SNS 4.6.6 bug fixes

System

IPsec VPN

Support reference 84823 - 84437

The half_open_timeout parameter can now be customized using the CLI/Serverd command CONFIG IPSEC UPDATE HalfOpenTimeout=<value> (30 seconds by default).

This parameter defines the period after which an incomplete IKE association (for example, one still pending authentication of the IPsec client) is deleted.

Support reference 84701

In an IPsec configuration such as the following:

  • One of the remote networks overlapped with a local network directly connected or reachable via a static route,
  • The remote network in question was not placed in the first position in the IPsec policy,
  • The BypassLocalTraffic option was enabled (using the CLI/Serverd command CONFIG IPSEC UPDATE slot=<1-10> BypassLocalTraffic=1).

The corresponding IPsec phase 2 negotiations would not be saved in the Security Policy Database and the tunnel would not set up. This issue has been fixed.
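The three triggering conditions above can be checked offline before relying on the fix. The following script is an added example, not Stormshield code or output: it takes a list of local networks (directly connected or reachable via a static route) and the ordered remote networks of one IPsec policy slot, reports every remote network that overlaps a local one together with its position in the policy, and flags the combination described in support reference 84701. The network lists and the BypassLocalTraffic flag are constructed sample values, not read from a firewall.

```python
import ipaddress

# Constructed sample data (not taken from the page): local networks that are
# directly connected or reachable through a static route, and the remote
# networks of one IPsec policy slot, in policy order.
LOCAL_NETWORKS = ["192.168.1.0/24", "10.10.0.0/16"]
REMOTE_NETWORKS = ["172.16.5.0/24", "10.10.20.0/24", "192.168.2.0/24"]


def overlapping_remote_networks(local, remote):
    """Return one (index, remote_net, local_net) tuple for each remote network
    that overlaps a local network. index is the 0-based position of the remote
    network in the IPsec policy, so index 0 means "first position"."""
    local_nets = [ipaddress.ip_network(n, strict=False) for n in local]
    hits = []
    for idx, r in enumerate(remote):
        rnet = ipaddress.ip_network(r, strict=False)
        for lnet in local_nets:
            # ip_network.overlaps() only compares networks of the same family.
            if rnet.version == lnet.version and rnet.overlaps(lnet):
                hits.append((idx, str(rnet), str(lnet)))
    return hits


def matches_84701(local, remote, bypass_local_traffic):
    """True when the configuration matches all three conditions of support
    reference 84701: BypassLocalTraffic is enabled, a remote network overlaps
    a local network, and that remote network is not first in the policy."""
    if not bypass_local_traffic:
        return False
    return any(idx != 0 for idx, _, _ in overlapping_remote_networks(local, remote))


if __name__ == "__main__":
    for idx, rnet, lnet in overlapping_remote_networks(LOCAL_NETWORKS, REMOTE_NETWORKS):
        print(f"remote {rnet} (policy position {idx + 1}) overlaps local {lnet}")
    print("matches 84701 with BypassLocalTraffic=1:",
          matches_84701(LOCAL_NETWORKS, REMOTE_NETWORKS, True))
```

On the sample data the script reports the second remote network, 10.10.20.0/24, as overlapping the local 10.10.0.0/16; with BypassLocalTraffic enabled this is exactly the layout the fix addresses. Moving that remote network to the first position, or leaving BypassLocalTraffic disabled, makes the check return False.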

IPsec VPN - IKEv1 - Certificate authentication and XAuth

Support reference 84775

During the setup of an IKEv1 IPsec tunnel with certificate authentication and XAuth, user groups are now correctly saved in the intrusion prevention engine's tables. Such groups can once again be used in filter rules. This regression appeared in SNS version 4.2.

IPsec VPN - DR mode

Support reference 85051

For tunnels in DR mode, CREATE_CHILD_SA exchanges now complete, and the renegotiation of the Child SA keys in phase 1 no longer fails.

Kerberos authentication and TOTP

Support reference 84859

In configurations that use Kerberos authentication and TOTP, the OTP code field is now correctly displayed in the captive portal. When a user logs in, the error "TOTP code missing" no longer appears.

Certificate-based authentication

Support reference 84981

In configurations that use certificate authentication, and which have a backup LDAP directory configured, the lack of a response from the main LDAP server will now trigger the switch to the backup LDAP server.

Elastic Virtual Appliances (EVA)

Support reference 84714

The hyper-threading mechanism is enabled by default again on EVAs that have the expected number of virtual CPUs. This regression appeared in SNS version 4.2.

Multicast packets

Support reference 85180

When the intrusion prevention engine rewrote multicast packets, it could result in a double de-referencing that would cause the firewall to unexpectedly restart. This issue has been fixed.

Web administration interface

VLAN interfaces

Support reference 84822

VLANs would fail to be created if they were attached to an interface whose name exceeded 10 characters. This was due to the fact that, after the web administration interface imposed a shorter generated name for the VLAN, the VLAN would appear in the list of interfaces but would not actually be created. It was then impossible, for example, to assign a fixed IP address to it. This issue has been fixed.