VMware

vShield 5.1 Release Notes

vShield 5.1 | 10 SEPTEMBER 2012 | Build 807847

Last updated: 10 SEPTEMBER 2012

What's in the Release Notes

The release notes cover the following topics:

  • What's New
  • System Requirements and Installation
  • Known Issues
  • Resolved Issues

What's New

  • VXLAN gateway: vShield Edge functions as a VXLAN gateway mapping VXLAN logical networks to traditional VLAN networks.
  • Multi-interface support: Allows for multiple internal and external interfaces on a single vShield Edge virtual machine.
  • Secondary IP Pools: Allows for non-contiguous IP block assignment to a vShield Edge interface, useful for extending IP namespaces.
  • Load Balancing enhancements: vShield Edge supports HTTPS and TCP load balancing along with improved health check options.
  • DNS Relay: vShield Edge can be configured to act as a forwarding DNS server, providing DNS name resolution of external domain names for applications. Requests from the client application are forwarded directly to the ISP's DNS server, and the response from the ISP's DNS server is cached.
  • SSL VPN-Plus: Remote users can access private corporate applications using this feature.
  • vShield Edge High Availability: You can create two vShield Edge virtual machines in active-passive configuration allowing stateful failover to achieve device level resilience and increase service availability.
  • New vShield Edge CLI Commands: Allows for configuration, feature and system information, logging, and troubleshooting. SSH CLI and Role Based Access Control are also supported.
  • vShield Edge available at different performance levels: Compact and Large sizes allow you to choose the performance level.
  • Enhanced vShield Edge Logging: Offers easier troubleshooting.
  • Hardware offloads: vShield Edge can take advantage of hardware acceleration on Intel Westmere chips to offload AES cryptographic processing.
  • Service Insertion framework: Offers the ability to insert network services (such as WAN optimization, application delivery, advanced load balancing, etc.) and network security services (such as advanced firewalling, intrusion prevention, etc.) from any vendor into a virtualized environment.
  • New vShield App and vShield Edge firewall UI: Simplified UI offers easier rule manipulation.
    • New firewall rule table view.
    • Ability to add multiple objects as source and destination, thus reducing the total number of rules you need to create.
    • Pre-populated objects from vCenter containers and Tier 1 Application service groups for easy rule creation.
    • Rule management simplified through icon-driven wizards for adding and editing rules, new reordering options, the option to selectively enable rules, etc.
    • Easier object manipulation with new ways to group, search and select objects for rules.
    • Actionable flow monitoring and graphical insight to traffic patterns.

System Requirements and Installation

For information about system requirements and installation instructions, see the vShield Installation and Upgrade Guide.

Known Issues

The following known issues have been discovered through rigorous testing and will help you understand some behavior you might encounter in this release.

The known issues are grouped as follows:

  • General Issues
  • vShield Manager Issues
  • vShield Endpoint Issues
  • vShield App Issues
  • vShield Edge Issues
  • vShield VXLAN Virtual Wire Issues
  • vShield Data Security Issues

General Issues

vShield Manager not reachable after network interface is disconnected and reconnected
vShield Manager is not synchronized with vCenter Server after you disconnect and reconnect the vShield Manager vNIC.
Workaround: Reboot vShield Manager.

vShield Administrator role is broken
vShield Administrator role cannot perform some operations on vShield Edge (create, configuration, upgrade).
Workaround: If you had implemented role delegation in 5.0 or 5.0.1 release with vShield Administrator role, elevate the privilege of those users to Enterprise Administrator role.

vShield components install status is lost for hosts when you unprepare cluster for VXLAN virtual wires
vShield components (vShield App, vShield Endpoint, vShield Data Security) install status is not shown correctly if VXLAN virtual wire unpreparation is not followed by a reboot.
Workaround: Reboot the host after unpreparing a cluster.

vmservice-vswitch not deleted during uninstallation
Uninstalling vShield components does not delete the vmservice-vswitch. If required, you can delete it manually.

