Version 31.0.0.0 Rev. 1 February 21, 2017 -...

AlteonOS Release Notes Version 31.0.0.0 Rev. 1 February 21, 2017


Page 1: Version 31.0.0.0 Rev. 1 February 21, 2017 - radware.proradware.pro/downloads/AlteonOS-31-0-0-0-Release_Notes.pdf · Alteon 31.0.0.0 Release Notes Rev. 1, February 21, 2017 Page 4

AlteonOS

Release Notes

Version 31.0.0.0 Rev. 1

February 21, 2017


TABLE OF CONTENTS

CONTENT

RELEASE SUMMARY

SUPPORTED PLATFORMS AND MODULES

UPGRADE PATH

BEFORE UPGRADE - IMPORTANT!

GENERAL CONSIDERATIONS

DOWNGRADE

WHAT’S NEW

Alteon 8820 – High Performance ADC

Alteon 6024 VX Platform Enhancements

Redundant Out-of-path Management Port

Performance

Authentication Gateway – SAML 2.0 Service Provider Support

SSL Inspection Capabilities

Intermediate SSL Certificate for HTTPS Management Access

LinkProof Enhancements

Alteon VA/NFV/Cloud

IPsec Support for Virtual Service IP

HTTP/S Health Check Enhancements

High Availability Tracking for Selected Real Servers

Alteon to Expand Support of BGP Prepend for VIPs

Selectively Stop BGP Advertisements

Equal Cost Multipath Routing in OSPF

Geolocation-based Load Balancing

GSLB Enhancements

Dynamic IP Reputation

AppShape++ Enhancements

HTTP/2 Full Proxy (H2 server side) – Beta

Troubleshooting and Debugging

WHAT’S CHANGED AND/OR MODIFIED

EXTRACTING CLIENT CERTIFICATE SAN EXTENSION

OPENSSL UPGRADE TO 1.0.1U

DEFAULT CIPHER CHANGES

SYSLOGS FOR LACP LINK UP AND DOWN

5224 VADCS LIMIT

LONG OBJECT ID SUPPORT

GSLB − PREVENT NEGATIVE DNS RESPONSE CACHING

SUPPORT FOR RFC6223 AND/OR RFC5626

TROUBLESHOOTING AND DEBUGGING

Technical Support Data (tsdmp) Formatting

Configuration Adaptation on Upload

Command Line History Improvement

MAINTENANCE FIXES

FIXED IN 31.0.0.0

KNOWN LIMITATIONS

Upgrade Limitations

vADC and ADC-VX Limitations

Alteon VA Limitations

WBM Limitations

Static NAT Limitations

General Limitations

FastView Limitations

AppWall Limitations

Alteon Management via APSolute Vision Limitations

RELATED DOCUMENTATION


Content

Radware announces the release of AlteonOS version 31.0.0.0. These release notes describe new and changed features introduced in this version on top of version 30.5.0.0.

Release Summary

Release Date: February 15, 2017

Objective: Major software release introducing new capabilities and offerings

Supported Platforms and Modules

This version is supported by the following platforms:

5224, 5224XL

5208, 5208 XL, 5208 Extreme

6024, 6024 XL, 6024 Extreme

6420, 6420 XL, 6420 Extreme

6420p, 6420p XL, 6420p Extreme

8420, 8420 XL, 8420 Extreme

8820, 8820 XL, 8820 Extreme

Alteon VA running on VMware ESX 5.0, 5.1, 5.5, 6.0, KVM, Hyper-V and OpenXen

Alteon VA on AWS

Alteon VA on Azure

For more information on platform specifications, refer to the Alteon Installation and Maintenance Guide.

Alteon 31.0.0.0 is supported by APSolute Vision version 3.70 and later.

Upgrade Path

You can upgrade to this AlteonOS from AlteonOS versions 28.x, 29.x and 30.x.

General upgrade instructions are found in the Alteon Installation and Maintenance Guide.

Before Upgrade - Important!

1. Before performing an upgrade, back up your current configuration.

2. To ensure a successful upgrade, run the Upgrade Advisor Tool with your current configuration and the target version. Then, perform the required actions as instructed in the report output. The Upgrade Advisor Tool includes all the limitations and upgrade considerations specifically relevant to the source configuration, version, device details and target version. Make sure to update the Upgrade Advisor Tool DB before performing the analysis. The Upgrade Advisor Tool is available on the Customer Portal.

3. Read the Upgrade Limitations in these Release Notes for new upgrade limitations related to this version.

General Considerations

Hypervisors (ADC-VX) running a certain version (for example, 31.0) only support vADCs that run the same version or later.

Downgrade

Configuration rollback (downgrade) is not supported. The configuration should be saved before upgrading to a newer version. If you perform a version rollback, upload the saved configuration after the downgrade.

What’s New

This section describes the new features and components introduced in this version on top of Alteon version 30.5.1.0.

For more details on all features described here, see the Alteon Application Guide and the Alteon Command Reference for AlteonOS version 31.0.0.0.

Alteon 8820 – High Performance ADC

Alteon Application Switch 8820 is the next-generation, carrier-grade application delivery controller (ADC), providing superior performance coupled with advanced capabilities such as ADC Virtualization, integrated application acceleration and on-demand scalability needed to effectively meet mobile carrier and large enterprise data center and network needs.


Alteon 8820 Platform Highlights

High performance application delivery appliance covering the high-end throughput range:

120 Gbps, 160 Gbps, and up to 200 Gbps throughput capacity

Supports ADC-VX with up to:

60 vADCs with 64 GB RAM

100 vADCs with 256 GB RAM

High-End connectivity capabilities:

Four (4) 100 GbE QSFP28

Four (4) 40 GbE QSFP+

Twenty (20) 10 GbE SFP+

Hot-swappable dual AC/DC power supply

High performance SSL acceleration, compression, and caching

Front-to-back fans suitable for new data center designs

Alteon 6024 VX Platform Enhancements

The Alteon 6024 VX platform includes the following enhancements as part of version 31.0:

Maximum number of supported vADCs – This was increased from 20 to 32.

Elastic Core Allocation on the Alteon 6024 Platform – Alteon 6024 supports the elastic core allocation configuration (previously named "advanced core allocation"). There is no option to disable the elastic core allocation on this platform. The system default mode is performance mode, supporting up to 20 vADCs.

Redundant Out-of-path Management Port

This version provides two redundant management ports, giving highly reliable out-of-band management interfaces with enhanced security.

NFR ID: prod00237950

Performance

Improved SSL Price-Performance

Alteon 31.0 introduces a significant increase in SSL performance (up to 300% increase for CPS and up to 400% for throughput) for software-based SSL processing (VA and non-XL appliances). This was achieved by optimizing the SSL code for Intel processors, including the use of Intel’s special AES instructions.

In addition, a significant increase in SSL throughput (up to 40% depending on the platform) was also achieved on SSL hardware-accelerated platforms by introducing capabilities such as TCP Segmentation Offload and hardware-based core selection at Layer 4.


Hardware-based Core Selection

Prior to version 31.0, the NICs distributed traffic arriving at Alteon between the CPU cores by hashing Layer 3 data only (source and destination IP addresses).

Alteon 31.0 introduces the ability to configure NICs to hash on Layer 4 data (4-tuple: source and destination IP addresses and ports). This allows for improved core distribution on standalone appliances and Alteon VA form factors, and improved full proxy throughput (force proxy mode).

Important! On standalone appliances and VA form factors, when any SSL encryption/decryption is performed (SSL offload, SSL Inspection), if SSL reuse is required, the hardware hash must be set to Layer 3.

The hardware hash level can only be accessed via CLI using the following commands:

/cfg/slb/adv/hwhash on standalone and Alteon VA platforms

/cfg/sys/hwhash in ADC-VX environments

After upgrade, the hardware hash parameter is set to Layer 3 for backward compatibility. For new 31.0 installations, this parameter is set to Layer 4 by default for standalone and Alteon VA form factors and to Layer 3 for ADC-VX.
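The effect of the two hash levels, and a plausible reason SSL reuse needs the Layer 3 hash, as an added simulation (not Radware code). CRC32 stands in for the NIC's hash, and the eight cores, the per-core SSL session cache and all addresses are assumptions of the example.

```python
import ipaddress
import zlib
from collections import Counter

CORES = 8                      # assumed core count for the simulation
VIP = ("203.0.113.10", 443)    # constructed virtual service address
CLIENT = "198.51.100.7"        # constructed client address (e.g. a NAT gateway)


def core_for(src_ip, src_port, dst_ip, dst_port, level):
    """Pick a core from a hash of the Layer 3 fields, or Layer 3 plus Layer 4 fields."""
    key = ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
    if level == "l4":
        key += src_port.to_bytes(2, "big") + dst_port.to_bytes(2, "big")
    elif level != "l3":
        raise ValueError("level must be 'l3' or 'l4'")
    return zlib.crc32(key) % CORES   # CRC32 is a stand-in for the NIC's real hash


def core_spread(level, connections=400):
    """Count connections per core when one client address opens many connections."""
    return Counter(
        core_for(CLIENT, 40000 + i, VIP[0], VIP[1], level)
        for i in range(connections)
    )


def resumption_rate(level, reconnects=400):
    """Fraction of reconnects that find their SSL session in a per-core cache."""
    caches = [set() for _ in range(CORES)]   # assumption: one session cache per core
    hits = 0
    for i in range(reconnects):
        session_id = f"sess-{i}"
        first = core_for(CLIENT, 40000 + i, VIP[0], VIP[1], level)
        caches[first].add(session_id)        # the full handshake stores the session
        # The client reconnects from a new ephemeral port and offers session_id.
        again = core_for(CLIENT, 50000 + i, VIP[0], VIP[1], level)
        hits += session_id in caches[again]
    return hits / reconnects


if __name__ == "__main__":
    for level in ("l3", "l4"):
        spread = core_spread(level)
        print(level,
              "cores used:", len(spread),
              "busiest core share:", max(spread.values()) / sum(spread.values()),
              "session reuse rate:", resumption_rate(level))
```

With the Layer 3 hash every connection from the client address lands on one core, so reuse always succeeds but that core carries the whole load; with the Layer 4 hash the load spreads and most reconnects miss the cache.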

vADC Core Selection

The basic core allocation for vADC is performed at the hypervisor level (TD). Prior to version 31.0, the core selection was based on the source IP hash. The /cfg/slb/adv/spl4hash parameter lets you select the core based on Layer 4 data (source IP address and source and destination ports) and achieve better core distribution.

TCP Segmentation Offload

TCP segmentation offload (TSO) reduces the CPU overhead of TCP/IP on fast networks by relying on the network interface controller (NIC) to segment the data and then add the TCP, IP and data link layer protocol headers to each segment. This frees CPU resources for higher data level processing and can improve full proxy throughput.

This parameter can be configured from the Application Delivery > Virtual Services > Settings pane, or with the following CLI command: /cfg/slb/adv/tso.

Note: When performing service chaining, whether for SSL Inspection or not, if chain hop bypass is required when the hop server group is down (Continue in Flow Fallback Action), the TSO must be disabled.


Westwood TCP Optimization Protocol Support

The Westwood TCP optimization protocol is a sender-side-only modification to the New Reno TCP optimization protocol that is intended to better handle large bandwidth-delay product paths (large pipes) with potential packet loss due to transmission or other errors (leaky pipes), and with dynamic load (dynamic pipes).

The Westwood protocol can now be selected as the Congestion Control Mechanism in a TCP optimization policy.

Authentication Gateway – SAML 2.0 Service Provider Support

SAML SSO works by transferring the user’s identity from one place (the identity provider) to another (the service provider). This is done through an exchange of digitally signed XML documents. In this version, the Alteon Authentication Gateway introduces new support for SAML 2.0 SP functionality. It can integrate with external SAML 2.0 Identity Providers (IdP) for the purpose of Single Sign-on (SSO) implementation across the organization. The Authentication Gateway functions in such a setup as the SAML Service Provider (SP), offering authorization and access control services to the back-end applications along with its currently available back-end authentication schemes, such as Form Based Authentication, NTLM, and Kerberos Constrained Delegation (KCD).

One example of such integration with SAML IdP is Microsoft ADFS 3.0. ADFS provides simplified and secured identity federation and Web Single Sign-on capabilities for end-users who want to access applications within an ADFS-secured enterprise, or in the Cloud. The Alteon Authentication Gateway can integrate with ADFS, which can be configured as a SAML IdP. In such a setup, Alteon can offer comprehensive Application Delivery and security services for the Microsoft application environment. Not only does it provide a replacement to TMG/UAG functionality in such an environment, but it also provides significant enhancements to functionality currently provided by TMG/UAG. SAML SSO provides better protection, significant performance optimization, and scalability to Web-based applications. Next generation services, built into the Alteon ADC, add advanced load balancing and health checks with Layer 7 awareness, content and URL filtering, content rewrites, user programmable policies and traffic steering logic, a Web Application Firewall, network access control, an authentication gateway, single sign-on, Web access management, and hardware-based SSL termination.

Alteon has also been tested and certified for Microsoft SharePoint based on its integration with ADFS. A detailed Technical Integration Guide (TIG) for integrating the Alteon Authentication Gateway with ADFS and SharePoint with back-end KCD authentication is available.


SSL Inspection Capabilities

Host-based Inspection Bypass

Alteon now supports host-based SSL Inspection bypass when installed as a transparent proxy. This is achieved by retrieving the destination host from the SNI extension in the Client SSL Hello.

Traffic can be bypassed based on the host category (URL Filtering) or a list of specific hosts (or the new SSL Content Class type).

Note: The SSL Content Class is supported only in SSL Inspection filters.

Reminder: Alteon already supports host-based SSL Inspection bypass when installed as explicit proxy (starting with version 30.5).

IDS Servers Support

This version removes the previous limitation that required a special workaround to support an IDS server group as the first or only hop in the inspection chain. In addition, multiple IDS groups can now be included in the security inspection chain (both SSL and clear traffic inspection).

To enable this advanced IDS support:

1. Enable the new IDS Chain flag in the IDS server group.

2. Use a redirect filter to send traffic (copy) to the IDS group (the IDS group is configured as filter Primary Group ID and not as IDS Group ID).

Notes:

If the capability required is to copy the same traffic to all IDS servers (flood), use the legacy IDS configuration (IDS Chain disabled, with an Allow filter with IDS Group ID configured).

This advanced capability cannot be used on Alteon VA when DPDK fast packet processing is used (DPDK is used when more than 3 GB of RAM is allocated to the Alteon VA).

Do not mix advanced IDS support with legacy IDS support on the same flow/chain.

Server SSL Certificate Authentication

This version enhances the server authentication capability beyond checking the certificate chain of trust. This is relevant mainly for outbound SSL traffic (SSL Inspection).

The new capabilities include:

Revocation status check via OCSP

Ability to specify whether to ignore certificate validity issues (expired certificate, untrusted certificate or host mismatch) or reject a session when such an issue occurs.

For this purpose, the Client Authentication Policy object was promoted to an Authentication Policy object that can be of type Client (default) or Server.


The Authentication Policy of type Server lets you define the following parameters:

Trusted CA certificate/group and CA chain lookup depth

Note: The Trusted CA certificate/group was moved to the Server Authentication Policy pane from the SSL Policy Backend pane. After upgrade, if such a parameter is configured in the SSL policy, a server Authentication Policy is automatically generated including the Trusted CA.

Certificate validation method

Validity issues handling

Chain Hop Bypass

In a service chaining environment, it is often required to continue the flow of traffic in cases where one hop in the chain is unavailable, by bypassing the unavailable hop and forwarding the traffic to the next hop.

This capability is now improved with the addition of a new redirect filter Fallback Action value, Continue in Flow. When this value is selected, if the server group bound to the filter is down, traffic matching this filter is forwarded to the next hop in the flow. To bypass this hop and continue the flow, specify the physical port through which traffic from this hop (server group) was expected to ingress Alteon with the Flow Continuation Ingress Port parameter.

Notes:

To use this fallback action, the TSO (TCP Segmentation Offload) must be disabled on the device.

This fallback action cannot be used on Alteon VA when DPDK fast packet processing is used (DPDK is used when more than 3 GB of RAM is allocated to the Alteon VA platform).

Intermediate SSL Certificate for HTTPS Management Access

This feature was first introduced in version 30.5.2.0.

In this version, you can define an intermediate CA certificate/group for Alteon management via HTTPS. With this support, when accessing Alteon via HTTPS (WBM or REST API), Alteon sends both its server certificate and the configured intermediate CA chain.

This facilitates the process of verifying the chain of trust (instead of installing the chained CA on the client browsers).

The configuration is available in the following paths:

From WBM ─ Configuration perspective > System > Management Access > Management Protocol > HTTPS

From CLI ─ /cfg/sys/access/https

NFR ID: prod00234972


LinkProof Enhancements

PPTP Support

With the full implementation of the Smart NAT feature, Alteon now fully supports VPN and other Point-to-Point Tunneling Protocols such as PPTP.

Limitation: Only IPv4 is supported.

NFR ID: Prod00239734

Static NAT for Inbound and Outbound Link Load Balancing

This feature was first introduced in version 30.5.2.0.

The Smart NAT feature provides one centralized pane to configure all required NAT translations. You can add, edit, and delete entries in one location, which simplifies the process of NAT translation configuration.

The following types of NAT translations are supported:

Static NAT — Ensures delivery of specific traffic to a particular server on the internal network. For example, LinkProof uses Static NAT, meaning predefined addresses are mapped to a single internal host to load balance traffic to the host among multiple transparent traffic connections. This ensures that the return traffic uses the same path, and also allows traffic to that single host to use multiple ISPs transparently. You assign multiple Static Smart NAT addresses to the internal server, typically one for each ISP address range.

Dynamic NAT — Enables LinkProof to hide various network elements located behind LinkProof. Using this feature, LinkProof replaces the original source IP address and source port of a packet with the configured NAT IP address and a dynamically allocated port before forwarding the request to the group. The network elements whose addresses are translated can be servers or other local hosts. You can set different NAT addresses for different ranges of intercepted addresses.

For example, traffic from subnet A is translated using IP address 10.1.1.1, and traffic from subnet B is translated using IP address 10.1.1.3.

No NAT — Enables a simple configuration where internal hosts have IP addresses that belong to a range of one of the group servers.

Traffic to and from these hosts should not be translated if the traffic is forwarded to this group server.

NFR ID: prod00240838

For more details on LinkProof capabilities, see the LinkProof NG User Guide or LinkProof for Alteon NG User Guide, version 31.0.0.0.


Simplified LinkProof Configuration

The LinkProof WAN Link configuration was updated to work with the Smart NAT table. By default, NAT settings on the WAN links are set to inherit, meaning that Alteon uses the NAT settings configured in the Smart NAT table. NAT settings can also be configured explicitly on the WAN link, overriding the Smart NAT settings.

The LinkProof Inbound Host Based LLB Rules configuration was updated to also support the local server without the need for virtual server configuration as the NAT addresses. Instead, the Smart NAT table is used to define the NAT mapping.

Alteon VA/NFV/Cloud

Alteon VA for NFV – 225 Gbps Layer 4

Alteon VA for NFV version 31.0 reaches 225 Gbps Layer 4 throughput (with the KVM hypervisor).

VMware

Alteon VA on VMware reaches 10 Gbps throughput over VMware and no longer requires PCI pass-through or SR-IOV to reach this throughput.

Starting with this version, VMware ESXi version 4.1 is no longer supported.

Microsoft Azure Support (which will be available a few weeks after the official release of version 31.0)

Alteon VA on Azure now supports both High Availability (HA) and Global Server Load Balancing (GSLB):

Ease of deployment – Similar to LBaaS

In version 31.0, Alteon VA is integrated with the Azure solution template. This enables you to configure Alteon VA from the Azure portal without accessing either the Alteon CLI or WBM.

SLB configuration

To configure Alteon VA for Basic SLB, you only need to provide the number of real servers and their IP addresses, beyond the regular VM deployment parameters. If you choose, you can also change the SLB metrics.

After the Alteon VA is up, it is ready to load balance your servers, even without accessing the Alteon VA user interface.


HA configuration

To configure Alteon VA to operate in HA mode, you only need to select the HA deployment mode and provide your Azure credentials beyond the basic SLB configuration as described above.

Both HA instances are configured and run in a high availability environment without the need to enter any of the Alteon VAs.

IPsec Support for Virtual Service IP

Virtual servers now support load balancing of IPsec along with TCP, UDP, and ICMP.

IPsec support has been added to the virtual service IP address (port 1). Now when the protocol parameter is configured as both in the IP service configuration (/cfg/slb/virt <xyz>/service 1/protocol both), it also includes IPsec along with TCP, UDP, and ICMP.

Notes:

IPsec negotiation does not work with the Gateway ID type as IP, but only with type FQDN (DE19232).

Proxy IP (PIP) cannot be used for an IPsec tunnel while NAT-T with IPsec Gateway is working (DE19111).

In an SLB environment with persistent binding set to Client IP and rport configured, IPsec traffic is not load balanced (DE19089).

HTTP/S Health Check Enhancements

The following capabilities were added to HTTP/S health checks:

Establish success based on absence of string in the response body.

To enable this capability, the new value Exclude was added to the Return String Type parameter.

NFR ID: prod00246581

Alteon authentication using client certificate during SSL Handshake (HTTPS health check).

This feature was first introduced in version 30.5.2.0.

Alteon can now identify itself using a client certificate during HTTPS health checks when required by the monitored server. To enable this capability, select a certificate from the certificate repository as the health monitoring client certificate:

From WBM ─ Application Delivery > Server Resources > Health Checks

From CLI ─ cfg/slb/advh/cert

NFR ID: prod00243819


Include SNI extension in the HTTPS health check.

When the Host parameter is configured in the HTTPS health check, an SNI extension with the configured hostname is automatically included in the Client SSL Hello.

NFR ID: prod00239194

High Availability Tracking for Selected Real Servers

This NFR enhances the capabilities of tracking real servers for HA purposes. When selecting this mode, you can either track all the real servers (as was done prior to version 31.0) or explicitly select the real servers you want to track.

Notes:

Using WBM in Switch HA mode only, when real server tracking is enabled, all the real servers are considered for tracking.

Use the CLI if you want to configure Alteon to track just a smaller set of the real servers.

Configure the active switch/group on the master Alteon before you configure the backup Alteon.

If you configure the backup Alteon before the master, a failover occurs. The backup switch/group takes control because its “priority” is higher (as a result of the new tracked servers that were added to it).

If one or more of the tracked servers becomes unavailable, an unexpected failover can occur if the health check sent from the backup switch precedes the health check sent from the master, and vice versa when the servers become available again.

NFR ID: prod00229797

Alteon to Expand Support of BGP Prepend for VIPs

This NFR provides additional flexibility in defining routes when advertising the VIPs through

BGP on Alteon platforms. The capability to assign a network class to the route map active list

and on top of network filters was added. You can assign either a network class or network filters

(but not both).

NFR ID: prod00245390

Selectively Stop BGP Advertisements

An option to stop the VIP BGP advertisement when all servers are set to operational disable

was added.

NFR ID: prod00238047


Equal Cost Multipath Routing in OSPF

The number of supported routes for Equal Cost Multipath Routing in OSPF was extended from

3 to 4.

NFR ID: prod00247457

Geolocation-based Load Balancing

In this version, Alteon now enables making load balancing decisions based on the geographical

location of the traffic source or destination. For this purpose, Alteon has integrated the MaxMind

GeoLite2 City geolocation database.

To define a geolocation, you must configure a network class of the new type Region. The

Region network class lets you define a location down to the State level (Continent, Country, or

State).

This feature includes the following capabilities:

Select a data center based on the geographical location of the client (GSLB). The selection

is made via the DNS Rule Network metric:

The DNS Network metric now lets you define the network using the legacy range or a

Network Class (either the IP or Region type).

In addition, the selection can be made based on the geographical location of the DNS

client (LDNS) or on the geographical location of the actual client, if its IP address is

present in the DNS request (EDNS0 extension).

Select a link based on the geographical location (LinkProof):

For inbound traffic, the selection is made based on the geographical location of the

client. The selection is made via a DNS Rule Network metric (the same as for GSLB).

For outbound traffic, the selection is made based on the geographical location of the

destination

Provide different services based on the user’s geographical location. For example:

Traffic from French customers should go to group of servers that have French content.

Response traffic to a customer from Afghanistan should be compressed due to high

latency.

Block traffic from/to certain countries.

Enforce different bandwidth/rate limits per geolocation.
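The LDNS-versus-actual-client choice described above depends on whether the DNS query carries an EDNS0 Client Subnet option. The following Python sketch is an added example, not Alteon code: it parses that option (RFC 7871) from a raw query and reports which address a geolocation lookup would use. All function names and the sample addresses are constructed for illustration.

```python
import ipaddress
import struct

OPT_RR_TYPE = 41      # EDNS0 OPT pseudo-record (RFC 6891)
ECS_OPTION_CODE = 8   # EDNS Client Subnet option (RFC 7871)
_FAMILIES = {1: (4, ipaddress.IPv4Network), 2: (16, ipaddress.IPv6Network)}


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer is 2 bytes
            return off + 2
        off += 1 + length


def _parse_ecs(rdata):
    """Walk the OPT RDATA option list and decode the Client Subnet option."""
    pos = 0
    while pos + 4 <= len(rdata):
        code, length = struct.unpack("!HH", rdata[pos:pos + 4])
        body = rdata[pos + 4:pos + 4 + length]
        pos += 4 + length
        if len(body) != length:
            raise ValueError("truncated EDNS0 option")
        if code != ECS_OPTION_CODE:
            continue
        if length < 4:
            raise ValueError("ECS option too short")
        family, source_len, _scope_len = struct.unpack("!HBB", body[:4])
        if family not in _FAMILIES:
            raise ValueError("unknown ECS address family")
        addr_len, net_cls = _FAMILIES[family]
        addr = body[4:]
        if source_len > addr_len * 8 or len(addr) != (source_len + 7) // 8:
            raise ValueError("ECS address does not match its prefix length")
        padded = addr + bytes(addr_len - len(addr))
        return net_cls((padded, source_len), strict=False)
    return None


def extract_client_subnet(msg):
    """Return the ECS network carried in a DNS message, or None if absent."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    try:
        for _ in range(qd):
            off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
        for _ in range(an + ns + ar):
            off = _skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            if len(rdata) != rdlen:
                raise ValueError("truncated resource record")
            off += rdlen
            if rtype == OPT_RR_TYPE:
                return _parse_ecs(rdata)
    except (IndexError, struct.error):
        raise ValueError("malformed DNS message")
    return None


def geolocation_source(msg, resolver_ip):
    """Pick the address to geolocate: the ECS subnet if present, else the LDNS.

    The ECS value is supplied by the sender of the query and is not
    authenticated, so a /0 prefix (client opted out) falls back to the LDNS.
    """
    net = extract_client_subnet(msg)
    if net is None or net.prefixlen == 0:
        return ("ldns", ipaddress.ip_address(resolver_ip))
    return ("client", net)


def build_query(name, ecs=None):
    """Constructed sample input: an A query, optionally carrying ECS."""
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1 if ecs else 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)
    if not ecs:
        return header + question
    net = ipaddress.ip_network(ecs)
    addr = net.network_address.packed[:(net.prefixlen + 7) // 8]
    family = 1 if net.version == 4 else 2
    option = struct.pack("!HHHBB", ECS_OPTION_CODE, 4 + len(addr),
                         family, net.prefixlen, 0) + addr
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, 4096, 0, len(option))
    return header + question + opt_rr + option


if __name__ == "__main__":
    for ecs in (None, "203.0.113.0/24"):
        print(geolocation_source(build_query("www.example.com", ecs),
                                 "198.51.100.53"))
```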

Geolocation Database Update

MaxMind updates the GeoLite2 databases on the first Tuesday of every month. The database

can be downloaded for free from MaxMind and uploaded to Alteon.

You can also buy the GeoIP2 City database from MaxMind and upload it to Alteon.


MaxMind provides both binary and CSV formats, both as .zip files. To upgrade the geolocation

database in Alteon, download both files from MaxMind and consolidate them in a .zip file.

Note: For vADC support of Geolocation, you must upgrade the ADC-VX to version 31.0 or later.

The Geolocation Database is uploaded to the ADC-VX and then can be used by all its vADCs.

NFR ID: prod00236644

GSLB Enhancements

Remote Real Server Status Update via DSSP

Alteon version 31.0 includes the option to update the status of remote real servers that are VIP

addresses on remote Alteon devices via DSSP communication instead of health monitoring.

A new global flag was added to let you select whether the status update will be achieved via

health check or DSSP:

From WBM ─ Application Delivery > Global Traffic Redirection > DSSP: Health

Monitoring via DSSP

From CLI - /cfg/slb/gslb/ddsphc

The flag is disabled by default (status update is performed via health checks).

Important: After the parameter is enabled and Apply is performed, the health check of all remote real servers is changed to NoCheck. If some of the remote real servers are not Alteon VIP addresses, you must manually change their health check back to the desired one.

NFR ID: prod00236729

New GSLB Metric

This feature was first introduced in version 30.5.2.0.

A new GSLB metric called Current Least Connections lets you select a site (or WAN link)

according to the lowest absolute number of connections active on that site/WAN link. The

regular Least Connections metric selects the site/WAN Link with the lowest session utilization.

Session utilization is the percentage of sessions used over the total allowed (maximum)

sessions.

NFR ID: prod00245937

Dynamic IP Reputation

IP Reputation is a new value-added security feature that protects Alteon from ‘known’ malicious IP addresses.

The malicious IP addresses database is dynamically updated by Cyren (or in future versions,

any other vendor) and automatically downloaded by Alteon.

You can easily and effectively stop network-based IP threats that are targeting your network, and define whether to block or issue alerts for malicious IP addresses based on region, category (spam/Malware) or level of severity.


Notes:

For vADC support in IP Reputation, you must upgrade the ADC-VX to version 31.0 or later.

The IP Reputation Database is uploaded to the ADC-VX and then can be used by all its

vADCs.

The IP Reputation time-based license is required for this support. After installing the license

and globally enabling the feature, a system reboot is required to make the feature

operational.

Alteon VA using IP Reputation requires a minimum of 4 GB RAM and an 11 GB vDisk

Limitation: Only IPv4 addresses are supported.

AppShape++ Enhancements

Control Availability of Virtual Services with AS++ scripts

In previous versions, if an AppShape++ script was attached to a virtual service, the service and the virtual server would always be Up, even when no real server was available. This allowed an AppShape++ script to implement a treatment for a “no real server available” scenario: returning a sorry page, redirecting to a sorry server, selecting another server group, and so on.

In this version, you can define whether the service should be kept always on or not when AppShape++ scripts are attached. This lets you keep a virtual service always on only if the attached script is treating the “no real server available” scenario.

To configure this parameter:

From the CLI: /cfg/slb/virt <virt id>/service <service port>/https/appshape/alwayson

From the WBM: Virtual Service > AppShape++ > Service Always On

This parameter is disabled by default for new services. After upgrading from previous versions,

this parameter is enabled on virtual services with AppShape++ scripts to preserve backward

compatibility

rdwr Cookie Command

This feature was first introduced in version 30.5.2.0.

The rdwr-cookie command retrieves data related to a cookie configured for persistency on the

current HTTP/S virtual service (Persistency Mode = Cookie/pbind cookie).

rdwr-cookie name – Retrieves the name configured for the cookie.

rdwr-cookie site-ip <value> – Retrieves the site IP identifier from the value of the

persistency cookie inserted by Alteon (relevant only for cookie insert persistency mode).

NFR ID: prod00238551


HTTP/2 Full Proxy (H2 server side) – Beta

The full HTTP/2 Proxy capability lets you load balance HTTP/2 traffic to HTTP/2 real servers.

The following features are available for the HTTP/2 Proxy:

Front end SSL offload

Backend SSL encryption

HTTP/2 health check

Important: HTTP/2 Full Proxy support is in beta mode. You must contact the local Radware

account team if you want to activate and test this capability.

Troubleshooting and Debugging

The below capabilities were added in order to make technical support more efficient:

Identifying the RCA quicker

Reducing the need to install the debug version in the field

Reducing the need for reproduction (better traceability)

Understanding upgrade issues quicker

Packet Capture Improvements

Capture on Standalone Management Port

Enables capturing the traffic on the management port with the command:

/maint/pktcap/mgmt/capture

To capture traffic of a specific vADC management port, use the following command on ADC VX:

capture host <vADC MNG IP>.

The maximum Capture file size is 100 MB.

Note: Capture on the ADC VX management port is available starting with version 30.5.0.

For more information on Alteon packet capture capabilities, see the Alteon Command

Reference

Alteon Related information in Data Capture

Enables including Alteon related information in the data capture file using a new flag (-E) with

the /maint/pktcap/data/capture command.

The information is available in Wireshark under the Extra Info section. It includes:

Physical Port number

Direction − In or Out.

Source – For example: AX IN, SP INGRESS, MP > SP OUT


SP Number

Session ID – Links Frontend & Backend flow

Limitations: Not supported for IPv6 traffic or filter flow.

The capture file can be filtered by any of these parameters.

Note: The Extra Info capability requires the Wireshark plug-in. See the Knowledgebase article in the following link for instructions: KB

For more information on Alteon packet capture capabilities, see the Alteon Command

Reference

Live Capture on TD in Data Capture

You can perform live capture on the ADC-VX Traffic Distributor using the

/maint/pktcap/td/capture command.

The TD capture enables filtering the traffic by IP address, MAC, VLAN and more.

Traffic for a specific vADC can be captured by filtering on the vADC VLANs.

Note: File Capture on a TD is available starting with version Alteon 30.5

For more information on Alteon packet capture capabilities, see the Alteon Command

Reference

Traceability and Log Enrichment

BSP and ND Logger modules

BSP and ND logger information can assist with identifying upgrade and traffic related issues.

The information is logged at /disk/logs/BSP_ADMINMP and exportable via techdata.

SP Logger

SP logger information is used for critical SP issues, such as the SP not being able to load.

The information is logged at /disk/logs/messagesSP and exportable via techdata.

Configuration Audit log

This feature was first introduced in version 30.5.2.0.

The default value of configuration audit command (/cfg/sys/syslog/audit) was changed

to disable.

In addition, the configuration audit logs are saved to disk regardless of the configuration audit

settings. The information is logged at /disk/logs/syslogAudit and exportable via techdata.

Console Log

This feature was first introduced in version 30.5.2.0.

All console output is saved to disk. The information is logged at /disk/logs/console_log and

exportable via techdata.


SNMP Log

This feature was first introduced in version 30.5.2.0.

All SNMP calls are saved to disk. The information is logged at /disk/logs/snmpAudit and

exportable via techdata.

REST API Log

This feature was first introduced in version 30.5.2.0.

All REST API calls are saved to disk. The information is logged at /disk/logs/webui and

exportable via techdata.

Historical Events and Error Counters

The event and error counters allow R&D to quickly identify the reason for specific events and

errors.

These counters are available in previous releases. In version Alteon 31.0 a trend on the active

events and errors was added, showing the counters in the last 15, 30, 45, 60 and 75 seconds.

The relevant commands are /stats/counters/geterrors and

/stats/counters/getevents.

The output of these commands is also part of the tsdmp.

vADC Console

The vADC console feature provides console access to individual vADCs, and lets you easily

switch between the vADCs on the platform.

The vADC console is enabled by default for version 31.0 and later, or for upgrades from version

31.x and later.

When upgrading from earlier versions, the vADC console is disabled. In order to enable it run

the command /c/sys/vconsole on the VX console. (This requires applying, saving the

configuration, and rebooting the platform.)

This feature is available using the Telnet protocol, with a Linux keyboard simulation.

Use the following key combinations to switch between the vADC consoles:

CTRL+B, N — Goes to the next vADC console screen.

CTRL+B, P — Goes to the previous vADC console screen.

CTRL+B, <terminal slot number> — Goes to the specified vADC console screen

For slots greater than 10, press CTRL+B, ' and, when prompted, enter the slot number.

CTRL+B, 0 — Goes to the base ADC-VX console screen.


Note:

Only one console session to the ADC VX or one of the vADCs should be connected

simultaneously. If more sessions are opened, the console display may become corrupted.

The slot numbers are determined according to the order in which the vADCs were activated (enabled), and not according to the vADC ID.

This feature is not compatible with outdated terminals/terminal emulations (such as VT 100

and ProCom terminal emulation).

For more details on all described features, see the Alteon Command Reference for Alteon

version 31.0.0.0.

New Counters and Statistics

SP Distribution Monitoring

In order to visualize the CPU utilization distribution between all SPs, use the

/stats/sp/allcpu command. The default sampling interval is set to 4 seconds and can be

changed to 1 or 64 seconds.

New Back-end SSL Statistics

New back-end SSL statistics commands are now available from /stats/slb/ssl/backend.

These statistics are mainly used for SSL inspection debugging. The new statistics are:

SSL ignored certificates (session/seconds)

SSL expired certificates (session/seconds)

SSL untrusted certificates (session/seconds)

SSL certificates hostname mismatches (session/seconds)

SSL rejected handshakes (session/seconds)


Run time SSL Cipher Statistics

You can now view the CPS rate per SSL cipher (per device measuring period, default 5 seconds). The information is available per virtual service and per filter for either the front-end or back-end connection, using the /stats/slb/ssl/frontend and /stats/slb/ssl/backend menus.

CLI Commands

‘apropos’ – New Global Command

Using the apropos command, you can find any CLI command based on a given pattern.

Syntax: apropos <pattern> [-i] [-d] [-u], where:

-i = Ignore case

-d = Also search for the pattern in the description

-u = Also search for the pattern in the command usage

‘cc’ – New Global Command

For a quick and more readable configuration dump, use the new global command cc, which

prints the configuration output without keys and certificates.

Configuration Related Improvement

MD5 on Configuration File

Starting with version Alteon 31.0, Alteon identifies if the configuration uploaded to the device

was manually changed. The following warning appears on the console, in the CLI, and as a

syslog message:

Warning: The imported configuration differs from the original exported

configuration


Config Sync Error

When a config sync failure occurs, the failure reason is displayed on the device that issued the

sync (console, Telnet, and syslog).

What’s Changed and/or Modified

This section describes the changes to existing features and components introduced in version

31.0.0.0 on top of Alteon version 30.5.1.0.

For more details on all described features, see the Alteon Application Guide and the Alteon

Command Reference for AlteonOS version 31.0.0.0.

Extracting Client Certificate SAN Extension

The X509::extensions AppShape++ command now also retrieves the Subject Alternative

Name (SAN) extension, letting you extract the User Principal Name (UPN) value that might be

included in that extension.

NFR ID: Prod00241468
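To show where the UPN sits inside a Subject Alternative Name extension, the following Python sketch (an added example, not AppShape++ and not Alteon code) walks the DER of a SAN value and returns any UPN entries. The helper names and the sample SAN bytes are constructed for illustration; the UPN is carried as an otherName with OID 1.3.6.1.4.1.311.20.2.3.

```python
UPN_OID = bytes.fromhex("2b060104018237140203")   # 1.3.6.1.4.1.311.20.2.3

TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_UTF8STRING = 0x0C
TAG_CTX0_CONSTRUCTED = 0xA0   # otherName [0], also the [0] EXPLICIT value wrapper


def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, next_pos).

    Only single-byte tags are handled, which covers every GeneralName choice.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                               # long-form length
        size = length & 0x7F
        if size == 0 or size > 4 or pos + size > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:end], end


def upns_from_san(san_der):
    """Return every UPN found in a DER-encoded SAN extension value."""
    tag, names, end = _read_tlv(san_der, 0)
    if tag != TAG_SEQUENCE or end != len(san_der):
        raise ValueError("SAN value is not a single SEQUENCE")
    upns = []
    pos = 0
    while pos < len(names):
        tag, value, pos = _read_tlv(names, pos)
        if tag != TAG_CTX0_CONSTRUCTED:             # dNSName, iPAddress, ...
            continue
        oid_tag, oid, after_oid = _read_tlv(value, 0)
        wrap_tag, wrapped, _ = _read_tlv(value, after_oid)
        if oid_tag != TAG_OID or wrap_tag != TAG_CTX0_CONSTRUCTED:
            raise ValueError("malformed otherName")
        if oid != UPN_OID:                          # some other otherName type
            continue
        text_tag, text, _ = _read_tlv(wrapped, 0)
        if text_tag != TAG_UTF8STRING:
            raise ValueError("UPN is not a UTF8String")
        upns.append(text.decode("utf-8"))
    return upns


def der(tag, value):
    """Encode one DER TLV (used only to build the constructed sample below)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + value


# Constructed sample: a SAN holding one dNSName and one UPN otherName.
SAMPLE_SAN = der(TAG_SEQUENCE,
                 der(0x82, b"vpn.example.com") +
                 der(TAG_CTX0_CONSTRUCTED,
                     der(TAG_OID, UPN_OID) +
                     der(TAG_CTX0_CONSTRUCTED,
                         der(TAG_UTF8STRING, b"alice@example.com"))))

if __name__ == "__main__":
    print(upns_from_san(SAMPLE_SAN))
```

A UPN taken from a client certificate is only as trustworthy as the chain that issued the certificate, so use it for identity decisions only after the certificate itself has been validated.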

OpenSSL Upgrade to 1.0.1u

OpenSSL on both the data and management paths was updated to OpenSSL 1.0.1u.

Default Cipher Changes

The default SSL policy cipher (Main) was updated according to the latest security

recommendations. Ciphers that used the 3DES symmetric algorithm (DES-CBC3) were

removed.

Syslogs for LACP link UP and DOWN

A trap is set upon LACP status change

5224 vADCs Limit

Starting with version 31.0, the Alteon 5224 VX platform with 24GB RAM only supports 16

vADCs (as compared to 20 vADCs in earlier versions).

Long Object ID Support

This feature was first introduced in version 30.5.2.0.

The ID field length for real servers, server groups and virtual servers has been extended to 255

characters to support the FQDN naming convention with dot.


Limitations:

The Quick Application Setup does not work with this extended ID length and currently works

only with a maximum ID length of 32 characters.

APM supports virtual service IDs with up to 245 characters without a period (.).

SNMP supports OIDs up to a maximum of 128 digits, including the parameter OID and the

key. Alteon implements a special mechanism that lets you browse the table (GetNext), Get a

specific object, or change (Set) a specific parameter. However, you cannot create a new

object with a long ID via SNMP.

When long IDs are configured, some audit log messages might be displayed distorted.

A virtual server ID longer than 50 characters does not display in DPM.

The FQDN server cannot be created when the ID of the template real server ID is more than

32 characters.

NFR ID: prod00236421

GSLB − Prevent Negative DNS Response Caching

This feature was first introduced in version 30.5.2.0.

In previous versions, when there was no site available for the requested domain, Alteon would

answer DNS queries with No Such Name. Many DNS clients would cache this answer and

would not retry resolution. As of this version, to prevent this, Alteon no longer answers if there is no site available. As a result, the client keeps retrying to resolve the DNS record until the site becomes available.

NFR ID: prod00240111

Support for RFC6223 and/or RFC5626

This feature was first introduced in version 30.5.2.0.

The Alteon SIP parser now allows keep alive messages to pass from the client to the server,

and vice versa, without blocking or discarding the messages.

NFR ID: prod00244065


Troubleshooting and Debugging

Technical Support Data (tsdmp) Formatting

The Technical Support Data File (tsdmp), which is part of the techdata file, is one of the main

debugging tools in Alteon. It contains all the required information on the device (such as

configuration, statistics, run-time information, events and so on) to help with problem

investigation. Starting with Alteon 31.0.0.0, in order to ease the use of this file, the following

improvements were made:

Table of contents

Summary Section – Section that includes highlights

Command Headlines – These headlines display the CLI command name before the

command output.

CLI Command Conditional Output – Rarely needed outputs are now conditional

techdata <hostname> <filename> <-tftp|username password> [-mgmt|-data] [-scp] [-key <passphrase>] [-dnssec] -[persist] [-ucb]

Added Historical Event and Error Counters – Displays the last 15 seconds, 30 seconds,

45 seconds, 60 seconds, 75 seconds counters

Configuration Adaptation on Upload

This feature was first introduced in version 30.5.2.0.

Configuration adaptation as part of an upgrade process is now also available as part of

configuration file upload. For example: when uploading a configuration file from version 30.0 to

a device running version 30.5.2.0, the required configuration adaptation is performed as part of

the configuration upload and will be available in the diff.

Command Line History Improvement

The following improvements were made to the history command:

The history size increased from the last 10 to the last 100 commands

The history command itself is no longer added to the list of commands in the history

Duplicate commands are no longer recorded

!<string> − This syntax is used to execute the last command in the history that starts with

specified string (for example: !/info )

history <string> − This syntax prints only history commands that contain the specified

string.


Maintenance Fixes

Fixed in 31.0.0.0

Version 31.0.0.0 includes all field bug fixes available in version 30.5.3.3. The following additional bugs were fixed in 31.0.0.0.

Item Description Bug ID

1. In an environment with inbound NAT using Smart NAT, the

incoming traffic was NATed when sent to the internal network

but not NATed correctly when sent back, causing inconsistent

services availability.

prod00250420

2. After performing one global Save operation, when attempting to

again perform a Save using the agSaveConfig MIB, the

response was incorrect.

prod00250014

3. The response values for the ADC-VX's MAC address and all the

vADCs that are returned by polling SNMP OID

1.3.6.1.2.1.2.2.1.6 (Object Name : ifPhysAddress) were

incorrect.

prod00249937

4. When attempting to download a large file (an approximately

150MB file) via the Alteon HTTPS (using SSL offloading)

service with forceproxy, the operation failed.

prod00249847

5. In an SLB environment with some aged certificates, a memory leak occurred in the inspection flow, resulting in the allocation failing and the configuration being lost after reboot.

prod00248637

6. When there was a memory leak in the Management Processor

(MP) and the process reached its limit of dynamic memory

allocations, the Apply operation failed and the Save operation

corrupted the configuration file.

prod00248532

7. Using WBM, when attempting to delete a previously created

(applied and/or just submitted) LOGEXP advanced health check

from the list of "customized HCs," a REST API unknown

error occurred.

prod00243746

Known Limitations

This section lists known limitations for version 31.0.0.0.

Upgrade Limitations


Item Description Bug ID

1. To upgrade 6024 or 6420 from 30.5.x to 31.0, the new image can be uploaded via the WBM, but the selection of the image after reboot and the reset should be done from the CLI.

This issue is scheduled to be fixed in version 31.0.1.0.

DE21406

2. Starting with version 31.0, Alteon 5224 VX with 24 GB RAM

supports 16 vADCs (compared to 20 vADCs in earlier versions).

DE21457

3. After upgrading from version 30.5.3.0 to 31.0 with syslog servers

configured, the configuration remains in diff.

Reason: The syslog settings in version 30.5.3 contain the syslog

port, while the syslog settings in version 31.0 do not support it.

Workaround: Before the upgrade, remove the syslog settings from

the configuration. After upgrade, reconfigure the syslog settings.

DE22603

4. After upgrade to version 31.0 with a duplicate syslog server IP

address configured, the configuration remains in diff and the

following error displays:

Duplicate Syslog Server with same IP <syslog IP>

Workaround: Remove the duplicated syslog setting from the

configuration before the upgrade.

DE21305

vADC and ADC-VX Limitations

Item Description Bug ID

1. The vADC management access protocols can be enabled or

disabled via ADC-VX only upon vADC creation. Once a vADC is

created, these settings can only be changed through the vADC.

If SNMP is not enabled on the vADC on creation, it cannot be

accessed via APSolute Vision.

DE6362,

DE6449

2. In an ADC-VX environment where the ADC-VX version is earlier

than 30.0 and the vADCs are version 30.0 or later, packet capture

on the vADC does not work.

The issue also occurs when ADC-VX is running version 30.0.x with

vADCs with version 30.1 or later.

Workaround: Upgrade ADC-VX to version 30.1.x, or upgrade both

ADC-VX and the vADCs to the same Alteon versions.

DE2183,

prod00245015

3. After deleting a vADC, if the saved platform configuration that includes the deleted vADC is uploaded via the GA environment and pushed to all vADCs, the deleted vADC still exists, but its configuration is cleared.

prod00218109

4. When uploading a vADC configuration using the padc option

(configuration from a standalone platform), if when you are

prompted to "Enter vADC Number" you leave a blank and press

Enter, the GA management IP address is overwritten by the vADC

management IP address.

prod00216519

5. From WBM, you cannot change the vADC management IP address

from within the ADC-VX environment.

prod00216388

6. Login to a vADC with RADIUS or TACACS authentication fails

when MP utilization is at 100%.

prod00206201

7. On an Alteon 8420 platform in an ADC-VX environment, when

Alteon is only using Layer 3, there could be packet loss even with

small traffic.

prod00225998

8. In a virtualization environment, the MP statistics displayed in the

vADC and for the same vADC in the ADC-VX do not match.

Note: The value displayed in vADC is correct.

DE22030

9. In a virtualization environment, when an ADC-VX has version

30.5.x and a vADC has version 31.0, the SP CPU Utilization value

displayed in the vADC is incorrect.

DE21465

10. Using FastView on an Alteon ADC-VX, when using the ADC-VX

management console to import a configuration from an older

version to a vADC that is using FastView, while the vADC is

enabled and actively running, the import process takes a long time

and a timeout failure alert displays. Although the timeout error

displays, the file upload does complete successfully. To avoid the

timeout, Radware recommends stopping (disable) the vADC before

importing the configuration.

DE9649

Alteon VA Limitations

Item Description Bug ID

1. On an Alteon VA platform with more than 2.5 GB RAM in vSphere

with no DPDK ports, an IDS chain in the group and a fallback

action Continue in Flow in the filters cannot be used.

DE22180

2. For Alteon VA to run in PCI pass-through mode on HP servers with

VMware virtualization, ESXi 6.0 or higher is required.

NA

3. Alteon VA with more than 3 GB RAM works with DPDK and not TUN/TAP (KVM/VMWare). This requires that the host processor is the Intel Westmere architecture or higher (Xeon series 36xx, 56xx, and the Core i7-980X).

N/A

4. Multi core VA is not supported over Hyper-V, Open XEN, and AWS.

N/A

5. When working with DPDK more than 3 GB RAM (KVM/VMware),

the SP CPU usage displays high utilization when monitored by

external tools.

The Alteon internal SP CPU utilization displays the correct value.

NA

6. When reallocating vCPUs to the Alteon VA under KVM, you must

modify the VM XML file on the host to utilize the correct number of

the cores.

NA

7. LACP is not supported when working in SR-IOV mode.

NA

8. A NIC won’t be recognized by a VA when adding it after the initial

boot of the VA when operating in TUN/TAP mode (with less than 3

GB RAM or on Hyper-V, OpenXen, AWS, or Azure)

NA

9. When reallocating vCPUs to Alteon VA under KVM, you must

adjust the CPU pinning for performance optimization.

10. Alteon VA must have at least 3G RAM size to avoid panic in some

scenarios like configuration import

prod00249837

11. Alteon VA MP CPU utilization is 12% in idle mode (no configuration

or traffic).

prod00217990

12. On an Alteon VA platform, when accessing the platform over Telnet

or SSH using an IPv4 interface, the log message incorrectly

displays access via an IPv6 interface.

prod00206162

13. Using Alteon VA or NFV, BWM is not supported.

DE137

14. When installing Alteon VA over KVM, the virtual machine name

cannot contain spaces.

DE384

15. Using Alteon VA, the displayed disk size is smaller than the actual

configured disk size, even though Alteon VA utilizes the entire disk

size configured for it.

16. Disabling TD vCPUs should be done through the CLI and not

through WBM.

DE13352

17. When configuring a second Alteon VA on the same host, and the

same NUMA that already has a running Alteon VA does not have

enough memory, the first Alteon VA might crash.

DE13928

18. Using WBM, when logged in to Alteon VA with User privileges, the

landing or the Welcome pane displays as blank and the actual

pane does not appear.

DE14588

19. On an Alteon VA platform, deleting or removing a TD can be

performed only through CLI and not through WBM.

DE17038

WBM Limitations

Item Description Bug ID

1. Using WBM, when managing a vADC in the Memory Management

pane, the Allocated Session Table Capacity parameter displays

twice. Only the second display actually changes the configuration.

2. Both the SLB admin and Layer 4 admin cannot view the URL

Filtering statistics using the WBM monitoring screen and cannot

delete a URL Filtering policy.

DE20796,

DE20793

3. A virtual service with 256 virtual service IDs does not display in the

Service Status View. DE21262

4. Using WBM, after navigating to Configuration > Application

Delivery > Global Traffic Redirection > DNS Direction Rules, the

Rule Type field is grayed out and cannot be edited.

Workaround: Use the CLI to edit this field. DE19103

5. Using the WBM, when trying to duplicate a virtual service and the

duplicated service is created with Group ID 1, an error displays. DE21577

6. On an 8820 platform, in the port settings WBM panes, the port

types of the 40G and 100G ports are incorrect.

DE21907,

DE21906

7. Using URL filtering, a URL is categorized in the “undefined”

fallback category in the following cases: the URL is longer than 256, or

HTTP 1.0 packets are sent without a host header.

DE21740,

DE21741

8. In the Link Load Balancing pane, an Inbound LLB Rule > IPv6

Inbound LLB Rule, with Service Type Group via IPv6 NAT

address or service type: Server via IPv6 Server, IPv6 inbound LLB

rule creates an IPv4 Client Network Rule

Workaround: Access the created Client Network Rule and

manually change it to IPv6.

DE21241,

DE21242

9. Using WBM, copying the Inbound Link Load Balancing rule does

not work and returns an error. DE21547

10. Using WBM, on a 6024 platform you cannot set more than eight (8)

AppWall (Websec) Capacity Units. DE20585


11. Using WBM, in an SLB environment, you cannot set the

persistency mode as cookie for an HTTPS virtual service, because

the persistency mode drop-down only displays clientip, sslid, and

disable, but not cookie. DE20486

12. Using WBM, when copying a server group, sometimes the real

servers configuration in the server group is not copied, causing a

submit error. DE19962

13. Using WBM, when managing with the user Class of Service set to

L4admin, SLBadmin, user, or certificate administrator, there

may be a few discrepancies between the screen display and the CLI

menu display. DE19885

14. Using WBM, on an 8820 platform, in the Configuration > Network

> Physical Ports > Port Settings pane, the port types for 40G and

100G are displayed incorrectly. DE18106

15. After an idle timeout of a WBM session, if you click Cancel instead

of entering the credentials in the Authentication dialog box, an

incorrect error message is displayed instead of an

unauthorized error message. DE18092

16. Using WBM, when the Global SLB statistics are cleared, the

cleared acknowledgement message displays twice. The duplicate

message should be ignored. DE16456

17. Even though an AppShape++ script is not associated to a virtual

service, it might be displayed in the Service Status view and should

be ignored. DE16660

18. The Initial Startup Configuration does not support configuring

tagged VLANs.

19. Using WBM, in the SSL Client Authentication Policy pane at

Configuration > Application Delivery > SSL > SSL Policy >

Client Authentication Policy, the search in the table does not

work on the Redirect URL on failure column. DE16075

20. Using WBM, when the sync peer is preconfigured and you perform

any configuration change to an HTTP/2 policy, the Sync button is

not automatically highlighted. DE15480

21. Using WBM, when configuring an SSL Policy, the Intermediate CA

Certificate drop-down list gets stuck after the first time it is clicked.

DE13877

22. Using WBM, when a device is managed via a data port, the log

messages do not display.

DE13962


23. When editing an SNMPv3 user, you cannot change only the

authentication protocol.

DE7889

24. Using WBM on an Alteon VA platform, you cannot set the IDS port

in the real server configuration to a value greater than 2.

DE21296

25. In an ADC-VX environment, the APM license display has the

following issues:

Using WBM, it displays with the string “Status Unknown”.

If there is more than one license, the additional APM license

display overwrites the license display of the previous APM

license.

DE1919

26. Using WBM, you cannot import server certificates with an existing

ID (replace existing certificate).

Workaround: Delete the existing certificate and apply, then import

the new certificate using the same ID.

prod00213833

27. WBM does not support the Safari browser in MacOS. Instead, you

should use Chrome or Firefox.

N/A

28. In the STG monitoring pane, not all values are updated. prod00214839

29. Using large configurations, generating a techdata file may cause

the MP to reach 100% and WBM disconnects.

prod00212041

30. Using the Service Status view, when the primary real server is

down but its backup is up, the backup real server does not display.

prod00211854

31. Using the Service Status view, a real server in blocking mode

displays as Up instead of as Warning.

US2349

32. The Traffic Contract for Non-IP Traffic field is not available in the

VLAN configuration pane.

prod00211136

33. Using WBM on an Alteon VA platform, in the VRRP Configuration

pane, the Advertisement source MAC address mode field is

missing.

prod00216395

34. WBM has partial support for monitoring and statistics. For full

support, use the CLI.

N/A

35. You cannot renew a server Certificate with the new Validation

Period.

prod00218841


36. Using WBM, the SNMPv3 configuration has the following

limitations:

When creating or updating SNMPv3 USM users, the admin

password validation is skipped.

When creating SNMPv3 vacmAccess, the security level might

not be set properly

prod00204831

37. In WBM in the AppShape++ Monitoring pane, the Aborts value is

not updated and may display an incorrect value.

prod00204783

38. In CLI, there is a new display for SP Dynamic Memory usage. In

WBM, this display is not available and instead incorrectly shows the

old display.

prod00204612

39. In WBM, DNSSEC has the following limitations:

The DNSSEC responder VIP table may display irrelevant

columns such as service and protocol, which can be ignored.

In the DNS responder VIP Configuration pane, you must select

the virtual Server ID that has DNS TCP and DNS UDP as

services. You cannot pre-select the server.

The Virtual Server pane incorrectly does not display the DNS

responder VIP.

prod00204527

40. In WBM, in the filter configuration, two-way VPN load balancing is

missing.

prod00204182

41. In WBM, the VRRP Virtual Router state displays either Init, Master,

or Backup (the Holdoff state is missing). To obtain a detailed

status, Radware recommends using the CLI.

prod00201915

42. In WBM, on a vADC platform, you cannot turn off/on IP Forwarding

on a port. You can only perform this using the CLI command

/cfg/l3/port.

prod00205717

43. In WBM, in ADC-VX mode, after enabling RADIUS authentication,

logging in might not work.

Workaround: In the browser, clear the cache and retry logging in.

prod00206275

44. In WBM, panes in which virtual servers are associated and panes

that have virtual server dual lists or select boxes might display DNS

responders VIP addresses that are irrelevant.

Workaround: Ignore or skip these irrelevant VIP addresses.

prod00206278


45. In WBM, after deleting an object, if the object is associated to other

entities, these associations are not automatically removed. You

must remove these associations manually so that Apply does not

fail.

prod00206486

46. In WBM, the HTTPS body health check configuration can accept

only 512 characters, while 1024 characters are allowed.

prod00206608

47. Enabling or disabling a real server per group is not available using

WBM.

prod00206965

48. Using WBM, when attempting to delete a configuration object and

then adding a new object of the same type using the same ID, the

Apply command must be run between the two operations for the

addition to be successful.

prod00201414

49. Using WBM, converting a standalone configuration to a vADC

configuration does not work.

prod00216210

Static NAT Limitations

This section includes limitations of the Smart NAT feature that was added in version 30.5.2.0.

All of these limitations are scheduled to be fixed in version 31.0.0.0.

Item Description Bug ID

1. In a Smart NAT environment for outbound traffic and Global SLB

DNS queries, sometimes the priority doesn't work as expected. DE19218

2. Statistics are displayed for the wrong NAT ID. DE19177

3. In a No NAT static NAT environment, even though the local server

is up and running and HTTP requests are forwarded to the local

server, no response is given to the ICMP command (that is, the

ping to the static address does not work). DE18963

4. You can submit a Smart NAT entry with different IP versions (such

as IPv4 SNAT and IPv6 WAN link). DE18862

5. When adding an IPv6 NAT, in the Smart NAT table the local

address and NAT address columns display address 0.0.0.0 instead

of the IPv6 address.

DE19118,

DE20225

General Limitations

Item Description Bug ID

1. An FQDN Server cannot be created when the ID of the template

real server ID is more than 32 characters.

DE21734


2. On an 8820 platform with a 100 G port, forward error

correction (FEC) cannot be set to OFF, which is required to operate

LR transceivers. Currently only SR transceivers are approved for

use. DE22524

3. On 6024 or 8420 platforms, when an Alteon is connected to a

Cisco router in a simple STG topology, as all the ports remain in

Forwarding state, a loop occurs.

4. In an SSL inspection environment with more than one security

device flow, the reverse setting must be set to enabled on all

related filters.

5. In an SSL inspection environment, if the cache size reaches 100%,

traffic failures occur.

However, there is a clean mechanism with 10% deletion of the

system for an 80% cache size. If the R is being cleaned too quickly

(meaning greater than 100Mb per second) traffic failures might still

occur.

6. In a VRRP environment, centisecond advertisement is not

supported. All the intervals must be in seconds.

Currently, centiseconds are supported only with IPv6

advertisements and work incorrectly most of the time.

7. If you are using different image versions in Master (later than

version 30.0.0.0) and Backup (earlier than 30.0.0.0), syslog

messages display regarding the mismatch in address count, and

advertisement errors are incremented accordingly on the Backup.

However, this does not affect the VRRP master-backup scenario.

All the functionality is expected to work as before, except for the

error counter increment.

8. In a VRRP with SLB environment and PIP and network class

configured, the incorrect MAC address (the base MAC address)

instead of the VPR MAC is reflected in the MP ARP responses,

causing sessions that were NATed before going to the Internet to

return to the same MAC address.

Workaround: Delete the network class and configure the specific

address as PIP:

/c/slb/real LTM_F5/adv/pip

mode address

addr 171.182.204.63 255.255.255.255 persist

disable

/c/slb/nwclss SNAT/del

DE21252

9. Using APSolute Vision, configuring a network class with a country

or state that contains special characters may fail.

Workaround: Use Alteon WBM for such a configuration. DE21625

10. In an SLB environment with a gateway per VLAN configured in a

network without a PIP configuration, Alteon forwards server

returned packets to clients tagged with different VLAN IDs, causing

packets to be discarded by the gateways.

Radware recommends setting the Return to source MAC value for

a relevant virtual service using the rtsrcmac ena command, which

was introduced in version 30.1. prod00246941

11. LACP does not work when MSTP is enabled. DE13199

12. In an ADC-VX, when changing the management IPv6 gateway

address, the previous IPv6 gateway address is not removed from

the routing table. DE21599

13. Using WBM in the Mozilla Firefox browser with an HTTPS

connection, it might take a very long time to open the applet for

Alteon. DE20462

14. In a high availability environment, the configuration synchronization

failure reason doesn’t appear on the master device when an IPv6 peer

IP address is used.

Workaround: Use an IPv4 peer IP address. DE19918

15. Alteon does not forward BPDUs between Cisco and Juniper when

the VLANs are in different STGs and the STG is set to off. DE19690

16. On an 8820 platform in an ADC-VX environment, even though the

threshold CUs should be only 144, WBM limits the user to up to

152 CUs. DE19548

17. In an SLB environment, Layer 7 Direct Server Return (DSR) with

FTP does not work. DE17741

18. In a DNS cloud environment with FQDN real servers configured,

after a few DNS responses, the real server capacity information

displays incorrectly with the CLI command

/info/sys/capacity/. DE17650

19. In a BGP environment where Floating IP advertisement is used, when you disable or delete a floating/VR IP address, BGP routes are not updated. DE16514

20. In a VRRP unicast environment on an Alteon VA platform (KVM), with Direct Access Mode (DAM) disabled, matrix and mirror enabled, after backup the mirrored sessions are not distributed to all SPs. DE16513


21. In a VRRP unicast environment with TSO enabled on the backup and synced to the backup, when the backup becomes the master, even though the TSO enable is synced, manual reboot is required for TSO to work. DE15820

22. On the 5224 FIPS platform, when back-end SSL encryption is

enabled, SSL performance is very low.

DE13959

23. When performing outbound link load balancing in an IP gateway

environment (different IP versions used on LAN and WAN),

proximity checks are not initialized.

24. When using FQDN servers, configuration synchronization from

backup to master is not supported (it causes FQDN servers to be

disabled or deleted).

DE13680,

DE13559

25. When a backup device with FQDN servers comes up after reboot,

no ephemeral real servers are present.

26. GSLB Proxy Redirection for an HTTPS or SSL service does not

work when SSL ID persistency is configured on a virtual service.

DE13265

27. Using GSLB, availability priority set for a VIP on a remote Alteon is

not taken into consideration by the local Alteon.

DE13545

28. Alteon sends beacons to the APM on the default port only. DE12551

29. When using a network class for PIP, the range of the network class

cannot overlap with the VIP IP address.

DE2065

30. When the CDP server is not accessible and the CDP Interval value

is reached, the current CDP is deleted even though it is still valid.

DE2168

31. Uploading a large CRL file on a vADC with one (1) CU may take a

very long time. For example, uploading a 5M CRL file on a vADC

with one (1) CU may take 30 minutes.

N/A

32. Return to the source MAC address only works when Direct Access

Mode (DAM) is enabled.

DE792

33. IPv6 DSR DNS load balancing does not work. DE2284

34. The IPv6 DNS client does not work. DE802

35. For a virtual service, the insert cookie configuration should be

performed either by setting the persistency mode to insert cookie,

or by using an AppShape++ script with a persistent cookie. Both

settings should not be performed together on the same service.

DE881

36. On an 8420 platform, when the management port and next host

(SMB/NIC) is configured as 10 HDX/FDX auto off, the link displays

as down using the info/sys/mgmt command, even though the

link LED is orange and the activity LED is green.

prod00225576


37. On an 8420 platform, when the system is up, pulling out the fan

tray, blocking it, and then reinserting it, there is a log message that

the fan is plugged in, but there is no message that the fan failed.

prod00225314

38. On a 5208 platform with management port enabled, after rebooting

the platform (/boot/mgmt) with the factory configuration, the

platform becomes operational with the management port disabled,

when it should have been enabled by default.

prod00217388

39. On a 5208 platform, when setting the next boot to load from the

factory default configuration without keeping the management

configuration, after reset, the management port becomes disabled

(although by default it is enabled).

prod00223651

40. When audit is enabled on a platform and an audit message

contains more than 1000 characters, the message is truncated and

the audit may not display all configuration change details in the

message.

prod00223697

41. Some audit messages related to enable/disable might display as

deleted when the field is actually being modified.

Example command: /c/sys/access/https/https d

This may display if HTTPS was deleted as it was changed from its

default.

prod00223516

42. Using an AppShape++ script, the UDP::response does not work in

SERVER_DATA for DNS.

prod00221228

43. Under high traffic load, terminated sessions are not removed from

the backup platform mirror table.

prod00213645

44. The IP interface of a VRRP group that includes IPv4 VRs cannot be

configured using IPv6.

N/A

45. While retrieving techdata, the MP CPU utilization may reach 100%,

making the management interface inaccessible.

prod00212041

46. GSLB Proxy Redirection does not work for IPv6 traffic. prod00215426

47. GSLB Client Proximity does not work when HTTP traffic is

processed in forceproxy mode.

prod00215327

48. On a standalone platform connected to a Cisco switch, STP

Root bridge election does not occur.

prod00207648

49. On a 5224 platform, 1 GB fiber SFP links are not operational when

connected to a Juniper switch. This is a Juniper-Broadcom

interoperability problem.

Workaround: Disable auto-negotiation or use a copper GBIC.

prod00219478

50. On a 6420 platform, ports that are connected to a Cisco or Juniper

switch are incorrectly reported as up even when disabled.

prod00217649

51. Statistics of IPv6 virtual servers are incorrect on the backup

platform.

prod00217544

52. When activating traffic capture on a platform that is under high load

and high SP CPU, failover to the backup platform may occur.

prod00210096

53. Outbound SIP traffic works only for a standard 5060 port. prod00217348

54. SSL decryption of an SSL capture is not supported for IPv6 traffic. prod00217115

55. Using redirect filtering, Layer 7 pattern match does not work when

delayed binding is enabled.

prod00212657

56. The OSPF MD5 key is displayed in a config dump as clear text

instead of encrypted.

prod00214646

57. In IPv6 filters, when delayed binding is enabled internally, it

functions as forceproxy.

prod00214645

58. For a VR group that includes both IPv4 and IPv6 VRs, the

advertisements are sent only via IPv6 interfaces when the method

is unicast.

prod00214159

59. No warning message is displayed when APM is enabled on a

service with no APM license.

prod00213522

60. When all persistent entries in the Dynamic Data Store (persistence

via AppShape++) are purged, sometimes new persistent entries

are not mirrored to the backup platform. Radware recommends

also purging entries from the backup platform.

prod00212945

61. If the real server has the description configured, the real server

description is shown instead of the real IP address under

/info/slb/cookie.

prod00220874

62. When a buddy server does not belong to any service, after Apply it

and the real server go down for a short time.

prod00212727

63. When two IPv6 interfaces are configured on the same VLAN and

they both have VRs configured, only one interface is in status "up

(preferred)", while the other is in status "up (tentative)".

Workaround: Disable and then enable the interface.

prod00216479

64. Uploading the configuration taken from a techdata file is not

supported. After uploading such a configuration and rebooting, the

"bad syntax" error is issued, and most of the configuration is

ignored.

prod00216036

65. The default share value for /cfg/l3/vrrp/group and

/cfg/l3/vrrp/vr is disabled in Alteon versions 26.8 and 28.0,

and enabled starting with version 28.1. After upgrading from

versions 26.8 or 28.0 to version 28.1 or later, if the share

parameter had a default value, you must disable it manually.

prod00177054

66. The BWM module is not working properly. prod00190470

67. For IPv6 virtual routers (VRs), only VRIDs up to 255 can be used. prod00191837

68. HTTP Layer 7 processing using legacy delayed binding in enabled

mode does not work with fragmented traffic.

prod00198986

69. On an Alteon 5412 platform (XL or non-XL), the 1 GB fiber module

is not working with auto-negotiation on.

Note: The port might be displayed as up but it does not function

properly.

Workaround: Set the auto-negotiation to off at both sides.

prod00200279

70. On a 5412 platform, an SFP port with the SI8512-X5AT0-3C fiber

module should not be used for ISL. The port speed is reported as

10M, causing VRRP flaps.

prod00200619

71. SSL ID persistency is not supported in force proxy mode. When

upgrading from version 28.1.x to 29.5.0.0, if there are virtual

services configured with SSL ID persistency and force proxy mode,

configuration apply fails until either SSL ID persistency is disabled

or force proxy mode is deactivated.

Radware recommends performing this before upgrade.

prod00200668

72. A GSLB configuration with cookie-based persistency between sites

does not work for IPv6 requests.

prod00201333

73. The incorrect APM license value is reported to APSolute Vision. prod00201942

74. On an HTTPS service with a non-standard service port and server

port 443, in force-proxy mode, real server IP leakage is observed.

Workaround: Add a proxy IP address or change delayed binding

to enabled mode.

prod00202219

75. When a new configuration is applied, there might be "server up"

messages for servers that are not attached to any VIP.

prod00202693

76. If more than 256 virtual routers (VRs) are configured on the same

IP interface, flipping between master and backup device can occur.

prod00202886

77. Sometimes persistent sessions exist for twice the persistency

timeout value.

prod00203494

78. When processing traffic via a redirect or NAT filter, if an ICMP type

3 code 4 message arrives from the client-side, it is not properly

processed.

prod00203850,

prod00203888

79. X-Forwarded-For can be enabled for an HTTPS service without

SSL offload (requires delayed binding enabled), even though it

cannot be performed.

prod00204113

80. MP Utilization data sent to the Device Performance Monitoring

module is sometimes incorrect.

prod00204922

81. Generation of a 4096 key size may take up to 30 seconds. During

this time, the CPU utilization may reach 100%.

prod00204939

82. Trying to upload a very large capture file via FTP/TFTP fails. prod00205038

83. On an Alteon 4408 platform with 1G copper SFP ports, the port

status is always displayed incorrectly on these ports and does not

take effect when operationally disabled or enabled.

prod00206900,

prod00115850

84. Some of the cache statistics are incorrect:

The number of new cached bytes is always reported as 0.

The new cached bytes rate is incorrect.

The cached objects average size counters are incorrect.

prod00207290,

prod00207297,

prod00207299

85. HTTP/2 Gateway is not supported in conjunction with AppShape++.

FastView Limitations

Item Description Bug ID

1. When using FastView for an HTTPS service in conjunction with

Pass SSL Information to Backend Servers, Radware

recommends using the default header names. The FastView

fetcher uses default SSL headers to indicate front-end SSL, and

not the user-defined custom headers.

DE6100

2. Using FastView with deferral for images, the images are not

displayed.

This is scheduled to be fixed in version 31.0.1.0.

DE13859

AppWall Limitations

Item Description Bug ID


1. The AppWall management applet does not work when the

management user is authenticated via TACACS or RADIUS (only

local users are supported).

prod00216858

2. After upgrading to version 31.0.0.0, as the internal security page

.zip files are deleted from the disk, the vulnerability response is

always returned as a 404 not found page instead of the configured

security page.

Workaround: After the upgrade to version 31.0.0.0, re-upload the

internal security page .zip files to avoid the 404 response.

This is scheduled to be fixed for version 31.0.1.0.

DE22203

3. In an Authentication Gateway environment, uploading several files

in a short period might sometimes fail.

DE21801

4. In the Authentication GW panes, in some rare cases when only the

authentication GW license is installed, more filters display than are

defined.

Workaround: For authentication GW functionality, use only the

Allowlist and Pathblocking filters.

DE1929

5. In some rare cases, the request data in the Forensics table does

not display information

DE1373

Alteon Management via APSolute Vision Limitations

Item Description Bug ID

1. From APSolute Vision, when working in a vADC that is set with

unlock system access, after applying any system changes in the

vADC, the Revert Apply from APSolute Vision may cause the

vADC to disconnect, as the SNMP access setting will revert to

default (disabled).

Workaround: Perform the Revert Apply from the Alteon WBM.

This is scheduled to be fixed in version 31.0.1.0.

DE20789

2. Using APSolute Vision version 3.60 with this Alteon version, the

import/export from the Operations menu does not work.

Workaround: Navigate to the individual pages for the export/import

of a specific configuration (for example), or upgrade to APSolute

Vision version 3.70.

prod00246805

3. Using APSolute Vision 3.0, techdata cannot be generated.

Workaround: To generate techdata, use the Alteon WBM, or use

the CLI command /maint/techdata.

DE1850

4. Using APSolute Vision to manage FastView on Alteon, the controls

in the Treatment Set screens do not work properly.

DE14140,

DE13816


Related Documentation

New! Version 31.0.0.0 introduces the Alteon Getting Started Guide. This guide is designed to

quickly assist you in configuring a new installation from scratch.

The following documentation is related to this version:

Alteon Installation and Maintenance Guide

Alteon VA Installation and Maintenance Guide

Alteon Getting Started Guide

Alteon Web Based Management Application Guide

Alteon Command Line Interface Application Guide

Alteon Command Reference

Alteon REST API User Guide

Alteon AppShape++ SDK Guide

Alteon NG Deployment Guide

AppWall for Alteon NG User Guide

FastView for Alteon NG User Guide

LinkProof for Alteon NG User Guide

LinkProof NG User Guide

Alteon Troubleshooting Guide

North America
Radware Inc.
575 Corporate Drive
Mahwah, NJ 07430
Tel: +1-888-234-5763

International
Radware Ltd.
22 Raoul Wallenberg St.
Tel Aviv 69710, Israel
Tel: 972 3 766 8666

© 2017 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners. Printed in the U.S.A