Release Notes
for OpenROUTE 5.5

These release notes are for OpenROUTE 5.5 software. They cover the following topics:

New Software Features

Known Deficiencies, Limitations, and/or Clarifications

New Software Features

This section introduces the following new software features in OpenROUTE 5.5.

Real-Time Transport Protocol Header Compression over PPP

Beginning with OpenROUTE software release 5.5, Nx Networks routers support Real-time Transport Protocol (RTP) header compression over PPP connections. As specified in RFC 2508, Compressing IP/UDP/RTP headers for Low-Speed Serial Links, the implementation on Nx Networks' routers combines compression of IP, UDP, and RTP headers on a link-by-link basis. To support RTP header compression, the router's Internet Protocol Control Protocol (IPCP) header format is expanded to include configuration parameters for IP compression as specified in RFC 2509, IP Header Compression over PPP.

Login via Telnet with RADIUS Authentication

GTSecure can now log a user into a Nx Networks router via Telnet session after RADIUS (Remote Authentication Dial-In User Service) has authenticated the user. RADIUS is a security system that uses a client-server approach to authenticate remote users.

Support for 3000 Series D Secure Gateway Router with Digital Voice System

In OpenROUTE 5.5, the 3000 Series D supports data routing, as well as up to four digital voice modules. The digital voice system is a set of features for transport of voice traffic over interfaces on the optional digital voice cards installed in a 3000 Series D chassis. OpenROUTE Release 5.5 or later is required to support the 3000 Series D Digital Voice Subsystem Release 01.01.00.

Known Deficiencies, Limitations, and/or Clarifications

This section describes known deficiencies in OpenROUTE 5.5 and indicates limitations with the software.

General

GT 60 and 70 Series and routers do not have a time of day clock chip with battery backup. For time to be meaningful, you have to get the time from a nearby host or manually set the time whenever you restart the router. Use the time commands at the Config> prompt for these operations. Enter time set at restarts or set up the time configuration to poll a nearby host.

Certificate Management

Certificates with GT60 Routers

 When GT60 routers are set up to retrieve the time from a host when you restart the router, CA certificates do not appear in listings until the GT60 receives the correct time from the host. It can take as long as three minutes before the GT60 displays CA certificates. During this time, you also see the following ELS message:

15:27:21 CERT.009: faild to insert CA CERT into cache due to 'Certificate not valid yet'
Nx Networks recommends that you wait at least 30 seconds after restarting the router before entering the list ca command. Entering list ca immediately after restarting the router can further delay the time the GT60 takes to display CA certificates.

Long Certificate Chains

The certificate management feature now allows you to configure long certificate chains. Depending on the size of the individual certificates, the size of the IKE packet may exceed the size of the router's global buffers. If this occurs, an ELS message will display the current buffer size and the size needed. An example of this ELS message is:

00:10:21  IKE.079: fld to send 5804 bytes to 162.1.1.5 on 162.1.1.1; pkt size > I/O buf size 2304
If you see this message, configure a larger packet size as follows:

1. To set the packet size on the local router so that it is larger than the size IKE is trying to send, use the Config>set PACKET-SIZE command. In this example, the IKE packet size is 5804, so 6000 or 6500 would be a good packet size.

2. If the remote router is a Nx Networks router, run the same Config>set PACKET-SIZE command. If the remote router is another vendor, configure the router to be able to handle a reassembled packet of at least the size of the IKE packet (5804 for this example).

3000 Series Secure Gateway Router

 In OpenROUTE 5.5, the 3000 Series supports data routing, as well as an optional analog voice module that provides up to four analog voice lines.

CAUTION:
The voice ports on the analog voice module have
RJ-45 (8-pin) interfaces.
Inserting an RJ-11 (4-pin) connector into an RJ-45 port can damage the pins in the port.

Using an RJ-11 connector in the voice ports voids the warranty of the analog voice module.

Analog Voice

Using NAT With Voice

 To run voice traffic and NAT over the Internet, you must assign a public IP address for the voice module, and that address must be visible to the Internet. You cannot hide the address behind a firewall.

