Docstoc

V7 Known Issues List - Astaro

Document Sample
V7 Known Issues List - Astaro Powered By Docstoc
					# LIST OF KNOWN ISSUES FOR ASTARO SECURITY GATEWAY V7
# ====================================================
# The purpose of this list is to give you an overview of known issues and
# possible workarounds, as well as known problems in other software being
# used in connection with Astaro Security Gateway V7
# The ID denotes the internal Astaro bugtracking ID and will be shown in
the
# description of an Up2Date if the issue is fixed.
#
# We would appreciate if you contribute to this list and would give us
# feedback in this respect.
# For further infos please contact: knownissues@astaro.com
#
# Last edit (time is UTC):
# $Id: Known_Issues-ASG-V7.txt,v 1.99 2011/08/19 08:20:16 mgehrlein Exp $



Open Issues - Email Security
===============================


ID16551 7.509 Mails in Error Queue - Scanner timeout or deadlock
-----------------------------------------------------------------
Description: This issue occurs while setup one of the keyservers
              (blackhole.pca.dfn.de, wwwkeys.de.pgp.net,
              pgpkeys.pca.dfn.de) within the email encryption options.
              These servers are not responsive after the TCP connection
is
              established.
Workaround:   Use another keyserver or clear the keyserver field.
Fix:          ---


ID09174 7.302 Without email subscription (or deactivated smtp proxy) the
standard smtp profile is activated
-------------------------------------------------------------------------
-----------------------------------
Description: When activating the SMTP Proxy the default profile, that
              contains the "AntiSpam" and the "AntiVirus" feature, is
              activated, even without an Email filtering subscription.
The
              configuration can't be changed.
Workaround:   Please contact our support team
Fix:          ---



Open Issues - High Availability
==================================


ID16305   HA sync interface link aggregation only works with first LAG
group
-------------------------------------------------------------------------
---
Description: Only first LAG group is usable for HA sync interface
Workaround:   Use first LAG group for HA sync interface
Fix:          ---


ID06109 7.000 HA not working correctly on ESX Server v2.x
----------------------------------------------------------
Description: VMware ESX Server 2.x is not able to support HA- or
              Clustersetups. The heartbeat signal sent between HA/Cluster
              nodes may time out and lead to Master-Master scenarios.
Workaround:   Upgrade to VMware ESX 3.0 or higher.
Fix:          ---



Open Issues - Logging/Reporting
==================================


ID05465 7.000 Network interface graphs incorrect after turning back time
-------------------------------------------------------------------------
Description: After turning back the system time for a considerable
amount
              (e.g., 2 days), no data is shown in the network traffic
              graphs displayed on the Reporting >> Network >> Daily tab
in
              WebAdmin. The reason is that the graph generator is not
able
              to handle data with a timestamp older than the latest
              inserted data. Once the system time reaches the last
              inserted timestamp again, adding data will work again.
Workaround:   ---
Fix:          ---



Open Issues - Management
===========================


ID11279 7.500 since 7.490: traffic flow monitor not working on PPPoE
interfaces
-------------------------------------------------------------------------
-------
Description: For PPPoE interfaces, the traffic flow monitor shows an
              empty screen. No traffic data is beeing displayed.
Workaround:   Upgrade to Version 8
Fix:          ---


ID07379 7.000 Manual Up2Date upload may not work correctly
-----------------------------------------------------------
Description:   For large Up2Date packages (>100MB) the manual upload via
               WebAdmin may not work correctly if ASG has less than 512MB
               of RAM.
Workaround:    Download Up2Date automatically or contact Support.
Fix:           ---


ID06813 7.007 End-User Portal uses WebAdmin certificate
--------------------------------------------------------
Description: The End-User Portal uses the certificate generated for
              WebAdmin. This may cause problems when having different
              hostnames for End-User Portal and ASG/WebAdmin.
Workaround:   ---
Fix:          ---


ID06780 7.007 SSL client download fails on Windows Vista
---------------------------------------------------------
Description: Users using Internet Explorer 7 on Windows Vista may not be
              allowed to download the SSL VPN client from the Enduser
              Portal. This is up to security restrictions within
              Vista/IE7.
Workaround:   Add the Portal to the Trusted Sites in Internet Explorer
              (Extras->Security->Trusted Sites) in order to allow
              downloading an executable.
Fix:          ---


ID05356 7.000 WebAdmin certificate import problems with IE 6 & 7
-----------------------------------------------------------------
Description: After installing the WebAdmin certificate in Internet
              Explorer 7 you may only be allowed to connect to the
              specific ASG the certificate is coming from. Adding another
              certificate from another ASG allows access to this machine,
              too. In IE6, the popup warning may also occur after
              importing the certificate.
Workaround:   ---
Fix:          ---


ID05138 7.000 Import of WebAdmin CA certificates may fail with Firefox
-----------------------------------------------------------------------
Description: Depending on operating system and Firefox version, import
of
              WebAdmin's certificate may no work correctly.
Workaround:   ---
Fix:          ---



Open Issues - Networking
===========================
ID11671 7.501 Receiving Transmit timed out on network cards using tg3
----------------------------------------------------------------------
Description: In some rare cases Networkcards using the tg3 driver do a
              reset.
              This could be identified by the following log statements in
              the kernel.log:
              kernel: NETDEV WATCHDOG: eth0: transmit timed out
              kernel: tg3: eth0: transmit timed out, resetting

              After the reset communication continues.
              During this reset no communication is possible with the
              affected card.
Workaround:   Use a network card with other chipsets.
Fix:          ---



Open Issues - VPN
====================


ID14029 7.505 RED cannot be activated when "organization name" has more
than 38 character
-------------------------------------------------------------------------
-----------------
Description: RED cannot be activated when the "organization name" has
              more than 38 characters, due to limitations of the object.
Workaround:   Shorten the "organization name" to less than 39
characters.
Fix:          ---


ID12532 7.502 Ipsec on demand using ASC V9.2 on Windows 7?
-----------------------------------------------------------
Description: There are some changes in the behavior of the ASC. If a
              remote access ipsec connection is configured with more for
              more than one network, the ASC creates only the first
tunnel
              when you start the application. All the other tunnels will
              be created when the client sends the first packet for that
              connection.
Workaround:   ---
Fix:          ---


ID09100 7.301 Symantec Endpoint Protection conflicts with SSL VPN
------------------------------------------------------------------
Description: Using Symantec Endpoint Protection on a Windows system
              running the SSL VPN client will not work. The Symantec
              software causes the SSL VPN client to initialize.
Workaround:   Do not install both software pieces on the same system.
Fix:          ---
ID05405 7.000 PPTP/L2TP/SSL OpenVPN routes are not redistributed in OSPF
-------------------------------------------------------------------------
Description: VPN Pools like the ones mentioned above will not get
              redistributed when using OSPF.
Workaround:   ---
Fix:          ---


ID05375 7.000 Strict routing may also match locally generated traffic
----------------------------------------------------------------------
Description: For locally generated packets and strict routing enabled
for
              an IPSec tunnel, it is not possible to send locally
              generated plaintext packets to the same destination.
Workaround:   ---
Fix:          ---



Open Issues - Web Security
=============================


ID11746 7.501 Directory listing is not working for strato ftp server
---------------------------------------------------------------------
Description: Directory listing may not be working under certain
              conditions via FTP proxy.
Workaround:   As a workaround try skipping virus scanning for this
              specific server.
              If this should not work please contact support.
Fix:          ---


ID07899 7.103 AD SSO not working when NETBIOS domain name contains a dot
-------------------------------------------------------------------------
Description: Active directory Single-Sign-On Functionality may not work
              if the NETBIOS domain name contains a dot, e.g. if the
              domain is named 'ASTARO.DE'.
Workaround:   Rename the NETBIOS domain name, see
              http://technet.microsoft.com/en-
us/windowsserver/bb405948.aspx
              for instructions how to do that in Windows Server 2003.
Fix:          ---


ID06491 7.005 Customizable AV scanning size not used in HTTP profiles
----------------------------------------------------------------------
Description: It is possible to set the maximum size of the file to be
              scanned by the AV scanner in the HTTP Proxy setup. This
              allows much larger files to skip the processor and ram
              intensive task of scanning a 700mb ISO file for example.
              Currently, changing the file size will only work for the
              default HTTP Proxy profile. Additional profiles will
              continue using the default value of 50MB.
Workaround:   ---
Fix:          ---



Open Issues - Various
========================


ID05984 7.002 FTP upload/download stops during data transfer
-------------------------------------------------------------
Description: During an FTP transfer on a DNAT'd FTP server, incoming and
              outgoing FTP streams are timing out. This is due to
              expectations problems created by the Connection Tracking
              helper not allowing the connection to be revalidated.
Workaround:   Create an additional packetfilter rule allowing any
traffice
              from your source network to the FTP servers' address.
Fix:          ---


ID18469 7.511 After 7.511 up2date, AD authentication fails with
nt_status_access_denied
-------------------------------------------------------------------------
---------------
Description: After updating to 7.511, no Active Directory user can
              successfully use web proxy's Active Directory Single Sign-
on
              profile. Users are prompted to enter their login
              credentials. There are NT_STATUS_ACCESS_DENIED messages
              appearing in the web proxy log.
Workaround:   The ASG can no longer communicate to the Active Directory
              Domain because it doesn't have the necessary authentication
              credentials. These credentials are created by the domain
at
              the time the ASG is joined to the domain. Removing the
              ASG's computer account in AD and rejoining the ASG to the
              domain (via the webadmin portal's Single Sign-on section)
              will resolve this issue.
Fix:          ---


ID17464 7.510 Upgrade V7 > V8 not working at a HA-Setup
--------------------------------------------------------
Description: After starting the Upgrade from v7 to v8 the slave had the
              status: Upgrade, but after the reboot of the slave node,
the
              version was still 7.510, without any change.

              The problem came out to be with the GRUB bootloader, as the
              Upgrade fails when writing the MBR when about to prepare
for
              booting into the Upgrade Linux. It then fails because it is
              unable to find the correct disk.
              This is all because one entry in /boot/grub/device.map is
              wrong:
               (fd0) /dev/fd0
               (hd0) /dev/sdb

              The 2nd entry should be /dev/sda instead.

              This file is written by the V7 Installer on behalf of the
              BIOS information given. I assume the boxes were installed
              with the Astaro USB stick at that time, then because of an
              BIOS issue the first disk being named /dev/sdb (instead of
              /dev/sda) because of the stick being mounted (being
              /dev/sda) then.
Workaround:   The fix is just to replace /dev/sdb in
/boot/grub/device.map
              by /dev/sda:

              mount -o remount,rw /boot
              vi /boot/grub/device.map (# change
              /boot/grub/device.map)
              mount -o remount,ro /boot

              Then the Upgrade should work without any problem.
Fix:          ---


ID15813 7.508 After update to 7.508, network groups are not shown
correctly
-------------------------------------------------------------------------
---
Description: After the update to 7.508, network groups are not shown
              correclty.

              Networks definitions usually look
              like:

              WWW->INNTRANET
              INTRANET->WWW
              ..

              After updating to 7.508, group names are not displayed
              correctly:

              WWW -&gt ; INNTRANET
              INTRANET -&gt ; WWW
Workaround:   Contact Astaro Support
Fix:          ---


ID14447 7.505 Long webadmin sessions on the webadmin dashboard causes
memory leak
-------------------------------------------------------------------------
---------
Description:   When webadmin session's focus is kept on the webadmin
               dashboard for an extended amount of time, this will cause a
               memory leak until the session is closed.
Workaround:    ---
Fix:           ---


ID12855 7.503 SMTP Proxy domain entries are case sensitive
-----------------------------------------------------------
Description: If there is a mix of lower and upper case characters in the
              SMTP proxy conifguration of the routed domains, the mail
              traffic might stop since the configuration is not set
              properly by the system
Workaround:   Only use lower case characters in the domain names.
Fix:          ---


ID12687 7.502 arabic letters of the subject are not visible inside the
spam report
-------------------------------------------------------------------------
----------
Description: The subject of blocked E-Mails are not shown in the correct
              way inside the spam report if they contain Arabic letters
Workaround:   Please contact our support team
Fix:          ---


ID12594 7.502 SSL-VPN RAS addresses are not removed reliably when OpenVPN
is restarted or stopped
-------------------------------------------------------------------------
-------------------------
Description: In case OpenVPN is restarted or stopped, not all users are
              updated via RAS-update. Result is that a huge amount of
              users still have an 'old' ip-address in the user network
              object.
Workaround:   ---
Fix:          ---


ID11412 7.500 External OWA adress is no longer reachable via http proxy
------------------------------------------------------------------------
Description: External OWA adress is no longer reachable via http proxy
on
              the internal ip adress of the OWA server
Workaround:   Please add at network services > DNS a static entry for the
              domain to the internal ip address
Fix:          ---


ID11396 7.500 Webadmin is no longer reachable via http proxy after update
-------------------------------------------------------------------------
-
Description: Webadmin is no longer reachable via HTTP Proxy, since
              Webadmin's allowed networks check could be bypassed through
              HTTP proxy.
Workaround:   no workaround
Fix:          ---


ID11360 7.500 IPSec tunnel not coming up properly after 7.480 update,
continues at 7.500
-------------------------------------------------------------------------
----------------
Description: Upon restart of the ASG, site-to-site IPSEC tunnels will
not
              establish after successful PPPOE interface negotiation.
Workaround:   Manual restart of the IPSEC tunnel is required via the
              webadmin portal on both vpn endpoints once the PPPOE
              negotiation has completed.
Fix:          ---


ID11008 7.404 User will not be shown in the SSL VPN online statistics if
the name contains a space
-------------------------------------------------------------------------
--------------------------
Description: SSL VPN users will not be shown in 'Remote Access Status'
if
              the user name
              contains a space. This is a display issue only and does not
              affect the VPN
              functionality.
Workaround:   Avoid spaces in SSL VPN user names.
Fix:          ---


ID10429 7.402 ips loops if a exception for ssl vpn user exist and they
connect with Vista 32 bit
-------------------------------------------------------------------------
------------------------
Description: IPS cause a high load and loops if a ssl vpn user connect
              with Vista 32bit OS and a Exception exist for this user.
Workaround:   Please set the Protocol at Remote Access > SSL > settings
              from TCP to UDP
Fix:          ---


ID10338 7.401 Not possible to delete interface, get "One of the values
you entered is syntactically or logically incorrect"
-------------------------------------------------------------------------
---------------------------------------------------
Description: Not possible to delete an interface, getting the error "One
              of the values you entered is syntactically or logically
              incorrect"
Workaround:   The error appears in terms the interface is still in use in
              the configuration. Check your configuration and remove the
              affected interface from the configuration e.g. httpproxy
              profiles
Fix:          ---


ID10318 7.401 Time Events don't work correctly, after switched to
daylight-saving time (03/29/09)
-------------------------------------------------------------------------
-------------------------
Description: After switching to daylight-saving time, time-based rules
              don't work correctly.
Workaround:   Decrease the start- and end-time about one hour to make the
              time-based rules correctly functional.
Fix:          ---


ID10229 7.401 SIP counts dropped SIP RTP packets as connections
----------------------------------------------------------------
Description: When ringing, a lot of SIP RTP packets may be dropped by
the
              packet filter. Every dropped packet increases the SIP
              connection counter in Webadmin.
Workaround:   ---
Fix:          ---


ID10133 7.400 APC UPS does not restore the load after power outage:
Astaro stays off
-------------------------------------------------------------------------
------------
Description: On a power outage, when an APC UPS reaches critical battery
              level, upsmon initiates the shutdown of the Astaro and
tells
              the UPS to power down. After both devices turned off and
              power comes back, the UPS and therefore the Astaro as well
              stay powered off.
Workaround:   ---
Fix:          ---


ID10005 7.400 If you change to german language, some descriptions are
still in english
-------------------------------------------------------------------------
--------------
Description: By changing the global WebAdmin language to German, some
               descriptions are still in English.
Workaround:    ---
Fix:           ---


ID08063 7.104 active directory authentication for openvpn not possible if
using special characters in password
-------------------------------------------------------------------------
--------------------------------------
Description: There is an error called "TLS Auth Error: Auth
              Username/Password verification failed for peer" while
              connecting with SSL VPN and using a password containing
              special characters. The connection to the gateways fails.
Workaround:   It is not possible to use passwords containing special
              characters with OpenVPN at the moment. Please restrict to
              use only 7-bit characters (ASCII), i.e. for example
letters,
              numbers and an exclamation mark. Please note that this also
              applies for usernames as well.
Fix:          ---


ID06912 7.009 Problem authenticating new AD users to HA slaves
---------------------------------------------------------------
Description: In HA environments there might show up a problem when
trying
              to authenticate a newly generated Active Directory user via
              a HA slave system. This may happen e.g. when using the
              End-User Portal with AD authentication.
Workaround:   Authenticate the user against the master first, if
possible.
Fix:          ---


ID05897 7.001 End-User Portal downloads fail with Internet Explorer 7
----------------------------------------------------------------------
Description: While trying to download a file from the End-User Portal
              with Internet Explorer 7 a popup window may appear and
close
              after a second. The download will not start. Disabling
Popup
              blocker will not help.
Workaround:   Please enable "Automatic Prompting for File Downloads" in
              your zone settings of Internet Explorer 7.
Fix:          ---



Closed Issues - Email Security
=================================


ID11538 7.501 HA slaves can not connect to the internet via dynamic
interfaces
-------------------------------------------------------------------------
------
Description: In case of an HA setup with dynamic interfaces (e.g. PPPoE)
              the slave node can't reach the query database server and
              will send out the following notification: "[WARN-129] Spam
              Filter cannot query database servers".
Workaround:   Change the dynamic interface to a static interface. E.g. by
              moving the PPPoE dial-in to a router.
Fix:          Fixed in 7.502
ID11531 7.500 You must specify a route target (internal server) error
message on SMTP profile systems
-------------------------------------------------------------------------
-----------------------------
Description: After updating to 7.500 when attempting to change the
global
              anti-spam settings under mail security>>SMTP>>Antispam the
              system sends a warning:

              You must specify a route target (internal server).

