RIVERBED PRODUCT RELEASE NOTES

PRODUCT: STEELHEAD CX
RELEASE DATE: JULY 30, 2015
RIOS VERSION: 9.1.0A
CONTENTS
1)
2)
3)
4)
5)
6)
7)
8)

Supported SteelHead Models

New Features in RiOS 9.1.0
Fixed Problems
Known Issues
Upgrading the RiOS Software version
SteelCentral Controller for SteelHead (SCC) Compatibility
Hardware and Software dependencies
Contacting Riverbed Support

1) SUPPORTED STEELHEAD MODELS

Important: RiOS 9.1.0 supports Riverbed CX models xx50, xx55, and xx70.

2) New Features in RiOS 9.1.0

Web Proxy
A single-ended Web proxy transparently intercepts all traffic bound to the Internet. The
Web proxy improves performance by providing optimization services such as Web object
caching and SSL decryption to enable content caching and logging services.
The efficient caching algorithm provides a significant advantage for video traffic. The benefit
comes in the form of multiple users viewing the same video content, thereby saving
significant WAN bandwidth and providing efficient network use. YouTube caching is handled
as a special case given its growing popularity in the enterprise.

Enhanced Live Video Stream Splitting

RiOS improves video handling with the following enhancements:

The stream splitting cache holds more video fragments for a longer period of time to
account for clients that could be out of sync or slower to play back.

A new report plots the cache hit count over time for a particular live video indicating
the amount of video requests that were served locally from the cache instead of
being fetched over the WAN. The graph also includes a plot for the number of total
live video sessions intercepted.

The ability to enable video stream splitting on a per-host basis. The ability to
selectively enable stream splitting on a particular host ensures that the cache does
not fill up with recreational content.

MAPI over HTTP Support

RiOS now automatically detects and enables bandwidth optimization for the MAPI over HTTP
transport protocol. Microsoft implements the MAPI over HTTP transport protocol in Outlook
2010 update, Outlook 2013 SP1, and Exchange Server 2013 SP1.
For details on MAPI over HTTP support with Outlook 2010, see
https://support.microsoft.com/enus/kb/2878264.

Path Selection with Interceptor

New path selection functionality allows SteelHead appliances to operate with SteelHead
Interceptor appliances in cluster deployments, providing high-scale and high-availability
deployment options. A SteelHead Interceptor cluster is one or more SteelHead Interceptors
collaborating with one or more SteelHeads to select paths dynamically in complex
architectures, working together as a unified system. Path selection dynamically assigns
applications and traffic types (optimized and nonoptimized TCPv4 and UDPv4 traffic) to
specific network paths based on intelligent user policies.

Autonegotiate Multi-stream ICA

A new configuration option enables Citrix Multi-stream without the need to configure it on
the Citrix server. This feature provides application class hints to QoS for the four priority
connections when Citrix Multi-stream is negotiated. The application class hints allow
configuration of true network-based QoS policies to the individual priority groups for the
virtual channel traffic that they carry. This feature also provides the ability to apply path
selection to the individual Citrix priority groups.
Autonegotiate Multi-stream ICA provides support for non-Common Gateway Protocol (nonCGP) (plain ICA) connections with XenApp 6.5 and Citrix receiver for Windows 3.0 or later.

Link Aggregation Compatibility

SteelHeads are now compatible with link aggregation protocols, such as EtherChannel, for
in-path deployments to allow use of multiple links in parallel through a SteelHead. Link
aggregation compatibility allows easier integration into networks with preexisting link
aggregation in place. Using multiple links in parallel maximizes throughput and provides
higher physical redundancy.

DSCP Marking for Out-of-Band (OOB) Control Channel Traffic

An OOB connection is a TCP connection that SteelHeads establish with each other when they
begin optimizing traffic. The SteelHeads use the OOB connection to exchange capabilities
and feature information such as licensing, hostname, RiOS version, and so on. The
SteelHeads also use control channel information to detect failures. You can now mark OOB
connections with a DSCP or ToS IP value to prioritize or classify the Riverbed control channel
traffic, preventing dropped packets in a lossy or congested network to guarantee control
packets will get through and not be subject to unexpected tear down.

In-Path Controller Support for Secure Transport

The secure transport client can now use all available interfaces to connect to the secure
transport controller and establish a secure control channel. By default, the client connects
to the controller using the management interface. You can now enable another interface or
select a specific interface using the Riverbed CLI command stp-client controller in-path
enable.

Expanded Application Support for the Application File Engine (AFE)

The AFE was updated with significant additions to the number of popular applications it
recognizes. SteelHeads can now identify more than 1,400 unique applications.

Performance and Scale Improvements to QoS and Path Selection

The improvements include:

Increased configuration responsiveness and scale, allowing more site definitions on

higher-end SteelHead models. This increase effectively provides unlimited rule
configuration with scalable matching.

QoS and path selection can now handle many more optimized connections per
second without classification errors.

SteelHead SaaS Improvements

This release introduces a new SteelHead Universal SaaS licensing that enables customers to
optimize any number of supported SaaS applications on the same license. Riverbed will
continually add support for new SaaS to the Riverbed Cloud Portal, and any registered
SteelHead running version 9.1.0 will be able to avail of optimization to that SaaS.

3) FIXED PROBLEMS
Problems fixed in version 9.1.0a

238846 Fixed an issue with SMB2 implementation on both the client and server-side
SteelHead to correctly handle blacklisting of the client IP address in the presence of
Windows 10 client talking to different versions of server. The fix ensures that once
the blacklisting happens, future connections from that IP address gets latency
bypassed. Riverbed recommends to upgrade both the client and server-side
SteelHeads with this fix.

Problems fixed in version 9.1.0

92015 Fixed a race condition that caused the AppFlow engine classification to fail
with a navl_conn_init failed: 17 error string in the syslog. This caused the affected
connection to be misclassified.
This race condition occurred when:
o A MFE receives a pure-SYN after the inner connection between the client and
the server SteelHead fails.
o The fw-RST feature is enabled for transparent inner connections.
o Packets ricochet from one in-path interface to another.

100602 Eliminated the error messages which were for internal in the CLI that
appeared when customers used dump commands such as, sysdump or tcpdump.
These errors were harmless.

116348 Fixed a problem seen during stress tests when the SMB2 Client Redirector
Cache is disabled on the client SteelHead. The SMB2 blade reused an old search
pattern associated with a file handle, that was used during SMB2 QUERY/FIND
requests in the process of reusing cached file handles. This fix clears the search
pattern when the file handle is closed from the client SteelHead.

139998 Fixed an issue where the interface link state could go down intermittently
due to spurious interrupts with the MSI-X interrupt scheme. Changed to an MSI
interrupt scheme that allows the system to better handle spurious interrupts.

150590 Fixed an issue where optimization of Microsoft Office 365 connections

through the SteelHead Cloud Accelerator (SCA) would cause delays when Outlook is
first started on a client machine. This happened because Outlook autodiscover
connections that are reset by server were re-established slower than they would
have without SteelHeads, because of a difference in connection entry timeouts. A
hidden command has been introduced to make this interaction with autodiscover
connections better.

