# LIST OF KNOWN ISSUES FOR ASTARO SECURITY LINUX 5.0
# ==================================================
# The purpose of this list is to give you an overview of known issues and
# possible workarounds, as well as known problems in other software being
# used in connection with Astaro Security Linux 5.0
# The ID denotes the internal Astaro bugtracking ID and will be shown in the
# description of an Up2Date if the issue is fixed.
#
# We would appreciate it if you contributed to this list and gave us
# feedback in this respect.
# For further information please contact: knownissues@astaro.com
#
# Last edit:
# $Id: Known_Issues-ASL-V5.txt,v 1.28 2006/10/09 15:56:34 mgehrlein Exp $

Open Issues
===========

ID2975 5.200 Windows Update does not work with NTLM authentication
------------------------------------------------------------------
Description: Windows Update does not work with HTTP-Proxy in NTLM mode.
             Clients may be able to connect, but downloading is not possible.
Workaround: Fix introduced in V6
Fix: ---

ID2738 5.203 Not possible to download logfiles with Internet Explorer
---------------------------------------------------------------------
Description: Using Internet Explorer with 'Medium Security' settings will
             cause the download of logfiles from WebAdmin to fail. Mozilla
             based browsers are not affected.
Workaround: Add ASL's IP to the Trusted Sites in Internet Explorer
Fix: ---

ID2565 5.000 Error while attempting to join NTLM domain with some hostnames
---------------------------------------------------------------------------
Description: When trying to join a domain to use NTLM Authentication, an
             error might be issued when using a long hostname. If so, please
             check if the computer account has been created although the
             error occurred.
Workaround: Use a shorter name.
Fix: ---

ID2468 5.202 Error in illustration of list fields in Proxy Content Manager
--------------------------------------------------------------------------
Description: Popups showing detailed information about the emails in Proxy
             Content Manager may not be rendered correctly on Windows systems
             using Internet Explorer. This problem only occurs with IE -
             Mozilla/Firefox is not affected.
Workaround: ---
Fix: ---

ID2271 5.200 NTLM caches negative responses
-------------------------------------------
Description: Authentication requests which result in a deny are cached by the
             NTLM daemon. Therefore login with correct username/password may
             also not work.
Workaround: Change HTTP Proxy mode to Standard and then back to NTLM or use
            V6 where you can flush the NTLM cache.
Fix: ---

ID2074 5.102 HTTP proxy using SMP kernel consumes 99 % CPU
----------------------------------------------------------
Description: Using HTTP Proxy with all features turned on it might consume
             all CPU resources on SMP systems
Workaround: --- (use default kernel)
Fix: ---

ID2047 5.102 Domain Controller Servers cannot use Proxy with NTLM
-----------------------------------------------------------------
Description: Windows Servers running as Domain Controllers in an Active
             Directory domain can not use HTTP Proxy with NTLM authentication
             themselves. This is important when planning to use Terminal
             Services - the Terminal Server should not be a Domain
             Controller.
Workaround: see Knowledgebase article no. 149823
Fix: ---

ID1988 5.000 Wrong entries in the connection tracking table
-----------------------------------------------------------
Description: There might be a problem e.g. with clients continuously sending
             packets to a destination reachable via a VPN tunnel which has
             not been established after a reboot. This traffic will not be
             routed through the tunnel even after the tunnel has come up.
Workaround: If you encounter this type of issue, please try increasing the
            clients' retry interval to make sure connection tracking matches
            correctly.
Fix: ---

ID1852 5.027 Reporting->Network displays wrong values when using Gigabit NICs
-----------------------------------------------------------------------------
Description: When using Gigabit interfaces the reporting graphs will not be
             correct if there is a lot of traffic on this interface.
Workaround: This issue has been fixed in V6.
Fix: ---

ID1773 5.023 NTLM authentication can crash Domain Controller
------------------------------------------------------------
Description: Wording in WebAdmin may be misleading. Please do not try to
             enter a hostname of an existing host, especially a domain
             controller
Workaround: ---
Fix: ---

ID1469 5.000 Outlook Express 6 does not handle SMTP errors correctly
--------------------------------------------------------------------
Description: When delivering mails with Outlook Express 6 or higher directly
             to ASL V5, some SMTP error messages may not be handled correctly
Workaround: ---
Fix: ---

ID1467 5.000 Browser Issues with Mozilla and Firefox
----------------------------------------------------
Description: There are several issues with Mozilla browsers: no blinking
             cursor; some smaller windows/frames may not scroll; on small
             windows, items may overlay
Workaround: ---
Fix: ---

ID0941 5.000 HA connection tracking takeover not active
-------------------------------------------------------
Description: The HA connection tracking takeover feature is currently
             disabled.
Workaround: ---
Fix: ---

Closed Issues
=============

ID3632 5.209 Spamassassin fails while preforking with a syswrite failure
------------------------------------------------------------------------
Description: The Anti-Spam daemon may encounter problems while scanning
             certain emails for spam. This may lead to high system load and
             a non-responsive Anti-Spam daemon.
Workaround: ---
Fix: Fixed in 5.213

ID3750 5.211 Spamassassin may fill up root partition
----------------------------------------------------
Description: When using SpamProtection for SMTP or POP3 the root partition
             may fill up slowly.
Workaround: ---
Fix: Fixed in 5.212

ID1831 5.027 PPPoA daemon not terminated correctly
--------------------------------------------------
Description: When reconnecting a PPPoA connection the PPP daemon might not be
             terminated correctly and thus the reconnect may not work.
Workaround: ---
Fix: Fixed in 5.212

ID3484 5.209 IPSec Client config includes wrong lifetimes
---------------------------------------------------------
Description: IPSec-Client config may include wrong values for the IPsec and
             IKE SA lifetimes depending on the timezone used.
Workaround: Set timezone to GMT.
Fix: Fixed in 5.210

ID3394 5.206 Maximum concurrent connection limited
--------------------------------------------------
Description: The maximum concurrent connections may drop below the value
             listed in the license agreement after rebooting.
Workaround: ---
Fix: Fixed in 5.209

ID3333 5.208 POP3 Proxy does not work correctly
-----------------------------------------------
Description: While downloading mails with large attachments the POP3 proxy
             may stop working at all. This effect may also occur when using
             POP3 proxy with lots of users.
Workaround: ---
Fix: Fixed in 5.209

