Release Notes for DECserver Network Access Software V2.0 BL10D-40

January 14, 1997

This document contains information about DECserver Network Access Software Version 2.0 BL10D-40. It should be distributed to the network access server manager(s), load host system manager(s), and any other individuals responsible for network access server maintenance.

SOFTWARE VERSION: DECserver Network Access Software Version 2.0

SOFTWARE BASELEVELS: BL10D-40 (DS900TM, DS900GM and DS700)
                     BL10D-40 (DS90M)

The information in this document is subject to change without notice and should not be construed as a commitment by Digital Equipment Corporation. Digital Equipment Corporation assumes no responsibility for any errors that may appear in this document.

Possession, use, or copying of the software described in this publication is authorized only pursuant to a valid written license from Digital or an authorized sublicensor.

No responsibility is assumed for the use or reliability of software or equipment that is not supplied by Digital Equipment Corporation or its affiliated companies.

Digital Equipment Corporation makes no representations that the use of its products in the manner described in this publication will not infringe on existing or future patent rights, nor do the descriptions contained in this publication imply the granting of licenses to make, use, or sell equipment or software in accordance with the description.

__________
Copyright ©1997 Digital Equipment Corporation. All rights reserved.

The following are trademarks of Digital Equipment Corporation: DEC, DEChub, DEChub ONE, DECnet, DECserver, DELNI, Digital, LAT, MicroVAX, MultiSwitch, OpenVMS, Q-bus, ThinWire, ULTRIX, UNIBUS, VAX, VAXcluster, VAXstation, VT220, HUBwatch, DEChub 900, and the Digital logo.

AppleTalk is a registered trademark of Apple Computer, Inc.
HP is a registered trademark of Hewlett-Packard Company.
IBM is a registered trademark of International Business Machines, Corporation.
MS-DOS is a registered trademark of Microsoft Corporation.
OSF/1 is a registered trademark of Open Software Foundation, Inc.
SCO is a trademark of Santa Cruz Operations, Inc.
Sun is a registered trademark of Sun Microsystems, Inc.
SecurID is a registered trademark of Security Dynamics Technologies INC.
UNIX is a registered trademark of UNIX System Laboratories, Inc.
Vitalink is a registered trademark of Vitalink Communications Corporation.

Contents

1 INTRODUCTION
2 CORRECTIONS INTRODUCED BY THIS VERSION OF DNAS
  2.1 Corrections for Bugchecks
    2.1.1 Code 0002
    2.1.2 Code 0299
    2.1.3 Code 0500
    2.1.4 Code 0830
    2.1.5 Codes 0977, 0978 and 969
    2.1.6 Code 1234
  2.2 SET INTERNET ADDRESS Command not Privileged
  2.3 Dialer Services Changes
    2.3.1 Addition of Mode ANY
    2.3.2 Correction for Unwanted Dialer Accounting Events
    2.3.3 Correction for Hung Dialer Service Ports
    2.3.4 Callback connections did not always Re-Authenticate
  2.4 Authentication/Authorization Corrections
    2.4.1 RADIUS LAT Groups Attribute Mishandled
    2.4.2 Insufficient Resources
    2.4.3 Hung Ports
    2.4.4 Missing RADIUS Accounting Messages
    2.4.5 RADIUS Host and Service Names Mishandled
    2.4.6 Missing RADIUS Port Messages
    2.4.7 CHAP/PAP Failure
  2.5 Corrections for Insufficient Resource
    2.5.1 Loss of Memory Caused by the UI
  2.6 Corrections for PPP/SLIP Problems
    2.6.1 Duplicate PPP Accounting Events
    2.6.2 CONNECT PPP Command Failed
  2.7 Corrections for Port Problems
    2.7.1 Truncated Displays
    2.7.2 No XON Upon Remote Session Termination
  2.8 Corrections for User Interface Problems
    2.8.1 Can't Hyphenate Service and Node Names
  2.9 Corrections for Telnet problems
3 RAW TCP LISTENER INFORMATION NOT DISPLAYED
    3.0.1 CLEAR/PURGE Telnet Listener Clears The ID String
    3.0.2 Purge Telnet Listener Corrupts NVRAM
    3.0.3 Telnet Local TCP Port is Not Traceable
    3.0.4 Telnet Remote Console Not Accessible
    3.0.5 TCP Port Numbers Restricted on Client Connections
  3.1 Corrections for LAT problems
    3.1.1 SHOW QUEUE PORT n Displayed Incorrect Information
    3.1.2 Session Couldn't Reset Flow Control
    3.1.3 Force XON Not Supported
    3.1.4 LAT Node Selection
  3.2 Console Redirect Problem
4 CHANGES SPECIFIC TO THE OPENVMS ECO KIT
  4.1 DSV$CONFIGURE.COM
  4.2 TSM$NA_V20_GET_CHAR.COM

1 Introduction

The Access Server load images supplied in this kit contain all the available corrections for software problems found in DNAS versions 1.0 through 2.0.

2 Corrections Introduced by This Version of DNAS

This section lists the corrections included in this release and gives a brief description of conditions, events and symptoms associated with the problem. The following list only includes the corrections made after the release of V2.0 BL10-40.

2.1 Corrections for Bugchecks

Bugchecks are fatal errors that cause the server to abruptly cease operation and dump the contents of memory to a dump host. This section describes the bugcheck corrections available in this release. Please note that a single bugcheck code can occur for multiple reasons. The corrections available in this release apply to the currently known causes of the codes listed.

2.1.1 Code 0002

This version of software corrects a problem whereby DS900GMs would occasionally bugcheck with a 0002 code when a modem signal such as DSR switched states. The problem would only occur on full modem control ports.

2.1.2 Code 0299

This bugcheck code indicates that the software is in a hung state and has not processed a scheduled task for at least two minutes. This release corrects several causes of this type of bugcheck.

o The presence of a root nameserver in the DNS cache would sometimes cause this to happen during a DNS lookup if the TTL of at least one but not all of the learned nameservers for the default domain has expired. This problem was common to all versions of DNAS.
o This type of bugcheck would also happen if a RADIUS authenticated login failed and the port returned to the Idle state prior to printing the RADIUS supplied reply message. This problem was specific to DNAS V2.0.

o This version of software also corrects a problem whereby the server would bugcheck with a 299 code on a 32 port server (DS900) if one of the upper 16 ports (ports 17 through 32) experienced data overruns.

2.1.3 Code 0500

This is a generic bugcheck code used in several places. This ECO corrects a situation where this type of bugcheck could occur if a PPP/SLIP port failed to establish a session due to insufficient resources, and a BREAK signal was detected while the port was in the connecting state. This problem was common to all versions of DNAS.

2.1.4 Code 0830

This release corrects a problem where the server would sometimes bugcheck with a code of 830. The bugcheck would only occur if SNMP was being used to read the accounting log and the log contained an entry with a username greater than 128 characters. This problem was common to all versions of DNAS.

2.1.5 Codes 0977, 0978 and 969

These bugchecks occur when a problem is detected during the allocation or de-allocation of a memory buffer. This version of DNAS corrects several problems which could cause this to happen.

o When a very long character string was entered at the "Help?" prompt. This could occur in any version of DNAS.

o When a very long character string was entered at the "Enter phone number:" prompt. The phone number prompt is used by Dial services so it's specific to V2.0.

o A RADIUS authenticated login failed and the port logged out prior to printing the RADIUS supplied reply message. This problem was specific to DNAS V2.0 and is a variation of the 299 bugcheck problem described above.

o If the Kerberos realm was configured to use a SECRET, and a port logged out after a user entered a password but before the authentication completed.
o This type of bugcheck would sometimes occur when the CLEAR USERACCOUNT ALL command was executed.

2.1.6 Code 1234

This bugcheck code indicates that a port has received asynchronous data which needs to be sent to the host but the host connection no longer exists. This version of DNAS corrects a problem which would cause this to happen on ports using authentication with framed (PPP/SLIP) callback. As part of the callback process the user is re-authenticated. If the second authentication failed the server would sometimes crash while logging out the port. This failure was specific to DNAS V2.0.

2.2 SET INTERNET ADDRESS Command not Privileged

This version of software corrects a problem which allowed non-privileged users to execute the SET INTERNET ADDRESS command.

2.3 Dialer Services Changes

2.3.1 Addition of Mode ANY

The keyword ANY has been added to the {SET | DEFINE | CHANGE} DIALER SERVICE command as another way of specifying the type of session the Dialer service will create after the callback. ANY has the same definition as '*', meaning no specific mode is required. It should be whatever is imposed by the authentication realm or port characteristics.

    {SET | DEFINE | CHANGE} DIALER SERVICE foo MODE *
    {SET | DEFINE | CHANGE} DIALER SERVICE foo MODE ANY

To maintain backward compatibility the SHOW DIALER SERVICE display will contain an '*' in the Mode field to indicate a mode of ANY.

2.3.2 Correction for Unwanted Dialer Accounting Events

This release corrects the behavior of the Dialer feature so that an accounting event of "Dial Session Failure" will no longer be generated if a user enters a ^Z (Control-Z) at the "Enter phone number:" prompt.

2.3.3 Correction for Hung Dialer Service Ports

This version of software corrects a problem which would cause a port to hang if it was configured for AUTOCONNECT, a default protocol of DIAL, and had an undefined DIALER service as a preferred service.
Prior to this change the port would display a "Local -711- Service not known" message and would not allow the user access to the local prompt. With this change the same error message will be printed followed immediately by the local prompt.

2.3.4 Callback connections did not always Re-Authenticate

This release corrects a problem which occasionally caused the re-authentication of a callback user to be skipped.

2.4 Authentication/Authorization Corrections

2.4.1 RADIUS LAT Groups Attribute Mishandled

This version of software corrects a problem which caused the server to mishandle LAT group codes supplied by a RADIUS server during authentication. The group codes applied to the port following authentication did not always match the value specified by the RADIUS server.

2.4.2 Insufficient Resources

This release corrects several authentication problems which would eventually cause failures due to insufficient resources.

2.4.3 Hung Ports

This version of DNAS corrects a problem whereby a user with an access authorization of LOGIN could hang a port if the port was configured with a default protocol setting other than LAT, Telnet, or ANY. With this change the user will now be logged out with the local message "-1100- login protocol not specified". The problem was specific to DNAS V2.0.

2.4.4 Missing RADIUS Accounting Messages

This release corrects a problem which would sometimes prevent the access server from supplying RADIUS accounting messages in situations where callback was mandatory for the authenticated user and the callback failed. The problem mainly affected the STOP message but would sometimes also inhibit the START message. The problem was specific to DNAS V2.0.

2.4.5 RADIUS Host and Service Names Mishandled

This ECO corrects a problem which would cause LAT service names and Telnet host names supplied by a RADIUS server to be misread by the Access Server. This would prevent authenticated Login users from being able to access the service or host.

2.4.6 Missing RADIUS Port Messages

This ECO corrects a problem which sometimes prevented RADIUS supplied port access reject messages from being displayed on the port. This problem could also cause Bugchecks with codes 299 and 978 as described above.

2.4.7 CHAP/PAP Failure

This ECO corrects a problem which would occur when an authentication realm didn't specify an access type. The default authorization access type is NONE which is supposed to mean "None specified, allow any". The access server interpreted it to mean "None specified, don't allow any". As a result, if the user was configured for framed access, the authentication attempt would fail and the user's client would report "CHAP/PAP failure".

2.5 Corrections for Insufficient Resource

This release plugs several memory leaks which would eventually cause the server to respond to user requests with insufficient resource errors.

2.5.1 Loss of Memory Caused by the UI

This ECO corrects the following UI related memory leaks:

    Command                              Bytes Lost
    ==================================   ==========
    PURGE DIALER SCRIPT script-name         168
    PURGE DIALER SERVICE service-name       168
    PURGE USERACCOUNT user-name              96
    LIST USERACCOUNT user-name               36
    DEFINE DIALER SERVICE service-name       84
    DEFINE USERACCOUNT user-name             48

The loss of memory could be tracked via the SHOW SERVER STATUS or SHOW MEMORY STATUS commands.

2.6 Corrections for PPP/SLIP Problems

2.6.1 Duplicate PPP Accounting Events

This release corrects a situation where a successfully authenticated login using PPP would result in two login accounting events: one without a username and one with a fully qualified username.

2.6.2 CONNECT PPP Command Failed

This release corrects a problem which would cause the CONNECT PPP command to fail. The command would generate a Local -503- error message the first time the command was executed. Subsequent connection attempts would fail without generating any error messages.
If the command was executed often enough the server would enter a state where it would not permit Telnet access to the remote console.

2.7 Corrections for Port Problems

2.7.1 Truncated Displays

This version of software corrects a problem where setting a port's TYPE characteristic to Hard or Soft would cause some displays to be truncated. For example setting a port's type to HARD would cause the SHOW SECURITY command to output only the first two lines of the normal display. This problem was common to all versions of DNAS.

2.7.2 No XON Upon Remote Session Termination

Prior to V1.5 BL95C-34 terminating a remote connection would cause the asynch. port to transmit an XON (if XON flow control was enabled). BL95C-34 contained a software correction which inadvertently inhibited this from working. This ECO restores the lost functionality.

2.8 Corrections for User Interface Problems

2.8.1 Can't Hyphenate Service and Node Names

Prior to this release hostnames could not include hyphens or underscores. For example the hostname ppp-stud could not be used since the command CONNECT PPP-STUD would cause the port to attempt a PPP connection. This release corrects this problem.

2.9 Corrections for Telnet problems

3 RAW TCP Listener Information Not Displayed

This version of software corrects a problem which prevented TCP listeners from appearing in the SHOW TELNET LISTENER ALL display. Prior to this change the command would only display information on TELNET Listeners.

3.0.1 CLEAR/PURGE Telnet Listener Clears The ID String

The command {CLEAR | PURGE} TELNET LISTENER 23 would clear the identification field. With this ECO the field will now be set to "Telnet Console".

3.0.2 Purge Telnet Listener Corrupts NVRAM

Starting with DNAS V2.0 BL10-40 the PURGE TELNET LISTENER {tcp-port-id | ALL} command corrupted the NVRAM copy of the listener's port list causing subsequent DEFINE TELNET LISTENER commands to add unwanted ports to the list.
This problem also affected the PURGE TCP LISTENER and DEFINE TCP LISTENER commands.

3.0.3 Telnet Local TCP Port is Not Traceable

Prior to this ECO DNAS did not supply any local TCP port information in its SHOW PORT STATUS or SHOW SESSIONS displays, making it difficult to trace a process from a host back to a specific port on an access server. This ECO modifies the following commands to supply this information.

    Local> SHOW PORT STATUS

    Port 3:                            Server: LAT_08002BA67C38

    Access:          Local             Current Service:      16.20.10.3
    Status:          Connected         Current Node:         16.20.10.3
    Sessions:        1                 Current Port:         23
                                       Current Source Port:  1024

    Input XOFFed:    No                Output Signals:       DTR RTS
    Output XOFFed:   No                Input Signals:        None

    Local> SHOW SESSIONS ALL

    Port 3:  Session Mode  Current Session: Session 1
    - Session 1: Connected  TELNET  16.20.10.3 (23)  16.20.48.1 (1024)

    Local>

Note that the SHOW PORT STATUS command now displays a new field, Current Source Port:, which in the example is set to 1024. This is the local TCP port used by the Telnet connection. In the SHOW SESSIONS ALL display both the local IP address and local TCP port are displayed. The IP address is 16.20.48.151 and the local TCP port is again 1024. The new fields are only displayed for Telnet client and server sessions.

3.0.4 Telnet Remote Console Not Accessible

This version of software corrects several problems which would cause the remote console to become inaccessible via Telnet.

3.0.5 TCP Port Numbers Restricted on Client Connections

This version of software corrects a problem which caused Telnet connect requests to be limited by the number of TCP listeners supported on the server. For example, users on an 8 port server could only connect to a Telnet host using TCP ports 23 or 2001 through 2008.

3.1 Corrections for LAT problems

3.1.1 SHOW QUEUE PORT n Displayed Incorrect Information

The command, SHOW QUEUE PORT n, did not work for 32 port servers on any versions of DNAS starting with version 1.0.
Instead of displaying the LAT requests queued for port n the command would either display nothing or it would display requests queued for a different port.

3.1.2 Session Couldn't Reset Flow Control

This release corrects a problem which prevented LAT sessions from restoring the port's input and output flow control modes following a session switch. For example if a user had an active Telnet and a dormant LAT session and the Telnet host disabled output flow, switching to the LAT session would not restore the session's flow control state. As a result LAT data would start to overrun the terminal's input buffer causing odd characters to be displayed on the screen. This problem was common to all versions of DNAS.

3.1.3 Force XON Not Supported

LAT provides a force XON capability which allows a host to force the access server to resume output on a port in the XOFF state. This release adds the support for this feature under the following conditions.

o The port is configured for XON/XOFF flow control.

o The targeted session is active.

It's important to note that the Force XON feature will clear the output flow control state and set it to enabled. The previous state of output flow control will be lost.

3.1.4 LAT Node Selection

This version of software corrects a problem whereby the server would not select the next highest rated node when a service was offered on multiple nodes and the highest rated node rejected the connect request for a reason other than password failure.

3.2 Console Redirect Problem

This version of software corrects a problem which prevented the DS900 servers from responding to a console redirect when installed in slot 1 of a DEChub 900. Prior to this version of software the console redirect command would cause console data to be redirected to asynchronous port 1 of the server instead of the console port of the HUB.

4 Changes Specific to the OpenVMS ECO Kit

4.1 DSV$CONFIGURE.COM

DSV$CONFIGURE.COM is a DCL script supplied in the OpenVMS kit.
It facilitates the maintenance of DECservers in the DECnet database by converting simple add, delete, and modify commands into the appropriate NCP or NCL commands which it then adds to DSV$SERVER_DEFINE.COM.

DSV$SERVER_DEFINE.COM is a DCL script normally invoked at system startup time to refresh the DECnet database with the node information generated via DSV$CONFIGURE. A version of DSV$SERVER_DEFINE created on a system running DECnet Phase 4 will not work on a system running DECnet OSI since one system uses NCP and the other uses NCL.

The version of DSV$CONFIGURE.COM included with this ECO kit will verify that DSV$SERVER_DEFINE.COM is compatible with the version of DECnet currently being used by the operating system. If the check fails a sequence of messages similar to the following example will be displayed.

    %DSV-W-NCPCMD, SYS$MANAGER:DSV$SERVER_DEFINE.COM contains NCL commands but the current version of DECnet requires NCP
    %DSV-W-RENAME, SYS$MANAGER:DSV$SERVER_DEFINE.COM has been renamed to SYS$MANAGER:DSV$SERVER_DEFINE.COM_NCL.

As the messages indicate, DSV$SERVER_DEFINE.COM was not compatible with the version of DECnet currently in use. Since it's not valid, old versions will be purged and the current version will be renamed to DSV$SERVER_DEFINE.COM_NCL. A new version of the file will be created the first time DSV$CONFIGURE.COM is used to add a node.

4.2 TSM$NA_V20_GET_CHAR.COM

The new version of TSM$NA_V20_GET_CHAR.COM supplied in the OpenVMS ECO kit corrects problems which prevented the script from restoring the saved values of the:

o Telnet client terminal type

o Telnet server PPP hot key

o Telnet server SLIP hot key

o dialer services

o dialer scripts
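
As an added illustration of the tracing that section 3.0.3 makes possible (this is not DNAS or Digital code), the following Python sketch parses a SHOW SESSIONS ALL display and maps a connection seen on a host back to an access server port. The sample layout is reconstructed from the example in section 3.0.3; the port 5 entries, the LAT session line and all function names are constructed for the example.

```python
import re
from typing import List, NamedTuple, Optional


class TelnetSession(NamedTuple):
    server_port: int   # physical port number on the access server
    session: int
    state: str
    remote_addr: str   # Telnet host the port is connected to
    remote_port: int
    local_addr: str    # access server's own IP address
    local_port: int    # local TCP port ("Current Source Port")


PORT_RE = re.compile(r"^\s*Port\s+(\d+):")
# Only Telnet sessions carry the two "address (port)" pairs.
SESSION_RE = re.compile(
    r"^\s*-\s*Session\s+(\d+):\s+(\S+)\s+TELNET\s+"
    r"(\d+(?:\.\d+){3})\s+\((\d+)\)\s+(\d+(?:\.\d+){3})\s+\((\d+)\)\s*$"
)

# Constructed sample: port 3 follows the display in section 3.0.3,
# port 5 and its LAT line are invented to exercise the parser.
SAMPLE = """\
Local> SHOW SESSIONS ALL
Port 3:  Session Mode  Current Session: Session 1
- Session 1: Connected  TELNET  16.20.10.3 (23)  16.20.48.1 (1024)
Port 5:  Session Mode  Current Session: Session 2
- Session 1: Connected  LAT  EXAMPLE_SERVICE
- Session 2: Connected  TELNET  16.20.10.3 (23)  16.20.48.1 (1025)
Local>
"""


def parse_show_sessions(text: str) -> List[TelnetSession]:
    """Return every Telnet session in the display, tagged with its port."""
    sessions, current_port = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current_port = int(m.group(1))
            continue
        m = SESSION_RE.match(line)
        if m and current_port is not None:
            sessions.append(TelnetSession(
                current_port, int(m[1]), m[2], m[3], int(m[4]), m[5], int(m[6])))
    return sessions


def trace_to_server_port(sessions: List[TelnetSession], host_addr: str,
                         host_port: int, peer_addr: str,
                         peer_port: int) -> Optional[int]:
    """Map a connection as the host sees it (its own address and port, plus
    the peer address and port) to an access server port. The full 4-tuple
    is compared, because a source port alone is not unique across servers."""
    hits = [s for s in sessions
            if (s.remote_addr, s.remote_port, s.local_addr, s.local_port)
            == (host_addr, host_port, peer_addr, peer_port)]
    return hits[0].server_port if len(hits) == 1 else None


if __name__ == "__main__":
    found = parse_show_sessions(SAMPLE)
    print(trace_to_server_port(found, "16.20.10.3", 23, "16.20.48.1", 1024))
```
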