AAS-28_1_11_0-RN

(1)

Alteon Application Switch

Release Notes

Version 28.1.11

August 01, 2013

(2)

CONTENT ... 4

RELEASE SUMMARY ... 4

SUPPORTED PLATFORMS AND MODULES ... 4

OBTAINING AND INSTALLING THE SOFTWARE... 4

OBTAINING THE SOFTWARE ... 4

INSTALLING THE SOFTWARE ... 5

UPGRADING THE SOFTWARE ... 5

WHAT’S NEW ... 5

NEW IN VERSION 28.1.9.0 ... 5

Password Strength Policy ... 5

Selecting Supported SSL/TLS Protocol Version Text ... 6

Close with RST ... 7

Google Chrome Browser Official Support ... 7

Client-based Service Differentiation ... 7

GSLB in IPv6 Environment ... 8

DNS Layer 7 in IPv6 Environment ... 8

Least Connections per Virtual Service ... 8

Configuration Audit ... 9

SNMP Traps for VRRP ... 9

Configuration Synchronization Feedback ... 9

(3)

Trunk port in VRRP Hot-Standby ... 10

No-Password Uniqueness... 10

CHANGED FEATURES IN VERSION 28.1.5.0 ... 10

IPv6 Link Local Address... 10

Alteon VA Management ... 10

Configuration Capacity Increase ... 10

Downgrade Protection... 10

Layer 7 Sessions Failover ... 11

SSL information HTTP Headers in 2424-SSL Format ... 11

Delete SSH Keys ... 13

Entry Level 5224 ADC-VX... 13

MAINTENANCE FIXES ... 13 FIXED IN VERSION 28.1.11.0 ... 13 FIXED IN VERSION 28.1.10.0 ... 17 FIXED IN VERSION 28.1.9.0 ... 23 FIXED IN VERSION 28.1.8.0 ... 35 FIXED IN VERSION 28.1.7.0 ... 35 FIXED IN VERSION 28.1.6.0 ... 38 FIXED IN VERSION 28.1.5.0 ... 45 FIXED IN VERSION 28.1.2 ... 49 KNOWN LIMITATIONS ... 50 LIMITATIONS IN VERSION 28.1.10.0 ... 51 RELATED DOCUMENTATION ... 55

(4)

Radware announces the release of Alteon Application Switch version 28.1.11.0. These release notes describe new features since the last released version of 28.1.5.0. Alteon Application Switch 28.1.11.0 includes all bug fixes from maintenance version 28.1.5.0.

Release Summary

Release Date: July 22, 2013

Objective: Minor software release addressing software issues.

Supported Platforms and Modules

This version is supported on the following Alteon platforms:

 4408 running on OnDemand Switch™ VL

 4408 XL running on OnDemand Switch VL XL

 4416 running on OnDemand Switch 2

 4416 running on OnDemand Switch 2 XL

 5224 running on OnDemand Switch 3 LS

 5224 running on OnDemand Switch 3 LS XL

 5412 running on OnDemand Switch 3

 5412 running on OnDemand Switch 3 XL

For more information on platform specifications, refer to the Alteon Installation and Maintenance Guide.

This version is supported by APSolute Vision version 1.25 and later.

Obtaining and Installing the Software

This section describes how to obtain and install the software for this version.

Obtaining the Software

1. Go to www.radware.com and log in if prompted.

Note: You must have a username and password before attempting to download a software update. If you do not have a username and password, click My Account and then click Register.

2. Under My Updates > Software Releases, the set of products and software downloads for which you have licenses display.

3. For the release version and platform you want to update or recover, select the Download Software icon, and download the relevant software update or recovery files to a server within your own organization that is accessible using FTP or TFTP.

(5)

Upgrading the Software

For details on upgrading, refer to the Alteon Installation and Maintenance Guide. You can upgrade to this version from any of the following previous AlteonOS versions:

 26.0.x  26.1.x  26.2.x  26.3.x  26.8.x  27.0.x  28.0.x  28.1.x

What’s New

This section describes the new features and components introduced in this version. For more details on all described capabilities, refer to the Alteon Application Switch Operating System Application Guide and the Alteon Application Switch Operating System Command Reference for this version.

New in version 28.1.9.0

Password Strength Policy

Administrators are now able to configure parameters that ensure only strong passwords. The password strength enforces:

 Minimal password length

 Specific characters Complexity

 Password validity (maximum/minimum age)

 Password History.

Note: The strong password policy is not applied on main Administrator (admin username), but is applied on user-defined users with Administrator role.

(6)

version will be rejected before handshake start. Use-cases examples:

 Mitigate the BEAST by allowing only SSLv3 and TLS1.1 in the SSL Policy.

 To completely reject any SSLv2 connection to pass PCI compliance testing (SSLv2 handshake failure on non-matching ciphers as it is done today is non-PCI compliant)

>> HTTPS Server Access# /cfg/slb/ssl/sslpol 1

--- [SSL Policy 1 Menu]

name - Set descriptive policy name

passinfo - Pass SSL Information to Backend Servers Menu frver - Allowed Frontend SSL Protocol Version Menu bever - Allowed Backend SSL Protocol Version Menu cipher - Set allowed cipher-suites in frontend SSL intermca - Set Intermediate CA certificate chain becipher - Set allowed cipher-suites in backend SSL authpol - Set client authentication policy

convuri - Set Host regex for HTTP redirection conversion bessl - Enable/Disable backend SSL encryption

convert - Enable/Disable HTTP redirection conversion ena - Enable policy

dis - Disable policy del - Delete Policy

cur - Display current policy configuration >> SSL Policy 1# frver/

--- [SSL Policy 1 frver Menu]

ssl3 - Enable/Disable frontend SSLv3 protocol version tls10 - Enable/Disable frontend TLS1.0 protocol version tls11 - Enable/Disable frontend TLS1.1 Protocol version

cur - Display current frontend SSL protocol version configuration

>> SSL Policy 1# bever/

--- [SSL Policy 1 bever Menu]

ssl3 - Enable/Disable backend SSLv3 protocol version tls10 - Enable/Disable backend TLS1.0 protocol version tls11 - Enable/Disable backend TLS1.1 Protocol version

(7)

New in version 28.1.7.0

Close with RST

When enabled, upon receiving FIN from either side (client or server), Alteon closes the other side using RST. This causes the session entry to be removed immediately.

When disabled, upon receiving FIN, graceful closure is performed in both sides. Default: disable

Close with RST can be set per virtual service.

Note: To enable, forceproxy must be enabled on that service NFR number: prod00162646

New in version 28.1.5.0

Google Chrome Browser Official Support

Google Chrome Browser (version 17.x and later) is added to the list of supported BBI platforms.

Client-based Service Differentiation

Alteon lets you provide differentiated services for specific client groups: different type of services, different levels of service, and different service access rights.

To implement this feature, source network classification has been added to the Layer 3 service classification as part of virtual server definition.