154426 Fixed a very rare issue that the caused RiOS optimization service to crash
due to an infinite loop when processing CIFS reads. Please see the KB article S26688
for steps to identify this issue from process dumps.

156420 In rare cases, when enabling the "Object Prefetch Table" on the SteelHead,
there would be page load failures caused by serving stale page data. The expiration
date of cacheable response data was being reset every 12 days. In rare cases, such
responses remained accessible in the cache and would be returned to clients. The
timing mechanism has been corrected by this fix.

157376 The path history in the Connection History report did not list paths in the
correct order when multiple path fail-overs occur in a fraction of a second. The
previously used path was reported first followed by the most recently used path.
This fix enables the path history in the Connection History report to display the
paths based on most recently used at the top and least recently used path at the
bottom.

158949 Fixed an error message so that it is clear that a timeout occurred during the
download of a RiOS image using the secure copy (scp) tool. For clarity, the error
message now starts with "scp timeout:".

159063 Fixed an issue where an internal misconfiguration in QoS shaping might

result in unfairness to a flow with small packets. A large queuing delay might be
observed for small packet flows. The internal misconfiguration in the SFQ quantum
has been fixed.

106732 The Riverbed Support site was changed to display sha256 checksum value
for the SteelHead images. Fixed the CLI command "show images checksum" to show
SHA256 checksum value instead of MD5 checksum value.

161841 Fixed an issue where the heimdal module does not correctly invalidate
closed socket descriptors resulting in a subsequent RiOS crash.

163866 Fixed a rare issue where the optimization service can crash if a MAPI
connection was hitting the Admission Control limit.

163894 Fixed an issue where the QoS deep-packet inspection (DPI) setting for
NetFlow required at least one CascadeFlow collector to be configured. The show
running-config CLI command listed the QoS DPI setting before the collector. If this
output was used to reconfigure the SteelHead, the push for QoS DPI would have
failed. The CLI command, show running-config now recreates the QoS DPI setting
after the NetFlow collector configuration to allow it to check for at least one
configured CascadeFlow collector before enabling QoS DPI.

164769 A thread deadlock race condition has been corrected inside the live video
stream splitting implementation. When encountered it resulted in the watchdog
thread instigating an optimization service restart preceded by an event thread
indicating "not healthy after at least 15s".

164780 Fixed an issue where SMB2 connections were reported as CIFS on the
Current Connections report, if one of the following was also enabled: Path Selection,
Quality of Service, Netflow DPI, or Application Visibility.

164815 Fixed an issue that caused a failure of mapping network shares with
Windows login scripts when SMB2 latency optimization is enabled. With this issue,
Windows machines could not run the login script that automatically maps network
shares when SMB2 latency optimization is enabled. The issue is due to denying read
requests when the file is opened with execute permissions.

165554 Fixed problem where the client-side SteelHead attempts to connect to a

decommissioned Akamai Cloud SteelHead. This would result in pass through
SteelHead Cloud Accelerator connections with the reason: "Inner failed to
establish". Additionally, the logs contain "Peer x.x.x.x is unreachable or
incomparable" or "Error connecting to the peer OOB". The fix improves the system
log output when the log level is set to debug and sets the timeout for the intercept
proxy table entry when the value was incorrect.

168012 Fixed the auto completion for host and port labels for QoS and path
selection CLI commands.

173478 Fixed issue where the SteelHead was not properly releasing memory when
the CLI, Management Console, or SteelCentral Controller (SCC) was viewing or
manipulating the HTTP server/subnet configuration table.

173560 Fixed an issue in the SMB2 blade when handling requests that were split
into multiple PDUs by the client.

187856 Fixed an issue where the path selection service was using stale information
after optimization service was disabled for a relay on the SteelHead.

192781 Fixed an issue that causes an out-of-memory condition on the client-side

SteelHead leading to a crash of the optimization service. The issue is due to the
buffering of write requests during NFS write-behind optimization. The fix enables
NFS flow control by default in the write-data path.
Note: NFS clients using 1M writes might experience bug 231508

193140 Fixed an issue where the Excel file save operation fails on SMB2 connections
on MAC clients. This fix disables the SMB2 idle-foi feature by default, because on
alternate streams it is typically used for metadata operations.

193447 Fixed an issue where an encrypted MAPI connection is reported as MAPI

instead of MAPI-Encrypt on the the Current Connections report when any of the
following was enabled: Path Selection, Quality of Service, Netflow DPI, or
Application Visibility.

195691 Fixed an issue where under certain conditions, TCP acknowledgement is not
sent during connection kickoff. Fixed the logic that generates TCP RST packets
during connection kickoff to set the TCP ACK flag when appropriate.

196320 When optimizing Microsoft Office 365 with SteelHead SaaS, the GeoDNS
feature might not take effect. Fixed this issue by changing the SteelHead code to
remain in synchronization with data delivered by the Cloud Portal, in order to avoid
intermittent lack of GeoDNS.

196456 Fixed an issue to ensure that all compound request (specifically SetInfo
requests) are appropriately released following a failed create on the SMB2 session.
This prevents the RiOS crash seen on this bug

197755 Fixed an issue where, when configuring login security in the SteelHead
Management Console, certain combinations of RADIUS authentication and remote
authorization, without the presence of a RADIUS server, would cause an error
messages to appear out of sequence.

198747 Fixed a problem where a SteelHead REST API service could query another
service while it was starting up. This problem occurred under the following
circumstances:
- SteelHead boot or reboot
- SteelHead upgrade
- Start or restart of the SteelHead process that hosts the REST API service.

200056 Fixed an issue where in a very rare case when flow collectors are configured
and the primary interface's IP address is changed during appliance boot-up, error
messages, [netflow.ERR] - {- -} uninitialized socket error in send, could be seen in
the system log.
The collector exports netflow records using UDP socket. The fix binds the UDP
socket to the interface instead of IP address in order to export the records. With the
fix, the socket bind issue is resolved, caused due to change in IP address by DHCP.

200222 Fixed problem where the "reset factory" CLI command does not reset
configuration settings for all features on the SteelCentral Controller to their default
values.

200780 Fixed an issue where the application options for path selection rules did not
update when a new application was created in another tab or by another user.

201202 Fixed an issue where DSCP/VLAN rules fail to match as expected.

7

201550 Added an enhancement where any errors associated with the QoS migration
process are printed on the Quality of Service page, after a pre-9.0.0 to 9.0.x
upgrade.

202160 Fixed a bug where the "Internet Protocol" setting for the gateway test on
the Network Health Check page was not properly processed and the test always
generated an error.

202581 Fixed a script-execution vulnerability that could be exploited by special tools

that sent specific kinds of URLs to the appliance.

