vCloud Networking and Security Release Notes

vCloud Networking and Security | 03 OCT 2014 | Build 2174081

What's in the Release Notes

The release notes cover the following topics:

  • What's New
  • System Requirements and Installation
  • Known Issues
  • Resolved Issues

What's New

The vCloud Networking and Security release contains patches for all vCloud Networking and Security appliances. These patches address the BASH Shellshock security vulnerability. VMware recommends that you upgrade to this release.

You can upgrade to this release from versions 5.1.x and 5.1.4.x.

System Requirements and Installation

For information about system requirements and installation or upgrade instructions, see the vShield Installation and Upgrade Guide.

Known Issues

The following known issues have been discovered through rigorous testing and will help you understand some behavior you might encounter in this release.

The known issues are grouped as follows:

  • Upgrade Issues
  • vShield Manager Issues
  • vShield App Issues
  • vShield Edge Issues

Upgrade Issues

SSL VPN client must be uninstalled and re-installed after upgrade
After upgrading to vShield, you must uninstall the SSL VPN client and then reinstall it. To install the latest client, go to https://ssl-vpn-ip-address, where ssl-vpn-ip-address is the uplink IP address assigned to the Edge interface on which the SSL VPN service is configured to listen.

vShield Manager Issues

vShield Manager registered to vCenter using IP address instead of FQDN
vShield Manager UI does not accept fully qualified domain name (FQDN) during registration with vCenter Server.
Workaround: Use IP address instead of FQDN.

vShield Manager upgrade fails with an error
When vShield Manager has been upgraded from 4.1 to 5.0 to 5.1, vShield Manager fails to connect to the vCenter Server and the UI displays an Internal Server Error.
Workaround: Re-enter the vCenter Server credentials. If connectivity is not restored, reboot the vShield Manager.

"Invalid Data Format" error displayed in spite of ports being entered in correct format
While adding or creating a service, you may get an "Invalid Data Format" error even though the ports were entered in the correct format. This can happen when the number of ports entered exceeds the maximum limit of 15 ports.
Workaround: If the service has more than 15 ports, create multiple services.

User must logout to view modified or added role
When a user adds or modifies his/her role while logged into a session, the session does not reflect the role changes.
Workaround: Log out and then log back in to view updated role assignments.

'Internal server error' displayed on deletion of a local user or role assignment for a vCenter user
Workaround: Disable the user account you want to delete.

vShield App Issues

If the vCenter Server becomes unavailable during the vShield App upgrade process, the upgrade fails and the Update link is not available
See Update link not available during vShield App upgrade.

vShield Edge Issues

Cannot modify an SSL VPN-Plus installation package
Editing an SSL VPN-Plus installation package does not apply changes to the package.
Workaround: Follow the steps below:

  1. Delete the installation package instead of editing it and create a new installation package with modified parameters.
  2. If you have an SSL VPN client on your computer, delete it.
  3. Reboot the computer.
  4. Install the new installation package.

Cannot configure different certificates for two different features
You cannot configure different certificates for two different features. For example, you cannot use certificate A for IPsec and certificate B for SSL VPN.
Workaround: Use the same certificate for both features and then change the certificate for one of the features.

Cannot create CSR of size 512/1024 bit if vShield Manager is upgraded to 5.1.x but Edge version is still 5.0.2
When vShield Manager is upgraded to 5.1.x but Edge version is still 5.0.2 you cannot create a CSR of size 512/1024 bit.
Workaround: Create CSR of size 2048/3072 bit.

Resolved Issues

The following issue has been resolved in the release.

  • NSX appliances vulnerable to BASH Shellshock security vulnerability
    This patch updates Bash libraries in the NSX appliances to resolve multiple critical security issues, commonly referred to as Shellshock. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifiers CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187 to these issues.
    To address this vulnerability, you must upgrade all vShield components. To upgrade, follow the instructions in the vShield Installation and Upgrade Guide.
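As an added verification step (example script written for these notes, not part of VMware's release or of the vShield appliances), the following POSIX sh script runs the publicly documented local self-test for CVE-2014-6271 on a Linux host whose bash you want to confirm is patched. The function name check_shellshock, the environment variable x and the probe strings are constructed for this example.

```shell
#!/bin/sh
# Added example, not VMware code: local self-check for CVE-2014-6271.
# A patched bash no longer executes commands that follow a function
# definition imported from the environment; an unpatched bash runs them.

check_shellshock() {
    # Without bash on the host there is nothing to test.
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # Constructed variable: a function body followed by a trailing command.
    # Only an unpatched bash runs the trailing "echo VULNERABLE" while it
    # imports x. Warnings a patched bash may print are discarded.
    out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

check_shellshock
```

This script covers only CVE-2014-6271; CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187 need their own test cases, and confirming the installed bash package version against the vendor advisory remains the reliable way to verify that all four are fixed.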

The following issue has been resolved in the release.

  • This release contains an Edge patch that addresses a vulnerability which could result in critical information disclosure.

The following issues were resolved in the earlier 5.1.4 and 5.1.3 releases.

The following issues have been resolved in the 5.1.4 release.

  • OpenSSL security issue CVE-2014-0160/CVE-2014-0346 (Heartbleed), applicable to OpenSSL 1.0.1 releases before 1.0.1g, leads to the leak of memory contents from the server to the client and vice versa
  • Virtual machines losing network connectivity
  • vShield Manager failed to come up after upgrading from 5.1.2a to 5.1.3 with Cisco N1k
  • Adding a 5.1 ESX host to a 5.5 vCenter running a NetX service fails to install fast path vib
  • NTPD running on vShield Manager discloses NTP variables
  • To support vShield Networking and Security appliance deployment on NFS or SAN, the SCSI block layer timeout should be increased
  • vShield 5.1.3 tries to load the 5.5 fast-path vib in a 5.1 vSphere environment
  • vShield App log rotation failure causing 100% disk usage
  • Log rotation failure causing 100% disk usage on secondary vShield Edge virtual machine
  • Inconsistent status of load balancer HTTP/HTTPS protocols
  • Low network throughput in vShield environment
  • ISEC 8: Encryption Keys Stored Within the Source Code
  • Possible breach in vShield Manager due to insufficient hardening of web server ciphers
  • Various XSS vulnerabilities found in vShield 5.1.2

The following issues have been resolved in the 5.1.3 release.

  • vShield Manager did not come up after upgrading from 5.1.2a to 5.1.3 with Cisco N1k
  • Adding a 5.1 ESX host to a 5.5 vCenter running a NetX service fails to install fast path vib from vShield
  • Virtual machines protected by vShield App don't have network connectivity after moving between vApps
  • Low network throughput in vShield environment with large number of L2 rules, each rule containing MAC security groups
  • Cannot import two intermediate root CA certificates in vShield Manager version 5.1.1
  • Increase in rule provisioning since upgrade to version 5.1.2a
  • vShield Manager CPU is at 90+ percent utilization since all DCN threads are stuck on flushing the objects in the transaction for large inventory
  • Edge TCP idle timeout value can be configured using REST APIs in 5.1.3
  • vShield Manager kernel panics after the storage which it is running on has problems or is unavailable due to low disk timeout value. New value is set to 120 seconds.
  • Updates of MAC address grouping (mac-set) do not happen for port groups that are members of security groups
  • Certificate Signing Requests are generated with NULL in the City Name and State Name fields
  • If vCloud Director license "vCloud Networking and Security - Networking for VCD" is used, new Isolation Org VDC Network cannot be created and fails with the error: "VSM response error (214): Not licensed for Entity : vcloud-netsec feature : vxlan : add on :".
  • Virtual machines lose network connectivity after being migrated using vMotion from an ESXi host with no vShield App to an ESXi host with vShield App
  • vShield App installation fails due to the vShield Manager sending invalid VNIC UUIDs in VMInfo message
  • Virtual machines are not able to get on the network and/or get a DHCP address shortly after being migrated using vMotion. A force sync is required to allow them to get a DHCP address
  • Connectivity to third-party antivirus offloading products is affected when vShield App is installed on the same ESXi host
  • Virtual machines are not able to get on the network in some cases shortly after being migrated using vMotion
  • Provisioning of firewall rules takes a long time
  • Traffic blocked for virtual machines that have packets with shortened Ethernet trailers
  • vShield App blocks traffic despite having no rules, or all rules set to allow, after the vSA loses communication with key infrastructure components because of an end-user misconfiguration (for example, powering off the vSM and/or vSA, disconnecting the vSA vNICs, or powering off the ESXi host), which causes an out-of-sync condition
  • vSA kernel panics after the storage where it runs has problems, or it is unavailable due to a low disk timeout value. New disk timeout value is set to 180 seconds.
  • Virtual machines on a vDS lose network connectivity as a result of moving an ESXi host between clusters
  • Virtual machines moved from one vCenter Server object to another, such as vApp, Cluster, or Resource Pool, do not inherit the firewall rules applied on the target object
  • vShield App appliance reboots when a large IP range (for example, entire class A) is used to define a rule
  • Traffic is dropped due to sessions timing out at incorrect intervals
  • Flow Monitoring reports reversed source and destination for some types of traffic originating from physical sources
  • Security Groups may be inadvertently deleted by publishing a firewall rule after this rule has been re-published a certain number of times
  • Publishing of Ethernet (L2) firewall rules fail when large MACsets are used
  • Unable to add a load balancer Virtual IP (VIP) to a vShield Edge if RSA ACE server is also running
  • RSA authentication fails after applying vShield Edge configuration changes such as a redeploy, upgrade, HA event
  • Mac client for SSL VPN is not able to log in when password is about to reach the expiration timeout configured in the password policy
  • vShield Edges configured in HA mode kernel panic simultaneously
  • vShield Edge DHCP does not work on a VNIC on which two separate IP addresses and subnets are defined with one subnet as
  • Both vShield Edges in an HA pair go into Active mode
  • vShield Edge is not able to re-establish IPSEC VPN tunnels that have been dropped after hitting an Out of Memory (OoM) condition
  • vShield Edge upgrade fails if a resource pool on which the vShield Edge was initially deployed is no longer available
  • HA enabled vShield Edges utilizing SSL VPN services show high CPU utilization and fail over multiple times in a small window of time
  • DHCP static binding configuration in the UI shows blank for vShield Edges that are connected to a Virtual Wire
  • Low throughput and performance seen with vShield Edge
  • Added an option for deploying 4-vCPU vShield Edge
  • Datapath issues when going through an SSL L2 VPN tunnel
  • SNAT rule over a vSE L2VPN tunnel prevents VMs behind vSE to reach public IPs
  • vShield Edge appliance has no support for saving core dumps. Added debug crashdump command to the CLI
  • IPsec tunnels get dropped frequently when PFS is enabled
  • Setting or changing the Load Balancer Persistence Method from the UI fails to commit the changes
  • Load Balancer crashes when the Persistence Method is set to SSL_SESSION_ID
  • SSL VPN Client fails to install on OSX 10.9 (Mavericks)
  • Inconsistent behavior between the UI and REST when using Security Groups in firewall rules
  • vShield Edge configuration/installation/upgrade workflows report these errors:
      • An invalid response was received from VIX agent
      • VIX agent is not connected to VC
  • IPsec tunnels with certificate mode cannot be established