1

RIVERBED PRODUCT RELEASE NOTES

PRODUCT: STEELHEAD CX

RELEASE DATE: 15-MAY-2019

VERSION: 9.8.1

CONTENTS

1) New Features 2) Fixed Problems 3) Known Issues 4) Upgrading RiOS Software Version 5) SteelCentral Controller for SteelHead Software Requirements 6) Hardware and Software Requirements 7) Contacting Riverbed Support

1) NEW FEATURES These new features are available in version RiOS 9.8.1 Zakzero

SHSD feature from 9.7.1a

These new features are available in version RiOS 9.8.0

Authentication through Security Assertion Markup Language (SAML) SteelHead appliances support SAML 2.0, an XML standard that acts as an authentication interface between a SteelHead and an identity provider (IdP). You can use the IdP to provide additional requirements for authentication, such as multifactor authentication based on a common access card (CAC) or personal identity verification (PIV).

SteelHead support for federal Amazon Web Service (AWS) Secret Region SteelHead appliances can support traffic optimization for the AWS Secret Region, which is available to the U.S. Intelligence Community (IC). To configure this feature, see the

2

SteelHead (in the Cloud) User Guide.

SSL OCSP Stapling Server-side SteelHead appliances can now validate SSL certificates returned by the server using the Online Certificate Status Protocol (OSCP). You enable this feature with the protocol ssl backend server ocsp-stapling command. For more information, see the Riverbed Command-Line Interface Reference Manual.

Four-port 10-GbE SR/LR bypass card support for SteelHead appliances SteelHead models CX5070, CX7070, and GX10000 now support the following four-port 10-GbE bypass cards:

• 4-port 10-GbE SR fiber bypass NIC (NIC-1-010G-4SR-BP) • 4-port 10-GbE LR fiber bypass NIC (NIC-1-010G-4LR-BP)

See the Network and Storage Card Installation Guide for details. These cards are field mountable only for CX5070 and CX7070 and will be shipped separately from ordered systems. GX10000 offers both options: factory configured (NIC-1-010G-4SR-BP-C and NIC-1-010G-4LR-BP-C) and field mountable as spare.

Additional VM support for SteelHead-v appliances SteelHead-v appliances are now supported on the following additional hypervisors:

• ESXi 6.5 • Hyper-V on Windows 2016 Server

ESXi, KVM, and Hyper-V bypass card support for SteelHead-v appliances These cards now support SteelHead-v appliances running on the specified VMs: NIC-1-001G-4TX-BP: support added for ESXi (KVM and Hyper-V already supported)

• NIC-1-001G-4TX-BP: support added for ESXi (KVM and Hyper-V already supported) • NIC-1-001G-4SX-BP: support added for ESXi (KVM and Hyper-V already supported)

SR-IOV support for SteelHead-v appliances SteelHead (virtual edition) (SteelHead-v) appliances can now support single root I/O virtualization (SR- IOV).

IPv6 support for flow collection and export

You can now specify IPv6 addresses for traffic statistics collection, when adding a flow

3

collector, filters, and subnet side rules for NetFlow and SteelFlow data collection and export. For many deployments, this enhancement enables a Riverbed WAN optimization design with SteelHead, SteelCentral Controller for SteelHead (SCC), and Interceptor to run in a pure IPv6 environment.

Web proxy enhancements These enhancements were made in version 9.8:

• Filtering and reporting enhancements - You can filter reports based on the appliances, and you can select the top 25 reports instead of the top 10 reports.

• HTTPS bypass list - A report shows hostnames of HTTPS bypassed traffic for which web proxy was not able to provide a caching benefit, most likely due to missing certificates.

• YouTube filtering - An option has been added to filter statistics specific to YouTube traffic.

• Parent proxy whitelist enhancement - Added the ability to create a whitelist that lets you specify third-party proxy IP addresses and hostnames for caching.

• When the client explicitly proxies an HTTP connection through a third-party proxy, there is a mismatch between the packet destination address and the host header destination. Web proxy does not cache the response for HTTP traffic because there is a chance it may be a malicious attempt at cache poisoning. This enhancement lets you define known sites to cache.

See the Riverbed Command-Line Interface Reference Manual and the SteelCentral Controller for SteelHead User Guide for more details.

HTTP/2 caching support

SteelHead appliances can now support optimization of HTTP/2 cached traffic.

MPEG-DASH support

SteelHead appliances can now support Dynamic Adaptive Streaming over HTTP (DASH), also known as MPEG-DASH.

Changing encryption for domain replication passwords

SteelHead appliances add the protocol domain-auth encrypt-upgd command to change all domain replication user passwords from Data Encryption Standard (DES) to Advanced Encryption Standard (AES). For more information, see the Riverbed Command-Line Interface Reference Manual.

4

SteelConnect SaaS Optimization

This release adds SteelHead support for SaaS optimization through SteelConnect; however, the full functionality depends on a future release of SteelConnect Manager. Refer to S25532 for the compatibility information.

2) FIXED PROBLEMS Problems fixed in version 9.8.1 • 295696 The Procera Networks (sandvine) NAVL DPI version 4.3.1 build #48 has been

patched with a fix that provides the ability to handle inbound and outbound QoS definitions of SnapMirror traffic differently.

• 296826 Fixed an issue to ensure that RiOS does not overwrite the protocol ID based on the classification by DPI when latency optimization is none.

• 298919 Fixed an issue where the optimization service could crash when optimizing WebDAV Sharepoint traffic.

• 299704 Fixed an issue where SSH connectivity the appliance failed after the management IP address was changed via DHCP.

• 300639 In Administration > Maintenance > Licenses page, fixed an issue where on click of button 'Fetch Updates Now' was not fetching the license and its broken. Now, it is Fetching the License and Updated it.

• 300924 Fixed an issue where HTTPS connection performance is affected or dropped when using HTTPS proxy mode.

This issue occurs when the client-side SteelHead accepts session reuse for connections the server-side SteelHead has in the bypass table. This happens because the proxy controls sessions to multiple domains and results in a connection drop.

The fix for the server-side SteelHead signals the client-side SteelHead not to accept reuse for proxied sessions."

• 301380 This fix added extra measures to protect critical code and avoid a race condition that could lead to the optimization services crashing.

• 301606 In some environments where Open VSwitch (OVS) is being deployed, packets that have the hardware-generated checksum cannot be accepted by OVS.