ID3299 5.208 Spam report contains email preview
-----------------------------------------------
Description: The spam report header contains an email preview which may lead
             to problems if there are special characters like umlauts in
             this preview. Some mail servers don't accept emails in this
             format.
Workaround: ---
Fix: Fixed in 5.209

ID2835 5.204 Site-2-Site VPN does not work after reconnect
----------------------------------------------------------
Description: When having a Site-2-Site VPN with DSL connections and static
             IPs, the tunnel may shut down without coming up again after a
             DSL reconnect.
Workaround: Restart tunnel manually.
Fix: Fixed in 5.209

ID2270 5.200 Connections lost using passive FTP
-----------------------------------------------
Description: Some clients experience an unexplained connection loss when
             using passive FTP. This is due to the connection tracking
             mechanism being triggered by another event (e.g. PPTP tunnel
             connect/disconnect).
Workaround: ---
Fix: Fixed in 5.208

ID3037 5.206 POP3 Proxy has problems downloading bigger emails
--------------------------------------------------------------
Description: When trying to download bigger emails, POP3 Proxy may run into
             trouble. This may lead to a non-working proxy.
Workaround: ---
Fix: Fixed in 5.207

ID3018 5.000 Problems using PPPoE interfaces with static gateway IP
-------------------------------------------------------------------
Description: When using PPPoE with statically configured IP addresses (at
             least for the gateway), the firewall may not work correctly
             after a DSL reconnect. This mainly affects VPN services.
Workaround: Use 'assign by remote' if possible
Fix: Fixed in 5.207

ID2906 5.206 Hostname has leading @ in IPsec Client config
----------------------------------------------------------
Description: Using a hostname in an IPsec client config may not work due to
             a @ in front of the hostname.
Workaround: ---
Fix: Fixed in 5.207

ID2473 5.202 Greylisting limited to 31999 recipients
----------------------------------------------------
Description: The greylisting database is currently limited to 31999
             recipients. This may not be enough in bigger installations
             (e.g. having many SMTP domains routed through the SMTP proxy).
Workaround: ---
Fix: Fixed in 5.207

ID2451 5.202 Reporting does not count certain surf protection categories
------------------------------------------------------------------------
Description: Some categories in Surf Protection are not counted correctly by
             the reporting subsystem.
Workaround: ---
Fix: Fixed in 5.207

ID2866 5.203 Factory Reset may not work correctly on slow machines
------------------------------------------------------------------
Description: Running factory reset on a slower machine may not finish
             successfully. Before powering off, not all of the initial data
             gets restored and thus the device will not boot up correctly
             afterwards.
Workaround: ---
Fix: Fixed in 5.206

ID2819 5.204 Possible problem when closing POP3 connections
-----------------------------------------------------------
Description: POP3 Proxy doesn't accept QUIT command in authorization state
             if the connection was closed by the remote server.
Workaround: ---
Fix: Fixed in 5.205

ID2787 5.203 Snort may fail to block traffic on web server
----------------------------------------------------------
Description: Snort may fail to block traffic to a web server if HTTP
             pipelining is used.
Workaround: ---
Fix: Fixed in 5.205

ID2732 5.203 Connection to POP3 Server is closed after several NOOPs
--------------------------------------------------------------------
Description: Some POP3 servers close the connection after POP3 Proxy sent
             several NOOPs.
Workaround: ---
Fix: Fixed in 5.205

ID2590 5.203 Domain setting in the SMTP Proxy is case-sensitive.
----------------------------------------------------------------
Description: Adding domain names to SMTP proxy domain lists is
             case-sensitive. Thus capital letters will not work with
             standard email domains.
Workaround: ---
Fix: Fixed in 5.205

ID2280 5.200 Virus Pattern Up2dates latest update shows 1969 on some firewalls
------------------------------------------------------------------------------
Description: Some firewalls are having problems updating the virus pattern
             correctly and show pattern date of 1969. This is because of an
             incomplete run of the pattern update process.
Workaround: Retry pattern update manually in WebAdmin.
Fix: Fixed in 5.203

ID2193 5.200 Selfmonitor improvement for licensing daemon
---------------------------------------------------------
Description: In case the licensing daemon is not running, the firewall will
             not react fast enough to restart the service.
Workaround: ---
Fix: Fixed in 5.203

ID2086 5.103 "Phantom" Interfaces in Network->Accounting after renaming
-----------------------------------------------------------------------
Description: After renaming of an interface the corresponding entry in
             Network->Accounting will not be handled correctly.
Workaround: ---
Fix: Fixed in 5.203

ID2277 5.201 Roadwarrior-Connections with X509 and IPV4 are not working
-----------------------------------------------------------------------
Description: Roadwarrior Clients using X509 Certificates with IP addresses
             as identifier are not able to establish a VPN connection.
Workaround: ---
Fix: Fixed in 5.202

ID2276 5.201 Network and service definitions not saved to disk
--------------------------------------------------------------
Description: Changes in Network and Service definitions will be lost after
             reboot since 5.201.
Workaround: Do not reboot until 5.202 is available
Fix: Fixed in 5.202

ID2144 5.200 "Pattern Up2Date" is incorrectly shown as "not licensed"
---------------------------------------------------------------------
Description: When a license issued after 06 March 2005 is applied to version
             5.200, the "Pattern Up2Date" feature is shown and treated as
             unlicensed even if the license includes a "Maintenance" option.
Workaround: Please contact Support if the problem persists
Fix: Fixed in 5.201

ID2126 5.200 License graph not updating in Reporting
----------------------------------------------------
Description: License graphs in Reporting are not updated. This issue only
             affects non-enterprise licenses.
Workaround: ---
Fix: Fixed in 5.201

ID2073 5.103 Adding a network group to itself causes trouble
------------------------------------------------------------
Description: When adding a network group to itself, the system's
             configuration daemon may fail to work.
Workaround: ---
Fix: Fixed in 5.201

ID2056 5.102 DNS hostnames with a single character are not allowed
------------------------------------------------------------------
Description: Adding a DNS hostname definition like x.abc.com does not work.
Workaround: ---
Fix: Fixed in 5.201

