TMS zl Module Release Notes ST.1.2.100916
Table Of Contents
- Release Notes: Version ST.1.2.100916 Software for the HP ProCurve Threat Management Services zl Module
- Contents
- Software Management
- Download Documentation from the Web
- Software Updates
- Special Considerations Prior to Updating
- Clarifications
- Enhancements
- Enhancements in ST.1.2.100916
- ST.1.1.100430
- ST.1.1.100226
- Command Line Interface (CLI) control of VPN functionality
- RADIUS authentication for management logins
- RADIUS authentication for L2TP users
- Renaming zones
- 256 VLANs now supported, increased from 19 VLANs
- Enhanced sort and filter capabilities for displaying log files
- Improved SNMP Monitoring for network traffic and key system resources
- Software Fixes in Releases ST.1.0.090213 - ST.1.2.100916
- Known Issues

Known Issues
Release ST.1.1.100430
Monitor Mode
■ PR_54944 — An invalid critical log message can be generated in monitor mode with no
message content. The message id is 337.
■ PR_56203 — In Monitor Mode, the log messages with identifiers 100000 and 99999 are
missing content, date, and time.
High Availability
■ PR_55708 — The command line interface command "show connections" on the Participant
only shows active connections, so it will not show any since the Master is the only module
with active connections.
■ PR_55976 — In the Command Line Interface, the 'show high-availability' command hangs
for 60 seconds on the participant when the participant has been configured incorrectly with
the same device ID as the master.
■ PR_55977 — The Windows ping command works from one client but not from a different client
after a high-availability failover. This behavior occurs when ICMP replay attack is enabled on
the TMS. The ICMP sequence number and Session ID information is continually checked to detect
an ICMP replay attack. This information is available in an active session, but it is not
synced with the participant, so after a failover, when the participant takes over from the
master, the TMS detects the ICMP packets as bad traffic.
Here are some Windows ICMP Ping examples that work after failover.
a. If ICMP timeout is 60 seconds
ping -w 60001 -t 10.30.1.6
The '-w' option specifies the time in milliseconds to wait for a response before the next ICMP
echo request is sent. It is not the time between requests, and it only has an effect on slow
networks or when there is no response. The value should be larger than the default ICMP
timeout.
b. If ICMP timeout is 10 seconds
ping -w 10001 -t 10.30.1.6
c. If ICMP timeout is set to 5 seconds then ICMP ping works without any problem.
ping -t 10.30.1.6
The default timeout for ICMP messages is 60 seconds, but it can be configured to a lower number.
The switch CLI command to set the ICMP timeout to 5 seconds is:
5406#(config) "connection-settings timeout default icmp 5"
Another workaround is to disable the FW attack setting ICMP replay.