44-10-5200-27 5.2.6 HP ProCurve MSM7xx controllers / MSC-5xxx controllers 5.2.6 Release Notes Introduction These Release Notes apply to the HP ProCurve MSM Controllers as follows: MSM710 / MSC-5100, MSM730 / MSC-5200, MSM750 / MSC-5500. HP ProCurve Product Naming - - - - - - - - - - - - - - - 2 Release 5.2.6 - - - - - - - - - - - - - - - - - - - - - - - - 3 Release 5.2.5 - - - - - - - - - - - - - - - - - - - - - - - - 7 Release 5.2.4 - - - - - - - - - - - - - - - - - - - - - - - - 8 Release 5.2.3 - - - - - - - - - - - - - - - - - - - - - - - 11 Release 5.2.2 - - - - - - - - - - - - - - - - - - - - - - - 14 Release 5.2.1 - - - - - - - - - - - - - - - - - - - - - - - 17 Copyright 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers 2 HP ProCurve Product Naming As of October 1st, 2008, Colubris Networks has been acquired by HP ProCurve. HP ProCurve has integrated the Colubris product line into its ProCurve Networking product portfolio (www.procurve.com/news/colubris-10-01-08.htm). Colubris product names have been changed to their equivalent HP ProCurve product names. In this 5.2.6 release, the management tool user interface and online help use the new HP ProCurve product names. Some of the documentation continues to use the Colubris product names. Note: SOAP and SNMP MIBs retain the Colubris naming so you do not need to change your existing SOAP and MIB usage. The Colubris Networks product names and their corresponding new HP ProCurve product names are as follows: Colubris name MSC-5100 MultiService Controller MSC-5200 MultiService Controller MSC-5500 MultiService Controller MSC-3200 MultiService Controller MSC-3200R MultiService Controller MSC-3300 MultiService Controller MSC-3300R MultiService Controller MAP-320 MultiService Access Point MAP-320R MultiService Access Point MAP-330 MultiService Access Point MAP-330R MultiService Access Point MAP-330 AP+Sensor MultiService Access Point MAP-625 MultiService Access Point MAP-630 AP+Sensor MultiService Access Point WCB-200 Wireless Client Bridge Visitor Management Tool RF Manager 1500 Enterprise RF Manager 1300 Basic RF Planner HP ProCurve name MSM710 Controller MSM730 Controller MSM750 Controller MSM313 Access Point MSM313-R Access Point MSM323 Access Point MSM323-R Access Point MSM310 Access Point MSM310-R Access Point MSM320 Access Point MSM320-R Access Point MSM325 Access Point MSM422 Access Point MSM335 Access Point M111 Client Bridge Guest Management Software RF Manager 100 S/IPS system RF Manager 50 S/IPS system RF Planner
5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers 3 Release 5.2.6 Contents General information - - - - - - - - - - - - - - - - - - - - - - - - - - - 3 Fixes - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 5 Known issues - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 5 General information Terminology The following terminology is used in these Release Notes and other 5.2.x documentation as follows: Term AP Service controller The term access point is generally abbreviated as AP. Refers to the HP ProCurve MSM7xx controllers / MSC-5xxx controllers. Updating to 5.2.6 software Update the service controller to version 5.2.6 as described in the Firmware updates section of the MSC-5000 Series Admin Guide. Once the service controller is updated, it automatically updates all of its controlled APs to 5.2.6. Note: All pre-5.2.4 devices updated to 5.2.4 or higher will use the new HP ProCurve product names in the management tool as identified in HP ProCurve Product Naming on page 2. Note: An HP ProCurve MSM7xx / MSC-5xxx controller must be upgraded to at least version 5.2.5 before it can recognize and configure the new HP ProCurve MSM410 access point. Sensors and RF Manager MSM325 / MAP-330 sensors and MSM335 / MAP-630 sensors at version 5.2.6 are ONLY compatible with RF Manager version 5.5.187. If you choose not to upgrade to RF Manager 5.5.187, DO NOT upgrade a service controller that is controlling a sensor, that will be used with RF Manager, to version 5.2.6. See also, the RF Manager 5.5 Release Notes. Documentation You can download documentation from the HP ProCurve Networking manuals Web page at: www.procurve.com/customercare/support/manuals/index.htm.
