# LIST OF KNOWN ISSUES FOR ASTARO SECURITY GATEWAY V6 # ==================================================== # The purpose of this list is to give you an overview of known issues and # possible workarounds, as well as known problems in other software being # used in connection with Astaro Security Gateway V6 # The ID denotes the internal Astaro bugtracking ID and will be shown in the # description of an Up2Date if the issue is fixed. # # We would appreciate if you contribute to this list and would give us # feedback in this respect. # For further infos please contact: knownissues@astaro.com # # Last edit: # $Id: Known_Issues-ASL-V6.txt,v 1.78 2007/11/27 11:18:37 mgehrlein Exp $ Open Issues =========== ID6624 6.310 Parts of the V6 configuration missing after Upgrade ---------------------------------------------------------------- Description: When updating from V6 to V7 settings for Generic Proxy, Spam Digest and ACC will not be converted. Workaround: Reconfigure the items mentioned above or import an V6 backup directly into V7. Fix: --- ID6603 6.310 Upgrade to V7 not working with encrypted configuration ------------------------------------------------------------------- Description: Having backup encryption turned on in V6 will cause an issue while upgrading the machine to V7 via WebAdmin. In this case the configuration will not be converted. Workaround: Turn off backup encryption before upgrading to V7. Fix: --- ID4284 6.303 SMTP domain groups containing qoutes can not be deleted -------------------------------------------------------------------- Description: Configuring a domain in quote signs at Proxies->SMTP Proxy->Domain Groups leads to a non-deletable entry. Workaround: --- Fix: --- ID4273 6.303 IPSec status may be wrong for PSK connections ---------------------------------------------------------- Description: When having multiple IPSec connections with remote endpoint 'Any' and PSK authentication the IPSec status view in WebAdmin may show wrong information. Some of the tunnels may show the IPSec SA as down (red) although the tunnels are up and running. This is a cosmetical issue for this type of tunnels only. Workaround: --- Fix: --- ID4269 6.303 Linkspeed settings with Intel e100 driver (Appliances only) ------------------------------------------------------------------------ Description: Having a static linkspeed setting on a switch connected to an ASG with an Intel e100 port (e.g. 10MBit-HD) and changing it to something different may not work correctly. Workaround: Set the linkspeed to the same as the switch has. If you change ASG back to autonegotiation you need to reboot. Fix: --- ID4240 6.302 Media Streaming does not work with activated HTTP Proxy -------------------------------------------------------------------- Description: Streaming media does not work through the proxy, as the proxy waits until the transmission is finished, to analyze the content. Workaround: See Knowledgebase article #211385 for examples how to bypass HTTP Proxy with streaming media. Fix: --- ID4227 6.301 Network accounting only supports about 20 hosts/networks --------------------------------------------------------------------- Description: Network accounting currently supports only about 20 host/network definitions in the backend. Also you can enter more than 20 in WebAdmin, the report will not be generated for all selected definitions. Workaround: --- Fix: --- ID4152 6.301 Astaro antivirus pattern not synced between master and slave ------------------------------------------------------------------------- Description: Virus pattern for the Astaro Antivirus scan engine (Authentium) are not synced to the slave in a HA environment. Workaround: --- Fix: --- ID4136 6.301 All Malware is reported as Phishing in reports ----------------------------------------------------------- Description: Due to some changes in the backend filter database, Spyware and other Malware will show up as Phising in the Reporting section. This only affects reporting. Workaround: --- Fix: --- ID3928 6.202 Custom HTML content removal not working like it did in V5 ---------------------------------------------------------------------- Description: The feature for custom HTML removing does not work properly. This mainly affects regular expressions using special characters like '<' or '>'. Workaround: --- Fix: --- ID3840 6.202 Site to Site VPN does not work after reconnect with static IPs on DSL ---------------------------------------------------------------------------------- Description: Having a DSL connection with a static IP as VPN endpoint may cause trouble after the automatic DSL reconnection. After unsuccessful reconnect the tunnel is not usable any longer. This problem may mainly occur on slower systems. Workaround: Restart tunnel manually. Fix: --- ID3786 6.201 PPTP issues related to connection tracking helper module --------------------------------------------------------------------- Description: The PPTP connection tracking module has problems with certain Windows clients either connecting to or through the firewall - depending on the system configuration. Workaround: Try unloading the connection tracking helper for PPTP in the Packetfilter->Advanced section. Fix: --- ID3760 6.201 No autopacketfilterrules IPSec roadwarriors with preshared key --------------------------------------------------------------------------- Description: The autopacketfilter does not work when using IPSec roadwarrior connections with preshared key (PSK). Workaround: Try to use RSA keys or X509 certificates for your connection. Fix: --- ID3743 6.200 MSN messenger blocked by Surf Protection ----------------------------------------------------- Description: Users using MSN messenger through the HTTP Proxy will be blocked if the category "Block Suspicious and Unknown Sites" is selected. Reason is that the requested URL loginnet.passport.com is not listed in the Cobion database. Workaround: Add loginnet.passport.com to the whitelist. Fix: --- ID3742 6.201 2GB File size restriction with http proxy ------------------------------------------------------ Description: Downloading files larger than 2GB through HTTP Proxy does not work. Larger files will not be downloaded. Workaround: --- Fix: --- ID3667 6.100 Automatic Windows Update via HTTP proxy fails ---------------------------------------------------------- Description: Windows Update Service uses the HTTP/1.1 RANGE feature to download software. This feature is not supported in V6 as it depends on other implementations of the HTTP protocol. Workaround: Bypass proxy for Windows Update Service. Fix: --- ID3664 6.100 Large amount of configuration changes indicated in reports ----------------------------------------------------------------------- Description: Using dynamic objects like DNS hostname definitions or autogenerated VPN user definitions may cause a large number of config changes in reporting. This is a normal behaviour. Workaround: --- Fix: --- ID3430 6.000 Upstream Proxy for Pattern Up2Date needs to connect to the Internet -------------------------------------------------------------------------------- Description: When using Upstream Proxy for the Patten Up2Date mechanism, the firewall must be able to resolve DNS names from public DNS servers and reach the Up2Date servers via netselect (UDP Port 33000-34000 and ICMP). Workaround: --- Fix: --- ID3410 6.100 Downloading files via Internet Explorer may not work correctly --------------------------------------------------------------------------- Description: When using Internet Explorer and clicking 