For example, in order to provide differentiated HTTP/S services for two separate groups of clients, you need to configure the following:

 Source Network nw1

 Source Network nw2

 Virtual Server 1: VIP 100.100.100.100, Source Network nw1 o Service HTTP: Group 1

o Service HTTPS: Group 1; SSL Policy ssl1

 Virtual Server 2: VIP 100.100.100.100, Source Network nw2 o Service HTTP: Group 2

o Service HTTPS: Group 2; SSL Policy ssl1

If, for example, you want to allow only HTTPS service for nw2 users, no HTTP service would be configured for Virtual Server 2.

(8)

 nw1: o Include 100.100.90.0/255.255.255.0 o Include 100.100.950.0/255.255.255.0 o Include 100.100.20.0 – 100.100.40.255  nw2: o Include 100.100.0.0/255.255.0.0 o Exclude 100.100.90.0/255.255.255.0 o Exclude 100.100.950.0/255.255.255.0 o Exclude 100.100.20.0 – 100.100.40.255

Note: This new capability is currently only configurable via CLI and BBI.

GSLB in IPv6 Environment

Global Server Load Balancing is now supported for IPv6 environments. This support includes:

 Support for AAAA query resolution that allows resolving a hostname to an IPv6 address.

 Support for IPv6 GSLB networks to enable using the Network metric for IPv6 clients.

 Support for IPv6 communication between remote sites.

 New DSSP version (version 5) that provides support for IPv6.

 DNSsec support for AAAA queries

Note: This new capability is currently only configurable via CLI and BBI.

DNS Layer 7 in IPv6 Environment

Layer 7 load balancing (according to hostname, query type, or DNS versus DNSsec type) is now also supported for DNS UDP in an IPv6 environment (IPv6 clients and servers).

Least Connections per Virtual Service

The Least Connections per Virtual Service group metric is an extension of the current Least Connections metric. It allows for real server selection based only on the number of active connections for the service which is load balanced, and not the total number of connections active on the server.

For example, when selecting a real server for a new HTTP session, a real server serving one HTTP connection and 20 FTP connections takes precedence over a real server serving two HTTP connections only.

(9)

Configuration Audit

Alteon lets you log the details of all configuration changes to the syslog servers.

Note: Enabling this feature may increase the Management Processor (MP) CPU usage temporarily if the configuration changes are very large.

Note: This feature was first introduced in version 26.3.1.0.

SNMP Traps for VRRP

SNMP traps are sent when a VRRP virtual server router (VSR) changes status to either master or backup.

Configuration Synchronization Feedback

Feedback on success or failure of Global Admin configuration synchronization has been added. Reports are received on success or failure of synchronization with each peer.

What’s Changed and/or Modified

This section describes changes to existing features and components introduced in this version.

Changed Features in version 28.1.10.0

Trap Update for Link-UP Link-Down

The trap information of linkDown and linkUp were updated and added with the following information:

 ifName – return “Port <ID>”, for example, Port 1.

 agPortCurCfgPortName – return the port name as defined at "/c/port x/name”.

 agPortCurCfgPortAlia - return the port alias as defined at under "/c/port x/alias".

With this change, the linkDown and linkup traps return the following MIBs in this:

altSwTrapDisplayString, ifIndex, altSwTrapSeverity, ifName, ifOperStatus, ifAdminStatus, agPortCurCfgPortName and agPortCurCfgPortAlias.

(10)

In a VRRP Hot-Standby configuration, a trunk port is now considered as failed and its priority is changed only when all the ports in the trunk are down.

NFR number: prod00167723

No-Password Uniqueness

In case of pre-defined user password is changed from its default and no local users define, both user name and password will be prompted upon login instead of only for password

NFR number: prod00161402

Changed Features in version 28.1.5.0

IPv6 Link Local Address

The following enhancements were made to Link Local Address support:

 Manual configuration of a VLAN Link Local Address

 An address of type Link Local can be configured in a static route Gateway parameter.

Alteon VA Management

Alteon VA can now be managed through VMware API and File System.

Configuration Capacity Increase

The maximum number of configurable instances was increased for the following objects:

 The maximum number of TCP scripts has been increased to 256.

 The maximum number of static routes has been increased to 1024

 The maximum number of GSLB networks for has been increased to 1024

Downgrade Protection

In order to mitigate crash-loops due to configuration parameters that are not supported in earlier versions, after downgrading from version 28.1.x the configuration is restored to factory defaults (preserving IPv4 management interface access). Starting with this version, after downgrading from a version later than 28.1.5.0, the device will perform Apply verification after booting up with the earlier version.

(11)

when requests are received over connections established with the old master.

SSL information HTTP Headers in 2424-SSL Format

In this release, the optional HTTP headers that carry SSL and SSL-based client authentication information can be set to be in 2424-SSL compatible format. This new functionality eases the migration of Web applications that used 2424-SSL for SSL offloading to AlteonOS 28.1.5.0, by eliminating the need to change the Web application header parsing.

The new headers format is available when changing the comply command to enabled in one of the following paths:

 /cfg/slb/ssl/sslpol/passinfo

 /cfg/slb/ssl/authpol/passinfo

The following table compares HTTP Headers formats between versions:

Location Info Type 2424-SSL 28.15 when comply disabled

28.15 when comply enabled

SSL Policy Cipher-suite N/A Cipher-Suite: AES256-SHA Cipher-Suite: AES256-SHA SSL Policy SSL Version N/A SSL-Version: TLSv1/SSLv3 SSL-Version: TLSv1/SSLv3 SSL Policy SSL Cipher

Bits

N/A Cipher-Bits: 256 Cipher-Bits: 256

SSL Policy SSL complied info X-SSL: decrypted=true, ciphers="TLSv1/SSLv3 RC4-SHA” N/A X-SSL: decrypted=true, ciphers="TLSv1/SSLv3 RC4-SHA"

SSL Policy IIS front-end HTTPS

Front-End-Https: on Front-End-Https: on Front-End-Https: on

Authentica tion Policy Client Certificate issuer X-SSL: peerissuer="emailAddr [email protected] m,CN=CT10,OU=CT1 00,O=Radare,L=NA,S T=NY,CUS" CCRT-Issuer: /C=US/ST=NY/L=NA/O=Rad wae/OU=CT100/CN=CT100/ emailAddress=ct100@radw are.com X-SSL: peerissuer="emailAddress= [email protected],CN=C 100,OU=CT100,O=Radwar, L=NA,ST=NY,C=US" Authentica tion Policy Client Certificate subject name X-SSL: peersubject="emailAdd ress=ct100@radware. com,CN=User_0002,O CCRT-Subject: /C=US/ST=NY/L=NA/O=Rad ware/OU=CT100/CN=User_ 0002/e X-SSL: peersubject="emailAddress [email protected],CN= User_0002,OU=CT100,O=

(12)

L=N,ST=NY,C=US" e.com US" Authentica tion Policy Client Certificate serial number X-SSL: peerserial=3 CCRT-SN: 03 X-SSL: peerserial=03 Authentica tion Policy Client Certificate SSL version

N/A CCRT-Version: 3 CCRT-Version: 3

Authentica tion Policy Client Certificate signing algorithm N/A CCRT-SignatureAlgo: md5WithRSAEncryption CCRT-SignatureAlgo: md5WithRSAEncryption Authentica tion Policy Client Certificate not valid before

