Clavister Firewall Changes from v8.50.00 to v8.50.01

Release date: 2005-02-22 [ISO]

Users upgrading from v7.0x or earlier should read changes-7.0x.xx-to-8.00.02.html first.

Version 8.50.01 contains bug fixes to the Firewall Core and the Firewall Manager. This document outlines bug fixes as well as improvements for each component.

The upgrade procedures in this document refer to upgrades from earlier v8.0x installations.

  • Files installed by v8.50.01
  • How to upgrade earlier v8.0x firewalls to v8.50.01
  • How to upgrade v6.0x/v7.0x firewalls to v8.0x
  • HA upgrade procedure
  • Firewall Manager: [Changes] [Bug Fixes]
  • Firewall Core: [Bug Fixes] [Known Problems / Bugs]

    For future reference: This document is stored in the "Docs" sub-folder of your Firewall Manager install folder.

    Change logs / release notes for earlier versions of Clavister Firewall are available in the release notes section of www.clavister.com/support.



     Summary of changes and bug fixes                       

    Firewall Manager
      Change: Passwords, user names, PSKs etc may now contain backslashes and quotes
      Bug fix: OSPF "Aggregate Network" field would only accept single hosts
      Bug fix: L2TP/PPTP servers could not specify VLAN interfaces in Proxy ARP settings
      Bug fix: Rules: Changing service from "All" to something else via [...] button would cause crash

    Firewall Core
      Bug fix: Configuring overly large IP address pool in L2TP/PPTP server would cause crash
      Bug fix: Intel e1000 NIC link problems (gigabit ports in all Clavister appliances)
      Bug fix: Unable to log in via serial / physical console
      Bug fix: User authentication timeouts not reset by traffic passing through FwdFast rules
      Bug fix: PPPoE tunnels failing to establish might cause tunnel limit to be reached
      Bug fix: DSA certificates would not work in IPsec
      Known problem: IPsec: Compatibility issue with MS IPsec NAT Traversal
      Bug fix: PPTP and L2TP tunnels not usable in HA setups
      Bug fix: Loopback interfaces not usable in HA setups
      Known problem: HA: No state synchronization for ALGs
      Known problem: HA: Tunnels unreachable from inactive node
      Known problem: HA: No state synchronization for L2TP and PPTP



     Files installed by v8.50.01                       
    This is a list of files that are new to the v8.50.01 release. All paths are relative to your Firewall Manager install folder.
    » Cores/fwc-8.50.01-full.cfx
    This is the v8.50.01 full firewall core. Upload it to your existing firewall, or create new boot media with it. It contains all available functionality.
    » Cores/fwc-8.50.01-mini.cfx
    This is a version of the v8.50.01 core with certain features removed. It is less than half the size of the full version. The features removed are:
    - IPsec VPN
    - The H.323 Application Layer Gateway
    - OSPF
    » Docs/changes-8.50.00-to-8.50.01.html
    This document.
    » FWMgr8.exe
    This is the v8.50.01 Firewall Manager. Earlier version 8 Firewall Managers will be backed up with the extensions ".old1" and ".old2".


     How to upgrade earlier v8.0x firewalls to v8.50.01                       
    Upgrading a previous v8.0x firewall to v8.50.01 is completely straightforward.
    Simply upload the new core, "fwc-8.50.01-full.cfx", to your firewall and restart it.
    (Alternatively, upload the "-mini" version if the removed functionality is not required.)


     HA upgrade procedure                       
    Note: For upgrades from v7.x HA clusters, first follow the HA upgrade procedures outlined in changes-7.0x.xx-to-8.00.02.html.

    Note: Upgrades from versions prior to v8.40.01: Upgrading directly to v8.50.00 or later from a version prior to v8.40.01 will lead to loss of state synchronization. All open states will be closed as a result of the upgrade. If this is acceptable, continue with the upgrade as described below. Otherwise, first upgrade to v8.40.01 or a later v8.4x core and then upgrade to v8.50.01.

    Simply upload the new firewall core file to the firewalls in your cluster and make sure that the first upload and restart is successful before uploading to the second firewall.

    We recommend beginning with the firewall that is currently active, even though this will necessitate two failovers. The reason for this is that ALG sessions are not synchronized.

      The "immediate availability" method
    • Upload the core to the currently active firewall ("firewall A") and restart it.
    • Issue a 'reconfigure' on the firewall B to rapidly fail back to the now upgraded firewall A. Make sure firewall A functions properly.
    • Upload the core to firewall B and restart it.
    • End result: Firewall A is now the active node, just as it was before the upgrade procedure.

    Note that this leaves the second firewall untested, even though it most likely will work just as well as the first firewall. If you want to specifically test the second firewall, you can:
    1) cause two failovers manually,   or
    2) connect to it via e.g. the remote console just to make sure it's running,   or
    3) if ALG and tunnel synchronization is not a concern, follow this procedure:

      The "long-term safe" procedure:
    • Upload the core to the currently inactive firewall ("firewall B") and restart it.
    • Issue a 'reconfigure' on firewall A. This causes failover to firewall B. Make sure firewall B functions properly.
    • Upload the core to firewall A and restart it.
    • Issue a 'reconfigure' on firewall B to fall back to firewall A. Make sure firewall A functions properly.
    • End result: Firewall A is now the active node, just as it was before the upgrade procedure.
    Note that the "availability" issues affect only synchronization of ALGs and tunnels; there is more information about this in the Known Problems section. All other states are, as usual, fully synchronized and not affected in either procedure.


     Firewall Manager Changes                       
    Passwords, user names, PSKs etc may now contain backslashes and quotes
        Change: As of v8.50.00, passwords, user names and PSKs may contain backslashes and quotes. This was previously not allowed.
        This is particularly useful when the firewall needs to interact with Microsoft Active Directory without a configured "default domain", in which case one often needs to use the "DOMAIN\username" syntax in user names.
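    The change above matters because a backslash or a quote inside a credential is also a metacharacter in most quoted, line-oriented configuration formats. The following is an added example, not Clavister code and not the product's configuration grammar: it uses an assumed key="value" format to show what goes wrong when such a value is written unescaped (a DOMAIN\username silently loses its backslash, an embedded quote terminates the string early) and how an escaping serializer with a matching parser round-trips the value intact.

```python
# Added example (not part of the Clavister release notes, not Clavister code).
# Shows why a credential containing a backslash or a quote must be escaped
# when it is written into a line-oriented, double-quoted configuration format.
# The key="value" grammar below is an assumed stand-in, not the product's own.
import re
from typing import Tuple

# A value is a run of non-special characters or backslash-escaped pairs.
LINE_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def naive_serialize(key: str, value: str) -> str:
    """Pre-fix behaviour: the value is dropped between the quotes unchanged."""
    return f'{key}="{value}"'


def escape(value: str) -> str:
    """Escape backslashes first so the quote escape added next is not re-escaped."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def serialize(key: str, value: str) -> str:
    """Escaped form: any value survives the round trip through parse_line()."""
    return f'{key}="{escape(value)}"'


def parse_line(line: str) -> Tuple[str, str]:
    """Read key="..." back, honouring backslash escapes; reject trailing junk."""
    m = LINE_RE.fullmatch(line)
    if m is None:
        raise ValueError(f"malformed config line: {line!r}")
    raw = m.group(2)
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\":
            i += 1                      # the character after a backslash is literal
        out.append(raw[i])
        i += 1
    return m.group(1), "".join(out)


def roundtrip_ok(key: str, value: str) -> bool:
    """True when serialize() followed by parse_line() returns the input unchanged."""
    return parse_line(serialize(key, value)) == (key, value)


def naive_outcome(key: str, value: str) -> str:
    """What happens when the unescaped line is read back: ok, lossy or malformed."""
    try:
        parsed = parse_line(naive_serialize(key, value))
    except ValueError:
        return "malformed"              # an embedded quote ended the string early
    return "ok" if parsed == (key, value) else "lossy"


if __name__ == "__main__":
    for key, value in [("user", "CORP\\alice"), ("psk", 'say "hi"'), ("user", "alice")]:
        print(f"{value!r}: naive={naive_outcome(key, value)}, escaped ok={roundtrip_ok(key, value)}")
```

    The "malformed" case is the benign outcome; a more lenient parser that does not insist on matching the whole line would instead accept the quote-terminated fragment and treat the remainder as further configuration, which is the injection risk the escaping removes.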



     Firewall Manager Bug Fixes                       
    OSPF "Aggregate Network" field would only accept single hosts
        Problem: The "Aggregate Network" field in the OSPF configuration is used to combine several small routes matching the given aggregate route into a single announcement for that aggregate. This parameter could only be given as a single host.
        Affects: Firewall Manager v8.50.00
        Fix: Fixed in v8.50.01
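    To make concrete what the field does, and why a single host is useless there, the following is an added example (not Clavister code; the OSPF process itself is not modelled). Given the routes known in an area and an aggregate prefix, routes inside the aggregate are suppressed in favour of one summary announcement, routes outside it pass through unchanged. The route list is constructed for the illustration, and the validator rejects an aggregate with host bits set.

```python
# Added example (not part of the Clavister release notes, not Clavister code).
# Models what an OSPF "Aggregate Network" does: routes that fall inside the
# aggregate are withdrawn and replaced by one summary announcement, routes
# outside it are announced unchanged. Sample routes below are constructed.
import ipaddress
from typing import Iterable, List, Tuple


def parse_aggregate(text: str):
    """Accept a network (e.g. 10.1.0.0/16); reject host bits such as 10.1.3.0/16."""
    return ipaddress.ip_network(text, strict=True)


def is_valid_aggregate(text: str) -> bool:
    """Config sanity check: is this a proper network prefix?"""
    try:
        parse_aggregate(text)
        return True
    except ValueError:
        return False


def aggregate_routes(routes: Iterable[str], aggregate: str) -> Tuple[List[str], List[str]]:
    """Return (announced, suppressed) prefixes for the given aggregate."""
    agg = parse_aggregate(aggregate)
    suppressed, announced = [], []
    for text in routes:
        net = ipaddress.ip_network(text, strict=True)
        if net.version == agg.version and net.subnet_of(agg):
            suppressed.append(net)       # covered: folded into the summary
        else:
            announced.append(net)        # outside the aggregate: unchanged
    if suppressed:
        announced.append(agg)            # one summary for everything covered
    return sorted(map(str, announced)), sorted(map(str, suppressed))


# Constructed sample: three /24s under 10.1.0.0/16 plus two unrelated routes.
AREA_ROUTES = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.2.0.0/24", "192.168.0.0/24"]

if __name__ == "__main__":
    print(aggregate_routes(AREA_ROUTES, "10.1.0.0/16"))
    # A /32 (all the v8.50.00 Manager field would accept) covers nothing but
    # itself, so every route is still announced individually:
    print(aggregate_routes(AREA_ROUTES, "10.1.0.0/32"))
```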

    L2TP/PPTP servers could not specify VLAN interfaces in Proxy ARP settings
        Issue: L2TP and PPTP servers may be configured to publish the IP address of incoming clients on one or more interfaces via Proxy ARP to assist in scenarios where the clients are assigned IP addresses that actually belong on one (or more) of the directly attached LANs.
        Problem: Proxy ARP on VLAN interfaces could not be configured. Proxy ARP on "ALL" interfaces (which would automatically include VLAN interfaces) would however work.
        Affects: Firewall Manager v8.50.00.
        Fix: Fixed in v8.50.01

    Rules: Changing service from "All" to something else via [...] button would cause crash
        Issue: If the service of a rule was set to the built-in service "All", clicking the "[...]" button to change it to something else would cause the Firewall Manager to crash.
        Affects: Firewall Manager v8.50.00.
        Fix: Fixed in v8.50.01



     Firewall Core Bug Fixes                       
    Configuring overly large IP address pool in L2TP/PPTP server would cause crash
        Problem: Configuring an IP pool larger than the total RAM could hold, e.g. "0.0.0.0/0" or an entire class A network (16 million addresses), would lead to a crash.
        Affects: Clavister Firewall v8.50.00
        Fix: As of v8.50.01, the pool size is limited to 1 million addresses. Configuring a pool larger than that will lead to a warning message and the pool being set to zero length.

    Intel e1000 NIC link problems (gigabit ports in all Clavister appliances)
        Issue: Some Intel e1000 series chips would have link problems establishing or maintaining link with some equipment.
        Affects: Clavister Firewall v7.00 and up.
        Fix: Fixed in v8.40.05 and v8.50.01.

    Unable to log in via serial / physical console
        Issue: The serial console (and the physical console, on non-appliance hardware) may be password protected.
        Problem: A change in v8.50.00 broke the routine responsible for receiving the password from the serial port / local keyboard.
        Results: If a console password had been set, one would be unable to login using the serial (and physical) console. Firewall Manager use would not be affected.
        Affects: Clavister Firewall v8.50.00.
        Fix: Fixed in v8.50.01.

    User authentication timeouts not reset by traffic passing through FwdFast rules
        Issue: When a user authenticated to the firewall has an "idle timeout" configured, it should be reset by traffic passing through the firewall.
        Problem: The idle timeout was only reset by traffic permitted by "Allow" and "NAT" rules, i.e. state-tracked connections, and not by traffic permitted statelessly by "FwdFast" rules.
        Result: If all traffic for a logged-on user was permitted by FwdFast rules, they would be logged out when the "idle timeout" period expired, regardless of whether they were sending traffic through the firewall.
        Affects: Clavister Firewall v8.10.00 and up.
        Fix: Fixed in v8.40.05 and v8.50.01.
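    The failure mode is easy to miss in a review because the stateless path forwards the traffic correctly; only the side effect on the authentication table is absent. The following is an added toy model, not Clavister code: it keeps an authentication table keyed by source IP, forwards packets under the rule actions named in the text, and runs the same one-hour traffic pattern through the pre-fix and post-fix behaviour. The timeout value, table layout and traffic pattern are assumptions for the illustration.

```python
# Added example (not part of the Clavister release notes, not Clavister code).
# A toy model of the idle-timeout bug: an authenticated user's idle timer must
# be refreshed by any traffic the firewall forwards, whether the matching rule
# is state-tracked (Allow/NAT) or stateless (FwdFast). Rule names are the ones
# in the text; the data structures, timeout and traffic pattern are assumed.
from typing import Dict

IDLE_TIMEOUT = 600        # seconds, assumed value


class AuthTable:
    """Source IP -> time of the last traffic seen from the logged-in user."""

    def __init__(self) -> None:
        self.last_seen: Dict[str, int] = {}

    def login(self, ip: str, now: int) -> None:
        self.last_seen[ip] = now

    def touch(self, ip: str, now: int) -> None:
        if ip in self.last_seen:
            self.last_seen[ip] = now

    def expire(self, now: int) -> None:
        for ip, last in list(self.last_seen.items()):
            if now - last > IDLE_TIMEOUT:
                del self.last_seen[ip]

    def is_logged_in(self, ip: str) -> bool:
        return ip in self.last_seen


def forward(src: str, action: str, auth: AuthTable, now: int, fixed: bool) -> bool:
    """Forward one packet under a rule action; return True if it was passed."""
    if action in ("Allow", "NAT"):
        auth.touch(src, now)            # state-tracked path always refreshed the timer
        return True
    if action == "FwdFast":
        if fixed:                       # v8.40.05 / v8.50.01 behaviour
            auth.touch(src, now)
        return True                     # pre-fix: forwarded, timer left untouched
    return False                        # anything else: dropped


def still_logged_in_after(traffic_action: str, fixed: bool) -> bool:
    """User logs in at t=0 and sends one packet every 5 minutes for an hour."""
    auth = AuthTable()
    user = "10.0.0.5"                   # constructed sample client
    auth.login(user, 0)
    for now in range(300, 3601, 300):
        auth.expire(now)
        forward(user, traffic_action, auth, now, fixed)
    auth.expire(3601)
    return auth.is_logged_in(user)


if __name__ == "__main__":
    for action in ("Allow", "FwdFast"):
        for fixed in (False, True):
            state = "logged in" if still_logged_in_after(action, fixed) else "logged out"
            print(f"{action:8s} fixed={fixed!s:5s}: {state} after one hour of traffic")
```

    With the pre-fix behaviour the FwdFast user is logged out at the first expiry pass after 600 seconds even though a packet has crossed the firewall every five minutes; with the fix, both rule types keep the session alive.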

    PPPoE tunnels failing to establish might cause tunnel limit to be reached
        Issue: When a PPPoE tunnel failed to establish, it would not be closed properly. The next attempt to establish the tunnel would use a new tunnel.
        Results: After the count of open PPP tunnels reached the system's limit, the PPPoE tunnel(s) would (correctly) cease trying to connect. A reboot would be required to flush the open tunnels.
        Affects: Clavister Firewall v8.50.00.
        Fix: Fixed in v8.50.01.

    DSA certificates would not work in IPsec
        Issue: IPsec can use RSA and DSA certificates for authentication. RSA is by far the more common of the two.
        Problem: Attempting to upload a configuration using DSA certificates to the firewall would result in an error message: "Error: Failed to decode private key for name-of-your-cert"
        Affects: Clavister Firewall v8.10.00 -- .02, v8.20.00 -- .01, v8.30.00 -- .01, v8.40.00 -- .04, v8.50.00.
        Fix: Fixed in v8.10.03, v8.20.02, v8.30.02, v8.40.05 and v8.50.01.

    PPTP and L2TP tunnels not usable in HA setups
        Problem: Configuring PPTP and L2TP tunnels (both servers and clients) on a High Availability cluster would result in configuration warnings, and the Slave unit entering "Local Lockdown" mode, in which no traffic passes through it.
        Affects: Clavister Firewall v8.50.00.
        Fix: As of v8.50.01, PPTP and L2TP servers behave as expected. PPTP and L2TP clients will establish their outbound connections from the unique IP addresses of the cluster members, and quite often both members will have their tunnels up at the same time.
        Note: For PPTP and L2TP clients on a HA cluster, the only outbound traffic that is likely to work through the tunnels is dynamically NATed connections. The reason for this is that the PPTP/L2TP server in the other end otherwise will not know where to send the return traffic, as there would be two tunnels with the same IP networks "behind" them.

    Loopback interfaces not usable in HA setups
        Problem: Configuring loopback interfaces on a High Availability cluster would result in configuration warnings, and the Slave unit entering "Local Lockdown" mode, in which no traffic passes through it.
        Affects: Clavister Firewall v8.50.00.
        Fix: Fixed in v8.50.01.



     Firewall Core Known Problems / Bugs                       
    HA: No state synchronization for ALGs
        Problem: No aspect of ALGs is state synchronized.
        Results: This means that all traffic handled by ALGs will freeze when the cluster fails over to the other peer. If, however, the cluster fails back over to the original peer within approximately half a minute, frozen sessions (and associated transfers) should begin working again.
    Note that such failover (and consequent fallback) occurs each time a new configuration is uploaded.

    HA: Tunnels unreachable from inactive node
        Problem: The inactive node in a HA cluster cannot communicate over IPsec, PPTP, L2TP and GRE tunnels, as such tunnels are established to/from the active node.
        Results:
    » Inactive HA member cannot send log events over tunnels.
    » Inactive HA member cannot be managed / monitored over tunnels.
    » OSPF: If the cluster members do not share a broadcast interface so that the inactive node can learn about OSPF state, OSPF failover over tunnels uses normal OSPF failover rather than accelerated (<1s) failover. This means 20-30 seconds with default settings, and 3-4 seconds with more aggressively tuned OSPF timings.

    HA: No state synchronization for L2TP and PPTP
        Problem: There is no state synchronization for L2TP and PPTP tunnels.
        Results: On failover, incoming clients will re-establish their tunnels after the tunnels are deemed non-functional. This timeout is typically in the 30 -- 120 second range.

    IPsec: Compatibility issue with MS IPsec NAT Traversal
        Problem: Microsoft's IPsec NAT traversal is incompatible with the NAT traversal implementation in Clavister Firewall.
        Results: Microsoft's IPsec client would fail to establish an IPsec tunnel to a Clavister Firewall if there was a NATing gateway in between.
        This will be resolved in a future release of Clavister Firewall.
        More info: KB #10074: Using L2TP behind NAT in Windows XP without IPSec