Patch Version: 2.8.3.0300.13
Product: Intel NetStructure 7175 Traffic Director
Release Date: 04/16/02

Fix Details:

CR002056: server state remains "Unknown" for extended period of time

When adding new servers to a Layer 7 service configuration or changing a Layer 7 server from type disabled to type primary (disabled to enabled), the server status may remain "Unknown" for an extended period of time if there are dead servers in the configuration. This change reduces the amount of time that servers remain in the "Unknown" state.

CR003111: tcpdump with high traffic on the interface can cause a page fault panic

This panic occurs when the system is running with high traffic, including traffic for Layer 4 services. When the CLI trace command is executed with options, or when a tcpdump command is executed from the shell, the kernel panics and the system restarts because the wrong mbuf pointer was passed to the filtering function that handles the tcpdump or trace options. This change resolves the problem by providing the correct mbuf pointer to the filtering function.

CR003184: kernel panic: page fault at tcp_subr.c:742 in tcp_drain()

This panic occurs when the system is running low on mbuf memory for network connections. The tcp_drain() function is called to walk through the TCP internal structures, looking for memory that is no longer in use. A page fault results when a NULL pointer is dereferenced in error. This change modifies the behavior of tcp_drain() to skip the entries when a NULL pointer is encountered.

CR004104: CLI and GUI can hangup due to Policy Manager failure

When the Policy Manager fails, the CLI and GUI can become non-responsive. This change allows inter-process communication to be set up correctly when Policy Manager restarts.

CR004158: nat_mon: fid 0 failed to drain queue natmon_get_buf_ptr: no space aggrigate services

These messages can occur when the Stat Collector process does not restart normally after a Policy Manager failure.
This change allows the Stat Collector process to start successfully when Policy Manager restarts.

CR004775: rich_app does not work with custom methods with Content-Length

When custom HTTP methods are used, rich_app does not forward additional data if it is received in a separate packet although Content-length is specified in the HTTP header. This change modifies rich_app to always check for Content-length and forward additional data associated with any POST, PUT or custom HTTP method. This change affects Layer 7 services only.

CR004876: RICH does not insert Connection: close header in HTTP/1.1 connections

When a request is received without the "Connection: Keep-alive" or "Connection: close" directive in the HTTP header, rich_app does not insert it into the header prior to forwarding the request to the fulfillment server. With HTTP/1.1, the default action is "Connection: Keep-alive". Layer 7 services do not support HTTP Keep-alive connections, and the results of subsequent requests may be unsuccessful. This change modifies rich_app to always insert the "Connection: close" directive in the HTTP header prior to forwarding the request.

CR004972: rich_app parse for "Content-length" string starts after end of buffer

This issue is related to CR004775. When searching for the "Content-length:" directive in the HTTP header, the parser incorrectly initialized the search of the request buffer and searched outside of the buffer. This occasionally caused rich_app to find the string when the request did not include additional data. This caused the client browser to hang. This change confines the search to the request buffer correctly. This change only applies to Layer 7 services.

CR005037: don't check status for disabled servers

When servers on the dead server list are disabled and remain dead, their status shows as "Dead" and they continue to be probed although they have been disabled. This change stops dead server probes when servers are disabled.
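
A bounded header search of the kind CR004972 describes, as an added example (this is not rich_app code; the function name, return codes and sample request are assumptions). The lookup does not depend on the HTTP method, so it also covers the custom-method case in CR004775.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive compare of n bytes; caller guarantees both are readable. */
static int ieq(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Hypothetical helper: look for Content-Length in the header part of buf[0..len).
 * Returns 1 and stores the value in *out, 0 if absent, -1 if malformed.
 * Never reads at or past buf + len, and never searches the body. */
int find_content_length(const char *buf, size_t len, long *out) {
    static const char name[] = "content-length:";
    const size_t nlen = sizeof(name) - 1;
    size_t pos = 0;
    while (pos < len) {
        const char *nl = memchr(buf + pos, '\n', len - pos);
        size_t eol = nl ? (size_t)(nl - buf) : len;      /* line ends inside buf */
        size_t end = (eol > pos && buf[eol - 1] == '\r') ? eol - 1 : eol;
        if (end == pos) return 0;       /* blank line: headers over, body follows */
        if (end - pos >= nlen && ieq(buf + pos, name, nlen)) {
            size_t i = pos + nlen;
            long v = 0;
            int digits = 0;
            while (i < end && (buf[i] == ' ' || buf[i] == '\t')) i++;
            for (; i < end && isdigit((unsigned char)buf[i]); i++, digits++) {
                if (v > 100000000L) return -1;       /* reject absurd lengths */
                v = v * 10 + (buf[i] - '0');
            }
            if (!digits || i != end) return -1;      /* junk after the number */
            *out = v;
            return 1;
        }
        pos = eol + 1;                  /* next line; the loop stops at len */
    }
    return 0;
}

int main(void) {
    /* Constructed sample: a 25-byte partial request, then stale bytes past it. */
    const char mem[] = "GET / HTTP/1.1\r\nHost: a\r\nContent-length: 99\r\n";
    long v = 0;
    return find_content_length(mem, 25, &v) != 0;   /* 0: stale header ignored */
}
```
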

CR005459: rich_app adds new configured servers to the active list without state info

When a new server is added to a Layer 7 service, it was initially available to receive new client requests, although it may have been disabled or dead. This change does not allow servers to receive client requests until the status has been verified as "Active" by the Policy Manager.

CR005850: Need to disable SSH1 support

This change removes support for SSH1 and the NULL cipher to prevent potential security problems.

CR006105: booting to patch after removing base release fails with permission error

When booting to a patch build after the base release boot index has been deleted, a permission error is displayed and the boot does not occur because of an invalid location of a symbolically linked file for the MSD agent in the patch directory. This change corrects the symbolic link location of the file to eliminate this error.

CR006340: Brokers not sending error when Content-length is smaller than actual data received

The broker was not forwarding HTTP requests or sending an error to the client when the Content-length specified in the HTTP header was smaller than the actual data received. This change allows the broker to forward requests that are received with more actual data than specified in Content-length to the server, and allows the server to handle the request.

CR006444: MTU value can not be renegotiated after initial "syn"

When a client connection attempted to renegotiate the MTU, the broker did not handle the ICMP message correctly. The result was a failure to forward the server response to the client successfully. This change allows the broker to successfully modify the MTU value when a client attempts to renegotiate. The rich_bias parameter in the boot monitor must be DISABLED for use with this patch.

CR006540: kernel panic: "Recursive nat_tcp_input call"

This kernel panic was caused by kernel memory that was allocated for Layer 4 connections in SAP mode but was not used or deallocated normally. This change modifies SAP mode to avoid the unnecessary kernel memory allocation.

CR006793: rich_app doesn't forward the FIN to the server in STATE_PROXY_TO_DEATH

When a server does not send a FIN after sending all data to be forwarded to a client, the FIN from the client was not forwarded to the server, and the connection resources in rich_app were not freed correctly. This caused problems with memory usage in rich_app that could have other adverse effects. This change modifies rich_app to forward the FIN from the client to the server if the server has responded with data but has not yet closed the connection.

CR006788: Connection: close header does not get put in header

If an HTTP 1.1 request with Content-length was received without the "Connection:" header, the headers inserted for Layer 7 processing were placed in the data portion of the request when they should have been inserted in the HTTP header. This change modifies Layer 7 processing to insert the headers in the correct place in the HTTP header.

CR007090: Revocation: mode ENABLE accepted by CLI but not recognized by rich_app

The command "... key client-ca revocation mode ENABLE" is accepted by the CLI, but it was being treated as disabled by rich_app. The reason was that rich_app was searching only for a lower-case "enable". This change modifies the Policy Manager to force it to provide the revocation mode to rich_app in lower case.

CR007115: login to CLI immediately after reboot hangs and never returns a prompt

This problem occurs if the user logs in to the CLI before the background processes on the broker are started. The CLI waited forever for messages that were never sent.
This change modifies the communication flow between the CLI and the background processes to ensure that the CLI session can be used normally in this case.

Installation Instructions:

1) Download the patch install file to a local FTP server.

2) Verify that the device is currently booted to a valid boot index for patch installation. This patch can only be installed on release 2.8.3.x.13 for the same product with a patch version less than 0300.

   Note: If this patch is installed on an incorrect release, the "config sys software install" command may report that the image has been installed, but the new boot index will not be shown with the "config sys software info" command.

3) Save the current policygroup configuration to a save filename (not default.cfg).

   Note: This is a precautionary measure. A manual restore of the configuration will only be necessary if the current running configuration fails to restore normally after booting to the new boot index.

4) Install the patch install file using the CLI "config sys software install" command or the GUI Update Software facility.

5) Verify the newly installed boot index is available for boot.

6) Boot to the newly installed boot index.

7) Verify the policygroup configuration has restored normally.