PRODUCT RELEASE NOTES

PRODUCT: ARRAY OPERATING SYSTEM

RELEASE DATE: 15 DEC 2017
VERSION: 8.4.3 – 7312 TECHNOLOGY

CONTENTS
1) New Features
2) Fixed Problems
3) Known Issues
4) Limitations and Conditions
5) Hardware and Software Requirements
6) Contacting Support

1) NEW FEATURES
• Fix for KRACK vulnerability.
On October 16, 2017, a research paper was made public by Dr. Mathy Vanhoef from the
IMEC-DistriNet Research Group of KU Leuven in Belgium that uncovered security
vulnerabilities in key negotiations in both the Wi-Fi Protected Access (WPA) and Wi-Fi
Protected Access II (WPA2) protocols. The vulnerabilities, most commonly known as
KRACK, are associated with the process used for negotiating encryption keys used by the
client and access point and may allow reinstallation of these keys.

For more details, please refer to STATEMENT ON WPA2 KEY RE-USE “KRACK ATTACK”.

• Removed SN/Community String account to prevent unwanted access to access points

• For location reporting, added the ability to filter out devices for which the reported MAC
address was randomized
2) FIXED PROBLEMS
• 26635 - L3 Roaming – Layer 3 roaming using Spectralink 8440 and WPA2-PSK is not
working on 802.11n and 802.11ac wave1 APs. However, L3 roaming works properly with
WPA2 Enterprise.
• 29675 - An Application Control deny filter for the application hotspot shield is unable to
block the app traffic.
• 26788 - XR400 Series APs with Device ID groups and VLAN SSIDs defined, drop clients
onto the untagged network instead of the VLAN tagged network of the SSID.
• 31464 - ARP requests are occasionally not responded to, by clients in power save state.
• 31670 - AP with ARP filter set to off is filtering some ARP traffic.
• 31682 - 802.11ac wave1 APs occasionally restarts.
• 32095 - With ARP filter set to proxy, error message is seen in AP kernel messaging for
IPv6 traffic.
• 32119 - When using WPR on an SSID with login via Radius, Session-Timeout is not
honored on station roam.
• 32332 - Connecting an Intermec Scanner device in 802.11g only mode does not work on
802.11ac wave2 APs.
• 32333 - With ARP filter set to pass-through on the AP, a laptop on the wired side is
unable to ping associated clients.
• 32373 - WMI would get a certificate error with Chrome version 58 or higher.
• 32394 - Deny filter for VPN tunneling applications is unable to block the ExpressVPN
application running on an iPad.
• 32508 - Creating a global layer 3 filter to restrict station bandwidth limit to 10Kbps,
causes AP to become unusable from SSH.
• 32565 - When using Open/Radius MAC authentication on an SSID, Internal Radius
doesn’t work.
• 32590 - Creating a global filter that changes QoS to 2, breaks connectivity to XMS-Cloud
and WMI.
• 32611 - CLI is displaying the subnet mask incorrectly when using IP DHCP on a VLAN
interface.
• 32622/32623 - When 802.11r is enabled, the AP creates high amounts of AP
management traffic.
• 32659 - For Location Reporting, some APs report using Gig1 mac address and some with
radio base mac address.
• 32717 - Chromebooks sometimes have poor performance.
• 32774 - Filter for WhatsApp does not block connection from phone to server.

2
• 32941 - WDS doesn’t work on 802.11ac wave1 APs.
• 32946 - WDS client side XD2-240 AP would sometimes crash.
• 32951 - All APs are missing channel 165 when set to Russia country code.
• 32952 - All outdoor APs are missing lower UNII-1 band channels for Russia country code.
• 32992 - Cannot pass wireless station to station traffic when ARP filtering set to Proxy
and SSIDs set to have a VLAN ID.
• 33239 - DHCP and DNS application statistics reporting is inaccurate.

