PacketShaper Release Notes

PacketWise Version 8.5.2

November, 2009

P/N 20-0260-852 Revision A

Disclaimer THIS DOCUMENT IS PROVIDED AS IS WITHOUT ANY EXPRESS OR IMPLIED WARRANTY OF ANY KIND, INCLUDING WARRANTIES OF MERCHANTABILITY, NONINFRINGEMENT OF INTELLECTUAL PROPERTY, OR FITNESS FOR ANY PARTICULAR PURPOSE. IN NO EVENT SHALL BLUE COAT SYSTEMS OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION, OR LOSS OF INFORMATION) ARISING OUT OF THE USE OF OR INABILITY TO USE THIS DOCUMENT, OR THE PRODUCTS DESCRIBED HEREIN, EVEN IF BLUE COAT SYSTEMS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. BECAUSE SOME JURISDICTIONS PROHIBIT THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. Blue Coat Systems and its suppliers further do not warrant the accuracy or completeness of the information, text, graphics, links or other items contained within this document, or assume liability for any incidental, indirect, special or consequential damages in connection with the furnishing, performance, or use of this document. Blue Coat Systems may make changes to this document, or to the products described herein, at any time without notice. Blue Coat Systems makes no commitment to update this document. Copyright/Trademarks/Patents Copyright 1996-2008 Packeteer, Inc. All rights reserved. Copyright 2008-2009 Blue Coat Systems, Inc. All rights reserved. PacketShaper, PacketShaper Xpress; PacketSeeker, iShaper, and iShared appliances, and PolicyCenter, PacketWise, ReportCenter, iShared, iShaper, and IntelligenceCenter software protected by, or for use under, one or more of the following U.S. Patents: 5,802,106; 6,018,516; 6,038,216; 6,046,980; 6,115,357; 6,205,120; 6,285,658; 6,298,041; 6,412,000; 6,456,630; 6,457,051; 6,460,085; 6,529,477; 6,584,083; 6,591,299; 6,654,344; 6,741,563; 6,847,983; 6,850,650; 6,854,009; 6,928,052; 6,934,255; 6,934,745; 6,970,432; 6,985,915; 7,003,572; 7,012,900; 7,013,342; 7,032,072; 7,035,474; 7,051,053; 7,054,902; 7,103,617; 7,154,416; 7,155,502; 7,203,169; 7,236,459; 7,283,468; 7,292,531; 7,324,447; 7,324,553; and 7,343,398. Other U.S. and international patents pending. Blue Coat Systems, the Blue Coat Systems logo, PacketWise, PacketSeeker, PacketShaper, PacketShaper Xpress, PolicyCenter, ReportCenter, SkyX, iShared, Mobiliti, iShaper, IntelligenceCenter, and Falcon are trademarks or registered trademarks of Blue Coat Systems, Inc. in the United States and other countries. All trademarks and registered trademarks mentioned herein are the property of their respective owners. Other product and company names used in this document are used for identification purposes only, may be trademarks of other companies, and are the property of their respective owners. All rights reserved. No part of this document may be reproduced, photocopied, stored on a retrieval system, transmitted, or translated into another language without the express written consent of Blue Coat Systems, Inc. SNMP Research SNMP Agent Resident Module Version 14.2.1.7. Copyright 1989-1997 SNMP Research, Inc. This product includes software developed by the University of California, Berkeley and its contributors. Portions Copyright 1982, 1983, 1986, 1989, 1990, 1993 by The Regents of the University of California. All rights reserved. Portions Copyright 1996 by Internet Software Consortium. Portions Copyright 1993 by Digital Equipment Corporation. Portions Copyright 1990 by Regents of the University of Michigan. All rights reserved. This product includes software developed by the University of California, Berkeley and its contributors. Portions Copyright 2001 Mike Barcroft. Portions Copyright 1990, 1993 by The Regents of the University of California. All rights reserved. This product incorporates software for zipping and unzipping files. UnZip 5.42 of 14 January 2001, by Info-ZIP. Zip 2.3 (November 29th 1999). Copyright 1990-1999 Info-ZIP Portions copyright 1994, 1995, 1996, 1997, 1998, by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, by Boutell.Com, Inc. GIF decompression code copyright 1990, 1991, 1993, by David Koblas (koblas@netcom.com). Non-LZW-based GIF compression code copyright 1998, by Hutchison Avenue Software Corporation (http://www.hasc.com/, info@hasc.com). Portions Copyright 2006 Narciso Jaramillo. <nj_flex@rictus.com> TACACS+ software Copyright 2000,2001 by Roman Volkov. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission. Fisheye Component v0.1 Copyright 2006 by Ely Greenfield ActionScript Library 3.0 (as3corelib v0.9) BSD 2.0 Copyright 2008, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. Neither the name of the University of California, Berkeley nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

U.S. Government Restricted Rights Blue Coat software comprises commercial computer software and commercial computer software documentation as such terms are used in 48 C.F.R. 12.212 (SEPT 1995) and is provided to the United States Government (i) for acquisition by or on behalf of civilian agencies, consistent with the policy set forth in 48 C.F.R. 12.212; or (ii) for acquisition by or on behalf of units of the Department of Defense, consistent with the policies set forth in 48 C.F.R. 227-7202-1 (JUN 1995) and 227.7202-3 (JUN 1995). Blue Coat software is provided with RESTRICTED RIGHTS. Use, duplication, or disclosure by the U.S. Government is subject to restrictions as set forth in FAR 52.227-14 and DFAR 252.227-7013 et seq. or their successors. Use of Blue Coat products or software by the U.S. Government constitutes acknowledgment of Blue Coats proprietary rights in them and to the maximum extent possible under federal law, the U.S. Government shall be bound by the terms and conditions set forth in Blue Coats end user agreement. Blue Coat Systems, Inc. 410 N. Mary Avenue Sunnyvale, CA 94085 http://www.bluecoat.com Revision History September, 2009 November, 2009

PacketWise 8.5.1 PacketWise 8.5.2

Introduction
ThesereleasenotesincludethechangestoPacketWise8.5.1and8.5.2only.Ifyouareupgradingfroman earlierversionofPacketWise,youcanlearnaboutothernewfeaturesandsoftwarechangesbyconsulting thereleasenotesfortheversionsbetweenyourcurrentsoftwareandv8.5.1. AcrobatPDFfilesofallversionsofreleasenotesareavailablefordownloadat http://support.bluecoat.com/documentation. Note: This document reflects current information at the time the release notes were finalized. The Blue Coat support website may contain additional late-breaking information: https://support.bluecoat.com Seethefollowingsectionsforspecificinformation: WhatsNewinPacketWise8.5....................................................................................................................... page2 ResolvedIssues ................................................................................................................................................ page8 BackingUpSoftwareConfigurations........................................................................................................... page9 UpgradingtoPacketWise8.5.2...................................................................................................................... page13 KnownIssuesinPacketWise8.5.2 ................................................................................................................ page17 KnownIssuesinXpress.................................................................................................................................. page21 AdditionalInformation .................................................................................................................................. page22 AdditionalInformationforXpress ............................................................................................................... page23

PacketWise 8.5.2 Release Notes

Whats New in PacketWise 8.5

ThissectiondescribesallthenewfeaturesinPacketWise8.5.Formoreinformation,seePacketGuideat:
https://support.bluecoat.com/packetguide/8.5/index.htm

New User Interface: Blue Coat Sky

AfterloggingintoPacketWise8.5,youwillbepresentedwiththenew,enhanceduserinterface:BlueCoat Sky.Skyisastreamlineduserinterfacethatoffersthefollowingfeatures: Dashboard Agraphicaldashboardthatallowsinsightintotheapplicationsthatareconsumingthe mostbandwidthonthenetwork,currentlinkutilization,andcompressionsavings(ifapplicable)

ClassTree LocatedinthetoppaneoftheTrafficManagementtab,theclasstreedisplaysasnapshot ofthecurrentactivityfortrafficclasses,partitions,andpolicies.Youcanselectoneormoreclassesin thetreeandthenusetheReportsmoduletocreaterealtimeorhistoricalreportsforthoseclasses.Or selectclassesandusePolicyManagertodelete/modifytheclassesorapplypoliciestotheclasses.