Old flows are reported on reinstalling vShield App on the same host
When vShield App is reinstalled on the same host, flows for the virtual machines that were reported for the previous vShield App are also reported on the current vShield App.

vShield Manager Issues

Configuring vShield Manager with a vCenter Server takes too long
After configuring vShield Manager with a vCenter Server, the UI does not refresh.
Workaround: Reload the page.

vShield Endpoint Issues

Incorrect Health Status for SVMs
When the last protected guest VM on a host is powered off and there are no remaining connections to an SVM, the status of the SVM is unknown. However, the vShield Endpoint Health and Alarms page erroneously reports the status of the SVM as either green or red.

vShield Endpoint health monitoring and vShield Data Security do not function properly when there are multiple virtual machines with the same UUID
When there are multiple virtual machines with the same UUID, vShield Endpoint reports only one virtual machine as protected and vShield Data Security violations may be reported on the wrong object.
Workaround: When you copy a VM, make sure to always indicate that you copied the VM so that a new UUID is generated. In addition, power cycle the VM once (no soft reboot) after the copy.

vShield App Issues

vShield App install fails in a scenario where one of the hosts is not part of the dvSwitch
vShield service virtual machine install can fail in certain scenarios. Consider a scenario where there are two DRS-enabled clusters in a datacenter and each cluster has two hosts. You create a dvSwitch and successfully add one host from each cluster to the dvSwitch. Now if you deploy a new virtual machine or install vShield Edge with its vNIC in a port group of the dvSwitch created above, the virtual machine is not created and the OVF file is not imported.
Workaround: If DRS is enabled, you must add at least two hosts from the same cluster in a dvSwitch.

vShield Edge Issues

vShield Edge statistics are reset if vShield Edge is redeployed or converted to compact, large or x-large
vShield Edge statistics are reset to zero if you redeploy vShield Edge or change the vShield Edge appliance size or configuration. Also, statistics may be incorrect if any of the virtual machines are down when vShield Edge is in HA mode.

Windows 7 64-bit computers not accessible after full tunnel logout
In full tunnel mode, the default gateway is changed so that all traffic is sent over the VPN tunnel. When you log out from the SSL VPN client, the default gateway is not restored to its original value on Windows Vista and later computers.
Workaround: Disable and enable the network adapter.

Unable to delete org vdc network due to vShield Manager response error
You cannot delete a resource pool if vShield Edge is installed on it.
Workaround: Edit the appliance configuration to reflect the new resource pool before deleting the old resource pool.

vShield VXLAN Virtual Wire Issues

Cluster preparation fails if any host outside the cluster connected to same vDS is out of sync or not responding
During VXLAN virtual wire preparation, the vDS MTU configuration is set as part of the switch configuration (Prepare Infrastructure for VXLAN networking dialog box). If hosts are disconnected from the vDS, configuring the MTU value returns a failure from vCenter Server because the subset of hosts added to the vDS is unreachable while disconnected. This stops the remainder of VXLAN preparation.
Workaround: Reconnect all VXLAN hosts and prepare the cluster again.

VXLAN virtual wire VIB uninstall or upgrade requires host reboot
When deployed from vShield Manager, the uninstall and upgrade cases are displayed in the ESX Agent Manager agency status and in the vShield Manager UI.
Workaround: Rebooting the host allows proceeding with the uninstall or upgrade of the VXLAN module.

VXLAN virtual wire preparation and service insertion deployment requires valid vCenter managed IP and FQDN
Workaround: Set a valid vCenter managed IP address and ensure that the FQDN is either resolvable or unset. The vCenter managed IP address is in vCenter Server Settings > Runtime Settings. The FQDN is visible through vCenter Server Settings > Advanced Settings > FQDN.

Cannot specify multiple VXLAN multicast address ranges while preparing your network for VXLAN virtual wires
Workaround: Specify multiple multicast address ranges using a REST call.

vShield Data Security Issues

vShield Data Security appliance becomes unreachable if a backup is restored on a vShield Manager that is already connected to vCenter Server
Workaround: Restore the backup on a freshly deployed vShield Manager which is not connected to the vCenter Server.

Data security scan should not start until at least one regulation is added
If a new Data Security scan is started without choosing any regulations, the scan runs but no violations are detected.
Workaround: Add at least one regulation before running a data security scan.

State specific policies match US driver licenses from all states
If one of the US state policies is enabled in vShield Data Security, files containing driver's licenses from other states may be incorrectly identified as violating files.

Incorrect Health Status for SVM during installation
When the vShield Data Security SVM is being deployed by the vShield Manager, an alarm may be prematurely triggered for the SVM. The alarm is removed once the SVM is up and running.

Resolved Issues

The following issues have been resolved in the 5.1 release.

  • If the vShield CLI enable password is changed by the admin user, only the admin user can change it again
  • Cannot create a new user with the same name as an existing user
  • vShield App uninstallation fails if the host is in maintenance mode
  • If the vShield Edge virtual machine is migrated during installation, the install fails
  • VPN configuration fails if CN contains special characters
  • Uninstalling vShield Endpoint stops vShield Data Security from working
  • vShield Manager does not support UTF8 character encoding for display and reporting purposes
  • vShield Data Security scan start and stop do not work after restoring a backup configuration