RIVERBED PRODUCT RELEASE NOTES

PRODUCT: STEELHEAD APPLIANCE RELEASE DATE: DECEMBER 31, 2012 RIOS VERSION: 7.0.5b CONTENTS 1) 2) 3) 4) 5) 6) 7) 8) 9) Supported Steelhead Models New Features in Version 7.0.5 New Features in Version 7.0.4 Fixed Problems Known Issues Upgrading RiOS Software Managing RiOS 7.0.5 with a Riverbed CMC Hardware and Software Requirements Contacting Riverbed Support

1) SUPPORTED STEELHEAD MODELS

Important: RiOS 7.0.x does not support any of the Steelhead xx20 models. It can only be installed on xx50 and Steelhead CX xx55 models.

2) NEW FEATURES IN VERSION 7.0.5

RiOS 7.0.5 adds support for Steelhead models CX5055 and CX7055.

3) NEW FEATURES IN VERSION 7.0.4

Web Proxy Auto-licensing
This feature enables the web proxy support for auto-licensing feature. This makes it possible for the auto-licensing feature to work in customer setup where the web proxy is configured. User can now supply the proxy details including the user-credentials using the Web Proxy CLI and the auto-licensing infrastructure will automatically use this proxy data while sending the requests.

TACACS+ users can change their password at login

If the TACACS+ server supports remote password change, it can initiate a change during login. After entering their username and old password, the Steelhead will prompt the user to enter a new password. It will then relay this new password to the TACACS+ server. Additionally, if supported by the TACACS+ server, users can send a password change request to the server by pressing return at the Password: prompt during login. After entering their current password, the Steelhead will prompt them to enter a new password. It will then relay this new password to the TACACS+ server.

4) FIXED PROBLEMS
Fixed in Version 7.0.5b

120209 Fixed an issue that resulted in a crash of the optimization service on the client-side Steelhead when an SMBv2 predicted open on a file handle by client-side Steelhead was responded after a lease break notification on that handle.

Fixed in Version 7.0.5a

119528 Fixed an issue where DSCP markings were not reflected on the optimized channel until data was sent in that direction. This was visible when using unidirectional protocols or on initial ACK packets sent before data. 122331 Added a hidden CLI command to change the size of store partition to expected size. Additionally added a fix so that new machines being shipped do not need this CLI command and are correctly sized when shipped from factory.

Fixed in Version 7.0.5

74906 Fixed an issue where TACACS user credentials could not be used for VMware console logins on 32 bit appliances. 80555 Fixed a Steelhead reboot caused by a rare kernel bug where the symbol "filldir64" shows up in the kernel stack trace in the system logs. 97398 Added support for Steelhead CX5055 and CX7055 102613 If QoS rules specify that DSCP values should be reflected from the client to the server connection, the initial packets in the TCP connection would not have their DSCP value properly set. This defect was fixed by using the DSCP value received the server side Steelhead appliance when connecting to the server. 111414 In some rare conditions, the Steelhead 7050 can unexpectedly reboot with "General Protection Fault" message.

111698 Fixed a rare condition that can cause a Steelhead appliance to become unresponsive by changing internal parameters to reduce the memory use of model 150, 250, and 550 Steelhead Appliances and virtual Steelhead appliances. 114761 This issue may occur for encrypted Outlook Anywhere (eMAPI-OA) traffic via port 443 if the client-side connection forwarding is enabled and an in-path rule for port 443 has been enabled without a pre-optimization policy. In this scenario the Steelhead will not be able to identify these connections as Outlook Anywhere and will perform no optimization. This fix resolves the issue so that all eMAPI-OA connections are properly identified and optimized. 115710 Fixed an issue that resulted in a crash of the optimization service on the client-side Steelhead when the SMB2 optimization feature was enabled and a client issued a close request for a file located on an SMB2 share that had been asynchronously marked for disconnect. 117078 Fixed an issue that occasionally caused a 500 error when logging in to the web interface. This error was seen only when the TACACS+ server configured was unreachable.

Fixed in Version 7.0.4

92015 Fixed an issue in the qos code that caused the steelhead to incorrectly print the error message which said "navl_conn_init failed:" in environments where there is packet ricochet from one in path interface to another. Affected connections would not be classified properly by the AppFlow Engine. 99169 If a CMC disconnects from a Steelhead appliance in the middle of an operation, such a push, the operation fails to resume in RIOS versions 7.0.1 and above. Also the "show cmc" command was not displaying anything for the address/hostname of the managing CMC in those same versions. Both issues are fixed. 101471 Fixed an issue of high CPU utilization of winbindd by first removing Samba database files prior to the first launch of winbindd after an upgrade if the Steelhead appliance is joined to a domain. 101506 Fixed an issue with HTTP optimization where the Strip-Auth-Header feature may cause Internet Explorer to fail to display a web page when the server employs NTLM authentication. 102173 Fixed a rare issue that causes the client-side optimization service to crash if NFS optimization is enabled.

103022 Fixed an issue which resulted in Windows servers reporting a DoS attack from the Steelhead for CIFS prepopulation traffic. A new command line option is available that will allow tuning the percentage of maximum number of outstanding requests that will be available to CIFS prepopulation operation. %prepop settings max-mpx-pct <10-100%> A value of 70% is set by default. Customers can tune this value to a percentage that will work on their environment, typically 40% to 60%. %show prepop settings Displays the max-mpx-pct value currently set.

103107 Made a change to reduce the occurrence where a low memory condition caused the memory paging alarm to trigger in SH1050L/M appliances. 105286 Fixed the network interface list in the Health Check Duplex Test to not show interfaces that cannot be tested. 105606 Fixed an optimization service crash due to reused keys in the FTP blade. 105679 Fixed an issue that resulted in a crash of the optimization service on the server-side Steelhead when the SMB2 optimization feature was enabled and a client issued a close request for a file located on an SMB2 share that had been asynchronously marked for disconnect. 106143 Updated the interface list in the Duplex Test on the Health Check page to exclude WAN and LAN interfaces, which are not valid for testing. 106238 Resolved an issue that resulted in a crash of the optimization service when SMB2 optimization was enabled and a ReadRequest was canceled while waiting on decode. 106317 Fixed an issue that caused save-as operations on optimized SMB2 connections to fail. The code responsible for handling find requests was failing to adjust the search pattern if the client restarted a find operation for a single filename. This resulted in a find operation for a single filename receiving a complete directory listing starting from the beginning of the directory, regardless of whether a file with that name existed or not. The fix has been made to reopen the find operation with the client's search pattern if we need to forward the client's find. 106456 In rare instances, the SSL server handshake is extended beyond a single packet and was causing an optimization service crash. After the fix, the optimization service bypasses SSL optimization for these connections. 106980 Patched ASN.1 vulnerability in openssl library (CVE-2012-2110, CVE-20122131) 107008 Fixed a case where running the peer reachability test can lead to high CPU usage.

107058 Fixed a crash in the connection forwarding code observed during service shutdown 107095 Clients which use DSCP marking to shape traffic throughout the network may inadvertently cause an excessive number of connections to be created between two Steelhead peers. This is due to a defect in determining if a pre-existing connection between peers is a suitable match. These additional connections do not count towards connection limits on the Steelhead appliance, but do waste small amounts of memory for each open connection. Over time this can lead to memory pressure alarms on the appliance that are not cleared even when all traffic has been stopped. 107130 If encrypted MAPI is optimized in delegation mode it will leak ~500 bytes of memory for every connection during the connection setup. This fix will now correctly handle the encrypted MAPI connection setup and no longer leak this memory allocation. 107234 Fixed a crash in the connection forwarding code that was observed while disabling or restarting service. This crash occurs only if connection forwarding is enabled but no neighbors are configured for the steelhead. 107279 Fixed a memory leak in the server-side component of the HTTP End-to-End Kerberos component. This leak caused an internal module to take longer to process data, which led to the Steelhead appliance reporting CPUSTATE_SEVERE log messages, even though no alarms were raised. 107355 The MAPI optimization service keeps internal lists of MAPI request/response details. If Exchange returns a "busy" error status during attachment download, the MAPI optimization will try to resend the download request, but fail to clean up the internal lists. This will lead to memory leaks as long as Exchange returns the busy error status and could result in memory admission control. The fix will limit the maximum size of the internal lists and close the MAPI connection if the maximum size is reached. 107640 If Exchange returns an error status stating it is busy or overloaded, the MAPI optimization service will no longer retry the download indefinitely. Previously the MAPI optimization had no limit on the number of retries and would increase its allocated memory. The fix will limit the retry attempts and then close the connection. This will free resources on Exchange and prevent the Steelhead from running out of memory." 107874 Fixed an issue with HTTP optimization where a connection may be dropped if all of the following conditions are met: (1) the HTTP response is chunk-encoded and has an excessive number of chunks, (2) the Client-side Steelhead is running 6.5.4, 6.5.5, 7.0.1, 7.0.2, or 7.0.3, (3) the Server-side Steelhead is running pre-6.5.4, or pre7.0.1. 108244 We now do not set the prihw device on a Steelhead appliance to promiscuous mode in order to avoid potential primary interface hangs.