To do this, you set up a fixed address mapping for the voice module so that NAT does not translate the voice IP address. You need to assign the same address as the public outside address and the private inside address. This address must also be on the same subnet as the Internet connection.

The following example shows how to set up a fixed address mapping, where 128.185.2.2 is the IP address of the voice module. 

*config
Config>PROTOCOL ip
Internet protocol user configuration
IP config>nat
Network Address Translation Configuration
NAT Config>add FIXED-IP-MAPPINGS
Interface number [1]? 3
Public outside address [0.0.0.0]? 128.185.2.2
Mask [255.255.255.255]?
Private inside address [0.0.0.0]? 128.185.2.2
The IP address of the voice module must also be different from the NAT global IP address for this no-translation to work. If they are the same, explicitly configure the NAT global IP address to be the public IP address of the Internet interface, and do not let the router automatically choose the NAT global IP address.

To check the global IP address that NAT is using, enter list nat at the NAT monitoring prompt. 

*monitor
+PROTOCOL IP
IP>nat
Network Address Translation Console         
NAT>LIST NAT-INTERFACE
Interface number [1]?
NAT Enabled on interface 1
  Address is:     128.185.2.1       Service Table Used:  Global
  Current # entries: 0
  Maximum # entries: 500            Global ageout:       1800 secs
  TCP ageout (secs): 9000           TCP closed ageout:   30 secs
To explicitly set the global IP address of the NAT interface, use the following command. 

NAT Config>SET NAT-INTERFACE IP-ADDRESS
Interface number [1]?
NAT IP address (0.0.0.0 = use automatic default) [0.0.0.0]? 128.185.2.1
Note: You cannot use unnumbered IP on a NAT interface.

DHCP Client

GTX Series

Before you install a new module in your GTX Series router, be sure that you have the appropriate router software. Router software OpenROUTE 5.5 supports the GTX1500 and GTX1000T platforms and the following modules:

Expandable Memory

The GTX Series User Guide incorrectly lists the expandable memory available for the GTX Series.

The available memory upgrade modules are 8, 16, 32, and 64 MB. Therefore, you can upgrade your GTX Series from 8 MB to 16, 24, 40, or 72.

IP Filters

Note the following information about using the isprec-= and prec-= options with the add filter or set filter commands.

IPSec

Interoperability With Cisco 2524 Routers

 When running IPSec over ISDN to a Cisco 2524 router, you need to use just one B-channel.

Also, if you are using manual keys to run IPSec to a Cisco 2524 router, the Cisco console displays "hung task" and "trace" error messages. These errors do not affect operation of IPSec.

Blowfish and IPCOMP Algorithms

The OpenROUTE 5.0 and later implementations of the IPSec algorithms Blowfish and IPCOMP are not interoperable with OpenROUTE 4.0 versions of OpenROUTE IPSec software. To run the Blowfish and IPCOMP algorithms in OpenROUTE 5.5, you need to upgrade your routers from OpenROUTE 4.0 to release 5.0 or higher.

Quick Config and Unnumbered Ethernet

In Quick Config, if you assign the Ethernet interface to be unnumbered (dynamic), you cannot assign the unnumbered Ethernet interface as the default route.

When you get to the end of the IP configuration, Quick Config asks if you want to specify a default route. If you answer yes, Quick Config asks if you want to use an unnumbered or dynamic interface. If you answer yes and select a non-PPP interface, Quick Config tells you that you must use an unnumbered PPP interface, and gives the example of Interface #0 (the Ethernet) as an unnumbered PPP interface.

To work around this problem, answer no when Quick Config asks if you want to specify a default route. When you finish running Quick Config, go to the IP Config> prompt and use the add route command to set up the default route.

QuickWeb

QuickWeb allows you to add user accounts that use the challenge/response method of authentication. However, you cannot log into QuickWeb using a challenge/response. You can log into this type of account only at a CLI prompt. You can access the CLI from QuickWeb by clicking the CLI via Telnet button.

