North America Radware Inc. 575 Corporate Dr., Lobby 1 Mahwah, NJ 07430 Tel: (888) 234-5763 International Radware Ltd. 22 Raoul Wallenberg St. Tel Aviv 69710, Israel Tel: 972 3 766 8666 www.radware.com
These Maintenance Release Notes describe fixes for LinkProof version 4.38.01DL. These fixes are part of the official product code, build 2, date September 27, 2011.
Table of Contents
Supported Platforms and Modules
Maintenance Fixes
Fixed in version 4.38.01DL
Fixed in version 4.38.01
Fixed in version 4.38.00
Fixed in version 4.37.12
Fixed in version 4.37.10
Fixed in version 4.37.09
Fixed in version 4.35.07
Fixed in version 4.35.06
Fixed in version 4.35.05
Fixed in version 4.35.04
Fixed in version 4.35.02
Fixed in version 4.35.01
Fixed in version 4.35.00
Known Limitations
Supported Platforms and Modules
This version is supported by the following platforms:
Note: This version allows the application software to support multiple boot versions. The config.ini file defines the lowest boot version supported (BootRomVersion) and the highest boot version supported (BootRomVersionInPackage). If the current boot version on the device is within these parameters, no boot upgrade is required.
Platform Lowest Boot Version 4.53 4.33 Highest Boot Version 6.01 6.07 Notes and Exceptions
For Application Switches 1 and 2 with a SynApps license, it is recommended to use 256MB with this version. Large BWM and/or Application Security configurations that fit in 128MB in previous versions might require 256MB with this version.
When upgrading Application Switch 1 from version 4.21.02, boot upgrade is required. Use the following procedure:
1. Reboot the device, stop at the countdown and download the new boot version via CLI.
2. After the new boot is uploaded to the device, type ' @ ' (do not reboot the device or change any dip-switch).
3. The device loads the old boot file 4.5x and the old software version 4.21.02. Using CLI or Web Based Management, upgrade the device by sending the .tar file.
4. Once the process ends, the following message is displayed in CLI:
Please toggle DPSW 1 to select another boot bank. Reboot will be performed.
5. Change dip-switch number 1, without turning off the device. The device reboots itself automatically and uploads with the new boot and the new version.
Application Switch 3 Compact Application Switch 6.04 1.3*, 1.4** 6.04 6.012
* Only when upgrading from 4.30.
** Before starting the upgrade procedure from version 3.81.0x, the boot EPROM must be replaced with boot EPROM version 1.4 or higher (it is recommended to ask for the highest boot version supported by the exact bug fix version you are upgrading to). Contact the Radware ordering department for this. If you are upgrading from version 4.30, no boot change is required. For upgrade from version 3.81.x the lowest boot version to be used is 1.43.
For more information on platform specifications, refer to the Installation and Maintenance Guide.
This version includes the following modules: Module Application Security (IPS, DoS and BDoS) APSolute OS Other Supported Version 3.402154 Notes and Exceptions
10.03-01.10 11.05.03
Network Driver
This version is supported by APSolute Insite version 2.85.02 and later.
Maintenance Fixes
The following is a cumulative list of bugs fixed since the release of version 4.38.01DL.
On CAS platforms, Port 1 showed a status of Auto-Negotiation set to "Auto" even after it had been set to "Auto-Off".
43. On an Application Switch 1 platform, when the LPB was in status IDLE, when a remote server attempted to start the IPSec, the LPB debug message "No ISAkMP_SA" was issued. On a CAS platform, every time the VPN went into IDLE status and the remote sites tried to re-establish the VPN tunnel with it, a new IPSec SA started (even with no timeout on the original IPSec SA). The result was the error "no ISAKMP-SA" on the CAS.
44. When loading the configuration file, the BER certification was incorrect. After uploading the configuration file from LinkProof and then trying to send it back, the error message "Error 07 in loading configuration" was generated.
45. When proximity was configured for "Full Proximity - Both", it did not work properly and the Dynamic Proximity table remained empty.
