
RIVERBED PRODUCT RELEASE NOTES

PRODUCT: INTERCEPTOR APPLIANCE


RELEASE DATE: JULY 2, 2013
VERSION: 4.0.1

Contents
1. New Features in Version 4.0.1
2. New Features in Version 4.0
3. Fixed Problems 4.0.1
4. Fixed Problems 4.0
5. Known Issues
6. Hardware and Software Requirements
7. Contacting Riverbed Support

1) NEW FEATURES IN VERSION 4.0.1


Support for the 9200 model has been disabled in this release. Version 4.x is not officially supported
on the 9200, and this release prevents a 9200 from booting into 4.0.1.

2) NEW FEATURES IN VERSION 4.0


VLAN Segregation

VLAN segregation targets large enterprises and service providers/managed service providers.
Interceptor 4.0 provides secure segregation of traffic in multi-tenant environments, enabling
reuse of IP addresses across different tenants and allowing dedicated Steelhead resources
for each tenant.

Management ACL (Access Control List)

Allows customers to specify white lists and black lists of hosts that may access the Interceptor
Appliance over the management and in-path interfaces. ACL rules for both management and in-path
interfaces can be specified only in Standard (non-VLAN Segregation) mode. In VLAN Segregation
mode, ACL rules can be specified only for management interfaces.

3) FIXED PROBLEMS 4.0.1
92372: Added support for the Transparency Firewall Reset feature on the Interceptor.
Interceptor now forwards Transparent RST packets to the Steelhead for correct
handling.
93529: Fixed an issue where 'show run' did not reflect the actual MTU values of the
physical (lan/wan) interfaces when the in-path interface MTU was changed.
93742: Interceptor can now enable and disable allow-failure for CDP. If allow-failure is
enabled, Interceptor sends CDP packets on any available interface; if it is disabled,
CDP packets are sent only when all enabled interfaces are up and running.
103611: An alarm is triggered if no valid license is available on the Interceptor. Installing
a valid license and restarting the service brings the appliance back to a healthy state.
103724: Interceptor now requires a valid base license for the optimization service to work.
An alarm is triggered and the service is brought down if no valid license is available.
Installing a valid license and restarting the service brings the appliance back to a healthy state.
110502: glibc update for the following security vulnerabilities:
CVE-2009-5029
CVE-2009-5064
CVE-2010-0296
CVE-2010-0830
CVE-2011-1071
CVE-2011-1089
CVE-2011-1095
CVE-2011-1659
CVE-2011-4609
111095: NMCI Retina scan hit on CVE-2011-3048 in libpng
DETAILS
--------
The png_set_text_2 function in pngset.c in libpng 1.0.x before 1.0.59, 1.2.x before
1.2.49, 1.4.x before 1.4.11, and 1.5.x before 1.5.10 allows remote attackers to cause a
denial of service (crash) or execute arbitrary code via a crafted text chunk in a PNG
image file, which triggers a memory allocation failure that is not properly handled,
leading to a heap-based buffer overflow.

FIX
---
The patch has been added locally to the generic libpng-1.2.7-9 RPM. (NOTE: Scanners
that look only for a specific libpng version may not pick up the fix; with a backported
patch like this one, the package changelog, not the version string, is what records it.)
118945: Fixed an issue where a memory alarm was triggered but the system dump did not
show any memory errors, because the previous system dump skipped some important
information. The system dump now includes all memory error counters.
122427: Fixed an issue where the in-path rules of an instance in VLAN Segregation mode
were not grouped together in the 'show running' configuration.
124739: Previously, a critical Interceptor service polled hardware information every few
seconds, which could slow the system under heavy load, especially with high disk I/O.
This fix replaces the needless polling with an event-driven method.
125405: Fixed a process crash that occurs when collecting interface statistics under high
cpu and disk load, typically due to running several tcpdumps.
127040: Fixed an issue in VLAN Segregation mode, where Interceptor health state is
incorrectly reported as healthy when one or more instances are in critical state. The
Interceptor will now report as Degraded when one or more instances are in critical state.
128844: Fixed an issue where the management daemon could log errors while going down,
e.g. after an upgrade.
130926: Per Intel's design clarification (see section 8.13 of the Intel 82571EB/82572EI
Ethernet Controller datasheet), if both ports are switching at the same time, link is never
established because RX activity is never detected on the receiver (the device turns off
the RX circuit on the RX path so as not to falsely establish link from its own link
pulses). On PHY reset, or when the PHY is physically connected to another device, the
port's pseudo-random timer is reset and differs from the other port's, allowing the link
to be established. Resetting the port when link fails can be used as a workaround.
133390: Fixed an issue in VLAN Segregation mode where a service-restart message was
displayed when assigning an IP address to in-path interfaces (e.g. inpath0_0, inpath0_1),
even though a service restart was not required.
133542: Only the VLAN tag bits corresponding to the VLAN ID are now considered when
matching hardware-assist rules.
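The distinction in 133542 matters because the 16-bit Tag Control Information (TCI) of an 802.1Q header carries three priority bits (PCP) and a drop-eligible bit (DEI) in front of the 12-bit VLAN ID; a rule that compares the whole TCI against a configured VLAN ID silently fails to match any frame sent with a non-zero priority, so traffic that should have been redirected is not. The Python below is an added example, not Riverbed code: it parses the tag out of a raw Ethernet frame and contrasts a whole-TCI comparison (an illustrative stand-in for the pre-fix behaviour, which is an assumption about how the old match worked) with the masked comparison the fix describes. The frames and MAC addresses are constructed test data.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag
VID_MASK = 0x0FFF    # the low 12 bits of the TCI hold the VLAN ID
HDR_LEN = 18         # dst(6) + src(6) + TPID(2) + TCI(2) + EtherType(2)


def build_frame(vid, pcp=0, dei=0, ethertype=0x0800, payload=b""):
    """Build a single-tagged Ethernet frame (constructed test data; MACs are arbitrary)."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    tci = (pcp << 13) | (dei << 12) | (vid & VID_MASK)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_tag(frame):
    """Return the raw TCI and its PCP/DEI/VID fields, or None if the frame carries no 802.1Q tag."""
    if len(frame) < HDR_LEN:
        raise ValueError("frame too short for an 802.1Q header")
    tpid, tci = struct.unpack_from("!HH", frame, 12)
    if tpid != TPID_8021Q:
        return None
    return {"tci": tci, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & VID_MASK}


def match_vlan_whole_tci(frame, rule_vid):
    """Compare the entire 16-bit TCI with the configured VLAN ID.

    Assumed stand-in for the pre-fix behaviour: any non-zero PCP or DEI makes the
    comparison fail even though the VLAN ID is the one the rule names.
    """
    tag = parse_tag(frame)
    return tag is not None and tag["tci"] == rule_vid


def match_vlan_masked(frame, rule_vid):
    """Compare only the 12 VLAN ID bits, as the fix describes."""
    tag = parse_tag(frame)
    return tag is not None and tag["vid"] == (rule_vid & VID_MASK)


if __name__ == "__main__":
    rule_vid = 100
    for pcp, dei in [(0, 0), (5, 0), (0, 1)]:
        f = build_frame(rule_vid, pcp=pcp, dei=dei)
        print(f"pcp={pcp} dei={dei}: whole-TCI match={match_vlan_whole_tci(f, rule_vid)} "
              f"masked match={match_vlan_masked(f, rule_vid)}")
```

Only the frame with PCP=0 and DEI=0 matches under the whole-TCI comparison; the masked comparison matches all three, which is the behaviour a VLAN-keyed rule is expected to have.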
134807: Adding the maximum number of VLAN interfaces supported (200)
simultaneously does not cause any issues with the routing table configurations.
134912: In VLAN Segregation mode, changes to the MTU of a VLAN in-path interface are
automatically propagated to the in-path interface and the physical lan/wan interface(s). The
MTU is computed as the maximum MTU of all VLAN in-path interfaces (inpathx_y.v) belonging
to that in-path interface (inpathx_y).
139245: Fixed the issue where user configured TCP hardware-assist rules do not work
correctly in VLAN Segregation mode.
139862: When enabling vlan segregation or xbridge, the success message prompting the
user to reboot the appliance now has a hyperlink to the Reboot/Shutdown page.
140491: Fixed an issue where error messages were seen in the system logs during
connections-per-second statistics collection under high load (e.g. while taking tcpdumps).
140570: Fixed the issue where the CLI command 'show stats alarm' is not working
correctly. CLI commands 'show stats alarm *' and 'show alarm *' can now be used to
check the status of the alarms on the appliance.
140678: Fixed a network outage issue when taking sysdump on an Interceptor with
large number of active connections.
141006: Patched the cURL library for CVE-2013-1944
DETAILS
--------
The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not
properly match the path domain when sending cookies, which allows remote
attackers to steal cookies via a matching suffix in the domain of a URL.

FIX
----
The cURL package has been upgraded to fix CVE-2013-1944.
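The defect in CVE-2013-1944 is a plain suffix comparison with no domain-label boundary: a cookie stored for example.com tail-matches www.example.com (intended) but also badexample.com, so the cookie is sent to an unrelated host that happens to end in the same characters. The Python below is an added example, not cURL's or Riverbed's code; it runs both matching behaviours over a small constructed cookie jar. It simplifies cURL's handling by stripping a leading dot from stored cookie domains and lower-casing both sides (an assumption about normalisation, not a description of cURL internals); public-suffix checks, which are a separate concern, are not modelled.

```python
def _normalise(name):
    """Lower-case and drop a leading dot so '.example.com' and 'example.com' compare equal."""
    return name.strip().lower().lstrip(".")


def tailmatch_suffix_only(cookie_domain, host):
    """Pre-7.30.0 style check: any host that ends in the cookie's domain matches.

    This is the behaviour the advisory describes; 'badexample.com' ends in
    'example.com', so the cookie leaks to an unrelated host.
    """
    return _normalise(host).endswith(_normalise(cookie_domain))


def tailmatch_label_boundary(cookie_domain, host):
    """Match only when the host equals the domain or is a subdomain of it.

    Requiring a '.' immediately before the matched suffix enforces a DNS label
    boundary, which is the property the upstream fix restores.
    """
    cd, h = _normalise(cookie_domain), _normalise(host)
    if not cd or not h:
        return False
    if h == cd:
        return True
    return h.endswith("." + cd)


# Constructed cookie jar: (cookie name, domain attribute it was stored with).
COOKIE_JAR = [
    ("sessionid", "example.com"),
    ("pref", ".example.com"),
    ("tracker", "badexample.com"),
    ("admin", "intranet.example.com"),
]


def cookies_for(host, matcher, jar=COOKIE_JAR):
    """Names of the cookies a client using `matcher` would attach to a request for `host`."""
    return sorted(name for name, domain in jar if matcher(domain, host))


if __name__ == "__main__":
    for host in ["example.com", "www.example.com", "badexample.com", "example.co"]:
        print(f"{host:20s} suffix-only: {cookies_for(host, tailmatch_suffix_only)}  "
              f"label-boundary: {cookies_for(host, tailmatch_label_boundary)}")
```

For badexample.com the suffix-only matcher hands over the sessionid and pref cookies belonging to example.com; the label-boundary matcher sends only the cookie that was set for badexample.com itself.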
141114: The local Interceptor source IP:port is now displayed in the Interceptor/Steelhead
interfaces table along with the remote Interceptor/Steelhead destination IP:port.
142314: Fixed an issue where the optimization service will not start when a large
number of in-path rules plus port labels are configured.
142992: CVE-2011-3188 IPv4 & IPv6 Linux kernel MD4 sequence numbers and
Fragment Identification remote DoS
DETAILS
--------
The (1) IPv4 and (2) IPv6 implementations in the Linux kernel before 3.1 use a
modified MD4 algorithm to generate sequence numbers and Fragment Identification
values, which makes it easier for remote attackers to cause a denial of service
(disrupted networking) or hijack network sessions by predicting these values and
sending crafted packets.

FIX
----
The Linux kernel has been patched to use the MD5 algorithm to generate sequence
numbers and Fragment Identification values, which are harder to predict.

4) FIXED PROBLEMS 4.0


69197 Fixed an issue where changes to the configuration of the 10GigE interfaces when
Xbridge is enabled did not take effect. A message now prompts that a "service
restart" and an "xbridge restart" are required for the changes to take effect. This message
is also displayed in the "show info" output.
69470 Fixed the issue where Jumbo frame packets coming directly to the Interceptor's
Xbridge enabled 10G in-path could be truncated which could lead to a variety of issues
including loss of optimization.
69682 Fixed an issue where entering a tcpdump command with a comma in the file
name gave an internal error and the resultant file could not be removed.
74086 Fixed an issue where, under a specific upgrade path, the Secure Vault alarm could be
triggered. As part of the fix, Secure Vault is removed from the Interceptor product as it is
not used.
76199 Fixed a blank memory alarm error description when the system is unable to
identify the DIMM module associated with the memory error.
79691 The xbridge route caches have been improved and will no longer report
"SharedRouteCache is full" in the system logs when the route caches are not actually full.
The xbridge system dump files now contain more information. Error messages
generated by xbridge are now throttled.
87030 Fixed startup inconsistencies when a RiOS in-path interface was configured for
fail-to-block that would leave interfaces in the UP state, providing links. This resulted in
a period during boot time where external devices would see links without the
optimization service running.
87031 Fixed startup inconsistencies when a RiOS in-path interface was configured for
fail-to-block that would leave interfaces in the UP state, providing links. This resulted in
a period during boot time where external devices would see links without the
optimization service running.
87530 Fixed an issue where the optimization service could fail when an additional
Steelhead interface was added, the optimization service had not been restarted, and the
interface became disconnected from the Interceptor. This affected dynamic port entries
(Interceptor on the client side for passive FTP, server side for active FTP, or client side
for MAPI).
87830 The paused/unpaused state of a Steelhead is now cleared when a Steelhead is
removed. This fixes the issue where a Steelhead stays paused even after it has been
removed and re-added.
91729 Removed the requirement of virtual in-path before enabling CDP.
92476 Fixed an issue where multiple snaplength options were being passed to the
tcpdump and xdump binaries.
93642 Fixed an issue in Xbridge based packet processing when operating in legacy
mode, where Interceptor does not honor the in-path native VLAN tag while NATing
packets to peer Steelheads. This is not an issue in VLAN segregation mode.
93669 Fixed a bug where, when a Steelhead is added to an FPv1 rule, it can carry over
its affinity that was accumulated in the default rule.
93786 Fixed an issue where the state of a previous incomplete connection on an
Interceptor and associated Steelhead was not cleared when a pure SYN for the same
connection was received on the WAN.
94334 Fixed an issue that occurred when two Interceptors were deployed back-to-back
and the cluster alert that occurred when the failover Interceptor was disconnected did
not get cleared after reconnection.
95881 Added a CLI command to clear the memory alarm: 'clear hardware ecc alarm'.
103299 Fixed an issue where Xbridge will terminate and restart. When this problem
occurs, the system log indicates "Process xbridge terminated from signal 14 (SIGALRM)".
104780 Fixed an issue that causes capacity reduction messages to show up in the
system logs when FPv1 is enabled. No functionality is affected.
106057 Error handling logic was added to ensure that NAT rules will only be added if
they can be added to both the kernel NAT table and the Xbridge NAT table.
107384 CVE-2012-2110 has been fixed in device management use of OpenSSL.
107452 Fixed the issue where a GRE packet with a ttl value of 1 can cause a packet loop
between the Steelhead and Interceptor. When a packet with a ttl of 1 is seen twice with
the same characteristics, it is passed through instead of redirecting to a Steelhead.
108728 Fixed the issue of link flap caused by Xbridge restart on interceptors with link
state propagation enabled. Link state propagation now ignores the hardware reset of the
NIC done by Xbridge on a restart.
109375 Upgraded OpenSSL to fix CVE-2012-2333.
112938 Fixed the issue of an Interceptor process crash seen while tracing an optimized
connection in the event of receiving another SYN or SYN-probe for the same connection.
118765 Applied patch for CVE-2012-0053 to Apache httpd 2.0.64.
119371 A copy of the frame is now made before it is modified while a trace is running.
120123 Fixed an issue in Non-VLAN segregation mode, where the Interceptor does not
use the in-path VLAN when redirecting transparent inner connection packets. The
packets carrying ARP, bridging and routing information were correctly using the VLAN
configured on the associated in-path interface.
120192 When a query to the kernel returns multiple routes, Xbridge now selects the best
match instead of the first match, and specifically excludes 00:00:00:00:00:00 as a next-hop
MAC address.
121045 Fixed the issue where Pressure state is not shown when the connected
Steelhead is paused. This has been fixed since pressure state and paused state are
independent variables. For example, the paused Steelhead could still be optimizing
existing connections and therefore could have an associated pressure value.
122827 Fixed an intermittent issue that causes a Steelhead in an Interceptor cluster
with multi-interface enabled, to remain in paused state after a neighbor connection is re-
established.
122952 Fixed the issue to verify that valid values are provided when configuring CDP
124184 Fixed an issue where the Pressure state is displayed as Normal when Steelhead
is not connected
124239 Fixed the Xbridge performance drop observed in 3.0.0a release.
124670 Fixed the issue where Xbridge can crash during a process restart.
125662 Fixed an issue that causes the UI to continuously show capacity adjustment
when pressure monitoring is disabled and capacity adjustment is left enabled. Though
the UI shows capacity adjustment, this does not affect the FPv2 algorithm's use of
capacity.
126703 When XBridge is enabled, a Restart XBridge button appears on the top pane
next to the Save button. This button is enabled when an XBridge restart is required (an
interface is enabled/disabled) and disabled otherwise.
127519 Fixed the issue where, in an Interceptor deployment with multi-interface
support enabled, non-zero optimized connection count is displayed for a load-balancing
Steelhead which is in neighbor connection re-establishment phase.
128286 Fixed an issue where changing the Steelhead communication port did not take
effect.
128900 Renamed the disabled states of the interface counters as follows:

Physical Inpath        Self state   Parent state
Disabled               0            N/A
Enabled                1            N/A

VLAN Inpath            Self state   Parent state
Disabled               0            0
Disabled               0            1
inpathX_Y disabled     1            0
Enabled                1            1
129504 Fixed the issue of a Xbridge crash on a process restart. Exceptions that are
raised during the construction of IPC facilities are now caught and handled.
129505 Fixed the issue where Interceptors with Xbridge enabled may run 2 sysdumps
simultaneously resulting in excess load on the Interceptor. The Xbridge watchdog now
checks for a running sysdump before spawning another one.
130239 Fixed an issue that could cause a kernel crash due to an intermittent state while
removing or editing a WCCP service group configuration with protocol UDP/ICMP.
130337 Fixed the issue where Interceptor shows healthy status when Xbridge is
enabled but the Xbridge process is not running. With the fix, Interceptor's CLI and UI will
now be in Critical state if Xbridge is enabled but not running.
130840 Fixed issue to allow punctuation characters in SNMP community strings.
131357 Upgraded/patched OpenSSL for CVE-2013-0169 and CVE-2013-0166 ("Lucky 13"
vulnerability).
131729 Added a patch to disable SSL/TLS compression for the SSL/TLS CRIME vulnerability,
CVE-2012-4929 and CVE-2012-4930.
132959 Fixed an issue where an Interceptor could learn the backup IP address of a
configured Interceptor incorrectly and try to connect to the wrong IP address.
133487 Fixed an issue that could cause an Interceptor process with multi-interface
disabled to crash when other Interceptors in the cluster are configured with multi-
interface enabled.
134690 Fixed an issue that could cause the capacity alert to stay ON even after the
capacity adjustment for the Steelhead goes below maximum capacity adjustment (50%).

5) KNOWN ISSUES
100654 When the Etherchannel feature is enabled on an Interceptor, packets may be sent
out of the wrong interfaces on a network topology change (machines moving from the LAN
side to the WAN side and vice versa) if the Interceptor in-path interface does not learn
this change. Workaround: enable routing on the LAN-side switches and remove any ACLs on
the LAN-side router that drop traffic that arrived on the egress interface, or disable one
(1) link in each port-channel group (one-legged port-channel).
124637 A "Ran out of buffer space" message is displayed in the connection trace details
when more than 1000 connections are traced, resulting in existing traces being
overwritten. Workaround: use specific connection-tracing rules to limit the number of
traced connections to fewer than 1000.
134437 While switching Failover configuration between two configured Interceptors,
there can be an "Error adding Interceptor" message seen in the system logs. This can be
ignored and as prompted the service must be restarted for the Failover changes to take
effect.
134699 In VLAN Segregation mode, adding or removing more than 125 VLAN interfaces at
once from the UI can leave the Interceptor in an inconsistent state. Staying within the
recommended five VLANs per instance avoids this issue. The workaround to recover from the
inconsistent state is to reboot the Interceptor.

6) HARDWARE AND SOFTWARE REQUIREMENTS


The Interceptor Appliance has the following hardware requirements:

Install the appliance in a 19-inch (483 mm) two- or four-post rack. WARNING: The system must
be properly grounded (earthed) to reduce the risk of electrical shock. On European systems, the
Green/Yellow tab on the power cord must be grounded (earthed).

The Interceptor Management Console has the following requirements:

Any computer that supports a Web browser with color image display
JavaScript and cookies must be enabled on your Web browser
The Management Console has been tested with Mozilla Firefox 2.0 and Microsoft
Internet Explorer 6.

The Interceptor Command-Line Interface has the following requirements:

An ASCII terminal or emulator that can connect to the serial console (9600 baud, 8 bits,
no parity, 1 stop bit, and no flow control)

or
A computer with a Secure Shell (SSH) client that is connected by an IP network to the
Interceptor appliance Primary interface. Free SSH clients include PuTTY for Windows
computers, OpenSSH for many UNIX and Unix-like operating systems, or Cygwin.
7) CONTACTING RIVERBED SUPPORT
Riverbed provides phone support at 1-888-RVBD-TAC (1-888-782-3822). Outside the U.S. dial
+1 415 247 7381.

You can also submit a support case online or email support@riverbed.com. A member of the
support team will reply as quickly as possible.

Visit the Riverbed Support site to download software updates and documentation, browse our
library of Knowledge Base articles, manage your account, or open a support case.

2013 Riverbed Technology. All rights reserved. Riverbed and any Riverbed product or service name or logo used herein are
trademarks of Riverbed Technology. All other trademarks used herein belong to their respective owners. The trademarks and
logos displayed herein may not be used without the prior written consent of Riverbed Technology or their respective owners.