              This warning indicates that the user has not previously
              configured the basic Routing tab which may occur if all
              servers were set using profile mode only in previous
              versions.
Workaround:   As a workaround under Mail Security>>SMTP>>Routing either
              enter a normal or dummy domain such as donotresolve.net and
              set a route target IP address. This will allow for
              modification of the antispam settings tab.
Fix:          Fixed in 7.504


ID11430 7.405 SMTP work queue filled up after failover which causes delay
in delivery
-------------------------------------------------------------------------
-------------
Description: Mail work queue fills up in HA environments after takeover
              and will be processed very slow.
Workaround:   ---
Fix:          Fixed in 7.502


ID11424 7.500 While email-subscription is missing, scanning of
outgoing/incoming mails is still active
-------------------------------------------------------------------------
------------------------------
Description: If there is no valid Email Subscription installed
AntiVirus
              and AntiSpam is greyed out and not used, but in
              Smtp->Relaying the feature "Scan relayed (outgoing)
              messages" is not greyed out and still active. With that
              option, the system will try to scan mails sent from an
              internal mailserver, but the scanner backend is not
              available due to a non-valid subscription. As a result,
              mails will not be sent out.
Workaround:   Disable "Scan relayed (outgoing) messages" if you do not
              have a valid subscription.
Fix:          Fixed in 7.501


ID10391 7.402 POP3 prefetch fails at long MIME-encoded subjects
----------------------------------------------------------------
Description: The prefetch mechanism of the POP3 proxy stops at an email
              where the subject is MIME-encoded for multiple lines but
              without actual line feed. In this case the respective
              account will no longer be prefetched at all.
Workaround:   ---
Fix:          Fixed in 7.403


ID09374 7.303 DKIM signature will not be added in some cases
-------------------------------------------------------------
Description: Email headers containing special characters may miss the
              DKIM signature depending on the encoding.
Workaround:   ---
Fix:          Fixed in 7.400


ID09072 7.301 Signing may be reported as invalid
-------------------------------------------------
Description: For encrypted emails the signing may get reported as
invalid
              at the remote end if intermediate certificates are used.
              This is currently a restriction in the way the certificate
              is added to the email.
Workaround:   ---
Fix:          Fixed in 7.303


ID09028 7.301 Releasing of quarantined mails may not work
----------------------------------------------------------
Description: For emails being converted from pre 7.300 systems releasing
              them out of the Quarantine Manager may not work in all
              cases.
Workaround:   ---
Fix:          Fixed in 7.302


ID09017 7.301 Quarantine Report not sent as specified
------------------------------------------------------
Description: On some systems the Quarantine Report is not being sent as
              it should be, even if there are quarantined emails waiting
              for review.
Workaround:   ---
Fix:          Fixed in 7.302


ID08975 7.301 Special characters in emails are not processed correctly
-----------------------------------------------------------------------
Description: In some cases umlauts are still causing broken emails,
              especially when using them in footers.
Workaround:   Disable footers.
Fix:          Fixed in 7.302


ID08949 7.300 SMTP scanner caught in an endless loop
-----------------------------------------------------
Description: In some cases SMTP scanner may be caught in an endless loop
              which may stop the delivery of emails.
Workaround:   Restart SMTP service.
Fix:          Fixed in 7.301


ID08912 7.300 Email decryption may cut last character in line
--------------------------------------------------------------
Description: For some encrypted emails the decryption subsystem may cut
              the last character of each line. This has been encountered
              with encrypted mails coming from an Outlook 2003 client
              using the GnuPG plugin.
Workaround:   ---
Fix:          Fixed in 7.301


ID08910 7.300 Outgoing emails might get signed although signing is off
-----------------------------------------------------------------------
Description: In case there is email encryption but no signing is
              configured, the mails may get signed in any way if
              encrypting the message fails. This might be triggered by
              having no valid key for the external user.
Workaround:   ---
Fix:          Fixed in 7.302


ID08906 7.300 SMTP service running with high CPU usage
-------------------------------------------------------
Description: In case of corrupt emails in the queue directory the SMTP
              service will try to process them anyway and drain CPU while
              doing this.
Workaround:   ---
Fix:          Fixed in 7.301


ID08892 7.300 SMTP relaying not working correctly with special
configuration
-------------------------------------------------------------------------
----
Description: In some cases after importing a V6 backup the SMTP relaying
              may not work correctly and reject messages with the
              following statement: "451 Temporary local problem - please
              try later".
Workaround:   Enable Virusscanning if possible, switch scanners and
revert
              to old configuration state.
Fix:          Fixed in 7.303


ID08876 7.300 Special characters in emails are not processed correctly
-----------------------------------------------------------------------
Description: In some cases emails containing special characters will not
              be processed correctly and the special characters are shown
              wrong in the email client. This behaviour will mainly be
              triggered when adding additional footers also containing
              special characters.
Workaround:   Try disabling the additional footer.
Fix:          Fixed in 7.301


ID08864 7.300 Email encryption may stop SMTP service
-----------------------------------------------------
Description: When using Email Encryption with a large set of
              certificates, the system may not be able to start in time
              before a restart of the service is triggered. This will
              result in an endless loop of restarting.
Workaround:   Disable Email Encryption to get the SMTP service started.
Fix:          Fixed in 7.301


ID08853 7.300 SMTP service not starting on HA/Cluster systems
--------------------------------------------------------------
Description: In some cases the SMTP service is not able to start on
              HA/Cluster systems after updating to Version 7.300. This
may
              also affect FTP and POP3 services.
Workaround:   ---
Fix:          Fixed in 7.301


ID08849 7.300 End-User Portal does not show all emails
-------------------------------------------------------
Description: The email filter in End-User Portal is case sensitive which
              means emails arriving for a user containing e.g.
capitalized
              letters while his email addresses in ASG are lowercase will
              not be shown in the Portal
Workaround:   ---
Fix:          Fixed in 7.301


ID08200 7.104 Unable to create exceptions for domains with single
character
-------------------------------------------------------------------------
---
Description: It is not possible to add domains containing one character
              like a.example.com to the SMTP exceptions page.
Workaround:   ---
Fix:          Fixed in 7.300


ID07983 7.104 Daily Spam Report fails for some Recipients (case-sensitive
issue)
-------------------------------------------------------------------------
--------
Description: If an email arrives with an identical recipient but
              different spelling e.g. case sensitive notation, the daily
              spam report will not be generated in some cases. This may
              happen i.e. for recipients like this: support@astaro.com OR
              SUPPORTT@astaro.com.
Workaround:   Please contact support with the corresponding ID. They will
              be able to send you a new package which solves this issue.
Fix:          Fixed in 7.300


ID07833 7.100 Download of S/MIME certificate provides empty file
-----------------------------------------------------------------
Description: When trying to download a S/MIME cert you will receive an
              empty file. This is up to a problem in the frontend
              receiving/handling data from the backend incorrectly.
Workaround:   ---
Fix:          Fixed in 7.200


ID07483 7.100 Lots of config changes cause SMTP restarts
---------------------------------------------------------
Description: Having lots of config changes i.e. caused by heavy remote
              access connects/disconnects the SMTP proxy will get
              restarted very often. This causes many gaps where the
system
              is not able to receive or send emails.
Workaround:   ---
Fix:          Fixed in 7.102


ID07472 7.100 POP3 Proxy does not start with customized messages
-----------------------------------------------------------------
Description: In WebAdmin Management->Customization it is possible to
              change the default texts for messages the end users
receives
              like download manager or blocked pages. When entering
              characters like &, < or > into the messages for POP3 proxy,
              the service will not longer be available. The logfile shows
              a xml-parser error.
Workaround:   Do not use these characters or escape them properly. I.e.,
              use html notation.
Fix:          Fixed in 7.300


ID07034 7.009 If cffd fails during spam digest creation no resume for
digest is triggered
-------------------------------------------------------------------------
-----------------
Description: If the cff daemon, which is responsible for the whole
              content filtering procedure, fails during the creation of
              the daily spam digest, sending of the reports is not
              continued. This can be checked in the selfmonitor logfile
if
              the service is restarted at about 1 a.m.
Workaround:   We recommend that the settings of the quarantined emails
are
              reduced to 3 days.
Fix:          Fixed in 7.300
ID06982 7.009 Anti-Spam filter not working in some environments
----------------------------------------------------------------
Description: Using the Anti-Spam service for SMTP or POP3 email
              filtering, the service will not be available if the ASG has
              more than 10 local IP addresses configured on local
              (virtual) interfaces.
Workaround:   ---
Fix:          Fixed in 7.100


ID06926 7.009 Spam Digest not working on HA/Cluster systems
------------------------------------------------------------
Description: In HA/Cluster environments the Daily Spam Digest may not be
              sent out by ASG at all. This effect will occur if the
system
              has been installed with 7.005 or earlier .
Workaround:   ---
Fix:          Fixed in 7.010


ID06892 7.009 Astaro notification emails tagged as spam
--------------------------------------------------------
Description: In some cases the Astaro notification emails may get tagged
              as spam by other Astaro appliances.
Workaround:   Create exceptions matching these notifications.
Fix:          Fixed in 7.300


ID06865 7.007 Daily Spam Report is sent to all users
-----------------------------------------------------
Description: The Daily Spam Report is also sent to users an who are in
an
              exception list.
Workaround:   ---
Fix:          Fixed in 7.100


ID06772 7.007 SMTP Mail processing may stop completely
-------------------------------------------------------
Description: For some rare cases the SMTP mail processing may stop
              completely due to a deadlock within the SMTP scanning
              subsystem. This should not affect many installations.
Workaround:   Reboot the machine.
Fix:          Fixed in 7.008


ID06741 7.007 Email Encryption logfiles filling up partition
-------------------------------------------------------------
Description: The logfiles from the Email Encryption backend are filling
              up the storage partition even after Email Encryption has
              been disabled.
Workaround:   ---
Fix:          Fixed in 7.100


ID06703 7.005 Automatic import of SMIME certificates not working
correctly
-------------------------------------------------------------------------
--
Description: When using Email Encryption the automatic import of SMIME
              certificates will work in the backend, but the certificates
              will not be shown in the frontend.
Workaround:   ---
Fix:          Fixed in 7.008


ID06607 7.005 Daily Spam Report may not be sent out correctly
--------------------------------------------------------------
Description: The Daily Spam Report may not be sent correctly for users
              receiving spam emails with capital letters in their email
              address. The mail address matching is currently being done
              case sensitive.
Workaround:   ---
Fix:          Fixed in 7.008


ID06563 7.005 Possible memleak in Contentfilter backend system
---------------------------------------------------------------
Description: The MySQL, a database engine used on Astaro to store data,
              is taking up hardware resources over time. This is a bug in
              MySQL and will most probably show up in high-load
              environments.
Workaround:   At the moment you only can reboot the box or restart a
              service in the backend in order to regain system resources.
              Prior to 7.100, please restart the Contentscanner
              (/var/mdw/scripts/cffd). Starting with 7.100, there has
been
              some changes in the backend, so please restart Mysql
              (/etc/init.d/mysql).
Fix:          Fixed in 7.300


ID06481 7.005 Preview of quarantined emails not working for mail with
attachment
-------------------------------------------------------------------------
--------
Description: In the end user or administrator portal, overview of emails
              that have been stopped by Astaro for various reasons is
              possible. For mails containing an attachment a preview in
              the portal is not possible.
Workaround:   ---
Fix:          Fixed in 7.300


ID06471 7.005 Mail processing stops at message ID 1000000
----------------------------------------------------------
Description:   Mails having a message ID larger than 1000000 will not be
               processed correctly by the content scanning subsystem.
Workaround:    Call Support.
Fix:           Fixed in 7.006


ID06320 7.003 POP3 spam email not tagged correctly
---------------------------------------------------
Description: When downloading emails via POP3 the tagging (warn
              threshold) is not done correctly. Although the mail should
              reach the client, there is neither a spam tag in the
subject
              line nor a spam report in the header.
Workaround:   ---
Fix:          Fixed in 7.008


ID06311 7.003 Error while scanning emails may stop SMTP proxy
---------------------------------------------------------------
Description: In a few cases the SMTP proxy stopped working after a
              special scanning error occured. In the logfile there is a
              message like this 'Maximum number of scan retries
exceeded'.
Workaround:   Contact Support.
Fix:          Fixed in 7.006


ID06300 7.003 Unable to release/download quarantined POP3 messages
-------------------------------------------------------------------
Description: When trying to release or download the messages from the
              Quarantine Manager a popup window '404 not found' shows up.
              Trying to display a message shows '500 internal server
              error'.
Workaround:   ---
Fix:          Fixed in 7.005


ID06197 7.003 BATV secret not changeable in WebAdmin
-----------------------------------------------------
Description: Currently there is no option to change the BATV secret in
              WebAdmin.
Workaround:   ---
Fix:          Fixed in 7.005


ID06169 7.003 Problems with Vista Windows Mail and POP3 Proxy in
prefetch mode
-------------------------------------------------------------------------
-------
Description: When using the Windows Vista mail client along with the
POP3
              Proxy in prefetch mode, a lot of timeouts may appear when
              trying to get new mails.
Workaround:   ---
Fix:          Fixed in 7.005


ID06143 7.002 Incorrect BATV ACL check causes all bounces to be rejected
-------------------------------------------------------------------------
Description: Incorrect BATV ACL check causes all bounces to be rejected,
              unless either BATV is deactivated for the recipient domain
              or BATV is deactivated by an exception for the recipient or
              the sending host. This also causes sending mail to hosts
              which do sender verification to fail, since sender
              verification is usually implemented as a bounce test.
Workaround:   see above
Fix:          Fixed in 7.003


ID06081 7.002 Confidentiality footer may get added to incoming emails
----------------------------------------------------------------------
Description: The Confidentiality footer of the SMTP Proxy is also added
              to incoming emails when the email-domain has
              capital-letters.
Workaround:   ---
Fix:          Fixed in 7.003


ID06027 7.002 IOS error messages in Exim log - rendering the SMTP proxy
inoperable
-------------------------------------------------------------------------
----------
Description: Some rare ill formatted e-mails may render the SMTP proxy
              inoperable.
Workaround:   ---
Fix:          Fixed in 7.003


ID05994 7.002 Empty content-disposition header in the MIME part is
rendering the e-mail undeliverable
-------------------------------------------------------------------------
-----------------------------
Description: The problem only occurs with multipart messages, such as
              content type multipart/related or multipart/alternative.
Workaround:   ---
Fix:          Fixed in 7.003


ID05941 7.002 Base64 encoded subjects in quarantine manager are decoded
with an error
-------------------------------------------------------------------------
-------------
Description: Some Base64 encoded subjects listed in the quarantine
              manager are not decoded and thus not displayed correctly.
              This can be indicated by the message
              "Frontier::RPC2::Base64=SCALAR"
Workaround:   ---
Fix:          Fixed in 7.003
ID05925 7.002 Subject lines in Daily Spam Report corrupted
-----------------------------------------------------------
Description: Some e-mail clients such as Thunderbird for Windows
              operating systems often do not have the necessary character
              sets installed needed to correctly display special
              characters or CJK languages. However, if the correct
              charsets are installed, the problem no longer remains, as
is
              the case with Thunderbird for Linux, for example, which is
              UTF-8 based and has therefore all charsets pre-installed.
Workaround:   ---
Fix:          Fixed in 7.003


ID05844 7.002 Some POP3 messages are downloaded more than once
---------------------------------------------------------------
Description: Because of a changed handling of the unique message id the
              POP3 proxy downloads all messages from server again. If the
              user has configured his or her mail client in such way that
              it leaves messages on server, it might happen that older
              messages (i.e., messages which the client had already
              received) are downloaded a second time by the client.
Workaround:   ---
Fix:          Fixed in 7.003


ID05811 7.001 Daily Spam Digest also sent to external domains
--------------------------------------------------------------
Description: The Daily Spam Digest will be sent out to anyone receiving
              spam including external domains not configured in the SMTP
              Proxy. This behaviour is unwanted and should be limited to
              internal (specified) domains only.
Workaround:   ---
Fix:          Fixed in 7.005


ID05804 7.001 Special characters not possible in smarthost authentication
-------------------------------------------------------------------------
-
Description: Using special characters like $ or \ in SMTP smarthost
              authentication does not work.
Workaround:   --- (change password if possible)
Fix:          Fixed in 7.004


ID05797 7.001 Daily Spam Report mistakenly tagged as spam
----------------------------------------------------------
Description: Occasionally the Daily Spam Report of Astaro Security
              Gateway gets mistakenly tagged as spam due to a high spam
              score.
Workaround:   ---
Fix:          Fixed in 7.003
ID05782 7.001 Automatic cleanup of Quarantine Manager not working
correctly
-------------------------------------------------------------------------
---
Description: The autoclean feature for Quarantine Manager only works
with
              default settings. After changing them the default values
              will still be used.
Workaround:   ---
Fix:          Fixed in 7.004


ID05766 7.001 Incoming/outgoing e-mails are truncated if they contain a
'dot'
-------------------------------------------------------------------------
-----
Description: AN SMTP e-mail that contains a single dot in one line of
the
              message's body is truncated because the dot is interpreted
              as 'End of Message'.
Workaround:   Do not write an e-mail that has a single dot in one line. A
              dot having a preceding character does not cause the message
              to be cropped.
Fix:          Fixed in 7.002


ID05709 7.001 Confidential footer applies on incoming mails only
-----------------------------------------------------------------
Description: The confidential footer only applies to incoming emails
              instead of outgoing emails.
Workaround:   ---
Fix:          Fixed in 7.002


ID05698 7.001 Content filter mangles SMTP addresses
----------------------------------------------------
Description: Some characters like + get stripped off the local parts of
              email addresses.
Workaround:   ---
Fix:          Fixed in 7.002


ID05693 7.001 Sometimes the daily spam report is not created
-------------------------------------------------------------
Description: Users having a POP3 account configured but for which no
user
              object is existent on the Astaro Security Gateway unit
              sometimes do not receive a daily spam report for their POP3
              accounts.
Workaround:   ---
Fix:          Fixed in 7.003
ID05659 7.001 SMTP Banner does not show hostname
-------------------------------------------------
Description: The banner of the SMTP proxy only shows the standard "220
              ESMTP Ready" prompt but not the hostname. This may cause
              problems with some remote hosts.
Workaround:   ---
Fix:          Fixed in 7.004


ID05637 7.000 SMTP domains are case-sensitive when used in profiles
--------------------------------------------------------------------
Description: SMTP domain names are treated case-sensitive when SMTP
              profiles are used.
Workaround:   ---
Fix:          Fixed in 7.002


ID05568 7.000 Daily Spam Report misses percentage value of blocked e-
mails
-------------------------------------------------------------------------
---
Description: The percentage value for blocked e-mails in the Statistics
              section of the daily spam report might be missing.
Workaround:   ---
Fix:          Fixed in 7.003


ID05384 7.000 Daily Spam Report layout broken in Google Mail
-------------------------------------------------------------
Description: Images contained in the End User Spam Report are not
              displayed if the report is opened through the Google mail
              web portal. However, this is just a cosmetic issue and has
              no impact on the spam statistics included in the report.
Workaround:   ---
Fix:          Fixed in 7.003


ID05309 Broken subject lines quarantine manager
-------------------------------------------------
Description: Some Base64 encoded subjects listed in the quarantine
              manager are not decoded and thus not displayed correctly.
              This can be indicated by the message
              "Frontier::RPC2::Base64=SCALAR"
Workaround:   ---
Fix:          Fixed in 7.003



Closed Issues - High Availability
====================================
ID12956 7.503 Static routes missing in backend when activating High
Availability
-------------------------------------------------------------------------
--------
Description: Enabling High Availability (HA/Cluster) will lead to a loss
              of all static network routes in the backend. This is a
              one-time effect triggered by the activation of HA.
Workaround:   Reboot the system.
Fix:          Fixed in 7.505


ID11383 7.500 Cluster distribution enabled on HA systems
---------------------------------------------------------
Description: For active/passive HA systems, the cluster load
distribution
              for IPsec and HTTP Proxy packets may be active and thus
              distributing parts of the traffic to the passive box which
              will not process the data further. In that case, the
              connections will get dropped/lost.
Workaround:   Please contact support.
Fix:          Fixed in 7.501


ID10339 7.402 Slave nodes keeps UP2DATE state after manual action
------------------------------------------------------------------
Description: In case there is actually no Up2Date to perform, but
              nevertheless triggered via WebAdmin or ACC, HA/Clusternodes
              may remain in the UP2DATE state until next successful
              Up2Date is triggered.
Workaround:   ---
Fix:          Fixed in 7.403


ID10324 7.402 Possible db sync problem on HA nodes
---------------------------------------------------
Description: In some cases there might show up messages like this in
your
              High Availability logfile: 'FATAL main: Node has wrong
              Slony-I schema or module version loaded'. This means, the
db
              schema on the respective HA/Cluster nodes differ and no
data
              can be synced. Most often, this effect can occur if a the
              nodes have/had different versions when (re-)joining the
              cluster.
Workaround:   Contact Support, please.
Fix:          Fixed in 7.403


ID10323 7.402 High-Availability logfile filling up quickly
-----------------------------------------------------------
Description: In some cases the HA logfile is filling up quickly with
              messages like this: "ctsyncd: Got SIGUSR1, set status to
              SLAVE". In those cases, syncing the connection tracking
              table might not work correctly.
Workaround:   Please contact Support.
Fix:          Fixed in 7.403


ID09449 7.304 Problem accessing internal servers via HTTP Proxy on
cluster nodes
-------------------------------------------------------------------------
--------
Description: Having internal servers reachable via DNAT on ASG will
cause
              trouble when an internal client is trying to load the
              external address of this server via an active/active
              cluster. In case the request is processed by a slave or
              worker node it will not reach the internal server.
Workaround:   Define static DNS entries for the respective servers
              pointing to their internal addresses.
Fix:          Fixed in 7.400


ID09372 7.301 Problem when disabling HA backup interface
---------------------------------------------------------
Description: When using HA with backup interface functionality, the HA
              system might be able to shut down backup mode after
              disabling in WebAdmin. This means, that backup mode might
              still be active although it has been deactivated.
Workaround:   Reboot the system.
Fix:          Fixed in 7.305


