STEELHEAD APPLIANCE RIOS VERSION: 7.0.5b




RIVERBED PRODUCT RELEASE NOTES

PRODUCT: STEELHEAD APPLIANCE
RELEASE DATE: DECEMBER 31, 2012
RIOS VERSION: 7.0.5b

CONTENTS

1) Supported Steelhead Models
2) New Features in Version 7.0.5
3) New Features in Version 7.0.4
4) Fixed Problems
5) Known Issues
6) Upgrading RiOS Software
7) Managing RiOS 7.0.5 with a Riverbed CMC
8) Hardware and Software Requirements
9) Contacting Riverbed Support

1) SUPPORTED STEELHEAD MODELS

Important: RiOS 7.0.x does not support any of the Steelhead xx20 models. It can only be installed on xx50 and Steelhead CX xx55 models.

2) NEW FEATURES IN VERSION 7.0.5

RiOS 7.0.5 adds support for Steelhead models CX5055 and CX7055.

3) NEW FEATURES IN VERSION 7.0.4

Web Proxy Auto-licensing

This feature enables web proxy support for the auto-licensing feature, so that auto-licensing works in customer setups where a web proxy is configured. Users can now supply the proxy details, including the user credentials, using the Web Proxy CLI, and the auto-licensing infrastructure will automatically use this proxy data when sending requests.

TACACS+ users can change their password at login

If the TACACS+ server supports remote password change, it can initiate a change during login. After the user enters their username and old password, the Steelhead prompts them to enter a new password and then relays this new password to the TACACS+ server.

Additionally, if supported by the TACACS+ server, users can send a password change request to the server by pressing return at the Password: prompt during login. After the user enters their current password, the Steelhead prompts them to enter a new password and then relays this new password to the TACACS+ server.
4) FIXED PROBLEMS

Fixed in Version 7.0.5b

120209 Fixed an issue that resulted in a crash of the optimization service on the client-side Steelhead when an SMBv2 predicted open issued on a file handle by the client-side Steelhead was answered after a lease break notification on that handle.

Fixed in Version 7.0.5a

119528 Fixed an issue where DSCP markings were not reflected on the optimized channel until data was sent in that direction. This was visible when using unidirectional protocols or on initial ACK packets sent before data.

122331 Added a hidden CLI command to change the size of the store partition to the expected size. Additionally, added a fix so that new machines being shipped do not need this CLI command and are correctly sized when shipped from the factory.

Fixed in Version 7.0.5

74906 Fixed an issue where TACACS user credentials could not be used for VMware console logins on 32-bit appliances.

80555 Fixed a Steelhead reboot caused by a rare kernel bug where the symbol "filldir64" shows up in the kernel stack trace in the system logs.

97398 Added support for Steelhead CX5055 and CX7055.

102613 If QoS rules specify that DSCP values should be reflected from the client to the server connection, the initial packets in the TCP connection would not have their DSCP value properly set. This defect was fixed by using the DSCP value received by the server-side Steelhead appliance when connecting to the server.

111414 In some rare conditions, the Steelhead 7050 can unexpectedly reboot with a "General Protection Fault" message.

111698 Fixed a rare condition that can cause a Steelhead appliance to become unresponsive by changing internal parameters to reduce the memory use of model 150, 250, and 550 Steelhead Appliances and virtual Steelhead appliances.
114761 This issue may occur for encrypted Outlook Anywhere (eMAPI-OA) traffic via port 443 if client-side connection forwarding is enabled and an in-path rule for port 443 has been enabled without a pre-optimization policy. In this scenario the Steelhead will not be able to identify these connections as Outlook Anywhere and will perform no optimization. This fix resolves the issue so that all eMAPI-OA connections are properly identified and optimized.

115710 Fixed an issue that resulted in a crash of the optimization service on the client-side Steelhead when the SMB2 optimization feature was enabled and a client issued a close request for a file located on an SMB2 share that had been asynchronously marked for disconnect.

117078 Fixed an issue that occasionally caused a 500 error when logging in to the web interface. This error was seen only when the configured TACACS+ server was unreachable.

Fixed in Version 7.0.4

92015 Fixed an issue in the QoS code that caused the Steelhead to incorrectly print the error message "navl_conn_init failed:" in environments where there is packet ricochet from one in-path interface to another. Affected connections would not be classified properly by the AppFlow Engine.

99169 If a CMC disconnects from a Steelhead appliance in the middle of an operation, such as a push, the operation fails to resume in RIOS versions 7.0.1 and above. Also, the "show cmc" command was not displaying anything for the address/hostname of the managing CMC in those same versions. Both issues are fixed.

101471 Fixed an issue of high CPU utilization of winbindd by first removing Samba database files prior to the first launch of winbindd after an upgrade if the Steelhead appliance is joined to a domain.