3) KNOWN ISSUES
• 19319 - When Roaming between APs with Radius Accounting enabled, de-
authentication occurs before the authentication has completed.
• 20276 - Internal-Radius and Active-Directory did not start after a reboot. If the Internal
Radius SSID is disabled and you then reboot, Active-Directory will start.
• 20296 - Rogue AP – 11ac Wave 1 Radios are seeing rogue APs at higher RSSI levels.
• 25558 - Standby Mode – Enabling standby mode on an SSID could cause a General Error.
It is not recommended to use this feature with this release.
• 25764 - In noisy environments, clients may be slow connecting to 80MHz bonded
channels. A workaround is to avoid using 80 MHz channels in noisy environments.
• 26045 - Admin RADIUS is not working with IPv6 when logging on to the Web
Management Interface or the Command Line Interface
• 26222 - No RADIUS packets are sent to server from PEAP client when primary server is
using IPv6.
• 26300 - Attempting to login to AP using IPv6 address via Admin RADIUS with WMI does
not work and causes WPA Authentication Engine restart. Workaround would be to
avoid Admin RADIUS logons w/ IPv6.
• 27041 - Radio assurance feature is not functional on 802.11ac Wave 2 products. Please
refrain from using this feature.
• 27265 - XRP did not send user session timeout details to the neighboring AP on roaming.
• 27310 - Loss of IP connectivity on 11ac Wave 2 radios after a station associates to TKIP
encryption only. Changing the encryption to AES works.
• 27376 - WPR SSL Redirect - Chrome does not allow the user to accept the SSL
Certificate. Use alternative browsers such as Safari or Internet Explorer.
• 27800 - Upstream traffic on the same clients is, in general, slower on 802.11ac Wave 1
AP’s than it is on 802.11ac Wave 2 AP’s – this has been observed infrequently on Intel
7625-based client chipsets.
• 28104 - On 11ac Wave 2 APs, the QoS UP bit in QoS Control Field is always set to
whatever QoS setting is set on the SSID.

3
• 28489 - Occasionally during boot-up AP sends out a couple of XRP packets with the
default IP address of 192.168.1.3. Administrators can safely ignore this debugging
message.
• 29728 - XR600 CRC error reporting numbers may not be accurate.
• 29831 - Wave 2-capable APs sometimes show negative RSSI, SNR and Silence values
when a station is first detected. This problem goes away and can be safely ignored.
• 32871 - The 2.5G Ethernet port on the XD4-240 links at 2.5G but sometimes will not
pass more than 1G of traffic and requires reboot to fix.
• 33188 - APs running AOS version 8.3.3-7084 are categorizing Epson's EasyMP projector
application traffic as proxy, which is denied, and causing the application on the MS
Surface to crash.
• 33396 - Layer3 roaming does not work on 802.11ac wave2 AP models.

4) LIMITATIONS AND CONDITIONS

• 24598 - RADIUS – must use quotes “” to add the word “secret” as a password.
• 26606 - The Console timeout value is not respected. Workaround is to set the Xircon
timeout and the Console timeout to the same value. Working as designed.
• 28675 - Packet Counts for a DNS redirect filter may sometimes be less than the actual
number of DNS packets modified.
• 29454 - Deleting/Adding over 500 MAC addresses in Security/Access Control will give an
error.
• 30392 - Bonjour – AppleTV is not able to service a client on SSID with VLAN when
AppleTV is on the Bridged wired network. It is not recommended that you place
AppleTV on the Bridged Management LAN segment. This will cause a lot of multicast
traffic to be processed by the Array on the Management VLAN and can affect
performance of the Array. Isolation of Multicast Traffic is recommended to be handled
in VLAN’s that are not part of the Array Management VLAN.
• 30513 - Arrays with large numbers of VLANs (12 – 16+) may occasionally experience the
log message “Process Restart Required: WPA Authentication Engine, restarting process”
which indicates that the ability of clients to associate using WPA is being affected. The
recommended workaround is to reduce the number of VLANs. Hardware and Software
Requirements

5) HARDWARE AND SOFTWARE REQUIREMENTS

• XI-AC3470 is equipped with 4 Tx chains, Rx chains and 4 spatial streams. Depending on the Access Point
capacity, the AOS will automatically configure each radio module to obtain optimal functionality. The table
below lists different operating modes based on the HD modular AP and number of radios installed.

