sh_cx_9.1.0a

Upload: aashishmaru

Post on 10-Feb-2016

RIVERBED PRODUCT RELEASE NOTES

PRODUCT: STEELHEAD CX

RELEASE DATE: JULY 30, 2015

RIOS VERSION: 9.1.0A

CONTENTS

1) Supported SteelHead Models

2) New Features in RiOS 9.1.0

3) Fixed Problems

4) Known Issues

5) Upgrading the RiOS Software version

6) SteelCentral Controller for SteelHead (SCC) Compatibility

7) Hardware and Software dependencies

8) Contacting Riverbed Support

1) SUPPORTED STEELHEAD MODELS

Important: RiOS 9.1.0 supports Riverbed CX models xx50, xx55, and xx70.

2) New Features in RiOS 9.1.0

Web Proxy

A single-ended Web proxy transparently intercepts all traffic bound to the Internet. The Web proxy improves performance by providing optimization services such as Web object caching and SSL decryption to enable content caching and logging services. The efficient caching algorithm provides a significant advantage for video traffic. The benefit comes in the form of multiple users viewing the same video content, thereby saving significant WAN bandwidth and providing efficient network use. YouTube caching is handled as a special case given its growing popularity in the enterprise.

Enhanced Live Video Stream Splitting

RiOS improves video handling with the following enhancements:

• The stream splitting cache holds more video fragments for a longer period of time to account for clients that could be out of sync or slower to play back.

• A new report plots the cache hit count over time for a particular live video indicating the amount of video requests that were served locally from the cache instead of being fetched over the WAN. The graph also includes a plot for the number of total live video sessions intercepted.

• The ability to enable video stream splitting on a per-host basis. The ability to selectively enable stream splitting on a particular host ensures that the cache does not fill up with recreational content.

MAPI over HTTP Support

RiOS now automatically detects and enables bandwidth optimization for the MAPI over HTTP transport protocol. Microsoft implements the MAPI over HTTP transport protocol in Outlook 2010 update, Outlook 2013 SP1, and Exchange Server 2013 SP1. For details on MAPI over HTTP support with Outlook 2010, see https://support.microsoft.com/enus/kb/2878264.

Path Selection with Interceptor

New path selection functionality allows SteelHead appliances to operate with SteelHead Interceptor appliances in cluster deployments, providing high-scale and high-availability deployment options. A SteelHead Interceptor cluster is one or more SteelHead Interceptors collaborating with one or more SteelHeads to select paths dynamically in complex architectures, working together as a unified system. Path selection dynamically assigns applications and traffic types (optimized and nonoptimized TCPv4 and UDPv4 traffic) to specific network paths based on intelligent user policies.

Autonegotiate Multi-stream ICA

A new configuration option enables Citrix Multi-stream without the need to configure it on the Citrix server. This feature provides application class hints to QoS for the four priority connections when Citrix Multi-stream is negotiated. The application class hints allow configuration of true network-based QoS policies to the individual priority groups for the virtual channel traffic that they carry. This feature also provides the ability to apply path selection to the individual Citrix priority groups. Autonegotiate Multi-stream ICA provides support for non-Common Gateway Protocol (non-CGP) (plain ICA) connections with XenApp 6.5 and Citrix receiver for Windows 3.0 or later.

Link Aggregation Compatibility

SteelHeads are now compatible with link aggregation protocols, such as EtherChannel, for in-path deployments to allow use of multiple links in parallel through a SteelHead. Link aggregation compatibility allows easier integration into networks with preexisting link aggregation in place. Using multiple links in parallel maximizes throughput and provides higher physical redundancy.

DSCP Marking for Out-of-Band (OOB) Control Channel Traffic

An OOB connection is a TCP connection that SteelHeads establish with each other when they begin optimizing traffic. The SteelHeads use the OOB connection to exchange capabilities and feature information such as licensing, hostname, RiOS version, and so on. The SteelHeads also use control channel information to detect failures. You can now mark OOB connections with a DSCP or ToS IP value to prioritize or classify the Riverbed control channel traffic, preventing dropped packets in a lossy or congested network to guarantee control packets will get through and not be subject to unexpected tear down.

In-Path Controller Support for Secure Transport

The secure transport client can now use all available interfaces to connect to the secure transport controller and establish a secure control channel. By default, the client connects to the controller using the management interface. You can now enable another interface or select a specific interface using the Riverbed CLI command stp-client controller in-path enable.

Expanded Application Support for the Application File Engine (AFE)

The AFE was updated with significant additions to the number of popular applications it recognizes. SteelHeads can now identify more than 1,400 unique applications.

Performance and Scale Improvements to QoS and Path Selection

The improvements include:

• Increased configuration responsiveness and scale, allowing more site definitions on higher-end SteelHead models. This increase effectively provides unlimited rule configuration with scalable matching.

• QoS and path selection can now handle many more optimized connections per second without classification errors.

SteelHead SaaS Improvements

This release introduces a new SteelHead Universal SaaS licensing that enables customers to optimize any number of supported SaaS applications on the same license. Riverbed will continually add support for new SaaS to the Riverbed Cloud Portal, and any registered SteelHead running version 9.1.0 will be able to avail of optimization to that SaaS.

3) FIXED PROBLEMS

Problems fixed in version 9.1.0a

• 238846 Fixed an issue with the SMB2 implementation on both the client-side and server-side SteelHead to correctly handle blacklisting of the client IP address in the presence of a Windows 10 client talking to different versions of the server. The fix ensures that once the blacklisting happens, future connections from that IP address get latency bypassed. Riverbed recommends upgrading both the client-side and server-side SteelHeads with this fix.

Problems fixed in version 9.1.0

• 92015 Fixed a race condition that caused the AppFlow engine classification to fail with a ‘navl_conn_init failed: 17’ error string in the syslog. This caused the affected connection to be misclassified. This race condition occurred when:

o An MFE receives a pure-SYN after the inner connection between the client and the server SteelHead fails.

o The fw-RST feature is enabled for transparent inner connections.

o Packets ricochet from one in-path interface to another.

• 100602 Eliminated error messages intended for internal use that appeared in the CLI when customers used dump commands such as sysdump or tcpdump. These errors were harmless.

• 116348 Fixed a problem seen during stress tests when the SMB2 Client Redirector Cache is disabled on the client SteelHead. The SMB2 blade reused an old search pattern associated with a file handle that was used during SMB2 QUERY/FIND requests in the process of reusing cached file handles. This fix clears the search pattern when the file handle is closed from the client SteelHead.

• 139998 Fixed an issue where the interface link state could go down intermittently due to spurious interrupts with the MSI-X interrupt scheme. Changed to an MSI interrupt scheme that allows the system to better handle spurious interrupts.

• 150590 Fixed an issue where optimization of Microsoft Office 365 connections through the SteelHead Cloud Accelerator (SCA) would cause delays when Outlook is first started on a client machine. This happened because Outlook autodiscover connections that are reset by the server were re-established more slowly than they would have been without SteelHeads, because of a difference in connection entry timeouts. A hidden command has been introduced to improve this interaction with autodiscover connections.

• 154426 Fixed a very rare issue that caused the RiOS optimization service to crash due to an infinite loop when processing CIFS reads. Please see the KB article S26688 for steps to identify this issue from process dumps.

• 156420 In rare cases, when enabling the "Object Prefetch Table" on the SteelHead, there would be page load failures caused by serving stale page data. The expiration date of cacheable response data was being reset every 12 days. In rare cases, such responses remained accessible in the cache and would be returned to clients. The timing mechanism has been corrected by this fix.

• 157376 The path history in the Connection History report did not list paths in the correct order when multiple path fail-overs occur in a fraction of a second. The previously used path was reported first followed by the most recently used path. This fix enables the path history in the Connection History report to display the paths based on most recently used at the top and least recently used path at the bottom.

• 158949 Fixed an error message so that it is clear that a timeout occurred during the download of a RiOS image using the secure copy (scp) tool. For clarity, the error message now starts with "scp timeout:".

• 159063 Fixed an issue where an internal misconfiguration in QoS shaping might result in unfairness to a flow with small packets. A large queuing delay might be observed for small packet flows. The internal misconfiguration in the SFQ quantum has been fixed.

• 106732 The Riverbed Support site was changed to display the SHA256 checksum value for the SteelHead images. Fixed the CLI command "show images checksum" to show the SHA256 checksum value instead of the MD5 checksum value.

• 161841 Fixed an issue where the heimdal module does not correctly invalidate closed socket descriptors resulting in a subsequent RiOS crash.

• 163866 Fixed a rare issue where the optimization service can crash if a MAPI connection was hitting the Admission Control limit.

• 163894 Fixed an issue where the QoS deep-packet inspection (DPI) setting for NetFlow required at least one CascadeFlow collector to be configured. The ‘show running-config’ CLI command listed the QoS DPI setting before the collector. If this output was used to reconfigure the SteelHead, the push for QoS DPI would have failed. The CLI command, ‘show running-config’ now recreates the QoS DPI setting after the NetFlow collector configuration to allow it to check for at least one configured CascadeFlow collector before enabling QoS DPI.

• 164769 A thread deadlock race condition has been corrected inside the live video stream splitting implementation. When encountered it resulted in the watchdog thread instigating an optimization service restart preceded by an event thread indicating "not healthy after at least 15s".

• 164780 Fixed an issue where SMB2 connections were reported as CIFS on the Current Connections report, if one of the following was also enabled: Path Selection, Quality of Service, Netflow DPI, or Application Visibility.

• 164815 Fixed an issue that caused a failure of mapping network shares with Windows login scripts when SMB2 latency optimization is enabled. With this issue, Windows machines could not run the login script that automatically maps network shares when SMB2 latency optimization is enabled. The issue is due to denying read requests when the file is opened with execute permissions.

• 165554 Fixed a problem where the client-side SteelHead attempts to connect to a decommissioned Akamai Cloud SteelHead. This would result in pass-through SteelHead Cloud Accelerator connections with the reason: "Inner failed to establish". Additionally, the logs contain "Peer x.x.x.x is unreachable or incomparable" or "Error connecting to the peer OOB". The fix improves the system log output when the log level is set to debug and sets the timeout for the intercept proxy table entry when the value was incorrect.

• 168012 Fixed the auto completion for host and port labels for QoS and path selection CLI commands.

• 173478 Fixed an issue where the SteelHead was not properly releasing memory when the CLI, Management Console, or SteelCentral Controller (SCC) was viewing or manipulating the HTTP server/subnet configuration table.

• 173560 Fixed an issue in the SMB2 blade when handling requests that were split into multiple PDUs by the client.

• 187856 Fixed an issue where the path selection service was using stale information after optimization service was disabled for a relay on the SteelHead.

• 192781 Fixed an issue that causes an out-of-memory condition on the client-side SteelHead leading to a crash of the optimization service. The issue is due to the buffering of write requests during NFS write-behind optimization. The fix enables NFS flow control by default in the write-data path. Note: NFS clients using 1M writes might experience bug 231508.

• 193140 Fixed an issue where the Excel file save operation fails on SMB2 connections on Mac clients. This fix disables the SMB2 idle-foi feature by default, because on alternate streams it is typically used for metadata operations.

• 193447 Fixed an issue where an encrypted MAPI connection is reported as MAPI instead of MAPI-Encrypt on the Current Connections report when any of the following was enabled: Path Selection, Quality of Service, Netflow DPI, or Application Visibility.

• 195691 Fixed an issue where under certain conditions, TCP acknowledgement is not sent during connection kickoff. Fixed the logic that generates TCP RST packets during connection kickoff to set the TCP ACK flag when appropriate.

• 196320 When optimizing Microsoft Office 365 with SteelHead SaaS, the GeoDNS feature might not take effect. Fixed this issue by changing the SteelHead code to remain in synchronization with data delivered by the Cloud Portal, in order to avoid intermittent lack of GeoDNS.

• 196456 Fixed an issue to ensure that all compound requests (specifically SetInfo requests) are appropriately released following a failed create on the SMB2 session. This prevents the RiOS crash seen with this bug.

• 197755 Fixed an issue where, when configuring login security in the SteelHead Management Console, certain combinations of RADIUS authentication and remote authorization, without the presence of a RADIUS server, would cause error messages to appear out of sequence.

• 198747 Fixed a problem where a SteelHead REST API service could query another service while it was starting up. This problem occurred under the following circumstances:

o SteelHead boot or reboot

o SteelHead upgrade

o Start or restart of the SteelHead process that hosts the REST API service.

• 200056 Fixed an issue where, in a very rare case when flow collectors are configured and the primary interface's IP address is changed during appliance boot-up, error messages such as ‘[netflow.ERR] - {- -} uninitialized socket error in send,’ could be seen in the system log. The collector exports NetFlow records using a UDP socket. The fix binds the UDP socket to the interface instead of the IP address in order to export the records. This resolves the socket bind issue that was caused by DHCP changing the IP address.

• 200222 Fixed a problem where the "reset factory" CLI command does not reset configuration settings for all features on the SteelCentral Controller to their default values.

• 200780 Fixed an issue where the application options for path selection rules did not update when a new application was created in another tab or by another user.

• 201202 Fixed an issue where DSCP/VLAN rules fail to match as expected.

• 201550 Added an enhancement where any errors associated with the QoS migration process are printed on the Quality of Service page, after a pre-9.0.0 to 9.0.x upgrade.

• 202160 Fixed a bug where the "Internet Protocol" setting for the gateway test on the Network Health Check page was not properly processed and the test always generated an error.

• 202581 Fixed a script-execution vulnerability that could be exploited by special tools that sent specific kinds of URLs to the appliance.

• 202583 Management Console denial of service with malicious requests. Details: A logged-in SteelHead user using special tooling can make the Management Console unavailable. The attack requires a valid login and that a specific request be altered by an external packet-modification tool. Fix: Implemented better exception handling to prevent denial of service attacks due to malformed requests. Recommendation: Upgrade to patched version if applicable.

• 202809 RiOS v9.1 includes additional log messages and a counter to identify the delay between connection forwarding neighbors.

• 203006 Fixed an issue where the connection between the new Windows v10 client and servers could be black-holed if it is using the new SMB v3.1 dialect and the feature called Pre-authentication integrity. The SMB2-signing blade, when enabled, now detects if the client is sending the SMB v3.1 dialect and removes itself from the splice, allowing the connection to continue in pass-through without latency optimization.

• 203283 The size limit for video fragments is no longer incorrectly driven off the Object Prefetch Table cache limit. This fix restores the higher video fragment limit.

• 203756 Some users thought that the system time in the upper right-hand corner of each Web page always reflected the current time on the SteelHead. However, the time was actually static and never changed. With this fix, the SteelCentral Controller now keeps the system time current by updating it periodically.

• 204223 The secure transport client service (stp_client) is designed to retry on such failures. These are innocuous log messages and their severity level has been reduced.

• 204247 In a heterogeneous environment of Windows 2003 and 2008 domain controllers (DCs), a problem where the SteelHead connects to the Windows 2003 DC instead of the Windows 2008 DCs to complete NTLM-transparent authentication in ADI-2k8 mode was fixed.

• 204386 Fixed an issue where, while starting the Virtual SteelHead, a system log warning might be displayed stating, ‘MSPEC license has expired or been removed. Terminating sport.’ This warning is invalid and can be ignored. The fix removes a redundant licensing check at startup which might cause confusing log messages about license expiration.

• 205238 Fixed an issue where the Path Selection page makes a large request every 10 seconds when idle. The information retrieval process was modified to request the list of application options for path selection rules asynchronously after the initial page load every 30 seconds instead of every 10 seconds.

• 205330 RiOS has changed the way it computes output buffer lengths requested in find requests generated by the client SteelHead. RiOS always requests either 512K or finds a prefetch window size, whichever is the minimum, thereby ensuring that the output buffer length is never too small.

• 205471 Fixed an issue where, when WCCP is used to redirect traffic to a SteelHead and the encapsulation scheme is set to ‘Either’ on the SteelHead, packets could be GRE redirected to a router even though the WCCP redirection was negotiated to be Layer2 only. The fix addresses the case when multiple service groups are configured and either GRE or Layer2 redirects could be the negotiated method for WCCP.

• 205495 Fixed an issue so that existing system event log entries are now cached in RiOS and only new entries need be retrieved through the IPMI. Prior to the fix the SteelHead Management Console or CLI might become slow and unresponsive and the following message would appear in the logs: [mgmtd.NOTICE]: Waited [x] secs for [query request], Bindings (1 of 1):{/hw/hal/ipmi/query/allevents,N/A,N/A}

• 205588 Fixed a bug where some role-based management users (that is, users who had "Read-Only" permissions for in-path rules and "Deny" for all other roles) encountered an error message when viewing the In-Path Rules page.

• 205609 Fixed an issue that caused SteelHead CX250 models to hit a low memory condition when datastore encryption is enabled. The fix adjusts memory Admission Control values for the CX250 series to account for datastore encryption.

• 205796 Fixed an issue where the "Uplink None not defined" error appears when the path-selection CLI command prevents a user from resetting the path choice in a path selection rule.

• 205942 The kernel statistics API has been patched to handle the invalid sockets gracefully and will no longer crash.

• 206144 Fixed an issue that caused increased memory usage on repeated accesses to the Path Selection page on Web3. The information retrieval process was modified to request the list of application options for path selection rules asynchronously after the initial page load every 30 seconds.

• 206287 Fixed an issue where certain CLI commands such as ‘no stp-client controller’ and ‘show stp-client status’ would hang and eventually timeout with an error. The timeout was due to an unhandled error condition. The error conditions leading to this timeout are gracefully handled now.

• 206552 Correctly suppress the inbound QoS bandwidth for the primary interface since inbound QoS is not supported on it.

• 206555 Fixed an issue where a monitor user could navigate certain Web pages from which they are restricted.

• 206620 Fixed an issue where pass through connections can lead to incorrect asymmetry warning messages in the system logs, similar to, ‘ITSEELM-WA0008 kernel:[intercept.WARN] it appears as though probes from 10.0.0.1 to 10.10.2.9 are being filtered. Passing through connections between these two hosts.’ The warning has no negative impact on the functioning of the SteelHead. The spurious warning message is fixed.

• 206905 QoS rules are fixed to match both application name and description fields.

• 216469 A memory leak occurs when the SteelHead adds an SSL server to the bypass table. Over time this can lead to premature admission control. Corrected code that was failing to deallocate X509 certificate information.

• 216769 Fixed an issue where the font size on the log pages of the SteelHead Management Console is sometimes too small or too large for the user. Now on the SteelHead Management Console Log page, users can adjust the font size of the logs. This functionality is not available on Internet Explorer v8 or earlier.

• 216839 Fixed a problem with Current Connections report in the SteelHead Management Console and the CLI, neither of which showed the per-connection QoS information in v9.0.0. RiOS v9.0 changed the internal architecture of the QoS feature. The Current Connections report in the Management Console and the "show connection/flow" CLI commands were missed in the conversion to the new architecture.

• 216980 Fixed an issue where the tooltip for the alarm icon on the header of the SteelHead Management Console did not change along with the health of the appliance. The redundant "System Health" text was also removed.

• 216985 Fixed an issue where the output of the "show running full" CLI command fails to apply when the Default Profile QoS class names differ from the stock defaults.

• 217019 Fixed an issue that caused live video stream splitting functionality to not work correctly if the video URLs have query parameters.

• 217309 Fixed an issue where entries in the simplified routing table became stale when the IP address of a SteelHead peer on the same subnet changed. This fix identifies stale entries and invalidates them.

• 217580 We have addressed the scenario where large site configurations are being made with shaping enabled. The improvements should avoid the page swapping and the memory requirements.

• 217650 CVE-2014-4877: Wget FTP symbolic link, arbitrary file system access. Details: A flaw was found in the way Wget handled symbolic links. A malicious FTP server could allow Wget running in the mirror mode (using the '-m' command line option) to write an arbitrary file to a location writable by the user running Wget, possibly leading to code execution. Fix: The Wget package has been upgraded to address CVE-2014-4877. Recommendation: Upgrade to patched version if applicable.

• 217689 Fixed an issue with the output of the "show running full" CLI command when the QoS configuration items contain spaces in their names. The output is now properly escaped for input.

• 217700 Made the screen scrollable to allow access to all profiles in the Sites and Networks page.

• 217835 Fixed an issue where the kernel throws a warning message when a connection is not in an established state and it receives a packet with SNACK options set. This message is harmless as the received packet is handled safely. This fix suppresses this innocuous message.

• 218734 In Internet Explorer v8 (IE8), when editing an application that has metadata fields (such as those for HTTP), a field no longer disappears after opening and closing the drop-down list. Additional checks are made for IE8 to prevent the problem.

• 218794 Auto refresh logic was implemented so that CLI changes are reflected on the Path Selection page of the Management Console without refreshing the page.

• 218799 The SteelHead now parses authenticated EPM connections and optimizes related MAPI connections. Note: When Outlook is using authenticated EPM connections to the SteelHead you cannot use the MAPI port remapping feature.

• 218996 Fixed an issue where receiving jumbo packets on the SteelHead in a connection forwarding or WCCP deployment can lead to kernel traces in the logs. The SteelHead now properly handles jumbo frames received in connection forwarding or WCCP setups. This no longer causes kernel traces in the logs.

• 219085 Fixed an issue that was causing fragment reassembly to fail leading to packet drops. Reassembly failures are recorded with the following error message in system log: "kernel:[intercept.ERR] ip_defrag failed with -12".

• 219137 Fixed an issue with database connection management that can lead to a crash of the collectord process when the system is under high load.

• 219485 Fixed an issue where a user without QoS read permissions, instead of being taken to the My Accounts page, sees an error in the SteelHead Management Console when attempting to view the Inbound or Outbound QoS reports.

• 215931 Tcpdump: Multiple denial of service attacks caused by malformed PPP, AODV & OLSR packets. Details: CVE-2014-8767: Integer underflow in the olsr_print function in tcpdump 3.9.6 through 4.6.2, when in verbose mode, allows remote attackers to cause a denial of service (crash) via a crafted length value in an OLSR frame. CVE-2014-8769: Tcpdump 3.8 through 4.6.2 might allow remote attackers to obtain sensitive information from memory or cause a denial of service (packet loss or segmentation fault) via a crafted Ad hoc On-Demand Distance Vector (AODV) packet which triggers an out-of-bounds memory access. CVE-2014-9140: Buffer overflow in the ppp_hdlc function in print-ppp.c in tcpdump 4.6.2 and earlier allows remote attackers to cause a denial of service (crash) via a crafted PPP packet. Fix: The Tcpdump library has been updated to fix CVE-2014-8767, CVE-2014-8769, and CVE-2014-9140. Note that RiOS is not impacted by CVE-2014-8768, a related issue which affects GeoNet frames. Recommendation: Upgrade to patched version if applicable.

• 219670 Fixed an issue with a specific QoS workflow: after adding the same rule twice, the system no longer displays "ValueError" errors when subsequent, valid actions are attempted.

• 219678 The reset button removes the red error popup bubble.

• 219870 The failure handling mechanism for GeoDNS for SteelHead SaaS Office 365 optimization has been enhanced so that unreachable IP addresses are temporarily blacklisted instead of being permanently purged.

• 221108 The CLI command "configuration write to" triggers a restart of the SteelHead internal service. In some timing-specific cases, the restart request is intercepted and discarded by the SteelFlow Web transaction analysis (WTA) feature. Because the internal service never restarts, further attempts to write the configuration file to memory fail. This issue can occur even if SteelFlow WTA is not enabled. This fix prevents restarts by preventing SteelFlow WTA from intercepting this request.

• 221252 Fixed an issue where the RiOS optimization service might crash when the SMB2 servers send asynchronous responses to synchronous read-ahead requests from the client-side SteelHead. This is more likely to happen when the server is under high load.

• 221435 After the fix, starting the secure transport controller succeeds even if the management system is unresponsive. Thus, secure transport clients are able to connect to the secure transport controller and no controller connectivity alarms are triggered on the SteelHead.

• 221489 Fixed an issue where the MAC header size is not accounted for during inbound QoS shaping, leading to higher than expected inbound throughput.

• 221492 CVE-2014-8500 BIND library: Delegation handling denial of service attack. Details: A denial of service flaw was found in the way BIND followed DNS delegations. A remote attacker could use a specially crafted zone containing a large number of referrals which, when looked up and processed, would cause named to use excessive amounts of memory or crash. Fix: The BIND library has been patched for CVE-2014-8500. Recommendation: Upgrade to patched version if applicable.

• 221576 The optimization service no longer crashes if a network error results in the closure of an optimized MAPI connection.

• 221793 The SteelHead uses the same authentication information for the HTTPS connections to the SCC and the secure transport controller. Thus, when the HTTPS connection between the SteelHead and the SCC is renewed, any failed HTTPS connection between the SteelHead and the secure transport controller is now renewed with the updated authentication information. As a result, the SteelHead now attempts to connect to the secure transport controller when the connection to the SCC is established.

• 222156 When Citrix optimization is enabled on the SteelHead, it no longer leaks memory for each Citrix connection using secure ICA and RC5 encryption. The memory leak occurred once during the Citrix connection while parsing the ICA packet with Diffie-Hellman parameters sent by the Citrix server.

• 222333 Cross-Frame Scripting (XFS) vulnerabilities in path selection and QoS pages. Details: Some of the new path selection and QoS pages were vulnerable to Cross-Frame Scripting (XFS) vulnerabilities by logged-in users. Fix: Sanitized user input on path selection and QoS pages, preventing scripting tags from being rendered. Recommendation: Upgrade to patched version if applicable.

• 222718 NTP: Network Time Protocol cumulative security update RHSA-2014:2024-1.
Details: This security update addresses the following issues:
CVE-2014-9293: It was found that the ntpd protocol automatically generated weak keys for internal use if no ntpdc request authentication key was specified in the ntp.conf configuration file. A remote attacker, able to match the configured IP restrictions, could guess the generated key and possibly use it to send an ntpdc query or configuration requests.
CVE-2014-9294: It was found that the ntp-keygen program used a weak method for generating MD5 keys. This could possibly allow an attacker to guess generated MD5 keys that could then be used to spoof an NTP client or server.
CVE-2014-9295: Multiple buffer overflow flaws were discovered in the ntpd crypto_recv(), ctl_putdata(), and configure() functions. A remote attacker could use any of these flaws to send a specially crafted request packet that could crash ntpd, or potentially, execute arbitrary code with the privileges of the NTP user.
CVE-2014-9296: A missing return statement in the receive() function could potentially allow a remote attacker to bypass the NTP authentication mechanism.
Fix: RiOS, in its default setting, is not impacted by any of the above issues. However, the NTP module has been upgraded to a version that addresses these issues.
Recommendation: Upgrade to a v9.1 release of RiOS that has the updated NTP module.


• 222800 CVE-2014-3583: Apache HTTP Server v2.4.10 FastCGI Denial of service. The Apache HTTP Server v2.4.10 allows remote FastCGI servers to cause a denial of service via long response headers. Details: The handle_headers function in mod_proxy_fcgi.c and the mod_proxy_fcgi module in the Apache HTTP Server v2.4.10 allows remote FastCGI servers to cause a denial of service (buffer over-read and daemon crash) via long response headers. Fix: Apache v2.4.10 in RiOS has been patched for CVE-2014-3583. Recommendation: Upgrade to patched version if applicable.

• 222888 A new winbind integrity task for processes count has been added to check the number of running processes against a limit. This task runs once a day and restarts the winbind process automatically if the threshold is exceeded. The existing memory check of the winbind integrity task has also been enhanced to check the total memory consumption (sum of the memory usage of all winbind processes) against a limit.

• 223129 Fixed an issue where a kernel crash could occur on systems with a 10 gigabit interface card when the system is in the process of shutting down. The adapter is now declared down immediately upon entering the shutdown process so that all other threads can bypass the down adapter.

• 223187 Unzip utility: Multiple buffer overflows and out-of-bounds vulnerabilities.
Details: Multiple buffer overflows and out-of-bounds vulnerabilities were reported in the 'Unzip' utility.
CVE-2014-8139: Heap overflow condition in the CRC32 verification of Unzip which might result in arbitrary code execution.
CVE-2014-8140: Out-of-bounds write in Unzip's test_compr_eb() function due to bad uncompressed size value.
CVE-2014-8141: Out-of-bounds read in Unzip's getZip64Data() function due to lack of error detection and reporting.
Fix: 'Unzip' utility has been updated to patch the following vulnerabilities: CVE-2014-8139, CVE-2014-8140 & CVE-2014-8141.
Recommendation: Upgrade to patched version if applicable.


• 223242 Fixed an issue where the help pages on the SteelHead dashboard were returning a 401 unauthorized error.

• 223254 Fixed an issue where a SteelHead CX255L/M/H running RiOS v8.6.2 raised a fan speed alarm, when there is no fan or fan speed failure. This problem impacts the CX255 running RiOS v8.6.2 only. No other products are impacted when running RiOS v8.6.2. The CX255 is not impacted if it is running a different RiOS version.

• 223474 Outlook uses regular HTTP requests (for example, for Exchange Web Services) on an optimized HTTP(S) connection. If the SteelHead has enabled Outlook Anywhere optimization for these connections, the SteelHead failed to start Outlook Anywhere optimization if the HTTP connection did not start with Remote Procedure Call (RPC) over HTTP requests. The fix in RiOS v9.1 allows the optimization service to start Outlook Anywhere MAPI optimization on HTTP connections at any time.

• 223624 RiOS now correctly handles prefetch requests larger than 1 MB. In RiOS 8.5.3 or later, HTTP connections would go into a bypass state after seeing a response larger than 1 MB. In newer versions the SteelHead only stops buffering response data, and this results in prefetches of the larger object missing content when requested by the client.

• 223760 CVE-2014-6272 libevent: Multiple integer overflow flaws were found in the evbuffer API of libevent. Details: Multiple integer overflow flaws were found in the evbuffer API of libevent. An attacker, able to make an application pass an excessively long input to libevent via the evbuffer API, could use this flaw to make the application enter an infinite loop, crash, and, possibly, execute arbitrary code. Fix: The libevent library has been removed from RiOS. Prior to this fix, RiOS was not impacted by this vulnerability since the libevent library was not being used. Recommendation: Upgrade to a RiOS version that does not have the libevent library.

• 223798 This defect in the QoS rule matching logic is resolved and now correctly matches the expected QoS rule.


• 223897 CVE-2014-8150 Libcurl: HTTP response splitting attacks via a CRLF injection vulnerability. Details: A CRLF injection vulnerability in libcurl v6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL. Fix: The Curl library has been patched for CVE-2014-8150. Recommendation: Upgrade to patched version if applicable.

• 223930 An alarm flash error was triggered on the SteelHead after 3 days. For certain models of SteelHead (SHxx50, CX1555, EX1160, EX1260), RiOS uses a system to have a redundant copy of the contents of the flash device. This fix addresses an issue wherein errors while writing to the flash device would trigger faulty error handling in the data synchronization code.

• 224044 Fixed an issue where a rare error in reading hardware sensors was not handled properly and might cause a sysdump not to complete on the SteelHead models 3070, 5070, and 7070.

• 224081 Fixed the handling of port label updates during SteelCentral Controller (SCC) pushes of hybrid network policies to prevent "DP_SETUP_ERROR" messages from occurring when the SCC pushes QoS policies to the SteelHead.

• 224128 Fixed an issue where HTTP cache statistics displayed in the Management Console and CLI are incorrect. The root cause was inaccurate counts for total HTTP requests. This resulted in a bad denominator in the rate computation that has been corrected with this fix.

• 224439 The message is for information only and does not impact system operation. Request to get a system event log (SEL) entry during a system shutdown is handled by dropping the command.

• 224505 Fixed a problem with Current Connections in both Management Console and CLI, neither of which showed per-connection QoS information in v9.0.0. This release changed the internal architecture of the QoS feature. The Current Connections report in the Management Console and the "show connection/flow" CLI commands were missed in the conversion to the new architecture.

• 224536 Fixed the CLI output for "show application" CLI command when the DSCP value is set to 0.

• 224580 Fixed a crash by ensuring that the initial connection validation routine for signed SMB connections in delegation mode does not make repeated IO checks for availability of the secure vault.


• 224738 OpenSSL cumulative security update for advisory - secadv_20150108.
Details: This update addresses the following issues:
CVE-2014-3571: DTLS segmentation fault in the dtls1_get_record.
CVE-2015-0206: DTLS memory leak in the dtls1_buffer_record.
CVE-2014-3569: no-ssl3 configuration sets method to NULL.
CVE-2014-3572: ECDHE silently downgrades to ECDH [Client].
CVE-2015-0204: RSA silently downgrades to EXPORT_RSA [Client].
CVE-2015-0205: DH client certificates accepted without verification [Server].
CVE-2014-8275: Certificate fingerprints can be modified.
CVE-2014-3570: Bignum squaring might produce incorrect results.
For more information, see: https://www.openssl.org/news/secadv_20150108.txt
Fix: Of the issues listed above, RiOS management is not impacted by CVE-2014-3571, CVE-2015-0206, CVE-2014-3572 and CVE-2015-0204. However, the OpenSSL library has been updated to a version that patches all of the above issues.
Recommendation: Upgrade to patched version if applicable.

• 224739 Fixed an issue when inbound QoS is enabled where QoS migration calculates the upstream bandwidth for all remote sites by dividing the local downstream bandwidth by the number of remote sites. This might result in unduly constrained bandwidth from each remote site.

• 224747 Fixed a bug where a certificate, created using a CSR from the SteelHead, could not be used to "replace" the current certificate through the Secure Peering (SSL) page.

• 224982 Fixed an issue where long HTTP headers were not being handled correctly. This error corresponds to the 'HTTP_ERR_LINE_TOO_LARGE' message in the log.

• 225109 Fixed an issue where the QoS scheduler is not automatically updated when the interface MTU changes. Added logic to automatically update the SFQ quantum value when an interface MTU changes.

• 225250 Fixed a CLI freeze when showing connections on a SteelHead with 130,000 or more connections. The "show connections" command now displays a maximum of 50,000 connections. Filters can be used to ensure that desired connections are shown.

• 225257 Added validation to prevent configuring a peer IP address that is already configured as a /32 subnet in an existing site.


• 225301 Fixed an issue where the SteelHead Management Console would not be accessible after upgrading to RiOS v8.6.2 and v9.0.0, if an optical 1 Gig add-on NIC was installed. This problem occurs only if the configuration is set to Auto speed and duplex.

• 225347 Fixed a memory leak in the SSL certificate expiring alarm function.

• 225488 CVE-2015-0235 - The glibc gethostbyname buffer overflow (GHOST vulnerability). A heap-based buffer overflow was found in the glibc __nss_hostname_digits_dots() function that is used by the gethostbyname() and gethostbyname2() glibc function calls. Details: A heap-based buffer overflow was found in the glibc __nss_hostname_digits_dots() function that is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker, able to make an application call either of these functions, could use this flaw to execute arbitrary code with the permissions of the user running the application (that is, the GHOST vulnerability). Fix: The glibc library has been updated to patch the GHOST vulnerability. Recommendation: Upgrade to patched version if applicable. See knowledge base article S25833 for more details.

• 225828 CVE-2014-9130: Libyaml: Denial of service when processing wrapped strings. Details: An assertion failure was found in the way the libyaml library parsed wrapped strings. An attacker able to load specially crafted YAML input into an application using libyaml could cause the application to crash. Fix: Libyaml module has been patched for CVE-2014-9130. Recommendation: Upgrade to patched version if applicable.

• 225712 Fixed incorrect optimized flows and WAN capacity configuration for CX570, CX770, and CX3070 models.

• 226206 Fixed the issue so that the ‘SteelCentral Controller (SCC) Communication Service’ comes back up once the network error on the SteelHead recovers, reestablishing the communication channel between the SteelHead and the SCC. The following error appeared in the logs: [yarder.services.ERROR] Failed to load service module lumberjack-svc-ocd


• 227550 Fixed an issue where GeoDNS for SteelHead SaaS would have failed to find the optimum SteelHead against certain destinations of Office 365 Exchange server regions, potentially causing degradation in performance.

• 227734 Fixed an issue so that the RiOS optimization service does not crash while processing a lease notification if the lease has already been deleted from the lease store while the notification is being processed.

• 227878 The time zone data has been upgraded to 2015a to properly handle the leap second at 2015/06/30 23:59:60 UTC.

• 228019 Fixed an issue where the QoS profile options would stay hidden when adding or editing a nonlocal site after editing the local site. The local site does not have any QoS profiles, but every other site does.

• 228262 Fixed an issue where setting the maximum domain child processes for the winbind daemon, with "domain settings max-children" set to less than the total number of trusted domains, results in high CPU utilization in the winbindd process. The algorithm to release idle processes in the winbind daemon had an issue that could, in some situations, lead to looping indefinitely over the list of child processes, causing 100% CPU utilization. The fix consists of rewriting the stop condition of the iteration to break the loop when all processes have been looked at.

• 229673 Security update for the glibc functions getaddrinfo() and gethostbyname_r().
Details:
CVE-2013-7423: It was discovered that, under certain circumstances, the glibc getaddrinfo() function would send DNS queries to random file descriptors. An attacker could potentially use this flaw to send DNS queries to unintended recipients, resulting in information disclosure or data loss due to the application encountering corrupted data.
CVE-2015-1781: A buffer overflow flaw was found in the way glibc's gethostbyname_r() and other related functions computed the size of a buffer when passed a misaligned buffer as input. An attacker able to make an application call any of these functions with a misaligned buffer could use this flaw to crash the application, or potentially, execute arbitrary code with the permissions of the user running the application.
Fix: The glibc library has been updated to patch CVE-2013-7423 and CVE-2015-1781.
Recommendation: Upgrade to patched version if applicable.


• 229846 CVE-2015-1349: BIND trust anchor management remote DoS. Details: A flaw was found in the way BIND handled trust anchor management. A remote attacker could use this flaw to cause the BIND daemon (named) to crash under certain conditions. Fix: The BIND library has been updated to patch CVE-2015-1349. Recommendation: Upgrade to patched version if applicable.

• 230034 Fixed an issue where QoS and path selection classification is bypassed for optimized connections after a configuration push from the SteelCentral Controller (SCC) occurs, while the SteelHead is experiencing a high number of new connections per second. This fix improves the handling of configuration updates while traffic is running to avoid classification bypass for optimized connections.

• 230154 OpenSSL cumulative update for security advisory secadv_20150319.
Details: The OpenSSL security advisory https://www.openssl.org/news/secadv_20150319.txt identifies several vulnerabilities of which the following impact RiOS:
CVE-2015-0204: RSA silently downgrades to EXPORT_RSA (Severity: High)
CVE-2015-0286: Segmentation fault in ASN1_TYPE_cmp (Severity: Moderate)
Fix: OpenSSL has been upgraded to patch the vulnerabilities identified in the security advisory secadv_20150319.
Recommendation: Upgrade to patched version if applicable.

• 230606 The Quality of Service feature does not support IPv6. This fix suppresses the display of QoS information for IPv6 traffic.

• 230912 RiOS was making a legal, but optimistic interpretation of HTTP cache guidelines. Evaluation of the cache validator headers has been reverted to more conservative guidelines to avoid the conflict.

• 230982 Fixed an issue where a redundant power supply failure was not raising an alarm.

• 231397 Fixed an issue preventing the creation of applications using host labels for which DNS resolution is still pending.


• 231500 Fixed an issue where, when signing is negotiated on a CIFS/SMB session using Mac OS 10.9 or 10.10 as a client, the connection might be terminated during server access. However, the client transparently reconnected without impacting the user. Connection termination on a signed CIFS/SMB connection as a client has been fixed. This issue was happening because of the incorrect calculation of the SMB signing value.

• 231508 Fixed an issue in the NFS implementation of the client-side SteelHead that was slowing down large (1 MB) writes to the server. The slowness was due to the SteelHead taking too long to prepare the packet to send over the WAN and then starving while waiting for the next packet to arrive from the client, as part of the fix for bug 192781. The fix stores a packet for future processing while another packet is being actively processed, so the starvation does not happen.

• 231669 Changed the Management Console Current Connections report to not highlight 100% reduction with the same red border as 0% reduction. This erroneously suggested that near-100% reduction was bad. The red highlight for 0% is retained.

• 231844 Fixed an issue causing periodic transient CPU usage spikes, leading to CPU alarms on lower-end models.

• 232047 Fixed an issue that caused the following WARNING messages, which are harmless, to appear on the message log: [rgpd.WARNING]: ‘Binding /rbt/support/config/sfp-branding/enable not consumed during reverse mapping’ [rgpd.WARNING]: ‘Binding /sfp/config/branding/supported not consumed during reverse mapping’

• 232178 Fixed an issue where the QoS bottleneck bandwidth calculated to each remote site might be incorrect.

• 232476 Fixed an issue where high traffic load would lead to an incomplete QoS daemon shutdown, leading to a process core. The shutdown will now complete gracefully without a process core.

• 232526 Because Mac OS X clients with SMB2 optimization use alternate streams, problems occur while saving Excel files. This fix provides a hidden CLI command to disable optimization for alternate streams. This is the default behavior.

• 232561 The change fixes the handling of short invalid Kerberos request packets on HTTP connections.

• 232630 Fixed an issue where path selection details would disappear from the Current Connections page during a path failover. This issue was due to a new variable (i.e., the least recently used path index) that was not accounted for in the Management Console code.

• 232692 Fixed potential vulnerabilities in the Linux kernel for 2015 leap second adjustment.


• 233913 This error message "[pm.ERR]: Output from yarder_core: svc-upgrader: error: argument -y/--yaml_dir is required." is harmless and does not impact the functionality of the system.

• 234195 Fixed an issue preventing the QoS feature from being enabled after the optimization service is disabled.

• 234833 When upgrading from 8.6.0, 9.0.0 or 9.0.1 to 9.1.0, the QoS configuration is now migrated successfully without error.

• 235961 Fixed an issue where a role-based management user with read-only permissions was allowed to click the "Save" and "Revert" buttons on the Configuration page, even though the functionality did not work. These buttons are now disabled for role-based management users with read-only permissions.

• 236287 Fixed an issue where QoS statistics would not be collected when the SteelHead has limited memory and is configured with a very large number of sites.

• 236335 The Optimization Service was intermittently crashing while users were accessing Sharepoint services through the SteelHead. Identified and fixed a problem related to the parsing of HTTP WebDAV responses with a status code of 207 (Multi-Status). Multi-Status responses lacking XML-namespace prefixes were causing the optimization service to terminate improperly.

• 236443 Fixed an issue so that CLI commands for QoS or path selection rules with spaces in the "application" or "apptag" names no longer fail.

• 236486 Fixed an issue that caused RiOS optimization service to halt unnecessarily for a recoverable connection error. This issue occurs when an optimized connection is aborted during connection set up. With this fix, the aborted connection is dropped but the optimization service keeps running.

• 236548 Fixed an issue where copying a QoS profile did not set the default class properly. If the default rule had been changed from its original value, the new profile properly copies this change into the new profile. The new profile previously copied the original default rule.

• 236863 The RiOS optimization failure no longer occurs with an error message saying "Content-Length exceeded, but in a non-expected HTTP state." The MAPI optimization service was changed to drop the problematic connection instead of crashing in the event that it encounters the unexpected condition that the content length is exceeded but it is not in the expected HTTP state.


• 236995 Fixed an issue where, in rare cases, the optimization service could crash when an Outlook Anywhere (OA) connection sent a message to the other virtually connected OA connection that had already been deleted. A Virtual Connection (VC) object is used to handle requests and responses from two half-duplex OA connections, and it has definite knowledge of the OA connection existence. The message sent by one OA connection to another is now routed through the VC, and the VC makes sure that the message is not forwarded to the deleted OA connection.

• 237070 Fixed a scrolling issue with "Edit Sites" option on the Sites page. Now the option remains in the same place whereas previously it could scroll off the screen.

• 237637 Fixed problem where role-based management users were unable to run scheduled jobs, seeing log errors "Permission denied: mkdir(/var/opt/tms/sched/3, 755)".

• 237820 Fixed an issue where the creation and deletion of many sites can lead to failures when enabling QoS shaping. The following log message is seen when this issue occurs: "Could not parse tc error: Error: argument "invalid class ID" is wrong: 1:10000:".

• 237939 A SteelHead with path selection enabled slowly leaks memory in cases where the customer has a Layer 2 network with a high number of unreachable paths. As a result, the SteelHead requires a restart every few days. This fix addresses the memory leak issue.

• 238607 Fixed an issue where cached authentication cookies could lead to data leakage between O365 SharePoint users. Identified and corrected a problem where authentication cookies were being cached.

• 238925 Fixed an issue where QoS-related processes crash repeatedly after reboot when a new in-path interface is added after configuring remote sites.

• 239117 Fixed an issue where the "show flows" and "show connections" CLI commands would show pass-through traffic before optimized traffic. Optimized traffic is now displayed before pass-through traffic.

4) KNOWN ISSUES

• 161036 SteelHead fails to connect to the Cloud Portal through a proxy server for SteelHead SaaS service if the proxy disallows the 'Content-Length' header added to the CONNECT request. When connecting to the Cloud Portal through a proxy server for SteelHead SaaS, the SteelHead adds a ‘Content-Length’ header to the CONNECT request. Some proxy services will fail the CONNECT request with a 400 status. SteelHead will not be able to register/connect with the Cloud Portal. Configure the proxy server to allow requests with a ‘Content-Length’ header.


• 165137 The SteelHead peer-version string might be displayed incorrectly in the Current Connections page. This issue occurs if the SteelHead being monitored is connected to multiple SteelHead peers that have the same public IP address. No known workaround.

• 195507 A SteelHead is not reachable for Path Selection from remote peers if its optimization service is disabled. No known workaround.

• 198015 The SteelHead cannot be managed by the SteelCentral Controller for SteelHead (versions 9.0.0 and above) when requisite management channels are not established. SCC versions 9.0.0 and above require two channels to the appliance - an SSH channel and an HTTPS channel. The status of these channels can be viewed on the SteelHead terminal with the command:

    show scc

A sample output of this command is shown below:

    amnesiac > show scc
    Auto-registration: Enabled
    HTTPS connection (to the CMC):
    Status: Connected
    Hostname: bravo-sh378
    SSH connection (from the CMC):
    Status: Connected
    Hostname: bravo-sh378 (10.5.39.87)

When the hosts for the HTTPS and SSH connections are different, or both channels do not have “Connected” status, the appliance cannot be fully managed by the SCC. To connect a SteelHead to the SCC, use the following command in configure mode to establish the connections:

    scc hostname <hostname>

If both connections show “Connected” to two different SCCs, remove the appliance from the Manage -> Appliances page on the incorrect SCC and update the appliance username and password on the correct SCC. If the SCC hostname was never configured on the appliance, the appliance will try to connect to the host riverbedcmc. Make sure to update your DNS to point the hostname riverbedcmc to the correct SCC that is managing the appliance.
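The check described in 198015, as an added example that is not Riverbed code: it parses captured "show scc" output and reports the two conditions the note names (a channel that is not "Connected", or the two channels naming different hosts). The first sample is the output shown above; the other two samples, the hostname charlie-scc01, the status value "Disconnected" and the function names are constructed assumptions.

```python
import re

# Section headers as they appear in the sample output on this page.
_HEADER = re.compile(r"(HTTPS|SSH) connection \([^)]*\):")

# Sample output from the release note (line breaks are a reconstruction).
SAMPLE_OK = """\
amnesiac > show scc
Auto-registration: Enabled
HTTPS connection (to the CMC):
Status: Connected
Hostname: bravo-sh378
SSH connection (from the CMC):
Status: Connected
Hostname: bravo-sh378 (10.5.39.87)
"""

# Constructed: the two channels terminate on different SCC hosts.
SAMPLE_SPLIT = SAMPLE_OK.replace(
    "Hostname: bravo-sh378 (10.5.39.87)", "Hostname: charlie-scc01 (10.5.39.99)"
)

# Constructed: SSH channel down; "Disconnected" is an assumed status string.
SAMPLE_DOWN = """\
amnesiac > show scc
Auto-registration: Enabled
HTTPS connection (to the CMC):
Status: Connected
Hostname: bravo-sh378
SSH connection (from the CMC):
Status: Disconnected
"""


def parse_show_scc(output):
    """Return {"HTTPS": {...}, "SSH": {...}} with status and hostname.

    The parser is whitespace-agnostic, so it works on the multi-line form
    and on output that has been flattened onto one line.
    """
    channels = {}
    headers = list(_HEADER.finditer(output))
    for i, hdr in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(output)
        body = output[hdr.end():end]
        status = re.search(r"Status:\s*(.*?)\s*(?:Hostname:|$)", body, re.S)
        host = re.search(r"Hostname:\s*(\S+)", body)
        channels[hdr.group(1)] = {
            "status": status.group(1) if status else "unknown",
            "hostname": host.group(1) if host else None,
        }
    return channels


def check_scc_channels(output):
    """Return a list of problems; an empty list means fully manageable."""
    channels = parse_show_scc(output)
    problems = []
    for name in ("HTTPS", "SSH"):
        ch = channels.get(name)
        if ch is None:
            problems.append(f"{name} channel not reported")
        elif ch["status"].lower() != "connected":
            # Any status other than "Connected" is treated as a failure.
            problems.append(f"{name} channel status is {ch['status']!r}")
    hosts = {c["hostname"].lower() for c in channels.values() if c["hostname"]}
    if len(hosts) > 1:
        problems.append(
            "channels point at different SCC hosts: " + ", ".join(sorted(hosts))
        )
    return problems


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("split", SAMPLE_SPLIT), ("down", SAMPLE_DOWN)):
        print(label, check_scc_channels(sample) or "both channels connected to one SCC")
```
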

• 204204 After a report has been viewed for a long time without being refreshed, an error dialog "Unable to parse response" can appear. On a heavily loaded appliance, this could happen in 1-2 hours, but may not at all. Refresh the report to clear the dialog.

• 217457 On a heavily loaded SteelHead, clicking the "after waiting, click here" link does not work. Log in appears successful, but there are errors in the Management Console after log in. Log out and log in to clear the issue.

• 218352 When class names are manually selected for display in a Web QoS report in a version lower than v9.0 and the SteelHead is upgraded to v9.0 or later, the report data might appear to be missing because the class names can change during migration. Reselect the desired classes using their post-migration names.


• 220338 Since v8.5.0, the "monitor" user has been unable to select the units to be displayed in the QoS reports. No known workaround.

• 225148 Importing a configuration will fail if the user's password contains an at sign (@). During configuration import, this is erroneously read as a user@host pair and the import will not succeed. Avoid using the at-sign (@) in passwords.

• 227509 Under some circumstances, a customer's explicitly defined configurations for admission control, datastore, MAPI prepopulation, SSL bypass table, HTTP stream splitting inflight cache will be overwritten with default values upon upgrade to Baffin. If changes have been made to admission control, datastore, MAPI prepopulation, SSL bypass table configurations or HTTP stream splitting inflight cache, note their values prior to an upgrade to Baffin and reconfigure them if not correct after upgrade.

• 229980 When the Web proxy feature is enabled, eligible traffic is handled using Web Proxy, ignoring transparency options on the applicable in-path rule. If transparency options are set on the in-path rule, they are ignored. No workaround is available. You should be aware that transparency options do not apply to traffic optimized by Web Proxy.

• 232641 In some situations, as part of system reboot, the application stats service fails to properly initialize. Error level log messages reporting AppStats service start-up failure are logged in this situation. Workaround: system restart.

• 233903 On Virtual SteelHead xx50 models, the configuration partition may become full, resulting in errors similar to [mgmtd.ERR]: lf_write_bytes_tbuf(), file_utils.c:1077, build (null): Error code 14014 (generic IO error) returned. If errors occur in the logs after attempting to save the configuration, manually delete the saved configuration backup files that are no longer required from the Management Console or CLI.

• 235131 EtherChannel does not support bundling of management in-path interfaces along with in-path interfaces. Since there is no bundling of management in-paths, link failover between the management interfaces is not supported when EtherChannel is enabled. No known workaround.

• 236023 When 'Auto-Negotiation of MultiStream ICA' is enabled on a SteelHead, a Citrix XA/XD 7.6 server is used and a priority 0/2/3 connection is broken, the 'Auto Client Reconnect' on the Citrix Receiver will not automatically reconnect the Citrix session. The user can manually restart and resume the Citrix session if the session was saved on the Citrix server.

• 236824 Occasionally, the SteelHead might log "Connection reset by peer" error message when connection between SteelHead and SteelCentral Controller is interrupted. The errors can be safely ignored since the connection will be re-established immediately.


• 237024 Disabling REST API access on SH will cause hybrid networking, QoS, Secure Transport and SEPIA policy push from SCC to fail. Enable 'REST API' access on SH. This configuration is on the Configure › Security › REST API Access page.

• 237223 Intermittently Citrix multi-stream applications are not identified and tracked by the application stats service. No known workaround.

• 237772 For SteelHead models CX255, CX570, and CX770, the LAN and WAN interface links can go down briefly during an optimization service restart. This issue currently exists with all versions of RiOS. No workarounds exist.

• 238175 For connections optimized by Web Proxy, the table on the Current Connections report will always show 'W' for Connection Type even if the connection is opening or closing. Open the connection detail, which shows the correct icon.

• 238497 Menu commands are hidden, not disabled, for "monitor" users. This is a change from v8.6, where the commands were visible but disabled. In a future release, the original behavior will be restored. No known workaround.

• 238599 When the SteelHead is an Interceptor cluster, but no cluster channels are configured, the Current Connections report may incorrectly show that Path Selection is occurring. The report will show correct information once channels are configured but will continue to show erroneous Path Selection information as long as they are not.

• 238799 An RBM user with no read or read-write roles assigned is denied access to the WebUI with the following error "Unable to sign in: Failed obtaining authorization data for user." Ensure that RBM users have at least one read or read-write role assigned to their account.

• 238959 The Current Connections report in the Web UI may not always report path usage in the correct order, as the timestamp is not always indicative of the most recent path usage. When knowledge of path order is critical, use the corresponding CLI command, which will always show correct information.

• 240317 Application statistics is missing from appliance's configuration restore procedure. This happens when downgrading from 9.1.0 to an earlier release, and then upgrading to 9.1.0. Upon configuration restore completion explicitly enable application statistics if needed.

5) UPGRADING THE RIOS SOFTWARE VERSION

UPGRADING ALERT

• Path Selection: Upon upgrading a SteelHead from RiOS version 8.6.x or earlier to 9.0.0 and later, existing path selection rules are not automatically migrated. Please refer to Knowledge Base article S25533 for details.


• QoS: RiOS version 9.0.0 and later uses a completely new QoS management and syntax compared to RiOS version 8.6.x and earlier. Please refer to Knowledge Base article S25532 for details prior to upgrading to RiOS version 9.0.0 and later.

Review the SteelHead CX Installation and Configuration Guide for information on upgrading the RiOS software version on SteelHead appliances. For Virtual SteelHeads, see the Virtual SteelHead CX Installation Guide. If running Cloud SteelHeads, see the Riverbed Cloud Services User's Guide.

6) STEELCENTRAL CONTROLLER FOR STEELHEAD (SCC) COMPATIBILITY

SCC was formerly known as Central Management Console (CMC). Review the SteelHead CX Installation and Configuration Guide for information on SCC compatibility.

7) HARDWARE AND SOFTWARE DEPENDENCIES

Review the SteelHead CX Installation and Configuration Guide for information on hardware and software dependencies. For Virtual SteelHeads, see the Virtual SteelHead CX Installation Guide. If running Cloud SteelHeads, see the Riverbed Cloud Services User's Guide.

8) CONTACTING RIVERBED SUPPORT

Visit the Riverbed Support site to download software updates and documentation, browse our library of Knowledge Base articles and manage your account. To open a support case, choose one of the options below.

Phone Riverbed provides phone support at 1-888-RVBD-TAC (1-888-782-3822). Outside the U.S. dial +1 415-247-7381.

Online You can also submit a support case online

Email Send email to [email protected]. A member of the support team will reply as quickly as possible.


©2015 Riverbed Technology. All rights reserved. Riverbed and any Riverbed product or service name or logo used herein are trademarks of Riverbed Technology. All other trademarks used herein belong to their respective owners. The trademarks and logos displayed herein may not be used without the prior written consent of Riverbed Technology or their respective owners.