Youcansorttheclasstreebyanycolumn,filtertheviewusingtheSearchfield,andcreateclasslist selectionsforfutureuse.NotethattheBlueCoatSkyclasstreedisplaysdifferentlythaninthe originalUI:InboundandOutboundclassesarecombinedandtheclassesaresortedalphabetically. However,thereisasettingtodisplaytheInboundandOutboundclassesseparately,similartothe originalUI. Reporting Atoolforcreatingrealtimeandhistoricalreports

PacketWise 8.5.2 Release Notes

 PolicyManager Asimplifiedapproachforcreatingtrafficclassesandcontrollingtrafficwith policiesandpartitions

VoIPOptimization AVoIPOptimizationtabthatsimplifiestheconfigurationofVoIPtrafficclasses byrecommendingappropriatepolicysettingsforeachcodec

BecausenotallPacketShaperfeaturesandcapabilitiesareavailableinBlueCoatSky,theoriginalfull featureduserinterfaceisstillavailable:justclicktheLegacyUIlinkinthebanner.BlueCoatSkyinthe currenttaborwindowwillbeinstantlyreplacedwiththeoriginaluserinterface. HereisapartiallistoftasksavailableonlyintheLegacyUI: Configurehardwareandsoftwarefeatures(Tip:TheChangeSettingsbuttonontheSkyInfotabgoes directlytotheLegacyUIsettingspage) Monitorresponsetimestatistics Usereventnotificationoradaptiveresponsefeatures Createreportsonpartitions Schedulecommands Performtophostanalysis Createhostlists Note: To switch back to Sky, click the BLUE COAT SKY link in the banner. Note that you should not use the browser Back button for navigation between the two user interfaces, as it will display the login screen. IfyoupreferhavingtheLegacyUIasthedefaultinterface,youcanselectthispreferenceontheSystem Variablessetuppage.BlueCoatSkyhascontextsensitivehelpavailable:clickthe icontoopenthehelp windowrelatedtothecurrentSkyscreen.

PacketWise 8.5.2 Release Notes

More Information in PacketGuide Blue Coat Sky Overview

Service Groups
Aservicegroupisasetofservicesthathavebeengroupedtogetherbasedonacommonfunctionality.For example,allservicesthatclassifyonlinegamesareintheGamesgroup.Allserviceshavebeenpresorted into25groups,calledbuiltingroups.Youcancreateyourowncustomgroupsaswell. Servicegroupsofferaquickwaytoclassifyandcontrolagroupofrelatedservices.Forexample,suppose youwanttolimitpeertopeertrafficonyournetwork.Previously,youwouldhavehadtocreateclassesfor eachP2Pserviceandapplythesamepolicytoeachclass.Withtheservicegroupfeature,youcancreatea classbasedontheP2Pservicegroupandapplyapolicytothissingleclass. Note: If you create a service group class (such as P2P) when the class tree already contains classes for individual services (such as eDonkey and Pando) in that group, you will need to delete the service-based classes so that new flows get classified into the service group class. AServiceGroupssetuppageisavailableintheLegacyUIforcreatingcustomgroups,movingservices betweengroups,andperformingothergroupmanagementoperations.

Thecommandlineinterfacealsoofferscommandsforviewingandmanagingservicegroups.Theclass groupcommandoffersthefollowingsubcommands:
new delete move show reset Create a new service group container Delete a service group container Move one or all services from one group to another Show service groups Reset one service or all services within a group to the default group

Inordertomonitorandcontroltrafficinaservicegroup,youmustcreateatrafficclassforthegroup.You cancreatetheclassineitherBlueCoatSkyortheLegacyUI;whenaddingtheclass,selectthegroupname fromtheServiceGroupdropdownlist.

PacketWise 8.5.2 Release Notes

WhencreatingagroupbasedclassintheCLI,usethegroup:<groupname>matchingrule.Forexample:
class new inbound games inside group:games outside group:games

More Information in PacketGuide Service Group Tasks andService Groups Best Practices

Auto-Discovery of VoIP Agents

Whenglobaltrafficdiscoveryisenabled,PacketWisewillautodiscoverRTPtrafficandcreatechildclasses foreachRTPIencodingattribute.PacketWise8.5addsanewfeaturethatallowsautomaticclassdiscovery basedontheVoIPuseragentattribute(thatis,VoIPdevice).YouenablethisnewfeatureintheCLI,using asystemvariable:
setup variable enableVoIPUseragentAutoDiscovery 1

WhenthisvariableisenabledandRTPIisautodiscovered,PacketWisewillautodiscoverchildclasses basedonVoIPuseragenttraffic(suchasRTPIMotorola_VT1000andRTPIGoogle_Talk).

Microsoft Office Communications Server Classification

PacketWise8.5hastheabilitytoclassifyMicrosoftOfficeCommunicationsServer(OCS)andOfficeLive Meeting(LM)audioandvideocalls.OCSandLMaudio/videoflowsareinitiallyclassifiedasSession TraversalUtilitiesforNAT(STUN)andthenasRealTimeProtocol(RTP)orRealTimeControlProtocol (RTCP).ThisdualclassificationistheconsequenceoftheRTP/RTCPpacketsbeingmultiplexedwithSTUN overthesameflow. WhenanetworkhasalotofOCStrafficthattunnelsthroughSTUN,PacketShaperperformancecanbe impacted.Therefore,anewsystemvariableisavailabletodisableSTUNclassification:
setup variable enableSTUNclassification 0

NotethatRTP/RTCPwillstillbeclassifiedevenwhenSTUNclassificationisdisabled. TherearenootherchangestoLiveMeetingandOCSclassification.FiletransfersarestillclassifiedasMSN IMFileXsferandtheinitialconnectionisclassifiedasSSLorSSLNoCert.

Classification Enhancements
The following services have been added to or enhanced in v8.5: Service Name DragonFly (new) FlashVideo (enhanced) Gnutella (enhanced) MPEG-4 (new) Pando (enhanced) Description DragonFly Storm Video Sharing Service This service was previously available as a plug-in. Enhancements to the FlashVideo service; previously available in a plug-in Enhancements to the Gnutella service; previously available in a plug-in MPEG-4 Audio/Video Content This service was previously available as a plug-in. Enhancements to the Pando service; previously available in a plugin P2P Multimedia Service Group Multimedia

P2P

Multimedia

PacketWise 8.5.2 Release Notes

Service Name Perforce (new) PPStream (new) RDP (enhanced) STUN (new) Thunder (new) Veetle

Description Perforce Software Configuration Management System This service was previously available as a plug-in. PPStream P2P IPTV Application This service was previously available as a plug-in. Enhancements to the RDP service; previously available in a plug-in

Service Group FileServices

P2P

RemoteAccess

Session Traversal Utilities for NAT (see Microsoft Office Communications Server Classification on page 5) Thunder P2P Traffic This service was previously available as a plug-in. Veetle Video Service This service was previously available as a plug-in. VMware View VDI * * Classification for non-SSL connections between the VMware View client/portal and VMware View Connection server VMware View VDI Offline Desktop

NetworkMgmt

P2P

ContentDelivery

VMware-View (new)

RemoteAccess

VMware-View-Desktop (new) VMware-View-Tunnel (new) VMware-View-Command (new) WCCP-Control (new)

RemoteAccess

VMware View VDI Tunnel

RemoteAccess

VMware View VDI Command and Administration

RemoteAccess

Web Cache Communication Protocol Control Traffic

NetworkMgmt

More Information in PacketGuide Applications, Protocols, and Services Classified by

PacketWise 8.5

PacketShaper Heartbeat Emission

PacketShaperemitsamessage,calledaheartbeat,toadesignatedBlueCoatserveronthefollowing occasions: PacketShaperbootup(onwarmresetorcoldboot) Daily(every24hoursofuptime) Afterasystemfailure(onbootup,followingasystemrestart) TheheartbeatmessageprovidesBlueCoatsupportprofessionalswithkeyinformationaboutthe PacketShaper,suchaswhatmodulesareenabled,itsmemoryallocationandusage,howlongtheunithas beenrunningsincelastreboot(uptime),bannermessages,andbasicconfigurationsettings.Bootupand crashheartbeatmessagesappendthebootlog(alistoftheversionsthatwerebootedonthePacketShaper, includingthedateandtimeofeachboot).Crashheartbeatmessagesincludethecrashlog.

