VMware

vCloud Networking and Security 5.5.2 Release Notes

vCloud Networking and Security 5.5.2 | 16 APR 2014 | Build 1740418

The vCloud Networking and Security 5.5.2 release replaces the 5.5.1 release.

What's in the Release Notes

The release notes cover the following topics:

What's New

The vCloud Networking and Security 5.5.2 release includes a fix for the OpenSSL security issue CVE-2014-0160/CVE-2014-0346 (Heartbleed). For details, see Response to OpenSSL security issue CVE-2014-0160/CVE-2014-0346.

Customers using vCloud Networking and Security 5.5.1 must immediately upgrade to 5.5.2.

System Requirements and Installation

For information about system requirements and installation instructions, see the vShield Installation and Upgrade Guide.

To upgrade to this release, follow the steps below.

  1. Upgrade vShield Manager and all vShield App and vShield Edge virtual machines in your environment to the vCloud Networking and Security 5.5.2 release. For instructions, see Upgrading vShield in the vShield Installation and Upgrade Guide.
  2. If you are using SSL VPN, change the certificates and keys used by SSL VPN by following the steps below.
    1. Add a new server certificate.
      1. In the vSphere Client, select Inventory > Hosts and Clusters.
      2. Select a datacenter resource from the inventory panel.
      3. Click the Network Virtualization tab and click the Edges link.
      4. Double-click a vShield Edge and click the Configure tab.
      5. Click the Certificates link.
      6. Click the Add icon and select Certificate.
      7. Paste the certificate contents and private key.
      8. Click OK.
    2. Delete the old server certificate.
      1. Select the old certificate and click the Delete icon.
      2. Click OK.
    3. Configure SSL VPN to work with the new certificate.
      1. Click the SSL VPN-Plus tab.
      2. In the Configure panel, click Server Settings and click Change.
      3. From the Server Certificates table, select the new server certificate and click OK.
    4. Contact your certificate provider to get the old certificate revoked.
  3. Remove trust to the old certificate from your browser and OS. Also, ensure that revocation checking is enabled for your system.
  4. Change the SSL VPN passwords. For instructions, see Managing VPN Services in the vShield Administration Guide.
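
Step 2 replaces both the certificate and the key used by SSL VPN, so a replacement certificate issued over the old key pair does not complete it. The script below is an added example, not part of VMware's release notes: it checks, before the new certificate is pasted into vShield Edge, that it carries a new public key and that the private key being pasted belongs to it. The file names, the host name `vpn.example.test`, and the throwaway certificates are constructed for the demonstration; the `openssl` command-line tool is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example, not VMware code. Requires the openssl CLI.
# SHA-256 fingerprint of the public key inside a PEM certificate.
spki_hash() {
  local pub
  pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  printf '%s\n' "$pub" | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 fingerprint of the public half of a PEM private key.
key_hash() {
  local pub
  pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  printf '%s\n' "$pub" | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -r | cut -d' ' -f1
}

# check_rekey OLD_CERT NEW_CERT NEW_KEY
#   0 = new cert has a new key pair and NEW_KEY matches it
#   1 = new cert was issued over the OLD key (key not rotated)
#   2 = NEW_KEY does not belong to NEW_CERT
#   3 = a file could not be parsed
check_rekey() {
  local old new key
  old=$(spki_hash "$1") || return 3
  new=$(spki_hash "$2") || return 3
  key=$(key_hash "$3") || return 3
  [ "$old" != "$new" ] || return 1
  [ "$new" = "$key" ] || return 2
}

# Constructed sample input: throwaway self-signed certs for a placeholder host.
make_demo_certs() {
  local d="$1" subj="/CN=vpn.example.test"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$subj" \
    -keyout "$d/old.key" -out "$d/old.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$subj" \
    -keyout "$d/new.key" -out "$d/new.pem" 2>/dev/null
  # Same subject, re-issued over the old key: what the check must reject.
  openssl req -new -x509 -key "$d/old.key" -days 1 -subj "$subj" \
    -out "$d/reissued.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_certs "$demo"
check_rekey "$demo/old.pem" "$demo/new.pem" "$demo/new.key" && echo "rotated: ok"
check_rekey "$demo/old.pem" "$demo/reissued.pem" "$demo/old.key" || echo "rejected: rc=$?"
rm -rf "$demo"
```

Recording the `spki_hash` value of the old certificate also gives a fingerprint to quote when asking the certificate provider to revoke it in step 2.4.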

Known Issues

The following known issues have been discovered through rigorous testing and will help you understand some behavior you might encounter in this release.

The known issues are grouped as follows:

General Issues

Cannot add or edit role for logged in user
If you add or edit a role for a logged in user, the user session times out.
Workaround: After making any role changes for a logged in user, the user must log out and then log back in.

SVMs deployment on physical ESXi-5.x fails if nested ESX support on physical host is enabled
If nested ESX support on physical host is enabled, a virtualised Intel VT/EPT error is displayed for vShield SVM.
Workaround: None.

Data is not backed up if specified backup directory does not exist
If you specify an invalid directory while backing up vShield Manager data, the backup file is not created.
Workaround: Ensure that the backup directory exists on the FTP server.

vShield Manager Issues

vShield Manager upgrade fails with an error
When vShield Manager has been upgraded from 4.1 to 5.0 to 5.1, vShield Manager fails to connect to the vCenter Server and the UI displays an Internal Server Error.
Workaround: Re-enter the vCenter Server credentials. If connectivity is not restored, reboot the vShield Manager.

"Invalid Data Format" error displayed in spite of ports being entered in correct format
While adding/creating a service, you may get an "Invalid Data Format" error in spite of ports being entered in correct format. This may happen when the number of ports entered exceeds the maximum limit of 15 ports.
Workaround: If the service has more than 15 ports, create multiple services.

User must log out to view modified or added role
When a user adds or modifies his/her role while logged into a session, the session does not reflect the role changes.
Workaround: Log out and then log back in to view updated role assignments.

vShield App Issues

Cannot add firewall rule from Flow Monitoring table after reverting to an older firewall configuration
After you load an older firewall configuration, you cannot add a rule from the Flow Monitoring table. This is because the rule for which the flow was detected may no longer be part of the current firewall configuration.

If the vCenter Server becomes unavailable during the vShield App upgrade process, the upgrade fails and the Update link is not available
See Update link not available during vShield App upgrade.

Clusters cannot be prepared when vShield App is installed on a host
Preparing a cluster for VXLAN does not succeed as the host cannot enter maintenance mode when vShield App is installed.
Workaround: Manually enter the host(s) into maintenance mode. When manually triggered, the vShield App appliances are shut down and the cluster preparation is allowed to proceed. Once completed, the host(s) exit maintenance mode and vShield App appliances continue to operate as normal.

Firewall rules with source/destination as virtual wire do not get applied if new VM is added to existing virtual wire
If pre-configured firewall rules contain a virtual wire in source/destination, those rules do not get applied to a new VM added to that virtual wire.
Workaround: After adding the new VM to the virtual wire, republish the firewall configuration on that virtual wire.

vShield Edge Issues

Password change for SSL user does not work
If you have vShield Manager 5.5.1 and vShield Edge 5.5.0 in your environment, the Change password on next login option does not change the password for a user. No error is displayed, but the user cannot log in with the new password.
Workaround: Upgrade vShield Edge to 5.5.1.

Cannot create CSR/Certificate if vShield Manager is upgraded to 5.1.3 and Edge is still on 5.0.2
When vShield Manager is upgraded to 5.1.3 and Edge is of a lower version, you cannot create a CSR of size 512/1024 bit.
Workaround: None.

Service Insertion Issues

Unable to bind service profile to network
Cannot bind a service profile to any available network.
Workaround: Reboot vShield Manager.

Resolved Issues

The following issue has been resolved in the 5.5.2 release.

OpenSSL security issue CVE-2014-0160/CVE-2014-0346 (Heartbleed) applicable to OpenSSL 1.0.1 pre-g leads to the leak of memory contents from the server to the client and vice versa

The following issues have been resolved in the 5.5.1 release.

  • UI does not indicate that the vCenter password has expired
  • Backup/Restore functionality does not work after a restore operation failure
  • DNS settings remain unchanged on a restore operation
  • Unable to provision firewall when vnic is used in ethernet rules
  • Cannot add multiple services to an existing firewall rule with a single service
  • Cannot configure different certificates for two different features
  • VXLAN virtual wire names cannot include special characters
  • Reboot required after ESX upgrade to 5.5
  • Cannot add VXLAN virtual wire after the host is upgraded to version 5.5
  • Using Certificates displays an error
  • An error is displayed while creating an application profile using certificates and the UI session is terminated. However, the user settings are applied successfully and there is no functional impact on application profile configuration
  • NetX 5.1 services are not compatible with vCloud Networking and Security 5.5