Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

GEO 2.3.48.0 Release Notes

GEO Version 2.3.48.0 is a feature enhancement and bug-fix update released in October 2019. Please read the sections below before installing or upgrading. 

New Features

The following new features have been implemented.

1.      Kernel Update

The kernel has been updated to version 4.14.137 of the Linux kernel.

2.      Security Vulnerabilities Closed

The following security vulnerabilities have been verified as closed with the new kernel update:

3.      SSO Password Reset Notification

A new option has been added to the ESP options for Virtual Services that allows you to specify that the user’s password expiration date will be checked whenever a user logs in through an SSO form. If the user’s password will expire within a configurable number of days, a warning is displayed to the user along with a link that will allow them to update their password. This new ESP option, User Password Expiry Warning, can only be enabled once the User Password Change URL setting is enabled. You can also set the number of days before password expiry that the warning will begin to appear; the default is 15 days. Please also see the New Known Issues section.

4.      TCP SACK Support

In previous releases, TCP Selective Acknowledgement (aka: TCP SACK) could be enabled on LoadMaster only by logging into the OS. With this release, you can now control the TCP SACK setting in the UI and via the API. This global setting is located in the UI under System Configuration > Logging Options > System Log Files > Debug Options. Note that TCP SACK is a global setting (i.e., it affects all TCP traffic) and is disabled by default. If you change the default setting, your change will persist across future LoadMaster reboots.

Change Notices

This release includes the following modification to existing behavior that may require changes to procedures and/or scripts currently in use within your organization.

1.      VMware vmxnet Network Interfaces No Longer Supported

Support for the VMware vmxnet network interface driver is removed from Loadmaster starting with this release and will no longer be available. Customers with existing VMware deployments that use vmxnet interfaces should modify the VMware configuration of the LoadMaster to use vmxnet3 interfaces before upgrading to LMOS 7.2.48. This will require a LoadMaster reboot.

2.      Weak hmac-sha1 MAC Algorithm No Longer Supported

SSH support for the weak MAC algorithm hmac-sha1 has been removed with this release. This may result is some older versions of SSH no longer working with LoadMaster.

3.      Licensing Workflows Simplified

The Licensing UI workflows have been modified and simplified for a better user experience, and so that the API and UI workflows are more consistent.

Issues Resolved

The following issues have been resolved in this release.

PD-13816

GEO: In previous releases, the DNS server returns NXDOMAIN or NODATA when there are disabled IPv4 or IPv6 records (i.e., sites) present in the configuration. The DNS server behavior has been modified so that it returns NOERROR in these cases.

PD-13808

Licensing API: For consistency, the aslactivate() and alsilicense() routines will now accept either licensetypeid or lic_type_id as the parameter specifying the license type.

PD-13785

User Interface: Fixed an issue that caused spurious text to appear at the bottom of the Certificates & Security > Remote Access UI when the Admin Login Method was modified.

PD-13776

User Interface LDAP Login: Fixed an issue where access is denied by some LDAP servers when specifying permitted groups.

PD-13752

User Interface: Modified the UI so that the date/time format on the Home page and the Update License page are the same.

PD-13750

WAF API: Fixed an issue with the maninstallwafrules() API returning ‘Unknown Command’ when the API was executed successfully.

PD-13749

Security / SSH: Support for the weak MAC algorithm hmac-sha1 has been removed with this release. This may result is some older versions of SSH no longer working with LoadMaster.

PD-13727

WAF Rules / User Interface Resiliency: In LMOS version 7.2.47, if the download and installation of WAF rules fails due to corruption, this failure could contribute to the exhaustion of available temporary storage, which would cause the UI to become unavailable. This issue has been fixed.

PD-13712

UI Cipher Sets: Modified the UI so that Cipher Set can be named using both plus (+) and minus (-) characters.

PD-13583

FIPS Ciphers: Fixed the list of FIPS ciphers in the UI so that it is correct.

PD-13551

Single Sign On (SSO): On LMOS 7.2.47.1 only, when a virtual service configuration uses NTLM + KCD for user authentication, the connection will close and force the user to re-authenticate. The LoadMaster will also log segfault errors. This issue has been fixed.

PD-13540

VLANs on Bonded Interfaces: In previous releases, when adding or deleting VLANs on a bonded interface, connectivity on that VLAN will be lost during the operation. With this release, you can add and delete VLANs to a bonded interface without losing connectivity on the VLAN.

PD-13511

GEO: Modified how the view configuration file is generated to prevent intermittent response issues seen while using GEO with a Zone Name specified.

PD-13507

SAML: Fixed an issue where the Subject Name Identifier in the SAML response was not being handled properly, resulting in errors.

PD-13500

SSO: A colon character (:) can now be included in the Allowed Virtual Hosts value via the API and in the UI under a virtual service’s ESP Options.

PD-13496

Powershell API: A new cmdlet, Get-SSODomainQuerySession, is provided to fetch SSO domain sessions.

PD-13400

SSO: In previous releases, when Failed Login Attempts is set to ‘1’, a user will not get blocked until after 2 failed login attempts. This issue has been fixed.

PD-13276

Statistics: Fixed issues observed on some platforms where the UI and/or API were reporting differing, incorrect, or invalid values.

PD-13126

GEO: In previous releases, the DNS server returns NXDOMAIN for a query on the second level of a child domain. With this release, the NOERROR status is returned for a DNS query sent on any level of a child domain.