5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers 4 Regulatory update REGULATORY NOTICE for European Union HP ProCurve MSM Controllers and MSM Access Points purchased after April 1, 2009 are subject to new ETSI radar interference requirements that limit the available channels in the 5 GHz band. The software version that is loaded on your device is compliant with these new requirements. The 5 GHz channels 120, 124, and 128 are excluded to prevent illegal operation in the 5600 to 5650 MHz band. When using this device with an HP ProCurve MSM Controller that was purchased prior to April 1, 2009, and the software version on your controller is 5.2.5 or earlier, you should perform one of the following two tasks before placing your MSM access point into service. This step is necessary to maintain compliance with the R&TTE Directive. OR Upgrade the controller software to the latest version by using the Software Upgrade Managers (SUM) utility. Customers with support contracts can obtain the latest software via the Software Upgrade Manager (SUM). For more information on this process, visit the HP Software Releases & Media website at: www.hp.com/softwarereleases/releases-media2/sum/how_to_be_a_sum_customer.htm. Customers without support contracts who wish to obtain the latest software release can purchase a software Care Pack service by contacting their local HP sales representative or authorized HP reseller. Manually add 5 GHz channels 120, 124, and 128 to the Channel Exclusions list to prevent illegal operation in the 5600 to 5650 MHz band. If the software on your controller is version 5.2.6 or higher, no action is required. Other regulatory information In the USA and Canada, no DFS channels are available on radio 1 of the MSM422 / MAP-625 even when operating in legacy modes. As of 5.2.6, the 802.11a Turbo mode (local mesh) is certified for use in the following countries (For the MSM422 / MAP-625, this only applies to Radio 2): Argentina Australia Azerbaijan Belgium Belize Bolivia Brazil Brunei Canada China Colombia Costa Rica Cyprus Czech Republic Denmark Dominican Republic Egypt Estonia Finland France Georgia Germany Greece Guatemala Hong Kong Hungary Iceland India Iran Ireland Italy Liechtenstein Lithuania Luxembourg Macau Malaysia Mexico Monaco Netherlands New Zealand Norway Panama Philippines Poland Portugal Puerto Rico Singapore Slovakia Slovenia Sweden Switzerland Taiwan Turkey United Kingdom United States Venezuela Local mesh in controlled mode Ignore any statements in the documentation indicating that only autonomous APs can be used for local mesh. Both autonomous and controlled APs support local mesh.
5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers 5 Fixes The following issues have been fixed since the previous release: 18819 (Applies only to the MSM410 and the MSM422 / MAP-625 in these countries: Austria, Bulgaria, El Salvador, Indonesia, Jordan, Latvia, South Africa, Trinidad and Tobago, and South Korea.) It is not possible to configure 802.11n channels in the 5GHz range in countries that do not support 40MHz channels. Known issues The following known issues are present in this release: 3944 The RIP2 MIB does not work in this release. 6988 If accounting support is enabled on the Public Access > Access Control page after the service controller has authenticated itself to the RADIUS server, accounting is not started. To enable accounting, restart the service controller. 7668 802.1x user cannot re-authenticate in the event the RADIUS accounting STOP message is not acknowledged by the RADIUS server. 7811 On the Public Access > Access Control page, the Allow any IP address option is not supported when NAT is disabled on the Internet port. 8291 Source NAT (Allow any IP address and to use Dynamic IP) does not work with the option to support clients using an HTTP proxy. 10416 An 802.1x user logging out via the session page may not get redirected to the Goodbye page. 10535 Client stations that use static IP addresses with access control are not compatible with the Layer 3 mobility feature. 12437 If the management IP address is defined to be on the same subnet as the LAN port, changing the LAN port addressing method may cause the management IP address to be lost. The management IP address is defined on the Network > Ports > LAN port page. 13075 (Only applies to the MSM320, MSM325 / MAP-330 and MSM335 / MAP-630.) Do not attempt to change the radio 1 channel and the radio 2 channel at the same time (error message "The same frequency exists on other radios" will appear). Instead, change the radio 2 channel first and Save. Then change the radio 1 channel and Save. 13404 If you add or delete a static route or if you change the IP address of the LAN port, the RIP protocol will not announce the new routes until after the next restart. 16148 The CLI command Show radius users shows only non-access Controlled users. 16787 Traffic on the management LAN is blocked. After a reboot, the management LAN is reachable.
5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers 6 18076 When MAC address filters are set to Allow for an access-controlled VSC, the clients that match a MAC address in the list are not able to associate with the SS and login to access the network. 18804 An undesired Suspicious state is occurring for controlled APs that are moving between service controllers or are powered off for several days. 18906 Static NAT mappings do not apply to VPN connections or VLANs on the Internet port. 19068 The default-user-one-to-one-nat site attribute is never applied to users. As a workaround, create a user account profile (Service Controller >> Users > Account profiles) and enable VPN one-to-one-nat in the profile. 19260 (Applies only when VLANs are configured.) The Network topology diagram (Service Controller >> Status > Network Topology) may display APs on the LAN port instead of the Internet port. 19829 For 802.11n APs (MSM410, MSM422 / MAP-625), setting the radio power to 0dBm actually causes the power to be set to 100% power. Instead, set the power to 1% or 1db. 19950 For 802.11n APs (MSM410, MSM422 / MAP-625)) operating in controlled mode, the auto channel feature is not working for the 2.4GHz 802.11n mode on channels 12 and 13. 20026 (Only applicable to provisioning local mesh on an MSM410 in controlled mode.) MSM410 devices cannot be provisioned for local mesh as a group. They must be provisioned individually. To do this, select an individual MSM410 from Controlled APs in the Network Tree. Then choose Provisioning > Connectivity, clear Inherited, and provision your local mesh radio settings.