46. When working with cluster servers and trying to delete a cluster, the message "deleted successfully" appeared, although the cluster server was not deleted. (For MIB change please refer to the Release Notes)
10. Some network ranges could not be accepted by Dynamic NAT local IP ranges. The error message "The parameter 'To Local IP' must be an ip address" was generated.
11. When DNS for a local client was enabled and checksum was disabled, if the device received a DNS packet with a checksum of 0, it changed the checksum instead of ignoring it.
12. While using SSH to manage the device, all management access (HTTPS, SSH, Telnet, HTTP, Serial) froze. However, the device continued to process packets.
13. In VPN Configuration when a VPN rule to a specific host was defined, the new rule did not work. The problem was related to the /32 mask defined on the host. (CAS Platform)
14. After configuring destination grouping and adding a destination Health Check, the Health Check failed. The device needed to be rebooted for the Health Check to succeed. (All Platforms)
15. When a configuration file containing an illegal source or destination IP
16. When the fragmentation table reached its limit, a notification message was issued only once. As a result of the fix, the message is now issued every 20 seconds if fragmentation reoccurs. (All Platforms)
17. In a VLAN configuration with NHR, the MAC address of the NHR was missing from the Client table.
18. When working with proprietary redundancy, after the main device rebooted and took over the main position, the device did not forward traffic as expected.
19. When viewing the Client Table in WBM, the CPU reached 100% capacity.
20. When fragmented traffic passed through the device and the fragmentation table was not large, the device throughput was much less than expected. (CAS)
21. When using the FTP passive command and either a NAT or VIP was changed, during retransmission the device handled the TCP sequence and ACK numbers incorrectly.
22. When NAT was enabled and traffic was set for a specific NHR, if the 'exclude static NAT' flag was disabled, the NAT translation was to an incorrect NHR. (All Platforms)
23. When NAT was enabled and the 'exclude static NAT' flag was disabled, traffic was sent to a specific NHR, but the NAT translation was set to a different NHR. (All Platforms)
24. When processing VPN traffic, when ICMP was forwarded to the device, the device crashed. (CAS)
25. While opening an SSH & SNMP session concurrently, the device console froze, but the device continued to process packets. (AS2)
26. Under the following conditions, the device crashed:
- ARP table clean (after the device was booted or a manual cleanup)
- ARP Aging time is very short
Unknown ARP requests were put in the 'ARP waiting list'. The device started to lose buffers until it crashed. (All platforms)
27. After issuing the 'manage management-port' command from the CLI,
28. When a session began with the first packet sent by a server, the application-aging-time was calculated incorrectly according to the source port instead of the destination port. This resulted in various sessions disconnecting as these sessions used the global aging time instead of the configured aging time. The problem was identified on MS Terminal Server connections (RDP - TCP port 3389).
29. LP device did not respond to Telnet command (Insite and WBM were still working).
10. When using VPN, the device froze after several hours of operation.
11. When Mirroring was used, both the primary and backup devices crashed.
10. In a redundancy configuration where the management port is excluded from interface grouping, if no access via the management port was attempted before interface grouping was activated on the device (due to a failed interface), no management access was available once interface grouping was activated, even though the management port did not participate in interface grouping.
11. After a device reset, previously configured Destination Health Checks would fail.
12. Device upgrade via TFTP (from Insite) would occasionally cause fatal
13. Occasionally the device would forward sessions without Dynamic NAT. This occurred on Application Switch 3 only.
14. LinkProof Branch with VPN license would in certain instances crash when it received fragmented IPSEC packets.
15. The values of an NHR warm-up and recovery time were not visible in the output of the system config command.
16. Device sent ARP requests with VLAN MAC as the sender MAC (instead of the physical port's MAC address).
17. OSPF multicast was dropped, causing the OSPF protocol to fail.
18. Device would sometimes crash when configuration was downloaded from the device via TFTP.
19. Device would occasionally crash when deleting an IP VLAN while under heavy traffic.
20. Software upgrade to version 4.35.07 on an Application Switch 1 version 2 platform required entering a password from the console.
21. NAT was not performed for passive FTP sessions where the FTP server replied with "passive mode entered" and not "entering passive mode".
22. When a user attempted to delete an NHR that was defined as the default gateway for the device, the message provided was unclear as to the reason why the command failed.
