Ecessa Firmware Notes
Version: 10.6.1
Release Date: 2015.04.17
Important Note
Because of Static Route changes, it is recommended that you back up your config before upgrading. In the event of a downgrade, this config will need to be applied to preserve the correct static route type and any VPN-enabled static route.
New Features
1. A One-to-One NAT can be applied to a Site-to-Site IPSec VPN.
Improvements
1. Simplified WAN UI Page.
2. Session Load-Balanced Static Routes are more proportional to tunnel speeds.
3. Simplified cohesive routing view and configuration.
4. Simplified VPN Configuration.
5. The access log now shows SSH logins and login attempts.
6. Management ACLs can now use aliases.
7. DNS Resource Record items can now be duplicated and inserted for easier editing.
Changes
1. Page activations will display a warning if the activation will cause traffic disruption.
2. The side and top navigation items have been reorganized.
3. Help pages have been updated for WAN Virtualization and Static Routes. For the CLI the recursive-resolver option is now documented for ‘lan dhcp settings’.
4. The email reports feature is now enabled by default.
5. Packet Options for a single tunnel WAN Virtualization Static Route do not apply, so the select field is disabled.
6. WAN peers now accept a range of addresses.
7. Increased the number of ‘wan peer’ entries from 32 to 2048.
Fixes
1. Packet duplication could fail for existing sessions if a WAN line was abruptly pulled.
2. When WAN Virtualization Compression was used, WAN Virtualization Static Routes were ignored. This included the default Load Balance static route.
3. WAN Virtualization site-to-site traffic could be blocked by the firewall.
4. An IPSec or L2TP VPN could enter a state that would result in very high CPU utilization.
5. When disabling or deleting a VPN through the CLI, the VPN was not stopped and continued to run.
6. Using an ‘anywhere’ remote LAN (0.0.0.0/0) would enter a default route into the main routing table and cause all traffic to go over the VTI VPN.
7. The Active Failover Testing option is not valid for VTI VPNs. Using this option would cause the VPN SA to fail to start.
8. IPSec VPN configurations from previous firmware versions could be incompatible with 10.4 and above.
9. IPSec L2TP LNS settings were not loaded on boot, causing users to fail to authenticate.
10. IPSec L2TP VPN setting changes would not be applied unless the VPN was stopped and started.
11. Enabling the firewall would not create inbound allow rules for an already running VPN.
12. Automatically restrict gratuitous ARP and proxy ARP for bridged WANs.
13. The bridging multicast passthrough option is now compatible with a full bridged WAN and LAN configuration.
14. Configuring a DHCP LAN and DHCP Relay would cause one of these services to fail.
15. SNMP allow rules were not being correctly created for LAN access when the firewall was enabled.
16. In rare cases the busy light for a VoIP phone would not show the correct state because of dropped SIP Notify messages.
17. Creating a logical port for a VLAN and then adding a WAN or LAN that also had a VLAN set would not create the correct port on the backend.
18. Trying to download the Remote Syslog certificate would cause high CPU utilization and the user would be unable to complete the download.
19. Possible crash with a very large number of Dual Role entries and configuration changes.
20. The maximum speed values for QoS were set too low and validation was failing for valid entries.
21. Adding a ‘wan’ and ‘wan peer’ in the same commit would map the peer to the wrong WAN (CLI).
22. Moving a WAN that has ‘wan peer’ addresses from a port that has another WAN or LAN would cause the peer addresses to exist on both the old and the new interface.
Security
BEAST - [CVE-2011-3389]