ID1863 5.027 Backup may not contain storage.xml file
----------------------------------------------------
Description: Some backup files do not contain the storage.xml file - an
             important part of the configuration. Restoring such a backup
             will result in an unstable/not-working system.
Workaround: Try re-creating the backup.
Fix: Fixed in 5.201

ID1275 5.011 Proxy Content Manager hangs on large e-mails
---------------------------------------------------------
Description: Having a lot of large e-mails in Proxy Content Manager causes
             100% CPU load and may break WebAdmin.
Workaround: ---
Fix: Fixed in 5.201

ID2059 5.103 ASL sends notification but everything seems to be ok
-----------------------------------------------------------------
Description: Notifications from other firewalls may cause false positive
             notifications of the forwarding system. This only happens when
             these notifications are blocked by SMTP expression filter.
Workaround: ---
Fix: Fixed in 5.200

ID2036 5.102 Virus Scanner Test-Restart may take some time
----------------------------------------------------------
Description: After installing new AV pattern, the virusscanner checks if
             they are ok. In some cases, that check needs up to ~3 min to
             complete. While checking, no scanning is possible.
Workaround: ---
Fix: Fixed in 5.200

ID2032 5.102 Data table in executive report is one huge line
------------------------------------------------------------
Description: Some mail clients break the executive report, because of HTML
             lines which are too long. This may result in 'black boxes' or
             HTML code showing up in the reports.
Workaround: ---
Fix: Fixed in 5.200

ID2030 5.102 Spelling incompatibility in bandwidth monitoring settings
----------------------------------------------------------------------
Description: Bandwidth monitoring may not work correctly, because of a
             configfile typo in 5.103. Not changing the settings will keep
             the system running.
Workaround: Do not edit bandwidth monitoring settings
Fix: Fixed in 5.200

ID2024 5.102 BATV does not work for capital letters
---------------------------------------------------
Description: Sender addresses using capital letters will fail BATV signature
             check.
Workaround: Make sure sender addresses use lowercase letters
Fix: Fixed in 5.200

ID1989 5.100 Recipient-Verification does not work on Bounces
------------------------------------------------------------
Description: When Recipient-Verification is on then bounces to unknown
             recipients are not rejected but remain in the
             ProxyContentManager
Workaround: ---
Fix: Fixed in 5.200

ID1947 5.026 Password with $ in lilo
------------------------------------
Description: When using a '$' sign in bootmanager (lilo) password, kernel
             Up2dates may not apply.
Workaround: Reset passwords via System->Settings
Fix: Fixed in 5.200

ID1942 5.100 Tables in Executive Reports are not updating
---------------------------------------------------------
Description: The executive report tables are not updated in current version
Workaround: ---
Fix: Fixed in 5.200

ID1925 5.100 MaxReceipients for SMTP connections limited to 1
-------------------------------------------------------------
Description: Even if BATV is not used, maxreceipients is limited to 1 for
             internal transports.
Workaround: ---
Fix: Fixed in 5.200

ID1840 5.027 Up2Date installation fails if package download is still in progress
--------------------------------------------------------------------------------
Description: If a package is downloaded, it's already displayed in WebAdmin.
             Clicking install will not work before the description file is
             viewable.
Workaround: ---
Fix: Fixed in 5.200

ID1725 5.023 Squid Icons for FTP pages do not work
--------------------------------------------------
Description: When using HTTP Proxy for FTP connections, the FTP server icons
             are not shown.
Workaround: ---
Fix: Fixed in 5.200

ID1992 5.101 Reporting interface graphs missing
-----------------------------------------------
Description: The reporting graphs and executive reports don't work.
Workaround: ---
Fix: Fixed in 5.103

ID2006 5.101 Runaway HTTP proxy uses up all 99,9% CPU
-----------------------------------------------------
Description: On very fast machines the HTTP proxy may stop working and
             consume 99,9% of CPU time if Surf Protection is enabled and a
             lot of pages are blocked. Please contact the Astaro support
             organisation in this case.
Fix: Fixed in 5.102

ID1924 5.100 Changing a network definition will not affect SMTP Routing Targets
-------------------------------------------------------------------------------
Description: When editing network definitions, the corresponding entries in
             SMTP Proxy->Routing Target will not be updated automatically
Workaround: Update the entries manually
Fix: Fixed in 5.101

ID1914 5.100 SMTP sender blacklist groups do not work correctly
---------------------------------------------------------------
Description: When using multiple domain groups with one single profile, the
             sender blacklists will only be used for the first domain group
Workaround: ---
Fix: Fixed in 5.101

ID1715 5.023 Proxy authentication fails if the startsite is a https URL
-----------------------------------------------------------------------
Description: HTTPS site as startsite in Internet Explorer may not work when
             starting Internet Explorer (first connect)
Workaround: Click reload to see the site
Fix: Fixed in 5.101

ID1695 5.023 PDF Files not shown in browser while VP is enabled
---------------------------------------------------------------
Description: When using Virus Protection with HTTP Proxy, PDF files may not
             be displayed in the browser window
Workaround: ---
Fix: Fixed in 5.101

ID1551 5.021 HA Takeover event will not appear in reporting
-----------------------------------------------------------
Description: HA failover events will not appear in reporting. Counter will
             stay at 0.
Workaround: ---
Fix: Fixed in 5.100

ID1538 5.019 Backupconverter does not set IPSec Auto-Packetfilters correctly
----------------------------------------------------------------------------
Description: When importing a V4 backup, the autopacketfilters for each
             connection won't be set correctly
Workaround: Edit your connections, enable autopacketfilter and save
Fix: Fixed in 5.100

ID1468 5.000 SysKonnect NICs not supported by kernel
----------------------------------------------------
Description: Although there is a driver module, we experienced several
             problems with the SysKonnect cards. We do not recommend using
             those cards until an Up2Date is available
Workaround: ---
Fix: Fixed in 5.100

ID1433 5.016 HA linkbeat check does not support Intel and gigabit NICs
----------------------------------------------------------------------
Description: Intel e100/e1000 and some other gigabit NICs are not supported
             by the linkbeat check.
Workaround: ---
Fix: Fixed in 5.100

