
LinkProof

Maintenance Release Notes


Version 4.38.01DL September 27, 2011

North America: Radware Inc., 575 Corporate Dr., Lobby 1, Mahwah, NJ 07430. Tel: (888) 234-5763
International: Radware Ltd., 22 Raoul Wallenberg St., Tel Aviv 69710, Israel. Tel: 972 3 766 8666
www.radware.com

LinkProof version 4.38.01 Maintenance Release Notes


Date: September 27, 2011 Page - 2 -

These Maintenance Release Notes describe fixes for LinkProof version 4.38.01DL. These fixes are part of the official product code, build 2, date September 27, 2011.

Table of Contents
Supported Platforms and Modules
Maintenance Fixes
Fixed in version 4.38.01DL
Fixed in version 4.38.01
Fixed in version 4.38.00
Fixed in version 4.37.12
Fixed in version 4.37.10
Fixed in version 4.37.09
Fixed in version 4.35.07
Fixed in version 4.35.06
Fixed in version 4.35.05
Fixed in version 4.35.04
Fixed in version 4.35.02
Fixed in version 4.35.01
Fixed in version 4.35.00
Known Limitations

Supported Platforms and Modules

This version is supported by the following platforms:

Note: This version allows the application software to support multiple boot versions. The config.ini file defines the lowest boot version supported (BootRomVersion) and the highest boot version supported (BootRomVersionInPackage). If the current boot version on the device is within these parameters, no boot upgrade is required.

Platform | Lowest Boot Version | Highest Boot Version
Application Switch 1 | 4.53 | 6.01
Application Switch 2 | 4.33 | 6.07
Application Switch 3 | 6.04 | 6.04
Compact Application Switch | 1.3*, 1.4** | 6.012

Notes and Exceptions:

For Application Switches 1 and 2 with a SynApps license, it is recommended to use 256MB with this version. Large BWM and/or Application Security configurations that fit in 128MB in previous versions might require 256MB with this version.

When upgrading Application Switch 1 from version 4.21.02, boot upgrade is required. Use the following procedure:
1. Reboot the device, stop at the countdown and download the new boot version via CLI.
2. After the new boot is uploaded to the device, type ' @ ' (do not reboot the device or change any dip-switch).
3. The device loads the old boot file 4.5x and the old software version 4.21.02. Using CLI or Web Based Management, upgrade the device by sending the .tar file.
4. Once the process ends, the following message is displayed in CLI:
   Please toggle DPSW 1 to select another boot bank. Reboot will be performed.
5. Change dip-switch number 1, without turning off the device. The device reboots itself automatically and uploads with the new boot and the new version.

* Only when upgrading from 4.30.
** Before starting the upgrade procedure from version 3.81.0x, the boot EPROM must be replaced with boot EPROM version 1.4 or higher (it is recommended to ask for the highest boot version supported by the exact bug fix version you are upgrading to). Contact the Radware ordering department for this. If you are upgrading from version 4.30, no boot change is required. For upgrade from version 3.81.x the lowest boot version to be used is 1.43.

For more information on platform specifications, refer to the Installation and Maintenance Guide.


This version includes the following modules:

Module | Supported Version | Notes and Exceptions
Application Security (IPS, DoS and BDoS) | 3.402154 |
APSolute OS | 10.03-01.10 |
Other | 11.05.03 | Network Driver

This version is supported by APSolute Insite version 2.85.02 and later.

Maintenance Fixes

The following is a cumulative list of bugs fixed since the release of version 4.38.01DL.

Fixed in version 4.38.01DL


1. The trace-route command returned incorrect times. (Bug ID 60363)
2. Port Rules were not kept in the configuration download from the device. (Bug ID 89618)
3. A client could not create more than 10 local users in the user table, although 100 users were supported. (Bug ID 86831)
4. When LinkProof encountered two routers that shared the same MAC address, the device crashed with the error: 'not correct FW physical addr table index.' (Bug ID 122394)
5. LinkProof stopped sending NTP client update requests after a valid SNMP trap was sent to the device. (Bug ID 131095)
6. LinkProof crashed when using BWM. The issue was identified as an unreleased memory buffer. (Bug ID 128295)
7. When working in Redundancy mode (VRRP) with preemption enabled and arp-interface-grouping set to 'avoid', the master device did not send GARP when it came back online after a failover. (Bug ID 128681)
8. The device crashed after the command 'redundancy vrrp trap-associated-id' was issued from the console. (Bug ID 131256)
9. When a Health Monitoring binding configuration was created, automatically created health checks were available for binding. Binding them caused errors on some occasions, since the HC could have been removed on reboot. The behavior was fixed. (Bug ID 135788)
10. Ping with Source option is not working and is replaced with default gateway option. (Bug ID 139547)


Fixed in version 4.38.01


11. In a VRRP configuration, the ARP cache of the primary LinkProof displayed its own VRID MAC Address. As a result, LinkProof stopped forwarding traffic to the NHR. (Bug ID 77358)
12. In version 4.37.11, LinkProof was accessible to SNMP traffic, although it was explicitly blocked on specific interfaces via the security interface. (Bug ID 78615)
13. In versions 6.1.0.01 and below, when LinkProof responded to an inbound DNS query, the response DNS packet carried the incorrect corresponding VLAN tag ID. (Bug ID 78871)
14. When working with SmartNAT in a full Class C range, the configuration was changed to include a specific No NAT IP address. The No NAT configuration could not be added until LinkProof was rebooted. (Bug ID 80417)
15. When configuring application grouping through WBM, if the client table mode was set to Layer 3, LinkProof generated the wrong error message. (Bug ID 82593)
16. In a VRRP configuration, the primary LinkProof displayed the console message "ICMPP_prtunrch_reply_ind: no buffer to send to a user", and then after a while froze. (Bug ID 83673)
17. After upgrading from version 4.35.07 to 4.37.12DL, the secondary LinkProof did not respond to the primary ICMP requests, and vice versa. (Bug ID 84154)
18. After upgrading from version 4.35.07 to 4.37.12, LinkProof used an incorrect MAC address to respond to a packet coming from internal clients that were accessing a VIP on LinkProof. (Bug ID 84344)
19. In version 4.37.12 AS3, when passing FTP control traffic in passive mode, the internal IP address of the server, instead of the public IP address, was sent to the client within the payload. (Bug ID 85230)
20. On LinkProof AS3, when handling inbound FTP active mode sessions with the accelerator enabled, in some cases the data session went to a different NHR than the one the control session came from. (Bug ID 85362)
21. When LinkProof stopped responding to ICMP requests, LinkProof reached its NHR Tracking Table size limit, and then crashed. (Bug ID 86104)
22. When downloading a LinkProof configuration via the CLI and uploading the same configuration to an identical device, LinkProof generated the following console error: "Error 07 in loading configuration - variable number 01 of SNMP packet 637, variable name rsMLBSubnetSrvrStatus". The error was related to the grouping policies setup on LinkProof. (Bug ID 89839)
23. When creating a destination grouping rule using APSolute Insite version 2.89, the message "Error in MIB label " was generated in APSolute Insite. This error did not occur using WBM. The bug was identified in LinkProof and not in APSolute Insite. (Bug ID 90975)



24. When trying to add application port grouping rules, the message "Resource Unavailable" was displayed, even though source and destination grouping were working as expected. (Bug ID 97041)
25. When using SmartNAT with Dynamic NAT, LinkProof did not rewrite the source MAC address when it received a response from the NHR. (Bug ID 106484)
26. When creating one BWM policy rule for FTP sessions with the name "ftp", a "Generic Error" was displayed in WBM, and LinkProof then crashed and rebooted. (Bug ID 119083)
27. When a DNS AAAA record request was sent to LinkProof, and the record existed as an A record, LinkProof responded with a "Record Doesn't Exist" message with the Authorization not being set in the Answer. This resulted in the request being discarded by DNS Servers as "Lame Delegation". The behavior was fixed to include the AA Flag. (Bug ID 120761)
28. When using application grouping and creating an incorrect application port entry, the error message was misleading and displayed an illegal port range. (Bug ID 128890)

Fixed in version 4.38.00


29. When configuring Application Grouping using WBM, the value 65535 had to be used to mean "other." The fix included adding the "other" option to represent any non-explicit value. (Bug ID 21457)
30. IP address entries in the IP Fast Forwarding Table (IPFFT) that did not belong to any of the device's interface IP networks were not cleared when these addresses were later used in configuring LinkProof. (Bug ID 22185)
31. When multiple default gateways were configured, only the gateway that was currently in the routing table could be deleted. (Bug ID 29866)
32. Using RIP, the default value for AutoSend was set to Enabled, which should have been set to Disabled because AutoSend is not standard as per the RIP RFC. (Bug ID 42558)
33. When reading the values of the octet counters from the following OIDs, the OIDs generated incorrect 64bit numbers (Bug ID 56992):
    1.3.6.1.2.1.31.1.1.1.10.1 = Counter64:
    1.3.6.1.2.1.31.1.1.1.10.2 = Counter64:
    1.3.6.1.2.1.31.1.1.1.6.1 = Counter64:
    1.3.6.1.2.1.31.1.1.1.6.2 = Counter64:



34. In version 4.37.10, when a static route was added and a metric defined, the static route could not later be deleted. (Bug ID 70826)
35. After tuning the device, LinkProof did not correctly check if enough memory was available for an application to run. (Bug ID 73010)
36. When working with VRRP, the ARP Table incorrectly included the VRID MAC address of its own associated addresses. (Bug ID 77358)
37. When issuing the command "system device-info", the output included incorrect information for device registration. (Bug ID 78848)
38. On an Application Switch 3 platform, LinkProof did not change the TCP sequence number correctly for active FTP sessions. (Bug ID 80167)
39. When using Destination Grouping, if you deleted a destination group, or set the recovery or grace timers to values > 0, the device rebooted. (Bug ID 82594)

