IMPORTANT
SNS 3.x versions reached End of Maintenance on July 1st, 2024.
We recommend that you update your SNS firewalls to a version with maintenance to guarantee the protection of your infrastructure.
SNS 3.7.21 LTSB bug fixes
System
System events
Support reference 80426
System event no. 19 "LDAP unreachable" is now activated when there are issues accessing an LDAP directory defined in the firewall configuration.
IPsec VPN
Support reference 77477
IPsec configurations which included a NAT rule that applies to packets going to the tunnel and a QoS rule for traffic passing through this tunnel would flood the firewall’s memory and make the cluster unstable in a high availability configuration. This issue has been fixed.
Support reference 82403
When "INITIAL-CONTACT sent" and "INITIAL-CONTACT received" logs were sent via Syslog, they could cause major slowdowns when tunnels were being negotiated. This issue, which affected SN200, SN300, SN500, SN510, SN700, SN710, SN900, SN910, SN2000, SN2100, SN3000, SN3100, SN6000, SN6100, SNi40, U30S, U70S, U150S, U250S, U500S and U800S model firewalls, has been fixed.
Support reference 81471
In configurations using IPsec VPN tunnels that handle a high network load, when an ARP entry expires, network packets will no longer be lost.
IPsec VPN - Routing
Support reference 80662
When a change of status is applied to a network route associated with an IPsec Security Policy, the service would sometimes shut down unexpectedly and cause the firewall to freeze. This issue has been fixed.
LDAP directory - Backup server
Support reference 80428
In an LDAP(S) configuration defined with a backup server, when:
- The firewall switched to the backup LDAP(S) server because the main server stopped responding, and
- The backup server also does not respond,
The firewall will then immediately attempt to connect to the main server again without waiting for the 10-minute timeout defined in factory settings.
SNMP Agent
Support reference 81710
Issues with memory leaks on the SNMP agent have been fixed.
Support reference 81573 - 81588 - 81529
When the firewall receives an SNMP request, the response address that the SNMP agent uses is correct again and corresponds to the IP address of the firewall queried during this SNMP request.
Support reference 81710
The mechanism that manages the SNMP alarm table has been enhanced to stop OIDs from being duplicated, as this prevented some alarms from being raised.
High availability (HA)
Support reference 80049
In high availability configurations, after a node switched from active to passive, the passive node would continue to monitor router objects in addition to HA interfaces, generating packet sending errors as a result. This issue has been fixed.
Support reference 80049
In high availability configurations, after the status of a node changed twice (active to passive, then to active again), an anomaly in the communication between several components of the gateway monitoring mechanism would generate inconsistencies in the status of monitored gateways, and in the update of routes that allow these gateways to be monitored. These issues have been fixed.
Network
Renewing a DHCP lease
Support references 82238 - 82359
When a UNICAST packet originating from port 67 and going to port 68 attempted to pass through the firewall (especially during a DHCP lease renewal), the firewall would occasionally freeze and fail to transmit the packet if the packet’s source and outgoing interface were not part of a bridge.
This issue can now be fixed by changing the value of the UseAutoFastRoute parameter to Off with the following CLI/Serverd command:
CONFIG PROTOCOL TCPUDP COMMON IPS CONNECTION UseAutoFastRoute=<On|Off>
Intrusion prevention
Intrusion prevention engine statistics
Support references 79713 - 82437 - 81466
The mechanism that manages intrusion prevention engine statistics has been optimized to stop potential packet loss when these statistics are recurrently processed on a firewall handling a high network load.