240](#3157240)
| When you try to query REDECN counters with the mlxcmd utility on a bond member port with the following commands, syslog reports an error
sudo /usr/lib/cumulus/mlxcmd roce counters --port sudo /usr/lib/cumulus/mlxcmd qos counters --clear --port
| 4.4.4-5.1.0 | 5.2.0-5.16.1| +| [3195345, 3195390](#3195345, 3195390)
| Communication between single-connected MLAG hosts on different switches fails because packets received by single-connected MLAG hosts are not forwarded over the peer link. To work around this issue, when adding a switch to an MLAG pair, enable all the interfaces. | 5.0.0-5.0.1 | 5.1.0-5.16.1| +| [3157240, 3173622](#3157240, 3173622)
| When you try to query REDECN counters with the mlxcmd utility on a bond member port with the following commands, syslog reports an error
sudo /usr/lib/cumulus/mlxcmd roce counters --port sudo /usr/lib/cumulus/mlxcmd qos counters --clear --port
| 4.4.4-5.1.0 | 5.2.0-5.16.1| | [3150317](#3150317)
| During a host failure, where a link remains up but LACP stops being sent, the EVPN multihoming ES bond goes into bypass mode active without a link state change. | 4.4.2-5.2.1 | 5.3.0-5.16.1| | [3142615](#3142615)
| The BGP4-MIB.txt file is missing from Net-SNMP agent. | 5.0.0-5.4.0 | 5.5.0-5.16.1| | [3139364](#3139364)
| When Cumulus Linux updates the ECMP container with a new next hop list, it allocates the flow counters for the new next hop list without deallocating the counters bound to the old next hop list. This results in resource exhaustion and you see the following error messages in the /var/log/switchd.log file:
hal_mlx_stat.c:3215 ERR Failed to allocate counter(s) for ecmp [71025:0] status: Internal Errorhal_mlx_stat.c:3196 ERR Counter set for ecmp [71025:0] idx 0 failed: Internal Errorhal_mlx_sdk_nexthop_wrap.c:1076 ERR Counter 0 alloc for ecmp next hop failed: Internal Errorhal_mlx_sdk_counter_wrap.c:54 ERR Counter alloc failed: No More Resources
This issue does not have any functional impact to forwarding. Even without the flow counters attached to the ECMP group, packet forwarding works without any issues
To avoid allocating next hop counters for any new ECMP next hop list update, set mlx.stats.ecmp.enable to FALSE in the /etc/mlx/datapath/stats.conf file, then restart switchd with the sudo systemctl reload switchd command. | 5.0.0-5.2.1 | 5.3.0-5.16.1| @@ -204,7 +204,7 @@ pdfhidden: True | [3131423](#3131423)
| During EVPN multihoming bond failover, ARP and ND redirection fails if you configure layer 2 VNIs and ES bonds before you configure the loopback IP address of the switch. To work around this issue, configure the loopback IP address, then restart FRR with the systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| | [3123965](#3123965)
| Under heavy system load, when many forwarding resources (routes, neighbors, ECMP groups, and so on) are removed from hardware, subsequent attempts to configure additional forwarding resources might fail and you see the following log message:
sx_sdk: EMAD_RX_THREAD: EMAD transaction FW error
| 4.4.0-5.1.0 | 5.2.0-5.16.1| | [3120423](#3120423)
| When you configure an interface in FRR to send IPv6 RAs before you configure the interface in the /etc/network/interfaces file, the switch does not process IPv6 RAs. To work around this issue, remove the interface configuration in FRR and reapply it. | 3.7.15-4.3.0, 4.4.0-5.1.0 | 4.3.1, 5.2.0-5.16.1| -| [3119673](#3119673)
| If the switch receives an EVPN route with multiple RTs that match the import policy for a local VNI, the bgpd service crashes. | 5.0.0-5.1.0 | 5.2.0-5.16.1| +| [3119673, 2888040](#3119673, 2888040)
| If the switch receives an EVPN route with multiple RTs that match the import policy for a local VNI, the bgpd service crashes. | 5.0.0-5.1.0 | 5.2.0-5.16.1| | [3117340](#3117340)
| When you edit the /usr/share/openvswitch/scripts/ovs-ctl-vtep file to change the ovs-vtepd configuration between vlan-aware and vlan-unaware mode, ovs-vtepd crashes when you restart the service. To recover, restart the networking service with the sudo systemctl restart networking command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| | [3115415](#3115415)
| In the Cumulus-BGPVRF-MIB, the bgpPeerFsmEstablishedTime OID does not correctly report the time since a BGP session goes down. | 4.4.4-5.1.0 | 5.2.0-5.16.1| | [3112971](#3112971)
| When you configure a VRF static route using the legacy command syntax in FRR (for example: ip route 10.0.0.0/8 172.16.1.1 vrf vrf-red), then make subsequent VRF or route configuration changes, FRR might crash. To avoid this problem, use the current method for configuring VRF routes within the VRF stanza:
vrf vrf-red
 ip route 10.0.0.0/8 172.16.1.1 vrf vrf-redend vrf
| 4.4.3-5.1.0 | 5.2.0-5.16.1| @@ -214,14 +214,14 @@ pdfhidden: True | [3084027](#3084027)
| Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware. | 4.3.0-4.4.5, 5.0.0-5.16.1 | | | [3072674](#3072674)
| In an MLAG configuration, if you put a single connected interface into an admin down state, any dynamic MAC addresses on the peer link are flushed, then added back, which causes momentary traffic disruption. | 3.7.15-5.1.0 | 5.2.0-5.16.1| | [3066664](#3066664)
| In an EVPN-MH configuration, the switch fails to redirect tagged frames with the CoS bits set. | 4.4.0-4.4.3, 5.0.0-5.1.0 | 4.4.4-4.4.5, 5.2.0-5.16.1| -| [3059135](#3059135)
| In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route
To resolve this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| -| [3054869](#3054869)
| When you run NVUE commands as part of ZTP scripts, the commands fail with errors that indicate a missing $HOME environment variable. The issue has been fixed where the ZTP module initializes the $HOME environment variable before launching the ZTP scripts. However, if you are running older releases, before you use any NVUE commands in the ZTP script, add a section and define the HOME environment variable. Populate the variable with the default expected root user home directory value (/root), then export the HOME variable so it is available globally for NVUE to use
HOME=/rootexport HOME
| 5.0.0-5.1.0 | 5.2.0-5.16.1| -| [3046023](#3046023)
| The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. | 4.2.1-5.1.0 | 5.2.0-5.16.1| +| [3059135, 3060400](#3059135, 3060400)
| In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route
To resolve this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| +| [3054869, 3148920](#3054869, 3148920)
| When you run NVUE commands as part of ZTP scripts, the commands fail with errors that indicate a missing $HOME environment variable. The issue has been fixed where the ZTP module initializes the $HOME environment variable before launching the ZTP scripts. However, if you are running older releases, before you use any NVUE commands in the ZTP script, add a section and define the HOME environment variable. Populate the variable with the default expected root user home directory value (/root), then export the HOME variable so it is available globally for NVUE to use
HOME=/rootexport HOME
| 5.0.0-5.1.0 | 5.2.0-5.16.1| +| [3046023, 3096918](#3046023, 3096918)
| The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. | 4.2.1-5.1.0 | 5.2.0-5.16.1| | [3041307](#3041307)
| If you update the MAC address of an SVI using ifreload and hwaddress, the kernel maintains a stale permanent FDB entry for the old MAC address. | 3.7.15, 4.3.0, 4.4.0-4.4.3, 5.0.0-5.16.1 | 3.7.16, 4.3.1, 4.4.4-4.4.5| | [3040080](#3040080)
| On Spectrum-2 switches, when a packet has a CRC and the ports are in cut-though mode, the switch might stop forwarding traffic. | 4.4.2-4.4.3, 5.0.0-5.16.1 | 4.4.4-4.4.5| | [3037824](#3037824)
| The NVUE nv show interface link state command shows an empty table instead of showing the port link state. | 5.0.0-5.3.1 | 5.4.0-5.16.1| -| [3034435](#3034435)
| In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community. | 4.4.4-5.4.0 | 5.5.0-5.16.1| -| [3032234](#3032234)
| In BGP unnumbered, when you try to remove an interface from the underlay default VRF with the NVUE nv unset vrf default router bgp neighbor command, the command fails to apply. | 4.4.2-5.0.1 | 5.1.0-5.16.1| +| [3034435, 3101184](#3034435, 3101184)
| In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community. | 4.4.4-5.4.0 | 5.5.0-5.16.1| +| [3032234, 3163643](#3032234, 3163643)
| In BGP unnumbered, when you try to remove an interface from the underlay default VRF with the NVUE nv unset vrf default router bgp neighbor command, the command fails to apply. | 4.4.2-5.0.1 | 5.1.0-5.16.1| | [3021897](#3021897)
| After you remove the port from the EVPN-MH bond, the port stays in the PRTDN state with the protodown flag ON. | 4.4.3, 5.0.0-5.16.1 | 4.4.4-4.4.5| | [3021838](#3021838)
| PBR rules that you apply to interfaces in the default VRF install in the kernel with the action lookup local. As a result, packets that match this rule only perform a route lookup in the local table (which contains special routes for local IP addresses and broadcast addresses) but not in the main table (which contains unicast routes). As a result, policy routing might be applied to traffic incorrectly. | 4.4.2-5.0.1 | 5.1.0-5.16.1| | [3021696](#3021696)
| On the NVIDIA SN4600C switch, when you run the /usr/share/snmp/resq_pp.py script used by SNMP, you see the following log message in syslog regardless of the forwarding table profile set in the /etc/cumulus/datapath/traffic.conf file
resq_pp: EXCEPTION=invalid literal for int() with base 10: 'v4-lpm-heavy'
| 4.4.0-4.4.3, 5.0.0-5.16.1 | 4.4.4-4.4.5| @@ -249,15 +249,15 @@ pdfhidden: True | [2913859](#2913859)
| ECMP error messages, similar to the following, show in log files:
Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:361 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:621 ERR ECMP: failed to CREATE static ecmp in hwDec 15 10:01:35 leaf01 switchd3431: hal_mlx_sdk_nexthop_wrap.c:656 ERR ECMP: cmd CREATE failed: No More Resources, nexthops 1Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1540 ERR ECMP: failed to allocate hw ecmp status No More ResourcesDec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:1561 ERR ECMP: error allocating static ecmpDec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:2207 ERR ECMP: failed to find ecmp container
| 4.4.0-5.0.1 | 5.1.0-5.16.1| | [2910017](#2910017)
| SNMP reports the same ifType of ethernetCsmacd(6) for loopback interfaces. | 3.7.15-4.4.2, 5.0.0-5.0.1 | 4.4.3-4.4.5, 5.1.0-5.16.1| | [2908541](#2908541)
| Running apt dist-upgrade causes switchd to stop and never start again. Do not use apt dist-upgrade; use apt upgrade instead. Cumulus Linux does not support apt dist-upgrade
To work around this issue, if you run apt dist-upgrade and switchd no longer works, run the apt install sx-sdk-eth-dev command (and run the command for any other removed package) or reinstall the Cumulus Linux image. | 5.0.0 | 5.0.1-5.16.1| -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | | [2903374](#2903374)
| The nv show interfaces command returns a 500 error and syslog shows a python error, triggered by third party devices (non CL) missing LLDP fields
To work around this issue, disable LLDP on a single interface. | 5.0.0-5.0.1 | 5.1.0-5.16.1| | [2898044](#2898044)
| NVUE commands including the nv config apply command might fail with the following error because the /etc/resolv.conf file is missing
Failed to prepare to applyUnrecoverable internal error
| 5.0.0-5.0.1 | 5.1.0-5.16.1| | [2886488](#2886488)
| NVUE commands fail to configure port mirroring. | 5.0.0-5.0.1 | 5.1.0-5.16.1| | [2886476](#2886476)
| If you enable or disable the advertise primary IP address setting when originating EVPN default type-5 routes, the default route or prefix originated from one of the MLAG peers sends a null layer 3 VNI, which prevents the remote VTEP from installing the default route. | 5.0.0-5.1.0 | 5.2.0-5.16.1| -| [2885305](#2885305)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | +| [2885305, 2887500, 3234087, 3074929, 3293192](#2885305, 2887500, 3234087, 3074929, 3293192)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | | [2885287](#2885287)
| When you change the port breakout configuration, you must restart switchd to clean up any previously-associated port states and reinitialize the ports. Reloading switchd does not work. | 5.0.0-5.0.1 | 5.1.0-5.16.1| | [2875338](#2875338)
| In a scaled EVPN-MLAG configuration (observed with 400 or more VNIs and 20K or more MAC addresses – the actual scale might vary), when the peer link flaps causing all VNIs to come up at the same time, there might be high CPU utilization on the system for several minutes and the FRR service might restart. After FRR restarts or the CPU utilization settles down, the system functions normally. | 4.2.1-4.3.0, 4.4.0-4.4.5, 5.0.0-5.16.1 | 3.7.16, 4.3.1| -| [2867248](#2867248)
| The validate-ports -d command does not return the correct speeds for ports. Use the speeds specified in the /etc/cumulus/ports.conf file. | 5.0.0-5.1.0 | 5.2.0-5.16.1| +| [2867248, 2866947, 3124967](#2867248, 2866947, 3124967)
| The validate-ports -d command does not return the correct speeds for ports. Use the speeds specified in the /etc/cumulus/ports.conf file. | 5.0.0-5.1.0 | 5.2.0-5.16.1| | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.16.1 | | | [2861989](#2861989)
| Incomplete or unnecessary configuration in FRR results in FRR restarting instead of rejecting the configuration with an error. | 5.0.0-5.0.1 | 5.1.0-5.16.1| | [2860323](#2860323)
| If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry. | 4.4.0-5.0.1 | 5.1.0-5.16.1| @@ -266,11 +266,11 @@ pdfhidden: True | [2831968](#2831968)
| The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0, 4.4.0-5.1.0 | 4.3.1, 5.2.0-5.16.1| | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.16.1 | | | [2821929](#2821929)
| FRR restarts even when the NVUE configuration overwrite mode is set. | 5.0.0-5.3.1 | 5.4.0-5.16.1| -| [2812075](#2812075)
| When you configure PIM, you can either configure RP mappings for different multicast groups or use a prefix list to specify the RP to group mapping. You cannot use the two methods together. | 5.0.0-5.1.0 | 5.2.0-5.16.1| -| [2743186](#2743186)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| +| [2812075, 3077547](#2812075, 3077547)
| When you configure PIM, you can either configure RP mappings for different multicast groups or use a prefix list to specify the RP to group mapping. You cannot use the two methods together. | 5.0.0-5.1.0 | 5.2.0-5.16.1| +| [2743186, 2734100, 2731464, 3438708](#2743186, 2734100, 2731464, 3438708)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | | [2734103](#2734103)
| ACL [No More Resources] messages keep appearing and you can't reinstall the ACL. | 4.3.0-5.1.0 | 5.2.0-5.16.1| -| [2713888](#2713888)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| +| [2713888, 2834357](#2713888, 2834357)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | 5.1.0-5.16.1| | [2685994](#2685994)
| When you use the NVUE command nv set interface lo router ospf area to configure OSPF on a loopback interface, the configuration fails to apply
To work around this issue, configure the loopback interface in the desired OSPF area with the nv set vrf default router ospf area 0 network command and reference the assigned prefix of the loopback interface. For example:
cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32
| 4.0.0-5.0.1 | 5.1.0-5.16.1| | [2684925](#2684925)
| The NVUE nv show vrf default router bgp peer command produces a 404 not found error. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | | [2543915](#2543915)
| When you enable a service in the management VRF, systemctl issues a warning similar to the following:
Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run 'systemctl daemon-reload' to reload unit
You can safely ignore this warning. | 4.0.0-5.9.5 | 5.10.0-5.16.1| @@ -278,7 +278,7 @@ pdfhidden: True ### Fixed Issues in 5.0.0 | Issue ID | Description | Affects | |--- |--- |--- | -| [3108491](#3108491)
| In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. | 4.2.1-4.4.5 | | +| [3108491, 2434628](#3108491, 2434628)
| In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart switchd. | 4.2.1-4.4.5 | | | [2873186](#2873186)
| In an MLAG configuration with traditional bridges, MAC addresses are seen over peer link during ifreload when adding new VLANS or bridges. | 3.7.14.2-3.7.15, 4.3.0-4.4.5 | | | [2862211](#2862211)
| On NVIDIA Spectrum ASICs in a layer 2 bridge scaled configuration (more than 800 VLANs), clagd.service enters a failed state after a reboot or a switchd restart. | 3.7.12-3.7.15, 4.3.0, 4.4.2-4.4.5 | | | [2847618](#2847618)
| When you enable PIM on VLAN interfaces, multicast throughput might not achieve line rate depending on packet sizes in the multicast flow. | | | @@ -286,12 +286,12 @@ pdfhidden: True | [2841584](#2841584)
| After you upgrade Cumulus Linux on one of the MLAG peers, the bonds do not come up and the reason shows anycast-ip-mismatch even though there is no VXLAN configuration on the switch. To work around this issue, configure an anycast IP address under the loopback interface on both switches in the MLAG pair. | 4.4.2-4.4.5 | | | [2839140](#2839140)
| After building VLAN or VXLAN interfaces, MLAG becomes unstable. | 4.3.0-4.4.1 | | | [2835817](#2835817)
| Multicast packets are not seen on a SPAN port. | | | -| [2826121](#2826121)
| When you configure 199 VXLANs plus 199 VLANs, clagd crashes every few seconds. | 3.7.15, 4.3.0, 4.4.0-4.4.1 | | +| [2826121, 2826122](#2826121, 2826122)
| When you configure 199 VXLANs plus 199 VLANs, clagd crashes every few seconds. | 3.7.15, 4.3.0, 4.4.0-4.4.1 | | | [2821869](#2821869)
| The cl-route-check --layer3 command fails with a memory error. For example:
cumulus@switch:~$ sudo cl-route-check --layer3Traceback (most recent call last):
File "/usr/cumulus/bin/cl-route-check", line 1270, in 
 routing.collect_data()
File "/usr/cumulus/bin/cl-route-check", line 528, in collect_data
 self.collect_data_bgp_ipv4()
File "/usr/cumulus/bin/cl-route-check", line 711, in collect_data_bgp_ipv4
 bgp_ipv4 = json.loads(output)
File "/usr/lib/python2.7/json/__init__.py", line 338, in loads
 return _default_decoder.decode(s)
File "/usr/lib/python2.7/json/decoder.py", line 366, in decode
 obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/usr/lib/python2.7/json/decoder.py", line 382, in raw_decode
 obj, end = self.scan_once(s, idx)MemoryError
| 3.7.15 | | | [2820565](#2820565)
| SNMP does not start and you see errors similar to the following:
cumulus@switch:~$ sudo systemctl status snmpd.service snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
  Loaded: loaded (/lib/systemd/system/snmpd.service; enabled; vendor preset: enabled)
  Active: failed (Result: exit-code) since Mon 2021-10-11 14:38:13 UTC; 1min 8s ago
 Process: 1987 ExecStart=/usr/sbin/snmpd $SNMPDOPTS -f (code=exited, status=1/FAILURE)
Main PID: 1987 (code=exited, status=1/FAILURE)
To work around this issue, run the sudo systemctl restart snmpd.service command. | 4.3.0-4.4.5 | | | [2813563](#2813563)
| When you change the port speed with the NVUE nv set interface link speed command, then run nv config apply, the port is disabled. To work around this issue, run the ifreload -a command after you apply the port speed setting. | 4.4.0-4.4.5 | | | [2803428](#2803428)
| The clagctl -v -j and net show clag verbose json commands show incorrect output. | 4.4.0-4.4.5 | | -| [2803028](#2803028)
| Restarting switchd might fail due to an ACL SPAN module initialization failure. | 4.4.2-4.4.3 | | +| [2803028, 2804508](#2803028, 2804508)
| Restarting switchd might fail due to an ACL SPAN module initialization failure. | 4.4.2-4.4.3 | | | [2802859](#2802859)
| When the INTF_CMD list in the /etc/default/isc-dhcp-relay file includes non-existent or partially configured interfaces from the /etc/netwwork/interfaces file, there is an open file descriptor leak in DHCP Relay; the DHCP Relay service exits and you see error messages. To work around this issue, either clean up the INTF_CMD list in the /etc/default/isc-dhcp-relay file to remove non-existent or partially configured interfaces from the /etc/network/interfaces file or correct the /etc/network/interfaces file to have a complete configuration for all interfaces defined in the INTF_CMD list in the /etc/default/isc-dhcp-relay file. | 4.4.0-4.4.5 | | | [2799575](#2799575)
| When next hop tracking fails for a global next hop, BGP invalidates the entire path instead of only invalidating the global next hop. | 4.4.0-4.4.5 | | | [2799568](#2799568)
| When you add or remove a global unicast address from an interface, BGP does not update the global next hop advertised to the unnumbered BGP peer. | 4.4.0-4.4.5 | | @@ -299,25 +299,25 @@ pdfhidden: True | [2794766](#2794766)
| The Mellanox 3700C switch reports a slow memory leak in sx_sdk. Memory increases by about 240B/hour and does not free up. | 4.3.0-4.4.5 | | | [2792616](#2792616)
| If a neighbor entry (ARP or NDP) is used as a next hop of a route that is synchronized into hardware, the neighbor entry is not removed from hardware after the neighbor is no longer reachable. As a result, routed traffic matching this prefix is incorrectly hardware forwarded through the stale neighbor information. | 4.3.0-4.4.5 | | | [2781537](#2781537)
| In Cumulus VX, the iptables FORWARD chain does not count hits. To work around this issue, use -t mangle -A PREROUTING instead of FORWARD. | 4.3.0-4.4.5 | | -| [2780915](#2780915)
| In NVUE, you can't deactivate the IPv4 address family per neighbor. | 4.4.0-4.4.5 | | -| [2780834](#2780834)
| To enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | | +| [2780915, 2556028](#2780915, 2556028)
| In NVUE, you can't deactivate the IPv4 address family per neighbor. | 4.4.0-4.4.5 | | +| [2780834, 2555981](#2780834, 2555981)
| To enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | | | [2780211](#2780211)
| When you use the NVUE nv set vrf default router bgp peer local-as asn command to configure a local AS, Cumulus Linux does not update the etc/frr/frr.conf file. | 4.4.0-4.4.5 | | | [2755615](#2755615)
| When you set route_preferred_over_neigh to FALSE in the /etc/cumulus/switchd.conf file, host routes (/32 or /128) are used for forwarding in hardware instead of a local neighbor entry. | 4.0.0-4.3.0, 4.4.0-4.4.1 | | | [2753955](#2753955)
| On the Lenovo MSN3700 switch, if you try to configure an interface with a link speed of 200G, the configuration fails. | 4.2.1-4.4.5 | | | [2752330](#2752330)
| With BGP and layer 2 forwarding, Smart System Manager warm boot mode can cause packet loss. | 4.4.0-4.4.5 | | -| [2747750](#2747750)
| Links connected between a Spectrum 2 switch configured for warm boot and Spectrum 3 switches configured for cold boot might not come up when the switches are booted. | 4.4.2-4.4.5 | | +| [2747750, 2782819](#2747750, 2782819)
| Links connected between a Spectrum 2 switch configured for warm boot and Spectrum 3 switches configured for cold boot might not come up when the switches are booted. | 4.4.2-4.4.5 | | | [2739402](#2739402)
| The destination MAC address of ERSPAN GRE packets is set to all zeros. | 4.3.0-4.4.5 | | -| [2736249](#2736249)
| If you configure BGP graceful restart in the /etc/frr/frr.conf file, then apply the configuration with systemctl reload frr, the configuration fails to apply and you see the following error:
Job for frr.service failed
See "systemctl status frr.service" and "journalctl -xe" for details.
| | | -| [2736244](#2736244)
| When you run the vtysh command to enable BGP graceful restart on a peer multiple times, the command fails with the following error:
% The Graceful Restart command used is not valid at this moment.
| 4.4.0-4.4.5 | | +| [2736249, 2736244](#2736249, 2736244)
| If you configure BGP graceful restart in the /etc/frr/frr.conf file, then apply the configuration with systemctl reload frr, the configuration fails to apply and you see the following error:
Job for frr.service failed
See "systemctl status frr.service" and "journalctl -xe" for details.
| | | +| [2736244, 2736249](#2736244, 2736249)
| When you run the vtysh command to enable BGP graceful restart on a peer multiple times, the command fails with the following error:
% The Graceful Restart command used is not valid at this moment.
| 4.4.0-4.4.5 | | | [2734275](#2734275)
| On NVIDIA Spectrum-1, -2, and -3 switches, the decode-syseeprom command does not return the correct value
cumulus@switch:~$  decode-syseeprom -t psu1Device is not ready: absent
| | | | [2734119](#2734119)
| The ESI line of show bgp l2vpn evpn route command always shows VNI: 0. This is a cosmetic software issue. | 4.3.0-4.4.5 | | | [2732587](#2732587)
| The bridge MAC address is updated during a port change on bridge interfaces. | 4.3.0, 4.4.0-4.4.5 | | -| [2728119](#2728119)
| When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-4.4.5 | | +| [2728119, 2729309](#2728119, 2729309)
| When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-4.4.5 | | | [2698649](#2698649)
| When configuring a single VXLAN device in the /etc/network/interfaces file, if you edit the multicast group address in vxlan-mcastgrp-map, then revert the change, the change does not take effect. | 4.4.0-4.4.5 | | | [2687344](#2687344)
| On the NVIDIA SN3700 switch, the decode-syseeprom shows device absent for a PSU that is present. | 4.4.0-4.4.5 | | | [2599274](#2599274)
| On Mellanox Spectrum switches, when there is an MSTP forwarding state change on a bonds (for example, when the state changes from blocking to forwarding), the MSTP hardware table might set some VLANs to blocking when they should be forwarding. A a result, all packets on these VLANs drop at ingress
To recover from this state, flap the bond interface (not the physical swp) by running ifdown ; sleep 1 ; ifup . | 4.3.0-4.4.5 | | | [2556811](#2556811)
| Under certain high scale conditions, various modules might experience timetouts during cl-support collection, which results in missing data in the cl-support file. | 3.7.12-3.7.15, 4.1.1-4.3.0 | | -| [2556039](#2556039)
| In some corner cases, remote MAC entries may be seen as locally learnt entries in FDB table due to switchd reprogramming it | 3.7.12-3.7.14.2 | | -| [2555981](#2555981)
| In BGP, to enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | | +| [2556039, 2545364, 3297583](#2556039, 2545364, 3297583)
| In some corner cases, remote MAC entries may be seen as locally learnt entries in FDB table due to switchd reprogramming it | 3.7.12-3.7.14.2 | | +| [2555981, 2584227, 2780834](#2555981, 2584227, 2780834)
| In BGP, to enable an address family on a peer, you have to enable the address family globally. | 4.4.0-4.4.5 | | | [2554783](#2554783)
| If you apply an outbound route map to a BGP peer that uses set as-path prepend last-as, advertised locally-originated routes have the ASN of the peer prepended to the AS path.
This might trigger AS path loop prevention on the peer, where the peer ignores locally-originated prefixes. | 4.2.1-4.4.5 | | diff --git a/content/cumulus-linux-50/rn.xml b/content/cumulus-linux-50/rn.xml index 5814f34024..ce5639b9e7 100644 --- a/content/cumulus-linux-50/rn.xml +++ b/content/cumulus-linux-50/rn.xml @@ -19,7 +19,7 @@ 5.15.0-5.16.1 -4413450 +4413450, 4497128 When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. 5.0.0-5.11.1, 5.13.0-5.13.1 5.11.2, 5.14.0-5.16.1 @@ -37,7 +37,7 @@ 5.9.2-5.16.1, 5.10.0-5.16.1 -3895042 +3895042, 3895041 After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes: snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a This issue occurs because {{poectl}} is called on non-PoE switches. To work around this issue, remove or comment out the {{poetcl}} call from the {{/etc/snmpd.conf}} file, then restart the {{snmpd}} process with the {{sudo systemctl snmpd restart}} command. @@ -94,7 +94,7 @@ cumulus@switch:~$ sudo apt upgrade 4.3.2-4.4.5, 5.6.0-5.16.1 -3474391 +3474391, 3479772 The SNMP MIB definition file {{/usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt}} does not define the INDEX of the {{bgpPeerEntry}} correctly. This issue does not impact SNMP functionality for this MIB. 4.3.1-5.5.1 5.6.0-5.16.1 @@ -118,7 +118,7 @@ cumulus@switch:~$ sudo apt upgrade 5.5.0-5.16.1 -3424967 +3424967, 3413785 {{sudo}} for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the {{default}} VRF. To work around this issue, specify the interface name that the {{default}} VRF uses in the {{vrf=}} setting of the {{/etc/tacplus_servers}} file or run the NVUE {{nv set system aaa tacacs vrf}} command. If you don't run either command, a TACACS+ user with privilege level 15 can run {{vrf task exec default sudo ...}} to execute the {{sudo}} command. 5.0.0-5.16.1 @@ -131,7 +131,7 @@ The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 -3413785 +3413785, 3424967 To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE {{nv set system aaa tacacs vrf <interface>}} command (for example, {{nv set system aaa tacacs vrf swp51}}) or set the {{vrf=<interface>}} option in the {{/etc/tacplus_servers}} file (for example, {{vrf=swp51}}). A similar issue might prevent TACACS+ users with privilege level 15 from using {{sudo}} if the TACACS+ server is reachable only on the {{default}} VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use {{vrf task exec default sudo ...}} to execute the {{sudo}} command using the TACACS+ server on the {{default}} VRF. 5.0.0-5.5.1 5.6.0-5.16.1 @@ -248,7 +248,7 @@ Packet size is larger than router interface MTU – Validate the router interfac 5.3.0-5.16.1 -3195345 +3195345, 3195390 Communication between single-connected MLAG hosts on different switches fails because packets received by single-connected MLAG hosts are not forwarded over the peer link. To work around this issue, when adding a switch to an MLAG pair, enable all the interfaces. 5.0.0-5.0.1 5.1.0-5.16.1 @@ -260,7 +260,7 @@ Packet size is larger than router interface MTU – Validate the router interfac 4.3.2 -3157240 +3157240, 3173622 When you try to query REDECN counters with the {{mlxcmd}} utility on a bond member port with the following commands, syslog reports an error. sudo /usr/lib/cumulus/mlxcmd roce counters --port <swp> @@ -296,7 +296,7 @@ sudo /usr/lib/cumulus/mlxcmd qos counters --clear --port <swp> 5.9.0-5.16.1 -3141818 +3141818, 3163200 If there is extensive and continuous next-hop group (NHG) churn when routes keep moving from one NHG to another NHG repeatedly, {{switchd}} increases in memory allocation until memory is exhausted. Other processes might be affected as they try to acquire memory which is unavailable. 5.0.1-5.1.0 5.2.0-5.16.1 @@ -355,7 +355,7 @@ sx_sdk: EMAD_RX_THREAD: EMAD transaction FW error 4.3.1, 5.2.0-5.16.1 -3119673 +3119673, 2888040 If the switch receives an EVPN route with multiple RTs that match the import policy for a local VNI, the {{bgpd}} service crashes. 5.0.0-5.1.0 5.2.0-5.16.1 @@ -420,7 +420,7 @@ cumulus@switch:~$ nv config apply 5.2.0-5.16.1 -3077547 +3077547, 2812075 When you configure multiple multicast RPs with groups matched by prefix lists, Cumulus Linux selects only one of the RPs and this selection is incorrect. 5.0.1-5.1.0 5.2.0-5.16.1 @@ -432,7 +432,7 @@ cumulus@switch:~$ nv config apply 5.2.0-5.16.1 -3074390 +3074390, 3055255, 2602877 You can not apply NVUE configurations when TACACS is enabled for user authentication. To work around this issue, add the {{nvue}} account to the {{exclude_users}} line in {{/etc/tacplus_nss.conf}}: exclude_users=root,daemon,nobody,cron,radius_user,radius_priv_user,sshd,cumulus,quagga,frr,nvue,snmp,www-data,ntp,man,_lldpd,* @@ -479,20 +479,20 @@ cumulus@switch:~$ nv config apply 5.2.0-5.16.1 -3059135 +3059135, 3060400 In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route. To resolve this issue, restart FRR with the {{sudo systemctl restart frr}} command. 4.3.0-5.1.0 5.2.0-5.16.1 -3055255 +3055255, 3074390 When you run the NVUE {{nv show interface}} command, a watchdog timeout might occur and the {{nvued}} service fails. 5.0.1 5.1.0-5.16.1 -3054869 +3054869, 3148920 When you run NVUE commands as part of ZTP scripts, the commands fail with errors that indicate a missing $HOME environment variable. The issue has been fixed where the ZTP module initializes the $HOME environment variable before launching the ZTP scripts. However, if you are running older releases, before you use any NVUE commands in the ZTP script, add a section and define the {{HOME}} environment variable. Populate the variable with the default expected {{root}} user home directory value (/root), then export the {{HOME}} variable so it is available globally for NVUE to use. HOME=/root @@ -502,7 +502,7 @@ export HOME 5.2.0-5.16.1 -3046023 +3046023, 3096918 The {{cl-resource-query}} command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the {{switchd.log}} file contains ECMP resource errors with routes and next hops failing to install. 4.2.1-5.1.0 5.2.0-5.16.1 @@ -551,13 +551,13 @@ Failure during apply. Ignore? [y/N] 5.1.0-5.16.1 -3034435 +3034435, 3101184 In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community. 4.4.4-5.4.0 5.5.0-5.16.1 -3032234 +3032234, 3163643 In BGP unnumbered, when you try to remove an interface from the underlay default VRF with the NVUE {{nv unset vrf default router bgp neighbor <interface>}} command, the command fails to apply. 4.4.2-5.0.1 5.1.0-5.16.1 @@ -771,7 +771,7 @@ Dec 15 10:01:35 leaf01 switchd3431: hal_mlx_ecmp.c:2207 ERR ECMP: failed to find 4.4.3-4.4.5, 5.1.0-5.16.1 -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -809,7 +809,7 @@ Unrecoverable internal error 5.2.0-5.16.1 -2885305 +2885305, 2887500, 3234087, 3074929, 3293192 Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. 5.0.0-5.16.1 @@ -827,7 +827,7 @@ Unrecoverable internal error 3.7.16, 4.3.1 -2867248 +2867248, 2866947, 3124967 The {{validate-ports -d}} command does not return the correct speeds for ports. Use the speeds specified in the {{/etc/cumulus/ports.conf}} file. 5.0.0-5.1.0 5.2.0-5.16.1 @@ -885,13 +885,13 @@ To work around this issue, run the vtysh {{clear ip mroute}} command. 5.4.0-5.16.1 -2812075 +2812075, 3077547 When you configure PIM, you can either configure RP mappings for different multicast groups or use a prefix list to specify the RP to group mapping. You cannot use the two methods together. 5.0.0-5.1.0 5.2.0-5.16.1 -2743186 +2743186, 2734100, 2731464, 3438708 When you use MD5 passwords and you configure a non-default VRF before the default VRF in the {{/etc/frr/frr.conf}} file, numbered BGP sessions do not establish. 3.7.15-5.1.0 5.2.0-5.16.1 @@ -909,7 +909,7 @@ To work around this issue, run the vtysh {{clear ip mroute}} command. 5.2.0-5.16.1 -2713888 +2713888, 2834357 With the {{ip-acl-heavy}} TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly. hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources @@ -978,7 +978,7 @@ To work around this issue, if you run {{apt dist-upgrade}} and {{switchd}} no lo 5.15.0-5.16.1 -4413450 +4413450, 4497128 When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. 5.0.0-5.11.1, 5.13.0-5.13.1 5.11.2, 5.14.0-5.16.1 @@ -990,7 +990,7 @@ To work around this issue, if you run {{apt dist-upgrade}} and {{switchd}} no lo 5.9.2-5.16.1, 5.10.0-5.16.1 -3895042 +3895042, 3895041 After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes: snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a This issue occurs because {{poectl}} is called on non-PoE switches. To work around this issue, remove or comment out the {{poetcl}} call from the {{/etc/snmpd.conf}} file, then restart the {{snmpd}} process with the {{sudo systemctl snmpd restart}} command. @@ -1047,7 +1047,7 @@ cumulus@switch:~$ sudo apt upgrade 4.3.2-4.4.5, 5.6.0-5.16.1 -3474391 +3474391, 3479772 The SNMP MIB definition file {{/usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt}} does not define the INDEX of the {{bgpPeerEntry}} correctly. This issue does not impact SNMP functionality for this MIB. 4.3.1-5.5.1 5.6.0-5.16.1 @@ -1071,7 +1071,7 @@ cumulus@switch:~$ sudo apt upgrade 5.5.0-5.16.1 -3424967 +3424967, 3413785 {{sudo}} for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the {{default}} VRF. To work around this issue, specify the interface name that the {{default}} VRF uses in the {{vrf=}} setting of the {{/etc/tacplus_servers}} file or run the NVUE {{nv set system aaa tacacs vrf}} command. If you don't run either command, a TACACS+ user with privilege level 15 can run {{vrf task exec default sudo ...}} to execute the {{sudo}} command. 5.0.0-5.16.1 @@ -1084,7 +1084,7 @@ The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 -3413785 +3413785, 3424967 To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE {{nv set system aaa tacacs vrf <interface>}} command (for example, {{nv set system aaa tacacs vrf swp51}}) or set the {{vrf=<interface>}} option in the {{/etc/tacplus_servers}} file (for example, {{vrf=swp51}}). A similar issue might prevent TACACS+ users with privilege level 15 from using {{sudo}} if the TACACS+ server is reachable only on the {{default}} VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use {{vrf task exec default sudo ...}} to execute the {{sudo}} command using the TACACS+ server on the {{default}} VRF. 5.0.0-5.5.1 5.6.0-5.16.1 @@ -1177,13 +1177,13 @@ Packet size is larger than router interface MTU – Validate the router interfac 5.3.0-5.16.1 -3195345 +3195345, 3195390 Communication between single-connected MLAG hosts on different switches fails because packets received by single-connected MLAG hosts are not forwarded over the peer link. To work around this issue, when adding a switch to an MLAG pair, enable all the interfaces. 5.0.0-5.0.1 5.1.0-5.16.1 -3157240 +3157240, 3173622 When you try to query REDECN counters with the {{mlxcmd}} utility on a bond member port with the following commands, syslog reports an error. sudo /usr/lib/cumulus/mlxcmd roce counters --port <swp> @@ -1252,7 +1252,7 @@ sx_sdk: EMAD_RX_THREAD: EMAD transaction FW error 4.3.1, 5.2.0-5.16.1 -3119673 +3119673, 2888040 If the switch receives an EVPN route with multiple RTs that match the import policy for a local VNI, the {{bgpd}} service crashes. 5.0.0-5.1.0 5.2.0-5.16.1 @@ -1318,14 +1318,14 @@ To work around this issue, set the VNI interface mapped to VLAN 1 down and up ag 4.4.4-4.4.5, 5.2.0-5.16.1 -3059135 +3059135, 3060400 In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route. To resolve this issue, restart FRR with the {{sudo systemctl restart frr}} command. 4.3.0-5.1.0 5.2.0-5.16.1 -3054869 +3054869, 3148920 When you run NVUE commands as part of ZTP scripts, the commands fail with errors that indicate a missing $HOME environment variable. The issue has been fixed where the ZTP module initializes the $HOME environment variable before launching the ZTP scripts. However, if you are running older releases, before you use any NVUE commands in the ZTP script, add a section and define the {{HOME}} environment variable. Populate the variable with the default expected {{root}} user home directory value (/root), then export the {{HOME}} variable so it is available globally for NVUE to use. HOME=/root @@ -1335,7 +1335,7 @@ export HOME 5.2.0-5.16.1 -3046023 +3046023, 3096918 The {{cl-resource-query}} command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the {{switchd.log}} file contains ECMP resource errors with routes and next hops failing to install. 4.2.1-5.1.0 5.2.0-5.16.1 @@ -1359,13 +1359,13 @@ export HOME 5.4.0-5.16.1 -3034435 +3034435, 3101184 In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community. 4.4.4-5.4.0 5.5.0-5.16.1 -3032234 +3032234, 3163643 In BGP unnumbered, when you try to remove an interface from the underlay default VRF with the NVUE {{nv unset vrf default router bgp neighbor <interface>}} command, the command fails to apply. 4.4.2-5.0.1 5.1.0-5.16.1 @@ -1550,7 +1550,7 @@ To work around this issue, if you run {{apt dist-upgrade}} and {{switchd}} no lo 5.0.1-5.16.1 -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -1588,7 +1588,7 @@ Unrecoverable internal error 5.2.0-5.16.1 -2885305 +2885305, 2887500, 3234087, 3074929, 3293192 Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. 5.0.0-5.16.1 @@ -1606,7 +1606,7 @@ Unrecoverable internal error 3.7.16, 4.3.1 -2867248 +2867248, 2866947, 3124967 The {{validate-ports -d}} command does not return the correct speeds for ports. Use the speeds specified in the {{/etc/cumulus/ports.conf}} file. 5.0.0-5.1.0 5.2.0-5.16.1 @@ -1664,13 +1664,13 @@ To work around this issue, run the vtysh {{clear ip mroute}} command. 5.4.0-5.16.1 -2812075 +2812075, 3077547 When you configure PIM, you can either configure RP mappings for different multicast groups or use a prefix list to specify the RP to group mapping. You cannot use the two methods together. 5.0.0-5.1.0 5.2.0-5.16.1 -2743186 +2743186, 2734100, 2731464, 3438708 When you use MD5 passwords and you configure a non-default VRF before the default VRF in the {{/etc/frr/frr.conf}} file, numbered BGP sessions do not establish. 3.7.15-5.1.0 5.2.0-5.16.1 @@ -1688,7 +1688,7 @@ To work around this issue, run the vtysh {{clear ip mroute}} command. 5.2.0-5.16.1 -2713888 +2713888, 2834357 With the {{ip-acl-heavy}} TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly. hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources @@ -1731,7 +1731,7 @@ You can safely ignore this warning. Affects -3108491 +3108491, 2434628 In EVPN deployments, a buffer lockup for split or pre-split ports can occur on Spectrum-2 and Spectrum-3 switches. As result, traffic coming in on these ports is dropped in the RX buffer. To work around this issue, restart {{switchd}}. 4.2.1-4.4.5 @@ -1772,7 +1772,7 @@ To work around this issue, configure an anycast IP address under the loopback in -2826121 +2826121, 2826122 When you configure 199 VXLANs plus 199 VLANs, {{clagd}} crashes every few seconds. 3.7.15, 4.3.0, 4.4.0-4.4.1 @@ -1823,7 +1823,7 @@ To work around this issue, run the {{sudo systemctl restart snmpd.service}} comm 4.4.0-4.4.5 -2803028 +2803028, 2804508 Restarting {{switchd}} might fail due to an ACL SPAN module initialization failure. 4.4.2-4.4.3 @@ -1864,12 +1864,12 @@ To work around this issue, do not disable EVPN Advertise Primary IP Address, whi 4.3.0-4.4.5 -2780915 +2780915, 2556028 In NVUE, you can't deactivate the IPv4 address family per neighbor. 4.4.0-4.4.5 -2780834 +2780834, 2555981 To enable an address family on a peer, you have to enable the address family globally. 4.4.0-4.4.5 @@ -1894,7 +1894,7 @@ To work around this issue, do not disable EVPN Advertise Primary IP Address, whi 4.4.0-4.4.5 -2747750 +2747750, 2782819 Links connected between a Spectrum 2 switch configured for warm boot and Spectrum 3 switches configured for cold boot might not come up when the switches are booted. 4.4.2-4.4.5 @@ -1904,14 +1904,14 @@ To work around this issue, do not disable EVPN Advertise Primary IP Address, whi 4.3.0-4.4.5 -2736249 +2736249, 2736244 If you configure BGP graceful restart in the {{/etc/frr/frr.conf}} file, then apply the configuration with {{systemctl reload frr}}, the configuration fails to apply and you see the following error: Job for frr.service failed. See "systemctl status frr.service" and "journalctl -xe" for details. -2736244 +2736244, 2736249 When you run the vtysh command to enable BGP graceful restart on a peer multiple times, the command fails with the following error: % The Graceful Restart command used is not valid at this moment. 4.4.0-4.4.5 @@ -1936,7 +1936,7 @@ Device is not ready: absent 4.3.0, 4.4.0-4.4.5 -2728119 +2728119, 2729309 When VRF devices are deleted and reconfigured (for example, during a networking service restart), dynamic BGP neighbors might fail to reestablish. To work around this issue, restart FRR with the {{sudo systemctl restart frr}} command. 4.3.0-4.4.5 @@ -1963,12 +1963,12 @@ To recover from this state, flap the bond interface (not the physical swp) by ru 3.7.12-3.7.15, 4.1.1-4.3.0 -2556039 +2556039, 2545364, 3297583 In some corner cases, remote MAC entries may be seen as locally learnt entries in FDB table due to switchd reprogramming it 3.7.12-3.7.14.2 -2555981 +2555981, 2584227, 2780834 In BGP, to enable an address family on a peer, you have to enable the address family globally. 4.4.0-4.4.5 diff --git a/content/cumulus-linux-51/Whats-New/rn.md b/content/cumulus-linux-51/Whats-New/rn.md index 82cbe8cc77..22019d526c 100644 --- a/content/cumulus-linux-51/Whats-New/rn.md +++ b/content/cumulus-linux-51/Whats-New/rn.md @@ -16,11 +16,11 @@ pdfhidden: True |--- |--- |--- |--- | | [4797691](#4797691)
| The message that the switch displays when you generate a cl-support file or as a post login banner contains an invalid Cumulus Support email address, which is no longer the formal channel for reporting support issues. | 5.0.0-5.9.4, 5.15.1 | 5.9.5, 5.16.0-5.16.1| | [4647646](#4647646)
| If you configure policy-based routing (PBR) rules for more than 32 interfaces, only the rules assigned to the first 32 interfaces are installed in the kernel. | 4.4.2-5.14.0 | 5.15.0-5.16.1| -| [4413450](#4413450)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.11.1, 5.13.0-5.13.1 | 5.11.2, 5.14.0-5.16.1| +| [4413450, 4497128](#4413450, 4497128)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.11.1, 5.13.0-5.13.1 | 5.11.2, 5.14.0-5.16.1| | [4377862](#4377862)
| When processing the static IP assignment for an interface previously managed through DHCP, Cumulus Linux fails to clean up the DHCP created state completely. As a result when the IP address assigned by DHCP earlier expires, the switch eventually loses connectivity. | 5.1.0-5.9.3 | 5.9.4-5.16.1, 5.11.2-5.16.1, 5.13.0-5.16.1| | [4004453](#4004453)
| The NVUE commands to delete SNMP users, and change authentication passwords and encryption passphrases are not successful. | 4.3.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3927016](#3927016)
| Following an EVPN extended mobility event, where a host with IP address A and MAC address A moves within the fabric and now resides at IP address A and MAC address B, you might see traffic destined to this host experience drops as the flow is software forwarded on the egress VTEP. | 5.0.1-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| -| [3895042](#3895042)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| +| [3895042, 3895041](#3895042, 3895041)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3773177](#3773177)
| When you try to upgrade a switch from Cumulus Linux before 5.6.0 with package upgrade, you might see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.
cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt install ./cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt update
cumulus@switch:~$ sudo apt upgrade
| 4.0.0-4.4.5, 5.0.0-5.16.1 | | | [3713419](#3713419)
| When monitoring system statistics and network traffic with sFlow, an aggressive link flap might produce a memory leak in the sFlow service hsflowd. | 5.1.0-5.7.0 | 5.8.0-5.16.1| | [3684998](#3684998)
| DHCP lease information is not collected in the cl-support file. | 4.3.0-5.6.0 | 5.7.0-5.16.1| @@ -30,18 +30,18 @@ pdfhidden: True | [3491259](#3491259)
| When BGP receives an EVPN type-5 route with a gateway IP overlay attribute, the gateway IP overlay attribute in the attr memory (which is already inserted in the attribute hash) might change. As a result, the modified attr memory might match with another attr in the attribute hash, which produces duplicate entries in the hash table. As a result, BGP might crash when deleting one of the duplicate attr structures. | 5.0.0-5.5.1 | 4.3.2-4.4.5, 5.6.0-5.16.1| | [3488136](#3488136)
| When zebra receives route updates that include both a route with a recursive next hop and the route used to resolve that next hop, zebra might mark the route with the recursive next hop as inactive. To work around this issue, reprocess the route updates by running the appropriate clear command for the protocol in use. For example, for BGP, clear inbound routes from the relevant neighbor using the nv action clear vrf router bgp neighbor address-family in command. | 4.2.1-5.5.1 | 5.6.0-5.16.1| | [3482006](#3482006)
| If FRR learns a layer 2 entry against a VNI and you reconfigure the VNI later as a layer 3 VNI, the original layer 2 entry does not clear and remains in the forwarding database. | 5.0.0-5.5.1 | 4.3.2-4.4.5, 5.6.0-5.16.1| -| [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.16.1| +| [3474391, 3479772](#3474391, 3479772)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.16.1| | [3445841](#3445841)
| FRR does not apply Type-0 ESI configuration for EVPN multihoming bonds consistently after an FRR service reload. This issue occurs because the system MAC address value (es-sys-mac) is only compatible with a 3-byte Ethernet segment ID (es-id) for Type-3 ESIs, but still renders even when the Ethernet segment ID is 10 bytes for Type-0 ESIs. To work around this issue, configure EVPN multihoming bonds with a Type-3 ESI (es-sys-mac plus a 3-byte es-id). | 5.0.0-5.6.0 | 5.7.0-5.16.1| | [3432897](#3432897)
| When you remove the restriction from a TACACS+ mapped user to remove per command authorization, the tacplus-restrict -R command does not restore ownership of restored files correctly. As a result, some commands might fail due to permission errors in the files or directories under the home directory. To work around this issue, run the sudo chown command to correct the ownership of the affected files and directories. | 5.0.0-5.4.0 | 5.5.0-5.16.1| | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.16.1| -| [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | +| [3424967, 3413785](#3424967, 3413785)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [3413785](#3413785)
| To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.5.1 | 5.6.0-5.16.1| +| [3413785, 3424967](#3413785, 3424967)
| To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.5.1 | 5.6.0-5.16.1| | [3388067](#3388067)
| TACACS+ packages in the local apt repository might be out of date; as a result, the upgrade does not install tacacs0 through tacacs15 users in the correct NVUE groups. When you run NVUE commands as a TACACS+ user, the commands fail and you see the error You do not have permission to execute that command
To obtain the correct packages, install the tacplus-client package and its dependencies from apt.cumulusnetworks.com. | 5.1.0-5.4.0 | 5.5.0-5.16.1| | [3375071](#3375071)
| On the NVIDIA SN2010 and SN2100 switch, smond indicates that the FAN status is BAD and syslog is flooded with Path /run/hw-management/thermal/fan1_status does not exist errors. When you run the smonctl -v command, the TEMP on switch looks OK
cumulus@switch:~$ smonctl -vFan1(Fan 1): BAD fan:6931 RPM (max = 25000 RPM, min = 4500 RPM, limit_variance = 15%)Fan2(Fan 2): BAD fan:6619 RPM (max = 25000 RPM, min = 4500 RPM, limit_variance = 15%)Fan3(Fan 3): BAD fan:6931 RPM (max = 25000 RPM, min = 4500 RPM, limit_variance = 15%)Fan4(Fan 4): BAD fan:6720 RPM (max = 25000 RPM, min = 4500 RPM, limit_variance = 15%)
| 5.1.0-5.4.0 | 5.5.0-5.16.1| | [3351951](#3351951)
| Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-4.3.1, 4.4.0-4.4.5, 5.0.0-5.16.1 | 4.3.2| | [3350789](#3350789)
| NVUE deprecated the port split command options (2x10G, 2x25G, 2x40G, 2x50G, 2x100G, 2x200G, 4x10G, 4x25G, 4x50G, 4x100G, 8x50G) with no backwards compatibility. | 5.0.0-5.4.0 | 5.5.0-5.16.1| -| [3347677](#3347677)
| In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown. | 5.1.0-5.6.0 | 5.7.0-5.16.1| +| [3347677, 3180068](#3347677, 3180068)
| In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown. | 5.1.0-5.6.0 | 5.7.0-5.16.1| | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.16.1| | [3329096](#3329096)
| The traffic control rules that the EVPN multihoming configuration adds to an interface are deleted when the hsflowd service restarts. The hsflowd service deletes the EVPN multihoming traffic control filters after you stop hsflowd, then adds back the match-all filters with the psample action; however, hsflowd does not add back the EVPN multihoming traffic control rules. | 5.0.0-5.3.1 | 5.4.0-5.16.1| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.16.1 | | @@ -62,23 +62,23 @@ pdfhidden: True | [3202991](#3202991)
| Locally generated multicast traffic including IGMPv2 GSQs do not transmit to local clients when using PIM. | 5.0.1-5.2.1 | 5.3.0-5.16.1| | [3200373](#3200373)
| After rebooting the switch, the IPv6 link local address for an SVI that belongs to non-default VRF is missing, and doesn't show on the switch. To resolve this issue, run the ifreload -a command. | 5.0.0-5.2.1 | 5.3.0-5.16.1| | [3192808](#3192808)
| When a switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-4.3.1, 4.4.0-4.4.5, 5.0.1-5.16.1 | 4.3.2| -| [3187469](#3187469)
| At high scale with 160 VRFs and 10 VLANs per VRF (a total of 1600 VLANs), you see traffic loss during primary switch reboot. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address. | 5.1.0-5.5.1 | 5.6.0-5.16.1| +| [3187469, 3188618](#3187469, 3188618)
| At high scale with 160 VRFs and 10 VLANs per VRF (a total of 1600 VLANs), you see traffic loss during primary switch reboot. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address. | 5.1.0-5.5.1 | 5.6.0-5.16.1| | [3180043](#3180043)
| The EVPN Multihoming ESI configuration command nv set interface evpn multihoming segment identifier does not work. | 5.1.0-5.2.1 | 5.3.0-5.16.1| | [3178090](#3178090)
| The cl-support generation script causes TC filter collection to run as a background process for each interface, which can lead to memory exhaustion on a high scale configuration and on a switch with a small memory footprint. | 5.1.0-5.5.1 | 5.6.0-5.16.1| | [3176318](#3176318)
| The NVUE nv set bridge domain br_default stp priority command does not change the STP priority. | 5.1.0-5.2.1 | 5.3.0-5.16.1| | [3172295](#3172295)
| In rare cases, changing configuration on an existing bond, VLAN, or VXLAN interface can result in the MTU of that interface being reset to 0. To work around this issue, run ifreload -a a second time to set the MTU back to the configured or default value. | 5.1.0 | 5.2.0-5.16.1| | [3166746](#3166746)
| FRR does not install EVPN type-2 routes correctly after the specific operation that deletes and adds all non-uplink ports. The routes show as rejected in the zebra RIB. To work around this problem, restart FRR with the sudo systemctl restart frr command. | 5.1.0-5.2.1 | 5.3.0-5.16.1| -| [3163200](#3163200)
| If there is extensive and continuous next-hop group (NHG) churn when routes keep moving from one NHG to another NHG repeatedly, switchd increases in memory allocation until memory is exhausted. Other processes might be affected as they try to acquire memory which is unavailable. | 5.1.0 | 5.2.0-5.16.1| -| [3163159](#3163159)
| The NVUE command to disable EVPN duplicate address detection does not work. To work around this issue, use an NVUE snippet. | 5.1.0 | 5.2.0-5.16.1| -| [3157240](#3157240)
| When you try to query REDECN counters with the mlxcmd utility on a bond member port with the following commands, syslog reports an error
sudo /usr/lib/cumulus/mlxcmd roce counters --port sudo /usr/lib/cumulus/mlxcmd qos counters --clear --port
| 4.4.4-5.1.0 | 5.2.0-5.16.1| +| [3163200, 3141818](#3163200, 3141818)
| If there is extensive and continuous next-hop group (NHG) churn when routes keep moving from one NHG to another NHG repeatedly, switchd increases in memory allocation until memory is exhausted. Other processes might be affected as they try to acquire memory which is unavailable. | 5.1.0 | 5.2.0-5.16.1| +| [3163159, 3096856](#3163159, 3096856)
| The NVUE command to disable EVPN duplicate address detection does not work. To work around this issue, use an NVUE snippet. | 5.1.0 | 5.2.0-5.16.1| +| [3157240, 3173622](#3157240, 3173622)
| When you try to query REDECN counters with the mlxcmd utility on a bond member port with the following commands, syslog reports an error
sudo /usr/lib/cumulus/mlxcmd roce counters --port sudo /usr/lib/cumulus/mlxcmd qos counters --clear --port
| 4.4.4-5.1.0 | 5.2.0-5.16.1| | [3150477](#3150477)
| Cumulus Linux incorrectly programs overlay routes in the hardware as LOCAL routes instead of pointing to the remote VTEP even though the kernel has the correct route entry and next hop. To recover from this state, restart the switchd service with the systemctl restart switchd.service command. | 5.1.0 | 5.2.0-5.16.1| | [3150317](#3150317)
| During a host failure, where a link remains up but LACP stops being sent, the EVPN multihoming ES bond goes into bypass mode active without a link state change. | 4.4.2-5.2.1 | 5.3.0-5.16.1| | [3150208](#3150208)
| When a ZTP script executes a switchd restart, the switchd service might fail with the following log message:
switchd[11549]: hal.c:1378 CRIT No backends found
To work around this issue, avoid restarting the switchd service in the ZTP script; reboot the switch instead. | 5.1.0-5.2.1 | 5.3.0-5.16.1| -| [3148920](#3148920)
| NVUE configuration commands produce errors when included as part of a ZTP script that executes automatically during the switch boot process. This occurs because the $HOME variable is not set during ZTP. This does not occur if you trigger ZTP manually from the CLI with the sudo ztp -r http://x.x.x.x/cumulus-ztp command. To work around this issue, define the $HOME variable within the ZTP script with export HOME=/root. | 5.1.0 | 5.2.0-5.16.1| +| [3148920, 3054869](#3148920, 3054869)
| NVUE configuration commands produce errors when included as part of a ZTP script that executes automatically during the switch boot process. This occurs because the $HOME variable is not set during ZTP. This does not occur if you trigger ZTP manually from the CLI with the sudo ztp -r http://x.x.x.x/cumulus-ztp command. To work around this issue, define the $HOME variable within the ZTP script with export HOME=/root. | 5.1.0 | 5.2.0-5.16.1| | [3146886](#3146886)
| FRR does not establish BGP peering with neighbors configured with a router ID that overlaps with IP addresses in the class D or E address spaces. | 5.1.0 | 5.2.0-5.16.1| | [3142615](#3142615)
| The BGP4-MIB.txt file is missing from Net-SNMP agent. | 5.0.0-5.4.0 | 5.5.0-5.16.1| | [3141826](#3141826)
| A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1)
1.3.6.1.2.1.47 --> Entity MIB
1.3.6.1.2.1.99 --> Entity Sensor MIB
1.3.6.1.2.1.23 --> rip2
1.3.6.1.2.1.2 --> interface/interfaces
1.3.6.1.2.1.31 --> ifMIB
1.3.6.1.2.1.4 --> IP
1.3.6.1.2.1.25 --> hostResource | 5.0.1-5.8.0 | 5.9.0-5.16.1| -| [3141818](#3141818)
| If there is extensive and continuous next-hop group (NHG) churn when routes keep moving from one NHG to another NHG repeatedly, switchd increases in memory allocation until memory is exhausted. Other processes might be affected as they try to acquire memory which is unavailable. | 5.0.1-5.1.0 | 5.2.0-5.16.1| +| [3141818, 3163200](#3141818, 3163200)
| If there is extensive and continuous next-hop group (NHG) churn when routes keep moving from one NHG to another NHG repeatedly, switchd increases in memory allocation until memory is exhausted. Other processes might be affected as they try to acquire memory which is unavailable. | 5.0.1-5.1.0 | 5.2.0-5.16.1| | [3139364](#3139364)
| When Cumulus Linux updates the ECMP container with a new next hop list, it allocates the flow counters for the new next hop list without deallocating the counters bound to the old next hop list. This results in resource exhaustion and you see the following error messages in the /var/log/switchd.log file:
hal_mlx_stat.c:3215 ERR Failed to allocate counter(s) for ecmp [71025:0] status: Internal Errorhal_mlx_stat.c:3196 ERR Counter set for ecmp [71025:0] idx 0 failed: Internal Errorhal_mlx_sdk_nexthop_wrap.c:1076 ERR Counter 0 alloc for ecmp next hop failed: Internal Errorhal_mlx_sdk_counter_wrap.c:54 ERR Counter alloc failed: No More Resources
This issue does not have any functional impact to forwarding. Even without the flow counters attached to the ECMP group, packet forwarding works without any issues
To avoid allocating next hop counters for any new ECMP next hop list update, set mlx.stats.ecmp.enable to FALSE in the /etc/mlx/datapath/stats.conf file, then restart switchd with the sudo systemctl reload switchd command. | 5.0.0-5.2.1 | 5.3.0-5.16.1| | [3138746](#3138746)
| The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0-5.1.0 | 5.2.0-5.16.1| | [3138057](#3138057)
| When the next hop interface for EVPN type 5 routes flaps, FRR might uninstall the routes and Route install failed appears in /var/log/frr/frr.log. To work around this problem, restart FRR with the sudo systemctl restart frr command. | 4.4.0-5.2.1 | 5.3.0-5.16.1| @@ -88,7 +88,7 @@ pdfhidden: True | [3131423](#3131423)
| During EVPN multihoming bond failover, ARP and ND redirection fails if you configure layer 2 VNIs and ES bonds before you configure the loopback IP address of the switch. To work around this issue, configure the loopback IP address, then restart FRR with the systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| | [3123965](#3123965)
| Under heavy system load, when many forwarding resources (routes, neighbors, ECMP groups, and so on) are removed from hardware, subsequent attempts to configure additional forwarding resources might fail and you see the following log message:
sx_sdk: EMAD_RX_THREAD: EMAD transaction FW error
| 4.4.0-5.1.0 | 5.2.0-5.16.1| | [3120423](#3120423)
| When you configure an interface in FRR to send IPv6 RAs before you configure the interface in the /etc/network/interfaces file, the switch does not process IPv6 RAs. To work around this issue, remove the interface configuration in FRR and reapply it. | 3.7.15-4.3.0, 4.4.0-5.1.0 | 4.3.1, 5.2.0-5.16.1| -| [3119673](#3119673)
| If the switch receives an EVPN route with multiple RTs that match the import policy for a local VNI, the bgpd service crashes. | 5.0.0-5.1.0 | 5.2.0-5.16.1| +| [3119673, 2888040](#3119673, 2888040)
| If the switch receives an EVPN route with multiple RTs that match the import policy for a local VNI, the bgpd service crashes. | 5.0.0-5.1.0 | 5.2.0-5.16.1| | [3117340](#3117340)
| When you edit the /usr/share/openvswitch/scripts/ovs-ctl-vtep file to change the ovs-vtepd configuration between vlan-aware and vlan-unaware mode, ovs-vtepd crashes when you restart the service. To recover, restart the networking service with the sudo systemctl restart networking command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| | [3115419](#3115419)
| When you configure conditional advertisement, BGP might crash when you run show commands or during a steady state. | 5.1.0 | 5.2.0-5.16.1| | [3115415](#3115415)
| In the Cumulus-BGPVRF-MIB, the bgpPeerFsmEstablishedTime OID does not correctly report the time since a BGP session goes down. | 4.4.4-5.1.0 | 5.2.0-5.16.1| @@ -98,52 +98,52 @@ pdfhidden: True | [3102128](#3102128)
| When you configure a new VNI, the VLAN 1 VNI mapping is removed from the VXLAN device. To work around this issue, set the VNI interface mapped to VLAN 1 down and up again. | 5.0.0-5.1.0 | 5.2.0-5.16.1| | [3084476](#3084476)
| After you disable traffic shaping in the /etc/cumulus/datapath/qos/qos_features.conf file, the default QOS traffic shaping configuration does not restore. To work around this issue, restart switchd. | 4.4.3, 5.0.0-5.16.1 | 4.4.4-4.4.5| | [3084027](#3084027)
| Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware. | 4.3.0-4.4.5, 5.0.0-5.16.1 | | -| [3084007](#3084007)
| The clagd process uses 100 percent CPU and eventually crashes with an Unable to allocate memory error
This issue impacts customers with these conditions: CL 5.1.0, CLAG, NTP, and a switch that has been powered off for some time (i.e. the clock may have drifted) prior to initial boot. | 5.1.0 | 4.3.1-4.4.5, 5.2.0-5.16.1| -| [3082662](#3082662)
| syslog writes phcsync phc_ctl set clock time messages continuously every minute even when supervisord is not running, which prevents critical information from being logged. | 5.1.0 | 5.2.0-5.16.1| +| [3084007, 3334028](#3084007, 3334028)
| The clagd process uses 100 percent CPU and eventually crashes with an Unable to allocate memory error
This issue impacts customers with these conditions: CL 5.1.0, CLAG, NTP, and a switch that has been powered off for some time (i.e. the clock may have drifted) prior to initial boot. | 5.1.0 | 4.3.1-4.4.5, 5.2.0-5.16.1| +| [3082662, 3107641](#3082662, 3107641)
| syslog writes phcsync phc_ctl set clock time messages continuously every minute even when supervisord is not running, which prevents critical information from being logged. | 5.1.0 | 5.2.0-5.16.1| | [3082463](#3082463)
| On the NVIDIA SN4800 switch, the LED on the line cards does not match the CLI command output. | 5.1.0 | 5.2.0-5.16.1| | [3077736](#3077736)
| When you run the NVUE command to change the minimum interval between received BFD control packets or the minimum interval for sending BFD control packets, the configuration apply fails.

cumulus@switch:~$ nv set vrf default router bgp neighbor 10.10.10.2 bfd min-rx-interval 400
cumulus@switch:~$ nv config apply
2022-05-04T21:36:10.800975+00:00 switch frrinit.sh16431: Stopped watchfrr.
| 5.0.1-5.1.0 | 5.2.0-5.16.1| -| [3077547](#3077547)
| When you configure multiple multicast RPs with groups matched by prefix lists, Cumulus Linux selects only one of the RPs and this selection is incorrect. | 5.0.1-5.1.0 | 5.2.0-5.16.1| +| [3077547, 2812075](#3077547, 2812075)
| When you configure multiple multicast RPs with groups matched by prefix lists, Cumulus Linux selects only one of the RPs and this selection is incorrect. | 5.0.1-5.1.0 | 5.2.0-5.16.1| | [3077513](#3077513)
| When a MAC address is moved to a new VTEP in an EVPN MAC mobility scenario using traditional bridges, there might be up to 30 seconds of convergence delay. | 5.0.1-5.1.0 | 5.2.0-5.16.1| -| [3074390](#3074390)
| You can not apply NVUE configurations when TACACS is enabled for user authentication. To work around this issue, add the nvue account to the exclude_users line in /etc/tacplus_nss.conf:
exclude_users=root,daemon,nobody,cron,radius_user,radius_priv_user,sshd,cumulus,quagga,frr,nvue,snmp,www-data,ntp,man,_lldpd,*
| 5.0.1-5.3.1 | 5.4.0-5.16.1| +| [3074390, 3055255, 2602877](#3074390, 3055255, 2602877)
| You can not apply NVUE configurations when TACACS is enabled for user authentication. To work around this issue, add the nvue account to the exclude_users line in /etc/tacplus_nss.conf:
exclude_users=root,daemon,nobody,cron,radius_user,radius_priv_user,sshd,cumulus,quagga,frr,nvue,snmp,www-data,ntp,man,_lldpd,*
| 5.0.1-5.3.1 | 5.4.0-5.16.1| | [3072674](#3072674)
| In an MLAG configuration, if you put a single connected interface into an admin down state, any dynamic MAC addresses on the peer link are flushed, then added back, which causes momentary traffic disruption. | 3.7.15-5.1.0 | 5.2.0-5.16.1| | [3071652](#3071652)
| On rare occasions, after you reboot or restart switchd on a Spectrum 1 switch, any 25G connections with Direct Attach Copper (DAC) cables that connect from the switch to a non-NVIDIA device might flap continuously. To work around this issue, bring the affected link administratively down for a few seconds on the non-NVIDIA device, then bring the link back up. | 4.4.4-4.4.5, 5.1.0-5.16.1 | | -| [3069069](#3069069)
| When you run the systemctl reload switchd command, there is momentary traffic loss after a port configured with lossless buffers goes down. This is only temporary and the traffic stabilizes after the initial drops. | 5.1.0-5.5.1 | 5.6.0-5.16.1| +| [3069069, 3271536](#3069069, 3271536)
| When you run the systemctl reload switchd command, there is momentary traffic loss after a port configured with lossless buffers goes down. This is only temporary and the traffic stabilizes after the initial drops. | 5.1.0-5.5.1 | 5.6.0-5.16.1| | [3066664](#3066664)
| In an EVPN-MH configuration, the switch fails to redirect tagged frames with the CoS bits set. | 4.4.0-4.4.3, 5.0.0-5.1.0 | 4.4.4-4.4.5, 5.2.0-5.16.1| | [3061656](#3061656)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.16.1 | | | [3061445](#3061445)
| When you run the NVUE command to change the minimum interval between received BFD control packets or the minimum interval for sending BFD control packets, the configuration apply fails
cumulus@switch:~$ nv set vrf default router bgp neighbor 10.10.10.2 bfd min-rx-interval 400cumulus@switch:~$ nv config apply2022-05-04T21:36:10.800975+00:00 switch frrinit.sh16431: Stopped watchfrr
| 5.0.1-5.1.0 | 5.2.0-5.16.1| | [3059566](#3059566)
| When you add an interface to a layer 3 bond, traffic does not forward and you see errors similar to the following:
2022-05-02T13:14:40.118597+00:00 cumulus sx_sdk: ROUTER: Failed to delete router interface(27) ref count isn’t 0, err= Resource is in use
| 4.4.2-4.4.3, 5.0.1-5.1.0 | 4.4.4-4.4.5, 5.2.0-5.16.1| | [3059380](#3059380)
| When you configure VRF leaking from the default VRF to a non-default VRF, SSH sessions originating from the switch CLI in the default VRF do not connect to devices in the non-default VRF. | 5.0.1-5.1.0 | 5.2.0-5.16.1| -| [3059135](#3059135)
| In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route
To resolve this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| -| [3055283](#3055283)
| After you run Linux commands to enable a custom ECMP or LAG hash parameter, if you set the hash_config.enable or lag_hash_config.enable parameter to false, the custom parameters do not restore their default values. To work around this issue, change the custom ECMP or LAG hash parameters to their default values manually. | 5.1.0-5.4.0 | 5.5.0-5.16.1| -| [3054869](#3054869)
| When you run NVUE commands as part of ZTP scripts, the commands fail with errors that indicate a missing $HOME environment variable. The issue has been fixed where the ZTP module initializes the $HOME environment variable before launching the ZTP scripts. However, if you are running older releases, before you use any NVUE commands in the ZTP script, add a section and define the HOME environment variable. Populate the variable with the default expected root user home directory value (/root), then export the HOME variable so it is available globally for NVUE to use
HOME=/rootexport HOME
| 5.0.0-5.1.0 | 5.2.0-5.16.1| +| [3059135, 3060400](#3059135, 3060400)
| In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route
To resolve this issue, restart FRR with the sudo systemctl restart frr command. | 4.3.0-5.1.0 | 5.2.0-5.16.1| +| [3055283, 3038763](#3055283, 3038763)
| After you run Linux commands to enable a custom ECMP or LAG hash parameter, if you set the hash_config.enable or lag_hash_config.enable parameter to false, the custom parameters do not restore their default values. To work around this issue, change the custom ECMP or LAG hash parameters to their default values manually. | 5.1.0-5.4.0 | 5.5.0-5.16.1| +| [3054869, 3148920](#3054869, 3148920)
| When you run NVUE commands as part of ZTP scripts, the commands fail with errors that indicate a missing $HOME environment variable. The issue has been fixed where the ZTP module initializes the $HOME environment variable before launching the ZTP scripts. However, if you are running older releases, before you use any NVUE commands in the ZTP script, add a section and define the HOME environment variable. Populate the variable with the default expected root user home directory value (/root), then export the HOME variable so it is available globally for NVUE to use
HOME=/rootexport HOME
| 5.0.0-5.1.0 | 5.2.0-5.16.1| | [3053015](#3053015)
| Spectrum-2 and Spectrum-3 switches do not support 1G speed with Cumulus Linux. | 5.1.0-5.2.1 | 5.3.0-5.16.1| -| [3046023](#3046023)
| The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. | 4.2.1-5.1.0 | 5.2.0-5.16.1| +| [3046023, 3096918](#3046023, 3096918)
| The cl-resource-query command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the switchd.log file contains ECMP resource errors with routes and next hops failing to install. | 4.2.1-5.1.0 | 5.2.0-5.16.1| | [3045310](#3045310)
| If GTP Hashing is set to true, after more than two warm boots, switchd fails and a cl-support file is generated. | 5.1.0-5.4.0 | 5.5.0-5.16.1| | [3044596](#3044596)
| In the non-default VRF, BFD goes down after port flap. | 5.0.1-5.1.0 | 5.2.0-5.16.1| | [3043115](#3043115)
| NVUE configuration and show commands are not available for GTP hashing. To configure GTP hashing, modify the parameters in the /etc/cumulus/datapath/traffic.conf file. | 5.1.0 | 5.2.0-5.16.1| | [3041425](#3041425)
| When you add or remove PortAutoEdge on a bond with the NVUE nv set interface bridge domain br_default stp auto-edge command, the command fails with the following error and then attempts to enable or disable PortAutoEdge on any interface also fail
cumulus@switch:~$ nv set interface swp1 bridge domain br_default stp auto-edge offcumulus@switch:~$ nv config applyUnable to reload-or-restart services (switchd,ifreload-nvue.service):[sudo] password for nvue: Job for ifreload-nvue.service failed because the control process exited with error code
Failure during apply. Ignore? [y/N]
| 5.0.1-5.1.0 | 5.2.0-5.16.1| | [3040174](#3040174)
| When you configure EVPN multihoming with NVUE on a switch with the Spectrum-a1 ASIC, you must configure the following snippet to enable EVPN multihoming in hardware. This is not required for Spectrum-2 or Spectrum-3 switches
- set:
   system:
     config:
       snippet:
         switchd:
           file: "/etc/cumulus/switchd.conf"
           content: \|
             evpn.multihoming.enable=TRUE
           permissions: "0644"
           services:
             schedule:
               service: switchd
               action: restart
Apply the snippet with the nv config patch command, then run the nv config apply -y command. | 5.1.0-5.2.1 | 5.3.0-5.16.1| | [3037824](#3037824)
| The NVUE nv show interface link state command shows an empty table instead of showing the port link state. | 5.0.0-5.3.1 | 5.4.0-5.16.1| -| [3034435](#3034435)
| In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community. | 4.4.4-5.4.0 | 5.5.0-5.16.1| +| [3034435, 3101184](#3034435, 3101184)
| In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community. | 4.4.4-5.4.0 | 5.5.0-5.16.1| | [3023345](#3023345)
| When you run NVUE commands to unset one or more options associated with a field, the command fails with an error. For example:
cumulus@switch:~$ nv unset system forwarding ecmp-hash source-portusage: nv unset system forwarding ecmp-hash [options]nv unset system forwarding ecmp-hash: error: unrecognized arguments: source-port
| 5.1.0 | 5.2.0-5.16.1| | [3020254](#3020254)
| When ARP suppression is off, GARPs from neighmgrd for remote neighbors are sent over VXLAN. | 3.7.15-4.3.0, 4.4.0-4.4.3, 5.0.0-5.1.0 | 4.3.1, 4.4.4-4.4.5, 5.2.0-5.16.1| | [3016882](#3016882)
| In certain cases, when you power cycle the switch, the NVUE configuration might become corrupted, which prevents NVUE from running. You see a critical error in the log file similar to:
CRITICAL: cue_versions_v1.repo: The NVUE internal data store is corrupted or has been initialized incorrectly. The is an unrecoverable error
To work around this issue, remove the /var/lib/nvue/config and /var/lib/nvue/meta directories, then restart the nvued service with the sudo systemctl start nvued command. If possible, NVUE recovers user configuration and saves it in the /etc/nvue.d directory. The recovered configuration will be saved as YAML files, which are named as nvue-recovery-.yaml. You can reapply the recovered configuration with the nv config patch nvue-recovery-.yaml followed by nv config apply commands. | 5.0.1-5.1.0 | 5.2.0-5.16.1| | [3015393](#3015393)
| The NVUE nv show interface command shows the operational state of the tunnel as down even though the tunnel is up, and encapsulation and decapsulation occurs correctly. | 5.1.0-5.3.1 | 5.4.0-5.16.1| | [3014664](#3014664)
| On the NVIDIA SN3420, the smonctl command output shows the maximum PSU temperature higher than the critical temperature. | 4.4.2-4.4.3, 5.0.0-5.1.0 | 4.4.4-4.4.5, 5.2.0-5.16.1| -| [3007765](#3007765)
| On the NVIDIA SN2010 and SN2100 switch, smond indicates that the FAN status is BAD and syslog is flooded with Path /run/hw-management/thermal/fan1_status does not exist errors. When you run the smonctl -v command, the TEMP on switch looks OK
cumulus@switch:~$ smonctl -vFan1(Fan 1): BAD fan:6931 RPM (max = 25000 RPM, min = 4500 RPM, limit_variance = 15%)Fan2(Fan 2): BAD fan:6619 RPM (max = 25000 RPM, min = 4500 RPM, limit_variance = 15%)Fan3(Fan 3): BAD fan:6931 RPM (max = 25000 RPM, min = 4500 RPM, limit_variance = 15%)Fan4(Fan 4): BAD fan:6720 RPM (max = 25000 RPM, min = 4500 RPM, limit_variance = 15%)
| 5.1.0 | 5.2.0-5.16.1| +| [3007765, 3273568](#3007765, 3273568)
| On the NVIDIA SN2010 and SN2100 switch, smond indicates that the FAN status is BAD and syslog is flooded with Path /run/hw-management/thermal/fan1_status does not exist errors. When you run the smonctl -v command, the TEMP on switch looks OK
cumulus@switch:~$ smonctl -vFan1(Fan 1): BAD fan:6931 RPM (max = 25000 RPM, min = 4500 RPM, limit_variance = 15%)Fan2(Fan 2): BAD fan:6619 RPM (max = 25000 RPM, min = 4500 RPM, limit_variance = 15%)Fan3(Fan 3): BAD fan:6931 RPM (max = 25000 RPM, min = 4500 RPM, limit_variance = 15%)Fan4(Fan 4): BAD fan:6720 RPM (max = 25000 RPM, min = 4500 RPM, limit_variance = 15%)
| 5.1.0 | 5.2.0-5.16.1| | [2972540](#2972540)
| With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.16.1 | | | [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.16.1 | | | [2949123](#2949123)
| The NVUE command nv show service ntp mgmt server does not show any configured servers. | 5.0.0-5.2.1 | 5.3.0-5.16.1| -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | | [2886476](#2886476)
| If you enable or disable the advertise primary IP address setting when originating EVPN default type-5 routes, the default route or prefix originated from one of the MLAG peers sends a null layer 3 VNI, which prevents the remote VTEP from installing the default route. | 5.0.0-5.1.0 | 5.2.0-5.16.1| -| [2885305](#2885305)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | -| [2867248](#2867248)
| The validate-ports -d command does not return the correct speeds for ports. Use the speeds specified in the /etc/cumulus/ports.conf file. | 5.0.0-5.1.0 | 5.2.0-5.16.1| +| [2885305, 2887500, 3234087, 3074929, 3293192](#2885305, 2887500, 3234087, 3074929, 3293192)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | +| [2867248, 2866947, 3124967](#2867248, 2866947, 3124967)
| The validate-ports -d command does not return the correct speeds for ports. Use the speeds specified in the /etc/cumulus/ports.conf file. | 5.0.0-5.1.0 | 5.2.0-5.16.1| | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.16.1 | | | [2831968](#2831968)
| The switch duplicates DHCP packets that pass through the VTEP. | 4.3.0, 4.4.0-5.1.0 | 4.3.1, 5.2.0-5.16.1| | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.16.1 | | | [2821929](#2821929)
| FRR restarts even when the NVUE configuration overwrite mode is set. | 5.0.0-5.3.1 | 5.4.0-5.16.1| -| [2812075](#2812075)
| When you configure PIM, you can either configure RP mappings for different multicast groups or use a prefix list to specify the RP to group mapping. You cannot use the two methods together. | 5.0.0-5.1.0 | 5.2.0-5.16.1| -| [2743186](#2743186)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| +| [2812075, 3077547](#2812075, 3077547)
| When you configure PIM, you can either configure RP mappings for different multicast groups or use a prefix list to specify the RP to group mapping. You cannot use the two methods together. | 5.0.0-5.1.0 | 5.2.0-5.16.1| +| [2743186, 2734100, 2731464, 3438708](#2743186, 2734100, 2731464, 3438708)
| When you use MD5 passwords and you configure a non-default VRF before the default VRF in the /etc/frr/frr.conf file, numbered BGP sessions do not establish. | 3.7.15-5.1.0 | 5.2.0-5.16.1| | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | | [2734103](#2734103)
| ACL [No More Resources] messages keep appearing and you can't reinstall the ACL. | 4.3.0-5.1.0 | 5.2.0-5.16.1| | [2684925](#2684925)
| The NVUE nv show vrf default router bgp peer command produces a 404 not found error. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | @@ -154,13 +154,13 @@ pdfhidden: True |--- |--- |--- | | [3228899](#3228899)
| If two FDB entries are added in hardware with a single API call (at the same time), when one entry already exists in hardware and the additional entry has a tunnel type, the resulting FDB entry might be configured improperly in hardware. This can cause corruption of the packets that match the FDB entry. | 4.4.0-4.4.2 | | | [3211359](#3211359)
| The net show interface detail command output shows Type=Unknown for the specified interface. | 4.4.3-5.0.1 | | -| [3195345](#3195345)
| Communication between single-connected MLAG hosts on different switches fails because packets received by single-connected MLAG hosts are not forwarded over the peer link. To work around this issue, when adding a switch to an MLAG pair, enable all the interfaces. | 5.0.0-5.0.1 | | -| [3055255](#3055255)
| When you run the NVUE nv show interface command, a watchdog timeout might occur and the nvued service fails. | 5.0.1 | | +| [3195345, 3195390](#3195345, 3195390)
| Communication between single-connected MLAG hosts on different switches fails because packets received by single-connected MLAG hosts are not forwarded over the peer link. To work around this issue, when adding a switch to an MLAG pair, enable all the interfaces. | 5.0.0-5.0.1 | | +| [3055255, 3074390](#3055255, 3074390)
| When you run the NVUE nv show interface command, a watchdog timeout might occur and the nvued service fails. | 5.0.1 | | | [3041307](#3041307)
| If you update the MAC address of an SVI using ifreload and hwaddress, the kernel maintains a stale permanent FDB entry for the old MAC address. | 3.7.15, 4.3.0, 4.4.0-4.4.3, 5.0.0-5.0.1 | | | [3040080](#3040080)
| On Spectrum-2 switches, when a packet has a CRC and the ports are in cut-though mode, the switch might stop forwarding traffic. | 4.4.2-4.4.3, 5.0.0-5.0.1 | | | [3036114](#3036114)
| When you upgrade Cumulus Linux from 4.0 and later to Cumulus Linux 5.1.0 with package upgrade apt-get upgrade, the upgrade fails with the following error and the NVUE service does not start
Setting up python3-nvue (0.22.04.06.0-cl5.1.0u1) ..
Adding user nvue to group netshow/usr/sbin/policy-rc.d returned 101, not running 'restart nvued.service'/usr/sbin/policy-rc.d returned 101, not running 'restart nvue-startup.service'/usr/sbin/policy-rc.d returned 101, not running 'try-restart ifreload-nvue.service'To enable the newly installed bash completion for CUE in this shell, execute..
source /etc/bash_completionCreated symlink /etc/systemd/system/multi-user.target.wants/nvued.service _ /lib/systemd/system/nvued.service
Created symlink /etc/systemd/system/multi-user.target.wants/nvue-startup.service _ /lib/systemd/system/nvue-startup.service
Job for nvue-startup.service failed because the control process exited with error code
See "systemctl status nvue-startup.service" and "journalctl -xe" for details
dpkg: error processing package python3-nvue (--configure):installed python3-nvue package post-installation script subprocess returned error exit status 1
To work around this issue, reboot the system. | | | | [3035855](#3035855)
| When you configure ACLs on the switch, you might see a switchd segmentation fault. | 5.0.1 | | -| [3032234](#3032234)
| In BGP unnumbered, when you try to remove an interface from the underlay default VRF with the NVUE nv unset vrf default router bgp neighbor command, the command fails to apply. | 4.4.2-5.0.1 | | +| [3032234, 3163643](#3032234, 3163643)
| In BGP unnumbered, when you try to remove an interface from the underlay default VRF with the NVUE nv unset vrf default router bgp neighbor command, the command fails to apply. | 4.4.2-5.0.1 | | | [3030238](#3030238)
| When you change the time with NTP or manually, the clagd service stops. | 5.0.1 | | | [3022955](#3022955)
| Docker creates a bridge called docker0 and this causes compatibility issues with WJH, which runs in a Docker container. | | | | [3021897](#3021897)
| After you remove the port from the EVPN-MH bond, the port stays in the PRTDN state with the protodown flag ON. | 4.4.3, 5.0.0-5.0.1 | | @@ -199,6 +199,6 @@ pdfhidden: True | [2855908](#2855908)
| Traffic failover in a multicast topology with redundancy has the mroute stuck in a prune state and PIM join messages continue to send
To work around this issue, run the vtysh clear ip mroute command. | 3.7.15-4.3.0, 4.4.0-5.0.1 | | | [2854787](#2854787)
| An unexpected software system shutdown might occur due to a thermal zones issue in the hw-management package. You see the following message in the /var/log/syslog file before the shutdown:
thermal thermal_zoneX: critical temperature reached (33 C), shutting down
| 4.3.0-4.3.4 | | | [2815646](#2815646)
| In an EVPN configuration, an FRR restart on a border leaf VRRP master causes a stale route for the VRRP VIP on some remote VTEPs to point to the VRRP backup after convergence. | 3.7.12-3.7.15, 4.3.0, 4.4.2-5.0.1 | | -| [2713888](#2713888)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | | +| [2713888, 2834357](#2713888, 2834357)
| With the ip-acl-heavy TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly
hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources
To work around this issue, change the TCAM profile to acl-heavy or ip-acl-heavy with ACL non-atomic mode. | 3.7.15-5.0.1 | | | [2685994](#2685994)
| When you use the NVUE command nv set interface lo router ospf area to configure OSPF on a loopback interface, the configuration fails to apply
To work around this issue, configure the loopback interface in the desired OSPF area with the nv set vrf default router ospf area 0 network command and reference the assigned prefix of the loopback interface. For example:
cumulus@leaf01:~$ nv set vrf default router ospf area 0 network 10.10.10.1/32
| 4.0.0-5.0.1 | | diff --git a/content/cumulus-linux-51/rn.xml b/content/cumulus-linux-51/rn.xml index 08ecc07eb2..6fb1dabf55 100644 --- a/content/cumulus-linux-51/rn.xml +++ b/content/cumulus-linux-51/rn.xml @@ -19,7 +19,7 @@ 5.15.0-5.16.1 -4413450 +4413450, 4497128 When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. 5.0.0-5.11.1, 5.13.0-5.13.1 5.11.2, 5.14.0-5.16.1 @@ -43,7 +43,7 @@ 5.9.2-5.16.1, 5.10.0-5.16.1 -3895042 +3895042, 3895041 After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes: snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a This issue occurs because {{poectl}} is called on non-PoE switches. To work around this issue, remove or comment out the {{poetcl}} call from the {{/etc/snmpd.conf}} file, then restart the {{snmpd}} process with the {{sudo systemctl snmpd restart}} command. @@ -112,7 +112,7 @@ cumulus@switch:~$ sudo apt upgrade 4.3.2-4.4.5, 5.6.0-5.16.1 -3474391 +3474391, 3479772 The SNMP MIB definition file {{/usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt}} does not define the INDEX of the {{bgpPeerEntry}} correctly. This issue does not impact SNMP functionality for this MIB. 4.3.1-5.5.1 5.6.0-5.16.1 @@ -136,7 +136,7 @@ cumulus@switch:~$ sudo apt upgrade 5.5.0-5.16.1 -3424967 +3424967, 3413785 {{sudo}} for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the {{default}} VRF. To work around this issue, specify the interface name that the {{default}} VRF uses in the {{vrf=}} setting of the {{/etc/tacplus_servers}} file or run the NVUE {{nv set system aaa tacacs vrf}} command. If you don't run either command, a TACACS+ user with privilege level 15 can run {{vrf task exec default sudo ...}} to execute the {{sudo}} command. 5.0.0-5.16.1 @@ -149,7 +149,7 @@ The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 -3413785 +3413785, 3424967 To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE {{nv set system aaa tacacs vrf <interface>}} command (for example, {{nv set system aaa tacacs vrf swp51}}) or set the {{vrf=<interface>}} option in the {{/etc/tacplus_servers}} file (for example, {{vrf=swp51}}). A similar issue might prevent TACACS+ users with privilege level 15 from using {{sudo}} if the TACACS+ server is reachable only on the {{default}} VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use {{vrf task exec default sudo ...}} to execute the {{sudo}} command using the TACACS+ server on the {{default}} VRF. 5.0.0-5.5.1 5.6.0-5.16.1 @@ -187,7 +187,7 @@ Fan4(Fan 4): BAD fan:6720 RPM (max = 25000 RPM, min = 4500 RPM, limit_variance = 5.5.0-5.16.1 -3347677 +3347677, 3180068 In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown. 5.1.0-5.6.0 5.7.0-5.16.1 @@ -316,7 +316,7 @@ Packet size is larger than router interface MTU – Validate the router interfac 4.3.2 -3187469 +3187469, 3188618 At high scale with 160 VRFs and 10 VLANs per VRF (a total of 1600 VLANs), you see traffic loss during primary switch reboot. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address. 5.1.0-5.5.1 5.6.0-5.16.1 @@ -352,19 +352,19 @@ Packet size is larger than router interface MTU – Validate the router interfac 5.3.0-5.16.1 -3163200 +3163200, 3141818 If there is extensive and continuous next-hop group (NHG) churn when routes keep moving from one NHG to another NHG repeatedly, {{switchd}} increases in memory allocation until memory is exhausted. Other processes might be affected as they try to acquire memory which is unavailable. 5.1.0 5.2.0-5.16.1 -3163159 +3163159, 3096856 The NVUE command to disable EVPN duplicate address detection does not work. To work around this issue, use an NVUE snippet. 5.1.0 5.2.0-5.16.1 -3157240 +3157240, 3173622 When you try to query REDECN counters with the {{mlxcmd}} utility on a bond member port with the following commands, syslog reports an error. sudo /usr/lib/cumulus/mlxcmd roce counters --port <swp> @@ -396,7 +396,7 @@ To work around this issue, avoid restarting the {{switchd}} service in the ZTP s 5.3.0-5.16.1 -3148920 +3148920, 3054869 NVUE configuration commands produce errors when included as part of a ZTP script that executes automatically during the switch boot process. This occurs because the $HOME variable is not set during ZTP. This does not occur if you trigger ZTP manually from the CLI with the {{sudo ztp -r http://x.x.x.x/cumulus-ztp}} command. To work around this issue, define the $HOME variable within the ZTP script with {{export HOME=/root}}. 5.1.0 5.2.0-5.16.1 @@ -428,7 +428,7 @@ To work around this issue, avoid restarting the {{switchd}} service in the ZTP s 5.9.0-5.16.1 -3141818 +3141818, 3163200 If there is extensive and continuous next-hop group (NHG) churn when routes keep moving from one NHG to another NHG repeatedly, {{switchd}} increases in memory allocation until memory is exhausted. Other processes might be affected as they try to acquire memory which is unavailable. 5.0.1-5.1.0 5.2.0-5.16.1 @@ -505,7 +505,7 @@ sx_sdk: EMAD_RX_THREAD: EMAD transaction FW error 4.3.1, 5.2.0-5.16.1 -3119673 +3119673, 2888040 If the switch receives an EVPN route with multiple RTs that match the import policy for a local VNI, the {{bgpd}} service crashes. 5.0.0-5.1.0 5.2.0-5.16.1 @@ -571,7 +571,7 @@ To work around this issue, set the VNI interface mapped to VLAN 1 down and up ag -3084007 +3084007, 3334028 The {{clagd}} process uses 100 percent CPU and eventually crashes with an {{Unable to allocate memory}} error. This issue impacts customers with these conditions: CL 5.1.0, CLAG, NTP, and a switch that has been powered off for some time (i.e. the clock may have drifted) prior to initial boot. @@ -579,7 +579,7 @@ This issue impacts customers with these conditions: CL 5.1.0, CLAG, NTP, and a s 4.3.1-4.4.5, 5.2.0-5.16.1 -3082662 +3082662, 3107641 {{syslog}} writes {{phcsync phc_ctl set clock time}} messages continuously every minute even when {{supervisord}} is not running, which prevents critical information from being logged. 5.1.0 5.2.0-5.16.1 @@ -602,7 +602,7 @@ cumulus@switch:~$ nv config apply 5.2.0-5.16.1 -3077547 +3077547, 2812075 When you configure multiple multicast RPs with groups matched by prefix lists, Cumulus Linux selects only one of the RPs and this selection is incorrect. 5.0.1-5.1.0 5.2.0-5.16.1 @@ -614,7 +614,7 @@ cumulus@switch:~$ nv config apply 5.2.0-5.16.1 -3074390 +3074390, 3055255, 2602877 You can not apply NVUE configurations when TACACS is enabled for user authentication. To work around this issue, add the {{nvue}} account to the {{exclude_users}} line in {{/etc/tacplus_nss.conf}}: exclude_users=root,daemon,nobody,cron,radius_user,radius_priv_user,sshd,cumulus,quagga,frr,nvue,snmp,www-data,ntp,man,_lldpd,* @@ -635,7 +635,7 @@ exclude_users=root,daemon,nobody,cron,radius_user,radius_priv_user,sshd,cumulus, -3069069 +3069069, 3271536 When you run the {{systemctl reload switchd}} command, there is momentary traffic loss after a port configured with lossless buffers goes down. This is only temporary and the traffic stabilizes after the initial drops. 5.1.0-5.5.1 5.6.0-5.16.1 @@ -679,20 +679,20 @@ cumulus@switch:~$ nv config apply 5.2.0-5.16.1 -3059135 +3059135, 3060400 In an OSPF configuration, after you change the IPv6 subnet mask, the old address remains in the RIB as a connected OSPF route. To resolve this issue, restart FRR with the {{sudo systemctl restart frr}} command. 4.3.0-5.1.0 5.2.0-5.16.1 -3055283 +3055283, 3038763 After you run Linux commands to enable a custom ECMP or LAG hash parameter, if you set the {{hash_config.enable}} or {{lag_hash_config.enable}} parameter to {{false}}, the custom parameters do not restore their default values. To work around this issue, change the custom ECMP or LAG hash parameters to their default values manually. 5.1.0-5.4.0 5.5.0-5.16.1 -3054869 +3054869, 3148920 When you run NVUE commands as part of ZTP scripts, the commands fail with errors that indicate a missing $HOME environment variable. The issue has been fixed where the ZTP module initializes the $HOME environment variable before launching the ZTP scripts. However, if you are running older releases, before you use any NVUE commands in the ZTP script, add a section and define the {{HOME}} environment variable. Populate the variable with the default expected {{root}} user home directory value (/root), then export the {{HOME}} variable so it is available globally for NVUE to use. HOME=/root @@ -708,7 +708,7 @@ export HOME 5.3.0-5.16.1 -3046023 +3046023, 3096918 The {{cl-resource-query}} command output shows ECMP nextHop Table exhaustion (above 100 percent utilization) and the {{switchd.log}} file contains ECMP resource errors with routes and next hops failing to install. 4.2.1-5.1.0 5.2.0-5.16.1 @@ -773,7 +773,7 @@ Apply the snippet with the {{nv config patch <snippet.yaml>}} command, the 5.4.0-5.16.1 -3034435 +3034435, 3101184 In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community. 4.4.4-5.4.0 5.5.0-5.16.1 @@ -821,7 +821,7 @@ If possible, NVUE recovers user configuration and saves it in the {{/etc/nvue.d} 4.4.4-4.4.5, 5.2.0-5.16.1 -3007765 +3007765, 3273568 On the NVIDIA SN2010 and SN2100 switch, {{smond}} indicates that the FAN status is {{BAD}} and syslog is flooded with {{Path /run/hw-management/thermal/fan1_status does not exist}} errors. When you run the {{smonctl -v}} command, the TEMP on switch looks OK. cumulus@switch:~$ smonctl -v @@ -852,7 +852,7 @@ Fan4(Fan 4): BAD fan:6720 RPM (max = 25000 RPM, min = 4500 RPM, limit_variance = 5.3.0-5.16.1 -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -866,13 +866,13 @@ Fan4(Fan 4): BAD fan:6720 RPM (max = 25000 RPM, min = 4500 RPM, limit_variance = 5.2.0-5.16.1 -2885305 +2885305, 2887500, 3234087, 3074929, 3293192 Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. 5.0.0-5.16.1 -2867248 +2867248, 2866947, 3124967 The {{validate-ports -d}} command does not return the correct speeds for ports. Use the speeds specified in the {{/etc/cumulus/ports.conf}} file. 5.0.0-5.1.0 5.2.0-5.16.1 @@ -902,13 +902,13 @@ Fan4(Fan 4): BAD fan:6720 RPM (max = 25000 RPM, min = 4500 RPM, limit_variance = 5.4.0-5.16.1 -2812075 +2812075, 3077547 When you configure PIM, you can either configure RP mappings for different multicast groups or use a prefix list to specify the RP to group mapping. You cannot use the two methods together. 5.0.0-5.1.0 5.2.0-5.16.1 -2743186 +2743186, 2734100, 2731464, 3438708 When you use MD5 passwords and you configure a non-default VRF before the default VRF in the {{/etc/frr/frr.conf}} file, numbered BGP sessions do not establish. 3.7.15-5.1.0 5.2.0-5.16.1 @@ -959,12 +959,12 @@ You can safely ignore this warning. 4.4.3-5.0.1 -3195345 +3195345, 3195390 Communication between single-connected MLAG hosts on different switches fails because packets received by single-connected MLAG hosts are not forwarded over the peer link. To work around this issue, when adding a switch to an MLAG pair, enable all the interfaces. 5.0.0-5.0.1 -3055255 +3055255, 3074390 When you run the NVUE {{nv show interface}} command, a watchdog timeout might occur and the {{nvued}} service fails. 5.0.1 @@ -1005,7 +1005,7 @@ To work around this issue, reboot the system. 5.0.1 -3032234 +3032234, 3163643 In BGP unnumbered, when you try to remove an interface from the underlay default VRF with the NVUE {{nv unset vrf default router bgp neighbor <interface>}} command, the command fails to apply. 4.4.2-5.0.1 @@ -1234,7 +1234,7 @@ thermal thermal_zoneX: critical temperature reached (33 C), shutting down 3.7.12-3.7.15, 4.3.0, 4.4.2-5.0.1 -2713888 +2713888, 2834357 With the {{ip-acl-heavy}} TCAM profile, the following message might appear after you install an ACL with NCLU or cl-acltool and the ACL might not work correctly. hal_flx_acl_util.c:378 ERR hal_flx_acl_resource_release resource region 0 size 7387 create failed: No More Resources diff --git a/content/cumulus-linux-510/Whats-New/rn.md b/content/cumulus-linux-510/Whats-New/rn.md index 9911be5051..bbfedf5368 100644 --- a/content/cumulus-linux-510/Whats-New/rn.md +++ b/content/cumulus-linux-510/Whats-New/rn.md @@ -190,11 +190,11 @@ pdfhidden: True | [4531104](#4531104)
| On a switch with SDK 4.6.1062 or earlier, you might see FW fatal health events. | 5.6.0-5.13.1 | 5.14.0-5.16.1| | [4521203](#4521203)
| The SATA driver on the NVIDIA SN2410 switch sometimes exhibits failures similar to the following:
2025-06-20T20:03:38.785966+09:00 S1-RF10B kernel: 
[49878794.456350] ata1.00: failed command: WRITE FPDMA QUEUED
2025-06-20T20:03:38.785968+09:00 S1-RF10B kernel: [49878794.461984] ata1.00: cmd
61/08:08:50:2b:c4/00:00:01:00:00/40 tag 1 ncq dma 4096 out
2025-06-20T20:03:38.785970+09:00 S1-RF10B kernel: [49878794.461984] res 40/00:0c:50:2b:c4/00:00:01:00:00/40 Emask 0×10 (ATA bus error)

To work around this issue, power cycle the switch. | 5.5.1-5.13.1 | 5.14.0-5.16.1| | [4495231](#4495231)
| If the hardware clock date is later than 2038-01-19 03:14:07 UTC, the image might fail to install due to a grub-install failure on the EFI filesystem, which is a VFAT filesystem. As a result, you see the grub prompt immediately after reboot. To work around this issue, reboot from the grub prompt to go into ONIE. From ONIE, use the date command to set a date before 2038-01-19, then run the hwclock --systohc command to add it to the hardware clock. You can then use onie-nos-install to install the image. | 5.9.0-5.16.1 | | -| [4423336](#4423336)
| When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the nv config patch command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with systemctl restart nvued.service. | 5.9.0-5.11.5 | 5.12.0-5.16.1| +| [4423336, 3875789, 3933038](#4423336, 3875789, 3933038)
| When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the nv config patch command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with systemctl restart nvued.service. | 5.9.0-5.11.5 | 5.12.0-5.16.1| | [4423335](#4423335)
| When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the nv config patch command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with systemctl restart nvued.service. | 5.9.0-5.16.1 | | | [4423248](#4423248)
| If you unset an interface static IP address when the interface IP gateway is configured, the nv config apply command fails with an ifreload.service error. To work around this issue, unset both the static IP address and gateway together. | 5.9.0-5.16.1 | | | [4423244](#4423244)
| When you enable, then disable adaptive routing, the BGP neighbors might go down because of an unresolved MAC address. To work around this issue, configure another attribute on the interface. | 5.9.0-5.16.1 | | -| [4422898](#4422898)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.13.1 | 5.14.0-5.16.1| +| [4422898, 4497128](#4422898, 4497128)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.13.1 | 5.14.0-5.16.1| | [4220147](#4220147)
| When you bring STP down, then up on the primary MLAG peer, the STP state machine restarts and the peerlink operational edge resets. As a result, the secondary MLAG peer ends up in an STP discarding state. To work around this issue, restart the clagd service. | 5.8.0-5.11.0 | 5.11.1-5.16.1, 5.12.0-5.16.1| | [4195240](#4195240)
| Cumulus Linux installs and runs the atftpd program by default but cannot access it because a /tftpboot directory is missing. | 5.9.2-5.11.5 | 5.12.0-5.16.1| | [4185962](#4185962)
| When you change the VRR MAC address, switchd crashes. This occurs because deleting an old VRR MAC address triggers a neighbor update that changes the ECMP container resolution, which results in route entry updates
This happens in async mode, where the end notification expected after an end of operation is missing. | 5.9.2-5.11.0 | 5.11.1-5.16.1, 5.12.0-5.16.1| @@ -204,7 +204,7 @@ pdfhidden: True | [4151336](#4151336)
| After you reboot the switch, the ifplugd.service fails to start monitoring the interface. | 5.8.0-5.9.3, 5.10.0-5.11.0 | 5.9.4, 5.11.1-5.16.1, 5.12.0-5.16.1| | [4144021](#4144021)
| Shutting down port 65 or 66 on the NVIDIA Spectrum-4 switch leaves the opposite port up when using MLNX SFP-T and RJ45 connections. Spectrum-4 switches do not support SFP-T modules on ports 65 and 66. | 5.10.0-5.12.1 | 5.13.0-5.16.1| | [4142857](#4142857)
| The switch drops PTP packets received with extra ethernet padding and you see syslog [ptp4l.ERR] messages. | 5.10.0-5.16.1 | | -| [4129699](#4129699)
| switchd crashes because the hardware MAC limit is higher than the maximum. | 5.8.0-5.10.1 | 5.11.0-5.16.1| +| [4129699, 3790461](#4129699, 3790461)
| switchd crashes because the hardware MAC limit is higher than the maximum. | 5.8.0-5.10.1 | 5.11.0-5.16.1| | [4127636](#4127636)
| Multicast traffic continues to egress an interface that leaves the group. Logs and multicast data show that the IGMP group is deleted but the OIF is still listed. | 5.10.0-5.10.1 | 5.9.4, 5.11.0-5.16.1| | [4127253](#4127253)
| You might see switchd high-memory consumption and eventually switchd stops because it is out of memory due to higher tunnel (VNI x VTEP) scale. | 5.8.0-5.10.1 | 5.11.0-5.16.1| | [4124831](#4124831)
| When you enable Per-VLAN Rapid Spanning Tree (PVRST) mode, bonds with LACP bypass discard ingress DHCP packets. | 5.9.1-5.10.1 | 5.11.0-5.16.1| @@ -217,7 +217,7 @@ pdfhidden: True | [4101051](#4101051)
| On rare occasion, SMBUS gateway handling causes a race condition that causes the SMBUS gateway to hang. As a result, all the ports located on the same SMBUS gateway are not able to get I2C service to the module EEPROM. | 5.10.0 | 5.10.1-5.16.1| | [4101034](#4101034)
| The I2C module read output is incorrect intermittently for modules 0-7. | 5.10.0 | 5.10.1-5.16.1| | [4086136](#4086136)
| If a Cumulus Linux 5.9.1 switch has an nv set interface lldp application-tlv configuration with an empty value, when you upgrade to Cumulus Linux 5.10, NVUE cannot apply the configuration and shows an Invalid config message. | 5.10.0-5.10.1 | 5.11.0-5.16.1| -| [4081974](#4081974)
| When you use mlxlink to check TX power, you see incorrect values for different lanes of a port. To work around this issue, either use the NVUE nv show platform transceiver command or the ethtool -m command. | 5.10.0-5.10.1 | 5.11.0-5.16.1| +| [4081974, 3905576](#4081974, 3905576)
| When you use mlxlink to check TX power, you see incorrect values for different lanes of a port. To work around this issue, either use the NVUE nv show platform transceiver command or the ethtool -m command. | 5.10.0-5.10.1 | 5.11.0-5.16.1| | [4081784](#4081784)
| If you configure an inbound route policy that drops prefixes, then run the vtysh show bgp vrf neighbours received-routes brief json command, the BGP service might crash. Avoid running a vtysh received routes brief json show command if you configure an inbound route policy that drops prefixes. Another option to avoid the issue is to run just show ip bgp neighbors received-routes without json. | 5.9.1-5.9.3, 5.10.0-5.10.1 | 5.9.4, 5.11.0-5.16.1| | [4075960](#4075960)
| When you configure the IGMP Querier on a VLAN, the switch sends IGMP Querier packets on the untagged VLAN, not the configured VLAN. Also, the source IP address is always 0.0.0.0, even though the loopback IP address is configured on the IGMP Querier. | 5.9.1-5.10.1 | 5.11.0-5.16.1| | [4066219](#4066219)
| Some STP interfaces might remain in a blocking state when there are large numbers of discontiguous VLANs enabled on a port. | 5.8.0-5.9.3, 5.10.0-5.10.1 | 5.9.4, 5.11.0-5.16.1| @@ -228,9 +228,9 @@ pdfhidden: True | [4052578](#4052578)
| When you perform a binary upgrade from Cumulus Linux 5.8 or earlier to 5.9.0 or later with a pre-staged startup.yaml file, the cumulus user password is reset to the default password because there is no default startup.yaml file present in 5.8.0 or earlier. To work around this issue, generate the startup.yaml file from the existing NVUE configuration. | 5.9.2-5.11.5 | 5.12.0-5.16.1| | [4050835](#4050835)
| The NVUE Service fails to start after an upgrade from Cumulus Linux 5.9 to Cumulus Linux 5.10 because of a corrupted database. | 5.10.0-5.10.1 | 5.9.4, 5.11.0-5.16.1| | [4050801](#4050801)
| When configuring telemetry for interface statistics with ranges or lists, the lists and ranges do not expand correctly in the configuration and the configuration is rejected. Configuration example:
cumulus@leaf01:~$ nv set system telemetry interface-stats ingress-buffer priority-group 1-6
cumulus@leaf01:~$ nv set system telemetry interface-stats egress-buffer traffic-class 0,3,6

You see the following log errors:
interface_stats: [ERROR] interface_stats_collector.py:_parse_conf_file:201 — Configured ingress-priority-group 0-6 is not an integer
interface_stats: [ERROR] interface_stats_collector.py:_parse_conf_file:201 — Configured egress-traffic-class 0,3,6 is not an integer
| 5.10.0-5.10.1 | 5.11.0-5.16.1| -| [4049213](#4049213)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | +| [4049213, 4186873](#4049213, 4186873)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | | [4048583](#4048583)
| If there are failures in MSTPD or a port is not updated in the database, the NVUE nv show bridge domain stp command might not work and might produce errors even when STP has data for other working ports or VLANs. This is a display issue only and does not impact functionality. | 5.10.0-5.12.1 | 5.13.0-5.16.1| -| [4047829](#4047829)
| Ports can be operationally down if the switchd service fails to come UP due to certain firmware failures and you the following switchd.log messages:
PDDR long process T.O
MCIA no response
FW assert [0x8C91] detected

To work around this issue, power-cycle the switch. | 5.10.0-5.10.1 | 5.11.0-5.16.1| +| [4047829, 4040901, 4040916](#4047829, 4040901, 4040916)
| Ports can be operationally down if the switchd service fails to come UP due to certain firmware failures and you the following switchd.log messages:
PDDR long process T.O
MCIA no response
FW assert [0x8C91] detected

To work around this issue, power-cycle the switch. | 5.10.0-5.10.1 | 5.11.0-5.16.1| | [4047798](#4047798)
| Packet distribution based on ECMP hashing using GTP-TEID does not function as expected in an EVPN Clos topology. | 5.10.0-5.16.1 | | | [4042657](#4042657)
| The SDK times out with a FW FATAL health event, which requires a reboot of the system to recover. | 5.9.1-5.10.0 | 5.10.1-5.16.1| | [4042262](#4042262)
| The switchd service goes down and there is a FW Long Command Timeout. | 5.10.0 | 5.10.1-5.16.1| @@ -238,27 +238,27 @@ pdfhidden: True | [4039850](#4039850)
| When the MAC address of the neighbor changes, a possible crash might occur because the pointer to which the MAC address points is freed, resulting in a dangling pointer. | 5.3.1-5.10.1 | 5.11.0-5.16.1| | [4037462](#4037462)
| The Open telemetry interface statistic description for nvswitch_histogram_interface_egress_buffer has a typographical error; engress should be egress. | 5.10.0 | 5.10.1-5.16.1| | [4037315](#4037315)
| NVUE fails to enforce the password length limitation of 512 characters or fewer. | 5.10.0-5.10.1 | 5.11.0-5.16.1| -| [4037224](#4037224)
| ASIC monitoring histogram collection might not work because of a crash in the asic-monitor service. To work around this issue, see the Release Considerations section of the What’s New. | 5.10.0 | 5.10.1-5.16.1, 5.11.0-5.16.1| +| [4037224, 4048679](#4037224, 4048679)
| ASIC monitoring histogram collection might not work because of a crash in the asic-monitor service. To work around this issue, see the Release Considerations section of the What’s New. | 5.10.0 | 5.10.1-5.16.1, 5.11.0-5.16.1| | [4030380](#4030380)
| When you roll back interface configuration to the default setting with the nv unset interface command, NVUE removes the complete entry for the interface from the /etc/network/interface file, and puts the interface in admin down. As a result, you cannot configure FEC on the interface at the lower layers. | 5.10.0-5.16.1 | | | [4023318](#4023318)
| If you run nv set commands after you perform an upgrade but before a reboot, NVUE creates a revision based off the pre-upgrade version. After reboot, the revision contains pre-upgrade data that might cause it to fail during config apply. To work around this issue, detach the stale revision after upgrade with the nv config detach command. | 5.10.0-5.10.1 | 5.11.0-5.16.1| | [4022906](#4022906)
| If you use NVUE to configure a bond, apply a port mirror on the bond, then run the nv config apply command, the validation fails.
To work around this issue, configure the bond with a separate nv config apply command before you configure the port mirror on the bond. | 5.10.0-5.10.1 | 5.11.0-5.16.1| | [4019257](#4019257)
| Some switches start booting but stop at the boot menu because console‑port noise is misinterpreted as input. | 5.9.1-5.10.1 | 5.11.0-5.16.1| | [4019256](#4019256)
| If you change the switch hostname, the histogram data producer service restarts. | 5.10.0-5.12.1 | 5.13.0-5.16.1| | [4016216](#4016216)
| If a ZTP script includes a directive to reboot, the reboot might stop the running ZTP process before it is able to disable itself from running again. As a result, the ZTP process starts again when the system comes back up. To work around this issue, run shutdown -r +1 to schedule a reboot after one minute so that the ZTP process can successfully complete disabling the ztp.service systemd service. | 5.10.0 | 5.9.2, 5.10.1-5.16.1, 5.11.0-5.16.1| -| [4005422](#4005422)
| When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the systemctl enable ntpsec@ and systemctl restart ntpsec@ commands. | 5.10.0-5.16.1 | | +| [4005422, 4015452](#4005422, 4015452)
| When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the systemctl enable ntpsec@ and systemctl restart ntpsec@ commands. | 5.10.0-5.16.1 | | | [4004898](#4004898)
| When you configure the SNMP server listening address to a VRF that has no interfaces, snmp.service fails.
To recover from the failure, set the SNMP server listening address back to the VRF that has interfaces. If you really want to move the SNMP server to the VRF with no interfaces, assign an interface to the VRF and move the SNMP server to the VRF. | 5.10.0-5.10.1 | 5.9.4, 5.11.0-5.16.1| | [3985682](#3985682)
| On Spectrum-4 switches, multicast flows containing packets smaller than 512 bytes might not reach full line rate. Cumulus Linux supports 512 byte and larger multicast packets. | 5.10.0-5.16.1 | | | [3966312](#3966312)
| When connecting the SN5xxx switch to third party test equipment (such as IXIA) using copper cables at 100GbE, 200GbE, 400GbE, or 800GbE, links do not come up. | 5.10.0-5.16.1 | | -| [3955971](#3955971)
| When using the optional nslcd service, if tls_crlcheck is in the /etc/nslcd.conf file, the service fails due to a missing library. | 5.10.0-5.10.1 | 5.11.0-5.16.1| +| [3955971, 4296649, 4308856](#3955971, 4296649, 4308856)
| When using the optional nslcd service, if tls_crlcheck is in the /etc/nslcd.conf file, the service fails due to a missing library. | 5.10.0-5.10.1 | 5.11.0-5.16.1| | [3948068](#3948068)
| On the SN3700 and SN3700c switch, the nv show platform environment voltage command output shows a failed state for the PSU-n-12V-RAIL-OUT sensors. This is a known hardware limitation that cannot be corrected by the PSU vendor. | 5.10.0-5.16.1 | | | [3928905](#3928905)
| The nv show interface commands show RX and TX Power values from the wrong lanes on breakout ports. | 5.8.0-5.9.1, 5.10.0-5.10.1 | 5.9.2, 5.11.0-5.16.1| | [3915878](#3915878)
| If you configure remote syslog export through a non-default VRF, you might see repeated error logs from the rsyslog process while the switch is booting:
rsyslogd: create UDP socket bound to device failed: No such device [v8.2302.0]rsyslogd: No UDP socket could successfully be initialized, some functionality may be disabled.  [v8.2302.0]

The logs occur because the rsyslog service starts before the networking service creates the configured VRF for syslog export. There is no functional impact with this issue. | 5.9.0-5.16.1 | | -| [3879809](#3879809)
| Spectrum-4 switches do not include full What Just Happened (WJH) support. | 5.9.0-5.13.1 | 5.14.0-5.16.1| +| [3879809, 4064254](#3879809, 4064254)
| Spectrum-4 switches do not include full What Just Happened (WJH) support. | 5.9.0-5.13.1 | 5.14.0-5.16.1| | [3879717](#3879717)
| Running snmpwalk on the switch with the management IP address does not work. To work around this issue, use the localhost option (snmpwalk -v 2c -c public28 localhost 1.3.6.1.2.1.14) or create a control plane ACL whitelist rule. | 5.10.0-5.16.1 | | -| [3878699](#3878699)
| In an EVPN multihoming configuration, when the VXLAN device associated with a layer 2 VNI flaps, there is a route entry in the tenant VRF associated with the locally learned host. | 5.9.0-5.10.1 | 5.11.0-5.16.1| +| [3878699, 3939355](#3878699, 3939355)
| In an EVPN multihoming configuration, when the VXLAN device associated with a layer 2 VNI flaps, there is a route entry in the tenant VRF associated with the locally learned host. | 5.9.0-5.10.1 | 5.11.0-5.16.1| | [3878394](#3878394)
| When ZTP runs a script that contains wget, ZTP fails and you see a message similar to the following:
ZTP: ZTP DHCP: Unexpected error: 'ascii' codec can't decode byte 0xe2 in position 181: ordinal not in range(128)ZTP: Script returned failure

To work around this issue, use the -q option with wget. | 5.9.0-5.16.1 | | | [3877516](#3877516)
| When you connect two NVIDIA switches and configure 400G speed in force mode, links don't come up.
To work around this issue, make sure auto-negotiation is always on when connecting NVIDIA to NVIDIA in PAM4. | 5.9.0-5.16.1 | | -| [3875687](#3875687)
| After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the Local Vtep Ip field of the nv show evpn vni command output. To work around this issue, either run the ifup command or reboot the switch. | 5.9.0-5.13.1 | 5.14.0-5.16.1| +| [3875687, 3879260, 4025900](#3875687, 3879260, 4025900)
| After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the Local Vtep Ip field of the nv show evpn vni command output. To work around this issue, either run the ifup command or reboot the switch. | 5.9.0-5.13.1 | 5.14.0-5.16.1| | [3875373](#3875373)
| When you run the nv config apply empty command, NVUE removes the cumulus user. If you are logged in as the cumulus user when you run the nv config apply empty command, the command fails. | 5.9.0-5.16.1 | | | [3861745](#3861745)
| On UEFI hardware (where the /sys/firmware/efi directory exists), using the update-grub program might generate a /boot/grub/grub.cfg that is incorrect for booting ONIE if the ONIE option is selected on the console while booting. To work around this issue, run mount LABEL="EFI System" /boot/efi before using update-grub. | 5.9.0-5.16.1 | | | [3855796](#3855796)
| When configuring a Unicast Master Table for clients, the server addresses must be reachable and the route to the destination must exist. The unicast table can have one directly-connected port for a client. This restriction is only for directly connected ports and doesn't apply to Unicast Servers on other devices or switches. | 5.9.0-5.16.1 | | @@ -273,18 +273,18 @@ pdfhidden: True | [3637444](#3637444)
| Applying an inbound control plane ACL on the eth0 management interface does not take effect. To work around this issue, apply the ACL on the mgmt interface; for example, nv set interface mgmt acl inbound control-plane. | 5.7.0-5.16.1 | | | [3591918](#3591918)
| The nv action disconnect system aaa user command does not clear all open sessions. To work around this issue, run the command as many times as the number of sessions. | 5.6.0-5.16.1 | | | [3587393](#3587393)
| If you use the NVIDIA SN5600 (Spectrum-4) switch with Ixia test equipment, you might experience delayed link up due to intermittent link flaps.
To work around this issue when using copper cables:
  • Use Ixia IxOS version 9.37 with HF002156, or version 9.39 or later.
  • Use the DAC cable on ports 10 through 50.
  • Use NVIDIA cables with the recommended firmware revision.
  • Configure AN on the Cumulus Linux switch and AN/LT on Ixia.

To work around this issue when using fiber cables:
  • Configure 800g/Force.
  • Use the recommended NVIDIA optical adapters.
| 5.6.0-5.16.1 | | -| [3556762](#3556762)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | +| [3556762, 3463827](#3556762, 3463827)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | | [3540510](#3540510)
| 400Gx8 ports only support traffic line rate with packets that are larger than 172 bytes. | 5.6.0-5.16.1 | | -| [3538321](#3538321)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | +| [3538321, 3564344](#3538321, 3564344)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | | [3497622](#3497622)
| When you remove PSUs, then plug them back in, you might experience traffic loss and some ports might be in a down state. | 5.6.0-5.16.1 | | | [3472163](#3472163)
| On a switch with the Spectrum-4 ASIC, packets that are smaller than 256 bytes are not included in multicast flows. Multicast flows support packets that are 256 bytes or larger. | 5.6.0-5.16.1 | | -| [3452681](#3452681)
| When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND. | 5.5.0-5.10.1 | 5.11.0-5.16.1| +| [3452681, 3465375](#3452681, 3465375)
| When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND. | 5.5.0-5.10.1 | 5.11.0-5.16.1| | [3444490](#3444490)
| Migration from ONYX to Cumulus Linux is supported and tested with ONYX version 3.10.4302 GA only. | 5.6.0-5.16.1 | | -| [3442569](#3442569)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | -| [3430430](#3430430)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | -| [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | +| [3442569, 3520880, 3586421](#3442569, 3520880, 3586421)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | +| [3430430, 3337848](#3430430, 3337848)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | +| [3424967, 3413785](#3424967, 3413785)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [3414866](#3414866)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | +| [3414866, 3536555, 4465009, 4509253, 4732973](#3414866, 3536555, 4465009, 4509253, 4732973)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | | [3362113](#3362113)
| If you restore an NVUE startup.yaml file or run the nv config patch command after an upgrade that includes breakout ports with QoS configuration, the NVUE configuration fails to apply. Subsequent attempts to run nv config apply fail with a message similar to Invalid config [rev_id: 11] qos config is not supported on the following invalid interface: swp1s0. Supported on swp and bond interface types. To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. | 5.4.0-5.16.1 | | | [3347538](#3347538)
| When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.16.1 | | | [3341214](#3341214)
| If you use the NVUE REST API to configure a local user with a hashed password, the user cannot log in and the /etc/nvue.d/startup.yaml file shows the password as plain text. | 5.4.0-5.16.1 | | @@ -294,10 +294,10 @@ pdfhidden: True | [3253218](#3253218)
| Auto-negotiation isn't supported on Spectrum-2 and Spectrum-3 switches using the 1G SFP-T module; FORCE 1G is configured instead. | 5.4.0-5.16.1 | | | [3241567](#3241567)
| When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time. | 5.3.0-5.16.1 | | | [3226506](#3226506)
| The l1-show eth0 command does not show port information and is not supported in this release. | 5.3.0-5.16.1 | | -| [3225117](#3225117)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | +| [3225117, 3158720](#3225117, 3158720)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | | [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.16.1 | | | [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.16.1 | | -| [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | +| [3145869, 3430508, 3543102](#3145869, 3430508, 3543102)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | | [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example: 
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.16.1 | | | [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.16.1 | | | [3103821](#3103821)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.16.1 | | @@ -307,8 +307,8 @@ pdfhidden: True | [3061656](#3061656)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.16.1 | | | [2972540](#2972540)
| With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.16.1 | | | [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.16.1 | | -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [2885305](#2885305)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2885305, 2887500, 3234087, 3074929, 3293192](#2885305, 2887500, 3234087, 3074929, 3293192)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.16.1 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.16.1 | | | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | @@ -319,15 +319,15 @@ pdfhidden: True | Issue ID | Description | Affects | |--- |--- |--- | | [4023637](#4023637)
| When you disable dynamic NAT manually in the /etc/cumulus/switchd.conf file instead of using NVUE commands but the dynamic NAT rules still exist in the /etc/cumulus/acl/policy,d/.rules file, the switch encounters a memory leak. To work around this issue, remove dynamic NAT rules in rules files in /etc/cumulus/acl/policy.d before you disable dynamic NAT in the /etc/cumulus/switchd.conf file. | 5.9.0-5.9.1 | | -| [4015327](#4015327)
| If you change the hostname in the /etc/hostname file after the asic_monitor@vrf service starts, the hostname is not reflected in the Open Telemetry exported resource attribute. To work around this issue, restart the asic_monitor@vrf service. | | | +| [4015327, 4014617](#4015327, 4014617)
| If you change the hostname in the /etc/hostname file after the asic_monitor@vrf service starts, the hostname is not reflected in the Open Telemetry exported resource attribute. To work around this issue, restart the asic_monitor@vrf service. | | | | [4012011](#4012011)
| A memory corruption kernel crash might occur due to a netfilter error. The log message from netfilter might contain a warning similar to the following:
kernel: WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_core.c:1210 __nf_conntrack_confirm+0x5c7/0x6b0 [nf_conntrack]kernel: RIP: 0010:__nf_conntrack_confirm+0x5c7/0x6b0 [nf_conntrack]
| 5.9.1 | | | [4004453](#4004453)
| The NVUE commands to delete SNMP users, and change authentication passwords and encryption passphrases are not successful. | 4.3.0-5.9.1 | | | [3998581](#3998581)
| When two SVIs are configured with the same VLAN ID and are assigned to separate bridges (each in a different VRF) but both bridges share the same MAC hardware address, traffic drops might occur. | 5.9.1 | | -| [3994544](#3994544)
| Under certain scale scenarios, the switch might end up in a state where the PTM component's connection to LLDP breaks. This issue results in LLDP socket contention issues and, in turn, a PTM memory leak. | 5.9.1-5.9.5 | | +| [3994544, 3976680](#3994544, 3976680)
| Under certain scale scenarios, the switch might end up in a state where the PTM component's connection to LLDP breaks. This issue results in LLDP socket contention issues and, in turn, a PTM memory leak. | 5.9.1-5.9.5 | | | [3990258](#3990258)
| Cumulus Linux incorrectly handles unnumbered neighbor types, which causes discrepancies in the running configuration and session flaps during FRR reload. | 5.9.0-5.9.1 | | | [3985600](#3985600)
| NTP initialization issues prevent the NTP service from starting on a non-default VRF. | 5.9.0-5.9.5 | | | [3982222](#3982222)
| When you enable SPAN on a bridge member, an ARP or Gratuitous ARP received during a failover event between locally attached redundant devices, such as load balancers, might fail to update the bridge MAC table to point to the interface with the newly active load balancer.

To work around this issue, remove the SPAN configuration from the bridge member or ensure that the load balancer generates non-ARP traffic after the failover to properly update the bridge MAC table. | 5.4.0-5.9.1 | | -| [3974890](#3974890)
| The ntpsec@mgmt service does not come up by default when you install an image with ONIE because the trigger to bring up the service is missing. | 5.9.1 | | +| [3974890, 3925795](#3974890, 3925795)
| The ntpsec@mgmt service does not come up by default when you install an image with ONIE because the trigger to bring up the service is missing. | 5.9.1 | | | [3972715](#3972715)
| The fans on the NVIDIA SN2410 switch (Part Number SSG7A80800) might spin at high speed. | 5.9.1 | | | [3970626](#3970626)
| When you configure the bridge.kernel_mac_refresh_interval parameter in the switchd.conf file, a switchd restart fails with a core dump. | 5.8.0-5.9.1 | | | [3966673](#3966673)
| In an EVPN multihoming configuration, if you enable multihoming without any local ESI configuration, arp-nd-redirect remains disabled unless you restart FRR with the sudo systemctl restart frr.service command. | 5.9.1 | | @@ -336,10 +336,10 @@ pdfhidden: True | [3957620](#3957620)
| On the Spectrum-4 switch, when you use PTP on a 800G link, jumbo frames traversing the same link might cause a degradation in PTP performance. | 5.9.0-5.9.1 | | | [3956091](#3956091)
| When you modify the default QoS configuration on top of the base RoCE configuration, NVUE reports an Invalid exception in the nv show qos roce command output even when the configuration is valid. | 5.8.0-5.9.1 | | | [3955615](#3955615)
| Cumulus Linux does not recognize QSFP_CMIS optical modules correctly. | 5.6.0-5.9.1 | | -| [3954026](#3954026)
| Static ARP configured with NVUE commands is deleted when the relevant layer 3 interface flaps. | 5.8.0-5.9.1 | | +| [3954026, 3677821](#3954026, 3677821)
| Static ARP configured with NVUE commands is deleted when the relevant layer 3 interface flaps. | 5.8.0-5.9.1 | | | [3951643](#3951643)
| The NVUE unset and set command for the same object in a patch file (nv config patch .yaml) causes a python exception. | 5.9.1 | | | [3950322](#3950322)
| After switchd restarts, the sFlow sampling rate set in the hardware might not match with the configured values for about 3 minutes. This issue occurs because interfaces are not yet up during the initial sampling rate setting. | 5.9.1 | | -| [3949367](#3949367)
| If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. | 5.3.1-5.9.1 | | +| [3949367, 3949366](#3949367, 3949366)
| If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. | 5.3.1-5.9.1 | | | [3947432](#3947432)
| In an EVPN multihoming configuration, if a host bond enters the protodown state due to a link flap, when you try to clear the protodown state, FRR reprograms it. | 5.9.1 | | | [3943834](#3943834)
| The default memory configuration for NVIDIA Cumulus VX OVA is too low and needs to be increased. | 5.9.0-5.9.1 | | | [3941608](#3941608)
| The default NIC for the VMWare OVA file is set to vmxnet3 instead of e1000. | 5.9.0-5.9.1 | | @@ -357,12 +357,12 @@ pdfhidden: True | [3897227](#3897227)
| During an LLDP update storm while deleting or adding LLPD neighbors, PTMD crashes as a result of mishandling multi-threaded LLPD processing. | 5.5.1-5.9.5 | | | [3896967](#3896967)
| PTP doesn't come up with IPv6 over a trunk port due to the IPv6 VLAN tag not being sent. PTP over an IPv4 trunk works fine. | 5.8.0-5.9.1 | | | [3895848](#3895848)
| MLAG bonds might report an LACP partner MAC mismatch unexpectedly during LACP negotation and MLAG convergence until the bond reaches a dual connected state. There is no impact to bonds when this mismatch is reported. | 5.9.0-5.9.5 | | -| [3895042](#3895042)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | | +| [3895042, 3895041](#3895042, 3895041)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | | | [3895017](#3895017)
| When ARP suppression is off, remote EVPN VTEPs duplicate ARP packets from local hosts and each remote host receives two copies of the ARP packets. The issue also applies to IPv6 ND packets. | 5.8.0-5.9.1 | | | [3890993](#3890993)
| On the NVIDIA spectrum-4 switch, l1-show command output does not show Eye opening information for an interface port. | 5.9.0-5.9.5 | | | [3881789](#3881789)
| If you configure the anycast IP address with the nv set nve vxlan mlag shared-address command after you configure MLAG, the anycast IP address configuration is not applied and the VXLAN interface is in a protodown state. To work around this issue, run sudo ifreload -a.
To avoid this issue, either apply the anycast configuration before you apply the MLAG configuration or configure the anycast IP address and MLAG together with a single nv config apply command. | 5.9.0-5.9.1 | | | [3879635](#3879635)
| ERSPAN port-mirror sessions might not come up after a switchd service restart. To work around this issue and bring up the ERSPAN session, either run switchd reload after a switchd restart or use an ACL-based ERSPAN session. | 5.9.0-5.9.1 | | -| [3878166](#3878166)
| The NVUE nv show interface eth0 and nv show vrf commands take more than two minutes to run if you have configured hundreds of interfaces because NVUE makes repetitive system calls to get vlan/link/tunnel bridge information. | 5.9.0-5.9.1 | | +| [3878166, 4023377](#3878166, 4023377)
| The NVUE nv show interface eth0 and nv show vrf commands take more than two minutes to run if you have configured hundreds of interfaces because NVUE makes repetitive system calls to get vlan/link/tunnel bridge information. | 5.9.0-5.9.1 | | | [3875589](#3875589)
| MLAG bonds might report an LACP partner MAC mismatch unexpectedly during LACP negotation and MLAG convergence until the bond reaches a dual connected state. There is no impact to bonds when this mismatch is reported. | 5.9.0-5.9.1 | | | [3873219](#3873219)
| When you remove a port from a bond and add it to the bridge in a single set of NVUE commands, then apply the configuration, the port forwarding state is blocked on all the bridge VLANs. To work around this issue, apply the configuration in two steps. First remove the port from the bond and apply the configuration, then add the port to the bridge and apply the configuration. | 5.9.0-5.9.5 | | | [3859422](#3859422)
| On rare occasions when certain events occur, such as changes to the topology in the network, when a bond comes online and directly transits to an STP blocking state, the slave ports might still be in a forwarding state. As a result, traffic is forwarded on a blocked port. | 5.2.0-5.9.1 | | @@ -370,12 +370,12 @@ pdfhidden: True | [3854800](#3854800)
| The switch forwards multicast traffic to the CPU when PIM is enabled globally, regardless of the interface configuration. | 5.6.0-5.9.1 | | | [3851499](#3851499)
| On the Spectrum A1 switch, when you enable the ip-acl-heavy TCAM profile, VXLAN tunnel initialization might fail. | 5.8.0-5.9.1 | | | [3821643](#3821643)
| When using SSM and the upstream interface goes away (the source stops sending or the link goes down) the PIMREG interface is added to the outgoing interface list of the S,G and is never removed. As a result, multicast traffic that hits the impacted S,G is forwarded to the CPU and dropped by the switch. | 5.9.0-5.9.1 | | -| [3775686](#3775686)
| The BGP Suppress Route Advertisement feature under scale (more than 30000 routes) advertises partial updates to downstream neighbors. Because FRR does not read kernel route updates fast enough, the netlink socket receive buffer gets full and further update notifications are dropped. | 5.8.0-5.9.5 | | +| [3775686, 3644649](#3775686, 3644649)
| The BGP Suppress Route Advertisement feature under scale (more than 30000 routes) advertises partial updates to downstream neighbors. Because FRR does not read kernel route updates fast enough, the netlink socket receive buffer gets full and further update notifications are dropped. | 5.8.0-5.9.5 | | | [3763543](#3763543)
| The NVIDIA SN4600C switch fails to boot fully after you upgrade from Cumulus Linux 4.2.1 to 5.7 with ONIE install. To work around this issue, perform an intermediate step image upgrade; for example, upgrade the switch from Cumulus Linux 4.2.1 to 5.2.1 to 5.7.0. | 5.7.0-5.9.1 | | | [3711913](#3711913)
| When you set an IPv4 ACL with a log action, logs do not appear under syslog after a match. This issue affects bridged packets when the rule is installed in iptables. To work around this issue, set the ACL with a MAC rule type so that it is installed in ebtables and the packets are logged correctly in syslog.
The following shows an example configuration:
cumulus@switch:~$ nv set acl one rule 1 action log log-prefix NVIDIA
cumulus@switch:~$ nv set acl one rule 1 match ip protocol udp
cumulus@switch:~$ nv set acl one rule 1 match ip source-ip 10.0.14.2
cumulus@switch:~$ nv set acl one rule 1 match ip udp source-port 34
cumulus@switch:~$ nv set acl one rule 1 match mac protocol ipv4
cumulus@switch:~$ nv set acl one type mac
| 5.7.0-5.9.5 | | | [3636266](#3636266)
| When an unresolved next hop is present in a next hop group, especially over an SVI interface, the switch checks if the neighbor MAC address is in the forwarding table. If the neighbor's MAC address is not there, the switch skips this next hop from backend programming and you see the switchd error ERR NH: l3 nhg v6 l3 nhg contains one or more unresolvable nexthops. There is no impact to switch functionality as unresolved neighbors are not programmed in hardware until they are resolved. | 5.7.0-5.9.5 | | -| [3610591](#3610591)
| After configuring the system level pre-login and post-login banner messages, the messages do not return to their default settings when you run the nv unset system command or the nv config apply empty command. | 5.7.0-5.9.5 | | +| [3610591, 3781456](#3610591, 3781456)
| After configuring the system level pre-login and post-login banner messages, the messages do not return to their default settings when you run the nv unset system command or the nv config apply empty command. | 5.7.0-5.9.5 | | | [3393966](#3393966)
| When you configure OSPF network statements using NVUE with the nv set vrf router ospf area network command, subsequent configuration changes with NVUE might bring down all OSPF neighbors. To work around this issue, create an NVUE snippet to configure the network statement, or use the nv set interface router ospf area command to enable OSPF on interfaces instead of using a network statement. | 5.5.0-5.9.5 | | -| [2705056](#2705056)
| SVIs do not inherit the pinned MAC address of the bridge. | 4.3.0 | | +| [2705056, 3061431](#2705056, 3061431)
| SVIs do not inherit the pinned MAC address of the bridge. | 4.3.0 | | | [2543915](#2543915)
| When you enable a service in the management VRF, systemctl issues a warning similar to the following:
Warning: The unit file, source configuration file or drop-ins of ntp@mgmt.service changed on disk. Run 'systemctl daemon-reload' to reload unit
You can safely ignore this warning. | 4.0.0-5.9.5 | | diff --git a/content/cumulus-linux-510/rn.xml b/content/cumulus-linux-510/rn.xml index 98c40033d2..7a0ca9a4b6 100644 --- a/content/cumulus-linux-510/rn.xml +++ b/content/cumulus-linux-510/rn.xml @@ -1073,7 +1073,7 @@ To work around this issue, power cycle the switch. -4423336 +4423336, 3875789, 3933038 When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the {{nv config patch}} command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with {{systemctl restart nvued.service}}. 5.9.0-5.11.5 5.12.0-5.16.1 @@ -1097,7 +1097,7 @@ To work around this issue, power cycle the switch. -4422898 +4422898, 4497128 When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. 5.0.0-5.13.1 5.14.0-5.16.1 @@ -1158,7 +1158,7 @@ This happens in async mode, where the end notification expected after an end of -4129699 +4129699, 3790461 {{switchd}} crashes because the hardware MAC limit is higher than the maximum. 5.8.0-5.10.1 5.11.0-5.16.1 @@ -1245,7 +1245,7 @@ Save the file, run the {{nv config patch vlan-aware_bridge_snippet.yaml}} comman 5.11.0-5.16.1 -4081974 +4081974, 3905576 When you use {{mlxlink}} to check TX power, you see incorrect values for different lanes of a port. To work around this issue, either use the NVUE {{nv show platform transceiver <interface>}} command or the ethtool {{-m <interface>}} command. 5.10.0-5.10.1 5.11.0-5.16.1 @@ -1315,7 +1315,7 @@ interface_stats: [ERROR] interface_stats_collector.py:_parse_conf_file:201 — C 5.11.0-5.16.1 -4049213 +4049213, 4186873 When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. 5.9.2-5.16.1 @@ -1327,7 +1327,7 @@ interface_stats: [ERROR] interface_stats_collector.py:_parse_conf_file:201 — C 5.13.0-5.16.1 -4047829 +4047829, 4040901, 4040916 Ports can be operationally down if the {{switchd}} service fails to come UP due to certain firmware failures and you the following {{switchd.log}} messages: PDDR long process T.O MCIA no response @@ -1380,7 +1380,7 @@ To work around this issue, power-cycle the switch. 5.11.0-5.16.1 -4037224 +4037224, 4048679 ASIC monitoring histogram collection might not work because of a crash in the {{asic-monitor}} service. To work around this issue, see the <a href="https://docs.nvidia.com/networking-ethernet-software/cumulus-linux-510/Whats-New/#release-considerations">Release Considerations section of the What’s New</a>. 5.10.0 5.10.1-5.16.1, 5.11.0-5.16.1 @@ -1422,7 +1422,7 @@ To work around this issue, power-cycle the switch. 5.9.2, 5.10.1-5.16.1, 5.11.0-5.16.1 -4005422 +4005422, 4015452 When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the {{systemctl enable ntpsec@<vrf>}} and {{systemctl restart ntpsec@<vrf>}} commands. 5.10.0-5.16.1 @@ -1446,7 +1446,7 @@ To work around this issue, power-cycle the switch. -3955971 +3955971, 4296649, 4308856 When using the optional {{nslcd}} service, if {{tls_crlcheck}} is in the {{/etc/nslcd.conf}} file, the service fails due to a missing library. 5.10.0-5.10.1 5.11.0-5.16.1 @@ -1473,7 +1473,7 @@ The logs occur because the {{rsyslog}} service starts before the networking serv -3879809 +3879809, 4064254 Spectrum-4 switches do not include full What Just Happened (WJH) support. 5.9.0-5.13.1 5.14.0-5.16.1 @@ -1485,7 +1485,7 @@ The logs occur because the {{rsyslog}} service starts before the networking serv -3878699 +3878699, 3939355 In an EVPN multihoming configuration, when the VXLAN device associated with a layer 2 VNI flaps, there is a route entry in the tenant VRF associated with the locally learned host. 5.9.0-5.10.1 5.11.0-5.16.1 @@ -1506,7 +1506,7 @@ To work around this issue, use the {{-q}} option with {{wget}}. -3875687 +3875687, 3879260, 4025900 After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the {{Local Vtep Ip}} field of the {{nv show evpn vni <vni>}} command output. To work around this issue, either run the {{ifup <vxlan-id>}} command or reboot the switch. 5.9.0-5.13.1 5.14.0-5.16.1 @@ -1615,7 +1615,7 @@ To work around this issue when using fiber cables: -3556762 +3556762, 3463827 On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. 5.5.0-5.16.1 @@ -1627,7 +1627,7 @@ To work around this issue when using fiber cables: -3538321 +3538321, 3564344 In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. 5.6.0-5.16.1 @@ -1645,7 +1645,7 @@ To work around this issue when using fiber cables: -3452681 +3452681, 3465375 When you run the NVUE {{nv show system aaa tacacs authorization}} commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to {{Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND}}. 5.5.0-5.10.1 5.11.0-5.16.1 @@ -1657,19 +1657,19 @@ To work around this issue when using fiber cables: -3442569 +3442569, 3520880, 3586421 When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both {{nginx.service}} and {{nvued.service}} to begin authenticating users against the new authentication service. 5.5.0-5.16.1 -3430430 +3430430, 3337848 When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. 5.5.0-5.16.1 -3424967 +3424967, 3413785 {{sudo}} for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the {{default}} VRF. To work around this issue, specify the interface name that the {{default}} VRF uses in the {{vrf=}} setting of the {{/etc/tacplus_servers}} file or run the NVUE {{nv set system aaa tacacs vrf}} command. If you don't run either command, a TACACS+ user with privilege level 15 can run {{vrf task exec default sudo ...}} to execute the {{sudo}} command. 5.0.0-5.16.1 @@ -1682,7 +1682,7 @@ The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 -3414866 +3414866, 3536555, 4465009, 4509253, 4732973 Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error. sx_sdk: 22985 [BRIDGE] [ERROR ]: Port(0x200A000D)) already added to a bridge You can ignore this error; it has no impact on switch functionality. @@ -1744,7 +1744,7 @@ You can ignore this error; it has no impact on switch functionality. -3225117 +3225117, 3158720 Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. 5.4.0-5.16.1 @@ -1767,7 +1767,7 @@ To work around this issue, reference the OID without the preceding period ( {{.} -3145869 +3145869, 3430508, 3543102 On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. 5.2.0-5.16.1 @@ -1830,7 +1830,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -1838,7 +1838,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2885305 +2885305, 2887500, 3234087, 3074929, 3293192 Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. 5.0.0-5.16.1 @@ -1886,7 +1886,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 5.9.0-5.9.1 -4015327 +4015327, 4014617 If you change the hostname in the {{/etc/hostname}} file after the {{asic_monitor@vrf}} service starts, the hostname is not reflected in the Open Telemetry exported resource attribute. To work around this issue, restart the {{asic_monitor@vrf}} service. @@ -1907,7 +1907,7 @@ kernel: RIP: 0010:__nf_conntrack_confirm+0x5c7/0x6b0 [nf_conntrack] 5.9.1 -3994544 +3994544, 3976680 Under certain scale scenarios, the switch might end up in a state where the PTM component's connection to LLDP breaks. This issue results in LLDP socket contention issues and, in turn, a PTM memory leak. 5.9.1-5.9.5 @@ -1927,7 +1927,7 @@ kernel: RIP: 0010:__nf_conntrack_confirm+0x5c7/0x6b0 [nf_conntrack] 5.4.0-5.9.1 -3974890 +3974890, 3925795 The {{ntpsec@mgmt}} service does not come up by default when you install an image with ONIE because the trigger to bring up the service is missing. 5.9.1 @@ -1972,7 +1972,7 @@ kernel: RIP: 0010:__nf_conntrack_confirm+0x5c7/0x6b0 [nf_conntrack] 5.6.0-5.9.1 -3954026 +3954026, 3677821 Static ARP configured with NVUE commands is deleted when the relevant layer 3 interface flaps. 5.8.0-5.9.1 @@ -1987,7 +1987,7 @@ kernel: RIP: 0010:__nf_conntrack_confirm+0x5c7/0x6b0 [nf_conntrack] 5.9.1 -3949367 +3949367, 3949366 If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. 5.3.1-5.9.1 @@ -2081,7 +2081,7 @@ You can safely ignore this error as FRR accepts and applies the new configuratio 5.9.0-5.9.5 -3895042 +3895042, 3895041 After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes: snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a This issue occurs because {{poectl}} is called on non-PoE switches. To work around this issue, remove or comment out the {{poetcl}} call from the {{/etc/snmpd.conf}} file, then restart the {{snmpd}} process with the {{sudo systemctl snmpd restart}} command. @@ -2109,7 +2109,7 @@ This issue occurs because {{poectl}} is called on non-PoE switches. To work arou 5.9.0-5.9.1 -3878166 +3878166, 4023377 The NVUE {{nv show interface eth0}} and {{nv show vrf}} commands take more than two minutes to run if you have configured hundreds of interfaces because NVUE makes repetitive system calls to get {{vlan/link/tunnel}} bridge information. 5.9.0-5.9.1 @@ -2149,7 +2149,7 @@ This issue occurs because {{poectl}} is called on non-PoE switches. To work arou 5.9.0-5.9.1 -3775686 +3775686, 3644649 The BGP Suppress Route Advertisement feature under scale (more than 30000 routes) advertises partial updates to downstream neighbors. Because FRR does not read kernel route updates fast enough, the netlink socket receive buffer gets full and further update notifications are dropped. 5.8.0-5.9.5 @@ -2177,7 +2177,7 @@ cumulus@switch:~$ nv set acl one type mac 5.7.0-5.9.5 -3610591 +3610591, 3781456 After configuring the system level pre-login and post-login banner messages, the messages do not return to their default settings when you run the {{nv unset system}} command or the {{nv config apply empty}} command. 5.7.0-5.9.5 @@ -2187,7 +2187,7 @@ cumulus@switch:~$ nv set acl one type mac 5.5.0-5.9.5 -2705056 +2705056, 3061431 SVIs do not inherit the pinned MAC address of the bridge. 4.3.0 diff --git a/content/cumulus-linux-511/Whats-New/rn.md b/content/cumulus-linux-511/Whats-New/rn.md index e885b21bc1..e32ea7f364 100644 --- a/content/cumulus-linux-511/Whats-New/rn.md +++ b/content/cumulus-linux-511/Whats-New/rn.md @@ -36,13 +36,13 @@ pdfhidden: True | [4621759](#4621759)
| When many BFD sessions are configured at scale, ptmd might crash when one of the BFD sessions flaps. | 5.3.1-5.14.0 | 5.15.0-5.16.1| | [4608614](#4608614)
| When setting up SSH keys, you have to run nv config apply twice for the configuration to take effect. | 5.11.3-5.16.1 | | | [4582679](#4582679)
| If a node has Suppress Route Advertisement enabled and routes are re-learned; for example, when a peer sends the route again due to route policy changes, or you enable or disable graceful shutdown, not all routes are offloaded, which might cause discrepancies in traffic. | 5.9.4-5.16.1 | | -| [4579237](#4579237)
| If interface statistics telemetry is running on the switch, an interface_stats_collector core file might generate during statistics collection. | 5.11.3-5.16.1 | | -| [4558846](#4558846)
| If interface statistics telemetry is running on the switch, an interface_stats_collector core file might generate during statistics collection. | 5.11.0-5.11.5 | 5.12.0-5.16.1| +| [4579237, 4579234](#4579237, 4579234)
| If interface statistics telemetry is running on the switch, an interface_stats_collector core file might generate during statistics collection. | 5.11.3-5.16.1 | | +| [4558846, 4237198](#4558846, 4237198)
| If interface statistics telemetry is running on the switch, an interface_stats_collector core file might generate during statistics collection. | 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4548512](#4548512)
| When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface vlan10, the route might install against vlan10-v0. This prevents next-hop tracking and route installation into hardware.
This issue can occur in the following conditions:
  • When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.
  • In an MLAG and VRR configuration, static routes fail to install when the route is resolved through a connected route and the interface of the connected route undergoes a link state change for any reason, such as link flaps, interface bring-up, clagd restart, switchd restart, etc.

To work around this issue, restart the FRR service using the sudo systemctl restart frr.service command. | 5.11.0-5.16.1 | | | [4535804](#4535804)
| If you use a bridge name other than br_default, PTP neighbors fail to establish because the PTP packets are sourced from an unexpected IP address.
To work around this issue, configure the base-interface for the VLAN interface with the nv set interface base-interface command. | 5.10.0-5.16.1 | | | [4535749](#4535749)
| The uc-discards field in the nv show interface counters qos egress-queue-stats command output is actually the number of packets discarded per queue, but it is wrongly interpreted as bytes. To work around this issue, convert the data shown in bytes to packets by multiplying by 1024 if the data is in KB, 1024x1024 if the data is in MB, and 1024x1024x1024 if the data is in GB. | 5.11.0-5.16.1 | | | [4535699](#4535699)
| When you configure the RADIUS authentication order with local first and radius second, the RADIUS user is authenticated as a default user name. | 5.11.3-5.16.1 | | -| [4531952](#4531952)
| When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface vlan10, the route might install against vlan10-v0. This prevents next-hop tracking and route installation into hardware.
This issue can occur in the following conditions:
  • When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.
  • In an MLAG and VRR configuration, static routes fail to install when the route is resolved through a connected route and the interface of the connected route undergoes a link state change for any reason, such as link flaps, interface bring-up, clagd restart, switchd restart, etc.

To work around this issue, restart the FRR service using the sudo systemctl restart frr.service command. | 5.11.1-5.13.1 | 5.14.0-5.16.1| +| [4531952, 4518822](#4531952, 4518822)
| When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface vlan10, the route might install against vlan10-v0. This prevents next-hop tracking and route installation into hardware.
This issue can occur in the following conditions:
  • When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.
  • In an MLAG and VRR configuration, static routes fail to install when the route is resolved through a connected route and the interface of the connected route undergoes a link state change for any reason, such as link flaps, interface bring-up, clagd restart, switchd restart, etc.

To work around this issue, restart the FRR service using the sudo systemctl restart frr.service command. | 5.11.1-5.13.1 | 5.14.0-5.16.1| | [4531104](#4531104)
| On a switch with SDK 4.6.1062 or earlier, you might see FW fatal health events. | 5.6.0-5.13.1 | 5.14.0-5.16.1| | [4522594](#4522594)
| In a VXLAN environment, if the bridge MAC address changes for a VTEP, the switch drops VXLAN traffic entering this VTEP from a remote VTEP. The switch only drops layer 3 routed VXLAN traffic because the RMAC is not updated correctly in the SDK. | 5.11.1-5.11.5 | 5.9.4, 5.12.0-5.16.1| | [4521203](#4521203)
| The SATA driver on the NVIDIA SN2410 switch sometimes exhibits failures similar to the following:
2025-06-20T20:03:38.785966+09:00 S1-RF10B kernel: 
[49878794.456350] ata1.00: failed command: WRITE FPDMA QUEUED
2025-06-20T20:03:38.785968+09:00 S1-RF10B kernel: [49878794.461984] ata1.00: cmd
61/08:08:50:2b:c4/00:00:01:00:00/40 tag 1 ncq dma 4096 out
2025-06-20T20:03:38.785970+09:00 S1-RF10B kernel: [49878794.461984] res 40/00:0c:50:2b:c4/00:00:01:00:00/40 Emask 0×10 (ATA bus error)

To work around this issue, power cycle the switch. | 5.5.1-5.13.1 | 5.14.0-5.16.1| @@ -51,7 +51,7 @@ pdfhidden: True | [4495231](#4495231)
| If the hardware clock date is later than 2038-01-19 03:14:07 UTC, the image might fail to install due to a grub-install failure on the EFI filesystem, which is a VFAT filesystem. As a result, you see the grub prompt immediately after reboot. To work around this issue, reboot from the grub prompt to go into ONIE. From ONIE, use the date command to set a date before 2038-01-19, then run the hwclock --systohc command to add it to the hardware clock. You can then use onie-nos-install to install the image. | 5.9.0-5.16.1 | | | [4486200](#4486200)
| If you enable dynamic NAT and try to install two identical dynamic NAT rules, switchd might crash. | 5.11.2-5.13.1 | 5.14.0-5.16.1| | [4475111](#4475111)
| When you try to convert a layer 3 port that is part of ECMP to a bond member, you might see a failure in the switchd logs. This issue does not have any functional impact. | 5.11.2-5.16.1 | 5.9.4| -| [4472414](#4472414)
| After you modify the IP address of an SVI, DHCP relay uses an old cached IP address instead of the changed IP address. This occurs because DHCP relay monitors the link state change not IP address change. | 5.11.0-5.14.0 | 5.15.0-5.16.1| +| [4472414, 4621451](#4472414, 4621451)
| After you modify the IP address of an SVI, DHCP relay uses an old cached IP address instead of the changed IP address. This occurs because DHCP relay monitors the link state change not IP address change. | 5.11.0-5.14.0 | 5.15.0-5.16.1| | [4461102](#4461102)
| In certain cases, when a port is down and you apply adaptive routing with the link utilization threshold setting to the port as it goes up, you might see log errors while the port is not yet up. | 5.11.0-5.13.1 | 5.14.0-5.16.1| | [4423352](#4423352)
| ZTP scripts return an error due to incorrect ASCI to UTF-8 conversion. | 5.11.0-5.16.1 | | | [4423335](#4423335)
| When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the nv config patch command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with systemctl restart nvued.service. | 5.9.0-5.16.1 | | @@ -61,7 +61,7 @@ pdfhidden: True | [4423235](#4423235)
| The snmpd service generates debugging logs of sudo calls. To work around this issue, disable sudo logging for the specific commands run by the Debian-snmp user in the /etc/sudoers.d/snmp file by adding Defaults:Debian-snmp !syslog. | 5.11.0-5.16.1 | | | [4408387](#4408387)
| BGP crashes during EVPN route install due to incorrect memory access. | 5.11.0-5.13.1 | 5.14.0-5.16.1| | [4360615](#4360615)
| The control plane trap group counters are not associated correctly with the right trap group. | 5.11.0-5.12.1 | 5.13.0-5.16.1| -| [4328729](#4328729)
| When sending control packets that have the port range 259 through 1023 in their TX base header system target (above cap_max_system_ports and below cap_ports used for LAG forwarding), a fatal health event occurs on the switch. The port range 259 through 1023 reflects illegal system ports; do not set these values in the control packet TX base header. As this range reflects illegal system ports, do not set these values in the control packet TX base header, as it will be dropped. | 5.10.1-5.12.1 | 5.13.0-5.16.1| +| [4328729, 4261676](#4328729, 4261676)
| When sending control packets that have the port range 259 through 1023 in their TX base header system target (above cap_max_system_ports and below cap_ports used for LAG forwarding), a fatal health event occurs on the switch. The port range 259 through 1023 reflects illegal system ports; do not set these values in the control packet TX base header. As this range reflects illegal system ports, do not set these values in the control packet TX base header, as it will be dropped. | 5.10.1-5.12.1 | 5.13.0-5.16.1| | [4270957](#4270957)
| Optimized (two partition) upgrade from Cumulus Linux 5.11.0 requires approximately 2.4 Gbytes of free space in /var after downloading the image with NVUE commands instead of 1.6 Gbytes of free space. Upgrade needs the extra space for an additional copy of the downloaded image in /var . | 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4220393](#4220393)
| The default GRUB timeout style changed from menu to countdown. When booting, a countdown displays on the console and you can use the escape key to break out of the countdown and show the GRUB menu. This reduces the chance of console noise halting the reboot process. If you press the escape key twice, you might go to the GRUB command line. In this case, type normal to get back to the GRUB menu or reboot to reboot the switch. | 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4205060](#4205060)
| Debian 12 does not support LDAP SSL CRL check. Cumulus Linux now uses CRL file. | 5.11.0-5.11.5 | 5.12.0-5.16.1| @@ -71,12 +71,12 @@ pdfhidden: True | [4183214](#4183214)
| If you upgrade the switch from Cumulus Linux 5.9.x or 5.10.x with package upgrade and Radius is enabled, you see configuration and commit errors. To avoid this issue, either disable Radius during package upgrade or disable Radius before package upgrade with the sudo adduser --system --group --home /run/nslcd --no-create-home --gecos 'nslcd name service LDAP connection daemon' nslcd command. | 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4177067](#4177067)
| When performing a package upgrade, nslcd installation might open an interactive dialog to configure nslcd.conf .
To avoid this interactive dialog, set the DEBIAN_FRONTEND environment variable to noninteractive. For example:
cumulus@switch:~$ sudo apt-get update
cumulus@switch:~$ sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold" upgrade
| 5.11.0-5.16.1 | | | [4176931](#4176931)
| The nv show platform firmware command results in a Python traceback and takes a long time to complete because the VX image does not support the smartctl utility. | 5.11.0-5.11.5 | 5.12.0-5.16.1| -| [4174646](#4174646)
| On the NVIDIA SN5400 and SN5600 switch, the fans might run at full speed when it is not necessary. | 5.10.1-5.11.5 | 5.12.0-5.16.1| +| [4174646, 4042294](#4174646, 4042294)
| On the NVIDIA SN5400 and SN5600 switch, the fans might run at full speed when it is not necessary. | 5.10.1-5.11.5 | 5.12.0-5.16.1| | [4155957](#4155957)
| Logs from the OTLP exporter process (nv-telemetry) grow uncontrolled and result in excessive disk space usage. You can remove the large files in the /var/log/nv-telemetry folder or modify them to reduce their size. | 5.11.0-5.11.5 | 5.12.0-5.16.1| -| [4154839](#4154839)
| When you run certain SDK commands (such as sudo sx_api_port_counter_dump_all.py or sx_api_fdb_dump) first as the cumulus user, then with sudo, you see the following error:
PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt'

To resolve this issue, run the rm -rf /tmp/python_err_log.txt command. | 5.11.0-5.16.1 | | +| [4154839, 4280933, 4291934](#4154839, 4280933, 4291934)
| When you run certain SDK commands (such as sudo sx_api_port_counter_dump_all.py or sx_api_fdb_dump) first as the cumulus user, then with sudo, you see the following error:
PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt'

To resolve this issue, run the rm -rf /tmp/python_err_log.txt command. | 5.11.0-5.16.1 | | | [4144021](#4144021)
| Shutting down port 65 or 66 on the NVIDIA Spectrum-4 switch leaves the opposite port up when using MLNX SFP-T and RJ45 connections. Spectrum-4 switches do not support SFP-T modules on ports 65 and 66. | 5.10.0-5.12.1 | 5.13.0-5.16.1| | [4142857](#4142857)
| The switch drops PTP packets received with extra ethernet padding and you see syslog [ptp4l.ERR] messages. | 5.10.0-5.16.1 | | -| [4139511](#4139511)
| When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue.
[ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds
[ 1903.846724] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.852689] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.861573] hwmon hwmon28: Failed to query module temperature
| 5.11.0-5.16.1 | | +| [4139511, 4184813, 4180112](#4139511, 4184813, 4180112)
| When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue.
[ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds
[ 1903.846724] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.852689] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.861573] hwmon hwmon28: Failed to query module temperature
| 5.11.0-5.16.1 | | | [4134447](#4134447)
| The journal logs might include the error message ERR kernel: [ 7.453789] usb usb2-port2: connect-debounce failed. You can safely ignore this log message. | 5.11.0-5.16.1 | | | [4134174](#4134174)
| If you configure a route map by attaching it to a specific protocol, then you detach it from that protocol, if you then attach the same route map to all protocols, then detach it from all protocols, Cumulus Linux deletes routes from the forwarding table.
To work around this issue, either attach the route map to all protocols or attach the route map to each protocol you want to use. For example, to attach the route map to all protocols, run the nv set vrf router rib fib-filter route-map command. To attach the route map to each protocol you want to use, run the nv set vrf router rib fib-filter protocol route-map command. | 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4130022](#4130022)
| LDAP does not support per-command authorization. | 5.11.0-5.11.5 | 5.12.0-5.16.1| @@ -85,30 +85,30 @@ pdfhidden: True | [4128912](#4128912)
| When you use PPS IN, PTP might show a high offset. The offset might be around an offset value. For example, around 60 ns or 80 ns. To work around this issue, set the cable compensation value. For 60 ns, run the nv set platform pulse-per-second in timestamp-correction -60 command to set the compensation. | 5.11.0-5.12.1 | 5.13.0-5.16.1| | [4127932](#4127932)
| After you run the nv action install system image command or the cl-image-upgrade -u command, if you run the command a second time to upgrade to a different image, the upgrade might fail because there are leftover /var/install/sys mounts. To resolve this issue, either reboot before you retry image upgrade or run the following commands :
cumulus@switch:~$ sudo mount --make-rslave /var/installer/sys
cumulus@switch:~$ sudo umount -R /var/installer/sys
cumulus@switch:~$ sudo umount tmpfs-installer
| 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4127315](#4127315)
| If you set BGP community-advertise large to off with NVUE, large communities are still sent to BGP peers. To resolve this issue, NVUE has changed the default value of community-advertise large from off to on. | 5.11.0-5.11.5 | 5.12.0-5.16.1| -| [4124376](#4124376)
| The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier).
To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in Downgrade a Secure Boot Switch. | 5.11.0-5.16.1 | | +| [4124376, 4316163](#4124376, 4316163)
| The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier).
To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in Downgrade a Secure Boot Switch. | 5.11.0-5.16.1 | | | [4122591](#4122591)
| The NVUE nv set system aaa ldap ssl ca-list command shows the following error if you use the string option:
Error: At ca-list: '/etc/ssl/certs/ca-cert.crt' is not one of ['default', 'none']
| 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4118970](#4118970)
| When running PTP, the performance for 100Gx2 and 400Gx8 can have a high offset in up to 1.5% of the sampling. | 5.11.0-5.16.1 | | -| [4105127](#4105127)
| Any sFlow configuration changes that require an hsflowd restart are operational only after an initial delay of 60 seconds. | 5.11.0-5.16.1 | | -| [4101560](#4101560)
| The nv set vrf router rib fib-filter route-map command only works if you restart FRR after you run the command. To work around this issue, attach the route map to each needed protocol; for example, run the nv set vrf router rib fib-filter protocol route-map command. | 5.11.0-5.11.5 | 5.12.0-5.16.1| +| [4105127, 4796391](#4105127, 4796391)
| Any sFlow configuration changes that require an hsflowd restart are operational only after an initial delay of 60 seconds. | 5.11.0-5.16.1 | | +| [4101560, 4101440](#4101560, 4101440)
| The nv set vrf router rib fib-filter route-map command only works if you restart FRR after you run the command. To work around this issue, attach the route map to each needed protocol; for example, run the nv set vrf router rib fib-filter protocol route-map command. | 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4100629](#4100629)
| NVUE show command outputs show LLDP neighbor changes only after the LLDP update frequency multiplied by the hold time. | 5.11.0-5.16.1 | | | [4082210](#4082210)
| When you change the CPU resource limit with the nv set service control rsyslog resource-limit cpu command, the rsyslog agent does not start. To work around this issue, increase the CPU resource limit, then restart the service manually. | 5.11.0-5.16.1 | | | [4077921](#4077921)
| You cannot use package upgrade to upgrade from Cumulus Linux 5.9.2 to Cumulus Linux 5.10.1 or later. You must install the Cumulus Linux image instead. | 5.10.1-5.16.1 | | | [4052578](#4052578)
| When you perform a binary upgrade from Cumulus Linux 5.8 or earlier to 5.9.0 or later with a pre-staged startup.yaml file, the cumulus user password is reset to the default password because there is no default startup.yaml file present in 5.8.0 or earlier. To work around this issue, generate the startup.yaml file from the existing NVUE configuration. | 5.9.2-5.11.5 | 5.12.0-5.16.1| -| [4049213](#4049213)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | +| [4049213, 4186873](#4049213, 4186873)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | | [4048583](#4048583)
| If there are failures in MSTPD or a port is not updated in the database, the NVUE nv show bridge domain stp command might not work and might produce errors even when STP has data for other working ports or VLANs. This is a display issue only and does not impact functionality. | 5.10.0-5.12.1 | 5.13.0-5.16.1| | [4047798](#4047798)
| Packet distribution based on ECMP hashing using GTP-TEID does not function as expected in an EVPN Clos topology. | 5.10.0-5.16.1 | | | [4030380](#4030380)
| When you roll back interface configuration to the default setting with the nv unset interface command, NVUE removes the complete entry for the interface from the /etc/network/interface file, and puts the interface in admin down. As a result, you cannot configure FEC on the interface at the lower layers. | 5.10.0-5.16.1 | | | [4019256](#4019256)
| If you change the switch hostname, the histogram data producer service restarts. | 5.10.0-5.12.1 | 5.13.0-5.16.1| -| [4005422](#4005422)
| When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the systemctl enable ntpsec@ and systemctl restart ntpsec@ commands. | 5.10.0-5.16.1 | | +| [4005422, 4015452](#4005422, 4015452)
| When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the systemctl enable ntpsec@ and systemctl restart ntpsec@ commands. | 5.10.0-5.16.1 | | | [3985682](#3985682)
| On Spectrum-4 switches, multicast flows containing packets smaller than 512 bytes might not reach full line rate. Cumulus Linux supports 512 byte and larger multicast packets. | 5.10.0-5.16.1 | | | [3966312](#3966312)
| When connecting the SN5xxx switch to third party test equipment (such as IXIA) using copper cables at 100GbE, 200GbE, 400GbE, or 800GbE, links do not come up. | 5.10.0-5.16.1 | | | [3948068](#3948068)
| On the SN3700 and SN3700c switch, the nv show platform environment voltage command output shows a failed state for the PSU-n-12V-RAIL-OUT sensors. This is a known hardware limitation that cannot be corrected by the PSU vendor. | 5.10.0-5.16.1 | | | [3915878](#3915878)
| If you configure remote syslog export through a non-default VRF, you might see repeated error logs from the rsyslog process while the switch is booting:
rsyslogd: create UDP socket bound to device failed: No such device [v8.2302.0]rsyslogd: No UDP socket could successfully be initialized, some functionality may be disabled.  [v8.2302.0]

The logs occur because the rsyslog service starts before the networking service creates the configured VRF for syslog export. There is no functional impact with this issue. | 5.9.0-5.16.1 | | -| [3879809](#3879809)
| Spectrum-4 switches do not include full What Just Happened (WJH) support. | 5.9.0-5.13.1 | 5.14.0-5.16.1| +| [3879809, 4064254](#3879809, 4064254)
| Spectrum-4 switches do not include full What Just Happened (WJH) support. | 5.9.0-5.13.1 | 5.14.0-5.16.1| | [3879717](#3879717)
| Running snmpwalk on the switch with the management IP address does not work. To work around this issue, use the localhost option (snmpwalk -v 2c -c public28 localhost 1.3.6.1.2.1.14) or create a control plane ACL whitelist rule. | 5.10.0-5.16.1 | | | [3878394](#3878394)
| When ZTP runs a script that contains wget, ZTP fails and you see a message similar to the following:
ZTP: ZTP DHCP: Unexpected error: 'ascii' codec can't decode byte 0xe2 in position 181: ordinal not in range(128)ZTP: Script returned failure

To work around this issue, use the -q option with wget. | 5.9.0-5.16.1 | | | [3877516](#3877516)
| When you connect two NVIDIA switches and configure 400G speed in force mode, links don't come up.
To work around this issue, make sure auto-negotiation is always on when connecting NVIDIA to NVIDIA in PAM4. | 5.9.0-5.16.1 | | -| [3875687](#3875687)
| After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the Local Vtep Ip field of the nv show evpn vni command output. To work around this issue, either run the ifup command or reboot the switch. | 5.9.0-5.13.1 | 5.14.0-5.16.1| +| [3875687, 3879260, 4025900](#3875687, 3879260, 4025900)
| After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the Local Vtep Ip field of the nv show evpn vni command output. To work around this issue, either run the ifup command or reboot the switch. | 5.9.0-5.13.1 | 5.14.0-5.16.1| | [3875373](#3875373)
| When you run the nv config apply empty command, NVUE removes the cumulus user. If you are logged in as the cumulus user when you run the nv config apply empty command, the command fails. | 5.9.0-5.16.1 | | | [3861745](#3861745)
| On UEFI hardware (where the /sys/firmware/efi directory exists), using the update-grub program might generate a /boot/grub/grub.cfg that is incorrect for booting ONIE if the ONIE option is selected on the console while booting. To work around this issue, run mount LABEL="EFI System" /boot/efi before using update-grub. | 5.9.0-5.16.1 | | | [3855796](#3855796)
| When configuring a Unicast Master Table for clients, the server addresses must be reachable and the route to the destination must exist. The unicast table can have one directly-connected port for a client. This restriction is only for directly connected ports and doesn't apply to Unicast Servers on other devices or switches. | 5.9.0-5.16.1 | | @@ -123,17 +123,17 @@ pdfhidden: True | [3637444](#3637444)
| Applying an inbound control plane ACL on the eth0 management interface does not take effect. To work around this issue, apply the ACL on the mgmt interface; for example, nv set interface mgmt acl inbound control-plane. | 5.7.0-5.16.1 | | | [3591918](#3591918)
| The nv action disconnect system aaa user command does not clear all open sessions. To work around this issue, run the command as many times as the number of sessions. | 5.6.0-5.16.1 | | | [3587393](#3587393)
| If you use the NVIDIA SN5600 (Spectrum-4) switch with Ixia test equipment, you might experience delayed link up due to intermittent link flaps.
To work around this issue when using copper cables:
  • Use Ixia IxOS version 9.37 with HF002156, or version 9.39 or later.
  • Use the DAC cable on ports 10 through 50.
  • Use NVIDIA cables with the recommended firmware revision.
  • Configure AN on the Cumulus Linux switch and AN/LT on Ixia.

To work around this issue when using fiber cables:
  • Configure 800g/Force.
  • Use the recommended NVIDIA optical adapters.
| 5.6.0-5.16.1 | | -| [3556762](#3556762)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | +| [3556762, 3463827](#3556762, 3463827)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | | [3540510](#3540510)
| 400Gx8 ports only support traffic line rate with packets that are larger than 172 bytes. | 5.6.0-5.16.1 | | -| [3538321](#3538321)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | +| [3538321, 3564344](#3538321, 3564344)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | | [3497622](#3497622)
| When you remove PSUs, then plug them back in, you might experience traffic loss and some ports might be in a down state. | 5.6.0-5.16.1 | | | [3472163](#3472163)
| On a switch with the Spectrum-4 ASIC, packets that are smaller than 256 bytes are not included in multicast flows. Multicast flows support packets that are 256 bytes or larger. | 5.6.0-5.16.1 | | | [3444490](#3444490)
| Migration from ONYX to Cumulus Linux is supported and tested with ONYX version 3.10.4302 GA only. | 5.6.0-5.16.1 | | -| [3442569](#3442569)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | -| [3430430](#3430430)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | -| [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | +| [3442569, 3520880, 3586421](#3442569, 3520880, 3586421)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | +| [3430430, 3337848](#3430430, 3337848)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | +| [3424967, 3413785](#3424967, 3413785)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [3414866](#3414866)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | +| [3414866, 3536555, 4465009, 4509253, 4732973](#3414866, 3536555, 4465009, 4509253, 4732973)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | | [3362113](#3362113)
| If you restore an NVUE startup.yaml file or run the nv config patch command after an upgrade that includes breakout ports with QoS configuration, the NVUE configuration fails to apply. Subsequent attempts to run nv config apply fail with a message similar to Invalid config [rev_id: 11] qos config is not supported on the following invalid interface: swp1s0. Supported on swp and bond interface types. To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. | 5.4.0-5.16.1 | | | [3347538](#3347538)
| When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.16.1 | | | [3341214](#3341214)
| If you use the NVUE REST API to configure a local user with a hashed password, the user cannot log in and the /etc/nvue.d/startup.yaml file shows the password as plain text. | 5.4.0-5.16.1 | | @@ -143,10 +143,10 @@ pdfhidden: True | [3253218](#3253218)
| Auto-negotiation isn't supported on Spectrum-2 and Spectrum-3 switches using the 1G SFP-T module; FORCE 1G is configured instead. | 5.4.0-5.16.1 | | | [3241567](#3241567)
| When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time. | 5.3.0-5.16.1 | | | [3226506](#3226506)
| The l1-show eth0 command does not show port information and is not supported in this release. | 5.3.0-5.16.1 | | -| [3225117](#3225117)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | +| [3225117, 3158720](#3225117, 3158720)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | | [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.16.1 | | | [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.16.1 | | -| [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | +| [3145869, 3430508, 3543102](#3145869, 3430508, 3543102)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | | [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example: 
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.16.1 | | | [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.16.1 | | | [3103821](#3103821)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.16.1 | | @@ -156,8 +156,8 @@ pdfhidden: True | [3061656](#3061656)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.16.1 | | | [2972540](#2972540)
| With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.16.1 | | | [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.16.1 | | -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [2885305](#2885305)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2885305, 2887500, 3234087, 3074929, 3293192](#2885305, 2887500, 3234087, 3074929, 3293192)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.16.1 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.16.1 | | | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | @@ -169,7 +169,7 @@ pdfhidden: True |--- |--- |--- | | [4829843](#4829843)
| During port‑mapping configuration, an edge case might lead to an invalid configuration state, causing the system to eventually become stuck. | 5.11.3-5.11.4 | | | [4771874](#4771874)
| When you poll optical module data with ethtool -m, switchd might crash due to a firmware timeout that triggers a fatal health-check failure. | 5.11.1-5.11.4 | | -| [4717753](#4717753)
| When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.3.1-5.9.4 | | +| [4717753, 3963232](#4717753, 3963232)
| When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.3.1-5.9.4 | | ## 5.11.4 Release Notes ### Open Issues in 5.11.4 @@ -199,13 +199,13 @@ pdfhidden: True | [4621759](#4621759)
| When many BFD sessions are configured at scale, ptmd might crash when one of the BFD sessions flaps. | 5.3.1-5.14.0 | 5.15.0-5.16.1| | [4608614](#4608614)
| When setting up SSH keys, you have to run nv config apply twice for the configuration to take effect. | 5.11.3-5.16.1 | | | [4582679](#4582679)
| If a node has Suppress Route Advertisement enabled and routes are re-learned; for example, when a peer sends the route again due to route policy changes, or you enable or disable graceful shutdown, not all routes are offloaded, which might cause discrepancies in traffic. | 5.9.4-5.16.1 | | -| [4579237](#4579237)
| If interface statistics telemetry is running on the switch, an interface_stats_collector core file might generate during statistics collection. | 5.11.3-5.16.1 | | -| [4558846](#4558846)
| If interface statistics telemetry is running on the switch, an interface_stats_collector core file might generate during statistics collection. | 5.11.0-5.11.5 | 5.12.0-5.16.1| +| [4579237, 4579234](#4579237, 4579234)
| If interface statistics telemetry is running on the switch, an interface_stats_collector core file might generate during statistics collection. | 5.11.3-5.16.1 | | +| [4558846, 4237198](#4558846, 4237198)
| If interface statistics telemetry is running on the switch, an interface_stats_collector core file might generate during statistics collection. | 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4548512](#4548512)
| When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface vlan10, the route might install against vlan10-v0. This prevents next-hop tracking and route installation into hardware.
This issue can occur in the following conditions:
  • When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.
  • In an MLAG and VRR configuration, static routes fail to install when the route is resolved through a connected route and the interface of the connected route undergoes a link state change for any reason, such as link flaps, interface bring-up, clagd restart, switchd restart, etc.

To work around this issue, restart the FRR service using the sudo systemctl restart frr.service command. | 5.11.0-5.16.1 | | | [4535804](#4535804)
| If you use a bridge name other than br_default, PTP neighbors fail to establish because the PTP packets are sourced from an unexpected IP address.
To work around this issue, configure the base-interface for the VLAN interface with the nv set interface base-interface command. | 5.10.0-5.16.1 | | | [4535749](#4535749)
| The uc-discards field in the nv show interface counters qos egress-queue-stats command output is actually the number of packets discarded per queue, but it is wrongly interpreted as bytes. To work around this issue, convert the data shown in bytes to packets by multiplying by 1024 if the data is in KB, 1024x1024 if the data is in MB, and 1024x1024x1024 if the data is in GB. | 5.11.0-5.16.1 | | | [4535699](#4535699)
| When you configure the RADIUS authentication order with local first and radius second, the RADIUS user is authenticated as a default user name. | 5.11.3-5.16.1 | | -| [4531952](#4531952)
| When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface vlan10, the route might install against vlan10-v0. This prevents next-hop tracking and route installation into hardware.
This issue can occur in the following conditions:
  • When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.
  • In an MLAG and VRR configuration, static routes fail to install when the route is resolved through a connected route and the interface of the connected route undergoes a link state change for any reason, such as link flaps, interface bring-up, clagd restart, switchd restart, etc.

To work around this issue, restart the FRR service using the sudo systemctl restart frr.service command. | 5.11.1-5.13.1 | 5.14.0-5.16.1| +| [4531952, 4518822](#4531952, 4518822)
| When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface vlan10, the route might install against vlan10-v0. This prevents next-hop tracking and route installation into hardware.
This issue can occur in the following conditions:
  • When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.
  • In an MLAG and VRR configuration, static routes fail to install when the route is resolved through a connected route and the interface of the connected route undergoes a link state change for any reason, such as link flaps, interface bring-up, clagd restart, switchd restart, etc.

To work around this issue, restart the FRR service using the sudo systemctl restart frr.service command. | 5.11.1-5.13.1 | 5.14.0-5.16.1| | [4531104](#4531104)
| On a switch with SDK 4.6.1062 or earlier, you might see FW fatal health events. | 5.6.0-5.13.1 | 5.14.0-5.16.1| | [4522594](#4522594)
| In a VXLAN environment, if the bridge MAC address changes for a VTEP, the switch drops VXLAN traffic entering this VTEP from a remote VTEP. The switch only drops layer 3 routed VXLAN traffic because the RMAC is not updated correctly in the SDK. | 5.11.1-5.11.5 | 5.9.4, 5.12.0-5.16.1| | [4521203](#4521203)
| The SATA driver on the NVIDIA SN2410 switch sometimes exhibits failures similar to the following:
2025-06-20T20:03:38.785966+09:00 S1-RF10B kernel: 
[49878794.456350] ata1.00: failed command: WRITE FPDMA QUEUED
2025-06-20T20:03:38.785968+09:00 S1-RF10B kernel: [49878794.461984] ata1.00: cmd
61/08:08:50:2b:c4/00:00:01:00:00/40 tag 1 ncq dma 4096 out
2025-06-20T20:03:38.785970+09:00 S1-RF10B kernel: [49878794.461984] res 40/00:0c:50:2b:c4/00:00:01:00:00/40 Emask 0×10 (ATA bus error)

To work around this issue, power cycle the switch. | 5.5.1-5.13.1 | 5.14.0-5.16.1| @@ -214,7 +214,7 @@ pdfhidden: True | [4495231](#4495231)
| If the hardware clock date is later than 2038-01-19 03:14:07 UTC, the image might fail to install due to a grub-install failure on the EFI filesystem, which is a VFAT filesystem. As a result, you see the grub prompt immediately after reboot. To work around this issue, reboot from the grub prompt to go into ONIE. From ONIE, use the date command to set a date before 2038-01-19, then run the hwclock --systohc command to add it to the hardware clock. You can then use onie-nos-install to install the image. | 5.9.0-5.16.1 | | | [4486200](#4486200)
| If you enable dynamic NAT and try to install two identical dynamic NAT rules, switchd might crash. | 5.11.2-5.13.1 | 5.14.0-5.16.1| | [4475111](#4475111)
| When you try to convert a layer 3 port that is part of ECMP to a bond member, you might see a failure in the switchd logs. This issue does not have any functional impact. | 5.11.2-5.16.1 | 5.9.4| -| [4472414](#4472414)
| After you modify the IP address of an SVI, DHCP relay uses an old cached IP address instead of the changed IP address. This occurs because DHCP relay monitors the link state change not IP address change. | 5.11.0-5.14.0 | 5.15.0-5.16.1| +| [4472414, 4621451](#4472414, 4621451)
| After you modify the IP address of an SVI, DHCP relay uses an old cached IP address instead of the changed IP address. This occurs because DHCP relay monitors the link state change not IP address change. | 5.11.0-5.14.0 | 5.15.0-5.16.1| | [4461102](#4461102)
| In certain cases, when a port is down and you apply adaptive routing with the link utilization threshold setting to the port as it goes up, you might see log errors while the port is not yet up. | 5.11.0-5.13.1 | 5.14.0-5.16.1| | [4423352](#4423352)
| ZTP scripts return an error due to incorrect ASCI to UTF-8 conversion. | 5.11.0-5.16.1 | | | [4423335](#4423335)
| When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the nv config patch command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with systemctl restart nvued.service. | 5.9.0-5.16.1 | | @@ -224,7 +224,7 @@ pdfhidden: True | [4423235](#4423235)
| The snmpd service generates debugging logs of sudo calls. To work around this issue, disable sudo logging for the specific commands run by the Debian-snmp user in the /etc/sudoers.d/snmp file by adding Defaults:Debian-snmp !syslog. | 5.11.0-5.16.1 | | | [4408387](#4408387)
| BGP crashes during EVPN route install due to incorrect memory access. | 5.11.0-5.13.1 | 5.14.0-5.16.1| | [4360615](#4360615)
| The control plane trap group counters are not associated correctly with the right trap group. | 5.11.0-5.12.1 | 5.13.0-5.16.1| -| [4328729](#4328729)
| When sending control packets that have the port range 259 through 1023 in their TX base header system target (above cap_max_system_ports and below cap_ports used for LAG forwarding), a fatal health event occurs on the switch. The port range 259 through 1023 reflects illegal system ports; do not set these values in the control packet TX base header. As this range reflects illegal system ports, do not set these values in the control packet TX base header, as it will be dropped. | 5.10.1-5.12.1 | 5.13.0-5.16.1| +| [4328729, 4261676](#4328729, 4261676)
| When sending control packets that have the port range 259 through 1023 in their TX base header system target (above cap_max_system_ports and below cap_ports used for LAG forwarding), a fatal health event occurs on the switch. The port range 259 through 1023 reflects illegal system ports; do not set these values in the control packet TX base header. As this range reflects illegal system ports, do not set these values in the control packet TX base header, as it will be dropped. | 5.10.1-5.12.1 | 5.13.0-5.16.1| | [4270957](#4270957)
| Optimized (two partition) upgrade from Cumulus Linux 5.11.0 requires approximately 2.4 Gbytes of free space in /var after downloading the image with NVUE commands instead of 1.6 Gbytes of free space. Upgrade needs the extra space for an additional copy of the downloaded image in /var . | 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4220393](#4220393)
| The default GRUB timeout style changed from menu to countdown. When booting, a countdown displays on the console and you can use the escape key to break out of the countdown and show the GRUB menu. This reduces the chance of console noise halting the reboot process. If you press the escape key twice, you might go to the GRUB command line. In this case, type normal to get back to the GRUB menu or reboot to reboot the switch. | 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4205060](#4205060)
| Debian 12 does not support LDAP SSL CRL check. Cumulus Linux now uses CRL file. | 5.11.0-5.11.5 | 5.12.0-5.16.1| @@ -234,12 +234,12 @@ pdfhidden: True | [4183214](#4183214)
| If you upgrade the switch from Cumulus Linux 5.9.x or 5.10.x with package upgrade and Radius is enabled, you see configuration and commit errors. To avoid this issue, either disable Radius during package upgrade or disable Radius before package upgrade with the sudo adduser --system --group --home /run/nslcd --no-create-home --gecos 'nslcd name service LDAP connection daemon' nslcd command. | 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4177067](#4177067)
| When performing a package upgrade, nslcd installation might open an interactive dialog to configure nslcd.conf .
To avoid this interactive dialog, set the DEBIAN_FRONTEND environment variable to noninteractive. For example:
cumulus@switch:~$ sudo apt-get update
cumulus@switch:~$ sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold" upgrade
| 5.11.0-5.16.1 | | | [4176931](#4176931)
| The nv show platform firmware command results in a Python traceback and takes a long time to complete because the VX image does not support the smartctl utility. | 5.11.0-5.11.5 | 5.12.0-5.16.1| -| [4174646](#4174646)
| On the NVIDIA SN5400 and SN5600 switch, the fans might run at full speed when it is not necessary. | 5.10.1-5.11.5 | 5.12.0-5.16.1| +| [4174646, 4042294](#4174646, 4042294)
| On the NVIDIA SN5400 and SN5600 switch, the fans might run at full speed when it is not necessary. | 5.10.1-5.11.5 | 5.12.0-5.16.1| | [4155957](#4155957)
| Logs from the OTLP exporter process (nv-telemetry) grow uncontrolled and result in excessive disk space usage. You can remove the large files in the /var/log/nv-telemetry folder or modify them to reduce their size. | 5.11.0-5.11.5 | 5.12.0-5.16.1| -| [4154839](#4154839)
| When you run certain SDK commands (such as sudo sx_api_port_counter_dump_all.py or sx_api_fdb_dump) first as the cumulus user, then with sudo, you see the following error:
PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt'

To resolve this issue, run the rm -rf /tmp/python_err_log.txt command. | 5.11.0-5.16.1 | | +| [4154839, 4280933, 4291934](#4154839, 4280933, 4291934)
| When you run certain SDK commands (such as sudo sx_api_port_counter_dump_all.py or sx_api_fdb_dump) first as the cumulus user, then with sudo, you see the following error:
PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt'

To resolve this issue, run the rm -rf /tmp/python_err_log.txt command. | 5.11.0-5.16.1 | | | [4144021](#4144021)
| Shutting down port 65 or 66 on the NVIDIA Spectrum-4 switch leaves the opposite port up when using MLNX SFP-T and RJ45 connections. Spectrum-4 switches do not support SFP-T modules on ports 65 and 66. | 5.10.0-5.12.1 | 5.13.0-5.16.1| | [4142857](#4142857)
| The switch drops PTP packets received with extra ethernet padding and you see syslog [ptp4l.ERR] messages. | 5.10.0-5.16.1 | | -| [4139511](#4139511)
| When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue.
[ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds
[ 1903.846724] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.852689] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.861573] hwmon hwmon28: Failed to query module temperature
| 5.11.0-5.16.1 | | +| [4139511, 4184813, 4180112](#4139511, 4184813, 4180112)
| When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue.
[ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds
[ 1903.846724] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.852689] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.861573] hwmon hwmon28: Failed to query module temperature
| 5.11.0-5.16.1 | | | [4134447](#4134447)
| The journal logs might include the error message ERR kernel: [ 7.453789] usb usb2-port2: connect-debounce failed. You can safely ignore this log message. | 5.11.0-5.16.1 | | | [4134174](#4134174)
| If you configure a route map by attaching it to a specific protocol, then you detach it from that protocol, if you then attach the same route map to all protocols, then detach it from all protocols, Cumulus Linux deletes routes from the forwarding table.
To work around this issue, either attach the route map to all protocols or attach the route map to each protocol you want to use. For example, to attach the route map to all protocols, run the nv set vrf router rib fib-filter route-map command. To attach the route map to each protocol you want to use, run the nv set vrf router rib fib-filter protocol route-map command. | 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4130022](#4130022)
| LDAP does not support per-command authorization. | 5.11.0-5.11.5 | 5.12.0-5.16.1| @@ -248,30 +248,30 @@ pdfhidden: True | [4128912](#4128912)
| When you use PPS IN, PTP might show a high offset. The offset might be around an offset value. For example, around 60 ns or 80 ns. To work around this issue, set the cable compensation value. For 60 ns, run the nv set platform pulse-per-second in timestamp-correction -60 command to set the compensation. | 5.11.0-5.12.1 | 5.13.0-5.16.1| | [4127932](#4127932)
| After you run the nv action install system image command or the cl-image-upgrade -u command, if you run the command a second time to upgrade to a different image, the upgrade might fail because there are leftover /var/install/sys mounts. To resolve this issue, either reboot before you retry image upgrade or run the following commands :
cumulus@switch:~$ sudo mount --make-rslave /var/installer/sys
cumulus@switch:~$ sudo umount -R /var/installer/sys
cumulus@switch:~$ sudo umount tmpfs-installer
| 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4127315](#4127315)
| If you set BGP community-advertise large to off with NVUE, large communities are still sent to BGP peers. To resolve this issue, NVUE has changed the default value of community-advertise large from off to on. | 5.11.0-5.11.5 | 5.12.0-5.16.1| -| [4124376](#4124376)
| The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier).
To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in Downgrade a Secure Boot Switch. | 5.11.0-5.16.1 | | +| [4124376, 4316163](#4124376, 4316163)
| The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier).
To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in Downgrade a Secure Boot Switch. | 5.11.0-5.16.1 | | | [4122591](#4122591)
| The NVUE nv set system aaa ldap ssl ca-list command shows the following error if you use the string option:
Error: At ca-list: '/etc/ssl/certs/ca-cert.crt' is not one of ['default', 'none']
| 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4118970](#4118970)
| When running PTP, the performance for 100Gx2 and 400Gx8 can have a high offset in up to 1.5% of the sampling. | 5.11.0-5.16.1 | | -| [4105127](#4105127)
| Any sFlow configuration changes that require an hsflowd restart are operational only after an initial delay of 60 seconds. | 5.11.0-5.16.1 | | -| [4101560](#4101560)
| The nv set vrf router rib fib-filter route-map command only works if you restart FRR after you run the command. To work around this issue, attach the route map to each needed protocol; for example, run the nv set vrf router rib fib-filter protocol route-map command. | 5.11.0-5.11.5 | 5.12.0-5.16.1| +| [4105127, 4796391](#4105127, 4796391)
| Any sFlow configuration changes that require an hsflowd restart are operational only after an initial delay of 60 seconds. | 5.11.0-5.16.1 | | +| [4101560, 4101440](#4101560, 4101440)
| The nv set vrf router rib fib-filter route-map command only works if you restart FRR after you run the command. To work around this issue, attach the route map to each needed protocol; for example, run the nv set vrf router rib fib-filter protocol route-map command. | 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4100629](#4100629)
| NVUE show command outputs show LLDP neighbor changes only after the LLDP update frequency multiplied by the hold time. | 5.11.0-5.16.1 | | | [4082210](#4082210)
| When you change the CPU resource limit with the nv set service control rsyslog resource-limit cpu command, the rsyslog agent does not start. To work around this issue, increase the CPU resource limit, then restart the service manually. | 5.11.0-5.16.1 | | | [4077921](#4077921)
| You cannot use package upgrade to upgrade from Cumulus Linux 5.9.2 to Cumulus Linux 5.10.1 or later. You must install the Cumulus Linux image instead. | 5.10.1-5.16.1 | | | [4052578](#4052578)
| When you perform a binary upgrade from Cumulus Linux 5.8 or earlier to 5.9.0 or later with a pre-staged startup.yaml file, the cumulus user password is reset to the default password because there is no default startup.yaml file present in 5.8.0 or earlier. To work around this issue, generate the startup.yaml file from the existing NVUE configuration. | 5.9.2-5.11.5 | 5.12.0-5.16.1| -| [4049213](#4049213)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | +| [4049213, 4186873](#4049213, 4186873)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | | [4048583](#4048583)
| If there are failures in MSTPD or a port is not updated in the database, the NVUE nv show bridge domain stp command might not work and might produce errors even when STP has data for other working ports or VLANs. This is a display issue only and does not impact functionality. | 5.10.0-5.12.1 | 5.13.0-5.16.1| | [4047798](#4047798)
| Packet distribution based on ECMP hashing using GTP-TEID does not function as expected in an EVPN Clos topology. | 5.10.0-5.16.1 | | | [4030380](#4030380)
| When you roll back interface configuration to the default setting with the nv unset interface command, NVUE removes the complete entry for the interface from the /etc/network/interface file, and puts the interface in admin down. As a result, you cannot configure FEC on the interface at the lower layers. | 5.10.0-5.16.1 | | | [4019256](#4019256)
| If you change the switch hostname, the histogram data producer service restarts. | 5.10.0-5.12.1 | 5.13.0-5.16.1| -| [4005422](#4005422)
| When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the systemctl enable ntpsec@ and systemctl restart ntpsec@ commands. | 5.10.0-5.16.1 | | +| [4005422, 4015452](#4005422, 4015452)
| When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the systemctl enable ntpsec@ and systemctl restart ntpsec@ commands. | 5.10.0-5.16.1 | | | [3985682](#3985682)
| On Spectrum-4 switches, multicast flows containing packets smaller than 512 bytes might not reach full line rate. Cumulus Linux supports 512 byte and larger multicast packets. | 5.10.0-5.16.1 | | | [3966312](#3966312)
| When connecting the SN5xxx switch to third party test equipment (such as IXIA) using copper cables at 100GbE, 200GbE, 400GbE, or 800GbE, links do not come up. | 5.10.0-5.16.1 | | | [3948068](#3948068)
| On the SN3700 and SN3700c switch, the nv show platform environment voltage command output shows a failed state for the PSU-n-12V-RAIL-OUT sensors. This is a known hardware limitation that cannot be corrected by the PSU vendor. | 5.10.0-5.16.1 | | | [3915878](#3915878)
| If you configure remote syslog export through a non-default VRF, you might see repeated error logs from the rsyslog process while the switch is booting:
rsyslogd: create UDP socket bound to device failed: No such device [v8.2302.0]rsyslogd: No UDP socket could successfully be initialized, some functionality may be disabled.  [v8.2302.0]

The logs occur because the rsyslog service starts before the networking service creates the configured VRF for syslog export. There is no functional impact with this issue. | 5.9.0-5.16.1 | | -| [3879809](#3879809)
| Spectrum-4 switches do not include full What Just Happened (WJH) support. | 5.9.0-5.13.1 | 5.14.0-5.16.1| +| [3879809, 4064254](#3879809, 4064254)
| Spectrum-4 switches do not include full What Just Happened (WJH) support. | 5.9.0-5.13.1 | 5.14.0-5.16.1| | [3879717](#3879717)
| Running snmpwalk on the switch with the management IP address does not work. To work around this issue, use the localhost option (snmpwalk -v 2c -c public28 localhost 1.3.6.1.2.1.14) or create a control plane ACL whitelist rule. | 5.10.0-5.16.1 | | | [3878394](#3878394)
| When ZTP runs a script that contains wget, ZTP fails and you see a message similar to the following:
ZTP: ZTP DHCP: Unexpected error: 'ascii' codec can't decode byte 0xe2 in position 181: ordinal not in range(128)ZTP: Script returned failure

To work around this issue, use the -q option with wget. | 5.9.0-5.16.1 | | | [3877516](#3877516)
| When you connect two NVIDIA switches and configure 400G speed in force mode, links don't come up.
To work around this issue, make sure auto-negotiation is always on when connecting NVIDIA to NVIDIA in PAM4. | 5.9.0-5.16.1 | | -| [3875687](#3875687)
| After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the Local Vtep Ip field of the nv show evpn vni command output. To work around this issue, either run the ifup command or reboot the switch. | 5.9.0-5.13.1 | 5.14.0-5.16.1| +| [3875687, 3879260, 4025900](#3875687, 3879260, 4025900)
| After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the Local Vtep Ip field of the nv show evpn vni command output. To work around this issue, either run the ifup command or reboot the switch. | 5.9.0-5.13.1 | 5.14.0-5.16.1| | [3875373](#3875373)
| When you run the nv config apply empty command, NVUE removes the cumulus user. If you are logged in as the cumulus user when you run the nv config apply empty command, the command fails. | 5.9.0-5.16.1 | | | [3861745](#3861745)
| On UEFI hardware (where the /sys/firmware/efi directory exists), using the update-grub program might generate a /boot/grub/grub.cfg that is incorrect for booting ONIE if the ONIE option is selected on the console while booting. To work around this issue, run mount LABEL="EFI System" /boot/efi before using update-grub. | 5.9.0-5.16.1 | | | [3855796](#3855796)
| When configuring a Unicast Master Table for clients, the server addresses must be reachable and the route to the destination must exist. The unicast table can have one directly-connected port for a client. This restriction is only for directly connected ports and doesn't apply to Unicast Servers on other devices or switches. | 5.9.0-5.16.1 | | @@ -286,17 +286,17 @@ pdfhidden: True | [3637444](#3637444)
| Applying an inbound control plane ACL on the eth0 management interface does not take effect. To work around this issue, apply the ACL on the mgmt interface; for example, nv set interface mgmt acl inbound control-plane. | 5.7.0-5.16.1 | | | [3591918](#3591918)
| The nv action disconnect system aaa user command does not clear all open sessions. To work around this issue, run the command as many times as the number of sessions. | 5.6.0-5.16.1 | | | [3587393](#3587393)
| If you use the NVIDIA SN5600 (Spectrum-4) switch with Ixia test equipment, you might experience delayed link up due to intermittent link flaps.
To work around this issue when using copper cables:
  • Use Ixia IxOS version 9.37 with HF002156, or version 9.39 or later.
  • Use the DAC cable on ports 10 through 50.
  • Use NVIDIA cables with the recommended firmware revision.
  • Configure AN on the Cumulus Linux switch and AN/LT on Ixia.