N/A CCRT-NotBefore: Oct 12 18:05:37 2010 GMT CCRT-NotBefore: Oct 12 18:05:37 2010 GMT Authentica tion Policy Client Certificate not valid after

N/A CCRT-NotAfter: Oct 12 18:05:37 2011 GMT CCRT-NotAfter: Oct 12 18:05:37 2011 GMT Authentica tion Policy Client Certificate Public key type N/A CCRT-publicKeyType: RSA(1024 bit) CCRT-publicKeyType: RSA(1024 bit) Authentica tion Policy Client Certificate HASH N/A CCRT-MD5Hash: 9311345EB64A9D5968AF6 A471D480431 CCRT-MD5Hash: 9311345EB64A9D5968AF6 A471D480431 Authentica tion Policy Full client cert X-Client-Cert: ---BEGIN CERTIFICATE--- MIIDfjCCAue...XZKw= = ---END CERTIFICATE--- CCRT-Certificate: MIIDfjCCAue...XZKw== X-Client-Cert: ---BEGIN CERTIFICATE--- MIIDfjCCAue...XZKw== ---END CERTIFICATE---

Header names are configurable in AlteonOS 28.x so they can be adjusted to comply with 2424-SSL fixed header names easily in configuration.

(13)

Entry Level 5224 ADC-VX

Alteon 28.1.5.0 supports entry-level ADC-VX (maximum of 10 vADCs) on 5224 with 12 GB RAM.

Important! This offering is only available in the Americas region, for special promotion.

Maintenance Fixes

This section lists all fixed issues that were reported by the field personnel or mentioned

previously as known limitations or bugs in versions starting from version 28.1.0. Later versions contain all fixes of earlier versions unless otherwise noted.

Fixed in version 28.1.11.0

Item Description Bug ID

1. Using the APSolute Vision client, configuration sync between two Alteon platforms sometimes caused the Alteon initiating

the sync to crash. prod00189736

2. Using APSolute Vision client, it was not possible to set a the Server Group ID in virtual services other than HTTP and

HTTPS prod00189732

3. IPv6 scripted health check did not close the TCP session in

case of multiple open and close actions in the same script. prod00189690

4. When issuing the 'save' command through the XML API

interface, Alteon crashed. prod00189552

5. Using the BBI, it was not possible to configure the USM User

Name (an SNMPv3 parameter). prod00189302

6. In a mixed IPv4 and IPv6 environment, after session entries

aged, Alteon sometimes crashed. prod00189144

7. In a mixed IPv4 and IPv6 environment, after session entries

aged, Alteon sometimes crashed. prod00189143

8. On an Alteon 5000 and 4416, in standalone mode, the throughput usage calculation was incorrect, causing false

throughput alert messages to be sent. prod00188880

9. In VRRP hot standby mode, when the ISL port was set to disabled on the backup Alteon, all hot standby ports on the backup remained in DISABLED status and did not change to

FORWARDING status. prod00188830

10. With dbind enabled, the ICMP unreachable (Fragmentation

(14)

incorrect SEQ number.

11. After rebooting a vADC, with connection management configured on a service and its associated server port defined with VLAN-based PIP, the entire configuration

(except the management configuration ) displayed in the diff. prod00188476

12. In VRRP hot standby mode, when using trunk ports in ISL ports and in client or server-side ports, when all ISL ports were down all of the client and server side ports on the backup Alteon changed to FORWARDING statues, causing

a Layer 2 network loop. prod00188370

13. After the Global Admin changed the backdoor settings for a vADC user, the backdoor command did not display in the Global Admin configuration dump and also did not display in

the vADC. prod00188348

14. When Alteon received a ping destined for a network broadcast address, Alteon sent the ping reply with source MAC address of ff:ff:ff:ff:ff:ff instead of the interface MAC

address. prod00188176

15. After rebooting a vADC with static ARP entries configured,

the entire configuration displayed in the diff. prod00188160

16. After the admin password was changed in the configuration,

the password displayed in clear text in diff and diff flash. prod00188159

17. After Alteon was up for about 200 days, it sometimes experienced the following behavior:

- 100% SP CPU utilization - Full system freeze

- Sudden system reboot with no panic trace

These issues seemed to occur without any network changes, traffic patterns changes, user intervention, or any

other direct reason. prod00187911

18. When configuration auditing using TACACS+ was enabled, the following issues occurred:

- The commands under the /cfg/sys/mmgmt menu were not logged when entered in a single line.

- When configuration was performed using an SSH session,

no commands were logged. prod00187747

19. When a feature license was enabled on a vADC, a vadcLicGlobal trap was generated but the

vADCNewCfgFeatBWM OID was missing. prod00187636

20. After Alteon rebooted with no space on the hard disk, the configuration that had certificate and keys was not handled correctly, resulting in the entire configuration displaying in

the diff. prod00187467

21. After upgrading from version 26.x to 28.x or 29.x, attempting

(15)

an error because APSolute Vision could not retrieve the device driver from Alteon

22. Using an SSH connection, uploading a configuration that that defined SSHv1 as disabled changed the SSHv1 setting

to enabled (default). prod00187123

23. A high rate of packets with invalid TTL (value 0,1) that are processed by the device could cause health check flip-flops,

VRRP flip flops, due to high MP CPU uitilization. prod00187051

24. When setting the DST time zone to the Canada/Eastern-Ontario-&-Quebec time zone and the NTP Timezone Offset (tzone) was +0:00, the NTP Daylight Saving Time (DST) was

not adjusted correctly. prod00186863

25. When traffic was processed through the Application Engine, after VRRP failover an outage sometimes occurred. This was because of RST or FIN packets sent by Alteon on sessions that started on the main platform and which failed over, using the VR MAC instead of the interface MAC

("confusing" the Layer 2 switch). prod00186846

26. When accessing device via TACACS authenticated user in some rare cases the TACACS server closed the connections at the same time the device TACACS request timed out and

it caused panic on the device. prod00186821

27. After uploading an image using SCP, the subsequent file transfer via SCP (such as get configuration0), sometimes

caused Alteon to crash. prod00186670

28. Using the BBI with a RADIUS authenticated user whose name length was longer than 21 characters, after logging out

of BBI Alteon panicked. prod00186667

29. SIP Load Balancing did not work with fragmented requests. SIP requires that all fragments are first buffered and then makes the load balancing decision. Because the last fragment was dropped, the load balancing decision was not

be performed. prod00186644

30. When the configuration included a group for which backup group is defined and a group with no backup defined, whose ID was higher than the ID of group with backup defined, and the traffic was processed by Acceleration Engine, when the group that has backup was down, the servers in the backup group appear as not in service, even though they are

available, resulting in 503 error response to clients. prod00186573

31. A DSR ICMP health check failed on servers running

Windows 2008R2 SP1. prod00186546

32. Sessions handled by the Application Engine were not aged, if within 60 seconds after the FIN packet was sent by the

server it also sent a SYN (as a result of RST). prod00186501

33. When using an SSH management connection, Alteon

(16)

