SNS 4.3.11 bug fixes

System

High availability - IPsec VPN

Support references 84273 - 84460

An issue regarding the synchronization of Security Associations (SA) during a switch in a cluster, which could cause IPsec VPN tunnels to malfunction, has been fixed.

High availability (HA) - Synchronization

Support reference 84340

The HA synchronization mechanism no longer causes errors when it does not detect the file relating to the backtracking mechanism for configurations deployed via SMC.

IPsec VPN

The keepalive function on IPsec VPN tunnels in IPv6 has been removed to improve the stability of IPsec tunnels.

IPsec VPN through a dialup default gateway

Support reference 84631

When the default gateway is based on a PPPoE modem (dialup connection), IPsec tunnels set up through this default gateway now recover correctly after the dialup connection goes down temporarily and recovers.

Log management mechanism

Support references 84605 - 84577

Issues regarding memory leaks in the log management mechanism, which could cause it to shut down unexpectedly, have been fixed.

DMA remapping (DMAR) on SN1100 firewalls

The DMAR mechanism was optimized to improve performance and allow core dump files to be obtained for the purpose of analysis when issues arise on the firewall.

Static routing - IPsec VPN

Support reference 84507

When filter rules are reloaded after a static route used by an IPsec tunnel is changed, the firewall's static route engine no longer runs the risk of shutting down unexpectedly.

Bird dynamic routing

Support reference 84337

Networks declared in Bird dynamic routing are once again classified correctly as protected networks in the intrusion prevention engine, and no longer wrongly raise an alarm regarding an IP spoofing attempt. This regression appeared in SNS version 4.3.

Restoration of the SNS firewall configuration or configuration deployment via SMC

Support reference 84630

An issue preventing configurations from being restored on the SNS firewall or new configurations from being deployed on the SNS firewall via the SMC server has been fixed. This issue generated the error "Unable to move restored files to their final location".

Network

8-port RJ45 module

Support reference 82270

When an unexpected freeze on the 8-port RJ45 network module is detected, the firewall will be automatically restarted to allow this module to reconnect to the network.

Web administration interface

HTML tags in log messages

Support reference 84494

When the web administration interface detects HTML tags in error messages associated with certain log entries, it no longer wrongly displays the error message "XSS protection: HTML tag found in following commands".

Certificates and PKI

Support reference 84470

Attempts to generate the CRL of a sub-certification authority no longer wrongly require the root certification authority's private key and no longer cause a system error.

Certificates and PKI - CRL distribution points (CRLDP)

Support reference 84618

When CRLDPs were added (Objects > Certificates and PKI > Certificate profiles tab of the selected CA), the option to Enable regular retrieval of certificate revocation lists (CRL) was no longer offered. This anomaly, which could prevent certificate-based IPsec tunnels from being set up, has been fixed.