'Download as .zip' in the Proxy Content Manager, IE blocks the download and shows the little yellow bar "IE protected you from a download". If you click "allow this download" it does not work and times out sooner Workaround: Add the WebAdmin URL to the IE Trusted Sites in 'Tools > Internet Options > Security' Fix: --- ID3404 6.000 Routing issues with subnets of locally attached networks --------------------------------------------------------------------- Description: When a static route is set via WebAdmin it is not routed to the target host if the network is included in a local attached network. Example: 192.168.1.0/24 can not be routed to another host if 192.168.0.0/16 is a local network (configured on an interface) Workaround: --- Fix: --- ID3323 6.102 Ipsec restarting completely when activating a tunnel on another interface -------------------------------------------------------------------------------------- Description: As soon as there are tunnels on different endpoint-interfaces, all tunnels will be restarted when a new tunnel with another endpoint-interface is added or removed for the first time. Workaround: --- Fix: --- ID3255 6.100 Backup Converter does not care about V6.1 files ------------------------------------------------------------ Description: When importing a backup from version 6.0 or 5.2, the sections 'AV Engines' and 'Command Center' may not get reset correctly. Workaround: Please check the settings of these pages after importing an older backup. Fix: --- ID3198 6.100 No progressbar shown on certain downloads ------------------------------------------------------ Description: Downloading certain files via the http-proxy may result in not showing the progress bar, if the content-type of that file is not given correctly from the webserver. See a technical explanation for this in the Knowlege-Base. Workaround: Just wait, until the file can be saved on the client machine Fix: --- ID2897 6.001 L2TP VPN fails when multiple connections occur ----------------------------------------------------------- Description: L2TP VPN does not work for two or more clients connecting from behind a NAT device to the public IP address of the firewall. Workaround: Use IPsec (with Secure Client) instead of L2TP Fix: --- ID2600 6.000 L2TP over IPSec does not work with Mac OS X 10.4 (Tiger) --------------------------------------------------------------------- Description: L2TP connections from Mac OS 10.4 (Tiger) are not working correctly. The tunnel seems to be established successful, but it is not possible to send packets through this tunnel. Workaround: --- Fix: --- ID2564 6.000 Error while attempting to join NTLM domain with some hostnames --------------------------------------------------------------------------- Description: When trying to join a domain to use NTLM Authentication, an error might be issued when using a long hostname. If so, please check if the computer account has been created although the error occured. Workaround: Use a shorter name. Fix: --- Closed Issues ============= ID6598 6.000 Upgrading to V7 may fail on filesystem creation ------------------------------------------------------------ Description: Some machines having less than 512MB RAM may experience problems when trying to upgrade to V7 because of filesystem creation errors. These errors are caused by an unmountable swap partition. Workaround: Reboot and try again. If that does not help, try shutting down some processes using lots of memory. Fix: Fixed in 6.312 ID6518 6.000 Problems while updating DynDNS entries --------------------------------------------------- Description: DynDNS has changed their abuse policy and will now treat updates of the same IP address within 28 days as a service misuse. They may shut down the account or delete the DNS record completely. Workaround: --- Fix: Fixed in 6.312 ID6171 6.304 Problems initializing antivirus database ----------------------------------------------------- Description: On some machines there problems have shown up while initializing new antivirus pattern. This will cause the virus scanner to stop working. Workaround: --- Fix: Fixed in 6.312 ID5916 6.303 Daily Spam Digest not working for Subdomains --------------------------------------------------------- Description: The Daily Spam Digest only covers main domain names. Optional subdomains addresses are ignored. Workaround: --- Fix: Fixed in 6.305 ID5823 6.303 Local Snort rules overwritten by ruleset update ------------------------------------------------------------ Description: Newer Snort rules shipped via Pattern Up2Date may overwrite previously defined custom rules. Workaround: --- Fix: Fixed in 6.305 ID5575 6.303 Possible L2TP connection problems ---------------------------------------------- Description: In some cases L2TP connections are established and disconnected immediately with a 'Fatal signal 11' error in the logfile. Workaround: --- Fix: Fixed in 6.305 ID4050 6.300 No IPsec traffic after PPPoE reconnect --------------------------------------------------- Description: In some cases the IPsec tunnels will not come up correctly after an IPsec reconnect. The connection might be established, but no traffic will pass through the tunnel. Workaround: --- Fix: Fixed in 6.305 ID5187 6.303 Daylight savings time adjustments for USA and Canada ----------------------------------------------------------------- Description: In 2007 daylight savings will start three weeks earlier and one week later than in 2006 for may regions in USA and Canada. Workaround: --- (Change timezone) Fix: Fixed in 6.304 ID4221 6.300 Selfmonitor checks for hardware scanner missing ------------------------------------------------------------ Description: The hardware anti-virus scanner integrated in ASG 425 and ASG 525 are not completely monitored by the selfmonitoring system. This may lead to overusage of system memory or problems with depending processes. Workaround: --- Fix: Fixed in 6.304 ID4241 6.202 Outlook/Exchange emails may get high spam scores ------------------------------------------------------------- Description: Some emails sent by MS Outlook or Exchange server may get high spam scores because of a false positive RATWARE_OUTLOOK check in spamassassin. This also might happen for MS DirectPush emails. Workaround: --- Fix: Fixed in 6.303 ID4159 6.301 Connection tracking table in WebAdmin may be cut ------------------------------------------------------------- Description: In some cases the connection tracking output in WebAdmin is not completely shown. Workaround: --- Fix: Fixed in 6.303 ID3987 6.203 WebAdmin settings don't take effect in the backend --------------------------------------------------------------- Description: In some cases the middleware daemon is not able to register itself on the configuration daemon, which leads to a working frontend without a working backend. Changes done via WebAdmin will not take effect. Workaround: Reboot the system. Fix: Fixed in 6.303 ID3923 6.203 Clock issues when running as VMware installation ------------------------------------------------------------- Description: In some VMware installations the hardware clock of the guest system may run slower than the realtime clock. Workaround: There are different possibilities on host and guest system. Please check VMware website or contact support. Fix: Fixed in 6.303 ID3813 6.201 Kernel memory leak in IPsec subsystem -------------------------------------------------- Description: There is a memory leak in the IPsec part of the kernel. In some cases, within some days or weeks the kernel