Attach Lp 4-38-01dl Mrn02

North America

Radware Inc.

575 Corporate Dr., Lobby 1 Mahwah, NJ 07430 Tel: (888) 234-5763 International

Radware Ltd.

22 Raoul Wallenberg St. Tel Aviv 69710, Israel Tel: 972 3 766 8666

www.radware.com

LinkProof

Maintenance Release Notes

Version 4.38.01DL September 27, 2011

LinkProof version 4.38.01 Maintenance Release Notes Date: September 27, 2011

Page - 2 -

Page 2

These Maintenance Release Notes describe fixes for LinkProof version 4.38.01DL. These fixes are

part of the official product code, build 2, date September 27, 2011

Table of Contents

Supported Platforms and Modules ............................................................................................... 2 Maintenance Fixes ......................................................................................................................... 4

Fixed in version 4.38.01DL ........................................................................................................... 4 Fixed in version 4.38.01 ................................................................................................................ 5 Fixed in version 4.38.00 ................................................................................................................ 6 Fixed in version 4.37.12 ................................................................................................................ 7 Fixed in version 4.37.10 .............................................................................................................. 11 Fixed in version 4.37.09 .............................................................................................................. 13 Fixed in version 4.35.07 .............................................................................................................. 15 Fixed in version 4.35.06 .............................................................................................................. 19 Fixed in version 4.35.05 .............................................................................................................. 21 Fixed in version 4.35.04 .............................................................................................................. 26 Fixed in version 4.35.02 .............................................................................................................. 31 Fixed in version 4.35.01 .............................................................................................................. 36 Fixed in version 4.35.00 .............................................................................................................. 39

Known Limitations ....................................................................................................................... 40 Supported Platforms and Modules

This version is supported by the following platforms:

Note: This version allows the application software to support multiple boot versions. The config.ini

file defines the lowest boot version supported (BootRomVersion) and the highest boot version

supported (BootRomVersionInPackage). If the current boot version on the device is within these

parameters, no boot upgrade is required.

Platform Lowest

Boot

Version

Highest Boot

Version

Notes and Exceptions

Application Switch 1 4.53 6.01 For Application Switches 1 and 2 with a

SynApps license, it is recommended to use

256MB with this version. Large BWM

and/or Application Security configurations

that fit in 128MB in previous versions might

require 256MB with this version.

When upgrading Application Switch 1 from

version 4.21.02, boot upgrade is required.

Use the following procedure:

1. Reboot the device, stop at the

countdown and download the new boot

Application Switch 2 4.33 6.07


Page - 3 -

Page 3

Platform Lowest

Boot

Version

Highest Boot

Version

Notes and Exceptions

version via CLI.

2. After the new boot is uploaded to the

device, type ' @ ' (do not reboot the

device or change any dip-switch).

3. The device loads the old boot file –

4.5x and the old software version

4.21.02. Using CLI or Web Based

Management, upgrade the device by

sending the .tar file.

4. Once the process ends, the following

message is displayed in CLI :

Please toggle DPSW 1 to

select another boot bank.

Reboot will be performed.

5. Change dip-switch number 1, without

turning off the device.

The device reboots itself automatically and

uploads with the new boot and the new

version.

Application Switch 3 6.04 6.04

Compact Application

Switch

1.3*, 1.4** 6.012 * Only when upgrading from 4.30.

** Before starting the upgrade procedure

from version 3.81.0x, the boot EPROM must

be replaced with boot EPROM version 1.4

or higher (it is recommended to ask for the

highest boot version supported by the exact

bug fix version you are upgrading to).

Contact the Radware ordering department

for this. If you are upgrading from version

4.30, no boot change is required.

For upgrade from version 3.81.x the lowest

boot version to be used is 1.43.

For more information on platform specifications, refer to the Installation and Maintenance

Guide.


Page - 4 -

Page 4

This version includes the following modules:

Module Supported Version Notes and Exceptions

Application Security

(IPS, DoS and

BDoS)

3.402154

APSolute OS 10.03-01.10

Other 11.05.03 Network Driver

This version is supported by APSolute Insite version 2.85.02 and later.

Maintenance Fixes The following is a cumulative list of bugs fixed since the release of version 4.38.01DL.

Fixed in version 4.38.01DL

Item Description Bug ID

1. The trace-route command returned incorrect times 60363

2. Port Rules were not kept in configuration download from the device. 89618

3. Client couldn't create more than 10 local users in the user table, although

100 users were supported. 86831

4. While LinkProof encountered two routers who shared the same MAC

address the device crashed with the error: 'not correct FW physical addr

table index.' 122394

5. LinkProof stopped sending NTP client update requests after a valid SNMP

trap was sent to the device 131095

6. LinkProof crashed when using BWM .

The issue was identified as an unreleased memory buffer. 128295

7. When working in Redundancy modo (VRRP) after a failover (preemtion

was enabled), when the master device came back online it didn't send G-

ARP . arp-interface-grouping was set to 'avoid' 128681

8. The device crashed after the command 'redundancy vrrp trap-associated-id'

was issued from console. 131256

9. When a Health Monitoring binding configuration was created,

automatically created health check were available for binding . Binding

them caused on some occasions errors since the HC could have been

removed reboot. The behavior was fixed. 135788

10. Ping with Source option is not working and is replaced with default

gateway option. 139547


Page - 5 -

Page 5

Fixed in version 4.38.01


11. In a VRRP configuration, the ARP cache of the primary LinkProof

displayed its own VRID MAC Address. As a result, LinkProof stopped

forwarding traffic to the NHR. 77358

12. In version 4.37.11, LinkProof was accessible to SNMP traffic, although it

was explicitly blocked on specific interfaces via the security interface. 78615

13. In versions 6.1.0.01 and below, when LinkProof responded to an the

inbound DNS query, the response DNS packet carried the incorrect

corresponding VLAN tag ID. 78871

14. When working with SmartNAT in a full Class C range, the configuration

was changed to include a specific No NAT IP address. The No NAT

configuration could not be added until LinkProof was rebooted. 80417

15. When configuring application grouping through WBM, if the client table

mode was set to Layer 3, LinkProof generated the wrong error message. 82593

16. In a VRRP configuration, the primary LinkProof displayed the console

message "ICMPP_prtunrch_reply_ind: no buffer to send to a user", and then

after a while froze. 83673

17. After upgrading from version 4.35.07 to 4.37.12DL, the secondary

LinkProof did not respond to the primary ICMP requests, and vice versa. 84154

18. After upgrading from version 4.35.07 to 4.37.12, LinkProof used an

incorrect MAC address to respond to a packet coming from internal clients

that were accessing a VIP on LinkProof. 84344

19. In version 4.37.12 AS3, when passing FTP control traffic in passive mode,

the internal IP address of the server, instead of the public IP address, was

sent to the client within the payload. 85230

20. On LinkProof AS3, using FTP active mode inbound sessions handling and

the accelerator was enabled, in some cases the data session went to a

different NHR than the one the control session came from. 85362

21. When LinkProof stopped responding to ICMP requests, LinkProof reached

its NHR Tracking Table size limit, and then crashed. 86104

22. When downloading a LinkProof configuration via the CLI and uploading

the same configuration to an identical device, LinkProof generated the

following console error: "Error 07 in loading configuration - variable

number 01 of SNMP packet 637, variable name rsMLBSubnetSrvrStatus".

The error was related to the grouping policies setup on LinkProof. 89839

23. When creating a destination grouping rule using APSolute Insite version

2.89, the message "Error in MIB label " was generated in APSolute Insite.

This error did not occur using WBM. The bug was on identified in

LinkProof and not in APSolute Insite. 90975


Page - 6 -

Page 6



24. When trying to add application port grouping rules, the message "Resource

Unavailable" was displayed, even though source and destination grouping

were working as expected. 97041

25. When using SmartNAT with Dynamic NAT, LinkProof did not rewrite the

source MAC address when it received a response from the NHR. 106484

26. When creating one BWM policy rule for FTP sessions with the name of

''ftp'', a 'Generic Error" was displayed in WBM, and LinkProof then crashed

and rebooted. 119083

27. When a DNS AAAA record request was sent to LinkProof, and the record

existed as an A record, LinkProof responded with a "Record Doesn't Exist"

message with the Authorization not being set in the Answer. This resulted

in the request being discarded by DNS Servers as "Lame Delegation". The

behavior was fixed to include the AA Flag. 120761

28. When using application grouping, when creating an incorrect application

port entry, the error message was misleading and displayed an illegal port

range. 128890



29. When configuring Application Grouping using WBM, the value 65535 had

to be used to mean "other." The fix included adding the "other" option to

represent any non-explicit value. 21457

30. IP address entries in the IP Fast Forwarding Table (IPFFT) that did not

belong to any of the device's interface IP networks were not cleared

when these addresses were later used in configuring LinkProof. 22185

31. When multiple default gateways were configured, only the gateway that

was currently in the routing table could be deleted. 29866

32. Using RIP, the default value for AutoSend was set to Enabled, which

should have been set to Disabled because AutoSend is not standard as per

the RIP RFC. 42558

33. When reading the values of the octet counters from the following OIDs, the

OIDs generated incorrect 64bit numbers:

