# LIST OF KNOWN ISSUES FOR ASTARO SECURITY GATEWAY V7
# ====================================================
# The purpose of this list is to give you an overview of known issues and
# possible workarounds, as well as known problems in other software being
# used in connection with Astaro Security Gateway V7.
# The ID denotes the internal Astaro bugtracking ID and will be shown in the
# description of an Up2Date if the issue is fixed.
#
# We would appreciate it if you contributed to this list and gave us
# feedback in this respect.
# For further information please contact: knownissues@astaro.com
#
# Last edit (time is UTC):
# $Id: Known_Issues-ASG-V7.txt,v 1.90 2010/03/10 08:42:27 mgehrlein Exp $

Open Issues - Email Security
===============================

ID09174 7.302 Without email subscription (or deactivated SMTP proxy) the standard SMTP profile is activated
------------------------------------------------------------------------------------------------------------
Description: When activating the SMTP Proxy, the default profile, which contains the "AntiSpam" and the "AntiVirus" feature, is activated, even without an Email filtering subscription. The configuration can't be changed.
Workaround: Please contact our support team
Fix: ---

Open Issues - High Availability
==================================

ID06109 7.000 HA not working correctly on ESX Server v2.x
----------------------------------------------------------
Description: VMware ESX Server 2.x is not able to support HA or cluster setups. The heartbeat signal sent between HA/Cluster nodes may time out and lead to Master-Master scenarios.
Workaround: Upgrade to VMware ESX 3.0 or higher.
Fix: ---

Open Issues - Logging/Reporting
==================================

ID05465 7.000 Network interface graphs incorrect after turning back time
-------------------------------------------------------------------------
Description: After turning back the system time by a considerable amount (e.g., 2 days), no data is shown in the network traffic graphs displayed on the Reporting >> Network >> Daily tab in WebAdmin. The reason is that the graph generator is not able to handle data with a timestamp older than the latest inserted data. Once the system time reaches the last inserted timestamp again, adding data will work again.
Workaround: ---
Fix: ---

Open Issues - Management
===========================

ID07379 7.000 Manual Up2Date upload may not work correctly
-----------------------------------------------------------
Description: For large Up2Date packages (>100MB) the manual upload via WebAdmin may not work correctly if ASG has less than 512MB of RAM.
Workaround: Download Up2Date automatically or contact Support.
Fix: ---

ID06813 7.007 End-User Portal uses WebAdmin certificate
--------------------------------------------------------
Description: The End-User Portal uses the certificate generated for WebAdmin. This may cause problems when having different hostnames for End-User Portal and ASG/WebAdmin.
Workaround: ---
Fix: ---

ID06780 7.007 SSL client download fails on Windows Vista
---------------------------------------------------------
Description: Users using Internet Explorer 7 on Windows Vista may not be allowed to download the SSL VPN client from the End-User Portal. This is due to security restrictions within Vista/IE7.
Workaround: Add the Portal to the Trusted Sites in Internet Explorer (Extras->Security->Trusted Sites) in order to allow downloading an executable.
Fix: ---

ID05356 7.000 WebAdmin certificate import problems with IE 6 & 7
-----------------------------------------------------------------
Description: After installing the WebAdmin certificate in Internet Explorer 7 you may only be allowed to connect to the specific ASG the certificate is coming from. Adding another certificate from another ASG allows access to this machine, too. In IE6, the popup warning may also occur after importing the certificate.
Workaround: ---
Fix: ---

ID05138 7.000 Import of WebAdmin CA certificates may fail with Firefox
-----------------------------------------------------------------------
Description: Depending on operating system and Firefox version, import of WebAdmin's certificate may not work correctly.
Workaround: ---
Fix: ---

Open Issues - Network Security
=================================

ID11621 7.501 Packet filter is dropping own DNS replies
--------------------------------------------------------
Description: The handling of non-resolvable DNS queries causes a default packet filter drop. If a request could not be resolved, a "not resolvable" message will be transmitted after 30 seconds. The ip_conntrack_udp_timeout is 30 seconds, so the answer packet will be dropped.
Workaround: ---
Fix: ---

Open Issues - Networking
===========================

ID11671 7.501 Receiving Transmit timed out on network cards using tg3
----------------------------------------------------------------------
Description: In some rare cases network cards using the tg3 driver do a reset. This can be identified by the following log statements in the kernel.log:
    kernel: NETDEV WATCHDOG: eth0: transmit timed out
    kernel: tg3: eth0: transmit timed out, resetting
After the reset communication continues. During this reset no communication is possible with the affected card.
Workaround: Use a network card with a different chipset.
Fix: ---

Open Issues - VPN
====================

ID12539 7.502 Pushed DNS servers are randomly not used
-------------------------------------------------------
Description: Configured SSL-VPN DNS servers are sometimes not used during an established SSL client connection. DNS queries will be sent out on the local standard gateway. The issue has occurred on Windows XP SP3 systems only, so far.
Workaround: If the issue occurs on the system, please execute the following command on your Windows system to flush the DNS resolver cache:
    ipconfig /flushdns
Fix: ---

ID09100 7.301 Symantec Endpoint Protection conflicts with SSL VPN
------------------------------------------------------------------
Description: Using Symantec Endpoint Protection on a Windows system running the SSL VPN client will not work. The Symantec software causes the SSL VPN client to initialize.
Workaround: Do not install both software pieces on the same system.
Fix: ---

ID05405 7.000 PPTP/L2TP/SSL OpenVPN routes are not redistributed in OSPF
-------------------------------------------------------------------------
Description: VPN Pools like the ones mentioned above will not get redistributed when using OSPF.
Workaround: ---
Fix: ---

ID05375 7.000 Strict routing may also match locally generated traffic
----------------------------------------------------------------------
Description: For locally generated packets and strict routing enabled for an IPSec tunnel, it is not possible to send locally generated plaintext packets to the same destination.
Workaround: ---
Fix: ---

Open Issues - Web Security
=============================

ID11746 7.501 Directory listing is not working for Strato FTP server
---------------------------------------------------------------------
Description: Directory listing may not be working under certain conditions via FTP proxy.
Workaround: As a workaround try skipping virus scanning for this specific server. If this should not work please contact support.
Fix: ---

ID06491 7.005 Customizable AV scanning size not used in HTTP profiles
----------------------------------------------------------------------
Description: It is possible to set the maximum size of the file to be scanned by the AV scanner in the HTTP Proxy setup. This allows much larger files to skip the processor- and RAM-intensive task of scanning, for example, a 700MB ISO file. Currently, changing the file size will only work for the default HTTP Proxy profile. Additional profiles will continue using the default value of 50MB.
Workaround: ---
Fix: ---

Open Issues - Various
========================

ID05984 7.002 FTP upload/download stops during data transfer
-------------------------------------------------------------
Description: During an FTP transfer on a DNAT'd FTP server, incoming and outgoing FTP streams are timing out. This is due to expectation problems created by the Connection Tracking helper not allowing the connection to be revalidated.
Workaround: Create an additional packet filter rule allowing any traffic from your source network to the FTP server's address.
Fix: ---

ID12687 7.502 Arabic letters of the subject are not visible inside the spam report
-----------------------------------------------------------------------------------
Description: The subjects of blocked emails are not shown correctly inside the spam report if they contain Arabic letters.
Workaround: Please contact our support team
Fix: ---

ID12449 7.502 ASG crashes, caused by special character ")" in PPPoE password
-----------------------------------------------------------------------------
Description: An ISP-given PPPoE password which contains ")" as a character may crash the ASG after saving the interface settings.
Workaround: Use another password; the ISP can change it.
Fix: ---

ID12337 7.502 When the password contains German umlauts the referring account cannot be created in POP3 proxy
--------------------------------------------------------------------------------------------------------------
Description: POP3 prefetch accounts will not be created when the password contains certain special characters, e.g. German umlauts.
Workaround: Please use only characters of the ASCII charset.
Fix: ---

ID11844 7.501 Cannot use HTTPS scanning in a profile if HTTPS is not enabled for the global settings.
------------------------------------------------------------------------------------------------------
Description: In Transparent mode, HTTPS scanning specified by a HTTP/S proxy profile will not work for hosts in the profile which are also in the Global Allowed networks list unless HTTPS scanning is enabled in Global settings.
Example:
    Network 10.0.0.0/24 is in the Global Allowed Networks list
    Proxy is in Transparent mode, Scan HTTPS (SSL) Traffic is not enabled on the Global tab
    Profile including the host 10.0.0.1 in Transparent mode with HTTPS scanning enabled, HTTPS traffic will not be scanned.
Workaround: ---
Fix: ---

ID11496 7.500 State of additional addresses remains at DOWN after the daily reconnect
--------------------------------------------------------------------------------------
Description: After the daily reconnect of PPPoE interfaces, additional addresses bound to those interfaces remain in state DOWN.
Workaround: Please contact the Astaro Support Team.
Fix: ---

ID11412 7.500 External OWA address is no longer reachable via HTTP proxy
-------------------------------------------------------------------------
Description: The external OWA address is no longer reachable via HTTP proxy on the internal IP address of the OWA server.
Workaround: Please add a static entry for the domain to the internal IP address at Network Services > DNS.
Fix: ---

ID11396 7.500 WebAdmin is no longer reachable via HTTP proxy after update
--------------------------------------------------------------------------
Description: WebAdmin is no longer reachable via HTTP Proxy, since WebAdmin's allowed networks check could be bypassed through the HTTP proxy.
Workaround: no workaround
Fix: ---

ID11392 7.405 Windows Server 2008 R2: receiving winbindd error message, "NT_STATUS_PIPE_DISCONNECTED"
------------------------------------------------------------------------------------------------------
Description: Using web proxy with Windows 2008 R2 NTLM & LM authentication, the authentication will fail due to incompatible new security policies introduced in Windows 2008 R2 server and Astaro's authentication daemons.
Workaround: An alternate workaround is to use Kerberos authentication. When using the Astaro's fully-qualified hostname in the browser's proxy settings, Kerberos authentication will automatically be used. Ensure the time and date of the ASG is within five minutes of the Domain Controller for successful handling of Kerberos tickets.
Fix: ---

ID11371 7.500 eDirectory authentication not working any more after upgrade 7.405->7.500 when no base dn specified
-------------------------------------------------------------------------------------------------------------------
Description: Authentication for users in the eDir fails.
If you press "Test server settings" in the eDir setup dialog, you get "server test passed OK", but if you try to authenticate an eDir user with the "Authenticate example user" button, you will get an "LDAP call error" message.
Workaround: Specify one or more base DNs in the eDir server settings
Fix: ---

ID11239 7.405 Yahoo messenger will not be detected by IM/P2P security
----------------------------------------------------------------------
Description: Yahoo Messenger will not be blocked by IM/P2P-Security while connecting via the HTTP-Proxy of the ASG.
Workaround: Will be fixed in one of the upcoming versions.
Fix: ---

ID11212 7.405 Gateway route to PPTP client IP is missing after PPTP reconnect
------------------------------------------------------------------------------
Description: Static routes / Policy routes go missing after a minor interface change. E.g. the gateway route to the PPTP client IP is missing after PPTP reconnect.
Workaround: ---
Fix: ---

ID11008 7.404 User will not be shown in the SSL VPN online statistics if the name contains a space
---------------------------------------------------------------------------------------------------
Description: SSL VPN users will not be shown in 'Remote Access Status' if the user name contains a space. This is a display issue only and does not affect the VPN functionality.
Workaround: Avoid spaces in SSL VPN user names.
Fix: ---

ID10429 7.402 IPS loops if an exception for an SSL VPN user exists and they connect with Vista 32 bit
------------------------------------------------------------------------------------------------------
Description: IPS causes a high load and loops if an SSL VPN user connects with a Vista 32-bit OS and an exception exists for this user.
Workaround: Please set the Protocol at Remote Access > SSL > Settings from TCP to UDP
Fix: ---

ID10338 7.401 Not possible to delete interface, get "One of the values you entered is syntactically or logically incorrect"
----------------------------------------------------------------------------------------------------------------------------
Description: Not possible to delete an interface, getting the error "One of the values you entered is syntactically or logically incorrect"
Workaround: The error appears when the interface is still in use in the configuration. Check your configuration and remove the affected interface from the configuration, e.g. from HTTP proxy profiles.
Fix: ---

ID10318 7.401 Time Events don't work correctly after switching to daylight-saving time (03/29/09)
--------------------------------------------------------------------------------------------------
Description: After switching to daylight-saving time, time-based rules don't work correctly.
Workaround: Decrease the start and end time by about one hour to make the time-based rules work correctly.
Fix: ---

ID10229 7.401 SIP counts dropped SIP RTP packets as connections
----------------------------------------------------------------
Description: When ringing, a lot of SIP RTP packets may be dropped by the packet filter. Every dropped packet increases the SIP connection counter in WebAdmin.
Workaround: ---
Fix: ---

ID10133 7.400 APC UPS does not restore the load after power outage: Astaro stays off
-------------------------------------------------------------------------------------
Description: On a power outage, when an APC UPS reaches critical battery level, upsmon initiates the shutdown of the Astaro and tells the UPS to power down. After both devices have turned off and power comes back, the UPS, and therefore the Astaro as well, stay powered off.
Workaround: ---
Fix: ---

ID10005 7.400 If you change to German language, some descriptions are still in English
---------------------------------------------------------------------------------------
Description: After changing the global WebAdmin language to German, some descriptions are still in English.
Workaround: ---
Fix: ---

ID08063 7.104 Active Directory authentication for OpenVPN not possible if using special characters in password
---------------------------------------------------------------------------------------------------------------
Description: There is an error called "TLS Auth Error: Auth Username/Password verification failed for peer" while connecting with SSL VPN and using a password containing special characters. The connection to the gateway fails.
Workaround: It is not possible to use passwords containing special characters with OpenVPN at the moment. Please use only 7-bit characters (ASCII), for example letters, numbers and an exclamation mark. Please note that this also applies to usernames.
Fix: ---

ID06912 7.009 Problem authenticating new AD users to HA slaves
---------------------------------------------------------------
Description: In HA environments a problem might show up when trying to authenticate a newly generated Active Directory user via a HA slave system. This may happen e.g. when using the End-User Portal with AD authentication.
Workaround: Authenticate the user against the master first, if possible.
Fix: ---

ID05897 7.001 End-User Portal downloads fail with Internet Explorer 7
----------------------------------------------------------------------
Description: While trying to download a file from the End-User Portal with Internet Explorer 7 a popup window may appear and close after a second. The download will not start. Disabling the popup blocker will not help.
Workaround: Please enable "Automatic Prompting for File Downloads" in your zone settings of Internet Explorer 7.
Fix: ---

Closed Issues - Email Security
=================================

ID11538 7.501 HA slaves cannot connect to the internet via dynamic interfaces
------------------------------------------------------------------------------
Description: In case of an HA setup with dynamic interfaces (e.g. PPPoE) the slave node can't reach the query database server and will send out the following notification: "[WARN-129] Spam Filter cannot query database servers".
Workaround: Change the dynamic interface to a static interface, e.g. by moving the PPPoE dial-in to a router.
Fix: Fixed in 7.502

ID11531 7.500 You must specify a route target (internal server) error message on SMTP profile systems
------------------------------------------------------------------------------------------------------
Description: After updating to 7.500, when attempting to change the global anti-spam settings under Mail Security>>SMTP>>Antispam, the system sends a warning: You must specify a route target (internal server). This warning indicates that the user has not previously configured the basic Routing tab, which may occur if all servers were set using profile mode only in previous versions.
Workaround: As a workaround, under Mail Security>>SMTP>>Routing enter either a normal or a dummy domain such as donotresolve.net and set a route target IP address. This will allow for modification of the antispam settings tab.
Fix: Fixed in 7.504

ID11430 7.405 SMTP work queue filled up after failover which causes delay in delivery
--------------------------------------------------------------------------------------
Description: The mail work queue fills up in HA environments after takeover and will be processed very slowly.
Workaround: ---
Fix: Fixed in 7.502

ID11424 7.500 While email-subscription is missing, scanning of outgoing/incoming mails is still active
-------------------------------------------------------------------------------------------------------
Description: If there is no valid Email Subscription installed, AntiVirus and AntiSpam are greyed out and not used, but in SMTP->Relaying the feature "Scan relayed (outgoing) messages" is not greyed out and still active. With that option, the system will try to scan mails sent from an internal mailserver, but the scanner backend is not available due to a non-valid subscription. As a result, mails will not be sent out.
Workaround: Disable "Scan relayed (outgoing) messages" if you do not have a valid subscription.
Fix: Fixed in 7.501

ID10391 7.402 POP3 prefetch fails at long MIME-encoded subjects
----------------------------------------------------------------
Description: The prefetch mechanism of the POP3 proxy stops at an email where the subject is MIME-encoded for multiple lines but without actual line feed. In this case the respective account will no longer be prefetched at all.
Workaround: ---
Fix: Fixed in 7.403

ID09374 7.303 DKIM signature will not be added in some cases
-------------------------------------------------------------
Description: Email headers containing special characters may miss the DKIM signature depending on the encoding.
Workaround: ---
Fix: Fixed in 7.400

ID09072 7.301 Signing may be reported as invalid
-------------------------------------------------
Description: For encrypted emails the signing may get reported as invalid at the remote end if intermediate certificates are used. This is currently a restriction in the way the certificate is added to the email.
Workaround: ---
Fix: Fixed in 7.303