consumes all available memory. Workaround: Depending on configuration and traffic, rebooting at least helps for a while. Fix: Fixed in 6.303 ID3795 6.201 Spamassassin fails while preforking with a syswrite failure ------------------------------------------------------------------------ Description: The Anti-Spam daemon may encounter problems while scanning certain emails for spam. This may lead to high system load and non-responsive Anti-Spam daemon. Workaround: --- Fix: Fixed in 6.303 ID3443 6.103 Squid uses a lot of memory --------------------------------------- Description: On some installations, squid uses a very high amount of memory. This may impact other parts of the system and slow down HTTP surfing as well as the complete installation. Workaround: --- Fix: Fixed in 6.303 ID3022 6.002 SNMP dies regularly and gets restarted by selfmon -------------------------------------------------------------- Description: The SNMP daemon may crash when using dynamic interfaces or static IP assignment on PPPoE/PPPoA interfaces. This can result in regular restarts by the selfmonitor. Workaround: --- Fix: Fixed in 6.303 ID4182 6.301 Chinese language support not working properly ---------------------------------------------------------- Description: The chinese WebAdmin translation has a wrong default character set which renders most of the pages unreadable when 'big5' is not set as standard charset. Workaround: Select 'big5' as charset. Fix: Fixed in 6.302 ID4060 6.301 HA might not work correctly on ASG425 with eth4-eth7 ----------------------------------------------------------------- Description: Using HA with ASG425 may lead to problems when an interface between eth4 and eth7 is used as HA interface. This may lead to Master-Master situations which will not be resolved automatically. Workaround: Use eth0-3 as HA interface if possible. Fix: Fixed in 6.302 ID4059 6.300 Possible problem when scanning RAR files ----------------------------------------------------- Description: Having both Antivirus scanners enabled, there might be a problem when scanning RAR files which may result in getting these RAR files through the contentfilter without being scanned properly. Workaround: --- Fix: Fixed in 6.302 ID3965 6.203 HTTP Proxy Report Blocked Pages show @ --------------------------------------------------- Description: Using HTTP Proxy in standard or transparent mode may cause blocked pages report '@' as username. Workaround: --- Fix: Fixed in 6.302 ID4025 6.300 NIC hardware offloading may cause problems ------------------------------------------------------- Description: We had a longterm issue at a customer where we finally found out, that the hardware offloading has caused sporadic connection problems which lead to long delivery times of smtp. Workaround: --- Fix: Fixed in 6.301 ID4012 6.300 HW acceleration creates large swapfiles ---------------------------------------------------- Description: On ASG 425/525 the swapfiles for hardware accelerated virus scanning may get very large and fillup the /tmp partition. This may lead to an unresponsive HTTP Proxy. Workaround: Disable and reenable HW acceleration. Fix: Fixed in 6.301 ID4010 6.300 Duplicate emails from SMTP Proxy when using HTTP parent proxy -------------------------------------------------------------------------- Description: If a parent proxy is configured in the HTTP Proxy, the SMTP Proxy will use that parent proxy as well for spam categorization. An automatic packetfilter rule allowing this traffic is missing. This may lead to duplicate emails in some cases. Workaround: Create a temporary rule allowing traffic to from your external interface. Fix: Fixed in 6.301 ID4009 6.300 Hardware acceleration conflicts with HA ---------------------------------------------------- Description: In some environments using Hardware Acceleration for Anti-Virus scanning there might be problems when using HA (High Availability). Issues may arise when configuration related to Anti-Virus scanning gets changed. Workaround: --- Fix: Fixed in 6.301 ID4001 6.300 Authentium pattern updates not visible in reporting ---------------------------------------------------------------- Description: Authentium pattern updates are not counted correctly in the Contentfilter section of the reporting module. Workaround: --- Fix: Fixed in 6.301 ID3999 6.300 Individual pattern Up2date does not work correctly --------------------------------------------------------------- Description: With some licenses it is not possible to update single pattern types individually via WebAdmin (Error: Licenses not a valid md5sum string). However, updating the all and automatic Up2Date works. Workaround: Use 'Update now' for manual pattern updating on the System->Up2Date page. Fix: Fixed in 6.301 ID3992 6.300 Problem in handling of HTTP Port Ranges in IPS causes huge memory usage ------------------------------------------------------------------------------------ Description: When using port ranges for the HTTP service in IPS->Advanced, the system will allocate a lot of memory and will probably stop responding. This issue will happen on machines having more than 256MB of RAM. Workaround: Use a single port definition for HTTP service. Fix: Fixed in 6.301 ID3991 6.300 DNAT does not bypass WebAdmin port ----------------------------------------------- Description: A port forward of all traffic such as HTTPS or Any to an internal server will not forward the webadmin defined port in most cases. WebAdmin port has priority over less specific NAT rules. Workaround: Change WebAdmin port. Fix: Fixed in 6.301 ID3982 6.203 Kernel Panic with DNAT und FTP ------------------------------------------- Description: There is an issue in the connection tracking helper of the kernel for FTP. When a FTP client sends a PASV command over a natted connection, the kernel may panic. Workaround: Unload connection tracking helper for FTP. Fix: Fixed in 6.301 ID3980 6.203 VPN Id for X.509 certificates ------------------------------------------ Description: When creating x509 CSRs with X.509 DN as VPN Id the Id field gets automatically filled and any input in WebAdmin should be ignored. When entering data while creating CSRs, the system will refuse to create more than 2 CSRs. Workaround: Do not enter a VPN Id when creating X.509 certificates. Fix: Fixed in 6.301 ID3968 6.203 Possible ethernet loop when using HA and bridging -------------------------------------------------------------- Description: Having to machines in a HA configuration with bridging enabled may cause ethernet loops when there are two HA masters in the network and one of them shuts down to slave mode. Workaround: --- Fix: Fixed in 6.301 ID3957 6.203 Missing network graphs for VLAN interfaces ------------------------------------------------------- Description: When adding new VLAN interfaces, sometimes the interface graphs in reporting will not show up. Workaround: --- Fix: Fixed in 6.301 ID3933 6.000 DNS Proxy does not resolve IPs from internal network ----------------------------------------------------------------- Description: The system creates dns zones for all locally attached networks with only one entry pointing to the corresponding interface IP. This may cause trouble when trying to resolve other hosts. Workaround: --- Fix: Fixed in 6.301 ID3876 6.202 Some pictures missing when website is viewed over HTTP Proxy ------------------------------------------------------------------------- Description: When surfing through the Web, some files or pictures may not be shown correctly via HTTP Proxy. This mainly