AlteonOS
Release Notes
Version 31.0.0.0 Rev. 1
February 21, 2017
Alteon 31.0.0.0 Release Notes Rev. 1, February 21, 2017 Page 2
TABLE OF CONTENTS
CONTENT (page 4)
RELEASE SUMMARY (page 4)
SUPPORTED PLATFORMS AND MODULES (page 4)
UPGRADE PATH (page 4)
BEFORE UPGRADE - IMPORTANT! (page 4)
GENERAL CONSIDERATIONS (page 5)
DOWNGRADE (page 5)
WHAT’S NEW (page 5)
  Alteon 8820 – High Performance ADC (page 5)
  Alteon 6024 VX Platform Enhancements (page 6)
  Redundant Out-of-path Management Port (page 6)
  Performance (page 6)
  Authentication Gateway – SAML 2.0 Service Provider Support (page 8)
  SSL Inspection Capabilities (page 9)
  Intermediate SSL Certificate for HTTPS Management Access (page 10)
  LinkProof Enhancements (page 11)
  Alteon VA/NFV/Cloud (page 12)
  IPsec Support for Virtual Service IP (page 13)
  HTTP/S Health Check Enhancements (page 13)
  High Availability Tracking for Selected Real Servers (page 14)
  Alteon to Expand Support of BGP Prepend for VIPs (page 14)
  Selectively Stop BGP Advertisements (page 14)
  Equal Cost Multipath Routing in OSPF (page 15)
  Geolocation-based Load Balancing (page 15)
  GSLB Enhancements (page 16)
  Dynamic IP Reputation (page 16)
  AppShape++ Enhancements (page 17)
  HTTP/2 Full Proxy (H2 server side) – Beta (page 18)
  Troubleshooting and Debugging (page 18)
WHAT’S CHANGED AND/OR MODIFIED (page 23)
EXTRACTING CLIENT CERTIFICATE SAN EXTENSION (page 23)
OPENSSL UPGRADE TO 1.0.1U (page 23)
DEFAULT CIPHER CHANGES (page 23)
SYSLOGS FOR LACP LINK UP AND DOWN (page 23)
5224 VADCS LIMIT (page 23)
LONG OBJECT ID SUPPORT (page 23)
GSLB − PREVENT NEGATIVE DNS RESPONSE CACHING (page 24)
SUPPORT FOR RFC6223 AND/OR RFC5626 (page 24)
TROUBLESHOOTING AND DEBUGGING (page 25)
  Technical Support Data (tsdmp) Formatting (page 25)
  Configuration Adaptation on Upload (page 25)
  Command Line History Improvement (page 25)
MAINTENANCE FIXES (page 26)
FIXED IN 31.0.0.0 (page 26)
KNOWN LIMITATIONS (page 26)
  Upgrade Limitations (page 26)
  vADC and ADC-VX Limitations (page 27)
  Alteon VA Limitations (page 28)
  WBM Limitations (page 31)
  Static NAT Limitations (page 35)
  General Limitations (page 35)
  FastView Limitations (page 45)
  AppWall Limitations (page 45)
  Alteon Management via APSolute Vision Limitations (page 46)
RELATED DOCUMENTATION (page 48)
Content
Radware announces the release of AlteonOS version 31.0.0.0. These release notes describe
new and changed features introduced in this version on top of version 30.5.0.0.
Release Summary
Release Date: February 15, 2017
Objective: Major software release introducing new capabilities and offerings
Supported Platforms and Modules
This version is supported by the following platforms:
5224, 5224XL
5208, 5208 XL, 5208 Extreme
6024, 6024 XL, 6024 Extreme
6420, 6420 XL, 6420 Extreme
6420p, 6420p XL, 6420p Extreme
8420, 8420 XL, 8420 Extreme
8820, 8820 XL, 8820 Extreme
Alteon VA running on VMware ESX 5.0, 5.1, 5.5, 6.0, KVM, Hyper-V and OpenXen
Alteon VA on AWS
Alteon VA on Azure
For more information on platform specifications, refer to the Alteon Installation and Maintenance
Guide.
Alteon 31.0.0.0 is supported by APSolute Vision version 3.70 and later.
Upgrade Path
You can upgrade to this AlteonOS from AlteonOS versions 28.x, 29.x and 30.x.
General upgrade instructions are found in the Alteon Installation and Maintenance Guide.
Before Upgrade - Important!
1. Before performing an upgrade, back up your current configuration.
2. To ensure a successful upgrade, run the Upgrade Advisor Tool with your current
configuration and the target version. Then, perform the required actions as instructed in the
report output. The Upgrade Advisor Tool includes all the limitation and upgrade
considerations specifically relevant to the source configuration, version, device details and
target version. Make sure to update the Upgrade Advisor Tool DB before performing the
analysis. The Upgrade Advisor Tool is available on the Customer Portal.
3. Read the Upgrade Limitations in these Release Notes for new upgrade limitations related to
this version.
General Considerations
Hypervisors (ADC-VX) running a certain version (for example, 31.0) only support vADCs
that run the same version or later.
Downgrade
Configuration rollback (downgrade) is not supported. The configuration should be saved before
upgrading to a newer version. If you perform version rollback, after the downgrade upload the
saved configuration.
What’s New
This section describes the new features and components introduced in this version on top of
Alteon version 30.5.1.0.
For more details on all features described here, see the Alteon Application Guide and the Alteon
Command Reference for AlteonOS version 31.0.0.0.
Alteon 8820 – High Performance ADC
Alteon Application Switch 8820 is the next-generation, carrier-grade application delivery
controller (ADC), providing superior performance coupled with advanced capabilities such as
ADC Virtualization, integrated application acceleration and on-demand scalability needed to
effectively meet mobile carrier and large enterprise data center and network needs.
Alteon 8820 Platform Highlights
High performance application delivery appliance covering the high-end throughput range:
120 Gbps, 160 Gbps, and up to 200 Gbps throughput capacity
Supports ADC-VX with up to:
60 vADCs with 64 GB RAM
100 vADCs with 256 GB RAM
High-End connectivity capabilities:
Four (4) 100 GbE QSFP28
Four (4) 40 GbE QSFP+
Twenty (20) 10 GbE SFP+
Hot-swappable dual AC/DC power supply
High performance SSL acceleration, compression, and caching
Front-to-back fans suitable for new data center designs
Alteon 6024 VX Platform Enhancements
The Alteon 6024 VX platform includes the following enhancements as part of version 31.0:
Maximum number of supported vADCs – This was increased from 20 to 32.
Elastic Core Allocation on the Alteon 6024 Platform – Alteon 6024 supports the elastic
core allocation configuration (previously named "advanced core allocation”). There is no
option to disable the elastic core allocation on this platform. The system default mode is
performance mode, supporting up to 20 vADCs.
Redundant Out-of-path Management Port
In this version there are now two redundant management ports providing out-of-band highly
reliable management interfaces with enhanced security.
NFR ID: prod00237950
Performance
Improved SSL Price–Performance
Alteon 31.0 introduces a significant increase in SSL performance (up to 300% increase for CPS
and up to 400% for throughput) for software-based SSL processing (VA and non-XL
appliances). This was achieved by optimizing the SSL code to the Intel processors, including
using Intel’s special AES commands.
In addition, a significant increase in SSL throughput (up to 40% depending on the platform) was
achieved also on SSL hardware-accelerated platforms by introducing capabilities such as TCP
Segmentation Offload and hardware-based core selection at Layer 4.
Hardware-based Core Selection
Prior to version 31.0, traffic that arrives at Alteon is distributed by the NICs between the CPU
cores by performing hash on Layer 3 data only (source and destination IP addresses).
Alteon 31.0 introduces the ability to configure NICs to perform hash based on Layer 4 data (4-
tuple source and destination IP addresses and ports). This allows for:
Improved core distribution on standalone appliances and Alteon VA form factors
Improved full proxy throughput (force proxy mode)
Important! On standalone appliances and VA form factors, when any SSL
encryption/decryption is performed (SSL offload, SSL Inspection), if SSL reuse is required, the
hardware hash must be set to Layer 3.
The hardware hash level can only be accessed via CLI using the following commands:
/cfg/slb/adv/hwhash on standalone and Alteon VA platforms
/cfg/sys/hwhash in ADC-VX environments
After upgrade, the hardware hash parameter is set to Layer 3 for backward compatibility. For
new 31.0 installations, this parameter is set to Layer 4 by default for standalone and Alteon VA
form factors and to Layer 3 for ADC-VX.
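The trade-off in the Important note above (better spread with a Layer 4 hash, but SSL session reuse needs a Layer 3 hash) is easy to see in a simulation. The following is an added example, not Alteon code: it uses a SHA-256 stand-in for the NIC hash, a constructed set of client flows and a hypothetical 8-core box, and counts which core each flow lands on under each hash level. The point it makes is that a Layer 3 hash pins every connection from one client to one core (so a per-core session cache will find the earlier session), while a Layer 4 hash scatters that client's reconnects, each with a fresh source port, across cores.

```python
import hashlib
import struct
from collections import Counter

NUM_CORES = 8  # constructed: number of CPU cores fed by NIC queues


def _rss_core(key: bytes, cores: int = NUM_CORES) -> int:
    """Stand-in for the NIC's receive-side hash (hypothetical, not Alteon's)."""
    digest = hashlib.sha256(key).digest()
    return struct.unpack(">I", digest[:4])[0] % cores


def core_layer3(src_ip: str, dst_ip: str) -> int:
    """Layer 3 hashing: only the source/destination IP pair is considered."""
    return _rss_core(f"{src_ip}|{dst_ip}".encode())


def core_layer4(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> int:
    """Layer 4 hashing: the full 4-tuple is considered."""
    return _rss_core(f"{src_ip}:{src_port}|{dst_ip}:{dst_port}".encode())


def distribute(flows, level: str) -> Counter:
    """Return how many flows land on each core for the given hash level."""
    load = Counter()
    for src_ip, dst_ip, src_port, dst_port in flows:
        if level == "l3":
            load[core_layer3(src_ip, dst_ip)] += 1
        elif level == "l4":
            load[core_layer4(src_ip, dst_ip, src_port, dst_port)] += 1
        else:
            raise ValueError("hash level must be 'l3' or 'l4'")
    return load


def cores_for_client(client_ip: str, vip: str, ports, level: str) -> set:
    """Cores that one client's successive connections (new source ports) hit.

    SSL session reuse against a per-core session cache only works if this
    set has a single member, i.e. the client always reaches the same core.
    """
    flows = [(client_ip, vip, p, 443) for p in ports]
    return set(distribute(flows, level).keys())


# Constructed sample traffic: four clients, 50 connections each to one VIP.
VIP = "203.0.113.10"
CLIENTS = ["198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4"]
SAMPLE_FLOWS = [(c, VIP, 40000 + i, 443) for c in CLIENTS for i in range(50)]


def summary() -> dict:
    """Compare both hash levels on the sample traffic."""
    ports = range(40000, 40050)
    return {
        "l3_cores_used": len(distribute(SAMPLE_FLOWS, "l3")),
        "l4_cores_used": len(distribute(SAMPLE_FLOWS, "l4")),
        "l3_reuse_same_core": len(cores_for_client(CLIENTS[0], VIP, ports, "l3")) == 1,
        "l4_reuse_same_core": len(cores_for_client(CLIENTS[0], VIP, ports, "l4")) == 1,
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

With only four client addresses, the Layer 3 hash can never use more than four cores, whatever the number of connections; the Layer 4 hash spreads the same 200 flows over all eight, which is the throughput gain the section describes, at the cost of the reuse property the Important note warns about.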
vADC Core Selection
The basic core allocation for vADC is performed at the hypervisor level (TD). Prior to version
31.0, the core selection was based on the source IP hash. The /cfg/slb/adv/spl4hash
parameter lets you select the core based on Layer 4 data (source IP address and source and
destination ports) and achieve better core distribution.
TCP Segmentation Offload
TCP segmentation offload (TSO) reduces the CPU overhead of TCP/IP on fast networks by
relying on the network interface controller (NIC) to segment the data and then add the TCP, IP
and data link layer protocol headers to each segment. This frees CPU resources for higher data
level processing and can improve full proxy throughput.
This parameter can be configured from the Application Delivery > Virtual Services > Settings
pane, or with the following CLI command: /cfg/slb/adv/tso.
Note: When performing service chaining, whether for SSL Inspection or not, if chain hop bypass
is required when the hop server group is down (Continue in Flow Fallback Action), the TSO
must be disabled.
Westwood TCP Optimization Protocol Support
The Westwood TCP optimization protocol is a sender-side-only modification to the New Reno
TCP optimization protocol that is intended to better handle large bandwidth-delay product paths
(large pipes) with potential packet loss due to transmission or other errors (leaky pipes), and
with dynamic load (dynamic pipes).
The Westwood protocol can now be selected as the Congestion Control Mechanism in a TCP
optimization policy.
Authentication Gateway – SAML 2.0 Service Provider Support
SAML SSO works by transferring the user’s identity from one place (the identity provider) to
another (the service provider). This is done through an exchange of digitally signed
XML documents. In this version, the Alteon Authentication Gateway introduces new support for
SAML 2.0 SP functionality. It can integrate with external SAML 2.0 Identity Providers (IdP) for
the purpose of Single Sign-on (SSO) implementation across the organization. The
Authentication Gateway functions in such a setup as the SAML Service Provider (SP), offering
authorization and access control services to the back-end applications along with its currently
available back-end authentication schemes, such as Form Based Authentication, NTLM, and
Kerberos Constrained Delegation (KCD).
One example of such integration with SAML IdP is Microsoft ADFS 3.0. ADFS provides
simplified and secured identity federation and Web Single Sign-on capabilities for end-users
who want to access applications within an ADFS-secured enterprise, or in the Cloud. The Alteon
Authentication Gateway can integrate with ADFS, which can be configured as a SAML IdP. In
such a setup, Alteon can offer comprehensive Application Delivery and security services for the
Microsoft application environment. Not only does it provide a replacement to TMG/UAG
functionality in such an environment, but it also provides significant enhancements to
functionality currently provided by TMG/UAG. SAML SSO provides better protection, significant
performance optimization, and scalability to Web-based applications. Next generation services,
built into the Alteon ADC, add advanced load balancing and health checks with Layer 7
awareness, content and URL filtering, content rewrites, user programmable policies and traffic
steering logic, a Web Application Firewall, network access control, an authentication gateway,
single sign-on, Web access management, and hardware-based SSL termination.
Alteon has also been tested and certified for Microsoft SharePoint based on its integration with
ADFS. A detailed Technical Integration Guide (TIG) for integrating the Alteon Authentication
Gateway with ADFS and SharePoint with back-end KCD authentication is available.
SSL Inspection Capabilities
Host-based Inspection Bypass
Alteon now supports host-based SSL Inspection bypass when installed as a transparent proxy.
This is achieved by retrieving the destination host from the SNI extension in the Client SSL
Hello.
Traffic can be bypassed based on the host category (URL Filtering) or list of specific hosts (or
the new SSL Content Class type).
Note: The SSL Content Class is supported only in SSL Inspection filters.
Reminder: Alteon already supports host-based SSL Inspection bypass when installed as
explicit proxy (starting with version 30.5).
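The bypass decision described above depends on reading the server name out of the SNI extension before any decryption takes place, since the ClientHello is the only cleartext the transparent proxy sees. The following is an added example, not Alteon code: a minimal ClientHello builder (used only to construct test input), an SNI extractor that walks the TLS record, handshake header, session ID, cipher suites, compression methods and extension list, and a hypothetical bypass policy (`BYPASS_HOSTS`, a constructed list with exact names and `*.` suffix patterns) that returns `bypass` or `inspect`. A ClientHello without SNI is sent to inspection, because there is nothing to match on.

```python
import struct
from typing import Optional

# Constructed bypass list: exact hosts and "*." suffix patterns. The decision
# for a hit is "bypass" (no decryption); everything else goes to inspection.
BYPASS_HOSTS = ["login.bank.example", "*.health.example"]


def build_client_hello(host: Optional[str]) -> bytes:
    """Construct a TLS 1.2-style ClientHello record, optionally carrying SNI."""
    cipher_suites = b"\x13\x01\x13\x02"       # two TLS 1.3 suites, arbitrary
    extensions = b""
    if host is not None:
        name = host.encode("idna")
        entry = b"\x00" + struct.pack(">H", len(name)) + name   # host_name type 0
        sni_list = struct.pack(">H", len(entry)) + entry
        extensions += struct.pack(">HH", 0x0000, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x11" * 32                      # version, random
            + b"\x00"                                       # empty session ID
            + struct.pack(">H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00"                                   # compression: null
            + struct.pack(">H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def _need(buf: bytes, pos: int, n: int) -> None:
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name from a ClientHello record, or None if absent."""
    _need(record, 0, 5)
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    _need(hs, 0, 4)
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    _need(hs, 4, hs_len)
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                   # skip version and random
    _need(body, pos, 1)
    pos += 1 + body[pos]                           # session ID
    _need(body, pos, 2)
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]   # cipher suites
    _need(body, pos, 1)
    pos += 1 + body[pos]                           # compression methods
    if pos + 2 > len(body):
        return None                                # no extensions block at all
    ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    _need(body, pos, ext_len)
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", body[pos:pos + 4])
        pos += 4
        _need(body, pos, elen)
        edata = body[pos:pos + elen]
        pos += elen
        if etype != 0x0000:
            continue
        _need(edata, 0, 2)
        list_end = 2 + struct.unpack(">H", edata[:2])[0]
        q = 2
        while q + 3 <= list_end:
            name_type = edata[q]
            name_len = struct.unpack(">H", edata[q + 1:q + 3])[0]
            q += 3
            _need(edata, q, name_len)
            if name_type == 0:
                return edata[q:q + name_len].decode("idna")
            q += name_len
    return None


def inspection_decision(record: bytes, bypass_hosts=BYPASS_HOSTS) -> str:
    """Decide whether the session is bypassed or handed to SSL Inspection."""
    host = extract_sni(record)
    if host is None:
        return "inspect"
    host = host.lower().rstrip(".")
    for pattern in bypass_hosts:
        pattern = pattern.lower()
        if pattern.startswith("*.") and host.endswith(pattern[1:]):
            return "bypass"
        if host == pattern:
            return "bypass"
    return "inspect"
```

The `*.health.example` pattern matches subdomains only, not the bare `health.example`; list both forms if both should be exempt. Every length field is bounds-checked before use, so a truncated or malformed hello raises instead of being silently treated as "no SNI".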
IDS Servers Support
This version removes the previous limitation that required a special workaround to support an
IDS server group as the first or only hop in the inspection chain. In addition, multiple IDS groups
can now be included in the security inspection chain (both SSL and clear traffic inspection).
To enable this advanced IDS support:
1. Enable the new IDS Chain flag in the IDS server group.
2. Use a redirect filter to send traffic (copy) to the IDS group (the IDS group is configured as
filter Primary Group ID and not as IDS Group ID).
Notes:
If the capability required is to copy the same traffic to all IDS servers (flood), use the legacy
IDS configuration (IDS Chain disabled, with an Allow filter with IDS Group ID configured).
This advanced capability cannot be used on Alteon VA when DPDK fast packet processing
is used (DPDK is used when more than 3 GB of RAM is allocated to the Alteon VA).
Do not mix advanced IDS support with legacy IDS support on the same flow/chain.
Server SSL Certificate Authentication
This version enhances the server authentication capability beyond checking the certificate chain
of trust. This is relevant mainly for outbound SSL traffic (SSL Inspection).
The new capabilities include:
Revocation status check via OCSP
Ability to specify whether to ignore certificate validity issues (expired certificate, untrusted
certificate or host mismatch) or reject a session when such an issue occurs.
For this purpose, the Client Authentication Policy object was promoted to an Authentication
Policy object that can be of type Client (default) or Server.
The Authentication Policy of type Server lets you define the following parameters:
Trusted CA certificate/group and CA chain lookup depth
Note: The Trusted CA certificate/group was moved to the Server Authentication Policy pane
from the SSL Policy Backend pane. After upgrade, if such a parameter is configured in the
SSL policy, a server Authentication Policy is automatically generated including the Trusted
CA.
Certificate validation method
Validity issues handling
Chain Hop Bypass
In a service chaining environment, it is often required to continue the flow of traffic in cases
where one hop in the chain is unavailable, by bypassing the unavailable hop and forwarding the
traffic to the next hop.
This capability is now improved with the addition of a new redirect filter Fallback Action value,
Continue in Flow. When this value is selected, if the server group bound to the filter is down,
traffic matching this filter is forwarded to the next hop in the flow. To bypass this hop and
continue the flow, specify the physical port through which traffic from this hop (server group)
was expected to ingress Alteon with the Flow Continuation Ingress Port parameter.
Notes:
To use this fallback action, the TSO (TCP Segmentation Offload) must be disabled on the
device.
This fallback action cannot be used on Alteon VA when DPDK fast packet processing is
used (DPDK is used when more than 3 GB of RAM is allocated to the Alteon VA platform).
Intermediate SSL Certificate for HTTPS Management Access
This feature was first introduced in version 30.5.2.0.
In this version, you can define an intermediate CA certificate/group for Alteon management via
HTTPS. With this support, when accessing Alteon via HTTPS (WBM or REST API), Alteon
sends both its server certificate and the configured intermediate CA chain.
This facilitates the process of verifying the chain of trust (instead of installing the chained CA on
the client browsers).
The configuration is available in the following paths:
From WBM ─ Configuration perspective > System > Management Access >
Management Protocol > HTTPS
From CLI ─ /cfg/sys/access/https
NFR ID: prod00234972
LinkProof Enhancements
PPTP Support
With the full implementation of the Smart NAT feature, Alteon now fully supports VPN and other
Point-to-Point Tunneling Protocols such as PPTP.
Limitation: Only IPv4 is supported.
NFR ID: Prod00239734
Static NAT for Inbound and Outbound Link Load Balancing
This feature was first introduced in version 30.5.2.0.
The Smart NAT feature provides one centralized pane to configure all required NAT
translations. You can add, edit, and delete entries in one location, which simplifies the process
of NAT translation configuration.
The following types of NAT translations are supported:
Static NAT — Ensures delivery of specific traffic to a particular server on the internal
network. For example, LinkProof uses Static NAT, meaning predefined addresses are
mapped to a single internal host to load balance traffic to the host among multiple
transparent traffic connections. This ensures that the return traffic uses the same path, and
also allows traffic to that single host to use multiple ISPs transparently. You assign multiple
Static Smart NAT addresses to the internal server, typically one for each ISP address range.
Dynamic NAT — Enables LinkProof to hide various network elements located behind
LinkProof. Using this feature, LinkProof replaces the original source IP address and source
port of a packet with the configured NAT IP address and a dynamically allocated port
before forwarding the request to the group. The network elements whose addresses are
translated can be servers or other local hosts. You can set different NAT addresses for
different ranges of intercepted addresses.
For example, traffic from subnet A is translated using IP address 10.1.1.1, and traffic from
subnet B is translated using IP address 10.1.1.3.
No NAT — Enables a simple configuration where internal hosts have IP addresses that
belong to a range of one of the group servers.
Traffic to and from these hosts should not be translated if the traffic is forwarded to this
group server.
NFR ID: prod00240838
For more details on LinkProof capabilities, see the LinkProof NG User Guide or LinkProof for
Alteon NG User Guide, version 31.0.0.0.
Simplified LinkProof Configuration
The LinkProof WAN Link configuration was updated to work with the Smart NAT table. By
default, NAT settings on the WAN links are set to inherit, meaning that Alteon uses the NAT
settings configured in the Smart NAT table. The NAT settings in the WAN link can also be
explicitly configured on the WAN link and override the Smart NAT settings.
LinkProof Inbound Host Based LLB Rules configuration was updated to also support the local
server without the need for virtual server configuration as the NAT addresses. Instead, the
Smart NAT table is used to define the NAT mapping.
Alteon VA/NFV/Cloud
Alteon VA for NFV – 225 Gbps Layer 4
Alteon VA for NFV version 31.0 reaches 225 Gbps Layer 4 throughput (with the KVM
hypervisor).
VMware
Alteon VA on VMware reaches 10 Gbps throughput over VMware and no longer requires
PCI pass-through/SR-IOV to reach this throughput.
Starting with this version, VMware ESXi version 4.1 is no longer supported.
Microsoft Azure Support (which will be available a few weeks after the official release of
version 31.0)
Alteon VA on Azure now supports both High Availability (HA) and Global Server Load Balancing
(GSLB):
Ease of deployment – Similar to LBaaS
In version 31.0, Alteon VA is integrated with the Azure solution template.
This enables you to configure Alteon VA from the Azure portal without accessing either the
Alteon CLI or WBM.
SLB configuration
To configure Alteon VA for Basic SLB, you only need to provide the number of real servers
and their IP addresses, beyond the regular VM deployment parameters. If you choose, you
can also change the SLB metrics.
After the Alteon VA is up, it is ready to load balance your servers, even without accessing
the Alteon VA user interface.
HA configuration
To configure Alteon VA to operate in HA mode, you only need to select the HA deployment
mode and provide your Azure credentials beyond the basic SLB configuration as described
above.
Both HA instances are configured and run in a high availability environment without the
need to enter any of the Alteon VAs.
IPsec Support for Virtual Service IP
Virtual servers now support load balancing of IPsec along with TCP, UDP, and ICMP.
IPsec support has been added to the virtual service IP address (port 1). Now when the protocol
parameter is configured as both in the IP service configuration (/cfg/slb/virt
<xyz>/service 1/protocol both), it also includes IPsec along with TCP, UDP, and ICMP.
Notes:
IPsec negotiation does not work with the Gateway ID type as IP, but only with type FQDN
(DE19232).
Proxy IP (PIP) cannot be used for an IPsec tunnel while NAT-T with IPsec Gateway is
working (DE19111).
In an SLB environment with persistent binding set to Client IP and rport configured, IPsec
traffic is not load balanced (DE19089).
HTTP/S Health Check Enhancements
The following capabilities were added to HTTP/S health checks:
Establish success based on absence of string in the response body.
To enable this capability, the new value Exclude was added to the Return String Type
parameter.
NFR ID: prod00246581
Alteon authentication using client certificate during SSL Handshake (HTTPS health
check).
This feature was first introduced in version 30.5.2.0.
Alteon can now identify itself using a client certificate during HTTPS health checks when
required by the monitored server. To enable this capability, select a certificate from the
certificate repository as the health monitoring client certificate:
From WBM ─ Application Delivery > Server Resources > Health Checks
From CLI ─ cfg/slb/advh/cert
NFR ID: prod00243819
Include SNI extension in the HTTPS health check.
When the Host parameter is configured in the HTTPS health check, an SNI extension with
the configured hostname is automatically included in the Client SSL Hello.
NFR ID: prod00239194
High Availability Tracking for Selected Real Servers
This NFR enhances the capabilities of tracking real servers for HA purposes. When selecting
this mode, you can either track all the real servers (as was done prior to version 31.0) or
explicitly select the real servers you want to track.
Notes:
Using WBM in Switch HA mode only, when real server tracking is enabled, all the real
servers are considered for tracking.
Use the CLI if you want to configure Alteon to track just a smaller set of the real servers.
Configure the active switch/group on the master Alteon before you configure the backup
Alteon.
If you configure the backup Alteon before the master, a failover occurs. The backup
switch/group takes control because its “priority” is higher (as a result of the new tracked
servers that were added to it).
If one or more of the tracked servers becomes unavailable, an unexpected failover can
occur if the health check sent from the backup switch precedes the health check sent from
the master, and vice versa when the servers become available again.
NFR ID: prod00229797
Alteon to Expand Support of BGP Prepend for VIPs
This NFR provides additional flexibility in defining routes when advertising the VIPs through
BGP on Alteon platforms. The capability to assign a network class to the route map active list
and on top of network filters was added. You can assign either a network class or network filters
(but not both).
NFR ID: prod00245390
Selectively Stop BGP Advertisements
An option to stop the VIP BGP advertisement when all servers are set to operational disable
was added.
NFR ID: prod00238047
Equal Cost Multipath Routing in OSPF
The number of supported routes for Equal Cost Multipath Routing in OSPF was extended from
3 to 4.
NFR ID: prod00247457
Geolocation-based Load Balancing
In this version, Alteon now enables making load balancing decisions based on the geographical
location of the traffic source or destination. For this purpose, Alteon has integrated the MaxMind
GeoLite2 City geolocation database.
To define a geolocation, you must configure a network class of the new type Region. The
Region network class lets you define a location down to the State level (Continent, Country, or
State).
This feature includes the following capabilities:
Select a data center based on the geographical location of the client (GSLB). The selection
is made via the DNS Rule Network metric:
The DNS Network metric now lets you define the network using the legacy range or a
Network Class (either the IP or Region type).
In addition, the selection can be made based on the geographical location of the DNS
client (LDNS) or on the geographical location of the actual client, if its IP address is
present in the DNS request (EDNS0 extension).
Select a link based on the geographical location (LinkProof):
For inbound traffic, the selection is made based on the geographical location of the
client. The selection is made via a DNS Rule Network metric (the same as for GSLB).
For outbound traffic, the selection is made based on the geographical location of the
destination.
Provide different services based on the user’s geographical location. For example:
Traffic from French customers should go to group of servers that have French content.
Response traffic to a customer from Afghanistan should be compressed due to high
latency.
Block traffic from/to certain countries.
Enforce different bandwidth/rate limits per geolocation.
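The GSLB case above combines three pieces: a geolocation lookup, a Region network class that may stop at continent, country or state, and a choice of which address to locate (the real client's subnet from the EDNS0 client-subnet option when the DNS request carries it, otherwise the LDNS address). The following is an added example, not Alteon code and not the MaxMind database: `GEO_TABLE` is a constructed, four-entry stand-in for GeoLite2 City, `DNS_RULES` is a constructed list of (Region network class, site) pairs, and the site names are hypothetical. It shows longest-prefix lookup, Region matching with wildcards below the configured level, and the EDNS0 preference.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Location(NamedTuple):
    continent: str
    country: Optional[str] = None   # None = any country on the continent
    state: Optional[str] = None     # None = any state in the country


# Constructed stand-in for the geolocation database (RFC 5737 test ranges).
GEO_TABLE: List[Tuple[ipaddress.IPv4Network, Location]] = [
    (ipaddress.ip_network("203.0.113.0/24"), Location("EU", "FR")),
    (ipaddress.ip_network("198.51.100.0/24"), Location("NA", "US", "CA")),
    (ipaddress.ip_network("198.51.100.128/25"), Location("NA", "US", "NY")),
    (ipaddress.ip_network("192.0.2.0/24"), Location("AS", "AF")),
]
# Longest prefix first, so the more specific /25 wins over the /24.
GEO_TABLE.sort(key=lambda entry: entry[0].prefixlen, reverse=True)

# Constructed DNS rules: first Region network class that matches picks the site.
DNS_RULES: List[Tuple[List[Location], str]] = [
    ([Location("NA", "US", "NY")], "dc-east"),     # state-level entry
    ([Location("NA")], "dc-west"),                 # continent-level entry
    ([Location("EU")], "dc-paris"),
]
DEFAULT_SITE = "dc-west"   # hypothetical fallback when nothing matches


def locate(ip: str) -> Optional[Location]:
    """Longest-prefix lookup of an address in the geolocation table."""
    addr = ipaddress.ip_address(ip)
    for network, loc in GEO_TABLE:
        if addr in network:
            return loc
    return None


def region_matches(region: Location, loc: Location) -> bool:
    """A Region entry defined at continent, country or state level matches
    every location below the level at which it stops."""
    return (region.continent == loc.continent
            and (region.country is None or region.country == loc.country)
            and (region.state is None or region.state == loc.state))


def effective_client_ip(ldns_ip: str, ecs_subnet: Optional[str] = None) -> str:
    """Prefer the EDNS0 client-subnet option (the actual client) over the
    LDNS source address when the request carries one."""
    if ecs_subnet:
        return str(ipaddress.ip_network(ecs_subnet, strict=False).network_address)
    return ldns_ip


def select_site(ldns_ip: str, ecs_subnet: Optional[str] = None) -> str:
    """Pick the data center for a DNS request using the Region rules."""
    loc = locate(effective_client_ip(ldns_ip, ecs_subnet))
    if loc is None:
        return DEFAULT_SITE
    for regions, site in DNS_RULES:
        if any(region_matches(region, loc) for region in regions):
            return site
    return DEFAULT_SITE


if __name__ == "__main__":
    print(select_site("203.0.113.10"))                          # LDNS in France
    print(select_site("198.51.100.200"))                        # LDNS in New York
    print(select_site("203.0.113.10", ecs_subnet="198.51.100.0/24"))  # client in CA
```

Rule order matters in the same way it does for any first-match list: the state-level New York entry is listed before the continent-level North America entry, otherwise the broader entry would capture New York clients too.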
Geolocation Database Update
MaxMind updates the GeoLite2 databases on the first Tuesday of every month. The database
can be downloaded for free from MaxMind and uploaded to Alteon.
You can also buy the GeoIP2 City database from MaxMind and upload it to Alteon.
MaxMind provides both binary and CSV formats, both as .zip files. To upgrade the geolocation
database in Alteon, download both files from MaxMind and consolidate them in a .zip file.
Note: For vADC support of Geolocation, you must upgrade the ADC-VX to version 31.0 or later.
The Geolocation Database is uploaded to the ADC-VX and then can be used by all its vADCs.
NFR ID: prod00236644
GSLB Enhancements
Remote Real Server Status Update via DSSP
Alteon version 31.0 includes the option to update the status of remote real servers that are VIP
addresses on remote Alteon devices via DSSP communication instead of health monitoring.
A new global flag lets you select whether the status update is achieved via health check or
DSSP:
- From WBM: Application Delivery > Global Traffic Redirection > DSSP: Health Monitoring via
  DSSP
- From CLI: /cfg/slb/gslb/ddsphc
The flag is disabled by default (status update is performed via health checks).
Important: After the parameter is enabled and applied, the health check of all remote real
servers is changed to NoCheck. If some of the remote real servers are not Alteon VIP
addresses, you must manually change their health check back to the desired one.
NFR ID: prod00236729
New GSLB Metric
This feature was first introduced in version 30.5.2.0.
A new GSLB metric called Current Least Connections lets you select a site (or WAN link)
according to the lowest absolute number of connections active on that site/WAN link. The
regular Least Connections metric selects the site/WAN Link with the lowest session utilization.
Session utilization is the percentage of sessions used over the total allowed (maximum)
sessions.
NFR ID: prod00245937
Dynamic IP Reputation
IP Reputation is a new added-value security feature that protects Alteon from known
malicious IP addresses.
The malicious IP address database is dynamically updated by Cyren (or, in future versions,
any other vendor) and automatically downloaded by Alteon.
You can easily and effectively stop network-based IP threats that are targeting your network,
and define whether to block or issue alerts for malicious IP addresses based on region,
category (spam/malware) or level of severity.
Notes:
- For vADC support in IP Reputation, you must upgrade the ADC-VX to version 31.0 or later.
  The IP Reputation Database is uploaded to the ADC-VX and then can be used by all its
  vADCs.
- The IP Reputation time-based license is required for this support. After installing the license
  and globally enabling the feature, a system reboot is required to make the feature
  operational.
- Alteon VA using IP Reputation requires a minimum of 4 GB RAM and an 11 GB vDisk.
Limitation: Only IPv4 addresses are supported.
AppShape++ Enhancements
Control Availability of Virtual Services with AS++ scripts
In previous versions, if an AppShape++ script was attached to a virtual service, the service and
the virtual server were always Up, even when no real server was available. This allowed an
AppShape++ script to handle the “no real server available” scenario (returning a sorry page,
redirecting to a sorry server, selecting another server group, and so on).
In this version, you can define whether the service should be kept always on or not when
AppShape++ scripts are attached. This lets you keep a virtual service always on only if the
attached script handles the “no real server available” scenario.
To configure this parameter:
- From the CLI: /cfg/slb/virt <virt id>/service <service port>/https/appshape/alwayson
- From the WBM: Virtual Service > AppShape++ > Service Always On
This parameter is disabled by default for new services. After upgrading from previous versions,
this parameter is enabled on virtual services with AppShape++ scripts to preserve backward
compatibility.
rdwr Cookie Command
This feature was first introduced in version 30.5.2.0.
The rdwr-cookie command retrieves data related to a cookie configured for persistency on the
current HTTP/S virtual service (Persistency Mode = Cookie/pbind cookie).
rdwr-cookie name – Retrieves the name configured for the cookie.
rdwr-cookie site-ip <value> – Retrieves the site IP identifier from the value of the
persistency cookie inserted by Alteon (relevant only for cookie insert persistency mode).
NFR ID: prod00238551
HTTP/2 Full Proxy (H2 server side) – Beta
The full HTTP/2 Proxy capability lets you load balance HTTP/2 traffic to HTTP/2 real servers.
The following features are available for the HTTP/2 Proxy:
- Front end SSL offload
- Backend SSL encryption
- HTTP/2 health check
Important: HTTP/2 Full Proxy support is in beta mode. You must contact the local Radware
account team if you want to activate and test this capability.
Troubleshooting and Debugging
The following capabilities were added to make technical support more efficient:
- Identifying the RCA quicker
- Reducing the need to install the debug version in the field
- Reducing the need for reproduction (better traceability)
- Understanding upgrade issues quicker
Packet Capture Improvements
Capture on Standalone Management Port
Enables capturing the traffic on the management port with the command:
/maint/pktcap/mgmt/capture
To capture traffic of a specific vADC management port, use the following command on the
ADC-VX: capture host <vADC MNG IP>.
The maximum capture file size is 100 MB.
Note: Capture on the ADC VX management port is available starting with version 30.5.0.
For more information on Alteon packet capture capabilities, see the Alteon Command
Reference.
Alteon Related information in Data Capture
Enables including Alteon related information in the data capture file using a new flag (-E) with
the /maint/pktcap/data/capture command.
The information is available in Wireshark under the Extra Info section. It includes:
- Physical Port number
- Direction − In or Out
- Source – For example: AX IN, SP INGRESS, MP > SP OUT
- SP Number
- Session ID – Links the Frontend and Backend flows
Limitations: Not supported for IPv6 traffic or filter flow.
The capture file can be filtered by any of these parameters.
Note: The Extra Info capability requires the Wireshark plug-in; see the Knowledgebase article at
the following link for instructions: KB
For more information on Alteon packet capture capabilities, see the Alteon Command
Reference.
Live Capture on TD in Data Capture
You can perform live capture on the ADC-VX Traffic Distributor using the
/maint/pktcap/td/capture command.
The TD capture enables filtering the traffic by IP address, MAC, VLAN and more.
Traffic for a specific vADC can be captured by filtering on the vADC VLANs.
Note: File capture on a TD is available starting with version Alteon 30.5.
For more information on Alteon packet capture capabilities, see the Alteon Command
Reference.
Traceability and Log Enrichment
BSP and ND Logger modules
BSP and ND logger information can assist with identifying upgrade and traffic related issues.
The information is logged at /disk/logs/BSP_ADMINMP and exportable via techdata.
SP Logger
SP logger information is used for critical SP issues, such as the SP not being able to load.
The information is logged at /disk/logs/messagesSP and exportable via techdata.
Configuration Audit log
This feature was first introduced in version 30.5.2.0.
The default value of configuration audit command (/cfg/sys/syslog/audit) was changed
to disable.
In addition, the configuration audit logs are saved to disk regardless of the configuration audit
settings. The information is logged at /disk/logs/syslogAudit and exportable via techdata.
Console Log
This feature was first introduced in version 30.5.2.0.
All console output is saved to disk. The information is logged at /disk/logs/console_log and
exportable via techdata.
SNMP Log
This feature was first introduced in version 30.5.2.0.
All SNMP calls are saved to disk. The information is logged at /disk/logs/snmpAudit and
exportable via techdata.
REST API Log
This feature was first introduced in version 30.5.2.0.
All REST API calls are saved to disk. The information is logged at /disk/logs/webui and
exportable via techdata.
Historical Events and Error Counters
The event and error counters allow R&D to quickly identify the reason for specific events and
errors.
These counters are available in previous releases. In version Alteon 31.0 a trend on the active
events and errors was added, showing the counters in the last 15, 30, 45, 60 and 75 seconds.
The relevant commands are /stats/counters/geterrors and
/stats/counters/getevents.
The output of these commands is also part of the tsdmp.
vADC Console
The vADC console feature provides console access to individual vADCs, and lets you easily
switch between the vADCs on the platform.
The vADC console is enabled by default for version 31.0 and later, or for upgrades from version
31.x and later.
When upgrading from earlier versions, the vADC console is disabled. To enable it, run
the command /c/sys/vconsole on the VX console. (This requires applying and saving the
configuration, and rebooting the platform.)
This feature is available using the Telnet protocol, with a Linux keyboard simulation.
Use the following key combinations to switch between the vADC consoles:
- CTRL+B, N — Goes to the next vADC console screen.
- CTRL+B, P — Goes to the previous vADC console screen.
- CTRL+B, <terminal slot number> — Goes to the specified vADC console screen.
  For slots greater than 10, press CTRL+B, ' and, when prompted, enter the slot number.
- CTRL+B, 0 — Goes to the base ADC-VX console screen.
Notes:
- Only one console session to the ADC VX or one of the vADCs should be connected at a
  time. If more sessions are opened, the console display may become corrupted.
- The slot numbers are determined according to the order in which the vADCs were activated
  (enabled), and not according to the vADC ID.
- This feature is not compatible with outdated terminals/terminal emulations (such as VT 100
  and ProCom terminal emulation).
For more details on all described features, see the Alteon Command Reference for Alteon
version 31.0.0.0.
New Counters and Statistics
SP Distribution Monitoring
In order to visualize the CPU utilization distribution between all SPs, use the
/stats/sp/allcpu command. The default sampling interval is set to 4 seconds and can be
changed to 1 or 64 seconds.
New Back-end SSL Statistics
New back-end SSL statistics commands are now available from /stats/slb/ssl/backend.
These statistics are mainly used for SSL inspection debugging. The new statistics are:
SSL ignored certificates (session/seconds)
SSL expired certificates (session/seconds)
SSL untrusted certificates (session/seconds)
SSL certificates hostname mismatches (session/seconds)
SSL rejected handshakes (session/seconds)
Run time SSL Cipher Statistics
You can now view the CPS rate per SSL cipher (per device measuring period, default 5
seconds). The information is available per virtual service and per filter for either the front-end or
back-end connection, using the /stats/slb/ssl/frontend and /stats/slb/ssl/backend
menus.
CLI Commands
‘apropos’ – New Global Command
Using the apropos command, you can find any CLI command based on a given pattern.
Syntax: apropos <pattern> [-i] [-d] [-u], where:
-i = Ignore case
-d = Also search for the pattern in the description
-u = Also search for the pattern in the command usage
‘cc’ – New Global Command
For a quick and more readable configuration dump, use the new global command cc, which
prints the configuration output without keys and certificates.
Configuration Related Improvement
MD5 on Configuration File
Starting with version Alteon 31.0, Alteon detects whether the configuration uploaded to the device
was manually changed after it was exported. The following warning appears on the console, in the
CLI, and as a syslog message:
Warning: The imported configuration differs from the original exported
configuration
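How a digest trailer detects an edited configuration file, as an added example in Python (not Alteon's implementation; the trailer format, the constructed configuration lines and the second warning string are assumptions). The exporter appends an MD5 of the normalised configuration text; the importer recomputes the digest, compares it, and returns the warning quoted above when they differ.

```python
"""
Integrity trailer on an exported configuration: export appends an MD5 of
the text, import recomputes and compares.  Added example, not Alteon code;
the "# md5:" trailer layout is an assumption.
"""
import hashlib
import hmac
from typing import Optional, Tuple

TRAILER = "# md5:"
WARNING = ("Warning: The imported configuration differs from the original "
           "exported configuration")
NO_DIGEST = "Warning: The imported configuration carries no digest trailer"


def _digest(body: str) -> str:
    return hashlib.md5(body.encode("utf-8")).hexdigest()


def export_config(body: str) -> str:
    """Normalise the trailing newline, then append the digest trailer."""
    body = body.rstrip("\n") + "\n"
    return body + TRAILER + _digest(body) + "\n"


def import_config(blob: str) -> Tuple[str, Optional[str]]:
    """Split the trailer off and verify it. Returns (config text, warning or None)."""
    lines = blob.rstrip("\n").split("\n")
    if not lines[-1].startswith(TRAILER):
        return "\n".join(lines) + "\n", NO_DIGEST
    body = "\n".join(lines[:-1]) + "\n"
    expected = lines[-1][len(TRAILER):].strip()
    # compare_digest: constant-time comparison of the two hex strings
    ok = hmac.compare_digest(_digest(body), expected)
    return body, None if ok else WARNING


if __name__ == "__main__":
    # Constructed configuration lines in Alteon CLI style, not a real export.
    cfg = "/c/sys/idle 10\n/c/slb/real 1\n\trip 10.0.0.5\n\tena\n"
    exported = export_config(cfg)
    print(import_config(exported)[1])                               # None
    print(import_config(exported.replace("10.0.0.5", "10.0.0.6"))[1])  # warning
```

A plain digest only catches edits that did not also update the trailer: it is an integrity check against accidental or careless modification, not an authenticity check, because nothing keys the hash. Treat the warning as a prompt to diff the imported file against the known export before applying it.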
Config Sync Error
When a config sync failure occurs, the failure reason is displayed on the device that issued the
sync (console, Telnet, and syslog).
What’s Changed and/or Modified
This section describes the changes to existing features and components introduced in version
31.0.0.0 on top of Alteon version 30.5.1.0.
For more details on all described features, see the Alteon Application Guide and the Alteon
Command Reference for AlteonOS version 31.0.0.0.
Extracting Client Certificate SAN Extension
The X509::extensions AppShape++ command now also retrieves the Subject Alternative
Name (SAN) extension, letting you extract the User Principal Name (UPN) value that might be
included in that extension.
NFR ID: Prod00241468
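Where the UPN sits inside a client certificate's SAN extension, as an added example in Python (not Radware's X509::extensions implementation, whose output format is not described here). The SAN value is a DER SEQUENCE of GeneralName entries; a UPN travels as an otherName whose type-id is the OID 1.3.6.1.4.1.311.20.2.3 and whose value is an explicitly tagged UTF8String. The block parses that shape together with rfc822Name and dNSName entries, and builds its own sample SAN so it runs offline; the names in the sample are constructed.

```python
"""
Extract the User Principal Name from a DER-encoded subjectAltName value.
Added example; the sample certificate names are constructed.
"""
from typing import List, Optional, Tuple

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft User Principal Name otherName


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode the DER tag/length/value at buf[pos]; return (tag, value, next)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw: bytes) -> str:
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:                          # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_san(der: bytes) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs for every GeneralName in the SAN value."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName value must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        if tag == 0xA0:                        # otherName [0]: OID, then [0] EXPLICIT value
            _, oid_raw, p = _read_tlv(content, 0)
            _, wrapped, _ = _read_tlv(content, p)
            vtag, value, _ = _read_tlv(wrapped, 0)
            oid = _decode_oid(oid_raw)
            if oid == UPN_OID and vtag == 0x0C:    # UTF8String
                names.append(("upn", value.decode("utf-8")))
            else:
                names.append(("otherName " + oid, value.hex()))
        elif tag == 0x81:                      # rfc822Name [1] IA5String
            names.append(("email", content.decode("ascii")))
        elif tag == 0x82:                      # dNSName [2] IA5String
            names.append(("dns", content.decode("ascii")))
        else:
            names.append((f"tag 0x{tag:02x}", content.hex()))
    return names


def upn_from_san(der: bytes) -> Optional[str]:
    return next((v for k, v in parse_san(der) if k == "upn"), None)


# --- constructed sample input: DER for a SAN with a dNSName and a UPN --------
def _tlv(tag: int, content: bytes) -> bytes:
    assert len(content) < 128                  # short-form length suffices here
    return bytes([tag, len(content)]) + content


def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def sample_san(upn: str, dns: str) -> bytes:
    other_name = _tlv(0xA0, _tlv(0x06, _encode_oid(UPN_OID))
                      + _tlv(0xA0, _tlv(0x0C, upn.encode("utf-8"))))
    return _tlv(0x30, _tlv(0x82, dns.encode("ascii")) + other_name)


if __name__ == "__main__":
    print(parse_san(sample_san("alice@example.com", "adc.example.com")))
```

The UPN is only as trustworthy as the CA that issued the certificate; a script that maps the UPN to an identity should run after client certificate verification, not instead of it.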
OpenSSL Upgrade to 1.0.1u
OpenSSL on both the data and management paths was updated to OpenSSL 1.0.1u.
Default Cipher Changes
The default SSL policy cipher (Main) was updated according to the latest security
recommendations. Ciphers that used the 3DES symmetric algorithm (DES-CBC3) were
removed.
Syslogs for LACP link UP and DOWN
A trap is sent upon an LACP status change.
5224 vADCs Limit
Starting with version 31.0, the Alteon 5224 VX platform with 24GB RAM only supports 16
vADCs (as compared to 20 vADCs in earlier versions).
Long Object ID Support
This feature was first introduced in version 30.5.2.0.
The ID field length for real servers, server groups and virtual servers has been extended to 255
characters to support FQDN-style names containing dots.
Limitations:
- The Quick Application Setup does not work with this extended ID length and currently works
  only with a maximum ID length of 32 characters.
- APM supports virtual service IDs with up to 245 characters without a period (.).
- SNMP supports OIDs up to a maximum of 128 digits, including the parameter OID and the
  key. Alteon implements a special mechanism that lets you browse the table (GetNext), Get a
  specific object, or change (Set) a specific parameter. However, you cannot create a new
  object with a long ID via SNMP.
- When long IDs are configured, some audit log messages might be displayed distorted.
- A virtual server ID longer than 50 characters does not display in DPM.
- The FQDN server cannot be created when the template real server ID is longer than
  32 characters.
NFR ID: prod00236421
GSLB − Prevent Negative DNS Response Caching
This feature was first introduced in version 30.5.2.0.
In previous versions, when there was no site available for the requested domain, Alteon would
answer DNS queries with No Such Name. Many DNS clients would cache this answer and
would not retry resolution. As of this version, to prevent this, Alteon no longer answers if there is
no site available. As a result, the client keeps retrying to resolve the DNS record until a
site becomes available.
NFR ID: prod00240111
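Why staying silent beats answering No Such Name, shown as an added simulation in Python (not Alteon code): a caching resolver sits in front of a GSLB responder whose only site is down for the first few seconds. With the legacy behaviour the responder returns NXDOMAIN, the resolver caches it for the negative TTL and stops asking; with the new behaviour the query simply times out, nothing is cached, and the next lookup reaches the responder again. The domain, VIP, timings and the 300-second negative TTL are constructed values.

```python
"""
Negative caching versus no answer: simulation of a caching resolver in front
of a GSLB responder.  Added example; all names, addresses and timings are
constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

NXDOMAIN = "NXDOMAIN"   # the "No Such Name" answer
NO_ANSWER = "TIMEOUT"   # responder stayed silent; the resolver sees a timeout


@dataclass
class Site:
    ip: str
    up: bool


class GslbResponder:
    """Authoritative GSLB DNS for one domain: answers with the first site that is up."""

    def __init__(self, sites: List[Site], suppress_negative: bool):
        self.sites = sites
        self.suppress_negative = suppress_negative   # True = new behaviour
        self.queries_seen = 0

    def query(self, name: str) -> str:
        self.queries_seen += 1
        for site in self.sites:
            if site.up:
                return site.ip
        return NO_ANSWER if self.suppress_negative else NXDOMAIN


class CachingResolver:
    """Client-side resolver that negatively caches NXDOMAIN for negative_ttl seconds."""

    def __init__(self, server: GslbResponder, negative_ttl: int = 300):
        self.server = server
        self.negative_ttl = negative_ttl
        self.negative_cache: Dict[str, int] = {}   # name -> expiry time

    def resolve(self, name: str, now: int) -> str:
        expiry = self.negative_cache.get(name)
        if expiry is not None and now < expiry:
            return NXDOMAIN            # served from the negative cache, no query sent
        answer = self.server.query(name)
        if answer == NXDOMAIN:
            self.negative_cache[name] = now + self.negative_ttl
        # a timeout is not cached, so the next resolve() asks the server again
        return answer


def first_success(suppress_negative: bool, site_up_at: int = 10,
                  negative_ttl: int = 300, horizon: int = 1000) -> Optional[int]:
    """Second at which a client polling once per second first gets an address."""
    site = Site("203.0.113.10", up=False)           # constructed VIP, down at start
    server = GslbResponder([site], suppress_negative)
    resolver = CachingResolver(server, negative_ttl)
    for now in range(horizon):
        if now == site_up_at:
            site.up = True
        if resolver.resolve("www.example.com", now) not in (NXDOMAIN, NO_ANSWER):
            return now
    return None


if __name__ == "__main__":
    print("legacy (NXDOMAIN):", first_success(suppress_negative=False))   # 300
    print("new (no answer):  ", first_success(suppress_negative=True))    # 10
```

The cost of the new behaviour is client-side: each lookup while no site is available waits for a resolver timeout instead of getting an immediate negative answer, which is the trade the release note accepts.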
Support for RFC6223 and/or RFC5626
This feature was first introduced in version 30.5.2.0.
The Alteon SIP parser now allows keep alive messages to pass from the client to the server,
and vice versa, without blocking or discarding the messages.
NFR ID: prod00244065
Troubleshooting and Debugging
Technical Support Data (tsdmp) Formatting
The Technical Support Data File (tsdmp), which is part of the techdata file, is one of the main
debugging tools in Alteon. It contains all the required information on the device (such as
configuration, statistics, run-time information, events and so on) to help with problem
investigation. Starting with Alteon 31.0.0.0, to ease the use of this file, the following
improvements were made:
- Table of contents
- Summary Section – A section that includes highlights
- Command Headlines – These headlines display the CLI command name before the
  command output.
- CLI Command Conditional Output – Rarely needed outputs are now conditional:
  techdata <hostname> <filename> <-tftp|username password> [-mgmt|-data] [-scp]
  [-key <passphrase>] [-dnssec] [-persist] [-ucb]
- Added Historical Event and Error Counters – Displays the last 15 seconds, 30 seconds,
  45 seconds, 60 seconds, 75 seconds counters
Configuration Adaptation on Upload
This feature was first introduced in version 30.5.2.0.
Configuration adaptation as part of an upgrade process is now also available as part of
configuration file upload. For example: when uploading a configuration file from version 30.0 to
a device running version 30.5.2.0, the required configuration adaptation is performed as part of
the configuration upload and will be available in the diff.
Command Line History Improvement
The following improvements were made to the history command:
- The history size increased from the last 10 to the last 100 commands.
- The history command itself is no longer added to the list of commands in the history.
- Duplicate commands are no longer recorded.
- !<string> − Executes the last command in the history that starts with the specified
  string (for example: !/info).
- history <string> − Prints only the history commands that contain the specified string.
Maintenance Fixes
Fixed in 31.0.0.0
Version 31.0.0.0 includes all field bug fixes available in version 30.5.3.3. The following
additional bugs were fixed in 31.0.0.0.
Item Description Bug ID
1. In an environment with inbound NAT using Smart NAT, the
incoming traffic was NATed when sent to the internal network
but not NATed correctly when sent back, causing inconsistent
services availability.
prod00250420
2. After performing one global Save operation, when attempting to
again perform a Save using the agSaveConfig MIB, the
response was incorrect.
prod00250014
3. The response values for the ADC-VX's MAC address and all the
vADCs that are returned by polling SNMP OID
1.3.6.1.2.1.2.2.1.6 (Object Name : ifPhysAddress) were
incorrect.
prod00249937
4. When attempting to download a large file (an approximately
150MB file) via the Alteon HTTPS (using SSL offloading)
service with forceproxy, the operation failed.
prod00249847
5. In an SLB environment with some aged certificates, a memory
leak occurred in the inspection flow, resulting in the allocation
failing and the configuration was being lost after reboot.
prod00248637
6. When there was a memory leak in the Management Processor
(MP) and the process reached its limit of dynamic memory
allocations, the Apply operation failed and the Save operation
corrupted the configuration file.
prod00248532
7. Using WBM, when attempting to delete a previously created
(applied and/or just submitted) LOGEXP advanced health check
from the list of "customized HCs," a REST API unknown
error occurred.
prod00243746
Known Limitations
This section lists known limitations for version 31.0.0.0.
Upgrade Limitations
Item Description Bug ID
1. When upgrading a 6024 or 6420 from 30.5.x to 31.0, uploading the
new image is possible via the WBM, but selecting the image for the
next reboot and the reset must be done from the CLI.
This issue is scheduled to be fixed in version 31.0.1.0.
DE21406
2. Starting with version 31.0, Alteon 5224 VX with 24 GB RAM
supports 16 vADCs (compared to 20 vADCs in earlier versions).
DE21457
3. After upgrading from version 30.5.3.0 to 31.0 with syslog servers
configured, the configuration remains in diff.
Reason: The syslog settings in version 30.5.3 contain the syslog
port, while the syslog settings in version 31.0 do not support it.
Workaround: Before the upgrade, remove the syslog settings from
the configuration. After upgrade, reconfigure the syslog settings.
DE22603
4. After upgrade to version 31.0 with a duplicate syslog server IP
address configured, the configuration remains in diff and the
following error displays:
Duplicate Syslog Server with same IP <syslog IP>
Workaround: Remove the duplicated syslog setting from the
configuration before the upgrade.
DE21305
vADC and ADC-VX Limitations
Item Description Bug ID
1. The vADC management access protocols can be enabled or
disabled via ADC-VX only upon vADC creation. Once a vADC is
created, these settings can only be changed through the vADC.
If SNMP is not enabled on the vADC on creation, it cannot be
accessed via APSolute Vision.
DE6362,
DE6449
2. In an ADC-VX environment where the ADC-VX version is earlier
than 30.0 and the vADCs are version 30.0 or later, packet capture
on the vADC does not work.
The issue also occurs when ADC-VX is running version 30.0.x with
vADCs with version 30.1 or later.
Workaround: Upgrade ADC-VX to version 30.1.x, or upgrade both
ADC-VX and the vADCs to the same Alteon versions.
DE2183,
prod00245015
3. After deleting a vADC, if the saved platform configuration that
includes the deleted vADC is uploaded via the GA environment and
pushed to all vADCs, the deleted vADC still exists, but its
configuration is cleared.
prod00218109
4. When uploading a vADC configuration using the padc option
(configuration from a standalone platform), if, when prompted to
"Enter vADC Number", you leave the field blank and press Enter, the
GA management IP address is overwritten by the vADC management IP
address.
prod00216519
5. From WBM, you cannot change the vADC management IP address
from within the ADC-VX environment.
prod00216388
6. Login to a vADC with RADIUS or TACACS authentication fails
when MP utilization is at 100%.
prod00206201
7. On an Alteon 8420 platform in an ADC-VX environment, when
Alteon is only using Layer 3, there could be packet loss even with
small traffic.
prod00225998
8. In a virtualization environment, the MP statistics displayed in the
vADC and for the same vADC in the ADC-VX do not match.
Note: The value displayed in vADC is correct.
DE22030
9. In a virtualization environment, when an ADC-VX has version
30.5.x and a vADC has version 31.0, the SP CPU Utilization value
displayed in the vADC is incorrect.
DE21465
10. Using FastView on an Alteon ADC-VX, when you use the ADC-VX
management console to import a configuration from an older version
to a vADC that is using FastView while the vADC is enabled and
actively running, the import process takes a long time and a timeout
failure alert displays. Although the timeout error displays, the file
upload does complete successfully. To avoid the timeout, Radware
recommends stopping (disabling) the vADC before importing the
configuration.
DE9649
Alteon VA Limitations
Item Description Bug ID
1. On an Alteon VA platform with more than 2.5 GB RAM in vSphere
with no DPDK ports, an IDS chain in the group and a fallback
action Continue in Flow in the filters cannot be used.
DE22180
2. For Alteon VA to run in PCI pass-through mode on HP servers with
VMware virtualization, ESXi 6.0 or higher is required.
NA
3. Alteon VA with more than 3 GB RAM works with DPDK and not
TUN/TAP (KVM/VMware). This requires that the host processor is
the Intel Westmere architecture or higher (Xeon series 36xx, 56xx,
and the Core i7-980X).
N/A
4. Multi core VA is not supported over Hyper-V, Open XEN, and AWS. N/A
5. When working with DPDK (more than 3 GB RAM, KVM/VMware),
the SP CPU usage displays high utilization when monitored by
external tools.
The Alteon internal SP CPU utilization displays the correct value.
NA
6. When reallocating vCPUs to the Alteon VA under KVM, you must
modify the VM XML file on the host to utilize the correct number of
the cores.
NA
7. LACP is not supported when working in SR-IOV mode. NA
8. A NIC added after the initial boot of the VA is not recognized when
operating in TUN/TAP mode (with less than 3 GB RAM or on Hyper-V,
OpenXen, AWS, or Azure).
NA
9. When reallocating vCPUs to Alteon VA under KVM, you must
adjust the CPU pinning for performance optimization.
10. Alteon VA must have at least 3 GB RAM to avoid a panic in some
scenarios, such as configuration import.
prod00249837
11. Alteon VA MP CPU utilization is 12% in idle mode (no configuration
or traffic).
prod00217990
12. On an Alteon VA platform, when accessing the platform over Telnet
or SSH using an IPv4 interface, the log message incorrectly
displays access via an IPv6 interface.
prod00206162
13. Using Alteon VA or NFV, BWM is not supported. DE137
14. When installing Alteon VA over KVM, the virtual machine name
cannot contain spaces.
DE384
15. Using Alteon VA, the displayed disk size is smaller than the actual
configured disk size, even though Alteon VA utilizes the entire disk
size configured for it.
16. Disabling TD vCPUs should be done through the CLI and not
through WBM.
DE13352
17. When configuring a second Alteon VA on a host where the NUMA
node that already has a running Alteon VA does not have enough
memory, the first Alteon VA might crash.
DE13928
18. Using WBM, when logged in to Alteon VA with User privileges, the
landing or the Welcome pane displays as blank and the actual
pane does not appear.
DE14588
19. On an Alteon VA platform, deleting or removing a TD can be
performed only through CLI and not through WBM.
DE17038
WBM Limitations
Item Description Bug ID
1. Using WBM, when managing a vADC in the Memory Management
pane, the Allocated Session Table Capacity parameter displays
twice. Only the second display actually changes the configuration.
2. Both the SLB admin and Layer 4 admin cannot view the URL
Filtering statistics using the WBM monitoring screen and cannot
delete a URL Filtering policy.
DE20796,
DE20793
3. A virtual service with 256 virtual service IDs does not display in the
Service Status View. DE21262
4. Using WBM, when navigating to Configuration > Application
Delivery > Global Traffic Redirection > DNS Direction Rules, the
Rule Type field is grayed out and cannot be edited.
Workaround: Use the CLI to edit this field. DE19103
5. Using the WBM, when trying to duplicate a virtual service and the
duplicated service is created with Group ID 1, an error displays. DE21577
6. On an 8820 platform, in the port settings WBM panes, the port
types of the 40G and 100G ports are incorrect.
DE21907,
DE21906
7. Using URL filtering, a URL is categorized in the “undefined”
fallback category in the following cases: the URL is longer than 256,
or HTTP 1.0 packets are sent without a Host header.
DE21740,
DE21741
8. In the Link Load Balancing pane, creating an Inbound LLB Rule > IPv6
Inbound LLB Rule with Service Type "Group via IPv6 NAT address" or
Service Type "Server via IPv6 Server" creates an IPv4 Client Network
Rule instead of an IPv6 one.
Workaround: Access the created Client Network Rule and
manually change it to IPv6.
DE21241,
DE21242
9. Using WBM, copying the Inbound Link Load Balancing rule does
not work and returns an error. DE21547
10. Using WBM, on a 6024 platform you cannot set more than eight (8)
AppWall (Websec) Capacity Units. DE20585
11. Using WBM, in an SLB environment, you cannot set the
persistency mode as cookie for an HTTPS virtual service, because
the persistency mode drop-down only displays clientip, sslid, and
disable, but not cookie. DE20486
12. Using WBM, when copying a server group, sometimes the real
servers configuration in the server group is not copied, causing a
submit error. DE19962
13. Using WBM, when managing with the user Class of Service set to
L4admin, SLBadmin, user, or certificate administrator, there
may be few discrepancies between the screen display and the CLI
menu display. DE19885
14. Using WBM, on an 8820 platform, in the Configuration > Network
> Physical Ports > Port Settings pane, the port types for 40G and
100G are displayed incorrectly. DE18106
15. After an idle timeout of a WBM session, if you click Cancel instead
of entering the credentials in the Authentication dialog box, an
incorrect error message is displayed instead of an
unauthorized error message. DE18092
16. Using WBM, when the Global SLB statistics are cleared, the
cleared acknowledgement message displays twice. The duplicate
message should be ignored. DE16456
17. Even though an AppShape++ script is not associated to a virtual
service, it might be displayed in the Service Status view and should
be ignored. DE16660
18. The Initial Startup Configuration does not support configuring
tagged VLANs.
19. Using WBM, in the SSL Client Authentication Policy pane at
Configuration > Application Delivery > SSL > SSL Policy >
Client Authentication Policy, the search in the table does not
work on the Redirect URL on failure column. DE16075
20. Using WBM, when the sync peer is preconfigured and you perform
any configuration change to an HTTP/2 policy, the Sync button is
not automatically highlighted. DE15480
21. Using WBM, when configuring an SSL Policy, the Intermediate CA
Certificate drop-down list gets stuck after the first time it is clicked.
DE13877
22. Using WBM, when a device is managed via a data port, the log
messages do not display.
DE13962
23. When editing an SNMPv3 user, you cannot change only the
authentication protocol.
DE7889
24. Using WBM on an Alteon VA platform, you cannot set the IDS port
in the real server configuration to a value greater than 2.
DE21296
25. In an ADC-VX environment, the APM license display has the
following issues:
Using WBM, it displays with the string “Status Unknown”.
If there is more than one license, the additional APM license
display overwrites the license display of the previous APM
license.
DE1919
26. Using WBM, you cannot import server certificates with an existing
ID (replace existing certificate).
Workaround: Delete the existing certificate and apply, then import
the new certificate using the same ID.
prod00213833
27. WBM does not support the Safari browser in MacOS. Instead, you
should use Chrome or Firefox.
N/A
28. In the STG monitoring pane, not all values are updated. prod00214839
29. Using large configurations, generating a techdata file may cause
the MP to reach 100% and WBM disconnects.
prod00212041
30. Using the Service Status view, when the primary real server is
down but its backup is up, the backup real server does not display.
prod00211854
31. Using the Service Status view, a real server in blocking mode
displays as Up instead of as Warning.
US2349
32. The Traffic Contract for Non-IP Traffic field is not available in the
VLAN configuration pane.
prod00211136
33. Using WBM on an Alteon VA platform, in the VRRP Configuration
pane, the Advertisement source MAC address mode field is
missing.
prod00216395
34. WBM has partial support for monitoring and statistics. For full
support, use the CLI.
N/A
35. You cannot renew a server Certificate with the new Validation
Period.
prod00218841
36. Using WBM, the SNMPv3 configuration has the following
limitations:
When creating or updating SNMPv3 USM users, the admin
password validation is skipped.
When creating SNMPv3 vacmAccess, the security level might
not be set properly
prod00204831
37. In WBM in the AppShape++ Monitoring pane, the Aborts value is
not updated and may display an incorrect value.
prod00204783
38. In CLI, there is a new display for SP Dynamic Memory usage. In
WBM, this display is not available and instead incorrectly shows the
old display.
prod00204612
39. In WBM, DNSSEC has the following limitations:
The DNSSEC responder VIP table may display irrelevant
columns such as service and protocol, which can be ignored.
In the DNS responder VIP Configuration pane, you must select
the virtual Server ID that has DNS TCP and DNS UDP as
services. You cannot pre-select the server.
The Virtual Server pane incorrectly does not display the DNS
responder VIP.
prod00204527
40. In WBM, in the filter configuration, two-way VPN load balancing is
missing.
prod00204182
41. In WBM, the VRRP Virtual Router state displays either Init, Master,
or Backup (the Holdoff state is missing). To obtain a detailed
status, Radware recommends using the CLI.
prod00201915
42. In WBM, on a vADC platform, you cannot turn off/on IP Forwarding
on a port. You can only perform this using the CLI command
/cfg/l3/port.
prod00205717
43. In WBM, in ADC-VX mode, after enabling RADIUS authentication,
logging in might not work.
Workaround: In the browser, clear the cache and retry logging in.
prod00206275
44. In WBM, panes in which virtual servers are associated and panes
that have virtual server dual lists or select boxes might display DNS
responders VIP addresses that are irrelevant.
Workaround: Ignore or skip these irrelevant VIP addresses.
prod00206278
45. In WBM, after deleting an object, if the object is associated to other
entities, these associations are not automatically removed. You
must remove these associations manually so that Apply does not
fail.
prod00206486
46. In WBM, the HTTPS body health check configuration can accept
only 512 characters, while 1024 characters are allowed.
prod00206608
47. Enabling or disabling a real server per group is not available using
WBM.
prod00206965
48. Using WBM, when attempting to delete a configuration object and
then adding a new object of the same type using the same ID, the
Apply command must be run between the two operations for the
addition to be successful.
prod00201414
49. Using WBM, converting a standalone configuration to a vADC
configuration does not work.
prod00216210
Static NAT Limitations
This section includes limitations of the Smart NAT feature that was added in version 30.5.2.0.
All of these limitations are scheduled to be fixed in version 31.0.0.0.
Item Description Bug ID
1. In a Smart NAT environment for outbound traffic and Global SLB
DNS queries, sometimes the priority doesn't work as expected. DE19218
2. Statistics are displayed for the wrong NAT ID. DE19177
3. In a No NAT static NAT environment, even though the local server
is up and running and HTTP requests are forwarded to the local
server, no response is given to the ICMP command (that is, the
ping to the static address does not work). DE18963
4. You can submit a Smart NAT entry with different IP versions (such
as IPv4 SNAT and IPv6 WAN link). DE18862
5. When adding an IPv6 NAT, in the Smart NAT table the local
address and NAT address columns display address 0.0.0.0 instead
of the IPv6 address.
DE19118,
DE20225
General Limitations
Item Description Bug ID
1. An FQDN Server cannot be created when the ID of the template
real server is more than 32 characters.
DE21734
2. On an 8820 platform with a 100 G port, forward error
correction (FEC) cannot be set to OFF, which is required to operate
LR transceivers. Currently only SR transceivers are approved for
use. DE22524
3. On 6024 or 8420 platforms, when an Alteon is connected to a
Cisco router in a simple STG topology, a loop occurs because all
the ports remain in Forwarding state.
4. In an SSL inspection environment with more than one security
device flow, the reverse setting must be set to enabled on all
related filters.
5. In an SSL inspection environment, if the cache size reaches 100%,
traffic failures occur.
A cleanup mechanism deletes 10% of the cache once it reaches 80%
of its size. If the cache is being cleaned too quickly (at a rate
greater than 100 Mb per second), traffic failures might still
occur.
6. In a VRRP environment, centisecond advertisement intervals are not
supported. All the intervals must be in seconds.
Currently, centiseconds are supported only with IPv6
advertisements, and they work incorrectly most of the time.
7. If you are using different image versions in Master (later than
version 30.0.0.0) and Backup (earlier than 30.0.0.0), syslog
messages display regarding the mismatch in address count, and
advertisement errors are incremented accordingly on the Backup.
However, this does not affect the VRRP master-backup scenario.
All the functionality is expected to work as before, except for the
error counter increment.
8. In a VRRP with SLB environment with PIP and a network class
configured, the incorrect MAC address (the base MAC address)
instead of the VR MAC is reflected in the MP ARP responses,
causing sessions that were NATed before going to the Internet to
return to the same MAC address.
Workaround: Delete the network class and configure the specific
address as PIP:
/c/slb/real LTM_F5/adv/pip
 mode address
 addr 171.182.204.63 255.255.255.255 persist disable
/c/slb/nwclss SNAT/del
DE21252
9. Using APSolute Vision, configuring a network class with a country
or state that contains special characters may fail.
Workaround: Use Alteon WBM for such a configuration. DE21625
10. In an SLB environment with a gateway per VLAN configured in a
network without a PIP configuration, Alteon forwards server
returned packets to clients tagged with different VLAN IDs, causing
packets to be discarded by the gateways.
Radware recommends setting the Return to source MAC value for
a relevant virtual service using the rtsrcmac ena command, which
was introduced in version 30.1. prod00246941
11. LACP does not work when MSTP is enabled. DE13199
12. In an ADC-VX, when changing the management IPv6 gateway
address, the previous IPv6 gateway address is not removed from
the routing table. DE21599
13. Using WBM in the Mozilla Firefox browser over an HTTPS
connection, it might take a very long time to open the Alteon
applet. DE20462
14. In a high availability environment, the configuration synchronization
failure reason does not appear on the master device when an IPv6 peer
IP address is used.
Workaround: Use an IPv4 peer IP address. DE19918
15. Alteon does not forward BPDUs between Cisco and Juniper when
the VLANs are in different STGs and the STG is set to off. DE19690
16. On an 8820 platform in an ADC-VX environment, even though the
threshold CUs should be only 144, WBM limits the user to up to
152 CUs. DE19548
17. In an SLB environment, Layer 7 Direct Server Return (DSR) with
FTP does not work. DE17741
18. In a DNS cloud environment with FQDN real servers configured,
after a few DNS responses, the real server capacity information
displays incorrectly with the CLI command
/info/sys/capacity/. DE17650
19. In a BGP environment where Floating IP advertisement is used, when you disable or delete a floating/VR IP address, BGP routes are not updated. DE16514
20. In a VRRP unicast environment on an Alteon VA platform (KVM),
with Direct Access Mode (DAM) disabled and matrix and mirror enabled, after backup the mirrored sessions are not distributed to all SPs.
DE16513
21. In a VRRP unicast environment with TSO enabled on the backup and synced to the backup, when the backup becomes the master, even though the TSO enable is synced, manual reboot is required for TSO to work. DE15820
22. On the 5224 FIPS platform, when back-end SSL encryption is
enabled, SSL performance is very low.
DE13959
23. When performing outbound link load balancing in an IP gateway
environment (different IP versions used on LAN and WAN),
proximity checks are not initialized.
24. When using FQDN servers, configuration synchronization from
backup to master is not supported (it causes FQDN servers to be
disabled or deleted).
DE13680,
DE13559
25. When a backup device with FQDN servers comes up after reboot,
no ephemeral real servers are present.
26. GSLB Proxy Redirection for an HTTPS or SSL service does not
work when SSL ID persistency is configured on a virtual service.
DE13265
27. Using GSLB, availability priority set for a VIP on a remote Alteon is
not taken into consideration by the local Alteon.
DE13545
28. Alteon sends beacons to the APM on the default port only. DE12551
29. When using a network class for PIP, the range of the network class
cannot overlap with the VIP IP address.
DE2065
30. When the CDP server is not accessible and the CDP Interval value
is reached, the current CDP is deleted even though it is still valid.
DE2168
31. Uploading a large CRL file on a vADC with one (1) CU may take a
very long time. For example, uploading a 5M CRL file on a vADC
with one (1) CU may take 30 minutes.
N/A
32. Return to the source MAC address only works when Direct Access
Mode (DAM) is enabled.
DE792
33. IPv6 DSR DNS load balancing does not work. DE2284
34. The IPv6 DNS client does not work. DE802
35. For a virtual service, the insert cookie configuration should be
performed either by setting the persistency mode to insert cookie,
or by using an AppShape++ script with a persistent cookie. Both
settings should not be performed together on the same service.
DE881
36. On an 8420 platform, when the management port and next host
(SMB/NIC) is configured as 10 HDX/FDX auto off, the link displays
as down using the info/sys/mgmt command, even though the
link LED is orange and the activity LED is green.
prod00225576
37. On an 8420 platform, when the system is up, pulling out the fan
tray, blocking it, and then reinserting it, there is a log message that
the fan is plugged in, but there is no message that the fan failed.
prod00225314
38. On a 5208 platform with management port enabled, after rebooting
the platform (/boot/mgmt) with the factory configuration, the
platform becomes operational with the management port disabled,
when it should have been enabled by default.
prod00217388
39. On a 5208 platform, when setting the next boot to load from the
factory default configuration without keeping the management
configuration, after reset, the management port becomes disabled
(although by default it is enabled).
prod00223651
40. When audit is enabled on a platform and an audit message
contains more than 1000 characters, the message is truncated and
the audit may not display all configuration change details in the
message.
prod00223697
41. Some audit messages related to enable/disable might display as
deleted when the field is actually being modified.
Example command: /c/sys/access/https/https d
This may display as if HTTPS was deleted, when it was actually
changed from its default.
prod00223516
42. Using an AppShape++ script, the UDP::response does not work in
SERVER_DATA for DNS.
prod00221228
43. Under high traffic load, terminated sessions are not removed from
the backup platform mirror table.
prod00213645
44. The IP interface of a VRRP group that includes IPv4 VRs cannot be
configured using IPv6.
N/A
45. While retrieving techdata, the MP CPU utilization may reach 100%,
making the management interface inaccessible.
prod00212041
46. GSLB Proxy Redirection does not work for IPv6 traffic. prod00215426
47. GSLB Client Proximity does not work when HTTP traffic is
processed in forceproxy mode.
prod00215327
48. On a standalone platform connected to a Cisco switch, STP
Root bridge election does not occur.
prod00207648
49. On a 5224 platform, 1 GB fiber SFP links are not operational when
connected to a Juniper switch. This is a Juniper-Broadcom
interoperability problem.
Workaround: Disable auto-negotiation or use a copper GBIC.
prod00219478
50. On a 6420 platform, ports that are connected to a Cisco or Juniper
switch are incorrectly reported as up even when disabled.
prod00217649
51. Statistics of IPv6 virtual servers are incorrect on the backup
platform.
prod00217544
52. When activating traffic capture on a platform that is under high load
and high SP CPU, failover to the backup platform may occur.
prod00210096
53. Outbound SIP traffic works only for a standard 5060 port. prod00217348
54. SSL decryption of an SSL capture is not supported for IPv6 traffic. prod00217115
55. Using redirect filtering, Layer 7 pattern match does not work when
delayed binding is enabled.
prod00212657
56. The OSPF MD5 key is displayed in a config dump as clear text
instead of encrypted.
prod00214646
57. In IPv6 filters, when delayed binding is enabled internally, it
functions as forceproxy.
prod00214645
58. For a VR group that includes both IPv4 and IPv6 VRs, the
advertisements are sent only via IPv6 interfaces when the method
is unicast.
prod00214159
59. No warning message is displayed when APM is enabled on a
service with no APM license.
prod00213522
60. When all persistent entries in the Dynamic Data Store (persistence
via AppShape++) are purged, sometimes new persistent entries
are not mirrored to the backup platform. Radware recommends
also purging entries from the backup platform.
prod00212945
61. If the real server has the description configured, the real server
description is shown instead of the real IP address under
/info/slb/cookie.
prod00220874
62. When a buddy server does not belong to any service, after Apply it
and the real server go down for a short time.
prod00212727
63. When two IPv6 interfaces are configured on the same VLAN and
they both have VRs configured, only one interface is in status "up
(preferred)", while the other is in status "up (tentative)".
Workaround: Disable and then enable the interface.
prod00216479
64. Uploading the configuration taken from a techdata file is not
supported. After uploading such a configuration and rebooting, a
"bad syntax" error is issued and most of the configuration is
ignored.
prod00216036
65. The default share value for /cfg/l3/vrrp/group and
/cfg/l3/vrrp/vr is disabled in Alteon versions 26.8 and 28.0,
and enabled starting with version 28.1. After upgrading from
versions 26.8 or 28.0 to version 28.1 or later, if the share
parameter had a default value, you must disable it manually.
prod00177054
66. The BWM module is not working properly. prod00190470
67. For IPv6 virtual routers (VRs), only VRIDs up to 255 can be used. prod00191837
68. HTTP Layer 7 processing using legacy delayed binding in enabled
mode does not work with fragmented traffic.
prod00198986
69. On an Alteon 5412 platform (XL or non-XL), the 1 GB fiber module
is not working with auto-negotiation on.
Note: The port might be displayed as up but it does not function
properly.
Workaround: Set the auto-negotiation to off at both sides.
prod00200279
70. On a 5412 platform, an SFP port with the SI8512-X5AT0-3C fiber
module should not be used for ISL. The port speed is reported as
10M, causing VRRP flaps.
prod00200619
71. SSL ID persistency is not supported in force proxy mode. When
upgrading from version 28.1.x to 29.5.0.0, if there are virtual
services configured with SSL ID persistency and force proxy mode,
configuration apply fails until either SSL ID persistency is disabled
or force proxy mode is deactivated.
Radware recommends performing this before upgrade.
prod00200668
72. A GSLB configuration with cookie-based persistency between sites
does not work for IPv6 requests.
prod00201333
73. The incorrect APM license value is reported to APSolute Vision. prod00201942
74. On an HTTPS service with a non-standard service port and server
port 443, in force-proxy mode, real server IP leakage is observed.
Workaround: Add a proxy IP address or change delayed binding
to enabled mode.
prod00202219
75. When a new configuration is applied, there might be "server up"
messages for servers that are not attached to any VIP.
prod00202693
76. If more than 256 virtual routers (VRs) are configured on the same
IP interface, flipping between master and backup device can occur.
prod00202886
77. Sometimes persistent sessions exist for twice the persistency
timeout value.
prod00203494
78. When processing traffic via a redirect or NAT filter, if an ICMP type
3 code 4 message arrives from the client-side, it is not properly
processed.
prod00203850,
prod00203888
79. X-Forwarded-For can be enabled for an HTTPS service without
SSL offload (requires delayed binding enabled), even though it
cannot be performed.
prod00204113
80. MP Utilization data sent to the Device Performance Monitoring
module is sometimes incorrect.
prod00204922
81. Generation of a 4096 key size may take up to 30 seconds. During
this time, the CPU utilization may reach 100 %.
prod00204939
82. Trying to upload a very large capture file via FTP/TFTP fails. prod00205038
83. On an Alteon 4408 platform with 1G copper SFP ports, the port
status is always displayed incorrectly on these ports and does not
take effect when operationally disabled or enabled.
prod00206900,
prod00115850
84. Some of the cache statistics are incorrect:
The number of new cached bytes is always reported as 0.
The new cached bytes rate is incorrect.
The cached objects average size counters are incorrect.
prod00207290,
prod00207297,
prod00207299
85. HTTP/2 Gateway is not supported in conjunction with AppShape++.
FastView Limitations
Item Description Bug ID
1. When using FastView for an HTTPS service in conjunction with
Pass SSL Information to Backend Servers, Radware
recommends using the default header names. The FastView
fetcher uses default SSL headers to indicate front-end SSL, and
not the user-defined custom headers.
DE6100
2. Using FastView with deferral for images, the images are not
displayed.
This is scheduled to be fixed in version 31.0.1.0.
DE13859
AppWall Limitations
Item Description Bug ID
1. The AppWall management applet does not work when the
management user is authenticated via TACACS or RADIUS (only
local users are supported).
prod00216858
2. After upgrading to version 31.0.0.0, as the internal security page
.zip files are deleted from the disk, the vulnerability response is
always returned as a 404 not found page instead of the configured
security page.
Workaround: After the upgrade to version 31.0.0.0, re-upload the
internal security page .zip files to avoid the 404 response.
This is scheduled to be fixed for version 31.0.1.0.
DE22203
3. In an Authentication Gateway environment, uploading several files
in a short period might sometimes fail.
DE21801
4. In the Authentication GW panes, in some rare cases when only the
authentication GW license is installed, more filters display than are
defined.
Workaround: For authentication GW functionality, use only the
Allowlist and Pathblocking filters.
DE1929
5. In some rare cases, the request data in the Forensics table does
not display information.
DE1373
Alteon Management via APSolute Vision Limitations
Item Description Bug ID
1. From APSolute Vision, when working in a vADC that is set with
unlock system access, after applying any system changes in the
vADC, the Revert Apply from APSolute Vision may cause the
vADC to disconnect, as the SNMP access setting will revert to
default (disabled).
Workaround: Perform the Revert Apply from the Alteon WBM.
This is scheduled to be fixed in version 31.0.1.0.
DE20789
2. Using APSolute Vision version 3.60 with this Alteon version, the
import/export from the Operations menu does not work.
Workaround: Navigate to the individual pages for the export/import
of a specific configuration (for example), or upgrade to APSolute
Vision version 3.70.
prod00246805
3. Using APSolute Vision 3.0, techdata cannot be generated.
Workaround: To generate techdata, use the Alteon WBM, or use
the CLI command /maint/techdata.
DE1850
4. Using APSolute Vision to manage FastView on Alteon, the controls
in the Treatment Set screens do not work properly.
DE14140,
DE13816
Related Documentation
New! Version 31.0.0.0 introduces the Alteon Getting Started Guide. This guide is designed to
quickly assist you in configuring a new installation from scratch.
The following documentation is related to this version:
Alteon Installation and Maintenance Guide
Alteon VA Installation and Maintenance Guide
Alteon Getting Started Guide
Alteon Web Based Management Application Guide
Alteon Command Line Interface Application Guide
Alteon Command Reference
Alteon REST API User Guide
Alteon AppShape++ SDK Guide
Alteon NG Deployment Guide
AppWall for Alteon NG User Guide
FastView for Alteon NG User Guide
LinkProof for Alteon NG User Guide
LinkProof NG User Guide
Alteon Troubleshooting Guide
North America
Radware Inc.
575 Corporate Drive
Mahwah, NJ 07430
Tel: +1-888-234-5763
International
Radware Ltd.
22 Raoul Wallenberg St.
Tel Aviv 69710, Israel
Tel: 972 3 766 8666
© 2017 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners. Printed in the U.S.A