5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers 7 Release 5.2.5 Fixes The following issues have been fixed since the previous release: 13959 Trace is not available for download or viewing when tracing controlled APs that have letters in their MAC address. 17754 On page Service Controller >> Users > Account profiles, the Session time attributes > Terminate action=reauthenticate option does not work. It just terminates the client session. 19357 The SOAP Function: "GetLocalConfigDefaultUserOneToOneNAT()" is not working. 19601 (Only applies to the default Windows wireless supplicant.) For domain-based computers with "Authenticate as computer" (computer authentication) enabled on the wireless interface, and authentication done via Active Directory, a user can successfully log in if they provide valid credentials to the Active Directory server, even if the user is NOT a member of a group defined on the service controller. 19672 Password fields in the management tool are not protected against the auto-complete feature in web browsers, causing existing passwords to be overwritten with incorrect values. 19681 The 802.1x supplicant time-out value fails to be applied to EAP Request Identity packets. 19786 When using HTML authentication with Active Directory, authenticating a user from an Active Directory child sub-domain does not work. 19787 On APs operating in 802.11b/g mode, if the Allowed Wireless Rates options are modified for a VSC, all supported wireless rates will be advertised as BSS Basic, which can cause problems for 802.11b-only clients attempting to connect. 19864 Setting up a firewall with an Accept rule followed by a Drop All rule drops all traffic, instead of preserving the data matched by the Accept rule. 19941 The CLI command access control which disables access control on a VSC, does not work. 19951 On the Controlled APs >> Configuration > LEDs page, controlled AP status lights can be turned off completely, or set to only show a blinking power light, or the lights can be set to function as normal, showing full status information. 19961 The CLI command to turn off the wireless security filters option for a VSC is missing on the service controller.
5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers 8 Release 5.2.4 Fixes The following issues have been fixed since the previous release: 15469 RADIUS VLAN assignment and the optional L3 mobility feature cause a traffic loop to occur. 16138 When using EAP-TTLS, the service controller reports username as >anonymous< rather than the actual username. 17294 The accountsd process reports a query execution failure when a user session expires based on subscription plan settings. 17692 The SOAP process crashes when calling GetSatelliteListStatus. 17741 When using PPPoE and adding TCP NAT mappings on the service controller to reach a TCP server on the LAN side of the controller, the connection to the TCP server does not work due to large packets being dropped. 17776 It is not possible to manage an AP on the management subnet through NAT mapping. 17903 When enabled, One-to-One NAT blocks VPN connections. 17913 Cannot join an Active Directory domain with a username/password that contains special characters such as: & $ ( ) ; < > \ 17918 When the service controller of an AP becomes temporarily unavailable, and another service controller is available on the network, the controlled AP reboots. 17919 (Applies only to the MSM750 / MSC-5500.) When a large number of access-controlled users log in during a short time period, the MSM750 / MSC-5500 may reboot due to a memory-management issue. 17925 The service controller is unable to join an Active Directory domain when the DNS server returns very large packets. 17926 (Applies only to VPNs configured with PPTP client.) The auto-route discovery option (Service Controller >> VPN > PPTP client) is not working in this release. 17939 The User Tracking feature does not output any logging packets. 17941 Error messages related to running out of memory are appearing due to inadequate resource release. 17942 The MSM750 / MSC-5500 cannot support more than 100 APs when the optional L3 mobility feature is used. 17946 Service controllers still communicate with each other after disabling mobility controller discovery.
5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers 9 17964 The Microsoft Zero Configuration wireless client authentication does not work with Active Directory. 17972 When NAT is enabled on the Internet port (Network > Ports > Internet port) it is also possible to enable Allow any IP address > to use Dynamic IP on page Public access > Access control. The two options should be mutually exclusive. 17981 When an implicit license is in use and connection with the service controller is lost, wireless services are stopped. 17990 It is not possible to configure Redirect-URL with local attributes because the choice is missing. 18012 Authentication using Active Directory does not work for child domains. 18018 VPN connections fail when one-to-one NAT is enabled and no alternative IP address is defined. 18022 The MSM422 / MAP-625 reverts to legacy data rates when VSC bindings are changed. 18056 A memory leak in the openvpn process causes the process to terminate. As a consequence, communication to all APs is lost momentarily while tunnels are being setup. 18084 The MTU configuration of the Internet port is not properly adjusted when the path is lower than 1500. 18135 HTML authentication using Active Directory does not work for child domains. 18173 (Applies only to 802.11n on the MSM422 / MAP-625.) A Linksys WPC600N client device sometimes loses IP connectivity. 18176 The Location-aware placeholder %G does not get assigned the Groupname value for wired users. 18180 Occasionally, a controlled AP may become de-synchronized and it then re- discovers its service controller. This occurs quickly and is effectively transparent. 18255 In the management tool, some address lists (NOC and others) are not wide enough to display the full IP address and Mask. 18287 (Applies only to the optional L3 mobility feature.) Some client devices roaming between subnets handled by the same service controller are not seen in the Visitors and Travelers tables. 18382 When using NOC authentication, if the certificate used to identify the device contains an IP address instead of a hostname, HTTP Proxy users are unable to login. 18387 (Applies only to the MSM710 / MSC-5100.) The Service Controller >> Network > Ports page now provides an option to swap the LAN and Internet ports. This makes it possible to use PoE on the Internet port. 18484 Wireless neighborhood information (Service Controller > Controlled APs > Overview > Neighborhood) for APs in controlled mode is missing from the service controller GUI.
