Changes from EnterNet FireWall v6.01 to Clavister Firewall v6.02

Release date: 2001-10-31 (ISO date format)

This document outlines bug fixes as well as improvements for each component.
It also contains information about features and/or changes that did not make it into the user's guide before it was printed.

  • New files installed by v6.02
  • How to upgrade a v6.0x firewall to v6.02
  • Firewall Core: Changes, Bug Fixes, Known Bugs / Problems
  • VPN Core: Changes, Bug Fixes, Known Bugs / Problems

    For future reference: This document is stored in the "Docs" sub-folder of your Firewall Manager install folder.  


     New files installed by v6.02

    This is a list of the files that are new to the v6.02 release. All paths are relative to your Firewall Manager install folder.

    • Cores/fwc_602.exe
      This is the v6.02 standard firewall core. Upload it to your existing (standard) firewall, or create new boot media with it.
      Note: VPN firewalls should, as always, use the VPN core file, below.

    • Cores/fwc_602v.exe
      This is the v6.02 VPN firewall core. Upload it to your existing (VPN) firewall, or create new boot media with it.
      Note: This file is not installed by the standard installation package, as only licensed users have access to it. Rather, it is available as a separate installation package (typically a Clavister Upgrader package).

    • Docs/Changes-6.01-to-6.02.htm
      This document.


     How to upgrade a v6.0x firewall to v6.02

    Upgrading a v6.0x firewall to v6.02 is completely straightforward; nothing has changed in configuration compatibility.
    Simply upload the new core, "fwc_602.exe", to your firewall and restart it.

    Note: VPN firewalls should use the VPN core, "fwc_602v.exe". Uploading a standard core to a VPN firewall will, as always, disable VPN functionality and very likely render the firewall unable to operate, as it will not understand its configuration file.  


     Firewall Core Changes

    None.


     Firewall Core Bug Fixes

    • Allowing 'ALL' didn't allow everything
      Issue: "Allow", "NAT" and "FwdFast" rules regarding the protocol "ALL" should pass all 256 possible IP protocols. This was not the case. Only TCP, UDP, ICMP, AH and ESP were actually passed.
      Affects: Firewall Core v6.00 -- v6.01
      Results: Allowing "ALL" and expecting, for instance, "GRE" to be passed, failed. One had to add an explicit rule to pass IP protocols other than the above.
      Fix: Allowing "ALL" protocols will now pass all possible 256 IP protocols.

    • Spurious freezes/crashes on file access fixed
      Issue: Some systems have occasionally frozen or crashed when the file system is accessed after the firewall core has been operational. The likelihood of this occurring increased with time since last reboot, traffic load, and a few other factors. Fortunately, Clavister Firewall does not access its file system during uninterrupted operation; it only does so during configuration uploads and restarts, a fact which has mitigated the problem for affected users.
      Affects: Firewall Core v6.00 -- v6.01
      Fix: This problem has been resolved in v6.02 and v7.00.

    • Typo in 'event=unexpected_tcp_flags' syslog message
      Issue: Values in Clavister Firewall syslog messages should, if they contain spaces, be quoted by double quotes. The "flags" value in the "event=unexpected_tcp_flags" event was erroneously quoted using single quotes:
          event=unexpected_tcp_flags flags='syn ack'
      Affects: Firewall Core v6.00 -- v6.01
      Results: None, unless you've written your own syslog parser that doesn't understand single-quoted values.
      Fix: Firewall Core v6.02 and v7.00 now use double quotes when quoting this value.
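If you keep your own syslog parser, as the "Results" line mentions, the practical consequence of this fix is that logs written before and after the core upgrade quote the same value differently. The following is an added example (not Clavister code) of a key=value parser that accepts double-quoted, single-quoted and bare values, so one parser handles both forms; the sample lines are constructed here, not captured from a firewall.

```python
"""Tolerant key=value parser for Clavister-style syslog event lines.

Added example, not Clavister code. Cores before v6.02 quote the 'flags'
value of unexpected_tcp_flags with single quotes; v6.02 and v7.00 use
double quotes. The parser accepts both, plus bare values, so logs from
either side of the upgrade can be processed by the same code.
"""
import re
from collections import Counter

# One token is key=value where value is double-quoted, single-quoted, or bare.
_TOKEN = re.compile(r'''(\w+)=(?:"([^"]*)"|'([^']*)'|(\S*))''')


def parse_event(line: str) -> dict:
    """Return the key/value pairs of one event line as a dict."""
    fields = {}
    for m in _TOKEN.finditer(line):
        key, dq, sq, bare = m.groups()
        if dq is not None:
            fields[key] = dq
        elif sq is not None:
            fields[key] = sq
        else:
            fields[key] = bare
    return fields


def unexpected_flag_events(lines):
    """Yield (flags, fields) for every unexpected_tcp_flags event in lines."""
    for line in lines:
        fields = parse_event(line)
        if fields.get("event") == "unexpected_tcp_flags":
            yield fields.get("flags", ""), fields


def summarize_unexpected_flags(lines):
    """Count unexpected_tcp_flags events by flags value, whatever the quoting style."""
    return Counter(flags for flags, _ in unexpected_flag_events(lines))


# Constructed sample lines (not real firewall output): one in the pre-v6.02
# single-quoted form, one in the corrected form, and one unrelated event.
SAMPLE_LINES = [
    "event=unexpected_tcp_flags flags='syn ack' srcip=10.0.0.1",
    'event=unexpected_tcp_flags flags="syn ack" srcip=10.0.0.2',
    "event=conn_open proto=tcp srcip=10.0.0.3",
]

if __name__ == "__main__":
    print(summarize_unexpected_flags(SAMPLE_LINES))
</test>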

    • Erroneous 'usage' values reported via syslog
      Issue: Interface throughput values in 'usage' syslog messages have been completely wrong.
      Affects: Firewall Cores before v6.02
      Results: Most likely none, unless you've written your own syslog parser to do further processing on usage entries.
      Fix: Firewall Core v6.02 and v7.00 report correct interface throughput values in usage entries.


     Firewall Core Known Bugs / Problems

    • State engine is overly strict during TCP initial handshake
      Issue: The state engine currently requires strict conformance to the "SYN", "SYN/ACK", "ACK" initial TCP handshake pattern (possibly with resends). However, some operating systems will respond to resent SYNs with a plain "ACK", which the state engine will not accept.
      Affects: All Firewall Cores, from v5.1
      Results: This may lead to failed connections between certain operating systems, if packet loss occurs in the "right" place during the handshake. The firewall will also send "LogStateViolations" log events regarding "SYN ACK" flags at a later point in the handshake.
      Fix: This problem will be addressed in a future release.
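To make the failure mode concrete, here is an added example (not the Clavister state engine) of a small handshake tracker run over a constructed trace in which the server's SYN/ACK is lost on its way to the client, the client resends its SYN, and the server answers the duplicate SYN with a bare ACK before retransmitting SYN/ACK. The strict variant only accepts SYN, SYN/ACK, ACK (with resends); the tolerant variant also accepts the server's bare ACK. This model assumes that a tracker discards the connection state after a violation, which is what makes the later SYN/ACK show up as a second violation and the connection fail.

```python
"""Model of a stateful TCP handshake tracker, strict versus tolerant.

Added example; it is not the Clavister state engine. Model assumption: a
tracker that sees a state violation drops the segment, logs it and discards
the connection's state, so later segments of that connection are refused too.
"""

SYN, ACK = "syn", "ack"


class HandshakeTracker:
    def __init__(self, tolerant=False):
        self.tolerant = tolerant
        self.state = "NEW"
        self.violations = []  # (state, direction, flags) of refused segments

    def packet(self, direction, flags):
        """Feed one segment. direction is 'c2s' or 's2c'; flags is a set of flag names."""
        flags = frozenset(flags)
        st = self.state
        ok = False
        if st == "NEW" and direction == "c2s" and flags == {SYN}:
            self.state, ok = "SYN_SENT", True
        elif st == "SYN_SENT":
            if direction == "c2s" and flags == {SYN}:            # client resend
                ok = True
            elif direction == "s2c" and flags == {SYN, ACK}:
                self.state, ok = "SYN_RCVD", True
        elif st == "SYN_RCVD":
            if direction == "c2s" and flags == {SYN}:            # client never saw SYN/ACK
                ok = True
            elif direction == "s2c" and flags == {SYN, ACK}:     # server resend
                ok = True
            elif direction == "c2s" and flags == {ACK}:
                self.state, ok = "ESTABLISHED", True
            elif direction == "s2c" and flags == {ACK} and self.tolerant:
                # Some stacks answer a duplicate SYN with a bare ACK. The tolerant
                # tracker treats it as a harmless duplicate and keeps waiting for
                # the client's final ACK.
                ok = True
        elif st == "ESTABLISHED":
            ok = SYN not in flags
        if not ok:
            self.violations.append((st, direction, " ".join(sorted(flags))))
            self.state = "CLOSED"  # model assumption: state discarded on violation
        return ok


# Constructed trace: SYN/ACK lost after the firewall, client resends SYN,
# server answers with a bare ACK, then retransmits SYN/ACK.
LOSSY_HANDSHAKE = [
    ("c2s", {SYN}),
    ("s2c", {SYN, ACK}),   # passes the firewall, lost before the client
    ("c2s", {SYN}),        # client resend
    ("s2c", {ACK}),        # bare ACK to the duplicate SYN
    ("s2c", {SYN, ACK}),   # server's SYN/ACK retransmission
    ("c2s", {ACK}),        # would complete the handshake
]


def run(trace, tolerant=False):
    """Return (final state, per-segment verdicts, logged violations)."""
    tracker = HandshakeTracker(tolerant)
    verdicts = [tracker.packet(direction, flags) for direction, flags in trace]
    return tracker.state, verdicts, tracker.violations


if __name__ == "__main__":
    for mode in (False, True):
        print("tolerant" if mode else "strict", run(LOSSY_HANDSHAKE, mode))
```

In the strict run the bare ACK is the first logged violation and the retransmitted SYN/ACK the second, matching the "SYN ACK" log events the text describes at a later point in the handshake; the tolerant run reaches ESTABLISHED without logging anything.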

    • DEC/Intel Tulip driver may fail to attach during high traffic
      The DEC/Intel Tulip chipset NIC driver may fail to attach on some systems if it receives a large number of packets during the attach phase.
      We currently do not know the exact circumstances under which this may occur. It appears that this only occurs on hardware that has PCI bus problems in general. However, this is only a preliminary observation.
      The matter is being researched.


     VPN Core Changes

    None.


     VPN Core Bug Fixes

    • Memory leak fixed
      Issue: A small amount of memory was sometimes leaked during key management, i.e. when new SAs are negotiated.
      Results: With many VPN connections opening and closing, especially with short lifetimes, all available RAM will sooner or later be consumed, leading to a reboot.
      Affects: All VPN gateways v5.11V -- v6.01V.
      Fixed: in v6.02V and v7.00.01V.

    • Key lengths were transmitted for ciphers with fixed key lengths
      Issue: During IKE negotiation, key lengths for ciphers with fixed key lengths were transmitted, even though they shouldn't be.
      Results: In situations where the Clavister VPN Gateway initiated SA negotiation, some IPsec implementations would not accept such proposals.
      Affects: All VPN gateways v5.11V -- v6.01V.
      Fixed: in v6.02V and v7.00.01V.
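The interoperability point here is the IKE Key Length attribute, which RFC 2409 defines for ciphers whose key size is variable (AES, Blowfish, CAST) and which has no meaning for DES or 3DES. The following is an added example (not Clavister code) that builds the phase-1 encryption attributes of one proposal both ways, with a flag reproducing the pre-v6.02 behaviour, and a model of a strict peer that rejects a proposal carrying Key Length for a fixed-key cipher. Attribute numbers follow RFC 2409 Appendix A and RFC 3602; the Data Attribute wire format is RFC 2408 section 3.3; the choice of phase 1 rather than the IPsec DOI is this example's, since the text only says "during IKE negotiation".

```python
"""IKEv1 phase-1 transform attributes with and without Key Length.

Added example, not Clavister code. Attribute numbers: RFC 2409 Appendix A
(Encryption Algorithm = 1, Key Length = 14) and RFC 3602 (AES-CBC = 7).
Only the attribute list is built, not the Transform/Proposal/SA headers.
"""
import struct

ENCRYPTION_ALGORITHM = 1
KEY_LENGTH = 14

DES_CBC, TRIPLE_DES_CBC, AES_CBC = 1, 5, 7
# Ciphers whose key size is fixed by the algorithm itself.
FIXED_KEY_CIPHERS = {DES_CBC, TRIPLE_DES_CBC}


def encode_basic_attr(attr_type, value):
    """Basic (TV) data attribute: AF bit set, 15-bit type, 16-bit value."""
    return struct.pack("!HH", 0x8000 | attr_type, value)


def decode_attrs(data):
    """Decode a run of basic attributes into (type, value) pairs."""
    attrs, off = [], 0
    while off + 4 <= len(data):
        t, v = struct.unpack_from("!HH", data, off)
        if not t & 0x8000:
            raise ValueError("TLV attributes are not handled in this example")
        attrs.append((t & 0x7FFF, v))
        off += 4
    if off != len(data):
        raise ValueError("trailing bytes after last attribute")
    return attrs


def phase1_attrs(enc_alg, key_bits=None, always_send_key_length=False):
    """Encryption-algorithm attribute plus Key Length only where it belongs.

    always_send_key_length=True reproduces the pre-v6.02 behaviour described
    above: Key Length is sent even for DES/3DES, whose key sizes are fixed.
    """
    attrs = [encode_basic_attr(ENCRYPTION_ALGORITHM, enc_alg)]
    if enc_alg not in FIXED_KEY_CIPHERS:
        if key_bits is None:
            raise ValueError("variable-length cipher needs key_bits")
        attrs.append(encode_basic_attr(KEY_LENGTH, key_bits))
    elif always_send_key_length:
        attrs.append(encode_basic_attr(KEY_LENGTH, key_bits or 0))
    return b"".join(attrs)


def strict_peer_accepts(data):
    """Model of a peer that rejects proposals whose Key Length use is wrong."""
    attrs = dict(decode_attrs(data))
    enc = attrs.get(ENCRYPTION_ALGORITHM)
    if enc is None:
        return False
    has_key_length = KEY_LENGTH in attrs
    # Fixed-key cipher: Key Length must be absent. Variable: it must be present.
    return has_key_length != (enc in FIXED_KEY_CIPHERS)


if __name__ == "__main__":
    buggy = phase1_attrs(TRIPLE_DES_CBC, key_bits=192, always_send_key_length=True)
    fixed = phase1_attrs(TRIPLE_DES_CBC)
    print("pre-v6.02 3DES proposal accepted:", strict_peer_accepts(buggy))
    print("v6.02V 3DES proposal accepted:   ", strict_peer_accepts(fixed))
```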

    • 'IkeSnoop' missed the first outbound packet
      Issue: The output of the 'ikesnoop' console command used to miss the first packet in an IKE negotiation that was sent by the VPN gateway itself.
      Affects: VPN gateways v6.00V and v6.01V.
      Fixed: in v6.02V and v7.00.01V.


     VPN Core Known Bugs / Problems

    • Fragmented IKE packets are dropped
      If an IKE packet sent to the VPN gateway is fragmented, either during transport or by the originator, it will be dropped.
      Typically, this is not a problem, as IKE packets tend to be only a few hundred bytes in length, well below the MTU of commonly used network types. However, it will be addressed in a future release.
      Workaround: If this behavior causes problems, you may try decreasing the size of your proposal lists, which will decrease the IKE UDP datagram size.