PacketWise 8.5.2 Release Notes

Usingtheinformationcontainedintheheartbeatmessages,BlueCoatisabletoprovidebetter,faster supporttoitsusers.Itcanalsocompilestatisticsonthestabilityofvarioussoftwarereleasesandhardware products.Theheartbeatscanalsobeusedtoidentifyandresolvedefects. Heartbeatemissionisenabledbydefault.BlueCoatrecommendsthatyounotdisablethefeature.Be assuredthatthemessagesareencrypted,containnoprivateinformationsuchaspasswordsandIP addresses,andaresentsecurelyviaHTTPS.Thesizeofthedailyheartbeatmessageisnegligible(3040K) andhasvirtuallynoimpactonPacketShaperperformance. HeartbeatemissionisconfiguredintheLegacyUIontheHeartbeatsetuppage,orusethefollowing commandintheCLI:

setup heartbeat on|off|default|show

More Information in PacketGuide Configure Heartbeat Emission

PacketWise 8.5.2 Release Notes

Resolved Issues
ThefollowingissuesdiscoveredinpreviousversionsofPacketWisehavebeenresolved.

PacketWise 8.5.1
Inpreviousversions,whenyouselectedCustom:ShapingOff/DiscoveryOffduringtheweb basedGuidedSetup,thesesettingsdidntgetappliedproperly;thisissuehasbeenresolved. ThePacketShapernolongerresetswithMTUsizeslargerthan2000. ThelinkCompressionModeOIDnowworksforalltunnelmodes.

PacketWise 8.5.2
StartinginPacketWise8.5.1,youcanopenuptoeightconcurrentSSHsessionstothePacketShaper. (Previously,onlyfourconcurrentsessionswereallowed.)However,ifyouopenedmorethansix concurrentSSHsessionsandthendisconnectedfromtheseventhoreighthconnection,the PacketShaperwouldreset.ThisissueisresolvedinPacketWise8.5.2. InPacketWise8.5.1,thePacketShaperwouldresetwhenmorethan30concurrentsessionswere openedtoconnecttothePacketShaperviaSSH,HTTP,HTTPS,Telnet,andFTP.Thisissueisresolved inPacketWise8.5.2. PacketWise8.5.2isabletoidentifytheAvagoSmallFormfactorPluggable(SFP)transceiver.In previousversions,thistransceivershowedasSFP:UnknownontheBasicSettingssetuppage,even thoughthetransceiverfunctionedproperly.

PacketWise 8.5.2 Release Notes

Backing Up Software Configurations

Overview
Important:BeforeupgradingtoPacketWise8.5.2,itisimperativetobackupyourconfiguration.Youmay needtousethesebackupfilesincaseyourconfigurationdoesntloadproperlyafterinstallingthenew software.Forinstructions,seethefollowingsectionsHowDoISaveMySettings?andHowDoIBack UpConfigurations? Note: If you are using PolicyCenter, follow the backup instructions in PolicyCenter 8.5.2 Release Notes. In addition, make sure to upgrade to PolicyCenter 8.5.2 before installing PacketWise 8.5.2 on your PacketShapers.

How Do I Save My Settings?

PacketWiseautomaticallystoresyoursettingsinafilenamedconfig.ldi.Thisfilecontainsthetraffictree configuration(includingallclasses,classIDs,partitions,policies,hostlists,andevents),aswellasall sharableconfigurationsettings,suchaspacketshaping,trafficdiscovery,passwords,SNMP,email,SNTP, compression,andSyslog.Theconfig.ldifileshouldbebackeduponaregularbasis,asitcanbeusedto restoreaconfigurationifneeded. Inaddition,PacketWiseoffersawaytocaptureyourtrafficconfigurationandsettingsinanexecutable command(.CMD)file.First,usethesetupcapturecommandtocreatetheCMDfile.Then,ifyouwantto restorethesettingsyoucaptured,usetheruncommandtorecreatetheconfiguration. NotethatrestoringaconfigurationbyrunningaCMDfiletakesmuchlonger(possiblyhours)thanloading aconfig.ldi(lessthanaminute).However,BlueCoatrecommendsthatyoucreateandbackuptheCMDfile asasafeguardincasetheconfig.ldifailstoload. TosaveyoursettingsinaCMDfile,usethefollowingcommand:
setup capture complete <filename>

where<filename>isthenameoftheCMDfile(suchasbackup.cmd).Thisfilewillautomaticallybecreated inthe9.256/cmddirectory. ThisCMDfileshouldbebackedupalongwithyourconfig.ldiconfigurationfile.

How Do I Back Up Configurations?

Aftercapturingtheunitsconfigurationinacommandfile,youshouldcopytheconfig.ldifileandtheCMD filetoaworkstationsharddrive. TotransferfilesfromthePacketShapertoaworkstation: 1. 2. Atyourworkstationscommandline,createadirectorywherethebackupfileswillbestored. Gotothenewlycreateddirectoryandenter:
ftp <ipaddress>

where<ipaddress>isthePacketShapersaddress(forexample,ftp192.166.0.100). WhenyoupressEnter,thescreenmessagesindicatethattheconnectionhasbeenmadeandthatthe serverisready. 3. 4. 5. 6. Enterausername(suchastouch). Entertheunitstouchpassword. TogotothePacketShapersdirectorywheretheconfigurationfilesarestoredontheflashdrive,type:

cd cfg

Totransfertheconfig.ldifilefromthePacketShapertoyourlocaldrive,enter:
ascii (to go into ASCII mode) get config.ldi (to copy the file)

PacketWise 8.5.2 Release Notes

7.

TotransfertheCMDfileyoucreatedinHowDoISaveMySettings?enter:
cd /cmd get <filename> (where <filename> is the file to be copied) quit

How Do I Restore Configurations?

Intheeventthatyourcurrentsoftwareconfigurationbecomescorrupt,usethefollowingprocedureto restoretheunittoitslastoperationalstate: 1. 2. 3. 4. 5. Atyourworkstationscommandline,gotothedirectorywherethebackupfileswerestored. FTPtothePacketShaper. Enterausername(suchastouch). Entertheunitstouchpassword. Totransfertheconfig.ldifilefromyourworkstationsdrivetothePacketShapersflashdrive,enter:
ascii (to go into ASCII mode) put config.ldi (to copy the file) quit

6.

Toloadthenewconfiguration,gotothePacketShaperscommandlineinterface,andtypethe followingcommand:
config load config.ldi

7.

Ifaconfigurationwontloadorthetraffictreestillisntinplace,youcanrestoretheconfigurationby runningtheCMDfileyoubackedup.Forexample,ifyouusedthesetupcapturecommandandcreated afilenamedbackup.cmd,youneedtoFTPthebackup.cmdfiletothePacketShaperandthentyperun backup.cmdattheCLIprompt.

Reverting to a Backup Image

WhenyouupgradePacketWise,thenewlyinstalledversionbecomesthemainimage,andtheprevious mainimagebecomesthenewbackupimage. Therearetimeswhenyoumaywanttoreverttoyourbackupimage(thatis,replacethemainimagewith thebackupimage): AfterattemptingtoloadaversionofPacketWisethatdoesnotsupportyourPacketShapermodel. AfterevaluatinganewversionofPacketWise,butbeforedeployingthenewversion. WhenyouobserveproblemswithyourPacketShaperthatbeganafterloadingadifferentversionof PacketWise. PacketWiseofferstwomanualandoneautomaticmethodtoreverttothebackupimage: Usingtheimagerevertcommand.(SeeReverttotheBackupImageUsingtheCLIonpage 11.) PressingCtrl+Bduringthebootupprocess.(SeeReverttotheBackupImagebyPressingCtrl+B onpage 11.) Automaticreversionwhenaunitrepeatedlyfailstoboot.(SeeAutomaticReversiontotheBackup Imageonpage 12.) Considerations When Reverting HerearesomeconsiderationswhenrevertingtoapreviousversionofPacketWisesoftware: MakesureyouareawareoftheminimumrequiredversionforyourPacketShapermodel:

ThePacketShaper1200modelrequires7.1.0orhigherandthuscannotberevertedtoapre7.1.0 image.

PacketWise 8.5.2 Release Notes

10

ThePacketShaper10000model(RevisionsAF)requires7.0.0orhigherandthuscannotbe revertedtoapre7.0.0image. ThePacketShaper1700,3500,7500,and10000(RevisionGorhigher)modelsrequire7.4orhigher andthuscannotberevertedtoapre7.4image. ThePacketShaper1400modelrequiresPacketWise7.4.x7.5.x,or8.1.xandhigher,andthuscannot berevertedtoearlierversionsofPacketWise(suchas7.3or8.0). ThePacketShaper900modelrequiresPacketWise8.2.xandhigher,andthuscannotberevertedto earlierversions.

