
AlteonOS

Release Notes

Version 31.0.0.0 Rev. 1


February 21, 2017
TABLE OF CONTENTS
CONTENT
RELEASE SUMMARY
SUPPORTED PLATFORMS AND MODULES
UPGRADE PATH
  BEFORE UPGRADE - IMPORTANT!
  GENERAL CONSIDERATIONS
  DOWNGRADE
WHAT’S NEW
  Alteon 8820 – High Performance ADC
  Alteon 6024 VX Platform Enhancements
  Redundant Out-of-path Management Port
  Performance
  Authentication Gateway – SAML 2.0 Service Provider Support
  SSL Inspection Capabilities
  Intermediate SSL Certificate for HTTPS Management Access
  LinkProof Enhancements
  Alteon VA/NFV/Cloud
  IPsec Support for Virtual Service IP
  HTTP/S Health Check Enhancements
  High Availability Tracking for Selected Real Servers
  Alteon to Expand Support of BGP Prepend for VIPs
  Selectively Stop BGP Advertisements
  Equal Cost Multipath Routing in OSPF
  Geolocation-based Load Balancing
  GSLB Enhancements
  Dynamic IP Reputation
  AppShape++ Enhancements
  HTTP/2 Full Proxy (H2 server side) – Beta
  Troubleshooting and Debugging
WHAT’S CHANGED AND/OR MODIFIED
  EXTRACTING CLIENT CERTIFICATE SAN EXTENSION
  OPENSSL UPGRADE TO 1.0.1U

Alteon 31.0.0.0 Release Notes Rev. 1, February 21, 2017 Page 2


  DEFAULT CIPHER CHANGES
  SYSLOGS FOR LACP LINK UP AND DOWN
  5224 VADCS LIMIT
  LONG OBJECT ID SUPPORT
  GSLB − PREVENT NEGATIVE DNS RESPONSE CACHING
  SUPPORT FOR RFC6223 AND/OR RFC5626
  TROUBLESHOOTING AND DEBUGGING
    Technical Support Data (tsdmp) Formatting
    Configuration Adaptation on Upload
    Command Line History Improvement
MAINTENANCE FIXES
  FIXED IN 31.0.0.0
KNOWN LIMITATIONS
  Upgrade Limitations
  vADC and ADC-VX Limitations
  Alteon VA Limitations
  WBM Limitations
  Static NAT Limitations
  General Limitations
  FastView Limitations
  AppWall Limitations
  Alteon Management via APSolute Vision Limitations
RELATED DOCUMENTATION

Content
Radware announces the release of AlteonOS version 31.0.0.0. These release notes describe
new and changed features introduced in this version on top of version 30.5.0.0.

Release Summary
Release Date: February 15, 2017
Objective: Major software release introducing new capabilities and offerings

Supported Platforms and Modules


This version is supported by the following platforms:
• 5224, 5224XL
• 5208, 5208 XL, 5208 Extreme
• 6024, 6024 XL, 6024 Extreme
• 6420, 6420 XL, 6420 Extreme
• 6420p, 6420p XL, 6420p Extreme
• 8420, 8420 XL, 8420 Extreme
• 8820, 8820 XL, 8820 Extreme
• Alteon VA running on VMware ESX 5.0, 5.1, 5.5, 6.0, KVM, Hyper-V and OpenXen
• Alteon VA on AWS
• Alteon VA on Azure
For more information on platform specifications, refer to the Alteon Installation and Maintenance
Guide.
Alteon 31.0.0.0 is supported by APSolute Vision version 3.70 and later.

Upgrade Path
You can upgrade to this AlteonOS from AlteonOS versions 28.x, 29.x and 30.x.
General upgrade instructions are found in the Alteon Installation and Maintenance Guide.

Before Upgrade - Important!


1. Before performing an upgrade, back up your current configuration.
2. To ensure a successful upgrade, run the Upgrade Advisor Tool with your current
configuration and the target version. Then, perform the required actions as instructed in the
report output. The Upgrade Advisor Tool includes all the limitations and upgrade
considerations specifically relevant to the source configuration, version, device details and
target version. Make sure to update the Upgrade Advisor Tool DB before performing the
analysis. The Upgrade Advisor Tool is available on the Customer Portal.
3. Read the Upgrade Limitations in these Release Notes for new upgrade limitations related to
this version.

General Considerations
• Hypervisors (ADC-VX) running a certain version (for example, 31.0) only support vADCs
that run the same version or later.

Downgrade
Configuration rollback (downgrade) is not supported. Save the configuration before
upgrading to a newer version. If you roll back the version, upload the saved configuration
after the downgrade.

What’s New
This section describes the new features and components introduced in this version on top of
Alteon version 30.5.1.0.
For more details on all features described here, see the Alteon Application Guide and the Alteon
Command Reference for AlteonOS version 31.0.0.0.

Alteon 8820 – High Performance ADC

Alteon Application Switch 8820 is the next-generation, carrier-grade application delivery
controller (ADC), providing superior performance coupled with advanced capabilities such as
ADC Virtualization, integrated application acceleration and on-demand scalability needed to
effectively meet mobile carrier and large enterprise data center and network needs.

Alteon 8820 Platform Highlights
• High performance application delivery appliance covering the high-end throughput range:
120 Gbps, 160 Gbps, and up to 200 Gbps throughput capacity
• Supports ADC-VX with up to:
  ◦ 60 vADCs with 64 GB RAM
  ◦ 100 vADCs with 256 GB RAM
• High-End connectivity capabilities:
  ◦ Four (4) 100 GbE QSFP28
  ◦ Four (4) 40 GbE QSFP+
  ◦ Twenty (20) 10 GbE SFP+
• Hot-swappable dual AC/DC power supply
• High performance SSL acceleration, compression, and caching
• Front-to-back fans suitable for new data center designs

Alteon 6024 VX Platform Enhancements

The Alteon 6024 VX platform includes the following enhancements as part of version 31.0:
• Maximum number of supported vADCs – This was increased from 20 to 32.
• Elastic Core Allocation on the Alteon 6024 Platform – Alteon 6024 supports the elastic
core allocation configuration (previously named “advanced core allocation”). There is no
option to disable the elastic core allocation on this platform. The system default mode is
performance mode, supporting up to 20 vADCs.

Redundant Out-of-path Management Port

This version provides two redundant management ports, giving highly reliable out-of-band
management interfaces with enhanced security.
NFR ID: prod00237950

Performance

Improved SSL Price–Performance

Alteon 31.0 introduces a significant increase in SSL performance (up to 300% increase for CPS
and up to 400% for throughput) for software-based SSL processing (VA and non-XL
appliances). This was achieved by optimizing the SSL code for Intel processors, including
the use of Intel’s dedicated AES instructions.
In addition, a significant increase in SSL throughput (up to 40% depending on the platform) was
achieved also on SSL hardware-accelerated platforms by introducing capabilities such as TCP
Segmentation Offload and hardware-based core selection at Layer 4.

Hardware-based Core Selection
Prior to version 31.0, traffic that arrives at Alteon is distributed by the NICs between the CPU
cores by hashing on Layer 3 data only (source and destination IP addresses).
Alteon 31.0 introduces the ability to configure NICs to hash on Layer 4 data (4-tuple:
source and destination IP addresses and ports). This allows for:
• improved core distribution
• on standalone appliances and Alteon VA form factors, improved full proxy throughput (force
proxy mode)
Important! On standalone appliances and VA form factors, when any SSL
encryption/decryption is performed (SSL offload, SSL Inspection), if SSL reuse is required, the
hardware hash must be set to Layer 3.
The hardware hash level can only be accessed via CLI using the following commands:
• /cfg/slb/adv/hwhash on standalone and Alteon VA platforms
• /cfg/sys/hwhash in ADC-VX environments
After upgrade, the hardware hash parameter is set to Layer 3 for backward compatibility. For
new 31.0 installations, this parameter is set to Layer 4 by default for standalone and Alteon VA
form factors and to Layer 3 for ADC-VX.
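
The trade-off between the two hash levels, as an added Python illustration (not Radware code). CRC32 stands in for the NIC hash, which these release notes do not specify; the addresses, ports and core count are constructed, and the link to SSL reuse assumes reuse state is held per core, which the notes do not state.

```python
import ipaddress
import zlib


def core_for(flow, level, n_cores):
    """Pick a core for flow = (src_ip, dst_ip, src_port, dst_port).

    level 3 hashes source and destination IP only; level 4 hashes the 4-tuple.
    CRC32 is a stand-in for the real NIC hash (assumption of this example).
    """
    src, dst, sport, dport = flow
    key = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    if level == 4:
        key += sport.to_bytes(2, "big") + dport.to_bytes(2, "big")
    return zlib.crc32(key) % n_cores


def spread(flows, level, n_cores):
    """Return the number of connections that land on each core."""
    counts = [0] * n_cores
    for flow in flows:
        counts[core_for(flow, level, n_cores)] += 1
    return counts


def cores_used(flows, level, n_cores=8):
    """How many cores receive at least one connection."""
    return sum(1 for c in spread(flows, level, n_cores) if c)


def reconnect_same_core(src, dst, ports, level, n_cores=8):
    """True if every new connection from one client IP reaches the same core."""
    return len({core_for((src, dst, p, 443), level, n_cores) for p in ports}) == 1


# Constructed traffic: 400 connections from one NAT gateway to one VIP.
NAT_FLOWS = [("198.51.100.7", "203.0.113.10", 20000 + i, 443) for i in range(400)]

if __name__ == "__main__":
    for level in (3, 4):
        print("Layer", level, "per-core load:", spread(NAT_FLOWS, level, 8))
    ports = range(1024, 65000, 997)
    for level in (3, 4):
        print("Layer", level, "reconnects stay on one core:",
              reconnect_same_core("198.51.100.7", "203.0.113.10", ports, level))
```

With Layer 3 hashing every connection between one address pair lands on a single core, so a reconnecting client always returns to the core that handled it before; with Layer 4 hashing the load spreads but that affinity is lost.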

vADC Core Selection


The basic core allocation for vADC is performed at the hypervisor level (TD). Prior to version
31.0, the core selection was based on the source IP hash. The /cfg/slb/adv/spl4hash
parameter lets you select the core based on Layer 4 data (source IP address and source and
destination ports) and achieve better core distribution.

TCP Segmentation Offload


TCP segmentation offload (TSO) reduces the CPU overhead of TCP/IP on fast networks by
relying on the network interface controller (NIC) to segment the data and then add the TCP, IP
and data link layer protocol headers to each segment. This frees CPU resources for higher data
level processing and can improve full proxy throughput.
This parameter can be configured from the Application Delivery > Virtual Services > Settings
pane, or with the following CLI command: /cfg/slb/adv/tso.
Note: When performing service chaining, whether for SSL Inspection or not, if chain hop bypass
is required when the hop server group is down (Continue in Flow Fallback Action), the TSO
must be disabled.

Westwood TCP Optimization Protocol Support
The Westwood TCP optimization protocol is a sender-side-only modification to the New Reno
TCP optimization protocol that is intended to better handle large bandwidth-delay product paths
(large pipes) with potential packet loss due to transmission or other errors (leaky pipes), and
with dynamic load (dynamic pipes).
The Westwood protocol can now be selected as the Congestion Control Mechanism in a TCP
optimization policy.

Authentication Gateway – SAML 2.0 Service Provider Support

SAML SSO works by transferring the user’s identity from one place (the identity provider) to
another (the service provider). This is done through an exchange of digitally signed
XML documents. In this version, the Alteon Authentication Gateway introduces new support for
SAML 2.0 SP functionality. It can integrate with external SAML 2.0 Identity Providers (IdP) for
the purpose of Single Sign-on (SSO) implementation across the organization. The
Authentication Gateway functions in such a setup as the SAML Service Provider (SP), offering
authorization and access control services to the back-end applications along with its currently
available back-end authentication schemes, such as Form Based Authentication, NTLM, and
Kerberos Constrained Delegation (KCD).
One example of such integration with SAML IdP is Microsoft ADFS 3.0. ADFS provides
simplified and secured identity federation and Web Single Sign-on capabilities for end-users
who want to access applications within an ADFS-secured enterprise, or in the Cloud. The Alteon
Authentication Gateway can integrate with ADFS, which can be configured as a SAML IdP. In
such a setup, Alteon can offer comprehensive Application Delivery and security services for the
Microsoft application environment. Not only does it provide a replacement to TMG/UAG
functionality in such an environment, but it also provides significant enhancements to
functionality currently provided by TMG/UAG. SAML SSO provides better protection, significant
performance optimization, and scalability to Web-based applications. Next generation services,
built into the Alteon ADC, add advanced load balancing and health checks with Layer 7
awareness, content and URL filtering, content rewrites, user programmable policies and traffic
steering logic, a Web Application Firewall, network access control, an authentication gateway,
single sign-on, Web access management, and hardware-based SSL termination.
Alteon has also been tested and certified for Microsoft SharePoint based on its integration with
ADFS. A detailed Technical Integration Guide (TIG) for integrating the Alteon Authentication
Gateway with ADFS and SharePoint with back-end KCD authentication is available.

SSL Inspection Capabilities

Host-based Inspection Bypass


Alteon now supports host-based SSL Inspection bypass when installed as a transparent proxy.
This is achieved by retrieving the destination host from the SNI extension in the Client SSL
Hello.
Traffic can be bypassed based on the host category (URL Filtering) or list of specific hosts (or
the new SSL Content Class type).
Note: The SSL Content Class is supported only in SSL Inspection filters.
Reminder: Alteon already supports host-based SSL Inspection bypass when installed as an
explicit proxy (starting with version 30.5).
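
The SNI lookup described above, as an added Python example (not Radware code): it parses a TLS ClientHello, extracts the host name from the server_name extension, and makes a bypass decision against a host list. The function names, the bypass list, the choice to inspect when no SNI is present, and the assumption that the ClientHello fits in one TLS record are all assumptions of this example.

```python
import struct


class NoSNI(Exception):
    """The ClientHello is well-formed but has no host_name in server_name."""


def _take(buf, pos, n):
    """Return (buf[pos:pos+n], pos+n), refusing to read past the end of buf."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n], pos + n


def _vector(buf, pos, len_bytes):
    """Read a length-prefixed vector whose length field is len_bytes wide."""
    raw, pos = _take(buf, pos, len_bytes)
    return _take(buf, pos, int.from_bytes(raw, "big"))


def extract_sni(record: bytes) -> str:
    """Return the lower-cased host name from a single-record ClientHello."""
    hdr, pos = _take(record, 0, 5)
    ctype, _version, rec_len = struct.unpack("!BHH", hdr)
    if ctype != 0x16:
        raise ValueError("not a TLS handshake record")
    body, _ = _take(record, pos, rec_len)
    hs_type, p = _take(body, 0, 1)
    if hs_type != b"\x01":
        raise ValueError("not a ClientHello")
    hello, _ = _vector(body, p, 3)
    _, p = _take(hello, 0, 2 + 32)       # client_version + random
    _, p = _vector(hello, p, 1)          # session_id
    _, p = _vector(hello, p, 2)          # cipher_suites
    _, p = _vector(hello, p, 1)          # compression_methods
    if p == len(hello):
        raise NoSNI("ClientHello has no extensions")
    exts, _ = _vector(hello, p, 2)
    p = 0
    while p < len(exts):
        etype, p = _take(exts, p, 2)
        data, p = _vector(exts, p, 2)
        if etype != b"\x00\x00":         # extension type 0 = server_name
            continue
        names, _ = _vector(data, 0, 2)   # ServerNameList
        q = 0
        while q < len(names):
            name_type, q = _take(names, q, 1)
            name, q = _vector(names, q, 2)
            if name_type == b"\x00":     # name type 0 = host_name
                return name.decode("ascii").lower().rstrip(".")
    raise NoSNI("no server_name extension")


def host_matches(host, patterns):
    """Exact match or sub-domain match on a label boundary."""
    return any(host == p or host.endswith("." + p) for p in patterns)


def decide(record, bypass_hosts):
    """Return (action, host). Policy here is an assumption of the example:
    malformed hello -> reject, missing SNI -> inspect, listed host -> bypass."""
    try:
        host = extract_sni(record)
    except NoSNI:
        return ("inspect", None)
    except ValueError:
        return ("reject", None)
    return ("bypass" if host_matches(host, bypass_hosts) else "inspect", host)


def build_client_hello(host=None):
    """Constructed sample input: a minimal TLS 1.2 ClientHello, SNI optional."""
    exts = b""
    if host is not None:
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0, len(sni)) + sni
    exts += struct.pack("!HH", 0xFF01, 1) + b"\x00"      # renegotiation_info
    hello = (b"\x03\x03" + bytes(32) + b"\x00"           # version, random, session_id
             + struct.pack("!H", 2) + b"\xc0\x2f"        # one cipher suite
             + b"\x01\x00"                               # null compression
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    bypass = {"bank.example"}                            # constructed bypass list
    for h in ("login.bank.example", "notbank.example", None):
        print(h, "->", decide(build_client_hello(h), bypass))
```

The SNI value is sent in clear text by the client and is not authenticated at this stage, so a bypass decision keyed on it is only as trustworthy as the client; matching on label boundaries keeps notbank.example from being treated as bank.example.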

IDS Servers Support


This version removes the previous limitation that required a special workaround to support an
IDS server group as the first or only hop in the inspection chain. In addition, multiple IDS groups
can now be included in the security inspection chain (both SSL and clear traffic inspection).
To enable this advanced IDS support:
1. Enable the new IDS Chain flag in the IDS server group.
2. Use a redirect filter to send traffic (copy) to the IDS group (the IDS group is configured as
filter Primary Group ID and not as IDS Group ID).
Notes:
• If the capability required is to copy the same traffic to all IDS servers (flood), use the legacy
IDS configuration (IDS Chain disabled, with an Allow filter with IDS Group ID configured).
• This advanced capability cannot be used on Alteon VA when DPDK fast packet processing
is used (DPDK is used when more than 3 GB of RAM is allocated to the Alteon VA).
• Do not mix advanced IDS support with legacy IDS support on the same flow/chain.

Server SSL Certificate Authentication


This version enhances the server authentication capability beyond checking the certificate chain
of trust. This is relevant mainly for outbound SSL traffic (SSL Inspection).
The new capabilities include:
• Revocation status check via OCSP
• Ability to specify whether to ignore certificate validity issues (expired certificate, untrusted
certificate or host mismatch) or reject a session when such an issue occurs.
For this purpose, the Client Authentication Policy object was promoted to an Authentication
Policy object that can be of type Client (default) or Server.

The Authentication Policy of type Server lets you define the following parameters:
• Trusted CA certificate/group and CA chain lookup depth
Note: The Trusted CA certificate/group was moved to the Server Authentication Policy pane
from the SSL Policy Backend pane. After upgrade, if such a parameter is configured in the
SSL policy, a server Authentication Policy is automatically generated including the Trusted
CA.
• Certificate validation method
• Validity issues handling

Chain Hop Bypass


In a service chaining environment, it is often required to continue the flow of traffic in cases
where one hop in the chain is unavailable, by bypassing the unavailable hop and forwarding the
traffic to the next hop.
This capability is now improved with the addition of a new redirect filter Fallback Action value,
Continue in Flow. When this value is selected, if the server group bound to the filter is down,
traffic matching this filter is forwarded to the next hop in the flow. To bypass this hop and
continue the flow, specify the physical port through which traffic from this hop (server group)
was expected to ingress Alteon with the Flow Continuation Ingress Port parameter.
Notes:
• To use this fallback action, the TSO (TCP Segmentation Offload) must be disabled on the
device.
• This fallback action cannot be used on Alteon VA when DPDK fast packet processing is
used (DPDK is used when more than 3 GB of RAM is allocated to the Alteon VA platform).

Intermediate SSL Certificate for HTTPS Management Access

This feature was first introduced in version 30.5.2.0.


In this version, you can define an intermediate CA certificate/group for Alteon management via
HTTPS. With this support, when accessing Alteon via HTTPS (WBM or REST API), Alteon
sends both its server certificate and the configured intermediate CA chain.
This facilitates the process of verifying the chain of trust (instead of installing the chained CA on
the client browsers).
The configuration is available in the following paths:
• From WBM – Configuration perspective > System > Management Access >
Management Protocol > HTTPS
• From CLI – /cfg/sys/access/https
NFR ID: prod00234972

LinkProof Enhancements

PPTP Support
With the full implementation of the Smart NAT feature, Alteon now fully supports VPN and other
Point-to-Point Tunneling Protocols such as PPTP.
Limitation: Only IPv4 is supported.
NFR ID: Prod00239734

Static NAT for Inbound and Outbound Link Load Balancing


This feature was first introduced in version 30.5.2.0.
The Smart NAT feature provides one centralized pane to configure all required NAT
translations. You can add, edit, and delete entries in one location, which simplifies the process
of NAT translation configuration.
The following types of NAT translations are supported:
• Static NAT — Ensures delivery of specific traffic to a particular server on the internal
network. For example, LinkProof uses Static NAT, meaning predefined addresses are
mapped to a single internal host to load balance traffic to the host among multiple
transparent traffic connections. This ensures that the return traffic uses the same path, and
also allows traffic to that single host to use multiple ISPs transparently. You assign multiple
Static Smart NAT addresses to the internal server, typically one for each ISP address range.
• Dynamic NAT — Enables LinkProof to hide various network elements located behind
LinkProof. Using this feature, LinkProof replaces the original source IP address and source
port of a packet with the configured NAT IP address and a dynamically allocated port
before forwarding the request to the group. The network elements whose addresses are
translated can be servers or other local hosts. You can set different NAT addresses for
different ranges of intercepted addresses.
For example, traffic from subnet A is translated using IP address 10.1.1.1, and traffic from
subnet B is translated using IP address 10.1.1.3.
• No NAT — Enables a simple configuration where internal hosts have IP addresses that
belong to a range of one of the group servers.
Traffic to and from these hosts should not be translated if the traffic is forwarded to this
group server.
NFR ID: prod00240838
For more details on LinkProof capabilities, see the LinkProof NG User Guide or LinkProof for
Alteon NG User Guide, version 31.0.0.0.

Simplified LinkProof Configuration
The LinkProof WAN Link configuration was updated to work with the Smart NAT table. By
default, NAT settings on the WAN links are set to inherit, meaning that Alteon uses the NAT
settings configured in the Smart NAT table. The NAT settings can also be explicitly
configured on the WAN link, in which case they override the Smart NAT settings.
LinkProof Inbound Host Based LLB Rules configuration was updated to also support the local
server without the need for virtual server configuration as the NAT addresses. Instead, the
Smart NAT table is used to define the NAT mapping.

Alteon VA/NFV/Cloud

Alteon VA for NFV – 225 Gbps Layer 4


Alteon VA for NFV version 31.0 reaches 225 Gbps Layer 4 throughput (with the KVM
hypervisor).

VMware
• Alteon VA on VMware reaches 10 Gbps throughput over VMware and no longer requires
PCI-[pass through/SR-IOV] to reach this throughput.
• Starting with this version, VMware ESXi version 4.1 is no longer supported.

Microsoft Azure Support (which will be available a few weeks after the official release of
version 31.0)
Alteon VA on Azure now supports both High Availability (HA) and Global Server Load Balancing
(GSLB):
• Ease of deployment – Similar to LBaaS
In version 31.0, Alteon VA is integrated with the Azure solution template.
This enables you to configure Alteon VA from the Azure portal without accessing either the
Alteon CLI or WBM.
• SLB configuration
To configure Alteon VA for Basic SLB, you only need to provide the number of real servers
and their IP addresses, beyond the regular VM deployment parameters. If you choose, you
can also change the SLB metrics.
After the Alteon VA is up, it is ready to load balance your servers, even without accessing
the Alteon VA user interface.

• HA configuration
To configure Alteon VA to operate in HA mode, you only need to select the HA deployment
mode and provide your Azure credentials beyond the basic SLB configuration as described
above.
Both HA instances are configured and run in a high availability environment without the
need to enter any of the Alteon VAs.

IPsec Support for Virtual Service IP

Virtual servers now support load balancing of IPsec along with TCP, UDP, and ICMP.
IPsec support has been added to the virtual service IP address (port 1). Now, when the protocol
parameter is configured as both in the IP service configuration
(/cfg/slb/virt <xyz>/service 1/protocol both), it also includes IPsec along with TCP, UDP, and ICMP.
Notes:
• IPsec negotiation does not work with the Gateway ID type as IP, but only with type FQDN
(DE19232).
• Proxy IP (PIP) cannot be used for an IPsec tunnel while NAT-T with IPsec Gateway is
working (DE19111).
• In an SLB environment with persistent binding set to Client IP and rport configured, IPsec
traffic is not load balanced (DE19089).

HTTP/S Health Check Enhancements

The following capabilities were added to HTTP/S health checks:
• Establish success based on absence of string in the response body.
To enable this capability, the new value Exclude was added to the Return String Type
parameter.
NFR ID: prod00246581
• Alteon authentication using client certificate during SSL Handshake (HTTPS health
check).
This feature was first introduced in version 30.5.2.0.
Alteon can now identify itself using a client certificate during HTTPS health checks when
required by the monitored server. To enable this capability, select a certificate from the
certificate repository as the health monitoring client certificate:
  ◦ From WBM – Application Delivery > Server Resources > Health Checks
  ◦ From CLI – cfg/slb/advh/cert
NFR ID: prod00243819

• Include SNI extension in the HTTPS health check.
When the Host parameter is configured in the HTTPS health check, an SNI extension with
the configured hostname is automatically included in the Client SSL Hello.
NFR ID: prod00239194

High Availability Tracking for Selected Real Servers

This NFR enhances the capabilities of tracking real servers for HA purposes. When selecting
this mode, you can either track all the real servers (as was done prior to version 31.0) or
explicitly select the real servers you want to track.
Notes:
• Using WBM in Switch HA mode only, when real server tracking is enabled, all the real
servers are considered for tracking.
Use the CLI if you want to configure Alteon to track just a smaller set of the real servers.
• Configure the active switch/group on the master Alteon before you configure the backup
Alteon.
If you configure the backup Alteon before the master, a failover occurs. The backup
switch/group takes control because its “priority” is higher (as a result of the new tracked
servers that were added to it).
• If one or more of the tracked servers becomes unavailable, an unexpected failover can
occur if the health check sent from the backup switch precedes the health check sent from
the master, and vice versa when the servers become available again.
NFR ID: prod00229797

Alteon to Expand Support of BGP Prepend for VIPs

This NFR provides additional flexibility in defining routes when advertising the VIPs through
BGP on Alteon platforms. The capability to assign a network class to the route map active list
and on top of network filters was added. You can assign either a network class or network filters
(but not both).
NFR ID: prod00245390

Selectively Stop BGP Advertisements

An option to stop the VIP BGP advertisement when all servers are set to operational disable
was added.
NFR ID: prod00238047

Equal Cost Multipath Routing in OSPF

The number of supported routes for Equal Cost Multipath Routing in OSPF was extended from
3 to 4.
NFR ID: prod00247457

Geolocation-based Load Balancing

In this version, Alteon now enables making load balancing decisions based on the geographical
location of the traffic source or destination. For this purpose, Alteon has integrated the MaxMind
GeoLite2 City geolocation database.
To define a geolocation, you must configure a network class of the new type Region. The
Region network class lets you define a location down to the State level (Continent, Country, or
State).
This feature includes the following capabilities:
• Select a data center based on the geographical location of the client (GSLB). The selection
is made via the DNS Rule Network metric:
  ◦ The DNS Network metric now lets you define the network using the legacy range or a
  Network Class (either the IP or Region type).
  ◦ In addition, the selection can be made based on the geographical location of the DNS
  client (LDNS) or on the geographical location of the actual client, if its IP address is
  present in the DNS request (EDNS0 extension).
• Select a link based on the geographical location (LinkProof):
  ◦ For inbound traffic, the selection is made based on the geographical location of the
  client. The selection is made via a DNS Rule Network metric (the same as for GSLB).
  ◦ For outbound traffic, the selection is made based on the geographical location of the
  destination.
• Provide different services based on the user’s geographical location. For example:
  ◦ Traffic from French customers should go to group of servers that have French content.
  ◦ Response traffic to a customer from Afghanistan should be compressed due to high
  latency.
  ◦ Block traffic from/to certain countries.
  ◦ Enforce different bandwidth/rate limits per geolocation.

Geolocation Database Update


MaxMind updates the GeoLite2 databases on the first Tuesday of every month. The database
can be downloaded for free from MaxMind and uploaded to Alteon.
You can also buy the GeoIP2 City database from MaxMind and upload it to Alteon.

MaxMind provides both binary and CSV formats, both as .zip files. To upgrade the geolocation
database in Alteon, download both files from MaxMind and consolidate them in a .zip file.
Note: For vADC support of Geolocation, you must upgrade the ADC-VX to version 31.0 or later.
The Geolocation Database is uploaded to the ADC-VX and then can be used by all its vADCs.
NFR ID: prod00236644

GSLB Enhancements

Remote Real Server Status Update via DSSP


Alteon version 31.0 includes the option to update the status of remote real servers that are VIP
addresses on remote Alteon devices via DSSP communication instead of health monitoring.
A new global flag was added to let you select whether the status update will be achieved via
health check or DSSP:
• From WBM – Application Delivery > Global Traffic Redirection > DSSP: Health Monitoring via DSSP
• From CLI – /cfg/slb/gslb/ddsphc
The flag is disabled by default (status update is performed via health checks).
Important: After the parameter is enabled and Apply is performed, the health check of all remote
real servers is changed to NoCheck. If some of the remote real servers are not Alteon VIP
addresses, you must manually change their health check back to the desired one.
NFR ID: prod00236729

New GSLB Metric


This feature was first introduced in version 30.5.2.0.
A new GSLB metric called Current Least Connections lets you select a site (or WAN link)
according to the lowest absolute number of connections active on that site/WAN link. The
regular Least Connections metric selects the site/WAN Link with the lowest session utilization.
Session utilization is the percentage of sessions used over the total allowed (maximum)
sessions.
NFR ID: prod00245937
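
The difference between the two metrics described above, as an added example (not Radware code). The site names, session numbers, the exclusion of unavailable sites and the name-based tie-break are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Site:
    """A GSLB site or WAN link. All values used below are constructed."""
    name: str
    active_sessions: int      # connections currently active on the site
    max_sessions: int         # total allowed (maximum) sessions
    available: bool = True    # assumption: unavailable sites are never chosen

    @property
    def utilization(self) -> float:
        """Session utilization: sessions used as a percentage of the maximum."""
        if self.max_sessions <= 0:
            return 100.0      # assumption: no capacity counts as fully used
        return 100.0 * self.active_sessions / self.max_sessions


def _eligible(sites: Iterable[Site]) -> list:
    """Keep only the sites that can currently be selected."""
    return [s for s in sites if s.available]


def least_connections(sites: Iterable[Site]) -> Optional[Site]:
    """Regular Least Connections: pick the lowest session utilization."""
    pool = _eligible(sites)
    # Tie-break on name so the result is deterministic (an assumption).
    return min(pool, key=lambda s: (s.utilization, s.name)) if pool else None


def current_least_connections(sites: Iterable[Site]) -> Optional[Site]:
    """Current Least Connections: pick the lowest absolute connection count."""
    pool = _eligible(sites)
    return min(pool, key=lambda s: (s.active_sessions, s.name)) if pool else None


# Constructed sample: a large site that is lightly used in relative terms,
# a small site that is busier in relative terms, and a site that is down.
SITES = [
    Site("dc-large", active_sessions=900, max_sessions=10_000),
    Site("dc-small", active_sessions=300, max_sessions=1_000),
    Site("dc-down", active_sessions=10, max_sessions=5_000, available=False),
]


def compare(sites: Iterable[Site]) -> dict:
    """Return the site each metric would select for the same input."""
    sites = list(sites)
    by_util = least_connections(sites)
    by_count = current_least_connections(sites)
    return {
        "least_connections": by_util.name if by_util else None,
        "current_least_connections": by_count.name if by_count else None,
    }


if __name__ == "__main__":
    for s in SITES:
        print(f"{s.name:9} active={s.active_sessions:5} "
              f"max={s.max_sessions:6} utilization={s.utilization:5.1f}% "
              f"available={s.available}")
    print(compare(SITES))
```

With this input the utilization-based metric selects the large site (9% used), while Current Least Connections selects the small site because it holds fewer connections in absolute terms.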

Dynamic IP Reputation

IP Reputation is a new value-added security feature that protects Alteon from ‘known *’
malicious IP addresses.
The malicious IP addresses database is dynamically updated by Cyren (or in future versions,
any other vendor) and automatically downloaded by Alteon.
You can easily and effectively stop network-based IP threats that are targeting your network,
and define whether to block or issue alerts for malicious IP addresses based on region,
category (spam/Malware) or level of severity.

Notes:
• For vADC support in IP Reputation, you must upgrade the ADC-VX to version 31.0 or later. The IP Reputation Database is uploaded to the ADC-VX and then can be used by all its vADCs.
• The IP Reputation time-based license is required for this support. After installing the license and globally enabling the feature, a system reboot is required to make the feature operational.
• Alteon VA using IP Reputation requires a minimum of 4 GB RAM and an 11 GB vDisk.

Limitation: Only IPv4 addresses are supported.

AppShape++ Enhancements

Control Availability of Virtual Services with AS++ scripts


In previous versions, if an AppShape++ script was attached to a virtual service, the service and
the virtual server would always be Up, even when no real server was available (this made it
possible to use an AppShape++ script to handle a “no real server available” scenario: returning
a sorry page, redirecting to a sorry server, selecting another server group, and so on).
In this version, you can define whether the service should be kept always on or not when
AppShape++ scripts are attached. This lets you keep a virtual service always on only if the
attached script handles the “no real server available” scenario.
To configure this parameter:
• From the CLI: /cfg/slb/virt <virt id>/service <service port>/https/appshape/alwayson
• From the WBM: Virtual Service > AppShape++ > Service Always On
This parameter is disabled by default for new services. After upgrading from previous versions,
this parameter is enabled on virtual services with AppShape++ scripts to preserve backward
compatibility.

rdwr Cookie Command


This feature was first introduced in version 30.5.2.0.
The rdwr-cookie command retrieves data related to a cookie configured for persistency on the
current HTTP/S virtual service (Persistency Mode = Cookie/pbind cookie).
• rdwr-cookie name – Retrieves the name configured for the cookie.
• rdwr-cookie site-ip <value> – Retrieves the site IP identifier from the value of the persistency cookie inserted by Alteon (relevant only for cookie insert persistency mode).
NFR ID: prod00238551

HTTP/2 Full Proxy (H2 server side) – Beta

The full HTTP/2 Proxy capability lets you load balance HTTP/2 traffic to HTTP/2 real servers.
The following features are available for the HTTP/2 Proxy:
• Front end SSL offload
• Backend SSL encryption
• HTTP/2 health check
Important: HTTP/2 Full Proxy support is in beta mode. You must contact the local Radware
account team if you want to activate and test this capability.

Troubleshooting and Debugging

The following capabilities were added to make technical support more efficient:
• Identifying the RCA quicker
• Reducing the need to install the debug version in the field
• Reducing the need for reproduction (better traceability)
• Understanding upgrade issues quicker

Packet Capture Improvements

Capture on Standalone Management Port


Enables capturing the traffic on the management port with the command
/maint/pktcap/mgmt/capture.
To capture traffic of a specific vADC management port, use the following command on ADC VX:
capture host <vADC MNG IP>.
The maximum capture file size is 100 MB.
Note: Capture on the ADC VX management port is available starting with version 30.5.0.
For more information on Alteon packet capture capabilities, see the Alteon Command
Reference.

Alteon Related information in Data Capture


Enables including Alteon-related information in the data capture file using a new flag (-E) with
the /maint/pktcap/data/capture command.
The information is available in Wireshark under the Extra Info section. It includes:
• Physical Port number
• Direction – In or Out
• Source – For example: AX IN, SP INGRESS, MP > SP OUT
• SP Number
• Session ID – Links Frontend & Backend flow
Limitations: Not supported for IPv6 traffic or filter flow.
The capture file can be filtered by any of these parameters.
Note: The Extra Info capability requires the Wireshark plug-in. See the Knowledge Base article in
the following link for instructions: KB
For more information on Alteon packet capture capabilities, see the Alteon Command
Reference.

Live Capture on TD in Data Capture


You can perform live capture on the ADC-VX Traffic Distributor using the
/maint/pktcap/td/capture command.
The TD capture enables filtering the traffic by IP address, MAC, VLAN and more.
Traffic for a specific vADC can be captured by filtering on the vADC VLANs.
Note: File Capture on a TD is available starting with version Alteon 30.5.
For more information on Alteon packet capture capabilities, see the Alteon Command
Reference.

Traceability and Log Enrichment

BSP and ND Logger modules


BSP and ND logger information can assist with identifying upgrade and traffic related issues.
The information is logged at /disk/logs/BSP_ADMINMP and exportable via techdata.

SP Logger
SP logger information is used for critical SP issues, such as the SP not being able to load.
The information is logged at /disk/logs/messagesSP and exportable via techdata.

Configuration Audit log


This feature was first introduced in version 30.5.2.0.
The default value of the configuration audit command (/cfg/sys/syslog/audit) was changed
to disable.
In addition, the configuration audit logs are saved to disk regardless of the configuration audit
settings. The information is logged at /disk/logs/syslogAudit and exportable via techdata.

Console Log
This feature was first introduced in version 30.5.2.0.
All console output is saved to disk. The information is logged at /disk/logs/console_log and
exportable via techdata.

SNMP Log
This feature was first introduced in version 30.5.2.0.
All SNMP calls are saved to disk. The information is logged at /disk/logs/snmpAudit and
exportable via techdata.

REST API Log


This feature was first introduced in version 30.5.2.0.
All REST API calls are saved to disk. The information is logged at /disk/logs/webui and
exportable via techdata.

Historical Events and Error Counters


The event and error counters allow R&D to quickly identify the reason for specific events and
errors.
These counters are available in previous releases. In version Alteon 31.0 a trend on the active
events and errors was added, showing the counters in the last 15, 30, 45, 60 and 75 seconds.
The relevant commands are /stats/counters/geterrors and
/stats/counters/getevents.
The output of these commands is also part of the tsdmp.

vADC Console
The vADC console feature provides console access to individual vADCs, and lets you easily
switch between the vADCs on the platform.
The vADC console is enabled by default for version 31.0 and later, or for upgrades from version
31.x and later.
When upgrading from earlier versions, the vADC console is disabled. To enable it, run
the command /c/sys/vconsole on the VX console. (This requires applying, saving the
configuration, and rebooting the platform.)
This feature is available using the Telnet protocol, with a Linux keyboard simulation.
Use the following key combinations to switch between the vADC consoles:
• CTRL+B, N – Goes to the next vADC console screen.
• CTRL+B, P – Goes to the previous vADC console screen.
• CTRL+B, <terminal slot number> – Goes to the specified vADC console screen.
  For slots greater than 10, press CTRL+B, ' and, when prompted, enter the slot number.
• CTRL+B, 0 – Goes to the base ADC-VX console screen.

Note:
• Only one console session to the ADC VX or one of the vADCs should be connected at any one time. If more sessions are opened, the console display may become corrupted.
• The slot numbers are determined according to the order in which the vADCs were activated (enabled), and not according to the vADC ID.
• This feature is not compatible with outdated terminals/terminal emulations (such as VT 100 and ProCom terminal emulation).
For more details on all described features, see the Alteon Command Reference for Alteon
version 31.0.0.0.

New Counters and Statistics

SP Distribution Monitoring
In order to visualize the CPU utilization distribution between all SPs, use the
/stats/sp/allcpu command. The default sampling interval is set to 4 seconds and can be
changed to 1 or 64 seconds.

New Back-end SSL Statistics


New back-end SSL statistics commands are now available from /stats/slb/ssl/backend.
These statistics are mainly used for SSL inspection debugging. The new statistics are:
• SSL ignored certificates (session/seconds)
• SSL expired certificates (session/seconds)
• SSL untrusted certificates (session/seconds)
• SSL certificates hostname mismatches (session/seconds)
• SSL rejected handshakes (session/seconds)

Run time SSL Cipher Statistics
You can now view the CPS rate per SSL cipher (per device measuring period, default 5
seconds). The information is available per virtual service and per filter for either the front-end or
back-end connection, using the /stats/slb/ssl/frontend and
/stats/slb/ssl/backend menus.

CLI Commands

‘apropos’ – New Global Command


Using the apropos command, you can find any CLI command based on a given pattern.
Syntax: apropos <pattern> [-i] [-d] [-u], where:
• -i = Ignore case
• -d = Also search for the pattern in the description
• -u = Also search for the pattern in the command usage

‘cc’ – New Global Command


For a quick and more readable configuration dump, use the new global command cc, which
prints the configuration output without keys and certificates.

Configuration Related Improvement

MD5 on Configuration File


Starting with version Alteon 31.0, Alteon identifies if the configuration uploaded to the device
was manually changed. The following warning appears on the console, in the CLI, and as a
syslog message:
Warning: The imported configuration differs from the original exported
configuration

Config Sync Error
When a config sync failure occurs, the failure reason is displayed on the device that issued the
sync (console, Telnet, and syslog).

What’s Changed and/or Modified


This section describes the changes to existing features and components introduced in version
31.0.0.0 on top of Alteon version 30.5.1.0.
For more details on all described features, see the Alteon Application Guide and the Alteon
Command Reference for AlteonOS version 31.0.0.0.

Extracting Client Certificate SAN Extension


The X509::extensions AppShape++ command now also retrieves the Subject Alternative
Name (SAN) extension, letting you extract the User Principal Name (UPN) value that might be
included in that extension.
NFR ID: Prod00241468

OpenSSL Upgrade to 1.0.1u


OpenSSL on both the data and management paths was updated to OpenSSL 1.0.1u.

Default Cipher Changes


The default SSL policy cipher (Main) was updated according to the latest security
recommendations. Ciphers that used the 3DES symmetric algorithm (DES-CBC3) were
removed.

Syslogs for LACP link UP and DOWN


A trap is set upon LACP status change.

5224 vADCs Limit


Starting with version 31.0, the Alteon 5224 VX platform with 24GB RAM only supports 16
vADCs (as compared to 20 vADCs in earlier versions).

Long Object ID Support


This feature was first introduced in version 30.5.2.0.
The ID field length for real servers, server groups and virtual servers has been extended to 255
characters to support the FQDN naming convention with dot.

Limitations:
• The Quick Application Setup does not work with this extended ID length and currently works only with a maximum ID length of 32 characters.
• APM supports virtual service IDs with up to 245 characters without a period (.).
• SNMP supports OIDs up to a maximum of 128 digits, including the parameter OID and the key. Alteon implements a special mechanism that lets you browse the table (GetNext), Get a specific object, or change (Set) a specific parameter. However, you cannot create a new object with a long ID via SNMP.
• When long IDs are configured, some audit log messages might be displayed distorted.
• A virtual server ID longer than 50 characters does not display in DPM.
• The FQDN server cannot be created when the ID of the template real server is more than 32 characters.
NFR ID: prod00236421

GSLB − Prevent Negative DNS Response Caching


This feature was first introduced in version 30.5.2.0.
In previous versions, when there was no site available for the requested domain, Alteon would
answer DNS queries with No Such Name. Many DNS clients would cache this answer and
would not retry resolution. As of this version, to prevent this, Alteon no longer answers if there is
no site available. As a result, the client keeps retrying to resolve the DNS record until the
site becomes available.
NFR ID: prod00240111

Support for RFC6223 and/or RFC5626


This feature was first introduced in version 30.5.2.0.
The Alteon SIP parser now allows keep alive messages to pass from the client to the server,
and vice versa, without blocking or discarding the messages.
NFR ID: prod00244065

Troubleshooting and Debugging
Technical Support Data (tsdmp) Formatting

The Technical Support Data File (tsdmp), which is part of the techdata file, is one of the main
debugging tools in Alteon. It contains all the required information on the device (such as
configuration, statistics, run-time information, events and so on) to help with problem
investigation. Starting with Alteon 31.0.0.0, in order to ease the use of this file, the following
improvements were made:
• Table of contents
• Summary Section – Section that includes highlights
• Command Headlines – These headlines display the CLI command name before the command output.
• CLI Command Conditional Output – Rarely needed outputs are now conditional:
  techdata <hostname> <filename> <-tftp|username password> [-mgmt|-data] [-scp] [-key <passphrase>] [-dnssec] -[persist] [-ucb]
• Added Historical Event and Error Counters – Displays the last 15 seconds, 30 seconds, 45 seconds, 60 seconds, 75 seconds counters

Configuration Adaptation on Upload

This feature was first introduced in version 30.5.2.0.


Configuration adaptation as part of an upgrade process is now also available as part of
configuration file upload. For example: when uploading a configuration file from version 30.0 to
a device running version 30.5.2.0, the required configuration adaptation is performed as part of
the configuration upload and will be available in the diff.

Command Line History Improvement

The following improvements were made to the history command:

• The history size increased from the last 10 to the last 100 commands.
• The history command itself is no longer added to the list of commands in the history.
• Duplicate commands are no longer recorded.
• !<string> – This syntax is used to execute the last command in the history that starts with the specified string (for example: !/info).
• history <string> – This syntax prints only history commands that contain the specified string.

Maintenance Fixes
Fixed in 31.0.0.0
Version 31.0.0.0 includes all field bug fixes available in version 30.5.3.3. The following additional
bugs were fixed in 31.0.0.0.

Item | Description | Bug ID
1 | In an environment with inbound NAT using Smart NAT, the incoming traffic was NATed when sent to the internal network but not NATed correctly when sent back, causing inconsistent services availability. | prod00250420
2 | After performing one global Save operation, when attempting to again perform a Save using the agSaveConfig MIB, the response was incorrect. | prod00250014
3 | The response values for the ADC-VX's MAC address and all the vADCs that are returned by polling SNMP OID 1.3.6.1.2.1.2.2.1.6 (Object Name: ifPhysAddress) were incorrect. | prod00249937
4 | When attempting to download a large file (an approximately 150MB file) via the Alteon HTTPS (using SSL offloading) service with forceproxy, the operation failed. | prod00249847
5 | In an SLB environment with some aged certificates, a memory leak occurred in the inspection flow, resulting in the allocation failing and the configuration being lost after reboot. | prod00248637
6 | When there was a memory leak in the Management Processor (MP) and the process reached its limit of dynamic memory allocations, the Apply operation failed and the Save operation corrupted the configuration file. | prod00248532
7 | Using WBM, when attempting to delete a previously created (applied and/or just submitted) LOGEXP advanced health check from the list of "customized HCs," a REST API unknown error occurred. | prod00243746

Known Limitations
This section lists known limitations for version 31.0.0.0.

Upgrade Limitations

Item | Description | Bug ID
1 | To upgrade a 6024 or 6420 from 30.5.x to 31.0, the new image can be uploaded via the WBM, while the selection of the image after reboot and the reset should be done from the CLI. This issue is scheduled to be fixed in version 31.0.1.0. | DE21406
2 | Starting with version 31.0, Alteon 5224 VX with 24 GB RAM supports 16 vADCs (compared to 20 vADCs in earlier versions). | DE21457
3 | After upgrading from version 30.5.3.0 to 31.0 with syslog servers configured, the configuration remains in diff. Reason: The syslog settings in version 30.5.3 contain the syslog port, while the syslog settings in version 31.0 do not support it. Workaround: Before the upgrade, remove the syslog settings from the configuration. After upgrade, reconfigure the syslog settings. | DE22603
4 | After upgrade to version 31.0 with a duplicate syslog server IP address configured, the configuration remains in diff and the following error displays: Duplicate Syslog Server with same IP <syslog IP>. Workaround: Remove the duplicated syslog setting from the configuration before the upgrade. | DE21305

vADC and ADC-VX Limitations

Item | Description | Bug ID
1 | The vADC management access protocols can be enabled or disabled via ADC-VX only upon vADC creation. Once a vADC is created, these settings can only be changed through the vADC. If SNMP is not enabled on the vADC on creation, it cannot be accessed via APSolute Vision. | DE6362, DE6449
2 | In an ADC-VX environment where the ADC-VX version is earlier than 30.0 and the vADCs are version 30.0 or later, packet capture on the vADC does not work. The issue also occurs when ADC-VX is running version 30.0.x with vADCs with version 30.1 or later. Workaround: Upgrade ADC-VX to version 30.1.x, or upgrade both ADC-VX and the vADCs to the same Alteon versions. | DE2183, prod00245015
3 | After deleting a vADC, if the saved platform configuration that includes the deleted vADC is uploaded via the GA environment and pushed to all vADCs, the deleted vADC still exists, but its configuration is cleared. | prod00218109
4 | When uploading a vADC configuration using the padc option (configuration from a standalone platform), if, when you are prompted to "Enter vADC Number", you leave a blank and press Enter, the GA management IP address is overwritten by the vADC management IP address. | prod00216519
5 | From WBM, you cannot change the vADC management IP address from within the ADC-VX environment. | prod00216388
6 | Login to a vADC with RADIUS or TACACS authentication fails when MP utilization is at 100%. | prod00206201
7 | On an Alteon 8420 platform in an ADC-VX environment, when Alteon is only using Layer 3, there could be packet loss even with small traffic. | prod00225998
8 | In a virtualization environment, the MP statistics displayed in the vADC and for the same vADC in the ADC-VX do not match. Note: The value displayed in vADC is correct. | DE22030
9 | In a virtualization environment, when an ADC-VX has version 30.5.x and a vADC has version 31.0, the SP CPU Utilization value displayed in the vADC is incorrect. | DE21465
10 | Using FastView on an Alteon ADC-VX, when using the ADC-VX management console to import a configuration from an older version to a vADC that is using FastView, while the vADC is enabled and actively running, the import process takes a long time and a timeout failure alert displays. Although the timeout error displays, the file upload does complete successfully. To avoid the timeout, Radware recommends stopping (disable) the vADC before importing the configuration. | DE9649

Alteon VA Limitations

Item | Description | Bug ID
1 | On an Alteon VA platform with more than 2.5 GB RAM in vSphere with no DPDK ports, an IDS chain in the group and a fallback action Continue in Flow in the filters cannot be used. | DE22180
2 | For Alteon VA to run in PCI pass-through mode on HP servers with VMware virtualization, ESXi 6.0 or higher is required. | N/A
3 | Alteon VA with more than 3 GB RAM works with DPDK and not TUN/TAP (KVM/VMWare). This requires that the host processor is the Intel Westmere architecture or higher (Xeon series 36xx, 56xx, and the Core i7-980X). | N/A
4 | Multi core VA is not supported over Hyper-V, Open XEN, and AWS. | N/A
5 | When working with DPDK with more than 3 GB RAM (KVM/VMware), the SP CPU usage displays high utilization when monitored by external tools. The Alteon internal SP CPU utilization displays the correct value. | N/A
6 | When reallocating vCPUs to the Alteon VA under KVM, you must modify the VM XML file on the host to utilize the correct number of the cores. | N/A
7 | LACP is not supported when working in SR-IOV mode. | N/A
8 | A NIC won’t be recognized by a VA when adding it after the initial boot of the VA when operating in TUN/TAP mode (with less than 3 GB RAM or on Hyper-V, OpenXen, AWS, or Azure). | N/A
9 | When reallocating vCPUs to Alteon VA under KVM, you must adjust the CPU pinning for performance optimization. |
10 | Alteon VA must have at least 3G RAM size to avoid panic in some scenarios like configuration import. | prod00249837
11 | Alteon VA MP CPU utilization is 12% in idle mode (no configuration or traffic). | prod00217990
12 | On an Alteon VA platform, when accessing the platform over Telnet or SSH using an IPv4 interface, the log message incorrectly displays access via an IPv6 interface. | prod00206162
13 | Using Alteon VA or NFV, BWM is not supported. | DE137
14 | When installing Alteon VA over KVM, the virtual machine name cannot contain spaces. | DE384
15 | Using Alteon VA, the displayed disk size is smaller than the actual configured disk size, even though Alteon VA utilizes the entire disk size configured for it. |
16 | Disabling TD vCPUs should be done through the CLI and not through WBM. | DE13352
17 | When configuring a second Alteon VA on the same host, and the same NUMA that already has a running Alteon VA does not have enough memory, the first Alteon VA might crash. | DE13928
18 | Using WBM, when logged in to Alteon VA with User privileges, the landing or the Welcome pane displays as blank and the actual pane does not appear. | DE14588
19 | On an Alteon VA platform, deleting or removing a TD can be performed only through CLI and not through WBM. | DE17038

WBM Limitations

Item Description Bug ID


1. Using WBM, when managing a vADC in the Memory Management
pane, the Allocated Session Table Capacity parameter displays
twice. Only the second display actually changes the configuration.
2. Both the SLB admin and Layer 4 admin cannot view the URL
Filtering statistics using the WBM monitoring screen and cannot DE20796,
delete an URL Filtering policy DE20793
3. A virtual service with 256 virtual service IDs does not display in the
Service Status View. DE21262
4. Using WBM, when navigated to Configuration > Application
Delivery > Global Traffic Redirection > DNS Direction Rules.>
Rule Type field is grayed out and cannot be edited.
Workaround: Use CLI to edit this field DE19103
5. Using the WBM, when trying to duplicate a virtual service and the
duplicated service is created with Group ID 1, an error displays. DE21577
6. On an 8820 platform, in the port settings WBM panes, the port DE21907,
types of the 40G and 100G ports are incorrect. DE21906
7. Using URL filtering, a URL will be categorized at the “undefined”
fallback category in the following cases: URL longer than 256 or DE21740,
when HTTP 1.0 packets sent without a host header DE21741
8. In the Link Load Balancing pane, an Inbound LLB Rule > IPv6
Inbound LLB Rule, with Service Type Group via IPv6 NAT
address or service type: Server via IPv6 Server, IPv6 inbound LLB
rule creates an IPv4 Client Network Rule
Workaround: Access the created Client Network Rule and DE21241,
manually change it to IPv6. DE21242
9. Using WBM, copying the Inbound Link Load Balancing rule does
not work and returns an error. DE21547
10. Using WBM, on a 6024 platform you cannot set more than eight (8)
AppWall (Websec) Capacity Units. DE20585

Alteon 31.0.0.0 Release Notes Rev. 1, February 21, 2017 Page 31


Item Description Bug ID
11. Using WBM, in an SLB environment, you cannot set the
persistency mode as cookie for an HTTPS virtual service, because
the persistency mode drop-down only displays clientip, sslid, and
disable, but not cookie. DE20486
12. Using WBM, when copying a server group, sometimes the real
servers configuration in the server group is not copied, causing a
submit error. DE19962
13. Using WBM, when managing with the user Class of Service set to
L4admin, SLBadmin, user, or certificate administrator, there
may be few discrepancies between the screen display and the CLI
menu display. DE19885
14. Using WBM, on an 8820 platform, in the Configuration > Network
> Physical Ports > Port Settings pane, the port types for 40G and
100G are displayed incorrectly. DE18106
15. After an idle timeout of a WBM session, if you click Cancel instead
of entering the credentials in the Authentication dialog box, an
incorrect error message is displayed instead of an
unauthorized error message. DE18092
16. Using WBM, when the Global SLB statistics are cleared, the
cleared acknowledgement message displays twice. The duplicate
message should be ignored. DE16456
17. Even though an AppShape++ script is not associated to a virtual
service, it might be displayed in the Service Status view and should
be ignored. DE16660
18. The Initial Startup Configuration does not support configuring
tagged VLANs.
19. Using WBM, in the SSL Client Authentication Policy pane at
Configuration > Application Delivery > SSL > SSL Policy >
Client Authentication Policy, the search in the table does not
work on the Redirect URL on failure column. DE16075
20. Using WBM, when the sync peer is preconfigured and you perform
any configuration change to an HTTP/2 policy, the Sync button is
not automatically highlighted. DE15480
21. Using WBM, when configuring an SSL Policy, the Intermediate CA DE13877
Certificate drop-down list gets stuck after the first time it is clicked.
22. Using WBM, when a device is managed via a data port, the log DE13962
messages do not display.

Alteon 31.0.0.0 Release Notes Rev. 1, February 21, 2017 Page 32


Item Description Bug ID
23. When editing an SNMPv3 user, you cannot only change the DE7889
authentication protocol.
24. Using WBM on an Alteon VA platform, you cannot set the IDS port DE21296
in the real server configuration to a value greater than 2.
25. In an ADC-VX environment, the APM license display has the DE1919
following issues:
 Using WBM, it displays with the string “Status Unknown”.
 If there is more than one license, the additional APM license
display overwrites the license display of the previous APM
license.
26. Using WBM, you cannot import server certificates with an existing prod00213833
ID (replace existing certificate).
Workaround: Delete the existing certificate and apply, then import
the new certificate using the same ID.
27. WBM does not support the Safari browser in MacOS. Instead, you N/A
should use Chrome or Firefox.
28. In the STG monitoring pane, not all values are updated. prod00214839
29. Using large configurations, generating a techdata file may cause prod00212041
the MP to reach 100% and WBM disconnects.
30. Using the Service Status view, when the primary real server is prod00211854
down but its backup is up, the backup real server does not display.
31. Using the Service Status view, a real server in blocking mode US2349
displays as Up instead of as Warning.
32. The Traffic Contract for Non-IP Traffic field is not available in the prod00211136
VLAN configuration pane.
33. Using WBM on an Alteon VA platform, in the VRRP Configuration prod00216395
pane, the Advertisement source MAC address mode field is
missing.
34. WBM has partial support for monitoring and statistics. For full N/A
support, use the CLI.
35. You cannot renew a server Certificate with the new Validation prod00218841
Period.

36. Using WBM, the SNMPv3 configuration has the following prod00204831
limitations:
• When creating or updating SNMPv3 USM users, the admin
password validation is skipped.
• When creating SNMPv3 vacmAccess, the security level might
not be set properly.
37. In WBM in the AppShape++ Monitoring pane, the Aborts value is prod00204783
not updated and may display an incorrect value.
38. In CLI, there is a new display for SP Dynamic Memory usage. In prod00204612
WBM, this display is not available and instead incorrectly shows the
old display.
39. In WBM, DNSSEC has the following limitations: prod00204527
• The DNSSEC responder VIP table may display irrelevant
columns such as service and protocol, which can be ignored.
• In the DNS responder VIP Configuration pane, you must select
the virtual Server ID that has DNS TCP and DNS UDP as
services. You cannot pre-select the server.
The Virtual Server pane incorrectly does not display the DNS
responder VIP.
40. In WBM, in the filter configuration, two-way VPN load balancing is prod00204182
missing.
41. In WBM, the VRRP Virtual Router state displays either Init, Master, prod00201915
or Backup (the Holdoff state is missing). To obtain a detailed
status, Radware recommends using the CLI.
42. In WBM, on a vADC platform, you cannot turn off/on IP Forwarding prod00205717
on a port. You can only perform this using the CLI command
/cfg/l3/port.
43. In WBM, in ADC-VX mode, after enabling RADIUS authentication, prod00206275
logging in might not work.
Workaround: In the browser, clear the cache and retry logging in.
44. In WBM, panes in which virtual servers are associated and panes prod00206278
that have virtual server dual lists or select boxes might display DNS
responders VIP addresses that are irrelevant.
Workaround: Ignore or skip these irrelevant VIP addresses.

45. In WBM, after deleting an object, if the object is associated to other prod00206486
entities, these associations are not automatically removed. You
must remove these associations manually so that Apply does not
fail.
46. In WBM, the HTTPS body health check configuration can accept prod00206608
only 512 characters, while 1024 characters are allowed.
47. Enabling or disabling a real server per group is not available using prod00206965
WBM.
48. Using WBM, when attempting to delete a configuration object and prod00201414
then adding a new object of the same type using the same ID, the
Apply command must be run between the two operations for the
addition to be successful.
49. Using WBM, converting a standalone configuration to a vADC prod00216210
configuration does not work.

Static NAT Limitations

This section includes limitations of the Smart NAT feature that was added in version 30.5.2.0.
All of these limitations are scheduled to be fixed in version 31.0.0.0.
Item Description Bug ID
1. In a Smart NAT environment for outbound traffic and Global SLB
DNS queries, sometimes the priority doesn't work as expected. DE19218
2. Statistics are displayed for the wrong NAT ID. DE19177
3. In a No NAT static NAT environment, even though the local server
is up and running and HTTP requests are forwarded to the local
server, no response is given to the ICMP command (that is, the
ping to the static address does not work). DE18963
4. You can submit a Smart NAT entry with different IP versions (such
as IPv4 SNAT and IPv6 WAN link). DE18862
5. When adding an IPv6 NAT, in the Smart NAT table the local
address and NAT address columns display address 0.0.0.0 instead DE19118,
of the IPv6 address. DE20225

General Limitations

Item Description Bug ID


1. An FQDN Server cannot be created when the ID of the template DE21734
real server ID is more than 32 characters.

2. On an 8820 platform with a 100 G port, forward error
correction (FEC) cannot be set to OFF, which is required to operate
LR transceivers. Currently only SR transceivers are approved for
use. DE22524
3. On 6024 or 8420 platforms, when an Alteon is connected to a
Cisco router in a simple STG topology, as all the ports remain in
Forwarding state, a loop occurs.
4. In an SSL inspection environment with more than one security
device flow, the reverse setting must be set to enabled on all
related filters.
5. In an SSL inspection environment, if the cache size reaches 100%,
traffic failures occur.
However, there is a clean mechanism with 10% deletion of the
system for an 80% cache size. If the R is being cleaned too quickly
(meaning greater than 100Mb per second) traffic failures might still
occur.
6. In a VRRP environment, centisecond advertisement is not
supported. All the intervals must be in seconds.
Currently, centiseconds are supported only with IPv6
advertisements and work incorrectly most of the time.
7. If you are using different image versions in Master (later than
version 30.0.0.0) and Backup (earlier than 30.0.0.0), syslog
messages display regarding the mismatch in address count, and
advertisement errors are incremented accordingly on the Backup.
However, this does not affect the VRRP master-backup scenario.
All the functionality is expected to work as before, except for the
error counter increment.
8. In a VRRP with SLB environment and PIP and network class DE21252
configured, the incorrect MAC address (the base MAC address)
instead of the VPR MAC is reflected in the MP ARP responses,
causing sessions that were NATed before going to the Internet to
return to the same MAC address.
Workaround: Delete the network class and configure the specific
address as PIP:
/c/slb/real LTM_F5/adv/pip
mode address
addr 171.182.204.63 255.255.255.255 persist
disable
/c/slb/nwclss SNAT/del
9. Using APSolute Vision, configuring a network class with a country
or state that contains special characters may fail.
Workaround: Use Alteon WBM for such a configuration. DE21625
10. In an SLB environment with a gateway per VLAN configured in a
network without a PIP configuration, Alteon forwards server
returned packets to clients tagged with different VLAN IDs, causing
packets to be discarded by the gateways.
Radware recommends setting the Return to source MAC value for
a relevant virtual service using the rtsrcmac ena command, which
was introduced in version 30.1. prod00246941
11. LACP does not work when MSTP is enabled. DE13199
12. In an ADC-VX, when changing the management IPv6 gateway
address, the previous IPv6 gateway address is not removed from
the routing table. DE21599
13. Using WBM in the Firefox Mozilla browser with an HTTPS
connection, it might take a very long time to open the applet for
Alteon. DE20462
14. In a high availability environment, the configuration synchronization
failure reason doesn’t appear on the master device when an IPv6 peer
IP address is used.
Workaround: Use an IPv4 peer IP address. DE19918
15. Alteon does not forward BPDUs between Cisco and Juniper when
the VLANs are in different STGs and the STG is set to off. DE19690
16. On an 8820 platform in an ADC-VX environment, even though the
threshold CUs should be only 144, WBM limits the user to up to
152 CUs. DE19548
17. In an SLB environment, Layer 7 Direct Server Return (DSR) with
FTP does not work. DE17741
18. In a DNS cloud environment with FQDN real servers configured,
after a few DNS responses, the real server capacity information
displays incorrectly with the CLI command
/info/sys/capacity/. DE17650
19. In a BGP environment where Floating IP advertisement is used,
when you disable or delete a floating/VR IP address, BGP routes
are not updated. DE16514
20. In a VRRP unicast environment on an Alteon VA platform (KVM), DE16513
with Direct Access Mode (DAM) disabled, matrix and mirror
enabled, after backup the mirrored sessions are not distributed to
all SPs.

21. In a VRRP unicast environment with TSO enabled on the backup
and synced to the backup, when the backup becomes the master,
even though the TSO enable is synced, manual reboot is required
for TSO to work. DE15820
22. On the 5224 FIPS platform, when back-end SSL encryption is DE13959
enabled, SSL performance is very low.
23. When performing outbound link load balancing in an IP gateway
environment (different IP versions used on LAN and WAN),
proximity checks are not initialized.
24. When using FQDN servers, configuration synchronization from DE13680,
backup to master is not supported (it causes FQDN servers to be DE13559
disabled or deleted).
25. When a backup device with FQDN servers comes up after reboot,
no ephemeral real servers are present.
26. GSLB Proxy Redirection for an HTTPS or SSL service does not DE13265
work when SSL ID persistency is configured on a virtual service.
27. Using GSLB, availability priority set for a VIP on a remote Alteon is DE13545
not taken into consideration by the local Alteon.
28. Alteon sends beacons to the APM on the default port only. DE12551
29. When using a network class for PIP, the range of the network class DE2065
cannot overlap with the VIP IP address.
30. When the CDP server is not accessible and the CDP Interval value DE2168
is reached, the current CDP is deleted even though it is still valid.
31. Uploading a large CRL file on a vADC with one (1) CU may take a N/A
very long time. For example, uploading a 5M CRL file on a vADC
with one (1) CU may take 30 minutes.
32. Return to the source MAC address only works when Direct Access DE792
Mode (DAM) is enabled.
33. IPv6 DSR DNS load balancing does not work. DE2284
34. The IPv6 DNS client does not work. DE802
35. For a virtual service, the insert cookie configuration should be DE881
performed either by setting the persistency mode to insert cookie,
or by using an AppShape++ script with a persistent cookie. Both
settings should not be performed together on the same service.
36. On an 8420 platform, when the management port and next host prod00225576
(SMB/NIC) is configured as 10 HDX/FDX auto off, the link displays
as down using the info/sys/mgmt command, even though the
link LED is orange and the activity LED is green.

37. On an 8420 platform, when the system is up, pulling out the fan prod00225314
tray, blocking it, and then reinserting it, there is a log message that
the fan is plugged in, but there is no message that the fan failed.
38. On a 5208 platform with management port enabled, after rebooting prod00217388
the platform (/boot/mgmt) with the factory configuration, the
platform becomes operational with the management port disabled,
when it should have been enabled by default.
39. On a 5208 platform, when setting the next boot to load from the prod00223651
factory default configuration without keeping the management
configuration, after reset, the management port becomes disabled
(although by default it is enabled).
40. When audit is enabled on a platform and an audit message prod00223697
contains more than 1000 characters, the message is truncated and
the audit may not display all configuration change details in the
message.
41. Some audit messages related to enable/disable might display as prod00223516
deleted when the field is actually being modified.
Example command: /c/sys/access/https/https d
This may display if HTTPS was deleted as it was changed from its
default.
42. Using an AppShape++ script, the UDP::response does not work in prod00221228
SERVER_DATA for DNS.
43. Under high traffic load, terminated sessions are not removed from prod00213645
the backup platform mirror table.
44. The IP interface of a VRRP group that includes IPv4 VRs cannot be N/A
configured using IPv6.
45. While retrieving techdata, the MP CPU utilization may reach 100%, prod00212041
making the management interface inaccessible.
46. GSLB Proxy Redirection does not work for IPv6 traffic. prod00215426
47. GSLB Client Proximity does not work when HTTP traffic is prod00215327
processed in forceproxy mode.
48. On a standalone platform connected to a Cisco switch, STP prod00207648
Root bridge election does not occur.
49. On a 5224 platform, 1 GB fiber SFP links are not operational when prod00219478
connected to a Juniper switch. This is a Juniper-Broadcom
interoperability problem.
Workaround: Disable auto-negotiation or use a copper GBIC.
50. On a 6420 platform, ports that are connected to a Cisco or Juniper prod00217649
switch are incorrectly reported as up even when disabled.
51. Statistics of IPv6 virtual servers are incorrect on the backup prod00217544
platform.
52. When activating traffic capture on a platform that is under high load prod00210096
and high SP CPU, failover to the backup platform may occur.
53. Outbound SIP traffic works only for a standard 5060 port. prod00217348
54. SSL decryption of an SSL capture is not supported for IPv6 traffic. prod00217115
55. Using redirect filtering, Layer 7 pattern match does not work when prod00212657
delayed binding is enabled.
56. The OSPF MD5 key is displayed in a config dump as clear text prod00214646
instead of encrypted.
57. In IPv6 filters, when delayed binding is enabled internally, it prod00214645
functions as forceproxy.
58. For a VR group that includes both IPv4 and IPv6 VRs, the prod00214159
advertisements are sent only via IPv6 interfaces when the method
is unicast.
59. No warning message is displayed when APM is enabled on a prod00213522
service with no APM license.
60. When all persistent entries in the Dynamic Data Store (persistence prod00212945
via AppShape++) are purged, sometimes new persistent entries
are not mirrored to the backup platform. Radware recommends
also purging entries from the backup platform.
61. If the real server has the description configured, the real server prod00220874
description is shown instead of the real IP address under
/info/slb/cookie.
62. When a buddy server does not belong to any service, after Apply it prod00212727
and the real server go down for a short time.
63. When two IPv6 interfaces are configured on the same VLAN and prod00216479
they both have VRs configured, only one interface is in status "up
(preferred)", while the other is in status "up (tentative)".
Workaround: Disable and then enable the interface.
64. Uploading the configuration taken from a techdata file is not prod00216036
supported. After uploading such a configuration, after rebooting the
"bad syntax" error is issued, and most of the configuration is
ignored.
65. The default share value for /cfg/l3/vrrp/group and prod00177054
/cfg/l3/vrrp/vr is disabled in Alteon versions 26.8 and 28.0,
and enabled starting with version 28.1. After upgrading from
versions 26.8 or 28.0 to version 28.1 or later, if the share
parameter had a default value, you must disable it manually.
66. The BWM module is not working properly. prod00190470
67. For IPv6 virtual routers (VRs), only VRIDs up to 255 can be used. prod00191837
68. HTTP Layer 7 processing using legacy delayed binding in enabled prod00198986
mode does not work with fragmented traffic.
69. On an Alteon 5412 platform (XL or non-XL), the 1 GB fiber module prod00200279
is not working with auto-negotiation on.
Note: The port might be displayed as up but it does not function
properly.
Workaround: Set the auto-negotiation to off at both sides.
70. On a 5412 platform, an SFP port with the SI8512-X5AT0-3C fiber prod00200619
module should not be used for ISL. The port speed is reported as
10M, causing VRRP flaps.
71. SSL ID persistency is not supported in force proxy mode. When prod00200668
upgrading from version 28.1.x to 29.5.0.0, if there are virtual
services configured with SSL ID persistency and force proxy mode,
configuration apply fails until either SSL ID persistency is disabled
or force proxy mode is deactivated.
Radware recommends performing this before upgrade.
72. A GSLB configuration with cookie-based persistency between sites prod00201333
does not work for IPv6 requests.
73. The incorrect APM license value is reported to APSolute Vision. prod00201942
74. On an HTTPS service with a non-standard service port and server prod00202219
port 443, in force-proxy mode, real server IP leakage is observed.
Workaround: Add a proxy IP address or change delayed binding
to enabled mode.
75. When a new configuration is applied, there might be "server up" prod00202693
messages for servers that are not attached to any VIP.
76. If more than 256 virtual routers (VRs) are configured on the same prod00202886
IP interface, flipping between master and backup device can occur.
77. Sometimes persistent sessions exist for twice the persistency prod00203494
timeout value.
78. When processing traffic via a redirect or NAT filter, if an ICMP type prod00203850,
3 code 4 message arrives from the client-side, it is not properly prod00203888
processed.
79. X-Forwarded-For can be enabled for an HTTPS service without prod00204113
SSL offload (requires delayed binding enabled), even though it
cannot be performed.
80. MP Utilization data sent to the Device Performance Monitoring prod00204922
module is sometimes incorrect.
81. Generation of a 4096 key size may take up to 30 seconds. During prod00204939
this time, the CPU utilization may reach 100 %.
82. Trying to upload a very large capture file via FTP/TFTP fails. prod00205038
83. On an Alteon 4408 platform with 1G copper SFP ports, the port prod00206900,
status is always displayed incorrectly on these ports and does not prod00115850
take effect when operationally disabled or enabled.
84. Some of the cache statistics are incorrect: prod00207290,
• The number of new cached bytes is always reported as 0. prod00207297,
• The new cached bytes rate is incorrect. prod00207299
• The cached objects average size counters are incorrect.
85. HTTP/2 Gateway is not supported in conjunction with AppShape++.

FastView Limitations

Item Description Bug ID


1. When using FastView for an HTTPS service in conjunction with DE6100
Pass SSL Information to Backend Servers, Radware
recommends using the default header names. The FastView
fetcher uses default SSL headers to indicate front-end SSL, and
not the user-defined custom headers.
2. Using FastView with deferral for images, the images are not DE13859
displayed.
This is scheduled to be fixed in version 31.0.1.0.

AppWall Limitations

Item Description Bug ID

1. The AppWall management applet does not work when the prod00216858
management user is authenticated via TACACS or RADIUS (only
local users are supported).
2. After upgrading to version 31.0.0.0, as the internal security page DE22203
.zip files are deleted from the disk, the vulnerability response is
always returned as a 404 not found page instead of the configured
security page.
Workaround: After the upgrade to version 31.0.0.0, re-upload the
internal security page .zip files to avoid the 404 response.
This is scheduled to be fixed for version 31.0.1.0.
3. In an Authentication Gateway environment, uploading several files DE21801
in a short period might sometimes fail.
4. In the Authentication GW panes, in some rare cases when only the DE1929
authentication GW license is installed, more filters display than are
defined.
Workaround: For authentication GW functionality, use only the
Allowlist and Pathblocking filters.
5. In some rare cases, the request data in the Forensics table does DE1373
not display information.

Alteon Management via APSolute Vision Limitations

Item Description Bug ID


1. From APSolute Vision, when working in a vADC that is set with DE20789
unlock system access, after applying any system changes in the
vADC, the Revert Apply from APSolute Vision may cause the
vADC to disconnect, as the SNMP access setting will revert to
default (disabled).
Workaround: Perform the Revert Apply from the Alteon WBM.
This is scheduled to be fixed in version 31.0.1.0.
2. Using APSolute Vision version 3.60 with this Alteon version, the prod00246805
import/export from the Operations menu does not work.
Workaround: Navigate to the individual pages for the export/import
of a specific configuration (for example), or upgrade to APSolute
Vision version 3.70.
3. Using APSolute Vision 3.0, techdata cannot be generated. DE1850
Workaround: To generate techdata, use the Alteon WBM, or use
the CLI command /maint/techdata.
4. Using APSolute Vision to manage FastView on Alteon, the controls DE14140,
in the Treatment Set screens do not work properly. DE13816



Related Documentation
New! Version 31.0.0.0 introduces the Alteon Getting Started Guide. This guide is designed to
quickly assist you in configuring a new installation from scratch.

The following documentation is related to this version:

• Alteon Installation and Maintenance Guide
• Alteon VA Installation and Maintenance Guide
• Alteon Getting Started Guide
• Alteon Web Based Management Application Guide
• Alteon Command Line Interface Application Guide
• Alteon Command Reference
• Alteon REST API User Guide
• Alteon AppShape++ SDK Guide
• Alteon NG Deployment Guide
• AppWall for Alteon NG User Guide
• FastView for Alteon NG User Guide
• LinkProof for Alteon NG User Guide
• LinkProof NG User Guide
• Alteon Troubleshooting Guide

North America
Radware Inc.
575 Corporate Drive
Mahwah, NJ 07430
Tel: +1-888-234-5763

International
Radware Ltd.
22 Raoul Wallenberg St.
Tel Aviv 69710, Israel
Tel: 972 3 766 8666

© 2017 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered
trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective
owners. Printed in the U.S.A