202583 Management Console denial of service with malicious requests

Details:
A logged-in SteelHead user, using special tooling can make the Management
Console unavailable. The attack requires that a valid login and that a specific request
be altered by an external packet-modification tool.
Fix:
Implemented better exception handling to prevent denial of service attacks due to
malformed requests.
Recommendation:
Upgrade to patched version if applicable.

202809 RiOS v9.1 includes additional log messages and a counter to identify the
delay between connection forwarding neighbors.

203006 Fixed an issue where the connection between the new Windows v10 client
and servers could be black-holed if it is using the new SMB v3.1 dialect and the
feature called Pre-authentication integrity. The SMB2-signing blade, when enabled,
now detects if the client is sending the SMB v3.1 dialect and removes itself out of
the splice, allowing the connection to continue in pass through without latency
optimization.

203283 The size limit for video fragments is no longer incorrectly driven off the
Object Prefetch Table cache limit. This fix restores the higher video fragment limit.

203756 Some users thought that the system time in the upper right-hand corner of
each Web page always reflected the current time on the SteelHead. However, the
time was actually static and never changed. With this fix, the SteelCentral Controller
now keeps the system time current by updating it periodically.

204223 The secure transport client service (stp_client) is designed to retry on such
failures. These are innocuous log messages and their severity level has been
reduced.

204247 In a heterogeneous environment of Windows 2003 and 2008 domain

controllers (DCs), a problem where the SteelHead connects to the Windows 2003 DC
instead of the Windows 2008 DCs to complete NTLM-transparent authentication in
ADI-2k8 mode was fixed.

204386 Fixed an issue where while starting the Virtual SteelHead, a system log
warning might be displayed stating, MSPEC license has expired or been removed.
Terminating sport. This warning is invalid and can be ignored. The fix removes a
redundant licensing check at startup which might cause confusing log messages
about license expiration.

205238 Fixed an issue where the Path Selection page makes a large request every 10
seconds when idle. The information retrieval process was modified to request the
list of application options for path selection rules asynchronously after the initial
page load every 30 seconds instead of every 10 seconds.

205330 RiOS has changed the way it computes output buffer lengths requested in
find requests generated by the client SteelHead. RiOS always requests either 512K
or finds a prefetch window size, whichever is the minimum, thereby ensuring that
the output buffer length is never too small.

205471 Fixed an issue where when WCCP is used to redirect traffic to on a

SteelHead and the encapsulation scheme is set to Either on the SteelHead, packets
could be GRE redirected to a router even though the WCCP redirection was
negotiated to be Layer2 only. The fix addresses when multiple service groups are
configured and either GRE or Layer2 redirects could be the negotiated method for
WCCP.

205495 Fixed an issue so that existing system event log entries are now cached in
RiOS and only new entries need be retrieved through the IPMI. Prior to the fix the
SteelHead Management Console or CLI might become slow and unresponsive and
the following message would appear in the logs:
[mgmtd.NOTICE]: Waited [x] secs for [query request], Bindings (1 of
1):{/hw/hal/ipmi/query/allevents,N/A,N/A}

205588 Fixed a bug were some role-based management users (that is, users who
had "Read-Only" permissions for in-path rules and "Deny" for all other roles)
encountered an error message when viewing the In-Path Rules page.

205609 Fixed an issue that caused SteelHead CX250 models to hit a low memory
condition when datastore encryption is enabled. Fix adjusts memory Admission
Control values for CX250 series to account for datastore encryption.

205796 Fixed an issue where the "Uplink None not defined" error appears when the
path-selection CLI command prevents a user from resetting the path choice in a path
selection rule.

205942 The kernel statistics API has been patched to handle the invalid sockets
gracefully and will no longer crash.

206144 Fixed an issue that caused increased memory usage on repeated accesses to
the Path Selection page on Web3. The information retrieval process was modified to
request the list of application options for path selection rules asynchronously after
the initial page load every 30 seconds.

206287 Fixed an issue where certain CLI commands such as no stp-client controller
and show stp-client status would hang and eventually timeout with an error.
The timeout was due to an unhandled error condition. The error conditions leading
to this timeout are gracefully handled now.

206552 Correctly suppress the inbound QoS bandwidth for the primary interface
since inbound QoS is not supported on it.

206555 Fixed an issue where a monitor user could navigate certain Web pages from
which they are restricted.

206620 Fixed an issue where pass through connections can lead to incorrect
asymmetry warning messages in the system logs, similar to, ITSEELM-WA0008
kernel:[intercept.WARN] it appears as though probes from 10.0.0.1 to 10.10.2.9 are
being filtered. Passing through connections between these two hosts.
The warning has no negative impact on the functioning of the SteelHead. The
spurious warning message is fixed.

206905 QoS rules are fixed to match both application name and description fields.

216469 A memory leak occurs when the SteelHead adds an SSL server to the bypass
table. Over time this can lead to premature admission control. Corrected code that
was failing to deallocate X509 certificate information.

216769 Fixed an issue where the font size on the log pages of the SteelHead
Management Console are sometimes too small or too large for the user.
Now on the SteelHead Management Console Log page, users can adjust the font size
of the logs. This functionality is not available on Internet Explorer v8 or earlier.

216839 Fixed a problem with Current Connections report in the SteelHead

Management Console and the CLI, neither of which showed the per-connection QoS
information in v9.0.0. RiOS v9.0 changed the internal architecture of the QoS
feature. The Current Connections report in the Management Console and the "show
connection/flow" CLI commands were missed in the conversion to the new
architecture.

216980 Fixed an issue where the tooltip for the alarm icon on the header of the
SteelHead Management Console did not change along with the health of the
appliance. The redundant "System Health" text was also removed.

216985 Fixed an issue where the output of the "show running full" CLI command
fails to apply when the Default Profile QoS class names differ from the stock
defaults.

217019 Fixed an issue that caused live video stream splitting functionality to not
work correctly if the video URLs have query parameters.
10

217309 Fixed an issue where entries in the simplified routing table became stale
when the IP address of a SteelHead peer on the same subnet changed. This fix
identifies stale entries and invalidates them.

217580 We have addressed the scenario where large site configurations are being
made with shaping enabled. The improvements should avoid the page swapping and
the memory requirements.

217650 CVE-2014-4877: Wget FTP symbolic link, arbitrary file system access.
Details:
A flaw was found in the way Wget handled symbolic links. A malicious FTP server
could allow Wget running in the mirror mode (using the '-m' command line option)
to write an arbitrary file to a location writable to by the user running Wget possibly
leading to code execution.
Fix:
The Wget package has been upgraded to address CVE-2014-4877.
Recommendation:
Upgrade to patched version if applicable.

217689 Fixed an issue with the output of the "show running full" CLI command
when the QoS configuration items contain space in their names. The output is now
properly escaped for input.

217700 Made the screen scrollable to allow access to all profiles in the Sites and
Networks page.

217835 Fixed an issue where the kernel throws a warning message when a
connection is not in an established state and it receives a packet with SNACK options
set. This message is harmless as the received packet is handled safely. This fix
suppresses this innocuous message.

