Aas-28 1 7 0-RN
Release Notes
Version 28.1.7.0 August 2, 2012
North America: Radware Inc., 575 Corporate Dr., Lobby 1, Mahwah, NJ 07430, Tel: (888) 234-5763
International: Radware Ltd., 22 Raoul Wallenberg St., Tel Aviv 69710, Israel, Tel: 972 3 766 8666
www.radware.com
Table of Contents

Content
  Release Summary
  Supported Platforms and Modules
  Obtaining the Software
Upgrade Path
  Upgrade Procedure
  Other Upgrade Considerations
Related Documentation
What's New
Maintenance Fixes
  Fixed in version 28.1.7.0
Known Limitations

Content
Radware announces the release of AlteonOS version 28.1.7.0. These release notes describe new features and software issues fixed since the last released version of AlteonOS 28.1.5.0.

Release Summary

Release Date: August 2, 2012
Objective: Minor software release introducing a number of new capabilities and addressing software issues.

Supported Platforms and Modules

AlteonOS version 28.1.7.0 is supported on the following Alteon platforms:

4408 running on OnDemand Switch VL
4408 XL running on OnDemand Switch VL XL
4416 running on OnDemand Switch 2
4416 XL running on OnDemand Switch 2 XL
5224 running on OnDemand Switch 3 LS
5224 XL running on OnDemand Switch 3 LS XL
5412 running on OnDemand Switch 3
5412 XL running on OnDemand Switch 3 XL
Alteon VA running on VMware ESX 5.0, KVM, and OpenXen

For more information on platform specifications, see the Radware Alteon Installation and Maintenance Guide.

Note: This version is supported by APSolute Vision version 1.25 and later.

Obtaining the Software

Before you can update your Alteon switch software, obtain the appropriate software update file from Radware, as follows:

1. Go to www.radware.com and locate the software update files.
   Note: You must have a username and password before attempting to download a software update. If you do not have a username and password, click My Account and then click Register.
2. Under My Updates > Software Releases, the relevant updates for the products you own display. Select the platform for which you want to download the update.
3. Select the release type and release for which you want to download the update.
4. Download the software update files to a server within your own organization that is accessible using FTP or TFTP.

The following is the software base for the software update files:

File name | File size | Comments
AlteonOS-28.1.7.0-4408.img | 68,761,600 | System upgrade software image for AAS 4408
Recovery-AlteonOS-28.1.7.0-4408.zip | 86,558,892 | Recovery image for AAS 4408 (via USB)
AlteonOS-28.1.7.0-4416.img | 89,989,120 | System upgrade software image for AAS 4416
Recovery-AlteonOS-28.1.7.0-4416.zip | 107,576,119 | Recovery image for AAS 4416 (via USB)
AlteonOS-28.1.7.0-5000.img | 224,870,400 | System upgrade software image for AAS 5412 and 5224. Used for one-step upgrade of ADC-VX and its vADC instances and Alteon standalone devices.
AlteonOS-28.1.7.0-5000-VX.img | 86,988,800 | ADC-VX Infrastructure-only upgrade image for AAS 5412 and 5224.
AlteonOS-28.1.7.0-5000-ADC.img | 137,881,600 | vADC upgrade image for AAS 5412 and 5224. Requires ADC-VX infrastructure image to be installed first.
 | | Recovery image for AAS 5412 and 5224 (via USB)
 | | Upgrade image for Alteon VA
 | | VMware Virtual Appliance image
 | | Xen Virtual Appliance image
 | | KVM Virtual Appliance image

Upgrade Path
You can upgrade to this AlteonOS version from AlteonOS versions 26.0.x, 26.1.x, 26.2.x, 26.3.x, 26.8.x, 27.0.x, 28.0.x and 28.1.x. This version is a recommended upgrade for AAS 4408/4416 users with 4 GB of RAM.

Upgrade Procedure

General upgrade instructions are found in the Radware Alteon Installation and Maintenance Guide. For ADC-VX and vADC upgrades, new image management options were added in this version. Refer to the Alteon Application Switch Operating System Application Guide for more information.

Note: The reboot time after upgrade may be long. Radware recommends monitoring it via a console connection.

Other Upgrade Considerations

Once you have upgraded from a version prior to version 27.0.0.0, rollback (downgrade) is possible only to version 26.3.0 or higher. For all rollback scenarios, the configuration is restored to factory defaults (preserving IPv4 management interface access). Make sure to back up the configuration prior to the upgrade and reload this configuration after the rollback.

