Alteon Application Switch Release Notes Version 28.1.7.0 August 2, 2012 North America Radware Inc. 575 Corporate Dr., Lobby 1 Mahwah, NJ 07430 Tel: (888) 234-5763 International Radware Ltd. 22 Raoul Wallenberg St. Tel Aviv 69710, Israel Tel: 972 3 766 8666 www.radware.com
Page - 2 - Table of Contents Content... 3 Release Summary... 3 Supported Platforms and Modules... 3 Obtaining the Software... 3 Upgrade Path... 5 Upgrade Procedure... 5 Other Upgrade Considerations... 5 Related Documentation... 5 What s New... 6 Maintenance Fixes... 6 Fixed in version 28.1.7.0... 6 Known Limitations... 8 Page 2
Page - 3 - Content Radware announces the release of AlteonOS version 28.1.7.0. These release notes describe new features and software issues fixed since the last released version of AlteonOS 28.1.5.0. Release Summary Release Objective: Minor software release introducing a number of new capabilities and addressing software issues. Supported Platforms and Modules AlteonOS version 28.1.7.0 is supported on the following Alteon platforms: 4408 running on OnDemand Switch VL 4408 XL running on OnDemand Switch VL XL 4416 running on OnDemand Switch 2 4416 XL running on OnDemand Switch 2 XL 5224 running on OnDemand Switch 3 LS 5224 XL running on OnDemand Switch 3 LS XL 5412 running on OnDemand Switch 3 5412 XL running on OnDemand Switch 3 XL Alteon VA running on VMware ESX 5.0, KVM, and OpenXen For more information on platform specifications, see the Radware Alteon Installation and Maintenance Guide. Note: This version is supported by APSolute Vision version 1.25 and later. Obtaining the Software Before you can update your Alteon switch software, obtain the appropriate software update file from Radware, as follows: 1. Go to www.radware.com and locate the software update files. Note: You must have a username and password before attempting to download a software update. If you do not have a username and password, click My Account and then click Register. 2. Under My Updates > Software Releases, the relevant updates for the products you own display. Select the platform for which you want to download the update. 3. Select the release type and release for which you want to download the update. 4. Download the software update files to a server within your own organization that is accessible using FTP or TFTP. Page 3
Page - 4 - The following is the software base for the software update files: File name File Size Comments AlteonOS-28.1.7.0-4408.img 68,761,600 System upgrade software image for AAS 4408 Recovery-AlteonOS-28.1.7.0-4408.zip 86,558,892 Recovery image for AAS 4408 (via USB) AlteonOS-28.1.7.0-4416.img 89,989,120 System upgrade software image for AAS 4416 Recovery-AlteonOS-28.1.7.0-4416.zip 107,576,119 Recovery image for AAS 4416 (via USB) AlteonOS-28.1.7.0-5000.img 224,870,400 System upgrade software image for AAS 5412 and 5224. Used for one-step upgrade of ADC-VX and its vadc instances and Alteon standalone devices. AlteonOS-28.1.7.0-5000-VX.img 86,988,800 ADC-VX Infrastructure-only upgrade image for AAS 5412 and 5224. AlteonOS-28.1.7.0-5000-ADC.img 137,881,600 vadc upgrade image for AAS 5412 and 5224. Requires ADC-VX infrastructure image to be installed first. Recovery-AlteonOS-28.1.7.0-5000.zip 240,662,909 Recovery image for AAS 5412 and 5224 (via USB) AlteonOS-28.1.7.0-VA.img 69,492,954 Upgrade image for Alteon VA Alteon-28.1.7.0.ova 100 218,880 VMware Virtual Appliance image Alteon-28.1.7.0_xen.tgz 81,620,395 Xen Virtual Appliance image Alteon-28.1.7.0_kvm.tgz 100,340,409 KVM Virtual Appliance image Page 4
Page - 5 - Upgrade Path You can upgrade to this AlteonOS version from AlteonOS versions 26.0.x, 26.1.x, 26.2.x, 26.3.x, 26.8.x, 27.0.x, 28.0.x and 28.1.x. This version is a recommended upgrade for AAS 4408/4416 users with 4 GB of RAM. Upgrade Procedure General upgrade instructions are found in the Radware Alteon Installation and Maintenance Guide. For ADC-VX and vadc upgrades, new image management options were added in this version. Refer to the Alteon Application Switch Operating System Application Guide for more information. Note: The reboot time after upgrade may be long. Radware recommends monitoring it via a console connection. Other Upgrade Considerations Once you have upgraded from a version prior to version 27.0.0.0, rollback (downgrade) is possible only to version 26.3.0 or higher. For all rollback scenarios, the configuration is restored to factory defaults (preserving IPv4 management interface access). Make sure to backup configuration prior to upgrade and reload this configuration after the rollback. Related Documentation The following documentation is related to this version: Radware Alteon Installation and Maintenance Guide version 28.1.5.0 Alteon Application Switch Operating System Application Guide version 28.1.5.0 Alteon Application Switch Operating System Command Reference version 28.1.5.0 Alteon Application Switch Troubleshooting Guide version 28.1.5.0 Browser-Based Interface (BBI) Quick Guide version 28.1.5.0 Alteon Application Switch Performance Report version 28.1.0.0 For the latest Radware product documentation, download it from http://www.radware.com/customer/portal/default.asp. Page 5
Page - 6 - What s New This section describes the new features and components introduced in this version. For more details on all described capabilities, refer to the Alteon Application Switch Operating System Application Guide and the Alteon Application Switch Operating System Command Reference for this version. Server RST on Client FIN Server Reset on Client FIN allows the Alteon to send RST to the server side once a FIN received from the client and the frontend connection is closed. This ensures that the server will close the backend connection immediately instead of graceful closer. The feature is relevant only for session flowing through the application acceleration engine. Maintenance Fixes The following is a cumulative list of bugs fixed since the release of AlteonOS version 28.1.6.0. Fixed in version 28.1.7.0 Item Description Bug ID 1. Using IPv6 script health checks resulted in high MP CPU usage. prod00164420 2. On an Alteon 5412 platform, LACP packets were dropped by Alteon VX. prod00164305 3. On the Alteon 5412 and 5224 VX platforms, when STP was set to off, STP and LACP packets were not forwarded. prod00164227 4. On an Alteon 5412 platform, STP packets were dropped by Alteon VX. prod00164223 5. The SLBadmin user was unable to apply configuration changes. prod00164136 6. When session caching was enabled, IPv6 filter redirection did not work. prod00164003 7. Synchronization of DNSSEC configuration changes were automatically performed on apply, even though no peers were configured. 8. When Layer 7 modification was defined, dbind was automatically changed from enabled to forceproxy. 9. The SSH management connection became inaccessible periodically, and running SSH on/off did not revive the connection. After several such retries, the device reset. prod00163824 prod00163767 prod00163531, prod00163229 10. On an Alteon 5224 platform, BWM was not working on ports 17 through 26. prod00163417 11. On an Alteon VX 5224 platform, in viewing the vadc in the BBI, there was a mismatch between the VLAN table and the Physical Ports table. prod00163394 12. On a Alteon VX 5224 platform, in the BBI L2 Physical Port pane, the port speed of ports 19 through 24 displayed the incorrect values. prod00163392 13. Alteon VX crashed in certain cases due to SSH management connection. prod00163271 14. NAT was not performed on SDP data (in SIP) with response codes other than 200OK Now it is also performed for 180 RINGING and 183 SESSION IN PROGRESS response codes. prod00163262 Page 6
Page - 7 - Fixed in version 28.1.7.0 Item Description Bug ID 15. ADC-VX could capture traffic from only one vadc at a time. Now separate files are saved for each vadc. 16. When 1. creating a disabled virt, adding a content class rule to it, and applying it, and then 2. enabling the virt and applying it again, Alteon replied with a "503" HTTP response code (=servers down) when matching the content class, even though the servers were actually up. Page 7 prod00163247 prod00163224 17. In a Layer 2 DSR environment, DNS UDP health checks caused the device to crash. prod00163185 18. Using RADIUS authentication, SSH user access was blocked for an unlimited time, even though it was defined as authorized. prod00163112 19. In APSolute Vision, the secure cookie insert configuration showed opposite settings from the device prod00163098 20. When the ADC-VX and the vadcs were installed with different versions, vadc sync failed. prod00163077 21. In the BBI, an incorrect breadcrumb appeared in the Layer 3 sub-menus. prod00163017 22. When VRRP failover occurred, it took the default gateway 8 seconds to get back online. prod00162931 23. Using SCP to transfer the configuration and commands to Alteon did not work on ADC-VX/vADC. prod00162738 24. When the device was under heavy load, sometimes FDB table corruption occurred, causing ARP and ICMP packets to be discarded. prod00162636 25. After adding a couple of interfaces, the device panicked. prod00162562 26. Some of the SSH/Telnet management connections were not closed properly in vadc, causing the maximum commotion (4) to be reached. As a result, new management connections could not be opened. prod00162450 27. Querying the vadc interface using a 64-bit counter MIB returned a value of 0. prod00162440 28. It was not possible to set a virtual service IP supporting both UDP and TCP protocols in the same service. prod00162382 29. Executing many putdumps commands sometimes caused ADC-VX to crash prod00162230 30. Adding a second VIP with RTSP SLB that uses the same real server as the first RTSP SLB service caused the sessions to the first VIP to fail. prod00162090 31. An empty "name" in the "team" configuration dump caused restoring the configuration to fail. prod00162051 32. Dynamic proximity calculation results were incorrect. prod00162044 33. When exporting the configuration using the putdump command, the user password displayed in clear text. prod00161980 34. Using the BBI, in a VRRP service based group, it was not possible to disable share and preempt. prod00161975 35. Using the BBI, it was not possible to change an SSL service rport to 443 when back-end SSL was disabled. prod00161441 36. Virtual service statistics were incorrect for services with dbind enabled and pbind set to sslid prod00161245 37. Some validation checks for matching between the server certificate and private key were missing. prod00160917 38. The output of the real server group mapping command (/info/slb/bind) was incorrect. prod00157497
Page - 8 - Known Limitations The following are known limitations for this version: Item Description Bug ID 1. Only ICMP health check can be used for virtual service for type IP 141916 2. The put image option /boot/ptimg is not supported 110769 3. The configuration dump done from BBI does not use Courier-New font. For this reason, the PKI components included in the dump looks like they are not formatted correctly. 110848 4. When using HTTP connection management (HTTP Multiplexing) and group server maximum connections (maxconn) is reached, the persistent connections opened for multiplexing are also not reused to server client requests. 5. Capture and decrypt capture functionality is supported only using the CLI. BBI does not support this functionality. 6. Importing the 2424- SSL processor configuration file to migrate its certificate repository to version 27.x is supported only using the CLI. 7. BGP does not remove from its table a route that was learned from RIP, even though the route had been withdrawn. When redistribution of RIP routes to BGP is configured, and a route that is learned from RIP has failed, BGP should send an UPDATE message containing the withdrawn route to its peers and state that it is not removing the route entry from the routing and BGP tables. 8. The /stats/mp/cpu option shows the MP CPU utilization for one second, the average for four seconds, and the average for 64 seconds. It takes up to 25 seconds for the four-second average to get updated properly and almost 5 minutes for the 64-second average to get updated properly. Page 8 110952 111085 111453 112196 114941 9. The scheduled reboot option /boot/sched is not supported. 114952 10. BWM statistics are different when used with different contracts within the same policy. When the user assigns different contracts for different ports with equal capacity within the same policy, statistics of both ports differ even though the same policy is applied. This means that the number of total packets and discarded packets varied for two different ports. 114967 11. A new image is downloaded to the image2 slot even though the instruction was to download to the image1 slot. The new image is downloaded to image 1, but after being written to the CompactFlash, the images are then swapped. 12. The upgrade process does not ask the user to confirm the upgrade after the new image is downloaded. 13. The upgrade process cannot be aborted when the wrong password is provided. Currently, there is no way to abort the upgrade process other than waiting for the idle time out (5 minutes) to expire. 114968 114987 114988 14. The GSLB, command /info/slb/gslb/geo (geographical preference information) 115002 does not display the region list. 15. If an image is downloaded to an active bank, the warning is displayed only after 115009 the download is finished and file writing is aborted. 16. On a 4416 platform, there is a bottleneck on throughput when DAM enabled 115834
Page - 9 - Item Description Bug ID (only 3G can be reached). 17. On a 5412 platform, the link status displays incorrectly when changing some 115899 port parameters. 18. The number of free pports reflected by the commands /stats/slb/pip and 116638 /stats/slb/sp x/pip is calculated for a single real server, where it should be multiplied by number of real servers. 19. Alteon HTTP cache does not respect the range HTTP header to request only 119892 part of an object. 20. Using HTTP modifications with the file type element, only the replace action is 119911 supported. If removing or inserting a file type (file extension) is required, use the modification of element of type URL. 21. When a client port is part of multiple VLAN, and multiplexing is used, the 121126 VLAN used in the back-end connection (to the server) is always the one used to initiate the connection. This problem does not exist when proxy IP (PIP) is done on the egress port, as recommended in Radware s best practices for connection management (multiplexing). 22. With large configurations, the Revert-Apply operation may fail with multiple 121285 errors generated that are related to a legitimate CLI command that did not succeed. Workaround: Run the Revert-Apply operation again. 23. Proxy IP (PIP) statistics are available only when multiplexing is enabled on the 121299 virtual service. 24. Jumbo frames are not supported in this release. 121765 25. Fragmented traffic is not supported when accessing the device management. 134531 26. Alteon legacy content-based switching with delayed binding enabled does not 139880 work with fragmented traffic. Work around: Use pbind force-proxy mode 27. When more than 390 certificates and keys of different types are configured, 142396 accessing the BBI certificate repository page might cause the device failure. 28. Overlapping NAT capability is not supported for IPv6 filters. 143690 29. The number of concurrent connections (CEC) for IPv6/IPv4 gateway traffic is 144719 limited to 64K per SP. 30. When HEAD requests are sent to a VIP which is configured with HTTP to 146287 HTTPS Body URL rewrite, session failures occur. 31. After downgrading from 28.1.x.0 to 26.3.x, the user is prompted to keep or 146536 discard the management IP. Even if the user answers No, the management IP is saved. 32. IPv6 traffic destined to directly connected network is forwarded to the gateway instead of the configured IPv6 interfaces. Workaround: Define the local route cache for the immediately connected network using /cfg/l3/frwd/local/add6 command. 152729 Page 9
Page - 10 - Item Description Bug ID 33. Passive FTP doesn't work over IPv6 155745 34. Highly fragmented connections that include more than 20,000 fragments drop 121288 fragments. 35. On Alteon 4408, the power LED does not turn red when there is a power supply N/A failure. 36. Live capture (TCPdump) mode is not supported via a serial console. N/A 37. When downloading an image, you cannot have the same image version in both N/A image banks (image1 and image2). When downloading the same version, the older image is overwritten by the newly downloaded image. 38. Session clear on reset applicable only for non accelerated session entries 162128 ADC-VX / vadc Specific Limitations 39. User backdoor does not work for vadc users created by the Global Administrator. 116544 40. TFTP SLB is not supported when using IP. 121238 41. vadc Admin passwords are not encrypted. 121718 42. MP Virtualization (vmp) goes to 100% utilization VRRP when using a shared VLAN 131075 for ISL. When this occurs, both vadcs in the HA pair become the master with or without traffic for a short while. 43. When the device is working in ADC-VX mode, uploading the global configuration 143192 (gtcfg by global administrator) does not replace existing vadcs with the ones in the new configuration. Instead, it merges them. If the uploaded file includes vadc IDs that are already on the device, the user is prompted to overwrite the existing vadc configuration with the imported one. Workaround: Manually delete all vadcs before importing a new configuration. 44. When using a script to configure several vadcs in parallel, the server certificate 144673 Generate command might stop working until reboot is performed. 45. When a vadc is rebooted, it shows an incorrect alert message saying a throughput 144918 limit of 0 has been reached. This message should be ignored. 46. An incorrect VLAN ID appears in a warning message when HAID 0 is used for two 145673 vadcs on the same shared VLAN. 47. In case Global Admin context process restarts, the user is not able to perform Revert 146405 Apply to the last configuration. 48. When synchronizing the configuration between a vadc instance running on a 5224 device and a standalone 5412 device that uses different physical ports, a "bad port" error is received, even after disabling ID ports synchronization using /cfg/slb/sync/ports. 146570 Page 10
Page - 11-2012 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners. Printed in the U.S.A. Page 11