34. On an Alteon 5412 platform, the throughput was limited to

10G instead of 20G. prod00186287

35. When ADC-VX restarted after a crash or intentional panic

(using /maint/panic), Alteon experienced instabilities. prod00186261

36. Using SNMP, the temperature threshold was incorrect. prod00186095

37. When using TACACS+ Authentication, after entering user credentials, sometimes the connection using SSH stacked

and no CLI prompt appeared. prod00186092

38. Using the BBI, a trap on a login failure attempt was not

generated. prod00185928

39. In VRRP hot standby mode, after a port was operationally disabled and then enabled, the port configuration

enable/disable command did not work properly. prod00185423

40. On a backup platform, operationally disabling a hot standby

SFP port did not work. prod00185419

41. GSLB HTTP redirection did not work for an HTTPS service. prod00178810

42. Using URL SLB, when the GET URL split over multiple TCP segments, the URL string matching was performed only on

the first segment, resulting in incorrect matching. prod00177975

43. In version 28.1.8.x, after setting the re-ARP period and applying and saving in its old path (/cfg/l3/ip) instead of its new path (/cfg/l3/arp), after reboot the command to set the

re-ARP period was disabled. prod00174075

44. Per second Interface statistics displayed incorrect values. prod00161478

45. The export tech support dump command did not prompt to

provide the file name with a .tar extension. prod00156435

46. In a vADC, the memory utilization output (/stats/sp/mem)

always displayed 0 Kbytes. prod00156430

47. The Last apply and Last Save times were not updated when receiving the configuration from a peer switch during a sync

operation. prod00156326

48. In some cases, sending BPDIs on the external port failed due an internal issue, when this happened, debug printouts

appeared on the console. _prod00190184

49. Using NAT filter, ICMP "Destination Unreachable" messages response were not processed by Alteon , as session creation

(17)

50. When the application service log was set to debug level, a GET/POST request containing %s or

%<number>s arrived, causing Alteon to crash. prod00185487 51. When the time zone was set to a location where DST

(Daylight Saving Time) is applicable but not in effect, on every reboot the time moved back by one hour.

If after reboot the time changed to a value earlier than the certificate issued time, the error server

certificate not yet valid displays. prod00185363 52. In a session that had a number of GET requests where

the cookie is bound to a server in down state, the first GET request was redirected to another server that was in up state, while the other GET requests were sent

incorrectly to the first server which was in down state. prod00177865 53. Configuration changes for TCP and content class trace

log were incorrectly applied. As a result, warning messages regarding the Application Services Trace Log performance impact were potentially sent every

few hours even after all logs were disabled. prod00177729 54. The description for some MIBs related to real server

statistics per SP were updated to reflect their "per SP"

relation. prod00185158

55. In force proxy mode, when the client sent a FIN and the server answered with an RST, fastage was not

activated on the session entry. prod00177443

56. Throughput license alerts only worked on the Alteon

4408 platform and not on any of the other platforms. prod00177506 57. Resize of the vADC file system:

==========================

In VX versions as 28.1.2.0 and below, the vADCs were allocated with a low size as ~7.5MB instead of having more than 50MB.

This caused inability to capture traffic on the vADCs As upgrade doesn't change the size allocated in previus version to vADCs, we introduce the command /maint/debug/resizevadc

(18)

If so, the user will be asked to confirm the process will being informed that requires system reboot which may take up to 1.5 hours.

Resize operation on 28.1.10.0 changes the vADCs size to ~100MB

Note: USB Recovery procedures to these versions will also allocate the right sizes to the vADCs

58. After reboot, the ISL VLAN configuration for a vADC

was moved to pending state . prod00177682

59. When the resolution was set to one hour or one day,

the ADC-VX dashboard displayed incorrect statistics. prod00178193 60. When a real server and Alteon VA resided on the same

ESX, HTTP health checks failed. prod00179128

61. When using a passive cookie, dbind forceproxy, and the hash metric, if the cookie value did not match any session entry, the cookie value was used as the key to

select the real server instead of using the source IP. prod00184579 62. The administrative user with the Service user class

could not display any information or statuses of the real servers for which the administrative user was defined

as the owner. prod00138330

63. After the NTP time zone was modified using /cfg/sys/ntp/tzone, the system time zone was not updated.

prod00150654, prod00174180 64. VRRP advertisements were still sent even when all

ports were down, causing the advertisements counter

(/stat/l3/vrrp vrrpOutAdvers) to continue to increase. prod00157795 65. The output of the /info/l3/route/dump command

displayed internal debug information irrelevant to Alteon end-users. This output now only appear only in

God mode. prod00164538

66. In Global admin mode, the incorrect stat/vadc X/sp Y/mem command syntax was accepted. The correct

syntax is stat/vadc X/sp/mem. prod00177262

67. In Alteon VA VMware version 28.1.9.0, high MP CPU

(19)

CPU utilization was low.

68. When vstat was enabled, the virtual service octets counter wrapped around at the 4,294,967,295 value

(32-bit). prod00185606

69. The user-defined cipher parameter was incorrectly

limited to 64 characters. prod00178811

70. When a NAT filter was configured, traceroute failed because ICMP TTL Exceeded Timeout (ICMP type 11) packets that arrived with NAT address as the

destination IP, were dropped.

prod00178853, prod00185053 71. If several virtual servers had the same VIP, when a real

server returned an HTTP redirection, an internal tunnel

port was added to the location header. prod00178751 72. After applying and saving a configuration that was

uploaded over a factory default setting, an incorrect message displayed stating that there may be unapplied configuration changes, even though all changes were

applied. prod00179387

73. Using BBI, a virtual router could be deleted while still

being a member of a VR group. prod00178423

74. When dbind was enabled on a service, the session timeout was set to the value configured on the real server instead of using the timeout configured on the

virtual service. prod00179486

75. vADC SP memory statistics did not function. They

always displayed 0. prod00177007

76. If multiple virtual servers shared the same VIP, when the virtual server with a higher index was deleted the Virtual Server Router (VSR) of that VIP was stuck in

the INIT state. prod00177399

77. The SNMP trap always were sent to the default port

(162) regardless of the configured port number. prod00185083 78. On an Alteon VA platform using BBI, it was possible to

install a new image to the active image slot. prod00185159 79. When the Inter-Switch port was down, the hot-standby

ports that belonged to a trunk kept their STG state as

(20)

off.

80. The following MIB objects appeared twice in the MIB

file: agTftpImageAdc and agTftpImageVx prod00184976 81. Using BBI, a virtual server with the UDP stateless

protocol displayed as TCP. prod00184977

82. The content class element

Hostname/Path/Filename/Filetype did not match an

empty value. prod00185431

83. In case of script health check, where the expected response string is bigger than 40 chars, if a health check bigger than 60 chars did not match the expected

string, the device crashed. prod00184908

84. In a configuration where the Hot-Standby ports belong to a trunk on both client and server network, in case all

the ISL ports were down, a L2 network loop occurred prod00179395 85. In case of a multiple request connection arrived to a

virtual service configured with HTTP content modification and connection management, If the second request arrived at the same time the service cannot respond (service down or in 100% CPU

for example), the device may crash. prod00178731 86. Traps vadcStateUp, vadcStateDown,

vadcStateShutdown and vadcStateRestart were

removed from the MIB file as they are not supported. prod00178727 87. When TACACS+ logging is enabled, in some cases

when performing apply from the CLI alone with TAB,

before hitting enter, the device may crash. prod00177992 88. In some cases, configuration synchronization from the

VX caused the backup VX to crash prod00185644 89. When application service log was set to debug level, a

GET/POST request containing %s or %<number>s arrived caused the Alteon to crashed.

prod00185316 90. Setting application service modules log level to none

did not change the TCP module log level to none as

well. prod00185168

(21)

mechanism that automatically changes the application log level to debug in case of large amount of messages per session arrives.

