SNS 4.3.21 LTSB bug fixes

System

IPv6 Bird dynamic routing

Support reference 84849

Whenever OSPFv6 or BGPv6 peers could not be reached, enabling IPv6 Bird dynamic routing would cause excessive consumption of memory buffers. This issue has been fixed.

Static routing

Support references 85213 - 85027 - 85218

An anomaly in the mechanism that reloads IPsec policies has been fixed to prevent potential failures while loading static routes.

Storage devices

Support references 84901 - 85018 - 85145

Issues that could result in SN2100 and SN3100 firewalls unexpectedly shutting down have been fixed by updating the firmware of the system storage device.

SD-WAN

Support references 84839 - 85165

If no changes have been made, the firewall no longer wrongly generates a “Remote host unreachable” log entry for every static route when its network configuration is being reloaded.

Interfaces - Object database

Support references 85267 - 85294

When an interface has no IP address (for example, a dialup interface that has not yet reconnected after the firewall restarts), the Firewall_ and Network_ objects linked to this interface are now regenerated automatically. This regression, which first appeared in SNS version 4.3.19 LTSB, would prevent the filter policy from being loaded.

Authentication - SSO agent

Support reference 85133

In configurations that use SSO agent authentication based on a main external LDAP directory and a backup external LDAP directory, switching from the main directory to the backup directory would cause the authentication engine to unexpectedly shut down. This issue has been fixed.

IPsec VPN

Support references 85095 - 85252

Firewalls on which the option Do not initiate the tunnel (Responder only) is enabled no longer wrongly generate phase 1 re-authentication requests.

Network

You can now configure how frequently ARP requests will be sent to a gateway so that ARP entries on the SNS firewall never expire. This makes it possible to prevent packet loss in some specific cases.

Intrusion prevention engine

SSLProtocol

Even though the alarm "Invalid SSL packet" (ssl alarm:118) is set to pass (alarm that does not block packets), packets that raise this alarm would wrongly stop the SSL protocol analysis. This anomaly has been fixed.

UDP

Support references 84913 - 85142 - 85157

An issue in the analysis of some UDP packets that could cause the firewall to shut down unexpectedly has been fixed.

LDAP protocol

Support reference 83800

The alarm "Possible attack on capacity" (alarm ip:91) is no longer wrongly raised when a CRL larger than 128 KB is downloaded via an LDAP request.

High availability - SCTP protocol

If the properties of the source and destination hosts of an SCTP association are not available when the association is synchronized among the members of the cluster, the SCTP association in question is no longer deleted; instead, a new attempt to synchronize it is scheduled.

Web administration interface

Monitoring

Support reference 84535

Expanding a category in the Reports section of the Monitoring tab no longer wrongly takes the user back to the previous screen.

Certificates and PKI - TPM

Support references 84223 - 84462

On firewalls with TPMs that have not been initialized, the health status of the TPM would indicate a minor alarm, and any attempt to access the Certificates and PKI module would show a message asking the administrator to initialize the TPM. Administrators can now click on the button found in this message to stop reminders and switch off the minor alarm.