218734 In Internet Explorer v8 (IE8), when editing an application that has metadata
fields (such as those for HTTP), a field no longer disappears after opening and closing
the drop-down list. Additional checks are made for IE8 to prevent the problem.

218794 Auto refresh logic was implemented so that CLI changes are reflected on the
Path Selection page of the Management Console without refreshing the page.

218799 The SteelHead now parses authenticated EPM connections and optimizes
related MAPI connections. Note: When Outlook is using authenticated EPM
connections to the SteelHead you cannot use the MAPI port remapping feature.

218996 Fixed an issue where receiving jumbo packets on the SteelHead in a

connection forwarding or WCCP deployment can lead to kernel traces in the logs.
The SteelHead now properly handles jumbo frames received in connection
forwarding or WCCP setups. This no longer causes kernel traces in the logs.

11

219085 Fixed an issue that was causing fragment reassembly to fail leading to
packet drops. Reassembly failures are recorded with the following error message in
system log: "kernel:[intercept.ERR] ip_defrag failed with -12".

219137 Fixed an issue with database connection management that can lead to a
crash of the collectord process when the system is under high load.

219485 Fixed an issue where a user without QoS read permissions, instead of being
taken to the My Accounts page, sees an error in the SteelHead Management
Console when attempting to view the Inbound or Outbound QoS reports.

215931 Tcpdump: Multiple denial of service attacks caused by malformed PPP,

AODV & OLSR packets.
Details:
CVE-2014-8767: Integer underflow in the olsr_print function in tcpdump 3.9.6
through 4.6.2, when in verbose mode allows remote attackers to cause a denial of
service (crash) via a crafted length value in an OLSR frame.
CVE-2014-8769: Tcpdump 3.8 through 4.6.2 might allow remote attackers to obtain
sensitive information from memory or cause a denial of service (packet loss or
segmentation fault) via a crafted Ad hoc On-Demand Distance Vector (AODV) packet
which triggers an out-of-bounds memory access.
CVE-2014-9140: Buffer overflow in the ppp_hdlc function in print-ppp.c in tcpdump
4.6.2 and earlier allows remote attackers to cause a denial of service (crash) cia a
crafted PPP packet.
Fix:
The Tcpdump library has been updated to fix CVE-2014-8767, CVE-2014-8769, and
CVE-2014-9140. Note that RiOS is not impacted by CVE-2014-8768, a related issue
which affects GeoNet frames.
Recommendation:
Upgrade to patched version if applicable.

219670 Fixed an issue with a specific QoS workflow, when adding the same rule
twice, the system no longer displays "ValueError" errors when subsequent, valid
actions are attempted.

219678 The reset button removes the red error popup bubble.

219870 The failure handling mechanism for GeoDNS for SteelHead SaaS Office 365
optimization has been enhanced so that unreachable IP addresses are temporarily
blacklisted instead of being permanently purged.

12

221108 The CLI command "configuration write to" triggers a restart of the
SteelHead internal service. In some cases, that are timing specific, the restart
request is intercepted and discarded by the SteelFlow Web transaction analysis
(WTA) feature. Because the internal service never restarts, further attempts to write
the configuration file to memory fail. This issue can occur even if SteelFlow WTA is
not enabled. This fix prevents restarts by preventing SteelFlow WTA from
intercepting this request.

221252 Fixed an issue where the RiOS optimization service might crash when the
SMB2 servers send asynchronous responses to synchronous read-ahead requests
from the client-side SteelHead. This is more likely to happen when the server is
under high load.

221435 After the fix, starting the secure transport controller succeeds even if the
management system is unresponsive. Thus, secure transport clients are able to
connect to the secure transport controller and no controller connectivity alarms are
triggered on the SteelHead.

221489 Fixed an issue where the MAC header size is not accounted for during
inbound QoS shaping, leading to higher than expected inbound throughput.

221492 CVE-2014-8500 BIND library: Delegation handling denial of service attack.

Details:
A denial of service flaw was found in the way BIND followed DNS delegations. A
remote attacker could use a specially crafted zone containing a large number of
referrals which, when looked up and processed would cause those named to use
excessive amounts of memory or crash.
Fix:
The BIND library has been patched for CVE-2014-8500.
Recommendation:
Upgrade to patched version if applicable.

221576 The optimization service no longer crashes if a network error results in the
closure of an optimized MAPI connection.

221793 The SteelHead uses the same authentication information for the HTTPS
connections to the SCC and the secure transport controller. Thus, when the HTTPS
connection between the SteelHead and the SCC is renewed, any failed HTTPS
connection between the SteelHead and the secure transport controller is now
renewed with the updated authentication information. As a result, the SteelHead
now attempts to connect to the secure transport controller when the connection to
the SCC is established.

13

222156 When Citrix optimization is enabled on the SteelHead, it no longer leaks

memory for each Citrix connection using secure ICA and RC5 encryption. The
memory leak occurred once during the Citrix connection while parsing the ICA
packet with Diffie-Hellman parameters sent by the Citrix server.

222333 Cross-Frame Scripting (XFS) vulnerabilities in path selection and QoS pages.
Details:
Some of the new path selection and QoS pages were vulnerable to Cross-Frame
Scripting (XFS) vulnerabilities by logged-in users.
Fix:
Sanitized user input on path selection and QoS pages, preventing scripting tags from
being rendered.
Recommendation:
Upgrade to patched version if applicable.

222718 NTP: Network Time Protocol cumulative security update RHSA-2014:2024-1

Details:
This security update addresses the following issues:
CVE-2014-9293: It was found that the ntpd protocol automatically generated weak
keys for internal use if no ntpdc request authentication key was specified in the
ntp.conf configuration file. A remote attacker, able to match the configured IP
restrictions, could guess the generated key and possibly use it to send an ntpdc
query or configuration requests.
CVE-2014-9294: It was found that the ntp-keygen program used a weak method for
generating MD5 keys. This could possibly allow an attacker to guess generated MD5
keys that could then be used to spoof an NTP client or server. CVE-2014-9295:
Multiple buffer overflow flaws were discovered in the ntpd crypto_recv(),
ctl_putdata(), and configure() functions. A remote attacker could use either of these
flaws to send a specially crafted request packet that could crash ntpd, or potentially,
execute arbitrary code with the privileges of the NTP user.
CVE-2014-9296: A missing return statement in the receive() function could
potentially allow a remote attacker to bypass the NTP authentication mechanism.
Fix:
RiOS, in its default setting, is not impacted by any of the above issues. However, the
NTP module has been upgraded to a version that addresses these issues.
Recommendation:
Upgrade to a v9.1 of RiOS that has the updated NTP module.

14

222800 CVE-2014-3583: Apache HTTP Server v2.4.10 FastCGI Denial of service. The
the Apache HTTP Server v2.4.10 allows remote FastCGI servers to cause a denial of
service via long response headers.
Details:
The handle_headers function in mod_proxy_fcgi.c and the mod_proxy_fcgi module
in the Apache HTTP Server v2.4.10 allows remote FastCGI servers to cause a denial
of service (buffer over-read and daemon crash) via long response headers.
Fix:
Apache v2.4.10 in RiOS has been patched for CVE-2014-3583.
Recommendation:
Upgrade to patched version if applicable.