ID09028 7.301 Releasing of quarantined mails may not work
----------------------------------------------------------
Description: For emails being converted from pre-7.300 systems, releasing them out of the Quarantine Manager may not work in all cases.
Workaround: ---
Fix: Fixed in 7.302

ID09017 7.301 Quarantine Report not sent as specified
------------------------------------------------------
Description: On some systems the Quarantine Report is not being sent as it should be, even if there are quarantined emails waiting for review.
Workaround: ---
Fix: Fixed in 7.302

ID08975 7.301 Special characters in emails are not processed correctly
-----------------------------------------------------------------------
Description: In some cases umlauts are still causing broken emails, especially when using them in footers.
Workaround: Disable footers.
Fix: Fixed in 7.302

ID08949 7.300 SMTP scanner caught in an endless loop
-----------------------------------------------------
Description: In some cases the SMTP scanner may be caught in an endless loop which may stop the delivery of emails.
Workaround: Restart SMTP service.
Fix: Fixed in 7.301

ID08912 7.300 Email decryption may cut last character in line
--------------------------------------------------------------
Description: For some encrypted emails the decryption subsystem may cut the last character of each line. This has been encountered with encrypted mails coming from an Outlook 2003 client using the GnuPG plugin.
Workaround: ---
Fix: Fixed in 7.301

ID08910 7.300 Outgoing emails might get signed although signing is off
-----------------------------------------------------------------------
Description: In case email encryption is configured but signing is not, the mails may get signed anyway if encrypting the message fails. This might be triggered by having no valid key for the external user.
Workaround: ---
Fix: Fixed in 7.302

ID08906 7.300 SMTP service running with high CPU usage
-------------------------------------------------------
Description: In case of corrupt emails in the queue directory the SMTP service will try to process them anyway and drain CPU while doing this.
Workaround: ---
Fix: Fixed in 7.301

ID08892 7.300 SMTP relaying not working correctly with special configuration
-----------------------------------------------------------------------------
Description: In some cases after importing a V6 backup the SMTP relaying may not work correctly and reject messages with the following statement: "451 Temporary local problem - please try later".
Workaround: Enable virus scanning if possible, switch scanners and revert to old configuration state.
Fix: Fixed in 7.303

ID08876 7.300 Special characters in emails are not processed correctly
-----------------------------------------------------------------------
Description: In some cases emails containing special characters will not be processed correctly and the special characters are shown incorrectly in the email client. This behaviour will mainly be triggered when adding additional footers also containing special characters.
Workaround: Try disabling the additional footer.
Fix: Fixed in 7.301

ID08864 7.300 Email encryption may stop SMTP service
-----------------------------------------------------
Description: When using Email Encryption with a large set of certificates, the system may not be able to start in time before a restart of the service is triggered. This will result in an endless loop of restarting.
Workaround: Disable Email Encryption to get the SMTP service started.
Fix: Fixed in 7.301

ID08853 7.300 SMTP service not starting on HA/Cluster systems
--------------------------------------------------------------
Description: In some cases the SMTP service is not able to start on HA/Cluster systems after updating to Version 7.300. This may also affect FTP and POP3 services.
Workaround: ---
Fix: Fixed in 7.301

ID08849 7.300 End-User Portal does not show all emails
-------------------------------------------------------
Description: The email filter in End-User Portal is case sensitive, which means emails arriving for a user containing e.g. capitalized letters while his email addresses in ASG are lowercase will not be shown in the Portal.
Workaround: ---
Fix: Fixed in 7.301

ID08200 7.104 Unable to create exceptions for domains with single character
----------------------------------------------------------------------------
Description: It is not possible to add domains containing one character like a.example.com to the SMTP exceptions page.
Workaround: ---
Fix: Fixed in 7.300

ID07983 7.104 Daily Spam Report fails for some Recipients (case-sensitive issue)
---------------------------------------------------------------------------------
Description: If an email arrives with an identical recipient but different spelling, e.g. case sensitive notation, the daily spam report will not be generated in some cases. This may happen e.g. for recipients like this: support@astaro.com OR SUPPORTT@astaro.com.
Workaround: Please contact support with the corresponding ID. They will be able to send you a new package which solves this issue.
Fix: Fixed in 7.300

ID07833 7.100 Download of S/MIME certificate provides empty file
-----------------------------------------------------------------
Description: When trying to download a S/MIME cert you will receive an empty file. This is due to a problem in the frontend receiving/handling data from the backend incorrectly.
Workaround: ---
Fix: Fixed in 7.200

ID07483 7.100 Lots of config changes cause SMTP restarts
---------------------------------------------------------
Description: With lots of config changes, e.g. caused by heavy remote access connects/disconnects, the SMTP proxy will get restarted very often. This causes many gaps where the system is not able to receive or send emails.
Workaround: ---
Fix: Fixed in 7.102

ID07472 7.100 POP3 Proxy does not start with customized messages
-----------------------------------------------------------------
Description: In WebAdmin Management->Customization it is possible to change the default texts for messages the end users receive, like download manager or blocked pages. When entering characters like &, < or > into the messages for POP3 proxy, the service will no longer be available. The logfile shows an XML parser error.
Workaround: Do not use these characters or escape them properly, i.e., use HTML notation.
Fix: Fixed in 7.300

ID07034 7.009 If cffd fails during spam digest creation no resume for digest is triggered
------------------------------------------------------------------------------------------
Description: If the cff daemon, which is responsible for the whole content filtering procedure, fails during the creation of the daily spam digest, sending of the reports is not continued. This can be checked in the selfmonitor logfile if the service is restarted at about 1 a.m.
Workaround: We recommend that the settings of the quarantined emails are reduced to 3 days.
Fix: Fixed in 7.300

ID06982 7.009 Anti-Spam filter not working in some environments
----------------------------------------------------------------
Description: Using the Anti-Spam service for SMTP or POP3 email filtering, the service will not be available if the ASG has more than 10 local IP addresses configured on local (virtual) interfaces.
Workaround: ---
Fix: Fixed in 7.100

ID06926 7.009 Spam Digest not working on HA/Cluster systems
------------------------------------------------------------
Description: In HA/Cluster environments the Daily Spam Digest may not be sent out by ASG at all. This effect will occur if the system has been installed with 7.005 or earlier.
Workaround: ---
Fix: Fixed in 7.010

ID06892 7.009 Astaro notification emails tagged as spam
--------------------------------------------------------
Description: In some cases the Astaro notification emails may get tagged as spam by other Astaro appliances.
Workaround: Create exceptions matching these notifications.
Fix: Fixed in 7.300

ID06865 7.007 Daily Spam Report is sent to all users
-----------------------------------------------------
Description: The Daily Spam Report is also sent to users who are in an exception list.
Workaround: ---
Fix: Fixed in 7.100

ID06772 7.007 SMTP Mail processing may stop completely
-------------------------------------------------------
Description: In some rare cases the SMTP mail processing may stop completely due to a deadlock within the SMTP scanning subsystem. This should not affect many installations.
Workaround: Reboot the machine.
Fix: Fixed in 7.008

ID06741 7.007 Email Encryption logfiles filling up partition
-------------------------------------------------------------
Description: The logfiles from the Email Encryption backend are filling up the storage partition even after Email Encryption has been disabled.
Workaround: ---
Fix: Fixed in 7.100

ID06703 7.005 Automatic import of SMIME certificates not working correctly
---------------------------------------------------------------------------
Description: When using Email Encryption the automatic import of SMIME certificates will work in the backend, but the certificates will not be shown in the frontend.
Workaround: ---
Fix: Fixed in 7.008

ID06607 7.005 Daily Spam Report may not be sent out correctly
--------------------------------------------------------------
Description: The Daily Spam Report may not be sent correctly for users receiving spam emails with capital letters in their email address. The mail address matching is currently case sensitive.
Workaround: ---
Fix: Fixed in 7.008

ID06563 7.005 Possible memleak in Contentfilter backend system
---------------------------------------------------------------
Description: MySQL, a database engine used on Astaro to store data, is taking up hardware resources over time. This is a bug in MySQL and will most probably show up in high-load environments.
Workaround: At the moment you can only reboot the box or restart a service in the backend in order to regain system resources. Prior to 7.100, please restart the Contentscanner (/var/mdw/scripts/cffd). Starting with 7.100, there have been some changes in the backend, so please restart MySQL (/etc/init.d/mysql).
Fix: Fixed in 7.300

ID06481 7.005 Preview of quarantined emails not working for mail with attachment
---------------------------------------------------------------------------------
Description: In the end user or administrator portal, an overview of emails that have been stopped by Astaro for various reasons is possible. For mails containing an attachment a preview in the portal is not possible.
Workaround: ---
Fix: Fixed in 7.300

ID06471 7.005 Mail processing stops at message ID 1000000
----------------------------------------------------------
Description: Mails having a message ID larger than 1000000 will not be processed correctly by the content scanning subsystem.
Workaround: Call Support.
Fix: Fixed in 7.006

ID06320 7.003 POP3 spam email not tagged correctly
---------------------------------------------------
Description: When downloading emails via POP3 the tagging (warn threshold) is not done correctly. Although the mail should reach the client, there is neither a spam tag in the subject line nor a spam report in the header.
Workaround: ---
Fix: Fixed in 7.008

ID06311 7.003 Error while scanning emails may stop SMTP proxy
---------------------------------------------------------------
Description: In a few cases the SMTP proxy stopped working after a special scanning error occurred.
In the logfile there is a message like this 'Maximum number of scan retries exceeded'.
Workaround: Contact Support.
Fix: Fixed in 7.006

ID06300 7.003 Unable to release/download quarantined POP3 messages
------------------------------------------------------------------
Description: When trying to release or download the messages from the Quarantine Manager a popup window '404 not found' shows up. Trying to display a message shows '500 internal server error'.
Workaround: ---
Fix: Fixed in 7.005

ID06197 7.003 BATV secret not changeable in WebAdmin
----------------------------------------------------
Description: Currently there is no option to change the BATV secret in WebAdmin.
Workaround: ---
Fix: Fixed in 7.005

ID06169 7.003 Problems with Vista Windows Mail and POP3 Proxy in prefetch mode
------------------------------------------------------------------------------
Description: When using the Windows Vista mail client along with the POP3 Proxy in prefetch mode, a lot of timeouts may appear when trying to get new mails.
Workaround: ---
Fix: Fixed in 7.005

ID06143 7.002 Incorrect BATV ACL check causes all bounces to be rejected
------------------------------------------------------------------------
Description: Incorrect BATV ACL check causes all bounces to be rejected, unless either BATV is deactivated for the recipient domain or BATV is deactivated by an exception for the recipient or the sending host. This also causes sending mail to hosts which do sender verification to fail, since sender verification is usually implemented as a bounce test.
Workaround: see above
Fix: Fixed in 7.003

ID06081 7.002 Confidentiality footer may get added to incoming emails
---------------------------------------------------------------------
Description: The Confidentiality footer of the SMTP Proxy is also added to incoming emails when the email domain has capital letters.
Workaround: ---
Fix: Fixed in 7.003

ID06027 7.002 IOS error messages in Exim log - rendering the SMTP proxy inoperable
----------------------------------------------------------------------------------
Description: Some rare ill-formatted e-mails may render the SMTP proxy inoperable.
Workaround: ---
Fix: Fixed in 7.003

ID05994 7.002 Empty content-disposition header in the MIME part is rendering the e-mail undeliverable
-----------------------------------------------------------------------------------------------------
Description: The problem only occurs with multipart messages, such as content type multipart/related or multipart/alternative.
Workaround: ---
Fix: Fixed in 7.003

ID05941 7.002 Base64 encoded subjects in quarantine manager are decoded with an error
-------------------------------------------------------------------------------------
Description: Some Base64 encoded subjects listed in the quarantine manager are not decoded and thus not displayed correctly. This can be indicated by the message "Frontier::RPC2::Base64=SCALAR"
Workaround: ---
Fix: Fixed in 7.003

ID05925 7.002 Subject lines in Daily Spam Report corrupted
----------------------------------------------------------
Description: Some e-mail clients such as Thunderbird for Windows operating systems often do not have the necessary character sets installed needed to correctly display special characters or CJK languages. However, if the correct charsets are installed, the problem no longer remains, as is the case with Thunderbird for Linux, for example, which is UTF-8 based and has therefore all charsets pre-installed.
Workaround: ---
Fix: Fixed in 7.003

ID05844 7.002 Some POP3 messages are downloaded more than once
--------------------------------------------------------------
Description: Because of a changed handling of the unique message id the POP3 proxy downloads all messages from the server again.
If the user has configured his or her mail client in such a way that it leaves messages on the server, it might happen that older messages (i.e., messages which the client had already received) are downloaded a second time by the client.
Workaround: ---
Fix: Fixed in 7.003

ID05811 7.001 Daily Spam Digest also sent to external domains
-------------------------------------------------------------
Description: The Daily Spam Digest will be sent out to anyone receiving spam including external domains not configured in the SMTP Proxy. This behaviour is unwanted and should be limited to internal (specified) domains only.
Workaround: ---
Fix: Fixed in 7.005

ID05804 7.001 Special characters not possible in smarthost authentication
-------------------------------------------------------------------------
Description: Using special characters like $ or \ in SMTP smarthost authentication does not work.
Workaround: --- (change password if possible)
Fix: Fixed in 7.004

ID05797 7.001 Daily Spam Report mistakenly tagged as spam
---------------------------------------------------------
Description: Occasionally the Daily Spam Report of Astaro Security Gateway gets mistakenly tagged as spam due to a high spam score.
Workaround: ---
Fix: Fixed in 7.003

ID05782 7.001 Automatic cleanup of Quarantine Manager not working correctly
---------------------------------------------------------------------------
Description: The autoclean feature for Quarantine Manager only works with default settings. After changing them the default values will still be used.
Workaround: ---
Fix: Fixed in 7.004

ID05766 7.001 Incoming/outgoing e-mails are truncated if they contain a 'dot'
-----------------------------------------------------------------------------
Description: An SMTP e-mail that contains a single dot in one line of the message's body is truncated because the dot is interpreted as 'End of Message'.
Workaround: Do not write an e-mail that has a single dot in one line.
A dot having a preceding character does not cause the message to be cropped.
Fix: Fixed in 7.002

ID05709 7.001 Confidential footer applies on incoming mails only
----------------------------------------------------------------
Description: The confidential footer only applies to incoming emails instead of outgoing emails.
Workaround: ---
Fix: Fixed in 7.002

ID05698 7.001 Content filter mangles SMTP addresses
---------------------------------------------------
Description: Some characters like + get stripped off the local parts of email addresses.
Workaround: ---
Fix: Fixed in 7.002

ID05693 7.001 Sometimes the daily spam report is not created
------------------------------------------------------------
Description: Users who have a POP3 account configured but for whom no user object exists on the Astaro Security Gateway unit sometimes do not receive a daily spam report for their POP3 accounts.
Workaround: ---
Fix: Fixed in 7.003

ID05659 7.001 SMTP Banner does not show hostname
------------------------------------------------
Description: The banner of the SMTP proxy only shows the standard "220 ESMTP Ready" prompt but not the hostname. This may cause problems with some remote hosts.
Workaround: ---
Fix: Fixed in 7.004

ID05637 7.000 SMTP domains are case-sensitive when used in profiles
-------------------------------------------------------------------
Description: SMTP domain names are treated as case-sensitive when SMTP profiles are used.
Workaround: ---
Fix: Fixed in 7.002

ID05568 7.000 Daily Spam Report misses percentage value of blocked e-mails
--------------------------------------------------------------------------
Description: The percentage value for blocked e-mails in the Statistics section of the daily spam report might be missing.
Workaround: ---
Fix: Fixed in 7.003

ID05384 7.000 Daily Spam Report layout broken in Google Mail
------------------------------------------------------------
Description: Images contained in the End User Spam Report are not displayed if the report is opened through the Google mail web portal. However, this is just a cosmetic issue and has no impact on the spam statistics included in the report.
Workaround: ---
Fix: Fixed in 7.003

ID05309 Broken subject lines quarantine manager
-----------------------------------------------
Description: Some Base64 encoded subjects listed in the quarantine manager are not decoded and thus not displayed correctly. This can be indicated by the message "Frontier::RPC2::Base64=SCALAR"
Workaround: ---
Fix: Fixed in 7.003


Closed Issues - High Availability
====================================

ID11383 7.500 Cluster distribution enabled on HA systems
--------------------------------------------------------
Description: For active/passive HA systems, the cluster load distribution for IPsec and HTTP Proxy packets may be active and thus distributing parts of the traffic to the passive box which will not process the data further. In that case, the connections will get dropped/lost.
Workaround: Please contact support.
Fix: Fixed in 7.501

ID10339 7.402 Slave nodes keep UP2DATE state after manual action
----------------------------------------------------------------
Description: In case there is actually no Up2Date to perform, but one is nevertheless triggered via WebAdmin or ACC, HA/Cluster nodes may remain in the UP2DATE state until the next successful Up2Date is triggered.
Workaround: ---
Fix: Fixed in 7.403

ID10324 7.402 Possible db sync problem on HA nodes
--------------------------------------------------
Description: In some cases messages like this might show up in your High Availability logfile: 'FATAL main: Node has wrong Slony-I schema or module version loaded'.
This means the db schema on the respective HA/Cluster nodes differs and no data can be synced. Most often, this effect can occur if the nodes have/had different versions when (re-)joining the cluster.
Workaround: Contact Support, please.
Fix: Fixed in 7.403