23. When an FTP control session packet arrived with an LP Dynamic NAT IP as its destination address and a destination port that was already allocated to an ICMP session, the device would crash.
24. Application Switch 3 would occasionally crash under heavy traffic with the message "Fatal Error: REAP_dsptchr_clnt_tbl_add_entry inconsistent client data" due to an error in clearing client table entries. Application Switch 3 devices crashed after 248 days, 13 hours, 13 minutes, 50 seconds due to overflow of timer.
25. Device would crash when the "snmp get rsMLRBRNatHealthmonitoroperstatus.0" command was performed from a MIB browser.
26. Dynamic ARP table entries were deleted before the aging time if the ARP table aging time was set to values greater than 21,000,000 seconds.
27. The device crashed if user tried to attach IP address to a non-IP VLAN
28. Generic fixes
Fixed in Generic 10.02-00.15:
a. Health monitoring module did not allow configuring health checks with an empty password.
b. When TCP User Defined health check was in use, received packets with binary matching were not matched correctly.
c. In some cases, when HTTP or HTTPS check was in use and all the check's arguments were configured, it was not possible to edit the argument.
d. When multiple health checks with the ARP method were configured with the same destination IP address, it was not possible to delete any of them.
e. The device did not issue the reboot notification via Telnet and SSH when the status of a feature that requires a reboot was changed. The device notified only via the serial console.
f. In some Read-Only tables, the device displayed a "Delete" column with an option to mark entries for deletion in the Web Based Management.
g. In some cases the device did not display the "Set" button in the Web Based Management.
h. Occasionally if the user tried to download a configuration file via WBM, the download process would abort and the following error message would appear: "tcp:no more packets".
i. Occasionally after sending a script via a Telnet session to the device, the Telnet session would disconnect and the following error messages would appear: "tnp_text_handler: No buffers. Text discarded". If the user then tried to reconnect to the device via Telnet the connection would not succeed and the following error message would appear: "TELNET: New server connection refused. No buffer".
j. Occasionally, when trying to download the support file via WBM, only part of the file would be downloaded.
k. Occasionally, logins to Telnet, SSH or WBM were reported to the console.
29. BSP fixes:
a. Creation of a new directory in the file-system using the CLI command "system file-system files mkdir" and a wrong path name caused the device to freeze.
b. During the software upgrade, using a TAR file of an incorrect platform caused the upgrade to fail with no error message. A new test is now done in order to verify that the TAR file matches the hardware platform.
c. Starting with BOOT version 6.06, Application Switch 2 supports automatic boot PROM burning during the software upgrade process. Notes: In order to be able to perform automatic upgrades to AS2, BOOT 6.06 must be burnt manually. Upgrading from 6.06 to future versions will be done automatically. Automatic Software upgrade is supported on hardware revisions 4.45, 4.50 and above.
d. After stopping the INIT of the Application Switch 3 device and choosing to load the application from the compact flash, the device generated the following error message: "Invalid value 1 for the NewApplication".
30. Fixed in IDS 1.53.20: The summarized security log doesn't display the right info when multiple source IPs are used. In addition, source IPs of heavy attacks are displayed inaccurately.
31. VRRP configurations with VLAN did not work properly due to the fact that when the main device failed and the VLAN was disabled (interface grouping) the physical ports of the VLAN were not physically disconnected. The switch to which physical ports of the VLAN interface were connected did not clear its MAC tables and continued to send traffic to the main device though it had become inactive. To fix this the Force Port Down feature was added. Please see the relevant section in the user guide for details and limitations.
10. Device crashed after entering the command net ospf parameters lsa
11. When an FTP control session packet arrived with an LP Dynamic NAT IP as its destination address and a destination port that was already allocated to an ICMP session, the device would crash.
12. In certain instances, problems with client table mirroring of FTP sessions (redundant configurations) occurred, creating inconsistencies in the client table and causing the device to crash.
13. Basic NAT range was limited to 70,000 entries; it has now been increased to 2^24-1.
14. Via CLI, illegal configurations of Basic NAT were allowed, causing device failure after a reboot event.
15. When using DNS health checks, if the DNS response contained 2 answers (CNAME and A record), a fatal error would occur.