108421 Fixed race condition in CIFS prepopulation service, which could potentially cause rcud crash. 108452 A defect was fixed that adjusted the LAN socket buffer settings when the WAN socket buffer settings were adjusted. When the WAN socket buffer size was quite large, this could cause the Steelhead to buffer large amounts of data on the LAN and trigger TCP memory admission control. 109546 Fixed an issue that would cause errors in the system logs such as "[web.ERR]: web: global name 'pathPrefix' is not defined" after viewing the Health Check report webpage on a Steelhead appliance. 109965 Fixed an issue where QoS settings like the Class Filter Name may be reset to 0 after an upgrade between 7.0.x RiOS versions. Fixed an issue where default inbound QoS class should be configured if the class stored in the configuration db is invalid. Fixed an issue where HSFC classification may enter into an infinite loop. 109968 Fixed an issue that occurred when upgrading a Steelhead 1050 under the following conditions:

Product is a Steelhead 1050-L or 1050-M being upgraded to a Steelhead 1050-M or 1050-H Upgrade adds new hard disks Steelhead is running RiOS 6.5.5 or 7.0.3

Symptoms: After adding the required hardware, installing the upgrade license and selecting the new model, the device reboots (expected), but comes back up as the previous model with the optimization service stopped and the datastore in a degraded state. 110910 Fixed an issue where installing the MSPECHWUP<X> license on the licenses page did not make the X model selectable even if the hardware meets the spec. This affects the Steelhead 1050 and 5050 series of models. 111225 For 1050H models with newly added disks, RAID initialization is delayed until the new disk has been fully setup. 111698 Fixed a rare condition that can cause a Steelhead appliance to become unresponsive by changing internal parameters to reduce the memory use of model 150, 250, and 550 Steelhead Appliances and virtual Steelhead appliances. 111987 Fixed an issue that kept initial CIFS pre-population syncs from finishing successfully due to locked files. 112784 Fixed an issue that would result in a crash of the optimization service if the optimization service was shut down while an optimized SMB2 connection had requests outstanding.

113295 Fixed an issue where a hardware model upgrade cannot be activated after a reboot if the MSPEC license and hardware upgrade license were installed prior to the reboot. 113679 Enhancement to increase the outgoing optimized traffic bandwidth limits on the following models: CX1555, EX1160VH, and EX1260VH. 114397 Fixed the log message "unknown structure in ext SpliceSetupInfo:..." 116015 A defect was fixed that caused the configuration for WAN socket buffer settings to be ignored when either full or port transparency was enabled. For only these transparent connections, the amount of data that could be buffered was reduced leading to a potential degradation in WAN performance. 116019 A defect was fixed that prevented SCPS from being negotiated between Steelhead appliances when transparency was enabled. 116020 A defect was fixed that caused the configuration for the out-of-band keepalive values to be ignored when either full or port transparency was enabled. In these circumstances, the Steelhead appliance would not notice as quickly if its peer is unavailable.

Problems Fixed in Version 7.0.3a

66684 Backed out MAPI enhancement code to prevent sport crash bug 107745. 106928 Support for Steelhead 150 model, and updated SH 250 model specifications. 107168 Support for Virtual Steelhead 150 model, and updated Virtual SH 250 model specifications. 107548 Fixed an issue that caused no TCP dump files to be visible when connecting to the Steelhead's embedded shark using Cascade Pilot. 107903 The fix will identify all FCIP sessions uniquely and prevent the Rios log messages "expected seq_cnt 12 got 20". The environments that use IBM GlobalMirror may benefit from this fix by observing a slight improvement in data reduction.

Problems Fixed in Version 7.0.3

23560 Fixed an issue that results in the inability to optimize a connection and the error message "Peer sport id is the same as mine!'. This error occurs when the same IPs and ports are used to initiate and accept connections in quick succession. 43888 Fixed an issue that led to an incorrect tracking of memory attributed to symlinks in the NFS optimization feature. This issue resulted in an error log of the form: "no links are being stored but there is memory attributed to symlinks". 50976 Fixed a rare issue where the optimization service crashed if NFS optimization was enabled and the number of bytes specified in the NFS write reply from the server was more than the amount given in the corresponding write request. 7

59016 When primary and backup Steelhead appliances are configured using fixed target rules, we did not connect to the backup when the primary is down causing all the connections to pass through the box. This fix addresses the issue and the connection to the backup Steelhead is now successful. 63684 Fixed a sport process crash caused by a null pointer dereference in the FTP optimization module, resulting in restart of the optimization service. 69516 Fixed an issue that RiOS logs the following error messages in some cases: [mgmtd.ERR]: md_rbt_get_top_talker_stats(), md_rbt_stats.c:2598, build 156_9: Error code 14001 (unexpected NULL) returned. This error is benign. 75195 Fixed a problem where an HTTP POST request data is delayed from reaching the server, which could lead to connection timeouts. Both the client-side and serverside Steelhead appliances must be upgraded to correct this issue. 86248 Fixed an issue where optimization of SMB-signing or Encrypted MAPI connections in delegation mode resulted in excessive DNS lookups being made to determine and resolve the Key Distribution Center (KDC) of the domain. 87670 QoS Marking status will be displayed in the output of the CLI command "show qos classification". 88509 Fixed an issue that resulted in a crash of the optimization service in Smb2::ClientParser::process_LeaseBreakRequest() if the SMB2 optimization feature was enabled. The crash could occur if the SMB2 optimization module had entered a shutdown state for a given connection and an SMB2 share was then mapped by that connection. 88610 Fixed a problem in editing ICA rule in advanced qos. 88666 Fixed the error message displayed on the CLI when the protocol field specified in the command "qos basic classification global-app" is invalid. 89133 When the steelhead with QoS enabled is configured to operate in an out-ofpath deployment, an error message may be captured in the log file with the following string "[intercept.ERR] intercept ioctl 0x40047a14, uninitialized device 0". This message does not affect the appliance operation and has now been removed. 89873 Fixed a case where CMC policy push causes steelheads to blacklist each other, preventing SSL optimization from occurring. 90154 Fixed an issue where the CLI command "show running-configuration" will generate an invalid CLI command when a QoS class with "packet-order" queue type is present. The problem is fixed by removing the "conn-limit" parameter from the generated command. 90851 Addressed an issue where Inbound QoS was not classifying flows with incoming GRE encapsulated UDP fragments. This issue applied only when the Steelhead was configured in virtual-inpath (WCCP) mode.