affects file requests which get redirected to other servers. Depending on server and client configuration the request may not be handled correctly Workaround: --- Fix: Fixed in 6.301 ID3793 6.200 Remote syslog does not send facility and level ----------------------------------------------------------- Description: When using remote syslog, the logging facility and the loglevel are not transferred in the remote syslog data. Workaround: --- Fix: Fixed in 6.301 ID3787 6.100 Surf Protection Category names uneditable after adding special characters -------------------------------------------------------------------------------------- Description: Changing the name of any category to contain i.e. an apostrophe results in the category no longer being editable. Workaround: --- Fix: Fixed in 6.301 ID3785 6.200 Uplink failover interface may not come up correctly ---------------------------------------------------------------- Description: When setting an interface as backup interface for uplink failover, the last status of this interface is used in case of uplink failover. This means if the interface was disabled before choosing as backup interface, uplink failover will not work. Workaround: Enable interface before selecting as backup. Fix: Fixed in 6.301 ID3653 6.105 HTTP pages graph missing in reporting -------------------------------------------------- Description: The graph for the accessed HTTP pages is missing in reporting and the executive report. Workaround: --- Fix: Fixed in 6.301 ID3168 6.100 Proxy Content Manager incorrectly deletes emails ------------------------------------------------------------- Description: While trying to delete a message in the proxy content manager a java script popup appears, asking if you are sure. Clicking cancel and afterwards 'Refresh Content Manager' will delete the message without further asking. Workaround: --- Fix: Fixed in 6.301 ID3148 6.100 Missing user in HTTP-Proxy after name change --------------------------------------------------------- Description: When changing a username in Definitions->Users the user definition gets lost in HTTP-Proxy->Profile Assignments. There is only an empty entry. Workaround: Readd the users manually to the profile. Fix: Fixed in 6.301 ID3106 6.004 Connection tracking in WebAdmin misses entries ----------------------------------------------------------- Description: Sometimes the connnection tracking table shown in WebAdmin misses entries. In this case the last line often looks 'cut'. Workaround: Try reloading the page (may only work up to a certain amount of connections). Fix: Fixed in 6.301 ID3966 6.203 Duplicate emails sent from SMTP Proxy -------------------------------------------------- Description: Also there has been some improvements to avoid duplicate emails being sent from SMTP Proxy, an issue in the server backend may have caused some emails to be duplicated again. In order to avoid this kind of problems another software change is necessary. Workaround: --- Fix: Fixed in 6.300 ID3930 6.203 HA slave looses connection to master ------------------------------------------------- Description: After a certain time the HA slave on uniprocessor systems may stop responding and is no longer available for the master. Workaround: Reboot the slave. Fix: Fixed in 6.300 ID3908 6.202 PPTP user may be shown as inactive even it is connected -------------------------------------------------------------------- Description: If the Windows domainname is included in the username, the user is not shown as active after connecting. Workaround: Change the client not to add the domainname to the userstring. Fix: Fixed in 6.300 ID3904 6.203 IPS reports Bad Traffic Same Src/Dst IP ---------------------------------------------------- Description: E.g. when having a webserver in the DMZ which is reachable via DNAT, this type of connection may not work correctly with latest up2date and report a lot of 'Bad Traffic Same Src/Dst IP' messages in the Intrusion Protection logfile. Workaround: Either disable HTTP proxy or IPS if possible. Fix: Fixed in 6.300 ID3896 6.202 Deletion of logfiles older X days does not work ------------------------------------------------------------ Description: There is still a problem with when trying to delete logfiles older than a specific period of time. Workaround: --- Fix: Fixed in 6.300 ID3873 6.202 Log Files are blank when viewing via WebAdmin ---------------------------------------------------------- Description: Some logfiles may appear to be empty when viewing then via WebAdmin although they have some content. Mainly this may happen after timewarps. Workaround: --- Fix: Fixed in 6.300 ID3866 6.202 FTP connection tracking helper modules are not loaded in all cases ------------------------------------------------------------------------------- Description: The connection tracking helper modules for FTP are not loaded in all cases, so e.g. when no NAT/Masquarading rule is configured there will also be no FTP connection tracking helper. Workaround: Create a dummy NAT/Masquerading rule Fix: Fixed in 6.300 ID3848 6.202 Trusted senders does not work for RBL -------------------------------------------------- Description: When a target sender is blocked by Realtime-Blackhole-Lists (RBLs) you can not whitelist them by putting their email address to the Trusted Senders list. Workaround: Add the host to Trused Hosts/Sites. Fix: Fixed in 6.300 ID3386 6.102 'Current System QoS Rules' does not show proper information ------------------------------------------------------------------------ Description: The current QoS settings output shown in the WebAdmin is incomplete. Only the iptables part is visible. Workaround: --- Fix: Fixed in 6.300 ID2999 6.002 Overwrite an existing interface by editing another one ------------------------------------------------------------------- Description: When editing an existing interface and changing its name to the name of an already existing interface, the data of the existing interface will get overwritten. Workaround: --- (please do not try to reproduce) Fix: Fixed in 6.300 ID2997 6.002 CA-Certificate is not deleted on the HA slave ---------------------------------------------------------- Description: When deleting a certificate on a HA master device, the same certificate is not deleted on the slave and will reappear after a takeover. Workaround: Delete certificate again. Fix: Fixed in 6.300 ID2996 6.002 CA-Certificate is not synced to HA slave immediately ----------------------------------------------------------------- Description: When creating a new CA-Certificate in a High Availability environment, the certificate is not synced to the slave automatically. However it will be synced together with the next config change (e.g. a new VPN connection). Workaround: Make any config change after creating a certificate. Fix: Fixed in 6.300 ID3852 6.202 Max MTU limited to 3000 octets by WebAdmin ------------------------------------------------------- Description: The MTU size is limited from 300-3000 by WebAdmin. This may not be enough when using gigabit NICs and jumbo frames. Please note: MTU sizes larger than 1500 (default) need to be supported by the NIC and by the corresponding driver. Workaround: --- Fix: Fixed in 6.203 ID3838 6.202 Download window is too small when using Internet Explorer ---------------------------------------------------------------------- Description: When using Internet Explorer on certain websites when a file is downloaded the popup window for the download and scanning notification appears as a small popup. This popup