5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers 10 18676 Users cannot establish a PPTP connection through the service controller using a VPN client. 19004 The built-in RADIUS server crashed due to lack of memory under certain circumstances. 19040 The following invalid error message is seen in the log when a DNS packet that is larger than 512 bytes is received by the service controller: assert: masquerade.c HandleMasqueradeTimeoutEvent 384 (MAX_DNS_PACKET_SIZE >= (masqueradeentry->mpacketlength + sizeof(struct CompressedResourceRecord)+ sizeof(in_addr))) 19282 Authentication via an Active Directory server does not work with Windows Server 2008-based domain controllers (Active Directory servers). 19505 The MSM7xx / MSC-5000 series controllers were limited to five simultaneous HTML logins. The limits are now as follows: MSM710 / MSC-5100=25, MSM730 / MSC-5200=50, MSM750 / MSC-5500=100.
5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers 11 Release 5.2.3 Fixes The following issues have been fixed since the previous release: 10463 If administrator authentication for the management tool is set to use a RADIUS server, the failover to a secondary RADIUS server does not occur when the primary server does not respond. 12813 The following default public access attributes are now configurable via the management tool: default-user-max-output-rate, default-user-max-input-rate, default-bandwidth-level, default-use-access-list, default-welcome-url, default-goodbye-url. 12856 DFS on Local Mesh is supported on 802.11a/b/g radios (no DFS support is provided on 802.11n radios). Previous workarounds are no longer required. 12969 If a user authenticates with 802.1x/RADIUS (e.g., WPA Enterprise) and the RADIUS server is down or sends no response, and then the client disassociates, the AP continuously retries the RADIUS request at the configured interval. 15391 In a controlled mode local mesh network, if there was a large amount of data going through the mesh, the service controller would not always be able to retrieve the state of APs, or push configuration changes. 15867 The Fast Reconnect option of 802.1X supplicants was not honored when WPA2 Opportunistic Key caching was enabled. 15906 Users authenticated through Active Directory were wrongly shown to be authenticated through RADIUS. 16070 If you change a VSC from Access Controlled to Non-Access Controlled and you do not re-synchronize the AP, unexpected behavior may occur. 16250 (Applies only to the MAP-630.) The MAP-630 includes internal antennas in its flaps and it supports the connection of external antennas. However, only the internal antennas can be selected when provisioning an AP to operate over local mesh. Affects page Controlled APs >> Provisioning > Connectivity on the service controller and page Provisioning > Connectivity on the MAP-630. 16307 (Applies only to a MAP-630 in controlled mode.) Editing the Radio page of a controlled MAP-630 will not place the MAP-630 into an unsynchronized state (as it should). After making your changes, Synchronize the MAP-630 to make the changes take affect. 16347 The system name is now displayed in the management tool top banner. It is configured by the System name item on the Management > SNMP page. It defaults to the device serial number.
