Вы находитесь на странице: 1из 43

RELEASE & DOCUMENTATION NOTES

Product: Riverbed Steelhead Appliance Release Date: July 27, 2009


RiOS Version: 5.5.4 (Build 105)

CONTENTS
1) 2) 3) 4) 5) 6) 7) 8) 9) New Features in RiOS 5.5 New Features in RiOS 5.5.2 New Features in RiOS 5.5.3 New Features in RiOS 5.5.4 Fixed Problems Known Issues Managing RiOS 5.5.4 with a Riverbed CMC Protecting Encrypted MAPI and Signed CIFS Traffic Upgrading RiOS Software What upgrades are allowed? Before you upgrade Important information about upgrading to version 5.5.x Upgrade model requirements Upgrading models 520, 1020, 1520, or 2020 to RiOS version 5.5 Steps to upgrade RiOS Software: Installing the Riverbed Services Platform (RSP) Requirements for RSP with RiOS version 5.5 Steps to install the RSP software: Upgrading RSP from RiOS version 5.0 to RiOS version 5.5 Upgrading Your Hardware Hardware and Software Requirements Limitations Documentation Notes

10)

11) 12) 13) 14)

1) NEW FEATURES IN RIOS 5.5


Riverbed Services Platform
In RiOS version 5.5, Riverbed extends its lead in the virtualized services space with a new version of the Riverbed Services Platform (RSP), which offers branch-office-in-a-box services via the following new benefits:

RIVERBED TECHNOLOGY CUSTOMER SUPPORT

Page

A VMware-based virtualization platform provides the benefits of the worlds most-deployed and advanced virtualization tool set. Support for running up to five different additional services on a single Steelhead appliance. New support for more services and new types of services. These now include in-band packages that sit inline with optimization, such as the new Universal Threat Management (UTM) security services, proxy solutions like video or network monitoring services, and improved support for out-of-band packages like Windows Active Directory, DNS/DHCP and print. A comprehensive integrated user management interface that provides granular control of the RSP, including setup, reporting, and the definition of the data flow between services.

Data Protection (backup and disaster recovery)


The new data protection features in RiOS version 5.5 further improve the throughput of Steelhead appliances resulting in improved recovery point and backup times. A combination of multi-core balancing, enhanced adaptive data streamlining modes and adaptive compression are all geared towards further improving throughput for Data Center workloads and data protection scenarios.

Lotus Notes Application Streamlining


With the new Lotus Notes Application Streamlining module in RiOS version 5.5, Lotus Notes users experience significantly improved performance in sending email attachments, server to server replication, and client to server replication across the WAN.

Acceleration of Encrypted Microsoft Exchange


New in RiOS version 5.5 is the ability to run all Microsoft Exchange Application Streamlining optimizations on encrypted Microsoft Exchange traffic. RiOS releases prior to RiOS version 5.5, provide optimization for unencrypted MAPI 2000, 2003 and 2007 traffic. The new optimization is particularly important for Outlook 2007 environments where encryption is turned on by default.

Microsoft Office AppLock Optimization


With the new MS Office AppLock Optimization feature in RiOS version 5.5, latency optimization now remains enabled for all users even in times of contention for the same file. In previous versions of RiOS, when two or more users tried to open the same document, latency optimizations would cease for the first user. This optimization improves access times specifically for Microsoft Word and Microsoft Excel files.

CIFS Optimization for SMB Signed Traffic


The new CIFS Optimization for SMB Signed Traffic in RiOS version 5.5 enables Steelhead appliances to deliver the same high levels of CIFS performance even when the CIFS traffic is signed by the server. In previous releases of RiOS, signed CIFS traffic would receive Data and Transport Streamlining optimizations but no CIFS Application Streamlining. This new optimization is valuable in environments where the domain controller is also used as a file server and where signing is explicitly enabled either on the client or on the server.
RIVERBED TECHNOLOGY CUSTOMER SUPPORT Page

NOTES: The RiOS SMB Signing feature requires delegate user accounts. If a delegate user has "Logon denied" set for the entire day (under Account -> Logon Hours), then delegation cannot be performed because the credentials for the delegate user cannot be obtained. A delegate user with access to the CIFS service does not have logon privileges. The RiOS SMB Signing feature does not support Windows NT or Windows 2000.

TCP Dump Tool


The TCP Dump Tool allows you to capture one or more traces in parallel directly from the Management Console without logging into the Steelhead appliance through the CLI. Common switches are selectable through check boxes and any custom parameters required for a trace can be entered into a free-form field. Captured trace files are easily accessible through HTML links directly from the Management Console.

SSL Certificate Chains


Server certificate chains no longer require manual installation of the entire chain onto the server-side Steelhead appliance. For example, server certificates that are signed by intermediary certificate authorities that in turn may then require validation by higher-level certificate authorities require only the server certificate itself to be installed onto the server-side Steelhead appliance. The Steelhead appliance automatically discovers the entire chain and completes validation seamlessly before commencing optimization.

Top Talkers
Top Talkers in RiOS version 5.5 delivers granular visibility into WAN bandwidth usage by reporting the top hosts, applications, and conversations based on the proportion of WAN bandwidth that is consumed. To understand both optimized and non-optimized traffic patterns, both optimized WAN traffic and all traffic passed through from LAN to WAN is included in the reporting.

Peer Scalability
Peer Scalability greatly increases the maximum amount of Steelhead appliances or Steelhead Mobile Clients that can connect in to any given Steelhead appliance, enabling large deployments to scale with ease.

2) NEW FEATURES IN RiOS 5.5.2


Backup and Restore RSP Slot Information
In RiOS version 5.5.2, users can now backup and restore information for installed RSP slots in case the Steelhead appliance fails. Use the rsp backup CLI command to backup and restore RSP data. See the Riverbed Services Platform Installation and Configuration Guide at https://support.riverbed.com/docs/rsp.htm for more detailed information.

RIVERBED TECHNOLOGY CUSTOMER SUPPORT

Page

Simple Certificate Enrollment Protocol (SCEP)


This allows Riverbed Steelhead appliances to request signed certificates for enrollment and reenrollment from the certificate server.

Certificate Revocation List (CRL)


This allows Riverbed Steelhead appliances to download CRL lists which contain revoked certificates from certificate servers through LDAP. Revoked certificates will be considered invalid by the Steelhead.

Connection-Forwarding Statistics and Alarms


This feature will help make the status of Connection Forwarding more visible. It includes: Alarms to alert the customer to problems such as a connection failure, a keep-alive timeout, or when connection latency has exceeded a set threshold. Statistics and counters related to neighbor connections and latency.

3) NEW FEATURES IN RIOS 5.5.3


Windows Server 2008 Support
RiOS version 5.5.3 now supports Windows Server 2008 servers and domains for CIFS, PFS, SMB Signing, and both encrypted and unencrypted Microsoft Exchange traffic. These features are supported in all Windows Server 2008 domain functional modes (native or mixed mode - see http://technet.microsoft.com/en-us/library/cc754918.aspx for information on domain functional levels).

Enhanced NetFlow
Steelhead appliances will now export an enhanced version of NetFlow to Riverbed Cascade. This enhanced format will allow automatic discovery and interface grouping for Steelhead appliances in the Riverbed Cascade Profiler and seamlessly support Cascades new WAN and optimization reports.

4) NEW FEATURES IN RIOS 5.5.4


RiOS 5.5.4 introduces optional RAID on the 1050 appliance. This option can be factory ordered and configured or added through a RAID upgrade kit. The model codes for Steelhead 1050 appliances with RAID enabled are 1050LR, 1050HR, and 1050MR. Adding RAID is a destructive process and deletes the data store. Once you add the RAID option to a 1050 appliance, you can only upgrade to other RAID models.

RIVERBED TECHNOLOGY CUSTOMER SUPPORT

Page

5) FIXED PROBLEMS
Fixed between 5.5.3c (Build 91_7) and 5.5.4 (Build 102):
23522 Fixed an issue where a passthrough connection would not appear in either the CLI or the web interface. 28565 Fixed a problem where attempting to sort within the Current Connections as user Monitor would return the user to the Home page instead of sorting. 32673 Fixed an issue where clicking "Clear Cache" in the web UI would not return any feedback to the user. 32896 Fixed a problem that occurred when switching to and from Domain and Local Work Group, after which the "Short Domain Name" field and "local work group" fields would contain invalid entries. 33438 It is now possible to copy and paste an SSL certificate between Peering Trust and Mobile Trust. 34417 Fixed an issue that caused the error "[rcu.ERR]: open_connection(),../mgmt/unix/gcl_connection.cc:377" after an upgrade. 35028 RSP slots can now be prioritized as Low, Normal, or High, with Normal the default setting. These settings are used to change the allocation CPU resources, with Low receiving the least and High the most. 36534 Fixed web errors that resulted when trying to jump to a log time earlier than any timestamps in the current log file. 36936 Fixed an issue where one-hour QoS graphs generated around 5-minute boundaries were missing detail. 37174 Fixed an issue where the monitor user could execute disallowed commands. 37224 Fixed an issue where a user could join a Steelhead appliance to a domain without confirming the Domain Administrator password. 37523 Change to ensure that Steelhead appliances do not respond if a user presses the CTRL-ALT-DELETE keyboard sequence. 39417 The command "show logging" is now allowed for the diagnostics role. 39504 Fixed a problem that caused an unexpected failure of process sport while optimizing HTTP traffic. 40380 Removed logging of messages like "Deferring the smb consume as another packet is currently processed". 40399 Added ability for the PFS feature to handle target servers in a different, but trusted, domain. 40669 Fixed NFS crash when the readdirplus reply from the server was returning two or more entries with the same file handle with different mtimes.

RIVERBED TECHNOLOGY CUSTOMER SUPPORT

Page

40950 Errors on the Steelhead during a configuration restore may cause the CMC to report the restore operation as 'failed', even if the configuration restore was successful. The CMC will display an error message like 'Failed to issue configuration switch to remote appliance.' when this occurs. 41033 Fixed an issue where half-closed connections could not be reset in the web UI or on the CLI using "tcp connection send reset". 41558 Added error messages that occur when a user attempts to delete all RADIUS or TACACS servers. "Cannot delete all (TACACS or RADIUS) servers when no other possible authentication methods are configured". 41592 Steelhead appliance models 1050 and 2050 can now use 64-bit RSP packages. 41656 Fixed crash with log message "[assert.CRIT] - {- -} ASSERTION FAILED (a->state_ == TimerAction::PENDING) at ../rbt/iocore/unix/event_thread.cc:1543" 42504 Fixed problem where congested HS-TCP connections could end up using too much memory and cause the sport process to crash with log messages like: [dataseg.CRIT] - {- -} malloc of 65536 bytes for 65536 failed [assert.CRIT] - {- -} ASSERTION FAILED (seg) at ../misc/databuf.cc:693 42739 Fixed the appearance of the display from the CLI command "show ip sec peers". 42825 Fixed an issue where the ADD button was incorrectly enabled in the absence of entries for User, Password, and Password Confirm in the Windows Domain and Local Workgroup settings. 42894 The Asymmetric Routing table can now be sorted by clicking on column headers on the Configure > Networking > Asymmetric Routing page. 43213 Process statsd crash with log messages like "[mgmtd.WARNING]: Request failed; statistics subsystem not running". 43459 Clarified "Share has error" message when adding PFS share without correct permissions on origin folder. 43466 Remote commands executed through ssh logins are now limited. 43467 Added a CLI command, 'sport custom secure enable', that hardens the appliance by setting various kernel parameters to more conservative values. 'no sport custom secure enable' reverts the enhanced security settings. 43614 Fixed a problem where some buttons in the web UI were enabled when they should not have been. For example, the Add a New NTP Server button was not disabled when Set Time Manually had been selected. 43697 Fixed an issue where a Lotus client would time out while sending an attachment over a slow link with high latency. 43837 Fixed a memory leak in management of qos rules. 43843 Reduced memory consumption of MS-SQL optimization. 43845 The Connection-Forwarding latency alarm is now off by default. 43906 Disabled Nagle on the receiving side of the Connection Forwarding neighbor connection.