SDSL Module

At slower SDSL line speeds (160Kbps and 208Kbps), it can take several minutes for the SDSL module to come up and be available for data traffic. SDSL DSLAMs can take several minutes to begin the speed training process with the SDSL module. Once the speed training is complete, the activation process can take an additional two minutes before the interface is declared as Up. This is an inherent characteristic of the SDSL technology being deployed.

Because of the length of activation time, if the cable to the SDSL module is pulled during the activation process, it can take up to two minutes for the router to detect the pulled cable and drop out of the activation. If the DSLAM reissues its activation sequence before the SDSL module has dropped out, the SDSL module misses the activation sequence, and must wait for the DSLAM to issue its next activation sequence.

Due to the longer certificate chain, the amount of time required to compute the authentication signature will also increase. We recommend in these cases that you increment the default IKE retransmission timer from 12 to 1200.

Example: GTX-25: IPSec Config> list global 

IPSEC Globals:
--------------
 IKE Retransmission timer (in seconds)          : 12
 IKE Maximum Retransmissions                   : 4
 IPSec Phase2 SA inactivity timer (in seconds) : 60
 My ID type: IP-Address


GTX-25: IPSec Config> set global ike_retransmission_timer = 1200

Release Notes for
3000D Digital Voice r01.01.00

These release notes are for 3000D Digital Voice r01.01.00. OpenROUTE 5.5 or later is required to support digital voice. The notes cover the following topics:

New Software Features

Known Deficiencies, Limitations, and/or Clarifications

New Software Features

This section introduces the following new software features in Digital Voice r01.01.00.

Auto-Recovery of Voice Card Subsystem Following a Task Crash

The voice card subsystem resets itself following a task crash. This allows the voice card to recover from fatal conditions and allows it to continue operation with little or no administrative intervention. The subsystem keeps a crash log detailing its state prior to the crash, allowing postmortem diagnostics.

The Voice Card Auto-Recovery Mechanism allows the voice card to detect a variety of fatal exceptions and initiate a graceful shutdown and restart. This mechanism makes the voice card subsystem more robust in a stand-alone environment by automatically handling conditions that would otherwise require operator intervention. Auto-recovery on the 3000D consists of two separate mechanisms: detection of exceptional conditions and automatic recovery following the occurrence of exceptional conditions.

Detection of Exceptional Conditions

The master and slave processors on the voice card can detect processor exceptions and signals. In most cases, events that cause the voice card to crash also cause an exception or signal to be generated. Each processor on a voice card can trap these events, capture a stack trace to track what state the offending task was in just prior to the crash, and store this information to flash memory for later retrieval. This will assist in determining the root cause of the error condition.

Automatic Recovery Following the Occurrence of Exceptional Conditions

During normal operation, the master and slave processors send a "heartbeat" message to the router card at regular intervals. If the router card does not receive a heartbeat message from either master or slave processor within an allowed time period, it puts the voice card into reset. Once an exceptional condition has been detected and logged, the processor in question initiates a full voice card reboot sequence simply by terminating its heartbeat.

Note: Only a single crash occurrence can be logged by each processor. Work is in progress to extend the number of records stored by each processor. If multiple crashes occur in between deletions of the crash log, only information about the first crash will be logged. This is done deliberately so that if the voice card becomes locked into a "crash loop" (repeated crashes) then the circumstances of the original crash may be examined and a root cause determined. It is important to clear the crash log anytime a crash has occurred to prevent the loss of information about subsequent crashes.

Crash Log Commands

 Two new commands in the system menu are associated with the logging portion of the Auto-Recovery mechanism; they are detailed below.

display_crash_log <subsystem name>
clear_crash_log <subsystem name>

The display_crash_log Command

 This command displays the information that the specified subsystem has logged to flash memory following the occurrence of an exception or signal. The crash log contains information about the state of the processor at the moment of the crash, including the contents of the processor's registers and a stack trace for the task in which the exception occurred.

