Description
Announcing ExOS 7.0.1Notes:
- Please read the note below about Monitoring changes.
- The supported upgrade path is to upgrade to 6.4.3 or later first. Then upgrade to 7.0.1.
- The upgrade from 6.4.3 may take longer than normal due to the database upgrade that takes place.
- v7.0.x will only accelerate with peers running 6.4.3 and later due to a change to the exinda internal protocol
- If you are installing v7.0.x into an x800 estate, the best approach is to upgrade your core box to 6.4.3 and then install v7 on one or more branch offices.
- This allows all the existing appliances to accelerate to the core appliance and allows the v7 appliance(s) to accelerate to the core box running 6.4.3
- New images for the Virtual appliances are not available. To install a new virtual appliance running 7.0.1, please first install 6.4.3 and upgrade to 7.0.1.
Platforms:
- 2061, 4010, 4061, 6060, 6062, 8060, 8062, 10060, 10062, Virtual
Supported upgrade versions:
- 7.0.0
- 6.4.3, 6.4.4, 6.4.5
Link to download the update:
- This release is free for people with Premium Maintenance and a paid upgrade for people with Basic Maintenance.
- See your Sales Rep or Contact Support for a link.
- 7.0.1 Update 1
- Image Size: 621,666,992 bytes
- MD5: ca28f0521be3fa8a0d908ddf8e58e13c
- 7.0.1
- Image Size: 621,262,051 bytes
- MD5: 99650379af27a191b36260e3d6e42715
Major Features
Graphing is now base 1000
To keep consistent with networking standards our definition of 1Mbps and 1Gbps have changed from being 1024 based to being 1000 based. As of this 6.5.3 Update 10, 6.4.5 Update 1 and 7.0.1, the following equalities are used for monitoring:
1 Mbps = 1000 KpbsThe ramification of this change is that if you had previous set up your policies and virtual circuits to show round Mbps and Gbps values by using 1024 based multiples of kbps, then monitoring will now show those values as 2.4% higher for Mbps values and 4.8% higher for Gbps values. If you require the graphing to show round Mbps and Gbps values, then you should change the settings of your Policies, Virtual Circuits and Circuits to be multiples of 1000 rather than 1024. License values for the current models have not been affected.
1 Gbps = 1000 Mbps
Graphing of a single application (B-03586)
On the Monitor -> Application page you can now select any of the applications from the Data Details tables and show the throughput over time for that application. Previously the only way to see throughput over time for an application was if that application was in the top 10. Now any application can be selected as long as it had traffic in the time period you were investigating. You can see the description of how to use the new feature in the context sensitive help for the Application page.
A new Policy Action for HTML Responses (B-03747)
A new policy action has been added. By selecting the new policy action of HTML Response, the source computer will be given an HTML response specified in the policy. This is useful when coupled with Adaptive Response. When a user has exceeded their usage, they are put into a specified network object. All users that are in that network object can be directed to a new policy with the HTML Response policy action so that when they try to visit an HTTP site, they will be given back a custom HTML page that can explain that they have exceeded their quota.
You can find this new feature documented in the online help on the policy documentation page.
You can also find some sample use cases in the online documentation.
A new Policy Action for HTTP redirect (B-03745)
A new policy action has been added. By selecting the new policy action of HTTP redirect, any http traffic from a source computer will be responded to with a redirection to the specified URL. This is useful for implementing a captive portal solution when combined with the AD user integration API.
You can find this new feature documented in the online help on the policy documentation page.
You can also find some sample user cases in the online documentation.
Time based Adaptive Response (B-03748)
The Adaptive Response feature has been extended to allow quotes based on Time. Adaptive Response objects could previously be defined in terms of the volume of data a user consumes. With this version, the quota can be defined in terms of data volume, elapsed time, or an amount of data volume or time consumed, whichever comes first. The time is tracked in increments of 5 minutes and starts counting down from the first flow for the defined user.
The online documentation for defining Adaptive Response objects has been updated.
Application Definition based on DSCP values (B-03743)
The Application Object definition has been extended to include DSCP marks. This allows you to define an Application object based on a single DSCP mark, multiple DSCP marks or a range of DSCP marks. In previous versions of the firmware, DSCP marks could be used as part of the policy definition independent of Application definition. This allowed QoS based on DSCP marks, however, the reporting based on DSCP marks was not as complete and robust as that of applications. By defining an Application object based on DSCP marks, all application reporting can be used to track traffic with particular DSCP marks.