91688 Fixed an issue that may cause unhealthy thread warning messages like "One or more threads not responding after at least 16s; unhealthy threads follow" to appear in the log during an image install. 92015 Fixed an issue in the qos code that caused the steelhead to incorrectly print the error message which said "navl_conn_init failed:" in environments where there is packet ricochet from one inpath interface to another. Affected connections would not be classified properly by the AppFlow Engine. 92146 Fixed a problem that caused Outlook to stop receiving new emails from the Microsoft Exchange Server. Problem may occur after sending an email with an attachment that would lead to the optimization service losing synchronization with the Exchange server. 93712 This issue is fixed by monitoring the on-board NICs bypass state and interface link, and restarting auto-negotiation if the NIC interface gets stuck in bypass. 93954 Fixed an issue which shows system log errors such as "Invalid model for PFS " and sometimes prevents the device's configuration from being reverted while using the "keep-local" option. 95529 Refreshed the SSL CAs with the most up to date root and intermediate certificates from IE(9.0.3), Firefox(8.0), and opera(11.52) 95657 Additional alarms information, including the alarm hierarchy, table, statistics and the config override cache, can now be found in file alarmd_info.txt in the System Dump (Reports > Diagnostics > System Dumps). 95684 Fixed an issue where a zero-byte SMB2 write request on an optimized connection could cause a crash in the optimization service if it specified a data offset beyond the end of the message. The fix prevents us from trying to remove the write data from zero-byte write requests. This type of write request may be issued by certain port scanners. 96002 All connections between Outlook and Exchange might end up un-optimized if the connection from the client-side Steelhead to the server-side Steelhead has failed once for any reason even if that reason has been resolved afterwards. This issue is now fixed and the connections will be optimized. 96214 Fixed uncommon problem where the users are unable to login via the web interface after a system start or restart due to a race condition that caused the system swap to fail to initialize. 96357 The following commands are deprecated as of RiOS 7.0.3:

[no] protocol http stream-split [Silverlight | flash] live enable

Added new CLI command that will enable/disable stream splitting for all video formats:

[no] protocol http stream-split live enable

96599 Fixed an issue that caused the following warning message to incorrectly appear in the log during Virtual Steelhead startup: MSPEC license has expired or been removed. Terminating sport. 97104 Fixed a problem where it can take minutes for a cancellation of an RSP HA operation to complete if the connection between two Steelheads is down. 97306 Fixed a race condition that caused some connections in the process of being setup when the Steelhead entered Admission Control to be passed through instead of optimized. 97599 Fixed an issue where the SMB2 optimization feature was not properly processing SMB2 Notify responses. When Notify responses indicated that a watched directories' content had changed, the Steelhead would incorrectly identify whether the affected files were cached. The fix now correctly clears cache information for the changed items. 97707 Fixed in an issue which caused some files to be synced during CIFS prepop even when they didn't meet the specified filename regex policy criteria. 97709 Restricted number of CIFS Prepop policies to 10 and rules in each policy to 6, as an unlimited number of policies and rules can make the policy feature unmanageable. 97714 The default scheduled sync operation for CIFS prepop is an incremental sync which only transfers new and modified files. The following new CLI command has been provided to transfer all files during the sync operation for a given prepop share: prepop share modify remote-path <SHARE_NAME> full-interval <TIME_IN_SECONDS> 97869 Fixed an issue where FTP optimization can fail when parsing PASV responses without parentheses. 97921 Fixed a problem where IP packets would be dropped with default configuration of RiOS packet-mode optimization under one of the following conditions:

Any IP packet's length is larger than 1968 bytes, or RSP or VSP is enabled, and Length of reassembled IP fragments is larger than 1968 bytes. This condition would have resulted in the following error level log message at the data receiving Steelhead: "Packets will be dropped: Attempt to write buf exceeding frame size. Available frame size = x, pkt size = y where x is the space available in bytes in a frame and y is the length of the packet dropped in bytes.

10

98043 In some cases, Outlook Anywhere transported over an HTTPS connection cannot be optimized unless an In-Path rule with a pre-optimization of SSL is used. Without such an In-Path rule, Outlook Anywhere connections will not be recognized as SSL-type connections and the optimization service will see the encrypted data. This fix will correctly recognize Outlook Anywhere connections over HTTPS as SSLtype connections. 98257 Fixed an optimization service failure issue that could occur if a Steelhead was optimizing many MAPI connections and many of those connections were simultaneously closed. This most commonly occurs when the system is shutting down. 98263 Fixed an issue with QoS where a site's bandwidth can't be set to 0.01% of the interface rate. 98338 The optimization service can crash when encrypted MAPI connections are being authenticated. If the Kerberos authentication request from Outlook is not responded to by Active Directory in a timely manner, Outlook may send another authentication request. If the MAPI connection is closed while the initial authentication request has not been answered, the optimization service can crash. This fix will detect this situation and properly close the MAPI connection. The client IP address is blacklisted for 24 hours to prevent future failures, as usually this situation results from wrong MAPI configuration of the Steelheads. 98372 Benign log errors from the process "virt_wrapperd" could appear when shutting down an appliance with many RSP slots installed. 98842 Fixed memory leaks that happen when a site is edited in Basic QoS mode. 99306 Fixed a problem where Primary interface stats are displayed as zero. 99314 Fixed a problem where a QoS rule that uses the SIP protocol to classify and control SIP traffic could result in a crash of the DPI process (qosd) when a specific message format is processed. When this occurs, there is no impact to optimized connections. 99342 Fixed an issue where the Steelhead SMB2 optimization feature would incorrectly return STATUS_NO_SUCH_FILE for find requests using non-star wildcards. The fix involved correctly identifying the wildcard characters and allowing the server to respond to those requests. 99461 Enhanced the behavior of the SMB2 optimization file data cache to ensure that cached read data is not used in scenarios when there are unknown IOCTL operations for a given file. 99536 Fixed an optimization service failure that could occur when an optimized SMB2 client is notified of a directory deletion when the SMB2 cache on the Steelhead contains a node for one of the directory's children with no handles. 99624 Resolved an issue where, in some cases, the Dataflow page would fail to display any data after a configuration was switched or reverted. 11

99637 Fixed an issue where the client-side Steelhead could experience a crash of the optimization service due to an unhealthy thread while optimizing an SMB2 connection. The unhealthy thread warning is issued because the SMB2 garbage collection process could potentially enter an infinite loop if the garbage collection began at the second share in our list, the second share was no longer in use, and there were less than 1000 nodes in the cache that could all be freed. 99808 If a MAPI connection is created just prior to admission control, the optimization service can crash once the Steelhead enters admission control. This is an unlikely event, since it depends on a specific timing of events during the Steelhead's transition into the admission control state. The fix will prevent the crash by changing the internal order of processing connection setup. 99924 Eliminated a theoretical security vulnerability in JavaScript code related to Adobe Flash. 99931 The message is "[hald_model.WARNING]: Exit with code 1 from /opt/hal/bin/hwtool.py". The message is harmless and related to permissions issues when checking certain systems at CLI startup. The warning should no longer appear. 99997 The log message "Received request to enable AsyncEvent" was incorrectly logged at the Error level. This message is now correctly logged at the INFO level. 100131 Connection detail reports for Optimized connections always showed the retransmitted packet count as 0. The fix entails correct accounting of the retransmitted packet counts. 100132 rsp slot * backup restore ? now lists only the relevant backups for the slot. 100148 When a MAPI-PREPOP connection is closed on the client side Steelhead it will produce an "Inner channel down prematurely, peer probably down; requesting shutdown" message on the server side Steelhead, because it is not closing the connection correctly. This message usually indicates network problem on the WAN connection, which is not the case for MAPI-PREPOP connections. This fix will close the MAPI-PREPOP connection correctly and prevent output of the misleading message. 100160 Fixed the RSP service alarm so that it does not trigger than RSP service is enabled or disabled. 100166 Fixed an optimization service crash that occurs when the Extended Peer Table feature was enabled and invalid data was detected on the storage device. 100269 Fixed a problem where Lotus Notes attachments would fail to be sent to server. This is most likely to happen in server-to-server push replication where the attachment write size is very large and/or there is delay between the server-side Steelhead appliance and the server receiving the attachment. 100276 Upgrades will not add new default NTP servers if the old default NTP servers were removed.