222888 A new winbind integrity task for processes count has been added to check
the number of running processes against a limit. This task runs once a day and
restarts the winbind process automatically if the threshold is exceeded.
The existing memory check of the winbind integrity task has also been enhanced to
check the total memory consumption (sum of the memory usage of all winbind
processes) against a limit.

223129 Fixed an issue where a kernel crash could occur on systems with a 10 gigabit
interface card, when the system in the process of shutting down. The adapter is now
declared down immediately entering the shutdown process so that all other threads
can bypass the down adapter.

223187 Unzip utility: Multiple buffer overflows and out-of-bounds vulnerabilities.

Details:
Multiple buffer overflows and out-of-bounds vulnerabilities were reported in the
'Unzip' utility.
CVE-2014-8139: Heap overflow condition in the CRC32 verification of Unzip which
might result in arbitrary code execution.
CVE-2014-8140: Out-of-bounds write in Unzip's test_compr_eb() function due to
bad uncompressed size value.
CVE-2014-8141: Out-of-bounds read in Unzip's getZip64Data() function due to lack
of error detection and reporting.
Fix:
'Unzip' utility has been updated to patch the following vulnerabilities: CVE-20148139, CVE-2014-8140 & CVE-2014-8141.
Recommendation:
Upgrade to patched version if applicable.

15

223242 Fixed an issue where the help pages on the SteelHead dashboard were
returning a 401 unauthorized error.

223254 Fixed an issue where a SteelHead CX255L/M/H running RiOS v8.6.2 raised a
fan speed alarm, when there is no fan or fan speed failure. This problem impacts
the CX255 running RiOS v8.6.2 only. No other products are impacted when running
RiOS v8.6.2. The CX255 is not impacted if it is running a different RiOS version.

223474 Outlook uses regular HTTP requests (for example, for Exchange Web
Services) on an optimized HTTP(S) connection. If the SteelHead has enabled Outlook
Anywhere optimization for these connections, the SteelHead failed to start Outlook
Anywhere optimization if the HTTP connection did not start with Remote Procedure
Call (RPC) over HTTP requests. The fix in RiOS v9.1 allows the optimization service to
start Outlook Anywhere MAPI optimization on HTTP connections at any time.

223624 RiOS now correctly handles prefetch requests larger than 1 MB. In RIOS
8.5.3 or later, HTTP connections would go into a bypass state after seeing a
response larger than 1 MB. In newer versions the SteelHead only stops buffering
response data, and this results in prefetches of the larger object missing content
when requested by the client.

223760 CVE-2014-6272 libevent: Multiple integer overflow flaws were found in the
evbuffer API of Libevent.
Details:
Multiple integer overflow flaws were found in the evbuffer API of libevent. An
attacker, able to make an application pass on an excessively long input to the
libevent via evbuffer API, could use this flaw to make the application enter an
infinite loop crash, and, possibly, execute arbitrary code.
Fix:
The Libevent library has been removed from RiOS. Prior to this fix, RiOS was not
impacted by this vulnerability since the Libevent library was not being used.
Recommendation:
Upgrade to a RiOS version that does not have the libevent library.

223798 This defect in the QoS rule matching logic is resolved and now correctly
matches the expected QoS rule.

16

223897 CVE-2014-8150 Libcurl: HTTP response splitting attacks via a CRLF injection
vulnerability.
Details:
A CRLF injection vulnerability in libcurl v6.0-7.x and before 7.40.0, when using an
HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct
HTTP response splitting attacks via CRLF sequences in a URL.
Fix:
The Curl library has been patched for CVE-2014-8150.
Recommendation:
Upgrade to patched version if applicable.

223930 An alarm flash error was triggered on the SteelHead after 3 days. For certain
models of SteelHead (SHxx50, CX1555, EX1160, EX1260), RiOS uses a system to have
a redundant copy of the contents of the flash device. This fix addresses an issue
wherein errors while writing to the flash device would trigger faulty error handling
in the data synchronization code.

224044 Fixed an issue where a rare error in reading hardware sensors was not
handled properly and might cause a sysdump not to complete on the SteelHead
models 3070, 5070, and 7070.

224081 Fixed the handling of port label updates during SteelCentral Controller (SCC)
pushes of hybrid network policies to prevent "DP_SETUP_ERROR" messages from
occurring when the SCC pushes QoS policies to the SteelHead.

224128 Fixed an issue where HTTP cache statistics displayed in the Management
Console and CLI are incorrect. The root cause was inaccurate counts for total HTTP
requests. This resulted in a bad denominator in the rate computation that has been
corrected with this fix.

224439 The message is for information only and does not impact system operation.
Request to get a system event log (SEL) entry during a system shutdown is handled
by dropping the command.

224505 Fixed a problem with Current Connections in both Management Console

and CLI, neither of which showed per-connection QoS information in v9.0.0. This
release changed the internal architecture of the QoS feature. The Current
Connections report in the Management Console and the "show connection/flow"
CLI commands were missed in the conversion to the new architecture.

224536 Fixed the CLI output for "show application" CLI command when the DSCP
value is set to 0.

224580 Fixed a crash by ensuring that the initial connection validation routine for
signed SMB connections in delegation mode does not make repeated IO checks for
availability of the secure vault.
17

224738 OpenSSL cumulative security update for advisory - secadv_20150108.

Details:
This update addresses the following issues:
CVE-2014-3571: DTLS segmentation fault in the dtls1_get_record.
CVE-2015-0206: DTLS memory leak in thedtls1_buffer_record.
CVE-2014-3569: no-ssl3 configuration sets method to NULL.
CVE-2014-3572: ECDHE silently downgrades to ECDH [Client].
CVE-2015-0204: RSA silently downgrades to EXPORT_RSA [Client].
CVE-2015-0205: DH client certificates accepted without verification [Server].
CVE-2014-8275: Certificate fingerprints can be modified.
CVE-2014-3570: Bignum squaring might produce incorrect results.
For more information, see: https://www.openssl.org/news/secadv_20150108.txt
Fix:
Of the issues listed above, RiOS management is not impacted by CVE-2014-3571,
CVE-2015-0206, CVE-2014-3572 and CVE-2015-0204. However, the OpenSSL library
has been updated to a version that patches all of the above issues.
Recommendation:
Upgrade to patched version if applicable.

224739 Fixed an issue when inbound QoS is enabled where QoS migration calculates
the upstream bandwidth for all remote sites by dividing the local downstream
bandwidth by the number of remote sites. This might result in unduly constrained
bandwidth from each remote site.

224747 Fixed a bug where a certificate, created using a CSR from the SteelHead,
could not be used to "replace" the current certificate through the Secure Peering
(SSL) page.