Syntax: display_crash_log <subsystem name>

subsystem name The name of the interface for which the crash log is to be displayed.

Here is an example crash log:

Got an exception(0x200).

MON FEB 05 16:06:48 2001

The register values:
gpr[0x0] = 0xf0000000
gpr[0x1] = 0x1831848
gpr[0x2] = 0x0
gpr[0x3] = 0x16
gpr[0x4] = 0xa266c0
gpr[0x5] = 0x16
gpr[0x6] = 0x1
gpr[0x7] = 0x0
gpr[0x8] = 0x0
gpr[0x9] = 0x1ff7c90
gpr[0xa] = 0x1ff8138
gpr[0xb] = 0x880000
gpr[0xc] = 0x0
gpr[0xd] = 0x0
gpr[0xe] = 0x0
gpr[0xf] = 0x0
gpr[0x10] = 0x0
gpr[0x11] = 0x0
gpr[0x12] = 0x0
gpr[0x13] = 0x0
gpr[0x14] = 0x0
gpr[0x15] = 0x0
gpr[0x16] = 0x0
gpr[0x17] = 0x0
gpr[0x18] = 0x0
gpr[0x19] = 0x0
gpr[0x1a] = 0x0
gpr[0x1b] = 0x0
gpr[0x1c] = 0x0
gpr[0x1d] = 0x0
gpr[0x1e] = 0x0
gpr[0x1f] = 0xa26048
msr = 0x40009002
lr = 0xa2629c
ctr = 0x0
cr = 0x42000000
xer = 0x0

Stack Trace (bottom to top):
0xa26290
0xa2624c
0xa261c0
0xa26134
0xa260a8
0x4fcc84
The contents of the crash log, the stack trace in particular, will assist engineering in determining the root cause of the problem.

The clear_crash_log Command

This command erases the contents of the crash log from the specified subsystem's flash memory.

Note: A subsystem retains its crash log until it has been cleared using this command. Therefore, once a subsystem crashes, no information about subsequent crashes are logged to flash until the log is cleared.

Syntax: clear_crash_log <subsystem name>
subsystem name The name of the interface for which the crash log is to be cleared.

Enhanced Protocol Tracing

The voice card for the Series 3000D has greatly enhanced protocol tracing capabilities that provide the administrator more in-depth visibility into the voice card's operation. A tracing submenu under the /system menu allows you to trace the internal details of an interface. Each interface (or subsystem) may have one or more components that are traceable. For example, an ISDN interface has Q931, Protocol eXchange (PX), Timeslot (TS), and Answer Supervision (AS) components. In addition, each component may be traced with varying levels of detail, from level 1 (least detail) to level 4 (most detail). All components support all tracing levels. Below are lists of the components that are traceable.

For all telephony interfaces:

For PRI/CAS/RBS (All Telenetworks-based interfaces):

For CAS/RBS (these traces have millisecond timestamps on them because without these the traces are pretty useless):

For H.323, all RADVision "ms" traces are available. Twenty different components may be traced, all only level 1. The most useful are:

Protocol Tracing CLI Summary

 Four commands in the /system tracing menu control protocol tracing.

enable_subsystem <interface name> <component name> <level> 
disable_subsystem <interface name> <component name> 
list
trace 
The syntax of each command is detailed below.

The enable_subsystem Command

This command enables tracing for the specified interface and component at the specified level.

Syntax: enable_subsystem <interface name> <component name> <level>

interface name The name of the interfaceon which the component to be traced exists.

component name The name of the component to be traced. If the component does not exist, the system will not report an error, and the interface and component will appear in the results of a /system tracing list command, but the command will have no effect.

level The level of tracing to be enabled on the specified component. The greater the level of tracing, the more information will be displayed. Acceptable values for level range from 1 to 4 inclusive; any invalid number will be rejected. The CLI will accept a number in the range 1-4 even if the specified component does not support the full range of levels.

The disable_subsystem Command

This command disables tracing for the specified interface and component. If the component for the specified interface had not been previously enabled, the system returns an error message.

