Allied Telesis AT-WA1104G-10 User Manual

Software Maintenance Release Note
Maintenance Version 291-10
for AR415S, AR440S, AR441S, AR442S, AR450S, AR725, AR745, AR750S, AR750S-DP, and AR770S routers and AT-8600, AT-8700XL, Rapier i, Rapier w, AT-8800, AT-8900, x900-48, AT-9900, and AT-9800 Series switches
This software maintenance release note lists the issues addressed and enhancements made in Maintenance Version 291-10 for Software Version 2.9.1. Version details are listed in the following table:
Models Series Release File Date Size (bytes) GUI file
AR415S, AR440S, AR441S, AR442S, AR450S AR400 54291-10.rez 24 July 2007 4946220 415s_291-10_en_d.rsc
AR750S, AR750S-DP, AR770S AR7x0S 55291-10.rez 24 July 2007 4074888 750s_291-10_en_d.rsc (AR750S and AR750S-DP)
AR725, AR745 AR7x5 52291-10.rez 24 July 2007 4114292 _725_291-10_en_d.rsc
_745_291-10_en_d.rsc
AT-8624T/2M, AT-8624PoE, AT-8648T/2SP AT-86 00 sr291-10.rez 24 July 2007 2468216 8624t_291-10_en_d.rsc
8624poe_291-10_en_d.rsc
8648t_291-10_en_d.rsc
AT-8724XL, AT-8748XL AT-8700XL 87291-10.rez 24 July 2007 2411128 8724_291-10_en_d.rsc
8748_291-10_en_d.rsc
Rapier 24i, Rapier 48i, Rapier 16fi Rapier i 86291-10.rez 24 July 2007 4587048 r24i_291-10_en_d.rsc
r16i_291-10_en_d.rsc
r48i_291-10_en_d.rsc
Rapier 48w Rapier w 86291-10.rez 24 July 2007 4587048 -
Enabling and Installing this Release 2
Models Series Release File Date Size (bytes) GUI file
AT-8824, AT-8848 AT-88 00 86291-10.rez 24 July 2007 4587048 8824_291-10_en_d.rsc
8848_291-10_en_d.rsc
AT-8948, AT8948i, x900-48FE, x900-48FE-N, x900-48FS
AT-9924T, AT-9924SP, AT-9924T/4SP AT-99 00 89291-10.rez 24 July 2007 4884216 9924_291-10_en_d.rsc
AT-9812T, AT-9816GB AT-9800 sb291-10.rez 24 July 2007 3988344 9812_291-10_en_d.rsc
x900-48 89291-10.rez 24 July 2007 4884216 -
9816_291-10_en_d.rsc
Caution: Using a maintenance version on the wrong model may cause unpredictable results, including disruption to the network.
This maintenance release note should be read in conjunction with the following documents:
the Release Note for Software Version 2.9.1, available from www.alliedtelesis.co.nz/documentation/relnotes/relnotes.html, which describes the new
features since Version 2.8.1
your router or switch’s Document Set for Software Release 2.9.1. This document set is available on the CD-ROM that shipped with your router or switch, or
from www.alliedtelesis.co.nz/documentation/documentation.html
Caution: Information in this release note is subject to change without notice and does not represent a commitment on the part of Allied Telesis, Inc. While every effort has been made to ensure that the information contained within this document and the features and changes described are accurate, Allied Telesis, Inc. can not accept any type of liability for errors in or omissions arising from the use of this information.

Enabling and Installing this Release

To use this maintenance release you must have a base release license for Software Release 2.9.1. Contact your distributor or reseller for more information about licences. To enable this release and install it as the preferred release, use the commands:
enable rel=xx291-10.rez num=2.9.1
set install=pref rel=xx291-10.rez
where xx is the prefix to the filename, as shown in the table on page 1. For example, to install the release on an x900-48FE switch, use the commands:
enable rel=89291-10.rez num=2.9.1
set install=pref rel=89291-10.rez
Version 291-10 C613-10488-00 REV G
Levels 3

Levels

Some of the issues addressed in this Maintenance Version include a level number. This number reflects the importance of the issue that has been resolved. The levels are:
Level 1 This issue will cause significant interruption to network services, and there is no work-around.
Level 2 This issue will cause interruption to network service, however there is a work-around.
Level 3 This issue will seldom appear, and will cause minor inconvenience.
Level 4 This issue represents a cosmetic change and does not affect network operation.
Version 291-10 C613-10488-00 REV G
Features in 291-10 4

Features in 291-10

Software Maintenance Version 291-10 includes the resolved issues and enhancements in the following tables. In the tables, for each product series:
“Y” indicates that the resolution is available in Version 291-10 for that product series.
“–” indicates that the issue did not apply to that product series.

Level 1

No level 1 issues

Level 2

CR Module Level Description
CR00016759
CR00018655
CR00018656
Version 291-10 C613-10488-00 REV G
Switching,
DHCP
Snooping
IP Gateway 2 If the user did not specify the destination and dmask parameters when
2 Enabling DHCP snooping (correctly) adds a hardware filter to all untrusted
ports, to block all IP traffic coming from those ports. Previously, disabling DHCP snooping did not delete these filters. This meant that the switch dropped all IP traffic from the previously-untrusted ports until the switch was restarted.
Also, attempting to manually delete the hardware filters did not actually remove them.
These issues have been resolved. The switch now removes the filters if you disable DHCP snooping or manually delete the filters.
entering the set ip filter command, the destination and dmask of the filters were reset to any.
Also, it was not possible to delete an IP filter by using the delete ip filter command, even when all required parameters were present.
These issues have been resolved.
AR400
AR7x5
AR7x0S
Rapier i
Rapier w
AT-8800
AT-8600
AT-8700XL
x900-48
AT-9900
AT-9800
--------YY-
YYYYYYYYYYY
Features in 291-10 5
CR Module Level Description
CR00018663
Switching 2 The resolution to CR 444 meant that packets processed by the CPU are now
subjected to the same filtering as packets switched in hardware. However, this filtering did not always return the expected results. Sometimes its IP address matching was incorrect, and it did not correctly process filters with an action of nodrop.
These issues have been resolved.
CR00018691
OSPF 2 On a router or switch with OSPF redistribution enabled, OSPF did not
redistribute the interface route when an interface came up (for example, after a reboot).
This issue has been resolved.
CR00018693
QoS 2 QoS policies, traffic classes, and flow groups could not have an ID number
of 0 (zero).
This issue has been resolved.
CR00018778
IP NAT, Firewall 2 When using IP NAT, the router or switch would reboot when processing
TCP SYN packets.
This issue only occurred with IP NAT, which is configured by using the add ip nat command. It did not occur with firewall NAT.
This issue has been resolved.
AR400
AR7x5
AR7x0S
Rapier i
Rapier w
AT-8800
AT-8600
AT-8700XL
x900-48
AT-9900
AT-9800
---YYYYY---
YYYYYYYYYYY
- - - YYYYYYYY
YYY--------
Version 291-10 C613-10488-00 REV G

