SNS 4.3.19 LTSB bug fixes

System

IPsec VPN

Support reference 84701

In an IPsec configuration in which:

  • One of the remote networks overlapped with a local network directly connected or reachable via a static route,
  • The remote network in question was not placed in the first position in the IPsec policy,
  • The BypassLocalTraffic option was enabled (using the CLI/Serverd command CONFIG IPSEC UPDATE slot=<1-10> BypassLocalTraffic=1).

The corresponding IPsec phase 2 negotiations would not be saved in the Security Policy Database and the tunnel would not be set up. This issue has been fixed.

IPsec VPN - DR mode

Support reference 85051

For tunnels in DR mode, CREATE_CHILD_SA requests now end, and the renegotiation of the Child SA keys in phase 1 no longer fails.

Proxy

Support reference 84971

An issue regarding competing access in the management of connection source ports, which caused the proxy to suddenly freeze, has been fixed.

Certificate-based authentication

Support reference 84981

In configurations that use certificate authentication, and which have a backup LDAP directory configured, the lack of a response from the main LDAP server will now trigger the switch to the backup LDAP server.

Intrusion prevention engine

High availability - SCTP protocol

Support reference 85118

SCTP associations are now correctly synchronized when the corresponding SCTP traffic follows a filter rule that has an IP address as its destination.

Filter - NAT

Support references 85004 - 85061 - 85072 - 85131 - 85132 - 85133 - 85142 - 85157 - 85173 - 84957 - 84667 - 84955

When the filter policy is reloaded after a rule that contains address translation is edited, the firewall will no longer unexpectedly freeze.

Elastic Virtual Appliances (EVA)

Support reference 84714

The hyper-threading mechanism is enabled by default again on EVAs that have the expected number of virtual CPUs. This regression appeared in SNS version 4.2.

Web administration interface

VLAN interfaces

Support reference 84822

VLANs would fail to be created if they were attached to an interface whose name exceeded 10 characters. The web administration interface imposed a shorter generated name for the VLAN, which would then appear in the list of interfaces without actually being created. As a result, it would not be possible, for example, to assign a fixed IP address to it at the end of these operations. This issue has been fixed.