92. Using the BBI to download an image more than once

via HTTPS, occasionally caused Alteon to crash. prod00174597 93. The following changes were made due to BDPU packet

loss in Alteon VX:

- You can now use the /c/sys/acc/rlimit command to limit the number of BPDUs handled per second per port on Alteon VX.

- The default BPDU limit was changed to zero

(unlimited). In previous versions it was hard-coded to 5 BPDUs per second per port for Alteon VX, and to 5 BPDUs per second per port for standalone Alteons. - A counter was added to show the number of BDPU packets dropped in Alteon VX and can be found at /stats/vx/counters.

- Alteon vADC now accepts all rlimit values, except for

BPDUs (which are processed in Alteon VX). prod00176509 94. An incorrect trap (vADCInfoStatus) was generated from

GA upon vADC reboot. prod00173256

95. Redirect persistent sessions were not aged out when

rport was configured with the filter. prod00174261 96. When RTS was enabled on client port, the RTS

sessions were wrongly created on all SPs, causing the sessions on the non-relevant SPs to persist and not

aged out. prod00174301

97. The management port became inaccessible when the management connection was closed before TFTP upload/download tasks via the management port (such as support dump and configuration dump) had ended

completely. prod00177406

98. It was not possible to add a GSLB IPv4 remote site via

(22)

generated.

99. In some cases it was not possible to download the

cached content. prod00176971

100. In a configuration were the data port gateway and a real server had the same IP address, and both had an ARP health check, the gateway frequently lost its

connectivity, causing the VIP to become inaccessible. prod00177212 101. Redirection to HTTPS requests failed if the virtual

service was defined with an HTTPS redirection action which using "$QUERY", and the requests to redirect

contain an odd number of characters in the string. prod00175362 102. After changing the real server operational status to

disable and then to enable, its state changed to block

although its health check succeeded. prod00175800 103. Traps altSwcpuCross80 and altSwcpuFell80 are now

obsolete. prod00173561

104. Incorrect trap OIDs were sent for vADC throughput

limit, vADC ssl limit, and vADC compression limit. prod00173851 105. When a VRRP status change occurred on vADC, an

incorrect trap OID was sent. prod00173921

106. Applying a content rule in a virtual service sometimes failed when the rule was not added in the consecutive numerical order to rules already applied. For example, applying rule 6 failed where rules 5 and 7 were already

running. prod00174209

107. Using the BBI to upload a new image to the active image bank caused Alteon to become non-bootable

and require USB recovery. prod00176870

108. Incorrect trap host address was shown under

/info/sys/snmp/taddr. prod00174552

109. ColdStart (sent on startup) and WarmStart (sent on reset) traps were not generated in Alteon versions after

28.x. prod00176003

110. When a feature license was enabled on vADC, an

incorrect trap OID was sent. prod00174181

111. When vADC was deleted, the vadcDelete trap was not

(23)

112. When capacity units where added or removed from

vADC, the vadcCapUnit trap was not generated. prod00174185 113. When setting the Alteon health check content in the

group to a value longer than 127, no warning appeared

although Alteon did not accept this content. prod00174273 114. In a standalone Alteon, when trying to set the BWM

user table size using the BBI, an incorrect message sent stating that the maximum allowed entries is 16K

entries per SP. prod00174400

115. A RADIUS/TACACs+ secret password including "!" disappeared from configuration after reboot.

prod00175349/ prod00175631 116. For WAP SLB with RADIUS persistence, group

statistics showed that all traffic was sent to one server, although the traffic was actually load balanced between

several servers. prod00174693

Fixed in version 28.1.9.0

1. In version 28.1.8.40, when uploading the configuration with a private key, the key extraction failed because the

passphrase was not parsed correctly. prod00174411 2. In version 28.1.8.20, the redirection filter with client

proxy processing enabled did not work. prod00174272 3. When a SIP service with no SIP parsing was used,

various configuration additions (such as adding a filter, adding Layer 7 parsing for other services, disabling

local DAM) caused session failures on that SIP service. prod00174120 4. HSRP tracking did not work-- the priority was not

increased. prod00173856

5. When some services used the legacy delayed binding and some used forceproxy, under stress, the HTTP 503 error message could appear on the proxied

session due to server selection failure. prod00173770 6. Using the BBI, when configuring the intermediate

(24)

7. After switching to verbose 1 mode, a service configured in verbose 2 mode was erroneously

changed to basic-slb. prod00173750

8. When the scpadmin user on a TACACS server had the same password as the scpadmin on the device, logging in with the scpadmin user caused 100% CPU usage.

In addition, it was not possible to login with any username that had the same password as the

scpadmin user. prod00173687

9. Least connection load balancing on a real server port (rmetric) did not work with SLB IPv6-to-IPv4. All of the requests were load balanced to the first rport of the

server. prod00173370

10. SIP load balancing did not work when DAM was

enabled globally and disabled under the service. prod00173282 11. The SNMP Trap Source IP setting was not taken into

account and was not set as the trap source. Instead, the first interface that was UP was considered to be the

trap source. prod00173274

12. On traffic matching the IPv4 redirect filter with proxy processing enabled on the port, and no PIP address defined, Half NAT was not performed. Half NAT was performed correctly for the same configuration

processing IPv6 traffic. prod00173219

13. When the device rebooted with an expired certificate in its configuration, after the reboot all the configuration

remained in pending state. prod00172948

14. In session dumps collected via SNMP, the EAcc and

Acc flags were missing. prod00172918

15. Sessions collected via SNMP were not showing correctly when session entries were deleted or aged

during the collection process. prod00172917

16. On the 5224 platform, incorrect temperature thresholds

were displayed. prod00172904

17. In an ADC-VX environment, creating or changing Layer 2 configuration items such as trunks or VLANs caused

(25)

seconds.