To work around this issue when using fiber cables:
  • Configure 800g/Force.
  • Use the recommended NVIDIA optical adapters.
| 5.6.0-5.16.1 | | -| [3556762](#3556762)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | +| [3556762, 3463827](#3556762, 3463827)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | | [3540510](#3540510)
| 400Gx8 ports only support traffic line rate with packets that are larger than 172 bytes. | 5.6.0-5.16.1 | | -| [3538321](#3538321)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | +| [3538321, 3564344](#3538321, 3564344)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | | [3497622](#3497622)
| When you remove PSUs, then plug them back in, you might experience traffic loss and some ports might be in a down state. | 5.6.0-5.16.1 | | | [3472163](#3472163)
| On a switch with the Spectrum-4 ASIC, packets that are smaller than 256 bytes are not included in multicast flows. Multicast flows support packets that are 256 bytes or larger. | 5.6.0-5.16.1 | | | [3444490](#3444490)
| Migration from ONYX to Cumulus Linux is supported and tested with ONYX version 3.10.4302 GA only. | 5.6.0-5.16.1 | | -| [3442569](#3442569)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | -| [3430430](#3430430)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | -| [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | +| [3442569, 3520880, 3586421](#3442569, 3520880, 3586421)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | +| [3430430, 3337848](#3430430, 3337848)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | +| [3424967, 3413785](#3424967, 3413785)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [3414866](#3414866)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | +| [3414866, 3536555, 4465009, 4509253, 4732973](#3414866, 3536555, 4465009, 4509253, 4732973)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | | [3362113](#3362113)
| If you restore an NVUE startup.yaml file or run the nv config patch command after an upgrade that includes breakout ports with QoS configuration, the NVUE configuration fails to apply. Subsequent attempts to run nv config apply fail with a message similar to Invalid config [rev_id: 11] qos config is not supported on the following invalid interface: swp1s0. Supported on swp and bond interface types. To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. | 5.4.0-5.16.1 | | | [3347538](#3347538)
| When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.16.1 | | | [3341214](#3341214)
| If you use the NVUE REST API to configure a local user with a hashed password, the user cannot log in and the /etc/nvue.d/startup.yaml file shows the password as plain text. | 5.4.0-5.16.1 | | @@ -306,10 +306,10 @@ pdfhidden: True | [3253218](#3253218)
| Auto-negotiation isn't supported on Spectrum-2 and Spectrum-3 switches using the 1G SFP-T module; FORCE 1G is configured instead. | 5.4.0-5.16.1 | | | [3241567](#3241567)
| When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time. | 5.3.0-5.16.1 | | | [3226506](#3226506)
| The l1-show eth0 command does not show port information and is not supported in this release. | 5.3.0-5.16.1 | | -| [3225117](#3225117)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | +| [3225117, 3158720](#3225117, 3158720)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | | [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.16.1 | | | [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.16.1 | | -| [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | +| [3145869, 3430508, 3543102](#3145869, 3430508, 3543102)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | | [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example: 
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.16.1 | | | [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.16.1 | | | [3103821](#3103821)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.16.1 | | @@ -319,8 +319,8 @@ pdfhidden: True | [3061656](#3061656)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.16.1 | | | [2972540](#2972540)
| With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.16.1 | | | [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.16.1 | | -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [2885305](#2885305)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2885305, 2887500, 3234087, 3074929, 3293192](#2885305, 2887500, 3234087, 3074929, 3293192)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.16.1 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.16.1 | | | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | @@ -330,7 +330,7 @@ pdfhidden: True ### Fixed Issues in 5.11.4 | Issue ID | Description | Affects | |--- |--- |--- | -| [4507163](#4507163)
| In some cases after a package upgrade with ISSU (warm boot mode), you see continuous errors in the syslog similar to the following:
NOTICE  CORE_ASYNC: Error at pre send callback status [Resource is in use]
| 5.11.2-5.11.3 | | +| [4507163, 4119158](#4507163, 4119158)
| In some cases after a package upgrade with ISSU (warm boot mode), you see continuous errors in the syslog similar to the following:
NOTICE  CORE_ASYNC: Error at pre send callback status [Resource is in use]
| 5.11.2-5.11.3 | | ## 5.11.3 Release Notes ### Open Issues in 5.11.3 @@ -358,23 +358,23 @@ pdfhidden: True | [4621759](#4621759)
| When many BFD sessions are configured at scale, ptmd might crash when one of the BFD sessions flaps. | 5.3.1-5.14.0 | 5.15.0-5.16.1| | [4608614](#4608614)
| When setting up SSH keys, you have to run nv config apply twice for the configuration to take effect. | 5.11.3-5.16.1 | | | [4582679](#4582679)
| If a node has Suppress Route Advertisement enabled and routes are re-learned; for example, when a peer sends the route again due to route policy changes, or you enable or disable graceful shutdown, not all routes are offloaded, which might cause discrepancies in traffic. | 5.9.4-5.16.1 | | -| [4579237](#4579237)
| If interface statistics telemetry is running on the switch, an interface_stats_collector core file might generate during statistics collection. | 5.11.3-5.16.1 | | -| [4558846](#4558846)
| If interface statistics telemetry is running on the switch, an interface_stats_collector core file might generate during statistics collection. | 5.11.0-5.11.5 | 5.12.0-5.16.1| +| [4579237, 4579234](#4579237, 4579234)
| If interface statistics telemetry is running on the switch, an interface_stats_collector core file might generate during statistics collection. | 5.11.3-5.16.1 | | +| [4558846, 4237198](#4558846, 4237198)
| If interface statistics telemetry is running on the switch, an interface_stats_collector core file might generate during statistics collection. | 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4548512](#4548512)
| When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface vlan10, the route might install against vlan10-v0. This prevents next-hop tracking and route installation into hardware.
This issue can occur in the following conditions:
  • When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.
  • In an MLAG and VRR configuration, static routes fail to install when the route is resolved through a connected route and the interface of the connected route undergoes a link state change for any reason, such as link flaps, interface bring-up, clagd restart, switchd restart, etc.

To work around this issue, restart the FRR service using the sudo systemctl restart frr.service command. | 5.11.0-5.16.1 | | | [4535804](#4535804)
| If you use a bridge name other than br_default, PTP neighbors fail to establish because the PTP packets are sourced from an unexpected IP address.
To work around this issue, configure the base-interface for the VLAN interface with the nv set interface base-interface command. | 5.10.0-5.16.1 | | | [4535749](#4535749)
| The uc-discards field in the nv show interface counters qos egress-queue-stats command output is actually the number of packets discarded per queue, but it is wrongly interpreted as bytes. To work around this issue, convert the data shown in bytes to packets by multiplying by 1024 if the data is in KB, 1024x1024 if the data is in MB, and 1024x1024x1024 if the data is in GB. | 5.11.0-5.16.1 | | | [4535699](#4535699)
| When you configure the RADIUS authentication order with local first and radius second, the RADIUS user is authenticated as a default user name. | 5.11.3-5.16.1 | | -| [4531952](#4531952)
| When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface vlan10, the route might install against vlan10-v0. This prevents next-hop tracking and route installation into hardware.
This issue can occur in the following conditions:
  • When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.
  • In an MLAG and VRR configuration, static routes fail to install when the route is resolved through a connected route and the interface of the connected route undergoes a link state change for any reason, such as link flaps, interface bring-up, clagd restart, switchd restart, etc.

To work around this issue, restart the FRR service using the sudo systemctl restart frr.service command. | 5.11.1-5.13.1 | 5.14.0-5.16.1| +| [4531952, 4518822](#4531952, 4518822)
| When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface vlan10, the route might install against vlan10-v0. This prevents next-hop tracking and route installation into hardware.
This issue can occur in the following conditions:
  • When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.
  • In an MLAG and VRR configuration, static routes fail to install when the route is resolved through a connected route and the interface of the connected route undergoes a link state change for any reason, such as link flaps, interface bring-up, clagd restart, switchd restart, etc.

To work around this issue, restart the FRR service using the sudo systemctl restart frr.service command. | 5.11.1-5.13.1 | 5.14.0-5.16.1| | [4531104](#4531104)
| On a switch with SDK 4.6.1062 or earlier, you might see FW fatal health events. | 5.6.0-5.13.1 | 5.14.0-5.16.1| | [4522594](#4522594)
| In a VXLAN environment, if the bridge MAC address changes for a VTEP, the switch drops VXLAN traffic entering this VTEP from a remote VTEP. The switch only drops layer 3 routed VXLAN traffic because the RMAC is not updated correctly in the SDK. | 5.11.1-5.11.5 | 5.9.4, 5.12.0-5.16.1| | [4521203](#4521203)
| The SATA driver on the NVIDIA SN2410 switch sometimes exhibits failures similar to the following:
2025-06-20T20:03:38.785966+09:00 S1-RF10B kernel: 
[49878794.456350] ata1.00: failed command: WRITE FPDMA QUEUED
2025-06-20T20:03:38.785968+09:00 S1-RF10B kernel: [49878794.461984] ata1.00: cmd
61/08:08:50:2b:c4/00:00:01:00:00/40 tag 1 ncq dma 4096 out
2025-06-20T20:03:38.785970+09:00 S1-RF10B kernel: [49878794.461984] res 40/00:0c:50:2b:c4/00:00:01:00:00/40 Emask 0×10 (ATA bus error)

To work around this issue, power cycle the switch. | 5.5.1-5.13.1 | 5.14.0-5.16.1| | [4508830](#4508830)
| Cumulus Linux allows you to add bond ports of mismatched speeds (such as 10G and 25G) to the same LACP bond without error and the bond reports UP. | 5.11.2-5.16.1 | | -| [4507163](#4507163)
| In some cases after a package upgrade with ISSU (warm boot mode), you see continuous errors in the syslog similar to the following:
NOTICE  CORE_ASYNC: Error at pre send callback status [Resource is in use]
| 5.11.2-5.11.3 | 5.11.4-5.16.1| +| [4507163, 4119158](#4507163, 4119158)
| In some cases after a package upgrade with ISSU (warm boot mode), you see continuous errors in the syslog similar to the following:
NOTICE  CORE_ASYNC: Error at pre send callback status [Resource is in use]
| 5.11.2-5.11.3 | 5.11.4-5.16.1| | [4499025](#4499025)
| You see a high volume of NAT and NFCT errors flooding switchd logs. This issue has no functional impact. | 5.11.2-5.16.1 | | | [4495231](#4495231)
| If the hardware clock date is later than 2038-01-19 03:14:07 UTC, the image might fail to install due to a grub-install failure on the EFI filesystem, which is a VFAT filesystem. As a result, you see the grub prompt immediately after reboot. To work around this issue, reboot from the grub prompt to go into ONIE. From ONIE, use the date command to set a date before 2038-01-19, then run the hwclock --systohc command to add it to the hardware clock. You can then use onie-nos-install to install the image. | 5.9.0-5.16.1 | | | [4486200](#4486200)
| If you enable dynamic NAT and try to install two identical dynamic NAT rules, switchd might crash. | 5.11.2-5.13.1 | 5.14.0-5.16.1| | [4475111](#4475111)
| When you try to convert a layer 3 port that is part of ECMP to a bond member, you might see a failure in the switchd logs. This issue does not have any functional impact. | 5.11.2-5.16.1 | 5.9.4| -| [4472414](#4472414)
| After you modify the IP address of an SVI, DHCP relay uses an old cached IP address instead of the changed IP address. This occurs because DHCP relay monitors the link state change not IP address change. | 5.11.0-5.14.0 | 5.15.0-5.16.1| +| [4472414, 4621451](#4472414, 4621451)
| After you modify the IP address of an SVI, DHCP relay uses an old cached IP address instead of the changed IP address. This occurs because DHCP relay monitors the link state change not IP address change. | 5.11.0-5.14.0 | 5.15.0-5.16.1| | [4461102](#4461102)
| In certain cases, when a port is down and you apply adaptive routing with the link utilization threshold setting to the port as it goes up, you might see log errors while the port is not yet up. | 5.11.0-5.13.1 | 5.14.0-5.16.1| | [4423352](#4423352)
| ZTP scripts return an error due to incorrect ASCI to UTF-8 conversion. | 5.11.0-5.16.1 | | | [4423335](#4423335)
| When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the nv config patch command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with systemctl restart nvued.service. | 5.9.0-5.16.1 | | @@ -384,7 +384,7 @@ pdfhidden: True | [4423235](#4423235)
| The snmpd service generates debugging logs of sudo calls. To work around this issue, disable sudo logging for the specific commands run by the Debian-snmp user in the /etc/sudoers.d/snmp file by adding Defaults:Debian-snmp !syslog. | 5.11.0-5.16.1 | | | [4408387](#4408387)
| BGP crashes during EVPN route install due to incorrect memory access. | 5.11.0-5.13.1 | 5.14.0-5.16.1| | [4360615](#4360615)
| The control plane trap group counters are not associated correctly with the right trap group. | 5.11.0-5.12.1 | 5.13.0-5.16.1| -| [4328729](#4328729)
| When sending control packets that have the port range 259 through 1023 in their TX base header system target (above cap_max_system_ports and below cap_ports used for LAG forwarding), a fatal health event occurs on the switch. The port range 259 through 1023 reflects illegal system ports; do not set these values in the control packet TX base header. As this range reflects illegal system ports, do not set these values in the control packet TX base header, as it will be dropped. | 5.10.1-5.12.1 | 5.13.0-5.16.1| +| [4328729, 4261676](#4328729, 4261676)
| When sending control packets that have the port range 259 through 1023 in their TX base header system target (above cap_max_system_ports and below cap_ports used for LAG forwarding), a fatal health event occurs on the switch. The port range 259 through 1023 reflects illegal system ports; do not set these values in the control packet TX base header. As this range reflects illegal system ports, do not set these values in the control packet TX base header, as it will be dropped. | 5.10.1-5.12.1 | 5.13.0-5.16.1| | [4270957](#4270957)
| Optimized (two partition) upgrade from Cumulus Linux 5.11.0 requires approximately 2.4 Gbytes of free space in /var after downloading the image with NVUE commands instead of 1.6 Gbytes of free space. Upgrade needs the extra space for an additional copy of the downloaded image in /var . | 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4220393](#4220393)
| The default GRUB timeout style changed from menu to countdown. When booting, a countdown displays on the console and you can use the escape key to break out of the countdown and show the GRUB menu. This reduces the chance of console noise halting the reboot process. If you press the escape key twice, you might go to the GRUB command line. In this case, type normal to get back to the GRUB menu or reboot to reboot the switch. | 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4205060](#4205060)
| Debian 12 does not support LDAP SSL CRL check. Cumulus Linux now uses CRL file. | 5.11.0-5.11.5 | 5.12.0-5.16.1| @@ -394,12 +394,12 @@ pdfhidden: True | [4183214](#4183214)
| If you upgrade the switch from Cumulus Linux 5.9.x or 5.10.x with package upgrade and Radius is enabled, you see configuration and commit errors. To avoid this issue, either disable Radius during package upgrade or disable Radius before package upgrade with the sudo adduser --system --group --home /run/nslcd --no-create-home --gecos 'nslcd name service LDAP connection daemon' nslcd command. | 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4177067](#4177067)
| When performing a package upgrade, nslcd installation might open an interactive dialog to configure nslcd.conf .
To avoid this interactive dialog, set the DEBIAN_FRONTEND environment variable to noninteractive. For example:
cumulus@switch:~$ sudo apt-get update
cumulus@switch:~$ sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold" upgrade
| 5.11.0-5.16.1 | | | [4176931](#4176931)
| The nv show platform firmware command results in a Python traceback and takes a long time to complete because the VX image does not support the smartctl utility. | 5.11.0-5.11.5 | 5.12.0-5.16.1| -| [4174646](#4174646)
| On the NVIDIA SN5400 and SN5600 switch, the fans might run at full speed when it is not necessary. | 5.10.1-5.11.5 | 5.12.0-5.16.1| +| [4174646, 4042294](#4174646, 4042294)
| On the NVIDIA SN5400 and SN5600 switch, the fans might run at full speed when it is not necessary. | 5.10.1-5.11.5 | 5.12.0-5.16.1| | [4155957](#4155957)
| Logs from the OTLP exporter process (nv-telemetry) grow uncontrolled and result in excessive disk space usage. You can remove the large files in the /var/log/nv-telemetry folder or modify them to reduce their size. | 5.11.0-5.11.5 | 5.12.0-5.16.1| -| [4154839](#4154839)
| When you run certain SDK commands (such as sudo sx_api_port_counter_dump_all.py or sx_api_fdb_dump) first as the cumulus user, then with sudo, you see the following error:
PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt'

To resolve this issue, run the rm -rf /tmp/python_err_log.txt command. | 5.11.0-5.16.1 | | +| [4154839, 4280933, 4291934](#4154839, 4280933, 4291934)
| When you run certain SDK commands (such as sudo sx_api_port_counter_dump_all.py or sx_api_fdb_dump) first as the cumulus user, then with sudo, you see the following error:
PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt'

To resolve this issue, run the rm -rf /tmp/python_err_log.txt command. | 5.11.0-5.16.1 | | | [4144021](#4144021)
| Shutting down port 65 or 66 on the NVIDIA Spectrum-4 switch leaves the opposite port up when using MLNX SFP-T and RJ45 connections. Spectrum-4 switches do not support SFP-T modules on ports 65 and 66. | 5.10.0-5.12.1 | 5.13.0-5.16.1| | [4142857](#4142857)
| The switch drops PTP packets received with extra ethernet padding and you see syslog [ptp4l.ERR] messages. | 5.10.0-5.16.1 | | -| [4139511](#4139511)
| When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue.
[ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds
[ 1903.846724] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.852689] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.861573] hwmon hwmon28: Failed to query module temperature
| 5.11.0-5.16.1 | | +| [4139511, 4184813, 4180112](#4139511, 4184813, 4180112)
| When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue.
[ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds
[ 1903.846724] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.852689] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.861573] hwmon hwmon28: Failed to query module temperature
| 5.11.0-5.16.1 | | | [4134447](#4134447)
| The journal logs might include the error message ERR kernel: [ 7.453789] usb usb2-port2: connect-debounce failed. You can safely ignore this log message. | 5.11.0-5.16.1 | | | [4134174](#4134174)
| If you configure a route map by attaching it to a specific protocol, then you detach it from that protocol, if you then attach the same route map to all protocols, then detach it from all protocols, Cumulus Linux deletes routes from the forwarding table.
To work around this issue, either attach the route map to all protocols or attach the route map to each protocol you want to use. For example, to attach the route map to all protocols, run the nv set vrf router rib fib-filter route-map command. To attach the route map to each protocol you want to use, run the nv set vrf router rib fib-filter protocol route-map command. | 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4130022](#4130022)
| LDAP does not support per-command authorization. | 5.11.0-5.11.5 | 5.12.0-5.16.1| @@ -408,30 +408,30 @@ pdfhidden: True | [4128912](#4128912)
| When you use PPS IN, PTP might show a high offset. The offset might be around an offset value. For example, around 60 ns or 80 ns. To work around this issue, set the cable compensation value. For 60 ns, run the nv set platform pulse-per-second in timestamp-correction -60 command to set the compensation. | 5.11.0-5.12.1 | 5.13.0-5.16.1| | [4127932](#4127932)
| After you run the nv action install system image command or the cl-image-upgrade -u command, if you run the command a second time to upgrade to a different image, the upgrade might fail because there are leftover /var/install/sys mounts. To resolve this issue, either reboot before you retry image upgrade or run the following commands :
cumulus@switch:~$ sudo mount --make-rslave /var/installer/sys
cumulus@switch:~$ sudo umount -R /var/installer/sys
cumulus@switch:~$ sudo umount tmpfs-installer
| 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4127315](#4127315)
| If you set BGP community-advertise large to off with NVUE, large communities are still sent to BGP peers. To resolve this issue, NVUE has changed the default value of community-advertise large from off to on. | 5.11.0-5.11.5 | 5.12.0-5.16.1| -| [4124376](#4124376)
| The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier).
To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in Downgrade a Secure Boot Switch. | 5.11.0-5.16.1 | | +| [4124376, 4316163](#4124376, 4316163)
| The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier).
To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in Downgrade a Secure Boot Switch. | 5.11.0-5.16.1 | | | [4122591](#4122591)
| The NVUE nv set system aaa ldap ssl ca-list command shows the following error if you use the string option:
Error: At ca-list: '/etc/ssl/certs/ca-cert.crt' is not one of ['default', 'none']
| 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4118970](#4118970)
| When running PTP, the performance for 100Gx2 and 400Gx8 can have a high offset in up to 1.5% of the sampling. | 5.11.0-5.16.1 | | -| [4105127](#4105127)
| Any sFlow configuration changes that require an hsflowd restart are operational only after an initial delay of 60 seconds. | 5.11.0-5.16.1 | | -| [4101560](#4101560)
| The nv set vrf router rib fib-filter route-map command only works if you restart FRR after you run the command. To work around this issue, attach the route map to each needed protocol; for example, run the nv set vrf router rib fib-filter protocol route-map command. | 5.11.0-5.11.5 | 5.12.0-5.16.1| +| [4105127, 4796391](#4105127, 4796391)
| Any sFlow configuration changes that require an hsflowd restart are operational only after an initial delay of 60 seconds. | 5.11.0-5.16.1 | | +| [4101560, 4101440](#4101560, 4101440)
| The nv set vrf router rib fib-filter route-map command only works if you restart FRR after you run the command. To work around this issue, attach the route map to each needed protocol; for example, run the nv set vrf router rib fib-filter protocol route-map command. | 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4100629](#4100629)
| NVUE show command outputs show LLDP neighbor changes only after the LLDP update frequency multiplied by the hold time. | 5.11.0-5.16.1 | | | [4082210](#4082210)
| When you change the CPU resource limit with the nv set service control rsyslog resource-limit cpu command, the rsyslog agent does not start. To work around this issue, increase the CPU resource limit, then restart the service manually. | 5.11.0-5.16.1 | | | [4077921](#4077921)
| You cannot use package upgrade to upgrade from Cumulus Linux 5.9.2 to Cumulus Linux 5.10.1 or later. You must install the Cumulus Linux image instead. | 5.10.1-5.16.1 | | | [4052578](#4052578)
| When you perform a binary upgrade from Cumulus Linux 5.8 or earlier to 5.9.0 or later with a pre-staged startup.yaml file, the cumulus user password is reset to the default password because there is no default startup.yaml file present in 5.8.0 or earlier. To work around this issue, generate the startup.yaml file from the existing NVUE configuration. | 5.9.2-5.11.5 | 5.12.0-5.16.1| -| [4049213](#4049213)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | +| [4049213, 4186873](#4049213, 4186873)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | | [4048583](#4048583)
| If there are failures in MSTPD or a port is not updated in the database, the NVUE nv show bridge domain stp command might not work and might produce errors even when STP has data for other working ports or VLANs. This is a display issue only and does not impact functionality. | 5.10.0-5.12.1 | 5.13.0-5.16.1| | [4047798](#4047798)
| Packet distribution based on ECMP hashing using GTP-TEID does not function as expected in an EVPN Clos topology. | 5.10.0-5.16.1 | | | [4030380](#4030380)
| When you roll back interface configuration to the default setting with the nv unset interface command, NVUE removes the complete entry for the interface from the /etc/network/interface file, and puts the interface in admin down. As a result, you cannot configure FEC on the interface at the lower layers. | 5.10.0-5.16.1 | | | [4019256](#4019256)
| If you change the switch hostname, the histogram data producer service restarts. | 5.10.0-5.12.1 | 5.13.0-5.16.1| -| [4005422](#4005422)
| When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the systemctl enable ntpsec@ and systemctl restart ntpsec@ commands. | 5.10.0-5.16.1 | | +| [4005422, 4015452](#4005422, 4015452)
| When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the systemctl enable ntpsec@ and systemctl restart ntpsec@ commands. | 5.10.0-5.16.1 | | | [3985682](#3985682)
| On Spectrum-4 switches, multicast flows containing packets smaller than 512 bytes might not reach full line rate. Cumulus Linux supports 512 byte and larger multicast packets. | 5.10.0-5.16.1 | | | [3966312](#3966312)
| When connecting the SN5xxx switch to third party test equipment (such as IXIA) using copper cables at 100GbE, 200GbE, 400GbE, or 800GbE, links do not come up. | 5.10.0-5.16.1 | | | [3948068](#3948068)
| On the SN3700 and SN3700c switch, the nv show platform environment voltage command output shows a failed state for the PSU-n-12V-RAIL-OUT sensors. This is a known hardware limitation that cannot be corrected by the PSU vendor. | 5.10.0-5.16.1 | | | [3915878](#3915878)
| If you configure remote syslog export through a non-default VRF, you might see repeated error logs from the rsyslog process while the switch is booting:
rsyslogd: create UDP socket bound to device failed: No such device [v8.2302.0]rsyslogd: No UDP socket could successfully be initialized, some functionality may be disabled.  [v8.2302.0]

The logs occur because the rsyslog service starts before the networking service creates the configured VRF for syslog export. There is no functional impact with this issue. | 5.9.0-5.16.1 | | -| [3879809](#3879809)
| Spectrum-4 switches do not include full What Just Happened (WJH) support. | 5.9.0-5.13.1 | 5.14.0-5.16.1| +| [3879809, 4064254](#3879809, 4064254)
| Spectrum-4 switches do not include full What Just Happened (WJH) support. | 5.9.0-5.13.1 | 5.14.0-5.16.1| | [3879717](#3879717)
| Running snmpwalk on the switch with the management IP address does not work. To work around this issue, use the localhost option (snmpwalk -v 2c -c public28 localhost 1.3.6.1.2.1.14) or create a control plane ACL whitelist rule. | 5.10.0-5.16.1 | | | [3878394](#3878394)
| When ZTP runs a script that contains wget, ZTP fails and you see a message similar to the following:
ZTP: ZTP DHCP: Unexpected error: 'ascii' codec can't decode byte 0xe2 in position 181: ordinal not in range(128)ZTP: Script returned failure

To work around this issue, use the -q option with wget. | 5.9.0-5.16.1 | | | [3877516](#3877516)
| When you connect two NVIDIA switches and configure 400G speed in force mode, links don't come up.
To work around this issue, make sure auto-negotiation is always on when connecting NVIDIA to NVIDIA in PAM4. | 5.9.0-5.16.1 | | -| [3875687](#3875687)
| After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the Local Vtep Ip field of the nv show evpn vni command output. To work around this issue, either run the ifup command or reboot the switch. | 5.9.0-5.13.1 | 5.14.0-5.16.1| +| [3875687, 3879260, 4025900](#3875687, 3879260, 4025900)
| After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the Local Vtep Ip field of the nv show evpn vni command output. To work around this issue, either run the ifup command or reboot the switch. | 5.9.0-5.13.1 | 5.14.0-5.16.1| | [3875373](#3875373)
| When you run the nv config apply empty command, NVUE removes the cumulus user. If you are logged in as the cumulus user when you run the nv config apply empty command, the command fails. | 5.9.0-5.16.1 | | | [3861745](#3861745)
| On UEFI hardware (where the /sys/firmware/efi directory exists), using the update-grub program might generate a /boot/grub/grub.cfg that is incorrect for booting ONIE if the ONIE option is selected on the console while booting. To work around this issue, run mount LABEL="EFI System" /boot/efi before using update-grub. | 5.9.0-5.16.1 | | | [3855796](#3855796)
| When configuring a Unicast Master Table for clients, the server addresses must be reachable and the route to the destination must exist. The unicast table can have one directly-connected port for a client. This restriction is only for directly connected ports and doesn't apply to Unicast Servers on other devices or switches. | 5.9.0-5.16.1 | | @@ -446,17 +446,17 @@ pdfhidden: True | [3637444](#3637444)
| Applying an inbound control plane ACL on the eth0 management interface does not take effect. To work around this issue, apply the ACL on the mgmt interface; for example, nv set interface mgmt acl inbound control-plane. | 5.7.0-5.16.1 | | | [3591918](#3591918)
| The nv action disconnect system aaa user command does not clear all open sessions. To work around this issue, run the command as many times as the number of sessions. | 5.6.0-5.16.1 | | | [3587393](#3587393)
| If you use the NVIDIA SN5600 (Spectrum-4) switch with Ixia test equipment, you might experience delayed link up due to intermittent link flaps.
To work around this issue when using copper cables:
  • Use Ixia IxOS version 9.37 with HF002156, or version 9.39 or later.
  • Use the DAC cable on ports 10 through 50.
  • Use NVIDIA cables with the recommended firmware revision.
  • Configure AN on the Cumulus Linux switch and AN/LT on Ixia.

To work around this issue when using fiber cables:
  • Configure 800g/Force.
  • Use the recommended NVIDIA optical adapters.
| 5.6.0-5.16.1 | | -| [3556762](#3556762)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | +| [3556762, 3463827](#3556762, 3463827)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | | [3540510](#3540510)
| 400Gx8 ports only support traffic line rate with packets that are larger than 172 bytes. | 5.6.0-5.16.1 | | -| [3538321](#3538321)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | +| [3538321, 3564344](#3538321, 3564344)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | | [3497622](#3497622)
| When you remove PSUs, then plug them back in, you might experience traffic loss and some ports might be in a down state. | 5.6.0-5.16.1 | | | [3472163](#3472163)
| On a switch with the Spectrum-4 ASIC, packets that are smaller than 256 bytes are not included in multicast flows. Multicast flows support packets that are 256 bytes or larger. | 5.6.0-5.16.1 | | | [3444490](#3444490)
| Migration from ONYX to Cumulus Linux is supported and tested with ONYX version 3.10.4302 GA only. | 5.6.0-5.16.1 | | -| [3442569](#3442569)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | -| [3430430](#3430430)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | -| [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | +| [3442569, 3520880, 3586421](#3442569, 3520880, 3586421)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | +| [3430430, 3337848](#3430430, 3337848)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | +| [3424967, 3413785](#3424967, 3413785)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [3414866](#3414866)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | +| [3414866, 3536555, 4465009, 4509253, 4732973](#3414866, 3536555, 4465009, 4509253, 4732973)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | | [3362113](#3362113)
| If you restore an NVUE startup.yaml file or run the nv config patch command after an upgrade that includes breakout ports with QoS configuration, the NVUE configuration fails to apply. Subsequent attempts to run nv config apply fail with a message similar to Invalid config [rev_id: 11] qos config is not supported on the following invalid interface: swp1s0. Supported on swp and bond interface types. To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. | 5.4.0-5.16.1 | | | [3347538](#3347538)
| When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.16.1 | | | [3341214](#3341214)
| If you use the NVUE REST API to configure a local user with a hashed password, the user cannot log in and the /etc/nvue.d/startup.yaml file shows the password as plain text. | 5.4.0-5.16.1 | | @@ -466,10 +466,10 @@ pdfhidden: True | [3253218](#3253218)
| Auto-negotiation isn't supported on Spectrum-2 and Spectrum-3 switches using the 1G SFP-T module; FORCE 1G is configured instead. | 5.4.0-5.16.1 | | | [3241567](#3241567)
| When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time. | 5.3.0-5.16.1 | | | [3226506](#3226506)
| The l1-show eth0 command does not show port information and is not supported in this release. | 5.3.0-5.16.1 | | -| [3225117](#3225117)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | +| [3225117, 3158720](#3225117, 3158720)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | | [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.16.1 | | | [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.16.1 | | -| [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | +| [3145869, 3430508, 3543102](#3145869, 3430508, 3543102)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | | [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example: 
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.16.1 | | | [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.16.1 | | | [3103821](#3103821)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.16.1 | | @@ -479,8 +479,8 @@ pdfhidden: True | [3061656](#3061656)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.16.1 | | | [2972540](#2972540)
| With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.16.1 | | | [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.16.1 | | -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [2885305](#2885305)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2885305, 2887500, 3234087, 3074929, 3293192](#2885305, 2887500, 3234087, 3074929, 3293192)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.16.1 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.16.1 | | | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | @@ -513,21 +513,21 @@ pdfhidden: True | [4622487](#4622487)
| When you configure an exclude_users line in /etc/tacplus_nss.conf containing a long list of users, NSS lookups might fail or behave incorrectly when parsing the configuration. | 5.11.1-5.14.0 | 5.15.0-5.16.1| | [4621759](#4621759)
| When many BFD sessions are configured at scale, ptmd might crash when one of the BFD sessions flaps. | 5.3.1-5.14.0 | 5.15.0-5.16.1| | [4582679](#4582679)
| If a node has Suppress Route Advertisement enabled and routes are re-learned; for example, when a peer sends the route again due to route policy changes, or you enable or disable graceful shutdown, not all routes are offloaded, which might cause discrepancies in traffic. | 5.9.4-5.16.1 | | -| [4558846](#4558846)
| If interface statistics telemetry is running on the switch, an interface_stats_collector core file might generate during statistics collection. | 5.11.0-5.11.5 | 5.12.0-5.16.1| +| [4558846, 4237198](#4558846, 4237198)
| If interface statistics telemetry is running on the switch, an interface_stats_collector core file might generate during statistics collection. | 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4548512](#4548512)
| When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface vlan10, the route might install against vlan10-v0. This prevents next-hop tracking and route installation into hardware.
This issue can occur in the following conditions:
  • When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.
  • In an MLAG and VRR configuration, static routes fail to install when the route is resolved through a connected route and the interface of the connected route undergoes a link state change for any reason, such as link flaps, interface bring-up, clagd restart, switchd restart, etc.

To work around this issue, restart the FRR service using the sudo systemctl restart frr.service command. | 5.11.0-5.16.1 | | | [4535804](#4535804)
| If you use a bridge name other than br_default, PTP neighbors fail to establish because the PTP packets are sourced from an unexpected IP address.
To work around this issue, configure the base-interface for the VLAN interface with the nv set interface base-interface command. | 5.10.0-5.16.1 | | | [4535749](#4535749)
| The uc-discards field in the nv show interface counters qos egress-queue-stats command output is actually the number of packets discarded per queue, but it is wrongly interpreted as bytes. To work around this issue, convert the data shown in bytes to packets by multiplying by 1024 if the data is in KB, 1024x1024 if the data is in MB, and 1024x1024x1024 if the data is in GB. | 5.11.0-5.16.1 | | -| [4531952](#4531952)
| When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface vlan10, the route might install against vlan10-v0. This prevents next-hop tracking and route installation into hardware.
This issue can occur in the following conditions:
  • When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.
  • In an MLAG and VRR configuration, static routes fail to install when the route is resolved through a connected route and the interface of the connected route undergoes a link state change for any reason, such as link flaps, interface bring-up, clagd restart, switchd restart, etc.

To work around this issue, restart the FRR service using the sudo systemctl restart frr.service command. | 5.11.1-5.13.1 | 5.14.0-5.16.1| +| [4531952, 4518822](#4531952, 4518822)
| When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface vlan10, the route might install against vlan10-v0. This prevents next-hop tracking and route installation into hardware.
This issue can occur in the following conditions:
  • When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.
  • In an MLAG and VRR configuration, static routes fail to install when the route is resolved through a connected route and the interface of the connected route undergoes a link state change for any reason, such as link flaps, interface bring-up, clagd restart, switchd restart, etc.

To work around this issue, restart the FRR service using the sudo systemctl restart frr.service command. | 5.11.1-5.13.1 | 5.14.0-5.16.1| | [4531104](#4531104)
| On a switch with SDK 4.6.1062 or earlier, you might see FW fatal health events. | 5.6.0-5.13.1 | 5.14.0-5.16.1| | [4522594](#4522594)
| In a VXLAN environment, if the bridge MAC address changes for a VTEP, the switch drops VXLAN traffic entering this VTEP from a remote VTEP. The switch only drops layer 3 routed VXLAN traffic because the RMAC is not updated correctly in the SDK. | 5.11.1-5.11.5 | 5.9.4, 5.12.0-5.16.1| | [4521203](#4521203)
| The SATA driver on the NVIDIA SN2410 switch sometimes exhibits failures similar to the following:
2025-06-20T20:03:38.785966+09:00 S1-RF10B kernel: 
[49878794.456350] ata1.00: failed command: WRITE FPDMA QUEUED
2025-06-20T20:03:38.785968+09:00 S1-RF10B kernel: [49878794.461984] ata1.00: cmd
61/08:08:50:2b:c4/00:00:01:00:00/40 tag 1 ncq dma 4096 out
2025-06-20T20:03:38.785970+09:00 S1-RF10B kernel: [49878794.461984] res 40/00:0c:50:2b:c4/00:00:01:00:00/40 Emask 0×10 (ATA bus error)

To work around this issue, power cycle the switch. | 5.5.1-5.13.1 | 5.14.0-5.16.1| | [4508830](#4508830)
| Cumulus Linux allows you to add bond ports of mismatched speeds (such as 10G and 25G) to the same LACP bond without error and the bond reports UP. | 5.11.2-5.16.1 | | -| [4507163](#4507163)
| In some cases after a package upgrade with ISSU (warm boot mode), you see continuous errors in the syslog similar to the following:
NOTICE  CORE_ASYNC: Error at pre send callback status [Resource is in use]
| 5.11.2-5.11.3 | 5.11.4-5.16.1| +| [4507163, 4119158](#4507163, 4119158)
| In some cases after a package upgrade with ISSU (warm boot mode), you see continuous errors in the syslog similar to the following:
NOTICE  CORE_ASYNC: Error at pre send callback status [Resource is in use]
| 5.11.2-5.11.3 | 5.11.4-5.16.1| | [4499025](#4499025)
| You see a high volume of NAT and NFCT errors flooding switchd logs. This issue has no functional impact. | 5.11.2-5.16.1 | | | [4495231](#4495231)
| If the hardware clock date is later than 2038-01-19 03:14:07 UTC, the image might fail to install due to a grub-install failure on the EFI filesystem, which is a VFAT filesystem. As a result, you see the grub prompt immediately after reboot. To work around this issue, reboot from the grub prompt to go into ONIE. From ONIE, use the date command to set a date before 2038-01-19, then run the hwclock --systohc command to add it to the hardware clock. You can then use onie-nos-install to install the image. | 5.9.0-5.16.1 | | | [4486200](#4486200)
| If you enable dynamic NAT and try to install two identical dynamic NAT rules, switchd might crash. | 5.11.2-5.13.1 | 5.14.0-5.16.1| | [4475111](#4475111)
| When you try to convert a layer 3 port that is part of ECMP to a bond member, you might see a failure in the switchd logs. This issue does not have any functional impact. | 5.11.2-5.16.1 | 5.9.4| -| [4472414](#4472414)
| After you modify the IP address of an SVI, DHCP relay uses an old cached IP address instead of the changed IP address. This occurs because DHCP relay monitors the link state change not IP address change. | 5.11.0-5.14.0 | 5.15.0-5.16.1| +| [4472414, 4621451](#4472414, 4621451)
| After you modify the IP address of an SVI, DHCP relay uses an old cached IP address instead of the changed IP address. This occurs because DHCP relay monitors the link state change not IP address change. | 5.11.0-5.14.0 | 5.15.0-5.16.1| | [4461102](#4461102)
| In certain cases, when a port is down and you apply adaptive routing with the link utilization threshold setting to the port as it goes up, you might see log errors while the port is not yet up. | 5.11.0-5.13.1 | 5.14.0-5.16.1| | [4423352](#4423352)
| ZTP scripts return an error due to incorrect ASCI to UTF-8 conversion. | 5.11.0-5.16.1 | | | [4423335](#4423335)
| When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the nv config patch command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with systemctl restart nvued.service. | 5.9.0-5.16.1 | | @@ -537,7 +537,7 @@ pdfhidden: True | [4423235](#4423235)
| The snmpd service generates debugging logs of sudo calls. To work around this issue, disable sudo logging for the specific commands run by the Debian-snmp user in the /etc/sudoers.d/snmp file by adding Defaults:Debian-snmp !syslog. | 5.11.0-5.16.1 | | | [4408387](#4408387)
| BGP crashes during EVPN route install due to incorrect memory access. | 5.11.0-5.13.1 | 5.14.0-5.16.1| | [4360615](#4360615)
| The control plane trap group counters are not associated correctly with the right trap group. | 5.11.0-5.12.1 | 5.13.0-5.16.1| -| [4328729](#4328729)
| When sending control packets that have the port range 259 through 1023 in their TX base header system target (above cap_max_system_ports and below cap_ports used for LAG forwarding), a fatal health event occurs on the switch. The port range 259 through 1023 reflects illegal system ports; do not set these values in the control packet TX base header. As this range reflects illegal system ports, do not set these values in the control packet TX base header, as it will be dropped. | 5.10.1-5.12.1 | 5.13.0-5.16.1| +| [4328729, 4261676](#4328729, 4261676)
| When sending control packets that have the port range 259 through 1023 in their TX base header system target (above cap_max_system_ports and below cap_ports used for LAG forwarding), a fatal health event occurs on the switch. The port range 259 through 1023 reflects illegal system ports; do not set these values in the control packet TX base header. As this range reflects illegal system ports, do not set these values in the control packet TX base header, as it will be dropped. | 5.10.1-5.12.1 | 5.13.0-5.16.1| | [4270957](#4270957)
| Optimized (two partition) upgrade from Cumulus Linux 5.11.0 requires approximately 2.4 Gbytes of free space in /var after downloading the image with NVUE commands instead of 1.6 Gbytes of free space. Upgrade needs the extra space for an additional copy of the downloaded image in /var . | 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4220393](#4220393)
| The default GRUB timeout style changed from menu to countdown. When booting, a countdown displays on the console and you can use the escape key to break out of the countdown and show the GRUB menu. This reduces the chance of console noise halting the reboot process. If you press the escape key twice, you might go to the GRUB command line. In this case, type normal to get back to the GRUB menu or reboot to reboot the switch. | 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4205060](#4205060)
| Debian 12 does not support LDAP SSL CRL check. Cumulus Linux now uses CRL file. | 5.11.0-5.11.5 | 5.12.0-5.16.1| @@ -547,12 +547,12 @@ pdfhidden: True | [4183214](#4183214)
| If you upgrade the switch from Cumulus Linux 5.9.x or 5.10.x with package upgrade and Radius is enabled, you see configuration and commit errors. To avoid this issue, either disable Radius during package upgrade or disable Radius before package upgrade with the sudo adduser --system --group --home /run/nslcd --no-create-home --gecos 'nslcd name service LDAP connection daemon' nslcd command. | 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4177067](#4177067)
| When performing a package upgrade, nslcd installation might open an interactive dialog to configure nslcd.conf .
To avoid this interactive dialog, set the DEBIAN_FRONTEND environment variable to noninteractive. For example:
cumulus@switch:~$ sudo apt-get update
cumulus@switch:~$ sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold" upgrade
| 5.11.0-5.16.1 | | | [4176931](#4176931)
| The nv show platform firmware command results in a Python traceback and takes a long time to complete because the VX image does not support the smartctl utility. | 5.11.0-5.11.5 | 5.12.0-5.16.1| -| [4174646](#4174646)
| On the NVIDIA SN5400 and SN5600 switch, the fans might run at full speed when it is not necessary. | 5.10.1-5.11.5 | 5.12.0-5.16.1| +| [4174646, 4042294](#4174646, 4042294)
| On the NVIDIA SN5400 and SN5600 switch, the fans might run at full speed when it is not necessary. | 5.10.1-5.11.5 | 5.12.0-5.16.1| | [4155957](#4155957)
| Logs from the OTLP exporter process (nv-telemetry) grow uncontrolled and result in excessive disk space usage. You can remove the large files in the /var/log/nv-telemetry folder or modify them to reduce their size. | 5.11.0-5.11.5 | 5.12.0-5.16.1| -| [4154839](#4154839)
| When you run certain SDK commands (such as sudo sx_api_port_counter_dump_all.py or sx_api_fdb_dump) first as the cumulus user, then with sudo, you see the following error:
PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt'

To resolve this issue, run the rm -rf /tmp/python_err_log.txt command. | 5.11.0-5.16.1 | | +| [4154839, 4280933, 4291934](#4154839, 4280933, 4291934)
| When you run certain SDK commands (such as sudo sx_api_port_counter_dump_all.py or sx_api_fdb_dump) first as the cumulus user, then with sudo, you see the following error:
PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt'

To resolve this issue, run the rm -rf /tmp/python_err_log.txt command. | 5.11.0-5.16.1 | | | [4144021](#4144021)
| Shutting down port 65 or 66 on the NVIDIA Spectrum-4 switch leaves the opposite port up when using MLNX SFP-T and RJ45 connections. Spectrum-4 switches do not support SFP-T modules on ports 65 and 66. | 5.10.0-5.12.1 | 5.13.0-5.16.1| | [4142857](#4142857)
| The switch drops PTP packets received with extra ethernet padding and you see syslog [ptp4l.ERR] messages. | 5.10.0-5.16.1 | | -| [4139511](#4139511)
| When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue.
[ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds
[ 1903.846724] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.852689] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.861573] hwmon hwmon28: Failed to query module temperature
| 5.11.0-5.16.1 | | +| [4139511, 4184813, 4180112](#4139511, 4184813, 4180112)
| When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue.
[ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds
[ 1903.846724] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.852689] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.861573] hwmon hwmon28: Failed to query module temperature
| 5.11.0-5.16.1 | | | [4134447](#4134447)
| The journal logs might include the error message ERR kernel: [ 7.453789] usb usb2-port2: connect-debounce failed. You can safely ignore this log message. | 5.11.0-5.16.1 | | | [4134174](#4134174)
| If you configure a route map by attaching it to a specific protocol, then you detach it from that protocol, if you then attach the same route map to all protocols, then detach it from all protocols, Cumulus Linux deletes routes from the forwarding table.
To work around this issue, either attach the route map to all protocols or attach the route map to each protocol you want to use. For example, to attach the route map to all protocols, run the nv set vrf router rib fib-filter route-map command. To attach the route map to each protocol you want to use, run the nv set vrf router rib fib-filter protocol route-map command. | 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4130022](#4130022)
| LDAP does not support per-command authorization. | 5.11.0-5.11.5 | 5.12.0-5.16.1| @@ -561,30 +561,30 @@ pdfhidden: True | [4128912](#4128912)
| When you use PPS IN, PTP might show a high offset. The offset might be around an offset value. For example, around 60 ns or 80 ns. To work around this issue, set the cable compensation value. For 60 ns, run the nv set platform pulse-per-second in timestamp-correction -60 command to set the compensation. | 5.11.0-5.12.1 | 5.13.0-5.16.1| | [4127932](#4127932)
| After you run the nv action install system image command or the cl-image-upgrade -u command, if you run the command a second time to upgrade to a different image, the upgrade might fail because there are leftover /var/install/sys mounts. To resolve this issue, either reboot before you retry image upgrade or run the following commands :
cumulus@switch:~$ sudo mount --make-rslave /var/installer/sys
cumulus@switch:~$ sudo umount -R /var/installer/sys
cumulus@switch:~$ sudo umount tmpfs-installer
| 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4127315](#4127315)
| If you set BGP community-advertise large to off with NVUE, large communities are still sent to BGP peers. To resolve this issue, NVUE has changed the default value of community-advertise large from off to on. | 5.11.0-5.11.5 | 5.12.0-5.16.1| -| [4124376](#4124376)
| The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier).
To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in Downgrade a Secure Boot Switch. | 5.11.0-5.16.1 | | +| [4124376, 4316163](#4124376, 4316163)
| The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier).
To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in Downgrade a Secure Boot Switch. | 5.11.0-5.16.1 | | | [4122591](#4122591)
| The NVUE nv set system aaa ldap ssl ca-list command shows the following error if you use the string option:
Error: At ca-list: '/etc/ssl/certs/ca-cert.crt' is not one of ['default', 'none']
| 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4118970](#4118970)
| When running PTP, the performance for 100Gx2 and 400Gx8 can have a high offset in up to 1.5% of the sampling. | 5.11.0-5.16.1 | | -| [4105127](#4105127)
| Any sFlow configuration changes that require an hsflowd restart are operational only after an initial delay of 60 seconds. | 5.11.0-5.16.1 | | -| [4101560](#4101560)
| The nv set vrf router rib fib-filter route-map command only works if you restart FRR after you run the command. To work around this issue, attach the route map to each needed protocol; for example, run the nv set vrf router rib fib-filter protocol route-map command. | 5.11.0-5.11.5 | 5.12.0-5.16.1| +| [4105127, 4796391](#4105127, 4796391)
| Any sFlow configuration changes that require an hsflowd restart are operational only after an initial delay of 60 seconds. | 5.11.0-5.16.1 | | +| [4101560, 4101440](#4101560, 4101440)
| The nv set vrf router rib fib-filter route-map command only works if you restart FRR after you run the command. To work around this issue, attach the route map to each needed protocol; for example, run the nv set vrf router rib fib-filter protocol route-map command. | 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4100629](#4100629)
| NVUE show command outputs show LLDP neighbor changes only after the LLDP update frequency multiplied by the hold time. | 5.11.0-5.16.1 | | | [4082210](#4082210)
| When you change the CPU resource limit with the nv set service control rsyslog resource-limit cpu command, the rsyslog agent does not start. To work around this issue, increase the CPU resource limit, then restart the service manually. | 5.11.0-5.16.1 | | | [4077921](#4077921)
| You cannot use package upgrade to upgrade from Cumulus Linux 5.9.2 to Cumulus Linux 5.10.1 or later. You must install the Cumulus Linux image instead. | 5.10.1-5.16.1 | | | [4052578](#4052578)
| When you perform a binary upgrade from Cumulus Linux 5.8 or earlier to 5.9.0 or later with a pre-staged startup.yaml file, the cumulus user password is reset to the default password because there is no default startup.yaml file present in 5.8.0 or earlier. To work around this issue, generate the startup.yaml file from the existing NVUE configuration. | 5.9.2-5.11.5 | 5.12.0-5.16.1| -| [4049213](#4049213)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | +| [4049213, 4186873](#4049213, 4186873)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | | [4048583](#4048583)
| If there are failures in MSTPD or a port is not updated in the database, the NVUE nv show bridge domain stp command might not work and might produce errors even when STP has data for other working ports or VLANs. This is a display issue only and does not impact functionality. | 5.10.0-5.12.1 | 5.13.0-5.16.1| | [4047798](#4047798)
| Packet distribution based on ECMP hashing using GTP-TEID does not function as expected in an EVPN Clos topology. | 5.10.0-5.16.1 | | | [4030380](#4030380)
| When you roll back interface configuration to the default setting with the nv unset interface command, NVUE removes the complete entry for the interface from the /etc/network/interface file, and puts the interface in admin down. As a result, you cannot configure FEC on the interface at the lower layers. | 5.10.0-5.16.1 | | | [4019256](#4019256)
| If you change the switch hostname, the histogram data producer service restarts. | 5.10.0-5.12.1 | 5.13.0-5.16.1| -| [4005422](#4005422)
| When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the systemctl enable ntpsec@ and systemctl restart ntpsec@ commands. | 5.10.0-5.16.1 | | +| [4005422, 4015452](#4005422, 4015452)
| When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the systemctl enable ntpsec@ and systemctl restart ntpsec@ commands. | 5.10.0-5.16.1 | | | [3985682](#3985682)
| On Spectrum-4 switches, multicast flows containing packets smaller than 512 bytes might not reach full line rate. Cumulus Linux supports 512 byte and larger multicast packets. | 5.10.0-5.16.1 | | | [3966312](#3966312)
| When connecting the SN5xxx switch to third party test equipment (such as IXIA) using copper cables at 100GbE, 200GbE, 400GbE, or 800GbE, links do not come up. | 5.10.0-5.16.1 | | | [3948068](#3948068)
| On the SN3700 and SN3700c switch, the nv show platform environment voltage command output shows a failed state for the PSU-n-12V-RAIL-OUT sensors. This is a known hardware limitation that cannot be corrected by the PSU vendor. | 5.10.0-5.16.1 | | | [3915878](#3915878)
| If you configure remote syslog export through a non-default VRF, you might see repeated error logs from the rsyslog process while the switch is booting:
rsyslogd: create UDP socket bound to device failed: No such device [v8.2302.0]rsyslogd: No UDP socket could successfully be initialized, some functionality may be disabled.  [v8.2302.0]

The logs occur because the rsyslog service starts before the networking service creates the configured VRF for syslog export. There is no functional impact with this issue. | 5.9.0-5.16.1 | | -| [3879809](#3879809)
| Spectrum-4 switches do not include full What Just Happened (WJH) support. | 5.9.0-5.13.1 | 5.14.0-5.16.1| +| [3879809, 4064254](#3879809, 4064254)
| Spectrum-4 switches do not include full What Just Happened (WJH) support. | 5.9.0-5.13.1 | 5.14.0-5.16.1| | [3879717](#3879717)
| Running snmpwalk on the switch with the management IP address does not work. To work around this issue, use the localhost option (snmpwalk -v 2c -c public28 localhost 1.3.6.1.2.1.14) or create a control plane ACL whitelist rule. | 5.10.0-5.16.1 | | | [3878394](#3878394)
| When ZTP runs a script that contains wget, ZTP fails and you see a message similar to the following:
ZTP: ZTP DHCP: Unexpected error: 'ascii' codec can't decode byte 0xe2 in position 181: ordinal not in range(128)ZTP: Script returned failure

To work around this issue, use the -q option with wget. | 5.9.0-5.16.1 | | | [3877516](#3877516)
| When you connect two NVIDIA switches and configure 400G speed in force mode, links don't come up.
To work around this issue, make sure auto-negotiation is always on when connecting NVIDIA to NVIDIA in PAM4. | 5.9.0-5.16.1 | | -| [3875687](#3875687)
| After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the Local Vtep Ip field of the nv show evpn vni command output. To work around this issue, either run the ifup command or reboot the switch. | 5.9.0-5.13.1 | 5.14.0-5.16.1| +| [3875687, 3879260, 4025900](#3875687, 3879260, 4025900)
| After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the Local Vtep Ip field of the nv show evpn vni command output. To work around this issue, either run the ifup command or reboot the switch. | 5.9.0-5.13.1 | 5.14.0-5.16.1| | [3875373](#3875373)
| When you run the nv config apply empty command, NVUE removes the cumulus user. If you are logged in as the cumulus user when you run the nv config apply empty command, the command fails. | 5.9.0-5.16.1 | | | [3861745](#3861745)
| On UEFI hardware (where the /sys/firmware/efi directory exists), using the update-grub program might generate a /boot/grub/grub.cfg that is incorrect for booting ONIE if the ONIE option is selected on the console while booting. To work around this issue, run mount LABEL="EFI System" /boot/efi before using update-grub. | 5.9.0-5.16.1 | | | [3855796](#3855796)
| When configuring a Unicast Master Table for clients, the server addresses must be reachable and the route to the destination must exist. The unicast table can have one directly-connected port for a client. This restriction is only for directly connected ports and doesn't apply to Unicast Servers on other devices or switches. | 5.9.0-5.16.1 | | @@ -599,17 +599,17 @@ pdfhidden: True | [3637444](#3637444)
| Applying an inbound control plane ACL on the eth0 management interface does not take effect. To work around this issue, apply the ACL on the mgmt interface; for example, nv set interface mgmt acl inbound control-plane. | 5.7.0-5.16.1 | | | [3591918](#3591918)
| The nv action disconnect system aaa user command does not clear all open sessions. To work around this issue, run the command as many times as the number of sessions. | 5.6.0-5.16.1 | | | [3587393](#3587393)
| If you use the NVIDIA SN5600 (Spectrum-4) switch with Ixia test equipment, you might experience delayed link up due to intermittent link flaps.
To work around this issue when using copper cables:
  • Use Ixia IxOS version 9.37 with HF002156, or version 9.39 or later.
  • Use the DAC cable on ports 10 through 50.
  • Use NVIDIA cables with the recommended firmware revision.
  • Configure AN on the Cumulus Linux switch and AN/LT on Ixia.

To work around this issue when using fiber cables:
  • Configure 800g/Force.
  • Use the recommended NVIDIA optical adapters.
| 5.6.0-5.16.1 | | -| [3556762](#3556762)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | +| [3556762, 3463827](#3556762, 3463827)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | | [3540510](#3540510)
| 400Gx8 ports only support traffic line rate with packets that are larger than 172 bytes. | 5.6.0-5.16.1 | | -| [3538321](#3538321)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | +| [3538321, 3564344](#3538321, 3564344)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | | [3497622](#3497622)
| When you remove PSUs, then plug them back in, you might experience traffic loss and some ports might be in a down state. | 5.6.0-5.16.1 | | | [3472163](#3472163)
| On a switch with the Spectrum-4 ASIC, packets that are smaller than 256 bytes are not included in multicast flows. Multicast flows support packets that are 256 bytes or larger. | 5.6.0-5.16.1 | | | [3444490](#3444490)
| Migration from ONYX to Cumulus Linux is supported and tested with ONYX version 3.10.4302 GA only. | 5.6.0-5.16.1 | | -| [3442569](#3442569)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | -| [3430430](#3430430)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | -| [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | +| [3442569, 3520880, 3586421](#3442569, 3520880, 3586421)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | +| [3430430, 3337848](#3430430, 3337848)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | +| [3424967, 3413785](#3424967, 3413785)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [3414866](#3414866)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | +| [3414866, 3536555, 4465009, 4509253, 4732973](#3414866, 3536555, 4465009, 4509253, 4732973)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | | [3362113](#3362113)
| If you restore an NVUE startup.yaml file or run the nv config patch command after an upgrade that includes breakout ports with QoS configuration, the NVUE configuration fails to apply. Subsequent attempts to run nv config apply fail with a message similar to Invalid config [rev_id: 11] qos config is not supported on the following invalid interface: swp1s0. Supported on swp and bond interface types. To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. | 5.4.0-5.16.1 | | | [3347538](#3347538)
| When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.16.1 | | | [3341214](#3341214)
| If you use the NVUE REST API to configure a local user with a hashed password, the user cannot log in and the /etc/nvue.d/startup.yaml file shows the password as plain text. | 5.4.0-5.16.1 | | @@ -619,10 +619,10 @@ pdfhidden: True | [3253218](#3253218)
| Auto-negotiation isn't supported on Spectrum-2 and Spectrum-3 switches using the 1G SFP-T module; FORCE 1G is configured instead. | 5.4.0-5.16.1 | | | [3241567](#3241567)
| When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time. | 5.3.0-5.16.1 | | | [3226506](#3226506)
| The l1-show eth0 command does not show port information and is not supported in this release. | 5.3.0-5.16.1 | | -| [3225117](#3225117)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | +| [3225117, 3158720](#3225117, 3158720)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | | [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.16.1 | | | [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.16.1 | | -| [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | +| [3145869, 3430508, 3543102](#3145869, 3430508, 3543102)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | | [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example: 
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.16.1 | | | [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.16.1 | | | [3103821](#3103821)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.16.1 | | @@ -632,8 +632,8 @@ pdfhidden: True | [3061656](#3061656)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.16.1 | | | [2972540](#2972540)
| With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.16.1 | | | [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.16.1 | | -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [2885305](#2885305)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2885305, 2887500, 3234087, 3074929, 3293192](#2885305, 2887500, 3234087, 3074929, 3293192)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.16.1 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.16.1 | | | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | @@ -649,14 +649,14 @@ pdfhidden: True | [4495502](#4495502)
| After you run the onie-install -t command to upgrade the switch, accounting does not work but authentication does. This issue occurs because rsyslog.service does not restart properly after upgrade. To work around this issue, reboot the switch a second time or manually restart rsyslog.service with the systemctl restart rsyslog.service command. | | | | [4475117](#4475117)
| After you perform an optimized, two partition upgrade followed by a rollback to the previous release, certain services, including the NVUE service, might fail to start. If you see this issue after rollback, run the following commands on the switch to ensure that file ownership is correct:
sudo chown -R nvue /var/lib/nvue
sudo chown -R ntpsec /var/lib/ntpsec
sudo chown -R Debian-snmp /var/lib/snmp

To restart the services, either reboot the switch, or run the following commands:
sudo systemctl restart nvued.service
sudo systemctl restart nvue-startup.servicesystemctl is-enabled snmpd && sudo systemctl restart snmpd.servicesystemctl is-enabled ntpsec && sudo systemctl restart ntpsec.service
| 5.11.1 | | | [4475074](#4475074)
| The SN5610 switch records a High FEC Bin Error at room temperature. | 5.13.0-5.16.1 | | -| [4472549](#4472549)
| When running tens of thousands of nv set commands, the /var/lib/nvue directory might grow to several GBs in size, potentially using all the disk space. To work around this issue, run the following commands to reduce the disk space in the /var/lib/nvue directory:
cumulus@switch:~$ sudo su
cumulus@switch:~$ cd /var/lib/nvue/config
cumulus@switch:~$ git gc
| 5.13.0-5.13.1 | | +| [4472549, 4461303](#4472549, 4461303)
| When running tens of thousands of nv set commands, the /var/lib/nvue directory might grow to several GBs in size, potentially using all the disk space. To work around this issue, run the following commands to reduce the disk space in the /var/lib/nvue directory:
cumulus@switch:~$ sudo su
cumulus@switch:~$ cd /var/lib/nvue/config
cumulus@switch:~$ git gc
| 5.13.0-5.13.1 | | | [4458897](#4458897)
| The nv config patch and nv config replace commands have no effect with filenames with relative paths, such as ./config.yaml, ../config.yaml}, and so on. | 5.13.0-5.13.1 | | | [4457389](#4457389)
| On rare occasions, when bridge or L2VNI interfaces are coming up or transitioning state, type 2 EVPN routes might not be properly installed. To work around this issue, flap the VNI interface. | 5.9.3 | | -| [4423430](#4423430)
| When toggling the bridge binding flag on an SVI from ON to OFF, the SVI might not come operationally UP if it was DOWN previously from the bridge binding flag. | 5.11.0-5.11.1 | | +| [4423430, 4322632, 4391362](#4423430, 4322632, 4391362)
| When toggling the bridge binding flag on an SVI from ON to OFF, the SVI might not come operationally UP if it was DOWN previously from the bridge binding flag. | 5.11.0-5.11.1 | | | [4423365](#4423365)
| When you enable NAT dynamic mode and NAT rules with NVUE in a single commit, you see the error error: hw sync failed (Dynamic NAT is not enabled. Ignoring rules..). To work around this issue, enable dynamic NAT with NVUE in one commit, then add NAT ACL rules in a subsequent commit. | 5.11.0-5.11.1 | | -| [4423362](#4423362)
| After a remote link flap, neighbor entries using the link might not get resolved immediately. Only when some traffic uses the nexthop will they be resolved. | 5.12.0-5.12.1 | | -| [4423359](#4423359)
| After a factory reset, the files in the /etc/pam.d/ directory might be incorrect, causing problems with password strength checking, TACACS+, RADIUS, and LDAP. To work around this issue, run the following command:
cumulus@switch:~$ sudo /usr/sbin/pam-auth-update --force --package
| 5.12.0-5.12.1 | | -| [4423336](#4423336)
| When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the nv config patch command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with systemctl restart nvued.service. | 5.9.0-5.11.1 | | +| [4423362, 4255653, 4335726](#4423362, 4255653, 4335726)
| After a remote link flap, neighbor entries using the link might not get resolved immediately. Only when some traffic uses the nexthop will they be resolved. | 5.12.0-5.12.1 | | +| [4423359, 4352307](#4423359, 4352307)
| After a factory reset, the files in the /etc/pam.d/ directory might be incorrect, causing problems with password strength checking, TACACS+, RADIUS, and LDAP. To work around this issue, run the following command:
cumulus@switch:~$ sudo /usr/sbin/pam-auth-update --force --package
| 5.12.0-5.12.1 | | +| [4423336, 3875789, 3933038](#4423336, 3875789, 3933038)
| When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the nv config patch command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with systemctl restart nvued.service. | 5.9.0-5.11.1 | | | [4423321](#4423321)
| When you configure BGP suppress-fib-pending, the prefix might not be withdrawn from downstream peers. | 5.11.0-5.11.1 | | | [4423300](#4423300)
| The NVUE nv show interface qos command takes approximately two minutes to display output. To work around this issue, fetch only the sub commands that are part of the nv show interface qos, command such as buffer, congestion-control, pfc, and so on. | 5.12.0-5.12.1 | | | [4423286](#4423286)
| SVIs do not go down even when all the bridge ports on the corresponding VLAN are down because the vlan-bridge-binding option default setting is off for all the SVIs responsible for bringing down the SVI when all the ports on the corresponding VLAN are down. To work around this issue, Manually configure the vlan-bridge-binding on option under the SVI stanza in the /etc/network/interfaces file. | 5.11.0-5.11.1 | | @@ -665,20 +665,20 @@ pdfhidden: True | [4423274](#4423274)
| After you run the nv action upgrade system packages to latest command followed by the nv action reboot system command, nv show system reboot displays upgrade instead of one of the valid values cold, warm, or fast. | 5.11.0-5.11.1 | | | [4423270](#4423270)
| When you configure the switch to move to warm restart mode, the message does not clearly indicate that the reboot to get the switch into warm mode is not hitless. | 5.11.0-5.11.1 | | | [4423261](#4423261)
| When you use the NVUE nv set qos congestion-control traffic-class min-threshold-bytes command to set an ECN Profile, you must configure the minimum threshold according to the platform:
On the Spectrum-4 switch, the cell-size is 192 bytes. The minimum buffer must be a multiple of 64; therefore, the initial value is 192*64 (12KB).
On the Spectrum-3 switch, the cell-size is 144 bytes. The minimum size is 144*64 (9KB). | 5.12.0-5.12.1 | | -| [4423258](#4423258)
| After a factory reset, the files in the /etc/pam.d/ directory might be incorrect, causing problems with password strength checking, TACACS+, RADIUS, and LDAP. To work around this issue, run the following command:
cumulus@switch:~$ sudo /usr/sbin/pam-auth-update --force --package
| 5.12.0-5.12.1 | | -| [4423251](#4423251)
| When you use onie-install to install an image with a preconfigured startup.yaml file, an issue with the ZTP infrastructure script results in certain interfaces being UP in the kernel and the lower layer but DOWN in NVUE or the /etc/network/interfaces file. | | | +| [4423258, 4210596](#4423258, 4210596)
| After a factory reset, the files in the /etc/pam.d/ directory might be incorrect, causing problems with password strength checking, TACACS+, RADIUS, and LDAP. To work around this issue, run the following command:
cumulus@switch:~$ sudo /usr/sbin/pam-auth-update --force --package
| 5.12.0-5.12.1 | | +| [4423251, 4395776](#4423251, 4395776)
| When you use onie-install to install an image with a preconfigured startup.yaml file, an issue with the ZTP infrastructure script results in certain interfaces being UP in the kernel and the lower layer but DOWN in NVUE or the /etc/network/interfaces file. | | | | [4423249](#4423249)
| If you unset an interface static IP address when the interface IP gateway is configured, the nv config apply command fails with an ifreload.service error. To work around the issue, unset both the static IP address and gateway together. | 5.11.0-5.11.1 | | | [4423245](#4423245)
| When you enable, then disable adaptive routing, BGP neighbors might go down because of an unresolved MAC address. To resolve this issue configure another attribute on the interface. | 5.11.0-5.11.1 | | | [4423237](#4423237)
| The snmpd service generates debugging logs of sudo calls. To work around this issue, disable sudo logging for the specific commands run by the Debian-snmp user in the /etc/sudoers.d/snmp file by adding Defaults:Debian-snmp !syslog. | 5.11.0-5.11.1, 5.12.0-5.12.1 | | | [4423224](#4423224)
| When processing the static IP assignment for an interface previously managed through DHCP, Cumulus Linux fails to clean up the DHCP created state completely. As a result when the IP address assigned by DHCP earlier expires, the switch eventually loses connectivity. | 5.1.0-5.9.3 | | | [4423209](#4423209)
| When using DHCP snooping , access ports do not work as trust ports or server connection ports . | 5.12.0-5.12.1 | | | [4423176](#4423176)
| When you configure an API port with a TCP port already in use, the nginx server fails to restart. | | | -| [4423168](#4423168)
| Zebra might crash when multiple interfaces flap rapidly with a large scale number of routes. This issue occurs because the next hop group hash comparison incorrectly treats distinct next hop groups as equal. I addition, the hashing logic currently uses only four bytes of the IPv6 address, which increases the likelihood of collisions and misidentification. Avoid rapidly flapping multiple interfaces when managing large scale routes. | | | +| [4423168, 4408283, 4240003](#4423168, 4408283, 4240003)
| Zebra might crash when multiple interfaces flap rapidly with a large scale number of routes. This issue occurs because the next hop group hash comparison incorrectly treats distinct next hop groups as equal. I addition, the hashing logic currently uses only four bytes of the IPv6 address, which increases the likelihood of collisions and misidentification. Avoid rapidly flapping multiple interfaces when managing large scale routes. | | | | [4423134](#4423134)
| On Spectrum-1a switches with IGMP snooping enabled, a multicast hardware programming failure might occur after interface flap or switch reboot events. You can observe this issue when log messages similar to the following are generated:
sx_sdk[18174]: ERROR   FDB: Usage API type can not be changed for 0x1003 fid.
sx_sdk[18174]: ERROR   FDB: Failed to __fdb_unreg_mc_flood_cfg_api_type_set , err: Command Unpermitted
switchd[19460]: hal_mlx_l2mc.c:1107 ERR VFID: 4099, Failed to set unregistered IPv4 MC mode FLOOD and attr MCC 0: Command Unpermitted
| 5.12.0-5.12.1 | | -| [4422898](#4422898)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.11.1, 5.13.0-5.13.1 | | -| [4408280](#4408280)
| NVUE commands create excessive log data. To work around this issue, configure rsyslog rules to limit logging of these commands. | 5.11.0-5.11.1, 5.12.0-5.12.1 | | +| [4422898, 4497128](#4422898, 4497128)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.11.1, 5.13.0-5.13.1 | | +| [4408280, 4360680](#4408280, 4360680)
| NVUE commands create excessive log data. To work around this issue, configure rsyslog rules to limit logging of these commands. | 5.11.0-5.11.1, 5.12.0-5.12.1 | | | [4408161](#4408161)
| On the NVIDIA SN2201 switch, the fan tray LED status update fails and you see the following syslog errors:
systemd-udevd116276: mlxreg:fan1:green: Process ‘/usr/bin/hw-management-chassis-events.sh fantray-led-event mlxreg:fan1:green 255’ failed with exit code 1.

To work around this issue, restart the hw-management service with the sudo systemctl restart hw-management command. | 5.7.0-5.9.3 | | -| [4400384](#4400384)
| After the switch reboots or switchd.service restarts, NVUE applied ERSPAN sessions do not work if the ERSPAN destination IP address is reachable through an MLAG bond. To work around this issue, remove the ERSPAN configuration and reapply it using NVUE. | 5.11.0-5.11.1 | | +| [4400384, 4391704](#4400384, 4391704)
| After the switch reboots or switchd.service restarts, NVUE applied ERSPAN sessions do not work if the ERSPAN destination IP address is reachable through an MLAG bond. To work around this issue, remove the ERSPAN configuration and reapply it using NVUE. | 5.11.0-5.11.1 | | | [4389124](#4389124)
| NVUE fails when applying ERSPAN configuration on an MLAG peer. This failure occurs because ERSPAN does not support bond slave ports as analyzer ports but fails to validate the configuration. | 5.11.0-5.11.1 | | | [4370955](#4370955)
| After enabling, then disabling truncation on a SPAN session, truncated packets are still received on the SPAN destination. To work around this issue, remove the SPAN session configuration, reboot the switch, then reconfigure the SPAN session without truncation. | 5.12.0-5.12.1 | | | [4370952](#4370952)
| ERSPAN does not work when the ERSPAN destination IP address is reachable over SVIs and layer 2 bonds. To work around this issue, make the ERSPAN destination IP address reachable over layer 3 swps or bond interfaces. | 5.11.0-5.11.1, 5.12.0-5.12.1 | | @@ -910,7 +910,7 @@ pdfhidden: True | [4633514](#4633514)
| When the switch processes large numbers of mroute updates in an MLAG configuration, FRR might crash. | 5.8.0-5.14.0 | 5.15.0-5.16.1| | [4621759](#4621759)
| When many BFD sessions are configured at scale, ptmd might crash when one of the BFD sessions flaps. | 5.3.1-5.14.0 | 5.15.0-5.16.1| | [4582679](#4582679)
| If a node has Suppress Route Advertisement enabled and routes are re-learned; for example, when a peer sends the route again due to route policy changes, or you enable or disable graceful shutdown, not all routes are offloaded, which might cause discrepancies in traffic. | 5.9.4-5.16.1 | | -| [4558846](#4558846)
| If interface statistics telemetry is running on the switch, an interface_stats_collector core file might generate during statistics collection. | 5.11.0-5.11.5 | 5.12.0-5.16.1| +| [4558846, 4237198](#4558846, 4237198)
| If interface statistics telemetry is running on the switch, an interface_stats_collector core file might generate during statistics collection. | 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4548512](#4548512)
| When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface vlan10, the route might install against vlan10-v0. This prevents next-hop tracking and route installation into hardware.
This issue can occur in the following conditions:
  • When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.
  • In an MLAG and VRR configuration, static routes fail to install when the route is resolved through a connected route and the interface of the connected route undergoes a link state change for any reason, such as link flaps, interface bring-up, clagd restart, switchd restart, etc.

To work around this issue, restart the FRR service using the sudo systemctl restart frr.service command. | 5.11.0-5.16.1 | | | [4535804](#4535804)
| If you use a bridge name other than br_default, PTP neighbors fail to establish because the PTP packets are sourced from an unexpected IP address.
To work around this issue, configure the base-interface for the VLAN interface with the nv set interface base-interface command. | 5.10.0-5.16.1 | | | [4535749](#4535749)
| The uc-discards field in the nv show interface counters qos egress-queue-stats command output is actually the number of packets discarded per queue, but it is wrongly interpreted as bytes. To work around this issue, convert the data shown in bytes to packets by multiplying by 1024 if the data is in KB, 1024x1024 if the data is in MB, and 1024x1024x1024 if the data is in GB. | 5.11.0-5.16.1 | | @@ -918,12 +918,12 @@ pdfhidden: True | [4521203](#4521203)
| The SATA driver on the NVIDIA SN2410 switch sometimes exhibits failures similar to the following:
2025-06-20T20:03:38.785966+09:00 S1-RF10B kernel: 
[49878794.456350] ata1.00: failed command: WRITE FPDMA QUEUED
2025-06-20T20:03:38.785968+09:00 S1-RF10B kernel: [49878794.461984] ata1.00: cmd
61/08:08:50:2b:c4/00:00:01:00:00/40 tag 1 ncq dma 4096 out
2025-06-20T20:03:38.785970+09:00 S1-RF10B kernel: [49878794.461984] res 40/00:0c:50:2b:c4/00:00:01:00:00/40 Emask 0×10 (ATA bus error)

To work around this issue, power cycle the switch. | 5.5.1-5.13.1 | 5.14.0-5.16.1| | [4501645](#4501645)
| When you connect the QLOUIE cable with FW 52.181.1003 to an NVIDIA SN5600 switch, you might see link flaps. | 5.11.0-5.13.1 | 5.14.0-5.16.1| | [4495231](#4495231)
| If the hardware clock date is later than 2038-01-19 03:14:07 UTC, the image might fail to install due to a grub-install failure on the EFI filesystem, which is a VFAT filesystem. As a result, you see the grub prompt immediately after reboot. To work around this issue, reboot from the grub prompt to go into ONIE. From ONIE, use the date command to set a date before 2038-01-19, then run the hwclock --systohc command to add it to the hardware clock. You can then use onie-nos-install to install the image. | 5.9.0-5.16.1 | | -| [4472414](#4472414)
| After you modify the IP address of an SVI, DHCP relay uses an old cached IP address instead of the changed IP address. This occurs because DHCP relay monitors the link state change not IP address change. | 5.11.0-5.14.0 | 5.15.0-5.16.1| +| [4472414, 4621451](#4472414, 4621451)
| After you modify the IP address of an SVI, DHCP relay uses an old cached IP address instead of the changed IP address. This occurs because DHCP relay monitors the link state change not IP address change. | 5.11.0-5.14.0 | 5.15.0-5.16.1| | [4461102](#4461102)
| In certain cases, when a port is down and you apply adaptive routing with the link utilization threshold setting to the port as it goes up, you might see log errors while the port is not yet up. | 5.11.0-5.13.1 | 5.14.0-5.16.1| -| [4423430](#4423430)
| When toggling the bridge binding flag on an SVI from ON to OFF, the SVI might not come operationally UP if it was DOWN previously from the bridge binding flag. | 5.11.0-5.12.1 | 5.13.0-5.16.1| +| [4423430, 4322632, 4391362](#4423430, 4322632, 4391362)
| When toggling the bridge binding flag on an SVI from ON to OFF, the SVI might not come operationally UP if it was DOWN previously from the bridge binding flag. | 5.11.0-5.12.1 | 5.13.0-5.16.1| | [4423365](#4423365)
| When you enable NAT dynamic mode and NAT rules with NVUE in a single commit, you see the error error: hw sync failed (Dynamic NAT is not enabled. Ignoring rules..). To work around this issue, enable dynamic NAT with NVUE in one commit, then add NAT ACL rules in a subsequent commit. | 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4423352](#4423352)
| ZTP scripts return an error due to incorrect ASCI to UTF-8 conversion. | 5.11.0-5.16.1 | | -| [4423336](#4423336)
| When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the nv config patch command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with systemctl restart nvued.service. | 5.9.0-5.11.5 | 5.12.0-5.16.1| +| [4423336, 3875789, 3933038](#4423336, 3875789, 3933038)
| When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the nv config patch command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with systemctl restart nvued.service. | 5.9.0-5.11.5 | 5.12.0-5.16.1| | [4423335](#4423335)
| When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the nv config patch command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with systemctl restart nvued.service. | 5.9.0-5.16.1 | | | [4423321](#4423321)
| When you configure BGP suppress-fib-pending, the prefix might not be withdrawn from downstream peers. | 5.11.0-5.12.1 | 5.13.0-5.16.1| | [4423286](#4423286)
| SVIs do not go down even when all the bridge ports on the corresponding VLAN are down because the vlan-bridge-binding option default setting is off for all the SVIs responsible for bringing down the SVI when all the ports on the corresponding VLAN are down. To work around this issue, Manually configure the vlan-bridge-binding on option under the SVI stanza in the /etc/network/interfaces file. | 5.11.0-5.12.1 | 5.9.4, 5.13.0-5.16.1| @@ -938,23 +938,23 @@ pdfhidden: True | [4423244](#4423244)
| When you enable, then disable adaptive routing, the BGP neighbors might go down because of an unresolved MAC address. To work around this issue, configure another attribute on the interface. | 5.9.0-5.16.1 | | | [4423237](#4423237)
| The snmpd service generates debugging logs of sudo calls. To work around this issue, disable sudo logging for the specific commands run by the Debian-snmp user in the /etc/sudoers.d/snmp file by adding Defaults:Debian-snmp !syslog. | 5.11.0-5.12.1 | 5.13.0-5.16.1| | [4423235](#4423235)
| The snmpd service generates debugging logs of sudo calls. To work around this issue, disable sudo logging for the specific commands run by the Debian-snmp user in the /etc/sudoers.d/snmp file by adding Defaults:Debian-snmp !syslog. | 5.11.0-5.16.1 | | -| [4422898](#4422898)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.13.1 | 5.14.0-5.16.1| +| [4422898, 4497128](#4422898, 4497128)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.13.1 | 5.14.0-5.16.1| | [4408387](#4408387)
| BGP crashes during EVPN route install due to incorrect memory access. | 5.11.0-5.13.1 | 5.14.0-5.16.1| -| [4408280](#4408280)
| NVUE commands create excessive log data. To work around this issue, configure rsyslog rules to limit logging of these commands. | 5.11.0-5.12.1 | 5.13.0-5.16.1| -| [4400384](#4400384)
| After the switch reboots or switchd.service restarts, NVUE applied ERSPAN sessions do not work if the ERSPAN destination IP address is reachable through an MLAG bond. To work around this issue, remove the ERSPAN configuration and reapply it using NVUE. | 5.11.0-5.12.1 | 5.13.0-5.16.1| +| [4408280, 4360680](#4408280, 4360680)
| NVUE commands create excessive log data. To work around this issue, configure rsyslog rules to limit logging of these commands. | 5.11.0-5.12.1 | 5.13.0-5.16.1| +| [4400384, 4391704](#4400384, 4391704)
| After the switch reboots or switchd.service restarts, NVUE applied ERSPAN sessions do not work if the ERSPAN destination IP address is reachable through an MLAG bond. To work around this issue, remove the ERSPAN configuration and reapply it using NVUE. | 5.11.0-5.12.1 | 5.13.0-5.16.1| | [4389124](#4389124)
| NVUE fails when applying ERSPAN configuration on an MLAG peer. This failure occurs because ERSPAN does not support bond slave ports as analyzer ports but fails to validate the configuration. | 5.11.0-5.12.1 | 5.13.0-5.16.1| | [4370952](#4370952)
| ERSPAN does not work when the ERSPAN destination IP address is reachable over SVIs and layer 2 bonds. To work around this issue, make the ERSPAN destination IP address reachable over layer 3 swps or bond interfaces. | 5.11.0-5.12.1 | 5.13.0-5.16.1| | [4370462](#4370462)
| When you assign an IP address to a VRF interface, NVUE removes the 127.0.0.1, 127.0.1.1, and ::1/128 IP addresses from VRF interfaces in the kernel. This results in traffic generated by the switch in the VRF destined to 127.0.0.1 to be sent out of the local device and onto the network. To work around this issue, when assigning an IP address to a VRF interface, also configure the following on the VRF interface to ensure that the expected functionality is maintained:
nv set vrf  loopback ip address 127.0.0.1/8
nv set vrf  loopback ip address 127.0.1.1/8
nv set vrf  loopback ip address ::/128
nv config apply -y
| 5.11.0-5.12.1 | 5.13.0-5.16.1| | [4363640](#4363640)
| When a MAC address flaps between two different EVPN VTEPs, a Zebra core crash occurs. | 5.11.0-5.12.1 | 5.13.0-5.16.1| | [4360615](#4360615)
| The control plane trap group counters are not associated correctly with the right trap group. | 5.11.0-5.12.1 | 5.13.0-5.16.1| | [4341608](#4341608)
| When you enable PFC watchdog, telemetry histograms, and 802.1x with NVUE, then upgrade the switch to Cumulus Linux 5.12 followed by a warm reboot, the switch crashes when a cl-support file is created or by certain sx_api requests. You see error logs in the SDK continuously because the switch collects interface statistics every one second. To work around this issue, reboot the switch. | 5.10.1-5.12.1 | 5.13.0-5.16.1| -| [4328729](#4328729)
| When sending control packets that have the port range 259 through 1023 in their TX base header system target (above cap_max_system_ports and below cap_ports used for LAG forwarding), a fatal health event occurs on the switch. The port range 259 through 1023 reflects illegal system ports; do not set these values in the control packet TX base header. As this range reflects illegal system ports, do not set these values in the control packet TX base header, as it will be dropped. | 5.10.1-5.12.1 | 5.13.0-5.16.1| +| [4328729, 4261676](#4328729, 4261676)
| When sending control packets that have the port range 259 through 1023 in their TX base header system target (above cap_max_system_ports and below cap_ports used for LAG forwarding), a fatal health event occurs on the switch. The port range 259 through 1023 reflects illegal system ports; do not set these values in the control packet TX base header. As this range reflects illegal system ports, do not set these values in the control packet TX base header, as it will be dropped. | 5.10.1-5.12.1 | 5.13.0-5.16.1| | [4298572](#4298572)
| The Spectrum-4 switch reports a Modules DataPath FSM fault in logs when the link fails at polling. | 5.10.1-5.11.0, 5.12.0 | 5.9.4, 5.11.1, 5.12.1-5.16.1| | [4287285](#4287285)
| Due to unsupported EVPN BUM replication configuration (a mix of PIM and HER modes), a resource leak can occur. | 5.11.0 | 5.9.4, 5.11.1-5.16.1, 5.13.0-5.16.1| -| [4277143](#4277143)
| After a factory reset with the nv action reset system factory-default force command, RADIUS does not fully reset; the radius-cmd-acct package is not installed correctly and includes missing files. In addition, /etc/pam.d/common-auth is incorrect. | 5.11.0 | 5.11.1-5.16.1, 5.12.0-5.16.1| +| [4277143, 4277148](#4277143, 4277148)
| After a factory reset with the nv action reset system factory-default force command, RADIUS does not fully reset; the radius-cmd-acct package is not installed correctly and includes missing files. In addition, /etc/pam.d/common-auth is incorrect. | 5.11.0 | 5.11.1-5.16.1, 5.12.0-5.16.1| | [4271311](#4271311)
| On the NVIDIA SN2010 and SN2100 switches, the management interface (eth0) might negotiate 100M instead of 1G after you install, upgrade, or, reboot Cumulus Linux. To resolve this issue, force the speed to 1G:
cumulus@switch:~$ nv set interface eth0 link speed 1G
cumulus@switch:~$ nv set interface eth0 link duplex full
cumulus@switch:~$ nv config apply
| 5.11.0 | 5.9.4, 5.11.1-5.16.1, 5.13.0-5.16.1| | [4270957](#4270957)
| Optimized (two partition) upgrade from Cumulus Linux 5.11.0 requires approximately 2.4 Gbytes of free space in /var after downloading the image with NVUE commands instead of 1.6 Gbytes of free space. Upgrade needs the extra space for an additional copy of the downloaded image in /var . | 5.11.0-5.11.5 | 5.12.0-5.16.1| -| [4261676](#4261676)
| When sending control packets that have the port range 259 through 1023 in their TX base header system target (above cap_max_system_ports and below cap_ports used for LAG forwarding), a fatal health event occurs on the switch. The port range 259 through 1023 reflects illegal system ports; do not set these values in the control packet TX base header. | 5.11.0 | 5.11.1-5.16.1, 5.12.1-5.16.1, 5.13.0-5.16.1| +| [4261676, 4328729](#4261676, 4328729)
| When sending control packets that have the port range 259 through 1023 in their TX base header system target (above cap_max_system_ports and below cap_ports used for LAG forwarding), a fatal health event occurs on the switch. The port range 259 through 1023 reflects illegal system ports; do not set these values in the control packet TX base header. | 5.11.0 | 5.11.1-5.16.1, 5.12.1-5.16.1, 5.13.0-5.16.1| | [4257386](#4257386)
| NVUE overwrites the MOTD file during NVUE configuration with no option to ignore it
| 5.11.0 | 5.11.1-5.16.1, 5.13.0-5.16.1| | [4256151](#4256151)
| After rebooting the spine switch in an EVPN multihoming configuration, the BGP EVPN Type-2 entry is missing, which causes flooding and duplicates in the fabric. To work around this issue, flush the IP neighbor entries with the sudo ip neigh flush x.x.x.x command. | 5.9.1-5.9.3, 5.11.0 | 5.9.4, 5.11.1-5.16.1, 5.12.0-5.16.1| | [4251984](#4251984)
| NVUE prevents you from setting the IPv6 RA lifetime to 0 (zero). Use vtysh mode to apply the setting. | 5.11.0 | 5.9.4, 5.11.1-5.16.1, 5.12.0-5.16.1| @@ -969,7 +969,7 @@ pdfhidden: True | [4205103](#4205103)
| On rare occasions, platform drivers capture the firmware state as being in ISSU when it is not the case. This causes the ASIC temperature to be read as 0, which causes the thermal algorithm to set fan speeds to low. As a result, the switch can get overheated and undergo a thermal shutdown. To work around this issue, reboot or powercycle the switch. | 5.11.0 | 5.11.1-5.16.1, 5.12.0-5.16.1| | [4205060](#4205060)
| Debian 12 does not support LDAP SSL CRL check. Cumulus Linux now uses CRL file. | 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4203794](#4203794)
| The nv show platform transceiver command sometimes does not show transceiver data for layer 3 Dot1q subinterfaces (such as swp2.10). To work around this issue, run the ethtool -m command. | 5.11.0 | 5.11.1-5.16.1, 5.12.0-5.16.1| -| [4203784](#4203784)
| Under unique hardware failure conditions, when the ASIC temperature sensor read fails repeatedly, the fans are set to twenty percent, which might not be high enough to maintain proper ASIC cooling, resulting in a thermal shutdown. | 5.11.0 | 5.11.1-5.16.1, 5.12.0-5.16.1| +| [4203784, 4203785](#4203784, 4203785)
| Under unique hardware failure conditions, when the ASIC temperature sensor read fails repeatedly, the fans are set to twenty percent, which might not be high enough to maintain proper ASIC cooling, resulting in a thermal shutdown. | 5.11.0 | 5.11.1-5.16.1, 5.12.0-5.16.1| | [4200952](#4200952)
| Configuring the listening-address for the SNMP server fails for IP addresses associated with VRFs other than the management VRF. | 5.11.0 | 5.11.1-5.16.1| | [4200758](#4200758)
| The nv show service ntp command shows the peers that are discovered together with the configured NTP servers instead of displaying only the NTP configuration. As a result, the applied and operational columns have different values, which causes confusion. | 5.11.0 | 5.11.1-5.16.1, 5.12.0-5.16.1| | [4200742](#4200742)
| Due to hardware limitations in the MPS2975, the minimum threshold for PMIC-12-COMEX-VCORE-OUT is fixed and cannot be set to zero. While a threshold violation warning might appear, system functionality remains unaffected, and the current configuration is maintained to ensure device compatibility. | 5.11.0 | 5.11.1-5.16.1, 5.12.0-5.16.1| @@ -985,16 +985,16 @@ pdfhidden: True | [4177067](#4177067)
| When performing a package upgrade, nslcd installation might open an interactive dialog to configure nslcd.conf .
To avoid this interactive dialog, set the DEBIAN_FRONTEND environment variable to noninteractive. For example:
cumulus@switch:~$ sudo apt-get update
cumulus@switch:~$ sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold" upgrade
| 5.11.0-5.16.1 | | | [4176931](#4176931)
| The nv show platform firmware command results in a Python traceback and takes a long time to complete because the VX image does not support the smartctl utility. | 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4175695](#4175695)
| If all of the neighbors returned in the nv show vrf router bgp neighbor command output have no address-family configuration, you see an internal error when the nested table in the output is being rendered. | 5.10.0-5.11.0 | 5.11.1-5.16.1, 5.12.0-5.16.1| -| [4174646](#4174646)
| On the NVIDIA SN5400 and SN5600 switch, the fans might run at full speed when it is not necessary. | 5.10.1-5.11.5 | 5.12.0-5.16.1| +| [4174646, 4042294](#4174646, 4042294)
| On the NVIDIA SN5400 and SN5600 switch, the fans might run at full speed when it is not necessary. | 5.10.1-5.11.5 | 5.12.0-5.16.1| | [4170628](#4170628)
| If you use a bridge name other than br_default, PTP neighbors fail to establish because the PTP packets are sourced from an unexpected IP address.
To work around this issue, configure the base-interface for the VLAN interface with the nv set interface base-interface command. | 5.10.0-5.11.0 | 5.11.1-5.16.1, 5.12.0-5.16.1| | [4156332](#4156332)
| On the Spectrum-4 switch, switchd might crash with the following log message:
CRIT Restarting switchd to recover from SDK health event: FW Long Command
| 5.10.1-5.11.0 | 5.11.1-5.16.1, 5.12.0-5.16.1| | [4155957](#4155957)
| Logs from the OTLP exporter process (nv-telemetry) grow uncontrolled and result in excessive disk space usage. You can remove the large files in the /var/log/nv-telemetry folder or modify them to reduce their size. | 5.11.0-5.11.5 | 5.12.0-5.16.1| -| [4154839](#4154839)
| When you run certain SDK commands (such as sudo sx_api_port_counter_dump_all.py or sx_api_fdb_dump) first as the cumulus user, then with sudo, you see the following error:
PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt'

To resolve this issue, run the rm -rf /tmp/python_err_log.txt command. | 5.11.0-5.16.1 | | +| [4154839, 4280933, 4291934](#4154839, 4280933, 4291934)
| When you run certain SDK commands (such as sudo sx_api_port_counter_dump_all.py or sx_api_fdb_dump) first as the cumulus user, then with sudo, you see the following error:
PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt'

To resolve this issue, run the rm -rf /tmp/python_err_log.txt command. | 5.11.0-5.16.1 | | | [4151336](#4151336)
| After you reboot the switch, the ifplugd.service fails to start monitoring the interface. | 5.8.0-5.9.3, 5.10.0-5.11.0 | 5.9.4, 5.11.1-5.16.1, 5.12.0-5.16.1| | [4150508](#4150508)
| When there is a large number of discontiguous VTEP to VLAN mappings, switchd crashes with a Netlink error similar to the following:

netlink.c:409 CRIT nlroute: nl_cache_mngr_data_ready failed: Kernel reported truncated message
| 5.10.1-5.11.0 | 5.9.4, 5.11.1-5.16.1, 5.12.0-5.16.1| | [4144021](#4144021)
| Shutting down port 65 or 66 on the NVIDIA Spectrum-4 switch leaves the opposite port up when using MLNX SFP-T and RJ45 connections. Spectrum-4 switches do not support SFP-T modules on ports 65 and 66. | 5.10.0-5.12.1 | 5.13.0-5.16.1| | [4142857](#4142857)
| The switch drops PTP packets received with extra ethernet padding and you see syslog [ptp4l.ERR] messages. | 5.10.0-5.16.1 | | -| [4139511](#4139511)
| When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue.
[ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds
[ 1903.846724] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.852689] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.861573] hwmon hwmon28: Failed to query module temperature
| 5.11.0-5.16.1 | | +| [4139511, 4184813, 4180112](#4139511, 4184813, 4180112)
| When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue.
[ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds
[ 1903.846724] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.852689] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.861573] hwmon hwmon28: Failed to query module temperature
| 5.11.0-5.16.1 | | | [4134447](#4134447)
| The journal logs might include the error message ERR kernel: [ 7.453789] usb usb2-port2: connect-debounce failed. You can safely ignore this log message. | 5.11.0-5.16.1 | | | [4134174](#4134174)
| If you configure a route map by attaching it to a specific protocol, then you detach it from that protocol, if you then attach the same route map to all protocols, then detach it from all protocols, Cumulus Linux deletes routes from the forwarding table.
To work around this issue, either attach the route map to all protocols or attach the route map to each protocol you want to use. For example, to attach the route map to all protocols, run the nv set vrf router rib fib-filter route-map command. To attach the route map to each protocol you want to use, run the nv set vrf router rib fib-filter protocol route-map command. | 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4130022](#4130022)
| LDAP does not support per-command authorization. | 5.11.0-5.11.5 | 5.12.0-5.16.1| @@ -1003,30 +1003,30 @@ pdfhidden: True | [4128912](#4128912)
| When you use PPS IN, PTP might show a high offset. The offset might be around an offset value. For example, around 60 ns or 80 ns. To work around this issue, set the cable compensation value. For 60 ns, run the nv set platform pulse-per-second in timestamp-correction -60 command to set the compensation. | 5.11.0-5.12.1 | 5.13.0-5.16.1| | [4127932](#4127932)
| After you run the nv action install system image command or the cl-image-upgrade -u command, if you run the command a second time to upgrade to a different image, the upgrade might fail because there are leftover /var/install/sys mounts. To resolve this issue, either reboot before you retry image upgrade or run the following commands :
cumulus@switch:~$ sudo mount --make-rslave /var/installer/sys
cumulus@switch:~$ sudo umount -R /var/installer/sys
cumulus@switch:~$ sudo umount tmpfs-installer
| 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4127315](#4127315)
| If you set BGP community-advertise large to off with NVUE, large communities are still sent to BGP peers. To resolve this issue, NVUE has changed the default value of community-advertise large from off to on. | 5.11.0-5.11.5 | 5.12.0-5.16.1| -| [4124376](#4124376)
| The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier).
To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in Downgrade a Secure Boot Switch. | 5.11.0-5.16.1 | | +| [4124376, 4316163](#4124376, 4316163)
| The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier).
To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in Downgrade a Secure Boot Switch. | 5.11.0-5.16.1 | | | [4122591](#4122591)
| The NVUE nv set system aaa ldap ssl ca-list command shows the following error if you use the string option:
Error: At ca-list: '/etc/ssl/certs/ca-cert.crt' is not one of ['default', 'none']
| 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4118970](#4118970)
| When running PTP, the performance for 100Gx2 and 400Gx8 can have a high offset in up to 1.5% of the sampling. | 5.11.0-5.16.1 | | -| [4105127](#4105127)
| Any sFlow configuration changes that require an hsflowd restart are operational only after an initial delay of 60 seconds. | 5.11.0-5.16.1 | | -| [4101560](#4101560)
| The nv set vrf router rib fib-filter route-map command only works if you restart FRR after you run the command. To work around this issue, attach the route map to each needed protocol; for example, run the nv set vrf router rib fib-filter protocol route-map command. | 5.11.0-5.11.5 | 5.12.0-5.16.1| +| [4105127, 4796391](#4105127, 4796391)
| Any sFlow configuration changes that require an hsflowd restart are operational only after an initial delay of 60 seconds. | 5.11.0-5.16.1 | | +| [4101560, 4101440](#4101560, 4101440)
| The nv set vrf router rib fib-filter route-map command only works if you restart FRR after you run the command. To work around this issue, attach the route map to each needed protocol; for example, run the nv set vrf router rib fib-filter protocol route-map command. | 5.11.0-5.11.5 | 5.12.0-5.16.1| | [4100629](#4100629)
| NVUE show command outputs show LLDP neighbor changes only after the LLDP update frequency multiplied by the hold time. | 5.11.0-5.16.1 | | | [4082210](#4082210)
| When you change the CPU resource limit with the nv set service control rsyslog resource-limit cpu command, the rsyslog agent does not start. To work around this issue, increase the CPU resource limit, then restart the service manually. | 5.11.0-5.16.1 | | | [4077921](#4077921)
| You cannot use package upgrade to upgrade from Cumulus Linux 5.9.2 to Cumulus Linux 5.10.1 or later. You must install the Cumulus Linux image instead. | 5.10.1-5.16.1 | | | [4052578](#4052578)
| When you perform a binary upgrade from Cumulus Linux 5.8 or earlier to 5.9.0 or later with a pre-staged startup.yaml file, the cumulus user password is reset to the default password because there is no default startup.yaml file present in 5.8.0 or earlier. To work around this issue, generate the startup.yaml file from the existing NVUE configuration. | 5.9.2-5.11.5 | 5.12.0-5.16.1| -| [4049213](#4049213)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | +| [4049213, 4186873](#4049213, 4186873)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | | [4048583](#4048583)
| If there are failures in MSTPD or a port is not updated in the database, the NVUE nv show bridge domain stp command might not work and might produce errors even when STP has data for other working ports or VLANs. This is a display issue only and does not impact functionality. | 5.10.0-5.12.1 | 5.13.0-5.16.1| | [4047798](#4047798)
| Packet distribution based on ECMP hashing using GTP-TEID does not function as expected in an EVPN Clos topology. | 5.10.0-5.16.1 | | | [4030380](#4030380)
| When you roll back interface configuration to the default setting with the nv unset interface command, NVUE removes the complete entry for the interface from the /etc/network/interface file, and puts the interface in admin down. As a result, you cannot configure FEC on the interface at the lower layers. | 5.10.0-5.16.1 | | | [4019256](#4019256)
| If you change the switch hostname, the histogram data producer service restarts. | 5.10.0-5.12.1 | 5.13.0-5.16.1| -| [4005422](#4005422)
| When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the systemctl enable ntpsec@ and systemctl restart ntpsec@ commands. | 5.10.0-5.16.1 | | +| [4005422, 4015452](#4005422, 4015452)
| When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the systemctl enable ntpsec@ and systemctl restart ntpsec@ commands. | 5.10.0-5.16.1 | | | [3985682](#3985682)
| On Spectrum-4 switches, multicast flows containing packets smaller than 512 bytes might not reach full line rate. Cumulus Linux supports 512 byte and larger multicast packets. | 5.10.0-5.16.1 | | | [3966312](#3966312)
| When connecting the SN5xxx switch to third party test equipment (such as IXIA) using copper cables at 100GbE, 200GbE, 400GbE, or 800GbE, links do not come up. | 5.10.0-5.16.1 | | | [3948068](#3948068)
| On the SN3700 and SN3700c switch, the nv show platform environment voltage command output shows a failed state for the PSU-n-12V-RAIL-OUT sensors. This is a known hardware limitation that cannot be corrected by the PSU vendor. | 5.10.0-5.16.1 | | | [3915878](#3915878)
| If you configure remote syslog export through a non-default VRF, you might see repeated error logs from the rsyslog process while the switch is booting:
rsyslogd: create UDP socket bound to device failed: No such device [v8.2302.0]rsyslogd: No UDP socket could successfully be initialized, some functionality may be disabled.  [v8.2302.0]

The logs occur because the rsyslog service starts before the networking service creates the configured VRF for syslog export. There is no functional impact with this issue. | 5.9.0-5.16.1 | | -| [3879809](#3879809)
| Spectrum-4 switches do not include full What Just Happened (WJH) support. | 5.9.0-5.13.1 | 5.14.0-5.16.1| +| [3879809, 4064254](#3879809, 4064254)
| Spectrum-4 switches do not include full What Just Happened (WJH) support. | 5.9.0-5.13.1 | 5.14.0-5.16.1| | [3879717](#3879717)
| Running snmpwalk on the switch with the management IP address does not work. To work around this issue, use the localhost option (snmpwalk -v 2c -c public28 localhost 1.3.6.1.2.1.14) or create a control plane ACL whitelist rule. | 5.10.0-5.16.1 | | | [3878394](#3878394)
| When ZTP runs a script that contains wget, ZTP fails and you see a message similar to the following:
ZTP: ZTP DHCP: Unexpected error: 'ascii' codec can't decode byte 0xe2 in position 181: ordinal not in range(128)ZTP: Script returned failure

To work around this issue, use the -q option with wget. | 5.9.0-5.16.1 | | | [3877516](#3877516)
| When you connect two NVIDIA switches and configure 400G speed in force mode, links don't come up.
To work around this issue, make sure auto-negotiation is always on when connecting NVIDIA to NVIDIA in PAM4. | 5.9.0-5.16.1 | | -| [3875687](#3875687)
| After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the Local Vtep Ip field of the nv show evpn vni command output. To work around this issue, either run the ifup command or reboot the switch. | 5.9.0-5.13.1 | 5.14.0-5.16.1| +| [3875687, 3879260, 4025900](#3875687, 3879260, 4025900)
| After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the Local Vtep Ip field of the nv show evpn vni command output. To work around this issue, either run the ifup command or reboot the switch. | 5.9.0-5.13.1 | 5.14.0-5.16.1| | [3875373](#3875373)
| When you run the nv config apply empty command, NVUE removes the cumulus user. If you are logged in as the cumulus user when you run the nv config apply empty command, the command fails. | 5.9.0-5.16.1 | | | [3861745](#3861745)
| On UEFI hardware (where the /sys/firmware/efi directory exists), using the update-grub program might generate a /boot/grub/grub.cfg that is incorrect for booting ONIE if the ONIE option is selected on the console while booting. To work around this issue, run mount LABEL="EFI System" /boot/efi before using update-grub. | 5.9.0-5.16.1 | | | [3855796](#3855796)
| When configuring a Unicast Master Table for clients, the server addresses must be reachable and the route to the destination must exist. The unicast table can have one directly-connected port for a client. This restriction is only for directly connected ports and doesn't apply to Unicast Servers on other devices or switches. | 5.9.0-5.16.1 | | @@ -1041,17 +1041,17 @@ pdfhidden: True | [3637444](#3637444)
| Applying an inbound control plane ACL on the eth0 management interface does not take effect. To work around this issue, apply the ACL on the mgmt interface; for example, nv set interface mgmt acl inbound control-plane. | 5.7.0-5.16.1 | | | [3591918](#3591918)
| The nv action disconnect system aaa user command does not clear all open sessions. To work around this issue, run the command as many times as the number of sessions. | 5.6.0-5.16.1 | | | [3587393](#3587393)
| If you use the NVIDIA SN5600 (Spectrum-4) switch with Ixia test equipment, you might experience delayed link up due to intermittent link flaps.
To work around this issue when using copper cables:
  • Use Ixia IxOS version 9.37 with HF002156, or version 9.39 or later.
  • Use the DAC cable on ports 10 through 50.
  • Use NVIDIA cables with the recommended firmware revision.
  • Configure AN on the Cumulus Linux switch and AN/LT on Ixia.

To work around this issue when using fiber cables:
  • Configure 800g/Force.
  • Use the recommended NVIDIA optical adapters.
| 5.6.0-5.16.1 | | -| [3556762](#3556762)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | +| [3556762, 3463827](#3556762, 3463827)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | | [3540510](#3540510)
| 400Gx8 ports only support traffic line rate with packets that are larger than 172 bytes. | 5.6.0-5.16.1 | | -| [3538321](#3538321)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | +| [3538321, 3564344](#3538321, 3564344)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | | [3497622](#3497622)
| When you remove PSUs, then plug them back in, you might experience traffic loss and some ports might be in a down state. | 5.6.0-5.16.1 | | | [3472163](#3472163)
| On a switch with the Spectrum-4 ASIC, packets that are smaller than 256 bytes are not included in multicast flows. Multicast flows support packets that are 256 bytes or larger. | 5.6.0-5.16.1 | | | [3444490](#3444490)
| Migration from ONYX to Cumulus Linux is supported and tested with ONYX version 3.10.4302 GA only. | 5.6.0-5.16.1 | | -| [3442569](#3442569)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | -| [3430430](#3430430)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | -| [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | +| [3442569, 3520880, 3586421](#3442569, 3520880, 3586421)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | +| [3430430, 3337848](#3430430, 3337848)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | +| [3424967, 3413785](#3424967, 3413785)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [3414866](#3414866)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | +| [3414866, 3536555, 4465009, 4509253, 4732973](#3414866, 3536555, 4465009, 4509253, 4732973)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | | [3362113](#3362113)
| If you restore an NVUE startup.yaml file or run the nv config patch command after an upgrade that includes breakout ports with QoS configuration, the NVUE configuration fails to apply. Subsequent attempts to run nv config apply fail with a message similar to Invalid config [rev_id: 11] qos config is not supported on the following invalid interface: swp1s0. Supported on swp and bond interface types. To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. | 5.4.0-5.16.1 | | | [3347538](#3347538)
| When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.16.1 | | | [3341214](#3341214)
| If you use the NVUE REST API to configure a local user with a hashed password, the user cannot log in and the /etc/nvue.d/startup.yaml file shows the password as plain text. | 5.4.0-5.16.1 | | @@ -1061,10 +1061,10 @@ pdfhidden: True | [3253218](#3253218)
| Auto-negotiation isn't supported on Spectrum-2 and Spectrum-3 switches using the 1G SFP-T module; FORCE 1G is configured instead. | 5.4.0-5.16.1 | | | [3241567](#3241567)
| When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time. | 5.3.0-5.16.1 | | | [3226506](#3226506)
| The l1-show eth0 command does not show port information and is not supported in this release. | 5.3.0-5.16.1 | | -| [3225117](#3225117)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | +| [3225117, 3158720](#3225117, 3158720)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | | [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.16.1 | | | [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.16.1 | | -| [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | +| [3145869, 3430508, 3543102](#3145869, 3430508, 3543102)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | | [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example: 
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.16.1 | | | [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.16.1 | | | [3103821](#3103821)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.16.1 | | @@ -1074,8 +1074,8 @@ pdfhidden: True | [3061656](#3061656)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.16.1 | | | [2972540](#2972540)
| With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.16.1 | | | [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.16.1 | | -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [2885305](#2885305)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2885305, 2887500, 3234087, 3074929, 3293192](#2885305, 2887500, 3234087, 3074929, 3293192)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.16.1 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.16.1 | | | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | @@ -1088,7 +1088,7 @@ pdfhidden: True | [4137492](#4137492)
| Accessing NVIDIA Spectrum-4 SPICE from multiple applications to the same path in parallel might cause a kernel crash. | 5.10.1 | | | [4135919](#4135919)
| You might experience a memory leak in ospfd when processing next hops due to network changes. | 5.9.1-5.9.3 | | | [4130139](#4130139)
| If the LDAP server becomes unreachable while an LDAP user is logged on, NVUE nv set and nv show commands result in traceback messages. | | | -| [4129699](#4129699)
| switchd crashes because the hardware MAC limit is higher than the maximum. | 5.8.0-5.10.1 | | +| [4129699, 3790461](#4129699, 3790461)
| switchd crashes because the hardware MAC limit is higher than the maximum. | 5.8.0-5.10.1 | | | [4129344](#4129344)
| When you create an ACL rule that matches TCP state and more than seven TCP or UDP source or destination ports, the rule does not get framed properly and is rejected by the kernel.
To work around this issue, create another rule number when the number of ports you want to match is more than seven. | 5.9.1-5.9.3 | | | [4127636](#4127636)
| Multicast traffic continues to egress an interface that leaves the group. Logs and multicast data show that the IGMP group is deleted but the OIF is still listed. | 5.10.0-5.10.1 | | | [4127253](#4127253)
| You might see switchd high-memory consumption and eventually switchd stops because it is out of memory due to higher tunnel (VNI x VTEP) scale. | 5.8.0-5.10.1 | | @@ -1099,9 +1099,9 @@ pdfhidden: True | [4102992](#4102992)
| When you use the NVUE nv set bridge domain stp priority command to configure the STP priority on two bridges, the STP priority on the second bridge does not apply.
To work around this issue, configure an NVUE snippet for the second bridge and apply it to the switch; for example:
Create the vlan-aware_bridge_snippet.yaml file and add the following:
- set:
  system:
   config:
    snippet:
     ifupdown2_eni:
      bridge2: \|mstpctl-treeprio 8192

Save the file, run the nv config patch vlan-aware_bridge_snippet.yaml command, then the nv config apply command. | 5.9.1-5.9.3, 5.10.0-5.10.1 | | | [4101808](#4101808)
| When the SNMP service is busy for approximately more than a minute, the applications using net-snmp APIs to support their MIBs (such as FRR) become blocked. | 5.9.0-5.10.1 | | | [4096505](#4096505)
| In an EVPN configuration, when you use NVUE to configure a new host bond and a multihoming ESI at the same time, the Split-Horizon preventive traffic class rule is not programmed in the egress direction. To work around this issue, configure the host bond and apply the configuration, then configure the EVPN multihoming ESI on the host bonds and apply the configuration in a separate step. | 5.9.1-5.9.3 | | -| [4089469](#4089469)
| When you apply interface configuration at the same time as VRF based services (such as the DHCP service for a VRF), the VRF based service does not become fully operational because the service is not receiving protocol packets.
To work around this issue, first apply the interface configuration, then apply the configuration for the VRF based service. | | | +| [4089469, 4101616, 3878045](#4089469, 4101616, 3878045)
| When you apply interface configuration at the same time as VRF based services (such as the DHCP service for a VRF), the VRF based service does not become fully operational because the service is not receiving protocol packets.
To work around this issue, first apply the interface configuration, then apply the configuration for the VRF based service. | | | | [4086136](#4086136)
| If a Cumulus Linux 5.9.1 switch has an nv set interface lldp application-tlv configuration with an empty value, when you upgrade to Cumulus Linux 5.10, NVUE cannot apply the configuration and shows an Invalid config message. | 5.10.0-5.10.1 | | -| [4081974](#4081974)
| When you use mlxlink to check TX power, you see incorrect values for different lanes of a port. To work around this issue, either use the NVUE nv show platform transceiver command or the ethtool -m command. | 5.10.0-5.10.1 | | +| [4081974, 3905576](#4081974, 3905576)
| When you use mlxlink to check TX power, you see incorrect values for different lanes of a port. To work around this issue, either use the NVUE nv show platform transceiver command or the ethtool -m command. | 5.10.0-5.10.1 | | | [4081784](#4081784)
| If you configure an inbound route policy that drops prefixes, then run the vtysh show bgp vrf neighbours received-routes brief json command, the BGP service might crash. Avoid running a vtysh received routes brief json show command if you configure an inbound route policy that drops prefixes. Another option to avoid the issue is to run just show ip bgp neighbors received-routes without json. | 5.9.1-5.9.3, 5.10.0-5.10.1 | | | [4075960](#4075960)
| When you configure the IGMP Querier on a VLAN, the switch sends IGMP Querier packets on the untagged VLAN, not the configured VLAN. Also, the source IP address is always 0.0.0.0, even though the loopback IP address is configured on the IGMP Querier. | 5.9.1-5.10.1 | | | [4072165](#4072165)
| When you add a VLAN to a bridge member port, VXLAN traffic might be impacted for few seconds. | 5.7.0-5.9.3 | | @@ -1111,10 +1111,10 @@ pdfhidden: True | [4061534](#4061534)
| When you remove a secondary OTLP collector, there is a telemetry spike and existing connections with OTLP exporters reset. When new connections with the OTLP collector re-establish, the server experiences a high CPU and memory leak, which can bring down the telemetry collection service. | 5.10.0-5.10.1 | | | [4050835](#4050835)
| The NVUE Service fails to start after an upgrade from Cumulus Linux 5.9 to Cumulus Linux 5.10 because of a corrupted database. | 5.10.0-5.10.1 | | | [4050801](#4050801)
| When configuring telemetry for interface statistics with ranges or lists, the lists and ranges do not expand correctly in the configuration and the configuration is rejected. Configuration example:
cumulus@leaf01:~$ nv set system telemetry interface-stats ingress-buffer priority-group 1-6
cumulus@leaf01:~$ nv set system telemetry interface-stats egress-buffer traffic-class 0,3,6

You see the following log errors:
interface_stats: [ERROR] interface_stats_collector.py:_parse_conf_file:201 — Configured ingress-priority-group 0-6 is not an integer
interface_stats: [ERROR] interface_stats_collector.py:_parse_conf_file:201 — Configured egress-traffic-class 0,3,6 is not an integer
| 5.10.0-5.10.1 | | -| [4047829](#4047829)
| Ports can be operationally down if the switchd service fails to come UP due to certain firmware failures and you the following switchd.log messages:
PDDR long process T.O
MCIA no response
FW assert [0x8C91] detected

To work around this issue, power-cycle the switch. | 5.10.0-5.10.1 | | +| [4047829, 4040901, 4040916](#4047829, 4040901, 4040916)
| Ports can be operationally down if the switchd service fails to come UP due to certain firmware failures and you the following switchd.log messages:
PDDR long process T.O
MCIA no response
FW assert [0x8C91] detected

To work around this issue, power-cycle the switch. | 5.10.0-5.10.1 | | | [4039850](#4039850)
| When the MAC address of the neighbor changes, a possible crash might occur because the pointer to which the MAC address points is freed, resulting in a dangling pointer. | 5.3.1-5.10.1 | | | [4037315](#4037315)
| NVUE fails to enforce the password length limitation of 512 characters or fewer. | 5.10.0-5.10.1 | | -| [4037224](#4037224)
| ASIC monitoring histogram collection might not work because of a crash in the asic-monitor service. To work around this issue, see the Release Considerations section of the What’s New. | 5.10.0 | | +| [4037224, 4048679](#4037224, 4048679)
| ASIC monitoring histogram collection might not work because of a crash in the asic-monitor service. To work around this issue, see the Release Considerations section of the What’s New. | 5.10.0 | | | [4034329](#4034329)
| After network churn, the watchfrr process might restart FRR because zebra is unresponsive. | 5.9.1-5.9.3 | | | [4023318](#4023318)
| If you run nv set commands after you perform an upgrade but before a reboot, NVUE creates a revision based off the pre-upgrade version. After reboot, the revision contains pre-upgrade data that might cause it to fail during config apply. To work around this issue, detach the stale revision after upgrade with the nv config detach command. | 5.10.0-5.10.1 | | | [4022906](#4022906)
| If you use NVUE to configure a bond, apply a port mirror on the bond, then run the nv config apply command, the validation fails.
To work around this issue, configure the bond with a separate nv config apply command before you configure the port mirror on the bond. | 5.10.0-5.10.1 | | @@ -1122,8 +1122,8 @@ pdfhidden: True | [4016216](#4016216)
| If a ZTP script includes a directive to reboot, the reboot might stop the running ZTP process before it is able to disable itself from running again. As a result, the ZTP process starts again when the system comes back up. To work around this issue, run shutdown -r +1 to schedule a reboot after one minute so that the ZTP process can successfully complete disabling the ztp.service systemd service. | 5.10.0 | | | [4004898](#4004898)
| When you configure the SNMP server listening address to a VRF that has no interfaces, snmp.service fails.
To recover from the failure, set the SNMP server listening address back to the VRF that has interfaces. If you really want to move the SNMP server to the VRF with no interfaces, assign an interface to the VRF and move the SNMP server to the VRF. | 5.10.0-5.10.1 | | | [3990135](#3990135)
| If there are multiple relay switches in the path reaching the DHCP server, DHCP packets are duplicated at each transit relay switch and the server receives duplicate packets. | 5.9.1-5.9.3 | | -| [3955971](#3955971)
| When using the optional nslcd service, if tls_crlcheck is in the /etc/nslcd.conf file, the service fails due to a missing library. | 5.10.0-5.10.1 | | +| [3955971, 4296649, 4308856](#3955971, 4296649, 4308856)
| When using the optional nslcd service, if tls_crlcheck is in the /etc/nslcd.conf file, the service fails due to a missing library. | 5.10.0-5.10.1 | | | [3928905](#3928905)
| The nv show interface commands show RX and TX Power values from the wrong lanes on breakout ports. | 5.8.0-5.9.1, 5.10.0-5.10.1 | | -| [3878699](#3878699)
| In an EVPN multihoming configuration, when the VXLAN device associated with a layer 2 VNI flaps, there is a route entry in the tenant VRF associated with the locally learned host. | 5.9.0-5.10.1 | | -| [3452681](#3452681)
| When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND. | 5.5.0-5.10.1 | | +| [3878699, 3939355](#3878699, 3939355)
| In an EVPN multihoming configuration, when the VXLAN device associated with a layer 2 VNI flaps, there is a route entry in the tenant VRF associated with the locally learned host. | 5.9.0-5.10.1 | | +| [3452681, 3465375](#3452681, 3465375)
| When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND. | 5.5.0-5.10.1 | | diff --git a/content/cumulus-linux-511/rn.xml b/content/cumulus-linux-511/rn.xml index 508f3bb1aa..bb4f71c253 100644 --- a/content/cumulus-linux-511/rn.xml +++ b/content/cumulus-linux-511/rn.xml @@ -149,13 +149,13 @@ To work around this issue, verify system boot mode with the {{nv show system reb -4579237 +4579237, 4579234 If interface statistics telemetry is running on the switch, an {{interface_stats_collector}} core file might generate during statistics collection. 5.11.3-5.16.1 -4558846 +4558846, 4237198 If interface statistics telemetry is running on the switch, an {{interface_stats_collector}} core file might generate during statistics collection. 5.11.0-5.11.5 5.12.0-5.16.1 @@ -189,7 +189,7 @@ To work around this issue, restart the FRR service using the {{sudo systemctl re -4531952 +4531952, 4518822 When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface {{vlan10}}, the route might install against {{vlan10-v0}}. This prevents next-hop tracking and route installation into hardware. This issue can occur in the following conditions: <ul><li>When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.</li> @@ -251,7 +251,7 @@ To work around this issue, power cycle the switch. 5.9.4 -4472414 +4472414, 4621451 After you modify the IP address of an SVI, DHCP relay uses an old cached IP address instead of the changed IP address. This occurs because DHCP relay monitors the link state change not IP address change. 5.11.0-5.14.0 5.15.0-5.16.1 @@ -311,7 +311,7 @@ To work around this issue, power cycle the switch. 5.13.0-5.16.1 -4328729 +4328729, 4261676 When sending control packets that have the port range 259 through 1023 in their TX base header system target (above {{cap_max_system_ports}} and below {{cap_ports}} used for LAG forwarding), a fatal health event occurs on the switch. The port range 259 through 1023 reflects illegal system ports; do not set these values in the control packet TX base header. As this range reflects illegal system ports, do not set these values in the control packet TX base header, as it will be dropped. 5.10.1-5.12.1 5.13.0-5.16.1 @@ -373,7 +373,7 @@ cumulus@switch:~$ sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o "Dpkg::Optio 5.12.0-5.16.1 -4174646 +4174646, 4042294 On the NVIDIA SN5400 and SN5600 switch, the fans might run at full speed when it is not necessary. 5.10.1-5.11.5 5.12.0-5.16.1 @@ -385,7 +385,7 @@ cumulus@switch:~$ sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o "Dpkg::Optio 5.12.0-5.16.1 -4154839 +4154839, 4280933, 4291934 When you run certain SDK commands (such as {{sudo sx_api_port_counter_dump_all.py}} or {{sx_api_fdb_dump}}) first as the cumulus user, then with {{sudo}}, you see the following error: PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt' To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. @@ -405,7 +405,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4139511 +4139511, 4184813, 4180112 When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue. [ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock [ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query) [ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds @@ -467,7 +467,7 @@ cumulus@switch:~$ sudo umount tmpfs-installer 5.12.0-5.16.1 -4124376 +4124376, 4316163 The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier). To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in <a href="https://docs.nvidia.com/networking-ethernet-software/cumulus-linux/Installation-Management/Upgrading-Cumulus-Linux/#downgrade-a-secure-boot-switch">Downgrade a Secure Boot Switch</a>. 5.11.0-5.16.1 @@ -486,13 +486,13 @@ Error: At ca-list: '/etc/ssl/certs/ca-cert.crt' is not one of ['default', 'none' -4105127 +4105127, 4796391 Any sFlow configuration changes that require an {{hsflowd}} restart are operational only after an initial delay of 60 seconds. 5.11.0-5.16.1 -4101560 +4101560, 4101440 The {{nv set vrf <vrf> router rib <address-family> fib-filter route-map <route-map>}} command only works if you restart FRR after you run the command. To work around this issue, attach the route map to each needed protocol; for example, run the {{nv set vrf <vrf-name> router rib fib-filter protocol <protocol string> route-map <route-map>}} command. 5.11.0-5.11.5 5.12.0-5.16.1 @@ -522,7 +522,7 @@ Error: At ca-list: '/etc/ssl/certs/ca-cert.crt' is not one of ['default', 'none' 5.12.0-5.16.1 -4049213 +4049213, 4186873 When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. 5.9.2-5.16.1 @@ -552,7 +552,7 @@ Error: At ca-list: '/etc/ssl/certs/ca-cert.crt' is not one of ['default', 'none' 5.13.0-5.16.1 -4005422 +4005422, 4015452 When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the {{systemctl enable ntpsec@<vrf>}} and {{systemctl restart ntpsec@<vrf>}} commands. 5.10.0-5.16.1 @@ -585,7 +585,7 @@ The logs occur because the {{rsyslog}} service starts before the networking serv -3879809 +3879809, 4064254 Spectrum-4 switches do not include full What Just Happened (WJH) support. 5.9.0-5.13.1 5.14.0-5.16.1 @@ -612,7 +612,7 @@ To work around this issue, use the {{-q}} option with {{wget}}. -3875687 +3875687, 3879260, 4025900 After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the {{Local Vtep Ip}} field of the {{nv show evpn vni <vni>}} command output. To work around this issue, either run the {{ifup <vxlan-id>}} command or reboot the switch. 5.9.0-5.13.1 5.14.0-5.16.1 @@ -721,7 +721,7 @@ To work around this issue when using fiber cables: -3556762 +3556762, 3463827 On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. 5.5.0-5.16.1 @@ -733,7 +733,7 @@ To work around this issue when using fiber cables: -3538321 +3538321, 3564344 In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. 5.6.0-5.16.1 @@ -757,19 +757,19 @@ To work around this issue when using fiber cables: -3442569 +3442569, 3520880, 3586421 When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both {{nginx.service}} and {{nvued.service}} to begin authenticating users against the new authentication service. 5.5.0-5.16.1 -3430430 +3430430, 3337848 When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. 5.5.0-5.16.1 -3424967 +3424967, 3413785 {{sudo}} for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the {{default}} VRF. To work around this issue, specify the interface name that the {{default}} VRF uses in the {{vrf=}} setting of the {{/etc/tacplus_servers}} file or run the NVUE {{nv set system aaa tacacs vrf}} command. If you don't run either command, a TACACS+ user with privilege level 15 can run {{vrf task exec default sudo ...}} to execute the {{sudo}} command. 5.0.0-5.16.1 @@ -782,7 +782,7 @@ The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 -3414866 +3414866, 3536555, 4465009, 4509253, 4732973 Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error. sx_sdk: 22985 [BRIDGE] [ERROR ]: Port(0x200A000D)) already added to a bridge You can ignore this error; it has no impact on switch functionality. @@ -844,7 +844,7 @@ You can ignore this error; it has no impact on switch functionality. -3225117 +3225117, 3158720 Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. 5.4.0-5.16.1 @@ -867,7 +867,7 @@ To work around this issue, reference the OID without the preceding period ( {{.} -3145869 +3145869, 3430508, 3543102 On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. 5.2.0-5.16.1 @@ -930,7 +930,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -938,7 +938,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2885305 +2885305, 2887500, 3234087, 3074929, 3293192 Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. 5.0.0-5.16.1 @@ -991,7 +991,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 5.11.1-5.11.4 -4717753 +4717753, 3963232 When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. 5.3.1-5.9.4 @@ -1150,13 +1150,13 @@ To work around this issue, verify system boot mode with the {{nv show system reb -4579237 +4579237, 4579234 If interface statistics telemetry is running on the switch, an {{interface_stats_collector}} core file might generate during statistics collection. 5.11.3-5.16.1 -4558846 +4558846, 4237198 If interface statistics telemetry is running on the switch, an {{interface_stats_collector}} core file might generate during statistics collection. 5.11.0-5.11.5 5.12.0-5.16.1 @@ -1190,7 +1190,7 @@ To work around this issue, restart the FRR service using the {{sudo systemctl re -4531952 +4531952, 4518822 When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface {{vlan10}}, the route might install against {{vlan10-v0}}. This prevents next-hop tracking and route installation into hardware. This issue can occur in the following conditions: <ul><li>When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.</li> @@ -1252,7 +1252,7 @@ To work around this issue, power cycle the switch. 5.9.4 -4472414 +4472414, 4621451 After you modify the IP address of an SVI, DHCP relay uses an old cached IP address instead of the changed IP address. This occurs because DHCP relay monitors the link state change not IP address change. 5.11.0-5.14.0 5.15.0-5.16.1 @@ -1312,7 +1312,7 @@ To work around this issue, power cycle the switch. 5.13.0-5.16.1 -4328729 +4328729, 4261676 When sending control packets that have the port range 259 through 1023 in their TX base header system target (above {{cap_max_system_ports}} and below {{cap_ports}} used for LAG forwarding), a fatal health event occurs on the switch. The port range 259 through 1023 reflects illegal system ports; do not set these values in the control packet TX base header. As this range reflects illegal system ports, do not set these values in the control packet TX base header, as it will be dropped. 5.10.1-5.12.1 5.13.0-5.16.1 @@ -1374,7 +1374,7 @@ cumulus@switch:~$ sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o "Dpkg::Optio 5.12.0-5.16.1 -4174646 +4174646, 4042294 On the NVIDIA SN5400 and SN5600 switch, the fans might run at full speed when it is not necessary. 5.10.1-5.11.5 5.12.0-5.16.1 @@ -1386,7 +1386,7 @@ cumulus@switch:~$ sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o "Dpkg::Optio 5.12.0-5.16.1 -4154839 +4154839, 4280933, 4291934 When you run certain SDK commands (such as {{sudo sx_api_port_counter_dump_all.py}} or {{sx_api_fdb_dump}}) first as the cumulus user, then with {{sudo}}, you see the following error: PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt' To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. @@ -1406,7 +1406,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4139511 +4139511, 4184813, 4180112 When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue. [ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock [ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query) [ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds @@ -1468,7 +1468,7 @@ cumulus@switch:~$ sudo umount tmpfs-installer 5.12.0-5.16.1 -4124376 +4124376, 4316163 The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier). To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in <a href="https://docs.nvidia.com/networking-ethernet-software/cumulus-linux/Installation-Management/Upgrading-Cumulus-Linux/#downgrade-a-secure-boot-switch">Downgrade a Secure Boot Switch</a>. 5.11.0-5.16.1 @@ -1487,13 +1487,13 @@ Error: At ca-list: '/etc/ssl/certs/ca-cert.crt' is not one of ['default', 'none' -4105127 +4105127, 4796391 Any sFlow configuration changes that require an {{hsflowd}} restart are operational only after an initial delay of 60 seconds. 5.11.0-5.16.1 -4101560 +4101560, 4101440 The {{nv set vrf <vrf> router rib <address-family> fib-filter route-map <route-map>}} command only works if you restart FRR after you run the command. To work around this issue, attach the route map to each needed protocol; for example, run the {{nv set vrf <vrf-name> router rib fib-filter protocol <protocol string> route-map <route-map>}} command. 5.11.0-5.11.5 5.12.0-5.16.1 @@ -1523,7 +1523,7 @@ Error: At ca-list: '/etc/ssl/certs/ca-cert.crt' is not one of ['default', 'none' 5.12.0-5.16.1 -4049213 +4049213, 4186873 When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. 5.9.2-5.16.1 @@ -1553,7 +1553,7 @@ Error: At ca-list: '/etc/ssl/certs/ca-cert.crt' is not one of ['default', 'none' 5.13.0-5.16.1 -4005422 +4005422, 4015452 When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the {{systemctl enable ntpsec@<vrf>}} and {{systemctl restart ntpsec@<vrf>}} commands. 5.10.0-5.16.1 @@ -1586,7 +1586,7 @@ The logs occur because the {{rsyslog}} service starts before the networking serv -3879809 +3879809, 4064254 Spectrum-4 switches do not include full What Just Happened (WJH) support. 5.9.0-5.13.1 5.14.0-5.16.1 @@ -1613,7 +1613,7 @@ To work around this issue, use the {{-q}} option with {{wget}}. -3875687 +3875687, 3879260, 4025900 After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the {{Local Vtep Ip}} field of the {{nv show evpn vni <vni>}} command output. To work around this issue, either run the {{ifup <vxlan-id>}} command or reboot the switch. 5.9.0-5.13.1 5.14.0-5.16.1 @@ -1722,7 +1722,7 @@ To work around this issue when using fiber cables: -3556762 +3556762, 3463827 On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. 5.5.0-5.16.1 @@ -1734,7 +1734,7 @@ To work around this issue when using fiber cables: -3538321 +3538321, 3564344 In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. 5.6.0-5.16.1 @@ -1758,19 +1758,19 @@ To work around this issue when using fiber cables: -3442569 +3442569, 3520880, 3586421 When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both {{nginx.service}} and {{nvued.service}} to begin authenticating users against the new authentication service. 5.5.0-5.16.1 -3430430 +3430430, 3337848 When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. 5.5.0-5.16.1 -3424967 +3424967, 3413785 {{sudo}} for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the {{default}} VRF. To work around this issue, specify the interface name that the {{default}} VRF uses in the {{vrf=}} setting of the {{/etc/tacplus_servers}} file or run the NVUE {{nv set system aaa tacacs vrf}} command. If you don't run either command, a TACACS+ user with privilege level 15 can run {{vrf task exec default sudo ...}} to execute the {{sudo}} command. 5.0.0-5.16.1 @@ -1783,7 +1783,7 @@ The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 -3414866 +3414866, 3536555, 4465009, 4509253, 4732973 Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error. sx_sdk: 22985 [BRIDGE] [ERROR ]: Port(0x200A000D)) already added to a bridge You can ignore this error; it has no impact on switch functionality. @@ -1845,7 +1845,7 @@ You can ignore this error; it has no impact on switch functionality. -3225117 +3225117, 3158720 Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. 5.4.0-5.16.1 @@ -1868,7 +1868,7 @@ To work around this issue, reference the OID without the preceding period ( {{.} -3145869 +3145869, 3430508, 3543102 On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. 5.2.0-5.16.1 @@ -1931,7 +1931,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -1939,7 +1939,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2885305 +2885305, 2887500, 3234087, 3074929, 3293192 Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. 5.0.0-5.16.1 @@ -1982,7 +1982,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 Affects -4507163 +4507163, 4119158 In some cases after a package upgrade with ISSU (warm boot mode), you see continuous errors in the syslog similar to the following: NOTICE CORE_ASYNC: Error at pre send callback status [Resource is in use] 5.11.2-5.11.3 @@ -2122,13 +2122,13 @@ NOTICE CORE_ASYNC: Error at pre send callback status [Resource is in use] -4579237 +4579237, 4579234 If interface statistics telemetry is running on the switch, an {{interface_stats_collector}} core file might generate during statistics collection. 5.11.3-5.16.1 -4558846 +4558846, 4237198 If interface statistics telemetry is running on the switch, an {{interface_stats_collector}} core file might generate during statistics collection. 5.11.0-5.11.5 5.12.0-5.16.1 @@ -2162,7 +2162,7 @@ To work around this issue, restart the FRR service using the {{sudo systemctl re -4531952 +4531952, 4518822 When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface {{vlan10}}, the route might install against {{vlan10-v0}}. This prevents next-hop tracking and route installation into hardware. This issue can occur in the following conditions: <ul><li>When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.</li> @@ -2200,7 +2200,7 @@ To work around this issue, power cycle the switch. -4507163 +4507163, 4119158 In some cases after a package upgrade with ISSU (warm boot mode), you see continuous errors in the syslog similar to the following: NOTICE CORE_ASYNC: Error at pre send callback status [Resource is in use] 5.11.2-5.11.3 @@ -2231,7 +2231,7 @@ NOTICE CORE_ASYNC: Error at pre send callback status [Resource is in use] 5.9.4 -4472414 +4472414, 4621451 After you modify the IP address of an SVI, DHCP relay uses an old cached IP address instead of the changed IP address. This occurs because DHCP relay monitors the link state change not IP address change. 5.11.0-5.14.0 5.15.0-5.16.1 @@ -2291,7 +2291,7 @@ NOTICE CORE_ASYNC: Error at pre send callback status [Resource is in use] 5.13.0-5.16.1 -4328729 +4328729, 4261676 When sending control packets that have the port range 259 through 1023 in their TX base header system target (above {{cap_max_system_ports}} and below {{cap_ports}} used for LAG forwarding), a fatal health event occurs on the switch. The port range 259 through 1023 reflects illegal system ports; do not set these values in the control packet TX base header. As this range reflects illegal system ports, do not set these values in the control packet TX base header, as it will be dropped. 5.10.1-5.12.1 5.13.0-5.16.1 @@ -2353,7 +2353,7 @@ cumulus@switch:~$ sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o "Dpkg::Optio 5.12.0-5.16.1 -4174646 +4174646, 4042294 On the NVIDIA SN5400 and SN5600 switch, the fans might run at full speed when it is not necessary. 5.10.1-5.11.5 5.12.0-5.16.1 @@ -2365,7 +2365,7 @@ cumulus@switch:~$ sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o "Dpkg::Optio 5.12.0-5.16.1 -4154839 +4154839, 4280933, 4291934 When you run certain SDK commands (such as {{sudo sx_api_port_counter_dump_all.py}} or {{sx_api_fdb_dump}}) first as the cumulus user, then with {{sudo}}, you see the following error: PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt' To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. @@ -2385,7 +2385,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4139511 +4139511, 4184813, 4180112 When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue. [ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock [ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query) [ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds @@ -2447,7 +2447,7 @@ cumulus@switch:~$ sudo umount tmpfs-installer 5.12.0-5.16.1 -4124376 +4124376, 4316163 The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier). To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in <a href="https://docs.nvidia.com/networking-ethernet-software/cumulus-linux/Installation-Management/Upgrading-Cumulus-Linux/#downgrade-a-secure-boot-switch">Downgrade a Secure Boot Switch</a>. 5.11.0-5.16.1 @@ -2466,13 +2466,13 @@ Error: At ca-list: '/etc/ssl/certs/ca-cert.crt' is not one of ['default', 'none' -4105127 +4105127, 4796391 Any sFlow configuration changes that require an {{hsflowd}} restart are operational only after an initial delay of 60 seconds. 5.11.0-5.16.1 -4101560 +4101560, 4101440 The {{nv set vrf <vrf> router rib <address-family> fib-filter route-map <route-map>}} command only works if you restart FRR after you run the command. To work around this issue, attach the route map to each needed protocol; for example, run the {{nv set vrf <vrf-name> router rib fib-filter protocol <protocol string> route-map <route-map>}} command. 5.11.0-5.11.5 5.12.0-5.16.1 @@ -2502,7 +2502,7 @@ Error: At ca-list: '/etc/ssl/certs/ca-cert.crt' is not one of ['default', 'none' 5.12.0-5.16.1 -4049213 +4049213, 4186873 When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. 5.9.2-5.16.1 @@ -2532,7 +2532,7 @@ Error: At ca-list: '/etc/ssl/certs/ca-cert.crt' is not one of ['default', 'none' 5.13.0-5.16.1 -4005422 +4005422, 4015452 When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the {{systemctl enable ntpsec@<vrf>}} and {{systemctl restart ntpsec@<vrf>}} commands. 5.10.0-5.16.1 @@ -2565,7 +2565,7 @@ The logs occur because the {{rsyslog}} service starts before the networking serv -3879809 +3879809, 4064254 Spectrum-4 switches do not include full What Just Happened (WJH) support. 5.9.0-5.13.1 5.14.0-5.16.1 @@ -2592,7 +2592,7 @@ To work around this issue, use the {{-q}} option with {{wget}}. -3875687 +3875687, 3879260, 4025900 After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the {{Local Vtep Ip}} field of the {{nv show evpn vni <vni>}} command output. To work around this issue, either run the {{ifup <vxlan-id>}} command or reboot the switch. 5.9.0-5.13.1 5.14.0-5.16.1 @@ -2701,7 +2701,7 @@ To work around this issue when using fiber cables: -3556762 +3556762, 3463827 On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. 5.5.0-5.16.1 @@ -2713,7 +2713,7 @@ To work around this issue when using fiber cables: -3538321 +3538321, 3564344 In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. 5.6.0-5.16.1 @@ -2737,19 +2737,19 @@ To work around this issue when using fiber cables: -3442569 +3442569, 3520880, 3586421 When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both {{nginx.service}} and {{nvued.service}} to begin authenticating users against the new authentication service. 5.5.0-5.16.1 -3430430 +3430430, 3337848 When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. 5.5.0-5.16.1 -3424967 +3424967, 3413785 {{sudo}} for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the {{default}} VRF. To work around this issue, specify the interface name that the {{default}} VRF uses in the {{vrf=}} setting of the {{/etc/tacplus_servers}} file or run the NVUE {{nv set system aaa tacacs vrf}} command. If you don't run either command, a TACACS+ user with privilege level 15 can run {{vrf task exec default sudo ...}} to execute the {{sudo}} command. 5.0.0-5.16.1 @@ -2762,7 +2762,7 @@ The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 -3414866 +3414866, 3536555, 4465009, 4509253, 4732973 Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error. sx_sdk: 22985 [BRIDGE] [ERROR ]: Port(0x200A000D)) already added to a bridge You can ignore this error; it has no impact on switch functionality. @@ -2824,7 +2824,7 @@ You can ignore this error; it has no impact on switch functionality. -3225117 +3225117, 3158720 Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. 5.4.0-5.16.1 @@ -2847,7 +2847,7 @@ To work around this issue, reference the OID without the preceding period ( {{.} -3145869 +3145869, 3430508, 3543102 On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. 5.2.0-5.16.1 @@ -2910,7 +2910,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -2918,7 +2918,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2885305 +2885305, 2887500, 3234087, 3074929, 3293192 Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. 5.0.0-5.16.1 @@ -3071,7 +3071,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -4558846 +4558846, 4237198 If interface statistics telemetry is running on the switch, an {{interface_stats_collector}} core file might generate during statistics collection. 5.11.0-5.11.5 5.12.0-5.16.1 @@ -3099,7 +3099,7 @@ To work around this issue, restart the FRR service using the {{sudo systemctl re -4531952 +4531952, 4518822 When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface {{vlan10}}, the route might install against {{vlan10-v0}}. This prevents next-hop tracking and route installation into hardware. This issue can occur in the following conditions: <ul><li>When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.</li> @@ -3137,7 +3137,7 @@ To work around this issue, power cycle the switch. -4507163 +4507163, 4119158 In some cases after a package upgrade with ISSU (warm boot mode), you see continuous errors in the syslog similar to the following: NOTICE CORE_ASYNC: Error at pre send callback status [Resource is in use] 5.11.2-5.11.3 @@ -3168,7 +3168,7 @@ NOTICE CORE_ASYNC: Error at pre send callback status [Resource is in use] 5.9.4 -4472414 +4472414, 4621451 After you modify the IP address of an SVI, DHCP relay uses an old cached IP address instead of the changed IP address. This occurs because DHCP relay monitors the link state change not IP address change. 5.11.0-5.14.0 5.15.0-5.16.1 @@ -3228,7 +3228,7 @@ NOTICE CORE_ASYNC: Error at pre send callback status [Resource is in use] 5.13.0-5.16.1 -4328729 +4328729, 4261676 When sending control packets that have the port range 259 through 1023 in their TX base header system target (above {{cap_max_system_ports}} and below {{cap_ports}} used for LAG forwarding), a fatal health event occurs on the switch. The port range 259 through 1023 reflects illegal system ports; do not set these values in the control packet TX base header. As this range reflects illegal system ports, do not set these values in the control packet TX base header, as it will be dropped. 5.10.1-5.12.1 5.13.0-5.16.1 @@ -3290,7 +3290,7 @@ cumulus@switch:~$ sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o "Dpkg::Optio 5.12.0-5.16.1 -4174646 +4174646, 4042294 On the NVIDIA SN5400 and SN5600 switch, the fans might run at full speed when it is not necessary. 5.10.1-5.11.5 5.12.0-5.16.1 @@ -3302,7 +3302,7 @@ cumulus@switch:~$ sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o "Dpkg::Optio 5.12.0-5.16.1 -4154839 +4154839, 4280933, 4291934 When you run certain SDK commands (such as {{sudo sx_api_port_counter_dump_all.py}} or {{sx_api_fdb_dump}}) first as the cumulus user, then with {{sudo}}, you see the following error: PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt' To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. @@ -3322,7 +3322,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4139511 +4139511, 4184813, 4180112 When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue. [ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock [ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query) [ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds @@ -3384,7 +3384,7 @@ cumulus@switch:~$ sudo umount tmpfs-installer 5.12.0-5.16.1 -4124376 +4124376, 4316163 The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier). To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in <a href="https://docs.nvidia.com/networking-ethernet-software/cumulus-linux/Installation-Management/Upgrading-Cumulus-Linux/#downgrade-a-secure-boot-switch">Downgrade a Secure Boot Switch</a>. 5.11.0-5.16.1 @@ -3403,13 +3403,13 @@ Error: At ca-list: '/etc/ssl/certs/ca-cert.crt' is not one of ['default', 'none' -4105127 +4105127, 4796391 Any sFlow configuration changes that require an {{hsflowd}} restart are operational only after an initial delay of 60 seconds. 5.11.0-5.16.1 -4101560 +4101560, 4101440 The {{nv set vrf <vrf> router rib <address-family> fib-filter route-map <route-map>}} command only works if you restart FRR after you run the command. To work around this issue, attach the route map to each needed protocol; for example, run the {{nv set vrf <vrf-name> router rib fib-filter protocol <protocol string> route-map <route-map>}} command. 5.11.0-5.11.5 5.12.0-5.16.1 @@ -3439,7 +3439,7 @@ Error: At ca-list: '/etc/ssl/certs/ca-cert.crt' is not one of ['default', 'none' 5.12.0-5.16.1 -4049213 +4049213, 4186873 When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. 5.9.2-5.16.1 @@ -3469,7 +3469,7 @@ Error: At ca-list: '/etc/ssl/certs/ca-cert.crt' is not one of ['default', 'none' 5.13.0-5.16.1 -4005422 +4005422, 4015452 When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the {{systemctl enable ntpsec@<vrf>}} and {{systemctl restart ntpsec@<vrf>}} commands. 5.10.0-5.16.1 @@ -3502,7 +3502,7 @@ The logs occur because the {{rsyslog}} service starts before the networking serv -3879809 +3879809, 4064254 Spectrum-4 switches do not include full What Just Happened (WJH) support. 5.9.0-5.13.1 5.14.0-5.16.1 @@ -3529,7 +3529,7 @@ To work around this issue, use the {{-q}} option with {{wget}}. -3875687 +3875687, 3879260, 4025900 After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the {{Local Vtep Ip}} field of the {{nv show evpn vni <vni>}} command output. To work around this issue, either run the {{ifup <vxlan-id>}} command or reboot the switch. 5.9.0-5.13.1 5.14.0-5.16.1 @@ -3638,7 +3638,7 @@ To work around this issue when using fiber cables: -3556762 +3556762, 3463827 On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. 5.5.0-5.16.1 @@ -3650,7 +3650,7 @@ To work around this issue when using fiber cables: -3538321 +3538321, 3564344 In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. 5.6.0-5.16.1 @@ -3674,19 +3674,19 @@ To work around this issue when using fiber cables: -3442569 +3442569, 3520880, 3586421 When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both {{nginx.service}} and {{nvued.service}} to begin authenticating users against the new authentication service. 5.5.0-5.16.1 -3430430 +3430430, 3337848 When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. 5.5.0-5.16.1 -3424967 +3424967, 3413785 {{sudo}} for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the {{default}} VRF. To work around this issue, specify the interface name that the {{default}} VRF uses in the {{vrf=}} setting of the {{/etc/tacplus_servers}} file or run the NVUE {{nv set system aaa tacacs vrf}} command. If you don't run either command, a TACACS+ user with privilege level 15 can run {{vrf task exec default sudo ...}} to execute the {{sudo}} command. 5.0.0-5.16.1 @@ -3699,7 +3699,7 @@ The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 -3414866 +3414866, 3536555, 4465009, 4509253, 4732973 Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error. sx_sdk: 22985 [BRIDGE] [ERROR ]: Port(0x200A000D)) already added to a bridge You can ignore this error; it has no impact on switch functionality. @@ -3761,7 +3761,7 @@ You can ignore this error; it has no impact on switch functionality. -3225117 +3225117, 3158720 Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. 5.4.0-5.16.1 @@ -3784,7 +3784,7 @@ To work around this issue, reference the OID without the preceding period ( {{.} -3145869 +3145869, 3430508, 3543102 On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. 5.2.0-5.16.1 @@ -3847,7 +3847,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -3855,7 +3855,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2885305 +2885305, 2887500, 3234087, 3074929, 3293192 Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. 5.0.0-5.16.1 @@ -3937,7 +3937,7 @@ systemctl is-enabled ntpsec && sudo systemctl restart ntpsec.service 5.13.0-5.16.1 -4472549 +4472549, 4461303 When running tens of thousands of {{nv set}} commands, the {{/var/lib/nvue}} directory might grow to several GBs in size, potentially using all the disk space. To work around this issue, run the following commands to reduce the disk space in the {{/var/lib/nvue}} directory: cumulus@switch:~$ sudo su cumulus@switch:~$ cd /var/lib/nvue/config @@ -3955,7 +3955,7 @@ cumulus@switch:~$ git gc 5.9.3 -4423430 +4423430, 4322632, 4391362 When toggling the bridge binding flag on an SVI from ON to OFF, the SVI might not come operationally UP if it was DOWN previously from the bridge binding flag. 5.11.0-5.11.1 @@ -3965,18 +3965,18 @@ cumulus@switch:~$ git gc 5.11.0-5.11.1 -4423362 +4423362, 4255653, 4335726 After a remote link flap, neighbor entries using the link might not get resolved immediately. Only when some traffic uses the nexthop will they be resolved. 5.12.0-5.12.1 -4423359 +4423359, 4352307 After a factory reset, the files in the {{/etc/pam.d/}} directory might be incorrect, causing problems with password strength checking, TACACS+, RADIUS, and LDAP. To work around this issue, run the following command: cumulus@switch:~$ sudo /usr/sbin/pam-auth-update --force --package 5.12.0-5.12.1 -4423336 +4423336, 3875789, 3933038 When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the {{nv config patch}} command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with {{systemctl restart nvued.service}}. 5.9.0-5.11.1 @@ -4023,13 +4023,13 @@ On the Spectrum-3 switch, the cell-size is 144 bytes. The minimum size is 144*64 5.12.0-5.12.1 -4423258 +4423258, 4210596 After a factory reset, the files in the {{/etc/pam.d/}} directory might be incorrect, causing problems with password strength checking, TACACS+, RADIUS, and LDAP. To work around this issue, run the following command: cumulus@switch:~$ sudo /usr/sbin/pam-auth-update --force --package 5.12.0-5.12.1 -4423251 +4423251, 4395776 When you use {{onie-install}} to install an image with a preconfigured {{startup.yaml}} file, an issue with the ZTP infrastructure script results in certain interfaces being UP in the kernel and the lower layer but DOWN in NVUE or the {{/etc/network/interfaces}} file. @@ -4064,7 +4064,7 @@ cumulus@switch:~$ sudo /usr/sbin/pam-auth-update --force --package -4423168 +4423168, 4408283, 4240003 Zebra might crash when multiple interfaces flap rapidly with a large scale number of routes. This issue occurs because the next hop group hash comparison incorrectly treats distinct next hop groups as equal. I addition, the hashing logic currently uses only four bytes of the IPv6 address, which increases the likelihood of collisions and misidentification. Avoid rapidly flapping multiple interfaces when managing large scale routes. @@ -4077,12 +4077,12 @@ switchd[19460]: hal_mlx_l2mc.c:1107 ERR VFID: 4099, Failed to set unregistered I 5.12.0-5.12.1 -4422898 +4422898, 4497128 When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. 5.0.0-5.11.1, 5.13.0-5.13.1 -4408280 +4408280, 4360680 NVUE commands create excessive log data. To work around this issue, configure rsyslog rules to limit logging of these commands. 5.11.0-5.11.1, 5.12.0-5.12.1 @@ -4094,7 +4094,7 @@ To work around this issue, restart the {{hw-management}} service with the {{sudo 5.7.0-5.9.3 -4400384 +4400384, 4391704 After the switch reboots or {{switchd.service}} restarts, NVUE applied ERSPAN sessions do not work if the ERSPAN destination IP address is reachable through an MLAG bond. To work around this issue, remove the ERSPAN configuration and reapply it using NVUE. 5.11.0-5.11.1 @@ -5459,7 +5459,7 @@ CRIT Restarting switchd to recover from SDK health event: FW Long Command -4558846 +4558846, 4237198 If interface statistics telemetry is running on the switch, an {{interface_stats_collector}} core file might generate during statistics collection. 5.11.0-5.11.5 5.12.0-5.16.1 @@ -5515,7 +5515,7 @@ To work around this issue, power cycle the switch. -4472414 +4472414, 4621451 After you modify the IP address of an SVI, DHCP relay uses an old cached IP address instead of the changed IP address. This occurs because DHCP relay monitors the link state change not IP address change. 5.11.0-5.14.0 5.15.0-5.16.1 @@ -5527,7 +5527,7 @@ To work around this issue, power cycle the switch. 5.14.0-5.16.1 -4423430 +4423430, 4322632, 4391362 When toggling the bridge binding flag on an SVI from ON to OFF, the SVI might not come operationally UP if it was DOWN previously from the bridge binding flag. 5.11.0-5.12.1 5.13.0-5.16.1 @@ -5545,7 +5545,7 @@ To work around this issue, power cycle the switch. -4423336 +4423336, 3875789, 3933038 When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the {{nv config patch}} command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with {{systemctl restart nvued.service}}. 5.9.0-5.11.5 5.12.0-5.16.1 @@ -5635,7 +5635,7 @@ To work around this issue, power cycle the switch. -4422898 +4422898, 4497128 When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. 5.0.0-5.13.1 5.14.0-5.16.1 @@ -5647,13 +5647,13 @@ To work around this issue, power cycle the switch. 5.14.0-5.16.1 -4408280 +4408280, 4360680 NVUE commands create excessive log data. To work around this issue, configure rsyslog rules to limit logging of these commands. 5.11.0-5.12.1 5.13.0-5.16.1 -4400384 +4400384, 4391704 After the switch reboots or {{switchd.service}} restarts, NVUE applied ERSPAN sessions do not work if the ERSPAN destination IP address is reachable through an MLAG bond. To work around this issue, remove the ERSPAN configuration and reapply it using NVUE. 5.11.0-5.12.1 5.13.0-5.16.1 @@ -5699,7 +5699,7 @@ nv config apply -y 5.13.0-5.16.1 -4328729 +4328729, 4261676 When sending control packets that have the port range 259 through 1023 in their TX base header system target (above {{cap_max_system_ports}} and below {{cap_ports}} used for LAG forwarding), a fatal health event occurs on the switch. The port range 259 through 1023 reflects illegal system ports; do not set these values in the control packet TX base header. As this range reflects illegal system ports, do not set these values in the control packet TX base header, as it will be dropped. 5.10.1-5.12.1 5.13.0-5.16.1 @@ -5717,7 +5717,7 @@ nv config apply -y 5.9.4, 5.11.1-5.16.1, 5.13.0-5.16.1 -4277143 +4277143, 4277148 After a factory reset with the {{nv action reset system factory-default force}} command, RADIUS does not fully reset; the {{radius-cmd-acct}} package is not installed correctly and includes missing files. In addition, {{/etc/pam.d/common-auth}} is incorrect. 5.11.0 5.11.1-5.16.1, 5.12.0-5.16.1 @@ -5738,7 +5738,7 @@ cumulus@switch:~$ nv config apply 5.12.0-5.16.1 -4261676 +4261676, 4328729 When sending control packets that have the port range 259 through 1023 in their TX base header system target (above {{cap_max_system_ports}} and below {{cap_ports}} used for LAG forwarding), a fatal health event occurs on the switch. The port range 259 through 1023 reflects illegal system ports; do not set these values in the control packet TX base header. 5.11.0 5.11.1-5.16.1, 5.12.1-5.16.1, 5.13.0-5.16.1 @@ -5833,7 +5833,7 @@ To work around this issue, manually add the {{debian-snmp}} user to the TACACS c 5.11.1-5.16.1, 5.12.0-5.16.1 -4203784 +4203784, 4203785 Under unique hardware failure conditions, when the ASIC temperature sensor read fails repeatedly, the fans are set to twenty percent, which might not be high enough to maintain proper ASIC cooling, resulting in a thermal shutdown. 5.11.0 5.11.1-5.16.1, 5.12.0-5.16.1 @@ -5932,7 +5932,7 @@ cumulus@switch:~$ sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o "Dpkg::Optio 5.11.1-5.16.1, 5.12.0-5.16.1 -4174646 +4174646, 4042294 On the NVIDIA SN5400 and SN5600 switch, the fans might run at full speed when it is not necessary. 5.10.1-5.11.5 5.12.0-5.16.1 @@ -5957,7 +5957,7 @@ CRIT Restarting switchd to recover from SDK health event: FW Long Command 5.12.0-5.16.1 -4154839 +4154839, 4280933, 4291934 When you run certain SDK commands (such as {{sudo sx_api_port_counter_dump_all.py}} or {{sx_api_fdb_dump}}) first as the cumulus user, then with {{sudo}}, you see the following error: PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt' To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. @@ -5990,7 +5990,7 @@ netlink.c:409 CRIT nlroute: nl_cache_mngr_data_ready failed: Kernel reported tru -4139511 +4139511, 4184813, 4180112 When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue. [ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock [ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query) [ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds @@ -6052,7 +6052,7 @@ cumulus@switch:~$ sudo umount tmpfs-installer 5.12.0-5.16.1 -4124376 +4124376, 4316163 The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier). To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in <a href="https://docs.nvidia.com/networking-ethernet-software/cumulus-linux/Installation-Management/Upgrading-Cumulus-Linux/#downgrade-a-secure-boot-switch">Downgrade a Secure Boot Switch</a>. 5.11.0-5.16.1 @@ -6071,13 +6071,13 @@ Error: At ca-list: '/etc/ssl/certs/ca-cert.crt' is not one of ['default', 'none' -4105127 +4105127, 4796391 Any sFlow configuration changes that require an {{hsflowd}} restart are operational only after an initial delay of 60 seconds. 5.11.0-5.16.1 -4101560 +4101560, 4101440 The {{nv set vrf <vrf> router rib <address-family> fib-filter route-map <route-map>}} command only works if you restart FRR after you run the command. To work around this issue, attach the route map to each needed protocol; for example, run the {{nv set vrf <vrf-name> router rib fib-filter protocol <protocol string> route-map <route-map>}} command. 5.11.0-5.11.5 5.12.0-5.16.1 @@ -6107,7 +6107,7 @@ Error: At ca-list: '/etc/ssl/certs/ca-cert.crt' is not one of ['default', 'none' 5.12.0-5.16.1 -4049213 +4049213, 4186873 When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. 5.9.2-5.16.1 @@ -6137,7 +6137,7 @@ Error: At ca-list: '/etc/ssl/certs/ca-cert.crt' is not one of ['default', 'none' 5.13.0-5.16.1 -4005422 +4005422, 4015452 When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the {{systemctl enable ntpsec@<vrf>}} and {{systemctl restart ntpsec@<vrf>}} commands. 5.10.0-5.16.1 @@ -6170,7 +6170,7 @@ The logs occur because the {{rsyslog}} service starts before the networking serv -3879809 +3879809, 4064254 Spectrum-4 switches do not include full What Just Happened (WJH) support. 5.9.0-5.13.1 5.14.0-5.16.1 @@ -6197,7 +6197,7 @@ To work around this issue, use the {{-q}} option with {{wget}}. -3875687 +3875687, 3879260, 4025900 After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the {{Local Vtep Ip}} field of the {{nv show evpn vni <vni>}} command output. To work around this issue, either run the {{ifup <vxlan-id>}} command or reboot the switch. 5.9.0-5.13.1 5.14.0-5.16.1 @@ -6306,7 +6306,7 @@ To work around this issue when using fiber cables: -3556762 +3556762, 3463827 On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. 5.5.0-5.16.1 @@ -6318,7 +6318,7 @@ To work around this issue when using fiber cables: -3538321 +3538321, 3564344 In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. 5.6.0-5.16.1 @@ -6342,19 +6342,19 @@ To work around this issue when using fiber cables: -3442569 +3442569, 3520880, 3586421 When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both {{nginx.service}} and {{nvued.service}} to begin authenticating users against the new authentication service. 5.5.0-5.16.1 -3430430 +3430430, 3337848 When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. 5.5.0-5.16.1 -3424967 +3424967, 3413785 {{sudo}} for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the {{default}} VRF. To work around this issue, specify the interface name that the {{default}} VRF uses in the {{vrf=}} setting of the {{/etc/tacplus_servers}} file or run the NVUE {{nv set system aaa tacacs vrf}} command. If you don't run either command, a TACACS+ user with privilege level 15 can run {{vrf task exec default sudo ...}} to execute the {{sudo}} command. 5.0.0-5.16.1 @@ -6367,7 +6367,7 @@ The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 -3414866 +3414866, 3536555, 4465009, 4509253, 4732973 Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error. sx_sdk: 22985 [BRIDGE] [ERROR ]: Port(0x200A000D)) already added to a bridge You can ignore this error; it has no impact on switch functionality. @@ -6429,7 +6429,7 @@ You can ignore this error; it has no impact on switch functionality. -3225117 +3225117, 3158720 Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. 5.4.0-5.16.1 @@ -6452,7 +6452,7 @@ To work around this issue, reference the OID without the preceding period ( {{.} -3145869 +3145869, 3430508, 3543102 On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. 5.2.0-5.16.1 @@ -6515,7 +6515,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -6523,7 +6523,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2885305 +2885305, 2887500, 3234087, 3074929, 3293192 Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. 5.0.0-5.16.1 @@ -6581,7 +6581,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -4129699 +4129699, 3790461 {{switchd}} crashes because the hardware MAC limit is higher than the maximum. 5.8.0-5.10.1 @@ -6645,7 +6645,7 @@ Save the file, run the {{nv config patch vlan-aware_bridge_snippet.yaml}} comman 5.9.1-5.9.3 -4089469 +4089469, 4101616, 3878045 When you apply interface configuration at the same time as VRF based services (such as the DHCP service for a VRF), the VRF based service does not become fully operational because the service is not receiving protocol packets. To work around this issue, first apply the interface configuration, then apply the configuration for the VRF based service. @@ -6655,7 +6655,7 @@ Save the file, run the {{nv config patch vlan-aware_bridge_snippet.yaml}} comman 5.10.0-5.10.1 -4081974 +4081974, 3905576 When you use {{mlxlink}} to check TX power, you see incorrect values for different lanes of a port. To work around this issue, either use the NVUE {{nv show platform transceiver <interface>}} command or the ethtool {{-m <interface>}} command. 5.10.0-5.10.1 @@ -6709,7 +6709,7 @@ interface_stats: [ERROR] interface_stats_collector.py:_parse_conf_file:201 — C 5.10.0-5.10.1 -4047829 +4047829, 4040901, 4040916 Ports can be operationally down if the {{switchd}} service fails to come UP due to certain firmware failures and you the following {{switchd.log}} messages: PDDR long process T.O MCIA no response @@ -6728,7 +6728,7 @@ To work around this issue, power-cycle the switch. 5.10.0-5.10.1 -4037224 +4037224, 4048679 ASIC monitoring histogram collection might not work because of a crash in the {{asic-monitor}} service. To work around this issue, see the <a href="https://docs.nvidia.com/networking-ethernet-software/cumulus-linux-510/Whats-New/#release-considerations">Release Considerations section of the What’s New</a>. 5.10.0 @@ -6768,7 +6768,7 @@ To work around this issue, power-cycle the switch. 5.9.1-5.9.3 -3955971 +3955971, 4296649, 4308856 When using the optional {{nslcd}} service, if {{tls_crlcheck}} is in the {{/etc/nslcd.conf}} file, the service fails due to a missing library. 5.10.0-5.10.1 @@ -6778,12 +6778,12 @@ To work around this issue, power-cycle the switch. 5.8.0-5.9.1, 5.10.0-5.10.1 -3878699 +3878699, 3939355 In an EVPN multihoming configuration, when the VXLAN device associated with a layer 2 VNI flaps, there is a route entry in the tenant VRF associated with the locally learned host. 5.9.0-5.10.1 -3452681 +3452681, 3465375 When you run the NVUE {{nv show system aaa tacacs authorization}} commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to {{Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND}}. 5.5.0-5.10.1 diff --git a/content/cumulus-linux-512/Whats-New/rn.md b/content/cumulus-linux-512/Whats-New/rn.md index 4658a140b1..1cd7f069f5 100644 --- a/content/cumulus-linux-512/Whats-New/rn.md +++ b/content/cumulus-linux-512/Whats-New/rn.md @@ -223,7 +223,7 @@ pdfhidden: True | [4840299](#4840299)
| If you use NVUE commands to change the BGP autonomous system number (ASN) for existing VRFs without deleting the associated EVPN VNI, FRR reload fails and shows an error during nv config apply. Be sure to delete the layer 3 VNI before changing the BGP ASN or restart FRR after the AS change. | 5.9.1-5.16.1 | | | [4789097](#4789097)
| The switch deletes a static blackhole route even when the blackhole type specified in the delete command does not match the configured type. | 5.9.4-5.15.1 | 5.16.0-5.16.1| | [4771521](#4771521)
| Layer 3 multicast traffic does not forward when OMF (Optimized Multicast Flooding) and PIM is enabled. To work around this issue, flap the router port. | 5.9.2-5.15.1 | 5.16.0-5.16.1| -| [4751060](#4751060)
| If the switch filesystem is overloaded or memory is exhausted, you see very slow responses from the filesystem and the SDK might fail with a fatal error similar to:
sxd_kernel: Health-Check: new failure (dev=1, severity='Fatal', cause=10 ['SDK thread issue'], irisc=255, desc='Health check: SDK thread [sxSniffer] TID [0x7f81cffff6c0] bit [4] does not respond [5] seconds')
| 5.12.0-5.15.1 | 5.16.0-5.16.1| +| [4751060, 4637733](#4751060, 4637733)
| If the switch filesystem is overloaded or memory is exhausted, you see very slow responses from the filesystem and the SDK might fail with a fatal error similar to:
sxd_kernel: Health-Check: new failure (dev=1, severity='Fatal', cause=10 ['SDK thread issue'], irisc=255, desc='Health check: SDK thread [sxSniffer] TID [0x7f81cffff6c0] bit [4] does not respond [5] seconds')
| 5.12.0-5.15.1 | 5.16.0-5.16.1| | [4729839](#4729839)
| In an MLAG configuration, when you reboot the primary MLAG switch with PVRST spanning tree mode configured on both MLAG switches, PVRST mode briefly changes to RSTP, then back to PVRST when the primary switch comes back up. | 5.11.3-5.15.1 | 5.16.0-5.16.1| | [4722680](#4722680)
| If you install RADIUS client packages when rolling back a two partition upgrade, the /var/lib/nvue, /var/lib/ntpsec, and /var/lib/snmp directories might have incorrect ownership after rollback and the nvued service might fail to start up. To work around this issue, run the following commands:
sudo chown -R nvue /var/lib/nvue
sudo chown -R ntpsec /var/lib/ntpsec
sudo chown -R Debian-snmp /var/lib/snmp
sudo reboot
| 5.11.4-5.16.1 | | | [4722539](#4722539)
| Optimized image upgrade with warm boot mode is supported in Cumulus Linux 5.13 and later. When you try to run the nv action boot-next command during optimized image upgrade in Cumulus Linux 5.12 and earlier to any target release while the system is in warm boot mode, the boot-next operation fails with the following error:
cumulus@switch:~$ nv action boot-next system image other
Error: Action failed with the following issue:>br>
 Failed to set boot-next due to Unknown error

To work around this issue, verify system boot mode with the nv show system reboot command before you perform optimized image upgrade and switch to cold boot mode if necessary with the nv set system reboot mode cold command. You can then proceed with the optimized image upgrade boot-next operation. | 5.11.4-5.15.1 | 5.16.0-5.16.1| @@ -239,7 +239,7 @@ pdfhidden: True | [4621759](#4621759)
| When many BFD sessions are configured at scale, ptmd might crash when one of the BFD sessions flaps. | 5.3.1-5.14.0 | 5.15.0-5.16.1| | [4608614](#4608614)
| When setting up SSH keys, you have to run nv config apply twice for the configuration to take effect. | 5.11.3-5.16.1 | | | [4582679](#4582679)
| If a node has Suppress Route Advertisement enabled and routes are re-learned; for example, when a peer sends the route again due to route policy changes, or you enable or disable graceful shutdown, not all routes are offloaded, which might cause discrepancies in traffic. | 5.9.4-5.16.1 | | -| [4579237](#4579237)
| If interface statistics telemetry is running on the switch, an interface_stats_collector core file might generate during statistics collection. | 5.11.3-5.16.1 | | +| [4579237, 4579234](#4579237, 4579234)
| If interface statistics telemetry is running on the switch, an interface_stats_collector core file might generate during statistics collection. | 5.11.3-5.16.1 | | | [4562806](#4562806)
| When there is a very high volume of MLD traffic in a VXLAN environment, the switch CPU and control protocols might be impacted. | 5.12.0-5.14.0 | 5.15.0-5.16.1| | [4555938](#4555938)
| When one of the FRR processes such as bgpd or zebra goes down, watchfrr tries to restart those processes and also restarts the routing telemetry service, which blocks watchfrr causing cascading failures on other processes. | 5.12.0-5.13.1 | 5.14.0-5.16.1| | [4548512](#4548512)
| When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface vlan10, the route might install against vlan10-v0. This prevents next-hop tracking and route installation into hardware.
This issue can occur in the following conditions:
  • When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.
  • In an MLAG and VRR configuration, static routes fail to install when the route is resolved through a connected route and the interface of the connected route undergoes a link state change for any reason, such as link flaps, interface bring-up, clagd restart, switchd restart, etc.

To work around this issue, restart the FRR service using the sudo systemctl restart frr.service command. | 5.11.0-5.16.1 | | @@ -247,16 +247,16 @@ pdfhidden: True | [4535804](#4535804)
| If you use a bridge name other than br_default, PTP neighbors fail to establish because the PTP packets are sourced from an unexpected IP address.
To work around this issue, configure the base-interface for the VLAN interface with the nv set interface base-interface command. | 5.10.0-5.16.1 | | | [4535749](#4535749)
| The uc-discards field in the nv show interface counters qos egress-queue-stats command output is actually the number of packets discarded per queue, but it is wrongly interpreted as bytes. To work around this issue, convert the data shown in bytes to packets by multiplying by 1024 if the data is in KB, 1024x1024 if the data is in MB, and 1024x1024x1024 if the data is in GB. | 5.11.0-5.16.1 | | | [4535699](#4535699)
| When you configure the RADIUS authentication order with local first and radius second, the RADIUS user is authenticated as a default user name. | 5.11.3-5.16.1 | | -| [4531952](#4531952)
| When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface vlan10, the route might install against vlan10-v0. This prevents next-hop tracking and route installation into hardware.
This issue can occur in the following conditions:
  • When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.
  • In an MLAG and VRR configuration, static routes fail to install when the route is resolved through a connected route and the interface of the connected route undergoes a link state change for any reason, such as link flaps, interface bring-up, clagd restart, switchd restart, etc.

To work around this issue, restart the FRR service using the sudo systemctl restart frr.service command. | 5.11.1-5.13.1 | 5.14.0-5.16.1| +| [4531952, 4518822](#4531952, 4518822)
| When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface vlan10, the route might install against vlan10-v0. This prevents next-hop tracking and route installation into hardware.
This issue can occur in the following conditions:
  • When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.
  • In an MLAG and VRR configuration, static routes fail to install when the route is resolved through a connected route and the interface of the connected route undergoes a link state change for any reason, such as link flaps, interface bring-up, clagd restart, switchd restart, etc.

To work around this issue, restart the FRR service using the sudo systemctl restart frr.service command. | 5.11.1-5.13.1 | 5.14.0-5.16.1| | [4531104](#4531104)
| On a switch with SDK 4.6.1062 or earlier, you might see FW fatal health events. | 5.6.0-5.13.1 | 5.14.0-5.16.1| | [4521203](#4521203)
| The SATA driver on the NVIDIA SN2410 switch sometimes exhibits failures similar to the following:
2025-06-20T20:03:38.785966+09:00 S1-RF10B kernel: 
[49878794.456350] ata1.00: failed command: WRITE FPDMA QUEUED
2025-06-20T20:03:38.785968+09:00 S1-RF10B kernel: [49878794.461984] ata1.00: cmd
61/08:08:50:2b:c4/00:00:01:00:00/40 tag 1 ncq dma 4096 out
2025-06-20T20:03:38.785970+09:00 S1-RF10B kernel: [49878794.461984] res 40/00:0c:50:2b:c4/00:00:01:00:00/40 Emask 0×10 (ATA bus error)

To work around this issue, power cycle the switch. | 5.5.1-5.13.1 | 5.14.0-5.16.1| -| [4509255](#4509255)
| In PTP two-step, the hardware incorrectly modifies the SYNC message correction field. | 5.12.0-5.16.1 | | +| [4509255, 4546858](#4509255, 4546858)
| In PTP two-step, the hardware incorrectly modifies the SYNC message correction field. | 5.12.0-5.16.1 | | | [4508830](#4508830)
| Cumulus Linux allows you to add bond ports of mismatched speeds (such as 10G and 25G) to the same LACP bond without error and the bond reports UP. | 5.11.2-5.16.1 | | | [4499025](#4499025)
| You see a high volume of NAT and NFCT errors flooding switchd logs. This issue has no functional impact. | 5.11.2-5.16.1 | | | [4495231](#4495231)
| If the hardware clock date is later than 2038-01-19 03:14:07 UTC, the image might fail to install due to a grub-install failure on the EFI filesystem, which is a VFAT filesystem. As a result, you see the grub prompt immediately after reboot. To work around this issue, reboot from the grub prompt to go into ONIE. From ONIE, use the date command to set a date before 2038-01-19, then run the hwclock --systohc command to add it to the hardware clock. You can then use onie-nos-install to install the image. | 5.9.0-5.16.1 | | | [4486200](#4486200)
| If you enable dynamic NAT and try to install two identical dynamic NAT rules, switchd might crash. | 5.11.2-5.13.1 | 5.14.0-5.16.1| | [4475111](#4475111)
| When you try to convert a layer 3 port that is part of ECMP to a bond member, you might see a failure in the switchd logs. This issue does not have any functional impact. | 5.11.2-5.16.1 | 5.9.4| -| [4472414](#4472414)
| After you modify the IP address of an SVI, DHCP relay uses an old cached IP address instead of the changed IP address. This occurs because DHCP relay monitors the link state change not IP address change. | 5.11.0-5.14.0 | 5.15.0-5.16.1| +| [4472414, 4621451](#4472414, 4621451)
| After you modify the IP address of an SVI, DHCP relay uses an old cached IP address instead of the changed IP address. This occurs because DHCP relay monitors the link state change not IP address change. | 5.11.0-5.14.0 | 5.15.0-5.16.1| | [4466525](#4466525)
| Radius priority values can range between 1 and 8; however Cumulus Linux allows you to configure an invalid priority. | 5.12.0-5.13.1 | 5.14.0-5.16.1| | [4461102](#4461102)
| In certain cases, when a port is down and you apply adaptive routing with the link utilization threshold setting to the port as it goes up, you might see log errors while the port is not yet up. | 5.11.0-5.13.1 | 5.14.0-5.16.1| | [4427224](#4427224)
| The nv show interface command output shows the operational status as down for a link flap error disabled state instead of the real protodown reason. To work around this issue, run the nv show interface status command, which shows if any of the interfaces are protodown with the protodown reason. | 5.12.0-5.13.1 | 5.14.0-5.16.1| @@ -272,13 +272,13 @@ pdfhidden: True | [4403127](#4403127)
| When you use BGP prefix independent convergence (PIC) with IPv6, cl-route-check might show errors due to a discrepancy in the IPv4-mapped IPv6 SOO route string format across FRR and the kernel. This is a display-only issue and has no impact on routing functionality. | 5.12.0-5.12.1 | 5.13.0-5.16.1| | [4391394](#4391394)
| When using DHCP snooping , access ports do not work as trust ports or server connection ports . | 5.12.0-5.12.1 | 5.11.2, 5.13.0-5.16.1| | [4389433](#4389433)
| On switches with ONIE 5.3.0012 (might be displayed as 2023.11-5.3.0012-115200), reinstalling Cumulus Linux with onie-install when SecureBoot is enabled fails during CMS verification of a found image.
To determine the ONIE version on the switch:
sudo mount LABEL="ONIE-BOOT" /mnt
/mnt/onie/tools/bin/onie-version
If the ONIE version is earlier than 5.3.0012 (might be displayed as 2023.11-5.3.0012-115200), either disable SecureBoot during reinstallation, or if SecureBoot is enabled and ONIE finds the image on one of the disks (for example, /dev/sda5), then fails CMS verification, log into the ONIE shell as root and run the following commands:
onie-stop
mkdir /$devname
mount $devname /$devname
onie-nos-install /$devname/onie-installer
| 5.12.0-5.13.1 | 5.14.0-5.16.1| -| [4380671](#4380671)
| Slow bandwidth and traffic polarization occurs when you create a significant number of next hop groups with adaptive routing weighted equal cost multipath (W-ECMP). | 5.12.0-5.12.1 | 5.13.0-5.16.1| +| [4380671, 4363822](#4380671, 4363822)
| Slow bandwidth and traffic polarization occurs when you create a significant number of next hop groups with adaptive routing weighted equal cost multipath (W-ECMP). | 5.12.0-5.12.1 | 5.13.0-5.16.1| | [4378226](#4378226)
| On Spectrum-1a switches with IGMP snooping enabled, a multicast hardware programming failure might occur after interface flap or switch reboot events. You can observe this issue when log messages similar to the following are generated:
sx_sdk[18174]: ERROR   FDB: Usage API type can not be changed for 0x1003 fid.
sx_sdk[18174]: ERROR   FDB: Failed to __fdb_unreg_mc_flood_cfg_api_type_set , err: Command Unpermitted
switchd[19460]: hal_mlx_l2mc.c:1107 ERR VFID: 4099, Failed to set unregistered IPv4 MC mode FLOOD and attr MCC 0: Command Unpermitted
| 5.12.0-5.12.1 | 5.11.2, 5.13.0-5.16.1| | [4373436](#4373436)
| The snmpd service generates debugging logs of sudo calls. To work around this issue, disable sudo logging for the specific commands run by the Debian-snmp user in the /etc/sudoers.d/snmp file by adding Defaults:Debian-snmp !syslog. | 5.11.0-5.11.1, 5.12.0-5.12.1 | 5.11.2, 5.13.0-5.16.1| | [4370954](#4370954)
| After enabling, then disabling truncation on a SPAN session, truncated packets are still received on the SPAN destination. To work around this issue, remove the SPAN session configuration, reboot the switch, then reconfigure the SPAN session without truncation. | 5.12.0-5.16.1 | | -| [4370702](#4370702)
| NVUE commands create excessive log data. To work around this issue, configure rsyslog rules to limit logging of these commands. | 5.11.0-5.11.1, 5.12.0-5.12.1 | 5.11.2, 5.13.0-5.16.1| +| [4370702, 4360680](#4370702, 4360680)
| NVUE commands create excessive log data. To work around this issue, configure rsyslog rules to limit logging of these commands. | 5.11.0-5.11.1, 5.12.0-5.12.1 | 5.11.2, 5.13.0-5.16.1| | [4360615](#4360615)
| The control plane trap group counters are not associated correctly with the right trap group. | 5.11.0-5.12.1 | 5.13.0-5.16.1| -| [4352307](#4352307)
| After a factory reset, the files in the /etc/pam.d/ directory might be incorrect, causing problems with password strength checking, TACACS+, RADIUS, and LDAP. To work around this issue, run the following command:
cumulus@switch:~$ sudo /usr/sbin/pam-auth-update --force --package
| 5.12.0-5.12.1 | 5.11.2, 5.13.0-5.16.1| +| [4352307, 4210596](#4352307, 4210596)
| After a factory reset, the files in the /etc/pam.d/ directory might be incorrect, causing problems with password strength checking, TACACS+, RADIUS, and LDAP. To work around this issue, run the following command:
cumulus@switch:~$ sudo /usr/sbin/pam-auth-update --force --package
| 5.12.0-5.12.1 | 5.11.2, 5.13.0-5.16.1| | [4347300](#4347300)
| When all links go down or the switch reboots, you see next hop group churn from Zebra to the SOO next hop group. This issue might cause some convergence degradation. | 5.12.0-5.12.1 | 5.13.0-5.16.1| | [4347029](#4347029)
| When you use the NVUE nv set qos congestion-control traffic-class min-threshold-bytes command to set an ECN Profile, you must configure the minimum threshold according to the platform:
On the Spectrum-4 switch, the cell-size is 192 bytes. The minimum buffer must be a multiple of 64; therefore, the initial value is 192*64 (12KB).
On the Spectrum-3 switch, the cell-size is 144 bytes. The minimum size is 144*64 (9KB). | 5.12.0-5.12.1 | 5.11.2, 5.13.0-5.16.1| | [4341806](#4341806)
| The BGP uptime differs between vtysh and NVUE command output. | 5.12.0-5.13.1 | 5.14.0-5.16.1| @@ -288,7 +288,7 @@ pdfhidden: True | [4335287](#4335287)
| ERSPAN does not work when the ERSPAN destination IP address is reachable over SVIs and layer 2 bonds. To work around this issue, make the ERSPAN destination IP address reachable over layer 3 swps or bond interfaces. | 5.11.0-5.11.1, 5.12.0-5.12.1 | 5.11.2, 5.13.0-5.16.1| | [4335117](#4335117)
| Under rare circumstances, firmware on an NVIDIA SN3700 switch can get locked up, which leads to the switchd process going down. | 5.12.0-5.12.1 | 5.13.0-5.16.1| | [4329931](#4329931)
| Cumulus Linux incorrectly allows SyncE and PPS to be enabled at the same time. Upgrading systems with both features configured using NVUE to 5.12.0 or later results in a failure to apply the startup configuration as part of the first boot of the upgraded version. To work around the issue, unset one of the features before you upgrade. | 5.12.0-5.16.1 | | -| [4328729](#4328729)
| When sending control packets that have the port range 259 through 1023 in their TX base header system target (above cap_max_system_ports and below cap_ports used for LAG forwarding), a fatal health event occurs on the switch. The port range 259 through 1023 reflects illegal system ports; do not set these values in the control packet TX base header. As this range reflects illegal system ports, do not set these values in the control packet TX base header, as it will be dropped. | 5.10.1-5.12.1 | 5.13.0-5.16.1| +| [4328729, 4261676](#4328729, 4261676)
| When sending control packets that have the port range 259 through 1023 in their TX base header system target (above cap_max_system_ports and below cap_ports used for LAG forwarding), a fatal health event occurs on the switch. The port range 259 through 1023 reflects illegal system ports; do not set these values in the control packet TX base header. As this range reflects illegal system ports, do not set these values in the control packet TX base header, as it will be dropped. | 5.10.1-5.12.1 | 5.13.0-5.16.1| | [4318464](#4318464)
| When connecting two NVIDIA devices using DAC in auto-negotiation mode with 100GbE R1 (one lane) port speed, the link goes down. To avoid this issue, use firmware version xx.2014.3xxx and above on both sides. | 5.12.0-5.12.1 | 5.13.0-5.16.1| | [4309876](#4309876)
| When you configure an invalid switch port (swp), NVUE adds the invalid configuration instead of rejecting it. The invalid interface in the configuration does not have any functional impact. | 5.12.0-5.16.1 | | | [4308857](#4308857)
| When you use tls_crlcheck in the /etc/nslcd.conf file, the optional nslcd service fails due to a missing library. | 5.9.2-5.9.3, 5.12.0-5.16.1 | 5.9.4| @@ -300,45 +300,45 @@ pdfhidden: True | [4290629](#4290629)
| The NVUE nv show interface qos command takes approximately two minutes to display output. To work around this issue, fetch only the sub commands that are part of the nv show interface qos, command such as buffer, congestion-control, pfc, and so on. | 5.12.0-5.12.1 | 5.11.2, 5.13.0-5.16.1| | [4286833](#4286833)
| When you change the port breakout configuration, the switch deletes, then recreates the port and the sflow configuration on the port resets. However, switchd continues to retain sflow configuration for the same logical ID, which leads to divergence in sflow configuration in the SDK and switchd; switchd sees sflow enabled for the port but in the SDK the ports gets reset to disabled. | 5.12.0-5.12.1 | 5.13.0-5.16.1| | [4286489](#4286489)
| Optimized (two partition) upgrade and rollback fails when you apply configuration by editing the /etc/nvue.d/startup.yaml file, then run nv config apply startup. To work around this issue, after activating optimized upgrade, but before rebooting, save a copy of the contents of /var/lib/nvue/ to some other location. Then, after activating rollback, but before rebooting, move /var/lib/nvue/ to some other location and copy the previously saved contents to /var/lib/nvue/. | 5.12.0 | 5.11.1, 5.12.1-5.16.1| -| [4281438](#4281438)
| The first time you run the nv show interface rates command, an internal error occurs. | 5.12.0-5.12.1 | 5.13.0-5.16.1| +| [4281438, 4257936](#4281438, 4257936)
| The first time you run the nv show interface rates command, an internal error occurs. | 5.12.0-5.12.1 | 5.13.0-5.16.1| | [4277042](#4277042)
| On the NVIDIA SN5600 switch, you see low power alarms immediately after a reboot. The alarms disappear after showing up initially. Certain modules typically show low power alarms on initialization. No action is needed. | 5.12.0-5.16.1 | | | [4270240](#4270240)
| Statically configured VXLAN FDB entries do not age out. | 5.12.0-5.12.1 | 5.13.0-5.16.1| -| [4255639](#4255639)
| When all links go down or the switch reboots, you see next hop group churn from Zebra to the SOO next hop group. This issue might cause some convergence degradation. | 5.12.0-5.12.1 | 5.13.0-5.16.1| +| [4255639, 4326989](#4255639, 4326989)
| When all links go down or the switch reboots, you see next hop group churn from Zebra to the SOO next hop group. This issue might cause some convergence degradation. | 5.12.0-5.12.1 | 5.13.0-5.16.1| | [4249096](#4249096)
| Binary upgrade from Cumulus Linux 4.3.1 to 5.12.0 and later is not supported. To work around this issue, perform a binary upgrade from Cumulus Linux 4.3.1 to 5.9.0, then perform a binary upgrade from Cumulus Linux 5.9.0 to 5.12.0 or later. | 5.12.0-5.16.1 | | | [4236419](#4236419)
| On the Spectrum-3 switch, the PTP offset for 25GbE fluctuates within a range of plus or minus 50 nanoseconds beyond the expected values. | 5.12.0-5.16.1 | | -| [4215613](#4215613)
| After a remote link flap, neighbor entries using the link might not get resolved immediately. Only when some traffic uses the nexthop will they be resolved. | 5.12.0-5.12.1 | 5.11.2, 5.13.0-5.16.1| +| [4215613, 4255653, 4335726](#4215613, 4255653, 4335726)
| After a remote link flap, neighbor entries using the link might not get resolved immediately. Only when some traffic uses the nexthop will they be resolved. | 5.12.0-5.12.1 | 5.11.2, 5.13.0-5.16.1| | [4214678](#4214678)
| Changes to open telemetry configuration or export states restarts the telemetry service and resets all health metrics. | 5.12.0-5.16.1 | | -| [4210596](#4210596)
| After a factory reset, the files in the /etc/pam.d/ directory might be incorrect, causing problems with password strength checking, TACACS+, RADIUS, and LDAP. To work around this issue, run the following command:
cumulus@switch:~$ sudo /usr/sbin/pam-auth-update --force --package
| 5.12.0-5.12.1 | 5.11.2, 5.13.0-5.16.1| +| [4210596, 4352307](#4210596, 4352307)
| After a factory reset, the files in the /etc/pam.d/ directory might be incorrect, causing problems with password strength checking, TACACS+, RADIUS, and LDAP. To work around this issue, run the following command:
cumulus@switch:~$ sudo /usr/sbin/pam-auth-update --force --package
| 5.12.0-5.12.1 | 5.11.2, 5.13.0-5.16.1| | [4177067](#4177067)
| When performing a package upgrade, nslcd installation might open an interactive dialog to configure nslcd.conf .
To avoid this interactive dialog, set the DEBIAN_FRONTEND environment variable to noninteractive. For example:
cumulus@switch:~$ sudo apt-get update
cumulus@switch:~$ sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold" upgrade
| 5.11.0-5.16.1 | | -| [4154839](#4154839)
| When you run certain SDK commands (such as sudo sx_api_port_counter_dump_all.py or sx_api_fdb_dump) first as the cumulus user, then with sudo, you see the following error:
PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt'

To resolve this issue, run the rm -rf /tmp/python_err_log.txt command. | 5.11.0-5.16.1 | | +| [4154839, 4280933, 4291934](#4154839, 4280933, 4291934)
| When you run certain SDK commands (such as sudo sx_api_port_counter_dump_all.py or sx_api_fdb_dump) first as the cumulus user, then with sudo, you see the following error:
PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt'

To resolve this issue, run the rm -rf /tmp/python_err_log.txt command. | 5.11.0-5.16.1 | | | [4144021](#4144021)
| Shutting down port 65 or 66 on the NVIDIA Spectrum-4 switch leaves the opposite port up when using MLNX SFP-T and RJ45 connections. Spectrum-4 switches do not support SFP-T modules on ports 65 and 66. | 5.10.0-5.12.1 | 5.13.0-5.16.1| | [4142857](#4142857)
| The switch drops PTP packets received with extra ethernet padding and you see syslog [ptp4l.ERR] messages. | 5.10.0-5.16.1 | | -| [4139511](#4139511)
| When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue.
[ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds
[ 1903.846724] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.852689] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.861573] hwmon hwmon28: Failed to query module temperature
| 5.11.0-5.16.1 | | +| [4139511, 4184813, 4180112](#4139511, 4184813, 4180112)
| When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue.
[ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds
[ 1903.846724] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.852689] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.861573] hwmon hwmon28: Failed to query module temperature
| 5.11.0-5.16.1 | | | [4134447](#4134447)
| The journal logs might include the error message ERR kernel: [ 7.453789] usb usb2-port2: connect-debounce failed. You can safely ignore this log message. | 5.11.0-5.16.1 | | | [4129757](#4129757)
| If you include a comma in the BGP community list, extended community list, or large community list regex expression of a routing policy, you see error messages and FRR reload fails. Make sure the regex expression does not contain a comma.
For example, instead of ^65550:([0-9]{1,2}\|[1-9][1-9]):.*$, specify ^65550:([0-9]\|[0-9][0-9]):.*$ and instead of ^65550:([0-4]{1,2}\|[7-9][8-9]):.*$, specify ^65550:([0-4]\|[0-4][0-4]\|[7-9][8-9]):.*$. | 5.11.0-5.16.1 | | | [4128952](#4128952)
| Cumulus Linux does not support LDAP over IPv6. | 5.11.0-5.12.1 | 5.13.0-5.16.1| | [4128912](#4128912)
| When you use PPS IN, PTP might show a high offset. The offset might be around an offset value. For example, around 60 ns or 80 ns. To work around this issue, set the cable compensation value. For 60 ns, run the nv set platform pulse-per-second in timestamp-correction -60 command to set the compensation. | 5.11.0-5.12.1 | 5.13.0-5.16.1| -| [4124376](#4124376)
| The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier).
To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in Downgrade a Secure Boot Switch. | 5.11.0-5.16.1 | | +| [4124376, 4316163](#4124376, 4316163)
| The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier).
To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in Downgrade a Secure Boot Switch. | 5.11.0-5.16.1 | | | [4118970](#4118970)
| When running PTP, the performance for 100Gx2 and 400Gx8 can have a high offset in up to 1.5% of the sampling. | 5.11.0-5.16.1 | | -| [4105127](#4105127)
| Any sFlow configuration changes that require an hsflowd restart are operational only after an initial delay of 60 seconds. | 5.11.0-5.16.1 | | +| [4105127, 4796391](#4105127, 4796391)
| Any sFlow configuration changes that require an hsflowd restart are operational only after an initial delay of 60 seconds. | 5.11.0-5.16.1 | | | [4100629](#4100629)
| NVUE show command outputs show LLDP neighbor changes only after the LLDP update frequency multiplied by the hold time. | 5.11.0-5.16.1 | | | [4082210](#4082210)
| When you change the CPU resource limit with the nv set service control rsyslog resource-limit cpu command, the rsyslog agent does not start. To work around this issue, increase the CPU resource limit, then restart the service manually. | 5.11.0-5.16.1 | | | [4077921](#4077921)
| You cannot use package upgrade to upgrade from Cumulus Linux 5.9.2 to Cumulus Linux 5.10.1 or later. You must install the Cumulus Linux image instead. | 5.10.1-5.16.1 | | -| [4049213](#4049213)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | +| [4049213, 4186873](#4049213, 4186873)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | | [4048583](#4048583)
| If there are failures in MSTPD or a port is not updated in the database, the NVUE nv show bridge domain stp command might not work and might produce errors even when STP has data for other working ports or VLANs. This is a display issue only and does not impact functionality. | 5.10.0-5.12.1 | 5.13.0-5.16.1| | [4047798](#4047798)
| Packet distribution based on ECMP hashing using GTP-TEID does not function as expected in an EVPN Clos topology. | 5.10.0-5.16.1 | | | [4030380](#4030380)
| When you roll back interface configuration to the default setting with the nv unset interface command, NVUE removes the complete entry for the interface from the /etc/network/interface file, and puts the interface in admin down. As a result, you cannot configure FEC on the interface at the lower layers. | 5.10.0-5.16.1 | | | [4019256](#4019256)
| If you change the switch hostname, the histogram data producer service restarts. | 5.10.0-5.12.1 | 5.13.0-5.16.1| -| [4005422](#4005422)
| When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the systemctl enable ntpsec@ and systemctl restart ntpsec@ commands. | 5.10.0-5.16.1 | | +| [4005422, 4015452](#4005422, 4015452)
| When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the systemctl enable ntpsec@ and systemctl restart ntpsec@ commands. | 5.10.0-5.16.1 | | | [3985682](#3985682)
| On Spectrum-4 switches, multicast flows containing packets smaller than 512 bytes might not reach full line rate. Cumulus Linux supports 512 byte and larger multicast packets. | 5.10.0-5.16.1 | | | [3966312](#3966312)
| When connecting the SN5xxx switch to third party test equipment (such as IXIA) using copper cables at 100GbE, 200GbE, 400GbE, or 800GbE, links do not come up. | 5.10.0-5.16.1 | | | [3948068](#3948068)
| On the SN3700 and SN3700c switch, the nv show platform environment voltage command output shows a failed state for the PSU-n-12V-RAIL-OUT sensors. This is a known hardware limitation that cannot be corrected by the PSU vendor. | 5.10.0-5.16.1 | | | [3915878](#3915878)
| If you configure remote syslog export through a non-default VRF, you might see repeated error logs from the rsyslog process while the switch is booting:
rsyslogd: create UDP socket bound to device failed: No such device [v8.2302.0]rsyslogd: No UDP socket could successfully be initialized, some functionality may be disabled.  [v8.2302.0]

The logs occur because the rsyslog service starts before the networking service creates the configured VRF for syslog export. There is no functional impact with this issue. | 5.9.0-5.16.1 | | -| [3879809](#3879809)
| Spectrum-4 switches do not include full What Just Happened (WJH) support. | 5.9.0-5.13.1 | 5.14.0-5.16.1| +| [3879809, 4064254](#3879809, 4064254)
| Spectrum-4 switches do not include full What Just Happened (WJH) support. | 5.9.0-5.13.1 | 5.14.0-5.16.1| | [3879717](#3879717)
| Running snmpwalk on the switch with the management IP address does not work. To work around this issue, use the localhost option (snmpwalk -v 2c -c public28 localhost 1.3.6.1.2.1.14) or create a control plane ACL whitelist rule. | 5.10.0-5.16.1 | | | [3878394](#3878394)
| When ZTP runs a script that contains wget, ZTP fails and you see a message similar to the following:
ZTP: ZTP DHCP: Unexpected error: 'ascii' codec can't decode byte 0xe2 in position 181: ordinal not in range(128)ZTP: Script returned failure

To work around this issue, use the -q option with wget. | 5.9.0-5.16.1 | | | [3877516](#3877516)
| When you connect two NVIDIA switches and configure 400G speed in force mode, links don't come up.
To work around this issue, make sure auto-negotiation is always on when connecting NVIDIA to NVIDIA in PAM4. | 5.9.0-5.16.1 | | -| [3875687](#3875687)
| After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the Local Vtep Ip field of the nv show evpn vni command output. To work around this issue, either run the ifup command or reboot the switch. | 5.9.0-5.13.1 | 5.14.0-5.16.1| +| [3875687, 3879260, 4025900](#3875687, 3879260, 4025900)
| After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the Local Vtep Ip field of the nv show evpn vni command output. To work around this issue, either run the ifup command or reboot the switch. | 5.9.0-5.13.1 | 5.14.0-5.16.1| | [3875373](#3875373)
| When you run the nv config apply empty command, NVUE removes the cumulus user. If you are logged in as the cumulus user when you run the nv config apply empty command, the command fails. | 5.9.0-5.16.1 | | | [3861745](#3861745)
| On UEFI hardware (where the /sys/firmware/efi directory exists), using the update-grub program might generate a /boot/grub/grub.cfg that is incorrect for booting ONIE if the ONIE option is selected on the console while booting. To work around this issue, run mount LABEL="EFI System" /boot/efi before using update-grub. | 5.9.0-5.16.1 | | | [3855796](#3855796)
| When configuring a Unicast Master Table for clients, the server addresses must be reachable and the route to the destination must exist. The unicast table can have one directly-connected port for a client. This restriction is only for directly connected ports and doesn't apply to Unicast Servers on other devices or switches. | 5.9.0-5.16.1 | | @@ -353,17 +353,17 @@ pdfhidden: True | [3637444](#3637444)
| Applying an inbound control plane ACL on the eth0 management interface does not take effect. To work around this issue, apply the ACL on the mgmt interface; for example, nv set interface mgmt acl inbound control-plane. | 5.7.0-5.16.1 | | | [3591918](#3591918)
| The nv action disconnect system aaa user command does not clear all open sessions. To work around this issue, run the command as many times as the number of sessions. | 5.6.0-5.16.1 | | | [3587393](#3587393)
| If you use the NVIDIA SN5600 (Spectrum-4) switch with Ixia test equipment, you might experience delayed link up due to intermittent link flaps.
To work around this issue when using copper cables:
  • Use Ixia IxOS version 9.37 with HF002156, or version 9.39 or later.
  • Use the DAC cable on ports 10 through 50.
  • Use NVIDIA cables with the recommended firmware revision.
  • Configure AN on the Cumulus Linux switch and AN/LT on Ixia.