PD-13053

SSO: In previous releases, clicking the ‘Kill All’ button when viewing the open sessions for one SSO domain also kills all open sessions in all other SSO domains. With this release, only the open sessions associated with the domain being displayed are killed.

PD-13045

SAML: In previous releases, if there are many SAML based sessions open when trying to view open sessions, the WUI does not display the sessions and instead a segmentation fault appears in the logs. This issue has been fixed.

PD-12767

SSO: API (and UI) response times for retrieving/displaying a large number of SSO open sessions has been improved so that most queries complete in under 1 second.

PD-12384

KCD Server Authentication: Modified ticket handling to improve response times.

PD-11737

SAML & KCD: In previous releases, SAML + KCD configurations were reported to experience high CPU usage and slow response times, causing interruptions in client traffic. Improvements to KCD authentication have been made to lower CPU utilization and provide faster response times.

 

New Known Issues

The following known issues appear in these Release Notes for the first time.

PD-13904

SSO: Password expiry notifications do not currently work with Forms Based Authentication (FBA) enabled on the server side. This issue will be addressed in a future release.

 

Existing Known Issues

The following known issues appeared in the Release Notes for the previous release.

PD-12838

ESP / SSO: The ESP Permitted Group SID(s) setting is not working as expected when configured on a on a subVS.

PD-12653

Networking: A Hyper-V VLM won't boot when a 4th NIC is added.

PD-12616

WAF / Compression: With Web Application Firewall (WAF) enabled, compressed files are incorrectly decompressed. As a workaround, ensure compression is enabled in VS Advanced Properties by selecting the Enable Compression option.

PD-12492

Downgrade: If an Azure VLM is downgraded to the LTS firmware release (7.1.35.x), the WUI may display in the top right-hand corner that the VLM is a Hyper-V VLM. This indicates that the Azure VLM Add-On Package must be added to the system to provide full Azure VLM functionality. If this occurs, please contact Kemp Support to get the required add-on package.

PD-12354

Hardware Support: The LoadMasters LM-X25 and LM-X40 do not support the following SFP+ modules in this release: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000BASE-LX 1310nm, 10KM over SMF).

PD-12237

HA / NTP: Configuring NTP for the first time after the system is running in High Availability (HA) mode and when the current time on the machines is not correct, may cause the systems to both go into the Master state.

PD-12147

ESP / RADIUS: In a LoadMaster configuration with ESP and Radius server-side authentication enabled, sessions may fail to be established.

PD-12058

Browser Support: An issue exists when connecting to the LoadMaster WUI when using newer versions of the Firefox browser on initial configuration of a hardware FIPS LoadMaster.

PD-11861

RADIUS / IPv6: IPv6 is not supported by the current RADIUS implementation in the LoadMaster for both WUI Authorization and ESP Authentication.

PD-11166

Networking: Azure LoadMasters are not translating the additional network address between the Master and Slave correctly.

PD-11044

Sharepoint Virtual Services: A second authentication prompt is presented when a file is uploaded to SharePoint with the following configuration: WAF is configured with Process Responses enabled on the main Virtual Service and KCD is enabled on the SubVS level for server-side authentication.

PD-10917

HA: An issue exists when setting up a 2-armed HA Virtual LoadMaster in Azure.

PD-10784

HA: Configuring LoadMaster HA using eth1 on an Amazon Web Services (AWS) Virtual LoadMaster does not work.

PD-10586

GEO: If a GEO FQDN is configured with All Available as the Selection Criteria, IP addresses are returned even if the cluster is disabled.

PD-10490

Content Rules: The vsremovewafrule RESTful API command does not allow multiple rules to be removed.

PD-10474

Intrusion Detection: A SNORT rule is triggering a false positive in certain scenarios.

PD-10466

Hardware Support: The LoadMaster LM-X15 does not support the following SFP+ modules in this release: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000Base-LX 1310nm, 10KM over SMF).

PD-10193

Exchange 2010 Virtual Services: A WAF, ESP, and KCD configuration with Microsoft Exchange 2010 is not supported.

PD-10188

Browser Support: (Safari) When adding a Real Server to a Virtual Service or SubVS using the Safari browser, the list of available Real Servers is not available.

PD-10159

Statistics: When upgrading firmware from version 7.1.35.n, CPU and network usage graphs are not appearing. As a workaround, reset the statistics in the WUI.

PD-10136

Clustering: In a LoadMaster cluster configuration, a new node can be added with the same IP address as an existing node.

PD-10129

Virtual Services: There is a discrepancy in validation between global-level connection timeout and Virtual Service-level timeout.

PD-9854
PD-13385

WAF: When WAF is enabled, any requests received that have chunked transfer encoding enabled (e.g., POSTs) are not processed properly and are not forwarded to a real server.

PD-9816

WAF: There is an API command to list individual rules in a ruleset, but there is no command to list the available rulesets themselves.

PD-9765

GEO: DNS TCP requests from unknown sources are not supported.

PD-9507

Networking: Unable to add an SDN controller using the RESTful API/WUI in a specific scenario.

PD-9476

WAF: There is no RESTful API command to get/list the installed custom rule data files.

PD-9375

Sharepoint Virtual Services: Microsoft Office files in SharePoint do not work in Firefox and Chrome when using SAML authentication.

PD-8853

GEO: Location Based failover does not work as expected.

PD-8725

GEO: Proximity and Location Based scheduling do not work with IPv6 source addresses.


Comments