Fixed in version 4.37.12


1. The help display for 'lp global connectivity-check method help' was incorrect. (Bug ID 09578)
2. The CLI ping command did not have a help display when no flags were added. (Bug ID 09799)
3. For versions 4.35.04 and 4.35.05, the device had to be rebooted for the Selective Interface Grouping feature to start working. (Bug ID 20983)
4. For versions 4.3x, the CLI command 'system device-info' displayed incorrect CPU information. (Bug ID 30686)
5. In WBM, when changing the Static NAT configuration of existing entries from Regular to Backup, and vice versa, the Submit button was missing from the pane. (Bug ID 35986)
6. On Application Switch 2, when issuing the CLI 'net l2-information' command, the wrong information was displayed, showing an '@' instead of the port numbers. (Bug ID 36355)
7. On Application Switch 1, when issuing the CLI 'system device info' command, the Media Type was incorrect. It should have been "on board flash" as the Application Switch does not have a Compact Flash. (Bug ID 36744)
8. For version 4.35.07DL, a static NAT entry was mapping to an interface IP even though static NAT was not working correctly. (Bug ID 43177)
9. On Application Switch 2, during an SNMP task while receiving a configuration upload, the device crashed. (Bug ID 53762)
10. When working with Health Monitoring HTTP health-checks, LinkProof received the HTTP response code 411 for the HTTP POST health-checks. According to the RFC, a Length Header must be included in the HTTP data in the POST request, but LinkProof did not include it. (Bug ID 54007)
11. When editing or creating the destination IP in the Client View filters table, the Client View did not find the correct matches when checking the filteredclient-table. (Bug ID 54813)
12. Editing an existing View Filter for the Client Views destination IP resulted in the following error: "setting the vlan tag field must be in range ..." (Bug ID 54834)
13. On an Application Switch 1 Alterra device using LinkProof Build 26 and where there was only one port, auto-negotiation was set to "off" but immediately reverted to "on." Setting the physical port Auto-Negotiation to 'off' resulted in the changes being accepted and the Auto-Negotiation configuration immediately reverting to 'on'. (Bug ID 55993)
14. When working in out-of-path mode with no Client Table, if a fragmented packet entered the device from a different port than the port of the original fragment, it was forwarded to the same port as the original. In some cases, this caused traffic loops. (Bug ID 56074)
15. After upgrading from version 4.37.07 to 4.37.10 and using a redundant configuration (where the device had multiple associated IP addresses), when the Master device regained control, the Backup device kept trying to become the Master. (Bug ID 56088)
16. When working with APSolute Insite version 2.70.17DL (build 22) in order to copy the configuration, SMTP and NTP settings switched back to the default configuration after the copy. (Bug ID 57102)
17. On a CAS platform, after upgrading from version 4.35.04 to 4.37.10, enabling Any-Any Bandwidth Management rules dropped all of the VPN tunnels. (Bug ID 57106)
18. Health Monitoring Module started toggling up and down after the device was up for 248 Days. (Bug ID 57376)
19. After an upgrade from LP 4.21.07 to LP 4.35.07, Health Monitoring parameters changed (Check Interval). (Bug ID 57589)
20. When working in redundancy mode (VRRP) and the primary device took over from the secondary device, after a short period the primary device crashed and rebooted. (Bug ID 57712)
21. On an Application Switch 3 platform, when working with VIP and NAT (NHRs and Firewalls), packets were not forwarded correctly (ACK and SEQ fields in the packet were incorrect), resulting in a broken session. (Bug ID 58000)
22. When creating or deleting a Client View entry, the device froze and crashed. (Bug ID 58075)
23. When using a configuration with High Availability (two LinkProof devices) and a Virtual Tunnel was created, the Backup device froze while retrieving remote LinkProof information. (Bug ID 58754)
24. Device froze after 248 days of operation. (Bug ID 59798)
25. When using a configuration with both VIP and NAT, when the accelerators were enabled for a specific session, the PASV FTP sessions were broken due to miscalculations in the ACK and SEQ fields. (Bug ID 59942)
26. When working with Virtual Tunneling with one NHR configured as the Regular server and another NHR as the Backup server, and using the hash dispatch method, traffic did not return to the Regular NHR after it entered the Backup. (Bug ID 61075)
27. The 'rdwrClientsTableNumEntries' OID in the Radware MIB file was not available on the device. The MIB that was monitored was checking the number of active entries in the Client Table. (Bug ID 61684)
28. When working with Virtual Tunneling, the tunnels continued using the Regular-Backup or Backup-Backup configurations and did not switch back to a Regular-Regular configuration even after the Regular NHR came back up. (Bug ID 61727)
29. For version 4.37.10, when initiating a Port Scan, the scan showed port 21 as open, even though FTP services were disabled on the device. (Bug ID 61866)
30. On a CAS platform, when working with VPN, ping packets erroneously passed through the interface which had been administratively brought down. (Bug ID 62707)
31. When working with VRRP, traffic was sent to the device's virtual DNS IP according to the VRRP MAC address. (Bug ID 63152)
32. When a device port was blocked and reset (as configured in the Bandwidth Management policy), the reset contained the wrong MAC address (the MAC address of the incoming packet). (Bug ID 63836)
33. In version 4.37.11DL (Build 34), when copying the configuration using APSolute Insite 2.73.21, the VRRP trap summary was changed from "off" to "on". The CLI command "redundancy vrrp msg-per ip" is no longer in use and has been replaced by the command "redundancy vrrp trap-associated-id". (Bug ID 63859)
34. On Application Switch 2 platforms, when issuing the "system config immediate" command, the device crashed. (Bug ID 64295)
35. When working with Virtual Tunneling and a link was configured as a back link, the tunnel was configured to be Backup-Backup but LinkProof erroneously recognized it as Active-Active. As a result, the Default Gateway destination grouping configuration erroneously behaved as if it were Active-Active. (Bug ID 64344)
36. On an Application Switch 3, in FireProof version 3.37.10, the picture of the device displayed on the WBM interface was 2U although the device was actually a 1U Application Switch 3. (Bug ID 64457)
37. When changing DNAT tuning from Device -> Tuning, the memory check did not correctly calculate the remaining memory after the tuning change. (Bug ID 64561)
38. When setting the RADIUS timeout from Services -> RADIUS -> Timeout, the timeout value could not be set and the device crashed. (Bug ID 64739)
39. LinkProof did not allow creating more than 11 NHRs when the Proximity Status was set to enabled. The limitation is now fixed, and proximity is only checked for the first 10 NHRs. (Bug ID 65273)
40. The error "REAG_buf_alloc: unable to allocate buffer" was changed to appear only when Debug level 64 is set. (Bug ID 65474)
41. When working in a redundant configuration with VLAN Tagging, the Backup device that took over from the Main device stopped tagging packets. (Bug ID 66948)
42. When setting the LPB Port 1 to "auto", it still remained set to "auto off". On CAS platforms, Port 1 showed a status of Auto-Negotiation set to "Auto" even after it had been set to "Auto-Off". (Bug ID 67511)
43. On an Application Switch 1 platform, when the LPB was in status IDLE and a remote server attempted to start the IPSec, the LPB debug message "No ISAkMP_SA" was issued. On a CAS platform, every time the VPN went into IDLE status and the remote sites tried to re-establish the VPN tunnel with it, a new IPSec SA started (even with no timeout on the original IPSec SA). The result was the error "no ISAKMP-SA" on the CAS. (Bug ID 68307)
44. When loading the configuration file, the BER certification was incorrect. After uploading the configuration file from LinkProof and then trying to send it back, the error message "Error 07 in loading configuration" was generated. (Bug ID 70695)
45. When proximity was configured for "Full Proximity - Both", it did not work properly and the Dynamic Proximity table remained empty. (Bug ID 72438)
46. When working with cluster servers and trying to delete a cluster, the message "deleted successfully" appeared, although the cluster server was not deleted. (For MIB change please refer to the Release Notes) (Bug ID 73576)