101506 Fixed an issue with HTTP optimization where the Strip-Auth-Header feature may cause Internet Explorer to fail to display a web page when the server employs NTLM authentication.
102173 Fixed a rare issue that causes the client-side optimization service to crash if NFS optimization is enabled.     3 the optimization service bypasses SSL optimization for these connections. 106317 Fixed an issue that caused save-as operations on optimized SMB2 connections to fail. typically 40% to 60%. 106143 Updated the interface list in the Duplex Test on the Health Check page to exclude WAN and LAN interfaces. 106238 Resolved an issue that resulted in a crash of the optimization service when SMB2 optimization was enabled and a ReadRequest was canceled while waiting on decode. After the fix. This resulted in a find operation for a single filename receiving a complete directory listing starting from the beginning of the directory.     103107 Made a change to reduce the occurrence where a low memory condition caused the memory paging alarm to trigger in SH1050L/M appliances. 105286 Fixed the network interface list in the Health Check Duplex Test to not show interfaces that cannot be tested. Customers can tune this value to a percentage that will work on their environment. regardless of whether a file with that name existed or not. The fix has been made to reopen the find operation with the client's search pattern if we need to forward the client's find. which are not valid for testing. %show prepop settings Displays the max-mpx-pct value currently set. 106980 Patched ASN. the SSL server handshake is extended beyond a single packet and was causing an optimization service crash. CVE-20122131) 107008 Fixed a case where running the peer reachability test can lead to high CPU usage. 106456 In rare instances. 
105679 Fixed an issue that resulted in a crash of the optimization service on the server-side Steelhead when the SMB2 optimization feature was enabled and a client issued a close request for a file located on an SMB2 share that had been asynchronously marked for disconnect. 103022 Fixed an issue which resulted in Windows servers reporting a DoS attack from the Steelhead for CIFS prepopulation traffic. The code responsible for handling find requests was failing to adjust the search pattern if the client restarted a find operation for a single filename.       4 . A new command line option is available that will allow tuning the percentage of maximum number of outstanding requests that will be available to CIFS prepopulation operation. 105606 Fixed an optimization service crash due to reused keys in the FTP blade.1 vulnerability in openssl library (CVE-2012-2110. %prepop settings max-mpx-pct <10-100%> A value of 70% is set by default. 5.        5 . 107355 The MAPI optimization service keeps internal lists of MAPI request/response details.0. This fix will now correctly handle the encrypted MAPI connection setup and no longer leak this memory allocation. The fix will limit the maximum size of the internal lists and close the MAPI connection if the maximum size is reached. 7. the MAPI optimization will try to resend the download request. or pre7. The fix will limit the retry attempts and then close the connection. but fail to clean up the internal lists. This leak caused an internal module to take longer to process data.5.0.3. 108244 We now do not set the prihw device on a Steelhead appliance to promiscuous mode in order to avoid potential primary interface hangs. 6. Previously the MAPI optimization had no limit on the number of retries and would increase its allocated memory. These additional connections do not count towards connection limits on the Steelhead appliance." 
107874 Fixed an issue with HTTP optimization where a connection may be dropped if all of the following conditions are met: (1) the HTTP response is chunk-encoded and has an excessive number of chunks. 107130 If encrypted MAPI is optimized in delegation mode it will leak ~500 bytes of memory for every connection during the connection setup. This is due to a defect in determining if a pre-existing connection between peers is a suitable match. Over time this can lead to memory pressure alarms on the appliance that are not cleared even when all traffic has been stopped.1. even though no alarms were raised.5. This crash occurs only if connection forwarding is enabled but no neighbors are configured for the steelhead. This will free resources on Exchange and prevent the Steelhead from running out of memory.0.4. the MAPI optimization service will no longer retry the download indefinitely. If Exchange returns a "busy" error status during attachment download. but do waste small amounts of memory for each open connection. This will lead to memory leaks as long as Exchange returns the busy error status and could result in memory admission control.  107058 Fixed a crash in the connection forwarding code observed during service shutdown 107095 Clients which use DSCP marking to shape traffic throughout the network may inadvertently cause an excessive number of connections to be created between two Steelhead peers.1. (3) the Server-side Steelhead is running pre-6. 107234 Fixed a crash in the connection forwarding code that was observed while disabling or restarting service. or 7. 7. 107640 If Exchange returns an error status stating it is busy or overloaded. (2) the Client-side Steelhead is running 6. 107279 Fixed a memory leak in the server-side component of the HTTP End-to-End Kerberos component.5.4.0. which led to the Steelhead appliance reporting CPUSTATE_SEVERE log messages.2. 5 or 7. 
109965 Fixed an issue where QoS settings like the Class Filter Name may be reset to 0 after an upgrade between 7. 109968 Fixed an issue that occurred when upgrading a Steelhead 1050 under the following conditions:       Product is a Steelhead 1050-L or 1050-M being upgraded to a Steelhead 1050-M or 1050-H Upgrade adds new hard disks Steelhead is running RiOS 6. 111698 Fixed a rare condition that can cause a Steelhead appliance to become unresponsive by changing internal parameters to reduce the memory use of model 150. the device reboots (expected).0. 112784 Fixed an issue that would result in a crash of the optimization service if the optimization service was shut down while an optimized SMB2 connection had requests outstanding.x RiOS versions. This affects the Steelhead 1050 and 5050 series of models. which could potentially cause rcud crash.      6 . 110910 Fixed an issue where installing the MSPECHWUP<X> license on the licenses page did not make the X model selectable even if the hardware meets the spec. RAID initialization is delayed until the new disk has been fully setup. 250. 111987 Fixed an issue that kept initial CIFS pre-population syncs from finishing successfully due to locked files. 108452 A defect was fixed that adjusted the LAN socket buffer settings when the WAN socket buffer settings were adjusted.ERR]: web: global name 'pathPrefix' is not defined" after viewing the Health Check report webpage on a Steelhead appliance. and 550 Steelhead Appliances and virtual Steelhead appliances.5.  108421 Fixed race condition in CIFS prepopulation service. this could cause the Steelhead to buffer large amounts of data on the LAN and trigger TCP memory admission control. 109546 Fixed an issue that would cause errors in the system logs such as "[web. Fixed an issue where HSFC classification may enter into an infinite loop. 
Fixed an issue where default inbound QoS class should be configured if the class stored in the configuration db is invalid.3  Symptoms: After adding the required hardware.0. 111225 For 1050H models with newly added disks. but comes back up as the previous model with the optimization service stopped and the datastore in a degraded state. installing the upgrade license and selecting the new model. When the WAN socket buffer size was quite large. . 107548 Fixed an issue that caused no TCP dump files to be visible when connecting to the Steelhead's embedded shark using Cascade Pilot. 113679 Enhancement to increase the outgoing optimized traffic bandwidth limits on the following models: CX1555. In these circumstances. Problems Fixed in Version 7. 116019 A defect was fixed that prevented SCPS from being negotiated between Steelhead appliances when transparency was enabled. EX1160VH. 107168 Support for Virtual Steelhead 150 model. 113295 Fixed an issue where a hardware model upgrade cannot be activated after a reboot if the MSPEC license and hardware upgrade license were installed prior to the reboot. This issue resulted in an error log of the form: "no links are being stored but there is memory attributed to symlinks". 7   ." 116015 A defect was fixed that caused the configuration for WAN socket buffer settings to be ignored when either full or port transparency was enabled. 107903 The fix will identify all FCIP sessions uniquely and prevent the Rios log messages "expected seq_cnt 12 got 20". This error occurs when the same IPs and ports are used to initiate and accept connections in quick succession.      Problems Fixed in Version 7. 114397 Fixed the log message "unknown structure in ext SpliceSetupInfo:. 
43888 Fixed an issue that led to an incorrect tracking of memory attributed to symlinks in the NFS optimization feature.3  23560 Fixed an issue that results in the inability to optimize a connection and the error message "Peer sport id is the same as mine!'.0. 50976 Fixed a rare issue where the optimization service crashed if NFS optimization was enabled and the number of bytes specified in the NFS write reply from the server was more than the amount given in the corresponding write request. and EX1260VH. For only these transparent connections. the amount of data that could be buffered was reduced leading to a potential degradation in WAN performance. 106928 Support for Steelhead 150 model. the Steelhead appliance would not notice as quickly if its peer is unavailable. The environments that use IBM GlobalMirror may benefit from this fix by observing a slight improvement in data reduction. and updated SH 250 model specifications.3a      66684 Backed out MAPI enhancement code to prevent sport crash bug 107745. 116020 A defect was fixed that caused the configuration for the out-of-band keepalive values to be ignored when either full or port transparency was enabled. and updated Virtual SH 250 model specifications..0. 89133 When the steelhead with QoS enabled is configured to operate in an out-ofpath deployment. 86248 Fixed an issue where optimization of SMB-signing or Encrypted MAPI connections in delegation mode resulted in excessive DNS lookups being made to determine and resolve the Key Distribution Center (KDC) of the domain.” This error is benign.c:2598. 63684 Fixed a sport process crash caused by a null pointer dereference in the FTP optimization module. 90154 Fixed an issue where the CLI command "show running-configuration" will generate an invalid CLI command when a QoS class with "packet-order" queue type is present. 88610 Fixed a problem in editing ICA rule in advanced qos. 