5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers 12 16348 When performing a configuration backup, the default file name is now named config_(system name).txt, where (system name) is configured by the System name item on the Management > SNMP page. It defaults to the device serial number. 16349 The X.509 certificate for controlled mode authentication between the AP and the service controller was too short with a lifetime of three days. It now has a lifetime of 60 days when first created, and seven days thereafter. 16350 Shared secret configuration changes only apply after a restart. 16368 (Applies only to the WPA2 Opportunistic Key Caching option.) WPA2 Opportunistic Key Caching (previously called L2 Fast Authentication) can only be enabled when the Mode is set to WPA2 or (WPA or WPA2) and the key source is set to RADIUS. Previous releases allowed this feature to be configured without validation of the key source. When upgrading from a previous release (such as 5.1.3) to 5.2.1, certain configurations can cause MAPs to fail to establish a management tunnel after the upgrade. 16387 Active Directory authentication did not work if the service controller was unable to create its binding at boot time 16536 If the shared secret for the service controller's RADIUS server was considered to be a weak secret, no error would appear but APs would no longer be able to synchronize with the controller. 16572 It is not possible to start a packet trace from the SNMP TOOLS MIB. 16650 The service controller attempts to configure unsupported Colubris APs (controlled mode) instead of reporting them as being unsupported. 16708 After a date change on the service controller, some APs could not recover from a secure management connection failure. The only workaround was to power-cycle the AP. 16772 On the local mesh configuration page, the preshared key for TKIP and AES is no longer displayed in clear text. 16981 A radio could not be switched to sensor mode if its mode was set to 802.11a Turbo. 17012 When doing html RADIUS authentication and site authentication is disabled, the "nasid" placeholder is empty on the redirect URL. 17110 With APs in controlled mode, communicating with the service controller through a VLAN, the CDP information sent by the AP did not contain the correct IP address of the AP. 17256 For Access controllers, when using the DNAT-SERVER action in an access- list attribute, the domain name can now be a wildcard, for example: *.colubris.com 17299 (Applies only to the MAP-630.) In some cases, when connected to a gigabit switch, the Ethernet receiver can get stuck at boot up, causing communication to fail. 17314 In controlled mode, the secure control tunnel between an AP and the service controller depends on the path MTU discovery (PMTU) to set the tunnel MTU. In some networks, the PMTU did not work due to other network elements. This caused large frames inside the control tunnel to be lost and eventually led to the AP losing its connectivity with the service controller.
5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers 13 17335 The Source IP of RIP packets sent over the LAN port could be incorrect if the Management subnet, DHCP Server, or DHCP Relay per VSC were enabled. 17350 Non-access-controlled VSCs generate false errors related to the egress VLAN. 17410 Malicious network traffic can cause the service controller to reboot. 17411 The public access portal stops due to a memory limit being reached and is unable to restart due to a socket being still in use. 17510 If the SOAP management interface is disabled and then re-enabled, it will no longer start automatically on power up. 17632 Using a wildcard in an access-control list may not work on first try, but it does work on subsequent tries. 17639 When changing local mesh encryption of a local-mesh-provisioned MAP, a reboot of the slave is required to recover. 17653 (Applies to the SNMP Maintenance MIB.) Object certificateexpirydate returns the wrong date.
5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers 14 Release 5.2.2 Fixes The following issues have been fixed since the previous release: 14804 (Applies only to the L3 Mobility option.) DHCP renew requests coming from a traveler were not always forwarded to the home network, causing the client to fall back to a DHCP discover. The user would then get an IP address on the foreign network and current connections would be lost. 15896 Signal and Noise information is now displayed in controlled mode, for local mesh nodes and wireless clients. 16008 When a VSC uses the Rate Limit feature and a user leaves the network before terminating their authentication, some rules are left in the access controller blocking the user from logging in again. 16385 When WPA2 Opportunistic Key Caching (previously called L2 Fast Authentication) is enabled in a VSC and the service controller is used for RADIUS local authentication, APs will consistently fail to synchronize. As soon as WPA2 Opportunistic Key Caching is disabled or the service controller is not used for local authentication, the APs can again be synchronized. You can use WPA2 Opportunistic Key Caching with a remote RADIUS server. 16393 When DHCP is turned off on the service controller, the service controller is unable to route DHCP traffic, even if access lists are configured to permit this. 16403 Traffic coming in on either an IPSec tunnel, or directly on the Internet port if NAT is turned off, is not allowed to reach the management subnet on the LAN port. 16410 Initiating a TCP/UDP connection from the Internet port toward a station on the LAN side would fail. 16426 (Applies only to controlled mode, when a MAP-330 is in the same group as a threeradio product such as the MAP-630.) When a third radio is configured (for the MAP- 630), the MAP-330 can appear to be in license violation if a license has been installed locally on the MAP-330. As a work around, create separate MAP-330 and MAP-630 groups and ensure that sensors are configured only at the group level. 16458 The System log showed many recurring errors such as: ConnectToPGSQLDatabase: Connection to database failed: could not connect to server: No such file or directory. This affected the access control service and RADIUS server, effectively disabling them. 16464 The DNAT polling URL only supports port 80 and the polling does not work or go through the DNAT server polling when set to a different port.