RIVERBED TECHNOLOGY CUSTOMER SUPPORT

Page

43934 Fixed problem where some strictly invalid characters in HTTP referrer fields (e.g. space instead of "%20") were not parsed properly, and the HTTP session was no longer optimized. 44098 Disabled Nagle on the receiving side of the Connection Forwarding neighbor connection. 44204 Fixed a rare problem that caused process sport to crash in do_malloc. 44220 Fixed an issue where the menu bar in the web UI would not be active until the entire page had been loaded. 44324 Fixed an issue that caused a memory leak in the Current Connections report. 44334 Fixed a problem that caused a crash when obtaining the list of trusted domains needed by the SMB signing and encrypted MAPI features. 44432 Updated the version of "bind" on the appliance to fix security vulnerability CVE2009-0025. However, it is unlikely that the vulnerability can be exploited on Riverbed appliances as we do not use the affected feature. 44435 Fixed an issue with Traffic Summary data retrieval that caused a given day to show more data than the entire week when the end time fell within 1% of a data point for Steelhead 4.1.7 or 5.0.5 or later. 44495 Fixed a problem where the PFS alarm was not cleared after the offending share had been deleted. 44534 Fixed handling of RSA key generation failure when generating SSL server certificate. 44535 Fixed a problem leading to a log message such as "[mgmtd.ERR]: md_radius_commit_check(), md_radius.c:448, build 84: Error code 14000 (generic error) returned" when deleting remote authentication server. 44583 Fixed a problem with Enhanced Auto-Discovery and a serial cluster in a transit hub like in the following setup:
Client ---> Steelhead1 ---> WAN ---> Steelhead2 ---> Steelhead3 ---> Serial Cluster Router Server <--- Steelhead4 <--- WAN <--- Steelhead2 <--- Steelhead3 <--|

The SYN probes would be dropped by Steelhead2 on the way back from the hub router and the connection would fail. 44647 Added a feature that enables Steelhead appliances to drop RST (reset) packets generated by certain firewalls sitting in between the client-side and server-side Steelheads when the firewall times out or closes the pseudo connection created by the auto-discovery probe request and response. If the RST packets reached either the client or server, the optimized connection would be closed prematurely and dropping them avoids the problem. 44675 Patch for IPSec-tools security vulnerability CVE-2009-1632, which allows a remote attacker to cause a crash. 44694 Patches for MIT krb5 vulnerabilities CVE-2009-0844, CVE-2009-0845, and CVE2009-0846.
RIVERBED TECHNOLOGY CUSTOMER SUPPORT Page

44712 Updated time zone data to 2009g version. 44745 1U xx50 Steelhead appliances now use memory temperature on the motherboard instead of internal core CPU temperature as the system temperature. CPU core temperatures are highly variable depending on the individual CPUs as well as the system load and do not properly reflect the system operating temperatures. 44789 Updated base OS RPMs for the following security advisories. Vulnerabilities in cpio, curl, file, tcpdump, and tar were judged to be the most likely to be exploitable on the appliance, although it is not certain that they are exploitable. Others appear to be very unlikely to be exploitable on the appliance. o o o o o o o o o o o o o o o o coreutils: CVE-2008-1946 cpio: CVE-2005-4268 curl: CVE-2009-0037 cyrus-sasl: CVE-2006-1721 e2fsprogs: CVE-2007-5497 ed: CVE-2008-3916 file: CVE-2007-2799 krb5: CVE-2009-0846 libpng: CVE-2008-1382 CVE-2009-0040 libxml2: CVE-2008-4225 CVE-2008-4226 nfs-utils: CVE-2008-1376 openldap: CVE-2008-2952 perl: CVE-2008-1927 tcpdump: CVE-2007-1218 CVE-2007-3798 tar: CVE-2007-4131 util-linux: CVE-2007-5191

44795 Made improvements to the reporting graphs in the web UI. 44813 Fixed a problem that caused a crash with a log message such as "[assert.CRIT] - {- -} ASSERTION FAILED (refcount_ >= STEP) at ../rbt/misc/refcounted.h:67". 44831 Fixed a problem that displayed the error "An error has occurred while processing the Configure > My Account page. Please contact customer support." when an RBM user tried to view the My Account web page. 44890 Fixed an issue where the monitor user could access some inappropriate logs. 44911 Fixed an issue where a Lotus Notes client would time out while sending an attachment over a slow link with high latency. 44936 Updated ntp to version 4.2.4p7, which fixes security advisory CVE-2009-1252. 44968 Fixed a condition that caused a crash in md_web.c due to uninitialized lc_launch_result struct during SSL certificate generation.

RIVERBED TECHNOLOGY CUSTOMER SUPPORT

Page

44997 Fixed a problem where some RBM users had incorrect access privileges. 45016 Updated default NTP servers to reflect change in Riverbed's NTP server IP addresses. 45038 Steelhead appliances now drop peer control connection when there are no optimized sessions 45090 Fixed a problem where trying to jump to a time in the system logs gave the message "An error has occurred while processing the Reports > Diagnostics > System Logs page. Please contact customer support." 45153 Fixed a memory leak in rcu_helperd. 45165 Fixed stated crash accompanied by numerous log messages, including "Error computing CHD 2050." 45276 Fixed differences in Connection-Forwarding alarm names to make them consistent in the web and command-line interfaces. 45402 Where connectivity issues between Steelheads exist, the [splice/client.ERR] log message noting a connection failure additionally lists IP address and port information. 45420 New user account names with capital letters are not allowed. 45476 Fixed a process sport crash due to a race condition. 45519 Fixed several issues that caused HTTPS connections to Oracle Applications R12 servers to be dropped. 45616 Hardened security of appliance by setting some kernel sysctl parameters to more secure states. 45668 Fixed an issue where the RSP Checkpoint Package fails to install with the following message: "Unable to install package's persistent disk Slot 1 could not be installed. 46130 Fixed an issue where the "View Running Config" link was not enabled for the Monitor user on the Configure > Configurations page in the web UI. 46147 Fixed a problem introduced in RiOS version 5.0.8 where the Steelhead would fail to intercept and optimize connections if packets for a connection that started on a certain inpath interface were routed and received on another in-path interface of the same Steelhead. This could occur in networks with asymmetric routing or packet load balancing, or when a routing change was caused by a router or WAN failure. 46213 Added "protocol ssl bug-workaround dnt-insrt-empty enable" to handle case where Microsoft Internet Explorer 6 cannot browse SSL connections encrypted with 3DES. 46218 Fixed a problem that occurred after changing the domain name on a Steelhead appliance where a web login would fail because the domain name had not been updated to the new value. 46272 Fixed an issue that resulted in poor performance when the client issues certain FSCTL calls 46367 Added the "rsp" option when generating a sysdump (debug generate dump rsp), which includes VMware support information in the sysdump for customers using RSP. 46408 Fixed an issue where folder permissions were being ignored during a manual sync of a PFS local-mode share.
RIVERBED TECHNOLOGY CUSTOMER SUPPORT Page

46740 The "Connection Forwarding" page is now available to users with network_settings role instead of requiring both the network_settings and acceleration_service roles. 46833 A "Restart needed" message is now displayed when Virtual In-Path mode is changed. 46852 Fixed a problem that displayed errors like "issubclass() arg 1 must be a class" when attempting to add or remove multiple licenses. 46875 Fixed an issue where there was no indication on the Configure > Security > User Permissions page when the Monitor user account was disabled. 46979 Fixed a problem where connections transitioning to pass-through had incorrect values for src and dst devices. 47102 Fixed a problem where a Steelhead appliance would sometimes fail to come out of bypass mode. 47136 Fixed a problem where the secure vault was not successfully converted after an upgrade, resulting in the message "Secure Vault Not Initialized" and the log error "[mgmtd.INFO]: An error was detected while initializing the secure vault. Please contact customer support." 47147 Fixed a problem that caused spurious internal error messages when an invalid authorization method was entered. 47527 RSP is limited to 1.5 GB on Steelhead models 250 and 550.

Fixed between 5.5.3b (Build 91_5) and 5.5.3c (Build 91_7)


43793 Double interception is supported on the branch side if the client is connecting to a server in the same branch but the connection goes over the WAN to a data center hub to be routed through a firewall or IPS/IDS device before being routed back to the branch. The branch Steelhead will be optimizing the connection twice with the data center Steelhead. Once on the way to the data center, and once on the way back from the data center. The data going through the firewall will be in clear and non-optimized. Client--->Steelhead1--->WAN--->Steelhead2---> | Firewall/IPS/IDS Server<---Steelhead1<---WAN<---Steelhead2<-- 44629 Fixed a problem that caused a memory leak when adding, deleting, or modifying rules. 46075 Fixed a problem where Full Transparency would not work after generating a sysdump on a Steelhead with RiOS Service Platform installed but not enabled because packets would be generated with the wrong TCP checksum.

RIVERBED TECHNOLOGY CUSTOMER SUPPORT

Page

10

Fixed between 5.5.3a (Build 91_2) and 5.5.3b (Build 91_5)


44583 Fixed a problem with Enhanced Auto-Discovery and a serial cluster in a transit hub like in the following setup: Client -> Steelhead1 -> WAN -> Steelhead2 -> Steelhead3 -> | Serial Cluster | Router | Server <- Steelhead4 <- WAN <- Steelhead2 <- Steelhead3 <The SYN probes would be dropped by Steelhead2 on the way back from the hub router and the connection would fail. 44647 Added a feature that enables Steelhead appliances to drop RST (reset) packets generated by certain firewalls sitting in between the client-side and server-side Steelheads when the firewall times out or closes the pseudo connection created by the auto-discovery probe request and response. If the RST packets reached either the client or server, the optimized connection would be closed prematurely and dropping them avoids the problem. 45016 Updated default NTP servers to reflect change in Riverbed's NTP server IP addresses. 45038 Steelhead appliances now drop peer control connection when there are no optimized sessions 45668 Fixed an issue where the RSP Checkpoint Package fails to install with the following message: "Unable to install package's persistent disk Slot "1" could not be installed"

Fixed between 5.5.3 (Build 91) and 5.5.3a (Build 91_2)


41656 Fixed crash with log message "[assert.CRIT] - {- -} ASSERTION FAILED (a->state_ == TimerAction::PENDING) " 41592 Steelhead appliance models 1050 and 2050 can now use 64-bit RSP packages with RiOS version 5.5. 42504 Fixed problem where congested HS-TCP connections could end up using too much memory and cause the sport process to crash with log messages like: [dataseg.CRIT] {- -} malloc of 65536 bytes for 65536 failed [assert.CRIT] - {- } ASSERTION FAILED (seg) 44432 Updated bind RPMs for patches against CVE-2009-0025. However, it is unlikely that the vulnerability can be attacked on Riverbed appliances due to the lack of use of the affected feature. 44675 Patch for IPSec-tools security vulnerability CVE-2009-1632, which allows a remote attacker to cause a crash. 44694 Patches for MIT krb5 vulnerabilities CVE-2009-0844, CVE-2009-0845, and CVE2009-0846. Note that CVE-2009-0847 is not applicable. 44745 1U xx50 Steelhead appliances now use memory temperature on the motherboard instead of internal core CPU temperature as the system temperature.

RIVERBED TECHNOLOGY CUSTOMER SUPPORT

Page

11

44831 Fixed a problem that displayed the message "An error has occurred while processing the Configure > My Account page. Please contact customer support." when an RBM user tried to view the My Account web page. 44867 Fixed a problem where the log filters in the web UI did not display anything. 44883 Fixed a problem where filtering and sorting were not working on the Reports > Networking > Current Connections page. 44997 Fixed a problem where some RBM users had incorrect access privileges.