To work around this issue when using fiber cables:
  • Configure 800g/Force.
  • Use the recommended NVIDIA optical adapters.
| 5.6.0-5.16.1 | | -| [3556762](#3556762)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | +| [3556762, 3463827](#3556762, 3463827)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | | [3540510](#3540510)
| 400Gx8 ports only support traffic line rate with packets that are larger than 172 bytes. | 5.6.0-5.16.1 | | -| [3538321](#3538321)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | +| [3538321, 3564344](#3538321, 3564344)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | | [3497622](#3497622)
| When you remove PSUs, then plug them back in, you might experience traffic loss and some ports might be in a down state. | 5.6.0-5.16.1 | | | [3472163](#3472163)
| On a switch with the Spectrum-4 ASIC, packets that are smaller than 256 bytes are not included in multicast flows. Multicast flows support packets that are 256 bytes or larger. | 5.6.0-5.16.1 | | | [3444490](#3444490)
| Migration from ONYX to Cumulus Linux is supported and tested with ONYX version 3.10.4302 GA only. | 5.6.0-5.16.1 | | -| [3442569](#3442569)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | -| [3430430](#3430430)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | -| [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | +| [3442569, 3520880, 3586421](#3442569, 3520880, 3586421)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | +| [3430430, 3337848](#3430430, 3337848)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | +| [3424967, 3413785](#3424967, 3413785)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [3414866](#3414866)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | +| [3414866, 3536555, 4465009, 4509253, 4732973](#3414866, 3536555, 4465009, 4509253, 4732973)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | | [3362113](#3362113)
| If you restore an NVUE startup.yaml file or run the nv config patch command after an upgrade that includes breakout ports with QoS configuration, the NVUE configuration fails to apply. Subsequent attempts to run nv config apply fail with a message similar to Invalid config [rev_id: 11] qos config is not supported on the following invalid interface: swp1s0. Supported on swp and bond interface types. To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. | 5.4.0-5.16.1 | | | [3347538](#3347538)
| When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.16.1 | | | [3341214](#3341214)
| If you use the NVUE REST API to configure a local user with a hashed password, the user cannot log in and the /etc/nvue.d/startup.yaml file shows the password as plain text. | 5.4.0-5.16.1 | | @@ -373,10 +373,10 @@ pdfhidden: True | [3253218](#3253218)
| Auto-negotiation isn't supported on Spectrum-2 and Spectrum-3 switches using the 1G SFP-T module; FORCE 1G is configured instead. | 5.4.0-5.16.1 | | | [3241567](#3241567)
| When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time. | 5.3.0-5.16.1 | | | [3226506](#3226506)
| The l1-show eth0 command does not show port information and is not supported in this release. | 5.3.0-5.16.1 | | -| [3225117](#3225117)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | +| [3225117, 3158720](#3225117, 3158720)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | | [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.16.1 | | | [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.16.1 | | -| [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | +| [3145869, 3430508, 3543102](#3145869, 3430508, 3543102)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | | [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example: 
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.16.1 | | | [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.16.1 | | | [3103821](#3103821)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.16.1 | | @@ -386,8 +386,8 @@ pdfhidden: True | [3061656](#3061656)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.16.1 | | | [2972540](#2972540)
| With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.16.1 | | | [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.16.1 | | -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [2885305](#2885305)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2885305, 2887500, 3234087, 3074929, 3293192](#2885305, 2887500, 3234087, 3074929, 3293192)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.16.1 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.16.1 | | | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | @@ -397,10 +397,10 @@ pdfhidden: True ### Fixed Issues in 5.12.0 | Issue ID | Description | Affects | |--- |--- |--- | -| [4558846](#4558846)
| If interface statistics telemetry is running on the switch, an interface_stats_collector core file might generate during statistics collection. | 5.11.0-5.11.5 | | +| [4558846, 4237198](#4558846, 4237198)
| If interface statistics telemetry is running on the switch, an interface_stats_collector core file might generate during statistics collection. | 5.11.0-5.11.5 | | | [4522594](#4522594)
| In a VXLAN environment, if the bridge MAC address changes for a VTEP, the switch drops VXLAN traffic entering this VTEP from a remote VTEP. The switch only drops layer 3 routed VXLAN traffic because the RMAC is not updated correctly in the SDK. | 5.11.1-5.11.5 | | -| [4280823](#4280823)
| When you configure an invalid switch port (swp), NVUE adds the invalid configuration instead of rejecting it. The invalid interface in the configuration does not have any functional impact. | | | -| [4277143](#4277143)
| After a factory reset with the nv action reset system factory-default force command, RADIUS does not fully reset; the radius-cmd-acct package is not installed correctly and includes missing files. In addition, /etc/pam.d/common-auth is incorrect. | 5.11.0 | | +| [4280823, 3537335](#4280823, 3537335)
| When you configure an invalid switch port (swp), NVUE adds the invalid configuration instead of rejecting it. The invalid interface in the configuration does not have any functional impact. | | | +| [4277143, 4277148](#4277143, 4277148)
| After a factory reset with the nv action reset system factory-default force command, RADIUS does not fully reset; the radius-cmd-acct package is not installed correctly and includes missing files. In addition, /etc/pam.d/common-auth is incorrect. | 5.11.0 | | | [4270957](#4270957)
| Optimized (two partition) upgrade from Cumulus Linux 5.11.0 requires approximately 2.4 Gbytes of free space in /var after downloading the image with NVUE commands instead of 1.6 Gbytes of free space. Upgrade needs the extra space for an additional copy of the downloaded image in /var . | 5.11.0-5.11.5 | | | [4256151](#4256151)
| After rebooting the spine switch in an EVPN multihoming configuration, the BGP EVPN Type-2 entry is missing, which causes flooding and duplicates in the fabric. To work around this issue, flush the IP neighbor entries with the sudo ip neigh flush x.x.x.x command. | 5.9.1-5.9.3, 5.11.0 | | | [4251984](#4251984)
| NVUE prevents you from setting the IPv6 RA lifetime to 0 (zero). Use vtysh mode to apply the setting. | 5.11.0 | | @@ -417,7 +417,7 @@ pdfhidden: True | [4205103](#4205103)
| On rare occasions, platform drivers capture the firmware state as being in ISSU when it is not the case. This causes the ASIC temperature to be read as 0, which causes the thermal algorithm to set fan speeds to low. As a result, the switch can get overheated and undergo a thermal shutdown. To work around this issue, reboot or powercycle the switch. | 5.11.0 | | | [4205060](#4205060)
| Debian 12 does not support LDAP SSL CRL check. Cumulus Linux now uses CRL file. | 5.11.0-5.11.5 | | | [4203794](#4203794)
| The nv show platform transceiver command sometimes does not show transceiver data for layer 3 Dot1q subinterfaces (such as swp2.10). To work around this issue, run the ethtool -m command. | 5.11.0 | | -| [4203784](#4203784)
| Under unique hardware failure conditions, when the ASIC temperature sensor read fails repeatedly, the fans are set to twenty percent, which might not be high enough to maintain proper ASIC cooling, resulting in a thermal shutdown. | 5.11.0 | | +| [4203784, 4203785](#4203784, 4203785)
| Under unique hardware failure conditions, when the ASIC temperature sensor read fails repeatedly, the fans are set to twenty percent, which might not be high enough to maintain proper ASIC cooling, resulting in a thermal shutdown. | 5.11.0 | | | [4200758](#4200758)
| The nv show service ntp command shows the peers that are discovered together with the configured NTP servers instead of displaying only the NTP configuration. As a result, the applied and operational columns have different values, which causes confusion. | 5.11.0 | | | [4200742](#4200742)
| Due to hardware limitations in the MPS2975, the minimum threshold for PMIC-12-COMEX-VCORE-OUT is fixed and cannot be set to zero. While a threshold violation warning might appear, system functionality remains unaffected, and the current configuration is maintained to ensure device compatibility. | 5.11.0 | | | [4199734](#4199734)
| The nv show system ztp command might report an error when you use a system local that represents time differently from %a %b %d %H:%M:%S %Y %Z. | 5.11.0 | | @@ -431,7 +431,7 @@ pdfhidden: True | [4182753](#4182753)
| When you configure the SPAN port mirror truncate size to a value greater than four and less than the supported minimum, NVUE allows the configuration even though there are errors and failures in the mirror session configuration.
The supported values for truncate size are 32 to 4088 for Spectrum 1, 48 to 4088 for Spectrum-2 and Spectrum-3, and 64 to 4088 for Spectrum-4.
To work around this issue, run the echo > /cumulus/switchd/config/mirror/session/1/truncate_size command before you reconfigure mirror sessions with the supported values. | 5.8.0-5.9.3 | | | [4176931](#4176931)
| The nv show platform firmware command results in a Python traceback and takes a long time to complete because the VX image does not support the smartctl utility. | 5.11.0-5.11.5 | | | [4175695](#4175695)
| If all of the neighbors returned in the nv show vrf router bgp neighbor command output have no address-family configuration, you see an internal error when the nested table in the output is being rendered. | 5.10.0-5.11.0 | | -| [4174646](#4174646)
| On the NVIDIA SN5400 and SN5600 switch, the fans might run at full speed when it is not necessary. | 5.10.1-5.11.5 | | +| [4174646, 4042294](#4174646, 4042294)
| On the NVIDIA SN5400 and SN5600 switch, the fans might run at full speed when it is not necessary. | 5.10.1-5.11.5 | | | [4170628](#4170628)
| If you use a bridge name other than br_default, PTP neighbors fail to establish because the PTP packets are sourced from an unexpected IP address.
To work around this issue, configure the base-interface for the VLAN interface with the nv set interface base-interface command. | 5.10.0-5.11.0 | | | [4159554](#4159554)
| When you configure EVPN multihoming with more than one ESI bond member, you might see intermediate traffic loss. | 5.9.1-5.9.3 | | | [4156332](#4156332)
| On the Spectrum-4 switch, switchd might crash with the following log message:
CRIT Restarting switchd to recover from SDK health event: FW Long Command
| 5.10.1-5.11.0 | | @@ -445,7 +445,7 @@ pdfhidden: True | [4127315](#4127315)
| If you set BGP community-advertise large to off with NVUE, large communities are still sent to BGP peers. To resolve this issue, NVUE has changed the default value of community-advertise large from off to on. | 5.11.0-5.11.5 | | | [4122591](#4122591)
| The NVUE nv set system aaa ldap ssl ca-list command shows the following error if you use the string option:
Error: At ca-list: '/etc/ssl/certs/ca-cert.crt' is not one of ['default', 'none']
| 5.11.0-5.11.5 | | | [4115126](#4115126)
| When IPv4 layer 3 switch ports and virtual interfaces flap, switchd might send an ICMP Reply message instead of an ARP request (although no ICMP request was sent). Multiple ICMP Replies might be sent to any of the neighbor IP addresses of that interface. | 5.9.2-5.9.3 | | -| [4101560](#4101560)
| The nv set vrf router rib fib-filter route-map command only works if you restart FRR after you run the command. To work around this issue, attach the route map to each needed protocol; for example, run the nv set vrf router rib fib-filter protocol route-map command. | 5.11.0-5.11.5 | | +| [4101560, 4101440](#4101560, 4101440)
| The nv set vrf router rib fib-filter route-map command only works if you restart FRR after you run the command. To work around this issue, attach the route map to each needed protocol; for example, run the nv set vrf router rib fib-filter protocol route-map command. | 5.11.0-5.11.5 | | | [4052578](#4052578)
| When you perform a binary upgrade from Cumulus Linux 5.8 or earlier to 5.9.0 or later with a pre-staged startup.yaml file, the cumulus user password is reset to the default password because there is no default startup.yaml file present in 5.8.0 or earlier. To work around this issue, generate the startup.yaml file from the existing NVUE configuration. | 5.9.2-5.11.5 | | -| [3844670](#3844670)
| When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the nv config patch command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with systemctl restart nvued.service. | 5.9.0-5.11.1 | | +| [3844670, 3875789, 3933038](#3844670, 3875789, 3933038)
| When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the nv config patch command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with systemctl restart nvued.service. | 5.9.0-5.11.1 | | diff --git a/content/cumulus-linux-512/rn.xml b/content/cumulus-linux-512/rn.xml index be60bc3ebf..9c77cbaef2 100644 --- a/content/cumulus-linux-512/rn.xml +++ b/content/cumulus-linux-512/rn.xml @@ -1301,7 +1301,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 5.16.0-5.16.1 -4751060 +4751060, 4637733 If the switch filesystem is overloaded or memory is exhausted, you see very slow responses from the filesystem and the SDK might fail with a fatal error similar to: sxd_kernel: Health-Check: new failure (dev=1, severity='Fatal', cause=10 ['SDK thread issue'], irisc=255, desc='Health check: SDK thread [sxSniffer] TID [0x7f81cffff6c0] bit [4] does not respond [5] seconds') 5.12.0-5.15.1 @@ -1406,7 +1406,7 @@ To work around this issue, verify system boot mode with the {{nv show system reb -4579237 +4579237, 4579234 If interface statistics telemetry is running on the switch, an {{interface_stats_collector}} core file might generate during statistics collection. 5.11.3-5.16.1 @@ -1458,7 +1458,7 @@ To work around this issue, restart the FRR service using the {{sudo systemctl re -4531952 +4531952, 4518822 When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface {{vlan10}}, the route might install against {{vlan10-v0}}. This prevents next-hop tracking and route installation into hardware. This issue can occur in the following conditions: <ul><li>When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.</li> @@ -1484,7 +1484,7 @@ To work around this issue, power cycle the switch. 5.14.0-5.16.1 -4509255 +4509255, 4546858 In PTP two-step, the hardware incorrectly modifies the SYNC message correction field. 5.12.0-5.16.1 @@ -1520,7 +1520,7 @@ To work around this issue, power cycle the switch. 5.9.4 -4472414 +4472414, 4621451 After you modify the IP address of an SVI, DHCP relay uses an old cached IP address instead of the changed IP address. This occurs because DHCP relay monitors the link state change not IP address change. 5.11.0-5.14.0 5.15.0-5.16.1 @@ -1623,7 +1623,7 @@ onie-nos-install /$devname/onie-installer 5.14.0-5.16.1 -4380671 +4380671, 4363822 Slow bandwidth and traffic polarization occurs when you create a significant number of next hop groups with adaptive routing weighted equal cost multipath (W-ECMP). 5.12.0-5.12.1 5.13.0-5.16.1 @@ -1650,7 +1650,7 @@ switchd[19460]: hal_mlx_l2mc.c:1107 ERR VFID: 4099, Failed to set unregistered I -4370702 +4370702, 4360680 NVUE commands create excessive log data. To work around this issue, configure rsyslog rules to limit logging of these commands. 5.11.0-5.11.1, 5.12.0-5.12.1 5.11.2, 5.13.0-5.16.1 @@ -1662,7 +1662,7 @@ switchd[19460]: hal_mlx_l2mc.c:1107 ERR VFID: 4099, Failed to set unregistered I 5.13.0-5.16.1 -4352307 +4352307, 4210596 After a factory reset, the files in the {{/etc/pam.d/}} directory might be incorrect, causing problems with password strength checking, TACACS+, RADIUS, and LDAP. To work around this issue, run the following command: cumulus@switch:~$ sudo /usr/sbin/pam-auth-update --force --package 5.12.0-5.12.1 @@ -1725,7 +1725,7 @@ On the Spectrum-3 switch, the cell-size is 144 bytes. The minimum size is 144*64 -4328729 +4328729, 4261676 When sending control packets that have the port range 259 through 1023 in their TX base header system target (above {{cap_max_system_ports}} and below {{cap_ports}} used for LAG forwarding), a fatal health event occurs on the switch. The port range 259 through 1023 reflects illegal system ports; do not set these values in the control packet TX base header. As this range reflects illegal system ports, do not set these values in the control packet TX base header, as it will be dropped. 5.10.1-5.12.1 5.13.0-5.16.1 @@ -1799,7 +1799,7 @@ cumulus@switch:~$ sudo systemctl start cumulus-upgrade-on-shutdown 5.11.1, 5.12.1-5.16.1 -4281438 +4281438, 4257936 The first time you run the {{nv show interface rates}} command, an internal error occurs. 5.12.0-5.12.1 5.13.0-5.16.1 @@ -1817,7 +1817,7 @@ cumulus@switch:~$ sudo systemctl start cumulus-upgrade-on-shutdown 5.13.0-5.16.1 -4255639 +4255639, 4326989 When all links go down or the switch reboots, you see next hop group churn from Zebra to the SOO next hop group. This issue might cause some convergence degradation. 5.12.0-5.12.1 5.13.0-5.16.1 @@ -1835,7 +1835,7 @@ cumulus@switch:~$ sudo systemctl start cumulus-upgrade-on-shutdown -4215613 +4215613, 4255653, 4335726 After a remote link flap, neighbor entries using the link might not get resolved immediately. Only when some traffic uses the nexthop will they be resolved. 5.12.0-5.12.1 5.11.2, 5.13.0-5.16.1 @@ -1847,7 +1847,7 @@ cumulus@switch:~$ sudo systemctl start cumulus-upgrade-on-shutdown -4210596 +4210596, 4352307 After a factory reset, the files in the {{/etc/pam.d/}} directory might be incorrect, causing problems with password strength checking, TACACS+, RADIUS, and LDAP. To work around this issue, run the following command: cumulus@switch:~$ sudo /usr/sbin/pam-auth-update --force --package 5.12.0-5.12.1 @@ -1862,7 +1862,7 @@ cumulus@switch:~$ sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o "Dpkg::Optio -4154839 +4154839, 4280933, 4291934 When you run certain SDK commands (such as {{sudo sx_api_port_counter_dump_all.py}} or {{sx_api_fdb_dump}}) first as the cumulus user, then with {{sudo}}, you see the following error: PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt' To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. @@ -1882,7 +1882,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4139511 +4139511, 4184813, 4180112 When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue. [ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock [ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query) [ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds @@ -1917,7 +1917,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. 5.13.0-5.16.1 -4124376 +4124376, 4316163 The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier). To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in <a href="https://docs.nvidia.com/networking-ethernet-software/cumulus-linux/Installation-Management/Upgrading-Cumulus-Linux/#downgrade-a-secure-boot-switch">Downgrade a Secure Boot Switch</a>. 5.11.0-5.16.1 @@ -1929,7 +1929,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4105127 +4105127, 4796391 Any sFlow configuration changes that require an {{hsflowd}} restart are operational only after an initial delay of 60 seconds. 5.11.0-5.16.1 @@ -1953,7 +1953,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4049213 +4049213, 4186873 When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. 5.9.2-5.16.1 @@ -1983,7 +1983,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. 5.13.0-5.16.1 -4005422 +4005422, 4015452 When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the {{systemctl enable ntpsec@<vrf>}} and {{systemctl restart ntpsec@<vrf>}} commands. 5.10.0-5.16.1 @@ -2016,7 +2016,7 @@ The logs occur because the {{rsyslog}} service starts before the networking serv -3879809 +3879809, 4064254 Spectrum-4 switches do not include full What Just Happened (WJH) support. 5.9.0-5.13.1 5.14.0-5.16.1 @@ -2043,7 +2043,7 @@ To work around this issue, use the {{-q}} option with {{wget}}. -3875687 +3875687, 3879260, 4025900 After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the {{Local Vtep Ip}} field of the {{nv show evpn vni <vni>}} command output. To work around this issue, either run the {{ifup <vxlan-id>}} command or reboot the switch. 5.9.0-5.13.1 5.14.0-5.16.1 @@ -2152,7 +2152,7 @@ To work around this issue when using fiber cables: -3556762 +3556762, 3463827 On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. 5.5.0-5.16.1 @@ -2164,7 +2164,7 @@ To work around this issue when using fiber cables: -3538321 +3538321, 3564344 In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. 5.6.0-5.16.1 @@ -2188,19 +2188,19 @@ To work around this issue when using fiber cables: -3442569 +3442569, 3520880, 3586421 When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both {{nginx.service}} and {{nvued.service}} to begin authenticating users against the new authentication service. 5.5.0-5.16.1 -3430430 +3430430, 3337848 When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. 5.5.0-5.16.1 -3424967 +3424967, 3413785 {{sudo}} for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the {{default}} VRF. To work around this issue, specify the interface name that the {{default}} VRF uses in the {{vrf=}} setting of the {{/etc/tacplus_servers}} file or run the NVUE {{nv set system aaa tacacs vrf}} command. If you don't run either command, a TACACS+ user with privilege level 15 can run {{vrf task exec default sudo ...}} to execute the {{sudo}} command. 5.0.0-5.16.1 @@ -2213,7 +2213,7 @@ The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 -3414866 +3414866, 3536555, 4465009, 4509253, 4732973 Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error. sx_sdk: 22985 [BRIDGE] [ERROR ]: Port(0x200A000D)) already added to a bridge You can ignore this error; it has no impact on switch functionality. @@ -2275,7 +2275,7 @@ You can ignore this error; it has no impact on switch functionality. -3225117 +3225117, 3158720 Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. 5.4.0-5.16.1 @@ -2298,7 +2298,7 @@ To work around this issue, reference the OID without the preceding period ( {{.} -3145869 +3145869, 3430508, 3543102 On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. 5.2.0-5.16.1 @@ -2361,7 +2361,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -2369,7 +2369,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2885305 +2885305, 2887500, 3234087, 3074929, 3293192 Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. 5.0.0-5.16.1 @@ -2412,7 +2412,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 Affects -4558846 +4558846, 4237198 If interface statistics telemetry is running on the switch, an {{interface_stats_collector}} core file might generate during statistics collection. 5.11.0-5.11.5 @@ -2422,12 +2422,12 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 5.11.1-5.11.5 -4280823 +4280823, 3537335 When you configure an invalid switch port (swp), NVUE adds the invalid configuration instead of rejecting it. The invalid interface in the configuration does not have any functional impact. -4277143 +4277143, 4277148 After a factory reset with the {{nv action reset system factory-default force}} command, RADIUS does not fully reset; the {{radius-cmd-acct}} package is not installed correctly and includes missing files. In addition, {{/etc/pam.d/common-auth}} is incorrect. 5.11.0 @@ -2516,7 +2516,7 @@ To work around this issue, manually add the {{debian-snmp}} user to the TACACS c 5.11.0 -4203784 +4203784, 4203785 Under unique hardware failure conditions, when the ASIC temperature sensor read fails repeatedly, the fans are set to twenty percent, which might not be high enough to maintain proper ASIC cooling, resulting in a thermal shutdown. 5.11.0 @@ -2587,7 +2587,7 @@ This happens in async mode, where the end notification expected after an end of 5.10.0-5.11.0 -4174646 +4174646, 4042294 On the NVIDIA SN5400 and SN5600 switch, the fans might run at full speed when it is not necessary. 5.10.1-5.11.5 @@ -2663,7 +2663,7 @@ Error: At ca-list: '/etc/ssl/certs/ca-cert.crt' is not one of ['default', 'none' 5.9.2-5.9.3 -4101560 +4101560, 4101440 The {{nv set vrf <vrf> router rib <address-family> fib-filter route-map <route-map>}} command only works if you restart FRR after you run the command. To work around this issue, attach the route map to each needed protocol; for example, run the {{nv set vrf <vrf-name> router rib fib-filter protocol <protocol string> route-map <route-map>}} command. 5.11.0-5.11.5 @@ -2673,7 +2673,7 @@ Error: At ca-list: '/etc/ssl/certs/ca-cert.crt' is not one of ['default', 'none' 5.9.2-5.11.5 -3844670 +3844670, 3875789, 3933038 When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the {{nv config patch}} command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with {{systemctl restart nvued.service}}. 5.9.0-5.11.1 diff --git a/content/cumulus-linux-513/Whats-New/rn.md b/content/cumulus-linux-513/Whats-New/rn.md index 9bf6e3c110..974ccf889b 100644 --- a/content/cumulus-linux-513/Whats-New/rn.md +++ b/content/cumulus-linux-513/Whats-New/rn.md @@ -18,7 +18,7 @@ pdfhidden: True | [4963277](#4963277)
| When many BFD sessions are configured at scale, ptmd might crash when one of the BFD sessions flaps. | 5.3.1-5.16.1 | | | [4930152](#4930152)
| When you configure layer 3 SVI interfaces with an anycast gateway (VRR) IP address only and no unique IP address, the connected route for the subnet is not programmed in the ASIC, causing packets destined for locally connected hosts to drop after decapsulation. | 5.11.3-5.16.1 | | | [4922104](#4922104)
| When the system is under load and the wd_keepalive process is running at the default rate of one time per minute, the switch might reboot due to starvation of the wd_keepalive process. | 5.13.1-5.16.1 | | -| [4918342](#4918342)
| In rare circumstances, the switch stops streaming telemetry data for interface counters, buffers, or PHY. | 5.13.0-5.16.1 | | +| [4918342, 4641291](#4918342, 4641291)
| In rare circumstances, the switch stops streaming telemetry data for interface counters, buffers, or PHY. | 5.13.0-5.16.1 | | | [4895501](#4895501)
| Adding vlan 1 as a tagged VLAN to a newly created MLAG bond fails if no previous VLANs are configured on the MLAG bond. | 5.13.0-5.16.1 | | | [4895298](#4895298)
| When you configure BGP dynamic neighbors and default-originate with a route map, the default route stops being advertised to those neighbors after an FRR restart, reboot, or after the BGP session re-establishes (after a link flap or a hard clear on the peer). To work around this issue and to ensure that the default route advertises correctly, remove, then readd the default-originate with the route map command or toggle default-route-origination off, then on. | 5.11.5-5.16.1 | | | [4885553](#4885553)
| If ZTP uses a proxy server for image download using onie-install, the image install fails with signing issues. | 5.12.0-5.16.1 | | @@ -27,12 +27,12 @@ pdfhidden: True | [4840299](#4840299)
| If you use NVUE commands to change the BGP autonomous system number (ASN) for existing VRFs without deleting the associated EVPN VNI, FRR reload fails and shows an error during nv config apply. Be sure to delete the layer 3 VNI before changing the BGP ASN or restart FRR after the AS change. | 5.9.1-5.16.1 | | | [4835058](#4835058)
| When you add or remove bond members, the sflow state and rate are incorrect. | 5.13.1-5.15.1 | 5.16.0-5.16.1| | [4789562](#4789562)
| A switch running Nvidia Cumulus Linux may improperly forward routed packets out of an access port or on the native vlan of a trunk with an 802.1Q tag imposed on the packet. | 5.12.1-5.15.1 | 5.16.0-5.16.1| -| [4789339](#4789339)
| The interface_stats process might crash when a transceiver has non-ASCII data in EEPROM fields, such as vendor name or part number. | 5.13.1-5.15.1 | 5.16.0-5.16.1| +| [4789339, 4540985](#4789339, 4540985)
| The interface_stats process might crash when a transceiver has non-ASCII data in EEPROM fields, such as vendor name or part number. | 5.13.1-5.15.1 | 5.16.0-5.16.1| | [4789097](#4789097)
| The switch deletes a static blackhole route even when the blackhole type specified in the delete command does not match the configured type. | 5.9.4-5.15.1 | 5.16.0-5.16.1| | [4771521](#4771521)
| Layer 3 multicast traffic does not forward when OMF (Optimized Multicast Flooding) and PIM is enabled. To work around this issue, flap the router port. | 5.9.2-5.15.1 | 5.16.0-5.16.1| -| [4751060](#4751060)
| If the switch filesystem is overloaded or memory is exhausted, you see very slow responses from the filesystem and the SDK might fail with a fatal error similar to:
sxd_kernel: Health-Check: new failure (dev=1, severity='Fatal', cause=10 ['SDK thread issue'], irisc=255, desc='Health check: SDK thread [sxSniffer] TID [0x7f81cffff6c0] bit [4] does not respond [5] seconds')
| 5.12.0-5.15.1 | 5.16.0-5.16.1| +| [4751060, 4637733](#4751060, 4637733)
| If the switch filesystem is overloaded or memory is exhausted, you see very slow responses from the filesystem and the SDK might fail with a fatal error similar to:
sxd_kernel: Health-Check: new failure (dev=1, severity='Fatal', cause=10 ['SDK thread issue'], irisc=255, desc='Health check: SDK thread [sxSniffer] TID [0x7f81cffff6c0] bit [4] does not respond [5] seconds')
| 5.12.0-5.15.1 | 5.16.0-5.16.1| | [4748963](#4748963)
| In an MLAG configuration with PVRST spanning tree mode configured on both switches, when the primary switch comes back up after a reboot, PVRST mode briefly changes to RSTP, then back to PVRST. | 5.13.1-5.15.1 | 5.16.0-5.16.1| -| [4748176](#4748176)
| Unsupported hardware modules might cause SDK and firmware health event and traffic loss. | 5.12.1-5.15.1 | 5.16.0-5.16.1| +| [4748176, 4662528, 4652420](#4748176, 4662528, 4652420)
| Unsupported hardware modules might cause SDK and firmware health event and traffic loss. | 5.12.1-5.15.1 | 5.16.0-5.16.1| | [4729839](#4729839)
| In an MLAG configuration, when you reboot the primary MLAG switch with PVRST spanning tree mode configured on both MLAG switches, PVRST mode briefly changes to RSTP, then back to PVRST when the primary switch comes back up. | 5.11.3-5.15.1 | 5.16.0-5.16.1| | [4722680](#4722680)
| If you install RADIUS client packages when rolling back a two partition upgrade, the /var/lib/nvue, /var/lib/ntpsec, and /var/lib/snmp directories might have incorrect ownership after rollback and the nvued service might fail to start up. To work around this issue, run the following commands:
sudo chown -R nvue /var/lib/nvue
sudo chown -R ntpsec /var/lib/ntpsec
sudo chown -R Debian-snmp /var/lib/snmp
sudo reboot
| 5.11.4-5.16.1 | | | [4722539](#4722539)
| Optimized image upgrade with warm boot mode is supported in Cumulus Linux 5.13 and later. When you try to run the nv action boot-next command during optimized image upgrade in Cumulus Linux 5.12 and earlier to any target release while the system is in warm boot mode, the boot-next operation fails with the following error:
cumulus@switch:~$ nv action boot-next system image other
Error: Action failed with the following issue:>br>
 Failed to set boot-next due to Unknown error

To work around this issue, verify system boot mode with the nv show system reboot command before you perform optimized image upgrade and switch to cold boot mode if necessary with the nv set system reboot mode cold command. You can then proceed with the optimized image upgrade boot-next operation. | 5.11.4-5.15.1 | 5.16.0-5.16.1| @@ -41,7 +41,7 @@ pdfhidden: True | [4667010](#4667010)
| When streaming telemetry is enabled, additional logs containing ERROR BULK_COUNTER might be generated by the switch, unexpectedly bypassing log suppression rules. | 5.12.1-5.14.0 | 5.15.0-5.16.1| | [4647646](#4647646)
| If you configure policy-based routing (PBR) rules for more than 32 interfaces, only the rules assigned to the first 32 interfaces are installed in the kernel. | 4.4.2-5.14.0 | 5.15.0-5.16.1| | [4643537](#4643537)
| The nv action clear interface command does not clear the in and out packet counters under interface//link/stats. | 5.12.1-5.14.0 | 5.15.0-5.16.1| -| [4641291](#4641291)
| In rare circumstances, the switch stops streaming telemetry data for interface counters, buffers, or phy. | 5.13.1-5.14.0 | 5.15.0-5.16.1| +| [4641291, 4703438, 4918342, 4923799](#4641291, 4703438, 4918342, 4923799)
| In rare circumstances, the switch stops streaming telemetry data for interface counters, buffers, or phy. | 5.13.1-5.14.0 | 5.15.0-5.16.1| | [4640126](#4640126)
| LLDP session flaps might result in a PTMD process crash due to a double free memory block. | 5.11.2-5.14.0 | 5.15.0-5.16.1| | [4637200](#4637200)
| When more than one IPv4 and/or IPv6 addresses are configured on a remote interface, NVUE LLDP commands such as nv show interface lldp-detail only reflect one address. To work around this issue, use lldpctl to view LLDP information. For example, sudo lldpctl -d -f json swp1. | 5.9.0-5.14.0 | 5.15.0-5.16.1| | [4633514](#4633514)
| When the switch processes large numbers of mroute updates in an MLAG configuration, FRR might crash. | 5.8.0-5.14.0 | 5.15.0-5.16.1| @@ -51,13 +51,13 @@ pdfhidden: True | [4625452](#4625452)
| Trying to apply a hashed password of '*' blocks access to the switch instead of rejecting the password and showing an error. | 5.12.0-5.14.0 | 5.15.0-5.16.1| | [4622487](#4622487)
| When you configure an exclude_users line in /etc/tacplus_nss.conf containing a long list of users, NSS lookups might fail or behave incorrectly when parsing the configuration. | 5.11.1-5.14.0 | 5.15.0-5.16.1| | [4621759](#4621759)
| When many BFD sessions are configured at scale, ptmd might crash when one of the BFD sessions flaps. | 5.3.1-5.14.0 | 5.15.0-5.16.1| -| [4621451](#4621451)
| Changing the gateway interface IP address on the DHCP relay causes DHCP relay to not forward the packet. To work around this issue, restart the DHCP relay service corresponding to the VRF on which it is running. | 5.13.1-5.14.0 | 5.15.0-5.16.1| +| [4621451, 4472414](#4621451, 4472414)
| Changing the gateway interface IP address on the DHCP relay causes DHCP relay to not forward the packet. To work around this issue, restart the DHCP relay service corresponding to the VRF on which it is running. | 5.13.1-5.14.0 | 5.15.0-5.16.1| | [4608614](#4608614)
| When setting up SSH keys, you have to run nv config apply twice for the configuration to take effect. | 5.11.3-5.16.1 | | | [4605303](#4605303)
| The downstream VNI software VXLAN encapsulation path does not derive the source IP address of the outer IP header properly. Instead of using the defined vxlan-local-tunnelip under the loopback interface, it uses the underlay interface on which the packet egresses the VTEP. In a mixed vendor environment, this might lead to a drop on the decapsulating VTEP if it is not an Nvidia Cumulus Linux switch. To work around this issue, use symmetric VNI configuration instead of downstream VNI or use downstream VNI with an unnumbered underlay. | 5.13.0-5.14.0 | 5.15.0-5.16.1| | [4601056](#4601056)
| The neighbor manager service memory usage increases significantly after the number of entries in the kernel neighbor table exceeds the gc_threshold. | 5.13.1-5.14.0 | 5.15.0-5.16.1| | [4597153](#4597153)
| When you use a gateway-interface configuration with the source IP address as the gateway interface, DHCP Relay is unable to send packets to the DHCP server after flapping the gateway interface. To work around this issue, restart the DHCP Relay service or avoid configuring the gateway interface to be same as the uplink or downlink interface on the DHCP Relay node. | 5.13.1-5.14.0 | 5.15.0-5.16.1| | [4582679](#4582679)
| If a node has Suppress Route Advertisement enabled and routes are re-learned; for example, when a peer sends the route again due to route policy changes, or you enable or disable graceful shutdown, not all routes are offloaded, which might cause discrepancies in traffic. | 5.9.4-5.16.1 | | -| [4579237](#4579237)
| If interface statistics telemetry is running on the switch, an interface_stats_collector core file might generate during statistics collection. | 5.11.3-5.16.1 | | +| [4579237, 4579234](#4579237, 4579234)
| If interface statistics telemetry is running on the switch, an interface_stats_collector core file might generate during statistics collection. | 5.11.3-5.16.1 | | | [4579137](#4579137)
| TTL exceeded packets might not have the expected source IP address in the forwarding path to the destination when VRF interfaces are present on the forwarding path. | 5.13.1-5.14.0 | 5.15.0-5.16.1| | [4570105](#4570105)
| During initial configuration of an MLAG switch with no MLAG peer or if both MLAG peers go down and only one recovers, VXLAN traffic arriving on the MLAG switch with a local IP destination might see packet loss. | 5.13.1-5.14.0 | 5.9.4, 5.15.0-5.16.1| | [4567894](#4567894)
| ACL statistics in nv show interface acl statistics and cl-acltool command output count packets twice. If packets are transiting the switch, the ACL statistics are correct. | 5.13.1-5.14.0 | 5.15.0-5.16.1| @@ -68,7 +68,7 @@ pdfhidden: True | [4548512](#4548512)
| When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface vlan10, the route might install against vlan10-v0. This prevents next-hop tracking and route installation into hardware.
This issue can occur in the following conditions:
  • When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.
  • In an MLAG and VRR configuration, static routes fail to install when the route is resolved through a connected route and the interface of the connected route undergoes a link state change for any reason, such as link flaps, interface bring-up, clagd restart, switchd restart, etc.

To work around this issue, restart the FRR service using the sudo systemctl restart frr.service command. | 5.11.0-5.16.1 | | | [4546389](#4546389)
| The nv config show -o commands command displays numbered BGP neighbors in IP address range format; however, the nv set commands fail for BGP numbered neighbors configured in IP address ranges. | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4544433](#4544433)
| When you enable bandwidth gauge on an interface, the asic-monitor leaks memory steadily over time. The memory leak rate depends on how many interfaces have the bandwidth gauge enabled and the snapshot rate. | 5.13.1 | 5.14.0-5.16.1| -| [4540985](#4540985)
| If you have a transceiver module with a vendor name containing invalid characters and OTEL is enabled, the switch generates an interface_stats core file. | 5.13.1 | 5.14.0-5.16.1| +| [4540985, 4789339, 4776413](#4540985, 4789339, 4776413)
| If you have a transceiver module with a vendor name containing invalid characters and OTEL is enabled, the switch generates an interface_stats core file. | 5.13.1 | 5.14.0-5.16.1| | [4539084](#4539084)
| When you lower the speed for an interface, the nv show interface rates command output might show the link utilization percentage above 100 percent. This issue is corrected automatically after the load interval duration. | 5.12.0-5.13.1 | 5.14.0-5.16.1| | [4535856](#4535856)
| When you try to import an invalid server certificate file, Cumulus Linux does not import the certificate file but fails to show an error message. | 5.13.0-5.16.1 | | | [4535843](#4535843)
| After a switch reboot, the nv show system health command shows incorrect system LED status and color. | 5.13.0-5.16.1 | | @@ -77,7 +77,7 @@ pdfhidden: True | [4535699](#4535699)
| When you configure the RADIUS authentication order with local first and radius second, the RADIUS user is authenticated as a default user name. | 5.11.3-5.16.1 | | | [4535696](#4535696)
| When you configure the RADIUS authentication order with local first and radius second, the RADIUS user is authenticated as a default user name. | 5.12.1-5.16.1 | 5.9.4| | [4534357](#4534357)
| During Cumulus Linux upgrade or downgrade, rsyslog might crash because the management (eth0) port is unavailable, which triggers a use-after-free fault and produces a cl-support file as a response. | 5.13.1-5.16.1 | | -| [4531952](#4531952)
| When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface vlan10, the route might install against vlan10-v0. This prevents next-hop tracking and route installation into hardware.
This issue can occur in the following conditions:
  • When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.
  • In an MLAG and VRR configuration, static routes fail to install when the route is resolved through a connected route and the interface of the connected route undergoes a link state change for any reason, such as link flaps, interface bring-up, clagd restart, switchd restart, etc.

To work around this issue, restart the FRR service using the sudo systemctl restart frr.service command. | 5.11.1-5.13.1 | 5.14.0-5.16.1| +| [4531952, 4518822](#4531952, 4518822)
| When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface vlan10, the route might install against vlan10-v0. This prevents next-hop tracking and route installation into hardware.
This issue can occur in the following conditions:
  • When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.
  • In an MLAG and VRR configuration, static routes fail to install when the route is resolved through a connected route and the interface of the connected route undergoes a link state change for any reason, such as link flaps, interface bring-up, clagd restart, switchd restart, etc.

To work around this issue, restart the FRR service using the sudo systemctl restart frr.service command. | 5.11.1-5.13.1 | 5.14.0-5.16.1| | [4531104](#4531104)
| On a switch with SDK 4.6.1062 or earlier, you might see FW fatal health events. | 5.6.0-5.13.1 | 5.14.0-5.16.1| | [4526096](#4526096)
| The global VRRP priority level change is not applied to the VRRP interface. It is always set to 100. | 5.13.1 | 5.14.0-5.16.1| | [4524763](#4524763)
| Cumulus Linux does not provide a specific error message if you try to configure an ACL rule with conflicting match protocol criteria. For example, if you configure a single rule with both match ip protocol tcp and match ip udp dest-port , you see the following error:
Unable to run ‘install_acls.sh’ script:

RAN: sudo -S bash /var/lib/nvue/config/install_acls.sh

To work around this issue, configure consistent protocol match statements in each ACL rule. | 5.13.1 | 5.14.0-5.16.1| @@ -85,13 +85,13 @@ pdfhidden: True | [4517549](#4517549)
| If you use TACACS on the default VRF while using multiple switch ports (ECMP) to reach the TACACS server, Cumulus Linux only allows you to configure a single port, even though there are multiple ports to reach the server. When configuring the single port, you see issues such as long delays to login, authentication failures, sudo command failures after login, username changes to an unknown tacacsNN user on the shell prompt. | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4516848](#4516848)
| The nv show system health command output might show status-led amber and rasdaemon inactive due to a failed rasdaemon start even though the actual system status LED is green. | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4513849](#4513849)
| After upgrading from Cumulus Linux 5.12 on the NVIDIA SN5400 switch bonus port, PTP does not converge. To work around this issue, disable, then enable the bonus port after upgrade. | 5.13.0-5.16.1 | | -| [4509255](#4509255)
| In PTP two-step, the hardware incorrectly modifies the SYNC message correction field. | 5.12.0-5.16.1 | | +| [4509255, 4546858](#4509255, 4546858)
| In PTP two-step, the hardware incorrectly modifies the SYNC message correction field. | 5.12.0-5.16.1 | | | [4509053](#4509053)
| When the default route is available through a floating static route (admin distance 254) and through an eBGP learned route where the next hop is the eBGP peer, the route that comes up first (the floating static) becomes the best path, even though the BGP learned route is presented as the best path after the neighbor comes up. To work around this issue, set the nv set vrf router bgp peer-group nexthop-connected-check off command in NVUE or configure neighbor disable-connected-check in vtysh. | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4508830](#4508830)
| Cumulus Linux allows you to add bond ports of mismatched speeds (such as 10G and 25G) to the same LACP bond without error and the bond reports UP. | 5.11.2-5.16.1 | | | [4502199](#4502199)
| The TFTP client drops packets due to default firewall rules. | 5.13.0-5.13.1 | 5.9.4, 5.14.0-5.16.1| | [4500170](#4500170)
| When you use the API to compare a revision between a revision ID and an applied revision, the output adds the encrypted values in the diffs incorrectly, indicating that there are diffs when there are no diffs. The NVUE nv config diff command shows the correct output. | 5.13.1 | 5.14.0-5.16.1| | [4499025](#4499025)
| You see a high volume of NAT and NFCT errors flooding switchd logs. This issue has no functional impact. | 5.11.2-5.16.1 | | -| [4495383](#4495383)
| NVUE configuration yaml file translation converts unset commands to set commands because the translation logic expects only set commands. | 5.13.0-5.16.1 | | +| [4495383, 4493988](#4495383, 4493988)
| NVUE configuration yaml file translation converts unset commands to set commands because the translation logic expects only set commands. | 5.13.0-5.16.1 | | | [4495231](#4495231)
| If the hardware clock date is later than 2038-01-19 03:14:07 UTC, the image might fail to install due to a grub-install failure on the EFI filesystem, which is a VFAT filesystem. As a result, you see the grub prompt immediately after reboot. To work around this issue, reboot from the grub prompt to go into ONIE. From ONIE, use the date command to set a date before 2038-01-19, then run the hwclock --systohc command to add it to the hardware clock. You can then use onie-nos-install to install the image. | 5.9.0-5.16.1 | | | [4493540](#4493540)
| The CBS field in the nv show system control-plane policer command output might not show the configured value. | 5.13.0-5.13.1 | 5.9.4, 5.14.0-5.16.1| | [4486200](#4486200)
| If you enable dynamic NAT and try to install two identical dynamic NAT rules, switchd might crash. | 5.11.2-5.13.1 | 5.14.0-5.16.1| @@ -103,11 +103,11 @@ pdfhidden: True | [4475095](#4475095)
| The BGP service might crash when you have overlapping routes between two VRFs and you are leaking these routes between these VRFs in an EVPN environment. Avoid leaking overlapping IP addresses or subnets between two VRFs. This is typically accomplished by filtering the overlapping IP address or subnet routes with a prefix list and route map. | 5.13.1 | 5.14.0-5.16.1| | [4475074](#4475074)
| The SN5610 switch records a High FEC Bin Error at room temperature. | 5.13.0-5.16.1 | 5.11.2| | [4474924](#4474924)
| The nv config show -o commands command displays numbered BGP neighbors in IP address range format; however, the nv set commands fail for BGP numbered neighbors configured in IP address ranges. | 5.13.0-5.13.1 | 5.14.0-5.16.1| -| [4472414](#4472414)
| After you modify the IP address of an SVI, DHCP relay uses an old cached IP address instead of the changed IP address. This occurs because DHCP relay monitors the link state change not IP address change. | 5.11.0-5.14.0 | 5.15.0-5.16.1| +| [4472414, 4621451](#4472414, 4621451)
| After you modify the IP address of an SVI, DHCP relay uses an old cached IP address instead of the changed IP address. This occurs because DHCP relay monitors the link state change not IP address change. | 5.11.0-5.14.0 | 5.15.0-5.16.1| | [4471932](#4471932)
| ERSPAN is not generated with the intended VLAN tag but is always sent out untagged. If the interface is a trunk port or a subinterface, the peer might discard these packets. | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4469479](#4469479)
| If you use NVUE to unset an extremely large IP prefix list (around 50K), the command might time out when unconfiguring FRR. As a result, you see the message Failure during apply. Ignore? [y/N] and the FRR service stops. | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4469349](#4469349)
| When you try to import an invalid server certificate file, Cumulus Linux does not import the certificate file but fails to show an error message. | 5.13.0-5.13.1 | 5.14.0-5.16.1| -| [4467245](#4467245)
| Transceiver channel power values in dBm reported through streaming telemetry protocols such as OTLP and GNMI are imprecise and are rounded to whole numbers. The NVUE nv show platform transceiver command or Linux ethtool -m command provides more precise, floating-point values. | 5.13.0-5.13.1 | 5.14.0-5.16.1| +| [4467245, 4417072](#4467245, 4417072)
| Transceiver channel power values in dBm reported through streaming telemetry protocols such as OTLP and GNMI are imprecise and are rounded to whole numbers. The NVUE nv show platform transceiver command or Linux ethtool -m command provides more precise, floating-point values. | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4466525](#4466525)
| Radius priority values can range between 1 and 8; however Cumulus Linux allows you to configure an invalid priority. | 5.12.0-5.13.1 | 5.14.0-5.16.1| | [4461102](#4461102)
| In certain cases, when a port is down and you apply adaptive routing with the link utilization threshold setting to the port as it goes up, you might see log errors while the port is not yet up. | 5.11.0-5.13.1 | 5.14.0-5.16.1| | [4460588](#4460588)
| The NVIDIA SN5610 switch might experience FEC burstiness with multiple optics, which can impact link stability and performance. | 5.13.1 | 5.14.0-5.16.1| @@ -116,14 +116,14 @@ pdfhidden: True | [4447797](#4447797)
| When you remove an FRU, such as a PSU, from the switch, stale statistical data from the component is still reported over GNMI and OTLP. | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4447794](#4447794)
| The gNMI value for the sensor alarm-status shows incorrectly. For a raised alarm, the alarm-status is True(1) but normally functioning sensors also show True(1). | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4447661](#4447661)
| During link down events affecting a subset of local links, switchd might observe extra route deletions due to timing mismatches between Zebra and kernel processing of Next Hop Group (NHG) changes. Routes should transition directly from one NHG to another, but instead get temporarily deleted and reinstalled, causing unnecessary churn. Zebra logs might show Extended Error: Nexthop id does not exist messages during partial link down scenarios
| 5.13.0-5.13.1 | 5.14.0-5.16.1| -| [4443870](#4443870)
| When running tens of thousands of nv set commands, the /var/lib/nvue directory might grow to several GBs in size, potentially using all the disk space. To work around this issue, run the following commands to reduce the disk space in the /var/lib/nvue directory:
cumulus@switch:~$ sudo su
cumulus@switch:~$ cd /var/lib/nvue/config
cumulus@switch:~$ git gc
| 5.13.0-5.13.1 | 5.11.2, 5.14.0-5.16.1| +| [4443870, 4461303](#4443870, 4461303)
| When running tens of thousands of nv set commands, the /var/lib/nvue directory might grow to several GBs in size, potentially using all the disk space. To work around this issue, run the following commands to reduce the disk space in the /var/lib/nvue directory:
cumulus@switch:~$ sudo su
cumulus@switch:~$ cd /var/lib/nvue/config
cumulus@switch:~$ git gc
| 5.13.0-5.13.1 | 5.11.2, 5.14.0-5.16.1| | [4440766](#4440766)
| When you try to delete a trusted ca key, Cumulus Linux shows an incorrect error message. To remove a trusted ca key, you must unset the key ID, not the key literal. | 5.13.0-5.16.1 | | | [4438933](#4438933)
| When gNMI subscription and configuration changes to an interface occur simultaneously, the interface statistics process can crash and leave a core file. | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4433969](#4433969)
| Cumulus Linux generates multiple cl-support files when there are multiple errors exporting OTEL metrics. | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4427224](#4427224)
| The nv show interface command output shows the operational status as down for a link flap error disabled state instead of the real protodown reason. To work around this issue, run the nv show interface status command, which shows if any of the interfaces are protodown with the protodown reason. | 5.12.0-5.13.1 | 5.14.0-5.16.1| | [4427085](#4427085)
| cl-route-check fails if there are INCOMPLETE entries in the Kernel neighbor table. | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4425299](#4425299)
| After upgrading from Cumulus Linux 5.12 to 5.13 on the NVIDIA SN5400 switch bonus port, PTP does not converge. To work around this issue, disable, then enable the bonus port after upgrade. | 5.13.0-5.13.1 | 5.9.4, 5.14.0-5.16.1| -| [4425288](#4425288)
| When gNMI streaming is enabled on the switch, Cumulus Linux generates a cl-support file the first time you perform an FRR operation that reloads or restarts the FRR service (such as remove or add a neighbor or add or modify static routes). | 5.13.0-5.13.1 | 5.14.0-5.16.1| +| [4425288, 4423331, 4426775, 4413508](#4425288, 4423331, 4426775, 4413508)
| When gNMI streaming is enabled on the switch, Cumulus Linux generates a cl-support file the first time you perform an FRR operation that reloads or restarts the FRR service (such as remove or add a neighbor or add or modify static routes). | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4423368](#4423368)
| When all links go down or the switch reboots, you see next hop group churn from Zebra to the SOO next hop group. This issue might cause some convergence degradation. | 5.12.0-5.16.1 | | | [4423360](#4423360)
| After a remote link flap, neighbor entries using the link might not get resolved immediately. Only when some traffic uses the nexthop will they be resolved. | 5.12.0-5.16.1 | | | [4423352](#4423352)
| ZTP scripts return an error due to incorrect ASCI to UTF-8 conversion. | 5.11.0-5.16.1 | | @@ -133,17 +133,17 @@ pdfhidden: True | [4423244](#4423244)
| When you enable, then disable adaptive routing, the BGP neighbors might go down because of an unresolved MAC address. To work around this issue, configure another attribute on the interface. | 5.9.0-5.16.1 | | | [4423235](#4423235)
| The snmpd service generates debugging logs of sudo calls. To work around this issue, disable sudo logging for the specific commands run by the Debian-snmp user in the /etc/sudoers.d/snmp file by adding Defaults:Debian-snmp !syslog. | 5.11.0-5.16.1 | | | [4423175](#4423175)
| When you configure an API port with a TCP port already in use, the nginx server fails to restart. | 5.13.0-5.16.1 | | -| [4414935](#4414935)
| Interface counters retrieved from the kernel are not reset when switchd restarts. These kernel counters are inconsistent with other telemetry counters that do reset when switchd restarts. | 5.13.0-5.13.1 | 5.14.0-5.16.1| +| [4414935, 4320281](#4414935, 4320281)
| Interface counters retrieved from the kernel are not reset when switchd restarts. These kernel counters are inconsistent with other telemetry counters that do reset when switchd restarts. | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4413589](#4413589)
| A MAC-only EVPN type-2 route is wrongly advertised with the layer 3 VNI label in the BGP NLRI (Network Layer Reachability Information). Although this does not have any functional impact, it is not the desired RFC behavior. | 5.13.0-5.16.1 | | -| [4413450](#4413450)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.11.1, 5.13.0-5.13.1 | 5.11.2, 5.14.0-5.16.1| +| [4413450, 4497128](#4413450, 4497128)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.11.1, 5.13.0-5.13.1 | 5.11.2, 5.14.0-5.16.1| | [4408549](#4408549)
| UMF processes do not include log rotation and the logs can grow very large causing operational failures when you generate cl-support files and run the nv config apply command. | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4408387](#4408387)
| BGP crashes during EVPN route install due to incorrect memory access. | 5.11.0-5.13.1 | 5.14.0-5.16.1| -| [4393369](#4393369)
| If you generate a cl-support file after configuring a breakout port, the syslog file includes errors due to a statistic collection failure for stale ports. This issue has no functional impact. | 5.13.0-5.13.1 | 5.14.0-5.16.1| +| [4393369, 4461301](#4393369, 4461301)
| If you generate a cl-support file after configuring a breakout port, the syslog file includes errors due to a statistic collection failure for stale ports. This issue has no functional impact. | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4389433](#4389433)
| On switches with ONIE 5.3.0012 (might be displayed as 2023.11-5.3.0012-115200), reinstalling Cumulus Linux with onie-install when SecureBoot is enabled fails during CMS verification of a found image.
To determine the ONIE version on the switch:
sudo mount LABEL="ONIE-BOOT" /mnt
/mnt/onie/tools/bin/onie-version
If the ONIE version is earlier than 5.3.0012 (might be displayed as 2023.11-5.3.0012-115200), either disable SecureBoot during reinstallation, or if SecureBoot is enabled and ONIE finds the image on one of the disks (for example, /dev/sda5), then fails CMS verification, log into the ONIE shell as root and run the following commands:
onie-stop
mkdir /$devname
mount $devname /$devname
onie-nos-install /$devname/onie-installer
| 5.12.0-5.13.1 | 5.14.0-5.16.1| -| [4386779](#4386779)
| When you start gNMI subscription from a remote client, interface rates reset and values start from 0. | 5.13.0-5.13.1 | 5.14.0-5.16.1| +| [4386779, 4321086](#4386779, 4321086)
| When you start gNMI subscription from a remote client, interface rates reset and values start from 0. | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4372795](#4372795)
| With high SSH scale you might see LTTNG high memory usage errors causing an out of memory condition. | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4370954](#4370954)
| After enabling, then disabling truncation on a SPAN session, truncated packets are still received on the SPAN destination. To work around this issue, remove the SPAN session configuration, reboot the switch, then reconfigure the SPAN session without truncation. | 5.12.0-5.16.1 | | -| [4360826](#4360826)
| On rare occasions, when you run the NVUE nv config apply command, switchd crashes, then restarts after the crash and resumes its normal flow of operation. | 5.13.0-5.13.1 | 5.14.0-5.16.1| +| [4360826, 4445857](#4360826, 4445857)
| On rare occasions, when you run the NVUE nv config apply command, switchd crashes, then restarts after the crash and resumes its normal flow of operation. | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4341806](#4341806)
| The BGP uptime differs between vtysh and NVUE command output. | 5.12.0-5.13.1 | 5.14.0-5.16.1| | [4337278](#4337278)
| In certain cases, statically configured VXLAN entries age out after a peerlink flap. | 5.12.0-5.16.1 | | | [4329931](#4329931)
| Cumulus Linux incorrectly allows SyncE and PPS to be enabled at the same time. Upgrading systems with both features configured using NVUE to 5.12.0 or later results in a failure to apply the startup configuration as part of the first boot of the upgraded version. To work around the issue, unset one of the features before you upgrade. | 5.12.0-5.16.1 | | @@ -155,30 +155,30 @@ pdfhidden: True | [4236419](#4236419)
| On the Spectrum-3 switch, the PTP offset for 25GbE fluctuates within a range of plus or minus 50 nanoseconds beyond the expected values. | 5.12.0-5.16.1 | | | [4214678](#4214678)
| Changes to open telemetry configuration or export states restarts the telemetry service and resets all health metrics. | 5.12.0-5.16.1 | | | [4177067](#4177067)
| When performing a package upgrade, nslcd installation might open an interactive dialog to configure nslcd.conf .
To avoid this interactive dialog, set the DEBIAN_FRONTEND environment variable to noninteractive. For example:
cumulus@switch:~$ sudo apt-get update
cumulus@switch:~$ sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold" upgrade
| 5.11.0-5.16.1 | | -| [4154839](#4154839)
| When you run certain SDK commands (such as sudo sx_api_port_counter_dump_all.py or sx_api_fdb_dump) first as the cumulus user, then with sudo, you see the following error:
PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt'

To resolve this issue, run the rm -rf /tmp/python_err_log.txt command. | 5.11.0-5.16.1 | | +| [4154839, 4280933, 4291934](#4154839, 4280933, 4291934)
| When you run certain SDK commands (such as sudo sx_api_port_counter_dump_all.py or sx_api_fdb_dump) first as the cumulus user, then with sudo, you see the following error:
PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt'

To resolve this issue, run the rm -rf /tmp/python_err_log.txt command. | 5.11.0-5.16.1 | | | [4142857](#4142857)
| The switch drops PTP packets received with extra ethernet padding and you see syslog [ptp4l.ERR] messages. | 5.10.0-5.16.1 | | -| [4139511](#4139511)
| When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue.
[ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds
[ 1903.846724] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.852689] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.861573] hwmon hwmon28: Failed to query module temperature
| 5.11.0-5.16.1 | | +| [4139511, 4184813, 4180112](#4139511, 4184813, 4180112)
| When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue.
[ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds
[ 1903.846724] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.852689] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.861573] hwmon hwmon28: Failed to query module temperature
| 5.11.0-5.16.1 | | | [4134447](#4134447)
| The journal logs might include the error message ERR kernel: [ 7.453789] usb usb2-port2: connect-debounce failed. You can safely ignore this log message. | 5.11.0-5.16.1 | | | [4129757](#4129757)
| If you include a comma in the BGP community list, extended community list, or large community list regex expression of a routing policy, you see error messages and FRR reload fails. Make sure the regex expression does not contain a comma.
For example, instead of ^65550:([0-9]{1,2}\|[1-9][1-9]):.*$, specify ^65550:([0-9]\|[0-9][0-9]):.*$ and instead of ^65550:([0-4]{1,2}\|[7-9][8-9]):.*$, specify ^65550:([0-4]\|[0-4][0-4]\|[7-9][8-9]):.*$. | 5.11.0-5.16.1 | | -| [4124376](#4124376)
| The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier).
To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in Downgrade a Secure Boot Switch. | 5.11.0-5.16.1 | | +| [4124376, 4316163](#4124376, 4316163)
| The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier).
To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in Downgrade a Secure Boot Switch. | 5.11.0-5.16.1 | | | [4118970](#4118970)
| When running PTP, the performance for 100Gx2 and 400Gx8 can have a high offset in up to 1.5% of the sampling. | 5.11.0-5.16.1 | | -| [4105127](#4105127)
| Any sFlow configuration changes that require an hsflowd restart are operational only after an initial delay of 60 seconds. | 5.11.0-5.16.1 | | +| [4105127, 4796391](#4105127, 4796391)
| Any sFlow configuration changes that require an hsflowd restart are operational only after an initial delay of 60 seconds. | 5.11.0-5.16.1 | | | [4100629](#4100629)
| NVUE show command outputs show LLDP neighbor changes only after the LLDP update frequency multiplied by the hold time. | 5.11.0-5.16.1 | | | [4082210](#4082210)
| When you change the CPU resource limit with the nv set service control rsyslog resource-limit cpu command, the rsyslog agent does not start. To work around this issue, increase the CPU resource limit, then restart the service manually. | 5.11.0-5.16.1 | | | [4077921](#4077921)
| You cannot use package upgrade to upgrade from Cumulus Linux 5.9.2 to Cumulus Linux 5.10.1 or later. You must install the Cumulus Linux image instead. | 5.10.1-5.16.1 | | -| [4049213](#4049213)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | +| [4049213, 4186873](#4049213, 4186873)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | | [4047798](#4047798)
| Packet distribution based on ECMP hashing using GTP-TEID does not function as expected in an EVPN Clos topology. | 5.10.0-5.16.1 | | | [4030380](#4030380)
| When you roll back interface configuration to the default setting with the nv unset interface command, NVUE removes the complete entry for the interface from the /etc/network/interface file, and puts the interface in admin down. As a result, you cannot configure FEC on the interface at the lower layers. | 5.10.0-5.16.1 | | -| [4005422](#4005422)
| When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the systemctl enable ntpsec@ and systemctl restart ntpsec@ commands. | 5.10.0-5.16.1 | | +| [4005422, 4015452](#4005422, 4015452)
| When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the systemctl enable ntpsec@ and systemctl restart ntpsec@ commands. | 5.10.0-5.16.1 | | | [3985682](#3985682)
| On Spectrum-4 switches, multicast flows containing packets smaller than 512 bytes might not reach full line rate. Cumulus Linux supports 512 byte and larger multicast packets. | 5.10.0-5.16.1 | | | [3966312](#3966312)
| When connecting the SN5xxx switch to third party test equipment (such as IXIA) using copper cables at 100GbE, 200GbE, 400GbE, or 800GbE, links do not come up. | 5.10.0-5.16.1 | | | [3948068](#3948068)
| On the SN3700 and SN3700c switch, the nv show platform environment voltage command output shows a failed state for the PSU-n-12V-RAIL-OUT sensors. This is a known hardware limitation that cannot be corrected by the PSU vendor. | 5.10.0-5.16.1 | | | [3915878](#3915878)
| If you configure remote syslog export through a non-default VRF, you might see repeated error logs from the rsyslog process while the switch is booting:
rsyslogd: create UDP socket bound to device failed: No such device [v8.2302.0]rsyslogd: No UDP socket could successfully be initialized, some functionality may be disabled.  [v8.2302.0]

The logs occur because the rsyslog service starts before the networking service creates the configured VRF for syslog export. There is no functional impact with this issue. | 5.9.0-5.16.1 | | -| [3879809](#3879809)
| Spectrum-4 switches do not include full What Just Happened (WJH) support. | 5.9.0-5.13.1 | 5.14.0-5.16.1| +| [3879809, 4064254](#3879809, 4064254)
| Spectrum-4 switches do not include full What Just Happened (WJH) support. | 5.9.0-5.13.1 | 5.14.0-5.16.1| | [3879717](#3879717)
| Running snmpwalk on the switch with the management IP address does not work. To work around this issue, use the localhost option (snmpwalk -v 2c -c public28 localhost 1.3.6.1.2.1.14) or create a control plane ACL whitelist rule. | 5.10.0-5.16.1 | | | [3878394](#3878394)
| When ZTP runs a script that contains wget, ZTP fails and you see a message similar to the following:
ZTP: ZTP DHCP: Unexpected error: 'ascii' codec can't decode byte 0xe2 in position 181: ordinal not in range(128)ZTP: Script returned failure

To work around this issue, use the -q option with wget. | 5.9.0-5.16.1 | | | [3877516](#3877516)
| When you connect two NVIDIA switches and configure 400G speed in force mode, links don't come up.
To work around this issue, make sure auto-negotiation is always on when connecting NVIDIA to NVIDIA in PAM4. | 5.9.0-5.16.1 | | -| [3875687](#3875687)
| After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the Local Vtep Ip field of the nv show evpn vni command output. To work around this issue, either run the ifup command or reboot the switch. | 5.9.0-5.13.1 | 5.14.0-5.16.1| +| [3875687, 3879260, 4025900](#3875687, 3879260, 4025900)
| After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the Local Vtep Ip field of the nv show evpn vni command output. To work around this issue, either run the ifup command or reboot the switch. | 5.9.0-5.13.1 | 5.14.0-5.16.1| | [3875373](#3875373)
| When you run the nv config apply empty command, NVUE removes the cumulus user. If you are logged in as the cumulus user when you run the nv config apply empty command, the command fails. | 5.9.0-5.16.1 | | | [3861745](#3861745)
| On UEFI hardware (where the /sys/firmware/efi directory exists), using the update-grub program might generate a /boot/grub/grub.cfg that is incorrect for booting ONIE if the ONIE option is selected on the console while booting. To work around this issue, run mount LABEL="EFI System" /boot/efi before using update-grub. | 5.9.0-5.16.1 | | | [3855796](#3855796)
| When configuring a Unicast Master Table for clients, the server addresses must be reachable and the route to the destination must exist. The unicast table can have one directly-connected port for a client. This restriction is only for directly connected ports and doesn't apply to Unicast Servers on other devices or switches. | 5.9.0-5.16.1 | | @@ -193,17 +193,17 @@ pdfhidden: True | [3637444](#3637444)
| Applying an inbound control plane ACL on the eth0 management interface does not take effect. To work around this issue, apply the ACL on the mgmt interface; for example, nv set interface mgmt acl inbound control-plane. | 5.7.0-5.16.1 | | | [3591918](#3591918)
| The nv action disconnect system aaa user command does not clear all open sessions. To work around this issue, run the command as many times as the number of sessions. | 5.6.0-5.16.1 | | | [3587393](#3587393)
| If you use the NVIDIA SN5600 (Spectrum-4) switch with Ixia test equipment, you might experience delayed link up due to intermittent link flaps.
To work around this issue when using copper cables:
  • Use Ixia IxOS version 9.37 with HF002156, or version 9.39 or later.
  • Use the DAC cable on ports 10 through 50.
  • Use NVIDIA cables with the recommended firmware revision.
  • Configure AN on the Cumulus Linux switch and AN/LT on Ixia.

To work around this issue when using fiber cables:
  • Configure 800g/Force.
  • Use the recommended NVIDIA optical adapters.
| 5.6.0-5.16.1 | | -| [3556762](#3556762)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | +| [3556762, 3463827](#3556762, 3463827)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | | [3540510](#3540510)
| 400Gx8 ports only support traffic line rate with packets that are larger than 172 bytes. | 5.6.0-5.16.1 | | -| [3538321](#3538321)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | +| [3538321, 3564344](#3538321, 3564344)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | | [3497622](#3497622)
| When you remove PSUs, then plug them back in, you might experience traffic loss and some ports might be in a down state. | 5.6.0-5.16.1 | | | [3472163](#3472163)
| On a switch with the Spectrum-4 ASIC, packets that are smaller than 256 bytes are not included in multicast flows. Multicast flows support packets that are 256 bytes or larger. | 5.6.0-5.16.1 | | | [3444490](#3444490)
| Migration from ONYX to Cumulus Linux is supported and tested with ONYX version 3.10.4302 GA only. | 5.6.0-5.16.1 | | -| [3442569](#3442569)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | -| [3430430](#3430430)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | -| [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | +| [3442569, 3520880, 3586421](#3442569, 3520880, 3586421)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | +| [3430430, 3337848](#3430430, 3337848)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | +| [3424967, 3413785](#3424967, 3413785)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [3414866](#3414866)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | +| [3414866, 3536555, 4465009, 4509253, 4732973](#3414866, 3536555, 4465009, 4509253, 4732973)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | | [3362113](#3362113)
| If you restore an NVUE startup.yaml file or run the nv config patch command after an upgrade that includes breakout ports with QoS configuration, the NVUE configuration fails to apply. Subsequent attempts to run nv config apply fail with a message similar to Invalid config [rev_id: 11] qos config is not supported on the following invalid interface: swp1s0. Supported on swp and bond interface types. To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. | 5.4.0-5.16.1 | | | [3347538](#3347538)
| When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.16.1 | | | [3341214](#3341214)
| If you use the NVUE REST API to configure a local user with a hashed password, the user cannot log in and the /etc/nvue.d/startup.yaml file shows the password as plain text. | 5.4.0-5.16.1 | | @@ -213,10 +213,10 @@ pdfhidden: True | [3253218](#3253218)
| Auto-negotiation isn't supported on Spectrum-2 and Spectrum-3 switches using the 1G SFP-T module; FORCE 1G is configured instead. | 5.4.0-5.16.1 | | | [3241567](#3241567)
| When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time. | 5.3.0-5.16.1 | | | [3226506](#3226506)
| The l1-show eth0 command does not show port information and is not supported in this release. | 5.3.0-5.16.1 | | -| [3225117](#3225117)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | +| [3225117, 3158720](#3225117, 3158720)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | | [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.16.1 | | | [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.16.1 | | -| [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | +| [3145869, 3430508, 3543102](#3145869, 3430508, 3543102)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | | [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example: 
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.16.1 | | | [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.16.1 | | | [3103821](#3103821)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.16.1 | | @@ -226,8 +226,8 @@ pdfhidden: True | [3061656](#3061656)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.16.1 | | | [2972540](#2972540)
| With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.16.1 | | | [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.16.1 | | -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [2885305](#2885305)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2885305, 2887500, 3234087, 3074929, 3293192](#2885305, 2887500, 3234087, 3074929, 3293192)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.16.1 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.16.1 | | | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | @@ -247,7 +247,7 @@ pdfhidden: True | [4963280](#4963280)
| Under certain scale scenarios, the switch might end up in a state where the PTM component's connection to LLDP breaks. This issue results in LLDP socket contention issues and, in turn, a PTM memory leak. | 5.9.1-5.16.1 | | | [4963277](#4963277)
| When many BFD sessions are configured at scale, ptmd might crash when one of the BFD sessions flaps. | 5.3.1-5.16.1 | | | [4930152](#4930152)
| When you configure layer 3 SVI interfaces with an anycast gateway (VRR) IP address only and no unique IP address, the connected route for the subnet is not programmed in the ASIC, causing packets destined for locally connected hosts to drop after decapsulation. | 5.11.3-5.16.1 | | -| [4918342](#4918342)
| In rare circumstances, the switch stops streaming telemetry data for interface counters, buffers, or PHY. | 5.13.0-5.16.1 | | +| [4918342, 4641291](#4918342, 4641291)
| In rare circumstances, the switch stops streaming telemetry data for interface counters, buffers, or PHY. | 5.13.0-5.16.1 | | | [4895501](#4895501)
| Adding vlan 1 as a tagged VLAN to a newly created MLAG bond fails if no previous VLANs are configured on the MLAG bond. | 5.13.0-5.16.1 | | | [4895298](#4895298)
| When you configure BGP dynamic neighbors and default-originate with a route map, the default route stops being advertised to those neighbors after an FRR restart, reboot, or after the BGP session re-establishes (after a link flap or a hard clear on the peer). To work around this issue and to ensure that the default route advertises correctly, remove, then readd the default-originate with the route map command or toggle default-route-origination off, then on. | 5.11.5-5.16.1 | | | [4885553](#4885553)
| If ZTP uses a proxy server for image download using onie-install, the image install fails with signing issues. | 5.12.0-5.16.1 | | @@ -257,8 +257,8 @@ pdfhidden: True | [4789562](#4789562)
| A switch running Nvidia Cumulus Linux may improperly forward routed packets out of an access port or on the native vlan of a trunk with an 802.1Q tag imposed on the packet. | 5.12.1-5.15.1 | 5.16.0-5.16.1| | [4789097](#4789097)
| The switch deletes a static blackhole route even when the blackhole type specified in the delete command does not match the configured type. | 5.9.4-5.15.1 | 5.16.0-5.16.1| | [4771521](#4771521)
| Layer 3 multicast traffic does not forward when OMF (Optimized Multicast Flooding) and PIM is enabled. To work around this issue, flap the router port. | 5.9.2-5.15.1 | 5.16.0-5.16.1| -| [4751060](#4751060)
| If the switch filesystem is overloaded or memory is exhausted, you see very slow responses from the filesystem and the SDK might fail with a fatal error similar to:
sxd_kernel: Health-Check: new failure (dev=1, severity='Fatal', cause=10 ['SDK thread issue'], irisc=255, desc='Health check: SDK thread [sxSniffer] TID [0x7f81cffff6c0] bit [4] does not respond [5] seconds')
| 5.12.0-5.15.1 | 5.16.0-5.16.1| -| [4748176](#4748176)
| Unsupported hardware modules might cause SDK and firmware health event and traffic loss. | 5.12.1-5.15.1 | 5.16.0-5.16.1| +| [4751060, 4637733](#4751060, 4637733)
| If the switch filesystem is overloaded or memory is exhausted, you see very slow responses from the filesystem and the SDK might fail with a fatal error similar to:
sxd_kernel: Health-Check: new failure (dev=1, severity='Fatal', cause=10 ['SDK thread issue'], irisc=255, desc='Health check: SDK thread [sxSniffer] TID [0x7f81cffff6c0] bit [4] does not respond [5] seconds')
| 5.12.0-5.15.1 | 5.16.0-5.16.1| +| [4748176, 4662528, 4652420](#4748176, 4662528, 4652420)
| Unsupported hardware modules might cause SDK and firmware health event and traffic loss. | 5.12.1-5.15.1 | 5.16.0-5.16.1| | [4729839](#4729839)
| In an MLAG configuration, when you reboot the primary MLAG switch with PVRST spanning tree mode configured on both MLAG switches, PVRST mode briefly changes to RSTP, then back to PVRST when the primary switch comes back up. | 5.11.3-5.15.1 | 5.16.0-5.16.1| | [4722680](#4722680)
| If you install RADIUS client packages when rolling back a two partition upgrade, the /var/lib/nvue, /var/lib/ntpsec, and /var/lib/snmp directories might have incorrect ownership after rollback and the nvued service might fail to start up. To work around this issue, run the following commands:
sudo chown -R nvue /var/lib/nvue
sudo chown -R ntpsec /var/lib/ntpsec
sudo chown -R Debian-snmp /var/lib/snmp
sudo reboot
| 5.11.4-5.16.1 | | | [4722539](#4722539)
| Optimized image upgrade with warm boot mode is supported in Cumulus Linux 5.13 and later. When you try to run the nv action boot-next command during optimized image upgrade in Cumulus Linux 5.12 and earlier to any target release while the system is in warm boot mode, the boot-next operation fails with the following error:
cumulus@switch:~$ nv action boot-next system image other
Error: Action failed with the following issue:>br>
 Failed to set boot-next due to Unknown error

To work around this issue, verify system boot mode with the nv show system reboot command before you perform optimized image upgrade and switch to cold boot mode if necessary with the nv set system reboot mode cold command. You can then proceed with the optimized image upgrade boot-next operation. | 5.11.4-5.15.1 | 5.16.0-5.16.1| @@ -279,7 +279,7 @@ pdfhidden: True | [4608614](#4608614)
| When setting up SSH keys, you have to run nv config apply twice for the configuration to take effect. | 5.11.3-5.16.1 | | | [4605303](#4605303)
| The downstream VNI software VXLAN encapsulation path does not derive the source IP address of the outer IP header properly. Instead of using the defined vxlan-local-tunnelip under the loopback interface, it uses the underlay interface on which the packet egresses the VTEP. In a mixed vendor environment, this might lead to a drop on the decapsulating VTEP if it is not an Nvidia Cumulus Linux switch. To work around this issue, use symmetric VNI configuration instead of downstream VNI or use downstream VNI with an unnumbered underlay. | 5.13.0-5.14.0 | 5.15.0-5.16.1| | [4582679](#4582679)
| If a node has Suppress Route Advertisement enabled and routes are re-learned; for example, when a peer sends the route again due to route policy changes, or you enable or disable graceful shutdown, not all routes are offloaded, which might cause discrepancies in traffic. | 5.9.4-5.16.1 | | -| [4579237](#4579237)
| If interface statistics telemetry is running on the switch, an interface_stats_collector core file might generate during statistics collection. | 5.11.3-5.16.1 | | +| [4579237, 4579234](#4579237, 4579234)
| If interface statistics telemetry is running on the switch, an interface_stats_collector core file might generate during statistics collection. | 5.11.3-5.16.1 | | | [4562806](#4562806)
| When there is a very high volume of MLD traffic in a VXLAN environment, the switch CPU and control protocols might be impacted. | 5.12.0-5.14.0 | 5.15.0-5.16.1| | [4555938](#4555938)
| When one of the FRR processes such as bgpd or zebra goes down, watchfrr tries to restart those processes and also restarts the routing telemetry service, which blocks watchfrr causing cascading failures on other processes. | 5.12.0-5.13.1 | 5.14.0-5.16.1| | [4548512](#4548512)
| When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface vlan10, the route might install against vlan10-v0. This prevents next-hop tracking and route installation into hardware.
This issue can occur in the following conditions:
  • When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.
  • In an MLAG and VRR configuration, static routes fail to install when the route is resolved through a connected route and the interface of the connected route undergoes a link state change for any reason, such as link flaps, interface bring-up, clagd restart, switchd restart, etc.

To work around this issue, restart the FRR service using the sudo systemctl restart frr.service command. | 5.11.0-5.16.1 | | @@ -291,18 +291,18 @@ pdfhidden: True | [4535749](#4535749)
| The uc-discards field in the nv show interface counters qos egress-queue-stats command output is actually the number of packets discarded per queue, but it is wrongly interpreted as bytes. To work around this issue, convert the data shown in bytes to packets by multiplying by 1024 if the data is in KB, 1024x1024 if the data is in MB, and 1024x1024x1024 if the data is in GB. | 5.11.0-5.16.1 | | | [4535699](#4535699)
| When you configure the RADIUS authentication order with local first and radius second, the RADIUS user is authenticated as a default user name. | 5.11.3-5.16.1 | | | [4535696](#4535696)
| When you configure the RADIUS authentication order with local first and radius second, the RADIUS user is authenticated as a default user name. | 5.12.1-5.16.1 | 5.9.4| -| [4531952](#4531952)
| When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface vlan10, the route might install against vlan10-v0. This prevents next-hop tracking and route installation into hardware.
This issue can occur in the following conditions:
  • When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.
  • In an MLAG and VRR configuration, static routes fail to install when the route is resolved through a connected route and the interface of the connected route undergoes a link state change for any reason, such as link flaps, interface bring-up, clagd restart, switchd restart, etc.

To work around this issue, restart the FRR service using the sudo systemctl restart frr.service command. | 5.11.1-5.13.1 | 5.14.0-5.16.1| +| [4531952, 4518822](#4531952, 4518822)
| When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface vlan10, the route might install against vlan10-v0. This prevents next-hop tracking and route installation into hardware.
This issue can occur in the following conditions:
  • When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.
  • In an MLAG and VRR configuration, static routes fail to install when the route is resolved through a connected route and the interface of the connected route undergoes a link state change for any reason, such as link flaps, interface bring-up, clagd restart, switchd restart, etc.

To work around this issue, restart the FRR service using the sudo systemctl restart frr.service command. | 5.11.1-5.13.1 | 5.14.0-5.16.1| | [4531104](#4531104)
| On a switch with SDK 4.6.1062 or earlier, you might see FW fatal health events. | 5.6.0-5.13.1 | 5.14.0-5.16.1| | [4521203](#4521203)
| The SATA driver on the NVIDIA SN2410 switch sometimes exhibits failures similar to the following:
2025-06-20T20:03:38.785966+09:00 S1-RF10B kernel: 
[49878794.456350] ata1.00: failed command: WRITE FPDMA QUEUED
2025-06-20T20:03:38.785968+09:00 S1-RF10B kernel: [49878794.461984] ata1.00: cmd
61/08:08:50:2b:c4/00:00:01:00:00/40 tag 1 ncq dma 4096 out
2025-06-20T20:03:38.785970+09:00 S1-RF10B kernel: [49878794.461984] res 40/00:0c:50:2b:c4/00:00:01:00:00/40 Emask 0×10 (ATA bus error)

To work around this issue, power cycle the switch. | 5.5.1-5.13.1 | 5.14.0-5.16.1| | [4517549](#4517549)
| If you use TACACS on the default VRF while using multiple switch ports (ECMP) to reach the TACACS server, Cumulus Linux only allows you to configure a single port, even though there are multiple ports to reach the server. When configuring the single port, you see issues such as long delays to login, authentication failures, sudo command failures after login, username changes to an unknown tacacsNN user on the shell prompt. | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4516848](#4516848)
| The nv show system health command output might show status-led amber and rasdaemon inactive due to a failed rasdaemon start even though the actual system status LED is green. | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4513849](#4513849)
| After upgrading from Cumulus Linux 5.12 on the NVIDIA SN5400 switch bonus port, PTP does not converge. To work around this issue, disable, then enable the bonus port after upgrade. | 5.13.0-5.16.1 | | -| [4509255](#4509255)
| In PTP two-step, the hardware incorrectly modifies the SYNC message correction field. | 5.12.0-5.16.1 | | +| [4509255, 4546858](#4509255, 4546858)
| In PTP two-step, the hardware incorrectly modifies the SYNC message correction field. | 5.12.0-5.16.1 | | | [4509053](#4509053)
| When the default route is available through a floating static route (admin distance 254) and through an eBGP learned route where the next hop is the eBGP peer, the route that comes up first (the floating static) becomes the best path, even though the BGP learned route is presented as the best path after the neighbor comes up. To work around this issue, set the nv set vrf router bgp peer-group nexthop-connected-check off command in NVUE or configure neighbor disable-connected-check in vtysh. | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4508830](#4508830)
| Cumulus Linux allows you to add bond ports of mismatched speeds (such as 10G and 25G) to the same LACP bond without error and the bond reports UP. | 5.11.2-5.16.1 | | | [4502199](#4502199)
| The TFTP client drops packets due to default firewall rules. | 5.13.0-5.13.1 | 5.9.4, 5.14.0-5.16.1| | [4499025](#4499025)
| You see a high volume of NAT and NFCT errors flooding switchd logs. This issue has no functional impact. | 5.11.2-5.16.1 | | -| [4495383](#4495383)
| NVUE configuration yaml file translation converts unset commands to set commands because the translation logic expects only set commands. | 5.13.0-5.16.1 | | +| [4495383, 4493988](#4495383, 4493988)
| NVUE configuration yaml file translation converts unset commands to set commands because the translation logic expects only set commands. | 5.13.0-5.16.1 | | | [4495231](#4495231)
| If the hardware clock date is later than 2038-01-19 03:14:07 UTC, the image might fail to install due to a grub-install failure on the EFI filesystem, which is a VFAT filesystem. As a result, you see the grub prompt immediately after reboot. To work around this issue, reboot from the grub prompt to go into ONIE. From ONIE, use the date command to set a date before 2038-01-19, then run the hwclock --systohc command to add it to the hardware clock. You can then use onie-nos-install to install the image. | 5.9.0-5.16.1 | | | [4493540](#4493540)
| The CBS field in the nv show system control-plane policer command output might not show the configured value. | 5.13.0-5.13.1 | 5.9.4, 5.14.0-5.16.1| | [4486200](#4486200)
| If you enable dynamic NAT and try to install two identical dynamic NAT rules, switchd might crash. | 5.11.2-5.13.1 | 5.14.0-5.16.1| @@ -313,11 +313,11 @@ pdfhidden: True | [4475111](#4475111)
| When you try to convert a layer 3 port that is part of ECMP to a bond member, you might see a failure in the switchd logs. This issue does not have any functional impact. | 5.11.2-5.16.1 | 5.9.4| | [4475074](#4475074)
| The SN5610 switch records a High FEC Bin Error at room temperature. | 5.13.0-5.16.1 | 5.11.2| | [4474924](#4474924)
| The nv config show -o commands command displays numbered BGP neighbors in IP address range format; however, the nv set commands fail for BGP numbered neighbors configured in IP address ranges. | 5.13.0-5.13.1 | 5.14.0-5.16.1| -| [4472414](#4472414)
| After you modify the IP address of an SVI, DHCP relay uses an old cached IP address instead of the changed IP address. This occurs because DHCP relay monitors the link state change not IP address change. | 5.11.0-5.14.0 | 5.15.0-5.16.1| +| [4472414, 4621451](#4472414, 4621451)
| After you modify the IP address of an SVI, DHCP relay uses an old cached IP address instead of the changed IP address. This occurs because DHCP relay monitors the link state change not IP address change. | 5.11.0-5.14.0 | 5.15.0-5.16.1| | [4471932](#4471932)
| ERSPAN is not generated with the intended VLAN tag but is always sent out untagged. If the interface is a trunk port or a subinterface, the peer might discard these packets. | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4469479](#4469479)
| If you use NVUE to unset an extremely large IP prefix list (around 50K), the command might time out when unconfiguring FRR. As a result, you see the message Failure during apply. Ignore? [y/N] and the FRR service stops. | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4469349](#4469349)
| When you try to import an invalid server certificate file, Cumulus Linux does not import the certificate file but fails to show an error message. | 5.13.0-5.13.1 | 5.14.0-5.16.1| -| [4467245](#4467245)
| Transceiver channel power values in dBm reported through streaming telemetry protocols such as OTLP and GNMI are imprecise and are rounded to whole numbers. The NVUE nv show platform transceiver command or Linux ethtool -m command provides more precise, floating-point values. | 5.13.0-5.13.1 | 5.14.0-5.16.1| +| [4467245, 4417072](#4467245, 4417072)
| Transceiver channel power values in dBm reported through streaming telemetry protocols such as OTLP and GNMI are imprecise and are rounded to whole numbers. The NVUE nv show platform transceiver command or Linux ethtool -m command provides more precise, floating-point values. | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4466525](#4466525)
| Radius priority values can range between 1 and 8; however Cumulus Linux allows you to configure an invalid priority. | 5.12.0-5.13.1 | 5.14.0-5.16.1| | [4461102](#4461102)
| In certain cases, when a port is down and you apply adaptive routing with the link utilization threshold setting to the port as it goes up, you might see log errors while the port is not yet up. | 5.11.0-5.13.1 | 5.14.0-5.16.1| | [4457165](#4457165)
| When a spine switch reboots and comes back online, leaf switches might cause prolonged convergence times due to premature traffic forwarding. The leaf switch immediately begins ECMP load-balancing traffic to the recovered spine before the spine has fully programmed its routing tables, resulting in dropped traffic during route convergence on the spine. | 5.13.0-5.13.1 | 5.14.0-5.16.1| @@ -325,7 +325,7 @@ pdfhidden: True | [4447797](#4447797)
| When you remove an FRU, such as a PSU, from the switch, stale statistical data from the component is still reported over GNMI and OTLP. | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4447794](#4447794)
| The gNMI value for the sensor alarm-status shows incorrectly. For a raised alarm, the alarm-status is True(1) but normally functioning sensors also show True(1). | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4447661](#4447661)
| During link down events affecting a subset of local links, switchd might observe extra route deletions due to timing mismatches between Zebra and kernel processing of Next Hop Group (NHG) changes. Routes should transition directly from one NHG to another, but instead get temporarily deleted and reinstalled, causing unnecessary churn. Zebra logs might show Extended Error: Nexthop id does not exist messages during partial link down scenarios
| 5.13.0-5.13.1 | 5.14.0-5.16.1| -| [4443870](#4443870)
| When running tens of thousands of nv set commands, the /var/lib/nvue directory might grow to several GBs in size, potentially using all the disk space. To work around this issue, run the following commands to reduce the disk space in the /var/lib/nvue directory:
cumulus@switch:~$ sudo su
cumulus@switch:~$ cd /var/lib/nvue/config
cumulus@switch:~$ git gc
| 5.13.0-5.13.1 | 5.11.2, 5.14.0-5.16.1| +| [4443870, 4461303](#4443870, 4461303)
| When running tens of thousands of nv set commands, the /var/lib/nvue directory might grow to several GBs in size, potentially using all the disk space. To work around this issue, run the following commands to reduce the disk space in the /var/lib/nvue directory:
cumulus@switch:~$ sudo su
cumulus@switch:~$ cd /var/lib/nvue/config
cumulus@switch:~$ git gc
| 5.13.0-5.13.1 | 5.11.2, 5.14.0-5.16.1| | [4440766](#4440766)
| When you try to delete a trusted ca key, Cumulus Linux shows an incorrect error message. To remove a trusted ca key, you must unset the key ID, not the key literal. | 5.13.0-5.16.1 | | | [4438933](#4438933)
| When gNMI subscription and configuration changes to an interface occur simultaneously, the interface statistics process can crash and leave a core file. | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4438681](#4438681)
| Available file descriptors might reduce due to incorrect handing in NVUE error paths causing NVUE requests to fail. To work around this issue, restart the NVUE service. | 5.13.0 | 5.13.1-5.16.1| @@ -333,7 +333,7 @@ pdfhidden: True | [4427224](#4427224)
| The nv show interface command output shows the operational status as down for a link flap error disabled state instead of the real protodown reason. To work around this issue, run the nv show interface status command, which shows if any of the interfaces are protodown with the protodown reason. | 5.12.0-5.13.1 | 5.14.0-5.16.1| | [4427085](#4427085)
| cl-route-check fails if there are INCOMPLETE entries in the Kernel neighbor table. | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4425299](#4425299)
| After upgrading from Cumulus Linux 5.12 to 5.13 on the NVIDIA SN5400 switch bonus port, PTP does not converge. To work around this issue, disable, then enable the bonus port after upgrade. | 5.13.0-5.13.1 | 5.9.4, 5.14.0-5.16.1| -| [4425288](#4425288)
| When gNMI streaming is enabled on the switch, Cumulus Linux generates a cl-support file the first time you perform an FRR operation that reloads or restarts the FRR service (such as remove or add a neighbor or add or modify static routes). | 5.13.0-5.13.1 | 5.14.0-5.16.1| +| [4425288, 4423331, 4426775, 4413508](#4425288, 4423331, 4426775, 4413508)
| When gNMI streaming is enabled on the switch, Cumulus Linux generates a cl-support file the first time you perform an FRR operation that reloads or restarts the FRR service (such as remove or add a neighbor or add or modify static routes). | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4423368](#4423368)
| When all links go down or the switch reboots, you see next hop group churn from Zebra to the SOO next hop group. This issue might cause some convergence degradation. | 5.12.0-5.16.1 | | | [4423360](#4423360)
| After a remote link flap, neighbor entries using the link might not get resolved immediately. Only when some traffic uses the nexthop will they be resolved. | 5.12.0-5.16.1 | | | [4423352](#4423352)
| ZTP scripts return an error due to incorrect ASCI to UTF-8 conversion. | 5.11.0-5.16.1 | | @@ -343,17 +343,17 @@ pdfhidden: True | [4423244](#4423244)
| When you enable, then disable adaptive routing, the BGP neighbors might go down because of an unresolved MAC address. To work around this issue, configure another attribute on the interface. | 5.9.0-5.16.1 | | | [4423235](#4423235)
| The snmpd service generates debugging logs of sudo calls. To work around this issue, disable sudo logging for the specific commands run by the Debian-snmp user in the /etc/sudoers.d/snmp file by adding Defaults:Debian-snmp !syslog. | 5.11.0-5.16.1 | | | [4423175](#4423175)
| When you configure an API port with a TCP port already in use, the nginx server fails to restart. | 5.13.0-5.16.1 | | -| [4414935](#4414935)
| Interface counters retrieved from the kernel are not reset when switchd restarts. These kernel counters are inconsistent with other telemetry counters that do reset when switchd restarts. | 5.13.0-5.13.1 | 5.14.0-5.16.1| +| [4414935, 4320281](#4414935, 4320281)
| Interface counters retrieved from the kernel are not reset when switchd restarts. These kernel counters are inconsistent with other telemetry counters that do reset when switchd restarts. | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4413589](#4413589)
| A MAC-only EVPN type-2 route is wrongly advertised with the layer 3 VNI label in the BGP NLRI (Network Layer Reachability Information). Although this does not have any functional impact, it is not the desired RFC behavior. | 5.13.0-5.16.1 | | -| [4413450](#4413450)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.11.1, 5.13.0-5.13.1 | 5.11.2, 5.14.0-5.16.1| +| [4413450, 4497128](#4413450, 4497128)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.11.1, 5.13.0-5.13.1 | 5.11.2, 5.14.0-5.16.1| | [4408549](#4408549)
| UMF processes do not include log rotation and the logs can grow very large causing operational failures when you generate cl-support files and run the nv config apply command. | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4408387](#4408387)
| BGP crashes during EVPN route install due to incorrect memory access. | 5.11.0-5.13.1 | 5.14.0-5.16.1| -| [4393369](#4393369)
| If you generate a cl-support file after configuring a breakout port, the syslog file includes errors due to a statistic collection failure for stale ports. This issue has no functional impact. | 5.13.0-5.13.1 | 5.14.0-5.16.1| +| [4393369, 4461301](#4393369, 4461301)
| If you generate a cl-support file after configuring a breakout port, the syslog file includes errors due to a statistic collection failure for stale ports. This issue has no functional impact. | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4389433](#4389433)
| On switches with ONIE 5.3.0012 (might be displayed as 2023.11-5.3.0012-115200), reinstalling Cumulus Linux with onie-install when SecureBoot is enabled fails during CMS verification of a found image.
To determine the ONIE version on the switch:
sudo mount LABEL="ONIE-BOOT" /mnt
/mnt/onie/tools/bin/onie-version
If the ONIE version is earlier than 5.3.0012 (might be displayed as 2023.11-5.3.0012-115200), either disable SecureBoot during reinstallation, or if SecureBoot is enabled and ONIE finds the image on one of the disks (for example, /dev/sda5), then fails CMS verification, log into the ONIE shell as root and run the following commands:
onie-stop
mkdir /$devname
mount $devname /$devname
onie-nos-install /$devname/onie-installer
| 5.12.0-5.13.1 | 5.14.0-5.16.1| -| [4386779](#4386779)
| When you start gNMI subscription from a remote client, interface rates reset and values start from 0. | 5.13.0-5.13.1 | 5.14.0-5.16.1| +| [4386779, 4321086](#4386779, 4321086)
| When you start gNMI subscription from a remote client, interface rates reset and values start from 0. | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4372795](#4372795)
| With high SSH scale you might see LTTNG high memory usage errors causing an out of memory condition. | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4370954](#4370954)
| After enabling, then disabling truncation on a SPAN session, truncated packets are still received on the SPAN destination. To work around this issue, remove the SPAN session configuration, reboot the switch, then reconfigure the SPAN session without truncation. | 5.12.0-5.16.1 | | -| [4360826](#4360826)
| On rare occasions, when you run the NVUE nv config apply command, switchd crashes, then restarts after the crash and resumes its normal flow of operation. | 5.13.0-5.13.1 | 5.14.0-5.16.1| +| [4360826, 4445857](#4360826, 4445857)
| On rare occasions, when you run the NVUE nv config apply command, switchd crashes, then restarts after the crash and resumes its normal flow of operation. | 5.13.0-5.13.1 | 5.14.0-5.16.1| | [4341806](#4341806)
| The BGP uptime differs between vtysh and NVUE command output. | 5.12.0-5.13.1 | 5.14.0-5.16.1| | [4337278](#4337278)
| In certain cases, statically configured VXLAN entries age out after a peerlink flap. | 5.12.0-5.16.1 | | | [4329931](#4329931)
| Cumulus Linux incorrectly allows SyncE and PPS to be enabled at the same time. Upgrading systems with both features configured using NVUE to 5.12.0 or later results in a failure to apply the startup configuration as part of the first boot of the upgraded version. To work around the issue, unset one of the features before you upgrade. | 5.12.0-5.16.1 | | @@ -365,30 +365,30 @@ pdfhidden: True | [4236419](#4236419)
| On the Spectrum-3 switch, the PTP offset for 25GbE fluctuates within a range of plus or minus 50 nanoseconds beyond the expected values. | 5.12.0-5.16.1 | | | [4214678](#4214678)
| Changes to open telemetry configuration or export states restarts the telemetry service and resets all health metrics. | 5.12.0-5.16.1 | | | [4177067](#4177067)
| When performing a package upgrade, nslcd installation might open an interactive dialog to configure nslcd.conf .
To avoid this interactive dialog, set the DEBIAN_FRONTEND environment variable to noninteractive. For example:
cumulus@switch:~$ sudo apt-get update
cumulus@switch:~$ sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold" upgrade
| 5.11.0-5.16.1 | | -| [4154839](#4154839)
| When you run certain SDK commands (such as sudo sx_api_port_counter_dump_all.py or sx_api_fdb_dump) first as the cumulus user, then with sudo, you see the following error:
PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt'

To resolve this issue, run the rm -rf /tmp/python_err_log.txt command. | 5.11.0-5.16.1 | | +| [4154839, 4280933, 4291934](#4154839, 4280933, 4291934)
| When you run certain SDK commands (such as sudo sx_api_port_counter_dump_all.py or sx_api_fdb_dump) first as the cumulus user, then with sudo, you see the following error:
PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt'

To resolve this issue, run the rm -rf /tmp/python_err_log.txt command. | 5.11.0-5.16.1 | | | [4142857](#4142857)
| The switch drops PTP packets received with extra ethernet padding and you see syslog [ptp4l.ERR] messages. | 5.10.0-5.16.1 | | -| [4139511](#4139511)
| When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue.
[ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds
[ 1903.846724] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.852689] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.861573] hwmon hwmon28: Failed to query module temperature
| 5.11.0-5.16.1 | | +| [4139511, 4184813, 4180112](#4139511, 4184813, 4180112)
| When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue.
[ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds
[ 1903.846724] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.852689] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.861573] hwmon hwmon28: Failed to query module temperature
| 5.11.0-5.16.1 | | | [4134447](#4134447)
| The journal logs might include the error message ERR kernel: [ 7.453789] usb usb2-port2: connect-debounce failed. You can safely ignore this log message. | 5.11.0-5.16.1 | | | [4129757](#4129757)
| If you include a comma in the BGP community list, extended community list, or large community list regex expression of a routing policy, you see error messages and FRR reload fails. Make sure the regex expression does not contain a comma.
For example, instead of ^65550:([0-9]{1,2}\|[1-9][1-9]):.*$, specify ^65550:([0-9]\|[0-9][0-9]):.*$ and instead of ^65550:([0-4]{1,2}\|[7-9][8-9]):.*$, specify ^65550:([0-4]\|[0-4][0-4]\|[7-9][8-9]):.*$. | 5.11.0-5.16.1 | | -| [4124376](#4124376)
| The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier).
To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in Downgrade a Secure Boot Switch. | 5.11.0-5.16.1 | | +| [4124376, 4316163](#4124376, 4316163)
| The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier).
To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in Downgrade a Secure Boot Switch. | 5.11.0-5.16.1 | | | [4118970](#4118970)
| When running PTP, the performance for 100Gx2 and 400Gx8 can have a high offset in up to 1.5% of the sampling. | 5.11.0-5.16.1 | | -| [4105127](#4105127)
| Any sFlow configuration changes that require an hsflowd restart are operational only after an initial delay of 60 seconds. | 5.11.0-5.16.1 | | +| [4105127, 4796391](#4105127, 4796391)
| Any sFlow configuration changes that require an hsflowd restart are operational only after an initial delay of 60 seconds. | 5.11.0-5.16.1 | | | [4100629](#4100629)
| NVUE show command outputs show LLDP neighbor changes only after the LLDP update frequency multiplied by the hold time. | 5.11.0-5.16.1 | | | [4082210](#4082210)
| When you change the CPU resource limit with the nv set service control rsyslog resource-limit cpu command, the rsyslog agent does not start. To work around this issue, increase the CPU resource limit, then restart the service manually. | 5.11.0-5.16.1 | | | [4077921](#4077921)
| You cannot use package upgrade to upgrade from Cumulus Linux 5.9.2 to Cumulus Linux 5.10.1 or later. You must install the Cumulus Linux image instead. | 5.10.1-5.16.1 | | -| [4049213](#4049213)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | +| [4049213, 4186873](#4049213, 4186873)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | | [4047798](#4047798)
| Packet distribution based on ECMP hashing using GTP-TEID does not function as expected in an EVPN Clos topology. | 5.10.0-5.16.1 | | | [4030380](#4030380)
| When you roll back interface configuration to the default setting with the nv unset interface command, NVUE removes the complete entry for the interface from the /etc/network/interface file, and puts the interface in admin down. As a result, you cannot configure FEC on the interface at the lower layers. | 5.10.0-5.16.1 | | -| [4005422](#4005422)
| When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the systemctl enable ntpsec@ and systemctl restart ntpsec@ commands. | 5.10.0-5.16.1 | | +| [4005422, 4015452](#4005422, 4015452)
| When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the systemctl enable ntpsec@ and systemctl restart ntpsec@ commands. | 5.10.0-5.16.1 | | | [3985682](#3985682)
| On Spectrum-4 switches, multicast flows containing packets smaller than 512 bytes might not reach full line rate. Cumulus Linux supports 512 byte and larger multicast packets. | 5.10.0-5.16.1 | | | [3966312](#3966312)
| When connecting the SN5xxx switch to third party test equipment (such as IXIA) using copper cables at 100GbE, 200GbE, 400GbE, or 800GbE, links do not come up. | 5.10.0-5.16.1 | | | [3948068](#3948068)
| On the SN3700 and SN3700c switch, the nv show platform environment voltage command output shows a failed state for the PSU-n-12V-RAIL-OUT sensors. This is a known hardware limitation that cannot be corrected by the PSU vendor. | 5.10.0-5.16.1 | | | [3915878](#3915878)
| If you configure remote syslog export through a non-default VRF, you might see repeated error logs from the rsyslog process while the switch is booting:
rsyslogd: create UDP socket bound to device failed: No such device [v8.2302.0]rsyslogd: No UDP socket could successfully be initialized, some functionality may be disabled.  [v8.2302.0]

The logs occur because the rsyslog service starts before the networking service creates the configured VRF for syslog export. There is no functional impact with this issue. | 5.9.0-5.16.1 | | -| [3879809](#3879809)
| Spectrum-4 switches do not include full What Just Happened (WJH) support. | 5.9.0-5.13.1 | 5.14.0-5.16.1| +| [3879809, 4064254](#3879809, 4064254)
| Spectrum-4 switches do not include full What Just Happened (WJH) support. | 5.9.0-5.13.1 | 5.14.0-5.16.1| | [3879717](#3879717)
| Running snmpwalk on the switch with the management IP address does not work. To work around this issue, use the localhost option (snmpwalk -v 2c -c public28 localhost 1.3.6.1.2.1.14) or create a control plane ACL whitelist rule. | 5.10.0-5.16.1 | | | [3878394](#3878394)
| When ZTP runs a script that contains wget, ZTP fails and you see a message similar to the following:
ZTP: ZTP DHCP: Unexpected error: 'ascii' codec can't decode byte 0xe2 in position 181: ordinal not in range(128)ZTP: Script returned failure

To work around this issue, use the -q option with wget. | 5.9.0-5.16.1 | | | [3877516](#3877516)
| When you connect two NVIDIA switches and configure 400G speed in force mode, links don't come up.
To work around this issue, make sure auto-negotiation is always on when connecting NVIDIA to NVIDIA in PAM4. | 5.9.0-5.16.1 | | -| [3875687](#3875687)
| After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the Local Vtep Ip field of the nv show evpn vni command output. To work around this issue, either run the ifup command or reboot the switch. | 5.9.0-5.13.1 | 5.14.0-5.16.1| +| [3875687, 3879260, 4025900](#3875687, 3879260, 4025900)
| After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the Local Vtep Ip field of the nv show evpn vni command output. To work around this issue, either run the ifup command or reboot the switch. | 5.9.0-5.13.1 | 5.14.0-5.16.1| | [3875373](#3875373)
| When you run the nv config apply empty command, NVUE removes the cumulus user. If you are logged in as the cumulus user when you run the nv config apply empty command, the command fails. | 5.9.0-5.16.1 | | | [3861745](#3861745)
| On UEFI hardware (where the /sys/firmware/efi directory exists), using the update-grub program might generate a /boot/grub/grub.cfg that is incorrect for booting ONIE if the ONIE option is selected on the console while booting. To work around this issue, run mount LABEL="EFI System" /boot/efi before using update-grub. | 5.9.0-5.16.1 | | | [3855796](#3855796)
| When configuring a Unicast Master Table for clients, the server addresses must be reachable and the route to the destination must exist. The unicast table can have one directly-connected port for a client. This restriction is only for directly connected ports and doesn't apply to Unicast Servers on other devices or switches. | 5.9.0-5.16.1 | | @@ -403,17 +403,17 @@ pdfhidden: True | [3637444](#3637444)
| Applying an inbound control plane ACL on the eth0 management interface does not take effect. To work around this issue, apply the ACL on the mgmt interface; for example, nv set interface mgmt acl inbound control-plane. | 5.7.0-5.16.1 | | | [3591918](#3591918)
| The nv action disconnect system aaa user command does not clear all open sessions. To work around this issue, run the command as many times as the number of sessions. | 5.6.0-5.16.1 | | | [3587393](#3587393)
| If you use the NVIDIA SN5600 (Spectrum-4) switch with Ixia test equipment, you might experience delayed link up due to intermittent link flaps.
To work around this issue when using copper cables:
  • Use Ixia IxOS version 9.37 with HF002156, or version 9.39 or later.
  • Use the DAC cable on ports 10 through 50.
  • Use NVIDIA cables with the recommended firmware revision.
  • Configure AN on the Cumulus Linux switch and AN/LT on Ixia.

To work around this issue when using fiber cables:
  • Configure 800g/Force.
  • Use the recommended NVIDIA optical adapters.
| 5.6.0-5.16.1 | | -| [3556762](#3556762)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | +| [3556762, 3463827](#3556762, 3463827)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | | [3540510](#3540510)
| 400Gx8 ports only support traffic line rate with packets that are larger than 172 bytes. | 5.6.0-5.16.1 | | -| [3538321](#3538321)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | +| [3538321, 3564344](#3538321, 3564344)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | | [3497622](#3497622)
| When you remove PSUs, then plug them back in, you might experience traffic loss and some ports might be in a down state. | 5.6.0-5.16.1 | | | [3472163](#3472163)
| On a switch with the Spectrum-4 ASIC, packets that are smaller than 256 bytes are not included in multicast flows. Multicast flows support packets that are 256 bytes or larger. | 5.6.0-5.16.1 | | | [3444490](#3444490)
| Migration from ONYX to Cumulus Linux is supported and tested with ONYX version 3.10.4302 GA only. | 5.6.0-5.16.1 | | -| [3442569](#3442569)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | -| [3430430](#3430430)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | -| [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | +| [3442569, 3520880, 3586421](#3442569, 3520880, 3586421)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | +| [3430430, 3337848](#3430430, 3337848)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | +| [3424967, 3413785](#3424967, 3413785)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [3414866](#3414866)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | +| [3414866, 3536555, 4465009, 4509253, 4732973](#3414866, 3536555, 4465009, 4509253, 4732973)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | | [3362113](#3362113)
| If you restore an NVUE startup.yaml file or run the nv config patch command after an upgrade that includes breakout ports with QoS configuration, the NVUE configuration fails to apply. Subsequent attempts to run nv config apply fail with a message similar to Invalid config [rev_id: 11] qos config is not supported on the following invalid interface: swp1s0. Supported on swp and bond interface types. To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. | 5.4.0-5.16.1 | | | [3347538](#3347538)
| When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.16.1 | | | [3341214](#3341214)
| If you use the NVUE REST API to configure a local user with a hashed password, the user cannot log in and the /etc/nvue.d/startup.yaml file shows the password as plain text. | 5.4.0-5.16.1 | | @@ -423,10 +423,10 @@ pdfhidden: True | [3253218](#3253218)
| Auto-negotiation isn't supported on Spectrum-2 and Spectrum-3 switches using the 1G SFP-T module; FORCE 1G is configured instead. | 5.4.0-5.16.1 | | | [3241567](#3241567)
| When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time. | 5.3.0-5.16.1 | | | [3226506](#3226506)
| The l1-show eth0 command does not show port information and is not supported in this release. | 5.3.0-5.16.1 | | -| [3225117](#3225117)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | +| [3225117, 3158720](#3225117, 3158720)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | | [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.16.1 | | | [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.16.1 | | -| [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | +| [3145869, 3430508, 3543102](#3145869, 3430508, 3543102)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | | [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example: 
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.16.1 | | | [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.16.1 | | | [3103821](#3103821)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.16.1 | | @@ -436,8 +436,8 @@ pdfhidden: True | [3061656](#3061656)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.16.1 | | | [2972540](#2972540)
| With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.16.1 | | | [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.16.1 | | -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [2885305](#2885305)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2885305, 2887500, 3234087, 3074929, 3293192](#2885305, 2887500, 3234087, 3074929, 3293192)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.16.1 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.16.1 | | | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | @@ -447,22 +447,22 @@ pdfhidden: True ### Fixed Issues in 5.13.0 | Issue ID | Description | Affects | |--- |--- |--- | -| [4411453](#4411453)
| Zebra might crash when multiple interfaces flap rapidly with a large scale number of routes. This issue occurs because the next hop group hash comparison incorrectly treats distinct next hop groups as equal. I addition, the hashing logic currently uses only four bytes of the IPv6 address, which increases the likelihood of collisions and misidentification. Avoid rapidly flapping multiple interfaces when managing large scale routes. | | | -| [4404758](#4404758)
| Installing ssh keys for the cumulus user with NVUE fails and results in login failures. | 5.12.1 | | +| [4411453, 4408283, 4240003](#4411453, 4408283, 4240003)
| Zebra might crash when multiple interfaces flap rapidly with a large scale number of routes. This issue occurs because the next hop group hash comparison incorrectly treats distinct next hop groups as equal. I addition, the hashing logic currently uses only four bytes of the IPv6 address, which increases the likelihood of collisions and misidentification. Avoid rapidly flapping multiple interfaces when managing large scale routes. | | | +| [4404758, 4404759](#4404758, 4404759)
| Installing ssh keys for the cumulus user with NVUE fails and results in login failures. | 5.12.1 | | | [4403127](#4403127)
| When you use BGP prefix independent convergence (PIC) with IPv6, cl-route-check might show errors due to a discrepancy in the IPv4-mapped IPv6 SOO route string format across FRR and the kernel. This is a display-only issue and has no impact on routing functionality. | 5.12.0-5.12.1 | | | [4397962](#4397962)
| When you configure an API port with a TCP port already in use, the nginx server fails to restart. | | | -| [4391413](#4391413)
| After the switch reboots or switchd.service restarts, NVUE applied ERSPAN sessions do not work if the ERSPAN destination IP address is reachable through an MLAG bond. To work around this issue, remove the ERSPAN configuration and reapply it using NVUE. | 5.11.0-5.11.1 | | +| [4391413, 4391704](#4391413, 4391704)
| After the switch reboots or switchd.service restarts, NVUE applied ERSPAN sessions do not work if the ERSPAN destination IP address is reachable through an MLAG bond. To work around this issue, remove the ERSPAN configuration and reapply it using NVUE. | 5.11.0-5.11.1 | | | [4391394](#4391394)
| When using DHCP snooping , access ports do not work as trust ports or server connection ports . | 5.12.0-5.12.1 | | -| [4380671](#4380671)
| Slow bandwidth and traffic polarization occurs when you create a significant number of next hop groups with adaptive routing weighted equal cost multipath (W-ECMP). | 5.12.0-5.12.1 | | +| [4380671, 4363822](#4380671, 4363822)
| Slow bandwidth and traffic polarization occurs when you create a significant number of next hop groups with adaptive routing weighted equal cost multipath (W-ECMP). | 5.12.0-5.12.1 | | | [4378226](#4378226)
| On Spectrum-1a switches with IGMP snooping enabled, a multicast hardware programming failure might occur after interface flap or switch reboot events. You can observe this issue when log messages similar to the following are generated:
sx_sdk[18174]: ERROR   FDB: Usage API type can not be changed for 0x1003 fid.
sx_sdk[18174]: ERROR   FDB: Failed to __fdb_unreg_mc_flood_cfg_api_type_set , err: Command Unpermitted
switchd[19460]: hal_mlx_l2mc.c:1107 ERR VFID: 4099, Failed to set unregistered IPv4 MC mode FLOOD and attr MCC 0: Command Unpermitted
| 5.12.0-5.12.1 | | | [4377862](#4377862)
| When processing the static IP assignment for an interface previously managed through DHCP, Cumulus Linux fails to clean up the DHCP created state completely. As a result when the IP address assigned by DHCP earlier expires, the switch eventually loses connectivity. | 5.1.0-5.9.3 | | | [4373436](#4373436)
| The snmpd service generates debugging logs of sudo calls. To work around this issue, disable sudo logging for the specific commands run by the Debian-snmp user in the /etc/sudoers.d/snmp file by adding Defaults:Debian-snmp !syslog. | 5.11.0-5.11.1, 5.12.0-5.12.1 | | -| [4370702](#4370702)
| NVUE commands create excessive log data. To work around this issue, configure rsyslog rules to limit logging of these commands. | 5.11.0-5.11.1, 5.12.0-5.12.1 | | +| [4370702, 4360680](#4370702, 4360680)
| NVUE commands create excessive log data. To work around this issue, configure rsyslog rules to limit logging of these commands. | 5.11.0-5.11.1, 5.12.0-5.12.1 | | | [4370516](#4370516)
| NVUE fails when applying ERSPAN configuration on an MLAG peer. This failure occurs because ERSPAN does not support bond slave ports as analyzer ports but fails to validate the configuration. | 5.11.0-5.11.1 | | -| [4360676](#4360676)
| When you use onie-install to install an image with a preconfigured startup.yaml file, an issue with the ZTP infrastructure script results in certain interfaces being UP in the kernel and the lower layer but DOWN in NVUE or the /etc/network/interfaces file. | | | +| [4360676, 4395776](#4360676, 4395776)
| When you use onie-install to install an image with a preconfigured startup.yaml file, an issue with the ZTP infrastructure script results in certain interfaces being UP in the kernel and the lower layer but DOWN in NVUE or the /etc/network/interfaces file. | | | | [4360636](#4360636)
| When you assign an IP address to a VRF interface, NVUE removes the 127.0.0.1, 127.0.1.1, and ::1/128 IP addresses from VRF interfaces in the kernel. This results in traffic generated by the switch in the VRF destined to 127.0.0.1 to be sent out of the local device and onto the network. To work around this issue, when assigning an IP address to a VRF interface, also configure the following on the VRF interface to ensure that the expected functionality is maintained:
nv set vrf  loopback ip address 127.0.0.1/8
nv set vrf  loopback ip address 127.0.1.1/8
nv set vrf  loopback ip address ::/128
nv config apply -y
| 5.11.0-5.11.1 | | | [4360615](#4360615)
| The control plane trap group counters are not associated correctly with the right trap group. | 5.11.0-5.12.1 | | -| [4352307](#4352307)
| After a factory reset, the files in the /etc/pam.d/ directory might be incorrect, causing problems with password strength checking, TACACS+, RADIUS, and LDAP. To work around this issue, run the following command:
cumulus@switch:~$ sudo /usr/sbin/pam-auth-update --force --package
| 5.12.0-5.12.1 | | +| [4352307, 4210596](#4352307, 4210596)
| After a factory reset, the files in the /etc/pam.d/ directory might be incorrect, causing problems with password strength checking, TACACS+, RADIUS, and LDAP. To work around this issue, run the following command:
cumulus@switch:~$ sudo /usr/sbin/pam-auth-update --force --package
| 5.12.0-5.12.1 | | | [4347300](#4347300)
| When all links go down or the switch reboots, you see next hop group churn from Zebra to the SOO next hop group. This issue might cause some convergence degradation. | 5.12.0-5.12.1 | | | [4347029](#4347029)
| When you use the NVUE nv set qos congestion-control traffic-class min-threshold-bytes command to set an ECN Profile, you must configure the minimum threshold according to the platform:
On the Spectrum-4 switch, the cell-size is 192 bytes. The minimum buffer must be a multiple of 64; therefore, the initial value is 192*64 (12KB).
On the Spectrum-3 switch, the cell-size is 144 bytes. The minimum size is 144*64 (9KB). | 5.12.0-5.12.1 | | | [4341508](#4341508)
| When you configure the switch to move to warm restart mode, the message does not clearly indicate that the reboot to get the switch into warm mode is not hitless. | 5.11.0-5.11.1 | | @@ -471,9 +471,9 @@ pdfhidden: True | [4340528](#4340528)
| After enabling, then disabling truncation on a SPAN session, truncated packets are still received on the SPAN destination. To work around this issue, remove the SPAN session configuration, reboot the switch, then reconfigure the SPAN session without truncation. | 5.12.0-5.12.1 | | | [4335287](#4335287)
| ERSPAN does not work when the ERSPAN destination IP address is reachable over SVIs and layer 2 bonds. To work around this issue, make the ERSPAN destination IP address reachable over layer 3 swps or bond interfaces. | 5.11.0-5.11.1, 5.12.0-5.12.1 | | | [4335117](#4335117)
| Under rare circumstances, firmware on an NVIDIA SN3700 switch can get locked up, which leads to the switchd process going down. | 5.12.0-5.12.1 | | -| [4328729](#4328729)
| When sending control packets that have the port range 259 through 1023 in their TX base header system target (above cap_max_system_ports and below cap_ports used for LAG forwarding), a fatal health event occurs on the switch. The port range 259 through 1023 reflects illegal system ports; do not set these values in the control packet TX base header. As this range reflects illegal system ports, do not set these values in the control packet TX base header, as it will be dropped. | 5.10.1-5.12.1 | | +| [4328729, 4261676](#4328729, 4261676)
| When sending control packets that have the port range 259 through 1023 in their TX base header system target (above cap_max_system_ports and below cap_ports used for LAG forwarding), a fatal health event occurs on the switch. The port range 259 through 1023 reflects illegal system ports; do not set these values in the control packet TX base header. As this range reflects illegal system ports, do not set these values in the control packet TX base header, as it will be dropped. | 5.10.1-5.12.1 | | | [4328029](#4328029)
| If you apply an NVUE snippet affecting the /etc/cumulus/datapath/traffic.conf file, the snippet might fail the consistency check, resulting in a failed snippet apply. | 5.11.0-5.11.1 | | -| [4320729](#4320729)
| When toggling the bridge binding flag on an SVI from ON to OFF, the SVI might not come operationally UP if it was DOWN previously from the bridge binding flag. | 5.11.0-5.11.1 | | +| [4320729, 4322632, 4391362](#4320729, 4322632, 4391362)
| When toggling the bridge binding flag on an SVI from ON to OFF, the SVI might not come operationally UP if it was DOWN previously from the bridge binding flag. | 5.11.0-5.11.1 | | | [4318464](#4318464)
| When connecting two NVIDIA devices using DAC in auto-negotiation mode with 100GbE R1 (one lane) port speed, the link goes down. To avoid this issue, use firmware version xx.2014.3xxx and above on both sides. | 5.12.0-5.12.1 | | | [4318313](#4318313)
| When you enable PFC watchdog, telemetry histograms, and 802.1x with NVUE, then upgrade the switch to Cumulus Linux 5.12 followed by a warm reboot, the switch crashes when a cl-support file is created or by certain sx_api requests. You see error logs in the SDK continuously because the switch collects interface statistics every one second. To work around this issue, reboot the switch. | 5.10.1-5.11.1 | | | [4299350](#4299350)
| SVIs do not go down even when all the bridge ports on the corresponding VLAN are down because the vlan-bridge-binding option default setting is off for all the SVIs responsible for bringing down the SVI when all the ports on the corresponding VLAN are down. To work around this issue, Manually configure the vlan-bridge-binding on option under the SVI stanza in the /etc/network/interfaces file. | 5.11.0-5.11.1 | | @@ -483,16 +483,16 @@ pdfhidden: True | [4290629](#4290629)
| The NVUE nv show interface qos command takes approximately two minutes to display output. To work around this issue, fetch only the sub commands that are part of the nv show interface qos, command such as buffer, congestion-control, pfc, and so on. | 5.12.0-5.12.1 | | | [4287285](#4287285)
| Due to unsupported EVPN BUM replication configuration (a mix of PIM and HER modes), a resource leak can occur. | 5.11.0 | | | [4286833](#4286833)
| When you change the port breakout configuration, the switch deletes, then recreates the port and the sflow configuration on the port resets. However, switchd continues to retain sflow configuration for the same logical ID, which leads to divergence in sflow configuration in the SDK and switchd; switchd sees sflow enabled for the port but in the SDK the ports gets reset to disabled. | 5.12.0-5.12.1 | | -| [4281438](#4281438)
| The first time you run the nv show interface rates command, an internal error occurs. | 5.12.0-5.12.1 | | +| [4281438, 4257936](#4281438, 4257936)
| The first time you run the nv show interface rates command, an internal error occurs. | 5.12.0-5.12.1 | | | [4271311](#4271311)
| On the NVIDIA SN2010 and SN2100 switches, the management interface (eth0) might negotiate 100M instead of 1G after you install, upgrade, or, reboot Cumulus Linux. To resolve this issue, force the speed to 1G:
cumulus@switch:~$ nv set interface eth0 link speed 1G
cumulus@switch:~$ nv set interface eth0 link duplex full
cumulus@switch:~$ nv config apply
| 5.11.0 | | | [4271264](#4271264)
| When a MAC address flaps between two different EVPN VTEPs, a Zebra core crash occurs. | 5.11.0-5.11.1 | | | [4270240](#4270240)
| Statically configured VXLAN FDB entries do not age out. | 5.12.0-5.12.1 | | | [4262224](#4262224)
| When you configure BGP suppress-fib-pending, the prefix might not be withdrawn from downstream peers. | 5.11.0-5.11.1 | | -| [4261676](#4261676)
| When sending control packets that have the port range 259 through 1023 in their TX base header system target (above cap_max_system_ports and below cap_ports used for LAG forwarding), a fatal health event occurs on the switch. The port range 259 through 1023 reflects illegal system ports; do not set these values in the control packet TX base header. | 5.11.0 | | +| [4261676, 4328729](#4261676, 4328729)
| When sending control packets that have the port range 259 through 1023 in their TX base header system target (above cap_max_system_ports and below cap_ports used for LAG forwarding), a fatal health event occurs on the switch. The port range 259 through 1023 reflects illegal system ports; do not set these values in the control packet TX base header. | 5.11.0 | | | [4257386](#4257386)
| NVUE overwrites the MOTD file during NVUE configuration with no option to ignore it
| 5.11.0 | | -| [4255639](#4255639)
| When all links go down or the switch reboots, you see next hop group churn from Zebra to the SOO next hop group. This issue might cause some convergence degradation. | 5.12.0-5.12.1 | | -| [4215613](#4215613)
| After a remote link flap, neighbor entries using the link might not get resolved immediately. Only when some traffic uses the nexthop will they be resolved. | 5.12.0-5.12.1 | | -| [4210596](#4210596)
| After a factory reset, the files in the /etc/pam.d/ directory might be incorrect, causing problems with password strength checking, TACACS+, RADIUS, and LDAP. To work around this issue, run the following command:
cumulus@switch:~$ sudo /usr/sbin/pam-auth-update --force --package
| 5.12.0-5.12.1 | | +| [4255639, 4326989](#4255639, 4326989)
| When all links go down or the switch reboots, you see next hop group churn from Zebra to the SOO next hop group. This issue might cause some convergence degradation. | 5.12.0-5.12.1 | | +| [4215613, 4255653, 4335726](#4215613, 4255653, 4335726)
| After a remote link flap, neighbor entries using the link might not get resolved immediately. Only when some traffic uses the nexthop will they be resolved. | 5.12.0-5.12.1 | | +| [4210596, 4352307](#4210596, 4352307)
| After a factory reset, the files in the /etc/pam.d/ directory might be incorrect, causing problems with password strength checking, TACACS+, RADIUS, and LDAP. To work around this issue, run the following command:
cumulus@switch:~$ sudo /usr/sbin/pam-auth-update --force --package
| 5.12.0-5.12.1 | | | [4207037](#4207037)
| NVUE Rest API calls that are authenticated with TACACS on the switch append unnecessary database entries to the /run/tacacs_clent_map file, which increases the file size. Over time, this increases the TACACS login authentication time, resulting in delayed login authentication.
To work around this issue, delete the tacacs_client_map file with the sudo rm rf /run/tacacs_client_map command. | 5.11.0 | | | [4144021](#4144021)
| Shutting down port 65 or 66 on the NVIDIA Spectrum-4 switch leaves the opposite port up when using MLNX SFP-T and RJ45 connections. Spectrum-4 switches do not support SFP-T modules on ports 65 and 66. | 5.10.0-5.12.1 | | | [4128952](#4128952)
| Cumulus Linux does not support LDAP over IPv6. | 5.11.0-5.12.1 | | diff --git a/content/cumulus-linux-513/rn.xml b/content/cumulus-linux-513/rn.xml index f558794eeb..c4fc24ee5b 100644 --- a/content/cumulus-linux-513/rn.xml +++ b/content/cumulus-linux-513/rn.xml @@ -31,7 +31,7 @@ -4918342 +4918342, 4641291 In rare circumstances, the switch stops streaming telemetry data for interface counters, buffers, or PHY. 5.13.0-5.16.1 @@ -87,7 +87,7 @@ 5.16.0-5.16.1 -4789339 +4789339, 4540985 The {{interface_stats}} process might crash when a transceiver has non-ASCII data in EEPROM fields, such as vendor name or part number. 5.13.1-5.15.1 5.16.0-5.16.1 @@ -105,7 +105,7 @@ 5.16.0-5.16.1 -4751060 +4751060, 4637733 If the switch filesystem is overloaded or memory is exhausted, you see very slow responses from the filesystem and the SDK might fail with a fatal error similar to: sxd_kernel: Health-Check: new failure (dev=1, severity='Fatal', cause=10 ['SDK thread issue'], irisc=255, desc='Health check: SDK thread [sxSniffer] TID [0x7f81cffff6c0] bit [4] does not respond [5] seconds') 5.12.0-5.15.1 @@ -118,7 +118,7 @@ sxd_kernel: Health-Check: new failure (dev=1, severity='Fatal', cause=10 ['SDK t 5.16.0-5.16.1 -4748176 +4748176, 4662528, 4652420 Unsupported hardware modules might cause SDK and firmware health event and traffic loss. 5.12.1-5.15.1 5.16.0-5.16.1 @@ -180,7 +180,7 @@ To work around this issue, verify system boot mode with the {{nv show system reb 5.15.0-5.16.1 -4641291 +4641291, 4703438, 4918342, 4923799 In rare circumstances, the switch stops streaming telemetry data for interface counters, buffers, or phy. 5.13.1-5.14.0 5.15.0-5.16.1 @@ -244,7 +244,7 @@ To work around this issue, disable SNMP with the {{nv set system snmp-server sta 5.15.0-5.16.1 -4621451 +4621451, 4472414 Changing the gateway interface IP address on the DHCP relay causes DHCP relay to not forward the packet. To work around this issue, restart the DHCP relay service corresponding to the VRF on which it is running. 5.13.1-5.14.0 5.15.0-5.16.1 @@ -280,7 +280,7 @@ To work around this issue, disable SNMP with the {{nv set system snmp-server sta -4579237 +4579237, 4579234 If interface statistics telemetry is running on the switch, an {{interface_stats_collector}} core file might generate during statistics collection. 5.11.3-5.16.1 @@ -350,7 +350,7 @@ To work around this issue, restart the FRR service using the {{sudo systemctl re 5.14.0-5.16.1 -4540985 +4540985, 4789339, 4776413 If you have a transceiver module with a vendor name containing invalid characters and OTEL is enabled, the switch generates an {{interface_stats}} core file. 5.13.1 5.14.0-5.16.1 @@ -404,7 +404,7 @@ To work around this issue, restart the FRR service using the {{sudo systemctl re -4531952 +4531952, 4518822 When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface {{vlan10}}, the route might install against {{vlan10-v0}}. This prevents next-hop tracking and route installation into hardware. This issue can occur in the following conditions: <ul><li>When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.</li> @@ -463,7 +463,7 @@ To work around this issue, power cycle the switch. -4509255 +4509255, 4546858 In PTP two-step, the hardware incorrectly modifies the SYNC message correction field. 5.12.0-5.16.1 @@ -499,7 +499,7 @@ To work around this issue, power cycle the switch. -4495383 +4495383, 4493988 NVUE configuration yaml file translation converts unset commands to set commands because the translation logic expects only set commands. 5.13.0-5.16.1 @@ -575,7 +575,7 @@ prometheus ALL = NOPASSWD: /usr/sbin/lldpcli -f json show neighbor 5.14.0-5.16.1 -4472414 +4472414, 4621451 After you modify the IP address of an SVI, DHCP relay uses an old cached IP address instead of the changed IP address. This occurs because DHCP relay monitors the link state change not IP address change. 5.11.0-5.14.0 5.15.0-5.16.1 @@ -599,7 +599,7 @@ prometheus ALL = NOPASSWD: /usr/sbin/lldpcli -f json show neighbor 5.14.0-5.16.1 -4467245 +4467245, 4417072 Transceiver channel power values in dBm reported through streaming telemetry protocols such as OTLP and GNMI are imprecise and are rounded to whole numbers. The NVUE {{nv show platform transceiver <port>}} command or Linux {{ethtool -m <port>}} command provides more precise, floating-point values. 5.13.0-5.13.1 5.14.0-5.16.1 @@ -655,7 +655,7 @@ prometheus ALL = NOPASSWD: /usr/sbin/lldpcli -f json show neighbor 5.14.0-5.16.1 -4443870 +4443870, 4461303 When running tens of thousands of {{nv set}} commands, the {{/var/lib/nvue}} directory might grow to several GBs in size, potentially using all the disk space. To work around this issue, run the following commands to reduce the disk space in the {{/var/lib/nvue}} directory: cumulus@switch:~$ sudo su cumulus@switch:~$ cd /var/lib/nvue/config @@ -700,7 +700,7 @@ cumulus@switch:~$ git gc 5.9.4, 5.14.0-5.16.1 -4425288 +4425288, 4423331, 4426775, 4413508 When gNMI streaming is enabled on the switch, Cumulus Linux generates a cl-support file the first time you perform an FRR operation that reloads or restarts the FRR service (such as remove or add a neighbor or add or modify static routes). 5.13.0-5.13.1 5.14.0-5.16.1 @@ -760,7 +760,7 @@ cumulus@switch:~$ git gc -4414935 +4414935, 4320281 Interface counters retrieved from the kernel are not reset when {{switchd}} restarts. These kernel counters are inconsistent with other telemetry counters that do reset when {{switchd}} restarts. 5.13.0-5.13.1 5.14.0-5.16.1 @@ -772,7 +772,7 @@ cumulus@switch:~$ git gc -4413450 +4413450, 4497128 When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. 5.0.0-5.11.1, 5.13.0-5.13.1 5.11.2, 5.14.0-5.16.1 @@ -790,7 +790,7 @@ cumulus@switch:~$ git gc 5.14.0-5.16.1 -4393369 +4393369, 4461301 If you generate a cl-support file after configuring a breakout port, the syslog file includes errors due to a statistic collection failure for stale ports. This issue has no functional impact. 5.13.0-5.13.1 5.14.0-5.16.1 @@ -809,7 +809,7 @@ onie-nos-install /$devname/onie-installer 5.14.0-5.16.1 -4386779 +4386779, 4321086 When you start gNMI subscription from a remote client, interface rates reset and values start from 0. 5.13.0-5.13.1 5.14.0-5.16.1 @@ -827,7 +827,7 @@ onie-nos-install /$devname/onie-installer -4360826 +4360826, 4445857 On rare occasions, when you run the NVUE {{nv config apply}} command, {{switchd}} crashes, then restarts after the crash and resumes its normal flow of operation. 5.13.0-5.13.1 5.14.0-5.16.1 @@ -901,7 +901,7 @@ cumulus@switch:~$ sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o "Dpkg::Optio -4154839 +4154839, 4280933, 4291934 When you run certain SDK commands (such as {{sudo sx_api_port_counter_dump_all.py}} or {{sx_api_fdb_dump}}) first as the cumulus user, then with {{sudo}}, you see the following error: PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt' To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. @@ -915,7 +915,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4139511 +4139511, 4184813, 4180112 When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue. [ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock [ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query) [ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds @@ -938,7 +938,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4124376 +4124376, 4316163 The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier). To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in <a href="https://docs.nvidia.com/networking-ethernet-software/cumulus-linux/Installation-Management/Upgrading-Cumulus-Linux/#downgrade-a-secure-boot-switch">Downgrade a Secure Boot Switch</a>. 5.11.0-5.16.1 @@ -950,7 +950,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4105127 +4105127, 4796391 Any sFlow configuration changes that require an {{hsflowd}} restart are operational only after an initial delay of 60 seconds. 5.11.0-5.16.1 @@ -974,7 +974,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4049213 +4049213, 4186873 When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. 5.9.2-5.16.1 @@ -992,7 +992,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4005422 +4005422, 4015452 When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the {{systemctl enable ntpsec@<vrf>}} and {{systemctl restart ntpsec@<vrf>}} commands. 5.10.0-5.16.1 @@ -1025,7 +1025,7 @@ The logs occur because the {{rsyslog}} service starts before the networking serv -3879809 +3879809, 4064254 Spectrum-4 switches do not include full What Just Happened (WJH) support. 5.9.0-5.13.1 5.14.0-5.16.1 @@ -1052,7 +1052,7 @@ To work around this issue, use the {{-q}} option with {{wget}}. -3875687 +3875687, 3879260, 4025900 After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the {{Local Vtep Ip}} field of the {{nv show evpn vni <vni>}} command output. To work around this issue, either run the {{ifup <vxlan-id>}} command or reboot the switch. 5.9.0-5.13.1 5.14.0-5.16.1 @@ -1161,7 +1161,7 @@ To work around this issue when using fiber cables: -3556762 +3556762, 3463827 On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. 5.5.0-5.16.1 @@ -1173,7 +1173,7 @@ To work around this issue when using fiber cables: -3538321 +3538321, 3564344 In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. 5.6.0-5.16.1 @@ -1197,19 +1197,19 @@ To work around this issue when using fiber cables: -3442569 +3442569, 3520880, 3586421 When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both {{nginx.service}} and {{nvued.service}} to begin authenticating users against the new authentication service. 5.5.0-5.16.1 -3430430 +3430430, 3337848 When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. 5.5.0-5.16.1 -3424967 +3424967, 3413785 {{sudo}} for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the {{default}} VRF. To work around this issue, specify the interface name that the {{default}} VRF uses in the {{vrf=}} setting of the {{/etc/tacplus_servers}} file or run the NVUE {{nv set system aaa tacacs vrf}} command. If you don't run either command, a TACACS+ user with privilege level 15 can run {{vrf task exec default sudo ...}} to execute the {{sudo}} command. 5.0.0-5.16.1 @@ -1222,7 +1222,7 @@ The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 -3414866 +3414866, 3536555, 4465009, 4509253, 4732973 Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error. sx_sdk: 22985 [BRIDGE] [ERROR ]: Port(0x200A000D)) already added to a bridge You can ignore this error; it has no impact on switch functionality. @@ -1284,7 +1284,7 @@ You can ignore this error; it has no impact on switch functionality. -3225117 +3225117, 3158720 Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. 5.4.0-5.16.1 @@ -1307,7 +1307,7 @@ To work around this issue, reference the OID without the preceding period ( {{.} -3145869 +3145869, 3430508, 3543102 On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. 5.2.0-5.16.1 @@ -1370,7 +1370,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -1378,7 +1378,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2885305 +2885305, 2887500, 3234087, 3074929, 3293192 Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. 5.0.0-5.16.1 @@ -1452,7 +1452,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -4918342 +4918342, 4641291 In rare circumstances, the switch stops streaming telemetry data for interface counters, buffers, or PHY. 5.13.0-5.16.1 @@ -1514,14 +1514,14 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 5.16.0-5.16.1 -4751060 +4751060, 4637733 If the switch filesystem is overloaded or memory is exhausted, you see very slow responses from the filesystem and the SDK might fail with a fatal error similar to: sxd_kernel: Health-Check: new failure (dev=1, severity='Fatal', cause=10 ['SDK thread issue'], irisc=255, desc='Health check: SDK thread [sxSniffer] TID [0x7f81cffff6c0] bit [4] does not respond [5] seconds') 5.12.0-5.15.1 5.16.0-5.16.1 -4748176 +4748176, 4662528, 4652420 Unsupported hardware modules might cause SDK and firmware health event and traffic loss. 5.12.1-5.15.1 5.16.0-5.16.1 @@ -1659,7 +1659,7 @@ To work around this issue, disable SNMP with the {{nv set system snmp-server sta -4579237 +4579237, 4579234 If interface statistics telemetry is running on the switch, an {{interface_stats_collector}} core file might generate during statistics collection. 5.11.3-5.16.1 @@ -1735,7 +1735,7 @@ To work around this issue, restart the FRR service using the {{sudo systemctl re 5.9.4 -4531952 +4531952, 4518822 When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface {{vlan10}}, the route might install against {{vlan10-v0}}. This prevents next-hop tracking and route installation into hardware. This issue can occur in the following conditions: <ul><li>When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.</li> @@ -1779,7 +1779,7 @@ To work around this issue, power cycle the switch. -4509255 +4509255, 4546858 In PTP two-step, the hardware incorrectly modifies the SYNC message correction field. 5.12.0-5.16.1 @@ -1809,7 +1809,7 @@ To work around this issue, power cycle the switch. -4495383 +4495383, 4493988 NVUE configuration yaml file translation converts unset commands to set commands because the translation logic expects only set commands. 5.13.0-5.16.1 @@ -1879,7 +1879,7 @@ prometheus ALL = NOPASSWD: /usr/sbin/lldpcli -f json show neighbor 5.14.0-5.16.1 -4472414 +4472414, 4621451 After you modify the IP address of an SVI, DHCP relay uses an old cached IP address instead of the changed IP address. This occurs because DHCP relay monitors the link state change not IP address change. 5.11.0-5.14.0 5.15.0-5.16.1 @@ -1903,7 +1903,7 @@ prometheus ALL = NOPASSWD: /usr/sbin/lldpcli -f json show neighbor 5.14.0-5.16.1 -4467245 +4467245, 4417072 Transceiver channel power values in dBm reported through streaming telemetry protocols such as OTLP and GNMI are imprecise and are rounded to whole numbers. The NVUE {{nv show platform transceiver <port>}} command or Linux {{ethtool -m <port>}} command provides more precise, floating-point values. 5.13.0-5.13.1 5.14.0-5.16.1 @@ -1953,7 +1953,7 @@ prometheus ALL = NOPASSWD: /usr/sbin/lldpcli -f json show neighbor 5.14.0-5.16.1 -4443870 +4443870, 4461303 When running tens of thousands of {{nv set}} commands, the {{/var/lib/nvue}} directory might grow to several GBs in size, potentially using all the disk space. To work around this issue, run the following commands to reduce the disk space in the {{/var/lib/nvue}} directory: cumulus@switch:~$ sudo su cumulus@switch:~$ cd /var/lib/nvue/config @@ -2004,7 +2004,7 @@ cumulus@switch:~$ git gc 5.9.4, 5.14.0-5.16.1 -4425288 +4425288, 4423331, 4426775, 4413508 When gNMI streaming is enabled on the switch, Cumulus Linux generates a cl-support file the first time you perform an FRR operation that reloads or restarts the FRR service (such as remove or add a neighbor or add or modify static routes). 5.13.0-5.13.1 5.14.0-5.16.1 @@ -2064,7 +2064,7 @@ cumulus@switch:~$ git gc -4414935 +4414935, 4320281 Interface counters retrieved from the kernel are not reset when {{switchd}} restarts. These kernel counters are inconsistent with other telemetry counters that do reset when {{switchd}} restarts. 5.13.0-5.13.1 5.14.0-5.16.1 @@ -2076,7 +2076,7 @@ cumulus@switch:~$ git gc -4413450 +4413450, 4497128 When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. 5.0.0-5.11.1, 5.13.0-5.13.1 5.11.2, 5.14.0-5.16.1 @@ -2094,7 +2094,7 @@ cumulus@switch:~$ git gc 5.14.0-5.16.1 -4393369 +4393369, 4461301 If you generate a cl-support file after configuring a breakout port, the syslog file includes errors due to a statistic collection failure for stale ports. This issue has no functional impact. 5.13.0-5.13.1 5.14.0-5.16.1 @@ -2113,7 +2113,7 @@ onie-nos-install /$devname/onie-installer 5.14.0-5.16.1 -4386779 +4386779, 4321086 When you start gNMI subscription from a remote client, interface rates reset and values start from 0. 5.13.0-5.13.1 5.14.0-5.16.1 @@ -2131,7 +2131,7 @@ onie-nos-install /$devname/onie-installer -4360826 +4360826, 4445857 On rare occasions, when you run the NVUE {{nv config apply}} command, {{switchd}} crashes, then restarts after the crash and resumes its normal flow of operation. 5.13.0-5.13.1 5.14.0-5.16.1 @@ -2205,7 +2205,7 @@ cumulus@switch:~$ sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o "Dpkg::Optio -4154839 +4154839, 4280933, 4291934 When you run certain SDK commands (such as {{sudo sx_api_port_counter_dump_all.py}} or {{sx_api_fdb_dump}}) first as the cumulus user, then with {{sudo}}, you see the following error: PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt' To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. @@ -2219,7 +2219,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4139511 +4139511, 4184813, 4180112 When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue. [ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock [ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query) [ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds @@ -2242,7 +2242,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4124376 +4124376, 4316163 The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier). To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in <a href="https://docs.nvidia.com/networking-ethernet-software/cumulus-linux/Installation-Management/Upgrading-Cumulus-Linux/#downgrade-a-secure-boot-switch">Downgrade a Secure Boot Switch</a>. 5.11.0-5.16.1 @@ -2254,7 +2254,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4105127 +4105127, 4796391 Any sFlow configuration changes that require an {{hsflowd}} restart are operational only after an initial delay of 60 seconds. 5.11.0-5.16.1 @@ -2278,7 +2278,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4049213 +4049213, 4186873 When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. 5.9.2-5.16.1 @@ -2296,7 +2296,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4005422 +4005422, 4015452 When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the {{systemctl enable ntpsec@<vrf>}} and {{systemctl restart ntpsec@<vrf>}} commands. 5.10.0-5.16.1 @@ -2329,7 +2329,7 @@ The logs occur because the {{rsyslog}} service starts before the networking serv -3879809 +3879809, 4064254 Spectrum-4 switches do not include full What Just Happened (WJH) support. 5.9.0-5.13.1 5.14.0-5.16.1 @@ -2356,7 +2356,7 @@ To work around this issue, use the {{-q}} option with {{wget}}. -3875687 +3875687, 3879260, 4025900 After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the {{Local Vtep Ip}} field of the {{nv show evpn vni <vni>}} command output. To work around this issue, either run the {{ifup <vxlan-id>}} command or reboot the switch. 5.9.0-5.13.1 5.14.0-5.16.1 @@ -2465,7 +2465,7 @@ To work around this issue when using fiber cables: -3556762 +3556762, 3463827 On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. 5.5.0-5.16.1 @@ -2477,7 +2477,7 @@ To work around this issue when using fiber cables: -3538321 +3538321, 3564344 In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. 5.6.0-5.16.1 @@ -2501,19 +2501,19 @@ To work around this issue when using fiber cables: -3442569 +3442569, 3520880, 3586421 When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both {{nginx.service}} and {{nvued.service}} to begin authenticating users against the new authentication service. 5.5.0-5.16.1 -3430430 +3430430, 3337848 When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. 5.5.0-5.16.1 -3424967 +3424967, 3413785 {{sudo}} for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the {{default}} VRF. To work around this issue, specify the interface name that the {{default}} VRF uses in the {{vrf=}} setting of the {{/etc/tacplus_servers}} file or run the NVUE {{nv set system aaa tacacs vrf}} command. If you don't run either command, a TACACS+ user with privilege level 15 can run {{vrf task exec default sudo ...}} to execute the {{sudo}} command. 5.0.0-5.16.1 @@ -2526,7 +2526,7 @@ The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 -3414866 +3414866, 3536555, 4465009, 4509253, 4732973 Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error. sx_sdk: 22985 [BRIDGE] [ERROR ]: Port(0x200A000D)) already added to a bridge You can ignore this error; it has no impact on switch functionality. @@ -2588,7 +2588,7 @@ You can ignore this error; it has no impact on switch functionality. -3225117 +3225117, 3158720 Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. 5.4.0-5.16.1 @@ -2611,7 +2611,7 @@ To work around this issue, reference the OID without the preceding period ( {{.} -3145869 +3145869, 3430508, 3543102 On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. 5.2.0-5.16.1 @@ -2674,7 +2674,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -2682,7 +2682,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2885305 +2885305, 2887500, 3234087, 3074929, 3293192 Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. 5.0.0-5.16.1 @@ -2725,12 +2725,12 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 Affects -4411453 +4411453, 4408283, 4240003 Zebra might crash when multiple interfaces flap rapidly with a large scale number of routes. This issue occurs because the next hop group hash comparison incorrectly treats distinct next hop groups as equal. I addition, the hashing logic currently uses only four bytes of the IPv6 address, which increases the likelihood of collisions and misidentification. Avoid rapidly flapping multiple interfaces when managing large scale routes. -4404758 +4404758, 4404759 Installing ssh keys for the cumulus user with NVUE fails and results in login failures. 5.12.1 @@ -2745,7 +2745,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -4391413 +4391413, 4391704 After the switch reboots or {{switchd.service}} restarts, NVUE applied ERSPAN sessions do not work if the ERSPAN destination IP address is reachable through an MLAG bond. To work around this issue, remove the ERSPAN configuration and reapply it using NVUE. 5.11.0-5.11.1 @@ -2755,7 +2755,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 5.12.0-5.12.1 -4380671 +4380671, 4363822 Slow bandwidth and traffic polarization occurs when you create a significant number of next hop groups with adaptive routing weighted equal cost multipath (W-ECMP). 5.12.0-5.12.1 @@ -2778,7 +2778,7 @@ switchd[19460]: hal_mlx_l2mc.c:1107 ERR VFID: 4099, Failed to set unregistered I 5.11.0-5.11.1, 5.12.0-5.12.1 -4370702 +4370702, 4360680 NVUE commands create excessive log data. To work around this issue, configure rsyslog rules to limit logging of these commands. 5.11.0-5.11.1, 5.12.0-5.12.1 @@ -2788,7 +2788,7 @@ switchd[19460]: hal_mlx_l2mc.c:1107 ERR VFID: 4099, Failed to set unregistered I 5.11.0-5.11.1 -4360676 +4360676, 4395776 When you use {{onie-install}} to install an image with a preconfigured {{startup.yaml}} file, an issue with the ZTP infrastructure script results in certain interfaces being UP in the kernel and the lower layer but DOWN in NVUE or the {{/etc/network/interfaces}} file. @@ -2807,7 +2807,7 @@ nv config apply -y 5.11.0-5.12.1 -4352307 +4352307, 4210596 After a factory reset, the files in the {{/etc/pam.d/}} directory might be incorrect, causing problems with password strength checking, TACACS+, RADIUS, and LDAP. To work around this issue, run the following command: cumulus@switch:~$ sudo /usr/sbin/pam-auth-update --force --package 5.12.0-5.12.1 @@ -2855,7 +2855,7 @@ On the Spectrum-3 switch, the cell-size is 144 bytes. The minimum size is 144*64 5.12.0-5.12.1 -4328729 +4328729, 4261676 When sending control packets that have the port range 259 through 1023 in their TX base header system target (above {{cap_max_system_ports}} and below {{cap_ports}} used for LAG forwarding), a fatal health event occurs on the switch. The port range 259 through 1023 reflects illegal system ports; do not set these values in the control packet TX base header. As this range reflects illegal system ports, do not set these values in the control packet TX base header, as it will be dropped. 5.10.1-5.12.1 @@ -2865,7 +2865,7 @@ On the Spectrum-3 switch, the cell-size is 144 bytes. The minimum size is 144*64 5.11.0-5.11.1 -4320729 +4320729, 4322632, 4391362 When toggling the bridge binding flag on an SVI from ON to OFF, the SVI might not come operationally UP if it was DOWN previously from the bridge binding flag. 5.11.0-5.11.1 @@ -2917,7 +2917,7 @@ cumulus@switch:~$ sudo systemctl start cumulus-upgrade-on-shutdown 5.12.0-5.12.1 -4281438 +4281438, 4257936 The first time you run the {{nv show interface rates}} command, an internal error occurs. 5.12.0-5.12.1 @@ -2945,7 +2945,7 @@ cumulus@switch:~$ nv config apply 5.11.0-5.11.1 -4261676 +4261676, 4328729 When sending control packets that have the port range 259 through 1023 in their TX base header system target (above {{cap_max_system_ports}} and below {{cap_ports}} used for LAG forwarding), a fatal health event occurs on the switch. The port range 259 through 1023 reflects illegal system ports; do not set these values in the control packet TX base header. 5.11.0 @@ -2956,17 +2956,17 @@ cumulus@switch:~$ nv config apply 5.11.0 -4255639 +4255639, 4326989 When all links go down or the switch reboots, you see next hop group churn from Zebra to the SOO next hop group. This issue might cause some convergence degradation. 5.12.0-5.12.1 -4215613 +4215613, 4255653, 4335726 After a remote link flap, neighbor entries using the link might not get resolved immediately. Only when some traffic uses the nexthop will they be resolved. 5.12.0-5.12.1 -4210596 +4210596, 4352307 After a factory reset, the files in the {{/etc/pam.d/}} directory might be incorrect, causing problems with password strength checking, TACACS+, RADIUS, and LDAP. To work around this issue, run the following command: cumulus@switch:~$ sudo /usr/sbin/pam-auth-update --force --package 5.12.0-5.12.1 diff --git a/content/cumulus-linux-514/Whats-New/rn.md b/content/cumulus-linux-514/Whats-New/rn.md index 9e6296bd7f..8b210f5f78 100644 --- a/content/cumulus-linux-514/Whats-New/rn.md +++ b/content/cumulus-linux-514/Whats-New/rn.md @@ -19,7 +19,7 @@ pdfhidden: True | [4930152](#4930152)
| When you configure layer 3 SVI interfaces with an anycast gateway (VRR) IP address only and no unique IP address, the connected route for the subnet is not programmed in the ASIC, causing packets destined for locally connected hosts to drop after decapsulation. | 5.11.3-5.16.1 | | | [4922104](#4922104)
| When the system is under load and the wd_keepalive process is running at the default rate of one time per minute, the switch might reboot due to starvation of the wd_keepalive process. | 5.13.1-5.16.1 | | | [4922099](#4922099)
| In a highly volatile network, frequent churn of SOO‑tagged routes can generate a large volume of SOO NHG sync messages to Zebra. When Zebra becomes backed up while processing these NHG updates, its memory usage can grow significantly. | 5.14.0-5.16.1 | | -| [4918342](#4918342)
| In rare circumstances, the switch stops streaming telemetry data for interface counters, buffers, or PHY. | 5.13.0-5.16.1 | | +| [4918342, 4641291](#4918342, 4641291)
| In rare circumstances, the switch stops streaming telemetry data for interface counters, buffers, or PHY. | 5.13.0-5.16.1 | | | [4917759](#4917759)
| BGP sessions configured with an explicit IPv6 link local peer address might result in stale or invalid next hop tracking entries after a session disruption. | 5.14.0-5.16.1 | | | [4895563](#4895563)
| Routes are present in BGP and Zebra but are missing in the kernel. This occurs when next hops in an NHG become invalid and the kernel deletes the next hops, then notifies the control plane (zebra). The control plane tries to reinstall the routes in the existing NHG with the invalid next hop information so route installation fails. Later, the routes arrive with the correct next hop information in the NHG but there is no mechanism to replace the failed routes and install them again in the kernel. | 5.14.0-5.15.1 | 5.16.0-5.16.1| | [4895501](#4895501)
| Adding vlan 1 as a tagged VLAN to a newly created MLAG bond fails if no previous VLANs are configured on the MLAG bond. | 5.13.0-5.16.1 | | @@ -38,20 +38,20 @@ pdfhidden: True | [4823999](#4823999)
| When making interface changes with NVUE, you might see the following message after you run the nv config apply command:


update-ports returned with error (code 254): switchd ports.conf node status not ready switchd validate_node is absent/not ready ports configuration(ports.conf/ports_width.conf) is invalid
| 5.14.0-5.15.1 | 5.16.0-5.16.1| | [4804084](#4804084)
| On switches at scale with OTEL enabled, an interface_stats_collector crash might occur with the following logs:
interface_stats_collector[3429270]: ERROR
 buffer_stats_collector.go:1875 SDK bulk counter read failed
interface_stats_collector[3429270]: fatal error: concurrent map iteration and map write
interface_stats_collector[3429270]: goroutine 5610 gp=0xc007814c40 m=16 mp=0xc000552808 [running]:
| 5.14.0-5.16.1 | | | [4789562](#4789562)
| A switch running Nvidia Cumulus Linux may improperly forward routed packets out of an access port or on the native vlan of a trunk with an 802.1Q tag imposed on the packet. | 5.12.1-5.15.1 | 5.16.0-5.16.1| -| [4789339](#4789339)
| The interface_stats process might crash when a transceiver has non-ASCII data in EEPROM fields, such as vendor name or part number. | 5.13.1-5.15.1 | 5.16.0-5.16.1| +| [4789339, 4540985](#4789339, 4540985)
| The interface_stats process might crash when a transceiver has non-ASCII data in EEPROM fields, such as vendor name or part number. | 5.13.1-5.15.1 | 5.16.0-5.16.1| | [4789097](#4789097)
| The switch deletes a static blackhole route even when the blackhole type specified in the delete command does not match the configured type. | 5.9.4-5.15.1 | 5.16.0-5.16.1| | [4783824](#4783824)
| RoCE ingress reserved pools do not display correct values for ports that are not operationally UP. Switch ports that were never operational or not operational after setting RoCE mode do not have RoCE reserved pool buffers allocated but the nv show interface qos roce status command displays an invalid buffer size. | 5.14.0-5.15.1 | 5.16.0-5.16.1| | [4771785](#4771785)
| NVUE drop counters and ethtool output do not show the packets discarded because the destination MAC address does not match the router MAC address. | 5.14.0-5.15.1 | 5.16.0-5.16.1| | [4771521](#4771521)
| Layer 3 multicast traffic does not forward when OMF (Optimized Multicast Flooding) and PIM is enabled. To work around this issue, flap the router port. | 5.9.2-5.15.1 | 5.16.0-5.16.1| | [4769255](#4769255)
| When using the CPU port as a SPAN destination, the switch might become unresponsive and, or reboot. To work around this issue, use SPAN to a local port instead of the CPU port. | 5.14.0-5.15.1 | 5.16.0-5.16.1| -| [4751060](#4751060)
| If the switch filesystem is overloaded or memory is exhausted, you see very slow responses from the filesystem and the SDK might fail with a fatal error similar to:
sxd_kernel: Health-Check: new failure (dev=1, severity='Fatal', cause=10 ['SDK thread issue'], irisc=255, desc='Health check: SDK thread [sxSniffer] TID [0x7f81cffff6c0] bit [4] does not respond [5] seconds')
| 5.12.0-5.15.1 | 5.16.0-5.16.1| +| [4751060, 4637733](#4751060, 4637733)
| If the switch filesystem is overloaded or memory is exhausted, you see very slow responses from the filesystem and the SDK might fail with a fatal error similar to:
sxd_kernel: Health-Check: new failure (dev=1, severity='Fatal', cause=10 ['SDK thread issue'], irisc=255, desc='Health check: SDK thread [sxSniffer] TID [0x7f81cffff6c0] bit [4] does not respond [5] seconds')
| 5.12.0-5.15.1 | 5.16.0-5.16.1| | [4748963](#4748963)
| In an MLAG configuration with PVRST spanning tree mode configured on both switches, when the primary switch comes back up after a reboot, PVRST mode briefly changes to RSTP, then back to PVRST. | 5.13.1-5.15.1 | 5.16.0-5.16.1| -| [4748176](#4748176)
| Unsupported hardware modules might cause SDK and firmware health event and traffic loss. | 5.12.1-5.15.1 | 5.16.0-5.16.1| +| [4748176, 4662528, 4652420](#4748176, 4662528, 4652420)
| Unsupported hardware modules might cause SDK and firmware health event and traffic loss. | 5.12.1-5.15.1 | 5.16.0-5.16.1| | [4743814](#4743814)
| The switch clears the QoS buffer max usage values in the nv show interface qos buffer egress-traffic-class command output when a gNMI client subscribes to any QoS buffer metrics. | 5.14.0-5.15.1 | 5.16.0-5.16.1| | [4734395](#4734395)
| mlxlink output sometimes displays additional special characters while still reporting valid data. | 5.14.0-5.15.1 | 5.16.0-5.16.1| | [4734374](#4734374)
| The SNMP AgentX subsystem crashes with a segmentation fault when trying to cancel events from within event callbacks due to multiple Agentx reconnecting one after the other on the device. | 5.14.0-5.15.1 | 5.16.0-5.16.1| | [4732177](#4732177)
| On the NVIDIA SN5610 switch, the nv show platform transceiver command output for 3rd party optics is missing fields such as rx-los and tx-los. | 5.14.0-5.15.1 | 5.16.0-5.16.1| -| [4731804](#4731804)
| NVUE might fail to apply a configuration due to a mishandling of ranges during a race condition and shows a message similar to the following (the issue is not limited to the transceiver ID or swp ranges):
 Invalid config [rev_id: 2]
 The transceiver id[swp1-64] is not valid.

To work around this issue, restart the nvued.service. To avoid this issue, call each interface in the configuration instead of using ranges. | 5.14.0 | 5.15.0-5.16.1| +| [4731804, 4559992](#4731804, 4559992)
| NVUE might fail to apply a configuration due to a mishandling of ranges during a race condition and shows a message similar to the following (the issue is not limited to the transceiver ID or swp ranges):
 Invalid config [rev_id: 2]
 The transceiver id[swp1-64] is not valid.

To work around this issue, restart the nvued.service. To avoid this issue, call each interface in the configuration instead of using ranges. | 5.14.0 | 5.15.0-5.16.1| | [4729839](#4729839)
| In an MLAG configuration, when you reboot the primary MLAG switch with PVRST spanning tree mode configured on both MLAG switches, PVRST mode briefly changes to RSTP, then back to PVRST when the primary switch comes back up. | 5.11.3-5.15.1 | 5.16.0-5.16.1| | [4722680](#4722680)
| If you install RADIUS client packages when rolling back a two partition upgrade, the /var/lib/nvue, /var/lib/ntpsec, and /var/lib/snmp directories might have incorrect ownership after rollback and the nvued service might fail to start up. To work around this issue, run the following commands:
sudo chown -R nvue /var/lib/nvue
sudo chown -R ntpsec /var/lib/ntpsec
sudo chown -R Debian-snmp /var/lib/snmp
sudo reboot
| 5.11.4-5.16.1 | | | [4722539](#4722539)
| Optimized image upgrade with warm boot mode is supported in Cumulus Linux 5.13 and later. When you try to run the nv action boot-next command during optimized image upgrade in Cumulus Linux 5.12 and earlier to any target release while the system is in warm boot mode, the boot-next operation fails with the following error:
cumulus@switch:~$ nv action boot-next system image other
Error: Action failed with the following issue:>br>
 Failed to set boot-next due to Unknown error

To work around this issue, verify system boot mode with the nv show system reboot command before you perform optimized image upgrade and switch to cold boot mode if necessary with the nv set system reboot mode cold command. You can then proceed with the optimized image upgrade boot-next operation. | 5.11.4-5.15.1 | 5.16.0-5.16.1| @@ -59,27 +59,27 @@ pdfhidden: True | [4722369](#4722369)
| Certain platforms with a SATA disk for NCQ might cause IO errors sending the SSD into read-only mode. You might see ports going down until the switch reboots. There is no observable performance impact due to this issue. | 5.14.0-5.15.1 | 5.16.0-5.16.1| | [4721298](#4721298)
| When node or VM migration occurs between the MLAG pair and the EVPN-MH pair, the MLAG MAC database becomes out of sync with kernel FDB. The migrated MAC addresses remain as local in MLAG MAC database whereas in the kernel, all MAC addresses are updated correctly as remote with the layer 2 next hop ID. To work around this issue, flap the MLAG bond interface to clear the MLAG local database. | 5.11.0-5.15.1 | 5.9.5, 5.16.0-5.16.1| | [4714618](#4714618)
| On switches at scale with OTEL enabled, an interface_stats_collector crash might occur with the following logs:
interface_stats_collector[3429270]: ERROR
 buffer_stats_collector.go:1875 SDK bulk counter read failed
interface_stats_collector[3429270]: fatal error: concurrent map iteration and map write
interface_stats_collector[3429270]: goroutine 5610 gp=0xc007814c40 m=16 mp=0xc000552808 [running]:
| 5.14.0-5.15.1 | 5.16.0-5.16.1| -| [4704406](#4704406)
| TACACS authentication mode is not configured correctly in PAM common authentication and TACACS configuration files, which makes login the authentication mode regardless of the NVUE configuration. | 5.14.0-5.15.1 | 5.16.0-5.16.1| +| [4704406, 4633883](#4704406, 4633883)
| TACACS authentication mode is not configured correctly in PAM common authentication and TACACS configuration files, which makes login the authentication mode regardless of the NVUE configuration. | 5.14.0-5.15.1 | 5.16.0-5.16.1| | [4686865](#4686865)
| An invalid hashed-password string for a local NVUE user causes all nv config apply operations (including unrelated changes) to fail health checks and raise tracebacks when NVUE attempts to recreate the user. | 5.12.0-5.14.0 | 5.15.0-5.16.1| | [4683370](#4683370)
| On scale systems with OTEL enabled, you might see an interface_stats_collector crash with the following logs:
interface_stats_collector[41358]: unexpected fault address 0x7fbb941d9110
interface_stats_collector[41358]: fatal error: fault
interface_stats_collector[41358]: [signal SIGSEGV: segmentation violation code=0x1
addr=0x7fbb941d9110 pc=0x55124a]
| 5.14.0-5.15.1 | 5.16.0-5.16.1| | [4681608](#4681608)
| gNMI /system/mount-point/ xPaths unexpectedly return data for /dev. As /dev is not a persistent disk, unexpected storage monitoring alerts might be generated. | 5.14.0 | 5.15.0-5.16.1| -| [4680172](#4680172)
| In extremely rare circumstances, during a GNMI subscription change for interface or QoS data, a Spectrum ASIC SDK health event (SX_HEALTH_FATAL: Health-Check: new failure ) is observed and the process might become unresponsive. To recover from this issue, reboot the switch. | 5.14.0 | 5.15.0-5.16.1| +| [4680172, 4633345](#4680172, 4633345)
| In extremely rare circumstances, during a GNMI subscription change for interface or QoS data, a Spectrum ASIC SDK health event (SX_HEALTH_FATAL: Health-Check: new failure ) is observed and the process might become unresponsive. To recover from this issue, reboot the switch. | 5.14.0 | 5.15.0-5.16.1| | [4667792](#4667792)
| Usernames longer than 32 characters do not authenticate against the switch. Avoid using long usernames. | 5.14.0-5.16.1 | | | [4667010](#4667010)
| When streaming telemetry is enabled, additional logs containing ERROR BULK_COUNTER might be generated by the switch, unexpectedly bypassing log suppression rules. | 5.12.1-5.14.0 | 5.15.0-5.16.1| | [4662494](#4662494)
| When there are a very large number of gNMI client subscriptions, the switch might not accept new sessions and metrics might stop generating for existing sessions. | 5.14.0 | 5.15.0-5.16.1| | [4651578](#4651578)
| When you configure a link flap protection threshold to 0, the value is not applied operationally and is not reflected in the nv show system link flap-protection command. | 5.14.0 | 5.15.0-5.16.1| | [4647646](#4647646)
| If you configure policy-based routing (PBR) rules for more than 32 interfaces, only the rules assigned to the first 32 interfaces are installed in the kernel. | 4.4.2-5.14.0 | 5.15.0-5.16.1| -| [4647325](#4647325)
| Running the nv config save command while a diff is pending might result in unexpected nv config diff output. To work around this issue, run the nv config diff --verbose command. | 5.14.0 | 5.15.0-5.16.1| +| [4647325, 4861067](#4647325, 4861067)
| Running the nv config save command while a diff is pending might result in unexpected nv config diff output. To work around this issue, run the nv config diff --verbose command. | 5.14.0 | 5.15.0-5.16.1| | [4643537](#4643537)
| The nv action clear interface command does not clear the in and out packet counters under interface//link/stats. | 5.12.1-5.14.0 | 5.15.0-5.16.1| -| [4643073](#4643073)
| Concurrent mlxfwmanager --query executions triggered by gNMI telemetry polling might cause MFT deadlock, resulting in repeated core dumps, nvued restarts, and control plane unresponsiveness. | 5.14.0-5.15.1 | 5.16.0-5.16.1| -| [4641806](#4641806)
| When gNMI streaming is enabled and clients are subscribed to system information such as the firmware version with xPath '/components/component[name=*]/state/firmware-version', the nv config replace command might take longer than expected to complete. | 5.14.0 | 5.15.0-5.16.1| +| [4643073, 4643425](#4643073, 4643425)
| Concurrent mlxfwmanager --query executions triggered by gNMI telemetry polling might cause MFT deadlock, resulting in repeated core dumps, nvued restarts, and control plane unresponsiveness. | 5.14.0-5.15.1 | 5.16.0-5.16.1| +| [4641806, 4652004, 4652006](#4641806, 4652004, 4652006)
| When gNMI streaming is enabled and clients are subscribed to system information such as the firmware version with xPath '/components/component[name=*]/state/firmware-version', the nv config replace command might take longer than expected to complete. | 5.14.0 | 5.15.0-5.16.1| | [4641344](#4641344)
| The switch sends out IPv6 neighbor discovery (ND) router advertisement through an interface that does not have router advertisement enabled. To prevent this issue, do not change or remove the remote-as of a peer-group that is used by BGP unnumbered peers. To work around this issue, restart FRR. | 5.14.0-5.16.1 | | | [4641343](#4641343)
| The switch sends out IPv6 neighbor discovery (ND) router advertisement through an interface that does not have router advertisement enabled. To prevent this issue, do not change or remove the remote-as of a peer-group that is used by BGP unnumbered peers. To work around this issue, restart FRR. | 5.14.0-5.16.1 | | -| [4641291](#4641291)
| In rare circumstances, the switch stops streaming telemetry data for interface counters, buffers, or phy. | 5.13.1-5.14.0 | 5.15.0-5.16.1| +| [4641291, 4703438, 4918342, 4923799](#4641291, 4703438, 4918342, 4923799)
| In rare circumstances, the switch stops streaming telemetry data for interface counters, buffers, or phy. | 5.13.1-5.14.0 | 5.15.0-5.16.1| | [4640126](#4640126)
| LLDP session flaps might result in a PTMD process crash due to a double free memory block. | 5.11.2-5.14.0 | 5.15.0-5.16.1| | [4638802](#4638802)
| When you attempt to set a new BGP peer group on a neighbor with a current peer group configured, NVUE fails to apply the new configuration. To work around this issue, remove the existing peer group before configuring the new one. | 5.14.0 | 5.15.0-5.16.1| | [4637200](#4637200)
| When more than one IPv4 and/or IPv6 addresses are configured on a remote interface, NVUE LLDP commands such as nv show interface lldp-detail only reflect one address. To work around this issue, use lldpctl to view LLDP information. For example, sudo lldpctl -d -f json swp1. | 5.9.0-5.14.0 | 5.15.0-5.16.1| -| [4634976](#4634976)
| When you run the nv action fetch system packages key command, the command fails. To work around this issue, use the apt-key-adv --fetch-keys command instead. | 5.14.0 | 5.15.0-5.16.1| +| [4634976, 4707726](#4634976, 4707726)
| When you run the nv action fetch system packages key command, the command fails. To work around this issue, use the apt-key-adv --fetch-keys command instead. | 5.14.0 | 5.15.0-5.16.1| | [4634819](#4634819)
| The switch does not provide any gNMI sensor path metrics. A sync-response message indicates that the gNMI server has finished sending all the update messages but no messages are sent. | 5.14.0 | 5.15.0-5.16.1| | [4633514](#4633514)
| When the switch processes large numbers of mroute updates in an MLAG configuration, FRR might crash. | 5.8.0-5.14.0 | 5.15.0-5.16.1| | [4629293](#4629293)
| The nv show system telemetry command output shows the global port but not the per destination port, which makes it look like the port configured and displayed do not match. | 5.12.1-5.14.0 | 5.15.0-5.16.1| @@ -88,7 +88,7 @@ pdfhidden: True | [4622487](#4622487)
| When you configure an exclude_users line in /etc/tacplus_nss.conf containing a long list of users, NSS lookups might fail or behave incorrectly when parsing the configuration. | 5.11.1-5.14.0 | 5.15.0-5.16.1| | [4621759](#4621759)
| When many BFD sessions are configured at scale, ptmd might crash when one of the BFD sessions flaps. | 5.3.1-5.14.0 | 5.15.0-5.16.1| | [4621717](#4621717)
| When you configure TACACS+ for the first time on a switch with the nv set system aaa tacacs enable on command, the nvued service must be restarted before TACACS+ per-command authorization can be configured with any nv set system aaa tacacs authorization} commands. | 5.14.0 | 5.15.0-5.16.1| -| [4621451](#4621451)
| Changing the gateway interface IP address on the DHCP relay causes DHCP relay to not forward the packet. To work around this issue, restart the DHCP relay service corresponding to the VRF on which it is running. | 5.13.1-5.14.0 | 5.15.0-5.16.1| +| [4621451, 4472414](#4621451, 4472414)
| Changing the gateway interface IP address on the DHCP relay causes DHCP relay to not forward the packet. To work around this issue, restart the DHCP relay service corresponding to the VRF on which it is running. | 5.13.1-5.14.0 | 5.15.0-5.16.1| | [4618809](#4618809)
| When collecting streaming telemetry data for per-process information and statistics from the system, you might see false errors about unavailable process IDs in the logs. | 5.14.0 | 5.15.0-5.16.1| | [4616352](#4616352)
| The NVUE nv config diff command returns an incorrect exit code of 1 instead of 0 for successfully staged changes. As a result, ansible automation fails, which relies on program return codes to determine whether the commands are successful. | 5.14.0 | 5.15.0-5.16.1| | [4608614](#4608614)
| When setting up SSH keys, you have to run nv config apply twice for the configuration to take effect. | 5.11.3-5.16.1 | | @@ -103,7 +103,7 @@ pdfhidden: True | [4597153](#4597153)
| When you use a gateway-interface configuration with the source IP address as the gateway interface, DHCP Relay is unable to send packets to the DHCP server after flapping the gateway interface. To work around this issue, restart the DHCP Relay service or avoid configuring the gateway interface to be same as the uplink or downlink interface on the DHCP Relay node. | 5.13.1-5.14.0 | 5.15.0-5.16.1| | [4582679](#4582679)
| If a node has Suppress Route Advertisement enabled and routes are re-learned; for example, when a peer sends the route again due to route policy changes, or you enable or disable graceful shutdown, not all routes are offloaded, which might cause discrepancies in traffic. | 5.9.4-5.16.1 | | | [4582566](#4582566)
| The cnp_pg_map and roce_pg_map fields are missing in the NVUE nv show interface qos roce status and nv show interface qos-roce-status commands. | 5.14.0 | 5.15.0-5.16.1| -| [4579237](#4579237)
| If interface statistics telemetry is running on the switch, an interface_stats_collector core file might generate during statistics collection. | 5.11.3-5.16.1 | | +| [4579237, 4579234](#4579237, 4579234)
| If interface statistics telemetry is running on the switch, an interface_stats_collector core file might generate during statistics collection. | 5.11.3-5.16.1 | | | [4579137](#4579137)
| TTL exceeded packets might not have the expected source IP address in the forwarding path to the destination when VRF interfaces are present on the forwarding path. | 5.13.1-5.14.0 | 5.15.0-5.16.1| | [4570105](#4570105)
| During initial configuration of an MLAG switch with no MLAG peer or if both MLAG peers go down and only one recovers, VXLAN traffic arriving on the MLAG switch with a local IP destination might see packet loss. | 5.13.1-5.14.0 | 5.9.4, 5.15.0-5.16.1| | [4567894](#4567894)
| ACL statistics in nv show interface acl statistics and cl-acltool command output count packets twice. If packets are transiting the switch, the ACL statistics are correct. | 5.13.1-5.14.0 | 5.15.0-5.16.1| @@ -113,11 +113,11 @@ pdfhidden: True | [4556982](#4556982)
| In the Spanning Tree PVRST environment, when one bridge interface goes down, it causes all the other bridge interfaces to enter a blocking state for approximately ten seconds. Even though the down port is not the root port, all the other bridge ports are flushed and not in service for about ten seconds. | 5.13.1-5.15.1 | 5.16.0-5.16.1| | [4556729](#4556729)
| OTEL SRv6 metrics might not be sent in the correct format after a switchd service restart. | 5.14.0 | 5.15.0-5.16.1| | [4554858](#4554858)
| The default poll interval for on-change notifications is set to 10 seconds instead of 1 second for gNMI packet trimming metrics. | 5.14.0 | 5.15.0-5.16.1| -| [4551249](#4551249)
| The NVUE service might fail during switch upgrade. To work around this issue, stop the sysmonitor with the sudo systemctl stop sysmonitor command, then upgrade the switch with the nv action upgrade system packages to latest command. | 5.14.0-5.16.1 | | +| [4551249, 4572507, 4573399, 4712858, 4919013](#4551249, 4572507, 4573399, 4712858, 4919013)
| The NVUE service might fail during switch upgrade. To work around this issue, stop the sysmonitor with the sudo systemctl stop sysmonitor command, then upgrade the switch with the nv action upgrade system packages to latest command. | 5.14.0-5.16.1 | | | [4550126](#4550126)
| Sometimes NVUE does not show SRv6 statistics even though static SID configuration is present. | 5.14.0 | 5.15.0-5.16.1| | [4549896](#4549896)
| When you try to set a VXLAN with a bridge, you see the error sx_sdk: 22985 [BRIDGE] [ERROR ]: Port(0x200A000D)) already added to a bridge. You can safely ignore this error. | 5.14.0-5.16.1 | | | [4548512](#4548512)
| When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface vlan10, the route might install against vlan10-v0. This prevents next-hop tracking and route installation into hardware.
This issue can occur in the following conditions:
  • When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.
  • In an MLAG and VRR configuration, static routes fail to install when the route is resolved through a connected route and the interface of the connected route undergoes a link state change for any reason, such as link flaps, interface bring-up, clagd restart, switchd restart, etc.

To work around this issue, restart the FRR service using the sudo systemctl restart frr.service command. | 5.11.0-5.16.1 | | -| [4547463](#4547463)
| When you try to run nv action boot-next commands during optimized image upgrade, the commands time out. This does not necessarily mean an issue occurred; the system might still be executing the action.
To check that the action command completed before going to the next step to reboot the system:
  1. Find the Request ID for the REST API invocation corresponding to the nv action boot-next command by doing a grep for ActionKey.*boot-next in the /var/log/nvued.log file. For example, the value 3 in the Ran Job running ActionKey('@boot-next', '/system/image', (), 3, (('partition', 'partition1'),)) line indicates the Request ID.
  2. Run the curl -u ':\' -X GET https://127.0.0.1:8765/nvue_v1/action/ -k command from the shell to show the status of the action command. If the value of state is action_success, the action command completed successfully. If the value of state is running, the system is still processing. If the value of state is action_error, the system encountered an error.
| 5.14.0-5.16.1 | | +| [4547463, 4705370](#4547463, 4705370)
| When you try to run nv action boot-next commands during optimized image upgrade, the commands time out. This does not necessarily mean an issue occurred; the system might still be executing the action.
To check that the action command completed before going to the next step to reboot the system:
  1. Find the Request ID for the REST API invocation corresponding to the nv action boot-next command by doing a grep for ActionKey.*boot-next in the /var/log/nvued.log file. For example, the value 3 in the Ran Job running ActionKey('@boot-next', '/system/image', (), 3, (('partition', 'partition1'),)) line indicates the Request ID.
  2. Run the curl -u ':\' -X GET https://127.0.0.1:8765/nvue_v1/action/ -k command from the shell to show the status of the action command. If the value of state is action_success, the action command completed successfully. If the value of state is running, the system is still processing. If the value of state is action_error, the system encountered an error.
| 5.14.0-5.16.1 | | | [4535856](#4535856)
| When you try to import an invalid server certificate file, Cumulus Linux does not import the certificate file but fails to show an error message. | 5.13.0-5.16.1 | | | [4535843](#4535843)
| After a switch reboot, the nv show system health command shows incorrect system LED status and color. | 5.13.0-5.16.1 | | | [4535806](#4535806)
| After a factory reset, the switch does not clear the /var/tmp directory, which the switch uses for temporary files. | 5.14.0-5.16.1 | | @@ -128,16 +128,16 @@ pdfhidden: True | [4534357](#4534357)
| During Cumulus Linux upgrade or downgrade, rsyslog might crash because the management (eth0) port is unavailable, which triggers a use-after-free fault and produces a cl-support file as a response. | 5.13.1-5.16.1 | | | [4531960](#4531960)
| The GNMI Subscription to xpath interfaces/interface[name=swp61s0]/state/counters/out-pkts with a high sample interval results in an initial response of zero but in subsequent updates, the value is correct. You do not see this issue when the sample interval is 1 second. | 5.14.0-5.16.1 | | | [4513849](#4513849)
| After upgrading from Cumulus Linux 5.12 on the NVIDIA SN5400 switch bonus port, PTP does not converge. To work around this issue, disable, then enable the bonus port after upgrade. | 5.13.0-5.16.1 | | -| [4509255](#4509255)
| In PTP two-step, the hardware incorrectly modifies the SYNC message correction field. | 5.12.0-5.16.1 | | +| [4509255, 4546858](#4509255, 4546858)
| In PTP two-step, the hardware incorrectly modifies the SYNC message correction field. | 5.12.0-5.16.1 | | | [4508830](#4508830)
| Cumulus Linux allows you to add bond ports of mismatched speeds (such as 10G and 25G) to the same LACP bond without error and the bond reports UP. | 5.11.2-5.16.1 | | -| [4501632](#4501632)
| NVIDIA recommends you wait for approximately 60 seconds after running nv config apply before power cycling the switch so that NVUE database has time to sync to the filesystem. | 5.14.0-5.16.1 | | -| [4498428](#4498428)
| Due to a GCC update in Cumulus Linux 5.14, you might see unexpected log messages, such as BPF: Invalid name when using package upgrade to upgrade to Cumulus Linux 5.14. You can ignore these messages. | 5.14.0 | 5.15.0-5.16.1| -| [4495383](#4495383)
| NVUE configuration yaml file translation converts unset commands to set commands because the translation logic expects only set commands. | 5.13.0-5.16.1 | | +| [4501632, 4530257](#4501632, 4530257)
| NVIDIA recommends you wait for approximately 60 seconds after running nv config apply before power cycling the switch so that NVUE database has time to sync to the filesystem. | 5.14.0-5.16.1 | | +| [4498428, 4542680, 4574671](#4498428, 4542680, 4574671)
| Due to a GCC update in Cumulus Linux 5.14, you might see unexpected log messages, such as BPF: Invalid name when using package upgrade to upgrade to Cumulus Linux 5.14. You can ignore these messages. | 5.14.0 | 5.15.0-5.16.1| +| [4495383, 4493988](#4495383, 4493988)
| NVUE configuration yaml file translation converts unset commands to set commands because the translation logic expects only set commands. | 5.13.0-5.16.1 | | | [4495231](#4495231)
| If the hardware clock date is later than 2038-01-19 03:14:07 UTC, the image might fail to install due to a grub-install failure on the EFI filesystem, which is a VFAT filesystem. As a result, you see the grub prompt immediately after reboot. To work around this issue, reboot from the grub prompt to go into ONIE. From ONIE, use the date command to set a date before 2038-01-19, then run the hwclock --systohc command to add it to the hardware clock. You can then use onie-nos-install to install the image. | 5.9.0-5.16.1 | | | [4475401](#4475401)
| External input such as Ctrl+\ might trigger core dumps on the serial console from /bin/login. This behavior is caused by external sources, such as console servers or automation tools, and does not reflect a fault in the operating system. As a potential result, the serial console might become unresponsive. | 5.14.0-5.16.1 | | | [4475111](#4475111)
| When you try to convert a layer 3 port that is part of ECMP to a bond member, you might see a failure in the switchd logs. This issue does not have any functional impact. | 5.11.2-5.16.1 | 5.9.4| | [4475074](#4475074)
| The SN5610 switch records a High FEC Bin Error at room temperature. | 5.13.0-5.16.1 | 5.11.2| -| [4472414](#4472414)
| After you modify the IP address of an SVI, DHCP relay uses an old cached IP address instead of the changed IP address. This occurs because DHCP relay monitors the link state change not IP address change. | 5.11.0-5.14.0 | 5.15.0-5.16.1| +| [4472414, 4621451](#4472414, 4621451)
| After you modify the IP address of an SVI, DHCP relay uses an old cached IP address instead of the changed IP address. This occurs because DHCP relay monitors the link state change not IP address change. | 5.11.0-5.14.0 | 5.15.0-5.16.1| | [4440766](#4440766)
| When you try to delete a trusted ca key, Cumulus Linux shows an incorrect error message. To remove a trusted ca key, you must unset the key ID, not the key literal. | 5.13.0-5.16.1 | | | [4423368](#4423368)
| When all links go down or the switch reboots, you see next hop group churn from Zebra to the SOO next hop group. This issue might cause some convergence degradation. | 5.12.0-5.16.1 | | | [4423360](#4423360)
| After a remote link flap, neighbor entries using the link might not get resolved immediately. Only when some traffic uses the nexthop will they be resolved. | 5.12.0-5.16.1 | | @@ -160,21 +160,21 @@ pdfhidden: True | [4236419](#4236419)
| On the Spectrum-3 switch, the PTP offset for 25GbE fluctuates within a range of plus or minus 50 nanoseconds beyond the expected values. | 5.12.0-5.16.1 | | | [4214678](#4214678)
| Changes to open telemetry configuration or export states restarts the telemetry service and resets all health metrics. | 5.12.0-5.16.1 | | | [4177067](#4177067)
| When performing a package upgrade, nslcd installation might open an interactive dialog to configure nslcd.conf .
To avoid this interactive dialog, set the DEBIAN_FRONTEND environment variable to noninteractive. For example:
cumulus@switch:~$ sudo apt-get update
cumulus@switch:~$ sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold" upgrade
| 5.11.0-5.16.1 | | -| [4154839](#4154839)
| When you run certain SDK commands (such as sudo sx_api_port_counter_dump_all.py or sx_api_fdb_dump) first as the cumulus user, then with sudo, you see the following error:
PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt'

To resolve this issue, run the rm -rf /tmp/python_err_log.txt command. | 5.11.0-5.16.1 | | +| [4154839, 4280933, 4291934](#4154839, 4280933, 4291934)
| When you run certain SDK commands (such as sudo sx_api_port_counter_dump_all.py or sx_api_fdb_dump) first as the cumulus user, then with sudo, you see the following error:
PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt'

To resolve this issue, run the rm -rf /tmp/python_err_log.txt command. | 5.11.0-5.16.1 | | | [4142857](#4142857)
| The switch drops PTP packets received with extra ethernet padding and you see syslog [ptp4l.ERR] messages. | 5.10.0-5.16.1 | | -| [4139511](#4139511)
| When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue.
[ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds
[ 1903.846724] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.852689] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.861573] hwmon hwmon28: Failed to query module temperature
| 5.11.0-5.16.1 | | +| [4139511, 4184813, 4180112](#4139511, 4184813, 4180112)
| When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue.
[ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds
[ 1903.846724] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.852689] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.861573] hwmon hwmon28: Failed to query module temperature
| 5.11.0-5.16.1 | | | [4134447](#4134447)
| The journal logs might include the error message ERR kernel: [ 7.453789] usb usb2-port2: connect-debounce failed. You can safely ignore this log message. | 5.11.0-5.16.1 | | | [4129757](#4129757)
| If you include a comma in the BGP community list, extended community list, or large community list regex expression of a routing policy, you see error messages and FRR reload fails. Make sure the regex expression does not contain a comma.
For example, instead of ^65550:([0-9]{1,2}\|[1-9][1-9]):.*$, specify ^65550:([0-9]\|[0-9][0-9]):.*$ and instead of ^65550:([0-4]{1,2}\|[7-9][8-9]):.*$, specify ^65550:([0-4]\|[0-4][0-4]\|[7-9][8-9]):.*$. | 5.11.0-5.16.1 | | -| [4124376](#4124376)
| The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier).
To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in Downgrade a Secure Boot Switch. | 5.11.0-5.16.1 | | +| [4124376, 4316163](#4124376, 4316163)
| The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier).
To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in Downgrade a Secure Boot Switch. | 5.11.0-5.16.1 | | | [4118970](#4118970)
| When running PTP, the performance for 100Gx2 and 400Gx8 can have a high offset in up to 1.5% of the sampling. | 5.11.0-5.16.1 | | -| [4105127](#4105127)
| Any sFlow configuration changes that require an hsflowd restart are operational only after an initial delay of 60 seconds. | 5.11.0-5.16.1 | | +| [4105127, 4796391](#4105127, 4796391)
| Any sFlow configuration changes that require an hsflowd restart are operational only after an initial delay of 60 seconds. | 5.11.0-5.16.1 | | | [4100629](#4100629)
| NVUE show command outputs show LLDP neighbor changes only after the LLDP update frequency multiplied by the hold time. | 5.11.0-5.16.1 | | | [4082210](#4082210)
| When you change the CPU resource limit with the nv set service control rsyslog resource-limit cpu command, the rsyslog agent does not start. To work around this issue, increase the CPU resource limit, then restart the service manually. | 5.11.0-5.16.1 | | | [4077921](#4077921)
| You cannot use package upgrade to upgrade from Cumulus Linux 5.9.2 to Cumulus Linux 5.10.1 or later. You must install the Cumulus Linux image instead. | 5.10.1-5.16.1 | | -| [4049213](#4049213)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | +| [4049213, 4186873](#4049213, 4186873)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | | [4047798](#4047798)
| Packet distribution based on ECMP hashing using GTP-TEID does not function as expected in an EVPN Clos topology. | 5.10.0-5.16.1 | | | [4030380](#4030380)
| When you roll back interface configuration to the default setting with the nv unset interface command, NVUE removes the complete entry for the interface from the /etc/network/interface file, and puts the interface in admin down. As a result, you cannot configure FEC on the interface at the lower layers. | 5.10.0-5.16.1 | | -| [4005422](#4005422)
| When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the systemctl enable ntpsec@ and systemctl restart ntpsec@ commands. | 5.10.0-5.16.1 | | +| [4005422, 4015452](#4005422, 4015452)
| When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the systemctl enable ntpsec@ and systemctl restart ntpsec@ commands. | 5.10.0-5.16.1 | | | [3985682](#3985682)
| On Spectrum-4 switches, multicast flows containing packets smaller than 512 bytes might not reach full line rate. Cumulus Linux supports 512 byte and larger multicast packets. | 5.10.0-5.16.1 | | | [3966312](#3966312)
| When connecting the SN5xxx switch to third party test equipment (such as IXIA) using copper cables at 100GbE, 200GbE, 400GbE, or 800GbE, links do not come up. | 5.10.0-5.16.1 | | | [3948068](#3948068)
| On the SN3700 and SN3700c switch, the nv show platform environment voltage command output shows a failed state for the PSU-n-12V-RAIL-OUT sensors. This is a known hardware limitation that cannot be corrected by the PSU vendor. | 5.10.0-5.16.1 | | @@ -196,17 +196,17 @@ pdfhidden: True | [3637444](#3637444)
| Applying an inbound control plane ACL on the eth0 management interface does not take effect. To work around this issue, apply the ACL on the mgmt interface; for example, nv set interface mgmt acl inbound control-plane. | 5.7.0-5.16.1 | | | [3591918](#3591918)
| The nv action disconnect system aaa user command does not clear all open sessions. To work around this issue, run the command as many times as the number of sessions. | 5.6.0-5.16.1 | | | [3587393](#3587393)
| If you use the NVIDIA SN5600 (Spectrum-4) switch with Ixia test equipment, you might experience delayed link up due to intermittent link flaps.
To work around this issue when using copper cables:
  • Use Ixia IxOS version 9.37 with HF002156, or version 9.39 or later.
  • Use the DAC cable on ports 10 through 50.
  • Use NVIDIA cables with the recommended firmware revision.
  • Configure AN on the Cumulus Linux switch and AN/LT on Ixia.

