Release Notes: Version ST.1.2.101122 Software for the HP Threat Management Services zl Module

These release notes include information on the following:
■ Downloading documentation from the web
■ Downloading and installing software updates
■ Special Considerations prior to updating
■ Clarifications
■ Enhancements
■ Software fixes included in release ST.1.2.
© Copyright 2009-2011 Hewlett-Packard Development Company, LP. The information contained herein is subject to change without notice.
Contents

Software Management
  Downloading Software and Documentation from the Web
  Software Updates
    Software Releases and Support
    Downloading Software to the TMS zl Module

ST.1.1.100226
  Command Line Interface (CLI) control of VPN functionality
  RADIUS authentication for management logins
  RADIUS authentication for L2TP users

Firewall
IPS/IDS
Monitor Mode
High Availability

General
Firewall
IPS
VPN
Software Management

Downloading Software and Documentation from the Web
Use the HP Networking support lookup tool (www.hp.com/networking, then select Support, or http://h17007.www1.hp.com/us/en/support/index.aspx) to locate your product's documentation and software download files. Use the product number to quickly find this information.
Tip: You can use the Business Support Center search tool to locate information on your HP Networking products, including documentation and FAQs (http://www.hp.com/go/bsc). To narrow your search, click More options next to the search box. You may want to bookmark this web page for easy access in the future.

Software Updates
Check the HP Networking web site frequently for software updates for the various HP networking products you may have in your network.
Downloading Software to the TMS zl Module
HP Networking periodically provides TMS zl Module software updates through the HP Networking web site. After you acquire a new software file, you can use the web browser interface or the TMS zl Module CLI to install it.

Note: After installing the update software using one of the methods described below, you must reboot the module to load and begin using the new software.
Figure 1. A Successful TMS zl Module Software Update Using the Web Browser Interface

7. Wait for this message in the Latest Status field: "Success: Image download and install have completed successfully." (see Figure 1).
8. Select the Reboot tab and click the Reboot button to complete the installation.

Updating the Module Software Using the CLI
Three separate processes are available for updating the module software using the TMS zl Module CLI.
3. Enter the ProductOS context for the TMS zl Module.
   Syntax: services <slot> name tms-module
   Replace <slot> with the letter for the chassis slot in which the module is installed.
   Example: hostswitch# services c name tms-module
   OR
   Syntax: services <slot>
   Replace <slot> with the letter for the chassis slot in which the module is installed.
2. Initiate a console session with the host switch.
3. Enter the ProductOS context for the TMS zl Module.
   hostswitch# services c 2
4. Copy the image from the server and install it.
5. Reboot the module to complete the update.
   hostswitch(tms-module-C)# reboot

For example, suppose that you copied the image to a TFTP server that has the parameters shown below:
• IP address: 192.168.1.13
• Filename: ST.1.2.101122.
You can type the first few letters of the directory name, then press the Tab key to complete the name. You might need to add the last few characters of the directory name if the USB drive contains more than one image.
9. Update the software. For example, if the new image directory is ST.1.2.101122, you would type:
   hostswitch(services-module-C:HD)# update product ST.1.2.101122
   Again, you can use tab completion for the file name.
10.
Special Considerations Prior to Updating
The latest TMS zl Module software is available on the HP Networking web site. We recommend reading these Release Notes prior to updating. We also recommend backing up your current configuration before any update.

March 2010 Version, ST.1.1.
GRE Tunnels
When updating to ST.1.1.100430 from ST.1.0.090213 or ST.1.0.090603, any configured GRE tunnels will go down and will not pass traffic until an additional configuration item, the tunnel peer IP address, is entered. Prior to updating, schedule the appropriate downtime for these GRE tunnels and document the tunnel peer IP address for each end of the tunnel, so that the re-configuration process goes smoothly.
After updating to ST.1.1.100430 from ST.1.0.090213 or ST.1.0.090603, the traffic selectors are migrated but the GRE tunnel is down.
The administrator will have to manually enter the Tunnel Peer IP address to get the GRE tunnel back up. Once the GRE tunnel is back up, the administrator can take advantage of new GRE features available with release ST.1.1.
Clarifications

HP Security Policy and Release Notes
Per HP policy, a Security Bulletin must be the first published notification of a security defect. Fixes to security defects are not documented in release notes, also by HP policy. The official communication for security defect fixes will always be through HP Security Bulletins. For more information on security bulletins, and on how to subscribe to them, see: http://bizsupport1.austin.hp.
IAS RADIUS Configuration - Special Steps
If you use the IAS wizard, you need to remove the port-type attribute after a remote access policy is configured. The following screens show the process for removing this attribute. First, right-click the policy and choose to view its properties.
The condition "NAS-Port-Type matches 'Virtual [VPN]' AND" was automatically configured by the wizard, but it is not supported by the TMS zl Module. It must be removed. Highlight this port attribute condition and click Remove. After removing the unsupported port attribute condition, the policy is shown below.
For more information, the updated Management and Configuration Guide for the HP ProCurve Threat Management Services zl Module on the HP Networking web site contains an example of setting up a custom policy using the wizard. This example shows the attributes that the TMS zl Module supports. Any non-supported policy attributes must be removed before a policy can be used with the TMS zl Module.

Application Layer Gateways (ALGs)
If you upgrade from ST.1.0 to ST.1.
Enhancements

Enhancements in ST.1.2.100916
The following enhancements were added in this update.

Firewall Throughput
Firewall throughput increased from 3.0 Gbps up to 5.0 Gbps (performance may vary depending on network traffic and environment).

System Utilization Graphs
The dashboard has been enhanced to add System Utilization Graphs.
Updated VPN Client Support Information
White papers are being developed to help configure and deploy TMS VPN solutions and will be posted here when available: www.hp.com/networking/whitepapers

IPsec Tunneling: 4800 Connections
• ProCurve VPN client on Windows XP
• Shrew Soft VPN client 2.1.7*
• IPSecuritas v3.4 on MacOS
• Openswan v2.X on Red Hat and SuSE
* XAUTH now supported with Shrew Soft client 2.1.
The IPS engine classifies traffic as client initiated or server initiated. You can independently set the inspection depth values, in bytes, for client-to-server and server-to-client traffic, so the IPS inspection depth can be tuned to the values appropriate for your deployment. For example, if your environment warranted greater scrutiny of client initiated traffic, you could set a larger inspection depth value for client-to-server traffic.
• Enabling/disabling ICMP message handling settings
• Modifying SCEP server information
• Importing certificate keys

ST.1.1.100430
The following enhancements were added in this update.

Log Threshold Monitoring
This feature evaluates the logging engine's resource consumption on the TMS zl Module.
IPS Protection Levels
The Intrusion Prevention > Signatures > View screen contains a new field, Protection, which provides filters for viewing IDS/IPS signatures based on the protection they provide. The filter choices are illustrated below. Please see the updated Management and Configuration Guide for the HP ProCurve Threat Management Services zl Module on the HP Networking web site for details on how to configure and use this new feature.
RADIUS authentication for management logins
Please see the updated Management and Configuration Guide for the HP ProCurve Threat Management Services zl Module on the HP Networking web site for details on how to configure and use this new feature.
Software Fixes in Releases ST.1.0.090213 - ST.1.2.101122
Software fixes are listed in chronological order, oldest to newest. Unless otherwise noted, each new release includes the software fixes added in all previous releases. Release ST.1.0.090213 was the first production software release for the HP Threat Management Services zl Module.

Release ST.1.0.090213
No problems resolved in release ST.1.0.090213. (Initial Release.
Release ST.1.0.090603
■ PR_17313 — For a VLAN association, the user can specify DHCP as the method for obtaining an IP address for the TMS zl Module. If the user then edits the VLAN association and changes the IP address method to a static IP address, the DHCP client process still runs in the background and can overwrite the static IP address.
time="2009-03-30 09:17:09" severity=critical pri=1 fw=ProCurve-TMS-zl-Module id=fw_l2l3_attack msg="FW: packet with invalid tcp flags found, packets dropped" srczone=INTERNAL src=192.168.0.134 srcport=18155 dstzone=EXTERNAL dst=192.168.1.128 dstport=80 proto=TCP subfamid=packetheaderanomaly mtype=attack mid=625
The log messages are no longer logged as critical.
■ PR_38564 — The log message with message ID 648 is marked as critical but should not be.
time="2009-04-01 11:41:59" severity=critical pri=1 fw=ProCurve-TMS-zl-Module id=fw_l2l3_attack msg="ICMP:Error message not allowed by firewall" srczone=INTERNAL src=192.168.0.1 dstzone=EXTERNAL dst=192.168.1.
time="2009-04-15 10:20:00" severity=critical pri=1 fw=ProCurve-TMS-zl-Module id=fw_l2l3_attack msg="FW: icmp header is less than expected, packets dropped" srczone=EXTERNAL src=192.168.80.5 dstzone=SELF dst=192.168.80.
■ PR_18204 — If you filter signatures by severity, then disable a family of signatures, the expected result is that all displayed signatures in that family will be disabled. However, the actual result is that only some of the displayed signatures get disabled. This can be observed by viewing info signatures, then disabling the XSS family. When the operation completes, refresh the page, and view info signatures.
time="2009-03-19 02:01:49" severity=critical pri=1 fw=ProCurve-TMS-zl-Module id=ips_attack_family rule=3189 msg="IPS detection: Allow: BackDoor Digital Root Beer" src=192.168.1.20 srcport=1050 dst=192.168.3.
■ PR_38217 — When setting up an IPsec policy with a Key Exchange of Manual, it was possible to specify an SPI number that was already in use by another IPsec policy without this being detected. Duplicate SPI numbers across IPsec policies are not allowed and an error needs to be displayed.
Release ST.1.1.100226
The following problems were resolved in release ST.1.1.100226.

General
■ PR_813 — The web browser interface does not function without JavaScript enabled and does not notify the user that JavaScript is required.
■ PR_961 — The initial login banner text of the web browser interface in the TMS zl Module differs in size depending on whether the user is accessing it with HTTP or HTTPS.
■ PR_11856 — In the web browser interface, an error message is displayed when trying to set a valid IP address in some pages, such as RADIUS, IPsec Policies, and so forth. For example, this may occur when an otherwise valid IP address is entered with a trailing space.
■ PR_12802 — When adding an NSSA or STUB area to the OSPF configuration, leading zeros in the area ID are flagged as an error.
■ PR_18145 — In the web browser interface, if a VLAN is added with an invalid IP address in the range 224.0.0.0 - 254.255.255.255, an error is returned stating: "VLAN could not be added. Failed to add VLAN IP address." but the VLAN is actually added, though not associated with any zone. In the CLI, the error message only states: "Error: Failed to set VLAN IP address."
■ PR_37988 — Upgrading to an ST.1.1.XXXXXX release from any ST.1.0.
Monitor Mode
■ PR_17758 — In monitor mode, when IPS full inspection is turned on and the FTP ALG is turned off, sending an FTP copy of the startup configuration to the network fails with a broken pipe error.

High Availability
■ PR_8325 / PR_14916 — When configured for High Availability, the Rebalance button in the web browser interface is not needed for an Active/Standby configuration.
■ PR_40301 — A GRE tunnel displayed a GREv2 error in tcpdump when attempting to verify connectivity with a ping packet.
■ PR_40313 — When adding a RADIUS server, the administrator can specify a NAS-ID that accepts a script as input, allowing code injection into the RADIUS web interface page.
■ PR_40319 — In the log file, log entries with the following message IDs may truncate the username: 1213, 1214, and 1204.
Release ST.1.1.100330
■ PR_51483 — Enabling IP compression and disabling fragmentation causes a TMS crash in site-to-site VPNs. Steps:
1. Configure a site-to-site VPN tunnel with one host at each end: HOST1(10.11.0.10)-----TMS1----(VPN)----TMS2----HOST2(10.13.0.10)
2. Host2 sends a large ping using: ping 10.11.0.10 -s 64000. TMS2 works fine, TMS1 fails.
Release ST.1.1.100430
■ PR_49894 — TMS zl Module web browser interface performance. Related HA + IPS issue scheduled to be addressed in the May-June 2010 release. Should not affect users with < 75% CPU utilization.
■ PR_50615 — Unable to monitor RAM and CPU performance via SNMP.
■ PR_43869 — When a Zone is renamed, the new Zone name does not show up in log files.
■ PR_46963 — When the rate limit defined per policy is reached, a log message is generated for every packet drop.
■ PR_50209 — Log messages with mid=615, 1350, 1355, 624, 621, 605 are not critical but are classified as critical.
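The message-ID reclassifications above (mid 625 and 648 in ST.1.0.090603, and mids 615, 1350, 1355, 624, 621 and 605 in this release) matter to anyone feeding TMS zl Module syslog into a SIEM from a module still on older firmware. The following Python script is an added example, not code from these release notes or from HP: it parses the module's key=value log format (quoted values may contain spaces, commas and colons) and normalizes the severity of the listed message IDs. The first sample line is the ST.1.0.090603 entry quoted above; the other two are constructed in the same format. The corrected level "warning" is this example's assumption, since the notes say only that these messages are not critical.

```python
import re

# One key=value pair; the value is either a double-quoted string (spaces, commas and
# colons allowed inside) or a bare token that runs to the next whitespace.
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Message IDs the release notes say were logged as critical without being critical:
# mid 625 and 648 (fixed in ST.1.0.090603); 615, 1350, 1355, 624, 621, 605 (fixed in ST.1.1.100430).
MISLABELED_CRITICAL = {"625", "648", "615", "1350", "1355", "624", "621", "605"}
# Assumption: the notes do not state the corrected level, so this example uses "warning".
DOWNGRADED_LEVEL = "warning"

# Sample input: the first line is quoted from the ST.1.0.090603 fix list; the other two
# are constructed in the same format for this example.
SAMPLE_LINES = [
    'time="2009-03-30 09:17:09" severity=critical pri=1 fw=ProCurve-TMS-zl-Module id=fw_l2l3_attack '
    'msg="FW: packet with invalid tcp flags found, packets dropped" srczone=INTERNAL src=192.168.0.134 '
    'srcport=18155 dstzone=EXTERNAL dst=192.168.1.128 dstport=80 proto=TCP subfamid=packetheaderanomaly '
    'mtype=attack mid=625',
    'time="2009-04-01 11:41:59" severity=critical pri=1 fw=ProCurve-TMS-zl-Module id=fw_l2l3_attack '
    'msg="ICMP:Error message not allowed by firewall" srczone=INTERNAL src=192.168.0.1 dstzone=EXTERNAL '
    'dst=192.168.1.1 proto=ICMP mtype=attack mid=648',
    'time="2010-03-02 08:00:00" severity=warning pri=5 fw=ProCurve-TMS-zl-Module id=fw_access_control '
    'msg="FW: access denied" srczone=EXTERNAL src=10.0.0.5 dstzone=SELF dst=10.0.0.1 proto=TCP '
    'username=user1@tms01.local subfamid=accessdeny mtype=access_control mid=4521',
]


def parse_tms_log(line: str) -> dict:
    """Split one TMS zl Module log line into a dict; quoted values lose their quotes."""
    record = {}
    for key, raw in _PAIR.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        record[key] = raw
    return record


def effective_severity(record: dict) -> str:
    """Severity a consumer should act on once the listed message IDs are discounted."""
    severity = record.get("severity", "unknown")
    if severity == "critical" and record.get("mid") in MISLABELED_CRITICAL:
        return DOWNGRADED_LEVEL
    return severity


def triage(lines) -> list:
    """(mid, logged severity, effective severity) for every line that carries a message ID."""
    rows = []
    for line in lines:
        record = parse_tms_log(line)
        if "mid" in record:
            rows.append((record["mid"], record.get("severity", "unknown"), effective_severity(record)))
    return rows


if __name__ == "__main__":
    for mid, logged, effective in triage(SAMPLE_LINES):
        flag = "" if logged == effective else "  <- reclassified"
        print(f"mid={mid:>5} logged={logged:<8} effective={effective}{flag}")
```

The downgrade is keyed on the mid field rather than on the msg text because the message strings change across releases while the IDs do not; once the module is updated to a release that carries the fix, the table simply stops matching.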
Release ST.1.2.100916
■ PR_52119 — A DSA generated CA certificate does not show in the web browser interface or CLI after the certificate is imported, while an RSA generated CA certificate displays correctly. After importing the CA certificate in the web browser interface (VPN > certificates > certificate authorities > import certificate), the CA display is empty.
1. Client 1 establishes L2TP over IPsec to the TMS. The NAT router translates all outgoing connections to its external IP. However, the NAT router cannot modify the L2TP port, which is encrypted by IPsec.
2. When Client 2 establishes L2TP over IPsec to the TMS, the NAT router again translates all outgoing connections to its external IP, but again it cannot modify the L2TP port.
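The two steps above describe why two L2TP/IPsec clients behind one NAT device collide: the NAT can rewrite the outer UDP ports but not the L2TP port sealed inside ESP. The Python model below is an added example, not HP's implementation (the notes do not describe how the TMS zl Module looks up tunnels): it applies a NAT binding to two constructed clients and compares a server that identifies tunnels by the inner L2TP port with one that identifies them by the outer NAT-T source port. All addresses are constructed.

```python
from dataclasses import dataclass, replace
import itertools

L2TP_PORT = 1701   # L2TP control/data, carried inside ESP so invisible to the NAT
NAT_T_PORT = 4500  # UDP encapsulation of ESP (NAT-T), visible and rewritable by the NAT


@dataclass(frozen=True)
class Packet:
    outer_src: str     # address on the wire
    outer_sport: int   # NAT-T UDP source port, rewritable by the NAT
    outer_dst: str
    outer_dport: int
    inner_sport: int   # L2TP UDP source port inside ESP; the NAT cannot read or change it
    inner_dport: int


class Nat:
    """Port-overloading NAT: each (private address, outer port) gets its own public port."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.bindings = {}
        self._ports = itertools.count(first_port)

    def translate(self, pkt: Packet) -> Packet:
        key = (pkt.outer_src, pkt.outer_sport)
        if key not in self.bindings:
            self.bindings[key] = next(self._ports)
        # Only the outer header changes; inner_sport is under ESP and untouched.
        return replace(pkt, outer_src=self.public_ip, outer_sport=self.bindings[key])


def key_by_inner_port(pkt: Packet) -> tuple:
    """Assumed naive server: identify the L2TP tunnel by peer address and L2TP port."""
    return (pkt.outer_src, pkt.inner_sport)


def key_by_outer_socket(pkt: Packet) -> tuple:
    """Assumed NAT-aware server: identify the tunnel by the NAT-T socket it arrived on."""
    return (pkt.outer_src, pkt.outer_sport)


def accept_tunnels(packets, key_fn) -> list:
    """Return 'established' or 'collision' for each incoming tunnel setup, in order."""
    seen = {}
    outcomes = []
    for pkt in packets:
        k = key_fn(pkt)
        if k in seen:
            outcomes.append("collision")
        else:
            seen[k] = pkt
            outcomes.append("established")
    return outcomes


def demo() -> dict:
    nat = Nat("203.0.113.9")        # constructed NAT public address
    tms = "198.51.100.1"            # constructed TMS zl Module address
    client1 = Packet("192.168.0.10", NAT_T_PORT, tms, NAT_T_PORT, L2TP_PORT, L2TP_PORT)
    client2 = Packet("192.168.0.11", NAT_T_PORT, tms, NAT_T_PORT, L2TP_PORT, L2TP_PORT)
    on_wire = [nat.translate(client1), nat.translate(client2)]
    return {
        "wire": on_wire,
        "by_inner_port": accept_tunnels(on_wire, key_by_inner_port),
        "by_outer_socket": accept_tunnels(on_wire, key_by_outer_socket),
    }


if __name__ == "__main__":
    result = demo()
    for pkt in result["wire"]:
        print(f"{pkt.outer_src}:{pkt.outer_sport} -> inner L2TP port {pkt.inner_sport}")
    print("keyed by inner L2TP port:  ", result["by_inner_port"])
    print("keyed by outer NAT-T socket:", result["by_outer_socket"])
```

Both clients arrive from the same public address with the same inner L2TP port; only the NAT-T source port distinguishes them, which is the information a server has to key on for a second client behind the same NAT to succeed.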
WARNING: You are attempting to save the running configuration on an HA Participant device. This action can disrupt the configuration of the HA cluster and can prevent proper synchronization of the cluster configuration. This action is not recommended.
Release ST.1.2.101122
The following problems were resolved in release ST.1.2.101122.

VPN
■ PR_62599 — L2TP/IPsec VPN fails when traffic is behind a NAT device and the ANY option is used.
Known Issues
Known issues fixed in a later software release are indicated using the following format:
■ PR_xxxxxxxxxx — To confirm what release fixed the issue, use the issue number to search the PDF file.
Known issues that are open as of the latest software release appear as follows:
■ PR_xxxxxxxxxx —

Release ST.1.2.101122
The following problems are known issues as of release ST.1.2.101122.
VPN
■ PR_60494 — Currently documented in the release notes for the ST.1.2.100916 release.
■ PR_63070 — Windows 7 or Vista VPN client configuration. If the Connection Type radio button in the Edit Rule Properties dialog box of the Microsoft Windows 7 or Vista VPN client is set to Remote access, wired connections will work but wireless connections will fail.
■ PR_66125 — An L2TP/IPsec tunnel cannot be established when you configure AH as the Security Protocol in the IPsec Proposal. The workaround is to use ESP instead of AH. This workaround is strongly recommended in any case, since AH does not provide confidentiality and will have issues in a NAT environment.
■ PR_66264 — Shrew Soft VPN client 2.1.6 indicates a successful connection when IKE Phase 2 negotiation fails. Shrew Soft VPN clients 2.1.5 and 2.1.
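The advice under PR_66125 to use ESP rather than AH through NAT follows from what each integrity check value covers: AH authenticates the outer IP header (with mutable fields such as TTL and checksum zeroed), so a NAT that rewrites the source address invalidates it, whereas the ESP ICV covers only the ESP header and payload. The Python script below is an added example, not code from these notes or from HP; it builds an IPv4 header, computes HMAC-SHA1-96 ICVs scoped the way AH (RFC 4302) and ESP (RFC 4303) scope them, then passes the packet through a TTL-decrementing router hop and a NAT. The key, the public addresses and the payload are constructed, and encryption is omitted since only the ICV scope matters here.

```python
import hashlib
import hmac
import ipaddress
import struct

PROTO_AH = 51          # IP protocol numbers for AH and ESP
PROTO_ESP = 50
AH_HDR_LEN = 12 + 12   # fixed AH fields plus a 96-bit ICV


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement checksum over the header (checksum field must already be zero)."""
    total = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _set_checksum(hdr: bytes) -> bytes:
    zeroed = hdr[:10] + b"\x00\x00" + hdr[12:]
    return zeroed[:10] + struct.pack("!H", ipv4_checksum(zeroed)) + zeroed[12:]


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header: ver/IHL, TOS, length, ID, flags/frag (DF), TTL, proto, cksum, addresses."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return _set_checksum(hdr)


def decrement_ttl(hdr: bytes) -> bytes:
    """What every router hop does: TTL - 1 and a fresh header checksum."""
    return _set_checksum(hdr[:8] + bytes([hdr[8] - 1]) + hdr[9:])


def nat_rewrite_src(hdr: bytes, new_src: str) -> bytes:
    """What a NAT does on egress: replace the source address and recompute the checksum."""
    return _set_checksum(hdr[:12] + ipaddress.IPv4Address(new_src).packed + hdr[16:])


def ah_scope(ip_hdr: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Bytes covered by the AH ICV (RFC 4302): the IP header with mutable fields (TOS,
    flags/fragment offset, TTL, checksum) zeroed, the AH header with a zeroed ICV, and the
    payload. Source and destination addresses are treated as immutable and ARE covered."""
    immutable_ip = (ip_hdr[0:1] + b"\x00" + ip_hdr[2:6] + b"\x00\x00" + b"\x00"
                    + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:20])
    # next header (17 = UDP for L2TP), payload length in 32-bit words minus 2, reserved, SPI, seq, zero ICV
    ah_hdr = struct.pack("!BBHII", 17, AH_HDR_LEN // 4 - 2, 0, spi, seq) + b"\x00" * 12
    return immutable_ip + ah_hdr + payload


def ah_icv(key: bytes, ip_hdr: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """HMAC-SHA1-96 over the AH scope."""
    return hmac.new(key, ah_scope(ip_hdr, spi, seq, payload), hashlib.sha1).digest()[:12]


def verify_ah(key: bytes, ip_hdr: bytes, spi: int, seq: int, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(ah_icv(key, ip_hdr, spi, seq, payload), icv)


def esp_icv(key: bytes, spi: int, seq: int, enc_payload: bytes) -> bytes:
    """ESP ICV (RFC 4303) covers the ESP header (SPI, sequence) and the encrypted payload only;
    the outer IP header is outside its scope, which is why ESP survives address rewriting."""
    return hmac.new(key, struct.pack("!II", spi, seq) + enc_payload, hashlib.sha1).digest()[:12]


def verify_esp(key: bytes, spi: int, seq: int, enc_payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(esp_icv(key, spi, seq, enc_payload), icv)


def demo() -> dict:
    key = b"constructed-sa-integrity-key"                 # constructed; real keys come from IKE
    payload = b"L2TP/UDP 1701 control message (constructed)"
    spi, seq = 0x1000, 1
    # 192.168.1.20 appears in these notes; the public addresses are documentation ranges.
    hdr = ipv4_header("192.168.1.20", "203.0.113.5", PROTO_AH, AH_HDR_LEN + len(payload))
    icv = ah_icv(key, hdr, spi, seq, payload)
    esp_tag = esp_icv(key, spi, seq, payload)           # plaintext stands in for ciphertext here
    hopped = decrement_ttl(hdr)                        # one router in the path
    natted = nat_rewrite_src(hopped, "198.51.100.7")   # then the NAT at the site edge
    return {
        "ah_after_hop": verify_ah(key, hopped, spi, seq, payload, icv),
        "ah_after_nat": verify_ah(key, natted, spi, seq, payload, icv),
        "esp_after_nat": verify_esp(key, spi, seq, payload, esp_tag),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ICV ok' if ok else 'ICV FAILED'}")
```

The router hop leaves the AH ICV intact because TTL and checksum are zeroed before hashing; the NAT rewrite fails it because the source address is inside the hash. The same packet under ESP verifies after the NAT, which is the behaviour the workaround relies on.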
Release ST.1.2.100916
When a TMS zl Module does a hardware boot, its startup time is acquired from the switch chassis via a serial port on the blade, before the operating system loads. At the end of the module's boot process, the module coordinates with the switch chassis to synchronize with the chassis time, including time zone information. If a switch chassis is power cycled, both the switch and the TMS zl Module are rebooted.
ICMP Error Message. ICMP Message Type 3 and Code 1 are not allowed severity: info id: config dst: 10.1.10.10 proto: ICMP icmptype: 3 adminname: sip subfamid: ipsecv4payloadprocessing mtype: ipsecv6 mid: 306569 icmpcode: 1
■ PR_60506 — An erroneous log message is displayed showing "application connect failed" but with no details.
■ PR_60478 — A VPN log message incorrectly appears in monitor mode. Example:
date: 2010-08-03 time: 09:55:05 msg: VPN global configuration updated adminname: root severity: warning id: vpn_ipseccommon src: 0.0.0.0 srcport: 0 dst: 0.0.0.
Unfortunately, while the previous master is shutting itself down, it issues erroneous Gratuitous ARP requests for the previous management IP address, which updates the ARP cache on machines local to that subnet. This update has the effect of directing the management IP communication to a device that cannot handle it.
Release ST.1.1.100430
From the Windows system, the VPN client just returns an error message saying that the connection was interrupted.
■ PR_63072 — RADIUS error messages are generated on successful authentication for Windows L2TP/IPsec VPN clients. This occurs on Windows XP, Windows Vista, and Windows 7. The authentication error (for example, IAS Reason-Code IAS_NO_SUCH_USER) is caused by the Windows VPN client first attempting to authenticate using the machine name.
Firewall
■ PR_42671 — A log message about TCP sequence number translation shows ICMP as the protocol.
time="2009-07-08 19:39:33" severity=warning pri=5 fw=ProCurve-TMS-zl-Module id=fw_access_control ruleid=10 msg="FW: tcp sequence number translation failed, packets dropped" srczone=INTERNAL src=192.168.80.2 dstzone=INTERNAL dst=192.168.70.2 proto=ICMP rcvd=0 rcvdsc=0 sent=36 sentsc=0 srcnatport=0 destnatport=0 destnatipaddr=0.0.0.
passed in this condition. A troubleshooting technique is to check for VLAN tagging if there is a problem with passing traffic. If it occurs, it can be fixed by doing the tagging manually in the switch configuration using the switch CLI.
■ PR_55486 — The web browser interface limits the insert-at value to the range 1 to 9999, while the command line interface does not impose a higher limit.
Workaround: When using this configuration, use tracert to validate connectivity to the TMS. To validate connectivity to an external destination in this configuration, use trace route from the TMS.

Monitor Mode
■ PR_54944 — An invalid critical log message can be generated in monitor mode with no message content. The message ID is 337.
■ PR_56203 — In Monitor Mode, the log messages with identifiers 100000 and 99999 are missing content, date, and time.
5406#(config) "connection-settings timeout default icmp 5"
Another workaround is to disable the FW attack setting ICMP replay.
■ PR_54897 — If a VLAN is configured with DHCP and the lease expires, and the master gets a different IP address from the DHCP server, the new IP address is not synced to the participant. When the participant takes over after a failover, it will use the old IP address.
■ PR_54925 — Shrew Soft VPN client cannot establish the tunnel when XAUTH is enabled.
■ PR_55003 — The VPN client remains connected even if the IPsec policy is disabled.
■ PR_55116 — Shrew Soft VPN client cannot establish the tunnel when RSA is used for IPsec authentication.
■ PR_55129 — Shrew Soft VPN client can establish the tunnel when the 'Enable extended sequence number' option is selected, but no traffic flows.
Note: for ip-addr, no multicast IP should be accepted, and for distinguished name the valid value should be something like /CN=example.local
■ PR_55807 — The TMS allows user groups to be removed even when there are L2TP users and access policies associated with them. There should be a warning explaining that removing the group will leave the L2TP users unable to access resources and that any access policy associated with the group will be deleted as well.
proto=0 rcvd=0 rcvdsc=0 sent=0 sentsc=0 srcnatport=0 username=user1@tms01.local destnatport=0 destnatipaddr=0.0.0.0 subfamid=accessdeny mtype=access_control mid=4521 srcnatipaddr=0.0.0.0
■ PR_54222 — L2TP/PPP logging does not contain the user IP address or the username.
■ PR_54222 — A terse error message is seen when running the show l2tp user command and the user is not defined. Example:
HP E-8212zl(tms-module-D)# show l2tp user a
Software Revision : ST.1.1.
Release ST.1.1.100226/ST.1.1.100330
The following problems are known issues as of release ST.1.1.100226.

General
■ PR_9285 / PR_9286 — For RIP, there are some minor issues when interoperating between RIP version 1 and RIP version 2 on the switch. As a general recommendation when using a TMS zl Module, always standardize on RIP version 1 or RIP version 2, with RIP version 2 preferred.
■ PR_42753 — In the TMS zl Module CLI, the show ip command's output has "domain" misspelled as "Dommain".
■ PR_42760 — The TMS zl Module SNMPv3 server only supports the security level authPriv for SNMPv3 users.
■ PR_42887 — Changing the hostname in the web browser interface does not change the hostname in the CLI immediately. A current user of the CLI must log out and log back in again to see the change reflected in the prompt.
■ PR_44788 — When trying to add an IP route via the CLI, an error is shown without any error message. This happens when there are two CLI sessions: one CLI session runs show ip route, and then the other CLI session tries to add a route.
HP E-5406zl(tms-module-C)# ip route 192.168.3.27 255.255.255.255 10.10.10.
8. In the destination field, specify a unicast IP address. A unicast IP address in the destination field should cause an error message. Instead, no error message is displayed and the incorrect IP address is accepted.
■ PR_45671 — In the web browser interface, under Firewall > Access Policies > Addresses, duplicate Network (IP/mask) entries can be added under a given name. For instance, 10.10.10.0/24, 10.10.20.0/24, 10.10.10.0/24 could be added under a given name.
3. Add a Source NAT policy (e.g., NAT from Zone1 > External, Services FTP, HTTP, SSH; Source Any, dst 10.10.100.1-10.10.100.20, NAT value 10.10.100.111)
4. Open an FTP server or any of the basic services
5. Verify that the IP address gets translated on the destination zone
6. Send ICMP traffic
7. Verify that the IP address gets translated on the destination zone when it should not be.
■ PR_52440 — Performance-related IPS issue; scheduled to be addressed in the May-June 2010 release. Should not affect users with < 75% CPU utilization.
■ PR_52604 — In the web browser interface the Dashboard has a field for Chassis Name but never displays anything. In the TMS zl Module CLI, the command show system-information also shows a field for Chassis Name but doesn't display any value for it.
■ PR_15088 — The DNS connection will have a high timeout value in some circumstances when a customer uses a DNS address object and modifies the address object content. The customer will see a high timeout when running show connections and can use the no connections command to remove any problematic sessions.
■ PR_15293 — A lot of firewall logs are generated for normal management activities.
■ PR_42210 — Local users cannot log in to the TMS zl Module web browser interface via HTTP. Steps:
1. Open the browser and connect to the TMS zl Module web browser interface via http.
2. Enter the local user's name in the User name text field.
3. Enter the local user's password in the Password text field.
4. Press the Login button.
The logon fails; the TMS zl Module web browser interface displays "Invalid Login!".
DMZ maps to the name in the 4th row of the Zone table (4).
ZONE1 maps to the name in the 5th row of the Zone table (5).
ZONE2 maps to the name in the 6th row of the Zone table (6).
ZONE3 maps to the name in the 7th row of the Zone table (7).
ZONE4 maps to the name in the 8th row of the Zone table (8).
ZONE5 maps to the name in the 9th row of the Zone table (9).
ZONE6 maps to the name in the 10th row of the Zone table (10).
msg: IP header checksum failed
msg: FW: gre packet header length is less than expected, packets dropped
msg: MCAST: icmp packet type is unknown, packets dropped
■ PR_50433 — When DHCP is used as the IP address acquisition method for VLANs, the TMS zl Module can take a long time to reboot, as it has to acquire an IP address for each VLAN serially.
Monitor Mode
■ PR_42670 — Firewall logs are shown for broadcast packets in monitor mode.
time="2009-07-08 19:36:37" severity=warning pri=5 fw=ProCurve-TMS-zl-Module id=fw_access_control ruleid=0 msg="FW: no access policy found, packets dropped" srczone=ZONE6 src=10.255.134.37 srcport=137 dstzone=ZONE6 dst=10.255.135.255 dstport=137 proto=UDP rcvd=0 rcvdsc=0 sent=0 sentsc=0 srcnatport=0 destnatport=0 destnatipaddr=0.0.0.
■ PR_46778 — High Availability cannot be disabled without serious service disruption and loss of connectivity. When high availability is disabled, the following message is displayed:
HP E-5406zl(tms-module-C:config)# no high-availability
Shutting down HA will remove the IP addresses of the TMS VLANs, and any remote connections to the TMS zl Module will be lost.
HP E-5406zl(tms-module-C:config)# exit
HP E-5406zl(tms-module-C)# write memory
HP E-5406zl(tms-module-C)# boot
Device will be rebooted, do you want to continue [y/n]? y
At this point, the TMS product will initialize the VLANs correctly and new VLANs can be added.

VPN
■ PR_40382 — Importing a CRL file that does not contain the 'nextUpdate' field fails.
■ PR_41431 — Field validation failure for IKEv1 identities, distinguished-name field.
■ PR_44479 — The TMS zl Module will use the old CRL past the next CRL update time if it has not retrieved the new CRL.
■ PR_44555 — When checking the IKE SA status in the web browser interface, the SA lifetime value is not automatically updated. For example, if a user clicks View Status several times, the SA lifetime remains the same and is not updated.
3. In the Source field, click the Options button, select Enter custom IP, IP/mask or IP-Range, and enter a non-multicast IP address.
4. In the Destination field, click the Options button, select Enter custom IP, IP/mask or IP-Range, and enter a multicast IP address.
5. Before you click the Apply button and the Close button, make a note of which zones you picked for the policy.
6. Click the Apply button.
7.
time="2009-11-18 18:22:36" severity=warning pri=5 fw=ProCurve-TMS-zl-Module id=fw_access_control ruleid=125 msg="FW: VPN inbound processing deny, packets dropped" srczone=EXTERNAL src=10.60.0.10 srcport=60 dstzone=INTERNAL dst=10.50.0.10 dstport=60 proto=UDP rcvd=0 rcvdsc=0 sent=138592 sentsc=0 ruleaction=permit srcnatport=0 destnatport=0 destnatipaddr=0.0.0.
Known Issues Release ST.1.0.090603

1. Delete all of the static routes associated with the VLAN using the CLI command "no ip route ..." (faster method) or the web browser interface (slower method).
2. Add the static routes back using the CLI command "ip route ..." (faster method) or the web browser interface (slower method).

■ PR_52093 — The TMS zl Module cannot import certificates where the signing algorithm is different from the key generation algorithm.
When the TMS zl Module is running ST.1.0.090213, the following behavior is observed: the output of the switch CLI command show services detail and the output of the TMS zl Module CLI command show version are both correct. After the TMS zl Module has been updated to ST.1.0.
3. Select the View Log tab.
4. Open a tool that allows connecting to the TMS zl Module via SSH.
5. Try to log in to the TMS zl Module with an invalid user name.
6. The following log entries are displayed:

time="2009-03-20 17:14:30" severity=warning pri=4 fw=ProCurve-TMS-zl-Module id=ssh msg="Failed password for invalid user one from 192.168.8.
3. Go to the logging section.
4. Select the View Log tab.
5. Search for the log entry generated when logging in as the Local user previously created.
6. The following log entry is displayed:

time="2009-03-24 17:00:02" severity=warning pri=4 fw=ProCurve-TMS-zl-Module id=user_statistics msg="Radius authentication failed" srczone=SELF dstzone=SELF logintime=0 logouttime=0 useripaddr=0.0.0.
Routes in R1 when VLAN300 has v2 enabled in TMS zl Module

Destination      Gateway        Metric  Distance  VLAN     Type
10.10.30.0/24    192.168.3.254  3       100       vlan300  rip
10.10.40.0/24    192.168.3.254  3       100       vlan300  rip
192.168.1.0/24   192.168.3.254  3       100       vlan300  rip
192.168.2.0/24   192.168.2.250  1       0         vlan200  connected
192.168.3.0/24   192.168.3.250  1       0         vlan300  connected
192.168.5.0/24   192.168.3.254  3       100       vlan300  rip
192.168.11.0/24  192.168.11.
3. Press the tab key.

   end     Return to the Manager Exec context.
   exit    Return to the previous context or terminate session.
   logout  Terminate current session.
   show    Display TMS device operation information.

The rp-address should be listed in the PIM context.

■ PR_38778 — Learned RPs are deleted when setting a static RP from the TMS zl Module. Example:
1. Open a CLI session.
2.
■ PR_38849 — An incorrect log entry is generated when logging in with a user authenticated by a RADIUS server:
1. Open the TMS zl Module web browser interface.
2. Log in correctly as a user associated with a previously created RADIUS user (for example, user1@tms.local).
3. Click the log out button.
4. Log in as Manager.
5. Go to the logging section.
6. Select the View Log tab.
7.
■ PR_40292 — When a user has a local account on the TMS zl Module and an account with the same name on the RADIUS server, the user is always authenticated against the local account and no attempt is made to contact the RADIUS server, even if the user name includes the realm, as in username@domain.
■ PR_40313 — When adding a RADIUS server, the NAS-ID field accepts script content as input, allowing script (code) injection into the RADIUS page of the web browser interface.
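PR_40313 describes a stored cross-site scripting pattern: a value an administrator types into the NAS-ID field is later rendered into the RADIUS page without encoding. The following is an added example, not HP code from the module, showing the defective rendering beside the hardened one. RFC 2865 defines NAS-Identifier only as an opaque string of at least 3 octets; the printable-ASCII allow-list and the 253-character cap are this example's assumed policy, the payload and server record are constructed.

```python
"""Stored-XSS via a RADIUS server's NAS-ID field (PR_40313) and its fix.

Added example, not HP code.  render_unsafe() reproduces the defect class
(stored value interpolated straight into HTML); render() applies output
encoding at the HTML boundary, and validate_nas_id() rejects junk at the
input boundary.  Both controls are used because validation alone is easy
to bypass when another code path writes the same field.
"""
import html
import re

# Assumed policy: RFC 2865 only requires >= 3 octets; we additionally
# restrict NAS-Identifier to hostname-like characters and cap the length.
_NAS_ID_OK = re.compile(r"[A-Za-z0-9._:-]{3,253}")


def validate_nas_id(value: str) -> str:
    """Return the value unchanged if it is an acceptable NAS-Identifier."""
    if not _NAS_ID_OK.fullmatch(value):
        raise ValueError("NAS-ID must be 3-253 characters from [A-Za-z0-9._:-]")
    return value


def render_unsafe(server: dict) -> str:
    """Defect: stored fields are interpolated verbatim into the page."""
    return f'<tr><td>{server["host"]}</td><td>{server["nas_id"]}</td></tr>'


def render(server: dict) -> str:
    """Fix: HTML-escape every stored field at the point of output."""
    return (f'<tr><td>{html.escape(server["host"])}</td>'
            f'<td>{html.escape(server["nas_id"])}</td></tr>')


# Constructed input: an attacker-chosen NAS-ID saved by an administrator.
PAYLOAD = '<script>alert(1)</script>'
SERVER = {"host": "10.0.0.5", "nas_id": PAYLOAD}

if __name__ == "__main__":
    print("unsafe:", render_unsafe(SERVER))
    print("fixed: ", render(SERVER))
    try:
        validate_nas_id(PAYLOAD)
    except ValueError as e:
        print("rejected on input:", e)
```

Escaping at output is the control that actually closes the hole; the input allow-list is defence in depth and also keeps the stored value usable as a RADIUS NAS-Identifier.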
time="2009-05-08 22:03:53" severity=critical pri=1 fw=ProCurve-TMS-zl-Module id=fw_l2l3_attack msg="FW: protocol value is not set, packets dropped" srczone=EXTERNAL src=192.168.70.100 srcport=0 dstzone=INTERNAL dst=192.168.70.100 dstport=0 proto=0 subfamid=protocolanomaly mtype=attack mid=659

■ PR_40662 — Log entries with mid=681 and mid=611 are marked as critical when they should not be considered critical.
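Two of the issues in these notes are things a log collector can compensate for: PR_42670 (firewall drop logs for broadcast traffic in monitor mode) and PR_40662 (mid=681 and mid=611 logged as critical). The following added example, not HP code, parses the module's key=value log format shown throughout this section and applies both corrections before the events reach a SIEM. The field names are the ones that appear in these release notes; the sample lines, the .255-destination heuristic for broadcast, and the downgrade-to-warning policy are this example's assumptions.

```python
"""Parse TMS zl Module key=value log lines and normalise two known quirks.

Added example, not HP code.  Sample lines are constructed in the field
layout shown in these release notes; values are made up.
"""
import re
from typing import Dict, List

# PR_40662: message IDs the notes say are wrongly classified as critical.
DOWNGRADE_MIDS = {"681", "611"}

# key=value, where value is either a "quoted string" (may contain spaces
# and escaped quotes) or a run of non-space characters.
_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_tms_line(line: str) -> Dict[str, str]:
    """Return the line's fields as a dict, with quoted values unquoted."""
    fields: Dict[str, str] = {}
    for key, raw in _TOKEN.findall(line):
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def is_broadcast_noise(f: Dict[str, str]) -> bool:
    """PR_42670: 'no access policy' drops for broadcast traffic in monitor
    mode.  Heuristic (assumption): a fw_access_control drop whose dst is
    the limited broadcast address or a .255 host is such noise."""
    if f.get("id") != "fw_access_control" or "packets dropped" not in f.get("msg", ""):
        return False
    dst = f.get("dst", "")
    return dst == "255.255.255.255" or dst.endswith(".255")


def effective_severity(f: Dict[str, str]) -> str:
    """PR_40662: downgrade the two over-rated attack mids on the collector."""
    sev = f.get("severity", "unknown")
    if (f.get("id") == "fw_l2l3_attack" and f.get("mid") in DOWNGRADE_MIDS
            and sev == "critical"):
        return "warning"
    return sev


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Parse each line, drop broadcast noise, attach a corrected severity."""
    kept = []
    for line in lines:
        f = parse_tms_line(line)
        if not f or is_broadcast_noise(f):
            continue
        f["effective_severity"] = effective_severity(f)
        kept.append(f)
    return kept


# Constructed sample lines (same field layout as the module's logs).
SAMPLE_LINES = [
    'time="2009-07-08 19:36:37" severity=warning pri=5 fw=ProCurve-TMS-zl-Module '
    'id=fw_access_control ruleid=0 msg="FW: no access policy found, packets dropped" '
    'srczone=ZONE6 src=10.255.134.37 srcport=137 dstzone=ZONE6 dst=10.255.135.255 '
    'dstport=137 proto=UDP',
    'time="2009-05-08 22:03:53" severity=critical pri=1 fw=ProCurve-TMS-zl-Module '
    'id=fw_l2l3_attack msg="FW: protocol value is not set, packets dropped" '
    'srczone=EXTERNAL src=192.168.70.100 srcport=0 dstzone=INTERNAL dst=192.168.70.100 '
    'dstport=0 proto=0 subfamid=protocolanomaly mtype=attack mid=659',
    'time="2009-05-08 22:04:10" severity=critical pri=1 fw=ProCurve-TMS-zl-Module '
    'id=fw_l2l3_attack msg="constructed attack log for mid 681" '
    'srczone=EXTERNAL src=192.168.70.101 srcport=4444 dstzone=INTERNAL dst=192.168.80.5 '
    'dstport=80 proto=TCP subfamid=protocolanomaly mtype=attack mid=681',
]

if __name__ == "__main__":
    for event in triage(SAMPLE_LINES):
        print(event["effective_severity"], event["id"], event.get("mid", "-"), event["msg"])
```

The broadcast filter is deliberately narrow (only fw_access_control drops) so that genuine attack events to a .255 address are not suppressed; widen it only after checking your own zone layout.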
The connection allocation must be deleted and recreated to change the direction.

■ PR_39730 — Using the Authenticated Firewall feature, the TMS zl Module could experience an httpd crash on malformed RADIUS packets coming from the trusted RADIUS server on the internal network.
■ PR_40534 — An error message is displayed after applying changes on an attack settings page.
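PR_39730 is the classic shape of a network-facing parser bug: a length field from the wire is trusted before the buffer is indexed. The following added example, not HP code, parses RADIUS framing per RFC 2865 (20-byte header, Length of 20 to 4096, attributes as Type/Length/Value with Length at least 2) and rejects every malformation before touching a byte, which is the discipline the module's httpd evidently lacked. It is written in Python for readability; the same checks are what a C implementation must perform. The packets are constructed; the attribute type numbers used (18 Reply-Message, 32 NAS-Identifier) are RFC 2865's.

```python
"""Defensive RADIUS packet parsing (RFC 2865 framing).

Added example, not HP code.  parse_radius() validates the header Length
and every attribute Length against the buffer before slicing, so a
malformed packet (even from a "trusted" server) yields a clean rejection
rather than an out-of-bounds read.  Test packets are constructed.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

RADIUS_HEADER_LEN = 20
RADIUS_MIN_LEN, RADIUS_MAX_LEN = 20, 4096
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_REPLY_MESSAGE, ATTR_NAS_IDENTIFIER = 18, 32


class MalformedRadius(ValueError):
    """Raised for any framing error; the caller logs and drops the packet."""


@dataclass
class RadiusPacket:
    code: int
    identifier: int
    authenticator: bytes
    attributes: List[Tuple[int, bytes]]


def parse_radius(datagram: bytes) -> RadiusPacket:
    """Parse one UDP payload, checking every offset before it is used."""
    if len(datagram) < RADIUS_HEADER_LEN:
        raise MalformedRadius(f"{len(datagram)}-byte datagram is shorter than the header")
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if not RADIUS_MIN_LEN <= length <= RADIUS_MAX_LEN:
        raise MalformedRadius(f"Length field {length} outside 20..4096")
    if length > len(datagram):
        # RFC 2865 section 3: a packet shorter than its Length is discarded.
        raise MalformedRadius(f"Length field {length} exceeds datagram of {len(datagram)} bytes")
    authenticator = datagram[4:RADIUS_HEADER_LEN]
    attrs: List[Tuple[int, bytes]] = []
    pos = RADIUS_HEADER_LEN
    while pos < length:  # bytes beyond Length are padding and are ignored
        if length - pos < 2:
            raise MalformedRadius(f"dangling attribute byte at offset {pos}")
        atype, alen = datagram[pos], datagram[pos + 1]
        if alen < 2:
            raise MalformedRadius(f"attribute {atype} has Length {alen} < 2")
        if pos + alen > length:
            raise MalformedRadius(f"attribute {atype} overruns packet by {pos + alen - length} bytes")
        attrs.append((atype, datagram[pos + 2:pos + alen]))
        pos += alen
    return RadiusPacket(code, ident, authenticator, attrs)


def safe_parse(datagram: bytes) -> Optional[RadiusPacket]:
    """What a daemon should do on bad input: drop it, never crash."""
    try:
        return parse_radius(datagram)
    except MalformedRadius:
        return None


def build_radius(code: int, ident: int, attrs: List[Tuple[int, bytes]],
                 authenticator: bytes = b"\x00" * 16) -> bytes:
    """Encode a packet; used here only to construct test input."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, RADIUS_HEADER_LEN + len(body)) + authenticator + body


def corrupt(data: bytes, offset: int, value: int) -> bytes:
    """Return a copy of data with one byte overwritten."""
    buf = bytearray(data)
    buf[offset] = value
    return bytes(buf)


# Constructed packets.
GOOD = build_radius(ACCESS_ACCEPT, 7, [(ATTR_REPLY_MESSAGE, b"welcome"),
                                       (ATTR_NAS_IDENTIFIER, b"tms-zl")])
BAD_ATTR_LEN = corrupt(GOOD, 21, 0xFF)          # first attribute claims 255 bytes
BAD_ATTR_TINY = corrupt(GOOD, 21, 0x01)         # attribute Length below minimum
BAD_PKT_LEN = struct.pack("!BBH", ACCESS_REJECT, 1, 4096) + b"\x00" * 16  # header only
TRUNCATED = GOOD[:10]

if __name__ == "__main__":
    for name, pkt in [("good", GOOD), ("bad attr len", BAD_ATTR_LEN),
                      ("bad pkt len", BAD_PKT_LEN), ("truncated", TRUNCATED)]:
        print(f"{name:13s}", "parsed" if safe_parse(pkt) else "dropped")
```

Note that the parser accepts trailing bytes beyond Length (RFC 2865 says to treat them as padding) but refuses a Length larger than the datagram; getting those two cases the right way round is exactly where hand-written C parsers tend to read past the buffer.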
time="2009-05-17 16:17:20" severity=warning pri=4 fw=ProCurve-TMS-zl-Module id=fw_l2l3_attack msg="IRC:Size of Message is more than MAX_IRCSIZE" srczone=INTERNAL src=192.168.80.100 srcport=39489 dstzone=EXTERNAL dst=192.168.70.100 dstport=6667 proto=TCP subfamid=intergritycheck mtype=attack mid=118

time="2009-05-17 16:11:58" severity=warning pri=4 fw=ProCurve-TMS-zl-Module id=fw_l2l3_attack msg="TFTP-ALG: Request size length exceeded Max size...
High Availability (HA)

■ PR_38143 — A better description should be added to the log message when the Participant leaves the Active-Standby configuration. The current message is as follows:

19:11:44" severity=info pri=6 fw=POSTMR id=hacl_vsrp msg="Detected device down" proto=VRRP masterid=2 vsrpstate="MASTER" clusterstatus="Disabled" mgmt_ipaddress="10.10.10.
Known Issues Release ST.1.0.090213

time="2009-04-15 16:14:04" severity=warning pri=4 fw=ProCurve-TMS-zl-Module id=fw_l2l3_attack msg="TCP: invalid ACK packet, packets dropped" srczone=INTERNAL src=192.168.80.5 srcport=60290 dstzone=INTERNAL dst=192.168.80.
■ PR_961 — The initial login banner text of the web browser interface in the TMS zl Module differs in size depending on whether the user is accessing it with HTTP or HTTPS. While noticeable, this difference in size does not impair functionality.
■ PR_1044 — From the TMS zl Module CLI, when a TMS zl Module is operating in Routing Mode using OSPF, the command show ip ospf neighbor has an output that is not the same as on an HP E switch that is running OSPF.
■ PR_4577 — When the CLI command show logging local is used with paging disabled, extra blank lines are seen. These blank lines should be ignored.
■ PR_4766 — When there are multiple syslog servers on the same IP address, differing by facility or port, the user is unable to delete the specific entry in question because only the syslog IP address is used for removing a syslog server.
■ PR_7723 — In the TMS zl Module CLI, an error message should be displayed and the entry rejected when an invalid mask value is used for IP Address/Mask when specifying an IP address for a VLAN. The user must carefully validate their input. In the following example the incorrect mask value (/2254) is accepted, and may result in the wrong subnet mask being used:

HP Switch(tms-module-D:config)# vlan 1 ip address 192.168.11.25/2254
Success: Set VLAN 1 IP address to: 192.168.11.25 255.255.252.
■ PR_8428 — Multicast routing is enabled after adding or editing multicast on a VLAN and refreshing the screen. If multicast routing is going to be configured and disabled until a later time, the user should always disable multicast routing as the last step, after configuring VLAN Settings. Example:
1. Launch the TMS zl Module's web browser interface.
2. Go to the Network section.
3. Select Routing.
4. Go to the Multicast tab.
5.
• Invalidly fragmented UDP packets

The TMS zl Module only detects invalidly fragmented UDP packets and generates a log with mid=1001 and msg="Jolt attack detected". This log message should identify the attack as jolt2. The TMS zl Module does not detect the following:
• Jolt, which sends very large fragmented ICMP packets to a target machine.
10. Again add VLAN 40 to the VLAN Association page.
Actual Result: VLAN 40 is displayed on the OSPF and Multicast pages.
Expected Result: VLAN 40 should only be displayed on the VLAN Associations page.

■ PR_11856 — When using the web browser interface, an error message is displayed when an attempt is made to set a valid IP address in some pages, such as RADIUS, IPsec Policies, and so forth.
session to be deleted. If IPS is enabled, the TMS zl Module forwards the RST packet to IPS. After IPS finishes processing the packet, the TMS zl Module gets the RST packet back. Since the TMS zl Module has already marked the session to be deleted and the RST timeout value is 0, the RST packet is not forwarded to the peer and is dropped. The problem only happens for RST packets. Setting the RST timeout value to something other than zero avoids this issue.
■ PR_13560 — When a user in a TMS zl Module CLI session copies the startup-config file to an FTP server while the ALG for FTP is disabled, the copy command appears to hang. After about 60 seconds, the copy command times out and the user session can be recovered. Example:
1. Open a TMS zl Module CLI session.
2. Disable alg ftpv4:
   HP Switch(tms-module-D:config)# no alg ftpv4
3.
■ PR_14823 — When adding a VLAN to a zone, the log displays two entries with the exact same message, but containing a different priority. The message describes the routing interface coming up. For example, if VLAN 50 is added to a zone, the following two log messages are created:

time="2008-12-12 13:14:24" severity=warning pri=4 fw=ProCurve-TMS-zl-Module id=routing msg="if_rtup: UP route for interface vlan50 10.10.10.1/255.255.
The protocol and the port number of the custom connection timeout should be updated, but they are not.

■ PR_15462 — The VLAN name is not checked for special characters. If a VLAN name is created with special characters, problems can occur when the VLAN name is displayed in the web browser interface. The workaround is to use alphanumeric VLAN names, avoiding spaces and characters such as: @, #, $, ^, &, *, (, and ).
■ PR_18145 — In the web browser interface, if a VLAN is added with an invalid IP address in the range 224.0.0.0 - 254.255.255.255, an error is returned stating "VLAN could not be added. Failed to add VLAN IP address", but the VLAN is actually added, although not associated with any zone. In the CLI, the error message only states: Error: Failed to set VLAN IP address:
■ PR_18197 — The web browser interface Help incorrectly states the number of VLAN associations supported as 21.
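PR_7723 (a prefix length of /2254 silently turned into some mask) and PR_18145 (a multicast or reserved address accepted and the VLAN half-created) are both missing input validation on the VLAN address/mask field. The following added example, not HP code, shows the validation the notes say should happen: reject an out-of-range prefix rather than guessing a mask, and refuse any address that cannot be a unicast host on the interface. It uses Python's standard ipaddress module; the exact set of rejected address classes is this example's policy, chosen to cover the 224.0.0.0 - 254.255.255.255 range the notes mention.

```python
"""Validate a VLAN 'address/prefix' string before it reaches the device.

Added example, not HP code.  Covers PR_7723 (bad prefix length must be
rejected, not reinterpreted) and PR_18145 (multicast/reserved addresses
must be rejected before the VLAN is created).
"""
import ipaddress
from typing import Tuple

_LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def parse_vlan_address(text: str) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Network]:
    """Return (host address, network) or raise ValueError with the reason."""
    if "/" not in text:
        raise ValueError("expected address/prefix, for example 192.168.11.25/22")
    addr_part, _, prefix_part = text.partition("/")
    # PR_7723: '/2254' was accepted and silently mapped to a mask.  Check the
    # prefix length explicitly so the user sees the real reason for rejection.
    if not prefix_part.isdigit() or not 0 <= int(prefix_part) <= 32:
        raise ValueError(f"invalid prefix length '/{prefix_part}': must be 0-32")
    try:
        iface = ipaddress.IPv4Interface(text)
    except (ipaddress.AddressValueError, ipaddress.NetmaskValueError, ValueError) as e:
        raise ValueError(f"invalid address '{addr_part}': {e}") from None
    ip = iface.ip
    # PR_18145: 224.0.0.0-254.255.255.255 was accepted by the web UI.
    # is_multicast covers 224/4, is_reserved covers 240/4 (incl. 254.x.x.x).
    if ip.is_multicast or ip.is_reserved or ip == _LIMITED_BROADCAST:
        raise ValueError(f"{ip} is not a unicast host address")
    if ip.is_unspecified or ip.is_loopback:
        raise ValueError(f"{ip} cannot be assigned to a VLAN interface")
    net = iface.network
    # On /31 both addresses are hosts (RFC 3021); otherwise the network and
    # broadcast addresses are not assignable.
    if net.prefixlen < 31 and ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{ip} is the network or broadcast address of {net}")
    return ip, net


def vlan_address_error(text: str) -> str:
    """Empty string when valid, otherwise the rejection reason (UI/CLI friendly)."""
    try:
        parse_vlan_address(text)
        return ""
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    # Constructed inputs, including the exact string from PR_7723.
    for candidate in ["192.168.11.25/2254", "192.168.11.25/22", "224.0.0.1/24",
                      "254.255.255.255/24", "192.168.11.0/24", "10.0.0.1/31"]:
        err = vlan_address_error(candidate)
        print(f"{candidate:22s}", "OK" if not err else f"REJECT: {err}")
```

Checking the prefix length before handing the string to ipaddress matters for the error message: the library would also reject "/2254", but with a generic netmask error, whereas the explicit check tells the operator exactly which part of their input was wrong.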
Expected Result: The access policy should be added in the first position.
Actual Result: An error message is displayed but the policy is added.

■ PR_8074 — When a new named object (for example, an Address Object, Service Object, and so on) is added, a log entry is generated referring to an IPDB record modified. This simply means that the IP database that keeps track of these objects was modified.
■ PR_12598 — In the web browser interface, address objects and address groups can be added using the same name. This results in ambiguity when adding an access policy. To prevent such ambiguity, make sure address objects and address groups have unique names. Service objects and service groups should also have unique names.
■ PR_38217 — When setting up an IPsec policy with a Key Exchange of Manual, it is possible to specify an SPI number that is already in use by another IPsec policy and it is not detected. Duplicate SPI numbers across IPsec policies are not allowed and an error needs to be displayed.
■ PR_38218 — Cannot change a bypass or ignore policy to apply with key exchange method manual. Workaround: Delete the policy and add a new one.
1. Open the switch management web browser interface.
2. Select the Configuration tab.
3. In the Device View page in the switch web browser interface, press the Details link on the TMS zl Module.
Expected Results: the link should direct the user to the management IP address.
Actual Results: the link directs the user to the High Availability IP address.
In the output, the Last Signature Download field appears as None even though the signatures were synchronized.

■ PR_14823/14916 — When using the TMS zl Module CLI, the high-availability command lists a rebalance option that is not valid for Active/Standby mode. In the web browser interface for High Availability, a rebalance button is also present.
■ PR_17758 — In monitor mode, when IPS full inspection is turned on and the FTP ALG is turned off, sending an FTP copy of the startup configuration to the network fails with a broken pipe error.