AOS11 2 Release Notes v4

  • This document contains Proprietary Trade Secrets of Allot Communications LTD and its receipt or possession does not convey any right to reproduce, disclose its contents or to manufacture, use or sell anything that it may describe. Allot reserves the right to make changes, add, remove or change the schedule of any element of this document.

    Software Release Notes

    Version 4

    P/N D211092

    Allot Operating System AOS11.2

    This document details new features, known issues and clarifications concerning Allot operating system software version AOS11.2.

    Please check http://www.allot.com/support.html for any updates to this document.

    Applicable Devices

    New Features

    New Protocols and Applications

    Resolved Issues

    Known Issues

    Upgrade Procedures

  • Allot Operating System AOS11.2 Release Notes

    2010 Allot Communications. All rights reserved. 2

    Applicable Devices

    AOS11.2 is available for the following devices only:

    AC-1400

    AC-3000

    SG-Sigma

    AOS compatible devices not in the above list do not support version AOS11.2 and continue to support the previous AOS version.

    New Features

    HTTP Redirection Enhancements

    AOS11.2 allows sending additional information when redirecting to a captive portal. The additional information available is:

    The subscriber MSISDN, available only when working with SMP.

    The web address the subscriber tried to access

    Using this information allows the portal to automatically detect the identity of the subscriber accessing it and present him with a custom web page (for example, advising him on campaigns and showing him his account status). In addition, it is now possible for the portal to automatically redirect the subscriber to the original page he wanted to access once the portal activity has ended.

    Classification Enhancements

    AOS11.2 improves the classification capabilities of the device and now allows the following capabilities on top of the existing ones:

    Subscriber classification according to the XFF (X-Forwarded-For) field of the HTTP header. This capability allows traffic to be classified to a subscriber based on the IP address appearing in the XFF field instead of the IP address of the TCP connection. In non-transparent proxy environments, the proxy establishes the session with its own IP address rather than the subscriber IP. If traffic is classified to the subscriber according to the subscriber IP, any traffic flowing through the proxy will not be classified correctly. To associate traffic flowing through the proxy with a subscriber, the traffic needs to be classified according to the XFF field of the HTTP header, which represents the actual subscriber for which the proxy established the session. Supporting this capability allows the operator to deploy subscriber management capabilities in non-transparent proxy environments without waiving any of the DPI capabilities.

    Classification of traffic according to physical port. This capability allows the operator to classify traffic to a policy based on the physical port of the device through which the traffic arrived. In many environments this capability can be used to differentiate domestic from international traffic, as well as to differentiate traffic coming from different network elements.

    Interface classification. It is now possible to define an entity called an interface. The interface represents an L2 or L3 encapsulation (for example GRE). When the classification of traffic is defined as interface, the traffic is classified according to the interface type / connection rather than the encapsulated IP. For example, if GRE is defined as an interface, all traffic that is encapsulated in GRE will be classified as GRE and not by the encapsulated IP/application of the traffic. This capability allows the user to exclude specific interfaces from classification and QoS mechanisms.
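The XFF-based subscriber classification described above, as an added Python sketch that is not Allot code and does not describe how AOS implements the feature. Because the XFF field is supplied by whoever sends the request, the sketch honours it only when the TCP peer is a known proxy; the trusted-proxy range, the addresses and the function names are assumptions made for the example.

```python
import ipaddress

# Assumed deployment values (constructed; documentation and private ranges).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/28")]

# Constructed sample: a request relayed by the proxy at 192.0.2.5.
SAMPLE_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                  b"Host: example.test\r\n"
                  b"X-Forwarded-For: 10.64.9.9, 10.64.3.7\r\n\r\n")


def _xff_entries(raw_request: bytes):
    """Return every X-Forwarded-For entry, in order, across repeated headers."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    entries = []
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-forwarded-for":
            entries += [v.strip() for v in value.split(",") if v.strip()]
    return entries


def _parse_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _is_proxy(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def subscriber_ip(peer_ip: str, raw_request: bytes):
    """Return (ip_to_classify, reason) for one HTTP request.

    peer_ip is the source address of the TCP connection.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _is_proxy(peer):
        # Not a proxy session: the TCP source is the subscriber, XFF is ignored.
        return str(peer), "tcp-peer"
    # Proxies append the address they received the request from, so the
    # rightmost entry that is not one of our proxies is the one to use.
    for entry in reversed(_xff_entries(raw_request)):
        ip = _parse_ip(entry)
        if ip is None:
            return str(peer), "xff-malformed"      # fall back to the proxy IP
        if not _is_proxy(ip):
            return str(ip), "xff"
    return str(peer), "xff-missing"


if __name__ == "__main__":
    print(subscriber_ip("192.0.2.5", SAMPLE_REQUEST))
    print(subscriber_ip("10.64.3.7", SAMPLE_REQUEST))
```

Requests that fall back with `xff-malformed` or `xff-missing` are worth counting per proxy, since they are sessions that cannot be attributed to a subscriber.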

    Traffic Management

    AOS11.2 supports the capability to bypass traffic based on user defined subnets. Traffic meeting the subnet criteria will be bypassed and will not go through QoS and/or monitoring mechanisms. Up to 2000 subnets can be defined for subnet bypass.

    Element Management

    AOS11.2 introduced some new capabilities that allow for better management of the system capabilities as well as management of elements within the system (such as Pipes and VCs).

    The following capabilities were added in AOS11.2:

    Threshold Crossing Alarms (TCAs). AOS11.2 allows definition of alarms for policy elements (Pipes / VCs). The TCAs are based on BW and allow the user to set a threshold on the BW that will trigger an alarm when crossed. It is possible to set the threshold as either rising (BW is above a specific value) or falling (BW is below the specific value). It is possible to define up to 2000 elements (Pipes/VCs) to be monitored for TCAs.

    Drop action on reaching CER limit. AOS11.2 allows setting a maximum CER limit for the device. When this value is reached it is now possible to select one of two actions to take place:

    o Drop: any session over the CER limit will be dropped.

    o Bypass: every session above the CER limit will be bypassed and will not go through any of the DPI mechanisms.

    1GE Copper Ports Support (SG-Sigma Only)

    AOS11.2 upgrades the switch fabric software of the SG-Sigma and allows the Sigma to support 16X1GE Copper interfaces. Fiber 1GE ports are already supported with AOS11.1.

    Please note that upgrading the switch fabric software requires down time of the Sigma and a specific procedure. Please contact customer support at [email protected] for further details. The switch fabric upgrade is only needed for support of 1GE copper ports and is not included in the generic upgrade procedure of AOS11.2. If 1GE copper ports are not needed, please follow the generic upgrade procedure.

    New Host Blade Support (SG-Sigma Only)

    AOS11.2 supports the new host blade for SG-Sigma. The new blade is more powerful than the old one with more CPU power and memory. New Sigma units are now delivered with the new version of the host blade.

    AOS11.2 is backward compatible to the old blade and fully supports all capabilities with both new and old blades.

    Please note that the new host blade is supported from AOS11.2 and above. Previous versions do not support the new blade.

    Hanging of a Router Deployment (AC-1400/3000 Only)

    AOS11.2 allows AC-1400/3000 devices to be deployed in a configuration usually referred to as a hanging of a router configuration. This configuration connects the device to a router and uses the router PBR to route traffic to the DPI device and from the device back to the router.

    Codec Identification

    AOS11.2 is now capable of detecting the VoIP codec in use by an RTP stream. This capability allows more accurate QoS control for VoIP by guaranteeing the exact BW needed by every codec, and gives the operator the ability to block unwanted / BW consuming codecs.

    Supported codecs are G723, G729, GSM and G711A/U. Codecs are identified over UDP RTP for SIP and/or H.323 VoIP protocols.

    MediaSwift Enhancements

    AOS11.2 can identify traffic as cache out traffic coming from the MSW service, allowing the operator to control it differently than P2P and/or streaming traffic not generated by the cache. This allows the operator to limit non-cached traffic while at the same time allowing cache out traffic to flow, maintaining the QoE of his subscribers.

    New Protocols and Applications

    This version supports Allot Protocol Updates package version 3.11 and above.

    For a complete list of the supported protocols and applications and for details on upgrading your protocols identification with the recent protocol pack go to: https://c.eu1.visual.force.com/apex/KB?KBID=11895137.

    Please also find in this location the latest release notes for the protocol pack and its predecessors, in which you'll find detailed information about the supported applications, as well as information on resolved and known issues.

    Resolved Issues

    Fixed an issue that could cause the SG-Sigma to shape media traffic served by a MediaSwift cache and apply maximum QoS settings to P2P and/or streaming traffic.

    Fixed an issue that could cause policy updates to take a very long time when defining asymmetry configurations.

    Fixed an issue that could cause up to 3 seconds of traffic loss when changing action on failure configuration in the device from fail pair to bypass. Configuration change no longer results in packet loss.

    Fixed an issue that could cause the device to remain in bypass mode after disconnecting a bypass cable and connecting it again. The device no longer stays in bypass upon re-connecting the bypass cable.

    Fixed an issue that could cause ServiceProtector to fail if a device with ServiceProtector is migrated from one NX server to another.

    Fixed an issue that could cause the device to fail to report the reason for bypass when bypass was entered due to link failure (AC-3000/1400 only).

    Fixed an issue that could prevent WebSafe blacklists from loading correctly after the device reboots.

    IWF blacklists are no longer accessible by the system admin.

    Fixed an issue that prevented using Drop Precedence while using percentage QoS.

    Known Issues

    When upgrading from previous AOS versions the statistics collection profile is not maintained. This can cause graph inaccuracies.

    Allot Recommends: Following installation make sure the collection profile is identical to the defined profile prior to installation. Update the profile manually if not matching the previously defined profile. In case assistance with this procedure is required please refer to the following KB item https://c.eu1.visual.force.com/apex/KB?KBID=13697339

    In some cases when performing an upgrade and the action on failure defined prior to upgrading was not the default setting, after the upgrade the system may remain in bypass state due to the inconsistency.

    Allot Recommends: Prior to installation set the action on failure settings to default. After installation change the action on failure settings to the required settings. In case assistance with this procedure is required please contact customer support at [email protected]

    In some rare cases following an upgrade, the failure to automatically boot a blade may result in the device remaining in bypass state.

    Allot Recommends: If the device remains in bypass state after reboot, access every blade separately via the SMC and perform ac_reboot for any blade that did not boot. In case assistance with this procedure is required please contact customer support at [email protected].

    RTP codecs are only identified if a policy element is associated with a Codec. It is enough to associate a single policy element with one Codec in order for all the codecs to be identified and reported.

    Allot Recommends: If reporting per codec is needed, define a dummy policy element with no QoS that is associated with a Codec. If your policy already includes codecs there is no need for this definition.

    When setting QoS max on Pipe level to value of X, the minimum at the VC level needs to be set to X-1 in order to achieve the correct behavior and avoid admission by priority situations.

    Example:

    Correct: Pipe Max = 2048kbps, VC Min = 2047kbps

    Incorrect: Pipe Max = 2048kbps, VC Min = 2048kbps

    SG-Sigma will not reject an invalid key and will overwrite the current key definitions.

    Allot Recommends: Following an upgrade make sure (via the NX GUI) that all key definitions are correct. In case key definitions are incorrect, re-enter the key.

    The Asymmetry port (the port used to connect to other devices for asymmetry purposes) is not configurable and is set as follows:

    SG-Sigma: SFC-200 blade in slot 7, Port 3

    All other AOS devices: Port 3

    Host name and MAC definitions in Host catalog are not supported.

    Most Active URL report needs to be activated from NetXplorer. Please refer to the NetXplorer Operations Guide for instructions on how to activate the feature. Please note that report information starts appearing about 20min after activation of the feature.

    Provisioning of large host catalogs (over 4000 entries) may take a few minutes.

    The number of packets (packets in / packets out) is not reported or presented in NetXplorer.

    When setting a DOS (Denial of Service) catalog entry option to Reject, the actual behavior will be identical to Drop on TCP traffic.

    DOS catalog entries in the policy are enforced in the Pipe/VC level only, not on the Line level.

    Cisco ISL encapsulation is currently not supported; the device only sees the tunnel and not the encapsulated traffic inside the tunnel.

    In scenarios in which the device's Quality of Service engine is configured for high buffering on large portions of the traffic, the device might suffer from significant performance degradation.

    When changing the device's software key, a "rebooting the box" message may appear. This should be ignored since no reboot will occur unless the software version is changed.

    Packets with destination MAC of zero (0) are dropped by the device.

    When some of the VCs under a specific Pipe are defined with priority settings and some without, it is possible that the VCs that do not have priority settings will not be allowed to transmit data. Allot recommends: Make sure all elements under a specific Pipe either have priority definitions or all of the elements do not have priority definitions at all.

    Upgrade Procedures

    Service Gateway SG-Sigma

    NOTES

    A new license key is required when upgrading to AOS11.2. Please make sure you have a valid license for AOS11.2 before starting the upgrade.

    Allot strongly recommends that after upgrading, you keep the previous license key in a safe place in case you must rollback to the previous version.

    If you are upgrading the SG-Sigma from a version prior to AOS10.1.1, please upgrade first to AOS10.1.1 (follow the SG-Sigma upgrade instructions which were documented in the release notes for AOS10.1.1), and only then upgrade to AOS11.2.

    1. Make sure the version currently installed is AOS10.1.1 or above and confirm the M1 port of SFC1 (the SFC-200 blade inserted in slot 7 of the SG-Sigma chassis) is connected to your management network.

    2. Connect a terminal to the SGSV-110 Console port (to be used in case SSH access is lost during the upgrade). The terminal speed is 19200.

    [Figure: M1 Port on the SFC1 blade (slot 7) and the Console Port on the SGSV blade (slot 1)]

    3. Log into the system via SSH as User Name sysadmin, Password sysadmin

    4. Create a directory called AOS11.2. To do this, type the following command: mkdir AOS11.2

    5. Move to the newly created directory. To do this, type the following command: cd AOS11.2

    6. Download the version files.

    From the AOS11.2 directory enter the following command: ftp ftp.allot.com (the IP address is 209.62.76.11)

    Log into the ftp site as an anonymous user.

    Type cd /DPI_device/SG-Sigma/GA/AOS.SGS.11.2.0_B7

    Type hash.

    Type bin.

    Type prompt.

    Type mget *

    All required files will be downloaded automatically.

    When the download finishes, type bye. This will close the ftp site but leave Telnet open.

    7. You should now have the following files in the AOS11.2 directory:

    sigma-instl.sh

    sigma-11.2.0-7.tgz

    8. Type the following command: chmod u+x sigma-instl.sh

    9. Switch the SG-Sigma to bypass mode by running the following command: go config network -dev_mode system:bypass

    Output Example:

    host-blade:~$ go config view network

    ==== Network ====

    Redundancy Mode standalone

    Bypass Unit Configuration enable

    Bypass Unit Detection primary

    System Status bypass

    Minimum number of Core Controllers 1

    Number of active Core Controllers 3

    Minimum number of Switch Fabrics 2

    Minimum number of Flow Balancers 2

    Cards list :

    |Slot |Card Type |SMC State |Card Status

    --------------------------------------------

    |1 |HOST |ON |ACTIVE

    --------------------------------------------

    |2 |CC |ON |BYPASS

    --------------------------------------------

    |4 |CC |ON |BYPASS

    --------------------------------------------

    |6 |FB |ON |ACTIVE

    --------------------------------------------

    |7 |SFC |ON |ACTIVE

    --------------------------------------------

    |8 |SFC |ON |ACTIVE

    --------------------------------------------

    |9 |FB |ON |ACTIVE

    --------------------------------------------

    |10 |CC |ON |BYPASS

    --------------------------------------------

    |12 |VAS |ON |

    --------------------------------------------

    Request completed successfully.

    10. Start the installation by running the following command: ./sigma-instl.sh

    11. Wait for the upgrade to complete successfully.

    Output Example:

    Test:~/AOS11.2$ ./sigma-instl.sh

    Please wait, extracting package...

    ...........

    Installing Flow Balancer Blade located on slot 6.

    Installing Flow Balancer Blade located on slot 9.

    Installing core controller located in slot 2.

    Installing core controller located in slot 4.

    Installing core controller located in slot 10.

    Installing Switch Fabric Blade located in slot 8.

    ........

    Installation on slot 2 finished.

    ....................

    Installation on slot 4 finished.

    ....

    Installation on slot 10 finished.

    ................................................................................

    Installation on slot 6 finished.

    Installation on slot 9 finished.

    Installation on slot 8 finished.

    Installing Host controller.

    Please wait...

    ..............................................................................................................................................

    ...............

    The installation of sigma-host-11.2.0-7.tgz finished.

    Installing Switch Fabric Blade located in slot 7.

    Connection to 11.11.11.70 closed by remote host.

    Installation summary:

    ---------------------

    Successfully installed slots: 2 4 10 6 9 8 7

    Empty slots: 12

    System will automatically reboot.

    Broadcast message from dev (pts/0) (Mon Sep 20 14:42:10 2010):

    The system is going down for reboot NOW!

    Test:~/AOS11.2$

    The following message appears at the end of the upgrade and may vary depending on the SG-Sigma chassis population:

    Installation summary:

    ---------------------

    Successfully installed slots: 2 4 10 6 9 8 7

    Empty slots: 12

    System will automatically reboot.

    Broadcast message from dev (pts/2) (Tue Sep 14 10:59:34 2010):

    The system is going down for reboot NOW!

    The device will reboot automatically when the installation completes.

    12. Wait for the device to be reachable again after the reboot and log into the system again via SSH as User Name sysadmin, Password sysadmin

    13. Add the new key by running the following command: go config key

    Output Example:

    host-blade:~$ go config key SGSigma-123456-ABCDEFGHIJ2020HYK1U1P1MK2U1P1MK3U1P1MK7U1P1MK9U1P1MK10U1P1MHYH-6C8BD4B166

    A notification that the request was completed will appear if the key was accepted.

    14. Verify the correct key functionalities are enabled by running the following command: go config view key

    Output Example:

    host-blade:~$ go config view key

    ==== Global information ====

    Product Name SGSigma

    Activation Key SGSigma-123456-ABCDEFGHIJ2020HYK1U1P1MK2U1P1MK3U1P1MK7U1P1MK9U1P1MK10U1P1MHYH-6C8BD4B166

    Global Expiration Date 31/12/2019

    Global status valid

    ==== Features information ====

    1) QoS

    Status: valid

    Status enable

    2) Real time reporting

    Status: valid

    Status enable

    3) Long term reporting

    Status: valid

    Status enable

    4) Allot Protocol Update

    Status: valid

    Status enable

    5) WebSafe update subscription

    Status: valid

    Status enable

    6) Traffic steering

    Status: valid

    Status enable

    15. Change the device to Active by running the following command: go config network -dev_mode system:active

    16. Verify all cards are up and active by running the following command: go config view network

    Output Example:

    host-blade:~$ go config view network

    ==== Network ====

    Redundancy Mode standalone

    Bypass Unit Configuration enable

    Bypass Unit Detection primary

    System Status active

    Minimum number of Core Controllers 1

    Number of active Core Controllers 4

    Minimum number of Switch Fabrics 2

    Minimum number of Flow Balancers 2

    Cards list :

    |Slot |Card Type |SMC State |Card Status

    --------------------------------------------

    |1 |HOST |ON |ACTIVE

    --------------------------------------------

    |2 |CC |OFF | ACTIVE

    --------------------------------------------

    |4 |CC |ON |ACTIVE

    --------------------------------------------

    |6 |FB |ON |ACTIVE

    --------------------------------------------

    |7 |SFC |ON |ACTIVE

    --------------------------------------------

    |8 |SFC |ON |ACTIVE

    --------------------------------------------

    |9 |FB |ON |ACTIVE

    --------------------------------------------

    |10 |CC |ON |ACTIVE

    --------------------------------------------

    |12 |CC |OFF | ACTIVE

    --------------------------------------------
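A post-upgrade check for steps 9 and 16 and for the known issue of blades left in bypass, written as an added Python example (not an Allot tool): it parses captured "go config view network" output and lists whatever is not active. The sample captures are constructed in the format shown in the output examples above, the function names are hypothetical, and treating a blank Card Status as a finding is an assumption.

```python
import re

# Constructed capture in the format of the "go config view network" output.
SAMPLE_BYPASS = """\
host-blade:~$ go config view network
==== Network ====
Redundancy Mode standalone
System Status bypass
Minimum number of Core Controllers 1
Number of active Core Controllers 3
Cards list :
|Slot |Card Type |SMC State |Card Status
--------------------------------------------
|1 |HOST |ON |ACTIVE
--------------------------------------------
|2 |CC |ON |BYPASS
--------------------------------------------
|6 |FB |ON |ACTIVE
--------------------------------------------
|12 |VAS |ON |
--------------------------------------------
Request completed successfully.
"""

# Constructed capture whose table rows were run together by a copy and paste.
SAMPLE_ACTIVE_FUSED = (
    "System Status active\n"
    "Minimum number of Core Controllers 1\n"
    "Number of active Core Controllers 4\n"
    "Cards list :\n"
    "|Slot |Card Type |SMC State |Card Status\n"
    "---- |1 |HOST |ON |ACTIVE ---- |2 |CC |ON | ACTIVE ---- |4 |CC |ON |ACTIVE ----\n"
)

# One card row: |slot |type |SMC state |status. The status may be blank, so the
# last field must not skip over a newline into the next line of output.
CARD_ROW = re.compile(r"\|(\d+)[ \t]*\|(\w+)[ \t]*\|(\w+)[ \t]*\|[ \t]*(\w*)")


def _field(text, label):
    """Return the value that follows a 'Label value' line, or None."""
    m = re.search(r"^\s*" + re.escape(label) + r"\s+(\S+)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None


def parse_network_view(text):
    """Turn the captured output into a dict of status fields and card rows."""
    cards = [
        {"slot": int(slot), "type": ctype, "smc": smc, "status": status or None}
        for slot, ctype, smc, status in CARD_ROW.findall(text)
    ]
    return {
        "system_status": _field(text, "System Status"),
        "min_cc": int(_field(text, "Minimum number of Core Controllers") or 0),
        "active_cc": int(_field(text, "Number of active Core Controllers") or 0),
        "cards": cards,
    }


def post_upgrade_findings(text):
    """List everything that still needs attention before the upgrade is done."""
    view = parse_network_view(text)
    findings = []
    if view["system_status"] != "active":
        findings.append(f"system status is {view['system_status']}")
    if view["active_cc"] < view["min_cc"]:
        findings.append(
            f"only {view['active_cc']} of {view['min_cc']} required core controllers active")
    for card in view["cards"]:
        if card["status"] != "ACTIVE":
            state = card["status"] or "no status reported"
            findings.append(f"slot {card['slot']} ({card['type']}): {state}")
    return findings


if __name__ == "__main__":
    for finding in post_upgrade_findings(SAMPLE_BYPASS):
        print(finding)
```

Run against the step 9 capture, the system status and the core controllers in bypass are expected findings; after step 16 the list should be empty.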

    NetEnforcer AC-3000

    If the NetEnforcer being upgraded will be managed by the full NetXplorer Server along with one or more other NetEnforcers, follow this procedure:

    NOTE The Software Upgrade Procedure may fail if your NetEnforcer database is corrupted. In such cases, please consult Allot Customer Support at [email protected].

    1. Download the software version from the Allot ftp site by completing the following steps:

    Open Telnet and log in to the NetEnforcer as User Name: sysadmin Password: sysadmin (default).

    Type mkdir AOS112.

    Type cd AOS112.

    Type ftp ftp.allot.com (the IP address is 209.62.76.11)

    Log into the ftp site as an anonymous user.

    Type cd /DPI_device/AC-3000/GA/AOS.AC3K.11.2.0_B7

    Type hash.

    Type bin.

    Type prompt.

    Type mget *

    All required files will be downloaded automatically.

    When the download finishes, type bye. This will close the ftp site but leave Telnet open.

    2. Type chmod u+x ac3k-instl.sh

    3. Type ./ac3k-instl.sh

    4. The upgrade procedure could take as long as 10 minutes. You will be prompted to enter a new key.

    5. Type ac_reboot when you see a message that states that the upgrade completed successfully.

    NetEnforcer AC-1400

    If the NetEnforcer being upgraded will be managed by the full NetXplorer Server along with one or more other NetEnforcers, follow this procedure:

    NOTE The Software Upgrade Procedure may fail if your NetEnforcer database is corrupted. In such cases, please consult Allot Customer Support at [email protected].

    1. Download the software version from the Allot ftp site by completing the following steps:

    Open Telnet and log in to the NetEnforcer as User Name: sysadmin Password: sysadmin (default).

    Type mkdir AOS112.

    Type cd AOS112.

    Type ftp ftp.allot.com (the IP address is 209.62.76.11)

    Log into the ftp site as an anonymous user.

    Type cd /DPI_device/AC-1400/GA/AOS.AC1K.11.2.0_B7

    Type hash.

    Type bin.

    Type prompt.

    Type mget *

    All required files will be downloaded automatically.

    When the download finishes, type bye. This will close the ftp site but leave Telnet open.

    2. Type chmod u+x ac1k-instl.sh

    3. Type ./ac1k-instl.sh

    4. The upgrade procedure could take as long as 10 minutes. You will be prompted to enter a new key.

    5. Type ac_reboot when you see a message that states that the upgrade completed successfully.
