Clavister Security Gateway changes from v8.60.02 to v8.60.03

Release date: 2006-10-25 [ISO]

Users upgrading from v7.0x or earlier should read changes-7.0x.xx-to-8.00.02.html first.

Contents of this document

Version 8.60.03 contains fixes to problems in the Security Gateway Core and the Firewall Manager. This document outlines problems fixed as well as improvements for each component.

The upgrade procedures in this document refer to upgrades from earlier v8.0x installations.

  • Summary of changes and problems fixed in v8.60.03
  • Files installed by v8.60.03
  • How to upgrade earlier v8.0x firewalls to v8.60.03
  • How to upgrade v6.0x/v7.0x firewalls to v8.0x
  • HA upgrade procedure
  • Firewall Manager
  •   [Problems Fixed]
  • Security Gateway Core
  •   [Problems Fixed] [Known Issues]

    For future reference: This document is stored in the "Docs" sub-folder of your Firewall Manager install folder.

    Change logs / release notes for earlier versions of Clavister Security Gateway are available in the release notes section of www.clavister.com/support.



     Summary of changes and problems fixed                       

    Firewall Manager
      Problem fixed: Missing logsection for dynamic routing policy filters.

    Security Gateway Core
      Problem fixed: HA: Radius messages are not sent from shared IP.
      Problem fixed: IPSec: Xauth password gets truncated.
      Problem fixed: TCP connections to the Security Gateway itself (Netcon, ALGs, PPTP) do not obey received TCP MSS.
      Problem fixed: IPsec: The Security Gateway core hangs when an IPsec tunnel is removed under certain circumstances.
      Problem fixed: DHCP Server incorrectly associates DHCP leases with MAC addresses instead of a client provided identifier.
      Problem fixed: The Dynamic Routing function logs the wrong metric on SG50 appliances.
      Problem fixed: PPTP server sometimes fails to send any traffic at all through a newly connected tunnel.
      Problem fixed: HA: Problem with OSPF and HA failover
      Problem fixed: HA: Problem with OSPF and area default stub summary
      Problem fixed: The L2TP server cannot handle multiple L2TP over IPSec clients that are located behind the same NAT gateway
      Problem fixed: DHCP Server/Relayer persistent leases don't work on the SG50 appliance
      Problem fixed: IPSec RSA-vulnerability
      Known problem: HA: Transparent Mode won't work in HA mode
      Known problem: HA: No state synchronization for ALGs
      Known problem: HA: Tunnels unreachable from inactive node
      Known problem: HA: No state synchronization for L2TP and PPTP



     Files installed by v8.60.03                       
    This is a list of files that are new to the v8.60.03 release. All paths are relative to your Firewall Manager install folder.

    Note that it is highly recommended to upgrade the Clavister Firmware to the version supplied with the 8.60.03 release. Upgrade to core version 8.60.03 before upgrading the Clavister Firmware.
    » Cores/sgc-8.60.03-full.cfx
    This is the v8.60.03 full Security Gateway Core. Upload it to your existing Security Gateway, or create new boot media with it. It contains all available functionality.
    » Cores/sgc-8.60.03-sg50.cfx
    This is the v8.60.03 Security Gateway Core for the SG50 appliance. Upload it to your existing Security Gateway. It contains all available functionality.
    » Cores/sgc-8.60.02-mini.cfx
    This is a version of v8.60.02 Security Gateway Core with certain features removed. It is less than half the size of the full version. This version should be used if you would like to start the system on a floppy before copying it over to another media.

    » Docs/changes-8.60.02-to-8.60.03.html
    This document.
    » FWMgr8.exe
    This is the v8.60.03 Firewall Manager. Earlier version 8 Firewall Managers will be backed up with the extensions ".old1" and ".old2".


     How to upgrade earlier v8.0x firewalls to v8.60.03                       
    Upgrading a previous v8.x release to v8.60.03 is completely straightforward.
    First upload the new Clavister Loader, followed by the new Security Gateway Core, "sgc-8.60.03-full.cfx" (or "sgc-8.60.03-sg50.cfx" for the SG50 Series), to your Security Gateway and restart it.


     HA upgrade procedure                       
    Note: For upgrades from v7.x HA clusters, first follow the HA upgrade procedures outlined in changes-7.0x.xx-to-8.00.02.html.

    Note: Upgrades from versions prior to v8.40.01: Upgrading directly to v8.50.00 or later from a version prior to v8.40.01 will lead to loss of state synchronization. All open states will be closed as a result of the upgrade. If this is acceptable, continue with the upgrade as described below. Otherwise, first upgrade to v8.40.01 or a later v8.4x core and then upgrade to v8.60.03.

    Simply upload the new Security Gateway Core file to the Security Gateways in your cluster and make sure that the first upload and restart is successful before uploading to the second Security Gateway.

    We recommend beginning with the Security Gateway that is currently active, even though this will necessitate two failovers. The reason for this is that ALG sessions are not synchronized.

      The "immediate availability" method
    • Upload the core to the currently active Security Gateway ("Security Gateway A") and restart it.
    • Issue a 'reconfigure' on Security Gateway B to rapidly fail back to the now upgraded Security Gateway A. Make sure Security Gateway A functions properly.
    • Upload the core to Security Gateway B and restart it.
    • End result: Security Gateway A is now the active node, just as it was before the upgrade procedure.

    Note that this leaves the second Security Gateway untested, even though it most likely will work just as well as the first Security Gateway. If you want to specifically test the second Security Gateway, you can:
    1) cause two failovers manually,   or
    2) connect to it via e.g. the remote console just to make sure it's running,   or
    3) if ALG and tunnel synchronization is not a concern, follow this procedure:

      The "long-term safe" procedure:
    • Upload the core to the currently inactive Security Gateway ("Security Gateway B") and restart it.
    • Issue a 'reconfigure' on Security Gateway A. This causes failover to Security Gateway B. Make sure Security Gateway B functions properly.
    • Upload the core to Security Gateway A and restart it.
    • Issue a 'reconfigure' on Security Gateway B to fall back to Security Gateway A. Make sure Security Gateway A functions properly.
    • End result: Security Gateway A is now the active node, just as it was before the upgrade procedure.
    Note that the "availability" issues affect only synchronization of ALGs and tunnels; there is more information about this in the Known Issues section. All other states are, as usual, fully synchronized and not affected in either procedure.

     Firewall Manager Problems Fixed                       
    Missing logsection for dynamic routing policy filters.
        Issue: In the security gateway configuration you can specify logreceiver to enable logging when the filter is matched. This is not possible to configure in the Firewall Manager GUI.
        Results: Firewall Manager could not configure logreceivers for dynamic routing policy filters.
        Affects: Firewall Manager v8.50.00 and up.
        Solution: Fixed in v8.60.03



     Security Gateway Core Problems Fixed                       
    HA: Radius messages are not sent from shared IP.
        Problem: When a Security Gateway running High Availability communicates with Radius servers, it uses the unique IP of the active member as source IP. The shared IP should be used instead. This is mainly a problem for Radius Accounting; the behaviour is, however, the same for Radius Authentication.
        Results: A High Availability failover might result in the Accounting Start and Accounting Stop messages being sent from different High Availability nodes. This in turn will make it hard for the Radius server and/or end user to associate the two messages to each other.
        Affects: v8.60.02 and earlier
        Solution: Fixed in v8.60.03
        Note: This change might require reconfiguration of Radius servers used by Security Gateways running High Availability. This is true for Radius servers configured to only accept traffic from specific IPs. Until now, the unique IP of one of the High Availability nodes has been used as the source IP. Both nodes are now using the shared IP.

    IPSec: Xauth password gets truncated.
        Problem: The password sent to the Radius server is truncated to the length of the username.
        Results: This will cause the Radius server to reject the password if the password originally is longer than the username.
        Affects: v8.60.02
        Solution: Fixed in v8.60.03

    TCP connections to the Security Gateway itself (Netcon, ALGs, PPTP) do not obey received TCP MSS.
        Problem: The Clavister Security Gateway ignores incoming TCP MSS settings and uses only the configured MSS value. This is faulty since the lower of these two values should be used.
        Results: This bug can result in loss of TCP data.
        Affects: v8.60.02 and earlier
        Solution: Fixed in v8.60.03
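
    The rule stated in this entry (send no more than the lower of the configured MSS and the MSS the peer announced), as an added example that is not Clavister code. The function names and the option bytes are constructed for illustration; a malformed option list is treated here as if no MSS had been announced.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TCP_OPT_EOL 0
#define TCP_OPT_NOP 1
#define TCP_OPT_MSS 2
#define TCP_DEFAULT_MSS 536 /* RFC 9293: assumed when the peer announces no MSS */

/* Return the MSS announced in a received SYN's option bytes, or 0 when the
 * option is absent or the option list is malformed (treated here as absent). */
static uint16_t peer_mss(const uint8_t *opts, size_t len)
{
    size_t i = 0;
    while (i < len && opts[i] != TCP_OPT_EOL) {
        if (opts[i] == TCP_OPT_NOP) { i++; continue; }
        if (i + 1 >= len) return 0;                 /* kind without a length byte */
        uint8_t kind = opts[i], olen = opts[i + 1];
        if (olen < 2 || i + olen > len) return 0;   /* length runs past the header */
        if (kind == TCP_OPT_MSS)
            return olen == 4 ? (uint16_t)((opts[i + 2] << 8) | opts[i + 3]) : 0;
        i += olen;
    }
    return 0;
}

/* Largest segment the gateway may send on this connection: the lower of its
 * configured MSS and the value the peer announced. */
uint16_t effective_send_mss(uint16_t configured, const uint8_t *syn_opts, size_t len)
{
    uint16_t peer = peer_mss(syn_opts, len);
    if (peer == 0)
        peer = TCP_DEFAULT_MSS;
    return configured < peer ? configured : peer;
}

/* Constructed sample: MSS 1452 (0x05AC), NOP, window scale 7. */
static const uint8_t SAMPLE_SYN_OPTS[] = { 2, 4, 0x05, 0xAC, 1, 3, 3, 7 };
/* Constructed sample: NOP, then an MSS option with a wrong length byte. */
static const uint8_t BAD_SYN_OPTS[] = { 1, 2, 3, 0x05, 0xAC };

int main(void)
{
    printf("configured 1460, peer 1452 -> %u\n",
           (unsigned)effective_send_mss(1460, SAMPLE_SYN_OPTS, sizeof SAMPLE_SYN_OPTS));
    printf("configured 1460, no option -> %u\n",
           (unsigned)effective_send_mss(1460, NULL, 0));
    return 0;
}
```

    A sender that uses only the configured value would emit 1460-byte segments to the first peer, which is the behaviour this entry describes as fixed.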

    IPsec: The Security Gateway core hangs when an IPsec tunnel is removed under certain circumstances.
        Problem: A deadlock occurs under some circumstances when an IPsec tunnel is removed. This can happen when, for example, an IPsec tunnel is removed because a remote peer received a new IP address from a DHCP server or the IPsec tunnel is reconfigured manually.
        Results: The Security Gateway hangs and becomes unresponsive until the watchdog reboots the system.
        Affects: v8.60.02 and earlier
        Solution: Fixed in v8.60.03

    DHCP Server incorrectly associates DHCP leases with MAC addresses instead of a client provided identifier.
        Problem: The DHCP Server tracks clients by their MAC addresses, which causes problems if the same client (MAC address) requests more than one DHCP lease.
        Results: The security gateway won't be able to handle multiple DHCP leases from the same MAC address.
        Affects: v8.60.02 and earlier
        Solution: Fixed in v8.60.03

    The Dynamic Routing function logs the wrong metric on SG50 appliances.
        Problem: When a FWLog receiver is used in combination with an SG50 appliance, it will cause the wrong metric to be logged for Dynamic Routing events.
        Results: A faulty metric will be logged in the FWLog receiver.
        Affects: v8.60.02 and earlier
        Solution: Fixed in v8.60.03

    PPTP server sometimes fails to send any traffic at all through a newly connected tunnel.
        Problem: When connecting from a PPTP client to the PPTP server in the Security Gateway it is sometimes not possible to communicate through the tunnel. Packets can only be sent from the client to the server, not from the server to the client.
        Results: The PPTP client might have to be reconnected to the PPTP server one or more times before packets can be sent in both directions through the tunnel.
        Affects: v8.60.02 and earlier
        Solution: Fixed in v8.60.03

    HA: Problem with OSPF and HA failover
        Problem: The self originated Link State Acknowledgments (LSA) do not get their refresh timer updated correctly at HA failover.
        Results: An LSA can reach its maximum allowed age and be discarded resulting in some networks being unreachable.
        Affects: v8.60.02 and earlier
        Solution: Fixed in v8.60.03

    HA: Problem with OSPF and area default stub summary
        Problem: The area default stub summary is only built once.
        Results: If the summary is flushed for some reason, it will never be rebuilt, resulting in unreachable networks.
        Affects: v8.60.02 and earlier
        Solution: Fixed in v8.60.03

    The L2TP server cannot handle multiple L2TP over IPSec clients that are located behind the same NAT gateway
        Problem: The L2TP server cannot handle incoming L2TP client requests sent over IPSec if the clients are located behind the same NAT gateway.
        Results: Only one of the clients can be connected to the L2TP server at the same time.
        Affects: Clavister Security Gateway Core v8.50.00 and up.
        Solution: Fixed in v8.60.03.

    DHCP Server/Relayer persistent leases don't work on the SG50 appliance
        Problem: The DHCP server and relayer cannot store information about leases on the SG50 appliance in a persistent manner.
        Results: If the SG50 appliance is rebooted, the lease information will be lost.
        Affects: Clavister Security Gateway Core v8.60.02.
        Solution: Fixed in v8.60.03.

    IPSec RSA-vulnerability
        Problem: The IPSec engine is vulnerable as described in http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html
        Results: An attacker may potentially use this vulnerability to its advantage.
        Affects: Clavister Security Gateway Core v8.60.00 and up.
        Solution: Fixed in v8.60.03.




     Security Gateway Core Known Issues                       
    HA: Transparent Mode won't work in HA mode
        Problem: There is no state synchronization for Transparent Mode and there is no loop avoidance.
        Results: Transparent Mode won't work in HA mode. There is no state synchronization and loop avoidance is not in place.

    HA: No state synchronization for ALGs
        Problem: No aspect of ALGs is state synchronized.
        Results: This means that all traffic handled by ALGs will freeze when the cluster fails over to the other peer. If, however, the cluster fails back over to the original peer within approximately half a minute, frozen sessions (and associated transfers) should begin working again.
    Note that such failover (and consequent fallback) occurs each time a new configuration is uploaded.

    HA: Tunnels unreachable from inactive node
        Problem: The inactive node in an HA cluster cannot communicate over IPsec, PPTP, L2TP and GRE tunnels, as such tunnels are established to/from the active node.
        Results:
    » Inactive HA member cannot send log events over tunnels.
    » Inactive HA member cannot be managed / monitored over tunnels.
    » OSPF: If the cluster members do not share a broadcast interface so that the inactive node can learn about OSPF state, OSPF failover over tunnels uses normal OSPF failover rather than accelerated (<1s) failover. This means 20-30 seconds with default settings, and 3-4 seconds with more aggressively tuned OSPF timings.

    HA: No state synchronization for L2TP and PPTP
        Problem: There is no state synchronization for L2TP and PPTP tunnels.
        Results: On failover, incoming clients will re-establish their tunnels after the tunnels are deemed non-functional. This timeout is typically in the 30-120 second range.