12

100368 Fixed an issue where SMB-signing optimization fails when an OS X client connects using Kerberos authentication and the Steelhead Kerberos authentication support is enabled. 100557 Fixed an issue where the link status of the primary interface is yes after primary is shutdown from CLI. 100576 The password for the Lotus Notes server file is no longer logged, regardless of logging level. 100636 Fixed an issue which prevented the user from specifying a max-sync-size value larger than 2GB for a CIFS prepop share. 100664 Fixed an issue where the Steelhead will not send disk pressure changes when working with Interceptors with Fair Peering v2 and pressure monitoring enabled. 100779 Fixed an issue where SMB-Signing optimization fails to obtain a Kerberos ticket in Delegation Mode for a server that has recently changed its machine password in Active Directory. 100812 Fixed an issue that resulted in SMB2-Signed connections getting blocked if the domain controller was unavailable when the end-to-end Kerberos authentication feature was being used. 100923 If the QoS bandwidth configured is greater than that of the model-specific limit, disallow this configuration and return an error. Please note that the sum of the bandwidths configured for all interfaces on which QoS is enabled needs to be less than or equal to the model-specific bandwidth limit. 100985 Fixed a race condition where the optimization service was referencing a certificate that was being modified or deleted. The solution was to defer certificate updates during a brief critical region when incoming connections are accepted. 101032 Fixed a kernel panic on 32 bit SH like 250 or 550 when both Netflow and RSP are enabled. 101147 Allow DHCP enabled interfaces to be configured as listen interfaces for SNMP server and SSH server. 101244 Corrected asymRouteError's definition from

OBJECTS { arcount } to OBJECTS { asymRouteCount }

101311 Fixed an issue where interface receive buffer size was not configured properly for some interface types, which may cause packet drops in certain high traffic situations. 101500 We have made system resources to be used more efficiently under high connection loads. Customers running near to connection admission control with certain workloads and who were experiencing TCP memory pressure alarms should now notice a reduction or elimination of the memory pressure alarms. 13

101569 Fixed an error during Citrix CGP(SR) session resume that cause certain versions of RiOS to process Citrix Reconnect payload incorrectly. 101615 Removed benign log messages that occur when we received a packet with source or destination mac address of all 0s, for example "Unable to update mac table with src address, skb src 00:00:00:00:00:00" These message were more common in Virtual Steelhead deployments, as ESX sometimes uses a source of all zeros. Since we printed a log message per packet, these messages could potentially flood the logs. 101741 Fixed a bug in the qos code that resulted in the steelhead marking a Syn/Ack++ and some reset packets with an incorrect dscp mark. The dscp mark that was put on the packet was for the opposite direction of the connection. 101767 Fixed a problem where Server-side Steelhead sends out UDPv4 optimized packets always out of inpath0_0 with packet-mode optimization enabled. This problem is seen when Server-side steelhead has multiple in-path interface pairs enabled. In cases where inpath0_0 is not enabled, packets will go out of the next inpath, for instance inpath0_1, essentially making packets to go out of only one inpath at all times. 101788 Fixed a memory leak that occurs when obtaining Kerberos tickets during the optimization of Smb-Signing and Encrypted MAPI in delegation mode. 101816 Fixed a problem where Lotus Notes clients could not connect to the server when encrypted Notes optimization was enabled and the connection matched an inpath rule with Data Reduction Policy set to "None". 101825 Fixed a problem where a small amount of memory is leaked on the serverside Steelhead appliance for every optimized encrypted Lotus Notes connection. 102019 Added boot-time options to fix time drifts on 64 bit virtual products 102104 The log message has been changed to correctly reflect the interface state. Previously: hal: Set interface mode to bypass successfully for port [0_0]. It now correctly states: hal: Set interface mode to normal successfully for port [0_0] 102377 Fixed a problem where a Steelhead running RSP could crash upon receiving fragmented packets out of order. 102380 Fixed an issue where Kerberos authentication support in HTTP optimization fails when the HTTP server resets its domain account credential. 102644 Added help text for the "qos classification site add" CLI command to indicate that a special value of 254 indicates that the DSCP value will be inherited from the service class. 102708 Fixed problem where a specific QoS rule's details on the Advanced QoS page would show "All" in the DSCP field even though the actual value was set to something different. This would occur for certain DSCP settings. 102717 The bug fixes an invalid assertion during the check for memory range.

14

102855 Fixed an issue that prevented the optimization of SMB2 connections to an EMC-Celera filer when SMB2-Signing Optimization was enabled but the server did not require Signing. 102960 Fixed an issue where the hardware LED color could be incorrect until another change of health. The health state on the UI and CLI would have still been correct. Now the LED correctly reflects health state. 103003 HTTP video optimizations are now controlled by a single checkbox. This consolidates Flash and Silverlight stream splitting. 103022 Fixed an issue which resulted in Windows servers reporting a DoS attack from the Steelhead for CIFS prepopulation traffic. A new command line option is available that will allow tuning the percentage of maximum number of outstanding requests that will be available to CIFS prepopulation operation.

%prepop settings max-mpx-pct <10-100%> A value of 70% is set by default. Customers can tune this value to a percentage that will work on their environment, typically 40% to 60%. %show prepop settings Displays the max-mpx-pct value currently set.

103039 Fixed an issue that caused the client-side optimization service to crash if it received a malformed SMB Notify Change response while CIFS optimization was enabled. The fix causes latency optimization to be disabled upon receiving a malformed response and an SMB_SHUTDOWN_ERR_MALFORMED error message is logged. 103088 Fixed the way the system LED information was queried on the EX1160, EX1260 and CX1555 series appliances. 103197 Fixed a problem where, due to a rare race condition, a Steelhead running RSP could crash upon receiving fragmented packets. 103238 Fixed an issue which allowed an unbounded amount of data to be cached for optimized SMB2 connections when the names encoder is overwhelmed. This would lead to a crash of the optimization service due to out-of-memory (OOM) conditions. This is most likely to occur with high-speed links. 103265 Fixed issues where Steelhead with RSP enabled may reboot while handling a connection with fragmented packets. 103273 Provided new CLI commands to allow support for Auto-Delegation Mode in Active Directory environments that require encrypted-LDAP communication. The following CLI commands may be used to configure encrypted-LDAP support: protocol domain-auth encrypted-ldap enable 103337 Added CLI commands "show rsp images checksum" and "show rsp packages checksum" to show the MD5 checksum values for RSP images and packages. 103347 Fixed a problem where a Steelhead attempts to optimize both multicast and broadcast packets when packet-mode optimization is enabled. 15

103366 Fixed an issue that resulted in a crash of the optimization service when SMB2 optimization was enabled and a create response sent by the server for the root share did not have the directory bit set. 103370 In certain cases, NFS/CIFS read requests can create large chains of requests which can add significant delay in processing packets and events. Once the optimization process detects a high delay, it will restart itself. This bug fix resolves the issue by eliminating the traversal of the list of requests. 103459 Fix a rarely occurring issue with on-board, primary & aux Intel Ethernet controllers 82574/82571 using e1000e driver that triggered false Tx hang when the link speed was set to 100Mbps. 103604 Fixed an issue that caused the optimization service to crash when an unexpected packet was encountered while using native Kerberos support in http protocol optimization. 103681 fixed an issue which resulted in LAN bound packets not being properly classified for QoS when virtual-inpath RSP was enabled 103693 System Detail Reporting Alarm has been disabled by default. User can enable it when needed. 103876 Added functionality to resolve the condition where SRV lookups return unroutable KDCs by providing CLI commands to allow hardcoding of KDCs for individual domains. The Steelhead will contact the hardcoded KDCs directly without doing DNS SRV lookups. 103994 Fixed a condition where users may see an average connection count larger than the peak connection count in connection history page. 104021 SSL private keys are no longer logged when the "Import Existing Private Key and CA-Signed Public Certificate" feature is used. 104027 Fixed an issue that resulted in a crash of the optimization service when SMB2 optimization was enabled and the server returned an invalid create action in response to a create request on the root of an SMB2 share. 104047 Fixed an issue in the way KDC lookups are done and validated that can potentially lead to longer delays in connecting to a valid KDC, thereby causing optimization of Encrypted MAPI and SMB Signing connections to get suspended. 104126 Added software support for new 4-port copper bypass card 410-00047-01 used on CXxx55 and EXxx60 models. 104411 On Steelhead EX, disks can be repartitioned to allow Granite and VSP to use different amounts of storage. An alarm will now be triggered if a profile switch to perform repartitioning is unsuccessful. 104505 This addresses the issue where a virtual steelhead configured with a hardware bypass card sees the log line: " /opt/hal/bin/hal: line 129: /opt/hal/bin/vm/vsh_bypass_init.py: No such file or directory ". 16

104680 Fixed a problem with packets getting dropped by the Management Inpath interface function when they are received on the WAN interface with WAN mac addresses. 104797 Add a default access rule to always allow incoming WCCP packet when WCCP is enabled. 104818 Fixed an issue with CIFS prepop shares which causes error messages of the form [rcud/fsutil/.WARN] - {- -} Dir list has error for [/proxy/<PREPOP_SHARE_PATH>] 105247 Fixed an issue which resulted in an empty directory listing even when there were files that matched the requested pattern for the directory listing if the SMB2 optimization feature was enabled with idle for optimization. 105504 Fixed an issue where TCP Westwood wasn't performing optimally in some cases. 105631 Fixed an issue which caused an SMB2 connection to hang on the client-side steelhead if SMB2 optimization was enabled and the request to get file security information failed on the server. 105797 Fixed an issue that could result in a crash of the optimization service when optimizing an SMB2 connection if a notification indicating an expired directory was deleted that we still have handles for the children. The optimization service crash is avoided by ensuring the necessary state always exists rather than attempting to remove it when its unnecessary. 105990 Fixed an issue where logging into the CLI on a xx55 or xx60 model before the Steelhead is licensed may take a long time to get to the command prompt.

