■ PR_38385 — Connection reservations do not fail over from the Master to the Participant in an Active-Standby configuration.
Example:
[Topology] PC 10.10.30.1 | zone DMZ (TMS address 10.10.30.254) | TMS | zone Zone1 (TMS address 192.168.1.254) | Server 192.168.1.1. Zone limits: DMZ = 5.
Connection reservation: DMZ, inbound, reserved for 192.168.1.1, reservation count = 3.
If the PC opens TCP connections through the Master and a fail over occurs, the reservation count was not correctly followed.
■ PR_38959 — In High Availability Active-Standby configuration, when running a mix of RTSP and SMTP traffic for a period, the command no connections does not reset some of the current connections.
VPN
■ PR_17972 — In the Web browser interface, in the Help for VPN, the wrong performance numbers are reported.
■ PR_38173 — Misleading error messages appear when adding or editing an IKE policy in the Web browser interface (VPN > Certificates > IPsec Certificates).
Software Fixes in Releases ST.1.0.090213 - ST.1.2.100916 Release ST.1.0.090603
■ PR_38217 — When setting up an IPsec policy with a Key Exchange of Manual, it was possible to specify an SPI number that was already in use by another IPsec policy and it would not be detected. Duplicate SPI numbers across IPsec policies are not allowed and an error needs to be displayed.
■ PR_38223 — When adding an IPsec policy with action Bypass or Ignore, and setting the direction to Inbound, the traffic selector's local and remote addresses would be swapped.
■ PR_38226 — Changing a bypass or ignore IPsec policy to apply shows an erroneous key exchange method.
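The check PR_38217 describes (reject a manual-key SPI already used by another IPsec policy, while still allowing a policy to be re-saved with its own SPI) is shown below as an added example. It is not TMS zl Module code; the IpsecPolicy fields, the PolicyStore class, the one-SPI-per-policy simplification and the error texts are assumptions made for the illustration.

```python
"""Reject duplicate SPIs across manually keyed IPsec policies.

Added illustration (not TMS zl Module code). Each policy is modelled
with a single SPI for brevity; a real manual-key policy carries one
SPI per direction, and the same uniqueness rule applies to each.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# RFC 4303 section 2.1: SPI values 1-255 are reserved by IANA and 0 is
# reserved for local use, so an administrator-chosen SPI starts at 256.
MIN_USER_SPI = 256
MAX_SPI = 0xFFFFFFFF


@dataclass(frozen=True)
class IpsecPolicy:
    name: str
    key_exchange: str          # "manual" or "ike" (assumed vocabulary)
    spi: Optional[int] = None  # only meaningful when key_exchange == "manual"


class DuplicateSpiError(ValueError):
    """Raised when the SPI is already owned by a different manual-key policy."""


class PolicyStore:
    def __init__(self) -> None:
        self._policies: Dict[str, IpsecPolicy] = {}

    def spi_owner(self, spi: int, exclude: Optional[str] = None) -> Optional[str]:
        """Name of the manual-key policy using `spi`, ignoring `exclude`."""
        for name, pol in self._policies.items():
            if name != exclude and pol.key_exchange == "manual" and pol.spi == spi:
                return name
        return None

    def add(self, policy: IpsecPolicy) -> None:
        self._validate(policy, exclude=None)
        self._policies[policy.name] = policy

    def update(self, policy: IpsecPolicy) -> None:
        if policy.name not in self._policies:
            raise KeyError(policy.name)
        # Exclude the policy being edited so saving it unchanged is not a "duplicate".
        self._validate(policy, exclude=policy.name)
        self._policies[policy.name] = policy

    def _validate(self, policy: IpsecPolicy, exclude: Optional[str]) -> None:
        if policy.key_exchange != "manual":
            return  # IKE negotiates its own SPIs; nothing to check here
        if policy.spi is None or not MIN_USER_SPI <= policy.spi <= MAX_SPI:
            raise ValueError(f"SPI must be in {MIN_USER_SPI}..{MAX_SPI:#x}")
        owner = self.spi_owner(policy.spi, exclude)
        if owner is not None:
            raise DuplicateSpiError(
                f"SPI {policy.spi:#x} is already used by IPsec policy {owner!r}")


if __name__ == "__main__":
    store = PolicyStore()
    store.add(IpsecPolicy("to-branch", "manual", 0x1000))
    try:
        store.add(IpsecPolicy("to-dc", "manual", 0x1000))
    except DuplicateSpiError as exc:
        print("rejected:", exc)
```

The validation runs before the store is mutated, so a rejected policy never leaves a half-saved entry behind, and the `exclude` parameter is what makes editing an existing policy work without tripping its own SPI.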
■ PR_38228 — A misleading error occurs when the traffic selector's IP range starts or ends with 255. Workaround: Correct the range.
■ PR_38229 — IPsec policy advanced settings are displayed incorrectly after the default settings are changed and then edited in the Web browser interface.
■ PR_38231 — On the advanced settings screen (VPN > IPsec > IPsec Policies) Enable fragment before IPsec cannot be disabled.
■ PR_38240 — Cannot import IPsec Certificates (intermittently fails) from the Web browser interface (VPN > Certificates > IPsec Certificates).
■ PR_38887 — In the Web browser interface, when viewing the IPsec VPN Tunnels, the local gateway IP address may be truncated in the display.
■ PR_39898 — A denial of service attack against the TMS zl Module is possible when an IPSecuritas client establishes a VPN connection with the TMS zl Module. Set the IKE authentication method to RSA certificates on both the client and the TMS zl Module. On the IPSecuritas client, clear the Request Certificate, Send Certificate, and Verify Certificate check boxes in the Options tab of the Connections window. When the IPSecuritas client attempts to establish a VPN connection with the TMS zl Module, the module will be inoperable with its current settings.
■ PR_40144 — When using Internet Explorer 7 and viewing IPsec VPN tunnels, the information does not appear. However, when using Firefox 3.x, the IPsec VPN tunnel does show up. This has been changed in this release so that the IPsec VPN tunnel information does appear in Internet Explorer.
■ PR_41209 — A Certificate Revocation List (CRL) was not retained across a reboot.
Example:
1. Go to VPN > Certificates > CRL page and load a CRL list.
2. Save the entire configuration.
3. Reboot the TMS zl Module.
Release ST.1.1.100226
The following problems were resolved in release ST.1.1.100226
General
■ PR_813 — Web browser interface does not function without JavaScript enabled and does not notify user that JavaScript is required.
■ PR_961 — The initial login banner text of the Web browser interface in the TMS zl Module differs in size depending on whether the user is accessing it with HTTP or HTTPS. While noticeable, this difference in size does not impair functionality.
■ PR_1057 — In the command line interface (CLI), for OSPF routing, the ability to specify a Virtual Link between an area and a neighbor was added.
■ PR_1143 — The options for VLAN IPv4 functionality change depending on how a command is accessed. For example, vlan <id> ip options are different than going into the VLAN context via vlan <id> and then typing ip.
■ PR_3198 — In the CLI, the show vlans command now displays the VLAN name.
■ PR_3968 — To always ensure management access, a watchdog process was added to restart management services that may be in an error state and preventing management access.
■ PR_4155 — Port Status displays 10 Megabit speed for Ethernet ports in SNMP-MIB. The speed should be 10 Gigabit.
■ PR_5104 — Email logging now allows for an anonymous user.
■ PR_5390 — The administrator cannot change the password for MD5 authentication on an OSPF interface without knowing the previous password.
■ PR_5444 / PR_5446 / PR_5718 — In the CLI, the ability to search the log was significantly enhanced.
ProCurve Switch 5406zl(tms-module-C)# show logging local filter ?
id Filter by log message ID.
search Search for a specified substring in log entries.
sip Display messages with this source IP address.
dip Display messages with this destination IP address.
date-time Filter by log date-time.
severity Filter by log severity.
■ PR_5847 — In the Web browser interface, the number of entries setting in the View Log page will always flip back to 50 when you refresh the browser.
■ PR_11856 — When using the Web browser interface, an error message is displayed when a valid IP address is entered in some pages, such as RADIUS, IPsec Policies, and so forth. For example, this may occur when an otherwise valid IP address is added with a trailing space at the end.
■ PR_12802 — When adding an NSSA or STUB area to the OSPF configuration, leading zeros in the area ID are flagged as an error. For instance, 10.10.01.10 would not be accepted but 10.10.1.10 would be accepted.
■ PR_12838 — Using SNMP, the values of system name, contact, and location via the RFC 1213 system table cannot be changed.
■ PR_14783 — When moving a TMS zl Module from one switch to another, DHCP Relay may not start if there is a mismatch in VLAN configuration between the switches. Specifically, if a VLAN is enabled in DHCP Relay and then the TMS zl Module is moved to another switch which doesn't have that VLAN, the DHCP Relay agent doesn't start up and DHCP Relay will not work. When moving a TMS zl Module, if you wish to maintain the TMS zl Module operation, be sure the VLAN information matches before moving the module to another switch.
■ PR_15477 — When adding and removing VLANs via the CLI, additional log messages are created that are not created when using the Web browser interface to add and remove VLANs.
■ PR_15522 — There is a difference in how the timezone information is displayed in the TMS zl Module as compared to the switch. The TMS zl Module follows the POSIX standard for displaying the time, for example, GMT+6 is displayed to indicate the timezone. However, the switch uses a negative number to set the timezone. The time is correctly displayed in both cases, but the process to set the timezone may cause some confusion.
■ PR_15547 — In PCM, the Add/Delete of a trap receiver may fail due to the TMS zl Module’s SNMP agent's response delay.
■ PR_16102 — In PCM, neighbor network mapping between the TMS zl Module and 5400/8200 chassis is not properly done. The TMS zl Module added LLDP functionality based upon the priority VLAN to correct the mapping.
■ PR_16812 — Password authentication failure traps were missing the originating IP address and username for which the password authentication failure was occurring.
■ PR_16892 — When the local log contains more than 10,000 entries, the oldest entries (after the 1,000th entry) are displayed in a wrong position.
Steps to reproduce:
1. Get more than 10,000 entries in the local log.
2. Either export the local log or, in the Web browser interface, set the number of entries per page to 500 and go to page 6.
■ PR_18145 — In the Web browser interface, if a VLAN is added with an invalid IP address in the range 224.0.0.0 - 254.255.255.255, an error is returned stating: VLAN could not be added. Failed to add VLAN IP address. However, the VLAN is actually added, but not associated to any zone. In the CLI, the error message only states: Error: Failed to set VLAN IP address.
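The three address-input problems above (PR_11856: a trailing space on a valid address; PR_12802: leading zeros in a dotted-decimal OSPF area ID; PR_18145: a multicast or reserved address accepted far enough to create a half-configured VLAN) share one fix pattern: normalise, validate, and only then commit. The following is an added example of that pattern, not TMS zl Module code; the function names, the in-memory VLAN table and the error texts are assumptions made for this illustration.

```python
"""Normalise and validate dotted-decimal input before committing it.

Added illustration (not TMS zl Module code) for PR_11856, PR_12802 and
PR_18145. Surrounding whitespace is tolerated, leading zeros are
discarded (an OSPF area ID is a 32-bit number written in dotted form,
so 10.10.01.10 and 10.10.1.10 are the same ID), and addresses that can
never be an interface address are rejected before any state changes.
"""
import ipaddress
import re
from typing import Dict

_DOTTED = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def parse_dotted_quad(text: str) -> str:
    """Canonical 'a.b.c.d' for input such as ' 10.10.01.10 '."""
    m = _DOTTED.match(text.strip())  # strip() handles the trailing-space case
    if not m:
        raise ValueError(f"not a dotted-decimal value: {text!r}")
    octets = [int(o) for o in m.groups()]  # int() drops leading zeros
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {text!r}")
    return ".".join(str(o) for o in octets)


def parse_area_id(text: str) -> str:
    """OSPF area ID: any 32-bit value in dotted form, leading zeros allowed."""
    return parse_dotted_quad(text)


def parse_interface_address(text: str) -> ipaddress.IPv4Address:
    """Address for a VLAN interface: must be a usable unicast host address."""
    addr = ipaddress.IPv4Address(parse_dotted_quad(text))
    # 224.0.0.0/4 is multicast and 240.0.0.0/4 is reserved (this covers the
    # 224.0.0.0 - 254.255.255.255 range named in PR_18145, plus 255.255.255.255).
    if addr.is_multicast or addr.is_reserved:
        raise ValueError(f"{addr} is multicast or reserved; not an interface address")
    if addr.is_unspecified or addr.is_loopback:
        raise ValueError(f"{addr} cannot be assigned to a VLAN interface")
    return addr


def add_vlan(table: Dict[int, ipaddress.IPv4Address], vlan_id: int, ip_text: str) -> None:
    """Validate every input first, then commit, so a rejected address never
    leaves a VLAN behind that exists but belongs to no zone."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN id {vlan_id} out of range")
    addr = parse_interface_address(ip_text)  # raises before the table is touched
    table[vlan_id] = addr


if __name__ == "__main__":
    vlans: Dict[int, ipaddress.IPv4Address] = {}
    add_vlan(vlans, 30, "10.10.30.254 ")
    print(vlans)
    print(parse_area_id("10.10.01.10"))
```

Validation that raises before the first write is what turns the PR_18145 symptom (error message, VLAN created anyway) into a clean rejection; the same ordering is what a configuration API should present to both the CLI and the Web browser interface so their behaviour cannot diverge.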
■ PR_37988 — Upgrading to an ST.1.1.XXXXXX release from any ST.1.0.YYYYYY release, the TMS zl Module may report Unknown SW update status even though the software update is still successful. This issue has been addressed in the ST.1.1.100226 software. As a result, future updates from an ST.1.1.100226 image to a newer image will not have this issue.
■ PR_38705 — RIP: Connected VLANs are not sent correctly when Ripv1-v2 is set. The TMS zl Module does not send the connected VLANs to another router (R1), when RIP version has been set as v1-v2.
■ PR_38775 — Using the Command Line Interface, there is no mechanism to disable PIM globally. The Web browser interface must be used instead.
Firewall
■ PR_2614/PR_4193 / PR_4276 / PR_16778 — In the Web browser interface, the ability to see whether IPS is enabled or disabled on an access policy basis was added.
■ PR_11023 — Log messages tracking the login and logout of authenticated users are not generated by the firewall.
■ PR_11874 — On the Firewall > Access Policy > Unicast page in the Web browser interface, when adding a policy, there is an advanced tab that allows for limit settings and the valid range for entries in connections, Kilobytes, packets, and seconds are not listed.
■ PR_12607 — ICMP replay will generate a log entry even when the setting is disabled.
■ PR_40627 — The TFTP ALG wasn't invoked with the allow tftp firewall policy but it is invoked with the allow any firewall policy.
IPS/IDS
■ PR_3020 — Added the following note to the IPS signature download page to help setup access policies correctly:
Note: To download signatures there must be an Access Policy that allows TCP/443 access from Self to the signature server. If using a proxy server, there must be an Access Policy that allows TCP/proxy-port access from Self to the proxy server.
Monitor Mode
■ PR_17758 — In monitor mode, when IPS full inspection is turned on and the FTP ALG is turned off, sending an FTP copy of the startup configuration to the network fails with a broken pipe error.
High Availability
■ PR_8325 / PR_14916 — When configured for High Availability, the Rebalance button in the Web browser interface is not needed for an Active/Standby configuration.
■ PR_10844 — When a Participant joins or leaves a cluster, there is very little detail to the log entries describing these important events and these events must be inferred.
VPN
■ PR_4983 — A Safestrcopy error would sometimes be shown when editing the first page of an IPsec policy.
■ PR_10767 — When using RADIUS authentication, the field NAS-Identifier is sent for CHAP and MS-CHAP authentication requests, but not for PAP requests.
■ PR_15755 — In the Web browser interface for VPN, there are twice the number of pages listed for the IPsec VPN Tunnels Table as necessary. As an example, if there are 9900 IPsec SAs, reflected in 99 pages of this table, the pages 100-198 are all blank.
■ PR_38218 — Cannot change a bypass or ignore policy to apply with key exchange method manual. Workaround: Delete the policy and add a new one.
■ PR_38232 — Moving an IPsec policy to another position may not set it in the desired position. Workaround: Delete the policy and add a new one in the correct position.
■ PR_38238 — A misleading error occurs when importing an invalid certificate file.
■ PR_38849 — An incorrect log entry is generated when logging in with a user authenticated by a RADIUS server.
■ PR_39123 — In the Web browser interface, a warning is displayed about the lockout of the management interface even when IPsec policy is disabled.
■ PR_39897 — The allowed RADIUS IP pool range was too small. It was increased to allow up to 10,200 IP addresses.
■ PR_40292 — When a user has a local account on the TMS zl Module and has an account with the same name on the RADIUS server, the user will always be authenticated to the local account and no attempt is made to access the RADIUS server, even if the user name includes the realm, as in username@domain.
■ PR_40301 — GRE Tunnel displayed GREv2 Error in tcpdump when attempting to verify the connectivity with a ping packet.
■ PR_40313 — When adding a RADIUS server, the administrator can specify a NAS-ID that accepts a script as input allowing code injection to RADIUS Web interface page.
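PR_40313 is a script-injection (cross-site scripting) problem: a value typed into the NAS-ID field is later written into a management page as-is. The added example below, which is not TMS zl Module code, shows the two defences a fix of this kind needs: validate the attribute on input and escape it on output. RFC 2865 section 5.32 defines NAS-Identifier only as a string of one or more octets; the stricter printable-ASCII rule, the function names and the HTML fragment are assumptions made for this illustration.

```python
"""Keep a RADIUS NAS-Identifier from being interpreted as page markup.

Added illustration (not TMS zl Module code) for PR_40313. Input
validation limits the value to something a NAS-Identifier plausibly is;
output escaping is what actually stops the value from becoming markup,
and it applies regardless of what validation allowed through.
"""
import html
import re

# RFC 2865: an attribute is at most 255 octets including its 2-octet
# type/length header, so the value is 1..253 octets. Restricting to
# printable ASCII without spaces or control characters is this
# example's own policy, not a protocol requirement.
_NAS_ID_OK = re.compile(r"^[\x21-\x7e]{1,253}$")


def validate_nas_identifier(value: str) -> str:
    """Return `value` unchanged if it is acceptable, else raise ValueError."""
    if not _NAS_ID_OK.match(value):
        raise ValueError("NAS-Identifier must be 1-253 printable ASCII characters")
    return value


def render_server_row(host: str, nas_id: str) -> str:
    """HTML table row for the RADIUS server list.

    Every field is escaped at the point it enters the page, so '<', '>',
    '&' and quotes in a stored NAS-ID render as text rather than markup.
    """
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(host, quote=True), html.escape(nas_id, quote=True))


def add_radius_server(servers: dict, host: str, nas_id: str) -> str:
    """Validate, store, and return the escaped row that would be shown."""
    nas_id = validate_nas_identifier(nas_id)
    servers[host] = nas_id
    return render_server_row(host, nas_id)


if __name__ == "__main__":
    # Constructed input: a value that passes the character rule but is markup.
    print(add_radius_server({}, "10.0.0.1", 'nas-1"<b>x</b>'))
```

Note that `nas-1"<b>x</b>` passes `validate_nas_identifier`, which is the point: input rules narrow the surface but cannot know every context the value will later be rendered in, so escaping on output is the control that must not be skipped.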
■ PR_40319 — In the log file, log entries with the following message IDs may truncate the username: 1213, 1214, and 1204. Other information, such as the user's IP address and login time are displayed correctly.
■ PR_40321 — When a RADIUS authentication fails, the log entry with message ID of 4579 displays the wrong user IP address. The username is displayed correctly.
■ PR_40340 — A trusted administrator is not prevented from adding thousands of RADIUS server entries in the Web browser interface. The maximum number of RADIUS servers that can be added is now 10.
■ PR_40380 — Importing certificates in VPN incorrectly shows the text as Self-signed certificate rather than IPsec certificate.
■ PR_40568 — In the Web browser interface for VPN, when retrieving an IPsec certificate using the same private key as a previous certificate, an error would be returned.
Steps to reproduce:
1. SCEP Server installed and configured.
2. CA was retrieved from SCEP server.
3. Go to VPN > Certificates > IPsec Certificates.
4. Retrieve an IPsec certificate with Private Key ID: test
5. Try to retrieve another certificate using the same ID for private key: test
6. After waiting 10 seconds an error message is displayed:
The IPsec certificate could not be retrieved within the timeout
Instead of this message, a more appropriate error message is now displayed indicating to the user that the same private key ID cannot be used.
■ PR_40895 — The Clear DF bit cannot be set for an IPsec policy. When the option Clear DF bit is selected as DF Bit Handling in Step 4 of the IPsec policy wizard, an error message is displayed saying that this option is invalid.
■ PR_40903 — When an L2TP Policy exists and is disabled, traffic continues passing through the tunnel. The L2TP Policy must be deleted. L2TP policies were removed as they were no longer required - IPsec policies provide the needed functionality.
■ PR_51483 — Enabling IP compression and disabling fragmentation causes a TMS crash in Site-to-Site VPNs. Steps:
1. Configure a site-to-site VPN tunnel with one host at each end:
HOST1(10.11.0.10)---TMS1----(VPN)----TMS2----HOST2(10.13.0.10)
2. Host2 sends a large ping using: ping 10.11.0.10 -s 64000.
TMS2 works fine, TMS1 fails.
The combination of ENABLE ip compression and DISABLE fragment before IPsec causes TMS2 problems for packets >= 24000 bytes in size.
Release ST.1.1.100330
The following problem was resolved in release ST.1.1.100330
General
■ PR_54398 — When updating to ST.1.1.100226, the DHCP Relay service will fail to start due to a migration issue with the configuration file. DHCP Relay will not function correctly on ST.1.1.100226 regardless of whether DHCP Relay was ever enabled. Please update to ST.1.1.100330 (or greater) if you require DHCP Relay.
Release ST.1.1.100430
The following problems were resolved in release ST.1.1.100430
General
■ PR_44556 — When a RADIUS server is accessed for user login requests, the RADIUS servers will be tried in a round robin order.
■ PR_44968 — Performance Related IPS issue - scheduled to be addressed in May-June 2010 release. Should not affect users with < 75% CPU utilization.
■ PR_47641 — During a reboot, the network interfaces could be brought up prior to the Firewall starting.
■ PR_49883 — Performance Related ALG issue - scheduled to be addressed in May-June 2010 release. Should not affect users with < 75% CPU utilization.
■ PR_49885 — Performance Related HA issue - scheduled to be addressed in May-June 2010 release. Should not affect users with < 75% CPU utilization.
■ PR_49894 — TMS zl Module Web browser interface performance Related HA + IPS issue - scheduled to be addressed in May-June 2010 release. Should not affect users with < 75% CPU utilization.
■ PR_50615 — Unable to monitor RAM and CPU performance via SNMP.
■ PR_50102 — Incorrect values for the SNMP objects ifSpeed and ifHighSpeed.
■ PR_3743/PR_11770/PR_2838 — Cannot change sysName, sysContact, or sysLocation objects via SNMP.
■ PR_50035 — Performance Related Maximum Configured Access Policies issue - scheduled to be addressed in May-June 2010 release. Should not affect users with < 75% CPU utilization.
■ PR_50252 — Performance Related HA + 256 VLAN configured issue - scheduled to be addressed in May-June 2010 release.
■ PR_50465 — Performance Related - excessive logging during times of high packet throughput - scheduled to be addressed in May-June 2010 release.
■ PR_51091 — IP Addresses may get translated for ICMP traffic when they shouldn't be.
■ PR_51159 — When restoring a TMS configuration via the Web browser interface, the http daemon could halt and prevent the configuration from being loaded. The http daemon would restart, but the configuration file would not have been loaded.
■ PR_51303 — If a RIP interface is disabled, deleted, then added back with the same IP configuration, re-enabled again, it will not send out RIP updates any more. Workaround: disable the RIP interface again and then re-enable it.
■ PR_51502 — In the CLI, the command capture file any ether ? does not list the choices available.
■ PR_52023 — Performance Related IPS issue - scheduled to be addressed in May-June 2010 release. Should not affect users with < 75% CPU utilization.
■ PR_52365 — When adding a static route with a reachable gateway and then changing the VLAN unique MAC address attribute, traffic is no longer routed.
■ PR_52440 — Performance Related IPS issue - scheduled to be addressed in May-June 2010 release. Should not affect users with < 75% CPU utilization.
Firewall
■ PR_2379 — In the Web browser interface, when adding a Service Object, if the Service Object already exists, an error message is displayed. The error message refers to an Address Object instead of a Service Object.
■ PR_15293 — A lot of firewall logs are generated for normal management activities. Showing this log will lead a user to think the firewall is blocking legitimate traffic.
■ PR_43869 — When a Zone is renamed, the new Zone name does not show up in log files.