GEO 2.3.48.0 Release Notes
GEO Version 2.3.48.0 is a feature enhancement and bug-fix update released in October 2019. Please read the sections below before installing or upgrading.
New Features
The following new features have been implemented.
1. Kernel Update
The kernel has been updated to version 4.14.137 of the Linux kernel.
2. Security Vulnerabilities Closed
The following security vulnerabilities have been verified as closed with the new kernel update:
3. SSO Password Reset Notification
A new option has been added to the ESP options for Virtual Services that allows you to specify that the user’s password expiration date will be checked whenever a user logs in through an SSO form. If the user’s password will expire within a configurable number of days, a warning is displayed to the user along with a link that will allow them to update their password. This new ESP option, User Password Expiry Warning, can only be enabled once the User Password Change URL setting is enabled. You can also set the number of days before password expiry that the warning will begin to appear; the default is 15 days. Please also see the New Known Issues section.
4. TCP SACK Support
In previous releases, TCP Selective Acknowledgement (TCP SACK) could be enabled on LoadMaster only by logging into the OS. With this release, you can control the TCP SACK setting in the UI and via the API. This global setting is located in the UI under System Configuration > Logging Options > System Log Files > Debug Options. Note that TCP SACK is a global setting (i.e., it affects all TCP traffic) and is disabled by default. If you change the default setting, your change persists across future LoadMaster reboots.
Change Notices
This release includes the following modifications to existing behavior that may require changes to procedures and/or scripts currently in use within your organization.
1. VMware vmxnet Network Interfaces No Longer Supported
Support for the VMware vmxnet network interface driver is removed from LoadMaster starting with this release. Customers with existing VMware deployments that use vmxnet interfaces should modify the VMware configuration of the LoadMaster to use vmxnet3 interfaces before upgrading to LMOS 7.2.48. This requires a LoadMaster reboot.
2. Weak hmac-sha1 MAC Algorithm No Longer Supported
SSH support for the weak MAC algorithm hmac-sha1 has been removed with this release. This may result in some older versions of SSH no longer working with LoadMaster.
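As a client-side check for this change (and for the matching PD-13749 entry under Issues Resolved), the following added shell script, which is not part of the release or of LoadMaster itself, flags SHA-1 and MD5 based MAC algorithms in the list an SSH client offers and confirms that an algorithm the LoadMaster still accepts remains. The algorithm list treated as weak beyond hmac-sha1 is this example's assumption.

```shell
#!/bin/sh
# Added example (not Kemp/LoadMaster code): audit the MAC algorithms an SSH
# client offers, now that the LoadMaster no longer accepts hmac-sha1.
# Input: algorithm names separated by commas or newlines, the formats printed
# by `ssh -Q mac` (one per line) and by the "macs" line of `ssh -G <host>`.

# hmac-sha1 is the algorithm the release notes name; treating the truncated,
# -etm and MD5 variants as weak as well is this example's assumption.
WEAK_MACS="hmac-sha1 hmac-sha1-96 hmac-md5 hmac-md5-96 \
hmac-sha1-etm@openssh.com hmac-sha1-96-etm@openssh.com \
hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com"

is_weak_mac() {
    for w in $WEAK_MACS; do
        [ "$1" = "$w" ] && return 0
    done
    return 1
}

# Print the weak algorithms in list $1, one per line.
weak_macs_in() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r mac; do
        if [ -n "$mac" ] && is_weak_mac "$mac"; then printf '%s\n' "$mac"; fi
    done
}

# Print the algorithms in list $1 that the LoadMaster will still accept.
strong_macs_in() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r mac; do
        if [ -n "$mac" ] && ! is_weak_mac "$mac"; then printf '%s\n' "$mac"; fi
    done
}

# Succeed if the client can still negotiate a MAC after the hmac-sha1 removal.
client_can_negotiate() {
    [ -n "$(strong_macs_in "$1")" ]
}

# Stand-alone run: use the local OpenSSH client's list when available,
# otherwise a constructed sample of an old client offering only weak MACs.
if command -v ssh >/dev/null 2>&1; then
    MACS=$(ssh -Q mac 2>/dev/null | tr '\n' ',')
else
    MACS="hmac-sha1,hmac-md5,hmac-sha1-96"    # constructed sample
fi
printf 'Weak MACs offered by this client:\n%s\n' "$(weak_macs_in "$MACS")"
if client_can_negotiate "$MACS"; then
    echo "OK: a MAC accepted by the LoadMaster remains available"
else
    echo "WARNING: this client offers only MACs the LoadMaster now rejects"
fi
```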
3. Licensing Workflows Simplified
The Licensing UI workflows have been modified and simplified for a better user experience, and so that the API and UI workflows are more consistent.
Issues Resolved
The following issues have been resolved in this release.
PD-13816 | GEO: In previous releases, the DNS server returned NXDOMAIN or NODATA when disabled IPv4 or IPv6 records (i.e., sites) were present in the configuration. The DNS server behavior has been modified so that it returns NOERROR in these cases.
PD-13808 | Licensing API: For consistency, the aslactivate() and alsilicense() routines now accept either licensetypeid or lic_type_id as the parameter specifying the license type.
PD-13785 | User Interface: Fixed an issue that caused spurious text to appear at the bottom of the Certificates & Security > Remote Access UI when the Admin Login Method was modified.
PD-13776 | User Interface LDAP Login: Fixed an issue where access was denied by some LDAP servers when specifying permitted groups.
PD-13752 | User Interface: Modified the UI so that the date/time format on the Home page and the Update License page are the same.
PD-13750 | WAF API: Fixed an issue with the maninstallwafrules() API returning ‘Unknown Command’ even though the API call had executed successfully.
PD-13749 | Security / SSH: Support for the weak MAC algorithm hmac-sha1 has been removed with this release. This may result in some older versions of SSH no longer working with LoadMaster.
PD-13727 | WAF Rules / User Interface Resiliency: In LMOS version 7.2.47, if the download and installation of WAF rules failed due to corruption, the failure could contribute to the exhaustion of available temporary storage, which caused the UI to become unavailable. This issue has been fixed.
PD-13712 | UI Cipher Sets: Modified the UI so that a Cipher Set can be named using both plus (+) and minus (-) characters.
PD-13583 | FIPS Ciphers: Corrected the list of FIPS ciphers shown in the UI.
PD-13551 | Single Sign On (SSO): On LMOS 7.2.47.1 only, when a Virtual Service configuration used NTLM + KCD for user authentication, the connection closed and forced the user to re-authenticate, and the LoadMaster also logged segfault errors. This issue has been fixed.
PD-13540 | VLANs on Bonded Interfaces: In previous releases, when adding or deleting VLANs on a bonded interface, connectivity on that VLAN was lost during the operation. With this release, you can add and delete VLANs on a bonded interface without losing connectivity on the VLAN.
PD-13511 | GEO: Modified how the view configuration file is generated to prevent intermittent response issues seen while using GEO with a Zone Name specified.
PD-13507 | SAML: Fixed an issue where the Subject Name Identifier in the SAML response was not handled properly, resulting in errors.
PD-13500 | SSO: A colon character (:) can now be included in the Allowed Virtual Hosts value via the API and in the UI under a Virtual Service’s ESP Options.
PD-13496 | PowerShell API: A new cmdlet, Get-SSODomainQuerySession, is provided to fetch SSO domain sessions.
PD-13400 | SSO: In previous releases, when Failed Login Attempts was set to ‘1’, a user was not blocked until after 2 failed login attempts. This issue has been fixed.
PD-13276 | Statistics: Fixed issues observed on some platforms where the UI and/or API reported differing, incorrect, or invalid values.
PD-13126 | GEO: In previous releases, the DNS server returned NXDOMAIN for a query on the second level of a child domain. With this release, the NOERROR status is returned for a DNS query sent on any level of a child domain.
PD-13053 | SSO: In previous releases, clicking the ‘Kill All’ button when viewing the open sessions for one SSO domain also killed all open sessions in all other SSO domains. With this release, only the open sessions associated with the domain being displayed are killed.
PD-13045 | SAML: In previous releases, if many SAML-based sessions were open when trying to view open sessions, the WUI did not display the sessions and a segmentation fault appeared in the logs instead. This issue has been fixed.
PD-12767 | SSO: API (and UI) response times for retrieving/displaying a large number of SSO open sessions have been improved so that most queries complete in under 1 second.
PD-12384 | KCD Server Authentication: Modified ticket handling to improve response times.
PD-11737 | SAML & KCD: In previous releases, SAML + KCD configurations were reported to experience high CPU usage and slow response times, causing interruptions in client traffic. Improvements to KCD authentication have been made to lower CPU utilization and provide faster response times.
New Known Issues
The following known issues appear in these Release Notes for the first time.
PD-13904 | SSO: Password expiry notifications do not currently work with Forms Based Authentication (FBA) enabled on the server side. This issue will be addressed in a future release.
Existing Known Issues
The following known issues appeared in the Release Notes for the previous release.
PD-12838 | ESP / SSO: The ESP Permitted Group SID(s) setting is not working as expected when configured on a SubVS.
PD-12653 | Networking: A Hyper-V VLM won't boot when a 4th NIC is added.
PD-12616 | WAF / Compression: With Web Application Firewall (WAF) enabled, compressed files are incorrectly decompressed. As a workaround, ensure compression is enabled in VS Advanced Properties by selecting the Enable Compression option.
PD-12492 | Downgrade: If an Azure VLM is downgraded to the LTS firmware release (7.1.35.x), the WUI may display in the top right-hand corner that the VLM is a Hyper-V VLM. This indicates that the Azure VLM Add-On Package must be added to the system to provide full Azure VLM functionality. If this occurs, please contact Kemp Support to get the required add-on package.
PD-12354 | Hardware Support: The LoadMasters LM-X25 and LM-X40 do not support the following SFP+ modules in this release: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000BASE-LX 1310nm, 10KM over SMF).
PD-12237 | HA / NTP: Configuring NTP for the first time after the system is running in High Availability (HA) mode, when the current time on the machines is not correct, may cause both systems to go into the Master state.
PD-12147 | ESP / RADIUS: In a LoadMaster configuration with ESP and RADIUS server-side authentication enabled, sessions may fail to be established.
PD-12058 | Browser Support: An issue exists when connecting to the LoadMaster WUI using newer versions of the Firefox browser during initial configuration of a hardware FIPS LoadMaster.
PD-11861 | RADIUS / IPv6: IPv6 is not supported by the current RADIUS implementation in the LoadMaster for both WUI Authorization and ESP Authentication.
PD-11166 | Networking: Azure LoadMasters are not translating the additional network address between the Master and Slave correctly.
PD-11044 | SharePoint Virtual Services: A second authentication prompt is presented when a file is uploaded to SharePoint with the following configuration: WAF is configured with Process Responses enabled on the main Virtual Service and KCD is enabled at the SubVS level for server-side authentication.
PD-10917 | HA: An issue exists when setting up a 2-armed HA Virtual LoadMaster in Azure.
PD-10784 | HA: Configuring LoadMaster HA using eth1 on an Amazon Web Services (AWS) Virtual LoadMaster does not work.
PD-10586 | GEO: If a GEO FQDN is configured with All Available as the Selection Criteria, IP addresses are returned even if the cluster is disabled.
PD-10490 | Content Rules: The vsremovewafrule RESTful API command does not allow multiple rules to be removed.
PD-10474 | Intrusion Detection: A SNORT rule is triggering a false positive in certain scenarios.
PD-10466 | Hardware Support: The LoadMaster LM-X15 does not support the following SFP+ modules in this release: LM-SFP-SX (SFP+ SX Transceiver 1000BASE-SX 850nm, 550m over MMF), LM-SFP-LX (SFP+ LX Transceiver 1000BASE-LX 1310nm, 10KM over SMF).
PD-10193 | Exchange 2010 Virtual Services: A WAF, ESP, and KCD configuration with Microsoft Exchange 2010 is not supported.
PD-10188 | Browser Support: (Safari) When adding a Real Server to a Virtual Service or SubVS using the Safari browser, the list of available Real Servers is not available.
PD-10159 | Statistics: When upgrading firmware from version 7.1.35.n, CPU and network usage graphs are not appearing. As a workaround, reset the statistics in the WUI.
PD-10136 | Clustering: In a LoadMaster cluster configuration, a new node can be added with the same IP address as an existing node.
PD-10129 | Virtual Services: There is a discrepancy in validation between the global-level connection timeout and the Virtual Service-level timeout.
PD-9854 | WAF: When WAF is enabled, any requests received that use chunked transfer encoding (e.g., POSTs) are not processed properly and are not forwarded to a Real Server.
PD-9816 | WAF: There is an API command to list individual rules in a ruleset, but there is no command to list the available rulesets themselves.
PD-9765 | GEO: DNS TCP requests from unknown sources are not supported.
PD-9507 | Networking: Unable to add an SDN controller using the RESTful API/WUI in a specific scenario.
PD-9476 | WAF: There is no RESTful API command to get/list the installed custom rule data files.
PD-9375 | SharePoint Virtual Services: Microsoft Office files in SharePoint do not work in Firefox and Chrome when using SAML authentication.
PD-8853 | GEO: Location Based failover does not work as expected.
PD-8725 | GEO: Proximity and Location Based scheduling do not work with IPv6 source addresses.