ID09324 7.303 Possible problem when resolving HA Master-Master situation
-------------------------------------------------------------------------
Description: The backup interface is used to prevent Master-Master
              situations. When backup and main sync interface fail
              together and only the backup interface comes back up again,
              the Master-Master situation is not resolved properly.
Workaround:   ---
Fix:          Fixed in 7.305


ID09274 7.302 HA/Cluster system may deliver messages several times
-------------------------------------------------------------------
Description: In some cases SMTP messages are delivered twice or even
more
              times in case of an error within the quene sync process of
              HA/Cluster systems.
Workaround:   ---
Fix:          Fixed in 7.305


ID09239 7.302 End users can't release spam on HA systems after a power
outage
-------------------------------------------------------------------------
-----
Description:   After a power outage of a complete set of HA clustered
               machines end users may not be able to release spam by
               clicking the release link in the daily digest email.
Workaround:    ---
Fix:           Fixed in 7.400


ID08409 7.104 IPsec/Pluto misses SA syncs during restart on slave
------------------------------------------------------------------
Description: When using IPSec VPN on active/active Cluster systems the
              reboot of a slave system may also shutdown the tunnel SA on
              the remote side without any need.
Workaround:   Actually the SA will get restablished once traffic should
              pass the tunnel automatically.
Fix:          Fixed in 7.303


ID08365 7.104 Slave stuck in 'UP2DATE' state in HA/Cluster environment
-----------------------------------------------------------------------
Description: In some cases a node in a HA/Cluster environment is not
able
              to update. WebAdmin will show status UP2DATE for a very
long
              time and node will not get back to ACTIVE.
Workaround:   Reboot the slave (after waiting some time for automated
              recovery) or call support.
Fix:          Fixed in 7.300


ID07906 7.103 Link detection on LAG interfaces does not work on
Slave/Worker nodes
-------------------------------------------------------------------------
----------
Description: Link detection on LAG interfaces will not work on
              Slave/Worker Nodes. Because of that, Slave/Worker nodes
will
              be in UNLINKED state.
Workaround:   ---
Fix:          Fixed in 7.200


ID07892 7.103 Cluster with four or more nodes will not update completely
-------------------------------------------------------------------------
Description: Having a cluster with four or more nodes, an Up2Date
              triggered via WebAdmin may not finish successfully. In some
              cases, half of the nodes seem to be stuck.
Workaround:   Trigger Up2Date a second time via WebAdmin.
Fix:          Fixed in 7.200


ID07831 7.102 High availablility logfile filling up with stats
---------------------------------------------------------------
Description: When using ASG in High availability or Cluster mode, the
              logfile will fill up with stats from a process called
              'ctsyncd'. Over time, the logfiles might get too large.
Workaround:   ---
Fix:          Fixed in 7.103


ID07475 7.100 IPsec starting in wrong mode after restart of HA system
----------------------------------------------------------------------
Description: In some cases, a member of a HA/Cluster system will not
              initialize its IPsec mode correctly when getting Master
              directly after booting. As a result all tunnels will not
              come up.
Workaround:   Reboot again.
Fix:          Fixed in 7.102


ID06886 7.009 Problem detecting linkbeat for HA on ASG525F
-----------------------------------------------------------
Description: Having two ASG525F in a HA configuration will not case a
              failover when linkbeat on a fibre interface is lost. This
is
              up to a driver problem.
Workaround:   ---
Fix:          Fixed in 7.200


ID06651 7.006 HA/Cluster stops working if ha password has special
characters
-------------------------------------------------------------------------
----
Description: In this version HA or Cluster does not work if the
              HA/Cluster encryption key contains any of the special
              characters " ' or (. This also affects Up2Dates from 7.005.
Workaround:   Remove special characters from encryption key or call
              support.
Fix:          Fixed in 7.100


ID06463 7.005 More than one Executive Report in HA/Cluster environment
-----------------------------------------------------------------------
Description: In some cases each node in a HA/Cluster environment may
send
              an own Executive Report.
Workaround:   ---
Fix:          Fixed in 7.100


ID06346 7.003 Ctsync process from HA/Cluster is restarting hourly
------------------------------------------------------------------
Description: The ctsync process ensures proper handling of connections
in
              HA and Cluster environments. In active/active clustering
              setups, this process may crash on the slave for some
special
              connections. In high-traffic environments this may occur
              more often.
Workaround:   ---
Fix:          Fixed in 7.008


ID06317 7.004 Pattern Up2Dates on cluster nodes running very slow
------------------------------------------------------------------
Description: In some cluster environments the Pattern-Up2Dates are
              running very slow due to some limitations of the sync
              process.
Workaround:   ---
Fix:          Fixed in 7.006


ID06316 7.004 File synchronization fails if HA/Cluster password has
special characters
-------------------------------------------------------------------------
--------------
Description: When using some special characters in the HA/Cluster
secret,
               the file syncronization between Master and other Cluster
               nodes will not work. In this case also console
               (loginuser/root) passwords will not be set correctly on the
               slave nodes.
Workaround:    Change HA/Cluster password.
Fix:           Fixed in 7.005


ID06285 7.003 HA file synchronization may sync in wrong direction
------------------------------------------------------------------
Description: In some cases the High Availability slave may also sync
data
              to the master. This can lead to wrong ssh keys or
              loginuser/root passwords, i.e.
Workaround:   ---
Fix:          Fixed in 7.005


ID06225 7.003 Problems syncing databases in HA/Cluster environments
--------------------------------------------------------------------
Description: Astaro uses MySQL and Sqlite databases for information
              handling. In some cases (takeover, crash, powerloss, ..)
              these databases may get corrupted and syncing will no
longer
              work correctly. This may affect single Cluster nodes or the
              complete system.
Workaround:   Call Support.
Fix:          Fixed in 7.010


ID06215 7.003 HA System reports "Error while scanning a message in
database"
-------------------------------------------------------------------------
----
Description:   On some HA systems the Email subsystem may report an error
               while scanning as stated above. This is up to a problem in
               the MySQL backend.
Workaround:    ---
Fix:           Fixed in 7.004


ID06031 7.002 HTTP traffic in cluster may not be distributed to worker
-----------------------------------------------------------------------
Description: After changing the port of the HTTP Proxy to another port
              than 8080, the distribution of the HTTP traffic to cluster
              nodes (slave/worker) will not work
Workaround:   --- (Change back port to 8080 if possible)
Fix:          Fixed in 7.008


ID05959 7.002 Time not synced via NTP in automatic HA mode
-----------------------------------------------------------
Description: When using HA in automatic mode the external NTP server is
              not used at all.
Workaround:   ---
Fix:          Fixed in 7.004


ID05845 7.001 Active directory authentication does not work on cluster
-----------------------------------------------------------------------
Description: When using HTTP Proxy in Cluster mode, the Active Directory
              authentication will not work correctly.
Workaround:   ---
Fix:          Fixed in 7.004


ID05613 7.000 Cluster not able to handle IPSec NAT packets
-----------------------------------------------------------
Description: An Astaro Security Gateway cluster is not able to handle
              IPSec NAT packets.
Workaround:   Will be fixed in the next kernel release.
Fix:          Fixed in 7.003


ID05564 7.000 NTP synchronisation does not work on slave nodes
---------------------------------------------------------------
Description: Cluster nodes will not sync time via NTP from the master.
Workaround:   ---
Fix:          Fixed in 7.001



Closed Issues - Intrusion Protection
=======================================


ID08323 7.200 Using predefined QoS traffic selectors for IM/P2P may cause
problems
-------------------------------------------------------------------------
----------
Description: In some cases the predefinded QoS traffic selectors for
              IM/P2P services are not working correctly and cause
              Middleware to stop working.
Workaround:   ---
Fix:          Fixed in 7.201


ID08305 7.200 No option to enter Controlled Networks for IM/P2P
----------------------------------------------------------------
Description: In WebAdmin IM/P2P->Settings->Global the drag'n'dropbox for
              Contolled Networks may be missing in some cases. This
mainly
              affects configurations coming from V6 via Backup converter.
Workaround:   ---
Fix:          Fixed in 7.201


ID06952 7.009 IPS not working correctly on ASG Cluster in bridge mode
----------------------------------------------------------------------
Description: IPS traffic is not correctly distributed to Active-Active
              Cluster nodes for bridge interfaces.
Workaround:   ---
Fix:          Fixed in 7.200


ID06530 7.005 IM/P2P: Winny blocking not working
-------------------------------------------------
Description: The detection/blocking of the P2P client Winny is not
              working currently.
Workaround:   ---
Fix:          Fixed in 7.200


ID06396 7.004 IPS hardware accelerated scanning terminates connections
-----------------------------------------------------------------------
Description: The hardware scanner is part of the ASG 425/525 models and
              accelerates various IPS and AV functions. In some cases the
              IPS daemon causes session disconnects of end users when the
              hardware scanner is running. This also might affect SSH
              sessions.
Workaround:   ---
Fix:          Fixed in 7.200


ID05747 7.001 Intrusion Protection counter in dashboard incorrect
------------------------------------------------------------------
Description: The Intrusion Protection counter in the dashboard may show
a
              larger number for the active rules than for the available
              rules. This is up to a problem counting the available rules
              and all its dependencies.
Workaround:   ---
Fix:          Fixed in 7.008



Closed Issues - Logging/Reporting
====================================


ID14654 7.506 Executive Report is empty
----------------------------------------
Description: Executive Reports created on our point products (Astaro
Mail
              Gateway and Astaro Web Gateway) are not created properly.
              You will get a empty email.
Workaround:   ---
Fix:          Fixed in 7.508


ID10409 7.402 Web Security reports not visible for auditors
------------------------------------------------------------
Description: Currently auditor users only get a blank page when trying
to
              access the WebSecurity reports in WebAdmin.
Workaround:   ---
Fix:          Fixed in 7.403


ID10139 7.400 Unable to download, clear, or delete log files
--------------------------------------------------------------
Description: Downloading or manipulating logfiles via WebAdmin does not
              work. This affects all types of actions in all browser
              variants.
Workaround:   ---
Fix:          Fixed in 7.403


ID10087 7.400 Historical WebSecurity usage data not shown
----------------------------------------------------------
Description: Installations updating to 7.400 will not be able to view
              historical WebSecurity usage. Data and reports are not lost
              and will be reenabled in an upcoming Up2Date.
Workaround:   ---
Fix:          Fixed in 7.401


ID09220 7.302 Email Usage and Email filtering not showing any values
---------------------------------------------------------------------
Description: The Daily Executive Report as well as the Email Reports in
              WebAdmin may not show values for Email Usage and Email
              Filtering. This is up to a mismatch in pattern file in the
              backend.
Workaround:   If possible, enable IPS and run a Pattern Up2Date.
Fix:          Fixed in 7.303
ID08035 7.104 Estimation of log partition fillup can be negative
-----------------------------------------------------------------
Description: In case the system is running on disks larger than 250 GB,
              the estimated log partition fillup rate can be negative.
Workaround:   --- (don't worry, this partition won't fillup that fast)
Fix:          Fixed in 7.200


ID07155 7.100 Network Usage may contain values larger than 100%
----------------------------------------------------------------
Description: The Network Usage statistics in WebAdmin and in the
              Executive Report may contain wrong values (larger than 100%
              or negative values) when files larger than 4GB are passing
              the system.
Workaround:   ---
Fix:          ---


ID06853 7.007 Reporting may stop working because of backend problem
--------------------------------------------------------------------
Description: In some cases a misformed logline in the backend may cause
              the reporting functions in WebAdmin to stop working. This
              may affect all types of reporting.
Workaround:   ---
Fix:          Fixed in 7.011


ID06715 7.006 Remote Syslog logs without facility and priority
---------------------------------------------------------------
Description: When sending logs from an ASG to a remote Syslog server,
ASG
              V7 does not send over the facility or selector in the logs
              like in V5 or V6.
Workaround:   ---
Fix:          Fixed in 7.008


ID06662 7.006 WebSecurity Reporting shows wrong numbers
--------------------------------------------------------
Description: Most reports from the WebSecurity system will show wrong
              numbers since many entries will be counted multiple times.
              This affects the Reporting section in WebAdmin as well as
              the Executive Report.
Workaround:   ---
Fix:          Fixed in 7.007


ID06639 7.006 Timezone glitch in WebSecurity Reporting
-------------------------------------------------------
Description: Having a timezone outside GMT WebSecurity Reporting will
not
              work correctly. If the system time moves over to a new
local
              day, HTTP reports for today won't show anything since the
              day only changed in the local timezone, but not yet in GMT.
Workaround:   ---
Fix:          Fixed in 7.008


ID06526 7.005 Accounting rotation process leads to slow system
---------------------------------------------------------------
Description: The accounting process, responsible for the various
              bandwidth and traffic statistics present on ASG, needs to
be
              archived, purged, and reset each night for a fresh workday.
              Customers in large installations that use the Astaro
              normally during the maintenance period will experience
              slowdowns. Possible solutions are being considered.
Workaround:   ---
Fix:          Fixed in 7.300


ID06525 7.005 Corrupt databases in HA/Cluster environment
----------------------------------------------------------
Description: In some HA/Cluster environments the databases may get
              corrupt while syncing with the slave. In this case,
              reporting will stop working properly.
Workaround:   ---
Fix:          Fixed in 7.010


ID06516 7.005 Large accounting database causes long processing times
---------------------------------------------------------------------
Description: This issue is regarding a lot of accounting data that must
              be tracked, then reported on. If the data that is stored in
              the accounting database gets too large too quickly, it can
              overwhelm the reporting scripts and rotation processess.
              Alternate methods of parsing and rotating are being
              investigated.
Workaround:   ---
Fix:          Fixed in 7.300


ID06421 7.004 HTTP Proxy does not log complete URL
---------------------------------------------------
Description: The HTTP Proxy does currently not log the full URL (e.g.
the
              query part) for users surfing via the proxy.
Workaround:   ---
Fix:          Fixed in 7.008


ID06265 7.003 Portscan detection and logging consumes too much CPU
resources
-------------------------------------------------------------------------
----
Description: When running a portscan against an ASG device lots of
              loglines are generated and processed. In this case the
              reporting subsystem may not be able to process all
logoutput
              from portscan detection in time. As a result the reporting
              subsystem will start allocating system resources (CPU and
              RAM) and may also lead to a Denial of Service. This also
              applies to logged packetfilter violations, i.e. when client
              generates lots of traffic which is blocked and logged on
              ASG.
Workaround:   Try to disable logging for packetfilter rules generating
              much logoutput and disable Portscan detection.
Fix:          Fixed in 7.008


ID06008 7.003 HTTP Proxy logging concerning file extension blocking is
incomplete
-------------------------------------------------------------------------
---------
Description: HTTP proxy log for blocked file extensions does not show
              file name and extension.
Workaround:   ---
Fix:          Fixed in 7.003


ID05947 7.002 Executive report shows blank blocked categories
--------------------------------------------------------------
Description: In the web reporting section some of the categories appear
              blank although there have been some blocked pages.
Workaround:   ---
Fix:          Fixed in 7.004


ID05781 7.001 Strange POP3 error messages
------------------------------------------
Description: The log file concerning POP3 shows confusing error messages
              that are of no relevance.
Workaround:   ---
Fix:          Fixed in 7.003


ID05694 7.001 Executive Reporting showing more than 5 entries in TOP5
lists
-------------------------------------------------------------------------
---
Description: Certain lists in the executive report show more than five
              items even though only the top5 entries should be
displayed.
Workaround:   ---
Fix:          Fixed in 7.002


ID05685 7.001 Traffic graphs still appear in reporting after deleting
interfaces
-------------------------------------------------------------------------
--------
Description: After deleting an interface the corresponding traffic
graphs
              in the reporting section should be remove one week later.
              This does not work correctly.
Workaround:   ---
Fix:          Fixed in 7.004


ID05657 7.001 Interface Name in reporting graphs is 'Unknown' for PPP-
Interfaces
-------------------------------------------------------------------------
--------
Description: PPP-interfaces are shown as 'Unknown' in reporting graphs.
Workaround:   ---
Fix:          Fixed in 7.002


ID05602 7.001 Logmask of HTTP proxy cannot be changed
------------------------------------------------------
Description: The log level of the HTTP proxy is always set to 'debug'.
              Other available log levels cannot be selected.
Workaround:   ---
Fix:          Fixed in 7.003


ID05540 7.000 Awkward Real Names in From and To fields in POP3 Log
--------------------------------------------------------------------
Description: E-mail addresses with special character encodings or
              non-Latin1 characters contained in the real name are not
              shown correctly in WebAdmin reporting pages.
Workaround:   ---
Fix:          Fixed in 7.001


ID05535 Font rendering of Executive Report in Outlook 2007 faulty
-------------------------------------------------------------------
Description: Microsofts Outlook 2007 does not support all of the style
              elements used in the Executive Report. Thus some fonts may
              not be displayed correctly.
Workaround:   ---
Fix:          Fixed in 7.004



Closed Issues - Management
=============================


ID09249 7.302 External SMTP server for notifications not used after a
reboot
-------------------------------------------------------------------------
----
Description:   In some cases the external SMTP server for notifications is
               not used after rebooting the system.
Workaround:    ---
Fix:           Fixed in 7.400


ID08930 7.300 User data can not be changed
-------------------------------------------
Description: In some cases when upgrading from 7.2 user data can not be
              changed e.g. when setting preferences for Email Encryption.
              This is up to a missing real name in the user settings
page.
Workaround:   Go to Definition->Users, edit the user and set a real name.
Fix:          Fixed in 7.302


ID08899 7.300 Data partition filling up on small systems
---------------------------------------------------------
Description: On small systems and also on systems having lots of
              reporting data, the 'Storage-Partition' may fill up too
              fast. This is due to conversion of reporting data to a
              faster and more flexible model.
Workaround:   ---
Fix:          Fixed in 7.301


ID08850 7.300 IP counting for licensing adds external hosts
------------------------------------------------------------
Description: In some cases the license IP counter detects and adds also
              external IPs to the internal pool. This may happen on alias
              interfaces using a hostmask (/32) as netmask.
Workaround:   ---
Fix:          Fixed in 7.301


ID08385 7.200 Middleware may stop working after factory reset
--------------------------------------------------------------
Description: In some cases the Middleware may stop working when a
factory
              reset has been done in version 7.10x or 7.200 and when you
              are using the HTTP Proxy or HA/Clustering features after
the
              factory reset.
Workaround:   ---
Fix:          Fixed in 7.201


ID08369 7.200 Licenses can not be installed on Virtual AWG Appliance
---------------------------------------------------------------------
Description: In many virtual environments there are problems importing a
              valid license for AWG Virtual Appliance.
Workaround:   In case updating works, please try to apply System Up2Date
              7.201 and try again, in case updating is not an option,
              please backup your configuration and restore it in a 7.201
              Virtual Appliance.
Fix:          Fixed in 7.201


ID08317 7.104 USV support is not working properly
--------------------------------------------------
Description: When connecting a UPS the device might not get detected
              properly. In some cases no progressbar is shown and in many
              cases the UPS icon is not shown at all in the dashboard. In
              those cases, there will also be no notifications and not
              shutdown action in case of a power outage.
Workaround:   ---
Fix:          Fixed in 7.400


ID08073 7.180 Blank password allowed for encrypted backups
------------------------------------------------------------
Description: When enabling encrypted backups it is possible to supply a
              blank password. Backups encrypted this way can not be
              restored. A check is needed to make sure a valid password
is
              supplied.
Workaround:   Make sure you've set a valid password (also try importing
              one of the encrypted backups)
Fix:          Fixed in 7.300


ID08005 7.104 Webadmin/End-User Portal hangs when backend user logs in
-----------------------------------------------------------------------
Description: When a backend user having two identical mail addresses in
              the backend service (e.g. Active Directory primary and
              secondary mail address) logs into End-User Portal, ASG
              strips away the duplicate email and restarts a service
which
              causes the Portal/WebAdmin to hang.
Workaround:   ---
Fix:          Fixed in 7.200


