ECS Connection Manager 220.127.116.11 Release Notes
ECS Connection Manager (ECS CM) is a hardware and virtual Application Delivery Controller for the DELL EMC Elastic Cloud Storage (ECS) object storage solution.
ECS CM 18.104.22.168 version 22.214.171.124 is a hardware-only release of the 7.2.54.x Long Term Support Feature (LTSF) branch. It is the factory installed release on the following new ECS CM hardware models launched in July 2023:
- ECS Connection Manager H2 NG
- ECS Connection Manager H3 NG
- ECS Connection Manager H4 55 NG
- ECS Connection Manager H4 75 NG
- ECS Connection Manager H4 100 NG
There is no update patch associated with this release for general consumption, since the contents of this version are exclusively related to the new hardware models.
UEFI System Boot
Support for the Unified Extensible Firmware Interface (UEFI) has been added and is the boot method used for all the new ECS CM models listed above.
TSO and 100Gb Interfaces
The setting of the System Administration > Logging Options > System Logs > Debug Options > Enable TSO switch determines whether or not TCP Segmentation Offload (TSO) is enabled on ECS CM's network interfaces; the default setting is disabled.
The behavior of this switch has been modified for the latest ECS CM hardware only. When this button is disabled, TCP Segmentation Offload (TSO) for 100Gb interfaces (if present) remains enabled on new ECS CM hardware models. In other words, TSO is always enabled for 100Gb interfaces on new ECS CM hardware models, regardless of the setting of this option. In all other cases, when this switch is disabled, then TSO is disabled on all interfaces (as in previous releases).
Existing Known Issues
Stability: In rare cases, an unexpected reboot may occur as the system is stopping a Virtual Service (because, for example, there are no Real Servers available). If a new connection to the Virtual Service is received during a very short period of time during the process of stopping the Virtual Service, then the system may reboot.
|Client Certificates: Authentication may be denied if multiple "Other names" are present in the client certificate.
|Content Rule UI: Display is incorrect when the 'Ignore case' option is enabled.
|LDAP UI Access: Under certain circumstances, a user that has no LDAP credentials can gain access to the UI.
|LDAP/Syslog: StartTLS is not working when the Server Certificate Validation flag is enabled.
|GEO: If you add a Zone Name to GEO after you have created working FQDNs, GEO may no longer respond to queries for one or more of the FQDNs after the Zone Name is added. The workaround is to remove and then re-add the FQDNs that are no longer working.
|VS Redirects: If you attempt to upload a new redirect error HTML file to a Virtual Service with Not Available Redirection Handling enabled while traffic is currently being redirected, then traffic to the VS is dropped. Click the Error Message radio button in the UI and the VS begins accepting connections again.
|SSO Timeout: In LMOS 126.96.36.199, a fix was introduced for issues that caused an SSO client to not be properly logged out when the configured session timeout expires. It has been observed that while sessions do timeout, they are not always closed immediately upon the expiry of the timer; it can take close to a minute longer for the session to be closed.
|ESP Verify Bearer Header: ECS CM does not return an error when an encrypted token is received and there is no SSL certificate assigned to the VS to decrypt the token.
|ESP Verify Bearer Header: Validation is not working when "Allowed Virtual Hosts" and "Allowed Virtual Directories" are blank on the Virtual Service.
|Single Sign On: When Form Based Authentication is enabled on the server side, it is possible that after filling out correct credentials and submitting the login form, the form will be presented again; once the second login form is submitted with correct credentials, the login succeeds.
|ACLs and Real Servers: Real Servers located on networks on which ECS CM also has an IP address are always allowed to access Virtual Services on that network interface regardless of any access control list (ACL) settings on ECS CM. For Layer 7 services, this issue can be worked around using Content Rules. The workaround for other services is to block access for local Real Servers (if desired) on another network device (firewall, switch, router, etc.).
|ESP / SSO: The ESP Permitted Group SID(s) setting is not working as expected when configured on a SubVS.
|WAF / Compression: With Web Application Firewall (WAF) enabled, compressed files are incorrectly decompressed. As a workaround, ensure compression is enabled in VS Advanced Properties by selecting the Enable Compression option.
|Downgrade: If an Azure VLM is downgraded to the LTS firmware release (7.1.35.x), the WUI may display in the top right-hand corner that the VLM is a Hyper-V VLM. This indicates that the Azure VLM Add-On Package must be added to the system to provide full Azure VLM functionality. If this occurs, please contact Kemp Support to get the required add-on package.
|Hardware Support: The ECS CM models LM-X15, LM-X25, and LM-X40 do not support the following SFP+ modules: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000BASE-LX 1310nm, 10KM over SMF).
|HA / NTP: Configuring NTP for the first time after the system is running in High Availability (HA) mode and when the current time on the machines is not correct, may cause the systems to both go into the Master state.
|ESP / RADIUS: In a ECS CM configuration with ESP and Radius server-side authentication enabled, sessions may fail to be established.
|RADIUS / IPv6: IPv6 is not supported by the current RADIUS implementation in the ECS CM for both WUI Authorization and ESP Authentication.
|Networking: Azure ECS CM doesn't translate the additional network address between the Master and Slave correctly.
|SharePoint Virtual Services: A second authentication prompt is presented when a file is uploaded to SharePoint with the following configuration: WAF is configured with Process Responses enabled on the main Virtual Service and KCD is enabled on the SubVS level for server-side authentication.
|HA: An issue exists when setting up a 2-armed HA Virtual ECS CM in Azure.
|HA: Configuring HA using eth1 on an Amazon Web Services (AWS) Virtual ECS CM does not work.
|GEO: If a GEO FQDN is configured with All Available as the Selection Criteria, IP addresses are returned even if the cluster is disabled.
|Exchange 2010 Virtual Services: A WAF, ESP, and KCD configuration with Microsoft Exchange 2010 is not supported.
|Browser Support: (Safari) When adding a Real Server to a Virtual Service or SubVS using the Safari browser, the list of available Real Servers is not available.
|Clustering: In a clustering configuration, a new node can be added with the same IP address as an existing node.
|WAF: There is an API command to list individual rules in a ruleset, but there is no command to list the available rulesets themselves.
|GEO: DNS TCP requests from unknown sources are not supported.
|Networking: Unable to add an SDN controller using the RESTful API/WUI in a specific scenario.
|SharePoint Virtual Services: Microsoft Office files in SharePoint do not work in Firefox and Chrome when using SAML authentication.