
RIVERBED PRODUCT RELEASE NOTES

PRODUCT: STEELHEAD APPLIANCE


RELEASE DATE: JANUARY 14, 2014
REVISED: FEBRUARY 20, 2014
RIOS VERSION: 8.5.2A

CONTENTS

1) Supported Steelhead Models
2) New Features in RiOS 8.5.2
3) New Features in RiOS 8.5.1
4) New Features in RiOS 8.5.0
5) Fixed Problems
6) Known Issues
7) Upgrading RiOS Software
8) Managing RiOS 8.5.2 with a Riverbed CMC
9) Hardware and Software Requirements
10) Contacting Riverbed Support

1) SUPPORTED STEELHEAD MODELS


Important: RiOS 8.5.2 does not support any of the Steelhead xx20 models. It can only be
installed on xx50 and Steelhead CX xx55 models.

2) NEW FEATURES IN RIOS 8.5.2


SharePoint 2013 Qualification

Steelhead appliances are now fully interoperable with SharePoint 2013
(15.0.4420.1017).

Dynamic WAN Path Selection Diagnostics

Improved visibility into real-time path selection behavior, by reporting path statistics
for all in-path interfaces in the path selection status report.

NetApp ONTAP server qualification

Steelhead appliances are now fully interoperable with NetApp ONTAP server version
8.2 7-Mode.

IPv6 with IPv4 authentication

Supports latency optimization of signed-SMB, CIFS/SMB1, SMB2, and SMB3 using
IPv6 endpoint addressing. The authentication stack continues to require
IPv4 endpoint addressing.

3) NEW FEATURES IN RIOS 8.5.1


QoS Application Flow Engine (AFE) Support for Microsoft Lync

The Riverbed AFE now recognizes the Microsoft Lync communications platform in
Steelhead appliances. For a complete list of recognized applications, see the
Steelhead Appliance Management Console User's Guide.

Common Access Card (CAC) Smartcard Authenticated Access

Supports CAC secure card access to Exchange 2010 from Outlook 2007 over Outlook
Anywhere, also known as RPC-over-HTTP. When using encrypted MAPI, Outlook
Anywhere, and Smartcards to provide client authentication, Outlook can now use the
SCHANNEL authentication protocol (auth type 14). For details, see the Riverbed
Command-Line Interface Reference Manual.

Riverbed Cryptographic Security Module (RCSM 1.0)

RiOS now includes the Riverbed Cryptographic Security Module (RCSM 1.0) to help
you comply with FIPS 140-2 Level 1 requirements. For details, see the FIPS
Administrator's Guide.
Note that RCSM 1.0 has successfully passed the required Cryptographic Algorithm
Validation Program (CAVP) algorithm testing and is awaiting FIPS final validation per
the National Institute of Standards and Technology (NIST) Cryptographic Module
Validation Program (CMVP).

Dynamic WAN Path Selection Diagnostics

Provides visibility into real-time path selection behavior, by reporting path statistics
for current connections and a new path selection status report.

EMC Isilon Qualification

Steelhead appliances are now fully interoperable with EMC Isilon OneFS 7.0.2
servers.

Relaxed QoS Limits

Lifts the strict limits on the QoS maximum number of classes, rules, and sites for
Steelhead appliance models in the CX xx55 platform family. The relaxed limits let you
build the right QoS policies to more accurately achieve your service objectives and
scale your QoS deployments to cover more locations and sites.

Improved FTP Classification

Provides more effective classification for active and passive FTP connections. The
Riverbed Application Flow Engine now benefits from the work that RiOS is already
doing to identify FTP control and data flows, eliminating duplicate inspection effort,
thus freeing system resources for other tasks and services.

Virtual Steelhead v8.5. support for five new models

VCX255U, VCX255L, VCX255M, and VCX255H

VCX555L

4) NEW FEATURES IN RIOS 8.5.0


Transport and Traffic Control Enhancements
Dynamic WAN Path Selection - Provides a new functionality for traffic control. Path
selection is useful in environments that have multiple WAN paths at the branch
offices, such as two MPLS providers, or a MPLS link and an Internet link with a
site-to-site VPN. It leverages the QoS application file engine to identify the type of
application, and then steers it out the desired Steelhead appliance interface. For
example, you can send VoIP delay-sensitive traffic over MPLS, and send video
on-demand traffic over site-to-site VPN. If one path fails, you can steer traffic out another
available path.
IPv6 - Supports TCP-level optimization through SDR and latency optimization for these
protocols using IPv6: FTP, HTTP, and SSL. The integration and support includes IPv6
addressing for native IPv6 traffic, SNMP, network configuration of the in-path, and
compliance with IPv6 RFCs.
SCPS - Supports SCPS compression, which interoperates with other SCPS-compliant
devices, and rate pacing, which merges MX-TCP with a congestion avoidance method
of your choice.
Host Labels - Simplifies QoS configuration by enabling you to define a group of
hostnames or subnets into a host label for use in QoS rules, similar to using port labels
in in-path rules.

LAN Bypass for Inbound QoS - Extends bypassing LAN-bound traffic so it is not subject
to the maximum root bandwidth limit to inbound QoS as well as outbound QoS.
Packet-Mode Optimization Improvements - Supports all TCP and UDP traffic for
either IPv4 or IPv6. Also, the Current Connections report now includes packet-mode
flow reporting.
SnapMirror QoS - Leverages SnapMirror optimization. In the configuration of
SnapMirror optimization, you define the filer and the volumes, and assign a priority to
the volumes. Through QoS, you can now selectively place these different SnapMirror
priorities in different classes.
Global DSCP Marking - Simplifies integration of a Steelhead appliance into an existing
network that provides multiple classes of service based on DSCP values by enabling
selection of a global DSCP marking.
SRDF Selective Optimization - Extends configuration of EMC's SRDF enterprise SAN
replication protocol to the Management Console (in addition to the Command-Line
Interface configuration). Selective optimization delivers higher levels of performance,
visibility, and control of SRDF traffic.

Application-Specific Enhancements
HTTP - Prepositions video content during off-peak hours so there is no WAN impact
during usage. HTTP video pre-population eliminates jitter or buffering because WAN
conditions do not impact streaming video.
Apple HLS Live Stream Splitting - Supports Apple's HLS streaming format to push
high-quality live and on-demand video to users at the branch locations without
impacting bandwidth.
SharePoint Optimization - Supports application-level latency optimization for
Microsoft SharePoint protocols that run on top of HTTP. This optimization can provide
significant benefits when users are trying to open files that are hosted on remote Web
servers. The Steelhead appliance optimizes these SharePoint protocols:
o Web Distributed Authoring and Versioning (WebDAV) HTTP/1.1 extension.
The local Steelhead appliance proxies transactions, fetching information
ahead of time to serve data locally. For example, for directory browsing, the
Steelhead appliances fetch structures of subdirectories, caching them for
faster response to the client.
o FrontPage Server Extensions (FPSE), which enables the client application to
display the contents of a Web site as a file system.
Disaster Recovery - Provides NetApp SnapMirror visibility and control over the
performance of SnapMirror traffic across the WAN. This lets you control bandwidth
allocation for data replication, and also provides storage-granular visibility, selective
optimization, and storage-granular network QoS for individual volumes.

Kerberos Support for Restricted Trust Environments - Configures Kerberos with
one-way trust restrictions for use in external managed services, such as Microsoft Office
365 Dedicated.
SMB3 Optimization - Supports full optimization (bandwidth and latency) for SMB3
traffic. This support includes all of the key features introduced in SMB3: encryption,
signing, secure dialect negotiation and directory leases.
CIFS Prepopulation - Extends configuration of CIFS prepopulation to the Management
Console (in addition to the CLI configuration introduced in RiOS v8.0).
Server Name Indication (SNI) Support - Improves scalability by extending SSL and TLS
to handle more than one SSL certificate on a single server.

Visibility Enhancements
New Current Connections Format - Provides a more informative layout and richer
feature set that now includes packet-mode flows, single-ended SCPS connections, and
IPv6 connections. A summary section provides an at-a-glance hierarchical overview of
the traffic. A query section narrows your search by filtering and sorting using multiple
user-defined filters.
Flow Statistics Reporting - Uses collected flow statistics for more accurate and
detailed information within Steelhead appliance reporting.
The Application Statistics and Applications Visibility reports provide insight into the
WAN bandwidth consumption and a visual record of LAN-to-WAN or WAN-to-LAN
traffic broken out by the applications running in your network.
The Applications Visibility report graphically represents the traffic statistics, based on
transport protocol (TCP/UDP), or per-application (HTTP, MAPI, and so on).
The WAN Throughput report provides a measure of the total WAN throughput of all
data the system transmits out of all WAN interfaces.
In addition, when exporting Cascade Flow information to a Profiler, the Steelhead
appliance also sends detailed QoS information.
Detailed, Granular Statistic Retention - Improves statistic reporting for many reports,
including CPU Utilization, to display statistics using more data points for more detailed
granularity over time. Instead of rolling up data into 2-hour points for a month, the
new granularity keeps 5-minute points throughout.
More Than 100 New Applications Available in the Application Flow Engine (AFE) -
Includes significant additions to the number of popular applications recognized by the
AFE. The AFE greatly eases the process of identifying applications in Steelhead
appliances. For a complete list of recognized applications, see the Steelhead Appliance
Management Console User's Guide.

Usability Enhancements
Easy Domain Config - Configures SMB, SMB2, and SMB3-signing and encrypted MAPI
on a single page, as opposed to navigating over several pages and enabling different
options.

Security Enhancements
NTP Authentication - Verifies that the Steelhead appliance obtains its time services
from an authoritative time server, and provides more control over how time services
are authenticated. NTP authentication now supports MD5-based Message-Digest
Algorithm symmetric keys and Secure Hash Algorithm (SHA1). You set the date, time,
and configure the NTP servers on the new Configure > System Settings > Date and
Time page.
Riverbed Representational State Transfer (REST) API Access - Allows exporting of
detailed QoS information to a Cascade Enterprise Profiler appliance through the
Riverbed REST API. The REST API enables communication from a Steelhead appliance
to an Enterprise Profiler through REST API calls. To authenticate communication
between appliances and authorize access to protected resources, you preconfigure an
access code on the new Configure > Security > REST API Access page.

Troubleshooting and Support Enhancements


Delta Image Upgrades - Downloads a delta image directly from the Riverbed Support
site to an appliance. The downloaded image includes only the incremental changes.
You no longer need to upload the entire image, which is particularly beneficial for
sites with low bandwidth or organizations that have focused timeframes for
accomplishing upgrades. The smaller file size means faster RiOS image downloads
with less load on the network.
Diagnostic System Dump Upload - Performs a system dump upload directly from a
Steelhead appliance to Riverbed Support, including the appliance and case number.
Uploading directly to Riverbed Support prevents typos and ensures the system dump
arrives correctly.
Domain Health Testing - Provides a set of utilities to help identify, troubleshoot, and
diagnose issues with Windows domain authentication relating to encrypted MAPI
optimization and SMB signing. Domain health testing was first introduced as a
CLI-only feature in RiOS 7.0, and is now included in the Management Console.
TCP Dump Stop Trigger - Scans system logs for an error condition and automatically
stops a running TCP dump when it finds a match. To locate an error condition, you
create a Perl regular expression pattern. For example, if you set the pattern to "Limit",
the trigger matches the line "Connection Limit Reached" and stops the TCP dump
after a predefined delay.

5) FIXED PROBLEMS
Problems fixed in 8.5.2a

156010 Fixed an issue where unsigned CIFS connections were blocked due to a
regression. Unsigned CIFS connections will continue to be latency optimized as they
were before 8.5.2.

Problems fixed in 8.5.2

59875 In an in-path setup, all passthrough traffic tagged with VLAN 0 will now go
through. All Steelhead-destined traffic tagged with VLAN 0 will still be explicitly
dropped to keep the same behavior as before.

78637 CLI support: show ether-relay now reports entries of all relay devices.

90698 Fixed an issue which resulted in crash of server-side optimization service when
Smb2 blade's read-ahead is enabled. The crash was due to an update to read-ahead
window issued by client-side Steelhead when there was no read-ahead handle on the
server-side Steelhead. The fix gracefully handles this situation by stopping just the
application level (layer 7) optimization only on the connection that experiences this
issue.

108661 The old implementation of the EPM blade could not handle the NDR64 transfer
syntax. To prevent client and server from using NDR64, it nulled out the NDR64 transfer
syntax during EPM bind, but some clients and servers do not accept this and close the
connection, resulting in disruption of service.
The EPM blade has been rewritten from scratch to parse and handle different kinds of
transfer syntaxes, for example NDR32 and NDR64. It now lets the client and
server use NDR64 and correctly handles NDR64 traffic.

124033 Through multiple customer traces we've observed that large numbers of HTTP
responses aren't being cached because they contain a Vary header. Code was
updated to cache responses containing Vary: Accept-Encoding, if no
Content-Encoding is present in the response.

127119 The file upload stop command is now available to stop an in-progress
upload.

130281 Fixed an issue that resulted in optimization service crash on the client-side
Steelhead at sunrpc::ServerCacheList::add_extent(). Fix involves corrections in
handling of failure of names encode and decode operations.

134683 Fixed an issue that affected file access on NetApp ONTAP 8.1.2+
cluster-mode filer due to timeouts. Fix involves handling of unchained responses to a single
chained request on the server-side Steelhead.

135671 Fixed an issue where 'show running-config' command was displaying the
mask length for snmp-server command with / prefix, which is not allowed
anymore.

136288 Added checks to avoid accessing invalid information that could cause
optimization service crashes.

140532 The interrupt vector assignment algorithm is changed to avoid assigning
interrupts being used by RSP.

140790 Fixed an issue where Steelhead Mobile clients optimizing connections to
multiple interfaces on the same server-side Steelhead would fail to optimize
connections on certain interfaces but not others. The Steelhead Mobile client would
create an out-of-band connection for each interface on the server-side Steelhead,
but the server-side Steelhead would fail to find the correct out-of-band connection
for all but the first interface on which it received a connection. When the server-side
Steelhead failed to find the out-of-band connection, it would attempt to initiate an
out-of-band connection with the Steelhead Mobile client. Steelhead Mobile clients
are unable to accept connections, so no connections would be optimized over the
problematic interfaces. The same issue can occur on client-side Steelheads that are
behind a NAT device.

143386 Fixed an issue that caused intermittent issues during file opens. The issue
occurs when an application, especially Microsoft Office, opens a file without
acquiring necessary Oplock.

144796 The problem occurs when a URL 'learned' object becomes invalid on the server,
which causes the server to close the connection. The fix is to unlearn the invalidated
URL so we don't get stuck repeatedly dropping connections to the base page.

147847 Fixed a cosmetic issue that caused error messages in the system logs when
configuring an IPv6 RADIUS server AND secret key at the same time. IPv6 RADIUS
servers are not supported and these error messages occurred during the
configuration abort. These error messages were benign and did not indicate any
issues with the system.

148770 The replaced cli messages are routine event history diagnostics that
happen when CLI starts up. This fix demotes these messages from INFO to DEBUG.

150222 Fixed the handling of small requests and responses for optimized exchange
traffic.

150258 This fix addresses a page allocation failure with backtraces which may be
seen when a sysdump was initiated. This issue was due to large memory allocation
attempts while displaying tcp socket details using networking tools like netstat -al.
This happened only when the Steelhead had lots of fragmented memory.

150358 The incorrect biflow direction field value in netflow records usually manifests
itself as a Warning log on the Cascade Profiler which is receiving the netflow records.
The issue arose because internal tables on the Steelhead which store the per-flow
direction value were not updated correctly. This has been addressed and with the fix,
the value of the biFlow direction for each flow is consistent through the lifetime of
the flow.

150669 Fixed an issue that caused PFS local mode shares created pre-7.0.0 to become
inaccessible when RiOS is upgraded to 8.5.0.

151146 Due to a complex coding issue there are times when the Citrix DSCP markings
are incorrect. These issues are now resolved.

151284 A component required for QoS was missing in the Hyper-V interface driver.
This change adds in that component.

151633 The fix is to do a complete cleanup of specific data structures involved in the
Find operation in Sport when a SMB2 Find Operation is cancelled by the client.

151920 Fixed a problem that caused a crash while processing HTTP requests using
chunked transfer encoding, if the CRLF following the chunk length and the chunk
length were split in two different tcp packets.
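
An added example, not Riverbed's code: an incremental chunked-transfer decoder that buffers a partial chunk-size line, so a chunk length and its CRLF arriving in different TCP segments (the case in 151920) decode the same as when they arrive together. The class name, function name and sample message are constructed for illustration.

```python
# Added illustration: incremental HTTP/1.1 chunked-body decoder that keeps
# state between TCP segments instead of assuming "<hex size>\r\n" arrives whole.

HEX_DIGITS = b"0123456789abcdefABCDEF"


class ChunkedDecoder:
    MAX_LINE = 4096  # cap on a buffered size/trailer line (assumed limit)

    def __init__(self):
        self._buf = bytearray()   # bytes received but not yet consumed
        self._remaining = 0       # chunk data bytes still expected
        self._state = "size"      # size -> data -> data_crlf -> ... -> trailer
        self.done = False

    def _take_line(self):
        """Return one CRLF-terminated line, or None if it is still incomplete."""
        idx = self._buf.find(b"\r\n")
        if idx < 0:
            if len(self._buf) > self.MAX_LINE:
                raise ValueError("line too long")
            return None
        line = bytes(self._buf[:idx])
        del self._buf[:idx + 2]
        return line

    def feed(self, segment):
        """Consume one TCP segment and return the body bytes it completes."""
        self._buf += segment
        out = bytearray()
        while not self.done:
            if self._state == "size":
                line = self._take_line()
                if line is None:          # size or its CRLF not here yet: wait
                    break
                size_text = line.split(b";", 1)[0].strip()  # drop extensions
                if not size_text or any(c not in HEX_DIGITS for c in size_text):
                    raise ValueError("bad chunk size %r" % line)
                self._remaining = int(size_text, 16)
                self._state = "data" if self._remaining else "trailer"
            elif self._state == "data":
                if not self._buf:
                    break
                take = min(self._remaining, len(self._buf))
                out += self._buf[:take]
                del self._buf[:take]
                self._remaining -= take
                if self._remaining == 0:
                    self._state = "data_crlf"
            elif self._state == "data_crlf":
                if len(self._buf) < 2:    # CR and LF may also be split
                    break
                if self._buf[:2] != b"\r\n":
                    raise ValueError("missing CRLF after chunk data")
                del self._buf[:2]
                self._state = "size"
            else:  # trailer section: ends at the first empty line
                line = self._take_line()
                if line is None:
                    break
                if line == b"":
                    self.done = True
        return bytes(out)


def decode_in_segments(segments):
    """Feed the segments in order; return (decoded body, finished flag)."""
    decoder = ChunkedDecoder()
    body = b"".join(decoder.feed(s) for s in segments)
    return body, decoder.done


# Constructed sample body: two chunks, a chunk extension and one trailer.
SAMPLE = b"4\r\nWiki\r\n5;ext=1\r\npedia\r\n0\r\nX-Trailer: v\r\n\r\n"

if __name__ == "__main__":
    # Chunk length in one segment, its CRLF in the next.
    print(decode_in_segments([SAMPLE[:1], SAMPLE[1:]]))
```

A malformed size line raises ValueError, which a caller would treat as a reason to drop the connection.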

151943 Code has been corrected to properly generate the required ICMP
fragmentation needed when a packet is dropped due to inpath MTU setting.

152280 This fix temporarily removes SMB2 Find prefetches on encountering a
compound request containing a Create request and an unsupported find request.

152667 Fixed an issue that resulted in performance issues with CIFS clients. Microsoft
Office applications are particularly vulnerable to slowness. The issue occurs when
the server is NetApp ONTAP 8.x C-mode, only for releases prior to 8.2P3.
How to match a slowness issue to this bug: if the Wireshark filter below, applied to a
server-side Steelhead LAN trace, shows one or more packets, then it is a match for this
bug:
(smb.cmd==36) && !(smb.flags2.string == 1) && (smb.lock.type.oplock_release == 1) && (tcp.dstport == 445 or tcp.dstport == 139)

152793 CVE-2010-5107 - OpenSSHv6.1 DOS attack possible - connection-slot exhaustion
DETAILS
-------
The default configuration of OpenSSH through 6.1 enforces a fixed time limit
between establishing a TCP connection and completing a login, which makes it easier
for remote attackers to cause a denial of service (connection-slot exhaustion) by
periodically making many new TCP connections.
FIX
---
To reduce the risk of denial of service attacks described in CVE-2010-5107, added
"MaxStartups 10:30:100" to sshd_config file, and patched OpenSSH to have that be
the default.
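
How sshd applies a start:rate:full value such as the "MaxStartups 10:30:100" setting above, as an added example that is not part of the original release notes. The function names and the sample sshd_config text are constructed; the arithmetic follows sshd's documented random early drop.

```python
# Added illustration: how "MaxStartups start:rate:full" maps the number of
# unauthenticated connections to a refusal probability (random early drop).


def parse_max_startups(value):
    """Return (start, rate, full) from a MaxStartups argument."""
    parts = value.strip().split(":")
    if len(parts) == 1:
        # A single number is a hard cap: nothing is refused below it,
        # everything is refused at or above it.
        limit = int(parts[0])
        return limit, 100, limit
    if len(parts) != 3:
        raise ValueError("expected N or start:rate:full, got %r" % value)
    start, rate, full = (int(p) for p in parts)
    if start > full or not 1 <= rate <= 100:
        raise ValueError("illegal MaxStartups spec %r" % value)
    return start, rate, full


def drop_percent(unauthenticated, start, rate, full):
    """Percent chance that one more pre-authentication connection is refused."""
    if unauthenticated < start:
        return 0
    if unauthenticated >= full or rate == 100:
        return 100
    # Linear ramp from rate% at `start` to 100% at `full` (integer arithmetic).
    return rate + (100 - rate) * (unauthenticated - start) // (full - start)


def effective_max_startups(config_text):
    """Return the first MaxStartups argument in sshd_config text, or None.

    sshd keeps the first value it reads for a keyword, so a later
    MaxStartups line does not override an earlier one.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.replace("=", " ", 1).split()
        if fields[0].lower() == "maxstartups" and len(fields) > 1:
            return fields[1]
    return None


def ramp(spec, points):
    """Return [(unauthenticated, drop %)] for the given connection counts."""
    start, rate, full = parse_max_startups(spec)
    return [(n, drop_percent(n, start, rate, full)) for n in points]


# Constructed sample configuration, not taken from an appliance.
SAMPLE_SSHD_CONFIG = """\
Port 22
#MaxStartups 10
MaxStartups 10:30:100
LoginGraceTime 120
"""

if __name__ == "__main__":
    spec = effective_max_startups(SAMPLE_SSHD_CONFIG)
    for count, percent in ramp(spec, [9, 10, 55, 99, 100]):
        print("%3d unauthenticated -> refuse %3d%%" % (count, percent))
```

With 10:30:100, nothing is refused below 10 pending logins, 30% of new attempts are refused at 10, and every attempt is refused once 100 are pending, so authenticated sessions already established are unaffected.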

153086 The optimization service crash was seen because the http module was trying
to cleanup some internal state which was already cleaned when we received end of
connection from the server.
Now if the http module receives any message from the server after the end of
connection we drop the connection.

153148 Resolved a service crash that can occur in rare cases after an HTTP request
parse failure on the server side Steelhead. This is due to an unexpected HTTP
request that is supposed to result in a connection drop, but due to a bug in the error
message formatting, it resulted in a crash.

153482 The issue occurs in the MAPI component when the client side Steelhead is
waiting for the encryption key from the server side and a request comes on the same
connection without any authentication context. The fix ensures the correct handling
of this scenario.

153762 CVE-2013-4348: skb_flow_dissect remote DoS via IHL with IPIP encapsulation
DETAILS
-------
The skb_flow_dissect function in net/core/flow_dissector.c in the Linux kernel
through 3.12 allows remote attackers to cause a denial of service (infinite loop) via a
small value in the IHL field of a packet with IPIP encapsulation.
FIX
---
The kernel has been patched to mitigate CVE-2013-4348.

Problems fixed in 8.5.1

67594 Fixed scenarios where the Data channel was not sent to the DPI engine
resulting in inconsistent classification behavior. This fix ensures that both Control and
Data channels are chained correctly to the DPI engine.


74266 When using encrypted MAPI, Outlook Anywhere and Smartcards to provide
client authentication, Outlook may use the SCHANNEL authentication protocol (auth
type 14), which is not supported with RiOS 8.5.0.

76017 This is fixed by replacing escape characters with spaces. This reverts the
behavior to logging seen pre 7.0.x.

99396 Fixed an issue where viewing the Alarm Status page may encounter "item
unexpectedly already exists" errors when an IPMI alarm is triggered.

113802 Fixed a problem where a lock was not properly being released in the Citrix
optimization blade. This would result in other threads being blocked while trying to
acquire the lock, which would eventually cause the watchdog timer to detect the
threads as unhealthy and temporarily put the optimization service in bypass.

119520 Added the VLAN Tag ID text field to the In-Path Interface page.

124755 Fixed an issue where a "You must restart tcpdump-stop trigger for your
changes to take effect." warning may be seen when starting a Tcpdump stop trigger
even if the trigger is already stopped.

127721 When an URL without a trailing slash is used to upload dumps to a directory
(rather than a file in a directory) on the server, the upload will now have an error
indicated in show uploads.

136892 The QoS subsystem before this fix used to fragment all packets with higher
mtu whether Path Selection was applied or not. This fix will only avoid fragmentation
for packets which are not optimized by Path Selection.

138278 Fixed an issue that resulted in crash of client-side optimization service in
Smb2 blade. The crash occurred when LeaseBreakNotification on a connection did
not acquire proper lock before updating lease state on another connection to which
the lease belonged.

140087 The active-active sync feature does not check for memory pressure when
replicating traffic and only relies on the read/write disk pressure mechanism.
However the disk pressure mechanism is enabled only when sdr-a-a is enabled. In
turn if the I/O becomes unresponsive, the active-active sync feature can overflow the
system with read/write disk requests to a point where the Steelhead runs out of
memory.

140743 This fixes a crash in the optimization service resulting from packet corruption
on the WAN. In particular, this fix addresses the case where the packet length is
incorrectly set to 0. The fix helps avoid the crash, and ensures that the affected
connection is terminated gracefully.


140790 Fixed an issue where Steelhead Mobile clients optimizing connections to
multiple interfaces on the same server-side Steelhead would fail to optimize
connections on certain interfaces but not others. The Steelhead Mobile client would
create an out-of-band connection for each interface on the server-side Steelhead,
but the server-side Steelhead would fail to find the correct out-of-band connection
for all but the first interface on which it received a connection. When the server-side
Steelhead failed to find the out-of-band connection, it would attempt to initiate an
out-of-band connection with the Steelhead Mobile client. Steelhead Mobile clients
are unable to accept connections, so no connections would be optimized over the
problematic interfaces. The same issue can occur on client-side Steelheads that are
behind a NAT device.

141467 Fixed a problem where a Steelhead responds to its own auto-discovery probe
in rare cases where the probe packet is sent back to it from a connection forwarding
neighbor.

141554 When more than one hardware error exists in a Steelhead, the trigger
reason is confusing since these errors are displayed in one line without visible
separation symbols between them. This fix adds semicolons to separate the errors to
avoid confusion.

143378 Cleaned up the old web certificates which prevented any future certificate
generation and importation.

143569 This fixes a bug in the SDR lookup function that blocks indefinitely if multiple
connections simultaneously reference the same data, leading to a crash triggered by
a watcher timeout. High CPU is also seen on multiple cores. The fix involves allowing
multiple readers to access the critical section, thus avoiding the condition that leads
to the timeout.

143807 Fixed the issue where no warning was given before shutting down for
hardware spec upgrade. A warning has been added now, and a 'confirm' flag is
needed to complete the action.

144064 Fixed a problem with Citrix client mapped drive optimization where
duplicate requests for the same file offset were ignored which could lead to incorrect
data being delivered to the Citrix server. A log message like the following may
indicate that this problem has been experienced:
[/citrix/sfe/parser WARN] {10.11.0.207:49935 10.11.141.63:1494} S Req:
03 00 14 00 00 e0 02 00 00 10    ........ ..
tail:
14 2a    .*
is a duplicate REQ

144144 Fixed an issue where KRB5KDC_ERR_POLICY can result in connections getting
blocked for Encrypted-MAPI or Signed-SMB. The fix results in a connection blacklist
instead.


144300 Added support for DPI classification of Microsoft Lync traffic in QoS and Path
Selection rules.

144472 Updated the Mouse-over help texts for authentication types for SMB,
SMB2/3 and MAPI.

144491 This fix corrects an issue where the CLI show interfaces command does not
display all the interfaces after another interface (e.g. mgmt0_0) is disabled.

144777 Fixed an issue where the reboot reason was not retrieved correctly on
Steelhead CX 255 as HWMON driver was loaded before gathering the reboot reason.

144856 Fixed an issue that ensures temporary credential caches get destroyed
correctly to prevent Kerberos Tickets from leaking in delegation mode when
performing cross domain delegation.

145027 Fixed a minor issue that would result in "Unexpected NULL" error messages
reported in the logs and that did not impact any functionality.

145194 This fix disallows adding recursive IPv6 routes and default gateways for
in-path interfaces.

145214 A race condition with Kerberos authentication against Windows Server 2008
R2 with password replication policy enabled was fixed.

145368 On the CMC Appliance Details page, no peers get listed for any RIOS 8.5.0
systems. This has been corrected in RIOS 8.5.1.

145605 On the Applications table on Basic QoS page, changed the DSCP select list for
QoP paths from "Inherit from Application" to "Inherit from Site" to provide more
clarity.

145834 In Basic QoS mode, do not let the sum of site bandwidths exceed the
configured WAN bandwidth.

145858 In a serial cluster optimizing IPv6 traffic using enhanced auto discovery, if the
first Steelhead runs into admission control, it is possible that the second
Steelhead, which is supposed to take over the optimization duties, might experience
an optimization service crash.
The issue exists because of the way WAN visibility mode settings were handled
on middle Steelheads (it is independent of what WAN visibility mode is set in the
in-path rule).

145884 BIND CVE-2013-4854: remote attackers can crash the named server
DETAILS
-------
The RFC 5011 implementation in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1,
9.9.x before 9.9.3-P2, and 9.9.4b1, and DNSco BIND 9.9.3-S1 before 9.9.3-S1-P1 and
9.9.4-S1b1, allows remote attackers to cause a denial of service (assertion failure and
named daemon exit) via a query with a malformed RDATA section that is not properly
handled during construction of a log message.
FIX
---
Upgraded BIND to 9.9.3-P2 to fix CVE-2013-4854, where remote attackers can crash
the caching DNS server if it is enabled.

146050 Fixed a bug where excessive amounts of memory are allocated when
transferring large files via Citrix Client Drive Mapping. This can result in out of
memory conditions which can lead to crashes of the optimization service.

146220 Fixed an issue that was causing slowness when a large number of QoS classes
were being deleted.

146316 The protocol connection * suite of CLI commands is expanded to accept
both IPv4 and IPv6 addresses. These changes could facilitate the fixed target IPv6
in-path rules and single ended optimization with IPv6 use cases.

146370 Fixed an issue in RiOS 8.5.0 where when an interface is connected but QoS
shaping is not enabled on that interface, a QoS configuration update causes the
following log message: QoS: writing tc commmands to stdin err Broken pipe.

146796 Upgraded Apache httpd to 2.4.6 and removed unneeded modules. This
addresses CVE-2013-2249.

146853 Steelhead versions 8.0.x and higher had an issue wherein the rtt field
exported in the netflow records is extremely large/incorrect for records tracking
transparent connections. The issue was in the kernel's rtt calculation logic and has
been addressed.

146983 Fixed an issue where the help string and autocomplete behavior was missing
for the Path-None option when adding paths to a QoS rule via the CLI.

147162 Fixed the counter overflow problem on 32 bit platforms that prevented
simplified routing entries update.

147302 Applied a fix, such that after a hardware upgrade the QoS bandwidth limits
are automatically updated and a reboot is not required for them to take effect.

147466 On the Current Connections page, in a given connection's detail pane, there
is a new Path Selection table, which appears when Path Selection has been used by
the given connection. Named paths have magnifying glass icons that, when clicked,
show further details for that path.

147495 This change extends the range of disks recognized by the vSH on Hyper-V.


147685 UI login page - Cross Site Scripting (XSS) vulnerabilities reported by Nessus
scan
DETAILS
-------
Cross Site Scripting (XSS) Vulnerability is caused due to failure of a site to validate,
filter, or encode user input before returning it to another user's web client.
FIX
---
Fixed an XSS vulnerability on the EX platform's Software Upgrade page.

147847 Fixed a cosmetic issue that caused error messages in the syslog when
configuring an IPv6 RADIUS server AND secret key at the same time. IPv6 RADIUS
servers are not supported and these error messages occurred during the
configuration abort. These error messages were benign and did not indicate any
issues with the system.

147895 This fix lowers the log level for the message "no nic configuration file found".
Customers will not see this message by default.

148135 Fix added to replace certain verbose HTTP 500 errors with generic ones.

148660 A code fix was made to properly classify DPI applications that rely on the port
map in the DPI library.

148816 Fixed the "Cipher suite ... is not supported." log message so that the
unsupported cipher suite is correctly printed.

149174 Fixed the CLI command 'show path-selection paths stats' to report Path
statistics.

149892 Fixed a regression in RiOS 8.5.0 where the Filter by: Regular Expression
filter criterion for Current Connection was no longer available.

149926 Fixed a problem where 'web rest-server enable' caused the web server to stop
working.

150401 Resolved an issue where the CLI command 'show path-selection path * state'
logs a superfluous error in syslog.

150449 The problem was in the code that validates the SSL proxy certificate against
the host name presented in the SNI. This validation would erroneously fail if the proxy
certificate used wildcard characters. A specific example would be a bypass for
www.google.com if the proxy certificate contained *.google.com. The code was
updated to correctly handle such wildcards.
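
The wildcard case described in 150449, as an added example that is not Riverbed's code: a small Python matcher for checking a TLS SNI host name against the names in a certificate. The matching rules (wildcard only as the whole left-most label, covering exactly one label) follow common RFC 6125 practice and are an assumption, since the note does not state which rules RiOS applies; the function names are hypothetical.

```python
"""Match a TLS SNI host name against certificate names (added example)."""
import ipaddress


def _is_ip_literal(value: str) -> bool:
    """True when value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _labels(name: str) -> list:
    """Lower-case a DNS name, drop trailing dots, and split it into labels."""
    return name.rstrip(".").lower().split(".")


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True when one certificate DNS name covers the host name."""
    # DNS-name matching never applies to IP literals.
    if _is_ip_literal(hostname):
        return False
    pat, host = _labels(pattern), _labels(hostname)
    # Reject empty labels such as "a..b" or an empty name.
    if "" in pat or "" in host:
        return False
    if "*" not in pattern:
        return pat == host
    # The wildcard must be the entire left-most label and appear nowhere else.
    if pat[0] != "*" or any("*" in label for label in pat[1:]):
        return False
    # Refuse over-broad patterns such as "*.com".
    if len(pat) < 3:
        return False
    # "*" stands for exactly one label, so the label counts must be equal.
    return len(host) == len(pat) and host[1:] == pat[1:]


def cert_covers_sni(cert_names, sni: str) -> bool:
    """True when any name in the certificate covers the SNI host name."""
    return any(name_matches(name, sni) for name in cert_names)


if __name__ == "__main__":
    # Constructed cases; the first is the one named in the release note.
    cases = [
        ("*.google.com", "www.google.com"),
        ("*.google.com", "google.com"),
        ("*.google.com", "a.b.google.com"),
        ("*.com", "google.com"),
        ("w*.google.com", "www.google.com"),
    ]
    for pattern, sni in cases:
        print("%-16s %-18s %s" % (pattern, sni, name_matches(pattern, sni)))
```

A matcher that compares the two strings literally rejects the first case, which is the failure the note describes; one that lets `*` span several labels or accepts `*.com` errs in the other direction.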

150483 Fixed a problem where emails reporting "/bin/sh: /usr/lib/sa/sa1: No such
file or directory" may be sent from 32-bit appliances running RiOS 8.5.0.

150592 Fixed an issue so that anonymous logons for CIFS-SIGNED connections are
now correctly handled in NTLM-Delegation mode instead of getting blacklisted.

150669 Fixed an issue that caused PFS local mode shares created pre-7.0.0 to be
inaccessible when RiOS is upgraded to 8.5.0.

150957 Fixed an issue with the HTTP optimization service, which was dropping the
beginning of the request data if a bypass condition was hit while parsing HTTP
headers that were split across more than one TCP frame.

Problems fixed in 8.5.0


Example: # show in-path agent-intercept agents
List of discovery agents:
--------------------------------------------
IP Address        Connected/Disconnected
--------------------------------------------
10.4.16.154       Disconnected
10.4.17.211       Connected
10.4.17.212       Connected

121788 Removed a warning log message for models (150M, 250L/M/H, and 550M/H)
that do not support the functionality. The string "[wdt.WARNING]: couldn't set pretimeout"
incorrectly shows up repeatedly in logs starting with the RiOS 8.0.x release.
DETAILS
FIX
---
Upgraded Apache httpd to fix security vulnerabilities addressed by CVE-2012-3502,
CVE-2012-0883 and CVE-2012-2687

127821 This fix reduces the rate at which log messages for i-see-you messages with
unsupported capabilities are logged to avoid filling up the system log.

128149 Fixed a Linux kernel jiffies overflow problem on 32-bit Steelhead appliances
which may lead to a kernel crash when Inbound QoS is enabled.

131357 Upgrade/patch OpenSSL to 1.0.1d/1.0.0k/0.9.8y for CVE-2013-0169,
CVE-2012-2686, CVE-2013-0166


would unexpectedly appear in the 'show configuration running' after upgrade
from pre-7.0.1 to 7.0.1.
DETAILS
-------
The perf_swevent_init function in kernel/events/core.c in the Linux kernel before
3.8.9 uses an incorrect integer data type, which allows local users to gain
privileges via a crafted perf_event_open system call. Please note that this
security bug does not affect kernel 2.6.9 as used in CentOS 4 based builds (e.g., SH
7.0 and earlier).
FIX
---
Applied kernel patch for CVE-2013-2094 security bug.
DETAILS
FIX
DETAILS
-------
The mod_rewrite module in the Apache HTTP Server 2.2.x before 2.2.25 writes
data to a log file without sanitizing non-printable characters, which might allow
remote attackers to execute arbitrary commands via an HTTP request containing
an escape sequence for a terminal emulator.
FIX
---
Ensured that client data written to the RewriteLog is escaped to prevent terminal
escape sequences from entering the log file.
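
An added illustration of the escaping this FIX describes, not Apache's or Riverbed's code: a Python helper that renders every non-printable byte of client-supplied data as a visible \xNN sequence before it is written to a log. The function names and the sample request are constructed for the example.

```python
"""Escape client-controlled bytes before they reach a log file (added example)."""

PRINTABLE = range(0x20, 0x7F)  # printable ASCII, space through tilde


def escape_log_field(raw: bytes) -> str:
    r"""Return raw as text that is safe to view in a terminal.

    Printable ASCII passes through, a backslash is doubled so the output can
    be decoded unambiguously, and every other byte (ESC, CR, LF, NUL, DEL,
    bytes >= 0x80) becomes a literal \xNN sequence.
    """
    out = []
    for byte in raw:
        if byte == 0x5C:  # backslash
            out.append("\\\\")
        elif byte in PRINTABLE:
            out.append(chr(byte))
        else:
            out.append("\\x%02x" % byte)
    return "".join(out)


def format_log_line(client_ip: str, request_uri: bytes) -> str:
    """Build one log line; only the client-controlled field is escaped."""
    return "%s rewrite uri='%s'" % (client_ip, escape_log_field(request_uri))


def is_terminal_safe(line: str) -> bool:
    """True when the line holds printable ASCII only (no control characters)."""
    return all(0x20 <= ord(ch) < 0x7F for ch in line)


# Constructed sample: a URI carrying a colour-change escape sequence and a
# CR/LF pair that would otherwise begin a forged second log line.
SAMPLE_URI = b"/index.html\x1b[31m\r\n192.0.2.7 forged entry"

if __name__ == "__main__":
    unescaped = "198.51.100.4 rewrite uri='%s'" % SAMPLE_URI.decode("latin-1")
    escaped = format_log_line("198.51.100.4", SAMPLE_URI)
    print("unescaped line terminal-safe:", is_terminal_safe(unescaped))
    print("escaped line terminal-safe:  ", is_terminal_safe(escaped))
    print(escaped)
```

Escaping CR and LF along with ESC also keeps one request from producing what looks like two log entries.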
DETAILS

FIX
---
The update addresses the following CVEs:
CVE-2011-4576
CVE-2011-4577
CVE-2011-4619
CVE-2012-0884
CVE-2012-1165
CVE-2012-2110
CVE-2012-2333
CVE-2013-0166
CVE-2013-0169
https://rhn.redhat.com/errata/RHSA-2013-0587.html
https://rhn.redhat.com/errata/RHSA-2012-0699.html
https://rhn.redhat.com/errata/RHSA-2012-0518.html
https://rhn.redhat.com/errata/RHSA-2012-0426.html
https://rhn.redhat.com/errata/RHSA-2012-0059.html
DETAILS
-------
The TLS protocol 1.2 and earlier (CVE-2012-4929) can encrypt compressed data
without properly obfuscating the length of the unencrypted data, which allows
man-in-the-middle attackers to obtain plaintext HTTP headers by observing
length differences during a series of guesses in which a string in an HTTP request
potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.
The SPDY protocol 3 and earlier (CVE-2012-4930), when configured to perform
TLS encryption, is similarly vulnerable.
FIX
---
Disabling HTTPS compression eliminates the conditions under which this
vulnerability could be used to attack a web browser. We have patched the
affected code to disable TLS compression.
FIX
---
Applied kernel patch for CVE-2011-3188.
---
Curl package has been upgraded to fix CVE-2013-1944.

-------
CVE-2012-0883: envvars: Fix insecure handling of LD_LIBRARY_PATH in Apache
versions before 2.4.2 that could lead to the current working directory being
searched for DSOs.
CVE-2012-2687: mod_negotiation: Multiple cross-site scripting (XSS)
vulnerabilities in mod_negotiation module in the Apache HTTP Server 2.4.x
before 2.4.3, allow remote attackers to inject arbitrary web script or HTML via a
crafted filename that is not properly handled during construction of a variant list.
CVE-2012-3502: mod_proxy_http: module in the Apache HTTP Server 2.4.x before
2.4.3 does not properly determine the situations that require closing a back-end
connection, which allows remote attackers to obtain sensitive information by
reading a response that was intended for a different client.
-------
Upgraded OpenSSL to RHEL / SL version 1.0.0-27.el6_4.2
DETAILS
-------
The (1) IPv4 and (2) IPv6 implementations in the Linux kernel before 3.1 use a
modified MD4 algorithm to generate sequence numbers and Fragment
Identification values, which makes it easier for remote attackers to cause a denial
of service (disrupted networking) or hijack network sessions by predicting these
values and sending crafted packets.
Note: Version number would still indicate 1.0.0 instead of 1.0.0k. See the
following:
-------
The tailMatch function in cURL and libcurl before 7.30.0 does not properly match
the path domain when sending cookies, which allows remote attackers to steal
cookies via a matching suffix in the domain of a URL.

DETAILS
-------
CVE-2013-0166. OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before
1.0.1d does not properly perform signature verification for OCSP responses,
which allows remote attackers to cause a denial of service (NULL pointer
dereference and application crash) via an invalid key.
CVE-2013-0169. The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2,
as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly
consider timing side-channel attacks on a MAC check requirement during the
processing of malformed CBC padding, which allows remote attackers to conduct
distinguishing attacks and plaintext-recovery attacks via statistical analysis of
timing data for crafted packets, aka the "Lucky Thirteen" issue.
FIX
---
OpenSSL was upgraded to version 0.9.8y, which contains fixes for both.
Additional information is available at
http://www.openssl.org/news/secadv_20130205.txt.

41841 The Current Connections page has been redesigned.

59622 Fixed an issue that resulted in incomplete file transfer on a CIFS connection
that experiences a Kerberos ticket expiration error. CIFS write-behind optimization
must be taking place when the Kerberos ticket expires for this issue to occur.

62979 Added a Command Line Interface command to list the Discovery Agent
machines that have connected to the Cloud Steelhead and their status.

63311 Fixed the logic that tracks the time elapsed since last i-see-you message from
the WCCP router.

63648 Fixed an issue that occurred after entering admission control where, if the
service port was used by some other connection in the Steelhead, new connections
would not be optimized on exit from admission control. Now new connections
should be optimized after exiting admission control.

66971 Fixed the kernel error message "IPMI message handler: BMC returned
incorrect response".

69240 Fixed a non-service impacting issue that resulted in "Long dataseg" warning
messages during NFS optimization. The issue is likely to occur during bulk transfers
(like backup/replication) over NFS.

77330 Fixed an issue where the optimization service would crash when the TCP
payload is corrupted on a satellite network. When this corruption occurred during
connection establishment, the connection would use incorrect configuration options
that led to a crash. With this fix, the connection will be reset if a corruption is
detected during connection establishment.

83059 Upgrading to 7.0.0 will not preserve any user configured settings for the
software version mismatch alarm.

86804 Fixed a corner case where a failed disk drive stops responding to the SCSI Test
Unit Ready command and as a result the Linux SCSI stack may spend an extended
period (>24 mins) on error recovery. The fix drastically lowers error recovery time by
10X by sending test commands once per device instead of once per bad command.

89015 Enhanced SCEP client to support chain certs received during certificate
enrollment.

91951 Added the ability to modify the name of a QoS Application via the UI and CLI.

93997 Fixed the issue to propagate alarm threshold configurations through an
upgrade. Certain alarm threshold configuration CLI commands from RiOS 6.5.0
changed syntax in RiOS 7.0 and later, and upgrading from 6.5.0 to a later version of
RiOS caused these configuration settings to not propagate correctly.

94005 Fixed a problem where non-RIOS images are allowed to be downloaded in the
"image fetch" command.

94455 Fixed an issue that caused the cancel operation in CIFS prepop to be
ineffective. The fix involves disabling automatic retry when sync is canceled.

94595 Fixed an issue where the log file has many messages like:
"Process host (pid 7815) tried to enable SO_TIMESTAMPS, but timestamps are
disabled!"

96214 Fixed an uncommon problem where users are unable to log in via the web
interface after a system start or restart due to a race condition that caused the
system swap to fail to initialize.

96753 Upgraded net-snmp from version 5.3.1 to version 5.7.1 to pick up the latest
improvements and security fixes.

97185 The Steelhead now supports configuring Kerberos replication users with a
wildcard domain, such as *.riverbed.com. The Steelhead will use the associated
credentials to replicate keys of resource servers from the domain and its sub
domains.
This requires that proper permissions are assigned to the replication user in the
domain and its sub domains on the Active Directory side, as is already the case in
prior releases. This minimizes the configuration on the Steelhead side.

97273 Fixed a problem with Lotus Notes encryption optimization where some
connections were unnecessarily being put into passthrough. Such connections were
marked as TCP instead of NOTES-ENCRYPT in the Current Connections table and
resulted in the following Notice-level log message on the server-side Steelhead
appliance: "Detected a connection that will not contain optimizable data. Going to
passthrough to reduce overhead."

97725 Fix the handling of an edge condition in RiOS application level flow control.
When RiOS hits this edge condition it will cause a process crash with the following
string in the log message preceding the stack trace.
[assert.CRIT] - {- -} ASSERTION FAILED (datalen_)

99150 Fixed an issue in the Citrix optimization blade where the optimization
overhead was comparable to a small packet's size and added optimizations that provide
positive data reduction with minimal WAN overhead from our optimization.

101110 A new web page to view SnapMirror Reports has been added.

102921 The Top Talkers report, when viewing by conversation or by host, shows
Source IP and Destination IP headers. These headers were not correct. The actual
data have the numerically smaller IP to the left and the larger IP to the right, without
regard to directionality of traffic. This has now been fixed.

103410 Fixed an issue where, in rare cases, when Outlook is using Office 365
Exchange and the Outlook client uses multiple protocols during the same session,
Outlook might lose connectivity to the Exchange server.

103502 Added the "LAN Class" option to the QoS Report pages.

103582 If the IP address of the server (cloud) side Steelhead changed, the Steelhead
Cloud Accelerator still tried optimizing to the old IP address. It will now only retain this
information for 30 seconds after a MAPI session is closed.

103876 Added functionality to resolve the condition where SRV lookups return
unroutable KDCs by providing CLI commands to allow hardcoding of KDCs for
individual domains. The Steelhead will contact the hardcoded KDCs directly without
doing DNS SRV lookups.

103878 Fixed an issue where, in rare cases, when Outlook is using Office 365
Exchange and the Outlook client authenticates multiple times during the same
session, Outlook might lose connectivity to the Exchange server.

105479 Fixed an issue that would cause a crash of the optimization service during an
optimized SMB2 connection if the client or server sent a short packet. The short
packet will now be correctly detected and the connection killed and blacklisted.

105611 Fixed a message that reports a system failure when the optimization service
is restarted when no failure has occurred.

107488 Fixed an issue that would result in a crash of the optimization service if an
optimized SMB2 connection of dialect 2.1 or higher went into shutdown.

107951 Fixed a problem when CDM latency optimization feature is enabled and
simultaneous file transfers across multiple Citrix connections from the Client
mapped drive to server can crash the Optimization service.

108778 If kernel crashdump collection is enabled, upon a kernel crash/panic a kernel
crashdump and a sysdump would be collected, tar'ed together and would appear in
the 'Process Dumps' tab in the webGUI.

109426 Fixed a kernel panic that can happen on a server side Steelhead appliance
when broadcast support is enabled and the connection matches an in-path
autodiscover rule.

109501 Currently, the RBM user roles are ignored for Steelhead Cloud Accelerator
features. RBM users with "DENY" permissions in all roles are allowed access to
Steelhead Cloud Accelerator UI pages and Steelhead Cloud Accelerator commands.

109523 Fixed an issue with the CLI command "show license-client" on a Cloud
Steelhead; this command now displays the correct output.

110079 Disallow DHCP on in-path interfaces in the CLI. Upon upgrade, DHCP for data
interfaces is disabled.

111097 Fixed an issue where connections optimized with Steelhead Cloud
Accelerator can be disrupted in the rare case that a client sends a TCP SYN packet
with data in the TCP payload.

113121 Fixed an intermittent issue that causes a Steelhead in a connection
forwarding cluster to remain in paused state after a neighbor is removed and added
to the cluster when multi-interface support is enabled.

113802 Fixed a problem where a lock was not properly being released in the Citrix
optimization blade. This would result in other threads being blocked while trying to
acquire the lock, which would eventually cause the watchdog timer to detect the
threads as unhealthy and temporarily put the optimization service in bypass.

113818 The bucket distribution information for each Steelhead given to the router is
correct, but the CLI/UI display is incorrect. We fixed this display issue by properly
calculating the bucket distribution among Steelheads.

113987 Filter out a set of known and inconsequential utility crashes so that no alerts
are created for them.

114592 Fixed a problem where auto-configured HTTP optimization rules were
appearing in the Server Subnet and Host Settings table in the web UI and in the
output of the CLI command "show protocol http server-table auto-config" when
PerHost Auto Configuration was disabled.

115263 The outstanding request queue length is determined by the max_mpx_count
specified by the server. In rare cases, when a multi-threaded client is used, it is
possible to exceed the outstanding request limit. This can cause certain CIFS servers
to report a Denial-of-Service attack and reset the CIFS connection. The fix adds a
strict limit for outstanding request queue length to avoid exceeding the server's limit.

115443 Updated the way cache control headers are evaluated to ensure items
tagged as cacheable are retained for a minimum of the in-flight cache delay. The
scope of this change is limited to data content associated with HTTP stream-splitting.

115457 Fixed an issue where a server-side Steelhead with enhanced auto discovery
disabled would continue its attempt at optimizing an asymmetric connection after the
client-side Steelhead decides to pass through. A reset triggered by the client in an
asymmetric scenario will now cause the client-side Steelhead and server-side
Steelhead to pass through traffic due to asymmetric routing.

115844 Under the connection information, "Saas passthrough reason" has been
replaced by "Cloud Acceleration State" in both the Web UI and the Command Line
Interface. This field indicates the state of the connection for Steelhead Cloud
Accelerator optimization.

116173 Fixed an issue that caused the Steelhead WebUI to report an internal error
when running duplex tests.

116270 Fixed an issue where the CMC cannot query any information from a
Steelhead that has experienced an eUSB flash failure.

116670 The fix now allows the user-configured rx-buffer size to persist on a reload.
Changing the MTU will also change the rx-buffer size. Rx-size will now depend on the
last configured value (user defined or MTU defined).

116682 Fixed a memory leak when CIFS-SIGNING and SMB2-SIGNING are configured
in Transparent Mode and Delegation Mode respectively. The leak only happens for
connections which are not allowed for delegation

117354 Fixed an issue with Steelhead Cloud Accelerator where initiating a sysdump
when there are many active SaaS optimized connections might cause high CPU usage
and generate error logs on the Steelhead.

117521 Fixed misleading error messages when enabling QoS shaping that occur when
interface is down or when the configured WAN bandwidth is greater than the
detected link rate.

118150 Fixed an issue where the inefficient processing of fragmented packets in
packet-mode could cause high CPU usage on a Steelhead.

118237 Memory leak was fixed.

118703 Corrected the book-keeping mechanism used to optimize Citrix connections
in Session Reliability mode to reduce session latency and lower Steelhead CPU usage.

118727 Fixed an issue with PFS stats not being reported correctly.

118753 Fixed the error message displayed when a duplicate network interface IP
address is configured to include the network interface that has a conflict.

119161 Fixed a rare issue where packets from a TCP session monitoring device (in
this case, a protocol processor for a satellite network) placed in the WAN caused the
outer connection between the SFE and server to fail resulting in a passed through
connection.
The monitoring device replied to the SYN-ACK+ probe packet from the SFE with an
ACK. The SFE passed the ACK packet through resulting in a RST packet from the
server. The RST caused the SFE to reset its state for the connection. Subsequent
outer connection packets from the SFE to the server were transmitted over the VLAN
of the in-path interface of the SFE which was different from the VLAN of the server.
The fix detects the ACK/RST condition and prevents the connection state in the SFE
from being reset.

119410 Fixed an issue that resulted in a crash of the optimization service on the
client-side Steelhead when optimizing an SMB2 connection. The crash would occur
due to a double free performed on a dangling Foi pointer.

119528 Fixed an issue where DSCP markings were not reflected on the optimized
channel until data was sent in that direction. This was visible when using
unidirectional protocols or on initial ACK packets sent before data.

119976 Fixed a thread race condition in code limiting the size of cached HTTP
authentication responses which under certain conditions could cause optimization
service to crash.

120084 Fixed an issue where the optimization service may crash if it encounters an
unrecognizable Kerberos ticket during CIFS, SMB2 or encrypted MAPI authentication. If
such a Kerberos ticket is encountered the resulting connection will be put into
passthrough.

120097 Fixed a problem where the admission control alarm can fire after sport is
restarted.

120344 In rare circumstances, say, under high connection rates, if the client happens
to reuse a source port for a new connection, RiOS incorrectly recycles the state for
this new connection if the previous connection using the same tuple was not yet torn
down by the server.
This condition may exist if the following message is present in the system log:
[intercept.ERR] ioctl 0xc030635b (c - 91) failed: Invalid argument

125191 Upgrade Apache httpd to 2.2.23 and 2.4.3 for CVE-2012-2687

120529 Fixed an issue that caused a crash of the optimization service when a deleted
Foi object is accessed by the CIFS blade in Smb::Tree::get_foi() or
Smb::Tree::get_foi_with_server_fid().

120569 The text on the licensing page was incorrect for licenses that have future
expiration or validity dates. The system now correctly reports "Valid through" or
"Valid starting" in these cases.

120643 Fixed an issue that resulted in a crash of the optimization service when an
SMB2 lease break notification occurs on an optimized SMB2 connection when
another optimized SMB2 connection from the same client existed.

120684 Fixed an issue where QoS rules do not correctly match optimized traffic
specified by VLAN tag if the rule also does not specify an Application. For rules which
do specify an Application, the initial control packet sent on the optimized channel is
misclassified, after which traffic is classified correctly.

120689 Fixed an issue where a control packet sent from the client-side Steelhead
during optimized connection setup does not carry the correct DSCP value reflected
from the original client connection.

120826 Fixed an issue in the smb2 optimization module that resulted in sending
unnecessary disk threshold checks on non-disk shares.

121010 In the event of a loop being detected, all interfaces will be created but the
bridge between lan and wan will be removed.

121043 If a share or log file name contained any of the characters ".." "-" and "//",
display of the CIFS Prepop log would fail without explanation. An explanation has
been added.

121315 Made a change to imaging process for CX7055 and CX5055 appliances to
increase partition size for root partitions for future image expansion

121367 The simplified routing entry created for a MAPI control connection
corresponds to vlan 0 while packets for the data connection arrive with default vlan
0xffff. In such a case, the fix ensures that the data connection matches the entry
created by the control connection and uses the same for routing packets.

121508 Fixed a compatibility issue between a client side Steelhead running pre-7.0.4
version and a Server side Steelhead running post-7.0.4 versions, for CDM latency
optimization feature.

121725 Fixed a problem where the optimization service could enter an infinite loop
and eventually crash when processing corrupt packets while setting up an optimized
connection. This can occur when the corruption is not caught by the TCP checksum.
When a corruption is detected, the connection will be closed.

121901 Fixed a problem where optimized HTTP traffic between Steelhead appliances
was sent in more TCP frames than was necessary. This could result in hitting the
initial TCP congestion window which causes an extra round-trip delay.

121931 Fixed an issue where identical sysObjectID was returned for Steelhead and
Steelhead-ex appliances.

121997 Caching DNS feature uses BIND 9.9.2, with various security bugs fixed,
including CVE-2012-5166.

131729 SSL/TLS CRIME Vulnerability CVE-2012-4929 and CVE-2012-4930

122382 This fix resolves an issue in the revision history of file STEELHEAD-MIB.txt.

124446 Upgraded libxml2 to fix security vulnerability CVE-2012-2807

122438 This condition may occur if a Steelhead is ungracefully shut down and a
different one with the same IP address is brought up.
In this case, neighboring Steelheads may hit a condition that causes their
optimization service to fail.

122637 When the managed appliance is connected to the CMC using an rbm user
and the customer changes the connection to use an admin user, all CLI commands
sent by the CMC would fail authorization until either the appliance is rebooted or
rgpd is forcibly restarted. This has been fixed.

122722 Fixed a bug where older versions of PCoIP lacking priority information are
misclassified into the default site class. Such traffic is now classified into the default
class for the PCoIP rule.

122738 Fixed an issue where logging into the CLI on system startup will display
"System initializing..." for up to 3 minutes when the appliance is not licensed before
accepting commands. Now, the CLI will no longer wait on startup for the optimization
process to start if service cannot start due to lack of license.

122741 Fixed an issue where sport was crashing with reference to
krb5_set_max_time_skew due to a malformed /etc/krb5.conf file.

122778 A configuration change was made to improve performance of the CX5055
model. Data reduction may improve with a reduced chance of disk write pressure at
maximum connection count.

122871 Fixed an issue where users with an unknown terminal type set were prevented
from logging into the CLI.

122903 Connection tracking logic now resets DPI engine state on FINs allowing for
better utilization of DPI engine resources

123015 This fix increases number of segments held in memory on CX5055. Data
reduction may improve with a reduced chance of disk write pressure at maximum
connection count.

123076 The inpathX_X MTU was incorrectly propagated to lanX_X and wanX_X interfaces.
With the fix, if interface mtu-override is enabled, after upgrade or reload of the
Steelhead, the inpathX_X MTU will not be propagated.

123131 Increased the limit on the number of subnets configurable for each site in the
QoS configuration from 5 to 50.

123178 Fixed an issue that caused incorrect local write responses due to NFS
optimization. Fix involves performing permissions check prior to optimizing write
requests.

123341 Optimized connection counts for EX1160VH, EX1260VH_2 and EX1260VH_4
appliances are increased from 4,000 to 6,000.

123376 The MAPI encryption-only feature has been enhanced to only require
configuration on the client-side Steelhead. The server-side Steelhead will now
automatically match the client-side configuration.

123421 Fixed the issue where the user configured mail hub settings were getting
ignored and defaults were always being used. After this fix user configured mail hub
settings are used as expected.

123553 Fixed a bug wherein the priority of PCoIP traffic was incorrectly updated by
the classification engine when the dynamic priority of the traffic remained
unchanged. This occurs when the QoS rule is configured to match a specific source or
destination port.

123555 Fixed problem on CX7055 model where a few appliances were created with a
partition that was too small to hold crash dumps in the event of an optimization
service failure. Most units are unaffected by this problem.

123580 Fixed an issue in Smb2-Signing where auto-delegation updates for EMC and
Netapp filers fail by ensuring that the auto-delegation updates do not contain the
trailing '$' character.

123649 Shrink the time spent on compressing a snapshot of the optimization process by
switching to the fastest LZ compression method and utilizing compression hardware on
Steelhead models where it is present.

123788 Rare instances where page content is misinterpreted as an SSL session
handshake. This may lead to dropped data for small transfers, and is likely linked to a
specific web application.

123857 Fixed an issue that resulted in crash of server-side optimization service with
SMB2 optimization. Crash is seen at Smb::ServerParser::read_ahead_action_cancel().
The issue occurs when the client issues a close request while read-ahead is in
progress on the server-side Steelhead.

123933 Previously, the HTTP OPT optimization would only store objects that
contained "ETag" or "Last-Modified" HTTP headers. This restriction used to prevent
the OPT feature from storing a significant amount of content, resulting in sub-optimal
performance. This fix removes this restriction, so more objects can be stored in the
OPT.

123998 In certain cases, the CIFS server returns a query response (find, query_path
etc.) that has additional bytes at the end of the response, which causes the CIFS blade
to access invalid data, causing the sport process to crash. This fix adds read checks to
make sure that we access only valid data.

124224 The problem may unpredictably occur in a cluster environment where neighbor
Steelheads exchange cluster information.
Message handling may fail with a Sport process crash depending on the timing of TCP
data arrival. There is no workaround for this crash problem. The code was changed to
address the issue and avoid the crash problem in such a condition.

124312 Enabling or disabling of SCPS rule table now generates a message to restart
optimization service.

124324 Fixed the graphs to correctly display data points that were recorded at a
different time offset.

124355 A kernel crash was fixed which would manifest under the following scenarios:
(a) Inter-operating with a SCPS device like XPEP which negotiate SNACK (Selective
Negative Acknowledgements) with the Steelhead, (b) If the first packet sent by the
SCPS device is not received by the Steelhead and (c) If the subsequent packet that is
received by the Steelhead is a FIN packet.
The symptoms of the kernel crash includes a log message "divide error: 0000 [1]
SMP" when the Steelhead is rebooted.

124441 Steelhead will no longer fail to optimize some connections with
"Cannot assign requested address" error messages when there are either a large number
of connections and/or a high rate of connections to the same destination server IP
address and port.

125003 Fixed the issue where an old report of CPU utilization was displayed. Now it
shows the current report.

125577 The specs for IPv6 allow IPv4 addresses to be wrapped in a mapped or
compatible form, ::ffff:x.x.x.x and ::x.x.x.x respectively.
These formats are not supported and are disallowed on the appliance.

125582 Fixed an issue that may cause the Virtual Steelhead to accept a different
number of inpath interface pairs with the Riverbed network bypass cards than the
actual limit.

126002 Fixed an issue on ESX Cloud Steelheads using the Steelhead Cloud
Accelerator feature, where expiration of the Cloud Steelhead license resulted in the
Steelhead Cloud Accelerator feature being disabled.

126069 Removed triggering Optimization Service alarm when a timeout error occurs
during communication between internal processes. An error is logged instead.

126135 Fixed an issue where certain SMART queries may trigger a bug in an SSD with
certain versions of firmware, resulting in the Steelhead storage controller getting into
a FAULT state and the appliance becoming unresponsive. The fix works around the
problem by monitoring the state of the storage adapter and hard-resetting the adapter if
it is stuck in the FAULT state.

126222 Fixed a problem by adding proper error checking to prevent management
process error message from showing up in syslog.

29

126613 Fixed an issue where sending attachments of certain sizes would result in the
error message "Network protocol error: message from server too small". This error
message could appear as a pop-up message when sending an attachment from the
Notes client or as an error on the Domino server during server-to-server push
replication.

126653 Fixed an issue where Steelhead cannot reboot.

127099 Fixed an issue that resulted in a crash of the optimization service when a
short name hint was received by the client-side Steelhead while in shutdown state.

127206 Upgrading now preserves the HSTCP congestion control setting.

127335 When the system panics, it should reboot quickly after saving all the
important data. Previously, the system waited about 5 extra minutes without doing
anything. This is fixed in this version. This applies to the following
models: 5050L/M/H, 6050, 7050L/M, CX1555L/M/H, CX5055M/H, CX7055L/M/H,
EX1160L/H, EX1260L/M/H, CAG2260, CAP2260, CAP4260-UI/DB/DP, CAP4260-AN/EX,
CAS2260, CAX360, CAX460, GC2000.

127345 Fixed an issue where optimization of SaaS connections through Steelhead
Cloud Accelerator (SCA) could be blocked if time on the Steelhead has drifted more
than 60 seconds. After the fix these connections will no longer be blocked and will be
made SCA-passthrough instead. To re-establish Steelhead Cloud Accelerator
optimization, please ensure at least 2 working NTP servers are configured on the
Steelhead.

127372 Fixed an issue so that Kerberos errors generate an appropriate error message
instead of printing a numerical code.

127443 Fixed an issue where after pushing a policy from the CMC containing alarm
configuration, a Steelhead would raise its Disk Full alarm but not show which specific
partition was full on the alarm reports page.

127459 Fixed a problem where running RSP or tcpdump on the aux interface caused
a kernel memory leak when VLAN tagged packets are received on the aux interface.

127624 Fixed a problem where log files downloaded as Plain Text through the web UI
are truncated.

127675 Bandwidth limitations are now properly enforced on a standalone Steelhead.

127738 Fixed a crash in the optimization service that occurred when an optimized
SMB 2.1 client attempted to perform a DFS operation on a file while requesting a
lease.

127749 Fixed an issue where SMB2-Signed connections can get blacklisted if
Windows 7 clients are using NTLM and LM authentication instead of the default
NTLMv2 when the Steelhead is joined to the domain as an RODC or BDC.

127843 This fix corrects the link-local address of in-path interfaces when virtual
in-path is enabled. Now the link-local address of in-path interfaces can be bound to
the correct interfaces.

127918 Fixed a crash in the optimization service that occurred when an optimized
SMB2 client sent an oplock break chained to a create request.

128128 Fixed an issue that would cause a management interface or an in-path
interface to come up with the wrong MAC address (lan0_0 rather than wan0_0 for
example).

128402 Fixed an issue involving pointer misuse in the memory allocator which used
to cause process failures involving TCMallocImplementation::GetAllocatedSize.

128414 Fixed an issue where Kerberos tickets were not correctly released, causing
the appliance to run out of memory when certain conditions were encountered
while delegation is enabled.

128416 This fix corrects the timeout setting for the peer reachability test.

128629 MD5 checksum files for process dumps may be incorrect in SH 8.0.2. This has
been fixed in 8.0.3.

128715 Fixed an issue in processing an SMB2 create request while the connection is
going down due to blacklisting. The crash happened due to an attempt to store a
duplicate create file handle; the failed attempt resulted in a dangling file handle.

128783 Ability to run "show running" command is restored to the 'monitor' user. This
stopped working and there was no output from the "show running" command for the
monitor user.

128844 Fixed an issue where the management daemon may log errors when shutting
down or restarting, for example after an upgrade.

128888 Fixed an issue where End-End-Kerberos was not using the correct
replication-epoch version when attempting replication. This could cause Encrypted
MAPI or Smb1/2 Signing to fail with End-End-Kerberos enabled if the domain name
has ever been renamed.

129025 SSLv2 is no longer supported by the web interface. TLSv1 and SSLv3 are
supported. Use the "web ssl protocol" command to enable the desired protocols.

129083 Fixed a crash of optimization service on client side steelhead. The crash was
happening because the entry being iterated over in std::map was deleted.

129103 Fixed a problem where exception handling wasn't properly done when
running mdreq. When this occurs it would show up as "Unable to connect to the
management daemon" in system log files.

129298 Fixed a data type inconsistency issue in the statistics subsystem that could
cause exceptions.

129334 Fixed a bug where older versions of PCoIP lacking priority information are
misclassified into the default site class. Such traffic is now classified into the default
class for the PCoIP rule.

129371 For single-ended SCPS optimized connections, the 'show connection' command
now lists LAN and WAN side connection statistics.

129512 Fixed the issue where packets sourced from the In-path management
interface were dropped by an external device because of a wrong VLAN tag. In-path
management interface will now always send out packets with the configured VLAN
tag.

129570 Fixed a bug where an optimized connection reported an incorrect number of
TCP packets sent to the network.

129598 The e1000e driver was updated to a version which makes packet drops much
less likely.

129656 Fixed a problem where modifying a port label can cause QoS errors if that
label is used in a QoS rule with an output DSCP value specified.

129704 Fixed the leak in Winbindd when PFS is enabled.

129769 Added support for literal IPv6 addresses per RFC2732. Now, square brackets
around the literal address are allowed in URLs.

129784 This fix clears admission control alarms when optimization service is disabled.
These alarms should not be triggered since there is no optimized traffic.

129802 Fixed an out-of-bounds memory access by a kernel driver. This bug only
impacts the 7050 L/M and 7055 M/H models. When the Steelhead hits this bug, it
shows as a kernel panic followed by a system reboot.

129837 The VLAN to be used to reach a particular destination is learned based on
packets seen destined to that IP, using the simplified routing feature. When the
Steelhead sends a packet over the correct VLAN to the gateway, the gateway might
ricochet it back over a second VLAN. Unless the packet originates from the Steelhead,
the second VLAN will be learned and used for subsequent packets. This will cause the
gateway to drop all subsequent packets.
The only other set of packets that might wrongly update the VLAN are packets
exchanged between CF neighbors in the transparency case, which is the problem in
this customer scenario.
The fix extends the check from the local stack to also include packets exchanged
between CF neighbors.

129885 Fixed alarmed process crash under high load conditions.

129891 Fixed an issue that resulted in client-side optimization service crash when
multiple callbacks on the same waiting smb2 request are executed.

130046 Fixed an issue with SMB3 sessions that prevented them from connecting
through Steelheads by detecting unsupported SMB3 dialects and passing through the
connections.

128575 For Citrix connections on port 1494, the Secure Peering module on the
server-side Steelhead was fixed to complete setup of the SSL connection with the
client-side Steelhead before initiating Citrix optimization.

130204 Fixed a kernel crash that could occur while using jumbo frames with 10G NICs
(Riverbed part numbers 410-00302-02 and 410-00301-02) by improving the way that
data is placed into packet buffers.

130403 Fixed a sport process crash that could occur in rare cases in the GCL
connection handling subsystem.

130590 Excluded HTTP user cookies from being factored into stream identification.

130630 Corrected incorrect memory usage calculation for HTTP optimization that led
to new responses not being cached, and improved OPT caching policy.

130631 Fixed an issue that caused unbounded growth of CIFS prepopulation logs. The
fix rotates logs when they exceed the configured size limit.

130673 Fixed an issue that caused SMB Signing and Encrypted MAPI optimization to
fail for users who belong to a domain that is related to the Steelhead domain via a
transitive trust that goes across an external forest trust.

130678 Fixed the SSL, TLS and DTLS vulnerability to the timing attacks described by
CVE-2013-0169, known as Lucky 13, by upgrading OpenSSL to v1.0.0k.

130780 Fixed an issue where the winbindd process excessively consumes CPU on
upgrade to 8.0.1+ and when there are communication errors between the Steelhead
and configured Domain Controllers.

130840 Made changes to allow punctuation characters along with alphanumeric
characters in SNMP community strings.

130863 In Steelhead 8.0.2a, there may be SSL errors accompanied by log messages
"Missing global_exportable file" and "No such file or directory: Exec of
/usr/bin/c_rehash failed". This has been fixed in Steelhead 8.0.2b.

131097 Fixed a crash in the optimization service that occurred when an optimized
SMB2 connection from Windows 7 or higher client was established to Mac OS X 10.9
server.

131382 After a successful upgrade from 6.5.6a to 8.0.2, the fix allows switching
between different configuration files that were created before the upgrade.

131504 An optimization error on Outlook Anywhere connections could crash the
optimization service. The fix will correctly close the Outlook Anywhere connection
and prevent the crash.

131688 Fixed an uninitialized pointer issue which may lead to CLI crash when using
the "show clock" command.

131721 AP_REP_DECRYPT_ERROR Kerberos errors should blacklist the client, not the
server. The fix correctly blacklists the client on AP_REP_DECRYPT_ERROR and the
Exchange server on all other errors.

131730 The optimization service can crash if an EPM response for the MAPI protocol
contains TCP port 0 as the Exchange service port. The crash is now fixed.

131839 Fixed an issue that causes a crash of the optimization service when an
optimized SMB2 client sent a create request with incorrectly formatted create
contexts.

131954 Fixed an issue that could cause incorrect checksums to be generated on
outgoing packets when Connection Forwarding was in use. This problem occurred
only on 10G network bypass cards used in Steelhead xx55 models such as the CX5055
and CX7055.

131955 Fixed an issue in CIFS optimization module which could result in crash of
optimization service when a connection is closed.

131977 Fixed an issue that prevented optimization of SMB2 clients that engaged in
signing if a connection was established before signing support was correctly
configured. SMB3 clients that engage in secure protocol negotiation will still be
blacklisted.

132027 Fixed an issue where Web UI became inaccessible after image upgrade.

132285 Fixed a problem with the way NAT'd flows and their direction (CFE vs SFE) are
identified. This prevents the leaking of NAT entries which over time can cause
memory exhaustion and application performance problems.

132314 Fixed an issue that resulted in file copy failure. The fix ensures that the server
side Steelhead handles the SMB2 server responses correctly. Additionally, the fix
makes sure to separate out the client requests and the Steelhead-generated
requests, so that the SMB2 server responds to these requests correctly.

132387 Fixed an issue where additional configured gateways are displayed
incorrectly as "internal set modify" commands while executing "show running-config".

132519 Fixed the "show running" command output, which did not display the
commands "ssh server listen interface" and "web httpd listen interface" correctly.

132559 Fixed an issue where incoming fragmented packets that were reassembled
then fragmented again could result in memory leaks. This could more easily happen
in a virtual-inpath deployment with WCCP GRE redirect and return, where the GRE
packets got fragmented by the WCCP router before being redirected to the
Steelhead.

132574 Fixed an issue where permissions for the Citrix Optimization and Replication
Optimization Role-Based Management roles were lost when upgrading the RiOS
version on the Steelhead.

132641 Office365 service with Exchange Wave 15 uses an HTTP data transfer mode
that causes Steelhead optimization of the desktop version of Outlook to end up with
an "Unknown SSL error code: 202" error.
This is now fixed and the desktop version of Outlook can be optimized with Office365
wave 15. Prior versions of Office365 are not affected.

132979 Fixed an issue where the CLI command does not exist in RiOS 8.0.x but exists
in RiOS 7.0.5. The CLI command has been added back in RiOS 8.0.4 and subsequent
releases.

133206 Removed the restriction that an interface must be up and connected in order
to configure the WAN link rate and enable QoS on it. If the interface is down, an
alarm is raised indicating that the WAN bandwidth is greater than the detected link
rate.

133611 IPv6 traffic will not be secured if IPSec secure peering is configured and Fixed
target inpath rule is used to optimize traffic. However, IPv6 traffic will be secured if
IPSec secure peering is configured and Auto-Discovery inpath rule is used to optimize
traffic.

133651 The optimization service failed to optimize MAPI connections to Exchange
365 if the user's password contained the characters ':', '\', or '@'.

133784 Fixed an issue that would result in a crash of the optimization service if a
branch warming connection is attempted from a Steelhead Mobile Client.

133815 Fixed HTTP cache to correctly assume ownership of memory from SDR
encoded items.

133822 Fixed an issue where some models were continually trying to write back dirty
pages, causing CPU core(s) to become 100% consumed.

133924 Fixed an issue where expired or invalid licenses can be installed, which can
put an appliance into a degraded state.

134006 Sanity checks were added to appropriately remove invalid snack blocks in a
TCP packet.

134049 Corrected the reverse mapping function for the commands "ip/ipv6
in-path-gateway", which led to the generation of "Couldn't eat binding" errors after
executing the "show running-config" command.

134132 Fixed the sysdumps generation to include samba logs under the "pfs"
directory.

134218 Added a CLI command to disable trap receiver. The command is:
no snmp-server host <host-ip> enable

134252 Fixed an issue that caused a crash of the optimization service when the print
server returns an error. The fix includes appropriate error handling.

134309 This fix resolves the in-path default gateway test failure caused by using an
invalid interface.

134547 Fixed an issue where a user might be unable to change the time period on
the Traffic Summary report.

134654 Steelheads are now less strict about the expected Outlook Anywhere
connection setup order to support newer versions of both on-premise and Office 365
Exchange.

134666 Fixed an issue where transparent inner connection packets were not being
parsed correctly and were therefore classified into the default class for inbound QoS
treatment.

134977 Previously, the print job failed on an optimized SMB2 connection. The fix is
to not optimize handles on print shares.

134987 Corrected unexpected reboot caused by kernel panic on fragmented
multicast traffic with the string "pt_conntrack_frag_non_tcpv4" in logs upon bootup.

135008 Fixed the "datastore wipe" CLI command; it now works correctly.

139466 CVE-2013-2094 kernel security bug

135379 mgmtd will not crash when an invalid URL is specified to the autolicense
fetch command like below:
autolicense fetch location <http:fake.url>
This operation will now fail gracefully with the following message:
# license autolicense fetch location http://fake.url
% Unable to download autolicense request file http://fake.url.

135699 An IPv4 address must be present on an inpath interface before specifying an
IPv6 address for this interface.

135821 Fixed an issue that caused the CLI to crash whenever TACACS+ per-command
accounting was configured, the TACACS+ server was unreachable, and a user entered
any command.

135828 Added a new CLI command, "alarms reset-all", which will reset all alarms to
their default settings. This will remove all alarm configuration commands from the
output of "show running-config".

135916 Fixed an issue where the command 'stats settings top-talkers override
active-to "60"' would appear in the 'show configuration running' after upgrade. The
active-to default value was changed from 60 to 30. However, devices with the old
default set in their configuration were not migrated to the new default. Upon upgrade,
this caused the active-to value of 60 to appear in the configuration as if it was a
non-default value configured by the user.

135917 Fixed an issue where the command
'rbm role mapi_acceleration primitive
/role_primitive/acceleration/service_protocols/mapi_admission'

135935 If a small MTU on the path between a host running the Riverbed Discovery
Agent and the Cloud Steelhead results in fragmenting the UDP packets to the Cloud
Steelhead, the Steelhead can experience a kernel crash.

135942 This fixes a bug in the decoder that triggers an optimization service crash
when handling corrupt packets. The fix will ensure that sport gracefully handles
corrupt packets by attempting recovery and closing the connection if recovery fails.

136072 Fixed an issue that caused the command 'protocol ms-sql default-rule
query-rule rule-id * action-id 1 arg-offset 1 enable' to appear multiple times in the
full running configuration.

136170 Fixed an issue that resulted in crash of client-side optimization service when
a signed session setup request came in during connection start up if the Smb2 signing
blade was in the process of shutting down.

136357 Changed join-type options, in the domain join/rejoin CLI commands, from
"rodc" to "win2k8-mode" (Windows 2008) and from "bdc" to "win2k3-mode"
(Windows 2003) to better reflect the Steelhead's joined functionality.

136717 Fixed a rare issue where an AWS Cloud Steelhead may hit a kernel crash
during shutdown or reboot because of a race condition. The problem does not affect
the ESX Cloud Steelhead.

136835 Reduced the memory footprint of a few RiOS processes to avoid paging
activity.

136843 Treating all reparse points as DFS links resulted in failure of a CIFS prepop full
sync action. Fix involves correctly identifying DFS links.

136844 This fix prevents use of the IPv6 in-path default gateway as IPv6 default
gateway in the net-gateway test when the IPv6 default gateway is not set.

140940 Patch cURL library for CVE-2013-1944

137030 This fix grants RBM users with Report only permission to access the current
connections report.

137068 Fixed an issue where outbound packets had incorrect source MAC addresses
when Steelheads were in a virtual In-Path configuration.

137167 This fix allows customers to specify interfaces for IPv6 routes in the CLI. This
is required for configuring IPv6 routes using link-local addresses.

137372 Link sharing between packet order queues did not work correctly prior to
8.5.0. For example, two independent UDP flows going to different packet order queues
could not share the excess bandwidth based on the configured link share ratio.
Instead, they shared bandwidth equally. With the fix, the excess bandwidth
is shared according to the link share ratio that the user configured.

137559 This fix removes the errors seen in the logs when running "show interface
configured" from the CLI.

137582 Fixed a problem where the optimization service would unnecessarily abort if
its logging thread took too long to complete. This can occur when the Steelhead is
under heavy load, but it does not affect optimized connections. The optimization
service will now raise an alarm instead of aborting, and optimized connections will
continue to be unaffected.

142832 CVE-2011-3188 IPv4 & IPv6 Linux kernel MD4 sequence numbers and
Fragment Identification remote DoS

137696 Fixed an issue where with 8.0.x software, certain load is not evenly
distributed among the available cores on models with an SDR card (7050M,
7055M/H), and may trigger CPU utilization alarms under certain traffic conditions.

137837 Fixed an issue where SSD Write Cycle Level Exceeded alarm was registered
for non-SSD disk.

137959 Fixed an issue that resulted in a crash of the rcud process when DFS referral
is disabled.

138208 Fix added to strengthen security around Riverbed customer support
diagnostic access.

138307 Fixed an issue that would cause a crash of the optimization service during an
optimized SMB2-Signed connection if the client sent an incomplete packet. The
incomplete packet will now be correctly detected and the connection terminated and
blacklisted.

142423 CVE-2013-1862 Apache 2.2.x mod_rewrite improper sanitizing of
non-printable characters allows remote arbitrary command execution

138701 Fixed an issue that would cause a crash of the optimization service when a
server on an optimized SMB2 connection sent a response to a change notification
request with bad length values by detecting the situation and logging.

138704 Fix allows image reinstall of 8.0.2b when running 8.5.0 or higher releases.
Currently, image reinstall of 8.0.2 while running 8.5.0+ will fail.

138884 Fixed an issue that would cause a kernel panic when processing fragmented
multicast packets.

138920 This fix removes and reapplies configured routes after an interface is brought
up.

139017 If the Outlook profile is configured to use Negotiate authentication for
encrypted MAPI and the Exchange server chooses NTLM authentication, the
optimization service could not correctly set up the optimized encrypted MAPI
connection.

139250 Before this fix, only one IPv6 default gateway could be specified from the CLI.
Now configuration of multiple IPv6 default gateways is allowed from the CLI.

139707 Fixed an issue that resulted in client-side optimization service crash at
Smb2::CompoundRequest::merge_fegen_reqs() with SMB2 optimization enabled.
The crash occurs while attempting to forward a read request that is waiting for
decode when server eof is received. Fix involves setting the server eof flag at the
right place to avoid forwarding waiting requests.

138588 IPv6 requires the MTU on an interface to be at least 1280. If the MTU is lower
than 1280, the kernel throws the message "No buffer space available" because an IPv6
link-local address is assigned automatically to this interface. Link-local IPv6
addresses are no longer generated for interfaces with an MTU value lower than 1280,
which avoids this error message.

139897 This fix prevents a condition in which IPv6 link-local addresses may be added
into the routing rule table incorrectly.

140186 Fixed the interpretation of Citrix Client Drive Mapped file transfer packets
from a Citrix server to a Citrix client that could result in a file corruption.
This occurred when certain kinds of files are transferred from the Citrix server to the
Citrix client during an optimized Citrix session with CDM latency optimization turned
on.

140303 The Software Version Mismatch alarm has been renamed to Software
Compatibility alarm.

140673 Fixed a problem in 8.0.2a and 8.0.2b where the installation or re-installation
of RSP 8.0.0 can fail, and synchronization of a Proxy File Service (PFS) share can fail.

142998 Upgrade OpenSSL to 1.0.0k (or latest) per CVE-2013-0169

140835 Sysdump generation has been fixed to include the Domain Join log files.

141024 Fixed a bug where the Steelhead incorrectly assumes high memory pressure
and throttles the traffic.

141106 The fix prevents Steelhead from getting into degraded state.

141276 Fixed a problem where a counting error on the server-side Steelhead
appliance during optimized Citrix Client Drive Mapping transfers from the client to
the server could cause memory corruption which would frequently cause a failure of
the optimization service. This error would occur with file sizes that are 1 to 11 bytes
larger than an even multiple of 4096 bytes.

141368 The client-side optimization service can crash during MAPI pre-population.
This crash is observed if MAPI pre-population was started on a connection, when the
MAPI connection has not been fully set up prior to pre-population.

141707 Fixed an issue where the optimization service may crash when losing the
communication channel to the management system.

141746 Fixed an issue where sar data may take too much disk space by deleting sar
files that are older than 3 weeks.

141793 Fixed an issue where optimization of SaaS connections through Steelhead
Cloud Accelerator (SCA) would not work if the hidden config probe-tcp-opt was set to
any value other than its default of 76. In direct-branch SCA mode, the Steelhead can
continue to use the non-default probe TCP option value to peer with other customer
Steelheads and it will also peer properly with SCA Steelheads. In backhauled mode,
the fix will only work if the Branch Steelhead and Datacenter Steelhead use the same
non-default probe TCP option.

141890 Added some checks to Steelhead initialization scripts related to mdinit.

141947 Fixed the issue where the data sets for stats represented in the UI did not
match the exported stats data. Now the exported data matches the UI.

142382 Fixed an issue where detailed Steelhead Mobile branch warming connection
information can't be displayed on the Branch Steelhead.

142473 Prior to this fix the HTTP OPT optimization would ignore the port number
used to request objects from the web server. The fix adds the port number to the
OPT cache key. This ensures that data from different servers on the same host are
differentiated.

142835 This fix resolves an issue where the CLI command "show packet-mode
ip-channel" cannot filter ip-channel by srcip and destip.

143508 With this fix, the RSP service alarm is cleared when the user disables the RSP
service.

144064 Fixed a problem with Citrix client mapped drive optimization where duplicate
requests for the same file offset were ignored which could lead to incorrect data
being delivered to the Citrix server. A log message like the following may indicate
that this problem has been experienced:
[/citrix/sfe/parser WARN] {10.11.0.207:49935 10.11.141.63:1494} S Req: 03 00 14 00
00 e0 02 00 00 10 tail: 14 2a is a duplicate REQ

144217 The optimization service can crash if the first two Outlook Anywhere
connections are optimized within a very close timespan.

144397 Fixed an issue that occurred when CITRIX blade was enabled and QoS
disabled. The issue caused packets belonging to a CITRIX connection, and carrying a
non-null CITRIX ICA priority tag, to be marked with the ECN field in the IP header set
to CE (binary 11 or Congestion Experienced). This could result in the packets being
dropped by an intermediate device in the network.

144568 When a rule is configured to classify Citrix ICA traffic based on per-packet ICA
priority values, misclassification may occur if the ICA rule is moved from the 1st
position in the rule list.

146057 After this fix, when the image is upgraded from 7.0.x, traffic matching the
newly added default MxTCP class does not get black holed.

146250 Fixed an issue that caused failure to connect to CIFS shares when CIFS
qpathallinfo squash is enabled on the client-side Steelhead and the client is a Mac
running OS X 10.7 or later versions.

6) KNOWN ISSUES

114373 The optimization service can crash when optimizing end-to-end Kerberos
encrypted MAPI from a Blackberry server. The Blackberry server can send a MAPI
response that is not encrypted, which leads to a crash.
Workaround: Disable encrypted MAPI or prevent the Blackberry server from being
optimized by specifying a pass-through In-Path rule.

122430 Steelhead domain join fails against a win12 server if the server has global
encryption enabled.
Workaround: Disable global encryption to perform domain join against a Windows
2012 Server.

130008 Packet mode connections are not shown in Connection History report
Workaround: Packet mode connections are not shown on the Connection History
report. Their throughput statistics are, however, included on other reports, such as
Bandwidth Optimization and Optimized Throughput.

130660 When traffic is going through an interface without IP address configured,
classification gives incorrect results when QoS is enabled.
Workaround: Make sure proper IP addresses are configured on interfaces where
QoS is enabled.

138442 Current Connections web report no longer uses regular expressions
Workaround: The Current Connections report no longer provides a regular-expression
filter. Filters for application and source/destination subnet and port are
available using the [add filter] link.

139333 Path Selection does not handle the failure of the local gateway
Workaround: Implement VRRP or HSRP like solutions for the gateways of the paths.

139917 When QoS DPI is performed, a few of the initial packets on each connection
may not match the correct rule while QoS classification is ongoing.
Workaround: When QoS DPI is performed, a few of the initial packets on each
connection may not match the correct rule while QoS classification is ongoing. This is
expected behavior. Until Layer 7 protocol classification completes, packets will be
classified using the best match against Layer 3 and 4 header attributes.

140226 RSP cannot be enabled while Path Selection is enabled
Workaround: Turn off Path Selection before enabling RSP, or if Path Selection is
necessary, do not enable RSP.

141879 The reported number of active optimized connections may be inaccurate
Workaround: There is no workaround, but the problem only affects reporting. It
does not reflect a problem with the optimization service.

141985 IE slower than Firefox on Current Connections page
Workaround: IE has a slower display engine than Firefox, which can impact the
performance of the Current Connections page. Using Firefox will yield performance
that's twice as fast or better.

143193 Packet-mode optimized connections are not accounted for via SNMP

143433 CLI output says upgrade from CX1555L to CX1555H is not possible despite
having upgraded the required HW
Workaround: Upgrades from CX1555L to CX1555H are possible, once the
appropriate hardware is installed. Upon power down of CX1555L, the two hard drives
are replaced with corresponding SSDs. Upon boot up, the CX1555H license is
installed, and ready for utilization as an H model. The CLI command, 'show hardware
spec' displays the message that "activation requires hardware replacement".
However, this can be safely ignored.

144136 peerAddress SNMP OID does not return IPv6 addresses.
Workaround: peerAddress SNMP OID is defined to return only IPv4 addresses. For
compatibility reasons, it won't return IPv6 Addresses. In future releases, new OIDs
shall be added which will return both IPv4 and IPv6 addresses.

144372 ICMPv6 redirect messages are not supported
Workaround: Steelhead does not honor ICMPv6 redirect if a static route is
configured with global IPv6 address.

144601 CPU Utilization report can load incomplete data
Workaround: In rare cases, after interacting with the time range, the CPU Utilization
report can remain on "Loading" with incomplete data. Reloading the screen will clear
the problem, as will changing the time range again.

145177 Connections initiated while Path Selection is enabled at only one end may
cause asymmetry
Workaround: When enabling or disabling Path Selection, care must be taken to
configure both sides in concert. If possible, schedule a maintenance window to
accommodate the change.

146422 Long lived connections like file transfers from NetApp Ontap 8.x C-Mode
filers may experience connection resets owing to TCP zero windows. Depending on
the client's behavior, the file transfers may resume and succeed, or result in an error.

151996 Path selection: incorrect history of paths displayed


Background:
Starting in RiOS release SH.8.5.1, the Current Connections report displays
Path-selection statistics. This table reports the history of paths applicable to the traffic for
a given connection. Each entry in the Path history table describes the different paths
the connection used, the current status of the path, a timestamp denoting the time
the connection last started using a path (if the path changes its status multiple times,
then the timestamp will show when the path came Up and the connection started
using it), and the total number of bytes sent over the path.

Issue:
There is a case, for a given connection, when the path history table could report a
last started time that is earlier than the time the connection was
established/optimized.
Explanation:
Consider a scenario where Path-Selection is applied on optimized TCP connections,
on a client side Steelhead using Correct Addressing. For the first inner connection
formed between the client side Steelhead and server side Steelhead, if the Client
Steelhead has connection pooling enabled, then a group of TCP inner connections are
created in advance between the Client and Server Steelheads. These new inner
connections use the same QoS policy (containing the path order) that was applied on
the first inner connection. These inner connections remain idle until a request to
optimize a particular client to server connection is received. Until then these
connections continue to send keep-alive messages to check the connection status on
the path, based on the QoS policy. Once a new outer connection request is received
(created by client Steelhead to optimize the traffic between a Client and a Server)
one of the connections from the pool is used. If the same QoS policy is continued on
the Client-Server traffic then the path history will now report the earlier timestamp
that it applied during the creation of the Inner connection pool. If the inner
connection sends its control messages such as keep-alives, over different paths (due
to paths going down and coming Up again) before using one path to optimize traffic,
then those paths will also be reported as a part of the connection history.

153043 NetApp 8.2 C-mode filer exposes its shares as "DFS shares" by default. This is
due to their global DFS namespace implementation with the C-mode architecture.
We do not optimize any SMB2 DFS traffic today for various reasons. One of the main
concerns with DFS optimization is the DFS referral, which happens to another server
for the same share. Without DFS optimization added in the blade, NetApp C-mode
shares will not see SMB2 latency optimization benefits when the client uses UNC paths to
access the share. This is not a problem with mapped drive shares since they do not
use DFS.

153379 NTLM-delegation mode does not work with NetApp C-mode 8.2, resulting in
protocol errors for smb1/2 signing, as the filer does not appear to support Kerberos
constrained delegation.
Workaround: Enable End-End-Kerberos optimization support with NetApp C-Mode
8.2 to optimize signed smb1 and smb2 connections.

154295 Optimization service could crash in MAPI pre-population during the closing
operation.
Workaround: disable MAPI pre-population.


7) UPGRADING RIOS SOFTWARE


What upgrades are allowed?
You can upgrade this version of RiOS to another version that is both higher in version
number and chronologically newer.
For detailed information about upgrading and downgrading, see the article RiOS Upgrade
and Downgrade Rules.

Steps to upgrade RiOS Software


Download the software image from the Software tab of the support site to a location such as
your desktop.
1. Log in to the Management Console using the Administrator account (admin).
2. Navigate to the Setup: Software Upgrade page and choose one of the following
options:
   - From URL. Type the URL that points to the software image in the text box.
   - From Local File. Browse your file system and select the software image.
3. Click Install Upgrade.
The software image is quite large; uploading the image will take a few minutes. Do not press
Ctrl-C, unplug, or otherwise shut down the system during this first boot. There is no
indication displayed during system boot that the recovery flash device is being configured.
After the upload is complete, you are reminded to reboot the appliance in order to switch to
the new version of the software. After reboot, the software version is displayed on the
Home page of the Management Console.

8) MANAGING RIOS 8.5.2 WITH A RIVERBED CMC


Riverbed recommends managing RiOS version 8.5.2 with Riverbed Central Management
Console (CMC) version 8.5. (For a complete table of CMC to Steelhead compatibility, see the
Steelhead Appliance Installation and Configuration Guide.)

9) HARDWARE AND SOFTWARE REQUIREMENTS


Steelhead Appliance
The appliance is designed to be installed in a 19 inch (483 mm) two-post or four-post rack.

WARNING: The system must be properly grounded (earthed) to reduce the risk of electrical
shock. On European systems, the Green/Yellow tab on the power cord must be grounded
(earthed).

Steelhead Management Console

Any computer that supports a Web browser with a color image display.

The Management Console has been tested with Mozilla Firefox versions 1.0.x
through 3.6.x and Microsoft Internet Explorer versions 6, 7 and 8.
NOTE: JavaScript and cookies must be enabled in your Web browser.

Steelhead Command-Line Interface

An ASCII terminal or emulator that can connect to the serial console (9600 baud, 8
bits, no parity, 1 stop bit, and no flow control)
or

A computer with a Secure Shell (ssh) client that is connected by an IP network to the
Steelhead appliance Primary interface. Free ssh clients include PuTTY for Windows
computers, OpenSSH for many Unix and Unix-like operating systems, or Cygwin.

10) CONTACTING RIVERBED SUPPORT


Visit the Riverbed Support site to download software updates and documentation, browse
our library of Knowledge Base articles and manage your account. To open a support case,
choose one of the options below.

Phone
Riverbed provides phone support at 1-888-RVBD-TAC (1-888-782-3822). Outside the U.S. dial
+1 415 247 7381.

Online
You can also submit a support case online.

Email
Send email to support@riverbed.com. A member of the support team will reply as quickly as
possible.
© 2014 Riverbed Technology. All rights reserved. Riverbed and any Riverbed product or service name or logo
used herein are trademarks of Riverbed Technology. All other trademarks used herein belong to their
respective owners. The trademarks and logos displayed herein may not be used without the prior written
consent of Riverbed Technology or their respective owners.
