Announcing ExOS 6.4.4
Notes:
- All versions in the 6.4.3 line after 6.4.3 Update 7 are not able to update to 6.4.4. A 6.4.4 Update 1 will be released that will allow upgrades of versions 6.4.3 Update 8 and later.
- This release includes all changes from 6.3.13 and 6.4.3 Update 6
- No 32-bit images are provided. 6.4 will not be supported on 32-bit hardware.
- After upgrading and rebooting it is normal to see "No Data Available" on the graphs for a short period of time.
  - This is due to the processes starting up after the restart. When all the processes have restarted, data will show up again.
- 2061, 4010, 4061, 6060, 6062, 8060, 8062, 10060, 10062, Virtual
- 6.0, 6.1, 6.3, 6.4
- 64 bit image (6.4.4)
- Image Size: 440,620,366 bytes
- MD5: e8897900e10b370d3ec56efb9649f0cc
- If you are upgrading to ExOS 6.4 from ExOS 5.x or earlier:
  - This upgrade path is not supported. Please upgrade to ExOS 6.3 first.
- When updating to 6.4 from a previous version, there is an upgrade of all the data stored on the appliance. This update process may take up to 24 hours depending on the amount of data stored on the appliance and the type of appliance. While this upgrade is happening, the charts will show "no data available". You can check the status of the data update on the Dashboard -> System page.
Auto-discovery now uses TCP Option 230 [B-03088]
In versions prior to 6.4.4, the Exinda Appliance would always use TCP Option 30 to discover community member peers for acceleration. Starting in 6.4.4 this mechanism has moved to using TCP Option 230 instead.
Several modes of operation have been added for acceleration compatibility with versions prior to 6.4.4. The default compatibility mode used in 6.4.4 should be sufficient for all users. The other modes have been added to cover all necessary use cases. The modes are as follows:
- 30+230 (default setting) - This mode continues to send option 30, but sets a flag indicating that the device is capable of handling option 230. In this mode, the appliance will properly handle receiving an option 30 or an option 230. With this mode, the device attempts to learn which of its peers are capable of using option 230. Once the appliance has learned that a peer can use option 230, it will start using option 230 with that peer.
- 230 - This mode only sends and receives option 230. This will become the default in a future release.
- 30 - This mode only sends and receives option 30. This mode can be used if you are having problems with TCP option 230 being sent through various devices like firewalls.
- 230-compat - This mode will always send option 230 and will accept option 30
- 30-compat - This mode will always send option 30 and will accept option 230
This mode can be configured on the System -> Optimization -> TCP tab.
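The following Python example, added here and not taken from Exinda, parses the option area of a raw TCP header and reports which of the compatibility modes above would accept it, which helps when checking whether a device in the path strips option 230. The function names, the sample SYN headers and the option payload bytes are constructed for illustration; the page does not document the option's payload.

```python
import struct

# Accept sets per compatibility mode, transcribed from the list above.
MODE_ACCEPTS = {
    "30+230": {30, 230},
    "230": {230},
    "30": {30},
    "230-compat": {30, 230},
    "30-compat": {30, 230},
}

def tcp_option_kinds(tcp_header: bytes) -> list:
    """Walk the kind/length/value option area of a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    header_len = (tcp_header[12] >> 4) * 4  # data offset field, in bytes
    if header_len < 20 or header_len > len(tcp_header):
        raise ValueError("bad data offset")
    opts, kinds, i = tcp_header[20:header_len], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:  # End of Option List
            break
        if kind == 1:  # No-Operation: a single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")
        kinds.append(kind)
        i += opts[i + 1]
    return kinds

def accepting_modes(tcp_header: bytes) -> list:
    """Modes whose accept set matches an option kind present in this header.

    Kind 30 is also carried by Multipath TCP hosts (see D-01699), so a match
    on 30 alone does not prove the sender is an appliance.
    """
    seen = set(tcp_option_kinds(tcp_header)) & {30, 230}
    return sorted(m for m, accepts in MODE_ACCEPTS.items() if accepts & seen)

def build_syn(options: bytes) -> bytes:
    """Constructed sample input: a minimal SYN header with the given options."""
    options += b"\x01" * (-len(options) % 4)  # NOP-pad to a 32-bit boundary
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, offset << 4, 0x02, 65535, 0, 0) + options

MSS = b"\x02\x04\x05\xb4"
SYN_230 = build_syn(MSS + bytes([230, 4, 0, 0]))  # payload bytes are placeholders
SYN_STRIPPED = build_syn(MSS)  # what the far side sees if a device removes the option
```

An empty result for a SYN captured on the far side of a firewall, when the near side shows option 230, points at the firewall removing the option, which is the case the 30 mode is offered for.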
Updated Layer 7 Signatures [B-003411]
- New Applications:
  - Tumblr
  - Google Play Music
  - Vimeo
  - iTunes Radio
  - Sina Weibo
  - Forfone
  - LiveJasmin
  - jingdong (jd.com)
  - last.fm
  - IMS
  - TN3270
  - SCTP
  - OSPF
  - IPIP
  - OFFSystem
  - Windows Azure
  - Ubuntu One
  - Dailymotion
  - Deezer
  - Grooveshark
  - CNTV
  - SinaTV
  - Zynga
  - Crime City
  - Modern War
- New protocols:
  - Diameter
  - MQTT
  - Hike Messenger
  - OS Updates with Subtype 'iOS', 'Android', 'Windows Mobile'
  - DiDi
- Improved Signatures:
  - Ultrasurf
  - BitTorrent
  - GooberFixed
  - HTTP application Google Talk
  - HTTP
  - Spotify
  - YouTube
  - Amazon Shop/Cloud
  - Viber
Bug fixes and minor improvements:
- [B-03588] Addressed an issue with the NIC driver for lower end hardware that caused the following log message: kernel: [16409.705443] e1000e 0000:05:00.0: eth4: Detected Hardware Unit Hang
- [B-03345] The PDF report for Virtual Circuits now lists the Virtual Circuit name and the size of the Virtual Circuit with the labels "Bandwidth Used: YY Guaranteed: XX"
- [B-02783] The bridge alert now contains more useful information to help explain what might be causing the alert. The message now includes: Description: Bridge may be connected incorrectly. More 'internal' IPs have been detected on the WAN-side of the bridge than on the LAN-side. This can occur if the WAN and LAN connections reversed, where the WAN port connects to your LAN and your LAN port connects to your WAN. Or this can occur if you have external network objects defined as internal or vice versa. Note: The bridge direction check is only enabled for a limited time after boot. If you are sure that the WAN and LAN connections are correct you can ignore this alert.
- [D-02927] show config has been modified to show the current state of link-state mirroring when it has been changed from the default value. Previously it was not being shown in show config.
- [D-02875] When loading config that has an FQDN in it and the device has no connectivity to the DNS server, the CLI becomes very slow as the system tries to resolve the name. The workaround is to set config that requires an FQDN after the device has connectivity to a DNS server.
- [D-02872] An "_" is not accepted as a valid character for a Windows Domain name. This will be fixed in an upcoming release. If you have this issue, contact support for a workaround.
- [D-02797] The command "factory default keep-connect" has been modified to keep the VLAN ID information tied to sub-interfaces on bridges.
- [D-02686] Fixed an issue that was preventing the interfaces of multiple bridges from having the same VLAN ID. It is now possible to assign the same VLAN id to multiple bridges.
- [D-02664] When using the configuration text fetch command, the resulting file would be named "false" rather than the name specified. This behaviour has been fixed so that the filename specified is now the filename that is used.
- [D-02492] In some situations when using VRRP with an acceleration cluster deployment and having tcp acceleration dual bridge bypass enabled, the appliance may crash. This defect has been addressed and this deployment with these options no longer crashes the appliance.
- [D-02453] Fixed an issue with the Virtual Circuit scheduled report. When the Y-axis was scaled as a percentage of the virtual circuit rather than absolute bandwidth, there were circumstances when the graph was scaled incorrectly.
- [D-02454] Removed the table of all VCs from the single VC PDF report. Previously when creating a PDF of a single VC, there was a page left in the report that listed all the VCs configured on the appliance and their sizes. This has been removed when only a single VC is being reported.
- [D-02311] After upgrading to 6.4.3 existing scheduled reports from 6.4.2 and earlier no longer run on their schedule. This has been fixed and all scheduled reports run as per their configured schedule. This includes reports created in 6.4.2 and earlier as well as reports created in 6.4.3
- [D-02060] When private keys were set using web https customssl privatekey, they were dumped in the configuration when doing a show config. These private keys are now handled like other private keys in the system and are no longer dumped out with the configuration.
- [D-02001] When the system is configured to have more than a few thousand policies, the WUI becomes slow and unresponsive.
- [D-01699] You may notice lots of log messages that say "net_ratelimit: 11 callbacks suppressed". These messages are harmless. Since Apple released iOS7, the number of systems using TCP Option 30 (TCP Multipath) has increased. The Exinda system currently issues a log message each time it sees a packet with TCP Option 30. The net_ratelimit message is saying that the output to another internal log file was suppressed because it happened 11 times in a very short period of time. These net_ratelimit messages can be ignored as they carry no useful information. This has been addressed with the Option 230 feature of this version.
- [D-01654] When using a very large number of policies, the appliance will occasionally be seen to use a high amount of CPU when a change to the policy is made. Under extreme circumstances the appliance WUI may appear to lock up.
Known Issues:
- [D-02595] A regression has been introduced in 6.4.3 that causes the VoIP scores to be incorrect. VoIP scoring is now showing very high loss on the inbound side of the traffic which results in the loss measure being very high (30-50%) and the rFactor score to be inaccurate. This will be addressed in an upcoming release.
- [D-03060] Google has started to deliver YouTube over https. This hides the URL from the Exinda appliance. As a result the stream is being classified as google encrypted traffic.
- [D-02222] Anonymous Proxy: If the URL listed on the Objects -> Applications -> Anonymous Proxy tab is http://www.exinda.com/ap/apdata.tar.gz, then the Anonymous Proxy feature will not work. The correct URL is http://updates.exinda.com/aplist/alist.gz. If your Exinda appliance has the wrong URL set, you can issue the following CLI command to set it to the correct URL: anonymous-proxy url http://updates.exinda.com/aplist/alist.gz
- [D-02199] When an acceleration HA cluster is configured and the traffic being accelerated is located on a VLAN and has a VLAN tag, the traffic will not flow through the HA cluster properly. This issue is currently being investigated and a fix is expected soon.
- [D-01777] snmp: After a period of repeatedly querying the following sensors, the WUI will appear to be locked up and various processes within the appliance will crash. This will eventually repair itself. The affected sensors are: system health/cpu alarm, system health/disk alarm, system health/ram alarm, system health/nic alarm. The workaround is to not query these SNMP values.
- [D-01876] With SMB acceleration enabled, the Exinda Appliance can cause the Dell Kace K1000 to fail. The workaround is to create a network object defining the Dell Kace server and create a specific rule for Dell Kace traffic that does not accelerate the traffic.
- [D-01921] Under some circumstances Microsoft Lync traffic will be classified as MSN traffic.
- [APP-7426] pre-population: NTLMv2 authentication for HTTP is not supported
- [APP-3275] monitoring: Graphs/tables that show data for "last 60 minutes" show "this hour" in the drill-down reports.
- [APP-668] cli: command completion does not work for names with multiple words (that contain a space). e.g. show policy my policy