4
• Wave 2 Radio Module Operating Modes

Tx Rx
Model Streams Tx power per radio
Chains Chains

XR-2247 4 4 4 No Tx power restrictions

Mon + 5G + 5G + 2.4G 13 dBm(default)

5G + 5G + 5G + Mon 12 dBm
5G + 5G + 5G + 5G 12 dBm
XR-2447 3 4 3
5G + 5G + 5G + 2.4G 13 dBm
5G + 5G + 2.4G + 2.4G 14 dBm
5G + 2.4G + 2.4G + 2.4G 15 dBm

XR-4447 4 4 4 No Tx power restrictions

XR-4847 4 4 4 No Tx power restrictions

Mon + 2 2.4G + 5 5G 18 dBm (default)

XR-6847 4 4 4 All configurations + Mon 18 dBm
All radios with no Mon No Tx power restrictions

Mon + 3 2.4G + 8 5G 18 dBm (default)

XR-7247 4 4 4 All configurations + Mon 18 dBm
All radio with no Mon No Tx power restrictions

Mon + 3 2.4G + 12 5G 12 dBm (default)

Mon + 2 2.4G + 13 5G 10 dBm
XR-7647 4 4 4
Mon + 1 2.4G + 14 5G 8 dBm
Mon + 15 5G 6 dBm

• Wave 2 Radio Module Upgrade Configurations. The table below summarize power requirements
and configurations for installing XI-AC3470 radios in an XR modular AP.

# Radios
Upgraded Which Slots to Use (RF
Model Series after Watts / Injector Models
Model No Slot #s)
Upgrade
30W, PoE+
XR-2000 XR-2247 2 0, 2 XP1-MSI-30, XP1-MSI-75M, XP8-MSI-
70M, XT-5024/5048
40W
XR-2000 XR-2447 4 All slots XP8-MSI-70M,
XP1-MSI-75/75M
75W
XR-4000 XR-4447 4 1, 3, 5, 7 XP8-MSI-70M,
XP1-MSI-75/75M

5
 # Radios
Upgraded Which Slots to Use (RF
Model Series after Watts / Injector Models
Model No Slot #s)
Upgrade
75W
XR-4000 XR-4847 8 All slots
XP1-MSI-75/75M
95W
XR-6000 XR-6847 8 0, 2, 4, 6, 8, 10, 12,14
XP2-MSI-95M (one port)
0, 1, 2, 4, 5, 6, 8, 9,10, 95W
XR-7000 XR-7247 12
12,13,14 XP2-MSI-95M (two ports)
95W
XR-7000 XR-7647 16 All Slots
XP2-MSI-95M (two ports)

6) CONTACTING SUPPORT
THE XIRRUS CUSTOMER SUPPORT WEBSITE PROVIDES ONLINE DOCUMENTS AND TOOLS FOR
TROUBLESHOOTING AND RESOLVING TECHNICAL ISSUES WITH XIRRUS PRODUCTS AND TECHNOLOGIES.
ACCESS TO ALL TOOLS ON THE XIRRUS CUSTOMER SUPPORT WEBSITE REQUIRES A LOGIN USER ID AND
PASSWORD. IF YOU HAVE A VALID SERVICE CONTRACT BUT DO NOT HAVE A USER ID OR PASSWORD, YOU CAN
REGISTER AT HTTP://SUPPORT.XIRRUS.COM.

To request additional assistance, please contact Xirrus Customer Support via

• Email at support@xirrus.com
• Live chat with one of the Xirrus Customer Support Representatives at Login
• Call Xirrus at one of the following numbers

Region Phone Numbers

+1.800.947.7871 (US Toll Free) or

United States and Canada
+1.805.262.1600 (Direct)

Europe, Middle East and Africa +44.20.3239.8644

Australia and New Zealand 1.300.947.787 (Within Australia)

Asia and Oceania +61.2.8006.0622

Latin, Central and South America +1.805.262.1600

©2017 Riverbed Technology. All rights reserved. Riverbed and any Riverbed product or service name or logo

6
 used herein are trademarks of Riverbed Technology. All other trademarks used herein belong to their
respective owners. The trademarks and logos displayed herein may not be used without the prior written
consent of Riverbed Technology or their respective owners.