5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers 15 16525 An XML deserialization problem causes an interoperability problem with Microsoft.NET 2.0, and possibly all other versions of.net. 16541 DNS responses larger than 512 bytes were being dropped. One visible consequence was that the query for getting the LDAP information for Active Directory could fail in large AD domains. 16556 The codevicewirelessassociationnotification trap of COLUBRIS-DEVICE- WIRELESS-MIB.my is not generated. 16578 Interim updates are not sent for access-list entries with accounting support. 16650 The service controller attempts to configure unsupported Colubris APs (controlled mode) instead of reporting them as being unsupported. 16673 (Applies only to the MSC-5200.) The MSC-5200 may restart if it receives an Ethernet frame larger than 1518 bytes. 16697 Changing allowed wireless rates causes AP errors when syncing, causing the AP to restart and mapconf errors to appear in the system log. 16720 Using the web-management tool, it is not possible to replace the X.509 certificate with another certificate that has the same certificate subject or name (DN). 16739 IPSec interfaces were not available in the Network Trace tool. 16767 The MAP-320R and MAP-330R were not displayed in the Autonomous AP list of the Network Tree. 16777 A local mesh slave node may stop trying to connect to a master node if it had been previously refused. 16786 The SNMP trap State change is not always issued by the service controller when an AP goes down. 16813 (Applies only to the MSC-5500 and MSC-5200.) When an SNMP Heartbeat trap is sent, the IP address is presented in reverse order. 16851 Many consecutive 802.1X RADIUS requests from one user can cause RADIUS requests from other users to be ignored. 16906 When removing RADIUS Accounting from a non-access-controlled VSC, an entry similar to this may appear in the log: log: Dec 26 19:55:04 crit iprulesmgr assert: radiususer.c SendAccountingRequest 2653 (UpTime()!= user->maccountingeventuptime) 16912 The RADIUS proxy can stop accepting RADIUS Authentication or Accounting requests after a large number of such requests go unanswered by the RADIUS server. 16914 (Applies only to non-access-controlled clients being authenticated through the service controller (external RADIUS server).) In some cases, 802.1x authentications will never time out if the client sends retries. 16918 The Active Directory domain name maximum length was 24 characters. It has been increased to 240 characters.
5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers 16 16945 L2 and L3 Mobility fails when more than 32 APs using the same VSC are active on a service controller. 16948 (Applies only to MSC-5500.) With a very large number of synchronized APs, a configuration change on the service controller can cause all APs to be temporarily lost, requiring a new discovery/configuration cycle. (When testing, this was seen with greater than 188 synchronized APs.) 16950 L3 Mobility on the service controller can fail after an AP reboot. 16993 In access lists, a wildcard character can be used in front of a domain name, for example, *www.colubris.com. When this syntax is used, the access list will match the resolved IP address dynamically, instead of refreshing it upon every site authentication cycle. 16998 If the default certificate was replaced by one signed by an intermediate certificate authority (CA), some browsers would complain that the site was not trusted when opening the login page. 17009 In some rare cases, after login, a user could see a web page indicating "Attribute not found." 17034 The group name in the %G placeholder was truncated to 16 characters. The group name can now contain up to 64 characters. 17052 The HTML NOC Logout function sometimes fails with error: err webauth Cannot get peer certificate- denying access. 17065 The default NTP time servers have been changed to 0.colubris.pool.ntp.org and 1.colubris.pool.ntp.org. 17138 Getting sysinfo from the service controller for an AP in controlled mode sometimes fails. 17252 The service controller could become unstable after a number of AP authentications if Controlled AP authentication was enabled and the Use file authentication list method was selected.
5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers 17 Release 5.2.1 Contents New features and enhancements - - - - - - - - - - - - - - - - - - - - - 17 Fixes - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 18 New features and enhancements Software version 5.2.1 contains new features and enhancements as described here. For information on major new features and enhancements, see the New in this release section of the MSC-5000 Series Admin Guide. Here is a brief sampling: Embedded RADIUS server Local termination of 802.1X users Local termination of MAC users Active Directory integration Enhanced local-user accounts Subscription plans Local mesh in controlled mode Enhanced autonomous AP support These other new features and enhancements also apply to this release: 10604 Access lists processing has been enhanced allowing for more rules to exist without compromising performance. 12104 A controlled AP can now be provisioned locally using its management tool. 13272 The DHCP server is now configurable on a per-vsc basis, making it possible to serve different DHCP ranges or subnets for each VSC. 13471 The ability to discover controlled APs on the LAN port is now configurable by selecting Service controller >> Management > Device discovery. Previously discovery was always enabled on the LAN port. 14143 It is now possible to configure a different RADIUS server for authentication and for accounting, when using 802.1X or MAC based authentication. 14229 ACCEPT rules have been added to the firewall. When a packet is accepted by the firewall, it must go through the access controller rules, if applicable. 14303 A new option enables automatic logout of users upon receiving a DHCP Discover request. This is applicable only to HTML-based authentication. One possible use for this feature is to automatically logout a remote terminal or thin client user when the terminal session is closed. By default, this parameter is disabled. To enable it, select Network > Address allocation > DHCP server > Settings. 14305 The public access interface Login page can now optionally be presented via HTTP instead of HTTPS, avoiding the client browser warning when using the default product certificate. For security purposes, HTTPS remains the default setting. To configure this option, select Public access > Access control > Service controller.