WhenyourevertfromPacketWise6.0orabovetoapre6.0version,allmeasurementdatawillbe cleared. IfyouusefeaturesnewtoPacketWise8.5,andthenreverttoapreviousversion,thenewsettingsand anyrelateddatawillberemoved.Thisappliestoevents,measurementvariables,andservicesas well.Notethatyoumayseeconfigurationerrorsafteryoureverttoapreviousversion;thisistobe expectedsincethenewfeaturesarenotavailableinolderversions.Youshoulddeleteanytraffic classesthathaveconfigurationerrorssincetrafficmaynotclassifyproperlyintheseclasses. Furthermore,theseconfigurationerrorscouldcauseothertypesofproblemsaswell.Forexample,if youdowngradefromPacketWise8.xto7.x,compressionwillnotfunctionin7.xuntilyoudeletethe PRIVENCRYPTclasses(whichhaveconfigurationerrors). Ifyouhavecreatedanyuserdefinedservicesinv8.5,youshoulddeletealloftheseservices(andany classesbasedontheseservices)beforerevertingtoapre8.4version. Ifyouhavecreatedanyclassesbasedonservicegroupsinv8.5,besuretodeletetheseclassesbefore revertingtoapre8.5version.Ifyoudontdeletetheseclasses,theywillbecomematchallclasses afterdowngrading. Ifyouloadany8.5.xspecificpluginsandthenreverttoapre8.5.xversion,youwillseethefollowing errormessage:Unknownlocaltype0in<pluginname>.Toeliminatethismessage,deletethe incompatiblepluginfileandresettheunit. Ifyouhavehostliststhatincludesubnets,IPaddressranges,orsubnetranges,youshoulddeletethe hostlistspriortorevertingtoapre6.2.0version(whichdontsupportthesetypesofhost specifications).

Revert to the Backup Image Using the CLI

IfyourPacketShaperhassuccessfullybooted,youcanreverttothebackupimageusingtheCLI: 1. 2. Atthecommandlineinterface,reverttothebackupimagebyentering:
image revert

ReconnecttoyourPacketShaper,andwaitatleastoneminute.

Iftheclasstreedisappearedduringtherevertingprocess,runtheCMDfileyouhadpreviouslycreated beforeupgrading.Forexample,ifyouusedthesetupcapturecommandandcreatedafilenamed backup.cmd,youneedtoFTPthebackup.cmdfiletothePacketShaperandthentyperunbackup.cmd.(To seeifallthecommandsexecutedsuccessfully,typecatbackup.out.)

Revert to the Backup Image by Pressing Ctrl+B

IfyouhaveattemptedtoloadaversionofPacketWisethatisnotsupportedbyyourhardwareplatform, suchasversion7.3or8.0onaPacketShaper1400,yourPacketShaperwillnotbootandwillbecome inaccessibleexceptbyconsoleconnection.OnmodelsthathaveLCDs,themessageLoading...willremain ontheLCDpanel. Torecovertheunit,youneedtoreverttothebackupimageofPacketWise,whichistheimagepreviously installedontheunitbeforeyouloadedtheunsupportedimage.Therecoveryproceduremustbeperformed fromaconsoleconnection:

11

PacketWise 8.5.2 Release Notes

1. 2. 3.

Usingtheprovidednullmodemcable,attachaworkstationorPCtotheunitsportlabeledCONSOLE. Thiscableoffersboth9pinand25pinconnectorsoneachend. Startyourterminalemulationprogram(suchasHyperTerminal). Verifythatyouhaveconfiguredtheprogramwiththefollowingvaluestocommunicatewiththeunits consoleserialport: 9600bps,8databits,1stopbit,noparity,hardwareflowcontrol Ifyouareusingamodemconnectedtotheserialport,themodemmustbesetto:9600bps,8data bits,1stopbit,noparity,autoanswer(usuallyATH1inthestandardHayescommandset),andDTR alwayson(usuallyaDIPswitchsetting).Checkthemodemmanualfordetails.

4. 5.

Powercycleunit. Astheunitisattemptingtoboot,(themessageLoading...appearsontheLCDpanel),pressCtrl+B.This forcesthePacketShapertorebootusingitsbackupimage.

Automatic Reversion to the Backup Image

IfaPacketShapercrasheseightconsecutivetimes,itwillautomaticallyreverttothebackupimageandre boot.Thisprocesscantake2040minutes,dependingonthePacketShapermodel.

PacketWise 8.5.2 Release Notes

12

Upgrading to PacketWise 8.5.2

Supported Hardware Platforms
PacketWise8.5.xissupportedonthefollowingPacketShapermodels:900,1400,1700,3500,7500,and10000.

Adobe Flash Player

BecausetheBlueCoatSkyuserinterfaceisdisplayedusingAdobeFlashPlayer,youmusthaveAdobeFlash Player9(orlater)installedontheclientsystemfromwhichyouwillaccessSky.Ifyouhaventalready installedthelatestversion,makesuretodosobeforeusingBlueCoatSky.Ifyouarentsurewhichversion ofAdobeFlashPlayerisinstalledonyourclientsystem,goto:
http://www.adobe.com/software/flash/about/

Todownloadthelatestversion,goto:
http://www.adobe.com/products/flashplayer/

IfyoudonothaveFlashinstalledandyouattempttologintoBlueCoatSky,youwillberedirectedtothe Flashdownloadpage.

Supported Browsers
TheLegacyUIandBlueCoatSkycanbeaccessedusingthefollowingwebbrowsers: MicrosoftInternetExplorerv6.0orhigher MozillaFirefox2.0orhigher

Measurement Data Reset

DependingontheversionofPacketWiseyouareupgradingfrom,youmayneedtoresetmeasurementdata afterloading8.5.2.Notethatallstoredmeasurementdatawillbelostafterresettingthemeasurement engine.Todeterminewhetheraresetofmeasurementdataisnecessary,usethemeasureshowcommand; iftheoutputsaysAcompleteMeasurementResethasnotbeendone,youneedtousethemeasurereset commandtoresetthemeasurementdata. Note: If you are using PolicyCenter, make sure to upgrade to PolicyCenter 8.5.2 before installing PacketWise 8.5.2 on your PacketShapers.

Upgrading Overview
Toupgradeyoursoftware,downloadthenewimageandloadthesoftwareontothePacketShaper.There aretwowaystodownloadthesoftware: UsethePacketWisebrowserinterface(seeOption1below) UsetheBlueCoatdownloadwebsite(seeOption2) TrydownloadingthesoftwarewiththePacketWisebrowserinterfacefirst.Ifthismethoddoesntwork (perhapsbecausethecorporateLANisprivateorbecauseasecuritypolicyorfirewallisinplace),download theimagefromtheBlueCoatdownloadwebsitetoacomputerthatisnotsubjecttotheserestrictions.

Option 1
Use the PacketWise Browser Interface to Upgrade the Software ToupgradethePacketWisesoftwareimage: 1. 2. Makesureyouhavebackedupyourconfigurationfiles.(SeeBackingUpSoftwareConfigurationson page9.) AccessthePacketWisesoftwarebyenteringthePacketShapersIPaddressinyourwebbrowser.

13

PacketWise 8.5.2 Release Notes

3. 4. 5.

Clickthesetuptab. FromtheChooseSetupPagelist,selectimage.Theimageconfigurationwindowisdisplayed. IntheImageFileLocationfield,entertheexplicitpathnameoftheFTPserverthatholdsthesoftware imagefile.TheImageConfigurationwindowsuppliesthedefaultpathnameforthelatestimagethatis availableontheBlueCoatwebsite:

//ftp.packetshaper.com/latest8.zoo

ToloadanewimagefiledirectlyfromanotherFTPserver,enter:
[//<hostname>/]<filename>

[//<hostname>/]isthenameoftheFTPserver.Forexample: //corpserver.example.com/ <filename>mustbetheexplicitpathnameplusfilename.Forexample,todownloadfromtheunits localflash:/bin/latest.zoo 6. 7. 8. EnterausernametoaccessyourFTPserver,ifrequired.Ifyouaredownloadingthelatestimagefile fromftp.packetshaper.com,donotenterausername. Enterapasswordifitisrequired.Ifyouspecifiedausername,apasswordisrequired.Ifyouare downloadingthelatestimagefilefromftp.packetshaper.com,donotenterapassword. Clickloadnewimageintheimageconfigurationwindowtoinstallthelatestsoftwareimage.