ID10323 7.402 High-Availability logfile filling up quickly
----------------------------------------------------------
Description: In some cases the HA logfile is filling up quickly with messages like this: "ctsyncd: Got SIGUSR1, set status to SLAVE". In those cases, syncing the connection tracking table might not work correctly.
Workaround: Please contact Support.
Fix: Fixed in 7.403

ID09449 7.304 Problem accessing internal servers via HTTP Proxy on cluster nodes
--------------------------------------------------------------------------------
Description: Having internal servers reachable via DNAT on ASG will cause trouble when an internal client is trying to load the external address of this server via an active/active cluster. In case the request is processed by a slave or worker node it will not reach the internal server.
Workaround: Define static DNS entries for the respective servers pointing to their internal addresses.
Fix: Fixed in 7.400

ID09372 7.301 Problem when disabling HA backup interface
--------------------------------------------------------
Description: When using HA with backup interface functionality, the HA system might not be able to shut down backup mode after disabling in WebAdmin. This means that backup mode might still be active although it has been deactivated.
Workaround: Reboot the system.
Fix: Fixed in 7.305

ID09324 7.303 Possible problem when resolving HA Master-Master situation
------------------------------------------------------------------------
Description: The backup interface is used to prevent Master-Master situations.
When backup and main sync interface fail together and only the backup interface comes back up again, the Master-Master situation is not resolved properly.
Workaround: ---
Fix: Fixed in 7.305

ID09274 7.302 HA/Cluster system may deliver messages several times
------------------------------------------------------------------
Description: In some cases SMTP messages are delivered twice or even more times in case of an error within the queue sync process of HA/Cluster systems.
Workaround: ---
Fix: Fixed in 7.305

ID09239 7.302 End users can't release spam on HA systems after a power outage
-----------------------------------------------------------------------------
Description: After a power outage of a complete set of HA clustered machines end users may not be able to release spam by clicking the release link in the daily digest email.
Workaround: ---
Fix: Fixed in 7.400

ID08409 7.104 IPsec/Pluto misses SA syncs during restart on slave
-----------------------------------------------------------------
Description: When using IPSec VPN on active/active Cluster systems the reboot of a slave system may also shut down the tunnel SA on the remote side without any need.
Workaround: Actually the SA will get reestablished automatically once traffic should pass the tunnel.
Fix: Fixed in 7.303

ID08365 7.104 Slave stuck in 'UP2DATE' state in HA/Cluster environment
----------------------------------------------------------------------
Description: In some cases a node in a HA/Cluster environment is not able to update. WebAdmin will show status UP2DATE for a very long time and the node will not get back to ACTIVE.
Workaround: Reboot the slave (after waiting some time for automated recovery) or call support.
Fix: Fixed in 7.300

ID07906 7.103 Link detection on LAG interfaces does not work on Slave/Worker nodes
----------------------------------------------------------------------------------
Description: Link detection on LAG interfaces will not work on Slave/Worker Nodes.
Because of that, Slave/Worker nodes will be in UNLINKED state.
Workaround: ---
Fix: Fixed in 7.200

ID07892 7.103 Cluster with four or more nodes will not update completely
------------------------------------------------------------------------
Description: Having a cluster with four or more nodes, an Up2Date triggered via WebAdmin may not finish successfully. In some cases, half of the nodes seem to be stuck.
Workaround: Trigger Up2Date a second time via WebAdmin.
Fix: Fixed in 7.200

ID07831 7.102 High availability logfile filling up with stats
-------------------------------------------------------------
Description: When using ASG in High availability or Cluster mode, the logfile will fill up with stats from a process called 'ctsyncd'. Over time, the logfiles might get too large.
Workaround: ---
Fix: Fixed in 7.103

ID07475 7.100 IPsec starting in wrong mode after restart of HA system
---------------------------------------------------------------------
Description: In some cases, a member of a HA/Cluster system will not initialize its IPsec mode correctly when getting Master directly after booting. As a result all tunnels will not come up.
Workaround: Reboot again.
Fix: Fixed in 7.102

ID06886 7.009 Problem detecting linkbeat for HA on ASG525F
----------------------------------------------------------
Description: Having two ASG525F in a HA configuration will not cause a failover when linkbeat on a fibre interface is lost. This is due to a driver problem.
Workaround: ---
Fix: Fixed in 7.200

ID06651 7.006 HA/Cluster stops working if ha password has special characters
----------------------------------------------------------------------------
Description: In this version HA or Cluster does not work if the HA/Cluster encryption key contains any of the special characters " ' or (. This also affects Up2Dates from 7.005.
Workaround: Remove special characters from encryption key or call support.
Fix: Fixed in 7.100

ID06463 7.005 More than one Executive Report in HA/Cluster environment
----------------------------------------------------------------------
Description: In some cases each node in a HA/Cluster environment may send its own Executive Report.
Workaround: ---
Fix: Fixed in 7.100

ID06346 7.003 Ctsync process from HA/Cluster is restarting hourly
-----------------------------------------------------------------
Description: The ctsync process ensures proper handling of connections in HA and Cluster environments. In active/active clustering setups, this process may crash on the slave for some special connections. In high-traffic environments this may occur more often.
Workaround: ---
Fix: Fixed in 7.008

ID06317 7.004 Pattern Up2Dates on cluster nodes running very slow
-----------------------------------------------------------------
Description: In some cluster environments the Pattern-Up2Dates are running very slow due to some limitations of the sync process.
Workaround: ---
Fix: Fixed in 7.006

ID06316 7.004 File synchronization fails if HA/Cluster password has special characters
--------------------------------------------------------------------------------------
Description: When using some special characters in the HA/Cluster secret, the file synchronization between Master and other Cluster nodes will not work. In this case also console (loginuser/root) passwords will not be set correctly on the slave nodes.
Workaround: Change HA/Cluster password.
Fix: Fixed in 7.005

ID06285 7.003 HA file synchronization may sync in wrong direction
-----------------------------------------------------------------
Description: In some cases the High Availability slave may also sync data to the master. This can lead to wrong ssh keys or loginuser/root passwords, i.e.
Workaround: ---
Fix: Fixed in 7.005

ID06225 7.003 Problems syncing databases in HA/Cluster environments
-------------------------------------------------------------------
Description: Astaro uses MySQL and Sqlite databases for information handling. In some cases (takeover, crash, powerloss, ..) these databases may get corrupted and syncing will no longer work correctly. This may affect single Cluster nodes or the complete system.
Workaround: Call Support.
Fix: Fixed in 7.010

ID06215 7.003 HA System reports "Error while scanning a message in database"
----------------------------------------------------------------------------
Description: On some HA systems the Email subsystem may report an error while scanning as stated above. This is due to a problem in the MySQL backend.
Workaround: ---
Fix: Fixed in 7.004

ID06031 7.002 HTTP traffic in cluster may not be distributed to worker
----------------------------------------------------------------------
Description: After changing the port of the HTTP Proxy to another port than 8080, the distribution of the HTTP traffic to cluster nodes (slave/worker) will not work.
Workaround: --- (Change back port to 8080 if possible)
Fix: Fixed in 7.008

ID05959 7.002 Time not synced via NTP in automatic HA mode
----------------------------------------------------------
Description: When using HA in automatic mode the external NTP server is not used at all.
Workaround: ---
Fix: Fixed in 7.004

ID05845 7.001 Active directory authentication does not work on cluster
----------------------------------------------------------------------
Description: When using HTTP Proxy in Cluster mode, the Active Directory authentication will not work correctly.
Workaround: ---
Fix: Fixed in 7.004

ID05613 7.000 Cluster not able to handle IPSec NAT packets
----------------------------------------------------------
Description: An Astaro Security Gateway cluster is not able to handle IPSec NAT packets.
Workaround: Will be fixed in the next kernel release.
Fix: Fixed in 7.003

ID05564 7.000 NTP synchronisation does not work on slave nodes
--------------------------------------------------------------
Description: Cluster nodes will not sync time via NTP from the master.
Workaround: ---
Fix: Fixed in 7.001


Closed Issues - Intrusion Protection
=======================================

ID08323 7.200 Using predefined QoS traffic selectors for IM/P2P may cause problems
----------------------------------------------------------------------------------
Description: In some cases the predefined QoS traffic selectors for IM/P2P services are not working correctly and cause Middleware to stop working.
Workaround: ---
Fix: Fixed in 7.201

ID08305 7.200 No option to enter Controlled Networks for IM/P2P
---------------------------------------------------------------
Description: In WebAdmin IM/P2P->Settings->Global the drag'n'drop box for Controlled Networks may be missing in some cases. This mainly affects configurations coming from V6 via Backup converter.
Workaround: ---
Fix: Fixed in 7.201

ID06952 7.009 IPS not working correctly on ASG Cluster in bridge mode
---------------------------------------------------------------------
Description: IPS traffic is not correctly distributed to Active-Active Cluster nodes for bridge interfaces.
Workaround: ---
Fix: Fixed in 7.200

ID06530 7.005 IM/P2P: Winny blocking not working
------------------------------------------------
Description: The detection/blocking of the P2P client Winny is not working currently.
Workaround: ---
Fix: Fixed in 7.200

ID06396 7.004 IPS hardware accelerated scanning terminates connections
----------------------------------------------------------------------
Description: The hardware scanner is part of the ASG 425/525 models and accelerates various IPS and AV functions. In some cases the IPS daemon causes session disconnects of end users when the hardware scanner is running.
This also might affect SSH sessions.
Workaround: ---
Fix: Fixed in 7.200

ID05747 7.001 Intrusion Protection counter in dashboard incorrect
-----------------------------------------------------------------
Description: The Intrusion Protection counter in the dashboard may show a larger number for the active rules than for the available rules. This is due to a problem counting the available rules and all their dependencies.
Workaround: ---
Fix: Fixed in 7.008


Closed Issues - Logging/Reporting
====================================

ID10409 7.402 Web Security reports not visible for auditors
-----------------------------------------------------------
Description: Currently auditor users only get a blank page when trying to access the WebSecurity reports in WebAdmin.
Workaround: ---
Fix: Fixed in 7.403

ID10139 7.400 Unable to download, clear, or delete log files
------------------------------------------------------------
Description: Downloading or manipulating logfiles via WebAdmin does not work. This affects all types of actions in all browser variants.
Workaround: ---
Fix: Fixed in 7.403

ID10087 7.400 Historical WebSecurity usage data not shown
---------------------------------------------------------
Description: Installations updating to 7.400 will not be able to view historical WebSecurity usage. Data and reports are not lost and will be reenabled in an upcoming Up2Date.
Workaround: ---
Fix: Fixed in 7.401

ID09220 7.302 Email Usage and Email filtering not showing any values
--------------------------------------------------------------------
Description: The Daily Executive Report as well as the Email Reports in WebAdmin may not show values for Email Usage and Email Filtering. This is due to a mismatch in the pattern file in the backend.
Workaround: If possible, enable IPS and run a Pattern Up2Date.
Fix: Fixed in 7.303

ID08035 7.104 Estimation of log partition fillup can be negative
----------------------------------------------------------------
Description: In case the system is running on disks larger than 250 GB, the estimated log partition fillup rate can be negative.
Workaround: --- (don't worry, this partition won't fill up that fast)
Fix: Fixed in 7.200

ID07155 7.100 Network Usage may contain values larger than 100%
---------------------------------------------------------------
Description: The Network Usage statistics in WebAdmin and in the Executive Report may contain wrong values (larger than 100% or negative values) when files larger than 4GB are passing the system.
Workaround: ---
Fix: ---

ID06853 7.007 Reporting may stop working because of backend problem
-------------------------------------------------------------------
Description: In some cases a malformed logline in the backend may cause the reporting functions in WebAdmin to stop working. This may affect all types of reporting.
Workaround: ---
Fix: Fixed in 7.011

ID06715 7.006 Remote Syslog logs without facility and priority
--------------------------------------------------------------
Description: When sending logs from an ASG to a remote Syslog server, ASG V7 does not send over the facility or selector in the logs like in V5 or V6.
Workaround: ---
Fix: Fixed in 7.008

ID06662 7.006 WebSecurity Reporting shows wrong numbers
-------------------------------------------------------
Description: Most reports from the WebSecurity system will show wrong numbers since many entries will be counted multiple times. This affects the Reporting section in WebAdmin as well as the Executive Report.
Workaround: ---
Fix: Fixed in 7.007

ID06639 7.006 Timezone glitch in WebSecurity Reporting
------------------------------------------------------
Description: With a timezone outside GMT, WebSecurity Reporting will not work correctly.
If the system time moves over to a new local day, HTTP reports for today won't show anything since the day only changed in the local timezone, but not yet in GMT.
Workaround: ---
Fix: Fixed in 7.008

ID06526 7.005 Accounting rotation process leads to slow system
--------------------------------------------------------------
Description: The accounting process, responsible for the various bandwidth and traffic statistics present on ASG, needs to be archived, purged, and reset each night for a fresh workday. Customers in large installations that use the Astaro normally during the maintenance period will experience slowdowns. Possible solutions are being considered.
Workaround: ---
Fix: Fixed in 7.300

ID06525 7.005 Corrupt databases in HA/Cluster environment
---------------------------------------------------------
Description: In some HA/Cluster environments the databases may get corrupted while syncing with the slave. In this case, reporting will stop working properly.
Workaround: ---
Fix: Fixed in 7.010

ID06516 7.005 Large accounting database causes long processing times
--------------------------------------------------------------------
Description: This issue concerns large amounts of accounting data that must be tracked and then reported on. If the data that is stored in the accounting database gets too large too quickly, it can overwhelm the reporting scripts and rotation processes. Alternate methods of parsing and rotating are being investigated.
Workaround: ---
Fix: Fixed in 7.300

ID06421 7.004 HTTP Proxy does not log complete URL
--------------------------------------------------
Description: The HTTP Proxy currently does not log the full URL (e.g. the query part) for users surfing via the proxy.
Workaround: ---
Fix: Fixed in 7.008

ID06265 7.003 Portscan detection and logging consumes too much CPU resources
----------------------------------------------------------------------------
Description: When running a portscan against an ASG device lots of loglines are generated and processed. In this case the reporting subsystem may not be able to process all logoutput from portscan detection in time. As a result the reporting subsystem will start allocating system resources (CPU and RAM) and may also lead to a Denial of Service. This also applies to logged packetfilter violations, i.e. when a client generates lots of traffic which is blocked and logged on ASG.
Workaround: Try to disable logging for packetfilter rules generating much logoutput and disable Portscan detection.
Fix: Fixed in 7.008

ID06008 7.003 HTTP Proxy logging concerning file extension blocking is incomplete
---------------------------------------------------------------------------------
Description: HTTP proxy log for blocked file extensions does not show file name and extension.
Workaround: ---
Fix: Fixed in 7.003

ID05947 7.002 Executive report shows blank blocked categories
-------------------------------------------------------------
Description: In the web reporting section some of the categories appear blank although there have been some blocked pages.
Workaround: ---
Fix: Fixed in 7.004

ID05781 7.001 Strange POP3 error messages
-----------------------------------------
Description: The log file concerning POP3 shows confusing error messages that are of no relevance.
Workaround: ---
Fix: Fixed in 7.003

ID05694 7.001 Executive Reporting showing more than 5 entries in TOP5 lists
---------------------------------------------------------------------------
Description: Certain lists in the executive report show more than five items even though only the top5 entries should be displayed.
Workaround: ---
Fix: Fixed in 7.002

ID05685 7.001 Traffic graphs still appear in reporting after deleting interfaces
--------------------------------------------------------------------------------
Description: After deleting an interface the corresponding traffic graphs in the reporting section should be removed one week later. This does not work correctly.
Workaround: ---
Fix: Fixed in 7.004

ID05657 7.001 Interface Name in reporting graphs is 'Unknown' for PPP-Interfaces
--------------------------------------------------------------------------------
Description: PPP-interfaces are shown as 'Unknown' in reporting graphs.
Workaround: ---
Fix: Fixed in 7.002

ID05602 7.001 Logmask of HTTP proxy cannot be changed
-----------------------------------------------------
Description: The log level of the HTTP proxy is always set to 'debug'. Other available log levels cannot be selected.
Workaround: ---
Fix: Fixed in 7.003

ID05540 7.000 Awkward Real Names in From and To fields in POP3 Log
------------------------------------------------------------------
Description: E-mail addresses with special character encodings or non-Latin1 characters contained in the real name are not shown correctly in WebAdmin reporting pages.
Workaround: ---
Fix: Fixed in 7.001

ID05535 Font rendering of Executive Report in Outlook 2007 faulty
-----------------------------------------------------------------
Description: Microsoft's Outlook 2007 does not support all of the style elements used in the Executive Report. Thus some fonts may not be displayed correctly.
Workaround: ---
Fix: Fixed in 7.004


Closed Issues - Management
=============================

ID09249 7.302 External SMTP server for notifications not used after a reboot
----------------------------------------------------------------------------
Description: In some cases the external SMTP server for notifications is not used after rebooting the system.
Workaround: ---
Fix: Fixed in 7.400

ID08930 7.300 User data can not be changed
------------------------------------------
Description: In some cases when upgrading from 7.2 user data can not be changed, e.g. when setting preferences for Email Encryption. This is due to a missing real name in the user settings page.
Workaround: Go to Definition->Users, edit the user and set a real name.
Fix: Fixed in 7.302

