Cisco SSL Appliance 1500 Installation Guide
Release Notes for Sourcefire SSL Appliances SSL1500, SSL2000, and SSL8200 v3.7.3
Known Issues
• A half-duplex connection is negotiated if the SSL Appliance is connected to a 1000 Mbps port that is forced to operate at 100 Mbps. A full-duplex connection is negotiated if it is connected to a 100 Mbps port or to a 1000 Mbps port running at full speed.
• DER-formatted keys and certificates cannot be used as the web UI certificate and key.
• The SSL Appliance may sporadically fail to send the ClientHello messages of cut-through flows to the attached appliance.
• The Replace Certificate and Key rule action is not supported for SSL flows that use ECDSA authentication.
• TCP connections with a small receive window may fail when a large amount of data is added to the flow.
• SSL sessions to the ThreatPulse service may occasionally be rejected because of cryptographic operation errors.
• Maximum throughput of UDP traffic is reduced when only a small number of UDP flows is used.
• SSL Inspection is not supported for SSL flows that use some experimental TLS protocol extensions. Refer to the Important Information section for details.
• The SSL8200 model of the SSL Appliance attempts to boot from a USB stick if one is inserted into the front USB port.
• Deactivating an Active Inline segment may cause some packets to be received and re-transmitted on the device ports in an endless loop. Workaround: unplug and re-insert the cable on the deactivated segment.
• DER-encoded PKCS#8 keys cannot be imported into the PKI store.
• The SSL Appliance cannot process SSL renegotiation on inspected SSL flows and terminates such flows. Cut-through policy rules must be used for such flows to prevent them from being terminated.
• A policy activation failure on a single segment causes policy activation to fail on all other segments. Policy errors in rulesets that are not used by any active segment also prevent policy activation.
• The default list of external certificate authorities includes CA certificates signed using the deprecated MD5 hash algorithm.
• Timestamps in remote system log entries have one-second resolution and do not include fractions of a second.
• SSL error counts and invalid certificate information are cleared when the appliance policy is reactivated.
• All platform configuration changes require a reboot of the SSL Appliance to take effect.
• The SSL session log may show sessions with harmless Alert[C]: unknown (0) error messages.
• The SSL Appliance does not correctly match policy rules to SSL flows whose server certificate contains non-ASCII characters in the Subject or Issuer fields.
• Disabling a Remote Logging entry causes the options configured in the entry to be lost.
• The command line diagnostic interface cannot be used during the bootstrap phase to set the IP configuration of the management network interface. Use the front panel LCD instead.
• System log files are rotated once per day regardless of file size and are only removed after a month.
• SNMP traps for link loss may not be generated if the link recovers within 30 seconds.
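Two of the issues above are things an operator can check for before touching the appliance: DER-encoded keys and certificates are rejected by the web UI and by the PKI store (so they have to be re-wrapped as PEM), and the default external CA list contains MD5-signed CA certificates. The following is an added example, not code from the release notes or from the Cisco/Sourcefire product; it uses only the Python standard library. `der_to_pem()` sniffs a DER blob (certificate, PKCS#8 key or PKCS#1 RSA key) and wraps it with the matching PEM label, and `md5_signed_certs()` walks a PEM bundle and reports every certificate whose outer signatureAlgorithm is MD5-based. The assumption is that the appliance accepts standard PEM armour for the converted objects; the sample DER blobs are constructed by hand for the example and are not real keys or certificates.

```python
import base64
import re

# DER content bytes of the MD5-based signature algorithm OIDs.
MD5_SIG_OIDS = {
    bytes.fromhex("2a864886f70d010104"): "md5WithRSAEncryption",  # 1.2.840.113549.1.1.4
    bytes.fromhex("2b0e03020103"): "md5WithRSA",                   # 1.3.14.3.2.3
}


def der_tlv(buf, pos=0):
    """Read one DER tag-length-value at `pos`; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(seq_value):
    """Yield (tag, value) for each element inside a SEQUENCE's content bytes."""
    pos = 0
    while pos < len(seq_value):
        tag, value, pos = der_tlv(seq_value, pos)
        yield tag, value


def der_object_type(der):
    """Classify a DER blob by its first inner elements:
    CERTIFICATE    = SEQUENCE { tbsCertificate SEQUENCE, ... }
    PRIVATE KEY    = PKCS#8:  SEQUENCE { INTEGER version, SEQUENCE algorithm, ... }
    RSA PRIVATE KEY= PKCS#1:  SEQUENCE { INTEGER version, INTEGER modulus, ... }"""
    tag, body, _ = der_tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    inner = [t for t, _ in der_children(body)]
    if inner[:1] == [0x30]:
        return "CERTIFICATE"
    if inner[:2] == [0x02, 0x30]:
        return "PRIVATE KEY"
    if inner[:2] == [0x02, 0x02]:
        return "RSA PRIVATE KEY"
    raise ValueError("unrecognised DER structure")


def der_to_pem(der):
    """Wrap a DER blob in PEM armour with the label that matches its type."""
    label = der_object_type(der)
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def cert_signature_oid(der):
    """Return the OID content bytes of a certificate's outer signatureAlgorithm."""
    _, body, _ = der_tlv(der)
    elems = list(der_children(body))
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    sig_alg_tag, sig_alg = elems[1]
    if sig_alg_tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    oid_tag, oid = next(der_children(sig_alg))
    if oid_tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return oid


def md5_signed_certs(pem_bundle):
    """Return [(index, algorithm name)] for every MD5-signed certificate in a PEM bundle."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        pem_bundle, re.S)
    hits = []
    for i, b64 in enumerate(blocks):
        der = base64.b64decode("".join(b64.split()))
        oid = cert_signature_oid(der)
        if oid in MD5_SIG_OIDS:
            hits.append((i, MD5_SIG_OIDS[oid]))
    return hits


# Constructed sample DER (hypothetical; minimal structures, not real keys or certificates).
SAMPLE_PKCS8 = bytes.fromhex("3018" "020100" "300d06092a864886f70d0101010500" "0404deadbeef")
SAMPLE_PKCS1 = bytes.fromhex("3009" "020100" "020105" "020103")
CERT_MD5 = bytes.fromhex("3018" "3003020101" "300d06092a864886f70d0101040500" "030200ff")
CERT_SHA256 = bytes.fromhex("3018" "3003020101" "300d06092a864886f70d01010b0500" "030200ff")


def build_sample_bundle():
    """A two-certificate PEM bundle: one SHA-256-signed, one MD5-signed."""
    return der_to_pem(CERT_SHA256) + der_to_pem(CERT_MD5)


if __name__ == "__main__":
    print(der_to_pem(SAMPLE_PKCS8))                  # PEM armour the PKI store will accept
    print(md5_signed_certs(build_sample_bundle()))   # [(1, 'md5WithRSAEncryption')]
```

To audit a real CA list, export it from the appliance and pass the file contents to `md5_signed_certs()`; the index identifies which certificate in the bundle to remove or replace. Only the outer signatureAlgorithm is inspected, which is the field that determines whether a chain built through that CA relies on MD5.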