Whenyouloadanewimage,PacketWisereplacesthecurrentbackupimagewiththeactiveimageand replacesthecurrentactiveimagewiththenewimage.Also,aftertheimageisloaded,adialogboxprompts youtoconfirmtheunitreset. Note: If the configuration didnt load properly (for example, the traffic tree disappeared), see Loading a Traffic Configuration on page 16. PacketWise8.5.2doesntcontainanynewmeasurementvariables,butifyouareupgradingfromanolder versionofPacketWise(suchas8.2.0orearlier),youmayneedtoresetthemeasurementdata. Toresetmeasurementdata: 1. 2. 3. 4. Clickthesetuptab. FromtheChooseSetupPagelist,chooseunitresets.TheunitresetsoptionsappearontheSetupscreen. Selectthetypeofmeasurementdatatoreset:Link,Partition,Class,Host,orAll. Clickresetmeasurementdata.

Option 2
Download the Software from the Blue Coat Download Website ThismethodofupgradingthePacketWisesoftwareisathreepartprocess.First,downloadthesoftware imagefilefromtheBlueCoatdownloadwebsitetoyourclientworkstation.Second,FTPthefilefromyour clientworkstationtothePacketShaper.Third,loadthenewsoftwareimage. Todownloadthelatestsoftwareimage: 1. 2. 3. 4. 5. Makesureyouhavebackedupyourconfigurationfiles.(SeeBackingUpSoftwareConfigurationson page9.) GototheBlueCoatdownloadsite:http://support.bluecoat.com/download. Intheproductlistontheleft,selectPacketShaper. Ifprompted,enteryourBlueCoatSupportusernameandpassword. SelectPacketShaper.

PacketWise 8.5.2 Release Notes

14

6. 7. 1. 2.

InthePacketShaperreleaselist,selectthesoftwareversionyouwanttodownloadandfollowthe onscreeninstructions. Verifythefilewasdownloadedsuccessfully. Atthecommandline,changetothedirectorywhereyoudownloadedthesoftwareimage. ToopenanFTPsessiontothePacketShaper,type:

ftp <ipaddress>

TocopythenewsoftwaretothePacketShaper:

where<ipaddress>istheIPaddressofthePacketShaper(forexample,ftp 207.78.98.254).Youcanalso typethedomainname. WhenyoupressEnter,thescreenmessagesindicatethattheconnectionhasbeenmadeandthatthe serverisready. 3. 4. 5. 6. 7. 8. Enterausername(suchastouch). EnterthePacketShaperstouchpassword. Enterbintogointobinarymode. ToselectthePacketShapersharddriveastheFTPdestination,type:

cd 9.258/

Optional:Toturnhashprintingon,enterhash.(Withhashenabled,youwillseea#symbolforevery 2Ktransferred.) TotransferthefiletothePacketShaper,type:

put <filename>

where<filename>isthenameofthefileyouarecopyingtothePacketShaper(forexample,putlatest.zoo). AfteryoupressEnter,thefilewillbetransferredtoyourPacketShaper. 9. 1. 2. ExittheFTPsession(quitorbye). OpenaTelnetwindowandconnecttoyourPacketShaper. ToselectthePacketShapersharddriveasthesourcedirectory,type:

cd 9.258/

Toloadthenewsoftwareimage:

3.

Toloadthenewimage,type:
image load <filename>

where<filename>isthenameofthefileyoucopiedtothePacketShaper(forexample,imageload latest.zoo).AfteryoupressEnter,youwillbeaskedtoconfirmtheprocess.PressEntertoproceed. 4. 5. ClosetheTelnetwindow,andwaitfortheimageload/bootupprocesstocomplete. Toconfirmthatthenewversionwasinstalled,accessthePacketWisesoftwarebyenteringthe PacketShapersIPaddressinyourwebbrowser.Afteryoulogin,thesoftwareversionnumberwill appearinthewindow. Note: If the configuration didnt load properly (for example, the traffic tree disappeared), see Loading a Traffic Configuration on page 16. IfyouareupgradingfromanolderversionofPacketWise,youmayneedtoresetmeasurementdata.Use themeasureshowCLIcommandtodeterminewhetherameasurementresetisnecessary. Toresetmeasurementdata: 1. OpenaTelnetwindowandconnecttoyourPacketShaper.

15

PacketWise 8.5.2 Release Notes

2.

Typemeasureshow.IfthemessageAcompleteMeasurementResethasnotbeendoneappearsinthe measureshowoutput,PacketWisehasdetectedthatyouupgradedtoanimagethathasnew measurementvariables. Typemeasurereset.

3.

Loading a Traffic Configuration

Ifyourconfigurationdidntloadproperlyafterupgrading,youcanloadatrafficconfigurationfroma previousversion.Youmightalsowanttoloadatrafficconfigurationifyouwanttouseaconfigurationfrom anotherunit.Hereisthegeneralprocedure: 1. Resetthetraffictree:
class reset

2. 3.

FTPtheconfigurationfilestothePacketShapersflashdiskrootdirectory (9.256/).Theconfig.ldifilemustbetransferredinASCIImode. Loadtheconfigurationusingtheclassloadcommand.Forexample:

class load 9.256/config.ldi

Ifaconfigurationwontloadorthetraffictreestillisntinplace,youcanrestoretheconfigurationby runningtheCMDfileyoucreatedbeforeupgrading.Forexample,ifyouusedthesetupcapturecommand andcreatedafilenamedbackup.cmd,youneedtoFTPthebackup.cmdfiletothePacketShaperandthen typerunbackup.cmd.

PacketWise 8.5.2 Release Notes

16

Known Issues in PacketWise 8.5.2

ThissectionlistsknownissuesinPacketWise8.5.2.

Xpress Issues
SeeKnownIssuesinXpressonpage21.

Blue Coat Sky UI Issues and Limitations

WhenBlueCoatSkyisthedefaultuserinterface,neithertheLegacyUInortheSkyUItimeoutafter aperiodofinactivity.Previously,theLegacyUIwouldtimeoutafter60minutesofinactivityand wouldrequireyoutologinagain. BlueCoatSky,inparticularitsrealtimegraphingfeatures,canplaceahighCPUloadontheclient machinerunningSky.ToavoidunnecessaryCPUload,BlueCoatrecommendsthatyouonlyrun realtimegraphswhenyouareactivelyviewingthem.Notethatthisdoesntimpacttheperformance ofthePacketShaper,althoughitcanaffecttheperformanceoftheclientmachine.ForbestSky performance,theclientmachineshouldhavethefollowingminimumrequirements:Pentium4@ 3GHzwith2GBofRAM. Inconfigurationswithlargetrafficclasstrees(morethan2000classes),performanceinBlueCoatSky maynotbeoptimal.Forexample,reportgenerationmaybeslow. WhenXpresstunnelsareconfiguredtoruninlegacymode,thestatuslineinBlueCoatSkymaynot accuratelyreflectthecurrentstateofcompression.Forexample,thestatuslinemayshow Compressiononwhen,infact,itisturnedoff.ThestatuslineintheLegacyUIdoesshowthecorrect compressionstate. Whenyouresizethebrowserwindow,someoftheSkyscreenelementsandtextmayoverlap. Enlargingthewindowwillfixthisproblem. Graphing IfyouhaveaBlueCoatSkybrowsersessionopenwhenthePacketShaperisreset(forexample,viaa CLIcommandorbyturningtheunitoffandbackon),realtimegraphswillstopupdatingandaRetry Update?errormessageappears.Beforeresettingtheunit,youshouldclosethebrowserwindowor manuallylogout(withtheLogoutlink).Ifyoudont,youwillneedtocloseallopenbrowser windowsafterresettingthePacketShaper.(Loggingoutwontbesufficient.) Occasionally,eachselectedclasswillbegraphedtwiceonhistoricgraphs.Ifyouseethisbehavior, clicktheRefreshClassTreeNow icon. ThehigherthelatencyonthenetworkorthehighertheloadonthePacketShaper,thelongerittakes forhistoricalgraphstorenderinBlueCoatSky.IfagraphfailstodisplayinSky(inotherwords,it timesout),trycreatingasimilargraphintheLegacyUI. Class Tree TheSkyclasstreedoesnotshowalltheinformationthatisdisplayedonthetraffictreeintheLegacy UI.Forexample,thedynamicpartitionsettingsandcertainclassproperties(autodiscoveredvs. manuallycreated,exceptionvs.standardclass)arenotshown.YouwillneedtoswitchtotheLegacy UItoseethesesettings. WhenaclasshasdifferentsettingsforInboundandOutbound(forexample,Inbound/VOIPhas discoveryenabledandOutbound/VOIPdoesnot),BlueCoatSkymaynotdisplaythesettings properlyincombinedview.Displayingtheclasstreeinseparateviewmaybemoreappropriate whenclasseshaveasymmetricsettings.