Fixed in version 4.37.10


1. After configuring and updating BWM policies (with the device in transparent mode), the device froze. (Bug ID 30471)
2. Using Mirroring, when an entry was deleted on the primary device, the entry was not updated on the backup device. (Bug ID 30693)
3. While upgrading from version 4.21.00 to 4.35.06, if there was a destination grouping in the configuration, the device crashed and rebooted. (Bug ID 30695)
4. On Accelerated Platforms, when the accelerator was enabled, the first packet from the local server was sent without NAT. (Bug ID 30696)
5. After removing all the interfaces from a device and rebooting it, a fatal error occurred along with an error message. (Bug ID 31622)
6. When a virtual IP was configured for the device interface, some health checks for virtual tunneling failed. (Bug ID 34081)
7. Configuring some IP addresses in the routing table caused those entries to be deleted due to a problem with the way the device reads the IP address. (Bug ID 34165)
8. When working with both virtual DNS IPs and virtual tunnels, some of the tunnel checks failed (CAS). (Bug ID 35472)
9. While trying to change VRRP fields when VRID was active, the resulting message was not informative enough. (Bug ID 36317)
10. Some network ranges could not be accepted by Dynamic NAT local IP ranges. The error message "The parameter 'To Local IP' must be an ip address" was generated. (Bug ID 41436)
11. When DNS for a local client was enabled and checksum was disabled, if the device received a DNS packet with a checksum of 0, it changed the checksum instead of ignoring it. (Bug ID 41616)
12. While using SSH to manage the device, all management access (HTTPS, SSH, Telnet, HTTP, Serial) froze. However, the device continued to process packets. (Bug ID 42048)
13. In VPN Configuration, when a VPN rule to a specific host was defined, the new rule did not work. The problem was related to the /32 mask defined on the host. (CAS Platform) (Bug ID 42049)
14. After configuring destination grouping and adding a destination Health Check, the Health Check failed. The device needed to be rebooted for the Health Check to succeed. (All Platforms) (Bug ID 42094)
15. When a configuration file containing an illegal source or destination IP in a BWM policy was uploaded to the device, the device crashed during boot. As part of the fix, the policy is now not loaded and a warning is issued at boot time. (Bug ID 42168)
16. When the fragmentation table reached its limit, a notification message was issued only once. As a result of the fix, the message is now issued every 20 seconds if fragmentation reoccurs. (All Platforms) (Bug ID 46914)
17. In a VLAN configuration with NHR, the MAC address of the NHR was missing from the Client table. (Bug ID 47012)
18. When working with proprietary redundancy, after the main device rebooted and took over the main position, the device did not forward traffic as expected. (Bug ID 47014)
19. When viewing the Client Table in WBM, the CPU reached 100% capacity. (Bug ID 47093)
20. When fragmented traffic passed through the device and the fragmentation table was not large, the device throughput was much less than expected (CAS). (Bug ID 47451)
21. When using the FTP passive command and either a NAT or VIP was changed, during retransmission the device handled the TCP sequence and ACK numbers incorrectly. (Bug ID 47642)
22. When NAT was enabled and traffic was set for a specific NHR, if the 'exclude static NAT' flag was disabled, the NAT translation was to an incorrect NHR. (All Platforms) (Bug ID 48058)
23. When NAT was enabled and the 'exclude static NAT flag' was disabled, traffic was sent to a specific NHR, but the NAT translation was set to a different NHR. (All Platforms) (Bug ID 48059)
24. When processing VPN traffic, when ICMP was forwarded to the device, the device crashed. (CAS) (Bug ID 49091)
25. While opening an SSH & SNMP session concurrently, the device console froze, but the device continued to process packets. (AS2) (Bug ID 50162)
26. Under the following conditions, the device crashed:
    - ARP table clean (after the device was booted or a manual cleanup)
    - ARP Aging time is very short
    Unknown ARP requests were put in the 'ARP waiting list'. The device started to lose buffers until it crashed. (All platforms) (Bug ID 52293)
27. After issuing the 'manage management-port' command from the CLI, the device froze. (Bug ID 52301)
28. When a session began with the first packet sent by a server, the application-aging-time was calculated incorrectly according to the source port instead of the destination port. This resulted in various sessions disconnecting, as these sessions used the global aging time instead of the configured aging time. The problem was identified on MS Terminal Server connections (RDP - TCP port 3389). (Bug ID 53930)
29. LP device did not respond to Telnet command (Insite and WBM were still working). (Bug ID 53767)

Fixed in version 4.37.09


1. While trying to download the configuration file to LinkProof in BER format, the download aborted. (Bug ID 43867)
2. In VLAN configuration with NHR, the MAC address of the NHR was missing from the Client table. (Bug ID 47012)
3. If Switch VLAN configuration was applied, the operational status remained UP even though the VLAN ports were down. (Bug ID 47716)
4. When NAT was enabled and the 'exclude static NAT flag' was disabled, while traffic was sent to a specific NHR, the device performed NAT translations according to a different NHR. (Bug ID 48059)
5. When processing VPN traffic, when ICMP was sent to LinkProof it crashed. CAS platform. (Bug ID 49091)
6. The LinkProof Device console froze while opening an SSH & SNMP session concurrently, and the device continued to process packets. (Bug ID 50162)
7. When using RIP with a basic configuration, the device crashed. (Bug ID 19215)
8. When Mirroring was activated in VRRP configurations (AS3), the device crashed and rebooted. (Bug ID 20952)
9. While handling VPN session with fragmented traffic, the device crashed. (Bug ID 25938)
10. When using VPN, the device froze after several hours of operation. (Bug ID 26129)
11. When Mirroring was used, both the primary and backup devices crashed. (Bug ID 26539)


12. While using mirroring, the primary device crashed. (Bug ID 26540)
13. NTP configuration was not saved after loading the configuration file to the device. (Bug ID 27695)
14. While in VRRP mode, when the main device rebooted, the mirrored entries were not copied to the backup device. (Bug ID 30694)
15. On Accelerated Platforms when mirroring was enabled, the backup device reached high CPU usage. (Bug ID 30697)
16. When virtual tunneling was used and one of the NHR's modes was changed (from backup to regular, or vice versa), the NHR mode was not updated. (Bug ID 31088)
17. After upgrading from version 3.81.06 to 4.35.04 using Insite, the device crashed. (Bug ID 32969)
18. After 'more-prompt' was enabled, when displaying more than one page on the terminal, the actual behavior was as if it was disabled. (Bug ID 37641)
19. When trying to add a Remote Station entry to the Remote Station Table while using virtual tunneling, the device crashed. (Bug ID 37708)
20. When VLAN Routed Redundant configuration and Interface Grouping were enabled using Proprietary Redundancy, the device did not respond to an ARP request. (All Platforms) (Bug ID 39842)
21. When the command "system device-info" was initiated, the device crashed. (Application Switch 1, Application Switch 2, and CAS) (Bug ID 41210)
22. LP Version 4.35.07 (all licenses) BWM did not classify traffic that was destined for the device IP itself. (Bug ID 43786)
23. While trying to download the configuration file to the device in BER format, the download aborted. (CAS Platform) (Bug ID 43867)
24. VRRP had to be configured on the master device before it could be configured on the backup device. (Bug ID 46145)
25. When NTP was enabled, the following message was displayed: "WARNING Connection to NTP server timed out". The device then had to be rebooted. (All platforms) (Bug ID 47320)
26. After issuing the 'system paste-config start' command in CLI, the device froze. (Bug ID 51338)


Fixed in version 4.35.07


Item 1. 2. Description When AAAA query is received by LinkProof, the UDP length of its reply was miscalculated and set to indicate 3 bytes longer payload. When a TCP proximity check failed, the device sent the check through different NHRs but using wrong parameters, causing insertion of wrong latency value in the proximity table. It was not possible to block or limit access to the device Virtual DNS or Remote Virtual IP address. Please note that now BWM policies are applied to all device IPs as well (Virtual DNS, Remote VIP or interface IP) and use of Any to Any block policies can prevent access to device management as well. In configurations where RIP is enabled, routing between two class A subnets did not work properly. When BWM module used per-session classification mode, the policy statistics were incorrect In VRRP redundancy configuration, when the main device failed and than came back up it took over all VR IPs before the backup device had a chance to mirror its client table to the main. This caused some of the current active sessions to fail. Trace route command from the device, destined to a network for which a static route entry existed, would go out via the default gateway NHR when ping health checks were configured for this NHR, instead of the NHR configured in the static route. The WBM device zoom was missing for Application Switch 2 - Dual Power Supply. When Application Switch 3 worked with remove at session end parameter enabled, it would occasionally send FIN/RST packets to clients. Bug ID 19865 26175

3.

09819

4. 5. 6.

09701 9892 19103

7.

24947

8. 9.