ID08899 7.300 Data partition filling up on small systems
--------------------------------------------------------
Description: On small systems and also on systems having lots of reporting data, the 'Storage-Partition' may fill up too fast. This is due to conversion of reporting data to a faster and more flexible model.
Workaround: ---
Fix: Fixed in 7.301

ID08850 7.300 IP counting for licensing adds external hosts
-----------------------------------------------------------
Description: In some cases the license IP counter also detects external IPs and adds them to the internal pool. This may happen on alias interfaces using a hostmask (/32) as netmask.
Workaround: ---
Fix: Fixed in 7.301

ID08385 7.200 Middleware may stop working after factory reset
-------------------------------------------------------------
Description: In some cases the Middleware may stop working when a factory reset has been done in version 7.10x or 7.200 and when you are using the HTTP Proxy or HA/Clustering features after the factory reset.
Workaround: ---
Fix: Fixed in 7.201

ID08369 7.200 Licenses can not be installed on Virtual AWG Appliance
--------------------------------------------------------------------
Description: In many virtual environments there are problems importing a valid license for AWG Virtual Appliance.
Workaround: In case updating works, please try to apply System Up2Date 7.201 and try again; in case updating is not an option, please backup your configuration and restore it in a 7.201 Virtual Appliance.
Fix: Fixed in 7.201

ID08317 7.104 UPS support is not working properly
-------------------------------------------------
Description: When connecting a UPS the device might not get detected properly. In some cases no progress bar is shown and in many cases the UPS icon is not shown at all in the dashboard. In those cases, there will also be no notifications and no shutdown action in case of a power outage.
Workaround: ---
Fix: Fixed in 7.400

ID08073 7.180 Blank password allowed for encrypted backups
----------------------------------------------------------
Description: When enabling encrypted backups it is possible to supply a blank password. Backups encrypted this way can not be restored. A check is needed to make sure a valid password is supplied.
Workaround: Make sure you've set a valid password (also try importing one of the encrypted backups).
Fix: Fixed in 7.300

ID08005 7.104 Webadmin/End-User Portal hangs when backend user logs in
----------------------------------------------------------------------
Description: When a backend user having two identical mail addresses in the backend service (e.g. Active Directory primary and secondary mail address) logs into End-User Portal, ASG strips away the duplicate email and restarts a service which causes the Portal/WebAdmin to hang.
Workaround: ---
Fix: Fixed in 7.200

ID08001 7.104 Daylight Saving Time (DST) not updating properly
--------------------------------------------------------------
Description: Some countries had changes to their Daylight Saving Times which are not reflected by ASG currently. Thus, the summer-/wintertime starts at a wrong date. Known countries are Canada, Venezuela, New Zealand, ..
Workaround: ---
Fix: Fixed in 7.200

ID07939 7.102 Hostname for End User Portal no longer accepts IPs
----------------------------------------------------------------
Description: The hostname box in Management->End User Portal->Advanced only accepts hostnames.
In some cases there is a need for putting IP addresses in there.
Workaround: ---
Fix: Fixed in 7.200

ID07920 7.104 Problem with usernames containing spaces
------------------------------------------------------
Description: Users having usernames with a space character can not download configuration files for SSL VPN from End-User Portal. The only error shown is a popup reading "UNKNOWN". This mainly comes from Active Directory users having different names (with and without space) in their attributes (CN and sAMAccountName).
Workaround: ---
Fix: Fixed in 7.200

ID07866 7.102 Up2Date package verification fails after factory reset
--------------------------------------------------------------------
Description: After executing factory reset the system and pattern Up2Date packages can not be verified. An 'Error in GPG verification (return code: 512)' is shown in the logfile.
Workaround: Contact support.
Fix: Fixed in 7.104

ID07823 7.102 Active Directory dot-notation not working
-------------------------------------------------------
Description: Users having different values in Active Directory attributes 'CN' and 'sAMAccountName' will have problems authenticating against ASG.
Workaround: ---
Fix: Fixed in 7.200

ID07443 7.100 Customization Texts for HTTP Proxy not working
------------------------------------------------------------
Description: The customizable texts for HTTP Proxy (i.e. download manager) entered via WebAdmin will be ignored and default texts will be used.
Workaround: ---
Fix: Fixed in 7.101

ID07442 7.100 High system load after remote access login
--------------------------------------------------------
Description: For systems with lots of remote access users the system load will increase when users connect/disconnect to ASG. This is due to a backend service using CPU resources for user and system management.
Workaround: ---
Fix: Fixed in 7.101

ID07314 7.100 Bridge can not be disabled after importing a backup
-----------------------------------------------------------------
Description: In some cases it is not possible to disable a bridge interface after importing a backup.
Workaround: Change the hardware of one of the bridge interfaces (e.g. from eth2 to eth3) and retry disabling the bridge.
Fix: Fixed in 7.102

ID07097 7.011 Nics listed twice in WebAdmin overview
----------------------------------------------------
Description: In some cases after importing a V6 backup the interfaces in WebAdmin Network->Interfaces->Hardware will get listed twice.
Workaround: ---
Fix: Fixed in 7.102

ID07014 7.011 eDirectory authentication does not work if BaseDN is empty
------------------------------------------------------------------------
Description: When using eDirectory authentication and leaving the BaseDN empty the ASG will try to search the eDirectory without Base DN for a matching user. This will not work in all cases.
Workaround: Set BaseDN for eDirectory authentication.
Fix: Fixed in 7.100

ID07001 7.010 eDirectory authentication in standard mode not working
--------------------------------------------------------------------
Description: In certain cases non-eDirectory-SSO (Single Sign On) authentication will not work.
Workaround: ---
Fix: Fixed in 7.011

ID06869 7.008 Up2date package upload via WebAdmin not possible
--------------------------------------------------------------
Description: The Upload of Up2Date packages is not working correctly in version 7.008. When trying to upload a valid Up2Date package an error 'File extension not allowed' may show up.
Workaround: Please contact support.
Fix: Fixed in 7.009

ID06855 7.007 Problem in Authentication service under high load
---------------------------------------------------------------
Description: In high load scenarios (e.g.
with many concurrent users logging on/off) the authentication service may run into problems and mix up requests internally. This will mainly lead to a non-working authentication service.
Workaround: ---
Fix: Fixed in 7.010

ID06740 7.007 Authentication of new users may fail
--------------------------------------------------
Description: When adding a new user and allowing access to e.g. SSL VPN, the user may not be able to authenticate. The authentication backend may not be informed correctly about the new user.
Workaround: Try disabling/enabling the feature, otherwise reboot.
Fix: Fixed in 7.008

ID06713 7.006 Changes to backend query order do not take effect
---------------------------------------------------------------
Description: If you try to change the backend query order in Users->Authentication->Advanced by moving for example Radius to the top of the list, the position changes correctly. After clicking apply it says changes saved, but when coming back to the menu the list is back to the original order.
Workaround: ---
Fix: Fixed in 7.008

ID06701 7.006 Possible problem when syncing eDirectory users
------------------------------------------------------------
Description: The error handling for syncing eDirectory users can lead to unexpected restarts of the authentication subsystem. This may be caused by wrong context syntax or LDAP communication problems.
Workaround: ---
Fix: Fixed in 7.007

ID06628 7.005 Wrong message after too many failed WebAdmin logins
-----------------------------------------------------------------
Description: After too many failed WebAdmin logins the popup should say so. Instead, it only says 'Wrong username or password'.
Workaround: ---
Fix: Fixed in 7.100

ID06492 7.005 WebAdmin becomes unresponsive after a longer log-in period
------------------------------------------------------------------------
Description: After working in WebAdmin and not clicking anything for some minutes, the session might be stale or time out.
Workaround: ---
Fix: Fixed in 7.100

ID06460 7.005 Authentication daemon restarting in eDirectory environments
-------------------------------------------------------------------------
Description: On some lookup errors in eDirectory environments the authentication daemon may die. Selfmonitor will restart the daemon, but in this timeframe no more authentication requests will be processed.
Workaround: ---
Fix: Fixed in 7.006

ID06438 7.000 WebAdmin SSO support for ACC not working
------------------------------------------------------
Description: Using Astaro Command Center (ACC) for accessing WebAdmin via Single Sign On is not working.
Workaround: ---
Fix: Fixed in 7.100

ID06391 7.004 User objects fail to be created when user name contains a numeral
-------------------------------------------------------------------------------
Description: Usernames for either local user or backend authentication against eDirectory/AD will not create a user object automatically if a number is used for the username.
Workaround: ---
Fix: Fixed in 7.006

ID06203 7.003 Backend sync for users with multiple mail addresses does not work
-------------------------------------------------------------------------------
Description: If a user is created in an Active Directory using multiple e-mail addresses, the auto-creation function of Astaro Security Gateway used for synchronizing users with back end authentication servers may not work correctly.
Workaround: ---
Fix: Fixed in 7.005

ID05881 7.002 Dyndns-custom only supports one hostname
------------------------------------------------------
Description: Users having a dyndns-custom account may want to set their hostname to something like "www.mydomain.com,mail.mydomain.com,mydomain.com" which is not allowed at the moment.
Workaround: ---
Fix: Fixed in 7.006

ID05789 7.001 User certificate will not be deleted at all
---------------------------------------------------------
Description: When deleting a local user the corresponding certificate will remain on the firewall. This will not allow creating a new user with the same username the deleted user had.
Workaround: ---
Fix: Fixed in 7.008

ID05788 7.001 eDirectory authentication for several users fails
---------------------------------------------------------------
Description: Due to a limited number of concurrent eDirectory requests (especially sub tree searches) eDirectory authentication may fail.
Workaround: ---
Fix: Fixed in 7.004

ID05765 7.001 Network groups in DNS allowed networks not allowed
----------------------------------------------------------------
Description: It is not possible to add network groups to allowed networks for DNS access.
Workaround: ---
Fix: Fixed in 7.002

ID05686 7.001 Not possible to set GoogleTalk/Jabber "Block file transfers only"
-------------------------------------------------------------------------------
Description: The ruleset controlling the option "Block file transfers only" for instant messaging using Google Talk/Jabber is ineffective.
Workaround: ---
Fix: Fixed in 7.002

ID05671 7.001 eDirectory does not allow to use eDirectory containers in backend groups
--------------------------------------------------------------------------------------
Description: It is not possible to select an eDirectory container for a backend group.
Workaround: Add all users to a certain eDirectory group.
Fix: Fixed in 7.004

ID05669 7.001 Global HTTP Settings - Allowed Networks can not be changed
------------------------------------------------------------------------
Description: Changing and applying of global HTTP settings may be broken. The settings for 'Allowed Networks' in the HTTP Proxy menu cannot be changed.
Reloading the page will revert to the previous settings, even though the 'successfully applied' message is shown after the configuration has been changed.
Workaround: ---
Fix: Fixed in 7.002

ID05649 7.001 "Re-generate WebAdmin certificate" may fail
---------------------------------------------------------
Description: When clicking the "Re-generate WebAdmin certificate" button in WebAdmin, there is no check for an existing certificate with the same hostname. In this case the certificate creation fails without notice.
Workaround: Change the hostname prior to re-generating the WebAdmin certificate.
Fix: Fixed in 7.002

ID05603 7.000 Changing the name of ContentFilter categories not working correctly
---------------------------------------------------------------------------------
Description: Editing the name of a ContentFilter category is not reflected in HTTP Proxy Profiles->Filter Actions.
Workaround: ---
Fix: Fixed in 7.002

ID05580 7.000 Up2date Overview page: Unable to complete backend request
-----------------------------------------------------------------------
Description: Right after installation you may encounter a blank page when trying to access the Up2Date Overview page. When trying to switch to other configuration pages you get an error "Unable to complete backend request".
Workaround: Relogin to WebAdmin. Check KIL ID5592 and wait about 5 minutes. Try again.
Fix: Fixed in 7.001

ID05579 7.000 Release symbol is shown in Quarantine Manager when prefetch is off
--------------------------------------------------------------------------------
Description: The release icon for releasing emails in Quarantine Manager is always shown for POP3 emails. Releasing POP3 emails is only possible if Prefetching is enabled, thus it will not work if Prefetch is turned off.
Workaround: Enable Prefetch to use this feature.
Fix: Fixed in 7.001

ID05576 7.000 Blank HTTP Profiles/Proxy Profiles page after deleting objects
----------------------------------------------------------------------------
Description: After deleting Contentfilter Actions used in Contentfilter Profiles, the Proxy Profiles page may stay empty (grey).
Workaround: ---
Fix: Fixed in 7.001

ID05569 7.000 Error while trying to update group membership
-----------------------------------------------------------
Description: While being logged in to WebAdmin via a backend authentication mechanism, you will not be able to update e.g. WebAdmin Access Control lists.
Workaround: Try using the local authentication to edit the respective access controls.
Fix: Fixed in 7.001

ID05422 7.000 Changing eDir SSL settings breaks eDir Browser for current session
--------------------------------------------------------------------------------
Description: If you change SSL settings for eDir, the eDir Browser does not work. Also, the current WebAdmin session breaks the moment you try to open eDir Browser. Then you have to relogin to WebAdmin. After the relogin the eDir Browser works fine. If you enable/disable SSL for eDir again, the eDir Browser does not work again until you relogin to WebAdmin.
Workaround: ---
Fix: Fixed in 7.300

Closed Issues - Network Security
===================================

ID12338 7.502 Snort SID link in IPS notifications is invalid
------------------------------------------------------------
Description: As there has been a change in the backend of the snort system, the links within the IPS notification are broken.
Workaround: ---
Fix: Fixed in 7.504

ID10028 7.400 Service-only NAT rules cause backend problems
-----------------------------------------------------------
Description: Using NAT rules (DNAT or SNAT) and leaving the 'Destination' field blank will cause a crash in the backend. This leads to a mainly unusable system as the backend service will get restarted permanently.
Workaround: Enter a destination for the NAT rule, if possible. Alternatively, for maximum safety, disable the affected NAT rules before installing the 7.400 Up2date and re-enable them after installing the 7.401 Up2date. If both Up2date packages are installed at the same time, no special action is required.
Fix: Fixed in 7.401

ID10024 7.400 Using Service groups for NAT can cause backend problems
---------------------------------------------------------------------
Description: Using service groups for NAT (DNAT/Full NAT) rules can cause backend problems when a group should be mapped to a single port. In such cases, the backend will crash while being restarted by selfmonitoring permanently.
Workaround: ---
Fix: Fixed in 7.401

ID08109 7.104 Packetfilter may drop locally generated packets
-------------------------------------------------------------
Description: In some cases packetfilter may drop locally generated packets like outgoing requests for DNS, VPN, Email or NTP. This will not apply to all packets of a connection, but just to some of them.
Workaround: Reboot the system.
Fix: Fixed in 7.200

ID07479 7.100 SNAT rule for network groups not set
--------------------------------------------------
Description: For network definitions it is now possible to bind them to a specific interface. Adding such a bound network to a group and then using this group in a SNAT rule will not work. The rules will not be set in the backend.
Workaround: Try using the definition without the group.
Fix: Fixed in 7.101

ID06478 7.005 Packetfilter rules not set correctly when using additional addresses
----------------------------------------------------------------------------------
Description: When a packetfilter rule is configured whose source/destination is an additional interface address, a filter rule is added to USR_FORWARD chain, not USR_OUTPUT/INPUT chain.
Also, the auto packet filter for IPsec connections whose local network is an additional interface does not create an OUTPUT/INPUT chain.
Workaround: ---
Fix: Fixed in 7.006

ID05986 7.002 Enduser Portal and SSL VPN not reachable via DNAT
---------------------------------------------------------------
Description: It is not possible to use DNAT for Enduser Portal or SSL VPN on an upstream router. This is because of the local IP address used in the redirection response from the HTTP Proxy.
Workaround: ---
Fix: Fixed in 7.300

ID05728 7.001 Problems with Full-NAT handling
---------------------------------------------
Description: SNAT and DNAT rules are applied independently from one another, thus making it impossible to associate both within a full-NAT rule. In order to fix this issue, SNAT rules must be extended by a connection tracking parameter allowing to associate an SNAT rule with a corresponding DNAT rule.
Workaround: ---
Fix: Fixed in 7.003

Closed Issues - Networking
=============================

ID11259 7.405 IP counting in bridge configuration not working in all cases
--------------------------------------------------------------------------
Description: In some cases when using a bridge configuration, the IP counting is not working correctly. This mainly happens when having only a bridge interface.
Workaround: ---
Fix: Fixed in 7.501

ID10607 7.400 Problems reconnecting to DSL via PPPoE
----------------------------------------------------
Description: Some DSL modems seem to announce availability of the access concentrator on the remote side without actually having a connection. This can cause the backend system to get stuck while trying to establish a connection to the access concentrator.
Workaround: Either try disabling and re-enabling the PPPoE interface or reboot the system.
Fix: Fixed in 7.404

ID10588 7.403 Problems connecting via DHCP / Cable modem
--------------------------------------------------------
Description: When the default gateway is assigned to a cable DHCP interface, the backend may fail to bring up the connection correctly.
Workaround: Rebooting the system gracefully worked in most cases.
Fix: Fixed in 7.404

ID10423 7.402 Using proxy arp may cause loss of WebAdmin connectivity
---------------------------------------------------------------------
Description: After installing a backup of an older version with proxy arp feature enabled, the respective interface might not come up correctly and WebAdmin access might no longer work. This effect can also show up after rebooting the system.
Workaround: ---
Fix: Fixed in 7.403