1.3.6.1.2.1.31.1.1.1.10.1 = Counter64:

1.3.6.1.2.1.31.1.1.1.10.2 = Counter64:

1.3.6.1.2.1.31.1.1.1.6.1 = Counter64:

1.3.6.1.2.1.31.1.1.1.6.2 = Counter64: 56992


Page - 7 -

Page 7



34. In version 4.37.10, when a static route was added and a metric defined, the

static route could not later be deleted. 70826

35. After tuning the device, LinkProof did not correctly check if enough

memory was available for an application to run. 73010

36. When working with VRRP, the ARP Table incorrectly included the VRID

MAC address of its own associated addresses. 77358

37. When issuing the command "system device-info", the output included

incorrect information for device registration. 78848

38. On an Application Switch 3 platform, LinkProof did not change the TCP

sequence number correctly for active FTP sessions. 80167

39. When using Destination Grouping, if you deleted a destination group, or set

the recovery or grace timers to values > 0, the device rebooted. 82594



1. The help display for 'lp global connectivity-check method help' was

incorrect. 09578

2. The CLI ping command did not have a help display when no flags were

added. 09799

3. For versions 4.35.04 and 4.35.05, the device had to be rebooted for the

Selective Interface Grouping feature to start working. 20983

4. For versions 4.3x, the CLI command 'system device-info' displayed

incorrect CPU information. 30686

5. In WBM, when changing the Static NAT configuration of existing entries

from Regular to Backup, and vice versa, the Submit button was missing

from the pane. 35986

6. On Application Switch 2, when issuing the CLI 'net l2-information"

command, the wrong information was displayed showing an '@' instead of

the port numbers. 36355

7. On Application Switch 1, when issuing the CLI 'system device info'

command, the Media Type was incorrect. It should have been "on board

flash" as the Application Switch does not have a Compact Flash. 36744

8. For version 4.35.07DL, a static NAT entry was mapping to an interface IP

even though static NAT was not working correctly. 43177

9. On Application Switch 2, during an SNMP task while receiving a

configuration upload, the device crashed. 53762

10. When working with Health Monitoring HTTP health-checks, LinkProof

received the HTTP response code 411 for the HTTP POST health-checks. 54007


Page - 8 -

Page 8



According to the RFC, a Length Header must be included in the HTTP data

in the POST request, but LinkProof did not include it.

11. When editing or creating the destination IP in the Client View filters table,

the Client View did not find the correct matches when checking the filtered-

client-table. 54813

12. When editing an existing View Filter for the Client Views destination IP

resulted in the following error: "setting the vlan tag field must be in range

..." 54834

13. On an Application Switch 1 Alterra device using LinkProof Build 26 and

where there was only one port, auto-negotiation was set to "off" but

immediately reverted to "on."

Setting the physical port Auto-Negotiation to 'off' resulted in the changes

being accepted and the Auto-Negotiation configuration immediately

reverting to 'on'. 55993

14. When working in out-of-path mode with no Client Table, if a fragmented

packet entered the device from a different port than the port of the original

fragment, it was forwarded to same port as the original. In some cases, this

caused traffic loops. 56074

15. After upgrading from version 4.37.07 to 4.37.10 and using a redundant

configuration (where the device had multiple associated IP addresses),

when the Master device regained control, the Backup device kept trying to

become the Master. 56088

16. When working with APSolute Insite version 2.70.17DL (build 22) in order

to copy the configuration, SMTP and NTP settings switched back to the

default configuration after the copy. 57102

17. On a CAS platform, after upgrading from version 4.35.04 to 4.37.10,

enabling Any-Any Bandwidth Management rules dropped all of the VPN

tunnels. 57106

18. Health Monitoring Module started toggling up and down after the device

was up for 248 Days.

57376

19. After an upgrade from LP 4.21.07 to LP 4.35.07 Health Monitoring

parameters changed (Check Interval). 57589

20. When working in redundancy mode (VRRP) and the primary device took

over from the secondary device, after a short period the primary device

crashed and rebooted. 57712

21. On an Application Switch 3 platform, when working with VIP and NAT

(NHRs and Firewalls), packets were not forwarded correctly (ACK and

SEQ fields in the packet were incorrect), resulting in a broken session. 58000

22. When creating or deleting a Client View entry, the device froze and 58075


Page - 9 -

Page 9



crashed.

23. When using a configuration with High Availability (two LinkProof devices)

and a Virtual Tunnel was created, the Backup device froze while retrieving

remote LinkProof information. 58754

24. Device froze after 248 days of operation. 59798

25. When using a configuration with both VIP and NAT, when for a specific

session the accelerators were enabled, the PASV FTP sessions were broken

due to miscalculations in the ACK and SEQ fields. 59942

26. When working with Virtual Tunneling with one NHR configured as the

Regular server and another NHR as the Backup server, and using the hash

dispatch method, traffic did not return to the Regular NHR after it entered

the Backup. 61075

27. The 'rdwrClientsTableNumEntries' OID in the Radware MIB file was not

available on the device. The MIB that was monitored was checking the

number of active entries in the Client Table. 61684

28. When working with Virtual Tunneling, the tunnels continued using the

Regular-Backup or Backup-Backup configurations and did not switch back

to a Regular-Regular configuration even after the Regular NHR came back

up. 61727

29. For version 4.37.10, when initiating a Port Scan, the scan showed port 21 as

open, even though FTP services were disabled on the device. 61866

30. On a CAS platform, when working with VPN, ping packets erroneously

passed through the interface which had been administratively brought

down. 62707

31. When working with VRRP, traffic was sent to the device's virtual DNS IP

according to the VRRP MAC address.

When the device port which was blocked and reset (as configured in the

Bandwidth Management policy), the reset contained the wrong MAC

address (the MAC address of the incoming packet.) 63152

32. In version 4.37.11DL (Build 34), when copying the configuration using

APSolute Insite 2.73.21, the VRRP trap summary was changed from "off"

to "on". 63836

33. The CLI command "redundancy vrrp msg-per ip" is no longer in use and

has been replaced by the command "redundancy vrrp trap-associated-id". 63859

34. On Application Switch 2 platforms, when issuing the "system config

immediate" command, the device crashed. 64295

35. When working with Virtual Tunneling and a link was configured as a back

link, the tunnel was configured to be Backup-Backup but LinkProof

erroneously recognized it as Active-Active. This resulted in the Default

Gateway destination grouping configuration to erroneously behave as if it 64344


Page - 10 -

Page 10



were Active-Active.

36. On an Application Switch 3, in FireProof version 3.37.10, the picture of the

device displayed on the WBM interface was 2U although the device was

actually a 1U Application Switch 3. 64457

37. When changing DNAT tuning from Device -> Tuning, the memory check

did not correctly calculate the remaining memory after the tuning change. 64561

38. When setting the RADIUS timeout from Services-> RADIUS-> Timeout,

the timeout value could not be set and the device crashed. 64739

39. LinkProof did not allow creating more than 11 NHRs when the Proximity

Status was set to enabled. The limitation is now fixed, and proximity is only

checked for the first 10 NHRs. 65273

40. The error "REAG_buf_alloc: unable to allocate buffer" was changed to

appear only when Debug level 64 is set. 65474

41. When working in a redundant configuration with VLAN Tagging, the

Backup device took over from the Main device stopped tagging packets. 66948

42. When setting the LPB Port 1 to "auto", it still remained set to "auto off".

On CAS platforms, Port 1 showed a status of Auto-Negotiation set to

"Auto" even after it had been set to "Auto-Off" . 67511

43. On an Application Switch 1 platform, when the LPB was in status IDLE,

when a remote server attempted to start the IPSec, the LPB debug message

"No ISAkMP_SA" was issued.

On a CAS platform, every time the VPN went into IDLE status and the

remote sites tried to re-establish the VPN tunnel with it, a new IPSec SA

started (even with no timeout on the original IPSec SA). The result was the

error "no ISAKMP-SA" on the CAS. 68307

44. When loading the configuration file, the BER certification was incorrect.

After uploading the configuration file from LinkProof and then trying to

send it back, the error message "Error 07 in loading configuration" was

generated. 70695

45. When proximity was configured for 'Full Proximity - Both", it did not work

properly and the Dynamic Proximity table remained empty. 72438

46. When working with cluster servers and trying to delete a cluster, the

message "deleted successfully" appeared, although the cluster server was

not deleted. (For MIB change please refer to the Release Notes) 73576


Page - 11 -

Page 11



1. After configuring and updating BWM policies (with the device in

transparent mode), the device froze.

30471

2. Using Mirroring, when an entry was deleted on the primary device, the

entry was not updated on the backup device.

30693

3. While upgrading from version 4.21.00 to 4.35.06, if there was a

destination grouping in the configuration, the device crashed and

rebooted.

30695

4. On Accelerated Platforms, when the accelerator was enabled the first

packet from the local server was sent without NAT.

