# LIST OF KNOWN ISSUES FOR ASTARO SECURITY GATEWAY V7
# ====================================================
# The purpose of this list is to give you an overview of known issues and
# possible workarounds, as well as known problems in other software being
# used in connection with Astaro Security Gateway V7.
# The ID denotes the internal Astaro bugtracking ID and will be shown in the
# description of an Up2Date if the issue is fixed.
#
# We would appreciate it if you contributed to this list and gave us
# feedback in this respect.
# For further information please contact: knownissues@astaro.com
#
# Last edit (time is UTC):
# $Id: Known_Issues-ASG-V7.txt,v 1.57 2008/02/14 09:51:14 mgehrlein Exp $

Open Issues
===========

ID7569 7.101 Unresolved HTTP parent proxy kills the backend system
------------------------------------------------------------------
Description: In ASG v7.100 and v7.101, using a DNS host object in WebSecurity->HTTP->Advanced->HTTPParentProxy->Host can kill the backend system if the hostname cannot be resolved. This may lead to unstable network connectivity.
Workaround: Until the release of ASG v7.102, only use plain "Host" objects in WebSecurity->HTTP->Advanced->HTTPParentProxy->Host, explicitly specifying the IP address.
Fix: ---

ID7483 7.100 Lots of config changes cause SMTP restarts
-------------------------------------------------------
Description: With lots of config changes, i.e. caused by heavy remote access connects/disconnects, the SMTP proxy will get restarted very often. This causes many gaps where the system is not able to receive or send emails.
Workaround: ---
Fix: ---

ID7475 7.100 IPsec starting in wrong mode after restart of HA system
--------------------------------------------------------------------
Description: In some cases, a member of a HA/Cluster system will not initialize its IPsec mode correctly when becoming Master directly after booting. As a result, none of the tunnels will come up.
Workaround: Reboot again.
Fix: ---

ID7472 7.100 POP3 Proxy does not start with customized messages
---------------------------------------------------------------
Description: In WebAdmin Management->Customization it is possible to change the default texts for messages the end user receives, such as download manager or blocked pages. When entering characters like &, < or > into the messages for the POP3 proxy, the service will no longer be available. The logfile shows an XML parser error.
Workaround: Do not use these characters or escape them properly. For example, replace & with &amp;
Fix: ---

ID7379 7.000 Manual Up2Date upload may not work correctly
---------------------------------------------------------
Description: For large Up2Date packages (>100MB) the manual upload via WebAdmin may not work correctly if ASG has less than 512MB of RAM.
Workaround: Download Up2Date automatically or contact Support.
Fix: ---

ID7314 7.100 Bridge can not be disabled after importing a backup
----------------------------------------------------------------
Description: In some cases it is not possible to disable a bridge interface after importing a backup.
Workaround: Change the hardware of one of the bridge interfaces (e.g. from eth2 to eth3) and retry disabling the bridge.
Fix: ---

ID7155 7.100 Network Usage may contain values larger than 100%
--------------------------------------------------------------
Description: The Network Usage statistics in WebAdmin and in the Executive Report may contain wrong values (larger than 100% or negative values) when files larger than 4GB are passing the system.
Workaround: ---
Fix: ---

ID7097 7.011 Nics listed twice in WebAdmin overview
---------------------------------------------------
Description: In some cases after importing a V6 backup the interfaces in WebAdmin Network->Interfaces->Hardware will get listed twice.
Workaround: ---
Fix: ---

ID7034 7.009 If cffd fails during spam digest creation no resume for digest is triggered
----------------------------------------------------------------------------------------
Description: If the cff daemon, which is responsible for the whole content filtering procedure, fails during the creation of the daily spam digest, sending of the reports is not continued. This can be checked in the selfmonitor logfile if the service is restarted at about 1 a.m.
Workaround: We recommend that the settings of the quarantined emails are reduced to 3 days.
Fix: ---

ID6780 7.007 SSL client download fails on Windows Vista
-------------------------------------------------------
Description: Users using Internet Explorer 7 on Windows Vista may not be allowed to download the SSL VPN client from the Enduser Portal. This is due to security restrictions within Vista/IE7.
Workaround: Add the Portal to the Trusted Sites in Internet Explorer (Extras->Security->Trusted Sites) in order to allow downloading an executable.
Fix: ---

ID6620 7.006 QoS rules are not applied to backup interface when using UFO
-------------------------------------------------------------------------
Description: When using Uplink failover (UFO) and QoS on the primary interface, the QoS settings will not be applied to the backup interface in a failover case.
Workaround: ---
Fix: ---

ID6271 7.003 SSL VPN does not start with more than 30 network definitions
-------------------------------------------------------------------------
Description: SSL VPN works fine as long as fewer than 30 network definitions are used. Adding more will cause a failure when starting the SSL VPN service.
Workaround: Either try to aggregate your networks into supernets or use 'Any' and restrict access via packetfilter rules.
Fix: ---

ID6109 7.000 HA not working correctly on ESX Server v2.x
--------------------------------------------------------
Description: VMware ESX Server 2.x is not able to support HA or Cluster setups. The heartbeat signal sent between HA/Cluster nodes may time out and lead to Master-Master scenarios.
Workaround: Upgrade to VMware ESX 3.0 or higher.
Fix: ---

ID5997 7.002 Users may use HTTP Proxy even if not explicitly allowed
--------------------------------------------------------------------
Description: When using the default HTTP profile of Web Security in combination with authentication, the system will still allow access for users, even if the user/group is not in the allowed users list. This only happens if the user has successfully authenticated himself. A failed authentication will lead to a blocked page.
Workaround: Set the http default profile to standard mode. Go to the menu item 'Web Security > HTTP Profiles' and create a new 'filter action' with the name 'block all', the type 'block everything ...', leave the rest empty/unchecked and click save. Then create a new 'filter assignment' with the name 'allowed users', add the user/groups that should have access, set the 'filter action' to 'Default Filter Action' and click save. Afterwards create a new 'proxy profile', select the allowed network, check the box at 'allowed users' in the 'filter assignments', select 'block all' as the 'Fallback action', define your preferred authentication mode and click save. This should solve the issue.
Fix: ---

ID5897 7.001 End-User Portal downloads fail with Internet Explorer 7
--------------------------------------------------------------------
Description: While trying to download a file from the End-User Portal with Internet Explorer 7, a popup window may appear and close after a second. The download will not start. Disabling the popup blocker will not help.
Workaround: Please enable "Automatic Prompting for File Downloads" in your zone settings of Internet Explorer 7.
Fix: ---

ID5703 7.000 Enduser Portal shows 127.0.0.1 as login source IP
--------------------------------------------------------------
Description: After activating SSL VPN, users connecting to the Enduser Portal port will get redirected because of the port sharing of SSL VPN and Enduser Portal. To the Enduser Portal it appears that you are coming from localhost, although you are coming from somewhere else.
Workaround: ---
Fix: ---

ID5565 7.000 HTTP proxy download manager stops refreshing
---------------------------------------------------------
Description: Multiple simultaneous downloads in one browser stall the download manager's progress bar for each download. This is due to certain browser limitations in terms of concurrent connections.
Workaround: Press the browser's reload button manually to refresh the progress bar display.
Fix: ---

ID5555 7.000 No DynDNS update on UFO Uplink interface
-----------------------------------------------------
Description: In case of an Uplink failover the DynDNS information may not be updated correctly.
Workaround: ---
Fix: ---

ID5474 7.000 No progressbar for UPS is shown in WebAdmin
--------------------------------------------------------
Description: When an Uninterruptible Power Supply (UPS) is connected to the ASG, the progress bar visible in the dashboard will not update.
Workaround: ---
Fix: ---

ID5465 7.000 Network interface graphs incorrect after turning back time
-----------------------------------------------------------------------
Description: After turning back the system time by a considerable amount (e.g., 2 days), no data is shown in the network traffic graphs displayed on the Reporting >> Network >> Daily tab in WebAdmin. The reason is that the graph generator is not able to handle data with a timestamp older than the latest inserted data. Once the system time reaches the last inserted timestamp again, adding data will work again.
Workaround: ---
Fix: ---