ID10284 7.401 Uplink interface not showing up sometimes
-------------------------------------------------------
Description: In some cases the Uplink interface will not show up in the interface selection list. This is an error when unhiding the respective object.
Workaround: Disable and reenable Uplink Balancing in WebAdmin. The Uplink interface should appear in the interfaces selection list.
Fix: Fixed in 7.403

ID10200 7.400 Problem with auto packetfilter rules for outgoing traffic
-----------------------------------------------------------------------
Description: Using uplink failover before upgrading to version 7.400 can lead to a faulty conversion of check hosts for 7.400 which will cause some automatic packetfilter rules for outgoing traffic to not be activated at all. This may affect various places of the system using these rules for communication to outside services.
Workaround: ---
Fix: Fixed in 7.402

ID10195 7.401 Same domain name in request routing and static entries prevents named from starting
-------------------------------------------------------------------------------------------------
Description: Using the same domain for both "Request Routing" and "Static Entries" prevents the named service from starting.
Workaround: Please delete one of these two entries with the same domain name.
Fix: Fixed in 7.500

ID10158 7.401 Multipath persistence by connection not working properly
----------------------------------------------------------------------
Description: In case two multipath rules match a certain traffic flow and the first rule is nonpersist, the last one wins.
Workaround: ---
Fix: Fixed in 7.402

ID10108 7.400 ASG 525-F eth8 and eth9 may lose link
---------------------------------------------------
Description: After upgrading to 7.400 on some ASG525-F machines the fibre NICs eth8 and eth9 may lose link and not transfer any data. This only affects fibre NICs. ASG525 models with copper-only NICs are not affected.
Workaround: Switch to another free NIC if possible. Change hardware for this interface in WebAdmin after recabling.
Fix: Fixed in 7.402

ID09207 7.200 OSPF debug output in WebAdmin is empty
----------------------------------------------------
Description: When trying to gather debug information about OSPF, all the windows may stay empty.
Workaround: ---
Fix: Fixed in 7.303

ID08948 7.300 Problem with masquerading rules after uplink failover
-------------------------------------------------------------------
Description: Masquerading rules will not be set correctly after switching back to the primary uplink failover interface.
Workaround: ---
Fix: Fixed in 7.303

ID08503 7.103 VLAN sometimes fails on bonding device
----------------------------------------------------
Description: In some cases there might be a problem creating a vlan interface on a link aggregation group.
Workaround: ---
Fix: Fixed in 7.300

ID08384 7.200 Kernel reports 'Detected Tx Unit Hang' on e1000 hardware
----------------------------------------------------------------------
Description: For some e1000 hardware, messages like the one listed above might appear in the kernel log. This may also show up if e.g. eth0 is connected to a 1000MBit/s switchport while eth1 is connected to 100MBit/s only.
Workaround: If this message appears for just one interface, please make sure that this NIC is also connected to a 1000 MBit/s switchport.
Fix: Fixed in 7.300

ID08254 7.104 Using service 'Any' as traffic service breaks DNAT and SNAT rules
-------------------------------------------------------------------------------
Description: Adding DNAT/SNAT rules with service 'Any' will not work. When updating to 7.300 these rules will get disabled automatically.
Workaround: Please use one of the predefined service definitions or add a new one matching your target service.
Fix: Fixed in 7.300

ID07950 7.104 Changing link speed/mode does not take effect in bridge mode
--------------------------------------------------------------------------
Description: It is currently not possible to successfully change autonegotiation for a bridge interface.
Workaround: ---
Fix: Fixed in 7.200

ID07927 7.201 OSPF not working correctly in HA/Cluster environment
------------------------------------------------------------------
Description: The dynamic routing protocol OSPF does not work correctly on HA/Cluster systems because all nodes answer OSPF broadcasts. This will mess up routing tables.
Workaround: ---
Fix: Fixed in 7.200

ID07641 7.101 NIC autonegotiation not working in all cases
----------------------------------------------------------
Description: There are some reports that autonegotiation does not work on some systems, especially when connecting to DSL modems or routers. In most cases there are Intel NICs involved (e100/e1000).
Workaround: Try setting NIC speed in WebAdmin directly (Network->Interface->Hardware) or add a small switch in between. If the problem persists, please contact support with detailed hardware data.
Fix: Fixed in 7.501

ID07005 7.011 Middleware may mix up static DHCP mappings
--------------------------------------------------------
Description: Running DHCP server on more than one (e.g. two, eth0 and eth1) interfaces may cause problems when the IP of a static mapping from eth0's pool is changed to eth1's pool.
Workaround: Delete the mapping and create a new one.
Fix: Fixed in 7.300

ID06821 7.007 Combining DNAT and policy routing may not work in all cases
-------------------------------------------------------------------------
Description: If a DNAT rule is created combined with a policy route that uses the translated destination address as the destination match of the policy route, then it does not work.
Workaround: ---
Fix: Fixed in 7.200

ID06763 7.007 Problems with IPSec and DNAT on bridge interfaces
---------------------------------------------------------------
Description: When trying to use IPSec and DNAT on a bridge interface the IPSec packets will not get handled correctly. This means there is no option to configure an IPSec tunnel.
Workaround: ---
Fix: Fixed in 7.100

ID06732 7.007 Can not change PPPoE Daily Reconnect Time to 'never'
------------------------------------------------------------------
Description: When editing a PPPoE connection and setting the Daily Reconnect Time to 'never' the setting will not be saved correctly.
Workaround: ---
Fix: Fixed in 7.008

ID06692 7.006 Interface used in Dyndns settings can not be removed
------------------------------------------------------------------
Description: Once configured, the interface used for Dyndns can not be removed anymore.
Workaround: ---
Fix: Fixed in 7.008

ID06620 7.006 QoS rules are not applied to backup interface when using UFO
--------------------------------------------------------------------------
Description: When using Uplink failover (UFO) and QoS on the primary interface the QoS settings will not be applied to the backup interface in a failover case.
Workaround: ---
Fix: Fixed in 7.400

ID06339 7.004 SSL VPN route will be deleted after enabling a static route
-------------------------------------------------------------------------
Description: When using SSL VPN the route to an active client will be deleted when enabling a static route in WebAdmin.
Workaround: Reestablish the tunnel.
Fix: Fixed in 7.005

ID06106 7.003 Changing type of an interface will delete corresponding NAT/Masq rules
------------------------------------------------------------------------------------
Description: When changing the type of an interface all NAT/Masq rules bound to that interface will be deleted.
Workaround: Create them again.
Fix: Fixed in 7.100

ID05756 7.001 DHCP server may serve wrong IPs on VLANs
------------------------------------------------------
Description: When using multiple DHCP server instances on different VLANs it will serve IPs from the highest range first. These IPs will most probably not work for the other subnets.
Workaround: ---
Fix: Fixed in 7.004

ID05607 7.001 Link Aggregation on PCI-E interfaces at ASG425
------------------------------------------------------------
Description: Using Link Aggregation on the PCI-Express interfaces of an ASG 425 works, but does not increase the bandwidth.
Workaround: ---
Fix: ---

ID05555 7.000 No DynDNS update on UFO Uplink interface
------------------------------------------------------
Description: In case of an Uplink failover the DynDNS information may not be updated correctly.
Workaround: ---
Fix: ---

ID05495 7.000 Link Aggregation on 425 does not work correctly
-------------------------------------------------------------
Description: With ASG 425 units, Link Aggregation, configured on the Network >> Interfaces >> Link Aggregation tab in WebAdmin, does not work. Two interfaces of the same group, which are connected to two interfaces of the same group on the switch, get different aggregator IDs in the backend. Thus it is not possible to ping a Link Aggregation Group (LAG) interface on ASG 425.
Workaround: ---
Fix: Fixed in 7.001

Closed Issues - VPN
======================

ID11302 7.500 SSL VPN not starting correctly
--------------------------------------------
Description: In some cases the SSL VPN backend will not start up correctly. In most of these cases the problem is caused by some overlapping pool networks.
Workaround: Please check where the SSL VPN pool network is used and make sure it is only used for SSL VPN and not overlapping with any other pool network. If that does not help, please contact support for further assistance.
Fix: Fixed in 7.501

ID10708 7.403 VPN connections cannot be established on iPhone 3.0 using Cisco VPN client.
-----------------------------------------------------------------------------------------
Description: VPN connections using Cisco IPSec Client on an iPhone with firmware version 3.0 and later cannot be established. Certificates are rejected by the client. The following error message will appear: Could not validate the server certificate
Workaround: ---
Fix: Fixed in 7.500

ID10633 7.403 Conntrack failed error messages in ipsec.log
----------------------------------------------------------
Description: In some cases, there are 'conntrack failed with status: 2' error messages in the IPsec logfile. In most of the cases, this will not have any operational impact.
Workaround: ---
Fix: Fixed in 7.404

ID10355 7.402 Problem reinitializing tunnels after HA takeover
--------------------------------------------------------------
Description: Using IPsec VPN in an HA/Cluster environment may cause problems when more than one tunnel is reinitiated after an HA takeover has taken place.
Workaround: Restart IPsec subsystem, if possible.
Fix: Fixed in 7.403

ID10233 7.401 Regenerating the Signing CA might cause problems
--------------------------------------------------------------
Description: When regenerating the Signing CA used e.g. for VPN remote access, the common name (CN) is missing and thus the certificate is not usable. As a result, the CA is not able to sign new certificates.
Workaround: --- (recreate your Signing CA manually after applying the Up2Date which holds the fix, please)
Fix: Fixed in 7.403

ID10147 7.400 IPsec tunnels with remote network 'Any' will not work
-------------------------------------------------------------------
Description: Using the network 'Any' as remote subnet for passing all traffic to a VPN concentrator will not work.
Workaround: ---
Fix: Fixed in 7.402

ID10023 7.400 SHA256/SHA512 not working for IPsec tunnels
---------------------------------------------------------
Description: Using SHA256/SHA512 as hash algorithm for IPsec tunnels does not work correctly, no matter if used in phase 1 or 2. This problem does not affect any predefined IPsec policy. In case you only use predefined policies, IPsec should work as expected.
Workaround: ---
Fix: Fixed in 7.401

ID09376 7.302 IPsec VPN tunnel not coming up after takeover
-----------------------------------------------------------
Description: After a takeover in an active/passive High-Availability environment, a problem might show up when trying to reestablish VPN tunnels, which results in no tunnel being established.
Workaround: ---
Fix: Fixed in 7.402

ID09278 7.302 Klips error when transmitting lots of traffic through IPsec tunnel
--------------------------------------------------------------------------------
Description: On some installations, a klips error showed up when transmitting larger amounts of traffic through an IPsec tunnel. The problem only shows up sporadically and is not bound to certain size limits.
Workaround: ---
Fix: Fixed in 7.400

ID08349 7.200 L2TP connection terminates after 60 minutes
---------------------------------------------------------
Description: Most L2TP connections are terminated after 60 minutes by the VPN backend. This mainly happens when some control packets are lost between client and server.
Workaround: ---
Fix: Fixed in 7.301

ID08313 7.200 SSL VPN not working correctly in all cases
--------------------------------------------------------
Description: Having lots of network definitions in allowed networks for SSL VPN may cause problems. The problem depends on the sort order of the networks used in the configuration. In case network addresses are sorted in descending order the service may not start.
Workaround: Try sorting used networks in ascending order.
Fix: Fixed in 7.201

ID08248 7.104 ASC config file doesn't set IKE config mode correctly
-------------------------------------------------------------------
Description: When downloading an ASC configuration via End-User Portal with user setting "use static remote access IP" unset, the configuration misses an entry which leads to failing connections if the remote user is behind a NAT device.
Workaround: ---
Fix: Fixed in 7.300

ID07766 7.101 IPSec connection problems in HA/Cluster environments
------------------------------------------------------------------
Description: IPSec connections may become unusable when a slave node tries to contact a remote server over the IPSec tunnel. This may mess up IPSec SA tables.
Workaround: ---
Fix: Fixed in 7.200

ID07631 7.100 Problem showing logged in remote users after HA takeover
-----------------------------------------------------------------------
Description: SSL, L2TP and PPTP remote users are shown as logged in on the remote access status page after an HA takeover, even if the user is not connected.
Workaround: ---
Fix: Fixed in 7.500

ID07585 7.100 Problems when SSL VPN user logs in twice
-------------------------------------------------------
Description: When an SSL VPN user logs in twice from different workstations, the system plays ping-pong with both accounts, causing high load on the ASG.
Workaround: ---
Fix: Fixed in 7.200

ID07580 7.101 IPSec error: No space left on device
---------------------------------------------------
Description: In some cases the IPSec backend is not able to establish a tunnel and logs 'No space left on device', although there is enough free disk space. This is due to kernel space.
Workaround: A reboot fixes this at least temporarily.
Fix: Fixed in 7.200

ID07555 7.101 Problem with Site-to-Site VPN having a NAT router in between
--------------------------------------------------------------------------
Description: There is a possible problem when two ASGs have a Site-to-Site VPN tunnel with a router in between NATting/masquerading the IPSec packets. In this case the tunnel might not reestablish correctly once it has been down.
Workaround: Restart tunnel on both ends.
Fix: Fixed in 7.200

ID07091 7.011 L2TP packets may get lost on bridge interfaces
-------------------------------------------------------------
Description: Using L2TP on a bridge may cause loss of packets when the L2TP traffic gets masqueraded on ASG.
Workaround: ---
Fix: Fixed in 7.200

ID06920 7.009 SSL VPN renegotiates keys every hour
---------------------------------------------------
Description: The SSL VPN renegotiates its key every hour, which may cause a prompt for a new password depending on which authentication type is used.
Workaround: ---
Fix: Fixed in 7.010

ID06716 7.006 L2TP over IPsec offers wrong certificate
-------------------------------------------------------
Description: When using L2TP over IPsec, a wrong certificate is offered in the Enduser Portal, which prevents the user from establishing a valid connection.
Workaround: ---
Fix: Fixed in 7.008

ID06649 7.006 ASC may not connect correctly via NAT-Traversal
--------------------------------------------------------------
Description: When a Roadwarrior VPN Client wants to connect to the VPN Gateway through a NAT device, the connection cannot be established due to an issue with NAT Traversal. The logfile indicates this error with the following messages: INVALID_ID_INFORMATION and INVALID_MESSAGE_ID.
Workaround: Please define a virtual IP address inside the user definition.
Fix: Fixed in 7.400

ID06493 7.005 IPSec subsystem may crash when connecting to Lancom devices
--------------------------------------------------------------------------
Description: Pluto, the engine that controls Astaro VPN tunnels, crashes in certain situations when tunnels are made to Lancom VPN gateway products. The problem will show up if one side allows NAT-T (NAT-Traversal) while the other side does not.
Workaround: Disable or enable NAT-T on both endpoints.
Fix: Fixed in 7.008

ID06483 7.005 PPTP connection may stop passing traffic
-------------------------------------------------------
Description: The PPTP service has problems when reordering incoming packets. Once a PPTP connection is established, it may get interrupted by packets arriving in incorrect order at ASG.
Workaround: ---
Fix: Fixed in 7.010

ID06456 7.004 Deleting the default L2TP pool may cause problems
----------------------------------------------------------------
Description: All ASGs come with a default range of IP addresses assigned for Roadwarrior access, one each for L2TP, IPSec, SSL VPN and PPTP. This bug outlines an issue where the end user deletes the pre-assigned definition before activating L2TP, then tries to activate it using a new definition, which will not work because of a logical deadlock.
Workaround: Try using a backup where the initial definition is still present.
Fix: Fixed in 7.100

ID06439 7.004 SSL-VPN and Windows Vista does not work correctly
----------------------------------------------------------------
Description: SSL VPN in combination with Windows Vista works in general, but we experienced some scenarios/configurations where it does not work properly.
Workaround: ---
Fix: Fixed in 7.010

ID06321 7.004 Possible problem when restarting SSL VPN
-------------------------------------------------------
Description: In some cases there is a problem when restarting the SSL VPN service. This also showed up on many installations when updating to 7.004.
Workaround: Reboot the system.
Fix: Fixed in 7.005

ID06271 7.003 SSL VPN does not start with more than 30 network definitions
---------------------------------------------------------------------------
Description: SSL VPN works fine as long as fewer than 30 network definitions are used. Adding more will cause a failure when starting the SSL VPN service.
Workaround: Either try to aggregate your networks into supernets or use 'Any' and restrict access via packet filter rules.
Fix: Fixed in 7.200

ID06222 7.003 IP rule for IPsec site-to-site remote network missing
--------------------------------------------------------------------
Description: In some cases the ip rule for an IPsec site-to-site remote network is missing.
In this case, the tunnel will be established correctly but no traffic will pass through.
Workaround: ---
Fix: Fixed in 7.004

ID06065 7.002 Pluto.pid not deleted after DSL reconnect
--------------------------------------------------------
Description: The IPsec daemon's pidfile will not be deleted after a DSL reconnect, which may cause the VPN tunnels to stay down.
Workaround: ---
Fix: Fixed in 7.003

ID05999 7.002 No IPsec traffic after PPPoE reconnect
-----------------------------------------------------
Description: After PPPoE reconnect the ipsec0 interface may have a mac-address of 0-0-0-0-0-0-0-0-0-0-0-0-0 and no more traffic passes the tunnel.
Workaround: ---
Fix: Fixed in 7.003

ID05965 7.002 IPSec tunnels over DSL interface missing after reboot
--------------------------------------------------------------------
Description: On installations configured with a PPPoE interface (usually found in some types of ADSL Internet connections), a reboot of the system may cause the IPSec interface used by the Astaro in building VPN tunnels to become ready before the corresponding DSL interface has been initialized. In this case no tunnel will be established.
Workaround: Reboot the machine again or try disabling/enabling all tunnels if possible.
Fix: Fixed in 7.008

ID05920 7.002 IPSec status view shows wrong status
---------------------------------------------------
Description: Under certain circumstances the IPSec status is wrong. This may occur, for example, if the VPN ID is a distinguished name.
Workaround: ---
Fix: Fixed in 7.003

ID05904 7.002 ASC config download for multiple local networks
--------------------------------------------------------------
Description: When building a Roadwarrior IPSec VPN, a local network for permissions must be defined. If multiple definitions are added to the local networks box, the ASC config will have errors and the download will not work.
Workaround: Review IPSec settings and use only one local network if possible.
Fix: Fixed in 7.008

ID05895 7.002 SSL VPN does not check user certificate
------------------------------------------------------
Description: Once a user has successfully authenticated via SSL VPN with his certificate, username and password, another user may get access just by providing a valid username and password. The certificate is not rechecked for the next user.
Workaround: ---
Fix: Fixed in 7.004

ID05790 7.001 SSL client package should install Windows service
----------------------------------------------------------------
Description: In order to be able to automatically start tunnels during system startup, the OpenVPN service should be added to the SSL client installation package.
Workaround: ---
Fix: Fixed in 7.004

ID05786 7.001 SHA-2 with 512 bit not compatible with NCP/ASC IPSec client
--------------------------------------------------------------------------
Description: The IPsec backend of ASG uses a wrong blocksize in the SHA-2 algorithm if 512 bit key length is selected. As a result, the ISAKMP SA cannot be established with SHA2-512 if an NCP client (ASC version 9) is used.
Workaround: Use SHA 256 bit.
Fix: Fixed in 7.008

ID05711 7.001 IPSec tunnels may not come up after DPD event
------------------------------------------------------------
Description: Dead Peer Detection (DPD) helps recover lost IPSec tunnels if the remote gateway has been down. In some cases tunnels (also multiple tunnels to an endpoint) may not come up after a DPD event and need a manual trigger.
Workaround: Disable and reenable the connection in WebAdmin.
Fix: Fixed in 7.008

ID05667 7.001 SSL VPN doesn't work with special characters in certificates
---------------------------------------------------------------------------
Description: The OpenVPN client config file holds the DN of the server, so that the server can be verified (this prevents man-in-the-middle attacks). For special characters, the encodings do not match.
Workaround: Replace all characters in the tls-remote line that are not part of ([A-Z,a-z,0-9], '_', '-', '.', '@', ':', '/', '=') by '_' symbols in the OpenVPN client config file (Program files\Astaro\Astaro SSL VPN Client\config\*.ovpn)
Fix: Fixed in 7.004

ID05666 7.001 Wrong status for added networks of an ipsec-tunnel and listview
-----------------------------------------------------------------------------
Description: Both yellow and green status icons are shown for IPSec-tunnels even though all tunnels are up and running.
Workaround: Ignore yellow status icons; "n of n SA established" is the information of relevance.
Fix: Fixed in 7.002

ID05572 7.000 PPTP shuts down if no user or group is set
---------------------------------------------------------
Description: If you want to enable PPTP Remote Access with Radius authentication only, WebAdmin disables the feature automatically if no user or group is selected.
Workaround: Add a user or group.
Fix: Fixed in 7.001

ID04533 7.000 L2TP doesn't work with IP addresses assigned via DHCP
--------------------------------------------------------------------
Description: Using L2TP with IP assignment via DHCP may not work correctly.
Workaround: Try enabling debugging in L2TP over IPSec.
Fix: Fixed in 7.300


Closed Issues - Web Security
===============================

ID12695 7.502 HTTP Proxy content filter does not work with new license model
-----------------------------------------------------------------------------
Description: Installations running with a new license will not filter HTTP Proxy traffic correctly. Although the proxy is starting up, the content filtering will remain inactive.
Workaround: ---
Fix: Fixed in 7.503

ID12466 7.502 HTTP Proxy may not recognize new eDir users logging in
---------------------------------------------------------------------
Description: In some cases the HTTP Proxy may not recognize eDirectory users logging in for up to 5 minutes.
Workaround: ---
Fix: Fixed in 7.504

ID11660 7.501 Directory listing for FTP folder over HTTP proxy is empty
------------------------------------------------------------------------
Description: Directory listing for FTP folder over HTTP proxy is empty if files contain special file flags.
Workaround: ---
Fix: Fixed in 7.504

ID11453 7.500 Virus pattern updates may conflict with HTTP Proxy
-----------------------------------------------------------------
Description: In some cases a reload of the HTTP Proxy is required after updating the virus pattern. Rarely this action can cause a conflict and result in a complete restart of the Proxy, which in turn could impact websurfing for up to some minutes depending on system speed and features used. This ID is about reducing reloads and restarts to a bare minimum and making sure to avoid all known conflicts.
Workaround: Suggested temporary workaround to reduce occurrences related to AV pattern updates is to increase the Management->Up2date->Configuration Pattern download/installation interval from 15 minutes to a higher value.
Fix: Fixed in 7.504

ID11257 7.405 Auto packetfilter rules missing for special traffic in HTTP Proxy
-------------------------------------------------------------------------------
Description: Hosts and networks which have been added to "Transparent mode skiplist" and/or "Allow HTTP traffic for listed hosts/nets" within HTTP Proxy configuration will not get auto packetfilter rules which actually allow the traffic. Thus, these hosts/networks cannot bypass the Proxy automatically.
Workaround: Add rules manually if possible.
Fix: Fixed in 7.501

ID10441 7.402 HTTP block action not working in all cases
---------------------------------------------------------
Description: In case of a missing or expired WebSubscription, the block-filteraction of the HTTP Proxy is no longer working as a default or fallback option.
Workaround: ---
Fix: Fixed in 7.403

ID10361 7.401 File Extensions missing from Filter Action page
--------------------------------------------------------------
Description: In WebAdmin the File Extension filter lists are not shown completely at the Filter Action page unless you hit the Edit button. All the extensions listed in the edit-view will also be blocked by the Proxy.
Workaround: Click edit to see all extensions.
Fix: Fixed in 7.403

ID10189 7.401 Usergroups with umlauts are not working in HTTP Proxy profiles
-----------------------------------------------------------------------------
Description: Using special characters like umlauts will not work with usergroups when using them in HTTP Proxy Profiles.
Workaround: ---
Fix: Fixed in 7.402

ID10095 7.400 Problem with HTTP Parent Proxy and SSL connections
-----------------------------------------------------------------
Description: Using an HTTP Parent Proxy will not work for HTTPS/SSL connections without using HTTPS scanning. This means all HTTPS connections handled by the proxy would need either SSL scanning or bypass the proxy.
Workaround: Enable HTTPS scanning if possible. Bypassing the HTTP Proxy for HTTPS traffic is also an option.
Fix: Fixed in 7.401

ID10034 7.400 HTTP Proxy AV scanner will skip some content types
------------------------------------------------------------------
Description: For installations updating to 7.400 or importing a pre 7.400 configuration the HTTP Proxy will not scan all content types available for viruses. This behaviour can not be changed via WebAdmin.
Workaround: ---
Fix: Fixed in 7.401

ID10032 7.400 Cluster slave is not able to authenticate AD SSO users
---------------------------------------------------------------------
Description: Running HTTP Proxy with Active Directory Single Sign-On authentication in an active/active HA/Cluster environment will cause problems when a slave node tries to authenticate users directly.
This results in authentication only partly working.
Workaround: ---
Fix: Fixed in 7.401

ID10015 7.400 Active content removal not working correctly
-----------------------------------------------------------
Description: The HTTP Proxy feature for removing embedded objects like ActiveX, Java or Flash will not show any effect and thus will not filter the active objects in most cases.
Workaround: ---
Fix: Fixed in 7.403

ID09914 7.305 HTTP Proxy erroneously sets keepalive for some requests
----------------------------------------------------------------------
Description: For requests without content length the HTTP Proxy uses keepalive, which may lead to long delays for some websites to load completely.
Workaround: Whitelist those sites if possible.
Fix: Fixed in 7.400

ID09319 7.303 eDirectory authentication stops working after some time
-----------------------------------------------------------------------
Description: When surfing the web via HTTP Proxy with eDirectory SSO enabled, successful authentication will stop after a while. This is due to an internal counter reaching a certain limit.
Workaround: Restart HTTP Proxy or call support.
Fix: Fixed in 7.304

ID09318 7.303 Authentication pop-up window not showing for HTTP Proxy
----------------------------------------------------------------------
Description: When surfing the web via HTTP Proxy with eDirectory SSO enabled, the authentication pop-up will not show if the SSO auth-request was not successful. This means there is no other option to enter credentials.
Workaround: Switch to basic auth profile using eDirectory in direct (LDAP) access mode for getting the pop-up.
Fix: Fixed in 7.304

ID08414 7.200 HTTP Proxy may expire cached objects even if expire time isn't reached
-------------------------------------------------------------------------------------
Description: In some cases the HTTP Proxy may expire objects from the cache before the cache lifetime expires.
Workaround: ---
Fix: Fixed in 7.300

ID08361 7.200 HTTP Proxy not working for VLANs on top of a bridge
------------------------------------------------------------------
Description: Using a setup with some bridged interfaces and configuring VLANs on top of that will cause trouble when trying to enable a transparent HTTP Proxy, as the packets will not get routed correctly in the backend. As a result, this setup does not work.
Workaround: ---
Fix: Fixed in 7.502

ID08336 7.200 HTTP Proxy misbehaviour when reloading configuration
-------------------------------------------------------------------
Description: In some cases HTTP Proxy may run into an error when reloading the configuration. Once this happens the proxy may either die and get restarted via selfmonitor or hang and consume RAM and CPU resources.
Workaround: Restart HTTP Proxy.
Fix: Fixed in 7.201

ID08184 7.104 Cache for HTTP Proxy AD SSO not updating sometimes
-----------------------------------------------------------------
Description: The cache database used for Active Directory Single Sign-On in HTTP Proxy may not be updated correctly every time, resulting in outdated information being provided to the authentication module of HTTP Proxy.
Workaround: ---
Fix: Fixed in 7.301

ID08147 7.104 FTP file downloads stop at 2GB
---------------------------------------------
Description: FTP Proxy cannot handle files larger than 2GB correctly.
Workaround: ---
Fix: Fixed in 7.300

ID08070 7.104 Web Security reporting shows large numbers
---------------------------------------------------------
Description: Web Security reporting calculates the amount of traffic by using the filesize information provided by the webservers. In some cases, the webservers report unrealistic numbers (ranging above 10GB per file), which messes up the reporting.
Workaround: ---
Fix: Fixed in 7.200

ID07717 7.101 Problem with colon in local user password
--------------------------------------------------------
Description: Having local users with a colon in their password may cause problems when using HTTP Proxy.
Workaround: Change password.
Fix: Fixed in 7.302

ID07569 7.101 Unresolved HTTP parent proxy kills the backend system
--------------------------------------------------------------------
Description: In ASG v7.100 and v7.101, using a DNS host object in WebSecurity->HTTP->Advanced->HTTPParentProxy->Host can kill the backend system if the hostname cannot be resolved. This may lead to unstable network connectivity.
Workaround: Until the release of ASG v7.102, only use plain "Host" objects in WebSecurity->HTTP->Advanced->HTTPParentProxy->Host, explicitly specifying the IP address.
Fix: Fixed in 7.102

ID07455 7.100 Adobe Download Manager may fail to download pdf files
--------------------------------------------------------------------
Description: Downloading pdfs using HTTP Proxy and Adobe Download Manager may fail in certain cases.
Workaround: ---
Fix: Fixed in 7.101

ID07445 7.100 Kaspersky Antivirus blocks HTTPS through proxy
-------------------------------------------------------------
Description: When using Kaspersky antivirus on a client, surfing the web via HTTP Proxy may not work in all cases.
Workaround: ---
Fix: Fixed in 7.101

ID06874 7.008 HTTP Proxy authentication exceptions not working correctly
-------------------------------------------------------------------------
Description: The option for skipping authentication in HTTP Proxy (Exceptions) is not working as intended.
Workaround: ---
Fix: Fixed in 7.010

ID06867 7.008 HTTP Proxy profiles not assigning correctly
----------------------------------------------------------
Description: The HTTP Proxy profiles may not assign all authentication methods correctly, which will result in profiles having too many authentication dependencies.
Thus for most profiles authentication seems to stop working completely.
Workaround: ---
Fix: Fixed in 7.009

ID06862 7.008 New HTTP exceptions not matching substrings
----------------------------------------------------------
Description: Up to version 7.007, the 'Target Domains' match in the 'Exceptions' tab of the HTTP Proxy was a pure substring match against the domain part of URLs. For example, an entry of 'astaro.com' would match all domains (including subdomains and hostnames) containing 'astaro.com'. This has been changed in 7.008 to exact (sub)domain names by use of regular expressions. Unfortunately this also causes some existing expressions to no longer work because they now require an exact match - so the entry "astaro.com" only matches the domain 'astaro.com' but not 'www.astaro.com'.
Workaround: This can be corrected by using regular-expression style wildcarding, in this case '.*astaro\.com' would achieve the desired effect; however it requires manual adaptation of each entry.
Fix: Fixed in 7.009

ID06859 7.008 Downloads via HTTP Proxy do not work with Internet Explorer
--------------------------------------------------------------------------
Description: When trying to download a file via HTTP Proxy with Microsoft Internet Explorer 6 or 7, the download manager page does not refresh automatically and the download is not shown as finished after scanning succeeded. Mozilla based browsers are not affected.
Workaround: --- (use Firefox if available)
Fix: Fixed in 7.009

ID06656 7.006 Possible problem after updating Antivirus pattern
----------------------------------------------------------------
Description: In some cases the HTTP Proxy is not able to initialize the latest antivirus pattern. This may lead to restarts of the HTTP Proxy by the selfmonitor. The Proxy logfile will show lines containing the following message: 'Failed to initialize virus database'.
Workaround: Contact support or try downloading latest pattern manually.
Fix: Fixed in 7.100

ID06618 7.005 HTTP Proxy closes sessions after response
--------------------------------------------------------
Description: The HTTP Proxy announces the possibility to use keepalive for HTTP sessions but closes the connection after a request has been answered successfully. This may cause trouble e.g. for Windows Media Player.
Workaround: ---
Fix: Fixed in 7.008

ID06616 7.005 Missing Contentfilter categories in WebAdmin
-----------------------------------------------------------
Description: After importing a v6 Backup into version 7, the content filter categories are missing in rare cases.
Workaround: Please contact Astaro Support
Fix: Fixed in 7.102

ID06510 7.005 Up and down arrows don't work correctly in HTTP Profiles
-----------------------------------------------------------------------
Description: When trying to move down a filter assignment in Web Security->HTTP Profiles it will always jump to the last position in the profile. This also happens when trying to move it to the top. Also, all assignments in the profiles are set to "1" and not numbered consecutively.
Workaround: ---
Fix: Fixed in 7.008

ID06375 7.004 Contentfilter whitelist does not use regular expressions
-----------------------------------------------------------------------
Description: When using whitelists or exceptions in HTTP Proxy, regular expressions will not work everywhere in the same way. Basically, regular expressions should be used everywhere.
Workaround: ---
Fix: Fixed in 7.008

ID06281 7.003 NTLM doesn't work with IE7 and Windows Vista
-----------------------------------------------------------
Description: Active Directory Single-Sign-On (SSO) does not work for clients running IE7 under Windows Vista because NTLMv1 auth is not supported in this combination. This issue will be fixed in ASG version 7.100.
Workaround: There is no workaround, except for using a different browser (e.g. Firefox).
Fix: Fixed in 7.100

ID06178 7.003 Whitelisting does not work under certain circumstances
---------------------------------------------------------------------
Description: By adding a profile to a user that should be allowed to surf a website and to a surf-protection-category, the user is only able to reach the website OR the surf protection category but not both as defined.
Workaround: ---
Fix: Fixed in 7.100

ID06103 7.002 Empty Source network breaks HTTP proxy profile config
--------------------------------------------------------------------
Description: When creating an HTTP profile the source network setting is optional and may break the configuration if not specified.
Workaround: Select a valid source network.
Fix: Fixed in 7.004

ID06102 7.002 .com websites are blocked by file extension scanner
------------------------------------------------------------------
Description: The file extension scanner in HTTP Proxy will block websites ending with .com if the extension .com is listed for blocking.
Workaround: Remove .com from file extension scanner.
Fix: Fixed in 7.100

ID06100 7.002 Streaming downloads aren't aborted on client disconnect
----------------------------------------------------------------------
Description: When a client starts an HTTP stream download and disconnects/resets the connection, the HTTP Proxy will continue downloading the stream.
Workaround: ---
Fix: Fixed in 7.005

ID06021 7.002 Downloads are not aborted when a user closes the downloader page
-------------------------------------------------------------------------------
Description: Downloads interrupted by the user will not be aborted by the HTTP proxy until the download is finished.
Workaround: ---
Fix: Fixed in 7.003

ID06011 7.002 Canceled downloads are not deleted by the HTTP proxy
-------------------------------------------------------------------
Description: Deferred downloads that aren't downloaded by the users will not be deleted and gradually fill up the storage.
Workaround: A reboot will delete all temporary files.
Fix: Fixed in 7.003

ID05997 7.002 Users may use HTTP Proxy even if not explicitly allowed
----------------------------------------------------------------------
Description: When using the default HTTP profile of Web Security in combination with authentication, the system will still allow access for users, even if the user/group is not in the allowed users list. This only happens if the user has successfully authenticated himself. A failed authentication will lead to a blocked page.
Workaround: Set the http default profile to standard mode. Go to the menu item 'Web Security > HTTP Profiles' and create a new 'filter action' with the name 'block all', the type 'block everything ...', leave the rest empty/unchecked and click save. Then create a new 'filter assignment' with the name 'allowed users', add the user/groups that should have access, set the 'filter action' to 'Default Filter Action' and click save. Afterwards create a new 'proxy profile', select the allowed network, check the box at 'allowed users' in the 'filter assignments', select 'block all' as the 'Fallback action', define your preferred authentication mode and click save. This should solve the issue.
Fix: Fixed in 7.400

ID05951 7.000 Cache size for HTTP Proxy (squid) too small
----------------------------------------------------------
Description: The cache size for squid is calculated very conservatively. Although the cache size depends on the disk size, it is very low even on larger disks.
Workaround: ---
Fix: Fixed in 7.004

ID05889 7.002 Content blocked page showing up twice
----------------------------------------------------
Description: When using file extension blocking, the content of the content blocked page (shown when HTTP Proxy blocks a URL) is displayed twice.
Workaround: ---
Fix: Fixed in 7.005

ID05864 7.002 HTTP Proxy is restarted by selfmon very often
------------------------------------------------------------
Description: There seems to be a memory corruption problem within the HTTP Proxy daemon showing up in rare scenarios only. In this case the Selfmonitor will restart the proxy quite frequently.
Workaround: ---
Fix: Fixed in 7.008

ID05801 7.001 Authentication exceptions per domain do not work
---------------------------------------------------------------
Description: Using the HTTP proxy, exceptions with regard to user authentication per domain do not work correctly. Clients are still prompted for credentials even if the domain is configured to be exempt from user authentication. This will cause automatic Windows updates to fail in any environment requiring user authentication.
Workaround: ---
Fix: Fixed in 7.003

ID05780 7.001 Missing download progress due to unknown content length information
----------------------------------------------------------------------------------
Description: If the content length is unknown to the client, download progress information shown on the HTTP proxy download page is missing.
Workaround: ---
Fix: Fixed in 7.003

ID05683 7.001 File extension filter blocks file after complete download
------------------------------------------------------------------------
Description: Files having an extension supposed to be blocked are downloaded nonetheless before the user who requests the file is shown the Astaro block message.
Workaround: ---
Fix: Fixed in 7.002

ID05652 7.001 Using Internet Explorer, the HTTP proxy fails to display a web page that requires a POST request
----------------------------------------------------------------------------------------------------------------
Description: Internet Explorer adds an extra CRLF character to a POST request that is sent to an HTTP 1.1 server, causing the HTTP proxy to fail to deliver the page.
For more information, see Microsoft Knowledgebase (http://support.microsoft.com/kb/823099).
Workaround: Use an alternative browser (e.g., Firefox 2).
Fix: Fixed in 7.003

ID05651 7.001 Whitelist mode in HTTP Proxy Profiles not working
----------------------------------------------------------------
Description: The Filter Action mode 'block everything except the selection below' configured on the Web Security >> HTTP Profiles >> Filter Actions tab in WebAdmin does not work even though the profile matches. The user can access every web site, not just the ones allowed.
Workaround: ---
Fix: Fixed in 7.002

ID05609 7.001 HTTP Proxy allocates a lot of memory
---------------------------------------------------
Description: When downloading a file that has a size larger than the max scanning size, the HTTP Proxy downloads the complete file to memory, and delivers it to the client. When the client download is aborted before it has been finished or the internet uplink is faster than the client link speed the proxy does not free the memory used for downloading the body.
Workaround: ---
Fix: Fixed in 7.003

ID05565 7.000 HTTP proxy download manager stops refreshing
-----------------------------------------------------------
Description: Multiple simultaneous downloads in one browser stall the download manager's progress bar for each download. This is due to certain browser limitations in terms of concurrent connections.
Workaround: Press the browser's reload button manually to refresh the progress bar display.
Fix: Fixed in 7.100

ID05451 7.000 File extension filter blocks file only after download is complete
--------------------------------------------------------------------------------
Description: Files having an extension supposed to be blocked are downloaded nonetheless before the user who requests the file is shown the Astaro block message.
Workaround: ---
Fix: Fixed in 7.002

Closed Issues - Various
==========================

ID12596 7.502 AMG/AWG backup import to ASG not possible
--------------------------------------------------------
Description: It is not possible to import backups from a Web or Mail Appliance (AWG, AMG) into an Astaro Security Gateway.
Workaround: Please contact support.
Fix: Fixed in 7.504

ID12176 7.502 PPTP routing is broken if PPTP pool is part of the internal network
----------------------------------------------------------------------------------
Description: PPTP routing is broken if the PPTP pool is overlapping with the internal network, e.g. 192.168.0.0/16 is used for LAN and 192.168.1.0/24 for RA. Remote connections will be unable to communicate with these overlapping networks. Traffic between non-overlapping subnets is not affected.
Workaround:
  a) Set up a Masquerading rule, so connections from remote clients will be NAT'ed to the LAN ASG address and there is no direct connection anymore between LAN and Remote Access.
  b) Don't use overlapping subnets for Remote Access and LAN, e.g. use 192.168.0.0/24 for LAN and 192.168.1.0/24 for RA instead of 192.168.0.0/16 LAN and 192.168.1.0/24 for RA.
  c) Contact support to install a pre-rpm.
Fix: Fixed in 7.504

ID11987 7.502 Can't dissolve bridge or remove bridge ports
-----------------------------------------------------------
Description: Removing a bridge completely does not work as expected.
Workaround: ---
Fix: Fixed in 7.504

ID11871 7.501 IPS logging can cause root partition fillup
----------------------------------------------------------
Description: The IPS log files will be written to an incorrect directory causing the root disk partition to be filled up to maximum capacity.
Workaround: Please contact Astaro Support to clear the root disk partition.
Fix: Fixed in 7.504

ID11837 7.501 Prefetch of an AD user fails if the mail address is case-sensitive
---------------------------------------------------------------------------------
Description: When using Active Directory back-end authentication with the ASG, user objects will not automatically get created, because there is an email address case mismatch associated with the AD user account.
Workaround: Review all email addresses associated with the Active Directory user account and ensure that all email addresses are in the same case.
Fix: Fixed in 7.504

ID11807 7.501 MIME blocking inspects HTTP body not working
-----------------------------------------------------------
Description: Files with a renamed file extension are not identified. MIME blocking inspects HTTP body is not working.
Workaround: ---
Fix: Fixed in 7.504

ID11760 7.501 Reporting Exceptions missing from AWG and AMG Appliances
-----------------------------------------------------------------------
Description: This does not break anything major in the Astaro; traffic will still pass without issue. This just affects the ability to add exceptions for reporting output. The Exceptions tab is missing from Reporting->Settings.
Workaround: ---
Fix: Fixed in 7.504

ID11753 7.501 Incoming mails with inline PGP encryption can cause problems
---------------------------------------------------------------------------
Description: In some cases PGP inline encrypted mails can raise the CPU usage up to 100%. If this problem occurs the process /bin/emailenc will be visible in the top list and the mail will not be delivered.
Workaround: ---
Fix: Fixed in 7.502

ID11620 7.501 DNS resolution problem through SSL VPN connection
----------------------------------------------------------------
Description: Sometimes the DNS resolution of internal clients does not work, although internal DNS servers are defined in the remote access settings. To fix this you have to execute ipconfig /registerdns on the client machine.
Workaround: ---
Fix: Fixed in 7.502

ID11544 7.501 Default gateway will not be set with SSL VPN client 1.5
----------------------------------------------------------------------
Description: After updating to 7.500 the SSL VPN client will not add a default route if network "Any" (0.0.0.0) is in use.
Workaround: ---
Fix: Fixed in 7.502

ID11532 7.501 Handling of encrypted zip files is inconsistent
--------------------------------------------------------------
Description: Handling of encrypted zip files is not consistent between the HTTP and SMTP proxies. This applies not only when configuring, but also when actually scanning the content. I.e. an eicar test-virus will not be detected as unscannable and get passed through in some cases.
Workaround: ---
Fix: Fixed in 7.502

ID11524 7.500 Wrong aua connection count for transparent proxy
---------------------------------------------------------------
Description: Proxy is showing error message "Max number of AUA connections reached" when transparent authentication mode is enabled.
Workaround: Please contact support.
Fix: Fixed in 7.502

ID11505 7.500 Special words with different meanings may be blocked by content-filter
-------------------------------------------------------------------------------------
Description: The content-filter doesn't provide a semantic parser, so false classifications of special words with different meanings can't be prevented. For example:
  Stosunek pracy (pl.) = employer-employee relationship (engl.)
  Stosunek (pl.) = coitus (sexual)
Workaround: Add a whitelist/exception entry for this.
Fix: ---

ID11425 7.500 Classic base licenses no longer allow basic SMTP usage
----------------------------------------------------------------------
Description: Using basic SMTP features with a classic license and no Mail Subscription will not work correctly.
Workaround: ---
Fix: Fixed in 7.504

ID11420 7.403 Cannot log archive to windows share when windows password contains a percent sign (%).
-----------------------------------------------------------------------------------------------------
Description: Remote archive logging fails to copy to Windows shares when the authentication password contains a percent sign (%).
Workaround: Set another Windows password that doesn't contain the percent sign (%).
Fix: Fixed in 7.504

ID11411 7.500 File downloads via ftphelper may be corrupt
----------------------------------------------------------
Description: Random file downloads via FTP using the HTTP Proxy can get corrupt. This is mainly seen when using Filezilla as a client.
Workaround: ---
Fix: Fixed in 7.502

ID11407 7.500 For inline PGP encrypted emails only the attachment is decrypted
-------------------------------------------------------------------------------
Description: For PGP inline encrypted emails only the attachments are decrypted after receiving, but the body of the mail will remain encrypted.
Workaround: ---
Fix: Fixed in 7.502

ID11379 7.500 Missing fields for WebAdmin settings
---------------------------------------------------
Description: After updating to 7.500 the allowed networks, allowed administrators and allowed auditors fields are no longer visible in WebAdmin.
Workaround: Please contact our support team
Fix: Fixed in 7.502

ID11359 7.500 SMTP proxy is not usable anymore if no mail subscription is installed
------------------------------------------------------------------------------------
Description: It is not possible to configure the tabs Routing, Exceptions, Relaying and Advanced within Mail Security without a Mail Security Subscription.
Workaround: Please contact our support team.
Fix: Fixed in 7.501

ID11299 7.500 Unreachable Astaro news feed might break the dashboard
---------------------------------------------------------------------
Description: In case the Astaro news feed is not reachable, the dashboard might not show up properly. Instead you'll find a grey page reading 'undefined'.
In some cases, this issue might also prevent users from logging in to WebAdmin when trying to load/cache objects.
Workaround: Make sure Internet access is available.
Fix: Fixed in 7.501

ID11236 7.405 Bridge setup without an IP is not working
--------------------------------------------------------
Description: Bridging does not work when no IP is assigned. This can be done when not using a convert interface and not assigning any standard or VLAN interface after creating the bridge. In this case hosts behind the bridge will not be reachable.
Workaround: ---
Fix: Fixed in 7.502

ID11235 7.404 "ICMP Fragmentation needed" packets are not handled correctly when using Multipath
-------------------------------------------------------------------------------------------------
Description: "ICMP Fragmentation needed" packets are not handled correctly when using Multipath. This can cause some connections (e.g. HTTPS) to fail.
Workaround: Contact Astaro Technical Support
Fix: Fixed in 7.504

ID11129 7.404 Accounting information in executive report incorrect
-------------------------------------------------------------------
Description: The accounting logs each transfer with its beginning timestamp, but in case the transfer crosses midnight, the transfer is written to the database the next day (or several days later, in case of very long standing connections). So it could happen that the transfer is listed in the daily executive report one (or more) days after the transfer is started.
Workaround: ---
Fix: ---

ID11070 7.404 All CA's listed in CA authorities will be added as signature
--------------------------------------------------------------------------
Description: In some cases the signature of an outgoing email could have a size of some kilobytes. This is caused by adding all known CA authorities to the email by default.
Workaround: Add only the CA's to the list which are really needed.
Fix: Fixed in 7.502

ID10909 7.403 Middleware problem after restarting the service
--------------------------------------------------------------
Description: In some cases, Middleware is not able to start up completely and writes the following error message to /tmp/mdwdebug.log: 'MLDBM error: Second level tie failed, "File exists" at /PerlApp/Astaro'. This is caused by an incorrect file cleanup/access.
Workaround: ---
Fix: Fixed in 7.501

ID10808 7.403 After update to version 7.403 the remote access menu item is missing
-----------------------------------------------------------------------------------
Description: After update to version 7.403 on an AMG system, the remote access menu item is missing.
Workaround: Contact Astaro Technical Support
Fix: Fixed in 7.500

ID10426 Importing license via wizard may not work correctly
-------------------------------------------------------------
Description: In some cases a race condition will prevent a license from being properly imported when using the setup wizard.
Workaround: Please import the license after finishing the wizard via Management->Licensing.
Fix: Fixed in 7.403

ID10425 7.401 Slave stuck in status UP2DATE and update was not started on slave
--------------------------------------------------------------------------------
Description: Under certain circumstances, the update process auisys.pl cannot be started due to another running instance. This is indicated by the following line in the update logfile:
  auisys[]: Another instance of this process is already running, exiting
Workaround: By entering the command 'ha_daemon -c up2date VERSION', where version is the next update to install, e.g. 7.402, the update process is triggered again.
Fix: Fixed in 7.500

ID10387 7.402 Webadmin AWG and ASG - Translation error in "Filteraktion" of http profiles
------------------------------------------------------------------------------------------
Description: After changing the WebAdmin language to German, HTTP profiles / filter actions show a wrong translation for the manual blacklist. The text is "Immer diese URLs/Seiten zulassen" for both blacklist and whitelist.
Workaround: ---
Fix: Fixed in 7.500

ID10375 7.402 IPSec local hosts/networks are missing in ASC-Configfile, if you add more than 5 hosts
-----------------------------------------------------------------------------------------------------
Description: If you define more than 5 IPsec local hosts/networks, some of them are missing in the Astaro Secure Client (IPsec) config file, which causes missing network routes on connect. The Astaro Secure Client supports up to 20 host/network entries in a config file, but the configuration the Astaro Gateway generates contains only 5 (the file you may download via the User Portal).
Workaround: If you can't wait for v7.500, you can manually edit the config file to contain up to 20 hosts/networks by simply adding the necessary entries by extending the current format.
Fix: Fixed in 7.500

ID10374 7.402 License expiry when BIOS clock resets
----------------------------------------------------
Description: When any event that drastically changes the date on the machine occurs, permanent licenses may be considered invalid and restrict users from logging into Webadmin. For instance, this can be caused by the BIOS clock being reset or an administrator setting the date back some years.
Workaround: ---
Fix: Fixed in 7.500

ID10360 7.402 Exception list can not be created for Share
----------------------------------------------------------
Description: Trying to create an exception list for P2P application Share will not succeed. The exception will not get created at all.
Workaround: ---
Fix: Fixed in 7.403

ID10337 7.401 DNS requests from Windows 2003 server to domain controller will be detected as trojan
--------------------------------------------------------------------------------------------------
Description: DNS requests from a Windows 2003 server to a domain controller will be detected as a trojan.
Workaround: Put the domain controller into an exception list to skip IPS.
Fix: ---

ID10221 7.401 SSL Site2Site VPN default route to remote site does not work
---------------------------------------------------------------------------
Description: When configuring SSL Site-to-Site VPN with one side acting as default gateway, you get "NOTE: unable to redirect default gateway -- Cannot read current default gateway from system" in the logfile and the default route will not be redirected.
Workaround: ---
Fix: Fixed in 7.500

ID10181 7.401 Wrong translation (English => German or French) in HTTP-Profiles >> FilterActions
------------------------------------------------------------------------------------------------
Description: After changing the global WebAdmin language to German or French and creating a new FilterAction in the HTTP-Profiles, 'Allow these URLs/sites' and 'Block these URLs/sites' are both translated as 'Immer diese URLs/Seiten zulassen' or 'Toujours autoriser ces URL/sites' respectively.
Workaround: The first checkbox below the categories is to permanently allow websites, the second one to permanently block websites.
Fix: Fixed in 7.500

ID10123 7.400 Dashboard view of RAM incorrectly labeled SWAP on Japanese webadmin
----------------------------------------------------------------------------------
Description: In the WebAdmin dashboard view, if the language selection is set to Japanese, the Swap and RAM values are swapped.
Workaround: None. The graphs are correct; just interpret the RAM graph as Swap.
Fix: Fixed in 7.500

ID10027 7.400 Network and service group definitions unordered after 7.400 up2date
----------------------------------------------------------------------------------
Description: When viewing network or service group definitions containing multiple objects the objects will appear unordered. The objects are ordered according to backend reference ID rather than alphabetically.
Workaround: None
Fix: Fixed in 7.500