Level 3

Features in 291-10 6
CR Module Level Description
CR00018514
Ping 3 Traceroute (the trace command) did not work. It returned the error “The
destination is either unspecified or invalid” even if the destination was reachable.
This issue has been resolved.

Level 4

No level 4 issues

Enhancements

No enhancements
AR400
AR7x5
AR7x0S
Rapier i
Rapier w
AT-8800
AT-8600
AT-8700XL
x900-48
AT-9900
AT-9800
YYYYYYYYYYY
Version 291-10 C613-10488-00 REV G
Features in 291-09 7

Features in 291-09

Software Maintenance Version 291-09 includes the enhancement in the following table, which is available for x900-48FE and x900-48FE-N switches.

Level 1-4

No level 1-4 issues

Enhancements

CR Module Level Description
CR00018530
Core - CPU fan monitoring is now disabled by default on x900-48FE and
x900-48FE-N switches. Monitoring the fan is unnecessary unless an accelerator card is installed on the switch, so disabling monitoring reduces the number of messages that the switch displays and logs.
To enable monitoring, use the command:
enable cpufanmonitoring
To disable it again, use the command:
disable cpufanmonitoring
When monitoring is enabled, the command show system displays the CPU fan status in the entry labelled “Main fan”.
Note that this behaviour is already available on AT-8948 switches.
AR400
AR7x5
AR7x0S
Rapier i
Rapier w
AT-8800
AT-8600
AT-8700XL
x900-48
AT-9900
- - - - - - - -Y- -
AT-9800
Version 291-10 C613-10488-00 REV G
Features in 291-08 8

Features in 291-08

Software Maintenance Version 291-08 includes the resolved issues and enhancements in the following tables. In the tables, for each product series:
“Y” indicates that the resolution is available in Version 291-08 for that product series.
“–” indicates that the issue did not apply to that product series.

Level 1

No level 1 issues

Level 2

CR Module Level Description
CR00000444
CR00000484
CR00001231
Version 291-10 C613-10488-00 REV G
Switching,
IGMP,
IP Gateway
Switching 2 When a nodrop action was specified on a port as part of an L3 filter, it was
Firewall 2 The router or switch sometimes recorded more events in its deny event
2 If a packet should have matched a hardware filter with a deny action and
have been discarded, but an IP routing entry had not yet been learnt for the packet, then the packet was not discarded.
This issue has been resolved and the packet is now discarded.
observed that the port was still dropping packets. This was observed after the ARP entry for the destination IP expired from the switch’s L3 table.
This issue has been resolved.
queue than was specified by the detail parameter of the set firewall policy attack command.
This issue has been resolved.
AR400
AR7x5
AR7x0S
Rapier i
Rapier w
AT-8800
AT-8600
AT-8700XL
x900-48
AT-9900
AT-9800
---YYYYY---
---YYYYY---
YYYYYY- - - - Y
Features in 291-08 9
CR Module Level Description
CR00003495
Classifier 2 The following issues existed with classifiers:
classifiers matching protocol=ipv6 and ipprotocol=icmp could be
created more than once
classifiers matching protocol=ipv6 and ipprotocol=1 could be created
but were meaningless because 1 represents IPv4 ICMP
classifiers matching protocol=ip and ipprotocol=58 could be created
but were meaningless because 58 represents IPv6 ICMP.
These issues have been resolved.
Also, classifiers now default to protocol=ip (IPv4) if:
no value is specified for the protocol parameter, or
protocol=any and ipprotocol=icmp.
CR00004018
VLAN 2 Removing then re-adding ports to a Nested VLAN, with rapid STP enabled,
caused the port in the Alternate Discarding state to leak a small number of packets.
This issue has been resolved.
CR00005472
BGP 2 When BGP was in the OpenSent state and it received an out-of-sequence
message (such as a KeepAlive message), BGP would return to the Idle state.
This issue has been resolved. BGP now sends a notification message to the other BGP peer, as expected.
AR400
AR7x5
AR7x0S
Rapier i
Rapier w
AT-8800
AT-8600
AT-8700XL
x900-48
AT-9900
AT-9800
YYYYYY- - YYY
---------Y-
YYYYYY- - YYY
CR00005812
Version 291-10 C613-10488-00 REV G
IP Gateway 2 When the router or switch received an IP packet whose length was greater
than the MTU on the outgoing link, and the packet contained an IP option that was not designed to be fragmented (such as Timestamp), then the resulting constituent fragments would have incorrect IP header lengths. This could lead to data corruption.
On routers, this issue applied to all routed packets. On switches, it applied to packets processed by the CPU, not to packets switched in hardware.
This issue has been resolved.
YYYYYYYYYYY
Features in 291-08 10
CR Module Level Description
CR00007178
RIPng 2 The following issues occurred with RIPng:
RIPng dropped requests from peers with non link-local addresses.
for a solicited response, if the routes did not exist on the device, RIPng
returned a metric of 0 for them instead of returning a metric of 16
RIPng performed split-horizon checking for solicited responses
RIPng used the link-local address to respond to all requests, even if the
request used a non link-local address and therefore the reply should have also used a non link-local address
These issues have been resolved.
CR00008847
Install, MIB 2 Previously, the MIB objects configFile and createConfigFile would return the
current configuration file, and the MIB object currentConfigFile would return 'no such object'.
This issue has been resolved. The objects configFile and createConfigFile now return the boot configuration file. The object currentConfigFile now returns the current configuration file.
CR00009473
Classifier 2 The output of the show classifier=number command did not show the
protocol number.
This issue has been resolved.
CR00010654
Firewall 2 When adding a firewall application rule, it was possible to specify FTP as the
application but not specify the command parameter. This meant that the rule would allow all FTP commands through, even if action=deny had been specified.
This issue has been resolved by making the command parameter mandatory when the application is specified as FTP.
AR400
AR7x5
AR7x0S
Rapier i
Rapier w
AT-8800
AT-8600
AT-8700XL
x900-48
AT-9900
AT-9800
YYYYYY- - YYY
YYYYYYYYYYY
YYYYYYYYYYY
YYYYYY- - - - Y
CR00010951
Version 291-10 C613-10488-00 REV G
PPP 2 If the router or switch received an LCP packet with an unrecognised code,
it responded with a CodeReject packet of incorrect length that did not respect the established MRU of the peer.
This issue has been resolved.
YYYYYY- - YYY
Features in 291-08 11
CR Module Level Description
CR00010967
PPP 2 If the router or switch received an LCP packet with an unrecognised
protocol, it responded with a ProtocolReject packet of incorrect length that did not respect the established MRU of the peer.
This issue has been resolved.
CR00010968
PPP 2 When the established Maximum Receive Unit (MRU) of the remote PPP peer
was greater than the established MRU of the local PPP peer, Echo Reply packets did not respect the established MRU of the remote peer.
This issue has been resolved.
CR00011231
Core 2 In most circumstances the stack dump for an AR7x5 router was invalid and
did not contain complete information about the cause of a reboot.
This issue has been resolved.
CR00012218
VPN, GUI 2 Enabling VPN (IPsec) on the GUI caused the GUI VPN page to stop
displaying information about some or all of the existing VPN policies.
This issue has been resolved.
CR00012727
OSPF 2 Sometimes when a type 7 external LSA was translated to a type 5 external
LSA the forwarding address was set to 0.0.0.0 in the translated type 5 LSA.
This issue has been resolved, so that the forwarding address is always copied from the type 7 LSA being translated.
AR400
AR7x5
AR7x0S
Rapier i
Rapier w
AT-8800
AT-8600
AT-8700XL
x900-48
AT-9900
AT-9800
YYYYYY- - YYY
YYYYYY- - YYY
-Y---------
Y-Y--------
YYYYYYYYYYY
CR00012751
Version 291-10 C613-10488-00 REV G
OSPF 2 When the router or switch is acting as an area border router and one of the
areas is an NSSA (Not So Stubby Area), the router or switch will create a default route for the NSSA and inject this into the NSSA. Previously, the router or switch was also redistributing this route into other areas as a static route when static route redistribution was turned on. This was not desirable behaviour.
This issue has been resolved.
YYYYYYYYYYY
Features in 291-08 12
CR Module Level Description
CR00012871
TTY 2 Unexpected characters could appear on the terminal emulator display
when the column size was set greater than 80 and the user edited a command that spanned more than one line of the display.
This issue has been resolved.
CR00013597
DVMRP,
Frame Relay
2 If a frame relay interface was configured as a DVMRP interface, then the
DLC value was not correctly generated in output of the command show config dynam or in the configuration script generated by the command create config.
This issue has been resolved.
CR00013660
Core, SNMP 2 Previously, SNMP returned an incorrect product ID number for AR750S-DP
routers.
This issue has been resolved. The value of the sysObjectID object is now 80 for AR750S-DP routers.
CR00013735
LACP,
Switching
2 When moving ports from an LACP-controlled trunk to a manually-
configured trunk, ports were incorrectly set in an STP blocking state. Therefore, traffic would not flow over the trunk.
This issue has been resolved.
Note: When you move ports from an LACP-controlled trunk to a manually­configured trunk, you must delete the ports from LACP.
AR400
AR7x5
AR7x0S
Rapier i
Rapier w
AT-8800
AT-8600
AT-8700XL
x900-48
AT-9900
AT-9800
YYYYYYYYYYY
YYYYY- - - - - -
--Y--------
--------YY-
CR00013763
Version 291-10 C613-10488-00 REV G
OSPF 2 If the obsolete command set ospf rip=both was entered, the router or
switch correctly automatically replaced it with the following two commands in the dynamic configuration:
add ospf redistribute protcol=rip
set ospf rip=export
However, if the command create config was used to save the configuration, after system start-up the configuration file did not contain the command add ospf redistribute protocol=rip. This meant that OSPF stopped redistributing RIP routes after a reboot.
This issue has been resolved.
YYYYYYYYYYY
Features in 291-08 13
CR Module Level Description
CR00013778
CR00013893
CR00013982
CR00014044
CR00014146
CR00014230
IPv6 2 If a user shortened the prefix length of an IPv6 interface address, then
lengthened it, it became impossible to change the prefix length again.
This issue has been resolved.
MSTP 2 Executing the commands disable mstp port=number or enable mstp
port=number would not disable or enable the port on all MSTIs.
This issue has been resolved.
L2TP 2 An L2TP call could be deleted when still attached to the PPP interface.
Doing this caused the router or switch to reboot.
This issue has been resolved.
IGMP 2 When large numbers of multicast streams were passing through the switch
and there was no multicast routing protocol running (such as PIM or DVMRP), the CPU would experience regular periods of extended high utilisation. This could result in lost control packets and network instability.
This issue has been resolved.
TTY 2 When a file was redirected (for example, by a trigger), if the mail hostname
was not available or not configured, the router or switch would reboot.
This issue has been resolved.
TTY 2 If the built-in editor was used to delete the last line of a file, the router or
switch could reboot.
This issue has been resolved.
AR400
AR7x5
AR7x0S
Rapier i
Rapier w
AT-8800
AT-8600
AT-8700XL
x900-48
AT-9900
AT-9800
YYYYYY- - YYY
- - - YYYYYYY-
YYYYY- - - - - -
----------Y
YYYYYYYYYYY
YYYYYYYYYYY
CR00014295
CR00014320
Version 291-10 C613-10488-00 REV G
IGMP 2 IGMP snooping would process IGMP protocol packets that had incorrect IP
TTL fields (i.e. that had values other than 1).
This issue has been resolved.
OSPF 2 Occasionally, when OSPF was started, not all the Type-7 LSAs were
translated into Type-5 LSAs.
This issue has been resolved.
Y- YYYYYYYYY
YYYYYYYYYYY
Features in 291-08 14
CR Module Level Description
CR00014827
PIM6 2 If an IPv6 accelerator was used, and the upstream router forwarded IPv6
multicast data just before the prune limit timer expired, then the downstream router sometimes did not send the prune until significantly after the timer expired.
This issue has been resolved.
CR00015169
MSTP, GUI 2 Using the web-based GUI to set the Point-to-Point Link in the MSTP CIST
Port configuration to a non-default value would generate an error.
This issue has been resolved.
CR00015805
ISAKMP, IPv6 2 During the boot up, the router or switch waited 5 seconds before
beginning ISAKMP prenegotiation. For VPN tunnels over IPsec for IPv6, this was not long enough for the router or switch’s interfaces to come up before prenegotiation began.
Also, the router or switch did not obtain the most recent active ISAKMP SA when multiple SAs existed.
These issues have been resolved. The router or switch now waits 6 seconds, and obtains the most recent SA and uses that for Phase 2 negotiations.
CR00015964
Switching 2 If the switch had a large number of routes in its forwarding database (FDB),
and the command show switch fdb was used to display the contents of the FDB, and the switch’s CPU was busy at the time, then the switch sometimes rebooted.
This issue has been resolved.
AR400
AR7x5
AR7x0S
Rapier i
Rapier w
AT-8800
AT-8600
AT-8700XL
x900-48
AT-9900
AT-9800
--------YY-
- - - YYYYYYY-
YYYYYY- - - - -
--------YY-
CR00016262
CR00016340
Version 291-10 C613-10488-00 REV G
Load 2 When attempting to upload files from the switch using TFTP to an IPv4
server address, the router or switch reported an error if IPv6 was not enabled. It was not possible to upload files using TFTP to an IPv6 server address at all.
These issues have been resolved.
DHCP
Snooping
2 DHCP Snooping has been enhanced to operate in a customised VLAN ID
translation (VID translation) environment. Previously, DHCP Snooping was not supported with VID translation.
This issue has been resolved.
YYYYYY- - YYY
- - - YYYYYYY-
Features in 291-08 15
CR Module Level Description
CR00016587
IPv6 2 The timer that governs the interval between repeated neighbour
solicitation messages could only be configured by using the ndretrans parameter of the set ipv6 nd command, and not through router advertisements that the router or switch received from other routers.
This issue has been resolved. Instead of using the ndretrans parameter of the command set ipv6 nd, use the retrans parameter to configure the timer interval. Also,routers or switches acting as hosts will now correctly update their timer values to the value specified in any router advertisements that they receive.
CR00016592
DHCP6 2 Previously, it was possible to enter the incomplete commands delete
dhcp6 policy=name or set dhcp6 policy=name without specifying any
other parameters.
This issue has been resolved. If this is done, the router or switch now displays the warning:
Warning (2117007): One or more parameters may be missing.
CR00016840
STP 2 Previously, when the switch was a Spanning Tree root bridge in a network
and a user raised the switch’s root bridge priority enough to stop the switch from being the root bridge, unnecessary delays in convergence occurred.
This issue has been resolved.
AR400
AR7x5
AR7x0S
Rapier i
Rapier w
AT-8800
AT-8600
AT-8700XL
x900-48
AT-9900
AT-9800
YYYYYY- - YYY
YYYYYY- - YYY
- - - YYYYYYYY
CR00016956
CR00016964
Version 291-10 C613-10488-00 REV G
IP Gateway 2 The set ip filter command would not accept the protocol parameter.
This issue has been resolved.
ISAKMP 2 When the router or switch negotiated an IPsec tunnel with RFC3947 NAT-
T, its NAT-OA payload had two bytes of reserved fields after the ID field instead of the three bytes specified by RFC 3947. This could prevent the tunnel from working properly when the tunnel was between an Allied Telesis router or switch and some other vendor.
This issue has been resolved.
YYYYYYYYYYY
YYYYYY- - - - -
Features in 291-08 16
CR Module Level Description
CR00016985
ATM 2 If a PPP instance was destroyed after an attached ATM channel had been
modified using the set atm channel command, the router rebooted. The router could also reboot if an ATM channel was deleted under similar circumstances.
This issue has been resolved.
CR00016989
IPsec 2 AlliedWare IPsec would not interoperate with Microsoft Windows Vista
VPN clients. This was because Microsoft changed the IPSec behaviour in Vista such that Vista's private local IP address is sent as the local identification instead of an FQDN. When an IPSec tunnel between AlliedWare and Vista was brought up, the hosts could not communicate.
This issue has been resolved. AlliedWare IPsec can now communicate with peers that send their private local IP address as the local identification.
CR00017081
Classifier 2 The show classifier command did not allow users to display only the
classifiers that had their IP source address and MAC source address parameters set to dhcpsnooping.
This issue has been resolved. For example, the command show classifier ipsa=dhcpsnooping now displays those classifiers that have their IP source address set to dhcpsnooping.
Also, it is no longer possible to create two identical classifiers with DHCP snooping parameters.
AR400
AR7x5
AR7x0S
Rapier i
Rapier w
AT-8800
AT-8600
AT-8700XL
x900-48
AT-9900
AT-9800
Y----------
YYYYYY- - - - -
--------YY-
CR00017093
Version 291-10 C613-10488-00 REV G
Firewall 2 When the router was acting as a firewall and performing DNS relay, it used
the local IP interface private address as the source address for some packets that it sent out the public interface. When the router acts as a DNS relay, it receives DNS requests from the private interface and sends a new packet on the public interface. These new packets were given the wrong address.
This issue has been resolved. Such packets now have their source address set to the public interface address as required.
YYYYYY- - - - Y
Features in 291-08 17
CR Module Level Description
CR00017226
IPsec 2 If an IPsec tunnel with no encryption (NULL) was negotiated in AlliedWare
over NAT-T, the ESP packets did not contain an RFC 3948 compliant checksum. This means that some vendors may have discarded packets sent by the AlliedWare peer over such a tunnel.
This issue has been resolved.
Note the null encryption is useful for debugging the traffic over an IPsec tunnel and should not be used in a working IPsec solution.
CR00017227
IPsec 2 An IPSec checksum recalculation error occurred with UDP traffic when the
ESP encapsulation was added.
This issue has been resolved.
CR00017255
Switching 2 Previously, trunk members were given the STP state in hardware of port 1,
instead of having the STP state of the lead port in the trunk. The software state (as displayed with the command show stp port) was correct.
This issue has been resolved.
CR00017256
Switching 2 When using multi-homed IP interfaces on a VLAN, it was possible that L3
hardware switching would stop for all multi-homed interfaces on that VLAN, if one of the multi-homed interfaces was removed or went into an administratively down state.
This issue has been resolved.
AR400
AR7x5
AR7x0S
Rapier i
Rapier w
AT-8800
AT-8600
AT-8700XL
x900-48
AT-9900
AT-9800
YYYYYY- - - - -
YYYYYY- - - - -
---YYYYY---
--------YY-
CR00017337
Version 291-10 C613-10488-00 REV G
Switching 2 It was possible to set up a classifier that matched MPLS frames at layer 2,
but the switch would not correctly match these MPLS frames against the classifier.
This issue has been resolved. The switch now correctly matches MPLS frames against such a classifier.
--------YY-
Features in 291-08 18
CR Module Level Description
CR00017368
QoS,
DHCP
Snooping
2 Some small memory access violations existed in DHCP snooping.
These violations have been resolved.
Also, a new console error message is displayed if a user tries to add a duplicate classifier to a QoS policy. For example, if traffic class 101 belongs to policy 2 and a user tries to add a flow group to traffic class 101 when the flow group’s classifier is number 54 and already belongs to policy 2, the following message is displayed:
Error (3099297): Duplicate classifier (54) on policy 2.
A similar new log message has also been added, which says:
Duplicate classifier (<number>) found on <string> <number>
Note that a classifier can exist in two separate policies but cannot exist twice in the same policy.
CR00017456
IP Gateway 2 The router or switch could reboot when the local interface address had
been specified by using the set ip local command, and then the underlying interface from which the local interface took its address was either deleted or had its address changed. In both these cases, the local interface was correctly reset back to an undefined address, but a route to this address was not deleted. This could cause routing difficulties and a reboot when packets for that address were received.
This issue has been resolved. The route is now correctly deleted.
AR400
AR7x5
AR7x0S
Rapier i
Rapier w
AT-8800
AT-8600
AT-8700XL
x900-48
AT-9900
AT-9800
- - - YYYYYYY-
YYYYYYYYYYY
CR00017488
Version 291-10 C613-10488-00 REV G
Firewall 2 When a VoIP call using SIP was initiated from the public side of the firewall,
occasionally the firewall created two UDP sessions for the call with different UDP source ports. This happened if the first packets of the STP (voice data) stream arrived earlier than the 200 OK message that was supposed to establish the session. The result was that the public side caller could not hear the call.
This issue has been resolved.
YYYYYY- - - - Y
Features in 291-08 19
CR Module Level Description
CR00017518
ISAKMP 2 The router or switch sometimes could not establish a VPN when the remote
peer was behind a NAT gateway and the router or switch’s remote ID was set to default.
This issue has been resolved.
CR00017634
PPP 2 If a PPPoE AC service had been added, but AC mode had not been enabled
by using the enable ppp ac command, PADI frames were processed anyway, potentially leading to a reboot.
This issue has been resolved.
CR00017659
TTY 2 Previously, it was not possible to configure a TTY service on the router (by
using commands like create service).
This issue has been resolved.
CR00017662
Core 2 Stopping and restarting two fans on the switch in a particular order could
put the fan fault detection mechanism into a state in which the system LED would not flash for a fan fault.
This issue has been resolved.
CR00017724
IGMP 2 When the switch had a hardware filter configured that would match and
discard a received IGMP packet, IGMP snooping still processed the packet and added the details to its snooping database.
This issue has been resolved.
AR400
AR7x5
AR7x0S
Rapier i
Rapier w
AT-8800
AT-8600
AT-8700XL
x900-48
AT-9900
AT-9800
YYYYYY- - - - -
YYYYYY- - YYY
Y-Y--------
----Y------
---YYYYY---
Version 291-10 C613-10488-00 REV G
Features in 291-08 20
CR Module Level Description
CR00017731
IP Gateway,
DHCP
2 When the DHCP server was enabled on a router or switch that also had a
local IP interface defined by using the set ip local command, outgoing DHCP server packets would use the set ip local command's IP address as their source address. Furthermore, if the broadcast flag was set to TRUE in the DHCP Discover message that the server was replying to, then the server would send the DHCP Offer packet out the wrong IP interface with the wrong source IP address. Microsoft Windows Vista has the broadcast flag set to TRUE.
These issues have been resolved. The DHCP server configuration now ignores any local IP interfaces set by using the set ip local command, and the server now sends the Offer message out the interface that it received the Discover on.
CR00017749
Switching 2 If a multicast route had an odd number of downstream interfaces attached
to it, and the last downstream interface was deleted, the second to last downstream interface could experience a loss of packets.
This issue has been resolved.
CR00017816
PIM 2 PIM would sometimes start forwarding duplicate packets from the RP to
downstream interfaces if the SPT Bit had been set and had become unset.
This issue has been resolved.
CR00017906
VLAN, MSTP 2 If ports were removed from a VLAN and MSTP was enabled, then the port
removal was not included in the configuration displayed by the command show config dynam or saved by the command create config.
This issue has been resolved.
AR400
AR7x5
AR7x0S
Rapier i
Rapier w
AT-8800
AT-8600
AT-8700XL
x900-48
AT-9900
AT-9800
YYYYYYYYYYY
--------YY-
YYYYYYY- YYY
- - - YYYYYYY-
Version 291-10 C613-10488-00 REV G

Level 3

Features in 291-08 21
CR Module Level Description
CR00000503
CR00001106
CR00001438
CR00002587
CR00003354
PKI 3 Some PKI commands (including add pki ldap, create pki enroll, and
create pki keyupdate) only worked if their parameters were entered in a
particular order.
This issue has been resolved.
3 The command add fire policy=name rule=number act=allow int=int
ip=ipadd list=filename would incorrectly be rejected, with an error
message stating that list and ip were mutually exclusive.
This issue has been resolved, so that list and ip can be used together in the same firewall rule.
TACA CS+ 3 If TACACS+ was used for authentication and the TACACS+ server went
down during an authentication attempt, the router or switch added the attempted login names to the TACACS+ user list (as displayed in output of the show tacplus user command). However, the router or switch correctly did not log users in with those names.
This issue has been resolved.
IP Gateway 3 Sometimes an incorrect error message was printed if a user tried to enable
IP multicast switching on a device that did not support it.
This issue has been resolved.
Firewall 3 The firewall message “Port scan from <source> is underway” was repeated
more times than messages about other attack events. This could cause confusion.
This issue has been resolved. The message is now displayed with the same frequency as other firewall attack event messages.
AR400
AR7x5
AR7x0S
Rapier i
Rapier w
AT-8800
AT-8600
AT-8700XL
x900-48
AT-9900
AT-9800
YYYYYYYYYYY
YYYYYY- - - - Y
YYYYYYYYYYY
---YYYYY---
YYYYYY- - - - Y
CR00003356
Version 291-10 C613-10488-00 REV G
Firewall 3 The firewall sometimes did not report that an attack had finished until
several minutes after it actually finished.
This issue has been resolved.
YYYYYY- - - - Y
Features in 291-08 22
CR Module Level Description
CR00004004
File 3 The show file command did not check whether the specified file system
was valid. If an invalid file system type was entered (such as show file=abc:*.*), the router or switch reported that no files found instead of reporting that the file system abc did not exist.
This issue has been resolved.
CR00005048
GUI 3 The following issues occurred with the GUI:
the menu item and related page title for configuring PPPoE and PPPoA
interfaces was incorrectly named “PPP”. This issue has been resolved by changing the names to “PPPoE / PPPoA”.
the UPnP selection option on the firewall pages did not work. This issue
has been resolved.
Note that if you want to use the GUI to configure a PPP interface over ISDN, use the Dial-up menu option to do so.
CR00005187
LACP 3 If a user attempted to enable LACP on AT-9800 series switches—which do
not support LACP—the switch incorrectly said that the module had been enabled.
This issue has been resolved. The switch now displays an error message instead.
CR00005894
Classifier 3 Previously, a classifier with protocol=ip matched both IPv4 and IPv6
packets when used with software QoS, instead of only matching IPv4 packets.
This issue has been resolved.
AR400
AR7x5
AR7x0S
Rapier i
Rapier w
AT-8800
AT-8600
AT-8700XL
x900-48
AT-9900
AT-9800
YYYYYYYYYYY
Y-Y--------
----------Y
YYYYY- - - - - -
CR00005940
Version 291-10 C613-10488-00 REV G
BGP 3 There were several cases in BGP where an error was discovered in an
incoming packet, but the incorrect error subcode was reported in the accompanying NOTIFICATION message. Also, NOTIFICATION messages did not contain the aberrant data in their data fields, as required by the RFC.
These issues have been resolved.
YYYYYY- - YYY
Features in 291-08 23
CR Module Level Description
CR00006303
SNMP 3 On AR725 and AR745 routers, which have no VLAN support, an SNMP Get
request for dot1qMaxVlanId or dot1qMaxSupportedVlans incorrectly returned a value.
This issue has been resolved.
CR00006613
Bridge 3 Predefined bridge protocols XEROX PUP and PUP Addr Trans with the
encapsulation of EthII and protocol type 0x0200 and 0x0201 are invalid and obsolete, since they are less than the minimum ETHII protocol type of 1500 (decimal). Bridging with these protocols could cause the router to reboot.
This issue has been resolved by replacing the predefined protocol types with the more modern equivalents 0x0a00 and 0x0a01. Also, if you enter a protocol type less than the minimum, the router now displays an error message.
CR00007394
GUI 3 When a user used the GUI to attempt to delete a local interface that was in
use by another protocol, the operation (correctly) failed, but the GUI did not display an error message to explain the failure.
This issue has been resolved.
CR00007404
MSTP 3 If a network running MSTP was connected to a network running RSTP and
MSTP message debugging was enabled on a switch, the debug output could loop for a very long time with invalid data.
This issue has been resolved.
AR400
AR7x5
AR7x0S
Rapier i
Rapier w
AT-8800
AT-8600
AT-8700XL
x900-48
AT-9900
AT-9800
-Y---------
YYY--------
YYYY- YYY- YY
- - - YYYYYYY-
CR00007926
Version 291-10 C613-10488-00 REV G
Switching,
IP Gateway
3 The x900 series switches did not send an ICMP Redirect packet when they
received a packet and the route to the packet’s destination was back to the packet’s sender. The switches routed the packet back to the source but did not send an ICMP Redirect message.
This issue has been resolved. The x900 series switches now send an ICMP Redirect message.
--------Y--
Features in 291-08 24
CR Module Level Description
CR00008122
TTY 3 When prompted to enter a file name while using the command line file
editing utility, no more than 23 characters could be typed, even if the existing characters were deleted using the backspace key.
This issue has been resolved.
CR00008378
Firewall 3 The command enable firewall notify=port port=asyn-number was not
available on switches, only on routers. If a user created a configuration on a router and used this option, the configuration had to be modified if transferred to a switch.
This issue has been resolved. The notify=port option and the port parameter are now available on switches. However, these port parameters have been deprecated in favour of the asyn parameters, so warning messages are printed to indicate this if the commands are used.