30696

5. After removing all the interfaces from a device and rebooting it, a fatal

error occurs along with an error message.

31622

6. When a virtual IP was configured for the device interface, some health

checks for virtual tunneling failed.

34081

7. Configuring some IP addresses in the routing table caused those entries

to be deleted due to a problem with the way the device reads the IP

address.

34165

8. When working with both virtual DNS IPs and virtual tunnels, some of

the tunnel checks failed (CAS).

35472

9. While trying to change VRRP fields when VRID was active, the

resulting message was not informative enough.

36317

10. Some network ranges could not be accepted by Dynamic NAT local IP

ranges. The error message "The parameter 'To Local IP' must be an ip

address" was generated.

41436

11. When DNS for a local client was enabled and checksum was disabled, if

the device received a DNS packet with a checksum of 0, it changed the

checksum instead of ignoring it.

41616

12. While using SSH to manage the device, all management access

(HTTPS, SSH, Telnet, HTTP, Serial) froze. However, the device

continued to process packets.

42048

13. In VPN Configuration when a VPN rule to a specific host was defined,

the new rule did not work. The problem was related to the /32 mask

defined on the host. (CAS Platform)

42049

14. After configuring destination grouping and adding a destination Health

Check, the Health Check failed. The device needed to be rebooted for

the Health Check to succeed. (All Platforms)

42094

15. When a configuration file containing an illegal source or destination IP 42168


Page - 12 -

Page 12



in a BWM policy was uploaded to the device, the device crashed during

boot. As part of the fix, the policy is now not loaded and a warning is

issued at boot time.

16. When the fragmentation table reached its limit, a notification message

was issued only once. As a result of the fix, the message is now issued

every 20 seconds if fragmentation reoccurs. (All Platforms)

46914

17. In a VLAN configuration with NHR, the MAC address of the NHR was

missing from the Client table.

47012

18. When working with proprietary redundancy after the main device

rebooted and took over the main position the device did not forward

traffic as expected.

47014

19. When viewing the Client Table in WBM, the CPU reached 100%

capacity.

47093

20. When fragmented traffic passed through the device and the

fragmentation table was not large, the device Throughput was much less

than expected (CAS)

47451

21. When using the FTP passive command and either a NAT or VIP was

changed, during retransmission the device handled the TCP sequence

and ACK numbers incorrectly.

47642

22. When NAT was enabled and traffic was set for a specific NHR, if the

'exclude static NAT' flag was disabled, the NAT translation was to an

incorrect NHR. (All Platforms)

48058

23. When NAT was enabled and the 'exclude static NAT flag' was disabled,

traffic was sent to a specific NHR, but the NAT translation was set to a

different NHR. (All Platforms)

48059

24. When processing VPN traffic, when ICMP was forwarded to the device,

the device crashed. (CAS)

49091

25. While opening an SSH & SNMP session concurrently, the device

console froze, but the device continued to process packets. (AS2)

50162

26. Under the following conditions, the device crashed:

- ARP table clean (after the device was booted or a manual cleanup)

- ARP Aging time is very short

Unknown ARP requests were put in the 'ARP waiting list'. The device

started to lose buffers until it crashed. (All platforms)

52293

27. After issuing the 'manage management-port' command from the CLI, 52301


Page - 13 -

Page 13



the device froze.

28. When a session began with the first packet sent by a server, the

“application-aging-time” was calculated incorrectly according to the

source port instead of the destination port. This resulted in various

sessions disconnecting as these sessions used the global aging time

instead of the configured aging time. The problem was identified on MS

Terminal Server connections (RDP - TCP port 3389)

53930

29. LP device did not respond to Telnet command (Insite and WBM were

still working)

53767



1. While trying to download the configuration file to LinkProof in BER

format, the download aborted.

43867

2. In VLAN configuration with NHR, the MAC address of the NHR was

missing from the Client table.

47012

3. If Switch VLAN configuration was applied, the operational status

remained UP even though the VLAN ports were down.

47716

4. When NAT was enabled and the 'exclude static NAT flag' was disabled,

while traffic was sent to a specific NHR, the device performed NAT

translations according to a different NHR.

48059

5. When processing VPN traffic, when ICMP was sent to LinkProof it

crashed. CAS platform.

49091

6. The LinkProof Device console froze while opening an SSH & SNMP

session concurrently, and the device continued to process packets.

50162

7. When using RIP with a basic configuration, the device crashed. 19215

8. When Mirroring was activated in VRRP configurations (AS3), the

device crashed and rebooted.

20952

9. While handling VPN session with fragmented traffic, the device

crashed.

25938

10. When using VPN, the device froze after several hours of operation. 26129

11. When Mirroring was used, both the primary and backup devices

crashed.

26539


Page - 14 -

Page 14



12. While using mirroring, the primary device crashed. 26540

13. NTP configuration was not saved after loading the configuration file to

the device.

27695

14. While in VRRP mode. When the main device reboots, the mirrored

entries were not copied to the backup device.

30694

15. On Accelerated Platforms when mirroring was enabled, the backup

device reached high CPU usage.

30697

16. When virtual tunneling was used, when one of the NHR's modes was

changed (from backup to regular, or vice versa), the NHR mode was not

updated.

31088

17. After upgrading from version 3.81.06 to 4.35.04 using Insite, the device

crashed.

32969

18. After 'more-prompt' was enabled, when displaying more than one page

on the terminal, the actual behavior was as if it was disabled.

37641

19. When trying to add a Remote Station entry to the Remote Station Table

while using virtual tunneling, the device crashed.

37708

20. When VLAN Routed Redundant configuration and Interface Grouping

were enabled using Proprietary Redundancy, the device did not respond

to an ARP request. (All Platforms)

39842

21. When the command "system device-info" was initiated, the device

crashed. (Application Switch 1,Application Switch 2, and CAS )

41210

22. LP Version 4.35.07 (all licenses) BWM did not classify traffic that was

destined for the device IP itself.

43786

23. While trying to download the configuration file to the device in BER

format, the download aborted. (CAS Platform)

43867

24. VRRP had to be configured on the master device before it could be

configured on the backup device.

46145

25. When NTP was enabled, the following message was displayed

"WARNING Connection to NTP server timed out". The device then had

to be rebooted (All platforms)

47320

26. After issuing the 'system paste-config start' command in CLI, the device

froze.

51338


Page - 15 -

Page 15



1. When AAAA query is received by LinkProof, the UDP length of its

reply was miscalculated and set to indicate 3 bytes longer payload.

19865

2. When a TCP proximity check failed, the device sent the check through

different NHRs but using wrong parameters, causing insertion of wrong

latency value in the proximity table.

26175

3. It was not possible to block or limit access to the device Virtual DNS or

Remote Virtual IP address. Please note that now BWM policies are

applied to all device IPs as well (Virtual DNS, Remote VIP or interface

IP) and use of “Any to Any” block policies can prevent access to device

management as well.

09819

4. In configurations where RIP is enabled, routing between two class A

subnets did not work properly.

09701

5. When BWM module used per-session classification mode, the policy

statistics were incorrect

9892

6. In VRRP redundancy configuration, when the main device failed and

than came back up it took over all VR IPs before the backup device had

a chance to mirror its client table to the main. This caused some of the

current active sessions to fail.

19103

7. Trace route command from the device, destined to a network for which

a static route entry existed, would go out via the default gateway NHR

when ping health checks were configured for this NHR, instead of the

NHR configured in the static route.

24947

8. The WBM device zoom was missing for Application Switch 2 - Dual

Power Supply.

25876

9. When Application Switch 3 worked with remove at session end

parameter enabled, it would occasionally send FIN/RST packets to

clients.

22915

10. In a redundancy configuration where the management port is excluded

from interface grouping, if no access via the management port was

attempted before a interface grouping is activated on the device (due to

a failed interface), once interface grouping was activated no

management access was available, though management port did not

participate in interface grouping.

25399

11. After a device reset previously configured Destination Health Checks

would fail.

19898

12. Device upgrade via TFTP (from Insite) would occasionally cause fatal 10481


Page - 16 -

Page 16



error and the device reboots.

13. Occasionally the device would forward sessions without Dynamic NAT.

This occurred on Application Switch 3 only.

18515

14. LinkProof Branch with VPN license would in certain instances crash

when it received fragmented IPSEC packets.

19802

15. The values of an NHR warm-up and recovery time were not visible in

the output of the system config command.

24367

16. Device sent ARP requests with VLAN MAC as the sender MAC

(instead of the physical port's MAC address).

22748

17. OSPF multicast was dropped causing OSPF protocol to fail. 24907

18. Device would sometimes crash when configuration was downloaded

from the device via TFTP.

10165

19. Device would occasionally crash when deleting an IP VLAN while

under heavy traffic.

20003

20. Software upgrade to version 4.35.07 on an Application Switch 1 version

2 platform, required entering a password from the console.

24221

21. NAT was not performed for passive FTP sessions where the FTP server

replied with passive mode entered and not entering passive mode.

25722

22. When user attempted to delete an NHR that was defined as default

gateway for the device the message provided was unclear as to the

reason why this command fails.