To fix this issue, the virtio net driver has to disable the use of the hardware-generated checksum in the packets.

• 301838 Fixed an issue where the use of domain labels could lead to a kernel crash on a client-side Steelhead.

• 301840 Fixed an issue where the optimization service crashed while processing an error in a MAPI-over-HTTP connection. The service collects diagnostic data during an exception while optimizing MAPI-over-HTTP traffic, and the service crash could occur while collecting the diagnostic data.

https://supportkb.riverbed.com/support/index?page=content&amp%3Bid=S32337

5

• 302962 When any QoS rule is configured with an application having a common name, set the global flag _dpi_process_ssl_cn to "true" so that the correct rule matches when any packet with a common name is received.

• 303397 Fixed the behavior in OpenSSL 1.0.2o+ to correctly detect renegotiation and respond with the "no renegotiation" SSL alert as was done previously.

• 303407 Fixed an issue where Peering CA CRL validation could fail with an indication that the peering CA is not found even when the correct peering CA is present.

• STEELHEAD-4369 Symptom: SaaS Accelerator in-path rules show the "Web Proxy" field enabled, which actually is not supported.

Condition: We have fixed this issue by hiding the Web Proxy field for SaaS Accelerator.

• STEELHEAD-4659 Symptom: After running the "no web-proxy enable" command once, in-path rules send internet traffic to web-proxy, resulting in traffic being blackholed.

Condition: In-path rules with the web-proxy option as auto/force are enabled but web-proxy is disabled.

• STEELHEAD-4719 Symptom: A customer sees warning logs about the following deserialization failure:

HTTP Response parsing: Detected an error state DESERIALIZATION_FAILURE Deserialization failure: MapiRopEngine::dispatchResponseRop - outputServerObject is missing for RopOpenMessage.

Condition: This deserialization failure happened when object open and close happened in the same MAPI-over-HTTP transaction, which was optimized via our MAPI optimization. The fix involved proper handling of this situation.

• STEELHEAD-4857 Symptom: A customer may see a stale SteelHead primary IP address being displayed on the SCM UI.

Condition: This issue occurs when the primary IP address of SteelHead has been changed through SCC or the SteelHead CLI/UI.

• STEELHEAD-5295 Symptom: The value of Outbound QoS DSCP shows incorrectly as 0 in connection_detail.

Condition: This happens under all conditions.

• STEELHEAD-5494 Symptom: When connection forwarding is enabled, SteelHeads would sometimes display redundant connections between clients/servers and SteelHead neighbors.

Condition: This issue is fixed by skipping the display of all entries where the destination IP address belongs to a SteelHead neighbor. These changes affect only those scenarios that have packet mode or path selection enabled.

• STEELHEAD-5497 Symptom: Kerberos Authentication fails whenever SH is unable to complete replication. SH can no longer perform kerberos authentication and falls back to NTLM authentication mode.

Condition:

6

Replication test fails after the expiry of kerberos ticket. Default lifetime of kerberos ticket is 10hours.

• STEELHEAD-5499 Symptom: winbindd crashes while refreshing DC list, which might cause domain authentication failures for a very short span of time.

• STEELHEAD-5502 Symptom: An SCM-deployed AWS Cloud SteelHead cannot connect to SCC.

Condition: This issue was caused by an empty serial number in the OCD database, which is now updated automatically.

• STEELHEAD-5503 Symptom: The Root Class does not show the correct data in the Inbound QoS report at Reports > Inbound QoS.

Condition: This issue happens under all conditions.

• STEELHEAD-5504 Symptom: While optimizing live video traffic, SteelHead may crash due to conflicting requests to the video cache.

Issue: This issue was introduced with the addition of MPEG-DASH support in RiOS 9.8.0.

• STEELHEAD-5552 Symptom: Domain Auth requests fail and encrypted MAPI and SMB connections are not optimized due to the winbind process getting stuck in a loop "DC list refresh is pending"

Condition: This issue occurs when SteelHead appliances are joined to a domain to optimize encrypted MAPI and SMB connections.

• STEELHEAD-5567 Symptom: The winbind process runs out of memory and eventually crashes, interrupting the SteelHead's ability to connect to a domain controller.

Condition: This issue occurs when a SteelHead is joined to the domain to optimize encrypted MAPI and SMB connections.

• STEELHEAD-5587 Symptom: The SteelHead appliance may generate errors such as "Management back end unavailable. Continuing with reduced functionality or syslog errors such as "gcl_session_provider_accept(), gcl.c:2788, build (null): accept: Too many open files".

Condition: This issue occurs under heavy load, where the mgmtd process on SteelHead has run out of the allowed limit of the open file descriptors.

• STEELHEAD-5599 Symptom: An optimization service crash can occur while optimizing a SMB2 protocol connection.

Condition: This can occur when a client tries to read the parent directory of a file or directory, but that parent directory no longer exists.

• STEELHEAD-5798 Symptom: In rare cases and under heavy load, the optimization service may crash.

Condition: This issue occurs when the optimization service is handling a lot of events related to connections opening and closing unexpectedly. It is not specific to a certain protocol.

7

• STEELHEAD-5841 Symptom: In-path GRE peering blocks NHRP traffic.

Condition: NHRP is running as well as "in-path peering-gre enable."

• STEELHEAD-5853 Symptom: The proxy is returning the wrong URL, which breaks access to the page.

Condition: This issue occurs with some faulty server implementations that do not accept absolute URI after HTTP verbs, instead of relative URI.

• STEELHEAD-5854 Symptom: QoS classification did not work.

Condition: This issue occurred when the user directly upgraded from SteelHead release 8.6.x to 9.6.x, which has been addressed through this bug fix.

• STEELHEAD-5860 Symptom: The SteelHead optimization service crashes.

Condition: When MAPI over HTTP optimization is enabled in 9.8.0 or later, a specific kind of MAPI over HTTP request followed by a non-MAPI over HTTP request can crash the optimization services.

• STEELHEAD-5872 Symptom: An unexpected appliance reboot due to a kernel crash.

Condition: This issue occurs with the use of domain labels.

• STEELHEAD-5915 Symptom: The optimization service crashes.

Condition: This issue occurs while optimizing Citrix traffic. This is a regression introduced by another bug fix in an earlier version. The necessary code has been reverted to fix this bug.

