Software Multicloud Defense
Activity Cloud Deployment

Version 24.06-03 October 20, 2024

Enhancements

The following enhancements are included in this release:

  • Provides an enhanced gateway image that supports the BoringCrypto module required for gateways deployed in a FedRAMP environment. This is a continued effort toward making Multicloud Defense FedRAMP compliant.

  • Adds support for a custom banner to be displayed when an SSH session to the gateway is established through Teleport.

Fixes

The following fixes are included in this release:

  • Fixes an issue where a TLS session that contains Kyber cipher suites could cause increased CPU usage resulting in the inability to process traffic.

  • Fixes an issue where the connection drain time was not being honored when a gateway instance was replaced.

  • Fixes a stability issue where the gateway datapath could self-heal when proxied sessions are actively terminated during policy change or gateway instance replacement.

  • Fixes an issue where the generation of a Diagnostic Bundle could fail.

  • Fixes an issue where a proxy policy could not retrieve the SNI from a TLS Client Hello message, causing the gateway to close the connection with a TCP RST. This is caused by a change made in Chrome in April 2024 to shift to Post-Quantum Cryptography. With this change, the Client Hello is larger than 1415 bytes, which can prevent retrieval of the Server Name Indication (SNI) that the proxy uses to determine which certificate to issue. The fix ensures the proxy policy supports Client Hello sizes greater than 1415 bytes.

  • Fixes an issue where a DNS change for a domain used in an FQDN-based address object was received by the gateway datapath agent but not applied to the datapath workers. As a result, the dynamically resolved address object was not updated with the new DNS answer, impacting proper traffic processing.

  • Fixes an issue where a decryption profile that is configured differently than the default configuration would not properly apply to the gateway, resulting in TLS negotiation failures due to cipher suite mismatches between the client and the gateway.

  • Fixes an issue where the gateway-side cipher suites used in a gateway SSH session were potentially flagged as weaker cipher suites. The fix accommodates only the most secure GCM-based cipher suite.

  • Fixes various stability issues.
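The SNI fix above turns on one detail: with a post-quantum key share in the Client Hello, the server_name extension can land beyond the first 1415 bytes, so an extractor that only inspects the first segment finds nothing. The following is an added example, not Multicloud Defense code: it builds a constructed Client Hello with an oversized key_share extension (assumed extension sizes, zeroed random) and shows an SNI extractor that reassembles the handshake from the buffered TCP stream, across one or several TLS records, and reports "not yet complete" instead of giving up while bytes are still in flight.

```python
import struct
SNI_EXT, KEY_SHARE_EXT = 0, 51  # IANA TLS extension types: server_name, key_share

def build_client_hello(sni: str, key_share_len: int) -> bytes:
    """Constructed ClientHello in one TLS record: an oversized key_share (as a post-quantum
    hybrid share produces) sits ahead of server_name, pushing the SNI past byte 1415."""
    key_share = struct.pack("!HH", KEY_SHARE_EXT, key_share_len) + b"\x00" * key_share_len
    host = sni.encode()
    name = struct.pack("!BH", 0, len(host)) + host  # name_type host_name, length, host
    server_name = struct.pack("!HHH", SNI_EXT, len(name) + 2, len(name)) + name
    exts = key_share + server_name
    body = (b"\x03\x03" + b"\x00" * 32  # legacy_version, random (zeroed for the test vector)
            + b"\x00"  # empty legacy_session_id
            + struct.pack("!H", 2) + b"\x13\x01"  # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"  # compression_methods: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_sni(buf: bytes):
    """SNI host from the bytes buffered so far on the client-facing connection. None means
    the ClientHello is still incomplete (keep reading, do not reset); "" means no SNI."""
    hs, pos = b"", 0
    while len(hs) < 4 or len(hs) < 4 + int.from_bytes(hs[1:4], "big"):  # reassemble handshake
        if len(buf) - pos < 5:
            return None  # record header not yet received
        if buf[pos] != 0x16:
            raise ValueError("not a TLS handshake record")
        rlen = struct.unpack("!H", buf[pos + 3:pos + 5])[0]
        if len(buf) - pos - 5 < rlen:
            return None  # record body still in flight (e.g. only the first 1415 bytes)
        hs += buf[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32  # skip handshake header, legacy_version, random
    p += 1 + hs[p]  # legacy_session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]  # cipher_suites
    p += 1 + hs[p]  # compression_methods
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= end:  # walk the extension list
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype == SNI_EXT:  # list_len(2) name_type(1) name_len(2) host_name
            nlen = struct.unpack("!H", hs[p + 3:p + 5])[0]
            return hs[p + 5:p + 5 + nlen].decode()
        p += elen
    return ""
```

A proxy that treats the None result as "wait for more data" rather than "no SNI" avoids the RST described in the fix.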