Aas-28 1 11 0-RN

Alteon Application Switch
Release Notes

Version 28.1.11
August 01, 2013

Title: Alteon Application Switch version 28.1.11.0 Release Notes, August 01, 2013 Page 2

TABLE OF CONTENTS

CONTENT ..................................................................................................................................................... 4
RELEASE SUMMARY .................................................................................................................................. 4
SUPPORTED PLATFORMS AND MODULES ............................................................................................ 4
OBTAINING AND INSTALLING THE SOFTWARE..................................................................................... 4
OBTAINING THE SOFTWARE ...................................................................................................................... 4
INSTALLING THE SOFTWARE ..................................................................................................................... 5
UPGRADING THE SOFTWARE .................................................................................................................. 5
WHATS NEW ............................................................................................................................................... 5
NEW IN VERSION 28.1.9.0 ........................................................................................................................ 5
Password Strength Policy ................................................................................................................ 5
Selecting Supported SSL/TLS Protocol Version Text ...................................................................... 6
NEW IN VERSION 28.1.7.0 ........................................................................................................................ 7
Close with RST ................................................................................................................................ 7
NEW IN VERSION 28.1.5.0 ........................................................................................................................ 7
Google Chrome Browser Official Support ........................................................................................ 7
Client-based Service Differentiation ................................................................................................. 7
GSLB in IPv6 Environment .............................................................................................................. 8
DNS Layer 7 in IPv6 Environment ................................................................................................... 8
Least Connections per Virtual Service ............................................................................................. 8
Configuration Audit ........................................................................................................................... 9
SNMP Traps for VRRP .................................................................................................................... 9
Configuration Synchronization Feedback ........................................................................................ 9
WHATS CHANGED AND/OR MODIFIED ................................................................................................... 9

CHANGED FEATURES IN VERSION 28.1.10.0 ............................................................................................. 9
Trap Update for Link-UP Link-Down ................................................................................................ 9
Trunk port in VRRP Hot-Standby ................................................................................................... 10
No-Password Uniqueness.............................................................................................................. 10
IPv6 Link Local Address................................................................................................................. 10
Alteon VA Management ................................................................................................................. 10
Configuration Capacity Increase .................................................................................................... 10
Downgrade Protection.................................................................................................................... 10
Layer 7 Sessions Failover .............................................................................................................. 11
SSL information HTTP Headers in 2424-SSL Format ................................................................... 11
Delete SSH Keys ........................................................................................................................... 13
Entry Level 5224 ADC-VX.............................................................................................................. 13
MAINTENANCE FIXES .............................................................................................................................. 13
FIXED IN VERSION 28.1.11.0 .................................................................................................................. 13
FIXED IN VERSION 28.1.10.0 .................................................................................................................. 17
FIXED IN VERSION 28.1.9.0 .................................................................................................................... 23
FIXED IN VERSION 28.1.8.0 .................................................................................................................... 35
FIXED IN VERSION 28.1.7.0 .................................................................................................................... 35
FIXED IN VERSION 28.1.6.0 .................................................................................................................... 38
FIXED IN VERSION 28.1.5.0 .................................................................................................................... 45
FIXED IN VERSION 28.1.2 ....................................................................................................................... 49
KNOWN LIMITATIONS .............................................................................................................................. 50
LIMITATIONS IN VERSION 28.1.10.0 ......................................................................................................... 51
RELATED DOCUMENTATION .................................................................................................................. 55

Content
Radware announces the release of Alteon Application Switch version 28.1.11.0. These release
notes describe new features since the last released version of 28.1.5.0. Alteon Application
Switch 28.1.11.0 includes all bug fixes from maintenance version 28.1.5.0.
Release Summary
Release Date: July 22, 2013
Objective: Minor software release addressing software issues.
Supported Platforms and Modules
This version is supported on the following Alteon platforms:
4408 running on OnDemand Switch VL
4408 XL running on OnDemand Switch VL XL
4416 running on OnDemand Switch 2
4416 running on OnDemand Switch 2 XL
5224 running on OnDemand Switch 3 LS
5224 running on OnDemand Switch 3 LS XL
5412 running on OnDemand Switch 3
5412 running on OnDemand Switch 3 XL

For more information on platform specifications, refer to the Alteon Installation and Maintenance
Guide.
This version is supported by APSolute Vision version 1.25 and later.
Obtaining and Installing the Software
This section describes how to obtain and install the software for this version.
Obtaining the Software
1. Go to www.radware.com and log in if prompted.
Note: You must have a username and password before attempting to download a software
update. If you do not have a username and password, click My Account and then click
Register.
2. Under My Updates > Software Releases, the set of products and software downloads for
which you have licenses display.
3. For the release version and platform you want to update or recover, select the Download
Software icon, and download the relevant software update or recovery files to a server
within your own organization that is accessible using FTP or TFTP.

Installing the Software
For details on installation, refer to the Alteon Installation and Maintenance Guide.
Upgrading the Software
For details on upgrading, refer to the Alteon Installation and Maintenance Guide.
You can upgrade to this version from any of the following previous AlteonOS versions:
26.0.x
26.1.x
26.2.x
26.3.x
26.8.x
27.0.x
28.0.x
28.1.x
Whats New
This section describes the new features and components introduced in this version. For more
details on all described capabilities, refer to the Alteon Application Switch Operating System
Application Guide and the Alteon Application Switch Operating System Command Reference for
this version.
New in version 28.1.9.0
Password Strength Policy
Administrators are now able to configure parameters that ensure only strong passwords.
The password strength enforces:
Minimal password length
Specific characters Complexity
Password validity (maximum/minimum age)
Password History.

Note: The strong password policy is not applied on main Administrator (admin username), but is
applied on user-defined users with Administrator role.
NFR number: prod00158348

Selecting Supported SSL/TLS Protocol Version Text
Alteon Application Switch provided the ability to select the allowed and disallowed SSL/TLS
protocol versions in both frontend and backend connection. Disallowed SSL/TLS protocol
version will be rejected before handshake start.
Use-cases examples:
Mitigate the BEAST by allowing only SSLv3 and TLS1.1 in the SSL Policy.
To completely reject any SSLv2 connection to pass PCI compliance testing (SSLv2
handshake failure on non-matching ciphers as it is done today is non-PCI compliant)

>> HTTPS Server Access# /cfg/slb/ssl/sslpol 1
------------------------------------------------------------
[SSL Policy 1 Menu]
name - Set descriptive policy name
passinfo - Pass SSL Information to Backend Servers Menu
frver - Allowed Frontend SSL Protocol Version Menu
bever - Allowed Backend SSL Protocol Version Menu
cipher - Set allowed cipher-suites in frontend SSL
intermca - Set Intermediate CA certificate chain
becipher - Set allowed cipher-suites in backend SSL
authpol - Set client authentication policy
convuri - Set Host regex for HTTP redirection conversion
bessl - Enable/Disable backend SSL encryption
convert - Enable/Disable HTTP redirection conversion
ena - Enable policy
dis - Disable policy
del - Delete Policy
cur - Display current policy configuration
>> SSL Policy 1# frver/
------------------------------------------------------------
[SSL Policy 1 frver Menu]
ssl3 - Enable/Disable frontend SSLv3 protocol version
tls10 - Enable/Disable frontend TLS1.0 protocol version
tls11 - Enable/Disable frontend TLS1.1 Protocol version
cur - Display current frontend SSL protocol version configuration

>> SSL Policy 1# bever/
------------------------------------------------------------
[SSL Policy 1 bever Menu]
ssl3 - Enable/Disable backend SSLv3 protocol version
tls10 - Enable/Disable backend TLS1.0 protocol version
tls11 - Enable/Disable backend TLS1.1 Protocol version
cur - Display current backend SSL protocol version configuration

Note: SSLv2 is disabled by default in both frontend and backend connections

Close with RST
When enabled, upon receiving FIN from either side (client or server), Alteon closes the other
side using RST. This causes the session entry to be removed immediately.
When disabled, upon receiving FIN, graceful closure is performed in both sides.
Default: disable
Close with RST can be set per virtual service.
Note: To enable, forceproxy must be enabled on that service

Google Chrome Browser Official Support
Google Chrome Browser (version 17.x and later) is added to the list of supported BBI platforms.

Client-based Service Differentiation
Alteon lets you provide differentiated services for specific client groups: different type of
services, different levels of service, and different service access rights.
To implement this feature, source network classification has been added to the Layer 3 service
classification as part of virtual server definition.
For example, in order to provide differentiated HTTP/S services for two separate groups of
clients, you need to configure the following:
Source Network nw1
Source Network nw2
Virtual Server 1: VIP 100.100.100.100, Source Network nw1
o Service HTTP: Group 1
o Service HTTPS: Group 1; SSL Policy ssl1
Virtual Server 2: VIP 100.100.100.100, Source Network nw2
o Service HTTP: Group 2
o Service HTTPS: Group 2; SSL Policy ssl1

If, for example, you want to allow only HTTPS service for nw2 users, no HTTP service would be
configured for Virtual Server 2.

The new Network object type enables configuring complex networks for use in source network
classification. A network object can include and/or exclude multiple IP subnets and/or ranges.
The following is an example for the subnet definition described above:
nw1:
o Include 100.100.90.0/255.255.255.0
o Include 100.100.950.0/255.255.255.0
o Include 100.100.20.0 100.100.40.255

nw2:
o Include 100.100.0.0/255.255.0.0
o Exclude 100.100.90.0/255.255.255.0
o Exclude 100.100.950.0/255.255.255.0
o Exclude 100.100.20.0 100.100.40.255

Note: This new capability is currently only configurable via CLI and BBI.

GSLB in IPv6 Environment
Global Server Load Balancing is now supported for IPv6 environments. This support includes:
Support for AAAA query resolution that allows resolving a hostname to an IPv6 address.
Support for IPv6 GSLB networks to enable using the Network metric for IPv6 clients.
Support for IPv6 communication between remote sites.
New DSSP version (version 5) that provides support for IPv6.
DNSsec support for AAAA queries

Note: This new capability is currently only configurable via CLI and BBI.

DNS Layer 7 in IPv6 Environment
Layer 7 load balancing (according to hostname, query type, or DNS versus DNSsec type) is
now also supported for DNS UDP in an IPv6 environment (IPv6 clients and servers).

Least Connections per Virtual Service
The Least Connections per Virtual Service group metric is an extension of the current Least
Connections metric. It allows for real server selection based only on the number of active
connections for the service which is load balanced, and not the total number of connections
active on the server.
For example, when selecting a real server for a new HTTP session, a real server serving one
HTTP connection and 20 FTP connections takes precedence over a real server serving two
HTTP connections only.