To work around this issue when using fiber cables:
  • Configure 800g/Force.
  • Use the recommended NVIDIA optical adapters.
| 5.6.0-5.16.1 | | -| [3556762](#3556762)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | +| [3556762, 3463827](#3556762, 3463827)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | | [3540510](#3540510)
| 400Gx8 ports only support traffic line rate with packets that are larger than 172 bytes. | 5.6.0-5.16.1 | | -| [3538321](#3538321)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | +| [3538321, 3564344](#3538321, 3564344)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | | [3497622](#3497622)
| When you remove PSUs, then plug them back in, you might experience traffic loss and some ports might be in a down state. | 5.6.0-5.16.1 | | | [3472163](#3472163)
| On a switch with the Spectrum-4 ASIC, packets that are smaller than 256 bytes are not included in multicast flows. Multicast flows support packets that are 256 bytes or larger. | 5.6.0-5.16.1 | | | [3444490](#3444490)
| Migration from ONYX to Cumulus Linux is supported and tested with ONYX version 3.10.4302 GA only. | 5.6.0-5.16.1 | | -| [3442569](#3442569)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | -| [3430430](#3430430)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | -| [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | +| [3442569, 3520880, 3586421](#3442569, 3520880, 3586421)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | +| [3430430, 3337848](#3430430, 3337848)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | +| [3424967, 3413785](#3424967, 3413785)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [3414866](#3414866)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | +| [3414866, 3536555, 4465009, 4509253, 4732973](#3414866, 3536555, 4465009, 4509253, 4732973)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | | [3362113](#3362113)
| If you restore an NVUE startup.yaml file or run the nv config patch command after an upgrade that includes breakout ports with QoS configuration, the NVUE configuration fails to apply. Subsequent attempts to run nv config apply fail with a message similar to Invalid config [rev_id: 11] qos config is not supported on the following invalid interface: swp1s0. Supported on swp and bond interface types. To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. | 5.4.0-5.16.1 | | | [3347538](#3347538)
| When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.16.1 | | | [3341214](#3341214)
| If you use the NVUE REST API to configure a local user with a hashed password, the user cannot log in and the /etc/nvue.d/startup.yaml file shows the password as plain text. | 5.4.0-5.16.1 | | @@ -216,10 +216,10 @@ pdfhidden: True | [3253218](#3253218)
| Auto-negotiation isn't supported on Spectrum-2 and Spectrum-3 switches using the 1G SFP-T module; FORCE 1G is configured instead. | 5.4.0-5.16.1 | | | [3241567](#3241567)
| When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time. | 5.3.0-5.16.1 | | | [3226506](#3226506)
| The l1-show eth0 command does not show port information and is not supported in this release. | 5.3.0-5.16.1 | | -| [3225117](#3225117)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | +| [3225117, 3158720](#3225117, 3158720)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | | [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.16.1 | | | [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.16.1 | | -| [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | +| [3145869, 3430508, 3543102](#3145869, 3430508, 3543102)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | | [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example: 
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.16.1 | | | [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.16.1 | | | [3103821](#3103821)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.16.1 | | @@ -229,8 +229,8 @@ pdfhidden: True | [3061656](#3061656)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.16.1 | | | [2972540](#2972540)
| With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.16.1 | | | [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.16.1 | | -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [2885305](#2885305)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2885305, 2887500, 3234087, 3074929, 3293192](#2885305, 2887500, 3234087, 3074929, 3293192)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.16.1 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.16.1 | | | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | @@ -244,10 +244,10 @@ pdfhidden: True | [4555938](#4555938)
| When one of the FRR processes such as bgpd or zebra goes down, watchfrr tries to restart those processes and also restarts the routing telemetry service, which blocks watchfrr causing cascading failures on other processes. | 5.12.0-5.13.1 | | | [4546389](#4546389)
| The nv config show -o commands command displays numbered BGP neighbors in IP address range format; however, the nv set commands fail for BGP numbered neighbors configured in IP address ranges. | 5.13.0-5.13.1 | | | [4544433](#4544433)
| When you enable bandwidth gauge on an interface, the asic-monitor leaks memory steadily over time. The memory leak rate depends on how many interfaces have the bandwidth gauge enabled and the snapshot rate. | 5.13.1 | | -| [4540985](#4540985)
| If you have a transceiver module with a vendor name containing invalid characters and OTEL is enabled, the switch generates an interface_stats core file. | 5.13.1 | | +| [4540985, 4789339, 4776413](#4540985, 4789339, 4776413)
| If you have a transceiver module with a vendor name containing invalid characters and OTEL is enabled, the switch generates an interface_stats core file. | 5.13.1 | | | [4540976](#4540976)
| When an SVI interface is brought up with routes installed against it, during subsequent interface updates that are applied to the interface during bringup such as MTU changes, interface forwarding state, MAC learning updates, or multicast forwarding state changes, the routes installed for the interface might be programmed as blackhole routes. This can occur during a fresh boot of a switch. To work around this issue, toggle the interface state of the SVI. | 5.8.0-5.9.3 | | | [4539084](#4539084)
| When you lower the speed for an interface, the nv show interface rates command output might show the link utilization percentage above 100 percent. This issue is corrected automatically after the load interval duration. | 5.12.0-5.13.1 | | -| [4531952](#4531952)
| When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface vlan10, the route might install against vlan10-v0. This prevents next-hop tracking and route installation into hardware.
This issue can occur in the following conditions:
  • When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.
  • In an MLAG and VRR configuration, static routes fail to install when the route is resolved through a connected route and the interface of the connected route undergoes a link state change for any reason, such as link flaps, interface bring-up, clagd restart, switchd restart, etc.

To work around this issue, restart the FRR service using the sudo systemctl restart frr.service command. | 5.11.1-5.13.1 | | +| [4531952, 4518822](#4531952, 4518822)
| When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface vlan10, the route might install against vlan10-v0. This prevents next-hop tracking and route installation into hardware.
This issue can occur in the following conditions:
  • When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.
  • In an MLAG and VRR configuration, static routes fail to install when the route is resolved through a connected route and the interface of the connected route undergoes a link state change for any reason, such as link flaps, interface bring-up, clagd restart, switchd restart, etc.

To work around this issue, restart the FRR service using the sudo systemctl restart frr.service command. | 5.11.1-5.13.1 | | | [4531104](#4531104)
| On a switch with SDK 4.6.1062 or earlier, you might see FW fatal health events. | 5.6.0-5.13.1 | | | [4529334](#4529334)
| The GNMI Subscription to xpath interfaces/interface[name=swp61s0]/state/counters/out-pkts with a high sample interval results in an initial response of zero but in subsequent updates, the value is correct. You do not see this issue when the sample interval is 1 second. | | | | [4526096](#4526096)
| The global VRRP priority level change is not applied to the VRRP interface. It is always set to 100. | 5.13.1 | | @@ -276,7 +276,7 @@ pdfhidden: True | [4469498](#4469498)
| When a host moves to a new VTEP during mobility or network failover events in an EVPN multihoming environment, the host might be unreachable due to ARP resolution failures. To work around this issue, restart the FRR service with the sudo systemctl restart frr.service command. | 5.4.0-5.9.3 | | | [4469479](#4469479)
| If you use NVUE to unset an extremely large IP prefix list (around 50K), the command might time out when unconfiguring FRR. As a result, you see the message Failure during apply. Ignore? [y/N] and the FRR service stops. | 5.13.0-5.13.1 | | | [4469349](#4469349)
| When you try to import an invalid server certificate file, Cumulus Linux does not import the certificate file but fails to show an error message. | 5.13.0-5.13.1 | | -| [4467245](#4467245)
| Transceiver channel power values in dBm reported through streaming telemetry protocols such as OTLP and GNMI are imprecise and are rounded to whole numbers. The NVUE nv show platform transceiver command or Linux ethtool -m command provides more precise, floating-point values. | 5.13.0-5.13.1 | | +| [4467245, 4417072](#4467245, 4417072)
| Transceiver channel power values in dBm reported through streaming telemetry protocols such as OTLP and GNMI are imprecise and are rounded to whole numbers. The NVUE nv show platform transceiver command or Linux ethtool -m command provides more precise, floating-point values. | 5.13.0-5.13.1 | | | [4466525](#4466525)
| Radius priority values can range between 1 and 8; however Cumulus Linux allows you to configure an invalid priority. | 5.12.0-5.13.1 | | | [4461102](#4461102)
| In certain cases, when a port is down and you apply adaptive routing with the link utilization threshold setting to the port as it goes up, you might see log errors while the port is not yet up. | 5.11.0-5.13.1 | | | [4460588](#4460588)
| The NVIDIA SN5610 switch might experience FEC burstiness with multiple optics, which can impact link stability and performance. | 5.13.1 | | @@ -286,25 +286,25 @@ pdfhidden: True | [4447794](#4447794)
| The gNMI value for the sensor alarm-status shows incorrectly. For a raised alarm, the alarm-status is True(1) but normally functioning sensors also show True(1). | 5.13.0-5.13.1 | | | [4447661](#4447661)
| During link down events affecting a subset of local links, switchd might observe extra route deletions due to timing mismatches between Zebra and kernel processing of Next Hop Group (NHG) changes. Routes should transition directly from one NHG to another, but instead get temporarily deleted and reinstalled, causing unnecessary churn. Zebra logs might show Extended Error: Nexthop id does not exist messages during partial link down scenarios
| 5.13.0-5.13.1 | | | [4447419](#4447419)
| Users with nv show privileges only can still execute the nv config apply and related commands. | 5.9.2-5.9.3 | | -| [4443870](#4443870)
| When running tens of thousands of nv set commands, the /var/lib/nvue directory might grow to several GBs in size, potentially using all the disk space. To work around this issue, run the following commands to reduce the disk space in the /var/lib/nvue directory:
cumulus@switch:~$ sudo su
cumulus@switch:~$ cd /var/lib/nvue/config
cumulus@switch:~$ git gc
| 5.13.0-5.13.1 | | +| [4443870, 4461303](#4443870, 4461303)
| When running tens of thousands of nv set commands, the /var/lib/nvue directory might grow to several GBs in size, potentially using all the disk space. To work around this issue, run the following commands to reduce the disk space in the /var/lib/nvue directory:
cumulus@switch:~$ sudo su
cumulus@switch:~$ cd /var/lib/nvue/config
cumulus@switch:~$ git gc
| 5.13.0-5.13.1 | | | [4438933](#4438933)
| When gNMI subscription and configuration changes to an interface occur simultaneously, the interface statistics process can crash and leave a core file. | 5.13.0-5.13.1 | | | [4433969](#4433969)
| Cumulus Linux generates multiple cl-support files when there are multiple errors exporting OTEL metrics. | 5.13.0-5.13.1 | | | [4427224](#4427224)
| The nv show interface command output shows the operational status as down for a link flap error disabled state instead of the real protodown reason. To work around this issue, run the nv show interface status command, which shows if any of the interfaces are protodown with the protodown reason. | 5.12.0-5.13.1 | | | [4427085](#4427085)
| cl-route-check fails if there are INCOMPLETE entries in the Kernel neighbor table. | 5.13.0-5.13.1 | | | [4425975](#4425975)
| On rare occasions, when bridge or L2VNI interfaces are coming up or transitioning state, type 2 EVPN routes might not be properly installed. To work around this issue, flap the VNI interface. | 5.9.3 | | | [4425299](#4425299)
| After upgrading from Cumulus Linux 5.12 to 5.13 on the NVIDIA SN5400 switch bonus port, PTP does not converge. To work around this issue, disable, then enable the bonus port after upgrade. | 5.13.0-5.13.1 | | -| [4425288](#4425288)
| When gNMI streaming is enabled on the switch, Cumulus Linux generates a cl-support file the first time you perform an FRR operation that reloads or restarts the FRR service (such as remove or add a neighbor or add or modify static routes). | 5.13.0-5.13.1 | | -| [4414935](#4414935)
| Interface counters retrieved from the kernel are not reset when switchd restarts. These kernel counters are inconsistent with other telemetry counters that do reset when switchd restarts. | 5.13.0-5.13.1 | | -| [4413450](#4413450)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.11.1, 5.13.0-5.13.1 | | +| [4425288, 4423331, 4426775, 4413508](#4425288, 4423331, 4426775, 4413508)
| When gNMI streaming is enabled on the switch, Cumulus Linux generates a cl-support file the first time you perform an FRR operation that reloads or restarts the FRR service (such as remove or add a neighbor or add or modify static routes). | 5.13.0-5.13.1 | | +| [4414935, 4320281](#4414935, 4320281)
| Interface counters retrieved from the kernel are not reset when switchd restarts. These kernel counters are inconsistent with other telemetry counters that do reset when switchd restarts. | 5.13.0-5.13.1 | | +| [4413450, 4497128](#4413450, 4497128)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.11.1, 5.13.0-5.13.1 | | | [4408549](#4408549)
| UMF processes do not include log rotation and the logs can grow very large causing operational failures when you generate cl-support files and run the nv config apply command. | 5.13.0-5.13.1 | | | [4408387](#4408387)
| BGP crashes during EVPN route install due to incorrect memory access. | 5.11.0-5.13.1 | | | [4408161](#4408161)
| On the NVIDIA SN2201 switch, the fan tray LED status update fails and you see the following syslog errors:
systemd-udevd116276: mlxreg:fan1:green: Process ‘/usr/bin/hw-management-chassis-events.sh fantray-led-event mlxreg:fan1:green 255’ failed with exit code 1.

To work around this issue, restart the hw-management service with the sudo systemctl restart hw-management command. | 5.7.0-5.9.3 | | -| [4393369](#4393369)
| If you generate a cl-support file after configuring a breakout port, the syslog file includes errors due to a statistic collection failure for stale ports. This issue has no functional impact. | 5.13.0-5.13.1 | | +| [4393369, 4461301](#4393369, 4461301)
| If you generate a cl-support file after configuring a breakout port, the syslog file includes errors due to a statistic collection failure for stale ports. This issue has no functional impact. | 5.13.0-5.13.1 | | | [4389433](#4389433)
| On switches with ONIE 5.3.0012 (might be displayed as 2023.11-5.3.0012-115200), reinstalling Cumulus Linux with onie-install when SecureBoot is enabled fails during CMS verification of a found image.
To determine the ONIE version on the switch:
sudo mount LABEL="ONIE-BOOT" /mnt
/mnt/onie/tools/bin/onie-version
If the ONIE version is earlier than 5.3.0012 (might be displayed as 2023.11-5.3.0012-115200), either disable SecureBoot during reinstallation, or if SecureBoot is enabled and ONIE finds the image on one of the disks (for example, /dev/sda5), then fails CMS verification, log into the ONIE shell as root and run the following commands:
onie-stop
mkdir /$devname
mount $devname /$devname
onie-nos-install /$devname/onie-installer
| 5.12.0-5.13.1 | | -| [4386779](#4386779)
| When you start gNMI subscription from a remote client, interface rates reset and values start from 0. | 5.13.0-5.13.1 | | +| [4386779, 4321086](#4386779, 4321086)
| When you start gNMI subscription from a remote client, interface rates reset and values start from 0. | 5.13.0-5.13.1 | | | [4372795](#4372795)
| With high SSH scale you might see LTTNG high memory usage errors causing an out of memory condition. | 5.13.0-5.13.1 | | -| [4360826](#4360826)
| On rare occasions, when you run the NVUE nv config apply command, switchd crashes, then restarts after the crash and resumes its normal flow of operation. | 5.13.0-5.13.1 | | +| [4360826, 4445857](#4360826, 4445857)
| On rare occasions, when you run the NVUE nv config apply command, switchd crashes, then restarts after the crash and resumes its normal flow of operation. | 5.13.0-5.13.1 | | | [4341806](#4341806)
| The BGP uptime differs between vtysh and NVUE command output. | 5.12.0-5.13.1 | | -| [3879809](#3879809)
| Spectrum-4 switches do not include full What Just Happened (WJH) support. | 5.9.0-5.13.1 | | -| [3875687](#3875687)
| After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the Local Vtep Ip field of the nv show evpn vni command output. To work around this issue, either run the ifup command or reboot the switch. | 5.9.0-5.13.1 | | +| [3879809, 4064254](#3879809, 4064254)
| Spectrum-4 switches do not include full What Just Happened (WJH) support. | 5.9.0-5.13.1 | | +| [3875687, 3879260, 4025900](#3875687, 3879260, 4025900)
| After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the Local Vtep Ip field of the nv show evpn vni command output. To work around this issue, either run the ifup command or reboot the switch. | 5.9.0-5.13.1 | | diff --git a/content/cumulus-linux-514/rn.xml b/content/cumulus-linux-514/rn.xml index e223679f99..d912540b58 100644 --- a/content/cumulus-linux-514/rn.xml +++ b/content/cumulus-linux-514/rn.xml @@ -37,7 +37,7 @@ -4918342 +4918342, 4641291 In rare circumstances, the switch stops streaming telemetry data for interface counters, buffers, or PHY. 5.13.0-5.16.1 @@ -158,7 +158,7 @@ interface_stats_collector[3429270]: goroutine 5610 gp=0xc007814c40 m=16 mp=0xc00 5.16.0-5.16.1 -4789339 +4789339, 4540985 The {{interface_stats}} process might crash when a transceiver has non-ASCII data in EEPROM fields, such as vendor name or part number. 5.13.1-5.15.1 5.16.0-5.16.1 @@ -194,7 +194,7 @@ interface_stats_collector[3429270]: goroutine 5610 gp=0xc007814c40 m=16 mp=0xc00 5.16.0-5.16.1 -4751060 +4751060, 4637733 If the switch filesystem is overloaded or memory is exhausted, you see very slow responses from the filesystem and the SDK might fail with a fatal error similar to: sxd_kernel: Health-Check: new failure (dev=1, severity='Fatal', cause=10 ['SDK thread issue'], irisc=255, desc='Health check: SDK thread [sxSniffer] TID [0x7f81cffff6c0] bit [4] does not respond [5] seconds') 5.12.0-5.15.1 @@ -207,7 +207,7 @@ sxd_kernel: Health-Check: new failure (dev=1, severity='Fatal', cause=10 ['SDK t 5.16.0-5.16.1 -4748176 +4748176, 4662528, 4652420 Unsupported hardware modules might cause SDK and firmware health event and traffic loss. 5.12.1-5.15.1 5.16.0-5.16.1 @@ -237,7 +237,7 @@ sxd_kernel: Health-Check: new failure (dev=1, severity='Fatal', cause=10 ['SDK t 5.16.0-5.16.1 -4731804 +4731804, 4559992 NVUE might fail to apply a configuration due to a mishandling of ranges during a race condition and shows a message similar to the following (the issue is not limited to the transceiver ID or swp ranges): {{ Invalid config [rev_id: 2] The transceiver id[swp1-64] is not valid.}} @@ -299,7 +299,7 @@ interface_stats_collector[3429270]: goroutine 5610 gp=0xc007814c40 m=16 mp=0xc00 5.16.0-5.16.1 -4704406 +4704406, 4633883 TACACS authentication mode is not configured correctly in PAM common authentication and TACACS configuration files, which makes {{login}} the authentication mode regardless of the NVUE configuration. 5.14.0-5.15.1 5.16.0-5.16.1 @@ -326,7 +326,7 @@ interface_stats_collector[41358]: [signal SIGSEGV: segmentation violation code=0 5.15.0-5.16.1 -4680172 +4680172, 4633345 In extremely rare circumstances, during a GNMI subscription change for interface or QoS data, a Spectrum ASIC SDK health event ({{SX_HEALTH_FATAL: Health-Check: new failure }}) is observed and the process might become unresponsive. To recover from this issue, reboot the switch. 5.14.0 5.15.0-5.16.1 @@ -362,7 +362,7 @@ interface_stats_collector[41358]: [signal SIGSEGV: segmentation violation code=0 5.15.0-5.16.1 -4647325 +4647325, 4861067 Running the {{nv config save}} command while a diff is pending might result in unexpected {{nv config diff}} output. To work around this issue, run the {{nv config diff --verbose}} command. 5.14.0 5.15.0-5.16.1 @@ -374,13 +374,13 @@ interface_stats_collector[41358]: [signal SIGSEGV: segmentation violation code=0 5.15.0-5.16.1 -4643073 +4643073, 4643425 Concurrent {{mlxfwmanager --query}} executions triggered by gNMI telemetry polling might cause MFT deadlock, resulting in repeated core dumps, {{nvued}} restarts, and control plane unresponsiveness. 5.14.0-5.15.1 5.16.0-5.16.1 -4641806 +4641806, 4652004, 4652006 When gNMI streaming is enabled and clients are subscribed to system information such as the firmware version with xPath {{'/components/component[name=*]/state/firmware-version'}}, the {{nv config replace}} command might take longer than expected to complete. 5.14.0 5.15.0-5.16.1 @@ -398,7 +398,7 @@ interface_stats_collector[41358]: [signal SIGSEGV: segmentation violation code=0 -4641291 +4641291, 4703438, 4918342, 4923799 In rare circumstances, the switch stops streaming telemetry data for interface counters, buffers, or phy. 5.13.1-5.14.0 5.15.0-5.16.1 @@ -422,7 +422,7 @@ interface_stats_collector[41358]: [signal SIGSEGV: segmentation violation code=0 5.15.0-5.16.1 -4634976 +4634976, 4707726 When you run the {{nv action fetch system packages key <key>}} command, the command fails. To work around this issue, use the {{apt-key-adv --fetch-keys <key>}} command instead. 5.14.0 5.15.0-5.16.1 @@ -476,7 +476,7 @@ interface_stats_collector[41358]: [signal SIGSEGV: segmentation violation code=0 5.15.0-5.16.1 -4621451 +4621451, 4472414 Changing the gateway interface IP address on the DHCP relay causes DHCP relay to not forward the packet. To work around this issue, restart the DHCP relay service corresponding to the VRF on which it is running. 5.13.1-5.14.0 5.15.0-5.16.1 @@ -566,7 +566,7 @@ interface_stats_collector[41358]: [signal SIGSEGV: segmentation violation code=0 5.15.0-5.16.1 -4579237 +4579237, 4579234 If interface statistics telemetry is running on the switch, an {{interface_stats_collector}} core file might generate during statistics collection. 5.11.3-5.16.1 @@ -626,7 +626,7 @@ interface_stats_collector[41358]: [signal SIGSEGV: segmentation violation code=0 5.15.0-5.16.1 -4551249 +4551249, 4572507, 4573399, 4712858, 4919013 The NVUE service might fail during switch upgrade. To work around this issue, stop the {{sysmonitor}} with the {{sudo systemctl stop sysmonitor}} command, then upgrade the switch with the {{nv action upgrade system packages to latest}} command. 5.14.0-5.16.1 @@ -654,7 +654,7 @@ To work around this issue, restart the FRR service using the {{sudo systemctl re -4547463 +4547463, 4705370 When you try to run {{nv action boot-next}} commands during optimized image upgrade, the commands time out. This does not necessarily mean an issue occurred; the system might still be executing the action. To check that the action command completed before going to the next step to reboot the system: <ol><li>Find the Request ID for the REST API invocation corresponding to the {{nv action boot-next}} command by doing a grep for {{ActionKey.*boot-next}} in the /var/log/nvued.log}} file. For example, the value 3 in the {{Ran Job running ActionKey('@boot-next', '/system/image', (), 3, (('partition', 'partition1'),))}} line indicates the Request ID.</li> <li>Run the {{curl -u '<username>:<password>' -X GET https://127.0.0.1:8765/nvue_v1/action/<Request ID> -k}} command from the shell to show the status of the action command. If the value of {{state}} is {{action_success}}, the action command completed successfully. If the value of {{state}} is {{running}}, the system is still processing. If the value of {{state}} is {{action_error}}, the system encountered an error.</li></ol> @@ -722,7 +722,7 @@ To work around this issue, restart the FRR service using the {{sudo systemctl re -4509255 +4509255, 4546858 In PTP two-step, the hardware incorrectly modifies the SYNC message correction field. 5.12.0-5.16.1 @@ -734,19 +734,19 @@ To work around this issue, restart the FRR service using the {{sudo systemctl re -4501632 +4501632, 4530257 NVIDIA recommends you wait for approximately 60 seconds after running {{nv config apply}} before power cycling the switch so that NVUE database has time to sync to the filesystem. 5.14.0-5.16.1 -4498428 +4498428, 4542680, 4574671 Due to a GCC update in Cumulus Linux 5.14, you might see unexpected log messages, such as {{BPF: Invalid name}} when using package upgrade to upgrade to Cumulus Linux 5.14. You can ignore these messages. 5.14.0 5.15.0-5.16.1 -4495383 +4495383, 4493988 NVUE configuration yaml file translation converts unset commands to set commands because the translation logic expects only set commands. 5.13.0-5.16.1 @@ -776,7 +776,7 @@ To work around this issue, restart the FRR service using the {{sudo systemctl re 5.11.2 -4472414 +4472414, 4621451 After you modify the IP address of an SVI, DHCP relay uses an old cached IP address instead of the changed IP address. This occurs because DHCP relay monitors the link state change not IP address change. 5.11.0-5.14.0 5.15.0-5.16.1 @@ -916,7 +916,7 @@ cumulus@switch:~$ sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o "Dpkg::Optio -4154839 +4154839, 4280933, 4291934 When you run certain SDK commands (such as {{sudo sx_api_port_counter_dump_all.py}} or {{sx_api_fdb_dump}}) first as the cumulus user, then with {{sudo}}, you see the following error: PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt' To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. @@ -930,7 +930,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4139511 +4139511, 4184813, 4180112 When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue. [ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock [ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query) [ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds @@ -953,7 +953,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4124376 +4124376, 4316163 The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier). To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in <a href="https://docs.nvidia.com/networking-ethernet-software/cumulus-linux/Installation-Management/Upgrading-Cumulus-Linux/#downgrade-a-secure-boot-switch">Downgrade a Secure Boot Switch</a>. 5.11.0-5.16.1 @@ -965,7 +965,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4105127 +4105127, 4796391 Any sFlow configuration changes that require an {{hsflowd}} restart are operational only after an initial delay of 60 seconds. 5.11.0-5.16.1 @@ -989,7 +989,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4049213 +4049213, 4186873 When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. 5.9.2-5.16.1 @@ -1007,7 +1007,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4005422 +4005422, 4015452 When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the {{systemctl enable ntpsec@<vrf>}} and {{systemctl restart ntpsec@<vrf>}} commands. 5.10.0-5.16.1 @@ -1164,7 +1164,7 @@ To work around this issue when using fiber cables: -3556762 +3556762, 3463827 On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. 5.5.0-5.16.1 @@ -1176,7 +1176,7 @@ To work around this issue when using fiber cables: -3538321 +3538321, 3564344 In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. 5.6.0-5.16.1 @@ -1200,19 +1200,19 @@ To work around this issue when using fiber cables: -3442569 +3442569, 3520880, 3586421 When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both {{nginx.service}} and {{nvued.service}} to begin authenticating users against the new authentication service. 5.5.0-5.16.1 -3430430 +3430430, 3337848 When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. 5.5.0-5.16.1 -3424967 +3424967, 3413785 {{sudo}} for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the {{default}} VRF. To work around this issue, specify the interface name that the {{default}} VRF uses in the {{vrf=}} setting of the {{/etc/tacplus_servers}} file or run the NVUE {{nv set system aaa tacacs vrf}} command. If you don't run either command, a TACACS+ user with privilege level 15 can run {{vrf task exec default sudo ...}} to execute the {{sudo}} command. 5.0.0-5.16.1 @@ -1225,7 +1225,7 @@ The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 -3414866 +3414866, 3536555, 4465009, 4509253, 4732973 Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error. sx_sdk: 22985 [BRIDGE] [ERROR ]: Port(0x200A000D)) already added to a bridge You can ignore this error; it has no impact on switch functionality. @@ -1287,7 +1287,7 @@ You can ignore this error; it has no impact on switch functionality. -3225117 +3225117, 3158720 Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. 5.4.0-5.16.1 @@ -1310,7 +1310,7 @@ To work around this issue, reference the OID without the preceding period ( {{.} -3145869 +3145869, 3430508, 3543102 On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. 5.2.0-5.16.1 @@ -1373,7 +1373,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -1381,7 +1381,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2885305 +2885305, 2887500, 3234087, 3074929, 3293192 Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. 5.0.0-5.16.1 @@ -1448,7 +1448,7 @@ To work around this issue, disable SNMP with the {{nv set system snmp-server sta 5.13.1 -4540985 +4540985, 4789339, 4776413 If you have a transceiver module with a vendor name containing invalid characters and OTEL is enabled, the switch generates an {{interface_stats}} core file. 5.13.1 @@ -1463,7 +1463,7 @@ To work around this issue, disable SNMP with the {{nv set system snmp-server sta 5.12.0-5.13.1 -4531952 +4531952, 4518822 When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface {{vlan10}}, the route might install against {{vlan10-v0}}. This prevents next-hop tracking and route installation into hardware. This issue can occur in the following conditions: <ul><li>When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.</li> @@ -1632,7 +1632,7 @@ systemctl is-enabled ntpsec && sudo systemctl restart ntpsec.service 5.13.0-5.13.1 -4467245 +4467245, 4417072 Transceiver channel power values in dBm reported through streaming telemetry protocols such as OTLP and GNMI are imprecise and are rounded to whole numbers. The NVUE {{nv show platform transceiver <port>}} command or Linux {{ethtool -m <port>}} command provides more precise, floating-point values. 5.13.0-5.13.1 @@ -1684,7 +1684,7 @@ systemctl is-enabled ntpsec && sudo systemctl restart ntpsec.service 5.9.2-5.9.3 -4443870 +4443870, 4461303 When running tens of thousands of {{nv set}} commands, the {{/var/lib/nvue}} directory might grow to several GBs in size, potentially using all the disk space. To work around this issue, run the following commands to reduce the disk space in the {{/var/lib/nvue}} directory: cumulus@switch:~$ sudo su cumulus@switch:~$ cd /var/lib/nvue/config @@ -1722,17 +1722,17 @@ cumulus@switch:~$ git gc 5.13.0-5.13.1 -4425288 +4425288, 4423331, 4426775, 4413508 When gNMI streaming is enabled on the switch, Cumulus Linux generates a cl-support file the first time you perform an FRR operation that reloads or restarts the FRR service (such as remove or add a neighbor or add or modify static routes). 5.13.0-5.13.1 -4414935 +4414935, 4320281 Interface counters retrieved from the kernel are not reset when {{switchd}} restarts. These kernel counters are inconsistent with other telemetry counters that do reset when {{switchd}} restarts. 5.13.0-5.13.1 -4413450 +4413450, 4497128 When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. 5.0.0-5.11.1, 5.13.0-5.13.1 @@ -1754,7 +1754,7 @@ To work around this issue, restart the {{hw-management}} service with the {{sudo 5.7.0-5.9.3 -4393369 +4393369, 4461301 If you generate a cl-support file after configuring a breakout port, the syslog file includes errors due to a statistic collection failure for stale ports. This issue has no functional impact. 5.13.0-5.13.1 @@ -1771,7 +1771,7 @@ onie-nos-install /$devname/onie-installer 5.12.0-5.13.1 -4386779 +4386779, 4321086 When you start gNMI subscription from a remote client, interface rates reset and values start from 0. 5.13.0-5.13.1 @@ -1781,7 +1781,7 @@ onie-nos-install /$devname/onie-installer 5.13.0-5.13.1 -4360826 +4360826, 4445857 On rare occasions, when you run the NVUE {{nv config apply}} command, {{switchd}} crashes, then restarts after the crash and resumes its normal flow of operation. 5.13.0-5.13.1 @@ -1791,12 +1791,12 @@ onie-nos-install /$devname/onie-installer 5.12.0-5.13.1 -3879809 +3879809, 4064254 Spectrum-4 switches do not include full What Just Happened (WJH) support. 5.9.0-5.13.1 -3875687 +3875687, 3879260, 4025900 After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the {{Local Vtep Ip}} field of the {{nv show evpn vni <vni>}} command output. To work around this issue, either run the {{ifup <vxlan-id>}} command or reboot the switch. 5.9.0-5.13.1 diff --git a/content/cumulus-linux-515/Whats-New/rn.md b/content/cumulus-linux-515/Whats-New/rn.md index 63a9b8841d..2e11efc14f 100644 --- a/content/cumulus-linux-515/Whats-New/rn.md +++ b/content/cumulus-linux-515/Whats-New/rn.md @@ -19,11 +19,11 @@ pdfhidden: True | [4963277](#4963277)
| When many BFD sessions are configured at scale, ptmd might crash when one of the BFD sessions flaps. | 5.3.1-5.16.1 | | | [4963271](#4963271)
| PTM does not refresh certain entries and the PTM's neighbor status command (ptmctl -d) continues to show a neighbor that is already gone. This condition clears when the expected neighbor gets discovered. | 5.15.1-5.16.1 | | | [4930152](#4930152)
| When you configure layer 3 SVI interfaces with an anycast gateway (VRR) IP address only and no unique IP address, the connected route for the subnet is not programmed in the ASIC, causing packets destined for locally connected hosts to drop after decapsulation. | 5.11.3-5.16.1 | | -| [4926427](#4926427)
| When you run the nv config apply command or the sudo systemctl reload frr.service command on a switch configured with VRF route leaking that has many BGP peers, VRFs, and BGP learned prefixes, FRR reload might time out. To work around this issue, run sudo systemctl edit frr.service to change the TimeoutSec=2m to a higher value and apply the changes with sudo systemctl daemon-reload. | 5.15.0-5.16.1 | 5.9.5| +| [4926427, 4926426](#4926427, 4926426)
| When you run the nv config apply command or the sudo systemctl reload frr.service command on a switch configured with VRF route leaking that has many BGP peers, VRFs, and BGP learned prefixes, FRR reload might time out. To work around this issue, run sudo systemctl edit frr.service to change the TimeoutSec=2m to a higher value and apply the changes with sudo systemctl daemon-reload. | 5.15.0-5.16.1 | 5.9.5| | [4922104](#4922104)
| When the system is under load and the wd_keepalive process is running at the default rate of one time per minute, the switch might reboot due to starvation of the wd_keepalive process. | 5.13.1-5.16.1 | | | [4922100](#4922100)
| The firmware includes two asserts assert id = [0xc2e], [0x627] that are incorrectly categorized as fatal. The firmware has reduced the severity of these asserts and they no longer result in health event and switchd crashes. | 5.15.1-5.16.1 | | | [4922099](#4922099)
| In a highly volatile network, frequent churn of SOO‑tagged routes can generate a large volume of SOO NHG sync messages to Zebra. When Zebra becomes backed up while processing these NHG updates, its memory usage can grow significantly. | 5.14.0-5.16.1 | | -| [4918342](#4918342)
| In rare circumstances, the switch stops streaming telemetry data for interface counters, buffers, or PHY. | 5.13.0-5.16.1 | | +| [4918342, 4641291](#4918342, 4641291)
| In rare circumstances, the switch stops streaming telemetry data for interface counters, buffers, or PHY. | 5.13.0-5.16.1 | | | [4917759](#4917759)
| BGP sessions configured with an explicit IPv6 link local peer address might result in stale or invalid next hop tracking entries after a session disruption. | 5.14.0-5.16.1 | | | [4908392](#4908392)
| In the multicast routing path (ip_mr_output) you might encounter a self-deadlock issue in one CPU that causes the kernel lock up (the switch reboots). | 5.15.1-5.16.1 | | | [4895563](#4895563)
| Routes are present in BGP and Zebra but are missing in the kernel. This occurs when next hops in an NHG become invalid and the kernel deletes the next hops, then notifies the control plane (zebra). The control plane tries to reinstall the routes in the existing NHG with the invalid next hop information so route installation fails. Later, the routes arrive with the correct next hop information in the NHG but there is no mechanism to replace the failed routes and install them again in the kernel. | 5.14.0-5.15.1 | 5.16.0-5.16.1| @@ -47,7 +47,7 @@ pdfhidden: True | [4838636](#4838636)
| A bad reading of a module temperature sensor results in fan speeds being set to high. The temperature read error seen in /var/log/tc_log is:
ERROR - module22: err on module22_temp_input count 3

To work around this issue, run the sudo systemctl restart hw-management-tc.service command during a maintenance window. This command clears the faulty read_error that brings down the fan speed. | 5.15.0-5.15.1 | 5.16.0-5.16.1| | [4838527](#4838527)
| On a high port scale system, streaming telemetry for interface and buffer statistics (GNMI or OTEL) together with the PFC watchdog feature, causes samples of telemetry data to fail to export from the system periodically and kernel memory use might increase. | 5.14.0-5.15.1 | 5.16.0-5.16.1| | [4835058](#4835058)
| When you add or remove bond members, the sflow state and rate are incorrect. | 5.13.1-5.15.1 | 5.16.0-5.16.1| -| [4830305](#4830305)
| After an optimized image upgrade, certain disabled systemd services that are replaced with VRF-based services are reenabled. This results in multiple instances of the applications running, where they either fail to start or run with incorrect configuration. This issue occurs with, but is not limited to SSH, NTP and streaming telemetry services running with a custom VRF configuration. To work around this issue, after the upgrade, stop and disable the incorrect services, then restart the correct ones as required. | 5.15.0-5.15.1 | 5.16.0-5.16.1| +| [4830305, 4830251, 4834348](#4830305, 4830251, 4834348)
| After an optimized image upgrade, certain disabled systemd services that are replaced with VRF-based services are reenabled. This results in multiple instances of the applications running, where they either fail to start or run with incorrect configuration. This issue occurs with, but is not limited to SSH, NTP and streaming telemetry services running with a custom VRF configuration. To work around this issue, after the upgrade, stop and disable the incorrect services, then restart the correct ones as required. | 5.15.0-5.15.1 | 5.16.0-5.16.1| | [4829730](#4829730)
| The interface-stats-collector might crash during boot or when services restart if the SDK process is not fully up. The interface-stats-collector eventually comes up on a subsequent restart. | 5.15.1 | 5.16.0-5.16.1| | [4826181](#4826181)
| When you apply EVPN layer 3 VNI and BGP AS configurations together for a VRF, an internal AS number inconsistency might occur between the FRR running configuration and the /etc/frr/frr.conf file. When you try to apply any configuration using frr-reload, NVUE detects this pre-existing inconsistency and triggers an unnecessary FRR restart, causing BGP session flaps. To work around this issue, apply BGP configuration before EVPN layer 3 VNI configuration in separate commits. | 5.14.0-5.15.1 | 5.16.0-5.16.1| | [4823999](#4823999)
| When making interface changes with NVUE, you might see the following message after you run the nv config apply command:


update-ports returned with error (code 254): switchd ports.conf node status not ready switchd validate_node is absent/not ready ports configuration(ports.conf/ports_width.conf) is invalid
| 5.14.0-5.15.1 | 5.16.0-5.16.1| @@ -59,7 +59,7 @@ pdfhidden: True | [4799272](#4799272)
| When nvued.log triggers log rotation, it also forces rotation of all three logs (nvued, nv-cli, and nv-api). As a result, the nv-cli logs are rotated unnecessarily, which might eventually lead to missing nv-cli.log entries due to excessive rotations. | 5.15.0-5.15.1 | 5.16.0-5.16.1| | [4797691](#4797691)
| The message that the switch displays when you generate a cl-support file or as a post login banner contains an invalid Cumulus Support email address, which is no longer the formal channel for reporting support issues. | 5.0.0-5.9.4, 5.15.1 | 5.9.5, 5.16.0-5.16.1| | [4789562](#4789562)
| A switch running Nvidia Cumulus Linux may improperly forward routed packets out of an access port or on the native vlan of a trunk with an 802.1Q tag imposed on the packet. | 5.12.1-5.15.1 | 5.16.0-5.16.1| -| [4789339](#4789339)
| The interface_stats process might crash when a transceiver has non-ASCII data in EEPROM fields, such as vendor name or part number. | 5.13.1-5.15.1 | 5.16.0-5.16.1| +| [4789339, 4540985](#4789339, 4540985)
| The interface_stats process might crash when a transceiver has non-ASCII data in EEPROM fields, such as vendor name or part number. | 5.13.1-5.15.1 | 5.16.0-5.16.1| | [4789097](#4789097)
| The switch deletes a static blackhole route even when the blackhole type specified in the delete command does not match the configured type. | 5.9.4-5.15.1 | 5.16.0-5.16.1| | [4783824](#4783824)
| RoCE ingress reserved pools do not display correct values for ports that are not operationally UP. Switch ports that were never operational or not operational after setting RoCE mode do not have RoCE reserved pool buffers allocated but the nv show interface qos roce status command displays an invalid buffer size. | 5.14.0-5.15.1 | 5.16.0-5.16.1| | [4781499](#4781499)
| The 802.1X RADIUS shared secret is limited to 32 characters instead of 256 characters. | 5.15.0-5.15.1 | 5.16.0-5.16.1| @@ -67,17 +67,17 @@ pdfhidden: True | [4776501](#4776501)
| When you configure a VRF that does not exist for NTP, the switch attempts to start the NTP service in that VRF and fails instead of indicating that the VRF does not exist. The configuration change does not take effect and NTP continues to work in the current VRF. | 5.15.1 | 5.16.0-5.16.1| | [4776471](#4776471)
| In Cumulus Linux 5.15.0, NTP and DNS configuration commands changed from nv set service to nv set system. However, after upgrading the switch to Cumulus Linux 5.15.1, the nv set service command might still appear in the configuration output because a stale nv set service command remains after the configuration is translated during the upgrade. If you save the configuration with the nv config show -o commands, then reapply the configuration with nv config replace, the command fails if the stale nv set service command is present.
To workaround this issue, before applying the configuration with nv config replace, remove any stale nv set service commands from the saved configuration file, then reapply the configuration with the nv config replace command. | 5.15.0-5.16.1 | | | [4776470](#4776470)
| In Cumulus Linux 5.15.0, NTP and DNS configuration commands changed from nv set service to nv set system. However, after upgrading the switch to Cumulus Linux 5.15.1, the nv set service command might still appear in the configuration output because a stale nv set service command remains after the configuration is translated during the upgrade. If you save the configuration with the nv config show -o commands, then reapply the configuration with nv config replace, the command fails if the stale nv set service command is present.
To workaround this issue, before applying the configuration with nv config replace, remove any stale nv set service commands from the saved configuration file, then reapply the configuration with the nv config replace command. | 5.15.0-5.15.1 | 5.16.0-5.16.1| -| [4776444](#4776444)
| In rare cases when telemetry is configured on a switch with high interface scale, the following log message might be generated and lead to a kernel crash event:
interface_stats_collector[27979]: ERROR intf_stats_collector.go:485 WaitBulkCounterDone error: unable to receive trap info after 15 iterations
| 5.15.0-5.15.1 | 5.16.0-5.16.1| +| [4776444, 4594612, 4823905](#4776444, 4594612, 4823905)
| In rare cases when telemetry is configured on a switch with high interface scale, the following log message might be generated and lead to a kernel crash event:
interface_stats_collector[27979]: ERROR intf_stats_collector.go:485 WaitBulkCounterDone error: unable to receive trap info after 15 iterations
| 5.15.0-5.15.1 | 5.16.0-5.16.1| | [4776390](#4776390)
| gNMI subscription changes for interface counters, buffer, packet trim, latency or any other statistics produced by the prometheus-sdk-stats service leads to a change in the service configuration file causing the load interval configuration to be removed. This results in a rate calculation done with an interval of 60s instead of the interval configured in NVUE. | 5.15.0-5.15.1 | 5.16.0-5.16.1| | [4771865](#4771865)
| When you change the RADIUS privilege level, all affected existing RADIUS users are not updated in the next session to the relevant privilege level. | 5.15.0-5.15.1 | 5.16.0-5.16.1| | [4771785](#4771785)
| NVUE drop counters and ethtool output do not show the packets discarded because the destination MAC address does not match the router MAC address. | 5.14.0-5.15.1 | 5.16.0-5.16.1| | [4771521](#4771521)
| Layer 3 multicast traffic does not forward when OMF (Optimized Multicast Flooding) and PIM is enabled. To work around this issue, flap the router port. | 5.9.2-5.15.1 | 5.16.0-5.16.1| -| [4752986](#4752986)
| Warm reboot results in approximately 14 second traffic loss. | 5.15.0-5.15.1 | 5.16.0-5.16.1| -| [4751060](#4751060)
| If the switch filesystem is overloaded or memory is exhausted, you see very slow responses from the filesystem and the SDK might fail with a fatal error similar to:
sxd_kernel: Health-Check: new failure (dev=1, severity='Fatal', cause=10 ['SDK thread issue'], irisc=255, desc='Health check: SDK thread [sxSniffer] TID [0x7f81cffff6c0] bit [4] does not respond [5] seconds')
| 5.12.0-5.15.1 | 5.16.0-5.16.1| +| [4752986, 4851043](#4752986, 4851043)
| Warm reboot results in approximately 14 second traffic loss. | 5.15.0-5.15.1 | 5.16.0-5.16.1| +| [4751060, 4637733](#4751060, 4637733)
| If the switch filesystem is overloaded or memory is exhausted, you see very slow responses from the filesystem and the SDK might fail with a fatal error similar to:
sxd_kernel: Health-Check: new failure (dev=1, severity='Fatal', cause=10 ['SDK thread issue'], irisc=255, desc='Health check: SDK thread [sxSniffer] TID [0x7f81cffff6c0] bit [4] does not respond [5] seconds')
| 5.12.0-5.15.1 | 5.16.0-5.16.1| | [4748963](#4748963)
| In an MLAG configuration with PVRST spanning tree mode configured on both switches, when the primary switch comes back up after a reboot, PVRST mode briefly changes to RSTP, then back to PVRST. | 5.13.1-5.15.1 | 5.16.0-5.16.1| -| [4748176](#4748176)
| Unsupported hardware modules might cause SDK and firmware health event and traffic loss. | 5.12.1-5.15.1 | 5.16.0-5.16.1| +| [4748176, 4662528, 4652420](#4748176, 4662528, 4652420)
| Unsupported hardware modules might cause SDK and firmware health event and traffic loss. | 5.12.1-5.15.1 | 5.16.0-5.16.1| | [4743814](#4743814)
| The switch clears the QoS buffer max usage values in the nv show interface qos buffer egress-traffic-class command output when a gNMI client subscribes to any QoS buffer metrics. | 5.14.0-5.15.1 | 5.16.0-5.16.1| -| [4740606](#4740606)
| When you configure a port with a 802.1x IPv6 profile, then remove 802.1x, the port might block all ingress and egress traffic, including LLDP frames. This behavior is unintended and might impact network visibility and connectivity.
To restore normal traffic flow on the affected port, remove the residual traffic-control filters by running the following commands:
tc qdisc del dev  clsact 2>/dev/null
tc qdisc del dev  ingress 2>/dev/null
tc qdisc del dev  egress 2>/dev/null
| 5.15.0-5.15.1 | 5.16.0-5.16.1| +| [4740606, 4783693](#4740606, 4783693)
| When you configure a port with a 802.1x IPv6 profile, then remove 802.1x, the port might block all ingress and egress traffic, including LLDP frames. This behavior is unintended and might impact network visibility and connectivity.
To restore normal traffic flow on the affected port, remove the residual traffic-control filters by running the following commands:
tc qdisc del dev  clsact 2>/dev/null
tc qdisc del dev  ingress 2>/dev/null
tc qdisc del dev  egress 2>/dev/null
| 5.15.0-5.15.1 | 5.16.0-5.16.1| | [4734606](#4734606)
| Physical interface based static IPv6 address assignment does not work for DHCPv6 with inbound DHCP requests (discover packets) on an SVI interface. To work around this issue, configure the IPv6 pool for the subnet to assign the IPv6 address from the pool. | 5.15.0-5.15.1 | 5.16.0-5.16.1| | [4734395](#4734395)
| mlxlink output sometimes displays additional special characters while still reporting valid data. | 5.14.0-5.15.1 | 5.16.0-5.16.1| | [4734374](#4734374)
| The SNMP AgentX subsystem crashes with a segmentation fault when trying to cancel events from within event callbacks due to multiple Agentx reconnecting one after the other on the device. | 5.14.0-5.15.1 | 5.16.0-5.16.1| @@ -96,7 +96,7 @@ pdfhidden: True | [4707930](#4707930)
| When you configure a high number of 802.1x IPv6 profiles, the nv show system dot1x ipv6-profile command might return no data. To work around this issue, run the nv show system dot1x ipv6-profile --applied command. | 5.15.0-5.15.1 | 5.16.0-5.16.1| | [4706305](#4706305)
| The gNMI interface statistics collector reports the error Failed to get SRv6 no sid drop counter: No-SID counter not available in syslog even when SRv6 is disabled. | 5.15.0-5.15.1 | 5.16.0-5.16.1| | [4706274](#4706274)
| When switchd terminates (on system shutdown or service restart), the switch does not clean up PBR ACL rules that reference ECMP groups before the SDK de-initializes. This causes SDK errors in the cleanup sequence. | 5.15.0-5.15.1 | 5.16.0-5.16.1| -| [4704406](#4704406)
| TACACS authentication mode is not configured correctly in PAM common authentication and TACACS configuration files, which makes login the authentication mode regardless of the NVUE configuration. | 5.14.0-5.15.1 | 5.16.0-5.16.1| +| [4704406, 4633883](#4704406, 4633883)
| TACACS authentication mode is not configured correctly in PAM common authentication and TACACS configuration files, which makes login the authentication mode regardless of the NVUE configuration. | 5.14.0-5.15.1 | 5.16.0-5.16.1| | [4702667](#4702667)
| When you run the nv show vrf default router rib command, NVUE returns an ItemDoesNotExist error. This error occurs because the vtysh show ip route vrf default brief json command does not return any output, which propagates through NVUE. To work around this issue, run the nv show vrf default router rib ipv6 and nv show vrf default router rib ipv6 route commands instead. | 5.15.0-5.15.1 | 5.16.0-5.16.1| | [4693175](#4693175)
| There is a mismatch between NVUE and gNMI telemetry for latency-measurement data on network interfaces with high sample intervals. For example, when you remove traffic class configurations from interfaces, NVUE correctly updates to reflect only active traffic classes; however, gNMI telemetry continues to report stale latency-measurement entries for the removed traffic classes. The stale entries include outdated error-type responses (TIMEOUT) with timestamps from previous runs. These stale entries persist across multiple polling cycles. | 5.15.0-5.15.1 | 5.16.0-5.16.1| | [4692400](#4692400)
| You see the error Failed to get SRv6 no sid drop counter: No-SID counter not available in syslog even when SRv6 is disabled. | 5.15.0-5.15.1 | 5.16.0-5.16.1| @@ -108,20 +108,20 @@ pdfhidden: True | [4667792](#4667792)
| Usernames longer than 32 characters do not authenticate against the switch. Avoid using long usernames. | 5.14.0-5.16.1 | | | [4662854](#4662854)
| If you configure a DSCP match as ANY, the gNMI subscription does not show DSCP as ANY. The OpenConfig model supports only integer DSCP values. | 5.15.0-5.16.1 | | | [4662695](#4662695)
| In an EVPN-MH environment, when you flap all interfaces on a switch or the bridge interface, stale VXLAN route entries might remain installed for locally connected hosts. To work around this issue, flap individual SVI interfaces for the affected routes. | 5.15.0-5.15.1 | 5.16.0-5.16.1| -| [4657192](#4657192)
| On the NVIDIA SN5640 switch, after you configure a port as unsplit, links do not come up while optics are in use. To work around this issue, use copper cables. | 5.15.0-5.16.1 | | +| [4657192, 4414675](#4657192, 4414675)
| On the NVIDIA SN5640 switch, after you configure a port as unsplit, links do not come up while optics are in use. To work around this issue, use copper cables. | 5.15.0-5.16.1 | | | [4650961](#4650961)
| When you bring a bond down, then up with the ifdown and ifup commands, the sflow rate is not configured correctly after the bond comes up and the sflow sample is not generated. To work around this issue, bring the member port down, then up. | 5.15.0-5.15.1 | 5.16.0-5.16.1| -| [4648833](#4648833)
| Interfaces using PAM4 DAC cables on switches with Spectrum-4 and later might not come up after a link flap or reboot if auto-negotiation is disabled. Auto-negotiation is required for PAM4 DAC cables on these switches. | 5.15.0-5.16.1 | | -| [4643073](#4643073)
| Concurrent mlxfwmanager --query executions triggered by gNMI telemetry polling might cause MFT deadlock, resulting in repeated core dumps, nvued restarts, and control plane unresponsiveness. | 5.14.0-5.15.1 | 5.16.0-5.16.1| +| [4648833, 4662556, 4687350](#4648833, 4662556, 4687350)
| Interfaces using PAM4 DAC cables on switches with Spectrum-4 and later might not come up after a link flap or reboot if auto-negotiation is disabled. Auto-negotiation is required for PAM4 DAC cables on these switches. | 5.15.0-5.16.1 | | +| [4643073, 4643425](#4643073, 4643425)
| Concurrent mlxfwmanager --query executions triggered by gNMI telemetry polling might cause MFT deadlock, resulting in repeated core dumps, nvued restarts, and control plane unresponsiveness. | 5.14.0-5.15.1 | 5.16.0-5.16.1| | [4641344](#4641344)
| The switch sends out IPv6 neighbor discovery (ND) router advertisement through an interface that does not have router advertisement enabled. To prevent this issue, do not change or remove the remote-as of a peer-group that is used by BGP unnumbered peers. To work around this issue, restart FRR. | 5.14.0-5.16.1 | | | [4641343](#4641343)
| The switch sends out IPv6 neighbor discovery (ND) router advertisement through an interface that does not have router advertisement enabled. To prevent this issue, do not change or remove the remote-as of a peer-group that is used by BGP unnumbered peers. To work around this issue, restart FRR. | 5.14.0-5.16.1 | | | [4608614](#4608614)
| When setting up SSH keys, you have to run nv config apply twice for the configuration to take effect. | 5.11.3-5.16.1 | | | [4582679](#4582679)
| If a node has Suppress Route Advertisement enabled and routes are re-learned; for example, when a peer sends the route again due to route policy changes, or you enable or disable graceful shutdown, not all routes are offloaded, which might cause discrepancies in traffic. | 5.9.4-5.16.1 | | -| [4579237](#4579237)
| If interface statistics telemetry is running on the switch, an interface_stats_collector core file might generate during statistics collection. | 5.11.3-5.16.1 | | +| [4579237, 4579234](#4579237, 4579234)
| If interface statistics telemetry is running on the switch, an interface_stats_collector core file might generate during statistics collection. | 5.11.3-5.16.1 | | | [4556982](#4556982)
| In the Spanning Tree PVRST environment, when one bridge interface goes down, it causes all the other bridge interfaces to enter a blocking state for approximately ten seconds. Even though the down port is not the root port, all the other bridge ports are flushed and not in service for about ten seconds. | 5.13.1-5.15.1 | 5.16.0-5.16.1| -| [4551249](#4551249)
| The NVUE service might fail during switch upgrade. To work around this issue, stop the sysmonitor with the sudo systemctl stop sysmonitor command, then upgrade the switch with the nv action upgrade system packages to latest command. | 5.14.0-5.16.1 | | +| [4551249, 4572507, 4573399, 4712858, 4919013](#4551249, 4572507, 4573399, 4712858, 4919013)
| The NVUE service might fail during switch upgrade. To work around this issue, stop the sysmonitor with the sudo systemctl stop sysmonitor command, then upgrade the switch with the nv action upgrade system packages to latest command. | 5.14.0-5.16.1 | | | [4549896](#4549896)
| When you try to set a VXLAN with a bridge, you see the error sx_sdk: 22985 [BRIDGE] [ERROR ]: Port(0x200A000D)) already added to a bridge. You can safely ignore this error. | 5.14.0-5.16.1 | | | [4548512](#4548512)
| When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface vlan10, the route might install against vlan10-v0. This prevents next-hop tracking and route installation into hardware.
This issue can occur in the following conditions:
  • When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.
  • In an MLAG and VRR configuration, static routes fail to install when the route is resolved through a connected route and the interface of the connected route undergoes a link state change for any reason, such as link flaps, interface bring-up, clagd restart, switchd restart, etc.

To work around this issue, restart the FRR service using the sudo systemctl restart frr.service command. | 5.11.0-5.16.1 | | -| [4547463](#4547463)
| When you try to run nv action boot-next commands during optimized image upgrade, the commands time out. This does not necessarily mean an issue occurred; the system might still be executing the action.
To check that the action command completed before going to the next step to reboot the system:
  1. Find the Request ID for the REST API invocation corresponding to the nv action boot-next command by doing a grep for ActionKey.*boot-next in the /var/log/nvued.log file. For example, the value 3 in the Ran Job running ActionKey('@boot-next', '/system/image', (), 3, (('partition', 'partition1'),)) line indicates the Request ID.
  2. Run the curl -u ':\' -X GET https://127.0.0.1:8765/nvue_v1/action/ -k command from the shell to show the status of the action command. If the value of state is action_success, the action command completed successfully. If the value of state is running, the system is still processing. If the value of state is action_error, the system encountered an error.
| 5.14.0-5.16.1 | | +| [4547463, 4705370](#4547463, 4705370)
| When you try to run nv action boot-next commands during optimized image upgrade, the commands time out. This does not necessarily mean an issue occurred; the system might still be executing the action.
To check that the action command completed before going to the next step to reboot the system:
  1. Find the Request ID for the REST API invocation corresponding to the nv action boot-next command by doing a grep for ActionKey.*boot-next in the /var/log/nvued.log file. For example, the value 3 in the Ran Job running ActionKey('@boot-next', '/system/image', (), 3, (('partition', 'partition1'),)) line indicates the Request ID.
  2. Run the curl -u ':\' -X GET https://127.0.0.1:8765/nvue_v1/action/ -k command from the shell to show the status of the action command. If the value of state is action_success, the action command completed successfully. If the value of state is running, the system is still processing. If the value of state is action_error, the system encountered an error.
| 5.14.0-5.16.1 | | | [4535856](#4535856)
| When you try to import an invalid server certificate file, Cumulus Linux does not import the certificate file but fails to show an error message. | 5.13.0-5.16.1 | | | [4535843](#4535843)
| After a switch reboot, the nv show system health command shows incorrect system LED status and color. | 5.13.0-5.16.1 | | | [4535806](#4535806)
| After a factory reset, the switch does not clear the /var/tmp directory, which the switch uses for temporary files. | 5.14.0-5.16.1 | | @@ -132,10 +132,10 @@ pdfhidden: True | [4534357](#4534357)
| During Cumulus Linux upgrade or downgrade, rsyslog might crash because the management (eth0) port is unavailable, which triggers a use-after-free fault and produces a cl-support file as a response. | 5.13.1-5.16.1 | | | [4531960](#4531960)
| The GNMI Subscription to xpath interfaces/interface[name=swp61s0]/state/counters/out-pkts with a high sample interval results in an initial response of zero but in subsequent updates, the value is correct. You do not see this issue when the sample interval is 1 second. | 5.14.0-5.16.1 | | | [4513849](#4513849)
| After upgrading from Cumulus Linux 5.12 on the NVIDIA SN5400 switch bonus port, PTP does not converge. To work around this issue, disable, then enable the bonus port after upgrade. | 5.13.0-5.16.1 | | -| [4509255](#4509255)
| In PTP two-step, the hardware incorrectly modifies the SYNC message correction field. | 5.12.0-5.16.1 | | +| [4509255, 4546858](#4509255, 4546858)
| In PTP two-step, the hardware incorrectly modifies the SYNC message correction field. | 5.12.0-5.16.1 | | | [4508830](#4508830)
| Cumulus Linux allows you to add bond ports of mismatched speeds (such as 10G and 25G) to the same LACP bond without error and the bond reports UP. | 5.11.2-5.16.1 | | -| [4501632](#4501632)
| NVIDIA recommends you wait for approximately 60 seconds after running nv config apply before power cycling the switch so that NVUE database has time to sync to the filesystem. | 5.14.0-5.16.1 | | -| [4495383](#4495383)
| NVUE configuration yaml file translation converts unset commands to set commands because the translation logic expects only set commands. | 5.13.0-5.16.1 | | +| [4501632, 4530257](#4501632, 4530257)
| NVIDIA recommends you wait for approximately 60 seconds after running nv config apply before power cycling the switch so that NVUE database has time to sync to the filesystem. | 5.14.0-5.16.1 | | +| [4495383, 4493988](#4495383, 4493988)
| NVUE configuration yaml file translation converts unset commands to set commands because the translation logic expects only set commands. | 5.13.0-5.16.1 | | | [4495231](#4495231)
| If the hardware clock date is later than 2038-01-19 03:14:07 UTC, the image might fail to install due to a grub-install failure on the EFI filesystem, which is a VFAT filesystem. As a result, you see the grub prompt immediately after reboot. To work around this issue, reboot from the grub prompt to go into ONIE. From ONIE, use the date command to set a date before 2038-01-19, then run the hwclock --systohc command to add it to the hardware clock. You can then use onie-nos-install to install the image. | 5.9.0-5.16.1 | | | [4475401](#4475401)
| External input such as Ctrl+\ might trigger core dumps on the serial console from /bin/login. This behavior is caused by external sources, such as console servers or automation tools, and does not reflect a fault in the operating system. As a potential result, the serial console might become unresponsive. | 5.14.0-5.16.1 | | | [4475111](#4475111)
| When you try to convert a layer 3 port that is part of ECMP to a bond member, you might see a failure in the switchd logs. This issue does not have any functional impact. | 5.11.2-5.16.1 | 5.9.4| @@ -162,21 +162,21 @@ pdfhidden: True | [4236419](#4236419)
| On the Spectrum-3 switch, the PTP offset for 25GbE fluctuates within a range of plus or minus 50 nanoseconds beyond the expected values. | 5.12.0-5.16.1 | | | [4214678](#4214678)
| Changes to open telemetry configuration or export states restarts the telemetry service and resets all health metrics. | 5.12.0-5.16.1 | | | [4177067](#4177067)
| When performing a package upgrade, nslcd installation might open an interactive dialog to configure nslcd.conf .
To avoid this interactive dialog, set the DEBIAN_FRONTEND environment variable to noninteractive. For example:
cumulus@switch:~$ sudo apt-get update
cumulus@switch:~$ sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold" upgrade
| 5.11.0-5.16.1 | | -| [4154839](#4154839)
| When you run certain SDK commands (such as sudo sx_api_port_counter_dump_all.py or sx_api_fdb_dump) first as the cumulus user, then with sudo, you see the following error:
PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt'

To resolve this issue, run the rm -rf /tmp/python_err_log.txt command. | 5.11.0-5.16.1 | | +| [4154839, 4280933, 4291934](#4154839, 4280933, 4291934)
| When you run certain SDK commands (such as sudo sx_api_port_counter_dump_all.py or sx_api_fdb_dump) first as the cumulus user, then with sudo, you see the following error:
PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt'

To resolve this issue, run the rm -rf /tmp/python_err_log.txt command. | 5.11.0-5.16.1 | | | [4142857](#4142857)
| The switch drops PTP packets received with extra ethernet padding and you see syslog [ptp4l.ERR] messages. | 5.10.0-5.16.1 | | -| [4139511](#4139511)
| When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue.
[ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds
[ 1903.846724] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.852689] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.861573] hwmon hwmon28: Failed to query module temperature
| 5.11.0-5.16.1 | | +| [4139511, 4184813, 4180112](#4139511, 4184813, 4180112)
| When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue.
[ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds
[ 1903.846724] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.852689] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.861573] hwmon hwmon28: Failed to query module temperature
| 5.11.0-5.16.1 | | | [4134447](#4134447)
| The journal logs might include the error message ERR kernel: [ 7.453789] usb usb2-port2: connect-debounce failed. You can safely ignore this log message. | 5.11.0-5.16.1 | | | [4129757](#4129757)
| If you include a comma in the BGP community list, extended community list, or large community list regex expression of a routing policy, you see error messages and FRR reload fails. Make sure the regex expression does not contain a comma.
For example, instead of ^65550:([0-9]{1,2}\|[1-9][1-9]):.*$, specify ^65550:([0-9]\|[0-9][0-9]):.*$ and instead of ^65550:([0-4]{1,2}\|[7-9][8-9]):.*$, specify ^65550:([0-4]\|[0-4][0-4]\|[7-9][8-9]):.*$. | 5.11.0-5.16.1 | | -| [4124376](#4124376)
| The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier).
To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in Downgrade a Secure Boot Switch. | 5.11.0-5.16.1 | | +| [4124376, 4316163](#4124376, 4316163)
| The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier).
To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in Downgrade a Secure Boot Switch. | 5.11.0-5.16.1 | | | [4118970](#4118970)
| When running PTP, the performance for 100Gx2 and 400Gx8 can have a high offset in up to 1.5% of the sampling. | 5.11.0-5.16.1 | | -| [4105127](#4105127)
| Any sFlow configuration changes that require an hsflowd restart are operational only after an initial delay of 60 seconds. | 5.11.0-5.16.1 | | +| [4105127, 4796391](#4105127, 4796391)
| Any sFlow configuration changes that require an hsflowd restart are operational only after an initial delay of 60 seconds. | 5.11.0-5.16.1 | | | [4100629](#4100629)
| NVUE show command outputs show LLDP neighbor changes only after the LLDP update frequency multiplied by the hold time. | 5.11.0-5.16.1 | | | [4082210](#4082210)
| When you change the CPU resource limit with the nv set service control rsyslog resource-limit cpu command, the rsyslog agent does not start. To work around this issue, increase the CPU resource limit, then restart the service manually. | 5.11.0-5.16.1 | | | [4077921](#4077921)
| You cannot use package upgrade to upgrade from Cumulus Linux 5.9.2 to Cumulus Linux 5.10.1 or later. You must install the Cumulus Linux image instead. | 5.10.1-5.16.1 | | -| [4049213](#4049213)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | +| [4049213, 4186873](#4049213, 4186873)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | | [4047798](#4047798)
| Packet distribution based on ECMP hashing using GTP-TEID does not function as expected in an EVPN Clos topology. | 5.10.0-5.16.1 | | | [4030380](#4030380)
| When you roll back interface configuration to the default setting with the nv unset interface command, NVUE removes the complete entry for the interface from the /etc/network/interface file, and puts the interface in admin down. As a result, you cannot configure FEC on the interface at the lower layers. | 5.10.0-5.16.1 | | -| [4005422](#4005422)
| When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the systemctl enable ntpsec@ and systemctl restart ntpsec@ commands. | 5.10.0-5.16.1 | | +| [4005422, 4015452](#4005422, 4015452)
| When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the systemctl enable ntpsec@ and systemctl restart ntpsec@ commands. | 5.10.0-5.16.1 | | | [3985682](#3985682)
| On Spectrum-4 switches, multicast flows containing packets smaller than 512 bytes might not reach full line rate. Cumulus Linux supports 512 byte and larger multicast packets. | 5.10.0-5.16.1 | | | [3966312](#3966312)
| When connecting the SN5xxx switch to third party test equipment (such as IXIA) using copper cables at 100GbE, 200GbE, 400GbE, or 800GbE, links do not come up. | 5.10.0-5.16.1 | | | [3948068](#3948068)
| On the SN3700 and SN3700c switch, the nv show platform environment voltage command output shows a failed state for the PSU-n-12V-RAIL-OUT sensors. This is a known hardware limitation that cannot be corrected by the PSU vendor. | 5.10.0-5.16.1 | | @@ -198,17 +198,17 @@ pdfhidden: True | [3637444](#3637444)
| Applying an inbound control plane ACL on the eth0 management interface does not take effect. To work around this issue, apply the ACL on the mgmt interface; for example, nv set interface mgmt acl inbound control-plane. | 5.7.0-5.16.1 | | | [3591918](#3591918)
| The nv action disconnect system aaa user command does not clear all open sessions. To work around this issue, run the command as many times as the number of sessions. | 5.6.0-5.16.1 | | | [3587393](#3587393)
| If you use the NVIDIA SN5600 (Spectrum-4) switch with Ixia test equipment, you might experience delayed link up due to intermittent link flaps.
To work around this issue when using copper cables:
  • Use Ixia IxOS version 9.37 with HF002156, or version 9.39 or later.
  • Use the DAC cable on ports 10 through 50.
  • Use NVIDIA cables with the recommended firmware revision.
  • Configure AN on the Cumulus Linux switch and AN/LT on Ixia.

To work around this issue when using fiber cables:
  • Configure 800g/Force.
  • Use the recommended NVIDIA optical adapters.
| 5.6.0-5.16.1 | | -| [3556762](#3556762)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | +| [3556762, 3463827](#3556762, 3463827)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | | [3540510](#3540510)
| 400Gx8 ports only support traffic line rate with packets that are larger than 172 bytes. | 5.6.0-5.16.1 | | -| [3538321](#3538321)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | +| [3538321, 3564344](#3538321, 3564344)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | | [3497622](#3497622)
| When you remove PSUs, then plug them back in, you might experience traffic loss and some ports might be in a down state. | 5.6.0-5.16.1 | | | [3472163](#3472163)
| On a switch with the Spectrum-4 ASIC, packets that are smaller than 256 bytes are not included in multicast flows. Multicast flows support packets that are 256 bytes or larger. | 5.6.0-5.16.1 | | | [3444490](#3444490)
| Migration from ONYX to Cumulus Linux is supported and tested with ONYX version 3.10.4302 GA only. | 5.6.0-5.16.1 | | -| [3442569](#3442569)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | -| [3430430](#3430430)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | -| [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | +| [3442569, 3520880, 3586421](#3442569, 3520880, 3586421)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | +| [3430430, 3337848](#3430430, 3337848)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | +| [3424967, 3413785](#3424967, 3413785)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [3414866](#3414866)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | +| [3414866, 3536555, 4465009, 4509253, 4732973](#3414866, 3536555, 4465009, 4509253, 4732973)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | | [3362113](#3362113)
| If you restore an NVUE startup.yaml file or run the nv config patch command after an upgrade that includes breakout ports with QoS configuration, the NVUE configuration fails to apply. Subsequent attempts to run nv config apply fail with a message similar to Invalid config [rev_id: 11] qos config is not supported on the following invalid interface: swp1s0. Supported on swp and bond interface types. To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. | 5.4.0-5.16.1 | | | [3347538](#3347538)
| When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.16.1 | | | [3341214](#3341214)
| If you use the NVUE REST API to configure a local user with a hashed password, the user cannot log in and the /etc/nvue.d/startup.yaml file shows the password as plain text. | 5.4.0-5.16.1 | | @@ -218,10 +218,10 @@ pdfhidden: True | [3253218](#3253218)
| Auto-negotiation isn't supported on Spectrum-2 and Spectrum-3 switches using the 1G SFP-T module; FORCE 1G is configured instead. | 5.4.0-5.16.1 | | | [3241567](#3241567)
| When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time. | 5.3.0-5.16.1 | | | [3226506](#3226506)
| The l1-show eth0 command does not show port information and is not supported in this release. | 5.3.0-5.16.1 | | -| [3225117](#3225117)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | +| [3225117, 3158720](#3225117, 3158720)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | | [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.16.1 | | | [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.16.1 | | -| [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | +| [3145869, 3430508, 3543102](#3145869, 3430508, 3543102)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | | [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example: 
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.16.1 | | | [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.16.1 | | | [3103821](#3103821)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.16.1 | | @@ -231,8 +231,8 @@ pdfhidden: True | [3061656](#3061656)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.16.1 | | | [2972540](#2972540)
| With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.16.1 | | | [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.16.1 | | -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [2885305](#2885305)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2885305, 2887500, 3234087, 3074929, 3293192](#2885305, 2887500, 3234087, 3074929, 3293192)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.16.1 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.16.1 | | | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | @@ -257,10 +257,10 @@ pdfhidden: True | [4963280](#4963280)
| Under certain scale scenarios, the switch might end up in a state where the PTM component's connection to LLDP breaks. This issue results in LLDP socket contention issues and, in turn, a PTM memory leak. | 5.9.1-5.16.1 | | | [4963277](#4963277)
| When many BFD sessions are configured at scale, ptmd might crash when one of the BFD sessions flaps. | 5.3.1-5.16.1 | | | [4930152](#4930152)
| When you configure layer 3 SVI interfaces with an anycast gateway (VRR) IP address only and no unique IP address, the connected route for the subnet is not programmed in the ASIC, causing packets destined for locally connected hosts to drop after decapsulation. | 5.11.3-5.16.1 | | -| [4926427](#4926427)
| When you run the nv config apply command or the sudo systemctl reload frr.service command on a switch configured with VRF route leaking that has many BGP peers, VRFs, and BGP learned prefixes, FRR reload might time out. To work around this issue, run sudo systemctl edit frr.service to change the TimeoutSec=2m to a higher value and apply the changes with sudo systemctl daemon-reload. | 5.15.0-5.16.1 | 5.9.5| +| [4926427, 4926426](#4926427, 4926426)
| When you run the nv config apply command or the sudo systemctl reload frr.service command on a switch configured with VRF route leaking that has many BGP peers, VRFs, and BGP learned prefixes, FRR reload might time out. To work around this issue, run sudo systemctl edit frr.service to change the TimeoutSec=2m to a higher value and apply the changes with sudo systemctl daemon-reload. | 5.15.0-5.16.1 | 5.9.5| | [4922104](#4922104)
| When the system is under load and the wd_keepalive process is running at the default rate of one time per minute, the switch might reboot due to starvation of the wd_keepalive process. | 5.13.1-5.16.1 | | | [4922099](#4922099)
| In a highly volatile network, frequent churn of SOO‑tagged routes can generate a large volume of SOO NHG sync messages to Zebra. When Zebra becomes backed up while processing these NHG updates, its memory usage can grow significantly. | 5.14.0-5.16.1 | | -| [4918342](#4918342)
| In rare circumstances, the switch stops streaming telemetry data for interface counters, buffers, or PHY. | 5.13.0-5.16.1 | | +| [4918342, 4641291](#4918342, 4641291)
| In rare circumstances, the switch stops streaming telemetry data for interface counters, buffers, or PHY. | 5.13.0-5.16.1 | | | [4917759](#4917759)
| BGP sessions configured with an explicit IPv6 link local peer address might result in stale or invalid next hop tracking entries after a session disruption. | 5.14.0-5.16.1 | | | [4895563](#4895563)
| Routes are present in BGP and Zebra but are missing in the kernel. This occurs when next hops in an NHG become invalid and the kernel deletes the next hops, then notifies the control plane (zebra). The control plane tries to reinstall the routes in the existing NHG with the invalid next hop information so route installation fails. Later, the routes arrive with the correct next hop information in the NHG but there is no mechanism to replace the failed routes and install them again in the kernel. | 5.14.0-5.15.1 | 5.16.0-5.16.1| | [4895501](#4895501)
| Adding vlan 1 as a tagged VLAN to a newly created MLAG bond fails if no previous VLANs are configured on the MLAG bond. | 5.13.0-5.16.1 | | @@ -281,7 +281,7 @@ pdfhidden: True | [4838636](#4838636)
| A bad reading of a module temperature sensor results in fan speeds being set to high. The temperature read error seen in /var/log/tc_log is:
ERROR - module22: err on module22_temp_input count 3

To work around this issue, run the sudo systemctl restart hw-management-tc.service command during a maintenance window. This command clears the faulty read_error that brings down the fan speed. | 5.15.0-5.15.1 | 5.16.0-5.16.1| | [4838527](#4838527)
| On a high port scale system, streaming telemetry for interface and buffer statistics (GNMI or OTEL) together with the PFC watchdog feature, causes samples of telemetry data to fail to export from the system periodically and kernel memory use might increase. | 5.14.0-5.15.1 | 5.16.0-5.16.1| | [4835058](#4835058)
| When you add or remove bond members, the sflow state and rate are incorrect. | 5.13.1-5.15.1 | 5.16.0-5.16.1| -| [4830305](#4830305)
| After an optimized image upgrade, certain disabled systemd services that are replaced with VRF-based services are reenabled. This results in multiple instances of the applications running, where they either fail to start or run with incorrect configuration. This issue occurs with, but is not limited to SSH, NTP and streaming telemetry services running with a custom VRF configuration. To work around this issue, after the upgrade, stop and disable the incorrect services, then restart the correct ones as required. | 5.15.0-5.15.1 | 5.16.0-5.16.1| +| [4830305, 4830251, 4834348](#4830305, 4830251, 4834348)
| After an optimized image upgrade, certain disabled systemd services that are replaced with VRF-based services are reenabled. This results in multiple instances of the applications running, where they either fail to start or run with incorrect configuration. This issue occurs with, but is not limited to SSH, NTP and streaming telemetry services running with a custom VRF configuration. To work around this issue, after the upgrade, stop and disable the incorrect services, then restart the correct ones as required. | 5.15.0-5.15.1 | 5.16.0-5.16.1| | [4826181](#4826181)
| When you apply EVPN layer 3 VNI and BGP AS configurations together for a VRF, an internal AS number inconsistency might occur between the FRR running configuration and the /etc/frr/frr.conf file. When you try to apply any configuration using frr-reload, NVUE detects this pre-existing inconsistency and triggers an unnecessary FRR restart, causing BGP session flaps. To work around this issue, apply BGP configuration before EVPN layer 3 VNI configuration in separate commits. | 5.14.0-5.15.1 | 5.16.0-5.16.1| | [4823999](#4823999)
| When making interface changes with NVUE, you might see the following message after you run the nv config apply command:


update-ports returned with error (code 254): switchd ports.conf node status not ready switchd validate_node is absent/not ready ports configuration(ports.conf/ports_width.conf) is invalid
| 5.14.0-5.15.1 | 5.16.0-5.16.1| | [4813804](#4813804)
| The nv config show command output shows each egress buffer configuration separately for each traffic class instead of in a single line configuration. | 5.15.0-5.15.1 | 5.16.0-5.16.1| @@ -290,14 +290,14 @@ pdfhidden: True | [4804084](#4804084)
| On switches at scale with OTEL enabled, an interface_stats_collector crash might occur with the following logs:
interface_stats_collector[3429270]: ERROR
 buffer_stats_collector.go:1875 SDK bulk counter read failed
interface_stats_collector[3429270]: fatal error: concurrent map iteration and map write
interface_stats_collector[3429270]: goroutine 5610 gp=0xc007814c40 m=16 mp=0xc000552808 [running]:
| 5.14.0-5.16.1 | | | [4799272](#4799272)
| When nvued.log triggers log rotation, it also forces rotation of all three logs (nvued, nv-cli, and nv-api). As a result, the nv-cli logs are rotated unnecessarily, which might eventually lead to missing nv-cli.log entries due to excessive rotations. | 5.15.0-5.15.1 | 5.16.0-5.16.1| | [4789562](#4789562)
| A switch running Nvidia Cumulus Linux may improperly forward routed packets out of an access port or on the native vlan of a trunk with an 802.1Q tag imposed on the packet. | 5.12.1-5.15.1 | 5.16.0-5.16.1| -| [4789339](#4789339)
| The interface_stats process might crash when a transceiver has non-ASCII data in EEPROM fields, such as vendor name or part number. | 5.13.1-5.15.1 | 5.16.0-5.16.1| +| [4789339, 4540985](#4789339, 4540985)
| The interface_stats process might crash when a transceiver has non-ASCII data in EEPROM fields, such as vendor name or part number. | 5.13.1-5.15.1 | 5.16.0-5.16.1| | [4789097](#4789097)
| The switch deletes a static blackhole route even when the blackhole type specified in the delete command does not match the configured type. | 5.9.4-5.15.1 | 5.16.0-5.16.1| | [4783824](#4783824)
| RoCE ingress reserved pools do not display correct values for ports that are not operationally UP. Switch ports that were never operational or not operational after setting RoCE mode do not have RoCE reserved pool buffers allocated but the nv show interface qos roce status command displays an invalid buffer size. | 5.14.0-5.15.1 | 5.16.0-5.16.1| | [4781499](#4781499)
| The 802.1X RADIUS shared secret is limited to 32 characters instead of 256 characters. | 5.15.0-5.15.1 | 5.16.0-5.16.1| | [4781498](#4781498)
| When you use a text-based patch file with nv config patch cmd.txt or nv config replace cmd.txt, if the cmd.txt file contains any of the following CLI commands, the patch operation fails and triggers an exception in NVUE:
nv set system aaa auth order radius 
nv set system ssh-server ciphers 
nv set system ssh-server macs 
nv set system ssh-server kex-algorithms 
nv set system ssh-server pubkey-accepted-algorithms 
nv set system ssh-server host-key-algorithms

To work around this issue, use a YAML file instead of a text-based patch file or run the nv set commands manually. | 5.15.0-5.15.1 | 5.16.0-5.16.1| | [4776471](#4776471)
| In Cumulus Linux 5.15.0, NTP and DNS configuration commands changed from nv set service to nv set system. However, after upgrading the switch to Cumulus Linux 5.15.1, the nv set service command might still appear in the configuration output because a stale nv set service command remains after the configuration is translated during the upgrade. If you save the configuration with the nv config show -o commands, then reapply the configuration with nv config replace, the command fails if the stale nv set service command is present.
To workaround this issue, before applying the configuration with nv config replace, remove any stale nv set service commands from the saved configuration file, then reapply the configuration with the nv config replace command. | 5.15.0-5.16.1 | | | [4776470](#4776470)
| In Cumulus Linux 5.15.0, NTP and DNS configuration commands changed from nv set service to nv set system. However, after upgrading the switch to Cumulus Linux 5.15.1, the nv set service command might still appear in the configuration output because a stale nv set service command remains after the configuration is translated during the upgrade. If you save the configuration with the nv config show -o commands, then reapply the configuration with nv config replace, the command fails if the stale nv set service command is present.
To workaround this issue, before applying the configuration with nv config replace, remove any stale nv set service commands from the saved configuration file, then reapply the configuration with the nv config replace command. | 5.15.0-5.15.1 | 5.16.0-5.16.1| -| [4776444](#4776444)
| In rare cases when telemetry is configured on a switch with high interface scale, the following log message might be generated and lead to a kernel crash event:
interface_stats_collector[27979]: ERROR intf_stats_collector.go:485 WaitBulkCounterDone error: unable to receive trap info after 15 iterations
| 5.15.0-5.15.1 | 5.16.0-5.16.1| +| [4776444, 4594612, 4823905](#4776444, 4594612, 4823905)
| In rare cases when telemetry is configured on a switch with high interface scale, the following log message might be generated and lead to a kernel crash event:
interface_stats_collector[27979]: ERROR intf_stats_collector.go:485 WaitBulkCounterDone error: unable to receive trap info after 15 iterations
| 5.15.0-5.15.1 | 5.16.0-5.16.1| | [4776390](#4776390)
| gNMI subscription changes for interface counters, buffer, packet trim, latency or any other statistics produced by the prometheus-sdk-stats service leads to a change in the service configuration file causing the load interval configuration to be removed. This results in a rate calculation done with an interval of 60s instead of the interval configured in NVUE. | 5.15.0-5.15.1 | 5.16.0-5.16.1| | [4771865](#4771865)
| When you change the RADIUS privilege level, all affected existing RADIUS users are not updated in the next session to the relevant privilege level. | 5.15.0-5.15.1 | 5.16.0-5.16.1| | [4771785](#4771785)
| NVUE drop counters and ethtool output do not show the packets discarded because the destination MAC address does not match the router MAC address. | 5.14.0-5.15.1 | 5.16.0-5.16.1| @@ -306,12 +306,12 @@ pdfhidden: True | [4769258](#4769258)
| After upgrading the switch with onie-install -t, NTP configuration is missing and does not work. This issue does not occur with package or optimized image upgrade. | 5.15.0-5.15.1 | 5.16.0-5.16.1| | [4769256](#4769256)
| Low fan speed alarm events occur while the corresponding fan modules are amber physically. | 5.15.0-5.15.1 | 5.16.0-5.16.1| | [4769255](#4769255)
| When using the CPU port as a SPAN destination, the switch might become unresponsive and, or reboot. To work around this issue, use SPAN to a local port instead of the CPU port. | 5.14.0-5.15.1 | 5.16.0-5.16.1| -| [4752986](#4752986)
| Warm reboot results in approximately 14 second traffic loss. | 5.15.0-5.15.1 | 5.16.0-5.16.1| -| [4751060](#4751060)
| If the switch filesystem is overloaded or memory is exhausted, you see very slow responses from the filesystem and the SDK might fail with a fatal error similar to:
sxd_kernel: Health-Check: new failure (dev=1, severity='Fatal', cause=10 ['SDK thread issue'], irisc=255, desc='Health check: SDK thread [sxSniffer] TID [0x7f81cffff6c0] bit [4] does not respond [5] seconds')
| 5.12.0-5.15.1 | 5.16.0-5.16.1| +| [4752986, 4851043](#4752986, 4851043)
| Warm reboot results in approximately 14 second traffic loss. | 5.15.0-5.15.1 | 5.16.0-5.16.1| +| [4751060, 4637733](#4751060, 4637733)
| If the switch filesystem is overloaded or memory is exhausted, you see very slow responses from the filesystem and the SDK might fail with a fatal error similar to:
sxd_kernel: Health-Check: new failure (dev=1, severity='Fatal', cause=10 ['SDK thread issue'], irisc=255, desc='Health check: SDK thread [sxSniffer] TID [0x7f81cffff6c0] bit [4] does not respond [5] seconds')
| 5.12.0-5.15.1 | 5.16.0-5.16.1| | [4748963](#4748963)
| In an MLAG configuration with PVRST spanning tree mode configured on both switches, when the primary switch comes back up after a reboot, PVRST mode briefly changes to RSTP, then back to PVRST. | 5.13.1-5.15.1 | 5.16.0-5.16.1| -| [4748176](#4748176)
| Unsupported hardware modules might cause SDK and firmware health event and traffic loss. | 5.12.1-5.15.1 | 5.16.0-5.16.1| +| [4748176, 4662528, 4652420](#4748176, 4662528, 4652420)
| Unsupported hardware modules might cause SDK and firmware health event and traffic loss. | 5.12.1-5.15.1 | 5.16.0-5.16.1| | [4743814](#4743814)
| The switch clears the QoS buffer max usage values in the nv show interface qos buffer egress-traffic-class command output when a gNMI client subscribes to any QoS buffer metrics. | 5.14.0-5.15.1 | 5.16.0-5.16.1| -| [4740606](#4740606)
| When you configure a port with a 802.1x IPv6 profile, then remove 802.1x, the port might block all ingress and egress traffic, including LLDP frames. This behavior is unintended and might impact network visibility and connectivity.
To restore normal traffic flow on the affected port, remove the residual traffic-control filters by running the following commands:
tc qdisc del dev  clsact 2>/dev/null
tc qdisc del dev  ingress 2>/dev/null
tc qdisc del dev  egress 2>/dev/null
| 5.15.0-5.15.1 | 5.16.0-5.16.1| +| [4740606, 4783693](#4740606, 4783693)
| When you configure a port with a 802.1x IPv6 profile, then remove 802.1x, the port might block all ingress and egress traffic, including LLDP frames. This behavior is unintended and might impact network visibility and connectivity.
To restore normal traffic flow on the affected port, remove the residual traffic-control filters by running the following commands:
tc qdisc del dev  clsact 2>/dev/null
tc qdisc del dev  ingress 2>/dev/null
tc qdisc del dev  egress 2>/dev/null
| 5.15.0-5.15.1 | 5.16.0-5.16.1| | [4738956](#4738956)
| When a Spectrum-4 or Spectrum-5 switch interface is connected to a ConnectX-7 NIC that performs a soft reset, adaptive routing and Spectrum-X features fail to start on the interface. To work around this issue, flap the interface. | 5.15.0-5.15.1 | 5.16.0-5.16.1| | [4734606](#4734606)
| Physical interface based static IPv6 address assignment does not work for DHCPv6 with inbound DHCP requests (discover packets) on an SVI interface. To work around this issue, configure the IPv6 pool for the subnet to assign the IPv6 address from the pool. | 5.15.0-5.15.1 | 5.16.0-5.16.1| | [4734395](#4734395)
| mlxlink output sometimes displays additional special characters while still reporting valid data. | 5.14.0-5.15.1 | 5.16.0-5.16.1| @@ -331,7 +331,7 @@ pdfhidden: True | [4707930](#4707930)
| When you configure a high number of 802.1x IPv6 profiles, the nv show system dot1x ipv6-profile command might return no data. To work around this issue, run the nv show system dot1x ipv6-profile --applied command. | 5.15.0-5.15.1 | 5.16.0-5.16.1| | [4706305](#4706305)
| The gNMI interface statistics collector reports the error Failed to get SRv6 no sid drop counter: No-SID counter not available in syslog even when SRv6 is disabled. | 5.15.0-5.15.1 | 5.16.0-5.16.1| | [4706274](#4706274)
| When switchd terminates (on system shutdown or service restart), the switch does not clean up PBR ACL rules that reference ECMP groups before the SDK de-initializes. This causes SDK errors in the cleanup sequence. | 5.15.0-5.15.1 | 5.16.0-5.16.1| -| [4704406](#4704406)
| TACACS authentication mode is not configured correctly in PAM common authentication and TACACS configuration files, which makes login the authentication mode regardless of the NVUE configuration. | 5.14.0-5.15.1 | 5.16.0-5.16.1| +| [4704406, 4633883](#4704406, 4633883)
| TACACS authentication mode is not configured correctly in PAM common authentication and TACACS configuration files, which makes login the authentication mode regardless of the NVUE configuration. | 5.14.0-5.15.1 | 5.16.0-5.16.1| | [4702667](#4702667)
| When you run the nv show vrf default router rib command, NVUE returns an ItemDoesNotExist error. This error occurs because the vtysh show ip route vrf default brief json command does not return any output, which propagates through NVUE. To work around this issue, run the nv show vrf default router rib ipv6 and nv show vrf default router rib ipv6 route commands instead. | 5.15.0-5.15.1 | 5.16.0-5.16.1| | [4693175](#4693175)
| There is a mismatch between NVUE and gNMI telemetry for latency-measurement data on network interfaces with high sample intervals. For example, when you remove traffic class configurations from interfaces, NVUE correctly updates to reflect only active traffic classes; however, gNMI telemetry continues to report stale latency-measurement entries for the removed traffic classes. The stale entries include outdated error-type responses (TIMEOUT) with timestamps from previous runs. These stale entries persist across multiple polling cycles. | 5.15.0-5.15.1 | 5.16.0-5.16.1| | [4692400](#4692400)
| You see the error Failed to get SRv6 no sid drop counter: No-SID counter not available in syslog even when SRv6 is disabled. | 5.15.0-5.15.1 | 5.16.0-5.16.1| @@ -343,20 +343,20 @@ pdfhidden: True | [4667792](#4667792)
| Usernames longer than 32 characters do not authenticate against the switch. Avoid using long usernames. | 5.14.0-5.16.1 | | | [4662854](#4662854)
| If you configure a DSCP match as ANY, the gNMI subscription does not show DSCP as ANY. The OpenConfig model supports only integer DSCP values. | 5.15.0-5.16.1 | | | [4662695](#4662695)
| In an EVPN-MH environment, when you flap all interfaces on a switch or the bridge interface, stale VXLAN route entries might remain installed for locally connected hosts. To work around this issue, flap individual SVI interfaces for the affected routes. | 5.15.0-5.15.1 | 5.16.0-5.16.1| -| [4657192](#4657192)
| On the NVIDIA SN5640 switch, after you configure a port as unsplit, links do not come up while optics are in use. To work around this issue, use copper cables. | 5.15.0-5.16.1 | | +| [4657192, 4414675](#4657192, 4414675)
| On the NVIDIA SN5640 switch, after you configure a port as unsplit, links do not come up while optics are in use. To work around this issue, use copper cables. | 5.15.0-5.16.1 | | | [4650961](#4650961)
| When you bring a bond down, then up with the ifdown and ifup commands, the sflow rate is not configured correctly after the bond comes up and the sflow sample is not generated. To work around this issue, bring the member port down, then up. | 5.15.0-5.15.1 | 5.16.0-5.16.1| -| [4648833](#4648833)
| Interfaces using PAM4 DAC cables on switches with Spectrum-4 and later might not come up after a link flap or reboot if auto-negotiation is disabled. Auto-negotiation is required for PAM4 DAC cables on these switches. | 5.15.0-5.16.1 | | -| [4643073](#4643073)
| Concurrent mlxfwmanager --query executions triggered by gNMI telemetry polling might cause MFT deadlock, resulting in repeated core dumps, nvued restarts, and control plane unresponsiveness. | 5.14.0-5.15.1 | 5.16.0-5.16.1| +| [4648833, 4662556, 4687350](#4648833, 4662556, 4687350)
| Interfaces using PAM4 DAC cables on switches with Spectrum-4 and later might not come up after a link flap or reboot if auto-negotiation is disabled. Auto-negotiation is required for PAM4 DAC cables on these switches. | 5.15.0-5.16.1 | | +| [4643073, 4643425](#4643073, 4643425)
| Concurrent mlxfwmanager --query executions triggered by gNMI telemetry polling might cause MFT deadlock, resulting in repeated core dumps, nvued restarts, and control plane unresponsiveness. | 5.14.0-5.15.1 | 5.16.0-5.16.1| | [4641344](#4641344)
| The switch sends out IPv6 neighbor discovery (ND) router advertisement through an interface that does not have router advertisement enabled. To prevent this issue, do not change or remove the remote-as of a peer-group that is used by BGP unnumbered peers. To work around this issue, restart FRR. | 5.14.0-5.16.1 | | | [4641343](#4641343)
| The switch sends out IPv6 neighbor discovery (ND) router advertisement through an interface that does not have router advertisement enabled. To prevent this issue, do not change or remove the remote-as of a peer-group that is used by BGP unnumbered peers. To work around this issue, restart FRR. | 5.14.0-5.16.1 | | | [4608614](#4608614)
| When setting up SSH keys, you have to run nv config apply twice for the configuration to take effect. | 5.11.3-5.16.1 | | | [4582679](#4582679)
| If a node has Suppress Route Advertisement enabled and routes are re-learned; for example, when a peer sends the route again due to route policy changes, or you enable or disable graceful shutdown, not all routes are offloaded, which might cause discrepancies in traffic. | 5.9.4-5.16.1 | | -| [4579237](#4579237)
| If interface statistics telemetry is running on the switch, an interface_stats_collector core file might generate during statistics collection. | 5.11.3-5.16.1 | | +| [4579237, 4579234](#4579237, 4579234)
| If interface statistics telemetry is running on the switch, an interface_stats_collector core file might generate during statistics collection. | 5.11.3-5.16.1 | | | [4556982](#4556982)
| In the Spanning Tree PVRST environment, when one bridge interface goes down, it causes all the other bridge interfaces to enter a blocking state for approximately ten seconds. Even though the down port is not the root port, all the other bridge ports are flushed and not in service for about ten seconds. | 5.13.1-5.15.1 | 5.16.0-5.16.1| -| [4551249](#4551249)
| The NVUE service might fail during switch upgrade. To work around this issue, stop the sysmonitor with the sudo systemctl stop sysmonitor command, then upgrade the switch with the nv action upgrade system packages to latest command. | 5.14.0-5.16.1 | | +| [4551249, 4572507, 4573399, 4712858, 4919013](#4551249, 4572507, 4573399, 4712858, 4919013)
| The NVUE service might fail during switch upgrade. To work around this issue, stop the sysmonitor with the sudo systemctl stop sysmonitor command, then upgrade the switch with the nv action upgrade system packages to latest command. | 5.14.0-5.16.1 | | | [4549896](#4549896)
| When you try to set a VXLAN with a bridge, you see the error sx_sdk: 22985 [BRIDGE] [ERROR ]: Port(0x200A000D)) already added to a bridge. You can safely ignore this error. | 5.14.0-5.16.1 | | | [4548512](#4548512)
| When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface vlan10, the route might install against vlan10-v0. This prevents next-hop tracking and route installation into hardware.
This issue can occur in the following conditions:
  • When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.
  • In an MLAG and VRR configuration, static routes fail to install when the route is resolved through a connected route and the interface of the connected route undergoes a link state change for any reason, such as link flaps, interface bring-up, clagd restart, switchd restart, etc.

To work around this issue, restart the FRR service using the sudo systemctl restart frr.service command. | 5.11.0-5.16.1 | | -| [4547463](#4547463)
| When you try to run nv action boot-next commands during optimized image upgrade, the commands time out. This does not necessarily mean an issue occurred; the system might still be executing the action.
To check that the action command completed before going to the next step to reboot the system:
  1. Find the Request ID for the REST API invocation corresponding to the nv action boot-next command by doing a grep for ActionKey.*boot-next in the /var/log/nvued.log file. For example, the value 3 in the Ran Job running ActionKey('@boot-next', '/system/image', (), 3, (('partition', 'partition1'),)) line indicates the Request ID.
  2. Run the curl -u ':\' -X GET https://127.0.0.1:8765/nvue_v1/action/ -k command from the shell to show the status of the action command. If the value of state is action_success, the action command completed successfully. If the value of state is running, the system is still processing. If the value of state is action_error, the system encountered an error.
| 5.14.0-5.16.1 | | +| [4547463, 4705370](#4547463, 4705370)
| When you try to run nv action boot-next commands during optimized image upgrade, the commands time out. This does not necessarily mean an issue occurred; the system might still be executing the action.
To check that the action command completed before going to the next step to reboot the system:
  1. Find the Request ID for the REST API invocation corresponding to the nv action boot-next command by doing a grep for ActionKey.*boot-next in the /var/log/nvued.log file. For example, the value 3 in the Ran Job running ActionKey('@boot-next', '/system/image', (), 3, (('partition', 'partition1'),)) line indicates the Request ID.
  2. Run the curl -u ':\' -X GET https://127.0.0.1:8765/nvue_v1/action/ -k command from the shell to show the status of the action command. If the value of state is action_success, the action command completed successfully. If the value of state is running, the system is still processing. If the value of state is action_error, the system encountered an error.
| 5.14.0-5.16.1 | | | [4535856](#4535856)
| When you try to import an invalid server certificate file, Cumulus Linux does not import the certificate file but fails to show an error message. | 5.13.0-5.16.1 | | | [4535843](#4535843)
| After a switch reboot, the nv show system health command shows incorrect system LED status and color. | 5.13.0-5.16.1 | | | [4535806](#4535806)
| After a factory reset, the switch does not clear the /var/tmp directory, which the switch uses for temporary files. | 5.14.0-5.16.1 | | @@ -367,10 +367,10 @@ pdfhidden: True | [4534357](#4534357)
| During Cumulus Linux upgrade or downgrade, rsyslog might crash because the management (eth0) port is unavailable, which triggers a use-after-free fault and produces a cl-support file as a response. | 5.13.1-5.16.1 | | | [4531960](#4531960)
| The GNMI Subscription to xpath interfaces/interface[name=swp61s0]/state/counters/out-pkts with a high sample interval results in an initial response of zero but in subsequent updates, the value is correct. You do not see this issue when the sample interval is 1 second. | 5.14.0-5.16.1 | | | [4513849](#4513849)
| After upgrading from Cumulus Linux 5.12 on the NVIDIA SN5400 switch bonus port, PTP does not converge. To work around this issue, disable, then enable the bonus port after upgrade. | 5.13.0-5.16.1 | | -| [4509255](#4509255)
| In PTP two-step, the hardware incorrectly modifies the SYNC message correction field. | 5.12.0-5.16.1 | | +| [4509255, 4546858](#4509255, 4546858)
| In PTP two-step, the hardware incorrectly modifies the SYNC message correction field. | 5.12.0-5.16.1 | | | [4508830](#4508830)
| Cumulus Linux allows you to add bond ports of mismatched speeds (such as 10G and 25G) to the same LACP bond without error and the bond reports UP. | 5.11.2-5.16.1 | | -| [4501632](#4501632)
| NVIDIA recommends you wait for approximately 60 seconds after running nv config apply before power cycling the switch so that NVUE database has time to sync to the filesystem. | 5.14.0-5.16.1 | | -| [4495383](#4495383)
| NVUE configuration yaml file translation converts unset commands to set commands because the translation logic expects only set commands. | 5.13.0-5.16.1 | | +| [4501632, 4530257](#4501632, 4530257)
| NVIDIA recommends you wait for approximately 60 seconds after running nv config apply before power cycling the switch so that NVUE database has time to sync to the filesystem. | 5.14.0-5.16.1 | | +| [4495383, 4493988](#4495383, 4493988)
| NVUE configuration yaml file translation converts unset commands to set commands because the translation logic expects only set commands. | 5.13.0-5.16.1 | | | [4495231](#4495231)
| If the hardware clock date is later than 2038-01-19 03:14:07 UTC, the image might fail to install due to a grub-install failure on the EFI filesystem, which is a VFAT filesystem. As a result, you see the grub prompt immediately after reboot. To work around this issue, reboot from the grub prompt to go into ONIE. From ONIE, use the date command to set a date before 2038-01-19, then run the hwclock --systohc command to add it to the hardware clock. You can then use onie-nos-install to install the image. | 5.9.0-5.16.1 | | | [4475401](#4475401)
| External input such as Ctrl+\ might trigger core dumps on the serial console from /bin/login. This behavior is caused by external sources, such as console servers or automation tools, and does not reflect a fault in the operating system. As a potential result, the serial console might become unresponsive. | 5.14.0-5.16.1 | | | [4475111](#4475111)
| When you try to convert a layer 3 port that is part of ECMP to a bond member, you might see a failure in the switchd logs. This issue does not have any functional impact. | 5.11.2-5.16.1 | 5.9.4| @@ -397,21 +397,21 @@ pdfhidden: True | [4236419](#4236419)
| On the Spectrum-3 switch, the PTP offset for 25GbE fluctuates within a range of plus or minus 50 nanoseconds beyond the expected values. | 5.12.0-5.16.1 | | | [4214678](#4214678)
| Changes to open telemetry configuration or export states restarts the telemetry service and resets all health metrics. | 5.12.0-5.16.1 | | | [4177067](#4177067)
| When performing a package upgrade, nslcd installation might open an interactive dialog to configure nslcd.conf .
To avoid this interactive dialog, set the DEBIAN_FRONTEND environment variable to noninteractive. For example:
cumulus@switch:~$ sudo apt-get update
cumulus@switch:~$ sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold" upgrade
| 5.11.0-5.16.1 | | -| [4154839](#4154839)
| When you run certain SDK commands (such as sudo sx_api_port_counter_dump_all.py or sx_api_fdb_dump) first as the cumulus user, then with sudo, you see the following error:
PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt'

To resolve this issue, run the rm -rf /tmp/python_err_log.txt command. | 5.11.0-5.16.1 | | +| [4154839, 4280933, 4291934](#4154839, 4280933, 4291934)
| When you run certain SDK commands (such as sudo sx_api_port_counter_dump_all.py or sx_api_fdb_dump) first as the cumulus user, then with sudo, you see the following error:
PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt'

To resolve this issue, run the rm -rf /tmp/python_err_log.txt command. | 5.11.0-5.16.1 | | | [4142857](#4142857)
| The switch drops PTP packets received with extra ethernet padding and you see syslog [ptp4l.ERR] messages. | 5.10.0-5.16.1 | | -| [4139511](#4139511)
| When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue.
[ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds
[ 1903.846724] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.852689] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.861573] hwmon hwmon28: Failed to query module temperature
| 5.11.0-5.16.1 | | +| [4139511, 4184813, 4180112](#4139511, 4184813, 4180112)
| When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue.
[ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds
[ 1903.846724] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.852689] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.861573] hwmon hwmon28: Failed to query module temperature
| 5.11.0-5.16.1 | | | [4134447](#4134447)
| The journal logs might include the error message ERR kernel: [ 7.453789] usb usb2-port2: connect-debounce failed. You can safely ignore this log message. | 5.11.0-5.16.1 | | | [4129757](#4129757)
| If you include a comma in the BGP community list, extended community list, or large community list regex expression of a routing policy, you see error messages and FRR reload fails. Make sure the regex expression does not contain a comma.
For example, instead of ^65550:([0-9]{1,2}\|[1-9][1-9]):.*$, specify ^65550:([0-9]\|[0-9][0-9]):.*$ and instead of ^65550:([0-4]{1,2}\|[7-9][8-9]):.*$, specify ^65550:([0-4]\|[0-4][0-4]\|[7-9][8-9]):.*$. | 5.11.0-5.16.1 | | -| [4124376](#4124376)
| The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier).
To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in Downgrade a Secure Boot Switch. | 5.11.0-5.16.1 | | +| [4124376, 4316163](#4124376, 4316163)
| The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier).
To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in Downgrade a Secure Boot Switch. | 5.11.0-5.16.1 | | | [4118970](#4118970)
| When running PTP, the performance for 100Gx2 and 400Gx8 can have a high offset in up to 1.5% of the sampling. | 5.11.0-5.16.1 | | -| [4105127](#4105127)
| Any sFlow configuration changes that require an hsflowd restart are operational only after an initial delay of 60 seconds. | 5.11.0-5.16.1 | | +| [4105127, 4796391](#4105127, 4796391)
| Any sFlow configuration changes that require an hsflowd restart are operational only after an initial delay of 60 seconds. | 5.11.0-5.16.1 | | | [4100629](#4100629)
| NVUE show command outputs show LLDP neighbor changes only after the LLDP update frequency multiplied by the hold time. | 5.11.0-5.16.1 | | | [4082210](#4082210)
| When you change the CPU resource limit with the nv set service control rsyslog resource-limit cpu command, the rsyslog agent does not start. To work around this issue, increase the CPU resource limit, then restart the service manually. | 5.11.0-5.16.1 | | | [4077921](#4077921)
| You cannot use package upgrade to upgrade from Cumulus Linux 5.9.2 to Cumulus Linux 5.10.1 or later. You must install the Cumulus Linux image instead. | 5.10.1-5.16.1 | | -| [4049213](#4049213)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | +| [4049213, 4186873](#4049213, 4186873)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | | [4047798](#4047798)
| Packet distribution based on ECMP hashing using GTP-TEID does not function as expected in an EVPN Clos topology. | 5.10.0-5.16.1 | | | [4030380](#4030380)
| When you roll back interface configuration to the default setting with the nv unset interface command, NVUE removes the complete entry for the interface from the /etc/network/interface file, and puts the interface in admin down. As a result, you cannot configure FEC on the interface at the lower layers. | 5.10.0-5.16.1 | | -| [4005422](#4005422)
| When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the systemctl enable ntpsec@ and systemctl restart ntpsec@ commands. | 5.10.0-5.16.1 | | +| [4005422, 4015452](#4005422, 4015452)
| When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the systemctl enable ntpsec@ and systemctl restart ntpsec@ commands. | 5.10.0-5.16.1 | | | [3985682](#3985682)
| On Spectrum-4 switches, multicast flows containing packets smaller than 512 bytes might not reach full line rate. Cumulus Linux supports 512 byte and larger multicast packets. | 5.10.0-5.16.1 | | | [3966312](#3966312)
| When connecting the SN5xxx switch to third party test equipment (such as IXIA) using copper cables at 100GbE, 200GbE, 400GbE, or 800GbE, links do not come up. | 5.10.0-5.16.1 | | | [3948068](#3948068)
| On the SN3700 and SN3700c switch, the nv show platform environment voltage command output shows a failed state for the PSU-n-12V-RAIL-OUT sensors. This is a known hardware limitation that cannot be corrected by the PSU vendor. | 5.10.0-5.16.1 | | @@ -433,17 +433,17 @@ pdfhidden: True | [3637444](#3637444)
| Applying an inbound control plane ACL on the eth0 management interface does not take effect. To work around this issue, apply the ACL on the mgmt interface; for example, nv set interface mgmt acl inbound control-plane. | 5.7.0-5.16.1 | | | [3591918](#3591918)
| The nv action disconnect system aaa user command does not clear all open sessions. To work around this issue, run the command as many times as the number of sessions. | 5.6.0-5.16.1 | | | [3587393](#3587393)
| If you use the NVIDIA SN5600 (Spectrum-4) switch with Ixia test equipment, you might experience delayed link up due to intermittent link flaps.
To work around this issue when using copper cables:
  • Use Ixia IxOS version 9.37 with HF002156, or version 9.39 or later.
  • Use the DAC cable on ports 10 through 50.
  • Use NVIDIA cables with the recommended firmware revision.
  • Configure AN on the Cumulus Linux switch and AN/LT on Ixia.

To work around this issue when using fiber cables:
  • Configure 800g/Force.
  • Use the recommended NVIDIA optical adapters.
| 5.6.0-5.16.1 | | -| [3556762](#3556762)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | +| [3556762, 3463827](#3556762, 3463827)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | | [3540510](#3540510)
| 400Gx8 ports only support traffic line rate with packets that are larger than 172 bytes. | 5.6.0-5.16.1 | | -| [3538321](#3538321)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | +| [3538321, 3564344](#3538321, 3564344)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | | [3497622](#3497622)
| When you remove PSUs, then plug them back in, you might experience traffic loss and some ports might be in a down state. | 5.6.0-5.16.1 | | | [3472163](#3472163)
| On a switch with the Spectrum-4 ASIC, packets that are smaller than 256 bytes are not included in multicast flows. Multicast flows support packets that are 256 bytes or larger. | 5.6.0-5.16.1 | | | [3444490](#3444490)
| Migration from ONYX to Cumulus Linux is supported and tested with ONYX version 3.10.4302 GA only. | 5.6.0-5.16.1 | | -| [3442569](#3442569)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | -| [3430430](#3430430)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | -| [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | +| [3442569, 3520880, 3586421](#3442569, 3520880, 3586421)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | +| [3430430, 3337848](#3430430, 3337848)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | +| [3424967, 3413785](#3424967, 3413785)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [3414866](#3414866)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | +| [3414866, 3536555, 4465009, 4509253, 4732973](#3414866, 3536555, 4465009, 4509253, 4732973)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | | [3362113](#3362113)
| If you restore an NVUE startup.yaml file or run the nv config patch command after an upgrade that includes breakout ports with QoS configuration, the NVUE configuration fails to apply. Subsequent attempts to run nv config apply fail with a message similar to Invalid config [rev_id: 11] qos config is not supported on the following invalid interface: swp1s0. Supported on swp and bond interface types. To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. | 5.4.0-5.16.1 | | | [3347538](#3347538)
| When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.16.1 | | | [3341214](#3341214)
| If you use the NVUE REST API to configure a local user with a hashed password, the user cannot log in and the /etc/nvue.d/startup.yaml file shows the password as plain text. | 5.4.0-5.16.1 | | @@ -453,10 +453,10 @@ pdfhidden: True | [3253218](#3253218)
| Auto-negotiation isn't supported on Spectrum-2 and Spectrum-3 switches using the 1G SFP-T module; FORCE 1G is configured instead. | 5.4.0-5.16.1 | | | [3241567](#3241567)
| When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time. | 5.3.0-5.16.1 | | | [3226506](#3226506)
| The l1-show eth0 command does not show port information and is not supported in this release. | 5.3.0-5.16.1 | | -| [3225117](#3225117)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | +| [3225117, 3158720](#3225117, 3158720)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | | [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.16.1 | | | [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.16.1 | | -| [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | +| [3145869, 3430508, 3543102](#3145869, 3430508, 3543102)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | | [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example: 
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.16.1 | | | [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.16.1 | | | [3103821](#3103821)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.16.1 | | @@ -466,8 +466,8 @@ pdfhidden: True | [3061656](#3061656)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.16.1 | | | [2972540](#2972540)
| With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.16.1 | | | [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.16.1 | | -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [2885305](#2885305)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2885305, 2887500, 3234087, 3074929, 3293192](#2885305, 2887500, 3234087, 3074929, 3293192)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.16.1 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.16.1 | | | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | @@ -477,23 +477,23 @@ pdfhidden: True ### Fixed Issues in 5.15.0 | Issue ID | Description | Affects | |--- |--- |--- | -| [4731804](#4731804)
| NVUE might fail to apply a configuration due to a mishandling of ranges during a race condition and shows a message similar to the following (the issue is not limited to the transceiver ID or swp ranges):
 Invalid config [rev_id: 2]
 The transceiver id[swp1-64] is not valid.

To work around this issue, restart the nvued.service. To avoid this issue, call each interface in the configuration instead of using ranges. | 5.14.0 | | +| [4731804, 4559992](#4731804, 4559992)
| NVUE might fail to apply a configuration due to a mishandling of ranges during a race condition and shows a message similar to the following (the issue is not limited to the transceiver ID or swp ranges):
 Invalid config [rev_id: 2]
 The transceiver id[swp1-64] is not valid.

To work around this issue, restart the nvued.service. To avoid this issue, call each interface in the configuration instead of using ranges. | 5.14.0 | | | [4686865](#4686865)
| An invalid hashed-password string for a local NVUE user causes all nv config apply operations (including unrelated changes) to fail health checks and raise tracebacks when NVUE attempts to recreate the user. | 5.12.0-5.14.0 | | | [4681608](#4681608)
| gNMI /system/mount-point/ xPaths unexpectedly return data for /dev. As /dev is not a persistent disk, unexpected storage monitoring alerts might be generated. | 5.14.0 | | -| [4680172](#4680172)
| In extremely rare circumstances, during a GNMI subscription change for interface or QoS data, a Spectrum ASIC SDK health event (SX_HEALTH_FATAL: Health-Check: new failure ) is observed and the process might become unresponsive. To recover from this issue, reboot the switch. | 5.14.0 | | +| [4680172, 4633345](#4680172, 4633345)
| In extremely rare circumstances, during a GNMI subscription change for interface or QoS data, a Spectrum ASIC SDK health event (SX_HEALTH_FATAL: Health-Check: new failure ) is observed and the process might become unresponsive. To recover from this issue, reboot the switch. | 5.14.0 | | | [4667010](#4667010)
| When streaming telemetry is enabled, additional logs containing ERROR BULK_COUNTER might be generated by the switch, unexpectedly bypassing log suppression rules. | 5.12.1-5.14.0 | | -| [4663076](#4663076)
| When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.3.1-5.9.4 | | +| [4663076, 3963232](#4663076, 3963232)
| When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.3.1-5.9.4 | | | [4662494](#4662494)
| When there are a very large number of gNMI client subscriptions, the switch might not accept new sessions and metrics might stop generating for existing sessions. | 5.14.0 | | | [4651578](#4651578)
| When you configure a link flap protection threshold to 0, the value is not applied operationally and is not reflected in the nv show system link flap-protection command. | 5.14.0 | | | [4647646](#4647646)
| If you configure policy-based routing (PBR) rules for more than 32 interfaces, only the rules assigned to the first 32 interfaces are installed in the kernel. | 4.4.2-5.14.0 | | -| [4647325](#4647325)
| Running the nv config save command while a diff is pending might result in unexpected nv config diff output. To work around this issue, run the nv config diff --verbose command. | 5.14.0 | | +| [4647325, 4861067](#4647325, 4861067)
| Running the nv config save command while a diff is pending might result in unexpected nv config diff output. To work around this issue, run the nv config diff --verbose command. | 5.14.0 | | | [4643537](#4643537)
| The nv action clear interface command does not clear the in and out packet counters under interface//link/stats. | 5.12.1-5.14.0 | | -| [4641806](#4641806)
| When gNMI streaming is enabled and clients are subscribed to system information such as the firmware version with xPath '/components/component[name=*]/state/firmware-version', the nv config replace command might take longer than expected to complete. | 5.14.0 | | -| [4641291](#4641291)
| In rare circumstances, the switch stops streaming telemetry data for interface counters, buffers, or phy. | 5.13.1-5.14.0 | | +| [4641806, 4652004, 4652006](#4641806, 4652004, 4652006)
| When gNMI streaming is enabled and clients are subscribed to system information such as the firmware version with xPath '/components/component[name=*]/state/firmware-version', the nv config replace command might take longer than expected to complete. | 5.14.0 | | +| [4641291, 4703438, 4918342, 4923799](#4641291, 4703438, 4918342, 4923799)
| In rare circumstances, the switch stops streaming telemetry data for interface counters, buffers, or phy. | 5.13.1-5.14.0 | | | [4640126](#4640126)
| LLDP session flaps might result in a PTMD process crash due to a double free memory block. | 5.11.2-5.14.0 | | | [4638802](#4638802)
| When you attempt to set a new BGP peer group on a neighbor with a current peer group configured, NVUE fails to apply the new configuration. To work around this issue, remove the existing peer group before configuring the new one. | 5.14.0 | | | [4637200](#4637200)
| When more than one IPv4 and/or IPv6 addresses are configured on a remote interface, NVUE LLDP commands such as nv show interface lldp-detail only reflect one address. To work around this issue, use lldpctl to view LLDP information. For example, sudo lldpctl -d -f json swp1. | 5.9.0-5.14.0 | | -| [4634976](#4634976)
| When you run the nv action fetch system packages key command, the command fails. To work around this issue, use the apt-key-adv --fetch-keys command instead. | 5.14.0 | | +| [4634976, 4707726](#4634976, 4707726)
| When you run the nv action fetch system packages key command, the command fails. To work around this issue, use the apt-key-adv --fetch-keys command instead. | 5.14.0 | | | [4634819](#4634819)
| The switch does not provide any gNMI sensor path metrics. A sync-response message indicates that the gNMI server has finished sending all the update messages but no messages are sent. | 5.14.0 | | | [4633514](#4633514)
| When the switch processes large numbers of mroute updates in an MLAG configuration, FRR might crash. | 5.8.0-5.14.0 | | | [4629293](#4629293)
| The nv show system telemetry command output shows the global port but not the per destination port, which makes it look like the port configured and displayed do not match. | 5.12.1-5.14.0 | | @@ -502,7 +502,7 @@ pdfhidden: True | [4622487](#4622487)
| When you configure an exclude_users line in /etc/tacplus_nss.conf containing a long list of users, NSS lookups might fail or behave incorrectly when parsing the configuration. | 5.11.1-5.14.0 | | | [4621759](#4621759)
| When many BFD sessions are configured at scale, ptmd might crash when one of the BFD sessions flaps. | 5.3.1-5.14.0 | | | [4621717](#4621717)
| When you configure TACACS+ for the first time on a switch with the nv set system aaa tacacs enable on command, the nvued service must be restarted before TACACS+ per-command authorization can be configured with any nv set system aaa tacacs authorization} commands. | 5.14.0 | | -| [4621451](#4621451)
| Changing the gateway interface IP address on the DHCP relay causes DHCP relay to not forward the packet. To work around this issue, restart the DHCP relay service corresponding to the VRF on which it is running. | 5.13.1-5.14.0 | | +| [4621451, 4472414](#4621451, 4472414)
| Changing the gateway interface IP address on the DHCP relay causes DHCP relay to not forward the packet. To work around this issue, restart the DHCP relay service corresponding to the VRF on which it is running. | 5.13.1-5.14.0 | | | [4618809](#4618809)
| When collecting streaming telemetry data for per-process information and statistics from the system, you might see false errors about unavailable process IDs in the logs. | 5.14.0 | | | [4616352](#4616352)
| The NVUE nv config diff command returns an incorrect exit code of 1 instead of 0 for successfully staged changes. As a result, ansible automation fails, which relies on program return codes to determine whether the commands are successful. | 5.14.0 | | | [4608007](#4608007)
| Load interval configuration changes with the nv set system counter rates load-interval command do not take effect. | 5.14.0 | | @@ -524,6 +524,6 @@ pdfhidden: True | [4556729](#4556729)
| OTEL SRv6 metrics might not be sent in the correct format after a switchd service restart. | 5.14.0 | | | [4554858](#4554858)
| The default poll interval for on-change notifications is set to 10 seconds instead of 1 second for gNMI packet trimming metrics. | 5.14.0 | | | [4550126](#4550126)
| Sometimes NVUE does not show SRv6 statistics even though static SID configuration is present. | 5.14.0 | | -| [4498428](#4498428)
| Due to a GCC update in Cumulus Linux 5.14, you might see unexpected log messages, such as BPF: Invalid name when using package upgrade to upgrade to Cumulus Linux 5.14. You can ignore these messages. | 5.14.0 | | -| [4472414](#4472414)
| After you modify the IP address of an SVI, DHCP relay uses an old cached IP address instead of the changed IP address. This occurs because DHCP relay monitors the link state change not IP address change. | 5.11.0-5.14.0 | | +| [4498428, 4542680, 4574671](#4498428, 4542680, 4574671)
| Due to a GCC update in Cumulus Linux 5.14, you might see unexpected log messages, such as BPF: Invalid name when using package upgrade to upgrade to Cumulus Linux 5.14. You can ignore these messages. | 5.14.0 | | +| [4472414, 4621451](#4472414, 4621451)
| After you modify the IP address of an SVI, DHCP relay uses an old cached IP address instead of the changed IP address. This occurs because DHCP relay monitors the link state change not IP address change. | 5.11.0-5.14.0 | | diff --git a/content/cumulus-linux-515/rn.xml b/content/cumulus-linux-515/rn.xml index d9f3ec7ef1..8cad7aabf4 100644 --- a/content/cumulus-linux-515/rn.xml +++ b/content/cumulus-linux-515/rn.xml @@ -37,7 +37,7 @@ -4926427 +4926427, 4926426 When you run the {{nv config apply}} command or the {{sudo systemctl reload frr.service}} command on a switch configured with VRF route leaking that has many BGP peers, VRFs, and BGP learned prefixes, FRR reload might time out. To work around this issue, run {{sudo systemctl edit frr.service}} to change the {{TimeoutSec=2m}} to a higher value and apply the changes with {{sudo systemctl daemon-reload}}. 5.15.0-5.16.1 5.9.5 @@ -61,7 +61,7 @@ -4918342 +4918342, 4641291 In rare circumstances, the switch stops streaming telemetry data for interface counters, buffers, or PHY. 5.13.0-5.16.1 @@ -209,7 +209,7 @@ To work around this issue, run the {{sudo systemctl restart hw-management-tc.ser 5.16.0-5.16.1 -4830305 +4830305, 4830251, 4834348 After an optimized image upgrade, certain disabled {{systemd}} services that are replaced with VRF-based services are reenabled. This results in multiple instances of the applications running, where they either fail to start or run with incorrect configuration. This issue occurs with, but is not limited to SSH, NTP and streaming telemetry services running with a custom VRF configuration. To work around this issue, after the upgrade, stop and disable the incorrect services, then restart the correct ones as required. 5.15.0-5.15.1 5.16.0-5.16.1 @@ -286,7 +286,7 @@ interface_stats_collector[3429270]: goroutine 5610 gp=0xc007814c40 m=16 mp=0xc00 5.16.0-5.16.1 -4789339 +4789339, 4540985 The {{interface_stats}} process might crash when a transceiver has non-ASCII data in EEPROM fields, such as vendor name or part number. 5.13.1-5.15.1 5.16.0-5.16.1 @@ -341,7 +341,7 @@ To work around this issue, use a YAML file instead of a text-based patch file or 5.16.0-5.16.1 -4776444 +4776444, 4594612, 4823905 In rare cases when telemetry is configured on a switch with high interface scale, the following log message might be generated and lead to a kernel crash event: interface_stats_collector[27979]: ERROR intf_stats_collector.go:485 WaitBulkCounterDone error: unable to receive trap info after 15 iterations @@ -374,13 +374,13 @@ interface_stats_collector[27979]: ERROR intf_stats_collector.go:485 WaitBulkCoun 5.16.0-5.16.1 -4752986 +4752986, 4851043 Warm reboot results in approximately 14 second traffic loss. 5.15.0-5.15.1 5.16.0-5.16.1 -4751060 +4751060, 4637733 If the switch filesystem is overloaded or memory is exhausted, you see very slow responses from the filesystem and the SDK might fail with a fatal error similar to: sxd_kernel: Health-Check: new failure (dev=1, severity='Fatal', cause=10 ['SDK thread issue'], irisc=255, desc='Health check: SDK thread [sxSniffer] TID [0x7f81cffff6c0] bit [4] does not respond [5] seconds') 5.12.0-5.15.1 @@ -393,7 +393,7 @@ sxd_kernel: Health-Check: new failure (dev=1, severity='Fatal', cause=10 ['SDK t 5.16.0-5.16.1 -4748176 +4748176, 4662528, 4652420 Unsupported hardware modules might cause SDK and firmware health event and traffic loss. 5.12.1-5.15.1 5.16.0-5.16.1 @@ -405,7 +405,7 @@ sxd_kernel: Health-Check: new failure (dev=1, severity='Fatal', cause=10 ['SDK t 5.16.0-5.16.1 -4740606 +4740606, 4783693 When you configure a port with a 802.1x IPv6 profile, then remove 802.1x, the port might block all ingress and egress traffic, including LLDP frames. This behavior is unintended and might impact network visibility and connectivity. To restore normal traffic flow on the affected port, remove the residual traffic-control filters by running the following commands: tc qdisc del dev <swp port> clsact 2>/dev/null tc qdisc del dev <swp port> ingress 2>/dev/null @@ -536,7 +536,7 @@ User name {} is already in use as OS group name 'and could not be used as userna 5.16.0-5.16.1 -4704406 +4704406, 4633883 TACACS authentication mode is not configured correctly in PAM common authentication and TACACS configuration files, which makes {{login}} the authentication mode regardless of the NVUE configuration. 5.14.0-5.15.1 5.16.0-5.16.1 @@ -611,7 +611,7 @@ interface_stats_collector[41358]: [signal SIGSEGV: segmentation violation code=0 5.16.0-5.16.1 -4657192 +4657192, 4414675 On the NVIDIA SN5640 switch, after you configure a port as unsplit, links do not come up while optics are in use. To work around this issue, use copper cables. 5.15.0-5.16.1 @@ -623,13 +623,13 @@ interface_stats_collector[41358]: [signal SIGSEGV: segmentation violation code=0 5.16.0-5.16.1 -4648833 +4648833, 4662556, 4687350 Interfaces using PAM4 DAC cables on switches with Spectrum-4 and later might not come up after a link flap or reboot if auto-negotiation is disabled. Auto-negotiation is required for PAM4 DAC cables on these switches. 5.15.0-5.16.1 -4643073 +4643073, 4643425 Concurrent {{mlxfwmanager --query}} executions triggered by gNMI telemetry polling might cause MFT deadlock, resulting in repeated core dumps, {{nvued}} restarts, and control plane unresponsiveness. 5.14.0-5.15.1 5.16.0-5.16.1 @@ -659,7 +659,7 @@ interface_stats_collector[41358]: [signal SIGSEGV: segmentation violation code=0 -4579237 +4579237, 4579234 If interface statistics telemetry is running on the switch, an {{interface_stats_collector}} core file might generate during statistics collection. 5.11.3-5.16.1 @@ -671,7 +671,7 @@ interface_stats_collector[41358]: [signal SIGSEGV: segmentation violation code=0 5.16.0-5.16.1 -4551249 +4551249, 4572507, 4573399, 4712858, 4919013 The NVUE service might fail during switch upgrade. To work around this issue, stop the {{sysmonitor}} with the {{sudo systemctl stop sysmonitor}} command, then upgrade the switch with the {{nv action upgrade system packages to latest}} command. 5.14.0-5.16.1 @@ -693,7 +693,7 @@ To work around this issue, restart the FRR service using the {{sudo systemctl re -4547463 +4547463, 4705370 When you try to run {{nv action boot-next}} commands during optimized image upgrade, the commands time out. This does not necessarily mean an issue occurred; the system might still be executing the action. To check that the action command completed before going to the next step to reboot the system: <ol><li>Find the Request ID for the REST API invocation corresponding to the {{nv action boot-next}} command by doing a grep for {{ActionKey.*boot-next}} in the /var/log/nvued.log}} file. For example, the value 3 in the {{Ran Job running ActionKey('@boot-next', '/system/image', (), 3, (('partition', 'partition1'),))}} line indicates the Request ID.</li> <li>Run the {{curl -u '<username>:<password>' -X GET https://127.0.0.1:8765/nvue_v1/action/<Request ID> -k}} command from the shell to show the status of the action command. If the value of {{state}} is {{action_success}}, the action command completed successfully. If the value of {{state}} is {{running}}, the system is still processing. If the value of {{state}} is {{action_error}}, the system encountered an error.</li></ol> @@ -761,7 +761,7 @@ To work around this issue, restart the FRR service using the {{sudo systemctl re -4509255 +4509255, 4546858 In PTP two-step, the hardware incorrectly modifies the SYNC message correction field. 5.12.0-5.16.1 @@ -773,13 +773,13 @@ To work around this issue, restart the FRR service using the {{sudo systemctl re -4501632 +4501632, 4530257 NVIDIA recommends you wait for approximately 60 seconds after running {{nv config apply}} before power cycling the switch so that NVUE database has time to sync to the filesystem. 5.14.0-5.16.1 -4495383 +4495383, 4493988 NVUE configuration yaml file translation converts unset commands to set commands because the translation logic expects only set commands. 5.13.0-5.16.1 @@ -943,7 +943,7 @@ cumulus@switch:~$ sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o "Dpkg::Optio -4154839 +4154839, 4280933, 4291934 When you run certain SDK commands (such as {{sudo sx_api_port_counter_dump_all.py}} or {{sx_api_fdb_dump}}) first as the cumulus user, then with {{sudo}}, you see the following error: PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt' To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. @@ -957,7 +957,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4139511 +4139511, 4184813, 4180112 When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue. [ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock [ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query) [ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds @@ -980,7 +980,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4124376 +4124376, 4316163 The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier). To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in <a href="https://docs.nvidia.com/networking-ethernet-software/cumulus-linux/Installation-Management/Upgrading-Cumulus-Linux/#downgrade-a-secure-boot-switch">Downgrade a Secure Boot Switch</a>. 5.11.0-5.16.1 @@ -992,7 +992,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4105127 +4105127, 4796391 Any sFlow configuration changes that require an {{hsflowd}} restart are operational only after an initial delay of 60 seconds. 5.11.0-5.16.1 @@ -1016,7 +1016,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4049213 +4049213, 4186873 When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. 5.9.2-5.16.1 @@ -1034,7 +1034,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4005422 +4005422, 4015452 When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the {{systemctl enable ntpsec@<vrf>}} and {{systemctl restart ntpsec@<vrf>}} commands. 5.10.0-5.16.1 @@ -1191,7 +1191,7 @@ To work around this issue when using fiber cables: -3556762 +3556762, 3463827 On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. 5.5.0-5.16.1 @@ -1203,7 +1203,7 @@ To work around this issue when using fiber cables: -3538321 +3538321, 3564344 In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. 5.6.0-5.16.1 @@ -1227,19 +1227,19 @@ To work around this issue when using fiber cables: -3442569 +3442569, 3520880, 3586421 When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both {{nginx.service}} and {{nvued.service}} to begin authenticating users against the new authentication service. 5.5.0-5.16.1 -3430430 +3430430, 3337848 When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. 5.5.0-5.16.1 -3424967 +3424967, 3413785 {{sudo}} for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the {{default}} VRF. To work around this issue, specify the interface name that the {{default}} VRF uses in the {{vrf=}} setting of the {{/etc/tacplus_servers}} file or run the NVUE {{nv set system aaa tacacs vrf}} command. If you don't run either command, a TACACS+ user with privilege level 15 can run {{vrf task exec default sudo ...}} to execute the {{sudo}} command. 5.0.0-5.16.1 @@ -1252,7 +1252,7 @@ The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 -3414866 +3414866, 3536555, 4465009, 4509253, 4732973 Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error. sx_sdk: 22985 [BRIDGE] [ERROR ]: Port(0x200A000D)) already added to a bridge You can ignore this error; it has no impact on switch functionality. @@ -1314,7 +1314,7 @@ You can ignore this error; it has no impact on switch functionality. -3225117 +3225117, 3158720 Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. 5.4.0-5.16.1 @@ -1337,7 +1337,7 @@ To work around this issue, reference the OID without the preceding period ( {{.} -3145869 +3145869, 3430508, 3543102 On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. 5.2.0-5.16.1 @@ -1400,7 +1400,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -1408,7 +1408,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2885305 +2885305, 2887500, 3234087, 3074929, 3293192 Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. 5.0.0-5.16.1 @@ -1508,7 +1508,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -4926427 +4926427, 4926426 When you run the {{nv config apply}} command or the {{sudo systemctl reload frr.service}} command on a switch configured with VRF route leaking that has many BGP peers, VRFs, and BGP learned prefixes, FRR reload might time out. To work around this issue, run {{sudo systemctl edit frr.service}} to change the {{TimeoutSec=2m}} to a higher value and apply the changes with {{sudo systemctl daemon-reload}}. 5.15.0-5.16.1 5.9.5 @@ -1526,7 +1526,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -4918342 +4918342, 4641291 In rare circumstances, the switch stops streaming telemetry data for interface counters, buffers, or PHY. 5.13.0-5.16.1 @@ -1656,7 +1656,7 @@ To work around this issue, run the {{sudo systemctl restart hw-management-tc.ser 5.16.0-5.16.1 -4830305 +4830305, 4830251, 4834348 After an optimized image upgrade, certain disabled {{systemd}} services that are replaced with VRF-based services are reenabled. This results in multiple instances of the applications running, where they either fail to start or run with incorrect configuration. This issue occurs with, but is not limited to SSH, NTP and streaming telemetry services running with a custom VRF configuration. To work around this issue, after the upgrade, stop and disable the incorrect services, then restart the correct ones as required. 5.15.0-5.15.1 5.16.0-5.16.1 @@ -1715,7 +1715,7 @@ interface_stats_collector[3429270]: goroutine 5610 gp=0xc007814c40 m=16 mp=0xc00 5.16.0-5.16.1 -4789339 +4789339, 4540985 The {{interface_stats}} process might crash when a transceiver has non-ASCII data in EEPROM fields, such as vendor name or part number. 5.13.1-5.15.1 5.16.0-5.16.1 @@ -1764,7 +1764,7 @@ To work around this issue, use a YAML file instead of a text-based patch file or 5.16.0-5.16.1 -4776444 +4776444, 4594612, 4823905 In rare cases when telemetry is configured on a switch with high interface scale, the following log message might be generated and lead to a kernel crash event: interface_stats_collector[27979]: ERROR intf_stats_collector.go:485 WaitBulkCounterDone error: unable to receive trap info after 15 iterations @@ -1821,13 +1821,13 @@ interface_stats_collector[27979]: ERROR intf_stats_collector.go:485 WaitBulkCoun 5.16.0-5.16.1 -4752986 +4752986, 4851043 Warm reboot results in approximately 14 second traffic loss. 5.15.0-5.15.1 5.16.0-5.16.1 -4751060 +4751060, 4637733 If the switch filesystem is overloaded or memory is exhausted, you see very slow responses from the filesystem and the SDK might fail with a fatal error similar to: sxd_kernel: Health-Check: new failure (dev=1, severity='Fatal', cause=10 ['SDK thread issue'], irisc=255, desc='Health check: SDK thread [sxSniffer] TID [0x7f81cffff6c0] bit [4] does not respond [5] seconds') 5.12.0-5.15.1 @@ -1840,7 +1840,7 @@ sxd_kernel: Health-Check: new failure (dev=1, severity='Fatal', cause=10 ['SDK t 5.16.0-5.16.1 -4748176 +4748176, 4662528, 4652420 Unsupported hardware modules might cause SDK and firmware health event and traffic loss. 5.12.1-5.15.1 5.16.0-5.16.1 @@ -1852,7 +1852,7 @@ sxd_kernel: Health-Check: new failure (dev=1, severity='Fatal', cause=10 ['SDK t 5.16.0-5.16.1 -4740606 +4740606, 4783693 When you configure a port with a 802.1x IPv6 profile, then remove 802.1x, the port might block all ingress and egress traffic, including LLDP frames. This behavior is unintended and might impact network visibility and connectivity. To restore normal traffic flow on the affected port, remove the residual traffic-control filters by running the following commands: tc qdisc del dev <swp port> clsact 2>/dev/null tc qdisc del dev <swp port> ingress 2>/dev/null @@ -1989,7 +1989,7 @@ User name {} is already in use as OS group name 'and could not be used as userna 5.16.0-5.16.1 -4704406 +4704406, 4633883 TACACS authentication mode is not configured correctly in PAM common authentication and TACACS configuration files, which makes {{login}} the authentication mode regardless of the NVUE configuration. 5.14.0-5.15.1 5.16.0-5.16.1 @@ -2064,7 +2064,7 @@ interface_stats_collector[41358]: [signal SIGSEGV: segmentation violation code=0 5.16.0-5.16.1 -4657192 +4657192, 4414675 On the NVIDIA SN5640 switch, after you configure a port as unsplit, links do not come up while optics are in use. To work around this issue, use copper cables. 5.15.0-5.16.1 @@ -2076,13 +2076,13 @@ interface_stats_collector[41358]: [signal SIGSEGV: segmentation violation code=0 5.16.0-5.16.1 -4648833 +4648833, 4662556, 4687350 Interfaces using PAM4 DAC cables on switches with Spectrum-4 and later might not come up after a link flap or reboot if auto-negotiation is disabled. Auto-negotiation is required for PAM4 DAC cables on these switches. 5.15.0-5.16.1 -4643073 +4643073, 4643425 Concurrent {{mlxfwmanager --query}} executions triggered by gNMI telemetry polling might cause MFT deadlock, resulting in repeated core dumps, {{nvued}} restarts, and control plane unresponsiveness. 5.14.0-5.15.1 5.16.0-5.16.1 @@ -2112,7 +2112,7 @@ interface_stats_collector[41358]: [signal SIGSEGV: segmentation violation code=0 -4579237 +4579237, 4579234 If interface statistics telemetry is running on the switch, an {{interface_stats_collector}} core file might generate during statistics collection. 5.11.3-5.16.1 @@ -2124,7 +2124,7 @@ interface_stats_collector[41358]: [signal SIGSEGV: segmentation violation code=0 5.16.0-5.16.1 -4551249 +4551249, 4572507, 4573399, 4712858, 4919013 The NVUE service might fail during switch upgrade. To work around this issue, stop the {{sysmonitor}} with the {{sudo systemctl stop sysmonitor}} command, then upgrade the switch with the {{nv action upgrade system packages to latest}} command. 5.14.0-5.16.1 @@ -2146,7 +2146,7 @@ To work around this issue, restart the FRR service using the {{sudo systemctl re -4547463 +4547463, 4705370 When you try to run {{nv action boot-next}} commands during optimized image upgrade, the commands time out. This does not necessarily mean an issue occurred; the system might still be executing the action. To check that the action command completed before going to the next step to reboot the system: <ol><li>Find the Request ID for the REST API invocation corresponding to the {{nv action boot-next}} command by doing a grep for {{ActionKey.*boot-next}} in the /var/log/nvued.log}} file. For example, the value 3 in the {{Ran Job running ActionKey('@boot-next', '/system/image', (), 3, (('partition', 'partition1'),))}} line indicates the Request ID.</li> <li>Run the {{curl -u '<username>:<password>' -X GET https://127.0.0.1:8765/nvue_v1/action/<Request ID> -k}} command from the shell to show the status of the action command. If the value of {{state}} is {{action_success}}, the action command completed successfully. If the value of {{state}} is {{running}}, the system is still processing. If the value of {{state}} is {{action_error}}, the system encountered an error.</li></ol> @@ -2214,7 +2214,7 @@ To work around this issue, restart the FRR service using the {{sudo systemctl re -4509255 +4509255, 4546858 In PTP two-step, the hardware incorrectly modifies the SYNC message correction field. 5.12.0-5.16.1 @@ -2226,13 +2226,13 @@ To work around this issue, restart the FRR service using the {{sudo systemctl re -4501632 +4501632, 4530257 NVIDIA recommends you wait for approximately 60 seconds after running {{nv config apply}} before power cycling the switch so that NVUE database has time to sync to the filesystem. 5.14.0-5.16.1 -4495383 +4495383, 4493988 NVUE configuration yaml file translation converts unset commands to set commands because the translation logic expects only set commands. 5.13.0-5.16.1 @@ -2396,7 +2396,7 @@ cumulus@switch:~$ sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o "Dpkg::Optio -4154839 +4154839, 4280933, 4291934 When you run certain SDK commands (such as {{sudo sx_api_port_counter_dump_all.py}} or {{sx_api_fdb_dump}}) first as the cumulus user, then with {{sudo}}, you see the following error: PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt' To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. @@ -2410,7 +2410,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4139511 +4139511, 4184813, 4180112 When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue. [ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock [ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query) [ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds @@ -2433,7 +2433,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4124376 +4124376, 4316163 The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier). To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in <a href="https://docs.nvidia.com/networking-ethernet-software/cumulus-linux/Installation-Management/Upgrading-Cumulus-Linux/#downgrade-a-secure-boot-switch">Downgrade a Secure Boot Switch</a>. 5.11.0-5.16.1 @@ -2445,7 +2445,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4105127 +4105127, 4796391 Any sFlow configuration changes that require an {{hsflowd}} restart are operational only after an initial delay of 60 seconds. 5.11.0-5.16.1 @@ -2469,7 +2469,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4049213 +4049213, 4186873 When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. 5.9.2-5.16.1 @@ -2487,7 +2487,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4005422 +4005422, 4015452 When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the {{systemctl enable ntpsec@<vrf>}} and {{systemctl restart ntpsec@<vrf>}} commands. 5.10.0-5.16.1 @@ -2644,7 +2644,7 @@ To work around this issue when using fiber cables: -3556762 +3556762, 3463827 On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. 5.5.0-5.16.1 @@ -2656,7 +2656,7 @@ To work around this issue when using fiber cables: -3538321 +3538321, 3564344 In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. 5.6.0-5.16.1 @@ -2680,19 +2680,19 @@ To work around this issue when using fiber cables: -3442569 +3442569, 3520880, 3586421 When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both {{nginx.service}} and {{nvued.service}} to begin authenticating users against the new authentication service. 5.5.0-5.16.1 -3430430 +3430430, 3337848 When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. 5.5.0-5.16.1 -3424967 +3424967, 3413785 {{sudo}} for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the {{default}} VRF. To work around this issue, specify the interface name that the {{default}} VRF uses in the {{vrf=}} setting of the {{/etc/tacplus_servers}} file or run the NVUE {{nv set system aaa tacacs vrf}} command. If you don't run either command, a TACACS+ user with privilege level 15 can run {{vrf task exec default sudo ...}} to execute the {{sudo}} command. 5.0.0-5.16.1 @@ -2705,7 +2705,7 @@ The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 -3414866 +3414866, 3536555, 4465009, 4509253, 4732973 Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error. sx_sdk: 22985 [BRIDGE] [ERROR ]: Port(0x200A000D)) already added to a bridge You can ignore this error; it has no impact on switch functionality. @@ -2767,7 +2767,7 @@ You can ignore this error; it has no impact on switch functionality. -3225117 +3225117, 3158720 Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. 5.4.0-5.16.1 @@ -2790,7 +2790,7 @@ To work around this issue, reference the OID without the preceding period ( {{.} -3145869 +3145869, 3430508, 3543102 On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. 5.2.0-5.16.1 @@ -2853,7 +2853,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -2861,7 +2861,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2885305 +2885305, 2887500, 3234087, 3074929, 3293192 Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. 5.0.0-5.16.1 @@ -2904,7 +2904,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 Affects -4731804 +4731804, 4559992 NVUE might fail to apply a configuration due to a mishandling of ranges during a race condition and shows a message similar to the following (the issue is not limited to the transceiver ID or swp ranges): {{ Invalid config [rev_id: 2] The transceiver id[swp1-64] is not valid.}} @@ -2922,7 +2922,7 @@ To work around this issue, restart the {{nvued.service}}. To avoid this issue, c 5.14.0 -4680172 +4680172, 4633345 In extremely rare circumstances, during a GNMI subscription change for interface or QoS data, a Spectrum ASIC SDK health event ({{SX_HEALTH_FATAL: Health-Check: new failure }}) is observed and the process might become unresponsive. To recover from this issue, reboot the switch. 5.14.0 @@ -2932,7 +2932,7 @@ To work around this issue, restart the {{nvued.service}}. To avoid this issue, c 5.12.1-5.14.0 -4663076 +4663076, 3963232 When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. 5.3.1-5.9.4 @@ -2952,7 +2952,7 @@ To work around this issue, restart the {{nvued.service}}. To avoid this issue, c 4.4.2-5.14.0 -4647325 +4647325, 4861067 Running the {{nv config save}} command while a diff is pending might result in unexpected {{nv config diff}} output. To work around this issue, run the {{nv config diff --verbose}} command. 5.14.0 @@ -2962,12 +2962,12 @@ To work around this issue, restart the {{nvued.service}}. To avoid this issue, c 5.12.1-5.14.0 -4641806 +4641806, 4652004, 4652006 When gNMI streaming is enabled and clients are subscribed to system information such as the firmware version with xPath {{'/components/component[name=*]/state/firmware-version'}}, the {{nv config replace}} command might take longer than expected to complete. 5.14.0 -4641291 +4641291, 4703438, 4918342, 4923799 In rare circumstances, the switch stops streaming telemetry data for interface counters, buffers, or phy. 5.13.1-5.14.0 @@ -2987,7 +2987,7 @@ To work around this issue, restart the {{nvued.service}}. To avoid this issue, c 5.9.0-5.14.0 -4634976 +4634976, 4707726 When you run the {{nv action fetch system packages key <key>}} command, the command fails. To work around this issue, use the {{apt-key-adv --fetch-keys <key>}} command instead. 5.14.0 @@ -3032,7 +3032,7 @@ To work around this issue, restart the {{nvued.service}}. To avoid this issue, c 5.14.0 -4621451 +4621451, 4472414 Changing the gateway interface IP address on the DHCP relay causes DHCP relay to not forward the packet. To work around this issue, restart the DHCP relay service corresponding to the VRF on which it is running. 5.13.1-5.14.0 @@ -3142,12 +3142,12 @@ To work around this issue, restart the {{nvued.service}}. To avoid this issue, c 5.14.0 -4498428 +4498428, 4542680, 4574671 Due to a GCC update in Cumulus Linux 5.14, you might see unexpected log messages, such as {{BPF: Invalid name}} when using package upgrade to upgrade to Cumulus Linux 5.14. You can ignore these messages. 5.14.0 -4472414 +4472414, 4621451 After you modify the IP address of an SVI, DHCP relay uses an old cached IP address instead of the changed IP address. This occurs because DHCP relay monitors the link state change not IP address change. 5.11.0-5.14.0 diff --git a/content/cumulus-linux-516/Whats-New/rn.md b/content/cumulus-linux-516/Whats-New/rn.md index 91d712753b..59f3937f92 100644 --- a/content/cumulus-linux-516/Whats-New/rn.md +++ b/content/cumulus-linux-516/Whats-New/rn.md @@ -18,16 +18,16 @@ pdfhidden: True | [4963280](#4963280)
| Under certain scale scenarios, the switch might end up in a state where the PTM component's connection to LLDP breaks. This issue results in LLDP socket contention issues and, in turn, a PTM memory leak. | 5.9.1-5.16.1 | | | [4963277](#4963277)
| When many BFD sessions are configured at scale, ptmd might crash when one of the BFD sessions flaps. | 5.3.1-5.16.1 | | | [4963271](#4963271)
| PTM does not refresh certain entries and the PTM's neighbor status command (ptmctl -d) continues to show a neighbor that is already gone. This condition clears when the expected neighbor gets discovered. | 5.15.1-5.16.1 | | -| [4949347](#4949347)
| When interfaces experience authentication failures and retries due to Radius or host misconfiguration, NVUE commands such as nv show interface dot1x-summary and nv show interface dot1x-ipv6-summary become slow and unresponsive. To work around this issue, ensure the RADIUS server is reachable and correctly configured, and that client credentials and certificates are valid. The hostapd_cli slowdown is triggered by repeated authentication failures causing deauthentication and re-authentication cycles. Resolving the underlying authentication failures eliminates the blocking behavior. | 5.16.1 | | +| [4949347, 4949346](#4949347, 4949346)
| When interfaces experience authentication failures and retries due to Radius or host misconfiguration, NVUE commands such as nv show interface dot1x-summary and nv show interface dot1x-ipv6-summary become slow and unresponsive. To work around this issue, ensure the RADIUS server is reachable and correctly configured, and that client credentials and certificates are valid. The hostapd_cli slowdown is triggered by repeated authentication failures causing deauthentication and re-authentication cycles. Resolving the underlying authentication failures eliminates the blocking behavior. | 5.16.1 | | | [4931702](#4931702)
| When you launch a Cumulus VX 5.16.1 image in Air with switch emulation, you see the systemd-remount-fs.service systemd service in a failed state. This issue has no functional impact. | 5.16.1 | | | [4930970](#4930970)
| Unreachability routes originated locally (for example, due to a link-down event) display incorrect BGP origin attribute values in show commands and JSON output. The origin shows as IGP instead of incomplete and JSON fields include redundant origin symbols in the AS path string. | 5.16.0-5.16.1 | | | [4930152](#4930152)
| When you configure layer 3 SVI interfaces with an anycast gateway (VRR) IP address only and no unique IP address, the connected route for the subnet is not programmed in the ASIC, causing packets destined for locally connected hosts to drop after decapsulation. | 5.11.3-5.16.1 | | -| [4926427](#4926427)
| When you run the nv config apply command or the sudo systemctl reload frr.service command on a switch configured with VRF route leaking that has many BGP peers, VRFs, and BGP learned prefixes, FRR reload might time out. To work around this issue, run sudo systemctl edit frr.service to change the TimeoutSec=2m to a higher value and apply the changes with sudo systemctl daemon-reload. | 5.15.0-5.16.1 | 5.9.5| +| [4926427, 4926426](#4926427, 4926426)
| When you run the nv config apply command or the sudo systemctl reload frr.service command on a switch configured with VRF route leaking that has many BGP peers, VRFs, and BGP learned prefixes, FRR reload might time out. To work around this issue, run sudo systemctl edit frr.service to change the TimeoutSec=2m to a higher value and apply the changes with sudo systemctl daemon-reload. | 5.15.0-5.16.1 | 5.9.5| | [4925516](#4925516)
| If Cumulus Linux generates a core file while automatic cl-support file generation is deactivated, automatic file generation does not work for core files even after you reactivate automatic cl-support file generation but does work for other types of failures, such as service failures and restarts.
To clear this problem condition and get automatic cl-support file generation working for cores again, run the following commands:
cumulus@switch:~$ sudo systemctl reset-failed cumulus-core.service
cumulus@switch:~$ sudo systemctl restart cumulus-core.service
cumulus@switch:~$ sudo systemctl reset-failed cumulus-core.path
cumulus@switch:~$ sudo systemctl restart cumulus-core.path
| 5.16.1 | | -| [4925514](#4925514)
| Core processing services such as cumulus-core.service and cumulus-core.path might enter a failed state due to systemd start rate limiting caused by rapid start and stop cycles. This issue can prevent core files from being included in subsequent automatically generated cl-support collections even after you reactivate automatic cl-support generation after deactivation due to a chain of faults. Newly generated core files might accumulate, potentially leading to /var partition exhaustion. To recover from this condition, run the sudo systemctl reset-failed cumulus-core.service cumulus-core.path command. | 5.16.1 | | +| [4925514, 4919006](#4925514, 4919006)
| Core processing services such as cumulus-core.service and cumulus-core.path might enter a failed state due to systemd start rate limiting caused by rapid start and stop cycles. This issue can prevent core files from being included in subsequent automatically generated cl-support collections even after you reactivate automatic cl-support generation after deactivation due to a chain of faults. Newly generated core files might accumulate, potentially leading to /var partition exhaustion. To recover from this condition, run the sudo systemctl reset-failed cumulus-core.service cumulus-core.path command. | 5.16.1 | | | [4925316](#4925316)
| Known registered multicast traffic is duplicated to receivers behind an EVPN-MH dual-homed access switch. | 5.16.0-5.16.1 | | | [4918507](#4918507)
| When you upgrade Cumulus Linux from a prior release with package upgrade, TACACS users with a restricted bash shell might not be able to recall shell commands from history with the up and down arrow keys. | 5.16.0-5.16.1 | | -| [4918342](#4918342)
| In rare circumstances, the switch stops streaming telemetry data for interface counters, buffers, or PHY. | 5.13.0-5.16.1 | | +| [4918342, 4641291](#4918342, 4641291)
| In rare circumstances, the switch stops streaming telemetry data for interface counters, buffers, or PHY. | 5.13.0-5.16.1 | | | [4917759](#4917759)
| BGP sessions configured with an explicit IPv6 link local peer address might result in stale or invalid next hop tracking entries after a session disruption. | 5.14.0-5.16.1 | | | [4908392](#4908392)
| In the multicast routing path (ip_mr_output) you might encounter a self-deadlock issue in one CPU that causes the kernel lock up (the switch reboots). | 5.15.1-5.16.1 | | | [4905123](#4905123)
| When a spine undergoes a cold reboot (reboot -f) while BGP Graceful Restart is configured, the leaf (acting as the GR helper) retains stale routes from the spine. When the links on the spine come back up before the restart timer expires but before BGP has converged, the leaf revalidates these stale routes and installs them in the FIB, forwarding traffic to a peer that has no routes programmed in hardware yet. To work around this issue, either disable BGP Graceful Restart helper mode on the leaf so that routes are immediately withdrawn when the spine goes down, or perform a warm reboot on the spine instead of a cold reboot so that forwarding state is preserved and links remain up throughout the restart. | 5.16.0-5.16.1 | | @@ -39,7 +39,7 @@ pdfhidden: True | [4893569](#4893569)
| NVUE allows invalid interfaces with leading zeroes; for example, swp000001. | 5.16.0-5.16.1 | | | [4889939](#4889939)
| In an MLAG configuration, when the MLAG node receives MLAG peer keepalives from an IP address that is not configured as the peer IP address, a peer IP address mismatch conflict occurs. Even after the conflict is resolved, you sometimes see that the MLAG session still retains the peer IP mismatch conflict. | 5.14.0-5.16.1 | | | [4885553](#4885553)
| If ZTP uses a proxy server for image download using onie-install, the image install fails with signing issues. | 5.12.0-5.16.1 | | -| [4885474](#4885474)
| During warm boot, a transient error ERR Failed to enable ipv4-mc for VRF tbl-id:0 vr-id:1 appears in the switchd log. You can ignore this error; VRF configuration is not affected. | 5.16.0-5.16.1 | | +| [4885474, 4891596](#4885474, 4891596)
| During warm boot, a transient error ERR Failed to enable ipv4-mc for VRF tbl-id:0 vr-id:1 appears in the switchd log. You can ignore this error; VRF configuration is not affected. | 5.16.0-5.16.1 | | | [4883698](#4883698)
| Removing or replacing private ASNs or replacing private ASNs with public ASNs under the ipv4-unreachability or ipv6-unreachability address family on a BGP neighbor or peer group causes FRR reload to fail. FRR does not support these options for the unreachability address families. | 5.16.0-5.16.1 | | | [4883569](#4883569)
| Removing or replacing private ASNs or replacing private ASNs with public ASNs under the ipv4-unreachability or ipv6-unreachability address family on a BGP neighbor or peer group causes FRR reload to fail. FRR does not support these options for the unreachability address families. | 5.16.0-5.16.1 | | | [4882392](#4882392)
| If you run the nv show evpn access-vlan-info vlan command after deleting a bond interface, which is part of a bridge, the server encounters an internal error. | 5.9.1-5.16.1 | | @@ -58,25 +58,25 @@ pdfhidden: True | [4840423](#4840423)
| Running traceroute in an SRv6 topology is unsuccessful. | 5.16.0-5.16.1 | | | [4840299](#4840299)
| If you use NVUE commands to change the BGP autonomous system number (ASN) for existing VRFs without deleting the associated EVPN VNI, FRR reload fails and shows an error during nv config apply. Be sure to delete the layer 3 VNI before changing the BGP ASN or restart FRR after the AS change. | 5.9.1-5.16.1 | | | [4824056](#4824056)
| Adding a bond member fails when the member port has subinterfaces and you unset the subinterface and add the bond member under same commit. | 5.16.0-5.16.1 | | -| [4820187](#4820187)
| The firmware includes two asserts assert id = [0xc2e], [0x627] that are categorized incorrectly as fatal. The firmware has reduced the severity of these asserts and they no longer result in health event and switchd crashes. | 5.16.0-5.16.1 | | +| [4820187, 4895566](#4820187, 4895566)
| The firmware includes two asserts assert id = [0xc2e], [0x627] that are categorized incorrectly as fatal. The firmware has reduced the severity of these asserts and they no longer result in health event and switchd crashes. | 5.16.0-5.16.1 | | | [4804084](#4804084)
| On switches at scale with OTEL enabled, an interface_stats_collector crash might occur with the following logs:
interface_stats_collector[3429270]: ERROR
 buffer_stats_collector.go:1875 SDK bulk counter read failed
interface_stats_collector[3429270]: fatal error: concurrent map iteration and map write
interface_stats_collector[3429270]: goroutine 5610 gp=0xc007814c40 m=16 mp=0xc000552808 [running]:
| 5.14.0-5.16.1 | | | [4776471](#4776471)
| In Cumulus Linux 5.15.0, NTP and DNS configuration commands changed from nv set service to nv set system. However, after upgrading the switch to Cumulus Linux 5.15.1, the nv set service command might still appear in the configuration output because a stale nv set service command remains after the configuration is translated during the upgrade. If you save the configuration with the nv config show -o commands, then reapply the configuration with nv config replace, the command fails if the stale nv set service command is present.
To workaround this issue, before applying the configuration with nv config replace, remove any stale nv set service commands from the saved configuration file, then reapply the configuration with the nv config replace command. | 5.15.0-5.16.1 | | -| [4774686](#4774686)
| The final hop does not respond to traceroute with the layer 4 protocol set to TCP or UDP. | 5.16.0-5.16.1 | | +| [4774686, 4764590](#4774686, 4764590)
| The final hop does not respond to traceroute with the layer 4 protocol set to TCP or UDP. | 5.16.0-5.16.1 | | | [4722680](#4722680)
| If you install RADIUS client packages when rolling back a two partition upgrade, the /var/lib/nvue, /var/lib/ntpsec, and /var/lib/snmp directories might have incorrect ownership after rollback and the nvued service might fail to start up. To work around this issue, run the following commands:
sudo chown -R nvue /var/lib/nvue
sudo chown -R ntpsec /var/lib/ntpsec
sudo chown -R Debian-snmp /var/lib/snmp
sudo reboot
| 5.11.4-5.16.1 | | | [4717494](#4717494)
| When you run the nv show vrf default router rib command, NVUE returns an ItemDoesNotExist error. To work around this issue, run the following commands to retrieve IPv6 routing information:
nv show vrf default router rib ipv6
nv show vrf default router rib ipv6 route
| 5.15.0-5.16.1 | | | [4667792](#4667792)
| Usernames longer than 32 characters do not authenticate against the switch. Avoid using long usernames. | 5.14.0-5.16.1 | | | [4662854](#4662854)
| If you configure a DSCP match as ANY, the gNMI subscription does not show DSCP as ANY. The OpenConfig model supports only integer DSCP values. | 5.15.0-5.16.1 | | -| [4657192](#4657192)
| On the NVIDIA SN5640 switch, after you configure a port as unsplit, links do not come up while optics are in use. To work around this issue, use copper cables. | 5.15.0-5.16.1 | | -| [4648833](#4648833)
| Interfaces using PAM4 DAC cables on switches with Spectrum-4 and later might not come up after a link flap or reboot if auto-negotiation is disabled. Auto-negotiation is required for PAM4 DAC cables on these switches. | 5.15.0-5.16.1 | | +| [4657192, 4414675](#4657192, 4414675)
| On the NVIDIA SN5640 switch, after you configure a port as unsplit, links do not come up while optics are in use. To work around this issue, use copper cables. | 5.15.0-5.16.1 | | +| [4648833, 4662556, 4687350](#4648833, 4662556, 4687350)
| Interfaces using PAM4 DAC cables on switches with Spectrum-4 and later might not come up after a link flap or reboot if auto-negotiation is disabled. Auto-negotiation is required for PAM4 DAC cables on these switches. | 5.15.0-5.16.1 | | | [4641344](#4641344)
| The switch sends out IPv6 neighbor discovery (ND) router advertisement through an interface that does not have router advertisement enabled. To prevent this issue, do not change or remove the remote-as of a peer-group that is used by BGP unnumbered peers. To work around this issue, restart FRR. | 5.14.0-5.16.1 | | | [4641343](#4641343)
| The switch sends out IPv6 neighbor discovery (ND) router advertisement through an interface that does not have router advertisement enabled. To prevent this issue, do not change or remove the remote-as of a peer-group that is used by BGP unnumbered peers. To work around this issue, restart FRR. | 5.14.0-5.16.1 | | | [4608614](#4608614)
| When setting up SSH keys, you have to run nv config apply twice for the configuration to take effect. | 5.11.3-5.16.1 | | | [4582679](#4582679)
| If a node has Suppress Route Advertisement enabled and routes are re-learned; for example, when a peer sends the route again due to route policy changes, or you enable or disable graceful shutdown, not all routes are offloaded, which might cause discrepancies in traffic. | 5.9.4-5.16.1 | | -| [4579237](#4579237)
| If interface statistics telemetry is running on the switch, an interface_stats_collector core file might generate during statistics collection. | 5.11.3-5.16.1 | | -| [4551249](#4551249)
| The NVUE service might fail during switch upgrade. To work around this issue, stop the sysmonitor with the sudo systemctl stop sysmonitor command, then upgrade the switch with the nv action upgrade system packages to latest command. | 5.14.0-5.16.1 | | +| [4579237, 4579234](#4579237, 4579234)
| If interface statistics telemetry is running on the switch, an interface_stats_collector core file might generate during statistics collection. | 5.11.3-5.16.1 | | +| [4551249, 4572507, 4573399, 4712858, 4919013](#4551249, 4572507, 4573399, 4712858, 4919013)
| The NVUE service might fail during switch upgrade. To work around this issue, stop the sysmonitor with the sudo systemctl stop sysmonitor command, then upgrade the switch with the nv action upgrade system packages to latest command. | 5.14.0-5.16.1 | | | [4549896](#4549896)
| When you try to set a VXLAN with a bridge, you see the error sx_sdk: 22985 [BRIDGE] [ERROR ]: Port(0x200A000D)) already added to a bridge. You can safely ignore this error. | 5.14.0-5.16.1 | | | [4548512](#4548512)
| When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface vlan10, the route might install against vlan10-v0. This prevents next-hop tracking and route installation into hardware.
This issue can occur in the following conditions:
  • When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.
  • In an MLAG and VRR configuration, static routes fail to install when the route is resolved through a connected route and the interface of the connected route undergoes a link state change for any reason, such as link flaps, interface bring-up, clagd restart, switchd restart, etc.

To work around this issue, restart the FRR service using the sudo systemctl restart frr.service command. | 5.11.0-5.16.1 | | -| [4547463](#4547463)
| When you try to run nv action boot-next commands during optimized image upgrade, the commands time out. This does not necessarily mean an issue occurred; the system might still be executing the action.
To check that the action command completed before going to the next step to reboot the system:
  1. Find the Request ID for the REST API invocation corresponding to the nv action boot-next command by doing a grep for ActionKey.*boot-next in the /var/log/nvued.log file. For example, the value 3 in the Ran Job running ActionKey('@boot-next', '/system/image', (), 3, (('partition', 'partition1'),)) line indicates the Request ID.
  2. Run the curl -u ':\' -X GET https://127.0.0.1:8765/nvue_v1/action/ -k command from the shell to show the status of the action command. If the value of state is action_success, the action command completed successfully. If the value of state is running, the system is still processing. If the value of state is action_error, the system encountered an error.
| 5.14.0-5.16.1 | | +| [4547463, 4705370](#4547463, 4705370)
| When you try to run nv action boot-next commands during optimized image upgrade, the commands time out. This does not necessarily mean an issue occurred; the system might still be executing the action.
To check that the action command completed before going to the next step to reboot the system:
  1. Find the Request ID for the REST API invocation corresponding to the nv action boot-next command by doing a grep for ActionKey.*boot-next in the /var/log/nvued.log file. For example, the value 3 in the Ran Job running ActionKey('@boot-next', '/system/image', (), 3, (('partition', 'partition1'),)) line indicates the Request ID.
  2. Run the curl -u ':\' -X GET https://127.0.0.1:8765/nvue_v1/action/ -k command from the shell to show the status of the action command. If the value of state is action_success, the action command completed successfully. If the value of state is running, the system is still processing. If the value of state is action_error, the system encountered an error.
| 5.14.0-5.16.1 | | | [4535856](#4535856)
| When you try to import an invalid server certificate file, Cumulus Linux does not import the certificate file but fails to show an error message. | 5.13.0-5.16.1 | | | [4535843](#4535843)
| After a switch reboot, the nv show system health command shows incorrect system LED status and color. | 5.13.0-5.16.1 | | | [4535806](#4535806)
| After a factory reset, the switch does not clear the /var/tmp directory, which the switch uses for temporary files. | 5.14.0-5.16.1 | | @@ -87,10 +87,10 @@ pdfhidden: True | [4534357](#4534357)
| During Cumulus Linux upgrade or downgrade, rsyslog might crash because the management (eth0) port is unavailable, which triggers a use-after-free fault and produces a cl-support file as a response. | 5.13.1-5.16.1 | | | [4531960](#4531960)
| The GNMI Subscription to xpath interfaces/interface[name=swp61s0]/state/counters/out-pkts with a high sample interval results in an initial response of zero but in subsequent updates, the value is correct. You do not see this issue when the sample interval is 1 second. | 5.14.0-5.16.1 | | | [4513849](#4513849)
| After upgrading from Cumulus Linux 5.12 on the NVIDIA SN5400 switch bonus port, PTP does not converge. To work around this issue, disable, then enable the bonus port after upgrade. | 5.13.0-5.16.1 | | -| [4509255](#4509255)
| In PTP two-step, the hardware incorrectly modifies the SYNC message correction field. | 5.12.0-5.16.1 | | +| [4509255, 4546858](#4509255, 4546858)
| In PTP two-step, the hardware incorrectly modifies the SYNC message correction field. | 5.12.0-5.16.1 | | | [4508830](#4508830)
| Cumulus Linux allows you to add bond ports of mismatched speeds (such as 10G and 25G) to the same LACP bond without error and the bond reports UP. | 5.11.2-5.16.1 | | -| [4501632](#4501632)
| NVIDIA recommends you wait for approximately 60 seconds after running nv config apply before power cycling the switch so that NVUE database has time to sync to the filesystem. | 5.14.0-5.16.1 | | -| [4495383](#4495383)
| NVUE configuration yaml file translation converts unset commands to set commands because the translation logic expects only set commands. | 5.13.0-5.16.1 | | +| [4501632, 4530257](#4501632, 4530257)
| NVIDIA recommends you wait for approximately 60 seconds after running nv config apply before power cycling the switch so that NVUE database has time to sync to the filesystem. | 5.14.0-5.16.1 | | +| [4495383, 4493988](#4495383, 4493988)
| NVUE configuration yaml file translation converts unset commands to set commands because the translation logic expects only set commands. | 5.13.0-5.16.1 | | | [4495231](#4495231)
| If the hardware clock date is later than 2038-01-19 03:14:07 UTC, the image might fail to install due to a grub-install failure on the EFI filesystem, which is a VFAT filesystem. As a result, you see the grub prompt immediately after reboot. To work around this issue, reboot from the grub prompt to go into ONIE. From ONIE, use the date command to set a date before 2038-01-19, then run the hwclock --systohc command to add it to the hardware clock. You can then use onie-nos-install to install the image. | 5.9.0-5.16.1 | | | [4475401](#4475401)
| External input such as Ctrl+\ might trigger core dumps on the serial console from /bin/login. This behavior is caused by external sources, such as console servers or automation tools, and does not reflect a fault in the operating system. As a potential result, the serial console might become unresponsive. | 5.14.0-5.16.1 | | | [4475111](#4475111)
| When you try to convert a layer 3 port that is part of ECMP to a bond member, you might see a failure in the switchd logs. This issue does not have any functional impact. | 5.11.2-5.16.1 | 5.9.4| @@ -117,21 +117,21 @@ pdfhidden: True | [4236419](#4236419)
| On the Spectrum-3 switch, the PTP offset for 25GbE fluctuates within a range of plus or minus 50 nanoseconds beyond the expected values. | 5.12.0-5.16.1 | | | [4214678](#4214678)
| Changes to open telemetry configuration or export states restarts the telemetry service and resets all health metrics. | 5.12.0-5.16.1 | | | [4177067](#4177067)
| When performing a package upgrade, nslcd installation might open an interactive dialog to configure nslcd.conf .
To avoid this interactive dialog, set the DEBIAN_FRONTEND environment variable to noninteractive. For example:
cumulus@switch:~$ sudo apt-get update
cumulus@switch:~$ sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold" upgrade
| 5.11.0-5.16.1 | | -| [4154839](#4154839)
| When you run certain SDK commands (such as sudo sx_api_port_counter_dump_all.py or sx_api_fdb_dump) first as the cumulus user, then with sudo, you see the following error:
PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt'

To resolve this issue, run the rm -rf /tmp/python_err_log.txt command. | 5.11.0-5.16.1 | | +| [4154839, 4280933, 4291934](#4154839, 4280933, 4291934)
| When you run certain SDK commands (such as sudo sx_api_port_counter_dump_all.py or sx_api_fdb_dump) first as the cumulus user, then with sudo, you see the following error:
PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt'

To resolve this issue, run the rm -rf /tmp/python_err_log.txt command. | 5.11.0-5.16.1 | | | [4142857](#4142857)
| The switch drops PTP packets received with extra ethernet padding and you see syslog [ptp4l.ERR] messages. | 5.10.0-5.16.1 | | -| [4139511](#4139511)
| When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue.
[ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds
[ 1903.846724] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.852689] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.861573] hwmon hwmon28: Failed to query module temperature
| 5.11.0-5.16.1 | | +| [4139511, 4184813, 4180112](#4139511, 4184813, 4180112)
| When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue.
[ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds
[ 1903.846724] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.852689] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.861573] hwmon hwmon28: Failed to query module temperature
| 5.11.0-5.16.1 | | | [4134447](#4134447)
| The journal logs might include the error message ERR kernel: [ 7.453789] usb usb2-port2: connect-debounce failed. You can safely ignore this log message. | 5.11.0-5.16.1 | | | [4129757](#4129757)
| If you include a comma in the BGP community list, extended community list, or large community list regex expression of a routing policy, you see error messages and FRR reload fails. Make sure the regex expression does not contain a comma.
For example, instead of ^65550:([0-9]{1,2}\|[1-9][1-9]):.*$, specify ^65550:([0-9]\|[0-9][0-9]):.*$ and instead of ^65550:([0-4]{1,2}\|[7-9][8-9]):.*$, specify ^65550:([0-4]\|[0-4][0-4]\|[7-9][8-9]):.*$. | 5.11.0-5.16.1 | | -| [4124376](#4124376)
| The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier).
To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in Downgrade a Secure Boot Switch. | 5.11.0-5.16.1 | | +| [4124376, 4316163](#4124376, 4316163)
| The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier).
To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in Downgrade a Secure Boot Switch. | 5.11.0-5.16.1 | | | [4118970](#4118970)
| When running PTP, the performance for 100Gx2 and 400Gx8 can have a high offset in up to 1.5% of the sampling. | 5.11.0-5.16.1 | | -| [4105127](#4105127)
| Any sFlow configuration changes that require an hsflowd restart are operational only after an initial delay of 60 seconds. | 5.11.0-5.16.1 | | +| [4105127, 4796391](#4105127, 4796391)
| Any sFlow configuration changes that require an hsflowd restart are operational only after an initial delay of 60 seconds. | 5.11.0-5.16.1 | | | [4100629](#4100629)
| NVUE show command outputs show LLDP neighbor changes only after the LLDP update frequency multiplied by the hold time. | 5.11.0-5.16.1 | | | [4082210](#4082210)
| When you change the CPU resource limit with the nv set service control rsyslog resource-limit cpu command, the rsyslog agent does not start. To work around this issue, increase the CPU resource limit, then restart the service manually. | 5.11.0-5.16.1 | | | [4077921](#4077921)
| You cannot use package upgrade to upgrade from Cumulus Linux 5.9.2 to Cumulus Linux 5.10.1 or later. You must install the Cumulus Linux image instead. | 5.10.1-5.16.1 | | -| [4049213](#4049213)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | +| [4049213, 4186873](#4049213, 4186873)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | | [4047798](#4047798)
| Packet distribution based on ECMP hashing using GTP-TEID does not function as expected in an EVPN Clos topology. | 5.10.0-5.16.1 | | | [4030380](#4030380)
| When you roll back interface configuration to the default setting with the nv unset interface command, NVUE removes the complete entry for the interface from the /etc/network/interface file, and puts the interface in admin down. As a result, you cannot configure FEC on the interface at the lower layers. | 5.10.0-5.16.1 | | -| [4005422](#4005422)
| When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the systemctl enable ntpsec@ and systemctl restart ntpsec@ commands. | 5.10.0-5.16.1 | | +| [4005422, 4015452](#4005422, 4015452)
| When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the systemctl enable ntpsec@ and systemctl restart ntpsec@ commands. | 5.10.0-5.16.1 | | | [3985682](#3985682)
| On Spectrum-4 switches, multicast flows containing packets smaller than 512 bytes might not reach full line rate. Cumulus Linux supports 512 byte and larger multicast packets. | 5.10.0-5.16.1 | | | [3966312](#3966312)
| When connecting the SN5xxx switch to third party test equipment (such as IXIA) using copper cables at 100GbE, 200GbE, 400GbE, or 800GbE, links do not come up. | 5.10.0-5.16.1 | | | [3948068](#3948068)
| On the SN3700 and SN3700c switch, the nv show platform environment voltage command output shows a failed state for the PSU-n-12V-RAIL-OUT sensors. This is a known hardware limitation that cannot be corrected by the PSU vendor. | 5.10.0-5.16.1 | | @@ -153,17 +153,17 @@ pdfhidden: True | [3637444](#3637444)
| Applying an inbound control plane ACL on the eth0 management interface does not take effect. To work around this issue, apply the ACL on the mgmt interface; for example, nv set interface mgmt acl inbound control-plane. | 5.7.0-5.16.1 | | | [3591918](#3591918)
| The nv action disconnect system aaa user command does not clear all open sessions. To work around this issue, run the command as many times as the number of sessions. | 5.6.0-5.16.1 | | | [3587393](#3587393)
| If you use the NVIDIA SN5600 (Spectrum-4) switch with Ixia test equipment, you might experience delayed link up due to intermittent link flaps.
To work around this issue when using copper cables:
  • Use Ixia IxOS version 9.37 with HF002156, or version 9.39 or later.
  • Use the DAC cable on ports 10 through 50.
  • Use NVIDIA cables with the recommended firmware revision.
  • Configure AN on the Cumulus Linux switch and AN/LT on Ixia.

To work around this issue when using fiber cables:
  • Configure 800g/Force.
  • Use the recommended NVIDIA optical adapters.
| 5.6.0-5.16.1 | | -| [3556762](#3556762)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | +| [3556762, 3463827](#3556762, 3463827)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | | [3540510](#3540510)
| 400Gx8 ports only support traffic line rate with packets that are larger than 172 bytes. | 5.6.0-5.16.1 | | -| [3538321](#3538321)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | +| [3538321, 3564344](#3538321, 3564344)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | | [3497622](#3497622)
| When you remove PSUs, then plug them back in, you might experience traffic loss and some ports might be in a down state. | 5.6.0-5.16.1 | | | [3472163](#3472163)
| On a switch with the Spectrum-4 ASIC, packets that are smaller than 256 bytes are not included in multicast flows. Multicast flows support packets that are 256 bytes or larger. | 5.6.0-5.16.1 | | | [3444490](#3444490)
| Migration from ONYX to Cumulus Linux is supported and tested with ONYX version 3.10.4302 GA only. | 5.6.0-5.16.1 | | -| [3442569](#3442569)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | -| [3430430](#3430430)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | -| [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | +| [3442569, 3520880, 3586421](#3442569, 3520880, 3586421)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | +| [3430430, 3337848](#3430430, 3337848)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | +| [3424967, 3413785](#3424967, 3413785)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [3414866](#3414866)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | +| [3414866, 3536555, 4465009, 4509253, 4732973](#3414866, 3536555, 4465009, 4509253, 4732973)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | | [3362113](#3362113)
| If you restore an NVUE startup.yaml file or run the nv config patch command after an upgrade that includes breakout ports with QoS configuration, the NVUE configuration fails to apply. Subsequent attempts to run nv config apply fail with a message similar to Invalid config [rev_id: 11] qos config is not supported on the following invalid interface: swp1s0. Supported on swp and bond interface types. To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. | 5.4.0-5.16.1 | | | [3347538](#3347538)
| When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.16.1 | | | [3341214](#3341214)
| If you use the NVUE REST API to configure a local user with a hashed password, the user cannot log in and the /etc/nvue.d/startup.yaml file shows the password as plain text. | 5.4.0-5.16.1 | | @@ -173,10 +173,10 @@ pdfhidden: True | [3253218](#3253218)
| Auto-negotiation isn't supported on Spectrum-2 and Spectrum-3 switches using the 1G SFP-T module; FORCE 1G is configured instead. | 5.4.0-5.16.1 | | | [3241567](#3241567)
| When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time. | 5.3.0-5.16.1 | | | [3226506](#3226506)
| The l1-show eth0 command does not show port information and is not supported in this release. | 5.3.0-5.16.1 | | -| [3225117](#3225117)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | +| [3225117, 3158720](#3225117, 3158720)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | | [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.16.1 | | | [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.16.1 | | -| [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | +| [3145869, 3430508, 3543102](#3145869, 3430508, 3543102)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | | [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example: 
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.16.1 | | | [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.16.1 | | | [3103821](#3103821)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.16.1 | | @@ -186,8 +186,8 @@ pdfhidden: True | [3061656](#3061656)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.16.1 | | | [2972540](#2972540)
| With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.16.1 | | | [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.16.1 | | -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [2885305](#2885305)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2885305, 2887500, 3234087, 3074929, 3293192](#2885305, 2887500, 3234087, 3074929, 3293192)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.16.1 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.16.1 | | | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | @@ -225,7 +225,7 @@ pdfhidden: True | [4963271](#4963271)
| PTM does not refresh certain entries and the PTM's neighbor status command (ptmctl -d) continues to show a neighbor that is already gone. This condition clears when the expected neighbor gets discovered. | 5.15.1-5.16.1 | | | [4930970](#4930970)
| Unreachability routes originated locally (for example, due to a link-down event) display incorrect BGP origin attribute values in show commands and JSON output. The origin shows as IGP instead of incomplete and JSON fields include redundant origin symbols in the AS path string. | 5.16.0-5.16.1 | | | [4930152](#4930152)
| When you configure layer 3 SVI interfaces with an anycast gateway (VRR) IP address only and no unique IP address, the connected route for the subnet is not programmed in the ASIC, causing packets destined for locally connected hosts to drop after decapsulation. | 5.11.3-5.16.1 | | -| [4926427](#4926427)
| When you run the nv config apply command or the sudo systemctl reload frr.service command on a switch configured with VRF route leaking that has many BGP peers, VRFs, and BGP learned prefixes, FRR reload might time out. To work around this issue, run sudo systemctl edit frr.service to change the TimeoutSec=2m to a higher value and apply the changes with sudo systemctl daemon-reload. | 5.15.0-5.16.1 | 5.9.5| +| [4926427, 4926426](#4926427, 4926426)
| When you run the nv config apply command or the sudo systemctl reload frr.service command on a switch configured with VRF route leaking that has many BGP peers, VRFs, and BGP learned prefixes, FRR reload might time out. To work around this issue, run sudo systemctl edit frr.service to change the TimeoutSec=2m to a higher value and apply the changes with sudo systemctl daemon-reload. | 5.15.0-5.16.1 | 5.9.5| | [4925515](#4925515)
| When you exceed the maximum number of ports allowed (30) in an 802.1x IPv6 profile, IPv6 addresses are not allocated to additional ports even if authentication is successful. To work around this issue, create additional profiles with the same configuration, associating no more than 30 interfaces to each profile. | 5.16.0-5.16.1 | | | [4925316](#4925316)
| Known registered multicast traffic is duplicated to receivers behind an EVPN-MH dual-homed access switch. | 5.16.0-5.16.1 | | | [4923828](#4923828)
| When cl-support files generate in quick succession due to a chain of faults, the cl-support files are not generated correctly. | 5.16.0-5.16.1 | | @@ -243,7 +243,7 @@ pdfhidden: True | [4922093](#4922093)
| When core files generate or persist due to repeated faults after tech-support auto-generation deactivates, the switch repeatedly attempts to trigger tech-support collection resulting in continuous error messages. | 5.16.0-5.16.1 | | | [4922090](#4922090)
| When you configure OTEL to generate a large number of metrics with a small sample interval but the remote receiver is unreachable, OTEL collector memory usage might increase rapidly leading to the OTEL collector being Out Of Memory Killed. | 5.16.0-5.16.1 | | | [4918507](#4918507)
| When you upgrade Cumulus Linux from a prior release with package upgrade, TACACS users with a restricted bash shell might not be able to recall shell commands from history with the up and down arrow keys. | 5.16.0-5.16.1 | | -| [4918342](#4918342)
| In rare circumstances, the switch stops streaming telemetry data for interface counters, buffers, or PHY. | 5.13.0-5.16.1 | | +| [4918342, 4641291](#4918342, 4641291)
| In rare circumstances, the switch stops streaming telemetry data for interface counters, buffers, or PHY. | 5.13.0-5.16.1 | | | [4917759](#4917759)
| BGP sessions configured with an explicit IPv6 link local peer address might result in stale or invalid next hop tracking entries after a session disruption. | 5.14.0-5.16.1 | | | [4908392](#4908392)
| In the multicast routing path (ip_mr_output) you might encounter a self-deadlock issue in one CPU that causes the kernel lock up (the switch reboots). | 5.15.1-5.16.1 | | | [4905123](#4905123)
| When a spine undergoes a cold reboot (reboot -f) while BGP Graceful Restart is configured, the leaf (acting as the GR helper) retains stale routes from the spine. When the links on the spine come back up before the restart timer expires but before BGP has converged, the leaf revalidates these stale routes and installs them in the FIB, forwarding traffic to a peer that has no routes programmed in hardware yet. To work around this issue, either disable BGP Graceful Restart helper mode on the leaf so that routes are immediately withdrawn when the spine goes down, or perform a warm reboot on the spine instead of a cold reboot so that forwarding state is preserved and links remain up throughout the restart. | 5.16.0-5.16.1 | | @@ -255,7 +255,7 @@ pdfhidden: True | [4893569](#4893569)
| NVUE allows invalid interfaces with leading zeroes; for example, swp000001. | 5.16.0-5.16.1 | | | [4889939](#4889939)
| In an MLAG configuration, when the MLAG node receives MLAG peer keepalives from an IP address that is not configured as the peer IP address, a peer IP address mismatch conflict occurs. Even after the conflict is resolved, you sometimes see that the MLAG session still retains the peer IP mismatch conflict. | 5.14.0-5.16.1 | | | [4885553](#4885553)
| If ZTP uses a proxy server for image download using onie-install, the image install fails with signing issues. | 5.12.0-5.16.1 | | -| [4885474](#4885474)
| During warm boot, a transient error ERR Failed to enable ipv4-mc for VRF tbl-id:0 vr-id:1 appears in the switchd log. You can ignore this error; VRF configuration is not affected. | 5.16.0-5.16.1 | | +| [4885474, 4891596](#4885474, 4891596)
| During warm boot, a transient error ERR Failed to enable ipv4-mc for VRF tbl-id:0 vr-id:1 appears in the switchd log. You can ignore this error; VRF configuration is not affected. | 5.16.0-5.16.1 | | | [4883698](#4883698)
| Removing or replacing private ASNs or replacing private ASNs with public ASNs under the ipv4-unreachability or ipv6-unreachability address family on a BGP neighbor or peer group causes FRR reload to fail. FRR does not support these options for the unreachability address families. | 5.16.0-5.16.1 | | | [4883569](#4883569)
| Removing or replacing private ASNs or replacing private ASNs with public ASNs under the ipv4-unreachability or ipv6-unreachability address family on a BGP neighbor or peer group causes FRR reload to fail. FRR does not support these options for the unreachability address families. | 5.16.0-5.16.1 | | | [4882392](#4882392)
| If you run the nv show evpn access-vlan-info vlan command after deleting a bond interface, which is part of a bridge, the server encounters an internal error. | 5.9.1-5.16.1 | | @@ -274,25 +274,25 @@ pdfhidden: True | [4840423](#4840423)
| Running traceroute in an SRv6 topology is unsuccessful. | 5.16.0-5.16.1 | | | [4840299](#4840299)
| If you use NVUE commands to change the BGP autonomous system number (ASN) for existing VRFs without deleting the associated EVPN VNI, FRR reload fails and shows an error during nv config apply. Be sure to delete the layer 3 VNI before changing the BGP ASN or restart FRR after the AS change. | 5.9.1-5.16.1 | | | [4824056](#4824056)
| Adding a bond member fails when the member port has subinterfaces and you unset the subinterface and add the bond member under same commit. | 5.16.0-5.16.1 | | -| [4820187](#4820187)
| The firmware includes two asserts assert id = [0xc2e], [0x627] that are categorized incorrectly as fatal. The firmware has reduced the severity of these asserts and they no longer result in health event and switchd crashes. | 5.16.0-5.16.1 | | +| [4820187, 4895566](#4820187, 4895566)
| The firmware includes two asserts assert id = [0xc2e], [0x627] that are categorized incorrectly as fatal. The firmware has reduced the severity of these asserts and they no longer result in health event and switchd crashes. | 5.16.0-5.16.1 | | | [4804084](#4804084)
| On switches at scale with OTEL enabled, an interface_stats_collector crash might occur with the following logs:
interface_stats_collector[3429270]: ERROR
 buffer_stats_collector.go:1875 SDK bulk counter read failed
interface_stats_collector[3429270]: fatal error: concurrent map iteration and map write
interface_stats_collector[3429270]: goroutine 5610 gp=0xc007814c40 m=16 mp=0xc000552808 [running]:
| 5.14.0-5.16.1 | | | [4776471](#4776471)
| In Cumulus Linux 5.15.0, NTP and DNS configuration commands changed from nv set service to nv set system. However, after upgrading the switch to Cumulus Linux 5.15.1, the nv set service command might still appear in the configuration output because a stale nv set service command remains after the configuration is translated during the upgrade. If you save the configuration with the nv config show -o commands, then reapply the configuration with nv config replace, the command fails if the stale nv set service command is present.
To workaround this issue, before applying the configuration with nv config replace, remove any stale nv set service commands from the saved configuration file, then reapply the configuration with the nv config replace command. | 5.15.0-5.16.1 | | -| [4774686](#4774686)
| The final hop does not respond to traceroute with the layer 4 protocol set to TCP or UDP. | 5.16.0-5.16.1 | | +| [4774686, 4764590](#4774686, 4764590)
| The final hop does not respond to traceroute with the layer 4 protocol set to TCP or UDP. | 5.16.0-5.16.1 | | | [4722680](#4722680)
| If you install RADIUS client packages when rolling back a two partition upgrade, the /var/lib/nvue, /var/lib/ntpsec, and /var/lib/snmp directories might have incorrect ownership after rollback and the nvued service might fail to start up. To work around this issue, run the following commands:
sudo chown -R nvue /var/lib/nvue
sudo chown -R ntpsec /var/lib/ntpsec
sudo chown -R Debian-snmp /var/lib/snmp
sudo reboot
| 5.11.4-5.16.1 | | | [4717494](#4717494)
| When you run the nv show vrf default router rib command, NVUE returns an ItemDoesNotExist error. To work around this issue, run the following commands to retrieve IPv6 routing information:
nv show vrf default router rib ipv6
nv show vrf default router rib ipv6 route
| 5.15.0-5.16.1 | | | [4667792](#4667792)
| Usernames longer than 32 characters do not authenticate against the switch. Avoid using long usernames. | 5.14.0-5.16.1 | | | [4662854](#4662854)
| If you configure a DSCP match as ANY, the gNMI subscription does not show DSCP as ANY. The OpenConfig model supports only integer DSCP values. | 5.15.0-5.16.1 | | -| [4657192](#4657192)
| On the NVIDIA SN5640 switch, after you configure a port as unsplit, links do not come up while optics are in use. To work around this issue, use copper cables. | 5.15.0-5.16.1 | | -| [4648833](#4648833)
| Interfaces using PAM4 DAC cables on switches with Spectrum-4 and later might not come up after a link flap or reboot if auto-negotiation is disabled. Auto-negotiation is required for PAM4 DAC cables on these switches. | 5.15.0-5.16.1 | | +| [4657192, 4414675](#4657192, 4414675)
| On the NVIDIA SN5640 switch, after you configure a port as unsplit, links do not come up while optics are in use. To work around this issue, use copper cables. | 5.15.0-5.16.1 | | +| [4648833, 4662556, 4687350](#4648833, 4662556, 4687350)
| Interfaces using PAM4 DAC cables on switches with Spectrum-4 and later might not come up after a link flap or reboot if auto-negotiation is disabled. Auto-negotiation is required for PAM4 DAC cables on these switches. | 5.15.0-5.16.1 | | | [4641344](#4641344)
| The switch sends out IPv6 neighbor discovery (ND) router advertisement through an interface that does not have router advertisement enabled. To prevent this issue, do not change or remove the remote-as of a peer-group that is used by BGP unnumbered peers. To work around this issue, restart FRR. | 5.14.0-5.16.1 | | | [4641343](#4641343)
| The switch sends out IPv6 neighbor discovery (ND) router advertisement through an interface that does not have router advertisement enabled. To prevent this issue, do not change or remove the remote-as of a peer-group that is used by BGP unnumbered peers. To work around this issue, restart FRR. | 5.14.0-5.16.1 | | | [4608614](#4608614)
| When setting up SSH keys, you have to run nv config apply twice for the configuration to take effect. | 5.11.3-5.16.1 | | | [4582679](#4582679)
| If a node has Suppress Route Advertisement enabled and routes are re-learned; for example, when a peer sends the route again due to route policy changes, or you enable or disable graceful shutdown, not all routes are offloaded, which might cause discrepancies in traffic. | 5.9.4-5.16.1 | | -| [4579237](#4579237)
| If interface statistics telemetry is running on the switch, an interface_stats_collector core file might generate during statistics collection. | 5.11.3-5.16.1 | | -| [4551249](#4551249)
| The NVUE service might fail during switch upgrade. To work around this issue, stop the sysmonitor with the sudo systemctl stop sysmonitor command, then upgrade the switch with the nv action upgrade system packages to latest command. | 5.14.0-5.16.1 | | +| [4579237, 4579234](#4579237, 4579234)
| If interface statistics telemetry is running on the switch, an interface_stats_collector core file might generate during statistics collection. | 5.11.3-5.16.1 | | +| [4551249, 4572507, 4573399, 4712858, 4919013](#4551249, 4572507, 4573399, 4712858, 4919013)
| The NVUE service might fail during switch upgrade. To work around this issue, stop the sysmonitor with the sudo systemctl stop sysmonitor command, then upgrade the switch with the nv action upgrade system packages to latest command. | 5.14.0-5.16.1 | | | [4549896](#4549896)
| When you try to set a VXLAN with a bridge, you see the error sx_sdk: 22985 [BRIDGE] [ERROR ]: Port(0x200A000D)) already added to a bridge. You can safely ignore this error. | 5.14.0-5.16.1 | | | [4548512](#4548512)
| When a connected route for an SVI interface with VRR configured is installed by FRR, the route might be installed with the next hop interface of the VRR device instead of the SVI. For example, instead of interface vlan10, the route might install against vlan10-v0. This prevents next-hop tracking and route installation into hardware.
This issue can occur in the following conditions:
  • When initially configuring VRF route leaking, the target VRF might not install a route into hardware when leaking directly connected routes for SVI interfaces with VRR enabled.
  • In an MLAG and VRR configuration, static routes fail to install when the route is resolved through a connected route and the interface of the connected route undergoes a link state change for any reason, such as link flaps, interface bring-up, clagd restart, switchd restart, etc.

