ScreenOS 5.3r3 is out!!!

  • I updated over 10 boxes (NS-5GT) and all is OK so far.
    VPN with traffic shaping is also already good.
    No crash, no unexplained reboot.

  • administrators

    I’m running it now and haven’t noticed any issues. Multiple VPNs and OSPF running.

  • Hi all.

    Does anyone have experience with 5.3r3? Any new bugs/features?
    Is it stable, etc.?


  • 6. Addressed Issues

    The following sections identify which major bugs have been fixed in each release of ScreenOS 5.3.0.

    6.1 Addressed Issues in ScreenOS 5.3.0r3

    04092 – When converting a policy to a set of rules, the ASIC sometimes used a conversion algorithm that created a different number of rules than had previously been generated for the same policy.

    04221 – (WebUI) The remove option did not remove a CA certificate.

    04334 – Setting traffic to a vsys had problems. Debugging the device would show traffic that was going to the vsys was incorrectly classified to the root vsys.

    04457 – A disabled IKE user could successfully connect through the VPN.

    04522 – Incoming mail did not pass through a MIP when AV was enabled.

    04553 – Occasionally, packets were not routed correctly even though they matched the session.

    04819 – An IGMP proxy to multiple host interfaces for the same group was disallowed.

    04978 – (WebUI) Antivirus information was incorrectly contained as Recent Event information.

    05284 – After a reboot, a policy-based VPN tunnel with SRC-NAT and DIP configured was inactive due to an incorrectly set proxy-ID.

    05471 – The discard counter did not increment properly.

    05515 – The get service any CLI command displayed the default timeout value as one

    05733 – In some cases, a track-ip ping response was lost.

    05738 – (WebUI) The Local Auth server timeout field was incorrectly limited to a three digit value when the value should have been four digits.

    05903 – A session failed when DI was enabled and the DI was unable to handle half-close state.

    05981 – (WebUI) An error occurred when deleting an aggregate interface or subinterface.

    06161 – (ISG-2000) In transparent mode, configuring a large number of policies resulted in a policy look up timeout and dropped packets.

    06240 – Source-based NAT did not occur on traffic from Trust to DMZ security zones.

    06295 – There was intermittent device failure due to policy database failure.

    06297 – In some cases, the RADIUS authentication over policy based tunnels stopped working.

    06441 – The antivirus option was unavailable when a policy was configured for multicell context.

    06990 – A corrupt, misinterpreted and misdirected HA message caused the backup device to coredump and lose connectivity with the primary device.

    06991 – (NetScreen-50) Coredump and reboot occurred in an active/passive NSRP configuration, when secure-ID user inserted a long user name and password.

    07059 – DHCP requests from clients on untrust side of any NS device in X-mode acting as VPN initiator will be relayed to DHCP server behind the VPN responder through the VPN tunnel.

    07101 – DSCP marking for IPSec pass through traffic in route mode did not work properly on some platforms.

    07132 – Dial backup did not work (modem does not return dial) due to PPPLCP keepalives not being sent.

    07133 – Sometimes there were a few differences on SA’s SPI between Master’s SA and Backup’s SA when running the NSRP hot-sync.

    07177 – After an IGMP configured subinterface had participated in multicast, it could no longer be deleted or assigned to the null zone.

    07178 – In some cases, IPSec sessions were not cleaned up in the session table resulting in VPN failure.

    07217 – Modifying or adding an L2TP policy corrupted the system configuration.

    07218 – (WebUI) When modifying a policy ID and adding a service of ICMP-any to the untrust to trust policy, the device reloaded with a software forced error.

    07259 – (NetScreen-200 Series) Sometimes a device failed due to an ALG cookie between MSRPC and H.323 because the NAT cookie allocation and free process were not protected.

    07279 – A message, indicating that there was a corrupted session, was displayed on the console every 5 to 10 minutes on a backup device in an active/passive NSRP configuration.

    07295 – The exec policy verify CLI command returned incorrect results.

    07301 – (NetScreen ISG-2000) When using slow speed links, latency caused fragmented packets to be re-assembled incorrectly in the device because small fragments arrived fast but large fragments took too long.

    07354 – (NetScreen-5XT) Issues occurred when a device was upgraded from 4.0 to 5.3.

    07402 – (NetScreen-5GT) When a device was configured as a DHCP client and connected to DHCP Server A but was disconnected from DHCP server A and connected to DHCP server B on a different network, the system continued to try to renew its IP address with the older network to which it was previously connected.

    07425 – Under certain circumstances in an NSRP configuration, the device suddenly stopped forwarding traffic, and the ARP table was empty. The device was unable to ping other hosts. This problem also caused the NSRP configuration to not failover to the backup device.