224982 Fixed an issue where long HTTP headers were not being handled correctly.
This error corresponds to the 'HTTP_ERR_LINE_TOO_LARGE' message in the log.

225109 Fixed an issue where the QoS scheduler is not automatically updated when
the interface MTU changes. Added logic to automatically update the SFQ quantum
value when an interface MTU changes.

225250 Fixed a CLI freeze when showing connections on a SteelHead with 130,000
or more connections. The "show connections" command now displays a maximum
of 50,000 connections. Filters can be used to ensure that desired connections are
shown.

225257 Added validation to prevent configuring a peer IP address that is already

configured as a /32 subnet in an existing site.

18

225301 Fixed an issue where the SteelHead Management Console would not be
accessible after upgrading to a RiOS v8.6.2 and v9.0.0, if an optical 1 Gig add-on NIC
was installed. This problem occurs only if the configuration is set to Auto speed and
duplex.

225347 Fixed a memory leak in the SSL certificate expiring alarm function.

225488 CVE-2015-0235 - The glibc gethostbyname buffer overflow (GHOST

vulnerability). A heap-based buffer overflow was found in the glibc
__nss_hostname_digits_dots()function that is used by the gethostbyname() and
gethostbyname2() glibc function calls.
Details:
A heap-based buffer overflow was found in the glibc__nss_hostname_digits_dots()
function that is used by the gethostbyname() and gethostbyname2() glibc function
calls. A remote attacker, able to make an application call to either of these
functions, could use this flaw to execute arbitrary code with the permissions of the
user running the application. (that is, a GHOST vulnerability)
Fix:
The glibc library has been updated to patch the GHOST vulnerability.
Recommendation:
Upgrade to patched version if applicable. See knowledge base article S25833 for
more details.

225828 CVE-2014-9130: Libyaml: Denial of service when processing wrapped strings.

Details:
An assertion failure was found in the way the libyaml library parsed wrapped strings.
An attacker able to load specially crafted YAML input into an application using
libyaml could cause the application to crash.
Fix:
Libyaml module has been patched for CVE-2014-9130
Recommendation:
Upgrade to patched version if applicable.

225712 Fixed incorrect optimized flows and WAN capacity configuration for CX570,
CX770, and CX3070 models.

226206 Fixed the issue so that SteelCentral Controller (SCC) Communication

Service comes back up once the network error on the SteelHead recovers,
reestablishing the communication channel between the SteelHead and the SCC. The
following error appeared in the logs
[yarder.services.ERROR] Failed to load service module lumberjack-svc-ocd

19

227550 Fixed an issue where GeoDNS for SteelHead SaaS would have failed to find
the optimum SteelHead against certain destinations of Office 365 Exchange server
regions, potentially causing degradation in performance.

227734 Fixed an issue that ensures that the RiOS optimization service does not crash
while processing lease notification if the lease has already been deleted from the
lease store while notification is being processed.

227878 The time zone data has been upgraded to 2015a to properly handle the leap
second at 2015/06/30 23:59:60 UTC.

228019 Fixed an issue where the QoS profile options would stay hidden when
adding or editing a nonlocal site after editing the local site. The local site does not
have any QoS profiles, but every other site does.

228262 Fixed an issue where setting the maximum domain child processes for the
winbind daemon, with "domain settings max-children" set to less than the total
number of trusted domains, results in high CPU utilization in the winbindd process.
The algorithm to release idle processes in the winbind daemon had an issue that
could, in some situations, lead to looping indefinitely over the list of child processes,
causing 100% CPU utilization. The fix consists of rewriting the stop condition of the
iteration to break the loop when all processes have been looked at.

229673 Security update for the glibc functions getaddrinfo() and gethostbyname_r().
Details:
CVE-2013-7423: It was discovered that, under certain circumstances, the glibc
getaddrinfo() function would send DNS queries to random file descriptors. An
attacker could potentially use this flaw to send DNS queries to unintended
recipients, resulting in information disclosure or data loss due to the application
encountering corrupted data.
CVE-2015-1781: A buffer overflow flaw was found in the way glibc's
gethostbyname_r() and other related functions computed the size of a buffer when
passed a misaligned buffer as input. An attacker able to make an application call any
of these functions with a misaligned buffer could use this flaw to crash the
application, or potentially, execute arbitrary code with the permissions of the user
running the application.
Fix:
The glibc library has been updated to patch CVE-2013-7423 and CVE-2015-1781.
Recommendation:
Upgrade to patched version if applicable.

20

229846 CVE-2015-1349: BIND trust anchor management remote DoS.

Details:
A flaw was found in the way BIND handled trust anchor management. A remote
attacker could use this flaw to cause the BIND daemon (named) to crash under
certain conditions.
Fix:
The BIND library has been updated to patch CVE-2015-1349.
Recommendation:
Upgrade to patched version if applicable.

230034 Fixed an issue where QoS and path selection classification is bypassed for
optimized connections after a configuration push from the SteelCentral Controller
(SCC) occurs, while the SteelHead is experiencing a high number of new connections
per second. This fix improves the handling of configuration updates while traffic is
running to avoid classification bypass for optimized connections.

230154 OpenSSL cumulative update for security advisory secadv_20150319.

Details:
The OpenSSL security advisory https://www.openssl.org/news/secadv_20150319.txt
identifies several vulnerabilities of which the following impact RiOS: CVE-20150204: RSA silently downgrades to EXPORT_RSA (Severity: High) CVE-2015-0286:
Segmentation fault in ASN1_TYPE_cmp (Severity: Moderate)
Fix:
OpenSSL has been upgraded to patch the vulnerabilities identified in the security
advisory secadv_20150319.
Recommendation:
Upgrade to patched version if applicable.

230606 The Quality of Service feature does not support IPv6. This fix suppresses the
display of QoS information for IPv6 traffic.

230912 RIOS was making a legal, but optimistic interpretation of HTTP cache
guidelines. Evaluation of the cache validator headers has been reverted to more
conservative guidelines to avoid the conflict.

230982 Fixed an issue where a redundant power supply failure was not raising an
alarm.

231397 Fixed an issue preventing the creation of applications using host labels for
which DNS resolution is still pending.

21

231500 Fixed an issue when signing is negotiated on a CIFS/SMB session using the
MAC OS 10.9 or 10.10 as a client, the connection might be terminated during server
access. However, the client transparently reconnected without impacting the user.
Connection termination on a signed CIFS/SMB connection as a client has been fixed.
This issue was happening because of the incorrect calculation of the SMB signing
value.

231508 Fixed an issue in NFS implementation of client-side SteelHead which was

slowing down large-sized (1MB) writes to server. The slowness was due to
SteelHead taking too long to prepare the packet to send over the WAN and then
starving to get next packet from all the way back from client as part of fix for bug
192781. The fix ensures storing a packet for future processing while actively
processing a packet so the starving does not happen.

231669 Changed the Management Console Current Connections report to not

highlight 100% reduction with the same red border as 0% reduction. This
erroneously suggested that near-100% reduction was bad. The red highlight for 0%
is retained.

