
RIVERBED PRODUCT RELEASE NOTES

PRODUCT: STEELHEAD CX
RELEASE DATE: 05-MAY-2016
REVISED DATE: 17-AUGUST-2016
VERSION: 9.2.0

CONTENTS
1) Supported Steelhead Models
2) New Features in RiOS 9.2.0
3) Fixed Problems
4) Known Issues
5) Upgrading the RiOS Software Version
6) SteelCentral Controller for SteelHead (SCC) Compatibility
7) Hardware and Software Dependencies
8) Contacting Riverbed Support

1) SUPPORTED STEELHEAD MODELS


Important: RiOS 9.2.0 supports Riverbed CX models xx55 and xx70.

2) NEW FEATURES IN RIOS 9.2.0


Hostname-Based Interception Policy
Logical Groups of Domain Names and Hostnames in In-Path Rules
In-path rules recognize and process logical groups of domain names and hostnames using a
single label that resolves to several IP addresses. This ability to group domain names and
hostnames simplifies in-path rule management. One in-path rule replaces many. You can
specify an Internet domain with wildcards to define a wider group. For example, a domain
label called Office365 can be configured to match *.microsoftonline.com, *.office365.com,
or *.office.com in a single in-path rule.
A single rule can target a specific service such as SharePoint—even when the same IP
address serves content for both SharePoint and Lync.

You can also use host labels to populate the in-path destination with a set of IP addresses
and subnets to the service.
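
The label matching described above, modeled as an added example (not Riverbed code and not taken from these release notes). The wildcard semantics (a leading "*." matches one or more labels on a DNS label boundary and does not match the bare domain), the SharePoint label, the corp.example hostnames, and the rule actions are assumptions made for illustration.

```python
# Added illustration: a minimal model of domain-label matching for an
# in-path rule. The matching semantics are assumptions, not RiOS behaviour.

DOMAIN_LABELS = {
    # Label name and patterns taken from the release-note example.
    "Office365": ["*.microsoftonline.com", "*.office365.com", "*.office.com"],
    # Hypothetical label: one service on an IP address shared with another.
    "SharePoint": ["sharepoint.corp.example"],
}

# Hypothetical ordered rule list: (domain label, action). First match wins.
RULES = [
    ("SharePoint", "optimize"),
    ("Office365", "optimize"),
]


def normalize(hostname):
    """Lower-case the name and drop a trailing root dot."""
    return hostname.strip().lower().rstrip(".")


def pattern_matches(pattern, hostname):
    """Match one pattern against a hostname on DNS-label boundaries.

    Assumed semantics: a leading "*." matches one or more labels to the left
    of the suffix; a pattern without a wildcard must match exactly.
    """
    pattern, hostname = normalize(pattern), normalize(hostname)
    if not hostname:
        return False
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".office.com", leading dot kept on purpose
        # The leading dot forces a label boundary, so "evil-office.com" and
        # "outlook.office.com.attacker.example" do not match "*.office.com".
        return hostname.endswith(suffix) and len(hostname) > len(suffix)
    return hostname == pattern


def label_matches(label, hostname):
    """True if any pattern grouped under the label matches the hostname."""
    return any(pattern_matches(p, hostname) for p in DOMAIN_LABELS.get(label, []))


def first_matching_rule(rules, hostname):
    """Return the action of the first rule whose label matches the hostname."""
    for label, action in rules:
        if label_matches(label, hostname):
            return action
    return "pass-through"


if __name__ == "__main__":
    # Constructed hostnames; the last three are look-alikes that must not match.
    for name in [
        "login.microsoftonline.com",
        "Outlook.Office365.COM.",
        "sharepoint.corp.example",
        "lync.corp.example",
        "evil-office.com",
        "outlook.office.com.attacker.example",
        "office.com",
    ]:
        print(f"{name:40} -> {first_matching_rule(RULES, name)}")
```

Because the decision is made on the hostname, sharepoint.corp.example and lync.corp.example get different actions even if both resolve to the same IP address, which an address-only rule cannot express.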

Hybrid Networking
Performance and Scale Improvements
You can define up to 500 sites for increased scale and configuration responsiveness. QoS,
path selection, and secure transport can now handle up to 25 percent more optimized
connections per second without classification errors.
Uplink Probe Enhancements
The uplink probing techniques have been improved to:
 leverage the SteelHead’s traffic awareness to accelerate probing to sites that are seeing
traffic, while backing off probing for sites that are not seeing traffic. If an uplink isn’t
currently in use, it isn’t probed.
 avoid redundancy by probing only a subset of peers instead of probing all peers. For
example, if there are four peers on a path that is up and actively seeing traffic, the probe
monitors two peers instead of four. Also, the probes monitor only the uplinks referenced
in a path selection rule. Subset probing is helpful with secure uplinks where both secure
and nonsecure uplinks are created but aren’t referenced by a path selection rule.
Path Selection Support for Transit Site Traffic
Transit traffic is traffic that is not sourced or destined locally. For example, in a hub-and-
spoke configuration with a static VPN setup, the SteelHead does not recognize traffic as
being initiated by an external site and applies path selection rules for LAN-side traffic. The
transit site path selection rules route return traffic outside the VPN tunnel, causing the
firewall to drop packets. A new CLI command, path-selection-transit-bypass, pushes general
path selection rules but selectively turns off path selection for transit site traffic. RiOS
identifies transit traffic by checking subnets to determine whether the traffic is sourced or
destined locally. This feature maintains the original path selection intent, including failure
conditions, even when the traffic is routed through a transit site.
Path Selection with Interceptor (PSIC) Automatic Channel Configuration
To communicate efficiently, PSIC requires cluster channels between the SteelHead and
SteelHead Interceptor appliances. Cluster channels are traditionally configured on the
SteelHead. You can enable the PSIC automatic channel configuration feature using the
SteelCentral Controller (SCC) to configure the cluster channels and then push the
configuration to the appliances. No additional configuration tasks are required.

Web Proxy
Virtual In-Path Deployment
You can now use the Web proxy with virtual in-path deployments such as Web Cache
Communication Protocol (WCCP) and policy-based routing (PBR).
Caching Enhancements:
 The cache content is persistent after reboots and service restarts.
 The individual object size limitation has been removed.
 An expanded cache storage space. The CX 555 and CX 755 models can use up to 50 GB
of cache space for Web Proxy storage.
Host Label and Domain Label Integration with Web Proxy
You can use host labels and domain labels to define more granular traffic with the Web proxy
service.
Additional Log Formats Support
An expanded request logging format improves visibility, debugging, and diagnostics.

Applications
SMB 3.1.1 Optimization
This feature includes Server Message Block (SMB) v3.1.1 dialect support when enabling
SMBv3 on a SteelHead. SMBv3.1.1 was introduced by Microsoft in Windows 10 and Windows
2016. SMB v3.1.1 is only negotiated when systems of these operating system versions are
directly connected. RiOS 9.2 supports SMB file sharing as well as Windows domain
integration.
Windows 10 and Windows 2016 SMB Support
RiOS supports SMB file sharing as well as Windows domain integration for Windows 10 and
Windows Server 2016 Technical Preview 2.
SMB Latency Optimization Support for Mac OS X 10.9 and 10.10 Client
RiOS provides SMBv2 and SMBv3 latency optimization support for Mac OS X clients.
Full MAPI over HTTP Optimization
RiOS includes application-level latency optimization for MAPI over HTTP in addition to the
bandwidth optimization introduced in RiOS 9.1. This feature accelerates and reduces the
data consumption across Microsoft Outlook and supports both cached exchange and online
modes.
Expanded Exchange Server 2016 and Outlook 2016 Qualifications
SSL
TLS 1.2 Support
Transport Layer Security (TLS) 1.2 is enabled by default and upon upgrade for client-side and
server-side SteelHeads for improved security.
OpenSSL 1.0.2 Support
The SteelHead support for the SSL protocol stack is based on OpenSSL 1.0.2. This version
includes support for Camellia ciphers, krb5 ciphers, and ECDHE cipher negotiation.
SafeNet Hardware Security Module (HSM) Support for SSL Certificates
You can store proxy private keys and certificates on SafeNet Luna HSM devices for SSL
optimization.
SHA2 Support for Proxy Certificate
The SteelHead uses SHA-512 for proxy certificate signature hash.
Subject Alternative Name (SAN) with SSL Proxy Certificate
Includes Subject Alternative Name field checking when the SteelHead returns a proxy
certificate.

Platforms
SteelHead (Virtual Edition) KVM Image
You can deploy a SteelHead (virtual edition) using a kernel-based virtual machine (KVM)
image format. A KVM consists of a loadable kernel module that provides the core
virtualization infrastructure and a processor-specific module that provides virtualization
extensions running on a Linux kernel as a host. The support includes models up to and
including VCX 1555H and requires no licensing changes.
New Microsoft Azure-Based Larger CCX Models
An Azure cloud CCX-SUB-PERF-TIER4 license can optimize Azure workloads up to 400 Mbps to
Cloud IaaS while supporting a connection count of up to 30,000 connections per SteelHead.
The SteelHead-c CCX runs as a virtual machine hosted in Azure infrastructure services.

3) FIXED PROBLEMS
Problems fixed in version 9.2.0
 145734 Fixed an issue so that the sport.log files are written to after performing a log
rotation. Also ensures the currently active sport.log file and all archived sport.log files
are included in the archive on a full sysdump generation.
 161036 Fixed an issue where a SteelHead connecting to the Cloud Portal through a
proxy server would present the Content-Length header, causing a failed connection. The
SteelHead now does not include Content-Length in the request. A hidden command has
been added to allow the SteelHead to revert to previous behavior, in the case of proxy
servers that require it.
 165036 Fixed a problem where the stats report sent via email for the App Visibility
feature did not contain any headers. This made it difficult to understand what each
column of data represented.
 165826 Fixed an issue where SteelHead did not support SSL elliptic curve Diffie-Hellman
(ECDHE) key exchange connections. Support has been added for ECDHE connections.
 167022 Fixed an issue in the SNMP service that caused the IF-MIB::ifHCInUcastPkts.*
counters, when read through SNMP, to give large incorrect values that appear to
decrement instead of increment when packets go through the associated interfaces.
 167751 Fixed an issue where the optimization service on a SteelHead crashed when the
SteelHead disconnected from an optimization peer. The issue occurred when the
SteelHead was processing a large number of FTP or MAPI connections.
 197885 Fixed an issue where logs may appear similar to "[cli.ERR]: user admin:
check_if_dx(), lr_dx.c:28, build 186: Error code 14001 (unexpected NULL) returned".

No workaround is available. This error does not impact functionality and can be safely
ignored.
 198675 CVE-2013-4782 - A BMC security vulnerability was discovered that impacts
SteelHead xx50, EX560, and EX760 models.

Details:
A BMC security vulnerability was discovered that impacts SteelHead xx50, EX560, and
EX760 models.
CVE-2013-4782 - The BMC implementation allows remote attackers to bypass
authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher
zero) and an arbitrary password.

Recommendation:
Upgrade to patched version if applicable.

 218962 Fixed an issue where the SteelHead application classification engine was
classifying certain applications incorrectly. For example, O365 connections could be
classified as Skype. The classification engine has been upgraded to a version that
correctly classifies all supported applications.
 219716 Fixed an issue where an incomplete cleanup in one of the optimization process
components could cause the optimization service to fail during restart with errors
similar to "address in use".
 220037 Fixed an issue where a kernel panic could occur when successive IP fragments
belonging to a transparent, optimized, and locally existing connection arrived on the
optimization module and another interface (e.g. the primary interface). The fix is to
make sure that the optimization module uses its own defragmentation queue instead of
the defragmentation queue of the kernel.
 220338 Fixed a problem that prevented the "monitor" user from selecting the units to
be displayed in both the Inbound and Outbound QoS reports. Previously, the selection
drop-down list was improperly disabled.
 221778 Fixed an issue that occurs when HTTP based services use chunk encoding to
transfer large amounts of data, but at slow rates over time. One example was a stock
ticker widget that received a continuous stream of small price updates. When this
occurs over multiple connections simultaneously it can lead to out of memory
conditions. The slow data rate is significant because small packets bypass the
deduplication provided by scalable data referencing (SDR) and exacerbate memory
consumption. A chunk limit has been added to limit response data buffering. Buffering
limits have been put into place to prevent this from leading to errors.

 221961 SSL optimization fails with error "SSL3_GET_SERVER_HELLO:parse tlsext" when
Client Authentication is enabled on the SteelHead and the client/server negotiate use of
SSL Session Tickets. Session Tickets can be used for SSL session resumption and are
negotiated by the client and server during the SSL handshake. Both the client and the
server must advertise support for Session Tickets in order for Session Tickets to be used.
In a typical SSL optimization, the SSL handshake is terminated at the server-side
SteelHead. Since the SteelHead does not support Session Tickets, the SteelHead did not
advertise support for them and the Session Tickets were never used. However, when
Client Authentication is enabled on the SteelHead, Client Authentication must allow the
client and server to negotiate directly, which may result in a Session Ticket being
established. The SteelHead later encounters an error when parsing the SSL handshake
messages and the connection fails. To remedy this, Session Ticket support must be
enabled on the SteelHead by using the following CLI command:

[no] protocol ssl backend client session-ticket

This command allows the SteelHead to parse the SSL handshake messages containing
Session Tickets. Note that this does not imply that the SteelHead can decrypt Session
Tickets generated by another server. This means that the servers doing Client
Authentication cannot be optimized when the client uses a Session Ticket to resume a
session. (Session resumption using Session ID is still allowed). However, if the server is
not doing Client Authentication, the SteelHead retroactively terminates the connection
at the SteelHead. The only difference is that the original client handshake message was
forwarded to the server. Forwarding the handshake message allows the SteelHead to
generate its own Session Tickets and enables SSL optimization to work in all resumption
cases. Subsequent connections to the server will terminate at the SteelHead and will
follow the typical SSL optimization model. The solution is to disable SSL Client
Authentication.
 222693 Fixed an issue where, when RADIUS authentication is configured, passwords longer
than 272 characters can cause the Management Console to become temporarily
unavailable. This issue is only applicable if RADIUS based authentication is used on the
appliance. A fix in the third-party PAM_Radius library was made to prevent the
Management Console from exiting and restarting when passwords longer than 272
characters are entered. A restart of the Management Console triggers the following
message in the system log, and in an email notification: "Process failure: manage.py"

Workaround:
Temporarily disable RADIUS based authentication.

Recommendation:
Upgrade to patched version if applicable.
 225191 Fixed an issue where the SteelHead optimization service could crash if sufficient
contiguous memory is not available. This issue was fixed by preallocating and reusing
adequately sized memory blocks. In addition, connection load balancing is now disabled
whenever SDR-Adaptive is enabled.

 225445 Fixed an issue where the optimization service could crash during the CIFS share
directory parse operation. This fix added checks to avoid accessing invalid information
that could cause the optimization service to crash.
 226757 Fixed an issue where log messages make it look like the "yarder_rbt" process
has crashed when it has actually shut down normally. The amount of time that the
system process manager waits for a process to shutdown before forcing it to exit has
been increased for "yarder_rbt".
 229753 Fixed an issue wherein the file transfers from servers to the OSX 10.9 clients are
slow. A new hidden CLI command on the client-side SteelHead has been added for faster
file transfers to OSX 10.9 clients. To enable SMB2 optimization on the OSX 10.9 clients,
use the following CLI command:
protocol smb2 mac-oplock enable
To disable this feature, use the no version of the command:
no protocol smb2 mac-oplock enable
 231646 Fixed a problem where packets could be corrupted when the SteelHead has DSCP
marking enabled and sees VLAN tagged broadcast packets (such as DHCP) going from
LAN to WAN. If a software upgrade is not an option, disable DSCP marking or change
specific rules.
 231991 Fixed an issue in the User Interface that made all port label names lower case
before being saved to the database.
 232738 This fix corrected the condition where accelerated responses to the Outlook
client were sent under the wrong authentication context resulting in the Outlook client's
state being corrupted.
 235715 Fixed an issue where, in rare cases, the priority detection used to label Citrix MSI
traffic for QoS fails to correctly identify the stream priority. In this case, the stream is
identified as Citrix-CGP. Additionally, SSL warnings may be seen when the connection is
closed. The Citrix optimization feature now looks for any occurrence of the priority
command, not just the first one, until it identifies a valid priority.

 235947 cURL cumulative security update for security advisories adv_20150422A,
adv_20150422B, adv_20150422C, and adv_20150422D

Details:
CVE-2015-3143 NTLM-authenticated connections could be wrongly reused for requests
without any credentials set, leading to HTTP requests being sent over the connection
authenticated as a different user. This is similar to the issue fixed in DSA-2849-1.
CVE-2015-3144 When parsing URLs with a zero-length hostname (such as "http://:80"),
libcurl would try to read from an invalid memory address. This could allow remote
attackers to cause a denial of service (crash). This issue only affects the upcoming stable
(jessie) and unstable (sid) distributions.
CVE-2015-3145 When parsing HTTP cookies, if the parsed cookie's "path" element
consists of a single double-quote, libcurl would try to write to an invalid heap memory
address. This could allow remote attackers to cause a denial of service (crash). This issue
only affects the upcoming stable (jessie) and unstable (sid) distributions.
CVE-2015-3148 When doing HTTP requests using the Negotiate authentication method
along with NTLM, the connection used would not be marked as authenticated, making it
possible to reuse it and send requests for one user over the connection authenticated as
a different user.

Not Applicable:
CVE-2015-3144, and CVE-2015-3145

Fix:
Upgraded cURL utility to 7.44.0

Recommendation:
Upgrade to patched version if applicable.
 236318 Fixed an issue to update the Path Selection page to properly show all sections of
the page as disabled but visible when the logged in user has read-only permissions to
everything.
 236378 Fixed an issue where under heavy load conditions, SteelHeads in a Connection
Forwarding cluster would fail to send control messages to their connection forwarding
neighbors, resulting in the neighbors failing to remove stale entries leading to an out-of-
memory condition. An enhancement has been made that reduces control-message
failures on the SteelHead so that out-of-memory conditions and process failures on
neighboring SteelHeads and Interceptors no longer occur.

 237568 Fixed an issue where the Path Selection engine would log an INFO level message
once for every flow based on customer policies. This issue could overwhelm the logs in
cases where there are a large number of relayed flows. The fix ensures that RiOS does
not log the message for any relayed flows.

Example message:
[rbtqos.INFO] 172.29.81.103:61919 -> 10.3.5.60:445 proto 6 now being relayed
Excessive logging of this message could lead to rate limiting, indicated by
'kernel:__ratelimit' messages.
 237772 Fixed an issue where, on SteelHead models CX255, CX570, and CX770, the LAN
and WAN interface links can go down briefly during an optimization service restart. This
issue existed on all previous RiOS releases.
 238050 Fixed an issue where SNMP access might be very slow (an hour or so) when
there is a large number (tens of thousands) of connections due to an insert-and-sort-
each-time procedure. Tools like snmpwalk time out. The SNMP server has been
changed to build its internal array of connections more quickly so that an snmpwalk or
snmpbulkwalk query to an appliance with tens of thousands of connections will take a
few minutes instead of a few hours. The use of the -t option in snmpwalk or other tools
might still be necessary to increase the timeout, but a more reasonable value like "-t
200" can be used.
 238512 Fixed an issue with GeoDNS for SteelHead SaaS Office 365 optimization causing
high CPU overhead. This could happen either when a large number of clients are being
GeoDNS optimized or when clients are using a different DNS server than those
configured on the SteelHead appliance.
 238925 Fixed an issue where QoS-related processes crash repeatedly after reboot when
a new in-path interface is added after configuring remote sites.
 239153 Updated Web-Proxy cache to support HTTP/1.1 so that HTTP Pre-population can
be utilized.
 239271 Fixed an issue where the optimization service could crash when LAN or WAN
cables were removed and/or reconnected while the appliance was optimizing
connections.
 239757 Fixed a bug where a certificate, created using a CSR from the SteelHead, could
not be used to "replace" the current certificate through the Web Settings page.
 240007 Fixed an issue with CIFS Prepopulation Web UI and CLI interface showing
incorrect next full synchronization time.
 240539 Fixed an issue in SteelHead version 8.6.x and later where a path-selection policy
push from the SCC to SteelHead would fail.
 240730 Fixed a problem by correctly honoring the metadata cache timeout, even for
timeout values less than 1000 ms. With this fix, the cache timeout can be set to an
appropriate value to suit a specific scenario. A timeout of 0 ms would stop CFE from
answering the GetInfo requests locally and forward them to the server.

 240747 Fixed an issue where a kernel panic could occur in certain configurations using
full address transparency in-path rules, leading to an optimization service restart. This
issue impacts RiOS v8.6.2 and later, v9.0.x, and v9.1.x.
 240843 Fixed an issue where a false positive redundant power supply alarm would raise
and clear intermittently. A symptom of this bug is seeing the alarm consistently clear
one minute after it was raised.
 240976 Fixed an issue where a kernel crash could occur affecting appliances running
traffic across an interface with an e1000e driver, which is commonly used by several
models on the on-board in-path interface. Messages such as these can be seen:
Jun 20 08:53:57 localhost kernel:IP: [<ffffffff8144dfe1>]
e1000_xmit_frame+0xd51/0x1000
 241025 Fixed an issue where out-of-memory conditions on the CX555 appliance model
could lead to restarts of optimization and other vital services. This fix adjusted memory
handling of the CX555 appliance to reduce the likelihood of hitting an out-of-memory
condition. Out-of-memory conditions can lead to restarts of optimization and other
vital services.
 241055 Fixed an issue where disabling the public facing REST API server would prevent
the SteelCentral Controller from pushing the configuration to an appliance.
 241099 Fixed an issue in the Management Console's handling of Unicode characters
wherein the use of special characters or accented letters in the 'login message' banner
could break some pages or prevent login. This fix does not address a similar issue with
the MOTD banner, where the same characters can break some pages or prevent login.
 241120 Fixed an issue where a UI page load error appears when trying to open pages
such as QoS and 'Sites and Networks.' This error occurs when a SteelHead appliance has
an interface card installed in slot 6. Messages like the following appear in the system
logs: Jul 8 09:19:19 sv-sh202 lumberjack_rbt[35484]: [sh.appflow.INFO] The wan6_0
interface ifindex is not available
 241231 Fixed an issue where the SteelHead could become unresponsive if the Secure
Peering gray list grew too quickly. With this fix, the rate at which peers are added to the
Secure Peering gray list is limited to once every 5 seconds.
 241246 Fixed an issue where the optimization service would crash or large numbers of
error messages stated, "Unable to construct frame from …," by changing the
way the SteelHead parses traffic so that newer Citrix protocol variants are bypassed.
 241291 Fixed an issue where packets decrypted using Secure Transport were not sent
out with the configured VLAN of the optimization interface when the connection-based
VLAN feature is enabled. Decapsulated packets would need to pick up the VLAN
configured on the optimization interface even if the connection-based VLAN feature is
enabled.

 241333 OpenSSL cumulative security update for advisory - secadv_20150709

Details:
This update addresses the following issues:
CVE-2015-1793: Alternative chains certificate forgery
For more information, see: https://www.openssl.org/news/secadv_20150709.txt

Fix:
The OpenSSL library in RiOS management has been updated to version 1.0.1p to patch
the above issue.

Recommendation:
Upgrade to patched version if applicable.
 241382 Fixed an issue where upgrading a SteelHead CX1555H to RiOS 9.1.0 or later fails
if the upgrade encounters an unexpected partition layout on the management drives.
 241422 Fixed an issue where accented characters or special symbols in the Message of
the Day (MOTD) banner could cause logins to fail or rendering problems in the
Management Console.
 241573 Fixed an issue where the Outlook Anywhere auto-detect mechanism could
misinterpret HTTP payload and cause an optimization service crash. The fix allows
identification of unexpected source responses, the connection is passed through, and a
message is logged: "enable pass-thru: unexpected data after headers." Disable Outlook
Anywhere auto-detect and add an in-path rule to use Outlook Anywhere latency
optimization only for Microsoft CAS servers.
 241773 Fixed a crash that can occur while optimizing MAPI RPCH traffic caused by
negative Content-Length headers. Although it is not allowed by the HTTP specification,
Microsoft servers can return negative Content-Length header values, which trigger an
ASSERT in the RPCH code. Instead of crashing, with this fix the software passes through
the traffic and logs an INFO level log: "enable pass-thru: Content-Length header is
negative: -1".

 241917 CVE-2015-4620 - ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before
9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows
remote attackers to cause a denial of service.

Details:
name.c named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-
P2, when configured as a recursive resolver with DNSSEC validation, allows remote
attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by
constructing crafted zone data and then making a query for a name in that zone.

Fix:
The ISC BIND named daemon for the DNS cache feature has been upgraded to address
CVE-2015-4620.

Recommendation:
Upgrade to patched version if applicable.
 241918 CVE-2015-1819 - The xmlreader in libxml allows remote attackers to cause a
denial of service

Details:
A denial-of-service (DOS) flaw was found in the way the libxml2 library parsed certain
XML files. An attacker could provide a specially crafted XML file (related to an XML
Entity Expansion (XEE) attack) that, when parsed by an application using libxml2, could
cause that application to use an excessive amount of memory.

Fix:
The libxml2 has been updated to patch CVE-2015-1819.

Recommendation:
Upgrade to patched version if applicable.
 241998 Fixed an issue where the Application Statistics REST API "resolution" and
"rollup_function" parameters were incorrectly exposed. Setting these values may result
in inaccurate data. Do not set these unsupported parameters.
 242060 Fixed an issue where the optimization service would crash or large numbers of
error messages stated, "Unable to construct frame from …," by changing the
way the SteelHead parses traffic so that newer Citrix protocol variants are bypassed.
 242237 Fixed a problem where the reset of TCP connections on 32-bit appliances failed
due to mismatched library versions. Fixed by using the appropriate library for 32-bit
appliances.
 242318 Fixed an issue where "image fetch" times out after 5 minutes for scp:// URLs.
This behavior could occur if the link that image was transferred over was slow, resulting
in the file transfer taking more than 5 minutes. The timeout handler has been updated
to monitor transfer progress, instead of closing the connection if a transfer cannot
complete under 5 minutes.

 242330 Fixed an issue where importing SSL certificates that have commas in their
hostname would cause an error in the Administration -> Security -> Web Settings UI
page.
 242633 Enhancement: Improved the size allocations for SSL encryption buffers. This
change reduces the amount of memory allocated for small SSL alert messages.

Additional Info: This change is not a solution to SSL sizing constraints and will not
increase the secure connection capacity on a SteelHead.
 242661 Fixed an issue where a message "[rpch/csh.NOTICE] 1019415 {10.1.2.3:20000
10.4.5.6:80} HTTP headers > 64KB, passing through connection" appears in the log.
Under certain conditions, this message appears while examining an HTTP connection for
Outlook-Anywhere traffic to a web server that is not an Exchange server. No
workaround is needed. To prevent this message, you can disable Outlook Anywhere
auto-detect and add an in-path rule to use Outlook Anywhere latency optimization only
for Microsoft Client Access Servers (CAS).
 242979 Fixed an issue where persistently high CPU utilization can occur when the
system attempts to send very large files, such as a large system dump, via email. Failure
events, such as process crashes, send email notifications accompanied with sysdumps
and can trigger the high CPU.
 243000 Fixed an issue where the Outlook Anywhere optimization service was incorrectly
intercepting non-MAPI traffic. This issue was fixed by changing the behavior of HTTP
parsing to allow for case-insensitive searching of the HTTP header for the content length
field.
 243171 Fixed a problem where a race condition corrupts the connections map data and
causes the optimization service to crash when Outlook Anywhere is enabled. Applied
fixes to improve management of strings and reduce race conditions so the connection
map would not be corrupted.
 243604 Fixed an issue on the Web Proxy that caused intermittent access to certain Web
pages. This behavior occurs when the Web server that the client is connecting to sends a
Keep-Alive header in the HTTP response. As a result, the connection between the client
and the proxy, and the connection between the Web proxy and the server are kept
alive. If the server sees no data for some time, it closes the socket on its side (generally
after a short timeout). The client, during this time, initiates a new HTTP request on the
kept alive connection to the proxy. The Web proxy then sends a "Service Unavailable"
error and also closes the connection to the client because it cannot guarantee that the
configured network rules for the client-side connection can be applied on a new server-
side connection. To fix this issue, when the server closes the connection, the SteelHead
propagates the connection close to the client. This ensures that the client does not
reuse a connection that has the corresponding server connection closed.
 243632 Fixed an issue where a kernel crash could occur when the system was low
on available memory. The signature of the crash is a message like the following:
Aug 22 02:16:15 localhost kernel: [<f9287d03>] hnbi_delete_init_data+0x2b/0x50 [nbt]

 243748 Fixed an issue where an IP packet with Ethernet trailer bytes resulted in a
RiOS kernel crash. The packet processing modules have been updated to handle IP
packets with Ethernet trailer bytes properly.
 244078 Fixed an issue, introduced in RiOS 9.0, that prevented the "web http redirect"
command from automatically routing Management Console traffic to the secure HTTPS
port. When this command was executed, access to the Management Console failed in a
redirect loop.

Workaround:
Use https:// instead of http:// to access the web UI.

Additional Information:
When connecting to fixed versions, the browser cache may still need to be cleared in
some cases.
 244238 Fixed an issue where the SNMP server did not report the correct values for
the MIBs hrSWRunPerfCPU and hrSWRunPerfMem. The SNMP server no longer
improperly parses /proc/$pid/stat, which had caused incorrect values to be returned.
 244832 CVE-2015-5986 - openpgpkey_61.c in named in ISC BIND 9.9.7 before 9.9.7-P3
allows remote attackers to cause a denial of service
CVE-2015-5722 - buffer.c in named in ISC BIND 9.x before 9.9.7-P3 allows remote
attackers to cause a denial of service

Details:
CVE-2015-5986: openpgpkey_61.c in named in ISC BIND 9.9.7 before 9.9.7-P3 allows
remote attackers to cause a denial of service (REQUIRE assertion failure and daemon
exit) via a crafted DNS response.
CVE-2015-5722: buffer.c in named in ISC BIND 9.x before 9.9.7-P3 allows remote
attackers to cause a denial of service (assertion failure and daemon exit) by creating a
zone containing a malformed DNSSEC key and issuing a query for a name in that zone.

Fix:
The ISC BIND named daemon for the DNS cache feature has been upgraded to 9.9.7-P3.

Recommendation:
Upgrade to patched version if applicable.

Note: the DNS cache feature which utilizes BIND is turned off by default, and does not
use DNSSEC.
 244916 Fixed an issue where HTTP responses could drop during the transition from
optimized individual transactions to bypassed pipelined requests.
 244961 Enhancement: TLSv1.2 support is enabled by default beginning with RiOS 9.2.
This affects both new installations and upgrades. Compatibility issues with older
versions of RiOS have been addressed and the SteelHead will automatically negotiate
down as necessary.

 245069 Fixed an issue where the optimization service was mishandling an oplock break
response from an optimized SMB3 encrypted connection from the server, resulting in a
failed file download. With this fix, the oplock break responses are correctly handled and
the client is able to read or download the file.
 245223 Fixed an issue where the optimization service might crash when the system
recycles an Outlook Anywhere connection in a way that is not permitted by the
protocol.
 245362 Fixed an issue where an IPMI alarm could be triggered by a false power supply
predictive failure state.
 245876 Fixed an issue to ensure a state reset of the red triangle indicating an error
whenever the user opens the site Add or Edit panel. The error symbol will disappear
upon the next successful Add or Edit of a site or upon page refresh.
 246054 Fixed an issue in RiOS 9.0.0 and later where system service issues could lead to
symptoms such as database configuration switch errors like the following: "Config
change has not completed successfully". An additional symptom is the Secure Transport
service not starting properly. A condition that makes this failure more likely is a DNS
server being unreachable (such as a network failure). To work around this issue, switch
away from the configuration, and then switch back to the desired one. If the error
persists, restore DNS reachability and re-attempt the configuration switch.
 246073 Fixed an issue where optimized HTTP connections could fail due to the
interaction of HTTP Prefetch optimization, Outlook Anywhere optimization, and the use
of chunked encoding by the HTTP server. With this fix, the two optimizations now
interact correctly and client HTTP connections are no longer blocked.
 246124 Fixed an issue where the SNMP ifindex for wan6_1 could differ between an
upgraded and factory defaulted appliance. The index value, introduced in RiOS 9.1.1,
could be 109 or 114 depending on which version the appliance was upgraded from and
to, and whether a factory default was applied. The fix ensures that the index value is
109 in both the upgraded and factory default cases.
 246275 Fixed an issue where the optimization service could crash while processing an
SMB2 getinfo response from the server. This fix added checks to avoid accessing invalid
information that could cause the optimization service to crash.
 246865 Fixed an issue where, when a 10 Gigabit interface was configured to support
jumbo frames (MTU > 1500), the interface generated several pause frames. The
large number of pause frames caused Cisco switches to drop packets.

 246966 CVE-2015-7871: Crypto-NAK packets can be used to cause ntpd to accept time
from unauthenticated ephemeral symmetric peers by bypassing the authentication
required to mobilize peer associations

Details:
NTP has security vulnerabilities described in
http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner
Only CVE-2015-7871 is applicable:
Crypto-NAK packets can be used to cause ntpd to accept time from unauthenticated
ephemeral symmetric peers by bypassing the authentication required to mobilize peer
associations.
The following vulnerabilities are not applicable:
CVE-2015-7855
CVE-2015-7854
CVE-2015-7853
CVE-2015-7852
CVE-2015-7851
CVE-2015-7850
CVE-2015-7849
CVE-2015-7848
CVE-2015-7701
CVE-2015-7703
CVE-2015-7704, CVE-2015-7705
CVE-2015-7691, CVE-2015-7692, CVE-2015-7702

Fix:
Upgraded NTP to 4.2.8p4 to address the security vulnerabilities described in
http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner,
notably CVE-2015-7871.

Recommendation:
Upgrade to patched version if applicable.

 247050 CVE-2015-3238: An attacker able to supply large passwords to the unix_pam
module could use this flaw to enumerate valid user accounts or cause a denial of service
on the system.

Details:
The PAM module has been upgraded to fix the vulnerability caused by CVE-2015-3238,
where an attacker able to supply large passwords to the unix_pam module could use
this flaw to enumerate valid user accounts or cause a denial of service on the system.

Fix:
The PAM module in RiOS has been updated to a patched version to address the CVE.

Recommendation:
Upgrade to a patched version.
 247382 Fixed a problem in SteelHead SaaS backhauled deployment mode that could
cause a loss of connectivity on long-lived optimized SaaS connections. This issue can
happen if the SteelHead performing SteelHead SaaS redirection of optimized SaaS
connections has a high number of pass-through connections going through it. Under
such load the SteelHead might stop performing SteelHead SaaS UDP redirection of the
connection, leading to a loss of connectivity for those flows.
 247443 Fixed Datakeg error and warning messages related to the SCA component.
These messages did not affect appliance functionality.

Example messages:
Nov 4 01:36:53 csh datakeg[6085]: [datakeg_lib.ERROR] Error running
/sbin/sca_datakeg.py acshs: No such executable /sbin/sca_datakeg.py
Nov 4 01:36:53 csh datakeg[6085]: [datakeg.WARNING] Problem with collecting metric
sca.acshs.
 247489 Fixed an issue where, under certain specific scenarios, SteelHeads with 1
Gigabit add-on NICs might suffer higher packet-drop rates when using inbound QoS. This
fix provides better configuration support of inbound QoS to avoid such issues.
 247522 Fixed an issue where the optimization service crashed with Outlook Anywhere
enabled when a client did not have any more connections to the Exchange Server or
during client connect. During the tracking of Outlook Anywhere connections associated
with a client and server pair, a table would, at times, become corrupted. This fix corrects
the way RiOS does comparisons on this table.
 247560 Corrected an issue where the web inactivity timeout was not being honored in
the web UI. After this correction, web UI sessions will get logged out after the amount
of time specified by the user in the "web inactivity timeout" setting. To work around this
issue, the CLI command "web session timeout" can be used to enforce a timeout period.

 247748 Fixed an issue where the optimization service could crash when HTTP
optimization and Outlook-Anywhere auto-detection are both enabled and certain types
of unexpected HTTP traffic are processed. The RPCH HTTP header parsing state machine
would get into a state in which it was expecting headers but could not find any. This
change verifies that headers exist before trying to access them.
 247821 Fixed an issue where the CLI command "arp <ipaddr> <macaddr>" returned the
error "% The interface <ipaddress> does not exist." Instead, use the command
"interface <interface> arp <ipaddr> <macaddr>" to configure static arp entries.
 248345 Fixed an issue where the optimization service crashes. The fix adds logic to
correctly identify freed memory in the store.
 248606 OpenSSL prior to 1.0.2e or 1.0.1q has security vulnerabilities CVE-2015-3193,
CVE-2015-3194, CVE-2015-3195. These are moderate vulnerabilities described in
https://www.openssl.org/news/secadv/20151203.txt.

Details:
OpenSSL prior to 1.0.2e or 1.0.1q has security vulnerabilities CVE-2015-3193,
CVE-2015-3194, CVE-2015-3195. These are moderate vulnerabilities described in
https://www.openssl.org/news/secadv/20151203.txt.

Fix:
Upgraded OpenSSL to 1.0.2e or 1.0.1q to fix CVE-2015-3193, CVE-2015-3194,
CVE-2015-3195.

Recommendations:
Upgrade to a software version with this fix.
 248633 Fixed an issue that caused reverting to RiOS 9.0.1 or later to fail. This occurred
when an appliance's configuration database of a given name was deleted, and then later
another configuration of the same name was added. For some databases, only the
database for the current RiOS was deleted, while with others, all databases including
backed up versions for previous RiOS versions were deleted. On revert, those databases
where all previous versions were deleted could not properly revert, causing the image
revert to fail.
 248683 Fixed an issue in parsing HTTP packets within the SteelFlow WTL blade so that it
does not keep buffering data after encountering a NULL byte. This issue may be
accompanied by logs similar to "[pm.ERR]: Output from sport:
src/central_freelist.cc:480] tcmalloc: allocation failed 24576 ( 6 pages) for sizeclass 57
upto 4352". The issue may also result in Admission Control alerts and optimization
service process crashes.
 248790 Fixed an issue where the SteelHead 'config-save needed' flag may light up on
the SteelCentral Controller for SteelHead every 24 hours when it receives an update
from the Riverbed Cloud Portal and the SteelHead has the SteelHead SaaS/Cloud
Accelerator feature and GeoDNS optimization enabled.

 248870 Fixed an issue where /config became full after thousands of logins to the web UI
and CLI occurred. This caused a flash_error alarm to be raised and errors in the syslog,
indicating many system services were unable to start.
 249088 Fixed an issue where the CLI command "interface [interface] dhcp renew" did
not execute when DHCP was disabled and the system did not inform the user. The
behavior was changed to print an error message if this command is executed while
DHCP is disabled.
 249243 Fixed an issue so that users can now select parent classes when viewing traffic
reports for QoS.
 249269 CVE-2015-8000: bind denial of service by remote attacker via a malformed class
attribute.

Details:
CVE-2015-8000: A remote attacker can cause a denial of service in BIND via a malformed
class attribute. This impacts the SteelHead DNS cache feature. However, this feature is
disabled by default.

Fix:
Upgraded BIND named for the DNS cache feature to 9.9.8-P2 to fix CVE-2015-8000.

Recommendation:
Upgrade to a software version with this fix.
 249289 Fixed an issue to make sure that RiOS does not crash during shutdown when an
active splice requests domain information and the domain-auth config global has
already been destroyed.
 249472 Fixed an issue where the help documentation pages in the Management
Console could report a clickjack vulnerability during a Nessus scan of the appliance, even
though there was no risk to the Management Console. The HTTP headers that prevent
the clickjack vulnerability according to Nessus are now added to all pages, including
help documentation, instead of just the interactive pages.
 249764 Fixed an issue where self-signed SSL certificates were using RSA-SHA1 instead of
RSA-SHA512 with a key size of 2048 bits or higher. Support for SHA1 certificates is being
deprecated by web browsers, which eventually leads to them not accepting RSA-SHA1
certificates.
 249863 Fixed an issue where user identity might be reassigned by SharePoint
optimization. "Set-Cookie" headers were being saved and redistributed by
the SharePoint blade. These cookies may consist of user authentication credentials and
might cause a client to assume the identity of a prior user. This has been corrected so
credentials are not cached.
 249939 Fixed an issue where a configuration policy push from an SCC to a SteelHead
containing a large number of host or port labels caused the entire push to fail.

 250228 Fixed an issue where an authentication request to the ACS server failed if the
authentication policy required a remote IP address along with the username and
password.
 250249 CVE-2016-0777: An information leak (memory disclosure) in OpenSSH client
related to the roaming connection feature.

Details:
CVE-2016-0777: An information leak (memory disclosure) can be exploited by a rogue
SSH server to trick a client into leaking sensitive data from the client memory, such as
private keys.
CVE-2016-0778: A buffer overflow (leading to file descriptor leak), can also be exploited
by a rogue SSH server, but due to another bug in the code is possibly not exploitable,
and only under certain conditions (not the default configuration), when using
ProxyCommand, ForwardAgent, or ForwardX11.
Note: CVE-2016-0778 does not apply to Riverbed appliances, because the specified
configuration options are not used. Both vulnerabilities apply only to client use, not
server use.

Fix:
We have upgraded OpenSSH to 7.1p2 to fix the above vulnerabilities.

Recommendation:
Upgrade to a version with this fix. Otherwise, avoid using the "ssh slogin" command to
log in to untrusted servers.
 250484 Fixed an issue wherein clicking a connection type on the Current Connections
page of the Management Console would behave incorrectly on appliances not licensed
for Space Communications Protocol Specifications (SCPS) protocol.
 250562 Disabled a potential vulnerability where a user could visit a specific URL path in
the appliance's web user interface, and see some technical details about the web server
environment.
 250611 CVE-2015-8704 bind: specific APL data could trigger an INSIST in apl_42.c.

Details:
When the caching DNS server is enabled, it is vulnerable to a denial of service attack. A
remote authenticated attacker can cause the DNS server to exit by sending a malformed
Address Prefix List (APL) record.
CVE-2015-8705 is not applicable, as this applies to BIND 9.10.x, and the version currently
used on appliances is 9.9.x.

Fix:
BIND named has been upgraded to 9.9.8-P3.

Recommendation:
Upgrade to patched version if applicable.

 250951 CVE-2015-8138, CVE-2015-7973, and CVE-2015-7979: NTP security update.

Details:
NTP server before 4.2.8p6 has the following security vulnerabilities:
CVE-2015-8158: Potential Infinite Loop in ntpq
CVE-2015-8138: origin: Zero Origin Timestamp Bypass
CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast
mode
CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list
CVE-2015-7977: reslist NULL pointer dereference
CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames
CVE-2015-7975: nextvar() missing length check
CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between
authenticated peers
CVE-2015-7973: Deja Vu: Replay attack on authenticated broadcast mode
Of these, CVE-2015-8138, CVE-2015-7973, and CVE-2015-7979 are applicable.
CVE-2015-7973 and CVE-2015-7979 are only applicable when authenticated NTP is used.
More details of the CVEs can be found at
http://support.ntp.org/bin/view/Main/SecurityNotice

Fix:
We have upgraded the NTP server to 4.2.8p6 to fix these security vulnerabilities.

Recommendation:
Upgrade to a software version with the fix. If this is not possible, use multiple time
sources and avoid placing appliances on untrusted networks to minimize the
vulnerability to CVE-2015-8138.
 251033 Fixed an issue where accented or other special characters in Application names
or descriptions caused the Current Connections page to stop loading and display "Error
Building Table".
 251297 CVE-2016-0701: OpenSSL 1.0.2 through 1.0.2e is vulnerable to DH small
subgroups

Details:
OpenSSL 1.0.2 through 1.0.2e has vulnerability CVE-2016-0701, which is described at
https://www.openssl.org/news/secadv/20160128.txt
This vulnerability does not impact Riverbed appliances as no releases include the
vulnerable version of the OpenSSL 1.0.2 library.

Fix:
Upgraded OpenSSL to 1.0.2f to fix CVE-2016-0701 and CVE-2015-3197.

Recommendation:
No action required.

 251649 Fixed a problem that could lead to a crash if the SteelHead SaaS/Cloud
Accelerator and GeoDNS features are enabled under a high volume of GeoDNS
optimized SaaS Office 365 connections.
 251951 Fixed an issue so that certificates and signing requests generated on SteelHead
have been upgraded to use SHA-2 signature algorithm. Self-signed SSL certificates now
use RSA-SHA512 instead of RSA-SHA1 and must be at least 2048 bits. When SSL
certificates are displayed in the web or command-line interface, the SHA256 and SHA1
fingerprints are displayed.
 252258 Fixed an issue so that HTTP to HTTPS redirection always uses the same host
name in the HTTPS URL as given in the HTTP URL. Previously, HTTP to HTTPS redirection
used the short hostname in the HTTPS URL, regardless of whether the hostname in the
HTTP URL was a fully qualified domain name or an IP address. In some DNS
configurations, this resulted in the redirection failing.
 252446 CVE-2015-7547: buffer overflow in glibc getaddrinfo call for DNS lookups.

Details:
The GNU C library (glibc) had these vulnerabilities:
CVE-2015-7547: a buffer overflow in client DNS lookups (getaddrinfo) that might allow
malicious client connections from networks with malicious DNS servers to cause crashes
or other harmful effects in server software to which these clients connect. This might
affect servers (for example, SSH) that do DNS lookups on clients connecting to them.
Malicious client connections from networks with malicious DNS servers can create the
overflow conditions.
CVE-2015-5229: the calloc() function might return a pointer to memory that is not filled
with zero bytes.

Fix:
We have upgraded glibc to a version that fixes CVE-2015-7547 and CVE-2015-5229.

Recommendation:
Upgrade the software to a version with this fix. If this is not possible, avoid placing
appliances on networks exposed to untrusted DNS clients.
 252525 Fixed locking for the RPC_IN_DATA and RPC_OUT_DATA virtual connection
registry to prevent a condition that would lead RiOS to crash with Outlook Anywhere
enabled.
 253062 Fixed a problem where log errors such as "[mgmtd.ERR]:
lrs_get_csr_property_str(), rbtssl.c:3879, build (null): Unexpected NULL" were seen
when viewing the Secure Peering (SSL) web page.

 253260 OpenSSL 1.0.2g/1.0.1s security update including CVE-2016-0800 SSL/TLS: Cross-
protocol attack on TLS using SSLv2 (DROWN)

Details:
A cross-protocol attack was discovered that could lead to decryption of TLS sessions by
using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA
padding oracle. Note that traffic between clients and non-vulnerable servers can be
decrypted provided another server supporting SSLv2 and EXPORT ciphers (even with a
different protocol such as SMTP, IMAP or POP) shares the RSA keys of the
non-vulnerable server. This vulnerability is known as DROWN (CVE-2016-0800). This update
also includes patches for these lower priority CVEs: CVE-2016-0702, CVE-2016-0705,
CVE-2016-0797, CVE-2016-0798, and CVE-2016-0798.
For more details, see: https://www.openssl.org/news/secadv/20160301.txt and
https://www.openssl.org/news/vulnerabilities.html#y2016.
Note: SSLv2 is disabled on the appliances in the SteelHead and SteelFusion product line.
This vulnerability is not applicable. This includes the web interface and the optimization
service on the SteelHead appliance.

Fix:
OpenSSL upgraded to 1.0.2g or 1.0.1s where applicable. Note that the fix for
CVE-2016-0800 disables SSLv2 and "EXPORT" and "LOW" strength ciphers. See
https://www.openssl.org/news/secadv/20160301.txt.

Recommendation:
Upgrade the software to a version with this fix.
 253547 Fixed a software issue that caused model upgrades to fail. This fix fully restores
the model upgrade functionality.
 253563 Fixed an issue with client authentication where connections to a server might be
put into bypass mode when TLSv1.2 support is enabled, but server negotiates TLSv1 or
SSLv3. A code change was made to explicitly assure that for client authentication the
SteelHead must negotiate the same protocol version as the client and server.
 253661 Fixed an issue to prevent corrupting the server-side optimization service data
store page when SMB2 connection blacklisting is done. This fix applies only to when the
client negotiates SMB3.11 dialect.
 254168 Fixed an issue where a bug in RiOS version 9.1.2 caused high CPU usage by the
QoS process when using deep packet inspection for TLS traffic. This patch resolves this
issue.
 254783 Fixed an issue to handle parsing of invalid HTTP chunked payload data with
missing expected newline chars (CRLF). The fix puts the connection in bypass state instead.

 254970 CVE-2016-0787: libssh2 vulnerability which could cause less secure keys to be
generated for encrypted traffic.

Details:
libssh2 has CVE-2016-0787, which could cause less secure keys to be generated for
encrypted traffic.

Fix:
We have upgraded libssh2 to fix CVE-2016-0787.

Recommendation:
Upgrade the software to a version with this fix.
 255623 Fixed an issue where the HTTPS channel between the SteelCentral Controller
(SCC) and SteelHead (SH) does not establish. REST feature policy pushes such as hybrid
network, appstats, and web proxy will fail. The SCC appliance pages will show
SteelHeads as Disconnected/No HTTPS connections. The fix helps set up the HTTPS
channel between the SH and SCC and REST feature policy pushes will work correctly.
 257487 Fixed an issue in the SSL client authentication code to correct a missing SSLv3
initialization that was modified in the most recent OpenSSL upgrade. To work around
this problem, update to a RiOS version with the fix or disable SSL client authentication if
it is not necessary.
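
The failure mode behind fix 249863 (per-user "Set-Cookie" headers saved and redistributed by a shared cache), shown next to the corrected behaviour. This is an added illustration, not Riverbed code; the class names, URL and cookie values are constructed, and a URL-keyed cache is an assumption about how such a cache might be organised.

```python
from dataclasses import dataclass

# Response headers that carry one user's credentials and must never be
# replayed from a shared cache. Set-Cookie is the header named in the note.
PER_USER_HEADERS = frozenset({"set-cookie"})


@dataclass
class Response:
    status: int
    headers: list  # (name, value) pairs; Set-Cookie may repeat
    body: bytes

    def values(self, name):
        return [v for k, v in self.headers if k.lower() == name.lower()]


class Origin:
    """Constructed stand-in for the server: same body for everyone, plus a
    session cookie minted for whichever user made the request."""

    def __init__(self):
        self.hits = 0

    def fetch(self, url, user):
        self.hits += 1
        headers = [
            ("Content-Type", "image/png"),
            ("Set-Cookie", f"session=token-for-{user}; HttpOnly; Secure"),
        ]
        return Response(200, headers, b"constructed-body")


class SharedCache:
    """Cache shared by all clients behind the intermediary, keyed by URL."""

    def __init__(self, origin, strip_per_user_headers):
        self.origin = origin
        self.strip = strip_per_user_headers
        self.entries = {}

    def get(self, url, user):
        hit = self.entries.get(url)
        if hit is not None:
            # Served to whoever asks next, exactly as stored.
            return Response(hit.status, list(hit.headers), hit.body)
        fresh = self.origin.fetch(url, user)
        if self.strip:
            stored = [(k, v) for k, v in fresh.headers
                      if k.lower() not in PER_USER_HEADERS]
        else:
            stored = list(fresh.headers)  # flawed: keeps the requester's cookie
        self.entries[url] = Response(fresh.status, stored, fresh.body)
        # The user who triggered the fetch still receives their own cookie.
        return fresh


def second_user_view(strip_per_user_headers):
    """Return (cookies sent to alice, cookies sent to bob, origin fetches)."""
    cache = SharedCache(Origin(), strip_per_user_headers)
    url = "https://sharepoint.example/sites/team/logo.png"
    alice = cache.get(url, "alice")
    bob = cache.get(url, "bob")
    return alice.values("Set-Cookie"), bob.values("Set-Cookie"), cache.origin.hits


if __name__ == "__main__":
    for strip in (False, True):
        a, b, hits = second_user_view(strip)
        print(f"strip={strip}: alice={a} bob={b} origin_fetches={hits}")
```

In both modes the body is fetched from the origin only once; the difference is whether the second user is handed the first user's session cookie along with it.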

4) KNOWN ISSUES
 120109 With RADIUS authentication the "local-user" is not honored with multiple
Vendor Specific Attributes (VSA). Ensure that the Riverbed "local-user" Vendor Specific
Attribute (VSA) is the first attribute in any access-accept messages sent to a Riverbed
appliance.
 165137 SteelHead peer-version string might be displayed incorrectly in the Current
Connections page. No known workaround.

 198015 SteelHeads cannot be managed by the SteelCentral Controller for SteelHead
when requisite management channels are not established. SCC versions 9.0.0 and above
require two channels to the appliance: an SSH channel and an HTTPS channel. The
status of these channels can be viewed on the SteelHead terminal with the command:
show scc
A sample output of this command is shown below:
amnesiac > show scc
Auto-registration: Enabled
HTTPS connection (to the CMC):
Status: Connected
Hostname: bravo-sh378
SSH connection (from the CMC):
Status: Connected
Hostname: bravo-sh378 (10.5.39.87)
When the hosts for the HTTPS and SSH connections are different, or the channels do
not both have "Connected" status, the appliance cannot be fully managed by the SCC.
To connect a SteelHead to the SCC, use the command:
scc hostname <hostname>
in configure mode to establish the connections. If both
connections show "Connected" to two different SCCs, remove the appliance
from the Manage -> Appliances page on the incorrect SCC and update the
appliance username and password on the correct SCC. If the SCC hostname was never
configured on the appliance, the appliance will try to connect to the host riverbedcmc.
Make sure to update your DNS to point the hostname riverbedcmc to the correct
SCC that is managing the appliance.
 204196 Switching configuration files while the system collects a sysdump for a process
crash fails. Ensure that the system is in a stable state, and not collecting sysdumps,
before attempting to switch configuration files.
 218352 Class names can change during migration. Reselect the desired classes using
their post-migration names.
 225148 Importing a configuration fails if user password contains an "at" sign (@). Avoid
using the at-sign (@) in passwords.
 229980 Web Proxy ignores transparency options on the applicable in-path rule. No
workaround is available. You should be aware that transparency options do not apply to
traffic optimized by Web Proxy.
 238175 For connections optimized by Web Proxy the Current Connections report always
shows "W" for Connection Type. Open the connection detail, which shows the correct
icon.
 238497 Menu commands are hidden, not disabled, for monitor users. No workaround.
 238599 Current Connections report incorrectly shows that path selection occurs when
the SteelHead is in an Interceptor cluster. The report will show correct information once
channels are configured but will continue to show erroneous Path Selection information
as long as they are not.

 239385 MAPI transparent prepopulation max connection value resets to the default
value upon upgrade. After upgrading, reconfigure to the desired value.
 247441 Pages display a "Page Load Error" intermittently during a policy push from the
SCC. The situation will clear itself once the push is complete.
 247807 Connection pooling when used with traffic-aware probing backoff (path
selection) can lead to suboptimal results. Disable connection pooling if using the
traffic-aware backoff feature.
 248582 Replaced SteelHead through RMA requires manual reconnection to SCC.
SteelHead needs to be reconnected from SCC with new serial number.
 253384 Current Connections report may not display detailed information for some
connections optimized by Web Proxy. A workaround isn't currently known, but most
information on a Web Proxy connection is already in the table row.
 253415 When performing fetch operations for the SteelFusion Edge appliance from SCC,
an "UNKNOWN_COMP.ERR" error might be displayed. No workarounds exist. When
performing fetch operations for the SteelFusion Edge appliance from the SteelCentral
Controller (SCC), an "UNKNOWN_COMP.ERR" error might be displayed. You can ignore
this error; the fetch operation is still successful even though this error is displayed.
 253725 TCP Dump snap-length setting of 0 does not result in the expected 64 KB. In the
SteelHead Management Console when you start a TCP Dump with the snap-length set to
0, this results in a 16 KB snap-length instead of the expected 64 KB. To obtain a 64 KB
snap-length, enter 65535 in the Custom field for snap-length.
 254093 When making configuration changes, the system log might include an error
message such as [pm.ERR]: Output from yarder_rbt: IOError: unexpected end of file
while reading request at position x. No workarounds exist. This does not have any
impact on functionality.
 254279 SCC push failure can result in a service restart message on SteelHead. Disregard
the service restart request.
 254549 Pass-through traffic does not reflect DSCP marking from QoS rule. Workaround:
None.
 254625 Filtering large numbers of connections on the Current Connections page causes
error messages such as "Broken Pipe" or "Failed to flush CGI output to client". No
workarounds exist.
 254647 Citrix Auto-Negotiate Multi-Stream ICA connections are not classified for QoS in
certain configurations. Turn on small packets optimization with the CLI command
'protocol citrix smallpkts enable'. QoS classification will work for both ICA and CGP
connections. If only ICA is used, then the CLI command 'protocol citrix cdm enable' will
work as well.
 255099 Time exceeded message displays when REST process starts up. No workaround
exists. These are INFO-level logging messages and can be ignored. This can happen on
low-end boxes/virtual boxes and when the device is under CPU load.

 255865 "sport listen-backlog" CLI command is not working correctly. No workarounds
exist.
 258171 Entering commands immediately after the appliance has booted results in "No
route to service" errors. These errors indicate that a service isn't yet ready to respond.
The command should run successfully after a few seconds.
 258439 First hybrid networking push after upgrading from the SteelCentral Controller
(SCC) 9.0 to 9.2 can be disruptive to existing path selection connections.
Install 9.2 but do not reboot.
Push CLI config from SCC with these options:
Disable PS
Disable QoS
write mem
reboot into 9.2

CLI commands for the same:


no qos outbound shaping enable
no qos inbound shaping enable
no qos dscp-marking en
 258440 First hybrid networking push after upgrading from the SteelCentral Controller
(SCC) 9.0 to 9.2 can be disruptive to existing path selection connections.
Install 9.2 but do not reboot.
Push CLI config from SCC with these options:
Disable PS
Disable QoS
write mem
reboot into 9.2

CLI commands for the same:


no qos outbound shaping enable
no qos inbound shaping enable
no qos dscp-marking en
 264708 After upgrading from 9.1.3 to 9.1.3a, backup operations of the SteelHead from
the SCC can fail up to 7 days after the upgrade. As a workaround, restarting the "rgpd"
process on the SteelHead will allow the SCC to receive an unexpired login authentication
token. This can be done manually on the SteelHead via the command "pm process rgpd
restart". This can also be done remotely on the SCC using the "Send Commands"
functionality on the Appliances website when no policy push or upgrade operations are
in progress. Any tokens generated in 9.1.3 with expirations are first used by the system,
before generating fresh ones with no expiration. This means that SCC backups can
continue to fail during the first 7 days of running 9.1.3a. After 7 days any tokens from
9.1.3 will have all expired.
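
A check for known issue 198015, applied to saved "show scc" output: both channels must report "Connected" and both must name the same SCC host. This is an added example, not a Riverbed tool; the first sample is the output quoted in that entry, while the other samples, including the "Disconnected" status string, are constructed assumptions.

```python
import re

# Output quoted in the release notes for issue 198015.
SAMPLE_OK = """\
amnesiac > show scc
Auto-registration: Enabled
HTTPS connection (to the CMC):
Status: Connected
Hostname: bravo-sh378
SSH connection (from the CMC):
Status: Connected
Hostname: bravo-sh378 (10.5.39.87)
"""

# Constructed: both channels up, but terminating on two different SCCs.
SAMPLE_SPLIT = """\
Auto-registration: Enabled
HTTPS connection (to the CMC):
Status: Connected
Hostname: scc-a
SSH connection (from the CMC):
Status: Connected
Hostname: scc-b (192.0.2.10)
"""

# Constructed: HTTPS channel down (the status string is an assumption).
SAMPLE_DOWN = SAMPLE_OK.replace("Status: Connected", "Status: Disconnected", 1)

SECTION_RE = re.compile(r"^(HTTPS|SSH) connection \((?:to|from) the CMC\):$")
FIELD_RE = re.compile(r"^(Status|Hostname):\s*(.*)$")


def parse_show_scc(text):
    """Return {"HTTPS": {...}, "SSH": {...}} with Status and Hostname fields."""
    channels = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            current = channels.setdefault(section.group(1), {})
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            key, value = field.group(1), field.group(2).strip()
            if key == "Hostname":
                # Drop a trailing "(ip address)" annotation and compare
                # host names case-insensitively.
                value = re.sub(r"\s*\(.*\)$", "", value).lower()
            current[key] = value
    return channels


def scc_management_findings(text):
    """List the reasons the appliance cannot be fully managed; empty if none."""
    channels = parse_show_scc(text)
    findings = []
    for name in ("HTTPS", "SSH"):
        channel = channels.get(name)
        if channel is None:
            findings.append(f"{name} channel not reported")
        elif channel.get("Status") != "Connected":
            status = channel.get("Status", "missing")
            findings.append(f"{name} channel status is {status!r}, expected 'Connected'")
    https_host = channels.get("HTTPS", {}).get("Hostname")
    ssh_host = channels.get("SSH", {}).get("Hostname")
    if https_host and ssh_host and https_host != ssh_host:
        findings.append(
            f"channels point at different SCC hosts: HTTPS={https_host}, SSH={ssh_host}"
        )
    return findings


if __name__ == "__main__":
    samples = (("ok", SAMPLE_OK), ("split", SAMPLE_SPLIT), ("down", SAMPLE_DOWN))
    for label, sample in samples:
        print(label, scc_management_findings(sample) or "fully managed")
```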

5) UPGRADING THE RIOS SOFTWARE VERSION
UPGRADING ALERT
 9.2.0 Upgrade, Path Selection and QoS: Operators must disable path selection and QoS
in SteelHead 9.0.x or SteelHead 9.1.x prior to rebooting into SteelHead 9.2.0, which uses
new path identifiers. Please refer to Knowledge Base article S28250 for detailed
instructions. Failure to follow this process can block pre-existing connections and
render the SteelHead unreachable after the first SCC 9.2.0 Path Selection policy push.
 Path Selection: Upon upgrading a SteelHead from RiOS version 8.6.x or earlier to 9.0.0
and later, existing path selection rules are not automatically migrated. Please refer to
Knowledge Base article S25533 for details.
 QoS: RiOS version 9.0.0 and later uses a completely new QoS management and syntax
compared to RiOS version 8.6.x and earlier. Please refer to Knowledge Base article
S25532 for details prior to upgrading to RiOS version 9.0.0 and later.

Review the SteelHead CX Installation and Configuration Guide for information on upgrading
the RiOS software version on SteelHead appliances. For Virtual SteelHeads, see the Virtual
SteelHead CX Installation Guide. If running Cloud SteelHeads, see the Riverbed Cloud
Services User's Guide.

6) STEELCENTRAL CONTROLLER FOR STEELHEAD (SCC) COMPATIBILITY
If you use SteelCentral Controller for SteelHead (SCC) to manage your appliances, you must
upgrade SCC to a specific version before you upgrade your appliances to this software
version. Failure to do so will prevent communication between SCC and your appliances. See
Knowledge Base Article S27759 for complete details.

SCC was formerly known as Central Management Console (CMC). Review the SteelHead CX
Installation and Configuration Guide for information on SCC compatibility.

7) HARDWARE AND SOFTWARE DEPENDENCIES


Review the SteelHead CX Installation and Configuration Guide for information on hardware
and software dependencies. For Virtual SteelHeads, see the Virtual SteelHead CX Installation
Guide. If running Cloud SteelHeads, see the Riverbed Cloud Services User's Guide.

8) CONTACTING RIVERBED SUPPORT


Visit the Riverbed Support site to download software updates and documentation, browse
our library of Knowledge Base articles and manage your account. To open a support case,
choose one of the options below.

Phone
Riverbed provides phone support at 1-888-RVBD-TAC (1-888-782-3822). Outside the U.S. dial
+1 415 247 7381.
Online
You can also submit a support case online.
Email
Send email to support@riverbed.com. A member of the support team will reply as quickly as
possible.

©2016 Riverbed Technology. All rights reserved. Riverbed and any Riverbed product or service name or logo
used herein are trademarks of Riverbed Technology. All other trademarks used herein belong to their
respective owners. The trademarks and logos displayed herein may not be used without the prior written
consent of Riverbed Technology or their respective owners.