18. It was not possible to delete session entries by using

the slbOperSessionDelete SNMP SET command. prod00172596 19. Because in version 27.x, the default protocol for DNS

and SIP services was changed from TCP to UDP, after upgrading from version 26.x to 28.x, configuration

changes in the protocol setting occurred. prod00172595 20. Using the Chrome browser, Alteon did not release the

TCP connection created by opening HTTPS

management to the device via a data port. prod00172310 21. Removed the /boot/udefquit command on

console/telnet/ssh because rebooting the device from the console using Shift + Ctrl + "-" is not supported on

OnDemand Switch platforms. prod00172213

22. Using BBI or APSolute Vision, it was not possible to export a configuration with private keys. It is now

possible on HTTPS and SNMPv3 connections. prod00172196 23. Virtual service statistics did not display the content

based-service rules statistics when the service port

was different than 80. prod00172059

24. When accessing the device via BBI using the non-default OPER user, the Class Of Service is displayed

as USER instead of OPER. prod00172057

25. After an SNMP request to 802.1AB LLDP OIDs, VRRP

flip flopped. prod00171983

26. After configuration sync, the order of the virtual services section in the configuration dump was

different in the sending peer than in the received peer. prod00171762 27. In a VRRP pair configuration with DNSSSEC enabled,

configuration sync could cause both peers to be set

with keyslave enabled. prod00171761

28. After executing the /stats/sp/c +[tab] command in the

fourth Telnet/SSH session, the device crashed. prod00171758 29. In version 28.1.8.30, a revert apply with an interface

address change could cause the device to hang. prod00171609 30. The BPDU frame length for RSTP and MSTP BPDUs

(26)

longer.

31. Using BBI, when a real server or virtual server was added to the GSLB metric, the preference value was set to 0. Now you can define network preferences

values using BBI. prod00171391

32. In a VRRP owner configuration, editing or deleting the interface IP address or VIR address did not update the

interface MAC address to the base MAC address. prod00169623 33. After applying configuration changes that affected the

routing table, the device sometimes panicked. prod00169133 34. Due to unnecessary validation during boot-up, the

vADC configuration was not applied automatically and instead moved to “diff”. Manual apply was then

required to make it active.

prod00162680/ prod00170875 35. It was not possible to delete an IPv6 management

interface. prod00160336

36. When an apply command was performed in parallel with a configuration change done from another CLI interface, the CPU utilization increased.

prod00156307

37. When the passphrase configured for certificate sync contained an "!" character, the configuration was not

loaded after reboot. prod00171765

38. When force proxy was used, the default BWM contract (ID 1024) did not work, as well as application

acceleration capabilities and SSL acceleration. prod00171616 39. When Alteon inserted an x-forwarded-for header and

dbind is set to enabled, a client request corruption occurred.

When dbind is set to force-proxy, this client request

corruption does not occur. prod00171441

40. If one of the ports in a trunk was down, the trunk was declared down for port teaming.

In this version, the trunk is now considered up for port

teaming if at least one trunk port is up. prod00171252 41. Alteon did not process the HTTP CONNECT method.

After a service with application acceleration configured

(27)

connection by sending [FIN,PSH,ACK] to the client. 42. When rport load-balancing was used with pbind cookie

and dbind force proxy, virtual server statistics were

incorrect prod00171178

43. When receiving multiple GET requests in the same TCP session that matched both cookie persistency and URL SLB and that were designated to different real servers, the persistence sessions that were created were not removed from the session table, causing the

session table to fill up prod00170976

44. On a device with an ADoS license and DoS attack enabled on the port, ICMP type 3 packets (destination port unreachable) where considered as ICMPLEN DOS

attacks, causing the MP CPU to reach 100%. prod00170909 45. After migrating from the 2424 platform to the 5412

platform, WTS load-balancing did not work. This happened because of the difference between the CPU chips used in each platform and the way the IP

addresses are stored in memory. prod00170776

46. With GSLB set to enabled, HTTP access set to disabled, and wport set to 80, it was not possible to

apply a configuration. prod00170745

47. When real server backup with preemption were disabled, because an apply causes a server to either go up or down, when the backup server health check arrived before the primary server health check, the backup took over even though the primary was still alive.

prod00170723, prod00170456 48. The command description for importing and exporting a

certificate component was improved prod00170462 49. In a configuration with the same real server with

preemption disabled was associated to multiple groups that function in different virtual services, if the primary server failed, the backup server took over only in one group.

prod00170454, prod00170317 50. Configuring real server backup with preemption

disabled created tje following problems:

1. Preemption disabled did not work for some real servers (depending on their index).

prod00170453, prod00170067

(28)

2. If the primary server came up before the backup (for the first time after reboot), and the server went down then up again, preemption acted as if it was enabled. 51. After failover, on the ex-Master, the status of some

primary servers with backup preemption disabled changes to operator DISABLED and backup server took over.

prod00170451

52. Using a redirect filter, if a real server with preemption enabled failed, its backup real server took over and acted as if preemption was disabled when the primary real server came back up (traffic was still sent to the

backup server even though the primary was up). prod00170374 53. Network class deletion was not synced to a peer

switch. prod00170347

54. backup group real server showed in service info output as "group dis, up" and no traffic sent to that real

although the backup group was up.

This happened when the primary group went down and the backup group became active and then 2 more groups were added using the same real server from

the backup group prod00170175

55. In an ADC-VX environment, MSTP/RTSP was not

working. prod00169943

56. In a vADC environment, a tsdump command caused a VRRP to flip flop (meaning that the backup became master and after a short time became the backup again) and all services defined on that vADC went

down. prod00169942

57. Throughput information showed much higher values

than the actual throughput. prod00169940

58. When an IP fragment ping was sent to a VIR, VIP, or VSR, the interface MAC address was used as the

source MAC of the ping reply. prod00169338

59. When the IP address of a VIP was changed, the ARP entry with the old VIP address was not removed even though there was no other VR with the same address

(29)

60. On an OnDemand Switch 3 platform, traffic from source TCP ports 4 or 5 displayed incorrectly in the session table, as follows:

1. Aged-out sessions still appeared in the session dump

2. Live sessions were displayed incorrectly as BWM sessions. Their source IP addresses and ingress ports

appeared as 0. prod00169037

61. SLB VIP was added automatically to the OSPF

database and distributed to the peers even though the default route redistribution was configured (no host

redistribution defined). prod00168364

62. When entering a new virtual service menu without changing anything under that menu, Alteon considered it as a configuration change even though diff was

empty. prod00167509

63. Wrong FAN failure Syslog messages were sent while the tsdmp showed FAN OK.

prod00153747/ prod00153290 64. In a vADC environment, after importing a configuration

without its private key, even though the apply was successful after the import it was not possible to

access the server certificate menu. prod00156551 65. In DSR mode, ICMP health checks were sent to real

server IP rather than to sending it to the loopback

address (the VIP IP address) prod00170244

66. SIP session entry was not aged properly in a case where INVITE reuses a session that was already

deleted/moved to fastage. prod00169941

67. Network mask of localnet was not displayed properly prod00169609 68. When using configuration with multiple interfaces, the

device became inaccessible, within 5 minutes from upgrade to 28.1.8.20

prod00169565, prod00169455, prod00169458 69. SNMP Get/GetNext request to 1.3.6.1.2.1.2.2.1.3.x

caused the Alteon to enter freeze state. Reboot was

needed to exit this state. prod00169455

70. BPDUs of disabled VLAN were flooded on all ports. prod00169555 71. _{Alteon device sometimes panicked after applying} prod00169333

(30)

configuration changes that affected routing table.