Fixed between 5.5.2e (Build 78_8) and 5.5.3 (Build 91)


7358 Resetting alarm thresholds is now allowed. 17544 The From: address of email notifications is now configurable using the new CLI command "email from-address <email address>". 24568 Fixed a problem where the Monitor user could not view available NFS volumes on the Configure -> Optimization -> NFS page. 25505 Fixed a problem with Microsoft Internet Explorer where pressing Enter while the focus was in the IP field of the "Add a New DNS Name Server" section of the Configure > Branch Services > Caching DNS page did not properly add the server. 26691 Fixed memory consumption issue with NFS traffic. 30624 When the logs are rotated, a message is now generated identifying the current software version. 30877 Fixed a problem that caused a CIFS crash in Smb::File::respond_to_queued_create_requests (). 33118 The date and time are now validated on the Reports > Diagnostics > TCP Dumps web page. 33945 Changed some wording in the web UI to reduce confusion about the "Main Interface." 33969 Added support for the SH to be able to join a domain when communicating with Microsoft Windows Server 2008 domain controllers. 34647 After removing "admin" in the Steelhead appliance from the field for Default Web Login ID (Configure > Security > Web Settings) the cursor now appears in the "Username:" field on next login instead of the "Password:" field. 35319 The Steelhead boot loader can now be password protected, which prevents users from changing the default value. 36950 Fixed a problem that caused process sport to crash during or after a winbindd restart. 37311 Fixed a memory leak in NTLM authentication. 37631 Fixed a problem that caused a crash that occurred when a slow client caused too much buffering. 38209 Improved PFS logging for synchronized files with non-domain ACL entries.

RIVERBED TECHNOLOGY CUSTOMER SUPPORT

Page

12

38998 Fixed problem causing log messages like "add_data_if_new: len is 0, not adding databuf". 39313 Fixed an issue where the pre-population status data was not correctly displayed among different shares. 39344 Removed some expiring SSL certificates: - ABA.ECOM.cert.pem Asociacion_Nacional_del_Notariado_Mexicano.cert.pem Colegio_Nacional_de_Correduria_Publica_Mexicana.cert.pem DST_Baltimore_EZ_by_DST.cert.pem - Xcert_EZ_by_DST.cert.pem 39623 Fixed a problem that occurred when a Steelhead appliance started up with a locked secure vault that was subsequently unlocked, which produced incorrect log warnings about locked secure vaults when the service was restarted. 39643 Fixed a race condition that caused the optimization service to crash while in the process of shutting down 39664 Fixed a rare NFS race condition that caused a crash of the optimization service 39684 Updated OpenSSL library used by sport process to 0.9.8j for security advisory CVE2008-5077. Applied patches from OpenSSL 0.9.8k for security advisories CVE-2009-0590, CVE-2009-0591, and CVE-2009-0789. 40496 The PFS configuration is now properly cleared with the CLI command "reset factory." 40582 Fixed some problems with "Override the Global Default Key" checkbox in RADIUS and TACACS+ web pages. 41153 Fixed a problem with MAPI encryption that occurred when using a Microsoft Vista client with Service Pack 1 installed and a Microsoft Windows Server 2008. 41302 Reduce the verbosity of the debug logs, especially keeping out passwords. 41476 Fixed an issue that caused excessive memory consumption by the watchdog process. 41477 Fixed SSL commands to export peering or server certificates with private keys included. 41558 Added error messages that occur when a user attempts to delete the all RADIUS or TACACS servers. "Cannot delete all (TACACS or RADIUS) servers when no other possible authentication methods are configured". 41567 Improved the CLI hint message for RSP VLAN tags. 41812 Fixed a problem that prevented the installation of the RSP service from the Configure -> Branch services -> RSP service web page. 41825 Fixed a rare MAPI issue where email could not be sent or received with Microsoft Outlook 2007. 41984 Fixed an issue that prevented all email notifications from being sent after adding an email address prepended by a - (dash) character.

RIVERBED TECHNOLOGY CUSTOMER SUPPORT

Page

13

42025 Fixed an issue where a client-side Steelhead appliance made repeated unsuccessful attempts to connect to an unreachable in-path interface of a multi-in-path server-side Steelhead even after the network path changed and the probe request was routed to another reachable in-path. This issue occurred when the client-side Steelhead kept trying to reopen the connection with the same source port after a very brief time interval because the Server-side Steelhead's probe response kept telling the client-side Steelhead to connect to the unreachable in-path interface for that connection, instead of telling it to use the in-path interface the probe request arrived on. 42060 Fixed a problem with Simplified Routing (all mode) and Connection Forwarding when 2 neighbor Steelheads are in the same subnet and incorrectly use each others' mac addresses to send packets to a remote peer Steelhead. When Connection Forwarding and Simplified Routing are both enabled, the Simplified Routing *dest-source* mode should be used instead of the *all* mode. With the recommended *dest-source* configuration, this bug will not occur. 42330 Fixed problem where INFO level log messages were logged even though the configured log level was NOTICE. 42344 Fixed a rare problem that caused slow CIFS directory browsing on DFS shares. 42428 Fixed a MAPI problem that prevented Microsoft Outlook from connecting to a Microsoft Exchange server in a different domain. 42439 Changed the log level for the message "Unable to load realm/workgroup info. SMB Signing will NOT work." from WARNING to INFO level. These messages would be previously incorrectly be displayed on client Steelhead appliances that had not joined the domain but had either SMB signing or Encrypted MAPI enabled. 42449 Fixed a problem where MX-TCP was not being applied for VLAN traffic or with port/full transparency. 42484 Fixed a problem that disabled the field for entering a protocol number while adding rules to RSP data flow at Configure -> Branch Services -> RSP Data Flow. 42550 Patched OpenSSL for CVE-2009-0590, CVE-2009-0591, CVE-2009-0789. 42570 Fixed a problem where restoring a backup of a Steelhead Mobile Controller RSP package did not restore the package's persistent storage. 42577 Fixed a problem where the HTTP optimization scheme for specific servers would be ignored after a service restart. 42625 Fixed a problem that occurred in virtual in-path configurations, where multicast and broadcast packets caused the in-path interface rx frame drop count to increment. 42669 Deletion of a PFS share when a share lock file is inaccessible now fails with an appropriate message; deletion of PFS share when origin server is inaccessible now occurs with an appropriate message. 42698 Fixed a potential problem with Simplified Routing and Failover where two failover Steelheads might use each other's MAC addresses to send packets to a remote peer Steelhead or to clients and servers. 42711 Fixed a problem that in some cases gave the error "Error building table, No table data available for graph" and did not display reports on the Reports > Optimization > Data Store SDR-Adaptive web page.
RIVERBED TECHNOLOGY CUSTOMER SUPPORT Page

14

42744 Fixed an issue where a domain join would not fail if the NETBIOS domain name in the configuration was incorrect. 42750 Fixed an issue where the RSP service could be installed when RSP was already running. 42765 Fixed display of connection-forwarding average-latency statistics in a memdump. 42861 Upgraded OpenSSH to 5.2p1 to improve resistance to attacks against CBC ciphers. 42989 Fixed an authentication issue that occurred with SMB signing when a user entered User@REALM for share mapping. 42991 Fixed a problem where logging in to Microsoft Windows triggered an unsupported SMB call that caused the client to be blacklisted by the Steelhead appliance CIFS SMB signing feature. 43005 Fixed an issue where a crash occurred when a high number of connections were killed (properly) due to a lack of cache pages. 43029 Fixed a memory leak that occurred when checking for expiring licenses. 43074 Fixed an Enhanced Auto-Discovery problem where a connection should be passed through but would fail instead because a middle Steelhead appliance would drop pure SYN packets that the client retransmits. 43141 Fixed an issue where SMB-signing delegation would fail with Microsoft Windows Server 2008. 43190 Renamed the term "Main Interfaces" to "Base Interfaces" on the web interface. 43214 Fixed handling of cached HTTP objects with lifetime longer than one day. 43232 Fixed a problem that caused optimization service aborts due to excessive memory consumption under load with log messages like "[escpacker/datacomp.CRIT] - {-} deflateInit2 failed : -4 insufficient memory" 43310 Fixed a problem where reception of very large Huffman-compressed attachments in Lotus Notes optimization would fail with log messages like "/notesserver/server err] couldn't handle decompression of get object response; dropping socket". 43332 Made the CLI command "protocol attach compression" available for Lotus Notes optimization. 43342 Fixed a page load issue that was caused by receiving a badly formatted POST/GET request while doing an HTTP pre-fetch. 43394 Fixed an issue with VLAN transparency and Connection Forwarding where packets forwarded from a forwarding Steelhead to the optimizing Steelhead were using the wrong VLAN and could not get to the optimizing Steelhead. 43405 Fixed handling of encapsulated packets with 'in-path neighbor fwd-vlanmac' configured which is used in certain Connection Forwarding setups. The packets will now be returned to the sender with proper encapsulation when encapsulation is needed. 43416 Fixed a problem where a CMC pushing an SSL policy to a Steelhead appliance would result in "Error 1 updating CRL service (CA already exists)". 15

RIVERBED TECHNOLOGY CUSTOMER SUPPORT

Page

43452 Fixed a problem where backing up and restoring a VM in RSP could result in a nonfunctional VM. 43464 Added a basic_diagnostics role that does not have the capability of creating a tcpdump. 43469 The bootloader password can now be set. 43472 Fixed an issue where Steelhead appliances with more than one NIC installed would not properly delete DSCP marking rules, leading to resource leaks. 43482 Fixed an issue that prevented completion of a tcpdump when VLAN was selected and a filter added. 43499 Reduced excessive logging of "/sbin/secure_vault_check_mount.sh" messages. 43510 Upgraded OpenSSL used by device management to 0.9.8k. This fixes CVE-20090590, CVE-2009-0591, CVE-2009-0789, although CVE-2009-0789 was not applicable at all to the appliance platform. 43517 Fixed a problem where removing inherited file permissions on a share would fail. 43559 Fixed an issue where restoring a nonexistent backup to an RSP slot would clear that slot instead of failing. 43601 Fixed a problem where CIFS SMB signing would fail for a Vista client attempting to access a share by computer name instead of by IP address. 43636 Fixed an issue where the SSL CRL service was not updated during a bulk import of CA certificates. 43638 Removed unnecessary error messages generated when the MTU of a non-RSP device was modified. 43642 Fixed an issue that gave an error when locally destined packets arrived on a different in-path interface. 43726 Fixed a problem that caused warnings like "[cli.WARNING]: user admin: Binding /rbt/wdt/config/interface/inpath1_0 not consumed during reverse mapping" 43824 Fixed a memory leak in SCEP upgrade rules. 43862 Upgrade OpenSSL RPM used by base OS programs to 0.9.7a-43.17.el4_7.2 for CVE2008-5077. 43871 Fixed a memory leak in RSP. 43879 Changed nomenclature in the web UI to reduce confusion about the "Main interface" designation. 43882 Fixed an issue where restoring an RSP backup did not explicitly unregister the .vmx file before clearing the slot. In addition, if the backup file does not exist, the restore process will now fail before clearing the slot. 43904 Changed the text 'Obtain IP Address Manually' to 'Specify IP Address Manually'.

RIVERBED TECHNOLOGY CUSTOMER SUPPORT

Page

16

43907 Improved SDR-M performance on Steelhead appliance models 6120 and 6050 by allocating more memory to the optimization service. 43913 Added the CLI command "in-path module txhang-rd-fifo enable". 43914 Added the CLI command "in-path module tx-desc-pwr" to manage network interface transmission on certain Intel Ethernet chips. This value is the log base 2 of the maximum amount of data to put in a single descriptor. 43934 Fixed problem where some strictly invalid characters in HTTP referrer fields (e.g. space instead of "%20") were not parsed properly, and the HTTP session was no longer optimized. 43952 Fixed a problem where broadcast shares did not synchronize properly with Microsoft Windows 2008 servers. 43982 Added a change that prevents plain-text passwords from appearing in debug logs. 44012 Added the backup appliance IP address to the in-path rules table in the in-path rules policy page. 44038 Improved error messages that are displayed when a connection is rejected due to a request from the server for client authentication. 44039 Fixed problem resulting in log messages like "[web.ERR]: web: NameError: global name 'mgmt' is not defined". 44040 Fixed a crash with log "ASSERTION FAILED (txnq_cnt_ < _encoder_max_txn_cnt || force_flush == true) at ../codec/encoder.cc:1746". 44058 Fixed a problem where bidirectional network losses caused rare 3-6 second stalls on MX-TCP connections. 44079 Applied patch for kernel CIFS client security vulnerability CVE-2009-1439. 44232 Improved the handling of dropped connections in MAPI pre-population. 44350 Patch for IPSec-tools security vulnerability CVE-2009-1574, which allows a remote attacker to cause a crash. 44419 Fixed issue with Connection Forwarding on the client-side Steelhead if the SYN/ACK packet sent back to the client by the Steelhead goes through the neighbor Steelhead.