ID5422 7.000 Changing eDir SSL settings breaks eDir Browser for current session
-------------------------------------------------------------------------------
Description: If you change SSL settings for eDir, the eDir Browser does not work. Also the current WebAdmin session breaks at the moment you try to open the eDir Browser. Then you have to log in to WebAdmin again. After logging in again the eDir Browser works fine. If you enable/disable SSL for eDir again, the eDir Browser does not work again until you log in to WebAdmin again.
Workaround: ---
Fix: ---

ID5405 7.000 PPTP/L2TP/SSL OpenVPN routes are not redistributed in OSPF
-----------------------------------------------------------------------
Description: VPN Pools like the ones mentioned above will not get redistributed when using OSPF.
Workaround: ---
Fix: ---

ID5375 7.000 Strict routing may also match locally generated traffic
--------------------------------------------------------------------
Description: For locally generated packets and strict routing enabled for an IPSec tunnel, it is not possible to send locally generated plaintext packets to the same destination.
Workaround: ---
Fix: ---

ID5356 7.000 WebAdmin certificate import problems with IE 6 & 7
---------------------------------------------------------------
Description: After installing the WebAdmin certificate in Internet Explorer 7 you may only be allowed to connect to the specific ASG the certificate is coming from. Adding another certificate from another ASG allows access to this machine, too. In IE6, the popup warning may also occur after importing the certificate.
Workaround: ---
Fix: ---

ID5138 7.000 Import of WebAdmin CA certificates may fail with Firefox
---------------------------------------------------------------------
Description: Depending on operating system and Firefox version, import of WebAdmin's certificate may not work correctly.
Workaround: ---
Fix: ---

ID4533 7.000 L2TP doesn't work with IP addresses assigned via DHCP
------------------------------------------------------------------
Description: Using L2TP with IP assignment via DHCP may not work correctly.
Workaround: Try enabling debugging in L2TP over IPSec.
Fix: ---

Closed Issues
=============

ID7014 7.011 eDirectory authentication does not work if BaseDN is empty
-----------------------------------------------------------------------
Description: When using eDirectory authentication and leaving the BaseDN empty, the ASG will try to search the eDirectory without Base DN for a matching user. This will not work in all cases.
Workaround: Set BaseDN for eDirectory authentication.
Fix: Fixed in 7.100

ID6982 7.009 Anti-Spam filter not working in some environments
--------------------------------------------------------------
Description: Using the Anti-Spam service for SMTP or POP3 email filtering, the service will not be available if the ASG has more than 10 local IP addresses configured on local (virtual) interfaces.
Workaround: ---
Fix: Fixed in 7.100

ID6865 7.007 Daily Spam Report is sent to all users
---------------------------------------------------
Description: The Daily Spam Report is also sent to users who are in an exception list.
Workaround: ---
Fix: Fixed in 7.100

ID6763 7.007 Problems with IPSec and DNAT on bridge interfaces
--------------------------------------------------------------
Description: When trying to use IPSec and DNAT on a bridge interface the IPSec packets will not get handled correctly. This means there is no option to configure an IPSec tunnel.
Workaround: ---
Fix: Fixed in 7.100

ID6741 7.007 Email Encryption logfiles filling up partition
-----------------------------------------------------------
Description: The logfiles from the Email Encryption backend are filling up the storage partition even after Email Encryption has been disabled.
Workaround: ---
Fix: Fixed in 7.100

ID6656 7.006 Possible problem after updating Antivirus pattern
--------------------------------------------------------------
Description: In some cases the HTTP Proxy is not able to initialize the latest antivirus pattern. This may lead to restarts of the HTTP Proxy by the selfmonitor. The Proxy logfile will show lines containing the following message: 'Failed to initialize virus database'.
Workaround: Contact support or try downloading the latest pattern manually.
Fix: Fixed in 7.100

ID6651 7.006 HA/Cluster stops working if ha password has special characters
---------------------------------------------------------------------------
Description: In this version HA or Cluster does not work if the HA/Cluster encryption key contains any of the special characters " ' or (. This also affects Up2Dates from 7.005.
Workaround: Remove special characters from the encryption key or call support.
Fix: Fixed in 7.100

ID6628 7.005 Wrong message after too many failed WebAdmin logins
----------------------------------------------------------------
Description: After too many failed WebAdmin logins the popup should say so. Instead, it only says 'Wrong username or password'.
Workaround: ---
Fix: Fixed in 7.100

ID6463 7.005 More than one Executive Report in HA/Cluster environment
---------------------------------------------------------------------
Description: In some cases each node in a HA/Cluster environment may send its own Executive Report.
Workaround: ---
Fix: Fixed in 7.100

ID6438 7.000 WebAdmin SSO support for ACC not working
-----------------------------------------------------
Description: Using Astaro Command Center (ACC) for accessing WebAdmin via Single Sign On is not working.
Workaround: ---
Fix: Fixed in 7.100

ID6389 7.005 WebAdmin very slow when using many objects
-------------------------------------------------------
Description: With large amounts of definitions, such as many groups, hosts, or users that have been defined, the WebAdmin login can take a long time to process and as a result sometimes the session will time out and/or repeated attempts to log in are necessary.
Workaround: Astaro recommends using Microsoft IE7 or Mozilla Firefox 2.
Fix: Fixed in 7.100

ID6281 7.003 NTLM doesn't work with IE7 and Windows Vista
---------------------------------------------------------
Description: Active Directory Single-Sign-On (SSO) does not work for clients running IE7 under Windows Vista because NTLMv1 auth is not supported in this combination. This issue will be fixed in ASG version 7.100.
Workaround: There is no workaround, except for using a different browser (e.g. Firefox).
Fix: Fixed in 7.100

ID6178 7.003 Whitelisting does not work under certain circumstances
-------------------------------------------------------------------
Description: By adding a profile to a user that should be allowed to surf a website and to a surf-protection-category, the user is only able to reach the website OR the surf protection category but not both as defined.
Workaround: ---
Fix: Fixed in 7.100

ID6106 7.003 Changing type of an interface will delete corresponding NAT/Masq rules
-----------------------------------------------------------------------------------
Description: When changing the type of an interface all NAT/Masq rules bound to that interface will be deleted.
Workaround: Create them again.
Fix: Fixed in 7.100

ID6102 7.002 .com websites are blocked by file extension scanner
----------------------------------------------------------------
Description: The file extension scanner in HTTP Proxy will block websites ending with .com if the extension .com is listed for blocking.
Workaround: Remove .com from the file extension scanner.
Fix: Fixed in 7.100

ID6492 7.005 WebAdmin becomes unresponsive after a longer log-in period
-----------------------------------------------------------------------
Description: After working in WebAdmin and not clicking anything for some minutes, the session might be stale or time out.
Workaround: ---
Fix: Fixed in 7.100

ID7479 7.100 SNAT rule for network groups not set
-------------------------------------------------
Description: For network definitions it is now possible to bind them to a specific interface. Adding such a bound network to a group and then using this group in a SNAT rule will not work. The rules will not be set in the backend.
Workaround: Try using the definition without the group.
Fix: Fixed in 7.101

ID7455 7.100 Adobe Download Manager may fail to download pdf files
------------------------------------------------------------------
Description: Downloading PDFs using HTTP Proxy and Adobe Download Manager may fail in certain cases.
Workaround: ---
Fix: Fixed in 7.101

ID7445 7.100 Kaspersky Antivirus blocks HTTPS through proxy
-----------------------------------------------------------
Description: When using Kaspersky antivirus on a client, surfing the web via HTTP Proxy may not work in all cases.
Workaround: ---
Fix: Fixed in 7.101

ID7443 7.100 Customization Texts for HTTP Proxy not working
-----------------------------------------------------------
Description: The customizable texts for HTTP Proxy (i.e. download manager) entered via WebAdmin will be ignored and default texts will be used.
Workaround: ---
Fix: Fixed in 7.101

ID7442 7.100 High system load after remote access login
-------------------------------------------------------
Description: For systems with lots of remote access users the system load will increase when users connect/disconnect to ASG. This is due to a backend service using CPU resources for user and system management.
Workaround: ---
Fix: Fixed in 7.101

ID7001 7.010 eDirectory authentication in standard mode not working
-------------------------------------------------------------------
Description: In certain cases non-eDirectory-SSO (Single Sign On) authentication will not work.
Workaround: ---
Fix: Fixed in 7.011