25876 22915

10. In a redundancy configuration where the management port is excluded from interface grouping, if no access via the management port was attempted before an interface grouping is activated on the device (due to a failed interface), once interface grouping was activated no management access was available, though management port did not participate in interface grouping. (Bug ID: 25399)
11. After a device reset, previously configured Destination Health Checks would fail. (Bug ID: 19898)
12. Device upgrade via TFTP (from Insite) would occasionally cause fatal error and the device reboots. (Bug ID: 10481)
13. Occasionally the device would forward sessions without Dynamic NAT. This occurred on Application Switch 3 only. (Bug ID: 18515)
14. LinkProof Branch with VPN license would in certain instances crash when it received fragmented IPSEC packets. (Bug ID: 19802)
15. The values of an NHR warm-up and recovery time were not visible in the output of the system config command. (Bug ID: 24367)
16. Device sent ARP requests with VLAN MAC as the sender MAC (instead of the physical port's MAC address). (Bug ID: 22748)
17. OSPF multicast was dropped, causing OSPF protocol to fail. (Bug ID: 24907)
18. Device would sometimes crash when configuration was downloaded from the device via TFTP. (Bug ID: 10165)
19. Device would occasionally crash when deleting an IP VLAN while under heavy traffic. (Bug ID: 20003)
20. Software upgrade to version 4.35.07 on an Application Switch 1 version 2 platform required entering a password from the console. (Bug ID: 24221)
21. NAT was not performed for passive FTP sessions where the FTP server replied with passive mode entered and not entering passive mode. (Bug ID: 25722)
22. When user attempted to delete an NHR that was defined as default gateway for the device, the message provided was unclear as to the reason why this command fails. (Bug ID: 27386)
23. When an FTP control session packet with destination address an LP Dynamic NAT IP arrived and its destination port that was already allocated to an ICMP session, the device would crash. (Bug ID: 9580)
24. Application Switch 3 would occasionally crash under heavy traffic with the message "Fatal Error: REAP_dsptchr_clnt_tbl_add_entry inconsistent client data" due to error in clearing client table entries. Application Switch 3 devices crashed after 248 days, 13 hours, 13 minutes, 50 seconds due to overflow of timer. (Bug ID: 9709, 23541)
25. Device would crash when the "snmp get rsMLRBRNatHealthmonitoroperstatus.0" command was performed from a MIB browser. (Bug ID: 20381)
26. Dynamic ARP table entries were deleted before the aging time if the ARP table aging time was set to values greater than 21,000,000 seconds. (Bug ID: 27711)
27. The device crashed if user tried to attach IP address to a non-IP VLAN interface. (Bug ID: 27577)
28. Generic fixes
    Fixed in Generic 10.02-00.15:
    a. Health monitoring module did not allow configuring health checks with an empty password. (Bug ID: N/A)
    b. When TCP User Defined health check was in use, received packets with binary matching were not matched correctly. (Bug ID: N/A)
    c. In some cases, when HTTP or HTTPS check was in use and all the check's arguments were configured, it was not possible to edit the argument. (Bug ID: N/A)
    d. When multiple health checks with ARP method were configured with the same destination IP address, it was not possible to delete any of them. (Bug ID: N/A)
    e. The device did not notify to reboot the device via telnet and SSH when a status of features which requires reboot was changed. The device notified only via the serial console. (Bug ID: N/A)
    f. In some Read-Only tables, the device displayed a "Delete" column with an option to mark entries for deletion in the Web Based Management. (Bug ID: N/A)
    g. In some cases the device did not display the "Set" button in the Web Based Management. (Bug ID: N/A)
    h. Occasionally if the user tried to download a configuration file via WBM, the download process would abort and the following error message would appear: "tcp:no more packets". (Bug ID: N/A)
    i. Occasionally after sending a script via a Telnet session to the device, the Telnet session would disconnect and the following error messages would appear: "tnp_text_handler: No buffers. Text discarded". If the user then tried to reconnect to the device via Telnet, the connection would not succeed and the following error message would appear: "TELNET: New server connection refused. No buffer". (Bug ID: N/A)
    j. Occasionally, when trying to download the support file via WBM, only part of the file would be downloaded. (Bug ID: N/A)
    k. Occasionally, logins to Telnet, SSH or WBM were reported to the console. (Bug ID: N/A)
    l. Occasionally, when the user tried to connect to a device with HTTPS (secure web), a regular HTTP page would appear. (Bug ID: 23770)
    m. In some cases, when the user accessed the check table via any of the management interfaces, the device crashed. (Bug ID: N/A)
    n. After 248 days, 13 hours, 13 minutes, 50 seconds there would be a fatal error regarding the tAxlUtils, causing the device to crash. (Bug ID: 23541)
    Fixed in Generic 10.02-00.16:
    o. On LinkProof with DHCP Client, when a NHR IP address was updated, the health check still used the old IP Address of the NHR. (Bug ID: 21716, 22354)
    p. SNMP vulnerability fix: SNMP packet with very long community string to the management interface causes a nested fatal error:
        Fatal Error Version 3.00.00 (Jan 24 2006, 23:28:21):
        Exception vector number: 0x300
        Pointer to exception stack frame: 0xaecf0e8
        Program counter: 0x778158
        Machine state register: 0xb030
        Data access register: 0x399636c5
        Data storage interrupt status register: 0x40000000
        NESTED FATAL ERROR (exception)
        NESTED FATAL ERROR (exception)
       (Bug ID: 23334)
    q. Occasionally, the device crashed with the following fatal error:
        Fatal Error: Fatal Error Version 8.20.03 (Dec 27 2004, 10:11:59):
        Exception vector number: 0xc00
        Pointer to exception stack frame: 0x3412268
        Program counter: 0x264340
        Machine state register: 0xb030
        Data access register: 0
        Data storage interrupt status register: 0
        Date: 09-06-2005 11:12:47
        Task Name : SNMP
        09-01-2006 03:59:37 ERROR RADP_send_radius: Function failed.
        09-01-2006 03:59:41 ERROR RADP_send_radius: Function failed.
       (Bug ID: 23018)
    Fixed in Generic 10.02-00.17:
    r. When OMPC or Content searching BWM rules were configured on Application Switch 3, all the traffic was processed by Master CPU, causing device crash when CPU reached 100% utilization. (Bug ID: 28242)
29. BSP fixes:
    a. Creation of a new directory in the file-system using the CLI command "system file-system files mkdir" and a wrong path name caused the device to freeze. (Bug ID: 18348)
    b. During the software upgrade and using a TAR file of an incorrect platform, the upgrade failed with no error message. A new test is now done in order to verify that the TAR file matches the hardware platform. (Bug ID: 12419)
    c. Starting BOOT version 6.06, Application Switch 2 supports automatic boot PROM burning during the software upgrade process. Notes: In order to be able to perform automatic upgrades to AS2, BOOT 6.06 must be burnt manually. Upgrading from 6.06 to future versions will be done automatically. Automatic Software upgrade supported on hardware revisions 4.45, 4.50 and above. (Bug ID: N/A)
    d. After stopping the INIT of the Application Switch 3 device and choosing to load the application from the compact flash, the device generated the following error message: "Invalid value 1 for the NewApplication". (Bug ID: 19447)
30. Fixed in IDS 1.53.20: The summarized security log doesn't display the right info when multiple source IPs are used. In addition, source IPs of heavy attacks are displayed inaccurately. (Bug ID: N/A)
31. VRRP configurations with VLAN did not work properly due to the fact that when the main device failed and the VLAN was disabled (interface grouping) the physical ports of the VLAN were not physically disconnected. The switch to which physical ports of the VLAN interface were connected did not clear its MAC tables and continued to send traffic to the main device though it had become inactive. To fix this the Force Port Down feature was added. Please see the relevant section in the user guide for details and limitations. (Bug ID: N/A)

Fixed in version 4.35.06


1. In certain circumstances when LinkProof Branch used VPN that required packet fragmentation assembly (Bug ID: N/A)
2. In certain circumstances when LinkProof in VRRP configuration is switching master appliance (Bug ID: N/A)
3. New look support. Version 4.35.06 provides support for Radware appliances new look design. This version is backward compatible with old look as well. The following changes were done in this version: (Bug ID: N/A)
    a. The Synapps phrase was replaced with the phrase "BWM, IPS" in all the management applications (CWI, Web, CLI).
    b. In the CLI the term "License code" was changed to "License Key".
    c. New licensing text is introduced. Instead of the word Synapps, the words BWM, IPS will appear. For example if you had an LP license that looked like lp-synapps, it will be replaced by lp-bwm-ips.
    d. In CWI and the Web, new look gifs will be seen if the appliance is of new look design.
4. Generic libraries fixes:
    Fixed in Generic 10.02-00.14:
    a. If a Path length + attack database file name length was above 106 characters, the TFTP upload via Insite did not work and the following error message appeared - "File too long". (Bug ID: 9820)
    b. When a request to download a configuration file that didn't exist to the device was performed, the device sent a read request to the server. When it got the response "file doesn't exist", it sent a write request with the same name, causing the file to be created. (Bug ID: 18334)
    c. In case a field in a MIB contained strings with %X (%s, %d, etc.) the device would crash when the CLI command "system config immediate" was executed. (Bug ID: N/A)
    d. A capture of an SSL session could not be analyzed when a Diffie-Hellman key exchange scheme was in use - due to it involving random seed numbers. Current version supports only the RSA scheme. (Bug ID: N/A)
    e. New Basic filters are now available for the P2P group: Baidux, Poco and PPlive. (Bug ID: N/A)
    f. In some cases, enabling Bandwidth Management Statistics Collection caused the device to generate a generic error message. (Bug ID: 19653)
    g. When multiple health checks with ARP methods were configured with the same destination IP, some checks passed and some failed. Starting this version it is not possible to configure more than a single ARP check with the same destination IP address. (Bug ID: 19813)
    h. When multiple LDAP health checks were configured, after rebooting the device all the LDAP checks, except the last check, failed. (Bug ID: 19783)
    i. After a configuration file was sent to the device via TFTP using the CLI command "manage tftp config-file get", the device did not notify once the download was completed. (Bug ID: N/A)
    j. The device accepted any illegal IP address/Mask and changed it on its own after pressing the "SET" button on the WBM. (Bug ID: N/A)
    k. When a malformed configuration file was sent to the device, the software upload failed and it was not possible to send a new configuration file to the device. (Bug ID: N/A)
    l. In some cases the device did not accept HTTP connection (for device management) even if Web Based Management was enabled. Disabling and enabling Web Based Management did not solve the problem. (Bug ID: N/A)
5. Application security fixes: (Bug ID: N/A)
    Fixed in IDS 1.51.16:
    a. In CLI, when typing the command security alerts-table get 0 (index=0) the device used to print an empty alert, instead of printing the error message no such instance or wrong value.
    b. When updating a new signature file that included new attack groups, the new groups did not appear till device was rebooted.