• STEELHEAD-6139 Symptom: An unexpected Steelhead appliance reboot due to a kernel crash.

Condition: Rare conditions with netflow enabled.

• STEELHEAD-6165 Symptom: The QoSd process consistently crashes.

Condition: This issue occurs when qos is enabled. The bug is introduced in RiOS 9.8.0.

• STEELHEAD-6284 Symptom: The optimization service does not start.

Condition: In cloud steelhead deployments, upgrade or downgrade to a release without this bug fix is affected. This is fixed when upgrading to 9.8.1 and 9.9.0, but downgrade to prior releases are affected.

• STEELHEAD-6329 Symptom: A SteelHead SD appliance may not be able to install an image to upgrade, with this error: "The upgrade image provided does not pass validation."

Condition: This issue can occur if there is not enough space on the /var disk.

• STEELHEAD-6342 Symptom: The optimization service may crash.

Condition: This can occur while optimizing MAPI-over-HTTP traffic and the service is processing a protocol error.

8

• STEELHEAD-6419 Symptom: The LAN bypass feature from the SteelHead is not bypassing the traffic from the QoS engine.

Condition: When LAN-to-LAN traffic passes through the SteelHead, it is being subjected to outbound QoS, which limits the LAN traffic rate.

• STEELHEAD-6527 Symptom: A SteelHead CX appliance may reboot due to a kernel crash, or the RiOS portion becomes unresponsive in a SteelHead CXSD.

Condition: This issue occurs in SteelHead CXSD or a SteelHead CX deployed behind a SteelConnect appliance, where the SteelConnect compatibility is enabled (enabled by default on CXSD).

• STEELHEAD-6542 Symptom: The following error message is possible:

Jan 28 13:48:08 oak-sh878 sport[67806]: [httpfwk/client/rsp.WARN] 88 {10.5.189.11:59265 13.107.136.9:443} Dropping connection due to exception: stoi

Condition: This error occurs when an http connection downloads objects larger than 4 GB.

• STEELHEAD-6563 Symptom: Top talkers was not working in SteelHead 9.8.0 when the "show stats top-talkers" CLI command was used. This issue has been fixed.

Condition: This issue occurred when the following flags were enabled in the NETWORKING -> Flow Statistics page in the SteelHead GUI:

Enable Top Talkers

Enable Flow Export

• STEELHEAD-6653 Symptom: Email gets stuck in the Outbox and not sent as quickly as it does in pass-through. Eventually, in the background, the Outlook client reattempts to send the email, which gets sent and leaves the Outbox and gets placed in the Sent box.

A TCP dump on the SFE shows that an optimized connection hangs soon after processing a non-MAPI-over-HTTP request and gets closed by the host about a minute later.

Condition: This issue can occur with Office 365 Outlook traffic for large email attachments.

• STEELHEAD-6742 Symptom: Email may get stuck in the Outlook Outbox or takes longer to be sent than if the connection were in pass-through. The Outlook client reattempts the send, and the email does get sent and placed in the Sent box. A TCP dump on the SFE shows that a pair of pipelined requests got sent out for both MAPI-over-HTTP traffic and non-MAPI-over-HTTP transactions.

Condition: This issue can occur with Office 365 Outlook traffic for large email attachments.

• STEELHEAD-7266 Symptom: The SteelHead appliance reboots due to a kernel panic.

Condition: This issue can occur when a configuration change is made to reduce bandwidth percentage on a QoS class.

9

Problems fixed in version 9.8.0b • 243373 Fixed an issue where the SteelHead exports conflicting flow_direction

information. The implementation has been changed to pass the correct value of flow_direction for the connection based on the reason, which can be easily interpreted by the user without any confusion.

• 269478 Fixed an issue where the use of domain labels in in-path rules could cause a kernel crash at intercept_vip_return on server-side SteelHeads.

• 304143 HTTP optimization may block traffic with 100-Continue responses when followed by the final response and body data. INFO logs of bypass due to "MISSING_EXPECT" or "unsolicited response" may be observed on either the client or server SteelHead.

The 100-Continue message was interfering with how the HTTP blade was parsing HTTP transactions. This fix ensures the internal state is reset when evaluating the final transaction response.

• STEELHEAD-5497 Symptom: Kerberos Authentication fails whenever SH is unable to complete replication. SteelHead can no longer perform Kerberos authentication and falls back to NTLM authentication mode.

Condition: The replication test fails after the expiry of the Kerberos ticket. The default lifetime of Kerberos ticket is 10 hours.

• STEELHEAD-5599 Symptom: An optimization service crash can occur while optimizing SMB2 protocol connection.

Condition: This issue can occur when a client tries to read the parent directory of a file or directory, but that parent directory no longer exists.

• STEELHEAD-5860 Symptom: The SteelHead optimization service crashes.

Condition: When MAPI-over-HTTP optimization is enabled in 9.8.0 or later, a specific kind of MAPI- over-HTTP request followed by a non-MAPI-over-HTTP request can crash the optimization services.

Problems fixed in version 9.8.0a • 219890 Fixed the way tproxytrace configures the socket it interacts so that it no longer

enters a tight polling loop causing it to trigger a CPU alarm.

• 301382 Fixed the problem with visibility of IPv4 routing table under the menu: Networking > Networking > Base Interfaces.

• 301442 Fixed an issue where the appliance could hit an out-of-memory condition due to a memory leak when QoS is enabled. This could lead to appliance instability and processes being restarted.

• 303409 Fixed an issue where an optimization service crash could occur rarely in certain connection forwarding scenarios.

10

• 302728 Fixed an issue in the Office 365 SaaS UID feature to not add an additional cookie header on the HTTP request.

Problems fixed in version 9.8.0 • 101561 The TACACS+ first-hit option defaults to on for new installations (appliances

upgraded from previous versions are not changed). This means that failing TACACS+ authentication on the first server will not cause the appliance to try other TACACS+ servers. Organizations that have automatic account lockouts after a small number of retries should have the first-hit option on. The TACACS+ first-hit option may be turned on with the tacacs-server first_hit command in the CLI (or prefixed by "no" to turn it off). In addition, a checkbox to turn it on or off has been added to the TACACS+ settings page of the administration web interface. The TACACS+ first-hit option may not be suitable for setups where each TACACS+ server authenticates a different set of users.