ID6853 7.007 Reporting may stop working because of backend problem
------------------------------------------------------------------
Description: In some cases a malformed log line in the backend may cause the reporting functions in WebAdmin to stop working. This may affect all types of reporting.
Workaround: ---
Fix: Fixed in 7.011

ID6926 7.009 Spam Digest not working on HA/Cluster systems
----------------------------------------------------------
Description: In HA/Cluster environments the Daily Spam Digest may not be sent out by ASG at all. This effect will occur if the system has been installed with 7.005 or earlier.
Workaround: ---
Fix: Fixed in 7.010

ID6920 7.009 SSL VPN renegotiates keys every hour
-------------------------------------------------
Description: The SSL VPN renegotiates its key every hour, which may cause a prompt for a new password depending on which authentication type is used.
Workaround: ---
Fix: Fixed in 7.010

ID6911 7.009 Backend problem after importing a license
------------------------------------------------------
Description: After importing a license, the backend system may not be restarted correctly. Connecting to WebAdmin will show a message like 'Please wait, connecting to backend ...'.
Workaround: Reboot the machine.
Fix: Fixed in 7.010

ID6903 7.009 Checkboxes for HTTP Proxy profiles not working with IE6
--------------------------------------------------------------------
Description: When editing HTTP Proxy profiles, the checkboxes for the filter assignments can not be selected when using Internet Explorer 6.
Workaround: Use another browser.
Fix: Fixed in 7.010

ID6874 7.008 HTTP Proxy authentication exceptions not working correctly
-----------------------------------------------------------------------
Description: The option for skipping authentication in HTTP Proxy (Exceptions) is not working as intended.
Workaround: ---
Fix: Fixed in 7.010

ID6855 7.007 Problem in Authentication service under high load
--------------------------------------------------------------
Description: In high load scenarios (e.g. with many concurrent users logging on/off) the authentication service may run into problems and mix up requests internally. This will mainly lead to a non-working authentication service.
Workaround: ---
Fix: Fixed in 7.010

ID6483 7.005 PPTP connection may stop passing traffic
-----------------------------------------------------
Description: The PPTP service has problems when reordering incoming packets. Once a PPTP connection is established it may get interrupted by packets arriving in incorrect order at ASG.
Workaround: ---
Fix: Fixed in 7.010

ID6525 7.005 Corrupt databases in HA/Cluster environment
--------------------------------------------------------
Description: In some HA/Cluster environments the databases may become corrupted while syncing with the slave. In this case, reporting will stop working properly.
Workaround: ---
Fix: Fixed in 7.010

ID6869 7.008 Up2date package upload via WebAdmin not possible
-------------------------------------------------------------
Description: The upload of Up2Date packages is not working correctly in version 7.008. When trying to upload a valid Up2Date package an error 'File extension not allowed' may show up.
Workaround: Please contact support.
Fix: Fixed in 7.009

ID6867 7.008 HTTP Proxy profiles not assigning correctly
--------------------------------------------------------
Description: The HTTP Proxy profiles may not assign all authentication methods correctly, which will result in profiles having too many authentication dependencies.
Thus for most profiles authentication seems to stop working completely.
Workaround: ---
Fix: Fixed in 7.009

ID6862 7.008 New HTTP exceptions not matching substrings
--------------------------------------------------------
Description: Up to version 7.007, the 'Target Domains' match in the 'Exceptions' tab of the HTTP Proxy was a pure substring match against the domain part of URLs. For example, an entry of 'astaro.com' would match all domains (including subdomains and hostnames) containing 'astaro.com'. This has been changed in 7.008 to exact (sub)domain names by use of regular expressions. Unfortunately this also causes some existing expressions to no longer work because they now require an exact match, so the entry 'astaro.com' only matches the domain 'astaro.com' but not 'www.astaro.com'.
Workaround: This can be corrected by using regular-expression style wildcarding, in this case '.*astaro\.com' would achieve the desired effect; however it requires manual adaptation of each entry.
Fix: Fixed in 7.009

ID6859 7.008 Downloads via HTTP Proxy do not work with Internet Explorer
------------------------------------------------------------------------
Description: When trying to download a file via HTTP Proxy with Microsoft Internet Explorer 6 or 7, the download manager page does not refresh automatically and the download is not shown as finished after scanning succeeded. Mozilla based browsers are not affected.
Workaround: --- (use Firefox if available)
Fix: Fixed in 7.009

ID6772 7.007 SMTP Mail processing may stop completely
-----------------------------------------------------
Description: In some rare cases the SMTP mail processing may stop completely due to a deadlock within the SMTP scanning subsystem. This should not affect many installations.
Workaround: Reboot the machine.
Fix: Fixed in 7.008

ID6740 7.007 Authentication of new users may fail
-------------------------------------------------
Description: When adding a new user and allowing access to e.g.
SSL VPN, the user may not be able to authenticate. The authentication backend may not be informed correctly about the new user.
Workaround: Try disabling/enabling the feature, otherwise reboot.
Fix: Fixed in 7.008

ID6732 7.007 Can not change PPPoE Daily Reconnect Time to 'never'
-----------------------------------------------------------------
Description: When editing a PPPoE connection and setting the Daily Reconnect Time to 'never' the setting will not be saved correctly.
Workaround: ---
Fix: Fixed in 7.008

ID6716 7.006 L2TP over IPsec offers wrong certificate
-----------------------------------------------------
Description: When using L2TP over IPsec a wrong certificate is offered in the Enduser Portal, which will prevent the user from establishing a valid connection.
Workaround: ---
Fix: Fixed in 7.008

ID6715 7.006 Remote Syslog logs without facility and priority
-------------------------------------------------------------
Description: When sending logs from an ASG to a remote Syslog server, ASG V7 does not send over the facility or selector in the logs like in V5 or V6.
Workaround: ---
Fix: Fixed in 7.008

ID6713 7.006 Changes to backend query order do not take effect
--------------------------------------------------------------
Description: If you try to change the backend query order in Users->Authentication->Advanced by moving for example Radius to the top of the list, the position changes correctly. After clicking apply it says changes saved, but when coming back to the menu the list is back to the original order.
Workaround: ---
Fix: Fixed in 7.008

ID6692 7.006 Interface used in Dyndns settings can not be removed
-----------------------------------------------------------------
Description: Once configured, the interface used for Dyndns can not be removed anymore.
Workaround: ---
Fix: Fixed in 7.008

ID6639 7.006 Timezone glitch in WebSecurity Reporting
-----------------------------------------------------
Description: With a timezone outside GMT, WebSecurity Reporting will not work correctly. If the system time moves over to a new local day, HTTP reports for today won't show anything since the day only changed in the local timezone, but not yet in GMT.
Workaround: ---
Fix: Fixed in 7.008

ID6618 7.005 HTTP Proxy closes sessions after response
------------------------------------------------------
Description: The HTTP Proxy announces the possibility to use keepalive for HTTP sessions but closes the connection after a request has been answered successfully. This may cause trouble e.g. for Windows Media Player.
Workaround: ---
Fix: Fixed in 7.008

ID6607 7.005 Daily Spam Report may not be sent out correctly
------------------------------------------------------------
Description: The Daily Spam Report may not be sent correctly for users receiving spam emails with capital letters in their email address. The mail address matching is currently case-sensitive.
Workaround: ---
Fix: Fixed in 7.008

ID6571 7.006 L2TP daemon will not be restarted automatically
------------------------------------------------------------
Description: The L2TP daemon responsible for remote access will not be restarted automatically in case of an internal failure. The selfmonitoring is not checking all of the relevant processes.
Workaround: ---
Fix: Fixed in 7.008

ID6510 7.005 Up and down arrows don't work correctly in HTTP Profiles
---------------------------------------------------------------------
Description: When trying to move down a filter assignment in Web Security->HTTP Profiles it will always jump to the last position in the profile. This also happens when trying to move it to the top. Also, all assignments in the profiles are set to "1" and not numbered consecutively.
Workaround: ---
Fix: Fixed in 7.008

ID6421 7.004 HTTP Proxy does not log complete URL
-------------------------------------------------
Description: The HTTP Proxy currently does not log the full URL (e.g. the query part) for users surfing via the proxy.
Workaround: ---
Fix: Fixed in 7.008