27386

23. When an FTP control session packet with destination address an LP

Dynamic NAT IP arrived and its destination port that was already

allocated to an ICMP session, the device would crash.

9580

24. Application Switch 3 would occasionally crash under heavy traffic with

the message "Fatal Error: REAP_dsptchr_clnt_tbl_add_entry -

inconsistent client data" due to error in clearing client table entries.

Application Switch 3 devices crashed after 248 days, 13 hours, 13

minutes, 50 seconds due to overflow of timer.

9709,

23541

25. "Device would crash when the "snmp get

rsMLRBRNatHealthmonitoroperstatus.0" command was performed

from a MIB browser.

20381

26. Dynamic arp table entries were deleted before the aging time if the arp

table aging time was set to values greater than 21,000,000 seconds.

27711

27. The device crashed if user tried to attach IP address to a non-IP VLAN 27577


Page - 17 -

Page 17



interface.

28. Generic fixes

Fixed in Generic 10.02-00.15:

a. Health monitoring module did not allow configuring health checks

with an empty password.

b. When TCP User Defined health check was in used, received packets

with binary matching were not matched correctly

c. In some cases, when HTTP or HTTPS check was in use and all the

check's arguments were configured, it was not possible to edit the

argument.

d. When multiple health checks with ARP method was configured with

the same destination IP address it was not possible to delete any of

them.

e. The device did not notify to reboot the device via telnet and SSH

when a status of features which requires reboot was changed. The

device notified only via the serial console.

f. In some Read-Only tables, the device displayed a "Delete" column

with an option to mark entries for deletion in the Web Based

Management.

g. In some cases the device did not displayed the "Set" button in the

Web Based Management.

h. Occasionally if the user tried to download a configuration file via

WBM, the download process would abort and the following error

message would appear: "tcp:no more packets".

i. Occasionally after sending a script via a Telnet session to the device,

the Telnet session would disconnect and the following error

messages would appear: "tnp_text_handler: No buffers. Text

discarded".

If the user then tried to reconnect to the device via Telnet the

connection would not succeed and in the following error message

would appear: "TELNET: New server connection refused. No

buffer".

j. Occasionally, when trying to download the support file via WBM,

only part of the file would be downloaded.

k. Occasionally, logins to Telnet, SSH or WBM were reported to the

console.

a. N/A

b. N/A

c. N/A

d. N/A

e. N/A

f. N/A

g. N/A

h. N/A

i. N/A

j. N/A

k. N/A

l. 23770

m. N/A

n. 23541

o. 21716,

22354

p. 23334

q. 23018

r. 28242


Page - 18 -

Page 18



l. Occasionally, when the user tried to connect to a device with

HTTPS (secure web), a regular HTTP page would appear.

m. In some cases, when the uses accessed the check table via any of the

management interfaces, the device crashed.

n. After 248 days, 13 hours, 13 minutes, 50 seconds there would be a

fatal error regarding the tAxlUtils causing the device to crash.

Fixed in Generic 10.02-00.16: o. On LinkProof with DHCP Client, when a NHR IP address was

updated, the health check still used the old IP Address of the NHR.

p. SNMP vulnerability fix: SNMP packet with very long community

string to the management interface causes a nested fatal error:

Fatal Error Version 3.00.00 (Jan 24 2006, 23:28:21):

Exception vector number: 0x300

Pointer to exception stack frame: 0xaecf0e8

Program counter: 0x778158

Machine state register: 0xb030

Data access register: 0x399636c5

Data storage interrupt status register: 0x40000000

NESTED FATAL ERROR (exception)

NESTED FATAL ERROR (exception)

q. Occasionally, the device crashed with the following fatal error:

Fatal Error:

Fatal Error Version 8.20.03 (Dec 27 2004, 10:11:59):

Exception vector number: 0xc00

Pointer to exception stack frame: 0x3412268

Program counter: 0x264340

Machine state register: 0xb030

Data access register: 0

Data storage interrupt status register: 0

Date: 09-06-2005 11:12:47

Task Name : SNMP

09-01-2006 03:59:37 ERROR RADP_send_radius: Function failed.

09-01-2006 03:59:41 ERROR RADP_send_radius: Function failed.

Fixed in Generic 10.02-00.17: r. When OMPC or Content searching BWM rules were configured on

Application Switch 3, all the traffic was processed by Master CPU,


Page - 19 -

Page 19



causing device crash when CPU reached 100% utilization.

29. BSP fixes:

a. Creation of a new directory in the file-system using the CLI

command "system file-system files mkdir" and a wrong path name

caused the device to freeze.

b. During the software upgrade and using a TAR file of an incorrect

platform the upgrade failed with no error message. A new test is

now done in order to verify that the TAR file matches the hardware

platform.

c. Starting BOOT version 6.06 Application Switch 2 supports

automatic boot PROM burning during the software upgrade process.

Notes:

º In order to be able to perform automatic upgrades to AS2, BOOT

6.06 must be burnt manually. Upgrading from 6.06 to future

versions will be done automatically.

º Automatic Software upgrade supported on hardware revisions

4.45, 4.50 and above.

d. After stopping the INIT of the Application Switch 3 device and

choosing to load the application from the compact flash, the device

generated the following error message: "Invalid value 1 for the

NewApplication".

a. 18348

b. 12419

c. N/A

d. 19447

a. 8

2

4

2

30. Fixed in IDS 1.53.20:

The summarized security log doesn't display the right info when

multiple source IPs are used. In addition source IPs of heavy attacks are

displayed inaccurately.

N/A

31. VRRP configurations with VLAN did not work properly due to the fact

that when the main device failed and the VLAN was disabled (interface

grouping) the physical ports of the VLAN were not physically

disconnected. The switch to which physical ports of the VLAN interface

were connected did not clear its MAC tables and continued to send

traffic to the main device though it had become inactive. To fix this the

Force Port Down feature was added. Please see the relevant section in

the user guide for details and limitations.

N/A




Page - 20 -

Page 20



1. In certain circumstances when LinkProof Branch used VPN that

required packet fragmentation assembly

N/A

2. In certain circumstances when LinkProof in VRRP configuration is

switching master appliance

N/A

3. New look support. Version 4.35.06 provides support for Radware

appliances new look design. This version is backward compatible with

old look as well. The following changes were done in this version:

a. The Synapps phrase was replaced with the phrase "BWM, IPS", in

all the management applications (CWI, Web, CLI).

b. In the CLI the term "License code" was changed to "License Key"

c. New licensing text is introduced. Instead of the word Synapps, the

words BWM, IPS will appear. For example if you had an LP license

that looked like lp-synapps, it will be replaced by lp-bwm-ips.

d. In CWI and the Web, new look gifs will be seen if the appliance is

of new look design.

N/A

4. Generic libraries fixes:


a. If a Path length + attack database file name length was above 106

characters the TFTP upload via Insite did not work and the

following error message appeared - "File too long".

b. When a request to download a configuration file that didn't exist to

the device was preformed, the device sent a read request to the

server. When it got the response "file doesn't exist", it sent a write

request with the same name, causing the file to be created.

c. In case a field in a MIB contained strings with %X (%s, %d, etc) the

device would crash when the CLI command "system config

immediate" was executed.

d. A capture of an SSL session could not be analyzed when a Diffie-

Hellman key exchange scheme was in use - due to it involving

random seed numbers. Current version supports only the RSA

scheme.

e. New Basic filters are now available for the P2P group: Baidux, Poco

and PPlive

f. In some case, enabling Bandwidth Management Statistics Collection

caused the device to generate a generic error message.

g. When multiple health checks with ARP methods was configured

a. 9820

b. 18334

c. N/A

d. N/A

e. N/A

f. 19653

g. 19813

h. 19783

i. N/A

j. N/A

k. N/A

l. N/A


Page - 21 -

Page 21



with the same destination IP, some checks passed and some failed.

Starting this version it is not possible to configure more that a single

ARP check with the same destination IP address.

h. When multiple LDAP health checks were configured, after

rebooting the device all the LDAP checks, except the last check,

failed.

i. After a configuration file was sent to the device via TFTP using the

CLI command "manage tftp config-file get" the device did not notify

once the download was completed.

j. The device accepted any illegal IP address/Mask and changes it on

its own after pressing the "SET" button on the WBM.

k. When a malformed configuration file was send to the device the

software upload failed and it was not possible to send a new

configuration file to the device.

l. In some cases the device did not accept HTTP connection (for

device management) even if Web Based Management was enabled.

Disabling and enabling Web Based Management did not solve the

problem.

5. Application security fixes:

Fixed in IDS 1.51.16:

a. In CLI, when typing the command „security alerts-table get 0‟

(index=0) the device used to print an empty alert, instead of printing

the error message „no such instance or wrong value‟.

b. When updating a new signature file that included new attack groups,

the new groups did not appear till device was rebooted.

N/A



1. Occasionally device crashed due to client table mirroring problem. 1168

2. When forwarding ICMP unreachable messages, whose original packet

had data, the device set incorrect ICMP header checksum, causing MTU

problems.