You can read about how to define applications with DSCP marks in the online help page for application definition.
Updated Layer 7 Signatures (B-03952)
- New Applications:
- 360 Mobile Security
- Foursquare
- iLive.to
- Net2Phone
- Tumblr
- Vine
- New Protocols
- Tango subtypes: "IM" and "File-Transfer"
- Improved Signatures
- Armagetron
- BitTorrent
- Demand5
- eDonkey
- FiCall
- Flickr
- GaduGadu
- Gmail
- GTP
- Hotmail
- HTTP
- IRC
- iTV
- L2TP
- Live.com
- Netflix
- Oscar
- RTP
- Scydo
- SIP
- Skinny
- Skype
- SMB
- Steam
- Tango
- TeamViewer
- UltraSurf
- Vimeo
- WindowsMedia
- Yahoo
- YourFreedom
- YouTube
Bug Fixes and minor improvements
- 7.0.1 includes all fixes and changes up to and including 6.4.3 Update 10 and 6.4.5 Update 1
- [D-02908] In a cluster environment with devices using Wan Memory (x800 licenses), the yellow strips and the graphics indicating if the flow is local or remote was not consistent and accurate. This has been modified to be completely consistent and accurate. As a result, new icons on the real-time conversation screen have been introduced to convey the proper information. The letter in the icon indicates if the flow entered the cluster on the local node or a remote node. The colour of the icon indicates if the flow is being accelerated locally or remotely. If it is being accelerated locally, the background colour will be yellow.
- A green background L indicates that the flow is locally bridged and remotely accelerated. This means that the flow entered the cluster on the node that you are viewing and was passed to a different node in the cluster for acceleration processing.
- A brown background R indicates that the flow is remote bridged and remotely accelerated. Note that it doesn't mean that the same machine that is bridging the flow is also accelerating the flow.
- A yellow background L indicates that the flow is locally bridged and locally accelerated.
- A yellow background R indicates that the flow is remote bridged and locally accelerated.
- [D-02978] Removed a duplicate email event for paging-high.
- [D-03050] Added missing CLI configuration for scheduling PDF reports directly from monitoring pages. Now when scheduling PDF reports directly from a monitoring page, the details of these reports is accurately captured in the CLI configuration. You can now use these CLI command: report pdf NAME custom-url URL to schedule the reports. The URL parameter is the URL of the monitoring page to schedule.
- [D-03172] fixed a bug where the Hosts PDF report could show the wrong data for Internal hosts. The pie chart was correct but the corresponding table was showing external hosts.
- [D-03173] fixed a memory leak when the cluster link gets congested and information can not be shared between cluster members in a timely manner.
- [D-03178] Fixed an issue where the system would restart unexpectedly when in a cluster doing acceleration.
- [D-03228] Reverted: New versions of Ubuntu are using extensions to SMB. When these extensions are in use, acceleration was disabled. Acceleration has been enhanced to understand these extensions and take advantage of them in acceleration. The result is SMB flows from a wider variety of client and server types will be accelerated. This fix caused an issue with accelerating to Windows XP clients. Another fix is being worked on that will properly fix the Ubuntu issue and the Windows XP issue.
- [D-03275] fixed an issue where the diagnostic tool kdump was not working in 6.4.5 and 7.0.1. The diagnostic tool works again. Use this tool only as directed by Exinda's TAC team
- [D-03285] When manufacturing a machine with a version after 6.4.2, the Anonymous proxy URL was incorrect. This resulted in [D-02222] and the work around listed for that bug. The root cause has been fixed and the Anonymous proxy URL is always correct now during upgrades and manufacturing.
- [D-03298] Fixed an issue that prevented SMB pre-population from working. With 6.4.5 and 7.0.1 the SMB pre-population jobs were failing.
- [D-03357] Fixed an issue where WCCP would suffer from poor performance due to retransmissions.
- [D-03364] Starting with 7.0.1, the prioritization graph is empty and hence the prioritization value on the dashboard was always reporting 0%. This has been addressed in 7.0.1 Update 1. The prioritization graph is populated again and the prioritization rate is being reported correctly on the dashboard.
- [D-03367] Fixed an issue where the bar graph in the chart on the control page may show greater than 100%. This was a display anomaly only. The throughput for the policy was accurately being capped at the policy limits
- [D-03449] Fixed an issue where port ranges stopped working in application objects after an update to 6.4.5 or 7.0.1.