ID08001 7.104 Daylight Saving Time (DST) not updating properly
---------------------------------------------------------------
Description: Some countries had changes to their Daylight Saving Times
              which are not reflected by ASG currently. Thus, the
              summer-/wintertime starts at a wrong date. Known countries
              are Canada, Venezuela, New Zealand, ..
Workaround:   ---
Fix:          Fixed in 7.200


ID07939 7.102 Hostname for End User Portal no longer acceps IPs
----------------------------------------------------------------
Description: The hostname box in Management->End User Portal->Advanced
              does only accept hostnames. In some cases there is a need
              for putting IP addresses in there.
Workaround:   ---
Fix:          Fixed in 7.200


ID07920 7.104 Problem with usernames containing spaces
-------------------------------------------------------
Description: Users having usernames with space character can not
download
              configuration files for SSL VPN from End-User Portal. As
              error there is only a popup reading "UNKNOWN". This mainly
              comes from Active Directory users having different names
              (with and without space) in their attributes (CN and
              sAMAccountName).
Workaround:   ---
Fix:          Fixed in 7.200


ID07866 7.102 Up2Date package verification fails after factory reset
---------------------------------------------------------------------
Description: After executing factory reset the system and pattern
Up2Date
              packages can not be verified. An 'Error in GPG verification
              (return code: 512)' is shown in the logfile.
Workaround:   Contact support.
Fix:          Fixed in 7.104


ID07823 7.102 Active Directoy dot-notation not working
-------------------------------------------------------
Description: Users having different values in Active directory
attributes
              'CN' and 'sAMAccountName' will have problems authenticating
              agains ASG.
Workaround:   ---
Fix:          Fixed in 7.200


ID07443 7.100 Customization Texts for HTTP Proxy not working
-------------------------------------------------------------
Description: The customizable texts for HTTP Proxy (i.e. download
              manager) entered via WebAdmin will be ignored and default
              texts will be used.
Workaround:   ---
Fix:          Fixed in 7.101


ID07442 7.100 High system load after remote access login
---------------------------------------------------------
Description: For systems with lots of remote access users the system
load
              will increase when users connect/disconnect to ASG. This is
              due to a backend service using CPU resources for user and
              system management.
Workaround:   ---
Fix:          Fixed in 7.101


ID07314 7.100 Bridge can not be disabled after importing a backup
------------------------------------------------------------------
Description: In some cases it is not possible to disable a bridge
              interface after importing a backup.
Workaround:   Change the hardware of one of the bridge interfaces (e.g.
              from eth2 to eth3) and retry disabling the bridge.
Fix:          Fixed in 7.102


ID07097 7.011 Nics listed twice in WebAdmin overview
-----------------------------------------------------
Description: In some cases after importing a V6 backup the interfaces in
              WebAdmin Network->Interfaces->Hardware will get listed
              twice.
Workaround:   ---
Fix:          Fixed in 7.102


ID07014 7.011 eDirectory authentication does not work if BaseDN is empty
-------------------------------------------------------------------------
Description: When using eDirectory authentication and leaving the BaseDN
              empty the ASG will try to search the eDirectory without
Base
              DN for a matching user. This will not work in all cases.
Workaround:   Set BaseDN for eDirectory authentication.
Fix:          Fixed in 7.100


ID07001 7.010 eDirectory authentication in standard mode not working
---------------------------------------------------------------------
Description: In certain cases non-eDirectory-SSO (Single Sign On)
              authentication will not work.
Workaround:   ---
Fix:          Fixed in 7.011


ID06869 7.008 Up2date package upload via WebAdmin not possible
---------------------------------------------------------------
Description: The Upload of Up2Date packages is not working correctly in
              version 7.008. When trying to upload a valid Up2Date
package
              an error 'File extension not allowed' may show up.
Workaround:   Please contact support.
Fix:          Fixed in 7.009


ID06855 7.007 Problem in Authentication service under high load
----------------------------------------------------------------
Description: In high load scenarios (e.g. with many concurrent users
              logging on/off) the authentication service may run in to
              problems and mix up requests internally. This will mainly
              lead to a non-working authentication service.
Workaround:   ---
Fix:          Fixed in 7.010


ID06740 7.007 Authentication of new users may fail
---------------------------------------------------
Description: When adding a new user and allowing access to i.e. SSL VPN,
               the user may not be able to authenticate. The
authentication
               backend may not be informed correctly about the new user.
Workaround:    Try disabling/enabling the feature, otherwise reboot.
Fix:           Fixed in 7.008


ID06713 7.006 Changes to backend query order do not take effect
----------------------------------------------------------------
Description: If you try to change the backend query order in
              Users->Authentication->Advanced by moving for example
Radius
              to the top of the list the position changes correctly.
After
              clicking apply it says changes saved, but when coming back
              to the menu the list is back to the original order.
Workaround:   ---
Fix:          Fixed in 7.008


ID06701 7.006 Possible problem when syncing eDirectory users
-------------------------------------------------------------
Description: The error handling for syncing eDirectory users can lead to
              unexpected restarts of the authentication subsystem. This
              may be caused by wrong context syntax or LDAP communication
              problems.
Workaround:   ---
Fix:          Fixed in 7.007


ID06628 7.005 Wrong message after too many failed WebAdmin logins
------------------------------------------------------------------
Description: After too many failed WebAdmin logins the popup should tell
              about that. Instead, it only says 'Wrong username or
              password'.
Workaround:   ---
Fix:          Fixed in 7.100


ID06492 7.005 WebAdmin becomes unresponsive after a longer log-in period
-------------------------------------------------------------------------
Description: After working in WebAdmin and not clicking anything for
some
              minutes, the session might be stale or time out.
Workaround:   ---
Fix:          Fixed in 7.100
ID06460 7.005 Authentication daemon restarting in eDirectory environments
-------------------------------------------------------------------------
-
Description: On some lookup errors in eDirectory environments the
              authentication daemon may die. Selfmonitor will restart the
              daemon, but in this timeframe no more authenticaion
requests
              will be processed.
Workaround:   ---
Fix:          Fixed in 7.006


ID06438 7.000 WebAdmin SSO support for ACC not working
-------------------------------------------------------
Description: Using Astaro Command Center (ACC) for accessing WebAdmin
via
              Single Sign On is not working.
Workaround:   ---
Fix:          Fixed in 7.100


ID06391 7.004 User objects fail to be created when user name contains a
numeral
-------------------------------------------------------------------------
--------
Description: Usernames for either local user or backend authentication
              against edirectory/AD will not create a user object
              automatically if a number is used for the username.
Workaround:   ---
Fix:          Fixed in 7.006


ID06203 7.003 Backend sync for users with multiple mail adresses does not
work
-------------------------------------------------------------------------
------
Description: If a user is created in an Active Directory using multiple
              e-mail adresses, the auto-creation function of Astaro
              Security Gateway used for synchronizing users with back end
              authentication servers may not not work correctly.
Workaround:   ---
Fix:          Fixed in 7.005


ID05881 7.002 Dyndns-custom only supports one hostname
-------------------------------------------------------
Description: Users having a dyndns-custom account may want to set their
              hostname to something like
              "www.mydomain.com,mail.mydomain.com,mydomain.com" which is
              not allowed at the moment.
Workaround:   ---
Fix:          Fixed in 7.006
ID05789 7.001 User certificate will not be deleted at all
----------------------------------------------------------
Description: When deleting a local user the corresponding certificate
              will remain on the firewall. This will not allow creating a
              new user with the same username the deleted user had.
Workaround:   ---
Fix:          Fixed in 7.008


ID05788 7.001 eDirectory authentication for several users fails
----------------------------------------------------------------
Description: Due to a limited number of concurrent eDirectory requests
              (especially sub tree searches) eDirectory authentication
may
              fail.
Workaround:   ---
Fix:          Fixed in 7.004


ID05765 7.001 Network groups in DNS allowed networks not allowed
-----------------------------------------------------------------
Description: It is not possible to add network groups to allowed
networks
              for DNS access.
Workaround:   ---
Fix:          Fixed in 7.002


ID05686 7.001 Not possible to set GoogleTalk/Jabber "Block file transfers
only"
-------------------------------------------------------------------------
-------
Description: The ruleset controlling the option "Block file transfers
              only" for instant messaging using Google Talk/Jabber is
              ineffective.
Workaround:   ---
Fix:          Fixed in 7.002


ID05671 7.001 eDirectory does not allow to use eDirectory containers in
backend groups
-------------------------------------------------------------------------
--------------
Description: It is not possible to select an eDirectory container for a
               backend group.
Workaround:    Add all users to a certain eDirectory group.
Fix:           Fixed in 7.004


ID05669 7.001 Global HTTP Settings - Allowed Networks can not be changed
-------------------------------------------------------------------------
Description:   Changing and applying of global HTTP settings may be
broken.
               The settings for 'Allowed Networks' in the HTTP Proxy menu
               cannot be changed. Reloading the page will revert to the
               previous settings, even though the 'successfully applied'
               message is shown after the configuration has been changed.
Workaround:    ---
Fix:           Fixed in 7.002


ID05649 7.001 "Re-generate WebAdmin certificate" may fail
-----------------------------------------------------------
Description: When clicking the "Re-generate WebAdmin certificate" button
              in WebAdmin, there is no check for an existing certificate
              with the same hostname. In this case the certificate
              creation fails without notice.
Workaround:   Change the hostname prior to re-generating the WebAdmin
              certificate.
Fix:          Fixed in 7.002


ID05603 7.000 Changing the name of ContentFilter categories not working
correctly
-------------------------------------------------------------------------
---------
Description: Editing the name of a ContentFilter category is not
              reflected in HTTP Proxy Profiles->Filter Actions.
Workaround:   ---
Fix:          Fixed in 7.002


ID05580 7.000 Up2date Overview page: Unable to complete backend request
------------------------------------------------------------------------
Description: Right after installation you may encouter a blank page when
              trying to access the Up2Date Overview page. When trying to
              switch to other configuration pages you get an error
"Unable
              to complete backend request".
Workaround:   Relogin to WebAdmin. Check KIL ID5592 and wait at about 5
              minutes. Try again.
Fix:          Fixed in 7.001


ID05579 7.000 Release symbol is shown in Quarantine Manager when prefetch
is off
-------------------------------------------------------------------------
--------
Description: The release icon for releasing emails in Quarantine Manager
              is always shown for POP3 emails. Releasing POP3 emails is
              only possible if Prefetching is enabled, thus it will not
              work if Prefetch is turned off.
Workaround:   Enable Prefetch to use this feature.
Fix:          Fixed in 7.001
ID05576 7.000 Blank HTTP Profiles/Proxy Profiles page after deleting
objects
-------------------------------------------------------------------------
----
Description: After deleting Contentfilter Actions used in Contentfilter
              Profiles, the Proxy Profiles page may stay empty (grey).
Workaround:   ---
Fix:          Fixed in 7.001


ID05569 7.000 Error while trying to update group membership
------------------------------------------------------------
Description: While being logged in to WebAdmin via a backend
              authentication mechanism, you will not be able to update
              e.g. WebAdmin Access Control lists.
Workaround:   Try using the local authentication to edit the respective
              access controls.
Fix:          Fixed in 7.001


ID05422 7.000 Changing eDir SSL settings breaks eDir Browser for current
session
-------------------------------------------------------------------------
--------
Description: If your change SSL settings for eDir, the eDir Browser does
              not work. Also the current webadmin session breaks at the
              moment you try to open eDir Browser. Then you have to
              relogin to webadmin. After the relogin the eDir Browser
              works fine. If you enable/disable SSL for eDir again, the
              eDir Browser does not work again until you relogin to
              webadmin.
Workaround:   ---
Fix:          Fixed in 7.300



Closed Issues - Network Security
===================================


ID12338 7.502 Snort SID link in IPS notifications is invalid
-------------------------------------------------------------
Description: As there has been a change in the backend of the snort
              system, the links within the IPS notification are broken.
Workaround:   ---
Fix:          Fixed in 7.504


ID11621 7.501 Paketfilter is dropping own DNS replies
------------------------------------------------------
Description: The handling of non-resolvable dns-queries cause a default
              packetfilter drop.
              If a request could not be resolved, a not resolvable
              message
              will be transmitted after 30 seconds. The
              ip_conntrack_udp_timeout
              is 30 seconds, so the answer packet will be dropped.
Workaround:   ---
Fix:          Fixed in 7.505


ID10028 7.400 Service-only NAT rules cause backend problems
------------------------------------------------------------
Description: Using NAT rules (DNAT or SNAT) and leaving the
'Destination'
              field blank will cause a crash in the backend. This leads
to
              a mainly unusable system as the backend service will get
              restarted permanently.
Workaround:   Enter a destination for the NAT rule, if
              possible.
              Alternatively, for maximum safety, disable the affected NAT
              rules before installing the 7.400 Up2date and re-enable
them
              after installing the 7.401 Up2date. If both Up2date
              packages are installed at the same time, no special action
              is required.
Fix:          Fixed in 7.401


ID10024 7.400 Using Service groups for NAT can cause backend problems
----------------------------------------------------------------------
Description: Using service groups for NAT (DNAT/Full NAT) rules can
cause
              backend problems when a group should be mapped to a single
              port. In such cases, the backend will crash while being
              restarted by selfmonitoring permanently.
Workaround:   ---
Fix:          Fixed in 7.401


ID08109 7.104 Packetfilter may drop locally generated packets
--------------------------------------------------------------
Description: In some cases packetfilter may drop locally generated
              packets like outgoing requests for DNS, VPN, Email or NTP.
              This will not apply to all packets of a connection, but
just
              to some of them.
Workaround:   Reboot the system.
Fix:          Fixed in 7.200


ID07479 7.100 SNAT rule for network groups not set
---------------------------------------------------
Description: For network definitions it is now possible to bind them to
a
              specific interface. Adding such a bound network to a group
              and the using this group in a SNAT rule will not work. The
              rules will not be set in the backend.
Workaround:   Try using the definition without the group.
Fix:          Fixed in 7.101


ID06478 7.005 Packetfilter rules not set correctly when using additional
addresses
-------------------------------------------------------------------------
----------
Description: When a packetfilter rule is configured whose
              sourec/destination is an addiontal interface address, a
              filter rule is added to USR_FORWARD chain, not
              USR_OUTPUT/INPUT chain. Also Auto packet filter for IPsec
              connections whose local network is attitional interface
does
              not create OUTPUT/INPUT chain.
Workaround:   ---
Fix:          Fixed in 7.006


ID05986 7.002 Enduser Portal and SSL VPN not reachable via DNAT
----------------------------------------------------------------
Description: It is not possible to use DNAT for Enduser Portal or SSL
VPN
              on an upstream router. This is because of the local IP
              address used in the redirection response from the HTTP
              Proxy.
Workaround:   ---
Fix:          Fixed in 7.300


ID05728 7.001 Problems with Full-NAT handling
----------------------------------------------
Description: SNAT and DNAT rules are applied independently from one
              another, thus making it impossible to associate both within
              a full-NAT rule. In order to fix this issue, SNAT rules
must
              be extended by a connection tracking parameter allowing to
              associate an SNAT rule with a corresponding DNAT rule.
Workaround:   ---
Fix:          Fixed in 7.003



Closed Issues - Networking
=============================


ID13126 7.504 Link status of LAG interfaces is misleading
----------------------------------------------------------
Description: It might happen for LAG interfaces that the link status is
              shown as up although all cables of participating NICs are
              unplugged. This will lead to wrong status information
within
              i.e. the dashboard.
Workaround:   ---
Fix:          Fixed in 7.508


ID11259 7.405 IP counting in bridge configuration not working in all
cases
-------------------------------------------------------------------------
--
Description: In some cases when using a bridge configuration, the IP
              counting is not working correctly. This mainly happens when
              having only a bridge interface.
Workaround:   ---
Fix:          Fixed in 7.501


ID10607 7.400 Problems reconnecting to DSL via PPPoE
-----------------------------------------------------
Description: Some DSL modems seem to announce availability of the access
              concentrator on the remote side without actually having a
              connection. This can cause the backend system being stuck
              while trying to establish a connection to the access
              concentrator.
Workaround:   Either try disabling and renabling the PPPoE interface or
              reboot the system.
Fix:          Fixed in 7.404


ID10588 7.403 Problems connecting via DHCP / Cable modem
---------------------------------------------------------
Description: When the default gateway is assigned to a cable DHCP
              interface, the backend may fail to bring up the connection
              correctly.
Workaround:   Reboot the system gracefully worked in most cases.
Fix:          Fixed in 7.404


ID10423 7.402 Using proxy arp may cause loss of WebAdmin connectivity
----------------------------------------------------------------------
Description: After installing a backup of an older version with proxy
arp
              feature enabled, the respective interface might not come up
              correctly and WebAdmin access might no longer work. This
              effect can also show up after rebooting the system.
Workaround:   ---
Fix:          Fixed in 7.403


ID10284 7.401 Uplink interface not showing up sometimes
--------------------------------------------------------
Description: In some cases the Uplink interface will not show up in the
              interface selection list. This is an error when unhiding
the
              respective object.
Workaround:   Disable and reenable Uplink Balancing in WebAdmin. The
              Uplink interface should appear in the interfaces selection
              list.
Fix:          Fixed in 7.403


ID10200 7.400 Problem with auto packetfilter rules for outgoing traffic
------------------------------------------------------------------------
Description: Using uplink failover before upgrading to version 7.400 can
              lead to a faulty conversion of check hosts for 7.400 which
              will cause some automatic packetfilter rules for outgoing
              traffic to not be activated at all. This may affect various
              places of the system using these rules for communication to
              outside services.
Workaround:   ---
Fix:          Fixed in 7.402


ID10195 7.401 Same domain name in request routing and static entries
prevents named from starting
-------------------------------------------------------------------------
-------------------------
Description: Using the same domain for both "Request Routing" and
"Static
              Entries" prevents the named service from starting.
Workaround:   Please delete one of this two entries with the same domain
              name.
Fix:          Fixed in 7.500


ID10158 7.401 Multipath persistence by connection not working properly
-----------------------------------------------------------------------
Description: In case two multipath rules match a certain traffic flow
and
              the first rule is nonpersist, the last one wins.
Workaround:   ---
Fix:          Fixed in 7.402


ID10108 7.400 ASG 525-F eth8 and eth9 may loose link
-----------------------------------------------------
Description: After upgrading to 7.400 on some ASG525-F machines the
fibre
              NICS eth8 and eth9 may loose link and not transfer any
data.
              This only affects fibre NICS. ASG525 models with copper-
only
              NICs are not affected.
Workaround:   Switch to another free NIC if possible. Change hardware for
              this interface in WebAdmin after recabling.
Fix:          Fixed in 7.402
ID09207 7.200 OSPF debug output in WebAdmin is empty
-----------------------------------------------------
Description: When trying to gather debug information about OSPF, all the
              windows may stay empty.
Workaround:   ---
Fix:          Fixed in 7.303


ID08948 7.300 Problem with masquerading rules after uplink failover
--------------------------------------------------------------------
Description: Masquerading rules will not be set correctly after
switching
              back to the primary uplink failover interface.
Workaround:   ---
Fix:          Fixed in 7.303


ID08503 7.103 VLAN sometimes fails on bonding device
-----------------------------------------------------
Description: In some cases there might be a problem creating a vlan
              interface on a link aggregation group.
Workaround:   ---
Fix:          Fixed in 7.300


ID08384 7.200 Kernel reports 'Detected Tx Unit Hang' on e1000 hardware
-----------------------------------------------------------------------
Description: For some e1000 hardware a there might appear messages like
              the one listed above in the kernel log. This may also show
              up if e.g. eth0 is connected to a 1000MBit/s switchport
              while eth1 is connected to 100MBit/s only.
Workaround:   If this message appears for just one interface, please make
              sure that this NIC is also connected to a 1000 MBit/s
              switchport.
Fix:          Fixed in 7.300


ID08254 7.104 Using service 'Any' as traffic service breaks DNAT and SNAT
rules
-------------------------------------------------------------------------
-------
Description: Adding DNAT/SNAT rules with service 'Any' will not work.
              When updating to 7.300 these rules will get disabled
              automatically.
Workaround:   Please use one of the predefined service definitions or add
              a new one matching your target service.
Fix:          Fixed in 7.300


