Release Note for the Cisco Global Site Selector, Release 3.1(x)


April 15, 2010


Note The most current Cisco documentation for released products is available on Cisco.com.


Contents

This release note applies to the software versions 3.1(0), 3.1(1), and 3.1(2) for the Cisco Global Site Selector (GSS).

For information on version 3.1(x) commands and features, refer to the GSS documentation located on Cisco.com. This document contains the following sections:

Upgrading or Downgrading the GSS Software

Operating Considerations for Software Version 3.1(x)

Licenses for the Integrated CNR Are No Longer Available

New Features in Software Version 3.1(2)

New SNMP Features in Software Version 3.1(0)

Software Version 3.1(2) Resolved Caveats, Open Caveats, and Command Changes

Software Version 3.1(1) Resolved Caveats, Open Caveats, and Command Changes

Software Version 3.1(0) Resolved Caveats and Open Caveats

Obtaining Documentation and Submitting a Service Request

Upgrading or Downgrading the GSS Software

Software Upgrade Sequence for 3.1(2)

Table 1 provides information about the upgrade sequence for previous software versions before you upgrade to version 3.1(2).

Table 1 GSS Software Upgrade Sequence for 3.1(2)

From version . . .                                   To version . . .
1.0(x) or 1.1 (prior to 1.1(1.7.0))                  1.1(1.7.0)
1.1(1.7.0)                                           1.2(2.2.0)
1.2(x) where x = 1 or 2                              1.3(3)
1.3(3), 2.0(1), 2.0(2), 2.0(3), 2.0(4), 2.0(5),      3.1(2)
3.0(1), 3.0(2), 3.1(0), or 3.1(1)


Software Upgrade Sequence for 3.1(1)

The Cisco Global Site Selector Administration Guide contains the required information to upgrade your GSS software. See Appendix A, "Performing GSS Software Upgrades and Downgrades" for information about the following topics:

Understanding Cisco-supported hardware and software compatibility for the GSS.

Understanding the software upgrade sequence to upgrade to either 3.1(0) or 3.1(1). A new feature of software version 3.1(1) is the ability to upgrade directly to this software version from version 1.3(3) or greater.

Preparing the GSS for a software upgrade.

Installing a new software image.

Preparing to downgrade from software version 3.1(x).

Downgrading software versions on GSS devices.

Operating Considerations for Software Version 3.1(x)

The operating considerations for software version 3.1(x) and higher are as follows:

Cisco LocalDirector does not reply properly to TCP keepalives sent on port 23 from a GSS device. To correct this behavior, specify a different keepalive method with LocalDirector or directly probe the servers located behind LocalDirector. Refer to the LocalDirector documentation for more information.

The GSS model 4480 cannot support all of the version 3.1(x) software functionality when it is operating as the primary GSSM; therefore, you cannot use this combination of hardware and software platforms as a primary or standby GSSM. Because the GSS 4480 is approaching its end-of-life target date, you must contact your Cisco representative regarding a hardware upgrade.

Licenses for the Integrated CNR Are No Longer Available

Prior to the release of GSS software version 3.1(0), Cisco announced the end-of-sale and end-of-life dates for the integrated version of CNR. As a result of this announcement, new SF-GSS-DNSLIC software licenses that enable the integrated CNR are no longer available. To request more information regarding this change, including guidance for migration options from the integrated version of CNR running on the GSS, send your request to ask-gss@cisco.com.

New Features in Software Version 3.1(2)

The 3.1(2) software release provides the following new features:

Internationalized Domain Name Support on GSS

Retries for KAL-AP Circuit Probes

Internationalized Domain Name Support on GSS

Software version 3.1(2) allows the GSS to support Internationalized Domain Names (IDNs), which are domain names represented in local-language characters. IDNs contain letters or characters from non-ASCII scripts. A domain name consists of a series of labels separated by dots. The ASCII form of an IDN label is termed the A-label; all operations defined in the DNS protocol use A-labels. The Unicode form displayed by the application is termed the U-label.


Note As per RFC 3490, IDNA requires updates only to user applications; no modifications are required to the DNS protocol, DNS servers, or resolvers.


This section contains the following topics:

Configuring GSS with IDN

Enhancements to the IDN on GSS

Limitations

Configuring GSS with IDN

To configure IDNs on the GSS, follow these steps:

1. Convert the U-label form of the IDN to its ASCII A-label form using one of the Punycode conversion tools available on the Internet.

2. Configure the A-label as the domain name on the GSS as part of the domain list configuration.

3. Send DNS lookup requests for the IDN to ensure that the GSS returns the correct VIP addresses.
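The conversion in step 1, and the A-label-only rule for domain-list regular expressions given under Limitations, as an added example in Python (this is not code from the release note or from the GSS; the function names and the constructed domain names are the example's own). Python's built-in idna codec implements IDNA 2003 (RFC 3490), the specification the release note cites; IDNA 2008 tools can produce different results for a few characters, so check the output of whatever converter you use before configuring it.

```python
import re

# Added example, not part of the Cisco release note. Converts between the
# U-label (Unicode) and A-label (Punycode, "xn--" prefixed) forms of a domain
# and shows why domain-list regular expressions must be written against the
# A-label form.

# One A-label: ASCII letters, digits and hyphens, 1-63 octets, no leading or
# trailing hyphen.
_A_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def to_a_label(u_domain: str) -> str:
    """U-label form -> A-label form (what gets configured on the GSS).

    The 'idna' codec applies nameprep and Punycode per label (RFC 3490)."""
    return u_domain.encode("idna").decode("ascii")


def to_u_label(a_domain: str) -> str:
    """A-label form -> U-label form (what the enhanced GUI pages display)."""
    return a_domain.encode("ascii").decode("idna")


def is_a_label_form(domain: str) -> bool:
    """True if every label is plain ASCII LDH within the 63-octet limit,
    i.e. a name the GSS CLI or GUI accepts directly."""
    labels = domain.rstrip(".").split(".")
    return all(_A_LABEL_RE.match(label) for label in labels)


def domain_list_matches(pattern_a_label: str, queried_name: str) -> bool:
    """Match a queried name against a domain-list regular expression.

    The GSS only evaluates regular expressions against A-labels, so a
    Unicode query name is normalized to A-label form first. A pattern that
    contains Unicode characters therefore never matches anything."""
    name = queried_name if queried_name.isascii() else to_a_label(queried_name)
    return re.fullmatch(pattern_a_label, name, re.IGNORECASE) is not None


if __name__ == "__main__":
    # Constructed sample domain; not a real configured name.
    u_name = "bücher.example"
    a_name = to_a_label(u_name)
    print(f"{u_name} -> {a_name} -> {to_u_label(a_name)}")
    print("A-label form accepted:", is_a_label_form(a_name))
```

Configure the printed A-label (not the Unicode name) in the domain list, and write any regular expression for that domain against the same A-label string.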

Enhancements to the IDN on GSS

For better administration and management purposes, the following two GSS GUI pages are enhanced to display domain names in A-label and U-label format. All domains configured in the A-label format on GSS are converted to U-label and displayed on the following GUI pages. Figure 1 displays the domain list page and Figure 2 displays the domain monitor page.

Figure 1 Domain List GSS GUI Page

Figure 2 Statistics Monitoring GUI Page for Domains

Limitations

The following limitations apply to IDNs supported on the GSS:

The GSS does not support configuring domains directly in Unicode (U-label) format in the GSS GUI or CLI.

The IDN GUI enhancements are not available from the CLI.

Regular expressions for domains can be used only with respect to A-labels.

Retries for KAL-AP Circuit Probes

With this release, the KAL-AP module is enhanced to include retries for KAL-AP circuit probes. The number of retries is configurable from 0 to 5. It can be set in the global keepalive properties for the standard (Figure 3) and fast (Figure 4) KAL-AP types, and in the shared keepalive configuration (Figure 5). By default, the number of retries for KAL-AP circuit probes is one; that is, when a KAL-AP circuit probe fails, the GSS retries it one more time to obtain the circuit status. See Command Changes for Software Version 3.1(2) for the CLI updates for KAL-AP circuit probes.

Figure 3 Standard KAL-AP Keepalive Properties

Figure 4 Fast KAL-AP Keepalive Properties

Figure 5 KAL-AP Shared Keepalive Configuration
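The retry semantics described above, as an added Python model (this is not GSS code, and the probe outcomes it uses are constructed): one probe cycle sends the first probe, retries it up to circuit-retry-count more times on failure, and reports the circuit offline only when every attempt in the cycle fails. The model makes the trade-off visible: a higher retry count tolerates a transient lost reply, at the cost of more probe attempts before a genuinely dead circuit is reported.

```python
from typing import Callable, Iterable, Tuple

# Added example, not part of the Cisco release note. Models the KAL-AP circuit
# probe retry behaviour that "circuit-retry-count <0-5>" configures.


def validate_retry_count(count: int) -> int:
    """Enforce the configurable range 0-5 stated in the release note."""
    if not isinstance(count, int) or not 0 <= count <= 5:
        raise ValueError("circuit-retry-count must be an integer from 0 to 5")
    return count


def probe_circuit(probe: Callable[[], bool], circuit_retry_count: int = 1) -> Tuple[str, int]:
    """Run one probe cycle and return (status, attempts_used).

    The first probe is always sent. On failure it is retried up to
    circuit_retry_count more times; the first reply marks the circuit online.
    The default of 1 matches the release note (one retry after a failure)."""
    retries = validate_retry_count(circuit_retry_count)
    attempts = 0
    for _ in range(1 + retries):
        attempts += 1
        if probe():
            return "online", attempts
    return "offline", attempts


def scripted_probe(outcomes: Iterable[bool]) -> Callable[[], bool]:
    """Build a probe function from a constructed list of outcomes
    (True = reply received). Once the list is exhausted every probe fails."""
    it = iter(outcomes)
    return lambda: next(it, False)


if __name__ == "__main__":
    # Constructed scenario: one lost reply followed by a good one.
    for retry_count in (0, 1, 5):
        status, used = probe_circuit(scripted_probe([False, True]), retry_count)
        print(f"circuit-retry-count {retry_count}: {status} after {used} attempt(s)")
```

With circuit-retry-count 0 the single lost reply is enough to mark the circuit offline; with the default of 1 the retry succeeds and the circuit stays online.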

New SNMP Features in Software Version 3.1(0)

The GSS SNMP agent has been enhanced to enable support of the following MIB functions:

CISCO-GSLB-DNS-MIB—Monitoring of DNS global statistics, GSLB answer statistics, and GSLB domain statistics.

CISCO-PROCESS-MIB—Monitoring of the failure rate of GSS processes by polling SNMP MIBs.

CISCO-IMAGE-MIB—Viewing of the list of features that the software image running on the GSS supports.

ENTITY-MIB—Viewing comprehensive device information, including hardware and software details.

For additional information regarding the SNMP features that the GSS supports, see the following resources:

For an overview of the SNMP features that the GSS supports, see the Global Site Selector Administration Guide at the following URL:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/gss4400series/v3.0/administration/guide/SNMP.html#wp999649

For details about the objects that the GSS supports for each MIB type, go to the following site:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

From this site, choose GSS from the Cisco Secure and VPN Products drop-down list and then click on the associated Capability MIB. This site provides information about the supported GSS MIBs, Capability MIBs, and notifications. To find the actual MIB OIDs implemented in a MIB, see the corresponding Capability MIB, which describes both the capabilities of an agent with respect to the corresponding MIB module and the variations in the MIB implementations (if any).

Software Version 3.1(2) Resolved Caveats, Open Caveats, and Command Changes

The following sections contain the resolved caveats and open caveats, and command changes in software version 3.1(2):

Resolved Caveats for Software Version 3.1(2)

Open Caveats for Software Version 3.1(2)

Command Changes for Software Version 3.1(2)

Resolved Caveats for Software Version 3.1(2)

This section lists the resolved caveats for software version 3.1(2):

CSCta56433—The GSS sends a circuit probe every 22 seconds to all devices configured under the shared keepalive. If a reply is not received from both devices during a probe cycle, the circuit is marked offline and the answers are marked down. This becomes an issue when you use proximity and sticky. Workaround: None.

CSCtb43145—When a server response from a VIP contains more than a single packet, the GSS incorrectly reports the HTTP-HEAD keepalive as being offline. Workaround: Reduce the HTTP header size by eliminating cookies.

CSCtf02164—TACACS authentication results in an error when a user is denied certain commands (for example, the config command) in ACS or TACACS+; the GSS then allows that command to execute using the locally configured admin user credentials. Workaround: None.

CSCtf28820—When you set the DRP authentication key greater than 127, the DRP fails and dumps the core. Workaround: Set the DRP key less than 127.

Open Caveats for Software Version 3.1(2)

This section lists the open caveats for software version 3.1(2):

CSCtc38727—When the shared keepalive KAL-AP is configured with a secondary circuit IP address, you can get into a state where answers configured for manual reactivation are in an operational suspend state. Workaround: Use the KAL-AP keepalive with only a primary circuit IP address, or use another keepalive type instead of KAL-AP.

CSCtc39127—The GSS running-config is lost and the GUI is unavailable, but the GSS still passes traffic. Workaround: None.

CSCtc76185—The GSS is unable to suspend an answer from the CLI. Workaround: Use the GUI.

CSCtd01467—The following security update is posted at http://www.cisco.com/warp/public/707/cisco-sa-20091109-tls.shtml:

An industry-wide vulnerability exists in the Transport Layer Security (TLS) protocol that could impact any Cisco product that uses any version of TLS and SSL. The vulnerability exists in how the protocol handles session renegotiation and exposes users to a potential man-in-the-middle attack.

CSCte43718—DNS server cores are observed on a GSS running version 3.0.2. The cores can be traced back to an answer group change performed in the GSS GUI. Workaround: None.

CSCte64381—If an external name server responds with NXDOMAIN to DNS requests forwarded by the GSS, the GSS returns the NXDOMAIN error code to the D-proxy under the following conditions:

1. The GSS is authoritative for a domain, is configured with A records for that domain, and is configured with an NS answer for other record types.

2. No resource records are configured on the external name server for the requested domain name, so the external name server returns the NXDOMAIN error code.

Workaround: Configure resource records for the requested domain name on the external name server.

CSCtf30643—When you send a getBulkRequest with zero maximum repetitions, SNMP fails on the GSS. Workaround: Set maximum repetitions to a nonzero value on the NMS application.

CSCtf78828—KAL-AP probes update the keepalive status and the load information at different time intervals. Because of timing, if a DNS request arrives between these two updates and the CSM real server bounces in and out of service, the GSS does not return a valid online CSM answer; it does not hand out the CSM answer even though the answer is online. Workaround: Restart the GSS.

CSCtz88393—In GSS 3.x and earlier versions, if an AAAA query reaches the GSS and the NS Forward DNS clause is selected, the AAAA query is not forwarded to the corresponding name server. Instead, the GSS returns NOERROR.

Workaround: None

Command Changes for Software Version 3.1(2)

Table 2 lists the commands and options that have been changed in software version 3.1(2).

Table 2 CLI Commands Changed in Version 3.1(2)

Mode: GSLB configuration mode
Command and Syntax: keepalive-properties kalap [standard/fast] circuit-retry-count <0-5>
Description: Added the following new attribute:
circuit-retry-count <0-5>—When a KAL-AP circuit probe fails, the circuit probe is retried up to the configured circuit-retry-count value to determine the circuit status.

Mode: GSLB configuration mode
Command and Syntax: shared-keepalive kalap <IP Address> circuit-retry-count <0-5>
Description: Added the following new attribute:
circuit-retry-count <0-5>—When a KAL-AP circuit probe fails, the circuit probe is retried up to the configured circuit-retry-count value to determine the circuit status.


Software Version 3.1(1) Resolved Caveats, Open Caveats, and Command Changes

The following sections contain the resolved caveats and open caveats, and command changes in software version 3.1(1):

Resolved Caveats for Software Version 3.1(1)

Open Caveats for Software Version 3.1(1)

Command Changes for Software Version 3.1(1)

Resolved Caveats for Software Version 3.1(1)

This section lists the resolved caveats for software version 3.1(1).

CSCsy76748—When you hard code the GSS 4490 Ethernet port and then reboot the GSS, the port configuration settings change. For example, if you hard code the port for 100 Mbps and full-duplex operation and then reboot the 4490, the port will operate at 100 Mbps and half-duplex operation. The GSS running configuration, however, will still show the port as being configured for 100 Mbps and full-duplex operation. Workaround: After a reboot, reconfigure the Ethernet port to its correct settings.

CSCsy98600—When using TLSv1 or SSLv3, the GSS supports the following weak ciphers on port 3009:

DES-CBC-SHA

EDH-RSA-DES-CBC-SHA

EXP-DES-CBC-SHA

EXP-EDH-RSA-DES-CBC-SHA

Workaround: The GSS uses port 3009 for Cisco Application Networking Manager (ANM) connectivity only. Use an access control list (ACL) or a firewall to ensure that only authorized ANM devices access this port. If you are not using ANM to manage the GSS, use an ACL to prevent this issue.

CSCsz70369—When a GSS 4492 is running version 3.1(0) software, the SNMP daemon does not start. The SNMP agent parses information in the "/tmp/udi" file to return the ENTITY-MIB OID values that were added in version 3.1(0). When the SNMP agent parses this information on GSS 4492 platforms with a VID of GSS-4492R-K9 V01, it becomes unresponsive.

CSCta02427—When the running configuration contains a large number of ACLs or SNMP configurations, the TACACS configuration may not load when the GSS is rebooted, preventing the user from logging in to the GSS after the reboot. Workaround: Optimize the ACLs or SNMP configurations to reduce the number of configurations required.

CSCta11321—When the GSS is configured for name server (NS) forwarding and it receives a TCP zone transfer request, it forwards the request to the name server and does not respond to other requests on other rules until it receives a response from the name server.

CSCta35984—When TACACS+ authentication is enabled for SSH, the GSS file system may run out of inodes after repeated SSH login attempts because the GSS does not periodically purge the mailboxes it creates in /var/spool/mail that contain user password entries.

CSCta61980—When using the GSS with the integrated version of CNR and the traffic pattern frequently uses the same trans ID to make several queries to different domains, the GSS does not clear the query entries. The query entries eventually consume all of the available space in the memory pool and the GSS becomes unresponsive.

CSCtb09595—When the GSS receives an MX or PTR request to a DNS rule that is configured with a query type of "A" and there is no forwarding rule configured, the GSS response contains the request with the request bit set instead of an answer.

Open Caveats for Software Version 3.1(1)

The following open caveats apply to software version 3.1(1):

CSCtb43145—When a server response from a VIP contains more than a single packet, the GSS incorrectly reports the HTTP-HEAD keepalive as being offline. Workaround: Reduce the HTTP header size by eliminating cookies.

CSCtz88393—In GSS 3.x and earlier versions, if an AAAA query reaches the GSS and the NS Forward DNS clause is selected, the AAAA query is not forwarded to the corresponding name server. Instead, the GSS returns NOERROR.

Workaround: None

Command Changes for Software Version 3.1(1)

Table 3 shows the command that has been added in software version 3.1(1).

Table 3 CLI Command Change in Version 3.1(1)

Mode: Global configuration
Command and Syntax: tacacs-server callerid-info-type {hostname | ipaddress}
Description: Per CSCta39689, this new command enables you to instruct the GSS to insert either the client hostname or the client source IP address into the remote address header when the GSS makes an authentication request to a TACACS+ server. Prior to the introduction of this command, the GSS was capable of inserting the client hostname only.

The keywords for this command are as follows:

hostname—Instructs the GSS to insert the client hostname in the rem_addr field of the TACACS+ authentication packet, which is displayed in the CallerId field on the access control server (ACS). This is the default setting.

ipaddress—Instructs the GSS to insert the client source IP address in the rem_addr field of the TACACS+ authentication packet, which is displayed in the CallerId field on the ACS.


Note When you use the hostname keyword and the GSS cannot resolve the client source IP address to the client hostname, the GSS inserts the client source IP address.


The no form of this command is not permitted.

The output of the show tacacs, show running-config, and show startup-config commands contains the tacacs-server callerid-info-type command setting.


Software Version 3.1(0) Resolved Caveats and Open Caveats

The following sections contain the resolved and open caveats in software version 3.1(0):

Resolved Caveats for Software Version 3.1(0)

Open Caveats for Software Version 3.1(0)

Resolved Caveats for Software Version 3.1(0)

This section lists the resolved caveats for software version 3.1(0).

CSCsw14463—The SNMP location and contact strings do not accept quotation marks.

CSCsw40167—When the License Manager did not reply to the Config manager, the Config Manager entered a deadlock state.

CSCsw98396—When the number of stale entries in the GSS-CNR interface memory pool exceeds 100, the cleanup manager does not remove all of the stale entries, which leads to memory pool depletion. When this problem occurs, new DNS requests are dropped.

CSCsx66994—When installing an ISO image on the GSS 4490 hardware, the installation fails.

CSCsu83379—Modifying a shared KAL-AP causes the answers to go offline.

CSCsw16817—When user data containing improper quoting of shell metacharacters is passed to the GSS, shell access is allowed.
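CSCsw16817 above names a vulnerability class rather than a specific code path, so the following added Python example illustrates that class in general terms and is not the GSS code or a description of the actual defect: user-supplied data concatenated into a command string and handed to a shell, beside the hardened form that validates the value against a strict allow-list and passes it as a separate argv element with no shell involved. The function names, the regular expression and the sample inputs are the example's own.

```python
import re
import shlex
import subprocess
from typing import List

# Added example, not part of the Cisco release note. Shows the shell
# metacharacter quoting problem class and its usual mitigations.

# Allow-list for a "host" argument: dotted LDH hostname labels (1-63 octets
# each, no leading/trailing hyphen). Dotted-quad IPv4 addresses also match.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


def vulnerable_ping_command(host: str) -> str:
    """Unsafe pattern: user data concatenated into a shell command line.

    If this string is run through a shell (os.system, subprocess with
    shell=True), any shell metacharacter in `host` is interpreted by the
    shell rather than treated as part of the hostname."""
    return "ping -c 1 " + host


def validate_host(host: str) -> str:
    """Reject anything that is not a plain hostname or IPv4 literal.
    Length limit follows the 253-octet DNS name limit."""
    if len(host) > 253 or not _HOST_RE.match(host):
        raise ValueError("invalid host value")
    return host


def safe_ping_argv(host: str) -> List[str]:
    """Hardened form: validated value passed as its own argv element.
    subprocess.run(argv) with the default shell=False never parses it."""
    return ["ping", "-c", "1", validate_host(host)]


def safe_shell_string(host: str) -> str:
    """If a shell command string is unavoidable, quote the validated value
    with shlex.quote so the shell sees it as a single literal word."""
    return "ping -c 1 " + shlex.quote(validate_host(host))


def run_ping(host: str) -> int:
    """Execute the hardened form and return the exit status."""
    completed = subprocess.run(safe_ping_argv(host), capture_output=True, check=False)
    return completed.returncode


if __name__ == "__main__":
    # Constructed inputs: one ordinary hostname, one containing a metacharacter.
    for sample in ("host1.example", "host1.example; id"):
        try:
            print(safe_ping_argv(sample))
        except ValueError as exc:
            print(f"rejected {sample!r}: {exc}")
```

The validation step is what matters: `shlex.quote` alone makes the shell treat the value as literal, but it does not stop a value that is simply wrong for the program being invoked, and the argv form removes the shell from the picture entirely.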

Open Caveats for Software Version 3.1(0)

This section describes the following open caveats for software version 3.1(0):

CSCsy76748—When you hard code the GSS 4490 Ethernet port and then reboot the GSS, the port configuration settings change. For example, if you hard code the port for 100 Mbps and full-duplex operation and then reboot the 4490, the port will operate at 100 Mbps and half-duplex operation. The GSS running configuration, however, will still show the port as being configured for 100 Mbps and full-duplex operation.

Workaround: After a reboot, reconfigure the Ethernet port to its correct settings.

CSCtz88393—In GSS 3.x and earlier versions, if an AAAA query reaches the GSS and the NS Forward DNS clause is selected, the AAAA query is not forwarded to the corresponding name server. Instead, the GSS returns NOERROR.

Workaround: None

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html