Note: This feature was first introduced in version 26.3.1.0.

Configuration Audit
Alteon lets you log the details of all configuration changes to the syslog servers.
Note: Enabling this feature may increase the Management Processor (MP) CPU usage
temporarily if the configuration changes are very large.

SNMP Traps for VRRP
SNMP traps are sent when a VRRP virtual server router (VSR) changes status to either master
or backup.

Configuration Synchronization Feedback
Feedback on success or failure of Global Admin configuration synchronization has been added.
Reports are received on success or failure of synchronization with each peer.

Whats Changed and/or Modified
This section describes changes to existing features and components introduced in this version.
Changed Features in version 28.1.10.0
Trap Update for Link-UP Link-Down
The trap information of linkDown and linkUp were updated and added with the following
information:
ifName return Port <ID>, for example, Port 1.
agPortCurCfgPortName return the port name as defined at "/c/port x/name.
agPortCurCfgPortAlia - return the port alias as defined at under "/c/port x/alias".

With this change, the linkDown and linkup traps return the following MIBs in this:
altSwTrapDisplayString, ifIndex, altSwTrapSeverity, ifName, ifOperStatus, ifAdminStatus,
agPortCurCfgPortName and agPortCurCfgPortAlias.


Trunk port in VRRP Hot-Standby
In a VRRP Hot-Standby configuration, a trunk port is now considered as failed and its priority is
changed only when all the ports in the trunk are down.

No-Password Uniqueness
In case of pre-defined user password is changed from its default and no local users define, both
user name and password will be prompted upon login instead of only for password

IPv6 Link Local Address
The following enhancements were made to Link Local Address support:
Manual configuration of a VLAN Link Local Address
An address of type Link Local can be configured in a static route Gateway parameter.

Alteon VA Management
Alteon VA can now be managed through VMware API and File System.

Configuration Capacity Increase
The maximum number of configurable instances was increased for the following objects:
The maximum number of TCP scripts has been increased to 256.
The maximum number of static routes has been increased to 1024
The maximum number of GSLB networks for has been increased to 1024

Downgrade Protection
In order to mitigate crash-loops due to configuration parameters that are not supported in earlier
versions, after downgrading from version 28.1.x the configuration is restored to factory defaults
(preserving IPv4 management interface access). Starting with this version, after downgrading
from a version later than 28.1.5.0, the device will perform Apply verification after booting up with
the earlier version.

Layer 7 Sessions Failover
In order to ensure fast Layer 7 session failover to a new master device, the new master device
now induces clients to resend Layer 7 requests upon failover by sending a reset to the client
when requests are received over connections established with the old master.

SSL information HTTP Headers in 2424-SSL Format
In this release, the optional HTTP headers that carry SSL and SSL-based client authentication
information can be set to be in 2424-SSL compatible format. This new functionality eases the
migration of Web applications that used 2424-SSL for SSL offloading to AlteonOS 28.1.5.0, by
eliminating the need to change the Web application header parsing.
The new headers format is available when changing the comply command to enabled in one
of the following paths:
/cfg/slb/ssl/sslpol/passinfo
/cfg/slb/ssl/authpol/passinfo

The following table compares HTTP Headers formats between versions:

Location Info Type 2424-SSL 28.15 when comply
disabled
28.15 when comply
enabled
SSL Policy Cipher-suite N/A
Cipher-Suite: AES256-SHA Cipher-Suite: AES256-SHA
SSL Policy SSL Version N/A
SSL-Version: TLSv1/SSLv3 SSL-Version: TLSv1/SSLv3
SSL Policy SSL Cipher
Bits
N/A
Cipher-Bits: 256 Cipher-Bits: 256
SSL Policy SSL
complied
info
X-SSL:
decrypted=true,
ciphers="TLSv1/SSLv3
RC4-SHA
N/A X-SSL: decrypted=true,
ciphers="TLSv1/SSLv3
RC4-SHA"
SSL Policy IIS front-end
HTTPS
Front-End-Https: on
Front-End-Https: on Front-End-Https: on
Authentica
tion Policy
Client
Certificate
issuer
X-SSL:
peerissuer="emailAddr
ess=ct100@radare.co
m,CN=CT10,OU=CT1
00,O=Radare,L=NA,S
T=NY,CUS"
CCRT-Issuer:
/C=US/ST=NY/L=NA/O=Rad
wae/OU=CT100/CN=CT100/
emailAddress=ct100@radw
are.com
X-SSL:
peerissuer="emailAddress=
ct100@radware.com,CN=C
100,OU=CT100,O=Radwar,
L=NA,ST=NY,C=US"
Authentica
tion Policy
Client
Certificate
subject
name
X-SSL:
peersubject="emailAdd
ress=ct100@radware.
com,CN=User_0002,O
CCRT-Subject:
/C=US/ST=NY/L=NA/O=Rad
ware/OU=CT100/CN=User_
0002/e
X-SSL:
peersubject="emailAddress
=ct100@radware.com,CN=
User_0002,OU=CT100,O=

Location Info Type 2424-SSL 28.15 when comply
disabled
28.15 when comply
enabled
U=CT100,O=Radware,
L=N,ST=NY,C=US"
mailAddress=ct100@radwar
e.com
Radware,L=NA,ST=NY,C=
US"
Authentica
tion Policy
Client
Certificate
serial
number
X-SSL: peerserial=3
CCRT-SN: 03 X-SSL: peerserial=03
Authentica
tion Policy
Client
Certificate
SSL version
N/A
CCRT-Version: 3 CCRT-Version: 3
Authentica
tion Policy
Client
Certificate
signing
algorithm
N/A CCRT-SignatureAlgo:
md5WithRSAEncryption
CCRT-SignatureAlgo:
md5WithRSAEncryption
Authentica
tion Policy
Client
Certificate
not valid
before
N/A CCRT-NotBefore: Oct 12
18:05:37 2010 GMT
CCRT-NotBefore: Oct 12
18:05:37 2010 GMT
Authentica
tion Policy
Client
Certificate
not valid
after
N/A CCRT-NotAfter: Oct 12
18:05:37 2011 GMT
CCRT-NotAfter: Oct 12
18:05:37 2011 GMT
Authentica
tion Policy
Client
Certificate
Public key
type
N/A CCRT-publicKeyType:
RSA(1024 bit)
CCRT-publicKeyType:
RSA(1024 bit)
Authentica
tion Policy
Client
Certificate
HASH
N/A CCRT-MD5Hash:
9311345EB64A9D5968AF6
A471D480431
CCRT-MD5Hash:
9311345EB64A9D5968AF6
A471D480431
Authentica
tion Policy
Full client
cert
X-Client-Cert:
-----BEGIN
CERTIFICATE-----
MIIDfjCCAue...XZKw=
=
-----END
CERTIFICATE-----
CCRT-Certificate:
MIIDfjCCAue...XZKw==
X-Client-Cert:
-----BEGIN CERTIFICATE--
--- MIIDfjCCAue...XZKw==
-----END CERTIFICATE----
-

Header names are configurable in AlteonOS 28.x so they can be adjusted to comply with 2424-
SSL fixed header names easily in configuration.

Delete SSH Keys
SSH keys can now be deleted when reconfiguring the device from the /boot menu.

Entry Level 5224 ADC-VX
Alteon 28.1.5.0 supports entry-level ADC-VX (maximum of 10 vADCs) on 5224 with 12 GB
RAM.
Important! This offering is only available in the Americas region, for special promotion.

Maintenance Fixes
This section lists all fixed issues that were reported by the field personnel or mentioned
previously as known limitations or bugs in versions starting from version 28.1.0. Later versions
contain all fixes of earlier versions unless otherwise noted.
Fixed in version 28.1.11.0
Item Description Bug ID
1. Using the APSolute Vision client, configuration sync between
two Alteon platforms sometimes caused the Alteon initiating
the sync to crash. prod00189736
2. Using APSolute Vision client, it was not possible to set a the
Server Group ID in virtual services other than HTTP and
HTTPS prod00189732
3. IPv6 scripted health check did not close the TCP session in
case of multiple open and close actions in the same script. prod00189690
4. When issuing the 'save' command through the XML API
interface, Alteon crashed. prod00189552
5. Using the BBI, it was not possible to configure the USM User
Name (an SNMPv3 parameter). prod00189302
6. In a mixed IPv4 and IPv6 environment, after session entries
aged, Alteon sometimes crashed. prod00189144
7. In a mixed IPv4 and IPv6 environment, after session entries
aged, Alteon sometimes crashed. prod00189143
8. On an Alteon 5000 and 4416, in standalone mode, the
throughput usage calculation was incorrect, causing false
throughput alert messages to be sent. prod00188880
9. In VRRP hot standby mode, when the ISL port was set to
disabled on the backup Alteon, all hot standby ports on the
backup remained in DISABLED status and did not change to
FORWARDING status. prod00188830
10. With dbind enabled, the ICMP unreachable (Fragmentation
Needed) packet was forwarded to the server with the prod00188730

incorrect SEQ number.
11. After rebooting a vADC, with connection management
configured on a service and its associated server port
defined with VLAN-based PIP, the entire configuration
(except the management configuration ) displayed in the diff. prod00188476
12. In VRRP hot standby mode, when using trunk ports in ISL
ports and in client or server-side ports, when all ISL ports
were down all of the client and server side ports on the
backup Alteon changed to FORWARDING statues, causing
a Layer 2 network loop. prod00188370
13. After the Global Admin changed the backdoor settings for a
vADC user, the backdoor command did not display in the
Global Admin configuration dump and also did not display in
the vADC. prod00188348
14. When Alteon received a ping destined for a network
broadcast address, Alteon sent the ping reply with source
MAC address of ff:ff:ff:ff:ff:ff instead of the interface MAC
address. prod00188176
15. After rebooting a vADC with static ARP entries configured,
the entire configuration displayed in the diff. prod00188160
16. After the admin password was changed in the configuration,
the password displayed in clear text in diff and diff flash. prod00188159
17. After Alteon was up for about 200 days, it sometimes
experienced the following behavior:
- 100% SP CPU utilization
- Full system freeze
- Sudden system reboot with no panic trace

These issues seemed to occur without any network
changes, traffic patterns changes, user intervention, or any
other direct reason. prod00187911
18. When configuration auditing using TACACS+ was enabled,
the following issues occurred:

- The commands under the /cfg/sys/mmgmt menu were not
logged when entered in a single line.
- When configuration was performed using an SSH session,
no commands were logged. prod00187747
19. When a feature license was enabled on a vADC, a
vadcLicGlobal trap was generated but the
vADCNewCfgFeatBWM OID was missing. prod00187636
20. After Alteon rebooted with no space on the hard disk, the
configuration that had certificate and keys was not handled
correctly, resulting in the entire configuration displaying in
the diff. prod00187467
21. After upgrading from version 26.x to 28.x or 29.x, attempting
to connect to the platform from APSolute Vision resulted in prod00187168

an error because APSolute Vision could not retrieve the
device driver from Alteon
22. Using an SSH connection, uploading a configuration that
that defined SSHv1 as disabled changed the SSHv1 setting
to enabled (default). prod00187123
23. A high rate of packets with invalid TTL (value 0,1) that are
processed by the device could cause health check flip-flops,
VRRP flip flops, due to high MP CPU uitilization. prod00187051
24. When setting the DST time zone to the Canada/Eastern-
Ontario-&-Quebec time zone and the NTP Timezone Offset
(tzone) was +0:00, the NTP Daylight Saving Time (DST) was
not adjusted correctly. prod00186863
25. When traffic was processed through the Application Engine,
after VRRP failover an outage sometimes occurred. This
was because of RST or FIN packets sent by Alteon on
sessions that started on the main platform and which failed
over, using the VR MAC instead of the interface MAC
("confusing" the Layer 2 switch). prod00186846
26. When accessing device via TACACS authenticated user in
some rare cases the TACACS server closed the connections
at the same time the device TACACS request timed out and
it caused panic on the device. prod00186821
27. After uploading an image using SCP, the subsequent file
transfer via SCP (such as get configuration0), sometimes
caused Alteon to crash. prod00186670
28. Using the BBI with a RADIUS authenticated user whose
name length was longer than 21 characters, after logging out
of BBI Alteon panicked. prod00186667
29. SIP Load Balancing did not work with fragmented requests.
SIP requires that all fragments are first buffered and then
makes the load balancing decision. Because the last
fragment was dropped, the load balancing decision was not
be performed. prod00186644
30. When the configuration included a group for which backup
group is defined and a group with no backup defined, whose
ID was higher than the ID of group with backup defined, and
the traffic was processed by Acceleration Engine, when the
group that has backup was down, the servers in the backup
group appear as not in service, even though they are
available, resulting in 503 error response to clients. prod00186573
31. A DSR ICMP health check failed on servers running
Windows 2008R2 SP1. prod00186546
32. Sessions handled by the Application Engine were not aged,
if within 60 seconds after the FIN packet was sent by the
server it also sent a SYN (as a result of RST). prod00186501
33. When using an SSH management connection, Alteon
experienced instabilities. prod00186464

34. On an Alteon 5412 platform, the throughput was limited to
10G instead of 20G. prod00186287
35. When ADC-VX restarted after a crash or intentional panic
(using /maint/panic), Alteon experienced instabilities. prod00186261
36. Using SNMP, the temperature threshold was incorrect. prod00186095
37. When using TACACS+ Authentication, after entering user
credentials, sometimes the connection using SSH stacked
and no CLI prompt appeared. prod00186092
38. Using the BBI, a trap on a login failure attempt was not
generated. prod00185928
39. In VRRP hot standby mode, after a port was operationally
disabled and then enabled, the port configuration
enable/disable command did not work properly. prod00185423
40. On a backup platform, operationally disabling a hot standby
SFP port did not work. prod00185419
41. GSLB HTTP redirection did not work for an HTTPS service. prod00178810
42. Using URL SLB, when the GET URL split over multiple TCP
segments, the URL string matching was performed only on
the first segment, resulting in incorrect matching. prod00177975
43. In version 28.1.8.x, after setting the re-ARP period and
applying and saving in its old path (/cfg/l3/ip) instead of its
new path (/cfg/l3/arp), after reboot the command to set the
re-ARP period was disabled. prod00174075
44. Per second Interface statistics displayed incorrect values. prod00161478
45. The export tech support dump command did not prompt to
provide the file name with a .tar extension. prod00156435
46. In a vADC, the memory utilization output (/stats/sp/mem)
always displayed 0 Kbytes. prod00156430
47. The Last apply and Last Save times were not updated when
receiving the configuration from a peer switch during a sync
operation. prod00156326
48. In some cases, sending BPDIs on the external port failed
due an internal issue, when this happened, debug printouts
appeared on the console.
prod00190184
49. Using NAT filter, ICMP "Destination Unreachable" messages
response were not processed by Alteon , as session creation
and response happened to be on different SP's. prod00186201

50. When the application service log was set to debug
level, a GET/POST request containing %s or
%<number>s arrived, causing Alteon to crash. prod00185487
51. When the time zone was set to a location where DST
(Daylight Saving Time) is applicable but not in effect,
on every reboot the time moved back by one hour.

If after reboot the time changed to a value earlier than
the certificate issued time, the error server
certificate not yet valid displays. prod00185363
52. In a session that had a number of GET requests where
the cookie is bound to a server in down state, the first
GET request was redirected to another server that was
in up state, while the other GET requests were sent
incorrectly to the first server which was in down state. prod00177865
53. Configuration changes for TCP and content class trace
log were incorrectly applied. As a result, warning
messages regarding the Application Services Trace
Log performance impact were potentially sent every
few hours even after all logs were disabled. prod00177729
54. The description for some MIBs related to real server
statistics per SP were updated to reflect their "per SP"
relation. prod00185158
55. In force proxy mode, when the client sent a FIN and
the server answered with an RST, fastage was not
activated on the session entry. prod00177443
56. Throughput license alerts only worked on the Alteon
4408 platform and not on any of the other platforms. prod00177506
57. Resize of the vADC file system:
==========================
In VX versions as 28.1.2.0 and below, the vADCs were
allocated with a low size as ~7.5MB instead of having
more than 50MB.
This caused inability to capture traffic on the vADCs

As upgrade doesn't change the size allocated in
previus version to vADCs, we introduce the command
/maint/debug/resizevadc
The command will check if vADC resize is needed.
prod00179399

If so, the user will be asked to confirm the process will
being informed that requires system reboot which may
take up to 1.5 hours.

Resize operation on 28.1.10.0 changes the vADCs size
to ~100MB

Note: USB Recovery procedures to these versions will
also allocate the right sizes to the vADCs
58. After reboot, the ISL VLAN configuration for a vADC
was moved to pending state . prod00177682
59. When the resolution was set to one hour or one day,
the ADC-VX dashboard displayed incorrect statistics. prod00178193
60. When a real server and Alteon VA resided on the same
ESX, HTTP health checks failed. prod00179128
61. When using a passive cookie, dbind forceproxy, and
the hash metric, if the cookie value did not match any
session entry, the cookie value was used as the key to
select the real server instead of using the source IP. prod00184579
62. The administrative user with the Service user class
could not display any information or statuses of the real
servers for which the administrative user was defined
as the owner. prod00138330
63. After the NTP time zone was modified using
/cfg/sys/ntp/tzone, the system time zone was not
updated.
prod00150654,
prod00174180
64. VRRP advertisements were still sent even when all
ports were down, causing the advertisements counter
(/stat/l3/vrrp vrrpOutAdvers) to continue to increase. prod00157795
65. The output of the /info/l3/route/dump command
displayed internal debug information irrelevant to
Alteon end-users. This output now only appear only in
God mode. prod00164538
66. In Global admin mode, the incorrect stat/vadc X/sp
Y/mem command syntax was accepted. The correct
syntax is stat/vadc X/sp/mem. prod00177262
67. In Alteon VA VMware version 28.1.9.0, high MP CPU
utilization was always observed even though the actual
prod00185069

CPU utilization was low.
68. When vstat was enabled, the virtual service octets
counter wrapped around at the 4,294,967,295 value
(32-bit). prod00185606
69. The user-defined cipher parameter was incorrectly
limited to 64 characters. prod00178811
70. When a NAT filter was configured, traceroute failed
because ICMP TTL Exceeded Timeout (ICMP type 11)
packets that arrived with NAT address as the
destination IP, were dropped.
prod00178853,
prod00185053
71. If several virtual servers had the same VIP, when a real
server returned an HTTP redirection, an internal tunnel
port was added to the location header. prod00178751
72. After applying and saving a configuration that was
uploaded over a factory default setting, an incorrect
message displayed stating that there may be unapplied
configuration changes, even though all changes were
applied. prod00179387
73. Using BBI, a virtual router could be deleted while still
being a member of a VR group. prod00178423
74. When dbind was enabled on a service, the session
timeout was set to the value configured on the real
server instead of using the timeout configured on the
virtual service. prod00179486
75. vADC SP memory statistics did not function. They
always displayed 0. prod00177007
76. If multiple virtual servers shared the same VIP, when
the virtual server with a higher index was deleted the
Virtual Server Router (VSR) of that VIP was stuck in
the INIT state. prod00177399
77. The SNMP trap always were sent to the default port
(162) regardless of the configured port number. prod00185083
78. On an Alteon VA platform using BBI, it was possible to
install a new image to the active image slot. prod00185159
79. When the Inter-Switch port was down, the hot-standby
ports that belonged to a trunk kept their STG state as
LISTENING after boot-up, even though STG was set to
prod00185612

off.
80. The following MIB objects appeared twice in the MIB
file: agTftpImageAdc and agTftpImageVx prod00184976
81. Using BBI, a virtual server with the UDP stateless
protocol displayed as TCP. prod00184977
82. The content class element
Hostname/Path/Filename/Filetype did not match an
empty value. prod00185431
83. In case of script health check, where the expected
response string is bigger than 40 chars, if a health
check bigger than 60 chars did not match the expected
string, the device crashed. prod00184908
84. In a configuration where the Hot-Standby ports belong
to a trunk on both client and server network, in case all
the ISL ports were down, a L2 network loop occurred prod00179395
85. In case of a multiple request connection arrived to a
virtual service configured with HTTP content
modification and connection management,
If the second request arrived at the same time the
service cannot respond (service down or in 100% CPU
for example), the device may crash. prod00178731
86. Traps vadcStateUp, vadcStateDown,
vadcStateShutdown and vadcStateRestart were
removed from the MIB file as they are not supported. prod00178727
87. When TACACS+ logging is enabled, in some cases
when performing apply from the CLI alone with TAB,
before hitting enter, the device may crash. prod00177992
88. In some cases, configuration synchronization from the
VX caused the backup VX to crash prod00185644
89. When application service log was set to debug level, a
GET/POST request containing %s or %<number>s
arrived caused the Alteon to crashed.
prod00185316
90. Setting application service modules log level to none
did not change the TCP module log level to none as
well. prod00185168
91.
From performance reasons, we have removed the
prod00185738

mechanism that automatically changes the application
log level to debug in case of large amount of messages
per session arrives.