ID07950 7.104 Changing link speed/mode does not take effect in bridge
mode
-------------------------------------------------------------------------
--
Description: It is currently not possible to successfully change
              autonegotiation for a bridge interface.
Workaround:   ---
Fix:          Fixed in 7.200


ID07927 7.201 OSPF not working correctly in HA/Cluster environment
-------------------------------------------------------------------
Description: The dynamic routing protocol OSPF does not work correctly
on
              HA/Cluster system because of all nodes answering OSPF
              broadcasts. This will mess up routing tables.
Workaround:   ---
Fix:          Fixed in 7.200


ID07641 7.101 NIC autonegotiation not working in all cases
-----------------------------------------------------------
Description: There are some reports, that autonegotiation for does not
              work on some systems, especially when connecting to DSL
              modems or routers. In most cases there are Intel NICs
              involved (e100/e1000).
Workaround:   Try setting NIC speed in WebAdmin directly
              (Network->Interface->Hardware) or add a small switch in
              between. If problem persists, please contact support with
              detailed hardware data.
Fix:          Fixed in 7.501


ID07005 7.011 Middleware may mix up static DHCP mappings
----------------------------------------------------------
Description: Running DHCP server on more than on (e.g. two, eth0 and
              eth1) interfaces may cause problems when the IP of a static
              mapping from eth0's pool is changed to eth1's pool.
Workaround:   Delete the mapping and create a new one.
Fix:          Fixed in 7.300


ID06821 7.007 Combining DNAT and policy routing may not work in all cases
-------------------------------------------------------------------------
-
Description: If a DNAT rule is created combinded with a policy route
that
              uses the translated destination address as the desination
              match of the policy route, than it does not work.
Workaround:   ---
Fix:          Fixed in 7.200


ID06763 7.007 Problems with IPSec and DNAT on bridge interfaces
----------------------------------------------------------------
Description: When trying to use IPSec and DNAT on a bridge interface the
              IPSec packets will not get handled correctly. This means
              there is no option to configure an IPSec tunnel.
Workaround:   ---
Fix:          Fixed in 7.100


ID06732 7.007 Can not change PPPoE Daily Reconnect Time to 'never'
-------------------------------------------------------------------
Description: When editing a PPPoE connection and setting the Daily
              Reconnet Time to 'never' the setting will not be saved
              correctly.
Workaround:   ---
Fix:          Fixed in 7.008


ID06692 7.006 Interface used in Dyndns settings can not be removed
-------------------------------------------------------------------
Description: Once configured, the interface used for Dyndns can not be
              removed anymore.
Workaround:   ---
Fix:          Fixed in 7.008


ID06620 7.006 QoS rules are not applied to backup interface when using
UFO
-------------------------------------------------------------------------
--
Description: When using Uplink failover (UFO) and QoS on the primary
              interface the QoS settings will not be applied to the
backup
              interface in a failover case.
Workaround:   ---
Fix:          Fixed in 7.400


ID06339 7.004 SSL VPN route will be deleted after enabling a static route
-------------------------------------------------------------------------
-
Description: When using SSL VPN the route to an active client will be
              deleted when enabling a static route in WebAdmin.
Workaround:   Reestablish the tunnel.
Fix:          Fixed in 7.005


ID06106 7.003 Changing type of an interface will delete corresponding
NAT/Masq rules
-------------------------------------------------------------------------
------------
Description: When changing the type of an interface all NAT/Masq rules
               bound to that interface will be deleted.
Workaround:    Create them again.
Fix:           Fixed in 7.100
ID05756 7.001 DHCP server may serve wrong IPs on VLANs
-------------------------------------------------------
Description: When using multiple DHCP server instances on different
VLANs
              it will serve IPs from the highest range first. These IPs
              will most probably not work for the other subnets.
Workaround:   ---
Fix:          Fixed in 7.004


ID05607 7.001 Link Aggregation on PCI-E interfaces at ASG425
-------------------------------------------------------------
Description: Using Link Aggregation on the PCI-Express interfaces of an
              ASG 425 works, but does not increase the bandwidth.
Workaround:   ---
Fix:          ---


ID05555 7.000 No DynDNS update on UFO Uplink interface
-------------------------------------------------------
Description: In case of an Uplink failover the DynDNS information may
not
              be updated correctly.
Workaround:   ---
Fix:          ---


ID05495 7.000 Link Aggregation on 425 does not work correctly
--------------------------------------------------------------
Description: With ASG 425 units, Link Aggregation to be configured on
the
              Network >> Interfaces >> Link Aggregation tab in WebAdmin
              does not work. Two interfaces of the same group, which are
              connected to two interfaces of the same group on the
switch,
              get different aggregator IDs in the backend. Thus it is not
              possible to ping a Link Aggregation Group (LAG) interface
on
              ASG 425.
Workaround:   ---
Fix:          Fixed in 7.001



Closed Issues - VPN
======================


ID14025 7.505 Site-to-Site SSL Server fails to add routes when bounced
quickly
-------------------------------------------------------------------------
------
Description: When reconnecting multiple SSL VPN clients quite quickly, a
              race condition may occur causing the corresponding routes
              not being set correctly in the backend.
Workaround:   ---
Fix:          Fixed in 7.506


ID12539 7.502 Pushed dns server are randomly not used
------------------------------------------------------
Description: Configured SSL-VPN DNS server are sometimes not used during
              an established SSL client connection.
              DNS queries will be sent out on the local standard
              gateway.
              Issue occurred on Windows XP SP3 systems only, so far.
Workaround:   If the issue occurs on the system, please execute the
              following command on your Windows system to flush the DNS
              resolver cache:
              ipconfig /flushdns
Fix:          Fixed in 7.508


ID11780 7.501 IPsec Remote Access not working properly
-------------------------------------------------------
Description: Having lots of connection tracking entries will slow down
              the setup process of IPsec connections, especially when
              using roadwarriors. Depending on the size of the system
used
              this may also lead to non-working IPsec access.
Workaround:   ---
Fix:          Fixed in 7.505


ID11302 7.500 SSL VPN not starting correctly
---------------------------------------------
Description: In some cases the SSL VPN backend will not start up
              correctly. In most of these cases the problem is caused by
              some overlapping pool networks.
Workaround:   Please check where the SSL VPN pool network is used and
make
              sure it is only used for SSL VPN and not overlapping with
              any other pool network. If that does not help, please
              contact support for further assistance.
Fix:          Fixed in 7.501


ID10708 7.403 VPN connections cannot established on iPhone 3.0 using
Cisco VPN client.
-------------------------------------------------------------------------
--------------
Description: VPN connections using Cisco IPSec Client on an IPhone with
               firmware version 3.0 and later cannot be established.
               Certificates are rejected by the client.
               Following errormessage will appear: Could not validate the
               server certificate
Workaround:    ---
Fix:           Fixed in 7.500
ID10633 7.403 Conntrack failed error messages in ipsec.log
-----------------------------------------------------------
Description: In some cases, there are 'conntrack failed with status: 2'
              error messages in the IPsec logfile. In most of the cases,
              this will not have any operational impact.
Workaround:   ---
Fix:          Fixed in 7.404


ID10355 7.402 Problem reinitializing tunnels after HA takeover
---------------------------------------------------------------
Description: Using IPsec VPN in an HA/Cluster environment may cause
              problems when more than one tunnel will be reinitiated
after
              a HA takeover has taken place.
Workaround:   Restart IPsec subsystem, if possible.
Fix:          Fixed in 7.403


ID10233 7.401 Regenerating the Signing CA might cause problems
---------------------------------------------------------------
Description: When regenerating the Signing CA used e.g. for VPN remote
              access, the common name (CN) is missing and thus the
              certificate is not usable. As a result, the CA is not able
              to sign new certificates.
Workaround:   --- (recreate your Signing CA manually after applying the
              Up2Date which holds the fix, please)
Fix:          Fixed in 7.403


ID10147 7.400 IPsec tunnels with remote network 'Any' will not work
--------------------------------------------------------------------
Description: Using the network 'Any' as remote subnet for passing all
              traffic to a VPN concentrator will not work.
Workaround:   ---
Fix:          Fixed in 7.402


ID10023 7.400 SHA256/SHA512 not working for IPsec tunnels
----------------------------------------------------------
Description: Using SHA256/SHA512 as hash algorithm for IPsec tunnels
does
              not work correctly, no matter if used in phase 1 or 2. This
              problem does not affect any predefined IPsec policy. In
case
              you only use predefined policies, IPsec should work as
              expected.
Workaround:   ---
Fix:          Fixed in 7.401


ID09376 7.302 Ipsec VPN tunnel not coming up after takeover
------------------------------------------------------------
Description: After a takeover in an active/passive High-Availability
              environment there might show up a problem when trying to
              reestablish VPN tunnels which will result in actually no
              tunnel will get established.
Workaround:   ---
Fix:          Fixed in 7.402


ID09278 7.302 Klips error when transmitting lots of traffic through IPsec
tunnel
-------------------------------------------------------------------------
--------
Description: On some installations, a klips error showed up when
              transmitting larger amounts of traffic through an IPsec
              tunnel. The problem only shows up sporadically and is not
              bound to certain size limits.
Workaround:   ---
Fix:          Fixed in 7.400


ID08349 7.200 L2TP connection terminates after 60 minutes
----------------------------------------------------------
Description: Most L2TP connections are terminated after 60 minutes by
the
              VPN backend. This mainly happens when some control packets
              are lost between client and server.
Workaround:   ---
Fix:          Fixed in 7.301


ID08313 7.200 SSL VPN not working correctly in all cases
---------------------------------------------------------
Description: Having lots of network definitions in allowed networks for
              SSL VPN may cause problems. The problem depends on the sort
              order of the networks used in the configuration. In case
              networks addresses are sorted descending the service may
not
              start.
Workaround:   Try sorting used networks ascending.
Fix:          Fixed in 7.201


ID08248 7.104 ASC config file doesn't set IKE config mode correctly
--------------------------------------------------------------------
Description: When downloading an ASC configuration via End-User Portal
              with user setting "use static remote access IP" unset, the
              configuration misses an entry which leads to failing
              connections if the remote user is behind a NAT device.
Workaround:   ---
Fix:          Fixed in 7.300


ID07766 7.101 IPSec connection problems in HA/Cluster environments
-------------------------------------------------------------------
Description: IPSec connections may become unusable when a slave node
              tries to contact remote server over the IPSec tunnel. This
              may mess up IPSec SA tables.
Workaround:   ---
Fix:          Fixed in 7.200


ID07631 7.100 Problem showing logged in remote users after HA takeover
-----------------------------------------------------------------------
Description: SSL, L2TP and PPTP remote user are shown as logged in on
the
              remote access status page even if the user is not connected
              when there was a HA takeover.
Workaround:   ---
Fix:          Fixed in 7.500


ID07585 7.100 Problems when SSL VPN user logs in twice
-------------------------------------------------------
Description: When a SSL VPN user logs in twice from different
              workstations, the system is playing ping-pong with both
              accounts causing high load on the ASG.
Workaround:   ---
Fix:          Fixed in 7.200


ID07580 7.101 IPSec error: No space left on device
---------------------------------------------------
Description: In some cases the IPSec backend is not able to establish a
              tunnel and logs out 'No space left on device', although
              there is enough free disk space. This is up to kernel
space.
Workaround:   A reboot fixes this at least temporarily.
Fix:          Fixed in 7.200


ID07555 7.101 Problem with Site-to-Site VPN having a NAT router inbetween
-------------------------------------------------------------------------
-
Description: There is a possible problem when two ASGs are having a
              Site-to-Site VPN tunnel with a router inbetween
              NATting/masquarading the IPSec packets. In this case the
              tunnel might not reestablish correctly once it has been
              down.
Workaround:   Restart tunnel on both ends.
Fix:          Fixed in 7.200


ID07091 7.011 L2TP packets may get lost on bridge interfaces
-------------------------------------------------------------
Description: Using L2TP on a bridge may cause loss of packets when the
              L2TP traffic gets masqueraded on ASG.
Workaround:   ---
Fix:          Fixed in 7.200


ID06920 7.009 SSL VPN renegotiates keys every hour
---------------------------------------------------
Description: The SSL VPN renegotiates its key every hour which may cause
              a prompt for a new password depending which authentication
              type is used.
Workaround:   ---
Fix:          Fixed in 7.010


ID06716 7.006 L2TP over IPsec offers wrong certificate
-------------------------------------------------------
Description: When using L2TP over IPsec a wrong certificate is offered
in
              the Enduser Portal which will disallow the user to
establish
              a valid connection.
Workaround:   ---
Fix:          Fixed in 7.008


ID06649 7.006 ASC may not connect correctly via NAT-Traversal
--------------------------------------------------------------
Description: When a Roadwarrior VPN Client wants to connect to the VPN
              Gateway through a NAT device, the connection cannot be
              established due to an issue with Nat Traversal. The logfile
              indicates this error with the follwing meesages in the
              logfile: INVALID_ID_INFORMATION and INVALID_MESSAGE_ID.
Workaround:   Please define a virtual IP address inside the user
              definition.
Fix:          Fixed in 7.400


ID06493 7.005 IPSec subsystem may crash when connecting to Lancom devices
-------------------------------------------------------------------------
-
Description: Pluto, the engine that controls Astaro VPN tunnels, is
              crashing in certain situations when tunnels are made to
              Lancom VPN gateway products. The problem will show up if
one
              side allows NAT-T (Nat-Traversal) while the other side does
              not.
Workaround:   Disable or enable NAT-T on both endpoints.
Fix:          Fixed in 7.008


ID06483 7.005 PPTP connection may stop passing traffic
-------------------------------------------------------
Description: The PPTP service has problems when reordering incoming
              packets. Once a PPTP connection is established it may get
              interrupted by packets arriving in incorrect order at ASG.
Workaround:   ---
Fix:          Fixed in 7.010


ID06456 7.004 Deleting the default L2TP pool may cause problems
----------------------------------------------------------------
Description: All ASGs come with a default range of IP addresses assigned
              for Roadwarrior access, one each for L2TP, IPSec, SSL VPN
              and PPTP. This bug outlines an issue where the end user
              deletes the pre-assigned definition before activating L2TP,
              then tries to activate it using a new definition which will
              not work because of a logical deadlock.
Workaround:   Try using a backup where the initial definition is still
              present.
Fix:          Fixed in 7.100


ID06439 7.004 SSL-VPN and Windows Vista does not work correctly
----------------------------------------------------------------
Description: SSL VPN in combination with Windows Vista works in general
              but we experienced some scenarios/configurations where it
              does not work properly.
Workaround:   ---
Fix:          Fixed in 7.010


ID06321 7.004 Possible problem when restarting SSL VPN
-------------------------------------------------------
Description: In some cases there is a problem when restarting the SSL
VPN
              service. This also showed up on many installations when
              updating to 7.004.
Workaround:   Reboot the system.
Fix:          Fixed in 7.005


ID06271 7.003 SSL VPN does not start with more than 30 network
definitions
-------------------------------------------------------------------------
--
Description: Running SSL VPN works fine until less than 30 network
              definitions are used. Adding more will cause a failure when
              starting the SSL VPN service.
Workaround:   Either try to aggregate your networks into supernets or use
              'Any' and restrict access via packetfilterrules.
Fix:          Fixed in 7.200


ID06222 7.003 IP rule for IPsec site-to-site remote network missing
--------------------------------------------------------------------
Description: In some cases the ip rule for an IPsec site-to-site remote
              network is missing. In this case, the tunnel will be
              established correctly but not traffic will pass through.
Workaround:   ---
Fix:          Fixed in 7.004
ID06065 7.002 Pluto.pid not deleted after DSL reconnect
--------------------------------------------------------
Description: The IPsec daemons' pidfile will not be deleted after a DSL
              reconnect which may cause the VPN tunnels to stay down.
Workaround:   ---
Fix:          Fixed in 7.003


ID05999 7.002 No IPsec traffic after PPPoE reconnect
-----------------------------------------------------
Description: After PPPoE reconnect the ipsec0 interface may have a
              mac-address of 0-0-0-0-0-0-0-0-0-0-0-0-0 and no more
traffic
              passes the tunnel.
Workaround:   ---
Fix:          Fixed in 7.003


ID05965 7.002 IPSec tunnels over DSL interface missing after reboot
--------------------------------------------------------------------
Description: On installations configured with a PPPoE interface (usually
              found in some types of ADSL Internet connections), a reboot
              of the system may cause the IPSec interface used by the
              Astaro in building VPN tunnels to become ready up before
the
              corresponding DSL interface has been initialized. In this
              case no tunnel will be established.
Workaround:   Reboot the machine again or try disabling/enabling all
              tunnels if possible.
Fix:          Fixed in 7.008


ID05920 7.002 IPSec status view shows wrong status
---------------------------------------------------
Description: Under certain circumstances the IPSec status is wrong. This
              may occur, for example, if the VPN ID is a distinguished
              name.
Workaround:   ---
Fix:          Fixed in 7.003


ID05904 7.002 ASC config download for multiple local networks
--------------------------------------------------------------
Description: When building a Roadwarrior IPSec VPN, a local network for
              permissions must be defined. If multiple definitions are
              added to the local networks box, the ASC config will have
              errors and the download will not work.
Workaround:   Review IPSec settings and use only one local network if
              possible.
Fix:          Fixed in 7.008
ID05895 7.002 SSL VPN does not check user certificate
------------------------------------------------------
Description: Once a user successfully authenticated via SSL VPN and his
              certificate, username and password another user may get
              access just by providing a valid username and password.
              Certificate is not being rechecked for next user.
Workaround:   ---
Fix:          Fixed in 7.004


ID05790 7.001 SSL client package should install Windows service
----------------------------------------------------------------
Description: In order to be able to automatically start tunnels during
              system startup, the OpenVPN service should be added to the
              SSL client installation package.
Workaround:   ---
Fix:          Fixed in 7.004


ID05786 7.001 SHA-2 with 512 bit not compatible with NCP/ASC IPSec client
-------------------------------------------------------------------------
-
Description: The IPsec backend of ASG uses a wrong blocksize in the SHA-
2
              algorithm if 512 bit key length is selected. This leads to
              the problem that the ISAKMP SA can not be established with
              SHA2-512 if an NCP client (ASC version 9) is used.
Workaround:   Use SHA 256 bit.
Fix:          Fixed in 7.008


ID05711 7.001 IPSec tunnels may not come up after DPD event
------------------------------------------------------------
Description: Dead Peer Detection (DPD) helps recovering lost IPSec
              tunnels if the remote gateway has been down. In some cases
              tunnels (also multiple tunnels to an endpoint) may not come
              up after a DPD event and need a manual trigger.
Workaround:   Disable and reenable the connection in WebAdmin.
Fix:          Fixed in 7.008


ID05667 7.001 SSL VPN doesn't work with special characters in
certificates
-------------------------------------------------------------------------
--
Description: The OpenVPN client config file holds the DN of the server,
              so that the server can be verified (this prevents man in
the
              middle attacks). For special characters, the encodings do
              not match.
Workaround:   Replace all characters in the tls-remote line that are not
              part of ([A-Z,a-z,0-9], '_', '-', '.', '@', ':', '/', '=')
              by '_' symbols in the OpenVPN client config file (Program
              files\Astaro\Astaro SSL VPN Client\config\*.ovpn)
Fix:          Fixed in 7.004


ID05666 7.001 Wrong status for added networks of a ipsec-tunnel and
listview
-------------------------------------------------------------------------
----
Description: Both yellow and green status icons are shown for
              IPSec-tunnels even though all tunnels are up and running.
Workaround:   Ignore yellow status icons; "n of n SA established" is the
              information of relevance.
Fix:          Fixed in 7.002


ID05572 7.000 PPTP shuts down if no user or group is set
---------------------------------------------------------
Description: If you want to enable PPTP Remote Access with Radius
              authentication only, WebAdmin disables the feature
              automatically if not user or group is selected.
Workaround:   Add a user or group.
Fix:          Fixed in 7.001


ID04533 7.000 L2TP doesn't work with IP addresses assigned via DHCP
--------------------------------------------------------------------
Description: Using L2TP with IP assignment via DHCP may not work
              correctly.
Workaround:   Try enabling debugging in L2TP over IPSec.
Fix:          Fixed in 7.300



Closed Issues - Web Security
===============================


ID14097 7.505 HTTPS scanning only applies for the first network in list
------------------------------------------------------------------------
Description: If http proxy is active in transparent mode with more than
              one network in the allowed networks section and activated
              ssl scanning, the SSL inspection works only for the first
              network in the list.
              All other networks won't be scanned on https protocol.
Workaround:   Create one single network and add all networks to it which
              should be scanned.
Fix:          Fixed in 7.510


ID13085 7.504 HTTP Proxy may restart several times
---------------------------------------------------
Description: Due to a problem within the SSL exceptions, the proxy might
              stop working when processing transparent SSL traffic.
              Although the Selfmonitor will restart the service, internet
              access will get interrupted shortly.
Workaround:   ---
Fix:          Fixed in 7.508


ID12695 7.502 HTTP Proxy content filter does not work with new license
model
-------------------------------------------------------------------------
----
Description: Installations running with a new license will not filter
              HTTP Proxy traffic correctly. Although the proxy is
starting
              up, the content filtering will remain inactive.
Workaround:   ---
Fix:          Fixed in 7.503


ID12668 7.502 FTP directory listing over HTTP Proxy may not work
correctly
-------------------------------------------------------------------------
--
Description: In some cases a remove FTP site may not be shown completely
              via HTTP Proxy. This mainly affects files carrying special
              attributes.
Workaround:   ---
Fix:          Fixed in 7.506


ID12466 7.502 HTTP Proxy may not recognize new eDir users logging in
---------------------------------------------------------------------
Description: In some cases the HTTP Proxy may not recognize eDirectory
              users logging in for up to 5 minutes.
Workaround:   ---
Fix:          Fixed in 7.504


ID11660 7.501 Directory listing for FTP folder over HTTP proxy is empty
------------------------------------------------------------------------
Description: Directory listing for FTP folder over HTTP proxy is empty,
              if files contain special file flags.
Workaround:   ---
Fix:          Fixed in 7.504


ID11453 7.500 Virus pattern updates may conflict with HTTP Proxy
-----------------------------------------------------------------
Description: In some cases a reload of the HTTP Proxy is required after
              updating the virus pattern. Rarely this action can cause a
              conflict and result in a complete restart of the Proxy,
              which in turn could impact websurfing for up to some
minutes
              depending on system speed and features used. This ID is
              about reducing reloads and restarts to a bare minimum and
              make sure to avoid all known conflicts.
Workaround:   Suggested temporary workaround to reduce occurrences
related
              to AV pattern updates is to increase the
              Management->Up2date->Configuration Pattern
              download/installation interval from 15 minutes to a higher
              value.
Fix:          Fixed in 7.504


ID11257 7.405 Auto packetfilter rules missing for spcial traffic in HTTP
Proxy
-------------------------------------------------------------------------
------
Description: Hosts and networks which have been added to "Transparent
              mode skiplist" and/or "Allow HTTP traffic for listed
              hosts/nets" within HTTP Proxy configuration will not get
              auto packetfilter rules which actually allow the traffic.
              Thus, these hosts/networks can not bypass the Proxy
              automatically.
Workaround:   Add rules manually if possible.
Fix:          Fixed in 7.501


ID10441 7.402 HTTP block action not working in all cases
---------------------------------------------------------
Description: In case of a missing or expired WebSubscription, the
              block-filteraction of the HTTP Proxy is no longer working
as
              a default or fallback option.
Workaround:   ---
Fix:          Fixed in 7.403


ID10361 7.401 File Extensions missing from Filter Action page
--------------------------------------------------------------
Description: In WebAdmin the File Extension filter lists are not shown
              completely at the Filter Action page unless you hit the
Edit
              button. All the extensions listed in the edit-view will
also
              be blocked by the Proxy.
Workaround:   Click edit to see all extensions.
Fix:          Fixed in 7.403


ID10189 7.401 Usergroups with umlauts are not working in HTTP Proxy
profiles
-------------------------------------------------------------------------
----
Description: Using special characters like umlauts will not work with
              usergroups when using them in HTTP Proxy Profiles.
Workaround:   ---
Fix:          Fixed in 7.402
ID10095 7.400 Problem with HTTP Parent Proxy and SSL connections
-----------------------------------------------------------------
Description: Using an HTTP Parent Proxy will not work for HTTPS/SSL
              connections without using HTTPS scanning. This means all
              HTTPS connections handled by the proxy would need either
SSL
              scanning or bypass the proxy.
Workaround:   Enable HTTPS scanning if possible. Bypassing the HTTP Proxy
              for HTTPS traffic is also an option.
Fix:          Fixed in 7.401


ID10034 7.400 HTTP Proxy AV scanner will skip some content types
------------------------------------------------------------------
Description: For installations updating to 7.400 or importing a pre
7.400
              configuration the HTTP Proxy will not scan all content
types
              available for viruses. This behaviour can not be changed
via
              WebAdmin.
Workaround:   ---
Fix:          Fixed in 7.401


ID10032 7.400 Cluster slave is not able to authenticate AD SSO users
---------------------------------------------------------------------
Description: Running HTTP Proxy with Active Directory Single Sign-On
              authentication in an active/active HA/Cluster environment
              will cause problems when a slave node tries to authenticate
              users directly. This will result in an authentication only
              working partly.
Workaround:   ---
Fix:          Fixed in 7.401


ID10015 7.400 Active content removal not working correctly
-----------------------------------------------------------
Description: The HTTP Proxy feature for remove embedded objects like
              ActiveX, Java or Flash will not show any effect and thus
not
              filter the active objects in most cases.
Workaround:   ---
Fix:          Fixed in 7.403


ID09914 7.305 HTTP Proxy erroneously sets keepalive for some requests
----------------------------------------------------------------------
Description: For requests without content length the HTTP Proxy uses
              keepalive which may lead to long delays for some websites
to
              load completely.
Workaround:   Whitelist those sites if possible.
Fix:          Fixed in 7.400


ID09319 7.303 Edirectory authenthication stops working after some time
-----------------------------------------------------------------------
Description: When surfing the web via HTTP Proxy with eDirectory SSO
              enabled, successful authentication will stop after a while.
              This is up to an internal counter reaching a certain limit.
Workaround:   Restart HTTP Proxy or call support.
Fix:          Fixed in 7.304


ID09318 7.303 Authentication pop-up window not showing for HTTP Proxy
----------------------------------------------------------------------
Description: When surfing the web via HTTP Proxy with eDirectory SSO
              enabled, the authentication pop-up will not show if the SSO
              auth-request was not successful. This means there is no
              other option to enter credentials.
Workaround:   Switch to basic auth profile using eDirectory in direct
              (LDAP) access mode for getting the pop-up.
Fix:          Fixed in 7.304


ID08414 7.200 HTTP Proxy may expire cached objects even if expire time
isn't reached
-------------------------------------------------------------------------
------------
Description: In some cases the HTTP Proxy may expire objects from the
              cache before the cache lifetime expires.
Workaround:   ---
Fix:          Fixed in 7.300


ID08361 7.200 HTTP Proxy not working for VLANs on top of a bridge
------------------------------------------------------------------
Description: Using a setup with some bridged interfaces and configuring
              VLANs on top of that will cause trouble when trying to
              enable a transparent HTTP Proxy as the packets will not get
              routed correctly in the backend. After all, this setup is
              not working.
Workaround:   ---
Fix:          Fixed in 7.502


ID08336 7.200 HTTP Proxy misbehaviour when reloading configuration
-------------------------------------------------------------------
Description: In some cases HTTP Proxy may run into an error when
              reloading the configuration. Once this happens the proxy
may
              either die and get restarted via selfmonitor or hang and
              consume RAM and CPU resources.
Workaround:   Restart HTTP Proxy.
Fix:          Fixed in 7.201
ID08184 7.104 Cache for HTTP Proxy AD SSO not updating sometimes
-----------------------------------------------------------------
Description: The cache database used for Active Directory Single Sign-On
              in HTTP Proxy may not be updated correctly every time
              resulting in providing outdated information to the
              authentication module of HTTP Proxy.
Workaround:   ---
Fix:          Fixed in 7.301


ID08147 7.104 FTP file downloads stop at 2GB
---------------------------------------------
Description: FTP Proxy can not handle files larger than 2GB correctly.
Workaround:   ---
Fix:          Fixed in 7.300


ID08070 7.104 Web Security reporting shows largs numbers
---------------------------------------------------------
Description: Web Security reporting calculates the amount of traffic by
              using the filesize information provided from the
webservers.
              In some cases, the webservers report unrealistic numbers
              (ranging above 10GB per file) which messes up the
reporting.
Workaround:   ---
Fix:          Fixed in 7.200


ID07717 7.101 Problem with colon in local user password
--------------------------------------------------------
Description: Having local users with colon in their password may cause
              problems when using HTTP Proxy.
Workaround:   Change password.
Fix:          Fixed in 7.302


ID07569 7.101 Unresolved HTTP parent proxy kills the backend system
--------------------------------------------------------------------
Description: In ASG v7.100 and v7.101, using a DNS host object in
              WebSecurity->HTTP->Advanced->HTTPParentProy->Host can kill
              the backend system if the hostname cannot be resolved. This
              may lead to unstable network connectivity.
Workaround:   Until the release of ASG v7.102, only use plain "Host"
              objects in
              WebSecurity->HTTP->Advanced->HTTPParentProy->Host,
              explicitely specifying the IP address.
Fix:          Fixed in 7.102


ID07455 7.100 Adobe Download Manager may fail to download pdf files
--------------------------------------------------------------------
Description:   Downloading pdfs using HTTP Proxy and Adobe Download
Manager
               may fail in certain cases.
Workaround:    ---
Fix:           Fixed in 7.101


ID07445 7.100 Kaspersky Antivirus blocks HTTPS through proxy
-------------------------------------------------------------
Description: When using Kaspersky antivirus on a client, surfing the web
              via HTTP Proxy may not work in all cases.
Workaround:   ---
Fix:          Fixed in 7.101


ID06874 7.008 HTTP Proxy authentication exceptions not working correctly
-------------------------------------------------------------------------
Description: The option for skipping authentication in HTTP Proxy
              (Exceptions) is not working as intended.
Workaround:   ---
Fix:          Fixed in 7.010


ID06867 7.008 HTTP Proxy profiles not assigning correctly
----------------------------------------------------------
Description: The HTTP Proxy profiles may not assign all authentication
              methods correctly, which will result in profiles having too
              much authentication dependencies. Thus for most profiles
              authentication seems to stop working completely.
Workaround:   ---
Fix:          Fixed in 7.009


ID06862 7.008 New HTTP exceptions not matching substrings
----------------------------------------------------------
Description: Up to version 7.007, the 'Target Domains' match in the
              'Exceptions' tab of the HTTP Proxy was a pure substring
              match against the domain part of URLs. For example, an
entry
              of 'astaro.com' would match all domains (including
              subdomains and hostnames) containing 'astaro.com'. This has
              been changed in 7.008 to exact (sub)domain names by use of
              regular expressions. Unfortunately this also causes some
              existing expressions to no longer work because they now
              require an exact match - so the entry "astaro.com" only
              matches the domain 'astaro.com' but not 'www.astaro.com'.
Workaround:   This can be corrected by using regular-expression style
              wildcarding, in this case '.*astaro\.com' would achieve the
              desired effect; however it requires manual adaptation of
              each entry.
Fix:          Fixed in 7.009


ID06859 7.008 Downloads via HTTP Proxy do not work with Internet Explorer
-------------------------------------------------------------------------
-
Description: When trying to download a file via HTTP Proxy with
Microsoft
              Internet Explorer 6 or 7, the download manager page does
not
              refresh automatically and the download is not shown as
              finished after scanning succeeded. Mozilla based browsers
              are not affected.
Workaround:   --- (use Firefox if available)
Fix:          Fixed in 7.009


ID06656 7.006 Possible problem after updating Antivirus pattern
----------------------------------------------------------------
Description: In some cases the HTTP Proxy is not able to initialize the
              latest antivirus pattern. This may lead to restarts of the
              HTTP Proxy by the selfmonitor. The Proxy logfile will show
              lines containing the following message: 'Failed to
              initialize virus database'.
Workaround:   Contact support or try downloading latest pattern manually.
Fix:          Fixed in 7.100


ID06618 7.005 HTTP Proxy closes sessions after response
--------------------------------------------------------
Description: The HTTP Proxy announces the possibility to use keepalive
              for HTTP sessions but closes the connection after a request
              has been answered successfully. This will may cause trouble
              e.g. for Windows Media Player.
Workaround:   ---
Fix:          Fixed in 7.008


ID06616 7.005 Missing Contentfilter categories in WebAdmin
-----------------------------------------------------------
Description: After importing a v6 Backup into version 7, the content
              filter categories are missing in rare cases.
Workaround:   Please contact Astaro Support
Fix:          Fixed in 7.102


ID06510 7.005 Up and down arrows don't work correctly in HTTP Profiles
-----------------------------------------------------------------------
Description: When trying to move down a filter assignment in Web
              Security->HTTP Profiles it will always jump to the last
              position in the profile. This also happens when trying to
              move it to the top. Also, all assignments in the profiles
              are set to "1" and not numbered consecutively.
Workaround:   ---
Fix:          Fixed in 7.008


ID06375 7.004 Contentfilter whitelist does not use regular expressions
-----------------------------------------------------------------------
Description: When using whitelists or exceptions in HTTP Proxy, regular
              expressions will not work everywhere in the same way.
              Basically, everywhere regular expressions should be used.
Workaround:   ---
Fix:          Fixed in 7.008


ID06281 7.003 NTLM doesn't work with IE7 and Windows Vista
-----------------------------------------------------------
Description: Active Directory Single-Sign-On (SSO) does not work for
              clients running IE7 under Windows Vista because NTLMv1 auth
              is not supported in this combination. This issue will be
              fixed in ASG version 7.100.
Workaround:   There is no workaround, except for using a different
browser
              (e.g. Firefox).
Fix:          Fixed in 7.100


ID06178 7.003 Whitelisting does not work under certain circumstances
---------------------------------------------------------------------
Description: By adding a profile to a user that should be allowed to
surf
              a website and to a surf-protection-category, the user is
              only able to reach the website OR the surf protection
              category but not both as defined.
Workaround:   ---
Fix:          Fixed in 7.100


ID06103 7.002 Empty Source network breaks HTTP proxy profile config
--------------------------------------------------------------------
Description: When creating an HTTP profile the source network setting is
              optional and may break the configuration if not specified.
Workaround:   Select a valid source network.
Fix:          Fixed in 7.004


ID06102 7.002 .com websites are blocked by file extension scanner
------------------------------------------------------------------
Description: The file extension scanner in HTTP Proxy will block
websites
              ending with .com if the extension .com is listed for
              blocking.
Workaround:   Remove .com from file extension scanner.
Fix:          Fixed in 7.100


ID06100 7.002 Streaming downloads aren't aborted on client disconnect
----------------------------------------------------------------------
Description: When a client starts an HTTP stream download a
              disconnects/resets the connection, the HTTP Proxy will
              continue downloading the stream.
Workaround:   ---
Fix:          Fixed in 7.005


ID06021 7.002 Downloads are not aborted when a user closes the downloader
page
-------------------------------------------------------------------------
------
Description: Downloads interrupted by the user will not be aborted by
the
              HTTP proxy until the download is finished.
Workaround:   ---
Fix:          Fixed in 7.003


ID06011 7.002 Canceled downloads are not deleted by the HTTP proxy
-------------------------------------------------------------------
Description: Deferred downloads that aren't downloaded by the users will
              not be deleted and gradually fill up the storage.
Workaround:   A reboot will delete all temporary files.
Fix:          Fixed in 7.003


ID05997 7.002 Users may use HTTP Proxy even if not explicitly allowed
----------------------------------------------------------------------
Description: When using the default HTTP profile of Web Security in
              combination with authentication than the system will still
              allow access for users, even if the user/group is not in
the
              allowed users list. This only happens if the user has
              successfully authenticated himself. A failed authentication
              will lead to a blocked page.
Workaround:   Set the http default profile to standard mode. Go to the
              menu item 'Web Security > HTTP Profiles' and create a new
              'filter action' with the name 'block all', the type 'block
              everything ...', leave the rest empty/unchecked and click
              save. Then create a new 'filter assignment' with the name
              'allowed users', add the user/groups that should have
              access, set the 'filter action' to 'Default Filter Action'
              and click save. Afterwards create a new 'proxy profile',
              select the allowed network, check the box at 'allowed
users'
              in the 'filter assignments', select 'block all' as the
              'Fallback action', define your prefered authentication mode
              and click save. This should solve the issue.
Fix:          Fixed in 7.400


ID05951 7.000 Cache size for HTTP Proxy (squid) too small
----------------------------------------------------------
Description: The cache size for squid is calculated very conservative.
              Although the cache size depends on the disk size, it is
very
              low even on larger disks.
Workaround:   ---
Fix:          Fixed in 7.004


ID05889 7.002 Content blocked page showing up twice
----------------------------------------------------
Description: When using file extension blocking the content blocked
              pages' content (when HTTP Proxy blocks a URL) is displayed
              twice.
Workaround:   ---
Fix:          Fixed in 7.005


ID05864 7.002 HTTP Proxy is restarted by selfmon very often
------------------------------------------------------------
Description: There seems to be a memory corruption problem within the
              HTTP Proxy daemon showing up in rare scenarios only. In
this
              case the Selfmonitor will restart the proxy quite
              frequently.
Workaround:   ---
Fix:          Fixed in 7.008


ID05801 7.001 Authentication exceptions per domain do not work
---------------------------------------------------------------
Description: Using the HTTP proxy, exceptions with regard to user
              authentication per domain do not work correctly. Clients
are
              still prompted for entering credentials even the domain is
              configured to be exempt from user authentication. This will
              cause automatic Windows updates to fail in any environment
              requiring user authentication.
Workaround:   ---
Fix:          Fixed in 7.003


ID05780 7.001 Missing download progress due to unknown content length
information
-------------------------------------------------------------------------
---------
Description: If the content length is unknown to the client, download
              progress information shown on the HTTP proxy download page
              is missing.
Workaround:   ---
Fix:          Fixed in 7.003


ID05683 7.001 File extension filter blocks file after complete download
------------------------------------------------------------------------
Description: Files having an extension supposed to be blocked are
              downloaded nonetheless before the user who requests the
file
              is shown the Astaro block message.
Workaround:   ---
Fix:          Fixed in 7.002


ID05652 7.001 Using Internet Explorer, the HTTP proxy fails to display a
web page that requires a POST request
-------------------------------------------------------------------------
---------------------------------------
Description: Internet Explorer adds an extra CRLF character to a POST
              request that is sent to an HTTP 1.1 server, causing the
HTTP
              proxy to fail to deliver the page. For more information,
see
              Microsoft Knowledgebase
              (http://support.microsoft.com/kb/823099).
Workaround:   Use an alternative browser (e.g., Firefox 2).
Fix:          Fixed in 7.003


ID05651 7.001 Whitelist mode in HTTP Proxy Profiles not working
----------------------------------------------------------------
Description: The Filter Action mode 'block everything except the
              selection below' configured on the Web Security >> HTTP
              Profiles >> Filter Actions tab in WebAdmin does not work
              even though the profile matches. The user can access every
              web site, not just the ones allowed.
Workaround:   ---
Fix:          Fixed in 7.002


ID05609 7.001 HTTP Proxy allocates a lot of memory
---------------------------------------------------
Description: When downloading a file that has a size larger than the max
              scanning size, the HTTP Proxy downloads the complete file
to
              memory, and delivers it to the client. When the client
              download is aborted before it has been finished or the
              internet uplink is faster than the client link speed the
              proxy does not free the memory used for downloading the
              body.
Workaround:   ---
Fix:          Fixed in 7.003