Syntax: disable_subsystem <interface name> <component name>

interface name The name of the interface upon which the component that is being traced exists.

component name The name of the of the component that is being traced.

The list Command

This command lists all currently active component traces.

Example: 

nx3000-1] /system tracing > enable_subsystem isdn.1.1 q931 2 


nx3000-1] /system tracing > enable_subsystem isdn.1.1 ts 1 


nx3000-1] /system tracing > enable_subsystem isdn.1.1 tpktchan 1 


nx3000-1] /system tracing > list 


Module Name        Component          Level
---------------    ---------------    ---------------
isdn.1.1           q931               2
isdn.1.1           ts                 1
voip.1.1           tpktchan           1

The trace Command

 This command shows the output from the current traces. All components for which tracing has been enabled display tracing information at whatever level they have been enabled.

New Format for Voice Card Configuration Data

Voice card configuration data is now stored in .INI text file format. This allows configuration data to retain backward and forward compatibility. Currently there is no operational difference between the old and the new formats; the initial implementation contained in this release is mainly an internal structural change. Future releases will make use of this structural change to perform functions such as dumping the current configuration to the CLI or uploading configuration to the voice card from a .INI-formatted file.

Command Line Interface (CLI) Enhancements

Parameter Completion

Most CLI command parameters now auto-complete and are listed below:

Important exceptions to this feature are:

Multi-Line Command Editing

 It is now possible to edit commands that wrap around past 80 columns. All control keys used for command line editing allow the administrator to navigate across multiple display lines as if a command (both the command itself and the system prompt) that is longer than 80 characters occupied a single line.

T1/E1 ISDN Interfaces No Longer Send SETUP_CONF Improperly in Response to SETUP_IND

In previous releases, some ISDN peers send SETUP_CONF in response to SETUP_IND, ahead of ALERTING/PROCEEDING/etc. Since the CHANNEL_ID_IE is carried by whatever message first responds to the SETUP_IND, and since the system was ignoring SETUP_CONF, it was never hooking up a bearer channel in this situation. This release corrects the problem.

Configurable H.323 Maximum Jitter Buffer Size

A new parameter is in the new_config command that lets you set the maximum jitter buffer size as well as the nominal/minimal buffer size.

Syntax: new_config <name> <codec> <frame-size> <suppress-silence?> <min-jutter> <max-jitter>

max-jitter Valid values for the maximum jitter are 1-160. The default value is 160, which is the same default value in prior releases. This allows the jitter buffer to grow up to 160 msec, which is the maximum value allowed by the code.

Note: frame-size and suppress-silence have swapped positions in the command.

Known Deficiencies, Limitations, and/or Clarifications

 This section describes known deficiencies in Digital Voice r01.01.00 and indicates limitations with the software.

Fixes for Problem Tickets

Ticket Priority Description Comments/Status
1583 Minor

 Need to type two <CR>s after entering config to get a new line.

 Complete.

1596 Serious

 Command completion does not work below a certain level in CLI.

 Complete.

1598 Enh.

 CLI insert function doesn't extend beyond end of current line.

 Complete.

1647 Minor

 "MGR-SMC-Queue" exception during startup

Complete.

1664 Enh.

 Bogus error from CLI when editing line longer than one line

 Complete.

1665 Enh.

 Shorten parameter names to improve user friendliness

Most parameters now auto-complete to eliminate the need for the user to key in long or awkward commands; see Parameter Completion for a list of exclusions.

1725
INX003
INX017
INX018 		Critical

Voice card can lock up requiring power cycle

 Complete.

1746
INX020 		Enh.

 Nx3000D needs additional troubleshooting tools

Complete; see Protocol Tracing CLI Summary

1747
INX028 		Enh.

 Capability to fix the jitter buffer size (disable dynamic resizing)

 Can now specify the maximum jitter buffer size. See Configurable H.323 Maximum Jitter Buffer Size.

