Release Notes Threat Management Services zl Module ST.1.2.110427 06-2011
Software Fixes in Releases ST.1.0.090213 - ST.1.2.110427
Release ST.1.2.101122
The following problems were resolved in release ST.1.2.101122
VPN
■ PR_62599 — L2TP/IPsec VPN fails when traffic is behind a NAT device and the ANY option is used.
Example Topology
L2TP/IPsec client-----NAT Device-------------TMS------Protected server
A client using the Windows native L2TP/IPsec client fails to authenticate when it is behind a NAT device and the "ANY" option is used for the Remote address field in the IPsec policy. If the TMS is configured with a specific IP address instead (the NAT device's external IP address), the VPN is established and authenticates. Likewise, if no NAT device is present, the ANY option allows the client to establish the tunnel and authenticate successfully.
Using the combination of a NAT device and ANY has the following effect:
1. The IPsec tunnel is established.
2. ESP packets are dropped at the firewall. The following message appears in the logs:
SA selectors are not matching with the received packet selectors.
Dropping packet
On the Windows system, the VPN client only returns an error message saying that the connection was interrupted.
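An administrator who wants to confirm that an unpatched module is hitting PR_62599 (rather than a generic IKE failure) can look for the two-step signature above in the logs: a tunnel that comes up under a policy whose remote address is ANY, followed by "SA selectors are not matching" drops for the same peer. The script below is an added example, not HP code; the log line layout and the peer/policy fields are assumed (constructed sample lines), since the release notes only quote the drop message itself.

```python
import re
from collections import defaultdict

# Constructed sample log lines (hypothetical layout, not real TMS output).
# The drop message text on lines 2 and 3 is the one quoted in the release notes.
SAMPLE_LOG = """\
2010-11-01 10:00:01 ipsec: IKE SA established with peer 203.0.113.7 (policy vpn-l2tp, remote ANY)
2010-11-01 10:00:02 ipsec: SA selectors are not matching with the received packet selectors. Dropping packet from 203.0.113.7
2010-11-01 10:00:03 ipsec: SA selectors are not matching with the received packet selectors. Dropping packet from 203.0.113.7
2010-11-01 10:05:00 ipsec: IKE SA established with peer 198.51.100.4 (policy vpn-site, remote 198.51.100.4)
2010-11-01 10:05:01 ipsec: ESP packet accepted from 198.51.100.4
"""

# Assumed line shapes for the two events that make up the signature.
ESTABLISHED = re.compile(
    r"IKE SA established with peer (\S+) \(policy (\S+), remote (\S+)\)"
)
SELECTOR_DROP = re.compile(
    r"SA selectors are not matching with the received packet selectors\. "
    r"Dropping packet from (\S+)"
)


def find_selector_mismatch_peers(log_text):
    """Return a dict keyed by peer IP for every peer whose tunnel came up and
    was then followed by selector-mismatch ESP drops. Each value records the
    policy name, the configured remote address and the number of drops."""
    tunnels = {}               # peer -> {"policy": ..., "remote": ...}
    drops = defaultdict(int)   # peer -> drop count

    for line in log_text.splitlines():
        m = ESTABLISHED.search(line)
        if m:
            peer, policy, remote = m.groups()
            tunnels[peer] = {"policy": policy, "remote": remote}
            continue
        m = SELECTOR_DROP.search(line)
        if m:
            drops[m.group(1)] += 1

    result = {}
    for peer, count in drops.items():
        if peer in tunnels:    # drop without a prior tunnel is a different problem
            info = dict(tunnels[peer])
            info["drops"] = count
            result[peer] = info
    return result


def likely_pr_62599(matches):
    """Filter the matches down to peers whose policy uses the ANY remote
    address, which is the combination the release notes describe."""
    return {peer: info for peer, info in matches.items() if info["remote"] == "ANY"}


if __name__ == "__main__":
    hits = likely_pr_62599(find_selector_mismatch_peers(SAMPLE_LOG))
    for peer, info in hits.items():
        print(f"{peer}: policy {info['policy']} (remote ANY), "
              f"{info['drops']} selector-mismatch drops after tunnel setup")
```

Running it against the constructed sample reports only 203.0.113.7, the peer under the ANY policy; the site-to-site peer with a fixed remote address is not flagged because no selector drops follow its tunnel setup.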
Release ST.1.2.110301
The following problems were resolved in release ST.1.2.110301
Firewall
■ PR_65612 — In a scenario where five hosts are NATted by a TMS zl Module from the Internal zone to the External zone (source NAT), only three of the five hosts can ping hosts in the External zone.
Clearing the connections with the no connections command on the TMS zl Module CLI makes all hosts able to ping for about 2 seconds, after which two of them (not always the same two as before) stop pinging.
Captures on the External interface show only packets flowing from the External VLAN IP to the target host.