an error message may be captured in the log file with the following string "[intercept. This fix addresses the issue and the connection to the backup Steelhead is now successful. The problem is fixed by removing the "conn-limit" parameter from the generated command.             8 . 87670 QoS Marking status will be displayed in the output of the CLI command "show qos classification". 75195 Fixed a problem where an HTTP POST request data is delayed from reaching the server. 89873 Fixed a case where CMC policy push causes steelheads to blacklist each other. we did not connect to the backup when the primary is down causing all the connections to pass through the box. This issue applied only when the Steelhead was configured in virtual-inpath (WCCP) mode. preventing SSL optimization from occurring. uninitialized device 0". 59016 When primary and backup Steelhead appliances are configured using fixed target rules. Both the client-side and serverside Steelhead appliances must be upgraded to correct this issue. 90851 Addressed an issue where Inbound QoS was not classifying flows with incoming GRE encapsulated UDP fragments. md_rbt_stats. which could lead to connection timeouts. This message does not affect the appliance operation and has now been removed. The crash could occur if the SMB2 optimization module had entered a shutdown state for a given connection and an SMB2 share was then mapped by that connection.ERR]: md_rbt_get_top_talker_stats(). 88509 Fixed an issue that resulted in a crash of the optimization service in Smb2::ClientParser::process_LeaseBreakRequest() if the SMB2 optimization feature was enabled. 88666 Fixed the error message displayed on the CLI when the protocol field specified in the command "qos basic classification global-app" is invalid. 69516 Fixed an issue that RiOS logs the following error messages in some cases: “[mgmtd.ERR] intercept ioctl 0x40047a14. resulting in restart of the optimization service. 
build 156_9: Error code 14001 (unexpected NULL) returned. 96214 Fixed uncommon problem where the users are unable to login via the web interface after a system start or restart due to a race condition that caused the system swap to fail to initialize.0). This type of write request may be issued by certain port scanners. unhealthy threads follow" to appear in the log during an image install. 93712 This issue is fixed by monitoring the on-board NICs bypass state and interface link.52) 95657 Additional alarms information.3:            [no] protocol http stream-split [Silverlight | flash] live enable Added new CLI command that will enable/disable stream splitting for all video formats:  [no] protocol http stream-split live enable 9 .txt in the System Dump (Reports > Diagnostics > System Dumps). 96357 The following commands are deprecated as of RiOS 7. 92146 Fixed a problem that caused Outlook to stop receiving new emails from the Microsoft Exchange Server. can now be found in file alarmd_info. and opera(11. 96002 All connections between Outlook and Exchange might end up un-optimized if the connection from the client-side Steelhead to the server-side Steelhead has failed once for any reason even if that reason has been resolved afterwards.3).0. 92015 Fixed an issue in the qos code that caused the steelhead to incorrectly print the error message which said "navl_conn_init failed:" in environments where there is packet ricochet from one inpath interface to another. The fix prevents us from trying to remove the write data from zero-byte write requests. Firefox(8. This issue is now fixed and the connections will be optimized. Problem may occur after sending an email with an attachment that would lead to the optimization service losing synchronization with the Exchange server. 
95684 Fixed an issue where a zero-byte SMB2 write request on an optimized connection could cause a crash in the optimization service if it specified a data offset beyond the end of the message. including the alarm hierarchy.0. table. 93954 Fixed an issue which shows system log errors such as "Invalid model for PFS " and sometimes prevents the device's configuration from being reverted while using the "keep-local" option. 91688 Fixed an issue that may cause unhealthy thread warning messages like "One or more threads not responding after at least 16s. and restarting auto-negotiation if the NIC interface gets stuck in bypass. Affected connections would not be classified properly by the AppFlow Engine. 95529 Refreshed the SSL CAs with the most up to date root and intermediate certificates from IE(9. statistics and the config override cache. as an unlimited number of policies and rules can make the policy feature unmanageable. or RSP or VSP is enabled. pkt size = y” where x is the space available in bytes in a frame and y is the length of the packet dropped in bytes. Available frame size = x. The fix now correctly clears cache information for the changed items. 97707 Fixed in an issue which caused some files to be synced during CIFS prepop even when they didn't meet the specified filename regex policy criteria. When Notify responses indicated that a watched directories' content had changed. The following new CLI command has been provided to transfer all files during the sync operation for a given prepop share: prepop share modify remote-path <SHARE_NAME> full-interval <TIME_IN_SECONDS> 97869 Fixed an issue where FTP optimization can fail when parsing PASV responses without parentheses. 97599 Fixed an issue where the SMB2 optimization feature was not properly processing SMB2 Notify responses. 97714 The default scheduled sync operation for CIFS prepop is an incremental sync which only transfers new and modified files. 
97306 Fixed a race condition that caused some connections in the process of being setup when the Steelhead entered Admission Control to be passed through instead of optimized. and Length of reassembled IP fragments is larger than 1968 bytes. 10 . the Steelhead would incorrectly identify whether the affected files were cached. 97104 Fixed a problem where it can take minutes for a cancellation of an RSP HA operation to complete if the connection between two Steelheads is down. Terminating sport. This condition would have resulted in the following error level log message at the data receiving Steelhead: "Packets will be dropped: Attempt to write buf exceeding frame size. 96599 Fixed an issue that caused the following warning message to incorrectly appear in the log during Virtual Steelhead startup: MSPEC license has expired or been removed. 97709 Restricted number of CIFS Prepop policies to 10 and rules in each policy to 6. 97921 Fixed a problem where IP packets would be dropped with default configuration of RiOS packet-mode optimization under one of the following conditions:            Any IP packet's length is larger than 1968 bytes. The client IP address is blacklisted for 24 hours to prevent future failures. 99461 Enhanced the behavior of the SMB2 optimization file data cache to ensure that cached read data is not used in scenarios when there are unknown IOCTL operations for a given file. as usually this situation results from wrong MAPI configuration of the Steelheads. 98257 Fixed an optimization service failure issue that could occur if a Steelhead was optimizing many MAPI connections and many of those connections were simultaneously closed. in some cases. 98338 The optimization service can crash when encrypted MAPI connections are being authenticated. If the MAPI connection is closed while the initial authentication request has not been answered. 
98372 Benign log errors from the process "virt_wrapperd" could appear when shutting down an appliance with many RSP slots installed. If the Kerberos authentication request from Outlook is not responded to by Active Directory in a timely manner. When this occurs. 99624 Resolved an issue where. 98263 Fixed an issue with QoS where a site's bandwidth can't be set to 0. Outlook Anywhere transported over an HTTPS connection cannot be optimized unless an In-Path rule with a pre-optimization of SSL is used. Outlook Anywhere connections will not be recognized as SSL-type connections and the optimization service will see the encrypted data. This fix will correctly recognize Outlook Anywhere connections over HTTPS as SSLtype connections. 99306 Fixed a problem where Primary interface stats are displayed as zero. 98043 In some cases. 98842 Fixed memory leaks that happen when a site is edited in Basic QoS mode. The fix involved correctly identifying the wildcard characters and allowing the server to respond to those requests. Outlook may send another authentication request. the Dataflow page would fail to display any data after a configuration was switched or reverted. 99536 Fixed an optimization service failure that could occur when an optimized SMB2 client is notified of a directory deletion when the SMB2 cache on the Steelhead contains a node for one of the directory's children with no handles. Without such an In-Path rule. This most commonly occurs when the system is shutting down.01% of the interface rate. 99342 Fixed an issue where the Steelhead SMB2 optimization feature would incorrectly return STATUS_NO_SUCH_FILE for find requests using non-star wildcards. This fix will detect this situation and properly close the MAPI connection. 11            . 99314 Fixed a problem where a QoS rule that uses the SIP protocol to classify and control SIP traffic could result in a crash of the DPI process (qosd) when a specific message format is processed. 