• 265585 After a negotiate response from the SMB server, if the negotiated authentication mechanism includes both NegoEx and NTLM, the Windows 10 client logged in the live ID tries to establish the SMB session using NegoEx. Usually the domain joined server drops NegoEx context and falls back to NTLM. In this scenario, SteelHead blacklists the connection immediately after seeing NegoEx context in the session setup request. With the fix, SteelHead passes through the session setup request with NegoEx context to the server. If the server replies with NTLM, then it optimizes the connection; otherwise, it silently shuts down the signing blade for the particular session.

• 279018 Flash drive with firmware version 560 will sometimes have I/O errors and cannot access the drive. The flash drive firmware must be upgraded to version 60L or later. The vendor has found an issue with the flash drive firmware 560.

This upgrade must be performed prior to the flash drive exhibiting this problem. If the issue has already occurred, there is no fix. The problematic flash drive will need to be replaced.

• 280776 Data store sync keeps dropping the sync connection because we did not distinguish two connections; while one is off, we destroy both. In some rare cases, it creates the connection creation/destroy loop. If the server connection is in an end-of-stream state, we keep the existing client connection.

• 282345 During password refresh, sometimes SteelHead generates a random password with an invalid character. Fixed this issue by generating the random password with valid characters.

• 283847 Added support for LIS driver 4.2.3 for Hyper-V VCX.

• 283920 Connections are getting stalled or resetting with MX-TCP and loss.

11

Implementation: Each TCP connection starts off being a normal connection, using standard congestion control and marking all packets sent out with the blaster_request flag. If the outgoing packet hits our Round-Robin TCP (RRTCP) queueing discipline (RRTCP Round Robin TCP), RRTCP makes a callback to the TCP connection, changing the connection into a blaster-enabled connection. This puts one packet onto the RRTCP queue and blocks waiting for RRTCP to call it back so it can enqueue another packet. RRTCP makes a callback to the connection only when its respective packet is dequeued from it, which depends on the rate shaper associated with it.

Condition: Each time a TCP connection attempts to enqueue a packet onto the RRTCP queue, it has to check if it’s in unblocked state. If it’s blocked, it can’t enqueue the packet. Ideally the connection is unblocked in a matter of milliseconds. If the connection is in blocked state for more than 3 seconds, we revive the connection and unblock it, allowing the TCP connection to continue to send packets onto the RRTCP queue.

• 285196 Fixed an issue where a SteelHead upgrade to 9.2.0 or later from the Riverbed Support site resulted in the error "Unable to connect to Riverbed support site."

• 286517 High latencies in file transfer were observed when the latest versions of Windows clients were querying security information while copying files from shares mounted on Windows servers such as win2k12, win2k16, and so on. This fix provides support to prefetch and cache security information in the in-memory metadata cache and later serve the data from the cache upon getting a query request for security from the client.

• 286653 Fixed an issue where the CLI command show service cloud-accel statistics connections incorrectly reported pass-through connections that no longer existed. The command now correctly shows active pass-through connections. The Akamai binary running on SteelHead was updated for the fix.

• 287229 Fixed an issue where CAPWAP traffic was not being marked consistently. Added two CLI commands as part of this bug fix: By default, the inner packet is classified in case of tunneling. If you want the outer packet to be classified, enter the no qosd dpi-tunneling enable. To specify the application for which you want the outer protocol to be classified, create a custom app for that application with DPI tunneling disabled by application app-prot transport-prot dpi-tunneling no command. For that application, the outer protocol will be classified. For CAPWAP to be classified, you need to enter the following commands: no qosd dpi-tunneling enable and application app-prot Control-And- Provisioning-of-Wireless- Access-Points dpi-tunneling no. If none of the above commands are entered, the default behavior will be to classify the inner protocol.

• 288668 Made improvements to support stronger Domain Auth delegation/replication password encryption algorithms. See the "Changing encryption for domain replication passwords" section in the SteelHead Deployment Guide.

• 288935 The optimization service may crash after operating with memory utilization above the admission control memory cutoff limit for a period of time. The following message is observed in the system log:

12

FATAL ERROR: Out of memory trying to allocate internal tcmalloc data (bytes, object-size) 131072 48

• 290102 CIFS connections initiated with Kerberos authentication and down negotiated to NTLM fail with the message "access denied" when NTLMv1 is used. Replace the current mechListMIC with a newly generated one by updating the session setup request.

• 290277 Remove logging of the encrypted password to the log.

• 290709 Fixed an issue that occurred after upgrading a SteelHead appliance from an earlier version to 9.6.1, where the QoS page does not load and the error "Cannot read property 'nodes' of qos_profiles" is thrown in logs.

• 291259 Fixed an issue where SteelHeads were not allowed to query for Traffic Summary data older than one month. Validation will now let users select a date range older than a month.

• 291888 When the Optimization Service failed to recognize SOCKS traffic routed through it, it was not forwarding the packets to the server. The fix is to correctly flush packet queues with these unrecognized packets after disabling Citrix latency optimization.

• 291971 The ICMP probe response coming on the WAN side should be relayed to the LAN interface without applying any path-reflect information or path-selection rules.

• 292611 Fixed an issue where MTU set on an internal SteelHead interface used for SCA was incorrect when SCA was enabled for the first time and when logging levels on the SteelHead were changed. MTU is now set to the correct value when SCA is enabled for the first time and when logging levels change.

• 292893 Fixed an issue where the fail-to-bypass feature did not work on some of the shipped network interface cards that had been configured as Standard NIC mode. With the modification of the driver code, RiOS is now able to change (via sysfs) NICs that have been configured as Standard NIC mode to normal Bypass mode.

• 292938 The Outlook Anywhere optimization service's handling of this kind of traffic was fixed.

• 293032 Fixed an issue where the in-path rule statistics hit counter would increase even for a disabled rule.

• 294566 The optimization service crashes when CFE tries to request a lease on behalf of a MAC client when the client issues a create request. The logic to get the CFE to request a lease on behalf of the client has been removed.

• 294995 Fixed an issue where the EIGRP and OSPF protocols appeared under the Application-Protocol category. The third-party Procera network's NAVL DPI was not able to classify the EIGRP and OSPF protocols as "Transport Layer" protocols as expected by the customer or customer support.

The Riverbed solution made some changes to the parameters passed to the "navl_classify()" API in a conditional way and now is able to classify the EIGRP and OSPF protocols as "Transport Layer" protocols.