To work around this issue, restart the FRR service using the sudo systemctl restart frr.service command. | 5.11.0-5.16.1 | | -| [4547463](#4547463)
| When you try to run nv action boot-next commands during optimized image upgrade, the commands time out. This does not necessarily mean an issue occurred; the system might still be executing the action.
To check that the action command completed before going to the next step to reboot the system:
  1. Find the Request ID for the REST API invocation corresponding to the nv action boot-next command by doing a grep for ActionKey.*boot-next in the /var/log/nvued.log file. For example, the value 3 in the Ran Job running ActionKey('@boot-next', '/system/image', (), 3, (('partition', 'partition1'),)) line indicates the Request ID.
  2. Run the curl -u ':\' -X GET https://127.0.0.1:8765/nvue_v1/action/ -k command from the shell to show the status of the action command. If the value of state is action_success, the action command completed successfully. If the value of state is running, the system is still processing. If the value of state is action_error, the system encountered an error.
| 5.14.0-5.16.1 | | +| [4547463, 4705370](#4547463, 4705370)
| When you try to run nv action boot-next commands during optimized image upgrade, the commands time out. This does not necessarily mean an issue occurred; the system might still be executing the action.
To check that the action command completed before going to the next step to reboot the system:
  1. Find the Request ID for the REST API invocation corresponding to the nv action boot-next command by doing a grep for ActionKey.*boot-next in the /var/log/nvued.log file. For example, the value 3 in the Ran Job running ActionKey('@boot-next', '/system/image', (), 3, (('partition', 'partition1'),)) line indicates the Request ID.
  2. Run the curl -u ':\' -X GET https://127.0.0.1:8765/nvue_v1/action/ -k command from the shell to show the status of the action command. If the value of state is action_success, the action command completed successfully. If the value of state is running, the system is still processing. If the value of state is action_error, the system encountered an error.
| 5.14.0-5.16.1 | | | [4535856](#4535856)
| When you try to import an invalid server certificate file, Cumulus Linux does not import the certificate file but fails to show an error message. | 5.13.0-5.16.1 | | | [4535843](#4535843)
| After a switch reboot, the nv show system health command shows incorrect system LED status and color. | 5.13.0-5.16.1 | | | [4535806](#4535806)
| After a factory reset, the switch does not clear the /var/tmp directory, which the switch uses for temporary files. | 5.14.0-5.16.1 | | @@ -303,10 +303,10 @@ pdfhidden: True | [4534357](#4534357)
| During Cumulus Linux upgrade or downgrade, rsyslog might crash because the management (eth0) port is unavailable, which triggers a use-after-free fault and produces a cl-support file as a response. | 5.13.1-5.16.1 | | | [4531960](#4531960)
| The GNMI Subscription to xpath interfaces/interface[name=swp61s0]/state/counters/out-pkts with a high sample interval results in an initial response of zero but in subsequent updates, the value is correct. You do not see this issue when the sample interval is 1 second. | 5.14.0-5.16.1 | | | [4513849](#4513849)
| After upgrading from Cumulus Linux 5.12 on the NVIDIA SN5400 switch bonus port, PTP does not converge. To work around this issue, disable, then enable the bonus port after upgrade. | 5.13.0-5.16.1 | | -| [4509255](#4509255)
| In PTP two-step, the hardware incorrectly modifies the SYNC message correction field. | 5.12.0-5.16.1 | | +| [4509255, 4546858](#4509255, 4546858)
| In PTP two-step, the hardware incorrectly modifies the SYNC message correction field. | 5.12.0-5.16.1 | | | [4508830](#4508830)
| Cumulus Linux allows you to add bond ports of mismatched speeds (such as 10G and 25G) to the same LACP bond without error and the bond reports UP. | 5.11.2-5.16.1 | | -| [4501632](#4501632)
| NVIDIA recommends you wait for approximately 60 seconds after running nv config apply before power cycling the switch so that NVUE database has time to sync to the filesystem. | 5.14.0-5.16.1 | | -| [4495383](#4495383)
| NVUE configuration yaml file translation converts unset commands to set commands because the translation logic expects only set commands. | 5.13.0-5.16.1 | | +| [4501632, 4530257](#4501632, 4530257)
| NVIDIA recommends you wait for approximately 60 seconds after running nv config apply before power cycling the switch so that NVUE database has time to sync to the filesystem. | 5.14.0-5.16.1 | | +| [4495383, 4493988](#4495383, 4493988)
| NVUE configuration yaml file translation converts unset commands to set commands because the translation logic expects only set commands. | 5.13.0-5.16.1 | | | [4495231](#4495231)
| If the hardware clock date is later than 2038-01-19 03:14:07 UTC, the image might fail to install due to a grub-install failure on the EFI filesystem, which is a VFAT filesystem. As a result, you see the grub prompt immediately after reboot. To work around this issue, reboot from the grub prompt to go into ONIE. From ONIE, use the date command to set a date before 2038-01-19, then run the hwclock --systohc command to add it to the hardware clock. You can then use onie-nos-install to install the image. | 5.9.0-5.16.1 | | | [4475401](#4475401)
| External input such as Ctrl+\ might trigger core dumps on the serial console from /bin/login. This behavior is caused by external sources, such as console servers or automation tools, and does not reflect a fault in the operating system. As a potential result, the serial console might become unresponsive. | 5.14.0-5.16.1 | | | [4475111](#4475111)
| When you try to convert a layer 3 port that is part of ECMP to a bond member, you might see a failure in the switchd logs. This issue does not have any functional impact. | 5.11.2-5.16.1 | 5.9.4| @@ -333,21 +333,21 @@ pdfhidden: True | [4236419](#4236419)
| On the Spectrum-3 switch, the PTP offset for 25GbE fluctuates within a range of plus or minus 50 nanoseconds beyond the expected values. | 5.12.0-5.16.1 | | | [4214678](#4214678)
| Changes to open telemetry configuration or export states restarts the telemetry service and resets all health metrics. | 5.12.0-5.16.1 | | | [4177067](#4177067)
| When performing a package upgrade, nslcd installation might open an interactive dialog to configure nslcd.conf .
To avoid this interactive dialog, set the DEBIAN_FRONTEND environment variable to noninteractive. For example:
cumulus@switch:~$ sudo apt-get update
cumulus@switch:~$ sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o "Dpkg::Options::=--force-confdef" -o "Dpkg::Options::=--force-confold" upgrade
| 5.11.0-5.16.1 | | -| [4154839](#4154839)
| When you run certain SDK commands (such as sudo sx_api_port_counter_dump_all.py or sx_api_fdb_dump) first as the cumulus user, then with sudo, you see the following error:
PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt'

To resolve this issue, run the rm -rf /tmp/python_err_log.txt command. | 5.11.0-5.16.1 | | +| [4154839, 4280933, 4291934](#4154839, 4280933, 4291934)
| When you run certain SDK commands (such as sudo sx_api_port_counter_dump_all.py or sx_api_fdb_dump) first as the cumulus user, then with sudo, you see the following error:
PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt'

To resolve this issue, run the rm -rf /tmp/python_err_log.txt command. | 5.11.0-5.16.1 | | | [4142857](#4142857)
| The switch drops PTP packets received with extra ethernet padding and you see syslog [ptp4l.ERR] messages. | 5.10.0-5.16.1 | | -| [4139511](#4139511)
| When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue.
[ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds
[ 1903.846724] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.852689] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.861573] hwmon hwmon28: Failed to query module temperature
| 5.11.0-5.16.1 | | +| [4139511, 4184813, 4180112](#4139511, 4184813, 4180112)
| When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue.
[ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds
[ 1903.846724] mlxsw_minimal 2-0048: Could not acquire lock
[ 1903.852689] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query)
[ 1903.861573] hwmon hwmon28: Failed to query module temperature
| 5.11.0-5.16.1 | | | [4134447](#4134447)
| The journal logs might include the error message ERR kernel: [ 7.453789] usb usb2-port2: connect-debounce failed. You can safely ignore this log message. | 5.11.0-5.16.1 | | | [4129757](#4129757)
| If you include a comma in the BGP community list, extended community list, or large community list regex expression of a routing policy, you see error messages and FRR reload fails. Make sure the regex expression does not contain a comma.
For example, instead of ^65550:([0-9]{1,2}\|[1-9][1-9]):.*$, specify ^65550:([0-9]\|[0-9][0-9]):.*$ and instead of ^65550:([0-4]{1,2}\|[7-9][8-9]):.*$, specify ^65550:([0-4]\|[0-4][0-4]\|[7-9][8-9]):.*$. | 5.11.0-5.16.1 | | -| [4124376](#4124376)
| The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier).
To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in Downgrade a Secure Boot Switch. | 5.11.0-5.16.1 | | +| [4124376, 4316163](#4124376, 4316163)
| The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier).
To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in Downgrade a Secure Boot Switch. | 5.11.0-5.16.1 | | | [4118970](#4118970)
| When running PTP, the performance for 100Gx2 and 400Gx8 can have a high offset in up to 1.5% of the sampling. | 5.11.0-5.16.1 | | -| [4105127](#4105127)
| Any sFlow configuration changes that require an hsflowd restart are operational only after an initial delay of 60 seconds. | 5.11.0-5.16.1 | | +| [4105127, 4796391](#4105127, 4796391)
| Any sFlow configuration changes that require an hsflowd restart are operational only after an initial delay of 60 seconds. | 5.11.0-5.16.1 | | | [4100629](#4100629)
| NVUE show command outputs show LLDP neighbor changes only after the LLDP update frequency multiplied by the hold time. | 5.11.0-5.16.1 | | | [4082210](#4082210)
| When you change the CPU resource limit with the nv set service control rsyslog resource-limit cpu command, the rsyslog agent does not start. To work around this issue, increase the CPU resource limit, then restart the service manually. | 5.11.0-5.16.1 | | | [4077921](#4077921)
| You cannot use package upgrade to upgrade from Cumulus Linux 5.9.2 to Cumulus Linux 5.10.1 or later. You must install the Cumulus Linux image instead. | 5.10.1-5.16.1 | | -| [4049213](#4049213)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | +| [4049213, 4186873](#4049213, 4186873)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | | [4047798](#4047798)
| Packet distribution based on ECMP hashing using GTP-TEID does not function as expected in an EVPN Clos topology. | 5.10.0-5.16.1 | | | [4030380](#4030380)
| When you roll back interface configuration to the default setting with the nv unset interface command, NVUE removes the complete entry for the interface from the /etc/network/interface file, and puts the interface in admin down. As a result, you cannot configure FEC on the interface at the lower layers. | 5.10.0-5.16.1 | | -| [4005422](#4005422)
| When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the systemctl enable ntpsec@ and systemctl restart ntpsec@ commands. | 5.10.0-5.16.1 | | +| [4005422, 4015452](#4005422, 4015452)
| When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the systemctl enable ntpsec@ and systemctl restart ntpsec@ commands. | 5.10.0-5.16.1 | | | [3985682](#3985682)
| On Spectrum-4 switches, multicast flows containing packets smaller than 512 bytes might not reach full line rate. Cumulus Linux supports 512 byte and larger multicast packets. | 5.10.0-5.16.1 | | | [3966312](#3966312)
| When connecting the SN5xxx switch to third party test equipment (such as IXIA) using copper cables at 100GbE, 200GbE, 400GbE, or 800GbE, links do not come up. | 5.10.0-5.16.1 | | | [3948068](#3948068)
| On the SN3700 and SN3700c switch, the nv show platform environment voltage command output shows a failed state for the PSU-n-12V-RAIL-OUT sensors. This is a known hardware limitation that cannot be corrected by the PSU vendor. | 5.10.0-5.16.1 | | @@ -369,17 +369,17 @@ pdfhidden: True | [3637444](#3637444)
| Applying an inbound control plane ACL on the eth0 management interface does not take effect. To work around this issue, apply the ACL on the mgmt interface; for example, nv set interface mgmt acl inbound control-plane. | 5.7.0-5.16.1 | | | [3591918](#3591918)
| The nv action disconnect system aaa user command does not clear all open sessions. To work around this issue, run the command as many times as the number of sessions. | 5.6.0-5.16.1 | | | [3587393](#3587393)
| If you use the NVIDIA SN5600 (Spectrum-4) switch with Ixia test equipment, you might experience delayed link up due to intermittent link flaps.
To work around this issue when using copper cables:
  • Use Ixia IxOS version 9.37 with HF002156, or version 9.39 or later.
  • Use the DAC cable on ports 10 through 50.
  • Use NVIDIA cables with the recommended firmware revision.
  • Configure AN on the Cumulus Linux switch and AN/LT on Ixia.

To work around this issue when using fiber cables:
  • Configure 800g/Force.
  • Use the recommended NVIDIA optical adapters.
| 5.6.0-5.16.1 | | -| [3556762](#3556762)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | +| [3556762, 3463827](#3556762, 3463827)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | | [3540510](#3540510)
| 400Gx8 ports only support traffic line rate with packets that are larger than 172 bytes. | 5.6.0-5.16.1 | | -| [3538321](#3538321)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | +| [3538321, 3564344](#3538321, 3564344)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | | [3497622](#3497622)
| When you remove PSUs, then plug them back in, you might experience traffic loss and some ports might be in a down state. | 5.6.0-5.16.1 | | | [3472163](#3472163)
| On a switch with the Spectrum-4 ASIC, packets that are smaller than 256 bytes are not included in multicast flows. Multicast flows support packets that are 256 bytes or larger. | 5.6.0-5.16.1 | | | [3444490](#3444490)
| Migration from ONYX to Cumulus Linux is supported and tested with ONYX version 3.10.4302 GA only. | 5.6.0-5.16.1 | | -| [3442569](#3442569)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | -| [3430430](#3430430)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | -| [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | +| [3442569, 3520880, 3586421](#3442569, 3520880, 3586421)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | +| [3430430, 3337848](#3430430, 3337848)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | +| [3424967, 3413785](#3424967, 3413785)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [3414866](#3414866)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | +| [3414866, 3536555, 4465009, 4509253, 4732973](#3414866, 3536555, 4465009, 4509253, 4732973)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | | [3362113](#3362113)
| If you restore an NVUE startup.yaml file or run the nv config patch command after an upgrade that includes breakout ports with QoS configuration, the NVUE configuration fails to apply. Subsequent attempts to run nv config apply fail with a message similar to Invalid config [rev_id: 11] qos config is not supported on the following invalid interface: swp1s0. Supported on swp and bond interface types. To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. | 5.4.0-5.16.1 | | | [3347538](#3347538)
| When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.16.1 | | | [3341214](#3341214)
| If you use the NVUE REST API to configure a local user with a hashed password, the user cannot log in and the /etc/nvue.d/startup.yaml file shows the password as plain text. | 5.4.0-5.16.1 | | @@ -389,10 +389,10 @@ pdfhidden: True | [3253218](#3253218)
| Auto-negotiation isn't supported on Spectrum-2 and Spectrum-3 switches using the 1G SFP-T module; FORCE 1G is configured instead. | 5.4.0-5.16.1 | | | [3241567](#3241567)
| When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time. | 5.3.0-5.16.1 | | | [3226506](#3226506)
| The l1-show eth0 command does not show port information and is not supported in this release. | 5.3.0-5.16.1 | | -| [3225117](#3225117)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | +| [3225117, 3158720](#3225117, 3158720)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | | [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.16.1 | | | [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.16.1 | | -| [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | +| [3145869, 3430508, 3543102](#3145869, 3430508, 3543102)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | | [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example: 
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.16.1 | | | [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.16.1 | | | [3103821](#3103821)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.16.1 | | @@ -402,8 +402,8 @@ pdfhidden: True | [3061656](#3061656)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.16.1 | | | [2972540](#2972540)
| With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.16.1 | | | [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.16.1 | | -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [2885305](#2885305)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2885305, 2887500, 3234087, 3074929, 3293192](#2885305, 2887500, 3234087, 3074929, 3293192)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.16.1 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.16.1 | | | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | @@ -424,7 +424,7 @@ pdfhidden: True | [4838636](#4838636)
| A bad reading of a module temperature sensor results in fan speeds being set to high. The temperature read error seen in /var/log/tc_log is:
ERROR - module22: err on module22_temp_input count 3

To work around this issue, run the sudo systemctl restart hw-management-tc.service command during a maintenance window. This command clears the faulty read_error that brings down the fan speed. | 5.15.0-5.15.1 | | | [4838527](#4838527)
| On a high port scale system, streaming telemetry for interface and buffer statistics (GNMI or OTEL) together with the PFC watchdog feature, causes samples of telemetry data to fail to export from the system periodically and kernel memory use might increase. | 5.14.0-5.15.1 | | | [4835058](#4835058)
| When you add or remove bond members, the sflow state and rate are incorrect. | 5.13.1-5.15.1 | | -| [4830305](#4830305)
| After an optimized image upgrade, certain disabled systemd services that are replaced with VRF-based services are reenabled. This results in multiple instances of the applications running, where they either fail to start or run with incorrect configuration. This issue occurs with, but is not limited to SSH, NTP and streaming telemetry services running with a custom VRF configuration. To work around this issue, after the upgrade, stop and disable the incorrect services, then restart the correct ones as required. | 5.15.0-5.15.1 | | +| [4830305, 4830251, 4834348](#4830305, 4830251, 4834348)
| After an optimized image upgrade, certain disabled systemd services that are replaced with VRF-based services are reenabled. This results in multiple instances of the applications running, where they either fail to start or run with incorrect configuration. This issue occurs with, but is not limited to SSH, NTP and streaming telemetry services running with a custom VRF configuration. To work around this issue, after the upgrade, stop and disable the incorrect services, then restart the correct ones as required. | 5.15.0-5.15.1 | | | [4829730](#4829730)
| The interface-stats-collector might crash during boot or when services restart if the SDK process is not fully up. The interface-stats-collector eventually comes up on a subsequent restart. | 5.15.1 | | | [4826181](#4826181)
| When you apply EVPN layer 3 VNI and BGP AS configurations together for a VRF, an internal AS number inconsistency might occur between the FRR running configuration and the /etc/frr/frr.conf file. When you try to apply any configuration using frr-reload, NVUE detects this pre-existing inconsistency and triggers an unnecessary FRR restart, causing BGP session flaps. To work around this issue, apply BGP configuration before EVPN layer 3 VNI configuration in separate commits. | 5.14.0-5.15.1 | | | [4823999](#4823999)
| When making interface changes with NVUE, you might see the following message after you run the nv config apply command:


update-ports returned with error (code 254): switchd ports.conf node status not ready switchd validate_node is absent/not ready ports configuration(ports.conf/ports_width.conf) is invalid
| 5.14.0-5.15.1 | | @@ -437,7 +437,7 @@ pdfhidden: True | [4799272](#4799272)
| When nvued.log triggers log rotation, it also forces rotation of all three logs (nvued, nv-cli, and nv-api). As a result, the nv-cli logs are rotated unnecessarily, which might eventually lead to missing nv-cli.log entries due to excessive rotations. | 5.15.0-5.15.1 | | | [4797691](#4797691)
| The message that the switch displays when you generate a cl-support file or as a post login banner contains an invalid Cumulus Support email address, which is no longer the formal channel for reporting support issues. | 5.0.0-5.9.4, 5.15.1 | | | [4789562](#4789562)
| A switch running Nvidia Cumulus Linux may improperly forward routed packets out of an access port or on the native vlan of a trunk with an 802.1Q tag imposed on the packet. | 5.12.1-5.15.1 | | -| [4789339](#4789339)
| The interface_stats process might crash when a transceiver has non-ASCII data in EEPROM fields, such as vendor name or part number. | 5.13.1-5.15.1 | | +| [4789339, 4540985](#4789339, 4540985)
| The interface_stats process might crash when a transceiver has non-ASCII data in EEPROM fields, such as vendor name or part number. | 5.13.1-5.15.1 | | | [4789097](#4789097)
| The switch deletes a static blackhole route even when the blackhole type specified in the delete command does not match the configured type. | 5.9.4-5.15.1 | | | [4783824](#4783824)
| RoCE ingress reserved pools do not display correct values for ports that are not operationally UP. Switch ports that were never operational or not operational after setting RoCE mode do not have RoCE reserved pool buffers allocated but the nv show interface qos roce status command displays an invalid buffer size. | 5.14.0-5.15.1 | | | [4781602](#4781602)
| Some internal OTLP metrics were incorrectly exported by the system. | | | @@ -445,18 +445,18 @@ pdfhidden: True | [4781498](#4781498)
| When you use a text-based patch file with nv config patch cmd.txt or nv config replace cmd.txt, if the cmd.txt file contains any of the following CLI commands, the patch operation fails and triggers an exception in NVUE:
nv set system aaa auth order radius 
nv set system ssh-server ciphers 
nv set system ssh-server macs 
nv set system ssh-server kex-algorithms 
nv set system ssh-server pubkey-accepted-algorithms 
nv set system ssh-server host-key-algorithms

To work around this issue, use a YAML file instead of a text-based patch file or run the nv set commands manually. | 5.15.0-5.15.1 | | | [4776501](#4776501)
| When you configure a VRF that does not exist for NTP, the switch attempts to start the NTP service in that VRF and fails instead of indicating that the VRF does not exist. The configuration change does not take effect and NTP continues to work in the current VRF. | 5.15.1 | | | [4776470](#4776470)
| In Cumulus Linux 5.15.0, NTP and DNS configuration commands changed from nv set service to nv set system. However, after upgrading the switch to Cumulus Linux 5.15.1, the nv set service command might still appear in the configuration output because a stale nv set service command remains after the configuration is translated during the upgrade. If you save the configuration with the nv config show -o commands, then reapply the configuration with nv config replace, the command fails if the stale nv set service command is present.
To workaround this issue, before applying the configuration with nv config replace, remove any stale nv set service commands from the saved configuration file, then reapply the configuration with the nv config replace command. | 5.15.0-5.15.1 | | -| [4776444](#4776444)
| In rare cases when telemetry is configured on a switch with high interface scale, the following log message might be generated and lead to a kernel crash event:
interface_stats_collector[27979]: ERROR intf_stats_collector.go:485 WaitBulkCounterDone error: unable to receive trap info after 15 iterations
| 5.15.0-5.15.1 | | +| [4776444, 4594612, 4823905](#4776444, 4594612, 4823905)
| In rare cases when telemetry is configured on a switch with high interface scale, the following log message might be generated and lead to a kernel crash event:
interface_stats_collector[27979]: ERROR intf_stats_collector.go:485 WaitBulkCounterDone error: unable to receive trap info after 15 iterations
| 5.15.0-5.15.1 | | | [4776390](#4776390)
| gNMI subscription changes for interface counters, buffer, packet trim, latency or any other statistics produced by the prometheus-sdk-stats service leads to a change in the service configuration file causing the load interval configuration to be removed. This results in a rate calculation done with an interval of 60s instead of the interval configured in NVUE. | 5.15.0-5.15.1 | | | [4771865](#4771865)
| When you change the RADIUS privilege level, all affected existing RADIUS users are not updated in the next session to the relevant privilege level. | 5.15.0-5.15.1 | | | [4771785](#4771785)
| NVUE drop counters and ethtool output do not show the packets discarded because the destination MAC address does not match the router MAC address. | 5.14.0-5.15.1 | | | [4771521](#4771521)
| Layer 3 multicast traffic does not forward when OMF (Optimized Multicast Flooding) and PIM is enabled. To work around this issue, flap the router port. | 5.9.2-5.15.1 | | -| [4752986](#4752986)
| Warm reboot results in approximately 14 second traffic loss. | 5.15.0-5.15.1 | | -| [4751060](#4751060)
| If the switch filesystem is overloaded or memory is exhausted, you see very slow responses from the filesystem and the SDK might fail with a fatal error similar to:
sxd_kernel: Health-Check: new failure (dev=1, severity='Fatal', cause=10 ['SDK thread issue'], irisc=255, desc='Health check: SDK thread [sxSniffer] TID [0x7f81cffff6c0] bit [4] does not respond [5] seconds')
| 5.12.0-5.15.1 | | +| [4752986, 4851043](#4752986, 4851043)
| Warm reboot results in approximately 14 second traffic loss. | 5.15.0-5.15.1 | | +| [4751060, 4637733](#4751060, 4637733)
| If the switch filesystem is overloaded or memory is exhausted, you see very slow responses from the filesystem and the SDK might fail with a fatal error similar to:
sxd_kernel: Health-Check: new failure (dev=1, severity='Fatal', cause=10 ['SDK thread issue'], irisc=255, desc='Health check: SDK thread [sxSniffer] TID [0x7f81cffff6c0] bit [4] does not respond [5] seconds')
| 5.12.0-5.15.1 | | | [4748963](#4748963)
| In an MLAG configuration with PVRST spanning tree mode configured on both switches, when the primary switch comes back up after a reboot, PVRST mode briefly changes to RSTP, then back to PVRST. | 5.13.1-5.15.1 | | -| [4748176](#4748176)
| Unsupported hardware modules might cause SDK and firmware health event and traffic loss. | 5.12.1-5.15.1 | | +| [4748176, 4662528, 4652420](#4748176, 4662528, 4652420)
| Unsupported hardware modules might cause SDK and firmware health event and traffic loss. | 5.12.1-5.15.1 | | | [4743814](#4743814)
| The switch clears the QoS buffer max usage values in the nv show interface qos buffer egress-traffic-class command output when a gNMI client subscribes to any QoS buffer metrics. | 5.14.0-5.15.1 | | | [4740671](#4740671)
| Low fan speed alarm events occur while the corresponding fan modules are amber physically. | 5.15.0 | | -| [4740606](#4740606)
| When you configure a port with a 802.1x IPv6 profile, then remove 802.1x, the port might block all ingress and egress traffic, including LLDP frames. This behavior is unintended and might impact network visibility and connectivity.
To restore normal traffic flow on the affected port, remove the residual traffic-control filters by running the following commands:
tc qdisc del dev  clsact 2>/dev/null
tc qdisc del dev  ingress 2>/dev/null
tc qdisc del dev  egress 2>/dev/null
| 5.15.0-5.15.1 | | +| [4740606, 4783693](#4740606, 4783693)
| When you configure a port with a 802.1x IPv6 profile, then remove 802.1x, the port might block all ingress and egress traffic, including LLDP frames. This behavior is unintended and might impact network visibility and connectivity.
To restore normal traffic flow on the affected port, remove the residual traffic-control filters by running the following commands:
tc qdisc del dev  clsact 2>/dev/null
tc qdisc del dev  ingress 2>/dev/null
tc qdisc del dev  egress 2>/dev/null
| 5.15.0-5.15.1 | | | [4734606](#4734606)
| Physical interface based static IPv6 address assignment does not work for DHCPv6 with inbound DHCP requests (discover packets) on an SVI interface. To work around this issue, configure the IPv6 pool for the subnet to assign the IPv6 address from the pool. | 5.15.0-5.15.1 | | | [4734395](#4734395)
| mlxlink output sometimes displays additional special characters while still reporting valid data. | 5.14.0-5.15.1 | | | [4734374](#4734374)
| The SNMP AgentX subsystem crashes with a segmentation fault when trying to cancel events from within event callbacks due to multiple Agentx reconnecting one after the other on the device. | 5.14.0-5.15.1 | | @@ -477,7 +477,7 @@ pdfhidden: True | [4707930](#4707930)
| When you configure a high number of 802.1x IPv6 profiles, the nv show system dot1x ipv6-profile command might return no data. To work around this issue, run the nv show system dot1x ipv6-profile --applied command. | 5.15.0-5.15.1 | | | [4706305](#4706305)
| The gNMI interface statistics collector reports the error Failed to get SRv6 no sid drop counter: No-SID counter not available in syslog even when SRv6 is disabled. | 5.15.0-5.15.1 | | | [4706274](#4706274)
| When switchd terminates (on system shutdown or service restart), the switch does not clean up PBR ACL rules that reference ECMP groups before the SDK de-initializes. This causes SDK errors in the cleanup sequence. | 5.15.0-5.15.1 | | -| [4704406](#4704406)
| TACACS authentication mode is not configured correctly in PAM common authentication and TACACS configuration files, which makes login the authentication mode regardless of the NVUE configuration. | 5.14.0-5.15.1 | | +| [4704406, 4633883](#4704406, 4633883)
| TACACS authentication mode is not configured correctly in PAM common authentication and TACACS configuration files, which makes login the authentication mode regardless of the NVUE configuration. | 5.14.0-5.15.1 | | | [4702667](#4702667)
| When you run the nv show vrf default router rib command, NVUE returns an ItemDoesNotExist error. This error occurs because the vtysh show ip route vrf default brief json command does not return any output, which propagates through NVUE. To work around this issue, run the nv show vrf default router rib ipv6 and nv show vrf default router rib ipv6 route commands instead. | 5.15.0-5.15.1 | | | [4693175](#4693175)
| There is a mismatch between NVUE and gNMI telemetry for latency-measurement data on network interfaces with high sample intervals. For example, when you remove traffic class configurations from interfaces, NVUE correctly updates to reflect only active traffic classes; however, gNMI telemetry continues to report stale latency-measurement entries for the removed traffic classes. The stale entries include outdated error-type responses (TIMEOUT) with timestamps from previous runs. These stale entries persist across multiple polling cycles. | 5.15.0-5.15.1 | | | [4692400](#4692400)
| You see the error Failed to get SRv6 no sid drop counter: No-SID counter not available in syslog even when SRv6 is disabled. | 5.15.0-5.15.1 | | @@ -489,6 +489,6 @@ pdfhidden: True | [4683370](#4683370)
| On scale systems with OTEL enabled, you might see an interface_stats_collector crash with the following logs:
interface_stats_collector[41358]: unexpected fault address 0x7fbb941d9110
interface_stats_collector[41358]: fatal error: fault
interface_stats_collector[41358]: [signal SIGSEGV: segmentation violation code=0x1
addr=0x7fbb941d9110 pc=0x55124a]
| 5.14.0-5.15.1 | | | [4662695](#4662695)
| In an EVPN-MH environment, when you flap all interfaces on a switch or the bridge interface, stale VXLAN route entries might remain installed for locally connected hosts. To work around this issue, flap individual SVI interfaces for the affected routes. | 5.15.0-5.15.1 | | | [4650961](#4650961)
| When you bring a bond down, then up with the ifdown and ifup commands, the sflow rate is not configured correctly after the bond comes up and the sflow sample is not generated. To work around this issue, bring the member port down, then up. | 5.15.0-5.15.1 | | -| [4643073](#4643073)
| Concurrent mlxfwmanager --query executions triggered by gNMI telemetry polling might cause MFT deadlock, resulting in repeated core dumps, nvued restarts, and control plane unresponsiveness. | 5.14.0-5.15.1 | | +| [4643073, 4643425](#4643073, 4643425)
| Concurrent mlxfwmanager --query executions triggered by gNMI telemetry polling might cause MFT deadlock, resulting in repeated core dumps, nvued restarts, and control plane unresponsiveness. | 5.14.0-5.15.1 | | | [4556982](#4556982)
| In the Spanning Tree PVRST environment, when one bridge interface goes down, it causes all the other bridge interfaces to enter a blocking state for approximately ten seconds. Even though the down port is not the root port, all the other bridge ports are flushed and not in service for about ten seconds. | 5.13.1-5.15.1 | | diff --git a/content/cumulus-linux-516/rn.xml b/content/cumulus-linux-516/rn.xml index a41c39e281..90135eb215 100644 --- a/content/cumulus-linux-516/rn.xml +++ b/content/cumulus-linux-516/rn.xml @@ -31,7 +31,7 @@ -4949347 +4949347, 4949346 When interfaces experience authentication failures and retries due to Radius or host misconfiguration, NVUE commands such as {{nv show interface dot1x-summary}} and {{nv show interface dot1x-ipv6-summary}} become slow and unresponsive. To work around this issue, ensure the RADIUS server is reachable and correctly configured, and that client credentials and certificates are valid. The hostapd_cli slowdown is triggered by repeated authentication failures causing deauthentication and re-authentication cycles. Resolving the underlying authentication failures eliminates the blocking behavior. 5.16.1 @@ -55,7 +55,7 @@ -4926427 +4926427, 4926426 When you run the {{nv config apply}} command or the {{sudo systemctl reload frr.service}} command on a switch configured with VRF route leaking that has many BGP peers, VRFs, and BGP learned prefixes, FRR reload might time out. To work around this issue, run {{sudo systemctl edit frr.service}} to change the {{TimeoutSec=2m}} to a higher value and apply the changes with {{sudo systemctl daemon-reload}}. 5.15.0-5.16.1 5.9.5 @@ -71,7 +71,7 @@ cumulus@switch:~$ sudo systemctl restart cumulus-core.path -4925514 +4925514, 4919006 Core processing services such as {{cumulus-core.service}} and {{cumulus-core.path}} might enter a failed state due to {{systemd}} start rate limiting caused by rapid start and stop cycles. This issue can prevent core files from being included in subsequent automatically generated cl-support collections even after you reactivate automatic cl-support generation after deactivation due to a chain of faults. Newly generated core files might accumulate, potentially leading to {{/var}} partition exhaustion. To recover from this condition, run the {{sudo systemctl reset-failed cumulus-core.service cumulus-core.path}} command. 5.16.1 @@ -89,7 +89,7 @@ cumulus@switch:~$ sudo systemctl restart cumulus-core.path -4918342 +4918342, 4641291 In rare circumstances, the switch stops streaming telemetry data for interface counters, buffers, or PHY. 5.13.0-5.16.1 @@ -163,7 +163,7 @@ cumulus@switch:~$ sudo systemctl restart cumulus-core.path -4885474 +4885474, 4891596 During warm boot, a transient error {{ERR Failed to enable ipv4-mc for VRF tbl-id:0 vr-id:1}} appears in the {{switchd}} log. You can ignore this error; VRF configuration is not affected. 5.16.0-5.16.1 @@ -281,7 +281,7 @@ where only the aggregate should be advertised. -4820187 +4820187, 4895566 The firmware includes two asserts assert id = [0xc2e], [0x627] that are categorized incorrectly as fatal. The firmware has reduced the severity of these asserts and they no longer result in health event and switchd crashes. 5.16.0-5.16.1 @@ -302,7 +302,7 @@ interface_stats_collector[3429270]: goroutine 5610 gp=0xc007814c40 m=16 mp=0xc00 -4774686 +4774686, 4764590 The final hop does not respond to traceroute with the layer 4 protocol set to TCP or UDP. 5.16.0-5.16.1 @@ -338,13 +338,13 @@ nv show vrf default router rib ipv6 route -4657192 +4657192, 4414675 On the NVIDIA SN5640 switch, after you configure a port as unsplit, links do not come up while optics are in use. To work around this issue, use copper cables. 5.15.0-5.16.1 -4648833 +4648833, 4662556, 4687350 Interfaces using PAM4 DAC cables on switches with Spectrum-4 and later might not come up after a link flap or reboot if auto-negotiation is disabled. Auto-negotiation is required for PAM4 DAC cables on these switches. 5.15.0-5.16.1 @@ -374,13 +374,13 @@ nv show vrf default router rib ipv6 route -4579237 +4579237, 4579234 If interface statistics telemetry is running on the switch, an {{interface_stats_collector}} core file might generate during statistics collection. 5.11.3-5.16.1 -4551249 +4551249, 4572507, 4573399, 4712858, 4919013 The NVUE service might fail during switch upgrade. To work around this issue, stop the {{sysmonitor}} with the {{sudo systemctl stop sysmonitor}} command, then upgrade the switch with the {{nv action upgrade system packages to latest}} command. 5.14.0-5.16.1 @@ -402,7 +402,7 @@ To work around this issue, restart the FRR service using the {{sudo systemctl re -4547463 +4547463, 4705370 When you try to run {{nv action boot-next}} commands during optimized image upgrade, the commands time out. This does not necessarily mean an issue occurred; the system might still be executing the action. To check that the action command completed before going to the next step to reboot the system: <ol><li>Find the Request ID for the REST API invocation corresponding to the {{nv action boot-next}} command by doing a grep for {{ActionKey.*boot-next}} in the /var/log/nvued.log}} file. For example, the value 3 in the {{Ran Job running ActionKey('@boot-next', '/system/image', (), 3, (('partition', 'partition1'),))}} line indicates the Request ID.</li> <li>Run the {{curl -u '<username>:<password>' -X GET https://127.0.0.1:8765/nvue_v1/action/<Request ID> -k}} command from the shell to show the status of the action command. If the value of {{state}} is {{action_success}}, the action command completed successfully. If the value of {{state}} is {{running}}, the system is still processing. If the value of {{state}} is {{action_error}}, the system encountered an error.</li></ol> @@ -470,7 +470,7 @@ To work around this issue, restart the FRR service using the {{sudo systemctl re -4509255 +4509255, 4546858 In PTP two-step, the hardware incorrectly modifies the SYNC message correction field. 5.12.0-5.16.1 @@ -482,13 +482,13 @@ To work around this issue, restart the FRR service using the {{sudo systemctl re -4501632 +4501632, 4530257 NVIDIA recommends you wait for approximately 60 seconds after running {{nv config apply}} before power cycling the switch so that NVUE database has time to sync to the filesystem. 5.14.0-5.16.1 -4495383 +4495383, 4493988 NVUE configuration yaml file translation converts unset commands to set commands because the translation logic expects only set commands. 5.13.0-5.16.1 @@ -652,7 +652,7 @@ cumulus@switch:~$ sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o "Dpkg::Optio -4154839 +4154839, 4280933, 4291934 When you run certain SDK commands (such as {{sudo sx_api_port_counter_dump_all.py}} or {{sx_api_fdb_dump}}) first as the cumulus user, then with {{sudo}}, you see the following error: PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt' To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. @@ -666,7 +666,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4139511 +4139511, 4184813, 4180112 When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue. [ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock [ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query) [ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds @@ -689,7 +689,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4124376 +4124376, 4316163 The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier). To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in <a href="https://docs.nvidia.com/networking-ethernet-software/cumulus-linux/Installation-Management/Upgrading-Cumulus-Linux/#downgrade-a-secure-boot-switch">Downgrade a Secure Boot Switch</a>. 5.11.0-5.16.1 @@ -701,7 +701,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4105127 +4105127, 4796391 Any sFlow configuration changes that require an {{hsflowd}} restart are operational only after an initial delay of 60 seconds. 5.11.0-5.16.1 @@ -725,7 +725,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4049213 +4049213, 4186873 When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. 5.9.2-5.16.1 @@ -743,7 +743,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4005422 +4005422, 4015452 When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the {{systemctl enable ntpsec@<vrf>}} and {{systemctl restart ntpsec@<vrf>}} commands. 5.10.0-5.16.1 @@ -900,7 +900,7 @@ To work around this issue when using fiber cables: -3556762 +3556762, 3463827 On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. 5.5.0-5.16.1 @@ -912,7 +912,7 @@ To work around this issue when using fiber cables: -3538321 +3538321, 3564344 In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. 5.6.0-5.16.1 @@ -936,19 +936,19 @@ To work around this issue when using fiber cables: -3442569 +3442569, 3520880, 3586421 When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both {{nginx.service}} and {{nvued.service}} to begin authenticating users against the new authentication service. 5.5.0-5.16.1 -3430430 +3430430, 3337848 When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. 5.5.0-5.16.1 -3424967 +3424967, 3413785 {{sudo}} for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the {{default}} VRF. To work around this issue, specify the interface name that the {{default}} VRF uses in the {{vrf=}} setting of the {{/etc/tacplus_servers}} file or run the NVUE {{nv set system aaa tacacs vrf}} command. If you don't run either command, a TACACS+ user with privilege level 15 can run {{vrf task exec default sudo ...}} to execute the {{sudo}} command. 5.0.0-5.16.1 @@ -961,7 +961,7 @@ The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 -3414866 +3414866, 3536555, 4465009, 4509253, 4732973 Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error. sx_sdk: 22985 [BRIDGE] [ERROR ]: Port(0x200A000D)) already added to a bridge You can ignore this error; it has no impact on switch functionality. @@ -1023,7 +1023,7 @@ You can ignore this error; it has no impact on switch functionality. -3225117 +3225117, 3158720 Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. 5.4.0-5.16.1 @@ -1046,7 +1046,7 @@ To work around this issue, reference the OID without the preceding period ( {{.} -3145869 +3145869, 3430508, 3543102 On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. 5.2.0-5.16.1 @@ -1109,7 +1109,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -1117,7 +1117,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2885305 +2885305, 2887500, 3234087, 3074929, 3293192 Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. 5.0.0-5.16.1 @@ -1285,7 +1285,7 @@ hal_mlx_port.c:3919 ERR port state set failed for port <#>: Driver's Retur -4926427 +4926427, 4926426 When you run the {{nv config apply}} command or the {{sudo systemctl reload frr.service}} command on a switch configured with VRF route leaking that has many BGP peers, VRFs, and BGP learned prefixes, FRR reload might time out. To work around this issue, run {{sudo systemctl edit frr.service}} to change the {{TimeoutSec=2m}} to a higher value and apply the changes with {{sudo systemctl daemon-reload}}. 5.15.0-5.16.1 5.9.5 @@ -1394,7 +1394,7 @@ hal_mlx_port.c:3919 ERR port state set failed for port <#>: Driver's Retur -4918342 +4918342, 4641291 In rare circumstances, the switch stops streaming telemetry data for interface counters, buffers, or PHY. 5.13.0-5.16.1 @@ -1468,7 +1468,7 @@ hal_mlx_port.c:3919 ERR port state set failed for port <#>: Driver's Retur -4885474 +4885474, 4891596 During warm boot, a transient error {{ERR Failed to enable ipv4-mc for VRF tbl-id:0 vr-id:1}} appears in the {{switchd}} log. You can ignore this error; VRF configuration is not affected. 5.16.0-5.16.1 @@ -1586,7 +1586,7 @@ where only the aggregate should be advertised. -4820187 +4820187, 4895566 The firmware includes two asserts assert id = [0xc2e], [0x627] that are categorized incorrectly as fatal. The firmware has reduced the severity of these asserts and they no longer result in health event and switchd crashes. 5.16.0-5.16.1 @@ -1607,7 +1607,7 @@ interface_stats_collector[3429270]: goroutine 5610 gp=0xc007814c40 m=16 mp=0xc00 -4774686 +4774686, 4764590 The final hop does not respond to traceroute with the layer 4 protocol set to TCP or UDP. 5.16.0-5.16.1 @@ -1643,13 +1643,13 @@ nv show vrf default router rib ipv6 route -4657192 +4657192, 4414675 On the NVIDIA SN5640 switch, after you configure a port as unsplit, links do not come up while optics are in use. To work around this issue, use copper cables. 5.15.0-5.16.1 -4648833 +4648833, 4662556, 4687350 Interfaces using PAM4 DAC cables on switches with Spectrum-4 and later might not come up after a link flap or reboot if auto-negotiation is disabled. Auto-negotiation is required for PAM4 DAC cables on these switches. 5.15.0-5.16.1 @@ -1679,13 +1679,13 @@ nv show vrf default router rib ipv6 route -4579237 +4579237, 4579234 If interface statistics telemetry is running on the switch, an {{interface_stats_collector}} core file might generate during statistics collection. 5.11.3-5.16.1 -4551249 +4551249, 4572507, 4573399, 4712858, 4919013 The NVUE service might fail during switch upgrade. To work around this issue, stop the {{sysmonitor}} with the {{sudo systemctl stop sysmonitor}} command, then upgrade the switch with the {{nv action upgrade system packages to latest}} command. 5.14.0-5.16.1 @@ -1707,7 +1707,7 @@ To work around this issue, restart the FRR service using the {{sudo systemctl re -4547463 +4547463, 4705370 When you try to run {{nv action boot-next}} commands during optimized image upgrade, the commands time out. This does not necessarily mean an issue occurred; the system might still be executing the action. To check that the action command completed before going to the next step to reboot the system: <ol><li>Find the Request ID for the REST API invocation corresponding to the {{nv action boot-next}} command by doing a grep for {{ActionKey.*boot-next}} in the /var/log/nvued.log}} file. For example, the value 3 in the {{Ran Job running ActionKey('@boot-next', '/system/image', (), 3, (('partition', 'partition1'),))}} line indicates the Request ID.</li> <li>Run the {{curl -u '<username>:<password>' -X GET https://127.0.0.1:8765/nvue_v1/action/<Request ID> -k}} command from the shell to show the status of the action command. If the value of {{state}} is {{action_success}}, the action command completed successfully. If the value of {{state}} is {{running}}, the system is still processing. If the value of {{state}} is {{action_error}}, the system encountered an error.</li></ol> @@ -1775,7 +1775,7 @@ To work around this issue, restart the FRR service using the {{sudo systemctl re -4509255 +4509255, 4546858 In PTP two-step, the hardware incorrectly modifies the SYNC message correction field. 5.12.0-5.16.1 @@ -1787,13 +1787,13 @@ To work around this issue, restart the FRR service using the {{sudo systemctl re -4501632 +4501632, 4530257 NVIDIA recommends you wait for approximately 60 seconds after running {{nv config apply}} before power cycling the switch so that NVUE database has time to sync to the filesystem. 5.14.0-5.16.1 -4495383 +4495383, 4493988 NVUE configuration yaml file translation converts unset commands to set commands because the translation logic expects only set commands. 5.13.0-5.16.1 @@ -1957,7 +1957,7 @@ cumulus@switch:~$ sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o "Dpkg::Optio -4154839 +4154839, 4280933, 4291934 When you run certain SDK commands (such as {{sudo sx_api_port_counter_dump_all.py}} or {{sx_api_fdb_dump}}) first as the cumulus user, then with {{sudo}}, you see the following error: PermissionError: Errno 13] Permission denied: '/tmp/python_err_log.txt' To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. @@ -1971,7 +1971,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4139511 +4139511, 4184813, 4180112 When you generate the cl-support file on the Spectrum-4 switch, the following messages appear on the serial console. You can safely ignore this issue. [ 1903.595131] mlxsw_minimal 2-0048: Could not acquire lock [ 1903.601089] mlxsw_minimal 2-0048: Reg cmd access failed (reg_id=900a(mtmp),type=query) [ 1903.609961] hwmon hwmon28: Failed to query module temperature thresholds @@ -1994,7 +1994,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4124376 +4124376, 4316163 The SN3700C-S, SN5400, and SN5600 secure boot switch running Cumulus Linux 5.11.0 or later boots with shim 15.8 that adds entries to the SBAT revocations to prevent the switch from booting shim 15.7 or earlier (included in Cumulus Linux 5.10 and earlier). To downgrade a secure boot switch from Cumulus Linux 5.11.0 or later, or to recover a downgraded switch that does not boot, follow the steps in <a href="https://docs.nvidia.com/networking-ethernet-software/cumulus-linux/Installation-Management/Upgrading-Cumulus-Linux/#downgrade-a-secure-boot-switch">Downgrade a Secure Boot Switch</a>. 5.11.0-5.16.1 @@ -2006,7 +2006,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4105127 +4105127, 4796391 Any sFlow configuration changes that require an {{hsflowd}} restart are operational only after an initial delay of 60 seconds. 5.11.0-5.16.1 @@ -2030,7 +2030,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4049213 +4049213, 4186873 When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. 5.9.2-5.16.1 @@ -2048,7 +2048,7 @@ To resolve this issue, run the {{rm -rf /tmp/python_err_log.txt}} command. -4005422 +4005422, 4015452 When you upgrade Cumulus Linux 5.9.1 to Cumulus Linux 5.10 or later with package upgrade, the NTP service stops. To restart the NTP service, enable, then restart the service in the VRF in which it was running with the {{systemctl enable ntpsec@<vrf>}} and {{systemctl restart ntpsec@<vrf>}} commands. 5.10.0-5.16.1 @@ -2205,7 +2205,7 @@ To work around this issue when using fiber cables: -3556762 +3556762, 3463827 On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. 5.5.0-5.16.1 @@ -2217,7 +2217,7 @@ To work around this issue when using fiber cables: -3538321 +3538321, 3564344 In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. 5.6.0-5.16.1 @@ -2241,19 +2241,19 @@ To work around this issue when using fiber cables: -3442569 +3442569, 3520880, 3586421 When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both {{nginx.service}} and {{nvued.service}} to begin authenticating users against the new authentication service. 5.5.0-5.16.1 -3430430 +3430430, 3337848 When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. 5.5.0-5.16.1 -3424967 +3424967, 3413785 {{sudo}} for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the {{default}} VRF. To work around this issue, specify the interface name that the {{default}} VRF uses in the {{vrf=}} setting of the {{/etc/tacplus_servers}} file or run the NVUE {{nv set system aaa tacacs vrf}} command. If you don't run either command, a TACACS+ user with privilege level 15 can run {{vrf task exec default sudo ...}} to execute the {{sudo}} command. 5.0.0-5.16.1 @@ -2266,7 +2266,7 @@ The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 -3414866 +3414866, 3536555, 4465009, 4509253, 4732973 Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error. sx_sdk: 22985 [BRIDGE] [ERROR ]: Port(0x200A000D)) already added to a bridge You can ignore this error; it has no impact on switch functionality. @@ -2328,7 +2328,7 @@ You can ignore this error; it has no impact on switch functionality. -3225117 +3225117, 3158720 Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. 5.4.0-5.16.1 @@ -2351,7 +2351,7 @@ To work around this issue, reference the OID without the preceding period ( {{.} -3145869 +3145869, 3430508, 3543102 On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. 5.2.0-5.16.1 @@ -2414,7 +2414,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -2422,7 +2422,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2885305 +2885305, 2887500, 3234087, 3074929, 3293192 Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. 5.0.0-5.16.1 @@ -2522,7 +2522,7 @@ To work around this issue, run the {{sudo systemctl restart hw-management-tc.ser 5.13.1-5.15.1 -4830305 +4830305, 4830251, 4834348 After an optimized image upgrade, certain disabled {{systemd}} services that are replaced with VRF-based services are reenabled. This results in multiple instances of the applications running, where they either fail to start or run with incorrect configuration. This issue occurs with, but is not limited to SSH, NTP and streaming telemetry services running with a custom VRF configuration. To work around this issue, after the upgrade, stop and disable the incorrect services, then restart the correct ones as required. 5.15.0-5.15.1 @@ -2589,7 +2589,7 @@ ports configuration(ports.conf/ports_width.conf) is invalid 5.12.1-5.15.1 -4789339 +4789339, 4540985 The {{interface_stats}} process might crash when a transceiver has non-ASCII data in EEPROM fields, such as vendor name or part number. 5.13.1-5.15.1 @@ -2636,7 +2636,7 @@ To work around this issue, use a YAML file instead of a text-based patch file or 5.15.0-5.15.1 -4776444 +4776444, 4594612, 4823905 In rare cases when telemetry is configured on a switch with high interface scale, the following log message might be generated and lead to a kernel crash event: interface_stats_collector[27979]: ERROR intf_stats_collector.go:485 WaitBulkCounterDone error: unable to receive trap info after 15 iterations @@ -2664,12 +2664,12 @@ interface_stats_collector[27979]: ERROR intf_stats_collector.go:485 WaitBulkCoun 5.9.2-5.15.1 -4752986 +4752986, 4851043 Warm reboot results in approximately 14 second traffic loss. 5.15.0-5.15.1 -4751060 +4751060, 4637733 If the switch filesystem is overloaded or memory is exhausted, you see very slow responses from the filesystem and the SDK might fail with a fatal error similar to: sxd_kernel: Health-Check: new failure (dev=1, severity='Fatal', cause=10 ['SDK thread issue'], irisc=255, desc='Health check: SDK thread [sxSniffer] TID [0x7f81cffff6c0] bit [4] does not respond [5] seconds') 5.12.0-5.15.1 @@ -2680,7 +2680,7 @@ sxd_kernel: Health-Check: new failure (dev=1, severity='Fatal', cause=10 ['SDK t 5.13.1-5.15.1 -4748176 +4748176, 4662528, 4652420 Unsupported hardware modules might cause SDK and firmware health event and traffic loss. 5.12.1-5.15.1 @@ -2695,7 +2695,7 @@ sxd_kernel: Health-Check: new failure (dev=1, severity='Fatal', cause=10 ['SDK t 5.15.0 -4740606 +4740606, 4783693 When you configure a port with a 802.1x IPv6 profile, then remove 802.1x, the port might block all ingress and egress traffic, including LLDP frames. This behavior is unintended and might impact network visibility and connectivity. To restore normal traffic flow on the affected port, remove the residual traffic-control filters by running the following commands: tc qdisc del dev <swp port> clsact 2>/dev/null tc qdisc del dev <swp port> ingress 2>/dev/null @@ -2811,7 +2811,7 @@ User name {} is already in use as OS group name 'and could not be used as userna 5.15.0-5.15.1 -4704406 +4704406, 4633883 TACACS authentication mode is not configured correctly in PAM common authentication and TACACS configuration files, which makes {{login}} the authentication mode regardless of the NVUE configuration. 5.14.0-5.15.1 @@ -2874,7 +2874,7 @@ interface_stats_collector[41358]: [signal SIGSEGV: segmentation violation code=0 5.15.0-5.15.1 -4643073 +4643073, 4643425 Concurrent {{mlxfwmanager --query}} executions triggered by gNMI telemetry polling might cause MFT deadlock, resulting in repeated core dumps, {{nvued}} restarts, and control plane unresponsiveness. 5.14.0-5.15.1 diff --git a/content/cumulus-linux-53/Whats-New/rn.md b/content/cumulus-linux-53/Whats-New/rn.md index c8db790865..09677407d0 100644 --- a/content/cumulus-linux-53/Whats-New/rn.md +++ b/content/cumulus-linux-53/Whats-New/rn.md @@ -16,16 +16,16 @@ pdfhidden: True |--- |--- |--- |--- | | [4963277](#4963277)
| When many BFD sessions are configured at scale, ptmd might crash when one of the BFD sessions flaps. | 5.3.1-5.16.1 | | | [4797691](#4797691)
| The message that the switch displays when you generate a cl-support file or as a post login banner contains an invalid Cumulus Support email address, which is no longer the formal channel for reporting support issues. | 5.0.0-5.9.4, 5.15.1 | 5.9.5, 5.16.0-5.16.1| -| [4663076](#4663076)
| When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.3.1-5.9.4 | 5.9.5-5.16.1, 5.11.5-5.16.1, 5.15.0-5.16.1| +| [4663076, 3963232](#4663076, 3963232)
| When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.3.1-5.9.4 | 5.9.5-5.16.1, 5.11.5-5.16.1, 5.15.0-5.16.1| | [4647646](#4647646)
| If you configure policy-based routing (PBR) rules for more than 32 interfaces, only the rules assigned to the first 32 interfaces are installed in the kernel. | 4.4.2-5.14.0 | 5.15.0-5.16.1| | [4621759](#4621759)
| When many BFD sessions are configured at scale, ptmd might crash when one of the BFD sessions flaps. | 5.3.1-5.14.0 | 5.15.0-5.16.1| -| [4413450](#4413450)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.11.1, 5.13.0-5.13.1 | 5.11.2, 5.14.0-5.16.1| +| [4413450, 4497128](#4413450, 4497128)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.11.1, 5.13.0-5.13.1 | 5.11.2, 5.14.0-5.16.1| | [4377862](#4377862)
| When processing the static IP assignment for an interface previously managed through DHCP, Cumulus Linux fails to clean up the DHCP created state completely. As a result when the IP address assigned by DHCP earlier expires, the switch eventually loses connectivity. | 5.1.0-5.9.3 | 5.9.4-5.16.1, 5.11.2-5.16.1, 5.13.0-5.16.1| | [4039850](#4039850)
| When the MAC address of the neighbor changes, a possible crash might occur because the pointer to which the MAC address points is freed, resulting in a dangling pointer. | 5.3.1-5.10.1 | 5.11.0-5.16.1| | [4004453](#4004453)
| The NVUE commands to delete SNMP users, and change authentication passwords and encryption passphrases are not successful. | 4.3.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| -| [3949367](#3949367)
| If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. | 5.3.1-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| +| [3949367, 3949366](#3949367, 3949366)
| If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. | 5.3.1-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3927016](#3927016)
| Following an EVPN extended mobility event, where a host with IP address A and MAC address A moves within the fabric and now resides at IP address A and MAC address B, you might see traffic destined to this host experience drops as the flow is software forwarded on the egress VTEP. | 5.0.1-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| -| [3895042](#3895042)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| +| [3895042, 3895041](#3895042, 3895041)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3859422](#3859422)
| On rare occasions when certain events occur, such as changes to the topology in the network, when a bond comes online and directly transits to an STP blocking state, the slave ports might still be in a forwarding state. As a result, traffic is forwarded on a blocked port. | 5.2.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3773177](#3773177)
| When you try to upgrade a switch from Cumulus Linux before 5.6.0 with package upgrade, you might see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.
cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt install ./cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt update
cumulus@switch:~$ sudo apt upgrade
| 4.0.0-4.4.5, 5.0.0-5.16.1 | | | [3713419](#3713419)
| When monitoring system statistics and network traffic with sFlow, an aggressive link flap might produce a memory leak in the sFlow service hsflowd. | 5.1.0-5.7.0 | 5.8.0-5.16.1| @@ -33,7 +33,7 @@ pdfhidden: True | [3684998](#3684998)
| DHCP lease information is not collected in the cl-support file. | 4.3.0-5.6.0 | 5.7.0-5.16.1| | [3663182](#3663182)
| Changing non-default BGP timers with NCLU or vtysh commands sets the hold time and keep alive interval to 0 seconds. To work around this issue, restart the FRR service with the sudo systemctl restart frr.service command. | 5.3.1-5.6.0 | 5.7.0-5.16.1| | [3613258](#3613258)
| With VM migration from one VTEP to another, traffic loss might occur during a MAC move as locally learned MAC addresses are frequently refreshed between switchd and the kernel. | 5.2.1-5.6.0 | 5.7.0-5.16.1| -| [3610967](#3610967)
| In an EVPN symmetric routing configuration, running the NVUE nv set vrf vlan auto command to derive layer 3 VNIs automatically might result in duplicate VLAN entries in the system. This most often occurs at scale when many VRFs have similar names. To work around this issue, manually specify a unique VLAN for each VRF. | 5.3.0-5.8.0 | 5.9.0-5.16.1| +| [3610967, 3647761](#3610967, 3647761)
| In an EVPN symmetric routing configuration, running the NVUE nv set vrf vlan auto command to derive layer 3 VNIs automatically might result in duplicate VLAN entries in the system. This most often occurs at scale when many VRFs have similar names. To work around this issue, manually specify a unique VLAN for each VRF. | 5.3.0-5.8.0 | 5.9.0-5.16.1| | [3585467](#3585467)
| NVUE and ip link show traditional bridge VLAN subinterface counts incorrectly. The ingress (Rx) count increments correctly but the egress (Tx) count does not increment. This issues occurs because the hardware does not support transmit counters for a VLAN subinterface; therefore, no statistics from the hardware are updated. Statistics for software forwarded packets show correctly. | 5.0.0-5.6.0 | 5.7.0-5.16.1| | [3580435](#3580435)
| On the NVIDIA SN2410 switch with an Innodisk SSD, you might see the following message in syslog:
smartd[501]: Device: /dev/sda [SAT], CHECK POWER STATUS spins up disk (0x00 -> 0xff)
This is a cosmetic issue and does not affect how the switch operates. To prevent this message from occurring, run the hdparm -S 24 /dev/sda command to change the HD timeout. | 5.3.1-5.6.0 | 5.7.0-5.16.1| | [3573800](#3573800)
| After you apply a change to the router MAC address on an SVI with the ifreload -a command, the old router MAC address still remains in the FDB table. To work around this issue, remove the old router MAC address with the sudo bridge fdb del dev bridge vlan command. | 5.3.1-5.6.0 | 5.7.0-5.16.1| @@ -49,7 +49,7 @@ pdfhidden: True | [3484058](#3484058)
| When you power on the NVIDIA SN3420 switch with no connected cables, the QSFP ports LEDs light in amber. | 5.3.0-5.8.0 | 5.9.0-5.16.1| | [3482006](#3482006)
| If FRR learns a layer 2 entry against a VNI and you reconfigure the VNI later as a layer 3 VNI, the original layer 2 entry does not clear and remains in the forwarding database. | 5.0.0-5.5.1 | 4.3.2-4.4.5, 5.6.0-5.16.1| | [3479786](#3479786)
| The switchd service does not handle certain route and next hop updates, which causes a synchronization loop. For example, in a VRF route leaking configuration, where a next hop group spans across multiple VRFs, when one of the routes is withdrawn and the next hop is no longer used, switchd has problems synchronizing other next hops in the group
To work around this issue, disable next hop groups in zebra with the vtysh zebra nexthop proto only command, and then reboot the switch. | 5.3.0-5.5.1 | 5.6.0-5.16.1| -| [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.16.1| +| [3474391, 3479772](#3474391, 3479772)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.16.1| | [3474352](#3474352)
| On the NVIDIA SN4700 switch, reversing the upper four lanes on a port does not work and might cause link degradation. If you swap between the upper and lower four lanes on a port, the firmware gets stuck. | 5.3.0-5.5.1 | 5.6.0-5.16.1| | [3467890](#3467890)
| BGP aggregate routers are not advertised after learning the same route from another protocol. To work around this issue, restart the FRR service or, if possible, don't learn the route from another protocol (use route maps instead). | 5.3.0-5.5.1 | 5.6.0-5.16.1| | [3466703](#3466703)
| In rare cases when there is high load, the clagd service might experience a buffer overflow and MLAG bonds stay in a proto-down state on the secondary switch. You see a "NetlinkThread: Netlink overflow" log message and the MLAG state indicates VLAN conflicts between peers. To work around this issue, restart the clagd service with the sudo systemctl restart clagd command on the switch that reports the overflow log message. | 5.2.0-5.5.1 | 5.6.0-5.16.1| @@ -57,11 +57,11 @@ pdfhidden: True | [3434791](#3434791)
| Changing the ebgp-multihop setting for a BGP peer always resets the peer, even if the configured TTL value matches the existing TTL value of the peer. | 5.3.1-5.4.0 | 5.5.0-5.16.1| | [3432897](#3432897)
| When you remove the restriction from a TACACS+ mapped user to remove per command authorization, the tacplus-restrict -R command does not restore ownership of restored files correctly. As a result, some commands might fail due to permission errors in the files or directories under the home directory. To work around this issue, run the sudo chown command to correct the ownership of the affected files and directories. | 5.0.0-5.4.0 | 5.5.0-5.16.1| | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.16.1| -| [3428677](#3428677)
| In certain cases, Cumulus Linux does not process next hop updates because the zebra IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state. | 5.3.0-5.6.0 | 5.7.0-5.16.1| -| [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | +| [3428677, 3437317](#3428677, 3437317)
| In certain cases, Cumulus Linux does not process next hop updates because the zebra IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state. | 5.3.0-5.6.0 | 5.7.0-5.16.1| +| [3424967, 3413785](#3424967, 3413785)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [3413785](#3413785)
| To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.5.1 | 5.6.0-5.16.1| -| [3393306](#3393306)
| The python-netaddr package is not preinstalled on the switch, which leads to an error similar to the following when SNMP accesses data from the CUMULUS-BGPVRF-MIB
CUMULUS-BGPVRF-MIB::bgpPeerFsmEstablishedTransitions = No Such Instance currently exists at this OID
To work around this issue, manually install the python-netaddr package with the sudo -E apt-get install python-netaddr command. | 5.3.1-5.4.0 | 5.5.0-5.16.1| +| [3413785, 3424967](#3413785, 3424967)
| To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.5.1 | 5.6.0-5.16.1| +| [3393306, 3425495](#3393306, 3425495)
| The python-netaddr package is not preinstalled on the switch, which leads to an error similar to the following when SNMP accesses data from the CUMULUS-BGPVRF-MIB
CUMULUS-BGPVRF-MIB::bgpPeerFsmEstablishedTransitions = No Such Instance currently exists at this OID
To work around this issue, manually install the python-netaddr package with the sudo -E apt-get install python-netaddr command. | 5.3.1-5.4.0 | 5.5.0-5.16.1| | [3390758](#3390758)
| The neighmgrd service does not enable the snooper unless ARP suppression is enabled on at least one VXLAN interface. This can result in missing ARP and NDP entries if the host does not directly interact with the switch. | 5.3.1-5.4.0 | 5.5.0-5.16.1| | [3389198](#3389198)
| The NVUE nv unset command does not completely remove IPv6 DNS server configuration
| 5.3.1-5.4.0 | 5.5.0-5.16.1| | [3388067](#3388067)
| TACACS+ packages in the local apt repository might be out of date; as a result, the upgrade does not install tacacs0 through tacacs15 users in the correct NVUE groups. When you run NVUE commands as a TACACS+ user, the commands fail and you see the error You do not have permission to execute that command
To obtain the correct packages, install the tacplus-client package and its dependencies from apt.cumulusnetworks.com. | 5.1.0-5.4.0 | 5.5.0-5.16.1| @@ -72,52 +72,52 @@ pdfhidden: True | [3351936](#3351936)
| Switch fans run at very high speed but the temperature is normal. | 5.2.0-5.3.1 | 5.4.0-5.16.1| | [3350789](#3350789)
| NVUE deprecated the port split command options (2x10G, 2x25G, 2x40G, 2x50G, 2x100G, 2x200G, 4x10G, 4x25G, 4x50G, 4x100G, 8x50G) with no backwards compatibility. | 5.0.0-5.4.0 | 5.5.0-5.16.1| | [3349207](#3349207)
| The switch does not learn MAC addresses from DHCP packets. When a DHCP enabled host is plugged in for the first time, it tries to obtain an IP address through DHCP. The switch does not learn the MAC address of the host when it receives these DHCP packets; therefore, the host MAC address is not updated in the local forwarding database and it does not get advertised across EVPN. The switch learns the MAC address when it receives other packets, such as ARP or ND from the host. To work around this issue, either configure a temporary IP address on the host to initiate ARP/ND or enable IPv6, which sends ND after link local address creation. | 5.2.0-5.4.0 | 5.5.0-5.16.1| -| [3347677](#3347677)
| In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown. | 5.1.0-5.6.0 | 5.7.0-5.16.1| +| [3347677, 3180068](#3347677, 3180068)
| In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown. | 5.1.0-5.6.0 | 5.7.0-5.16.1| | [3340890](#3340890)
| When you run the NVUE nv show interface command, you see an error similar to the following:
Error: GET /nvue_v1/interface/swp45?rev=operational responded with 500 INTERNAL SERVER ERROR
| 5.3.0-5.4.0 | 5.5.0-5.16.1| -| [3339336](#3339336)
| The ethtool -m command does not show Digital Optical Monitoring (DOM) for SFP transceivers. To work around this issue, run the l1-show or mlxlink command instead. | 5.2.0-5.3.1 | 5.4.0-5.16.1| +| [3339336, 3336807](#3339336, 3336807)
| The ethtool -m command does not show Digital Optical Monitoring (DOM) for SFP transceivers. To work around this issue, run the l1-show or mlxlink command instead. | 5.2.0-5.3.1 | 5.4.0-5.16.1| | [3334275](#3334275)
| When you run the sensors command, the output shows an erroneous fault on some front panel ports. | 5.2.0-5.7.0 | 5.8.0-5.16.1| | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.16.1| -| [3330600](#3330600)
| The SNMP monitor might fail to send the expected traps. | 5.3.0-5.3.1 | 5.4.0-5.16.1| +| [3330600, 3330601, 3255756, 3326018](#3330600, 3330601, 3255756, 3326018)
| The SNMP monitor might fail to send the expected traps. | 5.3.0-5.3.1 | 5.4.0-5.16.1| | [3329494](#3329494)
| Ethtool HwIfInDot3FrameErrors (Rx FCS Errors) might lead to an incorrect and very large HwIfInErrors count. To work around this issue, stop the source of the FCS errors, then reset the interface counters. First, run the sudo mst status command to find the device, then run the sudo mlxlink -d -p -pc command to reset the interface counters; for example, sudo mlxlink -d /dev/mst/mt53104_pciconf0 -p 39 -pc. | 5.3.1-5.4.0 | 5.5.0-5.16.1| | [3329096](#3329096)
| The traffic control rules that the EVPN multihoming configuration adds to an interface are deleted when the hsflowd service restarts. The hsflowd service deletes the EVPN multihoming traffic control filters after you stop hsflowd, then adds back the match-all filters with the psample action; however, hsflowd does not add back the EVPN multihoming traffic control rules. | 5.0.0-5.3.1 | 5.4.0-5.16.1| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.16.1 | | -| [3322944](#3322944)
| The ptmd service causes memory leaks. | 5.3.0-5.3.1 | 5.4.0-5.16.1| +| [3322944, 3456051](#3322944, 3456051)
| The ptmd service causes memory leaks. | 5.3.0-5.3.1 | 5.4.0-5.16.1| | [3320571](#3320571)
| The sensors.conf files in Cumulus Linux are out of date. | 5.2.0-5.3.1 | 5.4.0-5.16.1| | [3308248](#3308248)
| DHCP packets do not forward over VXLAN interfaces in multicast replication environments. This issue does not affect VXLAN environments using head end replication (HER). | 5.2.0-5.3.1 | 5.4.0-5.16.1| -| [3303084](#3303084)
| The memory consumption in ptmd can grow when the socket being used for a BFD session needs to be recreated. This is often seen when the route being used to forward the BFD packets is removed; for example, if the connected route is removed when an interface goes down, over which a single hop BFD session is formed. | 5.3.0-5.3.1 | 5.4.0-5.16.1| +| [3303084, 3289646, 3456051](#3303084, 3289646, 3456051)
| The memory consumption in ptmd can grow when the socket being used for a BFD session needs to be recreated. This is often seen when the route being used to forward the BFD packets is removed; for example, if the connected route is removed when an interface goes down, over which a single hop BFD session is formed. | 5.3.0-5.3.1 | 5.4.0-5.16.1| | [3301988](#3301988)
| Some EVPN multihoming show commands might cause BGP to crash if you use the json flag and attempt to reference the default VRF by name. For example, show bgp l2vpn evpn es-vrf json. | 5.0.0-5.3.1 | 5.4.0-5.16.1| | [3301950](#3301950)
| When upgrading from Cumulus Linux 5.0.0 thru 5.2.1 to Cumulus Linux 5.3.0 or 5.3.1, the babeltrace and python3-babeltrace packages are not added automatically even though they are in the default image in Cumulus Linux 5.3.0 and later. You may need these packages to decode LTTNG traces with /usr/lib/frr/frr_babeltrace.py.. If you need to use this script, run the sudo apt update && sudo apt install babeltrace python3-babeltrace command to install the packages. | 5.3.0-5.3.1 | 5.4.0-5.16.1| -| [3298616](#3298616)
| NVUE gracefully detects and handles upgrades that include valid flexible snippets. For any invalid (incompatible) flexible snippets, you must delete the snippets before you apt upgrade Cumulus Linux; otherwise, the NVUE nv config apply command and the equivalent REST API, do not run. | 5.3.0-5.3.1 | 5.4.0-5.16.1| +| [3298616, 3047290, 3324961](#3298616, 3047290, 3324961)
| NVUE gracefully detects and handles upgrades that include valid flexible snippets. For any invalid (incompatible) flexible snippets, you must delete the snippets before you apt upgrade Cumulus Linux; otherwise, the NVUE nv config apply command and the equivalent REST API, do not run. | 5.3.0-5.3.1 | 5.4.0-5.16.1| | [3296715](#3296715)
| When you clear interface counters with the ethtool -S clear command, the command fails with the following message:
switch:~$ ethtool -S swp1 clearethtool (-S): unknown parameter 'clear'
| 5.2.0-5.3.1 | 5.4.0-5.16.1| | [3293114](#3293114)
| In Cumulus Linux 5.4 and earlier, the command to enable Neighbor Discovery (ND) router advertisement is inverted and causes confusion; nv set interface ip neighbor-discovery router-advertisement enable off. In Cumulus Linux 5.5 and later, the command to enable router advertisement is updated to nv set interface ip neighbor-discovery router-advertisement enable on. | 5.3.0-5.5.1 | 5.6.0-5.16.1| | [3293039](#3293039)
| When you add the /etc/frr/frr.conf file to the ignore list for NVUE, any configuration change causes FRR to restart because a check is done to see if any running configuration has changed since the previously applied configuration in the vtysh shell. | 5.3.0-5.3.1 | 5.4.0-5.16.1| -| [3292773](#3292773)
| NVUE requires the SNMPv2 community string to be a minimum of eight characters. | 5.3.0-5.3.1 | 5.4.0-5.16.1| -| [3289646](#3289646)
| The memory consumption in ptmd can grow when the socket being used for a BFD session needs to be recreated. This is often seen when the route being used to forward BFD packets is removed; for example, if the connected route is removed when an interface goes down, over which a single hop BFD session is formed. | 5.2.0-5.3.1 | 5.4.0-5.16.1| +| [3292773, 3159654](#3292773, 3159654)
| NVUE requires the SNMPv2 community string to be a minimum of eight characters. | 5.3.0-5.3.1 | 5.4.0-5.16.1| +| [3289646, 3303084](#3289646, 3303084)
| The memory consumption in ptmd can grow when the socket being used for a BFD session needs to be recreated. This is often seen when the route being used to forward BFD packets is removed; for example, if the connected route is removed when an interface goes down, over which a single hop BFD session is formed. | 5.2.0-5.3.1 | 5.4.0-5.16.1| | [3267328](#3267328)
| On Spectrum 1 switches when configuring ACLs in non-atomic mode, if there are too many IPv6 matches due to rules with both input-interface and output-interface matches on SVIs, the ACL install fails and switchd crashes. | 5.2.0-5.3.1 | 5.4.0-5.16.1| | [3266197](#3266197)
| When you disable BGP globally with the nv set router bgp enable off command, applying the configuration with NVUE might fail due to an FRR reload failure. | 5.2.0-5.6.0 | 5.7.0-5.16.1| | [3266050](#3266050)
| Due to a race at the initial configuration, the SDK RDQ test may test RDQ configured for WJH and fail the test resulting in a fatal health event. | 5.2.0-5.3.1 | 5.4.0-5.16.1| | [3264269](#3264269)
| When you change the BGP router ID that causes a change to an EVPN VNI RD, EVPN EAD-per-EVI routes are not updated properly. | 5.3.0-5.6.0 | 5.7.0-5.16.1| | [3262012](#3262012)
| When an FRR routing service (such as bgpd) becomes unresponsive, watchfrr might fail to stop and restart service. To work around this issue, restart FRR with the systemctl restart frr command. | 4.4.0-5.3.1 | 5.4.0-5.16.1| | [3258232](#3258232)
| If you use NVUE to configure multiple SNMP listener addresses at the same time, the SNMP service fails to start. To work around this issue, configure multiple SNMP listener addresses one at a time. | 5.3.0-5.6.0 | 5.7.0-5.16.1| -| [3255899](#3255899)
| The Linux utility that sends ARP packets is constrained to 512 interfaces on the system. In large scale deployments, the warm boot process fails repeatedly as it sends gratuitous ARP requests for each local address. This issue does not impact the functionality and can be ignored. | 5.2.0-5.3.1 | 5.4.0-5.16.1| -| [3244955](#3244955)
| ACL configurations fail when the TCAM memory is exhausted because the CTCAM profile is configured with duplicate entries. | 5.2.0-5.3.1 | 5.4.0-5.16.1| +| [3255899, 3261883, 3255886](#3255899, 3261883, 3255886)
| The Linux utility that sends ARP packets is constrained to 512 interfaces on the system. In large scale deployments, the warm boot process fails repeatedly as it sends gratuitous ARP requests for each local address. This issue does not impact the functionality and can be ignored. | 5.2.0-5.3.1 | 5.4.0-5.16.1| +| [3244955, 3264678](#3244955, 3264678)
| ACL configurations fail when the TCAM memory is exhausted because the CTCAM profile is configured with duplicate entries. | 5.2.0-5.3.1 | 5.4.0-5.16.1| | [3241567](#3241567)
| When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time. | 5.3.0-5.16.1 | | | [3241047](#3241047)
| When you delete a route under the following conditions, switchd might crash:- The minimum number of routes is set to a non-zero value
- KVD utilization is higher than sixty percent
- The number of routes currently configured is less than the minimum reserved value, and multiple KVD linear resources have just been freed and are waiting in the Garbage Collector queue. | 5.2.0-5.3.1 | 5.4.0-5.16.1| | [3234814](#3234814)
| With double tagged QinQ interfaces, if the bridge corresponding to the QinQ interface flaps, you might see invalid learning notifications and errors from similar to the following:
Can't set non-static MAC address for non-vPort 0x0001006B when VID is VFID.
| 5.3.0-5.4.0 | 5.5.0-5.16.1| | [3234085](#3234085)
| When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash. | 5.0.1-5.3.1 | 4.3.2-4.4.5, 5.4.0-5.16.1| | [3226525](#3226525)
| When using TACACS+, if you configure per-command authorization with the tacplus-restrict command, NVUE configuration commands fail for any user with a privilege level lower than 15. This occurs because NVUE is not able to create a .local user directory. | 5.2.0-5.3.1 | 5.4.0-5.16.1| | [3226506](#3226506)
| The l1-show eth0 command does not show port information and is not supported in this release. | 5.3.0-5.16.1 | | -| [3221628](#3221628)
| Cumulus Linux VX images might include an incorrect entry at the end of /etc/apt/sources.list, which produces warnings when you run apt update. Remove this entry to avoid these warnings. | 5.2.0-5.6.0 | 5.7.0-5.16.1| +| [3221628, 3217877](#3221628, 3217877)
| Cumulus Linux VX images might include an incorrect entry at the end of /etc/apt/sources.list, which produces warnings when you run apt update. Remove this entry to avoid these warnings. | 5.2.0-5.6.0 | 5.7.0-5.16.1| | [3192808](#3192808)
| When a switch receives an LLDP frame from a Cisco router right after a ptmd restart, the ptmd service crashes. | 4.3.0-4.3.1, 4.4.0-4.4.5, 5.0.1-5.16.1 | 4.3.2| -| [3187469](#3187469)
| At high scale with 160 VRFs and 10 VLANs per VRF (a total of 1600 VLANs), you see traffic loss during primary switch reboot. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address. | 5.1.0-5.5.1 | 5.6.0-5.16.1| +| [3187469, 3188618](#3187469, 3188618)
| At high scale with 160 VRFs and 10 VLANs per VRF (a total of 1600 VLANs), you see traffic loss during primary switch reboot. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address. | 5.1.0-5.5.1 | 5.6.0-5.16.1| | [3178090](#3178090)
| The cl-support generation script causes TC filter collection to run as a background process for each interface, which can lead to memory exhaustion on a high scale configuration and on a switch with a small memory footprint. | 5.1.0-5.5.1 | 5.6.0-5.16.1| | [3172682](#3172682)
| On rare occasions, when you query the system hostname through the hostnamctl application, you see a timeout. NVUE uses the hostnamctl application to determine the system hostname, which can result in an nv config apply command failure. | 5.2.0-5.5.1 | 5.6.0-5.16.1| | [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.16.1 | | | [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.16.1 | | -| [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | +| [3145869, 3430508, 3543102](#3145869, 3430508, 3543102)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | | [3145222](#3145222)
| The NVUE nv show system forwarding --output json command does not provide any output. To work around this issue, run the nv show system forwarding command. | 5.2.0-5.3.1 | 5.4.0-5.16.1| | [3145204](#3145204)
| On the NVIDIA Spectrum-1 switch, the nv show system forwarding command shows GTP hashing output, which is not supported on this switch. | 5.2.0-5.4.0 | 5.5.0-5.16.1| -| [3144740](#3144740)
| The /var/lib/snmp/snmpd.conf file contains multiple Warning: Unknown token: ifXTable messages. To avoid these warnings, add the -noTokenWarnings option to the SNMPDOPTS variable in the /etc/defaults/snmpd file, then restart the snmpd service. | 5.2.0-5.4.0 | 5.5.0-5.16.1| +| [3144740, 3209923](#3144740, 3209923)
| The /var/lib/snmp/snmpd.conf file contains multiple Warning: Unknown token: ifXTable messages. To avoid these warnings, add the -noTokenWarnings option to the SNMPDOPTS variable in the /etc/defaults/snmpd file, then restart the snmpd service. | 5.2.0-5.4.0 | 5.5.0-5.16.1| | [3142615](#3142615)
| The BGP4-MIB.txt file is missing from Net-SNMP agent. | 5.0.0-5.4.0 | 5.5.0-5.16.1| | [3141826](#3141826)
| A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1)
1.3.6.1.2.1.47 --> Entity MIB
1.3.6.1.2.1.99 --> Entity Sensor MIB
1.3.6.1.2.1.23 --> rip2
1.3.6.1.2.1.2 --> interface/interfaces
1.3.6.1.2.1.31 --> ifMIB
1.3.6.1.2.1.4 --> IP
1.3.6.1.2.1.25 --> hostResource | 5.0.1-5.8.0 | 5.9.0-5.16.1| | [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example: 
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.16.1 | | @@ -125,19 +125,19 @@ pdfhidden: True | [3103821](#3103821)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.16.1 | | | [3084476](#3084476)
| After you disable traffic shaping in the /etc/cumulus/datapath/qos/qos_features.conf file, the default QOS traffic shaping configuration does not restore. To work around this issue, restart switchd. | 4.4.3, 5.0.0-5.16.1 | 4.4.4-4.4.5| | [3084027](#3084027)
| Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware. | 4.3.0-4.4.5, 5.0.0-5.16.1 | | -| [3074390](#3074390)
| You can not apply NVUE configurations when TACACS is enabled for user authentication. To work around this issue, add the nvue account to the exclude_users line in /etc/tacplus_nss.conf:
exclude_users=root,daemon,nobody,cron,radius_user,radius_priv_user,sshd,cumulus,quagga,frr,nvue,snmp,www-data,ntp,man,_lldpd,*
| 5.0.1-5.3.1 | 5.4.0-5.16.1| +| [3074390, 3055255, 2602877](#3074390, 3055255, 2602877)
| You can not apply NVUE configurations when TACACS is enabled for user authentication. To work around this issue, add the nvue account to the exclude_users line in /etc/tacplus_nss.conf:
exclude_users=root,daemon,nobody,cron,radius_user,radius_priv_user,sshd,cumulus,quagga,frr,nvue,snmp,www-data,ntp,man,_lldpd,*
| 5.0.1-5.3.1 | 5.4.0-5.16.1| | [3071652](#3071652)
| On rare occasions, after you reboot or restart switchd on a Spectrum 1 switch, any 25G connections with Direct Attach Copper (DAC) cables that connect from the switch to a non-NVIDIA device might flap continuously. To work around this issue, bring the affected link administratively down for a few seconds on the non-NVIDIA device, then bring the link back up. | 4.4.4-4.4.5, 5.1.0-5.16.1 | | -| [3069069](#3069069)
| When you run the systemctl reload switchd command, there is momentary traffic loss after a port configured with lossless buffers goes down. This is only temporary and the traffic stabilizes after the initial drops. | 5.1.0-5.5.1 | 5.6.0-5.16.1| +| [3069069, 3271536](#3069069, 3271536)
| When you run the systemctl reload switchd command, there is momentary traffic loss after a port configured with lossless buffers goes down. This is only temporary and the traffic stabilizes after the initial drops. | 5.1.0-5.5.1 | 5.6.0-5.16.1| | [3061656](#3061656)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.16.1 | | -| [3055283](#3055283)
| After you run Linux commands to enable a custom ECMP or LAG hash parameter, if you set the hash_config.enable or lag_hash_config.enable parameter to false, the custom parameters do not restore their default values. To work around this issue, change the custom ECMP or LAG hash parameters to their default values manually. | 5.1.0-5.4.0 | 5.5.0-5.16.1| +| [3055283, 3038763](#3055283, 3038763)
| After you run Linux commands to enable a custom ECMP or LAG hash parameter, if you set the hash_config.enable or lag_hash_config.enable parameter to false, the custom parameters do not restore their default values. To work around this issue, change the custom ECMP or LAG hash parameters to their default values manually. | 5.1.0-5.4.0 | 5.5.0-5.16.1| | [3045310](#3045310)
| If GTP Hashing is set to true, after more than two warm boots, switchd fails and a cl-support file is generated. | 5.1.0-5.4.0 | 5.5.0-5.16.1| | [3037824](#3037824)
| The NVUE nv show interface link state command shows an empty table instead of showing the port link state. | 5.0.0-5.3.1 | 5.4.0-5.16.1| -| [3034435](#3034435)
| In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community. | 4.4.4-5.4.0 | 5.5.0-5.16.1| +| [3034435, 3101184](#3034435, 3101184)
| In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community. | 4.4.4-5.4.0 | 5.5.0-5.16.1| | [3015393](#3015393)
| The NVUE nv show interface command shows the operational state of the tunnel as down even though the tunnel is up, and encapsulation and decapsulation occurs correctly. | 5.1.0-5.3.1 | 5.4.0-5.16.1| | [2972540](#2972540)
| With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.16.1 | | | [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.16.1 | | -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [2885305](#2885305)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2885305, 2887500, 3234087, 3074929, 3293192](#2885305, 2887500, 3234087, 3074929, 3293192)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.16.1 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.16.1 | | | [2821929](#2821929)
| FRR restarts even when the NVUE configuration overwrite mode is set. | 5.0.0-5.3.1 | 5.4.0-5.16.1| @@ -158,18 +158,18 @@ pdfhidden: True |--- |--- |--- |--- | | [4797691](#4797691)
| The message that the switch displays when you generate a cl-support file or as a post login banner contains an invalid Cumulus Support email address, which is no longer the formal channel for reporting support issues. | 5.0.0-5.9.4, 5.15.1 | 5.9.5, 5.16.0-5.16.1| | [4647646](#4647646)
| If you configure policy-based routing (PBR) rules for more than 32 interfaces, only the rules assigned to the first 32 interfaces are installed in the kernel. | 4.4.2-5.14.0 | 5.15.0-5.16.1| -| [4413450](#4413450)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.11.1, 5.13.0-5.13.1 | 5.11.2, 5.14.0-5.16.1| +| [4413450, 4497128](#4413450, 4497128)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.11.1, 5.13.0-5.13.1 | 5.11.2, 5.14.0-5.16.1| | [4377862](#4377862)
| When processing the static IP assignment for an interface previously managed through DHCP, Cumulus Linux fails to clean up the DHCP created state completely. As a result when the IP address assigned by DHCP earlier expires, the switch eventually loses connectivity. | 5.1.0-5.9.3 | 5.9.4-5.16.1, 5.11.2-5.16.1, 5.13.0-5.16.1| | [4004453](#4004453)
| The NVUE commands to delete SNMP users, and change authentication passwords and encryption passphrases are not successful. | 4.3.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3927016](#3927016)
| Following an EVPN extended mobility event, where a host with IP address A and MAC address A moves within the fabric and now resides at IP address A and MAC address B, you might see traffic destined to this host experience drops as the flow is software forwarded on the egress VTEP. | 5.0.1-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| -| [3895042](#3895042)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| +| [3895042, 3895041](#3895042, 3895041)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3859422](#3859422)
| On rare occasions when certain events occur, such as changes to the topology in the network, when a bond comes online and directly transits to an STP blocking state, the slave ports might still be in a forwarding state. As a result, traffic is forwarded on a blocked port. | 5.2.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3773177](#3773177)
| When you try to upgrade a switch from Cumulus Linux before 5.6.0 with package upgrade, you might see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.
cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt install ./cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt update
cumulus@switch:~$ sudo apt upgrade
| 4.0.0-4.4.5, 5.0.0-5.16.1 | | | [3713419](#3713419)
| When monitoring system statistics and network traffic with sFlow, an aggressive link flap might produce a memory leak in the sFlow service hsflowd. | 5.1.0-5.7.0 | 5.8.0-5.16.1| | [3696061](#3696061)
| When the MAC address of a neighbor changes, the zebra IP routing manager might crash. | 5.2.1-5.6.0 | 5.7.0-5.16.1| | [3684998](#3684998)
| DHCP lease information is not collected in the cl-support file. | 4.3.0-5.6.0 | 5.7.0-5.16.1| | [3613258](#3613258)
| With VM migration from one VTEP to another, traffic loss might occur during a MAC move as locally learned MAC addresses are frequently refreshed between switchd and the kernel. | 5.2.1-5.6.0 | 5.7.0-5.16.1| -| [3610967](#3610967)
| In an EVPN symmetric routing configuration, running the NVUE nv set vrf vlan auto command to derive layer 3 VNIs automatically might result in duplicate VLAN entries in the system. This most often occurs at scale when many VRFs have similar names. To work around this issue, manually specify a unique VLAN for each VRF. | 5.3.0-5.8.0 | 5.9.0-5.16.1| +| [3610967, 3647761](#3610967, 3647761)
| In an EVPN symmetric routing configuration, running the NVUE nv set vrf vlan auto command to derive layer 3 VNIs automatically might result in duplicate VLAN entries in the system. This most often occurs at scale when many VRFs have similar names. To work around this issue, manually specify a unique VLAN for each VRF. | 5.3.0-5.8.0 | 5.9.0-5.16.1| | [3585467](#3585467)
| NVUE and ip link show traditional bridge VLAN subinterface counts incorrectly. The ingress (Rx) count increments correctly but the egress (Tx) count does not increment. This issues occurs because the hardware does not support transmit counters for a VLAN subinterface; therefore, no statistics from the hardware are updated. Statistics for software forwarded packets show correctly. | 5.0.0-5.6.0 | 5.7.0-5.16.1| | [3562767](#3562767)
| ACLs do not process inbound DHCP packets and the packets do not contribute to ACL counters | 5.2.0-5.4.0 | 5.5.0-5.16.1| | [3560622](#3560622)
| When you configure a route distinguisher (RD) or a route target (RT) manually for layer 2 VNIs, type-1 routes are not properly updated, type-1 EVI routes with the old RD are not properly withdrawn, and type-1 ES routes do not have the corresponding layer 2 VNI route target updated. | 5.0.0-5.5.1 | 5.6.0-5.16.1| @@ -179,17 +179,17 @@ pdfhidden: True | [3484058](#3484058)
| When you power on the NVIDIA SN3420 switch with no connected cables, the QSFP ports LEDs light in amber. | 5.3.0-5.8.0 | 5.9.0-5.16.1| | [3482006](#3482006)
| If FRR learns a layer 2 entry against a VNI and you reconfigure the VNI later as a layer 3 VNI, the original layer 2 entry does not clear and remains in the forwarding database. | 5.0.0-5.5.1 | 4.3.2-4.4.5, 5.6.0-5.16.1| | [3479786](#3479786)
| The switchd service does not handle certain route and next hop updates, which causes a synchronization loop. For example, in a VRF route leaking configuration, where a next hop group spans across multiple VRFs, when one of the routes is withdrawn and the next hop is no longer used, switchd has problems synchronizing other next hops in the group
To work around this issue, disable next hop groups in zebra with the vtysh zebra nexthop proto only command, and then reboot the switch. | 5.3.0-5.5.1 | 5.6.0-5.16.1| -| [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.16.1| +| [3474391, 3479772](#3474391, 3479772)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.16.1| | [3474352](#3474352)
| On the NVIDIA SN4700 switch, reversing the upper four lanes on a port does not work and might cause link degradation. If you swap between the upper and lower four lanes on a port, the firmware gets stuck. | 5.3.0-5.5.1 | 5.6.0-5.16.1| | [3467890](#3467890)
| BGP aggregate routers are not advertised after learning the same route from another protocol. To work around this issue, restart the FRR service or, if possible, don't learn the route from another protocol (use route maps instead). | 5.3.0-5.5.1 | 5.6.0-5.16.1| | [3466703](#3466703)
| In rare cases when there is high load, the clagd service might experience a buffer overflow and MLAG bonds stay in a proto-down state on the secondary switch. You see a "NetlinkThread: Netlink overflow" log message and the MLAG state indicates VLAN conflicts between peers. To work around this issue, restart the clagd service with the sudo systemctl restart clagd command on the switch that reports the overflow log message. | 5.2.0-5.5.1 | 5.6.0-5.16.1| | [3445841](#3445841)
| FRR does not apply Type-0 ESI configuration for EVPN multihoming bonds consistently after an FRR service reload. This issue occurs because the system MAC address value (es-sys-mac) is only compatible with a 3-byte Ethernet segment ID (es-id) for Type-3 ESIs, but still renders even when the Ethernet segment ID is 10 bytes for Type-0 ESIs. To work around this issue, configure EVPN multihoming bonds with a Type-3 ESI (es-sys-mac plus a 3-byte es-id). | 5.0.0-5.6.0 | 5.7.0-5.16.1| | [3432897](#3432897)
| When you remove the restriction from a TACACS+ mapped user to remove per command authorization, the tacplus-restrict -R command does not restore ownership of restored files correctly. As a result, some commands might fail due to permission errors in the files or directories under the home directory. To work around this issue, run the sudo chown command to correct the ownership of the affected files and directories. | 5.0.0-5.4.0 | 5.5.0-5.16.1| | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.16.1| -| [3428677](#3428677)
| In certain cases, Cumulus Linux does not process next hop updates because the zebra IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state. | 5.3.0-5.6.0 | 5.7.0-5.16.1| -| [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | +| [3428677, 3437317](#3428677, 3437317)
| In certain cases, Cumulus Linux does not process next hop updates because the zebra IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state. | 5.3.0-5.6.0 | 5.7.0-5.16.1| +| [3424967, 3413785](#3424967, 3413785)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [3413785](#3413785)
| To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.5.1 | 5.6.0-5.16.1| +| [3413785, 3424967](#3413785, 3424967)
| To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.5.1 | 5.6.0-5.16.1| | [3388067](#3388067)
| TACACS+ packages in the local apt repository might be out of date; as a result, the upgrade does not install tacacs0 through tacacs15 users in the correct NVUE groups. When you run NVUE commands as a TACACS+ user, the commands fail and you see the error You do not have permission to execute that command
To obtain the correct packages, install the tacplus-client package and its dependencies from apt.cumulusnetworks.com. | 5.1.0-5.4.0 | 5.5.0-5.16.1| | [3379873](#3379873)
| apt source linux fails to download the Linux kernel source code. To work around this issue, run the sudo apt update && sudo apt install linux-source-5.10 command or download the desired version from https://apt.cumulusnetworks.com/repo/pool/cumulus/l/linux/ and install it with the sudo dpkg -i $filename command. The source code in a tar.xz file will then be located in the /usr/src/ directory. | 5.2.0-5.4.0 | 5.5.0-5.16.1| | [3375071](#3375071)
| On the NVIDIA SN2010 and SN2100 switch, smond indicates that the FAN status is BAD and syslog is flooded with Path /run/hw-management/thermal/fan1_status does not exist errors. When you run the smonctl -v command, the TEMP on switch looks OK
cumulus@switch:~$ smonctl -vFan1(Fan 1): BAD fan:6931 RPM (max = 25000 RPM, min = 4500 RPM, limit_variance = 15%)Fan2(Fan 2): BAD fan:6619 RPM (max = 25000 RPM, min = 4500 RPM, limit_variance = 15%)Fan3(Fan 3): BAD fan:6931 RPM (max = 25000 RPM, min = 4500 RPM, limit_variance = 15%)Fan4(Fan 4): BAD fan:6720 RPM (max = 25000 RPM, min = 4500 RPM, limit_variance = 15%)
| 5.1.0-5.4.0 | 5.5.0-5.16.1| @@ -198,52 +198,52 @@ pdfhidden: True | [3351936](#3351936)
| Switch fans run at very high speed but the temperature is normal. | 5.2.0-5.3.1 | 5.4.0-5.16.1| | [3350789](#3350789)
| NVUE deprecated the port split command options (2x10G, 2x25G, 2x40G, 2x50G, 2x100G, 2x200G, 4x10G, 4x25G, 4x50G, 4x100G, 8x50G) with no backwards compatibility. | 5.0.0-5.4.0 | 5.5.0-5.16.1| | [3349207](#3349207)
| The switch does not learn MAC addresses from DHCP packets. When a DHCP enabled host is plugged in for the first time, it tries to obtain an IP address through DHCP. The switch does not learn the MAC address of the host when it receives these DHCP packets; therefore, the host MAC address is not updated in the local forwarding database and it does not get advertised across EVPN. The switch learns the MAC address when it receives other packets, such as ARP or ND from the host. To work around this issue, either configure a temporary IP address on the host to initiate ARP/ND or enable IPv6, which sends ND after link local address creation. | 5.2.0-5.4.0 | 5.5.0-5.16.1| -| [3347677](#3347677)
| In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown. | 5.1.0-5.6.0 | 5.7.0-5.16.1| +| [3347677, 3180068](#3347677, 3180068)
| In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown. | 5.1.0-5.6.0 | 5.7.0-5.16.1| | [3340890](#3340890)
| When you run the NVUE nv show interface command, you see an error similar to the following:
Error: GET /nvue_v1/interface/swp45?rev=operational responded with 500 INTERNAL SERVER ERROR
| 5.3.0-5.4.0 | 5.5.0-5.16.1| -| [3339336](#3339336)
| The ethtool -m command does not show Digital Optical Monitoring (DOM) for SFP transceivers. To work around this issue, run the l1-show or mlxlink command instead. | 5.2.0-5.3.1 | 5.4.0-5.16.1| +| [3339336, 3336807](#3339336, 3336807)
| The ethtool -m command does not show Digital Optical Monitoring (DOM) for SFP transceivers. To work around this issue, run the l1-show or mlxlink command instead. | 5.2.0-5.3.1 | 5.4.0-5.16.1| | [3334275](#3334275)
| When you run the sensors command, the output shows an erroneous fault on some front panel ports. | 5.2.0-5.7.0 | 5.8.0-5.16.1| | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | 5.4.0-5.16.1| -| [3330600](#3330600)
| The SNMP monitor might fail to send the expected traps. | 5.3.0-5.3.1 | 5.4.0-5.16.1| +| [3330600, 3330601, 3255756, 3326018](#3330600, 3330601, 3255756, 3326018)
| The SNMP monitor might fail to send the expected traps. | 5.3.0-5.3.1 | 5.4.0-5.16.1| | [3329096](#3329096)
| The traffic control rules that the EVPN multihoming configuration adds to an interface are deleted when the hsflowd service restarts. The hsflowd service deletes the EVPN multihoming traffic control filters after you stop hsflowd, then adds back the match-all filters with the psample action; however, hsflowd does not add back the EVPN multihoming traffic control rules. | 5.0.0-5.3.1 | 5.4.0-5.16.1| | [3327477](#3327477)
| If you use su to change to a user specified through TACACS+, the user becomes the local tacacs0 thru tacacs15 user instead of the named user to run sudo commands. As a result, the named user password might not match the local tacacs0 thru tacacs15 user password. | 3.7.0-3.7.16, 4.0.0-4.4.5, 5.0.0-5.16.1 | | -| [3322944](#3322944)
| The ptmd service causes memory leaks. | 5.3.0-5.3.1 | 5.4.0-5.16.1| +| [3322944, 3456051](#3322944, 3456051)
| The ptmd service causes memory leaks. | 5.3.0-5.3.1 | 5.4.0-5.16.1| | [3320571](#3320571)
| The sensors.conf files in Cumulus Linux are out of date. | 5.2.0-5.3.1 | 5.4.0-5.16.1| | [3308248](#3308248)
| DHCP packets do not forward over VXLAN interfaces in multicast replication environments. This issue does not affect VXLAN environments using head end replication (HER). | 5.2.0-5.3.1 | 5.4.0-5.16.1| | [3303372](#3303372)
| On Spectrum-2 switches, 200G ports might flap. This issue happens rarely. | 5.3.0 | 5.3.1-5.16.1| -| [3303084](#3303084)
| The memory consumption in ptmd can grow when the socket being used for a BFD session needs to be recreated. This is often seen when the route being used to forward the BFD packets is removed; for example, if the connected route is removed when an interface goes down, over which a single hop BFD session is formed. | 5.3.0-5.3.1 | 5.4.0-5.16.1| +| [3303084, 3289646, 3456051](#3303084, 3289646, 3456051)
| The memory consumption in ptmd can grow when the socket being used for a BFD session needs to be recreated. This is often seen when the route being used to forward the BFD packets is removed; for example, if the connected route is removed when an interface goes down, over which a single hop BFD session is formed. | 5.3.0-5.3.1 | 5.4.0-5.16.1| | [3303082](#3303082)
| When you delete a route under the following conditions, switchd might crash:
- The minimum number of routes is set to a non-zero value.
- KVD utilization is higher than sixty percent.
- The number of routes currently configured is less than the minimum reserved value, and multiple KVD linear resources have just been freed and are waiting in the Garbage Collector queue. | 5.2.0-5.3.0 | 5.3.1-5.16.1| | [3301988](#3301988)
| Some EVPN multihoming show commands might cause BGP to crash if you use the json flag and attempt to reference the default VRF by name. For example, show bgp l2vpn evpn es-vrf json. | 5.0.0-5.3.1 | 5.4.0-5.16.1| | [3301950](#3301950)
| When upgrading from Cumulus Linux 5.0.0 thru 5.2.1 to Cumulus Linux 5.3.0 or 5.3.1, the babeltrace and python3-babeltrace packages are not added automatically even though they are in the default image in Cumulus Linux 5.3.0 and later. You may need these packages to decode LTTNG traces with /usr/lib/frr/frr_babeltrace.py.. If you need to use this script, run the sudo apt update && sudo apt install babeltrace python3-babeltrace command to install the packages. | 5.3.0-5.3.1 | 5.4.0-5.16.1| -| [3298616](#3298616)
| NVUE gracefully detects and handles upgrades that include valid flexible snippets. For any invalid (incompatible) flexible snippets, you must delete the snippets before you apt upgrade Cumulus Linux; otherwise, the NVUE nv config apply command and the equivalent REST API, do not run. | 5.3.0-5.3.1 | 5.4.0-5.16.1| +| [3298616, 3047290, 3324961](#3298616, 3047290, 3324961)
| NVUE gracefully detects and handles upgrades that include valid flexible snippets. For any invalid (incompatible) flexible snippets, you must delete the snippets before you apt upgrade Cumulus Linux; otherwise, the NVUE nv config apply command and the equivalent REST API, do not run. | 5.3.0-5.3.1 | 5.4.0-5.16.1| | [3296715](#3296715)
| When you clear interface counters with the ethtool -S clear command, the command fails with the following message:
switch:~$ ethtool -S swp1 clearethtool (-S): unknown parameter 'clear'
| 5.2.0-5.3.1 | 5.4.0-5.16.1| | [3293114](#3293114)
| In Cumulus Linux 5.4 and earlier, the command to enable Neighbor Discovery (ND) router advertisement is inverted and causes confusion; nv set interface ip neighbor-discovery router-advertisement enable off. In Cumulus Linux 5.5 and later, the command to enable router advertisement is updated to nv set interface ip neighbor-discovery router-advertisement enable on. | 5.3.0-5.5.1 | 5.6.0-5.16.1| | [3293039](#3293039)
| When you add the /etc/frr/frr.conf file to the ignore list for NVUE, any configuration change causes FRR to restart because a check is done to see if any running configuration has changed since the previously applied configuration in the vtysh shell. | 5.3.0-5.3.1 | 5.4.0-5.16.1| -| [3292773](#3292773)
| NVUE requires the SNMPv2 community string to be a minimum of eight characters. | 5.3.0-5.3.1 | 5.4.0-5.16.1| -| [3289646](#3289646)
| The memory consumption in ptmd can grow when the socket being used for a BFD session needs to be recreated. This is often seen when the route being used to forward BFD packets is removed; for example, if the connected route is removed when an interface goes down, over which a single hop BFD session is formed. | 5.2.0-5.3.1 | 5.4.0-5.16.1| +| [3292773, 3159654](#3292773, 3159654)
| NVUE requires the SNMPv2 community string to be a minimum of eight characters. | 5.3.0-5.3.1 | 5.4.0-5.16.1| +| [3289646, 3303084](#3289646, 3303084)
| The memory consumption in ptmd can grow when the socket being used for a BFD session needs to be recreated. This is often seen when the route being used to forward BFD packets is removed; for example, if the connected route is removed when an interface goes down, over which a single hop BFD session is formed. | 5.2.0-5.3.1 | 5.4.0-5.16.1| | [3267328](#3267328)
| On Spectrum 1 switches when configuring ACLs in non-atomic mode, if there are too many IPv6 matches due to rules with both input-interface and output-interface matches on SVIs, the ACL install fails and switchd crashes. | 5.2.0-5.3.1 | 5.4.0-5.16.1| | [3266197](#3266197)
| When you disable BGP globally with the nv set router bgp enable off command, applying the configuration with NVUE might fail due to an FRR reload failure. | 5.2.0-5.6.0 | 5.7.0-5.16.1| | [3266050](#3266050)
| Due to a race at the initial configuration, the SDK RDQ test may test RDQ configured for WJH and fail the test resulting in a fatal health event. | 5.2.0-5.3.1 | 5.4.0-5.16.1| | [3264269](#3264269)
| When you change the BGP router ID that causes a change to an EVPN VNI RD, EVPN EAD-per-EVI routes are not updated properly. | 5.3.0-5.6.0 | 5.7.0-5.16.1| | [3262012](#3262012)
| When an FRR routing service (such as bgpd) becomes unresponsive, watchfrr might fail to stop and restart service. To work around this issue, restart FRR with the systemctl restart frr command. | 4.4.0-5.3.1 | 5.4.0-5.16.1| | [3258232](#3258232)
| If you use NVUE to configure multiple SNMP listener addresses at the same time, the SNMP service fails to start. To work around this issue, configure multiple SNMP listener addresses one at a time. | 5.3.0-5.6.0 | 5.7.0-5.16.1| -| [3255899](#3255899)
| The Linux utility that sends ARP packets is constrained to 512 interfaces on the system. In large scale deployments, the warm boot process fails repeatedly as it sends gratuitous ARP requests for each local address. This issue does not impact the functionality and can be ignored. | 5.2.0-5.3.1 | 5.4.0-5.16.1| -| [3244955](#3244955)
| ACL configurations fail when the TCAM memory is exhausted because the CTCAM profile is configured with duplicate entries. | 5.2.0-5.3.1 | 5.4.0-5.16.1| +| [3255899, 3261883, 3255886](#3255899, 3261883, 3255886)
| The Linux utility that sends ARP packets is constrained to 512 interfaces on the system. In large scale deployments, the warm boot process fails repeatedly as it sends gratuitous ARP requests for each local address. This issue does not impact the functionality and can be ignored. | 5.2.0-5.3.1 | 5.4.0-5.16.1| +| [3244955, 3264678](#3244955, 3264678)
| ACL configurations fail when the TCAM memory is exhausted because the CTCAM profile is configured with duplicate entries. | 5.2.0-5.3.1 | 5.4.0-5.16.1| | [3241567](#3241567)
| When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time. | 5.3.0-5.16.1 | | | [3241047](#3241047)
| When you delete a route under the following conditions, switchd might crash:- The minimum number of routes is set to a non-zero value
- KVD utilization is higher than sixty percent
- The number of routes currently configured is less than the minimum reserved value, and multiple KVD linear resources have just been freed and are waiting in the Garbage Collector queue. | 5.2.0-5.3.1 | 5.4.0-5.16.1| | [3234814](#3234814)
| With double tagged QinQ interfaces, if the bridge corresponding to the QinQ interface flaps, you might see invalid learning notifications and errors from similar to the following:
Can't set non-static MAC address for non-vPort 0x0001006B when VID is VFID.
| 5.3.0-5.4.0 | 5.5.0-5.16.1| | [3234085](#3234085)
| When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash. | 5.0.1-5.3.1 | 4.3.2-4.4.5, 5.4.0-5.16.1| | [3226525](#3226525)
| When using TACACS+, if you configure per-command authorization with the tacplus-restrict command, NVUE configuration commands fail for any user with a privilege level lower than 15. This occurs because NVUE is not able to create a .local user directory. | 5.2.0-5.3.1 | 5.4.0-5.16.1| | [3226506](#3226506)
| The l1-show eth0 command does not show port information and is not supported in this release. | 5.3.0-5.16.1 | | -| [3221628](#3221628)
| Cumulus Linux VX images might include an incorrect entry at the end of /etc/apt/sources.list, which produces warnings when you run apt update. Remove this entry to avoid these warnings. | 5.2.0-5.6.0 | 5.7.0-5.16.1| -| [3187469](#3187469)
| At high scale with 160 VRFs and 10 VLANs per VRF (a total of 1600 VLANs), you see traffic loss during primary switch reboot. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address. | 5.1.0-5.5.1 | 5.6.0-5.16.1| +| [3221628, 3217877](#3221628, 3217877)
| Cumulus Linux VX images might include an incorrect entry at the end of /etc/apt/sources.list, which produces warnings when you run apt update. Remove this entry to avoid these warnings. | 5.2.0-5.6.0 | 5.7.0-5.16.1| +| [3187469, 3188618](#3187469, 3188618)
| At high scale with 160 VRFs and 10 VLANs per VRF (a total of 1600 VLANs), you see traffic loss during primary switch reboot. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address. | 5.1.0-5.5.1 | 5.6.0-5.16.1| | [3178090](#3178090)
| The cl-support generation script causes TC filter collection to run as a background process for each interface, which can lead to memory exhaustion on a high scale configuration and on a switch with a small memory footprint. | 5.1.0-5.5.1 | 5.6.0-5.16.1| | [3172682](#3172682)
| On rare occasions, when you query the system hostname through the hostnamctl application, you see a timeout. NVUE uses the hostnamctl application to determine the system hostname, which can result in an nv config apply command failure. | 5.2.0-5.5.1 | 5.6.0-5.16.1| | [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.16.1 | | | [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.16.1 | | -| [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | +| [3145869, 3430508, 3543102](#3145869, 3430508, 3543102)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | | [3145222](#3145222)
| The NVUE nv show system forwarding --output json command does not provide any output. To work around this issue, run the nv show system forwarding command. | 5.2.0-5.3.1 | 5.4.0-5.16.1| | [3145204](#3145204)
| On the NVIDIA Spectrum-1 switch, the nv show system forwarding command shows GTP hashing output, which is not supported on this switch. | 5.2.0-5.4.0 | 5.5.0-5.16.1| -| [3144740](#3144740)
| The /var/lib/snmp/snmpd.conf file contains multiple Warning: Unknown token: ifXTable messages. To avoid these warnings, add the -noTokenWarnings option to the SNMPDOPTS variable in the /etc/defaults/snmpd file, then restart the snmpd service. | 5.2.0-5.4.0 | 5.5.0-5.16.1| +| [3144740, 3209923](#3144740, 3209923)
| The /var/lib/snmp/snmpd.conf file contains multiple Warning: Unknown token: ifXTable messages. To avoid these warnings, add the -noTokenWarnings option to the SNMPDOPTS variable in the /etc/defaults/snmpd file, then restart the snmpd service. | 5.2.0-5.4.0 | 5.5.0-5.16.1| | [3142615](#3142615)
| The BGP4-MIB.txt file is missing from Net-SNMP agent. | 5.0.0-5.4.0 | 5.5.0-5.16.1| | [3141826](#3141826)
| A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1)
1.3.6.1.2.1.47 --> Entity MIB
1.3.6.1.2.1.99 --> Entity Sensor MIB
1.3.6.1.2.1.23 --> rip2
1.3.6.1.2.1.2 --> interface/interfaces
1.3.6.1.2.1.31 --> ifMIB
1.3.6.1.2.1.4 --> IP
1.3.6.1.2.1.25 --> hostResource | 5.0.1-5.8.0 | 5.9.0-5.16.1| | [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example: 
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.16.1 | | @@ -251,19 +251,19 @@ pdfhidden: True | [3103821](#3103821)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.16.1 | | | [3084476](#3084476)
| After you disable traffic shaping in the /etc/cumulus/datapath/qos/qos_features.conf file, the default QOS traffic shaping configuration does not restore. To work around this issue, restart switchd. | 4.4.3, 5.0.0-5.16.1 | 4.4.4-4.4.5| | [3084027](#3084027)
| Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware. | 4.3.0-4.4.5, 5.0.0-5.16.1 | | -| [3074390](#3074390)
| You can not apply NVUE configurations when TACACS is enabled for user authentication. To work around this issue, add the nvue account to the exclude_users line in /etc/tacplus_nss.conf:
exclude_users=root,daemon,nobody,cron,radius_user,radius_priv_user,sshd,cumulus,quagga,frr,nvue,snmp,www-data,ntp,man,_lldpd,*
| 5.0.1-5.3.1 | 5.4.0-5.16.1| +| [3074390, 3055255, 2602877](#3074390, 3055255, 2602877)
| You can not apply NVUE configurations when TACACS is enabled for user authentication. To work around this issue, add the nvue account to the exclude_users line in /etc/tacplus_nss.conf:
exclude_users=root,daemon,nobody,cron,radius_user,radius_priv_user,sshd,cumulus,quagga,frr,nvue,snmp,www-data,ntp,man,_lldpd,*
| 5.0.1-5.3.1 | 5.4.0-5.16.1| | [3071652](#3071652)
| On rare occasions, after you reboot or restart switchd on a Spectrum 1 switch, any 25G connections with Direct Attach Copper (DAC) cables that connect from the switch to a non-NVIDIA device might flap continuously. To work around this issue, bring the affected link administratively down for a few seconds on the non-NVIDIA device, then bring the link back up. | 4.4.4-4.4.5, 5.1.0-5.16.1 | | -| [3069069](#3069069)
| When you run the systemctl reload switchd command, there is momentary traffic loss after a port configured with lossless buffers goes down. This is only temporary and the traffic stabilizes after the initial drops. | 5.1.0-5.5.1 | 5.6.0-5.16.1| +| [3069069, 3271536](#3069069, 3271536)
| When you run the systemctl reload switchd command, there is momentary traffic loss after a port configured with lossless buffers goes down. This is only temporary and the traffic stabilizes after the initial drops. | 5.1.0-5.5.1 | 5.6.0-5.16.1| | [3061656](#3061656)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.16.1 | | -| [3055283](#3055283)
| After you run Linux commands to enable a custom ECMP or LAG hash parameter, if you set the hash_config.enable or lag_hash_config.enable parameter to false, the custom parameters do not restore their default values. To work around this issue, change the custom ECMP or LAG hash parameters to their default values manually. | 5.1.0-5.4.0 | 5.5.0-5.16.1| +| [3055283, 3038763](#3055283, 3038763)
| After you run Linux commands to enable a custom ECMP or LAG hash parameter, if you set the hash_config.enable or lag_hash_config.enable parameter to false, the custom parameters do not restore their default values. To work around this issue, change the custom ECMP or LAG hash parameters to their default values manually. | 5.1.0-5.4.0 | 5.5.0-5.16.1| | [3045310](#3045310)
| If GTP Hashing is set to true, after more than two warm boots, switchd fails and a cl-support file is generated. | 5.1.0-5.4.0 | 5.5.0-5.16.1| | [3037824](#3037824)
| The NVUE nv show interface link state command shows an empty table instead of showing the port link state. | 5.0.0-5.3.1 | 5.4.0-5.16.1| -| [3034435](#3034435)
| In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community. | 4.4.4-5.4.0 | 5.5.0-5.16.1| +| [3034435, 3101184](#3034435, 3101184)
| In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community. | 4.4.4-5.4.0 | 5.5.0-5.16.1| | [3015393](#3015393)
| The NVUE nv show interface command shows the operational state of the tunnel as down even though the tunnel is up, and encapsulation and decapsulation occurs correctly. | 5.1.0-5.3.1 | 5.4.0-5.16.1| | [2972540](#2972540)
| With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.16.1 | | | [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.16.1 | | -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [2885305](#2885305)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2885305, 2887500, 3234087, 3074929, 3293192](#2885305, 2887500, 3234087, 3074929, 3293192)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.16.1 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.16.1 | | | [2821929](#2821929)
| FRR restarts even when the NVUE configuration overwrite mode is set. | 5.0.0-5.3.1 | 5.4.0-5.16.1| @@ -282,15 +282,15 @@ pdfhidden: True | [3227905](#3227905)
| PTP forced master mode does not work. To work around this issue, change masterOnly to serverOnly in the /etc/ptp4l.conf file. | 5.2.0-5.2.1 | | | [3227895](#3227895)
| The match evpn default-route setting does not filter the default route correctly. | | | | [3227677](#3227677)
| When daylight saving time changes the time, the MLAG initDelay timer resets and all MLAG bonds go down. | 4.4.4-5.2.1 | | -| [3227651](#3227651)
| Docker commands can cause Cumulus Linux commands to fail. apt upgrade can also fail if you use Docker commands implicitly. To work around this issue, run ulimit -v unlimited before running Docker commands or running apt upgrade. | 5.2.0-5.2.1 | | +| [3227651, 3528122](#3227651, 3528122)
| Docker commands can cause Cumulus Linux commands to fail. apt upgrade can also fail if you use Docker commands implicitly. To work around this issue, run ulimit -v unlimited before running Docker commands or running apt upgrade. | 5.2.0-5.2.1 | | | [3218207](#3218207)
| Certain routes on tenant VRFs have missing next hop entries because the router MAC address is missing in the bridge forwarding database table that corresponds to the remote VTEP. As a result, traffic forwarding is affected for these routes. | 4.3.0-5.2.1 | | | [3217675](#3217675)
| When you run the NVUE nv set bridge domain br_default multicast snooping enable off command to disable multicast snooping, the bridge still shows that multicast snooping is enabled. | 5.0.1-5.2.1 | | | [3217674](#3217674)
| Multicast PTP over UDP traffic does not forward to data ports when the PTP service is disabled. To work around this issue, change the ptp.timestamping setting to FALSE in the /etc/cumulus/switchd.conf file, then restart switchd. | 5.0.1-5.2.1 | | | [3216922](#3216922)
| RADIUS authenticated users with read-only access to NCLU commands (users in the users_with_show list) can run edit commands if a username for a non-local account is on the users_with_edit line of the /etc/netd.conf file. To work around this issue, make sure that all usernames on the users_with_edit line of the /etc/netd.conf file are configured local users for the system (real Linux users)
| 3.7.0-4.3.0, 4.4.0-5.2.1 | | -| [3211114](#3211114)
| After an abrupt power cycle, the nvued service might fail to start due to NVUE internal data corruption
This issue has been resolved with the addition of an automatic backup feature, which is enabled by default; if NVUE detects an internal data store corruption, the nvued service recovers from the backup. | 5.2.0-5.2.1 | | +| [3211114, 3221639](#3211114, 3221639)
| After an abrupt power cycle, the nvued service might fail to start due to NVUE internal data corruption
This issue has been resolved with the addition of an automatic backup feature, which is enabled by default; if NVUE detects an internal data store corruption, the nvued service recovers from the backup. | 5.2.0-5.2.1 | | | [3211054](#3211054)
| On the NVIDIA Spectrum-2 switch, when receiving multicast traffic on a PIM enabled VLAN, the multicast traffic is forwarded correctly to the associated VLAN, however WJH shows traffic loss with the error:

Packet size is larger than router interface MTU – Validate the router interface MTU configuration
| 4.4.2-5.2.1 | | -| [3205859](#3205859)
| On the NVIDIA SN3700 and SN4600 switch, the fans run at very high speed but the temperature sensor readings are within an acceptable range. | 5.2.0-5.2.1 | | -| [3205858](#3205858)
| Ports might experience intermittent I2C EEPROM read problems, which result in blinking amber LEDs and incorrect ethtool output. | 5.2.0-5.2.1 | | +| [3205859, 3204485, 3205622](#3205859, 3204485, 3205622)
| On the NVIDIA SN3700 and SN4600 switch, the fans run at very high speed but the temperature sensor readings are within an acceptable range. | 5.2.0-5.2.1 | | +| [3205858, 3205856](#3205858, 3205856)
| Ports might experience intermittent I2C EEPROM read problems, which result in blinking amber LEDs and incorrect ethtool output. | 5.2.0-5.2.1 | | | [3205012](#3205012)
| The NVIDIA SN4600 switch might experience SDK errors caused by the garbage collection process. | 5.1.0-5.2.1 | | | [3204533](#3204533)
| At high scale with 79 VRFs and 10 VLANs per VRF (a total of 790 VLANs), clagd loses backup connection during a switchd restart. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address. | 5.1.0-5.2.1 | | | [3202991](#3202991)
| Locally generated multicast traffic including IGMPv2 GSQs do not transmit to local clients when using PIM. | 5.0.1-5.2.1 | | @@ -301,7 +301,7 @@ pdfhidden: True | [3188576](#3188576)
| IPv6 messages fill the /var/log/frr/frr.log files and logrotate is unable to clean up the old log files. As a result, a significant number of log files are never deleted, which fill up the file system. | 5.2.0-5.2.1 | | | [3187408](#3187408)
| Certain NUE commands produce an Invalid Command error. For example:
cumulus@switch:~$ nv set vrf default router bgp peer-group SPINE password CumulusLinux!Invalid Command: set vrf default router bgp peer-group SPINE password CumulusLinux!cumulus@switch:~$ nv set router policy route-map GLOBAL rule 10 description globalInvalid Command: set router policy route-map GLOBAL rule 10 description global
| 5.2.0-5.2.1 | | | [3180043](#3180043)
| The EVPN Multihoming ESI configuration command nv set interface evpn multihoming segment identifier does not work. | 5.1.0-5.2.1 | | -| [3177985](#3177985)
| When you run ZTP manually with the ztp -R command, then the ztp -vb command, the process stalls indefinitely while searching the local (USB) location and not using DHCP information. To work around this issue, run the ztp -r command with the URL of the ZTP server:
[Dec-08-17:09:58] root@switch:/home/cumulus#  ztp -r http://myztp.server.local/ztp
| 5.2.0-5.2.1 | | +| [3177985, 3298418](#3177985, 3298418)
| When you run ZTP manually with the ztp -R command, then the ztp -vb command, the process stalls indefinitely while searching the local (USB) location and not using DHCP information. To work around this issue, run the ztp -r command with the URL of the ZTP server:
[Dec-08-17:09:58] root@switch:/home/cumulus#  ztp -r http://myztp.server.local/ztp
| 5.2.0-5.2.1 | | | [3176318](#3176318)
| The NVUE nv set bridge domain br_default stp priority command does not change the STP priority. | 5.1.0-5.2.1 | | | [3171316](#3171316)
| Various FRR show commands do not have json output. This applies to BGP show commands ending in prefix-list, route-map, dampening parameters, and longer-prefixes. FRR show bgp detail output contains a summary instead of details on each prefix. FRR show bgp ... neighbor routes and show bgp ... neighbor received-routes both incorrectly use a json key of advertisedRoutes. | 5.2.0-5.2.1 | | | [3166746](#3166746)
| FRR does not install EVPN type-2 routes correctly after the specific operation that deletes and adds all non-uplink ports. The routes show as rejected in the zebra RIB. To work around this problem, restart FRR with the sudo systemctl restart frr command. | 5.1.0-5.2.1 | | diff --git a/content/cumulus-linux-53/rn.xml b/content/cumulus-linux-53/rn.xml index efd60ec5f2..b77671d32e 100644 --- a/content/cumulus-linux-53/rn.xml +++ b/content/cumulus-linux-53/rn.xml @@ -19,7 +19,7 @@ 5.9.5, 5.16.0-5.16.1 -4663076 +4663076, 3963232 When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. 5.3.1-5.9.4 5.9.5-5.16.1, 5.11.5-5.16.1, 5.15.0-5.16.1 @@ -37,7 +37,7 @@ 5.15.0-5.16.1 -4413450 +4413450, 4497128 When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. 5.0.0-5.11.1, 5.13.0-5.13.1 5.11.2, 5.14.0-5.16.1 @@ -61,7 +61,7 @@ 5.9.2-5.16.1, 5.10.0-5.16.1 -3949367 +3949367, 3949366 If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. 5.3.1-5.9.1 5.9.2-5.16.1, 5.10.0-5.16.1 @@ -73,7 +73,7 @@ 5.9.2-5.16.1, 5.10.0-5.16.1 -3895042 +3895042, 3895041 After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes: snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a This issue occurs because {{poectl}} is called on non-PoE switches. To work around this issue, remove or comment out the {{poetcl}} call from the {{/etc/snmpd.conf}} file, then restart the {{snmpd}} process with the {{sudo systemctl snmpd restart}} command. @@ -130,7 +130,7 @@ cumulus@switch:~$ sudo apt upgrade 5.7.0-5.16.1 -3610967 +3610967, 3647761 In an EVPN symmetric routing configuration, running the NVUE {{nv set vrf <vrf> vlan auto}} command to derive layer 3 VNIs automatically might result in duplicate VLAN entries in the system. This most often occurs at scale when many VRFs have similar names. To work around this issue, manually specify a unique VLAN for each VRF. 5.3.0-5.8.0 5.9.0-5.16.1 @@ -232,7 +232,7 @@ To work around this issue, disable next hop groups in zebra with the vtysh {{zeb 5.6.0-5.16.1 -3474391 +3474391, 3479772 The SNMP MIB definition file {{/usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt}} does not define the INDEX of the {{bgpPeerEntry}} correctly. This issue does not impact SNMP functionality for this MIB. 4.3.1-5.5.1 5.6.0-5.16.1 @@ -280,13 +280,13 @@ To work around this issue, disable next hop groups in zebra with the vtysh {{zeb 5.5.0-5.16.1 -3428677 +3428677, 3437317 In certain cases, Cumulus Linux does not process next hop updates because the {{zebra}} IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state. 5.3.0-5.6.0 5.7.0-5.16.1 -3424967 +3424967, 3413785 {{sudo}} for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the {{default}} VRF. To work around this issue, specify the interface name that the {{default}} VRF uses in the {{vrf=}} setting of the {{/etc/tacplus_servers}} file or run the NVUE {{nv set system aaa tacacs vrf}} command. If you don't run either command, a TACACS+ user with privilege level 15 can run {{vrf task exec default sudo ...}} to execute the {{sudo}} command. 5.0.0-5.16.1 @@ -299,13 +299,13 @@ The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 -3413785 +3413785, 3424967 To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE {{nv set system aaa tacacs vrf <interface>}} command (for example, {{nv set system aaa tacacs vrf swp51}}) or set the {{vrf=<interface>}} option in the {{/etc/tacplus_servers}} file (for example, {{vrf=swp51}}). A similar issue might prevent TACACS+ users with privilege level 15 from using {{sudo}} if the TACACS+ server is reachable only on the {{default}} VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use {{vrf task exec default sudo ...}} to execute the {{sudo}} command using the TACACS+ server on the {{default}} VRF. 5.0.0-5.5.1 5.6.0-5.16.1 -3393306 +3393306, 3425495 The {{python-netaddr}} package is not preinstalled on the switch, which leads to an error similar to the following when SNMP accesses data from the CUMULUS-BGPVRF-MIB. CUMULUS-BGPVRF-MIB::bgpPeerFsmEstablishedTransitions = No Such Instance currently exists at this OID @@ -384,7 +384,7 @@ Fan4(Fan 4): BAD fan:6720 RPM (max = 25000 RPM, min = 4500 RPM, limit_variance = 5.5.0-5.16.1 -3347677 +3347677, 3180068 In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown. 5.1.0-5.6.0 5.7.0-5.16.1 @@ -399,7 +399,7 @@ Error: GET /nvue_v1/interface/swp45?rev=operational responded with 500 INTERNAL 5.5.0-5.16.1 -3339336 +3339336, 3336807 The {{ethtool -m}} command does not show Digital Optical Monitoring (DOM) for SFP transceivers. To work around this issue, run the {{l1-show or mlxlink}} command instead. 5.2.0-5.3.1 5.4.0-5.16.1 @@ -417,7 +417,7 @@ Error: GET /nvue_v1/interface/swp45?rev=operational responded with 500 INTERNAL 5.4.0-5.16.1 -3330600 +3330600, 3330601, 3255756, 3326018 The SNMP monitor might fail to send the expected traps. 5.3.0-5.3.1 5.4.0-5.16.1 @@ -441,7 +441,7 @@ Error: GET /nvue_v1/interface/swp45?rev=operational responded with 500 INTERNAL -3322944 +3322944, 3456051 The {{ptmd}} service causes memory leaks. 5.3.0-5.3.1 5.4.0-5.16.1 @@ -459,7 +459,7 @@ Error: GET /nvue_v1/interface/swp45?rev=operational responded with 500 INTERNAL 5.4.0-5.16.1 -3303084 +3303084, 3289646, 3456051 The memory consumption in {{ptmd}} can grow when the socket being used for a BFD session needs to be recreated. This is often seen when the route being used to forward the BFD packets is removed; for example, if the connected route is removed when an interface goes down, over which a single hop BFD session is formed. 5.3.0-5.3.1 5.4.0-5.16.1 @@ -477,7 +477,7 @@ Error: GET /nvue_v1/interface/swp45?rev=operational responded with 500 INTERNAL 5.4.0-5.16.1 -3298616 +3298616, 3047290, 3324961 NVUE gracefully detects and handles upgrades that include valid flexible snippets. For any invalid (incompatible) flexible snippets, you must delete the snippets before you {{apt upgrade}} Cumulus Linux; otherwise, the NVUE {{nv config apply}} command and the equivalent REST API, do not run. 5.3.0-5.3.1 5.4.0-5.16.1 @@ -505,13 +505,13 @@ ethtool (-S): unknown parameter 'clear' 5.4.0-5.16.1 -3292773 +3292773, 3159654 NVUE requires the SNMPv2 community string to be a minimum of eight characters. 5.3.0-5.3.1 5.4.0-5.16.1 -3289646 +3289646, 3303084 The memory consumption in {{ptmd}} can grow when the socket being used for a BFD session needs to be recreated. This is often seen when the route being used to forward BFD packets is removed; for example, if the connected route is removed when an interface goes down, over which a single hop BFD session is formed. 5.2.0-5.3.1 5.4.0-5.16.1 @@ -553,13 +553,13 @@ ethtool (-S): unknown parameter 'clear' 5.7.0-5.16.1 -3255899 +3255899, 3261883, 3255886 The Linux utility that sends ARP packets is constrained to 512 interfaces on the system. In large scale deployments, the warm boot process fails repeatedly as it sends gratuitous ARP requests for each local address. This issue does not impact the functionality and can be ignored. 5.2.0-5.3.1 5.4.0-5.16.1 -3244955 +3244955, 3264678 ACL configurations fail when the TCAM memory is exhausted because the CTCAM profile is configured with duplicate entries. 5.2.0-5.3.1 5.4.0-5.16.1 @@ -607,7 +607,7 @@ Can't set non-static MAC address for non-vPort 0x0001006B when VID is VFID. -3221628 +3221628, 3217877 Cumulus Linux VX images might include an incorrect entry at the end of {{/etc/apt/sources.list}}, which produces warnings when you run {{apt update}}. Remove this entry to avoid these warnings. 5.2.0-5.6.0 5.7.0-5.16.1 @@ -619,7 +619,7 @@ Can't set non-static MAC address for non-vPort 0x0001006B when VID is VFID. 4.3.2 -3187469 +3187469, 3188618 At high scale with 160 VRFs and 10 VLANs per VRF (a total of 1600 VLANs), you see traffic loss during primary switch reboot. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address. 5.1.0-5.5.1 5.6.0-5.16.1 @@ -654,7 +654,7 @@ To work around this issue, reference the OID without the preceding period ( {{.} -3145869 +3145869, 3430508, 3543102 On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. 5.2.0-5.16.1 @@ -672,7 +672,7 @@ To work around this issue, reference the OID without the preceding period ( {{.} 5.5.0-5.16.1 -3144740 +3144740, 3209923 The {{/var/lib/snmp/snmpd.conf}} file contains multiple {{Warning: Unknown token: ifXTable}} messages. To avoid these warnings, add the {{-noTokenWarnings}} option to the SNMPDOPTS variable in the {{/etc/defaults/snmpd}} file, then restart the {{snmpd}} service. 5.2.0-5.4.0 @@ -732,7 +732,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -3074390 +3074390, 3055255, 2602877 You can not apply NVUE configurations when TACACS is enabled for user authentication. To work around this issue, add the {{nvue}} account to the {{exclude_users}} line in {{/etc/tacplus_nss.conf}}: exclude_users=root,daemon,nobody,cron,radius_user,radius_priv_user,sshd,cumulus,quagga,frr,nvue,snmp,www-data,ntp,man,_lldpd,* @@ -747,7 +747,7 @@ exclude_users=root,daemon,nobody,cron,radius_user,radius_priv_user,sshd,cumulus, -3069069 +3069069, 3271536 When you run the {{systemctl reload switchd}} command, there is momentary traffic loss after a port configured with lossless buffers goes down. This is only temporary and the traffic stabilizes after the initial drops. 5.1.0-5.5.1 5.6.0-5.16.1 @@ -759,7 +759,7 @@ exclude_users=root,daemon,nobody,cron,radius_user,radius_priv_user,sshd,cumulus, -3055283 +3055283, 3038763 After you run Linux commands to enable a custom ECMP or LAG hash parameter, if you set the {{hash_config.enable}} or {{lag_hash_config.enable}} parameter to {{false}}, the custom parameters do not restore their default values. To work around this issue, change the custom ECMP or LAG hash parameters to their default values manually. 5.1.0-5.4.0 5.5.0-5.16.1 @@ -777,7 +777,7 @@ exclude_users=root,daemon,nobody,cron,radius_user,radius_priv_user,sshd,cumulus, 5.4.0-5.16.1 -3034435 +3034435, 3101184 In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community. 4.4.4-5.4.0 5.5.0-5.16.1 @@ -801,7 +801,7 @@ exclude_users=root,daemon,nobody,cron,radius_user,radius_priv_user,sshd,cumulus, -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -809,7 +809,7 @@ exclude_users=root,daemon,nobody,cron,radius_user,radius_priv_user,sshd,cumulus, -2885305 +2885305, 2887500, 3234087, 3074929, 3293192 Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. 5.0.0-5.16.1 @@ -895,7 +895,7 @@ You can safely ignore this warning. 5.15.0-5.16.1 -4413450 +4413450, 4497128 When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. 5.0.0-5.11.1, 5.13.0-5.13.1 5.11.2, 5.14.0-5.16.1 @@ -919,7 +919,7 @@ You can safely ignore this warning. 5.9.2-5.16.1, 5.10.0-5.16.1 -3895042 +3895042, 3895041 After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes: snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a This issue occurs because {{poectl}} is called on non-PoE switches. To work around this issue, remove or comment out the {{poetcl}} call from the {{/etc/snmpd.conf}} file, then restart the {{snmpd}} process with the {{sudo systemctl snmpd restart}} command. @@ -970,7 +970,7 @@ cumulus@switch:~$ sudo apt upgrade 5.7.0-5.16.1 -3610967 +3610967, 3647761 In an EVPN symmetric routing configuration, running the NVUE {{nv set vrf <vrf> vlan auto}} command to derive layer 3 VNIs automatically might result in duplicate VLAN entries in the system. This most often occurs at scale when many VRFs have similar names. To work around this issue, manually specify a unique VLAN for each VRF. 5.3.0-5.8.0 5.9.0-5.16.1 @@ -1032,7 +1032,7 @@ To work around this issue, disable next hop groups in zebra with the vtysh {{zeb 5.6.0-5.16.1 -3474391 +3474391, 3479772 The SNMP MIB definition file {{/usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt}} does not define the INDEX of the {{bgpPeerEntry}} correctly. This issue does not impact SNMP functionality for this MIB. 4.3.1-5.5.1 5.6.0-5.16.1 @@ -1074,13 +1074,13 @@ To work around this issue, disable next hop groups in zebra with the vtysh {{zeb 5.5.0-5.16.1 -3428677 +3428677, 3437317 In certain cases, Cumulus Linux does not process next hop updates because the {{zebra}} IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state. 5.3.0-5.6.0 5.7.0-5.16.1 -3424967 +3424967, 3413785 {{sudo}} for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the {{default}} VRF. To work around this issue, specify the interface name that the {{default}} VRF uses in the {{vrf=}} setting of the {{/etc/tacplus_servers}} file or run the NVUE {{nv set system aaa tacacs vrf}} command. If you don't run either command, a TACACS+ user with privilege level 15 can run {{vrf task exec default sudo ...}} to execute the {{sudo}} command. 5.0.0-5.16.1 @@ -1093,7 +1093,7 @@ The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 -3413785 +3413785, 3424967 To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE {{nv set system aaa tacacs vrf <interface>}} command (for example, {{nv set system aaa tacacs vrf swp51}}) or set the {{vrf=<interface>}} option in the {{/etc/tacplus_servers}} file (for example, {{vrf=swp51}}). A similar issue might prevent TACACS+ users with privilege level 15 from using {{sudo}} if the TACACS+ server is reachable only on the {{default}} VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use {{vrf task exec default sudo ...}} to execute the {{sudo}} command using the TACACS+ server on the {{default}} VRF. 5.0.0-5.5.1 5.6.0-5.16.1 @@ -1155,7 +1155,7 @@ Fan4(Fan 4): BAD fan:6720 RPM (max = 25000 RPM, min = 4500 RPM, limit_variance = 5.5.0-5.16.1 -3347677 +3347677, 3180068 In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown. 5.1.0-5.6.0 5.7.0-5.16.1 @@ -1170,7 +1170,7 @@ Error: GET /nvue_v1/interface/swp45?rev=operational responded with 500 INTERNAL 5.5.0-5.16.1 -3339336 +3339336, 3336807 The {{ethtool -m}} command does not show Digital Optical Monitoring (DOM) for SFP transceivers. To work around this issue, run the {{l1-show or mlxlink}} command instead. 5.2.0-5.3.1 5.4.0-5.16.1 @@ -1188,7 +1188,7 @@ Error: GET /nvue_v1/interface/swp45?rev=operational responded with 500 INTERNAL 5.4.0-5.16.1 -3330600 +3330600, 3330601, 3255756, 3326018 The SNMP monitor might fail to send the expected traps. 5.3.0-5.3.1 5.4.0-5.16.1 @@ -1206,7 +1206,7 @@ Error: GET /nvue_v1/interface/swp45?rev=operational responded with 500 INTERNAL -3322944 +3322944, 3456051 The {{ptmd}} service causes memory leaks. 5.3.0-5.3.1 5.4.0-5.16.1 @@ -1230,7 +1230,7 @@ Error: GET /nvue_v1/interface/swp45?rev=operational responded with 500 INTERNAL 5.3.1-5.16.1 -3303084 +3303084, 3289646, 3456051 The memory consumption in {{ptmd}} can grow when the socket being used for a BFD session needs to be recreated. This is often seen when the route being used to forward the BFD packets is removed; for example, if the connected route is removed when an interface goes down, over which a single hop BFD session is formed. 5.3.0-5.3.1 5.4.0-5.16.1 @@ -1257,7 +1257,7 @@ Error: GET /nvue_v1/interface/swp45?rev=operational responded with 500 INTERNAL 5.4.0-5.16.1 -3298616 +3298616, 3047290, 3324961 NVUE gracefully detects and handles upgrades that include valid flexible snippets. For any invalid (incompatible) flexible snippets, you must delete the snippets before you {{apt upgrade}} Cumulus Linux; otherwise, the NVUE {{nv config apply}} command and the equivalent REST API, do not run. 5.3.0-5.3.1 5.4.0-5.16.1 @@ -1285,13 +1285,13 @@ ethtool (-S): unknown parameter 'clear' 5.4.0-5.16.1 -3292773 +3292773, 3159654 NVUE requires the SNMPv2 community string to be a minimum of eight characters. 5.3.0-5.3.1 5.4.0-5.16.1 -3289646 +3289646, 3303084 The memory consumption in {{ptmd}} can grow when the socket being used for a BFD session needs to be recreated. This is often seen when the route being used to forward BFD packets is removed; for example, if the connected route is removed when an interface goes down, over which a single hop BFD session is formed. 5.2.0-5.3.1 5.4.0-5.16.1 @@ -1333,13 +1333,13 @@ ethtool (-S): unknown parameter 'clear' 5.7.0-5.16.1 -3255899 +3255899, 3261883, 3255886 The Linux utility that sends ARP packets is constrained to 512 interfaces on the system. In large scale deployments, the warm boot process fails repeatedly as it sends gratuitous ARP requests for each local address. This issue does not impact the functionality and can be ignored. 5.2.0-5.3.1 5.4.0-5.16.1 -3244955 +3244955, 3264678 ACL configurations fail when the TCAM memory is exhausted because the CTCAM profile is configured with duplicate entries. 5.2.0-5.3.1 5.4.0-5.16.1 @@ -1387,13 +1387,13 @@ Can't set non-static MAC address for non-vPort 0x0001006B when VID is VFID. -3221628 +3221628, 3217877 Cumulus Linux VX images might include an incorrect entry at the end of {{/etc/apt/sources.list}}, which produces warnings when you run {{apt update}}. Remove this entry to avoid these warnings. 5.2.0-5.6.0 5.7.0-5.16.1 -3187469 +3187469, 3188618 At high scale with 160 VRFs and 10 VLANs per VRF (a total of 1600 VLANs), you see traffic loss during primary switch reboot. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address. 5.1.0-5.5.1 5.6.0-5.16.1 @@ -1428,7 +1428,7 @@ To work around this issue, reference the OID without the preceding period ( {{.} -3145869 +3145869, 3430508, 3543102 On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. 5.2.0-5.16.1 @@ -1446,7 +1446,7 @@ To work around this issue, reference the OID without the preceding period ( {{.} 5.5.0-5.16.1 -3144740 +3144740, 3209923 The {{/var/lib/snmp/snmpd.conf}} file contains multiple {{Warning: Unknown token: ifXTable}} messages. To avoid these warnings, add the {{-noTokenWarnings}} option to the SNMPDOPTS variable in the {{/etc/defaults/snmpd}} file, then restart the {{snmpd}} service. 5.2.0-5.4.0 @@ -1506,7 +1506,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -3074390 +3074390, 3055255, 2602877 You can not apply NVUE configurations when TACACS is enabled for user authentication. To work around this issue, add the {{nvue}} account to the {{exclude_users}} line in {{/etc/tacplus_nss.conf}}: exclude_users=root,daemon,nobody,cron,radius_user,radius_priv_user,sshd,cumulus,quagga,frr,nvue,snmp,www-data,ntp,man,_lldpd,* @@ -1521,7 +1521,7 @@ exclude_users=root,daemon,nobody,cron,radius_user,radius_priv_user,sshd,cumulus, -3069069 +3069069, 3271536 When you run the {{systemctl reload switchd}} command, there is momentary traffic loss after a port configured with lossless buffers goes down. This is only temporary and the traffic stabilizes after the initial drops. 5.1.0-5.5.1 5.6.0-5.16.1 @@ -1533,7 +1533,7 @@ exclude_users=root,daemon,nobody,cron,radius_user,radius_priv_user,sshd,cumulus, -3055283 +3055283, 3038763 After you run Linux commands to enable a custom ECMP or LAG hash parameter, if you set the {{hash_config.enable}} or {{lag_hash_config.enable}} parameter to {{false}}, the custom parameters do not restore their default values. To work around this issue, change the custom ECMP or LAG hash parameters to their default values manually. 5.1.0-5.4.0 5.5.0-5.16.1 @@ -1551,7 +1551,7 @@ exclude_users=root,daemon,nobody,cron,radius_user,radius_priv_user,sshd,cumulus, 5.4.0-5.16.1 -3034435 +3034435, 3101184 In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community. 4.4.4-5.4.0 5.5.0-5.16.1 @@ -1575,7 +1575,7 @@ exclude_users=root,daemon,nobody,cron,radius_user,radius_priv_user,sshd,cumulus, -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -1583,7 +1583,7 @@ exclude_users=root,daemon,nobody,cron,radius_user,radius_priv_user,sshd,cumulus, -2885305 +2885305, 2887500, 3234087, 3074929, 3293192 Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. 5.0.0-5.16.1 @@ -1676,7 +1676,7 @@ You can safely ignore this warning. 4.4.4-5.2.1 -3227651 +3227651, 3528122 Docker commands can cause Cumulus Linux commands to fail. {{apt upgrade}} can also fail if you use Docker commands implicitly. To work around this issue, run {{ulimit -v unlimited}} before running Docker commands or running {{apt upgrade}}. 5.2.0-5.2.1 @@ -1703,7 +1703,7 @@ You can safely ignore this warning. 3.7.0-4.3.0, 4.4.0-5.2.1 -3211114 +3211114, 3221639 After an abrupt power cycle, the {{nvued}} service might fail to start due to NVUE internal data corruption. This issue has been resolved with the addition of an automatic backup feature, which is enabled by default; if NVUE detects an internal data store corruption, the {{nvued}} service recovers from the backup. 5.2.0-5.2.1 @@ -1717,12 +1717,12 @@ Packet size is larger than router interface MTU – Validate the router interfac 4.4.2-5.2.1 -3205859 +3205859, 3204485, 3205622 On the NVIDIA SN3700 and SN4600 switch, the fans run at very high speed but the temperature sensor readings are within an acceptable range. 5.2.0-5.2.1 -3205858 +3205858, 3205856 Ports might experience intermittent I2C EEPROM read problems, which result in blinking amber LEDs and incorrect ethtool output. 5.2.0-5.2.1 @@ -1783,7 +1783,7 @@ Invalid Command: set router policy route-map GLOBAL rule 10 description global 5.1.0-5.2.1 -3177985 +3177985, 3298418 When you run ZTP manually with the {{ztp -R}} command, then the {{ztp -vb}} command, the process stalls indefinitely while searching the local (USB) location and not using DHCP information. To work around this issue, run the {{ztp -r}} command with the URL of the ZTP server: [Dec-08-17:09:58] root@switch:/home/cumulus# ztp -r http://myztp.server.local/ztp diff --git a/content/cumulus-linux-54/Whats-New/rn.md b/content/cumulus-linux-54/Whats-New/rn.md index f72bae7b55..c16161c68b 100644 --- a/content/cumulus-linux-54/Whats-New/rn.md +++ b/content/cumulus-linux-54/Whats-New/rn.md @@ -16,18 +16,18 @@ pdfhidden: True |--- |--- |--- |--- | | [4963277](#4963277)
| When many BFD sessions are configured at scale, ptmd might crash when one of the BFD sessions flaps. | 5.3.1-5.16.1 | | | [4797691](#4797691)
| The message that the switch displays when you generate a cl-support file or as a post login banner contains an invalid Cumulus Support email address, which is no longer the formal channel for reporting support issues. | 5.0.0-5.9.4, 5.15.1 | 5.9.5, 5.16.0-5.16.1| -| [4663076](#4663076)
| When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.3.1-5.9.4 | 5.9.5-5.16.1, 5.11.5-5.16.1, 5.15.0-5.16.1| +| [4663076, 3963232](#4663076, 3963232)
| When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.3.1-5.9.4 | 5.9.5-5.16.1, 5.11.5-5.16.1, 5.15.0-5.16.1| | [4647646](#4647646)
| If you configure policy-based routing (PBR) rules for more than 32 interfaces, only the rules assigned to the first 32 interfaces are installed in the kernel. | 4.4.2-5.14.0 | 5.15.0-5.16.1| | [4621759](#4621759)
| When many BFD sessions are configured at scale, ptmd might crash when one of the BFD sessions flaps. | 5.3.1-5.14.0 | 5.15.0-5.16.1| | [4469498](#4469498)
| When a host moves to a new VTEP during mobility or network failover events in an EVPN multihoming environment, the host might be unreachable due to ARP resolution failures. To work around this issue, restart the FRR service with the sudo systemctl restart frr.service command. | 5.4.0-5.9.3 | 5.9.4-5.16.1, 5.14.0-5.16.1| -| [4413450](#4413450)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.11.1, 5.13.0-5.13.1 | 5.11.2, 5.14.0-5.16.1| +| [4413450, 4497128](#4413450, 4497128)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.11.1, 5.13.0-5.13.1 | 5.11.2, 5.14.0-5.16.1| | [4377862](#4377862)
| When processing the static IP assignment for an interface previously managed through DHCP, Cumulus Linux fails to clean up the DHCP created state completely. As a result when the IP address assigned by DHCP earlier expires, the switch eventually loses connectivity. | 5.1.0-5.9.3 | 5.9.4-5.16.1, 5.11.2-5.16.1, 5.13.0-5.16.1| | [4039850](#4039850)
| When the MAC address of the neighbor changes, a possible crash might occur because the pointer to which the MAC address points is freed, resulting in a dangling pointer. | 5.3.1-5.10.1 | 5.11.0-5.16.1| | [4004453](#4004453)
| The NVUE commands to delete SNMP users, and change authentication passwords and encryption passphrases are not successful. | 4.3.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3982222](#3982222)
| When you enable SPAN on a bridge member, an ARP or Gratuitous ARP received during a failover event between locally attached redundant devices, such as load balancers, might fail to update the bridge MAC table to point to the interface with the newly active load balancer.

To work around this issue, remove the SPAN configuration from the bridge member or ensure that the load balancer generates non-ARP traffic after the failover to properly update the bridge MAC table. | 5.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| -| [3949367](#3949367)
| If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. | 5.3.1-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| +| [3949367, 3949366](#3949367, 3949366)
| If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. | 5.3.1-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3927016](#3927016)
| Following an EVPN extended mobility event, where a host with IP address A and MAC address A moves within the fabric and now resides at IP address A and MAC address B, you might see traffic destined to this host experience drops as the flow is software forwarded on the egress VTEP. | 5.0.1-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| -| [3895042](#3895042)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| +| [3895042, 3895041](#3895042, 3895041)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3859422](#3859422)
| On rare occasions when certain events occur, such as changes to the topology in the network, when a bond comes online and directly transits to an STP blocking state, the slave ports might still be in a forwarding state. As a result, traffic is forwarded on a blocked port. | 5.2.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3773177](#3773177)
| When you try to upgrade a switch from Cumulus Linux before 5.6.0 with package upgrade, you might see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.
cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt install ./cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt update
cumulus@switch:~$ sudo apt upgrade
| 4.0.0-4.4.5, 5.0.0-5.16.1 | | | [3730904](#3730904)
| When sending untagged frames to the CPU with an MTU higher than the SVD (single VXLAN device) MTU, the kernel might crash. | 5.4.0-5.8.0 | 5.9.0-5.16.1| @@ -38,7 +38,7 @@ pdfhidden: True | [3684998](#3684998)
| DHCP lease information is not collected in the cl-support file. | 4.3.0-5.6.0 | 5.7.0-5.16.1| | [3663182](#3663182)
| Changing non-default BGP timers with NCLU or vtysh commands sets the hold time and keep alive interval to 0 seconds. To work around this issue, restart the FRR service with the sudo systemctl restart frr.service command. | 5.3.1-5.6.0 | 5.7.0-5.16.1| | [3613258](#3613258)
| With VM migration from one VTEP to another, traffic loss might occur during a MAC move as locally learned MAC addresses are frequently refreshed between switchd and the kernel. | 5.2.1-5.6.0 | 5.7.0-5.16.1| -| [3610967](#3610967)
| In an EVPN symmetric routing configuration, running the NVUE nv set vrf vlan auto command to derive layer 3 VNIs automatically might result in duplicate VLAN entries in the system. This most often occurs at scale when many VRFs have similar names. To work around this issue, manually specify a unique VLAN for each VRF. | 5.3.0-5.8.0 | 5.9.0-5.16.1| +| [3610967, 3647761](#3610967, 3647761)
| In an EVPN symmetric routing configuration, running the NVUE nv set vrf vlan auto command to derive layer 3 VNIs automatically might result in duplicate VLAN entries in the system. This most often occurs at scale when many VRFs have similar names. To work around this issue, manually specify a unique VLAN for each VRF. | 5.3.0-5.8.0 | 5.9.0-5.16.1| | [3585467](#3585467)
| NVUE and ip link show traditional bridge VLAN subinterface counts incorrectly. The ingress (Rx) count increments correctly but the egress (Tx) count does not increment. This issues occurs because the hardware does not support transmit counters for a VLAN subinterface; therefore, no statistics from the hardware are updated. Statistics for software forwarded packets show correctly. | 5.0.0-5.6.0 | 5.7.0-5.16.1| | [3580435](#3580435)
| On the NVIDIA SN2410 switch with an Innodisk SSD, you might see the following message in syslog:
smartd[501]: Device: /dev/sda [SAT], CHECK POWER STATUS spins up disk (0x00 -> 0xff)
This is a cosmetic issue and does not affect how the switch operates. To prevent this message from occurring, run the hdparm -S 24 /dev/sda command to change the HD timeout. | 5.3.1-5.6.0 | 5.7.0-5.16.1| | [3573800](#3573800)
| After you apply a change to the router MAC address on an SVI with the ifreload -a command, the old router MAC address still remains in the FDB table. To work around this issue, remove the old router MAC address with the sudo bridge fdb del dev bridge vlan command. | 5.3.1-5.6.0 | 5.7.0-5.16.1| @@ -55,7 +55,7 @@ pdfhidden: True | [3484058](#3484058)
| When you power on the NVIDIA SN3420 switch with no connected cables, the QSFP ports LEDs light in amber. | 5.3.0-5.8.0 | 5.9.0-5.16.1| | [3482006](#3482006)
| If FRR learns a layer 2 entry against a VNI and you reconfigure the VNI later as a layer 3 VNI, the original layer 2 entry does not clear and remains in the forwarding database. | 5.0.0-5.5.1 | 4.3.2-4.4.5, 5.6.0-5.16.1| | [3479786](#3479786)
| The switchd service does not handle certain route and next hop updates, which causes a synchronization loop. For example, in a VRF route leaking configuration, where a next hop group spans across multiple VRFs, when one of the routes is withdrawn and the next hop is no longer used, switchd has problems synchronizing other next hops in the group
To work around this issue, disable next hop groups in zebra with the vtysh zebra nexthop proto only command, and then reboot the switch. | 5.3.0-5.5.1 | 5.6.0-5.16.1| -| [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.16.1| +| [3474391, 3479772](#3474391, 3479772)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.16.1| | [3474352](#3474352)
| On the NVIDIA SN4700 switch, reversing the upper four lanes on a port does not work and might cause link degradation. If you swap between the upper and lower four lanes on a port, the firmware gets stuck. | 5.3.0-5.5.1 | 5.6.0-5.16.1| | [3472865](#3472865)
| The json output for the vtysh -c ‘show bgp all json command is missing a string key in front of the list of routes under the l2vpnevpn address family. | 5.4.0-5.5.1 | 5.6.0-5.16.1| | [3471052](#3471052)
| On certain QSFP-DD and OSFP optical modules, the ethtool -m command, and the related NCLU and NVUE commands that display optical module information fail. | 5.4.0-5.5.1 | 5.6.0-5.16.1| @@ -72,18 +72,18 @@ pdfhidden: True | [3433944](#3433944)
| The wjh_dissector.lua WJH packet decoder script provided with Cumulus Linux might fail to decode all WJH packets. | 5.4.0-5.5.1 | 5.6.0-5.16.1| | [3432897](#3432897)
| When you remove the restriction from a TACACS+ mapped user to remove per command authorization, the tacplus-restrict -R command does not restore ownership of restored files correctly. As a result, some commands might fail due to permission errors in the files or directories under the home directory. To work around this issue, run the sudo chown command to correct the ownership of the affected files and directories. | 5.0.0-5.4.0 | 5.5.0-5.16.1| | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | 5.5.0-5.16.1| -| [3428677](#3428677)
| In certain cases, Cumulus Linux does not process next hop updates because the zebra IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state. | 5.3.0-5.6.0 | 5.7.0-5.16.1| -| [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | +| [3428677, 3437317](#3428677, 3437317)
| In certain cases, Cumulus Linux does not process next hop updates because the zebra IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state. | 5.3.0-5.6.0 | 5.7.0-5.16.1| +| [3424967, 3413785](#3424967, 3413785)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | | [3419928](#3419928)
| The NVUE PIM timer command option names keep-alive and rp-keep-alive are inconsistent and need to change to keepalive and rp-keepalive. | 5.4.0-5.6.0 | 5.7.0-5.16.1| | [3418103](#3418103)
| On the Spectrum-2 and Spectrum-3 switch, if you use module SPQCELRCDFB when connected to a 3rd party switch, you might see no link or a very long link up time (around two minutes). To work around this issue, bring down the port, then bring it back up. | 5.4.0 | 5.5.0-5.16.1| -| [3413785](#3413785)
| To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.5.1 | 5.6.0-5.16.1| +| [3413785, 3424967](#3413785, 3424967)
| To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.5.1 | 5.6.0-5.16.1| | [3410303](#3410303)
| The NVUE command to set the frequency of LLDP updates nv set service lldp tx-interval and the NVUE command to set the amount of time to hold the information before discarding it nv set service lldp tx-hold-multiplier do not provide reasonable maximum and minimum values. Cumulus Linux 5.5.0 and later provides new values. For the nv set service lldp tx-interval command, you can now set a minimum value of 5 and a maximum value of 32768. For the nv set service lldp tx-hold command, you can set a minimum value of 1 and a maximum value of 8192. | 5.4.0 | 5.5.0-5.16.1| | [3397649](#3397649)
| When an ECMP route is present in a non-default VRF, resilient hashing does not work as expected and flows might get remapped to a new next hop when the set of nexthops changes. | 5.4.0 | 5.5.0-5.16.1| | [3395247](#3395247)
| The NVUE nv show system forwarding profile-option command reports an incorrect Max ipv4 mcast routes value. To work around this issue, validate values with cl-resource-query. | 5.4.0 | 5.5.0-5.16.1| | [3394674](#3394674)
| If you restart FRR with the log file debugging level set to informational, BGP crashes. | 5.4.0-5.5.1 | 5.6.0-5.16.1| | [3393866](#3393866)
| On a VX, NVUE commands with an argument parameter that can be multiple types (such as IPv4 and IPv6) do not provide auto complete or additional options when you use a question mark. | 5.4.0 | 5.5.0-5.16.1| -| [3393306](#3393306)
| The python-netaddr package is not preinstalled on the switch, which leads to an error similar to the following when SNMP accesses data from the CUMULUS-BGPVRF-MIB
CUMULUS-BGPVRF-MIB::bgpPeerFsmEstablishedTransitions = No Such Instance currently exists at this OID
To work around this issue, manually install the python-netaddr package with the sudo -E apt-get install python-netaddr command. | 5.3.1-5.4.0 | 5.5.0-5.16.1| +| [3393306, 3425495](#3393306, 3425495)
| The python-netaddr package is not preinstalled on the switch, which leads to an error similar to the following when SNMP accesses data from the CUMULUS-BGPVRF-MIB
CUMULUS-BGPVRF-MIB::bgpPeerFsmEstablishedTransitions = No Such Instance currently exists at this OID
To work around this issue, manually install the python-netaddr package with the sudo -E apt-get install python-netaddr command. | 5.3.1-5.4.0 | 5.5.0-5.16.1| | [3390758](#3390758)
| The neighmgrd service does not enable the snooper unless ARP suppression is enabled on at least one VXLAN interface. This can result in missing ARP and NDP entries if the host does not directly interact with the switch. | 5.3.1-5.4.0 | 5.5.0-5.16.1| | [3389198](#3389198)
| The NVUE nv unset command does not completely remove IPv6 DNS server configuration
| 5.3.1-5.4.0 | 5.5.0-5.16.1| | [3388201](#3388201)
| Cumulus Linux does not let you add an interface to the bond interface when the bridge-allow-untagged no option is present. | 5.4.0 | 5.5.0-5.16.1| @@ -97,10 +97,10 @@ pdfhidden: True | [3361904](#3361904)
| The NVUE PTP shaping commands are available in the NVUE command list; however, these commands are disabled and do not configure PTP shaping. PTP shaping is not supported in Cumulus Linux 5.4. | 5.4.0 | 5.5.0-5.16.1| | [3351941](#3351941)
| Cumulus Linux 5.4 package upgrade (apt-upgrade) does not support warm restart to complete the upgrade; performing an unsupported upgrade can result in unexpected or undesirable behavior, such as a traffic outage. | 5.4.0 | 5.5.0-5.16.1| | [3350789](#3350789)
| NVUE deprecated the port split command options (2x10G, 2x25G, 2x40G, 2x50G, 2x100G, 2x200G, 4x10G, 4x25G, 4x50G, 4x100G, 8x50G) with no backwards compatibility. | 5.0.0-5.4.0 | 5.5.0-5.16.1| -| [3350061](#3350061)
| If you use TACACS+ authentication, modifying the TACACS+ configuration with NVUE might result in a timeout error when you run the nv config apply command. To work around the issue, restart the nvued service with the sudo systemctl restart nvued.service command, then apply the configuration again. | 5.4.0 | 5.5.0-5.16.1| +| [3350061, 3351938](#3350061, 3351938)
| If you use TACACS+ authentication, modifying the TACACS+ configuration with NVUE might result in a timeout error when you run the nv config apply command. To work around the issue, restart the nvued service with the sudo systemctl restart nvued.service command, then apply the configuration again. | 5.4.0 | 5.5.0-5.16.1| | [3349533](#3349533)
| On the Spectrum-2 and Spectrum-3 switch with ports operating at 1G speed, there is loss of frames that have an odd or random frame size. In the frame size range of 75 to 1000 bytes, there is frame loss of less than approximately one percent for all odd or random frame sizes in the range. In the frame size range greater than 1000 bytes, there is no loss observed. | 5.4.0 | 5.5.0-5.16.1| | [3349207](#3349207)
| The switch does not learn MAC addresses from DHCP packets. When a DHCP enabled host is plugged in for the first time, it tries to obtain an IP address through DHCP. The switch does not learn the MAC address of the host when it receives these DHCP packets; therefore, the host MAC address is not updated in the local forwarding database and it does not get advertised across EVPN. The switch learns the MAC address when it receives other packets, such as ARP or ND from the host. To work around this issue, either configure a temporary IP address on the host to initiate ARP/ND or enable IPv6, which sends ND after link local address creation. | 5.2.0-5.4.0 | 5.5.0-5.16.1| -| [3347677](#3347677)
| In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown. | 5.1.0-5.6.0 | 5.7.0-5.16.1| +| [3347677, 3180068](#3347677, 3180068)
| In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown. | 5.1.0-5.6.0 | 5.7.0-5.16.1| | [3347538](#3347538)
| When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.16.1 | | | [3344846](#3344846)
| The Spectrum-3 hardware configuration is not optimized for the best PTP accuracy when using 25GbE. You might see higher than expected PTP offsets on this platforms and interface speed. | 5.4.0-5.5.1 | 5.6.0-5.16.1| | [3341214](#3341214)
| If you use the NVUE REST API to configure a local user with a hashed password, the user cannot log in and the /etc/nvue.d/startup.yaml file shows the password as plain text. | 5.4.0-5.16.1 | | @@ -122,16 +122,16 @@ pdfhidden: True | [3234814](#3234814)
| With double tagged QinQ interfaces, if the bridge corresponding to the QinQ interface flaps, you might see invalid learning notifications and errors from similar to the following:
Can't set non-static MAC address for non-vPort 0x0001006B when VID is VFID.
| 5.3.0-5.4.0 | 5.5.0-5.16.1| | [3232091](#3232091)
| The NVUE nv unset interface link lanes command does not restore the port lane setting to the default value. To work around this issue, run the nv set interface link lanes command. | 5.4.0-5.6.0 | 5.7.0-5.16.1| | [3226506](#3226506)
| The l1-show eth0 command does not show port information and is not supported in this release. | 5.3.0-5.16.1 | | -| [3225117](#3225117)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | -| [3221628](#3221628)
| Cumulus Linux VX images might include an incorrect entry at the end of /etc/apt/sources.list, which produces warnings when you run apt update. Remove this entry to avoid these warnings. | 5.2.0-5.6.0 | 5.7.0-5.16.1| -| [3187469](#3187469)
| At high scale with 160 VRFs and 10 VLANs per VRF (a total of 1600 VLANs), you see traffic loss during primary switch reboot. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address. | 5.1.0-5.5.1 | 5.6.0-5.16.1| +| [3225117, 3158720](#3225117, 3158720)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | +| [3221628, 3217877](#3221628, 3217877)
| Cumulus Linux VX images might include an incorrect entry at the end of /etc/apt/sources.list, which produces warnings when you run apt update. Remove this entry to avoid these warnings. | 5.2.0-5.6.0 | 5.7.0-5.16.1| +| [3187469, 3188618](#3187469, 3188618)
| At high scale with 160 VRFs and 10 VLANs per VRF (a total of 1600 VLANs), you see traffic loss during primary switch reboot. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address. | 5.1.0-5.5.1 | 5.6.0-5.16.1| | [3178090](#3178090)
| The cl-support generation script causes TC filter collection to run as a background process for each interface, which can lead to memory exhaustion on a high scale configuration and on a switch with a small memory footprint. | 5.1.0-5.5.1 | 5.6.0-5.16.1| | [3172682](#3172682)
| On rare occasions, when you query the system hostname through the hostnamctl application, you see a timeout. NVUE uses the hostnamctl application to determine the system hostname, which can result in an nv config apply command failure. | 5.2.0-5.5.1 | 5.6.0-5.16.1| | [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.16.1 | | | [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.16.1 | | -| [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | +| [3145869, 3430508, 3543102](#3145869, 3430508, 3543102)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | | [3145204](#3145204)
| On the NVIDIA Spectrum-1 switch, the nv show system forwarding command shows GTP hashing output, which is not supported on this switch. | 5.2.0-5.4.0 | 5.5.0-5.16.1| -| [3144740](#3144740)
| The /var/lib/snmp/snmpd.conf file contains multiple Warning: Unknown token: ifXTable messages. To avoid these warnings, add the -noTokenWarnings option to the SNMPDOPTS variable in the /etc/defaults/snmpd file, then restart the snmpd service. | 5.2.0-5.4.0 | 5.5.0-5.16.1| +| [3144740, 3209923](#3144740, 3209923)
| The /var/lib/snmp/snmpd.conf file contains multiple Warning: Unknown token: ifXTable messages. To avoid these warnings, add the -noTokenWarnings option to the SNMPDOPTS variable in the /etc/defaults/snmpd file, then restart the snmpd service. | 5.2.0-5.4.0 | 5.5.0-5.16.1| | [3142615](#3142615)
| The BGP4-MIB.txt file is missing from Net-SNMP agent. | 5.0.0-5.4.0 | 5.5.0-5.16.1| | [3141826](#3141826)
| A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1)
1.3.6.1.2.1.47 --> Entity MIB
1.3.6.1.2.1.99 --> Entity Sensor MIB
1.3.6.1.2.1.23 --> rip2
1.3.6.1.2.1.2 --> interface/interfaces
1.3.6.1.2.1.31 --> ifMIB
1.3.6.1.2.1.4 --> IP
1.3.6.1.2.1.25 --> hostResource | 5.0.1-5.8.0 | 5.9.0-5.16.1| | [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example: 
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.16.1 | | @@ -140,15 +140,15 @@ pdfhidden: True | [3084476](#3084476)
| After you disable traffic shaping in the /etc/cumulus/datapath/qos/qos_features.conf file, the default QOS traffic shaping configuration does not restore. To work around this issue, restart switchd. | 4.4.3, 5.0.0-5.16.1 | 4.4.4-4.4.5| | [3084027](#3084027)
| Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware. | 4.3.0-4.4.5, 5.0.0-5.16.1 | | | [3071652](#3071652)
| On rare occasions, after you reboot or restart switchd on a Spectrum 1 switch, any 25G connections with Direct Attach Copper (DAC) cables that connect from the switch to a non-NVIDIA device might flap continuously. To work around this issue, bring the affected link administratively down for a few seconds on the non-NVIDIA device, then bring the link back up. | 4.4.4-4.4.5, 5.1.0-5.16.1 | | -| [3069069](#3069069)
| When you run the systemctl reload switchd command, there is momentary traffic loss after a port configured with lossless buffers goes down. This is only temporary and the traffic stabilizes after the initial drops. | 5.1.0-5.5.1 | 5.6.0-5.16.1| +| [3069069, 3271536](#3069069, 3271536)
| When you run the systemctl reload switchd command, there is momentary traffic loss after a port configured with lossless buffers goes down. This is only temporary and the traffic stabilizes after the initial drops. | 5.1.0-5.5.1 | 5.6.0-5.16.1| | [3061656](#3061656)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.16.1 | | -| [3055283](#3055283)
| After you run Linux commands to enable a custom ECMP or LAG hash parameter, if you set the hash_config.enable or lag_hash_config.enable parameter to false, the custom parameters do not restore their default values. To work around this issue, change the custom ECMP or LAG hash parameters to their default values manually. | 5.1.0-5.4.0 | 5.5.0-5.16.1| +| [3055283, 3038763](#3055283, 3038763)
| After you run Linux commands to enable a custom ECMP or LAG hash parameter, if you set the hash_config.enable or lag_hash_config.enable parameter to false, the custom parameters do not restore their default values. To work around this issue, change the custom ECMP or LAG hash parameters to their default values manually. | 5.1.0-5.4.0 | 5.5.0-5.16.1| | [3045310](#3045310)
| If GTP Hashing is set to true, after more than two warm boots, switchd fails and a cl-support file is generated. | 5.1.0-5.4.0 | 5.5.0-5.16.1| -| [3034435](#3034435)
| In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community. | 4.4.4-5.4.0 | 5.5.0-5.16.1| +| [3034435, 3101184](#3034435, 3101184)
| In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community. | 4.4.4-5.4.0 | 5.5.0-5.16.1| | [2972540](#2972540)
| With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.16.1 | | | [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.16.1 | | -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [2885305](#2885305)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2885305, 2887500, 3234087, 3074929, 3293192](#2885305, 2887500, 3234087, 3074929, 3293192)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.16.1 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.16.1 | | | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | @@ -162,34 +162,34 @@ pdfhidden: True | [3351951](#3351951)
| Currently, the default core dump size limit on Cumulus Linux is 256M but the SDK generates core dumps around 800M. To avoid incomplete core files, you can increase the core dump size limit. | 4.2.1-4.3.1, 4.4.0-5.3.1 | | | [3351936](#3351936)
| Switch fans run at very high speed but the temperature is normal. | 5.2.0-5.3.1 | | | [3344373](#3344373)
| When the switch boots up, you might see logs similar to the following in the nvued log files because switchd is not up and running. This does not impact switch functionality
2023-01-29T06:05:18.683152+00:00 cumulus nvued:  INFO: apply_config.py:2177 Apply Issues: (b'),(update-ports returned with error (code 254): ports validation node file is not accessibleswitchd validate_node is absent),(ports configuration(ports.conf/ports_width.conf) is invalid),(')
| | | -| [3339336](#3339336)
| The ethtool -m command does not show Digital Optical Monitoring (DOM) for SFP transceivers. To work around this issue, run the l1-show or mlxlink command instead. | 5.2.0-5.3.1 | | +| [3339336, 3336807](#3339336, 3336807)
| The ethtool -m command does not show Digital Optical Monitoring (DOM) for SFP transceivers. To work around this issue, run the l1-show or mlxlink command instead. | 5.2.0-5.3.1 | | | [3332869](#3332869)
| When a switch is operating as a PTP Grand Master, the phc2sys service might exit shortly after starting as the initial offset to correct is the delta from epoch, which is too large to correct. | | | | [3330705](#3330705)
| When using TACACS+, a TACACS+ server name that returns more than one IP address, such as an IPv6 and IPv4 address, is counted many times against the limit of seven TACACS+ servers, which might cause some of the later listed servers to be ignored as over the limit. To work around this issue, you can set the prefer_ip_version configuration option (the default value is 4) to choose between an IPv4 or IPv6 address if both are present. | 3.7.0-5.3.1 | | -| [3330600](#3330600)
| The SNMP monitor might fail to send the expected traps. | 5.3.0-5.3.1 | | +| [3330600, 3330601, 3255756, 3326018](#3330600, 3330601, 3255756, 3326018)
| The SNMP monitor might fail to send the expected traps. | 5.3.0-5.3.1 | | | [3329096](#3329096)
| The traffic control rules that the EVPN multihoming configuration adds to an interface are deleted when the hsflowd service restarts. The hsflowd service deletes the EVPN multihoming traffic control filters after you stop hsflowd, then adds back the match-all filters with the psample action; however, hsflowd does not add back the EVPN multihoming traffic control rules. | 5.0.0-5.3.1 | | -| [3322944](#3322944)
| The ptmd service causes memory leaks. | 5.3.0-5.3.1 | | +| [3322944, 3456051](#3322944, 3456051)
| The ptmd service causes memory leaks. | 5.3.0-5.3.1 | | | [3320571](#3320571)
| The sensors.conf files in Cumulus Linux are out of date. | 5.2.0-5.3.1 | | | [3308248](#3308248)
| DHCP packets do not forward over VXLAN interfaces in multicast replication environments. This issue does not affect VXLAN environments using head end replication (HER). | 5.2.0-5.3.1 | | -| [3303084](#3303084)
| The memory consumption in ptmd can grow when the socket being used for a BFD session needs to be recreated. This is often seen when the route being used to forward the BFD packets is removed; for example, if the connected route is removed when an interface goes down, over which a single hop BFD session is formed. | 5.3.0-5.3.1 | | +| [3303084, 3289646, 3456051](#3303084, 3289646, 3456051)
| The memory consumption in ptmd can grow when the socket being used for a BFD session needs to be recreated. This is often seen when the route being used to forward the BFD packets is removed; for example, if the connected route is removed when an interface goes down, over which a single hop BFD session is formed. | 5.3.0-5.3.1 | | | [3301988](#3301988)
| Some EVPN multihoming show commands might cause BGP to crash if you use the json flag and attempt to reference the default VRF by name. For example, show bgp l2vpn evpn es-vrf json. | 5.0.0-5.3.1 | | | [3301950](#3301950)
| When upgrading from Cumulus Linux 5.0.0 thru 5.2.1 to Cumulus Linux 5.3.0 or 5.3.1, the babeltrace and python3-babeltrace packages are not added automatically even though they are in the default image in Cumulus Linux 5.3.0 and later. You may need these packages to decode LTTNG traces with /usr/lib/frr/frr_babeltrace.py.. If you need to use this script, run the sudo apt update && sudo apt install babeltrace python3-babeltrace command to install the packages. | 5.3.0-5.3.1 | | -| [3298616](#3298616)
| NVUE gracefully detects and handles upgrades that include valid flexible snippets. For any invalid (incompatible) flexible snippets, you must delete the snippets before you apt upgrade Cumulus Linux; otherwise, the NVUE nv config apply command and the equivalent REST API, do not run. | 5.3.0-5.3.1 | | +| [3298616, 3047290, 3324961](#3298616, 3047290, 3324961)
| NVUE gracefully detects and handles upgrades that include valid flexible snippets. For any invalid (incompatible) flexible snippets, you must delete the snippets before you apt upgrade Cumulus Linux; otherwise, the NVUE nv config apply command and the equivalent REST API, do not run. | 5.3.0-5.3.1 | | | [3296715](#3296715)
| When you clear interface counters with the ethtool -S clear command, the command fails with the following message:
switch:~$ ethtool -S swp1 clearethtool (-S): unknown parameter 'clear'
| 5.2.0-5.3.1 | | | [3293039](#3293039)
| When you add the /etc/frr/frr.conf file to the ignore list for NVUE, any configuration change causes FRR to restart because a check is done to see if any running configuration has changed since the previously applied configuration in the vtysh shell. | 5.3.0-5.3.1 | | -| [3292773](#3292773)
| NVUE requires the SNMPv2 community string to be a minimum of eight characters. | 5.3.0-5.3.1 | | +| [3292773, 3159654](#3292773, 3159654)
| NVUE requires the SNMPv2 community string to be a minimum of eight characters. | 5.3.0-5.3.1 | | | [3289972](#3289972)
| When the switch needs to forward a frame that has a source MAC address of 00:00:00:00:00:00, the dmesg log might report the message bridge: RTM_NEWNEIGH with invalid ether address in a loop every 30 seconds. The log message is harmless and frames with that MAC forward correctly. | 4.4.3-5.3.1 | | -| [3289646](#3289646)
| The memory consumption in ptmd can grow when the socket being used for a BFD session needs to be recreated. This is often seen when the route being used to forward BFD packets is removed; for example, if the connected route is removed when an interface goes down, over which a single hop BFD session is formed. | 5.2.0-5.3.1 | | +| [3289646, 3303084](#3289646, 3303084)
| The memory consumption in ptmd can grow when the socket being used for a BFD session needs to be recreated. This is often seen when the route being used to forward BFD packets is removed; for example, if the connected route is removed when an interface goes down, over which a single hop BFD session is formed. | 5.2.0-5.3.1 | | | [3283598](#3283598)
| After you restart the FRR service, show commands incorrectly reflect the VLAN associated with layer 3 VNIs as 0:
# net show evpn vni 123VNI: 123Type: L3Tenant VRF: BLUEVlan: 0
| 4.4.3-5.3.1 | | | [3267328](#3267328)
| On Spectrum 1 switches when configuring ACLs in non-atomic mode, if there are too many IPv6 matches due to rules with both input-interface and output-interface matches on SVIs, the ACL install fails and switchd crashes. | 5.2.0-5.3.1 | | | [3266050](#3266050)
| Due to a race at the initial configuration, the SDK RDQ test may test RDQ configured for WJH and fail the test resulting in a fatal health event. | 5.2.0-5.3.1 | | | [3262012](#3262012)
| When an FRR routing service (such as bgpd) becomes unresponsive, watchfrr might fail to stop and restart service. To work around this issue, restart FRR with the systemctl restart frr command. | 4.4.0-5.3.1 | | -| [3255899](#3255899)
| The Linux utility that sends ARP packets is constrained to 512 interfaces on the system. In large scale deployments, the warm boot process fails repeatedly as it sends gratuitous ARP requests for each local address. This issue does not impact the functionality and can be ignored. | 5.2.0-5.3.1 | | -| [3244955](#3244955)
| ACL configurations fail when the TCAM memory is exhausted because the CTCAM profile is configured with duplicate entries. | 5.2.0-5.3.1 | | +| [3255899, 3261883, 3255886](#3255899, 3261883, 3255886)
| The Linux utility that sends ARP packets is constrained to 512 interfaces on the system. In large scale deployments, the warm boot process fails repeatedly as it sends gratuitous ARP requests for each local address. This issue does not impact the functionality and can be ignored. | 5.2.0-5.3.1 | | +| [3244955, 3264678](#3244955, 3264678)
| ACL configurations fail when the TCAM memory is exhausted because the CTCAM profile is configured with duplicate entries. | 5.2.0-5.3.1 | | | [3241047](#3241047)
| When you delete a route under the following conditions, switchd might crash:- The minimum number of routes is set to a non-zero value
- KVD utilization is higher than sixty percent
- The number of routes currently configured is less than the minimum reserved value, and multiple KVD linear resources have just been freed and are waiting in the Garbage Collector queue. | 5.2.0-5.3.1 | | | [3234085](#3234085)
| When you configure or unconfigure a BGP peer and interface towards a host, memory corruption can cause BGP to crash. | 5.0.1-5.3.1 | | | [3226525](#3226525)
| When using TACACS+, if you configure per-command authorization with the tacplus-restrict command, NVUE configuration commands fail for any user with a privilege level lower than 15. This occurs because NVUE is not able to create a .local user directory. | 5.2.0-5.3.1 | | | [3145222](#3145222)
| The NVUE nv show system forwarding --output json command does not provide any output. To work around this issue, run the nv show system forwarding command. | 5.2.0-5.3.1 | | -| [3074390](#3074390)
| You can not apply NVUE configurations when TACACS is enabled for user authentication. To work around this issue, add the nvue account to the exclude_users line in /etc/tacplus_nss.conf:
exclude_users=root,daemon,nobody,cron,radius_user,radius_priv_user,sshd,cumulus,quagga,frr,nvue,snmp,www-data,ntp,man,_lldpd,*
| 5.0.1-5.3.1 | | +| [3074390, 3055255, 2602877](#3074390, 3055255, 2602877)
| You can not apply NVUE configurations when TACACS is enabled for user authentication. To work around this issue, add the nvue account to the exclude_users line in /etc/tacplus_nss.conf:
exclude_users=root,daemon,nobody,cron,radius_user,radius_priv_user,sshd,cumulus,quagga,frr,nvue,snmp,www-data,ntp,man,_lldpd,*
| 5.0.1-5.3.1 | | | [3037824](#3037824)
| The NVUE nv show interface link state command shows an empty table instead of showing the port link state. | 5.0.0-5.3.1 | | | [3015393](#3015393)
| The NVUE nv show interface command shows the operational state of the tunnel as down even though the tunnel is up, and encapsulation and decapsulation occurs correctly. | 5.1.0-5.3.1 | | | [2821929](#2821929)
| FRR restarts even when the NVUE configuration overwrite mode is set. | 5.0.0-5.3.1 | | diff --git a/content/cumulus-linux-54/rn.xml b/content/cumulus-linux-54/rn.xml index 1d9c3796cb..12a7f32f1f 100644 --- a/content/cumulus-linux-54/rn.xml +++ b/content/cumulus-linux-54/rn.xml @@ -19,7 +19,7 @@ 5.9.5, 5.16.0-5.16.1 -4663076 +4663076, 3963232 When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. 5.3.1-5.9.4 5.9.5-5.16.1, 5.11.5-5.16.1, 5.15.0-5.16.1 @@ -43,7 +43,7 @@ 5.9.4-5.16.1, 5.14.0-5.16.1 -4413450 +4413450, 4497128 When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. 5.0.0-5.11.1, 5.13.0-5.13.1 5.11.2, 5.14.0-5.16.1 @@ -73,7 +73,7 @@ 5.9.2-5.16.1, 5.10.0-5.16.1 -3949367 +3949367, 3949366 If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. 5.3.1-5.9.1 5.9.2-5.16.1, 5.10.0-5.16.1 @@ -85,7 +85,7 @@ 5.9.2-5.16.1, 5.10.0-5.16.1 -3895042 +3895042, 3895041 After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes: snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a This issue occurs because {{poectl}} is called on non-PoE switches. To work around this issue, remove or comment out the {{poetcl}} call from the {{/etc/snmpd.conf}} file, then restart the {{snmpd}} process with the {{sudo systemctl snmpd restart}} command. @@ -160,7 +160,7 @@ cumulus@switch:~$ sudo apt upgrade 5.7.0-5.16.1 -3610967 +3610967, 3647761 In an EVPN symmetric routing configuration, running the NVUE {{nv set vrf <vrf> vlan auto}} command to derive layer 3 VNIs automatically might result in duplicate VLAN entries in the system. This most often occurs at scale when many VRFs have similar names. To work around this issue, manually specify a unique VLAN for each VRF. 5.3.0-5.8.0 5.9.0-5.16.1 @@ -268,7 +268,7 @@ To work around this issue, disable next hop groups in zebra with the vtysh {{zeb 5.6.0-5.16.1 -3474391 +3474391, 3479772 The SNMP MIB definition file {{/usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt}} does not define the INDEX of the {{bgpPeerEntry}} correctly. This issue does not impact SNMP functionality for this MIB. 4.3.1-5.5.1 5.6.0-5.16.1 @@ -373,13 +373,13 @@ cumulus@switch:~$ what-just-happened poll --export --no_metadata 5.5.0-5.16.1 -3428677 +3428677, 3437317 In certain cases, Cumulus Linux does not process next hop updates because the {{zebra}} IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state. 5.3.0-5.6.0 5.7.0-5.16.1 -3424967 +3424967, 3413785 {{sudo}} for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the {{default}} VRF. To work around this issue, specify the interface name that the {{default}} VRF uses in the {{vrf=}} setting of the {{/etc/tacplus_servers}} file or run the NVUE {{nv set system aaa tacacs vrf}} command. If you don't run either command, a TACACS+ user with privilege level 15 can run {{vrf task exec default sudo ...}} to execute the {{sudo}} command. 5.0.0-5.16.1 @@ -404,7 +404,7 @@ The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 5.5.0-5.16.1 -3413785 +3413785, 3424967 To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE {{nv set system aaa tacacs vrf <interface>}} command (for example, {{nv set system aaa tacacs vrf swp51}}) or set the {{vrf=<interface>}} option in the {{/etc/tacplus_servers}} file (for example, {{vrf=swp51}}). A similar issue might prevent TACACS+ users with privilege level 15 from using {{sudo}} if the TACACS+ server is reachable only on the {{default}} VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use {{vrf task exec default sudo ...}} to execute the {{sudo}} command using the TACACS+ server on the {{default}} VRF. 5.0.0-5.5.1 5.6.0-5.16.1 @@ -440,7 +440,7 @@ The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 5.5.0-5.16.1 -3393306 +3393306, 3425495 The {{python-netaddr}} package is not preinstalled on the switch, which leads to an error similar to the following when SNMP accesses data from the CUMULUS-BGPVRF-MIB. CUMULUS-BGPVRF-MIB::bgpPeerFsmEstablishedTransitions = No Such Instance currently exists at this OID @@ -537,7 +537,7 @@ Fan4(Fan 4): BAD fan:6720 RPM (max = 25000 RPM, min = 4500 RPM, limit_variance = 5.5.0-5.16.1 -3350061 +3350061, 3351938 If you use TACACS+ authentication, modifying the TACACS+ configuration with NVUE might result in a timeout error when you run the {{nv config apply}} command. To work around the issue, restart the {{nvued}} service with the {{sudo systemctl restart nvued.service}} command, then apply the configuration again. 5.4.0 5.5.0-5.16.1 @@ -555,7 +555,7 @@ Fan4(Fan 4): BAD fan:6720 RPM (max = 25000 RPM, min = 4500 RPM, limit_variance = 5.5.0-5.16.1 -3347677 +3347677, 3180068 In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown. 5.1.0-5.6.0 5.7.0-5.16.1 @@ -705,19 +705,19 @@ Can't set non-static MAC address for non-vPort 0x0001006B when VID is VFID. -3225117 +3225117, 3158720 Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. 5.4.0-5.16.1 -3221628 +3221628, 3217877 Cumulus Linux VX images might include an incorrect entry at the end of {{/etc/apt/sources.list}}, which produces warnings when you run {{apt update}}. Remove this entry to avoid these warnings. 5.2.0-5.6.0 5.7.0-5.16.1 -3187469 +3187469, 3188618 At high scale with 160 VRFs and 10 VLANs per VRF (a total of 1600 VLANs), you see traffic loss during primary switch reboot. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address. 5.1.0-5.5.1 5.6.0-5.16.1 @@ -752,7 +752,7 @@ To work around this issue, reference the OID without the preceding period ( {{.} -3145869 +3145869, 3430508, 3543102 On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. 5.2.0-5.16.1 @@ -764,7 +764,7 @@ To work around this issue, reference the OID without the preceding period ( {{.} 5.5.0-5.16.1 -3144740 +3144740, 3209923 The {{/var/lib/snmp/snmpd.conf}} file contains multiple {{Warning: Unknown token: ifXTable}} messages. To avoid these warnings, add the {{-noTokenWarnings}} option to the SNMPDOPTS variable in the {{/etc/defaults/snmpd}} file, then restart the {{snmpd}} service. 5.2.0-5.4.0 @@ -830,7 +830,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -3069069 +3069069, 3271536 When you run the {{systemctl reload switchd}} command, there is momentary traffic loss after a port configured with lossless buffers goes down. This is only temporary and the traffic stabilizes after the initial drops. 5.1.0-5.5.1 5.6.0-5.16.1 @@ -842,7 +842,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -3055283 +3055283, 3038763 After you run Linux commands to enable a custom ECMP or LAG hash parameter, if you set the {{hash_config.enable}} or {{lag_hash_config.enable}} parameter to {{false}}, the custom parameters do not restore their default values. To work around this issue, change the custom ECMP or LAG hash parameters to their default values manually. 5.1.0-5.4.0 5.5.0-5.16.1 @@ -854,7 +854,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 5.5.0-5.16.1 -3034435 +3034435, 3101184 In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community. 4.4.4-5.4.0 5.5.0-5.16.1 @@ -872,7 +872,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -880,7 +880,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2885305 +2885305, 2887500, 3234087, 3074929, 3293192 Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. 5.0.0-5.16.1 @@ -950,7 +950,7 @@ You can safely ignore this warning. -3339336 +3339336, 3336807 The {{ethtool -m}} command does not show Digital Optical Monitoring (DOM) for SFP transceivers. To work around this issue, run the {{l1-show or mlxlink}} command instead. 5.2.0-5.3.1 @@ -965,7 +965,7 @@ You can safely ignore this warning. 3.7.0-5.3.1 -3330600 +3330600, 3330601, 3255756, 3326018 The SNMP monitor might fail to send the expected traps. 5.3.0-5.3.1 @@ -975,7 +975,7 @@ You can safely ignore this warning. 5.0.0-5.3.1 -3322944 +3322944, 3456051 The {{ptmd}} service causes memory leaks. 5.3.0-5.3.1 @@ -990,7 +990,7 @@ You can safely ignore this warning. 5.2.0-5.3.1 -3303084 +3303084, 3289646, 3456051 The memory consumption in {{ptmd}} can grow when the socket being used for a BFD session needs to be recreated. This is often seen when the route being used to forward the BFD packets is removed; for example, if the connected route is removed when an interface goes down, over which a single hop BFD session is formed. 5.3.0-5.3.1 @@ -1005,7 +1005,7 @@ You can safely ignore this warning. 5.3.0-5.3.1 -3298616 +3298616, 3047290, 3324961 NVUE gracefully detects and handles upgrades that include valid flexible snippets. For any invalid (incompatible) flexible snippets, you must delete the snippets before you {{apt upgrade}} Cumulus Linux; otherwise, the NVUE {{nv config apply}} command and the equivalent REST API, do not run. 5.3.0-5.3.1 @@ -1024,7 +1024,7 @@ ethtool (-S): unknown parameter 'clear' 5.3.0-5.3.1 -3292773 +3292773, 3159654 NVUE requires the SNMPv2 community string to be a minimum of eight characters. 5.3.0-5.3.1 @@ -1034,7 +1034,7 @@ ethtool (-S): unknown parameter 'clear' 4.4.3-5.3.1 -3289646 +3289646, 3303084 The memory consumption in {{ptmd}} can grow when the socket being used for a BFD session needs to be recreated. This is often seen when the route being used to forward BFD packets is removed; for example, if the connected route is removed when an interface goes down, over which a single hop BFD session is formed. 5.2.0-5.3.1 @@ -1066,12 +1066,12 @@ Vlan: 0 4.4.0-5.3.1 -3255899 +3255899, 3261883, 3255886 The Linux utility that sends ARP packets is constrained to 512 interfaces on the system. In large scale deployments, the warm boot process fails repeatedly as it sends gratuitous ARP requests for each local address. This issue does not impact the functionality and can be ignored. 5.2.0-5.3.1 -3244955 +3244955, 3264678 ACL configurations fail when the TCAM memory is exhausted because the CTCAM profile is configured with duplicate entries. 5.2.0-5.3.1 @@ -1099,7 +1099,7 @@ Vlan: 0 5.2.0-5.3.1 -3074390 +3074390, 3055255, 2602877 You can not apply NVUE configurations when TACACS is enabled for user authentication. To work around this issue, add the {{nvue}} account to the {{exclude_users}} line in {{/etc/tacplus_nss.conf}}: exclude_users=root,daemon,nobody,cron,radius_user,radius_priv_user,sshd,cumulus,quagga,frr,nvue,snmp,www-data,ntp,man,_lldpd,* diff --git a/content/cumulus-linux-55/Whats-New/rn.md b/content/cumulus-linux-55/Whats-New/rn.md index 02764b510d..678b01e342 100644 --- a/content/cumulus-linux-55/Whats-New/rn.md +++ b/content/cumulus-linux-55/Whats-New/rn.md @@ -16,22 +16,22 @@ pdfhidden: True |--- |--- |--- |--- | | [4963277](#4963277)
| When many BFD sessions are configured at scale, ptmd might crash when one of the BFD sessions flaps. | 5.3.1-5.16.1 | | | [4797691](#4797691)
| The message that the switch displays when you generate a cl-support file or as a post login banner contains an invalid Cumulus Support email address, which is no longer the formal channel for reporting support issues. | 5.0.0-5.9.4, 5.15.1 | 5.9.5, 5.16.0-5.16.1| -| [4663076](#4663076)
| When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.3.1-5.9.4 | 5.9.5-5.16.1, 5.11.5-5.16.1, 5.15.0-5.16.1| +| [4663076, 3963232](#4663076, 3963232)
| When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.3.1-5.9.4 | 5.9.5-5.16.1, 5.11.5-5.16.1, 5.15.0-5.16.1| | [4647646](#4647646)
| If you configure policy-based routing (PBR) rules for more than 32 interfaces, only the rules assigned to the first 32 interfaces are installed in the kernel. | 4.4.2-5.14.0 | 5.15.0-5.16.1| | [4621759](#4621759)
| When many BFD sessions are configured at scale, ptmd might crash when one of the BFD sessions flaps. | 5.3.1-5.14.0 | 5.15.0-5.16.1| | [4521203](#4521203)
| The SATA driver on the NVIDIA SN2410 switch sometimes exhibits failures similar to the following:
2025-06-20T20:03:38.785966+09:00 S1-RF10B kernel: 
[49878794.456350] ata1.00: failed command: WRITE FPDMA QUEUED
2025-06-20T20:03:38.785968+09:00 S1-RF10B kernel: [49878794.461984] ata1.00: cmd
61/08:08:50:2b:c4/00:00:01:00:00/40 tag 1 ncq dma 4096 out
2025-06-20T20:03:38.785970+09:00 S1-RF10B kernel: [49878794.461984] res 40/00:0c:50:2b:c4/00:00:01:00:00/40 Emask 0×10 (ATA bus error)

To work around this issue, power cycle the switch. | 5.5.1-5.13.1 | 5.14.0-5.16.1| | [4469498](#4469498)
| When a host moves to a new VTEP during mobility or network failover events in an EVPN multihoming environment, the host might be unreachable due to ARP resolution failures. To work around this issue, restart the FRR service with the sudo systemctl restart frr.service command. | 5.4.0-5.9.3 | 5.9.4-5.16.1, 5.14.0-5.16.1| -| [4413450](#4413450)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.11.1, 5.13.0-5.13.1 | 5.11.2, 5.14.0-5.16.1| +| [4413450, 4497128](#4413450, 4497128)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.11.1, 5.13.0-5.13.1 | 5.11.2, 5.14.0-5.16.1| | [4377862](#4377862)
| When processing the static IP assignment for an interface previously managed through DHCP, Cumulus Linux fails to clean up the DHCP created state completely. As a result when the IP address assigned by DHCP earlier expires, the switch eventually loses connectivity. | 5.1.0-5.9.3 | 5.9.4-5.16.1, 5.11.2-5.16.1, 5.13.0-5.16.1| | [4039850](#4039850)
| When the MAC address of the neighbor changes, a possible crash might occur because the pointer to which the MAC address points is freed, resulting in a dangling pointer. | 5.3.1-5.10.1 | 5.11.0-5.16.1| | [4004453](#4004453)
| The NVUE commands to delete SNMP users, and change authentication passwords and encryption passphrases are not successful. | 4.3.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3982222](#3982222)
| When you enable SPAN on a bridge member, an ARP or Gratuitous ARP received during a failover event between locally attached redundant devices, such as load balancers, might fail to update the bridge MAC table to point to the interface with the newly active load balancer.