Fixed between 5.5.2d (Build 78_6) and 5.5.2e (Build 78_9)


43499 Reduced excessive logging of "/sbin/secure_vault_check_mount.sh" messages. 43510 Upgraded OpenSSL used by device management to 0.9.8k. This fixes CVE-20090590, CVE-2009-0591, CVE-2009-0789, although CVE-2009-0789 was not applicable at all to the appliance platform. 43862 Upgrade OpenSSL RPM used by base OS programs to 0.9.7a-43.17.el4_7.2 for CVE2008-5077. 44350 Patch for IPSec-tools security vulnerability CVE-2009-1574, which allows a remote attacker to cause a crash.

RIVERBED TECHNOLOGY CUSTOMER SUPPORT

Page

17

44432 Updated bind RPMs for patches against CVE-2009-0025. However, it is unlikely that the vulnerability can be exploited on Riverbed appliances due to the lack of use of the affected feature.

Fixed between 5.5.2c (Build 78_5) and 5.5.2d (Build 78_6)


43932 Added AUTH_NULL to the supported RPC authentication flavors. NFS traffic with authentication flavor as AUTH_NULL will now be optimized.

Fixed between 5.5.2b (Build 78_3) and 5.5.2c (Build 78_5)


42449 Fixed a problem where MX-TCP was not being applied for VLAN traffic or with port/full transparency. 43907 Fixed a problem where reclaimed memory was being underestimated on Steelhead appliance models 6120 and 6050. 44079 Applied patch for kernel CIFS client security vulnerability CVE-2009-1439.

Fixed between 5.5.2a (Build 78_2) and 5.5.2b (Build 78_3)


43392 Fixed a problem that caused an unexpected failure of process rbt_hald. 43405 Fixed handling of encapsulated packets with 'in-path neighbor fwd-vlanmac' configured, which is used in certain Connection-Forwarding setups. The packets will now be returned to the sender with the encapsulation when they should.

Fixed between 5.5.2 (Build 78) and 5.5.2a (Build 78_2)


36950 Fixed a problem that caused process sport to crash during or after a winbindd restart. 37311 Fixed a memory leak in NTLM authentication. 42577 Fixed a problem where the HTTP optimization scheme for specific servers would be ignored after a service restart. 43232 Fixed a problem that caused optimization service aborts due to excessive memory consumption under load with log messages like "[escpacker/datacomp.CRIT] - {-} deflateInit2 failed : -4 insufficient memory" 43394 Fixed an issue with VLAN transparency and Connection Forwarding where packets forwarded from a forwarding Steelhead to the optimizing Steelhead were using the wrong VLAN and could not get to the optimizing Steelhead.

Fixed between 5.5.1i (Build 58_21) and 5.5.2 (Build 78)


7358 Resetting alarm thresholds is now allowed. 11248 Fixed a problem that caused an unexpected exit of process smb when using CIFS prepopulation. 13752 The fakeindex option is now available in NetFlow. This is only applicable for virtual inpath or physical out-of-path deployments, where there is only a single interface - the WAN or Primary. When using the fakeindex option, the Steelhead knows about the direction of the flow (i.e. LAN-to-WAN or WAN-to-LAN) and can therefore substitute the interface index before exporting the packet to the NetFlow collector.

RIVERBED TECHNOLOGY CUSTOMER SUPPORT

Page

18

13961 Fixed a problem that occurred when using the unsupported CLI command "inpath neighbor advertiseresync" with WCCP. In that case the Steelhead appliance would join the service group before it had fully received the NAT (Network Address Translation) entries from its neighbors. This could potentially have caused optimized connections to be reset as the router may have forwarded packets to the Steelhead before it was fully aware of all optimized connections and the Steelhead would not have forwarded the packets back to the optimizing Steelhead. 14851 Fixed-target rules on a Steelhead with multiple in-path interfaces will now track server-side Steelhead status relative to a particular in-path interface to properly handle cases where some in-path interfaces could reach the server-side Steelhead while others could not. 15821 Fixed problem where rapid entry and exit of admission control caused Steelhead appliances to get stuck in bypass with errors like: "Mar 25 13:17:45 sh-a sport[3927]: [tproxy/server/0x0xc798400.ALERT] - {- -} HALT tproxy server 10.21.5.55:7810 accept error: Address already in use(98) stopping listening" 17217 Sport crash with "Unknown event EVENT_READABLE from EVSRC_NETWORK". 23182 The text entered in the description field when configuring QoS marking is now displayed in the web UI. 25790 Fixed CIFS crash with log message "ASSERTION FAILED (0) at ../protocol/smb/smb_parser.cc:3438" 26873 Fixed a problem where permissions for files on a PFS (Proxy File Service) share were incorrectly set to read-only. 27467 Added the ability to manage the SSL certificate used by the management web user interface. 28584 The Web interface now allows defining a default gateway in the aux interface section (used when the primary is not used). 29192 When replacing a certificate in the SSL peering Web UI, entering the private key is optional. 29538 An empty string is now disallowed for configuration parameters where it is invalid input. 29547 Fixed a problem that occurred when taking a tcpdump on RIOS interfaces while using RSP. 30102 Fixed a problem where a "secure vault is locked" alarm did not send an SNMP trap. 30600 Added a progress meter for RSP package upload. 30810 Fixed marking of required field in PFS Shares web page. 31044 Added an explanation for Lan Subnets field in the Netflow web pages. 31335 Fixed problem where upgrading from web interface may fail if the filename uses special characters or spaces. 32129 Added statistics and alarms for connection forwarding.
RIVERBED TECHNOLOGY CUSTOMER SUPPORT Page

19

32394 Resetting MAPI Pre-population connections is now not allowed in the web UI. This avoids the issue of receiving the general error "Command execution failed." message when attempting to reset MAPI Pre-population connections in the web UI. 32509 Fixed an issue where the Apply button would become disabled (grayed out) in some web pages. 33896 Added column sorting in the Configure -> Configurations table in the web UI. 34485 Fixed an issue with SMB signing where a delegation problem that occurred when mapping a share caused the initial mapping attempt to fail. 34560 Fixed a problem where the Add button in the Configure -> Optimization -> SSL Imports and Exports page was incorrectly enabled when required fields had not been filled in. 34601 Fixed a problem causing an NFS crash in sunrpc::ReadAheadCall::~ReadAheadCall () which could result in traffic being blocked instead of bypassed. 34674 Fixed an issue in the Configure > Optimization > In-Path Rules web UI page where required fields were not indicated correctly. 34797 Fixed a problem where SNMP ifIndex interface mappings changed when a Steelhead appliance was upgraded, leading to inconsistency between the SNMP monitor and the Netflow collector. The SNMP ifIndex can now be configured by the user, and can be made persistent with the command snmp-server ifindex-persist. This results in the snmp-index for a given interface name remaining constant across system reboots, upgrades, and hardware changes. 34911 Fixed the error message that appeared when adding a NetFlow collector with no capture interfaces. 34936 Improved the Command-line help for the command "protocol cifs oopen policy". 35296 The CLI command "snmp listen interface" now checks for invalid interface names. 35578 Added validation of dates in the Reports -> Export web page. 35816 Users can now backup and restore information for installed RSP slots. 36088 Fixed a rare problem where MAPI pre-population was started in spite of active connections from the client. MAPI pre-population now occurs only when all active connections are closed. 36249 Fixed an issue where downloaded RSP packages would be appear in the web UI and the output from the CLI command "show rsp packages" before they were fully downloaded. 36313 It is now possible to clear the IPMI alarm that occurs after opening the case of a Steelhead appliance for a memory upgrade. 36396 Fixed a problem where a CIFS file save would fail on a server that issued invalid or reused tree and file identifiers.

RIVERBED TECHNOLOGY CUSTOMER SUPPORT

Page

20

36505 Fixed a problem in the CIFS and NetFlow web pages where the Apply button remained enabled even though no valid input had been entered. 36538 Added column sorting to the Top Talkers web UI page. 36710 Improved the log messages that appear when a domain join fails. 36950 Fixed a problem that caused process sport to crash during or after a winbindd restart. 37176 Changed the log message "Failed to notify kernel of redirect ack" to give more information. 37215 Fixed validation of WCCP mask fields in the Steelhead appliance web UI. 37372 Added validation for the extension lists in the Configure > Optimization > HTTP and Configure > Optimization > CIFS web pages. 37387 Fixed handling of IP fragmented packets for the Steelhead to Steelhead connection when the Steelhead is in virtual-inpath mode. 37559 Changed the default NetFlow collector interface from None to All. 37639 When manually setting the time in the Configure > Networking > Host Settings web page, the entry for minutes is now properly validated. 37668 Removed unnecessary CIFS log messages like "forward_logoff_request() Request not in waiting statecmd". 37890 Fixed a problem that incorrectly denied the creation of an MX-TCP class that was defined under an H-QoS parent class with an actual lower percentage than the optimized limit. 37926 Fixed some aspects of display updates for CIFS Pre-population and PFS shares on the web interface. 37971 Fixed a problem where removing a single entry from an SSL peer list in the web UI using Microsoft Internet Explorer 7 removed all of the entries from the list. 38043 Fixed a problem where fans on Steelhead desktop models 250 and 550 ran at high speed but reported zero fan RPM values and triggered a Fan Error alarm after a reboot. 38082 Fixed validation of times for scheduled updates in the Configure -> Maintenance -> Software Upgrade web page. 38234 Improved the error messages that appear for impersonation failures when trying to optimize signed traffic. 38333 Removed a duplicate "You must restart the optimization service for your changes to take effect" message that appeared when adding an NFS server in the Override NFS Protocol Settings field on the Configure -> Optimization -> NFS web page. 38537 Fixed errors that occurred when attempting to view the logs in the Steelhead appliance web UI. 38595 Fixed some problems with CIFS that could have resulted in slow performance when there were many simultaneous connections reading/writing data.

RIVERBED TECHNOLOGY CUSTOMER SUPPORT

Page

21

38601 Added the message "Note: The Short Domain Name is required if the NetBIOS domain name is different than the first portion of the fully qualified domain name" to the Configure > Networking > Windows Domain page in the web UI. 38747 Fixed an issue where the SMB-signing blade would shut down when used with Network Appliance CIFS servers. 38791 Fixed CIFS problem that causes log warnings like "locking_andx has unknown fid." 38792 Fixed a problem where a Steelhead appliance initiated MAPI pre-population even though other MAPI connections were still active. MAPI pre-population now starts only after all other MAPI connections are closed. 39037 Fixed problem where the winbind process crashed after upgrading to RiOS version 5.5 on a Steelhead appliance with CIFS pre-population enabled but not in use. 39044 Kernel patch for CVE-2008-5713 denial of service with heavy network traffic on SMP appliances. 39064 Steelhead xx50 models now automatically update SATA disk firmware for Seagate drives. 39142 Fixed a problem where RSP termination was not reported by the RSP shell until a key is pressed. 39158 Fixed the display of the QoS command "show running config" when a wildcard (0.0.0.0/0) source subnet was specified. 39178 Fix crash in HTTP when duplicate entries with different URL forms points to the same object. 39230 Fixed a problem that occurred when using a CMC to restore a backup from a Steelhead appliance running RiOS version 5.0 onto a Steelhead running RiOS version 5.5. 39256 TCP connection used to detect if a fixed-target rule proxy is up is now fully transparent when using oob full transparency (in-path peering oobtransparency mode full). 39417 The command "show logging" is now allowed for the diagnostics role, "show peers" is now allowed for report and acceleration role and "stat convert * *" for report user. 39550 Fixed an SMB signing problem that caused a crash when the constrained delegation kerberos ticket obtained for a target server expired. As per windows domain security policies, kerberos service tickets are only valid for a specified duration (600 minute default value) and must be renewed upon expiry. Prior to this fix, an SMB-signed CIFS connection that occurred when the constrained delegation service ticket was about to expire would result in a sport process crash. Please refer to the following 39590 Fixed a problem on the Licenses web page where the license would be printed multiple times. 39614 Added support to optimize certain versions of Windows 2008 server. 39618 Fixed a problem on Steelhead appliances that resulted in long timeouts for dead ssh connections between a Central Management Console (CMC) and the Steelhead.