5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers 18 14314 The NOC authentication mechanism has been enhanced to allow simultaneous use of HTML authentication and NOC authentication, provided that the [USER-SPACE].HMTL.noc-client-validation configuration setting is set to DISABLED. 14376 Two new options have been added to the Network > DNS page: Logout host name and Logout IP address. These two options enable easy logout from the public access network. Users can logout by pointing their browsers to a host name or IP address. If a user that is logged in via HTML sends an HTTP request to the specified host name or IP address, the service controller will log the user out. 14404 The access list DNAT feature has been enhanced to optionally allow all traffic to bypass the DNAT rule if the DNAT server is down, or to switch to an optional secondary DNAT server if the case the primary is down. This allows for building redundancy in the DNAT (proxy) service, with a failover mechanism or a bypass in case of a problem with the DNAT server(s). 14650 Additional authentication types have been added to the SOAP/XML interface. In addition to HTTPS X.509 certificate authentication, it is now possible to use HTTP authentication, with or without SSL. 14652 The NOC HTTP API is now available under SOAP/XML as well. 14797 The SMTP proxy has been enhanced to proceed without authentication with the SMTP server if it doesn't answer as expected to the initial EHLO request. 14846 In an access controlled VSC, it is now possible to configure an egress VLAN on the LAN port. Such an egress used to be limited to the Internet port only. 15239 Added a User Tracking feature, which allows for logging user activity, such as user name, real and public (NAT) IP addresses, MAC address, protocol. This information is sent in real time to an outside syslog server. Fixes The following issues have been fixed since the previous release: 6212 With IPSec security, the Phase 1 IKE SA is deleted too quickly when the peer initiates a negotiation for a new IKE SA, confusing certain IPSec gateways, which then keep more than one tunnel (SAs) active between the peers. 7755 When DHCP relay is configured on a VSC, wired users who are not assigned to a VLAN use the global DHCP relay setting and not the VSC settings. However, these users are assigned the circuit, remote, and subnet options configured in the VSC. 10850 On the page Service Controller > VSCs >> Overview > User sessions, the number of users in the list and the stated number of users did not match. 11376 Switching between html and 802.1x failed with some third-party APs.
5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers 19 11721 The RADIUS called-station-id attribute was still set to the LAN port MAC address, even if the configuration file token [ACCESS-CONTROLLER]/radius-called- station-id-port was set to Internet. 11948 An error message may be displayed when using drag and drop to move an AP between two groups in the Network tree while the menu is being refreshed. If this occurs, try again. 12688 The AP is unable to correctly report a priority conflict between two or more service controllers. 12762 Customer Data Rate (receive) is not enforced when all authentication methods (including HTML) are is turned off in a VSC. 12854 When the new Auto-Refresh feature is enabled, administrators are no longer automatically logged out when their session is idle for more than 10 minutes. They remain connected indefinitely. 12915 Firmware distribution feature waited indefinitely for the license agreement to be accepted on the APs. Now, firmware distribution can be used without having to accept the license agreement on the APs. 12966 When an AP operating in controlled mode is connected to a service controller using L3 connectivity or has the centralized access control option activated (Service Controller > Controlled APs >> Configuration > Access Control page), then access to the service controller s management tool (or via CLI or SOAP) from client stations connected to the AP is not possible. 12979 (Applies only to L3 Mobility in controlled mode.) If a subnet was reachable both locally (through locally controlled APs) and through another service controller, there was a race condition where the VLAN associated with the subnet was being cleared. As a result, the service controller did not perform a VLAN check as part of the shortest path capability check, and the shortest path roaming case was being executed even though the service controller did not have VLAN connectivity to the home subnet. 12997 In a VSC definition if you disable the Wireless MAC filter feature, remove all MAC addresses from the list, and then click Save, the AP will have to reassociate with the service controller and do a full configuration update when it is synchronized. To avoid this delay, do the change in two steps: 1. Disable the MAC filter feature, click Save and then synchronize the AP. 2. Delete all MAC filter addresses, click Save and then synchronize the AP. This same issue also affects the Wireless IP filters feature. 13035 Moving an AP into a new group always produces an error. This is seen when moving an AP from one group to another, and when the country is changed on the service controller. 13076 Removing an IP filter can sometimes result in an error message (in log: "Could not retrieve VSC index for <255.255.>") and AP reboot. 13078 The date returned by Time Protocol-based time servers was not rejected if suspicious (year earlier than 2007). As a result, AP configuration synchronization and certificate problems could occur.