13

• 295166 Newer WinStation Citrix Receivers, such as 13.5+ on Linux, will see connections go into pass-through. Update the Citrix optimization service to understand the new driver name and allow optimization.

• 295265 Fixed a locking issue that may occur when Outlook uses multiple connections to a server. An internal message system was reworked to avoid the possibility of a deadlock.

• 295675 SteelHead crashes due to a deadlock between threads when lease code is executed. Acquiring a single lock for a thread solves the problem.

• 295975 CFE experiences assert when the client uses the same lease key for files under different trees of the same server. Identify the scenario and blacklist the connection.

• 296206 Fixed an issue where file copy operations from Windows 10 clients were stopped as incorrect file attributes and were stored and served locally from the metadata cache of SteelHead. The fix introduces a new way of calculating and maintaining file attributes in the metadata cache of SteelHead.

• 296253 Fixed an issue where the OneDrive traffic was not recognized by the DPI engine. This issue was due to the limitation in classifying OneDrive traffic in Vineyards NAVL DPI. Procera Networks provided a patch that has been merged into SteelHead software.

• 296337 Added support for the VCX Provisioning feature for Virtual SteelHead on Hyper-V.

• 296548 Fixed an issue where an optimization service crash occurred with indications of "Double-free detected." This behavior seemed limited to configurations using Lotus Notes optimization. Discovered a multi-threaded race condition related to use of the OpenSSL library that could lead to the crash. The thread safety issue was resolved.

• 296787 Fixed an issue where a user is unable to login to the BMC WebUI on CX-5070, CX- 7070 and Interceptor 9600 appliances.

• 296840 Fixed an issue where WARN messages like "[sh.periscope.utils.WARNING] Inserting stats into RRD failed (KeyError): 'Metric adl not found'" are seen in the syslog. These messages had no functional impact.

• 297126 The client experienced a delay of 60 seconds to get a warning message while overwriting files as the cancel request reached the server out of sequence with invalid MID. The fix implements a way to make sure that the cancel request reaches the server after the original request that is to be canceled.

• 297133 Fixed an issue where the SteelCentral Controller "Send CLI command" feature failed to configure in-path rule settings on SteelHead.

• 297179 Fixed an issue where a QoS configuration push from SteelCentral Controller to SteelHead fails and an error "name: input must be no more than 30 chars" is displayed.

• 297506 Connections may be incorrectly optimized by web proxy when an in-path rule with a web proxy+domain label is present above a rule to optimize Exchange/MAPI.

• 297952 Added support for Layer 2 flow control on NIC-1-010G-4TX-BP and NIC-1- 010G- 4SR-BP.

14

• 298021 Added support for IPv6 SteelFlow and NetFlow. This is a new feature enhancement.

• 298366 In some cases, with SharePoint optimization enabled, when a client sends a specific SharePoint request using the basic authentication schema, the SteelHead can respond with a 401 error. This may cause some web pages to display incorrectly. Fix the issue by handling the basic authentication schema correctly.

• 299120 Fixed an issue related to SSL session reuse that could cause an optimization service crash on the client-side SteelHead if there are long-lasting SSL connections and a peer SteelHead is repeatedly going up and down.

• 299832 Fixed an issue where the optimization service would crash when SSL client Authentication is enabled and the client attempts an SSL session resumption while also negotiating ALPN.

• 300021 Fixed an issue where the IPv6 default gateway could not be removed using the GUI from the primary interface. This issue occurred due to improper handling of the UI gateway fields in the support file.

• STEELHEAD-4091 When using domain labels in in-path rules, SSL connections with no SNI go pass-through.

• 101561 Failing TACACS+ authentication results in trying all TACACS+ servers, which may trigger account lockouts at some organizations. The TACACS+ first-hit option should be used in this case (CLI command tacacs-server first_hit).

• 265585 SteelHead blacklists the connection with the following error when the SMB client tries to use NegoEx authentication:

"error: unable to process security buffer: SRVAUTH: REPLY_UNSUPPORTED_MECH"

• 279018 Flash drive with firmware version 560 will sometimes have I/O errors and cannot access the drive.

• 280776 Data store sync keeps dropping the sync connection.

• 282345 SteelHead may fail to connect to the domain controller after the password refresh, if the machine password refresh is set.

• 283847 Added support for LIS driver 4.2.3 for Hyper-V VCX.

• 285196 SteelHead upgrade to version 9.2.0 or later from the Riverbed Support site results in the error "Unable to connect to Riverbed support site."

• 286517 High latencies in file transfer occur when the latest versions of Windows clients query security information while copying files from shares mounted on Windows servers such as win2k12, win2k16, and so on.

• 286653 The CLI command show service cloud-accel statistics connections incorrectly reports pass-through connections that no longer exist.

• 287229 CAPWAP traffic is not being marked consistently.

• 288668 The Domain Auth delegation/replication password encryption does not support stronger encryption algorithms.

15

• 288935 In rare cases, the optimization service may crash when operating at peak memory utilization.

• 290102 CIFS connections initiated with Kerberos authentication and down negotiated to NTLM fail with the message "access denied" when NTLMv1 is used.

• 290277 During the configuration of a replication user, the encrypted password gets printed in the log message.

• 290709 The QoS page does not load and the error "Cannot read property 'nodes' of qos_profiles" is thrown in logs. Hence Add/Edit of QoS class, QoS profiles, and QoS rules will not be possible.

• 291259 SteelHeads show only last one month's values in Traffic Summary reports even when data older than a month is queried.

• 291888 Citrix traffic encapsulated in the SOCKS protocol is blackholed by the SteelHeads if carried over the configured Citrix ICA or CGP port. This happens when Citrix clients connect to a SOCKS proxy in the data center.

• 291971 ICMP probe is blackholed when "path-selection settings path-reflect probe enable" is selected and the remote secondary link is flapped in a serial cluster.

• 292611 MTU set on an internal SteelHead interface used for SCA is incorrect when SCA is enabled for the first time and when logging levels on the SteelHead are changed.

• 292893 For some of the shipped network interface cards that have been configured as Standard NIC mode, the fail-to-bypass feature will not work.

• 292938 In rare cases, certain chunk-encoded HTTP data causes large delays and CPU spikes when the Outlook Anywhere optimization service is being used to optimize traffic.