RIVERBED TECHNOLOGY CUSTOMER SUPPORT

Page

22

39620 The secure vault password now requires at least six characters. 39664 Fixed a rare NFS race condition that caused a crash of the optimization service 39702 Fixed a problem where the VLAN IDs of tagged broadcast/multicast packets were not being validated before the packets were accepted by an inpath interface. 39727 Fixed a problem where enabling encrypted communication from the web UI would fail. 39821 Fixed a problem where the alarm for "connection-forwarding latency exceeded" did not clear when the latency subsequently fell below the alarm threshold, which caused the Steelhead appliance to remain in a degraded state. 39866 Added the CLI command "protocol cifs clear_read_resp_data" to control when the Steelhead may purge data from the CIFS read-ahead cache. 39904 Fixed kernel deadlock with top talkers and inner connection failure. 40045 Fixed a kernel deadlock triggering a reboot as a result of restarting the service. 40110 Fixed condition that caused an SMB signing crash during Kerberos authentication due to the expiration of the Kerberos User Ticket. Kerberos user tickets by default are only valid for 10 hours and must be renewed upon expiry. Prior to this fix, a new SMB-signed CIFS connection that coincided with user ticket expiry would result in a sport process crash. Please refer to the following Microsoft Technet article for more information regarding Kerberos user ticket expiry: http://technet.microsoft.com/ 40159 Fixed incorrect NetFlow reporting of the IP and port of some flow records as 0. 40190 When the hostname of a Steelhead appliance is changed, the window titles are now changed to match. 40191 The CLI command "protocol ssl crl peering cas enable" no longer needs the service to be restarted to take effect. 40238 Logs of join failures now include fully qualified domain names. 40265 Log message filenames are now listed in the correct order. 40306 Fixed a problem where NetFlow egress tracking was not turned off when the Top Talkers feature was disabled. 40437 If local login authentication is disabled, deletion of all usable remote authentication servers (RADIUS and/or TACACS+) is no longer permitted. 40489 Fixed a crash that occurred in MAPI 2003 optimization with log messages like "[mapiclient/SafeFxSrcClient.INFO] ... [IP Addresses] Killing dispatch queue" 40496 The PFS configuration is now properly cleared with the CLI command "reset factory." 40567 Fixed a problem where the average value displayed in the Throughput report could be inaccurate when multiple granularity levels are present on a single graph.

RIVERBED TECHNOLOGY CUSTOMER SUPPORT

Page

23

40625 Fixed a WCCP issue with GRE redirect/GRE return and full transparency where a Steelhead Appliance sent transparent GRE-encapsulated packets for the Steelhead-toSteelhead connection to a different router than the one that originally redirected the packets from the client or server. 40660 Added status reporting for data store catch-up synchronization to display percentage complete. 40673 Updated bzip2 to 1.0.2-14.el4_7 for security vulnerability CVE-2008-1372. 40682 Fixed an issue where SMB-signed connections were not correctly identified and passed through for cases when the user did not have privileges to authenticate to the Steelhead. 40824 Fixed incorrect processing of ARP response coming in a different inpath from ARP request. 41142 Fixed a problem when joining a Windows domain while handling very long user names that led to an optimization service crash. 41154 Fixed occasional Lotus Notes optimization failures with "byte_buffer_to_databuf failed" log message. 41212 Fixed a signing issue that occurred when a server's NetBIOS domain name did not match the fully qualified domain name prefix. 41223 Fixed a CIFS problem that resulted in error messages like "request stat changed to REQ_RESP_PASSTHRU : cmd 0x71". 41234 Fixed a web UI problem where RBM (Role-based Management) roles changed on the user permissions page after more RBM users were added. This was a web-only issue, as the CLI always displayed the correct user roles and permissions. 41250 RSP memory is now shown even if RSP is not installed or enabled. 41271 Fixed a problem with Lotus Notes acceleration in the attachment send sequence that gave errors including the text "/notesclient/NotesCfeState notice] {- -} destructing NotesCfeState". 41279 Fixed a problem where connections with duplicate SYN packets were passed through. 41281 Removed internal packet processing counters from in-path interface statistics. 41300 Fixed a problem that caused Lotus Notes optimization to not optimize a connection with the log error Error parsing open_session response in 0[0]{Open_session}". 41307 Fixed a problem in Windows Vista and Windows Server 2008 where the presence of SMB2 traffic caused a Steelhead to drop a connection when signing was being used. 41320 Fixed an issue where Steelhead appliances would continually query the file system statistics, resulting in idle connections remaining open. 41401 CIFS reparse point optimization is now configurable. 41413 Fixed a crash in Encoder::clear().

RIVERBED TECHNOLOGY CUSTOMER SUPPORT

Page

24

41423 Fixed a HTTP performance degradation issue that occurred when the same object was embedded in a page with two different URI formats (absolute and relative). 41487 Fixed a problem that could cause IPSec connections to fail. 41523 Fixed a MAPI problem that prevented an encrypted Outlook client from connecting to the server when encryption was enabled. 41529 Made the terminology in the CLI and web UI consistent with respect to SMB signing. 41552 Fixed a problem that caused a MAPI crash when corrupt RPC packets were encountered. 41557 A valid entry is now required for the Primary Gateway IP on the Configure -> Networking -> Main Interfaces web page. 41572 Fixed a rare situation where a Lotus Notes client would get a networking error. 41599 Fixed a problem where an RSP Virtual Machine failed to power on when a virtual serial port was misconfigured. 41630 Changed the in-path interface counters to 64 bits on 64-bit appliances. 41654 Fixed a problem where a Steelhead appliance configured on a VLAN trunk with a fiber NIC would send incorrect packets which prevented optimization. 41660 Improved the Connection-Forwarding log messages to include the source port number of the neighbor connection when available and to remove it when not available. 41675 Fixed a problem that occurred when there was no data to synchronize between master and slave Steelheads, and the catch-up percentage was incorrectly displayed as 0% instead of 100%. 41709 Fixed a problem where port ranges where not checked before a QoS marking passthrough rule was added and resulted in the log error "Management back end unavailable. Continuing with reduced functionality." 41721 Fixed problems with the secure vault on Steelhead xx50 models. 41741 Fixed a problem that caused a kernel crash and an unexpected reboot with Enhanced Auto-Discovery when the connection between the server-side Steelhead and the server took too long to establish either because of a network condition or due to the Steelhead or server being unresponsive. 41834 Fixed a problem where newly created files on PFS stand-alone shares inherited readonly permissions for Domain Users and Everyone. 41875 Fixed a problem where CIFS warm performance is slower than normal. 41933 Assuming no installed RSP package is using an Optimization VNI, fixed a problem whereby enabling the RSP Service on Steelhead appliances running RiOS version 5.5.x with virtual in-path configurations resulted in blocked traffic. 41965 Fixed a problem where the Ports label on the Configure -> Networking -> Port Labels page was not validated. 42002 Fixed a problem found only in RiOS version 5.5.1e that caused an unexpected reboot and kernel panic when using Simplified Routing and a multi-inpath Steelhead appliance.

RIVERBED TECHNOLOGY CUSTOMER SUPPORT

Page

25

42054 Fixed a problem where the inner connection failed if the SYN packet was VLANtagged but the probe response was untagged. 42055 Fixed a problem where improper locking of shared objects resulted in memory corruption and a crash. 42090 Fixed a problem where an issue with datastore synchronization would correctly cause an alarm condition to be raised, but the associated SNMP trap would not be sent. 42116 Fixed a problem that caused a process sport crash in SegstoreSyncClient::SegIOInfo::~SegIOInfo. 42157 Fixed a problem where the tables on the TCP dumps web page were not displayed, and there was a JavaScript error "ipv4ListAll not defined". 42164 Fixed a Lotus Notes optimization crash in NotesSfeConsumer::process_attachment_data (). 42206 Fixed a problem where Domain Join would fail if anonymous access to named pipes was restricted. 42348 Fixed an RSP problem where VM lock files where not removed, giving the error "vm:/proxy/__RBT_VSERVER_SHELL__/rsp2/slots/1/rsp.vmx' 1075595616 info] Question info: Cannot open the disk '/proxy/__RBT_VSERVER_SHELL__/rsp2/slots/1/Virtual Machine.vmdk' or one of the snapshot disks it depends on. Reason: Failed to lock the file." 42361 Fixed PFS Local Mode incremental sync on xx50 Steelhead appliances. 42498 Fixed problems that resulted in the message "Error building table" in the Reports -> Diagnostics -> Alarm Status web page. 42709 Fixed a Steelhead appliance crash that resulted from a dynamic configuration event (e.g. replacing a peering SSL certificate) on the inner SSL when the SSL blade was powered off. 42898 Fixed an issue that occurred when probe caching was disabled and when the Steelhead to Steelhead connection could not be established which resulted in connections being blocked instead of being passed through.

Fixed between 5.5.1h (Build 58_19) and 5.5.1i (Build 58_21)


41834 Fixed a problem where newly created files on PFS stand-alone shares inherited readonly permissions for Domain Users and Everyone. 42361 Fixed a problem with PFS local mode incremental sync on xx50 Steelhead appliances. 42567 Fixed a problem with the initial sync for broadcast or stand-alone PFS shares.

Fixed between 5.5.1g (Build 58_15) and 5.5.1h (Build 58_19)


26873 Fixed a problem where permissions for files on a PFS (Proxy File Service) share were incorrectly set to read-only. 35337 The extended file attributes such as HIDDEN, READ-ONLY and ARCHIVE are now supported for files and directories when using PFS (Proxy File Service).

RIVERBED TECHNOLOGY CUSTOMER SUPPORT

Page

26

41031 Fixed an issue for directory read-ahead optimization on DFS reparse points 41279 Fixed a problem where connections with duplicate SYN packets were passed through. 41281 Removed internal packet processing counters from in-path interface statistics. 41320 Fixed an issue where Steelhead appliances would continually query the file system statistics, resulting in idle connections remaining open. 41401 CIFS reparse point optimization is now configurable. 41654 Fixed a problem where a Steelhead appliance configured on a VLAN trunk with a fiber NIC would send incorrect packets which prevented optimization. 42164 Fixed a Lotus Notes optimization crash in NotesSfeConsumer::process_attachment_data (). 42206 Fixed a problem where Domain Join would fail if anonymous access to named pipes was restricted.

Fixed between 5.5.1f (Build 58_14) and 5.5.1g (Build 58_15)


37890 Fixed a problem that incorrectly denied the creation of an MX-TCP class that was defined under an H-QoS parent class with an actual lower percentage than the optimized limit.