92. Using the BBI to download an image more than once
via HTTPS, occasionally caused Alteon to crash. prod00174597
93. The following changes were made due to BDPU packet
loss in Alteon VX:

- You can now use the /c/sys/acc/rlimit command to
limit the number of BPDUs handled per second per
port on Alteon VX.

- The default BPDU limit was changed to zero
(unlimited). In previous versions it was hard-coded to 5
BPDUs per second per port for Alteon VX, and to 5
BPDUs per second per port for standalone Alteons.

- A counter was added to show the number of BDPU
packets dropped in Alteon VX and can be found at
/stats/vx/counters.

- Alteon vADC now accepts all rlimit values, except for
BPDUs (which are processed in Alteon VX). prod00176509
94. An incorrect trap (vADCInfoStatus) was generated from
GA upon vADC reboot. prod00173256
95. Redirect persistent sessions were not aged out when
rport was configured with the filter. prod00174261
96. When RTS was enabled on client port, the RTS
sessions were wrongly created on all SPs, causing the
sessions on the non-relevant SPs to persist and not
aged out. prod00174301
97. The management port became inaccessible when the
management connection was closed before TFTP
upload/download tasks via the management port (such
as support dump and configuration dump) had ended
completely. prod00177406
98. It was not possible to add a GSLB IPv4 remote site via
Vision. An error related to IPv6 was incorrectly
prod00175919

generated.
99. In some cases it was not possible to download the
cached content. prod00176971
100. In a configuration were the data port gateway and a
real server had the same IP address, and both had an
ARP health check, the gateway frequently lost its
connectivity, causing the VIP to become inaccessible. prod00177212
101. Redirection to HTTPS requests failed if the virtual
service was defined with an HTTPS redirection action
which using "$QUERY", and the requests to redirect
contain an odd number of characters in the string. prod00175362
102. After changing the real server operational status to
disable and then to enable, its state changed to block
although its health check succeeded. prod00175800
103. Traps altSwcpuCross80 and altSwcpuFell80 are now
obsolete. prod00173561
104. Incorrect trap OIDs were sent for vADC throughput
limit, vADC ssl limit, and vADC compression limit. prod00173851
105. When a VRRP status change occurred on vADC, an
incorrect trap OID was sent. prod00173921
106. Applying a content rule in a virtual service sometimes
failed when the rule was not added in the consecutive
numerical order to rules already applied. For example,
applying rule 6 failed where rules 5 and 7 were already
running. prod00174209
107. Using the BBI to upload a new image to the active
image bank caused Alteon to become non-bootable
and require USB recovery. prod00176870
108. Incorrect trap host address was shown under
/info/sys/snmp/taddr. prod00174552
109. ColdStart (sent on startup) and WarmStart (sent on
reset) traps were not generated in Alteon versions after
28.x. prod00176003
110. When a feature license was enabled on vADC, an
incorrect trap OID was sent. prod00174181
111. When vADC was deleted, the vadcDelete trap was not
generated. prod00174183

112. When capacity units where added or removed from
vADC, the vadcCapUnit trap was not generated. prod00174185
113. When setting the Alteon health check content in the
group to a value longer than 127, no warning appeared
although Alteon did not accept this content. prod00174273
114. In a standalone Alteon, when trying to set the BWM
user table size using the BBI, an incorrect message
sent stating that the maximum allowed entries is 16K
entries per SP. prod00174400
115. A RADIUS/TACACs+ secret password including "!"
disappeared from configuration after reboot.
prod00175349/
prod00175631
116. For WAP SLB with RADIUS persistence, group
statistics showed that all traffic was sent to one server,
although the traffic was actually load balanced between
several servers. prod00174693

1. In version 28.1.8.40, when uploading the configuration
with a private key, the key extraction failed because the
passphrase was not parsed correctly. prod00174411
2. In version 28.1.8.20, the redirection filter with client
proxy processing enabled did not work. prod00174272
3. When a SIP service with no SIP parsing was used,
various configuration additions (such as adding a filter,
adding Layer 7 parsing for other services, disabling
local DAM) caused session failures on that SIP service. prod00174120
4. HSRP tracking did not work-- the priority was not
increased. prod00173856
5. When some services used the legacy delayed binding
and some used forceproxy, under stress, the HTTP
503 error message could appear on the proxied
session due to server selection failure. prod00173770
6. Using the BBI, when configuring the intermediate
certificate name, the device panicked. prod00173754

7. After switching to verbose 1 mode, a service
configured in verbose 2 mode was erroneously
changed to basic-slb. prod00173750
8. When the scpadmin user on a TACACS server had
the same password as the scpadmin on the device,
logging in with the scpadmin user caused 100% CPU
usage.
In addition, it was not possible to login with any
username that had the same password as the
scpadmin user. prod00173687
9. Least connection load balancing on a real server port
(rmetric) did not work with SLB IPv6-to-IPv4. All of the
requests were load balanced to the first rport of the
server. prod00173370
10. SIP load balancing did not work when DAM was
enabled globally and disabled under the service. prod00173282
11. The SNMP Trap Source IP setting was not taken into
account and was not set as the trap source. Instead,
the first interface that was UP was considered to be the
trap source. prod00173274
12. On traffic matching the IPv4 redirect filter with proxy
processing enabled on the port, and no PIP address
defined, Half NAT was not performed. Half NAT was
performed correctly for the same configuration
processing IPv6 traffic. prod00173219
13. When the device rebooted with an expired certificate in
its configuration, after the reboot all the configuration
remained in pending state. prod00172948
14. In session dumps collected via SNMP, the EAcc and
Acc flags were missing. prod00172918
15. Sessions collected via SNMP were not showing
correctly when session entries were deleted or aged
during the collection process. prod00172917
16. On the 5224 platform, incorrect temperature thresholds
were displayed. prod00172904
17. In an ADC-VX environment, creating or changing Layer
2 configuration items such as trunks or VLANs caused
all the VIPs on the VADCs to stop function for up to 30
prod00172709

seconds.
18. It was not possible to delete session entries by using
the slbOperSessionDelete SNMP SET command. prod00172596
19. Because in version 27.x, the default protocol for DNS
and SIP services was changed from TCP to UDP, after
upgrading from version 26.x to 28.x, configuration
changes in the protocol setting occurred. prod00172595
20. Using the Chrome browser, Alteon did not release the
TCP connection created by opening HTTPS
management to the device via a data port. prod00172310
21. Removed the /boot/udefquit command on
console/telnet/ssh because rebooting the device from
the console using Shift + Ctrl + "-" is not supported on
OnDemand Switch platforms. prod00172213
22. Using BBI or APSolute Vision, it was not possible to
export a configuration with private keys. It is now
possible on HTTPS and SNMPv3 connections. prod00172196
23. Virtual service statistics did not display the content
based-service rules statistics when the service port
was different than 80. prod00172059
24. When accessing the device via BBI using the non-
default OPER user, the Class Of Service is displayed
as USER instead of OPER. prod00172057
25. After an SNMP request to 802.1AB LLDP OIDs, VRRP
flip flopped. prod00171983
26. After configuration sync, the order of the virtual
services section in the configuration dump was
different in the sending peer than in the received peer. prod00171762
27. In a VRRP pair configuration with DNSSSEC enabled,
configuration sync could cause both peers to be set
with keyslave enabled. prod00171761
28. After executing the /stats/sp/c +[tab] command in the
fourth Telnet/SSH session, the device crashed. prod00171758
29. In version 28.1.8.30, a revert apply with an interface
address change could cause the device to hang. prod00171609
30. The BPDU frame length for RSTP and MSTP BPDUs
was incorrect -- Alteon indicates a frame 14 bytes
prod00171399

longer.
31. Using BBI, when a real server or virtual server was
added to the GSLB metric, the preference value was
set to 0. Now you can define network preferences
values using BBI. prod00171391
32. In a VRRP owner configuration, editing or deleting the
interface IP address or VIR address did not update the
interface MAC address to the base MAC address. prod00169623
33. After applying configuration changes that affected the
routing table, the device sometimes panicked. prod00169133
34. Due to unnecessary validation during boot-up, the
vADC configuration was not applied automatically and
instead moved to diff. Manual apply was then
required to make it active.
prod00162680/
prod00170875
35. It was not possible to delete an IPv6 management
interface. prod00160336
36. When an apply command was performed in parallel
with a configuration change done from another CLI
interface, the CPU utilization increased.
prod00156307

37. When the passphrase configured for certificate sync
contained an "!" character, the configuration was not
loaded after reboot. prod00171765
38. When force proxy was used, the default BWM contract
(ID 1024) did not work, as well as application
acceleration capabilities and SSL acceleration. prod00171616
39. When Alteon inserted an x-forwarded-for header and
dbind is set to enabled, a client request corruption
occurred.
When dbind is set to force-proxy, this client request
corruption does not occur. prod00171441
40. If one of the ports in a trunk was down, the trunk was
declared down for port teaming.
In this version, the trunk is now considered up for port
teaming if at least one trunk port is up. prod00171252
41. Alteon did not process the HTTP CONNECT method.
After a service with application acceleration configured
received the CONNECT method, the service closed the
prod00171244

connection by sending [FIN,PSH,ACK] to the client.
42. When rport load-balancing was used with pbind cookie
and dbind force proxy, virtual server statistics were
incorrect prod00171178
43. When receiving multiple GET requests in the same
TCP session that matched both cookie persistency and
URL SLB and that were designated to different real
servers, the persistence sessions that were created
were not removed from the session table, causing the
session table to fill up prod00170976
44. On a device with an ADoS license and DoS attack
enabled on the port, ICMP type 3 packets (destination
port unreachable) where considered as ICMPLEN DOS
attacks, causing the MP CPU to reach 100%. prod00170909
45. After migrating from the 2424 platform to the 5412
platform, WTS load-balancing did not work. This
happened because of the difference between the CPU
chips used in each platform and the way the IP
addresses are stored in memory. prod00170776
46. With GSLB set to enabled, HTTP access set to
disabled, and wport set to 80, it was not possible to
apply a configuration. prod00170745
47. When real server backup with preemption were
disabled, because an apply causes a server to either
go up or down, when the backup server health check
arrived before the primary server health check, the
backup took over even though the primary was still
alive.
prod00170723,
prod00170456
48. The command description for importing and exporting a
certificate component was improved prod00170462
49. In a configuration with the same real server with
preemption disabled was associated to multiple groups
that function in different virtual services, if the primary
server failed, the backup server took over only in one
group.
prod00170454,
prod00170317
50. Configuring real server backup with preemption
disabled created tje following problems:
1. Preemption disabled did not work for some real
servers (depending on their index).
prod00170453,
prod00170067

2. If the primary server came up before the backup (for
the first time after reboot), and the server went down
then up again, preemption acted as if it was enabled.
51. After failover, on the ex-Master, the status of some
primary servers with backup preemption disabled
changes to operator DISABLED and backup server
took over.
prod00170451

52. Using a redirect filter, if a real server with preemption
enabled failed, its backup real server took over and
acted as if preemption was disabled when the primary
real server came back up (traffic was still sent to the
backup server even though the primary was up). prod00170374
53. Network class deletion was not synced to a peer
switch. prod00170347
54. backup group real server showed in service info output
as "group dis, up" and no traffic sent to that real
although the backup group was up.

This happened when the primary group went down and
the backup group became active and then 2 more
groups were added using the same real server from
the backup group prod00170175
55. In an ADC-VX environment, MSTP/RTSP was not
working. prod00169943
56. In a vADC environment, a tsdump command caused a
VRRP to flip flop (meaning that the backup became
master and after a short time became the backup
again) and all services defined on that vADC went
down. prod00169942
57. Throughput information showed much higher values
than the actual throughput. prod00169940
58. When an IP fragment ping was sent to a VIR, VIP, or
VSR, the interface MAC address was used as the
source MAC of the ping reply. prod00169338
59. When the IP address of a VIP was changed, the ARP
entry with the old VIP address was not removed even
though there was no other VR with the same address
as the old VIP. prod00169334

60. On an OnDemand Switch 3 platform, traffic from
source TCP ports 4 or 5 displayed incorrectly in the
session table, as follows:
1. Aged-out sessions still appeared in the session
dump
2. Live sessions were displayed incorrectly as BWM
sessions. Their source IP addresses and ingress ports
appeared as 0. prod00169037
61. SLB VIP was added automatically to the OSPF
database and distributed to the peers even though the
default route redistribution was configured (no host
redistribution defined). prod00168364
62. When entering a new virtual service menu without
changing anything under that menu, Alteon considered
it as a configuration change even though diff was
empty. prod00167509
63. Wrong FAN failure Syslog messages were sent while
the tsdmp showed FAN OK.
prod00153747/
prod00153290
64. In a vADC environment, after importing a configuration
without its private key, even though the apply was
successful after the import it was not possible to
access the server certificate menu. prod00156551
65. In DSR mode, ICMP health checks were sent to real
server IP rather than to sending it to the loopback
address (the VIP IP address) prod00170244
66. SIP session entry was not aged properly in a case
where INVITE reuses a session that was already
deleted/moved to fastage. prod00169941
67. Network mask of localnet was not displayed properly prod00169609
68. When using configuration with multiple interfaces, the
device became inaccessible, within 5 minutes from
upgrade to 28.1.8.20
prod00169565,
prod00169455,
prod00169458
69. SNMP Get/GetNext request to 1.3.6.1.2.1.2.2.1.3.x
caused the Alteon to enter freeze state. Reboot was
needed to exit this state. prod00169455
70. BPDUs of disabled VLAN were flooded on all ports. prod00169555
71.
Alteon device sometimes panicked after applying
prod00169333

configuration changes that affected routing table.
72. HTTP traffic affected by vADC SSL CPS limit. prod00169253
73. After running SNMP traffic for some time, all
management activities became inaccessible due to a
memory leak
prod00169141,
prod00169111
74. SNMP services became down after upgrade. That
happened due to a changed added in SMTP Health
check in version 28.1.8.10.
Now, SMTP HC made common for both IPV4 and
IPV6, meaning that SMTP HC will send a "vrfy" even if
there is no content is configured. Some SMTP servers
does not reply to "vrfy" since they are waiting for
additional data and therefore can be considered as
down prod00169052
75. vADC reset occured when accessed a virtual service of
type ''service ip''. prod00169012
76. In a URL redirect from HTTP to HTTPs setting, GET
request without the host header caused the device to
crash prod00168862
77. When adding PIP for port range via BBI, an error
message appeared prod00168757
78. Passive cookie persistency with rport load-balancing,
when the cookie is not found and the client request is
within the same TCP connection, rport persistency was
not maintained prod00168751
79. Health Check Script above 156 caused the virtual
service to go down for several seconds prod00168588
80. HTTP content class and http modification did not work
together when both made a decision according to
HOST header prod00168515
81. SIP outbound call was not working prod00168443
82. It was not possible to define Script health check
between 64 to 256 prod00168271
83. nonat on RTSP virtual service was not working. prod00166915
84. Some syslog messages on management port were
missing,
No message was sent after the management IPv6
prod00166720

gateway address and therefore it was thought to be not
UP
85. In hot-standby environment, when there are more than
256 VSRs, the following syslog message appeared in
the backup: "vrrp: received incorrect addresses" prod00165484
86. Querying the vADC interface using a 64-bit counter
MIB returned a value of 0. prod00162440
87. A change in the Layer 3 configuration caused the
default gateway status to flap.
prod00168365
88. After upgrade, the pending configuration message
displayed even though no pending configuration
existed.
prod00167780
89. With the TACACS+ command login enabled, after
executing an Alteon global command (such as save,
apply, or diff. Alteon sometimes crashed.
prod00167541
90. When a hot-standby port was not part of VLAN
assigned to the vADC, it was not tracked for VRRP
priority.
prod00167398
91. An IPv6 VIP responded with the incorrect source MAC
address.
prod00167397
92. In a DNS hostname configuration using regular
expressions, uppercase characters were always
changed to lowercase.
prod00167326
93. On a 4408 platform, sometimes a FAN status alert was
sent for non-existing fans.
prod00167173
94. When a Layer 7 DNS string was configured to match at
the end of the chain (using the $ symbol), if the string
existed twice in the DNS query, it was considered to be
no match.
prod00167152
95. Alteon dropped broadcast ARP replies with a unicast
target MAC address.
prod00167139
96. In an ADC-VX environment, the OID of
vadcStateVrrpMaster / vadcStateVrrpBackup trap was
incorrect.
prod00167105
97. The TACACS usernames did not display in the login
syslog message.
prod00166917
98.
In an ADC-VX environment, in the BBI dashboard the
prod00166916

SSL CPS information was incorrect.
99. On a 4408 platform, during upgrade a file missing
error message displayed.
prod00166885
100. The SNMP trap for link up and link down was not clear
and did not indicate the port number and its state.
prod00166805
101. When the Technical Support dump was issued via SSH
and the terminal immediately closed without writing the
output, Alteon would sometimes crash.
prod00166745
102. In a vADC, when its two CUs were located on the
same SP core (with a different HAID),a VRRP
advertisement conflict occurred .
prod00166743
103. After issuing the "session clear" command, sessions
that were removed on the master were not cleared on
the backup.
prod00166740
104. NTP requests were not sent from an IPv6 management
port.
prod00166538
105. Using BBI, when exporting all VX and vADC
configurations, the vADC configurations were not
restored properly.
prod00166537
106. On a 5224 platform using BBI, the displayed
management IP was different than the one configured
in CLI.
prod00166536
107. The Spain daylight savings timezone was incorrect. prod00166534
108. An IPv6 VR did not reply to ICMPv6 requests. prod00166453
109. ICMPv6 router advertisements were not dropped by
the deny filter.
prod00166448
110. Configuration synchronization was not working prod00166199
111. Redirection filters did not work correctly when proxy
was enabled on the port and the filter was defined with
rport, even though no proxy IP was configured in the
filter.
prod00165876
112. OSPF static/fixed selective route redistribution using
route maps did not work.
prod00165847
113. Latency occurred due to a high port reuse rate. prod00165578
114. In a VRRP hot-standby configuration, when the ISL link
went down, the IP interface also went down on the
prod00165487

backup vADC.
115. Script health checks were not allowed for an IP type
virtual service.
prod00164543
116. In a VRRP hot-standby configuration, when the master
vADC panicked (booted up very quickly), the failover
was not performed properly.
prod00162893
117. After importing a file that contains more than one
certificate, Alteon crashed.
prod00160343
118. The SNMP trap for link up/down did not indicate the
related port number.
prod00167018
119. Using RTSP SLB, TRCP and RTP sessions were not
cleared from the session table on
time.
prod00166549
120. On a 5412 platform, when manually disabling an SFP
copper port, the link did not go
down on the peer switch.
prod00166339
121. When multiple VIPs used the same real server, in the
traffic that returned to the client
that caused a session failure, the real server IP to VIP
translation was wrong.
prod00166243
122. On an Alteon 10000 platform, an irrelevant reboot log
appeared.
prod00166207
123. Rarely, after upgrading to version 28.1.5.0, an HTTP
1.0 request from a proxy caused
the device to crash.
prod00166193,
prod00166980
124. In a filter with session table caching disabled and
tunable hash based on the source or
destination IP, group redirection did not occur.
prod00165795
125. When setting the backup group for a group with no real
server, an unclear message
displayed.
prod00165506
126. When the request header was larger than 16K, SSL
decryption failed.
prod00165389
127. When DSR was configured, many sessions were
created for a single HTTP request,
prod00165358

causing the session table to fill up even though the load
was minimal.
128. BWM statistics sent to an SMTP server configured on a
data port caused a device panic.
prod00165357
129. On an Alteon 5412 platform with 32GB memory, a
client request that reached 50K TPS
caused the device to crash.
prod00165275
130. When compression was used along with multiplexing,
an HTTP 1.0 client, and server
keep-alive, transactions did not finish because a FIN
was not sent by the server.
prod00165251,
prod00166979
131. SSHv2 management connection did not work with a
Sun Solaris client.
prod00165231
132. SSH management on data port caused a device panic. prod00165216
133. When a second HTTPS request arrived on an existing
TCP session, Alteon sent the
request to the same real server selected for the first
HTTPS request without checking if there was a new
URL SLB match.
prod00165016
134. Using BBI, configuring port mirroring caused the Alteon
device to panic.
prod00164932
135. In a redirect filter with session caching disabled, when
all the real servers were down,
the packets were dropped instead of being forwarded
to the default route
prod00164910
136. When SNMPv1 and v2 where disabled, Alteon
answered SNMPv1 requests with an
error message instead of not answering at all.
prod00164896
137. The td-config and shared maintenance debug
commands were available in normal mode
instead of being available only in god mode.
prod00164787
138. CISCO PVST and BPDU frames were not always
tagged when sent out from a tagged
port.
prod00164731
139. Alteon did not forward BPDU frames in VX mode. prod00164710