231844 Fixed an issue causing periodic transient CPU usage spikes, leading to CPU
alarms on lower-end models.

232047 Fixed an issue that caused the following WARNING messages, which are
harmless, to appear on the message log:
[rgpd.WARNING]: Binding /rbt/support/config/sfp-branding/enable not consumed
during reverse mapping
[rgpd.WARNING]: Binding /sfp/config/branding/supported not consumed during
reverse mapping

232178 Fixed an issue where the QoS bottleneck bandwidth calculated to each
remote site might be incorrect.

232476 Fixed and issue where high traffic load would lead to an incomplete QoS
daemon to shutdown, leading to a process core. The shutdown will now complete
gracefully without a process core.

232526 Because MAC OSX clients with SMB2 optimization use alternate streams
problems occur while saving Excel files. This fix provides a hidden CLI command to
disable optimization for alternate streams. This is the default behavior.

232561 The change fixes the handling of short invalid kerberos request packets on
HTTP connections.

232630 Fixed an issue where path selection details would disappear from the
Current Connections page during a path failover. This issue was due to a new
variable (i.e., the least recently used path index) that was not accounted for in the
Management Console code.

232692 Fixed potential vulnerabilities in the Linux kernel for 2015 leap second
adjustment.
22

233913 This error message "[pm.ERR]: Output from yarder_core: svc-upgrader:

error: argument -y/--yaml_dir is required." is harmless and does not impact the
functionality of the system.

234195 Fixed an issue preventing the QoS feature from being enabled after the
optimization service is disabled.

234833 When upgrading from 8.6.0, 9.0.0 or 9.0.1 to 9.1.0, the QoS configuration is
now migrated successfully without error.

235961 Fixed an issue where a role-based management user with read-only

permissions was allowed to click the "Save" and "Revert" buttons on the
Configuration page, even though the functionality did not work. These buttons are
now disabled for role-based management users with read-only permissions.

236287 Fixed an issue where QoS statistics would not be collected when the
SteelHead has limited memory and is configured with a very large number of sites.

236335 The Optimization Service was intermittently crashing while users were
accessing Sharepoint services through the SteelHead. Identified and fixed a problem
related to the parsing of HTTP WebDAV responses with a status code of 207 (MultiStatus). Multi-Status responses lacking XML-namespace prefixes were causing the
optimization service to terminate improperly.

236443 Fixed an issue so that CLI commands for QoS or path selection rules with
spaces in the "application" or "apptag" names no longer fail.

236486 Fixed an issue that caused RiOS optimization service to halt unnecessarily
for a recoverable connection error. This issue occurs when an optimized connection
is aborted during connection set up. With this fix, the aborted connection is dropped
but the optimization service keeps running.

236548 Fixed an issue where copying a QoS profiles did not set the default class
properly. If the default rule had been changed from its original value, the new
profile properly copies this change into the new profile. The new profile previously
copied the original default rule.

236863 The RiOS optimization failure no longer occurs with an error message saying
"Content-Length exceeded, but in a non-expected HTTP state." The MAPI
optimization service was changed to drop the problematic connection instead of
crashing in the event that it encounters the unexpected condition that the content
length is exceeded but it is not in the expected HTTP state.

23

236995 Fixed an issue where in a rare cases, the optimization service could crash
where an Outlook Anywhere (OA) connection would send a message to the other
virtually connected OA connection that had already been deleted.
A Virtual Connection (VC) object is used to handle Request and Responses from two
half duplex OA connections, and it has definite knowledge of the OA connection
existence. The message sent by one OA connection to another is now routed
through the VC, and the VC makes sure that the message is not forwarded to the
deleted OA connection.

237070 Fixed a scrolling issue with "Edit Sites" option on the Sites page. Now the
option remains in the same place whereas previously it could scroll off the screen.

237637 Fixed problem where role-based management users were unable to run
scheduled jobs, seeing log errors "Permission denied: mkdir(/var/opt/tms/sched/3,
755)".

237820 Fixed an issue where the creation and deletion of many sites can lead to
failures when enabling QoS shaping. The following log message is seen when this
issue occurs: "Could not parse tc error: Error: argument "invalid class ID" is wrong:
1:10000:".

237939 On a SteelHead with path selection enabled it slowly leaks memory in cases
where the customer has a Layer2 network with a high number of unreachable paths.
As a result, the SteelHead requires a restart every few days. This bug addresses the
memory leak issue.

238607 Fixed an issue where cached authentication cookies could lead to data
leakage between O365 SharePoint users. Identified and corrected a problem where
authentication cookies were being cached.

238925 Fixed an issue where QoS-related processes crash repeatedly after reboot
when a new in-path interface is added after configuring remote sites.

239117 Fixed and issue where the "show flows" and "show connections" CLI
commands would show pass through traffic before optimized traffic. Optimized
traffic is now displayed before pass-through traffic.

4) KNOWN ISSUES

161036 SteelHead fails to connect to the Cloud Portal through a proxy server for
SteelHead SaaS service if the proxy disallows 'Content-Length' header added to the
CONNECT request. When connecting to the Cloud Portal through a proxy server for
SteelHead SaaS, the SteelHead adds a Content-Length header to the CONNECT
request. Some proxy services will fail the CONNECT request with a 400 status.
SteelHead will not be able to register/connect with the Cloud Portal.
Configure the proxy server to allow requests with a Content-Length header.
24

165137 The SteelHead peer-version string might be displayed incorrectly in the

Current Connections page. This issue occurs if the SteelHead being monitored is
connected to multiple SteelHead peers that have the same public IP address. No
known workaround.

195507 A SteelHead is not reachable for Path Selection from remote peers if its
optimization service is disabled. No known workaround.

198015 The SteelHead cannot be managed by the SteelCentral Controller for

SteelHead (versions 9.0.0 and above) when requisite management channels are not
established. SCC versions 9.0.0 and above require two channels to the appliance an SSH channel and an HTTPS channel. The status of these channels can be viewed
on the SteelHead terminal with the command: show scc
A sample output of this command is shown below:
amnesiac > show scc
Auto-registration:
Enabled
HTTPS connection (to the CMC):
Status:
Connected
Hostname:
bravo-sh378
SSH connection (from the CMC):
Status:
Connected
Hostname:
bravo-sh378 (10.5.39.87)
When the host for the HTTPs and SSH connection are different or both the channels
do not have Connected status, the appliance cannot be fully managed by the SCC.
In order to connect a SteelHead to the SCC, you can use the command:
scc hostname <hostname> in configure mode to establish the connections.
If both connections show Connected to two different SCC's, please remove the
appliance from the Manage -> Appliances page on the SCC which is incorrect and
update the appliance username and password on the correct SCC.
If the SCC hostname was never configured on the appliance, the appliance will try to
connect to the host riverbedcmc. Please make sure to update your DNS to point the
hostname riverbedcmc to the correct SCC which is managing the appliance.