17

PacketWise 8.5.2 Release Notes

 Incombinedview,whenyouwanttocopyasingledirectionclass(suchasInbound/test)totheother direction(forexample,toOutbound),chooseRootfortheTolocation.Afterthecopyoperation,the classwillthenappearinthetreeas (bidirectional). Incombinedview,whenyoutrytocopyasingledirectionclasstoadestinationinbothdirections, theclassismovedinsteadofcopied.Inthissituation,itsbesttocopytheclassinseparateview (TrafficManagement>Settings>Inbound&Outboundseparated). BlueCoatSkycopiesallchildrenwhencopyingaparentwithchildren,evenifyouselectedonly someofthechildclasses.Forexample,supposeyouhaveaparentwithfourchildclasses.Ifyou selecttheparentandthreeofthechildclasses,BlueCoatSkywillcopyallfourchildclasses. Policy Manager Whenaclasshaschildren,youshouldnotcreatepoliciesontheparentclass.Becausepoliciesshould beappliedtochildclassesonly,theLegacyUIpreventsyoufromsettingpoliciesonparentclasses; BlueCoatSkydoesnot. Whenyouattempttodeleteaninheritedclass,BlueCoatSkywillcorrectlydisplayamessagethat theclassisinheritedandcannotbedeleted.Althoughtheclassthenappearstobedeletedfromthe classtree,ifyourefreshtheclasstree,theclasswillredisplay. Aftereditingorcreatingaratepolicy,youmayseetheerrormessage,Policynotboundwithclass. However,thepolicyisstillcreatedsuccessfully. Whenyouareassigninganeveradmitpolicy,BlueCoatSkyallowsyoutoselectWebRedirectfor alltypesofclasses;however,thisoptionisapplicabletoonlyHTTPclasses. Whencreatingasimplematchclass,theAutoDiscoveryinClassoptionisavailableforallclasses, evenwhenitsnotapplicable.BlueCoatSkywill,however,displayanerrormessageifyou inappropriatelyselectthecheckbox. BlueCoatSkycreatesincorrectmatchingruleswhenyouselectaserviceandoneofthefollowing additionalcriteria:Device,MACaddress,IPaddress,HostList,Subnet,Ports.Tocreatethesetypes ofclasses,youshouldusetheLegacyUI. RTPIcanbeclassifiedbycriteriainBlueCoatSky;toenterapplicationspecificcriteriaforother classes,youneedtocreatetheclassintheLegacyUI. Incombinedview,ifyoucreateaclassinbothdirectionswhenyourPacketShaperiswithintwo classesofitsconfigurationlimit,Skywillbeabletocreateonlyoneclass.Theerrormessageindicates thatitcouldntcreatetheclass,butinfact,itcreatedtheInboundclassbutcouldntcreatethe Outboundclass.(Note:Themaximumnumberofclassesinyourclasstreeisactuallyonelessthan theconfigurationlimitsonyourPacketShapermodel.Forexample,thePacketShaper900canhave upto63classes:64limitminus1.)

Switching Between Sky and Legacy UIs

IfyouswitchtotheLegacyUIandthenpressthebrowsersBackbutton(perhapsbecauseyouwant toreturntoBlueCoatSky),theLoginscreendisplays,givingtheappearancethatyoursessionhas loggedout.Youhavenotactuallyloggedout,though:youcanpressthebrowsersForwardbutton toreturntoBlueCoatSkyatthispoint.TheproperwaytoswitchbetweentheLegacyUIandSkyis tousetheBlueCoatSkylinkinthebanner;avoidusingthebrowsersBackbutton. WhenyouopenasecondbrowsersessiontoyourPacketShaper,theUItypeofthefirstsessionwill bedisplayedinthesecondwindow/tab,regardlessofwhichUIisthedefault.Forexample,ifyou haveaLegacyUIwindowopenandyouopenasecondbrowsersession,theLegacyUIwilldisplay inthesecondbrowser(evenifBlueCoatSkyisthedefaultUI). BlueCoatrecommendsthatyouhaveonlyoneSkysessionopenatatime.

PacketWise 8.5.2 Release Notes

18

UI Doesnt Display after Logging In

Iftheinitialpage(InfotabinLegacyUI,DashboardinSkyUI)doesntdisplayafterloggingintothe PacketShaper,clickthebrowsersRefreshbutton.YoumayneedtoclicktheStopbuttonfirst.

Service Groups Issues

Whileamoveoperationisinprocess,itspossiblethatsomeoftheselectedserviceswillnotbe moved,evenifyougetamessagethattheoperationwassuccessful.Thismightoccurifsomeoneelse iscreatingclassesinanotherusersessionorifyoupressCtrlCtoaborttheoperationwhileitsin process.Ifthishappens,repeatthemovecommandontheservicesthatwerentmoved. Priortodeletingacustomgroup,deleteanyclassesbasedonthatgroup.Ifyoufailtodothis,the classwillhaveaconfigurationerrorandyouwillbeunabletodeleteitinthebrowserinterface.A workaroundistousetheclassdeletecommandinthecommandlineinterface. Ifaclasshasduplicatematchingruleswithanotherclass(forexample,alocal/Inbound/HTTPand aninherited/Inbound/Internet/HTTP),oneoftheseclasseswillhaveaconfigurationerror.Untilyou resolvethiserror,trafficwillstillgetclassifiedintotheerroredclass. OccasionallyPacketWisedisplaystheconfigurationbeforeaservicegroupoperationiscompleted. Iftheconfigurationdoesntlookcorrect,tryrefreshingthebrowser.

RADIUS Issue
PAP,CHAP,andversiontwo(v2)ofMSCHAPcanbeusedtoauthenticateagainstaRADIUSserver;MS CHAPv1currentlyhasissues.

Firefox/Flash Issue
SomeversionsofFirefoxmayhavetroubleinitiallyloadingfeaturesrequiringAdobeFlashPlayer(suchas theServiceGroupssetuppageandtheStatisticalGraphingtool).

SNMP Issue
IfSNMPlookandtouchcommunitystringsareidentical,thePacketShaperwillnotsendSNMPtraps.Be suretosetuniquelookandtouchcommunitystrings.

Issues with User-Defined Services

Ifyoudeleteauserdefinedservice(UDS),makesuretoalsodeleteanytrafficclassesthatarebased onthisservice.Ifyoufailtodeletetheclass,aconfigurationerrorwillresult.Inaddition,thetraffic hitcountonaclasscreatedwithaUDSdoesnotgetresetaftertheUDSisdeleted.ThenextUDS createdmaycontinuetohittheclasspreviouslycreatedbytheoriginalUDS. IfyoucreateaUDS,deleteit,andthencreateanotherUDS,thenewUDSmayhavethesameservice IDastheonethatwasdeleted.ThiscancreatemisinterpretationofFDRdatainthirdpartyFlow DetailRecord(FDR)collectors.

Customer Portal Issues

DonotsetasecondarycustomerportalIPaddressifusingasecureLDAPconnectionbetween PolicyCenterandtheDirectoryServer;settingtheportalIPaddresswillcauseLDAPtousetheportal IPaddressinsteadofthemanagementaddress. WhenacustomerportalIPaddressisconfigured,severalPacketShaperfeaturesusetheportalIP addressinsteadofthePacketShapersmanagementIPaddress.Inparticular,SNMPwillsendthe portalIPaddressasthesourceaddressinnotifyandresponsepackets,andheartbeatsaresentfrom theportalIP.Ifthisisanissueforyou,youcancleartheportalIPaddressandhavecustomerslogin totheportalwiththefollowingURL:http://<managementIP>/customer.

19

PacketWise 8.5.2 Release Notes

Matching Rule Issues

IntheLegacyUI,youmayseeanError0000messagewhentryingtodeleteamatchingrule.This typicallyhappensafteryouhaveattemptedtoedittherulewithaninvalidspecification(suchas duplicatematchingrule).Ifthishappens,youwillneedtodeletetheclass. Inordertoclearoutaportmatchingrule,youmusttypeanyinthePortfield;youcannotsimply deletetheportnumber.

Classes with Duplicate Matching Rules

Typically,PacketWisewillnotletyoucreateatrafficclasswithmatchingrulesthatduplicateanotherclass. However,inthefollowingsituationPacketWisewillallowittohappen:whenaclasshasaDefaultchild class,youwillbeabletocreateaclasswithadifferentnamebutwiththesamematchingrules.Forexample, supposeyouhavecreatedaclassnamedInternetthatclassifiestrafficfortheInternetservicegroup,and classdiscoveryisenabled(whichcreatesaDefaultchildclass).PacketWisewillthenletyoucreateanother classnamedMyInternetbasedontheInternetservicegroup,withoutdisplayinganerrormessageor configurationerror.Trafficwillgetclassifiedintoonlyoneoftheclasses(whicheverappearsfirstintheclass tree).