- [D-03451] Fixed an issue with acceleration where UDP packets that were VLAN tagged and needed to be fragmented were being sent corrupted.
- [D-03521] Fixed an issue where multi-per-vc queuing mode did not distribute the shaping queues properly after an upgrade to 6.4.5 and 7.0.1. The result is that multi-per-vc did not provide the proper shaping.
7.0.1
- [B-04035] Support for a new filesystem has been added. This isn't being used in this version. It has been added to allow upgrades to and downgrades from new versions in the future. Once you have upgraded to 7.0.1, you will be able to install this newer format in the future. The advantage of the newer format will be significantly smaller install image.
- [B-04098] A new option has been added to the Virtual Circuit PDF report to provide a separate Peak vs Average Throughput report. This new graph displays two line graphs, one for the Peak throughput (maximum throughput seen in a 10 second sample) and the other is the throughput of traffic averaged over the time range (bytes seen during the sample period divided by the sample period duration). An option for this new graph is the scale on the Y axis. If the Y axis is requested in Kbps, then the Y axis will show the absolute throughput seen. If the Y axis is requested as a percent, then the Y axis will be 0 - 100%, where 100% represents the maximum bandwidth of the virtual circuit or circuit. If "All" is selected as the Virtual Circuit, then the peak vs average will be displayed for the circuit that.
- [B-04135] The CA certificates have been updated from CA bundle v63/2010 to v97/2013. There were also numerous fixes done around handling importing and exporting of certificates.
- [D-02060] when setting private keys using web https customssl privatekey, these keys were dumped in the configuration when doing a show config. This has been changed to handle these private keys like other private keys in the system and are no longer dumped out with the configuration.
- [D-02454] Removed the table of all VCs from the single VC PDF report. Previously when creating a PDF of a single VC, there was a page left in the report that listed all the VCs configured on the appliance and their sizes. This has been removed when only a single VC is being included in the report.
- [D-02636] Exporting configuration as a binary file exported the objects in the wrong order preventing import of the configuration. This has been addressed, objects are now written in the correct order for proper importing.
- [D-02664] When using the configuration text fetch command, the resulting file would be named "false" rather than the name specified. This behaviour has been fixed so that the filename specified is now the filename that is used.
- [D-02681] When doing an upgrade of the firmware the screen would either continuously display the spinning wait cursor, or would not show the spinning cursor at all. The only way to see the status of the upgrade was to refresh the page. This has been fixed and the screen now auto-refreshes to correctly show the status.
- [D-02686] Fixed an issue that was preventing the interfaces of multiple bridges from having the same VLAN ID. It is now possible to assign the same VLAN id to multiple bridges.
- [D-02797] The command "factory default keep-connect" has been modified to keep the VLAN ID information tied to sub-interfaces on bridges.
- [D-02799] When creating a policy if you set the guaranteed bandwidth to be a percentage but do not set the burst bandwidth, the resulting policy would have the burst bandwidth set to 2048%. This has been fixed.
- [D-02837] An issue has been fixed that prevented disabling SSH access from the Web UI.
- [D-02846] Fixed an issue where the appliance would become temporarily unresponsive and no monitoring data would be available if upgrading from an earlier 6.4.3 Update and you have a large number of policies and virtual circuits (more than 1500 policies)
- [D-02872] An "_" was not accepted as a valid character for a Windows Domain name. This has been fixed.
- [D-02875] When loading config that has a FQDN in it and the device has no connectivity to the DNS server, the CLI becomes very slow as the system tries to resolve the name. The work around is to set config that requires a FQDN after the device has connectivity to a DNS server.
- [D-02927] show config has been modified to show the current state of link-state mirroring when it has been changed from the default value. Previously it was not being shown in show config.
- [D-02938] Occasionally exporting a configuration through CLI commands would output quote characters as an escaped character sequence. This would then prevent that configuration from being successfully imported. This export issue has been fixed.
- [D-02960] Improved the optimizer startup time when the configuration has lots of policies (more than 1500).
- [D-02997] Addressed a UI performance issue when the configuration has more than 1500 policies.
- [D-03028] When using the latest Microsoft Operating systems, some SMB traffic was being classified as NETBIOS traffic. This has been corrected.
- [D-03040] The system disk was filling up with the URL logging data when this option was enabled. This has been corrected.
- [D-03041] SMB wasn't accelerating traffic to newer SAMBA servers running on linux. This has been addressed and SMB acceleration is working with these servers now.