• 293032 In-path rule statistics hit counter increases for a disabled rule.

• 294419 Traffic performance is impacted under specific conditions in a system that has a 40-G NIC installed, with optimization disabled on the in-path interfaces associated with that NIC.

• 294566 The optimization service crashes when CFE tries to request a lease on behalf of a MAC client when the client issues a create request.

• 294861 HTTP prepop fails to open HTTPS URL with traces indicate failure is due to unknown CA.

• 294995 The EIGRP and OSPF protocols appear under the Application-Protocol category.

• 295166 Newer WinStation Citrix Receivers, such as 13.5+ on Linux, will see connections go into pass-through.

• 295265 A deadlock may occur during processing of a MAPI-over-HTTP request, resulting in a restart of the optimization process.

• 295675 SteelHead crashes due to deadlock between threads when lease code is executed.

16

• 295975 CFE experiences assert when the client uses the same lease key for files under different trees of the same server.

• 296206 File copy operations from Windows 10 clients are stopped as incorrect file attributes and are stored and served locally from the metadata cache of SteelHead.

• 296253 OneDrive traffic is not recognized by the DPI engine.

• 296337 The VCX Provisioning feature is not supported for Virtual SteelHead on Hyper-V.

• 296465 An optimization service crash may occur when SSL renegotiation is enabled and the server requests SSL renegotiation at the same time the client is sending data.

• 296548 An optimization service crash occurs with indications of "Double-free detected." This behavior appears limited to configurations using Lotus Notes optimization.

• 296787 Unable to login to BMC WebUI of CX-5070, CX-7070, and Interceptor 9600 appliances.

• 296840 WARN messages with no functional impact appears in the log like "[sh.periscope.utils.WARNING] Inserting stats into RRD failed (KeyError): 'Metric adl not found'."

• 297123 A memory leak in stream-splitting code will lead to degraded performance of some HTTP optimizations. The impact is likely limited to HTTP optimization.

• 297126 The client experiences a delay of 60 seconds to get a warning message while overwriting files as the cancel request reaches the server out of sequence with invalid MID.

• 297133 SteelCentral Controller "Send CLI command" feature fails to configure in-path rule settings on SteelHead.

• 297179 Sometimes QoS configuration push from SteelCentral Controller to SteelHead fails and an error "name: input must be no more than 30 chars" is displayed.

• 297506 Exchange connections may be incorrectly optimized by web proxy when using domain labels.

• 297952 Layer 2 flow control is not supported on NIC-1-010G-4TX-BP and NIC-1-010G- 4SR-BP.

• 298021 Added support for IPv6 SteelFlow and NetFlow.

• 298366 In some cases, with SharePoint optimization enabled, when a client sends a specific SharePoint request using the basic authentication schema, the SteelHead can respond with a 401 error.

• 299120 An optimization service crash can occur on the client-side SteelHead if there are long-lasting SSL connections and a peer SteelHead is repeatedly going up and down.

• 299832 An optimization service crash occurs when SSL client Authentication is enabled and the client resumes an SSL session while also negotiating ALPN.

17

CVE bugs fixed in version 9.8.1 For additional details, refer to the Security Finder.

• 302237

Details:

https://www.openssl.org/news/vulnerabilities.html

OpenSSL 1.0.2n has the following vulnerabilities:

CVE-2018-0739 Constructed ASN.1 types with a recursive definition could exceed the stack

CVE-2018-0737 Cache timing vulnerability in RSA Key Generation

CVE-2018-0732 Client DoS due to large DH parameter

Fix:

Upgraded OpenSSL to 1.0.2o with additional patches to fix these vulnerabilities.

Recommendation:

Upgrade to a software release with the fix.

• STEELHEAD-6152

DETAILS:

Curl on some SteelHead versions is vulnerable to the following:

CVE-2018-16842: Curl versions 7.14.1 to 7.61.1 are vulnerable to a heap-based buffer over-read in the tool_msgs.c:voutf() function that may result in information exposure and denial of service.

CVE-2018-16839: Curl versions 7.33.0 to 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service. Note: This issue can only be triggered by using a POP3, IMAP, or SMTP URL with a username longer than 1 GB or password longer than 2 GB.

CVE-2018-16840: When closing and cleaning up an "easy" handle in the Curl_close() function, the library code first frees a struct (without nulling the pointer) and might then subsequently erroneously write to a struct field within that already freed struct.

FIX:

Upgraded curl to 7.62.0.

Recommendation:

Upgrade to a software version with this fix.

https://supportkb.riverbed.com/support/index?page=cve

18

• STEELHEAD-6410

DETAILS:

CVE-2018-18384: Info-ZIP UnZip 6.0 has a buffer overflow when a ZIP archive has a crafted relationship between the compressed-size value and the uncompressed-size value. UnZip is used to unpack software upgrade images on SteelHead appliances. A "social engineering" attack that convinces the appliance administrator to install the attacker's image could be used to exploit this vulnerability.

FIX:

Upgraded UnZip to a version with the vulnerability fixed.

RECOMMENDATION:

Upgrade to a software version with the fix. Install only trusted software upgrade images obtained directly from Riverbed.

CVE bugs fixed in version 9.8.0 • 291697 CVE-2017-1000253: kernel: load_elf_ binary() does not take account of the need

to allocate sufficient space for the entire binary.

• 292300 CVE-2017-1000111: Linux kernel packet_set_ring() race condition lets local users obtain root privileges.

• 292358 CVE-2017-15274: Local denial of service vulnerability.

• 292359 CVE-2017-12192: kernel: NULL pointer dereference due to KEYCTL_READ on negative key.

• 292984 CVE-2017-16531: Local denial of service vulnerability.

• 292987 CVE-2017-16533: Local denial of service vulnerability.

• 292990 CVE-2017-16526: Invalid pointer dereference results in DoS by local user.

• 292991 CVE-2017-13089, CVE-2017-13090: Upgrade wget to 1.19.2.

• 293544 CVE-2017-1000158: CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in heap-based buffer overflow (and possible arbitrary code execution).

• 293788 CVE-2017-16994: kernel:mm/pagewalk.c:walk_hugetlb_range function mishandles holes in hugetlb ranges causing information leak.

• 293839 CVE-2017-16939: The XFRM dump policy implementation allowed local users to gain privileges or cause a denial of service.