16. Qmail servers would discard the mail alerts (traps) sent by the device.
17. Support for a license that limits throughput to 100 Mbps was added. This license is available on Application Switch 1 only.
18. Fixed in Network Driver: Application Switch 1 version 2 supported both cross and straight cable. Starting with this version, Application Switch 1 version 2 supports only crossover cables.
19. Fixed in Network Driver: Application Switch 2 lost synchronization with copper GBICs upon reboots.
a. Configuring 10 security policies or more caused the device to crash.
b. When adding or removing attacks from a policy that includes a user-defined attack, the device reported an error "couldn't delete dummy classification entry".
c. Update Policy command performed via Configware Insite could cause device to crash.
26. Telnet session hung up when a large client table was displayed.
27. Dynamic host name definition was recorded in the configuration as a regular host name entry with corrupted URL.
28. DNS for Local Clients capability was not working when the request source and destination UDP ports were the same.
29. If the length of the Virtual Tunneling remote service name was longer than 14 characters the device sent the following messages: "Problem in create tunnels" / "Tunnel health monitoring description problem (1)". The supported length was increased to 20 characters.
30. Could not add VLAN tag to a VLAN interface.
31. VLAN tag max value (4095) could not be set.
32. The options date and time were missing from the system CLI menu.
33. If device reboot was performed after date/time change a warning
34. When adding a VPN rule via Insite, the following message appeared on CLI: "Problem to get the next tunnel entry: remote service not match."
35. A message was received on LinkProof Application Switch 3, software version 4.21.07, that the number of free client table entries is larger than the total number of client table entries configured, followed by device crash.
36. When upgrading the device via Configware Insite, the password was verified only after the file was downloaded to the device. The password is now verified at the beginning of the process, to save time in case of an incorrect password.
37. 802.1q environment support (VLAN environment) could not be enabled (after reboot, the functionality would still be disabled).
38. Destination health monitoring functionality did not work: automatic health checks were not created, causing a loop after first device reboot.
39. Personality change for NFR units (not for resale) between products such as DP to LP is problematic.
40. System uptime readings did not change over time.
41. Classification did not work properly with one way Layer 4 Bandwidth Management policies.
42. Device crashed when trying to edit/add a VPN rule via CWI.
43. Problems with SW Download via the WBM. No indication is received that download finished. SW download started again without user request.
44. Error message appeared on CLI after using command: lp global clienttable aging-time set 100.
45. When a fragmented IPSec packet would arrive to the Integrated VPN gateway on the LinkProof Branch, an ICMP error was sent to the source VPN gateway to stop sending fragmented packets and reduce MTU. Some gateways recognize this message and act accordingly and some do not. In this version the fragmented message is reassembled and decrypted in order to find the IP address of the originating client, and an ICMP error message asking it to lower its MTU is sent to this client. Of course the message is encrypted and sent via the source VPN gateway. The reassembled and decrypted message is forwarded to the destination if its size is less than the current MTU on the forwarding port.
10. When using Virtual Tunneling between two sites in certain configurations, the tunnel health was not detected correctly (one site detected tunnel as active while the other side detected it as failed) causing the traffic for this tunnel to fail permanently.
11. If an ARP packet was received from a subnet not defined on the device, the device did not answer. Now it will answer, if a routing entry to that subnet is defined.
12. Dual power supply is supported on Application Switch 2 and 3.
13. During software upgrade between minor versions a password was required. This is fixed for updates from this version on.
14. New information has been added to the system device-info command output: network driver version, health monitoring module version, active and secondary boot version.
15. When upgrading a device with a file-system, and there is not enough free space on the flash, the device generated an error message. During software upgrades the device now erases the old version in case there is
16. A spelling mistake was fixed in CLI output: "Couldn't prepare temporary directory cm:/TARTMP for tar extration." (extration instead of extraction).
17. In rare conditions, Application Switch 2 and Application Switch 3 Strata Flash (Internal Flash) would lose its content upon frequent reboots.