Problems Fixed in Version 7.0.2c

92146 After sending an email with an attachment Outlook may no longer receive updates from Exchange. New emails in the Inbox will not show in Outlook. This happens because the optimization service can lose a request/response while sending an attachment, which Outlook will wait for, but never receive.
If, after the fix, the optimization service encounters difficulty completing a request/response, it will reset the connection so that new emails are successfully delivered to the inbox.

103022 Fixed an issue which resulted in Windows servers reporting a DoS attack from the Steelhead for CIFS prepopulation traffic. A new command line option is available that will allow tuning the percentage of maximum number of outstanding requests that will be available to CIFS prepopulation operation. The commands are:

17

%prepop settings max-mpx-pct <10-100%> A value of 70% is set by default. Customers can tune this value to a percentage that will work on their environment, typically 40% to 60%. %show prepop settings Displays the max-mpx-pct value currently set.

103197 Fixed a problem where, due to a rare race condition, a Steelhead running RSP could crash upon receiving fragmented packets. 103265 Fixed issues where Steelhead with RSP enabled may reboot while handling a connection with fragmented packets.

Problems Fixed in Version 7.0.2a

98257 The MAPI optimization service keeps an internal list of MAPI connections and details of the Outlook client. This list can grow over time if many different Outlook clients are optimized. When a MAPI connection is closed the list is traversed to print a summary of currently open MAPI connections. If a Steelhead is optimizing many thousands of MAPI connections, traversing the list can take a long time. If many MAPI connections are closed at the same time, traversing the list can take longer than 30 seconds, which will alert a service watchdog. This is more likely to happen during optimization service shutdown, as at that time all MAPI connections are closed. This fix will avoid delays during MAPI connection shutdowns. 104126 Added software support for new 4-port copper bypass card used on Steelhead CX xx55 and EX xx60 models. 104505 This addresses the issue where a virtual Steelhead configured with a hardware bypass card sees the log line: " /opt/hal/bin/hal: line 129: /opt/hal/bin/vm/vsh_bypass_init.py: No such file or directory ".

Problems Fixed in Version 7.0.2

76458 This features makes available hardware based fail-to-wire/fail-to-block capabilities for virtual steelheads running on ESXi 4.1 hosts with qualified Riverbed bypass cards installed. The configured failure mode will be triggered if the ESXi host loses power or is unable to run the Virtual Steelhead guest, or if the Virtual Steelhead guest is powered off, or if the Virtual Steelhead guest experiences a significant fault (utilizing the same logic as physical Steelhead appliances). Currently qualified Riverbed bypass cards are P/N NIC-001-2TX (2 port copper gigabit) and NIC-002-4TX (4 port copper gigabit). A special ESXi bypass driver, available from the Riverbed support site, must also be installed on the ESXi host. 102230 Fixed a memory leak issue taking place when HTTP parse-and-prefetch optimization is enabled.

18

102625 Deprecated the Virtual Steelhead datastore zero CLI command and alarm. 102630 Added RiOS CLI commands remote access enable and no remote access enable to enable/disable remote management port access. Also added an additional line to the output of show remote ip to show the access status of the remote port. 102634 Fixed a memory pressure issue taking place when HTTP optimization is enabled with OPT and Gratuitous 401 in conjunction with Codec flow control. 103060 Fixed an issue where show hardware all shows system LED color to be orange instead of red when the system is in critical state on models CX1555, EX1160 and EX1260.

Problems Fixed in Version 7.0.1

32364 Fixed a problem where the optimization process will not start if its configuration file is too large. Creating more than 300 in path rules can cause this issue. 38156 Added Kerberos port (88) to default secure port label 38239 The limits for the MTU (Maximum Transmission Unit) are now consistent between the CLI and web interface. 55692 Fixed a rare bug in the SMB optimization feature that led to the crash of the optimization service on the client-side Steelhead. The fix will result in a termination of the offending SMB connection with the error SMB_SHUTDOWN_ERR_NULL_FILE. 56653 Added RTSPS port (322) and Operations Manager port (5723) to default secure port label 65078 The 'Peering Trust' and 'Bypassed Servers' reports have been enhanced to include the expiration time and error reason for each entry. Added a new report called 'splice policy' This report keeps track of connections that are not fully optimized due to reasons listed in the entry. 69585 Port label modifications can lead to an increase or decrease in the number of QoS rules. Currently, the code does not control the change in the number of rules when a port label is edited, which can lead to issues if the increase in the number of rules is substantial. The fix ensures that the system generates a warning if we exceed the safeguard limit after the port label is modified. 69587 Fixed an issue that caused a disk from not showing up in the RSP/Slots/Disk web UI or CLI when the disk name has a period before the ".vmdk" extension. For example "SOME.DISK.vmdk" 70646 When adding rules using CLI while qos is enabled and not specifying source/destination port an error message will be observed in the log file. The message doesn't affect the appliance operation. 71492 Fixed a QoS issue where the "show run" command reordered the QoS sites and rules 19

74919 Establish optimized connections for FTP and MAPI data connections using the results of the auto-discovery process for the preceding control connections. 76869 Fixed a problem where an improperly formatted chunk-encoded HTTP request could result in an unexpected shutdown of the optimization service on the serverside Steelhead appliance. The problem can be fixed by upgrading both the client-side and server-side Steelhead appliances. 79751 Fixed a problem where the optimization service stops unexpectedly when HTTP connections use chunked-encoded transfers. This would occur when the chunk trailer was split into its own packet in between Steelhead appliances on the widearea network. 81252 Enhancement that added an incident counter and a warning log message which reads "Dropping gre packet possibly due to a loop". This message is printed when a GRE packet is dropped due to the Time-To-Live field in the IP header reaching zero after it is decremented. This helps in detecting a possible loop in the network. 81361 Added checks to ensure the secure vault (containing needed credentials) is open on the server side steelhead before attempting to process encrypted MAPI traffic using end-to-end Kerberos or Kerberos delegation. 88327 Fixed an issue that increased memory consumption of the optimization service due to redundant caching of data structures used in encryption of optimized data over the WAN. 88572 Adding additional page validation checks during data store sync. A page that does not pass the validation is removed from the sync list. If the number of pages removed crosses a pre-defined threshold, Steelheads would re-sync the pages. 88751 Clarified the documentation to state that the ALL IP limitation applies to packet-mode optimization (UDP and IPV6) fixed-target in-path rules only. 91096 Fixed an issue where a server-side Steelhead in a connection forwarding setup attempts to establish an optimized connection when it receives a duplicate or retransmitted SYN+ before its connection forwarding neighbor(s) has acknowledged the connection. 92002 Fixed an issue where cached results of previous FTP and MAPI connections to a particular server were reused for subsequent connections to the same server without consulting the in-path rules table. 92667 Fixed an issue where the Steelhead reports different ingress and egress interfaces in Netflow records for optimized connections that have packet ricochet through the Steelhead. 94211 Fixed an issue that caused CLI to return an error message "% Internal error (code 1003)" after issuing a HTTP prepop start command, even though the prepop task was actually started.