To work around this issue, remove the SPAN configuration from the bridge member or ensure that the load balancer generates non-ARP traffic after the failover to properly update the bridge MAC table. | 5.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3980924](#3980924)
| When adding or removing routes in a virtual router with numerous configured routes, you might encounter incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.5.1-5.9.3 | 5.9.4-5.16.1, 5.11.1-5.16.1, 5.12.0-5.16.1| -| [3949367](#3949367)
| If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. | 5.3.1-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| +| [3949367, 3949366](#3949367, 3949366)
| If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. | 5.3.1-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3927016](#3927016)
| Following an EVPN extended mobility event, where a host with IP address A and MAC address A moves within the fabric and now resides at IP address A and MAC address B, you might see traffic destined to this host experience drops as the flow is software forwarded on the egress VTEP. | 5.0.1-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3917601](#3917601)
| If a packet containing an all zero source MAC address (00:00:00:00:00:00) is learned on the ASIC, switchd sends the learn notification to the kernel but the kernel rejects the MAC address as invalid. The ASIC continuously sends the mac-learn notifications, which wastes CPU resources. To work around this issue, configure ACLs to match on the all-zero source MAC address and drop the invalid packets. | 5.5.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3897227](#3897227)
| During an LLDP update storm while deleting or adding LLPD neighbors, PTMD crashes as a result of mishandling multi-threaded LLPD processing. | 5.5.1-5.9.5 | 5.10.0-5.16.1| -| [3895042](#3895042)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| +| [3895042, 3895041](#3895042, 3895041)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3859422](#3859422)
| On rare occasions when certain events occur, such as changes to the topology in the network, when a bond comes online and directly transits to an STP blocking state, the slave ports might still be in a forwarding state. As a result, traffic is forwarded on a blocked port. | 5.2.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3773177](#3773177)
| When you try to upgrade a switch from Cumulus Linux before 5.6.0 with package upgrade, you might see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.
cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt install ./cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt update
cumulus@switch:~$ sudo apt upgrade
| 4.0.0-4.4.5, 5.0.0-5.16.1 | | | [3765395](#3765395)
| The nv unset nve vxlan flooding and nv set nve vxlan flooding enable off commands do not disable BUM flooding. To work around this issue, disable BUM flooding with vtysh commands:
leaf01# configure terminal
leaf01(config)# router bgp 
leaf01(config-router)# address-family l2vpn evpn
leaf01(config-router-af)# flooding disable
leaf01(config-router-af)# end
leaf01# write memory
leaf01# exit
| 5.5.0-5.8.0 | 5.9.0-5.16.1| @@ -42,7 +42,7 @@ pdfhidden: True | [3713419](#3713419)
| When monitoring system statistics and network traffic with sFlow, an aggressive link flap might produce a memory leak in the sFlow service hsflowd. | 5.1.0-5.7.0 | 5.8.0-5.16.1| | [3702431](#3702431)
| Traditional SNMP snippets do not take effect unless you first enable SNMP with the NVUE nv set service snmp-server enable on and nv set service snmp-server listening-address commands. Alternatively, you can use the equivalent REST API methods. | 5.4.0-5.8.0 | 5.9.0-5.16.1| | [3696061](#3696061)
| When the MAC address of a neighbor changes, the zebra IP routing manager might crash. | 5.2.1-5.6.0 | 5.7.0-5.16.1| -| [3695541](#3695541)
| When applying a full configuration with NVUE that includes VRRP and BGP in VRFs, the VRRP configuration does not come up after you run nv config apply. BGP routes might also be missing. This issue only happens during the initial nv config apply of a full configuration, not during a normal initialization during a reboot or FRR restart. To work around this issue, reboot or restart FRR. | 5.5.1 | 5.6.0-5.16.1| +| [3695541, 3522324](#3695541, 3522324)
| When applying a full configuration with NVUE that includes VRRP and BGP in VRFs, the VRRP configuration does not come up after you run nv config apply. BGP routes might also be missing. This issue only happens during the initial nv config apply of a full configuration, not during a normal initialization during a reboot or FRR restart. To work around this issue, reboot or restart FRR. | 5.5.1 | 5.6.0-5.16.1| | [3695430](#3695430)
| When you configure extended nexthop encoding for a peer group, the peers in the group do not inherit the configuration. To work around this issue, configure extended nexthop encoding on each individual peer in the group. NVIDIA recommends that you upgrade to Cumulus Linux 5.6 or later to avoid this issue. | 5.4.0-5.6.0 | 5.7.0-5.16.1| | [3684998](#3684998)
| DHCP lease information is not collected in the cl-support file. | 4.3.0-5.6.0 | 5.7.0-5.16.1| | [3668939](#3668939)
| When you enable MIB 1.3.6.1.4.1.40310.1 in the snmpd.conf file, you might see high CPU usage by the snmpd service. | 5.5.1-5.6.0 | 5.7.0-5.16.1| @@ -50,24 +50,24 @@ pdfhidden: True | [3630492](#3630492)
| On the NVIDIA SN2201 switch, the ledmgrd -d command output shows the system and PSU LED status as orange when the physical LED is green. | 5.5.1-5.7.0 | 5.8.0-5.16.1| | [3616338](#3616338)
| When you reboot an MLAG switch with 3000 or more VNIs, there might be extended traffic loss during reboot. To work around this issue, configure the clagd service initDelay to 300 seconds with the nv set mlag init-delay 300 command. | 5.5.1-5.6.0 | 5.7.0-5.16.1| | [3613258](#3613258)
| With VM migration from one VTEP to another, traffic loss might occur during a MAC move as locally learned MAC addresses are frequently refreshed between switchd and the kernel. | 5.2.1-5.6.0 | 5.7.0-5.16.1| -| [3610967](#3610967)
| In an EVPN symmetric routing configuration, running the NVUE nv set vrf vlan auto command to derive layer 3 VNIs automatically might result in duplicate VLAN entries in the system. This most often occurs at scale when many VRFs have similar names. To work around this issue, manually specify a unique VLAN for each VRF. | 5.3.0-5.8.0 | 5.9.0-5.16.1| -| [3610611](#3610611)
| Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf loopback ip address command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the ping command to use a source address (such as an SVI address) with the ip vrf exec ping -I command. | 5.5.0-5.6.0 | 5.7.0-5.16.1| -| [3609128](#3609128)
| When you use vi with root or sudo, visual mode is enabled by default due to a missing vimrc configuration file. This makes it difficult to copy and paste into vi. In CL5.7.0, the default configuration now includes set mouse-=a
In addition, the CL5.7.0 default configuration for vi now disables modelines, which can be a security risk. | 5.5.0-5.6.0 | 5.7.0-5.16.1| +| [3610967, 3647761](#3610967, 3647761)
| In an EVPN symmetric routing configuration, running the NVUE nv set vrf vlan auto command to derive layer 3 VNIs automatically might result in duplicate VLAN entries in the system. This most often occurs at scale when many VRFs have similar names. To work around this issue, manually specify a unique VLAN for each VRF. | 5.3.0-5.8.0 | 5.9.0-5.16.1| +| [3610611, 3599699](#3610611, 3599699)
| Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf loopback ip address command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the ping command to use a source address (such as an SVI address) with the ip vrf exec ping -I command. | 5.5.0-5.6.0 | 5.7.0-5.16.1| +| [3609128, 3609176](#3609128, 3609176)
| When you use vi with root or sudo, visual mode is enabled by default due to a missing vimrc configuration file. This makes it difficult to copy and paste into vi. In CL5.7.0, the default configuration now includes set mouse-=a
In addition, the CL5.7.0 default configuration for vi now disables modelines, which can be a security risk. | 5.5.0-5.6.0 | 5.7.0-5.16.1| | [3606739](#3606739)
| The thermal control service, hw-management-tc.service, stops and switch fan speeds run at 100% when the ASIC temperature can't be read. This can occur if the SDK is not started. | 5.5.1-5.6.0 | 5.7.0-5.16.1| | [3603237](#3603237)
| If the secondary MLAG peer continuously reboots, you might experience momentary traffic loss. | 5.5.1-5.6.0 | 5.7.0-5.16.1| -| [3599699](#3599699)
| Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf loopback ip address command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the ping command to use a source address (such as an SVI address) with the ip vrf exec ping -I command. | 5.5.0-5.6.0 | 5.7.0-5.16.1| +| [3599699, 3569484, 3610611](#3599699, 3569484, 3610611)
| Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf loopback ip address command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the ping command to use a source address (such as an SVI address) with the ip vrf exec ping -I command. | 5.5.0-5.6.0 | 5.7.0-5.16.1| | [3597456](#3597456)
| NVUE does not allow you to use the reserved name lo in an interface name. | 5.5.1-5.6.0 | 5.7.0-5.16.1| | [3585467](#3585467)
| NVUE and ip link show traditional bridge VLAN subinterface counts incorrectly. The ingress (Rx) count increments correctly but the egress (Tx) count does not increment. This issues occurs because the hardware does not support transmit counters for a VLAN subinterface; therefore, no statistics from the hardware are updated. Statistics for software forwarded packets show correctly. | 5.0.0-5.6.0 | 5.7.0-5.16.1| -| [3582826](#3582826)
| When you enable the FRR SNMP agent (agentx) and configure routing adjacencies with short timers (dead, keepalive, and hold time), the routing adjacencies might go down in certain scenarios; for example when you have frequent or concurrent client SNMP requests, you use custom SNMP MIB extensions, you poll OIDs with large responses, or during high CPU load. To work around this issue, you can increase the routing adjacency timers to accommodate SNMP processing. | 5.5.0-5.6.0 | 5.7.0-5.16.1| +| [3582826, 3662354](#3582826, 3662354)
| When you enable the FRR SNMP agent (agentx) and configure routing adjacencies with short timers (dead, keepalive, and hold time), the routing adjacencies might go down in certain scenarios; for example when you have frequent or concurrent client SNMP requests, you use custom SNMP MIB extensions, you poll OIDs with large responses, or during high CPU load. To work around this issue, you can increase the routing adjacency timers to accommodate SNMP processing. | 5.5.0-5.6.0 | 5.7.0-5.16.1| | [3580435](#3580435)
| On the NVIDIA SN2410 switch with an Innodisk SSD, you might see the following message in syslog:
smartd[501]: Device: /dev/sda [SAT], CHECK POWER STATUS spins up disk (0x00 -> 0xff)
This is a cosmetic issue and does not affect how the switch operates. To prevent this message from occurring, run the hdparm -S 24 /dev/sda command to change the HD timeout. | 5.3.1-5.6.0 | 5.7.0-5.16.1| | [3576961](#3576961)
| The NVUE command to clear all ACL counters at once is not available. To work around this issue, run the cl-acltool -Z all command to reset the statistics for all ACL rules. | 5.5.1-5.6.0 | 5.7.0-5.16.1| | [3573800](#3573800)
| After you apply a change to the router MAC address on an SVI with the ifreload -a command, the old router MAC address still remains in the FDB table. To work around this issue, remove the old router MAC address with the sudo bridge fdb del dev bridge vlan command. | 5.3.1-5.6.0 | 5.7.0-5.16.1| | [3572580](#3572580)
| You cannot set a VLAN match and a MAC protocol IPv4 match in a MAC type ACL rule. To apply ACLs with a VLAN match and layer 3 header matches ( IPV4/IPV6), you need to use type ipv4 or ipv6 ACLs with the VLAN match specified. | 5.5.1 | 5.6.0-5.16.1| | [3572566](#3572566)
| The NVUE nv action commands are missing from nv list-commands output. | 5.5.1 | 5.6.0-5.16.1| | [3567708](#3567708)
| In an EVPN multihoming environment with VRRP, when the master VRRP router fails, the standby router takes around 30 seconds to become active. | 5.3.1-5.6.0 | 5.7.0-5.16.1| -| [3566980](#3566980)
| When running DHCP relay for IPv6 and a downstream interface flaps more than once, relaying might stop working. To recover, restart the dhcrelay6 service, making sure the specified downstream interfaces are up and running. | 5.5.0-5.6.0 | 5.7.0-5.16.1| +| [3566980, 3511344](#3566980, 3511344)
| When running DHCP relay for IPv6 and a downstream interface flaps more than once, relaying might stop working. To recover, restart the dhcrelay6 service, making sure the specified downstream interfaces are up and running. | 5.5.0-5.6.0 | 5.7.0-5.16.1| | [3560622](#3560622)
| When you configure a route distinguisher (RD) or a route target (RT) manually for layer 2 VNIs, type-1 routes are not properly updated, type-1 EVI routes with the old RD are not properly withdrawn, and type-1 ES routes do not have the corresponding layer 2 VNI route target updated. | 5.0.0-5.5.1 | 5.6.0-5.16.1| -| [3556762](#3556762)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | +| [3556762, 3463827](#3556762, 3463827)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | | [3549138](#3549138)
| In an EVPN environment with ARP suppression enabled, when a host sends a unicast ARP request to a remote host, the ARP reply is duplicated. It is replied once by the remote host and once by the VTEP. | 5.5.0-5.5.1 | 5.6.0-5.16.1| | [3541912](#3541912)
| Collecting a cl-support file in a high VNI and interface environment can result in an out-of-memory (OOM) event on the switch. An OOM event can cause critical services to restart and might impact traffic. | 5.1.0-5.5.1 | 5.6.0-5.16.1| | [3541518](#3541518)
| When you remove the update-source configuration for a BGP neighbor, the peering is reset if the neighbor is a member of a peer group with the same update-source configuration. | 5.5.0-5.5.1 | 5.6.0-5.16.1| @@ -75,7 +75,7 @@ pdfhidden: True | [3534718](#3534718)
| The BGP command to suppress longer prefixes inside the aggregate address before sending updates (nv set vrf router bgp address-family aggregate-route
summary-only or vtysh router bgp aggregate-address
summary-only) does not suppress more specific routes from being exported into the EVPN routing table and advertised as EVPN type-5 routes. To work around this issue, announce EVPN type-5 routes by adding an additional outbound policy or export policy to filter out the more specific routes. | 5.5.0-5.6.0 | 5.7.0-5.16.1| | [3528359](#3528359)
| A switchd assertion crash occurs after KVD resource exhaustion in the SDK because entries are in a pending delete state, which causes an ECMP allocation failure. | 5.5.0-5.5.1 | 5.6.0-5.16.1| | [3526004](#3526004)
| For layer 3 VNIs, Cumulus Linux automatically creates an SVI name that includes an underscore (for example, vlan4036_l3), which is not allowed in SVI names. As a result, commands such as nv show interface for the SVI show an error. The underscore (_) character is now allowed in SVI names. | 5.5.0-5.5.1 | 5.6.0-5.16.1| -| [3522524](#3522524)
| FRR does not allow eBGP multi hop configuration on unnumbered BGP neighbors. | 5.5.0-5.6.0 | 5.7.0-5.16.1| +| [3522524, 3668926](#3522524, 3668926)
| FRR does not allow eBGP multi hop configuration on unnumbered BGP neighbors. | 5.5.0-5.6.0 | 5.7.0-5.16.1| | [3520511](#3520511)
| If you apply EVPN multihoming configuration such as es-df-pref, es-id and es-sys-mac with vtysh after you remove a bond interface that is part of a bridge and run ifreload -a, FRR crashes. To work around this issue, do not remove a bond from a bridge before you configure EVPN multihoming with vtysh. | 5.5.1 | 5.6.0-5.16.1| | [3517376](#3517376)
| When you use CMIS specification based optics, the l1-show command output provides incorrect values for digital diagnostics (TX Power and RX Power). To work around this issue, run the mlxlink command with either the -m or --cable --ddm flags. | 5.5.0-5.5.1 | 5.6.0-5.16.1| | [3509445](#3509445)
| If a BGP numbered session is in a non-established state, SNMP walk commands to the system might time out when the BGPVRF MIB is included in the OIDs to collect. In addition, FRR might report warnings about AgentX in the log files. | 5.5.0-5.5.1 | 5.6.0-5.16.1| @@ -89,7 +89,7 @@ pdfhidden: True | [3484058](#3484058)
| When you power on the NVIDIA SN3420 switch with no connected cables, the QSFP ports LEDs light in amber. | 5.3.0-5.8.0 | 5.9.0-5.16.1| | [3482006](#3482006)
| If FRR learns a layer 2 entry against a VNI and you reconfigure the VNI later as a layer 3 VNI, the original layer 2 entry does not clear and remains in the forwarding database. | 5.0.0-5.5.1 | 4.3.2-4.4.5, 5.6.0-5.16.1| | [3479786](#3479786)
| The switchd service does not handle certain route and next hop updates, which causes a synchronization loop. For example, in a VRF route leaking configuration, where a next hop group spans across multiple VRFs, when one of the routes is withdrawn and the next hop is no longer used, switchd has problems synchronizing other next hops in the group
To work around this issue, disable next hop groups in zebra with the vtysh zebra nexthop proto only command, and then reboot the switch. | 5.3.0-5.5.1 | 5.6.0-5.16.1| -| [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.16.1| +| [3474391, 3479772](#3474391, 3479772)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.16.1| | [3472865](#3472865)
| The json output for the vtysh -c ‘show bgp all json command is missing a string key in front of the list of routes under the l2vpnevpn address family. | 5.4.0-5.5.1 | 5.6.0-5.16.1| | [3471052](#3471052)
| On certain QSFP-DD and OSFP optical modules, the ethtool -m command, and the related NCLU and NVUE commands that display optical module information fail. | 5.4.0-5.5.1 | 5.6.0-5.16.1| | [3467890](#3467890)
| BGP aggregate routers are not advertised after learning the same route from another protocol. To work around this issue, restart the FRR service or, if possible, don't learn the route from another protocol (use route maps instead). | 5.3.0-5.5.1 | 5.6.0-5.16.1| @@ -99,28 +99,28 @@ pdfhidden: True | [3455078](#3455078)
| When you bring down or delete a bridge or all interfaces on the switch, you see the following error message in the /var/log/switchd.log file:
ERR bridge destroy for vlan  bridge_id  vfid  failed: Resource is in use
The errors are temporary and have no impact on functionality or traffic. | 5.5.0-5.5.1 | 5.6.0-5.16.1| | [3452763](#3452763)
| When you use the NVUE API with TACACS+, users might see a 403 Forbidden message if no TACACS+ user has logged in some other way, such as with SSH. To work around this issue, log in any TACACS+ user through SSH before you use the NVUE API with TACACS+ users, or run the following commands:
cumulus@switch:~$ sudo touch /run/tacacs_client_map
cumulus@switch:~$ sudo chown root:shadow /run/tacacs_client_map
cumulus@switch:~$ sudo chmod 0644 /run/tacacs_client_map | 5.5.0-5.5.1 | 5.6.0-5.16.1| | [3452732](#3452732)
| The nv set router policy ext-community-list rule ext-community rt command does not generate the standard based BGP community list. As a result, routes do not match the expected community list. To work around this issue, create a snippet to add the policy configuration to the /etc/frr/frr.conf file, then patch the configuration. For example:
cumulus@switch:~$ sudo nano frr_policy.yaml- set:
   system:
     config:
       snippet:
         frr.conf: \|
           bgp extcommunity-list standard EXTCOMMUNITY1 seq 10 permit rt 65102:10
cumulus@switch:~$ nv config patch frr_policy.yaml
| 5.5.0-5.6.0 | 5.7.0-5.16.1| -| [3452681](#3452681)
| When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND. | 5.5.0-5.10.1 | 5.11.0-5.16.1| +| [3452681, 3465375](#3452681, 3465375)
| When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND. | 5.5.0-5.10.1 | 5.11.0-5.16.1| | [3448984](#3448984)
| If you use NVUE to apply a configuration when the optional TACACS+ packages are not installed on the switch, you might see messages similar to the following in the /var/log/syslog file when auditd restarts (for example, when the switch reboots):
audispd: Unable to stat /sbin/audisp-tacplus (No such file or directory)
audispd: Skipping audisp-tacplus.conf plugin due to errors
These messages do not affect the functionality of the switch. | 5.5.0-5.5.1 | 5.6.0-5.16.1| | [3447762](#3447762)
| If the NVUE startup.yaml configuration file is invalid, the nv config apply startup command times out without providing details on the error. | 5.4.0-5.5.1 | 5.6.0-5.16.1| | [3445841](#3445841)
| FRR does not apply Type-0 ESI configuration for EVPN multihoming bonds consistently after an FRR service reload. This issue occurs because the system MAC address value (es-sys-mac) is only compatible with a 3-byte Ethernet segment ID (es-id) for Type-3 ESIs, but still renders even when the Ethernet segment ID is 10 bytes for Type-0 ESIs. To work around this issue, configure EVPN multihoming bonds with a Type-3 ESI (es-sys-mac plus a 3-byte es-id). | 5.0.0-5.6.0 | 5.7.0-5.16.1| -| [3442569](#3442569)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | +| [3442569, 3520880, 3586421](#3442569, 3520880, 3586421)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | | [3436595](#3436595)
| When using WJH, if you export dropped packets to a file in PCAP format, the file contains custom WJH header data. As a result, certain tools, such as Wireshark, cannot decode the data. To work around this issue, use the --no_metadata option with the export command:
cumulus@switch:~$ what-just-happened poll --export --no_metadata
| 5.4.0-5.5.1 | 5.6.0-5.16.1| | [3436407](#3436407)
| The nv show acl command output shows a header but no ACL details. | 5.5.0-5.8.0 | 5.9.0-5.16.1| | [3433944](#3433944)
| The wjh_dissector.lua WJH packet decoder script provided with Cumulus Linux might fail to decode all WJH packets. | 5.4.0-5.5.1 | 5.6.0-5.16.1| -| [3433577](#3433577)
| When you use a single VXLAN device (SVD) with MLAG and static VXLAN tunnels, Cumulus Linux incorrectly associates the MAC addresses it learns from the VXLAN fabric to the bridge PVID. This issue can lead to a feedback loop between the clagd service and switchd, and might result in critical CPU usage with an out of memory condition. Do not use an SVD when enabling MLAG in a static VXLAN environment. | 5.5.0-5.8.0 | 5.9.0-5.16.1| -| [3430430](#3430430)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | -| [3428677](#3428677)
| In certain cases, Cumulus Linux does not process next hop updates because the zebra IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state. | 5.3.0-5.6.0 | 5.7.0-5.16.1| -| [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | +| [3433577, 3433769](#3433577, 3433769)
| When you use a single VXLAN device (SVD) with MLAG and static VXLAN tunnels, Cumulus Linux incorrectly associates the MAC addresses it learns from the VXLAN fabric to the bridge PVID. This issue can lead to a feedback loop between the clagd service and switchd, and might result in critical CPU usage with an out of memory condition. Do not use an SVD when enabling MLAG in a static VXLAN environment. | 5.5.0-5.8.0 | 5.9.0-5.16.1| +| [3430430, 3337848](#3430430, 3337848)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | +| [3428677, 3437317](#3428677, 3437317)
| In certain cases, Cumulus Linux does not process next hop updates because the zebra IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state. | 5.3.0-5.6.0 | 5.7.0-5.16.1| +| [3424967, 3413785](#3424967, 3413785)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [3419940](#3419940)
| When generating a cl-support file either manually or when an issue occurs on the system, you see the following kernel error messages:
'Register access failed (reg_id=0x9029, status=0x4)' followed by a hex dump of a few lines
This error message is benign and has no functional impact. | 5.5.0-5.5.1 | 5.6.0-5.16.1| +| [3419940, 3442281](#3419940, 3442281)
| When generating a cl-support file either manually or when an issue occurs on the system, you see the following kernel error messages:
'Register access failed (reg_id=0x9029, status=0x4)' followed by a hex dump of a few lines
This error message is benign and has no functional impact. | 5.5.0-5.5.1 | 5.6.0-5.16.1| | [3419928](#3419928)
| The NVUE PIM timer command option names keep-alive and rp-keep-alive are inconsistent and need to change to keepalive and rp-keepalive. | 5.4.0-5.6.0 | 5.7.0-5.16.1| -| [3413785](#3413785)
| To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.5.1 | 5.6.0-5.16.1| +| [3413785, 3424967](#3413785, 3424967)
| To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.5.1 | 5.6.0-5.16.1| | [3405024](#3405024)
| You cannot remove PBR map configuration with source and destination rules. To work around this issue, delete the entire PBR map clause. | 5.5.0-5.6.0 | 5.7.0-5.16.1| | [3394674](#3394674)
| If you restart FRR with the log file debugging level set to informational, BGP crashes. | 5.4.0-5.5.1 | 5.6.0-5.16.1| | [3393966](#3393966)
| When you configure OSPF network statements using NVUE with the nv set vrf router ospf area network command, subsequent configuration changes with NVUE might bring down all OSPF neighbors. To work around this issue, create an NVUE snippet to configure the network statement, or use the nv set interface router ospf area command to enable OSPF on interfaces instead of using a network statement. | 5.5.0-5.9.5 | 5.10.0-5.16.1| | [3378733](#3378733)
| After you add or delete a static MAC entry on the bridge FDB, a core dump occurs if the interface is VXLAN and the MAC address is 00:00:00:00:00:00. | 5.4.0-5.5.1 | 5.6.0-5.16.1| | [3362113](#3362113)
| If you restore an NVUE startup.yaml file or run the nv config patch command after an upgrade that includes breakout ports with QoS configuration, the NVUE configuration fails to apply. Subsequent attempts to run nv config apply fail with a message similar to Invalid config [rev_id: 11] qos config is not supported on the following invalid interface: swp1s0. Supported on swp and bond interface types. To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. | 5.4.0-5.16.1 | | -| [3347677](#3347677)
| In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown. | 5.1.0-5.6.0 | 5.7.0-5.16.1| +| [3347677, 3180068](#3347677, 3180068)
| In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown. | 5.1.0-5.6.0 | 5.7.0-5.16.1| | [3347538](#3347538)
| When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.16.1 | | | [3344846](#3344846)
| The Spectrum-3 hardware configuration is not optimized for the best PTP accuracy when using 25GbE. You might see higher than expected PTP offsets on this platforms and interface speed. | 5.4.0-5.5.1 | 5.6.0-5.16.1| | [3341214](#3341214)
| If you use the NVUE REST API to configure a local user with a hashed password, the user cannot log in and the /etc/nvue.d/startup.yaml file shows the password as plain text. | 5.4.0-5.16.1 | | @@ -137,14 +137,14 @@ pdfhidden: True | [3241567](#3241567)
| When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time. | 5.3.0-5.16.1 | | | [3232091](#3232091)
| The NVUE nv unset interface link lanes command does not restore the port lane setting to the default value. To work around this issue, run the nv set interface link lanes command. | 5.4.0-5.6.0 | 5.7.0-5.16.1| | [3226506](#3226506)
| The l1-show eth0 command does not show port information and is not supported in this release. | 5.3.0-5.16.1 | | -| [3225117](#3225117)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | -| [3221628](#3221628)
| Cumulus Linux VX images might include an incorrect entry at the end of /etc/apt/sources.list, which produces warnings when you run apt update. Remove this entry to avoid these warnings. | 5.2.0-5.6.0 | 5.7.0-5.16.1| -| [3187469](#3187469)
| At high scale with 160 VRFs and 10 VLANs per VRF (a total of 1600 VLANs), you see traffic loss during primary switch reboot. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address. | 5.1.0-5.5.1 | 5.6.0-5.16.1| +| [3225117, 3158720](#3225117, 3158720)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | +| [3221628, 3217877](#3221628, 3217877)
| Cumulus Linux VX images might include an incorrect entry at the end of /etc/apt/sources.list, which produces warnings when you run apt update. Remove this entry to avoid these warnings. | 5.2.0-5.6.0 | 5.7.0-5.16.1| +| [3187469, 3188618](#3187469, 3188618)
| At high scale with 160 VRFs and 10 VLANs per VRF (a total of 1600 VLANs), you see traffic loss during primary switch reboot. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address. | 5.1.0-5.5.1 | 5.6.0-5.16.1| | [3178090](#3178090)
| The cl-support generation script causes TC filter collection to run as a background process for each interface, which can lead to memory exhaustion on a high scale configuration and on a switch with a small memory footprint. | 5.1.0-5.5.1 | 5.6.0-5.16.1| | [3172682](#3172682)
| On rare occasions, when you query the system hostname through the hostnamctl application, you see a timeout. NVUE uses the hostnamctl application to determine the system hostname, which can result in an nv config apply command failure. | 5.2.0-5.5.1 | 5.6.0-5.16.1| | [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.16.1 | | | [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.16.1 | | -| [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | +| [3145869, 3430508, 3543102](#3145869, 3430508, 3543102)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | | [3141826](#3141826)
| A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1)
1.3.6.1.2.1.47 --> Entity MIB
1.3.6.1.2.1.99 --> Entity Sensor MIB
1.3.6.1.2.1.23 --> rip2
1.3.6.1.2.1.2 --> interface/interfaces
1.3.6.1.2.1.31 --> ifMIB
1.3.6.1.2.1.4 --> IP
1.3.6.1.2.1.25 --> hostResource | 5.0.1-5.8.0 | 5.9.0-5.16.1| | [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example: 
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.16.1 | | | [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.16.1 | | @@ -152,12 +152,12 @@ pdfhidden: True | [3084476](#3084476)
| After you disable traffic shaping in the /etc/cumulus/datapath/qos/qos_features.conf file, the default QOS traffic shaping configuration does not restore. To work around this issue, restart switchd. | 4.4.3, 5.0.0-5.16.1 | 4.4.4-4.4.5| | [3084027](#3084027)
| Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware. | 4.3.0-4.4.5, 5.0.0-5.16.1 | | | [3071652](#3071652)
| On rare occasions, after you reboot or restart switchd on a Spectrum 1 switch, any 25G connections with Direct Attach Copper (DAC) cables that connect from the switch to a non-NVIDIA device might flap continuously. To work around this issue, bring the affected link administratively down for a few seconds on the non-NVIDIA device, then bring the link back up. | 4.4.4-4.4.5, 5.1.0-5.16.1 | | -| [3069069](#3069069)
| When you run the systemctl reload switchd command, there is momentary traffic loss after a port configured with lossless buffers goes down. This is only temporary and the traffic stabilizes after the initial drops. | 5.1.0-5.5.1 | 5.6.0-5.16.1| +| [3069069, 3271536](#3069069, 3271536)
| When you run the systemctl reload switchd command, there is momentary traffic loss after a port configured with lossless buffers goes down. This is only temporary and the traffic stabilizes after the initial drops. | 5.1.0-5.5.1 | 5.6.0-5.16.1| | [3061656](#3061656)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.16.1 | | | [2972540](#2972540)
| With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.16.1 | | | [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.16.1 | | -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [2885305](#2885305)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2885305, 2887500, 3234087, 3074929, 3293192](#2885305, 2887500, 3234087, 3074929, 3293192)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.16.1 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.16.1 | | | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | @@ -177,19 +177,19 @@ pdfhidden: True |--- |--- |--- |--- | | [4963277](#4963277)
| When many BFD sessions are configured at scale, ptmd might crash when one of the BFD sessions flaps. | 5.3.1-5.16.1 | | | [4797691](#4797691)
| The message that the switch displays when you generate a cl-support file or as a post login banner contains an invalid Cumulus Support email address, which is no longer the formal channel for reporting support issues. | 5.0.0-5.9.4, 5.15.1 | 5.9.5, 5.16.0-5.16.1| -| [4663076](#4663076)
| When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.3.1-5.9.4 | 5.9.5-5.16.1, 5.11.5-5.16.1, 5.15.0-5.16.1| +| [4663076, 3963232](#4663076, 3963232)
| When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.3.1-5.9.4 | 5.9.5-5.16.1, 5.11.5-5.16.1, 5.15.0-5.16.1| | [4647646](#4647646)
| If you configure policy-based routing (PBR) rules for more than 32 interfaces, only the rules assigned to the first 32 interfaces are installed in the kernel. | 4.4.2-5.14.0 | 5.15.0-5.16.1| | [4621759](#4621759)
| When many BFD sessions are configured at scale, ptmd might crash when one of the BFD sessions flaps. | 5.3.1-5.14.0 | 5.15.0-5.16.1| | [4469498](#4469498)
| When a host moves to a new VTEP during mobility or network failover events in an EVPN multihoming environment, the host might be unreachable due to ARP resolution failures. To work around this issue, restart the FRR service with the sudo systemctl restart frr.service command. | 5.4.0-5.9.3 | 5.9.4-5.16.1, 5.14.0-5.16.1| -| [4413450](#4413450)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.11.1, 5.13.0-5.13.1 | 5.11.2, 5.14.0-5.16.1| +| [4413450, 4497128](#4413450, 4497128)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.11.1, 5.13.0-5.13.1 | 5.11.2, 5.14.0-5.16.1| | [4377862](#4377862)
| When processing the static IP assignment for an interface previously managed through DHCP, Cumulus Linux fails to clean up the DHCP created state completely. As a result when the IP address assigned by DHCP earlier expires, the switch eventually loses connectivity. | 5.1.0-5.9.3 | 5.9.4-5.16.1, 5.11.2-5.16.1, 5.13.0-5.16.1| | [4039850](#4039850)
| When the MAC address of the neighbor changes, a possible crash might occur because the pointer to which the MAC address points is freed, resulting in a dangling pointer. | 5.3.1-5.10.1 | 5.11.0-5.16.1| | [4004453](#4004453)
| The NVUE commands to delete SNMP users, and change authentication passwords and encryption passphrases are not successful. | 4.3.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3982222](#3982222)
| When you enable SPAN on a bridge member, an ARP or Gratuitous ARP received during a failover event between locally attached redundant devices, such as load balancers, might fail to update the bridge MAC table to point to the interface with the newly active load balancer.

To work around this issue, remove the SPAN configuration from the bridge member or ensure that the load balancer generates non-ARP traffic after the failover to properly update the bridge MAC table. | 5.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| -| [3949367](#3949367)
| If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. | 5.3.1-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| +| [3949367, 3949366](#3949367, 3949366)
| If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. | 5.3.1-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3927016](#3927016)
| Following an EVPN extended mobility event, where a host with IP address A and MAC address A moves within the fabric and now resides at IP address A and MAC address B, you might see traffic destined to this host experience drops as the flow is software forwarded on the egress VTEP. | 5.0.1-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3917601](#3917601)
| If a packet containing an all zero source MAC address (00:00:00:00:00:00) is learned on the ASIC, switchd sends the learn notification to the kernel but the kernel rejects the MAC address as invalid. The ASIC continuously sends the mac-learn notifications, which wastes CPU resources. To work around this issue, configure ACLs to match on the all-zero source MAC address and drop the invalid packets. | 5.5.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| -| [3895042](#3895042)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| +| [3895042, 3895041](#3895042, 3895041)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3859422](#3859422)
| On rare occasions when certain events occur, such as changes to the topology in the network, when a bond comes online and directly transits to an STP blocking state, the slave ports might still be in a forwarding state. As a result, traffic is forwarded on a blocked port. | 5.2.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3773177](#3773177)
| When you try to upgrade a switch from Cumulus Linux before 5.6.0 with package upgrade, you might see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.
cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt install ./cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt update
cumulus@switch:~$ sudo apt upgrade
| 4.0.0-4.4.5, 5.0.0-5.16.1 | | | [3765395](#3765395)
| The nv unset nve vxlan flooding and nv set nve vxlan flooding enable off commands do not disable BUM flooding. To work around this issue, disable BUM flooding with vtysh commands:
leaf01# configure terminal
leaf01(config)# router bgp 
leaf01(config-router)# address-family l2vpn evpn
leaf01(config-router-af)# flooding disable
leaf01(config-router-af)# end
leaf01# write memory
leaf01# exit
| 5.5.0-5.8.0 | 5.9.0-5.16.1| @@ -201,18 +201,18 @@ pdfhidden: True | [3684998](#3684998)
| DHCP lease information is not collected in the cl-support file. | 4.3.0-5.6.0 | 5.7.0-5.16.1| | [3663182](#3663182)
| Changing non-default BGP timers with NCLU or vtysh commands sets the hold time and keep alive interval to 0 seconds. To work around this issue, restart the FRR service with the sudo systemctl restart frr.service command. | 5.3.1-5.6.0 | 5.7.0-5.16.1| | [3613258](#3613258)
| With VM migration from one VTEP to another, traffic loss might occur during a MAC move as locally learned MAC addresses are frequently refreshed between switchd and the kernel. | 5.2.1-5.6.0 | 5.7.0-5.16.1| -| [3610967](#3610967)
| In an EVPN symmetric routing configuration, running the NVUE nv set vrf vlan auto command to derive layer 3 VNIs automatically might result in duplicate VLAN entries in the system. This most often occurs at scale when many VRFs have similar names. To work around this issue, manually specify a unique VLAN for each VRF. | 5.3.0-5.8.0 | 5.9.0-5.16.1| -| [3610611](#3610611)
| Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf loopback ip address command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the ping command to use a source address (such as an SVI address) with the ip vrf exec ping -I command. | 5.5.0-5.6.0 | 5.7.0-5.16.1| -| [3609128](#3609128)
| When you use vi with root or sudo, visual mode is enabled by default due to a missing vimrc configuration file. This makes it difficult to copy and paste into vi. In CL5.7.0, the default configuration now includes set mouse-=a
In addition, the CL5.7.0 default configuration for vi now disables modelines, which can be a security risk. | 5.5.0-5.6.0 | 5.7.0-5.16.1| -| [3599699](#3599699)
| Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf loopback ip address command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the ping command to use a source address (such as an SVI address) with the ip vrf exec ping -I command. | 5.5.0-5.6.0 | 5.7.0-5.16.1| +| [3610967, 3647761](#3610967, 3647761)
| In an EVPN symmetric routing configuration, running the NVUE nv set vrf vlan auto command to derive layer 3 VNIs automatically might result in duplicate VLAN entries in the system. This most often occurs at scale when many VRFs have similar names. To work around this issue, manually specify a unique VLAN for each VRF. | 5.3.0-5.8.0 | 5.9.0-5.16.1| +| [3610611, 3599699](#3610611, 3599699)
| Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf loopback ip address command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the ping command to use a source address (such as an SVI address) with the ip vrf exec ping -I command. | 5.5.0-5.6.0 | 5.7.0-5.16.1| +| [3609128, 3609176](#3609128, 3609176)
| When you use vi with root or sudo, visual mode is enabled by default due to a missing vimrc configuration file. This makes it difficult to copy and paste into vi. In CL5.7.0, the default configuration now includes set mouse-=a
In addition, the CL5.7.0 default configuration for vi now disables modelines, which can be a security risk. | 5.5.0-5.6.0 | 5.7.0-5.16.1| +| [3599699, 3569484, 3610611](#3599699, 3569484, 3610611)
| Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf loopback ip address command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the ping command to use a source address (such as an SVI address) with the ip vrf exec ping -I command. | 5.5.0-5.6.0 | 5.7.0-5.16.1| | [3585467](#3585467)
| NVUE and ip link show traditional bridge VLAN subinterface counts incorrectly. The ingress (Rx) count increments correctly but the egress (Tx) count does not increment. This issues occurs because the hardware does not support transmit counters for a VLAN subinterface; therefore, no statistics from the hardware are updated. Statistics for software forwarded packets show correctly. | 5.0.0-5.6.0 | 5.7.0-5.16.1| -| [3582826](#3582826)
| When you enable the FRR SNMP agent (agentx) and configure routing adjacencies with short timers (dead, keepalive, and hold time), the routing adjacencies might go down in certain scenarios; for example when you have frequent or concurrent client SNMP requests, you use custom SNMP MIB extensions, you poll OIDs with large responses, or during high CPU load. To work around this issue, you can increase the routing adjacency timers to accommodate SNMP processing. | 5.5.0-5.6.0 | 5.7.0-5.16.1| +| [3582826, 3662354](#3582826, 3662354)
| When you enable the FRR SNMP agent (agentx) and configure routing adjacencies with short timers (dead, keepalive, and hold time), the routing adjacencies might go down in certain scenarios; for example when you have frequent or concurrent client SNMP requests, you use custom SNMP MIB extensions, you poll OIDs with large responses, or during high CPU load. To work around this issue, you can increase the routing adjacency timers to accommodate SNMP processing. | 5.5.0-5.6.0 | 5.7.0-5.16.1| | [3580435](#3580435)
| On the NVIDIA SN2410 switch with an Innodisk SSD, you might see the following message in syslog:
smartd[501]: Device: /dev/sda [SAT], CHECK POWER STATUS spins up disk (0x00 -> 0xff)
This is a cosmetic issue and does not affect how the switch operates. To prevent this message from occurring, run the hdparm -S 24 /dev/sda command to change the HD timeout. | 5.3.1-5.6.0 | 5.7.0-5.16.1| | [3573800](#3573800)
| After you apply a change to the router MAC address on an SVI with the ifreload -a command, the old router MAC address still remains in the FDB table. To work around this issue, remove the old router MAC address with the sudo bridge fdb del dev bridge vlan command. | 5.3.1-5.6.0 | 5.7.0-5.16.1| | [3567708](#3567708)
| In an EVPN multihoming environment with VRRP, when the master VRRP router fails, the standby router takes around 30 seconds to become active. | 5.3.1-5.6.0 | 5.7.0-5.16.1| -| [3566980](#3566980)
| When running DHCP relay for IPv6 and a downstream interface flaps more than once, relaying might stop working. To recover, restart the dhcrelay6 service, making sure the specified downstream interfaces are up and running. | 5.5.0-5.6.0 | 5.7.0-5.16.1| +| [3566980, 3511344](#3566980, 3511344)
| When running DHCP relay for IPv6 and a downstream interface flaps more than once, relaying might stop working. To recover, restart the dhcrelay6 service, making sure the specified downstream interfaces are up and running. | 5.5.0-5.6.0 | 5.7.0-5.16.1| | [3560622](#3560622)
| When you configure a route distinguisher (RD) or a route target (RT) manually for layer 2 VNIs, type-1 routes are not properly updated, type-1 EVI routes with the old RD are not properly withdrawn, and type-1 ES routes do not have the corresponding layer 2 VNI route target updated. | 5.0.0-5.5.1 | 5.6.0-5.16.1| -| [3556762](#3556762)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | +| [3556762, 3463827](#3556762, 3463827)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | | [3549138](#3549138)
| In an EVPN environment with ARP suppression enabled, when a host sends a unicast ARP request to a remote host, the ARP reply is duplicated. It is replied once by the remote host and once by the VTEP. | 5.5.0-5.5.1 | 5.6.0-5.16.1| | [3541912](#3541912)
| Collecting a cl-support file in a high VNI and interface environment can result in an out-of-memory (OOM) event on the switch. An OOM event can cause critical services to restart and might impact traffic. | 5.1.0-5.5.1 | 5.6.0-5.16.1| | [3541518](#3541518)
| When you remove the update-source configuration for a BGP neighbor, the peering is reset if the neighbor is a member of a peer group with the same update-source configuration. | 5.5.0-5.5.1 | 5.6.0-5.16.1| @@ -220,7 +220,7 @@ pdfhidden: True | [3534718](#3534718)
| The BGP command to suppress longer prefixes inside the aggregate address before sending updates (nv set vrf router bgp address-family aggregate-route
summary-only or vtysh router bgp aggregate-address
summary-only) does not suppress more specific routes from being exported into the EVPN routing table and advertised as EVPN type-5 routes. To work around this issue, announce EVPN type-5 routes by adding an additional outbound policy or export policy to filter out the more specific routes. | 5.5.0-5.6.0 | 5.7.0-5.16.1| | [3528359](#3528359)
| A switchd assertion crash occurs after KVD resource exhaustion in the SDK because entries are in a pending delete state, which causes an ECMP allocation failure. | 5.5.0-5.5.1 | 5.6.0-5.16.1| | [3526004](#3526004)
| For layer 3 VNIs, Cumulus Linux automatically creates an SVI name that includes an underscore (for example, vlan4036_l3), which is not allowed in SVI names. As a result, commands such as nv show interface for the SVI show an error. The underscore (_) character is now allowed in SVI names. | 5.5.0-5.5.1 | 5.6.0-5.16.1| -| [3522524](#3522524)
| FRR does not allow eBGP multi hop configuration on unnumbered BGP neighbors. | 5.5.0-5.6.0 | 5.7.0-5.16.1| +| [3522524, 3668926](#3522524, 3668926)
| FRR does not allow eBGP multi hop configuration on unnumbered BGP neighbors. | 5.5.0-5.6.0 | 5.7.0-5.16.1| | [3517376](#3517376)
| When you use CMIS specification based optics, the l1-show command output provides incorrect values for digital diagnostics (TX Power and RX Power). To work around this issue, run the mlxlink command with either the -m or --cable --ddm flags. | 5.5.0-5.5.1 | 5.6.0-5.16.1| | [3509445](#3509445)
| If a BGP numbered session is in a non-established state, SNMP walk commands to the system might time out when the BGPVRF MIB is included in the OIDs to collect. In addition, FRR might report warnings about AgentX in the log files. | 5.5.0-5.5.1 | 5.6.0-5.16.1| | [3498939](#3498939)
| In an EVPN environment, VM migration (IP and MAC address migration) might not work because the new local VTEP to which the VM migrates does not install the entry in the kenel. To work around this issue, restart the switchd service. | 5.4.0-5.5.1 | 5.6.0-5.16.1| @@ -233,7 +233,7 @@ pdfhidden: True | [3484058](#3484058)
| When you power on the NVIDIA SN3420 switch with no connected cables, the QSFP ports LEDs light in amber. | 5.3.0-5.8.0 | 5.9.0-5.16.1| | [3482006](#3482006)
| If FRR learns a layer 2 entry against a VNI and you reconfigure the VNI later as a layer 3 VNI, the original layer 2 entry does not clear and remains in the forwarding database. | 5.0.0-5.5.1 | 4.3.2-4.4.5, 5.6.0-5.16.1| | [3479786](#3479786)
| The switchd service does not handle certain route and next hop updates, which causes a synchronization loop. For example, in a VRF route leaking configuration, where a next hop group spans across multiple VRFs, when one of the routes is withdrawn and the next hop is no longer used, switchd has problems synchronizing other next hops in the group
To work around this issue, disable next hop groups in zebra with the vtysh zebra nexthop proto only command, and then reboot the switch. | 5.3.0-5.5.1 | 5.6.0-5.16.1| -| [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.16.1| +| [3474391, 3479772](#3474391, 3479772)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | 5.6.0-5.16.1| | [3474352](#3474352)
| On the NVIDIA SN4700 switch, reversing the upper four lanes on a port does not work and might cause link degradation. If you swap between the upper and lower four lanes on a port, the firmware gets stuck. | 5.3.0-5.5.1 | 5.6.0-5.16.1| | [3472865](#3472865)
| The json output for the vtysh -c ‘show bgp all json command is missing a string key in front of the list of routes under the l2vpnevpn address family. | 5.4.0-5.5.1 | 5.6.0-5.16.1| | [3471052](#3471052)
| On certain QSFP-DD and OSFP optical modules, the ethtool -m command, and the related NCLU and NVUE commands that display optical module information fail. | 5.4.0-5.5.1 | 5.6.0-5.16.1| @@ -244,28 +244,28 @@ pdfhidden: True | [3455078](#3455078)
| When you bring down or delete a bridge or all interfaces on the switch, you see the following error message in the /var/log/switchd.log file:
ERR bridge destroy for vlan  bridge_id  vfid  failed: Resource is in use
The errors are temporary and have no impact on functionality or traffic. | 5.5.0-5.5.1 | 5.6.0-5.16.1| | [3452763](#3452763)
| When you use the NVUE API with TACACS+, users might see a 403 Forbidden message if no TACACS+ user has logged in some other way, such as with SSH. To work around this issue, log in any TACACS+ user through SSH before you use the NVUE API with TACACS+ users, or run the following commands:
cumulus@switch:~$ sudo touch /run/tacacs_client_map
cumulus@switch:~$ sudo chown root:shadow /run/tacacs_client_map
cumulus@switch:~$ sudo chmod 0644 /run/tacacs_client_map | 5.5.0-5.5.1 | 5.6.0-5.16.1| | [3452732](#3452732)
| The nv set router policy ext-community-list rule ext-community rt command does not generate the standard based BGP community list. As a result, routes do not match the expected community list. To work around this issue, create a snippet to add the policy configuration to the /etc/frr/frr.conf file, then patch the configuration. For example:
cumulus@switch:~$ sudo nano frr_policy.yaml- set:
   system:
     config:
       snippet:
         frr.conf: \|
           bgp extcommunity-list standard EXTCOMMUNITY1 seq 10 permit rt 65102:10
cumulus@switch:~$ nv config patch frr_policy.yaml
| 5.5.0-5.6.0 | 5.7.0-5.16.1| -| [3452681](#3452681)
| When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND. | 5.5.0-5.10.1 | 5.11.0-5.16.1| +| [3452681, 3465375](#3452681, 3465375)
| When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND. | 5.5.0-5.10.1 | 5.11.0-5.16.1| | [3448984](#3448984)
| If you use NVUE to apply a configuration when the optional TACACS+ packages are not installed on the switch, you might see messages similar to the following in the /var/log/syslog file when auditd restarts (for example, when the switch reboots):
audispd: Unable to stat /sbin/audisp-tacplus (No such file or directory)
audispd: Skipping audisp-tacplus.conf plugin due to errors
These messages do not affect the functionality of the switch. | 5.5.0-5.5.1 | 5.6.0-5.16.1| | [3447762](#3447762)
| If the NVUE startup.yaml configuration file is invalid, the nv config apply startup command times out without providing details on the error. | 5.4.0-5.5.1 | 5.6.0-5.16.1| | [3445841](#3445841)
| FRR does not apply Type-0 ESI configuration for EVPN multihoming bonds consistently after an FRR service reload. This issue occurs because the system MAC address value (es-sys-mac) is only compatible with a 3-byte Ethernet segment ID (es-id) for Type-3 ESIs, but still renders even when the Ethernet segment ID is 10 bytes for Type-0 ESIs. To work around this issue, configure EVPN multihoming bonds with a Type-3 ESI (es-sys-mac plus a 3-byte es-id). | 5.0.0-5.6.0 | 5.7.0-5.16.1| -| [3442569](#3442569)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | +| [3442569, 3520880, 3586421](#3442569, 3520880, 3586421)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | | [3436595](#3436595)
| When using WJH, if you export dropped packets to a file in PCAP format, the file contains custom WJH header data. As a result, certain tools, such as Wireshark, cannot decode the data. To work around this issue, use the --no_metadata option with the export command:
cumulus@switch:~$ what-just-happened poll --export --no_metadata
| 5.4.0-5.5.1 | 5.6.0-5.16.1| | [3436407](#3436407)
| The nv show acl command output shows a header but no ACL details. | 5.5.0-5.8.0 | 5.9.0-5.16.1| | [3433944](#3433944)
| The wjh_dissector.lua WJH packet decoder script provided with Cumulus Linux might fail to decode all WJH packets. | 5.4.0-5.5.1 | 5.6.0-5.16.1| -| [3433577](#3433577)
| When you use a single VXLAN device (SVD) with MLAG and static VXLAN tunnels, Cumulus Linux incorrectly associates the MAC addresses it learns from the VXLAN fabric to the bridge PVID. This issue can lead to a feedback loop between the clagd service and switchd, and might result in critical CPU usage with an out of memory condition. Do not use an SVD when enabling MLAG in a static VXLAN environment. | 5.5.0-5.8.0 | 5.9.0-5.16.1| -| [3430430](#3430430)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | -| [3428677](#3428677)
| In certain cases, Cumulus Linux does not process next hop updates because the zebra IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state. | 5.3.0-5.6.0 | 5.7.0-5.16.1| -| [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | +| [3433577, 3433769](#3433577, 3433769)
| When you use a single VXLAN device (SVD) with MLAG and static VXLAN tunnels, Cumulus Linux incorrectly associates the MAC addresses it learns from the VXLAN fabric to the bridge PVID. This issue can lead to a feedback loop between the clagd service and switchd, and might result in critical CPU usage with an out of memory condition. Do not use an SVD when enabling MLAG in a static VXLAN environment. | 5.5.0-5.8.0 | 5.9.0-5.16.1| +| [3430430, 3337848](#3430430, 3337848)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | +| [3428677, 3437317](#3428677, 3437317)
| In certain cases, Cumulus Linux does not process next hop updates because the zebra IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state. | 5.3.0-5.6.0 | 5.7.0-5.16.1| +| [3424967, 3413785](#3424967, 3413785)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [3419940](#3419940)
| When generating a cl-support file either manually or when an issue occurs on the system, you see the following kernel error messages:
'Register access failed (reg_id=0x9029, status=0x4)' followed by a hex dump of a few lines
This error message is benign and has no functional impact. | 5.5.0-5.5.1 | 5.6.0-5.16.1| +| [3419940, 3442281](#3419940, 3442281)
| When generating a cl-support file either manually or when an issue occurs on the system, you see the following kernel error messages:
'Register access failed (reg_id=0x9029, status=0x4)' followed by a hex dump of a few lines
This error message is benign and has no functional impact. | 5.5.0-5.5.1 | 5.6.0-5.16.1| | [3419928](#3419928)
| The NVUE PIM timer command option names keep-alive and rp-keep-alive are inconsistent and need to change to keepalive and rp-keepalive. | 5.4.0-5.6.0 | 5.7.0-5.16.1| -| [3413785](#3413785)
| To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.5.1 | 5.6.0-5.16.1| +| [3413785, 3424967](#3413785, 3424967)
| To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.5.1 | 5.6.0-5.16.1| | [3405024](#3405024)
| You cannot remove PBR map configuration with source and destination rules. To work around this issue, delete the entire PBR map clause. | 5.5.0-5.6.0 | 5.7.0-5.16.1| | [3394674](#3394674)
| If you restart FRR with the log file debugging level set to informational, BGP crashes. | 5.4.0-5.5.1 | 5.6.0-5.16.1| | [3393966](#3393966)
| When you configure OSPF network statements using NVUE with the nv set vrf router ospf area network command, subsequent configuration changes with NVUE might bring down all OSPF neighbors. To work around this issue, create an NVUE snippet to configure the network statement, or use the nv set interface router ospf area command to enable OSPF on interfaces instead of using a network statement. | 5.5.0-5.9.5 | 5.10.0-5.16.1| | [3378733](#3378733)
| After you add or delete a static MAC entry on the bridge FDB, a core dump occurs if the interface is VXLAN and the MAC address is 00:00:00:00:00:00. | 5.4.0-5.5.1 | 5.6.0-5.16.1| | [3362113](#3362113)
| If you restore an NVUE startup.yaml file or run the nv config patch command after an upgrade that includes breakout ports with QoS configuration, the NVUE configuration fails to apply. Subsequent attempts to run nv config apply fail with a message similar to Invalid config [rev_id: 11] qos config is not supported on the following invalid interface: swp1s0. Supported on swp and bond interface types. To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. | 5.4.0-5.16.1 | | -| [3347677](#3347677)
| In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown. | 5.1.0-5.6.0 | 5.7.0-5.16.1| +| [3347677, 3180068](#3347677, 3180068)
| In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown. | 5.1.0-5.6.0 | 5.7.0-5.16.1| | [3347538](#3347538)
| When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.16.1 | | | [3344846](#3344846)
| The Spectrum-3 hardware configuration is not optimized for the best PTP accuracy when using 25GbE. You might see higher than expected PTP offsets on this platforms and interface speed. | 5.4.0-5.5.1 | 5.6.0-5.16.1| | [3341214](#3341214)
| If you use the NVUE REST API to configure a local user with a hashed password, the user cannot log in and the /etc/nvue.d/startup.yaml file shows the password as plain text. | 5.4.0-5.16.1 | | @@ -282,14 +282,14 @@ pdfhidden: True | [3241567](#3241567)
| When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time. | 5.3.0-5.16.1 | | | [3232091](#3232091)
| The NVUE nv unset interface link lanes command does not restore the port lane setting to the default value. To work around this issue, run the nv set interface link lanes command. | 5.4.0-5.6.0 | 5.7.0-5.16.1| | [3226506](#3226506)
| The l1-show eth0 command does not show port information and is not supported in this release. | 5.3.0-5.16.1 | | -| [3225117](#3225117)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | -| [3221628](#3221628)
| Cumulus Linux VX images might include an incorrect entry at the end of /etc/apt/sources.list, which produces warnings when you run apt update. Remove this entry to avoid these warnings. | 5.2.0-5.6.0 | 5.7.0-5.16.1| -| [3187469](#3187469)
| At high scale with 160 VRFs and 10 VLANs per VRF (a total of 1600 VLANs), you see traffic loss during primary switch reboot. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address. | 5.1.0-5.5.1 | 5.6.0-5.16.1| +| [3225117, 3158720](#3225117, 3158720)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | +| [3221628, 3217877](#3221628, 3217877)
| Cumulus Linux VX images might include an incorrect entry at the end of /etc/apt/sources.list, which produces warnings when you run apt update. Remove this entry to avoid these warnings. | 5.2.0-5.6.0 | 5.7.0-5.16.1| +| [3187469, 3188618](#3187469, 3188618)
| At high scale with 160 VRFs and 10 VLANs per VRF (a total of 1600 VLANs), you see traffic loss during primary switch reboot. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address. | 5.1.0-5.5.1 | 5.6.0-5.16.1| | [3178090](#3178090)
| The cl-support generation script causes TC filter collection to run as a background process for each interface, which can lead to memory exhaustion on a high scale configuration and on a switch with a small memory footprint. | 5.1.0-5.5.1 | 5.6.0-5.16.1| | [3172682](#3172682)
| On rare occasions, when you query the system hostname through the hostnamctl application, you see a timeout. NVUE uses the hostnamctl application to determine the system hostname, which can result in an nv config apply command failure. | 5.2.0-5.5.1 | 5.6.0-5.16.1| | [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.16.1 | | | [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.16.1 | | -| [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | +| [3145869, 3430508, 3543102](#3145869, 3430508, 3543102)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | | [3141826](#3141826)
| A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1)
1.3.6.1.2.1.47 --> Entity MIB
1.3.6.1.2.1.99 --> Entity Sensor MIB
1.3.6.1.2.1.23 --> rip2
1.3.6.1.2.1.2 --> interface/interfaces
1.3.6.1.2.1.31 --> ifMIB
1.3.6.1.2.1.4 --> IP
1.3.6.1.2.1.25 --> hostResource | 5.0.1-5.8.0 | 5.9.0-5.16.1| | [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example: 
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.16.1 | | | [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.16.1 | | @@ -297,12 +297,12 @@ pdfhidden: True | [3084476](#3084476)
| After you disable traffic shaping in the /etc/cumulus/datapath/qos/qos_features.conf file, the default QOS traffic shaping configuration does not restore. To work around this issue, restart switchd. | 4.4.3, 5.0.0-5.16.1 | 4.4.4-4.4.5| | [3084027](#3084027)
| Under a high load, you might see ingress drop counters increase. The drops are classified as HwIfInDiscards in ethtool and shown as ingress_general in hardware. | 4.3.0-4.4.5, 5.0.0-5.16.1 | | | [3071652](#3071652)
| On rare occasions, after you reboot or restart switchd on a Spectrum 1 switch, any 25G connections with Direct Attach Copper (DAC) cables that connect from the switch to a non-NVIDIA device might flap continuously. To work around this issue, bring the affected link administratively down for a few seconds on the non-NVIDIA device, then bring the link back up. | 4.4.4-4.4.5, 5.1.0-5.16.1 | | -| [3069069](#3069069)
| When you run the systemctl reload switchd command, there is momentary traffic loss after a port configured with lossless buffers goes down. This is only temporary and the traffic stabilizes after the initial drops. | 5.1.0-5.5.1 | 5.6.0-5.16.1| +| [3069069, 3271536](#3069069, 3271536)
| When you run the systemctl reload switchd command, there is momentary traffic loss after a port configured with lossless buffers goes down. This is only temporary and the traffic stabilizes after the initial drops. | 5.1.0-5.5.1 | 5.6.0-5.16.1| | [3061656](#3061656)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.16.1 | | | [2972540](#2972540)
| With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.16.1 | | | [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.16.1 | | -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [2885305](#2885305)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2885305, 2887500, 3234087, 3074929, 3293192](#2885305, 2887500, 3234087, 3074929, 3293192)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.16.1 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.16.1 | | | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | @@ -321,14 +321,14 @@ pdfhidden: True | [3429530](#3429530)
| On the Spectrum-2 and Spectrum-3 switch, multiple interfaces (in the same PLL quarter) might flap intermittently at the same time. | 4.2.1-5.4.0 | | | [3418103](#3418103)
| On the Spectrum-2 and Spectrum-3 switch, if you use module SPQCELRCDFB when connected to a 3rd party switch, you might see no link or a very long link up time (around two minutes). To work around this issue, bring down the port, then bring it back up. | 5.4.0 | | | [3413860](#3413860)
| If MLAG is configured but disconnected from an MLAG peer for an extended period of time (days or more), there is a long delay (up to a minute per day) before traffic forwarding stabilizes after the MLAG peer connection re-establishes. | 3.7.0-4.3.1 | | -| [3413827](#3413827)
| During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbor entries cannot synchronize between MLAG nodes. During this transitory upgrade state, neighbor entry resolution relies on data plane traffic being forwarded to the CPU so ARP can resolve the necessary neighbor entry before traffic can go through the fastpath. | 4.4.0-5.4.0 | | +| [3413827, 3323143](#3413827, 3323143)
| During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbor entries cannot synchronize between MLAG nodes. During this transitory upgrade state, neighbor entry resolution relies on data plane traffic being forwarded to the CPU so ARP can resolve the necessary neighbor entry before traffic can go through the fastpath. | 4.4.0-5.4.0 | | | [3412357](#3412357)
| When you configure EVPN either with or without MLAG and change the mapping for a layer 2 or layer 3 VNI, you see a permanent traffic drop for the VNI. To work around this issue, remove the VNI configuration, then add and apply it again. | | | | [3410303](#3410303)
| The NVUE command to set the frequency of LLDP updates nv set service lldp tx-interval and the NVUE command to set the amount of time to hold the information before discarding it nv set service lldp tx-hold-multiplier do not provide reasonable maximum and minimum values. Cumulus Linux 5.5.0 and later provides new values. For the nv set service lldp tx-interval command, you can now set a minimum value of 5 and a maximum value of 32768. For the nv set service lldp tx-hold command, you can set a minimum value of 1 and a maximum value of 8192. | 5.4.0 | | | [3402935](#3402935)
| For layer 3 interfaces configured on the switch, certain triggers, such as port flaps and subinterface flaps, or when configuring the ports to and from layer 2 and layer 3, cause the dummy internal VLAN to not free up, which can result in exhaustion of the dummy internal VLANs designated for the layer 3 interfaces. When this occurs, you see the following switchd log messages:
ERR dummy internal vlans exhaustedERR cannot allocate vlan for sub-interface
| 4.4.2-5.4.0 | | | [3397649](#3397649)
| When an ECMP route is present in a non-default VRF, resilient hashing does not work as expected and flows might get remapped to a new next hop when the set of nexthops changes. | 5.4.0 | | | [3395247](#3395247)
| The NVUE nv show system forwarding profile-option command reports an incorrect Max ipv4 mcast routes value. To work around this issue, validate values with cl-resource-query. | 5.4.0 | | | [3393866](#3393866)
| On a VX, NVUE commands with an argument parameter that can be multiple types (such as IPv4 and IPv6) do not provide auto complete or additional options when you use a question mark. | 5.4.0 | | -| [3393306](#3393306)
| The python-netaddr package is not preinstalled on the switch, which leads to an error similar to the following when SNMP accesses data from the CUMULUS-BGPVRF-MIB
CUMULUS-BGPVRF-MIB::bgpPeerFsmEstablishedTransitions = No Such Instance currently exists at this OID
To work around this issue, manually install the python-netaddr package with the sudo -E apt-get install python-netaddr command. | 5.3.1-5.4.0 | | +| [3393306, 3425495](#3393306, 3425495)
| The python-netaddr package is not preinstalled on the switch, which leads to an error similar to the following when SNMP accesses data from the CUMULUS-BGPVRF-MIB
CUMULUS-BGPVRF-MIB::bgpPeerFsmEstablishedTransitions = No Such Instance currently exists at this OID
To work around this issue, manually install the python-netaddr package with the sudo -E apt-get install python-netaddr command. | 5.3.1-5.4.0 | | | [3390758](#3390758)
| The neighmgrd service does not enable the snooper unless ARP suppression is enabled on at least one VXLAN interface. This can result in missing ARP and NDP entries if the host does not directly interact with the switch. | 5.3.1-5.4.0 | | | [3389198](#3389198)
| The NVUE nv unset command does not completely remove IPv6 DNS server configuration
| 5.3.1-5.4.0 | | | [3388201](#3388201)
| Cumulus Linux does not let you add an interface to the bond interface when the bridge-allow-untagged no option is present. | 5.4.0 | | @@ -340,7 +340,7 @@ pdfhidden: True | [3361904](#3361904)
| The NVUE PTP shaping commands are available in the NVUE command list; however, these commands are disabled and do not configure PTP shaping. PTP shaping is not supported in Cumulus Linux 5.4. | 5.4.0 | | | [3351941](#3351941)
| Cumulus Linux 5.4 package upgrade (apt-upgrade) does not support warm restart to complete the upgrade; performing an unsupported upgrade can result in unexpected or undesirable behavior, such as a traffic outage. | 5.4.0 | | | [3350789](#3350789)
| NVUE deprecated the port split command options (2x10G, 2x25G, 2x40G, 2x50G, 2x100G, 2x200G, 4x10G, 4x25G, 4x50G, 4x100G, 8x50G) with no backwards compatibility. | 5.0.0-5.4.0 | | -| [3350061](#3350061)
| If you use TACACS+ authentication, modifying the TACACS+ configuration with NVUE might result in a timeout error when you run the nv config apply command. To work around the issue, restart the nvued service with the sudo systemctl restart nvued.service command, then apply the configuration again. | 5.4.0 | | +| [3350061, 3351938](#3350061, 3351938)
| If you use TACACS+ authentication, modifying the TACACS+ configuration with NVUE might result in a timeout error when you run the nv config apply command. To work around the issue, restart the nvued service with the sudo systemctl restart nvued.service command, then apply the configuration again. | 5.4.0 | | | [3349533](#3349533)
| On the Spectrum-2 and Spectrum-3 switch with ports operating at 1G speed, there is loss of frames that have an odd or random frame size. In the frame size range of 75 to 1000 bytes, there is frame loss of less than approximately one percent for all odd or random frame sizes in the range. In the frame size range greater than 1000 bytes, there is no loss observed. | 5.4.0 | | | [3349207](#3349207)
| The switch does not learn MAC addresses from DHCP packets. When a DHCP enabled host is plugged in for the first time, it tries to obtain an IP address through DHCP. The switch does not learn the MAC address of the host when it receives these DHCP packets; therefore, the host MAC address is not updated in the local forwarding database and it does not get advertised across EVPN. The switch learns the MAC address when it receives other packets, such as ARP or ND from the host. To work around this issue, either configure a temporary IP address on the host to initiate ARP/ND or enable IPv6, which sends ND after link local address creation. | 5.2.0-5.4.0 | | | [3340890](#3340890)
| When you run the NVUE nv show interface command, you see an error similar to the following:
Error: GET /nvue_v1/interface/swp45?rev=operational responded with 500 INTERNAL SERVER ERROR
| 5.3.0-5.4.0 | | @@ -349,9 +349,9 @@ pdfhidden: True | [3293560](#3293560)
| If you run NVUE commands to break out a port into four interfaces, NVUE disables the subsequent port automatically. However, if you run NVUE commands to break out a port into eight interfaces, NVUE does not disable the subsequent port automatically; you have to run the NVUE command to disable the subsequent port. | 5.4.0 | | | [3234814](#3234814)
| With double tagged QinQ interfaces, if the bridge corresponding to the QinQ interface flaps, you might see invalid learning notifications and errors from similar to the following:
Can't set non-static MAC address for non-vPort 0x0001006B when VID is VFID.
| 5.3.0-5.4.0 | | | [3145204](#3145204)
| On the NVIDIA Spectrum-1 switch, the nv show system forwarding command shows GTP hashing output, which is not supported on this switch. | 5.2.0-5.4.0 | | -| [3144740](#3144740)
| The /var/lib/snmp/snmpd.conf file contains multiple Warning: Unknown token: ifXTable messages. To avoid these warnings, add the -noTokenWarnings option to the SNMPDOPTS variable in the /etc/defaults/snmpd file, then restart the snmpd service. | 5.2.0-5.4.0 | | +| [3144740, 3209923](#3144740, 3209923)
| The /var/lib/snmp/snmpd.conf file contains multiple Warning: Unknown token: ifXTable messages. To avoid these warnings, add the -noTokenWarnings option to the SNMPDOPTS variable in the /etc/defaults/snmpd file, then restart the snmpd service. | 5.2.0-5.4.0 | | | [3142615](#3142615)
| The BGP4-MIB.txt file is missing from Net-SNMP agent. | 5.0.0-5.4.0 | | -| [3055283](#3055283)
| After you run Linux commands to enable a custom ECMP or LAG hash parameter, if you set the hash_config.enable or lag_hash_config.enable parameter to false, the custom parameters do not restore their default values. To work around this issue, change the custom ECMP or LAG hash parameters to their default values manually. | 5.1.0-5.4.0 | | +| [3055283, 3038763](#3055283, 3038763)
| After you run Linux commands to enable a custom ECMP or LAG hash parameter, if you set the hash_config.enable or lag_hash_config.enable parameter to false, the custom parameters do not restore their default values. To work around this issue, change the custom ECMP or LAG hash parameters to their default values manually. | 5.1.0-5.4.0 | | | [3045310](#3045310)
| If GTP Hashing is set to true, after more than two warm boots, switchd fails and a cl-support file is generated. | 5.1.0-5.4.0 | | -| [3034435](#3034435)
| In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community. | 4.4.4-5.4.0 | | +| [3034435, 3101184](#3034435, 3101184)
| In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community. | 4.4.4-5.4.0 | | diff --git a/content/cumulus-linux-55/rn.xml b/content/cumulus-linux-55/rn.xml index 45da273170..1f222e726b 100644 --- a/content/cumulus-linux-55/rn.xml +++ b/content/cumulus-linux-55/rn.xml @@ -19,7 +19,7 @@ 5.9.5, 5.16.0-5.16.1 -4663076 +4663076, 3963232 When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. 5.3.1-5.9.4 5.9.5-5.16.1, 5.11.5-5.16.1, 5.15.0-5.16.1 @@ -53,7 +53,7 @@ To work around this issue, power cycle the switch. 5.9.4-5.16.1, 5.14.0-5.16.1 -4413450 +4413450, 4497128 When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. 5.0.0-5.11.1, 5.13.0-5.13.1 5.11.2, 5.14.0-5.16.1 @@ -89,7 +89,7 @@ To work around this issue, power cycle the switch. 5.9.4-5.16.1, 5.11.1-5.16.1, 5.12.0-5.16.1 -3949367 +3949367, 3949366 If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. 5.3.1-5.9.1 5.9.2-5.16.1, 5.10.0-5.16.1 @@ -113,7 +113,7 @@ To work around this issue, power cycle the switch. 5.10.0-5.16.1 -3895042 +3895042, 3895041 After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes: snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a This issue occurs because {{poectl}} is called on non-PoE switches. To work around this issue, remove or comment out the {{poetcl}} call from the {{/etc/snmpd.conf}} file, then restart the {{snmpd}} process with the {{sudo systemctl snmpd restart}} command. @@ -195,7 +195,7 @@ leaf01# exit 5.7.0-5.16.1 -3695541 +3695541, 3522324 When applying a full configuration with NVUE that includes VRRP and BGP in VRFs, the VRRP configuration does not come up after you run {{nv config apply}}. BGP routes might also be missing. This issue only happens during the initial {{nv config apply}} of a full configuration, not during a normal initialization during a reboot or FRR restart. To work around this issue, reboot or restart FRR. 5.5.1 5.6.0-5.16.1 @@ -243,19 +243,19 @@ leaf01# exit 5.7.0-5.16.1 -3610967 +3610967, 3647761 In an EVPN symmetric routing configuration, running the NVUE {{nv set vrf <vrf> vlan auto}} command to derive layer 3 VNIs automatically might result in duplicate VLAN entries in the system. This most often occurs at scale when many VRFs have similar names. To work around this issue, manually specify a unique VLAN for each VRF. 5.3.0-5.8.0 5.9.0-5.16.1 -3610611 +3610611, 3599699 Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf <vrf> loopback ip address command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the {{ping}} command to use a source address (such as an SVI address) with the {{ip vrf exec <VRF> ping <REMOTE_IP> -I <SVI_SRC_IP>}} command. 5.5.0-5.6.0 5.7.0-5.16.1 -3609128 +3609128, 3609176 When you use {{vi}} with root or sudo, visual mode is enabled by default due to a missing {{vimrc}} configuration file. This makes it difficult to copy and paste into {{vi}}. In CL5.7.0, the default configuration now includes {{set mouse-=a}}. In addition, the CL5.7.0 default configuration for {{vi}} now disables modelines, which can be a security risk. @@ -275,7 +275,7 @@ In addition, the CL5.7.0 default configuration for {{vi}} now disables modelines 5.7.0-5.16.1 -3599699 +3599699, 3569484, 3610611 Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the {{nv unset vrf <vrf> loopback ip address}} command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the {{ping}} command to use a source address (such as an SVI address) with the {{ip vrf exec <VRF> ping <REMOTE_IP> -I <SVI_SRC_IP>}} command. 5.5.0-5.6.0 5.7.0-5.16.1 @@ -293,7 +293,7 @@ In addition, the CL5.7.0 default configuration for {{vi}} now disables modelines 5.7.0-5.16.1 -3582826 +3582826, 3662354 When you enable the FRR SNMP agent (agentx) and configure routing adjacencies with short timers (dead, keepalive, and hold time), the routing adjacencies might go down in certain scenarios; for example when you have frequent or concurrent client SNMP requests, you use custom SNMP MIB extensions, you poll OIDs with large responses, or during high CPU load. To work around this issue, you can increase the routing adjacency timers to accommodate SNMP processing. 5.5.0-5.6.0 5.7.0-5.16.1 @@ -339,7 +339,7 @@ This is a cosmetic issue and does not affect how the switch operates. To prevent 5.7.0-5.16.1 -3566980 +3566980, 3511344 When running DHCP relay for IPv6 and a downstream interface flaps more than once, relaying might stop working. To recover, restart the {{dhcrelay6}} service, making sure the specified downstream interfaces are up and running. 5.5.0-5.6.0 5.7.0-5.16.1 @@ -351,7 +351,7 @@ This is a cosmetic issue and does not affect how the switch operates. To prevent 5.6.0-5.16.1 -3556762 +3556762, 3463827 On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. 5.5.0-5.16.1 @@ -399,7 +399,7 @@ This is a cosmetic issue and does not affect how the switch operates. To prevent 5.6.0-5.16.1 -3522524 +3522524, 3668926 FRR does not allow eBGP multi hop configuration on unnumbered BGP neighbors. 5.5.0-5.6.0 @@ -486,7 +486,7 @@ To work around this issue, disable next hop groups in zebra with the vtysh {{zeb 5.6.0-5.16.1 -3474391 +3474391, 3479772 The SNMP MIB definition file {{/usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt}} does not define the INDEX of the {{bgpPeerEntry}} correctly. This issue does not impact SNMP functionality for this MIB. 4.3.1-5.5.1 5.6.0-5.16.1 @@ -565,7 +565,7 @@ cumulus@switch:~$ nv config patch frr_policy.yaml 5.7.0-5.16.1 -3452681 +3452681, 3465375 When you run the NVUE {{nv show system aaa tacacs authorization}} commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to {{Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND}}. 5.5.0-5.10.1 5.11.0-5.16.1 @@ -596,7 +596,7 @@ These messages do not affect the functionality of the switch. 5.7.0-5.16.1 -3442569 +3442569, 3520880, 3586421 When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both {{nginx.service}} and {{nvued.service}} to begin authenticating users against the new authentication service. 5.5.0-5.16.1 @@ -623,25 +623,25 @@ cumulus@switch:~$ what-just-happened poll --export --no_metadata 5.6.0-5.16.1 -3433577 +3433577, 3433769 When you use a single VXLAN device (SVD) with MLAG and static VXLAN tunnels, Cumulus Linux incorrectly associates the MAC addresses it learns from the VXLAN fabric to the bridge PVID. This issue can lead to a feedback loop between the {{clagd}} service and {{switchd}}, and might result in critical CPU usage with an out of memory condition. Do not use an SVD when enabling MLAG in a static VXLAN environment. 5.5.0-5.8.0 5.9.0-5.16.1 -3430430 +3430430, 3337848 When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. 5.5.0-5.16.1 -3428677 +3428677, 3437317 In certain cases, Cumulus Linux does not process next hop updates because the {{zebra}} IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state. 5.3.0-5.6.0 5.7.0-5.16.1 -3424967 +3424967, 3413785 {{sudo}} for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the {{default}} VRF. To work around this issue, specify the interface name that the {{default}} VRF uses in the {{vrf=}} setting of the {{/etc/tacplus_servers}} file or run the NVUE {{nv set system aaa tacacs vrf}} command. If you don't run either command, a TACACS+ user with privilege level 15 can run {{vrf task exec default sudo ...}} to execute the {{sudo}} command. 5.0.0-5.16.1 @@ -654,7 +654,7 @@ The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 -3419940 +3419940, 3442281 When generating a {{cl-support}} file either manually or when an issue occurs on the system, you see the following kernel error messages: 'Register access failed (reg_id=0x9029, status=0x4)' followed by a hex dump of a few lines. @@ -670,7 +670,7 @@ This error message is benign and has no functional impact. 5.7.0-5.16.1 -3413785 +3413785, 3424967 To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE {{nv set system aaa tacacs vrf <interface>}} command (for example, {{nv set system aaa tacacs vrf swp51}}) or set the {{vrf=<interface>}} option in the {{/etc/tacplus_servers}} file (for example, {{vrf=swp51}}). A similar issue might prevent TACACS+ users with privilege level 15 from using {{sudo}} if the TACACS+ server is reachable only on the {{default}} VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use {{vrf task exec default sudo ...}} to execute the {{sudo}} command using the TACACS+ server on the {{default}} VRF. 5.0.0-5.5.1 5.6.0-5.16.1 @@ -706,7 +706,7 @@ This error message is benign and has no functional impact. -3347677 +3347677, 3180068 In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown. 5.1.0-5.6.0 5.7.0-5.16.1 @@ -808,19 +808,19 @@ This error message is benign and has no functional impact. -3225117 +3225117, 3158720 Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. 5.4.0-5.16.1 -3221628 +3221628, 3217877 Cumulus Linux VX images might include an incorrect entry at the end of {{/etc/apt/sources.list}}, which produces warnings when you run {{apt update}}. Remove this entry to avoid these warnings. 5.2.0-5.6.0 5.7.0-5.16.1 -3187469 +3187469, 3188618 At high scale with 160 VRFs and 10 VLANs per VRF (a total of 1600 VLANs), you see traffic loss during primary switch reboot. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address. 5.1.0-5.5.1 5.6.0-5.16.1 @@ -855,7 +855,7 @@ To work around this issue, reference the OID without the preceding period ( {{.} -3145869 +3145869, 3430508, 3543102 On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. 5.2.0-5.16.1 @@ -914,7 +914,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -3069069 +3069069, 3271536 When you run the {{systemctl reload switchd}} command, there is momentary traffic loss after a port configured with lossless buffers goes down. This is only temporary and the traffic stabilizes after the initial drops. 5.1.0-5.5.1 5.6.0-5.16.1 @@ -938,7 +938,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -946,7 +946,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2885305 +2885305, 2887500, 3234087, 3074929, 3293192 Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. 5.0.0-5.16.1 @@ -1024,7 +1024,7 @@ You can safely ignore this warning. 5.9.5, 5.16.0-5.16.1 -4663076 +4663076, 3963232 When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. 5.3.1-5.9.4 5.9.5-5.16.1, 5.11.5-5.16.1, 5.15.0-5.16.1 @@ -1048,7 +1048,7 @@ You can safely ignore this warning. 5.9.4-5.16.1, 5.14.0-5.16.1 -4413450 +4413450, 4497128 When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. 5.0.0-5.11.1, 5.13.0-5.13.1 5.11.2, 5.14.0-5.16.1 @@ -1078,7 +1078,7 @@ You can safely ignore this warning. 5.9.2-5.16.1, 5.10.0-5.16.1 -3949367 +3949367, 3949366 If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. 5.3.1-5.9.1 5.9.2-5.16.1, 5.10.0-5.16.1 @@ -1096,7 +1096,7 @@ You can safely ignore this warning. 5.9.2-5.16.1, 5.10.0-5.16.1 -3895042 +3895042, 3895041 After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes: snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a This issue occurs because {{poectl}} is called on non-PoE switches. To work around this issue, remove or comment out the {{poetcl}} call from the {{/etc/snmpd.conf}} file, then restart the {{snmpd}} process with the {{sudo systemctl snmpd restart}} command. @@ -1184,19 +1184,19 @@ leaf01# exit 5.7.0-5.16.1 -3610967 +3610967, 3647761 In an EVPN symmetric routing configuration, running the NVUE {{nv set vrf <vrf> vlan auto}} command to derive layer 3 VNIs automatically might result in duplicate VLAN entries in the system. This most often occurs at scale when many VRFs have similar names. To work around this issue, manually specify a unique VLAN for each VRF. 5.3.0-5.8.0 5.9.0-5.16.1 -3610611 +3610611, 3599699 Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf <vrf> loopback ip address command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the {{ping}} command to use a source address (such as an SVI address) with the {{ip vrf exec <VRF> ping <REMOTE_IP> -I <SVI_SRC_IP>}} command. 5.5.0-5.6.0 5.7.0-5.16.1 -3609128 +3609128, 3609176 When you use {{vi}} with root or sudo, visual mode is enabled by default due to a missing {{vimrc}} configuration file. This makes it difficult to copy and paste into {{vi}}. In CL5.7.0, the default configuration now includes {{set mouse-=a}}. In addition, the CL5.7.0 default configuration for {{vi}} now disables modelines, which can be a security risk. @@ -1204,7 +1204,7 @@ In addition, the CL5.7.0 default configuration for {{vi}} now disables modelines 5.7.0-5.16.1 -3599699 +3599699, 3569484, 3610611 Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the {{nv unset vrf <vrf> loopback ip address}} command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the {{ping}} command to use a source address (such as an SVI address) with the {{ip vrf exec <VRF> ping <REMOTE_IP> -I <SVI_SRC_IP>}} command. 5.5.0-5.6.0 5.7.0-5.16.1 @@ -1216,7 +1216,7 @@ In addition, the CL5.7.0 default configuration for {{vi}} now disables modelines 5.7.0-5.16.1 -3582826 +3582826, 3662354 When you enable the FRR SNMP agent (agentx) and configure routing adjacencies with short timers (dead, keepalive, and hold time), the routing adjacencies might go down in certain scenarios; for example when you have frequent or concurrent client SNMP requests, you use custom SNMP MIB extensions, you poll OIDs with large responses, or during high CPU load. To work around this issue, you can increase the routing adjacency timers to accommodate SNMP processing. 5.5.0-5.6.0 5.7.0-5.16.1 @@ -1244,7 +1244,7 @@ This is a cosmetic issue and does not affect how the switch operates. To prevent 5.7.0-5.16.1 -3566980 +3566980, 3511344 When running DHCP relay for IPv6 and a downstream interface flaps more than once, relaying might stop working. To recover, restart the {{dhcrelay6}} service, making sure the specified downstream interfaces are up and running. 5.5.0-5.6.0 5.7.0-5.16.1 @@ -1256,7 +1256,7 @@ This is a cosmetic issue and does not affect how the switch operates. To prevent 5.6.0-5.16.1 -3556762 +3556762, 3463827 On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. 5.5.0-5.16.1 @@ -1304,7 +1304,7 @@ This is a cosmetic issue and does not affect how the switch operates. To prevent 5.6.0-5.16.1 -3522524 +3522524, 3668926 FRR does not allow eBGP multi hop configuration on unnumbered BGP neighbors. 5.5.0-5.6.0 @@ -1385,7 +1385,7 @@ To work around this issue, disable next hop groups in zebra with the vtysh {{zeb 5.6.0-5.16.1 -3474391 +3474391, 3479772 The SNMP MIB definition file {{/usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt}} does not define the INDEX of the {{bgpPeerEntry}} correctly. This issue does not impact SNMP functionality for this MIB. 4.3.1-5.5.1 5.6.0-5.16.1 @@ -1470,7 +1470,7 @@ cumulus@switch:~$ nv config patch frr_policy.yaml 5.7.0-5.16.1 -3452681 +3452681, 3465375 When you run the NVUE {{nv show system aaa tacacs authorization}} commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to {{Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND}}. 5.5.0-5.10.1 5.11.0-5.16.1 @@ -1501,7 +1501,7 @@ These messages do not affect the functionality of the switch. 5.7.0-5.16.1 -3442569 +3442569, 3520880, 3586421 When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both {{nginx.service}} and {{nvued.service}} to begin authenticating users against the new authentication service. 5.5.0-5.16.1 @@ -1528,25 +1528,25 @@ cumulus@switch:~$ what-just-happened poll --export --no_metadata 5.6.0-5.16.1 -3433577 +3433577, 3433769 When you use a single VXLAN device (SVD) with MLAG and static VXLAN tunnels, Cumulus Linux incorrectly associates the MAC addresses it learns from the VXLAN fabric to the bridge PVID. This issue can lead to a feedback loop between the {{clagd}} service and {{switchd}}, and might result in critical CPU usage with an out of memory condition. Do not use an SVD when enabling MLAG in a static VXLAN environment. 5.5.0-5.8.0 5.9.0-5.16.1 -3430430 +3430430, 3337848 When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. 5.5.0-5.16.1 -3428677 +3428677, 3437317 In certain cases, Cumulus Linux does not process next hop updates because the {{zebra}} IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state. 5.3.0-5.6.0 5.7.0-5.16.1 -3424967 +3424967, 3413785 {{sudo}} for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the {{default}} VRF. To work around this issue, specify the interface name that the {{default}} VRF uses in the {{vrf=}} setting of the {{/etc/tacplus_servers}} file or run the NVUE {{nv set system aaa tacacs vrf}} command. If you don't run either command, a TACACS+ user with privilege level 15 can run {{vrf task exec default sudo ...}} to execute the {{sudo}} command. 5.0.0-5.16.1 @@ -1559,7 +1559,7 @@ The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 -3419940 +3419940, 3442281 When generating a {{cl-support}} file either manually or when an issue occurs on the system, you see the following kernel error messages: 'Register access failed (reg_id=0x9029, status=0x4)' followed by a hex dump of a few lines. @@ -1575,7 +1575,7 @@ This error message is benign and has no functional impact. 5.7.0-5.16.1 -3413785 +3413785, 3424967 To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE {{nv set system aaa tacacs vrf <interface>}} command (for example, {{nv set system aaa tacacs vrf swp51}}) or set the {{vrf=<interface>}} option in the {{/etc/tacplus_servers}} file (for example, {{vrf=swp51}}). A similar issue might prevent TACACS+ users with privilege level 15 from using {{sudo}} if the TACACS+ server is reachable only on the {{default}} VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use {{vrf task exec default sudo ...}} to execute the {{sudo}} command using the TACACS+ server on the {{default}} VRF. 5.0.0-5.5.1 5.6.0-5.16.1 @@ -1611,7 +1611,7 @@ This error message is benign and has no functional impact. -3347677 +3347677, 3180068 In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown. 5.1.0-5.6.0 5.7.0-5.16.1 @@ -1713,19 +1713,19 @@ This error message is benign and has no functional impact. -3225117 +3225117, 3158720 Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. 5.4.0-5.16.1 -3221628 +3221628, 3217877 Cumulus Linux VX images might include an incorrect entry at the end of {{/etc/apt/sources.list}}, which produces warnings when you run {{apt update}}. Remove this entry to avoid these warnings. 5.2.0-5.6.0 5.7.0-5.16.1 -3187469 +3187469, 3188618 At high scale with 160 VRFs and 10 VLANs per VRF (a total of 1600 VLANs), you see traffic loss during primary switch reboot. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address. 5.1.0-5.5.1 5.6.0-5.16.1 @@ -1760,7 +1760,7 @@ To work around this issue, reference the OID without the preceding period ( {{.} -3145869 +3145869, 3430508, 3543102 On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. 5.2.0-5.16.1 @@ -1819,7 +1819,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -3069069 +3069069, 3271536 When you run the {{systemctl reload switchd}} command, there is momentary traffic loss after a port configured with lossless buffers goes down. This is only temporary and the traffic stabilizes after the initial drops. 5.1.0-5.5.1 5.6.0-5.16.1 @@ -1843,7 +1843,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -1851,7 +1851,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2885305 +2885305, 2887500, 3234087, 3074929, 3293192 Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. 5.0.0-5.16.1 @@ -1944,7 +1944,7 @@ You can safely ignore this warning. 3.7.0-4.3.1 -3413827 +3413827, 3323143 During upgrade, when one MLAG node is upgraded and the other MLAG node is not yet upgraded, permanent neighbor entries cannot synchronize between MLAG nodes. During this transitory upgrade state, neighbor entry resolution relies on data plane traffic being forwarded to the CPU so ARP can resolve the necessary neighbor entry before traffic can go through the fastpath. 4.4.0-5.4.0 @@ -1983,7 +1983,7 @@ ERR cannot allocate vlan for sub-interface 5.4.0 -3393306 +3393306, 3425495 The {{python-netaddr}} package is not preinstalled on the switch, which leads to an error similar to the following when SNMP accesses data from the CUMULUS-BGPVRF-MIB. CUMULUS-BGPVRF-MIB::bgpPeerFsmEstablishedTransitions = No Such Instance currently exists at this OID @@ -2056,7 +2056,7 @@ Fan4(Fan 4): BAD fan:6720 RPM (max = 25000 RPM, min = 4500 RPM, limit_variance = 5.0.0-5.4.0 -3350061 +3350061, 3351938 If you use TACACS+ authentication, modifying the TACACS+ configuration with NVUE might result in a timeout error when you run the {{nv config apply}} command. To work around the issue, restart the {{nvued}} service with the {{sudo systemctl restart nvued.service}} command, then apply the configuration again. 5.4.0 @@ -2119,7 +2119,7 @@ Can't set non-static MAC address for non-vPort 0x0001006B when VID is VFID. 5.2.0-5.4.0 -3144740 +3144740, 3209923 The {{/var/lib/snmp/snmpd.conf}} file contains multiple {{Warning: Unknown token: ifXTable}} messages. To avoid these warnings, add the {{-noTokenWarnings}} option to the SNMPDOPTS variable in the {{/etc/defaults/snmpd}} file, then restart the {{snmpd}} service. 5.2.0-5.4.0 @@ -2130,7 +2130,7 @@ The {{/var/lib/snmp/snmpd.conf}} file contains multiple {{Warning: Unknown token 5.0.0-5.4.0 -3055283 +3055283, 3038763 After you run Linux commands to enable a custom ECMP or LAG hash parameter, if you set the {{hash_config.enable}} or {{lag_hash_config.enable}} parameter to {{false}}, the custom parameters do not restore their default values. To work around this issue, change the custom ECMP or LAG hash parameters to their default values manually. 5.1.0-5.4.0 @@ -2140,7 +2140,7 @@ The {{/var/lib/snmp/snmpd.conf}} file contains multiple {{Warning: Unknown token 5.1.0-5.4.0 -3034435 +3034435, 3101184 In an MLAG EVPN deployment when either of the MLAG peers reboots, FRR incorrectly programs the local host entries in the ARP table as remote. To work around this issue, either restart FRR or use BGP policies to mark and drop routes within an MLAG pair. Both MLAG peers must have an outbound policy that add a community representing the unique MLAG pair to Type-2 EVPN routes and an inbound policy to match and drop that community. 4.4.4-5.4.0 diff --git a/content/cumulus-linux-56/Whats-New/rn.md b/content/cumulus-linux-56/Whats-New/rn.md index 357c2de744..8ccd844747 100644 --- a/content/cumulus-linux-56/Whats-New/rn.md +++ b/content/cumulus-linux-56/Whats-New/rn.md @@ -16,25 +16,25 @@ pdfhidden: True |--- |--- |--- |--- | | [4963277](#4963277)
| When many BFD sessions are configured at scale, ptmd might crash when one of the BFD sessions flaps. | 5.3.1-5.16.1 | | | [4797691](#4797691)
| The message that the switch displays when you generate a cl-support file or as a post login banner contains an invalid Cumulus Support email address, which is no longer the formal channel for reporting support issues. | 5.0.0-5.9.4, 5.15.1 | 5.9.5, 5.16.0-5.16.1| -| [4663076](#4663076)
| When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.3.1-5.9.4 | 5.9.5-5.16.1, 5.11.5-5.16.1, 5.15.0-5.16.1| +| [4663076, 3963232](#4663076, 3963232)
| When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.3.1-5.9.4 | 5.9.5-5.16.1, 5.11.5-5.16.1, 5.15.0-5.16.1| | [4647646](#4647646)
| If you configure policy-based routing (PBR) rules for more than 32 interfaces, only the rules assigned to the first 32 interfaces are installed in the kernel. | 4.4.2-5.14.0 | 5.15.0-5.16.1| | [4621759](#4621759)
| When many BFD sessions are configured at scale, ptmd might crash when one of the BFD sessions flaps. | 5.3.1-5.14.0 | 5.15.0-5.16.1| | [4531104](#4531104)
| On a switch with SDK 4.6.1062 or earlier, you might see FW fatal health events. | 5.6.0-5.13.1 | 5.14.0-5.16.1| | [4521203](#4521203)
| The SATA driver on the NVIDIA SN2410 switch sometimes exhibits failures similar to the following:
2025-06-20T20:03:38.785966+09:00 S1-RF10B kernel: 
[49878794.456350] ata1.00: failed command: WRITE FPDMA QUEUED
2025-06-20T20:03:38.785968+09:00 S1-RF10B kernel: [49878794.461984] ata1.00: cmd
61/08:08:50:2b:c4/00:00:01:00:00/40 tag 1 ncq dma 4096 out
2025-06-20T20:03:38.785970+09:00 S1-RF10B kernel: [49878794.461984] res 40/00:0c:50:2b:c4/00:00:01:00:00/40 Emask 0×10 (ATA bus error)

To work around this issue, power cycle the switch. | 5.5.1-5.13.1 | 5.14.0-5.16.1| | [4505138](#4505138)
| Transceiver OIR (removal and insertion) or link flaps might cause EMAD timeouts, eventually causing switchd to crash. You see logs similar to EMAD_TRANSACTION] [ERROR ]: ACCESS_REG TIMEOUT. | 5.6.0-5.9.3 | 5.9.4-5.16.1, 5.14.0-5.16.1| | [4469498](#4469498)
| When a host moves to a new VTEP during mobility or network failover events in an EVPN multihoming environment, the host might be unreachable due to ARP resolution failures. To work around this issue, restart the FRR service with the sudo systemctl restart frr.service command. | 5.4.0-5.9.3 | 5.9.4-5.16.1, 5.14.0-5.16.1| -| [4413450](#4413450)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.11.1, 5.13.0-5.13.1 | 5.11.2, 5.14.0-5.16.1| +| [4413450, 4497128](#4413450, 4497128)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.11.1, 5.13.0-5.13.1 | 5.11.2, 5.14.0-5.16.1| | [4377862](#4377862)
| When processing the static IP assignment for an interface previously managed through DHCP, Cumulus Linux fails to clean up the DHCP created state completely. As a result when the IP address assigned by DHCP earlier expires, the switch eventually loses connectivity. | 5.1.0-5.9.3 | 5.9.4-5.16.1, 5.11.2-5.16.1, 5.13.0-5.16.1| | [4039850](#4039850)
| When the MAC address of the neighbor changes, a possible crash might occur because the pointer to which the MAC address points is freed, resulting in a dangling pointer. | 5.3.1-5.10.1 | 5.11.0-5.16.1| | [4004453](#4004453)
| The NVUE commands to delete SNMP users, and change authentication passwords and encryption passphrases are not successful. | 4.3.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3982222](#3982222)
| When you enable SPAN on a bridge member, an ARP or Gratuitous ARP received during a failover event between locally attached redundant devices, such as load balancers, might fail to update the bridge MAC table to point to the interface with the newly active load balancer.

To work around this issue, remove the SPAN configuration from the bridge member or ensure that the load balancer generates non-ARP traffic after the failover to properly update the bridge MAC table. | 5.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3980924](#3980924)
| When adding or removing routes in a virtual router with numerous configured routes, you might encounter incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.5.1-5.9.3 | 5.9.4-5.16.1, 5.11.1-5.16.1, 5.12.0-5.16.1| | [3955615](#3955615)
| Cumulus Linux does not recognize QSFP_CMIS optical modules correctly. | 5.6.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| -| [3949367](#3949367)
| If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. | 5.3.1-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| +| [3949367, 3949366](#3949367, 3949366)
| If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. | 5.3.1-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3927016](#3927016)
| Following an EVPN extended mobility event, where a host with IP address A and MAC address A moves within the fabric and now resides at IP address A and MAC address B, you might see traffic destined to this host experience drops as the flow is software forwarded on the egress VTEP. | 5.0.1-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3917601](#3917601)
| If a packet containing an all zero source MAC address (00:00:00:00:00:00) is learned on the ASIC, switchd sends the learn notification to the kernel but the kernel rejects the MAC address as invalid. The ASIC continuously sends the mac-learn notifications, which wastes CPU resources. To work around this issue, configure ACLs to match on the all-zero source MAC address and drop the invalid packets. | 5.5.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3897227](#3897227)
| During an LLDP update storm while deleting or adding LLPD neighbors, PTMD crashes as a result of mishandling multi-threaded LLPD processing. | 5.5.1-5.9.5 | 5.10.0-5.16.1| -| [3895042](#3895042)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| +| [3895042, 3895041](#3895042, 3895041)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3863858](#3863858)
| VRR interfaces might show dadfailed on their IPv6 link-local address. | 5.6.0-5.8.0 | 5.9.0-5.16.1| | [3859422](#3859422)
| On rare occasions when certain events occur, such as changes to the topology in the network, when a bond comes online and directly transits to an STP blocking state, the slave ports might still be in a forwarding state. As a result, traffic is forwarded on a blocked port. | 5.2.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3854807](#3854807)
| When you enable Optimized Multicast Flooding (OMF) and change VLAN configuration, a few ports might carry multicast traffic even when they are not in the MDB or they are not router ports. | 5.6.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| @@ -57,7 +57,7 @@ pdfhidden: True | [3698680](#3698680)
| If you run the ifreload -a command when ACLs exist but nonatomic update mode is set in the switchd.conf file, traffic pauses on unaffected interfaces. | 5.6.0-5.7.0 | 5.8.0-5.16.1| | [3696061](#3696061)
| When the MAC address of a neighbor changes, the zebra IP routing manager might crash. | 5.2.1-5.6.0 | 5.7.0-5.16.1| | [3695430](#3695430)
| When you configure extended nexthop encoding for a peer group, the peers in the group do not inherit the configuration. To work around this issue, configure extended nexthop encoding on each individual peer in the group. NVIDIA recommends that you upgrade to Cumulus Linux 5.6 or later to avoid this issue. | 5.4.0-5.6.0 | 5.7.0-5.16.1| -| [3686389](#3686389)
| When you use NVUE commands to configure an untagged VLAN (PVID) on a bridge to a non-default value, nv show bridge commands still indicate that the untagged VLAN is 1 (the default value). The untagged VLAN you configured is properly set on bridge ports, but displays incorrectly in operational NVUE show commands. | 5.6.0-5.7.0 | 5.8.0-5.16.1| +| [3686389, 3725881](#3686389, 3725881)
| When you use NVUE commands to configure an untagged VLAN (PVID) on a bridge to a non-default value, nv show bridge commands still indicate that the untagged VLAN is 1 (the default value). The untagged VLAN you configured is properly set on bridge ports, but displays incorrectly in operational NVUE show commands. | 5.6.0-5.7.0 | 5.8.0-5.16.1| | [3684998](#3684998)
| DHCP lease information is not collected in the cl-support file. | 4.3.0-5.6.0 | 5.7.0-5.16.1| | [3684268](#3684268)
| When multiple interfaces have addresses in the same network, deleting one of them might cause the wrong connected route from being deleted. | 5.6.0 | 5.7.0-5.16.1| | [3671288](#3671288)
| Routes and/or next-hops will no-longer be installed in kernel, and traffic related to these routes and/or next-hops will not be forwarded correctly. Flapping of EVPN prefixes from BGP updates and withdraws sometimes causes a race condition where the routes are never re-installed. An example of a trigger that can lead to this problem is a flapping peerlink. A reboot of each switch with missing routes will recover from this issue. | 5.6.0-5.7.0 | 5.8.0-5.16.1| @@ -66,7 +66,7 @@ pdfhidden: True | [3668809](#3668809)
| SN2410 switches manufactured or sold by OEMs (not Mellanox) might contain fans that do not support system fan direction detection. As a result, the following messages occur in the log:
/usr/sbin/smond : : Path /run/hw-management/thermal/fan1_dir does not exist/usr/sbin/smond : : Path /run/hw-management/thermal/fan2_dir does not exist
smond has been modified to determine dynamically (at run-time) if the fan has the capability. To drop the messages before they get to the log, create a file, such as /etc/rsyslog.d/18-drop_fan_dir_msgs.conf with the following contents, then restart rsyslogd with the systemctl restart rsyslog command
# The lines below cause the offending message to be dropped from all logs:msg, ereregex, ".*Path /run/hw-management/thermal/fan[1-8]_dir does not exist" stop
| 5.6.0 | 5.7.0-5.16.1| | [3664986](#3664986)
| If a core file is generated with a space in the name, Cumulus Linux generates cl-support files until the file is removed. To work around this issue, rename the core file without the space character. The next cl-support file generated will be moved into the cl-support archive and removed from the filesystem. | 5.6.0 | 5.7.0-5.16.1| | [3663182](#3663182)
| Changing non-default BGP timers with NCLU or vtysh commands sets the hold time and keep alive interval to 0 seconds. To work around this issue, restart the FRR service with the sudo systemctl restart frr.service command. | 5.3.1-5.6.0 | 5.7.0-5.16.1| -| [3662354](#3662354)
| When you enable the FRR SNMP agent (agentx) and configure routing adjacencies with short timers (dead, keepalive, and hold time), the routing adjacencies might go down in certain scenarios; for example when you have frequent or concurrent client SNMP requests, you use custom SNMP MIB extensions, you poll OIDs with large responses, or during high CPU load. To work around this issue, you can increase the routing adjacency timers to accommodate SNMP processing. | 5.6.0 | 5.7.0-5.16.1| +| [3662354, 3582826](#3662354, 3582826)
| When you enable the FRR SNMP agent (agentx) and configure routing adjacencies with short timers (dead, keepalive, and hold time), the routing adjacencies might go down in certain scenarios; for example when you have frequent or concurrent client SNMP requests, you use custom SNMP MIB extensions, you poll OIDs with large responses, or during high CPU load. To work around this issue, you can increase the routing adjacency timers to accommodate SNMP processing. | 5.6.0 | 5.7.0-5.16.1| | [3655043](#3655043)
| After you upgrade to Cumulus Linux 5.6.0 with package upgrade, configuration changes you make with NVUE commands do not apply and you see the error message Invalid config [rev_id: 4] Default profile parameters can not be modified. Modification allowed on user created profiles. To workaround this issue:1. Remove the PTP configuration using the nv unset service ptp 1 enable syntax
2. Save the configuration nv config apply. 3. Re-add the PTP config. Note: this procedure results in a switchd restart which will have an impact on the data plane. | 5.6.0 | 5.7.0-5.16.1| | [3655027](#3655027)
| If you create a new snippet with the same name as a snippet you deleted, you receive a warning message. To work around this issue, create the new snippet with a different name than any removed snippets. | 5.6.0 | 5.7.0-5.16.1| | [3650661](#3650661)
| Configuration changes to an already applied custom flexible snippet that includes a service restart does not restart the service when you apply the patch. | 5.6.0 | 5.7.0-5.16.1| @@ -77,62 +77,62 @@ pdfhidden: True | [3632843](#3632843)
| When the switch receives a type-5 route in BGP and there is a network statement for the same prefix, BGP sometimes removes the request to track next hops from FRR. As next hop reachability changes, BGP no longer reacts to the change. To work around this issue, run the clear bgp * command for all peerings. | 5.6.0-5.7.0 | 5.8.0-5.16.1| | [3630492](#3630492)
| On the NVIDIA SN2201 switch, the ledmgrd -d command output shows the system and PSU LED status as orange when the physical LED is green. | 5.5.1-5.7.0 | 5.8.0-5.16.1| | [3627913](#3627913)
| The switch drops untagged VLAN traffic on single VXLAN bridge ports. | 5.6.0 | 5.7.0-5.16.1| -| [3616643](#3616643)
| NVUE commands to set a route map exit policy match produce incorrect configuration in the /etc/frr/frr.conf file. | 5.6.0 | 5.7.0-5.16.1| +| [3616643, 3660953](#3616643, 3660953)
| NVUE commands to set a route map exit policy match produce incorrect configuration in the /etc/frr/frr.conf file. | 5.6.0 | 5.7.0-5.16.1| | [3616338](#3616338)
| When you reboot an MLAG switch with 3000 or more VNIs, there might be extended traffic loss during reboot. To work around this issue, configure the clagd service initDelay to 300 seconds with the nv set mlag init-delay 300 command. | 5.5.1-5.6.0 | 5.7.0-5.16.1| | [3614286](#3614286)
| To avoid unnecessary traffic loss, ifreload (ifupdown2) only flaps a bond to reset its MAC address when the bond MAC address is not present on any of the bond's interfaces. Previously, ifupdown2 enforced the bond MAC address to be set to the MAC address of the first interface. | 5.6.0-5.7.0 | 5.8.0-5.16.1| | [3613258](#3613258)
| With VM migration from one VTEP to another, traffic loss might occur during a MAC move as locally learned MAC addresses are frequently refreshed between switchd and the kernel. | 5.2.1-5.6.0 | 5.7.0-5.16.1| | [3612959](#3612959)
| The interface name for a VLAN subinterface does not show correctly; the VLAN is appended to the interface again. | 5.6.0 | 5.7.0-5.16.1| | [3611215](#3611215)
| In an EVPN multihoming configuration, the switchd service produces error messages similar to the following:
2023-09-07T15:45:56.055477+02:00 switch1 switchd7903: hal_mlx_flx_acl.c:2388 hal_mlx_flx_region_pull_bulk_counters failed
These error messages do not affect how the switch functions; however the messages fill up the switchd logs, which is not desirable. | 5.6.0 | 5.7.0-5.16.1| -| [3610967](#3610967)
| In an EVPN symmetric routing configuration, running the NVUE nv set vrf vlan auto command to derive layer 3 VNIs automatically might result in duplicate VLAN entries in the system. This most often occurs at scale when many VRFs have similar names. To work around this issue, manually specify a unique VLAN for each VRF. | 5.3.0-5.8.0 | 5.9.0-5.16.1| -| [3610611](#3610611)
| Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf loopback ip address command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the ping command to use a source address (such as an SVI address) with the ip vrf exec ping -I command. | 5.5.0-5.6.0 | 5.7.0-5.16.1| -| [3609128](#3609128)
| When you use vi with root or sudo, visual mode is enabled by default due to a missing vimrc configuration file. This makes it difficult to copy and paste into vi. In CL5.7.0, the default configuration now includes set mouse-=a
In addition, the CL5.7.0 default configuration for vi now disables modelines, which can be a security risk. | 5.5.0-5.6.0 | 5.7.0-5.16.1| +| [3610967, 3647761](#3610967, 3647761)
| In an EVPN symmetric routing configuration, running the NVUE nv set vrf vlan auto command to derive layer 3 VNIs automatically might result in duplicate VLAN entries in the system. This most often occurs at scale when many VRFs have similar names. To work around this issue, manually specify a unique VLAN for each VRF. | 5.3.0-5.8.0 | 5.9.0-5.16.1| +| [3610611, 3599699](#3610611, 3599699)
| Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf loopback ip address command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the ping command to use a source address (such as an SVI address) with the ip vrf exec ping -I command. | 5.5.0-5.6.0 | 5.7.0-5.16.1| +| [3609128, 3609176](#3609128, 3609176)
| When you use vi with root or sudo, visual mode is enabled by default due to a missing vimrc configuration file. This makes it difficult to copy and paste into vi. In CL5.7.0, the default configuration now includes set mouse-=a
In addition, the CL5.7.0 default configuration for vi now disables modelines, which can be a security risk. | 5.5.0-5.6.0 | 5.7.0-5.16.1| | [3608014](#3608014)
| Software MAC learning might not work for a bridged VLAN subinterface on a bond (such as bond1.100) if you remove a VLAN subinterface completely from the configuration, then add it back with an identical configuration. To work around this issue, restart switchd. | 5.6.0 | 5.7.0-5.16.1| | [3606739](#3606739)
| The thermal control service, hw-management-tc.service, stops and switch fan speeds run at 100% when the ASIC temperature can't be read. This can occur if the SDK is not started. | 5.5.1-5.6.0 | 5.7.0-5.16.1| | [3603237](#3603237)
| If the secondary MLAG peer continuously reboots, you might experience momentary traffic loss. | 5.5.1-5.6.0 | 5.7.0-5.16.1| | [3600588](#3600588)
| You can't reset the root password by booting into Cumulus Linux single-user recovery mode. To work around this issue, follow the steps in https://docs.nvidia.com/networking-ethernet-software/cumulus-linux-56/Monitoring-and-Troubleshooting/Single-User-Mode-Password-Recovery/. | 5.6.0 | 5.7.0-5.16.1| -| [3599699](#3599699)
| Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf loopback ip address command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the ping command to use a source address (such as an SVI address) with the ip vrf exec ping -I command. | 5.5.0-5.6.0 | 5.7.0-5.16.1| +| [3599699, 3569484, 3610611](#3599699, 3569484, 3610611)
| Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf loopback ip address command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the ping command to use a source address (such as an SVI address) with the ip vrf exec ping -I command. | 5.5.0-5.6.0 | 5.7.0-5.16.1| | [3597456](#3597456)
| NVUE does not allow you to use the reserved name lo in an interface name. | 5.5.1-5.6.0 | 5.7.0-5.16.1| | [3591918](#3591918)
| The nv action disconnect system aaa user command does not clear all open sessions. To work around this issue, run the command as many times as the number of sessions. | 5.6.0-5.16.1 | | | [3590394](#3590394)
| Under rare conditions, running NVUE commands that capture output larger than 4k bytes from Linux tools or utilities might result in failures with 500 INTERNAL SERVER ERROR or Unrecoverable internal error messages. This issue occurs when there are non-ascii characters in large outputs that Cumulus Linux can't decode. This failure is observed only in Cumulus Linux 5.6 and earlier. | 5.6.0 | 5.7.0-5.16.1| | [3587393](#3587393)
| If you use the NVIDIA SN5600 (Spectrum-4) switch with Ixia test equipment, you might experience delayed link up due to intermittent link flaps.
To work around this issue when using copper cables:
  • Use Ixia IxOS version 9.37 with HF002156, or version 9.39 or later.
  • Use the DAC cable on ports 10 through 50.
  • Use NVIDIA cables with the recommended firmware revision.
  • Configure AN on the Cumulus Linux switch and AN/LT on Ixia.

To work around this issue when using fiber cables:
  • Configure 800g/Force.
  • Use the recommended NVIDIA optical adapters.
| 5.6.0-5.16.1 | | | [3585467](#3585467)
| NVUE and ip link show traditional bridge VLAN subinterface counts incorrectly. The ingress (Rx) count increments correctly but the egress (Tx) count does not increment. This issues occurs because the hardware does not support transmit counters for a VLAN subinterface; therefore, no statistics from the hardware are updated. Statistics for software forwarded packets show correctly. | 5.0.0-5.6.0 | 5.7.0-5.16.1| -| [3582826](#3582826)
| When you enable the FRR SNMP agent (agentx) and configure routing adjacencies with short timers (dead, keepalive, and hold time), the routing adjacencies might go down in certain scenarios; for example when you have frequent or concurrent client SNMP requests, you use custom SNMP MIB extensions, you poll OIDs with large responses, or during high CPU load. To work around this issue, you can increase the routing adjacency timers to accommodate SNMP processing. | 5.5.0-5.6.0 | 5.7.0-5.16.1| +| [3582826, 3662354](#3582826, 3662354)
| When you enable the FRR SNMP agent (agentx) and configure routing adjacencies with short timers (dead, keepalive, and hold time), the routing adjacencies might go down in certain scenarios; for example when you have frequent or concurrent client SNMP requests, you use custom SNMP MIB extensions, you poll OIDs with large responses, or during high CPU load. To work around this issue, you can increase the routing adjacency timers to accommodate SNMP processing. | 5.5.0-5.6.0 | 5.7.0-5.16.1| | [3580435](#3580435)
| On the NVIDIA SN2410 switch with an Innodisk SSD, you might see the following message in syslog:
smartd[501]: Device: /dev/sda [SAT], CHECK POWER STATUS spins up disk (0x00 -> 0xff)
This is a cosmetic issue and does not affect how the switch operates. To prevent this message from occurring, run the hdparm -S 24 /dev/sda command to change the HD timeout. | 5.3.1-5.6.0 | 5.7.0-5.16.1| | [3576961](#3576961)
| The NVUE command to clear all ACL counters at once is not available. To work around this issue, run the cl-acltool -Z all command to reset the statistics for all ACL rules. | 5.5.1-5.6.0 | 5.7.0-5.16.1| | [3575800](#3575800)
| When you configure the peerlink interface with NVUE but do not configure the necessary MLAG parameters with nv set mlag commands (such as the backup IP address, peer IP address, and MLAG MAC address), NVUE apply fails with the following message:

MLAG cannot be deleted when a peerlink or peerlink sub-interfaces exist
| 5.6.0 | 5.7.0-5.16.1| | [3573800](#3573800)
| After you apply a change to the router MAC address on an SVI with the ifreload -a command, the old router MAC address still remains in the FDB table. To work around this issue, remove the old router MAC address with the sudo bridge fdb del dev bridge vlan command. | 5.3.1-5.6.0 | 5.7.0-5.16.1| | [3567708](#3567708)
| In an EVPN multihoming environment with VRRP, when the master VRRP router fails, the standby router takes around 30 seconds to become active. | 5.3.1-5.6.0 | 5.7.0-5.16.1| -| [3566980](#3566980)
| When running DHCP relay for IPv6 and a downstream interface flaps more than once, relaying might stop working. To recover, restart the dhcrelay6 service, making sure the specified downstream interfaces are up and running. | 5.5.0-5.6.0 | 5.7.0-5.16.1| -| [3556762](#3556762)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | -| [3546857](#3546857)
| The nv show bridge vlan command does not show tagged and untagged VLAN information for the bridge
| 5.6.0-5.8.0 | 5.9.0-5.16.1| +| [3566980, 3511344](#3566980, 3511344)
| When running DHCP relay for IPv6 and a downstream interface flaps more than once, relaying might stop working. To recover, restart the dhcrelay6 service, making sure the specified downstream interfaces are up and running. | 5.5.0-5.6.0 | 5.7.0-5.16.1| +| [3556762, 3463827](#3556762, 3463827)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | +| [3546857, 3564377](#3546857, 3564377)
| The nv show bridge vlan command does not show tagged and untagged VLAN information for the bridge
| 5.6.0-5.8.0 | 5.9.0-5.16.1| | [3541653](#3541653)
| During warm boot with layer 3 traffic, you might experience packet loss for approximately 15 milliseconds. | 5.6.0-5.8.0 | 5.9.0-5.16.1| | [3540510](#3540510)
| 400Gx8 ports only support traffic line rate with packets that are larger than 172 bytes. | 5.6.0-5.16.1 | | -| [3538321](#3538321)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | +| [3538321, 3564344](#3538321, 3564344)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | | [3534718](#3534718)
| The BGP command to suppress longer prefixes inside the aggregate address before sending updates (nv set vrf router bgp address-family aggregate-route
summary-only or vtysh router bgp aggregate-address
summary-only) does not suppress more specific routes from being exported into the EVPN routing table and advertised as EVPN type-5 routes. To work around this issue, announce EVPN type-5 routes by adding an additional outbound policy or export policy to filter out the more specific routes. | 5.5.0-5.6.0 | 5.7.0-5.16.1| | [3533272](#3533272)
| If you set an OSPF network and define the subnet using a host address (such as 10.1.1.2/24) instead of the (starting) subnet network address (such as 10.1.1.0/24), you can't unset the prefix with the nv unset vrf default router ospf area network command. Avoid defining the subnet using a host address when setting an OSPF network. | 5.6.0 | 5.7.0-5.16.1| -| [3522524](#3522524)
| FRR does not allow eBGP multi hop configuration on unnumbered BGP neighbors. | 5.5.0-5.6.0 | 5.7.0-5.16.1| -| [3517739](#3517739)
| When you connect the SN5600 switch to third party test equipment (such as IXIA) using copper cables, 100G, 200G, 400G, and 800G links do not come up. To work around this issue, use fiber optic cables when testing an SN5600 switch with IXIA for 100G, 200G, 400G, and 800G link speeds. | 5.6.0 | 5.7.0-5.16.1| +| [3522524, 3668926](#3522524, 3668926)
| FRR does not allow eBGP multi hop configuration on unnumbered BGP neighbors. | 5.5.0-5.6.0 | 5.7.0-5.16.1| +| [3517739, 3477016, 3565701](#3517739, 3477016, 3565701)
| When you connect the SN5600 switch to third party test equipment (such as IXIA) using copper cables, 100G, 200G, 400G, and 800G links do not come up. To work around this issue, use fiber optic cables when testing an SN5600 switch with IXIA for 100G, 200G, 400G, and 800G link speeds. | 5.6.0 | 5.7.0-5.16.1| | [3497622](#3497622)
| When you remove PSUs, then plug them back in, you might experience traffic loss and some ports might be in a down state. | 5.6.0-5.16.1 | | | [3484058](#3484058)
| When you power on the NVIDIA SN3420 switch with no connected cables, the QSFP ports LEDs light in amber. | 5.3.0-5.8.0 | 5.9.0-5.16.1| | [3472163](#3472163)
| On a switch with the Spectrum-4 ASIC, packets that are smaller than 256 bytes are not included in multicast flows. Multicast flows support packets that are 256 bytes or larger. | 5.6.0-5.16.1 | | -| [3463827](#3463827)
| On rare occasions, SPT switchover might not happen cleanly in PIM, resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.6.0-5.8.0 | 5.9.0-5.16.1| +| [3463827, 3434515, 3556762](#3463827, 3434515, 3556762)
| On rare occasions, SPT switchover might not happen cleanly in PIM, resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.6.0-5.8.0 | 5.9.0-5.16.1| | [3452732](#3452732)
| The nv set router policy ext-community-list rule ext-community rt command does not generate the standard based BGP community list. As a result, routes do not match the expected community list. To work around this issue, create a snippet to add the policy configuration to the /etc/frr/frr.conf file, then patch the configuration. For example:
cumulus@switch:~$ sudo nano frr_policy.yaml- set:
   system:
     config:
       snippet:
         frr.conf: \|
           bgp extcommunity-list standard EXTCOMMUNITY1 seq 10 permit rt 65102:10
cumulus@switch:~$ nv config patch frr_policy.yaml
| 5.5.0-5.6.0 | 5.7.0-5.16.1| -| [3452681](#3452681)
| When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND. | 5.5.0-5.10.1 | 5.11.0-5.16.1| +| [3452681, 3465375](#3452681, 3465375)
| When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND. | 5.5.0-5.10.1 | 5.11.0-5.16.1| | [3445841](#3445841)
| FRR does not apply Type-0 ESI configuration for EVPN multihoming bonds consistently after an FRR service reload. This issue occurs because the system MAC address value (es-sys-mac) is only compatible with a 3-byte Ethernet segment ID (es-id) for Type-3 ESIs, but still renders even when the Ethernet segment ID is 10 bytes for Type-0 ESIs. To work around this issue, configure EVPN multihoming bonds with a Type-3 ESI (es-sys-mac plus a 3-byte es-id). | 5.0.0-5.6.0 | 5.7.0-5.16.1| | [3444490](#3444490)
| Migration from ONYX to Cumulus Linux is supported and tested with ONYX version 3.10.4302 GA only. | 5.6.0-5.16.1 | | -| [3442569](#3442569)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | +| [3442569, 3520880, 3586421](#3442569, 3520880, 3586421)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | | [3436407](#3436407)
| The nv show acl command output shows a header but no ACL details. | 5.5.0-5.8.0 | 5.9.0-5.16.1| -| [3433577](#3433577)
| When you use a single VXLAN device (SVD) with MLAG and static VXLAN tunnels, Cumulus Linux incorrectly associates the MAC addresses it learns from the VXLAN fabric to the bridge PVID. This issue can lead to a feedback loop between the clagd service and switchd, and might result in critical CPU usage with an out of memory condition. Do not use an SVD when enabling MLAG in a static VXLAN environment. | 5.5.0-5.8.0 | 5.9.0-5.16.1| -| [3430430](#3430430)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | -| [3428677](#3428677)
| In certain cases, Cumulus Linux does not process next hop updates because the zebra IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state. | 5.3.0-5.6.0 | 5.7.0-5.16.1| -| [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | +| [3433577, 3433769](#3433577, 3433769)
| When you use a single VXLAN device (SVD) with MLAG and static VXLAN tunnels, Cumulus Linux incorrectly associates the MAC addresses it learns from the VXLAN fabric to the bridge PVID. This issue can lead to a feedback loop between the clagd service and switchd, and might result in critical CPU usage with an out of memory condition. Do not use an SVD when enabling MLAG in a static VXLAN environment. | 5.5.0-5.8.0 | 5.9.0-5.16.1| +| [3430430, 3337848](#3430430, 3337848)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | +| [3428677, 3437317](#3428677, 3437317)
| In certain cases, Cumulus Linux does not process next hop updates because the zebra IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state. | 5.3.0-5.6.0 | 5.7.0-5.16.1| +| [3424967, 3413785](#3424967, 3413785)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | | [3419928](#3419928)
| The NVUE PIM timer command option names keep-alive and rp-keep-alive are inconsistent and need to change to keepalive and rp-keepalive. | 5.4.0-5.6.0 | 5.7.0-5.16.1| -| [3414866](#3414866)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | +| [3414866, 3536555, 4465009, 4509253, 4732973](#3414866, 3536555, 4465009, 4509253, 4732973)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | | [3405024](#3405024)
| You cannot remove PBR map configuration with source and destination rules. To work around this issue, delete the entire PBR map clause. | 5.5.0-5.6.0 | 5.7.0-5.16.1| | [3393966](#3393966)
| When you configure OSPF network statements using NVUE with the nv set vrf router ospf area network command, subsequent configuration changes with NVUE might bring down all OSPF neighbors. To work around this issue, create an NVUE snippet to configure the network statement, or use the nv set interface router ospf area command to enable OSPF on interfaces instead of using a network statement. | 5.5.0-5.9.5 | 5.10.0-5.16.1| | [3362113](#3362113)
| If you restore an NVUE startup.yaml file or run the nv config patch command after an upgrade that includes breakout ports with QoS configuration, the NVUE configuration fails to apply. Subsequent attempts to run nv config apply fail with a message similar to Invalid config [rev_id: 11] qos config is not supported on the following invalid interface: swp1s0. Supported on swp and bond interface types. To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. | 5.4.0-5.16.1 | | -| [3347677](#3347677)
| In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown. | 5.1.0-5.6.0 | 5.7.0-5.16.1| +| [3347677, 3180068](#3347677, 3180068)
| In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown. | 5.1.0-5.6.0 | 5.7.0-5.16.1| | [3347538](#3347538)
| When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.16.1 | | | [3341214](#3341214)
| If you use the NVUE REST API to configure a local user with a hashed password, the user cannot log in and the /etc/nvue.d/startup.yaml file shows the password as plain text. | 5.4.0-5.16.1 | | | [3334275](#3334275)
| When you run the sensors command, the output shows an erroneous fault on some front panel ports. | 5.2.0-5.7.0 | 5.8.0-5.16.1| @@ -146,11 +146,11 @@ pdfhidden: True | [3241567](#3241567)
| When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time. | 5.3.0-5.16.1 | | | [3232091](#3232091)
| The NVUE nv unset interface link lanes command does not restore the port lane setting to the default value. To work around this issue, run the nv set interface link lanes command. | 5.4.0-5.6.0 | 5.7.0-5.16.1| | [3226506](#3226506)
| The l1-show eth0 command does not show port information and is not supported in this release. | 5.3.0-5.16.1 | | -| [3225117](#3225117)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | -| [3221628](#3221628)
| Cumulus Linux VX images might include an incorrect entry at the end of /etc/apt/sources.list, which produces warnings when you run apt update. Remove this entry to avoid these warnings. | 5.2.0-5.6.0 | 5.7.0-5.16.1| +| [3225117, 3158720](#3225117, 3158720)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | +| [3221628, 3217877](#3221628, 3217877)
| Cumulus Linux VX images might include an incorrect entry at the end of /etc/apt/sources.list, which produces warnings when you run apt update. Remove this entry to avoid these warnings. | 5.2.0-5.6.0 | 5.7.0-5.16.1| | [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.16.1 | | | [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.16.1 | | -| [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | +| [3145869, 3430508, 3543102](#3145869, 3430508, 3543102)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | | [3141826](#3141826)
| A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1)
1.3.6.1.2.1.47 --> Entity MIB
1.3.6.1.2.1.99 --> Entity Sensor MIB
1.3.6.1.2.1.23 --> rip2
1.3.6.1.2.1.2 --> interface/interfaces
1.3.6.1.2.1.31 --> ifMIB
1.3.6.1.2.1.4 --> IP
1.3.6.1.2.1.25 --> hostResource | 5.0.1-5.8.0 | 5.9.0-5.16.1| | [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example: 
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.16.1 | | | [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.16.1 | | @@ -161,8 +161,8 @@ pdfhidden: True | [3061656](#3061656)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.16.1 | | | [2972540](#2972540)
| With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.16.1 | | | [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.16.1 | | -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [2885305](#2885305)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2885305, 2887500, 3234087, 3074929, 3293192](#2885305, 2887500, 3234087, 3074929, 3293192)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.16.1 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.16.1 | | | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | @@ -174,7 +174,7 @@ pdfhidden: True | Issue ID | Description | Affects | |--- |--- |--- | | [3715651](#3715651)
| If you run NVUE commands to configure PIM for a VRF before you create the VRF, PIM does not create the pimreg device and the pimd service crashes. | 5.5.1 | | -| [3695541](#3695541)
| When applying a full configuration with NVUE that includes VRRP and BGP in VRFs, the VRRP configuration does not come up after you run nv config apply. BGP routes might also be missing. This issue only happens during the initial nv config apply of a full configuration, not during a normal initialization during a reboot or FRR restart. To work around this issue, reboot or restart FRR. | 5.5.1 | | +| [3695541, 3522324](#3695541, 3522324)
| When applying a full configuration with NVUE that includes VRRP and BGP in VRFs, the VRRP configuration does not come up after you run nv config apply. BGP routes might also be missing. This issue only happens during the initial nv config apply of a full configuration, not during a normal initialization during a reboot or FRR restart. To work around this issue, reboot or restart FRR. | 5.5.1 | | | [3647426](#3647426)
| If BGP remote-as is set to an integer and you try to configure the local-as for a BGP instance, you see the following error:
% AS specified for local as is the same as the remote as and this is not allowed
This configuration is not allowed; it is considered to be eBGP and local preference is not advertised. | 4.3.0-4.3.1 | | | [3572580](#3572580)
| You cannot set a VLAN match and a MAC protocol IPv4 match in a MAC type ACL rule. To apply ACLs with a VLAN match and layer 3 header matches ( IPV4/IPV6), you need to use type ipv4 or ipv6 ACLs with the VLAN match specified. | 5.5.1 | | | [3572566](#3572566)
| The NVUE nv action commands are missing from nv list-commands output. | 5.5.1 | | @@ -198,7 +198,7 @@ pdfhidden: True | [3482006](#3482006)
| If FRR learns a layer 2 entry against a VNI and you reconfigure the VNI later as a layer 3 VNI, the original layer 2 entry does not clear and remains in the forwarding database. | 5.0.0-5.5.1 | | | [3479786](#3479786)
| The switchd service does not handle certain route and next hop updates, which causes a synchronization loop. For example, in a VRF route leaking configuration, where a next hop group spans across multiple VRFs, when one of the routes is withdrawn and the next hop is no longer used, switchd has problems synchronizing other next hops in the group
To work around this issue, disable next hop groups in zebra with the vtysh zebra nexthop proto only command, and then reboot the switch. | 5.3.0-5.5.1 | | | [3474427](#3474427)
| On rare occasions, LLDP and other CPU originated IP packets that egress a port might get replicated in the data plane and forwarded out of another port as well. The peer node might discard the unicast packets on the wrong port because of the destination MAC address; however, there might be problems with multicast packets, such as LLDP, which uses a multicast MAC address as the destination MAC address. To work around this issue, reboot the switch. | | | -| [3474391](#3474391)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | | +| [3474391, 3479772](#3474391, 3479772)
| The SNMP MIB definition file /usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt does not define the INDEX of the bgpPeerEntry correctly. This issue does not impact SNMP functionality for this MIB. | 4.3.1-5.5.1 | | | [3472865](#3472865)
| The json output for the vtysh -c ‘show bgp all json command is missing a string key in front of the list of routes under the l2vpnevpn address family. | 5.4.0-5.5.1 | | | [3471052](#3471052)
| On certain QSFP-DD and OSFP optical modules, the ethtool -m command, and the related NCLU and NVUE commands that display optical module information fail. | 5.4.0-5.5.1 | | | [3470941](#3470941)
| On the NVIDIA SN4700 switch, reversing the upper four lanes on a port does not work and might cause link degradation. If you swap between the upper and lower four lanes on a port, the firmware gets stuck. | 5.3.0-5.5.0 | | @@ -211,7 +211,7 @@ pdfhidden: True | [3452763](#3452763)
| When you use the NVUE API with TACACS+, users might see a 403 Forbidden message if no TACACS+ user has logged in some other way, such as with SSH. To work around this issue, log in any TACACS+ user through SSH before you use the NVUE API with TACACS+ users, or run the following commands:
cumulus@switch:~$ sudo touch /run/tacacs_client_map
cumulus@switch:~$ sudo chown root:shadow /run/tacacs_client_map
cumulus@switch:~$ sudo chmod 0644 /run/tacacs_client_map | 5.5.0-5.5.1 | | | [3448984](#3448984)
| If you use NVUE to apply a configuration when the optional TACACS+ packages are not installed on the switch, you might see messages similar to the following in the /var/log/syslog file when auditd restarts (for example, when the switch reboots):
audispd: Unable to stat /sbin/audisp-tacplus (No such file or directory)
audispd: Skipping audisp-tacplus.conf plugin due to errors
These messages do not affect the functionality of the switch. | 5.5.0-5.5.1 | | | [3447762](#3447762)
| If the NVUE startup.yaml configuration file is invalid, the nv config apply startup command times out without providing details on the error. | 5.4.0-5.5.1 | | -| [3444668](#3444668)
| If the SDK becomes stuck and not able to process API calls, the systemd watchdog stops switchd and Cumulus Linux generates a cl-support file. switchd restarts after the watchdog timeout and then runs without issues
| | | +| [3444668, 3434088](#3444668, 3434088)
| If the SDK becomes stuck and not able to process API calls, the systemd watchdog stops switchd and Cumulus Linux generates a cl-support file. switchd restarts after the watchdog timeout and then runs without issues
| | | | [3436595](#3436595)
| When using WJH, if you export dropped packets to a file in PCAP format, the file contains custom WJH header data. As a result, certain tools, such as Wireshark, cannot decode the data. To work around this issue, use the --no_metadata option with the export command:
cumulus@switch:~$ what-just-happened poll --export --no_metadata
| 5.4.0-5.5.1 | | | [3436305](#3436305)
| Auto-negotiation and link-training is not supported at 25G between the NVIDIA SN5600 switch and non-NVIDIA devices. | | | | [3436296](#3436296)
| On the NVIDIA SN5600 switch, the 8x port breakout is not supported with the MCP4Y10-N00A cable
| | | @@ -220,15 +220,15 @@ pdfhidden: True | [3436229](#3436229)
| On the NVIDIA SN5600 switch, when you connect a Service port to non-NVIDIA devices, auto-negotiation is not supported for 25G links. | | | | [3436215](#3436215)
| On the NVIDIA SN5600 switch, the thermal control service crashes when you remove a fan tray. | | | | [3433944](#3433944)
| The wjh_dissector.lua WJH packet decoder script provided with Cumulus Linux might fail to decode all WJH packets. | 5.4.0-5.5.1 | | -| [3419940](#3419940)
| When generating a cl-support file either manually or when an issue occurs on the system, you see the following kernel error messages:
'Register access failed (reg_id=0x9029, status=0x4)' followed by a hex dump of a few lines
This error message is benign and has no functional impact. | 5.5.0-5.5.1 | | -| [3413785](#3413785)
| To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.5.1 | | +| [3419940, 3442281](#3419940, 3442281)
| When generating a cl-support file either manually or when an issue occurs on the system, you see the following kernel error messages:
'Register access failed (reg_id=0x9029, status=0x4)' followed by a hex dump of a few lines
This error message is benign and has no functional impact. | 5.5.0-5.5.1 | | +| [3413785, 3424967](#3413785, 3424967)
| To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE nv set system aaa tacacs vrf command (for example, nv set system aaa tacacs vrf swp51) or set the vrf= option in the /etc/tacplus_servers file (for example, vrf=swp51). A similar issue might prevent TACACS+ users with privilege level 15 from using sudo if the TACACS+ server is reachable only on the default VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use vrf task exec default sudo ... to execute the sudo command using the TACACS+ server on the default VRF. | 5.0.0-5.5.1 | | | [3394674](#3394674)
| If you restart FRR with the log file debugging level set to informational, BGP crashes. | 5.4.0-5.5.1 | | | [3378733](#3378733)
| After you add or delete a static MAC entry on the bridge FDB, a core dump occurs if the interface is VXLAN and the MAC address is 00:00:00:00:00:00. | 5.4.0-5.5.1 | | | [3344846](#3344846)
| The Spectrum-3 hardware configuration is not optimized for the best PTP accuracy when using 25GbE. You might see higher than expected PTP offsets on this platforms and interface speed. | 5.4.0-5.5.1 | | | [3336808](#3336808)
| If you run the NVUE nv set interface description command without providing a description, the nv config apply command fails with the error Unable to restart services (ifreload-nvue.service). | 5.4.0-5.5.1 | | | [3293114](#3293114)
| In Cumulus Linux 5.4 and earlier, the command to enable Neighbor Discovery (ND) router advertisement is inverted and causes confusion; nv set interface ip neighbor-discovery router-advertisement enable off. In Cumulus Linux 5.5 and later, the command to enable router advertisement is updated to nv set interface ip neighbor-discovery router-advertisement enable on. | 5.3.0-5.5.1 | | -| [3187469](#3187469)
| At high scale with 160 VRFs and 10 VLANs per VRF (a total of 1600 VLANs), you see traffic loss during primary switch reboot. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address. | 5.1.0-5.5.1 | | +| [3187469, 3188618](#3187469, 3188618)
| At high scale with 160 VRFs and 10 VLANs per VRF (a total of 1600 VLANs), you see traffic loss during primary switch reboot. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address. | 5.1.0-5.5.1 | | | [3178090](#3178090)
| The cl-support generation script causes TC filter collection to run as a background process for each interface, which can lead to memory exhaustion on a high scale configuration and on a switch with a small memory footprint. | 5.1.0-5.5.1 | | | [3172682](#3172682)
| On rare occasions, when you query the system hostname through the hostnamctl application, you see a timeout. NVUE uses the hostnamctl application to determine the system hostname, which can result in an nv config apply command failure. | 5.2.0-5.5.1 | | -| [3069069](#3069069)
| When you run the systemctl reload switchd command, there is momentary traffic loss after a port configured with lossless buffers goes down. This is only temporary and the traffic stabilizes after the initial drops. | 5.1.0-5.5.1 | | +| [3069069, 3271536](#3069069, 3271536)
| When you run the systemctl reload switchd command, there is momentary traffic loss after a port configured with lossless buffers goes down. This is only temporary and the traffic stabilizes after the initial drops. | 5.1.0-5.5.1 | | diff --git a/content/cumulus-linux-56/rn.xml b/content/cumulus-linux-56/rn.xml index a1f215e99f..dd0a46fd75 100644 --- a/content/cumulus-linux-56/rn.xml +++ b/content/cumulus-linux-56/rn.xml @@ -19,7 +19,7 @@ 5.9.5, 5.16.0-5.16.1 -4663076 +4663076, 3963232 When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. 5.3.1-5.9.4 5.9.5-5.16.1, 5.11.5-5.16.1, 5.15.0-5.16.1 @@ -65,7 +65,7 @@ To work around this issue, power cycle the switch. 5.9.4-5.16.1, 5.14.0-5.16.1 -4413450 +4413450, 4497128 When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. 5.0.0-5.11.1, 5.13.0-5.13.1 5.11.2, 5.14.0-5.16.1 @@ -107,7 +107,7 @@ To work around this issue, power cycle the switch. 5.9.2-5.16.1, 5.10.0-5.16.1 -3949367 +3949367, 3949366 If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. 5.3.1-5.9.1 5.9.2-5.16.1, 5.10.0-5.16.1 @@ -131,7 +131,7 @@ To work around this issue, power cycle the switch. 5.10.0-5.16.1 -3895042 +3895042, 3895041 After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes: snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a This issue occurs because {{poectl}} is called on non-PoE switches. To work around this issue, remove or comment out the {{poetcl}} call from the {{/etc/snmpd.conf}} file, then restart the {{snmpd}} process with the {{sudo systemctl snmpd restart}} command. @@ -289,7 +289,7 @@ leaf01# exit 5.7.0-5.16.1 -3686389 +3686389, 3725881 When you use NVUE commands to configure an untagged VLAN (PVID) on a bridge to a non-default value, {{nv show bridge}} commands still indicate that the untagged VLAN is 1 (the default value). The untagged VLAN you configured is properly set on bridge ports, but displays incorrectly in operational NVUE show commands. 5.6.0-5.7.0 5.8.0-5.16.1 @@ -352,7 +352,7 @@ leaf01# exit 5.7.0-5.16.1 -3662354 +3662354, 3582826 When you enable the FRR SNMP agent (agentx) and configure routing adjacencies with short timers (dead, keepalive, and hold time), the routing adjacencies might go down in certain scenarios; for example when you have frequent or concurrent client SNMP requests, you use custom SNMP MIB extensions, you poll OIDs with large responses, or during high CPU load. To work around this issue, you can increase the routing adjacency timers to accommodate SNMP processing. 5.6.0 5.7.0-5.16.1 @@ -423,7 +423,7 @@ Note: this procedure results in a switchd restart which will have an impact on t 5.7.0-5.16.1 -3616643 +3616643, 3660953 NVUE commands to set a route map exit policy match produce incorrect configuration in the {{/etc/frr/frr.conf}} file. 5.6.0 5.7.0-5.16.1 @@ -463,19 +463,19 @@ These error messages do not affect how the switch functions; however the message 5.7.0-5.16.1 -3610967 +3610967, 3647761 In an EVPN symmetric routing configuration, running the NVUE {{nv set vrf <vrf> vlan auto}} command to derive layer 3 VNIs automatically might result in duplicate VLAN entries in the system. This most often occurs at scale when many VRFs have similar names. To work around this issue, manually specify a unique VLAN for each VRF. 5.3.0-5.8.0 5.9.0-5.16.1 -3610611 +3610611, 3599699 Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf <vrf> loopback ip address command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the {{ping}} command to use a source address (such as an SVI address) with the {{ip vrf exec <VRF> ping <REMOTE_IP> -I <SVI_SRC_IP>}} command. 5.5.0-5.6.0 5.7.0-5.16.1 -3609128 +3609128, 3609176 When you use {{vi}} with root or sudo, visual mode is enabled by default due to a missing {{vimrc}} configuration file. This makes it difficult to copy and paste into {{vi}}. In CL5.7.0, the default configuration now includes {{set mouse-=a}}. In addition, the CL5.7.0 default configuration for {{vi}} now disables modelines, which can be a security risk. @@ -507,7 +507,7 @@ In addition, the CL5.7.0 default configuration for {{vi}} now disables modelines 5.7.0-5.16.1 -3599699 +3599699, 3569484, 3610611 Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the {{nv unset vrf <vrf> loopback ip address}} command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the {{ping}} command to use a source address (such as an SVI address) with the {{ip vrf exec <VRF> ping <REMOTE_IP> -I <SVI_SRC_IP>}} command. 5.5.0-5.6.0 5.7.0-5.16.1 @@ -551,7 +551,7 @@ To work around this issue when using fiber cables: 5.7.0-5.16.1 -3582826 +3582826, 3662354 When you enable the FRR SNMP agent (agentx) and configure routing adjacencies with short timers (dead, keepalive, and hold time), the routing adjacencies might go down in certain scenarios; for example when you have frequent or concurrent client SNMP requests, you use custom SNMP MIB extensions, you poll OIDs with large responses, or during high CPU load. To work around this issue, you can increase the routing adjacency timers to accommodate SNMP processing. 5.5.0-5.6.0 5.7.0-5.16.1 @@ -594,19 +594,19 @@ This is a cosmetic issue and does not affect how the switch operates. To prevent 5.7.0-5.16.1 -3566980 +3566980, 3511344 When running DHCP relay for IPv6 and a downstream interface flaps more than once, relaying might stop working. To recover, restart the {{dhcrelay6}} service, making sure the specified downstream interfaces are up and running. 5.5.0-5.6.0 5.7.0-5.16.1 -3556762 +3556762, 3463827 On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. 5.5.0-5.16.1 -3546857 +3546857, 3564377 The {{nv show bridge vlan}} command does not show tagged and untagged VLAN information for the bridge. @@ -626,7 +626,7 @@ This is a cosmetic issue and does not affect how the switch operates. To prevent -3538321 +3538321, 3564344 In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. 5.6.0-5.16.1 @@ -644,14 +644,14 @@ This is a cosmetic issue and does not affect how the switch operates. To prevent 5.7.0-5.16.1 -3522524 +3522524, 3668926 FRR does not allow eBGP multi hop configuration on unnumbered BGP neighbors. 5.5.0-5.6.0 5.7.0-5.16.1 -3517739 +3517739, 3477016, 3565701 When you connect the SN5600 switch to third party test equipment (such as IXIA) using copper cables, 100G, 200G, 400G, and 800G links do not come up. To work around this issue, use fiber optic cables when testing an SN5600 switch with IXIA for 100G, 200G, 400G, and 800G link speeds. 5.6.0 5.7.0-5.16.1 @@ -675,7 +675,7 @@ This is a cosmetic issue and does not affect how the switch operates. To prevent -3463827 +3463827, 3434515, 3556762 On rare occasions, SPT switchover might not happen cleanly in PIM, resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. 5.6.0-5.8.0 5.9.0-5.16.1 @@ -699,7 +699,7 @@ cumulus@switch:~$ nv config patch frr_policy.yaml 5.7.0-5.16.1 -3452681 +3452681, 3465375 When you run the NVUE {{nv show system aaa tacacs authorization}} commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to {{Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND}}. 5.5.0-5.10.1 5.11.0-5.16.1 @@ -717,7 +717,7 @@ cumulus@switch:~$ nv config patch frr_policy.yaml -3442569 +3442569, 3520880, 3586421 When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both {{nginx.service}} and {{nvued.service}} to begin authenticating users against the new authentication service. 5.5.0-5.16.1 @@ -729,25 +729,25 @@ cumulus@switch:~$ nv config patch frr_policy.yaml 5.9.0-5.16.1 -3433577 +3433577, 3433769 When you use a single VXLAN device (SVD) with MLAG and static VXLAN tunnels, Cumulus Linux incorrectly associates the MAC addresses it learns from the VXLAN fabric to the bridge PVID. This issue can lead to a feedback loop between the {{clagd}} service and {{switchd}}, and might result in critical CPU usage with an out of memory condition. Do not use an SVD when enabling MLAG in a static VXLAN environment. 5.5.0-5.8.0 5.9.0-5.16.1 -3430430 +3430430, 3337848 When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. 5.5.0-5.16.1 -3428677 +3428677, 3437317 In certain cases, Cumulus Linux does not process next hop updates because the {{zebra}} IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state. 5.3.0-5.6.0 5.7.0-5.16.1 -3424967 +3424967, 3413785 {{sudo}} for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the {{default}} VRF. To work around this issue, specify the interface name that the {{default}} VRF uses in the {{vrf=}} setting of the {{/etc/tacplus_servers}} file or run the NVUE {{nv set system aaa tacacs vrf}} command. If you don't run either command, a TACACS+ user with privilege level 15 can run {{vrf task exec default sudo ...}} to execute the {{sudo}} command. 5.0.0-5.16.1 @@ -766,7 +766,7 @@ The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 5.7.0-5.16.1 -3414866 +3414866, 3536555, 4465009, 4509253, 4732973 Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error. sx_sdk: 22985 [BRIDGE] [ERROR ]: Port(0x200A000D)) already added to a bridge You can ignore this error; it has no impact on switch functionality. @@ -792,7 +792,7 @@ You can ignore this error; it has no impact on switch functionality. -3347677 +3347677, 3180068 In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown. 5.1.0-5.6.0 5.7.0-5.16.1 @@ -876,13 +876,13 @@ You can ignore this error; it has no impact on switch functionality. -3225117 +3225117, 3158720 Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. 5.4.0-5.16.1 -3221628 +3221628, 3217877 Cumulus Linux VX images might include an incorrect entry at the end of {{/etc/apt/sources.list}}, which produces warnings when you run {{apt update}}. Remove this entry to avoid these warnings. 5.2.0-5.6.0 5.7.0-5.16.1 @@ -905,7 +905,7 @@ To work around this issue, reference the OID without the preceding period ( {{.} -3145869 +3145869, 3430508, 3543102 On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. 5.2.0-5.16.1 @@ -982,7 +982,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -990,7 +990,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2885305 +2885305, 2887500, 3234087, 3074929, 3293192 Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. 5.0.0-5.16.1 @@ -1048,7 +1048,7 @@ You can safely ignore this warning. 5.5.1 -3695541 +3695541, 3522324 When applying a full configuration with NVUE that includes VRRP and BGP in VRFs, the VRRP configuration does not come up after you run {{nv config apply}}. BGP routes might also be missing. This issue only happens during the initial {{nv config apply}} of a full configuration, not during a normal initialization during a reboot or FRR restart. To work around this issue, reboot or restart FRR. 5.5.1 @@ -1174,7 +1174,7 @@ To work around this issue, disable next hop groups in zebra with the vtysh {{zeb -3474391 +3474391, 3479772 The SNMP MIB definition file {{/usr/share/snmp/mibs/Cumulus-BGPVRF-MIB.txt}} does not define the INDEX of the {{bgpPeerEntry}} correctly. This issue does not impact SNMP functionality for this MIB. 4.3.1-5.5.1 @@ -1253,7 +1253,7 @@ These messages do not affect the functionality of the switch. 5.4.0-5.5.1 -3444668 +3444668, 3434088 If the SDK becomes stuck and not able to process API calls, the {{systemd}} watchdog stops {{switchd}} and Cumulus Linux generates a {{cl-support}} file. {{switchd}} restarts after the watchdog timeout and then runs without issues. @@ -1303,7 +1303,7 @@ cumulus@switch:~$ what-just-happened poll --export --no_metadata 5.4.0-5.5.1 -3419940 +3419940, 3442281 When generating a {{cl-support}} file either manually or when an issue occurs on the system, you see the following kernel error messages: 'Register access failed (reg_id=0x9029, status=0x4)' followed by a hex dump of a few lines. @@ -1312,7 +1312,7 @@ This error message is benign and has no functional impact. 5.5.0-5.5.1 -3413785 +3413785, 3424967 To reach the TACACS+ server through the default VRF, you must specify the egress interface you use in the default VRF. Either run the NVUE {{nv set system aaa tacacs vrf <interface>}} command (for example, {{nv set system aaa tacacs vrf swp51}}) or set the {{vrf=<interface>}} option in the {{/etc/tacplus_servers}} file (for example, {{vrf=swp51}}). A similar issue might prevent TACACS+ users with privilege level 15 from using {{sudo}} if the TACACS+ server is reachable only on the {{default}} VRF. If this occurs, and you do not run the above configuration workaround, the TACACS+ user with privilege level 15 can use {{vrf task exec default sudo ...}} to execute the {{sudo}} command using the TACACS+ server on the {{default}} VRF. 5.0.0-5.5.1 @@ -1342,7 +1342,7 @@ This error message is benign and has no functional impact. 5.3.0-5.5.1 -3187469 +3187469, 3188618 At high scale with 160 VRFs and 10 VLANs per VRF (a total of 1600 VLANs), you see traffic loss during primary switch reboot. To work around this issue, reduce the scale to 40 VRFs with no more than 400 VLANs in the configuration, and use a common MAC address. 5.1.0-5.5.1 @@ -1357,7 +1357,7 @@ This error message is benign and has no functional impact. 5.2.0-5.5.1 -3069069 +3069069, 3271536 When you run the {{systemctl reload switchd}} command, there is momentary traffic loss after a port configured with lossless buffers goes down. This is only temporary and the traffic stabilizes after the initial drops. 5.1.0-5.5.1 diff --git a/content/cumulus-linux-57/Whats-New/rn.md b/content/cumulus-linux-57/Whats-New/rn.md index e9996b92b9..c61bbc6bff 100644 --- a/content/cumulus-linux-57/Whats-New/rn.md +++ b/content/cumulus-linux-57/Whats-New/rn.md @@ -16,14 +16,14 @@ pdfhidden: True |--- |--- |--- |--- | | [4963277](#4963277)
| When many BFD sessions are configured at scale, ptmd might crash when one of the BFD sessions flaps. | 5.3.1-5.16.1 | | | [4797691](#4797691)
| The message that the switch displays when you generate a cl-support file or as a post login banner contains an invalid Cumulus Support email address, which is no longer the formal channel for reporting support issues. | 5.0.0-5.9.4, 5.15.1 | 5.9.5, 5.16.0-5.16.1| -| [4663076](#4663076)
| When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.3.1-5.9.4 | 5.9.5-5.16.1, 5.11.5-5.16.1, 5.15.0-5.16.1| +| [4663076, 3963232](#4663076, 3963232)
| When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.3.1-5.9.4 | 5.9.5-5.16.1, 5.11.5-5.16.1, 5.15.0-5.16.1| | [4647646](#4647646)
| If you configure policy-based routing (PBR) rules for more than 32 interfaces, only the rules assigned to the first 32 interfaces are installed in the kernel. | 4.4.2-5.14.0 | 5.15.0-5.16.1| | [4621759](#4621759)
| When many BFD sessions are configured at scale, ptmd might crash when one of the BFD sessions flaps. | 5.3.1-5.14.0 | 5.15.0-5.16.1| | [4531104](#4531104)
| On a switch with SDK 4.6.1062 or earlier, you might see FW fatal health events. | 5.6.0-5.13.1 | 5.14.0-5.16.1| | [4521203](#4521203)
| The SATA driver on the NVIDIA SN2410 switch sometimes exhibits failures similar to the following:
2025-06-20T20:03:38.785966+09:00 S1-RF10B kernel: 
[49878794.456350] ata1.00: failed command: WRITE FPDMA QUEUED
2025-06-20T20:03:38.785968+09:00 S1-RF10B kernel: [49878794.461984] ata1.00: cmd
61/08:08:50:2b:c4/00:00:01:00:00/40 tag 1 ncq dma 4096 out
2025-06-20T20:03:38.785970+09:00 S1-RF10B kernel: [49878794.461984] res 40/00:0c:50:2b:c4/00:00:01:00:00/40 Emask 0×10 (ATA bus error)

To work around this issue, power cycle the switch. | 5.5.1-5.13.1 | 5.14.0-5.16.1| | [4505138](#4505138)
| Transceiver OIR (removal and insertion) or link flaps might cause EMAD timeouts, eventually causing switchd to crash. You see logs similar to EMAD_TRANSACTION] [ERROR ]: ACCESS_REG TIMEOUT. | 5.6.0-5.9.3 | 5.9.4-5.16.1, 5.14.0-5.16.1| | [4469498](#4469498)
| When a host moves to a new VTEP during mobility or network failover events in an EVPN multihoming environment, the host might be unreachable due to ARP resolution failures. To work around this issue, restart the FRR service with the sudo systemctl restart frr.service command. | 5.4.0-5.9.3 | 5.9.4-5.16.1, 5.14.0-5.16.1| -| [4413450](#4413450)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.11.1, 5.13.0-5.13.1 | 5.11.2, 5.14.0-5.16.1| +| [4413450, 4497128](#4413450, 4497128)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.11.1, 5.13.0-5.13.1 | 5.11.2, 5.14.0-5.16.1| | [4404955](#4404955)
| On the NVIDIA SN2201 switch, the fan tray LED status update fails and you see the following syslog errors:
systemd-udevd116276: mlxreg:fan1:green: Process ‘/usr/bin/hw-management-chassis-events.sh fantray-led-event mlxreg:fan1:green 255’ failed with exit code 1.

To work around this issue, restart the hw-management service with the sudo systemctl restart hw-management command. | 5.7.0-5.9.3 | 5.9.4-5.16.1, 5.11.2-5.16.1, 5.14.0-5.16.1| | [4377862](#4377862)
| When processing the static IP assignment for an interface previously managed through DHCP, Cumulus Linux fails to clean up the DHCP created state completely. As a result when the IP address assigned by DHCP earlier expires, the switch eventually loses connectivity. | 5.1.0-5.9.3 | 5.9.4-5.16.1, 5.11.2-5.16.1, 5.13.0-5.16.1| | [4072165](#4072165)
| When you add a VLAN to a bridge member port, VXLAN traffic might be impacted for few seconds. | 5.7.0-5.9.3 | 5.9.4-5.16.1, 5.11.0-5.16.1| @@ -32,11 +32,11 @@ pdfhidden: True | [3982222](#3982222)
| When you enable SPAN on a bridge member, an ARP or Gratuitous ARP received during a failover event between locally attached redundant devices, such as load balancers, might fail to update the bridge MAC table to point to the interface with the newly active load balancer.

To work around this issue, remove the SPAN configuration from the bridge member or ensure that the load balancer generates non-ARP traffic after the failover to properly update the bridge MAC table. | 5.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3980924](#3980924)
| When adding or removing routes in a virtual router with numerous configured routes, you might encounter incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.5.1-5.9.3 | 5.9.4-5.16.1, 5.11.1-5.16.1, 5.12.0-5.16.1| | [3955615](#3955615)
| Cumulus Linux does not recognize QSFP_CMIS optical modules correctly. | 5.6.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| -| [3949367](#3949367)
| If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. | 5.3.1-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| +| [3949367, 3949366](#3949367, 3949366)
| If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. | 5.3.1-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3927016](#3927016)
| Following an EVPN extended mobility event, where a host with IP address A and MAC address A moves within the fabric and now resides at IP address A and MAC address B, you might see traffic destined to this host experience drops as the flow is software forwarded on the egress VTEP. | 5.0.1-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3917601](#3917601)
| If a packet containing an all zero source MAC address (00:00:00:00:00:00) is learned on the ASIC, switchd sends the learn notification to the kernel but the kernel rejects the MAC address as invalid. The ASIC continuously sends the mac-learn notifications, which wastes CPU resources. To work around this issue, configure ACLs to match on the all-zero source MAC address and drop the invalid packets. | 5.5.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3897227](#3897227)
| During an LLDP update storm while deleting or adding LLPD neighbors, PTMD crashes as a result of mishandling multi-threaded LLPD processing. | 5.5.1-5.9.5 | 5.10.0-5.16.1| -| [3895042](#3895042)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| +| [3895042, 3895041](#3895042, 3895041)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3863858](#3863858)
| VRR interfaces might show dadfailed on their IPv6 link-local address. | 5.6.0-5.8.0 | 5.9.0-5.16.1| | [3859422](#3859422)
| On rare occasions when certain events occur, such as changes to the topology in the network, when a bond comes online and directly transits to an STP blocking state, the slave ports might still be in a forwarding state. As a result, traffic is forwarded on a blocked port. | 5.2.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3854807](#3854807)
| When you enable Optimized Multicast Flooding (OMF) and change VLAN configuration, a few ports might carry multicast traffic even when they are not in the MDB or they are not router ports. | 5.6.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| @@ -57,7 +57,7 @@ pdfhidden: True | [3738626](#3738626)
| If you configure a VNI before an SVI, you can't add or remove the VRR address from the SVI. To work around this issue, configure the SVI before the VNI. | 5.6.0-5.7.0 | 5.8.0-5.16.1| | [3730904](#3730904)
| When sending untagged frames to the CPU with an MTU higher than the SVD (single VXLAN device) MTU, the kernel might crash. | 5.4.0-5.8.0 | 5.9.0-5.16.1| | [3718614](#3718614)
| When a corrupt or invalid ZTP script exists on the ZTP file server, the ZTP service on the switch might crash and report Too many open files after approximately 1000 download attempts. To recover and restart ZTP, reboot the switch. Always provide a valid ZTP script when using ZTP download. | 5.7.0 | 5.8.0-5.16.1| -| [3713420](#3713420)
| When you run the systemctl restart switchd.service command or reboot the switch after you set the host route preference option with the NVUE nv set system forwarding host-route-preference command or manually in the /etc/cumulus/switchd.conf file, switchd crashes and creates core files. | 5.7.0 | 5.8.0-5.16.1| +| [3713420, 3718144](#3713420, 3718144)
| When you run the systemctl restart switchd.service command or reboot the switch after you set the host route preference option with the NVUE nv set system forwarding host-route-preference command or manually in the /etc/cumulus/switchd.conf file, switchd crashes and creates core files. | 5.7.0 | 5.8.0-5.16.1| | [3713419](#3713419)
| When monitoring system statistics and network traffic with sFlow, an aggressive link flap might produce a memory leak in the sFlow service hsflowd. | 5.1.0-5.7.0 | 5.8.0-5.16.1| | [3712007](#3712007)
| In RSTP mode when there is a bridge port flap, Cumulus Linux flushes, then re-adds dynamic MAC addresses on the peer link, which might cause short traffic disruption. | 5.6.0-5.7.0 | 5.8.0-5.16.1| | [3711913](#3711913)
| When you set an IPv4 ACL with a log action, logs do not appear under syslog after a match. This issue affects bridged packets when the rule is installed in iptables. To work around this issue, set the ACL with a MAC rule type so that it is installed in ebtables and the packets are logged correctly in syslog.
The following shows an example configuration:
cumulus@switch:~$ nv set acl one rule 1 action log log-prefix NVIDIA
cumulus@switch:~$ nv set acl one rule 1 match ip protocol udp
cumulus@switch:~$ nv set acl one rule 1 match ip source-ip 10.0.14.2
cumulus@switch:~$ nv set acl one rule 1 match ip udp source-port 34
cumulus@switch:~$ nv set acl one rule 1 match mac protocol ipv4
cumulus@switch:~$ nv set acl one type mac
| 5.7.0-5.9.5 | 5.10.0-5.16.1| @@ -65,8 +65,8 @@ pdfhidden: True | [3702431](#3702431)
| Traditional SNMP snippets do not take effect unless you first enable SNMP with the NVUE nv set service snmp-server enable on and nv set service snmp-server listening-address commands. Alternatively, you can use the equivalent REST API methods. | 5.4.0-5.8.0 | 5.9.0-5.16.1| | [3698680](#3698680)
| If you run the ifreload -a command when ACLs exist but nonatomic update mode is set in the switchd.conf file, traffic pauses on unaffected interfaces. | 5.6.0-5.7.0 | 5.8.0-5.16.1| | [3695491](#3695491)
| When you log into a Cumulus Linux switch after a fresh install through the serial console, the management VRF might not be available. (This is not an issue with ssh.) To work around this issue, log out, then log back into the console a few seconds later, after the switch finishes booting. | 5.7.0 | 5.8.0-5.16.1| -| [3686389](#3686389)
| When you use NVUE commands to configure an untagged VLAN (PVID) on a bridge to a non-default value, nv show bridge commands still indicate that the untagged VLAN is 1 (the default value). The untagged VLAN you configured is properly set on bridge ports, but displays incorrectly in operational NVUE show commands. | 5.6.0-5.7.0 | 5.8.0-5.16.1| -| [3679478](#3679478)
| During switch boot, you see the following messages in the syslog:
2024-03-04T10:34:49.650950+00:00 cumulus sx_sdk: 2262 [TELE] [ERROR  ]: Tele impl module is already initialized2024-03-04T10:34:49.651041+00:00 cumulus sx_sdk: 2262 [TELE] [ERROR  ]: sdk_tele_init failed, for chip type CHIP_TYPE_SWITCH_SPECTRUM3, err = Already initialized

This is due to both the ASIC Monitoring service and the What Just Happened (WJH) service trying to initialize the SDK TELE module. You can ignore the messages because the TELE service has already initialized properly. | 5.7.0-5.8.0 | 5.9.0-5.16.1| +| [3686389, 3725881](#3686389, 3725881)
| When you use NVUE commands to configure an untagged VLAN (PVID) on a bridge to a non-default value, nv show bridge commands still indicate that the untagged VLAN is 1 (the default value). The untagged VLAN you configured is properly set on bridge ports, but displays incorrectly in operational NVUE show commands. | 5.6.0-5.7.0 | 5.8.0-5.16.1| +| [3679478, 3701229, 3737814](#3679478, 3701229, 3737814)
| During switch boot, you see the following messages in the syslog:
2024-03-04T10:34:49.650950+00:00 cumulus sx_sdk: 2262 [TELE] [ERROR  ]: Tele impl module is already initialized2024-03-04T10:34:49.651041+00:00 cumulus sx_sdk: 2262 [TELE] [ERROR  ]: sdk_tele_init failed, for chip type CHIP_TYPE_SWITCH_SPECTRUM3, err = Already initialized

This is due to both the ASIC Monitoring service and the What Just Happened (WJH) service trying to initialize the SDK TELE module. You can ignore the messages because the TELE service has already initialized properly. | 5.7.0-5.8.0 | 5.9.0-5.16.1| | [3677533](#3677533)
| Due to resource constraints on the Spectrum 1 switch, staticd performance drops and takes longer to read static routes compared to the time BGP takes to complete a graceful restart and advertise routes and EOR to its helpers. As a result, static routes are advertised after the EOR is sent to graceful restart helpers, which delete the stale static routes and relearn them after receiving the EOR from the restarting node. Temporary traffic loss might occur. | 5.7.0-5.16.1 | | | [3672706](#3672706)
| When you enable port security, you can configure a maximum of 450 port security static MAC addresses for an interface. | 5.7.0-5.8.0 | 5.9.0-5.16.1| | [3671288](#3671288)
| Routes and/or next-hops will no-longer be installed in kernel, and traffic related to these routes and/or next-hops will not be forwarded correctly. Flapping of EVPN prefixes from BGP updates and withdraws sometimes causes a race condition where the routes are never re-installed. An example of a trigger that can lead to this problem is a flapping peerlink. A reboot of each switch with missing routes will recover from this issue. | 5.6.0-5.7.0 | 5.8.0-5.16.1| @@ -76,28 +76,28 @@ pdfhidden: True | [3632843](#3632843)
| When the switch receives a type-5 route in BGP and there is a network statement for the same prefix, BGP sometimes removes the request to track next hops from FRR. As next hop reachability changes, BGP no longer reacts to the change. To work around this issue, run the clear bgp * command for all peerings. | 5.6.0-5.7.0 | 5.8.0-5.16.1| | [3630492](#3630492)
| On the NVIDIA SN2201 switch, the ledmgrd -d command output shows the system and PSU LED status as orange when the physical LED is green. | 5.5.1-5.7.0 | 5.8.0-5.16.1| | [3614286](#3614286)
| To avoid unnecessary traffic loss, ifreload (ifupdown2) only flaps a bond to reset its MAC address when the bond MAC address is not present on any of the bond's interfaces. Previously, ifupdown2 enforced the bond MAC address to be set to the MAC address of the first interface. | 5.6.0-5.7.0 | 5.8.0-5.16.1| -| [3610967](#3610967)
| In an EVPN symmetric routing configuration, running the NVUE nv set vrf vlan auto command to derive layer 3 VNIs automatically might result in duplicate VLAN entries in the system. This most often occurs at scale when many VRFs have similar names. To work around this issue, manually specify a unique VLAN for each VRF. | 5.3.0-5.8.0 | 5.9.0-5.16.1| -| [3610591](#3610591)
| After configuring the system level pre-login and post-login banner messages, the messages do not return to their default settings when you run the nv unset system command or the nv config apply empty command. | 5.7.0-5.9.5 | 5.10.0-5.16.1| +| [3610967, 3647761](#3610967, 3647761)
| In an EVPN symmetric routing configuration, running the NVUE nv set vrf vlan auto command to derive layer 3 VNIs automatically might result in duplicate VLAN entries in the system. This most often occurs at scale when many VRFs have similar names. To work around this issue, manually specify a unique VLAN for each VRF. | 5.3.0-5.8.0 | 5.9.0-5.16.1| +| [3610591, 3781456](#3610591, 3781456)
| After configuring the system level pre-login and post-login banner messages, the messages do not return to their default settings when you run the nv unset system command or the nv config apply empty command. | 5.7.0-5.9.5 | 5.10.0-5.16.1| | [3591918](#3591918)
| The nv action disconnect system aaa user command does not clear all open sessions. To work around this issue, run the command as many times as the number of sessions. | 5.6.0-5.16.1 | | | [3587393](#3587393)
| If you use the NVIDIA SN5600 (Spectrum-4) switch with Ixia test equipment, you might experience delayed link up due to intermittent link flaps.
To work around this issue when using copper cables:
  • Use Ixia IxOS version 9.37 with HF002156, or version 9.39 or later.
  • Use the DAC cable on ports 10 through 50.
  • Use NVIDIA cables with the recommended firmware revision.
  • Configure AN on the Cumulus Linux switch and AN/LT on Ixia.

To work around this issue when using fiber cables:
  • Configure 800g/Force.
  • Use the recommended NVIDIA optical adapters.
| 5.6.0-5.16.1 | | -| [3556762](#3556762)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | -| [3546857](#3546857)
| The nv show bridge vlan command does not show tagged and untagged VLAN information for the bridge
| 5.6.0-5.8.0 | 5.9.0-5.16.1| +| [3556762, 3463827](#3556762, 3463827)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | +| [3546857, 3564377](#3546857, 3564377)
| The nv show bridge vlan command does not show tagged and untagged VLAN information for the bridge
| 5.6.0-5.8.0 | 5.9.0-5.16.1| | [3541653](#3541653)
| During warm boot with layer 3 traffic, you might experience packet loss for approximately 15 milliseconds. | 5.6.0-5.8.0 | 5.9.0-5.16.1| | [3540510](#3540510)
| 400Gx8 ports only support traffic line rate with packets that are larger than 172 bytes. | 5.6.0-5.16.1 | | -| [3538321](#3538321)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | +| [3538321, 3564344](#3538321, 3564344)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | | [3497622](#3497622)
| When you remove PSUs, then plug them back in, you might experience traffic loss and some ports might be in a down state. | 5.6.0-5.16.1 | | | [3484058](#3484058)
| When you power on the NVIDIA SN3420 switch with no connected cables, the QSFP ports LEDs light in amber. | 5.3.0-5.8.0 | 5.9.0-5.16.1| | [3472163](#3472163)
| On a switch with the Spectrum-4 ASIC, packets that are smaller than 256 bytes are not included in multicast flows. Multicast flows support packets that are 256 bytes or larger. | 5.6.0-5.16.1 | | -| [3463827](#3463827)
| On rare occasions, SPT switchover might not happen cleanly in PIM, resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.6.0-5.8.0 | 5.9.0-5.16.1| -| [3452681](#3452681)
| When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND. | 5.5.0-5.10.1 | 5.11.0-5.16.1| +| [3463827, 3434515, 3556762](#3463827, 3434515, 3556762)
| On rare occasions, SPT switchover might not happen cleanly in PIM, resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.6.0-5.8.0 | 5.9.0-5.16.1| +| [3452681, 3465375](#3452681, 3465375)
| When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND. | 5.5.0-5.10.1 | 5.11.0-5.16.1| | [3444490](#3444490)
| Migration from ONYX to Cumulus Linux is supported and tested with ONYX version 3.10.4302 GA only. | 5.6.0-5.16.1 | | -| [3442569](#3442569)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | +| [3442569, 3520880, 3586421](#3442569, 3520880, 3586421)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | | [3436407](#3436407)
| The nv show acl command output shows a header but no ACL details. | 5.5.0-5.8.0 | 5.9.0-5.16.1| -| [3433577](#3433577)
| When you use a single VXLAN device (SVD) with MLAG and static VXLAN tunnels, Cumulus Linux incorrectly associates the MAC addresses it learns from the VXLAN fabric to the bridge PVID. This issue can lead to a feedback loop between the clagd service and switchd, and might result in critical CPU usage with an out of memory condition. Do not use an SVD when enabling MLAG in a static VXLAN environment. | 5.5.0-5.8.0 | 5.9.0-5.16.1| -| [3430430](#3430430)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | -| [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | +| [3433577, 3433769](#3433577, 3433769)
| When you use a single VXLAN device (SVD) with MLAG and static VXLAN tunnels, Cumulus Linux incorrectly associates the MAC addresses it learns from the VXLAN fabric to the bridge PVID. This issue can lead to a feedback loop between the clagd service and switchd, and might result in critical CPU usage with an out of memory condition. Do not use an SVD when enabling MLAG in a static VXLAN environment. | 5.5.0-5.8.0 | 5.9.0-5.16.1| +| [3430430, 3337848](#3430430, 3337848)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | +| [3424967, 3413785](#3424967, 3413785)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [3414866](#3414866)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | +| [3414866, 3536555, 4465009, 4509253, 4732973](#3414866, 3536555, 4465009, 4509253, 4732973)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | | [3393966](#3393966)
| When you configure OSPF network statements using NVUE with the nv set vrf router ospf area network command, subsequent configuration changes with NVUE might bring down all OSPF neighbors. To work around this issue, create an NVUE snippet to configure the network statement, or use the nv set interface router ospf area command to enable OSPF on interfaces instead of using a network statement. | 5.5.0-5.9.5 | 5.10.0-5.16.1| | [3362113](#3362113)
| If you restore an NVUE startup.yaml file or run the nv config patch command after an upgrade that includes breakout ports with QoS configuration, the NVUE configuration fails to apply. Subsequent attempts to run nv config apply fail with a message similar to Invalid config [rev_id: 11] qos config is not supported on the following invalid interface: swp1s0. Supported on swp and bond interface types. To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. | 5.4.0-5.16.1 | | | [3347538](#3347538)
| When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.16.1 | | @@ -109,10 +109,10 @@ pdfhidden: True | [3253218](#3253218)
| Auto-negotiation isn't supported on Spectrum-2 and Spectrum-3 switches using the 1G SFP-T module; FORCE 1G is configured instead. | 5.4.0-5.16.1 | | | [3241567](#3241567)
| When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time. | 5.3.0-5.16.1 | | | [3226506](#3226506)
| The l1-show eth0 command does not show port information and is not supported in this release. | 5.3.0-5.16.1 | | -| [3225117](#3225117)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | +| [3225117, 3158720](#3225117, 3158720)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | | [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.16.1 | | | [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.16.1 | | -| [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | +| [3145869, 3430508, 3543102](#3145869, 3430508, 3543102)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | | [3141826](#3141826)
| A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1)
1.3.6.1.2.1.47 --> Entity MIB
1.3.6.1.2.1.99 --> Entity Sensor MIB
1.3.6.1.2.1.23 --> rip2
1.3.6.1.2.1.2 --> interface/interfaces
1.3.6.1.2.1.31 --> ifMIB
1.3.6.1.2.1.4 --> IP
1.3.6.1.2.1.25 --> hostResource | 5.0.1-5.8.0 | 5.9.0-5.16.1| | [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example: 
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.16.1 | | | [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.16.1 | | @@ -123,8 +123,8 @@ pdfhidden: True | [3061656](#3061656)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.16.1 | | | [2972540](#2972540)
| With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.16.1 | | | [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.16.1 | | -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [2885305](#2885305)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2885305, 2887500, 3234087, 3074929, 3293192](#2885305, 2887500, 3234087, 3074929, 3293192)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.16.1 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.16.1 | | | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | @@ -144,7 +144,7 @@ pdfhidden: True | [3668809](#3668809)
| SN2410 switches manufactured or sold by OEMs (not Mellanox) might contain fans that do not support system fan direction detection. As a result, the following messages occur in the log:
/usr/sbin/smond : : Path /run/hw-management/thermal/fan1_dir does not exist/usr/sbin/smond : : Path /run/hw-management/thermal/fan2_dir does not exist
smond has been modified to determine dynamically (at run-time) if the fan has the capability. To drop the messages before they get to the log, create a file, such as /etc/rsyslog.d/18-drop_fan_dir_msgs.conf with the following contents, then restart rsyslogd with the systemctl restart rsyslog command
# The lines below cause the offending message to be dropped from all logs:msg, ereregex, ".*Path /run/hw-management/thermal/fan[1-8]_dir does not exist" stop
| 5.6.0 | | | [3664986](#3664986)
| If a core file is generated with a space in the name, Cumulus Linux generates cl-support files until the file is removed. To work around this issue, rename the core file without the space character. The next cl-support file generated will be moved into the cl-support archive and removed from the filesystem. | 5.6.0 | | | [3663182](#3663182)
| Changing non-default BGP timers with NCLU or vtysh commands sets the hold time and keep alive interval to 0 seconds. To work around this issue, restart the FRR service with the sudo systemctl restart frr.service command. | 5.3.1-5.6.0 | | -| [3662354](#3662354)
| When you enable the FRR SNMP agent (agentx) and configure routing adjacencies with short timers (dead, keepalive, and hold time), the routing adjacencies might go down in certain scenarios; for example when you have frequent or concurrent client SNMP requests, you use custom SNMP MIB extensions, you poll OIDs with large responses, or during high CPU load. To work around this issue, you can increase the routing adjacency timers to accommodate SNMP processing. | 5.6.0 | | +| [3662354, 3582826](#3662354, 3582826)
| When you enable the FRR SNMP agent (agentx) and configure routing adjacencies with short timers (dead, keepalive, and hold time), the routing adjacencies might go down in certain scenarios; for example when you have frequent or concurrent client SNMP requests, you use custom SNMP MIB extensions, you poll OIDs with large responses, or during high CPU load. To work around this issue, you can increase the routing adjacency timers to accommodate SNMP processing. | 5.6.0 | | | [3661089](#3661089)
| When you run the show bgp l2vpn evpn route rd mac json command, VNI information shows twice, once where VNI is in upper case and again where VNI is in lower case (vni). | | | | [3655043](#3655043)
| After you upgrade to Cumulus Linux 5.6.0 with package upgrade, configuration changes you make with NVUE commands do not apply and you see the error message Invalid config [rev_id: 4] Default profile parameters can not be modified. Modification allowed on user created profiles. To workaround this issue:1. Remove the PTP configuration using the nv unset service ptp 1 enable syntax
2. Save the configuration nv config apply. 3. Re-add the PTP config. Note: this procedure results in a switchd restart which will have an impact on the data plane. | 5.6.0 | | | [3655027](#3655027)
| If you create a new snippet with the same name as a snippet you deleted, you receive a warning message. To work around this issue, create the new snippet with a different name than any removed snippets. | 5.6.0 | | @@ -155,41 +155,41 @@ pdfhidden: True | [3643624](#3643624)
| The help text for the NVUE policer command nv set acl rule action police mode incorrectly indicates that the policer mode units are in bits per second. NVUE configures policers using bytes per second. | 5.6.0 | | | [3639058](#3639058)
| When you run the nv show service ntp command, you see an error message instead of the expected output. | 5.6.0 | | | [3627913](#3627913)
| The switch drops untagged VLAN traffic on single VXLAN bridge ports. | 5.6.0 | | -| [3616643](#3616643)
| NVUE commands to set a route map exit policy match produce incorrect configuration in the /etc/frr/frr.conf file. | 5.6.0 | | +| [3616643, 3660953](#3616643, 3660953)
| NVUE commands to set a route map exit policy match produce incorrect configuration in the /etc/frr/frr.conf file. | 5.6.0 | | | [3616338](#3616338)
| When you reboot an MLAG switch with 3000 or more VNIs, there might be extended traffic loss during reboot. To work around this issue, configure the clagd service initDelay to 300 seconds with the nv set mlag init-delay 300 command. | 5.5.1-5.6.0 | | | [3613258](#3613258)
| With VM migration from one VTEP to another, traffic loss might occur during a MAC move as locally learned MAC addresses are frequently refreshed between switchd and the kernel. | 5.2.1-5.6.0 | | | [3612959](#3612959)
| The interface name for a VLAN subinterface does not show correctly; the VLAN is appended to the interface again. | 5.6.0 | | | [3611215](#3611215)
| In an EVPN multihoming configuration, the switchd service produces error messages similar to the following:
2023-09-07T15:45:56.055477+02:00 switch1 switchd7903: hal_mlx_flx_acl.c:2388 hal_mlx_flx_region_pull_bulk_counters failed
These error messages do not affect how the switch functions; however the messages fill up the switchd logs, which is not desirable. | 5.6.0 | | -| [3610611](#3610611)
| Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf loopback ip address command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the ping command to use a source address (such as an SVI address) with the ip vrf exec ping -I command. | 5.5.0-5.6.0 | | -| [3609128](#3609128)
| When you use vi with root or sudo, visual mode is enabled by default due to a missing vimrc configuration file. This makes it difficult to copy and paste into vi. In CL5.7.0, the default configuration now includes set mouse-=a
In addition, the CL5.7.0 default configuration for vi now disables modelines, which can be a security risk. | 5.5.0-5.6.0 | | +| [3610611, 3599699](#3610611, 3599699)
| Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf loopback ip address command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the ping command to use a source address (such as an SVI address) with the ip vrf exec ping -I command. | 5.5.0-5.6.0 | | +| [3609128, 3609176](#3609128, 3609176)
| When you use vi with root or sudo, visual mode is enabled by default due to a missing vimrc configuration file. This makes it difficult to copy and paste into vi. In CL5.7.0, the default configuration now includes set mouse-=a
In addition, the CL5.7.0 default configuration for vi now disables modelines, which can be a security risk. | 5.5.0-5.6.0 | | | [3608014](#3608014)
| Software MAC learning might not work for a bridged VLAN subinterface on a bond (such as bond1.100) if you remove a VLAN subinterface completely from the configuration, then add it back with an identical configuration. To work around this issue, restart switchd. | 5.6.0 | | | [3606739](#3606739)
| The thermal control service, hw-management-tc.service, stops and switch fan speeds run at 100% when the ASIC temperature can't be read. This can occur if the SDK is not started. | 5.5.1-5.6.0 | | | [3603237](#3603237)
| If the secondary MLAG peer continuously reboots, you might experience momentary traffic loss. | 5.5.1-5.6.0 | | | [3600588](#3600588)
| You can't reset the root password by booting into Cumulus Linux single-user recovery mode. To work around this issue, follow the steps in https://docs.nvidia.com/networking-ethernet-software/cumulus-linux-56/Monitoring-and-Troubleshooting/Single-User-Mode-Password-Recovery/. | 5.6.0 | | -| [3599699](#3599699)
| Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf loopback ip address command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the ping command to use a source address (such as an SVI address) with the ip vrf exec ping -I command. | 5.5.0-5.6.0 | | +| [3599699, 3569484, 3610611](#3599699, 3569484, 3610611)
| Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf loopback ip address command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the ping command to use a source address (such as an SVI address) with the ip vrf exec ping -I command. | 5.5.0-5.6.0 | | | [3597456](#3597456)
| NVUE does not allow you to use the reserved name lo in an interface name. | 5.5.1-5.6.0 | | | [3590394](#3590394)
| Under rare conditions, running NVUE commands that capture output larger than 4k bytes from Linux tools or utilities might result in failures with 500 INTERNAL SERVER ERROR or Unrecoverable internal error messages. This issue occurs when there are non-ascii characters in large outputs that Cumulus Linux can't decode. This failure is observed only in Cumulus Linux 5.6 and earlier. | 5.6.0 | | | [3585467](#3585467)
| NVUE and ip link show traditional bridge VLAN subinterface counts incorrectly. The ingress (Rx) count increments correctly but the egress (Tx) count does not increment. This issues occurs because the hardware does not support transmit counters for a VLAN subinterface; therefore, no statistics from the hardware are updated. Statistics for software forwarded packets show correctly. | 5.0.0-5.6.0 | | -| [3582826](#3582826)
| When you enable the FRR SNMP agent (agentx) and configure routing adjacencies with short timers (dead, keepalive, and hold time), the routing adjacencies might go down in certain scenarios; for example when you have frequent or concurrent client SNMP requests, you use custom SNMP MIB extensions, you poll OIDs with large responses, or during high CPU load. To work around this issue, you can increase the routing adjacency timers to accommodate SNMP processing. | 5.5.0-5.6.0 | | +| [3582826, 3662354](#3582826, 3662354)
| When you enable the FRR SNMP agent (agentx) and configure routing adjacencies with short timers (dead, keepalive, and hold time), the routing adjacencies might go down in certain scenarios; for example when you have frequent or concurrent client SNMP requests, you use custom SNMP MIB extensions, you poll OIDs with large responses, or during high CPU load. To work around this issue, you can increase the routing adjacency timers to accommodate SNMP processing. | 5.5.0-5.6.0 | | | [3580435](#3580435)
| On the NVIDIA SN2410 switch with an Innodisk SSD, you might see the following message in syslog:
smartd[501]: Device: /dev/sda [SAT], CHECK POWER STATUS spins up disk (0x00 -> 0xff)
This is a cosmetic issue and does not affect how the switch operates. To prevent this message from occurring, run the hdparm -S 24 /dev/sda command to change the HD timeout. | 5.3.1-5.6.0 | | | [3576961](#3576961)
| The NVUE command to clear all ACL counters at once is not available. To work around this issue, run the cl-acltool -Z all command to reset the statistics for all ACL rules. | 5.5.1-5.6.0 | | | [3575800](#3575800)
| When you configure the peerlink interface with NVUE but do not configure the necessary MLAG parameters with nv set mlag commands (such as the backup IP address, peer IP address, and MLAG MAC address), NVUE apply fails with the following message:

MLAG cannot be deleted when a peerlink or peerlink sub-interfaces exist
| 5.6.0 | | | [3573800](#3573800)
| After you apply a change to the router MAC address on an SVI with the ifreload -a command, the old router MAC address still remains in the FDB table. To work around this issue, remove the old router MAC address with the sudo bridge fdb del dev bridge vlan command. | 5.3.1-5.6.0 | | | [3567708](#3567708)
| In an EVPN multihoming environment with VRRP, when the master VRRP router fails, the standby router takes around 30 seconds to become active. | 5.3.1-5.6.0 | | -| [3566980](#3566980)
| When running DHCP relay for IPv6 and a downstream interface flaps more than once, relaying might stop working. To recover, restart the dhcrelay6 service, making sure the specified downstream interfaces are up and running. | 5.5.0-5.6.0 | | +| [3566980, 3511344](#3566980, 3511344)
| When running DHCP relay for IPv6 and a downstream interface flaps more than once, relaying might stop working. To recover, restart the dhcrelay6 service, making sure the specified downstream interfaces are up and running. | 5.5.0-5.6.0 | | | [3534718](#3534718)
| The BGP command to suppress longer prefixes inside the aggregate address before sending updates (nv set vrf router bgp address-family aggregate-route
summary-only or vtysh router bgp aggregate-address
summary-only) does not suppress more specific routes from being exported into the EVPN routing table and advertised as EVPN type-5 routes. To work around this issue, announce EVPN type-5 routes by adding an additional outbound policy or export policy to filter out the more specific routes. | 5.5.0-5.6.0 | | | [3533272](#3533272)
| If you set an OSPF network and define the subnet using a host address (such as 10.1.1.2/24) instead of the (starting) subnet network address (such as 10.1.1.0/24), you can't unset the prefix with the nv unset vrf default router ospf area network command. Avoid defining the subnet using a host address when setting an OSPF network. | 5.6.0 | | -| [3522524](#3522524)
| FRR does not allow eBGP multi hop configuration on unnumbered BGP neighbors. | 5.5.0-5.6.0 | | -| [3517739](#3517739)
| When you connect the SN5600 switch to third party test equipment (such as IXIA) using copper cables, 100G, 200G, 400G, and 800G links do not come up. To work around this issue, use fiber optic cables when testing an SN5600 switch with IXIA for 100G, 200G, 400G, and 800G link speeds. | 5.6.0 | | +| [3522524, 3668926](#3522524, 3668926)
| FRR does not allow eBGP multi hop configuration on unnumbered BGP neighbors. | 5.5.0-5.6.0 | | +| [3517739, 3477016, 3565701](#3517739, 3477016, 3565701)
| When you connect the SN5600 switch to third party test equipment (such as IXIA) using copper cables, 100G, 200G, 400G, and 800G links do not come up. To work around this issue, use fiber optic cables when testing an SN5600 switch with IXIA for 100G, 200G, 400G, and 800G link speeds. | 5.6.0 | | | [3452732](#3452732)
| The nv set router policy ext-community-list rule ext-community rt command does not generate the standard based BGP community list. As a result, routes do not match the expected community list. To work around this issue, create a snippet to add the policy configuration to the /etc/frr/frr.conf file, then patch the configuration. For example:
cumulus@switch:~$ sudo nano frr_policy.yaml- set:
   system:
     config:
       snippet:
         frr.conf: \|
           bgp extcommunity-list standard EXTCOMMUNITY1 seq 10 permit rt 65102:10
cumulus@switch:~$ nv config patch frr_policy.yaml
| 5.5.0-5.6.0 | | | [3445841](#3445841)
| FRR does not apply Type-0 ESI configuration for EVPN multihoming bonds consistently after an FRR service reload. This issue occurs because the system MAC address value (es-sys-mac) is only compatible with a 3-byte Ethernet segment ID (es-id) for Type-3 ESIs, but still renders even when the Ethernet segment ID is 10 bytes for Type-0 ESIs. To work around this issue, configure EVPN multihoming bonds with a Type-3 ESI (es-sys-mac plus a 3-byte es-id). | 5.0.0-5.6.0 | | -| [3428677](#3428677)
| In certain cases, Cumulus Linux does not process next hop updates because the zebra IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state. | 5.3.0-5.6.0 | | +| [3428677, 3437317](#3428677, 3437317)
| In certain cases, Cumulus Linux does not process next hop updates because the zebra IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state. | 5.3.0-5.6.0 | | | [3419928](#3419928)
| The NVUE PIM timer command option names keep-alive and rp-keep-alive are inconsistent and need to change to keepalive and rp-keepalive. | 5.4.0-5.6.0 | | | [3405024](#3405024)
| You cannot remove PBR map configuration with source and destination rules. To work around this issue, delete the entire PBR map clause. | 5.5.0-5.6.0 | | -| [3347677](#3347677)
| In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown. | 5.1.0-5.6.0 | | +| [3347677, 3180068](#3347677, 3180068)
| In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown. | 5.1.0-5.6.0 | | | [3266197](#3266197)
| When you disable BGP globally with the nv set router bgp enable off command, applying the configuration with NVUE might fail due to an FRR reload failure. | 5.2.0-5.6.0 | | | [3264269](#3264269)
| When you change the BGP router ID that causes a change to an EVPN VNI RD, EVPN EAD-per-EVI routes are not updated properly. | 5.3.0-5.6.0 | | | [3258232](#3258232)
| If you use NVUE to configure multiple SNMP listener addresses at the same time, the SNMP service fails to start. To work around this issue, configure multiple SNMP listener addresses one at a time. | 5.3.0-5.6.0 | | | [3232091](#3232091)
| The NVUE nv unset interface link lanes command does not restore the port lane setting to the default value. To work around this issue, run the nv set interface link lanes command. | 5.4.0-5.6.0 | | -| [3221628](#3221628)
| Cumulus Linux VX images might include an incorrect entry at the end of /etc/apt/sources.list, which produces warnings when you run apt update. Remove this entry to avoid these warnings. | 5.2.0-5.6.0 | | +| [3221628, 3217877](#3221628, 3217877)
| Cumulus Linux VX images might include an incorrect entry at the end of /etc/apt/sources.list, which produces warnings when you run apt update. Remove this entry to avoid these warnings. | 5.2.0-5.6.0 | | diff --git a/content/cumulus-linux-57/rn.xml b/content/cumulus-linux-57/rn.xml index 7dd601ba8d..59e9f65ce6 100644 --- a/content/cumulus-linux-57/rn.xml +++ b/content/cumulus-linux-57/rn.xml @@ -19,7 +19,7 @@ 5.9.5, 5.16.0-5.16.1 -4663076 +4663076, 3963232 When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. 5.3.1-5.9.4 5.9.5-5.16.1, 5.11.5-5.16.1, 5.15.0-5.16.1 @@ -65,7 +65,7 @@ To work around this issue, power cycle the switch. 5.9.4-5.16.1, 5.14.0-5.16.1 -4413450 +4413450, 4497128 When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. 5.0.0-5.11.1, 5.13.0-5.13.1 5.11.2, 5.14.0-5.16.1 @@ -121,7 +121,7 @@ To work around this issue, restart the {{hw-management}} service with the {{sudo 5.9.2-5.16.1, 5.10.0-5.16.1 -3949367 +3949367, 3949366 If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. 5.3.1-5.9.1 5.9.2-5.16.1, 5.10.0-5.16.1 @@ -145,7 +145,7 @@ To work around this issue, restart the {{hw-management}} service with the {{sudo 5.10.0-5.16.1 -3895042 +3895042, 3895041 After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes: snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a This issue occurs because {{poectl}} is called on non-PoE switches. To work around this issue, remove or comment out the {{poetcl}} call from the {{/etc/snmpd.conf}} file, then restart the {{snmpd}} process with the {{sudo systemctl snmpd restart}} command. @@ -291,7 +291,7 @@ leaf01# exit 5.8.0-5.16.1 -3713420 +3713420, 3718144 When you run the {{systemctl restart switchd.service}} command or reboot the switch after you set the host route preference option with the NVUE {{nv set system forwarding host-route-preference}} command or manually in the {{/etc/cumulus/switchd.conf}} file, {{switchd}} crashes and creates core files. 5.7.0 5.8.0-5.16.1 @@ -347,13 +347,13 @@ cumulus@switch:~$ nv set acl one type mac 5.8.0-5.16.1 -3686389 +3686389, 3725881 When you use NVUE commands to configure an untagged VLAN (PVID) on a bridge to a non-default value, {{nv show bridge}} commands still indicate that the untagged VLAN is 1 (the default value). The untagged VLAN you configured is properly set on bridge ports, but displays incorrectly in operational NVUE show commands. 5.6.0-5.7.0 5.8.0-5.16.1 -3679478 +3679478, 3701229, 3737814 During switch boot, you see the following messages in the syslog: 2024-03-04T10:34:49.650950+00:00 cumulus sx_sdk: 2262 [TELE] [ERROR ]: Tele impl module is already initialized @@ -418,13 +418,13 @@ This is due to both the ASIC Monitoring service and the What Just Happened (WJH) 5.8.0-5.16.1 -3610967 +3610967, 3647761 In an EVPN symmetric routing configuration, running the NVUE {{nv set vrf <vrf> vlan auto}} command to derive layer 3 VNIs automatically might result in duplicate VLAN entries in the system. This most often occurs at scale when many VRFs have similar names. To work around this issue, manually specify a unique VLAN for each VRF. 5.3.0-5.8.0 5.9.0-5.16.1 -3610591 +3610591, 3781456 After configuring the system level pre-login and post-login banner messages, the messages do not return to their default settings when you run the {{nv unset system}} command or the {{nv config apply empty}} command. 5.7.0-5.9.5 5.10.0-5.16.1 @@ -450,13 +450,13 @@ To work around this issue when using fiber cables: -3556762 +3556762, 3463827 On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. 5.5.0-5.16.1 -3546857 +3546857, 3564377 The {{nv show bridge vlan}} command does not show tagged and untagged VLAN information for the bridge. @@ -476,7 +476,7 @@ To work around this issue when using fiber cables: -3538321 +3538321, 3564344 In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. 5.6.0-5.16.1 @@ -500,13 +500,13 @@ To work around this issue when using fiber cables: -3463827 +3463827, 3434515, 3556762 On rare occasions, SPT switchover might not happen cleanly in PIM, resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. 5.6.0-5.8.0 5.9.0-5.16.1 -3452681 +3452681, 3465375 When you run the NVUE {{nv show system aaa tacacs authorization}} commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to {{Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND}}. 5.5.0-5.10.1 5.11.0-5.16.1 @@ -518,7 +518,7 @@ To work around this issue when using fiber cables: -3442569 +3442569, 3520880, 3586421 When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both {{nginx.service}} and {{nvued.service}} to begin authenticating users against the new authentication service. 5.5.0-5.16.1 @@ -530,19 +530,19 @@ To work around this issue when using fiber cables: 5.9.0-5.16.1 -3433577 +3433577, 3433769 When you use a single VXLAN device (SVD) with MLAG and static VXLAN tunnels, Cumulus Linux incorrectly associates the MAC addresses it learns from the VXLAN fabric to the bridge PVID. This issue can lead to a feedback loop between the {{clagd}} service and {{switchd}}, and might result in critical CPU usage with an out of memory condition. Do not use an SVD when enabling MLAG in a static VXLAN environment. 5.5.0-5.8.0 5.9.0-5.16.1 -3430430 +3430430, 3337848 When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. 5.5.0-5.16.1 -3424967 +3424967, 3413785 {{sudo}} for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the {{default}} VRF. To work around this issue, specify the interface name that the {{default}} VRF uses in the {{vrf=}} setting of the {{/etc/tacplus_servers}} file or run the NVUE {{nv set system aaa tacacs vrf}} command. If you don't run either command, a TACACS+ user with privilege level 15 can run {{vrf task exec default sudo ...}} to execute the {{sudo}} command. 5.0.0-5.16.1 @@ -555,7 +555,7 @@ The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 -3414866 +3414866, 3536555, 4465009, 4509253, 4732973 Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error. sx_sdk: 22985 [BRIDGE] [ERROR ]: Port(0x200A000D)) already added to a bridge You can ignore this error; it has no impact on switch functionality. @@ -629,7 +629,7 @@ You can ignore this error; it has no impact on switch functionality. -3225117 +3225117, 3158720 Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. 5.4.0-5.16.1 @@ -652,7 +652,7 @@ To work around this issue, reference the OID without the preceding period ( {{.} -3145869 +3145869, 3430508, 3543102 On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. 5.2.0-5.16.1 @@ -729,7 +729,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -737,7 +737,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2885305 +2885305, 2887500, 3234087, 3074929, 3293192 Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. 5.0.0-5.16.1 @@ -844,7 +844,7 @@ You can safely ignore this warning. 5.3.1-5.6.0 -3662354 +3662354, 3582826 When you enable the FRR SNMP agent (agentx) and configure routing adjacencies with short timers (dead, keepalive, and hold time), the routing adjacencies might go down in certain scenarios; for example when you have frequent or concurrent client SNMP requests, you use custom SNMP MIB extensions, you poll OIDs with large responses, or during high CPU load. To work around this issue, you can increase the routing adjacency timers to accommodate SNMP processing. 5.6.0 @@ -904,7 +904,7 @@ Note: this procedure results in a switchd restart which will have an impact on t 5.6.0 -3616643 +3616643, 3660953 NVUE commands to set a route map exit policy match produce incorrect configuration in the {{/etc/frr/frr.conf}} file. 5.6.0 @@ -933,12 +933,12 @@ These error messages do not affect how the switch functions; however the message 5.6.0 -3610611 +3610611, 3599699 Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the nv unset vrf <vrf> loopback ip address command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the {{ping}} command to use a source address (such as an SVI address) with the {{ip vrf exec <VRF> ping <REMOTE_IP> -I <SVI_SRC_IP>}} command. 5.5.0-5.6.0 -3609128 +3609128, 3609176 When you use {{vi}} with root or sudo, visual mode is enabled by default due to a missing {{vimrc}} configuration file. This makes it difficult to copy and paste into {{vi}}. In CL5.7.0, the default configuration now includes {{set mouse-=a}}. In addition, the CL5.7.0 default configuration for {{vi}} now disables modelines, which can be a security risk. @@ -965,7 +965,7 @@ In addition, the CL5.7.0 default configuration for {{vi}} now disables modelines 5.6.0 -3599699 +3599699, 3569484, 3610611 Cumulus Linux assigns an IPv4 and IPv6 loopback address to a VRF interface by default. As a result, ping and route lookups for unique remote IP addresses on different VTEPs might not work if there is no source IP on the switch that belongs to the same subnet. To work around this issue, remove the loopback address on the VRF with the {{nv unset vrf <vrf> loopback ip address}} command. Only remove the loopback address if you are not running NTP as NTP requires a loopback address to work. Alternatively, you can change the {{ping}} command to use a source address (such as an SVI address) with the {{ip vrf exec <VRF> ping <REMOTE_IP> -I <SVI_SRC_IP>}} command. 5.5.0-5.6.0 @@ -985,7 +985,7 @@ In addition, the CL5.7.0 default configuration for {{vi}} now disables modelines 5.0.0-5.6.0 -3582826 +3582826, 3662354 When you enable the FRR SNMP agent (agentx) and configure routing adjacencies with short timers (dead, keepalive, and hold time), the routing adjacencies might go down in certain scenarios; for example when you have frequent or concurrent client SNMP requests, you use custom SNMP MIB extensions, you poll OIDs with large responses, or during high CPU load. To work around this issue, you can increase the routing adjacency timers to accommodate SNMP processing. 5.5.0-5.6.0 @@ -1022,7 +1022,7 @@ This is a cosmetic issue and does not affect how the switch operates. To prevent 5.3.1-5.6.0 -3566980 +3566980, 3511344 When running DHCP relay for IPv6 and a downstream interface flaps more than once, relaying might stop working. To recover, restart the {{dhcrelay6}} service, making sure the specified downstream interfaces are up and running. 5.5.0-5.6.0 @@ -1037,13 +1037,13 @@ This is a cosmetic issue and does not affect how the switch operates. To prevent 5.6.0 -3522524 +3522524, 3668926 FRR does not allow eBGP multi hop configuration on unnumbered BGP neighbors. 5.5.0-5.6.0 -3517739 +3517739, 3477016, 3565701 When you connect the SN5600 switch to third party test equipment (such as IXIA) using copper cables, 100G, 200G, 400G, and 800G links do not come up. To work around this issue, use fiber optic cables when testing an SN5600 switch with IXIA for 100G, 200G, 400G, and 800G link speeds. 5.6.0 @@ -1070,7 +1070,7 @@ cumulus@switch:~$ nv config patch frr_policy.yaml 5.0.0-5.6.0 -3428677 +3428677, 3437317 In certain cases, Cumulus Linux does not process next hop updates because the {{zebra}} IP routing manager thinks the state of the next hops is unchanged. As a result, route installation fails and remains in a rejected state. 5.3.0-5.6.0 @@ -1085,7 +1085,7 @@ cumulus@switch:~$ nv config patch frr_policy.yaml 5.5.0-5.6.0 -3347677 +3347677, 3180068 In an MLAG configuration, when a link failure occurs on the peerlink or the peerlink shuts down, the switch in the secondary role attracts traffic to its local VTEP as it advertises the local VTEP IP address momentarily just before the VXLAN device is protodown. This traffic is dropped for a brief moment (between 5 and 10 seconds) because the MLAG bonds on the secondary switch are already protodown. 5.1.0-5.6.0 @@ -1110,7 +1110,7 @@ cumulus@switch:~$ nv config patch frr_policy.yaml 5.4.0-5.6.0 -3221628 +3221628, 3217877 Cumulus Linux VX images might include an incorrect entry at the end of {{/etc/apt/sources.list}}, which produces warnings when you run {{apt update}}. Remove this entry to avoid these warnings. 5.2.0-5.6.0 diff --git a/content/cumulus-linux-58/Whats-New/rn.md b/content/cumulus-linux-58/Whats-New/rn.md index f207bb3f38..09a3cb3abe 100644 --- a/content/cumulus-linux-58/Whats-New/rn.md +++ b/content/cumulus-linux-58/Whats-New/rn.md @@ -16,7 +16,7 @@ pdfhidden: True |--- |--- |--- |--- | | [4963277](#4963277)
| When many BFD sessions are configured at scale, ptmd might crash when one of the BFD sessions flaps. | 5.3.1-5.14.0 | 5.15.0-5.16.1| | [4797691](#4797691)
| The message that the switch displays when you generate a cl-support file or as a post login banner contains an invalid Cumulus Support email address, which is no longer the formal channel for reporting support issues. | 5.0.0-5.9.4, 5.15.1 | 5.9.5, 5.16.0-5.16.1| -| [4663076](#4663076)
| When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.3.1-5.9.4 | 5.9.5-5.16.1, 5.11.5-5.16.1, 5.15.0-5.16.1| +| [4663076, 3963232](#4663076, 3963232)
| When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.3.1-5.9.4 | 5.9.5-5.16.1, 5.11.5-5.16.1, 5.15.0-5.16.1| | [4647646](#4647646)
| If you configure policy-based routing (PBR) rules for more than 32 interfaces, only the rules assigned to the first 32 interfaces are installed in the kernel. | 4.4.2-5.14.0 | 5.15.0-5.16.1| | [4633514](#4633514)
| When the switch processes large numbers of mroute updates in an MLAG configuration, FRR might crash. | 5.8.0-5.14.0 | 5.15.0-5.16.1| | [4621759](#4621759)
| When many BFD sessions are configured at scale, ptmd might crash when one of the BFD sessions flaps. | 5.3.1-5.14.0 | 5.15.0-5.16.1| @@ -25,14 +25,14 @@ pdfhidden: True | [4521203](#4521203)
| The SATA driver on the NVIDIA SN2410 switch sometimes exhibits failures similar to the following:
2025-06-20T20:03:38.785966+09:00 S1-RF10B kernel: 
[49878794.456350] ata1.00: failed command: WRITE FPDMA QUEUED
2025-06-20T20:03:38.785968+09:00 S1-RF10B kernel: [49878794.461984] ata1.00: cmd
61/08:08:50:2b:c4/00:00:01:00:00/40 tag 1 ncq dma 4096 out
2025-06-20T20:03:38.785970+09:00 S1-RF10B kernel: [49878794.461984] res 40/00:0c:50:2b:c4/00:00:01:00:00/40 Emask 0×10 (ATA bus error)

To work around this issue, power cycle the switch. | 5.5.1-5.13.1 | 5.14.0-5.16.1| | [4505138](#4505138)
| Transceiver OIR (removal and insertion) or link flaps might cause EMAD timeouts, eventually causing switchd to crash. You see logs similar to EMAD_TRANSACTION] [ERROR ]: ACCESS_REG TIMEOUT. | 5.6.0-5.9.3 | 5.9.4-5.16.1, 5.14.0-5.16.1| | [4469498](#4469498)
| When a host moves to a new VTEP during mobility or network failover events in an EVPN multihoming environment, the host might be unreachable due to ARP resolution failures. To work around this issue, restart the FRR service with the sudo systemctl restart frr.service command. | 5.4.0-5.9.3 | 5.9.4-5.16.1, 5.14.0-5.16.1| -| [4413450](#4413450)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.11.1, 5.13.0-5.13.1 | 5.11.2, 5.14.0-5.16.1| +| [4413450, 4497128](#4413450, 4497128)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.11.1, 5.13.0-5.13.1 | 5.11.2, 5.14.0-5.16.1| | [4404955](#4404955)
| On the NVIDIA SN2201 switch, the fan tray LED status update fails and you see the following syslog errors:
systemd-udevd116276: mlxreg:fan1:green: Process ‘/usr/bin/hw-management-chassis-events.sh fantray-led-event mlxreg:fan1:green 255’ failed with exit code 1.

