Release Notes: Version ST.1.1.100330 Software for the HP ProCurve Threat Management Services zl Module

These release notes include information on the following:
■ Downloading documentation from the Web
■ Downloading and installing software updates
■ Special Considerations prior to updating
■ Enhancements
■ Software fixes included in release ST.1.1.
© Copyright 2009-2010 Hewlett-Packard Development Company, LP. The information contained herein is subject to change without notice.
Software Management

Download Documentation from the Web
You can download software updates and the corresponding product documentation from the ProCurve Networking Web site as described below.

View or Download the Software Manual Set
Go to: www.hp.com/go/procurve/manuals
You may want to bookmark this Web page for easy access in the future.
Software Updates
Controller 800, and HP ProCurve DCM Controller. The following hardware mobility products have a one-year hardware warranty with extensions available: HP ProCurve M111 Client Bridge, HP ProCurve MSM3xx-R Access Points, HP ProCurve MSM7xx Mobility and Access Controllers, HP ProCurve RF Manager IDS/IPS Systems, HP ProCurve MSM Power Supplies, HP ProCurve 1 Port Power Injector, and HP ProCurve CNMS Appliances.
6. Click Download and install to download the software to the module and install it.
Figure 1. A Successful TMS zl Module Software Update Using the Web Browser Interface
7. Wait for this message in the Latest Status field: Success: Image download and install have completed successfully. (see Figure 1).
8. Select the Reboot tab and click the Reboot button to complete the installation.
3. Enter the ProductOS context for the TMS zl Module.
Syntax: services name tms-module
Replace with the letter for the chassis slot in which the module is installed.
Example: hostswitch# services c name tms-module
OR
Syntax: services
Replace with the letter for the chassis slot in which the module is installed.
2. Initiate a console session with the host switch.
3. Enter the ProductOS context for the TMS zl Module.
hostswitch# services c 2
4. Copy the image from the server and install.
5. Reboot the module to complete the update.
hostswitch(tms-module-C)# reboot
For example, suppose that you copied the image to a TFTP server that has the parameters shown below:
1.
• IP address—192.168.1.13
• Filename—ST.1.1.100330.
You can type the first few letters of the directory name, then press the Tab key to complete the name. You might need to add the last few characters of the directory name if the USB drive contains more than one image.
9. Update the software. For example, if the new image directory is ST.1.1.100330, you would type:
hostswitch(services-module-C:HD)# update product ST.1.1.100330
Again, you can use tab completion for the file name.
10.
Special Considerations Prior to Updating
May-June 2010 Planned Release
Environments that should update:
■ All TMS Environments
ProCurve's product development model consistently strives to increase reliability, stability and performance with each successive version of the TMS zl Module software. The maintenance release for March 2010 contains significant improvements in stability and reliability. The current version makes a small trade-off in decreased performance.
GRE Tunnels
When upgrading to ST.1.1.100330 from a previous version, any configured GRE tunnels will go down and not pass traffic until an additional configuration item, the tunnel peer IP address, is entered. Prior to updating, please schedule the appropriate downtime for these GRE tunnels, as well as document the tunnel peer IP address for each end of the tunnel, so that the re-configuration process goes smoothly.
After upgrading to ST.1.1.100330, the traffic selectors are migrated but the GRE tunnel is down.
The administrator will have to manually enter the Tunnel Peer IP address to get the GRE tunnel back up. Once the GRE tunnel is back up, the administrator can take advantage of new GRE features available with release ST.1.1.
Enhancements
The following improvements have been added in ST.1.1.100226:
■ Command Line Interface (CLI) control of VPN functionality
Please see the updated Management and Configuration Guide for the HP ProCurve Threat Management Services zl Module on the ProCurve Web site for details on how to configure and use this new feature.
Software Fixes in Releases ST.1.0.090213 - ST.1.1.100330
Software fixes are listed in chronological order, oldest to newest. Unless otherwise noted, each new release includes the software fixes added in all previous releases. Release ST.1.0.090213 was the first production software release for the HP ProCurve Threat Management Services zl Module.

Release ST.1.0.090213
No problems resolved in release ST.1.0.090213.
Release ST.1.0.090603
■ PR_17313 — For a VLAN association, the user can specify DHCP as a method for getting an IP address for the TMS zl Module. If the user goes in and edits the VLAN association and changes the IP address method to a Static IP address, the DHCP client process still runs in the background and can overwrite the static IP address.
time="2009-03-30 09:17:09" severity=critical pri=1 fw=ProCurve-TMS-zl-Module id=fw_l2l3_attack msg="FW: packet with invalid tcp flags found, packets dropped" srczone=INTERNAL src=192.168.0.134 srcport=18155 dstzone=EXTERNAL dst=192.168.1.128 dstport=80 proto=TCP subfamid=packetheaderanomaly mtype=attack mid=625
The log messages are no longer logged as critical.
time="2009-04-01 11:41:59" severity=critical pri=1 fw=ProCurve-TMS-zl-Module id=fw_l2l3_attack msg="ICMP:Error message not allowed by firewall" srczone=INTERNAL src=192.168.0.1 dstzone=EXTERNAL dst=192.168.1.56 proto=ICMP icmptype=3 subfamid=icmppacketanomaly mtype=attack mid=648 icmpcode=1
The severity has been changed to warning and the priority attribute has been changed from 1 to 4.
time="2009-04-15 10:19:33" severity=critical pri=1 fw=ProCurve-TMS-zl-Module id=fw_l2l3_attack msg="ICMPREPLAY: packets with duplicate sequence number found, packets dropped" srczone=EXTERNAL src=192.168.80.5 dstzone=SELF dst=192.168.80.
by viewing info signatures, then disabling the XSS family. When the operation completes, refresh the page, and view info signatures. When you inspect the XSS family you will see that not all XSS family info signatures are disabled.
■ PR_37450 — TMS zl Module was not saving the IPS or IDS configuration in its configuration backup file.
rulefam=BACKDOOR ruledsc="BackDoor Digital Root Beer" subfamid=ips_signature_based_logs attackid=no-id mtype=iips_l5_l7_attack mid=3189 timetolive=3 actiontype=terminate
■ PR_38512 — When the same IPS attack was continuously launched against the TMS zl Module and generating log entries, log throttling was not working and many of the same IPS log entries were populating the log file.
■ PR_38226 — Changing a bypass or ignore IPsec policy to apply shows an erroneous key exchange method.
■ PR_38228 — A misleading error occurs when the traffic selector's IP range starts or ends with 255. Workaround: Correct the range.
■ PR_38229 — IPsec policy advanced settings are displayed incorrectly after the default settings are changed and then edited in the Web browser interface.
Release ST.1.1.100226
The following problems were resolved in release ST.1.1.100226

General
■ PR_813 — Web browser interface does not function without JavaScript enabled and does not notify user that JavaScript is required.
■ PR_961 — The initial login banner text of the Web browser interface in the TMS zl Module differs in size depending on whether the user is accessing it with HTTP or HTTPS.
■ PR_11856 — When using the Web browser interface, an error message is displayed when a valid IP address is being set in some pages, such as RADIUS, IPsec Policies, and so forth. For example, this may occur when an otherwise valid IP address is added with a final space at the end.
■ PR_12802 — When adding an NSSA or STUB area to the OSPF configuration, leading zeros in the area ID are flagged as an error.
■ PR_18145 — In the Web browser interface, if a VLAN is added with an invalid IP address in the range 224.0.0.0 - 254.255.255.255, an error is returned stating: VLAN could not be added. Failed to add VLAN IP address. but the VLAN is actually added, but not associated to any zone. In the CLI, the error message only states: Error: Failed to set VLAN IP address.
■ PR_37988 — Upgrading to an ST.1.1.XXXXXX release from any ST.1.0.
Monitor Mode
■ PR_17758 — In monitor mode, when IPS full inspection is turned on and the FTP ALG is turned off, sending an FTP copy of the startup configuration to the network fails with a broken pipe error.

High Availability
■ PR_8325 / PR_14916 — When configured for High Availability, the Rebalance button in the Web browser interface is not needed for an Active/Standby configuration.
■ PR_40301 — GRE Tunnel displayed GREv2 Error in tcpdump when attempting to verify the connectivity with a ping packet.
■ PR_40313 — When adding a RADIUS server, the administrator can specify a NAS-ID that accepts a script as input, allowing code injection into the RADIUS Web interface page.
■ PR_40319 — In the log file, log entries with the following message IDs may truncate the username: 1213, 1214, and 1204.
Release ST.1.1.100330
■ PR_51483 — Enabling IP compression and disabling fragmentation causes a TMS crash in Site-to-Site VPNs.
Steps:
1. Configure a site-to-site VPN tunnel with one host at each end
HOST1(10.11.0.10)-----TMS1----(VPN)----TMS2----HOST2(10.13.0.10)
2. Host2 sends a large ping using: ping 10.11.0.10 -s 64000. TMS2 works fine, TMS1 fails.
Known Issues
Known issues fixed in a later software release are indicated using the following format:
■ PR_xxxxxxxxxx — To confirm what release fixed the issue, use the issue number to search the PDF file.
Known issues that are open as of the latest software release appear as follows:
■ PR_xxxxxxxxxx —

Release ST.1.1.100226
The following problems are known issues as of release ST.1.1.100226.
■ PR_39670 — LLDP protocol sends localhost as the name of the system instead of configured hostname in monitor mode.
■ PR_41166 — In the routing CLI, ip rip send should work as enabling sending updates.
■ PR_41291 — In the CLI, show logging local filter date-time accepts invalid time values.
■ PR_44372 — Inconsistency between the TMS zl Module and 5400/8200 zl switches on OSPF Priority range. The switch OSPF Priority range is 0-255 and on the TMS zl Module it is 1-255.
■ PR_44476 — TMS zl Module does not log all administrative changes to the configuration. As a result, the log files do not show all the necessary information to audit configuration changes appropriately. For example, modifying an access policy does not produce a log entry.
1. Go to Firewall/Access policies/Multicast
2. Click on Add a policy
3. On the source field, go to Options button and select Enter custom IP,IP/mask or IP-Range and enter a non-multicast IP address.
4. On the destination field, go to Options button and select Enter custom IP,IP/mask or IP-Range and enter a multicast IP address.
5. Before you click on Apply button and Close button, make sure you make a note of what zones you picked for the policy.
6.
■ PR_50252 — Performance Related HA + 256 VLAN configured issue - scheduled to be addressed in May-June 2010 release.
■ PR_50394 — In the Web browser interface in the Settings->Logging->View Log page, when positioning the mouse cursor over a log, the text false is displayed at the bottom of the page. This behavior appears when using Internet Explorer 6.
This will not happen for new TMS zl Modules running ST.1.1.YYYYY but will happen for any TMS zl Module that updates from ST.1.0.XXXXXX to ST.1.1.YYYYYY. Unfortunately, the only known workaround is to erase the startup-config for the TMS zl Module, reboot, and create a brand new configuration.
■ PR_52365 — When adding a static route with a reachable gateway and then changing the VLAN unique MAC address attribute, traffic is no longer routed.
Workaround:
1.
port-trigger 34 any service cmd allow-any-inbound outbound tcp 32 inbound tcp 32
port-trigger 500 any tcp 50 inbound tcp 50
port-trigger pt-one any service biff allow-any-inbound outbound tcp 1 inbound tcp 1
The CLI command sh port-trigger 500 will display all the port-trigger policies configured even though the port trigger 500 exists.
time="2009-05-21 14:15:05" severity=info pri=6 fw=ProCurve-TMS-zl-Module id=fw_l2l3_attack msg="Reassembly is currently disabled" srczone=UNKNOWN_ZONE src=88.1.20.151 srcport=0 dstzone=UNKNOWN_ZONE dst=88.1.10.
2. Enable igmp on the VLAN
3. Try to show config using: show ip igmp config
Nothing is displayed in the table. However, show ip pim does show the IGMP status for the VLAN.
■ PR_43431 — In the Web browser interface, 'Firewall>Settings>Connection Allocation>Connection Reservations', the TMS zl Module allows a user to add a connection reservation for the same IP, same zone, with different connection allocations.
A log message should not be generated for every packet drop unless logging is enabled per policy so behavior is the same as other access policies.
2. TMS zl Module allows traffic based on the proxy server's IP address instead of the user's IP address. (TMS zl Module only checks for IP)
3. Now the proxy server has the logged in user's access policy applied and users using the proxy server can have those policies too.
■ PR_52458 — Active TCP sessions are incorrectly closed when a failover occurs as a result of modifying a Firewall policy or policies prior to the failover.
srcport: 135 dstzone: INTERNAL dst: 10.255.133.182 dstport: 58319 proto: TCP subfamid: tcpconnectionanomaly mtype: attack "mid: 675

High Availability
■ PR_14222 — NIMv2 does not display the HA Configuration already set on a device and the log shows Driver Operation Fails with Exception. A user has directly used CLI to set up a High-Availability Active-Standby cluster using two TMS zl Modules successfully.
■ PR_46900 — High Availability Master and Participant can get out of sync with regard to connections when a large number of connections have been established.
■ PR_47206 / PR_10554 / PR_16655 — In High Availability mode, VPN connections are not failing over for 'Client-to-Site'. 'Site-to-Site' connections fail over correctly.
■ PR_42272 — In the Web browser interface, an obscure error message is displayed if the Peer IP address is set with a value 224.x.x.x or greater.
Steps to recreate: A GRE Tunnel has already been created.
1. Open the TMS zl Module Web browser interface.
2. Go to the VPN section.
3. Select the GRE link.
4. Go to the GRE Tunnels tab
5. Click the edit button from the previously created GRE tunnel.
6. Edit the Peer IP address field with a value 224.x.x.x or greater.
■ PR_44860 — The TMS zl Module Log messages do not provide enough detail to help troubleshoot IPsec using certificate authentication.
■ PR_44911 — Removing an IKE policy displays different output from removing an IPsec policy and proposal. For consistency, this should be reworded.
■ PR_45392 — No logging messages are generated when attempting to retrieve a certificate from a server by SCEP.
■ PR_45757 — The spinning icon in the bottom left hand corner of the Firewall - Schedule dialog does not show when adding/editing a schedule.
■ PR_47774 — A GRE tunnel name is limited to 10 characters, which is not enough for a good descriptive name.
■ PR_47952 — IPsec Certificates Signing Requests are not being saved or restored.
Steps to recreate:
1. Launch TMS zl Module app
2. Go to the VPN section
3. Select the Certificates link
4.
■ PR_48459 — NIMv2.1: Delete CA Certificates shows Status "Completed Successfully" but it actually does not delete the CA Certificates due to the Script MIB introducing an extra escape MIB.
■ PR_49913 — If a Certificate Signing Request is created, then a software update is performed, the Certificate Signing request is not saved across a software update.
■ PR_52480 — In SCEP Settings, a user cannot clear the unique CA identifier field, either through the Web browser interface or the CLI interface. If a user fills in all the text fields in the SCEP settings except for the Unique CA Identifier, then presses Apply My Changes, no error is thrown and the settings are applied successfully. When the user clicks the SCEP tab again, the Unique CA Identifier contains the string "scep".
Release ST.1.0.090603
After the TMS zl Module has been updated to ST.1.0.090603, the following behavior is observed: The output of the switch CLI command, show services detail reports the software version initially installed rather than the updated version. The output of the TMS zl Module CLI command, show version, is correct. Additionally, the software version information in the TMS zl Module's Web browser interface correctly identifies the updated version, ST.1.0.
■ PR_38154 — A misleading log entry generated when logging in as the user Operator.
1. Open the TMS zl Module Web browser interface.
2. Login as Operator.
3. Go to the logging section.
4. Select the View Log tab.
5. Search for the log entry generated when logging in as Operator.
6.
■ PR_38705 — RIP: Connected VLANs are not sent correctly when Ripv1-v2 is set. The TMS zl Module does not send the connected VLANs to another router (R1), when RIP version has been set as v1-v2. In the following example the TMS zl Module is using Ripv1-v2 and router R1 has RIP version 2 set.
Routes in TMS zl Module
Destination      Gateway        Metric  Distance  VLAN   Type
10.10.30.0/24    10.10.30.254   1       0         lan30  connected
10.10.40.0/24    10.10.40.
Routes in R1 when VLAN300 has v1-v2 enabled in TMS zl Module
Destination       Gateway         Metric  Distance  VLAN     Type
192.168.1.0/24    192.168.3.254   3       100       vlan300  rip
192.168.2.0/24    192.168.2.250   1       0         vlan200  connected
192.168.3.0/24    192.168.3.250   1       0         vlan300  connected
192.168.5.0/24    192.168.3.254   3       100       vlan300  rip
192.168.11.0/24   192.168.11.95   1       0         vlan1    connected
As a workaround, use RIP version 2 in the TMS zl Module.
Status and Counters - PIM-SM Learned RP-Set Information
Group Address   Group Mask    RP Address      Hold Time  Expire Time
224.0.0.0       240.0.0.0     192.168.3.253   150        100
239.0.0.0       255.192.0.0   92.168.3.253    150        100
3. Set a static RP
#router pim rp-address 192.168.2.253 224.0.0.0/6
4. Verify learned and static RP
#show ip pim rp-set
Status and Counters - PIM-SM Static RP-Set Information
Group Address   Group Mask    RP Address
224.0.0.0       240.0.0.0     192.168.2.
The "Log in" and "log out" log entries are displayed properly but this log entry should not be generated.
■ PR_39239 — Some OSPF log entries have different priorities, can have duplicate entries, and lack general details.
■ PR_40312 — Log messages with message IDs of 609, 618, 629, and 659 are marked as critical but should not be critical. They should be a warning.
time="2009-05-08 21:13:47" severity=critical pri=1 fw=ProCurve-TMS-zl-Module id=fw_l2l3_attack msg="FW: udp packet header length is less than expected, packets dropped" srczone=INTERNAL src=192.168.70.100 srcport=0 dstzone=ZONE6 dst=192.168.70.
Firewall
■ PR_15088 — A stateful firewall connection using a DNS object will have a high timeout value when the DNS address object is modified while the connection is active. Using the show connections command from the TMS zl Module CLI will show a high timeout value. For these connections, the no connections command can be used to remove any problematic sessions.
■ PR_38165 — When editing a connection reservation, the direction can't be modified.
Example:
1.
time="2009-05-17 16:06:33" severity=major pri=2 fw=ProCurve-TMS-zl-Module id=fw_l2l3_attack msg="Jolt attack detected" srczone=UNKNOWN_ZONE src=192.168.70.67 srcport=0 dstzone=UNKNOWN_ZONE dst=192.016870.1 dstport=0 proto=UDP subfamid=dosattack mtype=attack mid=1001
time="2009-05-17 16:06:33" severity=major pri=2 fw=ProCurve-TMS-zl-Module id=fw_l2l3_attack msg="PingOfDeath attack detected" srczone=UNKNOWN_ZONE src=192.168.70.67 dstzone=UNKNOWN_ZONE dst=192.168.70.
VPN
■ PR_40354 — When 4893 Internet Key Exchange Security Associations are established, no more IKE responses are generated by the TMS zl Module and no logs reporting this condition are generated.
■ PR_40903 — When an L2TP Policy exists and is disabled, traffic continues passing through the tunnel. The L2TP Policy must be deleted.
Example:
1. Go to VPN -> IPsec -> L2TP Remote Access.
2. Add an L2TP Policy.
3. Create access policies.
4.
■ PR_38948 — In an HA environment, should the administrator need to delete the fail-over connections on a participant, they can only delete up to 200,000 connections at a time and not the entire connection list (up to 600,000).

Monitor Mode
■ PR_39263 — The following log messages are shown in Monitor Mode and are not applicable to Monitor Mode: mid=625, mid=626, mid=675, mid=715, mid=1008, and mid=1356.
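For a log collector that receives records from a module still affected by PR_40312 and PR_39263, the following added Python example (not part of the original release notes or of HP's software) parses the key=value record format quoted in these notes and applies both corrections on the receiving side. The function names, the `reported_severity`, `applicable` and `truncated` output keys, and the `monitor_mode` argument are assumptions of this example; the second and third sample records are constructed.

```python
import re

# PR_40312: these message IDs are logged as critical but should be warning.
SHOULD_BE_WARNING = {609, 618, 629, 659}
# PR_39263: these message IDs are not applicable when the module is in Monitor Mode.
NOT_APPLICABLE_IN_MONITOR_MODE = {625, 626, 675, 715, 1008, 1356}

# A field is key=value; the value is double-quoted (may hold spaces) or a bare token.
_FIELD = re.compile(r'(?<!\S)(\w+)=(?:"([^"]*)"|(\S*))')


def parse_record(line):
    """Split one TMS log record into a dict of its key=value fields."""
    fields = {}
    for key, quoted, bare in _FIELD.findall(line):
        if bare.startswith('"'):
            # Opening quote with no closing quote: the record was cut off.
            fields["truncated"] = True
            bare = bare[1:]
        fields[key] = quoted or bare
    return fields


def normalize(fields, monitor_mode=False):
    """Apply the corrections described in PR_40312 and PR_39263 to a parsed record."""
    out = dict(fields)
    mid_text = fields.get("mid", "")
    mid = int(mid_text) if mid_text.isdigit() else None
    if mid in SHOULD_BE_WARNING and fields.get("severity") == "critical":
        # Keep the reported value for audit. pri is left unchanged because the
        # notes give no corrected priority for these message IDs.
        out["reported_severity"] = "critical"
        out["severity"] = "warning"
    # monitor_mode is supplied by the operator; the record does not carry it.
    out["applicable"] = not (monitor_mode and mid in NOT_APPLICABLE_IN_MONITOR_MODE)
    return out


def triage(lines, monitor_mode=False):
    """Parse and normalize a batch of log lines."""
    return [normalize(parse_record(line), monitor_mode) for line in lines]


SAMPLE_LINES = [
    # Record quoted in these release notes (mid=625).
    'time="2009-03-30 09:17:09" severity=critical pri=1 fw=ProCurve-TMS-zl-Module '
    'id=fw_l2l3_attack msg="FW: packet with invalid tcp flags found, packets dropped" '
    'srczone=INTERNAL src=192.168.0.134 srcport=18155 dstzone=EXTERNAL '
    'dst=192.168.1.128 dstport=80 proto=TCP subfamid=packetheaderanomaly '
    'mtype=attack mid=625',
    # Constructed record using one of the PR_40312 message IDs.
    'time="2009-05-08 21:13:47" severity=critical pri=1 fw=ProCurve-TMS-zl-Module '
    'id=fw_l2l3_attack msg="constructed sample message" srczone=INTERNAL '
    'src=192.0.2.10 dstzone=EXTERNAL dst=198.51.100.20 proto=UDP mtype=attack mid=618',
    # Constructed record cut off inside the quoted msg value.
    'time="2009-05-08 21:13:48" severity=critical pri=1 msg="constructed, cut off mid-rec',
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_LINES, monitor_mode=True):
        print(rec.get("mid"), rec.get("severity"), rec["applicable"], rec.get("msg"))
```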
Release ST.1.0.090213
The following problems are known issues as of release ST.1.0.090213.
■ PR_665 — When an IPv4 address is entered into a field, regardless of whether the administrator is using the Web browser interface or CLI interface, the TMS zl Module is not doing the complete validation on the address based upon the field being used. For example, a multicast or broadcast address can be entered into source address fields.
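A sketch of the field-aware IPv4 validation that PR_665 describes as incomplete, also covering the trailing-space case in PR_11856 and the 224.0.0.0-and-above cases in PR_18145 and PR_42272. This is an added Python example, not TMS zl Module code; `check_ipv4_field`, its "unicast"/"multicast" field kinds and the wording of the returned reasons are assumptions.

```python
import ipaddress

FIRST_MULTICAST = ipaddress.IPv4Address("224.0.0.0")


def check_ipv4_field(text, kind, prefix_len=None):
    """Validate an IPv4 entry for a field of the given kind.

    kind is "unicast" (source, VLAN or tunnel peer address) or "multicast"
    (multicast destination). Returns (ok, detail): the canonical address when
    ok, otherwise a reason that names the specific problem.
    """
    value = text.strip()  # surrounding spaces are not part of the address
    try:
        addr = ipaddress.IPv4Address(value)
    except ipaddress.AddressValueError as exc:
        return False, f"not an IPv4 address: {exc}"

    if kind == "multicast":
        if not addr.is_multicast:
            return False, f"{addr} is not in 224.0.0.0/4"
        return True, str(addr)
    if kind != "unicast":
        raise ValueError(f"unknown field kind: {kind!r}")

    if addr.is_unspecified:
        return False, "0.0.0.0 is not a host address"
    if addr >= FIRST_MULTICAST:
        # Covers multicast (224/4), reserved (240/4) and 255.255.255.255.
        return False, f"{addr} is multicast or reserved (224.0.0.0 and above)"
    if prefix_len is not None and prefix_len < 31:
        # With a known prefix, also reject the subnet's own network and
        # directed-broadcast addresses.
        net = ipaddress.ip_interface(f"{addr}/{prefix_len}").network
        if addr == net.network_address:
            return False, f"{addr} is the network address of {net}"
        if addr == net.broadcast_address:
            return False, f"{addr} is the broadcast address of {net}"
    return True, str(addr)


if __name__ == "__main__":
    # Constructed inputs, one per case named in the lead-in.
    for text, kind, plen in [
        ("192.168.1.13 ", "unicast", None),
        ("224.0.0.5", "unicast", None),
        ("192.168.1.255", "unicast", 24),
        ("239.1.1.1", "multicast", None),
    ]:
        print(repr(text), kind, check_ipv4_field(text, kind, plen))
```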
address      Set IP parameters for communication within an IP network.
igmp         Enable IGMP on the VLAN.
rip          Configure RIP on the VLAN.
ospf         Configure OSPF settings.
pim-sparse   Enables PIM-SM on the VLAN.
The impact to the user is that some commands cannot be typed in a single line and the VLAN configuration context must be entered in order to configure some items.
The first syslog server is deleted and there is no way to specify the second syslog server except to execute the no logging syslog 192.168.1.59 command again.
■ PR_5390 — The administrator cannot change the password for MD5 authentication on an OSPF interface without knowing the previous password. As a workaround, first disable the VLAN from OSPF and then re-enable it with the new password.
3. Login as manager. The TMS zl Module prompts to interrupt current manager, click cancel.
4. This brings up the logout prompt (Save&Logout, Do Not Save& Logout, Cancel), click Cancel.
Now, the additional client is logged into the Web browser interface as manager.
■ PR_8044 — The TMS zl Module has been configured for VLAN IP addresses and HA is enabled but not configured (that is, there is only one device in the cluster).
■ PR_9404 — SSH Buffer errors are shown in logs with varying severity. These messages represent temporary and recoverable conditions, but they should all be of the same severity.
■ PR_11190 — When a RADIUS user attempts to login to a TMS zl Module, a log is always generated with Attempted to login with a wrong name despite the user being able to successfully login.
■ PR_11703 — When a TMS zl Module is moved between two switch chassis with different configurations, references to VLANs can remain on the OSPF and Multicast pages.
Example:
1. Add several VLANs to the VLAN Associations page.
2.
Example:
1. Log in as an operator.
2. Go to Maintenance > Update Software > Server Type drop down selection box.
or
Go to Authentication > RADIUS > Protocol drop down selection box.
■ PR_12250 — In environments where high connection rates and high connection counts are in use, management interfaces can be slow or locked up. This will occur when the administrator has not specified a Priority VLAN for management in their configuration.
5. Display VLAN information by using the show vlans command.
■ PR_13220 — When a software update is performed by retrieving the image via FTP, SCP, or TFTP, a generic error message is displayed for any user input error. For example, if the IP address is incorrect, if the username is wrong, or if the password is wrong, the error message simply indicates a failure and does not call out the specific problem.
■ PR_14561 — An unexpected group already exists error may show up when a user deletes a group and then adds a group with the same name again. The TMS zl Module marks groups for deletion, but the actual deletion may take a few seconds. Simply wait a few seconds before adding a group with the same name as a group that was previously deleted and the error will not appear.
when using insert-at 1 there must be at least one policy or rule available. There must be a valid policy or rule at the position number for whatever number is specified. If one does not exist, an error is reported, but the zone information is not included in the error message.
■ PR_16231 — Some log entries for warning logs and information logs have messages that are truncated in the log viewer. Most log messages are not truncated and those that are contain enough information that a user can tell what they are about. However, the messages have more information in them than can be displayed.
■ PR_16539 — When using the TMS zl Module CLI, the radius-server help command gives options that are not available.
■ PR_2485 — When there are a large number of firewall access policies, the Web browser interface may take some time to load these policies to display to a user. For example, with approximately 2,000 policies, loading them takes about 15 seconds or less. However, when the number of firewall access policies increases to around 15,000, the time to load the Web page approaches three minutes.
2. From a separate management session, delete all access for that user group
3. The user still has access through firewall
■ PR_11874 — On the Firewall > Access Policy > Unicast page in the Web browser interface, when adding a policy there is an advanced tab that allows for limit settings. The valid ranges for entries in connections, Kilobytes, packets, and seconds are not listed.
IPS/IDS
■ PR_10287 — In the signature file for the TMS zl Module, there are a few mentions of IPv6. This is incorrect. The TMS zl Module is an IPv4 only device.
■ PR_18204 — If you filter signatures by severity, then disable a family of signatures, the expected result is that all displayed signatures in that family will be disabled. However, the actual result is that only some of the signatures displayed get disabled.
■ PR_38240 — Cannot import IPsec Certificates (intermittently fails) from the Web browser interface (VPN > Certificates > IPsec Certificates).
■ PR_38887 — VPN connections truncate local gateway addresses, preventing a user from seeing all the information for an established tunnel.

High Availability (Active/Standby)
■ PR_7372 — From the TMS zl Module CLI, the high-availability command does not accept CIDR notation.
Expected Results: The module with priority set to one (original Master) becomes Master again.
Actual Results: Device with lower priority joins the cluster as Master and the one with higher priority joins as Participant. At first glance, this seems to be incorrect, but it is actually done by design. It is assumed that there is something wrong with the module that failed, for example, an intermittent problem.
■ PR_7533 — If the TMS zl Module is in monitor mode, the IDS logs incorrectly show zones Internal and Zone6 in the logs for data and management. These zone references are not correct and should be ignored.
■ PR_11929 — When in monitor mode and using the TMS zl Module CLI, if you add a management IP address, the CIDR format of IP-Address/mask is not accepted and you must enter the IP address and Subnet Mask as separate values.