1999/10/7 (revised 10/11)

ComOS 3.9b22 Open Beta Release Note

________________ Introduction

The new Lucent Technologies ComOS(R) 3.9b22 software release is now
available for open beta for the PortMaster(R) 3 Integrated Access
Server. This open beta release is provided at no charge to all Lucent
customers, but is recommended only for customers who wish to test the
new functionality before the general availability (GA) release of
ComOS 3.9. Command syntax for new commands might change between this
open beta release and the general availability release of ComOS 3.9.

This release note documents commands and features added between ComOS
3.9b12 and ComOS 3.9b22 on the PortMaster 3. The modem code in ComOS
3.9b22 is an upgrade to the modem code included in ComOS 3.9b12 for the
PortMaster 3. This release note applies only to the PortMaster 3.

Before upgrading, thoroughly read "Limitations" and "Upgrade
Instructions."

WARNING! The amount of nonvolatile RAM (NVRAM) available for saving
configurations has been reduced from 128KB to 64KB. PortMaster products
with configurations greater than 64KB will lose some of their
configuration. For this reason, be sure to back up your PortMaster
configuration before upgrading to this release.

WARNING! The PortMaster 3 must be running ComOS 3.5 or later to upgrade
to ComOS 3.9b22. If you are running an earlier release of ComOS,
upgrade to ComOS 3.5 first, reboot, then upgrade to ComOS 3.9b22.

NOTE: Any PortMaster running ComOS 3.9b22 requires 4MB of dynamic RAM
(DRAM). Use 16MB if you are running the Border Gateway Protocol (BGP).

_______________ Export Restrictions

Although this open beta release of ComOS 3.9b22 is available to any
Lucent customer worldwide, it does not include support for the Data
Encryption System (DES) and Triple DES (3DES) encryption methods.
However, the Authentication Header (AH) RSA Data Security, Inc.
MD5 Message-Digest Algorithm (MD5) authentication feature of the IPSec
encryption ("coprocessor") card is available worldwide and is included
in ComOS 3.9b22.

Because of export restrictions, the DES and 3DES features for ComOS
3.9b22 will be handled on a case-by-case basis outside the standard
beta release process. Any US-owned or Canadian-owned company wishing to
participate in the beta release of this feature must call Cary Hayward
at 1-925-730-2637.

The restricted release ComOS 3.9b22enc168, which supports DES and 3DES,
is available in open beta form to Lucent customers in the United States
and Canada. To use DES or 3DES for encrypting data payloads, you must
install the IPSec ("coprocessor") card (PM3-VPN).

Versions of ComOS 3.9 supporting DES and 3DES on the IPSec encryption
card will be made available to customers in other countries as export
licensing permits. Licensing approval is being sought at this time.

For more information, see the sections "IP Security(IPSec)" and
"Coprocessor Card for PortMaster 3" in the ComOS 3.9b8 release note.

_______________ Contents

Introduction
Export Restrictions
New Features
Bugs Fixed in ComOS 3.9b22
Limitations
Troubleshooting Modems
Upgrade Instructions
Technical Support

_______________ New Features

This release includes two new features, which are explained in the
following text:

* RADIUS Authentication failover
* RADIUS Accounting failover

_____RADIUS Authentication Failover

This feature is supported for the PortMaster 3 in ComOS 3.9b20 and
later releases.

Authentication failover allows the PortMaster to dynamically switch
primary and alternate RADIUS authentication servers according to their
response. Use the following commands:

        set authentication interval Seconds
        set authentication failover on | off

The first command sets the response interval. The PortMaster sends a
RADIUS access-request packet every "interval" number of seconds.
If no response is received from the primary RADIUS server, the
PortMaster switches or "fails over" to the secondary authentication
server. The secondary RADIUS server then is treated as the primary, and
is marked with an asterisk (*) in "show global" output.

        set authentication interval Seconds

        Seconds   A value between 1 and 255. The number of seconds that
                  must elapse between RADIUS access-request
                  retransmissions if the PortMaster receives no
                  response. The default is 3 seconds, and 0 resets the
                  value to the default.

If the primary server does not respond, failover occurs after two times
the Seconds value. For example, if "set authentication interval 6" is
used, failover occurs in 12 seconds.

The second command enables the failover feature on the PortMaster 3:

        set authentication failover on | off

        on        If the primary server fails to respond three times in
                  a row, the PortMaster sends the packet to both the
                  primary and secondary servers for the next seven
                  retransmissions. If the secondary server replies
                  before the primary server, the PortMaster switches
                  the primary and secondary servers. Then on the next
                  login attempt, the PortMaster tries the secondary
                  server first. If the secondary server fails to
                  respond three times in a row, the PortMaster sends
                  the packet to both servers and designates the server
                  that replies first as the new primary server.

        off       The PortMaster 3 always tries the primary server
                  first, same as the current behavior. This is the
                  default.

_____RADIUS Accounting Failover

This feature is new to the PortMaster 3 in ComOS 3.9b22.

The PortMaster attempts to send each RADIUS accounting packet every
"interval" seconds, and sends it the "count" number of times before
giving up. If an acknowledgement is received from the RADIUS accounting
server, the PortMaster no longer tries to resend the accounting packet.
If no acknowledgment is sent from the primary server in response to the
first packet, the PortMaster sends the packet to both the primary and
secondary RADIUS accounting servers.

        set accounting count Number
        set accounting interval Seconds

        Number    A decimal number between 1 and 99. The number of
                  times the PortMaster sends a RADIUS accounting packet
                  without acknowledgement from a RADIUS server.

        Seconds   A decimal number between 1 and 255. The number of
                  seconds that must elapse between RADIUS accounting
                  packet retransmissions if not acknowledged by the
                  accounting server. The default is 30 seconds.

Use the "show global" command to view the Accounting Count and the
Accounting Interval settings.

Examples:

        Command> set accounting count 45
        Accounting retry count changed from 23 to 45

        Command> set accounting interval 60
        Accounting retry interval changed from 30 to 60 sec

_______________ Bugs Fixed in ComOS 3.9b22

* The "set maximum pmconsole" command now takes effect immediately.
  Previously, active connections on port 1643 had to be reset before
  changes would take effect.

* Output for the "set debug ?" command has been enhanced.

* The command "set user protocol ppp" no longer deletes the
  Point-to-Point Protocol (PPP) asynchronous map.

* A RADIUS Login-User with the telnet login service no longer generates
  a Framed-User start record erroneously.

* The AH and Encapsulating Security Payload (ESP) protocols now work
  together.

* An administrative reset of a Layer 2 Tunneling Protocol (L2TP)
  session now generates only one stop record instead of two.

* Accounting records for a RADIUS Administrative-User logging in to
  port S0 now show the correct service type.

* Administrative logins logged to syslog no longer have the password
  sent in clear text.

* Modem code fixes:

  - 3Com modem connections are now more reliable.

  - U.S. Robotics (USR) Telepath V.34 modems can now establish Link
    Access Procedure for Modems (LAPM) error correction.
    Previously under certain conditions, the modem was choosing too
    high a connection rate and was unable to establish LAPM error
    correction. The modem code now detects these conditions and forces
    the connection speed down by one rate to allow LAPM to be
    negotiated.

  - For modems with Rockwell Semiconductor Systems (RSS) K56flex
    chipsets, fast rate changes now work properly. Previously, a
    retrain was forced after a rate change. (RSS is now Conexant
    Systems Inc.)

  - For all modems, retrain detection has been improved to prevent some
    client disconnections.

  - In the presence of LAPM retransmission errors, the modem code
    retrains to allow the link to adjust to a lower speed and improve
    throughput.

  - The modem code now suspends LAPM transactions during any rate
    changes or retrains and thereby eliminates some connection
    failures, connections without error control, and some
    disconnections.

* The authentication packet sent for telnet logins now reports the
  correct user type to the access log. Previously, the authentication
  packet erroneously reported a user type of Outbound-User.

* Startup and shutdown accounting packets are now resent like other
  accounting packets.

* When the PortMaster 3 receives an incoming V.110 setup request, it
  now returns the message "Cause 88 Incompatible Destination".
  Previously, the message "Release Complete with the Cause 17 User
  Busy" was erroneously returned.

* The "show session" command no longer returns garbage characters at
  the end of a 12-character location name.

* When the call-check feature has been enabled ("set call-check on"),
  callback users specified through RADIUS are now authenticated.

* If a RADIUS menu user fails over a telnet connection, an
  administrative user is now allowed to telnet in. Previously, the
  administrative user was rejected until the PortMaster 3 was rebooted.

* RADIUS accounting records for the L2TP access concentrator (LAC) now
  include the Tunnel-Server-Endpoint information.
  This information was not provided in previous releases.

* When routing is disabled on a WAN port, the port status now reflects
  this condition.

* BGP summarization settings that are configured with the "set bgp
  summarization" command are now saved after you enter "save all" and
  "reset bgp." Previously, only settings configured with the "add bgp
  summarization" command were saved.

* Subnets included as part of an OSPF area range are now advertised as
  internal OSPF routes. If not included as part of the range, they are
  advertised as OSPF/E2 or external routes. In previous releases, the
  PortMaster 3 advertised routes this way when they were part of an
  assigned address pool, but not if they were subnets used to assign
  static IP addresses.

* OSPF configuration information is now saved during an upgrade from
  ComOS 3.7 to ComOS 3.9.

_______________ Limitations

* The PortMaster 3 must be running ComOS 3.5 or later to upgrade to
  ComOS 3.9b22. If you are running an earlier release of ComOS, upgrade
  to ComOS 3.5 first, reboot, then upgrade to ComOS 3.9b22.

* Lucent is still fixing some problems with Rockwell HCF and Cirrus
  Logic modems. If you experience any difficulties with modems, verify
  that the client modem is running the latest firmware, and then refer
  to http://www.livingston.com/tech/bulletin/comos-modem.html. If these
  instructions do not help, contact Lucent NetCare(R) technical
  support.

* An L2TP network server (LNS) can support only 94 L2TP sessions in
  this release.

* Support for the obsolete "True Digital V.34 Card" (MDM-PM3-8 and
  MDM-PM3-10) has been removed from this release, except for support of
  the V.110 protocol. The "True Digital 56K Card" (MDM-56K-8 and
  MDM-56K-10) is still supported.

* Downgrading a PortMaster 3 from ComOS 3.9b22 to a previous release
  requires two successful downgrades. After the first successful
  downgrade the PortMaster is operational, but without system messages.
  The second downgrade applies the system messages.
* The PortMaster 3 can support either the Stac compression card or the
  IPSec encryption ("coprocessor") card, but not both. Both cards use
  the same interface on the PortMaster 3 motherboard.

* Neither the Internet Key Exchange (IKE) protocol nor the Internet
  Security Association Key Management Protocol (ISAKMP) is supported in
  this release.

* IPSec passive profiles are not supported in this release.

* The network address translator (NAT) and IPSec cannot be configured
  to work together on the same port in this release.

* This release does not support mixing of non-facility associated
  signaling (NFAS) and non-NFAS ISDN Primary Rate Interfaces (PRIs) in
  the same chassis. If one line is used for NFAS, the other line must
  be used for NFAS or left empty.

* NFAS operates only on National ISDN-2 (NI-2) switch types.

* Configuring NFAS settings on a line that is not configured for ISDN
  or is unable to perform ISDN functions makes the line behave
  strangely.

* When you are using NFAS and a problem occurs on the physical PRI line
  with the D channel, the line sometimes does not return to service
  until you reset the D channel.

* When a PortMaster running NFAS is rebooted, you must sometimes reset
  the D channel to return the PRI to service.

* You must NOT downgrade from ComOS 3.9b10 to any other ComOS 3.9
  version without first disabling IPX and OSPF. To do so, enter the
  following commands:

        set ospf disable
        set ipx off
        save all
        reboot

* Downgrading from ComOS 3.9b10 to ComOS 3.5 might change the Ether0 IP
  address.

* You cannot use Inverse Address Resolution Protocol (ARP) on a Frame
  Relay interface with subinterfaces. The primary Frame Relay interface
  does not automatically map IP addresses to data link connection
  identifiers (DLCIs). When you enter a "show arp frm1" command, no ARP
  tables appear, and the PortMaster cannot ping across the Frame Relay
  cloud.

* Inbound NAT maps are restricted to static address maps and/or static
  TCP/UDP port maps only.
  Outbound NAT maps do not have this limitation.

* A ComOS online help file is not included. The "help" command is not
  supported.

_______________ Troubleshooting Modems

As part of modem troubleshooting, confirm that the client modem is
running the latest firmware before submitting a modem trouble report.

When making a report of a new modem problem, send the following
information to Lucent NetCare technical support:

* ComOS version
* Client modem manufacturer
* Client modem model
* Results on the client modem of commands ATI0 through ATI11
* Whether the problem is reproducible

Lucent might want to monitor your PortMaster while the client modem
reproduces the problem.

_______________ Upgrade Instructions

You can upgrade your PortMaster 3 using PMVision 1.6 or later, or
pmupgrade 4.0 or later from PMTools. Alternatively, you can upgrade
using the older programs pminstall 3.5.3, PMconsole 3.5.3, or PMconsole
for Windows 3.5.1.4, or later releases. You can also upgrade using TFTP
with the "tftp get comos" command from the PortMaster command line
interface.

See ftp://ftp.livingston.com/pub/le/software/java/pmvision17.txt for
installation instructions for PMVision 1.7.

*** CAUTION! If the upgrade fails, do NOT reboot! Contact
*** Lucent NetCare technical support without rebooting.

The upgrade process on the PortMaster 3 erases the configuration area
from nonvolatile memory and saves the current configuration into
nonvolatile memory. Never interrupt the upgrade process, or loss of
configuration information can result.

WARNING! The amount of NVRAM available for saving configurations has
been reduced from 128KB to 64KB. PortMaster products with
configurations greater than 64KB will lose some of their configuration.
For this reason, be sure to back up your PortMaster configuration
before upgrading to this release. You can check the amount of memory
used for your configuration with the "show files" command. Ignore any
files that also include an uncompressed size.

WARNING!
The PortMaster 3 must be running ComOS 3.5 or later to upgrade to ComOS
3.9b22. If you are running an earlier release of ComOS, upgrade to
ComOS 3.5 first, reboot, then upgrade to ComOS 3.9b22.

IMPORTANT: Any PortMaster running ComOS 3.9b22 requires 4MB of RAM. If
you are running BGP, 16MB of RAM is required.

The installation software can be retrieved by FTP from
ftp://ftp.livingston.com/pub/le/software/, and the upgrade image can be
found at ftp://ftp.livingston.com/pub/le/upgrades:

ComOS       Upgrade Image   Product
_________   _____________   _____________________________________
3.9b22      pm3_3.9b22      PortMaster 3

________________________________________________________________________

Copyright and Trademarks

Copyright 1999 Lucent Technologies. All rights reserved.

PortMaster, ComOS, ChoiceNet, and NetCare are registered trademarks of
Lucent Technologies. PMVision, IRX, and PortAuthority are trademarks of
Lucent Technologies. PolicyFlow is a service mark of Lucent
Technologies. All other marks are the property of their respective
owners.

Notices

Lucent Technologies makes no representations or warranties with respect
to the contents or use of this publication, and specifically disclaims
any express or implied warranties of merchantability or fitness for any
particular purpose. Further, Lucent Technologies reserves the right to
revise this publication and to make changes to its content, any time,
without obligation to notify any person or entity of such revisions or
changes.

Contacting Lucent NetCare Technical Support

Lucent NetCare Professional Services provides PortMaster technical
support via voice or electronic mail, or through the World Wide Web at
http://www.livingston.com/. Specify that you are running ComOS 3.9b22
when reporting problems with this release.

Internet service providers (ISPs) and other end users in Europe, the
Middle East, Africa, India, and Pakistan should contact their
authorized Lucent sales channel partner for technical support; see
http://www.livingston.com/International/EMEA/distributors.html.

For North America, the Caribbean and Latin America (CALA), and Asia
Pacific customers, technical support is available Monday through Friday
from 7 a.m. to 5 p.m. U.S. Pacific Time (GMT -8). Dial 1-800-458-9966
within the United States (including Alaska and Hawaii), Canada, and
CALA, or 1-925-737-2100 from elsewhere, for voice support. Otherwise,
send email to support@livingston.com (asia-support@livingston.com for
Asia Pacific customers).
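
Added example, not part of the Lucent release note and not ComOS code:
a small Python model of the server selection described under "RADIUS
Authentication Failover" with failover set to on. The Server and Nas
classes, the drop counts and the latencies are constructed for
illustration, and "replies first" is modelled as the lower latency.

```python
from dataclasses import dataclass

SOLO_TRIES = 3    # unanswered sends to the current primary before fan-out (release note)
FANOUT_TRIES = 7  # further retransmissions sent to both servers (release note)


@dataclass
class Server:
    name: str
    drops: int = 0         # constructed: number of requests this server ignores first
    latency: float = 0.05  # constructed: reply delay, assumed shorter than the interval

    def answers(self):
        """Consume one request; return True if the server replies to it."""
        if self.drops > 0:
            self.drops -= 1
            return False
        return True


class Nas:
    """Hypothetical model of a PortMaster with 'set authentication failover on'."""

    def __init__(self, primary, secondary):
        self.primary, self.secondary = primary, secondary

    def login(self):
        """Run one access-request; return (answering server name or None, sends used)."""
        for attempt in range(1, SOLO_TRIES + FANOUT_TRIES + 1):
            targets = [self.primary]
            if attempt > SOLO_TRIES:          # primary missed three in a row
                targets.append(self.secondary)
            repliers = [s for s in targets if s.answers()]
            if repliers:
                winner = min(repliers, key=lambda s: s.latency)
                if winner is self.secondary:  # secondary replied first: swap roles
                    self.primary, self.secondary = self.secondary, self.primary
                return winner.name, attempt
        return None, SOLO_TRIES + FANOUT_TRIES  # nobody answered: login fails


def demo():
    """Constructed scenario: server A ignores its first 5 requests, B is healthy."""
    nas = Nas(Server("A", drops=5), Server("B"))
    first = nas.login()    # A misses 3 solo sends, B wins the first fan-out send
    second = nas.login()   # B is now tried first and answers immediately
    return first, second, nas.primary.name
```

In the constructed scenario the first login costs four transmissions
and later logins go straight to the promoted server; a primary that
recovers during fan-out and answers faster keeps its role.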