Limitations of the VoIP Summary Report

TheClassdropdownlistfortheVoIPSummaryreportwillonlylistVoIPclassesifthenameappearswith theexactupper/lowercaseastheautodiscoveredclass(RTPI).Ifyoucreatedtheclassmanuallyandtyped thenamedifferently(suchasrtpi),thenamewillnotappearontheClassdropdownlist.

Config Save Filenames

WhenprovidingafilenameintheconfigsaveCLIcommand,enteranamethatiseightcharactersorless; enteringalongerfilenamewilldisplayanerrormessageNosuchaddress.

PacketWise 8.5.2 Release Notes

20

Known Issues in Xpress

ThissectionlistsknownissueswiththeXpressfeatureinPacketWise8.5.2

Classification Issue When Acceleration is Enabled

TheclassificationofCitrixprioritytagsdoesnotworkonacceleratedflows.Notethatallothertypesof Citrixclassificationworksonacceleratedflowsandprioritytaggingclassificationworksonnonaccelerated flows.

MTU Issues
AccelerationdoesnotrespecttheMTUimposedbylowspeedlinkvalues(lessthan384k).The workaroundistousethetunnelmtu<mtu>CLIcommandtoforcethedesiredMTUvalue. Whenpackingisusedinconjunctionwithacceleration,theMTUnegotiationmechanismmaynot workproperly.WhenthetunnelMTUissettoautoinXpress,checktheoutboundMTUestablished bytherouterormodem.IftheMTUhasanobviouslywrongvalue,youcanmanuallyconfigurethe MTUinXpresstotheappropriatevalue(usingthetunnelmtu<mtu>CLIcommand).

Command-Line Interface Issues

ThePacketWisecommandlineinterfaceisabletocompletepartialcommandsifauserentersenough informationtospecifyjustasinglecommand.Forexample,enteringjusttrtrwillreturntheoutput forthecommandtraffictree.However,thecommandtodeterminethevalueofthemeasurement enginevariablebytessavedbycompression,evenwhentypedinfull,isalsothepartialtextforthe commandtodeterminethevalueofthebytessavedbycompression%variable. IfyouuseasinglemeasuredumpCLIcommandtodeterminethevalueofboththebytessavedby compressionandbytessavedbycompression%measurementvariables,listthebytessavedby compressionvariablebeforethebytessavedbycompression%variable.Ifthevariablesarelistedin theoppositeorder,thebytessavedbycompressionvariablewillreportthesamevalueasbytes savedbycompression%.

Miscellaneous Xpress Issues

Withshortflows(thatis,flowscontainingonlyafewpackets),youmaynoticeadiscrepancyin measurementdatabetweendirectstandbypartners.Forexample,theactivePacketShapermayshow morecompressionsavingsthanthepassivePacketShaper.Thissituationoccursinenhancedtunnel modeonly. IfyouarehavingproblemscontrollingVoIPtrafficwithratepoliciesandpartitionswhenthereis significantcompetingtraffic,youmaywanttodisablepackingandcompression. IftwoPacketShapersareconnectedviathedirectstandbyfeature,thoseunitsmaynotformaproper accelerationtunnelforasymmetricflowsunlessthesamestaticlocalhostsandtunnelpasswordsare configuredonbothunits.

21

PacketWise 8.5.2 Release Notes

Additional Information
Thissectioncontainsimportantadditionalinformationthatwillhelpyoubetterunderstandanduse PacketWise8.5.

SNMP Requests
PacketWise8.3.xandhighersupportsSNMPv1,SNMPv2candSNMPv3.IfyourPacketShaperis configuredtorespondtoSNMPv1requestsandyouupgradethatunittoPacketWise8.3.xorlater,the PacketShaperwillrespondtobothSNMPv1andSNMPv2crequests.

PacketShaper 3500 Fan Speed

OnaPacketShaper3500,whichhasonlyonefan,theinfotabreportsaspeedof0.00Hzforpowersupply fantwo.Aspeedofzerosimplyindicatesthatthefanisnotpresent.

Unsupported Images
SomePacketShapermodelsrequireaspecificversionofPacketWisesoftwareinordertorun.Forexample, thePacketShaper1400requiresPacketWise7.4(orhigher)or8.1(orhigher).However,itispossibleto overwritethesupportedversionwithanunsupportedimageofPacketWise.Inthiscase,theunitwillnot boot,andyouneedtoreboottheunitusingitsbackupsoftwareimage.

Direct Standby on PacketShaper 1400

IfyouplantodeployPacketShaper1400modelsinadirectstandbyconfiguration,pleasecontactBlueCoat CustomerSupportforassistance.

PacketWise 8.5.2 Release Notes

22

Additional Information for Xpress

Thissectioncontainsimportantadditionalinformationthatwillhelpyoubetterunderstandandusethe Xpressfeature.

Understanding Acceleration
AccelerationisdesignedtoimproveTCPperformanceinthefollowingthreecases: Onlinksthathavealargebandwidthdelayproduct,accelerationcanprovidesubstantial throughputimprovementoverTCPforbulkdatatransferssuchasFTPtransfersoflargedatafilesor downloadingoflargeimagesinabrowser. Onlinksthathaveahighlossduetotransmissioncharacteristics,asopposedtohighlossfrom congestion,acceleratedflowswilltypicallyperformsubstantiallybetterthanTCP.(TCPseesany kindoflossascongestionandslowsdownaccordingly.) ForHTTPtraffic,accelerationcanbeconfiguredtoprefetchobjectsonawebpage,substantially reducingthetimeneededtodisplayapageonhighlatencylinks. NonTCPtrafficisneveraccelerated.Also,accelerationwillprovidelittleornobenefitinthefollowing situations: Transactionprocessingoverahighlatencylinkwillnotbeimproved.Thus,WindowsFileSharing (CIFS)whichreliesonlargenumbersoftransactionstransferringsmallobjectswillnotbenefitfrom acceleration. Lowlatencylinkswithonlycongestionloss.Forexample,linkswithbandwidthdelayproductsunder 100Kbyteswillseeminimalornoperformancebenefit. Inaddition,HTTPprefetchdoesnotuniformlyimprovealltypesofwebpagedownloads.Prefetchrelies onextrabandwidthbeingavailableforprefetchedobjects.Prefetchingwillalsobeautomaticallydisabled ifthePacketShaperisrunninglowonavailablememory.

Configuration Options for Acceleration

Inordertoachievethebenefitsofacceleration,PacketShapersneedtobeproperlyconfiguredforyour networkandtheflowsyouwishtoaccelerate.SomePacketShaperconfigurationsthatperformperfectly wellwithoutaccelerationmayactuallygetpoorperformancewithacceleration,ifaccelerationisenabled withoutregardtotheissuesstatedaboveandwithoutsomeappropriateconfigurationchanges. Accelerationusesoneoftwostrategiesfortransmittingpackets.Ifcongestioncontrolisenabled(the default),dataissentattheoutboundlinkorpartitionrate,andpacketlossistreatedascongestion;this causesaccelerationtoslowdown.Thismechanismisconceptuallythesameasthecongestioncontrollogic usedbyTCP.Ifcongestioncontrolisdisabled,thenaccelerationreliestotallyontheoutboundlinkor partitionsetting;ittreatslossasdatacorruption,notcongestion,anddoesnotslowdown.

Preferred Configuration for Acceleration

Accelerationworksbestwhentheavailablelinkrateisfixed,andthePacketShaperoutboundlinkor partitionratecanbesettoavaluewhichmatchesthisavailablerate.Byavailable,wemeantheamount ofbandwidththatisavailableforacceleratedTCPflows.Forexample,ifalinkissharedbetweenVoIPand FTPfiletransfers,theavailablebandwidthiswhatisleftoverafteraccountingforVoIPtraffic(which,being UDPbased,isneveraccelerated).Iftheavailablerateisknownandrelativelysteady,thenthebest performancecanbeachievedbysettingtheoutboundlinkorpartitionrateofthesendingsidePacketShaper toavaluethats12%smallerthanthisavailablelimit.Inthiscase,youwillwanttodisablecongestion control.