Fixed in version 4.35.05


1. Occasionally device crashed due to client table mirroring problem. (Bug ID: 1168)
2. When forwarding ICMP unreachable messages, whose original packet had data, the device set incorrect ICMP header checksum, causing MTU problems. (Bug ID: 1740)
3. When RIP is enabled there is wrong routing for whole class A IPs (or 1st prefix IPs) when specific route with same prefix is statically defined. (Bug ID: 1686)
4. For device in static forwarding configuration, when attacks with the IP header bigger than 20 bytes (has timestamp in the IP option) occurs, the attack is not matched by Application Security. (Bug ID: 1667)
5. The device changed the sequence number of retransmitted TCP packets, and therefore the TCP packets got out of order. (Bug ID: 1604)
6. One trap settings did not work on "WARNING Routing to NextHopRouter x.x.x.x is problematic" messages and therefore separate messages were sent for each occurrence. (Bug ID: 1513)
7. Fixed in Network Driver: Application Switch 2 device dropped packet with Ethernet type 0x9000. (Bug ID: N/A)
8. Fixed in Network Driver: When copper GBICs were in use on Application Switch 2 with 7G, in some cases the device recognized the links as down, but traffic was forwarded successfully. (Bug ID: N/A)
9. It was not possible to configure OSPF interfaces metric via WBM or CLI, only via Insite. (Bug ID: 1281)
10. Device crashed after entering the command net ospf parameters lsa. (Bug ID: 1821)
11. When an FTP control session packet with destination address a LP Dynamic NAT IP arrived and its destination port that was already allocated to an ICMP session, the device would crash. (Bug ID: N/A)
12. In certain instances, problems with client table mirroring of FTP sessions (redundant configurations) occurred, creating inconsistencies in the client table and causing the device to crash. (Bug ID: N/A)
13. Basic NAT range was limited to 70,000 entries; it has now been increased to 2^24-1. (Bug ID: N/A)
14. Via CLI illegal configurations of Basic NAT were allowed, causing device failure after reboot event. (Bug ID: N/A)
15. When using DNS health checks, if the DNS response contained 2 answers (CNAME and A record), a fatal error would occur. (Bug ID: N/A)
16. Qmail servers would discard the mail alerts (traps) sent by the device. (Bug ID: 1512)
17. Support for license that limits throughput to 100 Mbps was added. This license is available on Application Switch 1 only. (Bug ID: N/A)
18. Fixed in Network Driver: Application Switch 1 version 2 supported both cross and straight cable. Starting this version, Application Switch 1 version 2 supports only crossover cables. (Bug ID: N/A)
19. Fixed in Network Driver: Application Switch 2 lost synchronization with copper GBICs upon reboots. (Bug ID: N/A)



20. Fixed in Boot: In some cases, after upgrading from Pre-File-System version to File-System version the Application Switch 1 device lost its license. (Bug ID: N/A)
21. Fixed in Boot: In case the command "system file-system copy-to-flash" was executed with invalid index on Application Switch 2 or Application Switch 3, the device erased the internal flash. (Bug ID: N/A)
22. Fixed in Boot: A new protection is now available to protect uploading incorrect files when burning the BOOT file on Application Switch 2 and Application Switch 3. (Bug ID: N/A)
23. Fixed in Boot: When downgrading the device to lower versions, Application Switch 2 and Application Switch 3 did not erase the old software versions from the compact flash. (Bug ID: N/A)
24. Fixed in Boot: The Application Switch 3 device displayed incorrect hardware version under "system device-information". (Bug ID: N/A)
25. Application Security fixes:
    Fixed in IDS 1.51.16:
    a. Configuring 10 security policies or more caused the device to crash. (Bug ID: 1620)
    b. When adding or removing attacks from a policy that includes a user-defined attack, the device reported an error "couldn't delete dummy classification entry". (Bug ID: N/A)
    c. Update Policy command performed via Configware Insite could cause device to crash. (Bug ID: N/A)
26. Telnet session hung up when a large client table was displayed. (Bug ID: 1618)
27. Dynamic host name definition was recorded in the configuration as a regular host name entry with corrupted URL. (Bug ID: 1672, 1677)
28. DNS for Local Clients capability was not working when the request source and destination UDP ports were the same. (Bug ID: 1777)
29. If the length of the Virtual Tunneling remote service name was longer than 14 characters the device sent the following messages: "Problem in create tunnels" / "Tunnel health monitoring description problem (1)". The supported length was increased to 20 characters. (Bug ID: 1764)
30. Could not add VLAN tag to a VLAN interface. (Bug ID: 1825)
31. VLAN Tag max value (4095) could not be set. (Bug ID: N/A)
32. The options date and time were missing from the system CLI menu. (Bug ID: N/A)
33. If device reboot was performed after date/time change a warning message appeared. (Bug ID: N/A)
34. When adding a VPN rule via Insite, the following message appeared on CLI: "Problem to get the next tunnel entry: remote service not match". (Bug ID: N/A)
35. A message was received on LinkProof Application Switch 3, software version 4.21.07, that the number of free client table entries is larger than the total number of client table entries configured, followed by device crash. (Bug ID: 1698)
36. When upgrading the device via Configware Insite, the password was verified only after the file was downloaded to the device. Now it is verifying the password at the beginning of the process, to save time in case of incorrect password. (Bug ID: N/A)
37. 802.1q environment support (VLAN environment) could not be enabled (after reboot, the functionality would still be disabled). (Bug ID: 1780)
38. Destination health monitoring functionality did not work: automatic health checks were not created, causing a loop after first device reboot. (Bug ID: 1675)
39. Personality change for NFR units (not for resale) between products such as DP to LP is problematic. (Bug ID: 1396)
40. System uptime readings did not change over time. (Bug ID: 1652)
41. Classification did not work properly with one way Layer 4 Bandwidth Management policies. (Bug ID: N/A)
42. Device crash when trying to edit/add VPN rule via CWI. (Bug ID: N/A)
43. Problems with SW Download via the WBM. No indication is received that download finished. SW download started again without user request. (Bug ID: N/A)
44. Error message appeared on CLI after using command: lp global clienttable aging-time set 100. (Bug ID: N/A)
45. When a fragmented IPSec packet would arrive to the Integrated VPN gateway on the LinkProof Branch, an ICMP error was sent to the source VPN gateway to stop sending fragmented packets and reduce MTU. Some gateways recognize this message and act accordingly and some do not. In this version the fragmented message is reassembled and decrypted in order to find the IP address of the originating client, and an ICMP error message asking it to lower its MTU is sent to this client. Of course the message is encrypted and sent via the source VPN gateway. Reassembled and decrypted message is forwarded to the destination, in case its size is less than current MTU on the forwarding port. (Bug ID: N/A)



46. Generic libraries fixes:
    Fixed in Generic 10.01.00-13:
    a. When Bandwidth Management policies were used to classify P2P traffic, in some cases, packets were classified incorrectly. (Bug ID: 1632)
    b. A SYN packet with an illegal TCP option could cause the accelerator to hang when replying to the SYN packet with a SYN cookie. In such cases the master CPU would then crash with no log messages (Application Switch 3 only). (Bug ID: N/A)
    c. When "SSL Hello" health check was in use, and the SSL version was "SSL V3.0", the device did not include the SSL version when it generated the check. (Bug ID: N/A)
    d. The SSH client did not process "window adjust" messages. (Bug ID: 5275)
    e. Sending configuration files to the device, which were not in BER format, caused the configuration to be erased. (Bug ID: N/A)
    f. After upgrading to software versions that support SNMPv3, it was not possible to connect to the device using SNMP anymore. (Bug ID: N/A)
    g. vacmAccess* entries in ASCII configuration did not have the correct snmpGroup key. (Bug ID: N/A)
    h. When SSL based check was in use (HTTPS or LDAPS) and the server was using the CBC ciphers, the check failed. (Bug ID: N/A)
    i. When SSL check was in use, and the physical link, which was used to send the check, became disconnected, the check did not fail. (Bug ID: N/A)
    j. In some cases UDP Port Health Checks succeeded even if the UDP port was unavailable. (Bug ID: N/A)
    k. 2 new Basic Filters for BitTorrent (UDP) are now available. P2P filters group is also updated with the new filters. (Bug ID: N/A)
    l. When Port Bandwidth Statistics were collected and BWM module was disabled, the device crashed with a fatal error. (Bug ID: 1707)
    m. When BWM module was disabled, it was possible to delete basic filters, which were used by BWM policies. (Bug ID: N/A)
    n. When using BWM policies with Bandwidth Limitations and the maximum bandwidth allowed was 1K, the device did not classify the traffic correctly. The Minimum Bandwidth Limitation for policy is now limited to 12K. (Bug ID: 1726)
    o. TCP and UDP traffic on port 512 caused high CPU utilization. (Bug ID: 1738)
    p. When Bandwidth Management was enabled and Application Security was disabled and Session Table was full, the device crashes with the following fatal error: "Fatal Error: bwmSessionTableProcessCallback error - linked session wasn't found". (Bug ID: 1697)
    q. When HTTP or HTTPS health checks were in use and the servers replied with "HTTP 1/0" and "200 OK" in two packets, the check failed. (Bug ID: 1716)
    r. A new argument is now available for "TCP Port" health checks: "Complete with FIN". When this argument is enabled, the device ends the TCP check with a FIN Packet. In case the server replies to this FIN with an ACK, the device sends another ACK to the server. In case the server doesn't reply to the FIN packet the check doesn't fail (the check fails only if the server doesn't reply to the SYN packet). The default value of the argument is "Disable". (Bug ID: N/A)
    s. After sending a configuration file that contained two (or more) entries in the Community Table with the same community string, only the first community string appeared in the community table. (Bug ID: N/A)
    t. After converting the configuration file to a newer software version using Configware Insite, and uploading the converted configuration to the device, it was not possible to connect to the device using SNMP. (Bug ID: N/A)
    u. The device allowed uploading configuration files which were not in BER format and deleted the current configuration afterwards. (Bug ID: N/A)
    v. In order to delete an entry from the OSPF interface table, it was required to use the command net ospf interface del <ip address> <interface number>. However it should only be required to specify the IP address. (Bug ID: 1813)
    w. In order to improve DoS Shield performance, a new DoS Shield filter is now available. (Bug ID: N/A)
    x. When the configuration file was downloaded from the device, the SNMP community table was missing from the downloaded configuration file. (Bug ID: N/A)
    y. A bug in the escaping sequence of Health Monitoring Module did not read the methods arguments correctly. (Bug ID: N/A)