ID6375 7.004 Contentfilter whitelist does not use regular expressions
---------------------------------------------------------------------
Description: When using whitelists or exceptions in HTTP Proxy, regular expressions will not work everywhere in the same way. Basically, regular expressions should be used everywhere.
Workaround: ---
Fix: Fixed in 7.008

ID6333 7.004 Drag-and-drop fails with Internet Explorer
-------------------------------------------------------
Description: There is a problem when using Internet Explorer for configuring via WebAdmin. When the scrollbar of the browser is scrolled to the bottom, drag-and-drop fails. The mouse pointer points to the location where you want to drop an object (e.g. network object), but the object itself hovers quite a bit above the mouse pointer position. In this situation it is not possible to drop the object.
Workaround: Move the dragged object bottom-up from the area you'd like to drop it until the area is highlighted or use another browser.
Fix: Fixed in 7.008

ID6320 7.003 POP3 spam email not tagged correctly
-------------------------------------------------
Description: When downloading emails via POP3 the tagging (warn threshold) is not done correctly. Although the mail should reach the client, there is neither a spam tag in the subject line nor a spam report in the header.
Workaround: ---
Fix: Fixed in 7.008

ID6265 7.003 Portscan detection and logging consumes too much CPU resources
---------------------------------------------------------------------------
Description: When running a portscan against an ASG device lots of log lines are generated and processed.
In this case the reporting subsystem may not be able to process all log output from portscan detection in time. As a result the reporting subsystem will start allocating system resources (CPU and RAM) and may also lead to a Denial of Service. This also applies to logged packetfilter violations, i.e. when a client generates lots of traffic which is blocked and logged on ASG.
Workaround: Try to disable logging for packetfilter rules generating much log output and disable Portscan detection.
Fix: Fixed in 7.008

ID6703 7.005 Automatic import of SMIME certificates not working correctly
-------------------------------------------------------------------------
Description: When using Email Encryption the automatic import of SMIME certificates will work in the backend, but the certificates will not be shown in the frontend.
Workaround: ---
Fix: Fixed in 7.008

ID6031 7.002 HTTP traffic in cluster may not be distributed to worker
---------------------------------------------------------------------
Description: After changing the port of the HTTP Proxy to another port than 8080, the distribution of the HTTP traffic to cluster nodes (slave/worker) will not work.
Workaround: --- (Change back port to 8080 if possible)
Fix: Fixed in 7.008

ID5789 7.001 User certificate will not be deleted at all
--------------------------------------------------------
Description: When deleting a local user the corresponding certificate will remain on the firewall. This will not allow creating a new user with the same username the deleted user had.
Workaround: ---
Fix: Fixed in 7.008

ID5786 7.001 SHA-2 with 512 bit not compatible with NCP/ASC IPSec client
------------------------------------------------------------------------
Description: The IPsec backend of ASG uses a wrong blocksize in the SHA-2 algorithm if 512 bit key length is selected. This leads to the problem that the ISAKMP SA can not be established with SHA2-512 if an NCP client (ASC version 9) is used.
Workaround: Use SHA 256 bit.
Fix: Fixed in 7.008

ID5778 7.001 User objects not allowed as source/destination in DNAT/SNAT rules
------------------------------------------------------------------------------
Description: When creating a DNAT or SNAT rule, you cannot select a "User network" object to be used as NAT destination or source. Nevertheless the objects can be used for "traffic source" and "traffic destination" parameters.
Workaround: ---
Fix: Fixed in 7.008

ID5747 7.001 Intrusion Protection counter in dashboard incorrect
----------------------------------------------------------------
Description: The Intrusion Protection counter in the dashboard may show a larger number for the active rules than for the available rules. This is due to a problem counting the available rules and all their dependencies.
Workaround: ---
Fix: Fixed in 7.008

ID5711 7.001 IPSec tunnels may not come up after DPD event
----------------------------------------------------------
Description: Dead Peer Detection (DPD) helps recover lost IPSec tunnels if the remote gateway has been down. In some cases tunnels (also multiple tunnels to an endpoint) may not come up after a DPD event and need a manual trigger.
Workaround: Disable and re-enable the connection in WebAdmin.
Fix: Fixed in 7.008

ID5468 7.000 Definition dialog boxes with fixed width only
----------------------------------------------------------
Description: In some browsers the definition dialog boxes in the left column do not show the horizontal scrollbar.
Workaround: Use appropriate definitions.
Fix: Fixed in 7.008

ID6701 7.006 Possible problem when syncing eDirectory users
-----------------------------------------------------------
Description: The error handling for syncing eDirectory users can lead to unexpected restarts of the authentication subsystem. This may be caused by wrong context syntax or LDAP communication problems.
Workaround: ---
Fix: Fixed in 7.007

ID6674 7.006 DynDNS may not update because of a missing packetfilter rule
-------------------------------------------------------------------------
Description: The DynDNS service will not be able to update the dynamic hostname after any interface configuration has been done via WebAdmin. This is because the automatic packetfilter rule allowing that specific traffic will be removed automatically after any successful interface parameter change.
Workaround: Either create a packetfilter rule allowing HTTP traffic from the DSL interface address to Any or reboot the machine.
Fix: Fixed in 7.007

ID6662 7.006 WebSecurity Reporting shows wrong numbers
------------------------------------------------------
Description: Most reports from the WebSecurity system will show wrong numbers since many entries will be counted multiple times. This affects the Reporting section in WebAdmin as well as the Executive Report.
Workaround: ---
Fix: Fixed in 7.007

ID6660 7.006 Search for IP addresses not working with many definitions
----------------------------------------------------------------------
Description: Having more than 51 definitions and searching for IP addresses in network definitions will not show any results.
Workaround: ---
Fix: Fixed in 7.007

ID6484 7.005 Sorting of policy routes not working correctly
-----------------------------------------------------------
Description: The sorting of policy routes introduced in 7.005 does not work for all cases, especially after editing routes.
Workaround: On most systems a reload of the routing page should show the correct order.
Fix: Fixed in 7.006

ID6478 7.005 Packetfilter rules not set correctly when using additional addresses
---------------------------------------------------------------------------------
Description: When a packetfilter rule is configured whose source/destination is an additional interface address, a filter rule is added to the USR_FORWARD chain, not the USR_OUTPUT/INPUT chain.
Also, the auto packet filter for IPsec connections whose local network is an additional interface does not create the OUTPUT/INPUT chain.
Workaround: ---
Fix: Fixed in 7.006

ID6473 7.005 Disabled End User Spam report enabled after editing custom text
----------------------------------------------------------------------------
Description: When editing the custom text for the Enduser Spam Report the feature is turned on automatically.
Workaround: Turn it off again if you don't need it.
Fix: Fixed in 7.006

ID6472 7.005 Middleware stops working with unresolved routing targets
---------------------------------------------------------------------
Description: Middleware stops working when a static route has an unresolved DNS definition as target.
Workaround: Change route target to static host definition.
Fix: Fixed in 7.006

ID6471 7.005 Mail processing stops at message ID 1000000
--------------------------------------------------------
Description: Mails having a message ID larger than 1000000 will not be processed correctly by the content scanning subsystem.
Workaround: Call Support.
Fix: Fixed in 7.006

ID6469 7.005 Online help will not open when WebAdmin language is set to Japanese or Chinese
-------------------------------------------------------------------------------------------
Description: The online help will not open when WebAdmin language is set to Japanese or Chinese, which were supported from version 7.005 on. It gets stuck at the message "Please wait, connecting to backend".
Workaround: ---
Fix: Fixed in 7.006

ID6460 7.005 Authentication daemon restarting in eDirectory environments
------------------------------------------------------------------------
Description: On some lookup errors in eDirectory environments the authentication daemon may die. Selfmonitor will restart the daemon, but in this timeframe no more authentication requests will be processed.
Workaround: ---
Fix: Fixed in 7.006

ID6391 7.004 User objects fail to be created when user name contains a numeral
------------------------------------------------------------------------------
Description: Usernames for either local user or backend authentication against eDirectory/AD will not create a user object automatically if a number is used for the username.
Workaround: ---
Fix: Fixed in 7.006