the optimization service can crash. there is no impact to optimized connections. This message is now correctly logged at the INFO level. 99997 The log message "Received request to enable AsyncEvent" was incorrectly logged at the Error level.py". This is most likely to happen in server-to-server push replication where the attachment write size is very large and/or there is delay between the server-side Steelhead appliance and the server receiving the attachment. The unhealthy thread warning is issued because the SMB2 garbage collection process could potentially enter an infinite loop if the garbage collection began at the second share in our list. 100269 Fixed a problem where Lotus Notes attachments would fail to be sent to server. This is an unlikely event. the optimization service can crash once the Steelhead enters admission control. 100166 Fixed an optimization service crash that occurs when the Extended Peer Table feature was enabled and invalid data was detected on the storage device. This fix will close the MAPI-PREPOP connection correctly and prevent output of the misleading message. and there were less than 1000 nodes in the cache that could all be freed. which is not the case for MAPI-PREPOP connections. 100148 When a MAPI-PREPOP connection is closed on the client side Steelhead it will produce an "Inner channel down prematurely. because it is not closing the connection correctly. since it depends on a specific timing of events during the Steelhead's transition into the admission control state. requesting shutdown" message on the server side Steelhead. 100160 Fixed the RSP service alarm so that it does not trigger than RSP service is enabled or disabled. the second share was no longer in use. The message is harmless and related to permissions issues when checking certain systems at CLI startup. 100276 Upgrades will not add new default NTP servers if the old default NTP servers were removed. 
The fix will prevent the crash by changing the internal order of processing connection setup. 99808 If a MAPI connection is created just prior to admission control. 99931 The message is "[hald_model.            12 . This message usually indicates network problem on the WAN connection. The fix entails correct accounting of the retransmitted packet counts. 100132 rsp slot * backup restore ? now lists only the relevant backups for the slot. peer probably down. 99924 Eliminated a theoretical security vulnerability in JavaScript code related to Adobe Flash. The warning should no longer appear. 100131 Connection detail reports for Optimized connections always showed the retransmitted packet count as 0. 99637 Fixed an issue where the client-side Steelhead could experience a crash of the optimization service due to an unhealthy thread while optimizing an SMB2 connection.WARNING]: Exit with code 1 from /opt/hal/bin/hwtool. 100812 Fixed an issue that resulted in SMB2-Signed connections getting blocked if the domain controller was unavailable when the end-to-end Kerberos authentication feature was being used. 100664 Fixed an issue where the Steelhead will not send disk pressure changes when working with Interceptors with Fair Peering v2 and pressure monitoring enabled. 100576 The password for the Lotus Notes server file is no longer logged. 100779 Fixed an issue where SMB-Signing optimization fails to obtain a Kerberos ticket in Delegation Mode for a server that has recently changed its machine password in Active Directory. 100368 Fixed an issue where SMB-signing optimization fails when an OS X client connects using Kerberos authentication and the Steelhead Kerberos authentication support is enabled. The solution was to defer certificate updates during a brief critical region when incoming connections are accepted. 100923 If the QoS bandwidth configured is greater than that of the model-specific limit. disallow this configuration and return an error. 
100985 Fixed a race condition where the optimization service was referencing a certificate that was being modified or deleted. 100636 Fixed an issue which prevented the user from specifying a max-sync-size value larger than 2GB for a CIFS prepop share. 100557 Fixed an issue where the link status of the primary interface is yes after primary is shutdown from CLI. 101032 Fixed a kernel panic on 32 bit SH like 250 or 550 when both Netflow and RSP are enabled. 13  . 101244 Corrected asymRouteError's definition from              OBJECTS { arcount } to OBJECTS { asymRouteCount }  101311 Fixed an issue where interface receive buffer size was not configured properly for some interface types. regardless of logging level. Please note that the sum of the bandwidths configured for all interfaces on which QoS is enabled needs to be less than or equal to the model-specific bandwidth limit. 101147 Allow DHCP enabled interfaces to be configured as listen interfaces for SNMP server and SSH server. which may cause packet drops in certain high traffic situations. 101500 We have made system resources to be used more efficiently under high connection loads. Customers running near to connection admission control with certain workloads and who were experiencing TCP memory pressure alarms should now notice a reduction or elimination of the memory pressure alarms. 101615 Removed benign log messages that occur when we received a packet with source or destination mac address of all 0s.             14 . 101788 Fixed a memory leak that occurs when obtaining Kerberos tickets during the optimization of Smb-Signing and Encrypted MAPI in delegation mode. 101816 Fixed a problem where Lotus Notes clients could not connect to the server when encrypted Notes optimization was enabled and the connection matched an inpath rule with Data Reduction Policy set to "None". these messages could potentially flood the logs. 
101767 Fixed a problem where Server-side Steelhead sends out UDPv4 optimized packets always out of inpath0_0 with packet-mode optimization enabled. It now correctly states: hal: Set interface mode to normal successfully for port [0_0] 102377 Fixed a problem where a Steelhead running RSP could crash upon receiving fragmented packets out of order. 102380 Fixed an issue where Kerberos authentication support in HTTP optimization fails when the HTTP server resets its domain account credential. 102717 The bug fixes an invalid assertion during the check for memory range. packets will go out of the next inpath. as ESX sometimes uses a source of all zeros. This would occur for certain DSCP settings. skb src 00:00:00:00:00:00" These message were more common in Virtual Steelhead deployments. This problem is seen when Server-side steelhead has multiple in-path interface pairs enabled. 102644 Added help text for the "qos classification site add" CLI command to indicate that a special value of 254 indicates that the DSCP value will be inherited from the service class. for instance inpath0_1. for example "Unable to update mac table with src address. In cases where inpath0_0 is not enabled. 101741 Fixed a bug in the qos code that resulted in the steelhead marking a Syn/Ack++ and some reset packets with an incorrect dscp mark. The dscp mark that was put on the packet was for the opposite direction of the connection. 101825 Fixed a problem where a small amount of memory is leaked on the serverside Steelhead appliance for every optimized encrypted Lotus Notes connection. 102019 Added boot-time options to fix time drifts on 64 bit virtual products 102104 The log message has been changed to correctly reflect the interface state. 
102708 Fixed problem where a specific QoS rule's details on the Advanced QoS page would show "All" in the DSCP field even though the actual value was set to something different.
101569 Fixed an error during Citrix CGP(SR) session resume that caused certain versions of RiOS to process Citrix Reconnect payload incorrectly. Since we printed a log message per packet. essentially making packets go out of only one inpath at all times. Previously: hal: Set interface mode to bypass successfully for port [0_0]. This is most likely to occur with high-speed links.
103039 Fixed an issue that caused the client-side optimization service to crash if it received a malformed SMB Notify Change response while CIFS optimization was enabled. A new command line option is available that will allow tuning the percentage of maximum number of outstanding requests that will be available to CIFS prepopulation operation.
103197 Fixed a problem where. This would lead to a crash of the optimization service due to out-of-memory (OOM) conditions.
103265 Fixed issues where Steelhead with RSP enabled may reboot while handling a connection with fragmented packets.
102960 Fixed an issue where the hardware LED color could be incorrect until another change of health. %prepop settings max-mpx-pct <10-100%> A value of 70% is set by default. a Steelhead running RSP could crash upon receiving fragmented packets. EX1260 and CX1555 series appliances. This consolidates Flash and Silverlight stream splitting.
103088 Fixed the way the system LED information was queried on the EX1160.
103347 Fixed a problem where a Steelhead attempts to optimize both multicast and broadcast packets when packet-mode optimization is enabled.
103022 Fixed an issue which resulted in Windows servers reporting a DoS attack from the Steelhead for CIFS prepopulation traffic.
103003 HTTP video optimizations are now controlled by a single checkbox. typically 40% to 60%. Now the LED correctly reflects health state.
Customers can tune this value to a percentage that will work on their environment. The fix causes latency optimization to be disabled upon receiving a malformed response and an SMB_SHUTDOWN_ERR_MALFORMED error message is logged. The following CLI commands may be used to configure encrypted-LDAP support: protocol domain-auth encrypted-ldap enable
103337 Added CLI commands "show rsp images checksum" and "show rsp packages checksum" to show the MD5 checksum values for RSP images and packages. The health state on the UI and CLI would have still been correct.
102855 Fixed an issue that prevented the optimization of SMB2 connections to an EMC-Celera filer when SMB2-Signing Optimization was enabled but the server did not require Signing. %show prepop settings Displays the max-mpx-pct value currently set. due to a rare race condition.
103273 Provided new CLI commands to allow support for Auto-Delegation Mode in Active Directory environments that require encrypted-LDAP communication.