Fixed in version 4.35.04


1. Occasionally an FTP session where many data sessions were attached to the same control session would cause the device to crash. (Bug ID: 1315)
2. Proximity checks do not reach the minimum packet size of 60 bytes. In the past this caused the packet to be padded by garbage. Now every TCP and ICMP check packet that is smaller than 60 bytes is padded with zeroes. To the UDP proximity checks packets the linkproof.proximity.advance packet is added. (Bug ID: N/A)
3. In certain cases the MAC table was updated according to dynamic ARP packets, even though there was a static entry in the ARP table. (Bug ID: 1477)
4. BootP messages were not forwarded by the device when it was configured as BootP relay. (Bug ID: 1500)
5. The application port number that could be configured for aging per application functionality was limited to 49151 instead of 65534 (fixed in CLI and Web). (Bug ID: N/A)
6. Using CLI, strange numbers were displayed in the output of net l2information command when it was used after the command system infstats reset. (Bug ID: 1334)
7. It was possible to set a Gig port to 100Mb via CLI. (Bug ID: 1320)
8. The caption of the Port Mirroring parameter Receive Broadcast was changed to Promiscuous Mode. (Bug ID: 1337)
9. In certain conditions, when using passive FTP in environment with many retransmissions, new traffic sessions would stop being forwarded, due to lack of available Dynamic NAT ports. (Bug ID: N/A)

10. When using Virtual Tunneling between two sites in certain configurations, the tunnel health was not detected correctly (one site detected tunnel as active while the other side detected it as failed), causing the traffic for this tunnel to fail permanently. (Bug ID: 1446)
11. If an ARP packet was received from subnet not defined on the device, the device did not answer. Now it will answer, if routing entry to that subnet is defined. (Bug ID: N/A)
12. Dual power supply is supported on Application Switch 2 and 3. (Bug ID: N/A)
13. During software upgrade between minor versions password was required. This is fixed for updates from this version on. (Bug ID: N/A)
14. New information has been added to the system device-info command output: network driver version, health monitoring module version, active and secondary boot version. (Bug ID: N/A)
15. When upgrading a device with a file-system, and there is not enough free space on the flash, the device generated an error message. During software upgrades the device now erases the old version in case there is not enough space on the flash. (Bug ID: 1082)
16. A spelling mistake was fixed in CLI output: "Couldn't prepare temporary directory cm:/TARTMP for tar extration." (extration instead of extraction). (Bug ID: N/A)
17. In rare conditions, Application Switch 2 and Application Switch 3 Strata Flash (Internal Flash) would lose its content upon frequent reboots. (Bug ID: 1424, 1489)
18. Application Switch 2 and Application Switch 3 device would suddenly crash with the following error: "Warning: Non-formatted Strata Flash media. Please, prepare Strata Flash for File System ('z') and execute DOS format ('y')" (Bug ID: 1489)
19. On Application Switch 3 with 9 Giga Ports (Fireproof on Voyager only) when one port which was part of Static Forwarding ports was down, the device did not fail to second port. (Bug ID: N/A)
20. On Application Switch 3 the 10G port did not work properly. (Bug ID: N/A)
21. When bandwidth management per traffic flow was used, the device occasionally crashed. (Bug ID: 1487)
22. Fixed in Generic 10.00-00.13a: When Protocol Discovery was enabled and the device did not have enough memory, the device crashed with a fatal error: Fatal Error: No Memory available to create statistics table. (Bug ID: 1433)
23. Fixed in Generic 10.00-00.13a: When Bandwidth Management was configured to block or limit eDonkey traffic the CPU was overloaded. (Bug ID: 1476)
24. Fixed in Generic 10.00-00.13a: When updating policies, sometimes the device crashed with a fatal error: "Fatal Error: Accelerator: 0, CPU: 0, no longer responding". (Bug ID: 1511)
25. Fixed in Generic 10.00-00.13a: The device would become inaccessible via Telnet or SSH, if multiple successive attempts to login were done by the user. (Bug ID: 1481)
26. When using LP Branch VPN gateway, if the VPN Rule local subnet (for example 10.2.1.0) was included in the same VPN Rule remote subnet (for example 10.0.0.0) the device didn't reply to messages sent to its IP belonging to the local subnet, because it recognized the session as VPN session. (Bug ID: N/A)
27. Occasionally an FTP session where many data sessions were attached to the same control session would cause the device to crash. (Bug ID: 1315)



28. Proximity checks do not reach the minimum packet size of 60 bytes. In the past this caused the packet to be padded by garbage. Now every TCP and ICMP check packet that is smaller than 60 bytes is padded with zeroes. To the UDP proximity checks packets the linkproof.proximity.advance packet is added. (Bug ID: N/A)
29. In certain cases the MAC table was updated according to dynamic ARP packets, even though there was a static entry in the ARP table. (Bug ID: 1477)
30. BootP messages were not forwarded by the device when it was configured as BootP relay. (Bug ID: 1500)
31. The application port number that could be configured for aging per application functionality was limited to 49151 instead of 65534 (fixed in CLI and Web).
32. Using CLI, strange numbers were displayed in the output of net l2information command when it was used after the command system infstats reset. (Bug ID: 1334)
33. It was possible to set a Gig port to 100Mb via CLI. (Bug ID: 1320)
34. The caption of the Port Mirroring parameter Receive Broadcast was changed to Promiscuous Mode. (Bug ID: 1337)
35. In certain conditions, when using passive FTP in environment with many retransmissions, new traffic sessions would stop being forwarded, due to lack of available Dynamic NAT ports. (Bug ID: N/A)
36. When using Virtual Tunneling between two sites in certain configurations, the tunnel health was not detected correctly (one site detected tunnel as active while the other side detected it as failed), causing the traffic for this tunnel to fail permanently. (Bug ID: 1446)
37. If an ARP packet was received from subnet not defined on the device, the device did not answer. Now it will answer, if routing entry to that subnet is defined. (Bug ID: N/A)
38. Dual power supply is supported on Application Switch 2 and 3. (Bug ID: N/A)
39. During software upgrade between minor versions password was required. This is fixed for updates from this version on. (Bug ID: N/A)
40. New information has been added to the system device-info command output: network driver version, health monitoring module version, active and secondary boot version. (Bug ID: N/A)
41. When upgrading a device with a file-system, and there is not enough free space on the flash, the device generated an error message. During software upgrades the device now erases the old version in case there is not enough space on the flash. (Bug ID: 1082)

42. A spelling mistake was fixed in CLI output: "Couldn't prepare temporary directory cm:/TARTMP for tar extration." (extration instead of extraction). (Bug ID: N/A)
43. In rare conditions, Application Switch 2 and Application Switch 3 Strata Flash (Internal Flash) would lose its content upon frequent reboots. (Bug ID: 1424, 1489)
44. Application Switch 2 and Application Switch 3 device would suddenly crash with the following error: "Warning: Non-formatted Strata Flash media. (Bug ID: 1489)
45. Please, prepare Strata Flash for File System ('z') and execute DOS format ('y')".
46. On Application Switch 3 with 9 Giga Ports (Fireproof on Voyager only) when one port which was part of Static Forwarding ports was down, the device did not fail to second port. (Bug ID: N/A)
47. On Application Switch 3 the 10G port did not work properly. (Bug ID: N/A)
48. When bandwidth management per traffic flow was used, the device occasionally crashed. (Bug ID: 1487)
49. Fixed in Generic 10.00-00.13a: When Protocol Discovery was enabled and the device did not have enough memory, the device crashed with a fatal error: Fatal Error: No Memory available to create statistics table. (Bug ID: 1433)
50. Fixed in Generic 10.00-00.13a: When Bandwidth Management was configured to block or limit eDonkey traffic the CPU was overloaded. (Bug ID: 1476)
51. Fixed in Generic 10.00-00.13a: When updating policies, sometimes the device crashed with a fatal error: "Fatal Error: Accelerator: 0, CPU: 0, no longer responding". (Bug ID: 1511)
52. Fixed in Generic 10.00-00.13a: The device would become inaccessible via Telnet or SSH, if multiple successive attempts to login were done by the user. (Bug ID: 1481)
53. When using LP Branch VPN gateway, if the VPN Rule local subnet (for example 10.2.1.0) was included in the same VPN Rule remote subnet (for example 10.0.0.0) the device didn't reply to messages sent to its IP belonging to the local subnet, because it recognized the session as VPN session. (Bug ID: N/A)
54. After reset the default status of virtual tunnels (Virtual Tunneling functionality) was active. A flag has been added now (available only via CLI) that allows to determine the initial status of the virtual tunnel: Active (default) or Not-In-service (NIS). If initial status is Not-in-service, the virtual tunnel status will be updated to active only after tunnel health monitoring checks are successfully completed. The CLI command to change the initial status of the virtual tunnel is lp vir-tunnel tweaks vt-init-oper-stat. (Bug ID: N/A)
    Notes:
    1. The new flag is manageable only via CLI.
    2. The new flag's value is not kept during upload or download of the configuration.
55. When a virtual tunnel was defined, health monitoring checks were created even if global Health Monitoring status was Disable. (Bug ID: N/A)
56. After reboot device did not send ARPs via the last physical port. (Bug ID: N/A)
57. In VLAN redundancy configuration, in case the device interface grouping parameter is enabled and some of the interfaces in VLAN are disconnected or/and connected, the device did not detect the port status change. (Bug ID: N/A)
58. Device hung - no CLI, no ping reply, no management at all after changing the configuration of VRRP settings. (Bug ID: 1559)
59. Fixed in AS 1.51.11: Anti scanning problem: sometimes the device detected scanning attempt but did not block the attack. (Bug ID: N/A)