ID1229 5.010 Peaks in network graphs after reboot
-------------------------------------------------
Description: In the graphs of the Reporting->Network section there are
             peaks/spikes after rebooting
Workaround: ---
Fix: Fixed in 5.100

ID1764 5.025 PPTP server gives out information about its version
----------------------------------------------------------------
Description: When scanning ASL with a security scanner like nessus, the PPTP
             server tells about its name and OS version, which may help a
             potential attacker as well as cause some false positives
Workaround: ---
Fix: Fixed in 5.027

ID1746 5.024 Spam Score visible in the body of an email
-------------------------------------------------------
Description: Some emails scanned by the contentfilter may have a part of the
             spam-scan results in the body of the email
Workaround: ---
Fix: Fixed in 5.027

ID1740 5.023 Some websites not reachable via PPTP
-------------------------------------------------
Description: Some websites may not be reachable when surfing via a PPTP
             tunnel. This might be caused by large packets sent by the
             servers with the 'Don't fragment' flag
Workaround: ---
Fix: Fixed in 5.027

ID1144 5.008 IP address of HA slave is always 0.0.0.0
-----------------------------------------------------
Description: In the HA options the IP for a current connected slave is
             always shown as 0.0.0.0
Workaround: ---
Fix: Fixed in 5.027

ID1120 5.008 Dynamic packet filter rules do not work correctly
--------------------------------------------------------------
Description: For new network groups and IPSec/PPTP/L2TP users the dynamic
             packetfilters may not work
Workaround: ---
Fix: Fixed in 5.027

ID1756 5.024 Packetfilterrules may not be set correctly after MiddleWare restart
--------------------------------------------------------------------------------
Description: After restarting the MiddleWare (e.g. after applying an
             Up2Date) some packetfilter rules might be missing
Workaround: ---
Fix: Fixed in 5.026

ID1607 5.022 HTTP Virus Scanning fails Windows Update
-----------------------------------------------------
Description: Microsoft Windows Update will not work correctly through HTTP
             Proxy with virus scanning
Workaround: add microsoft.com to the whitelist domains
Fix: Fixed in 5.026

ID1552 5.021 FTP with username and password not working
-------------------------------------------------------
Description: When using HTTP Proxy for FTP as well, requests with username
             and password will not pass through
Workaround: bypass HTTP Proxy
Fix: Fixed in 5.026

ID1442 5.017 Virtual IP addresses don't work in mixed L2TP/non-L2TP environments
--------------------------------------------------------------------------------
Description: Connecting with normal IPSec roadwarriors and virtual IPs does
             not work when using virtual IPs for L2TP connections
Workaround: ---
Fix: Fixed in 5.026

ID1696 5.023 Internet Explorer can not open HA Livelog
------------------------------------------------------
Description: High-Availability live log can not be opened when using any
             version of Internet Explorer
Workaround: use Mozilla
Fix: Fixed in 5.025

ID1703 5.023 HTTP Proxy does not work with IE6 on Windows NT 4.0 SP6a
---------------------------------------------------------------------
Description: Using Internet Explorer 6 on Windows NT 4.0 and HTTP Proxy with
             User authentication may not work
Workaround: Please apply latest patches for Internet Explorer
Fix: Fixed in 5.024

ID1673 5.022 Selfmonitor restarts POP3 Proxy very often
-------------------------------------------------------
Description: The transparent POP3 Proxy is restarted very often by the
             Selfmonitor
Workaround: ---
Fix: Fixed in 5.024

ID1399 5.013 Selecting English (UK) during installation causes failure
----------------------------------------------------------------------
Description: Installation can not complete, if English (UK) is selected as
             keyboard layout.
Workaround: Select English (US)
Fix: Fixed in 5.024

ID1092 5.007 USB keyboards not working
--------------------------------------
Description: There is no support for USB keyboards included
Workaround: Use PS/2 if possible
Fix: Fixed in 5.024

ID0938 5.001 Middleware restarts when applying new Intrusion Protection pattern
-------------------------------------------------------------------------------
Description: When updating Intrusion Protection pattern, MiddleWare needs to
             restart which results in loss of connectivity for one or more
             minutes
Workaround: ---
Fix: Fixed in 5.024

ID1564 5.022 HTTP uploads limited to 1 MB
-----------------------------------------
Description: HTTP Uploads are currently limited to 1 MB when using the HTTP
             Proxy
Workaround: ---
Fix: Fixed in 5.023

ID1557 5.021 Uplink failover may not work correctly
---------------------------------------------------
Description: When disabling Packetfilter->ICMP->ICMP from Firewall the
             Uplink failover feature does not work
Workaround: (Re-)enable ICMP from Firewall
Fix: Fixed in 5.023

ID1496 5.019 High Availability logs have wrong timestamp in WebAdmin
--------------------------------------------------------------------
Description: The HA logfiles all have the same timestamp in WebAdmin
             (current date)
Workaround: ---
Fix: Fixed in 5.023

ID1491 5.019 Wrong formatting in Proxy Content Manager
------------------------------------------------------
Description: Some emails may not be shown correctly in Proxy Content Manager
             when using Mozilla/Firefox
Workaround: ---
Fix: Fixed in 5.023

ID1482 5.019 Dead IPSec roadwarrior connections remain in system
----------------------------------------------------------------
Description: When roadwarrior connections are not terminated cleanly they
             may remain in the system until IPsec gets restarted
Workaround: Restart IPsec
Fix: Fixed in 5.023

ID1463 5.017 Check for renaming Network Definitions is incomplete
-----------------------------------------------------------------
Description: When renaming a network definition to an already existing name,
             the system reports an error, but some entries (e.g.
             masquerading) are still updated.
Workaround: ---
Fix: Fixed in 5.023

ID1556 5.021 HTTPS / SSL vulnerable to DoS attack (CAN-2004-0748)
-----------------------------------------------------------------
Description: HTTPS (WebAdmin) is vulnerable to a DoS attack
             See also: http://rhn.redhat.com/errata/RHSA-2004-349.html
Workaround: Make sure 'Allowed Networks' for WebAdmin only contain trusted
            hosts/networks
Fix: Fixed in 5.022