1740

3. When RIP is enabled there is wrong routing for whole class A IPs (or

1st prefix IPs) when specific route with same prefix is statically defined.

1686

4. For device in static forwarding configuration, when attacks with the IP 1667


Page - 22 -

Page 22



header bigger then 20 bytes (has timestamp in the IP option) occurs, the

attack is not matched by Application Security.

5. The device changed the sequence number of retransmitted TCP packets,

and therefore the TCP packets got out of order.

1604

6. One trap settings did not work on "WARNING Routing to

NextHopRouter x.x.x.x is problematic” messages and therefore separate

messages were sent for each occurrence.

1513

7. Fixed in Network Driver: Application Switch 2 device dropped packet

with Ethernet type 0x9000.

N/A

8. Fixed in Network Driver: When copper GBICs were in use on

Application Switch 2 with 7G, in some cases the device recognized the

links as down, but traffic was forwarded successfully.

N/A

9. It was not possible to configure OSPF interfaces metric via WBM or

CLI, only via Insite.

1281

10. Device crashed after entering the command net ospf parameters lsa 1821

11. When an FTP control session packet with destination address a LP

Dynamic NAT IP arrived and its destination port that was already

allocated to an ICMP session, the device would crash.

N/A

12. In certain instances, problems with client table mirroring of FTP

sessions (redundant configurations) occurred, creating inconsistencies in

the client table and causing the device to crash.

N/A

13. Basic NAT range was limited to 70,000 entries; it has now been

increased to 224

-1.

N/A

14. Via CLI illegal configurations of Basic NAT were allowed, causing

device failure after reboot event.

N/A

15. When using DNS health checks, if the DNS response contained 2

answers (CNAME and A record), a fatal error would occur.

N/A

16. Qmail servers would discard the mail alerts (traps) sent by the device. 1512

17. Support for license that limits throughput to 100 Mbps was added. This

license is available on Application Switch 1 only.

N/A

18. Fixed in Network Driver: Application Switch 1 version 2 supported

both cross and straight cable. Starting this version, Application Switch 1

version 2 supports only crossover cables.

N/A

19. Fixed in Network Driver: Application Switch 2 lost synchronization

with copper GBICs upon reboots.

N/A


Page - 23 -

Page 23



20. Fixed in Boot: In some cases, after upgrading from Pre-File-System

version to File-System version the Application Switch 1 device lost its

license.

N/A

21. Fixed in Boot: In case the command "system file-system copy-to-flash"

was executed with invalid index on Application Switch 2 or Application

Switch 3, the device erased the internal flash.

N/A

22. Fixed in Boot: A new protection is now available to protect uploading

incorrect files when burning the BOOT file on Application Switch 2 and

Application Switch 3.

N/A

23. Fixed in Boot: When downgrading the device to lower versions,

Application Switch 2 and Application Switch 3 did not erase the old

software versions from the compact flash.

N/A

24. Fixed in Boot: The Application Switch 3 device displayed incorrect

hardware version under "system device-information".

N/A

25. Application Security fixes:

Fixed in IDS 1.51.16:

a. Configuring 10 security policies or more caused the device to crash.

b. When adding or removing attacks from a policy that includes a user-

defined attack, the device reported an error "couldn't delete dummy

classification entry"

c. Update Policy command performed via Configware Insite could

cause device to crash.

m. 1620

n. N/A

o. N/A

26. Telnet session hung up when a large client table was displayed. 1618

27. Dynamic host name definition was recorded in the configuration as a

regular host name entry with corrupted URL.

1672,

1677

28. DNS for Local Clients capability was not working when the request

source and destination UDP ports were the same.

1777

29. If the length of the Virtual Tunneling remote service name was longer

than 14 characters the device sent the following messages:

"Problem in create tunnels" / "Tunnel health monitoring description

problem (1)". The supported length was increased to 20 characters.

1764

30. Could not add VLAN tag to a VLAN interface. 1825

31. Vlan Tag max value (4095) could not be set. N/A

32. The options date and time were missing from the system CLI menu. N/A

33. If device reboot was performed after date/time change a warning N/A


Page - 24 -

Page 24



message appeared.

34. When adding a VPN rule via Insite, the following message appeared on

CLI: "Problem to get the next tunnel entry: remote service not match”.

N/A

35. A message was received on LinkProof Application Switch 3, software

version 4.21.07, that the number of free client table entries is larger than

the total number of client table entries configured, followed by device

crash.

1698

36. When upgrading the device via Configware Insite, the password was

verified only after the file was downloaded to the device, now it is

verifying the password at the beginning of the process, to save time in

case of incorrect password.

N/A

37. 802.1q environment support (VLAN environment) could not be enabled

(after reboot, the functionality would still be disabled).

1780

38. Destination health monitoring functionality did not work – automatic

health checks were not created causing a loop after first device reboot.

1675

39. Personality change for NFR units (not for resale) between products such

as DP to LP is problematic.

1396

40. System uptime readings did not change over time. 1652

41. Classification did not work properly with one way Layer 4 Bandwidth

Management policies.

N/A

42. Device crash when trying to edit/add VPN rule via CWI. N/A

43. Problems with SW Download via the WBM. No indication is received

that download finished. SW download started again without user

request.

N/A

44. Error message appeared on CLI after using command: lp global client-

table aging-time set 100.

N/A

45. When a fragmented IPSec packet would arrive to the Integrated VPN

gateway on the LinkProof Branch, an ICMP error was sent to the source

VPN gateway to stop sending fragmented packets and reduce MTU.

Some gateways recognize this message and act accordingly and some do

not. In this version the fragmented message is reassembled and

decrypted in order to find the IP address of the originating client, and an

ICMP error message asking it to lower its MTU is sent to this client. Of

course the message is encrypted and sent via the source VPN gateway.

Reassembled and decrypted message is forwarded to the destination, in

case its size is less than current MTU on the forwarding port.

N/A


Page - 25 -

Page 25



46. Generic libraries fixes:

Fixed in Generic 10.01.00-13:

a. When Bandwidth Management policies were used to classify P2P

traffic, in some cases, packets were classified incorrectly.

b. A SYN packet with an illegal TCP option could cause the

accelerator to hang when replying to the SYN packet with a SYN

cookie. In such cases the master CPU would then crash with no log

messages (Application Switch 3 only).

c. When "SSL Hello" health check was in use, and the SSL version

was "SSL V3.0" the device did not include the SSL version when it

generated the check.

d. The SSH client did not process "window adjust" messages.

e. Sending configuration files to the device, which were not in BER

format, caused the configuration to be erased.

f. After upgrading to software versions that supports SNMPv3, it was

not possible to connect to the device using SNMP anymore.

g. vacmAccess* entries in ASCII configuration did not have the correct

snmpGroup key

h. When SSL based check was in use (HTTPS or LDAPS) and the

server was using the CBC ciphers, the check failed.

i. When SSL check was in use, and the physical link, which was use to

send the check, became disconnected, the check did not fail.

j. In some cases UDP Port Health Checks succeeded even if the UDP

port was unavailable.

k. 2 new Basic Filters for BitTorrent (UDP) are now available. P2P

filters group is also updated with the new filters.

l. When Port Bandwidth Statistics were collected and BWM module

was disabled, the device crashed with a fatal error.

m. When BWM module was disabled, it was possible to delete basic

filters, which were used by BWM policies.

n. When Using BWM policies with Bandwidth Limitations and the

maximum bandwidth allowed was 1K, the device did not classify the

traffic correctly. The Minimum Bandwidth Limitation for policy is

now limited to 12K.

o. TCP and UDP traffic on port 512 caused high CPU utilization.

p. When Bandwidth Management was enabled and Application

Security was disabled and Session Table was full, the device crashes

with the following fatal error: "Fatal Error:

bwmSessionTableProcessCallback error - linked session wasn't

a. 1632

b. N/A

c. N/A

d. 5275

e. N/A

f. N/A

g. N/A

h. N/A

i. N/A

j. N/A

k. N/A

l. 1707

m. N/A

n. 1726

o. 1738

p. 1697

q. 1716

r. N/A

s. N/A

t. N/A

u. N/A

v. 1813

w. N/A

x. N/A

y. N/A


Page - 26 -

Page 26



found".

q. When HTTP or HTTPS health checks were is use and the servers

replied with "HTTP 1/0" and "200 OK" in two packets, the check

failed.

r. A new argument is now available for "TCP Port" health checks –

"Complete with FIN". When this argument is enabled, the device

ends the TCP check with a FIN Packet. In case the server replies to

this FIN with an ACK, the device sends another ACK to the server.

In case the server doesn't reply to the FIN packet – the check doesn‟t

fail (the check fails only if the server doesn't reply to the SYN

packet). The default value of the argument is "Disable".

s. After sending a configuration file, that contained two (or more)

entries in the Community Table with the same community string,

only the first community sting appeared in the community table.

t. After converting the configuration file to a newer software version

using Configware Insite, and uploading the converted configuration

to the device, it was not possible to connect to the device using

SNMP.

u. The device allowed uploading configuration files which were not in

BER format and deleted the current configuration afterwards.

v. In order to delete an entry from the OSPF interface table, it was

required to use the command net ospf interface del <ip address>

<interface number>. However it should only be required to specify

the IP address.

w. In order to improve DoS Shield performance, a new DoS Shield

filter is now available.

x. When the configuration file was downloaded from the device, the

SNMP community table was missing was the downloaded

configuration file.

y. A bug in the escaping sequence of Health Monitoring Module did

not read the methods arguments correctly.



