TMS zl Module Release Notes ST.1.2.100916

Known Issues
Release ST.1.2.100916
Unfortunately, when the previous master is in the middle of shutting itself down, it issues
erroneous Gratuitous ARP requests for the previous management IP address, which update the
ARP cache on machines local to that subnet. This update has the effect of directing the
management IP communication to a device that cannot handle the communication.
Workarounds:
- Using the CLI, you can issue a ping to a router or unknown local address from the Master,
  which will update the ARP cache.
- Delete the ARP cache entry from the machine or router that is being used to access the
  TMS.
- Wait for the ARP cache to time out.
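The check behind the "delete the ARP cache entry" workaround, as an added example that is not part of these release notes or of the TMS software: it reads `ip neigh show` output from a Linux management workstation and reports whether the management IP still resolves to a MAC other than the current master's. The function names, the addresses (documentation ranges) and the sample table are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the release notes. Assumes a Linux host with iproute2.
# Live use: ip neigh show | stale_entry_fix <mgmt-ip> <current-master-mac>

# Constructed sample of `ip neigh show` output (documentation addresses).
sample_neigh() {
    cat <<'EOF'
192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:aa REACHABLE
192.0.2.10 dev eth0 lladdr 00:00:5e:00:53:01 STALE
192.0.2.77 dev eth0 FAILED
EOF
}

# check_mgmt_arp MGMT_IP EXPECTED_MAC   (neighbor table on stdin)
# Prints MATCH <mac>, MISMATCH <mac> <dev>, or MISSING; returns 0, 1 or 2.
check_mgmt_arp() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    result=$(awk -v ip="$1" -v want="$expected" '
        $1 == ip {
            dev = ""; mac = ""
            for (i = 2; i < NF; i++) {
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "lladdr") mac = tolower($(i + 1))
            }
            if (mac == "") next     # FAILED/INCOMPLETE entries have no lladdr
            if (mac == want) print "MATCH " mac
            else             print "MISMATCH " mac " " dev
            found = 1
            exit
        }
        END { if (!found) print "MISSING" }
    ')
    printf '%s\n' "$result"
    case $result in
        MATCH*)    return 0 ;;
        MISMATCH*) return 1 ;;
        *)         return 2 ;;
    esac
}

# Print (do not run) the command that deletes a mismatching cache entry.
stale_entry_fix() {
    verdict=$(check_mgmt_arp "$1" "$2") || :
    case $verdict in
        MISMATCH*) printf 'ip neigh del %s dev %s\n' "$1" "${verdict##* }" ;;
    esac
}

# Demo on the constructed table: 192.0.2.10 still maps to the old master.
sample_neigh | stale_entry_fix 192.0.2.10 00:00:5E:00:53:02
```

A MISSING result means the entry has already expired or been deleted, so the next connection to the management IP triggers a fresh ARP resolution.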
VPN
PR_44359 — IP Compression does not work with the Openswan v2.X VPN Client.
PR_44820 — XAUTH does not work with the Openswan v2.X VPN Client on SuSE and
XAUTH does not work with the Openswan v2.X VPN Client on Red Hat using the generic
method.
PR_58513 — For a client-to-site VPN scenario with IRAS enabled in the TMS, when a user
configures the corresponding IPsec policy (Web browser interface location: VPN->
IPsec->IPsec Policies-> page 1 / 4), the IPsec tunnel will be established regardless of what the
user enters for the remote address. The suggestion is for the user to enter 0.0.0.0/0 (any) for the
remote address, since the TMS only cares about the IRAS IP address, not the remote address field,
once IRAS is enabled.
PR_62599 — L2TP/IPsec VPN fails when traffic is behind a NAT device and the ANY option
is used.
Example Topology
L2TP/IPsec client-----NAT Device-------------TMS------Protected server
A client using the Windows native L2TP/IPsec client will fail to authenticate when it is behind a NAT
device and the "ANY" option is used for the Remote address field in the IPsec policy. If the user
configures the TMS to use a specific IP address (the external IP address of the remote NAT device),
then the VPN gets established and authenticated. Also, if there is no NAT device present, then the ANY
option allows the client to establish the tunnel and authenticate successfully.
Using the combination of NAT device and ANY has the following effect:
1. IPsec tunnel gets established
2. ESP packets get dropped at the firewall. The following message shows up on the logs:
SA selectors are not matching with the received packet selectors.
Dropping packet