Release Notes: Version ST.1.1.100430 Software for the HP ProCurve Threat Management Services zl Module These release notes include information on the following: ■ Downloading documentation from the Web (page 1) ■ Downloading and installing software updates (page 2) ■ Special Considerations prior to updating (page 6) ■ Clarifications (page 10) ■ Enhancements (page 15) ■ Software fixes included in release ST.1.1.
© Copyright 2009-2010 Hewlett-Packard Development Company, LP. The information contained herein is subject to change without notice.
Contents
Software Management
Download Documentation from the Web  1
View or Download the Software Manual Set  1
Software Updates  1
Software Releases and Support
Software Fixes in Releases ST.1.0.090213 - ST.1.1.100430
Release ST.1.0.090213  18
Release ST.1.0.090603  18
General
IPS/IDS  52
Monitor Mode  53
High Availability  53
VPN
Software Management
Download Documentation from the Web
You can download software updates and the corresponding product documentation from the ProCurve Networking Web site as described below.
View or Download the Software Manual Set
Go to: www.hp.com/go/procurve/manuals
You may want to bookmark this Web page for easy access in the future.
Software Updates
Controller 800, and HP ProCurve DCM Controller. The following hardware mobility products have a one-year hardware warranty with extensions available: HP ProCurve M111 Client Bridge, HP ProCurve MSM3xx-R Access Points, HP ProCurve MSM7xx Mobility and Access Controllers, HP ProCurve RF Manager IDS/IPS Systems, HP ProCurve MSM Power Supplies, HP ProCurve 1 Port Power Injector, and HP ProCurve CNMS Appliances.
6. Click Download and install to download the software to the module and install it.
Figure 1. A Successful TMS zl Module Software Update Using the Web Browser Interface
7. Wait for this message in the Latest Status field: Success: Image download and install have completed successfully. (see Figure 1).
8. Select the Reboot tab and click the Reboot button to complete the installation.
3. Enter the ProductOS context for the TMS zl Module.
Syntax: services name tms-module
Replace with the letter for the chassis slot in which the module is installed.
Example: hostswitch# services c name tms-module
OR
Syntax: services
Replace with the letter for the chassis slot in which the module is installed.
2. Initiate a console session with the host switch.
3. Enter the ProductOS context for the TMS zl Module.
hostswitch# services c 2
4. Copy the image from the server and install.
5. Reboot the module to complete the update.
hostswitch(tms-module-C)# reboot
For example, suppose that you copied the image to a TFTP server that has the parameters shown below:
• IP address—192.168.1.13
• Filename—ST.1.1.100430.
Special Considerations Prior to Updating
You can type the first few letters of the directory name, then press the Tab key to complete the name. You might need to add the last few characters of the directory name if the USB drive contains more than one image.
9. Update the software. For example, if the new image directory is ST.1.1.100430, you would type:
hostswitch(services-module-C:HD)# update product ST.1.1.100430
Again, you can use tab completion for the file name.
10.
Environments that should not update
■ TMS zl Modules that are running above 75% CPU utilization (see note 1), regardless of configuration.
1. CPU utilization can be determined by looking at the dashboard in the Web browser interface of the TMS zl Module during working hours or during times of high traffic load.
GRE Tunnels
When updating to ST.1.1.100430 from ST.1.0.090213 or ST.1.0.
After updating to ST.1.1.100430 from ST.1.0.090213 or ST.1.0.090603, the traffic selectors are migrated but the GRE tunnel is down.
The administrator will have to manually enter the Tunnel Peer IP address to get the GRE tunnel back up. Once the GRE tunnel is back up, the administrator can take advantage of new GRE features available with release ST.1.1.
Clarifications
HP Security Policy and Release Notes
Per HP policy, a Security Bulletin must be the first published notification of a security defect. Fixes to security defects are not documented in release notes, also by HP policy. The official communication for security defect fixes will always be through HP Security Bulletins. For more information on security bulletins, and information on how to subscribe to them, please see the http://www.procurve.
IAS RADIUS Configuration - Special Steps
If you use the IAS wizard, you need to remove the port-type attribute after a remote access policy is configured. The following screens show the process for removing this attribute. First, right-click the policy and choose to view its properties.
The condition NAS-Port-Type matches 'Virtual [VPN]' AND, was automatically configured by the wizard, but it is not supported by the TMS zl Module. It must be removed. Highlight this port attribute policy and click Remove. After removing the unsupported port attribute condition, the policy is shown below.
For more information, the updated Management and Configuration Guide for the HP ProCurve Threat Management Services zl Module on the ProCurve Web site contains an example of setting up a custom policy using the wizard. This example shows the attributes that the TMS zl Module supports. Any non-supported policy attributes must be removed before a policy can be used with the TMS zl Module.
Application Layer Gateways (ALGs)
If you upgrade from ST.1.0 to ST.1.
Enhancements
ST.1.1.100430
The following enhancements were added in this update.
Log Threshold Monitoring
This feature evaluates the logging engine's resource consumption on the TMS zl Module. If the resource consumption becomes high enough to negatively impact the performance of the module, the logging threshold monitor will reset the log severity threshold to Critical and log a critical message to notify an administrator that it did so.
IPS Protection Levels
The Intrusion Prevention > Signatures > View screen contains a new field, Protection:, where filters are provided to select for viewing IDS/IPS Signatures based on the protection they provide. The filter choices are illustrated below. Please see the updated Management and Configuration Guide for the HP ProCurve Threat Management Services zl Module on the ProCurve Web site for details on how to configure and use this new feature.
RADIUS authentication for management logins
Please see the updated Management and Configuration Guide for the HP ProCurve Threat Management Services zl Module on the ProCurve Web site for details on how to configure and use this new feature.
RADIUS authentication for L2TP users
Please see the updated Management and Configuration Guide for the HP ProCurve Threat Management Services zl Module on the ProCurve Web site for details on how to configure and use this new feature.
Software Fixes in Releases ST.1.0.090213 - ST.1.1.100430
Software fixes are listed in chronological order, oldest to newest. Unless otherwise noted, each new release includes the software fixes added in all previous releases. Release ST.1.0.090213 was the first production software release for the HP ProCurve Threat Management Services zl Module.
Release ST.1.0.090213
No problems resolved in release ST.1.0.090213.
Release ST.1.0.090603
■ PR_17313 — For a VLAN association, the user can specify DHCP as a method for getting an IP address for the TMS zl Module. If the user goes in and edits the VLAN association and changes the IP address method to a Static IP address, the DHCP client process still runs in the background and can overwrite the static IP address.
time="2009-03-30 09:17:09" severity=critical pri=1 fw=ProCurve-TMS-zl-Module id=fw_l2l3_attack msg="FW: packet with invalid tcp flags found, packets dropped" srczone=INTERNAL src=192.168.0.134 srcport=18155 dstzone=EXTERNAL dst=192.168.1.128 dstport=80 proto=TCP subfamid=packetheaderanomaly mtype=attack mid=625
The log messages are no longer logged as critical.
■ PR_38564 — The log message with the message ID of 648 is marked as critical but should not be.
time="2009-04-01 11:41:59" severity=critical pri=1 fw=ProCurve-TMS-zl-Module id=fw_l2l3_attack msg="ICMP:Error message not allowed by firewall" srczone=INTERNAL src=192.168.0.1 dstzone=EXTERNAL dst=192.168.1.
time="2009-04-15 10:20:00" severity=critical pri=1 fw=ProCurve-TMS-zl-Module id=fw_l2l3_attack msg="FW: icmp header is less than expected, packets dropped" srczone=EXTERNAL src=192.168.80.5 dstzone=SELF dst=192.168.80.
■ PR_18204 — If you filter signatures by severity, then disable a family of signatures, the expected result is that all displayed signatures in that family will be disabled. However, the actual result is that only some of the signatures displayed get disabled. This can be observed by viewing info signatures, then disabling the XSS family. When the operation completes, refresh the page, and view info signatures.
srcport=1050 dst=192.168.3.
■ PR_38223 — When adding an IPsec policy with action Bypass or Ignore, and setting the direction to Inbound, the traffic selector's local and remote addresses would be swapped.
■ PR_38226 — Changing a bypass or ignore IPsec policy to apply shows an erroneous key exchange method.
■ PR_38228 — A misleading error occurs when the traffic selector's IP range starts or ends with 255. Workaround: Correct the range.
Release ST.1.1.100226
The following problems were resolved in release ST.1.1.100226.
General
■ PR_813 — Web browser interface does not function without JavaScript enabled and does not notify user that JavaScript is required.
■ PR_961 — The initial login banner text of the Web browser interface in the TMS zl Module differs in size depending on whether the user is accessing it with HTTP or HTTPS.
■ PR_11856 — When using the Web browser interface, an error message is displayed when a valid IP Address is trying to be set in some pages, such as RADIUS, IPsec Policies, and so forth. For example, this may occur when an otherwise valid IP address is added with a final space at the end.
■ PR_12802 — When adding an NSSA or STUB area to the OSPF configuration, leading zeros in the area ID are flagged as an error.
■ PR_18145 — In the Web browser interface, if a VLAN is added with an invalid IP address in the range 224.0.0.0 - 254.255.255.255, an error is returned stating: VLAN could not be added. Failed to add VLAN IP address. The VLAN is actually added, though not associated to any zone. In the CLI, the error message only states: Error: Failed to set VLAN IP address.
■ PR_37988 — Upgrading to an ST.1.1.XXXXXX release from any ST.1.0.
Monitor Mode
■ PR_17758 — In monitor mode, when IPS full inspection is turned on and the FTP ALG is turned off, sending an FTP copy of the startup configuration to the network fails with a broken pipe error.
High Availability
■ PR_8325 / PR_14916 — When configured for High Availability, the Rebalance button in the Web browser interface is not needed for an Active/Standby configuration.
■ PR_40301 — GRE Tunnel displayed GREv2 Error in tcpdump when attempting to verify the connectivity with a ping packet.
■ PR_40313 — When adding a RADIUS server, the administrator can specify a NAS-ID that accepts a script as input, allowing code injection to the RADIUS Web interface page.
■ PR_40319 — In the log file, log entries with the following message IDs may truncate the username: 1213, 1214, and 1204.
Release ST.1.1.100330
■ PR_51483 — Enabling IP compression and disabling fragmentation causes a TMS crash in Site-to-Site VPNs. Steps:
1. Configured site-site VPN tunnel with one host each end: HOST1(10.11.0.10)-----TMS1----(VPN)----TMS2----HOST2(10.13.0.10)
2. Host2 sends a large ping using: ping 10.11.0.10 -s 64000. TMS2 works fine, TMS1 fails.
Release ST.1.1.100430
■ PR_49894 — TMS zl Module Web browser interface performance. The related HA + IPS issue is scheduled to be addressed in the May-June 2010 release. Should not affect users with < 75% CPU utilization.
■ PR_50615 — Unable to monitor RAM and CPU performance via SNMP.
■ PR_43869 — When a Zone is renamed, the new Zone name does not show up in log files.
■ PR_46963 — When rate limit reaches the limit defined per policy, a log message is generated for every packet drop.
■ PR_50209 — Log messages with mid=615, 1350, 1355, 624, 621, 605 are not critical but classified as critical.
the certificate again results in a dialog that indicates "the certificate authority already exists". The CA certificate doesn't display on CLI either. The CA certificate is actually stored and used in communication, but isn't displayed.
■ PR_52763 — In the Web browser interface, the 'operator' user was allowed to flush VPN connections like a 'manager' user.
Known Issues
Known issues fixed in a later software release are indicated using the following format:
■ PR_xxxxxxxxxx — To confirm what release fixed the issue, use the issue number to search the PDF file.
Known issues that are open as of the latest software release appear as follows:
■ PR_xxxxxxxxxx —
Release ST.1.1.100430
The following problems are known issues as of release ST.1.1.100430.
Firewall
■ PR_42671 — A log message is generated for a TCP sequence number but shows ICMP as the protocol.
time="2009-07-08 19:39:33" severity=warning pri=5 fw=ProCurve-TMS-zl-Module id=fw_access_control ruleid=10 msg="FW: tcp sequence number translation failed, packets dropped" srczone=INTERNAL src=192.168.80.2 dstzone=INTERNAL dst=192.168.70.2 proto=ICMP rcvd=0 rcvdsc=0 sent=36 sentsc=0 srcnatport=0 destnatport=0 destnatipaddr=0.0.0.
passed in this condition. A troubleshooting technique is to check for VLAN tagging if there is a problem with passing traffic. If it occurs, it can be fixed by doing the tagging manually in the switch configuration using the switch CLI.
■ PR_55486 — The Web browser interface limits the insert-at value to be from 1 to 9999 while the command line interface does not impose a higher limit.
Workaround: When using this configuration, use tracert to validate connectivity to the TMS. To validate connectivity to an external destination in this configuration, use trace route from the TMS.
Monitor Mode
■ PR_54944 — An invalid critical log message can be generated in monitor mode with no message content. The message id is 337.
■ PR_56203 — In Monitor Mode, the log messages with identifiers 100000 and 99999 are missing content, date, and time.
5406#(config) "connection-settings timeout default icmp 5"
Another workaround is to disable the FW attack setting ICMP replay.
■ PR_54897 — If a VLAN is configured with DHCP and the lease expires, and the master gets a different IP address from the DHCP server, the IP address does not get synced to the participant. When the participant takes over after a failover, it will use the old IP address.
■ PR_54925 — Shrew Soft VPN client cannot establish the tunnel when XAUTH is enabled.
■ PR_55003 — VPN client will remain connected even if the IPsec policy is disabled.
■ PR_55116 — Shrew Soft VPN client cannot establish the tunnel when RSA is being used for IPsec authentication.
■ PR_55129 — Shrew Soft VPN client can establish the tunnel when the 'Enable extended sequence number' option is selected, but no traffic flows.
Note: for ip-addr no mcast ip should be accepted and for distinguished name the valid value should be something like /CN=example.local
■ PR_55807 — The TMS allows user groups to be removed even when there are L2TP users and access-policies associated to it. There should be a warning explaining that removing the group will leave the L2TP user unable to access resources and that any access-policy associated to the group will be deleted as well.
proto=0 rcvd=0 rcvdsc=0 sent=0 sentsc=0 srcnatport=0 username=user1@tms01.local destnatport=0 destnatipaddr=0.0.0.0 subfamid=accessdeny mtype=access_control mid=4521 srcnatipaddr=0.0.0.0
■ PR_54222 — L2TP/PPP logging does not contain user IP address nor the username.
■ PR_54222 — A terse error message is seen when doing a 'show l2tp user' command and the user is not defined. Example:
ProCurve Switch 8212zl(tms-module-D)# show l2tp user a
Software Revision : ST.1.1.
Release ST.1.1.100226/ST.1.1.100330
The following problems are known issues as of release ST.1.1.100226.
General
■ PR_9285 / PR_9286 — For RIP, there are some minor issues when interoperating between RIP version 1 and RIP version 2 on the switch. As a general recommendation when using a TMS zl Module, always standardize on RIP version 1 or RIP version 2, with RIP version 2 preferred.
■ PR_42753 — In the TMS zl Module CLI, the show ip command's output has domain misspelled as Dommain.
■ PR_42760 — The TMS zl Module SNMPv3 server only supports security level authPriv for SNMPv3 users.
■ PR_42887 — Changing the hostname in the Web browser interface does not change the hostname in the CLI immediately. A current user of the CLI must logout and log back in again to see the change reflected in the prompt.
■ PR_44788 — When trying to add an IP route via the CLI, an error is shown without any error message. This situation happens when there are two CLI sessions and when one CLI session does a show ip route, and then the other CLI session tries to add a route.
ProCurve Switch 5406zl(tms-module-C)# 10.10.10.254 ip route 192.168.3.27 255.255.255.
8. In the destination field, specify a Unicast IP address.
A Unicast IP address in the destination field should cause an error message. Instead, no error message is displayed and the incorrect IP address is accepted.
■ PR_45671 — In the Web browser interface, Firewall > Access Policies > Addresses, duplicate Network (IP/mask) entries can be added for a given name. For instance, 10.10.10.0/24, 10.10.20.0/24, 10.10.10.0/24 could be added under a given name.
3. Add a Source NAT policy (e.g., NAT from Zone1 > External, Services FTP, HTTP, SSH; Source Any, dst 10.10.100.1-10-10.100.20, NAT value 10.10.100.111)
4. Open FTP server or any of the basic services
5. Verify IP address gets translated on the destination zone
6. Send ICMP traffic
7. Verify IP address gets translated on the destination zone when it should not be.
■ PR_52440 — Performance-related IPS issue, scheduled to be addressed in the May-June 2010 release. Should not affect users with < 75% CPU utilization.
■ PR_52604 — In the Web browser interface the Dashboard has a field for Chassis Name but never displays anything. In the TMS zl Module CLI, the command show system-information also shows a field for Chassis Name but doesn't display any value for it.
■ PR_15088 — The connection for DNS will have a high timeout value in some circumstances when a customer uses a DNS address object and performs a modification to the address object content. Customer will see a high timeout when doing show connections and can use the no connections command to remove any problematic sessions.
■ PR_15293 — A lot of firewall logs are generated for normal management activities.
■ PR_42210 — The local users cannot login to the TMS zl Module Web browser interface via HTTP. Steps:
1. Open the browser and connect to TMS zl Module Web browser interface via http.
2. Set the local user's name into the User name text field.
3. Set the local user's password into the Password text field.
4. Press the Login button.
The logon fails; the TMS zl Module Web browser interface displays Invalid Login!.
DMZ maps to the name in the 4th row of the Zone table (4).
ZONE1 maps to the name in the 5th row of the Zone table (5).
ZONE2 maps to the name in the 6th row of the Zone table (6).
ZONE3 maps to the name in the 7th row of the Zone table (7).
ZONE4 maps to the name in the 8th row of the Zone table (8).
ZONE5 maps to the name in the 9th row of the Zone table (9).
ZONE6 maps to the name in the 10th row of the Zone table (10).
msg: IP header checksum failed
msg: FW: gre packet header length is less than expected, packets dropped
msg: MCAST: icmp packet type is unknown, packets dropped
■ PR_50433 — When DHCP is used as the IP address acquisition method for VLANs, the TMS zl Module can take a long time to reboot as it has to acquire an IP address for each VLAN serially.
Monitor Mode
■ PR_42670 — Firewall Logs are shown for broadcast packets in monitor mode.
time="2009-07-08 19:36:37" severity=warning pri=5 fw=ProCurve-TMS-zl-Module id=fw_access_control ruleid=0 msg="FW: no access policy found, packets dropped" srczone=ZONE6 src=10.255.134.37 srcport=137 dstzone=ZONE6 dst=10.255.135.255 dstport=137 proto=UDP rcvd=0 rcvdsc=0 sent=0 sentsc=0 srcnatport=0 destnatport=0 destnatipaddr=0.0.0.
Master device in the cluster. This happens because the participant device is not reachable from NIMv2 and the Master device show high-availability does not show in its output the real identity of the Participant.
■ PR_14506 — Last Signature Download field is not synchronized on HA.
■ PR_18230 — Members for Cluster Id dialog showing Chassis IP No Switch Manag.
Although the user is warned, if the HA VLAN and HA IP Address are not configured prior to reboot, the TMS will fail to initialize VLANs properly and no new VLANs can be added. To return to proper operation, configure the HA VLAN and HA IP Address appropriate for your network. For example:
ProCurve 5406zl(tms-module-C:config)# high-availability vlan 10
Success: HA VLAN set to: 10
ProCurve5406zl(tms-module-C:config)# high-availability ip 172.16.100.100 255.
■ PR_43471 — With IPsec using a DSA or RSA Certificate, a TMS zl Module and a ProCurve Secure Router 7100 fail to authenticate as IPsec peers.
■ PR_43916 — RADIUS authentication for L2TP users could result in the user's connection getting established and immediately getting disconnected without notification. The RADIUS server must return the service-type attribute with a value of framed.
Notice a log similar to this one:
time="2009-09-24 17:19:33" severity=minor pri=3 fw=ProCurve-TMS-zl-Module id=fw_l2l3_attack msg="Invalid source & destination: dropping packet" srczone=ZONE6 src=172.15.2.254 srcport=0 dstzone=ZONE5 dst=172.15.2.250 dstport=0 proto=GRE subfamid=dosattack mtype=attack mid=1530
■ PR_45634 — An incorrect IP address is accepted in the destination field when editing a multicast policy. Steps:
1.
5. Click Generate Certificate Request
6. Click the Save link to save the configuration
7. Make a backup of the configuration
8. Restore default configuration of the TMS zl Module
9. Restore to the previously saved configuration
10. Verify that the IPsec Certificates are properly restored
Actual certificates are saved and restored, but Certificate Signing Requests are not.
■ PR_48372 — VPN traffic can be denied without a proper log message.
■ PR_50586 — RADIUS server modification is not allowed after an L2TP connection. Steps to recreate:
1. Create a global RADIUS server (the server for example.com)
2. Use an L2TP connection to login a user with the domain name that corresponds to the global name (example.com), but without specifying the domain name.
3. Log out the user.
4. Attempting to delete or modify the global RADIUS server is not allowed.
Release ST.1.0.090603
The following problems are known issues as of release ST.1.0.090603.
Upgrading to ST.1.0.090603 from ST.1.0.090213
PR_41849/PR_41855 — After upgrading, the switch command line reports the first installed TMS zl Module software version (ST.1.0.090213) rather than the updated version (ST.1.0.090603). When the TMS zl Module is running ST.1.0.
General
■ PR_38053 — Unnecessary log information is displayed when an invalid user tries to login via SSH.
1. Open the TMS zl Module Web browser interface.
2. Go to the logging section.
3. Select the View Log tab.
4. Open a tool that allows connecting via SSH to the TMS zl Module.
5. Try to login to the TMS with an invalid user.
6.
The second log entry should not be displayed.
■ PR_38181 — The wrong log entry is generated when logging in as a local user.
1. Open the TMS zl Module Web browser interface.
2. Login as a previously created local user.
3. Go to the logging section.
4. Select the View Log tab.
5. Search for the log entry generated when logging in as the Local user previously created.
6.
Routes in R1 when VLAN300 has v2 enabled in TMS zl Module
Destination      Gateway        Metric  Distance  VLAN     Type
10.10.30.0/24    192.168.3.254  3       100       vlan300  rip
10.10.40.0/24    192.168.3.254  3       100       vlan300  rip
192.168.1.0/24   192.168.3.254  3       100       vlan300  rip
192.168.2.0/24   192.168.2.250  1       0         vlan200  connected
192.168.3.0/24   192.168.3.250  1       0         vlan300  connected
192.168.5.0/24   192.168.3.254  3       100       vlan300  rip
192.168.11.0/24  192.168.11.
Routes in R1 when VLAN300 has v1-v2 enabled in TMS zl Module
Destination      Gateway        Metric  Distance  VLAN     Type
192.168.1.0/24   192.168.3.254  3       100       vlan300  rip
192.168.2.0/24   192.168.2.250  1       0         vlan200  connected
192.168.3.0/24   192.168.3.250  1       0         vlan300  connected
192.168.5.0/24   192.168.3.254  3       100       vlan300  rip
192.168.11.0/24  192.168.11.95  1       0         vlan1    connected
As a workaround, use RIP version 2 in the TMS zl Module.
Status and Counters - PIM-SM Learned RP-Set Information
Group Address  Group Mask   RP Address     Hold Time  Expire Time
224.0.0.0      240.0.0.0    192.168.3.253  150        100
239.0.0.0      255.192.0.0  92.168.3.253   150        100
3. Set a static RP
#router pim rp-address 192.168.2.253 224.0.0.0/6
4. Verify learned and static RP
#show ip pim rp-set
Status and Counters - PIM-SM Static RP-Set Information
Group Address  Group Mask   RP Address
224.0.0.0      240.0.0.0    192.168.2.
The "Log in" and "log out" log entries are displayed properly but this log entry should not be generated.
■ PR_39239 — Some OSPF log entries have different priorities, can have duplicate entries, and lack general details.
■ PR_40312 — Log messages with message IDs of 609, 618, 629, and 659 are marked as critical but should not be critical. They should be a warning.
time="2009-05-08 21:13:47" severity=critical pri=1 fw=ProCurve-TMS-zl-Module id=fw_l2l3_attack msg="FW: udp packet header length is less than expected, packets dropped" srczone=INTERNAL src=192.168.70.100 srcport=0 dstzone=ZONE6 dst=192.168.70.
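Several entries in these notes (PR_38564, PR_50209 and PR_40312 here) describe TMS zl Module log messages whose severity field is wrong on affected releases, and the notes quote the module's key=value log line format. The following is an added example, not HP's code, showing how a log collector can parse that format and downgrade the message IDs the notes list before alerting on severity=critical. The sample lines are constructed in the page's format (addresses and messages are made up); mapping the PR_50209 set to "warning" is an assumption, since the notes only say those IDs are "not critical".

```python
import re
from collections import Counter

# Tokenizer for the TMS zl Module log format quoted in these release notes:
# space-separated key=value pairs, with values either bare (severity=critical)
# or double-quoted when they contain spaces (msg="...").
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_tms_log(line):
    """Return one log line as a dict; surrounding quotes are stripped from values."""
    record = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        record[key] = value
    return record


# Message IDs the notes say are logged as critical but should not be.
# PR_40312: 609, 618, 629, 659 should be warning.
# PR_50209: 615, 1350, 1355, 624, 621, 605 are "not critical"; the warning
# target for that set is an assumption made for this example.
MISCLASSIFIED_MIDS = {
    "609": "warning", "618": "warning", "629": "warning", "659": "warning",
    "615": "warning", "1350": "warning", "1355": "warning",
    "624": "warning", "621": "warning", "605": "warning",
}


def normalize_severity(record, overrides=MISCLASSIFIED_MIDS):
    """Copy the record, replacing a known-wrong 'critical' with the corrected level.

    Only the documented misclassification (critical on a listed mid) is touched;
    any other severity is left as the module reported it.
    """
    adjusted = dict(record)
    adjusted["severity_adjusted"] = False
    mid = record.get("mid")
    if mid in overrides and record.get("severity") == "critical":
        adjusted["severity"] = overrides[mid]
        adjusted["severity_adjusted"] = True
    return adjusted


def triage(lines):
    """Parse and normalize a batch of lines; return the records and a severity count."""
    records = [normalize_severity(parse_tms_log(line)) for line in lines]
    return records, Counter(r["severity"] for r in records)


# Constructed sample lines in the page's format (not taken from a real device).
SAMPLE_LINES = [
    # mid 609: one of the IDs PR_40312 says is wrongly marked critical
    'time="2009-05-08 21:13:47" severity=critical pri=1 fw=ProCurve-TMS-zl-Module '
    'id=fw_l2l3_attack msg="FW: udp packet header length is less than expected, packets dropped" '
    'srczone=INTERNAL src=192.168.70.100 srcport=0 dstzone=ZONE6 dst=192.168.70.200 '
    'dstport=0 proto=UDP subfamid=packetheaderanomaly mtype=attack mid=609',
    # mid 1001: a genuine attack detection, severity must be left alone
    'time="2009-05-17 16:06:33" severity=major pri=2 fw=ProCurve-TMS-zl-Module '
    'id=fw_l2l3_attack msg="Jolt attack detected" srczone=UNKNOWN_ZONE src=192.168.70.67 '
    'srcport=0 dstzone=UNKNOWN_ZONE dst=192.168.70.250 dstport=0 proto=UDP '
    'subfamid=dosattack mtype=attack mid=1001',
    # mid 1350: in the PR_50209 list
    'time="2009-05-17 16:07:02" severity=critical pri=1 fw=ProCurve-TMS-zl-Module '
    'id=fw_l2l3_attack msg="constructed sample message" srczone=INTERNAL '
    'src=192.168.70.10 dstzone=EXTERNAL dst=192.168.1.20 proto=TCP mid=1350',
]

if __name__ == "__main__":
    records, counts = triage(SAMPLE_LINES)
    for r in records:
        flag = " (downgraded)" if r["severity_adjusted"] else ""
        print(f'mid={r["mid"]:>5} severity={r["severity"]}{flag}: {r["msg"]}')
    print(dict(counts))
```

Apply the override table only to collectors fed by a module running one of the affected releases; once the module is updated to a release whose fix list includes the PR, the entry should be dropped so a real critical with that ID is not silently downgraded.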
Firewall
■ PR_15088 — A stateful firewall connection using a DNS object will have a high timeout value when the DNS address object is modified while the connection is active. Using the show connections command from the TMS zl Module CLI will show a high timeout value. For these connections, the no connections command can be used to remove any problematic sessions.
■ PR_38165 — When editing a connection reservation, the direction can't be modified. Example:
1.
time="2009-05-17 16:06:33" severity=major pri=2 fw=ProCurve-TMS-zl-Module id=fw_l2l3_attack msg="Jolt attack detected" srczone=UNKNOWN_ZONE src=192.168.70.67 srcport=0 dstzone=UNKNOWN_ZONE dst=192.016870.1 dstport=0 proto=UDP subfamid=dosattack mtype=attack mid=1001
time="2009-05-17 16:06:33" severity=major pri=2 fw=ProCurve-TMS-zl-Module id=fw_l2l3_attack msg="PingOfDeath attack detected" srczone=UNKNOWN_ZONE src=192.168.70.67 dstzone=UNKNOWN_ZONE dst=192.168.70.
VPN
■ PR_40354 — When 4893 Internet Key Exchange Security Associations are established, no more IKE responses are generated by the TMS zl Module and no logs reporting this condition are generated.
■ PR_40903 — When an L2TP Policy exists and is disabled, traffic continues passing through the tunnel. The L2TP Policy must be deleted. Example:
1. Go to VPN > IPsec > L2TP Remote Access.
2. Add an L2TP Policy.
3. Create access policies.
4.
■ PR_38948 — In an HA environment, should the administrator need to delete the fail-over connections on a participant, they can only delete up to 200,000 connections at a time and not the entire connection list (up to 600,000).
Monitor Mode
■ PR_39263 — The following log messages are shown in Monitor Mode and are not applicable to Monitor Mode: mid=625, mid=626, mid=675, mid=715, mid=1008, and mid=1356.
Release ST.1.0.090213
The following problems are known issues as of release ST.1.0.090213.
■ PR_665 — When an IPv4 address is entered into a field, whether through the Web browser interface or the CLI, the TMS zl Module does not fully validate the address for the field in which it is used. For example, a multicast or broadcast address is accepted in source address fields.
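Because of PR_665, an address that can never be a legitimate packet source (a multicast group, the limited broadcast address, 0.0.0.0) can end up in a firewall policy and silently never match. The following is an added example, not HP code, of the field-aware check a configuration tool or change-review script can apply before pushing a policy to the module. The field kinds (src, dst_unicast, dst_multicast, gateway) and the function names are assumptions made for the example.

```python
"""Field-aware IPv4 address validation (the check PR_665 says is missing).

Added example, not HP code. The field kinds are assumptions for illustration.
"""
import ipaddress
from typing import Dict, Optional, Set

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def classify(addr: ipaddress.IPv4Address) -> str:
    """Name the address class that the per-field rules are written against."""
    if addr.is_unspecified:          # 0.0.0.0
        return "unspecified"
    if addr == LIMITED_BROADCAST:    # 255.255.255.255
        return "broadcast"
    if addr.is_loopback:             # 127.0.0.0/8
        return "loopback"
    if addr.is_multicast:            # 224.0.0.0/4
        return "multicast"
    if addr.is_reserved:             # 240.0.0.0/4, broadcast already handled above
        return "reserved"
    return "unicast"


# Which address classes each kind of field may legitimately hold (assumed field names).
ALLOWED: Dict[str, Set[str]] = {
    "src": {"unicast"},
    "dst_unicast": {"unicast"},
    "dst_multicast": {"multicast"},
    "gateway": {"unicast"},
}


def check_ipv4_for_field(text: str, field: str) -> Optional[str]:
    """Return None when the value is acceptable, otherwise the reason it is rejected."""
    if field not in ALLOWED:
        raise ValueError(f"unknown field kind: {field!r}")
    try:
        # IPv4Address rejects IPv6 text too, which matches an IPv4-only device.
        addr = ipaddress.IPv4Address(text.strip())
    except ValueError as exc:
        return f"malformed IPv4 address {text!r}: {exc}"
    kind = classify(addr)
    if kind not in ALLOWED[field]:
        return f"{kind} address {addr} is not allowed in a {field} field"
    return None


def check_unicast_policy(src: str, dst: str) -> Dict[str, str]:
    """Validate both endpoints of a unicast access policy; an empty dict means OK."""
    problems: Dict[str, str] = {}
    for field, value in (("src", src), ("dst_unicast", dst)):
        reason = check_ipv4_for_field(value, field)
        if reason:
            problems[field] = reason
    return problems


if __name__ == "__main__":
    # Constructed inputs: the second policy is the kind PR_665 lets through.
    for src, dst in (("192.168.70.100", "192.168.70.1"), ("224.0.0.9", "255.255.255.255")):
        print(src, "->", dst, check_unicast_policy(src, dst) or "ok")
```

The rules are deliberately per field rather than global: a multicast address is wrong as a source or as the destination of a unicast policy, but it is exactly what a multicast policy's destination field should contain.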
  address      Set IP parameters for communication within an IP network.
  igmp         Enable IGMP on the VLAN.
  rip          Configure RIP on the VLAN.
  ospf         Configure OSPF settings.
  pim-sparse   Enable PIM-SM on the VLAN.
The impact to the user is that some commands cannot be typed on a single line; the VLAN configuration context must be entered in order to configure some items.
The first syslog server is deleted, and there is no way to specify the second syslog server except to execute the no logging syslog 192.168.1.59 command again.
■ PR_5390 — The administrator cannot change the password for MD5 authentication on an OSPF interface without knowing the previous password. As a workaround, first disable OSPF on the VLAN and then re-enable it with the new password.
3. Log in as manager. When the TMS zl Module prompts to interrupt the current manager session, click Cancel.
4. This brings up the logout prompt (Save&Logout, Do Not Save&Logout, Cancel); click Cancel. The additional client is now logged into the Web browser interface as manager.
■ PR_8044 — The TMS zl Module has been configured with VLAN IP addresses and HA is enabled but not configured (that is, there is only one device in the cluster).
■ PR_9404 — SSH buffer errors are shown in the logs with varying severity. These messages represent temporary and recoverable conditions and should all have the same severity.
■ PR_11190 — When a RADIUS user logs in to a TMS zl Module, a log message "Attempted to login with a wrong name" is always generated, even though the user logs in successfully.
■ PR_11703 — When a TMS zl Module is moved between two switch chassis with different configurations, references to VLANs can remain on the OSPF and Multicast pages. Example:
1. Add several VLANs to the VLAN Associations page.
2.
Example:
1. Log in as an operator.
2. Go to Maintenance > Update Software > Server Type drop-down selection box, or go to Authentication > RADIUS > Protocol drop-down selection box.
■ PR_12250 — In environments with high connection rates and high connection counts, the management interfaces can be slow or lock up. This occurs when the administrator has not specified a Priority VLAN for management in the configuration.
5. Display VLAN information by using the show vlans command.
■ PR_13220 — When a software update is performed by retrieving the image via FTP, SCP, or TFTP, a generic error message is displayed for any user input error. For example, if the IP address, the username, or the password is wrong, the error message simply indicates a failure and does not identify the specific problem.
■ PR_14561 — An unexpected "group already exists" error may appear when a user deletes a group and then adds a group with the same name again. The TMS zl Module marks groups for deletion, but the actual deletion may take a few seconds. Wait a few seconds before adding a group with the same name as a previously deleted group and the error will not appear.
when using insert-at 1 there must be at least one policy or rule available. There must be a valid policy or rule at the specified position number. If one does not exist, an error is reported, but the zone information is not included in the error message.
■ PR_16231 — Some warning and information log entries have messages that are truncated in the log viewer. Most log messages are not truncated, and those that are still contain enough information to tell what they are about; however, the full messages contain more information than can be displayed.
■ PR_16539 — In the TMS zl Module CLI, the radius-server help command lists options that are not available.
■ PR_2485 — When there are a large number of firewall access policies, the Web browser interface may take some time to load them for display. For example, with approximately 2,000 policies, loading takes about 15 seconds or less; with around 15,000 policies, the time to load the Web page approaches three minutes.
2. From a separate management session, delete all access for that user group.
3. The user still has access through the firewall.
■ PR_11874 — On the Firewall > Access Policy > Unicast page in the Web browser interface, the advanced tab shown when adding a policy allows limit settings, but the valid ranges for the connections, Kilobytes, packets, and seconds entries are not listed.
IPS/IDS
■ PR_10287 — The signature file for the TMS zl Module contains a few mentions of IPv6. These are incorrect; the TMS zl Module is an IPv4-only device.
■ PR_18204 — If you filter signatures by severity and then disable a family of signatures, the expected result is that all displayed signatures in that family are disabled. However, only some of the displayed signatures are actually disabled.
■ PR_38240 — Importing IPsec certificates from the Web browser interface (VPN > Certificates > IPsec Certificates) fails intermittently.
■ PR_38887 — The VPN connections display truncates local gateway addresses, preventing the user from seeing all the information for an established tunnel.
High Availability (Active/Standby)
■ PR_7372 — In the TMS zl Module CLI, the high-availability command does not accept CIDR notation.
Expected Results: The module with priority set to one (the original Master) becomes Master again.
Actual Results: The device with the lower priority joins the cluster as Master and the one with the higher priority joins as Participant. At first glance this seems incorrect, but it is by design: it is assumed that something is wrong with the module that failed, for example an intermittent problem.
■ PR_7533 — When the TMS zl Module is in monitor mode, the IDS logs incorrectly show the zones Internal and Zone6 in the logs for data and management. These zone references are not correct and should be ignored.
■ PR_11929 — When in monitor mode and using the TMS zl Module CLI, if you add a management IP address, the CIDR format IP-Address/mask is not accepted; you must enter the IP address and subnet mask as separate values.