ID6317 7.004 Pattern Up2Dates on cluster nodes running very slow
----------------------------------------------------------------
Description: In some cluster environments the Pattern-Up2Dates are running very slowly due to some limitations of the sync process.
Workaround: ---
Fix: Fixed in 7.006

ID6311 7.003 Error while scanning emails may stop SMTP proxy
------------------------------------------------------------
Description: In a few cases the SMTP proxy stopped working after a special scanning error occurred. In the logfile there is a message like this: 'Maximum number of scan retries exceeded'.
Workaround: Contact Support.
Fix: Fixed in 7.006

ID5881 7.002 Dyndns-custom only supports one hostname
-----------------------------------------------------
Description: Users having a dyndns-custom account may want to set their hostname to something like "www.mydomain.com,mail.mydomain.com,mydomain.com" which is not allowed at the moment.
Workaround: ---
Fix: Fixed in 7.006

ID5665 7.001 Broken rendering of WebAdmin tabs in QoS settings
--------------------------------------------------------------
Description: Having lots of interfaces will leave the QoS page unusable.
Workaround: ---
Fix: Fixed in 7.006

ID6342 7.004 Large HTTP blacklist may cause WebAdmin slowdown
-------------------------------------------------------------
Description: Having a large number of HTTP blacklist entries may slow down WebAdmin extremely when trying to view the page.
Workaround: ---
Fix: Fixed in 7.005

ID6339 7.004 SSL VPN route will be deleted after enabling a static route
------------------------------------------------------------------------
Description: When using SSL VPN the route to an active client will be deleted when enabling a static route in WebAdmin.
Workaround: Reestablish the tunnel.
Fix: Fixed in 7.005

ID6325 7.004 Nic order mixed up on ASG 320
------------------------------------------
Description: On some ASG320 systems the NIC order may have been mixed up after installing Up2Date 7.004.
Workaround: Check cabling or contact Astaro Support.
Fix: Fixed in 7.005

ID6321 7.004 Possible problem when restarting SSL VPN
-----------------------------------------------------
Description: In some cases there is a problem when restarting the SSL VPN service. This also showed up on many installations when updating to 7.004.
Workaround: Reboot the system.
Fix: Fixed in 7.005

ID6316 7.004 File synchronization fails if HA/Cluster password has special characters
-------------------------------------------------------------------------------------
Description: When using some special characters in the HA/Cluster secret, the file synchronization between Master and other Cluster nodes will not work. In this case console (loginuser/root) passwords will also not be set correctly on the slave nodes.
Workaround: Change HA/Cluster password.
Fix: Fixed in 7.005

ID6300 7.003 Unable to release/download quarantined POP3 messages
-----------------------------------------------------------------
Description: When trying to release or download the messages from the Quarantine Manager a popup window '404 not found' shows up. Trying to display a message shows '500 internal server error'.
Workaround: ---
Fix: Fixed in 7.005

ID6285 7.003 HA file synchronization may sync in wrong direction
----------------------------------------------------------------
Description: In some cases the High Availability slave may also sync data to the master.
This can lead, for example, to wrong ssh keys or loginuser/root passwords.
Workaround: ---
Fix: Fixed in 7.005

ID6203 7.003 Backend sync for users with multiple mail addresses does not work
------------------------------------------------------------------------------
Description: If a user is created in an Active Directory using multiple e-mail addresses, the auto-creation function of Astaro Security Gateway used for synchronizing users with back end authentication servers may not work correctly.
Workaround: ---
Fix: Fixed in 7.005

ID6197 7.003 BATV secret not changeable in WebAdmin
---------------------------------------------------
Description: Currently there is no option to change the BATV secret in WebAdmin.
Workaround: ---
Fix: Fixed in 7.005

ID6169 7.003 Problems with Vista Windows Mail and POP3 Proxy in prefetch mode
-----------------------------------------------------------------------------
Description: When using the Windows Vista mail client along with the POP3 Proxy in prefetch mode, a lot of timeouts may appear when trying to get new mails.
Workaround: ---
Fix: Fixed in 7.005

ID6132 7.002 System allows interface routes without target interface
--------------------------------------------------------------------
Description: It is possible to create an interface route without selecting a target interface. This will result in a non-accessible routing page in WebAdmin.
Workaround: ---
Fix: Fixed in 7.005

ID6100 7.002 Streaming downloads aren't aborted on client disconnect
--------------------------------------------------------------------
Description: When a client starts an HTTP stream download and disconnects/resets the connection, the HTTP Proxy will continue downloading the stream.
Workaround: ---
Fix: Fixed in 7.005

ID5956 7.002 Huge amount of SMTP domains will slow down WebAdmin
----------------------------------------------------------------
Description: When configuring a large number of SMTP domains WebAdmin will slow down extremely.
It also may not be possible to display the SMTP page at all.
Workaround: ---
Fix: Fixed in 7.005

ID5889 7.002 Content blocked page showing up twice
--------------------------------------------------
Description: When using file extension blocking, the content of the content blocked page (shown when the HTTP Proxy blocks a URL) is displayed twice.
Workaround: ---
Fix: Fixed in 7.005

ID5811 7.001 Daily Spam Digest also sent to external domains
------------------------------------------------------------
Description: The Daily Spam Digest will be sent out to anyone receiving spam including external domains not configured in the SMTP Proxy. This behaviour is unwanted and should be limited to internal (specified) domains only.
Workaround: ---
Fix: Fixed in 7.005

ID5796 7.001 Unable to expand the preview window in quarantine manager
----------------------------------------------------------------------
Description: It is not possible to expand the preview window in Quarantine Manager. The popup window you get after clicking on the preview button is too small.
Workaround: ---
Fix: Fixed in 7.005

ID5584 7.000 Spam threshold can not be switched off in SMTP profiles
--------------------------------------------------------------------
Description: In the per-domain profiles of the SMTP Proxy there is no option to switch off the spam thresholds at all.
Workaround: ---
Fix: Fixed in 7.005

ID6255 7.003 ASG 425 interface problem after Up2Date to version 7.003
---------------------------------------------------------------------
Description: For some devices of the ASG 425 series the interfaces were not correctly ordered after installing Up2Date 7.003.
Workaround: ---
Fix: Fixed in 7.004

ID6222 7.003 IP rule for IPsec site-to-site remote network missing
------------------------------------------------------------------
Description: In some cases the ip rule for an IPsec site-to-site remote network is missing. In this case, the tunnel will be established correctly but no traffic will pass through.
Workaround: ---
Fix: Fixed in 7.004

ID6215 7.003 HA System reports "Error while scanning a message in database"
---------------------------------------------------------------------------
Description: On some HA systems the Email subsystem may report an error while scanning as stated above. This is due to a problem in the MySQL backend.
Workaround: ---
Fix: Fixed in 7.004

ID6148 7.003 Empty hostname for DNS host cause system lockup
------------------------------------------------------------
Description: When creating a DNS host definition and leaving the host field empty, the system may lock up.
Workaround: --- (do not try to reproduce)
Fix: Fixed in 7.004

ID6103 7.002 Empty Source network breaks HTTP proxy profile config
------------------------------------------------------------------
Description: When creating an HTTP profile the source network setting is optional and may break the configuration if not specified.
Workaround: Select a valid source network.
Fix: Fixed in 7.004

ID6098 7.002 IP counting for licensing is too strict
----------------------------------------------------
Description: In some cases the IP counting also adds ARP requests to the licensed IPs which may result in a license usage false positive.
Workaround: ---
Fix: Fixed in 7.004

ID6094 7.002 MySQL may stop working after time change
-----------------------------------------------------
Description: When changing the time backwards MySQL may not work correctly afterwards. This will affect email handling (SMTP/POP3).
Workaround: Reboot the system.
Fix: Fixed in 7.004

ID5959 7.002 Time not synced via NTP in automatic HA mode
---------------------------------------------------------
Description: When using HA in automatic mode the external NTP server is not used at all.
Workaround: ---
Fix: Fixed in 7.004

ID5951 7.000 Cache size for HTTP Proxy (squid) too small
--------------------------------------------------------
Description: The cache size for squid is calculated very conservatively.
Although the cache size depends on the disk size, it is very low even on larger disks.
Workaround: ---
Fix: Fixed in 7.004