• 293934 CVE-2017-12190: Memory leak when merging small consecutive buffers in SCSI I/O vectors.

• 293937 OpenSSL before 1.0.2n has vulnerabilities CVE-2017-3737 and CVE-2017-3738 as described at https://www.openssl.org/news/secadv/20171207.txt.

• 294165 CVE-2017-8817, CVE-2017-8816: Upgrade curl to 7.57.0.

19

• 294888 CVE-2017-1000407: Linux kernel >= 2.6.32 DoS by flooding diagnostic port 0x80 (Intel x86).

• 294890 CVE-2017-8824: Linux kernel

20

Known issues in version 9.8.0 • STEELHEAD-4420 Symptom: Virtual SteelHead fails to initialize due to a kernel panic.

• STEELHEAD-4005 Symptom: Change in the name server on the SteelHead results in warning messages with web proxy still trying to perform DNS resolution with the older name server.

Condition: This issue occurs when:

- the name server is changed and the old name server is no longer reachable.

- web proxy is enabled before the name server is configured.

4) UPGRADING RIOS SOFTWARE VERSION Upgrading Alert:

• 9.2.0 Upgrade, Path Selection, and QoS: Operators must disable path selection and QoS in SteelHead 9.0.x or SteelHead 9.1.x prior to rebooting into SteelHead 9.2.0, which uses new path identifiers. Refer to S28250 for detailed instructions. Failure to follow this process can block preexisting connections and render the SteelHead unreachable after the first SCC 9.2.0 Path Selection policy push.

• Path Selection: Upon upgrading a SteelHead from RiOS version 8.6.x or earlier to

9.0.0 and later, existing path selection rules are not automatically migrated. Refer to S25533 for details.

• QoS: RiOS version 9.0.0 and later use a completely new QoS management and syntax compared to RiOS version 8.6.x and earlier. Refer to S25532 for details prior to upgrading to RiOS version 9.0.0 or later.

Review the SteelHead CX Installation and Configuration Guide for information on upgrading the RiOS software version on SteelHead appliances. For Virtual SteelHeads, see the Virtual SteelHead CX Installation Guide. If running Cloud SteelHeads, see the SteelHead (in the Cloud) User Guide.

5) STEELCENTRAL CONTROLLER FOR STEELHEAD SOFTWARE REQUIREMENTS

If you use SteelCentral Controller for SteelHead (SCC) to manage your appliances, you must upgrade SCC to a specific version before you upgrade your appliances to this software version. Failure to do so will prevent communication between SCC and your appliances. See Knowledge Base Article S27759 for complete details.

https://supportkb.riverbed.com/support/index?page=content&amp%3Bid=S28250https://supportkb.riverbed.com/support/index?page=content&amp%3Bid=S28250https://supportkb.riverbed.com/support/index?page=content&amp%3Bid=S25533https://supportkb.riverbed.com/support/index?page=content&amp%3Bid=S25532https://supportkb.riverbed.com/support/index?page=content&amp%3Bid=S25532https://support.riverbed.com/bin/support/download?did=o1991ca6jaie8e38ciks7ffg65https://support.riverbed.com/bin/support/download?did=o1991ca6jaie8e38ciks7ffg65https://support.riverbed.com/bin/support/download?did=o1991ca6jaie8e38ciks7ffg65https://support.riverbed.com/bin/support/download?did=o1991ca6jaie8e38ciks7ffg65https://support.riverbed.com/bin/support/download?did=o1991ca6jaie8e38ciks7ffg65https://support.riverbed.com/bin/support/download?did=o1991ca6jaie8e38ciks7ffg65https://support.riverbed.com/bin/support/download?did=o1991ca6jaie8e38ciks7ffg65https://support.riverbed.com/bin/support/download?did=m29mu92aeduhnla79mib2490u0&amp%3Bversion=9.8.0https://support.riverbed.com/bin/support/download?did=m29mu92aeduhnla79mib2490u0&amp%3Bversion=9.8.0https://support.riverbed.com/bin/support/download?did=m29mu92aeduhnla79mib2490u0&amp%3Bversion=9.8.0https://support.riverbed.com/bin/support/download?did=m29mu92aeduhnla79mib2490u0&amp%3Bversion=9.8.0https://support.riverbed.com/bin/support/download?did=m29mu92aeduhnla79mib2490u0&amp%3Bversion=9.8.0https://support.riverbed.com/bin/support/download?did=m29mu92aeduhnla79mib2490u0&amp%3Bversion=9.8.0https://support.riverbed.com/bin/support/download?did=m29mu92aeduhnla79mib2490u0&amp%3Bversion=9.8.0https://support.riverbed.com/bin/support/download?did=cs9cpeb1r1npoh4599gr3m75sa&amp%3Bversion=9.8.0https://support.riverbed.com/bin/support/download?did=cs9cpeb1r1npoh4599gr3m75sa&amp%3Bversion=9.8.0https://support.riverbed.com/bin/support/download?did=cs9cpeb1r1npoh4599gr3m75sa&amp%3Bversion=9.8.0https://support.riverbed.com/bin/support/download?did=cs9cpeb1r1npoh4599gr3m75sa&amp%3Bversion=9.8.0https://support.riverbed.com/bin/support/download?did=cs9cpeb1r1npoh4599gr3m75sa&amp%3Bversion=9.8.0https://supportkb.riverbed.com/support/index?page=content&id=S27759

21

SCC was formally known as Central Management Console (CMC). Review the SteelHead CX Installation and Configuration Guide for information on SCC compatibility.

6) HARDWARE AND SOFTWARE REQUIREMENTS The SCC appliance has the following requirements: If you use SteelCentral Controller for SteelHead (SCC) to manage your appliances, you must upgrade SCC to a specific version before you upgrade your appliances to this software version. Failure to do so will prevent communication between SCC and your appliances. See S27759 for complete details.

SCC was formally known as Central Management Console (CMC). Review the SteelHead CX Installation and Configuration Guide for information on SCC compatibility.

Review the SteelHead CX Installation and Configuration Guide for information on upgrading the RiOS software version on SteelHead appliances. For Virtual SteelHeads, see the Virtual SteelHead CX Installation Guide. If running Cloud SteelHeads, see the SteelHead (in the Cloud) User Guide.

7) CONTACTING RIVERBED SUPPORT Visit the Riverbed Support site to download software updates and documentation, browse our library of Knowledge Base articles, and manage your account. To open a support case, choose one of the options below.

