Barracuda NextGen Firewall X

Where can I find more information about the design limitations of the NG Firewall 5.0.0 regarding software and hardware?

  • Type: Knowledgebase
  • Date changed: 3 years ago

Solution #00004953

This solution applies to the Barracuda NG Firewall, firmware versions 5.0.x, 5.2.x.

DHCP Setting Stored Within CC/MC Repository Disrupts Migration

The migration to 5.0 will fail if the Repository on a Control Center or a management centre contains an applied configuration node for the DHCP Enterprise Configuration in which the Subnet Type is set to local and an existing local subnet was selected in the dropdown below it.
Please note that no specific error message is generated that would point to this issue. The migration process just fails.
In case of a failed migration, Barracuda Networks recommends verifying the described condition and, if it applies, reconfiguring the setting in question: change the Subnet Type to Explicit, enter the subnet settings manually, and store this into the Repository before restarting the migration process.

Arbitrary x86 Compatible Hardware Not Supported

Updating arbitrary x86 compatible hardware is not supported with this firmware and is therefore prohibited by default. If you still want to update x86 compatible hardware, this can be overridden: execute the command touch /opt/phion/run/forceupdate via SSH or remote execution before executing the firmware update.

Temporary Configuration Migration on Ranges or Clusters Below 5.0

When updating an MC/CC-managed box to 5.0 while the range or cluster is still below 5.0, the configuration data of the box will be temporarily migrated. Emergency override is not possible during this migration process, as the 5.0 configuration data cannot be handled on the box as long as the migration process for the whole cluster or range has not been finished.

No Support of Token Ring and FDDI

Support for Token Ring and FDDI cards is not available.

ReiserFS Not Supported Anymore

As ReiserFS is not supported anymore, ReiserFS partitions will cause the update to fail, generating an appropriate error message.

HA Sync Not Possible below 4.2.11

Firewall sync in an HA cluster with one box running 4.2 and the other box running Barracuda NG Firewall 5.0 does not work if the 4.2 box is running release version 4.2.10 or below. Firewall sync requires that the HA partners are running 4.2.11 or higher.

Additional Reboot Necessary in Flash Drive Mode

If Flash Drive mode is forced within the System settings, then the system must be rebooted after an upgrade to Barracuda NG Firewall 5.0 or after installing the box using a PAR file.

Custom Flash Drive Mode not supported during update

If Flash Drive mode is forced within the System settings and / or with Box Properties Storage Architecture although the hardware is not flash hardware, the update will fail with "File not found". Temporarily configure the appliance to "Hard Disk" and set "Force Flash" to no, and the update will work. The configuration can be set back to flash-based afterwards.

Alternative Driver for Donald Becker Intel 100Mbps Cards Not Supported

The alternative driver for the Intel 100Mbps cards from Donald Becker ("Intel EtherExpressPro/100 (DB)" or "eepro100") is not supported by Barracuda NG Firewall 5.0. Please replace this driver with the "Intel Pro/100" driver manually before updating or reinstalling Barracuda NG Firewall 5.0.

Control Center 5.0 Can Only Manage Barracuda NGF Boxes Running 5.0

Support for Barracuda Network Appliances on a Control Center running firmware 5.0 is only available if the respective boxes are running firmware 5.0 and the cluster configuration on the CC was migrated to firmware version 5.0 as well.

VPN Site-2-Site Rekeying may Overload Tunnel on Virtual Appliances

Excessive rekeying for VPN site-2-site may lead to tunnel teardown in VMWare setups. Reduce the rekeying interval if this happens on your VMWare installation.

No Stream Compression in Virtual Appliance HA Setups

Stream compression may not be used in a VMWare HA setup, having both VPN boxes on the same VMWare host.

SSH Client within Barracuda NG Admin May Set Wrong Terminal Size

On initial connect, the SSH client within Barracuda NG Admin occasionally sets the terminal size to an incorrect value. Subsequently, full screen applications like vi or top may be displayed incorrectly.

Authentication Client Offline Sync May Fail After Update

Authentication client offline synchronization, formerly phibs offline synchronization, with an Active Directory may fail after updating the system to firmware 5.0.0. This occurs on slow network connections, resulting in a connect timeout to the specified servers. On the next try, the synchronization process can usually be completed successfully.

PAR Setup of WiFi Box Requires Additional Step

Setting up a WiFi box using a PAR file (recovery) requires a dummy change of the WiFi module and subsequently a network activation in order to get WiFi up and running.

64bit Barracuda NG Admin May Display Negative Time Values

Barracuda NG Admin may display certain time values as negative values on 64bit platforms. This may occur within the firewall status, firewall history or VPN status UIs and usually happens if firewall or VPN sessions are older than 24 days. It does not affect Barracuda NG Firewall operation by any means. This visualization issue will be fixed with a future firmware update.

Disconnecting in NG Admin Audit GUI Breaks All NG Admin Connections

Pressing Disconnect within the Firewall Audit GUI causes all Barracuda NG Admin connections to disconnect. Barracuda NG Admin has to be restarted in order to reestablish the connections. This will be fixed with a future firmware update.

No VMWare Tools on Virtual Appliances

VMWare tools can not be installed within the virtual machines of the virtual appliances. This issue will be fixed with the upcoming patch to Barracuda NG Firewall 5.0.

VMWare Network Drivers Setting

VMware emulates different network cards depending on VMware's Guest Operating System setting. If you select Other Linux (32-bit), the network drivers in NGF must be set to AMD PCnet32. If you select Other Linux (64-bit), the network drivers in NGF must be set to Intel Pro/1000 PCI and PCI-X.

Active Recovery Technology (ART)

ART is slated to be a replacement for the existing SDR technology that was available on some appliances. Please note that, unlike SDR, ART does not write an installation log onto the USB thumb drive during USB thumb drive installation.
On flash-only boxes, such as nf-edge, nf-sintegra XS, F10, F100, or F101, clicking Control -> Box -> Save current Config for ART will generate an error message saying No ART available on this box.
ART is in fact available on flash-based appliances; however, it is not possible to save the current configuration.

On appliances with LCD display it is intentionally not possible to save and load a PAR file. This function was provided by third-party SDR technology before the 5.0 release on some appliances.

ART Not Supported on C610

Active Recovery Technology (ART) is not available on the C610 Control Center Appliance.

No LED Support on C610 and nf-780

The C610 and nf-780 appliances do not have LED support to visualize the appliance status.

Erroneous BIOS in Certain Hewlett-Packard Servers

Certain servers by Hewlett-Packard are equipped with an erroneous BIOS. Therefore, they require a special boot parameter. If the installation of Barracuda NG Firewall 5.0 on an HP server fails, then use the following kernel parameter: intel_iommu=off

CPUs Not Supporting TSC and MOV Not Supported

Barracuda NG Firewall 5.0 will only install on hardware based on i686 compatible CPUs supporting the TSC and MOV instructions. Any attempt to install or update on a system with older CPUs will exit with an error. Type rpm -q kernel --qf %{ARCH}\\n within the shell in order to find out which kernel is present.
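
A pre-update check for three of the blockers in this article (ReiserFS partitions, the eepro100 driver, CPU support), as an added example that is not Barracuda's own tooling. It assumes a standard Linux /proc layout and that the article's "TSC and MOV" correspond to the cpuinfo flags tsc and cmov; the sample files are constructed.

```shell
#!/bin/sh
# Added example: pre-update check for three blockers listed in this article.
# Each function reads a file in /proc format; the path is an argument so the
# checks can also be run against a copy saved from another box.

# ReiserFS partitions make the update fail: list mount points of type reiserfs.
reiserfs_mounts() {
    awk '$3 == "reiserfs" { print $2 }' "${1:-/proc/mounts}"
}

# The Donald Becker driver is the eepro100 kernel module; succeeds if loaded.
eepro100_loaded() {
    awk '$1 == "eepro100" { found = 1 } END { exit !found }' "${1:-/proc/modules}"
}

# Succeeds only if the CPU "flags" line lists every required flag.
# Assumption: the article's "TSC and MOV" map to the cpuinfo flags tsc and cmov.
cpu_has_flags() {
    cpuinfo=$1; shift
    for flag in "$@"; do
        awk -v f="$flag" '/^flags/ { for (i = 3; i <= NF; i++) if ($i == f) ok = 1 }
                          END { exit !ok }' "$cpuinfo" || return 1
    done
}

# Run all checks, print one line per blocker, return the number of blockers.
preflight() {
    mounts=$1; modules=$2; cpuinfo=$3; blockers=0
    for mp in $(reiserfs_mounts "$mounts"); do
        echo "BLOCKER: ReiserFS partition mounted at $mp"
        blockers=$((blockers + 1))
    done
    if eepro100_loaded "$modules"; then
        echo "BLOCKER: eepro100 driver loaded, switch to Intel Pro/100 first"
        blockers=$((blockers + 1))
    fi
    if ! cpu_has_flags "$cpuinfo" tsc cmov; then
        echo "BLOCKER: CPU lacks tsc and/or cmov"
        blockers=$((blockers + 1))
    fi
    return "$blockers"
}

# Constructed sample data standing in for a legacy box (not real output).
sample_dir=$(mktemp -d)
printf '%s\n' '/dev/sda1 / ext3 rw 0 0' \
              '/dev/sda3 /data reiserfs rw 0 0' > "$sample_dir/mounts"
printf '%s\n' 'eepro100 28000 0 - Live 0xf8a00000' \
              'mii 5000 1 eepro100, Live 0xf89f0000' > "$sample_dir/modules"
printf '%s\n' 'model name : Pentium MMX' \
              'flags : fpu vme de pse tsc msr mce cx8 mmx' > "$sample_dir/cpuinfo"

preflight "$sample_dir/mounts" "$sample_dir/modules" "$sample_dir/cpuinfo" \
    || echo "blockers found: $?"
```

On a live box, call preflight with /proc/mounts, /proc/modules and /proc/cpuinfo; a return value of 0 means none of these three conditions was found.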

Irrelevant Error Message on Systems with Floppy Controller

Installation on systems with an integrated floppy controller may take longer. Furthermore, on such systems the log entry I/O read error on fd0 will be logged. The same error will be logged on every kernel or initrd update. This error results from the device mapping detection and can safely be ignored.

Crypto Accelerator Cards Not Supported

Barracuda NG Firewall 5.0 provides higher VPN throughput without accelerator cards. Therefore, crypto accelerator cards from Broadcom or Hifn are not supported anymore.

S.M.A.R.T. Monitoring Not Supported on 3ware RAID Controllers

S.M.A.R.T. monitoring does currently not work on 3ware RAID controllers. This affects L2000 and C610 appliances.

GTI repository is not updated on moving of a VPN Service

When moving or deleting a VPN service, perform the following steps to prevent an inconsistency in the range/cluster VPN GTI Editor. Open the VPN GTI Editor, then:
-> right click the according VPN service (lower section) and choose Delete VPN Service from Group
-> right click the Group the service belongs to (upper section), and choose Delete VPN Service from GTI-Editor...

timer handler process consumes an increasing amount of memory

In certain cases the timer handler process starts to consume an increasing amount of memory if the box has a long period of uptime.

trans7 process consumes an increasing amount of RAM with enabled Resolve IP Addresses in History

If the parameter "Resolve IP Addresses in History" is enabled, the trans7 process consumes an increasing amount of RAM. Disabling this parameter frees the allocated memory immediately.

Resolve Access Cache IPs may cause a crash of the Timer Handler

In certain cases the activation of Resolve Access Cache IPs causes a crash of the Timer Handler if IP addresses are not DNS resolvable.

DNS objects are selectable in a redirect rule as "target list"

DNS objects are selectable in a redirect rule as "target list" although the firewall engine is not designed to use DNS objects in this field.

network objects with more than 1 IP are selectable in a redirect rule as "target list"

Network objects with more than 1 IP are selectable in a redirect rule as "target list" although the firewall engine is not designed to use network objects like these in this field.

"auto remediation" does not work for "Symantec Endpoint Protection"

Under certain circumstances, it may happen that the NG Access health agent does not change into "healthy" state due to erroneous auto remediation within anti-virus software installed on the client. Up to now, this has been experienced on machines having Symantec Endpoint Protection installed.

entegra client cannot verify Symantec engine 10.x

The NG Access client is not able to correctly recognize the Symantec virus scanning engine version 10.

vpn.exe crashes with a runtime error if hardcopy is installed and runs.

vpn.exe crashes with a runtime error if hardcopy is installed and runs. Close hardcopy before using the vpn-client.

Real Time Protection of Trend Micro Office Client 8.0 cannot be verified

In combination with Trend Micro Office Scan, the entegra health agent does not change into "healthy" state at once due to erroneous auto remediation. Instead, the client will stay in "unhealthy" state until entegra starts a manual validation.

Installation of Barracuda NG Access client on Vista x32/x64 might fail and result in a rollback

Installation of the Barracuda NG Access client on Microsoft Windows Vista x32 / x64 might fail and result in a rollback. Analysis shows that 6to4svc.dll (a Microsoft service providing IPv6 connectivity over IPv4 network) is responsible. The service locks an interface, which is required for networking and installation, causing the installation routine to fail. Based on our research and experience, this can be solved by:
- deactivating the network adapter during installation
- rebooting the system

NG Access Client Update Issue: R7 without Firewall -> no firewall with NG Access Client 2.0 possible

When removing a VPN-Client R7 without installed firewall module and subsequently performing a fresh installation of any release of entegra 2.0 on the same machine (not updating from R7 to entegra 2.0!), it may happen that NG Access Client 2.0 will erroneously be installed without the firewall module, even if FW_NOTINSTALL=0 was set.
Workaround: delete the following registry-key after uninstalling VPN-Client R7: HKEY_USERS\.DEFAULT\Software\Phion\phionvpn\settings

Polling a Switch causes subsequently logged Error "SNMP: Unknown engine ID ("

In the configuration setting "Box > Infrastructure Services > Control > SNMP Switch Discovery" a list of switches to be polled by the NG Firewall control service can be configured. The switch information regarding active switch ports, assigned MAC addresses and VLAN ids are then displayed in the Control box service. This configuration is solely used for visualization and troubleshooting and is not required for NG Firewall operation.
When using SNMPv3 for polling the switch information, some switches reply with the following SNMPv3 error message: " Error +0000 Switch <IP> <IP>: SNMP: Unknown engine ID ("
This error is subsequently logged in the NG Firewall snmp log file. At the moment the only solution if this error occurs is to use SNMPv2 for switch polling.

mailgateway recognizes attachments-mime-type wrong

Mailgateway may incorrectly recognize the MIME type of attached files and therefore wrongly cut these attachments. To prevent this, disable "Automatically detect MIME type" in "Advanced attachment options".

Viewing large statistics may lead to a significant system slowdown due to high RAM usage

Viewing large statistics (i.e. firewall-statistics) may in certain cases lead to a significant system slowdown due to high RAM usage on appliances with less than 2 GB of RAM. It is even possible that a box crashes while trying to process such a statistics file, making it necessary to reboot. This issue especially affects hardware with less RAM (256MB to 1GB - i.e. sintegra XS, netfence S and netfence SR).
Note: If a box significantly slows down during usage of the statistics viewer, phion recommends waiting, as in most cases the memory is freed again after a while. You may also consider a RAM upgrade, which might be an option with XS and S appliances.

SKYPE over the Secure Web Proxy causes more and more firewall sessions in LOC-CLOSE-WAIT status

When handling SKYPE traffic over the Secure Web Proxy service, more and more firewall sessions remain in the LOC-CLOSE-WAIT status, so the box load increases and the Secure Web Proxy service may no longer be able to provide its functionality. This happens because of SKYPE's unusual way of forming secure connections. Our engineers have been working to find a solution to this problem; however, as of now, none exists.

broadcast address is not deleted after soft network activation

When reconfiguring a network IP address from one subnet into another and then performing a Soft Activate, the old subnet's broadcast IP address is erroneously kept within the routing table. It is necessary to either delete this broadcast address through the CLI or to perform a standard Activate. Barracuda recommends, as a workaround, to use the standard Activate instead of Soft Activate when moving subnets.

WLAN Access Point service is not selectable as Software Module on a netfence SR appliance

On a phion netfence SR appliance the Software Module "WLAN Access Point" does not appear in the "Software Module" dropdown list of the service creation wizard.
The WLAN Access Point service can be introduced by selecting the "other" checkbox, followed by a manual input of "wlan" into the Software Module field.

Box must be joined again to domain after update from versions below 4.2.10 to 4.2.10 or higher

After updating from versions below 4.2.10 (4.2.7 and lower) to NG Firewall 4.2.10 or higher, the NG Firewall must be joined again to the Windows domain in order to get a working MS-CHAP environment on this box.

External Boxes in control center: untrusted status is logged

Under certain circumstances, external boxes are displayed in "green" state within a control center's configuration tree even if the public key configured on the control center differs from the one on the box.

Emergency Override error at Site-to-Site VPN

Under certain circumstances, an admin user with permissions restricted to Client-to-Site and Site-to-Site configurations within the VPN-Server may experience an "Emergency Override" popup message (usually only seen when changing configuration parameters directly on a CC-administered box) when performing changes within the Client-to-Site or Site-to-Site configuration in the VPN-Server settings, followed by pressing "Send Changes" and then "Unlock". However, after clicking "No" within the popup, it is nevertheless possible to perform and save the changes in question.

ike generates wrong logentries in vpn-log and access-cache

Under certain circumstances, a configuration error may be written to the VPN server log showing an erroneous peer IP, which complicates troubleshooting. The issue appears within star-shaped network topologies including at least one hub and two BOBs. If one of the BOBs requests or configures a network that is already correctly configured on the other BOB(s) and on the hub, the requesting BOB logs the other BOB's IP as peer address. To avoid this problem, check for correctly configured networks and avoid duplicate networks. When encountering the issue, keep in mind that the appropriate log files on the erroneously logged peer may contain solution hints.

VPN-server password is not synced on single-box-HA-systems

When changing a user's VPN-connectpassword within ngadmin, this password change will be synched to the connected HA box. Contrary to this, a password change performed within the NG Access VPN client will not be synched to the HA box, no matter if it was performed on the primary or on the secondary box. Currently there is no fix for this issue; hence Barracuda recommends changing passwords only through ngadmin.

NTP daemon cannot create a temporary file due to insufficient permissions

In rare cases, the NTP daemon cannot create a temporary file due to insufficient permissions. In that case, the following Error is logged to the NTP log:

Error ntpd[6374]: can't open /var/phion/run/bntp/ntp.drift.TEMP: Permission denied

You can set the permissions manually by executing "chown ntp /var/phion/run/bntp/", which fixes the problem. This error will be fixed in the next maintenance release.

Cluster migration failure of nodes linked to a repository which were changed with "Override Link Data"

If the configuration data of a node that has been linked from the Repository has been changed with the "Override Link Data" feature in the CC, migrating the cluster will destroy the configuration. To prevent this, the override has to be removed (with "Unoverride Entry") prior to migration; the migration will then treat the configuration correctly. This error will be fixed in one of the next maintenance releases.

No support for some D-Link cards

D-Link network interface cards listed below are not supported any more:

  • D-Link DFE-550TX FAST Ethernet 10/100 Adapter
  • D-Link DFE-580TX 4 Port Server Adapter
  • D-Link DL10050 based 10/100 Adapter
  • Sundance ST201 based PCI Fast Ethernet
  • D-Link DFE-550FX FAST Ethernet 10/100 Adapter

Link Activation issue with some phion legacy appliances

Before migrating the appliances listed below to 5.0.x or 5.2.x, the autonegotiation parameter in the network interface configuration section must be set to "on". The respective switches must also have autonegotiation enabled, otherwise the links will not be activated.

HG-S6, HG-S10, HG-S16, NF-240, NF-Cash, MR