Patch Release Note

Patch 86222-27 for Software Release 2.2.2

C613-10319-00 REV Z

PCR: 02039    Module: IPG    Network affecting: No

The SHOW IP ROUTE FILTER command output displayed counters for 
'passes' and 'include' that were the same. This issue has been resolved. 
Counters now increment only when a filter is active and do not count 
interface routes.

PCR: 02040    Module: SWI    Network affecting: No

PCR 02019 permitted the reception of packets by the CPU that should have 
been discarded. This issue has been resolved.

PCR: 02057    Module: FIREWALL    Network affecting: No

Firewall TCP timeout values have been reduced for sessions placed in the 
CLOSED state after receiving a TCP/RESET. This applies to the stateful 
inspection of firewall sessions only, and not to the TCP module. Previously, 
PCR 01263 reduced the timeout value for sessions placed in the CLOSED 
state after a TCP/FIN packet was received.

PCR: 02063    Module: FIREWALL    Network affecting: No

Firewall IP access lists were not working correctly. If an IP range was 
specified without spaces between the IP address and the separating '-' the 
range would be ignored. Spaces are no longer required. Also, matches were 
made to addresses covered by a range in an access list if the matching range 
was numerically the lowest in the list. This issue has been resolved.

Features in 86222-13

Patch file details for Patch 86222-13 are listed in Table 14.

Table 14: Patch file details for Patch 86222-13.

Base Software Release File: 86s-222.rez
Patch Release Date: 1-Feb-2002
Compressed Patch File Name: 86222-13.paz
Compressed Patch File Size: 328884 bytes

Patch 86222-13 includes all issues resolved and enhancements released in 
previous patches for Software Release 2.2.2, and the following enhancements:

PCR: 02014    Module: TELNET    Network affecting: No

When a Telnet session was terminated without a proper logout, counters 
recording the number of logins were not correctly decremented. This issue 
has been resolved.

PCR: 02019    Module: SWI    Network affecting: No

If a layer 3 hardware filter for a particular packet type (e.g. Netbeui) was 
configured, all IP packets destined for the CPU were discarded. This issue 
has been resolved.
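
The following is an added example, not Allied Telesyn code and not part of the release note. It is a regression check for the access-list behaviour fixed in PCR 02063: ranges written with or without spaces around the '-' must both be accepted, and every range in the list must match, not only the numerically lowest one. The one-entry-per-line list format, the function names and the sample addresses are assumptions made for the illustration.

```python
import ipaddress
import re

# Assumed list format (not the device's documented syntax): one entry per
# line, either a single IPv4 address or "start-end", with optional whitespace
# around the '-'. '#' starts a comment.
ENTRY_RE = re.compile(r"^\s*([\d.]+)\s*(?:-\s*([\d.]+))?\s*$")

# Constructed sample list: no spaces, spaces, and a single host.
SAMPLE_LIST = """\
192.168.10.1-192.168.10.20
10.0.0.5 - 10.0.0.9
172.16.4.7
"""


def parse_access_list(text):
    """Return [(start, end)] as IPv4Address pairs.

    An entry that cannot be parsed raises ValueError instead of being
    skipped, so a malformed range can never be silently ignored.
    """
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unparseable entry {raw!r}")
        try:
            start = ipaddress.IPv4Address(m.group(1))
            end = ipaddress.IPv4Address(m.group(2) or m.group(1))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from exc
        if end < start:
            raise ValueError(f"line {lineno}: range end is below range start")
        ranges.append((start, end))
    return ranges


def matches(ranges, addr):
    """True if addr falls inside any range, whatever its position in the list."""
    a = ipaddress.IPv4Address(addr)
    return any(start <= a <= end for start, end in ranges)


def probe_addresses(ranges):
    """Build (address, expected_match) test vectors for every range.

    Each range contributes its first and last address plus the addresses
    just outside it, so an off-by-one or a skipped range shows up when the
    vectors are compared with what the firewall actually does.
    """
    probes = []
    for start, end in ranges:
        candidates = [start, end]
        if int(start) > 0:
            candidates.append(start - 1)
        if int(end) < 2**32 - 1:
            candidates.append(end + 1)
        for c in candidates:
            probes.append((str(c), matches(ranges, c)))
    return probes
```

Comparing the vectors from `probe_addresses` with the firewall's observed behaviour before and after applying the patch shows whether a given list was affected by either defect.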