18. Application Switch 2 and Application Switch 3 device would suddenly crash with the following error: "Warning: Non-formatted Strata Flash media. Please, prepare Strata Flash for File System ('z') and execute DOS format ('y')"
19. On Application Switch 3 with 9 Giga Ports (Fireproof on Voyager only) when one port which was part of Static Forwarding ports was down, the device did not fail to second port.
20. On Application Switch 3 the 10G port did not work properly.
21. When bandwidth management per traffic flow was used, the device occasionally crashed.
22. Fixed in Generic 10.00-00.13a: When Protocol Discovery was enabled and the device did not have enough memory, the device crashed with a fatal error: Fatal Error: No Memory available to create statistics table.
23. Fixed in Generic 10.00-00.13a: When Bandwidth Management was configured to block or limit eDonkey traffic the CPU was overloaded.
24. Fixed in Generic 10.00-00.13a: When updating policies, sometimes the device crashed with a fatal error: "Fatal Error: Accelerator: 0, CPU: 0, no longer responding".
25. Fixed in Generic 10.00-00.13a: The device would become inaccessible via Telnet or SSH, if multiple successive attempts to login were done by the user.
26. When using LP Branch VPN gateway, if the VPN Rule local subnet (for example 10.2.1.0) was included in the same VPN Rule remote subnet (for example 10.0.0.0) the device didn't reply to messages sent to its IP belonging to the local subnet, because it recognized the session as VPN session.
27. Occasionally an FTP session where many data sessions were attached to the same control session would cause the device to crash
42. A spelling mistake was fixed in CLI output: "Couldn't prepare temporary directory cm:/TARTMP for tar extration." (extration instead of extraction).
43. In rare conditions, Application Switch 2 and Application Switch 3 Strata Flash (Internal Flash) would lose its content upon frequent reboots.
44. Application Switch 2 and Application Switch 3 device would suddenly crash with the following error: "Warning: Non-formatted Strata Flash media.
45. Please, prepare Strata Flash for File System ('z') and execute DOS format ('y')".
46. On Application Switch 3 with 9 Giga Ports (Fireproof on Voyager only) when one port which was part of Static Forwarding ports was down, the device did not fail to second port.
47. On Application Switch 3 the 10G port did not work properly.
48. When bandwidth management per traffic flow was used, the device occasionally crashed.
49. Fixed in Generic 10.00-00.13a: When Protocol Discovery was enabled and the device did not have enough memory, the device crashed with a fatal error: Fatal Error: No Memory available to create statistics table.
50. Fixed in Generic 10.00-00.13a: When Bandwidth Management was configured to block or limit eDonkey traffic the CPU was overloaded.
51. Fixed in Generic 10.00-00.13a: When updating policies, sometimes the device crashed with a fatal error: "Fatal Error: Accelerator: 0, CPU: 0, no longer responding".
52. Fixed in Generic 10.00-00.13a: The device would become inaccessible via Telnet or SSH, if multiple successive attempts to login were done by the user.
53. When using LP Branch VPN gateway, if the VPN Rule local subnet (for example 10.2.1.0) was included in the same VPN Rule remote subnet (for example 10.0.0.0) the device didn't reply to messages sent to its IP belonging to the local subnet, because it recognized the session as VPN session.
54. After reset the default status of virtual tunnels (Virtual Tunneling functionality) was active. A flag has been added now (available only via
10. If a DNS request for a record type not supported by the device was received (such as MX record), the device was not answering. Now the device will answer that the record type is not supported. The device will answer with Authoritative Answer 0, which specifies that the responding name server is not an authority for the domain name in question. Return code is set to 0 (No error), meaning that the request was completed successfully.
11. The device will answer only if the specified URL is configured on the device. If the URL is not configured then the device will continue not to answer.
12. In redundancy configurations where VLAN was used, after redundancy is enforced twice, messages sent by the device to email server or syslog server did not reach their destination (the server MAC was learnt on the wrong physical port).
13. The maximum number of SNMP communities supported by the device was increased from 16 to 256.
14. Fixed in network driver: When Interface Grouping was enabled and a port, with the negotiation mode set to off, became unavailable, the device switched off all other interfaces, but the LEDs remained illuminated.