1. Occasionally an FTP session where many data sessions were attached to

the same control session would cause the device to crash.

1315

2. Proximity checks do not reach the minimum packet size of 60 bytes. In N/A


Page - 27 -

Page 27



the past this caused the packet to be padded by garbage. Now every

TCP and ICMP check packet that is smaller than 60 bytes is padded

with zeroes. To the UDP proximity checks packets the

linkproof.proximity.advance packet is added.

3. In certain cases the MAC table was update according to dynamic ARP

packets, even though there was a static entry in the ARP table.

1477

4. BootP messages were not forwarded by the device when it was

configured as BootP relay.

1500

5. The application port number that could be configured for aging per

application functionality was limited to 49151 instead of 65534 (fixed in

CLI and Web).

N/A

6. Using CLI, strange numbers were displayed in the output of net l2-

information command when it was used after the command system inf-

stats reset.

1334

7. It was possible to set a Gig port to 100Mb via CLI. 1320

8. The caption of the Port Mirroring parameter Receive Broadcast was

changed to Promiscuous Mode.

1337

9. In certain conditions, when using passive FTP in environment with

many retransmissions, new traffic sessions would stop being forwarded,

due to lack of available Dynamic NAT ports.

N/A

10. When using Virtual Tunneling between two sites in certain

configurations, the tunnel health was not detected correctly (one site

detected tunnel as active while the other side detected it as failed)

causing the traffic for this tunnel to fail permanently.

1446

11. If an ARP packet was received from subnet not defined on the device,

the device did not answer. Now it will answer, if routing entry to that

subnet is defined.

N/A

12. Dual power supply is supported on Application Switch 2 and 3. N/A

13. During software upgrade between minor versions password was

required. This is fixed for updates from this version on.

N/A

14. New information has been added to the system device-info command

output: network driver version, health monitoring module version,

active and secondary boot version.

N/A

15. When upgrading a device with a file-system, and there is not enough

free space on the flash, the device generated an error message. During

software upgrades the device now erases the old version in case there is

1082


Page - 28 -

Page 28



not enough space on the flash.

16. A spelling mistake was fixed in CLI output: "Couldn't prepare

temporary directory cm:/TARTMP for tar extration." (extration instead

of extraction).

N/A

17. In rare conditions, Application Switch 2 and Application Switch 3 Strata

Flash (Internal Flash), would loose its content upon frequent reboots.

1424,

1489

18. Application Switch 2 and Application Switch 3 device would suddenly

crash with the following error:

"Warning: Non-formatted Strata Flash media.

Please, prepare Strata Flash for File System ('z') and execute DOS

format ('y')"

1489

19. On Application Switch 3 with 9 Giga Ports (Fireproof on Voyager only)

when one port which was part of Static Forwarding ports was down, the

device did not fail to second port.

N/A

20. On Application Switch 3 the 10G port did not work properly. N/A

21. When bandwidth management per traffic flow was used, the device

occasionally crashed.

1487

22. Fixed in Generic 10.00-00.13a: When Protocol Discovery was enabled

and the device did not have enough memory, the device crashed with a

fatal error: “Fatal Error: No Memory available to create statistics table”.

1433

23. Fixed in Generic 10.00-00.13a: When Bandwidth Management was

configured to block or limit eDonkey traffic the CPU was overloaded.

1476

24. Fixed in Generic 10.00-00.13a: When updating policies, sometimes the

device crashed with a fatal error: "Fatal Error: Accelerator: 0, CPU: 0,

no longer responding".

1511

25. Fixed in Generic 10.00-00.13a: The device would become inaccessible

via Telnet or SSH, if multiple successive attempts to login were done by

the user.

1481

26. When using LP Branch VPN gateway, if the VPN Rule local subnet (for

example 10.2.1.0) was included in the same VPN Rule remote subnet

(for example 10.0.0.0) the device didn‟t reply to messages sent to its IP

belonging to the local subnet, because it recognized the session as VPN

session.

N/A

27. Occasionally an FTP session where many data sessions were attached to

the same control session would cause the device to crash

1315


Page - 29 -

Page 29



28. Proximity checks do not reach the minimum packet size of 60 bytes. In

the past this caused the packet to be padded by garbage. Now every

TCP and ICMP check packet that is smaller than 60 bytes is padded

with zeroes. To the UDP proximity checks packets the

linkproof.proximity.advance packet is added.

N/A

29. In certain cases the MAC table was update according to dynamic ARP

packets, even though there was a static entry in the ARP table.

1477

30. BootP messages were not forwarded by the device when it was

configured as BootP relay.

1500

31. The application port number that could be configured for aging per

application functionality was limited to 49151 instead of 65534 (fixed in

CLI and Web).

32. Using CLI, strange numbers were displayed in the output of net l2-

information command when it was used after the command system inf-

stats reset.

1334

33. It was possible to set a Gig port to 100Mb via CLI. 1320

34. The caption of the Port Mirroring parameter Receive Broadcast was

changed to Promiscuous Mode.

1337

35. In certain conditions, when using passive FTP in environment with

many retransmissions, new traffic sessions would stop being forwarded,

due to lack of available Dynamic NAT ports.

N/A

36. When using Virtual Tunneling between two sites in certain

configurations, the tunnel health was not detected correctly (one site

detected tunnel as active while the other side detected it as failed)

causing the traffic for this tunnel to fail permanently.

1446

37. If an ARP packet was received from subnet not defined on the device,

the device did not answer. Now it will answer, if routing entry to that

subnet is defined.

N/A

38. Dual power supply is supported on Application Switch 2 and 3. N/A

39. During software upgrade between minor versions password was

required. This is fixed for updates from this version on.

N/A

40. New information has been added to the system device-info command

output: network driver version, health monitoring module version,

active and secondary boot version.

N/A

41. When upgrading a device with a file-system, and there is not enough

free space on the flash, the device generated an error message. During

1082


Page - 30 -

Page 30



software upgrades the device now erases the old version in case there is

not enough space on the flash.

42. A spelling mistake was fixed in CLI output: "Couldn't prepare

temporary directory cm:/TARTMP for tar extration." (extration instead

of extraction).

N/A

43. In rare conditions, Application Switch 2 and Application Switch 3 Strata

Flash (Internal Flash), would loose its content upon frequent reboots.

1424,

1489

44. Application Switch 2 and Application Switch 3 device would suddenly

crash with the following error:

"Warning: Non-formatted Strata Flash media.

45. Please, prepare Strata Flash for File System ('z') and execute DOS

format ('y')".

1489

46. On Application Switch 3 with 9 Giga Ports (Fireproof on Voyager only)

when one port which was part of Static Forwarding ports was down, the

device did not fail to second port.

N/A

47. On Application Switch 3 the 10G port did not work properly. N/A

48. When bandwidth management per traffic flow was used, the device

occasionally crashed.

1487

49. Fixed in Generic 10.00-00.13a: When Protocol Discovery was enabled

and the device did not have enough memory, the device crashed with a

fatal error: “Fatal Error: No Memory available to create statistics table”.

1433

50. Fixed in Generic 10.00-00.13a: When Bandwidth Management was

configured to block or limit eDonkey traffic the CPU was overloaded.

1476

51. Fixed in Generic 10.00-00.13a: When updating policies, sometimes the

device crashed with a fatal error: "Fatal Error: Accelerator: 0, CPU: 0,

no longer responding".

1511

52. Fixed in Generic 10.00-00.13a: The device would become inaccessible

via Telnet or SSH, if multiple successive attempts to login were done by

the user.

1481

53. When using LP Branch VPN gateway, if the VPN Rule local subnet (for

example 10.2.1.0) was included in the same VPN Rule remote subnet

(for example 10.0.0.0) the device didn‟t reply to messages sent to its IP

belonging to the local subnet, because it recognized the session as VPN

session.

N/A

54. After reset the default status of virtual tunnels (Virtual Tunneling

functionality) was active. A flag has been added now (available only via

N/A


Page - 31 -

Page 31



CLI) that allows to determine the initial status of the virtual tunnel –

Active (default) or Not-In-service (NIS). If initial status is Not-in-

service, the virtual tunnel status will be updated to active only after

tunnel health monitoring checks are successfully completed. The CLI

command to change the initial status of the virtual tunnel is lp vir-tunnel

tweaks vt-init-oper-stat.

Notes:

1. The new flag is manageable only via CLI.

2. The new flag's value is not kept during upload or download

of the configuration.

55. When a virtual tunnel was defined, health monitoring checks were

created even if global Health Monitoring status was Disable.