ID5947 7.002 Executive report shows blank blocked categories
------------------------------------------------------------
Description: In the web reporting section some of the categories appear blank although there have been some blocked pages.
Workaround: ---
Fix: Fixed in 7.004

ID5895 7.002 SSL VPN does not check user certificate
----------------------------------------------------
Description: Once a user has successfully authenticated via SSL VPN with his certificate, username and password, another user may get access just by providing a valid username and password. The certificate is not rechecked for the next user.
Workaround: ---
Fix: Fixed in 7.004

ID5876 7.002 IPSec Roadwarrior Connection not counted in Dashboard view
-----------------------------------------------------------------------
Description: In the Remote Access view of the Dashboard the IPsec Roadwarriors are not counted.
Workaround: ---
Fix: Fixed in 7.004

ID5845 7.001 Active directory authentication does not work on cluster
---------------------------------------------------------------------
Description: When using HTTP Proxy in Cluster mode, the Active Directory authentication will not work correctly.
Workaround: ---
Fix: Fixed in 7.004

ID5804 7.001 Special characters not possible in smarthost authentication
------------------------------------------------------------------------
Description: Using special characters like $ or \ in SMTP smarthost authentication does not work.
Workaround: --- (change password if possible)
Fix: Fixed in 7.004

ID5790 7.001 SSL client package should install Windows service
--------------------------------------------------------------
Description: In order to be able to automatically start tunnels during system startup, the OpenVPN service should be added to the SSL client installation package.
Workaround: ---
Fix: Fixed in 7.004

ID5788 7.001 eDirectory authentication for several users fails
--------------------------------------------------------------
Description: Due to a limited number of concurrent eDirectory requests (especially sub tree searches) eDirectory authentication may fail.
Workaround: ---
Fix: Fixed in 7.004

ID5782 7.001 Automatic cleanup of Quarantine Manager not working correctly
--------------------------------------------------------------------------
Description: The autoclean feature for Quarantine Manager only works with default settings. After changing them the default values will still be used.
Workaround: ---
Fix: Fixed in 7.004

ID5756 7.001 DHCP server may serve wrong IPs on VLANs
-----------------------------------------------------
Description: When using multiple DHCP server instances on different VLANs it will serve IPs from the highest range first. These IPs will most probably not work for the other subnets.
Workaround: ---
Fix: Fixed in 7.004

ID5735 7.001 Wrong definition of the NTP service
------------------------------------------------
Description: In WebAdmin->Definitions->Services NTP is defined as TCP.
Workaround: Edit it to your needs.
Fix: Fixed in 7.004

ID5685 7.001 Traffic graphs still appear in reporting after deleting interfaces
-------------------------------------------------------------------------------
Description: After deleting an interface the corresponding traffic graphs in the reporting section should be removed one week later. This does not work correctly.
Workaround: ---
Fix: Fixed in 7.004

ID5671 7.001 eDirectory does not allow to use eDirectory containers in backend groups
-------------------------------------------------------------------------------------
Description: It is not possible to select an eDirectory container for a backend group.
Workaround: Add all users to a certain eDirectory group.
Fix: Fixed in 7.004

ID5667 7.001 SSL VPN doesn't work with special characters in certificates
-------------------------------------------------------------------------
Description: The OpenVPN client config file holds the DN of the server, so that the server can be verified (this prevents man-in-the-middle attacks). For special characters, the encodings do not match.
Workaround: Replace all characters in the tls-remote line that are not part of ([A-Z,a-z,0-9], '_', '-', '.', '@', ':', '/', '=') by '_' symbols in the OpenVPN client config file (Program files\Astaro\Astaro SSL VPN Client\config\*.ovpn)
Fix: Fixed in 7.004

ID5659 7.001 SMTP Banner does not show hostname
-----------------------------------------------
Description: The banner of the SMTP proxy only shows the standard "220 ESMTP Ready" prompt but not the hostname. This may cause problems with some remote hosts.
Workaround: ---
Fix: Fixed in 7.004

ID5535 5.000 Font rendering of Executive Report in Outlook 2007 faulty
----------------------------------------------------------------------
Description: Microsoft's Outlook 2007 does not support all of the style elements used in the Executive Report. Thus some fonts may not be displayed correctly.
Workaround: ---
Fix: Fixed in 7.004

ID6143 7.002 Incorrect BATV ACL check causes all bounces to be rejected
-----------------------------------------------------------------------
Description: Incorrect BATV ACL check causes all bounces to be rejected, unless either BATV is deactivated for the recipient domain or BATV is deactivated by an exception for the recipient or the sending host. This also causes sending mail to hosts which do sender verification to fail, since sender verification is usually implemented as a bounce test.
Workaround: see above
Fix: Fixed in 7.003

ID6081 7.002 Confidentiality footer may get added to incoming emails
--------------------------------------------------------------------
Description: The Confidentiality footer of the SMTP Proxy is also added to incoming emails when the email domain contains capital letters.
Workaround: ---
Fix: Fixed in 7.003

ID6065 7.002 Pluto.pid not deleted after DSL reconnect
------------------------------------------------------
Description: The IPsec daemon's pidfile will not be deleted after a DSL reconnect which may cause the VPN tunnels to stay down.
Workaround: ---
Fix: Fixed in 7.003

ID6027 7.002 IOS error messages in Exim log - rendering the SMTP proxy inoperable
---------------------------------------------------------------------------------
Description: Some rare ill-formatted e-mails may render the SMTP proxy inoperable.
Workaround: ---
Fix: Fixed in 7.003

ID6021 7.002 Downloads are not aborted when a user closes the downloader page
-----------------------------------------------------------------------------
Description: Downloads interrupted by the user will not be aborted by the HTTP proxy until the download is finished.
Workaround: ---
Fix: Fixed in 7.003

ID6011 7.002 Canceled downloads are not deleted by the HTTP proxy
-----------------------------------------------------------------
Description: Deferred downloads that aren't downloaded by the users will not be deleted and gradually fill up the storage.
Workaround: A reboot will delete all temporary files.
Fix: Fixed in 7.003

ID6008 7.003 HTTP Proxy logging concerning file extension blocking is incomplete
--------------------------------------------------------------------------------
Description: HTTP proxy log for blocked file extensions does not show file name and extension.
Workaround: ---
Fix: Fixed in 7.003

ID5999 7.002 No IPsec traffic after PPPoE reconnect
---------------------------------------------------
Description: After PPPoE reconnect the ipsec0 interface may have a mac-address of 0-0-0-0-0-0-0-0-0-0-0-0-0 and no more traffic passes the tunnel.
Workaround: ---
Fix: Fixed in 7.003

ID5994 7.002 Empty content-disposition header in the MIME part is rendering the e-mail undeliverable
----------------------------------------------------------------------------------------------------
Description: The problem only occurs with multipart messages, such as content type multipart/related or multipart/alternative.
Workaround: ---
Fix: Fixed in 7.003

ID5963 7.002 Timewarp shell script hangs on MiddleWare restart
--------------------------------------------------------------
Description: In case of a time warp effect (aimed at the past for more than 90 seconds), the MiddleWare may fail.
Workaround: ---
Fix: Fixed in 7.003

ID5944 7.002 Wildcards in exception lists not allowed
-----------------------------------------------------
Description: Wildcards (using an asterisk *) in sender or recipient addresses in an exception list for HTTP, SMTP, and POP3 may not be working correctly.
Workaround: ---
Fix: Fixed in 7.003

ID5941 7.002 Base64 encoded subjects in quarantine manager are decoded with an error
------------------------------------------------------------------------------------
Description: Some Base64 encoded subjects listed in the quarantine manager are not decoded and thus not displayed correctly. This can be indicated by the message "Frontier::RPC2::Base64=SCALAR"
Workaround: ---
Fix: Fixed in 7.003

ID5925 7.002 Subject lines in Daily Spam Report corrupted
---------------------------------------------------------
Description: Some e-mail clients such as Thunderbird for Windows operating systems often do not have the necessary character sets installed needed to correctly display special characters or CJK languages.
However, if the correct charsets are installed, the problem no longer occurs, as is the case with Thunderbird for Linux, for example, which is UTF-8 based and therefore has all charsets pre-installed.
Workaround: ---
Fix: Fixed in 7.003