CR00009086
Switching 3 When the commands enable switch port=number automdi and
disable switch port=number automdi were executed from a telnet
session, some INFO messages were output to the asyn0 console session instead of the telnet session.
This issue has been resolved.
CR00010144
STP, SNMP 3 Previously, newRoot and topologychange traps (located at
1.3.6.1.2.1.17.0) were only generated by the bridging module.
This has been extended to the STP module. Please note that this applies only to standard STP, not Rapid STP.
AR400
AR7x5
AR7x0S
Rapier i
Rapier w
AT-8800
AT-8600
AT-8700XL
x900-48
AT-9900
AT-9800
YYYYYYYYYYY
---YYY----Y
--------YY-
- - - YYYYYYYY
CR00010229
Version 291-10 C613-10488-00 REV G
Install, SNMP 3 Previously, MIB objects instRelMajor, instRelMinor and instRelInterim values
were only correct for bootrom (default) builds.
This issue has been resolved. Now the correct values are returned for these objects when the current install matches the temporary or preferred install.
YYYYYYYYYYY
Features in 291-08 25
CR Module Level Description
CR00010306
Install 3 If a user attempted to enter a filename with an invalid format, the resulting
error message did not correctly describe the format that should have been used. Also, the router or switch returned an incorrect error message when a user attempted to delete a non-existent release licence file.
These issues have been resolved.
CR00010315
BGP 3 Previously, it was possible to enter bad BGP peer IP addresses, such as
0.x.x.x, 127.x.x.x and 255.255.255.255.
This issue has been resolved.
CR00010465
Switching 3 The “?” help for the command show switch sock=con inst=value
showed a maximum value of 4294967295.
This issue has been resolved. Valid instance values are 0 and 1.
CR00010538
Firewall 3 When firewall events were recorded in the Notify queue (displayed in
output of the command show firewall event=notify), the IP address shown would be the address of the very first packet that belonged to that event flow. For example, if 64 host scan packets were required to trigger a host scan event and the first packet had a target IP of 1.1.1.1 and the 64th had an IP of 1.1.1.64, then the IP address recorded would be 1.1.1.1, even though the event was not actually recorded until the 64th packet arrived. Additionally, the source and destination ports in this display would always show as 0.
These issues have been resolved.The IP addresses shown are now those of the particular packet that triggered the event notification, and the source and destination ports match the actual ports used by that packet.
AR400
AR7x5
AR7x0S
Rapier i
Rapier w
AT-8800
AT-8600
AT-8700XL
x900-48
AT-9900
AT-9800
YYYYYYYYYYY
YYYYYY- - YYY
---YYYY----
YYYYYY- - - - Y
CR00010976
Version 291-10 C613-10488-00 REV G
PPP 3 If the router or switch received an Echo-Request that did not comply with
RFC 1661, it processed and replied to the Echo-Request.
This issue has been resolved. Non-complying Echo-Requests are now ignored.
YYYYYY- - YYY
Features in 291-08 26
CR Module Level Description
CR00010979
PPP 3 PPP incorrectly ACKed a LCP ConfigureRequest containing the Magic-
Number option with a value of 0.
This issue has been resolved.
CR00010984
PPP 3 If the router or switch received an incorrectly formatted PAP request packet,
it used to process the packet. This issue has been resolved—now it silently discards the packet.
Also, if the router or switch received a PAP request packet with a zero length user ID, it used to send the packet to the authentication database. This issue has been resolved—now it NAKs the packet.
CR00011223
Core 3 On AT-8948 and AT-9924SP switches with an empty PSU bay, an SNMP
walk through of the fanAndPsPsuStatusTable would display lines for the non-existent PSU, with the value of “no such instance”.
This issue has been resolved. The walk through now only includes installed PSUs.
CR00011259
GUI 3 Some of the features supported in the web-based GUI did not have a
complete set of online help pages generated for them.
This issue has been resolved.
CR00011315
IP Gateway 3 When the limit for the number of IP interfaces was reached and a user tried
to add another IP interface over a VLAN, the router or switch displayed the following misleading error message:
Error (3005273): No more VLAN interfaces may be added.
This issue has been resolved. The error message is now:
Error (3005273): No more IP interfaces over VLANs may be added.
AR400
AR7x5
AR7x0S
Rapier i
Rapier w
AT-8800
AT-8600
AT-8700XL
x900-48
AT-9900
AT-9800
YYYYYY- - YYY
YYYYYY- - YYY
--------YY-
YYYY- YYY- YY
YYYYYYYYYYY
Version 291-10 C613-10488-00 REV G
Features in 291-08 27
CR Module Level Description
CR00011438
Ping 3 When the router or switch pinged a host whose hostname consisted only
of the digits 0-9 and the letters A-F, it treated the given hostname as a hexadecimal IPX address even if the hostname was in the host list.
This issue has been resolved. Now, when the router or switch pings a host using a hostname, it checks the hostname in the host list first. If it does not find the host in the host list, then it treats the hostname as an IPX address.
CR00011824
Firewall 3 When a firewall UDP session starts up, the session timeout should be 5
minutes for the first 5 packets of the session, then change to the configured UDP session timeout value. Previously, the timeout changed after the 6th UDP packet belonging to that session, instead of after the 5th packet.
This issue has been resolved.
CR00012066
IP Gateway 3 The command show ip cassi command is obsolete but was still available.
This issue has been resolved. The command has been removed from the command line. To obtain the same information, use the command show conf dyn=ip.
CR00012168
Classifier 3 Output of the show classifier command displayed only the hexadecimal
protocol value for IP SNAP, instead of also displaying the protocol name.
This issue has been resolved. The output now displays:
0000000800 (IP SNAP)
AR400
AR7x5
AR7x0S
Rapier i
Rapier w
AT-8800
AT-8600
AT-8700XL
x900-48
AT-9900
AT-9800
YYYYYYYYYYY
YYYYYY- - - - Y
YYYYYYYYYYY
YYYYYYYYYYY