N/A

56. After reboot device did not send ARPs via the last physical port. N/A

57. In VLAN redundancy configuration, in case the device interface

grouping parameter is enabled and some of the interfaces in VLAN are

disconnected or/and connected the device did not detect the port status

change.

N/A

58. Device hung - no CLI, no ping reply, no management at all after

changing the configuration of VRRP settings.

1559

59. Fixed in AS 1.51.11: Anti scanning problem – sometimes the device

detected scanning attempt but did not block the attack.

N/A



1. The number of VPN tunnels supported has been increased to 30

(previously it was 10).

N/A

2. Backup gateways configured for a VPN Rule were not saved in the

configuration. As a result during upload\download configuration

process the backup gateways were lost.

N/A

3. The Keep Alive interval could accept negative values. N/A

4. The CLI command system config was not displaying the VPN

commands in the correct order.

N/A

5. When VPN functionality was enabled proprietary redundancy

mechanism did not work properly.

N/A


Page - 32 -

Page 32



6. Configuration that included Switch IP VLAN could not be uploaded to

the device.

1346

7. On Application Switch 3 a single network processor was activated

causing performance degradation.

1327

8. Device working in VRRP redundancy mode with priority 255 was not

sending ARP requests.

1158

9. On Web Based Management there was a spelling mistake in the name of

the DNS Virtual IP menu (under LinkProof/DNS Configuration).

1318

10. If a DNS request for a record type not supported by the device was

received (such as MX record), device was not answering. Now device

will answer that the record type is not supported. The device will answer

with Authoritative Answer 0, which specifies that the responding name

server is not an authority for the domain name in question. Return code

is set to 0 No error meaning that the request was completed successfully.

N/A

11. The device will answer only if the specified URL is configured on the

device. If the URL is not configured then the device will continue not to

answer.

1272

12. In redundancy configurations where VLAN was used, after redundancy

is enforced twice, messages sent by the device to email server or syslog

server did not reach their destination (the server MAC was learnt on the

wrong physical port).

N/A

13. The maximum number of SNMP communities supported by the device

was increased from 16 to 256.

N/A

14. Fixed in network driver: When Interface Grouping was enabled and a

port, with the negotiation mode set to off, became unavailable, the

device switched off all other interfaces, but the LEDs remained

illuminated.

N/A

15. Fixed in network driver: When Interface Grouping was enabled and the

Interface Admin Status of a port, with negotiation mode set to off, was

changed to "Down" the LED remained illuminated.

N/A

16. Fixed in network driver: Application Switch 2 with 7 Giga ports did not

detect changes in link status on ports 5-7. As a result it did not detect

that the links are up and did not forward traffic to those ports.

1300

17. Fixed in BSP: Sometimes, the device did not write correctly to the

Strata Flash (Internal Flash).

N/A

18. In Virtual Tunneling configurations when one tunnel was down, all the N/A


Page - 33 -

Page 33



clients that used any virtual tunnel were deleted, not only those using the

failed tunnel.

19. When the device crashes due to a Fatal Error, the error is now logged

into the NVRAM, rather then the Flash memory. After the device is

reloaded, the application copies the log to the Flash.

N/A

20. The Network Processors on Application Switch 3 could occasionally

crash and stop responding.

N/A

21. Application Switch 3 with port rules configuration occasionally stopped

forwarding traffic.

N/A

22. If the value of the SYN Flood Protection parameter was changed, when

trying to retrieve configuration file from the device using WBM, the

following error message was displayed: “Error 10 in loading

configuration - variable number 01 of SNMP packet 001, variable name

unknown”.

N/A

23. On Application Switch 3 device when Static NAT was performed for

local traffic the following message appeared: “WARNING:

reaPrepareFlowEntry - Unexpected Configuration (2)!!”

N/A

24. When Application Switch 3 device had a very large numbers of entries

in ARP table, the device would stop forwarding traffic.

1328

25. Fixed in BSP: In some cases, during software upgrades (or

downgrades) on Application Switch 2 and 3, the boot upgrade failed.

N/A

26. Fixed in BSP: In previous versions of BSP, configuration changes were

saved to the Compact Flash every second (on Application Switch 2 and

3). Now BSP saves the changes to the Compact Flash immediately.

1166

27. Health Monitoring module fixes:


a. Username and Password fields size were limited to 20 characters for

HTTP and SSL checks. This Health Monitoring Module version

enlarges the size of each field to 80 characters. Please note that the

total size of all fields cannot exceed 80 characters.

b. The Health Monitoring Module used to send a trap with an "info"

severity when a health check failed. Starting with this version the

"warning" severity is used when a check fails and "info" severity is

used when a check passes.

c. In some cases, when the user pasted a configuration file to the

device with CDBSET commands and TCP User Defined health

N/A


Page - 34 -

Page 34



checks were in use, the device crashed with a Fatal Error.

d. When the Health Monitoring Module was using DNS and SNMP

checks, it would not reuse the UDP ports. When all the UDP ports

were already in use, the device stopped performing DNS and SNMP

checks and generated the following trap: "ERROR

UDPP_alloc_free_port: no free ports”.

e. When hundreds of health checks were in use, occasionally the

device would stop performing health checks.

28. Terminal module fixes:


a. The "system config" command was missing flags and command

parts.

b. Using the CLI command "system paste-config” while the device has

several hundreds of configured objects, the following errors

occurred: "TCP: No more packets ", and the Telnet / SSH sessions

were disconnected.

c. The last physical port was not visible in the output of the CLI

command "management management-ports".

d. The device would hang if the user entered the " ' " character (a single

quote in the Hebrew language character set) in the device login or

prompt.

e. In some cases, when the output of messages was too long, the device

crashed.

a. 1332

b. 1265

c. N/A

d. N/A

e. N/A

29. When the majority of the traffic to the device was Telnet Sessions, the

device generated the following error message: "tnp_text_handler: no

more buffers".

1325

30. Help for CLI commands "manage snmp versions" and "manage snmp

versions

N/A

31. Fixed in Generic 10.0:0: Downloading configurations from the device

using Configware Insite, using long file name (more than 100

characters), caused the device to crash with a fatal error:

1290

32. Bandwidth Management module fixes:


a. In some cases BWM rules resulted in false positives, and blocked

legitimate sessions or packets.

a. 1319

b. N/A

c. N/A

d. 1371, 1376

e. 1248


Page - 35 -

Page 35



b. In order to improve performance and classification speed, the

FastTrack filter is now using the OMPC mechanism instead of URL

search.

c. In cases where the first fragmented IP packet that contained a TCP

header was not the first session packet, the device did not classify

the packet correctly.

d. When Bandwidth Management was used and there was a policy with

a specific IP address in the source network or in the destination

network, the device would crash.

e. Bandwidth Management Tuning and Session table were not

available without a SynApps license. The users could not tune the

Bandwidth Management (for number of policies) or the session

table.

33. Protocol Statistics module fixes:


a. When Bandwidth Management was Disabled, and Protocol Statistics

was Enabled, the device would crash after "Update Policy" action.

b. A new memory protection is used in order to verity that the device

has enough memory for Protocol Statistics Module.

c. When Protocol Statistic table was full the device continuously sent

traps notifying the user about it.

N/A

34. Application Security fixes:

Fixed in Application Security 1.51.10:

a. In some rare cases the device stopped responding to management

commands via SNMP, WEB, SSL, SSH, Telnet, CLI. Static

forwarding ports however did continue to operate normally.

b. Sometimes using CWIS it was not possible to retrieve the device

security log file when using TFTP.

c. CLI printouts of internal Application Security tables could not be

interrupted.

d. On AS-III platform setting attack filters to match SYN packets did

not block the attacks.

e. When application security global action mode was set to forward,

port-scanning filters continued to block scanning traffic.

a. 1398

b. 1355

c. 1399

d. 1368

e. 1322


Page - 36 -

Page 36



1. This version allows application software to support multiple boot

versions. The config.ini file defines the lowest boot version supported

(BootRomVersion) and the highest boot version supported

(BootRomVersionInPackage). If the current boot version on the device

is within these parameters, no boot upgrade is required.

N/A

2. In VLAN configurations, when BWM was enabled, device would

occasionally crash in task L2.

1161

3. When using proprietary redundancy mechanism with Backup Fake ARP

functionality enabled, the following problem was observed. When main

device came up the advertisements sent by the backup device on behalf

of the main device did not include the Virtual DNS address. Instead of

the Virtual DNS address, an address equal to the highest Static NAT

address plus one was advertised.

1244

4. In some cases when backup interface grouping was enabled, the backup

device was reporting some of the interfaces as active. If broadcast was

heard from the main device the backup device replied directly to the

main that the interface belonged to. This confused some L3 switches and

the redundancy was broken.

1239

5. In some cases, usually in VLAN configuration, destination grouping

entries could not be added. The following error message was observed:

"DSGRP_add_dest_subnet: NULL default destination subnet".

1246

6. The flag “Use grouping decision inside proximity” was checked even

when proximity was disabled. This caused DNS reply to always use the

NHR from which the request arrived.

