IMPORTANT
SNS 3.x versions have reached End of Maintenance since July 1st, 2024.
We recommend that you update your SNS firewalls to a version with maintenance to guarantee the protection of your infrastructure.
SNS 3.11.9 LTSB bug fixes
System
System events
Support reference 80426
System event no. 19 "LDAP unreachable" is now activated when there are issues accessing an LDAP directory defined in the firewall configuration.
IPsec VPN
Support reference 77477
IPsec configurations which included a NAT rule that applies to packets going to the tunnel and a QoS rule for traffic passing through this tunnel would flood the firewall’s memory and make the cluster unstable in a high availability configuration. This issue has been fixed.
Support reference 82729
Whenever a certificate was identified by a name (DN - Distinguished Name) longer than 128 characters, the firewall would retain only the first 128 characters. The deployment of an IPsec configuration via SMC with such a certificate would therefore fail because the DNs of the certificates do not match.
The maximum supported length is now 204 characters (technical limit).
Support reference 81471
In configurations using IPsec VPN tunnels that handle a high network load, when an ARP entry expires, network packets will no longer be lost.
Support references 82645 - 83087
In IPsec configurations that use groups containing address ranges, mounted tunnels could be interrupted when such groups were modified, generating TS_UNACCEPTABLE errors as a result. This issue has been fixed.
IPsec VPN - Routing
Support reference 80662
When a change of status is applied to a network route associated with an IPsec Security Policy, the service would sometimes shut down unexpectedly and cause the firewall to freeze. This issue has been fixed.
LDAP directory - Backup server
Support reference 80428
In an LDAP(S) configuration defined with a backup server, when:
- The firewall switched to the backup LDAP(S) server because the main server stopped responding, and
- The backup server also did not respond,
the firewall now immediately attempts to reconnect to the main server, without waiting for the 10-minute timeout defined in the factory settings.
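To make the failover behaviour described above concrete, the following Python model is an added example; it is not Stormshield code and the SNS implementation is not public. It assumes a 600-second hold-down for a main server that stopped answering (the "10-minute timeout" of the note), constructed server names, and a constructed availability timeline. The "before" behaviour keeps honouring the hold-down even when the backup server is also down, leaving no reachable directory; the fixed behaviour clears the hold-down and retries the main server at once.

```python
"""Model of LDAP(S) main/backup failover with a hold-down timer (added example)."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Assumed value: the release note only states a "10-minute timeout".
HOLD_DOWN_SECONDS = 600.0


@dataclass
class LdapFailover:
    main: str
    backup: str
    probe: Callable[[str], bool]      # returns True when the server answers
    clock: Callable[[], float]        # monotonic time in seconds
    fixed_behaviour: bool = True      # False reproduces the pre-fix behaviour
    main_down_until: float = 0.0      # hold-down deadline for the main server
    log: List[str] = field(default_factory=list)

    def select(self) -> Optional[str]:
        """Pick the directory server to use for the next LDAP(S) request."""
        now = self.clock()
        if now >= self.main_down_until:
            if self.probe(self.main):
                self.log.append(f"{now:.0f}s: main {self.main} answers")
                return self.main
            # Main server stopped responding: arm the hold-down timer.
            self.main_down_until = now + HOLD_DOWN_SECONDS
            self.log.append(f"{now:.0f}s: main down, hold-down until {self.main_down_until:.0f}s")
        if self.probe(self.backup):
            self.log.append(f"{now:.0f}s: using backup {self.backup}")
            return self.backup
        self.log.append(f"{now:.0f}s: backup down")
        if not self.fixed_behaviour:
            # Before the fix: the hold-down is respected, so no server is
            # usable until the timer expires even if main has recovered.
            return None
        # Fixed behaviour: drop the hold-down and retry main immediately.
        self.main_down_until = 0.0
        if self.probe(self.main):
            self.log.append(f"{now:.0f}s: backup down, main retried and answers")
            return self.main
        # Main still down: re-arm the hold-down and report no server.
        self.main_down_until = now + HOLD_DOWN_SECONDS
        return None


def run_scenario(fixed_behaviour: bool) -> List[Optional[str]]:
    """Replay a constructed outage timeline and return the server chosen at each step."""
    # Constructed timeline (assumption): main is down during 0-30 s and
    # recovers afterwards; backup answers until 60 s, then goes down.
    state = {"t": 0.0}

    def probe(server: str) -> bool:
        t = state["t"]
        if server == "ldap-main.example":
            return not (0.0 <= t < 30.0)
        return t < 60.0

    failover = LdapFailover(
        main="ldap-main.example",
        backup="ldap-backup.example",
        probe=probe,
        clock=lambda: state["t"],
        fixed_behaviour=fixed_behaviour,
    )
    chosen: List[Optional[str]] = []
    for t in (0.0, 60.0, 120.0):
        state["t"] = t
        chosen.append(failover.select())
    return chosen


if __name__ == "__main__":
    print("before fix:", run_scenario(fixed_behaviour=False))
    print("after fix: ", run_scenario(fixed_behaviour=True))
```

Run as written, the pre-fix model returns no usable server at 60 s and 120 s because the main server is still inside its hold-down, whereas the fixed model falls back to the recovered main server as soon as the backup stops answering.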
SNMP Agent
Support reference 81710
Memory leaks in the SNMP agent have been fixed.
Support references 81573 - 81588 - 81529
When the firewall receives an SNMP request, the response address that the SNMP agent uses is correct again and corresponds to the IP address of the firewall queried during this SNMP request.
Support reference 81710
The mechanism that manages the SNMP alarm table has been enhanced to stop OIDs from being duplicated, as this prevented some alarms from being raised.
CRL verification
Support reference 82370
When a CRL contained an object identified by a fully qualified domain name (FQDN), the firewall failed to resolve this FQDN while verifying the CRL. DNS resolution of such FQDNs now works correctly again. This regression appeared in SNS version 3.11.1.
ICMP - IPv6
Support reference 82547
In configurations that use IPv6, a concurrent-access issue could make the firewall freeze whenever it received “destination unreachable” ICMP packets. This issue has been fixed.
Network link aggregation
Support reference 82211
If a link was lost in an aggregate, a switch to a new link could not be made before a 3-second wait, thereby disrupting traffic for 3 seconds. This issue has been fixed.
High availability (HA)
Support reference 82211
The ARP cache clearing mechanism, a high availability option, has been enhanced to remove entries at the right moment. Before this fix, such entries were occasionally deleted too early, potentially causing delays in the recovery of some network traffic streams.
Support reference 80049
In high availability configurations, after a node switched from active to passive, the passive node would continue to monitor router objects in addition to HA interfaces, generating packet sending errors as a result. This issue has been fixed.
Support reference 80049
In high availability configurations, after the status of a node changed twice (active to passive, then to active again), an anomaly in the communication between several components of the gateway monitoring mechanism would generate inconsistencies in the status of monitored gateways, and in the update of routes that allow these gateways to be monitored. These issues have been fixed.
Network
Renewing a DHCP lease
Support references 82238 - 82359
When a UNICAST packet originating from port 67 and going to port 68 attempted to pass through the firewall (especially during a DHCP lease renewal), the firewall would occasionally freeze and fail to transmit the packet if the packet’s source interface and outgoing interface were not part of a bridge.
This issue can now be fixed by setting the UseAutoFastRoute parameter to Off with the following CLI/Serverd command:
CONFIG PROTOCOL TCPUDP COMMON IPS CONNECTION UseAutoFastRoute=<On|Off>
Intrusion prevention
Intrusion prevention engine statistics
Support references 79713 - 82437 - 81466
The mechanism that manages intrusion prevention engine statistics has been optimized to stop potential packet loss when these statistics are recurrently processed on a firewall handling a high network load.
Elastic Virtual Appliances (EVA)
CLI/Serverd commands
Support reference 82637
The CLI/Serverd MONITOR HEALTH command run on an EVA now returns the value N/A for absent physical modules (e.g., fan, disk, etc.) instead of Unknown, which caused an anomaly on SMC administration consoles.