ID1533 5.020 IPS Pattern update fails with valid license
--------------------------------------------------------
Description: Starting an Up2Date for both AntiVirus and Intrusion Protection
             pattern will only update the Antivirus pattern
Workaround: Update Intrusion Protection pattern separately
Fix: Fixed in 5.021

ID1532 5.020 Notifications about exceeding 100% user count
----------------------------------------------------------
Description: Due to a backend problem, some installations may send out
             notifications about exceeding user count - even with unlimited
             license
Workaround: --- (ignore these notifications)
Fix: Fixed in 5.021

ID1479 5.018 Changing Interface definition does not work
--------------------------------------------------------
Description: Editing existing interface options is not possible
Workaround: ---
Fix: Fixed in 5.019

ID1410 5.015 Blocked HTTP pages are not transferred via remote syslog
---------------------------------------------------------------------
Description: It is not possible to select http_block.log for remote syslog
Workaround: ---
Fix: Fixed in 5.019

ID1405 5.015 Selfmonitor does not send notifications
----------------------------------------------------
Description: The selfmonitoring daemon does not send notifications after any
             action
Workaround: ---
Fix: Fixed in 5.019

ID1417 5.016 Block embedded objects and JavaScript is not working in all cases
------------------------------------------------------------------------------
Description: JavaScript removal does not work, if 'Block Embedded Objects'
             is enabled, too
Workaround: Disable enabled object blocker
Fix: Fixed in 5.018

ID1416 5.016 Connection Tracking Helper for FTP may not get loaded
------------------------------------------------------------------
Description: Advanced Packetfilter feature Connection Tracking Helper for
             FTP may not get loaded when enabled.
Workaround: Reboot
Fix: Fixed in 5.018

ID1407 5.016 Identical SMTP Proxy options have different names
--------------------------------------------------------------
Description: 'Pass' and 'Warn' are actually the same and should be renamed
             to avoid confusion
Workaround: ---
Fix: Fixed in 5.018

ID1402 5.015 POP3 Spam Average is incorrect under certain circumstances
-----------------------------------------------------------------------
Description: For some spamscores the average is not calculated correctly
Workaround: ---
Fix: Fixed in 5.018

ID1384 5.015 Kernel log fills up when using sundance driver module
------------------------------------------------------------------
Description: The sundance driver (e.g. used for D-Link 580TX) produces lots
             of kernel messages and fills up kernel log/harddrive.
Workaround: ---
Fix: Fixed in 5.018

ID1379 5.015 HTTP Usage Report -> Accessed Sites do not map to user names
-------------------------------------------------------------------------
Description: Due to a technical limitation username mapping is not possible
             at the moment
Workaround: ---
Fix: Fixed in 5.018

ID1359 5.014 User definition can be accidentally deleted
--------------------------------------------------------
Description: Clicking the name and the password file followed by 'Save'
             without changing anything can delete the account
Workaround: ---
Fix: Fixed in 5.018

ID1351 5.013 FTP downloads with IE may show XML content in browser
------------------------------------------------------------------
Description: Some FTP downloads via Internet Explorer may not work and show
             XML content instead
Workaround: Whitelist affected servers/domains
Fix: Fixed in 5.018

ID1334 5.012 Changing interface name may lead to unresolved items
-----------------------------------------------------------------
Description: When changing the name of an interface, the interface
             definitions in Definitions->Networks may not work
Workaround: Rename back
Fix: Fixed in 5.018

ID1321 5.012 Webadmin can be set to operate on already used ports
-----------------------------------------------------------------
Description: A few ports in the system are not allowed for webadmin usage,
             but not blocked
Workaround: ---
Fix: Fixed in 5.018

ID1207 5.010 HTTP Proxy Contentfilter needs anonymity level 'None'
------------------------------------------------------------------
Description: When setting the anonymity level for the HTTP Proxy to
             'Standard' or 'Paranoid', the contentfiltering does not work
             correctly.
Workaround: Set anonymity level to 'None'
Fix: Fixed in 5.018

ID1187 5.009 SSH Accession can not handle V5 certificates
---------------------------------------------------------
Description: Certificates generated with ASL's CA Management will not work
             with SSH Accession.
Workaround: ---
Fix: Fixed in 5.018

ID1182 5.009 Deleting all mails in Proxy Content Manager may not work
---------------------------------------------------------------------
Description: When selecting a large amount of emails in Proxy Content
             Manager, the mails may not get deleted
Workaround: Delete smaller amounts
Fix: Fixed in 5.018

ID1143 5.009 Packetfilter: not possible to drop IGMP multicast packets
----------------------------------------------------------------------
Description: Adding a rule with a multicast address as destination won't
             match traffic on local interfaces
Workaround: ---
Fix: Fixed in 5.018

ID1377 5.015 RBLs not working in ASL V5 Version 5.015
-----------------------------------------------------
Description: The RBLs available in SMTP proxy are not working in Version
             5.015 and 5.016.
Workaround: ---
Fix: Fixed in 5.017

ID1372 5.015 Bootup sequence needs improvement for first boot
-------------------------------------------------------------
Description: After first bootup the antivirus scanner is not started
             correctly and does not work.
Workaround: Reboot or apply an Up2Date.
Fix: Fixed in 5.017

ID1361 5.017 System hangs after removing all allowed networks for SNMP
----------------------------------------------------------------------
Description: When using SNMP and removing all items from the allowed
             networks list, the system may hang
Workaround: Reboot
Fix: Fixed in 5.017

ID1270 5.012 Up2Date Parent Proxy feature may not work correctly
----------------------------------------------------------------
Description: Using a parent proxy for Up2Date may not work correctly without
             authentication.
Workaround: ---
Fix: Fixed in 5.017

ID1220 5.010 Static IPs for PPPoE interfaces may cause trouble
--------------------------------------------------------------
Description: Using static definitions for PPPoE interfaces may cause
             problems e.g. when using masquerading.
Workaround: Use dynamic IP assignment, if possible
Fix: Fixed in 5.017

ID1066 5.000 Radius for PPTP may not work with all radius servers
-----------------------------------------------------------------
Description: Some radius servers which worked with ASL V4 and PPTP do not work correctly with ASL V5 and PPTP.
Workaround: ---
Fix: Fixed in 5.017