103238 Fixed an issue which allowed an unbounded amount of data to be cached for optimized SMB2 connections when the names encoder is overwhelmed. thereby causing optimization of Encrypted MAPI and SMB Signing connections to get suspended.
103876 Added functionality to resolve the condition where SRV lookups return unroutable KDCs by providing CLI commands to allow hardcoding of KDCs for individual domains.
104027 Fixed an issue that resulted in a crash of the optimization service when SMB2 optimization was enabled and the server returned an invalid create action in response to a create request on the root of an SMB2 share.
104411 On Steelhead EX.
103459 Fix a rarely occurring issue with on-board.py: No such file or directory ". The Steelhead will contact the hardcoded KDCs directly without doing DNS SRV lookups. it will restart itself.
103604 Fixed an issue that caused the optimization service to crash when an unexpected packet was encountered while using native Kerberos support in HTTP protocol optimization.
103994 Fixed a condition where users may see an average connection count larger than the peak connection count in connection history page. An alarm will now be triggered if a profile switch to perform repartitioning is unsuccessful. This bug fix resolves the issue by eliminating the traversal of the list of requests.
103681 Fixed an issue which resulted in LAN bound packets not being properly classified for QoS when virtual-inpath RSP was enabled.
103693 System Detail Reporting Alarm has been disabled by default. primary & aux Intel Ethernet controllers 82574/82571 using e1000e driver that triggered false Tx hang when the link speed was set to 100Mbps.
104505 This addresses the issue where a virtual Steelhead configured with a hardware bypass card sees the log line: " /opt/hal/bin/hal: line 129: /opt/hal/bin/vm/vsh_bypass_init. disks can be repartitioned to allow Granite and VSP to use different amounts of storage. User can enable it when needed.
104021 SSL private keys are no longer logged when the "Import Existing Private Key and CA-Signed Public Certificate" feature is used.
104047 Fixed an issue in the way KDC lookups are done and validated that can potentially lead to longer delays in connecting to a valid KDC.
103366 Fixed an issue that resulted in a crash of the optimization service when SMB2 optimization was enabled and a create response sent by the server for the root share did not have the directory bit set.
103370 In certain cases. Once the optimization process detects a high delay. NFS/CIFS read requests can create large chains of requests which can add significant delay in processing packets and events.
104126 Added software support for new 4-port copper bypass card 410-00047-01 used on CXxx55 and EXxx60 models.
104680 Fixed a problem with packets getting dropped by the Management Inpath interface function when they are received on the WAN interface with WAN MAC addresses. If. The commands are:
105631 Fixed an issue which caused an SMB2 connection to hang on the client-side Steelhead if SMB2 optimization was enabled and the request to get file security information failed on the server.
Problems Fixed in Version 7.-} Dir list has error for [/proxy/<PREPOP_SHARE_PATH>]”
105247 Fixed an issue which resulted in an empty directory listing even when there were files that matched the requested pattern for the directory listing if the SMB2 optimization feature was enabled with idle for optimization. which Outlook will wait for. the optimization service encounters difficulty completing a request/response.
103022 Fixed an issue which resulted in Windows servers reporting a DoS attack from the Steelhead for CIFS prepopulation traffic. it will reset the connection so that new emails are successfully delivered to the inbox.
105797 Fixed an issue that could result in a crash of the optimization service when optimizing an SMB2 connection if a notification indicating an expired directory was deleted that we still have handles for the children. The optimization service crash is avoided by ensuring the necessary state always exists rather than attempting to remove it when it’s unnecessary.
105990 Fixed an issue where logging into the CLI on a xx55 or xx60 model before the Steelhead is licensed may take a long time to get to the command prompt. A new command line option is available that will allow tuning the percentage of maximum number of outstanding requests that will be available to CIFS prepopulation operation. This happens because the optimization service can lose a request/response while sending an attachment.0.
105504 Fixed an issue where TCP Westwood wasn't performing optimally in some cases.
104818 Fixed an issue with CIFS prepop shares which causes error messages of the form “[rcud/fsutil/. New emails in the Inbox will not show in Outlook. but never receive.
104797 Add a default access rule to always allow incoming WCCP packet when WCCP is enabled.{.2c
92146 After sending an email with an attachment Outlook may no longer receive updates from Exchange. after the fix.WARN] . available from the Riverbed support site.2
76458 This feature makes available hardware based fail-to-wire/fail-to-block capabilities for virtual Steelheads running on ESXi 4.
104505 This addresses the issue where a virtual Steelhead configured with a hardware bypass card sees the log line: " /opt/hal/bin/hal: line 129: /opt/hal/bin/vm/vsh_bypass_init. traversing the list can take a long time. traversing the list can take longer than 30 seconds. or if the Virtual Steelhead guest experiences a significant fault (utilizing the same logic as physical Steelhead appliances).0.
103197 Fixed a problem where. typically 40% to 60%.
Problems Fixed in Version 7. If a Steelhead is optimizing many thousands of MAPI connections.0. If many MAPI connections are closed at the same time. due to a rare race condition. This is more likely to happen during optimization service shutdown. must also be installed on the ESXi host.1 hosts with qualified Riverbed bypass cards installed.
104126 Added software support for new 4-port copper bypass card used on Steelhead CX xx55 and EX xx60 models. When a MAPI connection is closed the list is traversed to print a summary of currently open MAPI connections.%prepop settings max-mpx-pct <10-100%> A value of 70% is set by default. which will alert a service watchdog.
Problems Fixed in Version 7. or if the Virtual Steelhead guest is powered off. The configured failure mode will be triggered if the ESXi host loses power or is unable to run the Virtual Steelhead guest.py: No such file or directory ".
103265 Fixed issues where Steelhead with RSP enabled may reboot while handling a connection with fragmented packets. Customers can tune this value to a percentage that will work on their environment. A special ESXi bypass driver.2a
98257 The MAPI optimization service keeps an internal list of MAPI connections and details of the Outlook client. as at that time all MAPI connections are closed. This list can grow over time if many different Outlook clients are optimized. %show prepop settings Displays the max-mpx-pct value currently set. This fix will avoid delays during MAPI connection shutdowns.
102230 Fixed a memory leak issue taking place when HTTP parse-and-prefetch optimization is enabled. a Steelhead running RSP could crash upon receiving fragmented packets. Currently qualified Riverbed bypass cards are P/N NIC-001-2TX (2 port copper gigabit) and NIC-002-4TX (4 port copper gigabit). the code does not control the change in the number of rules when a port label is edited.0.vmdk" extension.vmdk"
70646 When adding rules using CLI while QoS is enabled and not specifying source/destination port an error message will be observed in the log file.
56653 Added RTSPS port (322) and Operations Manager port (5723) to default secure port label
65078 The 'Peering Trust' and 'Bypassed Servers' reports have been enhanced to include the expiration time and error reason for each entry. Creating more than 300 in path rules can cause this issue.
Problems Fixed in Version 7.
55692 Fixed a rare bug in the SMB optimization feature that led to the crash of the optimization service on the client-side Steelhead.1
32364 Fixed a problem where the optimization process will not start if its configuration file is too large. For example "SOME.
102625 Deprecated the Virtual Steelhead datastore zero CLI command and alarm. The message doesn't affect the appliance operation.
Added a new report called 'splice policy' This report keeps track of connections that are not fully optimized due to reasons listed in the entry.DISK. EX1160 and EX1260.
103060 Fixed an issue where show hardware all shows system LED color to be orange instead of red when the system is in critical state on models CX1555.
102630 Added RiOS CLI commands remote access enable and no remote access enable to enable/disable remote management port access.
71492 Fixed a QoS issue where the "show run" command reordered the QoS sites and rules
69587 Fixed an issue that prevented a disk from showing up in the RSP/Slots/Disk web UI or CLI when the disk name has a period before the ". Currently. The fix ensures that the system generates a warning if we exceed the safeguard limit after the port label is modified.
38156 Added Kerberos port (88) to default secure port label
38239 The limits for the MTU (Maximum Transmission Unit) are now consistent between the CLI and web interface. The fix will result in a termination of the offending SMB connection with the error SMB_SHUTDOWN_ERR_NULL_FILE.
69585 Port label modifications can lead to an increase or decrease in the number of QoS rules. which can lead to issues if the increase in the number of rules is substantial. Also added an additional line to the output of show remote ip to show the access status of the remote port.
102634 Fixed a memory pressure issue taking place when HTTP optimization is enabled with OPT and Gratuitous 401 in conjunction with Codec flow control.
92667 Fixed an issue where the Steelhead reports different ingress and egress interfaces in Netflow records for optimized connections that have packet ricochet through the Steelhead.
76869 Fixed a problem where an improperly formatted chunk-encoded HTTP request could result in an unexpected shutdown of the optimization service on the server-side Steelhead appliance.