To work around this issue, restart the hw-management service with the sudo systemctl restart hw-management command. | 5.7.0-5.9.3 | 5.9.4-5.16.1, 5.11.2-5.16.1, 5.14.0-5.16.1| | [4377862](#4377862)
| When processing the static IP assignment for an interface previously managed through DHCP, Cumulus Linux fails to clean up the DHCP created state completely. As a result when the IP address assigned by DHCP earlier expires, the switch eventually loses connectivity. | 5.1.0-5.9.3 | 5.9.4-5.16.1, 5.11.2-5.16.1, 5.13.0-5.16.1| | [4250847](#4250847)
| When the STP state goes down, then back up on the primary MLAG peer, the peerlink state is not updated correctly in mstpd. | 5.8.0-5.9.3 | 5.9.4-5.16.1, 5.11.1-5.16.1, 5.12.0-5.16.1| | [4220147](#4220147)
| When you bring STP down, then up on the primary MLAG peer, the STP state machine restarts and the peerlink operational edge resets. As a result, the secondary MLAG peer ends up in an STP discarding state. To work around this issue, restart the clagd service. | 5.8.0-5.11.0 | 5.11.1-5.16.1, 5.12.0-5.16.1| | [4182753](#4182753)
| When you configure the SPAN port mirror truncate size to a value greater than four and less than the supported minimum, NVUE allows the configuration even though there are errors and failures in the mirror session configuration.
The supported values for truncate size are 32 to 4088 for Spectrum 1, 48 to 4088 for Spectrum-2 and Spectrum-3, and 64 to 4088 for Spectrum-4.
To work around this issue, run the echo > /cumulus/switchd/config/mirror/session/1/truncate_size command before you reconfigure mirror sessions with the supported values. | 5.8.0-5.9.3 | 5.9.4-5.16.1, 5.11.1-5.16.1, 5.12.0-5.16.1| | [4151336](#4151336)
| After you reboot the switch, the ifplugd.service fails to start monitoring the interface. | 5.8.0-5.9.3, 5.10.0-5.11.0 | 5.9.4, 5.11.1-5.16.1, 5.12.0-5.16.1| -| [4129699](#4129699)
| switchd crashes because the hardware MAC limit is higher than the maximum. | 5.8.0-5.10.1 | 5.11.0-5.16.1| +| [4129699, 3790461](#4129699, 3790461)
| switchd crashes because the hardware MAC limit is higher than the maximum. | 5.8.0-5.10.1 | 5.11.0-5.16.1| | [4127253](#4127253)
| You might see switchd high-memory consumption and eventually switchd stops because it is out of memory due to higher tunnel (VNI x VTEP) scale. | 5.8.0-5.10.1 | 5.11.0-5.16.1| | [4124139](#4124139)
| When you add MLAG configuration to the first bond in a single MLAG switch configuration, MLAG interfaces and VXLAN interfaces go down. | 5.8.0-5.10.1 | 5.11.0-5.16.1| | [4119621](#4119621)
| When you set the SNMP server listening address to listen on all IPv4 and IPv6 addresses in a VRF with the nv set service snmp-server listening-address all vrf and nv set service snmp-server listening-address all-v6 vrf commands, SNMP requests over IPv6 addresses do not work. | 5.8.0-5.9.3, 5.10.0-5.10.1 | 5.9.4, 5.11.0-5.16.1| @@ -47,42 +47,42 @@ pdfhidden: True | [3970626](#3970626)
| When you configure the bridge.kernel_mac_refresh_interval parameter in the switchd.conf file, a switchd restart fails with a core dump. | 5.8.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3956091](#3956091)
| When you modify the default QoS configuration on top of the base RoCE configuration, NVUE reports an Invalid exception in the nv show qos roce command output even when the configuration is valid. | 5.8.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3955615](#3955615)
| Cumulus Linux does not recognize QSFP_CMIS optical modules correctly. | 5.6.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| -| [3954026](#3954026)
| Static ARP configured with NVUE commands is deleted when the relevant layer 3 interface flaps. | 5.8.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| -| [3949367](#3949367)
| If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. | 5.3.1-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| +| [3954026, 3677821](#3954026, 3677821)
| Static ARP configured with NVUE commands is deleted when the relevant layer 3 interface flaps. | 5.8.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| +| [3949367, 3949366](#3949367, 3949366)
| If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. | 5.3.1-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3928905](#3928905)
| The nv show interface commands show RX and TX Power values from the wrong lanes on breakout ports. | 5.8.0-5.9.1, 5.10.0-5.10.1 | 5.9.2, 5.11.0-5.16.1| | [3927016](#3927016)
| Following an EVPN extended mobility event, where a host with IP address A and MAC address A moves within the fabric and now resides at IP address A and MAC address B, you might see traffic destined to this host experience drops as the flow is software forwarded on the egress VTEP. | 5.0.1-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3917601](#3917601)
| If a packet containing an all zero source MAC address (00:00:00:00:00:00) is learned on the ASIC, switchd sends the learn notification to the kernel but the kernel rejects the MAC address as invalid. The ASIC continuously sends the mac-learn notifications, which wastes CPU resources. To work around this issue, configure ACLs to match on the all-zero source MAC address and drop the invalid packets. | 5.5.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3917528](#3917528)
| With LACP bypass enabled, Cumulus Linux does not program the MAC address in the bridge FDB for VLAN unaware tagged ports. With EVPN, the address is not advertised and the remote side might flood the packet instead of unicast. | 5.8.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3897227](#3897227)
| During an LLDP update storm while deleting or adding LLPD neighbors, PTMD crashes as a result of mishandling multi-threaded LLPD processing. | 5.5.1-5.9.5 | 5.10.0-5.16.1| | [3896967](#3896967)
| PTP doesn't come up with IPv6 over a trunk port due to the IPv6 VLAN tag not being sent. PTP over an IPv4 trunk works fine. | 5.8.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| -| [3895042](#3895042)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| +| [3895042, 3895041](#3895042, 3895041)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3895017](#3895017)
| When ARP suppression is off, remote EVPN VTEPs duplicate ARP packets from local hosts and each remote host receives two copies of the ARP packets. The issue also applies to IPv6 ND packets. | 5.8.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| -| [3875419](#3875419)
| The cleanup scrip inadvertently removes the active LTTng session directory used by lttng-sessiond for trace dumping. This issue occurs under specific conditions when more than five LTTng trace folders are present, leading to intermittent failures in trace logging. To work around this issue, manually move the timestamped lttng logs to a different directory. | 5.8.0 | 5.9.0-5.16.1| +| [3875419, 3871507](#3875419, 3871507)
| The cleanup scrip inadvertently removes the active LTTng session directory used by lttng-sessiond for trace dumping. This issue occurs under specific conditions when more than five LTTng trace folders are present, leading to intermittent failures in trace logging. To work around this issue, manually move the timestamped lttng logs to a different directory. | 5.8.0 | 5.9.0-5.16.1| | [3863858](#3863858)
| VRR interfaces might show dadfailed on their IPv6 link-local address. | 5.6.0-5.8.0 | 5.9.0-5.16.1| | [3863063](#3863063)
| When simultaneously changing the maxage and forward-delay bridge timers in RSTP for VLAN-aware bridges, the commands might not be accepted if the 2xfdelay-1 is less than the previously configured maxage timer because ifupdown2 configures the forward delay first.
To work around this issue, run the ifreload -a command again to process the forward-delay command after the new maxage configuration has been accepted.
You have to repeat the ifreload -a command after a reboot to set the forward delay correctly in the bridge. | 5.8.0 | 5.9.0-5.16.1| | [3859422](#3859422)
| On rare occasions when certain events occur, such as changes to the topology in the network, when a bond comes online and directly transits to an STP blocking state, the slave ports might still be in a forwarding state. As a result, traffic is forwarded on a blocked port. | 5.2.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3854807](#3854807)
| When you enable Optimized Multicast Flooding (OMF) and change VLAN configuration, a few ports might carry multicast traffic even when they are not in the MDB or they are not router ports. | 5.6.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3854800](#3854800)
| The switch forwards multicast traffic to the CPU when PIM is enabled globally, regardless of the interface configuration. | 5.6.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3851499](#3851499)
| On the Spectrum A1 switch, when you enable the ip-acl-heavy TCAM profile, VXLAN tunnel initialization might fail. | 5.8.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| -| [3837121](#3837121)
| With a large route map and community list configuration, FRR reload takes much longer than normal (approximately 13 seconds) and in some cases, CPU utilization is high. | 5.8.0 | 5.9.0-5.16.1| +| [3837121, 3695576](#3837121, 3695576)
| With a large route map and community list configuration, FRR reload takes much longer than normal (approximately 13 seconds) and in some cases, CPU utilization is high. | 5.8.0 | 5.9.0-5.16.1| | [3832116](#3832116)
| When you configure a SPAN session either with the NVUE nv set system port-mirror session command or in the /etc/cumulus/switchd.d/port-mirror.conf file and the default route is configured to 0.0.0.0/0, the SPAN session might not work as expected. To work around this issue, remove the default route 0.0.0.0/0 and use alternate routes instead. | 5.7.0-5.8.0 | 5.9.0-5.16.1| | [3828243](#3828243)
| After you change the remote AS for a peer group, the switch no longer has any peers associated with the peer group. To work around this issue, reconfigure all the associated peers after you change the remote AS for the peer group. | 5.8.0 | 5.9.0-5.16.1| | [3824750](#3824750)
| With the nvidia.nvue Ansible module, NVUE honors input from the Ansible module only; if you do not provide the full configuration, NVUE generates an exception. To work around this issue, always provide the full configuration. | 5.6.0-5.8.0 | 5.9.0-5.16.1| -| [3813710](#3813710)
| The What Just Happened service (wjhd) fails to start if an interface alias (description) contains the text Ethernet and add syslog messages similar to the following:
router1: wjhd: exception: stoirouter1: wjhd: Fail to deinit SDK telemetry, error: [3]: [Invalid Handle]
| 5.8.0 | 5.9.0-5.16.1| +| [3813710, 3814673](#3813710, 3814673)
| The What Just Happened service (wjhd) fails to start if an interface alias (description) contains the text Ethernet and add syslog messages similar to the following:
router1: wjhd: exception: stoirouter1: wjhd: Fail to deinit SDK telemetry, error: [3]: [Invalid Handle]
| 5.8.0 | 5.9.0-5.16.1| | [3812857](#3812857)
| When enabling telemetry on an interface, NVUE doesn’t validate if some of the configuration is correct. For example if you configure swp1s0, but enter swp1 by mistake, NVUE accepts and applies this configuration. If the ASIC monitor service finds that this port is not available, it skips the configuration associated with this port. NVUE applies configuration for other valid ports as expected. | 5.8.0 | 5.9.0-5.16.1| | [3800536](#3800536)
| Some third-party modules cause false-alarm interrupts during SERDES tuning, which overloads the ASIC and causes an ASIC response delay. | 5.8.0 | 5.9.0-5.16.1| | [3798580](#3798580)
| With ROCE enabled, LLDP DCBX TLVs might carry an incorrect PFC map when bond interfaces are present on the switch. | 5.8.0 | 5.9.0-5.16.1| | [3782996](#3782996)
| If you have installed a large number ACLs, you might see a switchd memory leak over a period of time that stops the switchd process because it is out of memory . | 5.6.0-5.8.0 | 5.9.0-5.16.1| | [3782543](#3782543)
| When you configure the BGP setting bgp max-med on-startup with vtysh, the MED on some peers might not be set to 4294967294 as expected on startup. The max-med might also fail to reset after the startup timer expires. | 5.6.0-5.8.0 | 5.9.0-5.16.1| -| [3775686](#3775686)
| The BGP Suppress Route Advertisement feature under scale (more than 30000 routes) advertises partial updates to downstream neighbors. Because FRR does not read kernel route updates fast enough, the netlink socket receive buffer gets full and further update notifications are dropped. | 5.8.0-5.9.5 | 5.10.0-5.16.1| +| [3775686, 3644649](#3775686, 3644649)
| The BGP Suppress Route Advertisement feature under scale (more than 30000 routes) advertises partial updates to downstream neighbors. Because FRR does not read kernel route updates fast enough, the netlink socket receive buffer gets full and further update notifications are dropped. | 5.8.0-5.9.5 | 5.10.0-5.16.1| | [3775648](#3775648)
| Enabling or disabling link utilization causes the switchd service to restart, which causes all network ports to reset, interrupts network services, and resets the switch hardware configuration. | 5.8.0 | 5.9.0-5.16.1| | [3774274](#3774274)
| When you manually configure the /etc/cumulus/datapath/qos/qos_features.conf file without applying the QoS configuration with NVUE, running the nv config apply empty command later does not clean up the QoS configuration. If the QoS configuration includes breakout ports, the nv config apply empty command fails due to a switchd reload trigger failure. To work around this issue, clean up the configuration manually in the /etc/cumulus/datapath/qos/qos_features.conf, then run the nv config apply empty command. | 5.8.0-5.16.1 | | | [3773991](#3773991)
| When you use warm mode to reboot a switch with a large number of EVPN routes and BGP graceful restart is enabled, stale routes might be relearned from BGP neighbors after the switch boots. This might cause traffic loss until BGP is fully converged after the reboot. | 5.8.0 | 5.9.0-5.16.1| | [3773177](#3773177)
| When you try to upgrade a switch from Cumulus Linux before 5.6.0 with package upgrade, you might see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.
cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt install ./cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt update
cumulus@switch:~$ sudo apt upgrade
| 4.0.0-4.4.5, 5.0.0-5.16.1 | | | [3771168](#3771168)
| When you perform an ISSU upgrade on a Spectrum 1 switch, the switchd service might crash. | 5.8.0-5.16.1 | | -| [3770993](#3770993)
| When a supplicant is authorized successfully on an interface in 802.1x multi-host mode, ping traffic coming into the 802.1x interface towards a local SVI might not be successful. | 5.8.0 | 5.9.0-5.16.1| +| [3770993, 3811142](#3770993, 3811142)
| When a supplicant is authorized successfully on an interface in 802.1x multi-host mode, ping traffic coming into the 802.1x interface towards a local SVI might not be successful. | 5.8.0 | 5.9.0-5.16.1| | [3770865](#3770865)
| On the NVIDIA SN5600 switch, performing a fresh image install or a power cycle can cause the PCIE link speed to get downgraded from Gen3(8GTs) to Gen1(2.5GTs). To recover, reboot the switch. | 5.8.0 | 5.9.0-5.16.1| -| [3767037](#3767037)
| When you try to upgrade a switch from Cumulus Linux 5.5 or earlier to 5.8.0 with package upgrade, you see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.
cumulus@switch:~$ sudo apt-get updatecumulus@switch:~$ sudo apt-get install --allow-unauthenticated cumulus-archive-keyring
| 5.8.0 | 5.9.0-5.16.1| +| [3767037, 3770312](#3767037, 3770312)
| When you try to upgrade a switch from Cumulus Linux 5.5 or earlier to 5.8.0 with package upgrade, you see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.
cumulus@switch:~$ sudo apt-get updatecumulus@switch:~$ sudo apt-get install --allow-unauthenticated cumulus-archive-keyring
| 5.8.0 | 5.9.0-5.16.1| | [3765395](#3765395)
| The nv unset nve vxlan flooding and nv set nve vxlan flooding enable off commands do not disable BUM flooding. To work around this issue, disable BUM flooding with vtysh commands:
leaf01# configure terminal
leaf01(config)# router bgp 
leaf01(config-router)# address-family l2vpn evpn
leaf01(config-router-af)# flooding disable
leaf01(config-router-af)# end
leaf01# write memory
leaf01# exit
| 5.5.0-5.8.0 | 5.9.0-5.16.1| | [3763543](#3763543)
| The NVIDIA SN4600C switch fails to boot fully after you upgrade from Cumulus Linux 4.2.1 to 5.7 with ONIE install. To work around this issue, perform an intermediate step image upgrade; for example, upgrade the switch from Cumulus Linux 4.2.1 to 5.2.1 to 5.7.0. | 5.7.0-5.9.1 | 5.9.2-5.16.1, 5.10.0-5.16.1| | [3759515](#3759515)
| After upgrading to Cumulus Linux 5.8, MLAG reports bonds as bpdu guard mismatch. To work around this issue, restart the MLAG service with the systemctl restart clagd on the device that reports the conflict. | 5.8.0 | 5.9.0-5.16.1| @@ -93,34 +93,34 @@ pdfhidden: True | [3730904](#3730904)
| When sending untagged frames to the CPU with an MTU higher than the SVD (single VXLAN device) MTU, the kernel might crash. | 5.4.0-5.8.0 | 5.9.0-5.16.1| | [3711913](#3711913)
| When you set an IPv4 ACL with a log action, logs do not appear under syslog after a match. This issue affects bridged packets when the rule is installed in iptables. To work around this issue, set the ACL with a MAC rule type so that it is installed in ebtables and the packets are logged correctly in syslog.
The following shows an example configuration:
cumulus@switch:~$ nv set acl one rule 1 action log log-prefix NVIDIA
cumulus@switch:~$ nv set acl one rule 1 match ip protocol udp
cumulus@switch:~$ nv set acl one rule 1 match ip source-ip 10.0.14.2
cumulus@switch:~$ nv set acl one rule 1 match ip udp source-port 34
cumulus@switch:~$ nv set acl one rule 1 match mac protocol ipv4
cumulus@switch:~$ nv set acl one type mac
| 5.7.0-5.9.5 | 5.10.0-5.16.1| | [3702431](#3702431)
| Traditional SNMP snippets do not take effect unless you first enable SNMP with the NVUE nv set service snmp-server enable on and nv set service snmp-server listening-address commands. Alternatively, you can use the equivalent REST API methods. | 5.4.0-5.8.0 | 5.9.0-5.16.1| -| [3679478](#3679478)
| During switch boot, you see the following messages in the syslog:
2024-03-04T10:34:49.650950+00:00 cumulus sx_sdk: 2262 [TELE] [ERROR  ]: Tele impl module is already initialized2024-03-04T10:34:49.651041+00:00 cumulus sx_sdk: 2262 [TELE] [ERROR  ]: sdk_tele_init failed, for chip type CHIP_TYPE_SWITCH_SPECTRUM3, err = Already initialized

This is due to both the ASIC Monitoring service and the What Just Happened (WJH) service trying to initialize the SDK TELE module. You can ignore the messages because the TELE service has already initialized properly. | 5.7.0-5.8.0 | 5.9.0-5.16.1| +| [3679478, 3701229, 3737814](#3679478, 3701229, 3737814)
| During switch boot, you see the following messages in the syslog:
2024-03-04T10:34:49.650950+00:00 cumulus sx_sdk: 2262 [TELE] [ERROR  ]: Tele impl module is already initialized2024-03-04T10:34:49.651041+00:00 cumulus sx_sdk: 2262 [TELE] [ERROR  ]: sdk_tele_init failed, for chip type CHIP_TYPE_SWITCH_SPECTRUM3, err = Already initialized

This is due to both the ASIC Monitoring service and the What Just Happened (WJH) service trying to initialize the SDK TELE module. You can ignore the messages because the TELE service has already initialized properly. | 5.7.0-5.8.0 | 5.9.0-5.16.1| | [3677533](#3677533)
| Due to resource constraints on the Spectrum 1 switch, staticd performance drops and takes longer to read static routes compared to the time BGP takes to complete a graceful restart and advertise routes and EOR to its helpers. As a result, static routes are advertised after the EOR is sent to graceful restart helpers, which delete the stale static routes and relearn them after receiving the EOR from the restarting node. Temporary traffic loss might occur. | 5.7.0-5.16.1 | | | [3672706](#3672706)
| When you enable port security, you can configure a maximum of 450 port security static MAC addresses for an interface. | 5.7.0-5.8.0 | 5.9.0-5.16.1| | [3655681](#3655681)
| When you disable, then enable STP auto-edge on a port, the port might not transition to the operational edge even though the port does not receive bpdus. To work around this issue, configure the port as an admin-edge port. | 5.7.0-5.16.1 | | | [3637444](#3637444)
| Applying an inbound control plane ACL on the eth0 management interface does not take effect. To work around this issue, apply the ACL on the mgmt interface; for example, nv set interface mgmt acl inbound control-plane. | 5.7.0-5.16.1 | | | [3636266](#3636266)
| When an unresolved next hop is present in a next hop group, especially over an SVI interface, the switch checks if the neighbor MAC address is in the forwarding table. If the neighbor's MAC address is not there, the switch skips this next hop from backend programming and you see the switchd error ERR NH: l3 nhg v6 l3 nhg contains one or more unresolvable nexthops. There is no impact to switch functionality as unresolved neighbors are not programmed in hardware until they are resolved. | 5.7.0-5.9.5 | 5.10.0-5.16.1| -| [3610967](#3610967)
| In an EVPN symmetric routing configuration, running the NVUE nv set vrf vlan auto command to derive layer 3 VNIs automatically might result in duplicate VLAN entries in the system. This most often occurs at scale when many VRFs have similar names. To work around this issue, manually specify a unique VLAN for each VRF. | 5.3.0-5.8.0 | 5.9.0-5.16.1| -| [3610591](#3610591)
| After configuring the system level pre-login and post-login banner messages, the messages do not return to their default settings when you run the nv unset system command or the nv config apply empty command. | 5.7.0-5.9.5 | 5.10.0-5.16.1| +| [3610967, 3647761](#3610967, 3647761)
| In an EVPN symmetric routing configuration, running the NVUE nv set vrf vlan auto command to derive layer 3 VNIs automatically might result in duplicate VLAN entries in the system. This most often occurs at scale when many VRFs have similar names. To work around this issue, manually specify a unique VLAN for each VRF. | 5.3.0-5.8.0 | 5.9.0-5.16.1| +| [3610591, 3781456](#3610591, 3781456)
| After configuring the system level pre-login and post-login banner messages, the messages do not return to their default settings when you run the nv unset system command or the nv config apply empty command. | 5.7.0-5.9.5 | 5.10.0-5.16.1| | [3591918](#3591918)
| The nv action disconnect system aaa user command does not clear all open sessions. To work around this issue, run the command as many times as the number of sessions. | 5.6.0-5.16.1 | | | [3587393](#3587393)
| If you use the NVIDIA SN5600 (Spectrum-4) switch with Ixia test equipment, you might experience delayed link up due to intermittent link flaps.
To work around this issue when using copper cables:
  • Use Ixia IxOS version 9.37 with HF002156, or version 9.39 or later.
  • Use the DAC cable on ports 10 through 50.
  • Use NVIDIA cables with the recommended firmware revision.
  • Configure AN on the Cumulus Linux switch and AN/LT on Ixia.

To work around this issue when using fiber cables:
  • Configure 800g/Force.
  • Use the recommended NVIDIA optical adapters.
| 5.6.0-5.16.1 | | -| [3556762](#3556762)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | -| [3546857](#3546857)
| The nv show bridge vlan command does not show tagged and untagged VLAN information for the bridge
| 5.6.0-5.8.0 | 5.9.0-5.16.1| +| [3556762, 3463827](#3556762, 3463827)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | +| [3546857, 3564377](#3546857, 3564377)
| The nv show bridge vlan command does not show tagged and untagged VLAN information for the bridge
| 5.6.0-5.8.0 | 5.9.0-5.16.1| | [3541653](#3541653)
| During warm boot with layer 3 traffic, you might experience packet loss for approximately 15 milliseconds. | 5.6.0-5.8.0 | 5.9.0-5.16.1| | [3540510](#3540510)
| 400Gx8 ports only support traffic line rate with packets that are larger than 172 bytes. | 5.6.0-5.16.1 | | -| [3538321](#3538321)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | +| [3538321, 3564344](#3538321, 3564344)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | | [3497622](#3497622)
| When you remove PSUs, then plug them back in, you might experience traffic loss and some ports might be in a down state. | 5.6.0-5.16.1 | | | [3484058](#3484058)
| When you power on the NVIDIA SN3420 switch with no connected cables, the QSFP ports LEDs light in amber. | 5.3.0-5.8.0 | 5.9.0-5.16.1| | [3472163](#3472163)
| On a switch with the Spectrum-4 ASIC, packets that are smaller than 256 bytes are not included in multicast flows. Multicast flows support packets that are 256 bytes or larger. | 5.6.0-5.16.1 | | -| [3463827](#3463827)
| On rare occasions, SPT switchover might not happen cleanly in PIM, resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.6.0-5.8.0 | 5.9.0-5.16.1| -| [3452681](#3452681)
| When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND. | 5.5.0-5.10.1 | 5.11.0-5.16.1| +| [3463827, 3434515, 3556762](#3463827, 3434515, 3556762)
| On rare occasions, SPT switchover might not happen cleanly in PIM, resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.6.0-5.8.0 | 5.9.0-5.16.1| +| [3452681, 3465375](#3452681, 3465375)
| When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND. | 5.5.0-5.10.1 | 5.11.0-5.16.1| | [3444490](#3444490)
| Migration from ONYX to Cumulus Linux is supported and tested with ONYX version 3.10.4302 GA only. | 5.6.0-5.16.1 | | -| [3442569](#3442569)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | +| [3442569, 3520880, 3586421](#3442569, 3520880, 3586421)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | | [3436407](#3436407)
| The nv show acl command output shows a header but no ACL details. | 5.5.0-5.8.0 | 5.9.0-5.16.1| -| [3433577](#3433577)
| When you use a single VXLAN device (SVD) with MLAG and static VXLAN tunnels, Cumulus Linux incorrectly associates the MAC addresses it learns from the VXLAN fabric to the bridge PVID. This issue can lead to a feedback loop between the clagd service and switchd, and might result in critical CPU usage with an out of memory condition. Do not use an SVD when enabling MLAG in a static VXLAN environment. | 5.5.0-5.8.0 | 5.9.0-5.16.1| -| [3430430](#3430430)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | -| [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | +| [3433577, 3433769](#3433577, 3433769)
| When you use a single VXLAN device (SVD) with MLAG and static VXLAN tunnels, Cumulus Linux incorrectly associates the MAC addresses it learns from the VXLAN fabric to the bridge PVID. This issue can lead to a feedback loop between the clagd service and switchd, and might result in critical CPU usage with an out of memory condition. Do not use an SVD when enabling MLAG in a static VXLAN environment. | 5.5.0-5.8.0 | 5.9.0-5.16.1| +| [3430430, 3337848](#3430430, 3337848)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | +| [3424967, 3413785](#3424967, 3413785)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [3414866](#3414866)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | +| [3414866, 3536555, 4465009, 4509253, 4732973](#3414866, 3536555, 4465009, 4509253, 4732973)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | | [3393966](#3393966)
| When you configure OSPF network statements using NVUE with the nv set vrf router ospf area network command, subsequent configuration changes with NVUE might bring down all OSPF neighbors. To work around this issue, create an NVUE snippet to configure the network statement, or use the nv set interface router ospf area command to enable OSPF on interfaces instead of using a network statement. | 5.5.0-5.9.5 | 5.10.0-5.16.1| | [3362113](#3362113)
| If you restore an NVUE startup.yaml file or run the nv config patch command after an upgrade that includes breakout ports with QoS configuration, the NVUE configuration fails to apply. Subsequent attempts to run nv config apply fail with a message similar to Invalid config [rev_id: 11] qos config is not supported on the following invalid interface: swp1s0. Supported on swp and bond interface types. To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. | 5.4.0-5.16.1 | | | [3347538](#3347538)
| When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.16.1 | | @@ -131,10 +131,10 @@ pdfhidden: True | [3253218](#3253218)
| Auto-negotiation isn't supported on Spectrum-2 and Spectrum-3 switches using the 1G SFP-T module; FORCE 1G is configured instead. | 5.4.0-5.16.1 | | | [3241567](#3241567)
| When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time. | 5.3.0-5.16.1 | | | [3226506](#3226506)
| The l1-show eth0 command does not show port information and is not supported in this release. | 5.3.0-5.16.1 | | -| [3225117](#3225117)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | +| [3225117, 3158720](#3225117, 3158720)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | | [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.16.1 | | | [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.16.1 | | -| [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | +| [3145869, 3430508, 3543102](#3145869, 3430508, 3543102)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | | [3141826](#3141826)
| A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1)
1.3.6.1.2.1.47 --> Entity MIB
1.3.6.1.2.1.99 --> Entity Sensor MIB
1.3.6.1.2.1.23 --> rip2
1.3.6.1.2.1.2 --> interface/interfaces
1.3.6.1.2.1.31 --> ifMIB
1.3.6.1.2.1.4 --> IP
1.3.6.1.2.1.25 --> hostResource | 5.0.1-5.8.0 | 5.9.0-5.16.1| | [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example: 
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.16.1 | | | [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.16.1 | | @@ -145,8 +145,8 @@ pdfhidden: True | [3061656](#3061656)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.16.1 | | | [2972540](#2972540)
| With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.16.1 | | | [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.16.1 | | -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [2885305](#2885305)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2885305, 2887500, 3234087, 3074929, 3293192](#2885305, 2887500, 3234087, 3074929, 3293192)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.16.1 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.16.1 | | | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | @@ -161,7 +161,7 @@ pdfhidden: True | [3751952](#3751952)
| ifupdown2 tries to set the multicast database hash elasticity (bridge-hashel attribute) with a value of 4096. However, this attribute is now deprecated in the Linux kernel and the value is always 16. | 5.5.1-5.7.0 | | | [3738626](#3738626)
| If you configure a VNI before an SVI, you can't add or remove the VRR address from the SVI. To work around this issue, configure the SVI before the VNI. | 5.6.0-5.7.0 | | | [3718614](#3718614)
| When a corrupt or invalid ZTP script exists on the ZTP file server, the ZTP service on the switch might crash and report Too many open files after approximately 1000 download attempts. To recover and restart ZTP, reboot the switch. Always provide a valid ZTP script when using ZTP download. | 5.7.0 | | -| [3713420](#3713420)
| When you run the systemctl restart switchd.service command or reboot the switch after you set the host route preference option with the NVUE nv set system forwarding host-route-preference command or manually in the /etc/cumulus/switchd.conf file, switchd crashes and creates core files. | 5.7.0 | | +| [3713420, 3718144](#3713420, 3718144)
| When you run the systemctl restart switchd.service command or reboot the switch after you set the host route preference option with the NVUE nv set system forwarding host-route-preference command or manually in the /etc/cumulus/switchd.conf file, switchd crashes and creates core files. | 5.7.0 | | | [3713419](#3713419)
| When monitoring system statistics and network traffic with sFlow, an aggressive link flap might produce a memory leak in the sFlow service hsflowd. | 5.1.0-5.7.0 | | | [3712877](#3712877)
| Configuring the number of lanes per port after breaking out the port is not effective. To work around this issue, first unset the breakout with the nv unset interface breakout and nv config apply commands, then reconfigure the breakout and the lanes with the nv set interface link breakout lanes-per-port command. For example:
cumulus@switch:~$ nv unset interface swp1 link breakout
cumulus@switch:~$ nv config apply
cumulus@switch:~$ nv set interface swp1 link breakout 2x lanes-per-port 2
cumulus@switch:~$ nv config apply | | | | [3712007](#3712007)
| In RSTP mode when there is a bridge port flap, Cumulus Linux flushes, then re-adds dynamic MAC addresses on the peer link, which might cause short traffic disruption. | 5.6.0-5.7.0 | | @@ -169,7 +169,7 @@ pdfhidden: True | [3710396](#3710396)
| In an eBGP multihop configuration with dynamic neighbors, Cumulus Linux does not update the configured TTL but uses the MAXTTL instead. This issue is only observed with dynamic peers. | 5.6.0-5.7.0 | | | [3698680](#3698680)
| If you run the ifreload -a command when ACLs exist but nonatomic update mode is set in the switchd.conf file, traffic pauses on unaffected interfaces. | 5.6.0-5.7.0 | | | [3695491](#3695491)
| When you log into a Cumulus Linux switch after a fresh install through the serial console, the management VRF might not be available. (This is not an issue with ssh.) To work around this issue, log out, then log back into the console a few seconds later, after the switch finishes booting. | 5.7.0 | | -| [3686389](#3686389)
| When you use NVUE commands to configure an untagged VLAN (PVID) on a bridge to a non-default value, nv show bridge commands still indicate that the untagged VLAN is 1 (the default value). The untagged VLAN you configured is properly set on bridge ports, but displays incorrectly in operational NVUE show commands. | 5.6.0-5.7.0 | | +| [3686389, 3725881](#3686389, 3725881)
| When you use NVUE commands to configure an untagged VLAN (PVID) on a bridge to a non-default value, nv show bridge commands still indicate that the untagged VLAN is 1 (the default value). The untagged VLAN you configured is properly set on bridge ports, but displays incorrectly in operational NVUE show commands. | 5.6.0-5.7.0 | | | [3671288](#3671288)
| Routes and/or next-hops will no-longer be installed in kernel, and traffic related to these routes and/or next-hops will not be forwarded correctly. Flapping of EVPN prefixes from BGP updates and withdraws sometimes causes a race condition where the routes are never re-installed. An example of a trigger that can lead to this problem is a flapping peerlink. A reboot of each switch with missing routes will recover from this issue. | 5.6.0-5.7.0 | | | [3632843](#3632843)
| When the switch receives a type-5 route in BGP and there is a network statement for the same prefix, BGP sometimes removes the request to track next hops from FRR. As next hop reachability changes, BGP no longer reacts to the change. To work around this issue, run the clear bgp * command for all peerings. | 5.6.0-5.7.0 | | | [3630492](#3630492)
| On the NVIDIA SN2201 switch, the ledmgrd -d command output shows the system and PSU LED status as orange when the physical LED is green. | 5.5.1-5.7.0 | | diff --git a/content/cumulus-linux-58/rn.xml b/content/cumulus-linux-58/rn.xml index 4cf4c7a21f..365d22b5a0 100644 --- a/content/cumulus-linux-58/rn.xml +++ b/content/cumulus-linux-58/rn.xml @@ -19,7 +19,7 @@ 5.9.5, 5.16.0-5.16.1 -4663076 +4663076, 3963232 When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. 5.3.1-5.9.4 5.9.5-5.16.1, 5.11.5-5.16.1, 5.15.0-5.16.1 @@ -77,7 +77,7 @@ To work around this issue, power cycle the switch. 5.9.4-5.16.1, 5.14.0-5.16.1 -4413450 +4413450, 4497128 When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. 5.0.0-5.11.1, 5.13.0-5.13.1 5.11.2, 5.14.0-5.16.1 @@ -121,7 +121,7 @@ To work around this issue, restart the {{hw-management}} service with the {{sudo 5.9.4, 5.11.1-5.16.1, 5.12.0-5.16.1 -4129699 +4129699, 3790461 {{switchd}} crashes because the hardware MAC limit is higher than the maximum. 5.8.0-5.10.1 5.11.0-5.16.1 @@ -211,13 +211,13 @@ To work around this issue, restart the {{hw-management}} service with the {{sudo 5.9.2-5.16.1, 5.10.0-5.16.1 -3954026 +3954026, 3677821 Static ARP configured with NVUE commands is deleted when the relevant layer 3 interface flaps. 5.8.0-5.9.1 5.9.2-5.16.1, 5.10.0-5.16.1 -3949367 +3949367, 3949366 If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. 5.3.1-5.9.1 5.9.2-5.16.1, 5.10.0-5.16.1 @@ -259,7 +259,7 @@ To work around this issue, restart the {{hw-management}} service with the {{sudo 5.9.2-5.16.1, 5.10.0-5.16.1 -3895042 +3895042, 3895041 After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes: snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a This issue occurs because {{poectl}} is called on non-PoE switches. To work around this issue, remove or comment out the {{poetcl}} call from the {{/etc/snmpd.conf}} file, then restart the {{snmpd}} process with the {{sudo systemctl snmpd restart}} command. @@ -274,7 +274,7 @@ This issue occurs because {{poectl}} is called on non-PoE switches. To work arou 5.9.2-5.16.1, 5.10.0-5.16.1 -3875419 +3875419, 3871507 The cleanup scrip inadvertently removes the active LTTng session directory used by {{lttng-sessiond}} for trace dumping. This issue occurs under specific conditions when more than five LTTng trace folders are present, leading to intermittent failures in trace logging. To work around this issue, manually move the timestamped {{lttng}} logs to a different directory. 5.8.0 5.9.0-5.16.1 @@ -316,7 +316,7 @@ This issue occurs because {{poectl}} is called on non-PoE switches. To work arou 5.9.2-5.16.1, 5.10.0-5.16.1 -3837121 +3837121, 3695576 With a large route map and community list configuration, FRR reload takes much longer than normal (approximately 13 seconds) and in some cases, CPU utilization is high. 5.8.0 5.9.0-5.16.1 @@ -340,7 +340,7 @@ This issue occurs because {{poectl}} is called on non-PoE switches. To work arou 5.9.0-5.16.1 -3813710 +3813710, 3814673 The What Just Happened service ({{wjhd}}) fails to start if an interface alias (description) contains the text {{Ethernet}} and add syslog messages similar to the following: router1: wjhd: exception: stoi @@ -380,7 +380,7 @@ router1: wjhd: Fail to deinit SDK telemetry, error: [3]: [Invalid Handle] 5.9.0-5.16.1 -3775686 +3775686, 3644649 The BGP Suppress Route Advertisement feature under scale (more than 30000 routes) advertises partial updates to downstream neighbors. Because FRR does not read kernel route updates fast enough, the netlink socket receive buffer gets full and further update notifications are dropped. 5.8.0-5.9.5 5.10.0-5.16.1 @@ -422,7 +422,7 @@ cumulus@switch:~$ sudo apt upgrade -3770993 +3770993, 3811142 When a supplicant is authorized successfully on an interface in 802.1x multi-host mode, {{ping}} traffic coming into the 802.1x interface towards a local SVI might not be successful. 5.8.0 5.9.0-5.16.1 @@ -434,7 +434,7 @@ cumulus@switch:~$ sudo apt upgrade 5.9.0-5.16.1 -3767037 +3767037, 3770312 When you try to upgrade a switch from Cumulus Linux 5.5 or earlier to 5.8.0 with package upgrade, you see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch. cumulus@switch:~$ sudo apt-get update @@ -519,7 +519,7 @@ cumulus@switch:~$ nv set acl one type mac 5.9.0-5.16.1 -3679478 +3679478, 3701229, 3737814 During switch boot, you see the following messages in the syslog: 2024-03-04T10:34:49.650950+00:00 cumulus sx_sdk: 2262 [TELE] [ERROR ]: Tele impl module is already initialized @@ -560,13 +560,13 @@ This is due to both the ASIC Monitoring service and the What Just Happened (WJH) 5.10.0-5.16.1 -3610967 +3610967, 3647761 In an EVPN symmetric routing configuration, running the NVUE {{nv set vrf <vrf> vlan auto}} command to derive layer 3 VNIs automatically might result in duplicate VLAN entries in the system. This most often occurs at scale when many VRFs have similar names. To work around this issue, manually specify a unique VLAN for each VRF. 5.3.0-5.8.0 5.9.0-5.16.1 -3610591 +3610591, 3781456 After configuring the system level pre-login and post-login banner messages, the messages do not return to their default settings when you run the {{nv unset system}} command or the {{nv config apply empty}} command. 5.7.0-5.9.5 5.10.0-5.16.1 @@ -592,13 +592,13 @@ To work around this issue when using fiber cables: -3556762 +3556762, 3463827 On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. 5.5.0-5.16.1 -3546857 +3546857, 3564377 The {{nv show bridge vlan}} command does not show tagged and untagged VLAN information for the bridge. @@ -618,7 +618,7 @@ To work around this issue when using fiber cables: -3538321 +3538321, 3564344 In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. 5.6.0-5.16.1 @@ -642,13 +642,13 @@ To work around this issue when using fiber cables: -3463827 +3463827, 3434515, 3556762 On rare occasions, SPT switchover might not happen cleanly in PIM, resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. 5.6.0-5.8.0 5.9.0-5.16.1 -3452681 +3452681, 3465375 When you run the NVUE {{nv show system aaa tacacs authorization}} commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to {{Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND}}. 5.5.0-5.10.1 5.11.0-5.16.1 @@ -660,7 +660,7 @@ To work around this issue when using fiber cables: -3442569 +3442569, 3520880, 3586421 When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both {{nginx.service}} and {{nvued.service}} to begin authenticating users against the new authentication service. 5.5.0-5.16.1 @@ -672,19 +672,19 @@ To work around this issue when using fiber cables: 5.9.0-5.16.1 -3433577 +3433577, 3433769 When you use a single VXLAN device (SVD) with MLAG and static VXLAN tunnels, Cumulus Linux incorrectly associates the MAC addresses it learns from the VXLAN fabric to the bridge PVID. This issue can lead to a feedback loop between the {{clagd}} service and {{switchd}}, and might result in critical CPU usage with an out of memory condition. Do not use an SVD when enabling MLAG in a static VXLAN environment. 5.5.0-5.8.0 5.9.0-5.16.1 -3430430 +3430430, 3337848 When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. 5.5.0-5.16.1 -3424967 +3424967, 3413785 {{sudo}} for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the {{default}} VRF. To work around this issue, specify the interface name that the {{default}} VRF uses in the {{vrf=}} setting of the {{/etc/tacplus_servers}} file or run the NVUE {{nv set system aaa tacacs vrf}} command. If you don't run either command, a TACACS+ user with privilege level 15 can run {{vrf task exec default sudo ...}} to execute the {{sudo}} command. 5.0.0-5.16.1 @@ -697,7 +697,7 @@ The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 -3414866 +3414866, 3536555, 4465009, 4509253, 4732973 Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error. sx_sdk: 22985 [BRIDGE] [ERROR ]: Port(0x200A000D)) already added to a bridge You can ignore this error; it has no impact on switch functionality. @@ -765,7 +765,7 @@ You can ignore this error; it has no impact on switch functionality. -3225117 +3225117, 3158720 Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. 5.4.0-5.16.1 @@ -788,7 +788,7 @@ To work around this issue, reference the OID without the preceding period ( {{.} -3145869 +3145869, 3430508, 3543102 On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. 5.2.0-5.16.1 @@ -865,7 +865,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -873,7 +873,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2885305 +2885305, 2887500, 3234087, 3074929, 3293192 Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. 5.0.0-5.16.1 @@ -950,7 +950,7 @@ cumulus@switch:~$ dpkg --install frr-logrotate_8.4.3-0+cl5.7.0u1_amd64.deb 5.7.0 -3713420 +3713420, 3718144 When you run the {{systemctl restart switchd.service}} command or reboot the switch after you set the host route preference option with the NVUE {{nv set system forwarding host-route-preference}} command or manually in the {{/etc/cumulus/switchd.conf}} file, {{switchd}} crashes and creates core files. 5.7.0 @@ -994,7 +994,7 @@ cumulus@switch:~$ dpkg --install frr-logrotate_8.4.3-0+cl5.7.0u1_amd64.deb 5.7.0 -3686389 +3686389, 3725881 When you use NVUE commands to configure an untagged VLAN (PVID) on a bridge to a non-default value, {{nv show bridge}} commands still indicate that the untagged VLAN is 1 (the default value). The untagged VLAN you configured is properly set on bridge ports, but displays incorrectly in operational NVUE show commands. 5.6.0-5.7.0 diff --git a/content/cumulus-linux-59/Whats-New/rn.md b/content/cumulus-linux-59/Whats-New/rn.md index 08f3fc101d..488da4cc0a 100644 --- a/content/cumulus-linux-59/Whats-New/rn.md +++ b/content/cumulus-linux-59/Whats-New/rn.md @@ -29,15 +29,15 @@ pdfhidden: True | [4531104](#4531104)
| On a switch with SDK 4.6.1062 or earlier, you might see FW fatal health events. | 5.6.0-5.13.1 | 5.14.0-5.16.1| | [4521203](#4521203)
| The SATA driver on the NVIDIA SN2410 switch sometimes exhibits failures similar to the following:
2025-06-20T20:03:38.785966+09:00 S1-RF10B kernel: 
[49878794.456350] ata1.00: failed command: WRITE FPDMA QUEUED
2025-06-20T20:03:38.785968+09:00 S1-RF10B kernel: [49878794.461984] ata1.00: cmd
61/08:08:50:2b:c4/00:00:01:00:00/40 tag 1 ncq dma 4096 out
2025-06-20T20:03:38.785970+09:00 S1-RF10B kernel: [49878794.461984] res 40/00:0c:50:2b:c4/00:00:01:00:00/40 Emask 0×10 (ATA bus error)

To work around this issue, power cycle the switch. | 5.5.1-5.13.1 | 5.14.0-5.16.1| | [4495231](#4495231)
| If the hardware clock date is later than 2038-01-19 03:14:07 UTC, the image might fail to install due to a grub-install failure on the EFI filesystem, which is a VFAT filesystem. As a result, you see the grub prompt immediately after reboot. To work around this issue, reboot from the grub prompt to go into ONIE. From ONIE, use the date command to set a date before 2038-01-19, then run the hwclock --systohc command to add it to the hardware clock. You can then use onie-nos-install to install the image. | 5.9.0-5.16.1 | | -| [4423336](#4423336)
| When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the nv config patch command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with systemctl restart nvued.service. | 5.9.0-5.11.5 | 5.12.0-5.16.1| +| [4423336, 3875789, 3933038](#4423336, 3875789, 3933038)
| When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the nv config patch command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with systemctl restart nvued.service. | 5.9.0-5.11.5 | 5.12.0-5.16.1| | [4423335](#4423335)
| When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the nv config patch command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with systemctl restart nvued.service. | 5.9.0-5.16.1 | | | [4423248](#4423248)
| If you unset an interface static IP address when the interface IP gateway is configured, the nv config apply command fails with an ifreload.service error. To work around this issue, unset both the static IP address and gateway together. | 5.9.0-5.16.1 | | | [4423244](#4423244)
| When you enable, then disable adaptive routing, the BGP neighbors might go down because of an unresolved MAC address. To work around this issue, configure another attribute on the interface. | 5.9.0-5.16.1 | | -| [4422898](#4422898)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.13.1 | 5.14.0-5.16.1| +| [4422898, 4497128](#4422898, 4497128)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.13.1 | 5.14.0-5.16.1| | [4220147](#4220147)
| When you bring STP down, then up on the primary MLAG peer, the STP state machine restarts and the peerlink operational edge resets. As a result, the secondary MLAG peer ends up in an STP discarding state. To work around this issue, restart the clagd service. | 5.8.0-5.11.0 | 5.11.1-5.16.1, 5.12.0-5.16.1| | [4195240](#4195240)
| Cumulus Linux installs and runs the atftpd program by default but cannot access it because a /tftpboot directory is missing. | 5.9.2-5.11.5 | 5.12.0-5.16.1| | [4185962](#4185962)
| When you change the VRR MAC address, switchd crashes. This occurs because deleting an old VRR MAC address triggers a neighbor update that changes the ECMP container resolution, which results in route entry updates
This happens in async mode, where the end notification expected after an end of operation is missing. | 5.9.2-5.11.0 | 5.11.1-5.16.1, 5.12.0-5.16.1| -| [4129699](#4129699)
| switchd crashes because the hardware MAC limit is higher than the maximum. | 5.8.0-5.10.1 | 5.11.0-5.16.1| +| [4129699, 3790461](#4129699, 3790461)
| switchd crashes because the hardware MAC limit is higher than the maximum. | 5.8.0-5.10.1 | 5.11.0-5.16.1| | [4127253](#4127253)
| You might see switchd high-memory consumption and eventually switchd stops because it is out of memory due to higher tunnel (VNI x VTEP) scale. | 5.8.0-5.10.1 | 5.11.0-5.16.1| | [4124831](#4124831)
| When you enable Per-VLAN Rapid Spanning Tree (PVRST) mode, bonds with LACP bypass discard ingress DHCP packets. | 5.9.1-5.10.1 | 5.11.0-5.16.1| | [4124139](#4124139)
| When you add MLAG configuration to the first bond in a single MLAG switch configuration, MLAG interfaces and VXLAN interfaces go down. | 5.8.0-5.10.1 | 5.11.0-5.16.1| @@ -45,23 +45,23 @@ pdfhidden: True | [4075960](#4075960)
| When you configure the IGMP Querier on a VLAN, the switch sends IGMP Querier packets on the untagged VLAN, not the configured VLAN. Also, the source IP address is always 0.0.0.0, even though the loopback IP address is configured on the IGMP Querier. | 5.9.1-5.10.1 | 5.11.0-5.16.1| | [4062001](#4062001)
| With VM migration from one VTEP to another, traffic loss might occur during a MAC move as locally learned MAC addresses are frequently refreshed in the kernel. | 5.8.0-5.10.1 | 5.11.0-5.16.1| | [4052578](#4052578)
| When you perform a binary upgrade from Cumulus Linux 5.8 or earlier to 5.9.0 or later with a pre-staged startup.yaml file, the cumulus user password is reset to the default password because there is no default startup.yaml file present in 5.8.0 or earlier. To work around this issue, generate the startup.yaml file from the existing NVUE configuration. | 5.9.2-5.11.5 | 5.12.0-5.16.1| -| [4049213](#4049213)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | +| [4049213, 4186873](#4049213, 4186873)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | | [4042657](#4042657)
| The SDK times out with a FW FATAL health event, which requires a reboot of the system to recover. | 5.9.1-5.10.0 | 5.10.1-5.16.1| | [4040024](#4040024)
| After network churn, the watchfrr process might restart FRR because zebra is unresponsive. | 5.9.1-5.10.0 | 5.10.1-5.16.1| | [4039850](#4039850)
| When the MAC address of the neighbor changes, a possible crash might occur because the pointer to which the MAC address points is freed, resulting in a dangling pointer. | 5.3.1-5.10.1 | 5.11.0-5.16.1| | [4019257](#4019257)
| Some switches start booting but stop at the boot menu because console‑port noise is misinterpreted as input. | 5.9.1-5.10.1 | 5.11.0-5.16.1| -| [3994544](#3994544)
| Under certain scale scenarios, the switch might end up in a state where the PTM component's connection to LLDP breaks. This issue results in LLDP socket contention issues and, in turn, a PTM memory leak. | 5.9.1-5.9.5 | 5.10.0-5.16.1| +| [3994544, 3976680](#3994544, 3976680)
| Under certain scale scenarios, the switch might end up in a state where the PTM component's connection to LLDP breaks. This issue results in LLDP socket contention issues and, in turn, a PTM memory leak. | 5.9.1-5.9.5 | 5.10.0-5.16.1| | [3985600](#3985600)
| NTP initialization issues prevent the NTP service from starting on a non-default VRF. | 5.9.0-5.9.5 | 5.10.0-5.16.1| | [3915878](#3915878)
| If you configure remote syslog export through a non-default VRF, you might see repeated error logs from the rsyslog process while the switch is booting:
rsyslogd: create UDP socket bound to device failed: No such device [v8.2302.0]rsyslogd: No UDP socket could successfully be initialized, some functionality may be disabled.  [v8.2302.0]

The logs occur because the rsyslog service starts before the networking service creates the configured VRF for syslog export. There is no functional impact with this issue. | 5.9.0-5.16.1 | | | [3900813](#3900813)
| When you configure or edit a large or extended BGP community list with NVUE, nv config apply might return an error and frr-reload might fail with the following message in /var/log/frr/frr-reload.log:
2025-04-04 18:15:44,745 WARNING: frr-reload.py failed due to vtysh (exec file) exited with status 13

You can safely ignore this error as FRR accepts and applies the new configuration. To work around this issue, apply the same configuration with the nv config apply -y command. The new configuration will correctly show in both NVUE and FRR. | 5.9.0-5.9.5 | 5.10.0-5.16.1| | [3897227](#3897227)
| During an LLDP update storm while deleting or adding LLPD neighbors, PTMD crashes as a result of mishandling multi-threaded LLPD processing. | 5.5.1-5.9.5 | 5.10.0-5.16.1| | [3895848](#3895848)
| MLAG bonds might report an LACP partner MAC mismatch unexpectedly during LACP negotation and MLAG convergence until the bond reaches a dual connected state. There is no impact to bonds when this mismatch is reported. | 5.9.0-5.9.5 | 5.10.0-5.16.1| | [3890993](#3890993)
| On the NVIDIA spectrum-4 switch, l1-show command output does not show Eye opening information for an interface port. | 5.9.0-5.9.5 | 5.10.0-5.16.1| -| [3879809](#3879809)
| Spectrum-4 switches do not include full What Just Happened (WJH) support. | 5.9.0-5.13.1 | 5.14.0-5.16.1| -| [3878699](#3878699)
| In an EVPN multihoming configuration, when the VXLAN device associated with a layer 2 VNI flaps, there is a route entry in the tenant VRF associated with the locally learned host. | 5.9.0-5.10.1 | 5.11.0-5.16.1| +| [3879809, 4064254](#3879809, 4064254)
| Spectrum-4 switches do not include full What Just Happened (WJH) support. | 5.9.0-5.13.1 | 5.14.0-5.16.1| +| [3878699, 3939355](#3878699, 3939355)
| In an EVPN multihoming configuration, when the VXLAN device associated with a layer 2 VNI flaps, there is a route entry in the tenant VRF associated with the locally learned host. | 5.9.0-5.10.1 | 5.11.0-5.16.1| | [3878394](#3878394)
| When ZTP runs a script that contains wget, ZTP fails and you see a message similar to the following:
ZTP: ZTP DHCP: Unexpected error: 'ascii' codec can't decode byte 0xe2 in position 181: ordinal not in range(128)ZTP: Script returned failure

To work around this issue, use the -q option with wget. | 5.9.0-5.16.1 | | | [3877516](#3877516)
| When you connect two NVIDIA switches and configure 400G speed in force mode, links don't come up.
To work around this issue, make sure auto-negotiation is always on when connecting NVIDIA to NVIDIA in PAM4. | 5.9.0-5.16.1 | | -| [3875687](#3875687)
| After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the Local Vtep Ip field of the nv show evpn vni command output. To work around this issue, either run the ifup command or reboot the switch. | 5.9.0-5.13.1 | 5.14.0-5.16.1| +| [3875687, 3879260, 4025900](#3875687, 3879260, 4025900)
| After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the Local Vtep Ip field of the nv show evpn vni command output. To work around this issue, either run the ifup command or reboot the switch. | 5.9.0-5.13.1 | 5.14.0-5.16.1| | [3875373](#3875373)
| When you run the nv config apply empty command, NVUE removes the cumulus user. If you are logged in as the cumulus user when you run the nv config apply empty command, the command fails. | 5.9.0-5.16.1 | | | [3873219](#3873219)
| When you remove a port from a bond and add it to the bridge in a single set of NVUE commands, then apply the configuration, the port forwarding state is blocked on all the bridge VLANs. To work around this issue, apply the configuration in two steps. First remove the port from the bond and apply the configuration, then add the port to the bridge and apply the configuration. | 5.9.0-5.9.5 | 5.10.0-5.16.1| | [3861745](#3861745)
| On UEFI hardware (where the /sys/firmware/efi directory exists), using the update-grub program might generate a /boot/grub/grub.cfg that is incorrect for booting ONIE if the ONIE option is selected on the console while booting. To work around this issue, run mount LABEL="EFI System" /boot/efi before using update-grub. | 5.9.0-5.16.1 | | @@ -69,7 +69,7 @@ pdfhidden: True | [3847439](#3847439)
| In rare cases on the Spectrum 1 switch, where a dual connected host transmits all traffic flows to only one switch in a connected MLAG pair, and the host changes behavior to hash all flows to the other MLAG switch, there might be traffic loss if the MAC FDB entry on the original switch ages out. | 5.9.0-5.16.1 | | | [3819945](#3819945)
| When you connect an NVIDIA SN4410, SN4700, or SN5600 switch to any Spectrum 1, Spectrum-2, or Spectrum-3 peer switch (with four lanes) using a 4x breakout configuration and the default lanes per port setting, links do not come up. To work around this issue, provide the lanes per port configuration shown below:
cumulus@switch:~$ nv set interface  link breakout 4x lanes-per-port 1
| 5.9.0-5.16.1 | | | [3818545](#3818545)
| The terminal monitoring software SecureCRT has a known issue when running on both Windows and Mac systems where it gets stuck when monitoring the serial port of the switch as Cumulus Linux boots up. When this occurs, the serial port stops as shown below and SecureCRT is unable to receive any more serial data from the switch (it is able to transmit).
Mounting dev-hugepages.mount - Huge Pages File System..
Mounting dev-mqueue.mount
| 5.9.0-5.16.1 | | -| [3775686](#3775686)
| The BGP Suppress Route Advertisement feature under scale (more than 30000 routes) advertises partial updates to downstream neighbors. Because FRR does not read kernel route updates fast enough, the netlink socket receive buffer gets full and further update notifications are dropped. | 5.8.0-5.9.5 | 5.10.0-5.16.1| +| [3775686, 3644649](#3775686, 3644649)
| The BGP Suppress Route Advertisement feature under scale (more than 30000 routes) advertises partial updates to downstream neighbors. Because FRR does not read kernel route updates fast enough, the netlink socket receive buffer gets full and further update notifications are dropped. | 5.8.0-5.9.5 | 5.10.0-5.16.1| | [3774274](#3774274)
| When you manually configure the /etc/cumulus/datapath/qos/qos_features.conf file without applying the QoS configuration with NVUE, running the nv config apply empty command later does not clean up the QoS configuration. If the QoS configuration includes breakout ports, the nv config apply empty command fails due to a switchd reload trigger failure. To work around this issue, clean up the configuration manually in the /etc/cumulus/datapath/qos/qos_features.conf, then run the nv config apply empty command. | 5.8.0-5.16.1 | | | [3773177](#3773177)
| When you try to upgrade a switch from Cumulus Linux before 5.6.0 with package upgrade, you might see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.
cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt install ./cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt update
cumulus@switch:~$ sudo apt upgrade
| 4.0.0-4.4.5, 5.0.0-5.16.1 | | | [3771168](#3771168)
| When you perform an ISSU upgrade on a Spectrum 1 switch, the switchd service might crash. | 5.8.0-5.16.1 | | @@ -78,21 +78,21 @@ pdfhidden: True | [3655681](#3655681)
| When you disable, then enable STP auto-edge on a port, the port might not transition to the operational edge even though the port does not receive bpdus. To work around this issue, configure the port as an admin-edge port. | 5.7.0-5.16.1 | | | [3637444](#3637444)
| Applying an inbound control plane ACL on the eth0 management interface does not take effect. To work around this issue, apply the ACL on the mgmt interface; for example, nv set interface mgmt acl inbound control-plane. | 5.7.0-5.16.1 | | | [3636266](#3636266)
| When an unresolved next hop is present in a next hop group, especially over an SVI interface, the switch checks if the neighbor MAC address is in the forwarding table. If the neighbor's MAC address is not there, the switch skips this next hop from backend programming and you see the switchd error ERR NH: l3 nhg v6 l3 nhg contains one or more unresolvable nexthops. There is no impact to switch functionality as unresolved neighbors are not programmed in hardware until they are resolved. | 5.7.0-5.9.5 | 5.10.0-5.16.1| -| [3610591](#3610591)
| After configuring the system level pre-login and post-login banner messages, the messages do not return to their default settings when you run the nv unset system command or the nv config apply empty command. | 5.7.0-5.9.5 | 5.10.0-5.16.1| +| [3610591, 3781456](#3610591, 3781456)
| After configuring the system level pre-login and post-login banner messages, the messages do not return to their default settings when you run the nv unset system command or the nv config apply empty command. | 5.7.0-5.9.5 | 5.10.0-5.16.1| | [3591918](#3591918)
| The nv action disconnect system aaa user command does not clear all open sessions. To work around this issue, run the command as many times as the number of sessions. | 5.6.0-5.16.1 | | | [3587393](#3587393)
| If you use the NVIDIA SN5600 (Spectrum-4) switch with Ixia test equipment, you might experience delayed link up due to intermittent link flaps.
To work around this issue when using copper cables:
  • Use Ixia IxOS version 9.37 with HF002156, or version 9.39 or later.
  • Use the DAC cable on ports 10 through 50.
  • Use NVIDIA cables with the recommended firmware revision.
  • Configure AN on the Cumulus Linux switch and AN/LT on Ixia.

To work around this issue when using fiber cables:
  • Configure 800g/Force.
  • Use the recommended NVIDIA optical adapters.
| 5.6.0-5.16.1 | | -| [3556762](#3556762)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | +| [3556762, 3463827](#3556762, 3463827)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | | [3540510](#3540510)
| 400Gx8 ports only support traffic line rate with packets that are larger than 172 bytes. | 5.6.0-5.16.1 | | -| [3538321](#3538321)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | +| [3538321, 3564344](#3538321, 3564344)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | | [3497622](#3497622)
| When you remove PSUs, then plug them back in, you might experience traffic loss and some ports might be in a down state. | 5.6.0-5.16.1 | | | [3472163](#3472163)
| On a switch with the Spectrum-4 ASIC, packets that are smaller than 256 bytes are not included in multicast flows. Multicast flows support packets that are 256 bytes or larger. | 5.6.0-5.16.1 | | -| [3452681](#3452681)
| When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND. | 5.5.0-5.10.1 | 5.11.0-5.16.1| +| [3452681, 3465375](#3452681, 3465375)
| When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND. | 5.5.0-5.10.1 | 5.11.0-5.16.1| | [3444490](#3444490)
| Migration from ONYX to Cumulus Linux is supported and tested with ONYX version 3.10.4302 GA only. | 5.6.0-5.16.1 | | -| [3442569](#3442569)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | -| [3430430](#3430430)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | -| [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | +| [3442569, 3520880, 3586421](#3442569, 3520880, 3586421)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | +| [3430430, 3337848](#3430430, 3337848)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | +| [3424967, 3413785](#3424967, 3413785)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [3414866](#3414866)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | +| [3414866, 3536555, 4465009, 4509253, 4732973](#3414866, 3536555, 4465009, 4509253, 4732973)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | | [3393966](#3393966)
| When you configure OSPF network statements using NVUE with the nv set vrf router ospf area network command, subsequent configuration changes with NVUE might bring down all OSPF neighbors. To work around this issue, create an NVUE snippet to configure the network statement, or use the nv set interface router ospf area command to enable OSPF on interfaces instead of using a network statement. | 5.5.0-5.9.5 | 5.10.0-5.16.1| | [3362113](#3362113)
| If you restore an NVUE startup.yaml file or run the nv config patch command after an upgrade that includes breakout ports with QoS configuration, the NVUE configuration fails to apply. Subsequent attempts to run nv config apply fail with a message similar to Invalid config [rev_id: 11] qos config is not supported on the following invalid interface: swp1s0. Supported on swp and bond interface types. To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. | 5.4.0-5.16.1 | | | [3347538](#3347538)
| When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.16.1 | | @@ -103,10 +103,10 @@ pdfhidden: True | [3253218](#3253218)
| Auto-negotiation isn't supported on Spectrum-2 and Spectrum-3 switches using the 1G SFP-T module; FORCE 1G is configured instead. | 5.4.0-5.16.1 | | | [3241567](#3241567)
| When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time. | 5.3.0-5.16.1 | | | [3226506](#3226506)
| The l1-show eth0 command does not show port information and is not supported in this release. | 5.3.0-5.16.1 | | -| [3225117](#3225117)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | +| [3225117, 3158720](#3225117, 3158720)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | | [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.16.1 | | | [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.16.1 | | -| [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | +| [3145869, 3430508, 3543102](#3145869, 3430508, 3543102)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | | [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example: 
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.16.1 | | | [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.16.1 | | | [3103821](#3103821)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.16.1 | | @@ -116,8 +116,8 @@ pdfhidden: True | [3061656](#3061656)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.16.1 | | | [2972540](#2972540)
| With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.16.1 | | | [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.16.1 | | -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [2885305](#2885305)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2885305, 2887500, 3234087, 3074929, 3293192](#2885305, 2887500, 3234087, 3074929, 3293192)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.16.1 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.16.1 | | | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | @@ -128,13 +128,13 @@ pdfhidden: True ### Fixed Issues in 5.9.5 | Issue ID | Description | Affects | |--- |--- |--- | -| [4958319](#4958319)
| When you run the nv config apply command or the sudo systemctl reload frr.service command on a switch configured with VRF route leaking that has many BGP peers, VRFs, and BGP learned prefixes, FRR reload might time out. To work around this issue, run sudo systemctl edit frr.service to change the TimeoutSec=2m to a higher value and apply the changes with sudo systemctl daemon-reload. | 5.15.0-5.16.1 | | +| [4958319, 4926426](#4958319, 4926426)
| When you run the nv config apply command or the sudo systemctl reload frr.service command on a switch configured with VRF route leaking that has many BGP peers, VRFs, and BGP learned prefixes, FRR reload might time out. To work around this issue, run sudo systemctl edit frr.service to change the TimeoutSec=2m to a higher value and apply the changes with sudo systemctl daemon-reload. | 5.15.0-5.16.1 | | | [4937854](#4937854)
| When node or VM migration occurs between the MLAG pair and the EVPN-MH pair, the MLAG MAC database becomes out of sync with kernel FDB. The migrated MAC addresses remain as local in MLAG MAC database whereas in the kernel, all MAC addresses are updated correctly as remote with the layer 2 next hop ID. To work around this issue, flap the MLAG bond interface to clear the MLAG local database. | 5.11.0-5.15.1 | | | [4937853](#4937853)
| During port‑mapping configuration, an edge case might lead to an invalid configuration state, causing the system to eventually become stuck. | 5.11.3-5.15.1 | | | [4850551](#4850551)
| The switch installs suboptimal routes in the routing table and advertises them out. | 5.9.2-5.9.4 | | | [4815029](#4815029)
| The message that the switch displays when you generate a cl-support file or as a post login banner contains an invalid Cumulus Support email address, which is no longer the formal channel for reporting support issues. | 5.0.0-5.9.4, 5.15.1 | | | [4771875](#4771875)
| When you poll optical module data with ethtool -m, switchd might crash due to a firmware timeout that triggers a fatal health-check failure. | 5.11.1-5.15.1 | | -| [4717752](#4717752)
| When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.3.1-5.9.4 | | +| [4717752, 3963232](#4717752, 3963232)
| When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.3.1-5.9.4 | | | [4423277](#4423277)
| When the username in a 802.1X session includes the equals (=) character, the ISSU warmboot fails. Make sure that = is not part of the 802.1X session name. | 5.11.0-5.12.1 | | ## 5.9.4 Release Notes @@ -151,7 +151,7 @@ pdfhidden: True | [4815029](#4815029)
| The message that the switch displays when you generate a cl-support file or as a post login banner contains an invalid Cumulus Support email address, which is no longer the formal channel for reporting support issues. | 5.0.0-5.15.1 | 5.16.0-5.16.1| | [4789097](#4789097)
| The switch deletes a static blackhole route even when the blackhole type specified in the delete command does not match the configured type. | 5.9.4-5.15.1 | 5.16.0-5.16.1| | [4771521](#4771521)
| Layer 3 multicast traffic does not forward when OMF (Optimized Multicast Flooding) and PIM is enabled. To work around this issue, flap the router port. | 5.9.2-5.15.1 | 5.16.0-5.16.1| -| [4717752](#4717752)
| When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.3.1-5.11.4 | 5.11.5-5.16.1, 5.15.0-5.16.1| +| [4717752, 3963232](#4717752, 3963232)
| When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.3.1-5.11.4 | 5.11.5-5.16.1, 5.15.0-5.16.1| | [4647646](#4647646)
| If you configure policy-based routing (PBR) rules for more than 32 interfaces, only the rules assigned to the first 32 interfaces are installed in the kernel. | 4.4.2-5.14.0 | 5.15.0-5.16.1| | [4637200](#4637200)
| When more than one IPv4 and/or IPv6 addresses are configured on a remote interface, NVUE LLDP commands such as nv show interface lldp-detail only reflect one address. To work around this issue, use lldpctl to view LLDP information. For example, sudo lldpctl -d -f json swp1. | 5.9.0-5.14.0 | 5.15.0-5.16.1| | [4633514](#4633514)
| When the switch processes large numbers of mroute updates in an MLAG configuration, FRR might crash. | 5.8.0-5.14.0 | 5.15.0-5.16.1| @@ -160,15 +160,15 @@ pdfhidden: True | [4531104](#4531104)
| On a switch with SDK 4.6.1062 or earlier, you might see FW fatal health events. | 5.6.0-5.13.1 | 5.14.0-5.16.1| | [4521203](#4521203)
| The SATA driver on the NVIDIA SN2410 switch sometimes exhibits failures similar to the following:
2025-06-20T20:03:38.785966+09:00 S1-RF10B kernel: 
[49878794.456350] ata1.00: failed command: WRITE FPDMA QUEUED
2025-06-20T20:03:38.785968+09:00 S1-RF10B kernel: [49878794.461984] ata1.00: cmd
61/08:08:50:2b:c4/00:00:01:00:00/40 tag 1 ncq dma 4096 out
2025-06-20T20:03:38.785970+09:00 S1-RF10B kernel: [49878794.461984] res 40/00:0c:50:2b:c4/00:00:01:00:00/40 Emask 0×10 (ATA bus error)

To work around this issue, power cycle the switch. | 5.5.1-5.13.1 | 5.14.0-5.16.1| | [4495231](#4495231)
| If the hardware clock date is later than 2038-01-19 03:14:07 UTC, the image might fail to install due to a grub-install failure on the EFI filesystem, which is a VFAT filesystem. As a result, you see the grub prompt immediately after reboot. To work around this issue, reboot from the grub prompt to go into ONIE. From ONIE, use the date command to set a date before 2038-01-19, then run the hwclock --systohc command to add it to the hardware clock. You can then use onie-nos-install to install the image. | 5.9.0-5.16.1 | | -| [4423336](#4423336)
| When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the nv config patch command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with systemctl restart nvued.service. | 5.9.0-5.11.5 | 5.12.0-5.16.1| +| [4423336, 3875789, 3933038](#4423336, 3875789, 3933038)
| When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the nv config patch command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with systemctl restart nvued.service. | 5.9.0-5.11.5 | 5.12.0-5.16.1| | [4423335](#4423335)
| When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the nv config patch command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with systemctl restart nvued.service. | 5.9.0-5.16.1 | | | [4423248](#4423248)
| If you unset an interface static IP address when the interface IP gateway is configured, the nv config apply command fails with an ifreload.service error. To work around this issue, unset both the static IP address and gateway together. | 5.9.0-5.16.1 | | | [4423244](#4423244)
| When you enable, then disable adaptive routing, the BGP neighbors might go down because of an unresolved MAC address. To work around this issue, configure another attribute on the interface. | 5.9.0-5.16.1 | | -| [4422898](#4422898)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.13.1 | 5.14.0-5.16.1| +| [4422898, 4497128](#4422898, 4497128)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.13.1 | 5.14.0-5.16.1| | [4220147](#4220147)
| When you bring STP down, then up on the primary MLAG peer, the STP state machine restarts and the peerlink operational edge resets. As a result, the secondary MLAG peer ends up in an STP discarding state. To work around this issue, restart the clagd service. | 5.8.0-5.11.0 | 5.11.1-5.16.1, 5.12.0-5.16.1| | [4195240](#4195240)
| Cumulus Linux installs and runs the atftpd program by default but cannot access it because a /tftpboot directory is missing. | 5.9.2-5.11.5 | 5.12.0-5.16.1| | [4185962](#4185962)
| When you change the VRR MAC address, switchd crashes. This occurs because deleting an old VRR MAC address triggers a neighbor update that changes the ECMP container resolution, which results in route entry updates
This happens in async mode, where the end notification expected after an end of operation is missing. | 5.9.2-5.11.0 | 5.11.1-5.16.1, 5.12.0-5.16.1| -| [4129699](#4129699)
| switchd crashes because the hardware MAC limit is higher than the maximum. | 5.8.0-5.10.1 | 5.11.0-5.16.1| +| [4129699, 3790461](#4129699, 3790461)
| switchd crashes because the hardware MAC limit is higher than the maximum. | 5.8.0-5.10.1 | 5.11.0-5.16.1| | [4127253](#4127253)
| You might see switchd high-memory consumption and eventually switchd stops because it is out of memory due to higher tunnel (VNI x VTEP) scale. | 5.8.0-5.10.1 | 5.11.0-5.16.1| | [4124831](#4124831)
| When you enable Per-VLAN Rapid Spanning Tree (PVRST) mode, bonds with LACP bypass discard ingress DHCP packets. | 5.9.1-5.10.1 | 5.11.0-5.16.1| | [4124139](#4124139)
| When you add MLAG configuration to the first bond in a single MLAG switch configuration, MLAG interfaces and VXLAN interfaces go down. | 5.8.0-5.10.1 | 5.11.0-5.16.1| @@ -176,23 +176,23 @@ pdfhidden: True | [4075960](#4075960)
| When you configure the IGMP Querier on a VLAN, the switch sends IGMP Querier packets on the untagged VLAN, not the configured VLAN. Also, the source IP address is always 0.0.0.0, even though the loopback IP address is configured on the IGMP Querier. | 5.9.1-5.10.1 | 5.11.0-5.16.1| | [4062001](#4062001)
| With VM migration from one VTEP to another, traffic loss might occur during a MAC move as locally learned MAC addresses are frequently refreshed in the kernel. | 5.8.0-5.10.1 | 5.11.0-5.16.1| | [4052578](#4052578)
| When you perform a binary upgrade from Cumulus Linux 5.8 or earlier to 5.9.0 or later with a pre-staged startup.yaml file, the cumulus user password is reset to the default password because there is no default startup.yaml file present in 5.8.0 or earlier. To work around this issue, generate the startup.yaml file from the existing NVUE configuration. | 5.9.2-5.11.5 | 5.12.0-5.16.1| -| [4049213](#4049213)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | +| [4049213, 4186873](#4049213, 4186873)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | | [4042657](#4042657)
| The SDK times out with a FW FATAL health event, which requires a reboot of the system to recover. | 5.9.1-5.10.0 | 5.10.1-5.16.1| | [4040024](#4040024)
| After network churn, the watchfrr process might restart FRR because zebra is unresponsive. | 5.9.1-5.10.0 | 5.10.1-5.16.1| | [4039850](#4039850)
| When the MAC address of the neighbor changes, a possible crash might occur because the pointer to which the MAC address points is freed, resulting in a dangling pointer. | 5.3.1-5.10.1 | 5.11.0-5.16.1| | [4019257](#4019257)
| Some switches start booting but stop at the boot menu because console‑port noise is misinterpreted as input. | 5.9.1-5.10.1 | 5.11.0-5.16.1| -| [3994544](#3994544)
| Under certain scale scenarios, the switch might end up in a state where the PTM component's connection to LLDP breaks. This issue results in LLDP socket contention issues and, in turn, a PTM memory leak. | 5.9.1-5.9.5 | 5.10.0-5.16.1| +| [3994544, 3976680](#3994544, 3976680)
| Under certain scale scenarios, the switch might end up in a state where the PTM component's connection to LLDP breaks. This issue results in LLDP socket contention issues and, in turn, a PTM memory leak. | 5.9.1-5.9.5 | 5.10.0-5.16.1| | [3985600](#3985600)
| NTP initialization issues prevent the NTP service from starting on a non-default VRF. | 5.9.0-5.9.5 | 5.10.0-5.16.1| | [3915878](#3915878)
| If you configure remote syslog export through a non-default VRF, you might see repeated error logs from the rsyslog process while the switch is booting:
rsyslogd: create UDP socket bound to device failed: No such device [v8.2302.0]rsyslogd: No UDP socket could successfully be initialized, some functionality may be disabled.  [v8.2302.0]

The logs occur because the rsyslog service starts before the networking service creates the configured VRF for syslog export. There is no functional impact with this issue. | 5.9.0-5.16.1 | | | [3900813](#3900813)
| When you configure or edit a large or extended BGP community list with NVUE, nv config apply might return an error and frr-reload might fail with the following message in /var/log/frr/frr-reload.log:
2025-04-04 18:15:44,745 WARNING: frr-reload.py failed due to vtysh (exec file) exited with status 13

You can safely ignore this error as FRR accepts and applies the new configuration. To work around this issue, apply the same configuration with the nv config apply -y command. The new configuration will correctly show in both NVUE and FRR. | 5.9.0-5.9.5 | 5.10.0-5.16.1| | [3897227](#3897227)
| During an LLDP update storm while deleting or adding LLPD neighbors, PTMD crashes as a result of mishandling multi-threaded LLPD processing. | 5.5.1-5.9.5 | 5.10.0-5.16.1| | [3895848](#3895848)
| MLAG bonds might report an LACP partner MAC mismatch unexpectedly during LACP negotation and MLAG convergence until the bond reaches a dual connected state. There is no impact to bonds when this mismatch is reported. | 5.9.0-5.9.5 | 5.10.0-5.16.1| | [3890993](#3890993)
| On the NVIDIA spectrum-4 switch, l1-show command output does not show Eye opening information for an interface port. | 5.9.0-5.9.5 | 5.10.0-5.16.1| -| [3879809](#3879809)
| Spectrum-4 switches do not include full What Just Happened (WJH) support. | 5.9.0-5.13.1 | 5.14.0-5.16.1| -| [3878699](#3878699)
| In an EVPN multihoming configuration, when the VXLAN device associated with a layer 2 VNI flaps, there is a route entry in the tenant VRF associated with the locally learned host. | 5.9.0-5.10.1 | 5.11.0-5.16.1| +| [3879809, 4064254](#3879809, 4064254)
| Spectrum-4 switches do not include full What Just Happened (WJH) support. | 5.9.0-5.13.1 | 5.14.0-5.16.1| +| [3878699, 3939355](#3878699, 3939355)
| In an EVPN multihoming configuration, when the VXLAN device associated with a layer 2 VNI flaps, there is a route entry in the tenant VRF associated with the locally learned host. | 5.9.0-5.10.1 | 5.11.0-5.16.1| | [3878394](#3878394)
| When ZTP runs a script that contains wget, ZTP fails and you see a message similar to the following:
ZTP: ZTP DHCP: Unexpected error: 'ascii' codec can't decode byte 0xe2 in position 181: ordinal not in range(128)ZTP: Script returned failure

To work around this issue, use the -q option with wget. | 5.9.0-5.16.1 | | | [3877516](#3877516)
| When you connect two NVIDIA switches and configure 400G speed in force mode, links don't come up.
To work around this issue, make sure auto-negotiation is always on when connecting NVIDIA to NVIDIA in PAM4. | 5.9.0-5.16.1 | | -| [3875687](#3875687)
| After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the Local Vtep Ip field of the nv show evpn vni command output. To work around this issue, either run the ifup command or reboot the switch. | 5.9.0-5.13.1 | 5.14.0-5.16.1| +| [3875687, 3879260, 4025900](#3875687, 3879260, 4025900)
| After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the Local Vtep Ip field of the nv show evpn vni command output. To work around this issue, either run the ifup command or reboot the switch. | 5.9.0-5.13.1 | 5.14.0-5.16.1| | [3875373](#3875373)
| When you run the nv config apply empty command, NVUE removes the cumulus user. If you are logged in as the cumulus user when you run the nv config apply empty command, the command fails. | 5.9.0-5.16.1 | | | [3873219](#3873219)
| When you remove a port from a bond and add it to the bridge in a single set of NVUE commands, then apply the configuration, the port forwarding state is blocked on all the bridge VLANs. To work around this issue, apply the configuration in two steps. First remove the port from the bond and apply the configuration, then add the port to the bridge and apply the configuration. | 5.9.0-5.9.5 | 5.10.0-5.16.1| | [3861745](#3861745)
| On UEFI hardware (where the /sys/firmware/efi directory exists), using the update-grub program might generate a /boot/grub/grub.cfg that is incorrect for booting ONIE if the ONIE option is selected on the console while booting. To work around this issue, run mount LABEL="EFI System" /boot/efi before using update-grub. | 5.9.0-5.16.1 | | @@ -200,7 +200,7 @@ pdfhidden: True | [3847439](#3847439)
| In rare cases on the Spectrum 1 switch, where a dual connected host transmits all traffic flows to only one switch in a connected MLAG pair, and the host changes behavior to hash all flows to the other MLAG switch, there might be traffic loss if the MAC FDB entry on the original switch ages out. | 5.9.0-5.16.1 | | | [3819945](#3819945)
| When you connect an NVIDIA SN4410, SN4700, or SN5600 switch to any Spectrum 1, Spectrum-2, or Spectrum-3 peer switch (with four lanes) using a 4x breakout configuration and the default lanes per port setting, links do not come up. To work around this issue, provide the lanes per port configuration shown below:
cumulus@switch:~$ nv set interface  link breakout 4x lanes-per-port 1
| 5.9.0-5.16.1 | | | [3818545](#3818545)
| The terminal monitoring software SecureCRT has a known issue when running on both Windows and Mac systems where it gets stuck when monitoring the serial port of the switch as Cumulus Linux boots up. When this occurs, the serial port stops as shown below and SecureCRT is unable to receive any more serial data from the switch (it is able to transmit).
Mounting dev-hugepages.mount - Huge Pages File System..
Mounting dev-mqueue.mount
| 5.9.0-5.16.1 | | -| [3775686](#3775686)
| The BGP Suppress Route Advertisement feature under scale (more than 30000 routes) advertises partial updates to downstream neighbors. Because FRR does not read kernel route updates fast enough, the netlink socket receive buffer gets full and further update notifications are dropped. | 5.8.0-5.9.5 | 5.10.0-5.16.1| +| [3775686, 3644649](#3775686, 3644649)
| The BGP Suppress Route Advertisement feature under scale (more than 30000 routes) advertises partial updates to downstream neighbors. Because FRR does not read kernel route updates fast enough, the netlink socket receive buffer gets full and further update notifications are dropped. | 5.8.0-5.9.5 | 5.10.0-5.16.1| | [3774274](#3774274)
| When you manually configure the /etc/cumulus/datapath/qos/qos_features.conf file without applying the QoS configuration with NVUE, running the nv config apply empty command later does not clean up the QoS configuration. If the QoS configuration includes breakout ports, the nv config apply empty command fails due to a switchd reload trigger failure. To work around this issue, clean up the configuration manually in the /etc/cumulus/datapath/qos/qos_features.conf, then run the nv config apply empty command. | 5.8.0-5.16.1 | | | [3773177](#3773177)
| When you try to upgrade a switch from Cumulus Linux before 5.6.0 with package upgrade, you might see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.
cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt install ./cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt update
cumulus@switch:~$ sudo apt upgrade
| 4.0.0-4.4.5, 5.0.0-5.16.1 | | | [3771168](#3771168)
| When you perform an ISSU upgrade on a Spectrum 1 switch, the switchd service might crash. | 5.8.0-5.16.1 | | @@ -209,21 +209,21 @@ pdfhidden: True | [3655681](#3655681)
| When you disable, then enable STP auto-edge on a port, the port might not transition to the operational edge even though the port does not receive bpdus. To work around this issue, configure the port as an admin-edge port. | 5.7.0-5.16.1 | | | [3637444](#3637444)
| Applying an inbound control plane ACL on the eth0 management interface does not take effect. To work around this issue, apply the ACL on the mgmt interface; for example, nv set interface mgmt acl inbound control-plane. | 5.7.0-5.16.1 | | | [3636266](#3636266)
| When an unresolved next hop is present in a next hop group, especially over an SVI interface, the switch checks if the neighbor MAC address is in the forwarding table. If the neighbor's MAC address is not there, the switch skips this next hop from backend programming and you see the switchd error ERR NH: l3 nhg v6 l3 nhg contains one or more unresolvable nexthops. There is no impact to switch functionality as unresolved neighbors are not programmed in hardware until they are resolved. | 5.7.0-5.9.5 | 5.10.0-5.16.1| -| [3610591](#3610591)
| After configuring the system level pre-login and post-login banner messages, the messages do not return to their default settings when you run the nv unset system command or the nv config apply empty command. | 5.7.0-5.9.5 | 5.10.0-5.16.1| +| [3610591, 3781456](#3610591, 3781456)
| After configuring the system level pre-login and post-login banner messages, the messages do not return to their default settings when you run the nv unset system command or the nv config apply empty command. | 5.7.0-5.9.5 | 5.10.0-5.16.1| | [3591918](#3591918)
| The nv action disconnect system aaa user command does not clear all open sessions. To work around this issue, run the command as many times as the number of sessions. | 5.6.0-5.16.1 | | | [3587393](#3587393)
| If you use the NVIDIA SN5600 (Spectrum-4) switch with Ixia test equipment, you might experience delayed link up due to intermittent link flaps.
To work around this issue when using copper cables:
  • Use Ixia IxOS version 9.37 with HF002156, or version 9.39 or later.
  • Use the DAC cable on ports 10 through 50.
  • Use NVIDIA cables with the recommended firmware revision.
  • Configure AN on the Cumulus Linux switch and AN/LT on Ixia.

To work around this issue when using fiber cables:
  • Configure 800g/Force.
  • Use the recommended NVIDIA optical adapters.
| 5.6.0-5.16.1 | | -| [3556762](#3556762)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | +| [3556762, 3463827](#3556762, 3463827)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | | [3540510](#3540510)
| 400Gx8 ports only support traffic line rate with packets that are larger than 172 bytes. | 5.6.0-5.16.1 | | -| [3538321](#3538321)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | +| [3538321, 3564344](#3538321, 3564344)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | | [3497622](#3497622)
| When you remove PSUs, then plug them back in, you might experience traffic loss and some ports might be in a down state. | 5.6.0-5.16.1 | | | [3472163](#3472163)
| On a switch with the Spectrum-4 ASIC, packets that are smaller than 256 bytes are not included in multicast flows. Multicast flows support packets that are 256 bytes or larger. | 5.6.0-5.16.1 | | -| [3452681](#3452681)
| When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND. | 5.5.0-5.10.1 | 5.11.0-5.16.1| +| [3452681, 3465375](#3452681, 3465375)
| When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND. | 5.5.0-5.10.1 | 5.11.0-5.16.1| | [3444490](#3444490)
| Migration from ONYX to Cumulus Linux is supported and tested with ONYX version 3.10.4302 GA only. | 5.6.0-5.16.1 | | -| [3442569](#3442569)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | -| [3430430](#3430430)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | -| [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | +| [3442569, 3520880, 3586421](#3442569, 3520880, 3586421)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | +| [3430430, 3337848](#3430430, 3337848)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | +| [3424967, 3413785](#3424967, 3413785)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [3414866](#3414866)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | +| [3414866, 3536555, 4465009, 4509253, 4732973](#3414866, 3536555, 4465009, 4509253, 4732973)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | | [3393966](#3393966)
| When you configure OSPF network statements using NVUE with the nv set vrf router ospf area network command, subsequent configuration changes with NVUE might bring down all OSPF neighbors. To work around this issue, create an NVUE snippet to configure the network statement, or use the nv set interface router ospf area command to enable OSPF on interfaces instead of using a network statement. | 5.5.0-5.9.5 | 5.10.0-5.16.1| | [3362113](#3362113)
| If you restore an NVUE startup.yaml file or run the nv config patch command after an upgrade that includes breakout ports with QoS configuration, the NVUE configuration fails to apply. Subsequent attempts to run nv config apply fail with a message similar to Invalid config [rev_id: 11] qos config is not supported on the following invalid interface: swp1s0. Supported on swp and bond interface types. To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. | 5.4.0-5.16.1 | | | [3347538](#3347538)
| When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.16.1 | | @@ -234,10 +234,10 @@ pdfhidden: True | [3253218](#3253218)
| Auto-negotiation isn't supported on Spectrum-2 and Spectrum-3 switches using the 1G SFP-T module; FORCE 1G is configured instead. | 5.4.0-5.16.1 | | | [3241567](#3241567)
| When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time. | 5.3.0-5.16.1 | | | [3226506](#3226506)
| The l1-show eth0 command does not show port information and is not supported in this release. | 5.3.0-5.16.1 | | -| [3225117](#3225117)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | +| [3225117, 3158720](#3225117, 3158720)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | | [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.16.1 | | | [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.16.1 | | -| [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | +| [3145869, 3430508, 3543102](#3145869, 3430508, 3543102)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | | [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example: 
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.16.1 | | | [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.16.1 | | | [3103821](#3103821)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.16.1 | | @@ -247,8 +247,8 @@ pdfhidden: True | [3061656](#3061656)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.16.1 | | | [2972540](#2972540)
| With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.16.1 | | | [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.16.1 | | -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [2885305](#2885305)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2885305, 2887500, 3234087, 3074929, 3293192](#2885305, 2887500, 3234087, 3074929, 3293192)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.16.1 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.16.1 | | | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | @@ -274,13 +274,13 @@ pdfhidden: True | [4499106](#4499106)
| A newly provisioned dynamic BGP neighbour with an MD5 password in a VRF does not come up until you delete, then re-add the password. | 5.9.2-5.9.3 | | | [4486320](#4486320)
| The age and last-update counters in the nv show bridge domain mac-table command output are reversed. The last-update counter shows age data and the age counter shows last-update data. Cumulus Linux uses the age timer to determine when to remove an old MAC entry. | 5.13.0-5.13.1 | | | [4463144](#4463144)
| Users with nv show privileges only can still execute the nv config apply and related commands. | 5.9.2-5.9.3 | | -| [4458865](#4458865)
| Installing ssh keys for the cumulus user with NVUE fails and results in login failures. | 5.12.1 | | +| [4458865, 4404759](#4458865, 4404759)
| Installing ssh keys for the cumulus user with NVUE fails and results in login failures. | 5.12.1 | | | [4457390](#4457390)
| On rare occasions, when bridge or L2VNI interfaces are coming up or transitioning state, type 2 EVPN routes might not be properly installed. To work around this issue, flap the VNI interface. | 5.9.3 | | | [4423285](#4423285)
| SVIs do not go down even when all the bridge ports on the corresponding VLAN are down because the vlan-bridge-binding option default setting is off for all the SVIs responsible for bringing down the SVI when all the ports on the corresponding VLAN are down. To work around this issue, Manually configure the vlan-bridge-binding on option under the SVI stanza in the /etc/network/interfaces file. | 5.11.0-5.11.1 | | | [4423273](#4423273)
| After you run the nv action upgrade system packages to latest command followed by the nv action reboot system command, nv show system reboot displays upgrade instead of one of the valid values cold, warm, or fast. | 5.11.0-5.11.1 | | | [4423223](#4423223)
| When processing the static IP assignment for an interface previously managed through DHCP, Cumulus Linux fails to clean up the DHCP created state completely. As a result when the IP address assigned by DHCP earlier expires, the switch eventually loses connectivity. | 5.1.0-5.9.3 | | | [4404956](#4404956)
| On the NVIDIA SN2201 switch, the fan tray LED status update fails and you see the following syslog errors:
systemd-udevd116276: mlxreg:fan1:green: Process ‘/usr/bin/hw-management-chassis-events.sh fantray-led-event mlxreg:fan1:green 255’ failed with exit code 1.

To work around this issue, restart the hw-management service with the sudo systemctl restart hw-management command. | 5.7.0-5.9.3 | | -| [4309875](#4309875)
| When you configure an invalid switch port (swp), NVUE adds the invalid configuration instead of rejecting it. The invalid interface in the configuration does not have any functional impact. | | | +| [4309875, 3537335](#4309875, 3537335)
| When you configure an invalid switch port (swp), NVUE adds the invalid configuration instead of rejecting it. The invalid interface in the configuration does not have any functional impact. | | | | [4309869](#4309869)
| Due to unsupported EVPN BUM replication configuration (a mix of PIM and HER modes), a resource leak can occur. | 5.11.0 | | | [4309851](#4309851)
| On the NVIDIA SN2010 and SN2100 switches, the management interface (eth0) might negotiate 100M instead of 1G after you install, upgrade, or, reboot Cumulus Linux. To resolve this issue, force the speed to 1G:
cumulus@switch:~$ nv set interface eth0 link speed 1G
cumulus@switch:~$ nv set interface eth0 link duplex full
cumulus@switch:~$ nv config apply
| 5.11.0 | | | [4308857](#4308857)
| When you use tls_crlcheck in the /etc/nslcd.conf file, the optional nslcd service fails due to a missing library. | 5.9.2-5.9.3, 5.12.0-5.16.1 | | @@ -327,7 +327,7 @@ pdfhidden: True | [4840299](#4840299)
| If you use NVUE commands to change the BGP autonomous system number (ASN) for existing VRFs without deleting the associated EVPN VNI, FRR reload fails and shows an error during nv config apply. Be sure to delete the layer 3 VNI before changing the BGP ASN or restart FRR after the AS change. | 5.9.1-5.16.1 | | | [4815029](#4815029)
| The message that the switch displays when you generate a cl-support file or as a post login banner contains an invalid Cumulus Support email address, which is no longer the formal channel for reporting support issues. | 5.0.0-5.15.1 | 5.16.0-5.16.1| | [4771521](#4771521)
| Layer 3 multicast traffic does not forward when OMF (Optimized Multicast Flooding) and PIM is enabled. To work around this issue, flap the router port. | 5.9.2-5.15.1 | 5.16.0-5.16.1| -| [4717752](#4717752)
| When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.3.1-5.11.4 | 5.11.5-5.16.1, 5.15.0-5.16.1| +| [4717752, 3963232](#4717752, 3963232)
| When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.3.1-5.11.4 | 5.11.5-5.16.1, 5.15.0-5.16.1| | [4647646](#4647646)
| If you configure policy-based routing (PBR) rules for more than 32 interfaces, only the rules assigned to the first 32 interfaces are installed in the kernel. | 4.4.2-5.14.0 | 5.15.0-5.16.1| | [4637200](#4637200)
| When more than one IPv4 and/or IPv6 addresses are configured on a remote interface, NVUE LLDP commands such as nv show interface lldp-detail only reflect one address. To work around this issue, use lldpctl to view LLDP information. For example, sudo lldpctl -d -f json swp1. | 5.9.0-5.14.0 | 5.15.0-5.16.1| | [4633514](#4633514)
| When the switch processes large numbers of mroute updates in an MLAG configuration, FRR might crash. | 5.8.0-5.14.0 | 5.15.0-5.16.1| @@ -343,12 +343,12 @@ pdfhidden: True | [4495231](#4495231)
| If the hardware clock date is later than 2038-01-19 03:14:07 UTC, the image might fail to install due to a grub-install failure on the EFI filesystem, which is a VFAT filesystem. As a result, you see the grub prompt immediately after reboot. To work around this issue, reboot from the grub prompt to go into ONIE. From ONIE, use the date command to set a date before 2038-01-19, then run the hwclock --systohc command to add it to the hardware clock. You can then use onie-nos-install to install the image. | 5.9.0-5.16.1 | | | [4463144](#4463144)
| Users with nv show privileges only can still execute the nv config apply and related commands. | 5.9.2-5.11.1 | 5.11.2-5.16.1, 5.14.0-5.16.1| | [4457390](#4457390)
| On rare occasions, when bridge or L2VNI interfaces are coming up or transitioning state, type 2 EVPN routes might not be properly installed. To work around this issue, flap the VNI interface. | 5.9.3-5.11.1 | 5.11.2-5.16.1, 5.14.0-5.16.1| -| [4423336](#4423336)
| When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the nv config patch command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with systemctl restart nvued.service. | 5.9.0-5.11.5 | 5.12.0-5.16.1| +| [4423336, 3875789, 3933038](#4423336, 3875789, 3933038)
| When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the nv config patch command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with systemctl restart nvued.service. | 5.9.0-5.11.5 | 5.12.0-5.16.1| | [4423335](#4423335)
| When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the nv config patch command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with systemctl restart nvued.service. | 5.9.0-5.16.1 | | | [4423248](#4423248)
| If you unset an interface static IP address when the interface IP gateway is configured, the nv config apply command fails with an ifreload.service error. To work around this issue, unset both the static IP address and gateway together. | 5.9.0-5.16.1 | | | [4423244](#4423244)
| When you enable, then disable adaptive routing, the BGP neighbors might go down because of an unresolved MAC address. To work around this issue, configure another attribute on the interface. | 5.9.0-5.16.1 | | | [4423223](#4423223)
| When processing the static IP assignment for an interface previously managed through DHCP, Cumulus Linux fails to clean up the DHCP created state completely. As a result when the IP address assigned by DHCP earlier expires, the switch eventually loses connectivity. | 5.1.0-5.11.1 | 5.11.2-5.16.1, 5.13.0-5.16.1| -| [4422898](#4422898)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.13.1 | 5.14.0-5.16.1| +| [4422898, 4497128](#4422898, 4497128)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.13.1 | 5.14.0-5.16.1| | [4404956](#4404956)
| On the NVIDIA SN2201 switch, the fan tray LED status update fails and you see the following syslog errors:
systemd-udevd116276: mlxreg:fan1:green: Process ‘/usr/bin/hw-management-chassis-events.sh fantray-led-event mlxreg:fan1:green 255’ failed with exit code 1.

To work around this issue, restart the hw-management service with the sudo systemctl restart hw-management command. | 5.7.0-5.11.1 | 5.11.2-5.16.1, 5.14.0-5.16.1| | [4308857](#4308857)
| When you use tls_crlcheck in the /etc/nslcd.conf file, the optional nslcd service fails due to a missing library. | 5.9.2-5.9.3, 5.12.0-5.16.1 | 5.9.4| | [4271228](#4271228)
| After rebooting the spine switch in an EVPN multihoming configuration, the BGP EVPN Type-2 entry is missing, which causes flooding and duplicates in the fabric. To work around this issue, flush the IP neighbor entries with the sudo ip neigh flush x.x.x.x command. | 5.9.1-5.11.0 | 5.11.1-5.16.1, 5.12.0-5.16.1| @@ -367,7 +367,7 @@ pdfhidden: True | [4154369](#4154369)
| When adding or removing routes in a virtual router with numerous configured routes, you might encounter incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.5.1-5.9.3 | 5.9.4-5.16.1, 5.11.1-5.16.1| | [4150234](#4150234)
| You might experience a memory leak in ospfd when processing next hops due to network changes. | 5.9.1-5.10.1 | 5.11.0-5.16.1| | [4134451](#4134451)
| When you set the SNMP server listening address to listen on all IPv4 and IPv6 addresses in a VRF with the nv set service snmp-server listening-address all vrf and nv set service snmp-server listening-address all-v6 vrf commands, SNMP requests over IPv6 addresses do not work. | 5.8.0-5.10.1 | 5.11.0-5.16.1| -| [4129699](#4129699)
| switchd crashes because the hardware MAC limit is higher than the maximum. | 5.8.0-5.10.1 | 5.11.0-5.16.1| +| [4129699, 3790461](#4129699, 3790461)
| switchd crashes because the hardware MAC limit is higher than the maximum. | 5.8.0-5.10.1 | 5.11.0-5.16.1| | [4128913](#4128913)
| In an EVPN configuration, when you use NVUE to configure a new host bond and a multihoming ESI at the same time, the Split-Horizon preventive traffic class rule is not programmed in the egress direction. To work around this issue, configure the host bond and apply the configuration, then configure the EVPN multihoming ESI on the host bonds and apply the configuration in a separate step. | 5.9.1-5.10.1 | 5.11.0-5.16.1| | [4127253](#4127253)
| You might see switchd high-memory consumption and eventually switchd stops because it is out of memory due to higher tunnel (VNI x VTEP) scale. | 5.8.0-5.10.1 | 5.11.0-5.16.1| | [4124831](#4124831)
| When you enable Per-VLAN Rapid Spanning Tree (PVRST) mode, bonds with LACP bypass discard ingress DHCP packets. | 5.9.1-5.10.1 | 5.11.0-5.16.1| @@ -381,24 +381,24 @@ pdfhidden: True | [4075960](#4075960)
| When you configure the IGMP Querier on a VLAN, the switch sends IGMP Querier packets on the untagged VLAN, not the configured VLAN. Also, the source IP address is always 0.0.0.0, even though the loopback IP address is configured on the IGMP Querier. | 5.9.1-5.10.1 | 5.11.0-5.16.1| | [4062001](#4062001)
| With VM migration from one VTEP to another, traffic loss might occur during a MAC move as locally learned MAC addresses are frequently refreshed in the kernel. | 5.8.0-5.10.1 | 5.11.0-5.16.1| | [4052578](#4052578)
| When you perform a binary upgrade from Cumulus Linux 5.8 or earlier to 5.9.0 or later with a pre-staged startup.yaml file, the cumulus user password is reset to the default password because there is no default startup.yaml file present in 5.8.0 or earlier. To work around this issue, generate the startup.yaml file from the existing NVUE configuration. | 5.9.2-5.11.5 | 5.12.0-5.16.1| -| [4049213](#4049213)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | +| [4049213, 4186873](#4049213, 4186873)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | | [4042657](#4042657)
| The SDK times out with a FW FATAL health event, which requires a reboot of the system to recover. | 5.9.1-5.10.0 | 5.10.1-5.16.1| | [4040024](#4040024)
| After network churn, the watchfrr process might restart FRR because zebra is unresponsive. | 5.9.1-5.10.0 | 5.10.1-5.16.1| | [4039850](#4039850)
| When the MAC address of the neighbor changes, a possible crash might occur because the pointer to which the MAC address points is freed, resulting in a dangling pointer. | 5.3.1-5.10.1 | 5.11.0-5.16.1| | [4019257](#4019257)
| Some switches start booting but stop at the boot menu because console‑port noise is misinterpreted as input. | 5.9.1-5.10.1 | 5.11.0-5.16.1| | [4007613](#4007613)
| If there are multiple relay switches in the path reaching the DHCP server, DHCP packets are duplicated at each transit relay switch and the server receives duplicate packets. | 5.9.1-5.10.1 | 5.11.0-5.16.1| -| [3994544](#3994544)
| Under certain scale scenarios, the switch might end up in a state where the PTM component's connection to LLDP breaks. This issue results in LLDP socket contention issues and, in turn, a PTM memory leak. | 5.9.1-5.9.5 | 5.10.0-5.16.1| +| [3994544, 3976680](#3994544, 3976680)
| Under certain scale scenarios, the switch might end up in a state where the PTM component's connection to LLDP breaks. This issue results in LLDP socket contention issues and, in turn, a PTM memory leak. | 5.9.1-5.9.5 | 5.10.0-5.16.1| | [3985600](#3985600)
| NTP initialization issues prevent the NTP service from starting on a non-default VRF. | 5.9.0-5.9.5 | 5.10.0-5.16.1| | [3915878](#3915878)
| If you configure remote syslog export through a non-default VRF, you might see repeated error logs from the rsyslog process while the switch is booting:
rsyslogd: create UDP socket bound to device failed: No such device [v8.2302.0]rsyslogd: No UDP socket could successfully be initialized, some functionality may be disabled.  [v8.2302.0]

The logs occur because the rsyslog service starts before the networking service creates the configured VRF for syslog export. There is no functional impact with this issue. | 5.9.0-5.16.1 | | | [3900813](#3900813)
| When you configure or edit a large or extended BGP community list with NVUE, nv config apply might return an error and frr-reload might fail with the following message in /var/log/frr/frr-reload.log:
2025-04-04 18:15:44,745 WARNING: frr-reload.py failed due to vtysh (exec file) exited with status 13

You can safely ignore this error as FRR accepts and applies the new configuration. To work around this issue, apply the same configuration with the nv config apply -y command. The new configuration will correctly show in both NVUE and FRR. | 5.9.0-5.9.5 | 5.10.0-5.16.1| | [3897227](#3897227)
| During an LLDP update storm while deleting or adding LLPD neighbors, PTMD crashes as a result of mishandling multi-threaded LLPD processing. | 5.5.1-5.9.5 | 5.10.0-5.16.1| | [3895848](#3895848)
| MLAG bonds might report an LACP partner MAC mismatch unexpectedly during LACP negotation and MLAG convergence until the bond reaches a dual connected state. There is no impact to bonds when this mismatch is reported. | 5.9.0-5.9.5 | 5.10.0-5.16.1| | [3890993](#3890993)
| On the NVIDIA spectrum-4 switch, l1-show command output does not show Eye opening information for an interface port. | 5.9.0-5.9.5 | 5.10.0-5.16.1| -| [3879809](#3879809)
| Spectrum-4 switches do not include full What Just Happened (WJH) support. | 5.9.0-5.13.1 | 5.14.0-5.16.1| -| [3878699](#3878699)
| In an EVPN multihoming configuration, when the VXLAN device associated with a layer 2 VNI flaps, there is a route entry in the tenant VRF associated with the locally learned host. | 5.9.0-5.10.1 | 5.11.0-5.16.1| +| [3879809, 4064254](#3879809, 4064254)
| Spectrum-4 switches do not include full What Just Happened (WJH) support. | 5.9.0-5.13.1 | 5.14.0-5.16.1| +| [3878699, 3939355](#3878699, 3939355)
| In an EVPN multihoming configuration, when the VXLAN device associated with a layer 2 VNI flaps, there is a route entry in the tenant VRF associated with the locally learned host. | 5.9.0-5.10.1 | 5.11.0-5.16.1| | [3878394](#3878394)
| When ZTP runs a script that contains wget, ZTP fails and you see a message similar to the following:
ZTP: ZTP DHCP: Unexpected error: 'ascii' codec can't decode byte 0xe2 in position 181: ordinal not in range(128)ZTP: Script returned failure

To work around this issue, use the -q option with wget. | 5.9.0-5.16.1 | | | [3877516](#3877516)
| When you connect two NVIDIA switches and configure 400G speed in force mode, links don't come up.
To work around this issue, make sure auto-negotiation is always on when connecting NVIDIA to NVIDIA in PAM4. | 5.9.0-5.16.1 | | -| [3875687](#3875687)
| After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the Local Vtep Ip field of the nv show evpn vni command output. To work around this issue, either run the ifup command or reboot the switch. | 5.9.0-5.13.1 | 5.14.0-5.16.1| +| [3875687, 3879260, 4025900](#3875687, 3879260, 4025900)
| After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the Local Vtep Ip field of the nv show evpn vni command output. To work around this issue, either run the ifup command or reboot the switch. | 5.9.0-5.13.1 | 5.14.0-5.16.1| | [3875373](#3875373)
| When you run the nv config apply empty command, NVUE removes the cumulus user. If you are logged in as the cumulus user when you run the nv config apply empty command, the command fails. | 5.9.0-5.16.1 | | | [3873219](#3873219)
| When you remove a port from a bond and add it to the bridge in a single set of NVUE commands, then apply the configuration, the port forwarding state is blocked on all the bridge VLANs. To work around this issue, apply the configuration in two steps. First remove the port from the bond and apply the configuration, then add the port to the bridge and apply the configuration. | 5.9.0-5.9.5 | 5.10.0-5.16.1| | [3861745](#3861745)
| On UEFI hardware (where the /sys/firmware/efi directory exists), using the update-grub program might generate a /boot/grub/grub.cfg that is incorrect for booting ONIE if the ONIE option is selected on the console while booting. To work around this issue, run mount LABEL="EFI System" /boot/efi before using update-grub. | 5.9.0-5.16.1 | | @@ -406,7 +406,7 @@ pdfhidden: True | [3847439](#3847439)
| In rare cases on the Spectrum 1 switch, where a dual connected host transmits all traffic flows to only one switch in a connected MLAG pair, and the host changes behavior to hash all flows to the other MLAG switch, there might be traffic loss if the MAC FDB entry on the original switch ages out. | 5.9.0-5.16.1 | | | [3819945](#3819945)
| When you connect an NVIDIA SN4410, SN4700, or SN5600 switch to any Spectrum 1, Spectrum-2, or Spectrum-3 peer switch (with four lanes) using a 4x breakout configuration and the default lanes per port setting, links do not come up. To work around this issue, provide the lanes per port configuration shown below:
cumulus@switch:~$ nv set interface  link breakout 4x lanes-per-port 1
| 5.9.0-5.16.1 | | | [3818545](#3818545)
| The terminal monitoring software SecureCRT has a known issue when running on both Windows and Mac systems where it gets stuck when monitoring the serial port of the switch as Cumulus Linux boots up. When this occurs, the serial port stops as shown below and SecureCRT is unable to receive any more serial data from the switch (it is able to transmit).
Mounting dev-hugepages.mount - Huge Pages File System..
Mounting dev-mqueue.mount
| 5.9.0-5.16.1 | | -| [3775686](#3775686)
| The BGP Suppress Route Advertisement feature under scale (more than 30000 routes) advertises partial updates to downstream neighbors. Because FRR does not read kernel route updates fast enough, the netlink socket receive buffer gets full and further update notifications are dropped. | 5.8.0-5.9.5 | 5.10.0-5.16.1| +| [3775686, 3644649](#3775686, 3644649)
| The BGP Suppress Route Advertisement feature under scale (more than 30000 routes) advertises partial updates to downstream neighbors. Because FRR does not read kernel route updates fast enough, the netlink socket receive buffer gets full and further update notifications are dropped. | 5.8.0-5.9.5 | 5.10.0-5.16.1| | [3774274](#3774274)
| When you manually configure the /etc/cumulus/datapath/qos/qos_features.conf file without applying the QoS configuration with NVUE, running the nv config apply empty command later does not clean up the QoS configuration. If the QoS configuration includes breakout ports, the nv config apply empty command fails due to a switchd reload trigger failure. To work around this issue, clean up the configuration manually in the /etc/cumulus/datapath/qos/qos_features.conf, then run the nv config apply empty command. | 5.8.0-5.16.1 | | | [3773177](#3773177)
| When you try to upgrade a switch from Cumulus Linux before 5.6.0 with package upgrade, you might see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.
cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt install ./cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt update
cumulus@switch:~$ sudo apt upgrade
| 4.0.0-4.4.5, 5.0.0-5.16.1 | | | [3771168](#3771168)
| When you perform an ISSU upgrade on a Spectrum 1 switch, the switchd service might crash. | 5.8.0-5.16.1 | | @@ -415,21 +415,21 @@ pdfhidden: True | [3655681](#3655681)
| When you disable, then enable STP auto-edge on a port, the port might not transition to the operational edge even though the port does not receive bpdus. To work around this issue, configure the port as an admin-edge port. | 5.7.0-5.16.1 | | | [3637444](#3637444)
| Applying an inbound control plane ACL on the eth0 management interface does not take effect. To work around this issue, apply the ACL on the mgmt interface; for example, nv set interface mgmt acl inbound control-plane. | 5.7.0-5.16.1 | | | [3636266](#3636266)
| When an unresolved next hop is present in a next hop group, especially over an SVI interface, the switch checks if the neighbor MAC address is in the forwarding table. If the neighbor's MAC address is not there, the switch skips this next hop from backend programming and you see the switchd error ERR NH: l3 nhg v6 l3 nhg contains one or more unresolvable nexthops. There is no impact to switch functionality as unresolved neighbors are not programmed in hardware until they are resolved. | 5.7.0-5.9.5 | 5.10.0-5.16.1| -| [3610591](#3610591)
| After configuring the system level pre-login and post-login banner messages, the messages do not return to their default settings when you run the nv unset system command or the nv config apply empty command. | 5.7.0-5.9.5 | 5.10.0-5.16.1| +| [3610591, 3781456](#3610591, 3781456)
| After configuring the system level pre-login and post-login banner messages, the messages do not return to their default settings when you run the nv unset system command or the nv config apply empty command. | 5.7.0-5.9.5 | 5.10.0-5.16.1| | [3591918](#3591918)
| The nv action disconnect system aaa user command does not clear all open sessions. To work around this issue, run the command as many times as the number of sessions. | 5.6.0-5.16.1 | | | [3587393](#3587393)
| If you use the NVIDIA SN5600 (Spectrum-4) switch with Ixia test equipment, you might experience delayed link up due to intermittent link flaps.
To work around this issue when using copper cables:
  • Use Ixia IxOS version 9.37 with HF002156, or version 9.39 or later.
  • Use the DAC cable on ports 10 through 50.
  • Use NVIDIA cables with the recommended firmware revision.
  • Configure AN on the Cumulus Linux switch and AN/LT on Ixia.

To work around this issue when using fiber cables:
  • Configure 800g/Force.
  • Use the recommended NVIDIA optical adapters.
| 5.6.0-5.16.1 | | -| [3556762](#3556762)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | +| [3556762, 3463827](#3556762, 3463827)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | | [3540510](#3540510)
| 400Gx8 ports only support traffic line rate with packets that are larger than 172 bytes. | 5.6.0-5.16.1 | | -| [3538321](#3538321)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | +| [3538321, 3564344](#3538321, 3564344)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | | [3497622](#3497622)
| When you remove PSUs, then plug them back in, you might experience traffic loss and some ports might be in a down state. | 5.6.0-5.16.1 | | | [3472163](#3472163)
| On a switch with the Spectrum-4 ASIC, packets that are smaller than 256 bytes are not included in multicast flows. Multicast flows support packets that are 256 bytes or larger. | 5.6.0-5.16.1 | | -| [3452681](#3452681)
| When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND. | 5.5.0-5.10.1 | 5.11.0-5.16.1| +| [3452681, 3465375](#3452681, 3465375)
| When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND. | 5.5.0-5.10.1 | 5.11.0-5.16.1| | [3444490](#3444490)
| Migration from ONYX to Cumulus Linux is supported and tested with ONYX version 3.10.4302 GA only. | 5.6.0-5.16.1 | | -| [3442569](#3442569)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | -| [3430430](#3430430)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | -| [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | +| [3442569, 3520880, 3586421](#3442569, 3520880, 3586421)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | +| [3430430, 3337848](#3430430, 3337848)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | +| [3424967, 3413785](#3424967, 3413785)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [3414866](#3414866)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | +| [3414866, 3536555, 4465009, 4509253, 4732973](#3414866, 3536555, 4465009, 4509253, 4732973)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | | [3393966](#3393966)
| When you configure OSPF network statements using NVUE with the nv set vrf router ospf area network command, subsequent configuration changes with NVUE might bring down all OSPF neighbors. To work around this issue, create an NVUE snippet to configure the network statement, or use the nv set interface router ospf area command to enable OSPF on interfaces instead of using a network statement. | 5.5.0-5.9.5 | 5.10.0-5.16.1| | [3362113](#3362113)
| If you restore an NVUE startup.yaml file or run the nv config patch command after an upgrade that includes breakout ports with QoS configuration, the NVUE configuration fails to apply. Subsequent attempts to run nv config apply fail with a message similar to Invalid config [rev_id: 11] qos config is not supported on the following invalid interface: swp1s0. Supported on swp and bond interface types. To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. | 5.4.0-5.16.1 | | | [3347538](#3347538)
| When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.16.1 | | @@ -440,10 +440,10 @@ pdfhidden: True | [3253218](#3253218)
| Auto-negotiation isn't supported on Spectrum-2 and Spectrum-3 switches using the 1G SFP-T module; FORCE 1G is configured instead. | 5.4.0-5.16.1 | | | [3241567](#3241567)
| When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time. | 5.3.0-5.16.1 | | | [3226506](#3226506)
| The l1-show eth0 command does not show port information and is not supported in this release. | 5.3.0-5.16.1 | | -| [3225117](#3225117)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | +| [3225117, 3158720](#3225117, 3158720)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | | [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.16.1 | | | [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.16.1 | | -| [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | +| [3145869, 3430508, 3543102](#3145869, 3430508, 3543102)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | | [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example: 
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.16.1 | | | [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.16.1 | | | [3103821](#3103821)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.16.1 | | @@ -453,8 +453,8 @@ pdfhidden: True | [3061656](#3061656)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.16.1 | | | [2972540](#2972540)
| With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.16.1 | | | [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.16.1 | | -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [2885305](#2885305)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2885305, 2887500, 3234087, 3074929, 3293192](#2885305, 2887500, 3234087, 3074929, 3293192)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.16.1 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.16.1 | | | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | @@ -479,7 +479,7 @@ pdfhidden: True | [4840299](#4840299)
| If you use NVUE commands to change the BGP autonomous system number (ASN) for existing VRFs without deleting the associated EVPN VNI, FRR reload fails and shows an error during nv config apply. Be sure to delete the layer 3 VNI before changing the BGP ASN or restart FRR after the AS change. | 5.9.1-5.16.1 | | | [4815029](#4815029)
| The message that the switch displays when you generate a cl-support file or as a post login banner contains an invalid Cumulus Support email address, which is no longer the formal channel for reporting support issues. | 5.0.0-5.15.1 | 5.16.0-5.16.1| | [4771521](#4771521)
| Layer 3 multicast traffic does not forward when OMF (Optimized Multicast Flooding) and PIM is enabled. To work around this issue, flap the router port. | 5.9.2-5.15.1 | 5.16.0-5.16.1| -| [4717752](#4717752)
| When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.3.1-5.11.4 | 5.11.5-5.16.1, 5.15.0-5.16.1| +| [4717752, 3963232](#4717752, 3963232)
| When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.3.1-5.11.4 | 5.11.5-5.16.1, 5.15.0-5.16.1| | [4647646](#4647646)
| If you configure policy-based routing (PBR) rules for more than 32 interfaces, only the rules assigned to the first 32 interfaces are installed in the kernel. | 4.4.2-5.14.0 | 5.15.0-5.16.1| | [4637200](#4637200)
| When more than one IPv4 and/or IPv6 addresses are configured on a remote interface, NVUE LLDP commands such as nv show interface lldp-detail only reflect one address. To work around this issue, use lldpctl to view LLDP information. For example, sudo lldpctl -d -f json swp1. | 5.9.0-5.14.0 | 5.15.0-5.16.1| | [4633514](#4633514)
| When the switch processes large numbers of mroute updates in an MLAG configuration, FRR might crash. | 5.8.0-5.14.0 | 5.15.0-5.16.1| @@ -494,12 +494,12 @@ pdfhidden: True | [4499106](#4499106)
| A newly provisioned dynamic BGP neighbour with an MD5 password in a VRF does not come up until you delete, then re-add the password. | 5.9.2-5.9.3 | 5.9.4-5.16.1| | [4495231](#4495231)
| If the hardware clock date is later than 2038-01-19 03:14:07 UTC, the image might fail to install due to a grub-install failure on the EFI filesystem, which is a VFAT filesystem. As a result, you see the grub prompt immediately after reboot. To work around this issue, reboot from the grub prompt to go into ONIE. From ONIE, use the date command to set a date before 2038-01-19, then run the hwclock --systohc command to add it to the hardware clock. You can then use onie-nos-install to install the image. | 5.9.0-5.16.1 | | | [4463144](#4463144)
| Users with nv show privileges only can still execute the nv config apply and related commands. | 5.9.2-5.11.1 | 5.11.2-5.16.1, 5.14.0-5.16.1| -| [4423336](#4423336)
| When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the nv config patch command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with systemctl restart nvued.service. | 5.9.0-5.11.5 | 5.12.0-5.16.1| +| [4423336, 3875789, 3933038](#4423336, 3875789, 3933038)
| When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the nv config patch command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with systemctl restart nvued.service. | 5.9.0-5.11.5 | 5.12.0-5.16.1| | [4423335](#4423335)
| When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the nv config patch command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with systemctl restart nvued.service. | 5.9.0-5.16.1 | | | [4423248](#4423248)
| If you unset an interface static IP address when the interface IP gateway is configured, the nv config apply command fails with an ifreload.service error. To work around this issue, unset both the static IP address and gateway together. | 5.9.0-5.16.1 | | | [4423244](#4423244)
| When you enable, then disable adaptive routing, the BGP neighbors might go down because of an unresolved MAC address. To work around this issue, configure another attribute on the interface. | 5.9.0-5.16.1 | | | [4423223](#4423223)
| When processing the static IP assignment for an interface previously managed through DHCP, Cumulus Linux fails to clean up the DHCP created state completely. As a result when the IP address assigned by DHCP earlier expires, the switch eventually loses connectivity. | 5.1.0-5.11.1 | 5.11.2-5.16.1, 5.13.0-5.16.1| -| [4422898](#4422898)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.13.1 | 5.14.0-5.16.1| +| [4422898, 4497128](#4422898, 4497128)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.13.1 | 5.14.0-5.16.1| | [4404956](#4404956)
| On the NVIDIA SN2201 switch, the fan tray LED status update fails and you see the following syslog errors:
systemd-udevd116276: mlxreg:fan1:green: Process ‘/usr/bin/hw-management-chassis-events.sh fantray-led-event mlxreg:fan1:green 255’ failed with exit code 1.

To work around this issue, restart the hw-management service with the sudo systemctl restart hw-management command. | 5.7.0-5.11.1 | 5.11.2-5.16.1, 5.14.0-5.16.1| | [4308857](#4308857)
| When you use tls_crlcheck in the /etc/nslcd.conf file, the optional nslcd service fails due to a missing library. | 5.9.2-5.9.3, 5.12.0-5.16.1 | 5.9.4| | [4271228](#4271228)
| After rebooting the spine switch in an EVPN multihoming configuration, the BGP EVPN Type-2 entry is missing, which causes flooding and duplicates in the fabric. To work around this issue, flush the IP neighbor entries with the sudo ip neigh flush x.x.x.x command. | 5.9.1-5.11.0 | 5.11.1-5.16.1, 5.12.0-5.16.1| @@ -518,7 +518,7 @@ pdfhidden: True | [4154369](#4154369)
| When adding or removing routes in a virtual router with numerous configured routes, you might encounter incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.5.1-5.9.3 | 5.9.4-5.16.1, 5.11.1-5.16.1| | [4150234](#4150234)
| You might experience a memory leak in ospfd when processing next hops due to network changes. | 5.9.1-5.10.1 | 5.11.0-5.16.1| | [4134451](#4134451)
| When you set the SNMP server listening address to listen on all IPv4 and IPv6 addresses in a VRF with the nv set service snmp-server listening-address all vrf and nv set service snmp-server listening-address all-v6 vrf commands, SNMP requests over IPv6 addresses do not work. | 5.8.0-5.10.1 | 5.11.0-5.16.1| -| [4129699](#4129699)
| switchd crashes because the hardware MAC limit is higher than the maximum. | 5.8.0-5.10.1 | 5.11.0-5.16.1| +| [4129699, 3790461](#4129699, 3790461)
| switchd crashes because the hardware MAC limit is higher than the maximum. | 5.8.0-5.10.1 | 5.11.0-5.16.1| | [4128913](#4128913)
| In an EVPN configuration, when you use NVUE to configure a new host bond and a multihoming ESI at the same time, the Split-Horizon preventive traffic class rule is not programmed in the egress direction. To work around this issue, configure the host bond and apply the configuration, then configure the EVPN multihoming ESI on the host bonds and apply the configuration in a separate step. | 5.9.1-5.10.1 | 5.11.0-5.16.1| | [4127253](#4127253)
| You might see switchd high-memory consumption and eventually switchd stops because it is out of memory due to higher tunnel (VNI x VTEP) scale. | 5.8.0-5.10.1 | 5.11.0-5.16.1| | [4124831](#4124831)
| When you enable Per-VLAN Rapid Spanning Tree (PVRST) mode, bonds with LACP bypass discard ingress DHCP packets. | 5.9.1-5.10.1 | 5.11.0-5.16.1| @@ -532,24 +532,24 @@ pdfhidden: True | [4075960](#4075960)
| When you configure the IGMP Querier on a VLAN, the switch sends IGMP Querier packets on the untagged VLAN, not the configured VLAN. Also, the source IP address is always 0.0.0.0, even though the loopback IP address is configured on the IGMP Querier. | 5.9.1-5.10.1 | 5.11.0-5.16.1| | [4062001](#4062001)
| With VM migration from one VTEP to another, traffic loss might occur during a MAC move as locally learned MAC addresses are frequently refreshed in the kernel. | 5.8.0-5.10.1 | 5.11.0-5.16.1| | [4052578](#4052578)
| When you perform a binary upgrade from Cumulus Linux 5.8 or earlier to 5.9.0 or later with a pre-staged startup.yaml file, the cumulus user password is reset to the default password because there is no default startup.yaml file present in 5.8.0 or earlier. To work around this issue, generate the startup.yaml file from the existing NVUE configuration. | 5.9.2-5.11.5 | 5.12.0-5.16.1| -| [4049213](#4049213)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | +| [4049213, 4186873](#4049213, 4186873)
| When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. | 5.9.2-5.16.1 | | | [4042657](#4042657)
| The SDK times out with a FW FATAL health event, which requires a reboot of the system to recover. | 5.9.1-5.10.0 | 5.10.1-5.16.1| | [4040024](#4040024)
| After network churn, the watchfrr process might restart FRR because zebra is unresponsive. | 5.9.1-5.10.0 | 5.10.1-5.16.1| | [4039850](#4039850)
| When the MAC address of the neighbor changes, a possible crash might occur because the pointer to which the MAC address points is freed, resulting in a dangling pointer. | 5.3.1-5.10.1 | 5.11.0-5.16.1| | [4019257](#4019257)
| Some switches start booting but stop at the boot menu because console‑port noise is misinterpreted as input. | 5.9.1-5.10.1 | 5.11.0-5.16.1| | [4007613](#4007613)
| If there are multiple relay switches in the path reaching the DHCP server, DHCP packets are duplicated at each transit relay switch and the server receives duplicate packets. | 5.9.1-5.10.1 | 5.11.0-5.16.1| -| [3994544](#3994544)
| Under certain scale scenarios, the switch might end up in a state where the PTM component's connection to LLDP breaks. This issue results in LLDP socket contention issues and, in turn, a PTM memory leak. | 5.9.1-5.9.5 | 5.10.0-5.16.1| +| [3994544, 3976680](#3994544, 3976680)
| Under certain scale scenarios, the switch might end up in a state where the PTM component's connection to LLDP breaks. This issue results in LLDP socket contention issues and, in turn, a PTM memory leak. | 5.9.1-5.9.5 | 5.10.0-5.16.1| | [3985600](#3985600)
| NTP initialization issues prevent the NTP service from starting on a non-default VRF. | 5.9.0-5.9.5 | 5.10.0-5.16.1| | [3915878](#3915878)
| If you configure remote syslog export through a non-default VRF, you might see repeated error logs from the rsyslog process while the switch is booting:
rsyslogd: create UDP socket bound to device failed: No such device [v8.2302.0]rsyslogd: No UDP socket could successfully be initialized, some functionality may be disabled.  [v8.2302.0]

The logs occur because the rsyslog service starts before the networking service creates the configured VRF for syslog export. There is no functional impact with this issue. | 5.9.0-5.16.1 | | | [3900813](#3900813)
| When you configure or edit a large or extended BGP community list with NVUE, nv config apply might return an error and frr-reload might fail with the following message in /var/log/frr/frr-reload.log:
2025-04-04 18:15:44,745 WARNING: frr-reload.py failed due to vtysh (exec file) exited with status 13

You can safely ignore this error as FRR accepts and applies the new configuration. To work around this issue, apply the same configuration with the nv config apply -y command. The new configuration will correctly show in both NVUE and FRR. | 5.9.0-5.9.5 | 5.10.0-5.16.1| | [3897227](#3897227)
| During an LLDP update storm while deleting or adding LLPD neighbors, PTMD crashes as a result of mishandling multi-threaded LLPD processing. | 5.5.1-5.9.5 | 5.10.0-5.16.1| | [3895848](#3895848)
| MLAG bonds might report an LACP partner MAC mismatch unexpectedly during LACP negotation and MLAG convergence until the bond reaches a dual connected state. There is no impact to bonds when this mismatch is reported. | 5.9.0-5.9.5 | 5.10.0-5.16.1| | [3890993](#3890993)
| On the NVIDIA spectrum-4 switch, l1-show command output does not show Eye opening information for an interface port. | 5.9.0-5.9.5 | 5.10.0-5.16.1| -| [3879809](#3879809)
| Spectrum-4 switches do not include full What Just Happened (WJH) support. | 5.9.0-5.13.1 | 5.14.0-5.16.1| -| [3878699](#3878699)
| In an EVPN multihoming configuration, when the VXLAN device associated with a layer 2 VNI flaps, there is a route entry in the tenant VRF associated with the locally learned host. | 5.9.0-5.10.1 | 5.11.0-5.16.1| +| [3879809, 4064254](#3879809, 4064254)
| Spectrum-4 switches do not include full What Just Happened (WJH) support. | 5.9.0-5.13.1 | 5.14.0-5.16.1| +| [3878699, 3939355](#3878699, 3939355)
| In an EVPN multihoming configuration, when the VXLAN device associated with a layer 2 VNI flaps, there is a route entry in the tenant VRF associated with the locally learned host. | 5.9.0-5.10.1 | 5.11.0-5.16.1| | [3878394](#3878394)
| When ZTP runs a script that contains wget, ZTP fails and you see a message similar to the following:
ZTP: ZTP DHCP: Unexpected error: 'ascii' codec can't decode byte 0xe2 in position 181: ordinal not in range(128)ZTP: Script returned failure

To work around this issue, use the -q option with wget. | 5.9.0-5.16.1 | | | [3877516](#3877516)
| When you connect two NVIDIA switches and configure 400G speed in force mode, links don't come up.
To work around this issue, make sure auto-negotiation is always on when connecting NVIDIA to NVIDIA in PAM4. | 5.9.0-5.16.1 | | -| [3875687](#3875687)
| After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the Local Vtep Ip field of the nv show evpn vni command output. To work around this issue, either run the ifup command or reboot the switch. | 5.9.0-5.13.1 | 5.14.0-5.16.1| +| [3875687, 3879260, 4025900](#3875687, 3879260, 4025900)
| After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the Local Vtep Ip field of the nv show evpn vni command output. To work around this issue, either run the ifup command or reboot the switch. | 5.9.0-5.13.1 | 5.14.0-5.16.1| | [3875373](#3875373)
| When you run the nv config apply empty command, NVUE removes the cumulus user. If you are logged in as the cumulus user when you run the nv config apply empty command, the command fails. | 5.9.0-5.16.1 | | | [3873219](#3873219)
| When you remove a port from a bond and add it to the bridge in a single set of NVUE commands, then apply the configuration, the port forwarding state is blocked on all the bridge VLANs. To work around this issue, apply the configuration in two steps. First remove the port from the bond and apply the configuration, then add the port to the bridge and apply the configuration. | 5.9.0-5.9.5 | 5.10.0-5.16.1| | [3861745](#3861745)
| On UEFI hardware (where the /sys/firmware/efi directory exists), using the update-grub program might generate a /boot/grub/grub.cfg that is incorrect for booting ONIE if the ONIE option is selected on the console while booting. To work around this issue, run mount LABEL="EFI System" /boot/efi before using update-grub. | 5.9.0-5.16.1 | | @@ -557,7 +557,7 @@ pdfhidden: True | [3847439](#3847439)
| In rare cases on the Spectrum 1 switch, where a dual connected host transmits all traffic flows to only one switch in a connected MLAG pair, and the host changes behavior to hash all flows to the other MLAG switch, there might be traffic loss if the MAC FDB entry on the original switch ages out. | 5.9.0-5.16.1 | | | [3819945](#3819945)
| When you connect an NVIDIA SN4410, SN4700, or SN5600 switch to any Spectrum 1, Spectrum-2, or Spectrum-3 peer switch (with four lanes) using a 4x breakout configuration and the default lanes per port setting, links do not come up. To work around this issue, provide the lanes per port configuration shown below:
cumulus@switch:~$ nv set interface  link breakout 4x lanes-per-port 1
| 5.9.0-5.16.1 | | | [3818545](#3818545)
| The terminal monitoring software SecureCRT has a known issue when running on both Windows and Mac systems where it gets stuck when monitoring the serial port of the switch as Cumulus Linux boots up. When this occurs, the serial port stops as shown below and SecureCRT is unable to receive any more serial data from the switch (it is able to transmit).
Mounting dev-hugepages.mount - Huge Pages File System..
Mounting dev-mqueue.mount
| 5.9.0-5.16.1 | | -| [3775686](#3775686)
| The BGP Suppress Route Advertisement feature under scale (more than 30000 routes) advertises partial updates to downstream neighbors. Because FRR does not read kernel route updates fast enough, the netlink socket receive buffer gets full and further update notifications are dropped. | 5.8.0-5.9.5 | 5.10.0-5.16.1| +| [3775686, 3644649](#3775686, 3644649)
| The BGP Suppress Route Advertisement feature under scale (more than 30000 routes) advertises partial updates to downstream neighbors. Because FRR does not read kernel route updates fast enough, the netlink socket receive buffer gets full and further update notifications are dropped. | 5.8.0-5.9.5 | 5.10.0-5.16.1| | [3774274](#3774274)
| When you manually configure the /etc/cumulus/datapath/qos/qos_features.conf file without applying the QoS configuration with NVUE, running the nv config apply empty command later does not clean up the QoS configuration. If the QoS configuration includes breakout ports, the nv config apply empty command fails due to a switchd reload trigger failure. To work around this issue, clean up the configuration manually in the /etc/cumulus/datapath/qos/qos_features.conf, then run the nv config apply empty command. | 5.8.0-5.16.1 | | | [3773177](#3773177)
| When you try to upgrade a switch from Cumulus Linux before 5.6.0 with package upgrade, you might see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.
cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt install ./cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt update
cumulus@switch:~$ sudo apt upgrade
| 4.0.0-4.4.5, 5.0.0-5.16.1 | | | [3771168](#3771168)
| When you perform an ISSU upgrade on a Spectrum 1 switch, the switchd service might crash. | 5.8.0-5.16.1 | | @@ -566,21 +566,21 @@ pdfhidden: True | [3655681](#3655681)
| When you disable, then enable STP auto-edge on a port, the port might not transition to the operational edge even though the port does not receive bpdus. To work around this issue, configure the port as an admin-edge port. | 5.7.0-5.16.1 | | | [3637444](#3637444)
| Applying an inbound control plane ACL on the eth0 management interface does not take effect. To work around this issue, apply the ACL on the mgmt interface; for example, nv set interface mgmt acl inbound control-plane. | 5.7.0-5.16.1 | | | [3636266](#3636266)
| When an unresolved next hop is present in a next hop group, especially over an SVI interface, the switch checks if the neighbor MAC address is in the forwarding table. If the neighbor's MAC address is not there, the switch skips this next hop from backend programming and you see the switchd error ERR NH: l3 nhg v6 l3 nhg contains one or more unresolvable nexthops. There is no impact to switch functionality as unresolved neighbors are not programmed in hardware until they are resolved. | 5.7.0-5.9.5 | 5.10.0-5.16.1| -| [3610591](#3610591)
| After configuring the system level pre-login and post-login banner messages, the messages do not return to their default settings when you run the nv unset system command or the nv config apply empty command. | 5.7.0-5.9.5 | 5.10.0-5.16.1| +| [3610591, 3781456](#3610591, 3781456)
| After configuring the system level pre-login and post-login banner messages, the messages do not return to their default settings when you run the nv unset system command or the nv config apply empty command. | 5.7.0-5.9.5 | 5.10.0-5.16.1| | [3591918](#3591918)
| The nv action disconnect system aaa user command does not clear all open sessions. To work around this issue, run the command as many times as the number of sessions. | 5.6.0-5.16.1 | | | [3587393](#3587393)
| If you use the NVIDIA SN5600 (Spectrum-4) switch with Ixia test equipment, you might experience delayed link up due to intermittent link flaps.
To work around this issue when using copper cables:
  • Use Ixia IxOS version 9.37 with HF002156, or version 9.39 or later.
  • Use the DAC cable on ports 10 through 50.
  • Use NVIDIA cables with the recommended firmware revision.
  • Configure AN on the Cumulus Linux switch and AN/LT on Ixia.

To work around this issue when using fiber cables:
  • Configure 800g/Force.
  • Use the recommended NVIDIA optical adapters.
| 5.6.0-5.16.1 | | -| [3556762](#3556762)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | +| [3556762, 3463827](#3556762, 3463827)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | | [3540510](#3540510)
| 400Gx8 ports only support traffic line rate with packets that are larger than 172 bytes. | 5.6.0-5.16.1 | | -| [3538321](#3538321)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | +| [3538321, 3564344](#3538321, 3564344)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | | [3497622](#3497622)
| When you remove PSUs, then plug them back in, you might experience traffic loss and some ports might be in a down state. | 5.6.0-5.16.1 | | | [3472163](#3472163)
| On a switch with the Spectrum-4 ASIC, packets that are smaller than 256 bytes are not included in multicast flows. Multicast flows support packets that are 256 bytes or larger. | 5.6.0-5.16.1 | | -| [3452681](#3452681)
| When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND. | 5.5.0-5.10.1 | 5.11.0-5.16.1| +| [3452681, 3465375](#3452681, 3465375)
| When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND. | 5.5.0-5.10.1 | 5.11.0-5.16.1| | [3444490](#3444490)
| Migration from ONYX to Cumulus Linux is supported and tested with ONYX version 3.10.4302 GA only. | 5.6.0-5.16.1 | | -| [3442569](#3442569)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | -| [3430430](#3430430)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | -| [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | +| [3442569, 3520880, 3586421](#3442569, 3520880, 3586421)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | +| [3430430, 3337848](#3430430, 3337848)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | +| [3424967, 3413785](#3424967, 3413785)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [3414866](#3414866)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | +| [3414866, 3536555, 4465009, 4509253, 4732973](#3414866, 3536555, 4465009, 4509253, 4732973)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | | [3393966](#3393966)
| When you configure OSPF network statements using NVUE with the nv set vrf router ospf area network command, subsequent configuration changes with NVUE might bring down all OSPF neighbors. To work around this issue, create an NVUE snippet to configure the network statement, or use the nv set interface router ospf area command to enable OSPF on interfaces instead of using a network statement. | 5.5.0-5.9.5 | 5.10.0-5.16.1| | [3362113](#3362113)
| If you restore an NVUE startup.yaml file or run the nv config patch command after an upgrade that includes breakout ports with QoS configuration, the NVUE configuration fails to apply. Subsequent attempts to run nv config apply fail with a message similar to Invalid config [rev_id: 11] qos config is not supported on the following invalid interface: swp1s0. Supported on swp and bond interface types. To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. | 5.4.0-5.16.1 | | | [3347538](#3347538)
| When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.16.1 | | @@ -591,10 +591,10 @@ pdfhidden: True | [3253218](#3253218)
| Auto-negotiation isn't supported on Spectrum-2 and Spectrum-3 switches using the 1G SFP-T module; FORCE 1G is configured instead. | 5.4.0-5.16.1 | | | [3241567](#3241567)
| When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time. | 5.3.0-5.16.1 | | | [3226506](#3226506)
| The l1-show eth0 command does not show port information and is not supported in this release. | 5.3.0-5.16.1 | | -| [3225117](#3225117)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | +| [3225117, 3158720](#3225117, 3158720)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | | [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.16.1 | | | [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.16.1 | | -| [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | +| [3145869, 3430508, 3543102](#3145869, 3430508, 3543102)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | | [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example: 
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.16.1 | | | [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.16.1 | | | [3103821](#3103821)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.16.1 | | @@ -604,8 +604,8 @@ pdfhidden: True | [3061656](#3061656)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.16.1 | | | [2972540](#2972540)
| With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.16.1 | | | [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.16.1 | | -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [2885305](#2885305)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2885305, 2887500, 3234087, 3074929, 3293192](#2885305, 2887500, 3234087, 3074929, 3293192)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.16.1 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.16.1 | | | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | @@ -624,16 +624,16 @@ pdfhidden: True | [4037015](#4037015)
| The NVUE commands to delete SNMP users, and change authentication passwords and encryption passphrases are not successful. | 4.3.0-5.9.1 | | | [4035681](#4035681)
| The nv show interface commands show RX and TX Power values from the wrong lanes on breakout ports. | 5.8.0-5.9.1, 5.10.0-5.10.1 | | | [4035597](#4035597)
| When using SSM and the upstream interface goes away (the source stops sending or the link goes down) the PIMREG interface is added to the outgoing interface list of the S,G and is never removed. As a result, multicast traffic that hits the impacted S,G is forwarded to the CPU and dropped by the switch. | 5.9.0-5.9.1 | | -| [4023776](#4023776)
| The NVUE nv show interface eth0 and nv show vrf commands take more than two minutes to run if you have configured hundreds of interfaces because NVUE makes repetitive system calls to get vlan/link/tunnel bridge information. | 5.9.0-5.9.1 | | +| [4023776, 4023377](#4023776, 4023377)
| The NVUE nv show interface eth0 and nv show vrf commands take more than two minutes to run if you have configured hundreds of interfaces because NVUE makes repetitive system calls to get vlan/link/tunnel bridge information. | 5.9.0-5.9.1 | | | [4023649](#4023649)
| On rare occasions when certain events occur, such as changes to the topology in the network, when a bond comes online and directly transits to an STP blocking state, the slave ports might still be in a forwarding state. As a result, traffic is forwarded on a blocked port. | 5.2.0-5.9.1 | | | [4023645](#4023645)
| When you disable dynamic NAT manually in the /etc/cumulus/switchd.conf file instead of using NVUE commands but the dynamic NAT rules still exist in the /etc/cumulus/acl/policy,d/.rules file, the switch encounters a memory leak. To work around this issue, remove dynamic NAT rules in rules files in /etc/cumulus/acl/policy.d before you disable dynamic NAT in the /etc/cumulus/switchd.conf file. | 5.9.0-5.9.1 | | | [4013592](#4013592)
| A memory corruption kernel crash might occur due to a netfilter error. The log message from netfilter might contain a warning similar to the following:
kernel: WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_core.c:1210 __nf_conntrack_confirm+0x5c7/0x6b0 [nf_conntrack]kernel: RIP: 0010:__nf_conntrack_confirm+0x5c7/0x6b0 [nf_conntrack]
| 5.9.1 | | -| [4007614](#4007614)
| Static ARP configured with NVUE commands is deleted when the relevant layer 3 interface flaps. | 5.8.0-5.9.1 | | +| [4007614, 3677821](#4007614, 3677821)
| Static ARP configured with NVUE commands is deleted when the relevant layer 3 interface flaps. | 5.8.0-5.9.1 | | | [4007612](#4007612)
| When two SVIs are configured with the same VLAN ID and are assigned to separate bridges (each in a different VRF) but both bridges share the same MAC hardware address, traffic drops might occur. | 5.9.1 | | | [4007329](#4007329)
| Cumulus Linux incorrectly handles unnumbered neighbor types, which causes discrepancies in the running configuration and session flaps during FRR reload. | 5.9.0-5.9.1 | | | [4005261](#4005261)
| On the Spectrum-4 switch, when you use PTP on a 800G link, jumbo frames traversing the same link might cause a degradation in PTP performance. | 5.9.0-5.9.1 | | | [4003866](#4003866)
| Following an EVPN extended mobility event, where a host with IP address A and MAC address A moves within the fabric and now resides at IP address A and MAC address B, you might see traffic destined to this host experience drops as the flow is software forwarded on the egress VTEP. | 5.0.1-5.9.1 | | -| [3994463](#3994463)
| The ntpsec@mgmt service does not come up by default when you install an image with ONIE because the trigger to bring up the service is missing. | 5.9.1 | | +| [3994463, 3925795](#3994463, 3925795)
| The ntpsec@mgmt service does not come up by default when you install an image with ONIE because the trigger to bring up the service is missing. | 5.9.1 | | | [3983497](#3983497)
| The NVIDIA SN4600C switch fails to boot fully after you upgrade from Cumulus Linux 4.2.1 to 5.7 with ONIE install. To work around this issue, perform an intermediate step image upgrade; for example, upgrade the switch from Cumulus Linux 4.2.1 to 5.2.1 to 5.7.0. | 5.7.0-5.9.1 | | | [3982294](#3982294)
| Cumulus Linux does not recognize QSFP_CMIS optical modules correctly. | 5.6.0-5.9.1 | | | [3982260](#3982260)
| When you modify the default QoS configuration on top of the base RoCE configuration, NVUE reports an Invalid exception in the nv show qos roce command output even when the configuration is valid. | 5.8.0-5.9.1 | | @@ -656,12 +656,12 @@ pdfhidden: True | [3980956](#3980956)
| The default memory configuration for NVIDIA Cumulus VX OVA is too low and needs to be increased. | 5.9.0-5.9.1 | | | [3980943](#3980943)
| The default NIC for the VMWare OVA file is set to vmxnet3 instead of e1000. | 5.9.0-5.9.1 | | | [3980942](#3980942)
| SNMP IF-MIB reports all interfaces (including layer 3 and VNIs) as ifType=6 (ethernetCsmacd) instead of IANA MIB-II types. | 5.9.1 | | -| [3980941](#3980941)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | | +| [3980941, 3895041](#3980941, 3895041)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.1 | | | [3980938](#3980938)
| When ARP suppression is off, remote EVPN VTEPs duplicate ARP packets from local hosts and each remote host receives two copies of the ARP packets. The issue also applies to IPv6 ND packets. | 5.8.0-5.9.1 | | | [3980925](#3980925)
| When you configure the bridge.kernel_mac_refresh_interval parameter in the switchd.conf file, a switchd restart fails with a core dump. | 5.8.0-5.9.1 | | | [3972715](#3972715)
| The fans on the NVIDIA SN2410 switch (Part Number SSG7A80800) might spin at high speed. | 5.9.1 | | | [3965574](#3965574)
| The ethtool -m command shows incorrect optical DOM information for SFP modules. To work around this issue, run the l1-show command to show optical power values for SFP optical transceivers.. | 5.9.1 | | -| [3965573](#3965573)
| If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. | 5.3.1-5.9.1 | | +| [3965573, 3949366](#3965573, 3949366)
| If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. | 5.3.1-5.9.1 | | | [3965564](#3965564)
| A kernel crash due to memory corruption might occur due to a netfilter error. The log message from netfilter might contain a warning similar to the following:
kernel: WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_core.c:1210 __nf_conntrack_confirm+0x5c7/0x6b0 [nf_conntrack]kernel: RIP: 0010:__nf_conntrack_confirm+0x5c7/0x6b0 [nf_conntrack]
| 5.9.0-5.9.1 | | | [3951316](#3951316)
| In an EVPN multihoming configuration, if a host bond enters the protodown state due to a link flap, when you try to clear the protodown state, FRR reprograms it. | 5.9.1 | | @@ -676,7 +676,7 @@ pdfhidden: True | [4871161](#4871161)
| If you use NVUE commands to change the BGP autonomous system number (ASN) for existing VRFs without deleting the associated EVPN VNI, FRR reload fails and shows an error during nv config apply. Be sure to delete the layer 3 VNI before changing the BGP ASN or restart FRR after the AS change. | 5.9.1-5.16.1 | | | [4840299](#4840299)
| If you use NVUE commands to change the BGP autonomous system number (ASN) for existing VRFs without deleting the associated EVPN VNI, FRR reload fails and shows an error during nv config apply. Be sure to delete the layer 3 VNI before changing the BGP ASN or restart FRR after the AS change. | 5.9.1-5.16.1 | | | [4815029](#4815029)
| The message that the switch displays when you generate a cl-support file or as a post login banner contains an invalid Cumulus Support email address, which is no longer the formal channel for reporting support issues. | 5.0.0-5.15.1 | 5.16.0-5.16.1| -| [4717752](#4717752)
| When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.3.1-5.11.4 | 5.11.5-5.16.1, 5.15.0-5.16.1| +| [4717752, 3963232](#4717752, 3963232)
| When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.3.1-5.11.4 | 5.11.5-5.16.1, 5.15.0-5.16.1| | [4647646](#4647646)
| If you configure policy-based routing (PBR) rules for more than 32 interfaces, only the rules assigned to the first 32 interfaces are installed in the kernel. | 4.4.2-5.14.0 | 5.15.0-5.16.1| | [4637200](#4637200)
| When more than one IPv4 and/or IPv6 addresses are configured on a remote interface, NVUE LLDP commands such as nv show interface lldp-detail only reflect one address. To work around this issue, use lldpctl to view LLDP information. For example, sudo lldpctl -d -f json swp1. | 5.9.0-5.14.0 | 5.15.0-5.16.1| | [4633514](#4633514)
| When the switch processes large numbers of mroute updates in an MLAG configuration, FRR might crash. | 5.8.0-5.14.0 | 5.15.0-5.16.1| @@ -688,12 +688,12 @@ pdfhidden: True | [4531104](#4531104)
| On a switch with SDK 4.6.1062 or earlier, you might see FW fatal health events. | 5.6.0-5.13.1 | 5.14.0-5.16.1| | [4521203](#4521203)
| The SATA driver on the NVIDIA SN2410 switch sometimes exhibits failures similar to the following:
2025-06-20T20:03:38.785966+09:00 S1-RF10B kernel: 
[49878794.456350] ata1.00: failed command: WRITE FPDMA QUEUED
2025-06-20T20:03:38.785968+09:00 S1-RF10B kernel: [49878794.461984] ata1.00: cmd
61/08:08:50:2b:c4/00:00:01:00:00/40 tag 1 ncq dma 4096 out
2025-06-20T20:03:38.785970+09:00 S1-RF10B kernel: [49878794.461984] res 40/00:0c:50:2b:c4/00:00:01:00:00/40 Emask 0×10 (ATA bus error)

To work around this issue, power cycle the switch. | 5.5.1-5.13.1 | 5.14.0-5.16.1| | [4495231](#4495231)
| If the hardware clock date is later than 2038-01-19 03:14:07 UTC, the image might fail to install due to a grub-install failure on the EFI filesystem, which is a VFAT filesystem. As a result, you see the grub prompt immediately after reboot. To work around this issue, reboot from the grub prompt to go into ONIE. From ONIE, use the date command to set a date before 2038-01-19, then run the hwclock --systohc command to add it to the hardware clock. You can then use onie-nos-install to install the image. | 5.9.0-5.16.1 | | -| [4423336](#4423336)
| When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the nv config patch command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with systemctl restart nvued.service. | 5.9.0-5.11.5 | 5.12.0-5.16.1| +| [4423336, 3875789, 3933038](#4423336, 3875789, 3933038)
| When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the nv config patch command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with systemctl restart nvued.service. | 5.9.0-5.11.5 | 5.12.0-5.16.1| | [4423335](#4423335)
| When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the nv config patch command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with systemctl restart nvued.service. | 5.9.0-5.16.1 | | | [4423248](#4423248)
| If you unset an interface static IP address when the interface IP gateway is configured, the nv config apply command fails with an ifreload.service error. To work around this issue, unset both the static IP address and gateway together. | 5.9.0-5.16.1 | | | [4423244](#4423244)
| When you enable, then disable adaptive routing, the BGP neighbors might go down because of an unresolved MAC address. To work around this issue, configure another attribute on the interface. | 5.9.0-5.16.1 | | | [4423223](#4423223)
| When processing the static IP assignment for an interface previously managed through DHCP, Cumulus Linux fails to clean up the DHCP created state completely. As a result when the IP address assigned by DHCP earlier expires, the switch eventually loses connectivity. | 5.1.0-5.11.1 | 5.11.2-5.16.1, 5.13.0-5.16.1| -| [4422898](#4422898)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.13.1 | 5.14.0-5.16.1| +| [4422898, 4497128](#4422898, 4497128)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.13.1 | 5.14.0-5.16.1| | [4404956](#4404956)
| On the NVIDIA SN2201 switch, the fan tray LED status update fails and you see the following syslog errors:
systemd-udevd116276: mlxreg:fan1:green: Process ‘/usr/bin/hw-management-chassis-events.sh fantray-led-event mlxreg:fan1:green 255’ failed with exit code 1.

To work around this issue, restart the hw-management service with the sudo systemctl restart hw-management command. | 5.7.0-5.11.1 | 5.11.2-5.16.1, 5.14.0-5.16.1| | [4271228](#4271228)
| After rebooting the spine switch in an EVPN multihoming configuration, the BGP EVPN Type-2 entry is missing, which causes flooding and duplicates in the fabric. To work around this issue, flush the IP neighbor entries with the sudo ip neigh flush x.x.x.x command. | 5.9.1-5.11.0 | 5.11.1-5.16.1, 5.12.0-5.16.1| | [4271202](#4271202)
| When the STP state goes down, then back up on the primary MLAG peer, the peerlink state is not updated correctly in mstpd. | 5.8.0-5.11.0 | 5.11.1-5.16.1, 5.12.0-5.16.1| @@ -707,7 +707,7 @@ pdfhidden: True | [4154369](#4154369)
| When adding or removing routes in a virtual router with numerous configured routes, you might encounter incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.5.1-5.9.3 | 5.9.4-5.16.1, 5.11.1-5.16.1| | [4150234](#4150234)
| You might experience a memory leak in ospfd when processing next hops due to network changes. | 5.9.1-5.10.1 | 5.11.0-5.16.1| | [4134451](#4134451)
| When you set the SNMP server listening address to listen on all IPv4 and IPv6 addresses in a VRF with the nv set service snmp-server listening-address all vrf and nv set service snmp-server listening-address all-v6 vrf commands, SNMP requests over IPv6 addresses do not work. | 5.8.0-5.10.1 | 5.11.0-5.16.1| -| [4129699](#4129699)
| switchd crashes because the hardware MAC limit is higher than the maximum. | 5.8.0-5.10.1 | 5.11.0-5.16.1| +| [4129699, 3790461](#4129699, 3790461)
| switchd crashes because the hardware MAC limit is higher than the maximum. | 5.8.0-5.10.1 | 5.11.0-5.16.1| | [4128913](#4128913)
| In an EVPN configuration, when you use NVUE to configure a new host bond and a multihoming ESI at the same time, the Split-Horizon preventive traffic class rule is not programmed in the egress direction. To work around this issue, configure the host bond and apply the configuration, then configure the EVPN multihoming ESI on the host bonds and apply the configuration in a separate step. | 5.9.1-5.10.1 | 5.11.0-5.16.1| | [4127253](#4127253)
| You might see switchd high-memory consumption and eventually switchd stops because it is out of memory due to higher tunnel (VNI x VTEP) scale. | 5.8.0-5.10.1 | 5.11.0-5.16.1| | [4124831](#4124831)
| When you enable Per-VLAN Rapid Spanning Tree (PVRST) mode, bonds with LACP bypass discard ingress DHCP packets. | 5.9.1-5.10.1 | 5.11.0-5.16.1| @@ -729,19 +729,19 @@ pdfhidden: True | [4037015](#4037015)
| The NVUE commands to delete SNMP users, and change authentication passwords and encryption passphrases are not successful. | 4.3.0-5.9.5 | 5.10.0-5.16.1| | [4035681](#4035681)
| The nv show interface commands show RX and TX Power values from the wrong lanes on breakout ports. | 5.8.0-5.10.1 | 5.11.0-5.16.1| | [4035597](#4035597)
| When using SSM and the upstream interface goes away (the source stops sending or the link goes down) the PIMREG interface is added to the outgoing interface list of the S,G and is never removed. As a result, multicast traffic that hits the impacted S,G is forwarded to the CPU and dropped by the switch. | 5.9.0-5.9.5 | 5.10.0-5.16.1| -| [4023776](#4023776)
| The NVUE nv show interface eth0 and nv show vrf commands take more than two minutes to run if you have configured hundreds of interfaces because NVUE makes repetitive system calls to get vlan/link/tunnel bridge information. | 5.9.0-5.9.5 | 5.10.0-5.16.1| +| [4023776, 4023377](#4023776, 4023377)
| The NVUE nv show interface eth0 and nv show vrf commands take more than two minutes to run if you have configured hundreds of interfaces because NVUE makes repetitive system calls to get vlan/link/tunnel bridge information. | 5.9.0-5.9.5 | 5.10.0-5.16.1| | [4023649](#4023649)
| On rare occasions when certain events occur, such as changes to the topology in the network, when a bond comes online and directly transits to an STP blocking state, the slave ports might still be in a forwarding state. As a result, traffic is forwarded on a blocked port. | 5.2.0-5.9.5 | 5.10.0-5.16.1| | [4023645](#4023645)
| When you disable dynamic NAT manually in the /etc/cumulus/switchd.conf file instead of using NVUE commands but the dynamic NAT rules still exist in the /etc/cumulus/acl/policy,d/.rules file, the switch encounters a memory leak. To work around this issue, remove dynamic NAT rules in rules files in /etc/cumulus/acl/policy.d before you disable dynamic NAT in the /etc/cumulus/switchd.conf file. | 5.9.0-5.9.5 | 5.10.0-5.16.1| | [4019257](#4019257)
| Some switches start booting but stop at the boot menu because console‑port noise is misinterpreted as input. | 5.9.1-5.10.1 | 5.11.0-5.16.1| | [4013592](#4013592)
| A memory corruption kernel crash might occur due to a netfilter error. The log message from netfilter might contain a warning similar to the following:
kernel: WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_core.c:1210 __nf_conntrack_confirm+0x5c7/0x6b0 [nf_conntrack]kernel: RIP: 0010:__nf_conntrack_confirm+0x5c7/0x6b0 [nf_conntrack]
| 5.9.1-5.9.5 | 5.10.0-5.16.1| -| [4007614](#4007614)
| Static ARP configured with NVUE commands is deleted when the relevant layer 3 interface flaps. | 5.8.0-5.9.5 | 5.10.0-5.16.1| +| [4007614, 3677821](#4007614, 3677821)
| Static ARP configured with NVUE commands is deleted when the relevant layer 3 interface flaps. | 5.8.0-5.9.5 | 5.10.0-5.16.1| | [4007613](#4007613)
| If there are multiple relay switches in the path reaching the DHCP server, DHCP packets are duplicated at each transit relay switch and the server receives duplicate packets. | 5.9.1-5.10.1 | 5.11.0-5.16.1| | [4007612](#4007612)
| When two SVIs are configured with the same VLAN ID and are assigned to separate bridges (each in a different VRF) but both bridges share the same MAC hardware address, traffic drops might occur. | 5.9.1-5.9.5 | 5.10.0-5.16.1| | [4007329](#4007329)
| Cumulus Linux incorrectly handles unnumbered neighbor types, which causes discrepancies in the running configuration and session flaps during FRR reload. | 5.9.0-5.9.5 | 5.10.0-5.16.1| | [4005261](#4005261)
| On the Spectrum-4 switch, when you use PTP on a 800G link, jumbo frames traversing the same link might cause a degradation in PTP performance. | 5.9.0-5.9.5 | 5.10.0-5.16.1| | [4003866](#4003866)
| Following an EVPN extended mobility event, where a host with IP address A and MAC address A moves within the fabric and now resides at IP address A and MAC address B, you might see traffic destined to this host experience drops as the flow is software forwarded on the egress VTEP. | 5.0.1-5.9.5 | 5.10.0-5.16.1| -| [3994544](#3994544)
| Under certain scale scenarios, the switch might end up in a state where the PTM component's connection to LLDP breaks. This issue results in LLDP socket contention issues and, in turn, a PTM memory leak. | 5.9.1-5.9.5 | 5.10.0-5.16.1| -| [3994463](#3994463)
| The ntpsec@mgmt service does not come up by default when you install an image with ONIE because the trigger to bring up the service is missing. | 5.9.1-5.9.5 | 5.10.0-5.16.1| +| [3994544, 3976680](#3994544, 3976680)
| Under certain scale scenarios, the switch might end up in a state where the PTM component's connection to LLDP breaks. This issue results in LLDP socket contention issues and, in turn, a PTM memory leak. | 5.9.1-5.9.5 | 5.10.0-5.16.1| +| [3994463, 3925795](#3994463, 3925795)
| The ntpsec@mgmt service does not come up by default when you install an image with ONIE because the trigger to bring up the service is missing. | 5.9.1-5.9.5 | 5.10.0-5.16.1| | [3985600](#3985600)
| NTP initialization issues prevent the NTP service from starting on a non-default VRF. | 5.9.0-5.9.5 | 5.10.0-5.16.1| | [3983497](#3983497)
| The NVIDIA SN4600C switch fails to boot fully after you upgrade from Cumulus Linux 4.2.1 to 5.7 with ONIE install. To work around this issue, perform an intermediate step image upgrade; for example, upgrade the switch from Cumulus Linux 4.2.1 to 5.2.1 to 5.7.0. | 5.7.0-5.9.5 | 5.10.0-5.16.1| | [3982294](#3982294)
| Cumulus Linux does not recognize QSFP_CMIS optical modules correctly. | 5.6.0-5.9.5 | 5.10.0-5.16.1| @@ -765,12 +765,12 @@ pdfhidden: True | [3980956](#3980956)
| The default memory configuration for NVIDIA Cumulus VX OVA is too low and needs to be increased. | 5.9.0-5.9.5 | 5.10.0-5.16.1| | [3980943](#3980943)
| The default NIC for the VMWare OVA file is set to vmxnet3 instead of e1000. | 5.9.0-5.9.5 | 5.10.0-5.16.1| | [3980942](#3980942)
| SNMP IF-MIB reports all interfaces (including layer 3 and VNIs) as ifType=6 (ethernetCsmacd) instead of IANA MIB-II types. | 5.9.1-5.9.5 | 5.10.0-5.16.1| -| [3980941](#3980941)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.5 | 5.10.0-5.16.1| +| [3980941, 3895041](#3980941, 3895041)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.5 | 5.10.0-5.16.1| | [3980938](#3980938)
| When ARP suppression is off, remote EVPN VTEPs duplicate ARP packets from local hosts and each remote host receives two copies of the ARP packets. The issue also applies to IPv6 ND packets. | 5.8.0-5.9.5 | 5.10.0-5.16.1| | [3980925](#3980925)
| When you configure the bridge.kernel_mac_refresh_interval parameter in the switchd.conf file, a switchd restart fails with a core dump. | 5.8.0-5.9.5 | 5.10.0-5.16.1| | [3972715](#3972715)
| The fans on the NVIDIA SN2410 switch (Part Number SSG7A80800) might spin at high speed. | 5.9.1 | 5.9.2-5.16.1| | [3965574](#3965574)
| The ethtool -m command shows incorrect optical DOM information for SFP modules. To work around this issue, run the l1-show command to show optical power values for SFP optical transceivers.. | 5.9.1-5.9.5 | 5.10.0-5.16.1| -| [3965573](#3965573)
| If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. | 5.3.1-5.9.5 | 5.10.0-5.16.1| +| [3965573, 3949366](#3965573, 3949366)
| If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. | 5.3.1-5.9.5 | 5.10.0-5.16.1| | [3965564](#3965564)
| A kernel crash due to memory corruption might occur due to a netfilter error. The log message from netfilter might contain a warning similar to the following:
kernel: WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_core.c:1210 __nf_conntrack_confirm+0x5c7/0x6b0 [nf_conntrack]kernel: RIP: 0010:__nf_conntrack_confirm+0x5c7/0x6b0 [nf_conntrack]
| 5.9.0-5.9.5 | 5.10.0-5.16.1| | [3951316](#3951316)
| In an EVPN multihoming configuration, if a host bond enters the protodown state due to a link flap, when you try to clear the protodown state, FRR reprograms it. | 5.9.1-5.9.5 | 5.10.0-5.16.1| | [3915878](#3915878)
| If you configure remote syslog export through a non-default VRF, you might see repeated error logs from the rsyslog process while the switch is booting:
rsyslogd: create UDP socket bound to device failed: No such device [v8.2302.0]rsyslogd: No UDP socket could successfully be initialized, some functionality may be disabled.  [v8.2302.0]

The logs occur because the rsyslog service starts before the networking service creates the configured VRF for syslog export. There is no functional impact with this issue. | 5.9.0-5.16.1 | | @@ -778,11 +778,11 @@ pdfhidden: True | [3897227](#3897227)
| During an LLDP update storm while deleting or adding LLPD neighbors, PTMD crashes as a result of mishandling multi-threaded LLPD processing. | 5.5.1-5.9.5 | 5.10.0-5.16.1| | [3895848](#3895848)
| MLAG bonds might report an LACP partner MAC mismatch unexpectedly during LACP negotation and MLAG convergence until the bond reaches a dual connected state. There is no impact to bonds when this mismatch is reported. | 5.9.0-5.9.5 | 5.10.0-5.16.1| | [3890993](#3890993)
| On the NVIDIA spectrum-4 switch, l1-show command output does not show Eye opening information for an interface port. | 5.9.0-5.9.5 | 5.10.0-5.16.1| -| [3879809](#3879809)
| Spectrum-4 switches do not include full What Just Happened (WJH) support. | 5.9.0-5.13.1 | 5.14.0-5.16.1| -| [3878699](#3878699)
| In an EVPN multihoming configuration, when the VXLAN device associated with a layer 2 VNI flaps, there is a route entry in the tenant VRF associated with the locally learned host. | 5.9.0-5.10.1 | 5.11.0-5.16.1| +| [3879809, 4064254](#3879809, 4064254)
| Spectrum-4 switches do not include full What Just Happened (WJH) support. | 5.9.0-5.13.1 | 5.14.0-5.16.1| +| [3878699, 3939355](#3878699, 3939355)
| In an EVPN multihoming configuration, when the VXLAN device associated with a layer 2 VNI flaps, there is a route entry in the tenant VRF associated with the locally learned host. | 5.9.0-5.10.1 | 5.11.0-5.16.1| | [3878394](#3878394)
| When ZTP runs a script that contains wget, ZTP fails and you see a message similar to the following:
ZTP: ZTP DHCP: Unexpected error: 'ascii' codec can't decode byte 0xe2 in position 181: ordinal not in range(128)ZTP: Script returned failure

To work around this issue, use the -q option with wget. | 5.9.0-5.16.1 | | | [3877516](#3877516)
| When you connect two NVIDIA switches and configure 400G speed in force mode, links don't come up.
To work around this issue, make sure auto-negotiation is always on when connecting NVIDIA to NVIDIA in PAM4. | 5.9.0-5.16.1 | | -| [3875687](#3875687)
| After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the Local Vtep Ip field of the nv show evpn vni command output. To work around this issue, either run the ifup command or reboot the switch. | 5.9.0-5.13.1 | 5.14.0-5.16.1| +| [3875687, 3879260, 4025900](#3875687, 3879260, 4025900)
| After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the Local Vtep Ip field of the nv show evpn vni command output. To work around this issue, either run the ifup command or reboot the switch. | 5.9.0-5.13.1 | 5.14.0-5.16.1| | [3875373](#3875373)
| When you run the nv config apply empty command, NVUE removes the cumulus user. If you are logged in as the cumulus user when you run the nv config apply empty command, the command fails. | 5.9.0-5.16.1 | | | [3873219](#3873219)
| When you remove a port from a bond and add it to the bridge in a single set of NVUE commands, then apply the configuration, the port forwarding state is blocked on all the bridge VLANs. To work around this issue, apply the configuration in two steps. First remove the port from the bond and apply the configuration, then add the port to the bridge and apply the configuration. | 5.9.0-5.9.5 | 5.10.0-5.16.1| | [3861745](#3861745)
| On UEFI hardware (where the /sys/firmware/efi directory exists), using the update-grub program might generate a /boot/grub/grub.cfg that is incorrect for booting ONIE if the ONIE option is selected on the console while booting. To work around this issue, run mount LABEL="EFI System" /boot/efi before using update-grub. | 5.9.0-5.16.1 | | @@ -790,7 +790,7 @@ pdfhidden: True | [3847439](#3847439)
| In rare cases on the Spectrum 1 switch, where a dual connected host transmits all traffic flows to only one switch in a connected MLAG pair, and the host changes behavior to hash all flows to the other MLAG switch, there might be traffic loss if the MAC FDB entry on the original switch ages out. | 5.9.0-5.16.1 | | | [3819945](#3819945)
| When you connect an NVIDIA SN4410, SN4700, or SN5600 switch to any Spectrum 1, Spectrum-2, or Spectrum-3 peer switch (with four lanes) using a 4x breakout configuration and the default lanes per port setting, links do not come up. To work around this issue, provide the lanes per port configuration shown below:
cumulus@switch:~$ nv set interface  link breakout 4x lanes-per-port 1
| 5.9.0-5.16.1 | | | [3818545](#3818545)
| The terminal monitoring software SecureCRT has a known issue when running on both Windows and Mac systems where it gets stuck when monitoring the serial port of the switch as Cumulus Linux boots up. When this occurs, the serial port stops as shown below and SecureCRT is unable to receive any more serial data from the switch (it is able to transmit).
Mounting dev-hugepages.mount - Huge Pages File System..
Mounting dev-mqueue.mount
| 5.9.0-5.16.1 | | -| [3775686](#3775686)
| The BGP Suppress Route Advertisement feature under scale (more than 30000 routes) advertises partial updates to downstream neighbors. Because FRR does not read kernel route updates fast enough, the netlink socket receive buffer gets full and further update notifications are dropped. | 5.8.0-5.9.5 | 5.10.0-5.16.1| +| [3775686, 3644649](#3775686, 3644649)
| The BGP Suppress Route Advertisement feature under scale (more than 30000 routes) advertises partial updates to downstream neighbors. Because FRR does not read kernel route updates fast enough, the netlink socket receive buffer gets full and further update notifications are dropped. | 5.8.0-5.9.5 | 5.10.0-5.16.1| | [3774274](#3774274)
| When you manually configure the /etc/cumulus/datapath/qos/qos_features.conf file without applying the QoS configuration with NVUE, running the nv config apply empty command later does not clean up the QoS configuration. If the QoS configuration includes breakout ports, the nv config apply empty command fails due to a switchd reload trigger failure. To work around this issue, clean up the configuration manually in the /etc/cumulus/datapath/qos/qos_features.conf, then run the nv config apply empty command. | 5.8.0-5.16.1 | | | [3773177](#3773177)
| When you try to upgrade a switch from Cumulus Linux before 5.6.0 with package upgrade, you might see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.
cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt install ./cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt update
cumulus@switch:~$ sudo apt upgrade
| 4.0.0-4.4.5, 5.0.0-5.16.1 | | | [3771168](#3771168)
| When you perform an ISSU upgrade on a Spectrum 1 switch, the switchd service might crash. | 5.8.0-5.16.1 | | @@ -799,21 +799,21 @@ pdfhidden: True | [3655681](#3655681)
| When you disable, then enable STP auto-edge on a port, the port might not transition to the operational edge even though the port does not receive bpdus. To work around this issue, configure the port as an admin-edge port. | 5.7.0-5.16.1 | | | [3637444](#3637444)
| Applying an inbound control plane ACL on the eth0 management interface does not take effect. To work around this issue, apply the ACL on the mgmt interface; for example, nv set interface mgmt acl inbound control-plane. | 5.7.0-5.16.1 | | | [3636266](#3636266)
| When an unresolved next hop is present in a next hop group, especially over an SVI interface, the switch checks if the neighbor MAC address is in the forwarding table. If the neighbor's MAC address is not there, the switch skips this next hop from backend programming and you see the switchd error ERR NH: l3 nhg v6 l3 nhg contains one or more unresolvable nexthops. There is no impact to switch functionality as unresolved neighbors are not programmed in hardware until they are resolved. | 5.7.0-5.9.5 | 5.10.0-5.16.1| -| [3610591](#3610591)
| After configuring the system level pre-login and post-login banner messages, the messages do not return to their default settings when you run the nv unset system command or the nv config apply empty command. | 5.7.0-5.9.5 | 5.10.0-5.16.1| +| [3610591, 3781456](#3610591, 3781456)
| After configuring the system level pre-login and post-login banner messages, the messages do not return to their default settings when you run the nv unset system command or the nv config apply empty command. | 5.7.0-5.9.5 | 5.10.0-5.16.1| | [3591918](#3591918)
| The nv action disconnect system aaa user command does not clear all open sessions. To work around this issue, run the command as many times as the number of sessions. | 5.6.0-5.16.1 | | | [3587393](#3587393)
| If you use the NVIDIA SN5600 (Spectrum-4) switch with Ixia test equipment, you might experience delayed link up due to intermittent link flaps.
To work around this issue when using copper cables:
  • Use Ixia IxOS version 9.37 with HF002156, or version 9.39 or later.
  • Use the DAC cable on ports 10 through 50.
  • Use NVIDIA cables with the recommended firmware revision.
  • Configure AN on the Cumulus Linux switch and AN/LT on Ixia.

To work around this issue when using fiber cables:
  • Configure 800g/Force.
  • Use the recommended NVIDIA optical adapters.
| 5.6.0-5.16.1 | | -| [3556762](#3556762)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | +| [3556762, 3463827](#3556762, 3463827)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | | [3540510](#3540510)
| 400Gx8 ports only support traffic line rate with packets that are larger than 172 bytes. | 5.6.0-5.16.1 | | -| [3538321](#3538321)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | +| [3538321, 3564344](#3538321, 3564344)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | | [3497622](#3497622)
| When you remove PSUs, then plug them back in, you might experience traffic loss and some ports might be in a down state. | 5.6.0-5.16.1 | | | [3472163](#3472163)
| On a switch with the Spectrum-4 ASIC, packets that are smaller than 256 bytes are not included in multicast flows. Multicast flows support packets that are 256 bytes or larger. | 5.6.0-5.16.1 | | -| [3452681](#3452681)
| When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND. | 5.5.0-5.10.1 | 5.11.0-5.16.1| +| [3452681, 3465375](#3452681, 3465375)
| When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND. | 5.5.0-5.10.1 | 5.11.0-5.16.1| | [3444490](#3444490)
| Migration from ONYX to Cumulus Linux is supported and tested with ONYX version 3.10.4302 GA only. | 5.6.0-5.16.1 | | -| [3442569](#3442569)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | -| [3430430](#3430430)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | -| [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | +| [3442569, 3520880, 3586421](#3442569, 3520880, 3586421)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | +| [3430430, 3337848](#3430430, 3337848)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | +| [3424967, 3413785](#3424967, 3413785)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [3414866](#3414866)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | +| [3414866, 3536555, 4465009, 4509253, 4732973](#3414866, 3536555, 4465009, 4509253, 4732973)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | | [3393966](#3393966)
| When you configure OSPF network statements using NVUE with the nv set vrf router ospf area network command, subsequent configuration changes with NVUE might bring down all OSPF neighbors. To work around this issue, create an NVUE snippet to configure the network statement, or use the nv set interface router ospf area command to enable OSPF on interfaces instead of using a network statement. | 5.5.0-5.9.5 | 5.10.0-5.16.1| | [3362113](#3362113)
| If you restore an NVUE startup.yaml file or run the nv config patch command after an upgrade that includes breakout ports with QoS configuration, the NVUE configuration fails to apply. Subsequent attempts to run nv config apply fail with a message similar to Invalid config [rev_id: 11] qos config is not supported on the following invalid interface: swp1s0. Supported on swp and bond interface types. To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. | 5.4.0-5.16.1 | | | [3347538](#3347538)
| When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.16.1 | | @@ -824,10 +824,10 @@ pdfhidden: True | [3253218](#3253218)
| Auto-negotiation isn't supported on Spectrum-2 and Spectrum-3 switches using the 1G SFP-T module; FORCE 1G is configured instead. | 5.4.0-5.16.1 | | | [3241567](#3241567)
| When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time. | 5.3.0-5.16.1 | | | [3226506](#3226506)
| The l1-show eth0 command does not show port information and is not supported in this release. | 5.3.0-5.16.1 | | -| [3225117](#3225117)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | +| [3225117, 3158720](#3225117, 3158720)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | | [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.16.1 | | | [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.16.1 | | -| [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | +| [3145869, 3430508, 3543102](#3145869, 3430508, 3543102)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | | [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example: 
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.16.1 | | | [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.16.1 | | | [3103821](#3103821)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.16.1 | | @@ -837,8 +837,8 @@ pdfhidden: True | [3061656](#3061656)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.16.1 | | | [2972540](#2972540)
| With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.16.1 | | | [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.16.1 | | -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [2885305](#2885305)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2885305, 2887500, 3234087, 3074929, 3293192](#2885305, 2887500, 3234087, 3074929, 3293192)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.16.1 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.16.1 | | | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | @@ -858,7 +858,7 @@ pdfhidden: True |--- |--- |--- |--- | | [4963277](#4963277)
| When many BFD sessions are configured at scale, ptmd might crash when one of the BFD sessions flaps. | 5.3.1-5.16.1 | | | [4815029](#4815029)
| The message that the switch displays when you generate a cl-support file or as a post login banner contains an invalid Cumulus Support email address, which is no longer the formal channel for reporting support issues. | 5.0.0-5.15.1 | 5.16.0-5.16.1| -| [4717752](#4717752)
| When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.3.1-5.11.4 | 5.11.5-5.16.1, 5.15.0-5.16.1| +| [4717752, 3963232](#4717752, 3963232)
| When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.3.1-5.11.4 | 5.11.5-5.16.1, 5.15.0-5.16.1| | [4647646](#4647646)
| If you configure policy-based routing (PBR) rules for more than 32 interfaces, only the rules assigned to the first 32 interfaces are installed in the kernel. | 4.4.2-5.14.0 | 5.15.0-5.16.1| | [4637200](#4637200)
| When more than one IPv4 and/or IPv6 addresses are configured on a remote interface, NVUE LLDP commands such as nv show interface lldp-detail only reflect one address. To work around this issue, use lldpctl to view LLDP information. For example, sudo lldpctl -d -f json swp1. | 5.9.0-5.14.0 | 5.15.0-5.16.1| | [4633514](#4633514)
| When the switch processes large numbers of mroute updates in an MLAG configuration, FRR might crash. | 5.8.0-5.14.0 | 5.15.0-5.16.1| @@ -869,12 +869,12 @@ pdfhidden: True | [4531104](#4531104)
| On a switch with SDK 4.6.1062 or earlier, you might see FW fatal health events. | 5.6.0-5.13.1 | 5.14.0-5.16.1| | [4521203](#4521203)
| The SATA driver on the NVIDIA SN2410 switch sometimes exhibits failures similar to the following:
2025-06-20T20:03:38.785966+09:00 S1-RF10B kernel: 
[49878794.456350] ata1.00: failed command: WRITE FPDMA QUEUED
2025-06-20T20:03:38.785968+09:00 S1-RF10B kernel: [49878794.461984] ata1.00: cmd
61/08:08:50:2b:c4/00:00:01:00:00/40 tag 1 ncq dma 4096 out
2025-06-20T20:03:38.785970+09:00 S1-RF10B kernel: [49878794.461984] res 40/00:0c:50:2b:c4/00:00:01:00:00/40 Emask 0×10 (ATA bus error)

To work around this issue, power cycle the switch. | 5.5.1-5.13.1 | 5.14.0-5.16.1| | [4495231](#4495231)
| If the hardware clock date is later than 2038-01-19 03:14:07 UTC, the image might fail to install due to a grub-install failure on the EFI filesystem, which is a VFAT filesystem. As a result, you see the grub prompt immediately after reboot. To work around this issue, reboot from the grub prompt to go into ONIE. From ONIE, use the date command to set a date before 2038-01-19, then run the hwclock --systohc command to add it to the hardware clock. You can then use onie-nos-install to install the image. | 5.9.0-5.16.1 | | -| [4423336](#4423336)
| When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the nv config patch command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with systemctl restart nvued.service. | 5.9.0-5.11.5 | 5.12.0-5.16.1| +| [4423336, 3875789, 3933038](#4423336, 3875789, 3933038)
| When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the nv config patch command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with systemctl restart nvued.service. | 5.9.0-5.11.5 | 5.12.0-5.16.1| | [4423335](#4423335)
| When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the nv config patch command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with systemctl restart nvued.service. | 5.9.0-5.16.1 | | | [4423248](#4423248)
| If you unset an interface static IP address when the interface IP gateway is configured, the nv config apply command fails with an ifreload.service error. To work around this issue, unset both the static IP address and gateway together. | 5.9.0-5.16.1 | | | [4423244](#4423244)
| When you enable, then disable adaptive routing, the BGP neighbors might go down because of an unresolved MAC address. To work around this issue, configure another attribute on the interface. | 5.9.0-5.16.1 | | | [4423223](#4423223)
| When processing the static IP assignment for an interface previously managed through DHCP, Cumulus Linux fails to clean up the DHCP created state completely. As a result when the IP address assigned by DHCP earlier expires, the switch eventually loses connectivity. | 5.1.0-5.11.1 | 5.11.2-5.16.1, 5.13.0-5.16.1| -| [4422898](#4422898)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.13.1 | 5.14.0-5.16.1| +| [4422898, 4497128](#4422898, 4497128)
| When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. | 5.0.0-5.13.1 | 5.14.0-5.16.1| | [4404956](#4404956)
| On the NVIDIA SN2201 switch, the fan tray LED status update fails and you see the following syslog errors:
systemd-udevd116276: mlxreg:fan1:green: Process ‘/usr/bin/hw-management-chassis-events.sh fantray-led-event mlxreg:fan1:green 255’ failed with exit code 1.

To work around this issue, restart the hw-management service with the sudo systemctl restart hw-management command. | 5.7.0-5.11.1 | 5.11.2-5.16.1, 5.14.0-5.16.1| | [4271202](#4271202)
| When the STP state goes down, then back up on the primary MLAG peer, the peerlink state is not updated correctly in mstpd. | 5.8.0-5.11.0 | 5.11.1-5.16.1, 5.12.0-5.16.1| | [4260013](#4260013)
| When you configure the SPAN port mirror truncate size to a value greater than four and less than the supported minimum, NVUE allows the configuration even though there are errors and failures in the mirror session configuration.
The supported values for truncate size are 32 to 4088 for Spectrum 1, 48 to 4088 for Spectrum-2 and Spectrum-3, and 64 to 4088 for Spectrum-4.
To work around this issue, run the echo > /cumulus/switchd/config/mirror/session/1/truncate_size command before you reconfigure mirror sessions with the supported values. | 5.8.0-5.11.0 | 5.11.1-5.16.1, 5.12.0-5.16.1| @@ -882,7 +882,7 @@ pdfhidden: True | [4220147](#4220147)
| When you bring STP down, then up on the primary MLAG peer, the STP state machine restarts and the peerlink operational edge resets. As a result, the secondary MLAG peer ends up in an STP discarding state. To work around this issue, restart the clagd service. | 5.8.0-5.11.0 | 5.11.1-5.16.1, 5.12.0-5.16.1| | [4154369](#4154369)
| When adding or removing routes in a virtual router with numerous configured routes, you might encounter incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. | 5.5.1-5.9.3 | 5.9.4-5.16.1, 5.11.1-5.16.1| | [4134451](#4134451)
| When you set the SNMP server listening address to listen on all IPv4 and IPv6 addresses in a VRF with the nv set service snmp-server listening-address all vrf and nv set service snmp-server listening-address all-v6 vrf commands, SNMP requests over IPv6 addresses do not work. | 5.8.0-5.10.1 | 5.11.0-5.16.1| -| [4129699](#4129699)
| switchd crashes because the hardware MAC limit is higher than the maximum. | 5.8.0-5.10.1 | 5.11.0-5.16.1| +| [4129699, 3790461](#4129699, 3790461)
| switchd crashes because the hardware MAC limit is higher than the maximum. | 5.8.0-5.10.1 | 5.11.0-5.16.1| | [4127253](#4127253)
| You might see switchd high-memory consumption and eventually switchd stops because it is out of memory due to higher tunnel (VNI x VTEP) scale. | 5.8.0-5.10.1 | 5.11.0-5.16.1| | [4124139](#4124139)
| When you add MLAG configuration to the first bond in a single MLAG switch configuration, MLAG interfaces and VXLAN interfaces go down. | 5.8.0-5.10.1 | 5.11.0-5.16.1| | [4101808](#4101808)
| When the SNMP service is busy for approximately more than a minute, the applications using net-snmp APIs to support their MIBs (such as FRR) become blocked. | 5.9.0-5.10.1 | 5.11.0-5.16.1| @@ -897,10 +897,10 @@ pdfhidden: True | [4037015](#4037015)
| The NVUE commands to delete SNMP users, and change authentication passwords and encryption passphrases are not successful. | 4.3.0-5.9.5 | 5.10.0-5.16.1| | [4035681](#4035681)
| The nv show interface commands show RX and TX Power values from the wrong lanes on breakout ports. | 5.8.0-5.10.1 | 5.11.0-5.16.1| | [4035597](#4035597)
| When using SSM and the upstream interface goes away (the source stops sending or the link goes down) the PIMREG interface is added to the outgoing interface list of the S,G and is never removed. As a result, multicast traffic that hits the impacted S,G is forwarded to the CPU and dropped by the switch. | 5.9.0-5.9.5 | 5.10.0-5.16.1| -| [4023776](#4023776)
| The NVUE nv show interface eth0 and nv show vrf commands take more than two minutes to run if you have configured hundreds of interfaces because NVUE makes repetitive system calls to get vlan/link/tunnel bridge information. | 5.9.0-5.9.5 | 5.10.0-5.16.1| +| [4023776, 4023377](#4023776, 4023377)
| The NVUE nv show interface eth0 and nv show vrf commands take more than two minutes to run if you have configured hundreds of interfaces because NVUE makes repetitive system calls to get vlan/link/tunnel bridge information. | 5.9.0-5.9.5 | 5.10.0-5.16.1| | [4023649](#4023649)
| On rare occasions when certain events occur, such as changes to the topology in the network, when a bond comes online and directly transits to an STP blocking state, the slave ports might still be in a forwarding state. As a result, traffic is forwarded on a blocked port. | 5.2.0-5.9.5 | 5.10.0-5.16.1| | [4023645](#4023645)
| When you disable dynamic NAT manually in the /etc/cumulus/switchd.conf file instead of using NVUE commands but the dynamic NAT rules still exist in the /etc/cumulus/acl/policy,d/.rules file, the switch encounters a memory leak. To work around this issue, remove dynamic NAT rules in rules files in /etc/cumulus/acl/policy.d before you disable dynamic NAT in the /etc/cumulus/switchd.conf file. | 5.9.0-5.9.5 | 5.10.0-5.16.1| -| [4007614](#4007614)
| Static ARP configured with NVUE commands is deleted when the relevant layer 3 interface flaps. | 5.8.0-5.9.5 | 5.10.0-5.16.1| +| [4007614, 3677821](#4007614, 3677821)
| Static ARP configured with NVUE commands is deleted when the relevant layer 3 interface flaps. | 5.8.0-5.9.5 | 5.10.0-5.16.1| | [4007329](#4007329)
| Cumulus Linux incorrectly handles unnumbered neighbor types, which causes discrepancies in the running configuration and session flaps during FRR reload. | 5.9.0-5.9.5 | 5.10.0-5.16.1| | [4005261](#4005261)
| On the Spectrum-4 switch, when you use PTP on a 800G link, jumbo frames traversing the same link might cause a degradation in PTP performance. | 5.9.0-5.9.5 | 5.10.0-5.16.1| | [4003866](#4003866)
| Following an EVPN extended mobility event, where a host with IP address A and MAC address A moves within the fabric and now resides at IP address A and MAC address B, you might see traffic destined to this host experience drops as the flow is software forwarded on the egress VTEP. | 5.0.1-5.9.5 | 5.10.0-5.16.1| @@ -922,10 +922,10 @@ pdfhidden: True | [3980957](#3980957)
| On NVIDIA Cumulus VX, the password does not reset to the default value of cumulus. | 5.9.0-5.9.5 | 5.10.0-5.16.1| | [3980956](#3980956)
| The default memory configuration for NVIDIA Cumulus VX OVA is too low and needs to be increased. | 5.9.0-5.9.5 | 5.10.0-5.16.1| | [3980943](#3980943)
| The default NIC for the VMWare OVA file is set to vmxnet3 instead of e1000. | 5.9.0-5.9.5 | 5.10.0-5.16.1| -| [3980941](#3980941)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.5 | 5.10.0-5.16.1| +| [3980941, 3895041](#3980941, 3895041)
| After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes:
 snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a

This issue occurs because poectl is called on non-PoE switches. To work around this issue, remove or comment out the poetcl call from the /etc/snmpd.conf file, then restart the snmpd process with the sudo systemctl snmpd restart command

 #snmp ALL = NOPASSWD: /usr/cumulus/bin/poectl -j -a
| 4.4.0-5.9.5 | 5.10.0-5.16.1| | [3980938](#3980938)
| When ARP suppression is off, remote EVPN VTEPs duplicate ARP packets from local hosts and each remote host receives two copies of the ARP packets. The issue also applies to IPv6 ND packets. | 5.8.0-5.9.5 | 5.10.0-5.16.1| | [3980925](#3980925)
| When you configure the bridge.kernel_mac_refresh_interval parameter in the switchd.conf file, a switchd restart fails with a core dump. | 5.8.0-5.9.5 | 5.10.0-5.16.1| -| [3965573](#3965573)
| If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. | 5.3.1-5.9.5 | 5.10.0-5.16.1| +| [3965573, 3949366](#3965573, 3949366)
| If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. | 5.3.1-5.9.5 | 5.10.0-5.16.1| | [3965564](#3965564)
| A kernel crash due to memory corruption might occur due to a netfilter error. The log message from netfilter might contain a warning similar to the following:
kernel: WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_core.c:1210 __nf_conntrack_confirm+0x5c7/0x6b0 [nf_conntrack]kernel: RIP: 0010:__nf_conntrack_confirm+0x5c7/0x6b0 [nf_conntrack]
| 5.9.0-5.9.5 | 5.10.0-5.16.1| | [3915878](#3915878)
| If you configure remote syslog export through a non-default VRF, you might see repeated error logs from the rsyslog process while the switch is booting:
rsyslogd: create UDP socket bound to device failed: No such device [v8.2302.0]rsyslogd: No UDP socket could successfully be initialized, some functionality may be disabled.  [v8.2302.0]

The logs occur because the rsyslog service starts before the networking service creates the configured VRF for syslog export. There is no functional impact with this issue. | 5.9.0-5.16.1 | | | [3915829](#3915829)
| General improvements to overall software stability. | 5.9.0 | 5.9.1-5.16.1| @@ -933,11 +933,11 @@ pdfhidden: True | [3897227](#3897227)
| During an LLDP update storm while deleting or adding LLPD neighbors, PTMD crashes as a result of mishandling multi-threaded LLPD processing. | 5.5.1-5.9.5 | 5.10.0-5.16.1| | [3895848](#3895848)
| MLAG bonds might report an LACP partner MAC mismatch unexpectedly during LACP negotation and MLAG convergence until the bond reaches a dual connected state. There is no impact to bonds when this mismatch is reported. | 5.9.0-5.9.5 | 5.10.0-5.16.1| | [3890993](#3890993)
| On the NVIDIA spectrum-4 switch, l1-show command output does not show Eye opening information for an interface port. | 5.9.0-5.9.5 | 5.10.0-5.16.1| -| [3879809](#3879809)
| Spectrum-4 switches do not include full What Just Happened (WJH) support. | 5.9.0-5.13.1 | 5.14.0-5.16.1| -| [3878699](#3878699)
| In an EVPN multihoming configuration, when the VXLAN device associated with a layer 2 VNI flaps, there is a route entry in the tenant VRF associated with the locally learned host. | 5.9.0-5.10.1 | 5.11.0-5.16.1| +| [3879809, 4064254](#3879809, 4064254)
| Spectrum-4 switches do not include full What Just Happened (WJH) support. | 5.9.0-5.13.1 | 5.14.0-5.16.1| +| [3878699, 3939355](#3878699, 3939355)
| In an EVPN multihoming configuration, when the VXLAN device associated with a layer 2 VNI flaps, there is a route entry in the tenant VRF associated with the locally learned host. | 5.9.0-5.10.1 | 5.11.0-5.16.1| | [3878394](#3878394)
| When ZTP runs a script that contains wget, ZTP fails and you see a message similar to the following:
ZTP: ZTP DHCP: Unexpected error: 'ascii' codec can't decode byte 0xe2 in position 181: ordinal not in range(128)ZTP: Script returned failure

To work around this issue, use the -q option with wget. | 5.9.0-5.16.1 | | | [3877516](#3877516)
| When you connect two NVIDIA switches and configure 400G speed in force mode, links don't come up.
To work around this issue, make sure auto-negotiation is always on when connecting NVIDIA to NVIDIA in PAM4. | 5.9.0-5.16.1 | | -| [3875687](#3875687)
| After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the Local Vtep Ip field of the nv show evpn vni command output. To work around this issue, either run the ifup command or reboot the switch. | 5.9.0-5.13.1 | 5.14.0-5.16.1| +| [3875687, 3879260, 4025900](#3875687, 3879260, 4025900)
| After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the Local Vtep Ip field of the nv show evpn vni command output. To work around this issue, either run the ifup command or reboot the switch. | 5.9.0-5.13.1 | 5.14.0-5.16.1| | [3875373](#3875373)
| When you run the nv config apply empty command, NVUE removes the cumulus user. If you are logged in as the cumulus user when you run the nv config apply empty command, the command fails. | 5.9.0-5.16.1 | | | [3873219](#3873219)
| When you remove a port from a bond and add it to the bridge in a single set of NVUE commands, then apply the configuration, the port forwarding state is blocked on all the bridge VLANs. To work around this issue, apply the configuration in two steps. First remove the port from the bond and apply the configuration, then add the port to the bridge and apply the configuration. | 5.9.0-5.9.5 | 5.10.0-5.16.1| | [3861745](#3861745)
| On UEFI hardware (where the /sys/firmware/efi directory exists), using the update-grub program might generate a /boot/grub/grub.cfg that is incorrect for booting ONIE if the ONIE option is selected on the console while booting. To work around this issue, run mount LABEL="EFI System" /boot/efi before using update-grub. | 5.9.0-5.16.1 | | @@ -945,7 +945,7 @@ pdfhidden: True | [3847439](#3847439)
| In rare cases on the Spectrum 1 switch, where a dual connected host transmits all traffic flows to only one switch in a connected MLAG pair, and the host changes behavior to hash all flows to the other MLAG switch, there might be traffic loss if the MAC FDB entry on the original switch ages out. | 5.9.0-5.16.1 | | | [3819945](#3819945)
| When you connect an NVIDIA SN4410, SN4700, or SN5600 switch to any Spectrum 1, Spectrum-2, or Spectrum-3 peer switch (with four lanes) using a 4x breakout configuration and the default lanes per port setting, links do not come up. To work around this issue, provide the lanes per port configuration shown below:
cumulus@switch:~$ nv set interface  link breakout 4x lanes-per-port 1
| 5.9.0-5.16.1 | | | [3818545](#3818545)
| The terminal monitoring software SecureCRT has a known issue when running on both Windows and Mac systems where it gets stuck when monitoring the serial port of the switch as Cumulus Linux boots up. When this occurs, the serial port stops as shown below and SecureCRT is unable to receive any more serial data from the switch (it is able to transmit).
Mounting dev-hugepages.mount - Huge Pages File System..
Mounting dev-mqueue.mount
| 5.9.0-5.16.1 | | -| [3775686](#3775686)
| The BGP Suppress Route Advertisement feature under scale (more than 30000 routes) advertises partial updates to downstream neighbors. Because FRR does not read kernel route updates fast enough, the netlink socket receive buffer gets full and further update notifications are dropped. | 5.8.0-5.9.5 | 5.10.0-5.16.1| +| [3775686, 3644649](#3775686, 3644649)
| The BGP Suppress Route Advertisement feature under scale (more than 30000 routes) advertises partial updates to downstream neighbors. Because FRR does not read kernel route updates fast enough, the netlink socket receive buffer gets full and further update notifications are dropped. | 5.8.0-5.9.5 | 5.10.0-5.16.1| | [3774274](#3774274)
| When you manually configure the /etc/cumulus/datapath/qos/qos_features.conf file without applying the QoS configuration with NVUE, running the nv config apply empty command later does not clean up the QoS configuration. If the QoS configuration includes breakout ports, the nv config apply empty command fails due to a switchd reload trigger failure. To work around this issue, clean up the configuration manually in the /etc/cumulus/datapath/qos/qos_features.conf, then run the nv config apply empty command. | 5.8.0-5.16.1 | | | [3773177](#3773177)
| When you try to upgrade a switch from Cumulus Linux before 5.6.0 with package upgrade, you might see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.
cumulus@switch:~$ wget https://download.nvidia.com/cumulus/apt.cumulusnetworks.com/repo/pool/cumulus/c/cumulus-archive-keyring/cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt install ./cumulus-archive-keyring_4-cl5.6.0u5_all.deb
cumulus@switch:~$ sudo apt update
cumulus@switch:~$ sudo apt upgrade
| 4.0.0-4.4.5, 5.0.0-5.16.1 | | | [3771168](#3771168)
| When you perform an ISSU upgrade on a Spectrum 1 switch, the switchd service might crash. | 5.8.0-5.16.1 | | @@ -954,21 +954,21 @@ pdfhidden: True | [3655681](#3655681)
| When you disable, then enable STP auto-edge on a port, the port might not transition to the operational edge even though the port does not receive bpdus. To work around this issue, configure the port as an admin-edge port. | 5.7.0-5.16.1 | | | [3637444](#3637444)
| Applying an inbound control plane ACL on the eth0 management interface does not take effect. To work around this issue, apply the ACL on the mgmt interface; for example, nv set interface mgmt acl inbound control-plane. | 5.7.0-5.16.1 | | | [3636266](#3636266)
| When an unresolved next hop is present in a next hop group, especially over an SVI interface, the switch checks if the neighbor MAC address is in the forwarding table. If the neighbor's MAC address is not there, the switch skips this next hop from backend programming and you see the switchd error ERR NH: l3 nhg v6 l3 nhg contains one or more unresolvable nexthops. There is no impact to switch functionality as unresolved neighbors are not programmed in hardware until they are resolved. | 5.7.0-5.9.5 | 5.10.0-5.16.1| -| [3610591](#3610591)
| After configuring the system level pre-login and post-login banner messages, the messages do not return to their default settings when you run the nv unset system command or the nv config apply empty command. | 5.7.0-5.9.5 | 5.10.0-5.16.1| +| [3610591, 3781456](#3610591, 3781456)
| After configuring the system level pre-login and post-login banner messages, the messages do not return to their default settings when you run the nv unset system command or the nv config apply empty command. | 5.7.0-5.9.5 | 5.10.0-5.16.1| | [3591918](#3591918)
| The nv action disconnect system aaa user command does not clear all open sessions. To work around this issue, run the command as many times as the number of sessions. | 5.6.0-5.16.1 | | | [3587393](#3587393)
| If you use the NVIDIA SN5600 (Spectrum-4) switch with Ixia test equipment, you might experience delayed link up due to intermittent link flaps.
To work around this issue when using copper cables:
  • Use Ixia IxOS version 9.37 with HF002156, or version 9.39 or later.
  • Use the DAC cable on ports 10 through 50.
  • Use NVIDIA cables with the recommended firmware revision.
  • Configure AN on the Cumulus Linux switch and AN/LT on Ixia.