72. HTTP traffic affected by vADC SSL CPS limit. prod00169253 73. After running SNMP traffic for some time, all

management activities became inaccessible due to a memory leak

prod00169141, prod00169111 74. SNMP services became down after upgrade. That

happened due to a changed added in SMTP Health check in version 28.1.8.10.

Now, SMTP HC made common for both IPV4 and IPV6, meaning that SMTP HC will send a "vrfy" even if there is no content is configured. Some SMTP servers does not reply to "vrfy" since they are waiting for additional data and therefore can be considered as

down prod00169052

75. vADC reset occured when accessed a virtual service of

type ''service ip''. prod00169012

76. In a URL redirect from HTTP to HTTPs setting, GET request without the host header caused the device to

crash prod00168862

77. When adding PIP for port range via BBI, an error

message appeared prod00168757

78. Passive cookie persistency with rport load-balancing, when the cookie is not found and the client request is within the same TCP connection, rport persistency was

not maintained prod00168751

79. Health Check Script above 156 caused the virtual

service to go down for several seconds prod00168588 80. HTTP content class and http modification did not work

together when both made a decision according to

HOST header prod00168515

81. SIP outbound call was not working prod00168443

82. It was not possible to define Script health check

between 64 to 256 prod00168271

83. nonat on RTSP virtual service was not working. prod00166915 84. Some syslog messages on management port were

missing,

(31)

gateway address and therefore it was thought to be not UP

85. In hot-standby environment, when there are more than 256 VSRs, the following syslog message appeared in

the backup: "vrrp: received incorrect addresses" prod00165484 86. Querying the vADC interface using a 64-bit counter

MIB returned a value of 0. prod00162440

87. A change in the Layer 3 configuration caused the

default gateway status to flap. prod00168365

88. After upgrade, the pending configuration message displayed even though no pending configuration existed.

prod00167780

89. With the TACACS+ command login enabled, after executing an Alteon global command (such as save, apply, or diff. Alteon sometimes crashed.

prod00167541

90. When a hot-standby port was not part of VLAN assigned to the vADC, it was not tracked for VRRP priority.

prod00167398

91. An IPv6 VIP responded with the incorrect source MAC

address. prod00167397

92. In a DNS hostname configuration using regular expressions, uppercase characters were always changed to lowercase.

prod00167326

93. On a 4408 platform, sometimes a FAN status alert was

sent for non-existing fans. prod00167173

94. When a Layer 7 DNS string was configured to match at the end of the chain (using the $ symbol), if the string existed twice in the DNS query, it was considered to be no match.

prod00167152

95. Alteon dropped broadcast ARP replies with a unicast

target MAC address. prod00167139

96. In an ADC-VX environment, the OID of

vadcStateVrrpMaster / vadcStateVrrpBackup trap was incorrect.

prod00167105

97. The TACACS usernames did not display in the login

syslog message. prod00166917

(32)

SSL CPS information was incorrect.

99. On a 4408 platform, during upgrade a “file missing”

error message displayed. prod00166885

100. The SNMP trap for link up and link down was not clear

and did not indicate the port number and its state. prod00166805 101. When the Technical Support dump was issued via SSH

and the terminal immediately closed without writing the output, Alteon would sometimes crash.

prod00166745

102. In a vADC, when its two CUs were located on the same SP core (with a different HAID),a VRRP advertisement conflict occurred .

prod00166743

103. After issuing the "session clear" command, sessions that were removed on the master were not cleared on the backup.

prod00166740

104. NTP requests were not sent from an IPv6 management

port. prod00166538

105. Using BBI, when exporting all VX and vADC configurations, the vADC configurations were not restored properly.

prod00166537

106. On a 5224 platform using BBI, the displayed

management IP was different than the one configured in CLI.

prod00166536

107. The Spain daylight savings timezone was incorrect. prod00166534 108. An IPv6 VR did not reply to ICMPv6 requests. prod00166453 109. ICMPv6 router advertisements were not dropped by

the deny filter. prod00166448

110. Configuration synchronization was not working prod00166199 111. Redirection filters did not work correctly when proxy

was enabled on the port and the filter was defined with rport, even though no proxy IP was configured in the filter.

prod00165876

112. OSPF static/fixed selective route redistribution using

route maps did not work. prod00165847

113. Latency occurred due to a high port reuse rate. prod00165578 114. In a VRRP hot-standby configuration, when the ISL link

(33)

backup vADC.

115. Script health checks were not allowed for an IP type

virtual service. prod00164543

116. In a VRRP hot-standby configuration, when the master vADC panicked (booted up very quickly), the failover was not performed properly.

prod00162893

117. After importing a file that contains more than one

certificate, Alteon crashed. prod00160343

118. The SNMP trap for link up/down did not indicate the related port number.

prod00167018

119. Using RTSP SLB, TRCP and RTP sessions were not cleared from the session table on

time.

prod00166549

120. On a 5412 platform, when manually disabling an SFP copper port, the link did not go

down on the peer switch.

prod00166339

121. When multiple VIPs used the same real server, in the traffic that returned to the client

that caused a session failure, the real server IP to VIP translation was wrong.

prod00166243

122. On an Alteon 10000 platform, an irrelevant reboot log appeared.

prod00166207

123. Rarely, after upgrading to version 28.1.5.0, an HTTP 1.0 request from a proxy caused

the device to crash.

prod00166193, prod00166980

124. In a filter with session table caching disabled and tunable hash based on the source or

destination IP, group redirection did not occur.

prod00165795

125. When setting the backup group for a group with no real server, an unclear message

displayed.

prod00165506

126. When the request header was larger than 16K, SSL decryption failed.

prod00165389

127. When DSR was configured, many sessions were created for a single HTTP request,

(34)

causing the session table to fill up even though the load was minimal.

128. BWM statistics sent to an SMTP server configured on a data port caused a device panic.

prod00165357

129. On an Alteon 5412 platform with 32GB memory, a client request that reached 50K TPS

caused the device to crash.

prod00165275

130. When compression was used along with multiplexing, an HTTP 1.0 client, and server

keep-alive, transactions did not finish because a FIN was not sent by the server.

prod00165251, prod00166979

131. SSHv2 management connection did not work with a Sun Solaris client.

prod00165231

132. SSH management on data port caused a device panic. prod00165216 133. When a second HTTPS request arrived on an existing

TCP session, Alteon sent the

request to the same real server selected for the first HTTPS request without checking if there was a new URL SLB match.

prod00165016

134. Using BBI, configuring port mirroring caused the Alteon device to panic.

prod00164932

135. In a redirect filter with session caching disabled, when all the real servers were down,

the packets were dropped instead of being forwarded to the default route

prod00164910

136. When SNMPv1 and v2 where disabled, Alteon answered SNMPv1 requests with an

error message instead of not answering at all.

prod00164896

137. The td-config and shared maintenance debug commands were available in normal mode instead of being available only in god mode.

prod00164787

138. CISCO PVST and BPDU frames were not always tagged when sent out from a tagged

port.

prod00164731

(35)

140. In a GSLB environment, when more than 10 VIPs were configured with the same

domain, the device panicked on a DNS response for that domain.