CR00012885
CR00013352
Version 291-10 C613-10488-00 REV G
OSPF, GUI 3 If there were virtual OSPF interfaces, then the OSPF Interfaces GUI page
showed all interfaces as belonging to the backbone area (0.0.0.0).
This issue has been resolved.
STP 3 The help displayed by the command set stp port=all ? listed some
parameters twice.
This issue has been resolved.
YYYY- YYY- YY
- - - YYYYYYYY
Features in 291-08 28
CR Module Level Description
CR00013494
IP Gateway 3 Once a default local IP address had been set, it could not be deleted. This
was because the default interface does not have an interface number, but to delete a local interface, the user must specify the interface’s number.
This issue has been resolved, by adding an option called default to the delete ip local command. To delete the default local interface’s address, use the command:
delete ip local=default
Note that this resets the interface, including removing its IP address, but does not remove the interface itself.
CR00013543
DHCP 3 If a user attempted to add a policy option to a DHCP policy by using the set
command instead of the add command, then the resulting error message did not clearly indicate the cause of the error.
For example, entering the command:
set dhcp policy=test arptimeout=234
resulted in the error message:
Error (3070061): ARPTIMEOUT not found.
This issue has been resolved. The error message now reads:
Error (3070279): Option ARPTIMEOUT was not found in policy test or was not added using the ADD DHCP POLICY command.
AR400
AR7x5
AR7x0S
Rapier i
Rapier w
AT-8800
AT-8600
AT-8700XL
x900-48
AT-9900
AT-9800
YYYYYYYYYYY
YYYYYYYYYYY
CR00013635
CR00013637
Version 291-10 C613-10488-00 REV G
Ping,
Traceroute
Ping,
Traceroute
3 In the set trace command, it was possible to specify a minimum TTL value
that was higher than the maximum TTL value.
This issue has been resolved. The minttl and maxttl parameter are now checked to ensure that the value of minttl is less than or equal to the value of maxttl.
3 If the value specified for the minimum time-to-live parameter (minttl) of
the traceroute command exceeded the value set for the maximum time­to-live parameter (maxttl), the router or switch would attempt to execute the trace rather than generate an error message.
This issue has been resolved.
YYYYYYYYYYY
YYYYYYYYYYY
Features in 291-08 29
CR Module Level Description
CR00013832
EPSR, SNMP 3 When a user destroyed an EPSR domain, SNMP Requests returned
information about the domain even though it no longer existed.
This issue has been resolved.
CR00013920
Ping,
Traceroute
3 If a user attempted to perform a traceroute without specifying the address
to trace (either in the trace or set trace commands), the router or switch attempted to trace 0.0.0.0.
This issue has been resolved. The router or switch now displays an error message.
CR00014103
VRRP, GUI 3 The VRRP priority could not be modified through the GUI—the priority
option was there but did nothing.
This issue has been resolved.
CR00014137
PPP 3 A PPPoE Access Concentrator service that had been added by using the
acinterface parameter to specify a VLAN (or by using the deprecated vlan
parameter) could be deleted without specifying the acinterface parameter (or the deprecated vlan parameter).
This issue has been resolved.
CR00014159
3 RSTP (correctly) only uses the top 4 of the available 16 bits for the bridge
priority. If a user enters a value that is not a multiple of 4096, the switch rounds the value down. Previously, the switch did not inform users when it rounded the value.
This issue has been resolved. The switch now displays an info message when it rounds the bridge priority.
Note that this only happens for RSTP. STP uses all 16 bits for the bridge priority.
AR400
AR7x5
AR7x0S
Rapier i
Rapier w
AT-8800
AT-8600
AT-8700XL
x900-48
AT-9900
AT-9800
--------YY-
YYYYYYYYYYY
YYYY- YYY- YY
YYYYYY- - YYY
- - - YYYYYYYY
CR00014203
Version 291-10 C613-10488-00 REV G
OSPF 3 When OSPF was disabled and a BGP redistribution definition existed, then
the obsolete command set ospf bgplimit=limit did not update the limit in the BGP redistribution definition. This meant that the limit was incorrect when OSPF was enabled again.
This issue has been resolved.
YYYYYY––YYY
Features in 291-08 30
CR Module Level Description
CR00014304
LLDP 3 The help displayed for the LLDP port parameter (in such commands as
show lldp port=?) incorrectly indicated that the port parameter is a
“string 1 to 255 characters long”. The port parameter is instead an Ethernet switch port number or a range of numbers.
This issue has been resolved. The help is now correct.
CR00014330
Ping 3 The maximum value for the delay parameter of the ping command was
too long.
This issue has been resolved by changing the range for the delay from 0-4294967295 to 0-604800. This new maximum is the number of seconds in one week.
CR00014879
Switching,
RSTP, SNMP
3 Previously, an incorrect value was returned for the port number when
responding to an SNMP Request for MIB object dot1dSTPRootPort.
This issue has been resolved.
CR00015466
Core, Install,
PoE
3 The output of the show cpu command on the AT-8624POE switch showed
relatively high CPU usage when the device was idle.
This issue has been resolved.
CR00016183
File 3 If a user attempted to delete a locked file, such as the currently-installed
GUI resource file, the router or switch displayed both an operation error message and an operation successful message.
This issue has been resolved by removing the incorrect operation successful message.
AR400
AR7x5
AR7x0S
Rapier i
Rapier w
AT-8800
AT-8600
AT-8700XL
x900-48
AT-9900
AT-9800
Y- YYYYYYYYY
YYYYYYYYYYY
- - - YYYYYYYY
------Y----
YYYYYYYYYYY
CR00016429
Version 291-10 C613-10488-00 REV G
OSPF 3 Previously, OSPF logged the same message for two separate errors. These
errors were when OSPF rejected a database description message because:
the neighbour was in a state of “down” or “attempt”, or
the MTU received from the neighbour was larger than the receiving
system could handle.
This issue has been resolved. Separate error log messages are now generated for these two errors.
YYYYYYYYYYY
Loading...
+ 69 hidden pages