23

PacketWise 8.5.2 Release Notes

IfPacketShapersconfiguredfordirectstandbyareusingtheaccelerationfeaturetoaccelerateasymmetric traffic,bothdirectstandbypartnerPacketShapersmustbeabletoaccessInsidehostsviatheunitsXpress IP.IfInsidehostsareonadifferentsubnetfromtheXpressIP,thatPacketShapermusthaveanIngress gatewaydefined.UsetheCLIcommandtunnelipconfiguretoconfigureanIngressgateway.

When to Use Congestion Control with Acceleration

Bydefault,PacketShaperswillusecongestioncontrolwhenaccelerationisenabled.Thisisavery conservativeapproachdesignedtominimizeperformanceproblemsthatwilloccurifthesendingside PacketShapersoutboundlinkandpartitionratesarenotproperlyset.Thisisalsonecessaryforthe(not recommended)configurationinwhichInboundpoliciesontheremotePacketShaper(s)areusedtocontrol datathroughput.Generallyspeaking,youshouldenablecongestioncontrolforlinkswithwildlyvarying availablerates,forexample,whatisleftoverfromVoIP.Congestioncontrolmayalsobenecessaryforfull meshnetworkswhereyoucannotpredicttheactualbandwidthavailablebetweenanytwoendhosts. Notethatsincecongestioncontrolisasuboptimalsettingforacceleration,anyaccelerationbenefitsmay varygreatlyovertimeorbetweendifferenthosts.Youmustassessperformanceonyourparticularnetwork andthendecidewhetherornotitbenefitsfromacceleration.

ICNA Algorithm
TheICNApluginisnotnecessarywhenusingenhancedtunnelmodebecausetheICNAalgorithmisbuilt intoenhancedcompression.However,ifyouareusinglegacyormigrationtunnelmode,youwillneedto installtheICNAplugin.NotethattheICNApluginwillonlyloadwhenyouareusinglegacyormigration mode.

Limitations in Xpress
WatchmodeisnotavailablewithenhancedXpresstunnels,andcanbeenabledonlywhen PacketShaperissettolegacytunnelmode.Ifwatchmodewasenabledin7.x,itwillbeenabledafter theupgradeandtheunitwillbeinlegacymode. BecauseTCPisconvertedtoXTPwhenaccelerationisenabled,theresponsetimemeasurement (RTM)variablesarentabletomeasureatransactionthroughitscompleteroundtrip,anddoesnot accountfortheportionthatisnotTCP. Thetcpearlyretxtosspktsandtcpearlyretxtosspkts%variablesrelyonTCPRateControlsothey wontincrementforacceleratedconnections. IfonlylegacycompressiontunnelsexistbetweentwoPacketShapers,andyoucreateanenhanced compressiontunnelbetweenthoseunitsbutthenlaterdisableenhancedcompressionononeorboth ofthoseunits,thepreviouslegacycompressiontunnelswillnotautomaticallyreform.Deletethe enhancedtunneltoreenablethelegacycompressiontunnels.

Multicast Compression
Multicasttrafficcanbecompressedinv8.xassumingthatthefollowingconditionsaremet: TheClassDaddressesmustbeaddedtoremoteand/orlocalhostlistsusingthetunnellocaladdand tunnelremoteaddcommands.Unlikeunicastcompressionhosts,multicasthostswillnotbe discoveredautomatically. Thetunnelmustbestatic(sinceonlystatictunnelscanbeconfiguredwithremoteandlocalhosts.) Otherimportantpoints: Inorderforthetraffictogetdisseminatedtomultiplerecipients,thedecompressedmulticasttraffic mustbeforwardedtoarouter.Ifnot,onlyonehostwillreceivetheflow.

PacketWise 8.5.2 Release Notes

24

 Multicastaddresseesareintherange224.0.0.0239.255.255.255.Formoreinformationabout multicastaddresses,see:
http://www.iana.org/assignments/multicast-addresses

Multicasttrafficcannotbeaccelerated.

Asymmetric Flows
Foraccelerationtowork,trafficneedstopassthroughasinglepairofPacketShapersinbothdirections.Ifa redundanttopologyisconfiguredinsuchawaythataserverisreachablethroughapaththatdoesnotfirst traversetheremotePacketShaper,theasymmetricflowwillnotbeaccelerated. Incertaincircumstances,connectionswillfailwithasymmetricflows: Whenpacketsfromtheclienttotheserverpassthroughbothaclientsideandserverside PacketShaper,butreturnpacketsbypasseitherofthesePacketShapers. WhenroutingchangescauseTCPpacketstonotgothroughtheirnearsidePacketShaper WhenroutingchangescauseXTPpacketstopassthroughanacceleratingPacketShaperthatisnot theoriginalpartner. IfXpressisunabletosuccessfullycompleteanacceleratedconnectiontoaparticularhost(perhapsbecause theflowwasasymmetric),Xpresswillrememberthisonaperdestinationbasisforaperiodoftimeandwill nottrytointerceptadditionalconnectionsforthefaileddestination. IfPacketShapersconfiguredforDirectStandbyareusingtheaccelerationfeaturetoaccelerateasymmetric traffic,bothDirectStandbypartnerPacketShapersmustbeabletoaccessInsidehostssourcedviaXTP.If theXIPhostsareonadifferentsubnet(sothereisarouterconnectedtotheInsideportofthePacketShaper, thatPacketShapermusthaveadefinedIngressgateway.

Xpress-IP Configuration for Units on the Same Subnet

WhentwoPacketShapersareconfiguredwithXpressIPaddressesonthesamesubnet,theXpressIP gatewaymustbesettononeonbothPacketShapers,ifeitherofthefollowingistrue: accelerationisoff or alloftheendhostsinthenetworkarealsoonthatsamesubnet. Thissetupismostcommoninnetworkconfigurationsusedfortesting,demonstrations,andtrainingwhere thePacketShapersandhostsbeingusedareallonthesamesubnet.Itmayalsobefoundincaseswhere networksarebridgedoveraWAN.

Localhost Traffic Doesnt Get Tunneled

LocalhosttrafficdoesntgetcompressedorpackedbecauseXpressdoesnttunnelflowsthathavea PacketShaperastheendpoint.Inotherwords,whenyouaccessyourPacketShaperviaTelnet,webbrowser, orFTP,thistrafficwillnotgettunneled.

Acceleration Notes
Importantnotesaboutacceleration: Thesiteroutermustbesettononewhenyouareusingacceleration. Forbestperformance,BlueCoatrecommendsthatshapingbeenabledwhenusingacceleration. IfaPacketShaperisresetwhilethereareactiveacceleratedconnections,thoseconnectionswillbe terminated. Fortunnelsusingdynamichostdiscovery,connectionstodestinationsthatarenotalreadyinthe remotehostlistwillnotbeaccelerated.Newconnectionsstartedafterdiscoveryofthehostwillbe accelerated.

25

PacketWise 8.5.2 Release Notes

 Bydefault,Xpresswillusecongestioncontrolforacceleratedconnectionsonthesender.Thissetting willbeappropriateformostnetworktopologies,suchasfullymeshednetworks.However,ifthe networkhasfixed,dedicatedbandwidth,youmaywanttodisablecongestioncontrolusingthe tunnelaccelerationcongestioncontroloffcommand.

Using Acceleration with Multiple Inline PacketShapers

CertaintopologiesrequiretheaccelerationStrictHostChecksystemvariabletobeenabledinorderfor accelerationtoworkproperly: MultipleinlinePacketShapers HubandspoketopologiesinwhichtrafficacceleratedattheedgePacketShaperwillpassthrough anintermediatePacketShaperatthecentralsite WhentheaccelerationStrictHostCheckvariableisenabled,outboundTCPflowswillbeacceleratedonlyif thesourcehostisconfigured(ordiscovered)onthelocaldeviceandthedestinationhostisconfigured/ discoveredasaremotehostviatheoutboundtunnel.Likewise,inboundacceleratedflowswillnotbe interceptedunlessthesourcehostisconfigured/discoveredasaremotehostviatheinboundtunnelandthe destinationhostisconfigured/discoveredonthelocaldevice. Notes: EnablingthisvariablemayresultinaslightdegradationofperformanceforXTPacceleration,since lookupandvalidationoflocalandremotehostsaredoneperpacket.SCPSaccelerationdoesnothave thissideeffect. IfpacketspassthroughthesamePacketShapermultipletimes,itmaybenecessarytoeitherrestrict hosts(usingthetunneldiscoveryhostcommand),tomanuallyprovisionhostsonaparticularside (usingthehostdbsidemanualcommand),ortodisablehostdiscovery(usingthetunneldiscovery command).

PacketWise 8.5.2 Release Notes

26

27

PacketWise 8.5.2 Release Notes