Release Notes Threat Management Services zl Module ST.1.2.110909 11-2011

Known Issues
Release ST.1.2.101122
PR_66125 — An L2TP/IPsec tunnel cannot be established when AH is configured as the
Security Protocol in the IPsec Proposal. Workaround: use ESP instead of AH. ESP is strongly
recommended in any case, because AH provides no confidentiality and fails behind NAT (AH
authenticates the outer IP header, which NAT rewrites).
PR_66264 — Shrew Soft VPN client 2.1.6 indicates successful connection when IKE Phase
2 negotiation fails. Shrew Soft VPN clients 2.1.5 and 2.1.7 have been tested and both versions
do not exhibit this issue.
PR_66268 — The ProCurve VPN Client will not connect to a TMS zl Module when IPsec is
configured with protocol ESP, encryption algorithm AES-256, and authentication algorithm SHA-1.
The issue is specific to the ProCurve VPN Client: it connects with other encryption and
authentication algorithm combinations, and other VPN clients (for example, Shrew Soft) connect
with ESP, AES-256 and SHA-1 without problems.
PR_66407 — While an L2TP/IPsec tunnel is established, a large amount of unrecognized traffic
is seen at the interface where the VPN tunnel terminates. The IP addresses in the packet capture
are not assigned anywhere in the test scenario, and a large number of packets with bad
checksums are also seen. The traffic disappears when the tunnel is disconnected.
ICSA Documentation Requirements
Invalid TCP Packet Logging — The TMS zl Module drops invalid TCP packets without generating
logs. The TMS zl Module is a stateful firewall: every TCP connection must be established with the
three-way handshake, and an invalid TCP packet is defined here as a TCP packet that arrives
without a connection having been established beforehand. Such packets are dropped silently to
protect the module from a denial-of-service (DoS) attack in which an attacker floods it with
invalid TCP packets and forces it to spend CPU cycles generating a large number of log entries.
Operators should be aware that such a flood therefore leaves no trace in the log.
Raw IP Packet Handling — The TMS zl Module does not log packet drops when a raw IP packet
with the protocol field set to 6 (TCP) is received and the packet carries a data payload. It does
log drops of raw IP packets with other protocol field values, and of protocol 6 packets with no
data payload. This behavior is the same whether the traffic originates from the private or the
public network, and whether it is destined to or through the TMS zl Module.
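The two preceding paragraphs (Invalid TCP Packet Logging and Raw IP Packet Handling) describe what a stateful firewall treats as an "invalid" TCP packet and which drops go unlogged. The following is an added illustration written for this page, not HP TMS zl Module code: a minimal connection tracker that accepts only segments belonging to a connection opened with a SYN and completed with the three-way handshake, silently drops stateless TCP segments while counting them (so a flood is still visible in a counter even though it produces no log lines), and logs drops of non-TCP protocols. The service list, the policy-deny log line and the sample traffic are constructed assumptions of this example; the TMS's real state machine and log format are not documented on this page.

```python
"""Minimal stateful TCP tracker (added illustration, not HP TMS zl Module code).

Rules modelled here (assumptions for this example, not a description of TMS internals):
  * a SYN (without ACK) to a permitted service opens tracking state;
  * a SYN to a non-permitted service is a policy deny and is logged;
  * TCP segments with no matching state, or inconsistent with it, are "invalid":
    dropped without a log line but counted;
  * non-TCP packets that are dropped are logged, like the text's "other Raw IP packets".
"""
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport flags payload_len")

# TCP flag bits and the IP protocol number for TCP
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
TCP = 6


class StatefulFirewall:
    def __init__(self, allowed_services):
        self.allowed = set(allowed_services)  # (dst_ip, dst_port) permitted inbound
        self.conns = {}                       # connection key -> handshake state
        self.logs = []                        # log lines that would be emitted
        self.invalid_tcp_dropped = 0          # silent-drop counter

    @staticmethod
    def _key(p):
        # direction-independent key so replies match the tracked connection
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (min(a, b), max(a, b))

    def process(self, p):
        if p.proto != TCP:
            self.logs.append(f"DROP proto={p.proto} {p.src}->{p.dst}")
            return "drop-logged"
        k, flags = self._key(p), p.flags
        state = self.conns.get(k)
        if state is None:
            if flags & SYN and not flags & ACK:
                if (p.dst, p.dport) in self.allowed:
                    self.conns[k] = "SYN_SENT"
                    return "accept"
                self.logs.append(f"DENY policy {p.src}:{p.sport}->{p.dst}:{p.dport}")
                return "drop-logged"
            # no state and not a connection opener: invalid, dropped without a log
            self.invalid_tcp_dropped += 1
            return "drop-silent"
        if flags & RST:
            self.conns.pop(k, None)           # reset tears the connection down
            return "accept"
        if state == "SYN_SENT" and flags & SYN and flags & ACK:
            self.conns[k] = "SYN_RECV"
            return "accept"
        if state == "SYN_RECV" and flags & ACK and not flags & SYN:
            self.conns[k] = "ESTABLISHED"
            return "accept"
        if state == "ESTABLISHED":
            if flags & FIN:
                self.conns.pop(k, None)       # simplified one-sided teardown
            return "accept"
        # segment inconsistent with the tracked handshake state: invalid
        self.invalid_tcp_dropped += 1
        return "drop-silent"


def run_demo():
    """Feed constructed sample traffic through the tracker; returns
    (per-packet decisions, silent-drop counter, log lines)."""
    fw = StatefulFirewall(allowed_services=[("10.0.0.5", 443)])
    c, s, atk = "198.51.100.7", "10.0.0.5", "203.0.113.9"
    traffic = [  # constructed sample traffic
        Packet(TCP, c, 40001, s, 443, SYN, 0),         # three-way handshake
        Packet(TCP, s, 443, c, 40001, SYN | ACK, 0),
        Packet(TCP, c, 40001, s, 443, ACK, 0),
        Packet(TCP, c, 40001, s, 443, ACK, 517),       # data on established connection
        Packet(TCP, atk, 5555, s, 443, ACK, 0),        # ACK flood: no state, silent drop
        Packet(TCP, atk, 5556, s, 443, ACK, 0),
        Packet(TCP, atk, 5557, s, 22, SYN, 0),         # SYN to non-permitted port: logged
        Packet(47, atk, 0, s, 0, 0, 0),                # non-TCP (GRE) drop: logged
    ]
    decisions = [fw.process(p) for p in traffic]
    return decisions, fw.invalid_tcp_dropped, fw.logs


if __name__ == "__main__":
    d, n, logs = run_demo()
    print(d, n, logs, sep="\n")
```

The point of the counter is the operational caveat: the two flood segments in the sample produce no log lines at all, so a log-based detection would miss them; only the silent-drop counter reveals them.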
Time Requirements — The startup time of the HP TMS zl Module is closely coupled to the time on
the switch chassis in which the module is installed. When the switch chassis time is set, either by
SNTP or manually by the user, the TMS zl Module synchronizes to the switch's new time.