ID05565 7.000 HTTP proxy download manager stops refreshing
-----------------------------------------------------------
Description: Multiple simultaneous downloads in one browser stall the
              download manager's progress bar for each download. This is
              due to certain browser limitations in terms of concurrent
              connections.
Workaround:   Press the browser's reload button manually to refresh the
              progress bar display.
Fix:          Fixed in 7.100
ID05451 7.000 File extension filter blocks file only after download is
complete
-------------------------------------------------------------------------
-------
Description: Files having an extension supposed to be blocked are
              downloaded nonetheless before the user who requests the
file
              is shown the Astaro block message.
Workaround:   ---
Fix:          Fixed in 7.002



Closed Issues - Wireless Security
====================================


ID15337 7.508 WiFi: Possible connectivity problems with 40Mhz channels
-----------------------------------------------------------------------
Description: Under some circumstances it is possible that wireless
              clients that are capable of using 40Mhz channels cause the
              AP to stop delivering frames to all clients intermittently.
              Possible impact is higher then usual latency and low
              throughput as well as connection loss.
Workaround:   Disabling 40Mhz channel width in the client configuration
              mitigates this problem.
Fix:          Fixed in 7.511



Closed Issues - Various
==========================


ID17198 7.510 Upgrade to V8 not possible in a special case
-----------------------------------------------------------
Description: Having the V8-Upgrade initialization done with a version
              prior to 7.510 and trying to start the upgrade with 7.510,
              the system will not continue. V7 is still running without
              any other restrictions.
Workaround:   ---
Fix:          Fixed in 7.511


ID16088 7.508 No entries in the Packetfilter Log (HA/Cluster Mode)
-------------------------------------------------------------------
Description: After a HA/Cluster takeover the Master might possibly not
              write any Packetfilter Log. When this problem occurres you
              also can't see any reporting information in the Network
              Security area.
Workaround:   Please contact our support team
Fix:          Fixed in 7.510
ID15225 Availability groups deployed via ACC are unresolved
-------------------------------------------------------------
Description: User defined Availability Groups coming from an ACC system
              will show up in WebAdmin as 'unresolved' no matter how many
              hosts are in and if they're reachable.
Workaround:   ---
Fix:          Fixed in 7.511


ID14680 7.505 Scheduled Up2Dates do not work
---------------------------------------------
Description: In all ASG 7.5 versions up to and including 7.507, Up2Dates
              scheduled on the Management >> Up2Date >> Overview WebAdmin
              tab are not started automatically at the scheduled time.
Workaround:   Start the Up2Dates manually on the same WebAdmin tab.
Fix:          Fixed in 7.511


ID14657 7.505 Overflow in certificate creation will cause invalid
certificates
-------------------------------------------------------------------------
------
Description: Due to an overflow within the certificate creation, all
              certificates being created after 4th September 2010 will be
              invalid as the end date of the certificates will be in the
              past. This affects all types of certificates (CAs, user
              certificates, VPN certificates, ..) in all types of
systems.
Workaround:   If possible, please apply Up2Date 7.507 by end of August
(or
              until 3rd September 2010).
Fix:          Fixed in 7.507


ID14594 7.506 After update to v7.506, german online-help is not reachable
anymore
-------------------------------------------------------------------------
---------
Description: If your webadmin is set to german language, the online-help
              is no longer working after upgrading the firmware to v7.506
              or higher.
Workaround:   Will be fixed within the next up2date-packages.
Fix:          Fixed in 7.510


ID14404 7.506 RED: UDP flood protection blocks RED traffic
-----------------------------------------------------------
Description: When UDP Flood protection is turned on, incoming traffic
              from RED devices may be dropped. The RED link will still
              work, but throughput is heavily impaired.
Workaround:   Turn off UDP flood protection for the time being. This
issue
              is fixed in version 7.508 and higher.
Fix:          Fixed in 7.508


ID14349 7.505 Unsupported archive format encountered
-----------------------------------------------------
Description: When downloading FirefoxPortable.paf.exe or
FirefoxSetup.exe
              the HTTP-Proxy reports the error message "Unsupported
              archive format encountered". (unsupported uncompressed
              NSIS-header)
Workaround:   Workaround 1:

              Create an exception for Anti-Virus and enter in
              URL:

              FirefoxPortable_3.6.6_German.paf.exe

              Firefox%20Setup%203.6.6.exe

              Workaround 2:

              Disable "Block unscannable and encrypted files" in
              HTTP-Proxy/Advanced (by default this feature is DISABLED at
              all)
Fix:          ---


ID14089 7.505 Antispam daemon may restart frequently
-----------------------------------------------------
Description: In a few cases the antispam daemon is restarted by the
              Selfmonitor after updating to the latest AxG version.
You'll
              find lots of messages regarding a failed check for
              'ctasd_mem_usage' in the Selfmonitor logfile.
Workaround:   Please reboot the system.
Fix:          Fixed in 7.508


ID12596 7.502 AMG/AWG backup import to ASG not possible
--------------------------------------------------------
Description: It is not possible to import backups from a Web or Mail
              Appliance (AWG,AMG) into an Astaro Security Gateway.
Workaround:   Please contact support.
Fix:          Fixed in 7.504


ID12449 7.502 ASG crashes, caused by special character ")" in PPPoE
password
-------------------------------------------------------------------------
----
Description: A ISP given pppoe password, which contains ")" as a
              character, may crash the ASG after saving the interface
              settings.
Workaround:   Use an another password, the ISP can change it.
Fix:          Fixed in 7.508


ID12337 7.502 When the password contains german umlauts the referring
account cannot be created in POP3 proxy
-------------------------------------------------------------------------
-------------------------------------
Description: POP3 prefetch accounts will not be created when the
password
              contains certain special characters, as e.g. german
umlauts.
Workaround:   Please use only characters of the ASCII charset.
Fix:          ---


ID12176 7.502 PPTP routing is broken if PPTP pool is part of the internal
network
-------------------------------------------------------------------------
---------
Description: PPTP routing is broken if the PPTP pool is overlapping with
              the internal network e.g 192.168.0.0/16 is used for LAN and
              192.168.1.0/24 for RA. Remote connections will be unable to
              communicate with these overlapping networks. Traffic
between
              non-overlapping subnets are not affected.
Workaround:   a) Setup a Masquerading rule, so connections from remote
              clients will be NAT'ed to the LAN ASG address and there is
              no direct connection anymore between LAN and Remote
              Access.

              b) Don't use overlapping subnets for Remote Access and LAN,
              e.g. use 192.168.0.0/24 for LAN and 192.168.1.0/24 for RA
              instead of 192.168.0.0/16 LAN and 192.168.1.0/24 for
              RA

              c) contact support to install a pre-rpm
Fix:          Fixed in 7.504


ID11987 7.502 Can't dissolve bridge or remove bridge ports
-----------------------------------------------------------
Description: Removing a bridge completely does not work as expected.
Workaround:   ---
Fix:          Fixed in 7.504


ID11932 7.501 When activating or change the "daily reconnect" time on a
PPPOE interface, the ASG stops responding on the WAN
-------------------------------------------------------------------------
----------------------------------------------------
Description: When activating or changing the PPPOE network inteface's
              "reconnect time", the ASG stops routing traffic over the
              PPPOE interface due to loss of the default route. This also
              causes the ASG to stop responding on the WAN interface.
Workaround:   When, after a manual minor change, the default route gets
              lost in the way described here, manually disable and
              re-enable the interface in the WebAdmin.
Fix:          Fixed in 7.508


ID11871 7.501 IPS logging can cause root partition fillup
----------------------------------------------------------
Description: The IPS log files will be written to an incorrect directory
              causing the root disk partition to be filled up to maximum
              capacity.
Workaround:   Please contact Astaro Support to clear the root disk
              partition.
Fix:          Fixed in 7.504


ID11857 7.501 Serial numbers showing up as "MISSING" in the webadmin
dashboard
-------------------------------------------------------------------------
------
Description: On some units the hardware serial in WebAdmin show up as
              missing after reinstalling the system.
Workaround:   ---
Fix:          Fixed in 7.505


ID11844 7.501 Cannot use HTTPS scanning in a profile if HTTPS is not
enabled for the global settings.
-------------------------------------------------------------------------
-----------------------------
Description: In Transparent mode, HTTPS scanning specified by a HTTP/S
              proxy profile will not work for hosts in the profile which
              are also in the Global Allowed networks list unless HTTPS
              scanning is enabled in Global settings.

              Example:
              Network 10.0.0.0/24 is in the Global Allowed Networks
              list
              Proxy is in Transparent mode, Scan HTTPS (SSL) Traffic is
              not enabled on the Global tab
              Profile including the host 10.0.0.1 in Transparent mode
with
              HTTPS scanning enabled, HTTPS traffic will not be scanned.
Workaround:   ---
Fix:          Fixed in 7.505


ID11837 7.501 Prefetch of an AD user fails if the mail address is case-
sensitive
-------------------------------------------------------------------------
--------
Description: When using Active Directory back-end authentication with
the
              ASG, user objects will not automatically get created,
              because there is a email address case-mismatch associated
              with AD user account.
Workaround:   Review all email addresses associated with the Active
              Directory user account and ensure that all email addresses
              are in the same case.
Fix:          Fixed in 7.504


ID11807 7.501 MIME blocking inspects HTTP body not working
-----------------------------------------------------------
Description: Files with renamed file extension are not identified.
              MIME blocking inspects HTTP body not working.
Workaround:   ---
Fix:          Fixed in 7.504


ID11760 7.501 Reporting Exceptions missing from AWG and AMG Appliances
-----------------------------------------------------------------------
Description: This does not break anything major in the Astaro, traffic
              will still pass without issue. This just affects the
ability
              to add exceptions for reporting output. The Exceptions tab
              is missing from Reporting->Settings.
Workaround:   ---
Fix:          Fixed in 7.504


ID11753 7.501 Incoming mails with inline PGP encryption can cause
problems
-------------------------------------------------------------------------
--
Description: In some cases PGP inline encrypted mails can raise the cpu
              up to 100%. If this problem accures the process
              /bin/emailenc will be visible in the top list and the mail
              will not be delivered.
Workaround:   ---
Fix:          Fixed in 7.502


ID11620 7.501 DNS resolution problem through SSL VPN connection
----------------------------------------------------------------
Description: Sometimes the DNS resolution of internal clients do not
              work, although internal DNS servers are defined in the
              remote access settings. To fix this you have to execute a
              ipconfig /registerdns on the client machine.
Workaround:   ---
Fix:          Fixed in 7.502


ID11544 7.501 Default gateway will not be set with SSL VPN client 1.5
----------------------------------------------------------------------
Description: After updating to 7.500 the SSL VPN client will not add a
              default route if network "Any" (0.0.0.0) is in use.
Workaround:   ---
Fix:          Fixed in 7.502


ID11532 7.501 Handling of encrypted zip files is inconsistent
--------------------------------------------------------------
Description: Handling of encrypted zip files is not consistent at HTTP
              and SMTP proxy. This is not only when configuring, but also
              when actually scanning the content. I.e. an eicar test-
virus
              will not be detected as unscannable and get passed through
              in some cases.
Workaround:   ---
Fix:          Fixed in 7.502


ID11524 7.500 Wrong aua connection count for transparent proxy
---------------------------------------------------------------
Description: Proxy is showing error message "Max number of AUA
              connections reached" when transparent authentication mode
is
              enabled.
Workaround:   Please contact support.
Fix:          Fixed in 7.502


ID11505 7.500 Special words with different meanings may be blocked by
content-filter
-------------------------------------------------------------------------
------------
Description: The content-filter doesn't provide a semantic parser, so
               false classifications of special words with different
               meanings can't be prevented.

              For example:
              Stosunek pracy (pl.) = employer-employee relationship
              (engl.)
              Stosunek (pl.) = coitus (sexual)
Workaround:   Add a whitelist/exception entry for this.
Fix:          ---


ID11496 7.500 State of additional addresses remains at DOWN after the
daily reconnect
-------------------------------------------------------------------------
-------------
Description: After daily reconnect of PPPoE-interfaces, additional
              addresses bounded to those interfaces remains in state
DOWN.
Workaround:   Please contact the Astaro Support Team.
Fix:          Fixed in 7.505


ID11425 7.500 Classic base licenses no longer allows basic SMTP usage
----------------------------------------------------------------------
Description:   Using basic SMTP features with a classic license and no
Mail
               Subscription will not work correctly.
Workaround:    ---
Fix:           Fixed in 7.504


ID11420 7.403 Cannot log archive to windows share when windows password
contains a percent sign (%).
-------------------------------------------------------------------------
----------------------------
Description: Remote archive logging fails to copy to windows shares when
              authentication password contains a percent sign (%).
Workaround:   Set another windows password that doesn't contain the
              percent sign (%).
Fix:          Fixed in 7.504


ID11411 7.500 File downloads via ftphelper may be corrupt
----------------------------------------------------------
Description: Random file downloads via FTP using the HTTP Proxy can get
              corrupt. This is mainly seen when using Filezilla as a
              client.
Workaround:   ---
Fix:          Fixed in 7.502


ID11407 7.500 For inline PGP encrypted emails only the attachment is
decrypted
-------------------------------------------------------------------------
------
Description: For PGP inline encrypted emails there will only be
              attachements decrypted after receiving, but the body of the
              mail will remain encrypted.
Workaround:   ---
Fix:          Fixed in 7.502


ID11379 7.500 Missing fields for WebAdmin settings
---------------------------------------------------
Description: After updating to 7.500 allowed networks, allowed
              administrators and allowed auditors fields are no longer
              visible in WebAdmin.
Workaround:   Please contact our support team
Fix:          Fixed in 7.502


ID11371 7.500 eDirectory authentication may stop working when no BaseDN
is specified
-------------------------------------------------------------------------
-------------
Description: Authentications for users in the eDir fails. If you press
              "Test server settings" in the eDir setup dialog, you get
              "server test passed OK"
              but if you try to authenticate an eDir user with the
              "Authenticate example user" button, you will get an "LDAP
              call error" message
Workaround:   Specify one or more base DNs in the eDir server settings
Fix:          Fixed in 7.508


ID11359 7.500 SMTP proxy is not usable anymore if no mail subscription is
installed
-------------------------------------------------------------------------
-----------
Description: It is not possible to configure the tabs Routing,
              Exceptions, Relaying and Advanced within Mail Security
              without a Mail Security Subscription.
Workaround:   Please contact our support team.
Fix:          Fixed in 7.501


ID11299 7.500 Unreachable Astaro news feed might break the dashboard
---------------------------------------------------------------------
Description: In case the Astaro news feed is not reachable, the
dashboard
              might not show up properly. Instead you'll find a grey page
              reading 'undefined'. In some cases, this issue might also
              prevent users from logging in to WebAdmin when trying to
              load/cache objects.
Workaround:   Make sure Internet access is available.
Fix:          Fixed in 7.501


ID11239 7.405 Yahoo messenger will not be detected by IM/P2P security
----------------------------------------------------------------------
Description: Yahoo Messenger will not be blocked by IM/P2P-Security
while
              connecting via the HTTP-Proxy of the ASG.
Workaround:   ---
Fix:          Fixed in 7.505


ID11236 7.405 Bridge setup without an IP is not working
--------------------------------------------------------
Description: Bridging does not work when no IP is assigned. This can be
              done when not using a convert interface and not assigning
              any standard or VLAN interface after creating the bridge.
In
              this case hosts behind the bridge will not be reachable.
Workaround:   ---
Fix:          Fixed in 7.502


ID11235 7.404 "ICMP Fragmentation needed" packets are not handled
correctly when using Multipath
-------------------------------------------------------------------------
------------------------
Description:   "ICMP Fragmentation needed" packets are not handled
               correctly when using Multipath.
               This can cause that some connections (e.g. HTTPS) do not
               work.
Workaround:    Contact Astaro Technical Support
Fix:           Fixed in 7.504


ID11212 7.405 Gateway route to PPTP client IP is missing after PPTP
reconnect
-------------------------------------------------------------------------
-----
Description: Static routes / Policy routes get missing after minor
              interface change. E.g. gateway route to PPTP client IP is
              missing after PPTP reconnect.
Workaround:   ---
Fix:          Fixed in 7.500


ID11129 7.404 Accounting information in executive report incorrect
-------------------------------------------------------------------
Description: The accounting logs each transfer with it's beginning
              timestamp, but in case the transfer crosses midnight, the
              transfer is written to the database the next day (or
several
              days later, in case of very long standing
              connections).

               So it could happen that the transfer is listed in the daily
               executive report one (or more) days after the transfer is
               started.
Workaround:    ---
Fix:           ---


ID11070 7.404 All CA's listed in CA authorites will be added as signature
-------------------------------------------------------------------------
-
Description: In some cases the signature of an outgoing email could have
              a size of some kilobytes. This is caused by adding all
known
              CA authorites to the email by default.
Workaround:   Add only the CA's to the list which are really needed.
Fix:          Fixed in 7.502


ID10909 7.403 Middleware problem after restarting the service
--------------------------------------------------------------
Description: In some cases, Middleware is not able to start up
completely
              and writing the following error message to
              /tmp/mdwdebug.log: 'MLDBM error: Second level tie failed,
              "File exists" at /PerlApp/Astaro'. This is caused by an
              incorrect file cleanup/access.
Workaround:   ---
Fix:          Fixed in 7.501


ID10808 7.403 After update to version 7.403 the remote access menu item
is missing
-------------------------------------------------------------------------
----------
Description: After update to version 7.403 on a AMG system, the remote
              access menu item is missing.
Workaround:   Contact Astaro Technical Support
Fix:          Fixed in 7.500


ID10426 Importing license via wizard may not work correctly
-------------------------------------------------------------
Description: In some cases a race condition will prevent a license from
              being properly imported when using the setup wizard.
Workaround:   Please import the license after finishing the wizard via
              Management->Licensing.
Fix:          Fixed in 7.403


ID10425 7.401 Slave stuck in status UP2DATE and update was not started on
slave
-------------------------------------------------------------------------
-------
Description: Under certain circumstances, the update process auisys.pl
              cannot be started due to another running instance. This is
              indicated by the following line in the update logfile:

              auisys[<pid>]: Another instance of this process is already
              running, exiting
Workaround:   By entering the command 'ha_daemon -c up2date VERSION',
              where version is the next update to install, e.g. 7.402,
the
              update process is triggered again.
Fix:          Fixed in 7.500


ID10387 7.402 Webadmin AWG and ASG - Translation error in "Filteraktion"
of http profiles
-------------------------------------------------------------------------
-----------------
Description: By changing webadmin language to german, in http profiles /
              filter actions is a wrong translation for manual blacklist.
              Text is "Immer diese URLs/Seiten zulassen" for black-, and
              whiltelist.
Workaround:   ---
Fix:          Fixed in 7.500


ID10375 7.402 IPSec local hosts/networks are missing in ASC-Configfile,
if you add more than 5 hosts
-------------------------------------------------------------------------
----------------------------
Description: If you define more than 5 IPsec local hosts/networks, some
              of them are missing in Astaro Secure Client (IPsec) config
              file which causes missing network routes on connect. The
              Astaro Secure Client supports up to 20 host/network entries
              in a config file, but the configuration the Astaro Gateway
              generates contains only 5 (The file you may download via
the
              User Portal).
Workaround:   If you can't wait for v7.500, you can manually edit the
              config file to contain up to 20 hosts/networks by simply
              adding the necessary entries by extending the current
              format.
Fix:          Fixed in 7.500


ID10374 7.402 License expiry when BIOS clock resets
----------------------------------------------------
Description: When any event that drastically changes the date on the
              machine occurs, permanent licenses may be considered
invalid
              and restrict users from logging into Webadmin. For
instance,
              this can be caused by the BIOS clock being reset or an
              adminstrator setting the date back some years.
Workaround:   ---
Fix:          Fixed in 7.500


ID10360 7.402 Exception list can not be created for Share
----------------------------------------------------------
Description: Trying to create an exception list for P2P application
Share
              will not succeed. The exception will not get created at
all.
Workaround:   ---
Fix:          Fixed in 7.403


ID10337 7.401 DNS requests from Windows 2003 server to domain controller
will be detect as trojan
-------------------------------------------------------------------------
-------------------------
Description: DNS requests from a Windows 2003 server to domain
controller
              will be detect as trojan
Workaround:   Put the domain controller into a exception list to skip
IPS.
Fix:          ---


ID10221 7.401 SSL Site2Site VPN default route to remote site does not
work
-------------------------------------------------------------------------
--
Description: When configuring SSL Site-toSite VPN with one side acting
as
              default gateway, you get "NOTE: unable to redirect default
              gateway -- Cannot read current default gateway from system"
              in the Logfile and the default route will not be
redirected.
Workaround:   ---
Fix:          Fixed in 7.500


ID10181 7.401 Wrong translation (English => German or French) in HTTP-
Profiles >> FilterActions
-------------------------------------------------------------------------
-----------------------
Description: By changing the global WebAdmin language to German or
French
              and create a new FilterAction in the HTTP-Profiles, 'Allow
              these URLs/sites' and 'Block these URLs/sites' are both
              translated as 'Immer diese URLs/Seiten zulassen' or rather
              'Toujours autoriser ces URL/sites'
Workaround:   The first checkbox below the categories is to permanently
              allow websites, the second one to permanently block
              websites.
Fix:          Fixed in 7.500


ID10123 7.400 Dashboard view of RAM incorrectly labeled SWAP on Japanese
webadmin
-------------------------------------------------------------------------
---------
Description: In webadmin dashboard view if the language selection is set
              to Japanese the Swap and RAM values are swapped.
Workaround:   None - The graphs are correct just interpret RAM graph to =
              Swap
Fix:          Fixed in 7.500


ID10027 7.400 Network and service group definitions unordered after 7.400
up2date
-------------------------------------------------------------------------
---------
Description: When viewing network or service group definitions
containing
              multiple objects the objects will appear unordered.

