Release Notes: Version ST.1.0.090603 Software for the HP ProCurve Threat Management Services zl Module
These release notes include information on the following:
■ Downloading documentation from the Web (page 1)
■ Downloading and installing software updates (page 2)
■ Software fixes included in release ST.1.0.090603 (page 7)
■ Known Issues in release ST.1.0.090603 (page 15)
Support Notices
Caution: The HP ProCurve Series 5400 zl and 8200zl switches require software version K.13.
© Copyright 2009 Hewlett-Packard Development Company, LP. The information contained herein is subject to change without notice.
Contents
Software Management . . . . . 1
Download Switch Documentation from the Web . . . . . 1
View or Download the Software Manual Set . . . . . 1
Software Updates . . . . .
Software Management
Download Switch Documentation from the Web
You can download software updates and the corresponding product documentation from the ProCurve Networking Web site as described below.
View or Download the Software Manual Set
Go to: www.hp.com/go/procurve/manuals
You may want to bookmark this Web page for easy access in the future.
Software Updates
Controller 800, and HP ProCurve DCM Controller. The following hardware mobility products have a one-year hardware warranty with extensions available: HP ProCurve M111 Client Bridge, HP ProCurve MSM3xx-R Access Points, HP ProCurve MSM7xx Mobility and Access Controllers, HP ProCurve RF Manager IDS/IPS Systems, HP ProCurve MSM Power Supplies, HP ProCurve 1 Port Power Injector, and HP ProCurve CNMS Appliances.
Updating the Module Software Using the Web Browser Interface
This section describes how to use the Web browser interface to download software to the module. For more detailed information, refer to "Update Software with the Web Browser Interface" in the HP ProCurve Threat Management Services zl Module Management and Configuration Guide (ProCurve manuals).
7. Wait for this message in the Latest Status field: Success: Image download and install have completed successfully. (See Figure 1.)
8. Select the Reboot tab and click the Reboot button to complete the installation.
Updating the Module Software Using the CLI
Three separate processes are available for updating the module software using the TMS zl Module CLI.
4. When the prompt says that the installation is finished, reboot the module to complete the update.
hostswitch(tms-module-C)# reboot
Using a TFTP Server
1. Transfer the compressed image onto a TFTP server.
2. Initiate a console session with the host switch.
3. Enter the ProductOS context for the TMS zl Module.
hostswitch# services c 2
4. Copy the image from the server and install.
5. Reboot the module to complete the update.
7. Wait a few seconds, then mount the USB drive.
hostswitch(services-module-C:HD)# usb mount
8. Copy the image from the drive to the module. For example, if the image directory name is ST.1.0.090603, you would type:
hostswitch(services-module-C:HD)# usb copyfrom ST.1.0.090603
You can type the first few letters of the directory name, then press the Tab key to complete the name.
Software Fixes ST.1.0.090603 Release ST.1.0.090603 Software Fixes ST.1.0.090603 Software fixes are listed in chronological order, oldest to newest. Unless otherwise noted, each new release includes the software fixes added in all previous releases. Release ST.1.0.090213 was the first production software release for the HP ProCurve Threat Manage ment Services zl Module. Release ST.1.0.090603 The following problems were resolved in release ST.1.0.
■ PR_18770 — It was possible that a management denial of service would happen with the TMS zl Module if the httpd stopped or crashed. Now the httpd is added to a monitoring watchdog service that will automatically restart the httpd if it stops.
■ PR_19098 — TMS zl Module was not showing any log entries that were generated due to multicast traffic.
The log messages are no longer logged as critical. Instead the log message is displayed with severity as warning and with the priority as 4.
■ PR_38246 — Log messages with message IDs of 685 and 651 are logged as critical when they are not critical.
time="2009-03-25 15:51:17" severity=critical pri=1 fw=ProCurve-TMS-zl-Module id=fw_l2l3_attack msg="MCAST: packet spoof detected" srczone=INTERNAL src=10.1.70.1 srcport=0 dstzone=UNKNOWN_ZONE dst=224.0.0.
■ PR_39231 — Log message with message ID 643 is marked as critical but is not critical.
time="2009-04-15 09:25:53" severity=critical pri=1 fw=ProCurve-TMS-zl-Module id=fw_l2l3_attack msg="ICMP: packet with invalid sequence number appeared, packets dropped" srczone=INTERNAL src=192.168.80.1 dstzone=INTERNAL dst=192.168.80.
time="2009-04-15 10:18:48" severity=critical pri=1 fw=ProCurve-TMS-zl-Module id=fw_l2l3_attack msg="ICMP: echo response packet appeared without request, packets dropped" srczone=SELF src=192.168.80.1 dstzone=EXTERNAL dst=255.255.255.255 proto=ICMP icmptype=0 subfamid=icmppacketanomaly mtype=attack mid=642 icmpcode=0
■ PR_39337 — Log message with the message ID of 1356 is marked as critical but should not be critical.
■ PR_37838 — The log does not display the correct message when an attack is detected by IPS. The following log is displayed during an IPS attack:
time="2009-03-19 09:57:14" severity=critical pri=1 fw=ProCurve-TMS-zl-Module id=ips_attack_family rule=3331 msg="IPS detection: Allow: Backdoor FeRAT 1.00" src=192.168.1.20 srcport=1079 dst=192.168.3.
Monitor Mode
■ PR_14582 — In monitor mode, the CLI command ips help does not reflect the commands that are actually available in monitor mode as opposed to routing mode.
High Availability
■ PR_38385 — Connection reservations do not fail over from the Master to the Participant in an Active-Standby configuration.
Example (topology figure): PC DMZ 10.10.30.254 10.10.30.1 | TMS | Zone1 192.168.1.254 PC Server 192.168.1.
■ PR_38240 — Cannot import IPsec Certificates (intermittently fails) from the Web browser interface (VPN > Certificates > IPsec Certificates).
■ PR_38887 — In the Web browser interface, when viewing the IPsec VPN Tunnels, the local gateway IP address may be truncated in the display.
■ PR_39898 — A denial of service attack against the TMS zl Module is possible when an IPSecuritas client establishes a VPN connection with the TMS zl Module.
Known Issues
Known issues fixed in a later software release are indicated using the following format:
■ PR_xxxxxxxxxx — To confirm what release fixed the issue, use the issue number to search the PDF file.
Known issues that are open as of the latest software release appear as follows:
■ PR_xxxxxxxxxx —
Release ST.1.0.090603
The following problems are known issues as of release ST.1.0.090603.
Upgrading to ST.1.0.090603 from ST.1.0.
After the TMS zl Module has been updated to ST.1.0.090603, the following behavior is observed: the output of the switch CLI command show services detail reports the software version initially installed rather than the updated version. The output of the TMS zl Module CLI command show version is correct. Additionally, the software version information in the TMS zl Module's Web browser interface correctly identifies the updated version, ST.1.0.
■ PR_38154 — A misleading log entry is generated when logging in as the user Operator.
1. Open the TMS zl Module Web browser interface.
2. Login as Operator.
3. Go to the logging section.
4. Select the View Log tab.
5. Search for the log entry generated when logging in as Operator.
6.
■ PR_38705 — RIP: Connected VLANs are not sent correctly when Ripv1-v2 is set. The TMS zl Module does not send the connected VLANs to another router (R1) when the RIP version has been set as v1-v2. In the following example the TMS zl Module is using Ripv1-v2 and router R1 has RIP version 2 set.
Routes in TMS zl Module
Destination      Gateway         Metric  Distance  VLAN    Type
10.10.30.0/24    10.10.30.254    1       0         lan30   connected
10.10.40.0/24    10.10.40.
Routes in R1 when VLAN300 has v1-v2 enabled in TMS zl Module
Destination      Gateway         Metric  Distance  VLAN     Type
192.168.1.0/24   192.168.3.254   3       100       vlan300  rip
192.168.2.0/24   192.168.2.250   1       0         vlan200  connected
192.168.3.0/24   192.168.3.250   1       0         vlan300  connected
192.168.5.0/24   192.168.3.254   3       100       vlan300  rip
192.168.11.0/24  192.168.11.95   1       0         vlan1    connected
As a workaround, use RIP version 2 in the TMS zl Module.
Status and Counters - PIM-SM Learned RP-Set Information
Group Address  Group Mask   RP Address     Hold Time  Expire Time
224.0.0.0      240.0.0.0    192.168.3.253  150        100
239.0.0.0      255.192.0.0  92.168.3.253   150        100
3. Set a static RP
#router pim rp-address 192.168.2.253 224.0.0.0/6
4. Verify learned and static RP
#show ip pim rp-set
Status and Counters - PIM-SM Static RP-Set Information
Group Address  Group Mask   RP Address
224.0.0.0      240.0.0.0    192.168.2.
The "Log in" and "log out" log entries are displayed properly, but this log entry should not be generated.
■ PR_39239 — Some OSPF log entries have different priorities, can have duplicate entries, and lack general details.
■ PR_40312 — Log messages with message IDs of 609, 618, 629, and 659 are marked as critical but should not be critical. They should be a warning.
time="2009-05-08 21:13:47" severity=critical pri=1 fw=ProCurve-TMS-zl-Module id=fw_l2l3_attack msg="FW: udp packet header length is less than expected, packets dropped" srczone=INTERNAL src=192.168.70.100 srcport=0 dstzone=ZONE6 dst=192.168.70.
The initial output will show the erroneous output, but the rest of the output is unaffected.
Firewall
■ PR_38165 — When editing a connection reservation, the direction can't be modified. Example:
1. Go to the Firewall > Settings > Connection Allocations page.
2. Add a connection reservation. For example: Zone INTERNAL, direction = inbound, 10.10.40.1, Reservation count = 3
3. Edit the connection reservation added in step 2 and change the direction to outbound.
4.
time="2009-05-17 16:06:33" severity=major pri=2 fw=ProCurve-TMS-zl-Module id=fw_l2l3_attack msg="PingOfDeath attack detected" srczone=UNKNOWN_ZONE src=192.168.70.67 dstzone=UNKNOWN_ZONE dst=192.168.70.1 proto=ICMP subfamid=dosattack mtype=attack mid=1000
■ PR_40664 — Even though ICMP Error and ICMP Replay Message are not enabled in Attack Protection, the following log entry is still generated.
■ PR_40903 — When an L2TP Policy exists and is disabled, traffic continues passing through the tunnel. The L2TP Policy must be deleted. Example:
1. Go to VPN -> IPSec -> L2TP Remote Access.
2. Add an L2TP Policy.
3. Create access policies.
4. Verify that the traffic gets through the tunnel.
5. Edit the L2TP Policy and uncheck the Enable this policy check box. Traffic still gets through the tunnel.
Release ST.1.0.090213
Monitor Mode
■ PR_39263 — The following log messages are shown in Monitor Mode and are not applicable to Monitor Mode: mid=625, mid=626, mid=675, mid=715, mid=1008, and mid=1356.
time="2009-04-15 15:59:01" severity=warning pri=4 fw=ProCurve-TMS-zl-Module id=fw_l2l3_attack msg="FW: packet with invalid tcp flags found, packets dropped" srczone=INTERNAL src=192.168.80.5 srcport=48654 dstzone=INTERNAL dst=192.168.80.
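The log excerpts quoted in the Software Fixes and Known Issues sections share one key=value format, and several items (PR_39231, PR_39337, PR_40312 on mis-rated critical messages; PR_39263 on messages that do not apply in Monitor Mode) describe adjustments an operator may want to make in a log pipeline while running this release. The following is an added example, not HP code, of a small normalisation step that parses that format, re-rates the listed message IDs from critical (pri=1) to warning (pri=4, the mapping the notes give for PR_38246) and, in Monitor Mode, drops the IDs the notes call not applicable. The message-ID sets, the severity-to-pri table and the sample lines are taken from or modelled on the notes; where the printed notes truncate an address, the sample completes it with a constructed value.

```python
"""Normalise HP ProCurve TMS zl Module key=value log lines.

Added example (not HP code): parses the key=value log format quoted in the
release notes and applies the adjustments the notes justify for this release.
"""
import re

# Message IDs the notes say are wrongly marked critical and should be warning:
# PR_39231 (643), PR_39337 (1356), PR_40312 (609, 618, 629, 659).
MISRATED_CRITICAL = {609, 618, 629, 643, 659, 1356}

# Message IDs the notes say are not applicable in Monitor Mode (PR_39263).
MONITOR_MODE_NOISE = {625, 626, 675, 715, 1008, 1356}

# Severity label -> pri value, as printed in the notes' log lines.
SEVERITY_PRI = {"critical": 1, "major": 2, "minor": 3, "warning": 4, "info": 6}

# key=value or key="quoted value" pairs; spaces occur only inside quoted values.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return one log line as a dict of field name -> string value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def normalize(fields, monitor_mode=False):
    """Return an adjusted copy of a parsed entry, or None to drop it.

    Re-rates the mis-rated message IDs from critical to warning and, when the
    module runs in Monitor Mode, drops IDs the notes say do not apply there.
    Entries without a numeric mid (for example id=ssh) pass through unchanged.
    """
    out = dict(fields)
    raw_mid = out.get("mid", "")
    mid = int(raw_mid) if raw_mid.isdigit() else None
    if monitor_mode and mid in MONITOR_MODE_NOISE:
        return None
    if mid in MISRATED_CRITICAL and out.get("severity") == "critical":
        out["severity"] = "warning"
        out["pri"] = str(SEVERITY_PRI["warning"])
        out["rerated"] = "release-notes"  # keep the adjustment auditable
    return out


def process(lines, monitor_mode=False):
    """Parse and normalise a batch of lines, omitting suppressed entries."""
    results = []
    for line in lines:
        entry = normalize(parse_line(line), monitor_mode)
        if entry is not None:
            results.append(entry)
    return results


# Constructed sample lines modelled on the release notes' format.
SAMPLE_LOG = [
    'time="2009-04-15 09:25:53" severity=critical pri=1 fw=ProCurve-TMS-zl-Module id=fw_l2l3_attack msg="ICMP: packet with invalid sequence number appeared, packets dropped" srczone=INTERNAL src=192.168.80.1 dstzone=INTERNAL dst=192.168.80.2 proto=ICMP mtype=attack mid=643',
    'time="2009-05-17 16:06:33" severity=major pri=2 fw=ProCurve-TMS-zl-Module id=fw_l2l3_attack msg="PingOfDeath attack detected" srczone=UNKNOWN_ZONE src=192.168.70.67 dstzone=UNKNOWN_ZONE dst=192.168.70.1 proto=ICMP subfamid=dosattack mtype=attack mid=1000',
    'time="2009-04-15 15:59:01" severity=warning pri=4 fw=ProCurve-TMS-zl-Module id=fw_l2l3_attack msg="FW: packet with invalid tcp flags found, packets dropped" srczone=INTERNAL src=192.168.80.5 srcport=48654 dstzone=INTERNAL dst=192.168.80.1 proto=TCP mtype=attack mid=675',
    'time="2008-09-30 22:14:25" severity=warning pri=4 fw=ProCurve-TMS-zl-Module id=ssh msg="fatal: buffer_get_string: buffer error"',
]

if __name__ == "__main__":
    for entry in process(SAMPLE_LOG, monitor_mode=False):
        print(entry["severity"], entry["pri"], entry.get("mid", "-"), entry["msg"])
```

Run as-is, the script prints the first sample line re-rated to warning/4 and leaves the PingOfDeath and ssh lines untouched; with monitor_mode=True the mid=675 line is dropped. Keeping the re-rating marker in the output is deliberate: once a fixed release is installed the override list should be removed, and the marker shows which entries were altered by it.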
Related PRs: PR_0000000665, PR_0000001794, PR_0000002068, PR_0000002252, PR_0000002253, PR_0000002254, PR_0000002424, PR_0000002613, PR_0000003824
■ PR_0000000906 — When the Web browser interface of the TMS zl Module is left at the login screen without the user logging into the TMS zl Module, the inactivity timer still applies, resulting in the user having to go back to the login screen manually.
■ PR_0000003186 — From the CLI, the schedule command does not auto-complete when the Tab key is pressed as other commands from the command line do. For example, the following command will not auto-complete to daily when the Tab key is pressed after only dail is typed:
ProCurve Switch(tms-module-D:config)#schedule time1 dail
The impact to the user is that the entire parameter must be typed out.
■ PR_0000006127/PR_0000016218 — The output of the show run command will show an FDPoll Returned Error message, which is not relevant to the output and inconsequential. It can safely be ignored.
■ PR_0000007300/PR_0000007303 — From the CLI, the logging command does not auto-complete when the Tab key is pressed as other commands from the command line do. As a result, the user must fully type the parameter needed.
■ PR_0000008044 — The TMS zl Module has been configured for VLAN IP addresses and HA is enabled but not configured (that is, there is only one device in the cluster). If HA is subsequently disabled, the VLAN IP addresses are lost. This could result in a loss of management connectivity.
■ PR_0000008136 — Only 1,000 NAT Policies are supported on the TMS zl Module. The TMS zl Module incorrectly accepts more than 1,000 NAT policies.
time="2008-09-30 22:14:25" severity=warning pri=5 fw=ProCurve-TMS-zl-Module id=ssh msg="fatal: buffer_get_string: buffer error"
time="2008-09-30 22:14:25" severity=info pri=6 fw=ProCurve-TMS-zl-Module id=ssh msg="fatal: buffer_get_string: buffer error"
time="2008-09-30 22:14:25" severity=minor pri=3 fw=ProCurve-TMS-zl-Module id=ssh msg="fatal: buffer_get_string: buffer error"
■ PR_0000009486 — ICQ ALG does not allow two-way file transfer, but only one-way file transfer.
■ PR_0000011703 — When a TMS zl Module is moved between two switch chassis with different configurations, references to VLANs can remain on the OSPF and Multicast pages. Example:
1. Add several VLANs to the VLAN Associations page.
2. Enable RIP on one of the VLANs just added, for example, VLAN 40.
3. Enable OSPF on the same VLAN, for example, VLAN 40.
4. Enable Multicast on the same VLAN, for example, VLAN 40.
5. Save changes.
6.
2. Go to Maintenance > Update Software > Server Type drop-down selection box, or go to Authentication > RADIUS > Protocol drop-down selection box.
■ PR_0000012250 — In environments where high connection rates and high connection counts are in use, management interfaces can be slow or locked up. This will occur when the administrator has not specified a Priority VLAN for management in their configuration.
■ PR_0000013220 — When a software update is performed by retrieving the image via FTP, SCP, or TFTP, a generic error message is displayed for any user input error. For example, if the IP address is incorrect, if the username is wrong, or if the password is wrong, the error message simply indicates a failure and does not call out the specific problem.
■ PR_0000013324 — In the TMS zl Module CLI, the Help text for the copy command needs to be updated.
■ PR_0000014762 — In the Web browser interface, when the primary and secondary DNS servers' values are cleared, no error is reported, but the secondary DNS server's value is not cleared.
■ PR_0000014783 — When moving a TMS zl Module from one switch to another, DHCP Relay may not start if there is a mismatch in VLAN configuration between the switches.
■ PR_0000015448 — In the TMS zl Module CLI, when the attempt is made to modify the protocol or port number in a connection-settings command, the CLI displays the message Success: Updated connection timeout: , but when the show connection-settings timeout command is issued, the protocol or the port number wasn't changed. Example:
1.
■ PR_0000016231 — Some log entries for warning logs and information logs have messages that are truncated in the log viewer. Most log messages are not truncated, and those that are contain enough information that a user can tell what they are about. However, the messages have more information in them than can be displayed.
■ PR_0000016539 — When using the TMS zl Module CLI, the radius-server help command gives options that are not available.
■ PR_0000002485 — When there are a large number of firewall access policies, the Web browser interface may take some time to load these policies to display to a user. For example, with approximately 2,000 policies, loading them takes about 15 seconds or less. However, when the number of firewall access policies is increased to around 15,000, the time to load the Web page approaches three minutes.
2. From a separate management session, delete all access for that user group.
3. The user still has access through the firewall.
■ PR_0000011874 — On the Firewall > Access Policy > Unicast page in the Web browser interface, when adding a policy there is an advanced tab that allows for limit settings. The valid ranges for entries in connections, Kilobytes, packets, and seconds are not listed.
IPS/IDS
■ PR_0000010287 — In the signature file for the TMS zl Module, there are a few mentions of IPv6. This is incorrect. The TMS zl Module is an IPv4 only device.
■ PR_0000018204 — If you filter signatures by severity, then disable a family of signatures, the expected result is that all displayed signatures in that family will be disabled. However, the actual result is that only some of the signatures displayed get disabled.
■ PR_0000038240 — Cannot import IPsec Certificates (intermittently fails) from the Web browser interface (VPN > Certificates > IPsec Certificates).
■ PR_0000038887 — VPN connections truncate local gateway addresses, preventing a user from seeing all the information for an established tunnel.
High Availability (Active/Standby)
■ PR_0000007372 — From the TMS zl Module CLI, the high-availability command does not accept CIDR notation.
Expected Results: The module with priority set to one (original Master) becomes Master again.
Actual Results: The device with lower priority joins the cluster as Master and the one with higher priority joins as Participant.
At first glance, this seems to be incorrect, but it is actually done by design. It is assumed that there is something wrong with the module that failed, for example, an intermittent problem.
■ PR_0000007533 — If the TMS zl Module is in monitor mode, the IDS logs incorrectly show zones Internal and Zone6 in the logs for data and management. These zone references are not correct and should be ignored.
■ PR_0000011929 — When in monitor mode and using the TMS zl Module CLI, if you add a management IP address, the CIDR format of IP-Address/mask is not accepted and you must enter the IP address and Subnet Mask as separate values.