Fixed between 5.5.1d (Build 58_7) and 5.5.1f (Build 58_14)


29258 Steelhead appliances now take into account proxy-connection header when deciding whether to keep an HTTP connection persistent. 34485 Fixed an issue with SMB signing where a delegation problem that occurred when mapping a share caused the initial mapping attempt to fail. 36950 Fixed a problem that caused process sport to crash during or after a winbindd restart. 38043 Fixed a problem where fans on Steelhead desktop models 250 and 550 ran at high speed but reported zero fan RPM values and triggered a Fan Error alarm after a reboot. 38890 Fixed a problem that could cause a crash in Netflow. 41552 Fixed a problem that caused a MAPI crash in DataIterator::DataIterator when corrupt RPC packets were encountered. 41741 Fixed a problem that caused a kernel crash and an unexpected reboot with Enhanced Auto-Discovery when the connection between the server-side Steelhead and the server took too long to establish, either because of a network condition or due to the Steelhead or server being unresponsive. 41875 Fixed a problem where CIFS warm performance is slower than normal. 42002 Fixed a problem found only in RiOS version 5.5.1e that caused an unexpected reboot and kernel panic when using Simplified Routing and a multi-inpath Steelhead appliance.

Fixed between 5.5.1c (Build 58_6) and 5.5.1d (Build 58_7)


39064 Steelhead xx50 models now automatically update SATA disk firmware.
RIVERBED TECHNOLOGY CUSTOMER SUPPORT Page

27

40489 Fixed a crash that occurred in MAPI 2003 optimization with log messages like "[mapiclient/SafeFxSrcClient.INFO] ... [IP Addresses] Killing dispatch queue." 41307 Fixed a problem in Windows Vista and Windows Server 2008 where the presence of SMB2 traffic caused a Steelhead to drop a connection when signing was being used. 41487 Fixed a problem that could cause IPSec connections to fail. 41523 Fixed a MAPI problem that prevented an encrypted Outlook client from connecting to the server when encryption was enabled.

Fixed between 5.5.1b (Build 58_4) and 5.5.1c (Build 58_6)


40987 Fixed a problem that caused RSP free memory reports to incorrectly include slots that were not enabled or powered on. After the fix, only slots that are enabled, powered on, or both will consume RSP memory. 41142 Fixed a problem that caused process sport to crash in NTLMkey::parse_ntlm_auth as a result of incorrect checking of username length. 41234 Fixed a web UI problem where RBM (Role-based Management) roles changed on the user permissions page after more RBM users were added. This was a web-only issue, as the CLI always displayed the correct user roles and permissions.

Fixed between 5.5.1a (Build 58_3) and 5.5.1b (Build 58_4)


37398 Fixed a crash due to improper MAPI protocol processing. 40405 Fixed a problem that caused email to accumulate in the queue as a result of a Lotus Notes server returning an error when sending an LZ-compressed attachment. 40824 Fixed incorrect processing of ARP response coming in a different inpath from ARP request. 40887 Fixed a problem that caused a kernel panic and repeated reboots during service shutdown in some Netflow situations. 40982 Fixed a problem in a L2 WAN setup where a Steelhead appliance on a non-native VLAN would send out Steelhead-to-Steelhead traffic to both the LAN and WAN interfaces simultaneously.

Fixed between 5.5.1 (Build 58) and 5.5.1a (Build 58_3)


36152 Fixed problem resulting in log messages like "[web.ERR]: web: pygs_init() gclsession.c:710, build 88: gclSession initialization failure" 38367 Fixed a problem that could cause a crash after log message like "/phash64 err] {- -}Inserting in a valid node for offset: 8364033" 39037 Fixed problem where the winbind process crashed after upgrading to RiOS version 5.5 on a Steelhead appliance with CIFS pre-population enabled but in use. 39178 Fixed a failure in HttpClient::handle_resp_done_apt().

RIVERBED TECHNOLOGY CUSTOMER SUPPORT

Page

28

39550 Fixed an SMB signing problem that caused a crash when the constrained delegation Kerberos ticket obtained for a target server expired. As per windows domain security policies, Kerberos service tickets are only valid for a specified duration (600 minute default value) and must be renewed upon expiry. Prior to this fix, an SMB-signed CIFS connection that occurred when the constrained delegation service ticket was about to expire would result in a sport process crash. Please refer to the following Microsoft Technet article for more information regarding Kerberos service ticket expiry: http://technet.microsoft.com/enus/library/dd277401.aspx 39904 Fixed kernel deadlock with top talkers and inner connection failure. 40045 Fixed a crash and reboot when restarting the service due to incorrect intercept shutdown. 40047 Enabled weekly reporting of basic system information to Riverbed. See https://support.riverbed.com/announce/dns.htm for more information. 40110 Fixed condition that caused an SMB signing crash during Kerberos authentication due to the expiration of the Kerberos User Ticket. Kerberos user tickets by default are only valid for 10 hours and must be renewed upon expiry. Prior to this fix, a new SMB-signed CIFS connection that coincided with user ticket expiry would result in a sport process crash. Please refer to the following Microsoft Technet article for more information regarding Kerberos user ticket expiry: http://technet.microsoft.com/en-us/library/dd277401.aspx 40306 Fixed a problem where egress tracking was not turned off when the Top Talkers feature was disabled. 40667 Fixed a crash and reboot when restarting the service due to incorrect intercept shutdown.

Fixed between 5.5.0f (Build 50_13) and 5.5.1 (Build 58)


1737 Log display no longer displays in red INFO lines that contain the string ERR. 8674 Fixed destination host unreachable error when "ping -I" is used to specify an inpath interface. 19163 The command "service port 80" is now allowed if "no web http enable" is executed without requiring setting "web http port" to something other than 80. 19603 Fixed QoS classification for active FTP connections, added QoS classification support for passive FTP connections. 20275 Fixed a problem that resulted in misidentification of the inpath interface names, which resulted in log messages such as "[mgmtd.ERR]: mri_get_bypass_state(), md_rbt_intercept.c:1046, build 0: Error code -1 (unknown error) returned" 21179 Fixed crash in DataIterator::peek () when optimizing MS-SQL. 21325 SNMP contact and location strings are limited to less than 256 characters. 21566 Scheduling an update job at a time in the past is not allowed. 22571 Fixed problem that could cause log messages like "[cgi.ERR]: lcgi_process_param(), lcgi_util.c:258, build 24_3: Required condition was not met"
RIVERBED TECHNOLOGY CUSTOMER SUPPORT Page

29

23360 Fixed NFS problem that caused excessive memory use. 23696 Fixed problems caused by replacing a NIC with another one having fewer interfaces, e.g. replacing a 4-port NIC with a 2-port NIC. 24251 Removed references to nonexistent SSL hardware from documentation. 24624 Removed message to restart service in situations where it is not necessary. 24925 A warning message is now displayed if an interface IP address is modified while DHCP is enabled. 25102 A destination port cannot be mapped to a nonexistent service port. 26319 Fixed CIFS crash caused by corrupt packets with invalid datacount() 28055 Removing a password from a WCCP service group is now allowed. 28551 Fixed crash in TdsState::remap_id_ctos_named when doing MS-SQL optimization. 29930 Fixed a CIFS crash in SMB signing. 30428 Fixed a MAPI warning "Error on unknown request" when using encrypted Outlook 2003 traffic. 31353 Improved CLI description of netflow "ip flow-export" command 31446 Fixed MAPI problem elicited by LoadSim resulting in log messages like "Error for accelerated callid 201234573." 31565 Added a separate alarm for failure to join a Windows domain rather than listing it as a PFS error. 31746 Fixed condition that caused mgmtd log errors when an RBM (Role-Based Management) user with limited permissions browses the Manage -> Policies page. 31770 Fixed a CIFS problem that could cause a crash in Smb::Parser::remove_request. 31776 Added missing GRE option to QoS rule CLI command. 31959 Fixed SNMP errors after adding interface alias with no IP address or netmask assigned. 31998 The "show logging" CLI command now correctly shows the maximum number of log files instead of displaying "no limit" for the finite value of 4294967295. 32406 Fixed handling of RADIUS and TACACS+ configuration to require confirmation when global keys are specified. 32545 Added statistics and state information for connection forwarding 33647 Fixed a memory leak in CIFS optimization. 33832 If a Steelhead appliance does not have sufficient disk space, attempting to generate a system dump now gives the message "Insufficient disk space to perform sysdump." 33994 Fixed problem where joining a domain causes problems in Radius or TACACS+ authentication.
RIVERBED TECHNOLOGY CUSTOMER SUPPORT Page

30

34046 Fixed condition that produced the log error "Internal error (code 1003)" when removing QoS classes. 34128 Assigning the same interface IP addresses to multiple neighbors is now disallowed. 34150 Added a check to make sure that at least one hash flag or one mask bit is set when setting up a WCCP service group. 34238 Added a configurable Connection-Forwarding feature enhancement to kickoff neighbor's optimized connections if neighbor becomes unreachable. 35015 Fixed problem where joining a domain with a password with a + character in it fails. 35293 Fixed coloring of errors and warnings in log messages. 35392 Fixed condition where a Steelhead ignored all but the first-configured TACACS+ server when multiple servers were configured and the first-hit authentication option was enabled. As a result, if the first TACACS+ server was down, the Steelhead did not check any of the other servers. 35864 Leaving a Windows Domain is now disallowed if SMB signing is enabled. 35875 The command "protocol connection lan half-closed kill-timeout *" is now more aggressive in cleaning up half-closed connections. 36162 User names with characters other than lower case letters, numbers, dashes, or underscore characters are no longer allowed. 36175 Fixed condition that caused Microsoft Internet Explorer to leak 4 Mbytes of memory per hour when displaying the Steelhead appliance web interface. 36280 Fixed situation where some log lines are not rendered with the correct color in the web interface. 36442 Fixed problem where per-command authorization does not fall back to local if TACACS+ authorization fails 36487 An alarm is now displayed if the RSP license is about to expire. 36559 The fan configuration has been modified so that the appliance runs more quietly. 36592 Fixed slowness in displaying RSP packages page. 36677 Fixed a problem where an error message was returned when adding/removing QoS class with mxtcp queue type 36678 Fixed problem with some RSP CLI commands that resulted in error "[cli.ERR]: user admin: keyword '*' is missing v1 capabilities. Add capab_required keyword parameter to the Command." 36681 Changed the labels for SMB signing rules "always-sign" and "never-sign" to "sign-only" and "sign-all-except." 36727 The options to set IP/Port hash flags, ports mode, and ports are now correctly displayed when adding a new WCCP service group. 36763 The user is now prompted to restart service after modifying WCCP group weights. 36764 Improved output for CLI "show rsp" command.
RIVERBED TECHNOLOGY CUSTOMER SUPPORT Page

31

36865 Fixed some problems with coloring log messages in the web interface. 36978 Fixed traffic summary reporting of MAPI optimization on client Steelhead appliance in transparency mode. 37015 Non-recurring jobs can now be rescheduled after completion 37023 Fixed a CLI crash when a user defined by TACACS+ is logged in and the TACACS+ server sends a bad packet. This has been observed when the user uses the "enable" command. 37078 Fixed display of page titles in the web UI. 37082 Enabled weekly reporting of basic system information to Riverbed. See https://support.riverbed.com/announce/dns.htm for more information. 37104 Fixed problem in MAPI component where messages like "Error for accelerated callid 201234586" appear in the logs. 37125 NFS connections using Kerberos authentication are now passed through, instead of being dropped. 37184 Fixed problem with WCCP mask bucket allocation calculation that could lead to unbalanced distribution of connections. 37236 Fixed condition where the command "tcp connection send" produced log errors but the command line did not return an error, falsely indicating success. 37254 Fixed a simplified routing issue where a server-side Steelhead would send out packets using the wrong destination mac address to servers which are in the same subnet as its inpath but for which it received the packets from the remote sites with a different VLAN from its inpath VLAN. 37265 The command "show wccp detail" now displays the protocol in use. 37298 Invalid RSP images and packages are now correctly displayed so that the user can remove them. 37334 Fixed problem where if a packet from localhost is sent before a packet was received from the destination, the vlan header will not be attached to the packet sent from the localhost. 37337 User names that include spaces are now properly handled in the command-line interface. 37347 Log errors with [web.ERR] no longer appear when RSP is not supported on a Steelhead appliance. 37368 Fixed problem where "Last Minute" time-interval statistics were not displayed for the Data Store reports in Reports > Optimization. 37414 Fixed joining a domain using long user name formats like DOMAIN\Username and Username@REALM. 37439 Fixed problem that prevented enabling Netflow exports for the RiOS LAN and WAN interfaces from web UI. 37454 Fixed problem using domain rejoin via web interface.