20

94242 Fixed an issue where getting the delegated Kerberos tickets required for SMBsigning or Encrypted MAPI optimization failed if prior clock skew errors had been encountered. The first time that the clocks on the Steelhead and Domain Controller (DC) differed by more than 5 minutes, the optimization service calculated the difference and compensated for the clock skew. However, if the clock was reset on the Steelhead it would continue to incorrectly apply the prior time compensation when requesting Kerberos tickets, leading to a failure in that operation. 94306 Fixed a race condition that led to an optimization service crash after the Steelhead entered connection admission control. 94479 This solution ensures HTTP optimization is only triggered when enabled on both the client and server Steelheads. 94531 Fixed a crash in the optimization service when an SMB2 client tries to open up an invalid filename for a stream. The client makes requests for a filename where a stream name immediately follows a directory separator. Windows rejects this as an invalid filename, but NetApp allows the open as though the directory separator isn't there, which has been accounted for by adjusting the name on a successful open. 94808 Added a UI option to enable Flash Stream Splitting and renamed the original option to clarify that it controls Silverlight Stream Splitting. 94932 Fixed an issue where the primary interface remains physically up after being shut down. 94933 Added the ability to view total peak stats for all SRDF traffic on the general reporting page. 95127 Perform a check for sufficient disk space before allowing the installation of RSP images. 95137 Improved the error handling around MX-TCP QoS rules and the pass-through traffic type. MX-TCP rules can no longer be set to pass-through. 95481 Renamed CLI command "no protocol notes encrypt blacklist" command to "protocol notes encrypt blacklist remove-ip all", so it is consistent with "protocol notes encrypt blacklist remove-ip <ip address>". 95489 Fixed an issue that would incorrectly allow an optimized SMB2 client to reopen a newly created file it recently closed. If the file inherited access control entries on creation from its parent that would prevent a subsequent open using the same access mask, we would keep the handle open so long as all other idle handle criteria were met. If the client then re-opened the file within the idle handle timeout, we would allow the open to succeed. 95497 This patch invalidates HTTP domain name/relative path changes that do not satisfy the requirements. 95642 Fixed an optimization service failure that could occur when an optimized SMB2 client is notified of a directory deletion at the same time a file contained in that directory is closed. 21

95668 Fixed an issue that caused users with "Reports" RBM role unable to execute the CLI command "show connections". 95765 CIFS and CIFS-Signed traffic are now properly categorized in the statistical reports. 95863 Fixed an error message "Interface with index <id> not found" that could occur when updating the data flow VNI settings. 95871 This fixes a bug in 7.0.0 wherein the value of the Application field for an Advanced QoS rule could not be removed (by setting the field selection to "--"). 95899 Corrected an issue where the QoS interface rate was not displayed while showing the appliance configuration from the CLI 95987 Fixed an issue where SMB-Signed Transparent Mode blocks signed CIFS connection if the joined domain has NTLM disabled. The fix transparently blacklists and passes through the connection. 95989 Fixed a QoS Classification problem. Classification of more than 10,000 simultaneous optimized connections with DPI would fail with errors like "[qosd.ERR]: qosd_sport_connect_handler(), qosd.c:1484, build (null): Too many open files: accept." 95995 Fixed an issue that could result in Outlook clients repeatedly showing a password prompt to the user if encrypted MAPI optimization was enabled on the Steelhead and the attempts to authenticate the connection resulted in an error from the domain controller (DC). The fix involves properly categorizing the error codes returned by the DC to ensure that the encrypted MAPI connection is blacklisted and passed-through to the Exchange server in this scenario. 96049 Fixed an issue that caused "Domain Join Error" alarm, when triggered or cleared, to not generate email notifications. 96070 Fixed an issue that would corrupt the segstore segment containing the SMB negotiate request at the server-side steelhead when an SMB2 client that is blacklisted for optimization would negotiate protocols with the server. 96336 Corrected diagnostic message in the log file when pushing system configuration to the classification component. The destination subnet of the rule is logged incorrectly. This problem did not affect system functionality and does not require a workaround. 96421 Fixed a problem where the site bandwidth was displayed in the CLI while in Advanced QoS mode. In Advanced QoS mode the sites and rules are configured separately from classes. Therefore sites and rules do not have an associated bandwidth allocation. 96432 Prevent sites from being deleted if they contain non-default rules.

22

96541 Fixed a problem that could cause an optimization service crash while optimizing Outlook Anywhere traffic. If an error condition occurred when the Outlook Anywhere connection was closed the optimization service could crash. 96627 "Peer Mismatch" alarm is now aggregated into "Software Mismatch" alarm. 96637 Fixed cross-Site scripting vulnerabilities on the RSP Dataflow page, as well as a CRLF Injection vulnerability with the _fragment parameter. 96675 Enhanced the "protocol domain-auth test dns" command to check to make sure that the necessary DNS SRV records are present in the Active Directory Domain to which the Steelhead will be joined. 96691 Fixed an issue where email notifications would not be sent out for certain secure vault alarms when triggered. The affected alarms are secure_vault_rekey_needed and secure_vault_uninitialized. 96696 We now allow the user to disable the exporting of SSL Server Certificates via a button on the SSL Main Settings page. Once disabled, though, this change is irreversible for security reasons. 96708 Fixed an issue that caused "datastore_sync_error" alarm, when triggered or cleared, to not generate email notifications. 96712 Fixed an issue that caused the notification not being sent when "Non-443 SSL Servers" alarm is triggered. 96713 Fixed an issue that caused the notification not being sent when "SSL Certificates SCEP" alarm is triggered. 96743 Fixed an optimization service crash when the Extended Peer Table (EPT) feature was enabled and peer Steelheads or Steelhead Mobiles were disconnected from a Steelhead. 96822 Fixed an issue where there may be more than one smb_alert triggering emails (e.g. "DC communication failure" and "delegation user failure") but only one clearing email. 96914 Fixed an issue where Steelhead still goes into "Critical" state even after disabling "Optimization Service" alarm. 97015 Enhanced Optimization Service Status alarm notification emails to indicate the triggering reasons. 97084 Removed an error msg in the logs when adding/editing an invalid inpath rule. A warning message still remains to remind the user that the invalid rule they tried to add is invalid. The error message is like the following: "[mgmtd.ERR]: md_rbt_add_rule(), md_rbt_intercept.cc:1329, build (null): Required condition was not met" 97091 Fixed an issue where adding a global application from the CLI without specifying the protocol returned and "Internal Error."

23

97098 Generate ICMP packet-too-big error messages when trying to pass through IPv6 packets that are larger than the MTU of the in-path interface. 97136 Fixed an issue where certain factory installed licenses were removed when executing the "reset factory" CLI command. 97198 Fixed an issue where the RAID alarm would trigger, but no email or SNMP trap would be generated. 97199 Fixed an issue that caused RSP errors when making a backup of a powered off HA cloned VM. 97209 When a disk partition is full and an alarm is raised, a user will not receive email or SNMP trap notification. 97295 Fixed an issue that an RBM user with "Reports" role was unable to execute the command "show packet-mode ip-channels". 97323 Fixed an issue where Delegation Mode times out SMB2-Signed connections when constraint delegation fails to authenticate with the server. The fix limits SMB2Signed Delegation Mode to a maximum of three failed attempts before blacklisting and passing through the connection. 97414 Disabling SRDF on the Configure > SRDF page by unchecking "Enable SRDF" and clicking on Apply would cause a "No ports provided." error message to appear, and also delete the contents of the "SRDF Ports" field. This error message shows up when it is not needed, and this bug does not prevent the user from disabling or enabling SRDF. This problem also occurred with the "FCIP Ports" field on the FCIP page. 97512 Fixed a memory leak in the QoS configuration management code 97676 Some ioctl requests may affect the content of a file's meta data. When steelhead s encounter such requests it is not safe to reply on cached metadata, so they invalidated it. The FSCTL_READ_FILE_USN_DATA does not have such a result, but was formerly not identified as "safe." This change now includes this request among operations that will not invalidate cached metadata. 97740 Fixed a problem where defining bandwidth policy in Basic QoS mode an error 1003 is displayed if dscp_out parameter is not specified. 97793 Fixed an issue that caused speed and duplex changes to fail on the 2 Port 100BASE-FX/1000BASE-LX Fiber Network Bypass Card 410-00107. 97839 Fixed an issue that could cause sport main thread to become unhealthy and result in stack dump and message like the following in the log: "sport[26148]: [eventthread/watch/mgmt_debug/8.WARN] - {- -} watcher: EventThread(main)[LWP 26148] 0x24fb800 is not healthy".

