Readme for system software 7.1.4 PATCH 3, 7.1.6 PATCH 3, 7.1.10 PATCH 3
=======================================================================

The following changes have been made to our software since the release
of system software 7.1.4, 7.1.6 and 7.1.10. They have been included in
system software 7.1.4 PATCH 3, 7.1.6 PATCH 3 and 7.1.10 PATCH 3, which
are available from Bintec's web server.


**** Changes: ****
====================

1. Keepalive Monitoring - Configurable Ping Count
=================================================

Before system software 7.1.xxx, the number of ICMP Echo Requests used
for Keepalive Monitoring was restricted to three and was not
configurable. This has been changed, and the number of Pings to be sent
can be specified using the variable ipHostsAliveTrials. Available values
are “1” – “65535”.

2. ISDN/PPP - DOVB 64 Kbit Support
==================================

System software 7.1.4 p3 supports the use of the Layer 1 Protocol
DOVB 64 for PPP WAN Partners.

3. PPP - Interface Blocked after Timeout
========================================

Before system software 7.1.xxx, setting a PPP interface into a blocked
state after the maximum number of retries had been performed was
slightly delayed due to an internal timeout. This has been changed, and
after the last unsuccessful retry the interface will be blocked
immediately.


**** Bugfixes: ****
======================

1. Setup Tool - Extended Route Display Error
============================================

When an extended route for the local interface was entered, the
interface of the route was shown as "unknown" in the [IP > ROUTING]
menu. This was a display problem only and did not affect the
functionality of your gateway.

The problem has been solved.

2. Setup Tool - IPSec Heartbeat Auto Function not Available
===========================================================

In the Setup Tool, the variable [IPSec > IKE (Phase 1) Profile Edit]:
Heartbeats did not allow selecting the value "auto" which could,
however, be configured in the SNMP shell.

When using this value, a vendor ID is used to detect Bintec style
heartbeat support. This vendor ID is always transmitted at the beginning
of a phase 1 negotiation. If ikePrfHeartbeats is set to "auto", the
receipt of this vendor ID is used as a hint to enable heartbeats for
Phase 1 (ikePrfHeartbeats = "auto") and/or Phase 2
(ipsecPrfHeartbeats = "auto").

The problem has been solved.

3. Setup Tool - Crash in Menu Extended Interface Settings
=========================================================

When creating a WAN Partner, leaving the menu [WAN Partner > ADD >
Advanced Settings > Extended Interface Settings] by confirming with OK
and then re-entering the menu, the Setup Tool crashed displaying a stack
trace.

The problem has been solved.

4. PPP – Session Table not Cleared
==================================

The entries of disconnected incoming PPP sessions were not cleared from
the pppSessionTable. This led to a memory leak and occasionally to a
gateway reboot.

This problem has been solved.

5. QoS – Stack Trace
====================

Using Weighted Fair Queuing as Queuing and Scheduling Algorithm could
lead to a stack trace.

This problem has been solved.

6. QoS – Blocked Queues
=======================

Fragmented IP packets could cause inconsistent QoS statistics and could
lead to blocked QoS queues.

This problem has been solved.

7. X8E-2SYNC – Boot Error
=========================

When booting an X8500 equipped with an X8E-2SYNC, a PCI error message
was displayed, and the gateway would sporadically reboot.

This problem has been solved.

8. QoS - Problems with X8E-SYNC
===============================

When handling a high amount of traffic, a QoS configuration for priority
queues with a bandwidth restriction was not working properly.

The problem has been solved.

9. Load Balancing - Wrong Session Count on IPSec Interfaces
===========================================================

Using the IP Load Balancing feature for IPSec interfaces could result in
a wrong session count (as shown by ipLoadBIfTable: ActAssignedSessions).

The problem has been solved.

10. Setup Tool - Restriction
============================

When entering an encryption key in [WAN Partner > Advanced Settings >
Extended Interface Settings], the Setup Tool helpline falsely said
"Enter string, max length = 20 chars". On the one hand, the key had to
be entered in hexadecimal format, and on the other hand, the input was
restricted to a length of 7 bytes, which was too short for the use of
MPPE 128, DES3 168 or Blowfish 168.

The problem has been solved.

11. RIP - TOS Tagging not Possible
==================================

TOS signaling was not possible for locally generated RIP packets.

The problem has been solved.

12. OSPF - OSPF Packets Dropped
===============================

OSPF Multicast Packets were dropped by the Ethernet controller. This
could lead to connection failures.

The problem has been solved.

13. Setup Tool - Parameter Missing from IP Menu
===============================================

The field Mode did not show when adding extended routes for WAN
Partners, PPTP- and IPSec Peers via the respective IP submenus:
[... > IP > More Routing > ADDEXT].

The problem has been solved.

14. Channel Bundling - Incompatibility
======================================

Channel bundling could fail (no data are transferred) if the remote side
used a two phase authentication procedure in which the remote endpoints
provided different options for Address Field Compression during LCP
(Link Control Protocol) negotiation.

The problem has been solved.

15. IPSec - Traffic Blocked after Deleting IPSec Configuration
==============================================================

Entering the wizard and performing "clear config" did not change the
status of the field [IPSec]: IPSec Enable from "yes" to "no". Since the
default Post IPSec Rule is "drop", leaving the [IPSec] menu via SAVE and
thus re-enabling IPSec led to any traffic being blocked.

The problem has been solved.

16. IPSec - Failure of Certificate Based Authentication
=======================================================

In certificate based authentication, IKE packets (UDP 500 <-> 500)
become larger than 1500 bytes which requires fragmentation. If the
higher fragment had a length smaller than 56 bytes (which is the minimum
length of an IKE packet), it was discarded by the IPSec kernel. If any
feature which reassembles packets was enabled (i.e. NAT, SIF,
Accounting, Access Lists), the problem did not occur.

The problem has been solved.

17. Setup Tool - IPSec SA Monitoring Creates Stacktrace
=======================================================

Using the IPSec SA Monitoring menu [IPSec > IPSec SA Bundles] caused a
stacktrace without reboot.

The problem has been solved.

18. IPSec - Dead IPSec Peers
============================

If neither an IP address nor IPSec Callback was configured for an
interface peer, no tunnel was actually established. The value of
ipsecPeerOperStatus never changed from "dormant" to "up".

The problem has been solved.

19. IPSec - QoS Classification Fails
====================================

The high priority classification of a QoS configuration failed if
hardware acceleration was used.

The problem has been solved.

20. IPSec - Callback Collision
==============================

Simultaneous IPSec Callback (as may occur when both peers are configured
with ISDN Callback: "both") was not handled correctly and tunnel
establishment between the peers failed. This could also occur with ISDN
Callback roles distributed between the peers ("passive" / "active") and
Transfer own IP Address over ISDN: "yes".

The problem has been solved.

21. IPSec Callback - IP Address Unnecessarily Transferred in B Channel
======================================================================

In individual cases, the callback module could not detect the success of
the IP address transfer via the ISDN D channel due to the behavior of
some telephony equipment. It therefore unnecessarily fell back to
transmitting the IP address in the B channel.

The problem has been solved.

22. Setup Tool - Certificate Import Dysfunctional
=================================================

Importing a base-64 encoded certificate did not work in all cases.
Occasionally specific characters in the certificate were interpreted as
binary, but a binary interpretation of the base-64 encoded certificate
must fail. Importing the certificate using the shell command
"cert get -p" was problem-free.

The problem has been solved.

23. IPSec - Port Specific IPSec Tunnels Dysfunctional
=====================================================

The fragments of port specific IPSec tunnel connections were not
properly assembled and the port numbers for non-first fragments were
misinterpreted. Tunnels for port specific connections would not work
properly.

The problem has been solved.

24. IPSec - Gateway Reboots
===========================

Occasionally, the gateway would reboot upon the reception of specific
ICMP message packets.

The problem has been solved.

25. IPSec - Setup Tool Crash
============================

After reconfiguring a peer and its pre-shared key, the Setup Tool (and
occasionally the gateway) crashed.

The problem has been solved.

26. IPSec - Reboot when Handling Large Keys
===========================================

Handling keys larger than 1536 bits contained in certificates caused the
gateway to reboot.

The problem has been solved.
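
Added illustration for bugfix 23 (example code written for this page, not
Bintec's; the readme does not say how the firmware parsed fragments): a
non-first IPv4 fragment carries no UDP/TCP header, so a classifier that reads
ports from every packet sees payload bytes instead. All function and class
names and the sample packets below are constructed for the example.

```python
import struct

def ipv4_packet(src, dst, ident, offset_units, more, payload, proto=17):
    """Build a minimal IPv4 packet (constructed sample data, checksum 0)."""
    flags_frag = (0x2000 if more else 0) | offset_units
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                       flags_frag, 64, proto, 0, bytes(src), bytes(dst)) + payload

def naive_ports(pkt):
    """Flawed: treats the first 4 bytes after the IP header as ports, always."""
    ihl = (pkt[0] & 0x0F) * 4
    return struct.unpack("!HH", pkt[ihl:ihl + 4])

class FragmentAwareClassifier:
    """Takes ports from the first fragment only, keyed by (src, dst, proto, id)."""
    def __init__(self):
        self.flows = {}

    def ports(self, pkt):
        ihl = (pkt[0] & 0x0F) * 4
        ident, flags_frag = struct.unpack("!HH", pkt[4:8])
        offset, more = flags_frag & 0x1FFF, bool(flags_frag & 0x2000)
        key = (pkt[12:16], pkt[16:20], pkt[9], ident)
        if offset == 0:                      # first fragment or unfragmented
            found = struct.unpack("!HH", pkt[ihl:ihl + 4])
            if more:
                self.flows[key] = found      # remember for later fragments
            return found
        found = self.flows.get(key)          # None: first fragment not seen yet
        if not more:
            self.flows.pop(key, None)        # last fragment; assumes in-order arrival
        return found

def demo():
    """1600-byte UDP 500 payload split at 1480 bytes, as on a 1500-byte MTU."""
    src, dst = [192, 0, 2, 1], [192, 0, 2, 2]          # documentation addresses
    udp = struct.pack("!HHHH", 500, 500, 1608, 0) + b"\xAA" * 1600
    first = ipv4_packet(src, dst, 0x1234, 0, True, udp[:1480])
    second = ipv4_packet(src, dst, 0x1234, 185, False, udp[1480:])
    c = FragmentAwareClassifier()
    return naive_ports(second), c.ports(first), c.ports(second)

if __name__ == "__main__":
    print(demo())
```

A fragment whose first fragment has not been seen yields None, so the caller
has to hold or drop it rather than guess a port.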