RIVERBED TECHNOLOGY CUSTOMER SUPPORT

Page

32

37460 Fixed condition that occurred in a vlan_conn_based setting with probe-caching enabled that resulted in packets being sent on an incorrect VLAN. 37472 Enhanced CIFS optimizations to add support for some operations used by Microsoft Windows Vista clients. 37493 Fixed condition that resulted in connection failure when both RSP and hardware checksum for an in-path interface were enabled. 37503 Fixed problem that prevented clearing the value for the optional slot watchdog IP address in the RSP packages page. 37525 Fixed condition that prevented a client-side Steelhead appliance from joining a domain when SMB signing is enabled on the server-side Steelhead. 37544 Fixed problem that caused the Data Store Hit Rate graph (Reports -> Optimization -> Data Store Hit Rate) to display no data. 37546 Fixed display of uncompressed traffic in Reports > Optimization > Data Store SDRAdaptive. 37567 Fixed some instances of incorrect HTTP prefetch when doing Parse and Prefetch optimization. 37583 Fixed handling of interfaces in VMX images for RSP. 37623 Changed string for default compression value from Default [1] to Default. 37654 Added "ssh server allowed-ciphers *" command to allow limiting ciphers for the ssh server. This allows limiting ciphers to those which do not have the vulnerability found in CBC ciphers (i.e. user can set it to allow only aes128-ctr, aes192-ctr, and aes256ctr). New appliances will default to allowing only aes*-ctr ciphers for the ssh server; upgraded appliances will retain the previous settings (which by default included all of those supported by the ssh server). 37666 Fixed a problem where RSP packages wouldn't receive license information after a package restart. 37687 Fixed problem where "_SID_= ..." message box pops up when filtering system log for "cookie" or "referer". 37694 The "show ver" and "show clock" commands are now available to non-admin users. 37740 Fixed problem where flex license installation does not take effect until after a service restart or a reboot. 37748 Fixed display of the continuous log on Firefox and Microsoft Internet Explorer 7. This is not yet fixed in Safari. 37757 Fixed problems that occurred when "Add Cookie" was enabled for HTTP optimization. This was more likely to be seen in Microsoft Internet Explorer than in Mozilla Firefox. 37787 Fixed problem where AAA accounting did not work for non-admin users. 37802 Disabled the Destination Hash and Source Hash fields when the WCCP Assignment Scheme is set to "Mask" in the Configure -> Networking -> WCCP web UI.

RIVERBED TECHNOLOGY CUSTOMER SUPPORT

Page

33

37839 Added "Additional configuration required for best security, see documentation" text to web interface page for enabling MAPI encrypted optimization and CIFS SMB signing. 37846 Improved the icons for RSP Data Flow LAN and WAN in the web interface. 37853 Fixed problem that gave log errors and an "Error building table" message in the RSP Dataflow table when the Dataflow contained an invalid VNI name or the name of a disabled VNI. 37855 Corrected text for "Enable Destination Network Address Translation." 37940 Fixed problem that produced numerous "[ssl/SrvClientAccept.WARN]" log messages for some SSL actions. 37967 Fixed problem receiving some attachments when using Lotus Notes optimization. 38039 Fixed MAPI problem that caused an Outlook 2007 client in non-cached mode to get the message "Network problems are preventing connection to Microsoft Exchange." 38050 Fixed condition that prevented powering on a package that specified 32MB as its memory allocation. 38051 When a duplicate license is entered, the warning "[mgmtd.WARNING]: Duplicate license rejected" is now displayed. 38063 Fixed a rare CIFS crash while answering read requests from local cache. 38064 Fixed a sport crash in FullDiskPHash64::remove with log messages like "[phash64.ERR] - {- -} Reached bucket end while searching for offset: 62390273 node idx :57346 node valid: 1node hihash : 692514371" 38112 Fixed problem sending some attachments when using Lotus Notes optimization. 38127 Fixed a problem where removing a QoS class resulted in log messages like "[mgmtd.ERR]: QoS (Class Del): RTNETLINK answers: Device or resource busy" 38138 Fixed a kernel memory leak. 38247 Fixed a Javascript error that occurred when editing a RADIUS or TACACS+ server at Configure -> Security -> TACACS+. 38266 Fixed problem with EAD where a middle Steelhead appliance whose LAN interface was connected to a client Steelhead would not pass through a connection when the client Steelhead had already decided to pass it through because the connection could not be intercepted which would cause a connection failure. 38324 Fixed issue that prevented PCI-X fiber NIC cards from establishing links when installed in Steelhead xx20 models. 38330 Fixed RSP "Enable Slot" button so that it is ON when the VM is in an OFF state. 38356 Added support for in-path RSP packages. 38390 Fixed a rare problem that occurred when sending a Lotus Notes attachment.
RIVERBED TECHNOLOGY CUSTOMER SUPPORT Page

34

38391 Fixed a CIFS problem where a crash may occur when using SMB signing with Microsoft Windows Vista and/or Microsoft Windows Server 2008. 38450 Entering the command "show rsp slot <slot>" when RSP is disabled now displays "Not available" for "Power State," "VMware Tools State," and "Number of CPUs." 38477 Updated BIOS version to 1.03A in Steelhead model 5050 to prevent memory errors that may occur with RSP when there are exactly 5 DIMMs per bank. 38491 Fixed problem where optimization service fails to start on a Steelhead appliance upgraded from 2.1 to 4.1 to 5.0 or 5.5 after the second restart. 38574 The Priority field is now displayed when the CLI command "show rsp slot" is entered. 38592 The Monitor user is now disallowed from viewing or downloading system logs. 38619 PFS and CIFS Prepopulation now try port 445 as well as port 139 in order to handle Microsoft Windows 2008 servers or servers with NetBIOS turned off. 38684 Fixed condition that resulted in a kernel panic when a Steelhead appliance received corrupted packets with incorrect length values in the IP or TCP headers. 38690 Fixed problem where Steelhead to Steelhead packets would be sent even after the corresponding client to server connection had already been passed through because it could not be intercepted properly. 38712 The "show jobs" CLI command finds no longer displays an error if no jobs are found. 38730 Fixed problem that caused the log error "/opt/hal/bin/hal: line 998: /sbin/update_eeprom.py: No such file or directory." 38741 When the HTTP "strip compression" option is enabled, it now strips out the "Vary: Accept-Encoding" response header. This allows Microsoft Internet Explorer to cache content. 38776 Proxy File Service is now supported on Steelhead appliance model 250. 38832 Fixed incompatibility between SH 5.0 and CMC versions 3.0.0 and earlier. 38948 Shortened help for command "reset factory clear-rsp" to prevent error message 'Description help for command "reset factory clear-rsp" is of length 67, maximum ideal length is 62' 39097 Fixed condition that caused process sport to crash when restarting service from the Steelhead Mobile GUI. 39111 Fixed missing pop-up online help on Windows Domain page. 39123 Fixed problem with double interception in virtual in-path deployments. 39178 Fixed a failure in HttpClient::handle_resp_done_apt(). 39221 Fixed a crash with log error "[assert.CRIT] - {- -} ASSERTION FAILED (phmembase_) at ../segstore/phash64.cc:215" that occurred on Steelhead appliance model 250-L when using PFS.

RIVERBED TECHNOLOGY CUSTOMER SUPPORT

Page

35

39234 Fixed a problem that caused an error on the CLI after removing an email recipient from the "notify events" list 39275 Updated the warning message that appears when a user enters duplicate in-path neighbor IP addresses to "IP address 'xxx.xxx.xxx.xxx' may not be reused in this neighbor peer. This is an invalid configuration. Please remove one of the duplicate addresses." 39291 Fixed incorrect display of statistics for MAPI traffic on a Steelhead Mobile client. 39339 Fixed a memory leak in the SNMP client. 39358 Fixed display of the error description in the hardware error alarm notification email. 39416 Fixed condition that caused failure with NT_STATUS_INVALID_NETWORK_RESPONSE when attempting to join a domain on a Microsoft Windows 2000 domain controller. 39556 Add support for connection forwarding via multiple inpath interfaces. 39570 Fixed an RSP problem that caused the management interface to bind to the aux interface instead of the primary interface. 39585 Fixed the RSP UI so that users can select the management VNI interface. 39611 Fixed problem that produced the warning "[cli.WARNING]: user admin: Binding /mgmtd/db/xml/product_version not consumed during reverse mapping." 39624 Fixed problem that prevented creating RSP packages with the same name as a VM directory. 39705 Fixed problem that could result in numerous log errors like "[mgmtd.ERR]: md_debug_upgrade_downgrade(), md_debug.c:352 : Unexpected NULL" after upgrading from RiOS version 4.1 to version 5.5.

Fixed between 5.5.0e (Build 50_12) and 5.5.0f (Build 50_13)


39037 Fixed problem where the winbind process crashed after upgrading to RiOS version 5.5 on a Steelhead appliance with CIFS pre-population enabled but in use. 39221 Fixed crash with log error "[assert.CRIT] - {- -} ASSERTION FAILED (phmembase_) at ../segstore/phash64.cc:215" that occurred on Steelhead appliance model 250-L when using PFS. 39416 Fixed condition that caused failure with NT_STATUS_INVALID_NETWORK_RESPONSE when attempting to join a domain on a Microsoft Windows 2000 domain controller.

Fixed between 5.5.0d (Build 50_11) and 5.5.0e (Build 50_12)


38477 Updated BIOS version to 1.03A in Steelhead model 5050 to prevent memory errors that may occur with RSP when there are exactly 5 DIMMs per bank. 38619 PFS and CIFS Prepopulation now try port 445 as well as port 139 in order to handle Microsoft Windows 2008 servers or servers with NetBIOS turned off.

RIVERBED TECHNOLOGY CUSTOMER SUPPORT

Page

36

38948 Shortened help for command "reset factory clear-rsp" to prevent error message 'Description help for command "reset factory clear-rsp" is of length 67, maximum ideal length is 62' 39123 Fixed problem with double interception in virtual in-path deployments.

Fixed between 5.5.0c (Build 50_9) and 5.5.0d (Build 50_11)


38324 Fixed issue that prevented PCI-X fiber NIC cards from establishing links when installed in Steelhead xx20 models. 38747 Fixed SMB signing when used with Network Appliance CIFS servers.

Fixed between 5.5.0b (Build 50_7) and 5.5.0c (Build 50_9)


33647 Fixed a memory leak in CIFS optimization. 37654 Added "ssh server allowed-ciphers *" command to allow limiting ciphers for the ssh server. This allows limiting ciphers to those which do not have the vulnerability found in CBC ciphers (i.e. user can set it to allow only aes128-ctr, aes192-ctr, and aes256ctr). New appliances will default to allowing only aes*-ctr ciphers for the ssh server; upgraded appliances will retain the previous settings (which by default included all of those supported by the ssh server). 38391 Fixed a CIFS problem where a crash may occur when using SMB signing with Microsoft Windows Vista and/or Microsoft Windows Server 2008. 38491 Fixed problem where service fails to start on a Steelhead appliance upgraded from 2.1 to 4.1 to 5.0 or 5.5. 38776 Proxy File Service is now supported on Steelhead appliance model 250.