24

98061 Fixed an issue that causes an optimization service failure on the server-side Steelhead in an optimized SMB2 connection when multiple simultaneous closes for a handle are sent when there are in progress operations that need to complete before the close. 98116 If the port labels are used in any of the QoS classification rules, they may potentially expand the rule count beyond the limit allowed on the appliance. This patch ensures that the limit applies to the rules before port label expansion 98181 Fixed an issue where the "ip flow-export" in "show run" output could be out of order and resulting in error messages when pasted back into a Steelhead. 98253 Fixed a memory leak which occurred when attempting to install a license which was already installed on the appliance. 98335 Restored the public key authentication method for SSH, which was affected by a recent change to the interaction between SSH and PAM library. 98353 Model numbers SH100, SH50, SH200 are no longer supported in RiOS 7.0.x. 98574 There are certain IOCTL operations that may modify the contents of a file on a server. When a steelhead encounters such an operation it will now invalidate any cached data it may have stored for the affected files. 98884 Fixed an issue where Auto-Delegation updates in Active Directory are not performed if all the Domain Controllers specified during the domain join operation are configured via their IP address instead of their hostname. 98940 Fixed an issue where ethtool reported speed & duplex on FX/LX NIC 41000107 even when the interface was down. It now reports unknown/unknown. 99037 Fixed a problem where servers are blacklisted from receiving optimization for encrypted Lotus Notes traffic when a user's internet certificates have been updated. 99261 Fix a race in flush pages and making the pages dirty. 99345 Fixed an issue where the memory usage by mgmtd process would continually increase when viewing SRDF reports. 99669 Restore fragmentation of the egress pass-through traffic in RSP mode. 99795 Fixed the issue which resulted in a memory leak if an SMB Echo request was received with a multiple echo count. The problem only occurred when the connection had been idle for 30 seconds or longer and an SMB Echo request with multiple echo response count was issued by the client.

Problems Fixed In Version 7.0.0

64967 Fixed an issue where an empty routing table could cause error messages to appear in the logs at appliance startup.

25

66436 Fixed an issue where the "show ip route static" CLI command would fail to show configured ip routing. The command would also cause bail messages to appear in the log. 66674 Fixed an issue where issuing any CLI command with the prefix "domain settings" on a Steelhead that was not joined to a windows domain would result in an exit loop of the winbind process. This would result in log messages of the form: "Unexpected exit of process winbind" and "Waiting 3600 seconds before relaunching winbind" 72899 Fixed an issue where IPv6 address ::1/128 conflicts during RiOS boot. 74618 If encrypted MAPI optimization is enabled and invalid MAPI data is received on the configured MAPI port (7830), the optimization service may fail. 75430 Fixed an issue where the Steelhead was using an incorrect vlan id for outgoing packets of optimized connections. This occurred when the Steelhead was using simplified routing and vlan-conn-based was enabled. This was because the Steelhead was using an incorrect simplified routing table entry for a given connection. The issue is only seen when there is a packet ricochet with a corresponding vlan change on the ricocheted packet. 76622 For tcpdump command -s0 for unlimited snaplength is converted to snaplength of maximum MTU in order to reduce the chance of seeing memory pressure resulting in kernel messages like "tcpdump: page allocation failure. order:5, mode:0xd0". 79396 'qos classification max-data' is a hidden command to allow adjustment to the "max-data" setting. For the same reason, 'show qos classification max-data' command should be hidden as well. With this fix, the "max-data" option is not displayed in the command line help when user types 'show qos classification' command. 80001 Fixed an issue that executing "restart" command multiple times quickly can cause the CLI session to hang. 81252 Added an incident counter and a WARN log message which reads "Dropping gre packet possibly due to a loop". This message is printed when a GRE packet is dropped due to the Time-To-Live field in the IP header reaching zero after it is decremented. This helps in detecting a possible loop in the network. 90312 Adding information on why an RSP HA transfer might Fail. This includes sending emails when a scheduled transfer fails for RiOS 7.0 and 6.5 and adding notice that a transfer failed in the system logs. 91004 Demoted "Short or invalid MAPI DoConnectEx response" log message to INFO level. 91096 Fixed an issue where a Server Side Steelhead in a connection forwarding setup continues to optimize the connection on a duplicate probe from the client side steelhead even if the connection forwarding neighbor fails to respond to the owner. 26

91124 Fixed an issue where HTTP connections can may not operate correctly, if the web server employs chunked transfer-encoding. More specifically, the Steelhead appliance would aggregate response chunks to reduce the number of packets transmitted on the WAN but this behavior can hinder some applications from dynamically generating subsequent chunks. 91347 Fixed an issue where a scheduled tcpdump job including the primary interface would fail to execute. 91509 Fixed a problem that could cause Outlook to become unresponsive during authentication if communication with a Domain Controller fails on the server side steelhead while using delegation mode for encrypted MAPI. 91744 Added MAPI encryption support for Office 365. 92015 Fixed an issue in the qos code that caused the steelhead to incorrectly print the error message which said "navl_conn_init failed:". This will be seen in environments where there is packet ricochet from one in-path interface to another. 92517 Improved the performance of opening up AutoCad files from AutoCad when using an optimized SMB2 connection by allowing handles to be kept idle at the clientside Steelhead under a wider range of conditions. 92748 Maximum rules per site and maximum rules per Steelhead Appliance correspond to the number of rules configured by the user. If the user uses portlabels, Steelhead will complain if the number of rules per site and per Steelhead Appliance after portlabel translation, goes beyond the safeguard limit. 93189 Fixed a problem that could cause Outlook to become unresponsive in some rare circumstances when forwarding messages. 93327 The command 'show running-config' improperly showed RSP stats bindings as part of its output. This change removes them. 93793 Fixed a problem where connections were not optimized under the following conditions:

Full or Port Transparency were enabled. The Steelhead was configured to get packets using a Multi-In path WCCP setup. The packets that flowed in the forward direction (client => server) reached the Steelhead on a different in-path interface from the packets that flowed in the reverse direction (server => client). The problem occurred when the outer SYN from client arrives on one in-path, but the inner SYN from client-side Steelhead was wrongly sent on the second in-path and resulted in a failure to establish a connection between two Steelheads and a pass-through connection. The client-side Steelhead CFE sent the inner packets to the second router with a MAC address of the first router resulting in packet drop.

27

93995 Fixed a bug where class selections on the QoS Report pages were not always retained after a page refresh. 94026 Fixed an issue which caused CIFS prefetch to use default instead of negotiated value. When default value is higher than value set at CSH(client side steelhead), it would result in excessive CIFS prefetch. 94090 Fixed an issue where SMB-Signed connections are continuously dropped when using Delegation Mode against a domain which has NTLM disabled. The fix allows blacklisting of the SMB-Signed connection when the Steelhead detects that the domain has NTLM disabled and SMB-Signed is configured to use Delegation Mode. 94218 Added ability to disable "Proxy File Service" alarm with the "no stats alarm pfs_operation enable" command. 94242 Fixed an issue where getting the delegated tickets fails in smb-signing and encrypted MAPI optimization with clock skew errors. The first time that the clocks on the steelhead and the DC differ by more than 5 minutes the optimization service calculates the difference and attempts to compensate for the skew. Once the clock is reset on the steelhead, the service continues to compensate for the skew that leads to skew errors when getting the delegated tickets. 94280 Limited default SSL ciphers used by web server to resist CVE-2011-3389 "BEAST" attack. Disabled default OpenSSL flag SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS for CVE-2011-3389. OpenSSL 0.9.6d added an SSL 3.0 / TLS 1.0 CBC vulnerability workaround for this same problem (then thought to be impractical to exploit). But OpenSSL 0.9.6e disabled it by default because some broken SSL/TLS implementations did not work properly with it. Reenabling this workaround resists the CVE-2011-3889 "BEAST" attack. All users are advised to check for security updates for the web browsers as well. 94452 Fixed the counter in log messages that dump number of blocked log messages. The issue manifests itself as the following log message "[asynclogger.NOTICE] - {- -} blocked 1081100528 times on syslogd" with incorrect counter 1081100528. 94479 This solution ensures HTTP optimization is only triggered when enabled on both the client and server Steelheads. 94513 Fixed the memory leak by destroying unused objects. 94531 Fixed a crash in the optimization service when an SMB2 client tries to open up an invalid filename for a stream. The client makes requests for a filename where a stream name immediately follows a directory separator. Windows rejects this as an invalid filename, but NetApp allows the open as though the directory separator isn't there, which has been accounted for by adjusting the name on a successful open. 94767 Fixed an issue that caused lan-addrs to be always on in commands "ip flowexport destination * * lan-addrs *" as part of "show run" output.