Related Documentation
The following documentation is related to this version:

Radware Alteon Installation and Maintenance Guide version 28.1.5.0
Alteon Application Switch Operating System Application Guide version 28.1.5.0
Alteon Application Switch Operating System Command Reference version 28.1.5.0
Alteon Application Switch Troubleshooting Guide version 28.1.5.0
Browser-Based Interface (BBI) Quick Guide version 28.1.5.0
Alteon Application Switch Performance Report version 28.1.0.0

For the latest Radware product documentation, download it from http://www.radware.com/Customer/Portal/default.asp.

What's New

This section describes the new features and components introduced in this version. For more details on all described capabilities, refer to the Alteon Application Switch Operating System Application Guide and the Alteon Application Switch Operating System Command Reference for this version.

Server RST on Client FIN

Server Reset on Client FIN allows the Alteon to send an RST to the server side once a FIN is received from the client and the frontend connection is closed. This ensures that the server closes the backend connection immediately instead of closing it gracefully. The feature is relevant only for sessions flowing through the application acceleration engine.

Maintenance Fixes
The following is a cumulative list of bugs fixed since the release of AlteonOS version 28.1.6.0.

Fixed in version 28.1.7.0

Item | Description | Bug ID
1 | Using IPv6 script health checks resulted in high MP CPU usage. | prod00164420
2 | On an Alteon 5412 platform, LACP packets were dropped by Alteon VX. | prod00164305
3 | On the Alteon 5412 and 5224 VX platforms, when STP was set to off, STP and LACP packets were not forwarded. | prod00164227
4 | On an Alteon 5412 platform, STP packets were dropped by Alteon VX. | prod00164223
5 | The SLBadmin user was unable to apply configuration changes. | prod00164136
6 | When session caching was enabled, IPv6 filter redirection did not work. | prod00164003
7 | Synchronization of DNSSEC configuration changes was automatically performed on apply, even though no peers were configured. | prod00163824
8 | When Layer 7 modification was defined, dbind was automatically changed from enabled to forceproxy. | prod00163767
9 | The SSH management connection became inaccessible periodically, and running SSH on/off did not revive the connection. After several such retries, the device reset. | prod00163531, prod00163229
10 | On an Alteon 5224 platform, BWM was not working on ports 17 through 26. | prod00163417
11 | On an Alteon VX 5224 platform, in viewing the vADC in the BBI, there was a mismatch between the VLAN table and the Physical Ports table. | prod00163394
12 | On an Alteon VX 5224 platform, in the BBI L2 Physical Port pane, the port speed of ports 19 through 24 displayed the incorrect values. | prod00163392
13 | Alteon VX crashed in certain cases due to SSH management connection. | prod00163271
14 | NAT was not performed on SDP data (in SIP) with response codes other than 200 OK. Now it is also performed for 180 RINGING and 183 SESSION IN PROGRESS response codes. | prod00163262
15 | | prod00163247
16 | | prod00163224
17 | | prod00163185
18 | | prod00163112
19 | | prod00163098
20 | | prod00163077
21 | | prod00163017
22 | | prod00162931
23 | | prod00162738
24 | | prod00162636
25 | | prod00162562
26 | | prod00162450
27 | | prod00162440
28 | | prod00162382
29 | | prod00162230
30 | | prod00162090
31 | | prod00162051
32 | | prod00162044
33 | | prod00161980
34 | | prod00161975
35 | | prod00161441
36 | | prod00161245
37 | | prod00160917
38 | | prod00157497

Known Limitations
The following are known limitations for this version:

Item Description
1. Only ICMP health check can be used for virtual service for type IP.
2. The put image option /boot/ptimg is not supported.
3. The configuration dump done from BBI does not use Courier-New font. For this reason, the PKI components included in the dump look like they are not formatted correctly.
4. When using HTTP connection management (HTTP Multiplexing) and group server maximum connections (maxconn) is reached, the persistent connections opened for multiplexing are also not reused to serve client requests.
5. Capture and decrypt capture functionality is supported only using the CLI. BBI does not support this functionality.
6. Importing the 2424-SSL processor configuration file to migrate its certificate repository to version 27.x is supported only using the CLI.
7. BGP does not remove from its table a route that was learned from RIP, even though the route had been withdrawn. When redistribution of RIP routes to BGP is configured, and a route that is learned from RIP has failed, BGP should send an UPDATE message containing the withdrawn route to its peers and state that it is not removing the route entry from the routing and BGP tables.
8. The /stats/mp/cpu option shows the MP CPU utilization for one second, the average for four seconds, and the average for 64 seconds. It takes up to 25 seconds for the four-second average to get updated properly and almost 5 minutes for the 64-second average to get updated properly.
9. The scheduled reboot option /boot/sched is not supported.
10. BWM statistics are different when used with different contracts within the same policy. When the user assigns different contracts for different ports with equal capacity within the same policy, statistics of both ports differ even though the same policy is applied. This means that the number of total packets and discarded packets varied for two different ports.
11. A new image is downloaded to the image2 slot even though the instruction was to download to the image1 slot. The new image is downloaded to image 1, but after being written to the CompactFlash, the images are then swapped.
12. The upgrade process does not ask the user to confirm the upgrade after the new image is downloaded.
13. The upgrade process cannot be aborted when the wrong password is provided. Currently, there is no way to abort the upgrade process other than waiting for the idle time out (5 minutes) to expire.
14. The GSLB command /info/slb/gslb/geo (geographical preference information) does not display the region list.
15. If an image is downloaded to an active bank, the warning is displayed only after the download is finished and file writing is aborted.
16. On a 4416 platform, there is a bottleneck on throughput when DAM is enabled (only 3G can be reached).
17. On a 5412 platform, the link status displays incorrectly when changing some port parameters.
18. The number of free pports reflected by the commands /stats/slb/pip and /stats/slb/sp x/pip is calculated for a single real server, where it should be multiplied by number of real servers.
19. Alteon HTTP cache does not respect the range HTTP header to request only part of an object.
20. Using HTTP modifications with the file type element, only the replace action is supported. If removing or inserting a file type (file extension) is required, use the modification of element of type URL.
21. When a client port is part of multiple VLANs, and multiplexing is used, the VLAN used in the back-end connection (to the server) is always the one used to initiate the connection. This problem does not exist when proxy IP (PIP) is done on the egress port, as recommended in Radware's best practices for connection management (multiplexing).
22. With large configurations, the Revert-Apply operation may fail with multiple errors generated that are related to a legitimate CLI command that did not succeed. Workaround: Run the Revert-Apply operation again.
23. Proxy IP (PIP) statistics are available only when multiplexing is enabled on the virtual service.
24. Jumbo frames are not supported in this release.
25. Fragmented traffic is not supported when accessing the device management.
26. Alteon legacy content-based switching with delayed binding enabled does not work with fragmented traffic. Workaround: Use pbind force-proxy mode.
27. When more than 390 certificates and keys of different types are configured, accessing the BBI certificate repository page might cause device failure.
28. Overlapping NAT capability is not supported for IPv6 filters.
29. The number of concurrent connections (CEC) for IPv6/IPv4 gateway traffic is limited to 64K per SP.
30. When HEAD requests are sent to a VIP which is configured with HTTP to HTTPS Body URL rewrite, session failures occur.
31. After downgrading from 28.1.x.0 to 26.3.x, the user is prompted to keep or discard the management IP. Even if the user answers No, the management IP is saved.
32. IPv6 traffic destined to directly connected network is forwarded to the gateway instead of the configured IPv6 interfaces. Workaround: Define the local route cache for the immediately connected network using /cfg/l3/frwd/local/add6 command.
33. Passive FTP doesn't work over IPv6.
34. Highly fragmented connections that include more than 20,000 fragments drop fragments.
35. On Alteon 4408, the power LED does not turn red when there is a power supply failure.
36. Live capture (TCPdump) mode is not supported via a serial console.
37. When downloading an image, you cannot have the same image version in both image banks (image1 and image2). When downloading the same version, the older image is overwritten by the newly downloaded image.
38. Session clear on reset is applicable only for non-accelerated session entries.

ADC-VX / vADC Specific Limitations

39. User backdoor does not work for vADC users created by the Global Administrator.
40. TFTP SLB is not supported when using IP.
41. vADC Admin passwords are not encrypted.
42. MP Virtualization (vMP) goes to 100% utilization VRRP when using a shared VLAN for ISL. When this occurs, both vADCs in the HA pair become the master with or without traffic for a short while.
43. When the device is working in ADC-VX mode, uploading the global configuration (gtcfg by global administrator) does not replace existing vADCs with the ones in the new configuration. Instead, it merges them. If the uploaded file includes vADC IDs that are already on the device, the user is prompted to overwrite the existing vADC configuration with the imported one. Workaround: Manually delete all vADCs before importing a new configuration.
44. When using a script to configure several vADCs in parallel, the server certificate Generate command might stop working until reboot is performed.
45. When a vADC is rebooted, it shows an incorrect alert message saying a throughput limit of 0 has been reached. This message should be ignored.
46. An incorrect VLAN ID appears in a warning message when HAID 0 is used for two vADCs on the same shared VLAN.
47. If the Global Admin context process restarts, the user is not able to perform Revert Apply to the last configuration.
48. When synchronizing the configuration between a vADC instance running on a 5224 device and a standalone 5412 device that uses different physical ports, a "bad port" error is received, even after disabling ID ports synchronization using /cfg/slb/sync/ports.

114941 114952 114967
121285 121299 121765 134531 139880 142396 143690 144719 146287 146536 152729