ID1314 5.012 POP3 Proxy timed out if there are two headers in the email
-----------------------------------------------------------------------
Description: Zero length messages (empty mailbox entries) stop the download process from finishing.
Workaround: ---
Fix: Fixed in 5.016

ID1153 5.009 POP3 Proxy gives '-ERR proxy error' on special mails
-----------------------------------------------------------------
Description: Heavily malformed messages may cause POP3 Proxy to stall.
Workaround: ---
Fix: Fixed in 5.016

ID1343 5.013 'Authentication Methods' and 'Profile Assignment via' problem
--------------------------------------------------------------------------
Description: If you select an Authentication Method (LDAP for instance), you can not select that method in 'Profile Assignment via'. It just disappears.
Workaround: ---
Fix: Fixed in 5.014

ID1340 5.013 POP3: missing iptables rules if destination network is !Any
------------------------------------------------------------------------
Description: If one provides a host or a network range as destination in the POP3 proxy settings, ASL creates neither redirection nor AUTO_OUTPUT rules. Definition 'Any' is operational.
Workaround: ---
Fix: Fixed in 5.014

ID1339 5.013 Downloaded files from firewall containing HTML code
----------------------------------------------------------------
Description: Files downloaded from the firewall contain HTML code at the end of the file.
Workaround: ---
Fix: Fixed in 5.014

ID1305 5.012 After 1-3 hours of http usage, SP stops working
------------------------------------------------------------
Description: After ~1-3 hours of http usage, SP stops working. The process is still running, but SP does not respond to requests. Because of this, http proxy is not working.
Workaround: ---
Fix: Fixed in 5.014

ID1171 5.009 HTTP Proxy - https does not work with SP enabled (Ebay)
--------------------------------------------------------------------
Description: Some HTTPS Pages do not work with Surf Protection enabled.
Workaround: ---
Fix: Fixed in 5.014

ID1169 5.009 HTTPS pages don't work over HTTP proxy with content scanning
-------------------------------------------------------------------------
Description: Some HTTPS Pages do not work with Surf Protection enabled.
Workaround: ---
Fix: Fixed in 5.014

ID1296 5.011 Packetfilterrule for SMTP Authentication missing
-------------------------------------------------------------
Description: When using SMTP authentication without having any incoming domains defined, there is no packetfilterrule allowing the users to connect to the SMTP Proxy.
Workaround: Add an incoming domain
Fix: Fixed in 5.013

ID1283 5.011 Network groups for SNMP not working
------------------------------------------------
Description: Adding a network group to SNMP allowed networks may lead to loss of connectivity.
Workaround: Remove the group
Fix: Fixed in 5.013

ID1268 5.011 Remote Logging to SMB-Share may not work correctly
---------------------------------------------------------------
Description: Some SMB shares still need port 139, which is not allowed by default.
Workaround: Add a packetfilterrule allowing port 139
Fix: Fixed in 5.013

ID1264 5.011 Surfprotection profile can be accidentally removed
---------------------------------------------------------------
Description: Clicking 'Save' in the SurfProtection profile editor without any change deletes the profile.
Workaround: Import a backup
Fix: Fixed in 5.013

ID1262 5.011 IPsec section may not restart correctly
----------------------------------------------------
Description: Disabling and reenabling the IPsec module may not work correctly.
Workaround: Wait some seconds before reenabling
Fix: Fixed in 5.013

ID1245 5.011 PPPoA Interface may not be able to establish connection
--------------------------------------------------------------------
Description: Some PPPoA connections do not work correctly.
Workaround: ---
Fix: Fixed in 5.013

ID1235 5.011 False alerts on loopback traffic ('BAD-TRAFFIC same SRC/DST')
--------------------------------------------------------------------------
Description: Heavy traffic on the loopback interface may cause false alerts from the Intrusion Prevention system.
Workaround: ---
Fix: Fixed in 5.013

ID1189 5.010 Listbox element order can not be changed
-----------------------------------------------------
Description: Listbox elements, e.g. for UserAuthentication, can not be sorted in any order. This might be important for selecting a preference order.
Workaround: ---
Fix: Fixed in 5.013

ID1157 5.009 NAT for local connections does not work
----------------------------------------------------
Description: Connections from localhost to localhost do not work when they get natted. Most popular example: Webserver in DMZ, External interface has a DNAT to this server and access from local network fails.
Workaround: ---
Fix: Fixed in 5.013

ID1069 5.000 NAT-Traversal does not work with Sentinel 1.4
----------------------------------------------------------
Description: Older Sentinel versions do not work correctly with ASL V5 and NAT-Traversal.
Workaround: Update to Sentinel 1.4.1
Fix: Fixed in 5.013

ID1217 5.010 Selfmonitoring does not check DNS proxy
----------------------------------------------------
Description: DNS proxy is not monitored by Selfmonitoring, so there will be no restart of this service if this proxy fails.
Workaround: ---
Fix: Fixed in 5.011

ID1211 5.010 POP3 File Extension / Expression filter does not work
------------------------------------------------------------------
Description: The File Extension and the Expression filters are not filtering mails matching the expressions.
Workaround: ---
Fix: Fixed in 5.011

ID1204 5.010 Uplink Failover ignores editing the 'Check IP'
-----------------------------------------------------------
Description: After setting the Check IP once, editing is possible, but will be ignored in the backend.
Workaround: ---
Fix: Fixed in 5.011

ID1200 5.010 Network definitions may not be edited/deleted
----------------------------------------------------------
Description: Network definitions like 'Host (dummy' may not be edited or deleted.
Workaround: Use another definition
Fix: Fixed in 5.011

ID1198 5.010 Periodic services may not work after updating
----------------------------------------------------------
Description: After updating the firewall, periodically executed services like pattern updating may not work correctly.
Workaround: Reboot
Fix: Fixed in 5.011

ID1195 5.010 User Authentication does not work with all passwords
-----------------------------------------------------------------
Description: When entering a password for a local user in WebAdmin, a digest is generated. Some digests may contain a character which is not readable for the authentication service.
Workaround: Reset the password
Fix: Fixed in 5.011