140. In a GSLB environment, when more than 10 VIPs were
configured with the same
domain, the device panicked on a DNS response for
that domain.
prod00164708
141. The real server state was not set to block when one of
the services it served was down.
This happened when the real server was defined with
multiple addports associated with
prod00164632
142. Only ICMP health check can be used for virtual
service for type IP
prod00141916

1. Configuration synchronization was not working prod00166199
2. BPDUs were not always tagged when sent out from
tagged port prod00166164

1. Using IPv6 script health checks resulted in high MP
CPU usage. prod00164420
2. On an Alteon 5412 platform, LACP packets were
dropped by Alteon VX. prod00164305
3. On the Alteon 5412 and 5224 VX platforms, when STP
was set to off, STP and LACP packets were not
forwarded. prod00164227
4. On an Alteon 5412 platform, STP packets were
dropped by Alteon VX. prod00164223
5. It was not possible to connect using Vision to Alteon
28.1.6.0 prod00164196
6. The SLBadmin user was unable to apply configuration
changes. prod00164136

7. When session caching was enabled, IPv6 filter
redirection did not work. prod00164003
8. Synchronization of DNSSEC configuration changes
were automatically performed on apply, even though
no peers were configured. prod00163824
9. When Layer 7 modification was defined, dbind was
automatically changed from enabled to forceproxy. prod00163767
10. The SSH management connection became
inaccessible periodically, and running SSH on/off did
not revive the connection. After several such retries,
the device reset.
prod00163531,
prod00163229
11. On an Alteon 5224 platform, BWM was not working on
ports 17 through 26. prod00163417
12. On an Alteon VX 5224 platform, in viewing the vADC in
the BBI, there was a mismatch between the VLAN
table and the Physical Ports table. prod00163394
13. On a Alteon VX 5224 platform, in the BBI L2 Physical
Port pane, the port speed of ports 19 through 24
displayed the incorrect values. prod00163392
14. Alteon VX crashed in certain cases due to SSH
management connection. prod00163271
15. NAT was not performed on SDP data (in SIP) with
response codes other than 200OK

Now it is also performed for 180 RINGING and 183
SESSION IN PROGRESS response codes. prod00163262
16. ADC-VX could capture traffic from only one vADC at a
time. Now separate files are saved for each vADC. prod00163247
17. When 1. creating a disabled virt, adding a content class
rule to it, and applying it, and then 2. enabling the virt
and applying it again, Alteon replied with a "503" HTTP
response code (=servers down) when matching the
content class, even though the servers were actually
up. prod00163224
18. In a Layer 2 DSR environment, DNS UDP health
checks caused the device to crash. Upgrade from
27.0.3 to 28.x results in panic once VRRP activated. prod00163185

19. Using RADIUS authentication, SSH user access was
blocked for an unlimited time, even though it was
defined as authorized. prod00163112
20. In APSolute Vision, the secure cookie insert
configuration showed opposite settings from the device prod00163098
21. When the ADC-VX and the vADCs were installed with
different versions, vADC sync failed. prod00163077
22. In the BBI, an incorrect breadcrumb appeared in the
Layer 3 sub-menus. prod00163017
23. When VRRP failover occurred, it took the default
gateway 8 seconds to get back online. prod00162931
24. Using SCP to transfer the configuration and commands
to Alteon did not work on ADC-VX/vADC. prod00162738
25. When the device was under heavy load, sometimes
FDB table corruption occurred, causing ARP and ICMP
packets to be discarded. prod00162636
26. After adding a couple of interfaces, the device
panicked. prod00162562
27. Some of the SSH/Telnet management connections
were not closed properly in vADC, causing the
maximum commotion (4) to be reached. As a result,
new management connections could not be opened. prod00162450
28. Querying the vADC interface using a 64-bit counter
MIB returned a value of 0. prod00162440
29. It was not possible to set a virtual service IP supporting
both UDP and TCP protocols in the same service. prod00162382
30. Executing many putdumps commands sometimes
caused ADC-VX to crash prod00162230
31. Adding a second VIP with RTSP SLB that uses the
same real server as the first RTSP SLB service caused
the sessions to the first VIP to fail. prod00162090
32. An empty "name" in the "team" configuration dump
caused restoring the configuration to fail. prod00162051
33. Dynamic proximity calculation results were incorrect. prod00162044
34. When exporting the configuration using the putdump
command, the user password displayed in clear text. prod00161980

35. Using the BBI, in a VRRP service based group, it was
not possible to disable share and preempt. prod00161975
36. Using the BBI, it was not possible to change an SSL
service rport to 443 when back-end SSL was disabled. prod00161441
37. Virtual service statistics were incorrect for services with
dbind enabled and pbind set to sslid prod00161245
38. Some validation checks for matching between the
server certificate and private key were missing. prod00160917
39. The output of the real server group mapping command
(/info/slb/bind) was incorrect. prod00157497

1. When cookie insert for persistency and Layer 7 string
matching were configured in an HTTPS offloading
service, and the traffic did not contain any matching
cookie or string, a server was selected instead of
responding with HTTP error 503 (server unavailable). prod00162602
2. With a heavy load of HTTP "Connection: close" traffic
and connection management enabled, software panic
sometimes occurred when several responses were
sent from the server for one request. prod00162148
3. When the port command was retransmitted, Active
FTP load balancing did not work properly. prod00162078
4. Under certain circumstances, unpredictable behavior
occurred with certificate management (such as loss of
keys, unable to connect via SSH, the diff flash holds
the configuration after reboot, and so on). prod00161974
5. When a client HTTPS request did not match any of the
strings assigned to the real servers, after Alteon reset
no response was received and SSL terminated. prod00161818
6. When the GSLB network IP version was not manually
defined, the proximity GSLB worked incorrectly. prod00161647
7. The redundant capability of setting an SNMP service
with TCP protocol was removed. prod00161584

8. The configuration apply command generated incorrect
and irrelevant VRRP syslog messages. prod00161579
9. Transferring a large file using an HTTPS service took
much longer compared to an HTTP service, because a
small TCP window size was set. prod00161459
10. For virtual services configured with SSL offloading
where the front-end and back-end ports are the same,
the service back-end port on the backup device was
changed during configuration synchronization. prod00161446
11. Using VRRP with stateful failover configured, when the
backup device booted up after upgrading to version
28.1.5, the master device rebooted repeatedly. prod00161442
12. In version 28.1.5.0, when X-Forwarded-For was using
with dbind enabled, the sequence number on the
second get request to server was incorrect. prod00161266
13. In version 28.1.2.0, an image upgrade via HTTP
transport caused a panic. prod00161254
14. In BBI, a clear operation in SLB monitoring cleared the
session table instead of clearing SLB statistics prod00161019
15. In an HTTP persistency configuration, the path was
added to the cookie header even though it was not
configured in the pbind cookie insert configuration. prod00161011
16. The connection splicing statistic was not updated with
dbind forceproxy. prod00161007
17. Alteon panicked when "host:" string was not found in
the URI of a request. prod00160900
18. The RADIUS secret password was synced during
configuration sync. prod00160668
19. When all the real servers in a group and backup group
were down, the virtual server information displayed the
backup group as disabled. prod00160637
20. On Alteon with SSL acceleration card, a very heavy
load can cause a switch panic prod00160610
21. The swkey (license information) command did not
display the installed default throughput license. prod00160459
22. A non-updated Geo database was used, causing Geo
IP resolution for a DNS query to be incorrect. prod00160397

23. In certain cases, out-of-order fragments traffic with
proxy IP configured caused the device to crash. prod00160348
24. After upgrading from version 28.0 to 28.1, an apply
failed due to a certificate synchronization error, even
though no certificate was configured. prod00160341
25. Active FTP load balancing did not work properly when
PORT command retransmission occurs. prod00160294
26. On a virtual service with both caching and compression
policies, when compression was set disabled, caching
also stopped working prod00160249
27. After USB recovery, redundant message appeared
before the login prompt prod00159887
28. On on Alteon 5224, STP and LACP packets that were
received on ports without a VLAN tag configured were
dropped. prod00159860
29. In a vADC hot-standby configuration with Layer 4
switch port tracking enabled, resetting the master
vADC caused the backup vADC to take over only until
the master vADC started again. prod00159834
30. session matched on redirect filter with Linklb and FTPA
enabled where created with ageing 0 and got
disconnected quickly prod00159775
31. On 4408/4408-XL devices, throughput license
information showed irrelevant value when default
throughput license was installed prod00159763
32. It was possible to set the default gateway address to a
virtual server and PIP. prod00159741
33. In a vADC, server responses with the destination MAC
of a different vADC were not processed and were then
dropped. prod00159723
34. During image download on VX, LACP trunks where
blocked for about 2 minutes causing network traffic
instability prod00159550
35. When persistent entry exists but corresponding real
server was down or disabled, Alteon answered with
HTTP Error 503 (Service unavailable) instead of
selecting new server prod00159531

36. When TCP based health checks (i.e HTTP, FTP) were
configured for UDP based services, TCP port health
check was performed instead of ICMP prod00159427
37. The ADC-VX MIB-II did not support 64-bit counters.
ADC-VX interfaces were incorrectly displayed as
10/100 instead of Gigabit or 10Gigabit. prod00159381
38. In curtain cases, Direct Server Return (nonat enabled)
caused switch panic prod00159357
39. SSL session failed after configuration apply due to
certificate synchronization prod00159323
40. BBI showed incorrect user login information when
login-in from the same host with different users which
has the same COS prod00159298
41. PIP statistics update of VLAN based PIP, caused the
vADC to crash prod00159297
42. In an ADC-VX environment, XL devices were not
indicated as XL in CLI displays. prod00159257
43. Switch panicked when real comes back up causing the
backup real servers to become disabled prod00158835
44. Navigation option between the Virtual Servers BBI
pages was missing prod00158669
45. After disabling connection management functionality in
a service, a persistency problem occurred. prod00158650
46. Active FTP load balancing did not work properly
because of the wrong adjustment to the sequence
number prod00158622
47. When static route is not covered by localnet, default
gateway will be used. Removed confusing warning
message appeared in such cases prod00158609
48. Update of server certificate name via BBI was not
possible prod00158590
49. Active FTP load balancing did not work properly due to
wrong adjustment of the sequence number prod00158572
50. Certain SNMP traps caused the device to crash prod00158525
51. Virtual server current session statistics, showed
strange value via BBI prod00158470