204204 After a report has been viewed for a long time without being refreshed, an
error dialog "Unable to parse response" can appear. On a heavily loaded appliance,
this could happen in 1-2 hours, but may not at all. Refresh the report to clear the
dialog.

217457 On a heavily loaded SteelHead, clicking the "after waiting, click here" link
does not work. Log in appears successful, but there are errors in the Management
Console after log in. Log out and log in to clear the issue.

218352 When class names are manually selected for display in a Web QoS report in
a version lower than v9.0 and the SteelHead is upgraded to v9.0 or later, the report
data might appear to be missing because the class names can change during
migration. Reselect the desired classes using their post-migration names.

25

220338 Since v8.5.0, the "monitor" user has been unable to select the units to be
displayed in the QoS reports. No known workaround.

225148 Importing a configuration will fail if the user's password contains an at sign
(@). During configuration import, this is erroneously read as a user@host pair and
the import will not succeed. Avoid using the at-sign (@) in passwords.

227509 Under some circumstances, a customer's explicitly defined configurations

for admission control, datastore, MAPI prepopulation, SSL bypass table, HTTP
stream splitting inflight cache will be overwritten with default values upon upgrade
to Baffin. If changes have been made to admission control, datastore, MAPI
prepopulation, SSL bypass table configurations or HTTP stream splitting inflight
cache, note their values prior to an upgrade to Baffin and reconfigure them if not
correct after upgrade.

229980 When the Web proxy feature is enabled, eligible traffic is handled using
Web Proxy, ignoring transparency options on the applicable in-path rule. If
transparency options are set on the in-path rule, they are ignored. No workaround is
available. You should be aware that transparency options do not apply to traffic
optimized by Web Proxy.

232641 In some situations, as part of system reboot, the application stats service
fails to properly initialize.
Error level log messages reporting AppStats service start-up failure are logged in this
situation. Workaround: system restart.

233903 On Virtual SteelHead xx50 models, the configuration partition may become
full, resulting in errors similar to [mgmtd.ERR]: lf_write_bytes_tbuf(),
file_utils.c:1077, build (null): Error code 14014 (generic IO error) returned. If errors
occur in the logs after attempting to save the configuration, manually delete the
saved configuration backup files that are no longer required from the Management
Console or CLI.

235131 EtherChannel does not support bundling of management in-path interfaces

along with in-path interfaces. Since there is no bundling of management in-paths,
link failover between the management interfaces is not supported when
EtherChannel is enabled. No known workaround.

236023 When 'Auto-Negotiation of MultiStream ICA' is enabled on a SteelHead, a

Citrix XA/XD 7.6 server is used and a priority 0/2/3 connection is broken, the 'Auto
Client Reconnect' on the Citrix Receiver will not automatically reconnect the Citrix
session. The user can manually restart and resume the Citrix session if the session
was saved on the Citrix server.

236824 Occasionally, the SteelHead might log "Connection reset by peer" error
message when connection between SteelHead and SteelCentral Controller is
interrupted. The errors can be safely ignored since the connection will be reestablished immediately.

26

237024 Disabling REST API access on SH will cause hybrid networking, QoS, Secure
Transport and SEPIA policy push from SCC to fail. Enable 'REST API' access on SH.
This configuration is on the Configure Security REST API Access page.

237223 Intermittently Citrix multi-stream applications are not identified and tracked
by the application stats service. No known workaround.

237772 For SteelHead models CX255, CX570, and CX770, the LAN and WAN
interface links can go down briefly during an optimization service restart. This issue
currently exists with all versions of RiOS. No workarounds exist.

238175 For connections optimized by Web Proxy, the table on the Current
Connections report will always show 'W' for Connection Type even if the connection
is opening or closing. Open the connection detail, which shows the correct icon.

238497 Menu commands are hidden, not disabled, for "monitor" users. This is a
change from v8.6, where the commands were visible but disabled. In a future
release, the original behavior will be restored. No known workaround.

238599 When the SteelHead is an Interceptor cluster, but no cluster channels are
configured, the Current Connections report may incorrectly show that Path
Selection is occurring. The report will show correct information once channels are
configured but will continue to show erroneous Path Selection information as long
as they are not.

238799 An RBM user with no read or read-write roles assigned is denied access to
the WebUI with the following error "Unable to sign in: Failed obtaining authorization
data for user." Ensure that RBM users have at least one read or read-write role
assigned to their account.

238959 The Current Connections report in the Web UI may not always report path
usage in the correct order, as the timestamp is not always indicative of the most
recent path usage. When knowledge of path order is critical, use the corresponding
CLI command, which will always show correct information.

240317 Application statistics is missing from appliance's configuration restore

procedure. This happens when downgrading from 9.1.0 to an earlier release, and
then upgrading to 9.1.0. Upon configuration restore completion explicitly enable
application statistics if needed.

5) UPGRADING THE RIOS SOFTWARE VERSION

UPGRADING ALERT

Path Selection: Upon upgrading a SteelHead from RiOS version 8.6.x or earlier to
9.0.0 and later, existing path selection rules are not automatically migrated. Please
refer to Knowledge Base article S25533 for details.

27

QoS: RiOS version 9.0.0 and later uses a completely new QoS management and
syntax compared to RiOS version 8.6.x and earlier. Please refer to Knowledge Base
article S25532 for details prior to upgrading to RiOS version 9.0.0 and later.

Review the SteelHead CX Installation and Configuration Guide for information on upgrading
the RiOS software version on SteelHead appliances. For Virtual SteelHeads, see the Virtual
SteelHead CX Installation Guide. If running Cloud SteelHeads, see the Riverbed Cloud
Services User's Guide.

6) STEELCENTRAL CONTROLLER FOR STEELHEAD (SCC)

COMPATIBILITY
SCC was formally known as Central Management Console (CMC). Review the SteelHead CX
Installation and Configuration Guide for information on SCC compatibility.

7) HARDWARE AND SOFTWARE DEPENDENCIES

Review the SteelHead CX Installation and Configuration Guide for information on hardware
and software dependencies. For Virtual SteelHeads, see the Virtual SteelHead CX Installation
Guide. If running Cloud SteelHeads, see the Riverbed Cloud Services User's Guide.

8) CONTACTING RIVERBED SUPPORT

Visit the Riverbed Support site to download software updates and documentation, browse
our library of Knowledge Base articles and manage your account. To open a support case,
choose one of the options below.

Phone
Riverbed provides phone support at 1-888-RVBD-TAC (1-888-782-3822). Outside the U.S. dial
+1 415-247-7381.

Online
You can also submit a support case online

Email
Send email to support@riverbed.com. A member of the support team will reply as quickly as
possible.

28

2015 Riverbed Technology. All rights reserved. Riverbed and any Riverbed product or service name or logo
used herein are trademarks of Riverbed Technology. All other trademarks used herein belong to their
respective owners. The trademarks and logos displayed herein may not be used without the prior written
consent of Riverbed Technology or their respective owners.

29