ID1109 5.005 Possibility to bypass Contentfilter/HTTP Proxy needed
------------------------------------------------------------------
Description: Some sites, for example, send broken HTTP headers or may be blocked due to false positives by the Virus Protection. For trusted sites, there needs to be the possibility to bypass the checks.
Workaround: ---
Fix: Fixed in 5.011

ID1090 5.000 RSA connections may fail when using X.509 and RSA keys
-------------------------------------------------------------------
Description: IPsec connections using RSA keys may fail when using X.509 keys besides the RSA keys.
Workaround: Make sure there is at least one RSA connection above the first X.509 connection (alphabetical order).
Fix: Fixed in 5.011

ID1046 5.006 Importing a V4 backup causes packetfilter issues
-------------------------------------------------------------
Description: After importing a V4 backup, all packetfilter rules are displayed with priority '0' (zero).
Workaround: Edit and save a rule, priority should be like in V4 afterwards.
Fix: Fixed in 5.011

ID1039 5.004 Configuring Contentfilter related parts
----------------------------------------------------
Description: When configuring Contentfilter in WebAdmin (HTTP/SMTP/POP3 Proxy) the services need some time to restart. This also depends on CPU speed.
Workaround: Wait some seconds
Fix: Fixed in 5.011

ID1021 5.004 Importing a V5 backup deletes IPsec policy MS_DEFAULT
------------------------------------------------------------------
Description: After importing a V4 backup, the MS_DEFAULT policy for IPsec is overwritten. This policy is needed for L2TP connections.
Workaround: Re-add the policy manually
Fix: Fixed in 5.011

ID1173 5.007 Surf Protection configuration not tolerating config errors
-----------------------------------------------------------------------
Description: Surf Protection is not as fault tolerant as it should be.
  - in Standard mode there must not be a user configured
  - in UserAuth mode there must be a network configured
Workaround: Make sure config is correct
Fix: Fixed in 5.010

ID1152 5.009 Possible issues with FTP over HTTP Proxy
-----------------------------------------------------
Description: There might be some problems using FTP via the HTTP Proxy/Contentfilter when using User Authentication or after changing the squid port in WebAdmin.
Workaround: ---
Fix: Fixed in 5.010

ID1119 5.007 In some cases the Contentfilter reduces download sizes
-------------------------------------------------------------------
Description: Especially when using Internet Explorer, there might be some problems with the size of the downloaded files.
Workaround: ---
Fix: Fixed in 5.010

ID1104 5.008 Config download for IPsec roadwarriors may be unavailable
----------------------------------------------------------------------
Description: The config generated for IPsec roadwarrior clients may get deleted, downloading is no longer possible.
Workaround: ---
Fix: Fixed in 5.010

ID1095 5.007 Dell Perc4 RAID controller not detected by installer
-----------------------------------------------------------------
Description: The Perc4 RAID controller used in some Dell servers is not detected by the installer.
Workaround: ---
Fix: Fixed in 5.010

ID1094 5.007 HTTP proxy with Virus Protection forgets file extension
--------------------------------------------------------------------
Description: We know about many Internet Explorer versions not saving the file extension (e.g. .exe) correctly when surfing via HTTP proxy with Virus Protection enabled.
Workaround: Rename the file and add the extension
Fix: Fixed in 5.010

ID1093 5.007 Reset licensed users (IPs) listing does not work
-------------------------------------------------------------
Description: Pressing the 'Reset Users' button in WebAdmin has no effect.
Workaround: ---
Fix: Fixed in 5.010

ID1084 5.005 HTTP Proxy/UserAuth - first profile always matching
----------------------------------------------------------------
Description: When using HTTP Proxy with User Authentication, all users will match the first profile configured.
Workaround: ---
Fix: Fixed in 5.010

ID1076 5.007 LDAP auth doesn't work if user is nested in several OUs
--------------------------------------------------------------------
Description: Users located in a deeper OU structure of the LDAP server can not authenticate correctly against the firewall.
Workaround: ---
Fix: Fixed in 5.010

ID1071 5.006 HTTP Proxy - blacklist has higher priority than whitelist
----------------------------------------------------------------------
Description: Within the contentfilter profiles, the blacklists have a higher priority than the whitelists. So adding a few sites to the whitelist while blocking all others does not work.
Workaround: ---
Fix: Fixed in 5.010

ID1053 5.006 HTTP Proxy/Contentfilter download bar not showing 100%
-------------------------------------------------------------------
Description: When downloading a file via HTTP Proxy/Contentfilter the progressbar may not show 100%. This is a cosmetic issue - the file gets downloaded and scanned completely.
Workaround: ---
Fix: Fixed in 5.010

ID1052 5.006 HTTP Proxy - changing default port affects target services
-----------------------------------------------------------------------
Description: After changing the default port for HTTP Proxy, the 'Squid' service in 'Allowed Target Services' gets changed as well.
Workaround: Add a new service definition with squid port to 'Allowed Target Services'
Fix: Fixed in 5.010

ID0921 5.000 Local and radius users with . (dot) inside are not working
------------------------------------------------------------------------
Description: Handling of locally created users as well as radius users containing a dot in their username is not correct and thus does not work correctly.
Workaround: Either do not use the dot or use SAM/LDAP if possible.
Fix: Fixed in 5.010

ID1129 5.008 Can't add static mappings to DHCP config
-----------------------------------------------------
Description: DHCP-Server settings do not allow adding new static mappings. When disabling the DHCP-Server interface, all DHCP related settings are lost.
Workaround: ---
Fix: Fixed in 5.009

ID1117 5.008 Downloading files from WebAdmin may not work
---------------------------------------------------------
Description: Downloading files like backups, VPN-keys or logfiles may not work correctly.
Workaround: ---
Fix: Fixed in 5.009

ID1080 5.007 Possible to upload two signing CAs
-----------------------------------------------
Description: In IPsec->CA-Management it was possible to upload more than one CA for signing. Only the last one was used.
Workaround: Delete the signing CA before uploading a new one.
Fix: Fixed in 5.009

ID1037 5.004 Licensed Users (IPs) shows ASLs' interface IPs
-----------------------------------------------------------
Description: The IPs counted for the licensed users may include external IPs as well as local interfaces.
Workaround: ---
Fix: Fixed in 5.009