28

94836 Enhancement to allow administrators to modify the list of domain controllers used by the Steelhead for Active Directory related communication via the CLI. 94900 Fixed a problem that could result in a failure to connect with encrypted MAPI when Steelhead communication with a Domain Controller fails with an NT_STATUS_PIPE_DISCONNECTED or NT_STATUS_BUFFER_TOO_SMALL error. 95111 Fixed issue that would result in error log messages when the user tried to tab complete "protocol smb2" or "no protocol smb2" in the cli. If the user tried to tab complete on either prefix an error message of the form "[cli.ERR]: user admin: keyword 'ipc' is missing v1 capabilities. Add capab_required keyword parameter to the Command." would be printed. 95195 Fixed an issue where in the rare case of secure vault creation failure upon system boot up, the Steelhead appliance will have the 'Secure Vault Not Initialized' alarm triggered and in critical state. Rebooting Steelhead does not clear the alarm. 95489 Fixed an issue that would allow an optimized SMB2 client to reopen a newly created file it recently closed. If the file inherited access control entries on creation from its parent that would prevent a subsequent open using the same access mask, we would keep the handle open so long as all other idle handle criteria were met. If the client then re-opened the file within the idle handle timeout, we would allow the open to succeed. 95627 Fixed an issue where smb-signing and encrypted MAPI optimization is disabled when the netlogon service on the DC that the optimization service is talking to is paused or stopped. The service will now attempt to discover other DCs and will failover to another DC if one is available. 95668 A fix to the "show connections" cmd so that it is usable by an rbm user with just the "reports" role. 95737 Resolved rare problem where, when VM's are configured in RSP Dataflow, certain unexpected failures of MgmtD sometimes left all traffic blocked until the device is restarted. 95765 CIFS and CIFS-Signed traffics are now properly categorized in the statistical reports. 95798 When using RSP slots at log level "info", messages of the form "Sending event for state change of interface `v^M\230*. The link is now up." sometimes appear in the log, which reference invalid interface names. These messages have been removed. 95851 Fixed a service failure when VLAN tagging and simplified routing is enabled and a connection's source and destination IP and port numbers are reused within a short time period. 95868 Fixed two issues on the RSP Data Flow page: the '# Rules' column did not always appear and the value in the column was wrong for virtual in-path VNIs with DNAT rules. 29

96049 Fixed an issue that caused "Domain Join Error" alarm, when triggered or cleared, to not generate email notifications. 96070 Fixed an issue that would corrupt the segstore segment containing the SMB negotiate request at the server-side steelhead when an SMB2 client that is blacklisted for optimization would negotiate protocols with the server. 96198 Fixed a small memory leak when configuring NTP servers. 96201 Fixed a small memory leak when taking tcpdumps from web UI or with "tcpdump-x" CLI command. 96371 'upper-limit-pct' option was incorrectly set to hidden. The fix is to show the option in command line help when user types "'qos classification class modify classname <class-name>" command. 96643 Fixed an issue where permission changes for a credential might not take effect immediately in Delegation Mode. By default, Delegation Mode caches all Kerberos service tickets, hence subsequent authentication will use the cached service tickets with stale privileges. The fix allows the user to either disable ticket caching or reset the ticket cache. 96659 Fixed an issue which prevented the Steelhead from joining a domain if the Steelhead is not able to get Kerberos tickets. Domain join operation will fall back to NTLM authentication if using Kerberos authentication fails. 96926 Fixed an issue that caused enabling datastore sync not to prompt for a service restart.

5) KNOWN ISSUES

83059 Upgrading to 7.0.0 does not preserve any user configured settings for the software version mismatch alarm. Workaround: Reapply software version mismatch alarm configurations after upgrade. 96830 Disabled and IPv4 only in-path rules are indistinguishable from the show output. To determine the exact status of an in-path rule denoted with an asterisk, consider the following cases:

The in-path rule is disabled. Currently, Web GUI has such information. The in-path rule is not applicable. For instance, the in-path rule has IPv6 subnet while IPv6 support is not enabled on the Steelhead. The in-path rule is only partially effective. For example, an in-path rule has "all-ip" as source/destination network while IPv6 support is not enabled on the Steelhead.

For the last two cases, please check whether IPv6 is enabled or not.

30

6) UPGRADING RIOS SOFTWARE

What upgrades are allowed?
You can upgrade this version of RiOS to another version that is both higher in version number and chronologically newer. For detailed information about upgrading and downgrading, see the article RiOS Upgrade and Downgrade Rules.

Steps to upgrade RiOS Software

Download the software image from the Software tab of the support site to a location such as your desktop. 1. Log in to the Management Console using the Administrator account (admin). 2. Navigate to the Setup: Software Upgrade page and choose one of the following options: 3. From URL. Type the URL that points to the software image in the text box 4. From Local File. Browse your file system and select the software image 5. Click Install Upgrade. The software image is quite large; uploading the image will take a few minutes. Do not press Ctrl-C, unplug, or otherwise shut down the system during this first boot. There is no indication displayed during system boot that the recovery flash device is being configured. After the upload is complete, you are reminded to reboot the appliance in order to switch to the new version of the software. After reboot, the software version is displayed on the Home page of the Management Console.

7) MANAGING RIOS 7.0.5 WITH A RIVERBED CMC

RiOS version 7.0.5 can be managed by Riverbed Central Management Console (CMC) version 6.5.3 (for features found in RiOS 6.5.x) and CMC version 7.0.0.

8) HARDWARE AND SOFTWARE REQUIREMENTS

Steelhead Appliance
The appliance is designed to be installed in a 19 inch (483 mm) two-post or four-post rack. WARNING: The system must be properly grounded (earthed) to reduce the risk of electrical shock. On European systems, the Green/Yellow tab on the power cord must be grounded 31

(earthed).

Steelhead Management Console

Any computer that supports a Web browser with a color image display. The Management Console has been tested with Mozilla Firefox versions 1.0.x through 3.6.x and Microsoft Internet Explorer versions 6, 7 and 8. : Javascript and cookies must be enabled in your Web browser.

Steelhead Command-Line Interface

An ASCII terminal or emulator that can connect to the serial console (9600 baud, 8 bits, no parity, 1 stop bit, and no flow control) or A computer with a Secure Shell (ssh) client that is connected by an IP network to the Steelhead appliance Primary interface. Free ssh clients include PuTTY for Windows computers, OpenSSH for many Unix and Unix-like operating systems, or Cygwin.

9) CONTACTING RIVERBED SUPPORT

Visit the Riverbed Support site to download software updates and documentation, browse our library of Knowledge Base articles and manage your account. To open a support case, choose one of the options below.

Phone
Riverbed provides phone support at 1-888-RVBD-TAC (1-888-782-3822). Outside the U.S. dial +1 415 247 7381.

Online
You can also submit a support case online

Email
Send email to support@riverbed.com. A member of the support team will reply as quickly as possible.

2012 Riverbed Technology. All rights reserved. Riverbed and any Riverbed product or service name or logo used herein are trademarks of Riverbed Technology. All other trademarks used herein belong to their respective owners. The trademarks and logos displayed herein may not be used without the prior written consent of Riverbed Technology or their respective owners.

32