ID5920 7.002 IPSec status view shows wrong status
-------------------------------------------------
Description: Under certain circumstances the IPSec status is wrong. This may occur, for example, if the VPN ID is a distinguished name.
Workaround: ---
Fix: Fixed in 7.003

ID5910 7.002 MiddleWare fails when Radius server is unresolved
--------------------------------------------------------------
Description: When using a DNS host definition as Radius server, the system's Middleware may stop working when this host definition is not resolvable.
Workaround: Use a static host definition for the Radius server.
Fix: Fixed in 7.003

ID5844 7.002 Some POP3 messages are downloaded more than once
-------------------------------------------------------------
Description: Because of a changed handling of the unique message id the POP3 proxy downloads all messages from the server again. If the user has configured his or her mail client in such a way that it leaves messages on the server, it might happen that older messages (i.e., messages which the client had already received) are downloaded a second time by the client.
Workaround: ---
Fix: Fixed in 7.003

ID5824 7.002 Possible parsing errors concerning SIP control packets
-------------------------------------------------------------------
Description: Due to a missing out-of-bounds check of the FROM line in a SIP control packet, a parsing error may occur, which may bring the entire system down in the worst case.
Workaround: ---
Fix: Fixed in 7.003

ID5801 7.001 Authentication exceptions per domain do not work
-------------------------------------------------------------
Description: Using the HTTP proxy, exceptions with regard to user authentication per domain do not work correctly.
Clients are still prompted to enter credentials even though the domain is configured to be exempt from user authentication. This will cause automatic Windows updates to fail in any environment requiring user authentication.
Workaround: ---
Fix: Fixed in 7.003

ID5797 7.001 Daily Spam Report mistakenly tagged as spam
--------------------------------------------------------
Description: Occasionally the Daily Spam Report of Astaro Security Gateway gets mistakenly tagged as spam due to a high spam score.
Workaround: ---
Fix: Fixed in 7.003

ID5781 7.001 Strange POP3 error messages
----------------------------------------
Description: The log file concerning POP3 shows confusing error messages that are of no relevance.
Workaround: ---
Fix: Fixed in 7.003

ID5780 7.001 Missing download progress due to unknown content length information
--------------------------------------------------------------------------------
Description: If the content length is unknown to the client, download progress information shown on the HTTP proxy download page is missing.
Workaround: ---
Fix: Fixed in 7.003

ID5728 7.001 Problems with Full-NAT handling
--------------------------------------------
Description: SNAT and DNAT rules are applied independently from one another, thus making it impossible to associate both within a full-NAT rule. In order to fix this issue, SNAT rules must be extended by a connection tracking parameter that allows an SNAT rule to be associated with a corresponding DNAT rule.
Workaround: ---
Fix: Fixed in 7.003

ID5716 7.001 Scalability of object tables in WebAdmin
-----------------------------------------------------
Description: Large object tables in WebAdmin (e.g., the list of network definitions) may take too long to be rendered in time, thus causing a repeating error message.
Workaround: Click OK whenever the error message occurs. Depending on the size of the object list, this might occur several times.
A future version of WebAdmin will implement an alternative representation of object tables containing a larger number of objects.
Fix: Fixed in 7.003

ID5693 7.001 Sometimes the daily spam report is not created
-----------------------------------------------------------
Description: Users who have a POP3 account configured but for whom no user object exists on the Astaro Security Gateway unit sometimes do not receive a daily spam report for their POP3 accounts.
Workaround: ---
Fix: Fixed in 7.003

ID5652 7.001 Using Internet Explorer, the HTTP proxy fails to display a web page that requires a POST request
-------------------------------------------------------------------------------------------------------------
Description: Internet Explorer adds an extra CRLF character to a POST request that is sent to an HTTP 1.1 server, causing the HTTP proxy to fail to deliver the page. For more information, see Microsoft Knowledgebase (http://support.microsoft.com/kb/823099).
Workaround: Use an alternative browser (e.g., Firefox 2).
Fix: Fixed in 7.003

ID5613 7.000 Cluster not able to handle IPSec NAT packets
---------------------------------------------------------
Description: An Astaro Security Gateway cluster is not able to handle IPSec NAT packets.
Workaround: Will be fixed in the next kernel release.
Fix: Fixed in 7.003

ID5609 7.001 HTTP Proxy allocates a lot of memory
-------------------------------------------------
Description: When downloading a file that has a size larger than the max scanning size, the HTTP Proxy downloads the complete file to memory, and delivers it to the client. When the client download is aborted before it has finished, or the internet uplink is faster than the client link speed, the proxy does not free the memory used for downloading the body.
Workaround: ---
Fix: Fixed in 7.003

ID5602 7.001 Logmask of HTTP proxy cannot be changed
----------------------------------------------------
Description: The log level of the HTTP proxy is always set to 'debug'. Other available log levels cannot be selected.
Workaround: ---
Fix: Fixed in 7.003

ID5568 7.000 Daily Spam Report misses percentage value of blocked e-mails
-------------------------------------------------------------------------
Description: The percentage value for blocked e-mails in the Statistics section of the daily spam report might be missing.
Workaround: ---
Fix: Fixed in 7.003

ID5404 5.000 RSA keys may be displayed incorrectly
--------------------------------------------------
Description: For a remote gateway, if an RSA key is imported as hexadecimal (0x) instead of base64 (0s), WebAdmin interprets the keys as a hex value and displays "Infinity" instead of the key. This may happen for some versions of the Firefox browser on Windows operating systems.
Workaround: Use a different browser/OS combination to access WebAdmin.
Fix: Fixed in 7.003

ID5384 7.000 Daily Spam Report layout broken in Google Mail
-----------------------------------------------------------
Description: Images contained in the End User Spam Report are not displayed if the report is opened through the Google mail web portal. However, this is just a cosmetic issue and has no impact on the spam statistics included in the report.
Workaround: ---
Fix: Fixed in 7.003

ID5309 5.000 Broken subject lines quarantine manager
----------------------------------------------------
Description: Some Base64 encoded subjects listed in the quarantine manager are not decoded and thus not displayed correctly.
This is indicated by the message "Frontier::RPC2::Base64=SCALAR".
Workaround: ---
Fix: Fixed in 7.003

ID5766 7.001 Incoming/outgoing e-mails are truncated if they contain a 'dot'
----------------------------------------------------------------------------
Description: An SMTP e-mail that contains a single dot on a line by itself in the message body is truncated because the dot is interpreted as 'End of Message'.
Workaround: Do not write an e-mail that has a single dot on a line by itself. A dot preceded by another character does not cause the message to be cropped.
Fix: Fixed in 7.002

ID5765 7.001 Network groups in DNS allowed networks not allowed
---------------------------------------------------------------
Description: It is not possible to add network groups to allowed networks for DNS access.
Workaround: ---
Fix: Fixed in 7.002

ID5740 7.001 No space left on device due to too many tmpLFI* files
------------------------------------------------------------------
Description: Temporary files that are not removed from the /opt/tmpfs/ directory may fill up the hard disk drive of the device, rendering WebAdmin inaccessible.
Workaround: Reboot Astaro Security Gateway, because /opt/tmpfs/ is deleted during startup.
Fix: Fixed in 7.002

ID5732 7.001 Static Usergroups don't work in the Packetfilter
-------------------------------------------------------------
Description: Standard usergroups in the Packetfilter ruleset do not work.
Workaround: Create rules for the user objects directly.
Fix: Fixed in 7.002

ID5709 7.001 Confidential footer applies on incoming mails only
---------------------------------------------------------------
Description: The confidential footer only applies to incoming emails instead of outgoing emails.
Workaround: ---
Fix: Fixed in 7.002

ID5698 7.001 Content filter mangles SMTP addresses
--------------------------------------------------
Description: Some characters like + get stripped off the local parts of email addresses.
Workaround: ---
Fix: Fixed in 7.002

ID5694 7.001 Executive Reporting showing more than 5 entries in TOP5 lists
--------------------------------------------------------------------------
Description: Certain lists in the executive report show more than five items even though only the top 5 entries should be displayed.
Workaround: ---
Fix: Fixed in 7.002