81252 Enhancement that added an incident counter and a warning log message which reads "Dropping gre packet possibly due to a loop".
88572 Adding additional page validation checks during data store sync.
74919 Establish optimized connections for FTP and MAPI data connections using the results of the auto-discovery process for the preceding control connections.
88327 Fixed an issue that increased memory consumption of the optimization service due to redundant caching of data structures used in encryption of optimized data over the WAN.
92002 Fixed an issue where cached results of previous FTP and MAPI connections to a particular server were reused for subsequent connections to the same server without consulting the in-path rules table. A page that does not pass the validation is removed from the sync list.
91096 Fixed an issue where a server-side Steelhead in a connection forwarding setup attempts to establish an optimized connection when it receives a duplicate or retransmitted SYN+ before its connection forwarding neighbor(s) has acknowledged the connection. This helps in detecting a possible loop in the network. The problem can be fixed by upgrading both the client-side and server-side Steelhead appliances. This message is printed when a GRE packet is dropped due to the Time-To-Live field in the IP header reaching zero after it is decremented.
79751 Fixed a problem where the optimization service stops unexpectedly when HTTP connections use chunked-encoded transfers. This would occur when the chunk trailer was split into its own packet in between Steelhead appliances on the wide-area network. even though the prepop task was actually started. If the number of pages removed crosses a pre-defined threshold.
88751 Clarified the documentation to state that the ALL IP limitation applies to packet-mode optimization (UDP and IPV6) fixed-target in-path rules only.
94211 Fixed an issue that caused CLI to return an error message "% Internal error (code 1003)" after issuing a HTTP prepop start command. Steelheads would re-sync the pages.
81361 Added checks to ensure the secure vault (containing needed credentials) is open on the server-side Steelhead before attempting to process encrypted MAPI traffic using end-to-end Kerberos or Kerberos delegation.
94242 Fixed an issue where getting the delegated Kerberos tickets required for SMB-signing or Encrypted MAPI optimization failed if prior clock skew errors had been encountered. the optimization service calculated the difference and compensated for the clock skew. If the file inherited access control entries on creation from its parent that would prevent a subsequent open using the same access mask. Windows rejects this as an invalid filename.
95497 This patch invalidates HTTP domain name/relative path changes that do not satisfy the requirements.
95137 Improved the error handling around MX-TCP QoS rules and the pass-through traffic type.
94808 Added a UI option to enable Flash Stream Splitting and renamed the original option to clarify that it controls Silverlight Stream Splitting.
94933 Added the ability to view total peak stats for all SRDF traffic on the general reporting page.
95489 Fixed an issue that would incorrectly allow an optimized SMB2 client to reopen a newly created file it recently closed.
94932 Fixed an issue where the primary interface remains physically up after being shut down. MX-TCP rules can no longer be set to pass-through. but NetApp allows the open as though the directory separator isn't there. if the clock was reset on the Steelhead it would continue to incorrectly apply the prior time compensation when requesting Kerberos tickets. we would keep the handle open so long as all other idle handle criteria were met. The client makes requests for a filename where a stream name immediately follows a directory separator.
If the client then re-opened the file within the idle handle timeout.
94306 Fixed a race condition that led to an optimization service crash after the Steelhead entered connection admission control.
95642 Fixed an optimization service failure that could occur when an optimized SMB2 client is notified of a directory deletion at the same time a file contained in that directory is closed. The first time that the clocks on the Steelhead and Domain Controller (DC) differed by more than 5 minutes.
94531 Fixed a crash in the optimization service when an SMB2 client tries to open up an invalid filename for a stream.
94479 This solution ensures HTTP optimization is only triggered when enabled on both the client and server Steelheads. we would allow the open to succeed. which has been accounted for by adjusting the name on a successful open. leading to a failure in that operation.
95127 Perform a check for sufficient disk space before allowing the installation of RSP images. so it is consistent with "protocol notes encrypt blacklist remove-ip <ip address>". However.
95481 Renamed CLI command "no protocol notes encrypt blacklist" command to "protocol notes encrypt blacklist remove-ip all".
95899 Corrected an issue where the QoS interface rate was not displayed while showing the appliance configuration from the CLI
95987 Fixed an issue where SMB-Signed Transparent Mode blocks signed CIFS connection if the joined domain has NTLM disabled.000 simultaneous optimized connections with DPI would fail with errors like "[qosd. This problem did not affect system functionality and does not require a workaround. qosd.
96421 Fixed a problem where the site bandwidth was displayed in the CLI while in Advanced QoS mode.
96070 Fixed an issue that would corrupt the segstore segment containing the SMB negotiate request at the server-side Steelhead when an SMB2 client that is blacklisted for optimization would negotiate protocols with the server.
The destination subnet of the rule is logged incorrectly.c:1484.
95765 CIFS and CIFS-Signed traffic are now properly categorized in the statistical reports. to not generate email notifications.
95871 This fixes a bug in 7. In Advanced QoS mode the sites and rules are configured separately from classes.0. when triggered or cleared.
96336 Corrected diagnostic message in the log file when pushing system configuration to the classification component. Classification of more than 10.0 wherein the value of the Application field for an Advanced QoS rule could not be removed (by setting the field selection to "--")."
95995 Fixed an issue that could result in Outlook clients repeatedly showing a password prompt to the user if encrypted MAPI optimization was enabled on the Steelhead and the attempts to authenticate the connection resulted in an error from the domain controller (DC). build (null): Too many open files: accept. The fix involves properly categorizing the error codes returned by the DC to ensure that the encrypted MAPI connection is blacklisted and passed-through to the Exchange server in this scenario.ERR]: qosd_sport_connect_handler().
96049 Fixed an issue that caused "Domain Join Error" alarm. Therefore sites and rules do not have an associated bandwidth allocation.
95668 Fixed an issue that caused users with "Reports" RBM role unable to execute the CLI command "show connections".
95863 Fixed an error message "Interface with index <id> not found" that could occur when updating the data flow VNI settings.
95989 Fixed a QoS Classification problem. The fix transparently blacklists and passes through the connection.
96432 Prevent sites from being deleted if they contain non-default rules.
96627 "Peer Mismatch" alarm is now aggregated into "Software Mismatch" alarm.
96708 Fixed an issue that caused "datastore_sync_error" alarm.
97084 Removed an error msg in the logs when adding/editing an invalid inpath rule. when triggered or cleared.
"DC communication failure" and "delegation user failure") but only one clearing email. as well as a CRLF Injection vulnerability with the _fragment parameter. build (null): Required condition was not met"
97091 Fixed an issue where adding a global application from the CLI without specifying the protocol returned an "Internal Error.ERR]: md_rbt_add_rule(). The affected alarms are secure_vault_rekey_needed and secure_vault_uninitialized. Once disabled.
96637 Fixed cross-site scripting vulnerabilities on the RSP Dataflow page.
96713 Fixed an issue that caused the notification not being sent when "SSL Certificates SCEP" alarm is triggered.
96675 Enhanced the "protocol domain-auth test dns" command to check to make sure that the necessary DNS SRV records are present in the Active Directory Domain to which the Steelhead will be joined.
96822 Fixed an issue where there may be more than one smb_alert triggering emails (e. to not generate email notifications.cc:1329.
96696 We now allow the user to disable the exporting of SSL Server Certificates via a button on the SSL Main Settings page.
96541 Fixed a problem that could cause an optimization service crash while optimizing Outlook Anywhere traffic. A warning message still remains to remind the user that the invalid rule they tried to add is invalid.g. The error message is like the following: "[mgmtd." If an error condition occurred when the Outlook Anywhere connection was closed the optimization service could crash. though.
96712 Fixed an issue that caused the notification not being sent when "Non-443 SSL Servers" alarm is triggered.
96914 Fixed an issue where Steelhead still goes into "Critical" state even after disabling "Optimization Service" alarm. md_rbt_intercept.
96691 Fixed an issue where email notifications would not be sent out for certain secure vault alarms when triggered.
96743 Fixed an optimization service crash when the Extended Peer Table (EPT) feature was enabled and peer Steelheads or Steelhead Mobiles were disconnected from a Steelhead. this change is irreversible for security reasons.
97015 Enhanced Optimization Service Status alarm notification emails to indicate the triggering reasons. The fix limits SMB2Signed Delegation Mode to a maximum of three failed attempts before blacklisting and passing through the connection. " error message to appear." This change now includes this request among operations that will not invalidate cached metadata. but was formerly not identified as "safe.
97198 Fixed an issue where the RAID alarm would trigger.
97209 When a disk partition is full and an alarm is raised. so they invalidated it.