Phone Riverbed provides phone support at 1-888-RVBD-TAC (1-888-782-3822). Outside the U.S. dial +1 415 247 7381.

Online You can also submit a support case online.

Email Send email to support@riverbed.com. A member of the support team will reply as quickly as possible.

https://support.riverbed.com/bin/support/download?did=o1991ca6jaie8e38ciks7ffg65&version=9.8.1https://support.riverbed.com/bin/support/download?did=o1991ca6jaie8e38ciks7ffg65&version=9.8.1https://supportkb.riverbed.com/support/index?page=content&amp%3Bid=S27759https://supportkb.riverbed.com/support/index?page=content&amp%3Bid=S27759https://support.riverbed.com/bin/support/download?did=o1991ca6jaie8e38ciks7ffg65https://support.riverbed.com/bin/support/download?did=o1991ca6jaie8e38ciks7ffg65https://support.riverbed.com/bin/support/download?did=o1991ca6jaie8e38ciks7ffg65https://support.riverbed.com/bin/support/download?did=o1991ca6jaie8e38ciks7ffg65https://support.riverbed.com/bin/support/download?did=o1991ca6jaie8e38ciks7ffg65https://support.riverbed.com/bin/support/download?did=o1991ca6jaie8e38ciks7ffg65https://support.riverbed.com/bin/support/download?did=o1991ca6jaie8e38ciks7ffg65&version=9.8.1https://support.riverbed.com/bin/support/download?did=o1991ca6jaie8e38ciks7ffg65https://support.riverbed.com/bin/support/download?did=o1991ca6jaie8e38ciks7ffg65https://support.riverbed.com/bin/support/download?did=o1991ca6jaie8e38ciks7ffg65https://support.riverbed.com/bin/support/download?did=o1991ca6jaie8e38ciks7ffg65https://support.riverbed.com/bin/support/download?did=o1991ca6jaie8e38ciks7ffg65https://support.riverbed.com/bin/support/download?did=o1991ca6jaie8e38ciks7ffg65&version=9.8.1https://support.riverbed.com/bin/support/download?did=o1991ca6jaie8e38ciks7ffg65https://support.riverbed.com/bin/support/download?did=o1991ca6jaie8e38ciks7ffg65https://support.riverbed.com/bin/support/download?did=m29mu92aeduhnla79mib2490u0&amp%3Bversion=9.8.0https://support.riverbed.com/bin/support/download?did=m29mu92aeduhnla79mib2490u0&amp%3Bversion=9.8.0https://support.riverbed.com/bin/support/download?did=m29mu92aeduhnla79mib2490u0&amp%3Bversion=9.8.0https://support.riverbed.com/bin/support/download?did=m29mu92aeduhnla79mib2490u0&amp%3Bversion=9.8.0https://support.riverbed.com/bin/support/download?did=m29mu92aeduhnla79mib2490u0&amp%3Bversion=9.8.0https://support.riverbed.com/bin/support/download?did=m29mu92aeduhnla79mib2490u0&version=9.8.1https://support.riverbed.com/bin/support/download?did=m29mu92aeduhnla79mib2490u0&version=9.8.1https://support.riverbed.com/bin/support/download?did=cs9cpeb1r1npoh4599gr3m75sa&version=9.8.1https://support.riverbed.com/bin/support/download?did=cs9cpeb1r1npoh4599gr3m75sa&amp%3Bversion=9.8.0https://support.riverbed.com/bin/support/download?did=cs9cpeb1r1npoh4599gr3m75sa&amp%3Bversion=9.8.0https://support.riverbed.com/bin/support/download?did=cs9cpeb1r1npoh4599gr3m75sa&amp%3Bversion=9.8.0https://support.riverbed.com/bin/support/download?did=cs9cpeb1r1npoh4599gr3m75sa&amp%3Bversion=9.8.0https://support.riverbed.com/bin/support/download?did=cs9cpeb1r1npoh4599gr3m75sa&amp%3Bversion=9.8.0https://support.riverbed.com/bin/support/download?did=cs9cpeb1r1npoh4599gr3m75sa&amp%3Bversion=9.8.0https://support.riverbed.com/https://support.riverbed.com/cases/index.htmmailto:support@riverbed.com

22

©2019 Riverbed Technology. All rights reserved. Riverbed and any Riverbed product or service name or logo used herein are trademarks of Riverbed Technology. All other trademarks used herein belong to their respective owners. The trademarks and logos displayed herein may not be used without the prior written consent of Riverbed Technology or their respective owners.

RIVERBED PRODUCT RELEASE NOTES1) New Features2) Fixed Problems3) Known Issues4) Upgrading RiOS Software Version5) SteelCentral Controller for SteelHead Software Requirements6) Hardware and Software Requirements7) Contacting Riverbed Support1) New FeaturesSR-IOV support for SteelHead-v appliancesIPv6 support for flow collection and exportYou can now specify IPv6 addresses for traffic statistics collection, when adding a flow collector, filters, and subnet side rules for NetFlow and SteelFlow data collection and export. For many deployments, this enhancement enables a Riverbed WAN opti...Web proxy enhancementsHTTP/2 caching supportSteelHead appliances can now support optimization of HTTP/2 cached traffic.MPEG-DASH supportSteelHead appliances can now support Dynamic Adaptive Streaming over HTTP (DASH), also known as MPEG-DASH.Changing encryption for domain replication passwordsSteelHead appliances add the protocol domain-auth encrypt-upgd command to change all domain replication user passwords from Data Encryption Standard (DES) to Advanced Encryption Standard (AES). For more information, see the Riverbed Command-Line Inter...SteelConnect SaaS Optimization

2) Fixed ProblemsProblems fixed in version 9.8.1Problems fixed in version 9.8.0bProblems fixed in version 9.8.0aProblems fixed in version 9.8.0CVE bugs fixed in version 9.8.1For additional details, refer to the Security Finder.CVE bugs fixed in version 9.8.0

3) KNOWN ISSUESKnown issues in version 9.8.0

4) UPGRADING RIOS SOFTWARE VERSIONUpgrading Alert:

5) SteelCentral Controller for SteelHead Software Requirements6) Hardware and Software RequirementsThe SCC appliance has the following requirements:

7) Contacting Riverbed Support