VMware

vCloud Networking and Security 5.1.4 Release Notes

vCloud Networking and Security 5.1.4 | 16 APR 2014 | Build 1740417

The vCloud Networking and Security 5.1.4 release replaces the 5.1.3 release.


What's New

The vCloud Networking and Security 5.1.4 release includes a fix for the OpenSSL Heartbleed vulnerability (CVE-2014-0160/CVE-2014-0346) as well as other bug fixes documented in the Resolved Issues section. For details on the OpenSSL issue, see Response to OpenSSL security issue CVE-2014-0160/CVE-2014-0346.

Customers using vCloud Networking and Security 5.1.3 must immediately upgrade to 5.1.4.

System Requirements and Installation

For information about system requirements and installation instructions, see the vShield Installation and Upgrade Guide.

To upgrade to this release, follow the steps below.

  1. Upgrade vShield Manager and all vShield App and vShield Edge virtual machines in your environment to the vCloud Networking and Security 5.1.4 release. For instructions, see Upgrading vShield in the vShield Installation and Upgrade Guide.
  2. Change the certificates and keys used by SSL VPN by following the steps below.
    1. Add a new server certificate.
      1. In the vSphere Client, select Inventory > Hosts and Clusters.
      2. Select a datacenter resource from the inventory panel.
      3. Click the Network Virtualization tab and click the Edges link.
      4. Double-click a vShield Edge and click the Configure tab.
      5. Click the Certificates link.
      6. Click the Add icon and select Certificate.
      7. Paste the certificate contents and private key.
      8. Click OK.
    2. Delete the old server certificate.
      1. Select the old certificate and click the Delete icon.
      2. Click OK.
    3. Configure SSL VPN to work with the new certificate.
      1. Click the SSL VPN-Plus tab.
      2. In the Configure panel, click Server Settings and then click Change.
      3. From the Server Certificates table, select the new server certificate and click OK.
    4. Contact your certificate provider to get the old certificate revoked.
  3. Remove trust to the old certificate from your browser and OS. Also, ensure that revocation checking is enabled for your system.
  4. Change the SSL VPN passwords. For instructions, see Managing VPN Services in the vShield Administration Guide.
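A post-upgrade check for the certificate rotation in step 2, added here as an example (not VMware code): it fetches the certificate a vShield Edge actually serves and confirms it is neither the fingerprint recorded before the upgrade nor issued before the fixed build shipped. It assumes the openssl CLI is on PATH, that the Edge serves SSL VPN on port 443, and that the old certificate's SHA-256 fingerprint was recorded before upgrading; the "issued before 16 APR 2014" test is a heuristic, not a rule from the release notes.

```python
"""Verify the certificate rotation in step 2: confirm a vShield Edge no longer
presents the certificate used while the OpenSSL build was vulnerable to CVE-2014-0160."""
import ssl
import subprocess

# Date of the fixed 5.1.4 build (16 APR 2014, from these release notes).
# Heuristic (assumption): a server certificate issued before that date was
# created for a key that may have been served by the vulnerable build.
FIX_RELEASED = ssl.cert_time_to_seconds("Apr 16 00:00:00 2014 GMT")


def parse_x509_summary(text: str) -> dict:
    """Parse `openssl x509 -noout -fingerprint -sha256 -startdate` output.
    Accepts 'SHA256 Fingerprint=' (OpenSSL 1.x) and 'sha256 Fingerprint=' (3.x)
    plus the 'notBefore=Apr 20 00:00:00 2014 GMT' line."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return {"fingerprint": fields["sha256 fingerprint"].upper(),
            "not_before": fields["notbefore"]}


def assess(summary: dict, old_fingerprints: set) -> dict:
    """Compare the served certificate with fingerprints recorded before the upgrade."""
    problems = []
    if summary["fingerprint"] in {fp.upper() for fp in old_fingerprints}:
        problems.append("pre-upgrade certificate still served")
    if ssl.cert_time_to_seconds(summary["not_before"]) < FIX_RELEASED:
        problems.append("certificate issued before the fixed build; its key may have been exposed")
    return {"rotated": not problems, "problems": problems}


def check_edge(host: str, old_fingerprints: set, port: int = 443) -> dict:
    """Fetch whatever certificate the Edge serves (deliberately without trust
    validation, so an already-distrusted old certificate is still inspected)."""
    pem = ssl.get_server_certificate((host, port))
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-fingerprint", "-sha256", "-startdate"],
        input=pem, capture_output=True, text=True, check=True).stdout
    return assess(parse_x509_summary(out), old_fingerprints)


if __name__ == "__main__":
    import sys  # usage: check_edge_cert.py <edge-host> <old-sha256-fingerprint>...
    verdict = check_edge(sys.argv[1], set(sys.argv[2:]))
    sys.exit(0 if verdict["rotated"] else 1)
```

Exit status 1 means the rotation is not complete for that Edge; run it against every Edge you upgraded, not just the one whose certificate you replaced by hand.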

Known Issues

The following known issues have been discovered through rigorous testing and will help you understand some behavior you might encounter in this release.

The known issues are grouped as follows:

vShield Manager Issues

vShield Manager upgrade fails with an error
When vShield Manager has been upgraded from 4.1 to 5.0 to 5.1, vShield Manager fails to connect to the vCenter Server and the UI displays an Internal Server Error.
Workaround: Re-enter the vCenter Server credentials. If connectivity is not restored, reboot the vShield Manager.

"Invalid Data Format" error displayed in spite of ports being entered in correct format
While adding or creating a service, you may get an "Invalid Data Format" error even though the ports are entered in the correct format. This can happen when the number of ports entered exceeds the maximum of 15.
Workaround: If the service has more than 15 ports, create multiple services.

User must logout to view modified or added role
When a user adds or modifies his/her role while logged into a session, the session does not reflect the role changes.
Workaround: Log out and then log back in to view updated role assignments.

'Internal server error' displayed on deletion of a local user or role assignment for a vCenter user
Workaround: Disable the user account you want to delete.

vShield App Issues

If the vCenter Server becomes unavailable during the vShield App upgrade process, the upgrade fails and the Update link is not available
See Update link not available during vShield App upgrade.

Clusters cannot be prepared when vShield App is installed on a host
Preparing a cluster for VXLAN does not succeed as the host cannot enter maintenance mode when vShield App is installed.
Workaround: Manually enter the host(s) into maintenance mode. When manually triggered, the vShield App appliances are shut down and the cluster preparation is allowed to proceed. Once completed, the host(s) exit maintenance mode and vShield App appliances continue to operate as normal.

vShield Edge Issues

Cannot configure different certificates for two different features
Cannot configure different certificates for two different features. For example, you cannot use certificate a for IPsec and certificate b for SSL VPN.
Workaround: Use the same certificate for both features and then change the certificate for one of the features.

Cannot create CSR/Certificate if vShield Manager is upgraded to 5.1.3 and Edge is still on 5.0.2
When vShield Manager is upgraded to 5.1.3 and the Edge is on a lower version, you cannot create a 512- or 1024-bit CSR.
Workaround: Create a 2048- or 3072-bit CSR.

Resolved Issues

The following issues have been resolved in the 5.1.4 release.

  • OpenSSL security issue CVE-2014-0160/CVE-2014-0346 (Heartbleed) applicable to OpenSSL 1.0.1 pre-g leads to the leak of memory contents from the server to the client and vice versa
  • Virtual machines losing network connectivity
  • vShield Manager failed to come up after upgrading from 5.1.2a to 5.1.3 with Cisco N1k
  • Adding a 5.1 ESX host to a 5.5 vCenter running a NetX service fails to install fast path vib
  • NTPD running on vShield Manager discloses NTP variables
  • To support vShield Networking and Security appliance deployment on NFS or SAN, scsi block layer timeout should be increased
  • vShield 5.1.3 tries to load the 5.5 fast-path vib in a 5.1 vSphere environment
  • vShield App log rotation failure causing 100% disk usage
  • Log rotation failure causing 100% disk usage on the secondary vShield Edge virtual machine
  • Inconsistent status of load balancer HTTP/HTTPS protocols
  • Low network throughput in vShield environment
  • ISEC 8: Encryption Keys Stored Within the Source Code
  • Possible breach in vShield Manager due to insufficient hardening of web server ciphers
  • Various XSS vulnerabilities found in vShield 5.1.2

The following issues have been resolved in the 5.1.3 release.

  • vShield Manager did not come up after upgrading from 5.1.2a to 5.1.3 with Cisco N1k
  • Adding a 5.1 ESX host to a 5.5 vCenter running a NetX service fails to install fast path vib from vShield
  • Virtual machines protected by vShield App don't have network connectivity after moving between vApps
  • Low network throughput in vShield environment with large number of L2 rules, each rule containing MAC security groups
  • Cannot import two intermediate root CA certificates in vShield Manager version 5.1.1
  • Increase in rule provisioning since upgrade to version 5.1.2a
  • vShield Manager CPU is at 90+ percent utilization since all DCN threads are stuck on flushing the objects in the transaction for large inventory
  • Edge TCP idle timeout value can be configured using REST APIs in 5.1.3
  • vShield Manager kernel panics after the storage which it is running on has problems or is unavailable due to low disk timeout value. New value is set to 120 seconds.
  • Updates of Mac Address grouping (mac-set) do not happen for port groups that are members of security groups
  • Certificate Signing Requests are generated with NULL in the City Name and State Name fields
  • If vCloud Director license "vCloud Networking and Security - Networking for VCD" is used, new Isolation Org VDC Network cannot be created and fails with the error: "VSM response error (214): Not licensed for Entity : vcloud-netsec feature : vxlan : add on :".
  • Virtual machines lose network connectivity after being migrated using vMotion from an ESXi host with no vShield App to an ESXi host with vShield App
  • vShield App installation fails due to the vShield Manager sending invalid VNIC UUIDs in VMInfo message
  • Virtual machines are not able to get on the network and/or get a DHCP address shortly after being migrated using vMotion. A force sync is required to allow them to get a DHCP address
  • Connectivity to third-party antivirus offloading products is affected when vShield App is installed on the same ESXi host
  • Virtual machines are not able to get on the network in some cases shortly after being migrated using vMotion
  • Provisioning of firewall rules takes a long time
  • Traffic blocked for virtual machines that have packets with shortened Ethernet trailers
  • vShield App blocks traffic despite having no rules, or all rules set to allow, after the vSA loses communication with key infrastructure components because of an end-user misconfiguration (for example, powering off the vSM and/or vSA, disconnecting the vSA vNICs, or powering off the ESXi host), which causes an out-of-sync condition
  • vSA kernel panics after the storage where it runs has problems, or it is unavailable due to a low disk timeout value. New disk timeout value is set to 180 seconds.
  • Virtual machines on a vDS lose network connectivity as a result of moving an ESXi host between clusters
  • Virtual machines moved from one vCenter Server object to another, such as vApp, Cluster, or Resource Pool, do not inherit the firewall rules applied on the target object
  • vShield App appliance reboots when a large IP range (for example, entire class A) is used to define a rule
  • Traffic is dropped due to sessions timing out at incorrect intervals
  • Flow Monitoring reports reversed source and destination for some types of traffic originating from physical sources
  • Security Groups may be inadvertently deleted by publishing a firewall rule after this rule has been re-published a certain number of times
  • Publishing of Ethernet (L2) firewall rules fail when large MACsets are used
  • Unable to add a load balancer Virtual IP (VIP) to a vShield Edge if RSA ACE server is also running
  • RSA authentication fails after applying vShield Edge configuration changes such as a redeploy, upgrade, HA event
  • Mac client for SSL VPN is not able to log in when password is about to reach the expiration timeout configured in the password policy
  • vShield Edges configured in HA mode kernel panic simultaneously
  • vShield Edge DHCP does not work on a VNIC on which two separate IP addresses and subnets are defined with one subnet as 0.0.0.0/32
  • Both vShield Edges in an HA pair go into Active mode
  • vShield Edge is not able to re-establish IPSEC VPN tunnels that have been dropped after hitting an Out of Memory (OoM) condition
  • vShield Edge upgrade fails if a resource pool on which the vShield Edge was initially deployed is no longer available
  • HA enabled vShield Edges utilizing SSL VPN services show high CPU utilization and fail over multiple times in a small window of time
  • DHCP static binding configuration in the UI shows blank for vShield Edges that are connected to a Virtual Wire
  • Low throughput and performance seen with vShield Edge
  • Added an option for deploying 4-vCPU vShield Edge
  • Datapath issues when going through an SSL L2 VPN tunnel
  • SNAT rule over a vSE L2VPN tunnel prevents VMs behind vSE to reach public IPs
  • vShield Edge appliance has no support for saving core dumps. Added debug crashdump command to the CLI
  • IPsec tunnels get dropped frequently when PFS is enabled
  • Setting or changing the Load Balancer Persistence Method from the UI fails to commit the changes
  • Load Balancer crashes when the Persistence Method is set to SSL_SESSION_ID
  • SSL VPN Client fails to install on OSX 10.9 (Mavericks)
  • Inconsistent behavior between the UI and REST when using Security Groups in firewall rules
  • vShield Edge configuration/installation/upgrade workflows report these errors:
      • An invalid response was received from VIX agent
      • VIX agent is not connected to VC
  • IPsec tunnels with certificate mode cannot be established