ID5686 7.001 Not possible to set GoogleTalk/Jabber "Block file transfers only"
------------------------------------------------------------------------------
Description: The ruleset controlling the option "Block file transfers only" for instant messaging using Google Talk/Jabber is ineffective.
Workaround: ---
Fix: Fixed in 7.002

ID5683 7.001 File extension filter blocks file after complete download
----------------------------------------------------------------------
Description: Files with an extension that is supposed to be blocked are nonetheless downloaded before the user who requests the file is shown the Astaro block message.
Workaround: ---
Fix: Fixed in 7.002

ID5682 7.001 Internet Explorer 7 (IE7) is incompatible to WebAdmin
------------------------------------------------------------------
Description: Internet Explorer 7 (IE7) is partly incompatible with WebAdmin. Some options such as the HTTP Proxy Profiles cannot be configured correctly using IE7.
Workaround: Use Firefox 2 or Internet Explorer 6 to access WebAdmin.
Fix: Fixed in 7.002

ID5669 7.001 Global HTTP Settings - Allowed Networks can not be changed
-----------------------------------------------------------------------
Description: Changing and applying global HTTP settings may be broken. The settings for 'Allowed Networks' in the HTTP Proxy menu cannot be changed. Reloading the page will revert to the previous settings, even though the 'successfully applied' message is shown after the configuration has been changed.
Workaround: ---
Fix: Fixed in 7.002

ID5666 7.001 Wrong status for added networks of a ipsec-tunnel and listview
---------------------------------------------------------------------------
Description: Both yellow and green status icons are shown for IPSec-tunnels even though all tunnels are up and running.
Workaround: Ignore yellow status icons; "n of n SA established" is the relevant information.
Fix: Fixed in 7.002

ID5660 7.001 HTTP Proxy Profiles sorting
----------------------------------------
Description: The sorting order of proxy profiles is broken. When an existing proxy profile is edited and the place of an item is changed to position n, it is always placed at position n-1. However, the positions 'Top' and 'Bottom' work correctly.
Workaround: ---
Fix: Fixed in 7.002

ID5657 7.001 Interface Name in reporting graphs is 'Unknown' for PPP-Interfaces
-------------------------------------------------------------------------------
Description: PPP-interfaces are shown as 'Unknown' in reporting graphs.
Workaround: ---
Fix: Fixed in 7.002

ID5651 7.001 Whitelist mode in HTTP Proxy Profiles not working
--------------------------------------------------------------
Description: The Filter Action mode 'block everything except the selection below' configured on the Web Security >> HTTP Profiles >> Filter Actions tab in WebAdmin does not work even though the profile matches. The user can access every web site, not just the ones allowed.
Workaround: ---
Fix: Fixed in 7.002

ID5649 7.001 "Re-generate WebAdmin certificate" may fail
--------------------------------------------------------
Description: When clicking the "Re-generate WebAdmin certificate" button in WebAdmin, there is no check for an existing certificate with the same hostname. If such a certificate exists, the certificate creation fails without notice.
Workaround: Change the hostname prior to re-generating the WebAdmin certificate.
Fix: Fixed in 7.002

ID5637 7.000 SMTP domains are case-sensitive when used in profiles
------------------------------------------------------------------
Description: SMTP domain names are treated as case-sensitive when SMTP profiles are used.
Workaround: ---
Fix: Fixed in 7.002

ID5631 7.001 Downloaded Up2Date package may not get unpacked
------------------------------------------------------------
Description: Due to a race condition between the downloader and the installer, an Up2Date package may be successfully downloaded but not unpacked. Since only unpacked Up2Date packages are shown in WebAdmin as "ready to install", it is not possible to install the firmware update.
Workaround: ---
Fix: Fixed in 7.002

ID5603 7.000 Changing the name of ContentFilter categories not working correctly
--------------------------------------------------------------------------------
Description: Editing the name of a ContentFilter category is not reflected in HTTP Proxy Profiles->Filter Actions.
Workaround: ---
Fix: Fixed in 7.002

ID5451 7.000 File extension filter blocks file only after download is complete
------------------------------------------------------------------------------
Description: Files with an extension that is supposed to be blocked are nonetheless downloaded before the user who requests the file is shown the Astaro block message.
Workaround: ---
Fix: Fixed in 7.002

ID5239 5.000 Some IM/P2P protocols won't be blocked
---------------------------------------------------
Description: Some of the IM/P2P protocols will not be blocked correctly.
Workaround: ---
Fix: Fixed in 7.002

ID5592 7.000 Up2Date and Reporting may not work after installation
------------------------------------------------------------------
Description: After initial setup, System and Pattern Up2Date as well as inline reporting and logfile rotation may not work correctly. This is due to a missing configuration detail in the backend system.
Workaround: Go to Management->System Settings->Shell Access and set a password for at least the root user. You do not need to turn on Shell Access at all. Astaro recommends leaving it disabled. If you need Shell Access, please make sure to restrict access to trusted hosts/networks only and use strong passwords.
Fix: Fixed in 7.001

ID5580 7.000 Up2date Overview page: Unable to complete backend request
----------------------------------------------------------------------
Description: Right after installation you may encounter a blank page when trying to access the Up2Date Overview page. When trying to switch to other configuration pages you get an error "Unable to complete backend request".
Workaround: Log in to WebAdmin again. Check KIL ID5592 and wait about 5 minutes. Try again.
Fix: Fixed in 7.001

ID5579 7.000 Release symbol is shown in Quarantine Manager when prefetch is off
-------------------------------------------------------------------------------
Description: The release icon for releasing emails in Quarantine Manager is always shown for POP3 emails. Releasing POP3 emails is only possible if Prefetching is enabled, thus it will not work if Prefetch is turned off.
Workaround: Enable Prefetch to use this feature.
Fix: Fixed in 7.001

ID5576 7.000 Blank HTTP Profiles/Proxy Profiles page after deleting objects
---------------------------------------------------------------------------
Description: After deleting Contentfilter Actions used in Contentfilter Profiles, the Proxy Profiles page may stay empty (grey).
Workaround: ---
Fix: Fixed in 7.001

ID5574 7.000 Additional interface menu may not be reachable
-----------------------------------------------------------
Description: After adding an additional interface to a primary and editing this primary interface, the configuration page of the additional interfaces does not load completely. In most cases you will see a grey page.
Workaround: ---
Fix: Fixed in 7.001

ID5572 7.000 PPTP shuts down if no user or group is set
-------------------------------------------------------
Description: If you want to enable PPTP Remote Access with Radius authentication only, WebAdmin disables the feature automatically if no user or group is selected.
Workaround: Add a user or group.
Fix: Fixed in 7.001

ID5569 7.000 Error while trying to update group membership
----------------------------------------------------------
Description: While being logged in to WebAdmin via a backend authentication mechanism, you will not be able to update e.g. WebAdmin Access Control lists.
Workaround: Try using the local authentication to edit the respective access controls.
Fix: Fixed in 7.001

ID5540 7.000 Awkward Real Names in From and To fields in POP3 Log
-----------------------------------------------------------------
Description: E-mail addresses with special character encodings or non-Latin1 characters contained in the real name are not shown correctly in WebAdmin reporting pages.
Workaround: ---
Fix: Fixed in 7.001

ID5495 7.000 Link Aggregation on 425 does not work correctly
------------------------------------------------------------
Description: On ASG 425 units, Link Aggregation, which is configured on the Network >> Interfaces >> Link Aggregation tab in WebAdmin, does not work. Two interfaces of the same group, which are connected to two interfaces of the same group on the switch, get different aggregator IDs in the backend. Thus it is not possible to ping a Link Aggregation Group (LAG) interface on ASG 425.
Workaround: ---
Fix: Fixed in 7.001

ID5564 7.000 NTP synchronisation does not work on slave nodes
-------------------------------------------------------------
Description: Cluster nodes will not sync time via NTP from the master.
Workaround: ---
Fix: Fixed in 7.001

ID4920 5.000 Interfaces that are part of a LAG are not shown in dashboard
-------------------------------------------------------------------------
Description: Interfaces which are part of a Link Aggregation group are shown as 'unused' in the dashboard.
Workaround: ---
Fix: Fixed in 7.001