Amaranten Security Gateway changes from v8.70.01 to v8.70.02

8.70.02 Release date: 2006-11-27 [ISO]

Please Note: If upgrading from versions prior to 8.70.00, the Amaranten Loader MUST be upgraded before Amaranten CorePlus!

Contents of this document

Version 8.70.02 contains fixes to problems in CorePlus and FineTune. This document outlines problems fixed as well as improvements for each component.

The upgrade procedures in this document refer to upgrades from earlier v8.0x installations.

  • Summary of changes and problems fixed in v8.70.02
  • Files installed by v8.70.02
  • How to upgrade earlier v8.0x releases to v8.70.02
  • How to upgrade v6.0x/v7.0x releases to v8.0x
  • HA upgrade procedure
  • Amaranten FineTune: Problems Fixed
  • Amaranten CorePlus: Problems Fixed, Known Issues

    For future reference: This document is stored in the "Docs" sub-folder of your Amaranten FineTune installation folder.

    Change logs / release notes for earlier versions of Amaranten Security Gateway are available in the release notes section of www.Amaranten.com/support.



     Summary of changes and problems fixed                       

    FineTune
      Problem fixed: The downloaded IDP database is lost when a security gateway is renamed.

    CorePlus
      Problem fixed: NATed L2TP/IPSec clients can't reconnect to a broken connection
      Problem fixed: Advanced setting TCPAllowReopen is not always obeyed
      Problem fixed: Certificate and tunnel mismatch problem with self-signed certificates and ID lists.
      Problem fixed: A memory leak in the Intrusion Detection and Prevention engine.
      Problem fixed: Change of proxy IDs during IPsec SA negotiation corrupted internal data structures.
      Problem fixed: Dead Peer Detection only triggered on the absence of incoming traffic after there has been outgoing traffic.
      Problem fixed: Detection of CSPN servers will fail for an inactive HA node.
      Problem fixed: The IDP autoupdate functionality uses the private IP addresses to download updates.
      Known problem: HA: Transparent Mode won't work in HA mode
      Known problem: HA: No state synchronization for ALGs
      Known problem: HA: Tunnels unreachable from inactive node
      Known problem: HA: No state synchronization for L2TP and PPTP
      Known problem: HA: No state synchronization for IDP signature scan states.



     Files installed by v8.70.02                       
    This is a list of files that are new to the v8.70.02 release. All paths are relative to your Amaranten FineTune installation folder.
    » Cores/sgc-8.70.02-full.cfx
    This is the full v8.70.02 of CorePlus. Upload it to your existing Security Gateway, or create new boot media with it. It contains all available functionality.
    » Cores/sgc-8.70.02-sg50.cfx
    This is the v8.70.02 CorePlus for the SG50 appliance. Upload it to your existing Security Gateway. It contains all available functionality.
    » Cores/sgc-8.60.02-mini.cfx
    This is a version of v8.60.02 CorePlus with certain features removed. It is less than half the size of the full version. Use it if you want to boot the system from a floppy before copying it over to other media.

    » Docs/changes-8.70.01-to-8.70.02.html
    This document.
    » Docs/Amaranten EULA.pdf
    The Amaranten End User License Agreement.
    » Docs/Amaranten_CorePlus_Admin_Guide_8_70.pdf
    The Amaranten CorePlus administration guide for the v8.70.02 release.
    » Docs/Amaranten_FineTune_Admin_Guide_8_70.pdf
    The Amaranten FineTune administrators guide for the v8.70.02 release.
    » Docs/Amaranten_Log_Reference_Guide_8_70.pdf
    The log reference guide for the v8.70.02 release.
    » Docs/Amaranten_F100_Install_Setup.pdf
    Installation and Setup guide for the F100 series platform.
    » Docs/Amaranten_F300_Install_Setup.pdf
    Installation and Setup guide for the F300 series platform.
    » Docs/Amaranten_F600_Install_Setup.pdf
    Installation and Setup guide for the F600 series platform.
    » Amaranten_F1800_Install_Setup.pdf
    Installation and Setup guide for the F1800 series platform.
    » Amaranten_F3000_Install_Setup.pdf
    Installation and Setup guide for the F3000 series platform.
    » FineTune.exe
    This is the v8.70.02 Amaranten FineTune executable.
    » SNMP/Amaranten-Traps.mib
    This is the Amaranten v8.70.02 SNMP Traps MIB.
    » SNMP/Amaranten-SMI.mib
    This is the Amaranten v8.70.02 SNMP Structure of Management Information file.


     How to upgrade earlier v8.0x releases to v8.70.02                       

    Please Note: If upgrading from versions prior to 8.70.00, the Amaranten Loader MUST be upgraded before Amaranten CorePlus!

    Upgrading a previous v8.x release to v8.70.02 is completely straightforward.
    First upload the new Amaranten Loader, followed by the new CorePlus, "sgc-8.70.02-full.cfx" (or "sgc-8.70.02-sg50.cfx" for the SG50 Series), to your Security Gateway and restart it.


     HA upgrade procedure                       
    Note: For upgrades from v7.x HA clusters, first follow the HA upgrade procedures outlined in changes-7.0x.xx-to-8.00.02.html.

    Note: Upgrades from versions prior to v8.40.01: Upgrading directly to v8.50.00 or later from a version prior to v8.40.01 will lead to loss of state synchronization. All open states will be closed as a result of the upgrade. If this is acceptable, continue with the upgrade as described below. Otherwise, first upgrade to v8.40.01 or a later v8.4x core and then upgrade to v8.70.02.

    Simply upload the new CorePlus file to the Security Gateways in your cluster and make sure that the first upload and restart is successful before uploading to the second Security Gateway.

    We recommend beginning with the Security Gateway that is currently active, even though this will necessitate two failovers. The reason for this is that ALG sessions are not synchronized.

      The "immediate availability" method
    • Upload the core to the currently active Security Gateway ("Security Gateway A") and restart it.
    • Issue a 'reconfigure' on the Security Gateway B to rapidly fail back to the now upgraded Security Gateway A. Make sure Security Gateway A functions properly.
    • Upload the core to Security Gateway B and restart it.
    • End result: Security Gateway A is now the active node, just as it was before the upgrade procedure.

    Note that this leaves the second Security Gateway untested, even though it most likely will work just as well as the first Security Gateway. If you want to specifically test the second Security Gateway, you can:
    1) cause two failovers manually,   or
    2) connect to it via e.g. the remote console just to make sure it's running,   or
    3) if ALG and tunnel synchronization is not a concern, follow this procedure:

      The "long-term safe" procedure:
    • Upload the core to the currently inactive Security Gateway ("Security Gateway B") and restart it.
    • Issue a 'reconfigure' on Security Gateway A. This causes failover to Security Gateway B. Make sure Security Gateway B functions properly.
    • Upload the core to Security Gateway A and restart it.
    • Issue a 'reconfigure' on Security Gateway B to fall back to Security Gateway A. Make sure Security Gateway A functions properly.
    • End result: Security Gateway A is now the active node, just as it was before the upgrade procedure.
    Note that the "availability" issues affect only synchronization of ALGs and tunnels; there is more information about this in the Known Issues section. All other states are, as usual, fully synchronized and not affected in either procedure.


     FineTune Problems Fixed                       
    The downloaded IDP database is lost when a security gateway is renamed.
        Problem: When a security gateway is renamed, the IDP database previously downloaded for it is lost.
        Results: The IDP database must be downloaded again from the security gateway.
        Affects: Amaranten FineTune v8.70.00 and v8.70.01.
        Solution: Fixed in v8.70.02.



     CorePlus Problems Fixed                       
    NATed L2TP/IPsec clients can't reconnect to a broken connection
        Problem: If a NATed L2TP/IPsec client is disconnected without a proper tunnel teardown, the associated IPsec SA remains active in the security gateway.
        Results: The NATed client cannot reconnect to the broken connection while the stale SA remains.
        Affects: Amaranten CorePlus v8.60.00, v8.60.01 and v8.60.02.
        Solution: Fixed in v8.60.04 and v8.70.02.

    Advanced setting TCPAllowReopen is not always obeyed
        Problem: The advanced setting TCPAllowReopen is not always obeyed.
        Results: In some cases it has been possible to re-establish a closed TCP connection even though the setting prohibits it.
        Affects: Amaranten CorePlus v8.60.03, v8.70.00 and v8.70.01.
        Solution: Fixed in v8.60.04 and v8.70.02.

    Certificate and tunnel mismatch problem with self-signed certificates and ID lists.
        Problem: IPsec tunnel matching with ID lists did not work when used together with self-signed certificates.
        Results: One or more clients will fail to connect.
        Affects: Amaranten CorePlus v8.60.00, v8.60.01, v8.60.02, v8.70.00 and v8.70.01.
        Solution: Fixed in v8.60.04 and v8.70.02.

    A memory leak in the Intrusion Detection and Prevention engine.
        Problem: A memory leak in the Intrusion Detection and Prevention engine caused increased memory usage over time.
        Results: Excessive use of memory.
        Affects: Amaranten CorePlus v8.70.01.
        Solution: Fixed in v8.70.02.

    Change of proxy IDs during IPsec SA negotiation corrupted internal data structures.
        Problem: The change of proxy IDs during IPsec SA negotiation corrupted internal data structures.
        Results: Could cause a system crash.
        Affects: Amaranten CorePlus v8.60.00, v8.60.01, v8.60.02, v8.60.03, v8.70.00 and v8.70.01.
        Solution: Fixed in v8.60.04 and v8.70.02.

    Dead Peer Detection only triggered on the absence of incoming traffic after there has been outgoing traffic.
        Problem: DPD was only triggered when outgoing traffic had been sent to the peer and no incoming traffic followed it. The absence of incoming traffic on its own did not start DPD.
        Results: DPD will fail to detect a dead peer on a tunnel that has only carried traffic from the peer.
        Solution: Fixed in v8.60.04 and v8.70.02.
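The two trigger rules side by side, as an added illustration that is not CorePlus code: `probe_wanted_buggy` models the behaviour the entry above describes (worry only after we have sent something and heard nothing back), `probe_wanted_fixed` treats silence from the peer as suspicious regardless of which side last spoke. The timer values, the tick-based scheduler and the three traffic traces are all constructed for the example.

```python
"""Two DPD trigger rules side by side: the one the notes describe as broken
and a corrected one. Illustration added to these notes, not CorePlus code;
timer values, the scheduler and the traffic traces are assumed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DPD_IDLE = 30.0       # assumed: seconds of silence from the peer before probing
DPD_RETRY = 5.0       # assumed: seconds between R-U-THERE retransmissions
DPD_MAX_PROBES = 3    # assumed: unanswered probes before the peer is declared dead


@dataclass
class TunnelState:
    last_rx: Optional[float] = None   # last traffic received from the peer
    last_tx: Optional[float] = None   # last traffic sent to the peer
    probes_sent: int = 0
    last_probe: Optional[float] = None


def record_rx(s: TunnelState, now: float) -> None:
    """Anything from the peer (ESP or IKE) is proof of life and cancels probing."""
    s.last_rx = now
    s.probes_sent = 0
    s.last_probe = None


def record_tx(s: TunnelState, now: float) -> None:
    s.last_tx = now


def probe_wanted_buggy(s: TunnelState, now: float) -> bool:
    """Pre-fix rule as the notes describe it: probe only after we have sent
    something and nothing has come back since."""
    if s.last_tx is None:
        return False
    if s.last_rx is not None and s.last_rx >= s.last_tx:
        return False
    return now - s.last_tx >= DPD_IDLE


def probe_wanted_fixed(s: TunnelState, now: float) -> bool:
    """Corrected rule: silence from the peer counts no matter which side last spoke."""
    reference = s.last_rx if s.last_rx is not None else s.last_tx
    if reference is None:
        return False          # tunnel has carried nothing yet; nothing to guard
    return now - reference >= DPD_IDLE


def step(s: TunnelState, now: float, rule) -> Optional[str]:
    """One scheduler tick under the given rule: returns 'probe', 'dead' or None."""
    if not rule(s, now):
        return None
    if s.last_probe is not None and now - s.last_probe < DPD_RETRY:
        return None           # still waiting for an R-U-THERE-ACK
    if s.probes_sent >= DPD_MAX_PROBES:
        return "dead"         # the SA would be torn down here
    s.probes_sent += 1
    s.last_probe = now
    return "probe"


Event = Tuple[float, str]     # (time, "rx" | "tx")


def dead_at(events: List[Event], rule, until: float = 120.0) -> Optional[float]:
    """Replay a constructed trace with one-second ticks; return the time the
    peer is declared dead, or None if the rule never gets there."""
    s = TunnelState()
    by_time = {}
    for t, direction in events:
        by_time.setdefault(t, []).append(direction)
    t = 0.0
    while t <= until:
        for direction in by_time.get(t, []):
            (record_rx if direction == "rx" else record_tx)(s, t)
        if step(s, t, rule) == "dead":
            return t
        t += 1.0
    return None


# Constructed traces. In the first two the peer goes silent after t=10.
ONLY_INCOMING = [(0.0, "rx"), (5.0, "rx"), (10.0, "rx")]            # we never send
BOTH_WAYS = ONLY_INCOMING + [(20.0, "tx")]                        # we send once, no reply
ALIVE = [(float(t), "rx") for t in range(0, 121, 10)] + [(20.0, "tx")]

if __name__ == "__main__":
    for name, trace in (("only incoming", ONLY_INCOMING), ("both ways", BOTH_WAYS), ("alive", ALIVE)):
        print(f"{name:14s} buggy={dead_at(trace, probe_wanted_buggy)} "
              f"fixed={dead_at(trace, probe_wanted_fixed)}")
```

On the ONLY_INCOMING trace the buggy rule never declares the peer dead because it never sees outgoing traffic to key off, while the fixed rule probes from t=40 and gives up at t=55; on BOTH_WAYS both rules get there, the fixed one sooner because it counts silence from the last packet received rather than the last one sent.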

    Detection of CSPN servers will fail for an inactive HA node.
        Problem: In HA setups, detection of CSPN servers is done using the shared IP address, and only the active node performs the detection.
        Results: The inactive HA node cannot determine which CSPN server to contact if only the shared IP address has Internet access.
        Affects: Amaranten CorePlus v8.70.00 and v8.70.01.
        Solution: Fixed in v8.70.02.

    The IDP autoupdate functionality uses the private IP addresses to download updates.
        Problem: Automatic downloads of IDP signatures are sourced from the node's private IP address rather than the shared IP address.
        Results: In an HA cluster, IDP update requires the private IP address on each node's external interface to be globally reachable, i.e. two globally accessible IP addresses on the two external interfaces towards the Internet.
        Affects: Amaranten CorePlus v8.70.00 and v8.70.01.
        Solution: Fixed in v8.70.02.
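The technique the entry above implies from the client side, as an added illustration that is not Amaranten code: an outbound fetch that explicitly binds its source address, so an HA node can originate the download from the address the update server (or the NAT in front of it) can route back to instead of the node's own private address. The update server is a local stub started in a thread, and the path `/idp/latest` and the payload are constructed; 127.0.0.2 stands in for the shared address, which works on Linux because all of 127/8 is bindable.

```python
"""Sourcing an outbound HTTP fetch from a chosen local address.
Illustration added to these notes, not Amaranten code. The update server is a
local stand-in; path, payload and addresses are constructed for the example."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class _UpdateStub(BaseHTTPRequestHandler):
    """Stand-in for the signature update server. It records the address the
    client connected from, which is what a real server, or the NAT in front of
    it, would see and have to route the reply back to."""
    seen_from = None

    def do_GET(self):
        type(self).seen_from = self.client_address[0]
        body = b"IDP-SIGNATURES-STUB"              # constructed payload
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):                   # keep stdout quiet
        pass


def fetch_update(host, port, path, source_ip):
    """GET path from host:port, forcing the TCP connection to originate from
    source_ip. Picking the routable (shared) address here instead of the
    per-node private one is what the fix amounts to from the client's side."""
    conn = http.client.HTTPConnection(host, port, timeout=5,
                                      source_address=(source_ip, 0))
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def observed_source(source_ip):
    """Run one fetch against the stub; return (address the server saw, status, body)."""
    srv = HTTPServer(("127.0.0.1", 0), _UpdateStub)   # ephemeral port
    _UpdateStub.seen_from = None
    worker = threading.Thread(target=srv.handle_request, daemon=True)
    worker.start()
    status, body = fetch_update("127.0.0.1", srv.server_port, "/idp/latest", source_ip)
    worker.join(5)
    srv.server_close()
    return _UpdateStub.seen_from, status, body


if __name__ == "__main__":
    # 127.0.0.1 plays the node's private address, 127.0.0.2 the shared one.
    for ip in ("127.0.0.1", "127.0.0.2"):
        print(ip, "->", observed_source(ip))
```

The point to check on a real cluster is the same as in the stub: look at the source address the update server logs (or the firewall in front of it) for the inactive node, not just whether the download succeeded from the active one.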



     CorePlus Known Issues                       
    HA: Transparent Mode won't work in HA mode
        Problem: There is no state synchronization for Transparent Mode, and no loop avoidance is in place.
        Results: Transparent Mode cannot be used in an HA cluster.

    HA: No state synchronization for ALGs
        Problem: No aspect of ALG state is synchronized.
        Results: This means that all traffic handled by ALGs will freeze when the cluster fails over to the other peer. If, however, the cluster fails back over to the original peer within approximately half a minute, frozen sessions (and associated transfers) should begin working again.
    Note that such failover (and consequent fallback) occurs each time a new configuration is uploaded.

    HA: Tunnels unreachable from inactive node
        Problem: The inactive node in a HA cluster cannot communicate over IPsec, PPTP, L2TP and GRE tunnels, as such tunnels are established to/from the active node.
        Results:
    » Inactive HA member cannot send log events over tunnels.
    » Inactive HA member cannot be managed / monitored over tunnels.
    » OSPF: If the cluster members do not share a broadcast interface so that the inactive node can learn about OSPF state, OSPF failover over tunnels uses normal OSPF failover rather than accelerated (<1s) failover. This means 20-30 seconds with default settings, and 3-4 seconds with more aggressively tuned OSPF timings.

    HA: No state synchronization for L2TP and PPTP
        Problem: There is no state synchronization for L2TP and PPTP tunnels.
        Results: On failover, incoming clients will re-establish their tunnels after the tunnels are deemed non-functional. This timeout is typically in the 30 -- 120 second range.

    HA: No state synchronization for IDP signature scan states.
        Problem: No aspects of the IDP signature states are synchronized.
        Results: This means that there is a small chance that the IDP engine causes false negatives during a HA failover.