
ZyXEL

Firmware Release Note ZyWALL USG 1000 Release 2.20(AQV.5)C0

Date: June 28, 2011
Author: Eason Lee
Project Leader: Eason Lee

ZyXEL ZyWALL USG 1000 Release 2.20(AQV.5)C0 Release Note


Date: June 28, 2011

Supported Platforms:
ZyXEL ZyWALL USG 1000

Versions:
ZLD Version: V2.20(AQV.5) | 2011-06-21 11:29:50
BootModule Version: V1.15 | 2010-12-22 10:29:18

Files contained in the Release ZIP file

File name: 220AQV5C0.bin
Purpose: This binary firmware image file is for normal system update.
Note: The firmware update may take five or more minutes depending on the scale of the device configuration. The more complex the configuration, the longer the update takes. Do not turn off or reset the ZyWALL while the firmware update is in progress. The firmware might get damaged if the device loses power or you reset the device during the firmware upload. You might need to refer to Appendix 7 of this document to recover the firmware.

File name: 220AQV5C0.conf
Purpose: This ASCII file contains default system configuration commands.

File name: 220AQV5C0.db
Purpose: This binary file contains default system signatures.
Note: The file is only needed when doing system recovery from damage.

File name: 220AQV5C0.doc
Purpose: This release file.

File name: 220AQV5C0.ri
Purpose: This binary firmware recovery image file is for emergency recovery from system firmware damage.
Note: The ZyWALL firmware could be damaged, for example by the power going off or by pressing the Reset button during a firmware update. Refer to ZyWALL ZLD CLI Reference Guide, Section 34.8 for details.

File name: 220AQV5C0-enterprise.mib, 220AQV5C0-private.mib
Purpose: The Enterprise and Private MIBs collect information about CPU and memory usage and VPN total throughput. The focus of the MIBs is to let administrators collect statistical data and monitor status and performance.

File name: firmware.xml
Purpose: This file is needed by ZyXEL Centralized Network Management (CNM) 3.0 or later.

File name: 220AQV5C0-opensource-list.xls
Purpose: This file lists the open source packages.

Read Me First
1. The system default configuration is summarized below:
   The default device administration username is admin, password is 1234.
   The default LAN interface is lan1, which consists of the P3, P4 and P5 ports on the front panel. The default IP address of lan1 is 192.168.1.1/24.
   By default, the WWW/SSH/SNMP services can only be accessed from the LAN subnet.
   The default WAN interface is wan1, and the secondary WAN interface is wan2. These two interfaces automatically get an IP address using DHCP by default.
2. It is recommended that the user back up the startup-config.conf file before upgrading firmware. The backup configuration file can be used if the user wants to downgrade to an older firmware version.
3. If the user upgrades from a previously released firmware to this version, there is no need to restore the system default configuration.
4. If it is difficult to configure via the GUI (popup JavaScript error, etc.), it is recommended to log out of the configuration window and clear the browser cache first, then log in and configure again.
5. To reset the device to system default, press the RESET button for 5 seconds. The device will reset itself to the system default configuration and then reboot automatically.
   Note 1: After resetting, the original configuration will be removed. It is recommended to back up the configuration before performing this operation.
   Note 2: After resetting, if the user has subscribed to security licenses, the user needs to connect to the Internet, reach myZyXEL.com and refresh the license information.
6. If the device fails to reboot successfully after a firmware upgrade, please refer to Appendix 3: Firmware Recovery.
7. Please first jump to Patch2 C0, Patch3 C0 or Patch4 C0 before upgrading firmware from above Patch2 C0 to Patch5 C0 and later.

Design Limitations:
Note: Design Limitations describe the system behavior or limitations in the current version. They will be added to the knowledge base.

Anti-Virus
1. [SPR: 070813118]
[Symptom] ZyWALL has a limit on concurrent sessions for ZIP and RAR decompression. If the limit has been reached (typically in HTTP traffic), the event is logged and the action depends on whether the checkbox (Destroy compressed files that could not be decompressed) is checked. If checked, compressed files are destroyed; otherwise, they are bypassed.
[Workaround] Uncheck the option "Destroy compressed files that could not be decompressed" in the AV settings.
2. [SPR: 100408336]
[Symptom] The DUT can't detect a virus if the compressed file includes both a virus file and an encrypted file, and the encrypted file is listed first in the compressed file. This is a design issue: AV skips detection when it encounters an encrypted file.
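Because of limitation 2 above, a mixed archive whose first member is encrypted is not scanned by the ZyWALL. The following added example (not ZyXEL code and not part of the original release note) shows a triage check that another scanning layer could apply to ZIP files: it reads each member's encryption flag and holds archives that mix encrypted and cleartext members. The verdict names and the helper `build_sample` are assumptions of this example, and the sample archives are constructed with benign content.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x0001        # general-purpose flag bit 0: member is encrypted
LOCAL_FLAGS_AT = 6        # flag field offset inside a local file header
CENTRAL_FLAGS_AT = 8      # flag field offset inside a central directory entry


def member_layout(data):
    """Return [(name, is_encrypted)] in the order members appear in the stream."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = sorted((zi for zi in zf.infolist() if not zi.is_dir()),
                       key=lambda zi: zi.header_offset)
    layout = []
    for zi in infos:
        (local_flags,) = struct.unpack_from(
            "<H", data, zi.header_offset + LOCAL_FLAGS_AT)
        # A streaming scanner meets the local header first, so honour either copy.
        layout.append((zi.filename,
                       bool((zi.flag_bits | local_flags) & ENCRYPTED)))
    return layout


def triage(data):
    """Return (verdict, cleartext_members) for one ZIP archive.

    Verdict names are this example's own, not ZyWALL log strings.
    """
    layout = member_layout(data)
    encrypted = [name for name, enc in layout if enc]
    cleartext = [name for name, enc in layout if not enc]
    if not encrypted:
        return "scan-at-gateway", cleartext
    if not cleartext:
        return "opaque-archive", []
    if layout[0][1]:
        # The layout described in SPR 100408336: the cleartext members
        # behind the encrypted one would go unscanned on the gateway.
        return "hold-encrypted-first", cleartext
    return "hold-mixed", cleartext


def build_sample(members):
    """Constructed input: benign stored members; 'encrypted' ones only carry
    the flag bit in both headers, their bytes are not actually encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, _ in members:
            info = zipfile.ZipInfo(name, date_time=(2011, 6, 28, 0, 0, 0))
            zf.writestr(info, b"benign placeholder\n")
    raw = bytearray(buf.getvalue())
    with zipfile.ZipFile(io.BytesIO(bytes(raw))) as zf:
        local_offsets = [zi.header_offset for zi in zf.infolist()]
    eocd = raw.rfind(b"PK\x05\x06")                      # end of central directory
    (entry,) = struct.unpack_from("<I", raw, eocd + 16)  # first central entry
    for (_, encrypted), local in zip(members, local_offsets):
        name_len, extra_len, comment_len = struct.unpack_from(
            "<HHH", raw, entry + 28)
        if encrypted:
            for at in (local + LOCAL_FLAGS_AT, entry + CENTRAL_FLAGS_AT):
                (flags,) = struct.unpack_from("<H", raw, at)
                struct.pack_into("<H", raw, at, flags | ENCRYPTED)
        entry += 46 + name_len + extra_len + comment_len
    return bytes(raw)


if __name__ == "__main__":
    # Constructed sample layouts: (member name, flagged as encrypted)
    samples = {
        "encrypted first": [("locked.bin", True), ("report.txt", False)],
        "encrypted later": [("report.txt", False), ("locked.bin", True)],
        "no encryption": [("a.txt", False), ("b.txt", False)],
    }
    for label, members in samples.items():
        print(label, "->", triage(build_sample(members)))
```

Archives with a "hold" verdict are candidates for quarantine or endpoint scanning, since the gateway AV result for them cannot be relied on.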

Built-in Service
1. [SPR: 061208575]
[Symptom] If users change the port for built-in services (FTP/HTTP/SSH/TELNET) and the port conflicts with another service or an internal service, the service might not be brought up successfully. The internal service ports include 10443/1723/2601-2604.
[Workaround] Users should avoid using these internal ports for built-in services.
2. [SPR: 100419981]
[Symptom] DNS doesn't resolve a 2nd level domain name.
Example: In System-DNS-Address/PTR Record, add two records:
   a) testdomain.com 192.168.10.100
   b) www.testdomain.com 192.168.10.100
The DUT does NOT resolve testdomain.com.

Certificate
1. [SPR: 080509434]
[Symptom] Cannot input L (locality name), ST (state or province name), etc. when creating a certificate request.

EPS (Endpoint Security)


1. [SPR: 090805245]
[Symptom] When the PC OS is 64-bit, EPS always fails when checking Firewall, Anti-virus and Windows auto update. EPS is currently not supported on 64-bit Windows operating systems.

GUI
1. [SPR: 100415854]
[Symptom] The behavior of the GUI's initial help page was wrong. This is caused by the three-layer open web-help.

Interface
1. [SPR: 100105242, 100105292] Since F/W version 2.12
[Symptom] PPTP might not be able to connect successfully if it is configured via Installation Wizard/Quick Setup. This is because:
   1) Installation Wizard/Quick Setup only allows the PPTP based interface to be configured with a Static IP.
   2) Installation Wizard/Quick Setup doesn't allow the user to configure the Gateway IP Address of the PPTP based interface. PPTP may then fail to connect if the PPTP Server IP is not in the same subnet as the PPTP based interface.
[Workaround] Before dialing the PPTP connection, configure the Gateway IP of the PPTP interface's based interface.

IPSec VPN
1. [SPR: 070814169]
[Symptom] PKI does not interoperate with Windows CA server when using SCEP.
2. [SPR: 070814168] Since F/W version 2.00
[Symptom] The VPN tunnel cannot be established when 1) a non-ZyWALL peer gateway reboots and 2) ZyWALL has a previously established Phase 1 with the peer gateway and that Phase 1 has not yet expired. Under those conditions, ZyWALL continues to use the previous Phase 1 SA to negotiate the Phase 2 SA, which causes the Phase 2 negotiation to fail.
[Workaround] The user can disable and re-enable the phase 1 rule in ZyWALL or turn on the DPD function to resolve the problem.
3. [SPR: 100429119] Since F/W version 2.11
[Symptom] VPN tunnel might be established with an incorrect VPN Gateway
[Condition]
   1. Prepare 2 ZyWALLs and reset both to factory default configuration
   2. On ZyWALL-A
      1. Create 2 WAN interfaces and configure WAN1 as DHCP Client
      2. Create 2 VPN Gateways. My Address is configured as Interface type, selecting WAN1 and WAN2 respectively
      3. Create 2 VPN Connections named VPN-A and VPN-B, bound to the VPN Gateways just created
   3. On ZyWALL-B
      Create one WAN interface
      Create one VPN Gateway. The Primary Peer Gateway Address is configured as the WAN1 IP address of ZyWALL-A and the Secondary Peer Gateway Address is configured as the WAN2 IP address of ZyWALL-A
   4. Connect the VPN tunnel from ZyWALL-B to ZyWALL-A; VPN-A is shown as connected on ZyWALL-A
   5. Unplug the WAN1 cable on ZyWALL-A
   6. After DPD is triggered on ZyWALL-B, the VPN Connection is established again
   7. On ZyWALL-A, VPN-A is connected. But ZyWALL-B should actually connect to VPN-B after step 5)
[Workaround] Change the WAN1 setting of ZyWALL-A to Static IP

SSL VPN
1. [SPR: 091022383]
[Symptom] SSLVPN stops working in the following case:
   1) Configure one SSLVPN policy and activate the Network Extension
   2) Add network A into Network List
   3) User logs in to SSLVPN from network A
   4) The SSLVPN cannot be established and cannot work anymore
[Workaround] Reboot DUT and remove network A from Network List.
2. [SPR: 091021328]
[Symptom] The SecuExtender agent cannot be launched in Windows Vista and Windows 7 if Computer Management/Services and Applications/Services/ZyWALL SecuExtender Helper is disabled on the user's computer before the user tries to log in to SSLVPN.
[Workaround] Enable ZyWALL SecuExtender Helper before you try to log in to SSLVPN.
3. [SPR: 090901070]
[Symptom] Microsoft RDP Client Control may not work after the user installs MS KB958469/958470/958471/956744. When using the SSL VPN RDP function, after the user installs the Remote Desktop Client Control (msrdp.cab), a JavaScript error may occur on some PCs.

This problem is caused by MS KB958469/958470/958471/956744. When the user has never used the RDP ActiveX control and installs KB958469/958470/958471/956744, Windows will block the msrdp.cab installer.

[Workaround]
To solve this problem, the user can reinstall KB958469/958470/958471/956744 after failing to install msrdp.ocx. Go to the Windows Update site; KB958469/958470/958471/956744 will reappear on the web site. Once it is installed, the RDP function can be used.

For more information, see the Microsoft Support site:
http://support.microsoft.com/kb/958469
http://support.microsoft.com/kb/958470
http://support.microsoft.com/kb/958471
http://support.microsoft.com/kb/956744
4. [SPR: 100413593]
[Symptom] Cannot log in to the remote RDP server via SSLVPN. Microsoft RDP Client Control may not work in IE7/IE8 after WinXP SP3. To use the SSLVPN Portal RDP function, the web page must load the Microsoft RDP Client Control. This ActiveX control must be enabled, or the function will not work. In IE6, the option can be found in [Tools > Manage Add-ons] and set to enable.

After WinXP SP3, Microsoft RDP Client Control is disabled by default. If the user never used the RDP control in IE6 and set it to enable, then after upgrading to IE7/IE8 the user may get the message:

Add-on Disabled This Webpage is requesting an add-on that is disabled. To enable the add-on click here.

Add-on Disabled.

But when clicking the add-on, the RDP Client Control can't be found in Manage Add-ons.

[Solution] Microsoft provides a solution to this problem on their official support website. The user can follow the official instructions to enable the RDP ActiveX control.
http://support.microsoft.com/kb/951607

   1) Click Start, Run. Type Regedit.exe and press ENTER.
   2) Remove the following registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9059f30f-4eb1-4bd2-9fdc-36f43a218f4a}
   3) Restart Internet Explorer, and try to connect to the RDP application again.
For IE7, the browser may keep reminding the user to install the related ActiveX control. This is due to the security policy; you need to set the value of "Allow previously unused ActiveX controls to run without prompt" to Enable. Please see the following steps:
   a) From the Tools menu, click Internet Options.
   b) On the Security tab, select the zone that contains the Web Interface server and click Custom level.
   c) Set "Allow previously unused ActiveX controls to run without prompt" to Enable.
5. [SPR: 080430468] Since F/W version 2.11 Design
[Symptom] Cannot install SSL VPN RDP web component in Vista and WIN 2000
[Workaround] Windows XP SP3/RDP 6.1 breaks RDP connection through Internet Explorer.

Following is the SSL VPN RDP limitation table.


Applications Operating System

File Sharing (Web-based Application)


Internet Explorer 8.0, 9.0 Firefox 3.6, 4.0

RDP / VNC
Internet Explorer 8.0, 9.0 Firefox 3.6@, 4.0@

Full Tunnel Mode


Internet Explorer 8.0, 9.0 Firefox 3.6, 4.0

Windows 7 JRE 1.6

Windows XP JRE 1.4/1.5/1.6

Internet Explorer 6.0, 7.0, 8.0+ Netscape 8.1, 9.0 Mozilla 1.7 Firefox 3.6, 4.0 Opera 8.0 (Up to 9.0)+ Internet Explorer 7.0, 8.0+ Firefox 1.5, 2.0, 3.0 Internet Explorer 6.0 Firefox 3.0 Internet Explorer 6.0, 7.0, 8.0 Netscape 8.1, 9.0 Firefox 1.5, 2.0, 3.0 Nescapte 9.0 Mozilla 1.7 Firefox 1.5, 2.0, 3.0 Opera 9.0 Mozilla 1.7+ Firefox 2.0+, 3.0+ Safari 2.0 camino-1.0.4.dmg firefox 2.0.0.3.dmg

Internet Explorer 6.0, 7.0, 8.0+ Netscape 8.1, 9.0@ Mozilla 1.7 Firefox 3.6@, 4.0@ Opera 8.0 (Up to 9.0)+ Internet Explorer 7.0, 8.0+ Firefox 1.5@, 2.0@, 3.0@ Internet Explorer 6.0 Firefox 3.0@

Internet Explorer 6.0, 7.0, 8.0+ Netscape 8.1, 9.0 Mozilla 1.7 Firefox 3.6, 4.0 Opera 8.0 (Up to 9.0)+ Internet Explorer 7.0, 8.0+ Firefox 1.5, 2.0, 3.0 Internet Explorer 6.0 Firefox 3.0

Windows Vista JRE 1.6 Windows 2000 JRE 1.4/1.5/1.6 Windows 2003 JRE 1.5/1.6

Internet Explorer 6.0*, 7.0*, Internet Explorer 6.0, 7.0, 8.0 8.0* Netscape 8.1, 9.0@ Netscape 8.1*, 9.0* Firefox 1.5@, 2.0@, 3.0@ Firefox 1.5*, 2.0*, 3.0* Nescapte 9.0 Mozilla 1.7 Firefox 1.5@, 2.0@, 3.0@ Opera 9.0 Nescapte 9.0 Mozilla 1.7 Firefox 1.5, 2.0, 3.0 Opera 9.0

Linux OS

Apple MAC OS X

Firefox 1.5+@, 2.0+@, 3.0+@

Safari 2.0 / 3.0

Note:
1. "black" stands for test ok
2. "purple+" for item not tested yet
3. "green@" stands for RDP does not work, only VNC
4. "red*" for future release
5. Safari 2.0 has some problem (Need to refresh page)
6. camino-1.0.4.dmg / firefox 2.0.0.3 has to use java embedding plugin 0.9.6.2 or above
7. Mozilla or Netscape in VNC always fail
8. "Gray" means not supported
9. VNC can't work fine in Netscape 8.1 with JRE 1.5
10. SecuExtender can't add routing

6. [SPR: 100419034]
[Symptom] SSLVPN VNC cannot work if the user connects to the VNC application by FQDN.
7. [SPR: 100427864] Since F/W version 2.11
[Symptom] ActiveX cannot be installed successfully when using the SSLVPN RDP function
[Condition]
   1) PC environment: Windows XP with SP3, using IE7 as browser.
   2) Edit Object > SSL Application > add rules - Type=Web Application, Server Type=RDP, Name=RDP_Windows
   3) Create one SSLVPN policy which selects the SSL Application just created
   4) Log in to SSL VPN; the RDP_Windows portal cannot be opened with Full Screen and 32-bit color.
   5) The GUI continuously asks the user to install the terminal services ActiveX Client
[Workaround] This is because IE7 doesn't allow previously unused ActiveX controls to run by default. The default behavior needs to be changed to allow ActiveX controls in IE7. See the procedure below:
   1. Click Tools > Internet Options
   2. Select the Security tab
   3. Select Internet Zone and click Custom level
   4. Enable the ActiveX option "Allow previously unused ActiveX controls to run without prompt"

User Aware
1. [SPR: 070813119]
[Symptom] The device supports authenticating users remotely by creating an AAA method which includes AAA servers (LDAP/AD/Radius). If a user uses an account which exists in 2 AAA servers and supplies the correct password for the latter AAA server in the AAA method, the authentication result depends on what the former AAA server is. If the former server is Radius, the authentication is granted; otherwise, it is rejected.
[Workaround] Avoid having the same account in AAA servers within a method.

USB Storage
1. [SPR: 100708070] Since F/W version 2.20
[Symptom] When the system name is renamed, the USB storage cannot work.

Known Issues:
Note: These known issues are the issues not yet fixed in the current release. We already plan to fix them in a future release.
1. [ITS: 59317]
[Symptom] A user uses his online backup file server, and when he starts to download a lot of files (about 3.08GB), the download always fails. The backup server uses the HTTP protocol and a Java applet.
[Workaround] Please contact CSO to get fixed date code.
2. [ITS: 61185]
[Symptom] No IP/MAC binding entry is displayed in the IP/MAC binding table when many entries are configured.
[Workaround] Please contact CSO to get fixed date code.
3. [ITS: 61671]
[Symptom] If you configure PPP bind bridge and then reboot the DUT, applying startup-config.conf fails and the device rolls back to apply lastgood.conf.
[Workaround] Please contact CSO to get fixed date code.
4. [ITS: 62056]
[Symptom] If you use ZyWALL as the DNS server and query via a site-to-site VPN tunnel as in the following topology, the DNS query fails.
VPN tunnel between both USG
__________________________________
| | |
LAN A----------USG A -------- Internet -------- USG B
PC A in LAN-A requests aa.com, which is maintained as an Address/PTR Record in the remote USG-B. The reply packet from USG-B cannot go back into the VPN tunnel.
[Workaround] Please contact CSO to get fixed date code.
5. [ITS: 63200]
[Symptom] When creating a virtual server rule whose original IP is ANY and NAT loopback is ENABLED, a warning message states that this rule will not take effect. But the virtual server is still created and the user can see it in the GUI. The user will challenge why this rule does not work. This behavior is different in 2.12. Change the behavior to match 2.12 so that this virtual server rule is not created in the GUI.
[Workaround] Please contact CSO to get fixed date code.
6. [ITS: 63517]
[Symptom] The customer creates a VLAN and sets the interface IP address to 192.168.200.1. After switching off/on or rebooting, the VLAN settings disappear.
[Workaround] Please contact CSO to get fixed date code.
7. [ITS: 64199]
[Symptom] A firewall rule still blocks traffic when the following condition is true.
If the customer uses a firewall rule to block all traffic for a specific address group, this rule fully works. But if he removes a member from this address group (the address group is empty after the removal), this IP is still blocked until he disables and re-enables this firewall rule.
[Workaround] Please contact CSO to get fixed date code.
8. [ITS: 63337]
[Symptom] The user encounters a failure sending the log/email daily report because his mail server drops mail whose content does not include <Date> information.
[Workaround] Please contact CSO to get fixed date code.
9. [ITS: 63184]
[Symptom] The user sometimes cannot create an L2TP tunnel via iPhone (no matter what iOS version). The debug message "sshipsecpm is dead" is printed on the console and a core-dump file can be found in the core-dump directory.
[Workaround] Please contact CSO to get fixed date code.
10. [ITS: 63953]
[Symptom] The user sets Daylight saving to 1 hour and the email daily report to 0:00, but the report is always sent at 1:00 AM.
[Workaround] Please contact CSO to get fixed date code.
11. [ITS: 64175]
[Symptom] In a specific configuration (a very large number of ext-group user settings), a login with an ext-group user hangs in the login flow.
[Workaround] Please contact CSO to get fixed date code.
12. [SPR: 100818446]
[Symptom] 3G status shows "Device detected" after disabling Nailed-Up.
[Workaround] Please wait about 5 minutes; the 3G status will change to "Device ready" and it can be connected again.
13. [SPR: 110105747]
[Symptom] It takes five minutes to connect to the cellular network when using E156G with a SIM card that doesn't need a PIN code.
[Workaround] Please wait about 5 minutes and the cellular connection will be established.
14. [SPR: 110621773]
[Symptom] Cannot log in to the SSL portal when using an external group user type account in a Radius server.
[Workaround] Please contact CSO to get fixed date code.

www.zyxel.com

Features:
Modifications in 2.20(AQV.5)C0 - 2011/06/28
1. [ENHANCEMENT] Device HA sync enhancement.
   1. Device HA sync skips leading and trailing white space.
   2. Device HA sync error recovery behavior changed to retry once and recover twice. If all of these actions fail, the system reboots.
   3. Device HA sync verifies the startup configuration after applying the configuration, except for the Device HA part.
2. [ENHANCEMENT] Show PPPoE and PPTP interface on Dashboard.
3. [ENHANCEMENT] New 3G card support: E169u, E156G, E1750 and Sierra Wireless USB 305
4. [ENHANCEMENT] Add reseller information support on registration.
5. [ENHANCEMENT] Content filter re-launch
   1. Update BlueCoat categories service
   2. Refine content filter report and show statistics on Dashboard
   3. ZSB disabled by default
   4. Unsafe categories selected by default when creating a new CF profile
   5. Daily refresh of BlueCoat query server status
6. [ENHANCEMENT] Add packet flow explorer
7. [ENHANCEMENT] Add certificate auto-update
8. [ENHANCEMENT] Add French language support
9. [ENHANCEMENT] Add PPP uptime information on web GUI
10. [ENHANCEMENT] PPPoE interface supports assigning a gateway address when using the static IP scenario.
11. [ENHANCEMENT] Fall back sessions by disconnecting passive connections: in a policy route rule whose next-hop is a Trunk, when the interfaces other than the passive interface are disconnected and an interface later recovers, connections going out through the passive interface are forcibly disconnected.
12. [ENHANCEMENT] Support ingress traffic counting for the least-load-first and spillover algorithms on trunk interface
13. [ENHANCEMENT] EPS enhancement
   1. Remove OS checking from the checking items. If the OS does not match, checking continues with the next EPS policy.
   2. Mark the checking items more clearly in the GUI.
14. [ENHANCEMENT] ITS#56441 The content filter daemon passes these MIME types by default: gif, jpg, jpe, tif, png, bmp, crl, css. Two CLI commands are added to control whether the MIME type is checked:
   1. # [no] content-filter mimetype ignore
   2. # show content-filter mimetype ignore status
15. [ENHANCEMENT] ITS#57707 Add a new CLI "[no] arp reply restricted" to turn the ARP reply setting on and off
16. [ENHANCEMENT] Add cs0~7 support for IP Precedence in the "DSCP Code" and "DSCP Marking" columns.
17. [ENHANCEMENT] Daemon auto recovery for the IPSec VPN and content filter daemons
18. [ENHANCEMENT] Add schedule-run support. It can configure the system to run a shell script automatically. It supports three modes: daily, weekly and monthly.
19. [ENHANCEMENT] Add extra debug CLI for content filter
   # debug show content-filter ip-queue
   # debug show content-filter query
   Add the following CLI commands into diag-info
   # debug show content-filter server
   # debug show content-filter profiling
   # debug show content-filter ip-queue
   # debug show content-filter query
20. [ENHANCEMENT] Extend the maximum number of entries in the trusted and forbidden lists of content filter from 64 to 128
21. [ENHANCEMENT] Create two new default service objects, NTP and RDP
22. [ENHANCEMENT] 101213814 ITS#56601 Add source IP and destination IP to these two content-filter debug logs
   1. "Cache: C: %lx M: %lx(%s) V: %s U: %s%s"
   2. "C: %lx M: %lx(%s) V: %s(%d) U: %s%s"
23. [ENHANCEMENT] If the 3G status runs into fail status, the DUT will stop and wait to reset the 3G card. The reset interval is 3 minutes. After 5 resets, if the 3G connection still can't be established, the reset interval is set to 10 minutes
24. [ENHANCEMENT] Dump debug info to a file when CPU or memory usage exceeds the threshold, and compress the files into diagnostics.
   CLI to configure the CPU usage threshold:
   # app-watch-dog cpu-threshold min <1..100> max <1..100>
   CLI to restore the CPU usage threshold to the default value, min 80 max 90:
   # no app-watch-dog cpu-threshold
25. [BUG FIX] 100518001 ITS#57141
Symptom: Device HA backup sync fails if the master changes any setting in the GUI Object/User page.
Condition:
   1. Set up Device HA on both devices, and make sure the backup has synced successfully from the master.
   2. Add an account on the master.
   3. The password of the master's device-ha account is changed, and backup sync then always fails due to a bad password.
26. [BUG FIX] 110325222 ITS#61356
Symptom: User could not access the management IP of the Backup across subnets.
Condition:
   1. Set up a Device HA environment.
   2. User could not access the management IP of the Backup across subnets.
27. [BUG FIX] 100318654 ITS#52494
Symptom: Changing the Default Authentication Timeout Settings of ext-group-user doesn't work.
Condition:
   1. Go to User/Group---Settings, change the Default Authentication Timeout Settings of ext-group-user. Set Lease Time: 144; Reauthentication Time: 144.
   2. Add an ext-group-user testad. Make sure users in group testad can log in to the device successfully.
   3. Check that the remaining lease time and remaining auth. time are still 1440 min.
   4. BTW, when adding a user of the ext-group-user type, you can't select "Use Default Settings" or "Use Manual Settings" for Authentication Timeout Settings in the page. This is different from other user types.
28. [BUG FIX] 100415751 ITS#54390
Symptom: In the Authentication configuration of a VPN Gateway, Pre-Shared Key and Certificate can be chosen simultaneously.
Condition:
   1. Apply the system-default.conf
   2. Go to Configuration > VPN > IPSec VPN > VPN Gateway and add a single rule
   3. In Authentication, choose Certificate and then choose Pre-Shared Key
   4. Certificate and Pre-Shared Key are chosen simultaneously as attached.

Copyright 1995-2011, ZyXEL Communications Corp. All rights reserved.


29. [BUG FIX] 100827086 ITS#52331
Symptom: Content filter daemon is dead.
Condition: We can reproduce this issue locally. Steps:
   1. Add a content-filter policy rule with a group that contains a user test and another user test123456789012345678901234567 (the second one must be long enough).
   2. User1 test logs in to the ZyWALL from computer A and then accesses some websites.
   3. User2 test123456789012345678901234567 logs in to the ZyWALL from computer A too.
   4. User2 test123456789012345678901234567 logs out and after 1 min, the content-filter daemon dies.
30. [BUG FIX] 100608525 ITS#50497
Symptom: SNMP manager can't show SNMP trap messages when the SNMP agent sets trap messages to version 1.
Condition: It worked with firmware 2.12. However, after the firmware is upgraded to 2.20, an SNMP agent behind USG100 cannot update SNMP trap messages to the SNMP manager. If the SNMP agent is not behind USG100, it can update trap messages without problems.
31. [BUG FIX] 100910107 ITS#54278
Symptom: The user name and password of PPTP and PPPoE don't support some special characters.
Condition: USG with v2.20 patch 1 doesn't support "?" in the password of the ISP account for a PPPoE connection.
32. [BUG FIX] 100923820 ITS#53462
Symptom: A user who builds an SSL VPN to the USG wants to access a NAS through IPSec but fails.
Condition:
   1. SSL-VPN PC is connected to USG-100 successfully.
   2. IPSec VPN between USG-100 and ZyWALL 2 Plus is built successfully.
   3. PC on USG-100 LAN can ping NSA-220.
   4. SSL PC cannot access the NAS by File Sharing.


33. [BUG FIX] 100825943 ITS#53808
Symptom: Not all interface traffic statistics are cleared when "Reset counters after sending report successfully" is enabled or the button "Reset All counters" is clicked in email daily report.
Condition: This issue can be reproduced with the default configuration.
Topology: LAN users---ZyWALL USG---WAN---Internet
   Step1: LAN users download big files from the Internet.
   Step2: Enable "Reset counters after sending report successfully" and send the email daily report.
   Step3: Send the email daily report again.
   Step4: Compare the two reports and check whether interface statistics and anti-x statistics are reset.
34. [BUG FIX] 101011180 ITS#55079
Symptom: Every time the customer adds a content filter policy to USG 100, an error message pops up.
Condition:
   1. Add a CF profile and input 123-reg.co.uk into the Trusted Web Sites list. Other settings are default.
   2. Add a CF rule using this profile. An error message is shown.
35. [BUG FIX] 100824792 ITS#50493
Symptom: When the interface wan2_ppp goes down, all the VPN tunnels built on wan1 go down.
Condition:
   1. WAN1: G.SHDSL line (P791R-V2); WAN2_ppp: ADSL line (P660R-D1)
   2. Customer configures VPN on WAN1. (There is no VPN on WAN2.)
36. [BUG FIX] 101026312 ITS#54467
Symptom: If the SSL VPN user index is not correct, the user login web page redirects to the access page.
Condition:
   1. Create two ext-group-user type users test-a and test-b; the index of test-a is smaller than that of test-b, and they both contain a user justin.
   2. Configure an SSL VPN with test-b as the user.
   3. Log in to the SSL VPN with user justin; you will land on the access page.


37. [BUG FIX] 101101063 ITS#56038
Symptom: In Address and Service Group, the available member list isn't displayed in alphabetical order
Condition: In Object > Address > Address Group, the available member list isn't displayed in alphabetical order. The same problem also exists with Service Object groups.
38. [BUG FIX] 101103357 ITS#55639
Symptom: USG reboots automatically every 24 hours.
Condition: The root cause is that the device always crashes at the turnkey when AV parses an HTTP POST and copies out the URI string from the HTTP POST request; if there is no string after the POST request, copying the filename fails.
39. [BUG FIX] 101103356 ITS# 49591, 55289
Symptom: When the user does a PCI risk scan, some items fail.
Condition: Website: https://www.securitymetrics.com/results_home.adp The USG has failed items when being scanned by the PCI website.
40. [BUG FIX] 101101017 ITS#55529
Symptom: In a special topology, Content Filter fails to block web pages.
Condition:
   1. USG is set to bridge mode. Enable the CF function.
   2. Access a web site from a PC; it fails to block any web site.
41. [BUG FIX] 100818439 ITS#53683
Symptom: On the AD/LDAP edit page, it isn't possible to type an AD/LDAP domain with a space in the Base DN and Bind DN fields.
Condition: The customer wants to configure the AD server, but encounters the issue in BaseDN and BindDN because of the space.


42. [BUG FIX] 101102159 ITS#55572
Symptom: DDNS HA doesn't work when an interface is disabled
Condition:
   1. Add a DDNS rule. Primary Binding Address: ge3 interface IP; Backup Binding Address: ge2 interface IP.
   2. Disable the ge3 interface (turn off the lamp).
   3. The DDNS always binds to the ge3 interface IP.
   4. It won't change to ge2's IP until you manually select the rule and click update.
43. [BUG FIX] 101103279 ITS#55787
Symptom: The ZySH daemon dies when too many interfaces are configured as DHCP server.
Condition:
   1. Add a few VLAN interfaces (VLAN11 to VLAN55). VLAN11 to VLAN47 are configured as DHCP server.
   2. Enable DHCP server for VLAN48; you can't access the device anymore, but the device still works fine.
44. [BUG FIX] 101105600 ITS#56232
Symptom: There is a typo in the IKE log.
Condition: The customer found a typing error in the IKE log: the USG VPN log INVALD_PALOAD_TYPE should be INVALID_PAYLOAD_TYPE. This issue exists on all the USG devices.
45. [BUG FIX] 101110159 ITS#56175
Symptom: In the user edit page, the group identifier field doesn't allow a space character to be entered
Condition:
   I. Configure the AD/LDAP/RADIUS server
   II. Configure the ext-group-user
      1. Go to Configuration > Object > User/Group > User > Add
      2. Enter "DHCP Users" in the user name field and choose the user type ext-group-user
      3. Enter "DHCP Users" in the group identifier field; a red warning message appears.


46. [BUG FIX] 101118302 ITS#56512
Symptom: The ZySH daemon dies when the SNMP agent executes SNMP_ZYSH to query MIB information about CPU usage.
Condition: The ZySH daemon dies when the SNMP agent executes SNMP_ZYSH to query MIB information about CPU usage.

47. [BUG FIX] 100514869 ITS#50443
Symptom: If you click Object Reference two or more times without closing the window, many dropdown windows appear in the Object Reference window. When you close the Object Reference window, it shows a black window.
Condition: If you click Object Reference two or more times without closing the window, many dropdown windows appear in the Object Reference window. When you close the Object Reference window, it shows a black window.

48. [BUG FIX] 100312997 ITS#48285
Symptom: Feature request asking to support top level domain to more than 4 in the trusted website in CF.
Condition: Feature request asking to support top level domain to more than 4 in the trusted website in CF.

49. [BUG FIX] 100817270 ITS#53755
Symptom: The VPN can't be created correctly by the VPN-wizard when the Pre-Shared Key contains reserved characters.
Condition: When the customer configures and saves a pre-shared key with special characters in the VPN-wizard, it cannot be saved correctly in the GUI setting. Phase 2 is empty, and phase 1's pre-shared key is also empty.

50. [BUG FIX] 100907627 ITS#54353
Symptom: In WWW->Service Control, the USG-200 can't select address-group.
Condition:
1. Go to Configuration > System > WWW > Service Control.
2. Add one entry for Admin Service Control; we can't choose an Address Group object as the Address Object.

51. [BUG FIX] 100906505 ITS#53660
Symptom: The AAA server can't accept '?' as a password character in either the GUI or the CLI, and '\' is not in the acceptable character list prompt box but is in fact accepted.
Condition:
1. Go to Configure > Object > AAA server and add one AD server.
2. In the password for Bind DN, '?' can't be accepted as a password character.

52. [BUG FIX] 101129375 ITS#56439
Symptom: RST ACK can't pass through the VPN tunnel.
Condition:
Topology: TELNET server-------(LAN)USG200(WAN)======VPN======(WAN)USG300(LAN)------PC
1. Set up a site-to-site VPN tunnel between USG200 and USG300.
2. The Telnet server is a ZyWALL 5 with a firewall rule to Reject telnet traffic to itself.
3. When the PC tries to telnet to the TELNET server, you will see that no RST ACK packet is captured on the PC site, which means the RST ACK can't pass through the VPN tunnel.

53. [BUG FIX] 101126180 ITS#56520
Symptom: An object subnet with a 32-bit mask (255.255.255.255) should be the same as an object host.
Condition: If you create an object subnet with a 32-bit mask (for example 192.168.1.33/255.255.255.255) and insert it in Outbound-SNAT of a VPN connection, this VPN tunnel won't work correctly. The tunnel only works correctly when you change this address object to host: 192.168.1.33.

54. [BUG FIX] 101217563 ITS#57356
Symptom: The Bind DN password the user configured for the AD/LDAP server contains the character &. "Wrong AAA test command" is shown when the user clicks the test button to test the user.
Condition:
1. Add an AAA server and fill in the related settings.
2. Set the bind DN password with the character &.
3. Click the test button to test the user in Configuration Validation.
4. "Wrong AAA test command" pops up.

55. [BUG FIX] 101227167 ITS#57617
Symptom: The Auto destination option (in policy route) can't be saved.
Condition:
(1) Build an IPSec setting, with USG50 in the site-to-site-with-dynamic-peer role and USG300 in the site-to-site role.
(2) Add a policy route in USG50; change the type to vpn-tunnel with the ipsec-setting in the next-hop form. It will show the radio box of "auto-destination".
(3) Check "auto-destination" and then save. It will show "auto-destination" as off when you open the setting.

56. [BUG FIX] 101228204 ITS#57095
Symptom: In the Web GUI, adding zones cannot reach the maximum amount.
Condition:
1. Add more than 10 zones in the Web GUI.
2. The page pops up an alert window showing the message "Items have reached the maximum number".

57. [BUG FIX] 101223956 ITS#56675
Symptom: The second L2TP client takes more than 30s to establish the IPSec connection if two L2TP clients are behind one NAT router.
Condition:
Topology: PC1 and PC2 --- NAT Router------USG 300 ----LAN
(1) Enable "Use Policy Route to Override Direct Route" in policy route.
(2) PC1 dials an L2TP tunnel to USG300.
(3) After the first connection is established successfully, it takes more than 30 seconds for the second L2TP client, PC2, to establish the IPSec connection.

58. [BUG FIX] 101229310 ITS#56405
Symptom: Using an SNMP tool to scan USG WAN port 161 at high frequency will sometimes cause the system to hang.
Condition:
(1) Enable the USG SNMP function.
(2) Send an SNMP request from an unreachable port of a WAN PC to USG WAN port 161 at high frequency; sometimes the USG will hang.

59. [BUG FIX] 110111218 ITS#57068
Symptom: If file sharing on a Mac is configured to force entry of a user name and password for access, then after the user logs in to the USG with SSL VPN the shared file can't be accessed. No window pops up to ask for the username and password; instead there is an error: [400]Directory Operation Failed.
Condition:
Topology: Desktop PC ----- Internet ------- USG 100 ---------- MacBook Pro (10.5.8 OS): 192.168.1.34
1. File sharing on the Mac is configured to force entry of a user name and password for access.
2. Log in to the USG with SSL VPN. The shared file can't be accessed; no window pops up to ask for the username and password, but there is an error: [400]Directory Operation Failed.

60. [BUG FIX] 110127905 ITS#58713
Symptom: The drop-down list is not in alphabetic order.
Condition: When editing or creating a new firewall rule, the list of objects which can be used is not in alphabetic order.

61. [BUG FIX] 110223640 ITS#59239
Symptom: PPPoE connection can't be dialed up if the service name is necessary.
Condition:
1. Leave Service Name blank and input the other fields correctly. The PPPoE connection can be built up without problem.
2. Set Service Name=test; the PPPoE connection can still be built up.
3. Capture packets. You can see that the Service Name information is ignored by the device.

62. [BUG FIX] 110303459 ITS#59727
Symptom: USG Series external group user can access the Internet after logout.
Condition:
1. GUI->CONFIGURATION->Auth. Policy->Authentication Policy Summary->Add one policy (just add it without setting any value).
2. GUI->CONFIGURATION->Object->Auth. Method->Edit default->Add group ad.
3. Create an ext-group user.
4. The user logs in as the ext-group user.
5. The user logs out, or is forced to log out from the GUI.
6. Use ping to verify the connection to the Internet, or use a browser (IE, Firefox, Chrome) to access the Internet.
When an external group user (AD/LDAP/RADIUS, we tested with AD) logs out from a user-aware, he can still access the Internet.

63. [BUG FIX] 110225002 ITS#59121
Symptom: The customer uses USB storage to collect packets. When the file name of the captured packets is too long, the packet files can be neither downloaded nor deleted.
Condition:
1. Configure a PPP interface named aaaaaaaaaaa.
2. Activate the USB storage service.
3. Capture the packets on interface aaaaaaaaaaa, save the data to USB storage and set the file suffix to -packet-capture.
4. The name of the captured file is aaaaaaaaaaa--packet-capture00-2011-0210T032651.00.

64. [BUG FIX] 110304603 ITS#59967
Symptom: The user's password is shown as plain text in debug logs.
Condition:
1. Add a normal user test with password 1234, and set the user debug log setting to "all".
2. Log in as user test.
3. The user debug log will show "Auth User(test) pwd(1234) result()."

65. [BUG FIX] 110401001 ITS#61038
Symptom:
Deny rule for WAN zone in Admin Service Control doesn't work.
Condition:
1. In USG100, add a deny rule for WAN zone in Admin Service Control in [System -> WWW].
2. Add a NAT rule in another device to forward port 2400 to port 443 on USG100's WAN interface.
3. A PC on the Internet accesses https://NAT Route IP:2400; it will not be denied.

66. [BUG FIX] 110406245 ITS#60033
Symptom: The virtual interface packet capture is not dumped to USB storage.
Condition:
1. Create a virtual interface.
2. Capture the virtual interface to USB storage.
3. The USB storage does not have this file.

67. [BUG FIX] 110331861 ITS#55291
Symptom:
1. When the problem happens, LAN users can't browse any websites at all. Only HTTP traffic is affected, while the other traffic remains OK.
2. The web page will show "Query limit" or the logs will contain "ip_queue full".
If the FW contains the debug code:
1. With debug code, "debug show content-filter query" shows many "TTL -1".
Condition:
1. Enable CF, don't close ZSB.
2. When CF connects to the ZSB server:
2.1 The connect is reduced by the ZSB server or a middle site.
2.2 A wait entry is frozen. Some ip_queue is frozen.
3. When wait entries are more than default, it shows "Query limit" in the web page. When ip_queue entries are more than default, it shows "ip_queue full" in logs.

68. [BUG FIX] 110329513 ITS#60820
Symptom: USG sends port traffic information to VRPT even if that port is down.
Condition:
Step 1: Configure the VRPT server and USG300.
Step 2: Connect the PC to USG300 LAN port 3 and try to download 2 files (larger than 300M) from an FTP or web server.
Step 3: After the download, disconnect the cable to the USG300.
Step 4: You can see that at this time the VRPT still shows traffic information for port 3 even though port 3 is down.

69. [BUG FIX] 110406255 ITS#59798
Symptom: ZySH daemon crashes when "content-filter url-cache test" is used to query a URL in the local cache.
Condition:
1. Anti-X -> content-filter: enable content-filter.
2. Surf some web sites and let the DUT cache a URL whose length is more than 1500.
3. Use "content-filter url-cache test" to query a URL in the cache, e.g. www.zyxel.com.tw
4. ZySH daemon will crash.

70. [BUG FIX] ITS#58459, 59827
Symptom: IPSec daemon is dead.
Condition: IPSec daemon is dead.

71. [BUG FIX] 110331914 ITS#57470
Symptom: Downloading a file over HTTP through the VPN tunnel may fail when the session includes out-of-order packets.
Condition:
1. Topology: PC ----- ZyWALL 35 ----VPN------USG300----- internet
2. Use the attached configuration file. (ADP must be enabled on USG300.)
3. The user uses a browser to download the Firefox binary from the Firefox web site via the above topology.
4. Downloading may fail when the session includes out-of-order packets.

72. [BUG FIX] ITS# 61520
Symptom: The customer has configured two PPPoE connections with nail-up. When the YTK-ppp connection drops, it can be reestablished manually (click the "connect" button on the Web GUI), but fails to be connected automatically, though nail-up is active.
Condition:
The customer has configured two PPPoE connections with nail-up. When the YTK-ppp connection drops, it can be reestablished manually (click the "connect" button on the Web GUI), but fails to be connected automatically, though nail-up is active.

73. [BUG FIX] 110422020 ITS#62189
Symptom: The ISP account password will be cut to 6 characters after the object is edited again.
Condition:
1. In Object > ISP account, edit GE1_PPPoE_ACCOUNT: Username = test, password = 1234567890, then apply it.
2. Edit GE1_PPPoE_ACCOUNT again without changing anything and apply it. The password will be cut to 6 characters.

74. [BUG FIX] 110304557 ITS#60431
Symptom: When the customer manually creates a VPN and enters a Pre-Shared Key containing the &-symbol, the &-symbol and every character that follows it are deleted.
Condition:
1. In the VPN Connection tab click Add.
2. Give the VPN connection a name and select site-to-site.
3. Click on Create new object followed by VPN Gateway.
4. As the Pre-Shared Key enter something like: IamApsk&SOMEtext.
5. Save this and select it in the VPN gateway dropdown box.
6. Configure the rest of the settings and save it.
7. Look at the Gateway settings; you will only see IamApsk.

75. [BUG FIX] ITS#61166
Symptom: CF daemon dead unexpectedly.
Condition: CF daemon dead unexpectedly.

76. [BUG FIX] 110225003 ITS#59346
Symptom: After reboot, the settings for normal logs on the E-mail server will be lost.
Condition:
1. Go to Configuration > Log & Report > Log Setting > System Log on the Web GUI.
2. Configure the appropriate values for E-mail Server 1.
3. Disable all normal logs for E-mail Server 1 on Active Log and Alert.
4. Activate E-mail Server 1 and reboot the device. Then all the normal logs for E-mail Server 1 are shown as enabled on the GUI and CLI.

77. [BUG FIX] 110119989 ITS#54591
Symptom: iPad can't connect to the device by L2TP the second time.
Condition:
(1) Configure two or more IPSec tunnels and don't use the last tunnel as the L2TP IPSec tunnel.
(2) Dial the L2TP tunnel from the iPad and then disconnect the connection.
(3) Reconnect the L2TP tunnel from the iPad; the iPad can't connect to the device.

78. [BUG FIX] 110119942 ITS#42880
Symptom: An L2TP IPSec tunnel cannot be built up when the L2TP IPSec policy is not in the first place.
Condition:
(1) Delete the default L2TP IPSec policy in VPN Gateway and VPN Connection.
(2) Configure a normal IPSec tunnel for site-to-site static VPN and disable the policy enforcement. The IPSec tunnel should be activated.
(3) Configure an IPSec tunnel for L2TP. This policy will be in the second place.
(4) Configure the L2TP VPN setting. Then build the L2TP VPN from the PC to the device; it fails.

79. [BUG FIX] 100930143 ITS#50968
Symptom: As soon as the customer connects the network cables, the USG1000 will crash.
Condition:
(1) Local Policy (0.0.0.0~255.255.255.255)--USG1000 ===IPSec===USG2000--Local Policy(192.168.1.0/24~192.168.110.0/24).
(2) Configure about 100 IPSec tunnels on the USG1000, all with the Nailed-Up function enabled.
(3) As soon as the customer connects the network cables, the USG1000 will crash.

80. [BUG FIX] 101012349 ITS#53789
Symptom: When an "ext-group-user" type user is forced to log out, the Auth policy can't work normally.
Condition:
(1) Set a group in the AD server, and create a user "test" in this group.
(2) Add an AD rule, and fill in the necessary settings.
(3) Set the AAA method as "group AD".
(4) Enable Auth Policy, enable "Force User Authentication", and set "Source address" as "LAN_SUBNET". When a LAN PC accesses a URL, it will be redirected to the login page.
(5) Log in with an "ext-group-user" type user; we can then access the URL.
(6) Force logout this user; we can still access the URL.

81. [BUG FIX] 101101013 ITS#55460
Symptom: IPSec daemon dead.
Condition: The IPSec daemon dies regularly and no VPN tunnel attempts to establish until the DUT is rebooted.

82. [BUG FIX] 101102158 ITS#55541
Symptom: USG300 kernel crash.
Condition: USG300 kernel crash.

83. [BUG FIX] 101011183 ITS#54866
Symptom: The virtual server can't work when the virtual server rule is disabled and then enabled.
Condition:
(1) Create an address object of "INTERFACE IP" type named WAN_IP, and use the DHCP server to get an IP.
(2) Use the following CLI to create a virtual server rule: "ip virtual-server FTP_test interface wan1 original-ip WAN_IP map-to 192.168.1.40 map-type original-service FTP mapped-service FTP nat-loopback".
The virtual server rule can't work and only rebooting the device resolves it, but the problem will happen again if you disable the rule and then enable it.

84. [BUG FIX] 110113310 ITS#58250
Symptom: When the user sets a virtual server rule on wan1 and wan1 doesn't get an IP address, the DHCP daemon can't be brought up.
Condition: LAN1 DHCP cannot work with the attached config.
LAN1: IP address = 192.168.81.1, subnet mask = 255.255.255.0, DHCP setting = DHCP Server, IP pool start = 192.168.81.33, Pool size = 20, first DNS = ZYWALL, Second DNS = 168.95.1.1, lease time = 2 days, no IP/MAC binding.
But the PC on LAN1 cannot get an IP address from the device.

85. [BUG FIX] 110117753 ITS#58029
Symptom: The DUT takes more than 10 minutes to boot up.
Condition:
1. Create more than 100 IPSec rules.
2. The My Address field uses FQDN format.
But the PC on LAN1 cannot get an IP address from the device.

86. [BUG FIX] 110331883 ITS#57771
Symptom: USG-1000 crashes when using IPSec with https on a 100 Mbit/s Internet line.
Condition:
Step1. Reboot the USG 1000.
Step2. Have a stopwatch ready. Start the timer when the USG 1000 has finished its boot process (both LEDs on the left side are constantly on).
Step3. After 30 seconds, start the IPSec connection on both Clients.
Step4. Right after connecting successfully, start pinging the Fileserver (192.168.10.10) with Client 1 (10.0.0.2) through IPSec. This should work and will give you feedback on whether the USG is still running or not (it has no direct influence on this test).
Step5. After 60 seconds, start downloading a large (10 GB) file from the Fileserver (192.168.10.10) to both Clients. They should reach a transfer rate of approx. 8 MByte/s each.
Step6. After 90 seconds, start an Apache Benchmark on the Fileserver (192.168.10.10): ab -n 100000 -c 100 https://192.168.10.1/
Step7. [In most of our test cases, the USG 1000 crashed by now, but sometimes we needed the next step as well]
Step8. After 100 seconds, start an Apache Benchmark on Client 2 (10.0.0.3): ab -n 100000 -c 100 https://10.0.0.1/
Step9. After 120 seconds at the latest, the USG will automatically restart and all connections will be dropped (you can see that by watching your ping running on Client 2).

87. [BUG FIX] 110331862 ITS#59137
Symptom: The Shrew VPN client will cause the IPSec daemon to die.
Condition:
1. Enable configure mode in the Shrew VPN client.
2. The Shrew VPN client connects to the USG1000.
3. The IPSec daemon is dead.

88. [BUG FIX] 101228201 ITS#53540
Symptom: Customer's USG2000 hangs.
Condition: Customer's USG2000 hangs.

Features:
Modifications in 2.20(AQV.4)C0 2011/04/15 Modified for formal release

Features:
Modifications in 2.20(AQV.4)b11 2011/04/13

1. [BUG FIX] 110408808
Symptom: httpd security hole
Condition: httpd security hole.

2. [BUG FIX] 110412946
Symptom: Limited-Admin issue
Condition: Limited-Admin issue

Features:
Modifications in 2.20(AQV.3) 2010/10/28 Modified for formal release

Features:
Modifications in 2.20(AQV.3)b2 2010/10/28

1. [BUG FIX] 101007783
Symptom: The GUI login page is displayed abnormally if the country code is Japan (EA).
Condition:
1. It can be reproduced.
2. Change the country code to EA, and reboot the DUT.
3. The GUI login page is displayed abnormally.
4. Please refer to the attached file for a capture of the GUI login page.

Features:
Modifications in 2.20(AQV.3)b1 2010/10/21

1. [BUG FIX] 100831234 ITS#: 55611
Symptom: The System Default PPP interface page can't be shown when using IE.
Condition:
1. Using IE, log in to the device. Go to page CONFIGURATION-->Interface-->PPP.
2. Double-click a System Default PPP interface, e.g. ge1_ppp, or select a System Default PPP interface and then click the Edit button.
3. The page will always show 'loading'. When using Firefox, this issue doesn't exist.

2. [BUG FIX] 101011243 ITS#: 55351
Symptom: Any Pass action in a CF Profile changes to the default after device reboot.
Condition:
(1) Add a new CF Profile whose action is 'Pass'.
(2) Reboot the device and check the CF profile in the GUI.
(3) The configuration is changed. (Unsafe: Warn/Managed: Block/Unrated: Warn/Server Unavailable: Warn)

Features:
Modifications in 2.20(AQV.2) 2010/09/25 Modified for formal release

Features:
Modifications in 2.20(AQV.2)b4 2010/09/15

1. [BUG FIX] 100914262
Symptom: Content Filter cannot support some newer categories.
Condition:
1) Enable content filter. Create a filter profile, enable Content Filter Category Service, and select all categories.
2) Visit some websites such as "http://translate.google.com". It will show the unknown or unrated result.

Features:
Modifications in 2.20(AQV.2)b3 2010/08/27

1. [BUG FIX] 100809473
Symptom: Clicking the boot status hyperlink makes the user log out.
Condition:
1) Make the DUT fall back to the lastgood configuration.
2) Go to the Dashboard page; Boot Status is Fallback to lastgood configuration. Click this hyperlink; the user will be forced to log out, and a Device Error message will show: Wrong CLI command, device timeout or device logout.

2. [BUG FIX] 100816131 ITS#: 52490
Symptom: USG50 can't download from the web site megaupload when using IE.
Condition:
1) Use the system-default configuration.
2) When IE8 is used to capture the file http://www.megaupload.com/?d=Y40H4FI7, the file cannot be downloaded.
3) This bug may not always be reproduced; it may only happen with IE8 and a slow PPPoE WAN.

3. [BUG FIX] 100810579
Symptom: The Zone field shows wrong content and can't be edited.
Condition: There are three issues with the zone field.
1) Reset the device, then go to the Interface page. Check the pages of every interface: the zone field shows "none". But in the Zone page, different interfaces belong to different zones.
2) Add a new bridge interface br0. Select Zone=WAN, then apply. Edit the interface br0 again; the Zone field shows blank.
3) Edit interface wlan-1-1, change Zone to DMZ (or another zone), then apply. It will show "Zone interface is in use." It seems this Zone dropdown list is useless. This problem also exists for bridge interfaces.

4. [BUG FIX] 100810540
Symptom: The configuration file will roll back to the last good one when the AD/LDAP bind DN password's length is over 16.
Condition:
1) Go to Object>AAA server, edit the AD server settings and set the Bind DN password as "VPN=2010-ASDFG=1234", then apply the setting.
2) After reboot, the system can't apply the startup configuration file; it will apply the last good configuration file.

5. [BUG FIX] 100803113
Symptom: Log active summary works abnormally.
Condition:
1) Go to Log . Log setting, click the 'Active Log Summary' icon.
2) Change each log action and check the display in the summary table; something is wrong. For example, if we enable/disable the log setting for e-mail server 1, the GUI will change the USB storage's setting. The index seems to be wrong.

6. [BUG FIX] 100809449
Symptom: Some parts of the USB Storage related pages are not exact in the Simplified_Chinese version.
Condition: In the Monitor->USB Storage page, "Device description" should be translated into "" not " ". In the Maintenance-> Diagnostic ->Packet Capture page, "Available Interface" should be translated into "" not "". Please see the attachment for details.

7. [BUG FIX] 100816168
Symptom: It always shows USB slot 2 even when the disk is inserted in slot 1.
Condition: Insert a USB disk into USB slot 1; the extension-slot shows "2" on the dashboard.

8. [BUG FIX] 100825899
Symptom: "No need to apply" pops up after modifying the configuration in Active Log Summary.
Condition:
1) Go to page Log&Report->Log Setting, click "Active Log Summary".
2) Modify the configuration of "USB Storage".
3) Click "OK" and "No need to apply" pops up.

Features:
Modifications in 2.20(AQV.2)b2 2010/08/06

1. [BUG FIX] 100721123
Symptom: After disabling snmp and rebooting, the command "show snmp status" shows an error message and the GUI "System->SNMP" always shows "Loading".
Condition:
1) Enter "System->SNMP" and disable snmp.
2) Reboot the device.
3) The command "show snmp status" shows an error message, and the GUI always shows "Loading", but no error message.

2. [BUG FIX] 100714577
Symptom: After resetting the device, the Wizard is not shown at first login to the device.
Condition:
1) Apply "system-default.conf", and then reset the device.
2) After the reset, you will find the Wizard page is not shown at first login to the device.
3) Compare the files "startup-config.conf" and "system-default.conf"; you will find that they are different. This is the main reason why the Wizard page is not shown.

3. [BUG FIX] 100705370, 100716786
Symptom: 3G stress with P2P failed.
Condition:
1) The 3G card was an E169u; the DUT has a policy route added that sends all traffic out through the 3G card.
2) DUT ADP = enable, app patrol = enable and limit the BT traffic's bandwidth.
3) After BT + clubbox downloading over the weekend, the 3G card can't get an IP and the console halts; unplugging the 3G card makes the console print an oops message.

4. [BUG FIX] 100722243
Symptom: The interface Gateway IP address should be blank if you haven't configured it in "Quick Setup".
Condition:
1) Click the "Quick Setup" button in the "CONFIGURATION" page.
2) Quick Setup->WAN Interface->next, Ethernet Selection = wan1; click "Next", WAN Type Selection = Ethernet; click "Next", IP Address Assignment = Static; click "Next", fill in the "IP Address" such as "192.168.100.10", and then click "Next". In the "WAN Configuration Summary" page, you will find the Gateway IP Address is "0.0.0.0". Click "Close".
3) Network->Interface->Ethernet, edit interface wan1; you will find the Gateway is "0.0.0.0", and there is a warning message "The value should be an IP address". You cannot click the "OK" button.

5. [BUG FIX] 100722211
Symptom: Words should be divided by a space.
Condition:
1) Network->Routing->Policy Route, click the "Add" button at "Configuration".
2) In the "Add Policy Route" page, "1is highest priority" should be "1 is highest priority" at "Bandwidth Shaping".

6. [BUGFIX] 100713473
Symptom: The group object cannot be removed.
Condition:
1) Object->User/Group->User, add a user: User Name=test, type = user.
2) Object->User/Group->Group, add a group: Group Name = group1, member=test.
3) Network->Routing->Policy Route, add a rule: User=group1, others set to default. Then apply.
4) Console: show groupname; you will find the reference count of group1 is 1.
5) Modify the policy route rule, changing the User "group1" to any.
6) Console: show groupname; the reference count of group1 is still 1, and group1 cannot be removed.

7. [BUG FIX] 100720956
Symptom: DUT crash in the PQA field trial on both master and backup.
Condition:
1) The master crashes and the console dumps messages continually; the console cannot print messages using the magic key.
2) The backup crashes and the console has a dump message; the console cannot print messages using the magic key.
3) Please refer to the attached file for both the master and backup console dump messages.

8. [BUG FIX] 100706586
Symptom: We cannot log in to the GUI because the zyshd daemon is terminated if you modify the name of an ext-group-user type user which has a long Group ID. The Group ID of the user should be longer than 100 characters at best.
Condition:
1) Object->User/Group->User, add a user: Username=test; Type=ext-group-user; Group ID=1234567890123456789012345678901234567890123456789012345678901234567890 12345678901234567890123456789012345678901234567890 (length is 127). Then apply.
2) Object->User/Group->User, change the username "test" to test1.
3) After modifying the username, we cannot log in to the GUI because the zyshd daemon is stopped.

9. [BUG FIX] 100723401
Symptom: The IPsec daemon will die in config mode.
Condition:
Topo: PC1-------------|WAN|------DUT
DUT config:
phase 1
isakmp policy TEST
activate
local-ip interface wan1
peer-ip 0.0.0.0 0.0.0.0
authentication pre-share
keystring 12345678
local-id type fqdn 11111
peer-id type any
fall-back-check-interval 300
lifetime 86400
mode main
group1
transform-set des-md5
xauth type server default
phase 2
crypto map TEST_p2
activate
ipsec-isakmp TEST
scenario remote-access-server
encapsulation tunnel
transform-set esp-des-md5
set security-association lifetime seconds 86400
set pfs group2
local-policy LAN1_SUBNET
remote-policy any
no conn-check activate
PC1: ZyWALL IPSec VPN Client; the config is in the attachment.

10. [BUG FIX] 100720974
Symptom: packet-trace dumps are not consistent, which causes automation cases to fail.
Condition:
1) In the console, using 'packet-trace interface wan1 ip-proto icmp' to trace ping check packets shows '10.1.4.228 > 10.1.4.251: icmp: echo request' in 2.20patch1.
2) In the console, using 'packet-trace interface wan1 ip-proto icmp' to trace ping check packets shows 'IP 10.1.4.228 > 10.1.4.251: icmp 64: echo request seq 11330' in 3.00alpha_1.
3) The automation system uses '10.1.4.251: icmp: echo request' for comparison. In 3.00alpha_1, these cases will fail.

11. [BUG FIX] 100727675
Symptom: The sitemap does not include the link for USB storage.
Condition:
1) Log in to the DUT via the GUI.
2) Press sitemap.
3) The sitemap does not include the link for USB storage.

12. [BUG FIX] 100706431
Symptom: A Core Dump in system space cannot be downloaded in the GUI.
Condition: Generate a Core Dump file, go to Maintenance>Diagnostics>Core Dump>File, select the file in system space and download it. It cannot be downloaded.

13. [BUG FIX] 100705337
Symptom: The GUI allows selecting two server groups of the same type when configuring an authentication method.
Condition:
1) Configure two different AD servers correctly.
2) Add these two AD servers to an authentication method.
3) The AD server which is in the second position of the Authentication Method doesn't work.

14. [BUG FIX] 100705325
Symptom: The length of the group identifier for ext-group-user can be 127 only, but the warning message shows the maximum is 128.
Condition:
1) Object-> user/group, add an ext-group-user type user whose group identifier length is 128.
2) Edit the user; the length of the group identifier shown in the CUI has been changed to 127.

15. [BUG FIX] 100705319
Symptom: The warning message doesn't pop up the first time after resetting the device when the allowed user is a group and the group includes an ext-group-user.
Condition:
1) Apply system-default.conf.
2) Add a user in object->User/Group: User Name = test; User Type is ext-group-user.
3) Add a group in object->User/Group: Group Name = group1; Member = test.
4) In the VPN->L2TP page, enable Enable L2TP Over IPSec; VPN Connection = Default_L2TP_VPN_Connection; IP Address Pool = LAN1_Subnet; Authentication Method = default; Allowed User = group1.
5) Apply. You will find there is no warning message. But if you change the Allowed User "group1" to "admin" and apply, and then change back to "group1", the warning message will appear this time.

16. [BUG FIX] 100707829
Symptom: Active Log for USB Storage will fail.
Condition:
1) Go to Configuration-->Log Setting, click USB Storage.
2) Select enable normal logs.
3) From No.26 Interface Statistics, all the items are Disable Logs.
4) This problem also exists when selecting enable normal and debug logs.

18. [BUG FIX] 100708104
Symptom: The CLI command and the GUI have different value limits.
Condition:
1) Under configure terminal-->packet-capture configure, input the command split-size in the console. The max value can be 2048. Set split-size 2048, then write the setting.
2) Check the Maintenance-->Diagnostics-->Packet Capture page. It shows the max value of this field is 2000.

19. [BUG FIX] 100707821
Symptom: "Limit-admin" user can't log in to the GUI.
Condition:
1) Create a "Limit-admin" user.
2) This user tries to log in to the DUT as "Limit-admin"; the page keeps loading and login fails.
3) The failure reason is 'showUsbStorageStatus.getAt(...)' is null or not an object.

20. [BUG FIX] 100708130
Symptom: VPN stress test will fail with TestCenter.
Condition:
1) Set up a dynamic VPN in the DUT.
2) Use TestCenter to set up a VPN with the DUT and run VPN stress.
3) The VPN can be established but traffic disappears after about 15 seconds.
4) With TeraVPN, it works OK.

21. [BUG FIX] 100715659
Symptom: The certificate shows an incorrect time in some special cases.
Condition:
1) At the CLI, configure date/time with the following setting:
Router(config)# clock date 2010-01-03 time 00:00:00
2) Regenerate the CA with the CLI command:
Router# debug ca regenerate
3) The time in the valid from field of the default certificate will show an incorrect time, like the following:
Router# show ca category local
certificate: default
type: SELF
subject: CN=usg300_0000AA791340
issuer: CN=usg300_0000AA791340
status: VALID
ID: usg300_0000AA791340
type: EMAIL
valid from: 2010-01-03 -1075961512:50364704:264499860 GMT
valid to: 2029-12-29 00:01:20 GMT

(Setting date/time to "2010-01-23 00:00:00" and running "debug ca regenerate" will also produce the incorrect time.)

22. [BUG FIX] 100707873
Symptom: Warning message is wrong.
Condition:
1) Insert USB storage, and in the System>USB Storage page, activate the USB storage service.
2) In the Packet Capture page, select Save data to USB storage, set File Size to 1000 (USB storage available is 982 MB), and click Capture. A warning message will pop up:
CLI Number:12 Error Number: -75012 Error Message: Error string not find!
3) The error message should be "The maximum value for this field is 982."
4) Keep the former setting unchanged, change Save data to USB storage to Save data to onboard storage only, then select Save data to USB storage again. There will be the warning message "The maximum value for this field is 982."
5) Set File Size to 982 and click Capture; the warning message still pops up.

24. [BUG FIX] 100715660
Symptom: USG cannot apply configuration successfully.
Condition:
1) Upgrade F/W to 2.20 Patch 2 B1.
2) Upload the USG2000 field trial configuration to the USG and apply it.
3) The configuration cannot be applied successfully and an error log is displayed.
4) It fails on applying one NAT rule if the mapping type is Many 1-1.

25. [BUG FIX] 100707871
Symptom: Customized Login Page cannot work.
Condition:
1) System > WWW>Login Page, Use Customized Login Page=enable.
2) Set Customized Login PAGE/TITLE.
3) Click the Apply button. The "Apply" button is gray. Browser: Firefox 3.0, Firefox 3.6, IE8. It is OK in 2.12(XL.3).

26. [BUG FIX] 100707885
Symptom: Chinese translation of USB Storage related pages is not ready.
Condition:


Chinese translation of USB Storage related pages is not ready, including Dashboard, Monitor-->USB Storage, Configuration-->System-->USB Storage, Maintenance-->Diagnostics.

27. [BUG FIX] 100705336
Symptom: After upgrading 2.12(AQQ.1) to 2.20(AQQ.1), the "Duration" of the traffic log shown in the VRPT server is always 0.
Condition:
1) PC1-----(Lan)USG100(Wan) --------Kiwi SYSLOG server (PC2)
2) Enter "CONFIGURATION->Log&Report->Log Setting", and set the remote server's address: PC2's IP, Log Format: VRPT/Syslog, Active log: enable traffic log.
3) Set up the software "Kiwi Syslog Daemon", and start the syslog daemon.
4) From PC1, access a web site or download files from an FTP server on the USG100 WAN side; the "Duration" of the traffic log shown in "Kiwi Syslog" is always 0.

28. [BUG FIX] 100707006 ITS#: 49264
Symptom: Device sends an update to the DDNS server although the IP address doesn't change.
Condition:
1) Configure a DDNS profile "Eurilio", set WAN1 as Primary Binding Address and choose interface as IP Address.
2) Let this profile update successfully.
3) Renew WAN1 and get the same IP; a log still appears: "Update the profile Eurilio has succeeded. The IP address of FQDN endorse.gotdns.org has not changed.".
4) But in such a case, if the IP doesn't change, this profile doesn't need an update, and should show this log: "Update profile Eurilio has skipped due to same IP.".

29. [BUG FIX] 100121946 ITS#: 51567
Symptom: Under bridge mode, the DUT builds one VPN with another ZyWALL; with the Firewall feature enabled, the PC behind the DUT cannot ping the PC on the other side of the VPN.
Condition:
Topo: PC1----ge1-DUT(bridge mode)-ge3--internet----wan-zywall5-lan---PC2
about DUT:
1> Run "system-default.conf".
2> Add one bridge rule, the member is ge1-ge7, the IP "172.25.22.222/255.255.255.0", default gateway is "172.25.22.254", others keep default, apply.
3> Disable Firewall from Console by inputting "no firewall activate" -> "write".


4> PC1 sets IP "172.25.22.66/255.255.255.0", the default gateway is "172.25.22.222" (DUT br0 interface IP).
5> PC1 enters the Configuration -> Zone page, disables block intra-zone for all zones.
6> PC1 enters the Configuration -> Firewall page, inactivates all deny firewall rules, then enables Firewall, apply.
7> PC1 enters the VPN page, adds one VPN:
-ike: Local: br0; remote: zywall5 WAN ip (172.25.22.60); preshared key: 12345678
-ipsec: Local policy: PC1 IP (172.25.22.66), remote policy: zywall5 LAN subnet (192.168.101.0/255.255.255.0)
about Zywall5:
1> LAN subnet is "192.168.101.1/255.255.255.0", WAN ip is "172.25.22.60", disable Firewall, create the opposite VPN rule for IPSec on remote security gateway zywall5.
2> PC2 IP is "192.168.101.33".
result: the VPN can be built successfully, but PC1 cannot ping PC2; if the firewall of the DUT is disabled, PC1 can ping PC2.

30. [BUG FIX] 100617943 ITS#: 51177
Symptom: MIB browser gets wrong ifOperStatus and ipAdEntifindex values.
Condition:
1) Enable SNMP in the device.
2) Set WAN1 = port1, WAN2 = port2, LAN1 = port3~port 5, LAN2 = port6, DMZ = port7.
3) Insert the cable into port7, and use MIB Browser to get the ifOperStatus node; the result shows the DMZ port is down.
4) And the value of the ipAdEntifindex node is mismatched with ifIndex.

31. [BUG FIX] 100705289
Symptom: named.core created after firmware upgrade.
Condition:
1) After firmware upgrade, a named.core will be generated at /tmp/coredump:
Router> dir /tmp/coredump
File Name Size Modified Time
=================
2010-07-05-05-21-05-named.core 786432 2010-07-05 05:21:06
2) It might be an issue in named.
3) And it should be a compressed zip file, not a .core file.

32. [BUG FIX] 100706426


Symptom: Incorrect text field label name and default value in packet capture page.
Condition:
1) In the Diagnostics -> Packet Capture page, the "file size" text field should be replaced by "capture packet files" after integration with the USB Storage enhancement.
2) The text field default value of "split threshold" shouldn't be greater than "capture packet files".

33. [BUG FIX] 100628439
Symptom: The file size of diagnostics info is 0.
Condition:
1) Collect diagnostics info.
2) Collection is done and the info is shown.
3) The file size of diagnostics info is 0.

34. [BUG FIX] 100628425
Symptom: Duplicate CLI in the running configuration file.
Condition:
1) Enable usb_storage and then disable usb_storage.
2) Show running config.
3) There are duplicate CLI commands.

35. [BUG FIX] 100705272
Symptom: No USB Storage log when a disk is plugged in and removed.
Condition: According to the DS document, the system log should log disk plug-in and removal.

36. [BUG FIX] 100623152 ITS#: 51716
Symptom: ZySH daemon is terminated when the AD/LDAP bind DN password's length is over 16.
Condition:
1) Go to Object>AAA server, edit AD server settings and set Bind DN password as "VPN=2010-ASDFG=1234", then apply the setting.
2) Try to edit the AD server again; the system ZySH daemon will be terminated.
3) After reboot, the system can't apply the startup configuration file; it will apply the last good configuration file.

37. [BUG FIX] 100701016
Symptom: Unfriendly extension slot information in dashboard


Condition: Unfriendly extension slot information in dashboard

38. [BUG FIX] 100628503
Symptom: Insert Huawei E220 in usb1 and usb storage in usb2, or insert two usb storage.
Condition:
Router> show extension-slot
No. Slot Device Status
====================
1 PC Card none none
2 USB 1 USB FLASH DRIVE -3.7GB Ready
3 USB 2 none none

39. [BUG FIX] 100115237
Symptom: The countdown when using Google Chrome to dial up displays "NaN seconds left.."
Condition:
1) Configure one IPSec VPN rule and try to dial up through Google Chrome.
2) The countdown displays "NaN seconds left..".

40. [BUG FIX] 100325349
Symptom: The maximum length of UserName and password for SMTP Authentication should only support 31 characters.
Condition:
1) In Log & Report > Log Settings, edit System Log, fill in E-mail Server1 or Server2. Enable SMTP Authentication, type 64 characters in the UserName field and type 63 characters in the password field. (It matches the accepted maximum length.)
2) The GUI dumps the error message 'Log length has reached the maximum number.'
But:
3) In the 2.1x GUI, the maximum length of UserName and password only supports 31 characters.
4) In the CLI, it also only supports a maximum of 31 characters.

41. [BUG FIX] 100326492
Symptom: VPN Phase 2 Settings, algorithm = SHA, but in the edit page it is SHA1.
Condition: VPN Phase 2 Settings: in the VPN configuration grid, the algorithm column shows "SHA", but in the edit page it is SHA1.


The display string format is not consistent.

42. [BUG FIX] 100407272
Symptom: On the web GUI "email daily report", if field was empty, the red "required"
Condition: On the web GUI "email daily report", if field was empty, the red "required" glyph overlaps with the text to the right.

43. [BUG FIX] 100427849
Symptom: Wrong validation result for specific subnet in static route.
Condition:
1) Go to static route > add a rule.
2) The following subnet masks should be allowed:
128.0.0.0 (not allow)
192.0.0.0 (not allow)
224.0.0.0 (not allow)
240.0.0.0 (not allow)
248.0.0.0 (not allow)
252.0.0.0 (allow)
254.0.0.0 (allow)
3) The "not allow" items should be allowed.

44. [BUG FIX] 100413573
Symptom: In CF, add a new profile, enable Custom Service. The action of category service will all be PASS.
Condition:
1) In CF, add a new profile.
2) Enable Custom Service, Name = CF1. Press OK.
3) Edit the CF1 profile; the actions of CF category service will all be pass:
Action of unsafe web pages = Pass
Action of Managed web pages = Pass
Action of Unrated web pages = Pass
Action when category server is unavailable = Pass

45. [BUG FIX] 100407267
Symptom:
1) Click NAT's hyperlink "policy route"; its left tree panel doesn't highlight "routing".


2) Click Content Filter's hyperlink "Apply New Registration"; its left tree panel doesn't highlight "Registration".
3) Click AppPatrol's hyperlinks "Apply New Registration" and "Update Signatures"; its left tree panel doesn't highlight the correct node.
4) Click System/WWW/Service control's hyperlink "(See Trusted CAs)"; its left tree panel doesn't highlight the correct node of "Certificate".
Condition:
1) Click NAT's hyperlink "policy route"; its left tree panel doesn't highlight "routing".
2) Click Content Filter's hyperlink "Apply New Registration"; its left tree panel doesn't highlight "Registration".

47. [BUG FIX] SPR ID: N/A ITS#: 53476
Symptom: The GUI's Ethernet/VLAN/bridge DHCP IP pool size maximum value should not be 255.
Condition:
1) The GUI's Ethernet/VLAN/bridge DHCP IP pool size maximum value should not be 255.
2) If the pool is only on class C, it was 253.

48. [BUG FIX] 100727623
Symptom: USB disk can't be detected by USG 300/1000/2000, ZyWALL 1050.
Condition:
1) A USB disk whose space is 160GB (it's divided into 4 logical partitions: 32GB, 32GB, 32GB, 32GB; their file systems are all FAT32; the remaining space is not formatted).
2) Insert it into the DUT and it can't be detected by the DUT the first time. In the console these messages are printed:
Unknown Storage sda1
Unknown Storage sda2
Unknown Storage sda3
Unknown Storage sda4
The problem happened on USG300/1000/2000, ZyWALL1050.
3) Remove the disk and insert it again; this time the first partition can be detected.
4) If this USB disk is inserted into USG100/200, the first partition will be detected the first time, and the console will print:
Unknown Storage sda2
Unknown Storage sda3
Unknown Storage sda4
5) Attachment is USG1000 debug information.

50. [BUG FIX] 100803121


Symptom: A policyd coredump is generated after firmware upgrade.
Condition:
1) Create a policy route with default arguments (all any).
2) Upgrade firmware then reboot.
3) Go to diagnostics->coredump->file; you will see that a policyd coredump file has been created.

51. [BUG FIX] 100804198
Symptom: Changing the name of "DNS" in Service Group will make the device fall back to the lastgood configuration after reboot.
Condition:
1) Change the name of "DNS" to "DNS_GROUP" with the default configuration file.
2) Reboot the USG.
3) There will be an error message "Fallback to lastgood configuration" on the console.


Features:
Modifications in 2.20(AQV.2)b1 - 2010/07/02

1. [ENHANCEMENT] Support USB storage application
2. [ENHANCEMENT] Show PPPoE and PPTP interface on Dashboard.

3. [BUG FIX] 100211933
Symptom: Changing the ge2 interface IP from static to DHCP client, if the interface is in the Monitored Interface Summary of Device HA with a management IP, and then rebooting the DUT will cause applying the configuration file to fail.
Condition:
1) Configure ge2 with a static IP address, e.g. 10.1.4.39/255.255.255.0.
2) Enable Device HA, activate the ge2 interface and configure a management IP, e.g. 10.1.4.38/255.255.255.0.
3) Disable Device HA and inactivate the ge2 interface in the Monitored Interface Summary of Device HA.
4) Change the ge2 interface from a static IP address to get automatically, and reboot the DUT.
5) It can't reboot successfully when applying the configuration file. The console shows "ERROR: device-ha ap-mode ge2 manage-ip 10.1.4.38 255.255.255.0. Failed to apply startupconfig.conf. Try to apply lastgood.conf or system-default.conf. Save current startupconfig.conf to start-config-bad.conf"
6) The log shows "ERROR: #configure terminal device-ha ap-mode ge2 manage-ip 10.1.4.38 255.255.255.0, Management IP should be in the same subnet"

4. [BUG FIX] 091120871~091120875 100322927
Symptom:
1) Dashboard widget arrangement gets lost.
2) When changing the order of the widgets on the dashboard, the new order is not saved when logging out. Removed and added objects are OK.
Condition:
1) If the widgets on the Dashboard are re-arranged (different position) and the user logs out and logs in, the widgets are back in the old position from before the re-arrangement. The same happens if the user goes to a different Configuration page and then back to the Dashboard.


2) For example, if you drag the widget 'device information' to another location, this will not be saved after re-login.

5. [BUG FIX] 100514869 ITS#: 50443
Symptom: Click "Object Reference" in the GUI several times; there will be more select boxes in the Object Reference window. After closing the Object Reference window, there will be a black window in the GUI.
Condition:
1) Click "Object Reference" in the GUI several times; there will be more select boxes in the Object Reference window.
2) Close the Object Reference window; a black window will show in the GUI.

6. [BUG FIX] 100510421 ITS#: 49300
Symptom: Some warning information appears on the console when rebooting the device.
Condition:
1) Apply the default configuration file.
2) Change the interface ge1 from internal type to external, and set the ping check to active.
3) Reboot the device; there will be a warning on the console.

7. [BUG FIX] 100507304 ITS#: 49771
Symptom: When using ext-group-user as SSL VPN user, if the SSL VPN license is 2, only 1 user can log in to the device.
Condition:
1) Configure an SSL VPN environment.
2) PC connects to SSL VPN.
3) By default, two users can log in to the SSL VPN, but after one user logs in, another can't log in and the login page shows that SSL VPN has reached the max account.

8. [BUG FIX] 100323038
Symptom: sshipsecpm is dead several times during VPN test.
Condition:
1) The configurations of the two DUTs are not so special; only DUT1 uses a certificate signed by the CHT tool, and the other one is self-signed. DUT1's language is English, and the other one's is Simplified Chinese. The configurations are attached.


2) After finishing configuration, DUT2 dials the VPN, then strange logs are printed continuously in its console:
sshipsecpm is dead at Tue Mar 23 03:23:21 2010
sshipsecpm is dead at Tue Mar 23 03:23:26 2010
sshipsecpm is dead at Tue Mar 23 03:23:31 2010
......
Meanwhile, the VPN tunnel can't be set up.
3) After rebooting, it works totally OK. This can't be reproduced, but happened several times. It seems that this problem is related to certificate and language settings.

9. [BUG FIX] 100423582
Symptom: When running stress on NAT + FW + IDP + AV + AS + ADP+CF+ IPSec overnight, several functions are dead.
Condition:
Test tool: avalanche, Tera VPN tester1.
1) When running stress on NAT + FW + IDP + AV + AS + ADP+CF+ IPSec overnight, several functions are dead, like zebra, appd, and so on; for details see attached file2.
2) The second time, after running about half an hour, sshipsecpm is dead.

10. [BUG FIX] 100504058
Symptom: The ZySH daemon has a segmentation fault after adding a firewall rule.
Condition:
1) Apply system-default.conf.
2) In Configuration > Firewall, remove all firewall rules.
3) Add a new firewall rule:
- From: WAN
- To: ZyWALL
- Service: Default_Allow_WAN_To_ZyWALL
- Access: allow
4) The ZySH daemon will hit a segmentation fault.
5) It can be reproduced; the core dump file is attached.

11. [BUG FIX] 100415782
Symptom: Device will crash when collecting diagnostic information by HTTP.
Condition:


1) It can be reproduced.
2) PC pings 168.95.1.1 continually.
3) Log in to the web GUI by HTTP.
4) Go to the MAINTENANCE>Diagnostics page, and then click the Collect Now button; the device will dump a crash message.

12. [BUG FIX] 100520207 ITS#: 50590, 49660, 50580
Symptom: In the customer's environment, sometimes there will be ARP entries with the "CM" flag, causing the USG to not accept ARP updates for the MAC with a new IP address.
Condition:
1) It only appeared in the customer's environment.
2) Customer's environment: Clients---switch---USG | DHCP server
3) Clients get IP from the DHCP server. The ARP entries in the USG for some clients will be flagged with CM and cannot be updated.

13. [BUG FIX] 100121958
Symptom: User cannot delete any email from SSLVPN of OWA application using the IE browser.
Condition:
1) Create an SSL application of ZyXEL OWA and add it into the SSLVPN policy.
2) User logs in to SSLVPN and uses the OWA application.
3) User cannot delete any e-mail through the SSLVPN OWA application.
4) If the user connects to ZyXEL OWA directly, it works well.

15. [BUG FIX] 100422412
Symptom: SSLVPN with EPS can't log in anymore after its name has been changed.
Condition:
1) Add an EPS object named "EPS" <Deleted>
2) Add a full tunnel SSLVPN named "SSL"; the tunnel has EPS check enabled with "EPS".
3) WAN PC logs in to SSLVPN with "test"; login is successful.
4) Change the SSLVPN policy name to "IEEE", then the WAN PC logs in to SSLVPN with "test" again; login will always fail. Rebooting the DUT solves the problem.


17. [BUG FIX] 100528711 ITS#: 50646
Symptom: SSL VPN full tunnel can't be established. The security extender breaks with internal error.
Condition: SSL VPN full tunnel can't be established. The security extender breaks with internal error.

18. [BUG FIX] 100507305 ITS#: 49893
Symptom: Virtual server rule doesn't work correctly if the "Original IP" in that rule is a virtual IP (not a real WAN IP).
Condition:
1) The USG has two WAN interfaces, so the customer adds two virtual server rules to forward the FTP traffic to the FTP server.
2) The "Original IP" in the two rules is a virtual IP.
3) When you try to access the FTP server, you will see the virtual server rule doesn't work correctly.

19. [BUG FIX] 100602115 ITS#: 48128, 47343
Symptom: Enabling AS will cause mail to be sent or received abnormally.
Condition:
1) Can only be reproduced in the customer's environment.
2) Customer's environment: Mail client---Internet---WAN---LAN --SMTP server
3) If the customer enables AS, sometimes the mail client cannot send mails to the SMTP server successfully.

20. [BUG FIX] 100623152 ITS#: 51716
Symptom: ZySH daemon is terminated when the AD/LDAP bind DN password's length is over 16.
Condition:
1) Go to Object>AAA server, edit AD server settings and set Bind DN password as "VPN=2010-ASDFG=1234", then apply the setting.
2) Try to edit the AD server again; the system ZySH daemon will be terminated.


3) After reboot, the system can't apply the startup configuration file; it will apply the last good configuration file.

21. [BUG FIX] 100426614
Symptom: CPU utilization stays at 98% when accessing files from a server on the DUT's LAN via IPsec VPN.
Condition:
1) Disable Firewall and ADP.
2) Use IPSec VPN Client 2.4.204.61.61 to establish an IPSec VPN tunnel between the host and the remote file server.
3) When accessing files from the remote server, CPU utilization stays at a high rate; throughput is about 4.3M Bytes/Sec.
4) While CPU utilization stays at a high rate, it is hard for other clients to establish another tunnel.
5) If two tunnels are established and access the remote file server at the same time, one of the tunnels will be terminated.
6) Firmware version 2.20(AQQ.0)C0 has the same issue.
7) In firmware version 2.12 patch 1 C0, throughput is about 3M Bytes/Sec, CPU utilization stays at 70%.

22. [BUG FIX] 100504102
Symptom: After Port Stealth testing, the status of port 0 and port 1 is closed.
Condition: Do stealth testing on www.grc.com.

23. [BUG FIX] 100617944 ITS#: 50991
Symptom:
1) Testing an external user in the "ext-group-user" type user GUI page will fail when the group identifier length is longer than 68.
2) When adding an "ext-group user" type user, if the group identifier length is longer than 128, there will be an error message "Wrong CLI command, device timeout or device logout". But there is no statement about the length of the group identifier in the help page.
Condition:
1) Set a group in the AD server; the group identifier should be longer than 68, such as "CN=female123456789012345678901234567890123,CN=Users,DC=pqatest,DC=com". Then add a user in this group, such as test.
2) Enter "Object->User/Group", add a user with type "ext-group-user", and set the group identifier the same as the AD server group's group identifier.


3) Enter "AAA Server->Active Directory", add an AD rule and fill in the necessary settings.
4) Enter the "ext-group-user" type user, test user "test" in the "Test" field. It will show "test do not belong to the group".
5) Add an "ext-group-user" type user with group identifier length longer than 128. There will be an error message "Wrong CLI command, device timeout or device logout".

24. [BUG FIX] 100619026 ITS#: 51686
Symptom: Standby device still replies to the interface ARP request.
Condition:
1) Set up an HA environment with default configuration, use ge1(192.168.1.1) as the HA
2) On the LAN side, use PC 192.168.1.33 to ping 192.168.1.1.
3) Both devices reply to the ARP request; Master uses the virtual MAC, Standby uses the interface MAC.

25. [BUG FIX] 100623181
Symptom: L2TP VPN can't be established with an AD group user when "allowed user" is set to an "ext-group-user" type user. This AD group user has the same group identifier as the "ext-group-user" type user.
Condition:
1) Add an "ext-group-user" type user "vpn".
2) Set a group in the AD server with the same group identifier as user "vpn", and then add a user in this group, such as "Judy".
3) Enter "Object>>AAA Server>>AD", fill in the necessary fields.
4) Enter "VPN>>L2tp", set "allowed user" as user "vpn" and fill in other necessary fields.
5) Establish L2TP with user "Judy". It will fail with error "invalid username password".

26. [BUG FIX] 100222084
Symptom: Firefox 3.6 can't open the SSLVPN web server and OWA server, but Firefox 3.5.8 can.
Condition:
1) PC = XP SP3 + Firefox 3.6 + JRE 1.6.0_18-b07
2) User logs in to the SSLVPN from WAN; opening the web server and OWA server links will then fail in Full Tunnel Mode and Reverse Proxy Mode.


27. [BUG FIX]
Symptom: Inline object creation causes previous configuration to be lost.

Features:
Modifications in 2.20(AQV.1) - 2010/05/06
Modified for formal release


Features:
Modifications in 2.20(AQV.1)b3 - 2010/05/05

1. [BUG FIX] 100504064
Symptom: ZyWALL will sometimes crash while collecting diagnostic info.
Condition:
1) Update IDP signature to the latest.
2) Collect diagnostic info.
3) Sometimes ZyWALL will crash.

2. [BUG FIX] 100422392
Symptom: ZyWALL SecuExtender cannot be terminated automatically by closing the SSLVPN portal window.
Condition:
1) Log in to SSLVPN with Full Tunnel mode using Windows 7.
2) Close the SSLVPN Portal window by clicking X in the right corner of the window.
3) The ZyWALL SecuExtender won't be terminated automatically.


Features:
Modifications in 2.20(AQV.1)b2 - 2010/04/16

1. [BUG FIX] 100119485
Symptom: Under certain conditions, connectivity check cannot work on cellular interface.
Condition:
1. Insert AC880 card, edit the cellular1 interface in the Interface> Cellular page, enable Nailed up, fill in the APN option as CMNET and the Dial string option as *99#, others keep default.
2. The 3G can connect correctly.
3. Edit cellular1 interface, enable Connectivity check, check method is icmp, check period is 5, check timeout is 2, check fail tolerance is 3, and enable check this address 1.1.1.1, apply.
4. Ping check can work, and the 3G interface is inactive.
5. Edit the 3G rule a second time: Enable Budget Control=enable; Time Budget=enable; hours per month=30; Reset time and data budget counters=15; Actions when over budget/Log=log-alert; Enable recurring every 1 minutes; New 3G connection=Disallow; Current 3G connection=Drop; Actions when over 10 % of time budget or 10 % of data budget; Log=log-alert; Enable recurring every 1 minutes.
6. Edit the Cellular1 interface a third time, disable Connectivity check, and in the Device setting field, select Device Selection as Sierra Wireless AC880, Band Selection as Auto, apply; the rule can be saved without warning.
7. But the connectivity check function still works; capturing the packets from the Cellular1 interface shows lots of ping 1.1.1.1 request packets, and the traffic from LAN to Cellular1 cannot pass through.

2. [BUG FIX] 100121946
Symptom: Under bridge mode, traffic cannot pass through the VPN tunnel if Firewall is activated.
Condition:
1. Configure ZyWALL with one bridge interface.
2. Configure one IPSec tunnel which uses the bridge interface to build the IPSec tunnel.
3. Configure one remote VPN gateway whose WAN interface is not on the same network as the ZyWALL's WAN interface which is used to build up the IPSec tunnel.
4. Enable Firewall on ZyWALL.
5. Establish the IPSec tunnel between the ZyWALL and the remote VPN gateway.
6. The traffic cannot pass through the IPSec tunnel and is dropped by Firewall.

3. [BUG FIX] 100204388


Symptom: Error message displayed on GUI after enabling Redirect HTTP to HTTPS.
Condition:
1. Disable Redirect HTTP to HTTPS.
2. Log in to the ZyWALL GUI via HTTP service.
3. Enter the WWW page and enable Redirect HTTP to HTTPS.
4. Click another page and the error message "URL request timeout. (3 minutes limit)" is displayed.

4. [BUG FIX] 100310758
Symptom: Incorrect CLI commands applied under certain conditions.
Condition:
1. Create one Authentication Policy via GUI. Authentication = required and Force User Authentication is selected.
2. Edit the Auth. Policy again and change the Authentication from required to unnecessary. Do not apply.
3. Change the Authentication from unnecessary to required and apply.
4. The Authentication field in the summary page should be force instead of required.

5. [BUG FIX] 100312072
Symptom: SNMP cannot work through IPSec tunnel.
Condition:
1. Create one IPSec tunnel between ZyWALLs.
2. Enable SNMP service on the remote ZyWALL.
3. PC under the local ZyWALL's LAN cannot query the remote ZyWALL's LAN IP via SNMP.

6. [BUG FIX] 100315140
Symptom: After language changed, Site Map cannot be displayed anymore.
Condition:
1. Change the language from English to Traditional Chinese.
2. Click Site Map but it cannot be displayed.

7. [BUG FIX] 100315227
Symptom: The On Top icons cannot work after language changed.
Condition:
1. Use FireFox 3.5 or 2.6 to log in to ZyWALL.
2. Change the language from English to Traditional Chinese or Simplified Chinese.
3. The On Top icons like Help, About, Site Map cannot work anymore.


8. [BUG FIX] 100315275
Symptom: SSL VPN's File Sharing menu bar's up button is translated to a strange meaning in Traditional Chinese and Simplified_Chinese.
Condition:
1. Log in to the DUT via SSLVPN.
2. Change the SSLVPN language from English to Traditional Chinese or Simplified Chinese.
3. The translation of menu bars up is
4. It should be translated to more readable wording like or

9. [BUG FIX] 100316425
Symptom: DHCP Service cannot work anymore after frequently modifying the DHCP server configuration.
Condition:
1. Reset to default configuration.
2. Connect one PC to the LAN interface.
3. Configure the DHCP lease time on the LAN interface.
4. Renew IP on the PC and check if the IP can be renewed.
5. Repeat steps 3~4 several times and the IP of the PC cannot be renewed anymore.

10. [BUG FIX] 100317503
Symptom: Incorrect Default Gateway Address displayed when configuring the PPPoE interface's Connectivity Check.
Condition:
1. Configure one PPPoE interface and make it connected.
2. Edit the PPPoE interface again.
3. Enable Connectivity Check and select Check Default Gateway.
4. The Gateway IP address displayed is incorrect.

11. [BUG FIX] 100317568
Symptom: Session number cannot be queried via SNMP.
Condition:
1. Session number cannot be queried via SNMP.
2. Error log "ERROR: #configure terminal show _zldmib session status, file not found!" found.

12. [BUG FIX] 100319791
Symptom:


Port Grouping page will disappear after the language is changed to Simplified-Chinese.
Condition:
1. Reset DUT to default configure file. Change language from English to Simplified_Chinese
2. Go to Interface page, click tag, the page will disappear. Only click Interface page again, the tag can show

13. [BUG FIX] 100322908
Symptom: Translation is incorrect about MAC Address in interface page.
Condition:
1. Change the DUT's language to Simplified_Chinese.
2. Go to page, edit ge1 interface, in DHCP , MAC Address has been translated to , it should be MAC

14. [BUG FIX] 100323027
Symptom: The translation about i note in certificate adding page is totally wrong.
Condition:
1. Change language from English to Simplified_Chinese, go to Certificate page to add a certificate.
2. There's an i note about , its translation is totally wrong.

15. [BUG FIX] 100323045
Symptom: The translation of Mapped Port Start is wrong in VPN connection.
Condition:
1. Change language from English to Simplified_Chinese.
2. In VPN Connection page, add a rule, the Mapped Port Start has been translated to , it should be .

16. [BUG FIX] 100323106
Symptom: In Simplified_Chinese environment, some translations are still Traditional_Chinese.
Condition:
1. Change language to Simplified_Chinese.
2. In page, click button, Import Trusted Certificates window will pop up, the button of Browser has been translated into Traditional_Chinese instead of Simplified_Chinese
3. The same problem happens in the page of , and Shell

17. [BUG FIX] 100323139
Symptom:


ZySH daemon will be terminated when issuing the CLI no radius-server host.
Condition: ZySH daemon will be terminated when issuing the CLI no radius-server host.

18. [BUG FIX] 100325377
Symptom: Translation is incorrect about Host Port in Packet Capture page.
Condition: Change language to Simplified_Chinese. Go to Packet Capture page, Host Port has been translated to , it should be

19. [BUG FIX] 100326493
Symptom: EPS check will fail when the PC cannot pass the EPS object which is at the first priority.
Condition:
1. Create 2 EPS objects that have different passing criteria.
2. Create one SSLVPN rule with the below EPS configuration:
1) Enable EPS check
2) Select the 2 EPS objects we just created
3) Log in to SSLVPN from a PC that will fail to pass the first EPS object we selected in the previous setting but pass the 2nd EPS object
3. The EPS check will fail because the check failed on the first EPS object.
4. But actually it should be successful because the PC will pass the 2nd EPS object checking.

20. [BUG FIX] 100329625
Symptom: VPN traffic related logs cannot be displayed on VRPT 3.5 server correctly.
Condition: VPN traffic related logs cannot be displayed on VRPT 3.5 server correctly.

21. [BUG FIX] 100331777
Symptom: ZySH daemon will crash when doing Content Filter URL testing.
Condition:
1. Enter Anti-X > Content Filter > Filter Profile.
2. Create one filter profile and enter http://~@ in URL to test.
3. After trying to test this special URL, ZySH will crash.

22. [BUG FIX] 100401010
Symptom: The outgoing interface of reply traffic is not the same as the incoming interface of the originated traffic.

www.zyxel.com

Condition:
1. Create multiple WAN interfaces, say WAN1 and WAN2
2. Create one Virtual Server rule and set its incoming interface as WAN1 interface
3. Accessing the Virtual Server via the WAN1 interface will sometimes fail because the reply traffic from the Virtual Server will sometimes go back via the WAN2 interface

23. [BUG FIX] 100302129
Symptom: The object reference of the bridge interface will include Device HA even if it is not monitored by Device HA
Condition:
1. Create one bridge interface
2. Add this bridge interface to DMZ zone
3. Click the object reference for the bridge interface we just created
4. We will find that Device HA is in the reference list but actually it is not monitored by Device HA

24. [BUG FIX] 100324212
Symptom: The interface name cannot be displayed completely if the length of the interface name is more than 9 characters
Condition:
1. Rename one of the interfaces to have a length of more than 9 characters
2. In interface summary table in Dashboard, the related interface name can be only displayed with the first 9 characters

25. [BUG FIX] 100401004
Symptom: Incorrect login behavior when pressing Enter with Username and Password correctly inputted in SSLVPN login page
Condition:
1. Configure SSLVPN Login Domain Name
2. Enter SSLVPN login page with SSLVPN Login Domain Name
3. Input correct Username and Password and press Enter key directly
4. The GUI will enter User Login page instead of SSLVPN login portal
5. The default behavior of pressing Enter key in SSLVPN login page should do the SSLVPN login process instead of normal user login

26. [BUG FIX] 100402137
Symptom: PPTP tunnel cannot be connected successfully
Condition:
1. Connect PPTP tunnel from PC to PPTP server like below topology
   PC ----- (LAN)ZyWALL(WAN) ----- Internet ----- PPTP Server
2. The PPTP tunnel cannot be connected successfully

27. [BUG FIX] 100402124
Symptom: The ZyWALL generated ICMP Redirect packet will be dropped by Firewall
Condition:
1. Reset to default configuration
2. Configure one Policy Route with Next Hop as Gateway Type and the Gateway address is in the LAN subnet
3. PC in LAN subnet sends ping traffic which will match the Policy Route we just created
4. The ZyWALL should generate one ICMP Redirect packet to tell the PC that another Gateway, the one we configured in the Policy Route rule, has a faster path to reach the destination. But actually it does not

28. [BUG FIX] 100407319
Symptom: Changing the user type from limited-admin to ext-user or ext-group-user will fail and pop up the Error message
Condition:
1. Create one user with Limited-Admin user type
2. Change the user type of the Limited-Admin user we just created to ext-user or ext-group-user
3. GUI will return error message "CLI Number: 0, Error number: -3014, Error Message: Add external type user has failed."

29. [BUG FIX] 100318683
Symptom: In CF, add a new profile without enabling anything. The action of category service will all be PASS
Condition:
1. In CF, add a new profile. Name = CF1 without enabling anything. (By default, Action of unsafe web pages = Warn, Action of Managed web pages = Block, Action of Unrated web pages = Warn, Action when category server is unavailable = Warn) Then click OK
2. Edit the CF1 profile, the actions of CF category service will all be pass, Action of unsafe web pages = Pass, Action of Managed web pages = Pass, Action of Unrated web pages = Pass, Action when category server is unavailable = Pass

30. [BUG FIX] 100121930
Symptom: Dashboard display abnormal if using IE browser from Packet Capture page to DASHBOARD page.
Condition:
1. Use IE browser to login device
2. Go to page MAINTENANCE Diagnostics Packet Capture page, then go to DASHBOARD page
3. DASHBOARD page display abnormal on Virtual Device and Interface Status Summary widget

31. [BUG FIX] 100407320
Symptom: PC with Windows 7 installed can pass EPS check when the OS type is set to Windows 2008 or Windows 2008R2
Condition:
1. Create one EPS object to check the Window OS type as Windows 2008 or Windows 2008 or Windows 2008R2
2. Create one SSLVPN rule with EPS check as previous configured
3. Use a PC with Windows 7 installed to login SSLVPN
4. It should fail to pass the EPS check due to OS type, but it passed

32. [BUG FIX] 100322989
Symptom: Device HA Backup cannot dial up IPSec tunnel successfully after taking over
Condition:
1. Configure Device HA on Master and Backup properly and its monitored interface is an Ethernet interface
2. Configure VPN tunnel with FQDN type as its My Address
3. Configure the Mapped IP of the FQDN of step 2 as one of DUT's ethernet interfaces IP address
4. Once Master is down, Backup cannot dial up the VPN tunnel successfully

33. [BUG FIX] 100113950
Symptom: When the Mac Address format is XX-XX-XX-XX-XX, the MAC clone function doesn't work
Condition:
1. Edit one specified interface
2. Click Show Advanced Settings
3. In Mac Address Setting section, select Overwrite Default Mac Address and configure the Mac Address with the format as XX-XX-XX-XX-XX-XX
4. Capture the packets on the specified interface, the Mac address of the specified interface is not changed to XX-XX-XX-XX-XX-XX

34. [BUG FIX] 100407322
Symptom: If Group Identifier field has a space, GUI will pop out an error message "Wrong CLI command device timeout or device logout"
Condition:
1. Go to Configuration -> User/Group -> Add an ext-group-user
2. Group Identifier field input DC=xxx,[space]DC=xxx -> press OK
3. GUI will pop out error message "Wrong CLI command device timeout or device logout"

35. [BUG FIX] 100315249
Symptom: Test special URL in Test Web Site Category causes GUI keeps loading
Condition:
1. Create one Content Filter Profile
2. Enter this profile and input http:// in URL to test field, click the Test against content filter category server
3. GUI will keep loading

36. [BUG FIX] 100409424
Symptom: ZyWALL cannot be logged in
Condition:
1. Reset to default configuration
2. Enable SNMP service
3. Do SNMP Bulk request 1.3.6.1.1.890.1.6.22.1.4
4. After running for a while, ZyWALL cannot be logged in and the error message "Too many open files in system" occurs

37. [BUG FIX] 100409426
Symptom: The SSLVPN tunnel will be disconnected unexpectedly
Condition:
1. Create one user and set its lease time to 1 minute
2. Create one SSLVPN rule with Full tunnel mode and allow the user we just created to access the SSLVPN tunnel
3. Enable Allow renewing lease time automatically in Configuration > Object > User/Group > Setting page
4. Establish the SSLVPN Full tunnel
5. Keep pinging ZyWALL's interface from the SSLVPN client
6. The SSLVPN tunnel will be disconnected after one minute

38. [BUG FIX] 100413635
Symptom: When logging in to SSL VPN and opening RDP_Windows on portal to remote control server, remote server login GUI pops out very slowly
Condition:
1. Create one SSL Application with RDP Web Application
2. Create one SSLVPN rule with the SSL Application object
3. Login SSLVPN with Windows 7(32-bit) + IE8
4. Open RDP on the SSLVPN portal and the response is very slow

39. [BUG FIX] 100325342
Symptom: SecuExtender cannot be installed by ActiveX when using Windows 7 and IE 8 to login SSL VPN.
Condition:
1. Prepare a PC which has Windows 7 installed and make sure SecuExtender has not been installed on this PC before
2. Login ZyWALL via SSLVPN using IE8 from the PC we prepared
3. The SecuExtender cannot be installed successfully and logout immediately

40. [BUG FIX] 090828851
Symptom: ZySH daemon will be crashed when frequently refreshing Dashboard
Condition:
1. Reset to default configuration
2. Attach many PCs on LAN subnet and get the IP addresses dynamically
3. Login ZyWALL via GUI and sometimes ZySH daemon will be crashed

Features:
Modifications in 2.20(AQV.1)b1 - 2010/03/12

1. [BUG FIX] 091020199
Symptom: One log of IDP custom signature displays incorrectly
Condition: The IDP log content is not the same as the content shown on mouse over

2. [BUG FIX] 091022419
Symptom: When changing the system name, user needs to reboot DUT to get correct system name by SNMP.
Condition:
1. Modify system name
2. Load ZLD private MIB file into MG-SOFT software and compile them
3. Use MG-SOFT to query DUT, got wrong system name which is not modified by step 1
4. If reboot DUT, MG-SOFT can query correct system name

3. [BUG FIX] 091029777
Symptom: Under certain condition, the static DHCP record can't be released from DHCP Table.
Condition:
1. Reset to default configuration
2. PC get IP from LAN and reserve it via Dashboard > DHCP Table
3. Configure DMZ to be a DHCP server and disable Firewall
4. Connect the same PC to DMZ and get another IP
5. Reserve the IP got from DMZ DHCP server and the error message popped up
6. Releasing the DHCP record got from LAN will succeed but releasing the DHCP record got from DMZ will fail

4. [BUG FIX] 091102056
Symptom: DDNS HA didn't work if pull out Cellular card
Condition:
1. Interface > Ethernet > edit WAN interface
   1) Enable Interface: active
2. Interface > Cellular > edit cellular2
   1) Enable Interface: active
   2) Zone: WAN
   3) Profile Selection: Device; Profile1
   4) PIN Code: 0000
3. Network > DDNS > add a rule
   1) Profile Name: ddns1
   2) DDNS type: DynDNS
   3) Username: xxxx
   4) Password: xxxx
   5) Domain name: test.dyndns.org
   6) Primary Binding Address: Interface(cellular2) ; IP address (Interface)
   7) Backup Binding Address: Interface(wan1) ; IP address (Interface)
4. When cellular2 up and the WAN interface up, DUT update the ddns with Cellular2's IP address
5. When pull out cellular2, DUT didn't update the ddns with WAN interface's IP address

5. [BUG FIX] 091105437
Symptom: The log of VPN ping check is not right
Condition:
1. Configure IPSec Connectivity Check with ICMP method
2. We can see one incorrect IPSec Ping Check log in log page like below
   - Receive an ICMP IPSec connectivity check packet request...
3. "request" should be "reply"

6. [BUG FIX] 091118561
Symptom: 3G pin code unlock from dashboard and monitor page can't be saved to configuration
Condition:
1. When pin code locked, go to dashboard or monitor page to unlock pin code
2. Once pin code unlocked successfully, reboot the device. But you will find the pin code is locked again
3. The unlock action on dashboard and monitor should save the configuration to cellular

7. [BUG FIX] 091126359
Symptom: PPTP and PPPoE Authentication Type can't be saved via Wizard
Condition:
1. In Wizard, interface Encapsulation is PPTP, click Next button. Authentication type is PAP
2. Configure other fields with necessary fields and finish the wizard
3. Go to ISP Account page, check corresponding account: the value of Authentication Type is still Chap/PAP, not PAP
4. PPPoE has the same problem

8. [BUG FIX] 091201110
Symptom: Error string not found after issuing a debug CLI command
Condition:
1. Do not turn Boot Module debug flag
2. Enter CLI command "debug service-register erase service all"
3. ZySH returns error message "ERROR: Error string not found"
4. It should return a meaningful error message

9. [BUG FIX] 091204287
Symptom: Strange log triggered when logout from SSH connection
Condition:
1. Login DUT via SSH service
2. Logout SSH
3. There are some strange logs triggered in log page

10. [BUG FIX] 091215063
Symptom: Left panel doesn't expand when linking to system name page from Dashboard.
Condition:
1. Change system language to Traditional Chinese
2. Left panel doesn't expand when linking to system name page from Dashboard
3. This issue doesn't happen when system language is English

11. [BUG FIX] 091223729
Symptom: GUI will pop up error message when displaying the cache of content filter
Condition:
1. Enable Content Filter
2. Add one profile
3. Create one Content Filter policy rule with the profile
4. Access the web sites and make the number of cache grow to the Max number
5. Try to display the last page of the cache
6. GUI returns the error message like Wrong CLI

12. [BUG FIX] 091224805
Symptom: In QuickSetup, the title name is wrong in summary page.
Condition:
1. Click Quick Setup Web Help and select the VPN setup
2. Select the Advanced type of VPN policy
3. Anyone Scenario and go to next page, and setup phase1 and phase2 accordingly
4. In Summary page, the title shows Express Settings

13. [BUG FIX] 091224807
Symptom: Invalid validation error message in log mail subject field
Condition:
1. Enter Configuration > Log & Report > Log Setting
2. Edit the System Log item
3. In E-mail Server 1, input more than 60 characters
4. The invalid field error message displays incorrect content

14. [BUG FIX] 091224808
Symptom: VPN connection should not be able to be dialed out when it is configured as Manual Key
Condition:
1. Enter Configuration > VPN > IPSec VPN
2. Create one VPN connection with Manual Key configured
3. The Connect icon of the VPN Connection table can be clicked
4. Actually the Connect icon should not be clickable when VPN Connection is configured as Manual Key

15. [BUG FIX] 091225951
Symptom: Error message popped up when modifying the ADP profile name
Condition:
1. Change the default ADP profile name then press Save button
2. GUI will pop up error message like "CLI number :0 Error number: -32034, Error message: Show flood-detection failed"

16. [BUG FIX] 091228032
Symptom: Mouse Over on HOST type address cannot show the basic content in NAT page.
Condition:
1. Create one NAT rule and assign Host Type address object to Original IP or Mapped IP
2. Mouse over on the address object but nothing displayed

17. [BUG FIX] 091228990
Symptom:
There is no invalid field error message to remind user of the maximum number of characters that user can input
Condition:
1. Enter Configuration > Object > Certificate page
2. Click Add icon to create a certificate
3. Input more than 31 characters in the Name field
4. There is no invalid field error message to remind user of the maximum number of characters that user can input

18. [BUG FIX] 091229084
Symptom: Some wordings are not translated properly
Condition:
1. Change the system language to Simplified Chinese
2. Enter --the button need translate to
3. Enter -Anti-X -the table need use Simplified Chinese, its use Traditional Chinese

19. [BUG FIX] 091229109
Symptom: The warning message is incorrect in certificate import page.
Condition:
1. Enter Configuration > Object > Certificate page
2. Import a certificate
3. Select one PKCS#12 type certificate you want to import from your disk
4. Leave the password empty and click OK
5. Error message popped up "errno:-17030; errmsg: Invalid PKI PKCS#12 password". This is correct; click OK to close the error message window
6. GUI will mark the Password field invalid but there is no description for it
7. There is no need to mark the Password field invalid

20. [BUG FIX] 091229148
Symptom: Incorrect summary content when adding PPPoE via installation wizard
Condition:
1. Reset to default configuration
2. Login to GUI and the installation wizard popped up
3. Select I have Two ISP and continue the configuration
4. Configure the first WAN as Ethernet interface
5. Configure the second WAN as PPPoE interface
   1) Service Name: aaa
   2) User Name: aaa
   3) Enable nail-up
6. In the summary page of Internet Access Configuration page, the content is incorrect

21. [BUG FIX] 091229169
Symptom: There is no field error message to remind user when inputting more than 255 characters
Condition:
1. Enter System > DNS page
2. Create one A record with FQDN content more than 255 characters
3. Click OK but system cannot save the configuration successfully
4. GUI should have field invalid error message to remind user and should not allow user to click OK button

22. [BUG FIX] 091230289
Symptom: The custom signature still works even after it was deleted
Condition:
1. Create one custom signature like below
   1) Severity: Low
   2) Platform: All
   3) Service: ICMP
   4) Policy Type: Scan
   5) Header Option: Transport Protocol = ICMP, Type = 8, Code = 0
2. Activate this custom signature in the related IDP profile and make sure this custom signature works
3. Delete the custom signature
4. We found the custom signature still works and it could be found in the IDP profile

23. [BUG FIX] 091230303
Symptom: The error message for the invalid field is incorrect for some fields
Condition:
1. Try to add a NAT or DDNS rule
2. In rule name field, input more than 31 characters
3. There will be an error message for indicating the invalid field and remind the constraint of that field
4. The content of the error message is wrong: it says the max characters we can input is 30 but actually it should be 31

24. [BUG FIX] 091230376
Symptom:
The wording of the error message of the invalid field is incorrect
Condition:
1. Edit an Ethernet interface
2. Configure its Connectivity Check and assign the invalid IP address format to Check this address
3. The error message for this invalid field will be popped up and displays "The value should be an IP address or an FQDN"
4. "an FQDN" should be changed to "a FQDN"

25. [BUG FIX] 100104012
Symptom: IP/MAC Binding cannot reset to default after applying system default configuration
Condition:
1. Apply default configuration file. Connect PC to LAN port and connect WAN port to Internet
2. Activate IP/MAC Binding for LAN and WAN
3. Apply system default configuration
4. We found the IP/MAC Binding for WAN is still activated

26. [BUG FIX] 100104093
Symptom: The default value is different when adding a user object from different place
Condition:
1. Add a user object via Configuration > Object > User/Group > User page, GUI will assign default value for Description field
2. Add a user object via Configuration > VPN > SSL VPN > Access Policy Summary's policy edit page, GUI won't assign the default value for Description field

27. [BUG FIX] 100104124
Symptom: The Force User Authentication is disabled when changing the Authentication status
Condition:
1. Add an EPS object dd
2. Add an Authentication policy tt, enable Enable EPS Checking, enable Periodical checking time=3, add dd to selected EPS object. Do not apply
3. Change Authentication status from required to unnecessary, do not apply.
4. Change Authentication status from unnecessary to required again, you will find the checkbox of Force User Authentication change from enable to disable, the other settings are reserved

28. [BUG FIX] 100106345
Symptom:
Wording issue: the "Warning Message: Default L2TP crypto map is goiong to be deleted. You can recover it via L2TP CLI command." has wrong word "goiong", it should be "going"
Condition:
1. Enter into Configuration VPN connection page
2. Remove the default VPN connection rule
3. The warning sentence "Warning Message: Default L2TP crypto map is goiong to be deleted. You can recover it via L2TP CLI command." pops up
4. It has one wrong word "goiong", it should be "going"

29. [BUG FIX] 100106358
Symptom: Under certain condition, adding user object in L2TP VPN page is not right
Condition:
1. Enter into Configuration L2TP VPN page
2. Add one user by clicking Create new object
   1) User name is aa
   2) Password is 1234, Retype is 1234
   3) Authentication Timeout Settings is Use manual Settings
   4) Lease time is 22
   5) Reauthentication time is 22
3. This rule can be saved without any warning, but checking this user, the Authentication Timeout Setting option is still Use Default Settings

30. [BUG FIX] 100106400
Symptom: Extension Slot display issue for Huawei 3G card.
Condition:
1. Insert Huawei E220 3G card
2. 3G's Status displayed error in Extension Slot as below
   # Slot Device Status
   ======================================================
   2 USB 1 Huawei E220/E270/E800/E18 0Inactive

31. [BUG FIX] 100107482
Symptom: AV White/Black List cannot allow more than 80 characters filled in
Condition:
1. Enter into Configuration Anti-Virus Black/White list Black list page
2. Add one rule, filling long characters (more than 80 characters) in File Pattern field, there is no warning
3. Click OK button, one window "Wrong CLI command, device timeout or device logout" pops up

32. [BUG FIX] 100107487
Symptom: Display setting change will affect Priority setting.
Condition:
1. In Monitor View Log page, Show Filter. Display=Anti-Spam, Priority=alert, click search
2. Change Display=Anti-Virus, you will find that the Priority has been changed to any at the same time

33. [BUG FIX] 100108579
Symptom: In AV Black/white list page, add one rule, under certain condition, the rule saved is not right
Condition:
1. Enter into Configuration Anti-virus Black/White list page
2. Add one black list rule (or white list rule), in adding window, uncheck Enable checkbox, fill in 1 in File Pattern, apply
3. Check the rule saved, this rule is still enabled

34. [BUG FIX] 100111680
Symptom: Under certain condition, user can't login DUT
Condition:
1. Create one Auth. Method including Radius Server(first), and Local(second)
2. Make the Radius Server unreachable by DUT
3. Login DUT via GUI with a local user in DUT cannot be successful

35. [BUG FIX] 100111699
Symptom: Under certain condition, ADP profile rule cannot be edited successfully
Condition:
1. Enter into Configuration Anti-x ADP Profile page
2. Edit one profile
3. In Scan Detection field, select all rules, inactive them, the log option is log alert, the Action option is block, click OK button
4. One error message "Wrong CLI command, device timeout or device logout" pops up, and checking the rule saved, it is not right

36. [BUG FIX] 100112841
Symptom:
Under certain condition, PCs behind DUT cannot get IP address
Condition:
1. Reset to default configuration
2. Configure different DHCP Server setting on ge4 and ge5
3. Join Port 4 and Port 5 into ge4
4. Join Port 4 and Port 5 into ge5
5. PC connected to Port 4 and Port 5 cannot get the IP address from DUT

37. [BUG FIX] 100112888
Symptom: When adding two user defined trunks with long names into DUT, the name shown in Default WAN Trunk field is incomplete
Condition:
1. Enter into Configuration Interface Trunk page
2. In User Configuration, add two user defined trunks, SYSTEM_DEFAULT_WAN_TRUNK1 and SYSTEM_DEFAULT_WAN_TRUNK2
3. These two trunks' names shown in Default WAN Trunk field are incomplete

38. [BUG FIX] 100113962
Symptom: 3G budget will be reset when 3G interface disconnected because of idle time out.
Condition:
1. Insert one 3G card, add a 3G interface.
   1) Disable Nailed-Up
   2) Configure the idle timeout value
   3) Configure the Time Budget
2. After the 3G interface disconnected due to idle timeout, the Time Budget will be reset also

39. [BUG FIX] 100113972
Symptom: Wording issue, one log about ping check has wrong word "an", it should be "a"
Condition: One log about TCP mode ping check "Receive an TCP IPSec Connectivity check packet request" has wrong word "an", it should be "a"

40. [BUG FIX] 100114086
Symptom: When using MG-Soft Software to look at CPU information, the log has Error Message "#configure terminal show _zldmib session status, file not found"
Condition:
1. Enable SNMP
2. Server Port=161, Get Community=public, Set Community=private, Trap/Community=blank, Destination=blank
3. Use MG-Soft Software to look at CPU information
4. Log has Error Message "#configure terminal show _zldmib session status, file not found"

41. [BUG FIX] 100114100
Symptom: Configure static PPPoE based on ge3 via Quick Setup, the dns order is incorrect in DNS page
Condition:
1. Configure PPPoE interface via Quick Setup
2. Configure this PPPoE interface with static IP Address
3. Configure two DNS servers for its first and second DNS server
4. Configure other settings accordingly
5. After finishing the setup, the DNS order is incorrect

42. [BUG FIX] 100114134
Symptom: Outgoing traffic from DUT itself cannot follow Policy Route configuration
Condition:
1. Configure two WAN interfaces, one is Ethernet and another is 3G interface
2. Add one Policy Route, from ZyWALL to Any, next hop is the 3G interface
3. Configure Syslog Email Server properly and click E-mail Now
4. We found sometimes the mail traffic goes out via the Ethernet interface or goes out via the 3G interface but carries the incorrect interface IP address

43. [BUG FIX] 100118397
Symptom: Sometimes HTTPS cannot follow Firewall configuration
Condition:
1. Reset to default configuration
2. Create Firewall rule to allow some services from WAN to ZyWALL without HTTPS
3. Change the default Firewall rule to be deny
4. Accessing ZyWALL via HTTPS should not work but sometimes it works after rebooting DUT several times

44. [BUG FIX] 100119445
Symptom: There is no content displayed when mouse over the Local/Remote Policy in VPN Connection
Condition:
1. Create one VPN Connection Local/Remote Policy assigned
2. Move mouse over the Local/Remote Policy but there is no object content displayed

45. [BUG FIX] 100119492
Symptom: The Window Size item can't be saved correctly when editing a custom signature
Condition:
1. Anti-x > IDP > Custom Signatures, add a new signature
   1) name = Test
   2) Severity = low
   3) Platform = all
   4) Service = ICMP
   5) Policy Type = Scan
   6) Transport Protocol = TCP, Window Size equals to 16190, other settings are default
2. Edit this signature again, in Window Size item, the equal is not selected

46. [BUG FIX] 100119517
Symptom: Interface Status Summary at Dashboard always displays Dialing
Condition:
1. Configure one PPP interface and activate it
2. Click the dial icon of the PPP interface in Interface Status Summary table in Dashboard
3. The pop up window always displays Dialing

47. [BUG FIX] 100120705
Symptom: There is no warning message when user intends to upload the startup-config.conf
Condition:
1. There is no warning message when user intends to upload the startup-config.conf
2. There is one warning message popped up when user intends to upload the startup-config.conf in before 2.20

48. [BUG FIX] 100120721
Symptom: Static DHCP IP/MAC binding cannot work for bridge interface
Condition:
1. Create one bridge interface with all interfaces joined
2. Configure this bridge interface as a DHCP server
3. Connect one PC to DUT and can get the IP address A from DUT correctly
4. Create one Static DHCP IP/MAC binding IP-B<->PC's MAC in the bridge interface
5. Renew the IP address on the PC but the PC still gets IP address A

49. [BUG FIX] 100120740
Symptom: The sorting result is not correct in AppPatrol Statistics
Condition:
1. Enable Application Patrol and make some traffic through DUT
2. Enter MONITOR > AppPatrol Statistics
3. In Protocol Statistics, sorting result is not correct

50. [BUG FIX] 100120784
Symptom: Test one empty URL in Test Web Site Category causes GUI keeps loading
Condition:
1. Create one Content Filter Profile
2. Enter this profile and input nothing in URL to test field
3. GUI will keep loading

51. [BUG FIX] 100121844
Symptom: When adding a pppoe account in ISP Account, the Service Name can't be saved correctly
Condition:
1. Add one ISP account as below
   1) Profile Name = pppoe
   2) Protocol = pppoe
   3) Authentication Type = Chap/PAP
   4) User Name = testzywall
   5) Password = 1234
   6) Service Name = pppoe
   7) Idle timeout = 0
2. Check this pppoe account you just added, you will find the Service name is blank, not pppoe.

52. [BUG FIX] 100121849
Symptom: In PPTP interface, the ISP Setting did not show the corresponding content of pptp account
Condition:
1. Create one ISP account with PPTP protocol
2. Create one PPP interface with this PPTP ISP account
3. The ISP Setting in the PPP interface edit page does not display the corresponding configuration

53. [BUG FIX] 100121930
Symptom:
Dashboard display abnormal if using IE browser from Packet Capture page to DASHBOARD page
Condition:
1. Use IE browser to login device
2. Go to page MAINTENANCE Diagnostics Packet Capture page, then go to DASHBOARD page
3. DASHBOARD page display abnormal on Virtual Device and Interface Status Summary widget

54. [BUG FIX] 100125239
Symptom: DHCP configuration could not be saved when DHCP relay has a wrong value
Condition:
1. Edit DMZ interface
2. Set it as DHCP Relay and server is 192.168.8.2. Apply it
3. Edit the DMZ interface again
4. Change the DHCP Relay server IP to 192.168 first
5. Change the DHCP setting to DHCP Server. Start Address is 192.168.2.33 and pool size is 25. Apply it
6. Edit the DMZ interface again
7. The DHCP setting is still DHCP Relay instead of DHCP server

55. [BUG FIX] 100126382
Symptom: IPSec SA won't be removed in remote gateway when IPSec Fallback successfully
Condition:
1. Create one VPN Connection with Primary and Secondary gateway and IPSec Fallback is activated
2. Make DUT Fail Over and Fallback once
3. Check the secondary gateway and found the SA on remote secondary gateway was not removed

56. [BUG FIX] 100201066
Symptom: The configuration won't be saved correctly when configuring PPPoE via Quick Setup
Condition:
1. Configure PPPoE interface via Quick Setup and set its service name including % character
2. After finishing the PPPoE configuration via Quick Setup, the PPP interface setting is not correct when editing that PPP interface

57. [BUG FIX] 100203203
Symptom: Device will apply lastgood.conf or system-default.conf after reboot
Condition:
1. Create one user named abcde via GUI
2. Create one user named abcd which user type is ext-user or ext-group-user via GUI
3. Reboot DUT
4. DUT will try to apply lastgood.conf or system-default.conf

58. [BUG FIX] 100204340
Symptom: Site Map window might be closed when clicking a specific area in the Site Map window
Condition:
1. Open Site Map window
2. Click some empty area in the Site Map window
3. The Site Map window might be closed

59. [BUG FIX] 100205425
Symptom: The signature version of IDP/AV in License Service Status table in Dashboard is abnormal
Condition:
1. Login DUT via GUI
2. Refresh the table of License Service Status
3. The signature version of IDP/AV displayed abnormally

60. [BUG FIX] 100205463
Symptom: Some characters are overlapped when using Traditional Chinese or Simplified Chinese
Condition:
1. Add a Static DHCP rule for LAN interface
2. Edit the LAN interface again and found the wording of the grid of the DHCP static setting is overlapped

61. [BUG FIX] 100207588
Symptom: VLAN interface cannot be applied successfully in a specific case
Condition:
1. Create one VLAN interface called vlan0 with a Static DHCP setting record
2. Remove the VLAN interface vlan0
3. Create one VLAN interface called vlan3 with the same setting as vlan0 we just removed
4. The VLAN interface vlan3 cannot be applied successfully with one warning message popped up

62. [BUG FIX] 100207599
Symptom: 3G Budget will be reset every 30 seconds in a specific case
Condition:
1. Create one 3G interface with below setting
1) Enable Budget Control
2) Enable Time Budget and Data Budget
3) Reset time and data budget counters on the 5th day of each month
2. Configure the system date to the date which is configured in item 3 of step 1
3. 3G Budget will be reset every 30 seconds

63. [BUG FIX] 100208653
Symptom: Device will apply lastgood.conf or system-default.conf after reboot
Condition:
1. Create maximum number of DNS MX records
2. Create one additional DNS MX record, which should fail
3. Reboot DUT
4. DUT will try to apply lastgood.conf or system-default.conf

64. [BUG FIX] 100209721
Symptom: The release date of the EPS signature is wrong
Condition:
1. The release date of EPS signature in 2.20 B4 is 2009/11/19
2. The release date of EPS signature in 2.20 B5 is 2009/1/21. It is incorrect

65. [BUG FIX] 100209767
Symptom: EPS check with Avira_Antivir_Personal_v2009 Traditional Chinese edition will always fail
Condition:
1. Configure one EPS object with checking Avira_Antivir_Personal_v2009
2. PC installs Avira_Antivir_Personal_v2009 Traditional Chinese version
3. Create one SSLVPN policy with checking this EPS object
4. PC login to SSLVPN will always fail due to EPS checking

66. [BUG FIX] 100210895
Symptom: EPS checking will still be performed even when the Auth. Policy is not in the schedule
Condition:
1. Create one Auth. Policy with EPS checking required and schedule assigned
2. Login DUT via GUI at a time which is not in the schedule
3. The EPS checking will still be performed
67. [BUG FIX] 100222079
Symptom: SSL VPN's File Sharing menu bar's up button is translated to the wrong Traditional Chinese word
Condition:
1. Login DUT via SSLVPN
2. Change the SSL VPN GUI language to Traditional Chinese; the menu bar's up button is translated to the wrong Traditional Chinese word =

68. [BUG FIX] 100224215
Symptom: 3G interface cannot be activated in a specific case
Condition:
1. Create one 3G interface via GUI and disable it at first
2. Edit this 3G interface again
3. Activate this interface and click Apply
4. GUI will return "No need to apply" and this is not correct

69. [BUG FIX] 100301012
Symptom: PC can PING Internet host even when PING service is removed from Exceptional Service table in Auth. Policy page
Condition:
1. Reset to default configuration
2. Enable Authentication Policy
3. Create one Auth. Policy rule. From LAN_SUBNET to ANY, Authentication = force
4. Remove all rules in Exceptional Service table
5. Add PING service first then DNS Service
6. Remove PING service from Exceptional Service table
7. We found PC under LAN_SUBNET can still PING Internet hosts

Features:
Modifications in 2.20(AQV.0) - 2010/02/25

Modify for formal release

Features:
Modifications in 2.20(AQV.0)b6 - 2010/02/23

1. [BUG FIX] 100211949
Symptom: In Device-HA mode, Backup cannot build up VPN tunnels successfully after it took over
Condition:
1. Configure Device HA properly on Master and Backup and its monitored interface is a bridge interface
2. Configure one VPN rule on both Master and Backup with My Address configured as FQDN type
3. Make sure the VPN tunnel can be dialed up in Master
4. Make Backup take over but the VPN tunnel on Backup cannot be dialed up successfully

2. [BUG FIX] 100211954
Symptom: In Device-HA mode, Master cannot build up the VPN tunnel successfully if the My Address in VPN Gateway is configured as IP address
Condition:
1. Configure Device HA AP Mode properly on Master
2. Configure one VPN rule properly and My Address in VPN Gateway is configured as IP address
3. The interface which owned the My Address is monitored by Device HA
4. The VPN tunnel cannot be dialed up

Features:
Modifications in 2.20(AQV.0)b5 - 2010/01/29

1. [ENHANCEMENT] PPTPLG supports PPTP Server at LAN
2. [ENHANCEMENT] Update Java certificate expiration date to 2012/1/20

3. [BUG FIX] 091222674
Symptom: Login to DUT with a normal user will fail after logging in to DUT over 50 times with different users
Condition:
1. Use different users to login DUT over 50 times
2. Login DUT with a new user and cannot login successfully

4. [BUG FIX] 091229192
Symptom: Webpage will stay in loading status after special operation.
Condition:
1. Reset DUT to system-default configuration file
2. Go to Log Setting page, edit Remote Server 1: Server Address=172.25.22.36, Active Log=enable normal logs, apply
3. Go to Object > Schedule page, the webpage will stay in loading status

5. [BUG FIX] 091229204
Symptom: DUT will apply system-default configuration when F/W is upgraded from v2.12 to 2.20b4 and DUT is then rebooted.
Condition:
1. Upgrade to 2.20 B4
2. Downgrade to 2.12
3. Apply system-default configuration, and change system name via GUI
4. Upgrade to 2.20 B4
5. Reboot DUT
6. Failed to apply startup-config.conf, because ERROR: force-auth default-rule authentication allow no log

6. [BUG FIX] 091230324
Symptom: Under certain conditions, Ping Check doesn't work
Condition:
PC --- LAN(DUT)WAN--- Internet
1. Use system default configuration
2. Leave WAN port unplugged
3. Enable Ping Check on WAN interface, the check period is 5, others keep default
4. Plug back the WAN interface
5. The PC can access Internet but there is no Ping packet sent out via WAN interface

7. [BUG FIX] 091231492
Symptom: EPS check of KAV 2009/2010 always fails in Windows 2000
Condition:
1. Create EPS object to check KAV 2009 or KAV 2010
2. Create one Auth. Policy to check the EPS
3. Login DUT from a host which runs Windows 2000 and it always fails

8. [BUG FIX] 100104033
Symptom: EPS Failure for checking Kaspersky_Internet_Security_v2009
Condition:
1. Add an EPS rule to check Kaspersky_Internet_Security_v2009
1) Endpoint Operating System : Windows
2) Window Version : Windows XP2
3) Endpoint must have Personal Firewall installed : Enable
4) Allowed Personal Firewall List : Kaspersky_Internet_Security_v2009
5) Endpoint must have Anti-Virus software installed : Enable
6) Allowed Anti-Virus Software List : Kaspersky_Internet_Security_v2009
2. Install KIS v8.0.0.523 on Windows XP2, and login to the device will always fail the check

9. [BUG FIX] 100104076
Symptom: All buttons of File Sharing can't work via SSL VPN
Condition:
1. Edit Object > User/Group > User, add a test1
2. Edit Object > SSL Application, add rules
1) Name=Filesharing_NAS, Shared Path=\\172.25.25.240\sic
3. Edit web eWC/SSL VPN/Access Privilege, add rules
1) Name=File_share, User / Group Member=test1, SSL Application List / Member=Filesharing_NAS
4. test1 can browse the Windows file sharing folder but can't use any of the buttons: New Folder, rename, upload, remove, download, up
10. [BUG FIX] 100104109
Symptom: AUX cannot work.
Condition:
1. Enable aux interface
2. Click the connect icon, but nothing happened

11. [BUG FIX] 100105162
Symptom: If the Quick Setup PPPoE's username includes the symbol %, the setting can't be saved.
Condition:
1. Press the Quick setup button to setup PPPoE with username = az%99 then press next to finish
2. Check the interface: the PPP interface's setting is not saved

12. [BUG FIX] 100113049
Symptom: Dialing up L2TP over IPSec tunnel causes DUT to crazily send hello packets to client.
Condition:
1. Reset to default configuration
2. Create 2nd VPN connection
3. L2TP client dials up the L2TP tunnel and finds that lots of L2TP hello packets are sent to the L2TP client

Features:
Modifications in 2.20(AQV.0)b4 - 2009/12/25

8. [ENHANCEMENT] GUI Web Help is ready
9. [ENHANCEMENT] Multi-Language is ready

10. [ENHANCEMENT] New CLI command policy-route controll-virtual-server-rules. Below is the short description for the CLI command
1) In the past, in 2.1x firmware, NAT 1-1 and NAT-Loopback functionality was achieved by automatically creating additional Policy Route rules on TOP of the Policy Route table. The content of the Policy Route table is possibly like below
(1) From LAN_SERVER1 to any, nexthop is WAN1, SNAT: outgoing interface
(2) From LAN_SERVER2 to any, nexthop is WAN2, SNAT: outgoing interface
(3) From LAN to any, nexthop is WAN_TRUNK, SNAT: outgoing interface
2) In the 2.20 release, the Routing and Source NAT priority of NAT 1-1 and NAT-Loopback is lower than Policy Route
3) If the user configured several NAT 1-1 and NAT-Loopback rules in 2.1x firmware, it is possible that newly created NAT 1-1 and NAT-Loopback rules cannot work anymore after upgrading to 2.20 firmware. When creating a new NAT 1-1 or NAT-Loopback NAT rule in 2.20 firmware, DUT won't create the related Policy Route rule for that NAT rule but automatically creates the corresponding NAT 1-1 or NAT-Loopback Routing/SNAT rules with lower priority than Policy Route. But it might not work because some OLD Policy Route rule created in 2.1x firmware might override its functionality, like 1) (3) above
4) We create one CLI command to make the Routing/SNAT priority of NAT rules higher than Policy Route to avoid this situation
5) policy-route controll-virtual-server-rules activate
Make the priority of Routing/SNAT of NAT rules lower than Policy Route
6) no policy-route controll-virtual-server-rules activate
Make the priority of Routing/SNAT of NAT rules higher than Policy Route
7) If the system detects a firmware upgrade from those before 2.20, the system will make the priority of Routing/SNAT of NAT rules higher than Policy Route
8) The system will make the priority of Routing/SNAT of NAT rules lower than Policy Route by default configuration

11. [ENHANCEMENT] Add i-note to tell user that creating a certificate with DSA-2048 will take a long time

12. [ENHANCEMENT] Remove two obsolete categories and automatically map them to related new categories
1) sexuality-alternative-lifestyles -> alternative-sexuality-lifestyles
2) alcohol-tobacco -> alcohol and tobacco

13. [FEATURE CHANGE]
WAS: Japanese is one of the supported languages
IS: Japanese is not supported anymore
If user uses Japanese in former firmware, it will be set to English automatically after upgrading to 2.20 B4 firmware

14. [BUG FIX] 090827638
Symptom: IDP custom signatures can be exported, but cannot be imported by default name: custom.rules
Condition:
1. Anti-X > IDP > Custom Signatures, click the checkbox of Export, then Export it with the filename custom.rules
2. Anti-X > IDP > Custom Signatures, delete all custom signatures
3. Anti-X > IDP > Custom Signatures, add a new signature
4. Anti-X > IDP > Custom Signatures, import the custom
5. All custom signatures have disappeared

15. [BUG FIX] 090828859
Symptom: VPN of PFS group behavior is incorrect.
Condition:
1. Set the PFS to use DH1 group on DUT1 phase2 rule
2. Set the PFS to use none on DUT2 phase2 rule
3. VPN tunnel can still be established between DUT1 and DUT2

16. [BUG FIX] 090901031
Symptom: Manual key VPN of policy enforcement function cannot work.
Condition:
PC1 --- DUT1 --- VPN --- DUT2 --- PC2
1. Add a manual key rule on DUT1, and enable policy enforcement by CLI command
2. Add a policy route on DUT1 from Any to Remote Subnet
3. Add a manual key rule on DUT2
4. The policy enforcement cannot work, because PC1 can still ping PC2

17. [BUG FIX] 091124142
Symptom: GUI service object of ICMP protocol cannot see "User Defined ICMP type" ICMP type.
Condition:
1. Go to page Configuration > Object > Service, add a service object
2. The ICMP protocol does not show the "User Defined ICMP type" type

18. [BUG FIX] 091124212
Symptom: The encrypted ESP packet is always sent out of the wrong interface if the DUT has two WAN interfaces.
Condition:
1. This issue happens on PQA gateway
2. PQA gateway has two WAN interfaces, pppoe1 and pppoe2
3. Establish IPSec VPN tunnel by pppoe1 interface
4. Make sure the IPSec VPN tunnel is established, but the encrypted ESP packet is always sent out from pppoe2 interface
5. The issue cannot be solved by any method (e.g. policy route or metric).

19. [BUG FIX] 091126385
Symptom: When the address range has more than three IPs, SNAT doesn't work
Condition:
1. Create one address object with Range Type and over three IP addresses
2. Configure one Policy Route rule which does the SNAT with the Range Type address object just created
3. PC on LAN cannot access Internet

20. [BUG FIX] 091203243
Symptom: After enabling AS, sending mail via VPN cannot work
Condition:
Mail Server --- DUT1 --- VPN --- DUT2 --- Mail Client
1. Build one Site-To-Site VPN between DUT1 and DUT2
2. Create one Any to Any AS rule
3. Sending mail via this VPN tunnel cannot succeed
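
The rule shadowing described in enhancement 10 of 2.20(AQV.0)b4, as an added example (not ZyXEL code): a first-match model of the Routing/SNAT lookup in which the two tables are consulted in the order set by policy-route controll-virtual-server-rules activate. The subnets, the NAT 1-1 mapping and every function name are constructed assumptions; only the three policy routes and the CLI semantics come from the release note.

```python
"""First-match model of Routing/SNAT selection after a 2.1x -> 2.20 upgrade.

Illustration only: addresses and the NAT 1-1 rule are constructed samples.
Destination matching is omitted because every rule in the note is "to any".
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    source: str      # CIDR the packet source must fall in
    next_hop: str
    snat: str        # address (or label) the source is translated to

    def matches(self, src: str) -> bool:
        return ip_address(src) in ip_network(self.source)


# Policy routes as listed in item 10, 1) (1)-(3). The subnets behind
# LAN_SERVER1 / LAN_SERVER2 / LAN are assumed values.
POLICY_ROUTES = [
    Rule("LAN_SERVER1->any", "192.168.1.10/32", "WAN1", "outgoing-interface"),
    Rule("LAN_SERVER2->any", "192.168.1.11/32", "WAN2", "outgoing-interface"),
    Rule("LAN->any", "192.168.1.0/24", "WAN_TRUNK", "outgoing-interface"),
]

# A NAT 1-1 rule created after the upgrade (hypothetical server and public IP).
NAT_RULES = [
    Rule("NAT1-1 LAN_SERVER3", "192.168.1.12/32", "WAN1", "203.0.113.12"),
]


def select_rule(src, policy_routes, nat_rules, policy_route_first):
    """Return the first rule matching src, or None.

    policy_route_first=True models
        policy-route controll-virtual-server-rules activate
    (NAT Routing/SNAT has lower priority than Policy Route, the 2.20 default).
    policy_route_first=False models the `no` form, which the system selects
    when it detects an upgrade from firmware before 2.20.
    """
    if policy_route_first:
        ordered = policy_routes + nat_rules
    else:
        ordered = nat_rules + policy_routes
    for rule in ordered:
        if rule.matches(src):
            return rule
    return None


def shadowed_nat_rules(policy_routes, nat_rules):
    """List (nat_rule, policy_route) name pairs where a policy route covers
    the NAT rule's whole source, so the NAT rule is never reached while
    policy routes are evaluated first."""
    pairs = []
    for nat in nat_rules:
        nat_net = ip_network(nat.source)
        for pr in policy_routes:
            if nat_net.subnet_of(ip_network(pr.source)):
                pairs.append((nat.name, pr.name))
                break
    return pairs


if __name__ == "__main__":
    for first in (True, False):
        hit = select_rule("192.168.1.12", POLICY_ROUTES, NAT_RULES, first)
        print(f"policy_route_first={first}: {hit.name} -> SNAT {hit.snat}")
    print("shadowed:", shadowed_nat_rules(POLICY_ROUTES, NAT_RULES))
```

Running the shadow check against an exported rule list before and after an upgrade shows which NAT 1-1 rules depend on the `no` form of the command.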

Features:
Modifications in 2.20(AQV.0)b3 - 2009/11/20

1. [ENHANCEMENT] EPS Signature Update to 1.0.0.1 for supporting more AV/Firewall signatures
The new supported signatures are listed as below
1) Norton_AntiVirus 2010
2) Norton_Internet_Security 2010
3) Norton_360 Version, version 3
4) TrendMicro_PC-Cillin_Internet_Security 2010
5) TrendMicro_PC-Cillin_Internet_Security_Pro 2010
6) TrendMicro_PC-Cillin_AntiVirus 2010
7) Avira AntiVir Personal 2009
8) Microsoft_Security_Center
9) Windows_Firewall
To update EPS signature to 1.0.0.1, please enter below CLI command after firmware upgrade
Router> debug eps signature load-def
And you will find the EPS signature is updated via below CLI command
Router> show eps signature status
EPS signature information:
Current version : 1.0.0.1
Release date : 2009-11-19
Signature numbers : 18

41. [ENHANCEMENT] Synchronize the system default configuration for all models. This enhancement will make the system default configurations between all models similar with the common policies
1) User guest is removed
2) The default lease time for admin is set to 30 minutes
3) Add default PPPoE ISP accounts for each default PPP interface
4) Bind the default PPPoE ISP accounts to the default PPP interfaces
5) Add GRE service object by default
6) Remove default user customized trunks
7) Remove default user configurable service control rules for HTTP/HTTPS/SSH/TELNET/FTP/DNS/SNMP
8) Synchronized the default firewall rules for all models
9) Remove LAN_ADP, DMZ_ADP and ZyWALL_ADP anomaly profiles from default configuration
10) Add ADP_PROFILE into default configuration and bind to default anomaly rules
11) Bind ADP_PROFILE to default anomaly rules
12) Add default AV rules
13) Activate BWM by default (for performance testing, please turn off BWM first)

42. [ENHANCEMENT] There are some GUI enhancements
1) Mouse Over Enhancement
When moving the mouse pointer on an object, GUI will display the basic content of that object. Supported objects are User Group/Address/Address Group/Service/Service Group/Zone/Schedule
2) Invalid Field Error Message Description Enhancement
When user enters an invalid value checked by the corresponding GUI pages, the error messages describing why they are invalid will be more user-readable.
3) Add State(Province) and Town(City) fields when creating a new certificate
4) Configuration Apply enhancement. When applying a configuration via GUI, GUI will pop up a window with 4 options for selecting
(1) Immediately stop applying the configuration file
(2) Immediately stop applying the configuration file and roll back to the previous configuration
(3) Ignore errors and finish applying the configuration file
(4) Ignore errors and finish applying the configuration file and then roll back to the previous configuration

43. [ENHANCEMENT] There will be a log generated when an interface is renamed
44. [ENHANCEMENT] Add Object reference for OSPF

45. [ENHANCEMENT] Add CLI command to display URL Cache by range
Example
Router# show content-filter url-cache begin 1 end 5
No. Category TTL URL
===================================================================
1 Computers/Internet 4320 http://sales.liveperson.net/hc/74453203/?&visitor=4180599234632&msessionkey=300356931 3150301289&site=74453203&cmd=mTagInPage&lpCallId=958684555889
7231948013&protV=20&lpjson=1&page=http%3A//wwweurope.cisco.com/cisco/web/solutions/small_business/cisco_small_business_pro/index.html&i d=6323223163&javaSupport=true&visitorStatus=INSITE_STATUS&defInvite=chat-sambasales-english&activePlugin=none&cobrowse=true&pageWindowName=seq
2 Social Networking 4235 http://www.plurk.com/Poll/getResponseCount/159975383
3 Social Networking 3910 http://www.plurk.com/Poll/getResponsesN/3178044
4 Search Engines/Portals 4295 http://www.baidu.com/
5 Proxy Avoidance 4320 http://teuchi.net/browse.php?b=5&u=Oi8vd3d3LmZhY2Vib29rLmNvbQ%3D%3D

46. [ENHANCEMENT] Support IPSec ESP ALG
The peer GWs have no need to enable NATT if ZyWALL is in between. Below is an example scenario
ZyWALL-A --- (WAN)DUT(LAN) --- ZyWALL-B
(Acts as a NAT Router)
ZyWALL-A and ZyWALL-B can establish the VPN tunnel because DUT has IPSec ESP ALG supported (IPSec Pass Through)

47. [ENHANCEMENT] SSLVPN Windows 7 Support for both 32-bit and 64-bit

48. [FEATURE CHANGE]
WAS: User can't set empty string in eWC->Content Filter->Denied Access Message.
IS: User can set empty string in eWC->Content Filter->Denied Access Message
When user sets Denied Access Message empty and accesses the internet, if the URL matches the category which should be blocked, the web browser will redirect to the Redirect URL directly without showing any Denied Access Message and category.

49. [FEATURE CHANGE]
WAS: In GUI, Maintenance > Diagnostics > Packet Capture > Capture > Interface
The left side interface list is named Interfaces and the right side interface list is named Allowed interface
IS: In GUI, Maintenance > Diagnostics > Packet Capture > Capture > Interface
The left side interface list is named Available Interfaces and the right side interface list is named Capture Interfaces
50. [FEATURE CHANGE]
WAS: In GUI page, Configuration > Auth. Policy > Authentication Policy Summary
The default rule displays action with allow, drop and deny
IS: In GUI page, Configuration > Auth. Policy > Authentication Policy Summary
The default rule displays Authentication with required and unnecessary
And Log with no, log and log alert

51. [FEATURE CHANGE]
WAS: Via CLI, default mode of the interface group is normal when creating a new interface group
IS: Via CLI, default mode of the interface group is trunk when creating a new interface group

52. [BUG FIX] 090814172
Symptom: Ping Check section cannot be configured anymore after enabling Ping Check
Condition:
1. Enter VPN/ IPsec/ VPN connection
2. Add or Edit a rule
3. Enable the ping check section and apply
4. Edit the rule again
5. Cannot disable Ping Check anymore

53. [BUG FIX] 090915152
Symptom: SIP phone register FAIL when SIP ALG uses port 5070
Condition:
1. Edit Configuration > Network > ALG, enable SIP ALG
2. Set SIP Signaling Port = 5070
3. V300 uses port 5070 to register to the SIP server and FAILs

54. [BUG FIX] 090929397
Symptom: IP/MAC Binding cannot work properly
Condition:
1. Apply default configuration
2. Create/enable a correct IP/MAC binding item on ge1 and make sure the host can access Internet
3. Edit the IP/MAC binding item and replace it with a wrong MAC
4. The host shouldn't access Internet but it could

55. [BUG FIX] 091020246
Symptom: The Customized Access Page setting can't be applied correctly.
Condition:
1. Apply default configuration
2. Configuration > System > WWW > Login Page, use "Use Customized Login Page"
3. Upload a picture as Customized Access Page and apply the setting after the upload succeeds
4. Exit this page and then enter this page again; you will see the setting of Customized Access Page is color, not picture.

56. [BUG FIX] 091020250
Symptom: 3G interface in Default WAN Trunk sometimes works incorrectly.
Condition:
1. Enable AUX interface
2. Insert E270 3G card in USB 1 slot
3. Configuration > Network > Interface > Cellular, enable cellular2 and fill in necessary settings, then dial up 3G connection
4. Unplug WAN1 & WAN2 physical line
5. Configuration > Network > Interface > Trunk, check that SYSTEM_DEFAULT_WAN_TRUNK has the cellular2 interface, but LAN hosts' traffic can't go out to internet

57. [BUG FIX] 091021311
Symptom: The button Show Advance Settings/Hide Advance Settings in VLAN page is abnormal.
Condition:
1. In VLAN page, add a new VLAN interface
2. Click Show Advance Settings button. You will see advanced settings are shown on the page and the button Show Advance Settings is changed into Hide Advance Settings
3. Click Hide Advance Settings. Advanced settings are hidden on the page but the button is not changed into Show Advance Settings again
4. Then the button is useless. Click it, nothing will change

58. [BUG FIX] 091021313
Symptom: After enabling Auto Destination Address checkbox, the policy rule saved is not right
Condition:
1. Add one policy rule in Routing page, select Next-Hop to dynamic VPN (except Default L2tp vpn rule), enable Auto Destination Address, save it
2. Check this policy again, the Auto Destination Address checkbox disappears, it is not right

59. [BUG FIX] 091022366
Symptom: After dialing L2TP successfully, PC cannot ping (or ftp) DUT through its LAN IP address
Condition:
1. Build one L2TP VPN successfully
2. Add one Policy Route rule, the source is DUT LAN subnet, the destination is L2TP pool, next hop is Default_L2TP_VPN tunnel
3. PC can ping LAN hosts, but cannot ping (or ftp) DUT LAN IP address

60. [BUG FIX] 091023471
Symptom: PPP interface of PPTP protocol cannot work.
Condition:
1. In 2.20 default configuration, the PPTP connection always fails
2. If the firmware is downgraded to 2.12 and the 2.12 default configuration is applied, it will work fine
3. If running 2.12 configuration on 2.20 firmware, it will work fine

61. [BUG FIX] 091026533
Symptom: Click Dashboard twice, the GUI will hang
Condition:
1. Enter into GUI of DUT, the default page will be Dashboard
2. Click Dashboard Tab
3. The GUI will keep loading and have no response

62. [BUG FIX] 091027644
Symptom: L2TP over IPSec with NAT-T doesn't work
Condition:
1. Connect L2TP from a host which is under a NAT Router
2. The L2TP tunnel will not connect successfully

Features:
Modifications in 2.20(AQV.0)b2 - 2009/10/17

1. [ENHANCEMENT] Turn on NAT Loopback when creating NAT rules via GUI
2. [ENHANCEMENT] GUI Site Map is ready
3. [ENHANCEMENT] GUI Login Page Customization is ready

4. [ENHANCEMENT] EPS signature KAV 2009/2010 is ready. For updating the new EPS signature, please enter below CLI command after upgrading to 2.20 b2 firmware
Router> debug eps signature load-def
Router> show eps signature anti-virus
No. Name Detection
===================================================================
1 Kaspersky_Anti-Virus_v2009 yes
2 Kaspersky_Anti-Virus_v2010 yes

5. [ENHANCEMENT] New 3G card support for Huawei E180 and E800
6. [ENHANCEMENT] In VLAN edit page, add Zone selection for user quick configuration
7. [ENHANCEMENT] There will be a log message for Interface renaming

8. [ENHANCEMENT] There are some enhancements for App.Patrol rules in GUI
1) In policy summary page, the BWM In/Out/Priority field will show no/no/7 if Inbound and Outbound BWM of the policy are disabled (0 is disable)
2) In policy edit page, the Priority field and Maximize Bandwidth Usage selection will be hidden if both Inbound and Outbound BWM settings are disabled
3) In policy edit page, the default Priority will be 4 for configuring BWM

9. [ENHANCEMENT] GUI I-Note is ready
10. [ENHANCEMENT] In GUI dashboard, add Interface status and Extension slot information
11. [ENHANCEMENT] For L2TP authentication, supports special characters !@#$%^&*() as password
12. [FEATURE CHANGE]
WAS: There is help page in GUI right panel and old GUI link
IS: Remove the GUI right panel help page and old GUI link

13. [FEATURE CHANGE]
WAS: In GUI configuration page, click Show All Setting and Show Basic Setting will display advanced setting and hide advanced setting accordingly
IS: In GUI configuration page, click Show Advanced Setting and Hide Advanced Setting will display advanced setting and hide advanced setting accordingly

14. [BUG FIX] 090818327
Symptom: User Group cannot be edited via GUI
Condition:
1. Add one user whose name is user1
2. Add one user group whose name is group1
3. Edit the group1 rule, add the user user1 to this rule, click apply
4. The rule cannot be saved, one error message is shown: "Wrong CLI command, device timeout or device logout"

15. [BUG FIX] 090819548
Symptom: System time is not correct after rebooting the DUT
Condition:
1. In system Date/Time page
2. Set the time and date setup to manual
3. Set time zone to GMT+8
4. Reboot DUT
5. DUT system time will have 8 more hours added compared with the original time

16. [BUG FIX] 090819549
Symptom: The first login wizard cannot be completed
Condition:
1. Reset to system default configuration
2. Login to DUT and the wizard will pop up
3. Configure WAN as Ethernet or PPPoE mode
4. It always fails and error messages are displayed
17. [BUG FIX] 090819699
Symptom: IPSec tunnel cannot be built up again using IxVPN
Condition:
1. Build one IPSec tunnel using IxVPN
2. Disconnect the IPSec tunnel and the tunnel cannot be built up again
3. Reboot DUT and the IPSec tunnel can be built up again

18. [BUG FIX] 090820772
Symptom: External group user cannot work
Condition:
1. Add an external group type user
2. Relate the external group user to AD server
3. Add the AD server object to the default Auth Method
4. Login DUT from GUI with the external group user
5. Browser shows Internal Server Error

19. [BUG FIX] 090820784
Symptom: Test external group user will always fail
Condition:
1. Add an external group user
2. Testing this external group user in Configuration Validation will always fail

20. [BUG FIX] 090820819
Symptom: Modem common command & can't be saved in Initial String.
Condition:
1. Edit Configuration > Network > Interface > Auxiliary, Initial String= AT&Fl0m0, Apply
2. Check Configuration > Network > Interface > Auxiliary, Initial String= AT

21. [BUG FIX] 090820940
Symptom: If the checking failure message includes `, the web page cannot be opened successfully when EPS check failed

Features:
Modifications in 2.20(AQV.0)b1 - 2009/08/17

1. [ENHANCEMENT] ZLD Packet Flow 2.0
2. [ENHANCEMENT] Web GUI 2.0
3. [ENHANCEMENT] SSLVPN Portal for Web GUI 2.0
4. [ENHANCEMENT] Customized Log Page for Web GUI 2.0
5. [ENHANCEMENT] Object Reference Query
6. [ENHANCEMENT] SIP ALG 1.2
7. [ENHANCEMENT] Disable According Policy Route Rule while Interface Link Down or Ping Check Failed
8. [ENHANCEMENT] Block non-SNATed Packet by Firewall
9. [ENHANCEMENT] Device DNS Query Bind with Specific Interface
10. [ENHANCEMENT] Unified Interface Enhancement
11. [ENHANCEMENT] Packet Capture using GUI
12. [ENHANCEMENT] Cellular Budget Support
13. [ENHANCEMENT] Device HA Bridge Interface Support
14. [ENHANCEMENT] Device HA Easy Configuration for VLAN Interface
15. [ENHANCEMENT] Bypass Content Filter for VPN Traffic
16. [ENHANCEMENT] RIP & OSPF VLAN Interface Support
17. [ENHANCEMENT] MSN Login/Logout Log Support
18. [ENHANCEMENT] EPS (End Point Security)
19. [ENHANCEMENT] Authentication Policy
20. [ENHANCEMENT] IPSec Fall Back Support
21. [ENHANCEMENT] AAA Enhancement for External Group User
22. [FEATURE CHANGE] MAX VLAN Number is enlarged from 32 to 128

Appendix 1. Firmware Recovery


In some rare situations, ZyWALL might not boot up successfully after firmware upgrade. The following procedures are the steps to recover the firmware to normal condition. Please connect console cable to ZyWALL.

1. Restore the Recovery Image
If one of the following cases occurs, you need to restore the recovery image

Booting failed, device shows error code while decompressing Recovery Image

Device reboots infinitely

Nothing displays after "Press any key to enter debug mode within 3 seconds." for more than 1 minute.

Startup message displays "Invalid Recovery Image".

The message here could be Invalid Firmware. However, it is equivalent to Invalid Recovery Image.

Press any key to enter debug mode

Enter atuk. The console prompts warning messages and waits for the confirmation. Answer Y and start to upload the recovery image via Xmodem.

The console session might display ERROR. Please enter atur and use Xmodem to upload the recovery image.

Use the Xmodem feature of terminal emulation software to upload the file. Wait for about 3.5 minutes until finishing Xmodem.

Enter atkz -f -l 192.168.1.1 to configure FTP server IP address

Enter atgo to bring up the FTP server on port 1

2. Restore Firmware
If "Connect a computer to port 1 and FTP to 192.168.1.1 to upload the new file" displays on the screen, you need to recover the firmware by the following procedure.

You will use FTP to upload the firmware package. Keep the console session open in order to see when the firmware recovery finishes.

Set your computer to use a static IP address from 192.168.1.2 ~ 192.168.1.254. No matter how you have configured the ZyWALL's IP addresses, your computer must use a static IP address in this range to recover the firmware.

Connect your computer to the ZyWALL's port 1 (the only port that you can use for recovering the firmware).

Use an FTP client on your computer to connect to the ZyWALL. This example uses the ftp command in the Windows command prompt. The ZyWALL's FTP server IP address for firmware recovery is 192.168.1.1

Log in without user name (just press enter).

Set the transfer mode to binary. Use "bin" (or just "bi" in the Windows command prompt).

Transfer the firmware file from your computer to the ZyWALL (the command is "put 2.00(AQV.0)C0.bin" in the Windows command prompt).

Wait for the file transfer to complete.

The console session displays "Firmware received" after the FTP file transfer is complete. Then you need to wait while the ZyWALL recovers the firmware (this may take up to 4 minutes).

The message here might be "ZLD-current received". Actually, it is equivalent to "Firmware received".

The console session displays "done" when the firmware recovery is complete. Then the ZyWALL automatically restarts.

The username prompt displays after the ZyWALL starts up successfully. The firmware recovery process is now complete and the ZyWALL is ready to use.

If one of the following cases occurs, you need to do the firmware recovery process again. Note that if the process is done several times but the problem remains, please collect all the console logs and send them to ZyXEL for further analysis.

Refer to Step 1 Restore the Recovery Image and if there is a similar case, the process must be performed again.

If one of the following messages appears on console, the process must be performed again.

/bin/sh: /etc/zyxel/conf/ZLDconfig: No such file

Error: no system default config file, system configuration stop!!
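
The console messages named in this appendix, turned into a triage helper as an added example (not ZyXEL code): it reads a saved console capture in order and reports which step of the procedure applies, and it checks the workstation address against the required range. The capture lines, the reboot-loop threshold of three banners and all function names are constructed assumptions.

```python
"""Triage a saved ZyWALL recovery console capture (added illustration).

The message strings are the ones quoted in the appendix; the sample captures,
the reboot-loop threshold and all names here are constructed assumptions.
"""
from ipaddress import IPv4Address

BOOT_BANNER = "Press any key to enter debug mode within 3 seconds."
FTP_PROMPT = ("Connect a computer to port 1 and FTP to 192.168.1.1 "
              "to upload the new file")
BAD_IMAGE = ("Invalid Recovery Image", "Invalid Firmware")  # equivalent
RECEIVED = ("Firmware received", "ZLD-current received")    # equivalent
POST_BOOT_ERRORS = (
    "/bin/sh: /etc/zyxel/conf/ZLDconfig: No such file",
    "Error: no system default config file, system configuration stop!!",
)
REBOOT_LOOP_THRESHOLD = 3  # assumed: banners in a row with no progress marker

UNKNOWN = "no-marker"
RESTORE_IMAGE = "step1-restore-recovery-image"
UPLOAD_FIRMWARE = "step2-upload-firmware-by-ftp"
WAIT = "wait-for-done"
COMPLETE = "complete"
REPEAT = "repeat-firmware-recovery"


def classify_console(lines):
    """Walk the capture in order and return the state after the last line."""
    state, banners = UNKNOWN, 0
    for raw in lines:
        line = raw.strip()
        if BOOT_BANNER in line:
            banners += 1
            if banners >= REBOOT_LOOP_THRESHOLD:
                state = RESTORE_IMAGE          # "device reboots infinitely"
        elif any(m in line for m in BAD_IMAGE):
            state, banners = RESTORE_IMAGE, 0
        elif FTP_PROMPT in line:
            state, banners = UPLOAD_FIRMWARE, 0
        elif any(m in line for m in RECEIVED):
            state, banners = WAIT, 0
        elif line == "done" and state == WAIT:
            state, banners = COMPLETE, 0
        elif any(m in line for m in POST_BOOT_ERRORS):
            state, banners = REPEAT, 0
    return state


def workstation_ip_ok(addr):
    """True if addr is inside 192.168.1.2 ~ 192.168.1.254, the range the
    appendix requires for the computer attached to port 1."""
    try:
        ip = IPv4Address(addr)
    except ValueError:
        return False
    return IPv4Address("192.168.1.2") <= ip <= IPv4Address("192.168.1.254")


# Constructed captures, not real device output.
CAPTURE_OK = [FTP_PROMPT, "Firmware received", "done", BOOT_BANNER]
CAPTURE_BAD_CONFIG = CAPTURE_OK + [POST_BOOT_ERRORS[0]]
CAPTURE_REBOOT_LOOP = [BOOT_BANNER, BOOT_BANNER, BOOT_BANNER]

if __name__ == "__main__":
    for name, cap in [("ok", CAPTURE_OK), ("bad config", CAPTURE_BAD_CONFIG),
                      ("reboot loop", CAPTURE_REBOOT_LOOP)]:
        print(f"{name:12s} -> {classify_console(cap)}")
    for addr in ("192.168.1.2", "192.168.1.1", "10.0.0.5"):
        print(f"{addr:12s} usable for recovery: {workstation_ip_ok(addr)}")
```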