may be too small and cannot be resized to allow the user to select the file to down Workaround: --- Fix: Fixed in 6.203 ID3822 6.202 Single failed Webadmin login counts two times in reporting ----------------------------------------------------------------------- Description: Due to an extension of the logging module, WebAdmin logins are counted twice by accident. Workaround: --- Fix: Fixed in 6.203 ID3816 6.202 Uplink Failover check IP is ignored for VLAN interfaces -------------------------------------------------------------------- Description: When using Uplink Failover on a VLAN interface the Check-IP from WebAdmin is ignored and the default gateway is used instead. Workaround: --- Fix: Fixed in 6.203 ID3811 6.202 Blocked webpages showing too much details ------------------------------------------------------ Description: When a website is blocked because of blacklisted expressions while browsing the web via HTTP Proxy with SurfProtection enabled, all the blacklist expressions are shown to the user in the details page. This information leak may help users to find a way to Workaround: --- Fix: Fixed in 6.203 ID3802 6.201 HTTP download gets blocked as virus Oversized.zip -------------------------------------------------------------- Description: When downloading files with VirusProtection and ClamAV as active scanner a default setting might lead to false positives. Clam blocks archives with a compression ratio higher than 250 as possible archive bombs. Thus files which can be packed with a ratio Workaround: Whitelist the specific URL Fix: Fixed in 6.203 ID3798 6.201 IPSec autopacketfilter do not work in bridge mode -------------------------------------------------------------- Description: Using autopacketfilter for IPSec VPN tunnels does not work if the interface is in bridge mode. Workaround: Set packetfilter manually in WebAdmin. Fix: Fixed in 6.203 ID3789 6.200 Petabyte spikes in network graphs ---------------------------------------------- Description: Sometimes large network spikes appear in the network graph during normal operations. These spikes indicate very high traffic (petabytes) for a very small timeframe making the graph unreadable because of the large scale. Workaround: --- Fix: Fixed in 6.203 ID3767 6.201 IPSec Strict-Flag only used in Phase 2 --------------------------------------------------- Description: When enabling the 'Enforce Algorithms' option for an IPSec policy only phase 2 algorithms are checked. In phase 1 (IKE) there is no policy enforcement. Workaround: --- Fix: Fixed in 6.203 ID3744 6.201 Usernames do not show up in contentfilter blocked log ------------------------------------------------------------------ Description: When running the HTTP proxy in user authentication mode, the ContentFilter blocked log only shows the IP address of offending users. Workaround: --- Fix: Fixed in 6.203 ID3719 6.100 SIP Proxy host length is limited to 32 characters -------------------------------------------------------------- Description: The call id host in the SIP Proxy is limited to 32 characters. This may cause trouble with some sip providers. Workaround: --- Fix: Fixed in 6.203 ID3642 6.104 Problem when using IPsec VPN on bridge interfaces -------------------------------------------------------------- Description: Having an IPSec endpoint on an interface in bridge mode will affect the statefulness of the interface. Connection tracking does not work correctly. Workaround: --- Fix: Fixed in 6.203 ID3715 6.200 Factory reset via cmdline may result in defective system --------------------------------------------------------------------- Description: When trying to perform a factory reset via commandline by entering 'default factoryreset' at the boot prompt, the system may not recover completely. This mainly affects slower systems like the ASG 110/120 appliance. Workaround: Appliance users should contact Support. Fix: Fixed in 6.203 ID3630 6.104 Large swapfiles for hardware accelerated scanning -------------------------------------------------------------- Description: When using hardware acceleration for anti virus scanning, some swapfiles will be stored in the tmp-partition. These files grow larger and larger and may lead to a not responding hardware scanner. Workaround: Reboot the system to clean tmp-partition. Fix: Fixed in 6.203 ID3482 6.104 Default ICMP Flood Protection settings may cause issues -------------------------------------------------------------------- Description: The default value for ICMP flood protection is quite low and may cause trouble for standard applications like traceroute. We recommend changing the value to 20 at least. Also, you need to reboot after changing this value in order to apply it to the system Workaround: Set value to 20 and reboot. Fix: Fixed in 6.203 ID3464 6.104 Usernames do not show up in http_access log -------------------------------------------------------- Description: When using user authentication on some requests the username is shown in contentfilter log, but not in http_access log. Workaround: --- Fix: Fixed in 6.203 ID3462 6.104 Blacklist extension filter blocks wrong downloads -------------------------------------------------------------- Description: Downloads like .exe files or pictures may get blocked when using fileextension filter and if the webserver sends a wrong content-type for the corresponding file. E.g. application/octet-stream should match .exe files, but if the server sends this for a .pd Workaround: --- Fix: Fixed in 6.203 ID3340 6.102 DHCP server not authoritative ------------------------------------------ Description: The DHCP server runs in unauthoritative mode, which may lead to problems when renewing Windows IP addresses. A change to authoritative mode is needed. Workaround: --- Fix: Fixed in 6.203 ID3270 6.101 L2TP does not work if bridge is enabled ---------------------------------------------------- Description: It is not possible to connect via L2TP to the firewall if the interface is member of a bridge. Routing mode is not affected. Workaround: Try connecting to an interface in routing mode. Fix: Fixed in 6.203 ID3766 6.201 Flood-Protection log-limit-burst is not set correctly ------------------------------------------------------------------ Description: When using UDP, TCP or ICMP flood protection, the log-limit-burst value is not set correctly in the backend. Workaround: --- Fix: Fixed in 6.202 ID3759 6.201 Duplicate packetfilter rules in backend ---------------------------------------------------- Description: Some packetfilter rules as well as NAT rules may be generated twice in the backend System. This is not visible in the Packetfilter section of WebAdmin and does not impact the security of the system. When have very large packetfilter rulesets, this may aff Workaround: --- Fix: Fixed in 6.202 ID3722 6.201 Squid localhost ACL uses static destination port ------------------------------------------------------------- Description: Starting with 6.200 the HTTP Proxy does not allow connections to localhost. Instead of using the port selected in WebAdmin, the restriction only matches connections to port 8080. Workaround: --- Fix: Fixed in 6.202 ID3409 6.100 IPSec Client config includes wrong lifetimes --------------------------------------------------------- Description: IPSec-Client config may include wrong values for the IPsec and IKE SA lifetimes depending on the timezone used. Workaround: Set timezone to GMT. Fix: Fixed in 6.202 ID2935 6.001 SNMPd loses track of interface indexes --------------------------------------------------- Description: Interface graphs in reporting may not be calculated correctly for reconnecting PPP interfaces (e.g. DSL). Workaround: --- Fix: Fixed in 6.202 ID2844 6.001 PPPoA connections may not reconnect correctly ---------------------------------------------------------- Description: When using PPPoA connections there might be a problem while automatic reconnecting to the provider. Workaround: --- Fix: Fixed in 6.202 ID3709 6.200 eDirectory browser may not work with large trees ------------------------------------------------------------- Description: The eDirectory browser may not work correctly with large eDirectory trees, because all data are transferred multiple times. Workaround: --- Fix: Fixed in 6.201 ID3708 6.105 Wrong SurfProtection categories in details view ------------------------------------------------------------ Description: When viewing the Contentfilter categories details for HTTP Proxy, the list may show empty parts. Workaround: Import a backup. Fix: Fixed in 6.201 ID3707 6.200 Download Manager causing error in IE ------------------------------------------------- Description: Newer IE versions may show an error symbol in the status line on the bottom when accessing a download via Download Manager. Older versions may pop up a script debugger error asking if the script should be executed, also the script is ok. Mozilla based bro Workaround: Disable script debugging in IE Tools->Internet Options->Advanced. Fix: Fixed in 6.201 ID3700 6.105 CC password restrictions do not apply when adding new users ------------------------------------------------------------------------ Description: Currently you have to enter complex passwords on the initial setup page and when editing users. This must also affect adding new users, in order to be Common Criterial compliant. Workaround: --- Fix: Fixed in 6.201 ID3698 6.200 Browser fails to show logfiles or fails to browse eDirectory ------------------------------------------------------------------------- Description: After browsing a eDirectory tree and not closing the session completely other popups like logfile browser may not work. Workaround: Close unneeded browser windows or wait for 5 minutes. Fix: Fixed in 6.201 ID3697 6.200 eDirectory SSO does not work for users with aliases ---------------------------------------------------------------- Description: If a user has aliases, SSO does not work for this user because the IP to authenticate exists in more than one user object. Workaround: Remove user aliases from eDirectory. Fix: Fixed in 6.201 ID3676 6.105 USB connection to Uninterruptible Power Supply (UPS) for status information causes Kernel Oops ------------------------------------------------------------------------------------------------------------ Description: On some systems there are problems with USVs connected via USB leading to kernel failures. Workaround: --- Fix: Fixed in 6.201 ID3650 6.105 Logfiles not accessible via WebAdmin ------------------------------------------------- Description: The option to download logfiles via Log Files->Browse logs is not working correctly. Workaround: Use the 'view log' mechanism on the same page to inspect logfiles. Fix: Fixed in 6.201 ID3472 6.104 PPTP will not establish when windows-logon is enabled ------------------------------------------------------------------ Description: It is not possible to logon to a Windows domain using PPTP. Workaround: --- Fix: Fixed in 6.201 ID3659 6.105 Kaspersky virus scanner may stop working ----------------------------------------------------- Description: The Kaspersky anti virus scanner daemon may stop working with pattern issued after March 21st, 2006. Workaround: Update to 6.106 Fix: Fixed in 6.106 ID3649 6.105 Contentfilter categories may show empty fields after factory reset ------------------------------------------------------------------------------- Description: After performing a factory reset, the contentfilter categories list may show up empty. Adding or modifying is not possible. Workaround: --- Fix: Fixed in 6.200 ID3402 6.102 Large harddrives cause squid errors ------------------------------------------------ Description: Having some large harddisks in a raid array (>350 GB) may cause HTTP Proxy / squid to fail upon starting. Workaround: Try reducing harddisk size. Fix: Fixed in 6.200 ID3621 6.100 Deleting oldest logfiles via archive settings not working ---------------------------------------------------------------------- Description: If an action for logfile archive settings is set to 'delete oldest logfiles', the files won't get deleted if the threshold is reached. Workaround: --- Fix: Fixed in 6.105 ID3485 6.100 ClamAV reports RAR files as Unknown Virus ------------------------------------------------------ Description: Current ClamAV version can not scan RAR 3.0 files due to license restrictions and reports an 'Unknown Virus'. This behaviour will get changed when this issue gets closed: RAR files will not be scanned for viruses. Workaround: Disable ClamAV for HTTP to download RAR files. Fix: Fixed in 6.105 ID3413 6.100 Dowload Manager delivers wrong sized files ------------------------------------------------------- Description: After a certain time, the download manager of the HTTP Proxy fails to deliver new downloads correctly. The files might get cut or you'll see an 'Unknown Download ID' error. Workaround: If this problem occurs, you can try disabling and reenabling the HTTP Proxy, which should help at least for a certain time. Fix: Fixed in 6.105 ID3414 6.102 HA daemon not starting up correctly ------------------------------------------------ Description: Due to a missing check, the HA daemon may fail to start correctly after booting up. In this case, the system will stop in slave mode. Workaround: Reboot the system (again). Fix: Fixed in 6.105 ID3408 6.102 POP3 sender whitelist is case sensitive ---------------------------------------------------- Description: The POP3 whitelist is currently case sensitive, that means a mail from Domain.com would not match a whitelist entry 'domain.com'. Workaround: Use exact notation and/or add multiple whitelist entries Fix: Fixed in 6.105 ID3167 6.100 Compression for Net-to-Net IPSec tunnels not working ----------------------------------------------------------------- Description: Activating compression for Net-to-Net tunnels will report about a successfully established tunnel with encryption and compression enabled, but compression is not used. Workaround: --- Fix: Fixed in 6.105 ID2792 6.001 Automatic CRL Fetching not working ----------------------------------------------- Description: The Automatic CRL Fetching functionality for IPsec CAs is not working correctly. Workaround: --- Fix: Fixed in 6.105 ID3419 6.103 HA config sync may not work correctly -------------------------------------------------- Description: When using similar addresses for HA Master and Slave where one machine has an address which is part of the other machines' address (e.g. 10.1.1.1/24 and 10.1.1.11/24) configuration syncing in HA mode does not work. Workaround: Use other IP addresses on the HA interface. Fix: Fixed in 6.105 ID3353 6.102 Parser problem in HTTP Proxy Usage reports ------------------------------------------------------- Description: Due to a parser problem, some data may not get parsed correctly in large reports. These fields will show useless information in the 'UserID' field of the report. Workaround: --- Fix: Fixed in 6.104 ID3349 6.102 No network group support in IPS advanced section ------------------------------------------------------------- Description: Network groups added in the IPS advanced settings are not handled properly and thus may not work. Workaround: --- Fix: Fixed in 6.103 ID3308 6.101 Linkbeat checking also down interfaces --------------------------------------------------- Description: The High Availablility linkbeat check also checks interfaces which are in administrative down status. This may lead to an unwanted failover while reconfiguring the device. Workaround: --- Fix: Fixed in 6.103 ID3296 6.101 Pluto crashes with mismatching phase 2 policy ---------------------------------------------------------- Description: In case the phase 2 policies on the system and the remote endpoint do not match exactly, the VPN subsystem may crash. Workaround: Make sure that phase 2 policies match exactly on both sides. Fix: Fixed in 6.103 ID3291 6.101 Changing setting of Dead Peer Detection seems to have not effect ----------------------------------------------------------------------------- Description: After toggling the IPsec Dead Peer Detection setting, the changes has no effect until ipsec gets restarted. Workaround: Restart ipsec (disable/reenable). Fix: Fixed in 6.103 ID3276 6.101 Daily Spam Digest mails are marked as spam ------------------------------------------------------- Description: Sending a daily spam digest through the SMTP proxy with Spam Protection enabled, the mail may get marked as spam. Workaround: Add the sender to the Spam Sender Whitelist. Fix: Fixed in 6.103 ID3257 6.101 DNAT rules with local connections not working ---------------------------------------------------------- Description: Connections initiated from the system itself targetting a DNAT rule which redirects them to another machine are not working correctly. Workaround: --- Fix: Fixed in 6.103 ID3249 6.100 File extension blocking is too strict -------------------------------------------------- Description: The file extension filter finds a file with a proper extension, but an invalid content-type in the headers, it will block it. This behaviour turned out to be too strict and generated a lot of false positives. Matching by content-type should only be done i Workaround: Make sure the senders' content-type is set correctly. Fix: Fixed in 6.103 ID3218 6.100 Windows XP/SP2 L2TP client loops during connection establishment ----------------------------------------------------------------------------- Description: Under certain circumstances a Windows XP client behind a NAT router may fail to establish the L2TP over IPSec connection. In this case the phase 1 and phase 2 SAs are established OK, but the client loops: the phase 1 and phase 2 SAs are established again Workaround: --- Fix: Fixed in 6.103 ID3143 6.004 Activating compression causes problems on Roadwarrior Connections. ------------------------------------------------------------------------------- Description: Using Roadwarrior Connections with compression enabled will not work if the Roadwarriors connect through NAT. Workaround: Use a policy without compression. Fix: Fixed in 6.103 ID2546 5.000 PSK-based roadwarrior or L2TP connections may fail to establish ---------------------------------------------------------------------------- Description: If NAT-Traversal option is disabled in WebAdmin PSK-based roadwarrior or L2TP connections fail to establish. Workaround: Enable NAT-Traversal. Fix: Fixed in 6.103 ID3301 6.101 HTTP Proxy Usage Report limited to 50 users -------------------------------------------------------- Description: The HTTP Proxy Usage report only shows the 50 top users. It is not possible to view reports for all users. Workaround: --- Fix: Fixed in 6.102 ID3268 6.101 PPTP connection tracking table may get corrupted ------------------------------------------------------------- Description: The connection tracking table of the PPTP Server may get corrupted. If this happens, the PPTP Server may not get (re-)started correctly. Workaround: --- Fix: Fixed in 6.102 ID3183 6.100 Executive Report doesn't show up2dates for VirusProtection ----------------------------------------------------------------------- Description: The executive report currently does not show the virus pattern updates. Workaround: --- Fix: Fixed in 6.102 ID2993 6.002 Uplink failover does not work correctly with PPPoE interface ------------------------------------------------------------------------- Description: Using a PPPoE/PPPoA interface as primary interface and a standard ethernet as backup interface will cause Uplink failover not to switch back after a failover. Workaround: --- Fix: Fixed in 6.102 ID3220 6.100 LDAP port resets to default 389 -------------------------------------------- Description: After changing LDAP port in System->UserAuthentication WebAdmin displays the new port correctly, but when reloading the page the port will be set back to 389. Workaround: --- Fix: Fixed in 6.101 ID3219 6.100 Java Applet errors with HTTP Proxy ----------------------------------------------- Description: Some Java Applets are not working correctly via HTTP Proxy Workaround: Whitelist the URLs Fix: Fixed in 6.101 ID3213 6.100 L2TP authentication does not work with '#' symbol in the password ------------------------------------------------------------------------------ Description: Using the '#' symbol in a password causes L2TP to fail on connect. Workaround: Change password Fix: Fixed in 6.101 ID3207 6.100 Some VPN tunnels fail to come up automatically ----------------------------------------------------------- Description: When restarting the system, some VPN tunnels may fail to come up correctly. The tunnels may come up later or stay down. Workaround: Disable and reenable the respective connection in WebAdmin Fix: Fixed in 6.101 ID3170 6.004 VPN subsystem may crash when using many roadwarriors ----------------------------------------------------------------- Description: There is a known problem in the open-source part of the VPN subsystem which may lead to a crash when connecting via roadwarrior. In this case, all connections will be lost, but should be reestablished automatically Workaround: --- Fix: Fixed in 6.101 ID3169 6.100 Autogenerated IPSec key objects with DN as VPN ID do not work -------------------------------------------------------------------------- Description: When generating a new IPSec key in CA management using DN (Distinguished Name) as VPN ID the autogenerated object in Definitions->Networks does not work. It stays inactive all the time, even if a roadwarrior is connected. Workaround: --- Fix: Fixed in 6.101 ID3162 6.100 Issue on AV engine page with certain licenses ---------------------------------------------------------- Description: Users running their gateway with a SecureWeb license are currently not able to select/deselect AV engines for web-scanning. Thus both will be used. Licenses including Secure Mail are not affected. Workaround: --- Fix: Fixed in 6.101 ID3090 6.004 Cannot delete VLAN interface when using alias ---------------------------------------------------------- Description: Having to VLAN interfaces and an alias on the first, it is not possible to delete the second VLAN interface. Workaround: --- Fix: Fixed in 6.101 ID3116 6.004 HA Heartbeat is dropped by snort --------------------------------------------- Description: When using High Availability together with Intrusion Protection, some packets on the HA interface might get dropped depending on the IPS settings. Workaround: Add the HA network to the IPS local networks. Fix: Fixed in 6.100 ID3057 6.002 Timebased packetfilter does not interrupt exiting connections -------------------------------------------------------------------------- Description: Once a timebased packetfilter has been expired, only new connections are dropped. Existing connections are not affected and will stay until they are closed by the client. Workaround: --- Fix: Fixed in 6.100 ID3053 6.002 L2TP login fails with special password --------------------------------------------------- Description: When using some special passwords L2TP authentication will not work correctly. This is up to a character conversion in the backend. Workaround: Try changing the password for the L2TP user. Fix: Fixed in 6.100 ID3024 6.000 No dots in NT domain names allowed ----------------------------------------------- Description: When using domain names for NTLM authentication, dots are not allowed. Workaround: --- Fix: Fixed in 6.100 ID3016 6.002 Service definitions in policy routing not updated -------------------------------------------------------------- Description: Using a service definition in the policy routing section, the name of the service definition will not be updated after renaming. Workaround: Readd the correct service definition to the corresponding policy route. Fix: Fixed in 6.100 ID2981 6.002 HA interface is selectable as member of the bridge. ---------------------------------------------------------------- Description: In a HA environment, it is possible to add the HA interface to a bridge, which will not work at all. Workaround: Do not add your HA interface to a bridge. Fix: Fixed in 6.100 ID2857 6.001 Adding rules to large packetfilter rulesets -------------------------------------------------------- Description: When having very large packetfilter rulesets, adding new rules may not work correctly. The rules show up in WebAdmin, but are not set in the backend system. Workaround: Try minimizing your rulesets Fix: Fixed in 6.100 ID2743 5.900 Daily Spam Digest not correctly calculated ------------------------------------------------------- Description: The Yesterday's value of the Daily Spam Digest is not calculated correctly. Workaround: --- Fix: Fixed in 6.100 ID3015 6.002 DHCP Relay turns off before configuration set ---------------------------------------------------------- Description: Some machines running with an imported V5 backup might have problems enabling DHCP relay. WebAdmin seems to forget all settings after the page has been edited. Workaround: --- Fix: Fixed in 6.003 ID3007 6.001 Communication to kaspersky virus scanner failed ------------------------------------------------------------ Description: In some environments we noticed a problem with the contentfilter connecting to the virusscanner. This might result in requests not being handled properly at first request. Workaround: --- Fix: Fixed in 6.003 ID2998 6.002 Not possible to establish two L2TP tunnel to more than one interface --------------------------------------------------------------------------------- Description: Connecting to the firewall via L2TP via more than one interface does not work. Workaround: --- Fix: Fixed in 6.003 ID2995 6.002 Network-accounting in briged mode shows no traffic --------------------------------------------------------------- Description: Brigde Interfaces are not included in network accounting reports. Workaround: --- Fix: Fixed in 6.003 ID2933 6.001 Policy routes have wrong sort order for more then 9 routes ----------------------------------------------------------------------- Description: When adding more than 9 policy routes, the sort order is alphabetically but not numerically. Workaround: --- Fix: Fixed in 6.003 ID2900 6.001 All POP3 spam mails reported as threshold 1 -------------------------------------------------------- Description: The POP3 reporting module counts all spam mails as threshold 1. Threshold 2 is not used. Workaround: --- Fix: Fixed in 6.003 ID2922 6.001 IPS cannot be enabled on some firewalls ---------------------------------------------------- Description: On some machines Intrusion Protection settings will not be saved. Changes in WebAdmin will not affect the system. Workaround: --- Fix: Fixed in 6.002 ID2917 6.001 Problems using PPPoE interfaces with static gateway IP ------------------------------------------------------------------- Description: When using PPPoE with statically configured IP addresses (at least for the gateway), the firewall may not work correctly after a DSL reconnect. This mainly affects VPN services. Workaround: Use 'assign by remote' if possible Fix: Fixed in 6.002 ID2883 6.001 PPP Modem disconnect not properly detected ------------------------------------------------------- Description: After a disconnect of the PPP modem, the interface is still shown as up in WebAdmin. Workaround: --- Fix: Fixed in 6.002 ID2874 5.000 Factory Reset may not work correctly on slow machines ------------------------------------------------------------------ Description: Running factory reset on a slower machine may not finish successfully. Before powering off, not all of initial the data gets restored and thus the device will not boot up correctly afterwards. Workaround: --- Fix: Fixed in 6.002 ID2870 6.001 LDAP authentication does not work in a special case ---------------------------------------------------------------- Description: LDAP authentication does not work, if DN length is exactly 75 characters. Workaround: --- Fix: Fixed in 6.002 ID2849 6.001 IPsec policies with DH/PFS group X 4096 don't work --------------------------------------------------------------- Description: Using selfdefined IPsec policies with DH or PFS group X (4096) does not work. An attempt to establish a tunnel fails. Workaround: Use smaller DH/PFS groups if possible Fix: Fixed in 6.002 ID2802 6.001 Some reports stop working after deleting local logfiles -------------------------------------------------------------------- Description: After pressing the "Delete local archives now" button, HTTP Proxy usage and Accounting reports will not be created/updated anymore. Workaround: --- Fix: Fixed in 6.002 ID2090 5.000 Windows Update does not work with NTLM authentication ------------------------------------------------------------------ Description: Windows Update does not work with HTTP-Proxy in NTLM mode. Clients may be able to connect, but downloading is not possible. Workaround: --- Fix: Fixed in 6.002 ID2748 5.900 NAT-Traversal IPSEC connections may fail ----------------------------------------------------- Description: Due to restrictive packetfilter rules, IPsec may fail to establish connections via NAT-Traversal (nat-t). Workaround: Set packetfilter manually. Fix: Fixed in 6.001 ID2734 5.900 Portscan Detection does not send notifications ----------------------------------------------------------- Description: Portscan Detection does neither log portscans nor send notification, although the portscan is detected. Workaround: --- Fix: Fixed in 6.001 ID2646 6.000 Dead Peer Detection fails to re-establish tunnel ------------------------------------------------------------- Description: When using Dead Peer Detection, a tunnel will fail to reestablish once it has been successfully established. Workaround: Disable Dead Peer Detection Fix: Fixed in 6.001 ID2641 6.000 PPPoA fails to connect ----------------------------------- Description: PPPoA connections will fail to establish successfully. Workaround: --- Fix: Fixed in 6.001 ID2628 6.000 Resuming System Up2Date fails ------------------------------------------ Description: If a system up2date has been downloaded only partially, resuming will fail. Workaround: --- Fix: Fixed in 6.001