Release Notes Threat Management Services zl Module ST.1.2.110427 06-2011

Known Issues
Release ST.1.1.100430
Workaround: When using this configuration, use tracert to validate connectivity to the TMS. To
validate connectivity to an external destination in this configuration, use trace route from the
TMS.
Monitor Mode
PR_54944 — In Monitor Mode, an invalid critical log message with no message content can
be generated. The message ID is 337.
PR_56203 — In Monitor Mode, the log messages with identifiers 100000 and 99999 are
missing content, date, and time.
High Availability
PR_55708 — The command line interface command "show connections" shows only active
connections. On the Participant it shows none, because the Master is the only module
with active connections.
PR_55976 — In the command line interface, the 'show high-availability' command hangs
for 60 seconds on the participant when the participant has been incorrectly configured with
the same device ID as the master.
PR_55977 — The Windows ping command works from one client but not from a different client
after a high-availability failover. This behavior occurs when ICMP replay attack is enabled on
the TMS. The ICMP sequence number and Session ID information is continually checked to detect
an ICMP replay attack. This information is available in an active session, but it is not
synced with the participant. After a failover, when the participant takes over from the
master, the TMS detects the ICMP packets as bad traffic.
Here are some Windows ICMP ping examples that work after failover:
a. If ICMP timeout is 60 seconds
ping -w 60001 -t 10.30.1.6
The '-w' option specifies the time in milliseconds to wait for a response before the next ICMP
echo request is sent. It is not the time between requests, and it only has an impact in slow
networks or when there is no response. The value should be larger than the default ICMP
timeout.
b. If ICMP timeout is 10 seconds
ping -w 10001 -t 10.30.1.6
c. If ICMP timeout is set to 5 seconds then ICMP ping works without any problem.
ping -t 10.30.1.6
The default timeout for ICMP messages is 60 seconds, but it can be configured to a lower number.
The switch CLI command to set the ICMP timeout to 5 seconds is: