# LIST OF KNOWN ISSUES FOR ASTARO SECURITY GATEWAY V8
# ====================================================
# The purpose of this list is to give you an overview of known issues and
# possible workarounds, as well as known problems in other software being
# used in connection with Astaro Security Gateway V8.
# The ID denotes the internal Astaro bugtracking ID and will be shown in
# the description of an Up2Date if the issue is fixed.
#
# We would appreciate it if you contributed to this list and gave us
# feedback in this respect.
# For further information please contact: knownissues@astaro.com
#
# Last edit (time is UTC):
# $Id: Known_Issues-ASG-V8.txt,v 1.54 2012/02/08 15:17:47 mantis Exp $
Open Issues - Email Security
========================================================================
ID17125 8.102 multipart/alternative mails with 'PGP Partitioned' get decrypted as PGP in text/html, and original HTML attached in PGPexch.htm
------------------------------------------------------------------------
Description: PGP Inline emails are decrypted successfully, but the email
arrives with a PGP block at the recipient.
Problem: The output after decryption consists of two different content
blocks:
1) The decrypted message in plain-text format.
2) A PGP block of the original message with content type text/html.
Workaround: Most email clients default to the "HTML" view, so the client
only shows the data of the content type text/html and you see the PGP
block. When you switch the email client's view to plain text, you can
see the decrypted message.
Fixed in:
Open Issues - Logging/Reporting
========================================================================
ID12084 8.000 VoIP (SIP) connection reporting
------------------------------------------------------------------------
Description: The number of VoIP (SIP) connections in the Executive
Report is too high due to a calculation error.
Workaround:
Fixed in:
Open Issues - Management
========================================================================
ID12207 8.000 NIC order may change when importing v7 backup
------------------------------------------------------------------------
Description: After importing a V7 backup, the network interfaces may be
sorted differently (e.g. eth0 and eth1 swapped). As a result, the
machine appears to be not responding at all.
This applies to software appliances ("beige boxes") only. Astaro
hardware appliances are not affected.
Workaround: Replug the network cables according to the new sort order.
Fixed in:
Open Issues - Various
========================================================================
ID20041 8.300 [Merge 17798 to axg8300] Download SSL-VPN Config of a user containing a space will result in cut off filename when using Firefox
------------------------------------------------------------------------
Description:
Workaround:
Fixed in:
ID19968 8.300 postgres causes high load
------------------------------------------------------------------------
Description: On some ASGs the postgres database may cause a high load.
Workaround: The default Web Security detail level (4) is not usable for
some installations. Please reduce the Web Security detail level to (0)
(WebAdmin: Reporting settings).
Fixed in:
ID19914 8.300 Can't select 2012 as custom time frame in Logging & Reporting >> View Log Files >> Search Log Files
------------------------------------------------------------------------
Description: In Logging & Reporting >> View Log Files >> Search Log
Files, it isn't possible to choose "2012" as the year for "Custom start
date" and "Custom end date". This only affects customers that installed
the Soft Release of 8.300; the GA Release is already fixed.
Workaround:
Fixed in: 8.301
ID19740 8.203 Downloads larger than the max. scanning size break if AntiVirus or Content Removal is enabled
------------------------------------------------------------------------
Description: With AntiVirus scanning or 'Active Content Removal'
features enabled, downloads larger than the configured 'Max scanning
size' are broken.
Workaround: Increase the 'Max scanning size' or create an exception
that disables AntiVirus and Content Removal for the affected sites.
Fixed in:
ID19729 8.202 DHCP Offer is not processed by the DHCP-Relay at the ASG
------------------------------------------------------------------------
Description: DHCP Offer messages are not processed by the DHCP relay
function when only one interface (the one leading to the client) is in
the interfaces list.
Workaround: Add the interface leading to the DHCP server to the
interfaces list of the DHCP relay.
Fixed in:
ID19714 8.202 Citrix ICA traffic is shown as unclassified at the flow monitor
------------------------------------------------------------------------
Description: Citrix ICA (TCP port 1494) is shown as "unclassified" at
the flow monitor.
Workaround: Disable "App Accuracy Program" at "Application Control >
Advanced".
Fixed in:
ID19632 8.202 AP stays inactive if there exists no Wireless Network
------------------------------------------------------------------------
Description: The AP stays inactive if no Wireless Network exists.
Workaround: Create a Wireless Network.
Fixed in:
ID19458 8.202 MIME type check: Pattern for DOS COM executables matches some Russian texts
------------------------------------------------------------------------
Description: MIME type check: The pattern for DOS COM executables
possibly matches some Russian texts, which then get quarantined.
Workaround: Create an exception for MIME type checks and the specific
host/network/sender/recipient.
Fixed in:
ID19305 8.202 Cisco VPN connection is no longer working with iPhone/iPad running iOS 5
------------------------------------------------------------------------
Description: In iOS 5 (both iPhone/iPad) Apple made some changes within
the Cisco IPsec connection handling.
"In iOS 5, the signing of certificates with MD5 signatures is not
supported. Please ensure that certificates use signature algorithms
based on SHA1 or SHA2."
Source: http://developer.apple.com/library/ios/#releasenotes/General/RN-iOSSDK-5_0/_index.html
In versions 7.000 to 7.401 all certificates were generated with the MD5
algorithm. Since 7.402 all certificates use the SHA1 algorithm.
Workaround: If you're still using older certificates with the MD5
algorithm you have to re-generate your Signing CA and the server
certificate you're using for Cisco VPN.
1) Re-generate your Signing CA (Remote Access / Certificate Management /
Advanced)
CAUTION: The device and all user certificates will be regenerated with
the new signing CA. This may break current Site-to-Site VPN and
Roadwarrior connections.
2) Create a new certificate for Cisco VPN (Remote Access / Certificate
Management / Certificates)
3) Choose this certificate in Remote Access / Cisco VPN Client / Global
4) Re-download / install the iOS Configuration File from the User Portal
on your iPhone/iPad
Fixed in:
ID19122 8.201 AppCtrl: Applications are not blocked if the applications are configured to use the httpproxy
------------------------------------------------------------------------
Description: Application Control: Applications are not blocked if the
applications are configured to use the httpproxy.
Workaround: Enable "Scan HTTPS (SSL) Traffic" for the httpproxy.
Fixed in:
ID19096 8.201 Not all traffic flows while using Remote Access IPsec with compression
------------------------------------------------------------------------
Description: Remote Access IPsec with compression is no longer supported
in Version 8 while using ASC Version 9.x.
Workaround: Please use the latest version of AIC 10.x or higher.
Fixed in:
ID19021 8.201 internal IPs used as static RAS-IPs are detected as IP-Spoofing
------------------------------------------------------------------------
Description: Internal IPs used as static VPN RAS IPs are detected as IP
spoofing.
Workaround: Don't use static VPN RAS IPs or disable IP spoofing
protection for the moment.
Fixed in:
ID19006 8.201 Internet Explorer still doesn't trust the WebAdmin certificate after importing the WebAdmin CA
------------------------------------------------------------------------
Description: After importing the WebAdmin CA into Internet Explorer it
is still not possible to open WebAdmin without a certificate warning.
It doesn't matter whether the CA is correctly imported and the hostname
in the certificate matches the WebAdmin site.
Workaround:
- Download the WebAdmin CA certificate as Base64
- Copy it to /var/sec/chroot-httpd/etc/httpd/WebAdminCertCA.pem
- Add the SSLCA... line in /var/sec/chroot-httpd/etc/httpd/vhost/httpd-webadmin.conf:
SSLEngine On
SSLCertificateFile /etc/httpd/WebAdminCert.pem
SSLCACertificateFile /etc/httpd/WebAdminCertCA.pem
SSLCertificateKeyFile /etc/httpd/WebAdminKey.pem
- Do the same for the following files:
httpd-webadmin.conf-default
httpd-portal.conf-default
(if the User Portal is activated, also in httpd-portal.conf)
- After that, run "/etc/init.d/httpd restart"
Fixed in:
ID18543 8.200 Remote Access: SSL VPN Graph no data
------------------------------------------------------------------------
Description: The 'SSL VPN Connections' graph at 'Logging & Reporting' >>
'Remote Access' >> 'Activity' shows no data.
Workaround: There is no workaround, the problem will be addressed in a
future release.
Fixed in:
ID17999 8.102 It's not possible to take over the Internet Explorer (8 & 9) proxy settings with the openvpn-gui client
------------------------------------------------------------------------
Description: It's not possible to take over the Internet Explorer proxy
settings with the openvpn-gui client. If you have configured the
OpenVPN SSL client to use the Internet Explorer proxy settings you will
always get an error message like "can't take over MSIE proxy settings".
Workaround:
Fixed in:
ID17798 8.102 Download SSL-VPN Config of a user containing a space will result in cut off filename when using Firefox
------------------------------------------------------------------------
Description: Downloading the SSL VPN config of a user whose name
contains a space results in a cut-off filename when using Firefox.
Workaround:
1. Rename sslvpn_conf__username to sslvpn_conf__username.zip to unzip
the config successfully.
or
2. Use another browser, for example Google Chrome, Opera or IE.
Fixed in: 8.105
ID17619 8.102 [OpenVPN] Special characters in username and/or password prevent authentication of SSL VPN users
------------------------------------------------------------------------
Description: There is an error called "TLS Auth Error: Auth
Username/Password verification failed for peer" while connecting with
SSL VPN and using a password containing special characters. The
connection to the gateway fails.
Workaround: It is not possible to use passwords containing special
characters with OpenVPN at the moment. Please restrict yourself to 7-bit
characters (ASCII), for example letters, numbers and an exclamation
mark. Please note that this applies to usernames as well.
Fixed in: 8.105
ID17603 8.102 Remote Access Reporting shows active sessions although there is no connection established
------------------------------------------------------------------------
Description: It can happen that the Remote Access Reporting shows active
sessions although no connection is established.
Workaround:
Fixed in:
ID16982 8.100 Remote Access reporting and PDF/CSV export is not working properly
------------------------------------------------------------------------
Description: When you try to export Remote Access reporting as a PDF or
CSV file, the file creation does not work properly and the customer is
not able to download the CSV/PDF files, or the information is not
displayed correctly. Here are two cases which were tested:
Case 1: "Reporting Settings": Reporting > Remote Access > Session
Filter: Completed Sessions
Connections by user > username
Custom: from date x to date y
After clicking the PDF or CSV button, you receive a pop-up which shows:
"Please be patient, while the report is generated." This message never
comes to an end; it runs endlessly.
***********************************
Case 2: "Reporting Settings": Reporting > Remote Access > Session
Filter: Completed Sessions
Connections
Custom: from date to date
The CSV download works but the column Date/Time is not displayed
correctly. The column "Duration" is missing completely. The PDF
download in this case is working and all columns are displayed
correctly.
Workaround: At the moment there is no workaround available for this
issue.
Fixed in:
ID16898 8.160 Newly created packet filter rules or HTTP proxy authentication work only after restarting AAC
------------------------------------------------------------------------
Description: When AAC is already connected to the ASG and a new packet
filter rule is generated for the logged-in user, or when the HTTP proxy
is newly configured to use Client Authentication, the user will not be
correctly handled.
Workaround: Restart AAC on the Windows client after ASG configuration
changes.
Fixed in:
ID16804 8.102 after reboot syslogng was not started
------------------------------------------------------------------------
Description: After a reboot of the ASG it might happen that syslogng was
not started.
Workaround: Restart syslogng manually via the command:
/etc/init.d/syslogng start
or just reboot the system again until syslogng is running.
Fixed in:
ID16609 8.151 udev: 50-vmware-net.rules breaks NIC sort
------------------------------------------------------------------------
Description: The udev rule in 50-vmware-net.rules (RPM vmware-tools)
breaks a VMware installation on "mixed NIC" setups (e.g. mixing e1000
and vmxnet NICs). Because it is a terminating rule, the rules in
70-persistent-net.rules are not called anymore.
Workaround: Please contact Astaro Support.
Fixed in:
ID16361 8.003 Failed to get scanner instance after reloading avira pattern
------------------------------------------------------------------------
Description: After an Avira pattern update, it's possible that the HTTP
proxy fails to load the new Avira engine. When the problem occurs, the
following error message appears in the HTTP proxy logfile: "failed to
get scanner instance".
Workaround: Fixed in version 8.103.
Fixed in:
ID16186 8.100 HTTP-Proxy: Single time event doesn't work correctly
------------------------------------------------------------------------
Description: 'Single time events' within the HTTP Proxy configuration
don't work correctly. Because of an issue with daylight saving time, an
event from 14:00 to 14:30, for example, actually matches during
15:00-15:30.
Workaround: Always increase the START TIME and END TIME by one
additional hour.
Fixed in:
ID16171 8.003 When iPhone disconnects from the L2TP session, ASG doesn't change the IPsec state for the session
------------------------------------------------------------------------
Description: When an iPhone user disconnects from the L2TP VPN facility,
the iPhone cannot immediately reconnect to the L2TP facility. This is
due to the iPhone failing to send a delete SA notification to the ASG
upon disconnection; as a result the ASG will remember the session for a
short time.
Workaround: If dead peer detection is enabled (enabled by default), the
stale session will be automatically closed after 5 minutes, at which
time the iPhone can successfully reconnect.
Fixed in:
ID15841 8.003 assigned Default-Gateway via DHCP will not set on the RED-device
------------------------------------------------------------------------
Description: If a Speed Touch 546 v5 router is used to provide an IP
address via DHCP to the RED device, the default gateway will not be set
on the WAN port.
Workaround: Use a static IP address within the Astaro RED configuration.
Fixed in:
ID14503 8.000 Long WebAdmin sessions on the WebAdmin dashboard cause a memory leak
------------------------------------------------------------------------
Description: When a WebAdmin session's focus is kept on the WebAdmin
dashboard for an extended amount of time, this causes a memory leak
until the session is closed.
Workaround:
Fixed in:
Open Issues - VPN
========================================================================
ID19680 8.202 L2TP over 3G does not work on Android
------------------------------------------------------------------------
Description: It is not possible to establish an L2TP connection with an
Android device using a 3G connection.
Workaround: L2TP works only over a WiFi connection. Please use PPTP
instead.
Fixed in:
ID19482 8.202 Data transfer over L2TP VPN breaks after a few minutes for Windows clients
------------------------------------------------------------------------
Description: Since the update to 8.202, data transfer breaks with L2TP
VPN connections and Windows OS after a few minutes.
Workaround: Contact Astaro support to get a modified kernel; install
kernel-smp64-2.6.32.42-16.g1480364.x86_64-id19482.rpm and restart the
system.
Fixed in: 8.301
ID14692 8.000 Terminating Cisco Remote access connections after end of phase 2 lifetime
------------------------------------------------------------------------
Description:
Workaround: Increase the lifetimes for IKE and IPsec on the ASG. Since
Cisco VPN uses a fixed policy you need to edit it on the command line
via confd-client. It's at OBJS:ipsec->policy->REF_IPsecPolicyCisco.
Values to be increased are ike_sa_lifetime and ipsec_sa_lifetime. The
maximum value accepted by pluto is 86400.
Fixed in:
Open Issues - Web Application Security
========================================================================
ID16010 8.003 Microsoft Sharepoint / NTLM Authentication doesn't work over WAF
------------------------------------------------------------------------
Description:
Workaround: In addition to the NTLM authentication, enable Basic
Authentication in the Microsoft Sharepoint configuration.
Fixed in:
ID15971 8.080 WAF Firewall profile: mode 'drop' does the same as mode 'reject'
------------------------------------------------------------------------
Description: Web Application Security profile mode 'drop' does the same
as mode 'reject'.
Workaround:
Fixed in:
Open Issues - Web Security
========================================================================
ID19889 8.202 HTTP proxy redirects Adobe Flash Action Message Format requests to downloader page
------------------------------------------------------------------------
Description: The HTTP proxy redirects sites which contain Adobe Flash
Action Message Format content to the downloader page, even if no AV
scanning is active.
Workaround: Please contact support regarding a workaround.
Fixed in:
ID19806 8.295 Web Filter: iPhone/iPad exception for Youtube doesn't match
------------------------------------------------------------------------
Description: Youtube doesn't work when an iPhone/iPad is used over the
HTTP proxy.
Workaround: Modify the 'iphone/iPad youtube' exception to match the
following URL regex too:
^http://[A-Za-z0-9.-]+\.youtube\.com/videoplayback
Fixed in: 8.301
ID19484 8.202 HTTP-Proxy Block-Page is not displayed if the client is at the Application Control Skiplist
------------------------------------------------------------------------
Description: The HTTP proxy block page is not displayed if the client is
on the Application Control skiplist.
Workaround: Remove the client/network from the Application Control
skiplist. Then the block page works as normal.
Fixed in:
ID19479 8.202 user-/group mapping does not work with identical user names in different domains
------------------------------------------------------------------------
Description: The HTTP proxy stores the name and the corresponding SID
for Active Directory users/groups in a local SID cache. If users/groups
in different Active Directory domains have identical names, it isn't
possible to differentiate between these objects. The HTTP proxy always
returns the first resolved SID/name for an Active Directory object.
Workaround: Rename the affected users/groups.
Fixed in:
ID14384 8.000 Reporting for the FTP proxy does not work
------------------------------------------------------------------------
Description: Reporting data for the FTP proxy should be displayed in
the Web Security reports. However, this is not the case.
Workaround:
Fixed in:
Open Issues - Wireless Security
========================================================================
ID20102 8.300 WiFi: Connection problems for clients using powersaving
------------------------------------------------------------------------
Description: In 8.300 the AP10/30 wireless APs might be unable to
maintain a stable connection to power-saving clients (like smartphones
or laptops on battery power). This can manifest itself as high
latencies, slow throughput or frequent disconnects of some clients.
Workaround: Once the AP has entered that faulty state it needs to be
reconfigured or rebooted to get back into a working state. Also,
disabling PS mode on the client (if possible) should work around the
issue in most cases.
Fixed in: 8.301
ID16153 8.100 Radius secret containing backtick character (`) doesn't work
------------------------------------------------------------------------
Description:
Workaround: Configure a Radius secret without a backtick character.
Fixed in:
Closed Issues - Email Security
========================================================================
ID19097 8.201 Exim RDNS check behavioral change between 8.1x and 8.2x
------------------------------------------------------------------------
Description: Since the upgrade to ASG 8.20x the SMTP proxy rejects more
messages than before with reason 'No RDNS entry for x.x.x.x' even
though the IP address x.x.x.x has a PTR record in DNS. In the Mail
Manager these messages are shown as Rejected with log entry 'Rejected:
RDNS/HELO (RDNS missing)'.
Workaround: To revert the RDNS check back to the behavior of ASG 8.10x,
please run the following commands as root on the ASG:
sed -i '404s/\$host_lookup_failed/${lookup dnsdb{ptr=$sender_host_address}{0}{1}}/' /var/chroot-smtp/etc/exim.conf
/var/mdw/scripts/smtp restart
Fixed in: 8.203
ID18728 8.200 SMTP Proxy can't send any email when special characters in BATV secret
------------------------------------------------------------------------
Description: The SMTP Proxy can't send any emails when special
characters are set in the BATV secret.
Workaround: Do not use special characters (like $, %, ...) in the BATV
secret.
Fixed in: 8.260
ID18198 8.000 TNEF encoded attachment (aka winmail.dat) can't be decrypted
------------------------------------------------------------------------
Description: TNEF encoded attachments (winmail.dat) can not be
decrypted by the ASG.
Those attachments are for example generated by Outlook
when sending "Meeting Requests".
Workaround: Please disable the Rich-Text-Format at Outlook. A detailed
description can be found at:
http://support.microsoft.com/kb/278061
Fixed in:
ID17362 8.102 After successful Smime-decryption, the emails are sent out encrypted when signature verification fails
------------------------------------------------------------------------
Description: After successful Smime-decryption, the emails are sent out
encrypted when signature verification fails.
Workaround: Disable the verification for incoming Smime signed emails.
Fixed in: 8.170
ID16431 8.100 PGP Inline encrypted Emails arrive with empty body at the mail-client
------------------------------------------------------------------------
Description: PGP Inline encrypted emails arrive with an empty body at
the mail client after decryption.
Workaround: When the sender chooses PGP Mime Encryption everything is
working properly.
Fixed in: 8.165
ID15403 8.002 confidentiality footer is appended to incoming mail
------------------------------------------------------------------------
Description:
Workaround:
Fixed in: 8.055
ID14782 8.001 UTF-8 characters in realname of imported keys are not displayed correctly
------------------------------------------------------------------------
Description: By importing a PGP key (Mail Security > Encryption >
OpenPGP Public Keys > Import Keyring file) UTF-8
characters in the 'Key owner name' are not displayed
correctly.
Workaround:
Fixed in: 8.151
ID14736 8.000 Email confidentiality footer gets injected in unsuitable email parts
------------------------------------------------------------------------
Description: The confidentiality footer gets injected in all email parts
that are not marked as attachment or download and have a MIME type of
text/*. This can lead to it being injected in e.g. XML documents if
they are not marked as attachment.
Fixed ASG versions will only append the confidentiality footer if the
email part has a MIME type of text/plain or text/html.
Workaround: If you send text documents that should not get a
confidentiality footer appended, make sure they are marked as
attachment.
Fixed in: 8.002
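The selection rule described in ID14736, modelled in Python as an added example (this is not ASG code): the pre-8.002 predicate touches any text/* leaf part that is not marked as an attachment, the fixed predicate only text/plain and text/html. The sample message, footer text and function names are constructed for the example; the message carries an inline text/xml part, which is exactly the kind of structured content the old rule corrupts.

```python
from email.message import EmailMessage

# Constructed sample footer; the real footer text is whatever the administrator configured.
FOOTER = "\n-- \nThis message is confidential."


def is_attachment(part):
    """A part counts as attachment/download when Content-Disposition says 'attachment'."""
    return part.get_content_disposition() == "attachment"


def old_rule(part):
    """Behaviour before 8.002: any text/* leaf part that is not an attachment."""
    return part.get_content_maintype() == "text" and not is_attachment(part)


def fixed_rule(part):
    """Behaviour from 8.002 on: only text/plain and text/html, still excluding attachments."""
    return part.get_content_type() in ("text/plain", "text/html") and not is_attachment(part)


def parts_getting_footer(msg, rule):
    """Content types of the leaf parts that 'rule' would modify, in message order."""
    return [p.get_content_type() for p in msg.walk() if not p.is_multipart() and rule(p)]


def append_footer(msg, rule, footer=FOOTER):
    """Append 'footer' to every leaf part selected by 'rule'; returns how many parts were touched."""
    touched = 0
    for part in msg.walk():
        if part.is_multipart() or not rule(part):
            continue
        subtype = part.get_content_subtype()
        disposition = part.get_content_disposition()
        # set_content() replaces the body and the Content-* headers, so re-apply subtype/disposition.
        part.set_content(part.get_content() + footer, subtype=subtype, disposition=disposition)
        touched += 1
    return touched


def build_sample():
    """Constructed multipart/mixed message: plain and HTML bodies, an inline XML part
    (not marked as attachment) and a CSV file marked as attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Invoice 42"
    msg.set_content("Hi Bob, the invoice data follows.")
    msg.make_mixed()  # turn the single body into the first part of a multipart/mixed
    html = EmailMessage()
    html.set_content("<p>Hi Bob, the invoice data follows.</p>", subtype="html")
    msg.attach(html)
    xml = EmailMessage()
    xml.set_content('<?xml version="1.0"?><invoice id="42" total="100.00"/>',
                    subtype="xml", disposition="inline")
    msg.attach(xml)
    csv = EmailMessage()
    csv.set_content("item,amount\nwidget,100.00\n", subtype="csv",
                    disposition="attachment", filename="invoice.csv")
    msg.attach(csv)
    return msg


if __name__ == "__main__":
    print("old rule touches  :", parts_getting_footer(build_sample(), old_rule))
    print("fixed rule touches:", parts_getting_footer(build_sample(), fixed_rule))
```

Appending a footer to the XML part yields a document that no longer parses, which is why the fix restricts the rule to the two body types a human reads; the CSV part escapes both rules only because it carries Content-Disposition: attachment, which is the workaround the entry gives for sending text documents before 8.002.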
ID14364 8.000 ASG does not use ESMTP for "Skip TLS negotiation hosts"
------------------------------------------------------------------------
Description: Authentication at a smarthost that is listed in "Skip TLS
negotiation hosts" doesn't work.
Workaround:
Fixed in: 8.001
Closed Issues - High Availability
========================================================================
ID15385 8.000 HA not available with single subscription WAS
------------------------------------------------------------------------
Description: Any valid subscription should enable the High Availability
feature. However, this was not working for the Web
Application Security subscription.
Workaround:
Fixed in: 8.080
ID14699 8.000 Interface MTU settings not set correctly on HA slave
------------------------------------------------------------------------
Description: The configured MTU for dynamic interfaces (i.e. DSL over
PPPoE or PPPoA) is not set correctly on HA slave systems.
This can lead to transmission problems if a takeover
occurs and the default MTU (1500) is too high to be usable
for the interface.
Workaround:
Fixed in: 8.002
Closed Issues - Management
========================================================================
ID16229 8.100 ACC Device Agent dies when RED Split DNS is configured
------------------------------------------------------------------------
Description: When using both ACC Agent and RED Split DNS feature (new
in 8.100) an error in parsing the configuration leads to a
crash in ACC Agent.
Workaround:
Fixed in: 8.101
ID16203 8.000 WebAdmin login broken in case of remote authentication
------------------------------------------------------------------------
Description: Users that are authenticated against a remote
authentication server can't login to WebAdmin if there is
no local user object for them. This issue does not occur
when automatic user creation and user prefetch are
enabled.
Workaround:
Fixed in: 8.101
ID14799 8.002 Scheduled Up2Dates do not work
------------------------------------------------------------------------
Description: In all ASG 8 versions up to and including 8.003, Up2Dates
scheduled on the Management >> Up2Date >> Overview
WebAdmin tab are not started automatically at the
scheduled time.
Workaround: Start the Up2Dates manually on the same WebAdmin tab.
Fixed in: 8.055
ID14627 8.000 Local IP addresses counted for license check
------------------------------------------------------------------------
Description: The license check counting used IPs erroneously included
IPs used by the ASG itself (i.e. interface addresses and
additional addresses).
Workaround:
Fixed in: 8.002
ID14420 8.000 Connection attempts to nonexistent IP addresses are counted for license
------------------------------------------------------------------------
Description: Connection attempts through the ASG may cause the internal
IP to be counted for licensing IP restrictions even though a connection
was never established.
This can cause problems when it is possible to send packets to
nonexistent internal IPs from the outside, which can lead to an
inflated IP count.
Workaround:
Fixed in: 8.001
Closed Issues - Network Security
========================================================================
ID15948 8.000 After activation of a packetfilter rule with authentication header (AH) service the ASG will crash
------------------------------------------------------------------------
Description:
Workaround:
Fixed in: 8.080
ID15555 8.000 RED: UDP flood protection blocks RED traffic
------------------------------------------------------------------------
Description: When UDP Flood protection is turned on, incoming traffic
from RED devices may be dropped. The RED link will still
work, but throughput is heavily impaired.
Workaround: Create an exception for UDP Flood Protection, matching
target port 3400.
Fixed in: 8.060
ID15369 8.000 RED-Traffic (TCP/UDP-Port 3400) will be dropped by AFC as Skype
------------------------------------------------------------------------
Description:
Workaround:
Fixed in: 8.065
ID14706 8.000 Packetfilter breaks if a rule used a big service group
------------------------------------------------------------------------
Description: If a packetfilter rule uses a service group with a big
number of services (30 or more) in some cases an error
occurs when enabling packetfilter rules, potentially
affecting all packetfilter rules.
Workaround: Disable multi-port optimization
(MAIN:packetfilter->advanced->optimize->ports)
Fixed in: 8.002
ID14564 8.000 Packetfilter rule using Single Time Event does not get created
------------------------------------------------------------------------
Description: Packetfilter rules using a Time Event of type "Single
Event" do not get created in the backend and therefore
have no effect.
Workaround:
Fixed in: 8.002
ID14469 8.000 Country Blocking blocks essential services
------------------------------------------------------------------------
Description: If you enable "Country Blocking" and block countries where
essential servers are located (e.g. provisioning servers for RED, spam
filter servers), some features of the ASG might stop functioning.
Workaround: Limit Country Blocking to fewer countries.
Fixed in: 8.001
Closed Issues - RED
========================================================================
ID16519 8.100 Incoming RED reply packets are dropped
------------------------------------------------------------------------
Description: In some circumstances (so far this occurred with certain
Intel network cards which are used in the ASG 625, but other
configurations might be affected, too) the ASG fails to read packets
coming from attached RED devices correctly and subsequently drops them.
Workaround:
Fixed in: 8.101
Closed Issues - Various
========================================================================
ID19887 8.300 Using Interface bound ANY Object (e.g. Internet IPv4) in network list will cause other entries not to match
------------------------------------------------------------------------
Description: Using an ANY object that is bound to an interface (e.g. the
Internet IPv4 object) in a network list will cause other entries not to
match.
This may lead to being locked out of WebAdmin/SSH if there is more than
one object including the any definition (e.g. Internet, Any).
Workaround: Please remove the interface-bound ANY object (e.g. the
Internet IPv4 object) from the WebAdmin/SSH allowed networks and insert
the default ANY object (matches any IPv4 and IPv6 address).
Fixed in: 8.300
ID19185 8.202 HTTP proxy resets Dropbox connections
------------------------------------------------------------------------
Description:
Workaround:
Fixed in:
ID18974 8.201 Updown script running on 100%
------------------------------------------------------------------------
Description: In certain cases where the Astaro has a large number of
connection tracking entries, it could happen that a process called
"updown" runs at 100% CPU load.
This process is part of the IPsec feature.
Workaround: Will be fixed in 8.202, or contact Astaro support. They
will install a new updown script on the ASG, which will fix the issue.
Fixed in: 8.202
ID18936 8.201 HTTP Proxy: SSL tunnel handler doesn't close client connection in all cases
------------------------------------------------------------------------
Description: If the server closed the connection and there is no data
left to send to the client, the HTTP Proxy doesn't close
the client connection. In most cases this doesn't hurt, as
the HTTP response in the SSL tunnel has a content length.
If there is no content length, the page seems to 'hang'.
Workaround:
Fixed in: 8.202
ID18929 8.201 Transparent Proxy with Auth not working properly
------------------------------------------------------------------------
Description: If you enter invalid credentials the httpproxy restarts.
Workaround:
Fixed in: 8.202
ID18927 8.202 Wifi: Access Point with a MAC address ending in :f8 cannot connect to the ASG
------------------------------------------------------------------------
Description: During production of the latest batch of our AP 10 and AP
30 we could isolate an issue with access points having an
unusual MAC address ending in :f8. Those access points
cannot connect to the ASG.
Workaround: Please refer to our knowledgebase at
https://support.astaro.com/support/index.php/APs_with_a_MAC_address_ends_on_f8_doesnt_work
to install the latest patch for your version.
Fixed in: 8.202
ID18880 8.201 Edir SSO authentication still times out in http proxy after 8.201
------------------------------------------------------------------------
Description: Edir SSO authentication sometimes times out in http proxy
after update to 8.201
Workaround:
Fixed in: 8.202
ID18872 8.202 WiFi: aweclient sends incomplete client list to ASG and enters inactive state
------------------------------------------------------------------------
Description: Under some circumstances an AP may be shown as inactive
on the ASG although it still forwards wireless traffic to
the ethernet when Bridge-to-LAN mode is used.
When the APs end up in this state they need to be
manually rebooted in order to get them into the active
state again.
Workaround: Once the APs have entered the inactive state they need to
be manually rebooted (power off by unplugging the power
cable).
Fixed in: 8.202
ID18825 8.201 HTTP Proxy doesn't reauthenticate AD SSO client after auth exception matched
------------------------------------------------------------------------
Description: HTTP Proxy doesn't reauthenticate AD SSO client after auth
exception matched
Workaround:
Fixed in: 8.202
ID18802 8.200 Executive reports will not be generated
------------------------------------------------------------------------
Description: Executive Report generation may fail if Network Objects
contain Umlauts.
Logging will work, but the generation of the Report may
fail due to encoding problems.
Workaround: Do not use Umlauts in Network Objects.
Fixed in: 8.202
ID18769 8.200 If virus scanning of a website failed, no error message is shown in the browser
------------------------------------------------------------------------
Description: If virus scanning of a website failed, no error message is
shown in the browser. Instead, the user gets a blank page.
Workaround:
Fixed in: 8.202
ID18695 8.200 Policyrouting in combination with Application Control may cause problems
------------------------------------------------------------------------
Description: Policyrouting in combination with Application Control may
cause problems. This is caused by wrong connection
handling.
Workaround: Disable Application Control.
Fixed in: 8.202
ID18684 8.200 Exception for extensions will not be logged. There will always be an empty string in the log: exceptions=""
------------------------------------------------------------------------
Description: Exceptions for extensions will not be logged. There will
always be an empty string in the log: exceptions=""
Workaround: Please contact the support team for an rpm package.
Fixed in: 8.202
ID18653 8.200 If the HTTPs-Proxy is enabled, login to some websites may result in "Internal server error"
------------------------------------------------------------------------
Description: When using the HTTPs-Proxy, some websites requiring
authentication might not be reachable. This happens on
websites that use HTTP keepalives with POST requests.
Workaround:
Fixed in: 8.202
ID18600 8.200 Websec reporting: scheduled reports are always empty
------------------------------------------------------------------------
Description: The e-mails sent by the Web Security Scheduled Reports are
always empty.
Workaround: Manually send the affected reports using the 'Send' button
in the Logging & Reporting -> Web Security -> Web Usage
Report tab.
Fixed in: 8.296
ID18581 8.103 QoS limits maximum packet size to 2047
------------------------------------------------------------------------
Description: In some cases packets with a packet size above 2005 may
be dropped in the IPsec tunnel without a packet filter
log entry.
Our current QoS implementation (TBF) limits the maximum
packet size to 2047.
Workaround: Disable QoS on the external interface or disable the
interface's 'Download Equalizer'.
Fixed in: 8.260
ID18567 8.200 "MIME blocking inspects HTTP body" is broken
------------------------------------------------------------------------
Description: When "MIME blocking inspects HTTP body" is enabled in the
HTTP proxy, there might be some cases where the recognition
of the MIME type fails and files cannot be downloaded.
Workaround:
Fixed in: 8.202
ID17907 8.102 User prefetch fails if the mail and proxyAddresses is case-sensitive
------------------------------------------------------------------------
Description: The user import via the prefetch feature is not working if
the mail address and the proxy address on the domain
controller differ in case (the comparison is case-sensitive).
Example:
mail address: User@domain.com
proxy address: user@domain.com
Workaround:
Fixed in: 8.170
ID17815 8.102 User not shown in 'Remote Access Status' and User Network not resolved if OpenSSL username contains space
------------------------------------------------------------------------
Description: If a user whose username contains a space connects via
OpenSSL, the user is not shown in 'Remote Access Status'
and the 'User Network' is not resolved.
Therefore the packet filter rule will never apply, since
no IP address is given for the user's network object.
Workaround: ---
Fixed in:
ID17716 8.102 Basic authentication via httpproxy didn't work if username and/or password contains special characters when using Firefox or IE
------------------------------------------------------------------------
Description: Basic authentication via httpproxy doesn't work if the
username and/or password contains special characters when
using Firefox or IE.
The proxy authentication fails, since the browser sends
UTF-8 characters in user credentials in an arbitrary
encoding.
Workaround: The following browsers have been tested successfully:
- Google Chrome
- Opera
Fixed in:
ID17693 8.163 AntiVirus scan fails with cssd response: 500 Internal Server Error
------------------------------------------------------------------------
Description: Under some yet unknown conditions the Avira Anti-Virus
scanning daemon cssd fails to scan with the error message:
"500 Internal Server Error". This causes failures in all
proxies that use the cssd, namely SMTP, POP3 and Reverse
Proxy (WAS) if AV scanning is enabled.
Workaround:
Fixed in: 8.201
ID17498 8.102 Need an option to clear, set, or copy the DF bit flag for traffic related to the IPSEC tunnel
------------------------------------------------------------------------
Description: In version 8, the IPsec tunnel's MTU size is strictly
based on path MTU discovery. If the MTU size becomes too
small, large TCP packets with the don't-fragment bit set
will fail to traverse the tunnel.
Workaround: Contact Astaro Support to obtain a patch to install on the
ASG to clear the DF-bit flag on the encrypted packet and
allow the packet to traverse through the tunnel.
Fixed in: 8.170
ID17452 8.102 HTTP proxy blocks file-download. Error processing archive by avira scanner
------------------------------------------------------------------------
Description: The following file cannot be scanned by the Avira
Antivirus engine, because of a defective 2nd compression
header in the file:
http://static.slysoft.com/SetupAnyDVD6790.exe
This was checked and confirmed by Avira.
Workaround: There are two possible workarounds:
1) Create an exception to skip the Antivirus Scanning
for this URL.
or
2) Disable the following option: "HTTP/S > Advanced >
Block unscannable and encrypted files"
Fixed in:
ID17199 8.102 RAS addresses are never removed from backend group network objects
------------------------------------------------------------------------
Description: In case OpenVPN is restarted or stopped, not all users are
updated via RAS-update. As a result, a large number of
users still have an 'old' IP address in their user network
object.
Workaround: Please contact Astaro Support to obtain a Fix.
Fixed in: 8.260
ID16884 8.101 Confd: reject IP addresses with leading zeros
------------------------------------------------------------------------
Description: Remote Access is not working if the RAS IP of a user
object contains a leading zero (e.g. 192.168.005.30). You
will get the following error message in ipsec.log:
acquiring address from pool 'REF_DefaultRWPool' failed.
Workaround:
Fixed in: 8.260
ID16853 8.155 Radius secret containing backtick character (`) doesn't work
------------------------------------------------------------------------
Description:
Workaround:
Fixed in: 8.160
ID16593 8.100 Scheduled up2dates don't run when atd is dead. Selfmon check needed.
------------------------------------------------------------------------
Description: In rare cases, the scheduling daemon may die, and after
that, scheduled Up2Dates will not be installed
automatically.
Workaround: Either install the system Up2Dates manually,
or delete the scheduled Up2Dates using the WebAdmin,
restart the scheduling daemon by typing
# /etc/init.d/atd restart
at the root shell prompt,
and then schedule the missed Up2Dates anew for a time in
the future.
Fixed in: 8.161
ID16215 8.100 ctype: application/flash-video not contained per default in cc>http>noscancontent
------------------------------------------------------------------------
Description: Flash Videos with Content-type "application/flash-video"
cannot be shown via HTTP-Proxy
Workaround: Contact Astaro Support to obtain a Fix
Fixed in: 8.202
ID16206 8.003 [AUA] AD groups containing utf8 characters are not returned when using test authentication
------------------------------------------------------------------------
Description: When using the test authentication
(Webadmin > Authentication > Servers > 'Edit adirectory
server'), groups with special characters (for example:
äöüß) are not returned.
Nevertheless, when using the "real" authentication (for
example User Portal login), these groups are matched as
expected.
Workaround:
Fixed in: 8.165
ID15141 8.002 Anti-Spam (ctasd) doesn't work after upgrading to v8.002
------------------------------------------------------------------------
Description: Under some conditions the Commtouch AntiSpam daemon used
for Spam classification does not classify messages, which
causes all messages to pass through unclassified. Spam is
not blocked, quarantined or marked any more. Using the
startup script /var/mdw/scripts/ctasd to restart the
daemon does not solve the problem.
Workaround: As a workaround, the ctasd startup script from ASG 8.001
can be used, which still works on ASG 8.002.
To restore the ctasd script from ASG 8.001 please copy
the file ctasd (which can be obtained via support) on the
ASG to /var/mdw/scripts/ctasd
Afterwards run the following command:
killall -9 ctasd
then wait for 30 seconds, and then restart the ctasd
daemon using the restored startup script:
/var/mdw/scripts/ctasd restart
Fixed in: 8.003
ID14869 8.001 WAF forces encoding of delivered pages and form data to UTF-8, causing broken Umlauts
------------------------------------------------------------------------
Description:
Workaround: The problem does not occur when the real web server
delivers its content as UTF8. So the workaround is to
configure the real web server to use UTF8 for all
delivered contents.
For OWA 2010 follow this guide on how to
Configure Character Settings for Outlook Web App:
http://technet.microsoft.com/en-us/library/bb124898%28EXCHG.140%29.aspx
For OWA 2007 follow this guide on how to
Configure Character Settings for Outlook Web App:
http://technet.microsoft.com/en-us/library/bb124898(EXCHG.80).aspx
Fixed in: 8.055
ID14688 8.000 Overflow in certificate creation will cause invalid certificates
------------------------------------------------------------------------
Description: Due to an overflow within the certificate creation, all
certificates being created after 4th September 2010 will
be invalid as the end date of the certificates will be in
the past. This affects all types of certificates (CAs,
user certificates, VPN certificates, ..) in all types of
systems.
Workaround: If possible, please apply Up2Date 8.001 by end of August
(or until 3rd September 2010).
Fixed in: 8.001
ID14588 8.000 PPTP not working with RADIUS authentication
------------------------------------------------------------------------
Description:
Workaround: Disable support for 56bit encryption on the Microsoft
RADIUS server.
Fixed in: 8.002
ID14519 8.000 GRUB fails to install properly on some HP servers
------------------------------------------------------------------------
Description: On some HP ProLiant G3 and G5 servers the system doesn't
boot after seemingly successful installation.
Workaround:
Fixed in: 8.001
ID14427 8.000 No successful boot with Perc H200
------------------------------------------------------------------------
Description: On Dell servers with Perc H200 RAID controller
installation works but the system doesn't boot afterwards.
Workaround:
Fixed in: 8.001
ID14416 8.000 ASG cannot join a Windows 2008 server domain when server is specified in WebAdmin
------------------------------------------------------------------------
Description:
Workaround: In some setups leaving the field "Server" at Users >
Authentication > Single-Sign-On empty will fix the issue.
Fixed in: 8.002
ID12286 8.000 IE8 may use 100% cpu in Initial Setup
------------------------------------------------------------------------
Description: Due to a quirk in the new rendering engine, MS
Internet Explorer Version 8 may put a huge load on the
workstation while going through the first installation
(Initial Setup) of ASG Version 8.
Besides being slower than necessary, no functionality is
affected.
Workaround: Switch to IE8 Compatibility View
(http://blogs.msdn.com/ie/archive/2008/08/27/introducing-compatibility-view.aspx)
or use a different browser for the initial setup.
Fixed in:
ID11884 8.000 Screenshots missing from Manual and Online-Help
------------------------------------------------------------------------
Description: Online help and manual aren't completely updated to V8
yet, some screenshots are missing.
Workaround:
Fixed in:
Closed Issues - VPN
========================================================================
ID14712 8.000 ip-win32 dynamic option in the SSL Client Conf doesn't work with Linux, BSD, MAC OSX
------------------------------------------------------------------------
Description: The configuration file generated for SSL VPN Remote Access
includes the "ip-win32" option which will lead to errors
when trying to use SSL VPN on non-Windows systems, like
Mac OS X or Linux.
Workaround: Manually remove the line starting with "ip-win32" from the
configuration file.
Fixed in: 8.002
ID12839 8.000 Site-to-Site connection will not be established with SHA2 as ipsec authentication algorithm
------------------------------------------------------------------------
Description: Currently it is not possible to use SHA2 as IPSec
authentication algorithm for Site-to-site between Version
7 and Version 8.
Workaround: Use SHA1 or MD5 as IPSec authentication algorithm.
Fixed in: 8.164
ID11998 8.000 Default src addr parameter not working for S2S IPv6 routes
------------------------------------------------------------------------
Description: IPv6 connections initiated by the ASG itself to a remote
IPSec Tunnel subnet will have the external IPv6 address of
the ASG set as source IPv6 address and will therefore not
be encrypted.
Traffic originated by network clients is not affected by
this and works as expected. IPv4 traffic is also not
affected.
Workaround: Add the external IPv6 address of the ASG to the Local
Networks list and the external IPv6 address of the remote
IPSec endpoint to the Remote Networks list.
Fixed in: 8.165
Closed Issues - Web Application Security
========================================================================
ID18604 8.200 Web Application Firewall mixes backend websites
------------------------------------------------------------------------
Description: In case multiple virtual web servers exist with exactly
the same settings but listening on different interfaces,
the Web Application Firewall mixes up the real web server
sites. This only happens if the first entry in the domain
list is the same for all involved virtual web servers.
Workaround: Make sure that each virtual web server's first domain name
is unique.
Fixed in: 8.202
ID16880 8.102 WAF logfile does not show block reason for "XSS Filter" or "SQL Injection Filter"
------------------------------------------------------------------------
Description: If a request is being blocked because of the "Cross Site
Scripting (XSS) Filter" or the "SQL Injection Filter", the
Web Application Firewall logfile doesn't give detailed
information about the block reason.
Workaround: Setting the profile mode to 'Monitor' logs the reject
reason, but doesn't block the request. Please set the mode
temporarily to 'Monitor' in your WAF profile.
Fixed in: 8.165
ID15972 8.080 Exceptions do not work for Cross Site Scripting, SQL-Injection or Cookie Signing
------------------------------------------------------------------------
Description: Creating an exception for "SQL Injection Filter", "Cross
Site Scripting (XSS) Filter" or "Cookie Signing" has no
effect. HTTP requests matching the exception might still
get blocked.
Workaround:
Fixed in: 8.151
ID15305 8.000 Too long signing keys cause invalid WAS configuration
------------------------------------------------------------------------
Description: If you use a very long string for the "URL Hardening
Signing Key" or the "Cookie Signing Key", an invalid
configuration might be written, causing the Web
Application Firewall to stop working.
Workaround: Use a shorter key. The limit is 57 bytes which usually
corresponds to 57 characters.
Fixed in: 8.055
ID14903 8.000 URL Hardening: Forms using GET method requests don't work
------------------------------------------------------------------------
Description: If URL Hardening is enabled, HTML forms using GET method
get blocked on submit with reason "No signature found".
Workaround: There are two ways to work around this issue:
1. Change the HTML form to use method POST instead of
GET. If this is not possible, add a wildcard exception for
the URL provided in the action attribute of the form tag.
2. Enable the "Form Hardening" feature (will be available
in ASG 8.200).
Fixed in: 8.200
ID14820 8.002 Virus uploads don't get blocked if XSS or SQL Injection filter (mod_security) is enabled
------------------------------------------------------------------------
Description: If a WAF profile with enabled "SQL Injection Filter" or
enabled "Cross Site Scripting (XSS) Filter" is used, virus
uploads don't get blocked, even though the WAF profile is
in reject mode and AntiVirus scanning is enabled for
uploads.
Workaround: Don't use the "SQL Injection Filter" or the "Cross Site
Scripting (XSS) Filter" feature if you want to block virus
uploads.
Fixed in: 8.165
ID14758 8.000 URLs in CSS definitions do not get signed for URL hardening
------------------------------------------------------------------------
Description: URLs contained in CSS (e.g. to reference pictures) do not
get signed when URL hardening is enabled. When the browser
tries to follow the unsigned links, the request will get
rejected.
Workaround:
Fixed in: 8.055
ID14400 8.000 WAF disabled in predefined reverse proxy profiles
------------------------------------------------------------------------
Description: The filters for XSS and SQL Injection attacks are not
enabled in the predefined Web Application Firewall profiles
even though WebAdmin shows them as active.
Workaround: Create a completely new profile with WebAdmin.
Fixed in: 8.001
Closed Issues - Web Security
========================================================================
ID19597 8.201 Trendmicro updates filling up tmp directory with downloads
------------------------------------------------------------------------
Description: Trendmicro updates fill the /var/storage partition with
files in the /var/storage/chroot-http/tmp directory.
Workaround: Create an exception for Trendmicro updates:
^http:\/\/[A-Za-z0-9.-]*\.activeupdate.trendmicro.com\/activeupdate\/
Fixed in: 8.203
ID19241 8.201 Firefox updates filling up tmp directory with downloads
------------------------------------------------------------------------
Description: Updates fill up the storage partition, because the update
tool (e.g. of Mozilla) cannot handle the HTTP proxy
download page. Thus, the directory /var/chroot-http/tmp
is filling up with files.
Workaround: Create a HTTP exception with the following values:
Skipping: Antivirus
Matching these URLs: ^https?://.*/[A-Za-z0-9.-]*\.mar$
To empty the directory, please restart the http proxy.
Fixed in: 8.203
ID18771 8.200 Passwords with special characters (@, =) cause authentication to fail when using 'Transparent w/ Auth' mode
------------------------------------------------------------------------
Description: Passwords that contain special characters such as '@' or
'=' cause authentication to fail when using the Web Proxy
mode Transparent with Authentication.
Workaround:
Fixed in: 8.202
ID18213 8.103 Some websites have been reported to not support requests without Accept-Encoding header
------------------------------------------------------------------------
Description: Some websites have been reported to not support requests
without an Accept-Encoding header. These pages may be
rendered incorrectly or fail to load at all.
Workaround: As a workaround, please skip the httpproxy for the
affected sites. In transparent mode add the affected site
to the transparent mode skiplist. In standard mode skip
this site in the browser settings.
Fixed in:
ID16590 8.100 Exceptions without a configured source network that are in 'AND' mode are ignored by httpproxy
------------------------------------------------------------------------
Description: HTTP proxy exceptions that have no "Source Networks"
specified and use the "AND" operator are not applied.
Workaround: Add the "Any" network definition to "Source Networks".
Fixed in: 8.102
ID16515 8.100 Only HTTP keytab entries are created by default, host entries are missing
------------------------------------------------------------------------
Description: The ASG did not generate all necessary entries in the
Kerberos keytab when joining an AD domain. This could lead
to clients being rejected from using the HTTP proxy.
Workaround:
Fixed in: 8.101
ID16500 8.100 Content Filter request does not honour parent proxy settings
------------------------------------------------------------------------
Description: In version 8.100 (and 8.101 Soft-Release), the Content
Filter does not honor parent proxy settings. It tries to
contact the categorization servers directly.
Workaround:
Fixed in: 8.101
ID16438 8.100 Self signed certificate in chain and an exception for all requests going to this category will not work for some banking sites
------------------------------------------------------------------------
Description: There are problems opening some banking sites. In
standard mode you can see the browser message "self signed
certificate in certificate chain". In transparent mode you
will get a browser timeout and in the log "Failed to
verify server certificate".
Workaround: Disable Scan HTTPS (SSL) Traffic
Fixed in: 8.103
ID16255 8.101 Exception for Certificate Trust Check does not work in transparent mode
------------------------------------------------------------------------
Description: The exception for the Certificate Trust Check does not
work in transparent mode. After creating an exception for
a site, the site is still blocked with "Failed to verify
server certificate".
Workaround: Disable Scan HTTPS (SSL) Traffic
Fixed in: 8.103
ID16184 8.100 FTP doesn't work via HTTP Proxy
------------------------------------------------------------------------
Description: Accessing FTP servers via the HTTP Proxy (e.g. if the HTTP
Proxy is configured as proxy for FTP in the web browser)
doesn't work in 8.100.
Workaround:
Fixed in: 8.101
ID15144 8.001 HTTPS certificate exception fails when in transparent mode
------------------------------------------------------------------------
Description: HTTPS sites with an invalid certificate may not work after
an exception is added for only the website domain name.
Workaround: As the HTTPS exceptions work best with the IP address
rather than the hostname, instead of entering an exception
for www.domain.com enter the HTTPS exception for the
certificate check as an IP address such as 123.123.123.123
Fixed in:
ID14681 8.001 HTTP proxy restarts if country-based blocking is enabled
------------------------------------------------------------------------
Description:
Workaround:
Fixed in: 8.055
ID12789 8.000 Https scanning may block certain instant messengers
------------------------------------------------------------------------
Description: Instant messengers that abuse TCP port 443 (https) to
connect to their motherships may get confused when the
HTTP/S Proxy is configured to do https scanning.
Workaround:
Fixed in:
Closed Issues - Wireless Security
========================================================================
ID18607 8.200 No Wireless-Communication between AP30 and Clients using "AVM Fritz USB WLAN-Stick N"
------------------------------------------------------------------------
Description: After the update to 8.200 the communication between
several USB WLAN sticks and the AP30 doesn't work. At this
time this affects the following devices:
AVM Fritz USB WLAN-Stick N
Intel Pro Wireless 3945ABG in a Lenovo T60 notebook
Workaround: Do not upgrade to 8.200 yet.
Fixed in: 8.201
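The two AV-skip exception patterns from ID19597 and ID19241 above, run over constructed sample URLs to show exactly which requests they would exempt from virus scanning; this is an added Python example, not Astaro code, and the sample URLs are made up for the check.

```python
import re

# Exception patterns exactly as given in the known-issues entries
# ID19597 (Trend Micro ActiveUpdate) and ID19241 (Mozilla .mar updates).
TRENDMICRO_PATTERN = r"^http:\/\/[A-Za-z0-9.-]*\.activeupdate.trendmicro.com\/activeupdate\/"
MOZILLA_MAR_PATTERN = r"^https?://.*/[A-Za-z0-9.-]*\.mar$"

# Constructed sample URLs; they are illustrative, not captured traffic.
SAMPLE_URLS = [
    "http://iau.activeupdate.trendmicro.com/activeupdate/server.ini",
    "http://iau.activeupdate.trendmicro.com/activeupdate/pattern/lpt$vpn.123",
    # https is not covered by the ID19597 pattern, which starts with "http:"
    "https://iau.activeupdate.trendmicro.com/activeupdate/server.ini",
    # the unescaped dots in ".trendmicro.com" match any character
    "http://iau.activeupdateXtrendmicroXcom/activeupdate/server.ini",
    "http://download.example.org/pub/firefox/update/firefox-10.0.partial.mar",
    "https://updates.example.net/complete.mar",
    # a query string after ".mar" defeats the "$" anchor as written
    "http://example.org/firefox-10.0.partial.mar?x=1",
    "http://www.example.com/index.html",
]


def matching_exceptions(url, patterns):
    """Return the names of all exception patterns that match a URL.

    A match means the proxy would skip Antivirus scanning for that
    request, so every hit widens the unscanned surface.
    """
    return [name for name, rx in patterns.items() if rx.search(url)]


def audit_exceptions(urls=SAMPLE_URLS):
    """Classify each URL by the exception(s) that would skip scanning for it."""
    patterns = {
        "ID19597-trendmicro": re.compile(TRENDMICRO_PATTERN),
        "ID19241-mozilla-mar": re.compile(MOZILLA_MAR_PATTERN),
    }
    return {url: matching_exceptions(url, patterns) for url in urls}


if __name__ == "__main__":
    for url, hits in audit_exceptions().items():
        print(f"{'SKIP AV' if hits else 'scan   '}  {url}  {hits}")
```

Because the dots in "activeupdate.trendmicro.com" are not escaped, the first pattern also matches hosts that merely have any character in those positions; escaping them as `\.` keeps the exception limited to the Trend Micro update hosts.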