Fixed between 5.5.0a (Build 50_6) and 5.5.0b (Build 50_7)


38356 Fixed problem where stopping an in-path package blocks traffic.

Fixed between 5.5.0 (Build 50) and 5.5.0a (Build 50_6)


35875 The command "protocol connection lan half-closed kill-timeout *" is now more aggressive in cleaning up half-closed connections. 37398 Fixed crash with log message "[eventthread/watch/worker/7.ERR] -} watcher:EventThread(worker)[LWP 10752] 0x186a000 is not healthy" 37583 Fixed handling of interfaces in VMX images for RSP. 37654 Added "ssh server allowed-ciphers *" command to allow limiting ciphers for the ssh server. 37839 Added "Additional configuration required for best security, see documentation" text to web interface page for enabling MAPI encrypted optimization and CIFS SMB signing. 37846 Improved the icons for RSP Data Flow LAN and WAN in the web interface. 37855 Corrected text for "Enable Destination Network Address Translation." 37

RIVERBED TECHNOLOGY CUSTOMER SUPPORT

Page

37967 Fixed problem receiving some attachments when using Lotus Notes optimization. 38064 Fixed process sport crash in FullDiskPHash64::remove with log messages like "[phash64.ERR] - {- -} Reached bucket end while searching for offset: 62390273 node idx :57346 node valid: 1node hihash : 692514371" 38112 Fixed problem sending some attachments when using Lotus Notes optimization.

6) KNOWN ISSUES
26067 Enabling IPSec with Full Transparency results in blocked traffic. 35141 The Web UI and Command-Line Interface may be temporarily unavailable due to very slow writing of snapshots and sysdumps.

7) MANAGING RIOS 5.5.4A WITH A RIVERBED CMC


RiOS version 5.5.4a can only be managed by Riverbed Central Management Console (CMC) versions 4.1.3c or later, 5.0.3e or later, or version 5.5.0 and later.

8) PROTECTING ENCRYPTED MAPI AND SIGNED CIFS TRAFFIC


IMPORTANT: If you have enabled either encrypted MAPI or signed CIFS traffic, Riverbed strongly recommends that you enable IPSec encryption to protect that traffic between two Steelhead appliances over the WAN. For details, see Configuring Encryption in the Management Console Users Guide, available on the Riverbed Support site.

9) UPGRADING RiOS SOFTWARE


The following instructions assume you are familiar with the Steelhead appliance, the CLI, and the Management Console.

What upgrades are allowed?


You can upgrade this version of RiOS to another version that is both higher in version number and chronologically newer. To identify potential upgrades for an engineering build such as 5.5.4a, use the date on which the base version (5.5.4) was released (July 27, 2009).

Before you upgrade


Riverbed recommends that the client-side and server-side Steelhead appliances on any given WAN link be upgraded at the same time. After the Steelhead appliances have been upgraded on each side of the network, you will see the maximum benefits of the version 5.5.x features and enhancements.

RIVERBED TECHNOLOGY CUSTOMER SUPPORT

Page

38

Riverbed supports mixing different versions of code simultaneously in a network and RiOS 5.5 is backward compatible with previous RiOS versions. However, as a best practice, Riverbed recommends running the same version of RiOS on all Steelhead appliances in your network. If you mix RiOS releases, the software might support different optimization features and you won't be able to take advantage of the latest features that are not part of the older software versions. For example, optimization of encrypted MAPI connections was introduced in RiOS 5.5, and that feature can only be used between Steelheads that are both running RiOS 5.5 or later. Additionally, starting in 5.0, the user interface (including the menu naming and organization) significantly changed and upgrading all appliances to 5.0 and later ensures a consistent experience while performing system administration.

Important information about upgrading to version 5.5.x


Upgrading from version 5.0.x: To upgrade a Steelhead appliance running RiOS version 5.0 to version 5.5, you must first upgrade that Steelhead to version 5.0.5c or later before you upgrade to version 5.5. Upgrading from version 4.1.x: If you are upgrading from version 4.1 to version 5.5, you should first upgrade to version 4.1.7d or later and then to version 5.5.

Upgrade model requirements


The 50 and 20 series of Steelhead appliances are supported by RiOS 5.5 as well as the desktop 50, 100, 200, and 300 models. The older xx00 and xx10 series of Steelhead appliances are no longer supported. Nearly all models in 5.5 now use the 64-bit build. The only models which run the 32-bit build are the 50, 100, 200, 300, 250 and 550. NOTE: Upgrading the 1U xx20 (520, 1020, 1520, 2020, and 2520) models requires switching from 32-bit builds to 64-bit builds and must be done from a specific RiOS version. See the following section for detailed information.

Upgrading models 520, 1020, 1520, or 2020 to RiOS version 5.5


IMPORTANT: Beginning with RiOS version 5.5.0, Steelhead models 520, 1020, 1520, and 2020 will only run 64-bit software images and will no longer run 32-bit images. This change is necessary to support the additional address space used by RSP. To upgrade one of these appliances to version 5.5, you must first upgrade to a version 4.1 or 5.0 release that supports the upgrade from 32-bit to 64-bit. You will be able to install the 64-bit version 5.5 software from the following versions:

RIVERBED TECHNOLOGY CUSTOMER SUPPORT

Page

39

5.0.5c or later 4.1.7d or later Note: Software versions prior to 5.0.5c and 4.1.7d will incorrectly allow the 32-bit image to be installed, however RiOS 5.5 will fail to run and the appliance will start up using the older version. If you upgrade from versions 4.1.7d or 5.0.5c to version 5.5 and change the data store encryption level, you will need to perform a restart clean if you later wish to downgrade back to versions 4.1 or 5.0.

Steps to upgrade RiOS Software:


1. Download the software image from the Software tab of the support site to a location such as your desktop. 2. Log in to the Management Console using the Administrator account (admin). 3. Navigate to the Setup: Software Upgrade page and choose one of the following options: 4. From URL. Type the URL that points to the software image in the text box. 5. From Local File. Browse your file system and select the software image. 6. Click Install Upgrade. The software image is quite large; uploading the image will take a few minutes. On 3020, 3520, 5520 and 6020 model appliances the software may take up to 4 minutes to boot when upgrading for the first time to RiOS version 4.0.x or later. This is normal, as the software is configuring the recovery flash device. Do not press Ctrl-C, unplug, or otherwise shut down the system during this first boot. There is no indication displayed during system boot that the recovery flash device is being configured. After the upload is complete, you are reminded to reboot the appliance in order to switch to the new version of the software. After reboot, the software version is displayed on the Home page of the Management Console.

10)

INSTALLING THE RIVERBED SERVICES PLATFORM (RSP)

The RSP service is a separate service from the Steelhead appliance service. You must install the RSP installation image, which contains the RSP service, separately from RiOS. After you install the RSP installation image onto the Steelhead appliance, you can deploy RSP packages onto the Steelhead appliance. Before installing a new RSP installation image, you must stop the RSP service currently running on the Steelhead appliance. See the Riverbed Services Platform Installation and Configuration Guide at https://support.riverbed.com/docs/rsp.htm for more detailed information.

Requirements for RSP with RiOS version 5.5


To run the RSP service with RiOS version 5.5, you will need: 2 GB additional memory on the Steelhead appliance. 40

RIVERBED TECHNOLOGY CUSTOMER SUPPORT

Page

Steelhead appliance models 250, 520, 550, 1020, 1050, 1520, 2020, 2050, 3020, 3520, 5050, and 6050. Note: The desktop 50, 100, 200, and 300 can't be upgraded with enough memory to support 5.5 RSP packages and the 5520 and the 6020 don't have a PFS partition to use for RSP. An RSP service license. The VM Server does not need a separate license.

Steps to install the RSP software:


1. Download the RSP image from the Software tab of the support site to a location such as your desktop. Be sure the image you download is supported on your version of RiOS. 2. Log in to the Management Console using the Administrator account (admin). 3. Go to Configure > Branch Services > RSP Service and choose one of the following options: 4. From URL. Type the URL that points to the software image in the text box. 5. From Local File. Browse your file system and select the software image. 6. From Previous Installation Image. 7. Click Install Upgrade. 8. Reboot the appliance.

Upgrading RSP from RiOS version 5.0 to RiOS version 5.5


If you have previously installed RSP for RiOS version 5.0.x, you must reinstall the RSP installation image for RiOS version 5.5 or later. RSP for RiOS version 5.0.x is not compatible with RSP for RiOS version 5.5. If you are running RSP with RiOS 5.0 and Wowza or the Linux Print packages and you upgrade to version 5.5 you will need to re-install completely by installing RSP for 5.5 and the RSP 5.5 package for Wowza or Linux print services. If you are running RSP with RiOS 5.0 and you are using Infoblox, please do not upgrade yet to RiOS 5.5. The Infoblox package for RSP version 5.5 will not be available until mid-year 2009.

RIVERBED TECHNOLOGY CUSTOMER SUPPORT

Page

41

11)

UPGRADING YOUR HARDWARE

The following table lists the supported hardware upgrades available for RiOS version 5.5.2, including any additional hardware that is required. All upgrades require a new license. Memory (DIMMs) 0 0 0 1 1 0 Hard Disks 0 0 0 1 1 4

From Steelhead Model

To Steelhead Model

License

1050L 2050L 2050M 1050L 1050M 5050M

1050M 2050M 2050H 1050H 1050H 5050H

new new new new new new

12)

HARDWARE AND SOFTWARE REQUIREMENTS

Steelhead Appliance:
The appliance is designed to be installed in a 19 inch (483 mm) two- or four-post rack (models 100 and 200 do not require a rack). WARNING: The system must be properly grounded (earthed) to reduce the risk of electrical shock. On European systems, the Green/Yellow tab on the power cord must be grounded (earthed).

Steelhead Management Console:


Any computer that supports a Web browser with a color image display. The Management Console has been tested with Mozilla Firefox version 1.0.x, 1.5.x, 2.0.x and Microsoft Internet Explorer version 6.0.x and 7.0. NOTE: Javascript and cookies must be enabled in your Web browser.

RIVERBED TECHNOLOGY CUSTOMER SUPPORT

Page

42

Steelhead Command-Line Interface:


An ASCII terminal or emulator that can connect to the serial console (9600 baud, 8 bits, no parity, 1 stop bit, and no flow control) or A computer with a Secure Shell (ssh) client that is connected by an IP network to the Steelhead appliance Primary interface. Free ssh clients include PuTTY for Windows computers, OpenSSH for many Unix and Unix-like operating systems, or Cygwin.

13)

LIMITATIONS

Please note that the use of transparency features in RiOS 5.x is not supported in Interceptor releases prior to 2.0. A Samba SMB client on Linux with either a Windows or Samba server will gain bandwidth optimization only, and not latency optimization An SMB mount from Linux to any CIFS server is not significantly accelerated. It performs Scalable Data Referencing but does not perform Transaction Prediction. CIFS performance degradation occurs with multiple sets (pairs) of in-path Steelhead appliances. For example:
Client -> Steelhead 2010 -> WAN -> Steelhead 2010 -> Steelhead 1010 -> Steelhead 2000-> server

This problem is dependent on configuration. Contact Riverbed Technical Support for further information.

14)

DOCUMENTATION NOTES

Documentation is available on the Riverbed Support site at: https://support.riverbed.com.

2009 Riverbed Technology, Inc. All rights reserved. Riverbed Technology, Riverbed, Steelhead and the Riverbed logo are trademarks or registered trademarks of Riverbed Technology, Inc. Portions of Riverbeds products are protected under Riverbed patents, as well as patents pending.
Riverbed Technology, Inc. 199 Fremont Street San Francisco, CA 94105 Tel: (415) 247-8800 www.riverbed.com Riverbed Technology Ltd. UK Farley Hall London Road Binfield Bracknell Berkshire, RG42 4EU United Kingdom Tel: +44 1344 206000 Fax: +44 1344 828850 Riverbed Technology Pte. Ltd. 391A Orchard Road #22-06/10 Ngee Ann City Tower A SINGAPORE 238873 Tel: +65 6508-7400 Fax: +65 6508-7401 Riverbed Technology K.K. Shiba-Koen Plaza Building 9F, 3-6-9, Shiba, Minato-ku Tokyo Japan 105-0014 Tel: +81 3 5419 1990

RIVERBED TECHNOLOGY CUSTOMER SUPPORT

Page

43