97136 Fixed an issue where certain factory installed licenses were removed when executing the "reset factory" CLI command.
97323 Fixed an issue where Delegation Mode times out SMB2-Signed connections when constraint delegation fails to authenticate with the server. When Steelheads encounter such requests it is not safe to rely on cached metadata.
97839 Fixed an issue that could cause sport main thread to become unhealthy and result in stack dump and message like the following in the log: "sport[26148]: [eventthread/watch/mgmt_debug/8. and this bug does not prevent the user from disabling or enabling SRDF. a user will not receive email or SNMP trap notification.
97793 Fixed an issue that caused speed and duplex changes to fail on the 2 Port 100BASE-FX/1000BASE-LX Fiber Network Bypass Card 410-00107. and also delete the contents of the "SRDF Ports" field.
97098 Generate ICMP packet-too-big error messages when trying to pass through IPv6 packets that are larger than the MTU of the in-path interface. This error message shows up when it is not needed. This problem also occurred with the "FCIP Ports" field on the FCIP page.
97512 Fixed a memory leak in the QoS configuration management code
97676 Some ioctl requests may affect the content of a file's meta data.
97740 Fixed a problem where defining bandwidth policy in Basic QoS mode an error 1003 is displayed if dscp_out parameter is not specified.
97295 Fixed an issue that an RBM user with "Reports" role was unable to execute the command "show packet-mode ip-channels".{. The FSCTL_READ_FILE_USN_DATA does not have such a result.
97199 Fixed an issue that caused RSP errors when making a backup of a powered off HA cloned VM. but no email or SNMP trap would be generated.WARN] .-} watcher: EventThread(main)[LWP 26148] 0x24fb800 is not healthy".
97414 Disabling SRDF on the Configure > SRDF page by unchecking "Enable SRDF" and clicking on Apply would cause a "No ports provided.
98940 Fixed an issue where ethtool reported speed & duplex on FX/LX NIC 41000107 even when the interface was down. which was affected by a recent change to the interaction between SSH and PAM library.x. It now reports unknown/unknown.
99037 Fixed a problem where servers are blacklisted from receiving optimization for encrypted Lotus Notes traffic when a user's internet certificates have been updated.
98335 Restored the public key authentication method for SSH.
98574 There are certain IOCTL operations that may modify the contents of a file on a server. When a Steelhead encounters such an operation it will now invalidate any cached data it may have stored for the affected files. SH200 are no longer supported in RiOS 7.x. This patch ensures that the limit applies to the rules before port label expansion
98181 Fixed an issue where the "ip flow-export" in "show run" output could be out of order and resulting in error messages when pasted back into a Steelhead.
98353 Model numbers SH100.
98884 Fixed an issue where Auto-Delegation updates in Active Directory are not performed if all the Domain Controllers specified during the domain join operation are configured via their IP address instead of their hostname.0.
Problems Fixed In Version 7.0
64967 Fixed an issue where an empty routing table could cause error messages to appear in the logs at appliance startup.0.
99795 Fixed the issue which resulted in a memory leak if an SMB Echo request was received with a multiple echo count.
99345 Fixed an issue where the memory usage by mgmtd process would continually increase when viewing SRDF reports.
99261 Fix a race in flush pages and making the pages dirty.
98253 Fixed a memory leak which occurred when attempting to install a license which was already installed on the appliance. SH50. The problem only occurred when the connection had been idle for 30 seconds or longer and an SMB Echo request with multiple echo response count was issued by the client.
98061 Fixed an issue that causes an optimization service failure on the server-side Steelhead in an optimized SMB2 connection when multiple simultaneous closes for a handle are sent when there are in progress operations that need to complete before the close.
98116 If the port labels are used in any of the QoS classification rules. they may potentially expand the rule count beyond the limit allowed on the appliance.
99669 Restore fragmentation of the egress pass-through traffic in RSP mode.
91096 Fixed an issue where a Server Side Steelhead in a connection forwarding setup continues to optimize the connection on a duplicate probe from the client side Steelhead even if the connection forwarding neighbor fails to respond to the owner.
90312 Adding information on why an RSP HA transfer might Fail. the "max-data" option is not displayed in the command line help when user types 'show qos classification' command.
This occurred when the Steelhead was using simplified routing and vlan-conn-based was enabled. For the same reason. The command would also cause bail messages to appear in the log. This message is printed when a GRE packet is dropped due to the Time-To-Live field in the IP header reaching zero after it is decremented. the optimization service may fail.
75430 Fixed an issue where the Steelhead was using an incorrect vlan id for outgoing packets of optimized connections. 'show qos classification max-data' command should be hidden as well.
66436 Fixed an issue where the "show ip route static" CLI command would fail to show configured ip routing. With this fix.
74618 If encrypted MAPI optimization is enabled and invalid MAPI data is received on the configured MAPI port (7830).
79396 'qos classification max-data' is a hidden command to allow adjustment to the "max-data" setting. This helps in detecting a possible loop in the network. This includes sending emails when a scheduled transfer fails for RiOS 7. order:5. This would result in log messages of the form: "Unexpected exit of process winbind" and "Waiting 3600 seconds before relaunching winbind"
72899 Fixed an issue where IPv6 address ::1/128 conflicts during RiOS boot. mode:0xd0".
80001 Fixed an issue that executing "restart" command multiple times quickly can cause the CLI session to hang. This was because the Steelhead was using an incorrect simplified routing table entry for a given connection.5 and adding notice that a transfer failed in the system logs.0 and 6.
81252 Added an incident counter and a WARN log message which reads "Dropping gre packet possibly due to a loop".
91004 Demoted "Short or invalid MAPI DoConnectEx response" log message to INFO level. The issue is only seen when there is a packet ricochet with a corresponding vlan change on the ricocheted packet.
66674 Fixed an issue where issuing any CLI command with the prefix "domain settings" on a Steelhead that was not joined to a Windows domain would result in an exit loop of the winbind process.
76622 For tcpdump command -s0 for unlimited snaplength is converted to snaplength of maximum MTU in order to reduce the chance of seeing memory pressure resulting in kernel messages like "tcpdump: page allocation failure. More specifically.
92748 Maximum rules per site and maximum rules per Steelhead Appliance correspond to the number of rules configured by the user. Steelhead will complain if the number of rules per site and per Steelhead Appliance after portlabel translation. The client-side Steelhead CFE sent the inner packets to the second router with a MAC address of the first router resulting in packet drop.
93327 The command 'show running-config' improperly showed RSP stats bindings as part of its output.
92015 Fixed an issue in the QoS code that caused the Steelhead to incorrectly print the error message which said "navl_conn_init failed:". This change removes them. goes beyond the safeguard limit. If the user uses portlabels. the Steelhead appliance would aggregate response chunks to reduce the number of packets transmitted on the WAN but this behavior can hinder some applications from dynamically generating subsequent chunks.
92517 Improved the performance of opening up AutoCad files from AutoCad when using an optimized SMB2 connection by allowing handles to be kept idle at the client-side Steelhead under a wider range of conditions. The Steelhead was configured to get packets using a Multi-In path WCCP setup. This will be seen in environments where there is packet ricochet from one in-path interface to another.
93189 Fixed a problem that could cause Outlook to become unresponsive in some rare circumstances when forwarding messages.
91744 Added MAPI encryption support for Office 365.
91509 Fixed a problem that could cause Outlook to become unresponsive during authentication if communication with a Domain Controller fails on the server side steelhead while using delegation mode for encrypted MAPI. but the inner SYN from client-side Steelhead was wrongly sent on the second in-path and resulted in a failure to establish a connection between two Steelheads and a pass-through connection. 91124 Fixed an issue where HTTP connections may not operate correctly. The packets that flowed in the forward direction (client => server) reached the Steelhead on a different in-path interface from the packets that flowed in the reverse direction (server => client). The problem occurred when the outer SYN from client arrives on one in-path. 91347 Fixed an issue where a scheduled tcpdump job including the primary interface would fail to execute. if the web server employs chunked transfer-encoding. 93793 Fixed a problem where connections were not optimized under the following conditions: Full or Port Transparency were enabled. The client makes requests for a filename where a stream name immediately follows a directory separator. -} blocked 1081100528 times on syslogd" with incorrect counter 1081100528. Reenabling this workaround resists the CVE-2011-3389 "BEAST" attack. Once the clock is reset on the steelhead. but NetApp allows the open as though the directory separator isn't there. Windows rejects this as an invalid filename. The fix allows blacklisting of the SMB-Signed connection when the Steelhead detects that the domain has NTLM disabled and SMB-Signed is configured to use Delegation Mode. which has been accounted for by adjusting the name on a successful open. the service continues to compensate for the skew that leads to skew errors when getting the delegated tickets. 94026 Fixed an issue which caused CIFS prefetch to use default instead of negotiated value. 
