Software

Release Notes
Version 4

Allot Operating System


AOS11.2

P/N D211092

This document details new features, known issues and clarifications concerning Allot
operating system software version AOS11.2.
Please check http://www.allot.com/support.html for any updates to this document.

Applicable Devices
New Features
New Protocols and Applications
Resolved Issues
Known Issues
Upgrade Procedures

This document contains Proprietary Trade Secrets of Allot Communications LTD and its
receipt or possession does not convey any right to reproduce, disclose its contents or to
manufacture, use or sell anything that it may describe.
Allot reserves the right to make changes, add, remove or change the schedule of any
element of this document.

Allot Operating System AOS11.2 Release Notes

Applicable Devices
AOS11.2 is available for the following devices only:

AC-1400

AC-3000

SG-Sigma

AOS-compatible devices that are not in the above list do not support AOS11.2 and continue to
support the previous AOS version.

New Features
HTTP Redirection Enhancements
AOS11.2 allows sending additional information when redirecting to a captive portal. The
additional information available is:

The subscriber MSISDN (available only when working with SMP).

The web address the subscriber tried to access.

Using this information allows the portal to automatically detect the identity of the subscriber
accessing it and present him with a custom web page (for example advising him on campaigns
and showing him his account status). In addition it is now possible for the portal to automatically
redirect the subscriber to the original page he wanted to access once the portal activity has
ended.

Classification Enhancements
AOS11.2 improves the classification capabilities of the device and now allows the following
capabilities on top of the existing ones:

Subscriber classification according to the XFF (X-Forwarded-For) field of the HTTP header.
This capability allows traffic to be classified to a subscriber based on the IP appearing in
the XFF field instead of the IP of the TCP connection. In non-transparent proxy environments
the proxy establishes the session with its own IP rather than the subscriber IP. If traffic is
classified to the subscriber according to the subscriber IP, any traffic flowing through the
proxy will not be classified correctly. To associate traffic flowing through the proxy with a
subscriber, the traffic needs to be classified according to the XFF field of the HTTP header,
which represents the actual subscriber for which the proxy established the session. This
capability allows operators to deploy subscriber management capabilities in non-transparent
proxy environments without waiving any of the DPI capabilities.

Classification of traffic according to physical port. This capability allows the operator
to classify traffic to a policy based on the physical port of the device on which the traffic
arrived. In many environments this capability can be used to differentiate domestic from
international traffic, as well as to differentiate traffic coming from different network
elements.

Interface classification. It is now possible to define an entity called an interface. The
interface represents an L2 or L3 encapsulation (for example GRE). When the classification of
traffic is defined as interface, the traffic is classified according to the interface
type / connection rather than the encapsulated IP. For example, if GRE is defined as an
interface, all traffic that is encapsulated in GRE is classified as GRE and not by the
encapsulated IP/application of the traffic. This capability allows the user to exclude
specific interfaces from classification and QoS mechanisms.
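
The XFF field is set by whoever sends the HTTP request, so a classifier that keys on it should honor it only on connections that arrive from the operator's own proxies. The sketch below is an added example, not Allot's implementation or code from these release notes; the proxy range in TRUSTED_PROXIES and the function names are assumptions.

```python
import ipaddress

# Assumption: address range of the operator's own non-transparent proxies.
TRUSTED_PROXIES = [ipaddress.ip_network("10.20.0.0/28")]


def _is_trusted(ip):
    """True when ip belongs to one of the operator's proxies."""
    return any(ip in net for net in TRUSTED_PROXIES)


def _parse_ip(token):
    """Return an ip_address for one XFF element, or None if it is not an IP."""
    token = token.strip()
    # Tolerate the bracketed IPv6 form and an IPv4 "addr:port" suffix.
    if token.startswith("["):
        token = token[1:].split("]", 1)[0]
    elif token.count(":") == 1:
        token = token.split(":", 1)[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def subscriber_ip(tcp_src, xff_values):
    """Pick the address a flow should be classified by.

    tcp_src    -- source IP of the TCP connection (string)
    xff_values -- list of X-Forwarded-For header values, in header order
    """
    peer = ipaddress.ip_address(tcp_src)
    # A connection that does not come from a known proxy is classified by
    # its own source IP; any XFF header it carries is subscriber-supplied.
    if not _is_trusted(peer):
        return str(peer)
    hops = [h for v in xff_values for h in v.split(",") if h.strip()]
    # Walk right to left: the rightmost entries were appended by our proxies,
    # the first non-proxy address is the subscriber the proxy acted for.
    # Anything further left was supplied by the subscriber and is ignored.
    for hop in reversed(hops):
        ip = _parse_ip(hop)
        if ip is None:
            break  # malformed element: stop trusting the chain
        if not _is_trusted(ip):
            return str(ip)
    # No usable XFF entry: fall back to the proxy address itself.
    return str(peer)
```
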

2010 Allot Communications. All rights reserved.

Traffic Management
AOS11.2 supports the capability to bypass traffic based on user defined subnets. Traffic meeting
the subnet criteria will be bypassed and will not go through QoS and/or monitoring mechanisms.
Up to 2000 subnets can be defined for subnet bypass.

Element Management
AOS11.2 introduced some new capabilities that allow for better management of the system
capabilities as well as management of elements within the system (such as Pipes and VCs).
The following capabilities were added in AOS11.2:

Threshold Crossing Alarms (TCAs). AOS11.2 allows definition of alarms for policy
elements (Pipes / VCs). The TCAs are based on BW and allow the user to set a threshold
on the BW that triggers an alarm when crossed. The threshold can be set as either
rising (BW is above a specific value) or falling (BW is below the specific value). Up to
2000 elements (Pipes/VCs) can be defined to be monitored for TCAs.

Drop action on reaching CER limit. AOS11.2 allows setting a maximum CER limit for
the device. When this value is reached it is now possible to select one of two actions to
take place:

Drop: any session over the CER limit will be dropped.

Bypass: every session above the CER limit will be bypassed and will not go
through any of the DPI mechanisms.

1GE Copper Ports Support (SG-Sigma Only)


AOS11.2 upgrades the switch fabric software of the SG-Sigma and allows the Sigma to support
16X1GE Copper interfaces. Fiber 1GE ports are already supported with AOS11.1.
Please note that upgrading the switch fabric software requires downtime of the Sigma and a
specific procedure. Please contact customer support at support@allot.com for further details.
Switch fabric upgrade is only needed for support of 1GE copper ports and is not included in the
generic upgrade procedure of AOS11.2. In case 1GE copper ports are not needed please follow
the generic upgrade procedure.

New Host Blade Support (SG-Sigma Only)


AOS11.2 supports the new host blade for SG-Sigma. The new blade is more powerful than the
old one with more CPU power and memory. New Sigma units are now delivered with the new
version of the host blade.
AOS11.2 is backward compatible to the old blade and fully supports all capabilities with both new
and old blades.
Please note that the new host blade is supported from AOS11.2 and above. Previous versions do
not support the new blade.

Hanging of a Router Deployment (AC-1400/3000 Only)


AOS11.2 allows AC-1400/3000 devices to be deployed in a configuration usually referred to as a
"hanging of a router" configuration. This configuration connects the device to a router and uses
the router PBR to route traffic to the DPI device and from the device back to the router.

Codec Identification
AOS11.2 is now capable of detecting the VoIP codec in use by an RTP stream. This capability
allows more accurate QoS control for VoIP: the exact BW needed by every codec can be
guaranteed, and the operator can block unwanted / BW consuming codecs.
Supported codecs are G723, G729, GSM and G711A/U. Codecs are identified over UDP RTP for
SIP and/or H.323 VoIP protocols.

MediaSwift Enhancements
AOS11.2 can identify traffic as cache out traffic coming from the MSW service allowing the
operator to control it differently than P2P and/or streaming traffic not generated by the cache.
This allows the operator to limit non-cached traffic while at the same time allowing cache out
traffic to flow maintaining the QoE of his subscribers.

New Protocols and Applications


This version supports Allot Protocol Updates package version 3.11 and above.
For a complete list of the supported protocols and applications and for details on upgrading your
protocols identification with the recent protocol pack go to:
https://c.eu1.visual.force.com/apex/KB?KBID=11895137.
Please also find in this location the latest release notes for the protocol pack and its
predecessors, in which you'll find detailed information about the supported applications, as well
as information on resolved and known issues.

Resolved Issues

Fixed an issue that could cause the SG-Sigma to shape media traffic served by a
MediaSwift cache and apply maximum QoS settings to P2P and/or streaming traffic.

Fixed an issue that could cause policy updates to take a very long time when defining
asymmetry configurations.

Fixed an issue that could cause up to 3 seconds of traffic loss when changing action on
failure configuration in the device from fail pair to bypass. Configuration change no longer
results in packet loss.

Fixed an issue that could cause the device to remain in bypass mode after disconnecting
a bypass cable and connecting it again. The device no longer stays in bypass upon reconnecting the bypass cable.

Fixed an issue that could cause ServiceProtector to fail if a device with ServiceProtector
is migrated from one NX server to another.

Fixed an issue that could cause the device to fail to report the reason for bypass when
bypass was entered due to link failure (AC-3000/1400 only).

Fixed an issue that could prevent WebSafe blacklists from loading correctly after the
device reboots.

IWF blacklists are no longer accessible by the system admin.

Fixed an issue that prevented using Drop Precedence while using percentage QoS.

Known Issues

When upgrading from previous AOS versions the statistics collection profile is not
maintained. This can cause graph inaccuracies.
Allot Recommends: Following installation make sure the collection profile is identical to
the defined profile prior to installation. Update the profile manually if not matching the
previously defined profile. In case assistance with this procedure is required please refer
to the following KB item https://c.eu1.visual.force.com/apex/KB?KBID=13697339

In some cases when performing an upgrade and the action on failure defined prior to
upgrading was not the default setting, after the upgrade the system may remain in
bypass state due to the inconsistency.
Allot Recommends: Prior to installation set the action on failure settings to default. After
installation change the action on failure settings to the required settings. In case
assistance with this procedure is required please contact customer support at
support@allot.com.

In some rare cases following an upgrade, the failure to automatically boot a blade may
result in the device remaining in bypass state.
Allot Recommends: If the device remains in bypass state after reboot, access every
blade separately via the SMC and perform ac_reboot for any blade that did not boot. In
case assistance with this procedure is required please contact customer support at
support@allot.com.

RTP codecs are only identified if a policy element is associated with a Codec. It is
enough to associate a single policy element with one Codec in order for all the codecs to
be identified and reported.
Allot Recommends: If reporting per codec is needed, define a dummy policy element
with no QoS that is associated with a Codec. If your policy already includes codecs there
is no need for this definition.

When setting QoS max on Pipe level to value of X, the minimum at the VC level needs to
be set to X-1 in order to achieve the correct behavior and avoid admission by priority
situations.
Example:
Correct: Pipe Max = 2048kbps, VC Min = 2047kbps
Incorrect: Pipe Max = 2048kbps, VC Min = 2048kbps

SG-Sigma will not reject an invalid key and will overwrite the current key definitions.
Allot Recommends: Following an upgrade make sure (via the NX GUI) that all key
definitions are correct. In case key definitions are incorrect, re-enter the key.

The Asymmetry port (the port used to connect to other devices for asymmetry purposes)
is not configurable and is set as follows:

SG-Sigma: SFC-200 blade in slot 7, Port 3

All other AOS devices: Port 3

Host name and MAC definitions in Host catalog are not supported.

Most Active URL report needs to be activated from NetXplorer. Please refer to the
NetXplorer Operations Guide for instructions on how to activate the feature. Please note
that report information starts appearing about 20min after activation of the feature.

Provisioning of large host catalogs (over 4000 entries) may take a few minutes.

The number of packets (packets in / packets out) is not reported or presented in NetXplorer.

When setting a DOS (Denial of Service) catalog entry option to Reject, the actual
behavior will be identical to Drop on TCP traffic.

DOS catalog entries in the policy are enforced in the Pipe/VC level only, not on the Line
level.

Cisco ISL encapsulation is currently not supported; the device only sees the tunnel and
not the encapsulated traffic inside the tunnel.

In scenarios in which the device's Quality of Service engine is configured for high
buffering on large portions of the traffic, the device might suffer from significant
performance degradation.

When changing the device's software key, a "rebooting the box" message may appear.
This should be ignored since no reboot will occur unless the software version is changed.

Packets with destination MAC of zero (0) are dropped by the device.

When some of the VCs under a specific Pipe are defined with priority settings and some
without, it is possible that the VCs that do not have priority settings will not be allowed to
transmit data.
Allot recommends: Make sure all elements under a specific Pipe either have priority
definitions or all of the elements do not have priority definitions at all.

Upgrade Procedures
Service Gateway SG-Sigma
NOTES

A new license key is required when upgrading to AOS11.2. Please
make sure you have a valid license for AOS11.2 before starting the
upgrade. Allot strongly recommends that after upgrading, you keep
the previous license key in a safe place in case you must roll back to
the previous version.
If you are upgrading the SG-Sigma from a version prior to AOS10.1.1,
please upgrade first to AOS10.1.1 (follow the SG-Sigma upgrade
instructions which were documented in the release notes for
AOS10.1.1), and only then upgrade to AOS11.2.

1. Make sure the version currently installed is AOS10.1.1 or above and confirm the M1 port
of SFC1 (the SFC-200 blade inserted in slot 7 of the SG-Sigma chassis) is connected to
your management network.
2. Connect a terminal to the SGSV-110 Console port (to be used in case SSH access is lost
during the upgrade). The terminal speed is 19200.

[Figure: M1 Port on the SFC1 blade (slot 7) and the Console Port on the SGSV blade (slot 1)]

3. Log into the system via SSH as User Name sysadmin, Password sysadmin
4. Create a directory called AOS11.2. To do this, type the following command:
mkdir AOS11.2
5. Move to the newly created directory. To do this, type the following command:
cd AOS11.2
6. Download the version files.

From the AOS11.2 directory enter the following command:
ftp ftp.allot.com (the IP address is 209.62.76.11)

Log into the ftp site as an anonymous user.

Type cd /DPI_device/SG-Sigma/GA/AOS.SGS.11.2.0_B7

Type hash.

Type bin.

Type prompt.

Type mget *

All required files will be downloaded automatically.

When the download finishes, type bye. This will close the ftp site but leave Telnet open.
7. You should now have the following files in the AOS11.2 directory:

sigma-instl.sh

sigma-11.2.0-7.tgz

8. Type the following command:
chmod u+x sigma-instl.sh
9. Switch the SG-Sigma to bypass mode by running the following command:
go config network -dev_mode system:bypass
Output Example:
host-blade:~$ go config view network

==== Network ====
Redundancy Mode                       standalone
Bypass Unit Configuration             enable
Bypass Unit Detection                 primary
System Status                         bypass
Minimum number of Core Controllers    1
Number of active Core Controllers     3
Minimum number of Switch Fabrics
Minimum number of Flow Balancers

Cards list :
|Slot |Card Type |SMC State |Card Status
-------------------------------------------
|1    |HOST      |ON        |ACTIVE
-------------------------------------------
|2    |CC        |ON        |BYPASS
-------------------------------------------
|4    |CC        |ON        |BYPASS
-------------------------------------------
|6    |FB        |ON        |ACTIVE
-------------------------------------------
|7    |SFC       |ON        |ACTIVE
-------------------------------------------
|8    |SFC       |ON        |ACTIVE
-------------------------------------------
|9    |FB        |ON        |ACTIVE
-------------------------------------------
|10   |CC        |ON        |BYPASS
-------------------------------------------
|12   |VAS       |ON        |
-------------------------------------------
Request completed successfully.


10. Start the installation by running the following command:
./sigma-instl.sh
11. Wait for the upgrade to complete successfully.
Output Example:
Test:~/AOS11.2$ ./sigma-instl.sh
Please wait, extracting package...
...........
Installing Flow Balancer Blade located on slot 6.
Installing Flow Balancer Blade located on slot 9.
Installing core controller located in slot 2.
Installing core controller located in slot 4.
Installing core controller located in slot 10.
Installing Switch Fabric Blade located in slot 8.
........
Installation on slot 2 finished.
....................
Installation on slot 4 finished.
....

Installation on slot 10 finished.


................................................................................
Installation on slot 6 finished.
Installation on slot 9 finished.
Installation on slot 8 finished.
Installing Host controller.
Please wait...
<<<<<Your current key is invalid.>>>>>
<<<<<New key must be entered after restart in order to activate the device
features.>>>>>
..............................................................................................................................................
...............
The installation of sigma-host-11.2.0-7.tgz finished.
Installing Switch Fabric Blade located in slot 7.
Connection to 11.11.11.70 closed by remote host.
Installation summary:
--------------------
Successfully installed slots: 2 4 10 6 9 8 7
Empty slots: 12
System will automatically reboot.
Broadcast message from dev (pts/0) (Mon Sep 20 14:42:10 2010):
The system is going down for reboot NOW!
Test:~/AOS11.2$
The following message appears at the end of the upgrade and may vary depending on
the SG-Sigma chassis population:

Installation summary:
--------------------
Successfully installed slots: 2 4 10 6 9 8 7
Empty slots: 12
System will automatically reboot.

The device will reboot automatically when the installation completes.

Broadcast message from dev (pts/2) (Tue Sep 14 10:59:34 2010):
The system is going down for reboot NOW!

12. Wait for the device to be reachable again after the reboot and log into the system again
via SSH as User Name sysadmin, Password sysadmin
13. Add the new key by running the following command:
go config key <KEY>
Output Example:
host-blade:~$ go config key SGSigma-123456ABCDEFGHIJ2020HYK1U1P1MK2U1P1MK3U1P1MK7U1P1MK9U1P1MK10U1P1MHYH-6C8BD4B166
A notification that the request was completed will appear if the key was accepted.
14. Verify the correct key functionalities are enabled by running the following command:
go config view key
Output Example:
host-blade:~$ go config view key

==== Global information ====
Product Name             SGSigma
Activation Key           SGSigma-123456ABCDEFGHIJ2020HYK1U1P1MK2U1P1MK3U1P1MK7U1P1MK9U1P1MK10U1P1MHYH-6C8BD4B166
Global Expiration Date   31/12/2019
Global status            valid

==== Features information ====
1) QoS
   Status: valid
   Status enable

2) Real time reporting
   Status: valid
   Status enable

3) Long term reporting
   Status: valid
   Status enable

4) Allot Protocol Update
   Status: valid
   Status enable

5) WebSafe update subscription
   Status: valid
   Status enable

6) Traffic steering
   Status: valid
   Status enable

15. Change the device to Active by running the following command:
go config network -dev_mode system:active
16. Verify all cards are up and active by running the following command:
go config view network
Output Example:
host-blade:~$ go config view network

==== Network ====
Redundancy Mode                       standalone
Bypass Unit Configuration             enable
Bypass Unit Detection                 primary
System Status                         active
Minimum number of Core Controllers    1
Number of active Core Controllers     4
Minimum number of Switch Fabrics
Minimum number of Flow Balancers

Cards list :
|Slot |Card Type |SMC State |Card Status
-------------------------------------------
|1    |HOST      |ON        |ACTIVE
-------------------------------------------
|2    |CC        |OFF       |ACTIVE
-------------------------------------------
|4    |CC        |ON        |ACTIVE
-------------------------------------------
|6    |FB        |ON        |ACTIVE
-------------------------------------------
|7    |SFC       |ON        |ACTIVE
-------------------------------------------
|8    |SFC       |ON        |ACTIVE
-------------------------------------------
|9    |FB        |ON        |ACTIVE
-------------------------------------------
|10   |CC        |ON        |ACTIVE
-------------------------------------------
|12   |CC        |OFF       |ACTIVE
-------------------------------------------
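
A post-upgrade check for steps 15 and 16, and for the known issue of a blade that fails to boot and leaves the device in bypass: the added example below (not an Allot tool) parses go config view network output and lists whatever is not active. The sample text is constructed in the layout of the Output Example, and the function names are assumptions.

```python
import re

# Constructed sample in the layout of the "go config view network" Output
# Example; slot 4 stands for a blade that did not come back after the reboot.
SAMPLE = """\
==== Network ====
Redundancy Mode                       standalone
System Status                         bypass
Number of active Core Controllers     2
Cards list :
|Slot |Card Type |SMC State |Card Status
-------------------------------------------
|1    |HOST      |ON        |ACTIVE
-------------------------------------------
|2    |CC        |ON        |ACTIVE
-------------------------------------------
|4    |CC        |ON        |BYPASS
-------------------------------------------
|6    |FB        |ON        |ACTIVE
-------------------------------------------
|12   |VAS       |ON        |
-------------------------------------------
"""

# One card row: |slot |type |SMC state |card status (status may be empty).
ROW = re.compile(r"^\|\s*(\d+)\s*\|\s*(\w+)\s*\|\s*(\w+)\s*\|\s*(\w*)\s*$")
STATUS = re.compile(r"^\s*System Status\s+(\S+)\s*$")


def parse_network_view(text):
    """Return (system_status, cards) from 'go config view network' output."""
    status = None
    cards = []
    for line in text.splitlines():
        m = STATUS.match(line)
        if m:
            status = m.group(1).lower()
            continue
        m = ROW.match(line)
        if m:
            slot, ctype, smc, cstat = m.groups()
            cards.append({"slot": int(slot), "type": ctype,
                          "smc": smc.upper(), "status": cstat.upper()})
    return status, cards


def blades_needing_attention(text):
    """List (slot, type, reason) for everything that is not up and active."""
    status, cards = parse_network_view(text)
    findings = []
    if status != "active":
        findings.append((None, "SYSTEM", f"System Status is {status}"))
    for card in cards:
        if not card["status"]:
            continue  # row without a Card Status value, like the VAS row
        if card["status"] != "ACTIVE":
            findings.append((card["slot"], card["type"],
                             f"Card Status {card['status']}"))
    return findings


if __name__ == "__main__":
    for slot, ctype, reason in blades_needing_attention(SAMPLE):
        print(slot, ctype, reason)
```

Slots reported here are the ones to access separately via the SMC, as the Known Issues section recommends.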

NetEnforcer AC-3000
If the NetEnforcer being upgraded will be managed by the full NetXplorer Server along with one
or more other NetEnforcers, follow this procedure:
NOTE The Software Upgrade Procedure may fail if your NetEnforcer database is
corrupted. In such cases, please consult Allot Customer Support at
support@allot.com.
1. Download the software version from the Allot ftp site by completing the following steps:
Open Telnet and log in to the NetEnforcer as User Name: sysadmin Password:
sysadmin (default).

Type mkdir AOS112.

Type cd AOS112.

Type ftp ftp.allot.com (the IP address is 209.62.76.11)

Log into the ftp site as an anonymous user.

Type cd /DPI_device/AC-3000/GA/AOS.AC3K.11.2.0_B7

Type hash.

Type bin.

Type prompt.

Type mget *

All required files will be downloaded automatically.


When the download finishes, type bye. This will close the ftp site but leave Telnet open.
2. Type chmod u+x ac3k-instl.sh
3. Type ./ac3k-instl.sh
4. The upgrade procedure could take as long as 10 minutes. You will be prompted to enter
a new key.
5. Type ac_reboot when you see a message that states that the upgrade completed
successfully.

NetEnforcer AC-1400
If the NetEnforcer being upgraded will be managed by the full NetXplorer Server along with one
or more other NetEnforcers, follow this procedure:
NOTE The Software Upgrade Procedure may fail if your NetEnforcer database is
corrupted. In such cases, please consult Allot Customer Support at
support@allot.com.
1. Download the software version from the Allot ftp site by completing the following steps:
Open Telnet and log in to the NetEnforcer as User Name: sysadmin Password:
sysadmin (default).

Type mkdir AOS112.

Type cd AOS112.

Type ftp ftp.allot.com (the IP address is 209.62.76.11)

Log into the ftp site as an anonymous user.

Type cd /DPI_device/AC-1400/GA/AOS.AC1K.11.2.0_B7

Type hash.

Type bin.

Type prompt.

Type mget *

All required files will be downloaded automatically.


When the download finishes, type bye. This will close the ftp site but leave Telnet open.
2. Type chmod u+x ac1k-instl.sh
3. Type ./ac1k-instl.sh

4. The upgrade procedure could take as long as 10 minutes. You will be prompted to enter
a new key.
5. Type ac_reboot when you see a message that states that the upgrade completed
successfully.