To work around this issue when using fiber cables:
  • Configure 800g/Force.
  • Use the recommended NVIDIA optical adapters.
| 5.6.0-5.16.1 | | -| [3556762](#3556762)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | +| [3556762, 3463827](#3556762, 3463827)
| On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.5.0-5.16.1 | | | [3540510](#3540510)
| 400Gx8 ports only support traffic line rate with packets that are larger than 172 bytes. | 5.6.0-5.16.1 | | -| [3538321](#3538321)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | +| [3538321, 3564344](#3538321, 3564344)
| In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. | 5.6.0-5.16.1 | | | [3497622](#3497622)
| When you remove PSUs, then plug them back in, you might experience traffic loss and some ports might be in a down state. | 5.6.0-5.16.1 | | | [3472163](#3472163)
| On a switch with the Spectrum-4 ASIC, packets that are smaller than 256 bytes are not included in multicast flows. Multicast flows support packets that are 256 bytes or larger. | 5.6.0-5.16.1 | | -| [3452681](#3452681)
| When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND. | 5.5.0-5.10.1 | 5.11.0-5.16.1| +| [3452681, 3465375](#3452681, 3465375)
| When you run the NVUE nv show system aaa tacacs authorization commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND. | 5.5.0-5.10.1 | 5.11.0-5.16.1| | [3444490](#3444490)
| Migration from ONYX to Cumulus Linux is supported and tested with ONYX version 3.10.4302 GA only. | 5.6.0-5.16.1 | | -| [3442569](#3442569)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | -| [3430430](#3430430)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | -| [3424967](#3424967)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | +| [3442569, 3520880, 3586421](#3442569, 3520880, 3586421)
| When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both nginx.service and nvued.service to begin authenticating users against the new authentication service. | 5.5.0-5.16.1 | | +| [3430430, 3337848](#3430430, 3337848)
| When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. | 5.5.0-5.16.1 | | +| [3424967, 3413785](#3424967, 3413785)
| sudo for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the default VRF. To work around this issue, specify the interface name that the default VRF uses in the vrf= setting of the /etc/tacplus_servers file or run the NVUE nv set system aaa tacacs vrf command. If you don't run either command, a TACACS+ user with privilege level 15 can run vrf task exec default sudo ... to execute the sudo command. | 5.0.0-5.16.1 | | | [3420056](#3420056)
| The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 when you use 10G QSA adaptors. To work around this issue, use 25G QSA adaptors. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [3414866](#3414866)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | +| [3414866, 3536555, 4465009, 4509253, 4732973](#3414866, 3536555, 4465009, 4509253, 4732973)
| Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error.
sx_sdk: 22985 [BRIDGE] [ERROR  ]: Port(0x200A000D)) already added to a bridge

You can ignore this error; it has no impact on switch functionality. | 5.6.0-5.16.1 | | | [3393966](#3393966)
| When you configure OSPF network statements using NVUE with the nv set vrf router ospf area network command, subsequent configuration changes with NVUE might bring down all OSPF neighbors. To work around this issue, create an NVUE snippet to configure the network statement, or use the nv set interface router ospf area command to enable OSPF on interfaces instead of using a network statement. | 5.5.0-5.9.5 | 5.10.0-5.16.1| | [3362113](#3362113)
| If you restore an NVUE startup.yaml file or run the nv config patch command after an upgrade that includes breakout ports with QoS configuration, the NVUE configuration fails to apply. Subsequent attempts to run nv config apply fail with a message similar to Invalid config [rev_id: 11] qos config is not supported on the following invalid interface: swp1s0. Supported on swp and bond interface types. To work around this issue, run nv unset on the configured QoS settings, then apply the breakout port configuration before you configure QoS. Alternatively, you can remove the QoS configuration from the yaml file and patch it separately after applying the breakout configuration. | 5.4.0-5.16.1 | | | [3347538](#3347538)
| When connecting NVIDIA-to-NVIDIA in PAM4, you must enable auto-negotiation. | 5.4.0-5.16.1 | | @@ -979,10 +979,10 @@ pdfhidden: True | [3253218](#3253218)
| Auto-negotiation isn't supported on Spectrum-2 and Spectrum-3 switches using the 1G SFP-T module; FORCE 1G is configured instead. | 5.4.0-5.16.1 | | | [3241567](#3241567)
| When you apply switch configuration for the first time on a freshly booted switch and you run the nv config apply command after setting the hostname with nv set system hostname, you might see the error message Failed to start Hostname Service. To work around this issue, run the nv config apply command a second time. | 5.3.0-5.16.1 | | | [3226506](#3226506)
| The l1-show eth0 command does not show port information and is not supported in this release. | 5.3.0-5.16.1 | | -| [3225117](#3225117)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | +| [3225117, 3158720](#3225117, 3158720)
| Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. | 5.4.0-5.16.1 | | | [3172504](#3172504)
| When you connect the NVIDIA SN4600C switch to a Spectrum 1 or Spectrum-3 switch with a 40GbE passive copper cable (Part Number: MC2210126-005) on edge ports 1-4 and 61-64, there is an Effective BER of 1E-12 in PHY. | 5.2.0-5.16.1 | | | [3147782](#3147782)
| You cannot use NVUE to configure an SNMP view to include a subtree beginning with a period. For example:
cumulus@switch:~$ nv set service snmp-server viewname cumulusOnly included .1.3.6.1.4.1.40310Error: GET /nvue_v1/service/snmp-server/viewname/cumulusOnly/included?pointers=%5B%22%2Fparameters%22%2C+%22%2Fpatch%2FrequestBody%2Fcontent%2Fapplication~1json%2Fschema%22%2C+%22%2Fpatch%2Fparameters%22%2C+%22%2Fpatch%2Fresponses%2F200%2Flinks%22%5D responded with 404 NOT FOUND
To work around this issue, reference the OID without the preceding period ( . ) in the command. | 5.3.0-5.16.1 | | -| [3145869](#3145869)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | +| [3145869, 3430508, 3543102](#3145869, 3430508, 3543102)
| On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. | 5.2.0-5.16.1 | | | [3135952](#3135952)
| PAM4 split cables (such as 2x100G, 4x100G, and 4x50G) do not work with a forced speed setting (when auto-negotiation is off) as the default speed enabled is for NRZ mode (such as 100G_4X). To work around this issue, set the appropriate lanes for forced speed (with auto-negotation off) with the ethtool -s swpX speed autoneg off lanes command. For example: 
cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2
| 5.2.0-5.16.1 | | | [3115242](#3115242)
| When you configure two VNIs in the same VLAN, ifupdown2 shows a vlan added to two or more VXLANS warning, which is only issued after the VNI is already added to the bridge. This leaves the new VNI in the PVID even if there is already an existing VNI configured in that PVID. | 5.1.0-5.16.1 | | | [3103821](#3103821)
| On the NVIDIA SN4700 switch, inserting and removing the PSU might cause loss of frames. | 5.2.0-5.16.1 | | @@ -992,8 +992,8 @@ pdfhidden: True | [3061656](#3061656)
| When the CPU load is high during a warm boot, bonds with a slow LACP rate fail to forward layer 2 traffic for up to 60 seconds (depending on the duration of the CPU load) and static bonds fail to forward layer 2 traffic for up to 5 seconds. | 5.1.0-5.16.1 | | | [2972540](#2972540)
| With RADIUS enabled for user shell authentication, there might be a delay in local user authentication for non cumulus user accounts. | 5.0.0-5.16.1 | | | [2951110](#2951110)
| The net show time ntp servers command does not show any output with the management VRF. | 3.7.15-3.7.16, 4.1.1-4.4.5, 5.0.0-5.16.1 | | -| [2904450](#2904450)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | -| [2885305](#2885305)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | +| [2904450, 2553222](#2904450, 2553222)
| When you run the ethtool -m or the l1-show command, the 400G interface optical values do not show. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | +| [2885305, 2887500, 3234087, 3074929, 3293192](#2885305, 2887500, 3234087, 3074929, 3293192)
| Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. | 5.0.0-5.16.1 | | | [2867042](#2867042)
| When connecting the NVIDIA SN4600 switch to another NVIDIA Spectrum switch, you must use auto-negotiation mode (not force mode); otherwise the switch might use the wrong Tx configuration. | 5.0.0-5.16.1 | | | [2823307](#2823307)
| Cumuls Linux does not support a bond with more than 64 ports. Any configuration with more than 64 ports in a bond changes all ports to down when you apply the configuration. | 5.0.0-5.16.1 | | | [2736108](#2736108)
| When you change the VRRP advertisement interval on the master, the master advertisement interval field in the show vrrp command output does not show the updated value. | 4.4.0-4.4.5, 5.0.0-5.16.1 | | @@ -1004,14 +1004,14 @@ pdfhidden: True ### Fixed Issues in 5.9.0 | Issue ID | Description | Affects | |--- |--- |--- | -| [3875419](#3875419)
| The cleanup scrip inadvertently removes the active LTTng session directory used by lttng-sessiond for trace dumping. This issue occurs under specific conditions when more than five LTTng trace folders are present, leading to intermittent failures in trace logging. To work around this issue, manually move the timestamped lttng logs to a different directory. | 5.8.0 | | +| [3875419, 3871507](#3875419, 3871507)
| The cleanup scrip inadvertently removes the active LTTng session directory used by lttng-sessiond for trace dumping. This issue occurs under specific conditions when more than five LTTng trace folders are present, leading to intermittent failures in trace logging. To work around this issue, manually move the timestamped lttng logs to a different directory. | 5.8.0 | | | [3863858](#3863858)
| VRR interfaces might show dadfailed on their IPv6 link-local address. | 5.6.0-5.8.0 | | | [3863063](#3863063)
| When simultaneously changing the maxage and forward-delay bridge timers in RSTP for VLAN-aware bridges, the commands might not be accepted if the 2xfdelay-1 is less than the previously configured maxage timer because ifupdown2 configures the forward delay first.
To work around this issue, run the ifreload -a command again to process the forward-delay command after the new maxage configuration has been accepted.
You have to repeat the ifreload -a command after a reboot to set the forward delay correctly in the bridge. | 5.8.0 | | -| [3837121](#3837121)
| With a large route map and community list configuration, FRR reload takes much longer than normal (approximately 13 seconds) and in some cases, CPU utilization is high. | 5.8.0 | | +| [3837121, 3695576](#3837121, 3695576)
| With a large route map and community list configuration, FRR reload takes much longer than normal (approximately 13 seconds) and in some cases, CPU utilization is high. | 5.8.0 | | | [3832116](#3832116)
| When you configure a SPAN session either with the NVUE nv set system port-mirror session command or in the /etc/cumulus/switchd.d/port-mirror.conf file and the default route is configured to 0.0.0.0/0, the SPAN session might not work as expected. To work around this issue, remove the default route 0.0.0.0/0 and use alternate routes instead. | 5.7.0-5.8.0 | | | [3828243](#3828243)
| After you change the remote AS for a peer group, the switch no longer has any peers associated with the peer group. To work around this issue, reconfigure all the associated peers after you change the remote AS for the peer group. | 5.8.0 | | | [3824750](#3824750)
| With the nvidia.nvue Ansible module, NVUE honors input from the Ansible module only; if you do not provide the full configuration, NVUE generates an exception. To work around this issue, always provide the full configuration. | 5.6.0-5.8.0 | | -| [3813710](#3813710)
| The What Just Happened service (wjhd) fails to start if an interface alias (description) contains the text Ethernet and add syslog messages similar to the following:
router1: wjhd: exception: stoirouter1: wjhd: Fail to deinit SDK telemetry, error: [3]: [Invalid Handle]
| 5.8.0 | | +| [3813710, 3814673](#3813710, 3814673)
| The What Just Happened service (wjhd) fails to start if an interface alias (description) contains the text Ethernet and add syslog messages similar to the following:
router1: wjhd: exception: stoirouter1: wjhd: Fail to deinit SDK telemetry, error: [3]: [Invalid Handle]
| 5.8.0 | | | [3812857](#3812857)
| When enabling telemetry on an interface, NVUE doesn’t validate if some of the configuration is correct. For example if you configure swp1s0, but enter swp1 by mistake, NVUE accepts and applies this configuration. If the ASIC monitor service finds that this port is not available, it skips the configuration associated with this port. NVUE applies configuration for other valid ports as expected. | 5.8.0 | | | [3800536](#3800536)
| Some third-party modules cause false-alarm interrupts during SERDES tuning, which overloads the ASIC and causes an ASIC response delay. | 5.8.0 | | | [3798580](#3798580)
| With ROCE enabled, LLDP DCBX TLVs might carry an incorrect PFC map when bond interfaces are present on the switch. | 5.8.0 | | @@ -1019,9 +1019,9 @@ pdfhidden: True | [3782543](#3782543)
| When you configure the BGP setting bgp max-med on-startup with vtysh, the MED on some peers might not be set to 4294967294 as expected on startup. The max-med might also fail to reset after the startup timer expires. | 5.6.0-5.8.0 | | | [3775648](#3775648)
| Enabling or disabling link utilization causes the switchd service to restart, which causes all network ports to reset, interrupts network services, and resets the switch hardware configuration. | 5.8.0 | | | [3773991](#3773991)
| When you use warm mode to reboot a switch with a large number of EVPN routes and BGP graceful restart is enabled, stale routes might be relearned from BGP neighbors after the switch boots. This might cause traffic loss until BGP is fully converged after the reboot. | 5.8.0 | | -| [3770993](#3770993)
| When a supplicant is authorized successfully on an interface in 802.1x multi-host mode, ping traffic coming into the 802.1x interface towards a local SVI might not be successful. | 5.8.0 | | +| [3770993, 3811142](#3770993, 3811142)
| When a supplicant is authorized successfully on an interface in 802.1x multi-host mode, ping traffic coming into the 802.1x interface towards a local SVI might not be successful. | 5.8.0 | | | [3770865](#3770865)
| On the NVIDIA SN5600 switch, performing a fresh image install or a power cycle can cause the PCIE link speed to get downgraded from Gen3(8GTs) to Gen1(2.5GTs). To recover, reboot the switch. | 5.8.0 | | -| [3767037](#3767037)
| When you try to upgrade a switch from Cumulus Linux 5.5 or earlier to 5.8.0 with package upgrade, you see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.
cumulus@switch:~$ sudo apt-get updatecumulus@switch:~$ sudo apt-get install --allow-unauthenticated cumulus-archive-keyring
| 5.8.0 | | +| [3767037, 3770312](#3767037, 3770312)
| When you try to upgrade a switch from Cumulus Linux 5.5 or earlier to 5.8.0 with package upgrade, you see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch.
cumulus@switch:~$ sudo apt-get updatecumulus@switch:~$ sudo apt-get install --allow-unauthenticated cumulus-archive-keyring
| 5.8.0 | | | [3765395](#3765395)
| The nv unset nve vxlan flooding and nv set nve vxlan flooding enable off commands do not disable BUM flooding. To work around this issue, disable BUM flooding with vtysh commands:
leaf01# configure terminal
leaf01(config)# router bgp 
leaf01(config-router)# address-family l2vpn evpn
leaf01(config-router-af)# flooding disable
leaf01(config-router-af)# end
leaf01# write memory
leaf01# exit
| 5.5.0-5.8.0 | | | [3759515](#3759515)
| After upgrading to Cumulus Linux 5.8, MLAG reports bonds as bpdu guard mismatch. To work around this issue, restart the MLAG service with the systemctl restart clagd on the device that reports the conflict. | 5.8.0 | | | [3753050](#3753050)
| On Spectrum 1 switches, switchd might crash due to an SDK health event or error. | 5.6.0-5.8.0 | | @@ -1030,14 +1030,14 @@ pdfhidden: True | [3739008](#3739008)
| The Lenovo MSN4600-VS2RC (PN SSG7B27990 Back-to-Front/C2P Airflow) might run the fan tray fans at a high speed because the software believes the PSU fans are running in the wrong direction. | 5.5.1-5.8.0 | | | [3730904](#3730904)
| When sending untagged frames to the CPU with an MTU higher than the SVD (single VXLAN device) MTU, the kernel might crash. | 5.4.0-5.8.0 | | | [3702431](#3702431)
| Traditional SNMP snippets do not take effect unless you first enable SNMP with the NVUE nv set service snmp-server enable on and nv set service snmp-server listening-address commands. Alternatively, you can use the equivalent REST API methods. | 5.4.0-5.8.0 | | -| [3679478](#3679478)
| During switch boot, you see the following messages in the syslog:
2024-03-04T10:34:49.650950+00:00 cumulus sx_sdk: 2262 [TELE] [ERROR  ]: Tele impl module is already initialized2024-03-04T10:34:49.651041+00:00 cumulus sx_sdk: 2262 [TELE] [ERROR  ]: sdk_tele_init failed, for chip type CHIP_TYPE_SWITCH_SPECTRUM3, err = Already initialized

This is due to both the ASIC Monitoring service and the What Just Happened (WJH) service trying to initialize the SDK TELE module. You can ignore the messages because the TELE service has already initialized properly. | 5.7.0-5.8.0 | | +| [3679478, 3701229, 3737814](#3679478, 3701229, 3737814)
| During switch boot, you see the following messages in the syslog:
2024-03-04T10:34:49.650950+00:00 cumulus sx_sdk: 2262 [TELE] [ERROR  ]: Tele impl module is already initialized2024-03-04T10:34:49.651041+00:00 cumulus sx_sdk: 2262 [TELE] [ERROR  ]: sdk_tele_init failed, for chip type CHIP_TYPE_SWITCH_SPECTRUM3, err = Already initialized

This is due to both the ASIC Monitoring service and the What Just Happened (WJH) service trying to initialize the SDK TELE module. You can ignore the messages because the TELE service has already initialized properly. | 5.7.0-5.8.0 | | | [3672706](#3672706)
| When you enable port security, you can configure a maximum of 450 port security static MAC addresses for an interface. | 5.7.0-5.8.0 | | -| [3610967](#3610967)
| In an EVPN symmetric routing configuration, running the NVUE nv set vrf vlan auto command to derive layer 3 VNIs automatically might result in duplicate VLAN entries in the system. This most often occurs at scale when many VRFs have similar names. To work around this issue, manually specify a unique VLAN for each VRF. | 5.3.0-5.8.0 | | -| [3546857](#3546857)
| The nv show bridge vlan command does not show tagged and untagged VLAN information for the bridge
| 5.6.0-5.8.0 | | +| [3610967, 3647761](#3610967, 3647761)
| In an EVPN symmetric routing configuration, running the NVUE nv set vrf vlan auto command to derive layer 3 VNIs automatically might result in duplicate VLAN entries in the system. This most often occurs at scale when many VRFs have similar names. To work around this issue, manually specify a unique VLAN for each VRF. | 5.3.0-5.8.0 | | +| [3546857, 3564377](#3546857, 3564377)
| The nv show bridge vlan command does not show tagged and untagged VLAN information for the bridge
| 5.6.0-5.8.0 | | | [3541653](#3541653)
| During warm boot with layer 3 traffic, you might experience packet loss for approximately 15 milliseconds. | 5.6.0-5.8.0 | | | [3484058](#3484058)
| When you power on the NVIDIA SN3420 switch with no connected cables, the QSFP ports LEDs light in amber. | 5.3.0-5.8.0 | | -| [3463827](#3463827)
| On rare occasions, SPT switchover might not happen cleanly in PIM, resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.6.0-5.8.0 | | +| [3463827, 3434515, 3556762](#3463827, 3434515, 3556762)
| On rare occasions, SPT switchover might not happen cleanly in PIM, resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. | 5.6.0-5.8.0 | | | [3436407](#3436407)
| The nv show acl command output shows a header but no ACL details. | 5.5.0-5.8.0 | | -| [3433577](#3433577)
| When you use a single VXLAN device (SVD) with MLAG and static VXLAN tunnels, Cumulus Linux incorrectly associates the MAC addresses it learns from the VXLAN fabric to the bridge PVID. This issue can lead to a feedback loop between the clagd service and switchd, and might result in critical CPU usage with an out of memory condition. Do not use an SVD when enabling MLAG in a static VXLAN environment. | 5.5.0-5.8.0 | | +| [3433577, 3433769](#3433577, 3433769)
| When you use a single VXLAN device (SVD) with MLAG and static VXLAN tunnels, Cumulus Linux incorrectly associates the MAC addresses it learns from the VXLAN fabric to the bridge PVID. This issue can lead to a feedback loop between the clagd service and switchd, and might result in critical CPU usage with an out of memory condition. Do not use an SVD when enabling MLAG in a static VXLAN environment. | 5.5.0-5.8.0 | | | [3141826](#3141826)
| A slow memory leak (~5KB over 24 hour period at a 60 second polling interval) might occur in SNMP when you walk the following system MIB objects (1.3.6.1.2.1)
1.3.6.1.2.1.47 --> Entity MIB
1.3.6.1.2.1.99 --> Entity Sensor MIB
1.3.6.1.2.1.23 --> rip2
1.3.6.1.2.1.2 --> interface/interfaces
1.3.6.1.2.1.31 --> ifMIB
1.3.6.1.2.1.4 --> IP
1.3.6.1.2.1.25 --> hostResource | 5.0.1-5.8.0 | | diff --git a/content/cumulus-linux-59/rn.xml b/content/cumulus-linux-59/rn.xml index c4ca4310ac..dca54c9cda 100644 --- a/content/cumulus-linux-59/rn.xml +++ b/content/cumulus-linux-59/rn.xml @@ -101,7 +101,7 @@ To work around this issue, power cycle the switch. -4423336 +4423336, 3875789, 3933038 When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the {{nv config patch}} command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with {{systemctl restart nvued.service}}. 5.9.0-5.11.5 5.12.0-5.16.1 @@ -125,7 +125,7 @@ To work around this issue, power cycle the switch. -4422898 +4422898, 4497128 When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. 5.0.0-5.13.1 5.14.0-5.16.1 @@ -150,7 +150,7 @@ This happens in async mode, where the end notification expected after an end of 5.11.1-5.16.1, 5.12.0-5.16.1 -4129699 +4129699, 3790461 {{switchd}} crashes because the hardware MAC limit is higher than the maximum. 5.8.0-5.10.1 5.11.0-5.16.1 @@ -198,7 +198,7 @@ This happens in async mode, where the end notification expected after an end of 5.12.0-5.16.1 -4049213 +4049213, 4186873 When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. 5.9.2-5.16.1 @@ -229,7 +229,7 @@ This happens in async mode, where the end notification expected after an end of 5.11.0-5.16.1 -3994544 +3994544, 3976680 Under certain scale scenarios, the switch might end up in a state where the PTM component's connection to LLDP breaks. This issue results in LLDP socket contention issues and, in turn, a PTM memory leak. 5.9.1-5.9.5 5.10.0-5.16.1 @@ -277,13 +277,13 @@ You can safely ignore this error as FRR accepts and applies the new configuratio 5.10.0-5.16.1 -3879809 +3879809, 4064254 Spectrum-4 switches do not include full What Just Happened (WJH) support. 5.9.0-5.13.1 5.14.0-5.16.1 -3878699 +3878699, 3939355 In an EVPN multihoming configuration, when the VXLAN device associated with a layer 2 VNI flaps, there is a route entry in the tenant VRF associated with the locally learned host. 5.9.0-5.10.1 5.11.0-5.16.1 @@ -304,7 +304,7 @@ To work around this issue, use the {{-q}} option with {{wget}}. -3875687 +3875687, 3879260, 4025900 After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the {{Local Vtep Ip}} field of the {{nv show evpn vni <vni>}} command output. To work around this issue, either run the {{ifup <vxlan-id>}} command or reboot the switch. 5.9.0-5.13.1 5.14.0-5.16.1 @@ -357,7 +357,7 @@ Mounting dev-mqueue.mount -3775686 +3775686, 3644649 The BGP Suppress Route Advertisement feature under scale (more than 30000 routes) advertises partial updates to downstream neighbors. Because FRR does not read kernel route updates fast enough, the netlink socket receive buffer gets full and further update notifications are dropped. 5.8.0-5.9.5 5.10.0-5.16.1 @@ -425,7 +425,7 @@ cumulus@switch:~$ nv set acl one type mac 5.10.0-5.16.1 -3610591 +3610591, 3781456 After configuring the system level pre-login and post-login banner messages, the messages do not return to their default settings when you run the {{nv unset system}} command or the {{nv config apply empty}} command. 5.7.0-5.9.5 5.10.0-5.16.1 @@ -451,7 +451,7 @@ To work around this issue when using fiber cables: -3556762 +3556762, 3463827 On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. 5.5.0-5.16.1 @@ -463,7 +463,7 @@ To work around this issue when using fiber cables: -3538321 +3538321, 3564344 In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. 5.6.0-5.16.1 @@ -481,7 +481,7 @@ To work around this issue when using fiber cables: -3452681 +3452681, 3465375 When you run the NVUE {{nv show system aaa tacacs authorization}} commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to {{Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND}}. 5.5.0-5.10.1 5.11.0-5.16.1 @@ -493,19 +493,19 @@ To work around this issue when using fiber cables: -3442569 +3442569, 3520880, 3586421 When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both {{nginx.service}} and {{nvued.service}} to begin authenticating users against the new authentication service. 5.5.0-5.16.1 -3430430 +3430430, 3337848 When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. 5.5.0-5.16.1 -3424967 +3424967, 3413785 {{sudo}} for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the {{default}} VRF. To work around this issue, specify the interface name that the {{default}} VRF uses in the {{vrf=}} setting of the {{/etc/tacplus_servers}} file or run the NVUE {{nv set system aaa tacacs vrf}} command. If you don't run either command, a TACACS+ user with privilege level 15 can run {{vrf task exec default sudo ...}} to execute the {{sudo}} command. 5.0.0-5.16.1 @@ -518,7 +518,7 @@ The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 -3414866 +3414866, 3536555, 4465009, 4509253, 4732973 Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error. sx_sdk: 22985 [BRIDGE] [ERROR ]: Port(0x200A000D)) already added to a bridge You can ignore this error; it has no impact on switch functionality. @@ -586,7 +586,7 @@ You can ignore this error; it has no impact on switch functionality. -3225117 +3225117, 3158720 Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. 5.4.0-5.16.1 @@ -609,7 +609,7 @@ To work around this issue, reference the OID without the preceding period ( {{.} -3145869 +3145869, 3430508, 3543102 On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. 5.2.0-5.16.1 @@ -672,7 +672,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -680,7 +680,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2885305 +2885305, 2887500, 3234087, 3074929, 3293192 Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. 5.0.0-5.16.1 @@ -733,7 +733,7 @@ You can safely ignore this warning. Affects -4958319 +4958319, 4926426 When you run the {{nv config apply}} command or the {{sudo systemctl reload frr.service}} command on a switch configured with VRF route leaking that has many BGP peers, VRFs, and BGP learned prefixes, FRR reload might time out. To work around this issue, run {{sudo systemctl edit frr.service}} to change the {{TimeoutSec=2m}} to a higher value and apply the changes with {{sudo systemctl daemon-reload}}. 5.15.0-5.16.1 @@ -763,7 +763,7 @@ You can safely ignore this warning. 5.11.1-5.15.1 -4717752 +4717752, 3963232 When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. 5.3.1-5.9.4 @@ -835,7 +835,7 @@ You can safely ignore this warning. 5.16.0-5.16.1 -4717752 +4717752, 3963232 When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. 5.3.1-5.11.4 5.11.5-5.16.1, 5.15.0-5.16.1 @@ -893,7 +893,7 @@ To work around this issue, power cycle the switch. -4423336 +4423336, 3875789, 3933038 When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the {{nv config patch}} command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with {{systemctl restart nvued.service}}. 5.9.0-5.11.5 5.12.0-5.16.1 @@ -917,7 +917,7 @@ To work around this issue, power cycle the switch. -4422898 +4422898, 4497128 When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. 5.0.0-5.13.1 5.14.0-5.16.1 @@ -942,7 +942,7 @@ This happens in async mode, where the end notification expected after an end of 5.11.1-5.16.1, 5.12.0-5.16.1 -4129699 +4129699, 3790461 {{switchd}} crashes because the hardware MAC limit is higher than the maximum. 5.8.0-5.10.1 5.11.0-5.16.1 @@ -990,7 +990,7 @@ This happens in async mode, where the end notification expected after an end of 5.12.0-5.16.1 -4049213 +4049213, 4186873 When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. 5.9.2-5.16.1 @@ -1021,7 +1021,7 @@ This happens in async mode, where the end notification expected after an end of 5.11.0-5.16.1 -3994544 +3994544, 3976680 Under certain scale scenarios, the switch might end up in a state where the PTM component's connection to LLDP breaks. This issue results in LLDP socket contention issues and, in turn, a PTM memory leak. 5.9.1-5.9.5 5.10.0-5.16.1 @@ -1069,13 +1069,13 @@ You can safely ignore this error as FRR accepts and applies the new configuratio 5.10.0-5.16.1 -3879809 +3879809, 4064254 Spectrum-4 switches do not include full What Just Happened (WJH) support. 5.9.0-5.13.1 5.14.0-5.16.1 -3878699 +3878699, 3939355 In an EVPN multihoming configuration, when the VXLAN device associated with a layer 2 VNI flaps, there is a route entry in the tenant VRF associated with the locally learned host. 5.9.0-5.10.1 5.11.0-5.16.1 @@ -1096,7 +1096,7 @@ To work around this issue, use the {{-q}} option with {{wget}}. -3875687 +3875687, 3879260, 4025900 After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the {{Local Vtep Ip}} field of the {{nv show evpn vni <vni>}} command output. To work around this issue, either run the {{ifup <vxlan-id>}} command or reboot the switch. 5.9.0-5.13.1 5.14.0-5.16.1 @@ -1149,7 +1149,7 @@ Mounting dev-mqueue.mount -3775686 +3775686, 3644649 The BGP Suppress Route Advertisement feature under scale (more than 30000 routes) advertises partial updates to downstream neighbors. Because FRR does not read kernel route updates fast enough, the netlink socket receive buffer gets full and further update notifications are dropped. 5.8.0-5.9.5 5.10.0-5.16.1 @@ -1217,7 +1217,7 @@ cumulus@switch:~$ nv set acl one type mac 5.10.0-5.16.1 -3610591 +3610591, 3781456 After configuring the system level pre-login and post-login banner messages, the messages do not return to their default settings when you run the {{nv unset system}} command or the {{nv config apply empty}} command. 5.7.0-5.9.5 5.10.0-5.16.1 @@ -1243,7 +1243,7 @@ To work around this issue when using fiber cables: -3556762 +3556762, 3463827 On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. 5.5.0-5.16.1 @@ -1255,7 +1255,7 @@ To work around this issue when using fiber cables: -3538321 +3538321, 3564344 In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. 5.6.0-5.16.1 @@ -1273,7 +1273,7 @@ To work around this issue when using fiber cables: -3452681 +3452681, 3465375 When you run the NVUE {{nv show system aaa tacacs authorization}} commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to {{Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND}}. 5.5.0-5.10.1 5.11.0-5.16.1 @@ -1285,19 +1285,19 @@ To work around this issue when using fiber cables: -3442569 +3442569, 3520880, 3586421 When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both {{nginx.service}} and {{nvued.service}} to begin authenticating users against the new authentication service. 5.5.0-5.16.1 -3430430 +3430430, 3337848 When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. 5.5.0-5.16.1 -3424967 +3424967, 3413785 {{sudo}} for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the {{default}} VRF. To work around this issue, specify the interface name that the {{default}} VRF uses in the {{vrf=}} setting of the {{/etc/tacplus_servers}} file or run the NVUE {{nv set system aaa tacacs vrf}} command. If you don't run either command, a TACACS+ user with privilege level 15 can run {{vrf task exec default sudo ...}} to execute the {{sudo}} command. 5.0.0-5.16.1 @@ -1310,7 +1310,7 @@ The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 -3414866 +3414866, 3536555, 4465009, 4509253, 4732973 Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error. sx_sdk: 22985 [BRIDGE] [ERROR ]: Port(0x200A000D)) already added to a bridge You can ignore this error; it has no impact on switch functionality. @@ -1378,7 +1378,7 @@ You can ignore this error; it has no impact on switch functionality. -3225117 +3225117, 3158720 Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. 5.4.0-5.16.1 @@ -1401,7 +1401,7 @@ To work around this issue, reference the OID without the preceding period ( {{.} -3145869 +3145869, 3430508, 3543102 On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. 5.2.0-5.16.1 @@ -1464,7 +1464,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -1472,7 +1472,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2885305 +2885305, 2887500, 3234087, 3074929, 3293192 Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. 5.0.0-5.16.1 @@ -1604,7 +1604,7 @@ To work around this issue, restart the FRR service using the {{sudo systemctl re 5.9.2-5.9.3 -4458865 +4458865, 4404759 Installing ssh keys for the cumulus user with NVUE fails and results in login failures. 5.12.1 @@ -1636,7 +1636,7 @@ To work around this issue, restart the {{hw-management}} service with the {{sudo 5.7.0-5.9.3 -4309875 +4309875, 3537335 When you configure an invalid switch port (swp), NVUE adds the invalid configuration instead of rejecting it. The invalid interface in the configuration does not have any functional impact. @@ -1870,7 +1870,7 @@ Save the file, run the {{nv config patch vlan-aware_bridge_snippet.yaml}} comman 5.16.0-5.16.1 -4717752 +4717752, 3963232 When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. 5.3.1-5.11.4 5.11.5-5.16.1, 5.15.0-5.16.1 @@ -1974,7 +1974,7 @@ To work around this issue, power cycle the switch. 5.11.2-5.16.1, 5.14.0-5.16.1 -4423336 +4423336, 3875789, 3933038 When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the {{nv config patch}} command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with {{systemctl restart nvued.service}}. 5.9.0-5.11.5 5.12.0-5.16.1 @@ -2004,7 +2004,7 @@ To work around this issue, power cycle the switch. 5.11.2-5.16.1, 5.13.0-5.16.1 -4422898 +4422898, 4497128 When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. 5.0.0-5.13.1 5.14.0-5.16.1 @@ -2121,7 +2121,7 @@ This happens in async mode, where the end notification expected after an end of 5.11.0-5.16.1 -4129699 +4129699, 3790461 {{switchd}} crashes because the hardware MAC limit is higher than the maximum. 5.8.0-5.10.1 5.11.0-5.16.1 @@ -2214,7 +2214,7 @@ Save the file, run the {{nv config patch vlan-aware_bridge_snippet.yaml}} comman 5.12.0-5.16.1 -4049213 +4049213, 4186873 When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. 5.9.2-5.16.1 @@ -2251,7 +2251,7 @@ Save the file, run the {{nv config patch vlan-aware_bridge_snippet.yaml}} comman 5.11.0-5.16.1 -3994544 +3994544, 3976680 Under certain scale scenarios, the switch might end up in a state where the PTM component's connection to LLDP breaks. This issue results in LLDP socket contention issues and, in turn, a PTM memory leak. 5.9.1-5.9.5 5.10.0-5.16.1 @@ -2299,13 +2299,13 @@ You can safely ignore this error as FRR accepts and applies the new configuratio 5.10.0-5.16.1 -3879809 +3879809, 4064254 Spectrum-4 switches do not include full What Just Happened (WJH) support. 5.9.0-5.13.1 5.14.0-5.16.1 -3878699 +3878699, 3939355 In an EVPN multihoming configuration, when the VXLAN device associated with a layer 2 VNI flaps, there is a route entry in the tenant VRF associated with the locally learned host. 5.9.0-5.10.1 5.11.0-5.16.1 @@ -2326,7 +2326,7 @@ To work around this issue, use the {{-q}} option with {{wget}}. -3875687 +3875687, 3879260, 4025900 After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the {{Local Vtep Ip}} field of the {{nv show evpn vni <vni>}} command output. To work around this issue, either run the {{ifup <vxlan-id>}} command or reboot the switch. 5.9.0-5.13.1 5.14.0-5.16.1 @@ -2379,7 +2379,7 @@ Mounting dev-mqueue.mount -3775686 +3775686, 3644649 The BGP Suppress Route Advertisement feature under scale (more than 30000 routes) advertises partial updates to downstream neighbors. Because FRR does not read kernel route updates fast enough, the netlink socket receive buffer gets full and further update notifications are dropped. 5.8.0-5.9.5 5.10.0-5.16.1 @@ -2447,7 +2447,7 @@ cumulus@switch:~$ nv set acl one type mac 5.10.0-5.16.1 -3610591 +3610591, 3781456 After configuring the system level pre-login and post-login banner messages, the messages do not return to their default settings when you run the {{nv unset system}} command or the {{nv config apply empty}} command. 5.7.0-5.9.5 5.10.0-5.16.1 @@ -2473,7 +2473,7 @@ To work around this issue when using fiber cables: -3556762 +3556762, 3463827 On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. 5.5.0-5.16.1 @@ -2485,7 +2485,7 @@ To work around this issue when using fiber cables: -3538321 +3538321, 3564344 In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. 5.6.0-5.16.1 @@ -2503,7 +2503,7 @@ To work around this issue when using fiber cables: -3452681 +3452681, 3465375 When you run the NVUE {{nv show system aaa tacacs authorization}} commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to {{Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND}}. 5.5.0-5.10.1 5.11.0-5.16.1 @@ -2515,19 +2515,19 @@ To work around this issue when using fiber cables: -3442569 +3442569, 3520880, 3586421 When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both {{nginx.service}} and {{nvued.service}} to begin authenticating users against the new authentication service. 5.5.0-5.16.1 -3430430 +3430430, 3337848 When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. 5.5.0-5.16.1 -3424967 +3424967, 3413785 {{sudo}} for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the {{default}} VRF. To work around this issue, specify the interface name that the {{default}} VRF uses in the {{vrf=}} setting of the {{/etc/tacplus_servers}} file or run the NVUE {{nv set system aaa tacacs vrf}} command. If you don't run either command, a TACACS+ user with privilege level 15 can run {{vrf task exec default sudo ...}} to execute the {{sudo}} command. 5.0.0-5.16.1 @@ -2540,7 +2540,7 @@ The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 -3414866 +3414866, 3536555, 4465009, 4509253, 4732973 Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error. sx_sdk: 22985 [BRIDGE] [ERROR ]: Port(0x200A000D)) already added to a bridge You can ignore this error; it has no impact on switch functionality. @@ -2608,7 +2608,7 @@ You can ignore this error; it has no impact on switch functionality. -3225117 +3225117, 3158720 Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. 5.4.0-5.16.1 @@ -2631,7 +2631,7 @@ To work around this issue, reference the OID without the preceding period ( {{.} -3145869 +3145869, 3430508, 3543102 On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. 5.2.0-5.16.1 @@ -2694,7 +2694,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -2702,7 +2702,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2885305 +2885305, 2887500, 3234087, 3074929, 3293192 Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. 5.0.0-5.16.1 @@ -2811,7 +2811,7 @@ You can safely ignore this warning. 5.16.0-5.16.1 -4717752 +4717752, 3963232 When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. 5.3.1-5.11.4 5.11.5-5.16.1, 5.15.0-5.16.1 @@ -2909,7 +2909,7 @@ To work around this issue, power cycle the switch. 5.11.2-5.16.1, 5.14.0-5.16.1 -4423336 +4423336, 3875789, 3933038 When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the {{nv config patch}} command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with {{systemctl restart nvued.service}}. 5.9.0-5.11.5 5.12.0-5.16.1 @@ -2939,7 +2939,7 @@ To work around this issue, power cycle the switch. 5.11.2-5.16.1, 5.13.0-5.16.1 -4422898 +4422898, 4497128 When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. 5.0.0-5.13.1 5.14.0-5.16.1 @@ -3056,7 +3056,7 @@ This happens in async mode, where the end notification expected after an end of 5.11.0-5.16.1 -4129699 +4129699, 3790461 {{switchd}} crashes because the hardware MAC limit is higher than the maximum. 5.8.0-5.10.1 5.11.0-5.16.1 @@ -3149,7 +3149,7 @@ Save the file, run the {{nv config patch vlan-aware_bridge_snippet.yaml}} comman 5.12.0-5.16.1 -4049213 +4049213, 4186873 When there are routes that point to a single next hop, an ECMP entry is created in the SDK. After the single next hop from the route is removed, the ECMP entry might stay in the SDK until the time the next hop is present in the kernel. 5.9.2-5.16.1 @@ -3186,7 +3186,7 @@ Save the file, run the {{nv config patch vlan-aware_bridge_snippet.yaml}} comman 5.11.0-5.16.1 -3994544 +3994544, 3976680 Under certain scale scenarios, the switch might end up in a state where the PTM component's connection to LLDP breaks. This issue results in LLDP socket contention issues and, in turn, a PTM memory leak. 5.9.1-5.9.5 5.10.0-5.16.1 @@ -3234,13 +3234,13 @@ You can safely ignore this error as FRR accepts and applies the new configuratio 5.10.0-5.16.1 -3879809 +3879809, 4064254 Spectrum-4 switches do not include full What Just Happened (WJH) support. 5.9.0-5.13.1 5.14.0-5.16.1 -3878699 +3878699, 3939355 In an EVPN multihoming configuration, when the VXLAN device associated with a layer 2 VNI flaps, there is a route entry in the tenant VRF associated with the locally learned host. 5.9.0-5.10.1 5.11.0-5.16.1 @@ -3261,7 +3261,7 @@ To work around this issue, use the {{-q}} option with {{wget}}. -3875687 +3875687, 3879260, 4025900 After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the {{Local Vtep Ip}} field of the {{nv show evpn vni <vni>}} command output. To work around this issue, either run the {{ifup <vxlan-id>}} command or reboot the switch. 5.9.0-5.13.1 5.14.0-5.16.1 @@ -3314,7 +3314,7 @@ Mounting dev-mqueue.mount -3775686 +3775686, 3644649 The BGP Suppress Route Advertisement feature under scale (more than 30000 routes) advertises partial updates to downstream neighbors. Because FRR does not read kernel route updates fast enough, the netlink socket receive buffer gets full and further update notifications are dropped. 5.8.0-5.9.5 5.10.0-5.16.1 @@ -3382,7 +3382,7 @@ cumulus@switch:~$ nv set acl one type mac 5.10.0-5.16.1 -3610591 +3610591, 3781456 After configuring the system level pre-login and post-login banner messages, the messages do not return to their default settings when you run the {{nv unset system}} command or the {{nv config apply empty}} command. 5.7.0-5.9.5 5.10.0-5.16.1 @@ -3408,7 +3408,7 @@ To work around this issue when using fiber cables: -3556762 +3556762, 3463827 On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. 5.5.0-5.16.1 @@ -3420,7 +3420,7 @@ To work around this issue when using fiber cables: -3538321 +3538321, 3564344 In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. 5.6.0-5.16.1 @@ -3438,7 +3438,7 @@ To work around this issue when using fiber cables: -3452681 +3452681, 3465375 When you run the NVUE {{nv show system aaa tacacs authorization}} commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to {{Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND}}. 5.5.0-5.10.1 5.11.0-5.16.1 @@ -3450,19 +3450,19 @@ To work around this issue when using fiber cables: -3442569 +3442569, 3520880, 3586421 When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both {{nginx.service}} and {{nvued.service}} to begin authenticating users against the new authentication service. 5.5.0-5.16.1 -3430430 +3430430, 3337848 When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. 5.5.0-5.16.1 -3424967 +3424967, 3413785 {{sudo}} for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the {{default}} VRF. To work around this issue, specify the interface name that the {{default}} VRF uses in the {{vrf=}} setting of the {{/etc/tacplus_servers}} file or run the NVUE {{nv set system aaa tacacs vrf}} command. If you don't run either command, a TACACS+ user with privilege level 15 can run {{vrf task exec default sudo ...}} to execute the {{sudo}} command. 5.0.0-5.16.1 @@ -3475,7 +3475,7 @@ The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 -3414866 +3414866, 3536555, 4465009, 4509253, 4732973 Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error. sx_sdk: 22985 [BRIDGE] [ERROR ]: Port(0x200A000D)) already added to a bridge You can ignore this error; it has no impact on switch functionality. @@ -3543,7 +3543,7 @@ You can ignore this error; it has no impact on switch functionality. -3225117 +3225117, 3158720 Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. 5.4.0-5.16.1 @@ -3566,7 +3566,7 @@ To work around this issue, reference the OID without the preceding period ( {{.} -3145869 +3145869, 3430508, 3543102 On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. 5.2.0-5.16.1 @@ -3629,7 +3629,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -3637,7 +3637,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2885305 +2885305, 2887500, 3234087, 3074929, 3293192 Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. 5.0.0-5.16.1 @@ -3730,7 +3730,7 @@ You can safely ignore this warning. 5.9.0-5.9.1 -4023776 +4023776, 4023377 The NVUE {{nv show interface eth0}} and {{nv show vrf}} commands take more than two minutes to run if you have configured hundreds of interfaces because NVUE makes repetitive system calls to get {{vlan/link/tunnel}} bridge information. 5.9.0-5.9.1 @@ -3751,7 +3751,7 @@ kernel: RIP: 0010:__nf_conntrack_confirm+0x5c7/0x6b0 [nf_conntrack] 5.9.1 -4007614 +4007614, 3677821 Static ARP configured with NVUE commands is deleted when the relevant layer 3 interface flaps. 5.8.0-5.9.1 @@ -3776,7 +3776,7 @@ kernel: RIP: 0010:__nf_conntrack_confirm+0x5c7/0x6b0 [nf_conntrack] 5.0.1-5.9.1 -3994463 +3994463, 3925795 The {{ntpsec@mgmt}} service does not come up by default when you install an image with ONIE because the trigger to bring up the service is missing. 5.9.1 @@ -3891,7 +3891,7 @@ kernel: RIP: 0010:__nf_conntrack_confirm+0x5c7/0x6b0 [nf_conntrack] 5.9.1 -3980941 +3980941, 3895041 After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes: snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a This issue occurs because {{poectl}} is called on non-PoE switches. To work around this issue, remove or comment out the {{poetcl}} call from the {{/etc/snmpd.conf}} file, then restart the {{snmpd}} process with the {{sudo systemctl snmpd restart}} command. @@ -3919,7 +3919,7 @@ This issue occurs because {{poectl}} is called on non-PoE switches. To work arou 5.9.1 -3965573 +3965573, 3949366 If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. 5.3.1-5.9.1 @@ -3979,7 +3979,7 @@ kernel: RIP: 0010:__nf_conntrack_confirm+0x5c7/0x6b0 [nf_conntrack] 5.16.0-5.16.1 -4717752 +4717752, 3963232 When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. 5.3.1-5.11.4 5.11.5-5.16.1, 5.15.0-5.16.1 @@ -4059,7 +4059,7 @@ To work around this issue, power cycle the switch. -4423336 +4423336, 3875789, 3933038 When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the {{nv config patch}} command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with {{systemctl restart nvued.service}}. 5.9.0-5.11.5 5.12.0-5.16.1 @@ -4089,7 +4089,7 @@ To work around this issue, power cycle the switch. 5.11.2-5.16.1, 5.13.0-5.16.1 -4422898 +4422898, 4497128 When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. 5.0.0-5.13.1 5.14.0-5.16.1 @@ -4175,7 +4175,7 @@ To work around this issue, restart the {{hw-management}} service with the {{sudo 5.11.0-5.16.1 -4129699 +4129699, 3790461 {{switchd}} crashes because the hardware MAC limit is higher than the maximum. 5.8.0-5.10.1 5.11.0-5.16.1 @@ -4317,7 +4317,7 @@ Save the file, run the {{nv config patch vlan-aware_bridge_snippet.yaml}} comman 5.10.0-5.16.1 -4023776 +4023776, 4023377 The NVUE {{nv show interface eth0}} and {{nv show vrf}} commands take more than two minutes to run if you have configured hundreds of interfaces because NVUE makes repetitive system calls to get {{vlan/link/tunnel}} bridge information. 5.9.0-5.9.5 5.10.0-5.16.1 @@ -4348,7 +4348,7 @@ kernel: RIP: 0010:__nf_conntrack_confirm+0x5c7/0x6b0 [nf_conntrack] 5.10.0-5.16.1 -4007614 +4007614, 3677821 Static ARP configured with NVUE commands is deleted when the relevant layer 3 interface flaps. 5.8.0-5.9.5 5.10.0-5.16.1 @@ -4384,13 +4384,13 @@ kernel: RIP: 0010:__nf_conntrack_confirm+0x5c7/0x6b0 [nf_conntrack] 5.10.0-5.16.1 -3994544 +3994544, 3976680 Under certain scale scenarios, the switch might end up in a state where the PTM component's connection to LLDP breaks. This issue results in LLDP socket contention issues and, in turn, a PTM memory leak. 5.9.1-5.9.5 5.10.0-5.16.1 -3994463 +3994463, 3925795 The {{ntpsec@mgmt}} service does not come up by default when you install an image with ONIE because the trigger to bring up the service is missing. 5.9.1-5.9.5 5.10.0-5.16.1 @@ -4534,7 +4534,7 @@ kernel: RIP: 0010:__nf_conntrack_confirm+0x5c7/0x6b0 [nf_conntrack] 5.10.0-5.16.1 -3980941 +3980941, 3895041 After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes: snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a This issue occurs because {{poectl}} is called on non-PoE switches. To work around this issue, remove or comment out the {{poetcl}} call from the {{/etc/snmpd.conf}} file, then restart the {{snmpd}} process with the {{sudo systemctl snmpd restart}} command. @@ -4567,7 +4567,7 @@ This issue occurs because {{poectl}} is called on non-PoE switches. To work arou 5.10.0-5.16.1 -3965573 +3965573, 3949366 If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. 5.3.1-5.9.5 5.10.0-5.16.1 @@ -4622,13 +4622,13 @@ You can safely ignore this error as FRR accepts and applies the new configuratio 5.10.0-5.16.1 -3879809 +3879809, 4064254 Spectrum-4 switches do not include full What Just Happened (WJH) support. 5.9.0-5.13.1 5.14.0-5.16.1 -3878699 +3878699, 3939355 In an EVPN multihoming configuration, when the VXLAN device associated with a layer 2 VNI flaps, there is a route entry in the tenant VRF associated with the locally learned host. 5.9.0-5.10.1 5.11.0-5.16.1 @@ -4649,7 +4649,7 @@ To work around this issue, use the {{-q}} option with {{wget}}. -3875687 +3875687, 3879260, 4025900 After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the {{Local Vtep Ip}} field of the {{nv show evpn vni <vni>}} command output. To work around this issue, either run the {{ifup <vxlan-id>}} command or reboot the switch. 5.9.0-5.13.1 5.14.0-5.16.1 @@ -4702,7 +4702,7 @@ Mounting dev-mqueue.mount -3775686 +3775686, 3644649 The BGP Suppress Route Advertisement feature under scale (more than 30000 routes) advertises partial updates to downstream neighbors. Because FRR does not read kernel route updates fast enough, the netlink socket receive buffer gets full and further update notifications are dropped. 5.8.0-5.9.5 5.10.0-5.16.1 @@ -4770,7 +4770,7 @@ cumulus@switch:~$ nv set acl one type mac 5.10.0-5.16.1 -3610591 +3610591, 3781456 After configuring the system level pre-login and post-login banner messages, the messages do not return to their default settings when you run the {{nv unset system}} command or the {{nv config apply empty}} command. 5.7.0-5.9.5 5.10.0-5.16.1 @@ -4796,7 +4796,7 @@ To work around this issue when using fiber cables: -3556762 +3556762, 3463827 On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. 5.5.0-5.16.1 @@ -4808,7 +4808,7 @@ To work around this issue when using fiber cables: -3538321 +3538321, 3564344 In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. 5.6.0-5.16.1 @@ -4826,7 +4826,7 @@ To work around this issue when using fiber cables: -3452681 +3452681, 3465375 When you run the NVUE {{nv show system aaa tacacs authorization}} commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to {{Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND}}. 5.5.0-5.10.1 5.11.0-5.16.1 @@ -4838,19 +4838,19 @@ To work around this issue when using fiber cables: -3442569 +3442569, 3520880, 3586421 When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both {{nginx.service}} and {{nvued.service}} to begin authenticating users against the new authentication service. 5.5.0-5.16.1 -3430430 +3430430, 3337848 When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. 5.5.0-5.16.1 -3424967 +3424967, 3413785 {{sudo}} for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the {{default}} VRF. To work around this issue, specify the interface name that the {{default}} VRF uses in the {{vrf=}} setting of the {{/etc/tacplus_servers}} file or run the NVUE {{nv set system aaa tacacs vrf}} command. If you don't run either command, a TACACS+ user with privilege level 15 can run {{vrf task exec default sudo ...}} to execute the {{sudo}} command. 5.0.0-5.16.1 @@ -4863,7 +4863,7 @@ The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 -3414866 +3414866, 3536555, 4465009, 4509253, 4732973 Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error. sx_sdk: 22985 [BRIDGE] [ERROR ]: Port(0x200A000D)) already added to a bridge You can ignore this error; it has no impact on switch functionality. @@ -4931,7 +4931,7 @@ You can ignore this error; it has no impact on switch functionality. -3225117 +3225117, 3158720 Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. 5.4.0-5.16.1 @@ -4954,7 +4954,7 @@ To work around this issue, reference the OID without the preceding period ( {{.} -3145869 +3145869, 3430508, 3543102 On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. 5.2.0-5.16.1 @@ -5017,7 +5017,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -5025,7 +5025,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2885305 +2885305, 2887500, 3234087, 3074929, 3293192 Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. 5.0.0-5.16.1 @@ -5103,7 +5103,7 @@ You can safely ignore this warning. 5.16.0-5.16.1 -4717752 +4717752, 3963232 When you add or remove routes in a virtual router with numerous configured routes, you might see incorrect routing of certain IP addresses. This can result in packets exiting through incorrect ports or being discarded. 5.3.1-5.11.4 5.11.5-5.16.1, 5.15.0-5.16.1 @@ -5173,7 +5173,7 @@ To work around this issue, power cycle the switch. -4423336 +4423336, 3875789, 3933038 When you configure TACACS with NVUE or merge an NVUE configuration file that includes TACACS configuration with the {{nv config patch}} command, you see an unrecoverable error when running additional NVUE commands. To work around this issue, restart the NVUE service with {{systemctl restart nvued.service}}. 5.9.0-5.11.5 5.12.0-5.16.1 @@ -5203,7 +5203,7 @@ To work around this issue, power cycle the switch. 5.11.2-5.16.1, 5.13.0-5.16.1 -4422898 +4422898, 4497128 When displaying BGP neighbor advertised routes in JSON format with very large routing tables, the process consumes excessive memory resulting in out of memory crashes. 5.0.0-5.13.1 5.14.0-5.16.1 @@ -5253,7 +5253,7 @@ To work around this issue, restart the {{hw-management}} service with the {{sudo 5.11.0-5.16.1 -4129699 +4129699, 3790461 {{switchd}} crashes because the hardware MAC limit is higher than the maximum. 5.8.0-5.10.1 5.11.0-5.16.1 @@ -5343,7 +5343,7 @@ To work around this issue, restart the {{hw-management}} service with the {{sudo 5.10.0-5.16.1 -4023776 +4023776, 4023377 The NVUE {{nv show interface eth0}} and {{nv show vrf}} commands take more than two minutes to run if you have configured hundreds of interfaces because NVUE makes repetitive system calls to get {{vlan/link/tunnel}} bridge information. 5.9.0-5.9.5 5.10.0-5.16.1 @@ -5361,7 +5361,7 @@ To work around this issue, restart the {{hw-management}} service with the {{sudo 5.10.0-5.16.1 -4007614 +4007614, 3677821 Static ARP configured with NVUE commands is deleted when the relevant layer 3 interface flaps. 5.8.0-5.9.5 5.10.0-5.16.1 @@ -5493,7 +5493,7 @@ To work around this issue, restart the {{hw-management}} service with the {{sudo 5.10.0-5.16.1 -3980941 +3980941, 3895041 After an NMS station does a full SNMP walk on the switch, you see the following message every 5 minutes: snmp : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/cumulus/bin/poectl -j -a This issue occurs because {{poectl}} is called on non-PoE switches. To work around this issue, remove or comment out the {{poetcl}} call from the {{/etc/snmpd.conf}} file, then restart the {{snmpd}} process with the {{sudo systemctl snmpd restart}} command. @@ -5514,7 +5514,7 @@ This issue occurs because {{poectl}} is called on non-PoE switches. To work arou 5.10.0-5.16.1 -3965573 +3965573, 3949366 If you use NVUE to create an SNMP user with a password, then delete and recreate the user with additional encryption passwords (such as DES or AES), SNMP authorization fails for that user. 5.3.1-5.9.5 5.10.0-5.16.1 @@ -5569,13 +5569,13 @@ You can safely ignore this error as FRR accepts and applies the new configuratio 5.10.0-5.16.1 -3879809 +3879809, 4064254 Spectrum-4 switches do not include full What Just Happened (WJH) support. 5.9.0-5.13.1 5.14.0-5.16.1 -3878699 +3878699, 3939355 In an EVPN multihoming configuration, when the VXLAN device associated with a layer 2 VNI flaps, there is a route entry in the tenant VRF associated with the locally learned host. 5.9.0-5.10.1 5.11.0-5.16.1 @@ -5596,7 +5596,7 @@ To work around this issue, use the {{-q}} option with {{wget}}. -3875687 +3875687, 3879260, 4025900 After changing the VXLAN local tunnel IP address, the new IP address is not reflected in the {{Local Vtep Ip}} field of the {{nv show evpn vni <vni>}} command output. To work around this issue, either run the {{ifup <vxlan-id>}} command or reboot the switch. 5.9.0-5.13.1 5.14.0-5.16.1 @@ -5649,7 +5649,7 @@ Mounting dev-mqueue.mount -3775686 +3775686, 3644649 The BGP Suppress Route Advertisement feature under scale (more than 30000 routes) advertises partial updates to downstream neighbors. Because FRR does not read kernel route updates fast enough, the netlink socket receive buffer gets full and further update notifications are dropped. 5.8.0-5.9.5 5.10.0-5.16.1 @@ -5717,7 +5717,7 @@ cumulus@switch:~$ nv set acl one type mac 5.10.0-5.16.1 -3610591 +3610591, 3781456 After configuring the system level pre-login and post-login banner messages, the messages do not return to their default settings when you run the {{nv unset system}} command or the {{nv config apply empty}} command. 5.7.0-5.9.5 5.10.0-5.16.1 @@ -5743,7 +5743,7 @@ To work around this issue when using fiber cables: -3556762 +3556762, 3463827 On rare occasions, SPT switchover might not happen cleanly in PIM resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. 5.5.0-5.16.1 @@ -5755,7 +5755,7 @@ To work around this issue when using fiber cables: -3538321 +3538321, 3564344 In rare cases, an STP topology change on PTP over a VLAN can result in the switch losing the slave state and one of the ports might remain in an uncalibrated state. To work around this issue, toggle the port that is in the uncalibrated state up and down so that one of the ports is selected as the slave. 5.6.0-5.16.1 @@ -5773,7 +5773,7 @@ To work around this issue when using fiber cables: -3452681 +3452681, 3465375 When you run the NVUE {{nv show system aaa tacacs authorization}} commands to show per command authorization for a specific TACACS+ user privilege level, you see an error message similar to {{Error: GET /nvue_v1/system/aaa/tacacs/authorization/1?rev=operational responded with 404 NOT FOUND}}. 5.5.0-5.10.1 5.11.0-5.16.1 @@ -5785,19 +5785,19 @@ To work around this issue when using fiber cables: -3442569 +3442569, 3520880, 3586421 When trying to access the NVUE API, user accounts authenticated with a newly-configured external service, such as TACACS, RADIUS, or LDAP, receive a 401 forbidden error. To work around this issue, after enabling a new authentication service, make sure to restart both {{nginx.service}} and {{nvued.service}} to begin authenticating users against the new authentication service. 5.5.0-5.16.1 -3430430 +3430430, 3337848 When you configure PTP on 50G ports, the offset correction might be higher, which can affect the time synchronization of the node. To work around this issue, configure PTP on 100G ports, or on 10G or 1G ports with PTP shaper enabled. 5.5.0-5.16.1 -3424967 +3424967, 3413785 {{sudo}} for TACACS+ users with privilege level 15 does not work when reaching the TACACS+ server through the {{default}} VRF. To work around this issue, specify the interface name that the {{default}} VRF uses in the {{vrf=}} setting of the {{/etc/tacplus_servers}} file or run the NVUE {{nv set system aaa tacacs vrf}} command. If you don't run either command, a TACACS+ user with privilege level 15 can run {{vrf task exec default sudo ...}} to execute the {{sudo}} command. 5.0.0-5.16.1 @@ -5810,7 +5810,7 @@ The ADVA 5401 SFP module with hardware revision 5.01 does not come up at layer 1 -3414866 +3414866, 3536555, 4465009, 4509253, 4732973 Each VLAN is represented as a bitmap on the underlying port and when you add multiple VLANs together, Cumulus Linux iterates over the existing ones and updates the diff. However, in few corner cases, the same bitmap might be repeated again causing the following error. sx_sdk: 22985 [BRIDGE] [ERROR ]: Port(0x200A000D)) already added to a bridge You can ignore this error; it has no impact on switch functionality. @@ -5878,7 +5878,7 @@ You can ignore this error; it has no impact on switch functionality. -3225117 +3225117, 3158720 Occasionally, packet loss might occur on 25G ports when the link is raised without FEC. 5.4.0-5.16.1 @@ -5901,7 +5901,7 @@ To work around this issue, reference the OID without the preceding period ( {{.} -3145869 +3145869, 3430508, 3543102 On a Spectrum-3 switch, the PTP offset in 10GbE changes between plus or minus 27. The average offset is around 7. 5.2.0-5.16.1 @@ -5964,7 +5964,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2904450 +2904450, 2553222 When you run the {{ethtool -m}} or the {{l1-show}} command, the 400G interface optical values do not show. @@ -5972,7 +5972,7 @@ cumulus@switch:~$ sudo ethtool -s swp1 speed 100000 autoneg off lanes 2 -2885305 +2885305, 2887500, 3234087, 3074929, 3293192 Certain Murata PSU attributes show intermittently in the sensors command output. To work around this issue, upgrade to the latest PSU firmware on Murata. 5.0.0-5.16.1 @@ -6025,7 +6025,7 @@ You can safely ignore this warning. Affects -3875419 +3875419, 3871507 The cleanup scrip inadvertently removes the active LTTng session directory used by {{lttng-sessiond}} for trace dumping. This issue occurs under specific conditions when more than five LTTng trace folders are present, leading to intermittent failures in trace logging. To work around this issue, manually move the timestamped {{lttng}} logs to a different directory. 5.8.0 @@ -6040,7 +6040,7 @@ You can safely ignore this warning. 5.8.0 -3837121 +3837121, 3695576 With a large route map and community list configuration, FRR reload takes much longer than normal (approximately 13 seconds) and in some cases, CPU utilization is high. 5.8.0 @@ -6060,7 +6060,7 @@ You can safely ignore this warning. 5.6.0-5.8.0 -3813710 +3813710, 3814673 The What Just Happened service ({{wjhd}}) fails to start if an interface alias (description) contains the text {{Ethernet}} and add syslog messages similar to the following: router1: wjhd: exception: stoi @@ -6104,7 +6104,7 @@ router1: wjhd: Fail to deinit SDK telemetry, error: [3]: [Invalid Handle] 5.8.0 -3770993 +3770993, 3811142 When a supplicant is authorized successfully on an interface in 802.1x multi-host mode, {{ping}} traffic coming into the 802.1x interface towards a local SVI might not be successful. 5.8.0 @@ -6114,7 +6114,7 @@ router1: wjhd: Fail to deinit SDK telemetry, error: [3]: [Invalid Handle] 5.8.0 -3767037 +3767037, 3770312 When you try to upgrade a switch from Cumulus Linux 5.5 or earlier to 5.8.0 with package upgrade, you see errors for expired GPG keys that prevent you from upgrading. To work around this issue, install the new keys with the following commands, then upgrade the switch. cumulus@switch:~$ sudo apt-get update @@ -6170,7 +6170,7 @@ leaf01# exit 5.4.0-5.8.0 -3679478 +3679478, 3701229, 3737814 During switch boot, you see the following messages in the syslog: 2024-03-04T10:34:49.650950+00:00 cumulus sx_sdk: 2262 [TELE] [ERROR ]: Tele impl module is already initialized @@ -6185,12 +6185,12 @@ This is due to both the ASIC Monitoring service and the What Just Happened (WJH) 5.7.0-5.8.0 -3610967 +3610967, 3647761 In an EVPN symmetric routing configuration, running the NVUE {{nv set vrf <vrf> vlan auto}} command to derive layer 3 VNIs automatically might result in duplicate VLAN entries in the system. This most often occurs at scale when many VRFs have similar names. To work around this issue, manually specify a unique VLAN for each VRF. 5.3.0-5.8.0 -3546857 +3546857, 3564377 The {{nv show bridge vlan}} command does not show tagged and untagged VLAN information for the bridge. @@ -6207,7 +6207,7 @@ This is due to both the ASIC Monitoring service and the What Just Happened (WJH) 5.3.0-5.8.0 -3463827 +3463827, 3434515, 3556762 On rare occasions, SPT switchover might not happen cleanly in PIM, resulting in some dropped packets. If you use PIM-SM to replicate EVPN BUM traffic, you might see a brief drop of multicast traffic before recovering due to normal PIM-SM traffic timeout. 5.6.0-5.8.0 @@ -6217,7 +6217,7 @@ This is due to both the ASIC Monitoring service and the What Just Happened (WJH) 5.5.0-5.8.0 -3433577 +3433577, 3433769 When you use a single VXLAN device (SVD) with MLAG and static VXLAN tunnels, Cumulus Linux incorrectly associates the MAC addresses it learns from the VXLAN fabric to the bridge PVID. This issue can lead to a feedback loop between the {{clagd}} service and {{switchd}}, and might result in critical CPU usage with an out of memory condition. Do not use an SVD when enabling MLAG in a static VXLAN environment. 5.5.0-5.8.0 diff --git a/content/cumulus-netq-24/More-Documents/rn.md b/content/cumulus-netq-24/More-Documents/rn.md index 98a6ade5d1..a439d5417c 100644 --- a/content/cumulus-netq-24/More-Documents/rn.md +++ b/content/cumulus-netq-24/More-Documents/rn.md @@ -15,7 +15,7 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | | [2551641](#2551641)
| Infra: NetQ VM installation fails if the designated disk size is greater than 2TB. To work around this issue, specify the disk for cloud deployments to be between 256GB and 2TB SSD, and for on-premises deployments to be between 32 GB and 2TB. | 2.4.0-3.1.1 | 3.2.0-3.3.1| -| [2549246](#2549246)
| NetQ UI: Snapshot comparison cards may not render correctly after navigating away from a workbench and then returning to it. If you are viewing the Snapshot comparison card(s) on a custom workbench, refresh the page to reload the data. If you are viewing it on the Cumulus Default workbench, after refreshing the page you must recreate the comparison(s). | 2.4.0-3.2.1 | 3.3.0-3.3.1| +| [2549246, 2549315, 2549518, 2549315](#2549246, 2549315, 2549518, 2549315)
| NetQ UI: Snapshot comparison cards may not render correctly after navigating away from a workbench and then returning to it. If you are viewing the Snapshot comparison card(s) on a custom workbench, refresh the page to reload the data. If you are viewing it on the Cumulus Default workbench, after refreshing the page you must recreate the comparison(s). | 2.4.0-3.2.1 | 3.3.0-3.3.1| | [2548560](#2548560)
| When a switch or host reports its memory size in GB rather than MB, the NetQ Agent cannot parse the information and thus fails to register with the NetQ server. Contact customer support if you run into this issue. | 2.4.0-2.4.1 | 3.0.0-3.3.1| | [2547642](#2547642)
| Admin UI: If the Master Installation phase fails during NetQ installation, refreshing the page causes the error log to be lost. On failure, download the error log, then run netq bootstrap reset followed by netq bootstrap master interface on the node before restarting the installation process. | 2.4.1-3.0.1 | 3.1.0-3.3.1| @@ -32,7 +32,7 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | | [2551641](#2551641)
| Infra: NetQ VM installation fails if the designated disk size is greater than 2TB. To work around this issue, specify the disk for cloud deployments to be between 256GB and 2TB SSD, and for on-premises deployments to be between 32 GB and 2TB. | 2.4.0-3.1.1 | 3.2.0-3.3.1| -| [2549246](#2549246)
| NetQ UI: Snapshot comparison cards may not render correctly after navigating away from a workbench and then returning to it. If you are viewing the Snapshot comparison card(s) on a custom workbench, refresh the page to reload the data. If you are viewing it on the Cumulus Default workbench, after refreshing the page you must recreate the comparison(s). | 2.4.0-3.2.1 | 3.3.0-3.3.1| +| [2549246, 2549315, 2549518, 2549315](#2549246, 2549315, 2549518, 2549315)
| NetQ UI: Snapshot comparison cards may not render correctly after navigating away from a workbench and then returning to it. If you are viewing the Snapshot comparison card(s) on a custom workbench, refresh the page to reload the data. If you are viewing it on the Cumulus Default workbench, after refreshing the page you must recreate the comparison(s). | 2.4.0-3.2.1 | 3.3.0-3.3.1| | [2548560](#2548560)
| When a switch or host reports its memory size in GB rather than MB, the NetQ Agent cannot parse the information and thus fails to register with the NetQ server. Contact customer support if you run into this issue. | 2.4.0-2.4.1 | 3.0.0-3.3.1| | [2546397](#2546397)
| NetQ Admin UI: When installing NetQ with the Admin UI, the job status is presented to show progress. However, when an error is encountered while running individual tasks, the UI may feel unresponsive. Please wait for at least 15 minutes to receive a response. | 2.4.0 | 2.4.1| | [2545685](#2545685)
| NetQ UI: On medium- and large-sized Scheduled Trace cards, the destination field does not accept IPv6 addresses. They are reported as invalid destination IP addresses. The source field on these cards accepts IPv6 addresses. | 2.3.1-2.4.0 | 2.4.1| @@ -43,7 +43,7 @@ pdfhidden: True |--- |--- |--- | | [2545622](#2545622)
| NetQ UI: This only applies to the NetQ 2.3.1 UI installed on the NetQ Server or NetQ Appliance in on-premises deployments. Cloud deployments are not impacted by this bug. Trace results are not shown after running an on-demand or scheduled trace request in the NetQ UI. The medium Trace Result cards are blank whether the trace was successful or not. The full-screen Trace Result card and the NetQ CLI show the results correctly.
To work around this issue, apply the update to your existing 2.3.1 build as follows:

* Download the update tarball.
If your server or appliance has internet access, use wget to perform the download. Be sure to use your download directory in place of _/home/cumulus_ indicated in this example.

cumulus@opta:~$ wget http://netq-shared.s3-us-west-2.amazonaws.com/NetQ-2.3.1.1.tgz -O /home/cumulus/NetQ-2.3.1.1.tgz

If your server or appliance is air-gapped, first download the tarball and then, as a root user, copy it to the appropriate directory on your server or appliance.

root@opta:~# cd /mnt/swinstalls/
root@opta:/mnt/swinstalls# cp /home/cumulus/NetQ-2.3.1.1.tgz ./

* Extract the script.

cumulus@opta:~$ tar -xvzf /home/cumulus/NetQ-2.3.1.1.tgz update-app.sh

* Run the script. On completion, a new GUI container will be running and the card will display the trace result.

cumulus@opta:~$ ./update-app.sh /home/cumulus/NetQ-2.3.1.1.tgz
Loading the new app
e9b2c1648ab5: Loading layer [==================================================>]  2.048kB/2.048kB
e7acfa3378f4: Loading layer [==================================================>]  20.59MB/20.59MB
...
Loaded image: 498186410471.dkr.ecr.us-west-2.amazonaws.com/netq-gui:2.3.1
Restarting the app with new image
deployment.extensions/netq-gui-deploy scaled
Sleeping for 15 seconds
Confirming the app is running with new image
Found the container running with new image.

* Close and reopen the NetQ UI to run the new image. *Note*: You may need to press Cmd+Shift+R to fully clear the cache on the Chrome browser. | | | | [2545549](#2545549)
| When you upgrade both the NetQ Agent and the NetQ Apps in on-premises deployments, a temporary increase in event messages is seen. They are the result of collecting package information from the NetQ Agent on each monitored node. This only happens on initial upgrade and there is no functional impact to the operation of the NetQ software. | 2.3.1 | | -| [2545296](#2545296)
| NetQ UI: When a warning occurs during a VXLAN validation, the small, medium, and large VXLAN Scheduled Validation Result cards incorrectly display the text of the warning instead of the Failed icon and text. | 2.3.1 | | +| [2545296, 2545925](#2545296, 2545925)
| NetQ UI: When a warning occurs during a VXLAN validation, the small, medium, and large VXLAN Scheduled Validation Result cards incorrectly display the text of the warning instead of the Failed icon and text. | 2.3.1 | | | [2545113](#2545113)
| NetQ UI: When troubleshooting a user may wish to disable auto-refresh so that the data is not changed in the middle of analysis. If auto-refresh causes any state loss on the card of interest, pause the auto-refresh feature by clicking the Refresh icon in the workbench header. When finished with the analysis, re-enable the auto-refresh feature by clicking the Refresh icon again to ensure the card data is always the most recent available. | 2.3.1 | | | [2543333](#2543333)
| NetQ UI: Trace configuration information is not captured until the trace has been run at least once, leaving the large Trace Result card blank. The schedule information remains missing even after the trace has been run. | 2.2.2-2.3.1 | | diff --git a/content/cumulus-netq-24/rn.xml b/content/cumulus-netq-24/rn.xml index 6a1eb8cc04..a8b4c9e61f 100644 --- a/content/cumulus-netq-24/rn.xml +++ b/content/cumulus-netq-24/rn.xml @@ -13,7 +13,7 @@ 3.2.0-3.3.1 -2549246 +2549246, 2549315, 2549518, 2549315 NetQ UI: Snapshot comparison cards may not render correctly after navigating away from a workbench and then returning to it. If you are viewing the Snapshot comparison card(s) on a custom workbench, refresh the page to reload the data. If you are viewing it on the Cumulus Default workbench, after refreshing the page you must recreate the comparison(s). 2.4.0-3.2.1 3.3.0-3.3.1 @@ -67,7 +67,7 @@ 3.2.0-3.3.1 -2549246 +2549246, 2549315, 2549518, 2549315 NetQ UI: Snapshot comparison cards may not render correctly after navigating away from a workbench and then returning to it. If you are viewing the Snapshot comparison card(s) on a custom workbench, refresh the page to reload the data. If you are viewing it on the Cumulus Default workbench, after refreshing the page you must recreate the comparison(s). 2.4.0-3.2.1 3.3.0-3.3.1 @@ -145,7 +145,7 @@ Found the container running with new image. 2.3.1 -2545296 +2545296, 2545925 NetQ UI: When a warning occurs during a VXLAN validation, the small, medium, and large VXLAN Scheduled Validation Result cards incorrectly display the text of the warning instead of the Failed icon and text. 2.3.1 diff --git a/content/cumulus-netq-30/More-Documents/rn.md b/content/cumulus-netq-30/More-Documents/rn.md index 2bae8d59f8..425b8cd07d 100644 --- a/content/cumulus-netq-30/More-Documents/rn.md +++ b/content/cumulus-netq-30/More-Documents/rn.md @@ -22,7 +22,7 @@ pdfhidden: True | [2549682](#2549682)
| Performing an upgrade using the lifecycle management feature fails intermittently when SSH key switch access authorization is used. To work around this issue, use basic authentication or retry an upgrade job that uses SSH key authorization. | 3.0.0-3.0.1 | 3.1.0-3.3.1| | [2549344](#2549344)
| UI: The lifecycle management feature does not present general alarm or info events; however, errors related to the upgrade process are reported within the NetQ UI. | 3.0.0-3.1.1 | 3.2.0-3.3.1| | [2549319](#2549319)
| NetQ UI: The legend and segment colors on Switches and Upgrade History card graphs sometimes do not match. These cards appear on the lifecycle management dashboard (Manage Switch Assets view). Hover over graph to view the correct values. | 3.0.0-3.3.1 | 4.0.0-4.15.1| -| [2549246](#2549246)
| NetQ UI: Snapshot comparison cards may not render correctly after navigating away from a workbench and then returning to it. If you are viewing the Snapshot comparison card(s) on a custom workbench, refresh the page to reload the data. If you are viewing it on the Cumulus Default workbench, after refreshing the page you must recreate the comparison(s). | 2.4.0-3.2.1 | 3.3.0-3.3.1| +| [2549246, 2549315, 2549518, 2549315](#2549246, 2549315, 2549518, 2549315)
| NetQ UI: Snapshot comparison cards may not render correctly after navigating away from a workbench and then returning to it. If you are viewing the Snapshot comparison card(s) on a custom workbench, refresh the page to reload the data. If you are viewing it on the Cumulus Default workbench, after refreshing the page you must recreate the comparison(s). | 2.4.0-3.2.1 | 3.3.0-3.3.1| | [2547642](#2547642)
| Admin UI: If the Master Installation phase fails during NetQ installation, refreshing the page causes the error log to be lost. On failure, download the error log, then run netq bootstrap reset followed by netq bootstrap master interface on the node before restarting the installation process. | 2.4.1-3.0.1 | 3.1.0-3.3.1| ### Fixed Issues in 3.0.0 diff --git a/content/cumulus-netq-30/rn.xml b/content/cumulus-netq-30/rn.xml index 808104172e..81754b4539 100644 --- a/content/cumulus-netq-30/rn.xml +++ b/content/cumulus-netq-30/rn.xml @@ -80,7 +80,7 @@ systemctl restart netqd.service 4.0.0-4.15.1 -2549246 +2549246, 2549315, 2549518, 2549315 NetQ UI: Snapshot comparison cards may not render correctly after navigating away from a workbench and then returning to it. If you are viewing the Snapshot comparison card(s) on a custom workbench, refresh the page to reload the data. If you are viewing it on the Cumulus Default workbench, after refreshing the page you must recreate the comparison(s). 2.4.0-3.2.1 3.3.0-3.3.1 diff --git a/content/cumulus-netq-31/More-Documents/rn.md b/content/cumulus-netq-31/More-Documents/rn.md index b8dd48b8a8..c09f51fa18 100644 --- a/content/cumulus-netq-31/More-Documents/rn.md +++ b/content/cumulus-netq-31/More-Documents/rn.md @@ -20,7 +20,7 @@ pdfhidden: True | [2551569](#2551569)
| CLI: When a proxy server is configured for NetQ Cloud access and lifecycle management (LCM) is enabled, the associated LCM CLI commands fail due to incorrect port specification. To work around this issue, configure the NetQ Collector to connect directly to NetQ Cloud without a proxy. | 3.1.0-3.1.1 | 3.2.0-3.3.1| | [2549344](#2549344)
| UI: The lifecycle management feature does not present general alarm or info events; however, errors related to the upgrade process are reported within the NetQ UI. | 3.0.0-3.1.1 | 3.2.0-3.3.1| | [2549319](#2549319)
| NetQ UI: The legend and segment colors on Switches and Upgrade History card graphs sometimes do not match. These cards appear on the lifecycle management dashboard (Manage Switch Assets view). Hover over graph to view the correct values. | 3.0.0-3.3.1 | 4.0.0-4.15.1| -| [2549246](#2549246)
| NetQ UI: Snapshot comparison cards may not render correctly after navigating away from a workbench and then returning to it. If you are viewing the Snapshot comparison card(s) on a custom workbench, refresh the page to reload the data. If you are viewing it on the Cumulus Default workbench, after refreshing the page you must recreate the comparison(s). | 2.4.0-3.2.1 | 3.3.0-3.3.1| +| [2549246, 2549315, 2549518, 2549315](#2549246, 2549315, 2549518, 2549315)
| NetQ UI: Snapshot comparison cards may not render correctly after navigating away from a workbench and then returning to it. If you are viewing the Snapshot comparison card(s) on a custom workbench, refresh the page to reload the data. If you are viewing it on the Cumulus Default workbench, after refreshing the page you must recreate the comparison(s). | 2.4.0-3.2.1 | 3.3.0-3.3.1| ### Fixed Issues in 3.1.0 | Issue ID | Description | Affects | diff --git a/content/cumulus-netq-31/rn.xml b/content/cumulus-netq-31/rn.xml index 43399289ed..672ae26396 100644 --- a/content/cumulus-netq-31/rn.xml +++ b/content/cumulus-netq-31/rn.xml @@ -43,7 +43,7 @@ 4.0.0-4.15.1 -2549246 +2549246, 2549315, 2549518, 2549315 NetQ UI: Snapshot comparison cards may not render correctly after navigating away from a workbench and then returning to it. If you are viewing the Snapshot comparison card(s) on a custom workbench, refresh the page to reload the data. If you are viewing it on the Cumulus Default workbench, after refreshing the page you must recreate the comparison(s). 2.4.0-3.2.1 3.3.0-3.3.1 diff --git a/content/cumulus-netq-32/Whats-New/rn.md b/content/cumulus-netq-32/Whats-New/rn.md index 1ef709e3f6..ac4c67f576 100644 --- a/content/cumulus-netq-32/Whats-New/rn.md +++ b/content/cumulus-netq-32/Whats-New/rn.md @@ -15,11 +15,11 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | | [2690469](#2690469)
| While upgrading an on-premises deployment from version 2.4.x to 3.x.y then to 4.x, the upgrade fails during the NetQ application stage
To work around this issue, run the following command on the NetQ telemetry server, then start the upgrade again:'netq install opta activate-job config-key EhVuZXRxLWVuZHBvaW50LWdhdGV3YXkYsagDIiw3T2sweW9kR3Y4Wk9sTHU3MkwrQTRjNkhhQkU3bVpBNVlZVjEvWWgyZGJBPQ==' | 3.2.1-4.0.1 | 4.1.0-4.15.1| -| [2556205](#2556205)
| NetQ CLI: User cannot remove a notification channel when threshold-based event rules are configured. | 3.2.1-3.3.0 | 3.3.1| +| [2556205, 2556204](#2556205, 2556204)
| NetQ CLI: User cannot remove a notification channel when threshold-based event rules are configured. | 3.2.1-3.3.0 | 3.3.1| | [2556006](#2556006)
| NetQ Infra: Customers with cloud deployments who wish to use the lifecycle management (LCM) feature in NetQ 3.3.0 must upgrade their NetQ Cloud Appliance or Virtual Machine as well as the NetQ Agent. | 3.2.1 | 3.3.0-3.3.1| | [2553453](#2553453)
| The netqd daemon logs a traceback to _/var/log/netqd.log_ when the OPTA server is unreachable and netq show commands are run. | 3.1.0-3.3.1 | 4.0.0-4.15.1| | [2549319](#2549319)
| NetQ UI: The legend and segment colors on Switches and Upgrade History card graphs sometimes do not match. These cards appear on the lifecycle management dashboard (Manage Switch Assets view). Hover over graph to view the correct values. | 3.0.0-3.3.1 | 4.0.0-4.15.1| -| [2549246](#2549246)
| NetQ UI: Snapshot comparison cards may not render correctly after navigating away from a workbench and then returning to it. If you are viewing the Snapshot comparison card(s) on a custom workbench, refresh the page to reload the data. If you are viewing it on the Cumulus Default workbench, after refreshing the page you must recreate the comparison(s). | 2.4.0-3.2.1 | 3.3.0-3.3.1| +| [2549246, 2549315, 2549518, 2549315](#2549246, 2549315, 2549518, 2549315)
| NetQ UI: Snapshot comparison cards may not render correctly after navigating away from a workbench and then returning to it. If you are viewing the Snapshot comparison card(s) on a custom workbench, refresh the page to reload the data. If you are viewing it on the Cumulus Default workbench, after refreshing the page you must recreate the comparison(s). | 2.4.0-3.2.1 | 3.3.0-3.3.1| ### Fixed Issues in 3.2.1 | Issue ID | Description | Affects | @@ -38,7 +38,7 @@ pdfhidden: True | [2553758](#2553758)
| NetQ CLI: When the NetQ Collector is configured with a proxy server for the CLI to access cloud APIs the SSL certificate validation fails because the proxy provides its own self-signed certificate. This causes the CLI to fail with the following error:
cumulus@switch:~# netq show agentsFailed to process command. Check /var/log/netqd.log for more details
You also see an error in _/var/log/netqd.log_ similar to this:
2020-10-01T01:44:51.534875+00:00 leaf01 netqd[4782]: ERROR: GET request failed https://st-ts-01:32708/netq/telemetry/v1/object/bgp?count=2000&offset=02020-10-01T01:44:51.535251+00:00 leaf01 netqd[4782]: ERROR: HTTPSConnectionPool(host='st-ts-01', port=32708): Max retries exceeded with url: /netq/telemetry/v1/object/bgp?count=2000&offset=0 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: {color:#d04437}CERTIFICATE_VERIFY_FAILED{color}] certificate verify failed: self signed certificate (_ssl.c:1056)')))
Two options are available to work around this issue:* If the NetQ Collector has Internet access, configure the CLI to point to the cloud API instance directly:
cumulus@switch:~# netq config add cli server api.netq.cumulusnetworks.com port 443cumulus@switch:~# netq config restart cli
* To use the proxy server:
1. Delete the token file. Run sudo rm /tmp/token.aes.
2. Edit the _/etc/netq/netq.yml_ file as follows. The password is entered as cleartext.
netq-cli:
 port: 32708
 server: \
 vrf: \
 premises: \
 username: \
 password: \
 opid: \

Note: OPID is not directly visible to user. File a [support ticket\|https://cumulusnetworks.com/support/file-a-ticket/] for assistance with completing the configuration.
3. Restart the the CLI. Run netq config restart cli. | 3.2.0 | 3.2.1-3.3.1| | [2553453](#2553453)
| The netqd daemon logs a traceback to _/var/log/netqd.log_ when the OPTA server is unreachable and netq show commands are run. | 3.1.0-3.3.1 | 4.0.0-4.15.1| | [2549319](#2549319)
| NetQ UI: The legend and segment colors on Switches and Upgrade History card graphs sometimes do not match. These cards appear on the lifecycle management dashboard (Manage Switch Assets view). Hover over graph to view the correct values. | 3.0.0-3.3.1 | 4.0.0-4.15.1| -| [2549246](#2549246)
| NetQ UI: Snapshot comparison cards may not render correctly after navigating away from a workbench and then returning to it. If you are viewing the Snapshot comparison card(s) on a custom workbench, refresh the page to reload the data. If you are viewing it on the Cumulus Default workbench, after refreshing the page you must recreate the comparison(s). | 2.4.0-3.2.1 | 3.3.0-3.3.1| +| [2549246, 2549315, 2549518, 2549315](#2549246, 2549315, 2549518, 2549315)
| NetQ UI: Snapshot comparison cards may not render correctly after navigating away from a workbench and then returning to it. If you are viewing the Snapshot comparison card(s) on a custom workbench, refresh the page to reload the data. If you are viewing it on the Cumulus Default workbench, after refreshing the page you must recreate the comparison(s). | 2.4.0-3.2.1 | 3.3.0-3.3.1| ### Fixed Issues in 3.2.0 | Issue ID | Description | Affects | diff --git a/content/cumulus-netq-32/rn.xml b/content/cumulus-netq-32/rn.xml index a5ef5b2e07..b90cbb1591 100644 --- a/content/cumulus-netq-32/rn.xml +++ b/content/cumulus-netq-32/rn.xml @@ -15,7 +15,7 @@ To work around this issue, run the following command on the NetQ telemetry serve 4.1.0-4.15.1 -2556205 +2556205, 2556204 NetQ CLI: User cannot remove a notification channel when threshold-based event rules are configured. 3.2.1-3.3.0 3.3.1 @@ -39,7 +39,7 @@ To work around this issue, run the following command on the NetQ telemetry serve 4.0.0-4.15.1 -2549246 +2549246, 2549315, 2549518, 2549315 NetQ UI: Snapshot comparison cards may not render correctly after navigating away from a workbench and then returning to it. If you are viewing the Snapshot comparison card(s) on a custom workbench, refresh the page to reload the data. If you are viewing it on the Cumulus Default workbench, after refreshing the page you must recreate the comparison(s). 2.4.0-3.2.1 3.3.0-3.3.1 @@ -199,7 +199,7 @@ netq-cli: 4.0.0-4.15.1 -2549246 +2549246, 2549315, 2549518, 2549315 NetQ UI: Snapshot comparison cards may not render correctly after navigating away from a workbench and then returning to it. If you are viewing the Snapshot comparison card(s) on a custom workbench, refresh the page to reload the data. If you are viewing it on the Cumulus Default workbench, after refreshing the page you must recreate the comparison(s). 2.4.0-3.2.1 3.3.0-3.3.1 diff --git a/content/cumulus-netq-33/Whats-New/rn.md b/content/cumulus-netq-33/Whats-New/rn.md index f664cf0413..a582348ab4 100644 --- a/content/cumulus-netq-33/Whats-New/rn.md +++ b/content/cumulus-netq-33/Whats-New/rn.md @@ -28,13 +28,13 @@ pdfhidden: True | [2556275](#2556275)
| NetQ UI: The full-screen BGP Validation card for the default validation can become unresponsive when a very large number of sessions or errors are present. | 3.3.0 | | | [2556268](#2556268)
| NetQ UI: When assigning a switch configuration profile to a switch using the lifecycle management, you cannot save the per-switch variable data. This prevents you from applying the switch configuration. Upgrade to NetQ 3.3.1 to take advantage of this feature. | 3.3.0 | | | [2556227](#2556227)
| Admin UI: For cloud deployments, clicking the _Open NetQ_ link at the bottom of the Admin UI NetQ Health page returns an error _default backend - 404_ as it attempts to open the NetQ UI on the on-site NetQ Cloud Appliance or VM running the NetQ Collector software. In cloud deployments, the NetQ UI is run in the Cloud rather than locally, thus causing the error. To open the NetQ UI and view your data, enter _https://netq.cumulusnetworks.com/_ into the address bar of your browser. | 3.3.0 | | -| [2556205](#2556205)
| NetQ CLI: User cannot remove a notification channel when threshold-based event rules are configured. | 3.2.1-3.3.0 | | +| [2556205, 2556204](#2556205, 2556204)
| NetQ CLI: User cannot remove a notification channel when threshold-based event rules are configured. | 3.2.1-3.3.0 | | | [2556192](#2556192)
| NetQ UI: In multi-site on-premises deployments, when a new premises (created using the Premises card) is selected from the dropdown in the application header, the NetQ UI becomes unresponsive for many navigation tabs. To work around this issue, manually update the database as follows:
In a terminal window, open the database shell (cqlsh)
$ CASSANDRA_POD='kubectl get pods \| grep cassandra \| cut -f1 -d" "' ; kubectl exec -it $CASSANDRA_POD -- cqlsh
Display the premises table
cqlsh> select opid,name,namespace from master.premises ;
The resulting output would be similar to this, with new premises having an empty namespace:

opid  \| name  \| namespace-------+-------+-----------
20001 \| site1 \|      null
    0 \| OPID0 \|      null
20002 \| site2 \|          
20000 \| site0 \|      null
20003 \| site3 \|          (5 rows)
For each new premises, insert a _null_ value into the database to resolve the issue. For example the new premises _site3_ has an empty namespace value, run following query against its opid _20003_ to change the value
cqlsh> insert into master.premises (opid,namespace) values (20003,null);
Verify the new premises now have null values in the database
cqlsh> select opid,name,namespace from master.premises ;
opid  \| name  \| namespace-------+-------+-----------
20001 \| site1 \|      null
    0 \| OPID0 \|      null
20002 \| site2 \|      null     
20000 \| site0 \|      null
20003 \| site3 \|      null(5 rows)
| 3.3.0 | | | [2556117](#2556117)
| NetQ Infra: The NetQ Agent fails to start when switch is running Cumulus Linux version 4.1.1 or 4.2.0. To work around this issue, run the following on each switch:
For CL 4.1.1, rename the WJH types file to the 4.3.3260 version:
cumulus@switch:~$ sudo mv /usr/lib/cumulus/wjh/wjh_types_4.4.3260.py /usr/lib/cumulus/wjh/wjh_types_4.3.3260.py
Then restart the NetQ Agent:
cumulus@switch:~$ netq config restart agent
For CL 4.2.0, edit the following line in the /usr/sbin/netq-agent-prestart script to change the version from 4.4.095 to 4.4.0952:
elif [ $sx_sdk_ver == “4.4.0952” ] \|\| [  $sx_sdk_ver == “4.4.1624” ] \|\| [ $sx_sdk_ver == “4.3.3260” ];
Then restart the NetQ Agent:
cumulus@switch:~$ netq config restart agent
| 3.3.0 | | | [2556007](#2556007)
| NetQ API: Several APIs are presenting the following error when viewed in Swagger UI:
Fetch errorundefined https://api.prod2.netq.cumulusnetworks.com/netq/telemetry/v1/api-docs/events/swagger.json
To correct this presentation issue:Open the netqui YAML file for editing
kubectl edit netquis netqui
Locate the _misc_ section. For example:
misc:
 cassandraReconnectLogOnly: "true"
 clusterName: netq
 forgotPasswordLink: /link/to/set/password
 ...
 smtpSSL: "true"
 tlsEnabled: "true"
Add the document_namespace parameter below the tlsEnabled parameter
misc:
 cassandraReconnectLogOnly: "true"
 clusterName: netq
 forgotPasswordLink: /link/to/set/password
 ...
 smtpSSL: "true"
 tlsEnabled: "true"
 document_namespace: "default"
Save the file. | 3.3.0 | | | [2555848](#2555848)
| NetQ Infra: It is important to plan your upgrade to NetQ 3.3.0 because the NetQ Appliance or VM becomes unavailable for approximately an hour during the process. No data is lost in the process. | 3.3.0 | | | [2555617](#2555617)
| NetQ Infra: Upgrading the NetQ Agent before upgrading the NetQ CLI for version 3.3.0 causes the NetQ CLI to fail the upgrade. To work around this issue, upgrade the NetQ CLI first, then follow with the NetQ Agent upgrade. | 3.3.0 | | -| [2555587](#2555587)
| NetQ UI: Switches with LLDP enabled only on eth0 are not shown on the topology diagram. | 3.3.0 | | +| [2555587, 2555819](#2555587, 2555819)
| NetQ UI: Switches with LLDP enabled only on eth0 are not shown on the topology diagram. | 3.3.0 | | ## 3.3.0 Release Notes ### Open Issues in 3.3.0 @@ -48,13 +48,13 @@ pdfhidden: True | [2556275](#2556275)
| NetQ UI: The full-screen BGP Validation card for the default validation can become unresponsive when a very large number of sessions or errors are present. | 3.3.0 | 3.3.1| | [2556268](#2556268)
| NetQ UI: When assigning a switch configuration profile to a switch using the lifecycle management, you cannot save the per-switch variable data. This prevents you from applying the switch configuration. Upgrade to NetQ 3.3.1 to take advantage of this feature. | 3.3.0 | 3.3.1| | [2556227](#2556227)
| Admin UI: For cloud deployments, clicking the _Open NetQ_ link at the bottom of the Admin UI NetQ Health page returns an error _default backend - 404_ as it attempts to open the NetQ UI on the on-site NetQ Cloud Appliance or VM running the NetQ Collector software. In cloud deployments, the NetQ UI is run in the Cloud rather than locally, thus causing the error. To open the NetQ UI and view your data, enter _https://netq.cumulusnetworks.com/_ into the address bar of your browser. | 3.3.0 | 3.3.1| -| [2556205](#2556205)
| NetQ CLI: User cannot remove a notification channel when threshold-based event rules are configured. | 3.2.1-3.3.0 | 3.3.1| +| [2556205, 2556204](#2556205, 2556204)
| NetQ CLI: User cannot remove a notification channel when threshold-based event rules are configured. | 3.2.1-3.3.0 | 3.3.1| | [2556192](#2556192)
| NetQ UI: In multi-site on-premises deployments, when a new premises (created using the Premises card) is selected from the dropdown in the application header, the NetQ UI becomes unresponsive for many navigation tabs. To work around this issue, manually update the database as follows:
In a terminal window, open the database shell (cqlsh)
$ CASSANDRA_POD='kubectl get pods \| grep cassandra \| cut -f1 -d" "' ; kubectl exec -it $CASSANDRA_POD -- cqlsh
Display the premises table
cqlsh> select opid,name,namespace from master.premises ;
The resulting output would be similar to this, with new premises having an empty namespace:

opid  \| name  \| namespace-------+-------+-----------
20001 \| site1 \|      null
    0 \| OPID0 \|      null
20002 \| site2 \|          
20000 \| site0 \|      null
20003 \| site3 \|          (5 rows)
For each new premises, insert a _null_ value into the database to resolve the issue. For example the new premises _site3_ has an empty namespace value, run following query against its opid _20003_ to change the value
cqlsh> insert into master.premises (opid,namespace) values (20003,null);
Verify the new premises now have null values in the database
cqlsh> select opid,name,namespace from master.premises ;
opid  \| name  \| namespace-------+-------+-----------
20001 \| site1 \|      null
    0 \| OPID0 \|      null
20002 \| site2 \|      null     
20000 \| site0 \|      null
20003 \| site3 \|      null(5 rows)
| 3.3.0 | 3.3.1| | [2556117](#2556117)
| NetQ Infra: The NetQ Agent fails to start when switch is running Cumulus Linux version 4.1.1 or 4.2.0. To work around this issue, run the following on each switch:
For CL 4.1.1, rename the WJH types file to the 4.3.3260 version:
cumulus@switch:~$ sudo mv /usr/lib/cumulus/wjh/wjh_types_4.4.3260.py /usr/lib/cumulus/wjh/wjh_types_4.3.3260.py
Then restart the NetQ Agent:
cumulus@switch:~$ netq config restart agent
For CL 4.2.0, edit the following line in the /usr/sbin/netq-agent-prestart script to change the version from 4.4.095 to 4.4.0952:
elif [ $sx_sdk_ver == “4.4.0952” ] \|\| [  $sx_sdk_ver == “4.4.1624” ] \|\| [ $sx_sdk_ver == “4.3.3260” ];
Then restart the NetQ Agent:
cumulus@switch:~$ netq config restart agent
| 3.3.0 | 3.3.1| | [2556007](#2556007)
| NetQ API: Several APIs are presenting the following error when viewed in Swagger UI:
Fetch errorundefined https://api.prod2.netq.cumulusnetworks.com/netq/telemetry/v1/api-docs/events/swagger.json
To correct this presentation issue:Open the netqui YAML file for editing
kubectl edit netquis netqui
Locate the _misc_ section. For example:
misc:
 cassandraReconnectLogOnly: "true"
 clusterName: netq
 forgotPasswordLink: /link/to/set/password
 ...
 smtpSSL: "true"
 tlsEnabled: "true"
Add the document_namespace parameter below the tlsEnabled parameter
misc:
 cassandraReconnectLogOnly: "true"
 clusterName: netq
 forgotPasswordLink: /link/to/set/password
 ...
 smtpSSL: "true"
 tlsEnabled: "true"
 document_namespace: "default"
Save the file. | 3.3.0 | 3.3.1| | [2555848](#2555848)
| NetQ Infra: It is important to plan your upgrade to NetQ 3.3.0 because the NetQ Appliance or VM becomes unavailable for approximately an hour during the process. No data is lost in the process. | 3.3.0 | 3.3.1| | [2555617](#2555617)
| NetQ Infra: Upgrading the NetQ Agent before upgrading the NetQ CLI for version 3.3.0 causes the NetQ CLI to fail the upgrade. To work around this issue, upgrade the NetQ CLI first, then follow with the NetQ Agent upgrade. | 3.3.0 | 3.3.1| -| [2555587](#2555587)
| NetQ UI: Switches with LLDP enabled only on eth0 are not shown on the topology diagram. | 3.3.0 | 3.3.1| +| [2555587, 2555819](#2555587, 2555819)
| NetQ UI: Switches with LLDP enabled only on eth0 are not shown on the topology diagram. | 3.3.0 | 3.3.1| | [2555197](#2555197)
| NetQ CLI: Occasionally, when a command response contains a large number of objects to be displayed the NetQ CLI does not display all results in the console. When this occurs, view all results using the json format option. | 3.3.0-3.3.1 | 4.0.0-4.15.1| | [2553453](#2553453)
| The netqd daemon logs a traceback to _/var/log/netqd.log_ when the OPTA server is unreachable and netq show commands are run. | 3.1.0-3.3.1 | 4.0.0-4.15.1| | [2549319](#2549319)
| NetQ UI: The legend and segment colors on Switches and Upgrade History card graphs sometimes do not match. These cards appear on the lifecycle management dashboard (Manage Switch Assets view). Hover over graph to view the correct values. | 3.0.0-3.3.1 | 4.0.0-4.15.1| @@ -63,5 +63,5 @@ pdfhidden: True | Issue ID | Description | Affects | |--- |--- |--- | | [2556006](#2556006)
| NetQ Infra: Customers with cloud deployments who wish to use the lifecycle management (LCM) feature in NetQ 3.3.0 must upgrade their NetQ Cloud Appliance or Virtual Machine as well as the NetQ Agent. | 3.2.1 | | -| [2549246](#2549246)
| NetQ UI: Snapshot comparison cards may not render correctly after navigating away from a workbench and then returning to it. If you are viewing the Snapshot comparison card(s) on a custom workbench, refresh the page to reload the data. If you are viewing it on the Cumulus Default workbench, after refreshing the page you must recreate the comparison(s). | 2.4.0-3.2.1 | | +| [2549246, 2549315, 2549518, 2549315](#2549246, 2549315, 2549518, 2549315)
| NetQ UI: Snapshot comparison cards may not render correctly after navigating away from a workbench and then returning to it. If you are viewing the Snapshot comparison card(s) on a custom workbench, refresh the page to reload the data. If you are viewing it on the Cumulus Default workbench, after refreshing the page you must recreate the comparison(s). | 2.4.0-3.2.1 | | diff --git a/content/cumulus-netq-33/rn.xml b/content/cumulus-netq-33/rn.xml index 3cf5b1c813..f483638cc4 100644 --- a/content/cumulus-netq-33/rn.xml +++ b/content/cumulus-netq-33/rn.xml @@ -115,7 +115,7 @@ cumulus@switch:~$ netq config restart agent 3.3.0 -2556205 +2556205, 2556204 NetQ CLI: User cannot remove a notification channel when threshold-based event rules are configured. 3.2.1-3.3.0 @@ -227,7 +227,7 @@ Save the file. 3.3.0 -2555587 +2555587, 2555819 NetQ UI: Switches with LLDP enabled only on eth0 are not shown on the topology diagram. 3.3.0 @@ -328,7 +328,7 @@ cumulus@switch:~$ netq config restart agent 3.3.1 -2556205 +2556205, 2556204 NetQ CLI: User cannot remove a notification channel when threshold-based event rules are configured. 3.2.1-3.3.0 3.3.1 @@ -446,7 +446,7 @@ Save the file. 3.3.1 -2555587 +2555587, 2555819 NetQ UI: Switches with LLDP enabled only on eth0 are not shown on the topology diagram. 3.3.0 3.3.1 @@ -482,7 +482,7 @@ Save the file. 3.2.1 -2549246 +2549246, 2549315, 2549518, 2549315 NetQ UI: Snapshot comparison cards may not render correctly after navigating away from a workbench and then returning to it. If you are viewing the Snapshot comparison card(s) on a custom workbench, refresh the page to reload the data. If you are viewing it on the Cumulus Default workbench, after refreshing the page you must recreate the comparison(s). 2.4.0-3.2.1 diff --git a/content/cumulus-netq-41/Whats-New/rn.md b/content/cumulus-netq-41/Whats-New/rn.md index 74631c06b7..b725782be6 100644 --- a/content/cumulus-netq-41/Whats-New/rn.md +++ b/content/cumulus-netq-41/Whats-New/rn.md @@ -14,7 +14,7 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3085064](#3085064)
| When you attempt to install NetQ on a device using LCM and configure the incorrect VRF, the installation will be reflected as successful but the switch will not be present in the inventory in the LCM UI. | 4.1.0-4.3.0 | 4.4.0-4.15.1| +| [3085064, 2838027, 2551494](#3085064, 2838027, 2551494)
| When you attempt to install NetQ on a device using LCM and configure the incorrect VRF, the installation will be reflected as successful but the switch will not be present in the inventory in the LCM UI. | 4.1.0-4.3.0 | 4.4.0-4.15.1| | [3015875](#3015875)
| NetQ trace might report incomplete route information when there are multiple default routes in a VRF in the path between the source and destination. | 4.1.0-4.4.1 | 4.5.0-4.15.1| | [3011307](#3011307)
| NetQ Agent: The NetQ Agent fails to start in Cumulus Linux on switches with ARM CPUs. The log files show the following message:
systemd: netq-agent.service: Main process exited, code=exited, status=1/FAILURE
| 4.1.1 | 4.2.0-4.15.1| | [2896825](#2896825)
| WJH monitoring fails to start with netq-agent on Cumulus Linux 5.0. To work around this issue, reinstall the netq-agent package and configure the netq agent to start monitoring:1. Add the gpg key for the repository:wget -qO - https://apps3.cumulusnetworks.com/setup/cumulus-apps-deb.pubkey \| sudo apt-key add -2. Add the repository to /etc/apt/sources.list:echo 'deb https://apps3.cumulusnetworks.com/repos/deb CumulusLinux-4 netq-latest' \| sudo tee -a /etc/apt/sources.list3. Reinstall the netq-agent package:sudo apt-get update && sudo apt-get install --reinstall netq-agent | 4.1.0-4.1.1 | 4.2.0-4.15.1| @@ -33,7 +33,7 @@ pdfhidden: True | Issue ID | Description | Affects | Fixed | |--- |--- |--- |--- | -| [3085064](#3085064)
| When you attempt to install NetQ on a device using LCM and configure the incorrect VRF, the installation will be reflected as successful but the switch will not be present in the inventory in the LCM UI. | 4.1.0-4.3.0 | 4.4.0-4.15.1| +| [3085064, 2838027, 2551494](#3085064, 2838027, 2551494)
| When you attempt to install NetQ on a device using LCM and configure the incorrect VRF, the installation will be reflected as successful but the switch will not be present in the inventory in the LCM UI. | 4.1.0-4.3.0 | 4.4.0-4.15.1| | [3015875](#3015875)
| NetQ trace might report incomplete route information when there are multiple default routes in a VRF in the path between the source and destination. | 4.1.0-4.4.1 | 4.5.0-4.15.1| | [2896825](#2896825)
| WJH monitoring fails to start with netq-agent on Cumulus Linux 5.0. To work around this issue, reinstall the netq-agent package and configure the netq agent to start monitoring:1. Add the gpg key for the repository:wget -qO - https://apps3.cumulusnetworks.com/setup/cumulus-apps-deb.pubkey \| sudo apt-key add -2. Add the repository to /etc/apt/sources.list:echo 'deb https://apps3.cumulusnetworks.com/repos/deb CumulusLinux-4 netq-latest' \| sudo tee -a /etc/apt/sources.list3. Reinstall the netq-agent package:sudo apt-get update && sudo apt-get install --reinstall netq-agent | 4.1.0-4.1.1 | 4.2.0-4.15.1| | [2885440](#2885440)
| After upgrading to NetQ 4.1.0, validation checks might show intermittent errors that are not valid while the validation application processess pending messages after upgrade. This condition will clear once all messages are processed. | 4.1.0-4.1.1 | 4.2.0-4.15.1| diff --git a/content/cumulus-netq-41/rn.xml b/content/cumulus-netq-41/rn.xml index 9dcf119840..b55bfd3b45 100644 --- a/content/cumulus-netq-41/rn.xml +++ b/content/cumulus-netq-41/rn.xml @@ -7,7 +7,7 @@ Fixed -3085064 +3085064, 2838027, 2551494 When you attempt to install NetQ on a device using LCM and configure the incorrect VRF, the installation will be reflected as successful but the switch will not be present in the inventory in the LCM UI. 4.1.0-4.3.0 4.4.0-4.15.1 @@ -172,7 +172,7 @@ To work around this issue, disable RoCE monitoring: Fixed -3085064 +3085064, 2838027, 2551494 When you attempt to install NetQ on a device using LCM and configure the incorrect VRF, the installation will be reflected as successful but the switch will not be present in the inventory in the LCM UI. 4.1.0-4.3.0 4.4.0-4.15.1 diff --git a/content/cumulus-netq-410/Whats-New/rn.md b/content/cumulus-netq-410/Whats-New/rn.md index 88904bb961..b462f7d154 100644 --- a/content/cumulus-netq-410/Whats-New/rn.md +++ b/content/cumulus-netq-410/Whats-New/rn.md @@ -18,12 +18,12 @@ pdfhidden: True | [3948198](#3948198)
| When you upgrade a Cumulus Linux switch configured with NVUE using NetQ LCM, the upgrade might fail due to NVUE configuration validation if the NVUE object model was changed between the current and new Cumulus Linux version. When this failure occurs, NetQ is unable to rollback to the prior configuration and the switch remains running the default Cumulus Linux configuration. | 4.10.1 | 4.11.0-4.15.1| | [3863195](#3863195)
| When you perform an LCM switch discovery on a Cumulus Linux 5.9.0 switch in your network that was already added in the NetQ inventory on a prior Cumulus Linux version, the switch will appear as Rotten in the NetQ UI. To work around this issue, decommission the switch first,and run LCM discovery again after the switch is upgraded. | 4.10.0-4.10.1 | 4.11.0-4.15.1| | [3858210](#3858210)
| When you upgrade your NetQ VM, DPUs in the inventory are not shown. To work around this issue, restart the DTS container on the DPUs in your network. | 4.10.0-4.11.0 | 4.12.0-4.15.1| -| [3854467](#3854467)
| When a single NetQ cluster VM is offline, the NetQ kafka-connect pods are brought down on other cluster nodes, preventing NetQ data from collecting data. To work around this issue, bring all cluster nodes back into service. | 4.10.0-4.11.0 | 4.12.0-4.15.1| +| [3854467, 3848959, 3845926, 3959779](#3854467, 3848959, 3845926, 3959779)
| When a single NetQ cluster VM is offline, the NetQ kafka-connect pods are brought down on other cluster nodes, preventing NetQ data from collecting data. To work around this issue, bring all cluster nodes back into service. | 4.10.0-4.11.0 | 4.12.0-4.15.1| | [3851922](#3851922)
| After you run an LCM switch discovery in a NetQ cluster environment, NetQ CLI commands on switches might fail with the message Failed to process command. | 4.10.0-4.10.1 | 4.11.0-4.15.1| | [3800434](#3800434)
| When you upgrade NetQ from a version prior to 4.9.0, What Just Happened data that was collected before the upgrade is no longer present. | 4.9.0-4.15.1 | | | [3772274](#3772274)
| After you upgrade NetQ, data from snapshots taken prior to the NetQ upgrade will contain unreliable data and should not be compared to any snapshots taken after the upgrade. In cluster deployments, snapshots from prior NetQ versions will not be visible in the UI. | 4.9.0-4.15.1 | | -| [3769936](#3769936)
| When there is a NetQ interface validation failure for admin state mismatch, the validation failure might clear unexpectedly while one side of the link is still administratively down. | 4.9.0-4.13.0 | 4.14.0-4.15.1| -| [3721754](#3721754)
| After you decommission a switch, the switch's interfaces are still displayed in the NetQ UI in the Interfaces view. | 4.9.0-4.10.1 | 4.11.0-4.15.1| +| [3769936, 3976289, 4122250](#3769936, 3976289, 4122250)
| When there is a NetQ interface validation failure for admin state mismatch, the validation failure might clear unexpectedly while one side of the link is still administratively down. | 4.9.0-4.13.0 | 4.14.0-4.15.1| +| [3721754, 3721794](#3721754, 3721794)
| After you decommission a switch, the switch's interfaces are still displayed in the NetQ UI in the Interfaces view. | 4.9.0-4.10.1 | 4.11.0-4.15.1| | [3613811](#3613811)
| LCM operations using in-band management are unsupported on switches that use eth0 connected to an out-of-band network. To work around this issue, configure NetQ to use out-of-band management in the mgmt VRF on Cumulus Linux switches when interface eth0 is in use. | 4.8.0-4.15.1 | | ### Fixed Issues in 4.10.1 @@ -40,12 +40,12 @@ pdfhidden: True | [3876238](#3876238)
| You cannot upgrade a switch to Cumulus Linux 5.9.0 with NetQ LCM. | 4.10.0 | 4.10.1-4.15.1| | [3863195](#3863195)
| When you perform an LCM switch discovery on a Cumulus Linux 5.9.0 switch in your network that was already added in the NetQ inventory on a prior Cumulus Linux version, the switch will appear as Rotten in the NetQ UI. To work around this issue, decommission the switch first,and run LCM discovery again after the switch is upgraded. | 4.10.0-4.10.1 | 4.11.0-4.15.1| | [3858210](#3858210)
| When you upgrade your NetQ VM, DPUs in the inventory are not shown. To work around this issue, restart the DTS container on the DPUs in your network. | 4.10.0-4.11.0 | 4.12.0-4.15.1| -| [3854467](#3854467)
| When a single NetQ cluster VM is offline, the NetQ kafka-connect pods are brought down on other cluster nodes, preventing NetQ data from collecting data. To work around this issue, bring all cluster nodes back into service. | 4.10.0-4.11.0 | 4.12.0-4.15.1| +| [3854467, 3848959, 3845926, 3959779](#3854467, 3848959, 3845926, 3959779)
| When a single NetQ cluster VM is offline, the NetQ kafka-connect pods are brought down on other cluster nodes, preventing NetQ data from collecting data. To work around this issue, bring all cluster nodes back into service. | 4.10.0-4.11.0 | 4.12.0-4.15.1| | [3851922](#3851922)
| After you run an LCM switch discovery in a NetQ cluster environment, NetQ CLI commands on switches might fail with the message Failed to process command. | 4.10.0-4.10.1 | 4.11.0-4.15.1| | [3800434](#3800434)
| When you upgrade NetQ from a version prior to 4.9.0, What Just Happened data that was collected before the upgrade is no longer present. | 4.9.0-4.15.1 | | | [3772274](#3772274)
| After you upgrade NetQ, data from snapshots taken prior to the NetQ upgrade will contain unreliable data and should not be compared to any snapshots taken after the upgrade. In cluster deployments, snapshots from prior NetQ versions will not be visible in the UI. | 4.9.0-4.15.1 | | -| [3769936](#3769936)
| When there is a NetQ interface validation failure for admin state mismatch, the validation failure might clear unexpectedly while one side of the link is still administratively down. | 4.9.0-4.13.0 | 4.14.0-4.15.1| -| [3721754](#3721754)
| After you decommission a switch, the switch's interfaces are still displayed in the NetQ UI in the Interfaces view. | 4.9.0-4.10.1 | 4.11.0-4.15.1| +| [3769936, 3976289, 4122250](#3769936, 3976289, 4122250)
| When there is a NetQ interface validation failure for admin state mismatch, the validation failure might clear unexpectedly while one side of the link is still administratively down. | 4.9.0-4.13.0 | 4.14.0-4.15.1| +| [3721754, 3721794](#3721754, 3721794)
| After you decommission a switch, the switch's interfaces are still displayed in the NetQ UI in the Interfaces view. | 4.9.0-4.10.1 | 4.11.0-4.15.1| | [3613811](#3613811)
| LCM operations using in-band management are unsupported on switches that use eth0 connected to an out-of-band network. To work around this issue, configure NetQ to use out-of-band management in the mgmt VRF on Cumulus Linux switches when interface eth0 is in use. | 4.8.0-4.15.1 | | ### Fixed Issues in 4.10.0 @@ -57,7 +57,7 @@ pdfhidden: True | [3819364](#3819364)
| When you attempt to delete a scheduled trace using the NetQ UI, the trace record is not deleted. | 4.7.0-4.9.0 | | | [3813819](#3813819)
| When you perform a switch discovery by specifying an IP range, an error message is displayed if switches included in the range have different credentials. To work around this issue, batch switches based on their credentials and run a switch discovery for each batch. | 4.9.0 | | | [3813078](#3813078)
| When you perform a NetQ upgrade, the upgrade might fail with the following error message:
Command '['kubectl', 'version --client']' returned non-zero exit status 1.
To work around this issue, run the netq bootstrap reset keep-db command and then reinstall NetQ using the netq install command for your deployment. | 4.9.0 | | -| [3808200](#3808200)
| When you perform a netq bootstrap reset on a NetQ cluster VM and perform a fresh install with the netq install command, the install might fail with the following error:
 master-node-installer: Running sanity check on cluster_vip: 10.10.10.10 Virtual IP 10.10.10.10 is already used
To work around this issue, run the netq install command again. | 4.9.0 | | +| [3808200, 3788382](#3808200, 3788382)
| When you perform a netq bootstrap reset on a NetQ cluster VM and perform a fresh install with the netq install command, the install might fail with the following error:
 master-node-installer: Running sanity check on cluster_vip: 10.10.10.10 Virtual IP 10.10.10.10 is already used
To work around this issue, run the netq install command again. | 4.9.0 | | | [3773879](#3773879)
| When you upgrade a switch running Cumulus Linux using NetQ LCM, any configuration files in /etc/cumulus/switchd.d for adaptive routing or other features are not restored after the upgrade. To work around this issue, manually back up these files and restore them after the upgrade. | 4.9.0 | | | [3771124](#3771124)
| When you reconfigure a VNI to map to a different VRF or remove and recreate a VNI in the same VRF, NetQ EVPN validations might incorrectly indicate a failure for the VRF consistency test. | 4.9.0 | | | [3760442](#3760442)
| When you export events from NetQ to a CSV file, the timestamp of the exported events does not match the timestamp reported in the NetQ UI based on the user profile's time zone setting. | 4.9.0 | | diff --git a/content/cumulus-netq-410/rn.xml b/content/cumulus-netq-410/rn.xml index 70ea548989..ae85595dbd 100644 --- a/content/cumulus-netq-410/rn.xml +++ b/content/cumulus-netq-410/rn.xml @@ -31,7 +31,7 @@ 4.12.0-4.15.1 -3854467 +3854467, 3848959, 3845926, 3959779 When a single NetQ cluster VM is offline, the NetQ kafka-connect pods are brought down on other cluster nodes, preventing NetQ data from collecting data. To work around this issue, bring all cluster nodes back into service. 4.10.0-4.11.0 4.12.0-4.15.1 @@ -55,13 +55,13 @@ -3769936 +3769936, 3976289, 4122250 When there is a NetQ interface validation failure for admin state mismatch, the validation failure might clear unexpectedly while one side of the link is still administratively down. 4.9.0-4.13.0 4.14.0-4.15.1 -3721754 +3721754, 3721794 After you decommission a switch, the switch's interfaces are still displayed in the NetQ UI in the Interfaces view. 4.9.0-4.10.1 4.11.0-4.15.1 @@ -117,7 +117,7 @@ 4.12.0-4.15.1 -3854467 +3854467, 3848959, 3845926, 3959779 When a single NetQ cluster VM is offline, the NetQ kafka-connect pods are brought down on other cluster nodes, preventing NetQ data from collecting data. To work around this issue, bring all cluster nodes back into service. 4.10.0-4.11.0 4.12.0-4.15.1 @@ -141,13 +141,13 @@ -3769936 +3769936, 3976289, 4122250 When there is a NetQ interface validation failure for admin state mismatch, the validation failure might clear unexpectedly while one side of the link is still administratively down. 4.9.0-4.13.0 4.14.0-4.15.1 -3721754 +3721754, 3721794 After you decommission a switch, the switch's interfaces are still displayed in the NetQ UI in the Interfaces view. 4.9.0-4.10.1 4.11.0-4.15.1 @@ -202,7 +202,7 @@ To work around this issue, run the {{netq bootstrap reset keep-db}} command and 4.9.0 -3808200 +3808200, 3788382 When you perform a {{netq bootstrap reset}} on a NetQ cluster VM and perform a fresh install with the {{netq install}} command, the install might fail with the following error: master-node-installer: Running sanity check on cluster_vip: 10.10.10.10 Virtual IP 10.10.10.10 is already used To work around this issue, run the {{netq install}} command again. diff --git a/content/cumulus-netq-411/Whats-New/rn.md b/content/cumulus-netq-411/Whats-New/rn.md index 373cece61e..ac862e2465 100644 --- a/content/cumulus-netq-411/Whats-New/rn.md +++ b/content/cumulus-netq-411/Whats-New/rn.md @@ -17,17 +17,17 @@ pdfhidden: True | [4612457](#4612457)
| The process monitoring dashboard may display inaccurate CPU utilization values for the NetQ agent. | 4.11.0-4.15.1 | 5.0.0-5.1.0| | [4466349](#4466349)
| When you upgrade an HA cluster deployment from a version that is not part of the supported upgrade path, the upgrade might fail and the UI might not load due to expired control plane certificates on the worker nodes.

To check whether the certificates have expired, run sudo su followed by kubeadm certs check-expiration. If the output displays a date in the past, your certificates are expired. To update the certificates, run kubeadm certs renew all on each worker node in the cluster. Next, restart the control plane components with crictl stop CONTAINER_ID, followed by systemctl restart kubelet. | 4.8.0-4.14.0 | 4.15.0-4.15.1| | [4181296](#4181296)
| NetQ might become unresponsive when someone with a non-admin (user) role attempts to create or clone workbenches, add cards to a workbench, create validations, or run a flow analysis. | 4.11.0-4.12.0 | 4.13.0-4.15.1| -| [4023716](#4023716)
| NetQ might display duplicate validations results. | 4.11.0-4.15.1 | 5.0.0-5.1.0| +| [4023716, 4022819, 4282514](#4023716, 4022819, 4282514)
| NetQ might display duplicate validations results. | 4.11.0-4.15.1 | 5.0.0-5.1.0| | [4001098](#4001098)
| When you use NetQ LCM to upgrade a Cumulus Linux switch from version 5.9 to 5.10, and if the upgrade fails, NetQ rolls back to version 5.9 and reverts the cumulus user password to the default password. After rollback, reconfigure the password with the nv set system aaa user cumulus password \ command. | 4.11.0 | 4.12.0-4.15.1| | [4000939](#4000939)
| When you upgrade a NetQ VM with devices in the inventory that have been rotten for 7 or more days, NetQ inventory cards in the UI and table output might show inconsistent results and might not display the rotten devices. To work around this issue, decommission the rotten device and ensure it's running the appropriate NetQ agent version. | 4.11.0 | 4.12.0-4.15.1| | [3995266](#3995266)
| When you use NetQ LCM to upgrade a Cumulus Linux switch with NTP configured using NVUE in a VRF that is not mgmt, the upgrade fails to complete. To work around this issue, first unset the NTP configuration with the nv unset service ntp and nv config apply commands, and reconfigure NTP after the upgrade completes. | 4.11.0 | 4.12.0-4.15.1| -| [3993538](#3993538)
| When you re-position a card on your workbench and then manually refresh the workbench, NetQ might reposition the cards. | 4.11.0-4.15.1 | 5.0.0-5.1.0| +| [3993538, 4379389](#3993538, 4379389)
| When you re-position a card on your workbench and then manually refresh the workbench, NetQ might reposition the cards. | 4.11.0-4.15.1 | 5.0.0-5.1.0| | [3981655](#3981655)
| When you upgrade your NetQ VM, some devices in the NetQ inventory might appear as rotten. To work around this issue, restart NetQ agents on devices or upgrade them to the latest agent version after the NetQ VM upgrade is completed. | 4.11.0 | 4.12.0-4.15.1| | [3858210](#3858210)
| When you upgrade your NetQ VM, DPUs in the inventory are not shown. To work around this issue, restart the DTS container on the DPUs in your network. | 4.10.0-4.11.0 | 4.12.0-4.15.1| -| [3854467](#3854467)
| When a single NetQ cluster VM is offline, the NetQ kafka-connect pods are brought down on other cluster nodes, preventing NetQ data from collecting data. To work around this issue, bring all cluster nodes back into service. | 4.10.0-4.11.0 | 4.12.0-4.15.1| +| [3854467, 3848959, 3845926, 3959779](#3854467, 3848959, 3845926, 3959779)
| When a single NetQ cluster VM is offline, the NetQ kafka-connect pods are brought down on other cluster nodes, preventing NetQ data from collecting data. To work around this issue, bring all cluster nodes back into service. | 4.10.0-4.11.0 | 4.12.0-4.15.1| | [3800434](#3800434)
| When you upgrade NetQ from a version prior to 4.9.0, What Just Happened data that was collected before the upgrade is no longer present. | 4.9.0-4.15.1 | | | [3772274](#3772274)
| After you upgrade NetQ, data from snapshots taken prior to the NetQ upgrade will contain unreliable data and should not be compared to any snapshots taken after the upgrade. In cluster deployments, snapshots from prior NetQ versions will not be visible in the UI. | 4.9.0-4.15.1 | | -| [3769936](#3769936)
| When there is a NetQ interface validation failure for admin state mismatch, the validation failure might clear unexpectedly while one side of the link is still administratively down. | 4.9.0-4.13.0 | 4.14.0-4.15.1| +| [3769936, 3976289, 4122250](#3769936, 3976289, 4122250)
| When there is a NetQ interface validation failure for admin state mismatch, the validation failure might clear unexpectedly while one side of the link is still administratively down. | 4.9.0-4.13.0 | 4.14.0-4.15.1| | [3613811](#3613811)
| LCM operations using in-band management are unsupported on switches that use eth0 connected to an out-of-band network. To work around this issue, configure NetQ to use out-of-band management in the mgmt VRF on Cumulus Linux switches when interface eth0 is in use. | 4.8.0-4.15.1 | | ### Fixed Issues in 4.11.0 @@ -36,5 +36,5 @@ pdfhidden: True | [3948198](#3948198)
| When you upgrade a Cumulus Linux switch configured with NVUE using NetQ LCM, the upgrade might fail due to NVUE configuration validation if the NVUE object model was changed between the current and new Cumulus Linux version. When this failure occurs, NetQ is unable to rollback to the prior configuration and the switch remains running the default Cumulus Linux configuration. | 4.10.1 | | | [3863195](#3863195)
| When you perform an LCM switch discovery on a Cumulus Linux 5.9.0 switch in your network that was already added in the NetQ inventory on a prior Cumulus Linux version, the switch will appear as Rotten in the NetQ UI. To work around this issue, decommission the switch first,and run LCM discovery again after the switch is upgraded. | 4.10.0-4.10.1 | | | [3851922](#3851922)
| After you run an LCM switch discovery in a NetQ cluster environment, NetQ CLI commands on switches might fail with the message Failed to process command. | 4.10.0-4.10.1 | | -| [3721754](#3721754)
| After you decommission a switch, the switch's interfaces are still displayed in the NetQ UI in the Interfaces view. | 4.9.0-4.10.1 | | +| [3721754, 3721794](#3721754, 3721794)
| After you decommission a switch, the switch's interfaces are still displayed in the NetQ UI in the Interfaces view. | 4.9.0-4.10.1 | | diff --git a/content/cumulus-netq-411/rn.xml b/content/cumulus-netq-411/rn.xml index 0085edcd36..ef3b8782ab 100644 --- a/content/cumulus-netq-411/rn.xml +++ b/content/cumulus-netq-411/rn.xml @@ -25,7 +25,7 @@ 4.13.0-4.15.1 -4023716 +4023716, 4022819, 4282514 NetQ might display duplicate validations results. 4.11.0-4.15.1 5.0.0-5.1.0 @@ -49,7 +49,7 @@ 4.12.0-4.15.1 -3993538 +3993538, 4379389 When you re-position a card on your workbench and then manually refresh the workbench, NetQ might reposition the cards. 4.11.0-4.15.1 5.0.0-5.1.0 @@ -67,7 +67,7 @@ 4.12.0-4.15.1 -3854467 +3854467, 3848959, 3845926, 3959779 When a single NetQ cluster VM is offline, the NetQ kafka-connect pods are brought down on other cluster nodes, preventing NetQ data from collecting data. To work around this issue, bring all cluster nodes back into service. 4.10.0-4.11.0 4.12.0-4.15.1 @@ -85,7 +85,7 @@ -3769936 +3769936, 3976289, 4122250 When there is a NetQ interface validation failure for admin state mismatch, the validation failure might clear unexpectedly while one side of the link is still administratively down. 4.9.0-4.13.0 4.14.0-4.15.1 @@ -119,7 +119,7 @@ 4.10.0-4.10.1 -3721754 +3721754, 3721794 After you decommission a switch, the switch's interfaces are still displayed in the NetQ UI in the Interfaces view. 4.9.0-4.10.1 diff --git a/content/cumulus-netq-412/Whats-New/rn.md b/content/cumulus-netq-412/Whats-New/rn.md index a52d9b92bc..5e8c1f35bd 100644 --- a/content/cumulus-netq-412/Whats-New/rn.md +++ b/content/cumulus-netq-412/Whats-New/rn.md @@ -19,17 +19,17 @@ pdfhidden: True | [4371014](#4371014)
| In the full-screen switch card, the interface charts display incorrect values for transmit (Tx) and receive (Rx) byte rates. The actual values are slightly higher than the displayed values. | 4.12.0-4.13.0 | 4.14.0-4.15.1| | [4280023](#4280023)
| After backing up and restoring your NetQ data, any modifications to default suppression rules will be lost. | 4.12.0-4.13.0 | 4.14.0-4.15.1| | [4181296](#4181296)
| NetQ might become unresponsive when someone with a non-admin (user) role attempts to create or clone workbenches, add cards to a workbench, create validations, or run a flow analysis. | 4.11.0-4.12.0 | 4.13.0-4.15.1| -| [4162383](#4162383)
| When you upgrade a NetQ VM with devices in the inventory that have been rotten for 7 or more days, NetQ's global search field might fail to return results for individual devices. To work around this issue, decommission rotten devices and ensure they are running the appropriate NetQ agent version. | 4.12.0 | 4.13.0-4.15.1| -| [4157785](#4157785)
| When you add a new switch to the NetQ inventory, the NetQ UI might not display interface statistics or interface validation data for the new switch for up to one hour.
To work around this issue, adjust the poll period to 60 seconds on the new switch with the netq config add agent command service-key ports poll-period 60 command. When interface data is displayed in the NetQ UI, change it back to the default value of 3600 with the netq config add agent command service-key ports poll-period 3600 command. | 4.12.0 | 4.13.0-4.15.1| +| [4162383, 4209212](#4162383, 4209212)
| When you upgrade a NetQ VM with devices in the inventory that have been rotten for 7 or more days, NetQ's global search field might fail to return results for individual devices. To work around this issue, decommission rotten devices and ensure they are running the appropriate NetQ agent version. | 4.12.0 | 4.13.0-4.15.1| +| [4157785, 4158463, 4285543](#4157785, 4158463, 4285543)
| When you add a new switch to the NetQ inventory, the NetQ UI might not display interface statistics or interface validation data for the new switch for up to one hour.
To work around this issue, adjust the poll period to 60 seconds on the new switch with the netq config add agent command service-key ports poll-period 60 command. When interface data is displayed in the NetQ UI, change it back to the default value of 3600 with the netq config add agent command service-key ports poll-period 3600 command. | 4.12.0 | 4.13.0-4.15.1| | [4155900](#4155900)
| When a fan’s sensor state is “high”, NetQ correctly displays the count information on the sensor health card. When the card is expanded to the detailed view, fans with a “high” sensor state will not be included among the fans with problematic states. | 4.12.0 | 4.13.0-4.15.1| | [4131550](#4131550)
| When you run a topology validation, the full-screen topology validation view might not display the latest results. To work around this issue, refresh the page. | 4.12.0-4.15.1 | | | [4124724](#4124724)
| External notifications for DPU RoCE threshold-crossing events are not supported. To work around this issue, use the UI or CLI to view DPU RoCE threshold-crossing events. | 4.12.0 | 4.13.0-4.15.1| -| [4100882](#4100882)
| When you attempt to export a file that is larger than 200MB, your browser might crash or otherwise prevent you from exporting the file. To work around this issue, use filters in the UI to decrease the size of the dataset that you intend to export. | 4.12.0-4.15.1, 5.0.0-5.1.0 | | -| [4023716](#4023716)
| NetQ might display duplicate validations results. | 4.11.0-4.15.1 | 5.0.0-5.1.0| -| [3993538](#3993538)
| When you re-position a card on your workbench and then manually refresh the workbench, NetQ might reposition the cards. | 4.11.0-4.15.1 | 5.0.0-5.1.0| +| [4100882, 4119697](#4100882, 4119697)
| When you attempt to export a file that is larger than 200MB, your browser might crash or otherwise prevent you from exporting the file. To work around this issue, use filters in the UI to decrease the size of the dataset that you intend to export. | 4.12.0-4.15.1, 5.0.0-5.1.0 | | +| [4023716, 4022819, 4282514](#4023716, 4022819, 4282514)
| NetQ might display duplicate validations results. | 4.11.0-4.15.1 | 5.0.0-5.1.0| +| [3993538, 4379389](#3993538, 4379389)
| When you re-position a card on your workbench and then manually refresh the workbench, NetQ might reposition the cards. | 4.11.0-4.15.1 | 5.0.0-5.1.0| | [3800434](#3800434)
| When you upgrade NetQ from a version prior to 4.9.0, What Just Happened data that was collected before the upgrade is no longer present. | 4.9.0-4.15.1 | | | [3772274](#3772274)
| After you upgrade NetQ, data from snapshots taken prior to the NetQ upgrade will contain unreliable data and should not be compared to any snapshots taken after the upgrade. In cluster deployments, snapshots from prior NetQ versions will not be visible in the UI. | 4.9.0-4.15.1 | | -| [3769936](#3769936)
| When there is a NetQ interface validation failure for admin state mismatch, the validation failure might clear unexpectedly while one side of the link is still administratively down. | 4.9.0-4.13.0 | 4.14.0-4.15.1| +| [3769936, 3976289, 4122250](#3769936, 3976289, 4122250)
| When there is a NetQ interface validation failure for admin state mismatch, the validation failure might clear unexpectedly while one side of the link is still administratively down. | 4.9.0-4.13.0 | 4.14.0-4.15.1| | [3613811](#3613811)
| LCM operations using in-band management are unsupported on switches that use eth0 connected to an out-of-band network. To work around this issue, configure NetQ to use out-of-band management in the mgmt VRF on Cumulus Linux switches when interface eth0 is in use. | 4.8.0-4.15.1 | | ### Fixed Issues in 4.12.0 @@ -40,5 +40,5 @@ pdfhidden: True | [3995266](#3995266)
| When you use NetQ LCM to upgrade a Cumulus Linux switch with NTP configured using NVUE in a VRF that is not mgmt, the upgrade fails to complete. To work around this issue, first unset the NTP configuration with the nv unset service ntp and nv config apply commands, and reconfigure NTP after the upgrade completes. | 4.11.0 | | | [3981655](#3981655)
| When you upgrade your NetQ VM, some devices in the NetQ inventory might appear as rotten. To work around this issue, restart NetQ agents on devices or upgrade them to the latest agent version after the NetQ VM upgrade is completed. | 4.11.0 | | | [3858210](#3858210)
| When you upgrade your NetQ VM, DPUs in the inventory are not shown. To work around this issue, restart the DTS container on the DPUs in your network. | 4.10.0-4.11.0 | | -| [3854467](#3854467)
| When a single NetQ cluster VM is offline, the NetQ kafka-connect pods are brought down on other cluster nodes, preventing NetQ data from collecting data. To work around this issue, bring all cluster nodes back into service. | 4.10.0-4.11.0 | | +| [3854467, 3848959, 3845926, 3959779](#3854467, 3848959, 3845926, 3959779)
| When a single NetQ cluster VM is offline, the NetQ kafka-connect pods are brought down on other cluster nodes, preventing NetQ data from collecting data. To work around this issue, bring all cluster nodes back into service. | 4.10.0-4.11.0 | | diff --git a/content/cumulus-netq-412/rn.xml b/content/cumulus-netq-412/rn.xml index c9a6978de7..a1ed8d397b 100644 --- a/content/cumulus-netq-412/rn.xml +++ b/content/cumulus-netq-412/rn.xml @@ -37,13 +37,13 @@ 4.13.0-4.15.1 -4162383 +4162383, 4209212 When you upgrade a NetQ VM with devices in the inventory that have been rotten for 7 or more days, NetQ's global search field might fail to return results for individual devices. To work around this issue, decommission rotten devices and ensure they are running the appropriate NetQ agent version. 4.12.0 4.13.0-4.15.1 -4157785 +4157785, 4158463, 4285543 When you add a new switch to the NetQ inventory, the NetQ UI might not display interface statistics or interface validation data for the new switch for up to one hour. To work around this issue, adjust the poll period to 60 seconds on the new switch with the <code>netq config add agent command service-key ports poll-period 60</code> command. When interface data is displayed in the NetQ UI, change it back to the default value of 3600 with the <code>netq config add agent command service-key ports poll-period 3600</code> command. 4.12.0 @@ -68,19 +68,19 @@ To work around this issue, adjust the poll period to 60 seconds on the new switc 4.13.0-4.15.1 -4100882 +4100882, 4119697 When you attempt to export a file that is larger than 200MB, your browser might crash or otherwise prevent you from exporting the file. To work around this issue, use filters in the UI to decrease the size of the dataset that you intend to export. 4.12.0-4.15.1, 5.0.0-5.1.0 -4023716 +4023716, 4022819, 4282514 NetQ might display duplicate validations results. 4.11.0-4.15.1 5.0.0-5.1.0 -3993538 +3993538, 4379389 When you re-position a card on your workbench and then manually refresh the workbench, NetQ might reposition the cards. 4.11.0-4.15.1 5.0.0-5.1.0 @@ -98,7 +98,7 @@ To work around this issue, adjust the poll period to 60 seconds on the new switc -3769936 +3769936, 3976289, 4122250 When there is a NetQ interface validation failure for admin state mismatch, the validation failure might clear unexpectedly while one side of the link is still administratively down. 4.9.0-4.13.0 4.14.0-4.15.1 @@ -142,7 +142,7 @@ To work around this issue, adjust the poll period to 60 seconds on the new switc 4.10.0-4.11.0 -3854467 +3854467, 3848959, 3845926, 3959779 When a single NetQ cluster VM is offline, the NetQ kafka-connect pods are brought down on other cluster nodes, preventing NetQ data from collecting data. To work around this issue, bring all cluster nodes back into service. 4.10.0-4.11.0 diff --git a/content/cumulus-netq-413/Whats-New/rn.md b/content/cumulus-netq-413/Whats-New/rn.md index 03a306901b..7b93585897 100644 --- a/content/cumulus-netq-413/Whats-New/rn.md +++ b/content/cumulus-netq-413/Whats-New/rn.md @@ -18,28 +18,28 @@ pdfhidden: True | [4466349](#4466349)
| When you upgrade an HA cluster deployment from a version that is not part of the supported upgrade path, the upgrade might fail and the UI might not load due to expired control plane certificates on the worker nodes.

To check whether the certificates have expired, run sudo su followed by kubeadm certs check-expiration. If the output displays a date in the past, your certificates are expired. To update the certificates, run kubeadm certs renew all on each worker node in the cluster. Next, restart the control plane components with crictl stop CONTAINER_ID, followed by systemctl restart kubelet. | 4.8.0-4.14.0 | 4.15.0-4.15.1| | [4371014](#4371014)
| In the full-screen switch card, the interface charts display incorrect values for transmit (Tx) and receive (Rx) byte rates. The actual values are slightly higher than the displayed values. | 4.12.0-4.13.0 | 4.14.0-4.15.1| | [4360421](#4360421)
| When you back up your data from a prior NetQ release and restore it after installing NetQ 4.13.0, any switches that were in a rotten state are missing from the NetQ inventory after the upgrade. To work around this issue, decommission any rotten switches before you upgrade and reconnect the agents after the upgrade is complete. | 4.13.0 | 4.14.0-4.15.1| -| [4360420](#4360420)
| When you upgrade to 4.13, network snapshots taken prior to upgrading are not restored. | 4.13.0 | 4.14.0-4.15.1| +| [4360420, 4316305](#4360420, 4316305)
| When you upgrade to 4.13, network snapshots taken prior to upgrading are not restored. | 4.13.0 | 4.14.0-4.15.1| | [4310939](#4310939)
| When a switch becomes rotten or is connected to a different NetQ server without decommissioning it first, the link health view dashboard displays outdated counter values. To work around this issue, wait for NetQ to update and display accurate counter values. | 4.13.0-4.14.0 | 4.15.0-4.15.1| -| [4309191](#4309191)
| In cloud deployments, lifecycle management operations such as device discovery or switch decommissioning might time out and ultimately fail. To work around this issue, restart the LCM executor on the OPTA VM with lcm_pod='kubectl get pod \| grep -m1 lcm \| awk ‘{print $1}’'; kubectl delete pod $lcm_pod. | 4.13.0-4.14.0 | 4.15.0-4.15.1| +| [4309191, 4309888, 4343075, 4351684, 4411619, 4291885, 4493616](#4309191, 4309888, 4343075, 4351684, 4411619, 4291885, 4493616)
| In cloud deployments, lifecycle management operations such as device discovery or switch decommissioning might time out and ultimately fail. To work around this issue, restart the LCM executor on the OPTA VM with lcm_pod='kubectl get pod \| grep -m1 lcm \| awk ‘{print $1}’'; kubectl delete pod $lcm_pod. | 4.13.0-4.14.0 | 4.15.0-4.15.1| | [4280023](#4280023)
| After backing up and restoring your NetQ data, any modifications to default suppression rules will be lost. | 4.12.0-4.13.0 | 4.14.0-4.15.1| -| [4261089](#4261089)
| When you upgrade a cloud deployment, some switches might not appear in the search field or list of hostnames. To work around this issue, decommission the switches, then restart the agent on each switch with the sudo netq config restart agent command. | 4.13.0 | 4.14.0-4.15.1| +| [4261089, 4303877](#4261089, 4303877)
| When you upgrade a cloud deployment, some switches might not appear in the search field or list of hostnames. To work around this issue, decommission the switches, then restart the agent on each switch with the sudo netq config restart agent command. | 4.13.0 | 4.14.0-4.15.1| | [4248942](#4248942)
| When you assign a role to a switch, NetQ might take up to five minutes to reflect the new or updated role in the queue histogram fabric overview page. | 4.13.0-4.14.0 | 4.15.0-4.15.1| | [4236491](#4236491)
| When you click within a comparison view chart in link health view, the link utilization values in the side menu might differ from the values displayed in the comparison view chart. The values in the comparison chart are aggregated ever hour, whereas the values in the side menu reflect the most recent data. | 4.13.0 | 4.14.0-4.15.1| | [4131550](#4131550)
| When you run a topology validation, the full-screen topology validation view might not display the latest results. To work around this issue, refresh the page. | 4.12.0-4.15.1 | | -| [4100882](#4100882)
| When you attempt to export a file that is larger than 200MB, your browser might crash or otherwise prevent you from exporting the file. To work around this issue, use filters in the UI to decrease the size of the dataset that you intend to export. | 4.12.0-4.15.1, 5.0.0-5.1.0 | | -| [4023716](#4023716)
| NetQ might display duplicate validations results. | 4.11.0-4.15.1 | 5.0.0-5.1.0| -| [3993538](#3993538)
| When you re-position a card on your workbench and then manually refresh the workbench, NetQ might reposition the cards. | 4.11.0-4.15.1 | 5.0.0-5.1.0| +| [4100882, 4119697](#4100882, 4119697)
| When you attempt to export a file that is larger than 200MB, your browser might crash or otherwise prevent you from exporting the file. To work around this issue, use filters in the UI to decrease the size of the dataset that you intend to export. | 4.12.0-4.15.1, 5.0.0-5.1.0 | | +| [4023716, 4022819, 4282514](#4023716, 4022819, 4282514)
| NetQ might display duplicate validations results. | 4.11.0-4.15.1 | 5.0.0-5.1.0| +| [3993538, 4379389](#3993538, 4379389)
| When you re-position a card on your workbench and then manually refresh the workbench, NetQ might reposition the cards. | 4.11.0-4.15.1 | 5.0.0-5.1.0| | [3800434](#3800434)
| When you upgrade NetQ from a version prior to 4.9.0, What Just Happened data that was collected before the upgrade is no longer present. | 4.9.0-4.15.1 | | | [3772274](#3772274)
| After you upgrade NetQ, data from snapshots taken prior to the NetQ upgrade will contain unreliable data and should not be compared to any snapshots taken after the upgrade. In cluster deployments, snapshots from prior NetQ versions will not be visible in the UI. | 4.9.0-4.15.1 | | -| [3769936](#3769936)
| When there is a NetQ interface validation failure for admin state mismatch, the validation failure might clear unexpectedly while one side of the link is still administratively down. | 4.9.0-4.13.0 | 4.14.0-4.15.1| +| [3769936, 3976289, 4122250](#3769936, 3976289, 4122250)
| When there is a NetQ interface validation failure for admin state mismatch, the validation failure might clear unexpectedly while one side of the link is still administratively down. | 4.9.0-4.13.0 | 4.14.0-4.15.1| | [3613811](#3613811)
| LCM operations using in-band management are unsupported on switches that use eth0 connected to an out-of-band network. To work around this issue, configure NetQ to use out-of-band management in the mgmt VRF on Cumulus Linux switches when interface eth0 is in use. | 4.8.0-4.15.1 | | ### Fixed Issues in 4.13.0 | Issue ID | Description | Affects | |--- |--- |--- | | [4181296](#4181296)
| NetQ might become unresponsive when someone with a non-admin (user) role attempts to create or clone workbenches, add cards to a workbench, create validations, or run a flow analysis. | 4.11.0-4.12.0 | | -| [4162383](#4162383)
| When you upgrade a NetQ VM with devices in the inventory that have been rotten for 7 or more days, NetQ's global search field might fail to return results for individual devices. To work around this issue, decommission rotten devices and ensure they are running the appropriate NetQ agent version. | 4.12.0 | | -| [4157785](#4157785)
| When you add a new switch to the NetQ inventory, the NetQ UI might not display interface statistics or interface validation data for the new switch for up to one hour.
To work around this issue, adjust the poll period to 60 seconds on the new switch with the netq config add agent command service-key ports poll-period 60 command. When interface data is displayed in the NetQ UI, change it back to the default value of 3600 with the netq config add agent command service-key ports poll-period 3600 command. | 4.12.0 | | +| [4162383, 4209212](#4162383, 4209212)
| When you upgrade a NetQ VM with devices in the inventory that have been rotten for 7 or more days, NetQ's global search field might fail to return results for individual devices. To work around this issue, decommission rotten devices and ensure they are running the appropriate NetQ agent version. | 4.12.0 | | +| [4157785, 4158463, 4285543](#4157785, 4158463, 4285543)
| When you add a new switch to the NetQ inventory, the NetQ UI might not display interface statistics or interface validation data for the new switch for up to one hour.
To work around this issue, adjust the poll period to 60 seconds on the new switch with the netq config add agent command service-key ports poll-period 60 command. When interface data is displayed in the NetQ UI, change it back to the default value of 3600 with the netq config add agent command service-key ports poll-period 3600 command. | 4.12.0 | | | [4155900](#4155900)
| When a fan’s sensor state is “high”, NetQ correctly displays the count information on the sensor health card. When the card is expanded to the detailed view, fans with a “high” sensor state will not be included among the fans with problematic states. | 4.12.0 | | | [4124724](#4124724)
| External notifications for DPU RoCE threshold-crossing events are not supported. To work around this issue, use the UI or CLI to view DPU RoCE threshold-crossing events. | 4.12.0 | | diff --git a/content/cumulus-netq-413/rn.xml b/content/cumulus-netq-413/rn.xml index 661e8d104c..3c61a0de56 100644 --- a/content/cumulus-netq-413/rn.xml +++ b/content/cumulus-netq-413/rn.xml @@ -31,7 +31,7 @@ 4.14.0-4.15.1 -4360420 +4360420, 4316305 When you upgrade to 4.13, network snapshots taken prior to upgrading are not restored. 4.13.0 4.14.0-4.15.1 @@ -43,7 +43,7 @@ 4.15.0-4.15.1 -4309191 +4309191, 4309888, 4343075, 4351684, 4411619, 4291885, 4493616 In cloud deployments, lifecycle management operations such as device discovery or switch decommissioning might time out and ultimately fail. To work around this issue, restart the LCM executor on the OPTA VM with {{lcm_pod='kubectl get pod | grep -m1 lcm | awk ‘{print $1}’'; kubectl delete pod $lcm_pod}}. 4.13.0-4.14.0 4.15.0-4.15.1 @@ -55,7 +55,7 @@ 4.14.0-4.15.1 -4261089 +4261089, 4303877 When you upgrade a cloud deployment, some switches might not appear in the search field or list of hostnames. To work around this issue, decommission the switches, then restart the agent on each switch with the <code> sudo netq config restart agent </code> command. 4.13.0 4.14.0-4.15.1 @@ -79,19 +79,19 @@ -4100882 +4100882, 4119697 When you attempt to export a file that is larger than 200MB, your browser might crash or otherwise prevent you from exporting the file. To work around this issue, use filters in the UI to decrease the size of the dataset that you intend to export. 4.12.0-4.15.1, 5.0.0-5.1.0 -4023716 +4023716, 4022819, 4282514 NetQ might display duplicate validations results. 4.11.0-4.15.1 5.0.0-5.1.0 -3993538 +3993538, 4379389 When you re-position a card on your workbench and then manually refresh the workbench, NetQ might reposition the cards. 4.11.0-4.15.1 5.0.0-5.1.0 @@ -109,7 +109,7 @@ -3769936 +3769936, 3976289, 4122250 When there is a NetQ interface validation failure for admin state mismatch, the validation failure might clear unexpectedly while one side of the link is still administratively down. 4.9.0-4.13.0 4.14.0-4.15.1 @@ -133,12 +133,12 @@ 4.11.0-4.12.0 -4162383 +4162383, 4209212 When you upgrade a NetQ VM with devices in the inventory that have been rotten for 7 or more days, NetQ's global search field might fail to return results for individual devices. To work around this issue, decommission rotten devices and ensure they are running the appropriate NetQ agent version. 4.12.0 -4157785 +4157785, 4158463, 4285543 When you add a new switch to the NetQ inventory, the NetQ UI might not display interface statistics or interface validation data for the new switch for up to one hour. To work around this issue, adjust the poll period to 60 seconds on the new switch with the <code>netq config add agent command service-key ports poll-period 60</code> command. When interface data is displayed in the NetQ UI, change it back to the default value of 3600 with the <code>netq config add agent command service-key ports poll-period 3600</code> command. 4.12.0 diff --git a/content/cumulus-netq-414/Whats-New/rn.md b/content/cumulus-netq-414/Whats-New/rn.md index 01af68cd50..52b86468d6 100644 --- a/content/cumulus-netq-414/Whats-New/rn.md +++ b/content/cumulus-netq-414/Whats-New/rn.md @@ -20,12 +20,12 @@ pdfhidden: True | [4466349](#4466349)
| When you upgrade an HA cluster deployment from a version that is not part of the supported upgrade path, the upgrade might fail and the UI might not load due to expired control plane certificates on the worker nodes.

To check whether the certificates have expired, run sudo su followed by kubeadm certs check-expiration. If the output displays a date in the past, your certificates are expired. To update the certificates, run kubeadm certs renew all on each worker node in the cluster. Next, restart the control plane components with crictl stop CONTAINER_ID, followed by systemctl restart kubelet. | 4.8.0-4.14.0 | 4.15.0-4.15.1| | [4402969](#4402969)
| When you upgrade a cluster deployment from NetQ 4.13 to 4.14 using Base Command Manager (BCM), the operation might appear to fail with the error message Warning: Ping to admin app failed. 10.141.0.1 Traceback (most recent call last): File “/usr/bin/netq”, line 404, in rx_reply(sock, sys.argv) File “/usr/bin/netq”, line 126, in rx_reply rx_data = sock.recv(4096) BlockingIOError: [Errno 11] Resource temporarily unavailable. You can ignore this message and wait for the upgrade to complete. To verify the actual NetQ version and upgrade status, run the netq show status command
| 4.14.0 | 4.15.0-4.15.1| | [4310939](#4310939)
| When a switch becomes rotten or is connected to a different NetQ server without decommissioning it first, the link health view dashboard displays outdated counter values. To work around this issue, wait for NetQ to update and display accurate counter values. | 4.13.0-4.14.0 | 4.15.0-4.15.1| -| [4309191](#4309191)
| In cloud deployments, lifecycle management operations such as device discovery or switch decommissioning might time out and ultimately fail. To work around this issue, restart the LCM executor on the OPTA VM with lcm_pod='kubectl get pod \| grep -m1 lcm \| awk ‘{print $1}’'; kubectl delete pod $lcm_pod. | 4.13.0-4.14.0 | 4.15.0-4.15.1| +| [4309191, 4309888, 4343075, 4351684, 4411619, 4291885, 4493616](#4309191, 4309888, 4343075, 4351684, 4411619, 4291885, 4493616)
| In cloud deployments, lifecycle management operations such as device discovery or switch decommissioning might time out and ultimately fail. To work around this issue, restart the LCM executor on the OPTA VM with lcm_pod='kubectl get pod \| grep -m1 lcm \| awk ‘{print $1}’'; kubectl delete pod $lcm_pod. | 4.13.0-4.14.0 | 4.15.0-4.15.1| | [4248942](#4248942)
| When you assign a role to a switch, NetQ might take up to five minutes to reflect the new or updated role in the queue histogram fabric overview page. | 4.13.0-4.14.0 | 4.15.0-4.15.1| | [4131550](#4131550)
| When you run a topology validation, the full-screen topology validation view might not display the latest results. To work around this issue, refresh the page. | 4.12.0-4.15.1 | | -| [4100882](#4100882)
| When you attempt to export a file that is larger than 200MB, your browser might crash or otherwise prevent you from exporting the file. To work around this issue, use filters in the UI to decrease the size of the dataset that you intend to export. | 4.12.0-4.15.1, 5.0.0-5.1.0 | | -| [4023716](#4023716)
| NetQ might display duplicate validations results. | 4.11.0-4.15.1 | 5.0.0-5.1.0| -| [3993538](#3993538)
| When you re-position a card on your workbench and then manually refresh the workbench, NetQ might reposition the cards. | 4.11.0-4.15.1 | 5.0.0-5.1.0| +| [4100882, 4119697](#4100882, 4119697)
| When you attempt to export a file that is larger than 200MB, your browser might crash or otherwise prevent you from exporting the file. To work around this issue, use filters in the UI to decrease the size of the dataset that you intend to export. | 4.12.0-4.15.1, 5.0.0-5.1.0 | | +| [4023716, 4022819, 4282514](#4023716, 4022819, 4282514)
| NetQ might display duplicate validations results. | 4.11.0-4.15.1 | 5.0.0-5.1.0| +| [3993538, 4379389](#3993538, 4379389)
| When you re-position a card on your workbench and then manually refresh the workbench, NetQ might reposition the cards. | 4.11.0-4.15.1 | 5.0.0-5.1.0| | [3800434](#3800434)
| When you upgrade NetQ from a version prior to 4.9.0, What Just Happened data that was collected before the upgrade is no longer present. | 4.9.0-4.15.1 | | | [3772274](#3772274)
| After you upgrade NetQ, data from snapshots taken prior to the NetQ upgrade will contain unreliable data and should not be compared to any snapshots taken after the upgrade. In cluster deployments, snapshots from prior NetQ versions will not be visible in the UI. | 4.9.0-4.15.1 | | | [3613811](#3613811)
| LCM operations using in-band management are unsupported on switches that use eth0 connected to an out-of-band network. To work around this issue, configure NetQ to use out-of-band management in the mgmt VRF on Cumulus Linux switches when interface eth0 is in use. | 4.8.0-4.15.1 | | @@ -35,9 +35,9 @@ pdfhidden: True |--- |--- |--- | | [4371014](#4371014)
| In the full-screen switch card, the interface charts display incorrect values for transmit (Tx) and receive (Rx) byte rates. The actual values are slightly higher than the displayed values. | 4.12.0-4.13.0 | | | [4360421](#4360421)
| When you back up your data from a prior NetQ release and restore it after installing NetQ 4.13.0, any switches that were in a rotten state are missing from the NetQ inventory after the upgrade. To work around this issue, decommission any rotten switches before you upgrade and reconnect the agents after the upgrade is complete. | 4.13.0 | | -| [4360420](#4360420)
| When you upgrade to 4.13, network snapshots taken prior to upgrading are not restored. | 4.13.0 | | +| [4360420, 4316305](#4360420, 4316305)
| When you upgrade to 4.13, network snapshots taken prior to upgrading are not restored. | 4.13.0 | | | [4280023](#4280023)
| After backing up and restoring your NetQ data, any modifications to default suppression rules will be lost. | 4.12.0-4.13.0 | | -| [4261089](#4261089)
| When you upgrade a cloud deployment, some switches might not appear in the search field or list of hostnames. To work around this issue, decommission the switches, then restart the agent on each switch with the sudo netq config restart agent command. | 4.13.0 | | +| [4261089, 4303877](#4261089, 4303877)
| When you upgrade a cloud deployment, some switches might not appear in the search field or list of hostnames. To work around this issue, decommission the switches, then restart the agent on each switch with the sudo netq config restart agent command. | 4.13.0 | | | [4236491](#4236491)
| When you click within a comparison view chart in link health view, the link utilization values in the side menu might differ from the values displayed in the comparison view chart. The values in the comparison chart are aggregated ever hour, whereas the values in the side menu reflect the most recent data. | 4.13.0 | | -| [3769936](#3769936)
| When there is a NetQ interface validation failure for admin state mismatch, the validation failure might clear unexpectedly while one side of the link is still administratively down. | 4.9.0-4.13.0 | | +| [3769936, 3976289, 4122250](#3769936, 3976289, 4122250)
| When there is a NetQ interface validation failure for admin state mismatch, the validation failure might clear unexpectedly while one side of the link is still administratively down. | 4.9.0-4.13.0 | | diff --git a/content/cumulus-netq-414/rn.xml b/content/cumulus-netq-414/rn.xml index c332907be2..d694bed9b6 100644 --- a/content/cumulus-netq-414/rn.xml +++ b/content/cumulus-netq-414/rn.xml @@ -46,7 +46,7 @@ 4.15.0-4.15.1 -4309191 +4309191, 4309888, 4343075, 4351684, 4411619, 4291885, 4493616 In cloud deployments, lifecycle management operations such as device discovery or switch decommissioning might time out and ultimately fail. To work around this issue, restart the LCM executor on the OPTA VM with {{lcm_pod='kubectl get pod | grep -m1 lcm | awk ‘{print $1}’'; kubectl delete pod $lcm_pod}}. 4.13.0-4.14.0 4.15.0-4.15.1 @@ -64,19 +64,19 @@ -4100882 +4100882, 4119697 When you attempt to export a file that is larger than 200MB, your browser might crash or otherwise prevent you from exporting the file. To work around this issue, use filters in the UI to decrease the size of the dataset that you intend to export. 4.12.0-4.15.1, 5.0.0-5.1.0 -4023716 +4023716, 4022819, 4282514 NetQ might display duplicate validations results. 4.11.0-4.15.1 5.0.0-5.1.0 -3993538 +3993538, 4379389 When you re-position a card on your workbench and then manually refresh the workbench, NetQ might reposition the cards. 4.11.0-4.15.1 5.0.0-5.1.0 @@ -117,7 +117,7 @@ 4.13.0 -4360420 +4360420, 4316305 When you upgrade to 4.13, network snapshots taken prior to upgrading are not restored. 4.13.0 @@ -127,7 +127,7 @@ 4.12.0-4.13.0 -4261089 +4261089, 4303877 When you upgrade a cloud deployment, some switches might not appear in the search field or list of hostnames. To work around this issue, decommission the switches, then restart the agent on each switch with the <code> sudo netq config restart agent </code> command. 4.13.0 @@ -137,7 +137,7 @@ 4.13.0 -3769936 +3769936, 3976289, 4122250 When there is a NetQ interface validation failure for admin state mismatch, the validation failure might clear unexpectedly while one side of the link is still administratively down. 4.9.0-4.13.0 diff --git a/content/cumulus-netq-42/Whats-New/rn.md b/content/cumulus-netq-42/Whats-New/rn.md index 21f759d61a..3b879b3308 100644 --- a/content/cumulus-netq-42/Whats-New/rn.md +++ b/content/cumulus-netq-42/Whats-New/rn.md @@ -18,8 +18,8 @@ pdfhidden: True | [3442456](#3442456)
| When an event notification is resolved or acknowledged, the NetQ UI might display a duplicate event with the original notification content and timestamp. | 4.2.0-4.6.0 | 4.7.0-4.15.1| | [3157803](#3157803)
| The netq show commands to view MACs, IP addresses, neighbors, and routes might show a higher value compared to the corresponding entries in the NetQ UI. The netq show commands display additional values from the NetQ server or OPTA in addition to monitored devices in the NetQ inventory. | 4.2.0-4.3.0 | 4.4.0-4.15.1| | [3136898](#3136898)
| On switches running Cumulus Linux 5.2.0 and NetQ agent 4.2.0 or earlier, NetQ commands might fail and errors are logged to /var/log/netq-agent.log. To work around this issue, use NetQ agent version 4.3.0. | 4.2.0 | 4.3.0-4.15.1| -| [3131311](#3131311)
| Sensor validation checks might still reflect a failure in NetQ after the sensor failure has recovered. | 4.2.0-4.3.0 | 4.4.0-4.15.1| -| [3085064](#3085064)
| When you attempt to install NetQ on a device using LCM and configure the incorrect VRF, the installation will be reflected as successful but the switch will not be present in the inventory in the LCM UI. | 4.1.0-4.3.0 | 4.4.0-4.15.1| +| [3131311, 3234182](#3131311, 3234182)
| Sensor validation checks might still reflect a failure in NetQ after the sensor failure has recovered. | 4.2.0-4.3.0 | 4.4.0-4.15.1| +| [3085064, 2838027, 2551494](#3085064, 2838027, 2551494)
| When you attempt to install NetQ on a device using LCM and configure the incorrect VRF, the installation will be reflected as successful but the switch will not be present in the inventory in the LCM UI. | 4.1.0-4.3.0 | 4.4.0-4.15.1| | [3085017](#3085017)
| When you hover over a device with WJH events in the flow analysis graph, the number of WJH packet drops in the event summary might display 0 drops. This is because the device did not detect any WJH events on the selected path. To view the WJH events, select different paths to display any WJH events for that device. | 4.2.0 | 4.3.0-4.15.1| | [3053143](#3053143)
| The MLAG Session card might not show all MLAG events. | 4.2.0-4.3.0 | 4.4.0-4.15.1| | [3047149](#3047149)
| When you reboot the OPTA, the NetQ validation summary might show an incorrect number of validations. This condition will resolve itself within an hour of the reboot. | 4.2.0 | 4.3.0-4.15.1| diff --git a/content/cumulus-netq-42/rn.xml b/content/cumulus-netq-42/rn.xml index c13be11397..b5da5d04dd 100644 --- a/content/cumulus-netq-42/rn.xml +++ b/content/cumulus-netq-42/rn.xml @@ -31,13 +31,13 @@ 4.3.0-4.15.1 -3131311 +3131311, 3234182 Sensor validation checks might still reflect a failure in NetQ after the sensor failure has recovered. 4.2.0-4.3.0 4.4.0-4.15.1 -3085064 +3085064, 2838027, 2551494 When you attempt to install NetQ on a device using LCM and configure the incorrect VRF, the installation will be reflected as successful but the switch will not be present in the inventory in the LCM UI. 4.1.0-4.3.0 4.4.0-4.15.1 diff --git a/content/cumulus-netq-43/Whats-New/rn.md b/content/cumulus-netq-43/Whats-New/rn.md index 46e6c64dbe..3dfd235426 100644 --- a/content/cumulus-netq-43/Whats-New/rn.md +++ b/content/cumulus-netq-43/Whats-New/rn.md @@ -24,8 +24,8 @@ pdfhidden: True | [3205778](#3205778)
| In some high scale environments, NetQ agents might appear as rotten during high load. | 4.3.0 | 4.4.0-4.15.1| | [3179145](#3179145)
| The NetQ agent does not collect VLAN information from WJH data. This has been resolved, however when you upgrade to a NetQ version with the fix, historical WJH data will not be displayed in the UI. | 4.3.0-4.4.1 | 4.5.0-4.15.1| | [3157803](#3157803)
| The netq show commands to view MACs, IP addresses, neighbors, and routes might show a higher value compared to the corresponding entries in the NetQ UI. The netq show commands display additional values from the NetQ server or OPTA in addition to monitored devices in the NetQ inventory. | 4.2.0-4.3.0 | 4.4.0-4.15.1| -| [3131311](#3131311)
| Sensor validation checks might still reflect a failure in NetQ after the sensor failure has recovered. | 4.2.0-4.3.0 | 4.4.0-4.15.1| -| [3085064](#3085064)
| When you attempt to install NetQ on a device using LCM and configure the incorrect VRF, the installation will be reflected as successful but the switch will not be present in the inventory in the LCM UI. | 4.1.0-4.3.0 | 4.4.0-4.15.1| +| [3131311, 3234182](#3131311, 3234182)
| Sensor validation checks might still reflect a failure in NetQ after the sensor failure has recovered. | 4.2.0-4.3.0 | 4.4.0-4.15.1| +| [3085064, 2838027, 2551494](#3085064, 2838027, 2551494)
| When you attempt to install NetQ on a device using LCM and configure the incorrect VRF, the installation will be reflected as successful but the switch will not be present in the inventory in the LCM UI. | 4.1.0-4.3.0 | 4.4.0-4.15.1| | [3053143](#3053143)
| The MLAG Session card might not show all MLAG events. | 4.2.0-4.3.0 | 4.4.0-4.15.1| | [3015875](#3015875)
| NetQ trace might report incomplete route information when there are multiple default routes in a VRF in the path between the source and destination. | 4.1.0-4.4.1 | 4.5.0-4.15.1| | [2605545](#2605545)
| Sort functionality is disabled when the number of records exceeds 10,000 entries in a full-screen, tabular view. | 4.3.0 | 4.4.0-4.15.1| diff --git a/content/cumulus-netq-43/rn.xml b/content/cumulus-netq-43/rn.xml index 4f79163cba..762db32b5a 100644 --- a/content/cumulus-netq-43/rn.xml +++ b/content/cumulus-netq-43/rn.xml @@ -79,13 +79,13 @@ ERROR: Expecting value: line 1 column 1 (char 0) 4.4.0-4.15.1 -3131311 +3131311, 3234182 Sensor validation checks might still reflect a failure in NetQ after the sensor failure has recovered. 4.2.0-4.3.0 4.4.0-4.15.1 -3085064 +3085064, 2838027, 2551494 When you attempt to install NetQ on a device using LCM and configure the incorrect VRF, the installation will be reflected as successful but the switch will not be present in the inventory in the LCM UI. 4.1.0-4.3.0 4.4.0-4.15.1 diff --git a/content/cumulus-netq-44/Whats-New/rn.md b/content/cumulus-netq-44/Whats-New/rn.md index cfe9711f62..5f31d93bbf 100644 --- a/content/cumulus-netq-44/Whats-New/rn.md +++ b/content/cumulus-netq-44/Whats-New/rn.md @@ -60,8 +60,8 @@ pdfhidden: True | [3157803](#3157803)
| The netq show commands to view MACs, IP addresses, neighbors, and routes might show a higher value compared to the corresponding entries in the NetQ UI. The netq show commands display additional values from the NetQ server or OPTA in addition to monitored devices in the NetQ inventory. | 4.2.0-4.3.0 | | | [3141723](#3141723)
| When you edit a TCA rule, an error will prevent the rule from updating. To work around this problem, delete the existing rule and create a new one. | | | | [3140425](#3140425)
| LCM NetQ install or upgrade will silently fail if a target switch's hostname is still set to the default (cumulus for Cumulus Linux or sonic} for SONiC). | | | -| [3131311](#3131311)
| Sensor validation checks might still reflect a failure in NetQ after the sensor failure has recovered. | 4.2.0-4.3.0 | | -| [3085064](#3085064)
| When you attempt to install NetQ on a device using LCM and configure the incorrect VRF, the installation will be reflected as successful but the switch will not be present in the inventory in the LCM UI. | 4.1.0-4.3.0 | | +| [3131311, 3234182](#3131311, 3234182)
| Sensor validation checks might still reflect a failure in NetQ after the sensor failure has recovered. | 4.2.0-4.3.0 | | +| [3085064, 2838027, 2551494](#3085064, 2838027, 2551494)
| When you attempt to install NetQ on a device using LCM and configure the incorrect VRF, the installation will be reflected as successful but the switch will not be present in the inventory in the LCM UI. | 4.1.0-4.3.0 | | | [3053143](#3053143)
| The MLAG Session card might not show all MLAG events. | 4.2.0-4.3.0 | | | [2605545](#2605545)
| Sort functionality is disabled when the number of records exceeds 10,000 entries in a full-screen, tabular view. | 4.3.0 | | diff --git a/content/cumulus-netq-44/rn.xml b/content/cumulus-netq-44/rn.xml index 58bf39282e..560ac299e3 100644 --- a/content/cumulus-netq-44/rn.xml +++ b/content/cumulus-netq-44/rn.xml @@ -265,12 +265,12 @@ local variable ‘url’ referenced before assignment -3131311 +3131311, 3234182 Sensor validation checks might still reflect a failure in NetQ after the sensor failure has recovered. 4.2.0-4.3.0 -3085064 +3085064, 2838027, 2551494 When you attempt to install NetQ on a device using LCM and configure the incorrect VRF, the installation will be reflected as successful but the switch will not be present in the inventory in the LCM UI. 4.1.0-4.3.0 diff --git a/content/cumulus-netq-46/Whats-New/rn.md b/content/cumulus-netq-46/Whats-New/rn.md index c873cedad8..4e2eaa35d0 100644 --- a/content/cumulus-netq-46/Whats-New/rn.md +++ b/content/cumulus-netq-46/Whats-New/rn.md @@ -23,7 +23,7 @@ pdfhidden: True | [3442456](#3442456)
| When an event notification is resolved or acknowledged, the NetQ UI might display a duplicate event with the original notification content and timestamp. | 4.2.0-4.6.0 | 4.7.0-4.15.1| | [3436299](#3436299)
| RoCE validations might not display data in the NetQ UI and CLI for Cumulus Linux switches when the NVUE service is not running. This issue will resolve itself within 24 hours after the next full status update from the NetQ agent. | 4.6.0 | 4.7.0-4.15.1| | [3431386](#3431386)
| When you upgrade your NetQ VM from NetQ 4.5.0 to 4.6.0 using the netq upgrade bundle command, certain pods are not correctly retagged. To work around this issue, retag and restart the affected pods with the following commands for your deployment after upgrading:On-premises VMs:
sudo docker tag localhost:5000/fluend-aggregator-opta:1.14.3 docker-registry:5000/fluend-aggregator-opta:1.14.3sudo docker push docker-registry:5000/fluend-aggregator-opta:1.14.3sudo kubectl get pods -n default\|grep -i fluend-aggregator-opta\|awk '{print $1}'\|xargs kubectl delete pod -n defaultsudo docker tag localhost:5000/cp-schema-registry:7.2.0 docker-registry:5000/cp-schema-registry:7.2.0sudo docker push docker-registry:5000/cp-schema-registry:7.2.0sudo kubectl get pods -n default\|grep -i cp-schema-registry\|awk '{print $1}'\|xargs kubectl delete pod -n defaultsudo docker tag localhost:5000/cp-kafka:7.2.0 docker-registry:5000/cp-kafka:7.2.0sudo docker push docker-registry:5000/cp-kafka:7.2.0sudo kubectl get pods -n default\|grep -i kafka-broker\|awk '{print $1}'\|xargs kubectl delete pod -n default
Cloud VMs:
sudo docker tag localhost:5000/fluend-aggregator-opta:1.14.3 docker-registry:5000/fluend-aggregator-opta:1.14.3sudo docker push docker-registry:5000/fluend-aggregator-opta:1.14.3sudo kubectl get pods -n default\|grep -i fluend-aggregator-opta\|awk '{print $1}'\|xargs kubectl delete pod -n default
| 4.5.0-4.6.0 | 4.7.0-4.15.1| -| [3429528](#3429528)
| EVPN and RoCE validation cards in the NetQ UI might not display data when Cumulus Linux switches are configured with high VNI scale. | 4.6.0-4.8.0 | 4.9.0-4.15.1| +| [3429528, 3588417](#3429528, 3588417)
| EVPN and RoCE validation cards in the NetQ UI might not display data when Cumulus Linux switches are configured with high VNI scale. | 4.6.0-4.8.0 | 4.9.0-4.15.1| ### Fixed Issues in 4.6.0 | Issue ID | Description | Affects | diff --git a/content/cumulus-netq-46/rn.xml b/content/cumulus-netq-46/rn.xml index 9ed6be66e5..35605310e3 100644 --- a/content/cumulus-netq-46/rn.xml +++ b/content/cumulus-netq-46/rn.xml @@ -104,7 +104,7 @@ sudo kubectl get pods -n default|grep -i fluend-aggregator-opta|awk '{print $1}' 4.7.0-4.15.1 -3429528 +3429528, 3588417 EVPN and RoCE validation cards in the NetQ UI might not display data when Cumulus Linux switches are configured with high VNI scale. 4.6.0-4.8.0 4.9.0-4.15.1 diff --git a/content/cumulus-netq-47/Whats-New/rn.md b/content/cumulus-netq-47/Whats-New/rn.md index 96ded8fd39..0427a06a0e 100644 --- a/content/cumulus-netq-47/Whats-New/rn.md +++ b/content/cumulus-netq-47/Whats-New/rn.md @@ -22,7 +22,7 @@ pdfhidden: True | [3555031](#3555031)
| NetQ incorrectly reports a low health SSD event on SN5600 switches. To work around this issue, configure an event suppression rule for ssdutil messages from SN5600 switches in your network. | 4.7.0 | 4.8.0-4.15.1| | [3549877](#3549877)
| NetQ cloud deployments might unexpectedly display validation results for checks that did not run on any nodes. | 4.6.0-4.8.0 | 4.9.0-4.15.1| | [3530739](#3530739)
| Queue histogram data received from switches might encounter a delay before appearing in the NetQ UI. | 4.7.0 | 4.8.0-4.15.1| -| [3429528](#3429528)
| EVPN and RoCE validation cards in the NetQ UI might not display data when Cumulus Linux switches are configured with high VNI scale. | 4.6.0-4.8.0 | 4.9.0-4.15.1| +| [3429528, 3588417](#3429528, 3588417)
| EVPN and RoCE validation cards in the NetQ UI might not display data when Cumulus Linux switches are configured with high VNI scale. | 4.6.0-4.8.0 | 4.9.0-4.15.1| ### Fixed Issues in 4.7.0 | Issue ID | Description | Affects | diff --git a/content/cumulus-netq-47/rn.xml b/content/cumulus-netq-47/rn.xml index 6c8fd0185b..b30a6b7d21 100644 --- a/content/cumulus-netq-47/rn.xml +++ b/content/cumulus-netq-47/rn.xml @@ -55,7 +55,7 @@ 4.8.0-4.15.1 -3429528 +3429528, 3588417 EVPN and RoCE validation cards in the NetQ UI might not display data when Cumulus Linux switches are configured with high VNI scale. 4.6.0-4.8.0 4.9.0-4.15.1 diff --git a/content/cumulus-netq-48/Whats-New/rn.md b/content/cumulus-netq-48/Whats-New/rn.md index 6c0ea28ba8..1c5805d547 100644 --- a/content/cumulus-netq-48/Whats-New/rn.md +++ b/content/cumulus-netq-48/Whats-New/rn.md @@ -17,7 +17,7 @@ pdfhidden: True | [4466349](#4466349)
| When you upgrade an HA cluster deployment from a version that is not part of the supported upgrade path, the upgrade might fail and the UI might not load due to expired control plane certificates on the worker nodes.

To check whether the certificates have expired, run sudo su followed by kubeadm certs check-expiration. If the output displays a date in the past, your certificates are expired. To update the certificates, run kubeadm certs renew all on each worker node in the cluster. Next, restart the control plane components with crictl stop CONTAINER_ID, followed by systemctl restart kubelet. | 4.8.0-4.14.0 | 4.15.0-4.15.1| | [3819364](#3819364)
| When you attempt to delete a scheduled trace using the NetQ UI, the trace record is not deleted. | 4.7.0-4.9.0 | 4.10.0-4.15.1| | [3782784](#3782784)
| After performing a new NetQ cluster installation, some MLAG and EVPN NetQ validations might incorrectly report errors. To work around this issue, run the netq check mlag legacy and netq check evpn legacy commands instead of running a default streaming check. | 4.8.0 | 4.9.0-4.15.1| -| [3781503](#3781503)
| When you upgrade a Cumulus Linux switch running the nslcd service with NetQ LCM, the nslcd service fails to start after the upgrade. To work around this issue, manually back up your nslcd configuration and restore it after the upgrade. | 4.8.0 | 4.9.0-4.15.1| +| [3781503, 3775625](#3781503, 3775625)
| When you upgrade a Cumulus Linux switch running the nslcd service with NetQ LCM, the nslcd service fails to start after the upgrade. To work around this issue, manually back up your nslcd configuration and restore it after the upgrade. | 4.8.0 | 4.9.0-4.15.1| | [3761602](#3761602)
| NetQ does not display queue histogram data for switches running Cumulus Linux 5.8.0 and NetQ agent version 4.8.0. To work around this issue, upgrade the NetQ agent package to 4.9.0. | 4.8.0 | 4.9.0-4.15.1| | [3739222](#3739222)
| The opta-check command does not properly validate if the required 16 CPU cores are present on the system for NetQ. The command only presents an error if there are fewer than 8 CPU cores detected. | 4.2.0-4.8.0 | 4.9.0-4.15.1| | [3738840](#3738840)
| When you upgrade a Cumulus Linux switch configured for TACACS authentication using NetQ LCM, the switch's TACACS configuration is not restored after upgrade. | 4.8.0-4.9.0 | 4.10.0-4.15.1| @@ -30,7 +30,7 @@ pdfhidden: True | [3632378](#3632378)
| After you upgrade your on-premises NetQ VM from version 4.7.0 to 4.8.0, NIC telemetry using the Prometheus adapter is not collected. To work around this issue, run the following commands on your NetQ VM:
sudo kubectl set image deployment/netq-prom-adapter netq-prom-adapter=docker-registry:5000/netq-prom-adapter:4.8.0
sudo kubectl set image deployment/netq-prom-adapter prometheus=docker-registry:5000/prometheus-v2.41.0:4.8.0
| 4.8.0 | 4.9.0-4.15.1| | [3613811](#3613811)
| LCM operations using in-band management are unsupported on switches that use eth0 connected to an out-of-band network. To work around this issue, configure NetQ to use out-of-band management in the mgmt VRF on Cumulus Linux switches when interface eth0 is in use. | 4.8.0-4.15.1 | | | [3549877](#3549877)
| NetQ cloud deployments might unexpectedly display validation results for checks that did not run on any nodes. | 4.6.0-4.8.0 | 4.9.0-4.15.1| -| [3429528](#3429528)
| EVPN and RoCE validation cards in the NetQ UI might not display data when Cumulus Linux switches are configured with high VNI scale. | 4.6.0-4.8.0 | 4.9.0-4.15.1| +| [3429528, 3588417](#3429528, 3588417)
| EVPN and RoCE validation cards in the NetQ UI might not display data when Cumulus Linux switches are configured with high VNI scale. | 4.6.0-4.8.0 | 4.9.0-4.15.1| ### Fixed Issues in 4.8.0 | Issue ID | Description | Affects | diff --git a/content/cumulus-netq-48/rn.xml b/content/cumulus-netq-48/rn.xml index 9f02dcc9fc..3e0939fd6f 100644 --- a/content/cumulus-netq-48/rn.xml +++ b/content/cumulus-netq-48/rn.xml @@ -25,7 +25,7 @@ 4.9.0-4.15.1 -3781503 +3781503, 3775625 When you upgrade a Cumulus Linux switch running the nslcd service with NetQ LCM, the {{nslcd}} service fails to start after the upgrade. To work around this issue, manually back up your {{nslcd}} configuration and restore it after the upgrade. 4.8.0 4.9.0-4.15.1 @@ -106,7 +106,7 @@ sudo kubectl set image deployment/netq-prom-adapter prometheus=docker-registry:5 4.9.0-4.15.1 -3429528 +3429528, 3588417 EVPN and RoCE validation cards in the NetQ UI might not display data when Cumulus Linux switches are configured with high VNI scale. 4.6.0-4.8.0 4.9.0-4.15.1 diff --git a/content/cumulus-netq-49/Whats-New/rn.md b/content/cumulus-netq-49/Whats-New/rn.md index 211ecac404..fa03691b57 100644 --- a/content/cumulus-netq-49/Whats-New/rn.md +++ b/content/cumulus-netq-49/Whats-New/rn.md @@ -21,22 +21,22 @@ pdfhidden: True | [3819364](#3819364)
| When you attempt to delete a scheduled trace using the NetQ UI, the trace record is not deleted. | 4.7.0-4.9.0 | 4.10.0-4.15.1| | [3813819](#3813819)
| When you perform a switch discovery by specifying an IP range, an error message is displayed if switches included in the range have different credentials. To work around this issue, batch switches based on their credentials and run a switch discovery for each batch. | 4.9.0 | 4.10.0-4.15.1| | [3813078](#3813078)
| When you perform a NetQ upgrade, the upgrade might fail with the following error message:
Command '['kubectl', 'version --client']' returned non-zero exit status 1.
To work around this issue, run the netq bootstrap reset keep-db command and then reinstall NetQ using the netq install command for your deployment. | 4.9.0 | 4.10.0-4.15.1| -| [3808200](#3808200)
| When you perform a netq bootstrap reset on a NetQ cluster VM and perform a fresh install with the netq install command, the install might fail with the following error:
 master-node-installer: Running sanity check on cluster_vip: 10.10.10.10 Virtual IP 10.10.10.10 is already used
To work around this issue, run the netq install command again. | 4.9.0 | 4.10.0-4.15.1| +| [3808200, 3788382](#3808200, 3788382)
| When you perform a netq bootstrap reset on a NetQ cluster VM and perform a fresh install with the netq install command, the install might fail with the following error:
 master-node-installer: Running sanity check on cluster_vip: 10.10.10.10 Virtual IP 10.10.10.10 is already used
To work around this issue, run the netq install command again. | 4.9.0 | 4.10.0-4.15.1| | [3800434](#3800434)
| When you upgrade NetQ from a version prior to 4.9.0, What Just Happened data that was collected before the upgrade is no longer present. | 4.9.0-4.15.1 | | | [3773879](#3773879)
| When you upgrade a switch running Cumulus Linux using NetQ LCM, any configuration files in /etc/cumulus/switchd.d for adaptive routing or other features are not restored after the upgrade. To work around this issue, manually back up these files and restore them after the upgrade. | 4.9.0 | 4.10.0-4.15.1| | [3772274](#3772274)
| After you upgrade NetQ, data from snapshots taken prior to the NetQ upgrade will contain unreliable data and should not be compared to any snapshots taken after the upgrade. In cluster deployments, snapshots from prior NetQ versions will not be visible in the UI. | 4.9.0-4.15.1 | | | [3771124](#3771124)
| When you reconfigure a VNI to map to a different VRF or remove and recreate a VNI in the same VRF, NetQ EVPN validations might incorrectly indicate a failure for the VRF consistency test. | 4.9.0 | 4.10.0-4.15.1| -| [3769936](#3769936)
| When there is a NetQ interface validation failure for admin state mismatch, the validation failure might clear unexpectedly while one side of the link is still administratively down. | 4.9.0-4.13.0 | 4.14.0-4.15.1| +| [3769936, 3976289, 4122250](#3769936, 3976289, 4122250)
| When there is a NetQ interface validation failure for admin state mismatch, the validation failure might clear unexpectedly while one side of the link is still administratively down. | 4.9.0-4.13.0 | 4.14.0-4.15.1| | [3760442](#3760442)
| When you export events from NetQ to a CSV file, the timestamp of the exported events does not match the timestamp reported in the NetQ UI based on the user profile's time zone setting. | 4.9.0 | 4.10.0-4.15.1| | [3738840](#3738840)
| When you upgrade a Cumulus Linux switch configured for TACACS authentication using NetQ LCM, the switch's TACACS configuration is not restored after upgrade. | 4.8.0-4.9.0 | 4.10.0-4.15.1| -| [3721754](#3721754)
| After you decommission a switch, the switch's interfaces are still displayed in the NetQ UI in the Interfaces view. | 4.9.0-4.10.1 | 4.11.0-4.15.1| +| [3721754, 3721794](#3721754, 3721794)
| After you decommission a switch, the switch's interfaces are still displayed in the NetQ UI in the Interfaces view. | 4.9.0-4.10.1 | 4.11.0-4.15.1| | [3613811](#3613811)
| LCM operations using in-band management are unsupported on switches that use eth0 connected to an out-of-band network. To work around this issue, configure NetQ to use out-of-band management in the mgmt VRF on Cumulus Linux switches when interface eth0 is in use. | 4.8.0-4.15.1 | | ### Fixed Issues in 4.9.0 | Issue ID | Description | Affects | |--- |--- |--- | | [3782784](#3782784)
| After performing a new NetQ cluster installation, some MLAG and EVPN NetQ validations might incorrectly report errors. To work around this issue, run the netq check mlag legacy and netq check evpn legacy commands instead of running a default streaming check. | 4.8.0 | | -| [3781503](#3781503)
| When you upgrade a Cumulus Linux switch running the nslcd service with NetQ LCM, the nslcd service fails to start after the upgrade. To work around this issue, manually back up your nslcd configuration and restore it after the upgrade. | 4.8.0 | | +| [3781503, 3775625](#3781503, 3775625)
| When you upgrade a Cumulus Linux switch running the nslcd service with NetQ LCM, the nslcd service fails to start after the upgrade. To work around this issue, manually back up your nslcd configuration and restore it after the upgrade. | 4.8.0 | | | [3761602](#3761602)
| NetQ does not display queue histogram data for switches running Cumulus Linux 5.8.0 and NetQ agent version 4.8.0. To work around this issue, upgrade the NetQ agent package to 4.9.0. | 4.8.0 | | | [3739222](#3739222)
| The opta-check command does not properly validate if the required 16 CPU cores are present on the system for NetQ. The command only presents an error if there are fewer than 8 CPU cores detected. | 4.2.0-4.8.0 | | | [3688985](#3688985)
| After upgrading a NetQ VM with LDAP authentication configured, adding a new LDAP user to NetQ fails with the error message "LDAP not enabled." | 4.8.0 | | @@ -47,5 +47,5 @@ pdfhidden: True | [3634648](#3634648)
| The topology graph might show unexpected connections when devices in the topology do not have LLDP adjacencies. | 4.8.0 | | | [3632378](#3632378)
| After you upgrade your on-premises NetQ VM from version 4.7.0 to 4.8.0, NIC telemetry using the Prometheus adapter is not collected. To work around this issue, run the following commands on your NetQ VM:
sudo kubectl set image deployment/netq-prom-adapter netq-prom-adapter=docker-registry:5000/netq-prom-adapter:4.8.0
sudo kubectl set image deployment/netq-prom-adapter prometheus=docker-registry:5000/prometheus-v2.41.0:4.8.0
| 4.8.0 | | | [3549877](#3549877)
| NetQ cloud deployments might unexpectedly display validation results for checks that did not run on any nodes. | 4.6.0-4.8.0 | | -| [3429528](#3429528)
| EVPN and RoCE validation cards in the NetQ UI might not display data when Cumulus Linux switches are configured with high VNI scale. | 4.6.0-4.8.0 | | +| [3429528, 3588417](#3429528, 3588417)
| EVPN and RoCE validation cards in the NetQ UI might not display data when Cumulus Linux switches are configured with high VNI scale. | 4.6.0-4.8.0 | | diff --git a/content/cumulus-netq-49/rn.xml b/content/cumulus-netq-49/rn.xml index 749cf4b412..0d8159bccf 100644 --- a/content/cumulus-netq-49/rn.xml +++ b/content/cumulus-netq-49/rn.xml @@ -55,7 +55,7 @@ To work around this issue, run the {{netq bootstrap reset keep-db}} command and 4.10.0-4.15.1 -3808200 +3808200, 3788382 When you perform a {{netq bootstrap reset}} on a NetQ cluster VM and perform a fresh install with the {{netq install}} command, the install might fail with the following error: master-node-installer: Running sanity check on cluster_vip: 10.10.10.10 Virtual IP 10.10.10.10 is already used To work around this issue, run the {{netq install}} command again. @@ -88,7 +88,7 @@ restore them after the upgrade. 4.10.0-4.15.1 -3769936 +3769936, 3976289, 4122250 When there is a NetQ interface validation failure for admin state mismatch, the validation failure might clear unexpectedly while one side of the link is still administratively down. 4.9.0-4.13.0 4.14.0-4.15.1 @@ -106,7 +106,7 @@ restore them after the upgrade. 4.10.0-4.15.1 -3721754 +3721754, 3721794 After you decommission a switch, the switch's interfaces are still displayed in the NetQ UI in the Interfaces view. 4.9.0-4.10.1 4.11.0-4.15.1 @@ -130,7 +130,7 @@ restore them after the upgrade. 4.8.0 -3781503 +3781503, 3775625 When you upgrade a Cumulus Linux switch running the nslcd service with NetQ LCM, the {{nslcd}} service fails to start after the upgrade. To work around this issue, manually back up your {{nslcd}} configuration and restore it after the upgrade. 4.8.0 @@ -188,7 +188,7 @@ sudo kubectl set image deployment/netq-prom-adapter prometheus=docker-registry:5 4.6.0-4.8.0 -3429528 +3429528, 3588417 EVPN and RoCE validation cards in the NetQ UI might not display data when Cumulus Linux switches are configured with high VNI scale. 4.6.0-4.8.0