N/A

7. In VRRP configurations when the active device changed traps where

sent to all management interfaces for each associated IP. In cases where

there were large numbers of associated IPs the large number of traps

sent every time the active device changed was problematic. A flag is

now available via the CLI interface that allows disabling these

messages. In case the flag redundancy vrrp ms-per-ip is disabled the

only trap received will be to announce the new active VRID. The flag is

enabled by default.

N/A

8. If “Use Port Rules in Advertisement” is enabled for RIP or OSPF

routing, device would occasionally crash.

N/A

9. The message of the SNMP traps for NTP and VRRP errors were

incorrect and did not match Syslog messages.

1163


Page - 37 -

Page 37



10. Device was occasionally sending incorrect warning messages regarding

NTP (“server unsynchronized according to leap indicator” and “Stratum

unspecified”).

1014

11. Terminal module fixes:

Fixed in Terminal Module:

a. When using the CLI command "system config", the device

might have crashed with the following message: “Fatal Error:

termCfgFilePrintf: text is too long”.

b. When “manage terminal trap-outputs” command was used, it

was not saved as part of the configuration and returned to its

default value after reboot.

c. Security risk in the terminal login page allowed users to

exploit a possible vulnerability.

d. Using the CLI command to check memory usage of device

internal modules, such as web, SSH, Terminal and others

occasionally showed negative values.

e. Using the CLI command "system paste-config” while the

device has several hundreds of configured objects, the

following errors occurred: "TCP: No more packets ", and the

Telnet / SSH sessions were disconnected.

a. 1001

b. 1148

c. N/A

d. N/A

e. 1265

f. Problems were encountered in certain units due to new strataflash

technology – the application failed during boot up.

1018

g. Device upgrade via Secure WBM interface failed. 996

h. In certain cases it was not possible to delete a Local Service entry from

Virtual tunneling tables. The following message was displayed: ”Error:

resource unavailable”.

N/A

i. Virtual Tunneling fixes:

a. When Dispatch Method was set to Cyclic and more than one

NHR was defined as backup, only the first backup NHR was

ever selected.

b. TRP was not working properly; it only kept TRP data for one

tunnel per remote station.

c. When Dispatch Method was set to a value other than Cyclic and

Hash (weight dispatch method) for local device and an NHR was

defined as backup, destination grouping was not applied

properly.

a. N/A

b. 1108

c. N/A

d. N/A

e. N/A


Page - 38 -

Page 38



d. When Dispatch Method was Cyclic for both local and remote

devices, tunnels whose VT Mode was Backup-Backup, were

never selected.

e. When Dispatch Method was set to a value other than Cyclic and

Hash for local device, the local NHR load was not taken into

consideration.

f. The Dispatch Method on the local device determines the remote

link selection now: if local Dispatch Method is set to a value

other than Hash, the remote link selection will use Cyclic mode,

if local Dispatch Method is set to Hash, the remote link selection

will use Hash mode. The Remote Link Weight parameter is now

obsolete and has been removed.

j. Bandwidth Management fixes:

Fixed in Bandwidth Management:

a. Bandwidth Management module was identifying traffic it

monitored as belonging to wrong port.

b. When SYN protection was enabled, packets were forwarded with

wrong sequence/ack numbers. This could cause session

disconnection.

c. When SYN protection and BWM were enabled performance was

affected excessively.

d. When the group to which a policy belonged was changed, after

Update Policies command, all change attempts to any policy

parameter resulted in error.

e. If Dynamic Borrowing parameter was enabled, though

Classification was disabled the device would be in an infinite

loop.

f. Uploading a configuration that included policies and policy

groups to a device that had BWM module disabled, failed.

g. The tuning memory check did not take into account the filters

assigned to the application security, thus when the application

security was enabled device could crash after reboot, if not

enough memory was available.

h. On Application Switch 3 policies that looked for layer 7

information were not always properly matched.

a. N/A

b. N/A

c. N/A

d. N/A

e. N/A

f. N/A

g. N/A

h. 1106

k. When tuning changes for protocol discovery caused lack of memory, N/A


Page - 39 -

Page 39



after reboot the device would enter infinite boot loop.

l. If device ran out of entries in the protocol discovery table, the device

would crash.

N/A

m. When Protocol Discovery functionality was enabled the “Update

Policies” command occasionally caused device to crash.

n. Fixed in Boot/BSP: Bandwidth limitations enforced by BWM module

on Application Switch 3, did not work due to synchronization problems

between master and accelerator CPUs.

1117

o. CLI command "system file-system copy-to-flash help" would sometimes

delete the internal flash.

1150

p. Configuration changes that were performed closely to device power

switch or power failure were sometimes lost, partially or completely .

917

q. CLI display results for "system file-system config act-appl" were

misaligned.

1078

r. When an Application Switch 3 device was used in redundancy

configuration with an Application Switch 2 or Application Switch 1

device and client table mirroring as enabled, corrupted client table and

fatal error were caused in the backup device.

N/A

s. When DoS Shield module is enabled in Static forwarding, but no filters

are configured, the overload mechanism was sometimes activated even

though there were no active filters.

865

t. When Source Grouping was configured and Use grouping decision

inside proximity was enabled, the proximity did not take into

consideration the Source Grouping settings.

N/A

u. For inbound traffic load balancing the proximity data was not taken into

consideration.

N/A

v. Configuration upload/download failed if VLAN was defined. N/A



1. Health Monitoring module fixes:

Fixed in Health Monitoring Module:

a. Using TCP User Defined and creating a packet sequence with

more than 512 characters, the device ignored the sting without

a. 997

b. 1000

c. 1004

d. N/A

e. N/A


Page - 40 -

Page 40



any error message.

b. In some cases, after editing a string of TCP User Defined packet

sequence, the data moved from the "string" field to the

"description" field and from the "Regular Expression" field to

the "Sequence String" field.

c. Using Packet sequence TCP User Defined health check and

defining a health check, the device accepted value of 0 for

destination TCP port, and then alerts next message : "ERROR

cckArgError: bad arg for func contol2".

d. Using TCP User Defined checks, the device does not increase

the sequence number after sending packets.

e. Using Health Monitoring module, the device accepted TCP or

UDP port 0 in several checks.

2. When CLI command manage terminal grid-mode set disabled is used, it

doesn't apply for all cases – for example it does not apply for system

internal driver stat all command.

878

Known Limitations The following are known limitations for this maintenance version:


1. Destination Health Check web page is missing webhelp 135405

2. Application Switch 2 7G with copper Gbics does not recognize link

failures.

N/A

3. If large numbers of Static NAT or Basic NAT public addresses is

configured (thousands), after a reboot or during redundancy failover process

the device must advertise this large number of IP addresses and this can

cause problems in device functionality. In such cases it is recommended

that no configuration changes are performed for the first 5 minutes after

reboot, and in case of redundancy the VRRP method is used.

N/A

4. Insite does not support License Upgrade for LinkProof Branch (It can be

performed via the WBM and CLI interfaces).

N/A

5. On Application Switch 3 ports can only be attached to pre-defined switched

VLAN and not to user-defined switched VLANs.

N/A

6. On Application Switch 1 platforms that have 8Mb flash, if 4.35.01 and an

additional version are loaded on the device, the device boots up slowly

because of the small amount of free memory available on the strataflash.

N/A


Page - 41 -

Page 41


The boot up time can be improved by deleting the second (inactive)

software version to free memory space.

7. On Application Switch 3, queuing, prioritization and bandwidth guarantee

capabilities are not supported for accelerated traffic (traffic that is processed

by accelerators only). Access control, bandwidth limitations per policies

and per traffic flow are supported by ASIII for all types of traffic

(accelerated or not). The bandwidth limitation capabilities allow AS3 to

provide attack isolation functionality.

N/A

8. Application Switch 3 cannot work in 802.1q environment and does not

support switched VLAN on Fast Ethernet ports.

N/A

9. Health checks created automatically (by the Virtual Tunneling or

Destination Health Monitoring functions) should not be manually bound to

any element. They are automatically bound to the relevant elements. This

can cause problems after reboot.

N/A

10. In the health monitoring module, the "SIP TCP" health check method is not

supported.

N/A

11. In the Health Monitoring Check Table view (via all management tools) the

Method of the existing health checks is displayed as a number instead of a

string (Ping, HTTP, etc).

N/A

Versions 4.35.05 and up do not work properly on Application Switch 1

hardware revision 2.40.

N/A

12. Cluster Server support supported only in WBM and CLI N/A

13. Force Port Down Feature supported only in WBM and CLI N/A

14. Client Views supported only in WBM and CLI N/A

15. Transparent Load Balancing supported only in WBM and CLI N/A

16. Subnet Persistency Mask Mode supported only in WBM and CLI N/A

17. New dispatch methods (L3 Hashing, SrcIP Hashing & Customized Hash)

supported only in WBM and CLI

N/A

18. Mirroring is not supported. N/A

© 2011 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners.

Date post:	26-Oct-2014
Category:	Documents
Upload:	anirban-das
View:	149 times
Download:	19 times

Attach Lp 4-38-01dl Mrn02

Documents