Omissions from r01.00.02 Release Notes

Clock Source

 It is now possible to specify a T1 or E1 span as a clock source for clock synchronization. The command resides in the /interfaces (t1|e1) menu.

Without argument the command shows the current clock source configured as follows:

Example:

] > /interfaces t1 clock_source Clock
source = system

With a valid T1/E1 interface as an argument, or the word system, the command changes the clock source accordingly.

Example: 

] > /interfaces t1 clock_source t1.1.1
] > /interfaces t1 clock_source

Clock source = t1.1.1
If the configuration is saved, the clock source is persisted. If the interface specified is not present at boot time (for example, a board was removed), the clock source reverts to system, and a new interface must be specified to return to recovering the clock from a span rather than generating a clock.

T1 Line Buildout

For T1, the property line_length is replaced by line_buildout. Better mnemonic values are provided, and those values now correspond to correct settings. For E1, the property is entirely eliminated in favor of a hardwired value that's appropriate for Nx Networks hardware.

Example: 

line_buildout				         -7.5db, -15db,       Line length is the build out
                      -22.5db, 0db_133ft   of the T1 line.
                      0db_266ft,
                      0db_399ft,
                      0db_533ft,
                       0db_655ft

Changes in Operational Status

 The Dormant state is now entirely eliminated, as it is useful only for PPP links (which we don't support at this time). Operational Status now works correctly.

Starting and Stopping T1 Interfaces

The start/stop command for T1 interfaces is now meaningful. stop t1* does not actually kill any tasks, but it tells the framer to stop doing certain things, and results in a BLUE (AIS) alarm being transmitted.

Improved Fax and Modem Relay Speeds

Fax and Modem Relay speeds have been improved

All connections less than 14.4K were tested with the higher speeds and NMP handshaking disabled in the modems.

Known Issues

The following tickets track known issues at the time of this release:

Ticket Priority Description Comments/Status
1586 Critical

 Voice shutdown process doesn't save configuration.

1622 Critical

 Gateway re-registration isn't working

1649 Serious

 Duplicate IP Addr with voice addrs either hangs or exits CLI for good

1681 Critical

 E1/CAS_R2 doesn't appear to work

1706 Serious

 CLI sometimes hangs upon
/interfaces voip stop * all

1719
INX002 		Critical

 RTP traffic streaming between voice cards - no connection

1727
INX029 		Serious

 Sometimes have to reset card after changing codec profile

 (Possibly) related to #1736

1736 Critical

 Voice Card crashed on
/interfaces stop * now, then interfaces operationally not present

 (Possibly) related to #1727; originally scheduled for r01.00.02. St. Paul has been unable to reproduce this problem under similar circumstances as reported by SQA in Westborough. This needs more investigation.

1737 Critical

 If number of calls exceeds what codec supports - errors, need reset

 May be related to #1756; load shedding numbers may need to be changed

1753 Serious

 Cannot update voice card software when >= 5 hops away from server

 FTP timeout issue?

1756 Critical

 Exception in "NWAT" task during G711A 24 call benchmark test

 May be related to #1737; load shedding benchmark numbers may need to be changed

1757 Serious

 T1 payload loopback running with Fireberd Up/Down loop: down loop doesn't appear to work

1758 Serious

 Handling of heartbeat reply message from router is not interrupt-safe

 Temporary work-around: Router does NOT send a reply to the heartbeat messages from the master and slave.

1765 Critical

 With receive bandwidth limited, voice card crashes

 Related to #1727, #1736. Voice card seems to get into degraded state as a result of bandwidth limitation, then, depending upon user action, further operations either do not complete or hang the box further.

1767 Critical

 /system ping and /system tracing trace can hang CLI

 This is a voice card call load-related issue; work-around is to disable all traces and pings while under heavy call load

1770 Critical

 crashes from upgrade from v01.00.00, then errors

 Enhancements to boot loading (single file wrap, CRC checking, etc.), which will be in the next release, will address this


Copyright © 2001, Nx Networks. All rights reserved.