    07462 – SSL based FTP server was inaccessible when AV was enabled on the policy.

    07488 – NetScreen-Security Manager returned an error when trying to set physical link-down of any interface on an ISG device.

    07508 – In some cases, during IKE negotiation, device failure occurred when the IP ID was generated.

    07519 – In an ECMP configuration, when devices were connected through more than one point-to-point physical link, OSPF advertised next-hop as instead of the actual IP address.

    07562 – In some situations, when processing BGP updates, a second withdrawn message was sent 30s after the first withdrawn message.

    07614 – When multiple services were added to a policy, a hidden service group was created, members of which were the services attached to the policy. When a user removed the custom defined service, a hidden service group without a member was left. Under this circumstance, when a user tried to access a member, the device failed.

    07623 – Inter vsys routing was handled improperly.

    07627 – In a route based VPN multi-VR environment, the security device incorrectly performed a route lookup in the wrong VR.

    07633 – Out of order TCP packets caused a lot of TCP Seq check failed error messages. These messages led the debug buffer to fill up because the debugging capability was hindered.

    07637 – When an FTP client established the connection with an FTP server through the device, the device created a stand-alone FTP data session, but did not create FTP control sessions for the child session.

    07660 – Passive FTP traffic was translated incorrectly.

    07661 – Interface last_change attribute was sometimes displayed incorrectly and did not get updated when the interface state was changed to up.

    07729 – An ARP packet buffer was increased to improve performance.

    07760 – (WebUI) Having the same IP address for interface track IP & NSRP track-IP was not permitted.

    07772 – Internal mishandling of H.323 traffic caused device failure.

    07803 – While using Web Authentication, the vsys pointer for a secure-id path was set improperly, causing the response failure. This action resulted in a Web Auth failure inside a vsys.

    07814 – A device failure occurred when user configured the ninth DHCP server.

    07816 – In some cases, CPU utilization displayed a spike due to ARP aging out.

    07871 – The device failed while handling ISAKMP packets with invalid and/or abnormal contents.

    07884 – (NetScreen-5200) The get log sys saved CLI command sometimes displayed trace dump on the device console.

    07887 – (NetScreen-25) The device failed to ping to a local interface due to failure in freeing the allocated net-pak and caused failure in getting ICMP response from local subnets.

    07888 – In some cases, outbound SIP calls caused device failure.

    07931 – The device passed traffic incorrectly when using address groups.

    07964 – In some cases, the device failed when issuing the debug flow CLI command.

    07995 – When a user upgraded from 5.1.0pw7.0 to 5.3, there were problems passing traffic to a VPN site behind a NAT firewall.

    08032 – Internal mishandling of RADIUS traffic caused device failure.

    08053 – (NetScreen-204) The unset nsrp vsd-group id 0 CLI command required that the device be reset if there was any interface assigned to the management zone.

    08066 – Unresolved unicast route had a missing null ptr check which caused device

    08073 – An internal task incorrectly increased the CPU usage.

    08077 – A large number of VPN tunnels and traffic caused the device to fail.

    08079 – Dial Line remained open even though there was no interesting traffic as idle timer was reset every few seconds.

    08080 – (WebUI) When a user clicked the hangup button on the Modem-Trustee page, the serial interface was brought down. This button should only disconnect the modem, not bring down the interface.

    08085 – (WebUI) While entering a TCP port with a trailing blank into the custom service page, the firewall set the port to 0 without providing errors.

    08109 – The device accepted the default route on the serial interface through the PPP connection, which resulted in the leakage of data through the default route if no other route was available to send traffic.

    08113 – In some cases, the device management was delayed after about an hour.

    08161 – Syn cookie mechanism was working incorrectly on logical interfaces.

    08164 – Due to incorrect storage of buffer packet for reassembly, a device reset and displayed the console error “### No DIMM found on board ###”.

    08256 – (NetScreen-5000 Series) The get flow CLI command incorrectly displayed that the rcp-rst-invalid session was unsupported.

    08257 – (NetScreen-5GT) Due to a possible zero length option or EOL while processing TCP header options, the device performed a coredump on the console after downloading an image/file from any TFTP server.

    08265 – Overlapping UDP customer service port range with IKE port (UDP port 500) caused incorrect session timeout for IKE sessions.

    08279 – (WebUI) After configuring an Xauth local authentication user group, the CHAP Only was automatically selected and it was impossible to disable it.

    08293 – Sometimes an internal error page was displayed when a page was browsed with a zero byte content length and the connection was closed by the server.

  • administrators

    Correct me if I’m wrong, but isn’t the r2 to r3 upgrade a minor one? I seem to remember something about a change in the way it pulled down AV data or licensing.

    Are there more fixes than this?