              The objects are ordered according to backend reference ID
              rather than alphabetical.
Workaround:   None
Fix:          Fixed in 7.500
ID09617 7.305 Problem authenticating users with umlauts via Active
Directory
-------------------------------------------------------------------------
----
Description: Usernames containing german umlauts can not be used in HTTP
              proxy profiles since the character set is not parsed
              correctly. All non-ASCII characters will be skipped, which
              leads to an "Authorization denied" failure.
Workaround:   As the HTTP proxy does not convert any character set, only
7
              bit ASCII characters work. Please change the affected
              username to 7 bit ASCII, e.g. "mueller" instead of
              "m&uuml;ller".
Fix:          Fixed in 7.400


ID09120 7.301 System may boot up with factory defaults after power cycle
-------------------------------------------------------------------------
Description: There has been some reports about systems booting up with
              factory defaults after a power loss. There is a possible
              race condition when storing the configuration data which
              could cause this.
Workaround:   ---
Fix:          Fixed in 7.303


ID08875 7.300 Active Directory Browser makes no sense when groups should
be used in HTTP-Proxy
-------------------------------------------------------------------------
----------------------
Description: When creating a new AD backend group in Users->Groups with
              the help of the AD browser, the group will be taken with
the
              complete CN-notation instead of just the first attribute of
              the DN.
Workaround:   Either you enter the group name by yourself or you drag it
              into the groups field via AD browser and delete all but the
              group name. For example,
              CN=http_allow_all,OU=internetusers,OU=DE,
              DC=intranet,DC=local must be http_allow_all. (without a
              trailing dot)
Fix:          Fixed in 7.400


ID08635 7.201 Deactivating SIP support does not work correctly
---------------------------------------------------------------
Description: When disabling SIP support in WebAdmin, not all modules get
              unloaded properly in the backend.
Workaround:   Reboot the box after deactivating SIP support.
Fix:          Fixed in 7.300


ID08626 7.201 DHCP fails to start on state toggle in WebAdmin
--------------------------------------------------------------
Description:   When toggling state of DHCP server in WebAdmin in some
cases
               the server might not start up properly.
Workaround:    Please try again.
Fix:           Fixed in 7.400


ID08469 7.201 Packetfilter log shows drops of local packets
------------------------------------------------------------
Description: When using IM/P2P detection there might be loglines in the
              packetfilter logs indicating localhost traffic (srcip and
              dstip is 127.0.0.1).
Workaround:   Reboot the system or disable IM/P2P detection.
Fix:          Fixed in 7.300


ID08366 7.200 Online Help and Manual for AWG may not work after
installation
-------------------------------------------------------------------------
----
Description: For AWG appliances, online help and manual may not be
              accessible right after installation.
Workaround:   Make sure internet connection is working and automatic
              pattern updates are enabled.
Fix:          Fixed in 7.201


ID08359 7.200 Readable eDirectory passwords in debugging mode
--------------------------------------------------------------
Description: When doing debugging the bind users password is printed in
              plain text to one of the debug logs.
Workaround:   ---
Fix:          Fixed in 7.300


ID08358 7.200 High memory usage for IM/P2P detection
-----------------------------------------------------
Description: Using IM/P2P detection will cause the backend to allocate a
              lot of memory which may slow down the system at all.
Workaround:   ---
Fix:          Fixed in 7.300


ID07900 7.103 VLAN sometimes fails on LAG devices
--------------------------------------------------
Description: Creating a VLAN Interface on basis of a Link Aggregation
              group sometimes fails. The exact scenario of failing is yet
              unknown.
Workaround:   Contact support if you have a failing setup.
Fix:          Fixed in 7.402


ID07814 7.102 Middleware may slow down on some systems
-------------------------------------------------------
Description:   On systems with heavy roadwarrior traffic the Middleware
may
               slow down and allocate large amounts of memory.
Workaround:    Restart system.
Fix:           Fixed in 7.103


ID07260 7.011 System freezes on Vmware ESX Server V3
-----------------------------------------------------
Description: Some installations running in VMware ESX Server 3.0 or 3.5
              may freeze after a random time.
Workaround:   ---
Fix:          Fixed in 7.300


ID06911 7.009 Backend problem after importing a license
--------------------------------------------------------
Description: After importing a license, the backend system may not be
              restarted correctly. Connecting to WebAdmin will show a
              message like 'Please wait, connecting to backend ...'.
Workaround:   Reboot the machine.
Fix:          Fixed in 7.010


ID06903 7.009 Checkboxes for HTTP Proxy profiles not working with IE6
----------------------------------------------------------------------
Description: When editing HTTP Proxy profiles, the checkboxes for the
              filter assignments can not be selected when using Internet
              Explorer 6.
Workaround:   Use another browser.
Fix:          Fixed in 7.010


ID06687 7.006 Kernel freezes on ASG 110/120/220
------------------------------------------------
Description: For some small appliances (ASG 110/120/220) the system may
              freeze during normal operation. No network traffic is
              possible anymore, the screen (if attached) will remain
black
              and also keyboard input is no longer possible. This may be
              caused by a problem within the ASG kernel.
Workaround:   Reboot the machine.
Fix:          Fixed in 7.200


ID06674 7.006 DynDNS may not update because of a missing packetfilter
rule
-------------------------------------------------------------------------
--
Description: The DynDNS service will not be able to update the dynamic
              hostname after any interface configuration has been done
via
              WebAdmin. This is because the automatic packetfilter rule
                allowing that specific traffic will be removed
automatically
                after any successful interface parameter change.
Workaround:     Either create a packetfilter rule allowing HTTP traffic
from
                the DSL interface address to Any or reboot the machine.
Fix:            Fixed in 7.007


ID06660 7.006 Search for IP addresses not working with many definitions
------------------------------------------------------------------------
Description: Having more than 51 definitions and searching for IP
              addresses in network definitions will not show any results.
Workaround:   ---
Fix:          Fixed in 7.007


ID06571 7.006 L2TP daemon will not be restarted automatically
--------------------------------------------------------------
Description: The L2TP daemon responsible for remote access will not be
              restarted automatically in case of an internal failure. The
              selfmonitoring is not checking all of the relevant
              processes.
Workaround:   ---
Fix:          Fixed in 7.008


ID06484 7.005 Sorting of policy routes not working correctly
-------------------------------------------------------------
Description: The sorting of policy routes introduced in 7.005 does not
              work for all cases, especially after editing routes.
Workaround:   On most systems a reload of the routing page should show
the
              correct order.
Fix:          Fixed in 7.006


ID06473 7.005 Disabled End User Spam report enabled after editing custom
text
-------------------------------------------------------------------------
-----
Description: When editing the custom text for the Enduser Spam Report
the
              feature is turned on automatically.
Workaround:   Turn it off again if you don't need it.
Fix:          Fixed in 7.006


ID06472 7.005 Middleware stops working with unresolved routing targets
-----------------------------------------------------------------------
Description: Middleware stops working when a static route has an
              unresolved DNS definition as target.
Workaround:   Change route target to static host definition.
Fix:          Fixed in 7.006
ID06469 7.005 Online help will not open when WebAdmin language is set to
Japanese or Chinese
-------------------------------------------------------------------------
--------------------
Description: The online help will not open when WebAdmin language is set
              to Japanese or Chinese, which were supported from version
              7.005 on. It gets stuck at the message "Please wait,
              connecting to backend".
Workaround:   ---
Fix:          Fixed in 7.006


ID06389 7.005 WebAdmin very slow when using many objects
---------------------------------------------------------
Description: With large amounts of definitions, such as many groups,
              hosts, or users that have been defined, the WebAdmin login
              can take a long time to process and as a result sometimes
              the session will timeout and/or repeated attempts to login
              are necessary.
Workaround:   Astaro recommends to use Microsoft IE7 or Mozilla Firefox
2.
Fix:          Fixed in 7.100


ID06342 7.004 Large HTTP blacklist may cause WebAdmin slowdown
---------------------------------------------------------------
Description: Having a large amount of HTTP blacklist entries may slow
              down WebAdmin extremely when trying to view the page.
Workaround:   ---
Fix:          Fixed in 7.005


ID06333 7.004 Drag-and-drop fails with Internet Explorer
---------------------------------------------------------
Description: There is a problem when using Internet Explorer for
              configuring via WebAdmin. When the scrollbar of the browser
              is scrolled to the bottom, drag-and-drop fails. The mouse
              pointer points to the location where you want to drop an
              object (e.g. network object), but the object itself hovers
              quite a bit above the mouse pointer position. In this
              situation it is not possible to drop the object.
Workaround:   Move the dragged object bottom-up from the area you'd like
              to drop it until the area is highlighted or use another
              browser.
Fix:          Fixed in 7.008


ID06325 7.004 Nic order mixed up on ASG 320
--------------------------------------------
Description: On some ASG320 systems the NIC order may have mixed up
after
              installing Up2Date 7.004.
Workaround:   Check cabling or contact Astaro Support.
Fix:          Fixed in 7.005


ID06255 7.003 ASG 425 interface problem after Up2Date to version 7.003
-----------------------------------------------------------------------
Description: For some devices of ASG 425 series the interfaces were not
              correctly ordered after installing Up2Date 7.003.
Workaround:   ---
Fix:          Fixed in 7.004


ID06148 7.003 Empty hostname for DNS host cause system lockup
--------------------------------------------------------------
Description: When creating a DNS host definition and leaving the host
              field empty, the system may lock up.
Workaround:   --- (do not try to reproduce)
Fix:          Fixed in 7.004


ID06132 7.002 System allows interface routes without target interface
----------------------------------------------------------------------
Description: It is possible to create an interface route without
              selecting a target interface. This will result in a
              non-accessible routing page in WebAdmin.
Workaround:   ---
Fix:          Fixed in 7.005


ID06098 7.002 IP counting for licensing is too strict
------------------------------------------------------
Description: In some cases the IP counting also adds ARP requests to the
              licensed IPs which may result in a license usage false
              positive.
Workaround:   ---
Fix:          Fixed in 7.004


ID06094 7.002 MySQL may stop working after time change
-------------------------------------------------------
Description: When changing the time backwards MySQL may not work
              correctly afterwards. This will affect email handling
              (SMTP/POP3).
Workaround:   Reboot the system.
Fix:          Fixed in 7.004


ID05963 7.002 Timewarp shell script hangs on MiddleWare restart
----------------------------------------------------------------
Description: In case of a time warp effect (aimed at the past for more
              than 90 seconds), the MiddleWare may fail.
Workaround:   ---
Fix:          Fixed in 7.003
ID05956 7.002 Huge amount of SMTP domains will slow down WebAdmin
------------------------------------------------------------------
Description: When configuring a large amount of SMTP domains WebAdmin
              will slow down extremely. It also may not be possible to
              display the SMTP page at all.
Workaround:   ---
Fix:          Fixed in 7.005


ID05944 7.002 Wildcards in exception lists not allowed
-------------------------------------------------------
Description: Wildcards (using an asterisk *) in sender or recipient
              addresses in an exception list for HTTP, SMTP, and POP3 may
              not be working correctly.
Workaround:   ---
Fix:          Fixed in 7.003


ID05910 7.002 MiddleWare fails when Radius server is unresolved
----------------------------------------------------------------
Description: When using a DNS host definition as Radius server, the
              systems' Middleware may stop working when this host
              definition is not resolvable.
Workaround:   Use a static host definition for the Radius server.
Fix:          Fixed in 7.003


ID05876 7.002 IPSec Roadwarrior Connection not counted in Dashboard view
-------------------------------------------------------------------------
Description: In the Remote Access view of the Dashboard the IPsec
              Roadwarriors are not counted.
Workaround:   ---
Fix:          Fixed in 7.004


ID05824 7.002 Possible parsing errors concerning SIP control packets
---------------------------------------------------------------------
Description: Due to a missing out-of-bonds check of the FROM line in a
              SIP control packet, a parsing error may occur, which may
              bring the entire system down at the worst case.
Workaround:   ---
Fix:          Fixed in 7.003


ID05796 7.001 Unable to expand the preview window in quarantine manager
------------------------------------------------------------------------
Description: It is not possible to expand the preview window in
              Quarantine Manager. The popup window you get after clicking
              on the preview button is to small.
Workaround:   ---
Fix:          Fixed in 7.005
ID05778 7.001 User objects not allowed as source/destination in DNAT/SNAT
rules
-------------------------------------------------------------------------
-------
Description: When creating a DNAT or SNAT rule, you can not select a
              "User network" object to be used as NAT destination or
              source. Nevertheless the objects can be used for "traffic
              source" and "traffic destination" parameters.
Workaround:   ---
Fix:          Fixed in 7.008


ID05740 7.001 No space left on device due to too many tmpLFI* files
--------------------------------------------------------------------
Description: Not removed temporary files in the /opt/tmpfs/ directory
may
              fill up the hard disk drive of the device rendering
WebAdmin
              inaccessible.
Workaround:   Reboot Astaro Security Gateway, because /opt/tmpfs/ is
              deleted during startup.
Fix:          Fixed in 7.002


ID05735 7.001 Wrong definition of the NTP service
--------------------------------------------------
Description: In WebAdmin->Definitions->Services NTP is defined as TCP.
Workaround:   Edit it to your needs.
Fix:          Fixed in 7.004


ID05732 7.001 Static Usergroups don't work in the Packetfilter
---------------------------------------------------------------
Description: Having standard usergroups in the Packetfilter ruleset will
              not work.
Workaround:   Create rules for the user objects directly.
Fix:          Fixed in 7.002


ID05716 7.001 Scalability of object tables in WebAdmin
-------------------------------------------------------
Description: Large object tables in WebAdmin (e.g., the list of network
              definitions) may take too long to be rendered in time, thus
              causing a repeating error message.
Workaround:   Click OK whenever the error message occurs. Depending on
the
              size of the object list, this might occur several times. A
              future version of WebAdmin will implement an alternative
              representation of object tables containing a larger number
              of objects.
Fix:          Fixed in 7.003


ID05703 7.000 Enduser Portal shows 127.0.0.1 as login source IP
----------------------------------------------------------------
Description: After activating SSL VPN, users connecting to the Enduser
              Portal port will get redirected because of the port sharing
              of SSL VPN and Enduser Portal. For the Enduser Portal it
              seems that you are coming from localhost, although you are
              coming from somewhere else.
Workaround:   ---
Fix:          Fixed in 7.300


ID05682 7.001 Internet Explorer 7 (IE7) is incompatible to WebAdmin
--------------------------------------------------------------------
Description: Internet Explorer 7 (IE7) is partly incompatible to
              WebAdmin. Some options such as the HTTP Proxy Profiles
              cannot be configured correctly using IE7.
Workaround:   Use Firefox 2 or Internet Explorer 6 to access WebAdmin.
Fix:          Fixed in 7.002


ID05665 7.001 Broken rendering of WebAdmin tabs in QoS settings
----------------------------------------------------------------
Description: Having lots of interfaces will leave the QoS page unusable.
Workaround:   ---
Fix:          Fixed in 7.006


ID05660 7.001 HTTP Proxy Profiles sorting
------------------------------------------
Description: The sorting order of proxy profiles is broken. When an
              exisiting proxy profile is edited and the place of an item
              is changed to position n, it is always placed on position
              n-1. However, the positions 'Top' and 'Bottom' work
              correctly.
Workaround:   ---
Fix:          Fixed in 7.002


ID05631 7.001 Downloaded Up2Date package may not get unpacked
--------------------------------------------------------------
Description: Due to a race condition between the downloader and the
              installer it might happen that an Up2Date package is
              successfully downloaded but not unpacked. Since only
              unpacked Up2Date packages are shown in WebAdmin as "ready
to
              install", it is not possible to install the firmware
update.
Workaround:   ---
Fix:          Fixed in 7.002


ID05592 7.000 Up2Date and Reporting may not work after installation
--------------------------------------------------------------------
Description: After initial setup System and Pattern Up2Date as well as
              inline reporting and logfile rotation may not work
              correctly. This is due to a missing configuration detail in
              the backend system.
Workaround:   Go to Management->System Settings->Shell Access and set a
              password for the root user at least. You do not need to
turn
              on Shell Access at all. Astaro recommends leaving it
              disabled. If you need Shell Access, please make sure to
              restriced access to trusted hosts/networks only and use
              strong passwords.
Fix:          Fixed in 7.001


ID05584 7.000 Spam threshold can not be switched off in SMTP profiles
----------------------------------------------------------------------
Description: In the per-domain profiles of the SMTP Proxy there is no
              option to switch off the spam thresholds at all.
Workaround:   ---
Fix:          Fixed in 7.005


ID05574 7.000 Additional interface menu may not be reachable
--------------------------------------------------------------
Description: After adding an additional interface to a primary and
              editing this primary interface, the configuration page of
              the additional interfaces does not load completely. In most
              cases you will see a grey page.
Workaround:   ---
Fix:          Fixed in 7.001


ID05474 7.000 No progressbar for UPS is shown in WebAdmin
----------------------------------------------------------
Description: When an Uninterruptable Power Supply (UPS) is connected to
              the ASG, the progressbar visible in the dashboard will not
              update.
Workaround:   ---
Fix:          Fixed in 7.400


ID05468 7.000 Definition dialog boxes with fixed width only
------------------------------------------------------------
Description: Some browsers the definition dialog boxes in the left
column
              do not show the horizontal scrollbar.
Workaround:   Use appropriate definitions.
Fix:          Fixed in 7.008


ID05404 RSA keys may be displayed incorrectly
-----------------------------------------------
Description: For a remote gateway, if an RSA key is imported as
              hexadecimal (0x) instead of base64 (0s), WebAdmin
interprets
              the keys as a hex value and displays "Infinity" instead of
              the key. This may happen for some versions of the Firefox
              browser on Windows operating systems.
Workaround:   Use a different browser/OS combination to access WebAdmin.
Fix:          Fixed in 7.003


ID05264 7.000 Wrong inline report data for H323 and SIP connections
--------------------------------------------------------------------
Description: The VoIP inline reporting for SIP may not work correctly.
              For H323, some data may not match the actual number of
              connections.
Workaround:   ---
Fix:          Fixed in 7.000


ID05239 Some IM/P2P protocols won't be blocked
------------------------------------------------
Description: Some of the IM/P2P protocols will not be blocked correctly.
Workaround:   ---
Fix:          Fixed in 7.002


ID04920 Interfaces that are part of a LAG are not shown in dashboard
----------------------------------------------------------------------
Description: Interfaces which are part of an Link Aggregation group are
              shown as 'unused' in the dashboard.
Workaround:   ---
Fix:          Fixed in 7.001

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:23
posted:10/28/2012
language:English
pages:96