Clavister Security Gateway Changes from v8.50.00 to v8.50.02

Release date: 2005-08-09 [ISO]

Users upgrading from v7.0x or earlier should read changes-7.0x.xx-to-8.00.02.html first.

Version 8.50.02 contains fixes to problems in the Firewall Core and the Firewall Manager. This document outlines problems solved as well as improvements for each component.

The upgrade procedures in this document refer to upgrades from earlier v8.0x installations.

  • Files installed by v8.50.02
  • How to upgrade earlier v8.0x firewalls to v8.50.02
  • How to upgrade v6.0x/v7.0x firewalls to v8.0x
  • HA upgrade procedure
  • Firewall Manager: [Changes] [Problems Solved]
  • Firewall Core: [Changes] [Problems Solved] [Considerations]

    For future reference: This document is stored in the "Docs" sub-folder of your Firewall Manager install folder.

    Change logs / release notes for earlier versions of Clavister Security Gateway are available in the release notes section of www.clavister.com/support.



     Summary of changes and problems solved                       

    Firewall Manager
      Change: Passwords, user names, PSKs etc may now contain backslashes and quotes
      Problem solved: Configuration: Problem with global User Databases
      Problem solved: OSPF "Aggregate Network" field only accepts single hosts
      Problem solved: L2TP/PPTP servers: It is not possible to specify VLAN interfaces in Proxy ARP settings
      Problem solved: Rules: Changing service from "All" to something else via [...] button causes crash

    Firewall Core
      Change: ARP timeout setting limit decreased
      Problem solved: HTTP ALG might cause the Security Gateway to freeze in some situations
      Problem solved: Route failover is not working correctly in HA setups
      Problem solved: Netcon ping problems with Virtual Routers
      Problem solved: L2TP does not support requests for usage of sequence numbers in data messages
      Problem solved: Connected L2TP clients are not updated if ruleset is changed
      Problem solved: Possible crash during reconfiguration if the new configuration fails
      Problem solved: WebAuth login sometimes fails if special characters are used in username/password
      Problem solved: The HTTP ALG sometimes wrongly says that a request contains invalid UTF-8 encoding
      Problem solved: The PPPoE client fails to connect to some servers when Service Name is empty
      Problem solved: PPPoE tunnels failing to establish might cause tunnel limit to be reached
      Problem solved: A host with statically configured IP can prevent a DHCP enabled host with Windows as host OS from receiving a "valid" IP
      Problem solved: Possible crash when an active L2TP tunnel is removed from configuration
      Problem solved: Interface equivalency problems for non-first packets on state-tracked connections
      Problem solved: PPTP/L2TP tunnel status displayed by ifstatus command
      Problem solved: ARP incompatibility with Microsoft Network Load Balancing
      Problem solved: Configuring overly large IP address pool in L2TP/PPTP server would cause crash
      Problem solved: Intel e1000 NIC link problems (gigabit ports in all Clavister appliances)
      Problem solved: Unable to log in via serial / physical console
      Problem solved: User authentication timeouts not reset by traffic passing through FwdFast rules
      Problem solved: No logging information of assigned IP addresses for clients connected to PPTP/L2TP servers
      Problem solved: Routes added by IPsec will in some cases be left active after the tunnel is down
      Problem solved: Log message when PPP license limit is exceeded is not parser friendly
      Problem solved: DSA certificates do not work in IPsec
      Known problem: IPsec: Compatibility issue with MS IPsec NAT Traversal
      Problem solved: PPTP and L2TP tunnels not usable in HA setups
      Problem solved: Loopback interfaces not usable in HA setups
      Known problem: HA: No state synchronization for ALGs
      Known problem: HA: Tunnels unreachable from inactive node
      Known problem: HA: No state synchronization for L2TP and PPTP



     Files installed by v8.50.02                       
    This is a list of files that are new to the v8.50.02 release. All paths are relative to your Firewall Manager install folder.
    » Cores/fwc-8.50.02-full.cfx
    This is the v8.50.02 full firewall core. Upload it to your existing firewall, or create new boot media with it. It contains all available functionality.
    » Cores/fwc-8.50.02-mini.cfx
    This is a version of the v8.50.02 core with certain features removed. It is less than half the size of the full version. The features removed are:
    - IPsec VPN
    - The H.323 Application Layer Gateway
    - OSPF
    » Docs/changes-8.50.00-to-8.50.02.html
    This document.
    » FWMgr8.exe
    This is the v8.50.02 Firewall Manager. Earlier version 8 Firewall Managers will be backed up with the extensions ".old1" and ".old2".


     How to upgrade earlier v8.0x firewalls to v8.50.02                       
    Upgrading a previous v8.0x firewall to v8.50.02 is completely straightforward.
    Simply upload the new core, "fwc-8.50.02-full.cfx", to your firewall and restart it.
    (Alternatively, upload the "-mini" version if the removed functionality is not required.)


     HA upgrade procedure                       
    Note: For upgrades from v7.x HA clusters, first follow the HA upgrade procedures outlined in changes-7.0x.xx-to-8.00.02.html.

    Note: Upgrades from versions prior to v8.40.01: Upgrading directly to v8.50.00 or later from a version prior to v8.40.01 will lead to loss of state synchronization. All open states will be closed as a result of the upgrade. If this is acceptable, continue with the upgrade as described below. Otherwise, first upgrade to v8.40.01 or a later v8.4x core and then upgrade to v8.50.02.

    Simply upload the new firewall core file to the firewalls in your cluster and make sure that the first upload and restart is successful before uploading to the second firewall.

    We recommend beginning with the firewall that is currently active, even though this will necessitate two failovers. The reason for this is that ALG sessions are not synchronized.

      The "immediate availability" method
    • Upload the core to the currently active firewall ("firewall A") and restart it.
    • Issue a 'reconfigure' on firewall B to rapidly fail back to the now upgraded firewall A. Make sure firewall A functions properly.
    • Upload the core to firewall B and restart it.
    • End result: Firewall A is now the active node, just as it was before the upgrade procedure.

    Note that this leaves the second firewall untested, even though it most likely will work just as well as the first firewall. If you want to specifically test the second firewall, you can:
    1) cause two failovers manually, or
    2) connect to it via e.g. the remote console just to make sure it's running, or
    3) if ALG and tunnel synchronization is not a concern, follow this procedure:

      The "long-term safe" procedure:
    • Upload the core to the currently inactive firewall ("firewall B") and restart it.
    • Issue a 'reconfigure' on firewall A. This causes failover to firewall B. Make sure firewall B functions properly.
    • Upload the core to firewall A and restart it.
    • Issue a 'reconfigure' on firewall B to fall back to firewall A. Make sure firewall A functions properly.
    • End result: Firewall A is now the active node, just as it was before the upgrade procedure.
    Note that the "availability" issues affect only synchronization of ALGs and tunnels; there is more information about this in the Considerations section. All other states are, as usual, fully synchronized and not affected in either procedure.


     Firewall Manager Changes                       
    Passwords, user names, PSKs etc may now contain backslashes and quotes
        Change: As of v8.50.00, passwords, user names and PSKs may contain backslashes and quotes. This was previously not allowed.
        This is particularly useful when the firewall needs to interact with Microsoft Active Directory without a configured "default domain", in which case one often needs to use the "DOMAIN\username" syntax in user names.



     Firewall Manager Problems Solved                       
    Configuration: Problem with global User Databases
        Issue: At least one user database has to be defined in the local (firewall) configuration, otherwise it won't be inherited from a "namespace".
        Results: Only local user databases can be used in the firewall configuration.
        Affects: Firewall Manager v8.50.00 and v8.50.01
        Solution: Solved in v8.50.02

    OSPF "Aggregate Network" field only accepts single hosts
        Problem: It is not possible to configure anything other than a single host in the "Aggregate Network" field of the OSPF configuration. This field is used to combine several small routes matching the given aggregate.
        Affects: Firewall Manager v8.50.00
        Solution: Solved in v8.50.01

    L2TP/PPTP servers: It is not possible to specify VLAN interfaces in Proxy ARP settings
        Issue: L2TP and PPTP servers may be configured to publish the IP address of incoming clients on one or more interfaces via Proxy ARP. Proxy ARP on VLAN interfaces can not be configured. Proxy ARP on "ALL" interfaces (which would automatically include VLAN interfaces) does however work.
        Affects: Firewall Manager v8.50.00.
        Solution: Solved in v8.50.01

    Rules: Changing service from "All" to something else via [...] button causes crash
        Issue: If the service of a rule was set to the built-in service "All", clicking the "[...]" button to change it to something else causes the Firewall Manager to crash.
        Affects: Firewall Manager v8.50.00.
        Solution: Solved in v8.50.01



     Firewall Core Changes                       
    ARP timeout setting limit decreased
        Issue: The ARP timeout setting was limited to a minimum value of 10 seconds.
        Change: As of v8.50.02, the ARP timeout setting can now be configured as low as one second.
        Note: Setting the ARP timeout interval lower than 10 seconds is not recommended; however, some scenarios may require a lower timeout setting.



     Firewall Core Problems Solved                       
    HTTP ALG might cause the Security Gateway to freeze in some situations
        Problem: In some scenarios when the HTTP ALG handles a lot of traffic, it might cause the Security Gateway to stop responding.
        Results: The Security Gateway will freeze for a few minutes and will then automatically reboot.
        Affects: Clavister Firewall v8.40.00 and up
        Solution: Solved in v8.50.02.

    Route failover is not working correctly in HA setups
        Problem: When gateway ARP resolution is used to monitor a route in HA setups, the shared IP and MAC addresses are not used. Instead, each node uses its own addresses.
        Results: When gateway ARP resolution is used to monitor a route in HA setups, the surrounding equipment will get ARP requests from each node instead of only from the active node.
        Affects: Clavister Firewall v8.50.00 and up
        Solution: Solved in v8.50.02.

    Netcon ping problems with Virtual Routers
        Problem: When trying to administer a Security Gateway on an interface bound to a virtual router, Netcon UDP pings do not work.
        Results: When trying to administer a Security Gateway on an interface bound to a virtual router, the manager can't poll the Security Gateway to verify that it is still up.
        Affects: Clavister Firewall v8.50.00 and up
        Solution: Solved in v8.50.02.

    L2TP does not support requests for usage of sequence numbers in data messages.
        Problem: If L2TP clients request to use sequence numbers for data messages, the L2TP server will deny the connection attempt and disconnect the user.
        Results: If the L2TP server receives a request for a new session with requirements to use sequence numbers for data messages, the L2TP server will treat the message as invalid and close down the connection attempt.
        Affects: Clavister Firewall v8.50.00 and up
        Solution: Solved in v8.50.02.
        Note: The L2TP server still does not support sequence numbers for data messages, only for control messages. Now clients are allowed to request usage of sequence numbers for data messages, but the L2TP server will not use sequence numbers for data messages.

    Connected L2TP clients are not updated if ruleset is changed
        Problem: If the advanced setting L2TPBeforeRules is set to false and a rule allowing L2TP traffic to the L2TP server is configured, clients can connect to the L2TP server. If the rule is changed or removed, the connected clients are not updated to comply with the new ruleset.
        Results: If a rule allowing L2TP connections to the L2TP server is removed when the advanced setting L2TPBeforeRules is false, the already connected clients are not disconnected.
        Affects: Clavister Firewall v8.50.00 and up
        Solution: Solved in v8.50.02.

    Possible crash during reconfiguration if the new configuration fails
        Problem: If the Security Gateway is configured with many IPsec tunnels and a new faulty configuration is uploaded to the Security Gateway it is possible that the Security Gateway will crash during reconfiguration.
        Results: The Security Gateway can possibly crash during reconfiguration if many IPsec tunnels are configured and the new configuration fails.
        Affects: Clavister Firewall v8.50.00 and up
        Solution: Solved in v8.50.02.

    WebAuth login sometimes fails if special characters are used in username/password
        Problem: When logging in through WebAuth, the login can sometimes fail if special characters, such as the Swedish characters å, ä, ö, are used in the username or password.
        Results: The HTTP/HTTPS WebAuth login will fail.
        Affects: Clavister Firewall v8.40.00 and up
        Solution: Solved in v8.50.02.

    No logging information of assigned IP addresses for clients connected to PPTP/L2TP servers
        Problem: The logs generated when a client connects to a PPTP/L2TP server do not contain the IP address assigned to the client.
        Results: With no assigned IP information, it is hard to track client activities.
        Affects: Clavister Firewall v8.50.00 and up
        Solution: Solved in v8.50.02.

    The HTTP ALG sometimes wrongly says that a request contains invalid UTF-8 encoding
        Problem: If a special character, such as the Swedish characters å, ä, ö, is found at the end of a request, the HTTP ALG sometimes fails to calculate the length of the request correctly and denies the request.
        Results: The user will be presented with a 403 forbidden page.
        Affects: Clavister Firewall v8.40.00 and up
        Solution: Solved in v8.50.02.

    The PPPoE client fails to connect to some servers when Service Name is empty
        Issue: PPPoE clients can use an empty Service Name tag to specify that they accept any Service Name. If the PPPoE client is configured with an empty Service Name, it will however only accept connections to servers that have no Service Name set.
        Results: The result of this problem is that the Service Name has to be known when the PPPoE client is configured. If the Service Name is left empty, the client will fail to connect to a PPPoE server that has a Service Name configured.
        Affects: Clavister Firewall v8.30.00 and up.
        Solution: Solved in v8.50.02.

    Routes added by IPsec will in some cases be left active after the tunnel is down
        Issue: When IPsec dynamically adds routes, the routes may be left active after the tunnel is down.
        Results: Leaving routes still active may lead to memory leakage and routing failures.
        Affects: Clavister Firewall v8.20.00 and up.
        Solution: Solved in v8.50.02.

    PPPoE tunnels failing to establish might cause tunnel limit to be reached
        Issue: When a PPPoE tunnel fails to establish, it does not close properly. The next attempt to establish the tunnel will use a new tunnel.
        Results: After the count of open PPP tunnels reaches the system's limit, the PPPoE tunnel(s) cease to make connection attempts. A reboot would be required to flush the open tunnels.
        Affects: Clavister Firewall v8.50.00.
        Solution: Solved in v8.50.02.

    A host with statically configured IP can prevent a DHCP enabled host with Windows as host OS from receiving a "valid" IP
        Problem: The DHCP server expects the client to check whether the offered IP is in use before accepting it. Windows does not perform this verification until after it has accepted the IP. Since the DHCP server does not accept a DHCPDECLINE in the BOUND state, the declines are dropped.
        Results: The DHCPServer keeps offering the same IP to the client whose decline will be ignored.
        Affects: Clavister Firewall v8.30.00 and up
        Solution: Solved in v8.50.02.
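The decline handling described above, modelled as an added example (not Clavister's code): a small lease table whose accept_decline_in_bound flag switches between the old and the fixed behaviour, and a client that, like Windows, probes the address only after accepting it. Class and function names and the sample pool are assumptions.

```python
from enum import Enum


class State(Enum):
    FREE = "free"
    OFFERED = "offered"
    BOUND = "bound"
    DECLINED = "declined"   # reported in use by a client; never offered again


class DhcpServer:
    """Minimal per-client lease table (constructed model, not the real server)."""

    def __init__(self, pool, accept_decline_in_bound):
        self.state = {addr: State.FREE for addr in pool}
        self.owner = {}
        # False reproduces the pre-8.50.02 behaviour: declines dropped in BOUND.
        self.accept_decline_in_bound = accept_decline_in_bound

    def discover(self, client):
        # An existing lease for this client is re-offered, which is why the
        # same address keeps coming back when the decline was ignored.
        for addr, st in self.state.items():
            if self.owner.get(addr) == client and st in (State.OFFERED, State.BOUND):
                return addr
        for addr, st in self.state.items():
            if st is State.FREE:
                self.state[addr] = State.OFFERED
                self.owner[addr] = client
                return addr
        return None                       # pool exhausted

    def request(self, client, addr):
        if self.owner.get(addr) == client and self.state[addr] in (State.OFFERED, State.BOUND):
            self.state[addr] = State.BOUND   # DHCPACK
            return True
        return False                         # DHCPNAK

    def decline(self, client, addr):
        if self.owner.get(addr) != client:
            return False
        st = self.state[addr]
        if st is State.OFFERED or (st is State.BOUND and self.accept_decline_in_bound):
            self.state[addr] = State.DECLINED
            self.owner.pop(addr)
            return True
        return False                         # decline silently dropped


def windows_client_session(server, client, static_hosts, max_rounds=3):
    """Client that accepts first and ARP-probes afterwards; returns the
    sequence of offered addresses and the address it finally kept (or None)."""
    offered = []
    for _ in range(max_rounds):
        addr = server.discover(client)
        offered.append(addr)
        if addr is None:
            break
        server.request(client, addr)         # accept the offer first...
        if addr not in static_hosts:
            return offered, addr
        server.decline(client, addr)         # ...then find the static host and decline
    return offered, None


def simulate(accept_decline_in_bound):
    # Constructed sample: 192.0.2.2 is already used by a statically configured host.
    server = DhcpServer(["192.0.2.2", "192.0.2.3"], accept_decline_in_bound)
    return windows_client_session(server, "client-mac", {"192.0.2.2"})


if __name__ == "__main__":
    print("old behaviour:", simulate(False))
    print("8.50.02 behaviour:", simulate(True))
```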

    Possible crash when an active L2TP tunnel is removed from configuration
        Problem: When an active L2TP tunnel is removed from the configuration, the Security Gateway may in some cases crash when the L2TP tunnel is closed.
        Affects: Clavister Firewall v8.50.00 and up
        Solution: Solved in v8.50.02.

    Interface equivalency problems for non-first packets on state-tracked connections
        Problem: Non-first packets of a state-tracked connection are not handled correctly regarding interface equivalency.
        Results: If fragmented packets are sent over a connection, and routing gets changed so the data stream starts arriving on a different interface, the non-first fragments won't make it through.
        Affects: Clavister Firewall v8.00.00 and up
        Solution: Solved in v8.50.02.

    PPTP/L2TP tunnel status displayed by ifstatus command
        Problem: The PPTP/L2TP tunnel status is not displayed in a general fashion using the ifstatus command.
        Affects: Clavister Firewall v8.00.00 and up
        Solution: As of v8.50.02 the ifstatus command displays the PPTP/L2TP tunnel status in a general fashion like other interface types.

    ARP incompatibility with Microsoft Network Load Balancing
        Problem: The core sends ARP responses to the MAC address found in the Ethernet header of the query. Microsoft NLB apparently relies on the response being sent to the source MAC address in the ARP data.
        Affects: Clavister Firewall v5.00 and up
        Solution: As of v8.50.02 the core sends ARP responses to the source MAC address in the ARP data.
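As an added illustration (not Clavister's code), the frames below are constructed to show the two MAC addresses an ARP query carries and which one each behaviour answers to; the function names and the sample addresses are assumptions.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    return bytes(int(o) for o in s.split("."))


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_arp(frame):
    """Split an Ethernet/ARP frame into the fields the reply logic needs."""
    _eth_dst, eth_src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {"eth_src": eth_src, "oper": oper, "sha": sha, "spa": spa, "tpa": tpa}


def build_arp_reply(request_frame, our_mac, our_ip, reply_to_arp_sender=True):
    """Answer a request for our_ip. reply_to_arp_sender=False reproduces the
    pre-8.50.02 behaviour (Ethernet source MAC); True the 8.50.02 behaviour
    (sender hardware address from the ARP payload)."""
    req = parse_arp(request_frame)
    if req["oper"] != ARP_REQUEST or req["tpa"] != our_ip:
        return None
    dst = req["sha"] if reply_to_arp_sender else req["eth_src"]
    eth = ETH_HDR.pack(dst, our_mac, ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY, our_mac, our_ip, req["sha"], req["spa"])
    return eth + arp


def build_arp_request(eth_src, sha, spa, tpa):
    eth = ETH_HDR.pack(mac("ff:ff:ff:ff:ff:ff"), eth_src, ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REQUEST, sha, spa, mac("00:00:00:00:00:00"), tpa)
    return eth + arp


# Constructed sample: a query whose Ethernet source MAC (the node's own NIC)
# differs from the sender hardware address carried in the ARP data.
GW_MAC, GW_IP = mac("00:50:56:00:00:01"), ip("192.0.2.1")
NODE_NIC_MAC = mac("00:1b:21:aa:bb:cc")
ARP_SENDER_MAC = mac("02:bf:c0:00:02:10")
REQUEST = build_arp_request(NODE_NIC_MAC, ARP_SENDER_MAC, ip("192.0.2.16"), GW_IP)


def reply_destination(reply_to_arp_sender):
    """Destination MAC of the reply the gateway would send for REQUEST."""
    reply = build_arp_reply(REQUEST, GW_MAC, GW_IP, reply_to_arp_sender)
    return fmt_mac(ETH_HDR.unpack_from(reply, 0)[0])


if __name__ == "__main__":
    print("old behaviour replies to   ", reply_destination(False))
    print("8.50.02 behaviour replies to", reply_destination(True))
```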

    Log message when PPP license limit is exceeded is not parser friendly
        Problem: The log message generated when the PPP license limit is exceeded is not parser friendly. It is written in the form "tunnels=x/y", where x is the number of active tunnels and y is the total number of tunnels the license allows.
        Results: Some log parsers may fail to parse the license limit exceeded message.
        Affects: Clavister Firewall v8.40.00 and up
        Solution: Solved in v8.50.02.
        Note: Only the license limit is now displayed in the log message and not the current usage.

    Configuring overly large IP address pool in L2TP/PPTP server would cause crash
        Problem: Configuring an IP pool larger than the total RAM can hold, e.g. "0.0.0.0/0" or an entire class A network (16 million addresses), will lead to a crash when configuration is deployed.
        Affects: Clavister Firewall v8.50.00
        Solution: As of v8.50.01, the pool size is limited to 1 million addresses. Configuring a pool larger than that will lead to a warning message and the pool being set to zero length.

    Intel e1000 NIC link problems (gigabit ports in all Clavister appliances)
        Issue: Some Intel e1000 series chips have problems establishing or maintaining link with some equipment.
        Affects: Clavister Firewall v7.00 and up.
        Solution: Solved in v8.40.05 and v8.50.01.

    Unable to log in via serial / physical console
        Issue: The serial console (and physical, in the case of non-appliances), may be password protected.
        Problem: A change in v8.50.00 broke the routine responsible for receiving the password from the serial port / local keyboard.
        Results: If a console password had been set, one would be unable to log in using the serial (and physical) console. Firewall Manager use would not be affected.
        Affects: Clavister Firewall v8.50.00.
        Solution: Solved in v8.50.01.

    User authentication timeouts not reset by traffic passing through FwdFast rules
        Issue: When a user authenticated to the Security Gateway has an "idle timeout" configured, it should be reset by traffic passing through the Security Gateway.
        Problem: The idle timeout gets reset only by traffic permitted by "Allow" and "NAT" rules, i.e. state-tracked connections, and not by traffic permitted statelessly via "FwdFast" rules.
        Result: If all traffic for a logged-on user is permitted by FwdFast rules, the user is logged out when the "idle timeout" period expires, regardless of whether traffic is sent through the Security Gateway or not.
        Affects: Clavister Firewall v8.10.00 and up.
        Solution: Solved in v8.40.05 and v8.50.01.

    DSA certificates do not work in IPsec
        Issue: IPsec can use RSA and DSA certificates for authentication. RSA is by far the more common of the two.
        Problem: Attempting to upload a configuration using DSA certificates to the Security Gateway results in an error message: "Error: Failed to decode private key for name-of-your-cert"
        Affects: Clavister Firewall v8.10.00 -- .02, v8.20.00 -- .01, v8.30.00 -- .01, v8.40.00 -- .04, v8.50.00.
        Solution: Solved in v8.10.03, v8.20.02, v8.30.02, v8.40.05 and v8.50.01.

    PPTP and L2TP tunnels not usable in HA setups
        Problem: Configuring PPTP and L2TP tunnels (both servers and clients) on a High Availability cluster results in configuration warnings, and the Slave unit enters "Local Lockdown" mode, in which no traffic passes through it.
        Affects: Clavister Firewall v8.50.00.
        Solution: As of v8.50.01, PPTP and L2TP servers behave as expected. PPTP and L2TP clients will establish their outbound connections from the unique IP addresses of the cluster members, and quite often both members will have their tunnels up at the same time.
        Note: For PPTP and L2TP clients on a HA cluster, the only outbound traffic that is likely to work through the tunnels is dynamically NATed connections. The reason for this is that the PPTP/L2TP server at the other end would otherwise not know where to send the return traffic, as there would be two tunnels with the same IP networks "behind" them.

    Loopback interfaces not usable in HA setups
        Problem: Configuring loopback interfaces on a High Availability cluster results in configuration warnings, and the Slave unit enters "Local Lockdown" mode, in which no traffic passes through it.
        Affects: Clavister Firewall v8.50.00.
        Solution: Solved in v8.50.01.



     Firewall Core Considerations                       
    HA: No state synchronization for ALGs
        Problem: No aspect of ALGs is state synchronized.
        Results: This means that all traffic handled by ALGs will freeze when the cluster fails over to the other peer. If, however, the cluster fails back over to the original peer within approximately half a minute, frozen sessions (and associated transfers) should begin working again.
        Note that such failover (and consequent fallback) occurs each time a new configuration is uploaded.

    HA: Tunnels unreachable from inactive node
        Problem: The inactive node in a HA cluster cannot communicate over IPsec, PPTP, L2TP and GRE tunnels, as such tunnels are established to/from the active node.
        Results:
    » Inactive HA member cannot send log events over tunnels.
    » Inactive HA member cannot be managed / monitored over tunnels.
    » OSPF: If the cluster members do not share a broadcast interface so that the inactive node can learn about OSPF state, OSPF failover over tunnels uses normal OSPF failover rather than accelerated (<1s) failover. This means 20-30 seconds with default settings, and 3-4 seconds with more aggressively tuned OSPF timings.

    HA: No state synchronization for L2TP and PPTP
        Problem: There is no state synchronization for L2TP and PPTP tunnels.
        Results: On failover, incoming clients will re-establish their tunnels after the tunnels are deemed non-functional. This timeout is typically in the 30 -- 120 second range.

    IPsec: Compatibility issue with MS IPsec NAT Traversal
        Problem: Microsoft's IPsec NAT traversal is incompatible with the NAT traversal implementation in Clavister Security Gateway.
        Results: Microsoft's IPsec client would fail to establish an IPsec tunnel to a Clavister Security Gateway if there was a NATing gateway in between.
        This will be resolved in a future release of Clavister Security Gateway.
        More info: KB #10074: Using L2TP behind NAT in Windows XP without IPSec