Fixed in version 4.35.02


1. The number of VPN tunnels supported has been increased to 30 (previously it was 10). (Bug ID: N/A)
2. Backup gateways configured for a VPN Rule were not saved in the configuration. As a result, the backup gateways were lost during the configuration upload/download process. (Bug ID: N/A)
3. The Keep Alive interval could accept negative values. (Bug ID: N/A)
4. The CLI command system config was not displaying the VPN commands in the correct order. (Bug ID: N/A)
5. When VPN functionality was enabled, the proprietary redundancy mechanism did not work properly. (Bug ID: N/A)
6. Configuration that included Switch IP VLAN could not be uploaded to the device. (Bug ID: 1346)
7. On Application Switch 3 a single network processor was activated, causing performance degradation. (Bug ID: 1327)
8. Device working in VRRP redundancy mode with priority 255 was not sending ARP requests. (Bug ID: 1158)
9. On Web Based Management there was a spelling mistake in the name of the DNS Virtual IP menu (under LinkProof/DNS Configuration). (Bug ID: 1318)
10. If a DNS request for a record type not supported by the device was received (such as an MX record), the device was not answering. Now the device will answer that the record type is not supported. The device will answer with Authoritative Answer 0, which specifies that the responding name server is not an authority for the domain name in question. Return code is set to 0 ("No error"), meaning that the request was completed successfully. (Bug ID: N/A)
11. The device will answer only if the specified URL is configured on the device. If the URL is not configured, the device will continue not to answer. (Bug ID: 1272)
12. In redundancy configurations where VLAN was used, after redundancy was enforced twice, messages sent by the device to the email server or syslog server did not reach their destination (the server MAC was learnt on the wrong physical port). (Bug ID: N/A)
13. The maximum number of SNMP communities supported by the device was increased from 16 to 256. (Bug ID: N/A)
14. Fixed in network driver: When Interface Grouping was enabled and a port, with the negotiation mode set to off, became unavailable, the device switched off all other interfaces, but the LEDs remained illuminated. (Bug ID: N/A)
15. Fixed in network driver: When Interface Grouping was enabled and the Interface Admin Status of a port, with negotiation mode set to off, was changed to "Down", the LED remained illuminated. (Bug ID: N/A)
16. Fixed in network driver: Application Switch 2 with 7 Giga ports did not detect changes in link status on ports 5-7. As a result it did not detect that the links were up and did not forward traffic to those ports. (Bug ID: 1300)
17. Fixed in BSP: Sometimes, the device did not write correctly to the Strata Flash (Internal Flash). (Bug ID: N/A)
18. In Virtual Tunneling configurations, when one tunnel was down, all the clients that used any virtual tunnel were deleted, not only those using the failed tunnel. (Bug ID: N/A)
19. When the device crashes due to a Fatal Error, the error is now logged into the NVRAM, rather than the Flash memory. After the device is reloaded, the application copies the log to the Flash. (Bug ID: N/A)
20. The Network Processors on Application Switch 3 could occasionally crash and stop responding. (Bug ID: N/A)
21. Application Switch 3 with port rules configuration occasionally stopped forwarding traffic. (Bug ID: N/A)
22. If the value of the SYN Flood Protection parameter was changed, when trying to retrieve the configuration file from the device using WBM, the following error message was displayed: "Error 10 in loading configuration - variable number 01 of SNMP packet 001, variable name unknown". (Bug ID: N/A)
23. On Application Switch 3, when Static NAT was performed for local traffic, the following message appeared: "WARNING: reaPrepareFlowEntry - Unexpected Configuration (2)!!" (Bug ID: N/A)
24. When an Application Switch 3 device had a very large number of entries in the ARP table, the device would stop forwarding traffic. (Bug ID: 1328)
25. Fixed in BSP: In some cases, during software upgrades (or downgrades) on Application Switch 2 and 3, the boot upgrade failed. (Bug ID: N/A)
26. Fixed in BSP: In previous versions of BSP, configuration changes were saved to the Compact Flash every second (on Application Switch 2 and 3). Now BSP saves the changes to the Compact Flash immediately. (Bug ID: 1166)
27. Health Monitoring module fixes: Fixed in Generic 10.00-00.10: (Bug ID: N/A)
    a. Username and Password field sizes were limited to 20 characters for HTTP and SSL checks. This Health Monitoring Module version enlarges the size of each field to 80 characters. Please note that the total size of all fields cannot exceed 80 characters.
    b. The Health Monitoring Module used to send a trap with an "info" severity when a health check failed. Starting with this version the "warning" severity is used when a check fails and "info" severity is used when a check passes.
    c. In some cases, when the user pasted a configuration file to the device with CDBSET commands and TCP User Defined health checks were in use, the device crashed with a Fatal Error.
    d. When the Health Monitoring Module was using DNS and SNMP checks, it would not reuse the UDP ports. When all the UDP ports were already in use, the device stopped performing DNS and SNMP checks and generated the following trap: "ERROR UDPP_alloc_free_port: no free ports."
    e. When hundreds of health checks were in use, occasionally the device would stop performing health checks.
28. Terminal module fixes: Fixed in Generic 10.00-00.10:
    a. The "system config" command was missing flags and command parts. (Bug ID: 1332)
    b. Using the CLI command "system paste-config" while the device had several hundred configured objects, the following errors occurred: "TCP: No more packets", and the Telnet / SSH sessions were disconnected. (Bug ID: 1265)
    c. The last physical port was not visible in the output of the CLI command "management management-ports". (Bug ID: N/A)
    d. The device would hang if the user entered the " ' " character (a single quote in the Hebrew language character set) in the device login or prompt. (Bug ID: N/A)
    e. In some cases, when the output of messages was too long, the device crashed. (Bug ID: N/A)
29. When the majority of the traffic to the device was Telnet sessions, the device generated the following error message: "tnp_text_handler: no more buffers". (Bug ID: 1325)
30. Help for CLI commands "manage snmp versions" and "manage snmp versions (Bug ID: N/A)
31. Fixed in Generic 10.0:0: Downloading configurations from the device using Configware Insite, using a long file name (more than 100 characters), caused the device to crash with a fatal error: (Bug ID: 1290)
32. Bandwidth Management module fixes: Fixed in Generic 10.00-00.10:
    a. In some cases BWM rules resulted in false positives, and blocked legitimate sessions or packets. (Bug ID: 1319)
    b. In order to improve performance and classification speed, the FastTrack filter is now using the OMPC mechanism instead of URL search. (Bug ID: N/A)
    c. In cases where the first fragmented IP packet that contained a TCP header was not the first session packet, the device did not classify the packet correctly. (Bug ID: N/A)
    d. When Bandwidth Management was used and there was a policy with a specific IP address in the source network or in the destination network, the device would crash. (Bug ID: 1371, 1376)
    e. Bandwidth Management Tuning and Session table were not available without a SynApps license. The users could not tune the Bandwidth Management (for number of policies) or the session table. (Bug ID: 1248)
33. Protocol Statistics module fixes: Fixed in Generic 10.00-00.10: (Bug ID: N/A)
    a. When Bandwidth Management was Disabled and Protocol Statistics was Enabled, the device would crash after the "Update Policy" action.
    b. A new memory protection is used in order to verify that the device has enough memory for the Protocol Statistics Module.
    c. When the Protocol Statistics table was full, the device continuously sent traps notifying the user about it.
34. Application Security fixes: Fixed in Application Security 1.51.10:
    a. In some rare cases the device stopped responding to management commands via SNMP, WEB, SSL, SSH, Telnet, CLI. Static forwarding ports, however, did continue to operate normally. (Bug ID: 1398)
    b. Sometimes, using CWIS, it was not possible to retrieve the device security log file when using TFTP. (Bug ID: 1355)
    c. CLI printouts of internal Application Security tables could not be interrupted. (Bug ID: 1399)
    d. On the AS-III platform, setting attack filters to match SYN packets did not block the attacks. (Bug ID: 1368)
    e. When the application security global action mode was set to forward, port-scanning filters continued to block scanning traffic. (Bug ID: 1322)

Fixed in version 4.35.01


1. This version allows application software to support multiple boot versions. The config.ini file defines the lowest boot version supported (BootRomVersion) and the highest boot version supported (BootRomVersionInPackage). If the current boot version on the device is within these parameters, no boot upgrade is required. (Bug ID: N/A)
2. In VLAN configurations, when BWM was enabled, the device would occasionally crash in task L2. (Bug ID: 1161)
3. When using the proprietary redundancy mechanism with Backup Fake ARP functionality enabled, the following problem was observed: when the main device came up, the advertisements sent by the backup device on behalf of the main device did not include the Virtual DNS address. Instead of the Virtual DNS address, an address equal to the highest Static NAT address plus one was advertised. (Bug ID: 1244)
4. In some cases when backup interface grouping was enabled, the backup device was reporting some of the interfaces as active. If broadcast was heard from the main device the backup device replied directly to the main that the interface belonged to. This confused some L3 switches and the redundancy was broken. (Bug ID: 1239)
5. In some cases, usually in VLAN configuration, destination grouping entries could not be added. The following error message was observed: "DSGRP_add_dest_subnet: NULL default destination subnet". (Bug ID: 1246)
6. The flag Use grouping decision inside proximity was checked even when proximity was disabled. This caused the DNS reply to always use the NHR from which the request arrived. (Bug ID: N/A)
7. In VRRP configurations, when the active device changed, traps were sent to all management interfaces for each associated IP. In cases where there were large numbers of associated IPs, the large number of traps sent every time the active device changed was problematic. A flag is now available via the CLI interface that allows disabling these messages. If the flag redundancy vrrp ms-per-ip is disabled, the only trap received will be the one announcing the new active VRID. The flag is enabled by default. (Bug ID: N/A)
8. If Use Port Rules in Advertisement was enabled for RIP or OSPF routing, the device would occasionally crash. (Bug ID: N/A)
9. The messages of the SNMP traps for NTP and VRRP errors were incorrect and did not match the Syslog messages. (Bug ID: 1163)