- [D-03081] Adjusted caching of YouTube to accommodate more changes by Google to prevent caching. This also improved the amount of caching of YouTube content.
- [D-03096] Fixed a bug where the internal process mysql_syncd would crash when using custom application definitions.
- [D-03098] Fixed an issue that prevented the display of the Control graph after renaming a Virtual Circuit
- [D-03116] Improved Netflix detection across all netflix capable devices.
- [D-03193] After failing over to standby link (in a cluster) there is no SMB Object Cache benefit. This has been addressed.
- [D-03197] Upgraded OpenSSL to v1.0.1e-16.14. This OpenSSL version covers the following vulnerabilities: CVE-2010-5298 - possible use of memory after free CVE-2014-0195 - buffer overflow via invalid DTLS fragment CVE-2014-0198 - possible NULL pointer dereference CVE-2014-0221 - DoS from invalid DTLS handshake packet CVE-2014-0224 - SSL/TLS MITM vulnerability CVE-2014-3470 - client-side DoS when using anonymous ECDH
- [D-03208] Fixed a bug introduced in 7.0.0 where passwords with the following characters, %&=+, would not be handled properly during login, preventing users from logging in.
- [D-03212] Fixed an issue where the data collection process would crash in certain circumstances when cluster membership would change (i.e., appliances dropping out of the cluster or changing IP address while staying part of the cluster)
- [D-03215] Fixed an issue where changing the host name while logged in via https would result in an error message that the certificate was invalid.
- [D-03219] All conversions from kbps to Mbps and Mbps to Gbps are now 1000 base where in the past they were 1024 base. The result of this will be that if you have policies based on 1024, you will now see that the reporting will say that you are allowing 1.024Mbps instead of 1.0Mbps that would have been displayed in the past. The industry accepted conversation from kbps to Mbps and Mbps to Gbps per second is 1Mbps = 1000kbps. This change makes the Exinda monitoring align better with other monitoring tools you may have in your network. Note that if you have previous setup your VCs so that monitoring would report exactly 1Mb by specifying your VC to be 1024Kbps, you should now change the definition of your VC to be 1000Kbps so that reporting shows that it is a 1Mb VC.
- [D-03228] New versions of Ubuntu are using extensions to SMB. When these extensions are in use, acceleration was disabled. Acceleration has been enhanced to understand these extensions and take advantage of them in acceleration. The result is SMB flows from a wider variety of client and server types will be accelerated.
- [D-03232] A new CLI command has been added to assist with configuring the appliance when using Multi-per-vc queuing mode. When using Multi-per-vc queuing mode, the largest VC that could be accommodated was 500Mbps. Any VC above 500Mbps would automatically be treated as if the queuing mode is muti-queue. This does not affect the other VCs, but does affect the large VC that is now in multi-queue mode. This 500Mbps limit was hard coded in the firmware. It is now configured via a CLI command on the optimizer command.
- #optimizer queueing single-vc-bw-switch
- single-vc-bw-switch Specify bandwidth at which to force a single VC in multi-per-vc mode to switch to a multi queue mode for that VC.
- [D-03237] PDF reports for the Virtual Circuit graphs now auto scale their Y-axis to appropriate units: kbps, Mbps or Gbps
- [D-03261] When upgrading from any version prior to 6.4.3 Update 8, 6.4.4 or 6.4.5 or earlier, the upgrade will take an extra 2 minutes after the first reboot of the appliance. During this period the system will remain in bypass as work is done to the underlying filesystem to get the system ready to run the new firmware version
- [D-03285] When manufacturing a machine with a version after 6.4.2, the Anonymous proxy URL was incorrect. This resulted in [D-02222] and the work around listed for that bug. The root cause has been fixed and the Anonymous proxy URL is always correct now during upgrades and manufacturing.
Known Issues
- [D-02199] When an acceleration HA cluster is configured and the traffic being accelerated is located on a VLAN and has a VLAN tag, the traffic will not flow through the HA cluster properly. This issue is currently being investigated and a fix is expected soon.
- [D-01777] snmp: after a period of repeatedly querying the following sensors, the WUI will appear to be locked up and various processes within the appliance will crash. This will eventually repair itself. system health/cpu alarm, system health/disk alarm, system health/ram alarm, system health/nic alarm. The work around is to not query these SNMP values.
- [D-01921] Under some circumstances Microsoft Lync traffic will be classified as MSN traffic.