When default value is higher than value set at CSH(client side steelhead). 94090 Fixed an issue where SMB-Signed connections are continuously dropped when using Delegation Mode against a domain which has NTLM disabled.6e disabled it by default because some broken SSL/TLS implementations did not work properly with it. OpenSSL 0. 94479 This solution ensures HTTP optimization is only triggered when enabled on both the client and server Steelheads. All users are advised to check for security updates for the web browsers as well. 94513 Fixed the memory leak by destroying unused objects.0 CBC vulnerability workaround for this same problem (then thought to be impractical to exploit).0 / TLS 1.NOTICE] . 94280 Limited default SSL ciphers used by web server to resist CVE-2011-3389 "BEAST" attack. Disabled default OpenSSL flag SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS for CVE-2011-3389.{. The issue manifests itself as the following log message "[asynclogger. But OpenSSL 0. 94218 Added ability to disable "Proxy File Service" alarm with the "no stats alarm pfs_operation enable" command. 94452 Fixed the counter in log messages that dump number of blocked log messages. it would result in excessive CIFS prefetch.9. The first time that the clocks on the steelhead and the DC differ by more than 5 minutes the optimization service calculates the difference and attempts to compensate for the skew.6d added an SSL 3. 94531 Fixed a crash in the optimization service when an SMB2 client tries to open up an invalid filename for a stream.9. 94242 Fixed an issue where getting the delegated tickets fails in smb-signing and encrypted MAPI optimization with clock skew errors. 94767 Fixed an issue that caused lan-addrs to be always on in commands "ip flowexport destination * * lan-addrs *" as part of "show run" output.  93995 Fixed a bug where class selections on the QoS Report pages were not always retained after a page refresh. we would allow the open to succeed." 
sometimes appear in the log. 94836 Enhancement to allow administrators to modify the list of domain controllers used by the Steelhead for Active Directory related communication via the CLI. If the file inherited access control entries on creation from its parent that would prevent a subsequent open using the same access mask. The link is now up. If the client then re-opened the file within the idle handle timeout." would be printed. 95668 A fix to the "show connections" cmd so that it is usable by an rbm user with just the "reports" role. 95737 Resolved rare problem where. If the user tried to tab complete on either prefix an error message of the form "[cli. messages of the form "Sending event for state change of interface `v^M\230*. Rebooting Steelhead does not clear the alarm. 95489 Fixed an issue that would allow an optimized SMB2 client to reopen a newly created file it recently closed. 95195 Fixed an issue where in the rare case of secure vault creation failure upon system boot up. when VMs are configured in RSP Dataflow. 95868 Fixed two issues on the RSP Data Flow page: the '# Rules' column did not always appear and the value in the column was wrong for virtual in-path VNIs with DNAT rules. the Steelhead appliance will have the 'Secure Vault Not Initialized' alarm triggered and in critical state. The service will now attempt to discover other DCs and will failover to another DC if one is available.ERR]: user admin: keyword 'ipc' is missing v1 capabilities. Add capab_required keyword parameter to the Command. which reference invalid interface names. we would keep the handle open so long as all other idle handle criteria were met. 95765 CIFS and CIFS-Signed traffic is now properly categorized in the statistical reports. 95627 Fixed an issue where smb-signing and encrypted MAPI optimization is disabled when the netlogon service on the DC that the optimization service is talking to is paused or stopped. 
95851 Fixed a service failure when VLAN tagging and simplified routing is enabled and a connection's source and destination IP and port numbers are reused within a short time period. certain unexpected failures of MgmtD sometimes left all traffic blocked until the device is restarted. 94900 Fixed a problem that could result in a failure to connect with encrypted MAPI when Steelhead communication with a Domain Controller fails with an NT_STATUS_PIPE_DISCONNECTED or NT_STATUS_BUFFER_TOO_SMALL error. 95798 When using RSP slots at log level "info". These messages have been removed. 95111 Fixed issue that would result in error log messages when the user tried to tab complete "protocol smb2" or "no protocol smb2" in the cli. Currently. the in-path rule has IPv6 subnet while IPv6 support is not enabled on the Steelhead.       5) KNOWN ISSUES  83059 Upgrading to 7. The in-path rule is only partially effective. 96070 Fixed an issue that would corrupt the segstore segment containing the SMB negotiate request at the server-side steelhead when an SMB2 client that is blacklisted for optimization would negotiate protocols with the server. For instance. hence subsequent authentication will use the cached service tickets with stale privileges. Delegation Mode caches all Kerberos service tickets. By default. For example. 96830 Disabled and IPv4 only in-path rules are indistinguishable from the show output. consider the following cases:     The in-path rule is disabled. 96659 Fixed an issue which prevented the Steelhead from joining a domain if the Steelhead is not able to get Kerberos tickets. 96926 Fixed an issue that caused enabling datastore sync not to prompt for a service restart. Web GUI has such information.  96049 Fixed an issue that caused "Domain Join Error" alarm. to not generate email notifications. The in-path rule is not applicable. Workaround: Reapply software version mismatch alarm configurations after upgrade. 
96198 Fixed a small memory leak when configuring NTP servers. For the last two cases. an in-path rule has "all-ip" as source/destination network while IPv6 support is not enabled on the Steelhead. The fix is to show the option in command line help when user types "'qos classification class modify classname <class-name>" command.0. 96201 Fixed a small memory leak when taking tcpdumps from web UI or with "tcpdump-x" CLI command. 96371 'upper-limit-pct' option was incorrectly set to hidden. To determine the exact status of an in-path rule denoted with an asterisk. when triggered or cleared. The fix allows the user to either disable ticket caching or reset the ticket cache. 0 does not preserve any user configured settings for the software version mismatch alarm. Domain join operation will fall back to NTLM authentication if using Kerberos authentication fails. please check whether IPv6 is enabled or not. 96643 Fixed an issue where permission changes for a credential might not take effect immediately in Delegation Mode. 3 (for features found in RiOS 6. Log in to the Management Console using the Administrator account (admin). unplug. After reboot. you are reminded to reboot the appliance in order to switch to the new version of the software. From URL. After the upload is complete. 2. uploading the image will take a few minutes. From Local File. WARNING: The system must be properly grounded (earthed) to reduce the risk of electrical shock. Click Install Upgrade.0. For detailed information about upgrading and downgrading. Navigate to the Setup: Software Upgrade page and choose one of the following options: 3. The software image is quite large. 8) HARDWARE AND SOFTWARE REQUIREMENTS Steelhead Appliance The appliance is designed to be installed in a 19 inch (483 mm) two-post or four-post rack. Do not press Ctrl-C. the Green/Yellow tab on the power cord must be grounded 
Type the URL that points to the software image in the text box 4.6) UPGRADING RIOS SOFTWARE What upgrades are allowed? You can upgrade this version of RiOS to another version that is both higher in version number and chronologically newer. On European systems. 7) MANAGING RIOS 7. Browse your file system and select the software image 5.5.0.0. There is no indication displayed during system boot that the recovery flash device is being configured.x) and CMC version 7.0. 1. Steps to upgrade RiOS Software Download the software image from the Software tab of the support site to a location such as your desktop.5 WITH A RIVERBED CMC RiOS version 7. the software version is displayed on the Home page of the Management Console. or otherwise shut down the system during this first boot.5 can be managed by Riverbed Central Management Console (CMC) version 6.5. see the article RiOS Upgrade and Downgrade Rules. dial +1 415 247 7381. ©2012 Riverbed Technology. Outside the U.x through 3. Free ssh clients include PuTTY for Windows computers. 8 bits. OpenSSH for many Unix and Unix-like operating systems. Steelhead Command-Line Interface  An ASCII terminal or emulator that can connect to the serial console (9600 baud. Phone Riverbed provides phone support at 1-888-RVBD-TAC (1-888-782-3822). The trademarks and logos displayed herein may not be used without the prior written consent of Riverbed Technology or their respective owners.  9) CONTACTING RIVERBED SUPPORT Visit the Riverbed Support site to download software updates and documentation. no parity.x and Microsoft Internet Explorer versions 6. 1 stop bit. A member of the support team will reply as quickly as possible. Steelhead Management Console   Any computer that supports a Web browser with a color image display. and no flow control) or A computer with a Secure Shell (ssh) client that is connected by an IP network to the Steelhead appliance Primary interface. 7 and 8. choose one of the options below.6.S. or Cygwin. 
All rights reserved. Online You can also submit a support case online Email Send email to support@riverbed. To open a support case.0. browse our library of Knowledge Base articles and manage your account. All other trademarks used herein belong to their respective owners. Riverbed and any Riverbed product or service name or logo used herein are trademarks of Riverbed Technology.com.(earthed). The Management Console has been tested with Mozilla Firefox versions 1. : Javascript and cookies must be enabled in your Web browser.