15. Fixed in network driver: When Interface Grouping was enabled and the Interface Admin Status of a port, with negotiation mode set to off, was changed to "Down" the LED remained illuminated.
16. Fixed in network driver: Application Switch 2 with 7 Giga ports did not detect changes in link status on ports 5-7. As a result it did not detect that the links are up and did not forward traffic to those ports.
17. Fixed in BSP: Sometimes, the device did not write correctly to the Strata Flash (Internal Flash).
18. In Virtual Tunneling configurations when one tunnel was down, all the
19. When the device crashes due to a Fatal Error, the error is now logged into the NVRAM, rather than the Flash memory. After the device is reloaded, the application copies the log to the Flash.
20. The Network Processors on Application Switch 3 could occasionally crash and stop responding.
21. Application Switch 3 with port rules configuration occasionally stopped forwarding traffic.
22. If the value of the SYN Flood Protection parameter was changed, when trying to retrieve configuration file from the device using WBM, the following error message was displayed: Error 10 in loading configuration - variable number 01 of SNMP packet 001, variable name unknown.
23. On Application Switch 3 device when Static NAT was performed for local traffic the following message appeared: WARNING: reaPrepareFlowEntry - Unexpected Configuration (2)!!
24. When Application Switch 3 device had a very large number of entries in the ARP table, the device would stop forwarding traffic.
25. Fixed in BSP: In some cases, during software upgrades (or downgrades) on Application Switch 2 and 3, the boot upgrade failed.
26. Fixed in BSP: In previous versions of BSP, configuration changes were saved to the Compact Flash every second (on Application Switch 2 and 3). Now BSP saves the changes to the Compact Flash immediately.
27. Health Monitoring module fixes:
Fixed in Generic 10.00-00.10:
a. Username and Password fields size were limited to 20 characters for HTTP and SSL checks. This Health Monitoring Module version enlarges the size of each field to 80 characters. Please note that the total size of all fields cannot exceed 80 characters.
b. The Health Monitoring Module used to send a trap with an "info" severity when a health check failed. Starting with this version the "warning" severity is used when a check fails and "info" severity is used when a check passes.
c. In some cases, when the user pasted a configuration file to the device with CDBSET commands and TCP User Defined health
28. Terminal module fixes:
Fixed in Generic 10.00-00.10:
a. The "system config" command was missing flags and command parts.
b. Using the CLI command "system paste-config" while the device has several hundreds of configured objects, the following errors occurred: "TCP: No more packets ", and the Telnet / SSH sessions were disconnected.
c. The last physical port was not visible in the output of the CLI command "management management-ports".
d. The device would hang if the user entered the " ' " character (a single quote in the Hebrew language character set) in the device login or prompt.
e. In some cases, when the output of messages was too long, the device crashed.
29. When the majority of the traffic to the device was Telnet Sessions, the device generated the following error message: "tnp_text_handler: no more buffers".
30. Help for CLI commands "manage snmp versions" and "manage snmp versions
31. Fixed in Generic 10.0:0: Downloading configurations from the device using Configware Insite, using long file name (more than 100 characters), caused the device to crash with a fatal error:
32. Bandwidth Management module fixes:
Fixed in Generic 10.00-00.10:
a. In some cases BWM rules resulted in false positives, and blocked legitimate sessions or packets.
33. Protocol Statistics module fixes: (Bug ID: N/A)
Fixed in Generic 10.00-00.10:
a. When Bandwidth Management was Disabled, and Protocol Statistics was Enabled, the device would crash after "Update Policy" action.
b. A new memory protection is used in order to verify that the device has enough memory for Protocol Statistics Module.
c. When Protocol Statistic table was full the device continuously sent traps notifying the user about it.
34. Application Security fixes:
Fixed in Application Security 1.51.10:
a. In some rare cases the device stopped responding to management commands via SNMP, WEB, SSL, SSH, Telnet, CLI. Static forwarding ports however did continue to operate normally.
b. Sometimes using CWIS it was not possible to retrieve the device security log file when using TFTP.
c. CLI printouts of internal Application Security tables could not be interrupted.
d. On AS-III platform setting attack filters to match SYN packets did not block the attacks.
e. When application security global action mode was set to forward, port-scanning filters continued to block scanning traffic.