52. It was not possible to disable SSL offloading for a VIP
via BBI prod00158456
53. Responses from Virtual Server were linked to the
same port of the trunk and therefore limit the
throughput to 1 Gbps. This happened since the trunk
load balancing algorithm used only source IP instead of
source IP + destination IP prod00158403
54. Enable "IP TOS matching" on a filter through BBI also
enabled the "IP Option Matching" prod00158281
55. Empty trunk name appeared in the configuration dump
caused failure in restoring configuration prod00158111
56. On a 5412 platform, TACACS+ authentication caused
the device to crash.
prod00157976
57. In BBI, the Alteon-VX dashboard did not work.
Also, HTTP request over management port with an
empty Host header caused the device to crash
prod00157799
58. VRRP flap occurred when uploading tech support
dump or viewing real servers information on backup
vADC1. prod00157771
59. On 4408 and 4416 devices, the putdumps
maintenance command failed.
prod00157731
60. On a 5412 platform, the device crashed with a link load
balancing configuration with fragmented traffic.
prod00157666
61. In CLI and BBI displays, an Alteon 4408 device with an
SSL card was not identified as 4408XL.
prod00157617
62. Heavy load caused Alteon to sent irrelevant trap
(OCSP related) prod00157309
63. When "regex" or "none" where incorrectly defined as
the HTTP modification element, a panic occurred.
prod00157033
64. The default compression license for 5224XL was
changed from 500 Mbps to 1Gbps.
prod00157011
65. On device startup, a duplicate SNMP temperature trap
was sent where one of the messages had incorrect
information.
prod00156974
66. When only one power supply was installed in a dual
power supply device, an SNMP trap reporting this
problem was not generated.
prod00156903

67. After upgrading to version 28.1.5, all vADCs went down
and their image statuses were displayed as
Incompatible.
prod00156868
68. In SNMP traps sent on data port, the wrong agent-
address was included, and the incorrect OID was
reported in slbCurCfgRealServerOid.0
prod00156813
69. In a vADC environment, when the syslog default port
was configured on a management port, the source IP
address of the syslog packets was the ADC-VX
management IP instead of the vADC management IP.
prod00156720
70. Persistency break sometime occurred when a cookie
arrived to an SP which did not contain the persistent
entry of that cookie prod00156706
71. During configuration sync, port number was replaced
with port allies causing a problem in VRRP failover prod00156661
72. When all primary servers were configured as disabled,
the backup servers moved from the blocked to the up
state when one of the backup servers was disabled
operationally. prod00156636
73. In certain cases, active FTP LB with client NAT did not
work.
prod00156619
74. When VLAN based PIP was configured, no PIP
statistics were generated.
prod00156548
75. An Apply generated incorrect and irrelevant VRRP
syslog messages.
prod00156531
76. In a vADC, a user with CoS set to user was unable to
enable or disable the real servers that were assigned
to him, while the l3oper user was able to do enable or
disable real servers that were not assigned to him. prod00156384
77. After upgrading from version 28.0 to 28.1, an apply
failed when VRRP hot-standby was configured.
prod00156344
78. The string "v4" was mistakenly added to the SMTP
hostname in the configuration dump.
prod00156070
79. False fan traps were sent on a vADC. prod00155948
80. When a vADC was down, BPDUs in corresponding
VLAN were not blocked.
prod00155824
81. After upgrading from version 27.0.x to 28.1.2.x, An prod00155794

apply failed when X-ForwardedFfor configured for a
service.
82. Throughput license is up to 16 Gbps for the 5224 and
5224XLplatforms. This was incorrectly stated in
previous release notes.
prod00155691
83. After upgrade from 27.0.2.0 to 28.1.2.0 with dbind
disabled and X-Forward-For enabled, after changing
dbind to enabled on a service, an error message was
issued, and the device crashed.
prod00155689
84. A vADC panic caused the SYS LED to turn red. Only
rebooting the device turned the LED back to green.
prod00154297
85. During the upgrade process of a cluster, after one
device was upgraded from version 28.0. to 28.1, the
cluster changed to the VRRP Master-Master state.
prod00153379
86. A link UP was reported on port with the Copper SFP
module inserted, even though the cable was not
connected.
prod00152580
87. vADC throughput statistic was shown in MB rather than
Mbps prod00152104
88. When attempting to reset a vADC or device, a
message is issued that there is an unapplied/unsaved
configuration even though the configuration was
applied and saved.
prod00151807
89. An NTP server IP address could not be deleted (set to
default 0.0.0.0 value).
prod00151632
90. After SSH login, the SSH management session
sometimes hangs.
prod00151316
91. In dbind forceproxy service, If the client delayed in
sending the FIN,ACK to Alteon as a response to FIN,
the session entry was aged in slow aging rather than
fast aging prod00151145
92. After applying system configuration changes, incorrect
SLB log messages were issued.
prod00151057
93. When an IPv4 VRRP group was enabled, it was
possible to define an IPv6 VSR. This caused the IPv6
VSR to be unreachable.
prod00150485
94.
When connection management was enabled and
prod00141402

egress PIP was configured (as recommended), Alteon
still required the ingress PIP address to be configured.

1. The switch blocked TCP sequence zero and direct
ARP request (non broadcast) packets, treating them as
attack packets.
136092
2. SSL offloading with SSL reuse did not work properly on
Alteon 5412 XL.
155194
3. When delayed binding was enabled, an HTTP request
with malformed HTTP version parameter caused a
panic.
155172
4. When performing SNMP walk of the Alteon switch MIB,
the walk stopped once it reached the
agAccessNewCfgHttpsCert.0
(1.3.6.1.4.1.1872.2.5.1.1.19.4.6.0) OID.
153699
5. When a configuration included real servers with buddy
servers, after Apply unnecessary notices regarding
server statuses were sent.
153555
6. The virtual server status was reported via BBI as
blocked when one real server went down.
153554
7. When delayed binding was enabled, an HTTP request
with malformed HTTP version parameter caused a
panic.
153491
8. When Alteon 5224 ports 1 and 2 are administratively
disabled (/cfg/port x/dis), the links connected to
Alteon 5224 ports 3 and 4 went down.
153297
9. Performing the /maint/applog/showlog command
caused a vADC restart, and no panic dump was
available.
153167
10. A Header Modification rule to remove the Date header
did not remove the header from HTTP requests.
152927
Could not enable SSH from Telnet in 28.1.2.0. 152888
11. The upgrade from version 27 to 28 failed if the device 152803

configuration included certificates.
12. A panic occurred on a vADC when a SAVE command
was performed via SNMP.
152787
13. When Web cache redirection and server load
balancing were performed using a filter with a non-zero
server port (rport), the server port was not updated in
the session table resulting in a session failure.
152506
14. Even though a vADC management port was locked by
the Global Administrator, the vADC management port
could be deleted by pasting a script without a
management setting.
152487
15. When changing proxy IPs and virtual servers using
BBI, the device panicked.
152226
16. The default SSL CPS license was incorrectly set to 500
CPS for Alteon 5224XL.
152224
17. When an interface was disabled and then enabled,
OSPF did not recover after the link came back up.
152132
18. MNG-2 management port could be configured but did
not work properly. Currently this port cannot be
configured.
152131
19. Interface statistics showed incorrect values. 152056
20. Load balancing between device gateways using the
round robin metric did not work properly and resulted in
uneven allocation.
152044
21. When attempting to reset a vADC or device, a
message displayed that there was an
unapplied/unsaved configuration even through the
configuration has been applied and saved
151807
22. Load balancing of WTS traffic caused a panic on the
device.
151681
23. Alteon VA responded to ping to VIR only when the
request came from the VLAN to which the VIR
belonged.
151590
24. When configuring the NTP primary server with an
empty string, a fake IPv6 address was set as the
server address.
151407
25. When NTP servers were connected behind a gateway, 151406

an NTP warning message was displaying the gateway
address instead of the NTP server IP address.
26. The device did not allow enabling egress PIP (epip) on
a service when the server-side port was proxy enabled
but was not assigned a PIP.
151019
27. VRRP group settings could not be configured using the
BBI.
150921
28. Alteon discarded ACK packets sent by client in
response to server TCP keep-alive packets.
150750
29. The XML configuration API could not be used to
change a vADC configuration.
150484
30. The message sent when Alteon was shut down due to
critical temperature was not accurate.
150456
31. Importing a certificate in PKCS12 format to a vADC
failed with the error "Error: Failed to extract cert+key".
150376
32. When user "user was disabled for a vADC, it could still
be used to access the vADC.
150327
33. Fragmented traffic that arrived for a virtual service
which was processed by the Acceleration Engine
caused a device panic.
150326
34. When an Intermediate CA Certificate Group and
Intermediate CA Certificate had the same name, and
the group was attached to an SSL policy, Alteon sent
an Intermediate CA Certificate instead.
150306
35. When querying the VRRP status using SNMP in the
Global Admin context of an ADC-VX device, the state
of the Virtual Routers was incorrectly reported.
149938
36. Occasionally when Alteon did not forward an RST from
the client to the server, the client received packets with
the real server IP as the source instead of the VIP.
149875
37. Using the BBI, the user was able to configure a
different application type for a standard service port
when using IE6. After device/vADC restart, the
configuration of such services was erased.
149702
38. The /info/slb/gslb/geo command did not display
anything.
149636
39. When the HTTP method was split across packets, 149554

Alteon dropped the first packet which contained an
invalid method and sent an HTTP_501 error message
to the client.
40. There was an inconsistency between the actual
altSwBulkApply trap packet and the description in MIB
file.
149539
41. Bandwidth Management did not work on IPv6 traffic in
Alteon version 28.1.
149497
42. Alteon allowed using the same IP address for a vADC
peer address and a Global Admin management
address.
148866
43. A group could not be deleted from CLI; the following
error message displayed during the apply phase:
"Unable to lock cli, no response from configuration
thread!" The group still appeared in the configuration
dump, but it was empty.
148726
44. On sessions for which delayed binding was performed,
if a FIN packet arrived from the client immediately after
HTTP request packet the switch dropped the FIN
packet.
148673
45. When user authentication was performed using
RADIUS, if the RADIUS servers were unavailable and
the user existed in the local user data base and had
backdoor enabled, Alteon asked for user/password
credentials again, instead of using the credentials
provided the first time.
148671
46. When persistency using cookie insert was configured,
the age of the actual session entry was updated to 4
minutes instead of using the selected real server
timeout value.
148661
47. When Alteon performed delayed binding, if, in addition
to persistency, content hash based load-balancing
(such as URL hash or WTS user hash) was configured,
TCP requests retransmissions were dropped.
148649
48. When an NTP and a DNS service were configured for
the same virtual server, an NTP request that arrived
immediately after a DNS request was sent to the DNS
server group instead of the NTP server group.
148640