10. Device was occasionally sending incorrect warning messages regarding NTP (server unsynchronized according to leap indicator and Stratum unspecified). (Bug ID: 1014)
11. Terminal module fixes: Fixed in Terminal Module:
    a. When using the CLI command "system config", the device might have crashed with the following message: "Fatal Error: termCfgFilePrintf: text is too long." (Bug ID: 1001)
    b. When the manage terminal trap-outputs command was used, it was not saved as part of the configuration and returned to its default value after reboot. (Bug ID: 1148)
    c. Security risk in the terminal login page allowed users to exploit a possible vulnerability. (Bug ID: N/A)
    d. Using the CLI command to check memory usage of device internal modules, such as web, SSH, Terminal and others, occasionally showed negative values. (Bug ID: N/A)
    e. Using the CLI command "system paste-config" while the device had several hundred configured objects, the following errors occurred: "TCP: No more packets", and the Telnet / SSH sessions were disconnected. (Bug ID: 1265)
f. Problems were encountered in certain units due to new strataflash technology: the application failed during boot up. (Bug ID: 1018)
g. Device upgrade via Secure WBM interface failed. (Bug ID: 996)
h. In certain cases it was not possible to delete a Local Service entry from Virtual tunneling tables. The following message was displayed: "Error: resource unavailable." (Bug ID: N/A)
i. Virtual Tunneling fixes:
    a. When Dispatch Method was set to Cyclic and more than one NHR was defined as backup, only the first backup NHR was ever selected. (Bug ID: N/A)
    b. TRP was not working properly; it only kept TRP data for one tunnel per remote station. (Bug ID: 1108)
    c. When Dispatch Method was set to a value other than Cyclic and Hash (weight dispatch method) for the local device and an NHR was defined as backup, destination grouping was not applied properly. (Bug ID: N/A)
    d. When Dispatch Method was Cyclic for both local and remote devices, tunnels whose VT Mode was Backup-Backup were never selected. (Bug ID: N/A)
    e. When Dispatch Method was set to a value other than Cyclic and Hash for the local device, the local NHR load was not taken into consideration. (Bug ID: N/A)
    f. The Dispatch Method on the local device now determines the remote link selection: if the local Dispatch Method is set to a value other than Hash, the remote link selection will use Cyclic mode; if the local Dispatch Method is set to Hash, the remote link selection will use Hash mode. The Remote Link Weight parameter is now obsolete and has been removed.
j. Bandwidth Management fixes: Fixed in Bandwidth Management:
    a. Bandwidth Management module was identifying traffic it monitored as belonging to the wrong port. (Bug ID: N/A)
    b. When SYN protection was enabled, packets were forwarded with wrong sequence/ack numbers. This could cause session disconnection. (Bug ID: N/A)
    c. When SYN protection and BWM were enabled, performance was affected excessively. (Bug ID: N/A)
    d. When the group to which a policy belonged was changed, after the Update Policies command, all change attempts to any policy parameter resulted in an error. (Bug ID: N/A)
    e. If the Dynamic Borrowing parameter was enabled though Classification was disabled, the device would be in an infinite loop. (Bug ID: N/A)
    f. Uploading a configuration that included policies and policy groups to a device that had the BWM module disabled failed. (Bug ID: N/A)
    g. The tuning memory check did not take into account the filters assigned to the application security; thus, when the application security was enabled, the device could crash after reboot if not enough memory was available. (Bug ID: N/A)
    h. On Application Switch 3, policies that looked for layer 7 information were not always properly matched. (Bug ID: 1106)
k. When tuning changes for protocol discovery caused lack of memory, after reboot the device would enter an infinite boot loop. (Bug ID: N/A)
l. If the device ran out of entries in the protocol discovery table, the device would crash. (Bug ID: N/A)
m. When Protocol Discovery functionality was enabled, the Update Policies command occasionally caused the device to crash.
n. Fixed in Boot/BSP: Bandwidth limitations enforced by the BWM module on Application Switch 3 did not work due to synchronization problems between master and accelerator CPUs.
Bug ID (items m., n.): 1117
o. CLI command "system file-system copy-to-flash help" would sometimes delete the internal flash. (Bug ID: 1150)
p. Configuration changes that were performed close to a device power switch or power failure were sometimes lost, partially or completely. (Bug ID: 917)
q. CLI display results for "system file-system config act-appl" were misaligned. (Bug ID: 1078)
r. When an Application Switch 3 device was used in redundancy configuration with an Application Switch 2 or Application Switch 1 device and client table mirroring was enabled, a corrupted client table and fatal error were caused in the backup device. (Bug ID: N/A)
s. When the DoS Shield module was enabled in Static forwarding, but no filters were configured, the overload mechanism was sometimes activated even though there were no active filters. (Bug ID: 865)
t. When Source Grouping was configured and Use grouping decision inside proximity was enabled, the proximity did not take into consideration the Source Grouping settings. (Bug ID: N/A)
u. For inbound traffic load balancing the proximity data was not taken into consideration. (Bug ID: N/A)
v. Configuration upload/download failed if VLAN was defined. (Bug ID: N/A)

Fixed in version 4.35.00


1. Health Monitoring module fixes: Fixed in Health Monitoring Module:
    a. Using TCP User Defined and creating a packet sequence with more than 512 characters, the device ignored the string without any error message. (Bug ID: 997)
    b. In some cases, after editing a string of a TCP User Defined packet sequence, the data moved from the "string" field to the "description" field and from the "Regular Expression" field to the "Sequence String" field. (Bug ID: 1000)
    c. Using a Packet sequence TCP User Defined health check and defining a health check, the device accepted a value of 0 for the destination TCP port, and then displayed the following message: "ERROR cckArgError: bad arg for func contol2". (Bug ID: 1004)
    d. Using TCP User Defined checks, the device does not increase the sequence number after sending packets. (Bug ID: N/A)
    e. Using the Health Monitoring module, the device accepted TCP or UDP port 0 in several checks. (Bug ID: N/A)
2. When the CLI command manage terminal grid-mode set disabled is used, it does not apply in all cases; for example, it does not apply to the system internal driver stat all command. (Bug ID: 878)

Known Limitations

The following are known limitations for this maintenance version:

1. Destination Health Check web page is missing webhelp. (Bug ID: 135405)
2. Application Switch 2 7G with copper Gbics does not recognize link failures. (Bug ID: N/A)
3. If a large number of Static NAT or Basic NAT public addresses is configured (thousands), after a reboot or during the redundancy failover process the device must advertise this large number of IP addresses, and this can cause problems in device functionality. In such cases it is recommended that no configuration changes are performed for the first 5 minutes after reboot, and in case of redundancy the VRRP method is used. (Bug ID: N/A)
4. Insite does not support License Upgrade for LinkProof Branch (it can be performed via the WBM and CLI interfaces). (Bug ID: N/A)
5. On Application Switch 3, ports can only be attached to the pre-defined switched VLAN and not to user-defined switched VLANs. (Bug ID: N/A)
6. On Application Switch 1 platforms that have 8Mb flash, if 4.35.01 and an additional version are loaded on the device, the device boots up slowly because of the small amount of free memory available on the strataflash. The boot up time can be improved by deleting the second (inactive) software version to free memory space. (Bug ID: N/A)
7. On Application Switch 3, queuing, prioritization and bandwidth guarantee capabilities are not supported for accelerated traffic (traffic that is processed by accelerators only). Access control, bandwidth limitations per policies and per traffic flow are supported by ASIII for all types of traffic (accelerated or not). The bandwidth limitation capabilities allow AS3 to provide attack isolation functionality. (Bug ID: N/A)
8. Application Switch 3 cannot work in an 802.1q environment and does not support switched VLAN on Fast Ethernet ports. (Bug ID: N/A)
9. Health checks created automatically (by the Virtual Tunneling or Destination Health Monitoring functions) should not be manually bound to any element. They are automatically bound to the relevant elements. This can cause problems after reboot. (Bug ID: N/A)
10. In the health monitoring module, the "SIP TCP" health check method is not supported. (Bug ID: N/A)
11. In the Health Monitoring Check Table view (via all management tools) the Method of the existing health checks is displayed as a number instead of a string (Ping, HTTP, etc). (Bug ID: N/A)
Versions 4.35.05 and up do not work properly on Application Switch 1 hardware revision 2.40. (Bug ID: N/A)
12. Cluster Server support: supported only in WBM and CLI. (Bug ID: N/A)
13. Force Port Down Feature: supported only in WBM and CLI. (Bug ID: N/A)
14. Client Views: supported only in WBM and CLI. (Bug ID: N/A)
15. Transparent Load Balancing: supported only in WBM and CLI. (Bug ID: N/A)
16. Subnet Persistency Mask Mode: supported only in WBM and CLI. (Bug ID: N/A)
17. New dispatch methods (L3 Hashing, SrcIP Hashing & Customized Hash): supported only in WBM and CLI. (Bug ID: N/A)
18. Mirroring is not supported. (Bug ID: N/A)

2011 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners.