ID1043 5.004 Dyndns username not editable
-----------------------------------------
Description: In some configurations, the dyndns-username is not editable.
Workaround: ---
Fix: Fixed in 5.008

ID1029 5.004 WebAdmin timesettings do not match system time
-----------------------------------------------------------
Description: Time in WebAdmin may differ from local system time.
Workaround: ---
Fix: Fixed in 5.008

ID1024 5.004 More information needed when deleting interfaces
-------------------------------------------------------------
Description: When trying to delete an interface which is still used, the error does not show where this interface is used.
Workaround: Search manually
Fix: Fixed in 5.008

ID1058 5.006 HTTP Proxy with Surfprotection blocks sites ( '.' )
----------------------------------------------------------------
Description: After configuring SurfProtection, all sites are getting blocked by the profile '.'. This means the requests are getting blocked by the default drop profile.
Workaround: Review your profile settings.
Fix: Fixed in 5.007

ID1055 5.006 HTTP Proxy (squid) is running out of filedescriptors
-----------------------------------------------------------------
Description: For larger installations, you might see a warning in squid-log stating that squid is running out of filedescriptors.
Workaround: ---
Fix: Fixed in 5.007

ID1018 5.004 XML-Content displayed in Internet Explorer
-------------------------------------------------------
Description: When downloading a file via Internet Explorer with SurfProtection turned on, XML content may be displayed instead of a progress bar.
Workaround: Use Mozilla.
Fix: Fixed in 5.007

ID1003 5.003 Pattern Up2Date does not work in some config conditions
--------------------------------------------------------------------
Description: For some config conditions, Pattern Up2Date will fail.
Workaround: ---
Fix: Fixed in 5.006

ID0999 5.004 WebAdmin does not support special characters
---------------------------------------------------------
Description: Special characters are not supported and may break the configuration.
Workaround: ---
Fix: Fixed in 5.005

ID0998 5.004 POP3 does not move fetched emails into quarantine
--------------------------------------------------------------
Description: Emails fetched by POP3 Proxy and moved to quarantine are not shown in WebAdmin.
Workaround: ---
Fix: Fixed in 5.005

ID0996 5.003 SurfProtection license expires May 6th, 2004
---------------------------------------------------------
Description: SurfProtection will stop working on May 6th, 2004.
Workaround: ---
Fix: Fixed in 5.005

ID0946 5.000 Contentfilter does not support special characters
--------------------------------------------------------------
Description: Entering special characters in HTTP/POP3 Proxy causes the Contentfilter to stop working.
Workaround: Do not use special characters
Fix: Fixed in 5.005

ID0940 5.000 Older videocards may not support framebuffer/bootsplash
--------------------------------------------------------------------
Description: Some older videocards do not support framebuffer mode with 1024x768 pixels.
Workaround: Use the 'nosplash' boot option
Fix: Fixed in 5.005

ID0918 5.000 Reporting->Administration->Config changes does not work
--------------------------------------------------------------------
Description: The config changes are not counted for the reports.
Workaround: ---
Fix: Fixed in 5.005

ID0912 5.000 Interfaces names in Reporting->Networks missing
------------------------------------------------------------
Description: The reporting graphs only show the hardware names, but not the symbolic names.
Workaround: ---
Fix: Fixed in 5.005

ID0995 5.003 Kaspersky Antivirus scanner key expires on April 30th, 04
----------------------------------------------------------------------
Description: The license for the antivirus scan engine expires on April 30th, 2004. After this date, scanning does not work.
Workaround: ---
Fix: Fixed in 5.004

ID0964 5.000 Importing a V4 backup with two default gateways fails
------------------------------------------------------------------
Description: Importing older backups with more than one default gateway failed completely.
Workaround: Limit the number of default gateways to 1
Fix: Fixed in 5.003

ID0958 5.001 DHCP client does not work after booting up
-------------------------------------------------------
Description: After rebooting the system, the DHCP client won't work correctly.
Workaround: Disable/Enable the interface in WebAdmin
Fix: Fixed in 5.002

ID0956 5.001 DSL reconnect does not work correctly
--------------------------------------------------
Description: Automatic reconnecting after 24 hours for PPPoE lines does not work correctly.
Workaround: ---
Fix: Fixed in 5.002

ID0952 5.001 POP3 mail retrieving/deleting with Outlook Express 6
-----------------------------------------------------------------
Description: Retrieving emails with larger attachments via POP3 Proxy or deleting emails via Outlook Express 6 does not work correctly.
Workaround: ---
Fix: Fixed in 5.002

ID0932 5.001 WebAdmin clock always shows GMT
--------------------------------------------
Description: The clock in WebAdmin always shows GMT, even if another timezone has been configured.
Workaround: ---
Fix: Fixed in 5.002

ID0910 5.000 HTTP proxy restarts too often
------------------------------------------
Description: When making changes in WebAdmin, the HTTP proxy gets restarted quite often, which results in loss of HTTP connectivity.
Workaround: ---
Fix: Fixed in 5.002

ID0875 5.000 WebAdmin needs a lot of RAM for large packetfilter rulesets
------------------------------------------------------------------------
Description: For very large packetfilter rulesets, WebAdmin needs too much RAM.
Workaround: ---
Fix: Fixed in 5.002

ID0916 5.000 Accounting not working properly
--------------------------------------------
Description: Accounting does not collect data for reports.
Workaround: ---
Fix: Fixed in 5.001

ID0911 5.000 Traffic on VLAN interfaces not reported
----------------------------------------------------
Description: Traffic statistics on VLAN interfaces are collected, but not shown in Reporting->Networks.
Workaround: ---
Fix: Fixed in 5.001

ID0905 5.000 Broken SMTP messages - Spam header is seen in email body
---------------------------------------------------------------------
Description: Some SMTP messages may contain a part of the spam header in the email body.
Workaround: ---
Fix: Fixed in 5.001

ID0892 5.000 POP3 proxy blocks all messages
-------------------------------------------
Description: Due to a missing file, POP3 proxy did not work as expected.
Workaround: ---
Fix: Fixed in 5.001

ID0882 5.000 User authentication page may be blank
--------------------------------------------------
Description: After editing settings in the 'User Authentication' menu or importing a backup, the page stays blank.
Workaround: ---
Fix: Fixed in 5.001