49. The admin password could not be changed using a
SSH connection.
148469
50. Configuration synchronization failed after upgrade from
27.0.1.0 to 28.1. The remote peer reset the connection.
148214
51. When DSR VIP health checking was enabled and the
health check was UDP, the health check was sent to
the real server IP instead of the VIP.
148213
52. SP memory utilization could not be monitored through
SNMP.
147657
53. The persistency entry age update behavior when
modifying Real Server Inactivity Timeout
(/cfg/slb/real x/tmout) and when changing
Virtual Service Persistency Timeout (/cfg/slb/virt
x/service x/tmout) was inconsistent.
147523
54. The switch gateway was temporarily down when
adding a local static route.
143262

Fixed in version 28.1.2
1. When using the /maint/tsdmp command, the device
failed.
147546
2. When the route from the client to a VIP had an MTU
less than 1460, the router sent an ICMP error that
forced Alteon to split packets into smaller segments.
On Alteon, this client IPs repository was limited to 10,
so the 11th client still received high MTU traffic,
resulting in no traffic being forwarded from the router to
this client.
148516
3. When a POST request was sent, it could be divided
into a header section and data section.
When the header section reached the server, the
server could send 200 OKs before receiving the data
section. When this happened, the next HTTP request
was not forwarded to the server and the connection
was not terminated.
147992
4. On a 5412 platform, boot-up time took more than 5 114954

Fixed in version 28.1.2
minutes.
5. Using BBI, when deleting an object attached to a virtual
service (such as a caching policy, compression policy,
or an HTTP modifications rule list), you had to remove
it from the virtual service in order for the Apply to
succeed. However, after it was deleted, the object did
not appear as selected in the virtual service, which may
have been misleading.
121073
6. There was no SNMP configuration (MIB) support for
new features added in version 27.0.0.0, including
caching, compression, HTTP modifications, and HTTP
connection management.
SNMP (MIB) support for status and monitoring is now
fully available.
121097
7. An HTTPS certificate change did not take effect until
the HTTPS service was restarted (disabled and then
enabled).
146716
8. When Alteon was configured with VRRP and a high
volume of SSL traffic was sent for a long period, a
failure could have occurred.
146876
9. The device sometimes stopped advertising OSPF
routes due to timer issue.
285641
10. On sessions for which delayed binding was performed;
if a FIN packet arrived from the client immediately after
HTTP request packet the switch dropped the FIN
packet.
148673
11. vADC statistics limit command showed incorrect values
for SSL CPS and device throughput
147825
12. BPDU frame with MAC address 00:00:00:00:00:00
were forwarded by Alteon
147168

Known Limitations
This section lists all known limitations for this release.

Limitations in version 28.1.10.0
1. In Alteon VA, as all its ports are in the same VLAN by
default, its ports can be interconnected to the same
broadcast domain causing a network loop.
Workaround: define port 2 in VLAN 2 as port 1 is
defined in VLAN1
(Fixed in 29.0)
170110

2. When x-forward-for was enabled on a service with
least connection rmetric, its starts corrupting PIP
address when sending traffic to backend. (fixed in 29.0)
173659

3. Sometimes, software image download process failed.
In most of the times, download retry was successful 167409
4. When "httpslb or urlslb" is configured, in a group with
least connection matric. The string match is checked in
both httpslb and urlslb although the precedence is set
to OR and not AND.
(fixed in 29.0)
170004
5. Alteon only supports IPv4 as agent address in the
SNMP trap
166454
6. The put image option /boot/ptimg is not supported 110769
7. The configuration dump done from BBI does not use
Courier-New font. For this reason, the PKI components
included in the dump looks like they are not formatted
correctly.
110848
8. When using HTTP connection management (HTTP
Multiplexing) and group server maximum connections
(maxconn) is reached, the persistent connections
opened for multiplexing are also not reused to server
client requests.
110952
9. Capture and decrypt capture functionality is supported
only using the CLI. BBI does not support this
functionality.
111085
10. Importing the 2424- SSL processor configuration file to
migrate its certificate repository to version 27.x is
supported only using the CLI.
111453
11. BGP does not remove from its table a route that was
learned from RIP, even though the route had been
withdrawn. When redistribution of RIP routes to BGP is
configured, and a route that is learned from RIP has
112196

failed, BGP should send an UPDATE message
containing the withdrawn route to its peers and state
that it is not removing the route entry from the routing
and BGP tables.
12. The /stats/mp/cpu option shows the MP CPU utilization
for one second, the average for four seconds, and the
average for 64 seconds. It takes up to 25 seconds for
the four-second average to get updated properly and
almost 5 minutes for the 64-second average to get
updated properly.
114941
13. The scheduled reboot option /boot/sched is not
supported.
114952
14. BWM statistics are different when used with different
contracts within the same policy. When the user
assigns different contracts for different ports with equal
capacity within the same policy, statistics of both ports
differ even though the same policy is applied. This
means that the number of total packets and discarded
packets varied for two different ports.
114967
15. A new image is downloaded to the image2 slot even
though the instruction was to download to the image1
slot. The new image is downloaded to image 1, but
after being written to the CompactFlash, the images
are then swapped.
114968
16. The upgrade process does not ask the user to confirm
the upgrade after the new image is downloaded.
114987
17. The upgrade process cannot be aborted when the
wrong password is provided. Currently, there is no way
to abort the upgrade process other than waiting for the
idle time out (5 minutes) to expire.
114988
18. The GSLB, command /info/slb/gslb/geo (geographical
preference information) does not display the region list.
115002
19. If an image is downloaded to an active bank, the
warning is displayed only after the download is finished
and file writing is aborted.
115009
20. On a 4416 platform, there is a bottleneck on throughput
when DAM enabled (only 3G can be reached).
115834
21. On a 5412 platform, the link status displays incorrectly 115899

when changing some port parameters.
22. The number of free pports reflected by the commands
/stats/slb/pip and /stats/slb/sp x/pip is calculated for a
single real server, where it should be multiplied by
number of real servers.
116638
23. Alteon HTTP cache does not respect the range HTTP
header to request only part of an object.
119892
24. Using HTTP modifications with the file type element,
only the replace action is supported. If removing or
inserting a file type (file extension) is required, use the
modification of element of type URL.
119911
25. When a client port is part of multiple VLAN, and
multiplexing is used, the VLAN used in the back-end
connection (to the server) is always the one used to
initiate the connection.
This problem does not exist when proxy IP (PIP) is
done on the egress port, as recommended in
Radwares best practices for connection management
(multiplexing).
121126
26. With large configurations, the Revert-Apply operation
may fail with multiple errors generated that are related
to a legitimate CLI command that did not succeed.
Workaround: Run the Revert-Apply operation again.
121285
27. Proxy IP (PIP) statistics are available only when
multiplexing is enabled on the virtual service.
121299
28. Jumbo frames are not supported in this release. 121765
29. Fragmented traffic is not supported when accessing
the device management.
134531
30. Alteon legacy content-based switching with delayed
binding enabled does not work with fragmented traffic.
Work around: Use pbind force-proxy mode
139880
31. When more than 390 certificates and keys of different
types are configured, accessing the BBI certificate
repository page might cause the device failure.
142396
32. Overlapping NAT capability is not supported for IPv6
filters.
143690
33. After downgrading from 28.1.x.0 to 26.3.x, the user is 146536

prompted to keep or discard the management IP. Even
if the user answers No, the management IP is saved.
34. IPv6 traffic destined to directly connected network is
forwarded to the gateway instead of the configured
IPv6 interfaces.
Workaround: Define the local route cache for the
immediately connected network using
/cfg/l3/frwd/local/add6 command.
152729
35. Passive FTP doesn't work over IPv6
(fixed in 29.0)
155745
36. Highly fragmented connections that include more than
20,000 fragments drop fragments.
121288
37. On Alteon 4408, the power LED does not turn red
when there is a power supply failure.
N/A
38. Live capture (TCPdump) mode is not supported via a
serial console.
N/A
39. When downloading an image, you cannot have the
same image version in both image banks (image1 and
image2). When downloading the same version, the
older image is overwritten by the newly downloaded
image.
N/A
ADC-VX / vADC Specific Limitations
40. MP Virtualization (vMP) goes to 100% utilization VRRP
when using VLAN tag and shared VLAN for ISL. When
this occurs, both vADCs in the HA pair become the
master with or without traffic for a short while.
131075
41. When the device is working in ADC-VX mode,
uploading the global configuration (gtcfg by global
administrator) does not replace existing vADCs with
the ones in the new configuration. Instead, it merges
them. If the uploaded file includes vADC IDs that are
already on the device, the user is prompted to
overwrite the existing vADC configuration with the
imported one.
Workaround: Manually delete all vADCs before
importing a new configuration.
143192
42. When using a script to configure several vADCs in
parallel, the server certificate Generate command
144673

might stop working until reboot is performed.
43. When a vADC is rebooted, it shows an incorrect alert
message saying a throughput limit of 0 has been
reached.
This message should be ignored.
144918
44. An incorrect VLAN ID appears in a warning message
when HAID 0 is used for two vADCs on the same
shared VLAN.
145673
45. In case Global Admin context process restarts, the
user is not able to perform Revert Apply to the last
configuration.
146405
46. When synchronizing the configuration between a vADC
instance running on a 5224 device and a standalone
5412 device that uses different physical ports, a "bad
port" error is received, even after disabling ID ports
synchronization using /cfg/slb/sync/ports.
146570

Related Documentation
The following documentation is related to this version:
Alteon Application Switch Operating System Application Guide version 28.1.11.0
Alteon Application Switch Operating System Command Reference version 28.1.11.0
Alteon Application Switch Operating System Browser-Based Interface Quick Guide version
28.1.11.0
Alteon Application Switch Operating System Troubleshooting Guide version 28.1.11.0
Browser-Based Interface (BBI) Quick Guide version 28.1.11.0
Alteon Application Switch Performance Report version 28.1.0.0

For the latest Radware product documentation, refer to the product CD/DVD that was shipped
with your product, or download it from http://www.radware.com/Customer/Portal/default.asp.


North America International
Radware Inc. Radware Ltd.
575 Corporate Drive 22 Raoul Wallenberg St.
Mahwah, NJ 07430 Tel Aviv 69710, Israel
Tel: +1-888-234-5763 Tel: 972 3 766 8666

2013 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered
trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective
owners. Printed in the U.S.A

Aas-28 1 11 0-RN

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Aas-28 1 11 0-RN

Uploaded by

Copyright:

Available Formats

Alteon Application Switch

You might also like