ID09617 7.305 Problem authenticating users with umlauts via Active Directory
-----------------------------------------------------------------------------
Description: Usernames containing German umlauts can not be used in HTTP proxy profiles since the character set is not parsed correctly. All non-ASCII characters will be skipped, which leads to an "Authorization denied" failure.
Workaround: As the HTTP proxy does not convert any character set, only 7 bit ASCII characters work. Please change the affected username to 7 bit ASCII, e.g. "mueller" instead of "müller".
Fix: Fixed in 7.400

ID09120 7.301 System may boot up with factory defaults after power cycle
-------------------------------------------------------------------------
Description: There have been some reports about systems booting up with factory defaults after a power loss. There is a possible race condition when storing the configuration data which could cause this.
Workaround: ---
Fix: Fixed in 7.303

ID08875 7.300 Active Directory Browser makes no sense when groups should be used in HTTP-Proxy
-----------------------------------------------------------------------------------------------
Description: When creating a new AD backend group in Users->Groups with the help of the AD browser, the group will be taken with the complete CN-notation instead of just the first attribute of the DN.
Workaround: Either you enter the group name by yourself or you drag it into the groups field via AD browser and delete all but the group name. For example, CN=http_allow_all,OU=internetusers,OU=DE,DC=intranet,DC=local must be http_allow_all (without a trailing dot).
Fix: Fixed in 7.400

ID08635 7.201 Deactivating SIP support does not work correctly
---------------------------------------------------------------
Description: When disabling SIP support in WebAdmin, not all modules get unloaded properly in the backend.
Workaround: Reboot the box after deactivating SIP support.
Fix: Fixed in 7.300

ID08626 7.201 DHCP fails to start on state toggle in WebAdmin
--------------------------------------------------------------
Description: When toggling the state of the DHCP server in WebAdmin, in some cases the server might not start up properly.
Workaround: Please try again.
Fix: Fixed in 7.400

ID08469 7.201 Packetfilter log shows drops of local packets
------------------------------------------------------------
Description: When using IM/P2P detection there might be loglines in the packetfilter logs indicating localhost traffic (srcip and dstip is 127.0.0.1).
Workaround: Reboot the system or disable IM/P2P detection.
Fix: Fixed in 7.300

ID08366 7.200 Online Help and Manual for AWG may not work after installation
-----------------------------------------------------------------------------
Description: For AWG appliances, online help and manual may not be accessible right after installation.
Workaround: Make sure internet connection is working and automatic pattern updates are enabled.
Fix: Fixed in 7.201

ID08359 7.200 Readable eDirectory passwords in debugging mode
--------------------------------------------------------------
Description: When debugging, the bind user's password is printed in plain text to one of the debug logs.
Workaround: ---
Fix: Fixed in 7.300

ID08358 7.200 High memory usage for IM/P2P detection
-----------------------------------------------------
Description: Using IM/P2P detection will cause the backend to allocate a lot of memory which may slow down the whole system.
Workaround: ---
Fix: Fixed in 7.300

ID07900 7.103 VLAN sometimes fails on LAG devices
--------------------------------------------------
Description: Creating a VLAN Interface on the basis of a Link Aggregation group sometimes fails. The exact scenario of failing is yet unknown.
Workaround: Contact support if you have a failing setup.
Fix: Fixed in 7.402

ID07814 7.102 Middleware may slow down on some systems
-------------------------------------------------------
Description: On systems with heavy roadwarrior traffic the Middleware may slow down and allocate large amounts of memory.
Workaround: Restart system.
Fix: Fixed in 7.103

ID07260 7.011 System freezes on VMware ESX Server V3
-----------------------------------------------------
Description: Some installations running in VMware ESX Server 3.0 or 3.5 may freeze after a random time.
Workaround: ---
Fix: Fixed in 7.300

ID06911 7.009 Backend problem after importing a license
--------------------------------------------------------
Description: After importing a license, the backend system may not be restarted correctly. Connecting to WebAdmin will show a message like 'Please wait, connecting to backend ...'.
Workaround: Reboot the machine.
Fix: Fixed in 7.010

ID06903 7.009 Checkboxes for HTTP Proxy profiles not working with IE6
----------------------------------------------------------------------
Description: When editing HTTP Proxy profiles, the checkboxes for the filter assignments can not be selected when using Internet Explorer 6.
Workaround: Use another browser.
Fix: Fixed in 7.010

ID06687 7.006 Kernel freezes on ASG 110/120/220
------------------------------------------------
Description: For some small appliances (ASG 110/120/220) the system may freeze during normal operation. No network traffic is possible anymore, the screen (if attached) will remain black and also keyboard input is no longer possible. This may be caused by a problem within the ASG kernel.
Workaround: Reboot the machine.
Fix: Fixed in 7.200

ID06674 7.006 DynDNS may not update because of a missing packetfilter rule
---------------------------------------------------------------------------
Description: The DynDNS service will not be able to update the dynamic hostname after any interface configuration has been done via WebAdmin. This is because the automatic packetfilter rule allowing that specific traffic will be removed automatically after any successful interface parameter change.
Workaround: Either create a packetfilter rule allowing HTTP traffic from the DSL interface address to Any or reboot the machine.
Fix: Fixed in 7.007

ID06660 7.006 Search for IP addresses not working with many definitions
------------------------------------------------------------------------
Description: Having more than 51 definitions and searching for IP addresses in network definitions will not show any results.
Workaround: ---
Fix: Fixed in 7.007

ID06571 7.006 L2TP daemon will not be restarted automatically
--------------------------------------------------------------
Description: The L2TP daemon responsible for remote access will not be restarted automatically in case of an internal failure. The selfmonitoring is not checking all of the relevant processes.
Workaround: ---
Fix: Fixed in 7.008

ID06484 7.005 Sorting of policy routes not working correctly
-------------------------------------------------------------
Description: The sorting of policy routes introduced in 7.005 does not work for all cases, especially after editing routes.
Workaround: On most systems a reload of the routing page should show the correct order.
Fix: Fixed in 7.006

ID06473 7.005 Disabled End User Spam report enabled after editing custom text
------------------------------------------------------------------------------
Description: When editing the custom text for the Enduser Spam Report the feature is turned on automatically.
Workaround: Turn it off again if you don't need it.
Fix: Fixed in 7.006

ID06472 7.005 Middleware stops working with unresolved routing targets
-----------------------------------------------------------------------
Description: Middleware stops working when a static route has an unresolved DNS definition as target.
Workaround: Change route target to static host definition.
Fix: Fixed in 7.006

ID06469 7.005 Online help will not open when WebAdmin language is set to Japanese or Chinese
---------------------------------------------------------------------------------------------
Description: The online help will not open when WebAdmin language is set to Japanese or Chinese, which were supported from version 7.005 on. It gets stuck at the message "Please wait, connecting to backend".
Workaround: ---
Fix: Fixed in 7.006

ID06389 7.005 WebAdmin very slow when using many objects
---------------------------------------------------------
Description: With large amounts of definitions, such as many groups, hosts, or users that have been defined, the WebAdmin login can take a long time to process and as a result sometimes the session will timeout and/or repeated attempts to login are necessary.
Workaround: Astaro recommends to use Microsoft IE7 or Mozilla Firefox 2.
Fix: Fixed in 7.100

ID06342 7.004 Large HTTP blacklist may cause WebAdmin slowdown
---------------------------------------------------------------
Description: Having a large amount of HTTP blacklist entries may slow down WebAdmin extremely when trying to view the page.
Workaround: ---
Fix: Fixed in 7.005

ID06333 7.004 Drag-and-drop fails with Internet Explorer
---------------------------------------------------------
Description: There is a problem when using Internet Explorer for configuring via WebAdmin. When the scrollbar of the browser is scrolled to the bottom, drag-and-drop fails. The mouse pointer points to the location where you want to drop an object (e.g. network object), but the object itself hovers quite a bit above the mouse pointer position. In this situation it is not possible to drop the object.
Workaround: Move the dragged object bottom-up from the area you'd like to drop it until the area is highlighted or use another browser.
Fix: Fixed in 7.008

ID06325 7.004 NIC order mixed up on ASG 320
--------------------------------------------
Description: On some ASG320 systems the NIC order may have mixed up after installing Up2Date 7.004.
Workaround: Check cabling or contact Astaro Support.
Fix: Fixed in 7.005

ID06255 7.003 ASG 425 interface problem after Up2Date to version 7.003
-----------------------------------------------------------------------
Description: For some devices of ASG 425 series the interfaces were not correctly ordered after installing Up2Date 7.003.
Workaround: ---
Fix: Fixed in 7.004

ID06148 7.003 Empty hostname for DNS host causes system lockup
--------------------------------------------------------------
Description: When creating a DNS host definition and leaving the host field empty, the system may lock up.
Workaround: --- (do not try to reproduce)
Fix: Fixed in 7.004

ID06132 7.002 System allows interface routes without target interface
----------------------------------------------------------------------
Description: It is possible to create an interface route without selecting a target interface. This will result in a non-accessible routing page in WebAdmin.
Workaround: ---
Fix: Fixed in 7.005

ID06098 7.002 IP counting for licensing is too strict
------------------------------------------------------
Description: In some cases the IP counting also adds ARP requests to the licensed IPs which may result in a license usage false positive.
Workaround: ---
Fix: Fixed in 7.004

ID06094 7.002 MySQL may stop working after time change
-------------------------------------------------------
Description: When changing the time backwards MySQL may not work correctly afterwards. This will affect email handling (SMTP/POP3).
Workaround: Reboot the system.
Fix: Fixed in 7.004

ID05963 7.002 Timewarp shell script hangs on MiddleWare restart
----------------------------------------------------------------
Description: In case of a time warp effect (aimed at the past for more than 90 seconds), the MiddleWare may fail.
Workaround: ---
Fix: Fixed in 7.003

ID05956 7.002 Huge amount of SMTP domains will slow down WebAdmin
------------------------------------------------------------------
Description: When configuring a large amount of SMTP domains WebAdmin will slow down extremely. It also may not be possible to display the SMTP page at all.
Workaround: ---
Fix: Fixed in 7.005

ID05944 7.002 Wildcards in exception lists not allowed
-------------------------------------------------------
Description: Wildcards (using an asterisk *) in sender or recipient addresses in an exception list for HTTP, SMTP, and POP3 may not be working correctly.
Workaround: ---
Fix: Fixed in 7.003

ID05910 7.002 MiddleWare fails when Radius server is unresolved
----------------------------------------------------------------
Description: When using a DNS host definition as Radius server, the system's Middleware may stop working when this host definition is not resolvable.
Workaround: Use a static host definition for the Radius server.
Fix: Fixed in 7.003

ID05876 7.002 IPSec Roadwarrior Connection not counted in Dashboard view
-------------------------------------------------------------------------
Description: In the Remote Access view of the Dashboard the IPsec Roadwarriors are not counted.
Workaround: ---
Fix: Fixed in 7.004

ID05824 7.002 Possible parsing errors concerning SIP control packets
---------------------------------------------------------------------
Description: Due to a missing out-of-bounds check of the FROM line in a SIP control packet, a parsing error may occur, which in the worst case may bring the entire system down.
Workaround: ---
Fix: Fixed in 7.003

ID05796 7.001 Unable to expand the preview window in quarantine manager
------------------------------------------------------------------------
Description: It is not possible to expand the preview window in Quarantine Manager. The popup window you get after clicking on the preview button is too small.
Workaround: ---
Fix: Fixed in 7.005

ID05778 7.001 User objects not allowed as source/destination in DNAT/SNAT rules
--------------------------------------------------------------------------------
Description: When creating a DNAT or SNAT rule, you can not select a "User network" object to be used as NAT destination or source. Nevertheless the objects can be used for "traffic source" and "traffic destination" parameters.
Workaround: ---
Fix: Fixed in 7.008

ID05740 7.001 No space left on device due to too many tmpLFI* files
--------------------------------------------------------------------
Description: Temporary files that are not removed from the /opt/tmpfs/ directory may fill up the hard disk drive of the device, rendering WebAdmin inaccessible.
Workaround: Reboot Astaro Security Gateway, because /opt/tmpfs/ is deleted during startup.
Fix: Fixed in 7.002

ID05735 7.001 Wrong definition of the NTP service
--------------------------------------------------
Description: In WebAdmin->Definitions->Services NTP is defined as TCP.
Workaround: Edit it to your needs.
Fix: Fixed in 7.004

ID05732 7.001 Static Usergroups don't work in the Packetfilter
---------------------------------------------------------------
Description: Having standard usergroups in the Packetfilter ruleset will not work.
Workaround: Create rules for the user objects directly.
Fix: Fixed in 7.002

ID05716 7.001 Scalability of object tables in WebAdmin
-------------------------------------------------------
Description: Large object tables in WebAdmin (e.g., the list of network definitions) may take too long to be rendered in time, thus causing a repeating error message.
Workaround: Click OK whenever the error message occurs. Depending on the size of the object list, this might occur several times. A future version of WebAdmin will implement an alternative representation of object tables containing a larger number of objects.
Fix: Fixed in 7.003

ID05703 7.000 Enduser Portal shows 127.0.0.1 as login source IP
----------------------------------------------------------------
Description: After activating SSL VPN, users connecting to the Enduser Portal port will get redirected because of the port sharing of SSL VPN and Enduser Portal. To the Enduser Portal it appears that you are coming from localhost, although you are coming from somewhere else.
Workaround: ---
Fix: Fixed in 7.300

ID05682 7.001 Internet Explorer 7 (IE7) is incompatible with WebAdmin
--------------------------------------------------------------------
Description: Internet Explorer 7 (IE7) is partly incompatible with WebAdmin. Some options such as the HTTP Proxy Profiles cannot be configured correctly using IE7.
Workaround: Use Firefox 2 or Internet Explorer 6 to access WebAdmin.
Fix: Fixed in 7.002

ID05665 7.001 Broken rendering of WebAdmin tabs in QoS settings
----------------------------------------------------------------
Description: Having lots of interfaces will leave the QoS page unusable.
Workaround: ---
Fix: Fixed in 7.006

ID05660 7.001 HTTP Proxy Profiles sorting
------------------------------------------
Description: The sorting order of proxy profiles is broken. When an existing proxy profile is edited and the place of an item is changed to position n, it is always placed on position n-1. However, the positions 'Top' and 'Bottom' work correctly.
Workaround: ---
Fix: Fixed in 7.002

ID05631 7.001 Downloaded Up2Date package may not get unpacked
--------------------------------------------------------------
Description: Due to a race condition between the downloader and the installer, it might happen that an Up2Date package is successfully downloaded but not unpacked. Since only unpacked Up2Date packages are shown in WebAdmin as "ready to install", it is not possible to install the firmware update.
Workaround: ---
Fix: Fixed in 7.002

ID05592 7.000 Up2Date and Reporting may not work after installation
--------------------------------------------------------------------
Description: After initial setup, System and Pattern Up2Date as well as inline reporting and logfile rotation may not work correctly. This is due to a missing configuration detail in the backend system.
Workaround: Go to Management->System Settings->Shell Access and set a password for the root user at least. You do not need to turn on Shell Access at all. Astaro recommends leaving it disabled. If you need Shell Access, please make sure to restrict access to trusted hosts/networks only and use strong passwords.
Fix: Fixed in 7.001

ID05584 7.000 Spam threshold can not be switched off in SMTP profiles
----------------------------------------------------------------------
Description: In the per-domain profiles of the SMTP Proxy there is no option to switch off the spam thresholds at all.
Workaround: ---
Fix: Fixed in 7.005

ID05574 7.000 Additional interface menu may not be reachable
--------------------------------------------------------------
Description: After adding an additional interface to a primary and editing this primary interface, the configuration page of the additional interfaces does not load completely. In most cases you will see a grey page.
Workaround: ---
Fix: Fixed in 7.001

ID05474 7.000 No progressbar for UPS is shown in WebAdmin
----------------------------------------------------------
Description: When an Uninterruptible Power Supply (UPS) is connected to the ASG, the progress bar visible in the dashboard will not update.
Workaround: ---
Fix: Fixed in 7.400

ID05468 7.000 Definition dialog boxes with fixed width only
------------------------------------------------------------
Description: In some browsers, the definition dialog boxes in the left column do not show the horizontal scrollbar.
Workaround: Use appropriate definitions.
Fix: Fixed in 7.008

ID05404 RSA keys may be displayed incorrectly
-----------------------------------------------
Description: For a remote gateway, if an RSA key is imported as hexadecimal (0x) instead of base64 (0s), WebAdmin interprets the keys as a hex value and displays "Infinity" instead of the key. This may happen for some versions of the Firefox browser on Windows operating systems.
Workaround: Use a different browser/OS combination to access WebAdmin.
Fix: Fixed in 7.003

ID05264 7.000 Wrong inline report data for H323 and SIP connections
--------------------------------------------------------------------
Description: The VoIP inline reporting for SIP may not work correctly. For H323, some data may not match the actual number of connections.
Workaround: ---
Fix: Fixed in 7.000

ID05239 Some IM/P2P protocols won't be blocked
------------------------------------------------
Description: Some of the IM/P2P protocols will not be blocked correctly.
Workaround: ---
Fix: Fixed in 7.002

ID04920 Interfaces that are part of a LAG are not shown in dashboard
----------------------------------------------------------------------
Description: Interfaces which are part of a Link Aggregation group are shown as 'unused' in the dashboard.
Workaround: ---
Fix: Fixed in 7.001