HP Firewall Series - HP AF5000-CMW520-R3206P22 Release Notes
Restrictions and cautions 
ALG restriction 
The deny ip destination rules in the ACL for the nat outbound command affect the operation of ALG. We do
not recommend configuring deny ip destination rules with .
Known hardware bus bug 
When virtual packet reassembling is enabled, the SPI4.2 bus can process only the first five fragments of a 
packet, resulting in fragment loss. 
Known PHY chip bug 
In forced mode, the BCM 5464 chip does not support automatic cross-over/straight-through adaption. As a
result, a cross-over cable is required to connect two BCM 5464 chips operating in forced mode. If a
straight-through cable is used instead, the link layer cannot come up. The BCM 5464 chip is used on the 12-GE
interface module for the F5000-A5.
RMON statistics restriction 
The interfaces on the MPUs and 12-GE interface modules provide packet statistics by packet length in a
different way than the RFC. Therefore, these two types of interfaces do not support RMON statistics. This is
a hardware restriction.
ICMP fragment sending restriction 
When the length of an ICMP echo request used for a ping operation is greater than 35000 bytes, the packet will 
be fragmented due to the restriction of the interface MTU. The longer the ping packet, the more the fragments. 
However, the F5000-A5 does not support QoS queuing, and packets that cannot be sent out of an interface
are directly dropped. Because the number of credits sent by the RMI fixed port is limited, fragments might not 
be able to be sent out successfully when a large number of fragments need to be sent and the burst rate is 
greater than the rate of the interface. As a result, some fragments cannot arrive at the intended receiver and the 
intended receiver cannot assemble the ICMP packets. 
10-GE interface module cannot provide erroneous packet statistics 
The 10-GE interface module cannot provide erroneous packet statistics because its MAC chip does not support
erroneous packet statistics.
F5000-A5 does not support ARP detection 
The F5000-A5 does not support ARP detection. Do not configure ARP detection. 
Open problems and workarounds 
HSD51584 
Description: If a session already exists when you configure a new security policy, the policy does not take
effect on the session even if the session matches the policy.
Workaround: Reset sessions after you configure a security policy. 
HSD60317 
Description: When you configure OSPF equal-cost routes with the F5000A as the intermediate device, the 
tracert information is incorrect. 
Workaround: The device drops the packets whose TTL is 1. 
HSD61584 
Description: The ARP detection function does not take effect on the F5000-A5. 










