Clavister Security Gateway Changes from v8.50.02 to v8.50.03

Release date: 2007-01-29 [ISO]

Users upgrading from v7.0x or earlier should read changes-7.0x.xx-to-8.00.02.html first.

Version 8.50.03 contains fixes to problems in the Firewall Core and the Firewall Manager. This document outlines problems solved as well as improvements for each component.

The upgrade procedures in this document refer to upgrades from earlier v8.0x installations.

  • Files installed by v8.50.03
  • How to upgrade earlier v8.0x firewalls to v8.50.03
  • How to upgrade v6.0x/v7.0x firewalls to v8.0x
  • HA upgrade procedure
  • Firewall Manager: Changes, Problems Fixed
  • Firewall Core: Changes, Problems Fixed, Considerations

    For future reference: This document is stored in the "Docs" sub-folder of your Firewall Manager install folder.

    Change logs / release notes for earlier versions of Clavister Security Gateway are available in the release notes section of www.clavister.com/support.



     Summary of changes and problems fixed                       

    Firewall Manager

    Firewall Core
      Change: HTTP ALG now allows compressed data
      Problem fixed: The "ping" command ignores the interface PBR setting when the "-r" parameter is used.
      Problem fixed: Problems administering a Security Gateway over Netcon on a virtual router interface.
      Problem fixed: L2TP client/server does not send a unique hostname during negotiations
      Problem fixed: Filtered "conn" console command displays wrong number of not shown connections
      Problem fixed: HTTP ALG might cause the Security Gateway to crash in some situations
      Problem fixed: TCP connections to the Security Gateway itself (Netcon, ALGs, PPTP) do not obey received TCP MSS.
      Problem fixed: HA: Problem with OSPF and HA failover
      Problem fixed: HA: Problem with OSPF and area default stub summary
      Problem fixed: PPTP server sometimes fails to send any traffic at all through a newly connected tunnel.
      Problem fixed: Problems terminating an L2TP session inside a virtual router
      Problem fixed: L2TP server may stop listening for incoming connection attempts
      Problem fixed: The L2TP engine may use 0 as session ID, which is not allowed according to RFC 2661
      Problem fixed: Problems with handling of L2TP messages with priority bit set
      Problem fixed: Memory leakage using hardware crypto accelerator in SG3100 Series
      Known problem: IPsec: Compatibility issue with MS IPsec NAT Traversal
      Known problem: HA: No state synchronization for ALGs
      Known problem: HA: Tunnels unreachable from inactive node
      Known problem: HA: No state synchronization for L2TP and PPTP



     Files installed by v8.50.03                       
    This is a list of files that are new to the v8.50.03 release. All paths are relative to your Firewall Manager install folder.
    » Cores/fwc-8.50.03-full.cfx
    This is the v8.50.03 full firewall core. Upload it to your existing firewall, or create new boot media with it. It contains all available functionality.
    » Cores/fwc-8.50.03-mini.cfx
    This is a version of the v8.50.03 core with certain features removed. It is less than half the size of the full version. The features removed are:
    - IPsec VPN
    - The H.323 Application Layer Gateway
    - OSPF
    » Docs/changes-8.50.02-to-8.50.03.html
    This document.
    » FWMgr8.exe
    This is the v8.50.03 Firewall Manager. Earlier version 8 Firewall Managers will be backed up with the extensions ".old1" and ".old2".


     How to upgrade earlier v8.0x firewalls to v8.50.03                       
    Upgrading a previous v8.0x firewall to v8.50.03 is completely straightforward.
    Simply upload the new core, "fwc-8.50.03-full.cfx", to your firewall and restart it.
    (Alternatively, upload the "-mini" version if the removed functionality is not required.)


     HA upgrade procedure                       
    Note: For upgrades from v7.x HA clusters, first follow the HA upgrade procedures outlined in changes-7.0x.xx-to-8.00.02.html.

    Note: Upgrades from versions prior to v8.40.01: Upgrading directly to v8.50.00 or later from a version prior to v8.40.01 will lead to loss of state synchronization. All open states will be closed as a result of the upgrade. If this is acceptable, continue with the upgrade as described below. Otherwise, first upgrade to v8.40.01 or a later v8.4x core and then upgrade to v8.50.03.

    Simply upload the new firewall core file to the firewalls in your cluster and make sure that the first upload and restart is successful before uploading to the second firewall.

    We recommend beginning with the firewall that is currently active, even though this will necessitate two failovers. The reason for this is that ALG sessions are not synchronized.

      The "immediate availability" method
    • Upload the core to the currently active firewall ("firewall A") and restart it.
    • Issue a 'reconfigure' on firewall B to rapidly fail back to the now upgraded firewall A. Make sure firewall A functions properly.
    • Upload the core to firewall B and restart it.
    • End result: Firewall A is now the active node, just as it was before the upgrade procedure.

    Note that this leaves the second firewall untested, even though it most likely will work just as well as the first firewall. If you want to specifically test the second firewall, you can:
    1) cause two failovers manually, or
    2) connect to it via e.g. the remote console just to make sure it's running, or
    3) if ALG and tunnel synchronization is not a concern, follow this procedure:

      The "long-term safe" procedure:
    • Upload the core to the currently inactive firewall ("firewall B") and restart it.
    • Issue a 'reconfigure' on firewall A. This causes failover to firewall B. Make sure firewall B functions properly.
    • Upload the core to firewall A and restart it.
    • Issue a 'reconfigure' on firewall B to fall back to firewall A. Make sure firewall A functions properly.
    • End result: Firewall A is now the active node, just as it was before the upgrade procedure.
    Note that the "availability" issues affect only synchronization of ALGs and tunnels; there is more information about this in the Considerations section. All other states are, as usual, fully synchronized and not affected in either procedure.


     Firewall Manager Changes                       


     Firewall Manager Problems Fixed                       


     Firewall Core Changes                       
    HTTP ALG now allows compressed data
        Issue: The HTTP ALG always asked the web server not to send compressed data as this does not work with content stripping.
        Change: As of v8.50.03, the HTTP ALG will allow the server to send compressed data as long as the HTTP ALG isn't configured to do content stripping.
        Note: This means that compressed data is allowed as long as the HTTP ALG isn't configured to perform stripping of ActiveX objects, Java Applets and Javascripts/VBScripts.



     Firewall Core Problems Fixed                       
    The "ping" command ignores the interface PBR setting when the "-r" parameter is used.
        Problem: The "ping" console command ignores the PBR setting for an interface when the "-r" parameter is supplied to the console command.
        Results: The "ping" command will not use the correct routing table.
        Affects: Clavister Security Gateway v8.50.00 and up
        Solution: Fixed in v8.50.03.

    Problems administering a Security Gateway over Netcon on a virtual router interface.
        Problem: If a Security Gateway is administered via the manager and the management interface of the Security Gateway is inside a virtual router, connection problems may occur.
        Results: It is not possible to use for instance a remote console on a Security Gateway if the management interface is inside a virtual router.
        Affects: Clavister Security Gateway v8.50.00 and up
        Solution: Fixed in v8.50.03.

    Problems terminating an L2TP session inside a virtual router
        Problem: If a Security Gateway is configured to accept incoming L2TP connections on an interface inside a virtual router, connections from clients will fail.
        Results: It is not possible for clients to connect to an L2TP server that is configured to listen on an interface inside a virtual router.
        Affects: Clavister Security Gateway v8.50.00 and up
        Solution: Fixed in v8.50.03.

    L2TP server may stop listening for incoming connection attempts
        Problem: If the load on the Security Gateway is high and the concurrent connection limit has been reached, the Security Gateway may stop listening for incoming L2TP connection attempts.
        Results: Once the limit has been reached, the Security Gateway starts to flush old connections. The listening connection for the L2TP server may itself be flushed, which means that the L2TP server stops listening for incoming connection attempts.
        Affects: Clavister Security Gateway v8.50.00 and up
        Solution: Fixed in v8.50.03.

    The L2TP engine may use 0 as session ID, which is not allowed according to RFC 2661
        Problem: The L2TP engine may use a session ID value of 0, which is not allowed to be used according to RFC 2661.
        Results: Some clients/servers react to this RFC violation and refuse to set up a new session.
        Affects: Clavister Security Gateway v8.50.00 and up
        Solution: Fixed in v8.50.03.

    Problems with handling of L2TP messages with priority bit set
        Problem: The L2TP engine does not understand how to handle L2TP messages with the priority bit set.
        Results: The message will be treated as a malformed packet, which will lead to the packet being dropped.
        Affects: Clavister Security Gateway v8.50.00 and up
        Solution: Fixed in v8.50.03.
        Note: The Security Gateway can now handle L2TP messages with priority bit set, but it does not actually prioritize these packets.
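    The two L2TP entries above (session ID 0 and the priority bit) both come down to RFC 2661 header rules. The parser below is an added example, not Clavister code: it records the P bit instead of treating the packet as malformed, rejects a data message whose session ID is the reserved value 0, and allocates new session IDs starting from 1. The sample packets are constructed for the example.

```python
import struct

L2TP_VERSION = 2
# Flag bits in the first 16-bit word of an L2TPv2 header (RFC 2661, section 3.1)
FLAG_T, FLAG_L, FLAG_S, FLAG_O, FLAG_P = 0x8000, 0x4000, 0x0800, 0x0200, 0x0100

def _u16(pkt: bytes, pos: int) -> int:
    if pos + 2 > len(pkt):
        raise ValueError(f"truncated header at offset {pos}")
    return struct.unpack_from("!H", pkt, pos)[0]

def parse_l2tp_header(pkt: bytes) -> dict:
    """Parse an L2TPv2 header. The P bit is recorded, never treated as an error;
    a data message carrying the reserved session ID 0 is rejected."""
    flags = _u16(pkt, 0)
    hdr = {"control": bool(flags & FLAG_T), "priority": bool(flags & FLAG_P),
           "version": flags & 0x000F}
    if hdr["version"] != L2TP_VERSION:
        raise ValueError(f"unsupported L2TP version {hdr['version']}")
    pos = 2
    if flags & FLAG_L:
        hdr["length"] = _u16(pkt, pos); pos += 2
    hdr["tunnel_id"], hdr["session_id"] = _u16(pkt, pos), _u16(pkt, pos + 2); pos += 4
    if flags & FLAG_S:
        hdr["ns"], hdr["nr"] = _u16(pkt, pos), _u16(pkt, pos + 2); pos += 4
    if flags & FLAG_O:
        pos += 2 + _u16(pkt, pos)  # Offset Size field, then the padding it announces
    hdr["payload"] = pkt[pos:]
    if hdr["control"]:
        # Control messages: T, L and S must be set, O and P must be clear.
        if not (flags & FLAG_L and flags & FLAG_S) or flags & (FLAG_O | FLAG_P):
            raise ValueError("control message with illegal flag combination")
    elif hdr["session_id"] == 0:
        raise ValueError("data message with reserved session ID 0")
    return hdr

def allocate_session_id(in_use: set) -> int:
    """Pick a session ID for a new session: never 0, never one already in use."""
    for sid in range(1, 0x10000):
        if sid not in in_use:
            return sid
    raise RuntimeError("no free session IDs on this tunnel")

# Constructed samples: a data message with P set (tunnel 7, session 9), a data
# message illegally using session ID 0, and a tunnel-level control message.
SAMPLE_PRIORITY_DATA = struct.pack("!HHH", FLAG_P | L2TP_VERSION, 7, 9) + b"\xff\x03\x00\x21"
SAMPLE_BAD_SESSION = struct.pack("!HHH", L2TP_VERSION, 7, 0) + b"\xff\x03"
SAMPLE_CONTROL = struct.pack("!HHHHHH", FLAG_T | FLAG_L | FLAG_S | L2TP_VERSION, 12, 0, 0, 0, 0)
```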

    Memory leakage using hardware crypto accelerator in SG3100 Series
        Problem: In v8.40.00 and up, memory leaks can occur when the SG3100 Series hardware accelerator is used for IPsec traffic.
        Results: The memory usage of the system will increase until the system finally is out of memory, forcing a reboot of the Security Gateway.
        Affects: Clavister Security Gateway SG3100 Series, core v8.40.00 and up
        Solution: Fixed in v8.50.03.

    L2TP client/server does not send a unique hostname during negotiations
        Problem: The L2TP client/server sent an empty hostname during negotiation with the other peer.
        Results: L2TP clients/servers that rely on the other peer to send a unique hostname may have problems negotiating with Clavister Security Gateways.
        Affects: Clavister Security Gateway v8.50.00 and up
        Solution: Fixed in v8.50.03
        Note: The hostname can be configured using the advanced setting SNMPSysName.

    Filtered "conn" console command displays wrong number of not shown connections
        Problem: When using a filtered "conn" console command, the printout of the number of not shown connections is wrong.
        Results: The number of not shown connections is not the number of not shown filtered connections, but the total number of connections not shown.
        Affects: Clavister Security Gateway v8.50.00 and up
        Solution: Fixed in v8.50.03

    HTTP ALG might cause the Security Gateway to crash in some situations
        Problem: In some scenarios when the HTTP ALG handles a lot of traffic, it might cause the Security Gateway to crash.
        Results: The Security Gateway will crash and will then automatically reboot.
        Affects: Clavister Firewall v8.40.00 and up
        Solution: Fixed in v8.50.03

    TCP connections to the Security Gateway itself (Netcon, ALGs, PPTP) do not obey received TCP MSS.
        Problem: The Security Gateway ignores incoming TCP MSS settings and uses only the configured MSS value. This is faulty since the lower of these two values should be used.
        Results: This bug can result in loss of TCP data.
        Affects: v8.50.02 and earlier
        Solution: Fixed in v8.50.03

    HA: Problem with OSPF and HA failover
        Problem: The self-originated Link State Advertisements (LSAs) do not get their refresh timer updated correctly at HA failover.
        Results: An LSA can reach its maximum allowed age and be discarded resulting in some networks being unreachable.
        Affects: v8.50.02 and earlier
        Solution: Fixed in v8.50.03

    HA: Problem with OSPF and area default stub summary
        Problem: Area default stub summaries are only built once.
        Results: If the summary is flushed for some reason, it will never be rebuilt, resulting in unreachable networks.
        Affects: v8.50.02 and earlier
        Solution: Fixed in v8.50.03

    PPTP server sometimes fails to send any traffic at all through a newly connected tunnel.
        Problem: When connecting from a PPTP client to the PPTP server in the Security Gateway it is sometimes not possible to communicate through the tunnel. Packets can only be sent from the client to the server, not from the server to the client.
        Results: The PPTP client might have to be reconnected to the PPTP server one or more times before packets can be sent in both directions through the tunnel.
        Affects: v8.50.02 and earlier
        Solution: Fixed in v8.50.03



     Firewall Core Known Issues                       
    HA: No state synchronization for ALGs
        Issue: No aspect of ALGs is state synchronized.
        Results: This means that all traffic handled by ALGs will freeze when the cluster fails over to the other peer. If, however, the cluster fails back over to the original peer within approximately half a minute, frozen sessions (and associated transfers) should begin working again.
    Note that such failover (and consequent fallback) occurs each time a new configuration is uploaded.

    HA: Tunnels unreachable from inactive node
        Issue: The inactive node in an HA cluster cannot communicate over IPsec, PPTP, L2TP and GRE tunnels, as such tunnels are established to/from the active node.
        Results:
    » Inactive HA member cannot send log events over tunnels.
    » Inactive HA member cannot be managed / monitored over tunnels.
    » OSPF: If the cluster members do not share a broadcast interface so that the inactive node can learn about OSPF state, OSPF failover over tunnels uses normal OSPF failover rather than accelerated (<1s) failover. This means 20-30 seconds with default settings, and 3-4 seconds with more aggressively tuned OSPF timings.

    HA: No state synchronization for L2TP and PPTP
        Issue: There is no state synchronization for L2TP and PPTP tunnels.
        Results: On failover, incoming clients will re-establish their tunnels after the tunnels are deemed non-functional. This timeout is typically in the 30 to 120 second range.

    IPsec: Compatibility issue with MS IPsec NAT Traversal
        Issue: Microsoft's IPsec NAT traversal is incompatible with the NAT traversal implementation in Clavister Security Gateway.
        Results: Microsoft's IPsec client would fail to establish an IPsec tunnel to a Clavister Security Gateway if there was a NATing gateway in between.
        This will be resolved in a future release of Clavister Security Gateway.
        More info: KB #10074: Using L2TP behind NAT in Windows XP without IPSec