Hewlett-Packard VPN Server Appliance SA3110/SA3150/SA3400/SA3450
Disclaimer
Information in this document is provided in connection with Hewlett-Packard Company products. No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted by this document. Except as provided in Hewlett-Packard Company's Terms and Conditions of Sale for such products, Hewlett-Packard Company assumes no liability whatsoever, and Hewlett-Packard Company disclaims any express or implied warranty, relating to sale and/or use of Hewlett-Packard Company products including liability or warranties relating to fitness for a particular purpose, merchantability, or infringement of any patent, copyright or other intellectual property right. Hewlett-Packard Company products are not intended for use in medical, life saving, or life sustaining applications.
Hewlett-Packard Company may make changes to specifications and product descriptions at any time, without notice.
This Hewlett-Packard VPN Server Appliance SA3110/SA3150/SA3400/SA3450 and Hewlett-Packard SA3000 Series VPN Manager Release 6.8.2 Release Notes document as well as the software described in it is furnished under license and may only be used or copied in accordance with the terms of the license. The information in this manual is furnished for informational use only, is subject to change without notice, and should not be construed as a commitment by Hewlett-Packard Company. Hewlett-Packard Company assumes no responsibility or liability for any errors or inaccuracies that may appear in this document or any software that may be provided in association with this document.
Except as permitted by such license, no part of this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means without the express written consent of Hewlett-Packard Company.
Contents
DISCLAIMER
CONTENTS
INTRODUCTION
  Limitations to This Release
  Statement of Entrust Support
  Hardware Service and Telephone Support Numbers
SYSTEM REQUIREMENTS
RELEASE 6.8.2 FEATURES
  SNMP Capabilities
  DHCP Functionality Added to Devices
  Configuring DHCP Relay for Site-to-Site VPN Tunnels
  Configuration File DHCP Examples
  IPSec Secondary Authentication Implemented
  Improved Authentication Support for SST
  ICSA.net Certification Extended to Reflect Additional Logging
  Keystrokes Can Now Be Used for Navigation
SPECIAL CONSIDERATIONS
KNOWN PROBLEMS
  VPN Device
  VPN Manager
Introduction
This document describes the new features and improvements in Release 6.8.2 of the HP VPN Server Appliance SA3110/SA3150/SA3400/SA3450 and HP SA3000 Series VPN Manager.
This document includes the following sections:
• System requirements
• Release 6.8.2 features
• Special considerations
• Known problems
For information regarding the HP SA3000 Series VPN
Client Release 6.8.2, refer to the Release Notes for that
application.
Limitations to This Release
Windows Me Not Supported
Reference Numbers 617, 631, 632, and 760
Release 6.8.2 of the VPN Client on a Microsoft Windows Millennium Edition (Me) system exhibits degraded performance or crashes, displaying a fatal exception error message. Performance problems include not being able to use IPSec over dial-up connections, and, if your implementation is for Windows NT domain logon, you will not see the three-bar logon window until after the VPN tunnel is connected. Hewlett-Packard Company recommends that you do not use the Release 6.8.2 VPN products on a Windows Me system.
Statement of Entrust Support
Because of enhancements to the VPN Client and VPN firmware, HP VPN technology supports up to and including version 4.0 of Entrust Technologies' X.509 certificate authority (CA) product set, which provides a scalable, LDAP-compliant security system based on X.509.
HP provides support for the Entrust CA through a licensed dynamic link library (.dll) file within the VPN Manager application. This file, named kmpapi32.dll, must be obtained from Entrust Technologies.
Please note that HP does not provide the Entrust client or certificate authority software. It is the responsibility of the end user to purchase this from Entrust Technologies.
To retrieve an Entrust certificate with the VPN Client, you must install the Entrust client. For complete documentation on installing and configuring Entrust software, contact your Entrust Technologies support representative.
Hardware Service and Telephone Support
Numbers
Hardware service and telephone support information is
provided next by geographical location.
U.S. and Canada
In the U.S. and Canada, for hardware service and
telephone support, contact an HP-authorized reseller or
the HP Customer Support Center at 1-800-633-3600.
Europe
In Europe, for hardware service and telephone support, contact an HP-authorized reseller or the HP Customer Support Center nearest you:
Note: Release 6.8 and later are the first releases of the VPN Manager software to support the Windows 2000 operating system.
Launching the VPN Manager through Intel
Device View Application
Reference Number 436
Intel Device View (IDV) is management software for switches and routers. If the Intel Device View application is installed on your system before you install the VPN Manager software, the VPN Manager can be launched from within Intel Device View.
Note: The minimum release of Intel Device View that you need is 2.1.10.x. If you encounter problems installing the VPN Manager, check the release number in the Intel Device View About dialog box.
If Intel Device View is not installed on your system, a message appears during VPN Manager installation stating that Intel Device View is not installed. You can disregard this message, as Intel Device View is not required to operate the HP VPN devices' software and hardware.
Release 6.8.2 Features
SNMP Capabilities
SNMP functionality has been supplemented significantly in Release 6.8.2.
For network monitoring purposes, seven new traps were added to the existing Warm Start trap:
• Threshold percent per tunnel
• Maximum bytes/second per tunnel
• Aggregate threshold percent per device
• Aggregate maximum bytes/second per device
• Failed tunnel
• Tunnel up/tunnel down
• Link up/link down
To set the tunnel usage percentage threshold or the maximum number of bytes per second for a tunnel, use the snmp-threshold or snmp-bytes-per-sec command, which you access either in the VPN Manager GUI or in the Console window. If the snmp-bytes-per-sec command is not configured, the device uses the theoretical maximum value, 1.25 million bytes per second, to determine whether the trap should be sent.
To set the device usage threshold or the maximum number of bytes per second for the device, use the snmp-aggregate-threshold or snmp-aggregate-bytes-per-sec command, which you access either in the VPN Manager GUI or in the Console window. If the snmp-aggregate-bytes-per-sec command is not configured, the device uses the theoretical maximum value, 1.25 million bytes per second, to determine whether the trap should be sent.
Tunnel utilization is computed on a per-tunnel basis, as well as on an aggregate-total basis. Each computation (per tunnel and aggregate) includes the number of bytes per second received through the tunnel after decryption, plus the number of bytes per second sent down the tunnel before encryption. The computed values are updated in the MIB every 60 seconds as the average utilization over the past 60 seconds.
The utilization value stored in the MIB is compared against the user-defined or theoretical threshold every 60 seconds, and a trap is generated for a particular tunnel or for the aggregate total for the device if the corresponding threshold is exceeded. The failed tunnel trap is sent when a tunnel connection fails to complete negotiation after a successful first contact with the peer. Tunnel up/tunnel down sends a trap when a tunnel is connected or disconnected. If a tunnel disconnects, the trap distinguishes between a disconnection because of user action and a disconnection because of some other circumstance, such as a timeout.
Link up/link down sends a trap when a physical interface comes up or goes down. The link down trap cannot be sent if the interface that would send the trap is the one that went down.
To ensure a specific SNMP management station is always sent the traps from the device, use the snmp-trapip command to specify the IP address of the SNMP management station. A community name following the IP address is optional and can be from 2 to 61 characters in length. The command has the following format:
snmp-trapip <a.b.c.d> [community-name]
Some system administrators use community names to identify groups of devices by their primary function, such as applications and bridges. Different SNMP managers can then be assigned to receive information by function through use of community names.
Note: If you use the default community name, Public, then any SNMP manager that can reach the device can query it using its default settings; treat the community name as a shared secret and change it from the default. If you change the community name for the command, you must also change the community name on the management station or browser, as it must use the correct community name in its query.
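The following Python model of the computation just described is an added example and not firmware code; it shows, for one 60-second window, which of the four utilization traps would fire and what the MIB would hold. The names UtilizationMonitor, record and end_window are invented for the example, and it assumes (the note does not say so explicitly) that the maximum bytes/second traps test the 60-second average against the configured limit, while the threshold percent traps test that average as a percentage of the configured limit or, when none is configured, of the 1.25 million bytes per second theoretical maximum.

```python
"""Per-tunnel and aggregate utilization traps, modelled on the release-note rules.

Added example, not appliance firmware.  Assumption: the max bytes/second traps
compare the 60-second average with the configured limit; the threshold percent
traps compare the average, as a percentage of that limit (or of the theoretical
maximum when no limit is configured), with the configured threshold.
"""
from dataclasses import dataclass

DEFAULT_MAX_BYTES_PER_SEC = 1_250_000   # theoretical maximum used when no bytes-per-sec value is set
WINDOW_SECONDS = 60                     # MIB update and threshold-comparison interval


@dataclass
class Counters:
    rx_after_decrypt: int = 0    # bytes received through the tunnel, counted after decryption
    tx_before_encrypt: int = 0   # bytes sent down the tunnel, counted before encryption

    def total(self) -> int:
        return self.rx_after_decrypt + self.tx_before_encrypt


class UtilizationMonitor:
    def __init__(self, threshold_percent, aggregate_threshold_percent,
                 bytes_per_sec=None, aggregate_bytes_per_sec=None):
        self.threshold_percent = threshold_percent
        self.aggregate_threshold_percent = aggregate_threshold_percent
        # snmp-bytes-per-sec / snmp-aggregate-bytes-per-sec not configured -> theoretical maximum
        self.max_bps = bytes_per_sec or DEFAULT_MAX_BYTES_PER_SEC
        self.aggregate_max_bps = aggregate_bytes_per_sec or DEFAULT_MAX_BYTES_PER_SEC
        self.window = {}   # tunnel name -> Counters accumulated during the current 60 s window
        self.mib = {}      # values as they would be published: name -> (bytes/sec, percent)

    def record(self, tunnel, rx_after_decrypt=0, tx_before_encrypt=0):
        """Account traffic for one tunnel within the current window."""
        c = self.window.setdefault(tunnel, Counters())
        c.rx_after_decrypt += rx_after_decrypt
        c.tx_before_encrypt += tx_before_encrypt

    def end_window(self):
        """Close the 60 s window: update the MIB values and return the traps to send."""
        traps = []
        aggregate_bps = 0.0
        for name, c in sorted(self.window.items()):
            bps = c.total() / WINDOW_SECONDS          # average over the past 60 seconds
            percent = round(100.0 * bps / self.max_bps, 1)
            self.mib[name] = (bps, percent)
            aggregate_bps += bps
            if bps > self.max_bps:
                traps.append(("max-bytes-per-sec", name, bps))
            if percent > self.threshold_percent:
                traps.append(("threshold-percent", name, percent))
        aggregate_percent = round(100.0 * aggregate_bps / self.aggregate_max_bps, 1)
        self.mib["aggregate"] = (aggregate_bps, aggregate_percent)
        if aggregate_bps > self.aggregate_max_bps:
            traps.append(("aggregate-max-bytes-per-sec", "device", aggregate_bps))
        if aggregate_percent > self.aggregate_threshold_percent:
            traps.append(("aggregate-threshold-percent", "device", aggregate_percent))
        # start the next window with zeroed counters so an idle tunnel publishes 0, not stale data
        self.window = {name: Counters() for name in self.window}
        return traps


if __name__ == "__main__":
    # Constructed traffic for one window: snmp-threshold 80, snmp-aggregate-threshold 90,
    # no bytes-per-sec limits configured, so both maxima default to 1,250,000 B/s.
    monitor = UtilizationMonitor(threshold_percent=80, aggregate_threshold_percent=90)
    monitor.record("hq", rx_after_decrypt=30_000_000, tx_before_encrypt=36_000_000)    # 1,100,000 B/s = 88%
    monitor.record("branch", rx_after_decrypt=3_000_000, tx_before_encrypt=3_000_000)  # 100,000 B/s = 8%
    for trap in monitor.end_window():
        print(trap)
```

With the constructed traffic, the hq tunnel alone stays under the 1.25 million bytes per second maximum but exceeds the 80 percent threshold, and the two tunnels together exceed the 90 percent aggregate threshold, so two traps are sent for the window; configuring a lower snmp-bytes-per-sec value makes the same traffic trip the maximum bytes/second trap as well.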
DHCP Functionality Added to Devices
DHCP functionality has been added in Release 6.8.2. Now a
device’s physical Ethernet interfaces can be configured to
obtain an IP address using DHCP (Dynamic Host
Configuration Protocol).
The DHCP functionality was implemented in the software
by adding a dhcp option to the existing ip address
command. To enable DHCP functionality for a device, type
dhcp after the ip address command in the device’s
configuration file, from the Console or Telnet window, or
select the DHCP option in the VPN Manager GUI.
By virtue of its presence in the configuration file, the dhcp option following the ip address command tells the device interface to broadcast to a DHCP server to obtain a Client-IP address.
Also in Release 6.8.2, you may add a unique alphanumeric client identifier up to 61 characters in length after the ip address command and dhcp option. The client ID can be used as a machine name equivalent; for example, if you are using a cable modem connection to the Internet that requires a machine name, enter it here.
To finish configuring DHCP functionality, in addition to
specifying dhcp after the ip address command, specify that
both Ethernet interfaces should be DHCP capable, and that
the device should be the default gateway.
Configuring DHCP Relay for Site-to-Site VPN
Tunnels
In Release 6.8.2, you can assign internal (remote) network addresses centrally using DHCP relay over a tunnel. The DHCP relay capability is provided for both IPSec and SST site-to-site (fixed) VPN tunnels.
The relay functionality allows the remote device to recognize a DHCP request broadcast packet, to amend the packet so it has a specific destination past the central device (down to the granularity of the scope level of the DHCP server, if desired), and to forward the modified packet to its new destination.
An extra parameter added to the current interface command in the configuration settings allows system administrators to turn on the relay capability for a particular interface. Also, system administrators can define a default gateway address for use by the relay agent. A DHCP broadcast can then be passed along to a DHCP server at the other end of a site-to-site tunnel using the configured gateway address.
To configure the new DHCP relay capability for a VPN tunnel, on the remote device:
To enter configuration mode, at the Hostname:NORMAL# prompt, type config, then press Enter.
Set the black (public) Ethernet interface to dhcp-relay enable in the following format:
int e 0
dhcp-relay enable
Type exit, then press Enter.
Set the red (private) Ethernet interface to dhcp-relay enable in the following format:
int e 1
dhcp-relay enable
Press Enter.
Set the red Ethernet interface to dhcp-relay-server followed by the IP address of the DHCP server and the IP address of the central device in the following format:
dhcp-relay-server 192.168.1.10 207.37.244.51
Type end, then press Enter.
To save the configuration, type write, then press Enter.
When the remote device receives a DHCP request broadcast packet from a VPN Client, the device forwards the packet according to the settings you made for the new dhcp-relay-server command.
Note: You can relay requests only for hosts on the internal (remote) network. The relay cannot be used to obtain an address for the device's own red interface; configure the red interface using a local DHCP server or a static IP address.
Configuration File DHCP Examples
To illustrate this new DHCP capability, sample configuration file excerpts are provided that use the following values:
Remote device red interface's IP address: 192.168.1.10
Remote device black interface's IP address: 10.250.145.3
Central device black interface's IP address: 207.37.244.51 (used as default gateway)
Central device red interface's IP address: {not used for this command set}
DHCP server's IP address: 192.168.1.10 (using an IP address that identifies the correct scope for the DHCP server to use, in this case, 192.168.1.0)
Desired DHCP scope's subnet address: 192.168.1.0 255.255.255.0
These are the commands for the remote device:
[conf]
int e 0
dhcp-relay enable
exit
int e 1
dhcp-relay enable
dhcp-relay-server 192.168.1.10 207.37.244.51
end
These commands cause the remote device to send and receive DHCP broadcast packets through the site-to-site tunnel between 10.250.145.3 and 207.37.244.51. The device sends the broadcast packets through the VPN tunnel, then through the black interface at IP address 207.37.244.51 to the DHCP server at IP address 192.168.1.10.
To view the collection of relay entries, in the Console
window, enter sh conf.
For this example, the following information appears:
Prompt>
int e 0
ip address 10.250.145.3 255.255.0.0
…
dhcp-relay enable
int e 1
ip address 207.37.244.51 255.255.255.0
dhcp-relay enable
dhcp-relay-server 192.168.1.10 207.37.244.51
To shut down the relay capability on the first interface,
enter the following command sequence:
[conf]
int e 0
dhcp-relay disable
end
This design assumes that the remote device has fixed IP
addresses for both the black and red interfaces and that it
is the default gateway for the local network.
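The packet rewrite the relay performs, shown as an added example written for this page rather than taken from the appliance: it assumes the relay behaves as a standard RFC 2131 relay agent, stamping the scope-selecting address (the first dhcp-relay-server argument) into the giaddr field, incrementing the hop count, and unicasting the request to the DHCP server by way of the central device; a reply is delivered back on the red interface only when its giaddr names this relay. The Dhcp class, the relay_request and relay_reply functions, and the client hardware address are constructed for the example.

```python
"""DHCP relay rewrite for a request arriving on the remote device's red interface.

Added example, not appliance code.  Assumes RFC 2131 relay-agent behaviour: the first
relay stamps the scope-selecting address into giaddr, increments hops, and unicasts
the request to the DHCP server by way of the central device; a reply is accepted
only when its giaddr names this relay.
"""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address

BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68
MAX_HOPS = 16                            # requests that have passed this many relays are dropped
MAGIC_COOKIE = b"\x63\x82\x53\x63"       # marks the start of the DHCP options area
OPT_MESSAGE_TYPE, OPT_PAD, OPT_END = 53, 0, 255
# Fixed BOOTP header: op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
HEADER = struct.Struct("!BBBBIHHIIII16s64s128s")
CLIENT_MAC = bytes.fromhex("001122334455")   # constructed client hardware address


def ip(text: str) -> int:
    return int(IPv4Address(text))


@dataclass
class Dhcp:
    op: int
    hops: int
    xid: int
    secs: int
    flags: int
    ciaddr: int
    yiaddr: int
    siaddr: int
    giaddr: int
    chaddr: bytes
    options: dict = field(default_factory=dict)   # option code -> raw value

    @classmethod
    def unpack(cls, data: bytes) -> "Dhcp":
        (op, _htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
         chaddr, _sname, _file) = HEADER.unpack_from(data)
        body = data[HEADER.size:]
        if not body.startswith(MAGIC_COOKIE):
            raise ValueError("not a DHCP packet")
        options, i = {}, len(MAGIC_COOKIE)
        while i < len(body) and body[i] != OPT_END:
            if body[i] == OPT_PAD:
                i += 1
                continue
            code, length = body[i], body[i + 1]
            options[code] = body[i + 2:i + 2 + length]
            i += 2 + length
        return cls(op, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
                   chaddr[:hlen], options)

    def pack(self) -> bytes:
        # htype 1 = Ethernet; struct pads the 's' fields (chaddr, sname, file) with NULs
        head = HEADER.pack(self.op, 1, len(self.chaddr), self.hops, self.xid, self.secs,
                           self.flags, self.ciaddr, self.yiaddr, self.siaddr, self.giaddr,
                           self.chaddr, b"", b"")
        opts = b"".join(bytes([code, len(v)]) + v for code, v in self.options.items())
        return head + MAGIC_COOKIE + opts + bytes([OPT_END])

    @property
    def message_type(self) -> int:
        return self.options[OPT_MESSAGE_TYPE][0]


def relay_request(raw: bytes, scope_address: str, dhcp_server: str, central_device: str):
    """Rewrite a broadcast request for unicast delivery to the server; None means drop.

    scope_address is stamped into giaddr so the server picks the matching scope;
    central_device (the tunnel endpoint) is the next-hop gateway toward the server.
    """
    msg = Dhcp.unpack(raw)
    if msg.op != BOOTREQUEST or msg.hops >= MAX_HOPS:
        return None
    if msg.giaddr == 0:                   # only the first relay on the path sets giaddr
        msg.giaddr = ip(scope_address)
    msg.hops += 1
    return msg.pack(), {"dst": (dhcp_server, DHCP_SERVER_PORT), "via": central_device}


def relay_reply(raw: bytes, scope_address: str):
    """Hand a server reply to the client, but only if it answers a request this relay sent."""
    msg = Dhcp.unpack(raw)
    if msg.op != BOOTREPLY or msg.giaddr != ip(scope_address):
        return None
    # A client that has no address yet (ciaddr == 0) is reached by broadcast on the red side.
    if msg.ciaddr == 0 or msg.flags & 0x8000:
        return msg.pack(), ("255.255.255.255", DHCP_CLIENT_PORT)
    return msg.pack(), (str(IPv4Address(msg.ciaddr)), DHCP_CLIENT_PORT)


def sample_discover() -> bytes:
    """Constructed DHCPDISCOVER, as a client on the remote network would broadcast it."""
    return Dhcp(BOOTREQUEST, 0, 0x3903F326, 0, 0x8000, 0, 0, 0, 0, CLIENT_MAC,
                {OPT_MESSAGE_TYPE: bytes([DHCPDISCOVER])}).pack()


if __name__ == "__main__":
    # Values from the configuration example above: selector 192.168.1.10, central device 207.37.244.51
    packet, forwarding = relay_request(sample_discover(), "192.168.1.10", "192.168.1.10", "207.37.244.51")
    relayed = Dhcp.unpack(packet)
    print(f"giaddr={IPv4Address(relayed.giaddr)} hops={relayed.hops} forward={forwarding}")
```

Two points a practitioner should check in a relay: a request that already carries a giaddr must keep it (the first relay on the path, not the last, identifies the scope), and a reply whose giaddr does not name this relay must be ignored rather than handed to clients on the red interface.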
IPSec Secondary Authentication
Implemented
Release 6.8.2 of the VPN Manager extends IPSec capability to provide an X-Auth (extended authentication) implementation using SecurID or RADIUS in conjunction with IKE/IPSec negotiation. Accordingly, changes have been made to the GUI to provide for IKE secondary authentication in tunnel security profiles and ACLs.
Improved Authentication Support for SST
Reference Numbers 675P2-2 and 670P10GW-1
The HP device firmware supports RADIUS, SecurID, Intel NetStructure Certificate Authority, Shiva Certificate Authority, and Entrust certificate authentication over unreliable connections.
Also, improvements were made to the way in which Phase 2 and Phase 3 packets are handled, including replies for Phase 3 packets in the event of a dropped packet, and the retries and retransmits of Phase 2 packets.
These improvements were made in Release 6.8.2.
ICSA.net Certification Extended to Reflect
Additional Logging
Reference Number 675P2-2
In Release 6.8.2, the access logging capability was extended to cover unsuccessful attempts to gain access to the VPN device. Now, all failed attempts to reach the inside (red) or outside (black) interfaces of a VPN device using any management protocol, including attempts from the VPN Manager, are logged, and the messages regarding such unauthorized access attempts are more verbose.
ICSA.net certified the additional access logging capability.
Keystrokes Can Now Be Used For Navigation
In the VPN Manager, keystrokes can be used for navigation between the different panes in the device view, that is, between the right-hand and left-hand sides and between dialog boxes and list panes on the right-hand side. The new commands are as follows:
<Tab> — Moves from one control to the next and then to the subsequent window pane
Ctrl+<Tab>, <F6>, Ctrl+<F6> — Moves directly to the subsequent window pane
Shift modifier — Reverses the preceding movements
Special Considerations
Outbound Proxy Rule With Dual-Default
Gateways Requires Static Route
Reference Number 262DF
A VPN device may have a red default gateway defined, a black default gateway defined, an outbound proxy rule, and a requirement to reach services such as a RADIUS server or an ACE/Server. In that configuration the service cannot be reached from the VPN device unless a specific static route to it is defined.
IPSec-Default and Remote-Group IPSec
Not Removable
Reference Number 13DF
IPSec-Default and Remote-group IPSec cannot be removed permanently from a device configuration. Although you can go through the steps to delete these items and then write the configuration change to memory, when you reboot the device, enter Normal Mode, and enter the Show Configuration command, the deleted Remote-group IPSec and the Secure-profile IPSEC-Default are still present.
This behaviour supports policy-based management.
Static Client IP Assignments Using ACL
Typically, Client-IP addresses are not assigned statically in the Access Control List (ACL). However, if there are occasions where the addresses are assigned statically in the ACL, note that an IP address or a range of IP addresses must be set aside in the group tunnel corresponding to the ACL. Specifically, the range should not overlap any of the Client-IP addresses specified in the ACL.
Configuration of Both DHCP and Static IP
Addresses on One Tunnel
The VPN Manager allows you to configure both DHCP and static Client-IP addresses on the same remote-use tunnel, but you should not, since this configuration is not supported. You can, however, configure either multiple static Client-IP address entries or multiple DHCP entries (as long as you enter the DHCP gateway's IP address), but not a combination of these.
DHCP Server of Client-IP Addresses
To successfully use the VPN device as a DHCP server or
forwarder for a VPN Client, the client-IP address assigned
must fall within one of the subnets on a red interface so
that the VPN device can return an a p p r o pr iate subnet mask
and DHCP server.
For example:
remote-group test
client-ip 10.20.1.17 2
assigns two IP addresses to the group test, 10.20.1.17 and
10.20.1.18.
To service DHCP requests, a red interface could be configured as follows:
int e 0
mode red
ip address 10.20.1.1 255.255.255.240
ip address 10.20.1.19 255.255.255.240 secondary
The secondary address 10.20.1.19 is the address/mask that is used when responding to VPN Client DHCP requests.
The DHCP information returned for the first VPN Client is:
IP Address: 10.20.1.17
Subnet Mask: 255.255.255.240
DHCP Server: 10.20.1.19
If the VPN device is configured to relay requests to a DHCP server on an inside network, there must be a secondary IP address that maps into the address space of the pool of addresses that the DHCP server issues. This pool can optionally be selected by specifying the secondary IP defined on the red interface in the client-IP command, as follows:
remote-group test2
client-ip DHCP 2 10.20.1.19
For example, if a DHCP server is configured with two
pools of addresses:
10.1.1.1 to 10.1.1.20 mask 255.255.255.0
and
20.2.2.1 to 20.2.2.10 mask 255.255.255.240
then the VPN device must be configured with two IP
addresses, one in the 10.1.1.21-10.1.1.254 range and one in
the 20.2.2.11-20.2.2.14 range to support both subnets.
The groups would be configured as follows:
remote-group tenNetwork
client-ip DHCP 20 10.1.1.21
remote-group twentyNetwork
client-ip DHCP 10 20.2.2.11
The red interface would be configured as follows:
int e 0
mode red
ip address 10.1.1.21 255.255.255.0
ip address 20.2.2.11 255.255.255.240 secondary
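A configuration check for the rule above, added here and not part of the VPN Manager: it parses the red-interface and client-ip lines from a configuration excerpt and reports any static Client-IP address that no red-interface subnet contains (so the device could not return a mask for it) and any DHCP pool selector that is not an address of a red interface; dhcp_reply shows the mask and server address the device can hand back for a given client. The parse_config, check_groups and dhcp_reply names and the sample configuration are constructed for the example, and "mode black" is an assumed keyword for the public interface, used only so the parser can tell red from non-red interfaces.

```python
"""Check that client-IP assignments fit the red-interface subnets.

Added example, not appliance code.  Config syntax follows the excerpts above;
'mode black' on the public interface is an assumed keyword used only so the
parser can tell red from non-red interfaces.
"""
from ipaddress import IPv4Address, IPv4Interface


def parse_config(text: str):
    """Return the red-interface addresses and, per remote-group, its client-ip argument lists."""
    red, groups, on_red, group = [], {}, False, None
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "int":                      # a new interface block; mode not known yet
            on_red, group = False, None
        elif words[:2] == ["mode", "red"]:
            on_red = True
        elif words[:2] == ["ip", "address"] and on_red:
            # ip address A.B.C.D [mask] M.M.M.M [secondary]
            args = [w for w in words[2:] if w not in ("mask", "secondary")]
            red.append(IPv4Interface(f"{args[0]}/{args[1]}"))
        elif words[0] == "remote-group":
            group = words[1]
            groups.setdefault(group, [])
        elif words[0] == "client-ip" and group is not None:
            groups[group].append(words[1:])
    return red, groups


def subnet_for(red, address: IPv4Address):
    """The red-interface address/mask whose subnet contains the client address, if any."""
    for iface in red:
        if address in iface.network:
            return iface
    return None


def check_groups(red, groups):
    """Findings for every client-ip entry that the device could not answer correctly."""
    problems = []
    red_addresses = {iface.ip for iface in red}
    for name, entries in groups.items():
        for args in entries:
            if args[0].upper() == "DHCP":
                # client-ip DHCP <count> [<red-interface address selecting the server's pool>]
                if len(args) > 2 and IPv4Address(args[2]) not in red_addresses:
                    problems.append(f"{name}: pool selector {args[2]} is not an address of a red interface")
            else:
                # client-ip <first address> <count>: each address needs a red subnet to supply its mask
                first, count = IPv4Address(args[0]), int(args[1])
                for offset in range(count):
                    if subnet_for(red, first + offset) is None:
                        problems.append(f"{name}: {first + offset} is outside every red-interface subnet")
    return problems


def dhcp_reply(red, client_ip: str) -> dict:
    """The mask and server address the device can return to a VPN Client for this client IP."""
    address = IPv4Address(client_ip)
    iface = subnet_for(red, address)
    if iface is None:
        raise ValueError(f"{client_ip} lies outside every red-interface subnet")
    return {"ip": str(address), "mask": str(iface.network.netmask), "server": str(iface.ip)}


# Constructed from the release-note example above.
SAMPLE_CONFIG = """
int e 0
mode red
ip address 10.20.1.1 255.255.255.240
ip address 10.20.1.19 255.255.255.240 secondary
int e 1
mode black
ip address 10.250.145.3 255.255.0.0
remote-group test
client-ip 10.20.1.17 2
remote-group test2
client-ip DHCP 2 10.20.1.19
"""

if __name__ == "__main__":
    red, groups = parse_config(SAMPLE_CONFIG)
    print("problems:", check_groups(red, groups))
    print("first client:", dhcp_reply(red, "10.20.1.17"))
```

Run against the sample, the check reports nothing and the first client receives mask 255.255.255.240 with server 10.20.1.19; pointing the DHCP pool selector at 10.20.1.18 (a client address rather than the secondary) or extending a static pool past 10.20.1.31 is reported before the configuration is committed.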
SST Tunnel Renegotiation Requirements
Two hours before the key lifetime expires, an SST tunnel renegotiates; this is normal behaviour.
The reason for this behaviour is that if your VPN device has a large number of active tunnels, it may take that amount of time (2 hours) to renegotiate all the tunnels.
RADIUS, SecurID, and SoftID users must re-authenticate their tunnels after renegotiation; however, challenge phrase, Shiva CA, and Entrust certificate users do not have to re-authenticate their tunnels, as renegotiation is transparent to them.
Unable to Connect With PPP/CHAP
Through Synchronous Line Without Match
Reference Number 104330DF
Attempting to connect with PPP (Point-to-Point Protocol) using CHAP (Challenge Handshake Authentication Protocol) through a synchronous line is unsuccessful if the peer user names and password do not match. In that case the PPP session does not complete, as a result of a CHAP failure for interface S0 remote, and the message states no name found.
To avoid this problem, remember that CHAP negotiation requires both user names and a password at the local device and the remote device. At each device, the local user name is used as configured in the General settings. You must enter the CHAP Peer User Name and the CHAP password, that is, the user name from the peer device and the CHAP password, at each device. The CHAP password must be identical, that is, both devices must use the same password.
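An added example of the exchange the two devices perform (not appliance code) shows why both the peer name and the password must match: the authenticator first looks the responding peer up by name, which is where "no name found" comes from, and only then recomputes MD5(identifier || password || challenge) as RFC 1994 specifies. The Device class, the device names and the password are invented for the example.

```python
"""Mutual CHAP between two devices on a synchronous link.

Added example, not appliance code.  RFC 1994 CHAP with MD5:
Response = MD5(Identifier || secret || Challenge).  Each device is configured with
its own name (General settings), the CHAP Peer User Name and the shared CHAP password.
"""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Device:
    def __init__(self, name: str, peer_name: str, chap_password: bytes):
        self.name = name                    # local user name from the General settings
        self.peer_name = peer_name          # CHAP Peer User Name expected from the other side
        self.password = chap_password       # CHAP password; must be identical on both devices

    def challenge(self):
        """Authenticator side: a fresh identifier and random challenge."""
        return os.urandom(1)[0], os.urandom(16)

    def respond(self, identifier: int, challenge: bytes):
        """Peer side: answer with its own name and the hashed secret."""
        return self.name, chap_response(identifier, self.password, challenge)

    def verify(self, identifier: int, challenge: bytes, name: str, response: bytes):
        """Authenticator side: look the name up, then compare hashes in constant time."""
        if name != self.peer_name:
            return False, "no name found"          # the failure the release note describes
        expected = chap_response(identifier, self.password, challenge)
        if not hmac.compare_digest(expected, response):
            return False, "CHAP failure"           # names match but the passwords differ
        return True, "success"


def authenticate(authenticator: Device, peer: Device, identifier=None, challenge=None):
    """One direction of the exchange; each device runs it once as authenticator."""
    if challenge is None:
        identifier, challenge = authenticator.challenge()
    name, response = peer.respond(identifier, challenge)
    return authenticator.verify(identifier, challenge, name, response)


def link_up(a: Device, b: Device) -> bool:
    """PPP completes only when each side has authenticated the other."""
    return authenticate(a, b)[0] and authenticate(b, a)[0]


if __name__ == "__main__":
    local = Device("hq-router", peer_name="branch-router", chap_password=b"s3cret")
    remote = Device("branch-router", peer_name="hq-router", chap_password=b"s3cret")
    print("matching names and password:", link_up(local, remote))
    wrong = Device("branch-router", peer_name="hq-router", chap_password=b"other")
    print("password mismatch:", authenticate(local, wrong))
```

Note that a name mismatch is reported before the password is ever checked, so "no name found" on the synchronous interface means the CHAP Peer User Name should be compared first; a hash mismatch with matching names points at the password.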
Net-Include and Static Route Shortfalls
Overcome by SAs for IPSec Tunnels
Reference Number 185DF
When you want to route subnet traffic to a destination that is within the tunnel destination, use a Security Association (SA) to define the tunnel end-points. SAs override net-includes and static routing statements.
Frame Relay Sprint Certification Testing
Release 6.8.2 passed all Frame Relay Sprint certification testing except for one suite of tests that was not run. Since congestion management is not fully supported currently in the Frame Relay module, the Congestion Control certification test was not run.
56-Bit DES and 168-Bit 3DES Versions
There are two versions of the software. One version
provides 56-Bit DES encryption, while the other version
provides 168-Bit 3DES encryption.
As a result of certain countries' import and export restrictions on security technology, use of encryption encapsulation algorithms that exceed 56 bits may be limited. If you are using the software in one of these countries, please disregard instructions concerning encryption greater than 56 bits in the online Help file, as both software versions include the same online Help file. Note that a 56-bit DES key is within reach of an exhaustive key search, so where regulations permit, use the 168-bit 3DES version.
Tunnel Negotiation Attempted After
Interface Shut Down
Reference Number 114DF
As a result of its architecture, the VPN device tries to bring up tunnels even though the interface is shut down. This happens for SST as well as IPSec tunnels.
No packets are sent on the physical media as a result of this internal behaviour.
Known Problems
This section describes known problems at the time of
release and is divided into the following sections:
• VPN device
• VPN Manager
VPN Device
Simultaneous Upload Of lrvg.exe and
isbr.exe Files Fails
Reference Numbers 602 and 736
In Release 6.8.2, simultaneous upload of the lrvg.exe and isbr.exe files to devices with Release 6.8.2 firmware fails.
The ability to carry out simultaneous file transfers was disabled in the VPN devices in order to have the Policy Manager software operate successfully.
HP VPN Server Appliance SA3110
Synchronous Interface Becomes
Unreliable At E1 Speed
Reference Numbers 573DF, 699, and 727DF
In Release 6.8.2, the HP VPN Server Appliance SA3110 synchronous interface is unreliable at E1 speed.
Although the synchronous interface will synchronize to a provided clock of 2 Mbits per second (E1), the device will not operate reliably at this speed. Failure symptoms for high-speed Frame Relay connections include CRC errors and lost packets.
To work around this problem, operate the VPN device at a maximum recommended clock of 1.54 Mbps, the T1 rate.
An SA of 0.0.0.0 Does Not Pass Traffic On
Site-To-Site Tunnels
Reference Numbers 369P and 679
In Release 6.8.2, an SA of 0.0.0.0 does not pass traffic on
site-to-site tunnels and the destination device does not see
packets.
Some Running SAs Are Not Renegotiated
After Being Deleted by a Cisco Device
Reference Number 451DF
In Release 6.8.2, when an HP VPN device has initiated a VPN tunnel to a Cisco device and the following sequence of commands is issued on the Cisco device, the tunnel is not renegotiated:
clear crypto isakmp is issued on the Cisco device to delete the MAIN SA. The Cisco device sends a delete notification to the HP VPN device; the VPN device deletes its Main SA and the Cisco device deletes its Main SA.
clear crypto sa is issued on the Cisco device. The Cisco device deletes its QUICK SA, but no delete notification for this action is sent to the HP VPN device.
As no delete notification is received, the HP VPN device does not delete its Quick SA. Since the Quick SA remains, the VPN device does not renegotiate the SA.
Removing Flash When Device Powered Up
Causes Crash
Reference Number 105DF
When the VPN device is powered on and in disable mode, if you remove the flash and then type enabled and your password, a message first appears (Unable to write DiskCachePasse), then the device crashes.
To prevent this crash and potential damage to the flash, do not remove the flash while the VPN device is powered up.
Static Route and Default Gateway Do Not
Work For Synchronous Interface Using
Frame Relay When Next Hop Is Physical
Interface
Reference Numbers 353P, 10P, 642DF and 676P
A defined static route and default gateway do not work for a synchronous interface using Frame Relay when the next hop is a physical interface.
In the case of Frame Relay interfaces, the next hop cannot be set to a physical interface, since several DLCIs can be active on the interface.
Also, if you define a static route with A0 as the next hop interface, the route does not show in the routing table. This is because when you set the next hop to be the asynchronous interface, the asynchronous interface and the protocol must be up for the route to appear in the Show Route command.
Filter Rate May Be Lower When Small
Packets Forwarded And Bi-Directional
Data Secured
Reference Number 439P
In Release 6.8.2, HP VPN Server Appliance SA3400/SA3450 devices may demonstrate a lowered filter rate when small packets are forwarded and bi-directional data is secured.
The new VPN devices' performance numbers are meeting expectations, that is, they are able to transmit more than 90 Mbps of encrypted traffic in a best-case scenario; however, at this time the devices do not transmit more than 90 Mbps in all scenarios.
Large Configuration File Takes Long Time
to Reload
Reference Numbers 493P and 701
In Release 6.8.2, if you TFTP a configuration file containing
20,474 static routes to a device and then do a reload, the
reload with this large routing table takes more than 60
minutes and the device is entirely occupied with the task.
100 Mbps TX LED Stays Lit When LAN
Cable Unplugged
Reference Number 425P
In Release 6.8.2, the 100 Mbps TX LED is not turned off when the LAN cable is unplugged.
IP Route 0.0.0.0 Can Have Two Meanings
Reference Number 129P and 645
In Release 6.8.2, an IP route of 0.0.0.0 can be entered in the VPN Manager. However, the 0.0.0.0 route can also be used to specify a default gateway, so such an entry is ambiguous.
To work around this problem, do not use 0.0.0.0 as an IP route.
PCB Not Freed With Synchronous
Interface After Overwhelming Traffic
Reference Number 652
In Release 6.8.2, if you send more packets through the synchronous interface of an HP VPN Server Appliance SA3450 than it can handle, the device stops transmitting during operation. If you shut down the serial interface, you free the packet control buffers (PCBs), but when you re-enable the interface, it starts queuing packets and not sending them.
VPN Manager
Free Disk Space Can Be Calculated
Incorrectly
Reference Numbers 559 and 722
In Release 6.8.2, if you try to commit changes, the free disk
space on the device can be calculated incorrectly.
When this miscalculation occurs, a VPN Manager dialog
box appears displaying the following message:
[host name]: This device does not have
enough free disk space to upload the
isbr.cfg.
To close the dialog box, click OK. Your next attempt to commit changes should succeed.
Simultaneously Closing Frames During
Uploading Causes Crash
Reference Numbers 542PDF and 713
In Release 6.8.2, if you upload firmware to five or six devices, starting each subsequent upload very quickly, and then, when all are active, cancel all of the frames, the software will crash.
To avoid this problem, do not cancel a frame before uploading is finished.
Issues With New ACL Option
Reference Numbers 109PDF and 644
In Release 6.8.2, when a new Access Control List (ACL) is
created through the New ACL menu option, there is no
warning message to make it clear that committing the new
ACL will overwrite the existing ACL on the device, if
present.
Also, in order to use this option to delete the existing ACL intentionally, one match entry must be added and then deleted before committing.
Cannot Upload New Firmware and View
Configuration at the Same Time
Reference Numbers 607 and 739
In Release 6.8.2, uploading new firmware and attempting
to view that device's configuration at the same time from
the VPN Manager does not work. The configuration
window opens blank (empty) and remains blank and static
showing the progress indicator at 100%.
To work around this problem, do not attempt to upload
new firmware and to view the device's configuration at the
same time.
Windows 2000 Pro Manager Connectivity
Problem When Interface Setting Changed
Reference Numbers 611 and 743
In Release 6.8.2, with the VPN Manager running on a Windows 2000 Professional system, if there is traffic to the device from a system other than the VPN Manager PC, you change the device's interface setting from Auto or 100 to 10, and there is no traffic to or from the VPN Manager PC on the interface with the changed setting, the VPN Manager PC loses its connection to the device. Until one of these conditions no longer holds, the VPN Manager on the Windows 2000 system cannot communicate with the VPN device to which the changes were committed.
Note: If both interfaces are set to 10, you must go through the Console and restore the e1 interface setting to Auto to restore communication.
Misleading Message Displayed When
Changing ESP v1 Profile Authentication
Header
Reference Number 835
In Release 6.8.2, if you create a new ESP v1 security profile and choose AH: Keyed MD5, AH Key Length: 1, create a new site-to-site tunnel with this as its profile, set the AH Key, then go back to the profile and change the AH to Keyed MD5 Replay, and then return to the tunnel and change the AH Key, the following message appears even though the Key data does match the profile key length:
Key data does not match profile key length
SAs Defined for Site-to-Site Tunnels Can
Have Invalid Profiles
Reference Numbers 850DF and 851
In Release 6.8.2, Security Associations (SAs) defined for Site-to-Site Tunnels can have invalid profiles. For example, if you open a device configuration from the VPN Manager, add a site-to-site tunnel using an ESP v2 (IKE) Security Profile, right-click the tunnel to add an SA, and select an ESP v1 Security Profile, the following message correctly appears:
Encryptor profile and SA profile do not match
However, if you now select an L2TP Over IPSec security profile, you are erroneously allowed to use it. Similarly, if you choose an ESP v2 (Man) Tunnel, you are allowed to choose an ESP v1 SA, and if you choose an L2TP tunnel, you are allowed to choose an ESP v2 (IKE) SA.
Similarly, if you create a site-to-site tunnel using an ESP v2 (IKE) security profile, add an SA using this security profile, and then drag and drop the SA from the manual tunnel to the IKE tunnel, the following message appears:
Paste of item "SA1" failed
Encryptor Profile and SA profile types do not match
The Larger the Client-IP Count, the
Longer the Wait
Reference Number 852DF
In Release 6.8.2, if you define a static Client-IP with a large
count for a Remote Group tunnel, the VPN Manager takes
a long time to process your definition.
The delay begins to appear at counts of about 5,000, and increases as you increase the count. Once you click OK, a count of 10,000 can take up to two minutes to process on a Pentium III 600 MHz system with 128 MBytes of RAM.
Unexpected ACL Characteristics If Cancel
Selected During Upload
Reference Number 875
In Release 6.8.2, if you select the Cancel button when an
ACL file is being uploaded, all of the fields in the ACL
window are selectable.
These fields should only be selectable as long as the check
box on the right of the field is enabled.