prod00164708

141. The real server state was not set to block when one of the services it served was down.

This happened when the real server was defined with multiple addports associated with

prod00164632

142. Only ICMP health check can be used for virtual service for type IP

prod00141916

Fixed in version 28.1.8.0

1. Configuration synchronization was not working prod00166199 2. BPDUs were not always tagged when sent out from

tagged port prod00166164

Fixed in version 28.1.7.0

1. Using IPv6 script health checks resulted in high MP

CPU usage. prod00164420

2. On an Alteon 5412 platform, LACP packets were

dropped by Alteon VX. prod00164305

3. On the Alteon 5412 and 5224 VX platforms, when STP was set to off, STP and LACP packets were not

forwarded. prod00164227

4. On an Alteon 5412 platform, STP packets were

dropped by Alteon VX. prod00164223

5. It was not possible to connect using Vision to Alteon

28.1.6.0 prod00164196

6. The SLBadmin user was unable to apply configuration

(36)

7. When session caching was enabled, IPv6 filter

redirection did not work. prod00164003

8. Synchronization of DNSSEC configuration changes were automatically performed on apply, even though

no peers were configured. prod00163824

9. When Layer 7 modification was defined, dbind was

automatically changed from enabled to forceproxy. prod00163767 10. The SSH management connection became

inaccessible periodically, and running SSH on/off did not revive the connection. After several such retries, the device reset.

prod00163531, prod00163229 11. On an Alteon 5224 platform, BWM was not working on

ports 17 through 26. prod00163417

12. On an Alteon VX 5224 platform, in viewing the vADC in the BBI, there was a mismatch between the VLAN

table and the Physical Ports table. prod00163394 13. On a Alteon VX 5224 platform, in the BBI L2 Physical

Port pane, the port speed of ports 19 through 24

displayed the incorrect values. prod00163392

14. Alteon VX crashed in certain cases due to SSH

management connection. prod00163271

15. NAT was not performed on SDP data (in SIP) with response codes other than 200OK

Now it is also performed for 180 RINGING and 183

SESSION IN PROGRESS response codes. prod00163262 16. ADC-VX could capture traffic from only one vADC at a

time. Now separate files are saved for each vADC. prod00163247 17. When 1. creating a disabled virt, adding a content class

rule to it, and applying it, and then 2. enabling the virt and applying it again, Alteon replied with a "503" HTTP response code (=servers down) when matching the content class, even though the servers were actually

up. prod00163224

18. In a Layer 2 DSR environment, DNS UDP health checks caused the device to crash. Upgrade from

(37)

19. Using RADIUS authentication, SSH user access was blocked for an unlimited time, even though it was

defined as authorized. prod00163112

20. In APSolute Vision, the secure cookie insert

configuration showed opposite settings from the device prod00163098 21. When the ADC-VX and the vADCs were installed with

different versions, vADC sync failed. prod00163077 22. In the BBI, an incorrect breadcrumb appeared in the

Layer 3 sub-menus. prod00163017

23. When VRRP failover occurred, it took the default

gateway 8 seconds to get back online. prod00162931 24. Using SCP to transfer the configuration and commands

to Alteon did not work on ADC-VX/vADC. prod00162738 25. When the device was under heavy load, sometimes

FDB table corruption occurred, causing ARP and ICMP

packets to be discarded. prod00162636

26. After adding a couple of interfaces, the device

panicked. prod00162562

27. Some of the SSH/Telnet management connections were not closed properly in vADC, causing the maximum commotion (4) to be reached. As a result,

new management connections could not be opened. prod00162450 28. Querying the vADC interface using a 64-bit counter

MIB returned a value of 0. prod00162440

29. It was not possible to set a virtual service IP supporting

both UDP and TCP protocols in the same service. prod00162382 30. Executing many putdumps commands sometimes

caused ADC-VX to crash prod00162230

31. Adding a second VIP with RTSP SLB that uses the same real server as the first RTSP SLB service caused

the sessions to the first VIP to fail. prod00162090 32. An empty "name" in the "team" configuration dump

caused restoring the configuration to fail. prod00162051 33. Dynamic proximity calculation results were incorrect. prod00162044 34. When exporting the configuration using the putdump

(38)

35. Using the BBI, in a VRRP service based group, it was

not possible to disable share and preempt. prod00161975 36. Using the BBI, it was not possible to change an SSL

service rport to 443 when back-end SSL was disabled. prod00161441 37. Virtual service statistics were incorrect for services with

dbind enabled and pbind set to sslid prod00161245 38. Some validation checks for matching between the

server certificate and private key were missing. prod00160917 39. The output of the real server group mapping command

(/info/slb/bind) was incorrect. prod00157497

Fixed in version 28.1.6.0

1. When cookie insert for persistency and Layer 7 string matching were configured in an HTTPS offloading service, and the traffic did not contain any matching cookie or string, a server was selected instead of

responding with HTTP error 503 (server unavailable). prod00162602 2. With a heavy load of HTTP "Connection: close" traffic

and connection management enabled, software panic sometimes occurred when several responses were

sent from the server for one request. prod00162148 3. When the port command was retransmitted, Active

FTP load balancing did not work properly. prod00162078 4. Under certain circumstances, unpredictable behavior

occurred with certificate management (such as loss of keys, unable to connect via SSH, the diff flash holds

the configuration after reboot, and so on). prod00161974 5. When a client HTTPS request did not match any of the

strings assigned to the real servers, after Alteon reset

no response was received and SSL terminated. prod00161818 6. When the GSLB network IP version was not manually

defined, the proximity GSLB worked incorrectly. prod00161647 7. The redundant capability of setting an SNMP service

(39)

8. The configuration apply command generated incorrect

and irrelevant VRRP syslog messages. prod00161579 9. Transferring a large file using an HTTPS service took

much longer compared to an HTTP service, because a

small TCP window size was set. prod00161459

10. For virtual services configured with SSL offloading where the front-end and back-end ports are the same, the service back-end port on the backup device was

changed during configuration synchronization. prod00161446 11. Using VRRP with stateful failover configured, when the

backup device booted up after upgrading to version

28.1.5, the master device rebooted repeatedly. prod00161442 12. In version 28.1.5.0, when X-Forwarded-For was using

with dbind enabled, the sequence number on the

second get request to server was incorrect. prod00161266 13. In version 28.1.2.0, an image upgrade via HTTP

transport caused a panic. prod00161254

14. In BBI, a clear operation in SLB monitoring cleared the

session table instead of clearing SLB statistics prod00161019 15. In an HTTP persistency configuration, the path was

added to the cookie header even though it was not

configured in the pbind cookie insert configuration. prod00161011 16. The connection splicing statistic was not updated with

dbind forceproxy. prod00161007

17. Alteon panicked when "host:" string was not found in

the URI of a request. prod00160900

18. The RADIUS secret password was synced during

configuration sync. prod00160668

19. When all the real servers in a group and backup group were down, the virtual server information displayed the

backup group as disabled. prod00160637

20. On Alteon with SSL acceleration card, a very heavy

load can cause a switch panic prod00160610

21. The swkey (license information) command did not

display the installed default throughput license. prod00160459 22. A non-updated Geo database was used, causing Geo