5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers 20 13090 When the DNS relay feature is enabled, client stations that are running Windows Vista may cause the service controller to become inoperative. 13109 Values for Signal, Noise, and SNR are not shown in the tables on the Overview > Neighborhood pages. 13227 When using a service controller to provision the discovery settings on an AP operating in controlled mode (on the Device Provisioning > Discovery page), the DNS name option is limited to 63-characters. 13289 Two IP addresses are reserved for wireless client stations, instead of one, when the service controller is configured as follows: Public access > Access control page: "Allow any IP address" and "to use Dynamic IP" options are enabled. Network > Address allocation > DHCP relay page "Allow per VSC" is enabled. 13377 When a client station uses 802.1x or MAC authentication, its browser must not be configured with an HTTP proxy. The HTTP proxy feature of the service controller works only for client stations authenticating using the HTML login page. 13843 When the Internet port IP address is changed and NAT is enabled, current UDP and TCP connections still use the old IP address. 13884 On the Maintenance menu, firmware file URLs and configuration file URLs are shown as valid even when wrong. 13897 Attempting to configure an AP which is in the "Waiting for acceptance" or "Not authorized" state fails. 13976 When configuring AP names, avoid using any of these three characters because they will not display correctly (less than, greater than, ampersand): < > & 14054 Access control: The wispr-logoff-url was not being taken into account when specified in the local site configuration. 14386 The MSC-5500 sometimes freezes during configuration upload. 14536 (Applies only to Japan.) For APs in controlled mode, some Japan channel- selection lists are wrong. 14562 If a device is configured with REDIRECT/DNAT/WARN rules and use-access-list is in the site profile, an HTTP proxy user is not be able to access the affected sites properly. 14595 MAC address authentication, using the access control attribute mac- address, would not always work when traffic would come in through a VLAN that is part of a predefined VLAN range. 14616 User performance degrades when rate limit is turned on. 14617 When using rate limit, the service controller may store and retrieve IP addresses inefficiently with certain customer IP address distributions. 14647 In the HTTP proxy, when both the client & the server are set to keep- alive, the connection will fail if a "100 Continue" reply is being used.
5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers 21 14671 An error occurs when clearing the "Retrieved attributes override configured attributes" option. 14683 When GRE routes are defined, the management tool crashes when attempting to navigate to the IP routes page. 14732 With a large number of users, performance issues related to login time and throughput could occur. With the fix, the improvement is most apparent when the rate limit and bandwidth control options are enabled. 14764 Proxied SMTP does not count the bytes uploaded against the users. 14784 (SNMP MIB.) A walk of MIB codeviceinfotable stops at the first AP that has codevdisstate not running. 14804 (Applies only to the L3 Mobility option.) DHCP renew requests coming from a traveler were not always forwarded to the home network, causing the client to fall back to a DHCP discover. The user would then get an IP address on the foreign network and current connections would be lost. 14835 The HTTP proxy crashes and restarts after receiving certain HTTP packets. 14856 The management tool authentication process (WEBAUTH) may crash in some situations. 14967 When a user is logged out because of a duplicate IP address on the network, the cause in the system log is "Unknown cause". It has been fixed to PORT_ERROR. 15033 (Applies to SNMP MIB.) A walk of MIB COLUBRIS-VIRTUAL-AP-MIB may fail when there was more than one VSC configured. 15059 The AP sometimes cannot be synchronized if there is an ongoing and simultaneous configuration event happening, for example with the SOAP interface. 15130 In some cases, the service controller floods the network with traffic from an L3 roaming user. 15170 The Management IP address of the LAN port is being lost. 15226 DNS replies of type AAAA without an answer record are not handled properly. 15249 The NAT port range limit is not respected for proxy user traffic. A fixed limit of 50 is always used. 15283 (Access controlled users.) At the end of a user access list, there is no implicit DENY all rule, causing the default action to redirect the user to the login page. 15345 The 802.1x authentication fails in some cases. 15404 When an IPSec tunnel is built over a PPPoE connection, the default route, in some cases, can start pointing to the IPsec tunnel interface, making the Internet port interface unusable for non-ipsec related traffic. 15413 In the Bandwidth Control, if a level is set with a value lower than 80Kbits/sec, the traffic mapped to that level would instead get the full bandwidth available. 15524 When the service controller is not reachable, the AP does not turn off all accesscontrolled VSCs.
5.2.6 Release Notes: HP ProCurve MSM7xx controllers / MSC-5xxx controllers 22 15593 The page Status > IP connections does not display correctly with some Windows Vista installations. 15711 In some rare cases, the AP may send an invalid certificate request, which is then correctly refused by the service controller. But following this event, the service controller is unable to process new requests and must be restarted before new APs can come online. This has been seen only after a firmware upgrade of the service controller. 15923 Lack of additional information in the log for sessions logged out as Port-Preempted. 16243 Multiple sessions can be seen on RADIUS server even when the "Reauthenticate on location change" option is disabled. The RADIUS request is sent on a re-association, and this is sometimes undesirable. Enabling the "Reauthenticate on location change" option makes it possible for a RADIUS server to deny access based on user location. 16323 With IPSec security, once a NAT gateway has been detected between the peers, the MSC no longer accepts a IKE negotiation from its peer.