vCloud Networking and Security 5.1.3 Release Notes
vCloud Networking and Security 5.1.3 | 11 FEB 2014 | Build 1563888
If you have a Cisco Nexus 1000V switch in your environment, do not upgrade to the vShield 5.1.3 release. Upgrading to this release may make the vShield Manager user interface unavailable. This does not affect customers with VMware standard or VMware vDS switches.
What's in the Release Notes
The vCloud Networking and Security 5.1.3 patch release includes all 5.1.2.x hot fixes along with many new bug fixes.
System Requirements and Installation
For information about system requirements and installation instructions, see the vShield Installation and Upgrade Guide.
The following known issues were discovered through testing and describe behavior you might encounter in this release.
The known issues are grouped as follows:
vShield Manager Issues
vShield Manager upgrade fails with an error
When vShield Manager has been upgraded from 4.1 to 5.0 to 5.1, vShield Manager fails to connect to the vCenter Server and the UI displays an Internal Server Error.
Workaround: Re-enter the vCenter Server credentials. If connectivity is not restored, reboot the vShield Manager.
"Invalid Data Format" error displayed even though ports are entered in the correct format
While adding or creating a service, you may get an "Invalid Data Format" error even though the ports are entered in the correct format. This can happen when the number of ports entered exceeds the maximum of 15 ports per service.
Workaround: If the service has more than 15 ports, create multiple services.
User must logout to view modified or added role
When a user adds or modifies his or her own role while logged in, the current session does not reflect the role changes.
Workaround: Log out and then log back in to view updated role assignments.
'Internal server error' displayed on deletion of a local user or role assignment for a vCenter user
Workaround: Disable the user account you want to delete.
vShield App Issues
If the vCenter Server becomes unavailable during the vShield App upgrade process, the upgrade fails and the Update link is not available
See Update link not available during vShield App upgrade.
Clusters cannot be prepared when vShield App is installed on a host
Preparing a cluster for VXLAN does not succeed because the host cannot enter maintenance mode when vShield App is installed.
Workaround: Manually enter the host(s) into maintenance mode. When triggered manually, the vShield App appliances are shut down and cluster preparation is allowed to proceed. Once preparation completes, the host(s) exit maintenance mode and the vShield App appliances resume normal operation.
vShield Edge Issues
Cannot configure different certificates for two different features
Different certificates cannot be configured for two different features. For example, you cannot use certificate A for IPsec and certificate B for SSL VPN.
Workaround: Use the same certificate for both features and then change the certificate for one of the features.
Cannot create CSR/Certificate if vShield Manager is upgraded to 5.1.3 and Edge is still on 5.0.2
When vShield Manager is upgraded to 5.1.3 and Edge is on a lower version, you cannot create a 512-bit or 1024-bit CSR.
Workaround: Create a CSR with a 2048-bit or 3072-bit key.
The following issues have been resolved in the 5.1.3 patch release.
- Cannot import two intermediate root CA certificates in vShield Manager version 5.1.1
- Increase in rule provisioning since upgrade to version 5.1.2a
- vShield Manager CPU is at 90+ percent utilization since all DCN threads are stuck on flushing the objects in the transaction for large inventory
- Edge TCP idle timeout value can be configured using REST APIs in 5.1.3
- vShield Manager kernel panics after the storage which it is running on has problems or is unavailable due to low disk timeout value. New value is set to 120 seconds.
- Updates of Mac Address grouping (mac-set) do not happen for port groups that are members of security groups
- Certificate Signing Requests are generated with NULL in the City Name and State Name fields
- If vCloud Director license "vCloud Networking and Security - Networking for VCD" is used, new Isolation Org VDC Network cannot be created and fails with the error: "VSM response error (214): Not licensed for Entity : vcloud-netsec feature : vxlan : add on :".
- Virtual machines lose network connectivity after being migrated using vMotion from an ESXi host without vShield App to an ESXi host with vShield App
- vShield App installation fails due to the vShield Manager sending invalid VNIC UUIDs in VMInfo message
- Virtual machines are not able to get on the network and/or get a DHCP address shortly after being migrated using vMotion. A force sync is required to allow them to get a DHCP address
- Connectivity to third-party antivirus offloading products is affected when vShield App is installed on the same ESXi host
- Virtual machines are not able to get on the network in some cases shortly after being migrated using vMotion
- Provisioning of firewall rules takes a long time
- Traffic blocked for virtual machines that have packets with shortened Ethernet trailers
- vShield App blocks traffic despite having no rules, or all rules set to allow, after the vSA loses communication with key infrastructure components because of an end-user misconfiguration (for example, powering off the vSM and/or vSA, disconnecting the vSA vNICs, or powering off the ESXi host), which causes an out-of-sync condition
- vSA kernel panics after the storage it runs on has problems or becomes unavailable due to a low disk timeout value. The new disk timeout value is set to 180 seconds.
- Virtual machines on a vDS lose network connectivity as a result of moving an ESXi host between clusters
- Virtual machines moved from one vCenter Server object to another, such as vApp, Cluster, or Resource Pool, do not inherit the firewall rules applied on the target object
- vShield App appliance reboots when a large IP range (for example, entire class A) is used to define a rule
- Traffic is dropped due to sessions timing out at incorrect intervals
- Flow Monitoring reports reversed source and destination for some types of traffic originating from physical sources
- Security Groups may be inadvertently deleted by publishing a firewall rule after this rule has been re-published a certain number of times
- Publishing of Ethernet (L2) firewall rules fails when large MACsets are used
- Unable to add a load balancer Virtual IP (VIP) to a vShield Edge if RSA ACE server is also running
- RSA authentication fails after applying vShield Edge configuration changes such as a redeploy, upgrade, HA event
- Mac client for SSL VPN is not able to log in when password is about to reach the expiration timeout configured in the password policy
- vShield Edges configured in HA mode kernel panic simultaneously
- vShield Edge DHCP does not work on a VNIC on which two separate IP addresses and subnets are defined with one subnet as 0.0.0.0/32
- Both vShield Edges in an HA pair go into Active mode
- vShield Edge is not able to re-establish IPSEC VPN tunnels that have been dropped after hitting an Out of Memory (OoM) condition
- vShield Edge upgrade fails if a resource pool on which the vShield Edge was initially deployed is no longer available
- HA enabled vShield Edges utilizing SSL VPN services show high CPU utilization and fail over multiple times in a small window of time
- DHCP static binding configuration in the UI shows blank for vShield Edges that are connected to a Virtual Wire
- Low throughput and performance seen with vShield Edge
- Added an option for deploying 4-vCPU vShield Edge
- Datapath issues when going through an SSL L2 VPN tunnel
- SNAT rule over a vSE L2VPN tunnel prevents VMs behind the vSE from reaching public IPs
- vShield Edge appliance had no support for saving core dumps. A debug crashdump command has been added to the CLI
- IPsec tunnels get dropped frequently when PFS is enabled
- Setting or changing the Load Balancer Persistence Method from the UI fails to commit the changes
- Load Balancer crashes when the Persistence Method is set to SSL_SESSION_ID
- SSL VPN Client fails to install on OSX 10.9 (Mavericks)
- Inconsistent behavior between the UI and REST when using Security Groups in firewall rules
- vShield Edge configuration/installation/upgrade workflows report these errors:
  - An invalid response was received from VIX agent
  - VIX agent is not connected to VC
- IPsec tunnels with certificate mode cannot be established