Bug ID: a. 1398 b. 1355 c. 1399 d. 1368 e. 1322
Bug ID N/A
Item 2: Bug ID 1161
Item 3: Bug ID 1244
Item 4: Bug ID 1239
Item 5: Bug ID 1246
Item 6: Bug ID N/A
Item 7: Bug ID N/A
Item 8: Bug ID N/A
Item 9: Bug ID 1163
Bug ID 1014
m. When Protocol Discovery functionality was enabled, the Update Policies command occasionally caused the device to crash.
n. Fixed in Boot/BSP: Bandwidth limitations enforced by the BWM module on Application Switch 3 did not work due to synchronization problems between the master and accelerator CPUs. The CLI command "system file-system copy-to-flash help" would sometimes delete the internal flash. Configuration changes that were performed close to a device power switch or power failure were sometimes lost, partially or completely. CLI display results for "system file-system config act-appl" were misaligned. When an Application Switch 3 device was used in a redundancy configuration with an Application Switch 2 or Application Switch 1 device and client table mirroring was enabled, a corrupted client table and a fatal error were caused in the backup device. When the DoS Shield module was enabled in Static forwarding but no filters were configured, the overload mechanism was sometimes activated even though there were no active filters. When Source Grouping was configured and "Use grouping decision inside proximity" was enabled, the proximity did not take into consideration the Source Grouping settings. For inbound traffic load balancing the proximity data was not taken into consideration. Configuration upload/download failed if a VLAN was defined.
1117
865
Item 2: Bug ID 878
Known Limitations
The following are known limitations for this maintenance version:
1. Destination Health Check web page is missing webhelp. (Bug ID 135405)
2. Application Switch 2 7G with copper Gbics does not recognize link failures.
3. If a large number (thousands) of Static NAT or Basic NAT public addresses is configured, then after a reboot or during the redundancy failover process the device must advertise this large number of IP addresses, and this can cause problems in device functionality. In such cases it is recommended that no configuration changes are performed for the first 5 minutes after reboot, and that in case of redundancy the VRRP method is used.
4. Insite does not support License Upgrade for LinkProof Branch (it can be performed via the WBM and CLI interfaces).
5. On Application Switch 3, ports can only be attached to pre-defined switched VLANs and not to user-defined switched VLANs.
6. On Application Switch 1 platforms that have 8Mb flash, if 4.35.01 and an additional version are loaded on the device, the device boots up slowly because of the small amount of free memory available on the strataflash. The boot up time can be improved by deleting the second (inactive) software version to free memory space.
7. On Application Switch 3, queuing, prioritization and bandwidth guarantee capabilities are not supported for accelerated traffic (traffic that is processed by accelerators only). Access control, bandwidth limitations per policies and per traffic flow are supported by ASIII for all types of traffic (accelerated or not). The bandwidth limitation capabilities allow AS3 to provide attack isolation functionality.
8. Application Switch 3 cannot work in an 802.1q environment and does not support switched VLAN on Fast Ethernet ports.
9. Health checks created automatically (by the Virtual Tunneling or Destination Health Monitoring functions) should not be manually bound to any element. They are automatically bound to the relevant elements. This can cause problems after reboot.
10. In the health monitoring module, the "SIP TCP" health check method is not supported.
11. In the Health Monitoring Check Table view (via all management tools) the Method of the existing health checks is displayed as a number instead of a string (Ping, HTTP, etc.). Versions 4.35.05 and up do not work properly on Application Switch 1 hardware revision 2.40.
12. Cluster Server is supported only in WBM and CLI.
13. The Force Port Down feature is supported only in WBM and CLI.
14. Client Views are supported only in WBM and CLI.
15. Transparent Load Balancing is supported only in WBM and CLI.
16. Subnet Persistency Mask Mode is supported only in WBM and CLI.
17. New dispatch methods (L3 Hashing, SrcIP Hashing & Customized Hash) are supported only in WBM and CLI.
18. Mirroring is not supported.
2011 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners.