
Alteon Application Switch

Release Notes

Version 28.1.11 August 01, 2013

Title: Alteon Application Switch version 28.1.11.0 Release Notes, August 01, 2013 Page 2

TABLE OF CONTENTS

CONTENT
RELEASE SUMMARY
SUPPORTED PLATFORMS AND MODULES
OBTAINING AND INSTALLING THE SOFTWARE
    OBTAINING THE SOFTWARE
    INSTALLING THE SOFTWARE
UPGRADING THE SOFTWARE
WHAT’S NEW
    NEW IN VERSION 28.1.9.0
        Password Strength Policy
        Selecting Supported SSL/TLS Protocol Version Text
    NEW IN VERSION 28.1.7.0
        Close with RST
    NEW IN VERSION 28.1.5.0
        Google Chrome Browser Official Support
        Client-based Service Differentiation
        GSLB in IPv6 Environment
        DNS Layer 7 in IPv6 Environment
        Least Connections per Virtual Service
        Configuration Audit
        SNMP Traps for VRRP
        Configuration Synchronization Feedback
WHAT’S CHANGED AND/OR MODIFIED
    CHANGED FEATURES IN VERSION 28.1.10.0
        Trap Update for Link-UP Link-Down
    CHANGED FEATURES IN VERSION 28.1.9.0
        Trunk port in VRRP Hot-Standby
        No-Password Uniqueness
    CHANGED FEATURES IN VERSION 28.1.5.0
        IPv6 Link Local Address
        Alteon VA Management
        Configuration Capacity Increase
        Downgrade Protection
        Layer 7 Sessions Failover
        SSL information HTTP Headers in 2424-SSL Format
        Delete SSH Keys
        Entry Level 5224 ADC-VX
MAINTENANCE FIXES
    FIXED IN VERSION 28.1.11.0
    FIXED IN VERSION 28.1.10.0
    FIXED IN VERSION 28.1.9.0
    FIXED IN VERSION 28.1.8.0
    FIXED IN VERSION 28.1.7.0
    FIXED IN VERSION 28.1.6.0
    FIXED IN VERSION 28.1.5.0
    FIXED IN VERSION 28.1.2
KNOWN LIMITATIONS
    LIMITATIONS IN VERSION 28.1.10.0
RELATED DOCUMENTATION


Content

Radware announces the release of Alteon Application Switch version 28.1.11.0. These release notes describe new features since the last released version of 28.1.5.0. Alteon Application Switch 28.1.11.0 includes all bug fixes from maintenance version 28.1.5.0.

Release Summary

Release Date: July 22, 2013

Objective: Minor software release addressing software issues.

Supported Platforms and Modules

This version is supported on the following Alteon platforms:

- 4408 running on OnDemand Switch™ VL
- 4408 XL running on OnDemand Switch VL XL
- 4416 running on OnDemand Switch 2
- 4416 running on OnDemand Switch 2 XL
- 5224 running on OnDemand Switch 3 LS
- 5224 running on OnDemand Switch 3 LS XL
- 5412 running on OnDemand Switch 3
- 5412 running on OnDemand Switch 3 XL

For more information on platform specifications, refer to the Alteon Installation and Maintenance Guide.

This version is supported by APSolute Vision version 1.25 and later.

Obtaining and Installing the Software

This section describes how to obtain and install the software for this version.

Obtaining the Software

1. Go to www.radware.com and log in if prompted.
   Note: You must have a username and password before attempting to download a software update. If you do not have a username and password, click My Account and then click Register.

2. Under My Updates > Software Releases, the set of products and software downloads for which you have licenses is displayed.

3. For the release version and platform you want to update or recover, select the Download Software icon, and download the relevant software update or recovery files to a server within your own organization that is accessible using FTP or TFTP.


Installing the Software

For details on installation, refer to the Alteon Installation and Maintenance Guide.

Upgrading the Software

For details on upgrading, refer to the Alteon Installation and Maintenance Guide.

You can upgrade to this version from any of the following previous AlteonOS versions:

- 26.0.x
- 26.1.x
- 26.2.x
- 26.3.x
- 26.8.x
- 27.0.x
- 28.0.x
- 28.1.x

What’s New

This section describes the new features and components introduced in this version. For more details on all described capabilities, refer to the Alteon Application Switch Operating System Application Guide and the Alteon Application Switch Operating System Command Reference for this version.

New in version 28.1.9.0

Password Strength Policy

Administrators are now able to configure parameters that ensure that only strong passwords are used.

The password strength policy enforces:

- Minimal password length
- Specific character complexity
- Password validity (maximum/minimum age)
- Password history

Note: The strong password policy is not applied to the main Administrator (admin username), but is applied to user-defined users with the Administrator role.

NFR number: prod00158348


Selecting Supported SSL/TLS Protocol Version Text

Alteon Application Switch provides the ability to select the allowed and disallowed SSL/TLS protocol versions in both frontend and backend connections. A disallowed SSL/TLS protocol version is rejected before the handshake starts.

Use-case examples:

- Mitigate the BEAST attack by allowing only SSLv3 and TLS1.1 in the SSL Policy.
- Completely reject any SSLv2 connection in order to pass PCI compliance testing (an SSLv2 handshake failure on non-matching ciphers, as is done today, is not PCI compliant).

    >> HTTPS Server Access# /cfg/slb/ssl/sslpol 1
    ------------------------------------------------------------
    [SSL Policy 1 Menu]
        name     - Set descriptive policy name
        passinfo - Pass SSL Information to Backend Servers Menu
        frver    - Allowed Frontend SSL Protocol Version Menu
        bever    - Allowed Backend SSL Protocol Version Menu
        cipher   - Set allowed cipher-suites in frontend SSL
        intermca - Set Intermediate CA certificate chain
        becipher - Set allowed cipher-suites in backend SSL
        authpol  - Set client authentication policy
        convuri  - Set Host regex for HTTP redirection conversion
        bessl    - Enable/Disable backend SSL encryption
        convert  - Enable/Disable HTTP redirection conversion
        ena      - Enable policy
        dis      - Disable policy
        del      - Delete Policy
        cur      - Display current policy configuration

    >> SSL Policy 1# frver/
    ------------------------------------------------------------
    [SSL Policy 1 frver Menu]
        ssl3     - Enable/Disable frontend SSLv3 protocol version
        tls10    - Enable/Disable frontend TLS1.0 protocol version
        tls11    - Enable/Disable frontend TLS1.1 Protocol version
        cur      - Display current frontend SSL protocol version configuration

    >> SSL Policy 1# bever/
    ------------------------------------------------------------
    [SSL Policy 1 bever Menu]
        ssl3     - Enable/Disable backend SSLv3 protocol version
        tls10    - Enable/Disable backend TLS1.0 protocol version
        tls11    - Enable/Disable backend TLS1.1 Protocol version
        cur      - Display current backend SSL protocol version configuration

Note: SSLv2 is disabled by default in both frontend and backend connections.

NFR number: prod00161360
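
The following added example (not Radware code, and not taken from these release notes) illustrates in general terms how a device can decide from the first client bytes whether to refuse a connection before any handshake reply: it reads the version offered in an SSLv2-format or SSLv3/TLS ClientHello and picks the highest allowed version that does not exceed it. The function names, the sample hellos and the policy set (SSLv3 and TLS1.1 enabled, as in the first use case) are assumptions made for the illustration.

```python
import struct

# Wire values of the protocol versions named in the frver/bever menus.
SSL2, SSL3, TLS10, TLS11 = 0x0002, 0x0300, 0x0301, 0x0302


def offered_version(data: bytes):
    """Return (hello_format, version offered) from the first client bytes.

    Returns None when the bytes are not a ClientHello.
    """
    # SSLv2-format hello: 2-byte length with the high bit set, message
    # type 1, then the 2-byte version the client is offering.
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        return "v2-hello", struct.unpack("!H", data[3:5])[0]
    # SSLv3/TLS record: type 0x16 (handshake), record version, length,
    # then handshake type 1 (ClientHello), 3-byte length, client_version.
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x01:
        return "v3-hello", struct.unpack("!H", data[9:11])[0]
    return None


def select_version(data: bytes, allowed: set):
    """Pick the protocol version for this connection, or None to reject.

    The highest allowed version that does not exceed the client's offer is
    used; if there is none, the connection is refused before any reply.
    """
    parsed = offered_version(data)
    if parsed is None:
        return None
    _, client_max = parsed
    candidates = [v for v in allowed if v <= client_max]
    return max(candidates) if candidates else None


def sample_v3_hello(client_version: int) -> bytes:
    """Constructed minimal SSLv3/TLS ClientHello (sample data, not a capture)."""
    body = struct.pack("!H", client_version) + bytes(32)   # version + random
    body += b"\x00" + b"\x00\x02\x00\x35" + b"\x01\x00"    # session id, suites, compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    record_version = min(client_version, TLS10)
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


def sample_v2_hello(version: int) -> bytes:
    """Constructed minimal SSLv2-format ClientHello (sample data, not a capture)."""
    body = b"\x01" + struct.pack("!HHHH", version, 3, 0, 16)
    body += b"\x01\x00\x80" + bytes(16)                    # one cipher spec + challenge
    return struct.pack("!H", 0x8000 | len(body)) + body


if __name__ == "__main__":
    policy = {SSL3, TLS11}   # ssl3 and tls11 enabled, tls10 disabled
    for label, hello in [
        ("TLS1.2 client", sample_v3_hello(0x0303)),
        ("TLS1.0 client", sample_v3_hello(TLS10)),
        ("SSLv2-only client", sample_v2_hello(SSL2)),
    ]:
        chosen = select_version(hello, policy)
        print(label, "->", "rejected" if chosen is None else hex(chosen))
```
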

New in version 28.1.7.0

Close with RST

When enabled, upon receiving a FIN from either side (client or server), Alteon closes the other side using RST. This causes the session entry to be removed immediately.

When disabled, upon receiving a FIN, graceful closure is performed on both sides.

Default: disable

Close with RST can be set per virtual service.

Note: To enable, forceproxy must be enabled on that service.

NFR number: prod00162646

New in version 28.1.5.0

Google Chrome Browser Official Support

Google Chrome Browser (version 17.x and later) is added to the list of supported BBI platforms.

Client-based Service Differentiation

Alteon lets you provide differentiated services for specific client groups: different types of services, different levels of service, and different service access rights.

To implement this feature, source network classification has been added to the Layer 3 service classification as part of the virtual server definition.

For example, in order to provide differentiated HTTP/S services for two separate groups of clients, you need to configure the following:

- Source Network nw1
- Source Network nw2
- Virtual Server 1: VIP 100.100.100.100, Source Network nw1
    o Service HTTP: Group 1
    o Service HTTPS: Group 1; SSL Policy ssl1
- Virtual Server 2: VIP 100.100.100.100, Source Network nw2
    o Service HTTP: Group 2
    o Service HTTPS: Group 2; SSL Policy ssl1

If, for example, you want to allow only HTTPS service for nw2 users, no HTTP service would be configured for Virtual Server 2.

The new Network object type enables configuring complex networks for use in source network classification. A network object can include and/or exclude multiple IP subnets and/or ranges.

The following is an example for the subnet definition described above:

- nw1:
    o Include 100.100.90.0/255.255.255.0
    o Include 100.100.950.0/255.255.255.0
    o Include 100.100.20.0 – 100.100.40.255
- nw2:
    o Include 100.100.0.0/255.255.0.0
    o Exclude 100.100.90.0/255.255.255.0
    o Exclude 100.100.950.0/255.255.255.0
    o Exclude 100.100.20.0 – 100.100.40.255

Note: This new capability is currently only configurable via CLI and BBI.
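
The following added example (not Alteon code) models the include/exclude network objects and the per-source-network virtual servers described above, using the nw1/nw2 entries exactly as printed and the HTTPS-only variant for nw2. The class and function names are hypothetical; the model also validates each entry, which reports the printed entry 100.100.950.0 as an invalid address instead of silently skipping it.

```python
import ipaddress


def parse_entry(text):
    """Parse 'addr/mask' or 'first - last' into a list of ip_network objects."""
    text = text.replace("–", "-")          # the notes write ranges with an en dash
    if "/" in text:
        return [ipaddress.ip_network(text.strip(), strict=True)]
    first, last = (ipaddress.ip_address(p.strip()) for p in text.split("-"))
    return list(ipaddress.summarize_address_range(first, last))


class NetworkClass:
    """Hypothetical model of a network object: included minus excluded space."""

    def __init__(self, name, include=(), exclude=()):
        self.name = name
        self.rejected = []                  # entries that failed validation
        self.include = self._load(include)
        self.exclude = self._load(exclude)

    def _load(self, entries):
        nets = []
        for entry in entries:
            try:
                nets.extend(parse_entry(entry))
            except ValueError:
                # A skipped exclude entry silently widens the class, so a
                # caller should treat any rejected entry as a blocking error.
                self.rejected.append(entry)
        return nets

    def matches(self, addr):
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in self.exclude):
            return False
        return any(ip in net for net in self.include)


def select_group(virtual_servers, client_ip, service):
    """Return the server group for (client, service), or None if not served."""
    for net_class, services in virtual_servers:
        if net_class.matches(client_ip):
            return services.get(service)
    return None


# Entries as printed in the release notes (the second one is not a valid address).
RANGE = "100.100.20.0 – 100.100.40.255"
NW1 = NetworkClass("nw1", include=["100.100.90.0/255.255.255.0",
                                   "100.100.950.0/255.255.255.0", RANGE])
NW2 = NetworkClass("nw2", include=["100.100.0.0/255.255.0.0"],
                   exclude=["100.100.90.0/255.255.255.0",
                            "100.100.950.0/255.255.255.0", RANGE])

# Both virtual servers share VIP 100.100.100.100; only the source network differs.
VIRTUAL_SERVERS = [
    (NW1, {"http": "Group 1", "https": "Group 1"}),
    (NW2, {"https": "Group 2"}),            # HTTPS-only variant for nw2 users
]

if __name__ == "__main__":
    print("rejected entries:", NW1.rejected, NW2.rejected)
    for ip in ("100.100.90.7", "100.100.41.0", "10.1.1.1"):
        print(ip, select_group(VIRTUAL_SERVERS, ip, "http"),
              select_group(VIRTUAL_SERVERS, ip, "https"))
```
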

GSLB in IPv6 Environment

Global Server Load Balancing is now supported for IPv6 environments. This support includes:

- Support for AAAA query resolution that allows resolving a hostname to an IPv6 address.
- Support for IPv6 GSLB networks to enable using the Network metric for IPv6 clients.
- Support for IPv6 communication between remote sites.
- New DSSP version (version 5) that provides support for IPv6.
- DNSsec support for AAAA queries

Note: This new capability is currently only configurable via CLI and BBI.

DNS Layer 7 in IPv6 Environment

Layer 7 load balancing (according to hostname, query type, or DNS versus DNSsec type) is now also supported for DNS UDP in an IPv6 environment (IPv6 clients and servers).

Least Connections per Virtual Service

The Least Connections per Virtual Service group metric is an extension of the current Least Connections metric. It allows for real server selection based only on the number of active connections for the service which is load balanced, and not the total number of connections active on the server.

For example, when selecting a real server for a new HTTP session, a real server serving one HTTP connection and 20 FTP connections takes precedence over a real server serving two HTTP connections only.

Note: This feature was first introduced in version 26.3.1.0.

Configuration Audit

Alteon lets you log the details of all configuration changes to the syslog servers.

Note: Enabling this feature may increase the Management Processor (MP) CPU usage temporarily if the configuration changes are very large.

Note: This feature was first introduced in version 26.3.1.0.

SNMP Traps for VRRP

SNMP traps are sent when a VRRP virtual server router (VSR) changes status to either master or backup.

Note: This feature was first introduced in version 26.3.1.0.

Configuration Synchronization Feedback

Feedback on success or failure of Global Admin configuration synchronization has been added. Reports are received on success or failure of synchronization with each peer.

What’s Changed and/or Modified

This section describes changes to existing features and components introduced in this version.

Changed Features in version 28.1.10.0

Trap Update for Link-UP Link-Down

The linkDown and linkUp traps were updated to include the following information:

- ifName – returns “Port <ID>”, for example, Port 1.
- agPortCurCfgPortName – returns the port name as defined at "/c/port x/name".
- agPortCurCfgPortAlias – returns the port alias as defined at "/c/port x/alias".

With this change, the linkDown and linkUp traps return the following MIBs: altSwTrapDisplayString, ifIndex, altSwTrapSeverity, ifName, ifOperStatus, ifAdminStatus, agPortCurCfgPortName and agPortCurCfgPortAlias.

NFR number: prod00170474


Changed Features in version 28.1.9.0

Trunk port in VRRP Hot-Standby

In a VRRP Hot-Standby configuration, a trunk port is now considered as failed and its priority is changed only when all the ports in the trunk are down.

NFR number: prod00167723

No-Password Uniqueness

When a pre-defined user password has been changed from its default and no local users are defined, the login prompts for both user name and password instead of only for the password.

NFR number: prod00161402

Changed Features in version 28.1.5.0

IPv6 Link Local Address

The following enhancements were made to Link Local Address support:

- Manual configuration of a VLAN Link Local Address
- An address of type Link Local can be configured in a static route Gateway parameter.

Alteon VA Management

Alteon VA can now be managed through VMware API and File System.

Configuration Capacity Increase

The maximum number of configurable instances was increased for the following objects:

- The maximum number of TCP scripts has been increased to 256.
- The maximum number of static routes has been increased to 1024.
- The maximum number of GSLB networks has been increased to 1024.

Downgrade Protection

In order to mitigate crash-loops due to configuration parameters that are not supported in earlier versions, after downgrading from version 28.1.x the configuration is restored to factory defaults (preserving IPv4 management interface access). Starting with this version, after downgrading from a version later than 28.1.5.0, the device will perform Apply verification after booting up with the earlier version.


Layer 7 Sessions Failover

In order to ensure fast Layer 7 session failover to a new master device, the new master device now induces clients to resend Layer 7 requests upon failover by sending a reset to the client when requests are received over connections established with the old master.

SSL information HTTP Headers in 2424-SSL Format

In this release, the optional HTTP headers that carry SSL and SSL-based client authentication information can be set to be in 2424-SSL compatible format. This new functionality eases the migration of Web applications that used 2424-SSL for SSL offloading to AlteonOS 28.1.5.0, by eliminating the need to change the Web application header parsing.

The new header format is available when changing the comply command to enabled in one of the following paths:

- /cfg/slb/ssl/sslpol/passinfo
- /cfg/slb/ssl/authpol/passinfo

The following table compares HTTP Headers formats between versions:

Location | Info Type | 2424-SSL | 28.15 when comply disabled | 28.15 when comply enabled
---------|-----------|----------|----------------------------|--------------------------
SSL Policy | Cipher-suite | N/A | Cipher-Suite: AES256-SHA | Cipher-Suite: AES256-SHA
SSL Policy | SSL Version | N/A | SSL-Version: TLSv1/SSLv3 | SSL-Version: TLSv1/SSLv3
SSL Policy | SSL Cipher Bits | N/A | Cipher-Bits: 256 | Cipher-Bits: 256
SSL Policy | SSL complied info | X-SSL: decrypted=true, ciphers="TLSv1/SSLv3 RC4-SHA" | N/A | X-SSL: decrypted=true, ciphers="TLSv1/SSLv3 RC4-SHA"
SSL Policy | IIS front-end HTTPS | Front-End-Https: on | Front-End-Https: on | Front-End-Https: on
Authentication Policy | Client Certificate issuer | X-SSL: peerissuer="emailAddress=ct100@radware.com,CN=CT100,OU=CT100,O=Radware,L=NA,ST=NY,C=US" | CCRT-Issuer: /C=US/ST=NY/L=NA/O=Radware/OU=CT100/CN=CT100/emailAddress=ct100@radware.com | X-SSL: peerissuer="emailAddress=ct100@radware.com,CN=CT100,OU=CT100,O=Radware,L=NA,ST=NY,C=US"
Authentication Policy | Client Certificate subject name | X-SSL: peersubject="emailAddress=ct100@radware.com,CN=User_0002,OU=CT100,O=Radware,L=NA,ST=NY,C=US" | CCRT-Subject: /C=US/ST=NY/L=NA/O=Radware/OU=CT100/CN=User_0002/emailAddress=ct100@radware.com | X-SSL: peersubject="emailAddress=ct100@radware.com,CN=User_0002,OU=CT100,O=Radware,L=NA,ST=NY,C=US"
Authentication Policy | Client Certificate serial number | X-SSL: peerserial=3 | CCRT-SN: 03 | X-SSL: peerserial=03
Authentication Policy | Client Certificate SSL version | N/A | CCRT-Version: 3 | CCRT-Version: 3
Authentication Policy | Client Certificate signing algorithm | N/A | CCRT-SignatureAlgo: md5WithRSAEncryption | CCRT-SignatureAlgo: md5WithRSAEncryption
Authentication Policy | Client Certificate not valid before | N/A | CCRT-NotBefore: Oct 12 18:05:37 2010 GMT | CCRT-NotBefore: Oct 12 18:05:37 2010 GMT
Authentication Policy | Client Certificate not valid after | N/A | CCRT-NotAfter: Oct 12 18:05:37 2011 GMT | CCRT-NotAfter: Oct 12 18:05:37 2011 GMT
Authentication Policy | Client Certificate Public key type | N/A | CCRT-publicKeyType: RSA(1024 bit) | CCRT-publicKeyType: RSA(1024 bit)
Authentication Policy | Client Certificate HASH | N/A | CCRT-MD5Hash: 9311345EB64A9D5968AF6A471D480431 | CCRT-MD5Hash: 9311345EB64A9D5968AF6A471D480431
Authentication Policy | Full client cert | X-Client-Cert: -----BEGIN CERTIFICATE----- MIIDfjCCAue...XZKw== -----END CERTIFICATE----- | CCRT-Certificate: MIIDfjCCAue...XZKw== | X-Client-Cert: -----BEGIN CERTIFICATE----- MIIDfjCCAue...XZKw== -----END CERTIFICATE-----

Header names are configurable in AlteonOS 28.x so they can be adjusted to comply with 2424-SSL fixed header names easily in configuration.

Note: This feature was first introduced in version 27.0.1.0.
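
The following added example (not Radware code) shows a backend-side parser that accepts the client-certificate headers in either format from the table above and normalizes them to one structure, so an application can be migrated without depending on the comply setting. The function names are hypothetical and the sample header values are constructed from the table; the example assumes that serial numbers are hexadecimal, that each X-SSL field may arrive in its own header line, and that DN values contain no embedded commas or slashes.

```python
import re

# key=value pairs separated by commas; a value may be double-quoted and
# then contain commas itself (as the peerissuer/peersubject DNs do).
_PAIR = re.compile(r'\s*(\w+)=(?:"([^"]*)"|([^,]*))\s*(?:,|$)')


def parse_x_ssl(value):
    """Parse one X-SSL header value into a dict of its fields."""
    fields = {}
    for m in _PAIR.finditer(value):
        quoted, bare = m.group(2), m.group(3)
        fields[m.group(1)] = quoted if quoted is not None else bare.strip()
    return fields


def dn_from_x_ssl(dn):
    """'emailAddress=..,CN=..,...,C=US' -> list of (attr, value), country first."""
    return [tuple(part.split("=", 1)) for part in reversed(dn.split(","))]


def dn_from_ccrt(dn):
    """'/C=US/ST=NY/.../emailAddress=..' -> list of (attr, value), country first."""
    return [tuple(part.split("=", 1)) for part in dn.strip("/").split("/")]


def client_cert_info(headers):
    """Normalize client-certificate headers of either format.

    headers: list of (name, value) pairs as received by the web application.
    Returns a dict with the keys 'issuer', 'subject' and 'serial' that were
    present; DNs are attribute lists and the serial is an integer.
    """
    info = {}
    for name, value in headers:
        key = name.lower()
        if key == "x-ssl":
            fields = parse_x_ssl(value)
            if "peerissuer" in fields:
                info["issuer"] = dn_from_x_ssl(fields["peerissuer"])
            if "peersubject" in fields:
                info["subject"] = dn_from_x_ssl(fields["peersubject"])
            if "peerserial" in fields:
                # 2424-SSL sends "3", comply mode sends "03": compare as numbers.
                info["serial"] = int(fields["peerserial"], 16)
        elif key == "ccrt-issuer":
            info["issuer"] = dn_from_ccrt(value)
        elif key == "ccrt-subject":
            info["subject"] = dn_from_ccrt(value)
        elif key == "ccrt-sn":
            info["serial"] = int(value, 16)
    return info


# Constructed sample headers following the table rows.
_ISSUER = "emailAddress=ct100@radware.com,CN=CT100,OU=CT100,O=Radware,L=NA,ST=NY,C=US"
_SUBJECT = "emailAddress=ct100@radware.com,CN=User_0002,OU=CT100,O=Radware,L=NA,ST=NY,C=US"
LEGACY_2424 = [("X-SSL", 'peerissuer="%s"' % _ISSUER),
               ("X-SSL", 'peersubject="%s"' % _SUBJECT),
               ("X-SSL", "peerserial=3")]
COMPLY_ENABLED = LEGACY_2424[:2] + [("X-SSL", "peerserial=03")]
COMPLY_DISABLED = [
    ("CCRT-Issuer", "/C=US/ST=NY/L=NA/O=Radware/OU=CT100/CN=CT100/emailAddress=ct100@radware.com"),
    ("CCRT-Subject", "/C=US/ST=NY/L=NA/O=Radware/OU=CT100/CN=User_0002/emailAddress=ct100@radware.com"),
    ("CCRT-SN", "03"),
]

if __name__ == "__main__":
    for label, hdrs in [("2424-SSL", LEGACY_2424), ("comply enabled", COMPLY_ENABLED),
                        ("comply disabled", COMPLY_DISABLED)]:
        print(label, client_cert_info(hdrs))
```
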


Delete SSH Keys

SSH keys can now be deleted when reconfiguring the device from the /boot menu.

Note: This feature was first introduced in version 26.3.1.0.

Entry Level 5224 ADC-VX

Alteon 28.1.5.0 supports entry-level ADC-VX (maximum of 10 vADCs) on 5224 with 12 GB RAM.

Important! This offering is only available in the Americas region, for special promotion.

Maintenance Fixes

This section lists all fixed issues that were reported by the field personnel or mentioned previously as known limitations or bugs in versions starting from version 28.1.0. Later versions contain all fixes of earlier versions unless otherwise noted.

Fixed in version 28.1.11.0

Item Description Bug ID

1. Using the APSolute Vision client, configuration sync between two Alteon platforms sometimes caused the Alteon initiating the sync to crash. prod00189736

2. Using the APSolute Vision client, it was not possible to set the Server Group ID in virtual services other than HTTP and HTTPS. prod00189732

3. IPv6 scripted health check did not close the TCP session in case of multiple open and close actions in the same script. prod00189690

4. When issuing the 'save' command through the XML API interface, Alteon crashed. prod00189552

5. Using the BBI, it was not possible to configure the USM User Name (an SNMPv3 parameter). prod00189302

6. In a mixed IPv4 and IPv6 environment, after session entries aged, Alteon sometimes crashed. prod00189144

7. In a mixed IPv4 and IPv6 environment, after session entries aged, Alteon sometimes crashed. prod00189143

8. On an Alteon 5000 and 4416, in standalone mode, the throughput usage calculation was incorrect, causing false throughput alert messages to be sent. prod00188880

9. In VRRP hot standby mode, when the ISL port was set to disabled on the backup Alteon, all hot standby ports on the backup remained in DISABLED status and did not change to FORWARDING status. prod00188830

10. With dbind enabled, the ICMP unreachable (Fragmentation Needed) packet was forwarded to the server with the incorrect SEQ number. prod00188730

11. After rebooting a vADC, with connection management configured on a service and its associated server port defined with VLAN-based PIP, the entire configuration (except the management configuration) displayed in the diff. prod00188476

12. In VRRP hot standby mode, when using trunk ports in ISL ports and in client or server-side ports, when all ISL ports were down, all of the client and server-side ports on the backup Alteon changed to FORWARDING status, causing a Layer 2 network loop. prod00188370

13. After the Global Admin changed the backdoor settings for a vADC user, the backdoor command did not display in the Global Admin configuration dump and also did not display in the vADC. prod00188348

14. When Alteon received a ping destined for a network broadcast address, Alteon sent the ping reply with source MAC address of ff:ff:ff:ff:ff:ff instead of the interface MAC address. prod00188176

15. After rebooting a vADC with static ARP entries configured, the entire configuration displayed in the diff. prod00188160

16. After the admin password was changed in the configuration, the password displayed in clear text in diff and diff flash. prod00188159

17. After Alteon was up for about 200 days, it sometimes experienced the following behavior: - 100% SP CPU utilization - Full system freeze - Sudden system reboot with no panic trace These issues seemed to occur without any network changes, traffic patterns changes, user intervention, or any other direct reason. prod00187911

18. When configuration auditing using TACACS+ was enabled, the following issues occurred: - The commands under the /cfg/sys/mmgmt menu were not logged when entered in a single line. - When configuration was performed using an SSH session, no commands were logged. prod00187747

19. When a feature license was enabled on a vADC, a vadcLicGlobal trap was generated but the vADCNewCfgFeatBWM OID was missing. prod00187636

20. After Alteon rebooted with no space on the hard disk, the configuration that had certificate and keys was not handled correctly, resulting in the entire configuration displaying in the diff. prod00187467

21. After upgrading from version 26.x to 28.x or 29.x, attempting to connect to the platform from APSolute Vision resulted in an error because APSolute Vision could not retrieve the device driver from Alteon. prod00187168

22. Using an SSH connection, uploading a configuration that defined SSHv1 as disabled changed the SSHv1 setting to enabled (default). prod00187123

23. A high rate of packets with an invalid TTL (value 0 or 1) processed by the device could cause health check flip-flops and VRRP flip-flops, due to high MP CPU utilization. prod00187051

24. When setting the DST time zone to the Canada/Eastern-Ontario-&-Quebec time zone and the NTP Timezone Offset (tzone) was +0:00, the NTP Daylight Saving Time (DST) was not adjusted correctly. prod00186863

25. When traffic was processed through the Application Engine, after VRRP failover an outage sometimes occurred. This was because of RST or FIN packets sent by Alteon on sessions that started on the main platform and which failed over, using the VR MAC instead of the interface MAC ("confusing" the Layer 2 switch). prod00186846

26. When accessing the device as a TACACS-authenticated user, in some rare cases the TACACS server closed the connections at the same time that the device's TACACS request timed out, which caused a panic on the device. prod00186821

27. After uploading an image using SCP, the subsequent file transfer via SCP (such as get configuration) sometimes caused Alteon to crash. prod00186670

28. Using the BBI with a RADIUS authenticated user whose name length was longer than 21 characters, after logging out of BBI Alteon panicked. prod00186667

29. SIP Load Balancing did not work with fragmented requests. SIP requires that all fragments are first buffered and then makes the load balancing decision. Because the last fragment was dropped, the load balancing decision was not performed. prod00186644

30. When the configuration included a group for which a backup group was defined and a group with no backup defined, whose ID was higher than the ID of the group with the backup defined, and the traffic was processed by the Acceleration Engine, when the group that had a backup was down, the servers in the backup group appeared as not in service, even though they were available, resulting in a 503 error response to clients. prod00186573

31. A DSR ICMP health check failed on servers running Windows 2008R2 SP1. prod00186546

32. Sessions handled by the Application Engine were not aged, if within 60 seconds after the FIN packet was sent by the server it also sent a SYN (as a result of RST). prod00186501

33. When using an SSH management connection, Alteon experienced instabilities. prod00186464


34. On an Alteon 5412 platform, the throughput was limited to 10G instead of 20G. prod00186287

35. When ADC-VX restarted after a crash or intentional panic (using /maint/panic), Alteon experienced instabilities. prod00186261

36. Using SNMP, the temperature threshold was incorrect. prod00186095

37. When using TACACS+ Authentication, after entering user credentials, sometimes the SSH connection became stuck and no CLI prompt appeared. prod00186092

38. Using the BBI, a trap on a login failure attempt was not generated. prod00185928

39. In VRRP hot standby mode, after a port was operationally disabled and then enabled, the port configuration enable/disable command did not work properly. prod00185423

40. On a backup platform, operationally disabling a hot standby SFP port did not work. prod00185419

41. GSLB HTTP redirection did not work for an HTTPS service. prod00178810

42. Using URL SLB, when the GET URL split over multiple TCP segments, the URL string matching was performed only on the first segment, resulting in incorrect matching. prod00177975

43. In version 28.1.8.x, after setting the re-ARP period and applying and saving in its old path (/cfg/l3/ip) instead of its new path (/cfg/l3/arp), after reboot the command to set the re-ARP period was disabled. prod00174075

44. Per second Interface statistics displayed incorrect values. prod00161478

45. The export tech support dump command did not prompt to provide the file name with a .tar extension. prod00156435

46. In a vADC, the memory utilization output (/stats/sp/mem) always displayed 0 Kbytes. prod00156430

47. The Last apply and Last Save times were not updated when receiving the configuration from a peer switch during a sync operation. prod00156326

48. In some cases, sending BPDUs on the external port failed due to an internal issue. When this happened, debug printouts appeared on the console. prod00190184

49. Using a NAT filter, ICMP "Destination Unreachable" response messages were not processed by Alteon, because session creation and the response happened to be on different SPs. prod00186201

Fixed in version 28.1.10.0

Item Description Bug ID

50. When the application service log was set to debug level, the arrival of a GET/POST request containing %s or %<number>s caused Alteon to crash. prod00185487

51. When the time zone was set to a location where DST

(Daylight Saving Time) is applicable but not in effect,

on every reboot the time moved back by one hour.

If after reboot the time changed to a value earlier than

the certificate issued time, the error server

certificate not yet valid displays. prod00185363

52. In a session that had a number of GET requests where

the cookie is bound to a server in down state, the first

GET request was redirected to another server that was

in up state, while the other GET requests were sent

incorrectly to the first server which was in down state. prod00177865

53. Configuration changes for TCP and content class trace

log were incorrectly applied. As a result, warning

messages regarding the Application Services Trace

Log performance impact were potentially sent every

few hours even after all logs were disabled. prod00177729

54. The description for some MIBs related to real server

statistics per SP were updated to reflect their "per SP"

relation. prod00185158

55. In force proxy mode, when the client sent a FIN and

the server answered with an RST, fastage was not

activated on the session entry. prod00177443

56. Throughput license alerts only worked on the Alteon

4408 platform and not on any of the other platforms. prod00177506

57. Resize of the vADC file system: In VX versions 28.1.2.0 and below, the vADCs were allocated a small size of ~7.5MB instead of more than 50MB. This made it impossible to capture traffic on the vADCs. Because an upgrade does not change the size allocated to vADCs in the previous version, the command /maint/debug/resizevadc was introduced. The command checks whether a vADC resize is needed. If so, the user is asked to confirm the process and is informed that it requires a system reboot, which may take up to 1.5 hours. The resize operation on 28.1.10.0 changes the vADC size to ~100MB. Note: USB Recovery procedures to these versions also allocate the right sizes to the vADCs. prod00179399

58. After reboot, the ISL VLAN configuration for a vADC was moved to pending state. prod00177682

59. When the resolution was set to one hour or one day,

the ADC-VX dashboard displayed incorrect statistics. prod00178193

60. When a real server and Alteon VA resided on the same

ESX, HTTP health checks failed. prod00179128

61. When using a passive cookie, dbind forceproxy, and

the hash metric, if the cookie value did not match any

session entry, the cookie value was used as the key to

select the real server instead of using the source IP. prod00184579

62. The administrative user with the Service user class

could not display any information or statuses of the real

servers for which the administrative user was defined

as the owner. prod00138330

63. After the NTP time zone was modified using

/cfg/sys/ntp/tzone, the system time zone was not

updated.

prod00150654,

prod00174180

64. VRRP advertisements were still sent even when all

ports were down, causing the advertisements counter

(/stat/l3/vrrp vrrpOutAdvers) to continue to increase. prod00157795

65. The output of the /info/l3/route/dump command displayed internal debug information irrelevant to Alteon end-users. This output now appears only in God mode. prod00164538

66. In Global admin mode, the incorrect stat/vadc X/sp

Y/mem command syntax was accepted. The correct

syntax is stat/vadc X/sp/mem. prod00177262

67. In Alteon VA VMware version 28.1.9.0, high MP CPU utilization was always observed even though the actual CPU utilization was low. prod00185069

68. When vstat was enabled, the virtual service octets

counter wrapped around at the 4,294,967,295 value

(32-bit). prod00185606

69. The user-defined cipher parameter was incorrectly

limited to 64 characters. prod00178811

70. When a NAT filter was configured, traceroute failed

because ICMP TTL Exceeded Timeout (ICMP type 11)

packets that arrived with NAT address as the

destination IP, were dropped.

prod00178853,

prod00185053

71. If several virtual servers had the same VIP, when a real

server returned an HTTP redirection, an internal tunnel

port was added to the location header. prod00178751

72. After applying and saving a configuration that was

uploaded over a factory default setting, an incorrect

message displayed stating that there may be unapplied

configuration changes, even though all changes were

applied. prod00179387

73. Using BBI, a virtual router could be deleted while still

being a member of a VR group. prod00178423

74. When dbind was enabled on a service, the session

timeout was set to the value configured on the real

server instead of using the timeout configured on the

virtual service. prod00179486

75. vADC SP memory statistics did not function. They

always displayed 0. prod00177007

76. If multiple virtual servers shared the same VIP, when

the virtual server with a higher index was deleted the

Virtual Server Router (VSR) of that VIP was stuck in

the INIT state. prod00177399

77. SNMP traps were always sent to the default port (162) regardless of the configured port number. prod00185083

78. On an Alteon VA platform using BBI, it was possible to

install a new image to the active image slot. prod00185159

79. When the Inter-Switch port was down, the hot-standby ports that belonged to a trunk kept their STG state as LISTENING after boot-up, even though STG was set to off. prod00185612

80. The following MIB objects appeared twice in the MIB

file: agTftpImageAdc and agTftpImageVx prod00184976

81. Using BBI, a virtual server with the UDP stateless

protocol displayed as TCP. prod00184977

82. The content class element

Hostname/Path/Filename/Filetype did not match an

empty value. prod00185431

83. In a script health check where the expected response string was longer than 40 characters, if a health check longer than 60 characters did not match the expected string, the device crashed. prod00184908

84. In a configuration where the Hot-Standby ports belonged to a trunk on both the client and server networks, if all the ISL ports were down, an L2 network loop occurred. prod00179395

85. When a connection carrying multiple requests arrived at a virtual service configured with HTTP content modification and connection management, if the second request arrived while the service could not respond (for example, service down or at 100% CPU), the device could crash. prod00178731

86. Traps vadcStateUp, vadcStateDown,

vadcStateShutdown and vadcStateRestart were

removed from the MIB file as they are not supported. prod00178727

87. When TACACS+ logging was enabled, in some cases when performing apply from the CLI along with TAB, before hitting Enter, the device could crash. prod00177992

88. In some cases, configuration synchronization from the VX caused the backup VX to crash. prod00185644

89. When the application service log was set to debug level, the arrival of a GET/POST request containing %s or %<number>s caused Alteon to crash. prod00185316

90. Setting application service modules log level to none

did not change the TCP module log level to none as

well. prod00185168

91. For performance reasons, the mechanism that automatically changed the application log level to debug when a large number of messages per session arrived was removed. prod00185738

92. Using the BBI to download an image more than once

via HTTPS, occasionally caused Alteon to crash. prod00174597

93. The following changes were made due to BPDU packet loss in Alteon VX:
- You can now use the /c/sys/acc/rlimit command to limit the number of BPDUs handled per second per port on Alteon VX.
- The default BPDU limit was changed to zero (unlimited). In previous versions it was hard-coded to 5 BPDUs per second per port for Alteon VX, and to 5 BPDUs per second per port for standalone Alteons.
- A counter was added to show the number of BPDU packets dropped in Alteon VX and can be found at /stats/vx/counters.
- Alteon vADC now accepts all rlimit values, except for BPDUs (which are processed in Alteon VX).
prod00176509

94. An incorrect trap (vADCInfoStatus) was generated from

GA upon vADC reboot. prod00173256

95. Redirect persistent sessions were not aged out when

rport was configured with the filter. prod00174261

96. When RTS was enabled on a client port, the RTS sessions were wrongly created on all SPs, causing the sessions on the non-relevant SPs to persist and not age out. prod00174301

97. The management port became inaccessible when the

management connection was closed before TFTP

upload/download tasks via the management port (such

as support dump and configuration dump) had ended

completely. prod00177406

98. It was not possible to add a GSLB IPv4 remote site via Vision. An error related to IPv6 was incorrectly generated. prod00175919

99. In some cases it was not possible to download the

cached content. prod00176971

100. In a configuration where the data port gateway and a real server had the same IP address, and both had an ARP health check, the gateway frequently lost its connectivity, causing the VIP to become inaccessible. prod00177212

101. Redirection to HTTPS requests failed if the virtual service was defined with an HTTPS redirection action that used "$QUERY", and the requests to redirect contained an odd number of characters in the string. prod00175362

102. After changing the real server operational status to

disable and then to enable, its state changed to block

although its health check succeeded. prod00175800

103. Traps altSwcpuCross80 and altSwcpuFell80 are now

obsolete. prod00173561

104. Incorrect trap OIDs were sent for vADC throughput

limit, vADC ssl limit, and vADC compression limit. prod00173851

105. When a VRRP status change occurred on vADC, an

incorrect trap OID was sent. prod00173921

106. Applying a content rule in a virtual service sometimes

failed when the rule was not added in the consecutive

numerical order to rules already applied. For example,

applying rule 6 failed where rules 5 and 7 were already

running. prod00174209

107. Using the BBI to upload a new image to the active

image bank caused Alteon to become non-bootable

and require USB recovery. prod00176870

108. Incorrect trap host address was shown under

/info/sys/snmp/taddr. prod00174552

109. ColdStart (sent on startup) and WarmStart (sent on

reset) traps were not generated in Alteon versions after

28.x. prod00176003

110. When a feature license was enabled on vADC, an

incorrect trap OID was sent. prod00174181

111. When vADC was deleted, the vadcDelete trap was not

generated. prod00174183

112. When capacity units were added or removed from vADC, the vadcCapUnit trap was not generated. prod00174185

113. When setting the Alteon health check content in the

group to a value longer than 127, no warning appeared

although Alteon did not accept this content. prod00174273

114. In a standalone Alteon, when trying to set the BWM user table size using the BBI, an incorrect message was sent stating that the maximum allowed entries is 16K entries per SP. prod00174400

115. A RADIUS/TACACS+ secret password including "!" disappeared from the configuration after reboot. prod00175349/prod00175631

116. For WAP SLB with RADIUS persistence, group

statistics showed that all traffic was sent to one server,

although the traffic was actually load balanced between

several servers. prod00174693

Fixed in version 28.1.9.0

Item Description Bug ID

1. In version 28.1.8.40, when uploading the configuration

with a private key, the key extraction failed because the

passphrase was not parsed correctly. prod00174411

2. In version 28.1.8.20, the redirection filter with client

proxy processing enabled did not work. prod00174272

3. When a SIP service with no SIP parsing was used,

various configuration additions (such as adding a filter,

adding Layer 7 parsing for other services, disabling

local DAM) caused session failures on that SIP service. prod00174120

4. HSRP tracking did not work-- the priority was not

increased. prod00173856

5. When some services used the legacy delayed binding

and some used forceproxy, under stress, the HTTP

503 error message could appear on the proxied

session due to server selection failure. prod00173770

6. Using the BBI, when configuring the intermediate

certificate name, the device panicked. prod00173754

7. After switching to verbose 1 mode, a service

configured in verbose 2 mode was erroneously

changed to basic-slb. prod00173750

8. When the scpadmin user on a TACACS server had

the same password as the scpadmin on the device,

logging in with the scpadmin user caused 100% CPU

usage.

In addition, it was not possible to login with any

username that had the same password as the

scpadmin user. prod00173687

9. Least connection load balancing on a real server port

(rmetric) did not work with SLB IPv6-to-IPv4. All of the

requests were load balanced to the first rport of the

server. prod00173370

10. SIP load balancing did not work when DAM was

enabled globally and disabled under the service. prod00173282

11. The SNMP Trap Source IP setting was not taken into

account and was not set as the trap source. Instead,

the first interface that was UP was considered to be the

trap source. prod00173274

12. On traffic matching the IPv4 redirect filter with proxy

processing enabled on the port, and no PIP address

defined, Half NAT was not performed. Half NAT was

performed correctly for the same configuration

processing IPv6 traffic. prod00173219

13. When the device rebooted with an expired certificate in

its configuration, after the reboot all the configuration

remained in pending state. prod00172948

14. In session dumps collected via SNMP, the EAcc and

Acc flags were missing. prod00172918

15. Sessions collected via SNMP were not showing

correctly when session entries were deleted or aged

during the collection process. prod00172917

16. On the 5224 platform, incorrect temperature thresholds

were displayed. prod00172904

17. In an ADC-VX environment, creating or changing Layer 2 configuration items such as trunks or VLANs caused all the VIPs on the vADCs to stop functioning for up to 30 seconds. prod00172709

18. It was not possible to delete session entries by using

the slbOperSessionDelete SNMP SET command. prod00172596

19. Because in version 27.x, the default protocol for DNS

and SIP services was changed from TCP to UDP, after

upgrading from version 26.x to 28.x, configuration

changes in the protocol setting occurred. prod00172595

20. Using the Chrome browser, Alteon did not release the

TCP connection created by opening HTTPS

management to the device via a data port. prod00172310

21. Removed the /boot/udefquit command on

console/telnet/ssh because rebooting the device from

the console using Shift + Ctrl + "-" is not supported on

OnDemand Switch platforms. prod00172213

22. Using BBI or APSolute Vision, it was not possible to

export a configuration with private keys. It is now

possible on HTTPS and SNMPv3 connections. prod00172196

23. Virtual service statistics did not display the content

based-service rules statistics when the service port

was different than 80. prod00172059

24. When accessing the device via BBI using the non-

default OPER user, the Class Of Service is displayed

as USER instead of OPER. prod00172057

25. After an SNMP request to 802.1AB LLDP OIDs, VRRP

flip flopped. prod00171983

26. After configuration sync, the order of the virtual

services section in the configuration dump was

different in the sending peer than in the received peer. prod00171762

27. In a VRRP pair configuration with DNSSEC enabled, configuration sync could cause both peers to be set with keyslave enabled. prod00171761

28. After executing the /stats/sp/c +[tab] command in the

fourth Telnet/SSH session, the device crashed. prod00171758

29. In version 28.1.8.30, a revert apply with an interface

address change could cause the device to hang. prod00171609

30. The BPDU frame length for RSTP and MSTP BPDUs was incorrect -- Alteon indicated a frame 14 bytes longer. prod00171399

31. Using BBI, when a real server or virtual server was

added to the GSLB metric, the preference value was

set to 0. Now you can define network preferences

values using BBI. prod00171391

32. In a VRRP owner configuration, editing or deleting the

interface IP address or VIR address did not update the

interface MAC address to the base MAC address. prod00169623

33. After applying configuration changes that affected the

routing table, the device sometimes panicked. prod00169133

34. Due to unnecessary validation during boot-up, the

vADC configuration was not applied automatically and

instead moved to “diff”. Manual apply was then

required to make it active.

prod00162680/

prod00170875

35. It was not possible to delete an IPv6 management

interface. prod00160336

36. When an apply command was performed in parallel

with a configuration change done from another CLI

interface, the CPU utilization increased.

prod00156307

37. When the passphrase configured for certificate sync

contained an "!" character, the configuration was not

loaded after reboot. prod00171765

38. When force proxy was used, the default BWM contract

(ID 1024) did not work, as well as application

acceleration capabilities and SSL acceleration. prod00171616

39. When Alteon inserted an x-forwarded-for header and

dbind is set to enabled, a client request corruption

occurred.

When dbind is set to force-proxy, this client request

corruption does not occur. prod00171441

40. If one of the ports in a trunk was down, the trunk was

declared down for port teaming.

In this version, the trunk is now considered up for port

teaming if at least one trunk port is up. prod00171252

41. Alteon did not process the HTTP CONNECT method. After a service with application acceleration configured received the CONNECT method, the service closed the connection by sending [FIN,PSH,ACK] to the client. prod00171244

42. When rport load-balancing was used with pbind cookie

and dbind force proxy, virtual server statistics were

incorrect prod00171178

43. When receiving multiple GET requests in the same

TCP session that matched both cookie persistency and

URL SLB and that were designated to different real

servers, the persistence sessions that were created

were not removed from the session table, causing the

session table to fill up prod00170976

44. On a device with an ADoS license and DoS attack enabled on the port, ICMP type 3 packets (destination port unreachable) were considered as ICMPLEN DOS attacks, causing the MP CPU to reach 100%. prod00170909

45. After migrating from the 2424 platform to the 5412

platform, WTS load-balancing did not work. This

happened because of the difference between the CPU

chips used in each platform and the way the IP

addresses are stored in memory. prod00170776

46. With GSLB set to enabled, HTTP access set to

disabled, and wport set to 80, it was not possible to

apply a configuration. prod00170745

47. When real server backup with preemption were

disabled, because an apply causes a server to either

go up or down, when the backup server health check

arrived before the primary server health check, the

backup took over even though the primary was still

alive.

prod00170723,

prod00170456

48. The command description for importing and exporting a

certificate component was improved prod00170462

49. In a configuration where the same real server with preemption disabled was associated with multiple groups that function in different virtual services, if the primary server failed, the backup server took over in only one group. prod00170454, prod00170317

50. Configuring real server backup with preemption disabled created the following problems:
1. Preemption disabled did not work for some real servers (depending on their index).
2. If the primary server came up before the backup (for the first time after reboot), and the server went down then up again, preemption acted as if it was enabled.
prod00170453, prod00170067

51. After failover, on the ex-Master, the status of some primary servers with backup preemption disabled changed to operator DISABLED and the backup server took over. prod00170451

52. Using a redirect filter, if a real server with preemption

enabled failed, its backup real server took over and

acted as if preemption was disabled when the primary

real server came back up (traffic was still sent to the

backup server even though the primary was up). prod00170374

53. Network class deletion was not synced to a peer

switch. prod00170347

54. A backup group real server was shown in the service info output as "group dis, up" and no traffic was sent to that real server, although the backup group was up. This happened when the primary group went down and the backup group became active, and then 2 more groups were added using the same real server from the backup group. prod00170175

55. In an ADC-VX environment, MSTP/RTSP was not

working. prod00169943

56. In a vADC environment, a tsdump command caused a

VRRP to flip flop (meaning that the backup became

master and after a short time became the backup

again) and all services defined on that vADC went

down. prod00169942

57. Throughput information showed much higher values

than the actual throughput. prod00169940

58. When an IP fragment ping was sent to a VIR, VIP, or

VSR, the interface MAC address was used as the

source MAC of the ping reply. prod00169338

59. When the IP address of a VIP was changed, the ARP

entry with the old VIP address was not removed even

though there was no other VR with the same address

as the old VIP. prod00169334

60. On an OnDemand Switch 3 platform, traffic from

source TCP ports 4 or 5 displayed incorrectly in the

session table, as follows:

1. Aged-out sessions still appeared in the session

dump

2. Live sessions were displayed incorrectly as BWM

sessions. Their source IP addresses and ingress ports

appeared as 0. prod00169037

61. SLB VIP was added automatically to the OSPF

database and distributed to the peers even though the

default route redistribution was configured (no host

redistribution defined). prod00168364

62. When entering a new virtual service menu without

changing anything under that menu, Alteon considered

it as a configuration change even though diff was

empty. prod00167509

63. Wrong FAN failure Syslog messages were sent while

the tsdmp showed FAN OK.

prod00153747/

prod00153290

64. In a vADC environment, after importing a configuration

without its private key, even though the apply was

successful after the import it was not possible to

access the server certificate menu. prod00156551

65. In DSR mode, ICMP health checks were sent to the real server IP rather than to the loopback address (the VIP IP address). prod00170244

66. SIP session entry was not aged properly in a case

where INVITE reuses a session that was already

deleted/moved to fastage. prod00169941

67. Network mask of localnet was not displayed properly prod00169609

68. When using configuration with multiple interfaces, the

device became inaccessible, within 5 minutes from

upgrade to 28.1.8.20

prod00169565,

prod00169455,

prod00169458

69. SNMP Get/GetNext request to 1.3.6.1.2.1.2.2.1.3.x

caused the Alteon to enter freeze state. Reboot was

needed to exit this state. prod00169455

70. BPDUs of disabled VLAN were flooded on all ports. prod00169555

71. The Alteon device sometimes panicked after applying configuration changes that affected the routing table. prod00169333

72. HTTP traffic was affected by the vADC SSL CPS limit. prod00169253

73. After running SNMP traffic for some time, all

management activities became inaccessible due to a

memory leak

prod00169141,

prod00169111

74. SNMP services went down after upgrade. This happened due to a change added to the SMTP health check in version 28.1.8.10. The SMTP HC was made common to both IPv4 and IPv6, meaning that the SMTP HC sends a "vrfy" even if no content is configured. Some SMTP servers do not reply to "vrfy" because they are waiting for additional data, and therefore can be considered down. prod00169052

75. A vADC reset occurred when accessing a virtual service of type "service ip". prod00169012

76. In a URL redirect from HTTP to HTTPS setting, a GET request without the host header caused the device to crash. prod00168862

77. When adding PIP for port range via BBI, an error

message appeared prod00168757

78. With passive cookie persistency and rport load-balancing, when the cookie was not found and the client request was within the same TCP connection, rport persistency was not maintained. prod00168751

79. Health Check Script above 156 caused the virtual

service to go down for several seconds prod00168588

80. HTTP content class and http modification did not work

together when both made a decision according to

HOST header prod00168515

81. SIP outbound call was not working prod00168443

82. It was not possible to define Script health check

between 64 to 256 prod00168271

83. nonat on RTSP virtual service was not working. prod00166915

84. Some syslog messages on the management port were missing. No message was sent after the management IPv6 gateway address and therefore it was thought to be not UP. prod00166720

85. In hot-standby environment, when there are more than

256 VSRs, the following syslog message appeared in

the backup: "vrrp: received incorrect addresses" prod00165484

86. Querying the vADC interface using a 64-bit counter

MIB returned a value of 0. prod00162440

87. A change in the Layer 3 configuration caused the

default gateway status to flap. prod00168365

88. After upgrade, the pending configuration message

displayed even though no pending configuration

existed.

prod00167780

89. With the TACACS+ command login enabled, after executing an Alteon global command (such as save, apply, or diff), Alteon sometimes crashed. prod00167541

90. When a hot-standby port was not part of VLAN

assigned to the vADC, it was not tracked for VRRP

priority.

prod00167398

91. An IPv6 VIP responded with the incorrect source MAC

address. prod00167397

92. In a DNS hostname configuration using regular

expressions, uppercase characters were always

changed to lowercase.

prod00167326

93. On a 4408 platform, sometimes a FAN status alert was

sent for non-existing fans. prod00167173

94. When a Layer 7 DNS string was configured to match at

the end of the chain (using the $ symbol), if the string

existed twice in the DNS query, it was considered to be

no match.

prod00167152

95. Alteon dropped broadcast ARP replies with a unicast

target MAC address. prod00167139

96. In an ADC-VX environment, the OID of

vadcStateVrrpMaster / vadcStateVrrpBackup trap was

incorrect.

prod00167105

97. The TACACS usernames did not display in the login

syslog message. prod00166917

98. In an ADC-VX environment, in the BBI dashboard the SSL CPS information was incorrect. prod00166916

99. On a 4408 platform, during upgrade a “file missing”

error message displayed. prod00166885

100. The SNMP trap for link up and link down was not clear

and did not indicate the port number and its state. prod00166805

101. When the Technical Support dump was issued via SSH

and the terminal immediately closed without writing the

output, Alteon would sometimes crash.

prod00166745

102. In a vADC, when its two CUs were located on the same SP core (with a different HAID), a VRRP advertisement conflict occurred. prod00166743

103. After issuing the "session clear" command, sessions

that were removed on the master were not cleared on

the backup.

prod00166740

104. NTP requests were not sent from an IPv6 management

port. prod00166538

105. Using BBI, when exporting all VX and vADC

configurations, the vADC configurations were not

restored properly.

prod00166537

106. On a 5224 platform using BBI, the displayed

management IP was different than the one configured

in CLI.

prod00166536

107. The Spain daylight savings timezone was incorrect. prod00166534

108. An IPv6 VR did not reply to ICMPv6 requests. prod00166453

109. ICMPv6 router advertisements were not dropped by

the deny filter. prod00166448

110. Configuration synchronization was not working prod00166199

111. Redirection filters did not work correctly when proxy

was enabled on the port and the filter was defined with

rport, even though no proxy IP was configured in the

filter.

prod00165876

112. OSPF static/fixed selective route redistribution using

route maps did not work. prod00165847

113. Latency occurred due to a high port reuse rate. prod00165578

114. In a VRRP hot-standby configuration, when the ISL link went down, the IP interface also went down on the backup vADC. prod00165487

115. Script health checks were not allowed for an IP type

virtual service. prod00164543

116. In a VRRP hot-standby configuration, when the master

vADC panicked (booted up very quickly), the failover

was not performed properly.

prod00162893

117. After importing a file that contains more than one

certificate, Alteon crashed. prod00160343

118. The SNMP trap for link up/down did not indicate the

related port number.

prod00167018

119. Using RTSP SLB, RTCP and RTP sessions were not

cleared from the session table on

time.

prod00166549

120. On a 5412 platform, when manually disabling an SFP

copper port, the link did not go

down on the peer switch.

prod00166339

121. When multiple VIPs used the same real server, in the

traffic that returned to the client

that caused a session failure, the real server IP to VIP

translation was wrong.

prod00166243

122. On an Alteon 10000 platform, an irrelevant reboot log

appeared.

prod00166207

123. Rarely, after upgrading to version 28.1.5.0, an HTTP

1.0 request from a proxy caused

the device to crash.

prod00166193,

prod00166980

124. In a filter with session table caching disabled and

tunable hash based on the source or

destination IP, group redirection did not occur.

prod00165795

125. When setting the backup group for a group with no real

server, an unclear message

displayed.

prod00165506

126. When the request header was larger than 16K, SSL

decryption failed.

prod00165389

127. When DSR was configured, many sessions were created for a single HTTP request, causing the session table to fill up even though the load was minimal. prod00165358

128. BWM statistics sent to an SMTP server configured on a

data port caused a device panic.

prod00165357

129. On an Alteon 5412 platform with 32GB memory, a

client request that reached 50K TPS

caused the device to crash.

prod00165275

130. When compression was used along with multiplexing,

an HTTP 1.0 client, and server

keep-alive, transactions did not finish because a FIN

was not sent by the server.

prod00165251,

prod00166979

131. SSHv2 management connection did not work with a

Sun Solaris client.

prod00165231

132. SSH management on data port caused a device panic. prod00165216

133. When a second HTTPS request arrived on an existing

TCP session, Alteon sent the

request to the same real server selected for the first

HTTPS request without checking if there was a new

URL SLB match.

prod00165016

134. Using BBI, configuring port mirroring caused the Alteon

device to panic.

prod00164932

135. In a redirect filter with session caching disabled, when

all the real servers were down,

the packets were dropped instead of being forwarded

to the default route

prod00164910

136. When SNMPv1 and v2 were disabled, Alteon

answered SNMPv1 requests with an

error message instead of not answering at all.

prod00164896

137. The td-config and shared maintenance debug

commands were available in normal mode

instead of being available only in god mode.

prod00164787

138. CISCO PVST and BPDU frames were not always

tagged when sent out from a tagged

port.

prod00164731

139. Alteon did not forward BPDU frames in VX mode. prod00164710

140. In a GSLB environment, when more than 10 VIPs were

configured with the same

domain, the device panicked on a DNS response for

that domain.

prod00164708

141. The real server state was not set to block when one of

the services it served was down.

This happened when the real server was defined with

multiple addports associated with

prod00164632

142. Only ICMP health check can be used for virtual

service for type IP

prod00141916

Fixed in version 28.1.8.0

Item Description Bug ID

1. Configuration synchronization was not working prod00166199

2. BPDUs were not always tagged when sent out from

tagged port prod00166164

Fixed in version 28.1.7.0

Item Description Bug ID

1. Using IPv6 script health checks resulted in high MP

CPU usage. prod00164420

2. On an Alteon 5412 platform, LACP packets were

dropped by Alteon VX. prod00164305

3. On the Alteon 5412 and 5224 VX platforms, when STP

was set to off, STP and LACP packets were not

forwarded. prod00164227

4. On an Alteon 5412 platform, STP packets were

dropped by Alteon VX. prod00164223

5. It was not possible to connect using Vision to Alteon

28.1.6.0 prod00164196

6. The SLBadmin user was unable to apply configuration

changes. prod00164136

7. When session caching was enabled, IPv6 filter

redirection did not work. prod00164003

8. Synchronization of DNSSEC configuration changes

was automatically performed on apply, even though

no peers were configured. prod00163824

9. When Layer 7 modification was defined, dbind was

automatically changed from enabled to forceproxy. prod00163767

10. The SSH management connection became

inaccessible periodically, and running SSH on/off did

not revive the connection. After several such retries,

the device reset.

prod00163531,

prod00163229

11. On an Alteon 5224 platform, BWM was not working on

ports 17 through 26. prod00163417

12. On an Alteon VX 5224 platform, in viewing the vADC in

the BBI, there was a mismatch between the VLAN

table and the Physical Ports table. prod00163394

13. On an Alteon VX 5224 platform, in the BBI L2 Physical

Port pane, the port speed of ports 19 through 24

displayed the incorrect values. prod00163392

14. Alteon VX crashed in certain cases due to SSH

management connection. prod00163271

15. NAT was not performed on SDP data (in SIP) with

response codes other than 200 OK.

Now it is also performed for 180 RINGING and 183

SESSION IN PROGRESS response codes. prod00163262

16. ADC-VX could capture traffic from only one vADC at a

time. Now separate files are saved for each vADC. prod00163247

17. When 1. creating a disabled virt, adding a content class

rule to it, and applying it, and then 2. enabling the virt

and applying it again, Alteon replied with a "503" HTTP

response code (=servers down) when matching the

content class, even though the servers were actually

up. prod00163224

18. In a Layer 2 DSR environment, DNS UDP health

checks caused the device to crash. Upgrade from

27.0.3 to 28.x results in panic once VRRP activated. prod00163185

19. Using RADIUS authentication, SSH user access was

blocked for an unlimited time, even though it was

defined as authorized. prod00163112

20. In APSolute Vision, the secure cookie insert

configuration showed opposite settings from the device prod00163098

21. When the ADC-VX and the vADCs were installed with

different versions, vADC sync failed. prod00163077

22. In the BBI, an incorrect breadcrumb appeared in the

Layer 3 sub-menus. prod00163017

23. When VRRP failover occurred, it took the default

gateway 8 seconds to get back online. prod00162931

24. Using SCP to transfer the configuration and commands

to Alteon did not work on ADC-VX/vADC. prod00162738

25. When the device was under heavy load, sometimes

FDB table corruption occurred, causing ARP and ICMP

packets to be discarded. prod00162636

26. After adding a couple of interfaces, the device

panicked. prod00162562

27. Some of the SSH/Telnet management connections

were not closed properly in vADC, causing the

maximum number of connections (4) to be reached. As a result,

new management connections could not be opened. prod00162450

28. Querying the vADC interface using a 64-bit counter

MIB returned a value of 0. prod00162440

29. It was not possible to set a virtual service IP supporting

both UDP and TCP protocols in the same service. prod00162382

30. Executing many putdumps commands sometimes

caused ADC-VX to crash prod00162230

31. Adding a second VIP with RTSP SLB that uses the

same real server as the first RTSP SLB service caused

the sessions to the first VIP to fail. prod00162090

32. An empty "name" in the "team" configuration dump

caused restoring the configuration to fail. prod00162051

33. Dynamic proximity calculation results were incorrect. prod00162044

34. When exporting the configuration using the putdump

command, the user password displayed in clear text. prod00161980

35. Using the BBI, in a VRRP service based group, it was

not possible to disable share and preempt. prod00161975

36. Using the BBI, it was not possible to change an SSL

service rport to 443 when back-end SSL was disabled. prod00161441

37. Virtual service statistics were incorrect for services with

dbind enabled and pbind set to sslid prod00161245

38. Some validation checks for matching between the

server certificate and private key were missing. prod00160917

39. The output of the real server group mapping command

(/info/slb/bind) was incorrect. prod00157497

Fixed in version 28.1.6.0

Item Description Bug ID

1. When cookie insert for persistency and Layer 7 string

matching were configured in an HTTPS offloading

service, and the traffic did not contain any matching

cookie or string, a server was selected instead of

responding with HTTP error 503 (server unavailable). prod00162602

2. With a heavy load of HTTP "Connection: close" traffic

and connection management enabled, software panic

sometimes occurred when several responses were

sent from the server for one request. prod00162148

3. When the port command was retransmitted, Active

FTP load balancing did not work properly. prod00162078

4. Under certain circumstances, unpredictable behavior

occurred with certificate management (such as loss of

keys, unable to connect via SSH, the diff flash holds

the configuration after reboot, and so on). prod00161974

5. When a client HTTPS request did not match any of the

strings assigned to the real servers, after Alteon reset

no response was received and SSL terminated. prod00161818

6. When the GSLB network IP version was not manually

defined, the proximity GSLB worked incorrectly. prod00161647

7. The redundant capability of setting an SNMP service

with TCP protocol was removed. prod00161584

8. The configuration apply command generated incorrect

and irrelevant VRRP syslog messages. prod00161579

9. Transferring a large file using an HTTPS service took

much longer compared to an HTTP service, because a

small TCP window size was set. prod00161459

10. For virtual services configured with SSL offloading

where the front-end and back-end ports are the same,

the service back-end port on the backup device was

changed during configuration synchronization. prod00161446

11. Using VRRP with stateful failover configured, when the

backup device booted up after upgrading to version

28.1.5, the master device rebooted repeatedly. prod00161442

12. In version 28.1.5.0, when X-Forwarded-For was used

with dbind enabled, the sequence number on the

second GET request to the server was incorrect. prod00161266

13. In version 28.1.2.0, an image upgrade via HTTP

transport caused a panic. prod00161254

14. In BBI, a clear operation in SLB monitoring cleared the

session table instead of clearing SLB statistics prod00161019

15. In an HTTP persistency configuration, the path was

added to the cookie header even though it was not

configured in the pbind cookie insert configuration. prod00161011

16. The connection splicing statistic was not updated with

dbind forceproxy. prod00161007

17. Alteon panicked when "host:" string was not found in

the URI of a request. prod00160900

18. The RADIUS secret password was synced during

configuration sync. prod00160668

19. When all the real servers in a group and backup group

were down, the virtual server information displayed the

backup group as disabled. prod00160637

20. On Alteon with SSL acceleration card, a very heavy

load can cause a switch panic prod00160610

21. The swkey (license information) command did not

display the installed default throughput license. prod00160459

22. A non-updated Geo database was used, causing Geo

IP resolution for a DNS query to be incorrect. prod00160397

23. In certain cases, out-of-order fragments traffic with

proxy IP configured caused the device to crash. prod00160348

24. After upgrading from version 28.0 to 28.1, an apply

failed due to a certificate synchronization error, even

though no certificate was configured. prod00160341

25. Active FTP load balancing did not work properly when

PORT command retransmission occurs. prod00160294

26. On a virtual service with both caching and compression

policies, when compression was set disabled, caching

also stopped working prod00160249

27. After USB recovery, a redundant message appeared

before the login prompt. prod00159887

28. On an Alteon 5224, STP and LACP packets that were

received on ports without a VLAN tag configured were

dropped. prod00159860

29. In a vADC hot-standby configuration with Layer 4

switch port tracking enabled, resetting the master

vADC caused the backup vADC to take over only until

the master vADC started again. prod00159834

30. Sessions matched on a redirect filter with Linklb and FTPA

enabled were created with ageing 0 and were

disconnected quickly. prod00159775

31. On 4408/4408-XL devices, throughput license

information showed irrelevant value when default

throughput license was installed prod00159763

32. It was possible to set the default gateway address to a

virtual server and PIP. prod00159741

33. In a vADC, server responses with the destination MAC

of a different vADC were not processed and were then

dropped. prod00159723

34. During image download on VX, LACP trunks were

blocked for about 2 minutes causing network traffic

instability prod00159550

35. When persistent entry exists but corresponding real

server was down or disabled, Alteon answered with

HTTP Error 503 (Service unavailable) instead of

selecting new server prod00159531

36. When TCP based health checks (i.e HTTP, FTP) were

configured for UDP based services, TCP port health

check was performed instead of ICMP prod00159427

37. The ADC-VX MIB-II did not support 64-bit counters.

ADC-VX interfaces were incorrectly displayed as

10/100 instead of Gigabit or 10Gigabit. prod00159381

38. In certain cases, Direct Server Return (nonat enabled)

caused a switch panic. prod00159357

39. SSL session failed after configuration apply due to

certificate synchronization prod00159323

40. BBI showed incorrect user login information when

logging in from the same host with different users that

have the same COS. prod00159298

41. PIP statistics update of VLAN based PIP, caused the

vADC to crash prod00159297

42. In an ADC-VX environment, XL devices were not

indicated as XL in CLI displays. prod00159257

43. The switch panicked when a real server came back up, causing the

backup real servers to become disabled. prod00158835

44. Navigation option between the Virtual Servers BBI

pages was missing prod00158669

45. After disabling connection management functionality in

a service, a persistency problem occurred. prod00158650

46. Active FTP load balancing did not work properly

because of the wrong adjustment to the sequence

number prod00158622

47. When a static route is not covered by localnet, the default

gateway is used. The confusing warning message that

appeared in such cases was removed. prod00158609

48. Update of server certificate name via BBI was not

possible prod00158590

49. Active FTP load balancing did not work properly due to

wrong adjustment of the sequence number prod00158572

50. Certain SNMP traps caused the device to crash prod00158525

51. Virtual server current session statistics, showed

strange value via BBI prod00158470

52. It was not possible to disable SSL offloading for a VIP

via BBI prod00158456

53. Responses from Virtual Server were linked to the

same port of the trunk and therefore limited the

throughput to 1 Gbps. This happened since the trunk

load balancing algorithm used only source IP instead of

source IP + destination IP prod00158403

54. Enabling "IP TOS matching" on a filter through BBI also

enabled "IP Option Matching". prod00158281

55. An empty trunk name in the configuration dump

caused a failure in restoring the configuration. prod00158111

56. On a 5412 platform, TACACS+ authentication caused

the device to crash.

prod00157976

57. In BBI, the Alteon-VX dashboard did not work.

Also, HTTP request over management port with an

empty Host header caused the device to crash

prod00157799

58. VRRP flap occurred when uploading tech support

dump or viewing real servers information on backup

vADC1. prod00157771

59. On 4408 and 4416 devices, the putdumps

maintenance command failed.

prod00157731

60. On a 5412 platform, the device crashed with a link load

balancing configuration with fragmented traffic.

prod00157666

61. In CLI and BBI displays, an Alteon 4408 device with an

SSL card was not identified as 4408XL.

prod00157617

62. Heavy load caused Alteon to send an irrelevant trap

(OCSP related). prod00157309

63. When "regex" or "none" were incorrectly defined as

the HTTP modification element, a panic occurred.

prod00157033

64. The default compression license for 5224XL was

changed from 500 Mbps to 1Gbps.

prod00157011

65. On device startup, a duplicate SNMP temperature trap

was sent where one of the messages had incorrect

information.

prod00156974

66. When only one power supply was installed in a dual

power supply device, an SNMP trap reporting this

problem was not generated.

prod00156903

67. After upgrading to version 28.1.5, all vADCs went down

and their image statuses were displayed as

Incompatible.

prod00156868

68. In SNMP traps sent on data port, the wrong agent-

address was included, and the incorrect OID was

reported in slbCurCfgRealServerOid.0

prod00156813

69. In a vADC environment, when the syslog default port

was configured on a management port, the source IP

address of the syslog packets was the ADC-VX

management IP instead of the vADC management IP.

prod00156720

70. Persistency breaks sometimes occurred when a cookie

arrived at an SP which did not contain the persistent

entry of that cookie. prod00156706

71. During configuration sync, the port number was replaced

with the port alias, causing a problem in VRRP failover. prod00156661

72. When all primary servers were configured as disabled,

the backup servers moved from the blocked to the up

state when one of the backup servers was disabled

operationally. prod00156636

73. In certain cases, active FTP LB with client NAT did not

work.

prod00156619

74. When VLAN based PIP was configured, no PIP

statistics were generated.

prod00156548

75. An Apply generated incorrect and irrelevant VRRP

syslog messages.

prod00156531

76. In a vADC, a user with CoS set to user was unable to

enable or disable the real servers that were assigned

to him, while the l3oper user was able to enable or

disable real servers that were not assigned to him. prod00156384

77. After upgrading from version 28.0 to 28.1, an apply

failed when VRRP hot-standby was configured.

prod00156344

78. The string "v4" was mistakenly added to the SMTP

hostname in the configuration dump.

prod00156070

79. False fan traps were sent on a vADC. prod00155948

80. When a vADC was down, BPDUs in corresponding

VLAN were not blocked.

prod00155824

81. After upgrading from version 27.0.x to 28.1.2.x, an apply failed when X-Forwarded-For was configured for a service. prod00155794

82. Throughput license is up to 16 Gbps for the 5224 and

5224XL platforms. This was incorrectly stated in

previous release notes.

prod00155691

83. After upgrade from 27.0.2.0 to 28.1.2.0 with dbind

disabled and X-Forwarded-For enabled, after changing

dbind to enabled on a service, an error message was

issued, and the device crashed.

prod00155689

84. A vADC panic caused the SYS LED to turn red. Only

rebooting the device turned the LED back to green.

prod00154297

85. During the upgrade process of a cluster, after one

device was upgraded from version 28.0 to 28.1, the

cluster changed to the VRRP Master-Master state.

prod00153379

86. A link UP was reported on port with the Copper SFP

module inserted, even though the cable was not

connected.

prod00152580

87. vADC throughput statistic was shown in MB rather than

Mbps prod00152104

88. When attempting to reset a vADC or device, a

message is issued that there is an unapplied/unsaved

configuration even though the configuration was

applied and saved.

prod00151807

89. An NTP server IP address could not be deleted (set to

default 0.0.0.0 value).

prod00151632

90. After SSH login, the SSH management session

sometimes hangs.

prod00151316

91. In a dbind forceproxy service, if the client delayed in

sending the FIN,ACK to Alteon as a response to FIN,

the session entry was aged in slow aging rather than

fast aging prod00151145

92. After applying system configuration changes, incorrect

SLB log messages were issued.

prod00151057

93. When an IPv4 VRRP group was enabled, it was

possible to define an IPv6 VSR. This caused the IPv6

VSR to be unreachable.

prod00150485

94. When connection management was enabled and egress PIP was configured (as recommended), Alteon still required the ingress PIP address to be configured. prod00141402

Fixed in version 28.1.5.0

Item Description Bug ID

1. The switch blocked TCP sequence zero and direct

ARP request (non broadcast) packets, treating them as

attack packets.

136092

2. SSL offloading with SSL reuse did not work properly on

Alteon 5412 XL.

155194

3. When delayed binding was enabled, an HTTP request

with malformed HTTP version parameter caused a

panic.

155172

4. When performing SNMP walk of the Alteon switch MIB,

the walk stopped once it reached the

agAccessNewCfgHttpsCert.0

(1.3.6.1.4.1.1872.2.5.1.1.19.4.6.0) OID.

153699

5. When a configuration included real servers with buddy

servers, after Apply unnecessary notices regarding

server statuses were sent.

153555

6. The virtual server status was reported via BBI as

blocked when one real server went down.

153554

7. When delayed binding was enabled, an HTTP request

with malformed HTTP version parameter caused a

panic.

153491

8. When Alteon 5224 ports 1 and 2 are administratively

disabled (/cfg/port x/dis), the links connected to

Alteon 5224 ports 3 and 4 went down.

153297

9. Performing the /maint/applog/showlog command

caused a vADC restart, and no panic dump was

available.

153167

10. A Header Modification rule to remove the Date header

did not remove the header from HTTP requests.

152927

Could not enable SSH from Telnet in 28.1.2.0. 152888

11. The upgrade from version 27 to 28 failed if the device configuration included certificates. 152803

12. A panic occurred on a vADC when a SAVE command

was performed via SNMP.

152787

13. When Web cache redirection and server load

balancing were performed using a filter with a non-zero

server port (rport), the server port was not updated in

the session table resulting in a session failure.

152506

14. Even though a vADC management port was locked by

the Global Administrator, the vADC management port

could be deleted by pasting a script without a

management setting.

152487

15. When changing proxy IPs and virtual servers using

BBI, the device panicked.

152226

16. The default SSL CPS license was incorrectly set to 500

CPS for Alteon 5224XL.

152224

17. When an interface was disabled and then enabled,

OSPF did not recover after the link came back up.

152132

18. MNG-2 management port could be configured but did

not work properly. Currently this port cannot be

configured.

152131

19. Interface statistics showed incorrect values. 152056

20. Load balancing between device gateways using the

round robin metric did not work properly and resulted in

uneven allocation.

152044

21. When attempting to reset a vADC or device, a

message displayed that there was an

unapplied/unsaved configuration even though the

configuration had been applied and saved.

151807

22. Load balancing of WTS traffic caused a panic on the

device.

151681

23. Alteon VA responded to ping to VIR only when the

request came from the VLAN to which the VIR

belonged.

151590

24. When configuring the NTP primary server with an

empty string, a fake IPv6 address was set as the

server address.

151407

25. When NTP servers were connected behind a gateway, an NTP warning message was displaying the gateway address instead of the NTP server IP address. 151406

26. The device did not allow enabling egress PIP (epip) on

a service when the server-side port was proxy enabled

but was not assigned a PIP.

151019

27. VRRP group settings could not be configured using the

BBI.

150921

28. Alteon discarded ACK packets sent by client in

response to server TCP keep-alive packets.

150750

29. The XML configuration API could not be used to

change a vADC configuration.

150484

30. The message sent when Alteon was shut down due to

critical temperature was not accurate.

150456

31. Importing a certificate in PKCS12 format to a vADC

failed with the error "Error: Failed to extract cert+key".

150376

32. When user "user" was disabled for a vADC, it could still

be used to access the vADC.

150327

33. Fragmented traffic that arrived for a virtual service

which was processed by the Acceleration Engine

caused a device panic.

150326

34. When an Intermediate CA Certificate Group and

Intermediate CA Certificate had the same name, and

the group was attached to an SSL policy, Alteon sent

an Intermediate CA Certificate instead.

150306

35. When querying the VRRP status using SNMP in the

Global Admin context of an ADC-VX device, the state

of the Virtual Routers was incorrectly reported.

149938

36. Occasionally when Alteon did not forward an RST from

the client to the server, the client received packets with

the real server IP as the source instead of the VIP.

149875

37. Using the BBI, the user was able to configure a

different application type for a standard service port

when using IE6. After device/vADC restart, the

configuration of such services was erased.

149702

38. The /info/slb/gslb/geo command did not display

anything.

149636

39. When the HTTP method was split across packets, Alteon dropped the first packet which contained an invalid method and sent an HTTP_501 error message to the client. 149554

40. There was an inconsistency between the actual

altSwBulkApply trap packet and the description in MIB

file.

149539

41. Bandwidth Management did not work on IPv6 traffic in

Alteon version 28.1.

149497

42. Alteon allowed using the same IP address for a vADC

peer address and a Global Admin management

address.

148866

43. A group could not be deleted from CLI; the following

error message displayed during the apply phase:

"Unable to lock cli, no response from configuration

thread!" The group still appeared in the configuration

dump, but it was empty.

148726

44. On sessions for which delayed binding was performed,

if a FIN packet arrived from the client immediately after

HTTP request packet the switch dropped the FIN

packet.

148673

45. When user authentication was performed using

RADIUS, if the RADIUS servers were unavailable and

the user existed in the local user data base and had

backdoor enabled, Alteon asked for user/password

credentials again, instead of using the credentials

provided the first time.

148671

46. When persistency using cookie insert was configured,

the age of the actual session entry was updated to 4

minutes instead of using the selected real server

timeout value.

148661

47. When Alteon performed delayed binding, if, in addition

to persistency, content hash based load-balancing

(such as URL hash or WTS user hash) was configured,

TCP request retransmissions were dropped.

148649

48. When an NTP and a DNS service were configured for

the same virtual server, an NTP request that arrived

immediately after a DNS request was sent to the DNS

server group instead of the NTP server group.

148640

49. The admin password could not be changed using an

SSH connection.

148469

50. Configuration synchronization failed after upgrade from

27.0.1.0 to 28.1. The remote peer reset the connection.

148214

51. When DSR VIP health checking was enabled and the

health check was UDP, the health check was sent to

the real server IP instead of the VIP.

148213

52. SP memory utilization could not be monitored through

SNMP.

147657

53. The persistency entry age update behavior when

modifying Real Server Inactivity Timeout

(/cfg/slb/real x/tmout) and when changing

Virtual Service Persistency Timeout (/cfg/slb/virt

x/service x/tmout) was inconsistent.

147523

54. The switch gateway was temporarily down when

adding a local static route.

143262

Fixed in version 28.1.2

Item Description Bug ID

1. When using the /maint/tsdmp command, the device

failed.

147546

2. When the route from the client to a VIP had an MTU

less than 1460, the router sent an ICMP error that

forced Alteon to split packets into smaller segments.

On Alteon, this client IP’s repository was limited to 10,

so the 11th client still received high MTU traffic,

resulting in no traffic being forwarded from the router to

this client.

148516

3. When a POST request was sent, it could be divided

into a header section and data section.

When the header section reached the server, the

server could send 200 OKs before receiving the data

section. When this happened, the next HTTP request

was not forwarded to the server and the connection

was not terminated.

147992

4. On a 5412 platform, boot-up time took more than 5

minutes.

114954

5. Using BBI, when deleting an object attached to a virtual

service (such as a caching policy, compression policy,

or an HTTP modifications rule list), you had to remove

it from the virtual service in order for the Apply to

succeed. However, after it was deleted, the object did

not appear as selected in the virtual service, which may

have been misleading.

121073

6. There was no SNMP configuration (MIB) support for

new features added in version 27.0.0.0, including

caching, compression, HTTP modifications, and HTTP

connection management.

SNMP (MIB) support for status and monitoring is now

fully available.

121097

7. An HTTPS certificate change did not take effect until

the HTTPS service was restarted (disabled and then

enabled).

146716

8. When Alteon was configured with VRRP and a high

volume of SSL traffic was sent for a long period, a

failure could have occurred.

146876

9. The device sometimes stopped advertising OSPF

routes due to a timer issue.

285641

10. On sessions for which delayed binding was performed,

if a FIN packet arrived from the client immediately after

an HTTP request packet, the switch dropped the FIN

packet.

148673

11. The vADC statistics limit command showed incorrect values

for SSL CPS and device throughput.

147825

12. BPDU frames with MAC address 00:00:00:00:00:00

were forwarded by Alteon.

147168

Known Limitations

This section lists all known limitations for this release.

Limitations in version 28.1.10.0

Item Description Bug ID

1. In Alteon VA, as all its ports are in the same VLAN by

default, its ports can be interconnected to the same

broadcast domain causing a network loop.

Workaround: Define port 2 in VLAN 2, as port 1 is

defined in VLAN 1.

(Fixed in 29.0)

170110

2. When x-forward-for is enabled on a service with

least connection rmetric, it starts corrupting the PIP

address when sending traffic to the backend. (Fixed in 29.0)

173659

3. Sometimes, the software image download process failed.

In most cases, a download retry was successful.

167409

4. When "httpslb or urlslb" is configured in a group with

the least connection metric, the string match is checked in

both httpslb and urlslb, although the precedence is set

to OR and not AND.

(Fixed in 29.0)

170004

5. Alteon only supports IPv4 as the agent address in the

SNMP trap.

166454

6. The put image option /boot/ptimg is not supported.

110769

7. The configuration dump done from BBI does not use

Courier-New font. For this reason, the PKI components

included in the dump look like they are not formatted

correctly.

110848

8. When using HTTP connection management (HTTP

Multiplexing) and group server maximum connections

(maxconn) is reached, the persistent connections

opened for multiplexing are also not reused to serve

client requests.

110952

9. Capture and decrypt capture functionality is supported

only using the CLI. BBI does not support this

functionality.

111085

10. Importing the 2424-SSL processor configuration file to

migrate its certificate repository to version 27.x is

supported only using the CLI.

111453

11. BGP does not remove from its table a route that was

learned from RIP, even though the route had been

withdrawn. When redistribution of RIP routes to BGP is

configured, and a route that is learned from RIP has

failed, BGP should send an UPDATE message

containing the withdrawn route to its peers and state

that it is not removing the route entry from the routing

and BGP tables.

112196

12. The /stats/mp/cpu option shows the MP CPU utilization

for one second, the average for four seconds, and the

average for 64 seconds. It takes up to 25 seconds for

the four-second average to get updated properly and

almost 5 minutes for the 64-second average to get

updated properly.

114941

13. The scheduled reboot option /boot/sched is not

supported.

114952

14. BWM statistics are different when used with different

contracts within the same policy. When the user

assigns different contracts for different ports with equal

capacity within the same policy, statistics of both ports

differ even though the same policy is applied. This

means that the number of total packets and discarded

packets varied for two different ports.

114967

15. A new image is downloaded to the image2 slot even

though the instruction was to download to the image1

slot. The new image is downloaded to image 1, but

after being written to the CompactFlash, the images

are then swapped.

114968

16. The upgrade process does not ask the user to confirm

the upgrade after the new image is downloaded.

114987

17. The upgrade process cannot be aborted when the

wrong password is provided. Currently, there is no way

to abort the upgrade process other than waiting for the

idle time out (5 minutes) to expire.

114988

18. The GSLB command /info/slb/gslb/geo (geographical

preference information) does not display the region list.

115002

19. If an image is downloaded to an active bank, the

warning is displayed only after the download is finished

and file writing is aborted.

115009

20. On a 4416 platform, there is a bottleneck on throughput

when DAM is enabled (only 3G can be reached).

115834

21. On a 5412 platform, the link status displays incorrectly

when changing some port parameters.

115899

22. The number of free pports reflected by the commands

/stats/slb/pip and /stats/slb/sp x/pip is calculated for a

single real server, where it should be multiplied by

the number of real servers.

116638

23. Alteon HTTP cache does not respect the range HTTP

header to request only part of an object.

119892

24. Using HTTP modifications with the file type element,

only the replace action is supported. If removing or

inserting a file type (file extension) is required, use the

modification of element of type URL.

119911

25. When a client port is part of multiple VLANs, and

multiplexing is used, the VLAN used in the back-end

connection (to the server) is always the one used to

initiate the connection.

This problem does not exist when proxy IP (PIP) is

done on the egress port, as recommended in

Radware’s best practices for connection management

(multiplexing).

121126

26. With large configurations, the Revert-Apply operation

may fail with multiple errors generated that are related

to a legitimate CLI command that did not succeed.

Workaround: Run the Revert-Apply operation again.

121285

27. Proxy IP (PIP) statistics are available only when

multiplexing is enabled on the virtual service.

121299

28. Jumbo frames are not supported in this release.

121765

29. Fragmented traffic is not supported when accessing

the device management.

134531

30. Alteon legacy content-based switching with delayed

binding enabled does not work with fragmented traffic.

Workaround: Use pbind force-proxy mode.

139880

31. When more than 390 certificates and keys of different

types are configured, accessing the BBI certificate

repository page might cause the device to fail.

142396

32. Overlapping NAT capability is not supported for IPv6

filters.

143690

33. After downgrading from 28.1.x.0 to 26.3.x, the user is

prompted to keep or discard the management IP. Even

if the user answers No, the management IP is saved.

146536

34. IPv6 traffic destined to a directly connected network is

forwarded to the gateway instead of the configured

IPv6 interfaces.

Workaround: Define the local route cache for the

immediately connected network using the

/cfg/l3/frwd/local/add6 command.

152729

35. Passive FTP doesn't work over IPv6

(fixed in 29.0)

155745

36. Highly fragmented connections that include more than

20,000 fragments drop fragments.

121288

37. On Alteon 4408, the power LED does not turn red

when there is a power supply failure.

N/A

38. Live capture (TCPdump) mode is not supported via a

serial console.

N/A

39. When downloading an image, you cannot have the

same image version in both image banks (image1 and

image2). When downloading the same version, the

older image is overwritten by the newly downloaded

image.

N/A

ADC-VX / vADC Specific Limitations

40. MP Virtualization (vMP) goes to 100% utilization VRRP

when using VLAN tag and shared VLAN for ISL. When

this occurs, both vADCs in the HA pair become the

master with or without traffic for a short while.

131075

41. When the device is working in ADC-VX mode,

uploading the global configuration (gtcfg by global

administrator) does not replace existing vADCs with

the ones in the new configuration. Instead, it merges

them. If the uploaded file includes vADC IDs that are

already on the device, the user is prompted to

overwrite the existing vADC configuration with the

imported one.

Workaround: Manually delete all vADCs before

importing a new configuration.

143192

42. When using a script to configure several vADCs in

parallel, the server certificate Generate command

might stop working until reboot is performed.

144673

43. When a vADC is rebooted, it shows an incorrect alert

message saying a throughput limit of 0 has been

reached.

This message should be ignored.

144918

44. An incorrect VLAN ID appears in a warning message

when HAID 0 is used for two vADCs on the same

shared VLAN.

145673

45. If the Global Admin context process restarts, the

user is not able to perform Revert Apply to the last

configuration.

146405

46. When synchronizing the configuration between a vADC

instance running on a 5224 device and a standalone

5412 device that uses different physical ports, a "bad

port" error is received, even after disabling ID ports

synchronization using /cfg/slb/sync/ports.

146570

Related Documentation

The following documentation is related to this version:

Alteon Application Switch Operating System Application Guide version 28.1.11.0

Alteon Application Switch Operating System Command Reference version 28.1.11.0

Alteon Application Switch Operating System Browser-Based Interface Quick Guide version 28.1.11.0

Alteon Application Switch Operating System Troubleshooting Guide version 28.1.11.0

Browser-Based Interface (BBI) Quick Guide version 28.1.11.0

Alteon Application Switch Performance Report version 28.1.0.0

For the latest Radware product documentation, refer to the product CD/DVD that was shipped

with your product, or download it from http://www.radware.com/Customer/Portal/default.asp.

North America

Radware Inc.

575 Corporate Drive

Mahwah, NJ 07430

Tel: +1-888-234-5763

International

Radware Ltd.

22 Raoul Wallenberg St.

Tel Aviv 69710, Israel

Tel: 972 3 766 8666

© 2013 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners. Printed in the U.S.A

