Versa Networks

Consolidated Release Notes for Release 21.1

Versa Analytics Release Notes for Release 21.1

This document describes features, enhancements, fixes, and known issues in Versa Analytics Software Release 21.1, for Releases 21.1.0 through 21.1.4. Release 21.1.1 and later are generally available (GA) releases and are supported for use in production networks.

April 27, 2022
Revision 5

Install the Versa Analytics Software

To install the Versa Analytics software, see the Deployment and Initial Configuration articles.

Upgrade to Release 21.1

You can upgrade Versa Analytics nodes to Release 21.1 from any service release of Release 16.1R2, that is, from Releases 16.1R2(Sx).

Before You Upgrade

Before you upgrade the Analytics software to Releases 21.1 or later, upgrade the OS SPack on all Analytics nodes to the version in the latest subfolder at https://versanetworks.app.box.com/v/osspack or https://upload.versa-networks.com/index.php/s/nEkF9xOO3e7BA9Z. If you do not upgrade the OS SPack, the Analytics upgrade may fail.

Upgrade to Release 21.1

To upgrade to Release 21.1:

  1. Copy the appropriate binary package file to the /home/versa/packages/ directory on the Versa Analytics node. Ensure that the file has +x execute permission. Alternatively, use the following command, which copies the file to the /home/versa/packages directory:
    versa@versa-Analytics> request system package fetch uri uri
    
  2. Install the new software package:
    versa@Versa-Analytics> request system package upgrade filename.bin
    
  3. Check the status of the services from the shell:
     % vsh status
    
  4. If the Versa services have not started, start them from the shell:
     % vsh start
    
  5. After the upgrade completes, a message may display indicating that you should reboot the system. Even if a message does not display, it is recommended that you reboot the system to account for any GRUB or kernel parameter changes. To reboot the system:
     % sudo reboot
    

    After the reboot completes, the Versa services automatically restart.

Prerequisites for Upgrade to Releases 21.1.1 and Later

Before you upgrade to Releases 21.1.1 and later from Releases 16.1R2 or 20.2.x, check for the following:

  1. The database must be DataStax Enterprise (DSE) 4.8 or Fusion.
  2. To check whether the database uses the DSE or Fusion package, go to Administration > Version. If the Database Version string ends with F, the database is Fusion. If it ends with E or does not display any character, the database is DSE.

    DB_Version.PNG
     
  3. If the database is DSE, SSH to any of the analytics/search nodes and issue the following command:
    versa@versa-analytics:~$ dse -v
    4.5.2
    
  4. If the database is DSE 4.5.x, upgrade to DSE 4.8 using the DSE migration scripts at the following link:
    https://support.versa-networks.com/support/solutions/articles/23000019690
  5. After you successfully upgrade to DSE 4.8, upgrade the Versa Analytics application to Release 21.1.1, as described in Upgrade to Release 21.1.

After the upgrade, ensure the following:

  • Search node IP addresses are listed under Search Hosts
  • Analytics node IP addresses are listed under Analytics Hosts
  • All log collector or forwarder IP addresses are listed under Driver Hosts

Checks To Perform after Upgrading to Releases 21.1.1 or Later

If you are upgrading your system from Release 20.2.4 to Releases 21.1.1 or later, issue the following commands from the shell:

% sudo rm -rf /opt/versa_van/apps/apache-tomcat/webapps/versa*
% vsh restart

In Releases 21.1.1 and later, you cannot access the Versa Analytics application using port 8080. This is to avoid any security vulnerabilities. By default, only secure ports 443/8443 are enabled in Analytics. For Director-to-Analytics communication, port 8443 is used. The upgrade on Director nodes ensures that the northbound interface port automatically changes from 8080 to 8443. Certificates required for SSL communication from Analytics to Director nodes are also automatically synched.

If there is no communication between Versa Director and Versa Analytics nodes, perform the following steps:

  1. Check whether any firewall rule is blocking Versa Director to Versa Analytics communication on port 8443.
  2. Connect to Versa Analytics directly at the URL https://analytics-ip-address to determine whether the portal is accessible. This ensures that the application is reachable using a secure port and that the SSL certificate is valid.
  3. Log in to the Analytics node using the same username and password as the Director node. If the login is successful, this means that RBAC between the Analytics and Director nodes is working using a secure connection. If the login is not successful, install the Director certificate on the Analytics node, as described in
    https://support.versa-networks.com/a/solutions/articles/23000010418
  4. Log in to the Director shell and issue the following command to check whether the Analytics truststore has been created on the Director node:
    admin@versa-director:/var/versa/vnms/data/certs$ ls -tlr versa_analytics_truststore.ts
    -rw-rw---- 1 versa versa 1274 Jul 30 05:42 versa_analytics_truststore.ts
    
  5. If the truststore file does not exist or if the Versa Analytics certificates were regenerated, resynchronize and import the Analytics certificates by running the vd-van-cert-upgrade.sh script in the active Director shell. This script transfers the Analytics certificates from each of the Analytics nodes configured under the connectors and then imports them. You must restart the Director node for the certificate to take effect.
    admin@versa-director:~$ sudo su - versa
    versa@versa-director:~$ /opt/versa/vnms/scripts/vd-van-cert-upgrade.sh --pull
    

For example:

versa@versa-director:.../vnms/scripts$ ./vd-van-cert-upgrade.sh --pull
Pulling Analytics certificates to Director key store
Checking previous version config path
Changing port for [Analytics]
No modifications to commit.
Port Migration completed
VAN Clusters IPs: [ 10.48.189.23 ]
Removing previous analystics cert store
Getting Certificate for : 10.48.189.23
depth=0 C = US, ST = California, L = Santa Clara, O = versa-networks, OU = VersaAnalytics, CN = versa-analytics
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, L = Santa Clara, O = versa-networks, OU = VersaAnalytics, CN = versa-analytics
verify return:1
DONE
Importing Certificate for : 10.48.189.23
Certificate was added to keystore
Certificates Imported... Requires restart.. Do you want to post pone restart (y/N): N
[sudo] password for versa:
Stopping VNMS service
------------------------------------
Stopping TOMCAT................[Stopped]
Stopping REDIS.................[Stopped]
Stopping NETBOX-IPAM...........[Stopped]
Stopping POSTGRE...............[Stopped]
Stopping SPRING-BOOT...........[Stopped]
Stopping SPACKMGR..............[Stopped]
Stopping NCS...................[Stopped]
* Stopping daemon monitor monit
Starting VNMS service
------------------------------------
Starting NCS...................[Started]
Starting POSTGRE...............[Started]
Starting NETBOX-IPAM...........[Started]
Starting SPRING-BOOT.......... [Started]
Starting REDIS.................[Started]
Starting TOMCAT................[Started]

Fusion Database Upgrade Information

In Releases 20.x and later, Versa Analytics supports a new database platform called Fusion, which is based on open source technology. When you freshly install an Analytics cluster using a Release 20.x or Release 21.x ISO/QCOW2/OVA image, the Fusion database is automatically enabled. If you are upgrading from Release 16.1R2 to Release 20.x or Release 21.x, you must run additional scripts after you upgrade the software to install Fusion database and migrate the data.

The following are some of the frequently asked questions related to this database upgrade:

  • Why should we upgrade the database to Fusion?
    • The Fusion database uses the latest version of database software that provides better scaling and performance, and fixes many security vulnerabilities. The DSE database used in Release 16.1R2 has reached its end of life.
    • Although there currently is feature compatibility between the DSE Analytics database and the Fusion database, the two will soon need to diverge to take advantage of newer capabilities in the Fusion database, and so newer features may be available only in the Fusion database.
  • Will there be any impact on reports and features after the upgrade?
    • All reports and features available in Release 16.1R2 are also available in Releases 20.2 and later and in Releases 21.1 and later. Additionally, the new releases provide many new reports and features and vulnerability fixes.
  • I am using Versa Analytics Release 16.1R2. I want to upgrade to Release 20.2 and later or Release 21.1 or later. Which image do I download and how do I upgrade?
    • The first step is to upgrade the software version to Release 20.2.2 or 21.1.1, as described in Upgrade to Release 21.1, above. The software update does not automatically upgrade the database to Fusion. The underlying DSE database remains, and all functions work using DSE.
    • Then upgrade the database to Fusion. To do this, you can use a cluster upgrade script to uninstall the DSE packages and install Fusion packages. This script upgrades one node at a time. Historical data is preserved and real-time search data is truncated. The upgrade scripts and related documentation are available here:
      https://versanetworks.box.com/s/8pdi9ppyjzfq8cx53s10l3zbwt6k2kbw
    • If you are upgrading a large database or have issues while running the upgrade scripts, contact the Versa Support team.
  • Is it possible to upgrade only Versa Analytics to Release 20.x or Release 21.x to use the Fusion database?
    • Release 20.2.2 of Versa Analytics is backward compatible with Releases 16.1R2S10 and 16.1R2S11 of Versa Director and Versa Operating System™ (VOS™) (previously called FlexVNF).
    • Release 21.1.1 of Versa Analytics is backward compatible with Releases 16.1R2S10 and 16.1R2S11, and with Release 20.2.2 of VOS. However, Versa Director and Versa Analytics must be running Release 21.1.1.
  • Will there be downtime during upgrade to Release 21.1.1?
    • The upgrade from Release 16.1R2 to Release 20.2.x or 21.1.x is like any other upgrade in that only the Versa application software is upgraded. During the upgrade process, data is not lost. When you upgrade the database from DSE to Fusion using the upgrade script, there will be some downtime for the database operations (approximately 1-2 hours), depending on the size of the cluster. You will not lose any logs, and streaming to third-party collectors will not be interrupted. To reduce the downtime, you can bring up a new cluster that is running Release 20.2.x or 21.1.x, and then configure the Controller to use the server IP addresses of the new cluster so that logs start flowing to the new cluster. If data stored in the older cluster must be migrated to the new cluster, use one of these options:
      • Export the archived data from the old cluster to the new cluster, and then restore it. Depending on the number of days and size of the data, this can take some time because archive logs do not differentiate between the type of data. All the data for the specified interval is transferred and restored. The scripts to trigger log transfer and restore are available here:
        https://support.versa-networks.com/a/solutions/articles/23000008970
      • Export the processed data from the old cluster to the new cluster, and then restore it. Here, you can specify the type of data you want to export and restore. The script is available here:
        https://versanetworks.box.com/s/vryjpluuv18dfat03hxb5a49pgws0cx5

For more information, see Migrate the Versa Analytics Database from DSE to Fusion.

New Features

This section describes the new Versa Analytics features in Release 21.1.

  • Alarm settings enhancements—(In Releases 21.1.3 and later.) You can set alarms for CPU utilization, disk utilization, memory utilization, and Analytics driver stuck. You can override the low-threshold and high-threshold severities for threshold alarms. You can configure the severity for setting and clearing alarms.

    add-alarm-settings.png

  • APM statistics—(In Releases 21.1.3 and later.) You can display the APM statistics for an application. To do so, drill down on the application. For example:

    apm-statistics.png

  • Appliance log activity report—You can find a log activity summary for all appliances at Dashboards > System > Appliance Activity tab. For example:

    appliance-log-activity-report.png

    Drill down to view historic appliance log activity for the configured interval. For example:

    appliance-log-activity-over-time.png

  • Application performance monitoring (APM)—(In Releases 21.1.1 and later.) If you enable TCP performance monitoring on sites running SD-WAN, statistics corresponding to TCP sessions are exported to Analytics. Statistics are aggregated per tenant, appliance, application, source, destination prefix, and WAN link. The metrics include round-trip time, aborted and refused counts, session and packet counts, and retransmission counts. These metrics are used to calculate the quality of the application. The application rank is computed as a value from 1 through 100, where 1 is the best performing application and 100 is the worst. The application rank is displayed on the SD-WAN dashboard:

    application-performance-monitoring.png

    The following example drilldown shows that there is poor performance on some SSL sessions because of high retransmissions.

    apm-drilldown.png
     
  • Application uptime—(In Releases 21.1.1 and later.) You can display the amount of time that has elapsed since an application started at the Administration > Version tab:

    application-uptime.png
     
  • DIA traffic rules statistics—(In Releases 21.1.3 and later.) The SD-WAN site dashboard shows statistics for DIA rules on the following screens.
    dia-rules-1.png

    dia-rules-2.png
  • DNS proxy report enhancements—You can store DNS proxy parent and child session logs in the search engine. You can display the DNS proxy logs at Logs > DNS Proxy, and you can search one or more fields of the logs and drill down to related logs and to the parent session log. To find the parent session log, click the icon under the Parent Log column. You can view predefined reports at Logs > DNS Proxy > Charts. For example:

    DNS-proxy-support-enhancements.png

    Drill down on the parent icon to view details about the parent session log. For example:

    DNS-proxy-support-enhancements-drilldown.png
     
  • GUI support for log collector exporter configuration—(In Releases 21.1.2 and later.) The log collector exporter configuration page has been enhanced to support additional configuration options:
    • Configure remote collector with destination FQDN instead of destination IP address—In the remote collector, you can configure a destination IP address or a fully qualified domain name (FQDN). If you configure an FQDN, the DNS server listed in the /etc/resolv.conf file must be reachable from the log collector to perform the name resolution. Alternatively, you can configure /etc/hosts with the hostname and IP address.

      remote-collector.PNG
    • Configure primary collector in remote collector group—This configuration ensures that when multiple collectors in a collector group are in the Established state, the primary collector is marked as the active collector.

      remote-collector-group-primary-collector.PNG
    • Configure exporter rules with matching log subtypes—In the exporter rules, apart from log types, you can specify subfields for a granular match. For example, to export only severity cleared, critical, or major, select the following log types:

      exporter-rules-log-types.PNG
      You can match various log types with subfields as listed below:
       
      Field        Subfields         Description
      alarm-log    alarm-type        List of alarm types
                   severity          List of alarm severity
      bw-mon-log   sub-type          List of bandwidth monitoring statistics types
      dos-log      Threattype        List of threat values
      idp-log      Threattype        List of threat values
      urlfLog      reputationLevel   List of URL values
      mon-log      Subtype           List of monitoring statistics types

    • Configure system settings—To configure system settings for NTP and alarm, select Analytics > Administration > Configuration > Log Collector Exporter in the left menu, and then, in the Log Collector Configuration window, select the System tab for the host.

      log-collector-config-system-tab.PNG
  • “is not equal to” log filter—You can filter for logs by specifying “is not equal to” for any fields, as shown here:

    not-equal-to.png
     
  • Kafka third-party log collector and log email notification—(In Releases 21.1.1 and later.) You can configure the Analytics log collector and exporter to send the logs to one or more third-party collectors in syslog format using TCP/UDP/SSL transport. In Releases 21.1.1 and later, you can stream logs and events to the following interfaces:
    • Apache Kafka cluster—You can configure the log collector to send the logs to a customer’s Kafka cluster. To do this, you configure the Kafka cluster as a remote collector in the log collector exporter configuration. Logs are streamed in structured syslog format to the Kafka cluster. See Configure Log Collectors and Log Exporter Rules.
    • Email notification service—For critical security events, e-mail alerts/notifications can be sent to users from the log collectors using a new email notification service called van-notif-agent. It can be configured to run on the log collector nodes and can send emails with summary of the events and/or detailed log information at configured intervals. See Configure Log Collectors and Log Exporter Rules.
  • Log collector exporter enhancements—(In Releases 21.1.1 and later.)
    • GUI support for log collector exporter configuration—The log collector exporter configuration page has been enhanced to use a new framework to add, delete, modify, and clone the local collector, remote template, remote collector, remote collector group, and exporter rules configuration:

      log-collector-exporter-local-collector.png
       
    • GUI support for log collector exporter status and statistics display—You can display log collector status and statistics information at a global level, for a local collector, for a remote collector, or for a rule, for all log collectors or for a specific log collector:

      log-collector-exporter-local-collector-2.png
       
    • Alarm configuration—To generate alarms for a remote collector down event or when the queue utilization exceeds the threshold, you can enable the following configuration settings. Note that you can configure alarms only from the CLI. The generated alarms are stored in the /var/log/alarms.log file.

      versa@Search1% show
      [edit log-collector-exporter settings alarms]
      remote-collector-queue-utilization {
          low-threshold 75;
          high-threshold 90;
          soak-time      5;
      }
      remote-collector-down {
          soak-time ;
      }


      Examples of the generated alarms are:

      tail -f /var/log/alarms.log
      Aug 19 09:07:57 Analytics1 versa-lced: [rem-coll] [rem-coll-down] [2020-08-19T09:07:56-0700] Remote collector RC2 down
      Aug 19 09:08:01 Analytics1 versa-lced: [rem-coll] [rem-coll-down] [2020-08-19T09:08:01-0700] Remote collector RC2 up
      Aug 19 09:14:28 Analytics1 versa-lced: [rem-coll] [rem-coll-q-util] [2020-08-19T09:14:27-0700] Remote collector RC1 queue has exceeded threshold value (utilization: 60%)
      Aug 19 09:14:28 Analytics1 versa-lced: [rem-coll] [rem-coll-q-util] [2020-08-19T09:14:28-0700] Remote collector RC1 queue is now available (utilization: 23%)
      Aug 19 09:15:26 Analytics1 versa-lced: [rem-coll] [rem-coll-q-util] [2020-08-19T09:15:25-0700] Remote collector RC1 queue near exhaustion (utilization: 75%)
      Aug 19 09:15:26 Analytics1 versa-lced: [rem-coll] [rem-coll-q-util] [2020-08-19T09:15:26-0700] Remote collector RC1 queue is now available (utilization: 45%)
    • Exporter rules support for match on more granular types and subtypes—Exporter rules define which logs received by the local collector to stream to a remote collector. The match criteria have been enhanced to include more log types, and you can match based on specific values inside the logs by configuring features with matching criteria. See Configure Log Collectors and Log Exporter Rules.

    • Operational commands to log restore and clear archive jobs—You can restore and delete archive logs from the CLI, using the request system storage archive restore and request system storage archive delete commands. See Manage Analytics Logs.

  • Network prefix in SD-WAN application subscriber report—The SD-WAN application subscriber report displays information about applications and their users. You can determine a username by configuring an IP address-to-user mapping. If you do not configure a mapping, the source IP address of the traffic flow is used as the username. The SD-WAN application subscriber report has been enhanced to display the network prefix, which is the destination address prefix of the traffic flow, if this information is received in the logs from the VOS devices. By default, VOS devices do not send network prefix information. To enable the sending of network prefix information, issue the following command:
admin@branch-cli(config)% set system parameters lef usage-stats-logging sdwan app-user-inc-dest-ip-prefix true

To view the network prefix information, drill down from the Application page. For example:

network-prefix-in-SD-WAN-app-subscriber-report.png
 

  • Operational commands to log restore and clear archive jobs (In Releases 21.1.2 and later.)
    • Logs are archived after they are processed by the log collector—You can view, restore or delete the logs from the Administration > Maintenance > Log Archives menu:

      log-archives.PNG
    • Delete archive logs—You can delete archived files for a specific tenant or appliance within a time range to help free disk space on log collector nodes.
    • Restore archive logs—Extracts archived files for a specific tenant or appliance and time range to a destination directory. If the destination directory is /var/tmp/log, the data is added back to the database.
    • View archive log details—Locates the specified number of archived files and file names of the oldest and newest files per tenant or appliance and per log collector.
  • Per-tenant Analytics data settings—For each tenant, you can define the data retention time, data granularity, and other data-related settings. See Analytics Datastore Limits in Versa Analytics Scaling Recommendations.

  • Primary and secondary log collectors—You can configure primary and backup log collectors. From a collector group, you can choose a specific collector to be the active, or primary, collector. If the primary collector is down, the next active collector is chosen from the group. When the primary collector comes back up and remains up for a configurable interval, it becomes the active collector again. See Configure Log Export Functionality.
  • Reporting enhancements—(In Releases 21.1.1 and later.) The following enhancements have been made to reporting framework:
    • You can create a per-site report using a report template and apply it to other sites.

      site-report-create.png
      When you save the report, you can choose to copy the settings to other sites so that same report can be generated for the chosen sites.

      site-report-save.png

      You can view the generated reports as follows:

      generated-reports.png
       
    • You can combine data from multiple sites and appliances into a single time series chart. For example:

      combined-sites.png
       
    • You can generate reports about available bandwidth for SD-WAN access circuits. SD-WAN branches periodically export to Analytics the total available uplink and downlink bandwidth for each WAN link. If you enable a speed test to the branches, the uplink and downlink bandwidth that is reported by the speed test utility is exported. If you do not enable a speed test, the configured uplink and downlink bandwidth is exported.

      available-bandwith.png
       
  • Retention configuration per Analytics report type—You can set different retention values for daily and hourly time-to-live (TTL) data, as shown here:

    retention-configuration.png
     
  • SD-WAN site and link availability—(In Releases 21.1.1 and later.)
    • Site availability, a feature available before Release 21.1, indicated the reachability of a site from the controller point of view. If the controller lost connectivity to a branch, it sent a site disconnect message that was used to compute the availability. If all controllers lost connectivity to the branch, the site was marked down. Otherwise, it was marked up. This implementation did not work as expected in some scenarios, causing the availability computation to be inaccurate. Release 21.1.1 implements a new logic that relies on a combination of SLA metrics between sites and controllers and log activity from the site to determine site availability. In addition to the up/down state, a new degraded state is determined using the SLA loss metrics that indicate brownout conditions. If no SLA metrics are received for a site and if there is no log activity from the site for more than 10 minutes, the site is marked down.
    • Link availability is a new feature that provides the health of the link based on the SLA metrics received from the site and controller for each WAN link of the site. SLA metric values are used to determine whether the state is up, down, or degraded. If no SLA metrics logs are received for more than 10 minutes, the link is marked down. Drill down on a site to display site and link availability charts. In the charts, green represents the up state when availability is >= 98 percent, orange represents a degraded state when availability is < 98 percent, and red represents the down state when availability is < 5 percent.

      link-availability.png

      You can use the reporting framework to generate site and link availability reports for a tenant or a specific appliance:

      availability-for-specific-tenant-appliance.png

      See SD-WAN Dashboard.
  • Note: If you upgrade an Analytics cluster from Release 16.1R2 or Release 20.2 to Release 21.1, availability data that was displayed before the upgrade is not available after the upgrade because of changes in the software implementation. To keep track of the previous information, use the reporting tool to create and download the availability reports before you perform the upgrade.

  • Site availability summary table—You can generate a report for percentage site availability for all of a tenant's sites. For example:

    site-availability-summary-table.png
     
  • Site tag report—(In Releases 21.1.1 and later.) In Versa Director, you can set one or more site tags for a VOS device, and a filter has been added to the SD-WAN dashboard that allows you to drill down to a site or a site tag. If you choose a site tag, the dashboard displays data only for sites that match the site tag, thus providing a consolidated view for all sites matching the tag.

    You set the site tags in Versa Director. For example:

    site-tags-director.png
    You choose the site tags from the SD-WAN dashboard:

    site-tag.png

    Drill down on a site tag to display a dashboard for sites matching the site tag. The following example is for site tag “Controller”:

    site-tag-drilldown.png

  • Statistics in SD-WAN dashboard—(In Releases 21.1.1 and later.) The SD-WAN dashboard has been enhanced to include statistics blocks that provide a high-level overview of the tenant.

    sd-wan-statistics.png

    Drill down support is available for some of the reports to display information about sites with errors and anomalous conditions. For example:

    sd-wan-statistics-drilldown.png
  • Subscription lifecycle updates—(In Releases 21.1.1 and later.) A number of changes have been made to the subscription lifecycle, including the following. See Subscription Lifecycle.
    • Licenses are valid for 1, 3, or 5 years.
    • License subscriptions do not support the Created and Suspended states.
    • A license is immediately activated after the device performs ZTP.
    • Manual license activation is not required.
  • TACACS+ support for Analytics nodes—You can use TACACS+-based authentication, authorization, and accounting (AAA) to provide access to Analytics nodes. You can configure up to four TACACS+ servers on each Analytics node. See Configure TACACS+.

  • Ubuntu Release 18.04—You can use Ubuntu Release 18.04 (Bionic Beaver) as the base Linux platform for running the Versa Analytics database, log collectors, and application. The release supports an .iso file, which you can install on bare-metal platforms or virtual machines (VMs). Releases 21.1.1 and later support the Release 18.04.04 host OS for VOS devices.

  • Usage and session logging control default settings—In Release 20.2.2, Versa introduced system settings for usage monitoring logging control (send top-n firewall source and destination statistics and send top-n SD-WAN application user statistics) and for session monitoring logging control (include session ID in firewall logs and include session ID in SD-WAN logs). In Releases 21.1.1 and later, default values are set for the top-N values. Also, including session ID parameters in logs is enabled by default. See Configure Firewall and SD-WAN Usage Monitoring Controls.
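
The remote-collector alarms stored in /var/log/alarms.log (see Alarm configuration under Log collector exporter enhancements, above) show when a remote collector was down or its queue was filling, which is when exported logs may not be reaching a third-party collector. The following Python is an added example, not Versa code: it parses that alarm format and reports outage windows and uncleared queue alarms per collector. The function names are hypothetical, the line layout is assumed from the six sample alarm lines on this page, and the two extra sample lines are constructed.

```python
import re
from datetime import datetime

# Layout assumed from the sample alarm lines on this page:
# <syslog header> versa-lced: [rem-coll] [<alarm>] [<ISO time>] Remote collector <name> <text>
ALARM_RE = re.compile(
    r"versa-lced: \[rem-coll\] \[(?P<alarm>rem-coll-down|rem-coll-q-util)\] "
    r"\[(?P<ts>[^\]]+)\] Remote collector (?P<name>\S+) (?P<text>.+)$"
)
UTIL_RE = re.compile(r"\(utilization: (\d+)%\)")

SAMPLE_LINES = [
    # The first six lines are the alarm examples shown on this page.
    "Aug 19 09:07:57 Analytics1 versa-lced: [rem-coll] [rem-coll-down] [2020-08-19T09:07:56-0700] Remote collector RC2 down",
    "Aug 19 09:08:01 Analytics1 versa-lced: [rem-coll] [rem-coll-down] [2020-08-19T09:08:01-0700] Remote collector RC2 up",
    "Aug 19 09:14:28 Analytics1 versa-lced: [rem-coll] [rem-coll-q-util] [2020-08-19T09:14:27-0700] Remote collector RC1 queue has exceeded threshold value (utilization: 60%)",
    "Aug 19 09:14:28 Analytics1 versa-lced: [rem-coll] [rem-coll-q-util] [2020-08-19T09:14:28-0700] Remote collector RC1 queue is now available (utilization: 23%)",
    "Aug 19 09:15:26 Analytics1 versa-lced: [rem-coll] [rem-coll-q-util] [2020-08-19T09:15:25-0700] Remote collector RC1 queue near exhaustion (utilization: 75%)",
    "Aug 19 09:15:26 Analytics1 versa-lced: [rem-coll] [rem-coll-q-util] [2020-08-19T09:15:26-0700] Remote collector RC1 queue is now available (utilization: 45%)",
    # Constructed lines: an unrelated entry, and a "down" that never clears.
    "Aug 19 09:16:02 Analytics1 cron[2211]: constructed unrelated line",
    "Aug 19 09:20:00 Analytics1 versa-lced: [rem-coll] [rem-coll-down] [2020-08-19T09:20:00-0700] Remote collector RC2 down",
]


def parse_alarm(line):
    """Return a dict for one remote-collector alarm line, or None for anything else."""
    m = ALARM_RE.search(line.strip())
    if m is None:
        return None
    util = UTIL_RE.search(m["text"])
    return {
        # The bracketed ISO timestamp carries the UTC offset; the syslog header does not.
        "time": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S%z"),
        "collector": m["name"],
        "alarm": m["alarm"],
        "text": m["text"],
        "utilization": int(util.group(1)) if util else None,
    }


def summarise(lines):
    """Fold alarm lines into per-collector export health.

    Per collector: closed outages as (down, up, seconds), the start of an
    outage that has not cleared, and queue alarm count and peak utilization.
    """
    report = {}
    for line in lines:
        ev = parse_alarm(line)
        if ev is None:
            continue
        rc = report.setdefault(ev["collector"], {
            "outages": [], "down_since": None,
            "queue_alarms": 0, "peak_utilization": None, "queue_clear": True,
        })
        if ev["alarm"] == "rem-coll-down":
            if ev["text"] == "down":
                # Keep the first "down" if the alarm repeats before an "up".
                rc["down_since"] = rc["down_since"] or ev["time"]
            elif ev["text"] == "up" and rc["down_since"] is not None:
                gap = (ev["time"] - rc["down_since"]).total_seconds()
                rc["outages"].append((rc["down_since"], ev["time"], gap))
                rc["down_since"] = None
        else:  # rem-coll-q-util
            cleared = "is now available" in ev["text"]
            rc["queue_clear"] = cleared
            if not cleared:
                rc["queue_alarms"] += 1
                if ev["utilization"] is not None:
                    peak = rc["peak_utilization"]
                    rc["peak_utilization"] = max(peak or 0, ev["utilization"])
    return report


def needs_attention(report):
    """Collectors that are down now or whose last queue alarm has not cleared."""
    return sorted(name for name, rc in report.items()
                  if rc["down_since"] is not None or not rc["queue_clear"])


if __name__ == "__main__":
    summary = summarise(SAMPLE_LINES)
    for name in sorted(summary):
        rc = summary[name]
        print(name, "outages:", [gap for _, _, gap in rc["outages"]],
              "down since:", rc["down_since"],
              "queue alarms:", rc["queue_alarms"],
              "peak utilization:", rc["peak_utilization"])
    print("needs attention:", needs_attention(summary))
```
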

Fixed Bugs

The following are the critical and major defects fixed in Release 21.1.

Fixed Bugs in Release 21.1

Note that fixes for all bugs found in Release 16.1R2 through Release 16.1R2S11 and in Release 20.2.0 are available in Release 21.1.

Bug ID Summary

37786 When you export security logs from the Analytics tab in Director, filenames are the same for all types of logs.
38936 Upgrade bootstrap library used by Analytics UI to 4.1.3, to fix security vulnerabilities.
42207 Reporting framework issue: Editing a report with different chart type does not take effect.
42470 Empty data shown in Logs > Alarms > Summary screen when you drill down on some of the data points in the chart.
42471 During log filtering, if multiple search criteria are present, deleting a field in the middle removes all subsequent fields.
44354 Upgrading from Release 16.1R2 to Release 20.2 should preserve TTL global settings.
46355 Session counts on the grid were incorrect for larger values. Values were divided by 1024 instead of 1000.

Fixed Bugs in Release 21.1.1

Note that fixes for all bugs found in Release 16.1R2 through Release 16.1R2S11, Release 20.2.0, and Release 21.1 are available in Release 21.1.1.

Bug ID

Summary

50744

Allow Analytics SMTP password settings to use special characters.

52559

Display LTE interface bandwidth in the System > Interfaces > Hierarchy tab, which is consistent with what is reported in the Interfaces tab for WAN interfaces of type LTE.

55976

Application crashes because of memory exhaustion when queries retrieve large amount of data. Fix removes time series reports from the firewall source/destination tabs.

56485

Fix for uCPE guest VNF system memory load calculation error.

57010

Fix for invalid color coding for some LTE signal strength values.

57210

Breadcrumbs may not display the correct page.

58071

Add support for filtering IDP logs using signature identifier.

58597

Remove live data monitoring icon from SLA and QOS screens, because the feature is not supported.

58852

Add support for TLS v1.2 in Analytics SMTP configurations.

58894

Fix display of charts and table data for paths from local site to remote site and not to both directions, because important data is not displayed at the top.

Fixed Bugs in Release 21.1.2

Note that fixes for all bugs found in Release 16.1R2 through Release 16.1R2S11, Release 20.2.0, and Release 21.1.1 are available in Release 21.1.2.

Bug ID

Summary

57948

Fix to Secure Access Map icon when clustering is required. 

59084

Support for special characters in Analytics local user password.

61878

Time series chart in dashboards must aggregate per hour for last 7 days instead of using 5 or 15 minutes of data.

61960

Fix for negative availability value shown in some scenarios after upgrade to Release 21.1 if branches are still running previous releases.

62280

In log hierarchy, rename SD-WAN SLA Violation to Traffic Steering.

62427

Fix to show MOS value in time series charts in correct range. In Release 21.1.1, the value shown was divided by 100.

Fixed Bugs in Release 21.1.3

Note that fixes for all bugs found in Release 16.1R2 through Release 16.1R2S11, Release 20.2.0, and Release 21.1.2 are available in Release 21.1.3.

Bug ID

Summary

40495

Add support to display possible values for forwarding class filter under SD-WAN SLA metrics reporting.

55976

Fix application crash caused when too many queries led to heap exhaustion. Set a maximum limit of 200,000 records for a query.

56635

Fix for site filter not displaying all the sites and unable to set a filter when there are a large number of sites.

58314

PDF file generated from data tables does not show all columns because of a space issue. Fix to use appropriate zoom level to fit all the table columns.

59218

On the Reporting page, metrics limit was applied for time series, table data, and summary data. Fix to display only appliance metrics limit for summary data.

62308

Log collector exporter process in busy state when there are a large number of TACACS+ CLI accounting logs. Fix to process the logs in a staggered manner to avoid process overload.

63044

Fix for SD-WAN QoE chart displaying 50% score when path is completely down.

63264

Fix for breadcrumb when a page has multiple drill-downs.

63516

Site and link availability fixes:

  • When there is a loss of SLA monitoring data, display accurate state when Analytics node is running Release 21.x and VOS devices are running Release 16.1R2.
  • Display availability percentage as non-negative value.
  • Display availability percentage with 1 decimal place.
  • Display link availability even if Controller connectivity is not available for the links.
  • Add availability computation to handle logs that are received a few seconds after the sampling interval to avoid incorrect computation.

63892

Allow one metric selection for summary data using pie chart in reporting and dashboard. For metrics such as Volume Tx Rx, two pie charts are displayed side by side. This causes labels to overlap because of lack of space. In such cases, you can choose column or bar chart. For a pie chart, you can select only one metric.

64384

When tenant operator logs into Analytics node, administration page hides all tabs except for version.

64398

Add vsh command vsh monit [start | stop] to start or stop the Versa monitor service. The older command, sudo service monit start/stop, is deprecated for Ubuntu 18.04 (Bionic).

64567

Fix for setting the same tab position when user drills down with WAN link in SD-WAN site view.

64582

Fix for APM report drill-down with network prefix not working because of an incorrect field type.

64762

Add support for From User filter for all relevant logs such as firewall, SD-WAN, and threat filtering and detection.

64985

Once the admin unlocks a locked user configured through TACACS+, the unlocked user is not listed in the show system locked-users command output.

65108

Add support for offline map under Logs > Firewall > Charts if offline map is selected as the map provider.

65562

Editing a chart under reporting tab was not allowing change of chart type from PIE to LINE. Fixed to support updating chart types to any type.

66575

Vulnerability fix in Analytics application to prevent access to page with insufficient authorization.

66787

Add OS version in the show system package-info CLI command output.

66837

When you upgrade to Release 21.1.2, NTP server configuration is overwritten. This issue has been fixed.

67323

When there are multiple data tables, search filter is not showing the correct filter options. This issue has been fixed.

67399

Add missing metrics for various charts, and fix labels for the metrics to make them consistent.

68687

In Ubuntu 18.04 (Bionic), alarms raised by lced are flooding the console. This issue has been fixed.

68800

Fix for Show Domain Names setting not taking effect when the time range is changed under Logs > Firewall, SD-WAN, Threat Filtering, and Threat Detection when this option is enabled.

68986

Add support to display TCP APM table data sorted by Versa application rank.

68997

Include filters for SD-WAN rule-related table data.

69280

ETL monitoring under Administration > System Status is not displaying data for all hosts. This issue has been fixed.

Fixed Bugs in Release 21.1.4

Note that fixes for all bugs found in Release 16.1R2 through Release 16.1R2S11, Release 20.2.0, Release 21.1.2, and Release 21.1.3 are available in Release 21.1.4.

Bug ID Summary

64119

Under Administration > Configuration > Settings > System Monitoring tab, fix to reduce the input box size for various fields.

66573

Solr account password vulnerability fix.

70026

Under reporting, graph selection is not clear for the report type. Fix to highlight the selected graph.

70580

Fix to return a generic error message when Analytics portal request parameters have invalid characters.

71310

Vty command to display lced memory statistics shows negative values for used bytes for memory type LCED VMEM_ID_LCED_STOR_BUF when PCAP logging is enabled. Fix to avoid showing such values.

74842

Logs exported from log collector exporter using syslog CEF format were missing explicit applianceName field. Fix to add appliance name in logs sent using CEF format.

77477

Under Administration > System Status page, the disk load, memory used, and CPU load are sometimes not displayed. Fix to always display them.

78104

If a log connection is flapping, the logs are buffered until the connection is established. The id2Name log used for tenant/appliance identification needs to be sent before any other log after the connection is established. If logs are buffered, they are sent before the id2Name log, resulting in these buffered logs not having a tenant and appliance name. Fix is to send the id2Name log in a separate high-priority queue so that it is received before any other logs.

78900

Fix for performing autorefresh of Analytics page when configured with some interval.

80432

Fix to load all charts saved for the tenant under reporting when Load Report is enabled for users logged in with the tenant user role.

Known Issues

The following are the known issues in Release 21.1.

Known Issues in Release 21.1

Bug ID

Summary

41534 Custom role creation view box and log filter drop box closes automatically if you click outside the box.
42468 Solr collection creation failure during installation if hostname is not bound to the IP address on which solr is listening (interconnect IP address). As a workaround, place the solr interconnect IP address first in /etc/hosts.
42469 If you select an appliance in a map filter, to change the appliance name, you must erase the name and then choose another appliance name.
42555 Standby Director not responding to REST API calls, and you cannot register the standby Director until a failover is performed.
46001 Maintaining accounting records stops working, but resumes after you restart the auditd process.
46694 Collapse functionality is not working in Analytics dashboards. It is always in expanded state.
46722, 46723

Able to access Analytics from an AAA admin user who is not registered in the local user list.

Able to access Analytics with an aaauser who is not registered in the local user list and TACACS server. For remote authentication mechanisms, such as TACACS, two users are created by default on Analytics, aaaadmin and aaauser. User may be able to SSH into the Analytics node using these two users and default password. Need to block access for these users.

46730 Filter with port is not working if you add two port fields with 'is not equal to' operator.

Known Issues in Release 21.1.1

Bug ID

Summary

41534

Custom role creation view box and log filter drop box closes automatically if you click outside the box.

42468

Creation of search collection fails during installation if the hostname is not bound to the IP address to which the search node is listening (interconnect IP address). As a workaround, use the interconnect IP address of the search node as the first IP address in the /etc/hosts file.

42469

If an appliance is selected in the map filter to change the appliance name, it has to be erased to choose another appliance name.

42555

Standby Versa Director does not respond to REST API calls. You cannot register the standby Director until a failover is performed.

46001

Maintaining accounting records might stop working. To start it again, restart auditd.

54713

Users Map in the Secure Access dashboard works only if Google map is selected as the map provider in Administrator > Settings > Display Settings. Open Street Map is not supported.

58311

On bionic systems, the versa-lced process may not start when versa-confd does not start fully. To fix this problem, issue the vsh restart command.

58931

SD-WAN map might show all sites even when you select a site tag filter.

58938

Use sudo to run the cluster installation script from Versa Director running bionic image.

Known Issues in Release 21.1.2

Bug ID

Summary

41534 

Custom role creation view box and log filter drop box closes automatically when you click outside the box.

42468

Search collection creation fails during installation if hostname is not bound to the IP address on which the search node is listening (interconnect IP address). Workaround is to use the interconnect IP address of the Search node as the first IP address in /etc/hosts.

42469

If an appliance is selected in the map filter, to change the appliance name, it needs to be erased to choose another appliance name.

42555

Standby Director not responding to REST API calls. It is not possible to register the Standby Director until you perform a failover.

46001

Maintaining accounting records stops working and starts working after you restart the auditd process.

54713

User Map on the Secure access dashboard works only if you select Google Maps as the map provider under Administrator > Settings > Display Settings. Support for Open Street Map is not yet available.

58311

On bionic systems, the versa-lced process might not start because confd does not start fully. To fix the issue, issue the vsh restart CLI command.

58931

SD-WAN map displays all sites even when you choose the Site Tag filter.

58938

Use sudo to run the cluster installation script from a Versa Director running a bionic image.

62610

Quality of Experience between a pair of sites after SD-WAN optimization does not display correct values if there are no logs for the specific intervals.

Known Issues in Release 21.1.3

Bug ID

Summary

41534

Custom role creation view box and log filter drop box closes automatically if you click outside of the box.

42468

Search collection creation fails during installation if hostname is not bound to the IP address on which search node is listening (interconnect IP address). As a workaround, use the search node’s interconnect IP address as the first IP address in the /etc/hosts file.

42469

If you select a VOS device in the map filter, to change the appliance name, you must erase it and then choose another name.

42555

Standby Director node not responding to REST API calls. Cannot register standby Director node until a failover is performed.

46001

Maintaining accounting records stops working and then restarts after you restart auditd.

54713

Secure access dashboard Users Map works only if you select Google Maps as the map provider under Administrator > Settings > Display Settings.

58311

On Ubuntu 18.04 (Bionic) systems, in some cases, the versa-lced process does not start because versa-confd does not fully start. To correct this problem, issue the vsh restart CLI command.

58931

SD-WAN map displays all sites even when you choose a site tag filter.

58938

Use sudo to run the cluster installation script from a Director node that is running an Ubuntu 18.04 (Bionic) image.

66297

SD-WAN site, link availability, and QoE metrics can take up to 15 minutes to display accurate information for the latest time block, because they rely on the arrival of SLA and other logs to determine the state. There may be latency during log arrival or logs may be lost. To determine the state more accurately, analyze more log data over time.

Known Issues in Release 21.1.4

Bug ID Summary

41534

Custom role creation view box and log filter drop box closes automatically if you click outside of the box.

42468

Search collection creation fails during installation if the hostname is not bound to the IP address on which the search node is listening (interconnect IP address). As a workaround, use the Search node’s interconnect IP address as the first IP address in the /etc/hosts file.

42469

If you select an appliance in map filter, to change the appliance name, you need to erase the name and then choose another appliance name.

42555

The standby Director node does not respond to REST API calls, so the standby Director node cannot be registered until a failover is performed.

46001

Maintaining accounting records stops working and then starts working again after an auditd restart.

54713

The Users Map on the secure access dashboard works only if you select Google map as the map provider under Administrator > Settings > Display Settings.

58311

On Ubuntu Bionic systems, in some corner cases, the versa-lced process does not start because the versa-confd has not fully started. To fix the problem, issue the vsh restart command.

58931

The SD-WAN map shows all sites even when you choose a site tag filter.

58938

Use sudo to run the cluster installation script from a Versa Director node that is running an Ubuntu Bionic image.

66297

SD-WAN site, link availability, and QoE metrics can take up to 15 minutes for the latest time block to show accurate information, because they rely on the arrival of SLA and other logs to determine the state. There could be latency during log arrival, or logs could be lost. For accurate state determination, analyze more log data over time.

Request Technical Support

To request technical support, visit http://support.versa-networks.com. If you are contacting support for the first time, register and create an account. You can also send email to support@versa-networks.com or contact your Versa Networks sales account team.

Additional Information

Deployment and Initial Configuration

Revision History

Revision 1—Release 21.1, December 20, 2019
Revision 2—Release 21.1.1, August 21, 2020
Revision 3—Release 21.1.2, December 1, 2020
Revision 4—Release 21.1.3, June 6, 2021
Revision 5—Release 21.1.4, April 27, 2022

Versa Director Release Notes for Release 21.1

These release notes describe features, enhancements, fixes, and known issues in Versa Director Software Release 21.1, for Releases 21.1.0 through 21.1.4. Release 21.1.1 and later are generally available (GA) releases and are supported for use in production networks.

April 27, 2022
Revision 5

Install the Versa Director Software

To install the Versa Director software, see the Deployment and Initial Configuration articles.

Upgrade to Release 21.1

To upgrade to Release 21.1, see the Upgrade Software on Headend and Branch article.

Downgrade the Software

To downgrade to the software image that had been installed immediately before you performed the upgrade, issue the following command:

Administrator@versa-director> request system rollback to snapshot-timestamp

The Versa Director configuration and image are restored to the state when the snapshot was taken. Note that any configuration changes done since the snapshot was taken are lost when you perform the rollback operation. See Upgrade Software on Headend and Branch for information about upgrading HA-enabled Director nodes.

Install the Software License for Versa Director

Versa Director is controlled by a software license. You must obtain a valid license file by contacting Versa Networks Customer Support.

Note the following:

  • Versa Director software ceases to operate after a 15-day trial period, so you must obtain a license key within that time.
  • On all newly installed Versa Directors, you must run the Versa Director startup script, /opt/versa/vnms/scripts/vnms-startup.sh, to correctly configure the Director network interfaces for their intended function (for example, interface eth0 for northbound communication towards OSS systems and for UI access, and eth1 for southbound communication towards VOS devices).

VOS Version Compatibility

Release 21.1.2 of Versa Director is compatible with the following VOS versions:

  • 21.1.2
  • 21.1.1
  • 20.2.2
  • 20.2.3
  • 16.1R2S11
  • 16.1R2S10.1
  • 16.1R2S9

Releases 21.1.3 and later of Versa Director are compatible with the following VOS versions:

  • 21.1.3
  • 21.1.2
  • 21.1.1
  • 20.2.4
  • 20.2.3
  • 20.2.2
  • 16.1R2S11
  • 16.1R2S10.1
  • 16.1R2S9

Releases 21.1.4 and later of Versa Director are compatible with the following VOS versions:

  • 21.1.4
  • 21.1.3
  • 21.1.2
  • 21.1.1
  • 20.2.4
  • 20.2.3
  • 20.2.2
  • 16.1R2S11
  • 16.1R2S10.1
  • 16.1R2S9

Release 21.1 of Versa Director is not fully configuration-compliant with other versions of VOS software. If you commit templates or make direct configuration changes in the Appliance view UI to non-compatible VOS releases, the commit or configuration changes may be rejected with an RPC error.

New Features

This section describes the new Versa Director features in Release 21.1.

  • Active Directory and LDAP support—You can configure Active Directory (AD) authentication connectors to use secure LDAP. You can connect a Director node to AD using a secure channel, and the Director node can connect to an AD global catalog server. See Configure AAA.
  • Appliance tags—(In Releases 21.1.1 and later.) On the Appliances page, you can assign tags, which allows you to easily filter appliances using their tag values. To set tags for an appliance, click the Edit icon in the Tags column.

    Appliances_Tags.png

    To filter appliances by tags, enter tag values in the Appliance Tags search box. The search filter is saved for the duration of the current session. Appliances are displayed by the selected tags even if you navigate away from the Appliances window in the Administration, Configuration, or Monitor tabs.

    Appliance_Tags_Search.png

  • Autogenerated paired site IP address for active-active HA pair—When you use device workflows to configure an active-active HA pair, the bind data variable Paired_Site__location ID is autogenerated. If the value for this bind data variable is empty, it indicates that multiple device workflows can be paired. In this case, you must enter the generated paired site ID of the other device, which must be running HA.

  • CPI 810 digital certificate compliance—To support CPI 810 digital certificate compliance, a Director node triggers an alarm when an SSL certificate has expired or is about to expire (a warning alarm for 30 days remaining, and a critical alarm for 7 days remaining). The Director node automatically clears the alarm when the certificate is renewed.
  • Device-level service templates—You can add specific device-level service templates on top of the group-level service templates, allowing you to specify a group-level service description while still being able to perform device-level customization using templates. See Configure Basic Features.
  • Encryption of sensitive information—(In Releases 21.1.1 and later.) Sensitive information, such as IPsec PSKs, OSPF passwords, and user passwords, is encrypted in templates, bind variables, and appliance configurations. The VOS device and the Director CLI display these sensitive fields in encrypted format. After you upgrade a Director node to Release 21.1.1, existing unencrypted fields are not automatically encrypted. To encrypt the keys, access the configurations and then save them.

    Encryption_Information.png

    To disable the encryption feature from the Versa Director CLI, issue the following command:

    Administrator@Director% set system settings encrypt-data enable-encrypting-sensitive-info false
    
  • IPAM overlay addressing assignment—(In Releases 21.1.1 and later.) Versa Director supports IPAM-based IP address allocation for device overlay tunnels (ESP and VXLAN) and for staging IP address pools on Controllers and hub controller nodes (HCN). IPAM is an internal service on Versa Director and runs as a container. The main features of IPAM-based addressing allocation are:
    • Organization ID and device ID are not encoded in the IP address allocated to a device.
    • You can add multiple smaller address pools in the overlay addressing configuration based on your requirements. With IPAM, you can deploy an SD-WAN network with a small overlay IP pool or pools: a /8 or /16 prefix is not required.
    • The next available address in the pool is allocated to a new device being created.
    • When you upgrade Versa Director, currently configured overlay address pools and allocated addresses are migrated automatically to the IPAM module.
    • During the upgrade process, if the validation script finds that an address is allocated to multiple devices, the upgrade process fails. You must rectify duplicate addresses before attempting an upgrade.

      Overlay_Address_Prefixes.png
  • Kafka client—Versa Director can now stream high volumes of data to Kafka servers. Kafka is a TCP-based streaming protocol and API implementation. The protocol defines all APIs as request-response message pairs.
  • Layer 2 template workflows—(In Releases 21.1.1 and later.) Template workflows are enhanced with Layer 2 configuration, to allow you to configure virtual switches, Layer 2, and IRB interfaces. You configure organization-level virtual switches under Configuration > Objects > Virtual Switches, as shown below:

    Virtual_Switch.PNG

    When you create an organization using a workflow, a default virtual switch is automatically generated. You can configure bridge domains within each virtual switch using the bridge domain name and a VLAN ID. Bridge domains are named VLAN segments. Bridge domain names and VLAN IDs must be unique within a virtual switch.

    Bridge_Domains.PNG

    In the Workflows > Templates workflow, a new interface type, L2, is added in the Interfaces tab. To select the Layer 2 interface, click the interface icon to mark a port as a Layer 2 port.

    Templates_Interfaces.png

    Layer 2 interfaces are displayed in the Interfaces tab > Layer 2 Interfaces tab. You can configure Layer 2 workflows in Basic or Advanced mode. The following screen shows basic mode:

    L2_interfaces_basic.PNG

    In advanced mode, you can select different organizations across subunits of the same port and specify a bridge domain for line translation. The following screen shows that the virtual switch added earlier is available for the organization in the Layer 2 workflows.

    L2_interfaces.png

    You can configure IRB interfaces as LAN or WAN. The VLAN ID of the IRB must map to a VLAN ID in the Layer 2 workflow interfaces for the organization of the LAN/WAN interface. If there is a mismatch, the template workflow deployment fails.

    Templates_LAN_interfaces.png

    See Configure Layer 2 Forwarding.

  • Next-generation RBAC framework—A next-generation RBAC framework replaces the NCS RBAC framework. Versa Director has used the NCS NACM framework to provide role-based access control (RBAC), but as the number of objects grows in the system, performance degrades and a large amount of framework data is created, resulting in slowness when you create or delete appliances or create templates. The next-generation RBAC framework improves performance and allows a Director node to handle more devices. With these changes, only the Director GUI and the REST API are protected by RBAC; the CLI is not protected by RBAC. This results in two consequences:
    • Any user who has access to a Director node can see all data that is available in the CLI. Therefore, it is highly recommended that you limit access to the Director node.
    • For external authentication, only a user with the role ProviderDataCenterSystemAdmin can SSH and SCP to a Director node. Users with any other role cannot log in to the Director node. The Director node can no longer differentiate between an operator and an admin user, so all roles will have the same access to the system. This enhancement safeguards the Director node by limiting the users who can access the system.
  • Order of service templates policy rules—(In Releases 21.1.1 and later.) In previous software releases, when you applied service templates, the rules with a higher priority were inserted after rules with lower priority. In Release 21.1.1, this behavior has been changed so that the higher-priority rules precede the lower-priority rules. This change is in effect wherever you order the rules, because in the VOS software, rules with a higher priority take precedence over the rules with a lower priority. In the stack of templates (main and service templates) applied on a device, the lower the template in the order, the higher the priority the configuration in the template becomes. For policy rules, such as firewall and traffic steering rules, rules from the template in the lower order are added to the top of the rules stack.
  • Redundant authentication connector—Versa Director allows you to configure multiple redundant authentication servers for RADIUS, TACACS, LDAP, and Active Directory (AD). Authentication by external servers is based on the configured order. If the first authentication server is not reachable, authentication falls back to the next server. See Configure AAA for User Authentication.
  • Schedule automatic software upgrades—You can schedule software upgrade tasks to occur automatically. You can commit tenant-specific templates and download or upload software to one or more appliances at the same time. You can edit or cancel an automatic software upgrade at any time. See Upgrade Software on Headend and Branch.
  • Schedule template commit and appliance upgrade—(In Releases 21.1.1 and later.) You can schedule template commits to VOS devices or software upgrades. If a VOS device is not reachable at the time of the scheduled job, you can set the option for the system to automatically execute the job when the VOS device becomes reachable.

    Commit_Template_Schedule.png

    You can view the scheduled and executed jobs from the Administration > Scheduled Tasks menu:

    Edit_Scheduled_Task.png

  • SD-WAN workflows and AWS Transit Gateway integration—(In Releases 21.1.1 and later.) Versa Director fully automates the configuration of site-to-site IPsec tunnels by calling AWS APIs to create Network Manager objects such as devices, site, links, and customer gateways, and by creating a VPN connection between the transit gateway and the customer gateway. When you create an IPsec tunnel between a VOS device and an AWS transit gateway registered in the AWS global network under Network Manager, manual configuration of IPsec tunnels and VPNs is not required. You can manage and view all site-to-site tunnels from a VOS device to the AWS transit gateway, Azure Virtual WAN, and Zscaler. This support, which uses Secure SD-WAN from the Versa Secure Cloud IP Platform as the branch on-premises CPE solution, enables dynamic and secure branch-to-branch and secure branch-to-AWS connectivity, with SD-WAN application-aware intelligent traffic steering across the AWS-powered backbone.

    To configure the VPN, use the Tunnels tab in the Template workflow:

    AWS_TGW_Template.png

    To enter connector and AWS details, use the Tunnel Information tab in the Add Device workflow:

    Add_device.png

  • Signature verification for software package uploads—(In Releases 21.1.1 and later.) You can use digital signature verification to verify Versa Director and VOS software packages that are uploaded using a Versa Director node. See Configure Signature Verification for Software Package Uploads.
  • Subscription lifecycle updates—(In Releases 21.1.1 and later.) A number of changes have been made to the subscription lifecycle, including the following. See Subscription Lifecyle.
    • Licenses are valid for 1, 3, or 5 years.
    • License subscriptions do not support the Created and Suspended states.
    • A license is immediately activated after the device performs ZTP.
    • Manual license activation is not required.
  • Ubuntu Release 18.04—You can use Ubuntu Release 18.04 (Bionic Beaver) as the base Linux platform for Versa Director. The specific software version is Ubuntu 18.04.4. Separate .bin and .iso software images are available for Ubuntu 18.04. Note that in Release 21.1, you cannot upgrade directly from Ubuntu Release 14.04 to Release 18.04.
  • Zscaler GRE tunnels—(In Releases 21.1.1 and later.) Versa Director supports the integration of Zscaler third-party site-to-site tunnels through workflow, to simplify the deployment of large-scale secure and optimized branch connectivity. You can create secure generic routing encapsulation (GRE) tunnels between a VOS CPE device and a device hosted in the cloud, in a data center, or by Zscaler, to optimize the connectivity between the VOS and cloud devices. The VOS CPE device can be a physical device or a cloud-based SD-WAN device.

    When you create a site-to-site GRE tunnel between a VOS device and an unmanaged cloud device, you must configure network details such as the site-to-site tunnel name, the tunnel protocol (as GRE), the LAN VRF, and the WAN/LAN network to establish the connection on the unmanaged device. To do this, you create a Workflow template in which you configure a tunnel and VPN profile for the unmanaged device:

    Templates_Tunnels.PNG

    To add a VPN profile for a GRE tunnel:

    Create_VPN_Profile.PNG

Enhancements

The following table lists the enhancements in Release 21.1.

Enhancements in Release 21.1

Feature Tracking Bug

Description

44704

Director triggers an alarm if the SSL certificate has expired or if it is in the critical (Last 7 days) or warning (Last 30 days) state. The alarm is cleared automatically when the certificate is renewed.

40804 When you use device workflow to configure the active-active HA configuration, the bind data variable Paired_Site__locationID is autogenerated. If the value is empty, you can pair multiple device workflows, entering the generated paired site ID of other device.

Enhancements in Release 21.1.1

Feature Tracking Bug

Description

39771

If you enable the scheduling of security packs (SPack) downloads, Versa Director automatically installs or updates the latest SPack on the Director node. In earlier releases, SPacks were downloaded only as part of scheduled SPack download.

42136

You can set the same priority on different hubs in a spoke group, to allow spokes to use multiple equal-priority hubs and to load-balance traffic.

43272

Tasks page filtering is enhanced in the GUI and filtering is done on the backend (server side). You can filter tasks based on username and domain name (organization). A new filter, AnyField, takes a search string and performs a regex search on all Task columns.

Tasks.png

45234

You can download a premium or sample version of an SPack from a cloud server to a Versa Director node and to VOS devices, based on the SPack user configuration. In earlier releases, you could download and install only premium SPacks.

47072

You can select only one of the following options from the Service Bandwidth drop-down list: 10 Mbps, 25 Mbps, 50 Mbps, 100 Mbps, 200 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, and 10 Gbps.

Service_Bandwidth.png

47083

Suspend and reactivate license subscription states have been deprecated, and these options have been removed from the Perform Subscription Action window. If CPEs are in the Suspended state when upgraded to Release 21.1.1, they are placed in the Activated state.

47085

A license period with the options 1 year (default), 3 years, and 5 years has been added in the following windows:

  • Create Template > Basic tab
  • Bare Metal Appliance Creation
  • Add Device Group
  • Perform Subscription Action

License period is displayed in the entitlement reports, monthly reports, and query page. Subscription renewal is calculated based on the license period.

47086

The isPrimary and isAnalyticsEnabled options are disabled in license subscription. These two options have been removed from the following windows:

  • Create Template
  • Metal Appliance Creation
  • Add Device Group
  • Perform Subscription Action

These two flags have been removed from the entitlement and monthly reports.

47089

You can view details about a license to determine how many licenses are active and how the licenses are being used. The license details displayed include the start and end dates, solution tier, bandwidth, location, and serial number. To view license details in Director view, select the Administration tab in the top menu bar, and then select Entitlement Manager > License Detail View Entitlement Manager in the left menu bar.

License_Detail_View.PNG

47819

The task start and end times are displayed according to the client browser's timezone. This means that for users in different time zones, the same task is displayed based on their local time zone. For example, suppose a task with ID 6 has start time as Sat, Jun 20 2020, 16:24:14 in UTC. If a user in the India timezone logs in to Versa Director, the start time of task with ID 6 is Sat, Jun 20 2020, 21:54:14 (because IST is UTC +5:30). If a user from the U.S. PST timezone logs in to Versa Director, the start time of the same task is Sat, Jun 20 2020, 8:24:14 (because PST is UTC –8).

48305

With IPAM-based overlay address allocation, Controller and hub controller node template workflows now provide a staging pool size for each WAN interface. You can disable the staging option on some WAN interfaces.
 

SDWAN.png

49318

Versa Director and VOS software packages have digital signatures that can be verified while the software packages are being uploaded to Versa Director. By default, this feature is disabled. You can enable it using the CLI or the GUI.

If you enable signature verification, you must upload the signature file while you are uploading the image. If the signature is verified, the uploaded image remains on the device. If signature verification fails, the uploaded image is deleted and the task fails.

Add_Package.png

51986

To detect any misconfiguration in Versa Director that can cause an upgrade failure, the configuration is validated as part of the upgrade. For more information, see the Before You Upgrade to Release 21.1.1 section, above.

52235

In the SSO configuration, the new option sp-entity-id allows interoperation with Azure AD SAML.

53346

When a session is close to timing out, Versa Director displays a global notification. Users are provided the option to continue with their current session.

53575

SD-WAN forwarding profiles have been enhanced to support path list–based circuit priorities (path-name-list, path-type-list, path-media-list and path-tags-list), last-resort priority, and an unmatched priority. Path list–based circuit priorities provide flexibility for defining priorities using exact match for local and remote circuits, thus removing the ambiguity about when to use AND or OR in match conditions for local and remote circuit priorities.

The new path list–based priorities and the existing circuit priorities model are mutually exclusive at a specific priority level. That is, if you select path list–based priorities, the current circuit priorities model is not allowed, and vice versa. However, you can select both types of priorities at different priority levels.

For the last-resort priority, paths configured with this priority are used when all other paths go down, thus allowing you not to use LTE paths when other paths are available.

The unmatched-priority defines the priority of the paths that are not configured explicitly. For example, if the unmatched priority is set to priority 2, any path that is not configured in the forwarding profile is considered as priority 2.

56910

To avoid users continuously sending mails for a forgotten password, you can configure the Forgot Password Request Time Interval, in seconds, to set how often users can make a request. The default interval is 900 seconds (15 minutes), and the minimum value is 60 seconds. This feature is enabled by default. If you do not require it, set a higher value for Forgot Password Request Time Interval in the User Global Settings window.

57530

Changed high availability GUI labels from Master and Slave to Active IP Address and Standby IP Address.

High_Availability.png

Fixed Bugs

The following tables list the critical and major defects that were fixed in Release 21.1.

Fixed Bugs in Release 21.1

Tracking Bug

Description

46503

The exported summary report does not show CPEs with 10-Gbps configured bandwidth.

46336

Staging template was not showing up in device group creation for parent organization.

46256

Some sites are missing from the entitlement query report.

45603

External 2FA is not redirecting to the enter code UI page when you use SMS.

45568

NAT traversal field in Director UI was showing as undefined in the UI and was not editable.

45546

AWS geographic locations Bahrain and HongKong regions were missing when creating SD-WAN gateway in a public cloud.

45203

Velocity template now sets the MTU of PPPoE interface to 1492.

45153

Device drop-down list did not skip invalid entries when populating in UI for security packages installation.

45025

Editing adaptive shaping settings in a service template causes a remote server exception.

40664

Update vnms-startup.sh to have more meaningful settings, such as "Prompt to set new password at first time UI login (y/n)?"

38900

Add a warning popup for the Clear button in the DHCP active leases section in the Services tab.

34601

Handle link-local address for IPv6 for URL-based ZTP.

Fixed Bugs in Release 21.1.1

Tracking Bug

Description

41606

Extending the IKE SA lifetime up to 24 hours is not working in Director UI under VPN profile.

41853

In static routes, exit interface can be none and next-hop IP address both must not be mandatory.

42055

After upgrading Director to Release 20.2, if any template is modified and committed to a device running Release 20.2, diff shows configurations of Releases 16.1R2 and 20.2.

42722

Upstart does not restart postgres database process when it is killed.

44765

Versa Director had to be restarted after applying maximum CPE limit license for license information to take effect. Support is added to update required license information cache soon after applying the CPE limit license, without restarting Versa Director.

46560

Unable to perform all actions for WAN network groups for PDCO, TO, TSA, TSECA, and TDO roles.

47932

Transport domains (internet/MPLS) are not listed when creating a WAN name.

48074

Scheduled SPack download does not start based on the start time and interval configured. Now, Versa Director downloads SPack based on the scheduled time and version configured in the SPack settings. Also, you can change the time or interval to reschedule.

48243

Template commit using service templates does not work if the selected service template is added at the device level in device workflow.

48516

Versa Director Memory dashboard displays low free memory.

49145

Upgrade process must fail or stop if there is error in receiving the postgres dump during an upgrade.

49863

Upgrading Director to Release 20.2.1 fails because the sdwan_sla_loss_pct.lua and migrate.py scripts fail.

49924

After you upgrade from Release R2.10 to 20.2.1, static routes in the workflow template are not migrated to postgres and error is logged in upgrade.log.

51102

Shell In the Box does not open up and displays a HTTP Status 403 - Forbidden error.

52235

Need an option to add sp-entity-id SSO with Azure AD SAML.

52450

Versa Director does not load the list of pages if a single quotation mark (') is included in location details.

52690

Versa Director tasks for appliance UUID are not returned from REST APIs.

52791

GUI does not display Jitter, Transmit, and Receive fields in SLA Profiles.

52816

Supported character length in NGFW policy rule description is not displayed.

53318

Disk fills up because of postgres logging.

53537

Versa Director logs out automatically when another window is opened and is kept idle until the GUI idle timeout expires.

53592

uCPE guest VNF user data/custom file names configuration pushed to device with proper names to create guest VNF successfully.

54150

Add support for OpenId logout when direct link is used.

54157

Add support for selected IDP/local logout for IDP initiated SSO.

54237

Add support for GET Alarms API with data type XML.

54311

Suborganization is not displayed for a device in the Appliance and Device Monitor tab.

54432

Cannot parameterize DNS values in DNS settings.

54629

Duplicate serial number is displayed in the bind data tab of Device Workflow menu.

55139

GET APIs do not work for multiple key list element in appliance yang model, for example, static routes list

55152

SSO tenant user can log in to Versa Director, although roles are not associated with the organization.

55224

Release 20.2.2 upgrade validation script fails because of issues in the auth-connector-validation.py script.

56002

Cannot configure Versa Analytics FQDN under SAML client from GUI, even though the configuration can be done using CLI.

56030

Cannot delete controller from the UI because of issues related to user authentication token.

56111

In DNS proxy resolver, not all sites are listed in the site name drop-down list.

56131

Template commit fails randomly with error CacheLoader returned null for key Thread[TemplateService-ApplyTemplate-18,5,main].

56266

When you are creating users in User Management, First name and Last Name field do not support special characters.

56546

Logout fails with SP/IDP-initiated SSO.

56556

In the tcpdump Tools screen, Versa Director downloads previously downloaded PCAP files. Fixed to download only PCAP files of the current site.

56794

When upgrading from Release 16.1R2Sx to Release 20.2.2, the Last Modified By and Modified Date fields are not copied correctly.

56816

When you commit the master template with overwrite option, if an NGFW service template is associated at a device level, some routing instances are removed from the Available Routing Instance and Owned Routing Instances. If a shared service template is associated with a device in device workflow, the configuration is not properly merged from the service template.

56958

Analytics URL uses HTTPS when accessed using SSO after you configure a Versa Analytics client in the Versa Director SSO connector.

57121

Device is not displayed in Entitlement Query or reports, if device creation fails during ZTP.

57438

External OAUTH tokens cache issue fixed to handle concurrent Versa API requests efficiently.

57497

Second Controller deployment fails if any WAN interface on the primary Controller has only an IPv6 address.

57664

Versa Director does not fall back to local authentication when all the configured TACACS+ and RADIUS authentication servers were not reachable. Director falls back to local authentication, and authentication is successful when you enter the correct user credentials.

57677

When you change the redistribution policy, graceful restart helper mode is disabled in the BGP configuration.

57720

Validating a template with QoS service template displays the error {"response-code":"201","error-message":"com.tailf.maapi.MaapiException: A variable value has not been assigned to: v_vni-0-0_Rate__cosInterfaceRate","response-type":"error"}.

57727

In Release 20.2, the order of source and destination zones in firewall rules is different from earlier releases.

57934

Tenant users can view the resource pool of all the tenants under the provider.

58104

Memory leaks identified and fixed in ConfOperationImpl, SpackImpl, and RestProxyProcessor.

58106

You can configure the Versa Director ping wait and timeout values for devices from the Director CLI. You might want to configure higher timeout values for devices that are reachable only over high-latency satellite links.

 nms {
     provider {
         monitoring-settings {
             appliance-monitoring-settings {
                 single-device-ping-timeout 30;
                 bulk-devices-ping-timeout 60;
             }
         }
     }
 }

58248

NTP configured with the server FQDN does not work, because the routing instance is not configured in the NTP server configuration by using the template workflow. This is fixed so that the template workflow configures the routing instance in the NTP server configuration.

58340

Search function does not work in Organizations workflow list.

58393

appliance-final-configuration-completed AMQP event populates the organization in the content as "organization": "System", instead of the organization name.

58591

When TACACS+ is enabled, cannot restart services using vsh.

When external authentication is enabled and an external user with the ProviderDataCenterSystemAdmin (PDCSA) role has logged in, users cannot restart VNMS services.

58741

GUI does not allow configuration of a BGP password with more than 16 characters. BGP passwords up to 128 characters can be configured using the CLI.

Fixed Bugs in Release 21.1.2

Tracking Bug

Description

39617

Proxy authentication is now supported, so a user can configure the username and password of an external proxy server.

41228

Fixed vulnerabilities in UI JS libraries.

42472

Added ability to unlock user from appliance UI page.

51101

TenantSuperAdmin might not be able to view active users for their tenant.

52509

HA template workflow now has a validation check for redundant pair template name.

52621

You might not be able to set the UTC timezone on a VOS device.

52895

Add ability to clone policy configuration for site-to-site VPN profiles.

53306

Template merge might take long time.

53346

UI might log out unexpectedly.

53837

uCPE SSH might not work for tenant custom user role.

53926

Fix popup windows to fit in the screen in all tab views.

54133

If you use the request system recovery backup command to perform a backup operation, the result is now shown.

54432

Add support to parameterize DNS values in DNS settings.

55415

Removed server and server pool type "http" configuration from UI in ADC collector configuration.

56266

Special characters in First Name and Last Name when creating users in Director User Management are now allowed.

56473

Upgrade from Release 16.1R2S9 to Release 20.x was failing if there were device groups with no associated templates after the migration.

56661

After you commit changes in build mode, a device might remain in the Southbound locked state.

57669

When you select more than one service, associating an organization with an appliance might fail.

57670

When you associate an organization on the Appliance screen and select a service node group, services should not be a required field.

57750

You might see the bearer token missing error during OAUTH-based GET calls.

58155

The local peer PSK autogenerated variable name might be incorrect and does not appear in the device bind data.

58438

The IKE Down status was misleading in the Director Monitor dashboard and has been removed.

58710

The stateful service template now has a tab for objects.

58741

From the UI, you could not configure a BGP password longer than 16 characters.

58828

There was a display issue of “Last Modified Time” in the UI for workflows.

58835

An unexpected CPE license expiry alarm might be generated.

58929

Unable to add SSO Multiple Customer Roles with Same Director role in External SSO Role Mapping.

59034

Purge was not deleting local backups.

59086

VRRP configuration might be lost when physical interface IP address is modified.

59092

You can now configure IPv6 interface mode in the UI.

59464

Sometimes, we were unable to see Devices under Monitoring, Configuration, Workflows Tabs after HA failover. This is fixed.

59751

New API added to return applianceStatus by appliance name:

https://ip-address:9183/vnms/dashboard/applianceStatusByName/organization-name/appliance-name

59919

Configuring multiple BGP peer tracking configuration in HA in a device template might fail.

59956

The OS Spack option is now visible for Tenant Super Admin users.

60042

Commit template could not identify the configuration changes between the Configuration Template and Appliance configuration, and always showed In-Sync.

60537

The service name and access concentrator are no longer mandatory in device workflow.

60857

Director upgrade from Release 20.2.2 to Release 20.2.3 might fail because of stale entries in bind data.

60967

Added routing-instance match condition to QoS policies.

61060

When Director logged out, an error message was seen with SSO.

61244

Paired site location ID was not configured properly.

61389

A negative site ID number might be displayed for non SD-WAN CPEs in appliance listing screen.

61402

Enabling HA might fail with an error on the secondary device.

61433

Hardware replacement might fail regardless of the image on the new appliance with wrong build-type error.

61492

Missing software version in Director database for CPE might cause a hardware replacement failure.

61585

When configuring a VFP rule, the disable radio setting was not working as expected.

61717

Some screens became slower when device names were displayed in a drop-down list.

61795

Unexpected task in the stuck state during device onboarding.

61849

When templates were committed simultaneously from different user’s template, the commit might fail.

61948

Provider data center operator cannot view unknown devices in Versa Director.

61976

Director now allows hyphens (-) and numbers in custom user role names.

62034

Disabled PostgreSQL WAL archives to reduce disk usage.

62094

CPE SLA configuration path policy was lost when upgrading from Release 16.1R2 to Release 21.1.1.

62163

UI monitor screens made API /orgs/org/{tenant}/kpi calls too often, causing slowness.

62372

In template workflow, isStaging flag was not set correctly during change from Hub Controller to Hub.

62485

Update operation not working for IDP-based SAML user.

62631

Duplicate IP address was allocated by IPAM, causing the branch reachability issues from the Director node after upgrading to Release 21.1.1.

Fixed Bugs in Release 21.1.3

Tracking Bug

Description

35962

Upgrade vulnerable outdated third-party libraries on the backend.

40157

Add support for TCP-based remote syslog connector.

41228

Remove and replace vulnerable third-party JavaScript libraries (UI).

42524

Logging out of application using Okta OpenID SSO now works.

45901

Add support for installing security pack (SPack) on Director node using CLI command.

48033

Source networks drop-down for adding NTP server now works correctly.

48431

Improve performance when loading Virtual Router page.

50423

Add REST API to fetch only WWAN status.

51101

TenantSuperAdmin users can now view active users of the tenant.

52001

Fix NCS crash with error "Internal error: Supervision terminated".

52790

Fix drop-downs for Certificate and Key Fields when editing Certificate Manager.

53967

SPack version information is displayed in appliance listing page.

54006

Director to VOS device certificate validation for Confd on port 8443.

54132

Template state in commit windows now shows correct state information all the time.

55886

File filtering in NGFW shows inconsistent display depending on navigation path.

56777

Allow display of location/map information for child organizations in a multitenant deployment.

56810

Plus (+) sign in security policy is greyed out until page loads completely.

57028

Director now displays correct free memory values.

57369

PPPoE WAN Interface network name is now added to traffic identification list.

57693

Error displayed when commit template fails is not correct if description has multiple quotation marks.

58484

Prevent change password blasting.

58698

Shared service templates now appear in the service template drop-down on the commit template screen.

58828

Last Modified Time field in UI for workflows now displays correct time in browser's local time zone.

58921

Allow exported SSO metadata to be imported into external IDP.

59034

Purge now also deletes local backups.

59050

Allow addition of firewall rule at a specific location.

59207

Fix issue where UI intermittently shows that device is out of sync.

59426

Support application location longer than 200 characters.

59751

Add REST API to return applianceStatus by appliance name: https://ip-address:9183/vnms/dashboard/applianceStatusByName/organization-name/appliance-name

59818

Fix issue where forwarding profile content in SD-WAN rule is not displayed.

59873

If you change interface IP address to be the same as the VRRP IP address, UI now displays a message asking you to set VRRP priority to 255.

59919

You can now add multiple BGP peer tracking entries in HA device template.

59956

OS Spack option is now visible for Tenant SuperAdmin users.

60042

Commit template cannot identify the configuration changes between the Configuration Template and Appliance configuration, and always shows In-Sync. This issue has been fixed.

60106

API response does not match the GUI output for SD-WAN traffic for appliance in Monitor tab. This issue has been fixed.

60857

Director node upgrade fails when upgrading because of stale entries in bind data. This issue has been fixed.

62155

AWS DescribeInstances API call fails, with error "instance ID does not exist". This issue has been fixed.

62205

uCPE VNF creation task not created if the template is committed to the device on the Diff View screen.

62352

Template state in commit windows does not reflect changes to service template or to adding or deleting service template to a device group or device workflow.

62422

Add account type Service for server-to-server communication.

62433

It is possible to inject comments by entering special characters. This vulnerability has been fixed by adding careful handling of special characters.

62556

When you create a new notification rule condition, the name is fixed to previous one and cannot be changed. This issue has been fixed.

62557

NGFW service is not picked up from default-sng if services field is empty.

62608

TenantSuperAdmin user cannot change session timeout. This issue has been fixed.

62631

Fix issue with IPAM allocating duplicate IP addresses.

62720

Fix UI issues with firewall rules page and view more security access page.

62785

Add support for Azure GOV cloud using CMS.

62790

Audit log EXTERNAL_USER.log now displays username instead of bearer token.

62949

Add ability to configure timeout in RADIUS/TACACS+ API calls.

63142

Scheduler should not send email when commit template is scheduled for now.

63164

Link-Mode and Link-Mode settings are grayed out for PPPoE interface.

63168

Password not encrypted from browser.

63185

When you cancel creation of a new device workflow at bind data tab, system does not allow you to create same device name even though it canceled the first attempt.

63186

Change password screen header and footer logo does not use the custom partner icon and instead always displays Versa.

63241

After an upgrade, the bind variables of service templates are missing from device bind data tables. This issue has been fixed.

63249

When you use vnms-startup.sh in non-interactive mode, the southbound address included is the dockerip 172.17.0.1, even though the vnms.properties file has the correct southbound address. This issue has been fixed.

63397

Redistribution policy Default-Policy-To_BGP on DMZ-VR (not VRF) is not created when service template has no DIA or gateway options. This issue has been fixed.

63430

After you delete a device from a workflow, the device global site ID may not be released. This issue has been fixed.

63451

Add support for VRF ID and VRF Name as variables.

63589

HA failover operation sometimes results in an application timeout. This issue has been fixed.

63591

Allow template name to be up to 127 characters.

63597

UI does not permit adding second static route next-hop tunnel.

63656

Cannot update SNMP trap profile from GUI.

63665

Add REST API documentation for device template import and export.

63733

LTE interface is missing if PPPoE is configured first.

63736

CoS read-write rule copy attribute display as active, but when editing it shows not active.

63827

Increase length of SMTP username in UI from 16 characters to 256 characters.

63841

Allow parameterization of subinterface description for Ethernet/LTE subinterfaces.

63863

For CGNAT/SDWAN/VFP/IPS sessions in Monitor >Services, the forward/reverse byte count is not sorted correctly.

63897

Kafka message publishing should happen in async thread to handle unreachable or slow brokers.

63964

Read-only users cannot log in to Director node because of a special character used in the user role description field.

63987

Change appliance state monitoring run interval for scaled setup

64035

Subscription changes on workflow template are not reflected in Entitlement manager section of CPE and Director node.

64110

You can now configure description column in task window.

64190

Addresses configured in another address group are not displayed correctly.

64211

Task window error message is displayed as "[Object] [Object]". This issue has been fixed.

64262

Unable to delete the VLAN Unit if VRRP is configured in the unit.

64365

TCL: Separating transactions for 3 skip apply calls during ZTP.

64442

Fix vulnerability of guessing users using user enumeration attack.

64572

Controller workflow screens now validate IP subnet.

64587

Monitor > Summary tenant screen displays breakdown of interfaces.

64598

Encrypted key pushed to VOS device version that does not support it.

64652

When you choose the same network for main and standby template and you choose cross-connect port, template workflow displays warning popup.

64677

Add unique constraint for Local Organization. Also, enhance validation script to catch this constraint.

64713

Login, logout, and change password timestamp not recorded in audit logs.

64724

Monitor > Services > IPsec > SA Tab does not show complete information.

64974

Hazelcast device status API is not working.

65064

In bind data pagination, unable to display more than 100 rows.

65069

Autogenerated bind data IKE identifier is not updated.

65198

Even though disable virtual service is enabled during Controller deployment, the service is not actually disabled.

65222

IPsec type tunnel interfaces are not shown in correct drop-down in Monitor UI.

65235

OK button is not working while creating a device after filling in bind data information.

65679

In Firefox, the password field is shown in cleartext.

65692

Do not allow |,[,] characters in URL filtering.

65735

User authentication using OAuth does not work when fetching HA status from NCS.

65753

Enable suspend-backup collectors as the default in workflow templates.

65754

Change log level to Info for alarm module.

65774

SIT update CPE ports object in Controller firewall rule.

65775

Error occurs when pushing hub-and-spoke post-staging template.

65793

Workflow device deployment using CMS connector does work in Azure China region.

65818

SD-WAN policies created by workflow need add action.

65880

Cannot see more than 1024 devices in OSS selection field.

65883

Repeatedly executing the Uptime REST API call causes the subsystem to stop.

65964

UI does not return the proper error when creating a user with invalid information.

66020

User order in leaf list elements is incorrect.

66077

Cache control header is not set properly.

66107

Remove traceroute CLI command from Director node.

66416

Cannot take snapshot using external auth users.

66429

Paired location ID is not displaying in drop-down list in vertical bind data form.

66498

When template is locked by user with lock scope "Other Users", template is inaccessible for user who locked it.

66523

Device workflow update and deploy should require read privilege only for device group.

66668

CoS interface under Monitor > Service should display traffic stats per traffic class.

66741

Device deployment fails with exceptions.

66965

Log collector configuration should support parameterization of destination IP address and port number.

67008

Task owner is different from the user who triggered the task.

67048

Show selected device count on commit screen and VOS devices.

67327

CGNAT service is missing under Services when you add LAN interface for provider organization.

67531

Parsing issue in SAML formatted response.

67582

User should not be allowed to delete a subordinate organization of post-staging template if any device group having that post-staging template has a service template at that subordinate organization.

67643

Do not generate modified event if there is no change to bandwidth, solution tier, or license year in subscription plan.

67758

In general service template, need parameterization for DSL interface configuration of PPPoE username and password fields.

67763

UI does not display IPsec service for service VNF.

67874

Add missing appliance subscription tracking in upgrade flow.

67905

Maximum open file descriptors for spring boot.

67949

Customer can make changes and commit before network is loaded is LAN-VR.

67965

Standardize device name for CPU, memory, and hard disk alarms to one value.

68004

Scheduler job status is not marked as Failed when an upgrade task is deleted while an upgrade is in progress.

68006

During bootstrapping, check for release date when upgrading VOS devices.

68040

Close HTTPS appliance polling connections sooner.

68112

Add option to deselect IDP connector in SSO.

68305

Issue in post-staging template association UI view.

68358

During first-time controller deployment, Director node does not ask about using the default 10.0.0.0/8 overlay scheme or changing it.

68847

Do not push Bionic image to trustworthy VOS devices.

68914

Spoke group UI should give option to delete VRFs.

68961

Single character on local part of email address “not valid” while adding tenant user.

Fixed Bugs in Release 21.1.4

Tracking Bug

Description

13550 Update NSO to Version 4.7.10.
43606 Fix drop-down compatibility issues in Firefox browser.
45549 Raise an alarm when AMQP and Kafka connector are not reachable from Director node.

47065

Username and Password fields are autopopulated in the template configuration pages. This issue has been fixed.
48198 Monitor screen now shows appliance system and service uptime.
51488 Predefined file-filtering profile is added under Predefined categories in the Objects and Connectors.
53780 VPN instances with hub type topology now work.
56266 Accept special characters in First Name and Last Name fields when creating users in Director User Management.
56810 Users can add multiple security policies, but only one security policy is allowed on appliance. This issue has been fixed.
57028 Fix for incorrect free memory calculation for Director node on the Monitor page.

58509 If you enter any special characters in the Controller PSK, the ptvi does not come up. This issue has been fixed.
58799 Fix for incorrect appliance type for appliances created on AWS or Azure.
59131 Add support to encrypt all passwords in device configuration.
59719 Fix for provider organization creation failure when it is created from Workflows > Controller screen.
60588 Notification rules page allows you to create alarms notification rules without a tenant. This issue has been fixed.
63168 Login password string is now encrypted when sent from the browser UI.
63733 Fix for LTE Interface missing issue when PPPoE is configured first in the Workflow template creation page.
64007 Support for changing device subscription.

64061 Template configuration Services tab now shows only the services that are enabled.
64411 GUI gets stuck when navigating from the NTP screen to the Objects/Services screen. This issue has been fixed.
64521 When you choose a tenant in the Workflows > Infrastructure > Organization screen, the entire screen goes blank. This issue has been fixed.
64565 Fix for general template selection issue on device group create screen.
64885 Scheduled job for appliance upgrade now starts only if the appliance is reachable.
65578 Tenant selector does not display when user switches from one tab to another on the configuration screen. This issue has been fixed.
65650 Incorrect configuration under device context when bootstrap fails. This issue has been fixed.
66012 Support for having a CLI command to set "auto-merge" as a default option.
66074 The screen is stuck at system parameters page when you navigate from the system configuration to other tabs. This issue has been fixed.
66101 Template configuration Services tab now shows only the services that are enabled.
66259 Include timezone in the director-HA failover alarms.
66364 Fix for issues deleting a nonexistent device using APIs.
66372 Fix for issue sending SMTP email notification for alarms.
66418 Fix corner cases while taking Director snapshot.
66584 Enforce tab in policy rule configuration screen extends beyond the length of the screen because of a newly added feature.
66965 Destination IP address and port fields can now be parameterized on the log collector screen.
67226 Versa_Device_Events topic option display issue is fixed in the Kafka connector create and update screen.
67298 AWS service VNF deployment issue from appliance screen has been fixed.
67709 Bulk upgrade appliance task has been refactored to better show the task messages.
67738 Support for an option to set or customize RequestedAuthnContext value in the SSO connector screen.

67936 User creation page now properly validates the phone numbers.
67963 Fix for enabling HA failure when there are more than 500 appliances on the Director node.
68006 Honor release date in the package to select the latest image during bootstrap of VOS device.
68064 Fix cross-connect select and deselect issues in template workflow for redundant templates.
68231 Support for a GUI option to restrict routing and connectivity across regions in an organization workflow.
68271 Fix CA chain certificate expiration issue in the UI.
68363 You can now make NMS action API calls with an external OAuth token.
68537 Slowness issue is fixed for the API /vnms/dashboard/appliance/location.
68652 Get APIs are failing when APIs are run in parallel. This issue has been fixed.
68670 UI now restricts the creation of an empty app-group.
68690 Tomcat HTTP requests to Analytics now clean up or time out properly.
68923 NAT traversal configuration is added incorrectly when user modifies data on WAN Interface window.
68978 Fix HA template and Layer 2 interface configuration issue in template workflow.
69266 Switchover policy can be configured using routing peer count for appliance HA.
69303 Proper error messages are shown when multiple IPS rules are loaded on the appliance in the UI.
69404 Performance improvements for appliance monitoring.
69405 Fix for Workflow template commit failure when LDAP password is configured with double quote ' " ' in parameterized bind data.
69494 Address files and address group can now be configured from Director GUI under device or service templates.
69496 Fix for multitenant regional spoke groups issue.
69515 Read-only custom user now cannot delete appliance instance.
69553 Error occurs when deleting from a template a suborganization that is not used in any device group. This issue has been fixed.
69590 Add pagination for Locked User screen.

69641 Fix duplicate key sdwan-post-staging issues on Device Group screen.
69808 Workflow > Templates > Site > Subscriptions > Solution Tier > Service Bandwidth changes are now recorded in the audit log.
69827 GUI idle timeout is taking 12 more minutes than the configured value. This issue has been fixed.
69846 Encryption debug CLI commands are failing with application communication failure. This issue has been fixed.
69859 Fix issue of IKE changing on Controller node when you redeploy a device workflow.
69860 Path policy configuration now accepts free-form text.
69877 Fix for the issue with hub template workflow.
69893 Fix for Director HA reachability check through Controller nodes.
69949 After you add service chain under organization limits, service menu now shows correct options for the service chain template.
69996 Add support for mirror interface option for uCPE interfaces.
70174 Restore icon for configuration snapshots is now available in the Firefox and Chrome browsers.
70303 Fix for Map View to show appliance name on the Monitor screen.
70313 Fix the sorting functionality for system summary tables on Monitor screens.
70318 Fix download merge configuration issue on commit template screen.
70319 Fix for issue with adding custom group from GUI on policy page.
70338 Add support for user type data for IP-SLAM monitor next-hop fields.
70394 Asset summary now shows count for service VNFs.
70441 Suppress unwanted logs while fetching get-vnms-ha details from the standby Director node.
70459 Fix incorrect security package information on the Monitor screen.
70490 Netbox IPAM service stays down because the docker image is deleted during an upgrade. This issue has been fixed.
70539 Fix for issues with device deploy and create appliance.

70596 Fix for issues with SD-WAN traffic graph.
70647 Fix display of overlay address schema popup if Controller node already exists in the system.
70656 Fix for template failing to add WiFi interfaces that were added when the security mode was None.
70659 Service template references are now removed from the device workflow when the service template is deleted.
70694 Fix for Director upgrade failure because of a postgres backup issue.
70752 Subtenant users can apply the service template through the diff window. This issue has been fixed.
70799 Upgrade changes the custom SLAM path policy applied to WAN interfaces to the default SLAM path policy. This issue has been fixed.
70817 PPPoE interface is not adding a non-zero VLAN ID to the base interface. This issue has been fixed.
70818 Appliance final-config-complete alarm is published after upgrade and configuration push complete.
70910 Match should not be a mandatory field when you select Objects > Address > + Create a New Rule -> Type (Dynamic Address). This issue has been fixed.
70932 Restrict TSA users so they cannot view other tenant appliances on IP SLA next-hop UI page.
70950 After you click the Commit to Device button on the commit template screen, the screen did not navigate to the next page. This issue has been fixed.
70991 Some fields are disabled on default 0 subinterface screen for LTE interface. This issue has been fixed.
71006 Add RBAC protection to the vnms/cloud/systems/getAllApplianceNames API call.
71019 Template commit is not associating all organizations with the device for service templates. This issue has been fixed.
71021 Fix for edit icon display issue on Director high availability screen.
71051 Locked Users page now shows all the locked users.
71083 Fix for pushing default values for system parameters along with user changes in the form.
71117 Fix for GZTP Director task stuck issue.
71123 Allow user to set the bandwidth on cross-port interfaces in the template workflow.
71160 Edit button is now available to configure and modify appliance HA parameters on the Director node.
71162 Index out-of-range error occurs when running the ip-address-config-validation.py pre-upgrade script when the local IPsec interface is missing. This issue has been fixed.
71173 Recent events count on the Monitor dashboard and details tab now match.
71288 Fix for issue with creation of application group under Objects > Custom Objects.
71336 Vulnerability fix: HTTP public key pinning (HPKP) header cannot be recognized.
71337 Vulnerability fix: HTTP strict transport security (HSTS) header cannot be recognized.
71386 Fix IP address and mask parameterized validation in service templates.
71406 Appliance goes into configuration out-of-sync state because of "" on the Configuration > SNMP > System > Contact screen. This issue has been fixed.
71471 Fix for duplicate key value that violated the unique constraint appliance_hardware_pkey error when onboarding a VOS device.
71477 TSA users can now take configuration snapshots of the common template.
71499 Enforcing static route for policy-based IPsec has been.
71522 Fix for TenantSuperAdmin failing to delete VOS device.
71530 Fix special cases in Versa Analytics cluster installation script.
71538 You can now edit Operator and Administrator users under Director User Management > Provider Users.
71613 HA postgres status on the primary Director node now shows secondary (slave) Director information.
71628 The dot1x config page becomes stuck when navigated to other tabs. This issue has been fixed.
71638 Fix spoke group bulk deletion issue.
71654 OpenID SSO logout now redirects to Logout Success Redirect URL if it is configured.
71686 Fix for scheduling template issues when VOS device not reachable and job has been triggered.
71757 Add support for the special characters {, }, and # in the SNMP manager in Workflow template.
71785 Fix for backup Director node not being able to take over as primary when port 5432 is not available.
71789 Allow hardware inventory search based on hardware serial number and site ID.
71803 Incorrect services list, which includes services not enabled for an organization, is displayed under the configuration services tab. This issue has been fixed.
71814 NETBOX-IPAM and SPRING-BOOT start issues, probably because of a race condition between the two processes, have been fixed.
71863 Handle automerge gracefully when preserve appliance changes is disabled.
71865 Creating new OAuth authorization client now shows the client secret and client ID in the UI.
71903 Fix for Director node loading page even after logging out of Director node.
71917 Fix Director login issue for Bionic images.
72046 Fix for custom role tenant user not being able to log in to the Analytics node from the Director node.
72068 Support deploying redundant Workflow template when the same WAN networks are configured.
72070 Fix incorrect order of BGP policy terms after workflow template is redeployed.
72121 Director upgrade fails with HA Pair Validation error. This issue has been fixed.
72122 Interval now displayed as mandatory field on the Edit SPack Configuration window.
72182 Parameterization of source and destination addresses in VPN policy now works.
72183 Fix for creation of shared service and service template configuration objects.
72335 Fix for display devices issue on the Template Commit screen.
72337 Obsolete UI call for package information has been removed.
72358 Trusty backup restored on Bionic setup failed. This issue has been fixed.
72388 Huge NCS connections are not closed and are seen as Open in the customer setup. This issue has been fixed.
72406 SNMPv3 walk fails with an authorization error. This issue has been fixed.
72413 Add validation in the organization workflow to not allow suborganizations with the same name as the parent organization.
72507 Fix for incorrect total appliance count.
72619 LEF profile referred to in the DHCP configuration is not present. This issue has been fixed.
72637 Update APIs to upload and delete tenant-specific CA and CA chain certificates.

72829 Appliance system informational Kafka message now includes appliance ping and sync state.
72909 Appliance upgrade failed from Director node because of an OS check. This issue has been fixed.
72963 Performance improvement for appliance dashboard APIs.
73026 TDF screen is spinning when trying to access the GUI for a uCPE. This issue has been fixed.
73063 Director upgrade failed because of database backup and restore issues. This issue has been fixed.
73076 Performance improvements for AMQP and KAFKA object change notifications.
73077 Committing configuration to a template or device generates object change notifications only for the top-level path and does not send notifications for each changed path.
73104 Avoid running validation scripts on standby Director nodes.
73108 Error while adding community options for a spoke group is fixed.
73122 Fix for Analytics cluster installer issues.
73183 Fix for incorrect date and time in the All Traffic Live data graph.
73186 OAuth refresh token API now returns the proper roles in the response.
73423 Director node is not initiating a connection to the Analytics node because of too many close_wait state to Analytics IP:Port. This issue has been fixed.
73501 Director GUI unreachable because of cookie issue with atmosphere. This issue has been fixed.
73537 When you click the refresh button on the Services > Sessions screen, it displays "No data to display". This issue has been fixed.
73546 Adding a new tenant in the existing post-staging template through workflows API returns error. This issue has been fixed.
73813 Appliance upgrade from Director node fails during ZTP. This issue has been fixed.
73854 Save device workflow continues to spin when you try to save without the value for some variables. This issue has been fixed.
73856 Bulk import of devices from a CSV file fails because of a concurrency issue. This issue has been fixed.
73899 After you run the appliance status brief API call, appliances disappears from the appliances listing page. This issue has been fixed.
73974 Authentication type and Auth-Context-Required fields can be configured in the SSO SAML connector page.

74213 SSO login fails after running import-key-cert.sh script because the SSO certificates are moved to the backup folder after running this script. This issue has been fixed.
74578 Service template bind data variables are not populated when the device workflow is redeployed from the Basic tab. This issue has been fixed.
74614 Fix for Get Director services status API issue.
74629 Director UI not reachable because of java heap space out-of-memory issue. This issue has been fixed.
74838 Fix for issue with checking Service Template bind data.
75052 Update ha_pair_validation script to check whether appliance is present in the inventory table.
75069 Template commit error message on Director node is now sent to Concerto over Kafka.
75100 UI intermittently does not load and shows a blank screen on multiple tabs, displaying the error "Failed to load data from server". This issue has been fixed.
75117 Director upgrade fails at ip-sla-monitor under redistribution policy configuration. This issue has been fixed.
75133 Uploading the certificate for secure LDAP from the GUI now works.
75236 WAL files do not clean up automatically, causing high disk usage. This issue has been fixed.
75273 Device bind data in the workflows throws a remote server exception when saving or deploying the device. This issue has been fixed.
75389 Issue with setting isStatingController flag has been fixed.
75471 Director node does not copy the uCPE custom data file if only the custom data file option is configured in the service chain template. This issue has been fixed.
75527 Monitor Tab > Associate Templates shows duplicates even though the device group has unique templates. This issue has been fixed.
75544 Director upgrade failed when executing the WorkflowsUpgrade script. This issue has been fixed.
75547 Kafka and AMQP messages now contain the Director identifier, which you can configure for Kafka and AMQP connectors.
75880 Fix for deploying template failure because of a nested SQL exception.
75925 Vulnerability fix: HTTP strict transport security (HSTS) policy not enabled (Port 443).
75951 Migration scripts now start after spring boot is fully up.
75963 SQL error occurs when creating a spoke template. This issue has been fixed.

76122 Fix for failures when simultaneously deploying multiple organizations.
76316 Director upgrade fails because spring boot not going to running state. This issue has been fixed.
76427 Versa Director vulnerability issue fixed for CVE-2021-44228, which is related to Apache Log4j2.
76487 Site-to-site local interface for HA cannot have quotes when using Active-Active workflow template. This issue has been fixed.
76613 Add available-routing-instances under the organization in the service chain template generated through Workflows.
76667 Fix template commit issue by incorporating bind data validation for route prefix.
76710 Template commit window fetches only the first 1000 templates. This issue has been fixed.
77103 Onboard tenant to gateway is failing with INTERNAL_SQL_ERROR. This issue has been fixed.
77119 fetch=count in the NCS APIs returns the count.
77120 Patterns with characters after the $ are now accepted on the template configuration UI screens.
77233 Appliances might disappear if the owner organization is missing for some appliances. This issue has been fixed.
77246 Fix commit template task failure issue because of Concurrent lock.
77249 Spoke group validation is now optional for the provider organization in the Workflow template for multitenant scenarios.
77285 Director services status vsh status command output issue has been fixed.
77324 View profile under classified profile is not working for Edit DoS Rule > Enforce > DDoS profile. This issue has been fixed.
77353 System organization is no longer displayed on the Add Notification Rules screen when you log in as the TenantSuperAdmin user.
77379 Search works now on the card view of the Appliances screen.
77616 Fix for Boolean word truncation issue on Add DHCP Option Profiles screen.
77647 Adding duplicate Controller nodes is no longer allowed under Controllers in the Workflow template.
77771 Opening the SD-WAN System Site Configuration screen now works.
77896 Fix for customer snapshot upgrade failure.

77897 Issue with the Director patch script and validation script has been fixed.
78172 When you delete a device workflow, the remote PSK authentication client entry is now deleted from the Controller node.
78218 Fix OutOfMemoryError issue that occurred because of metaspace.
78240 The site-to-site tunnel in the workflow was throwing an error when you parameterized a WAN or LAN interface.
78340 Commit template fails because of an issue with setting skip-apply. This issue has been fixed.
78434 WAN link monitor configuration for redundant WAN links over a cross-connect link was not updated as expected for HA devices. This issue has been fixed.
78662 Fix tooltip text display issue in Director UI.
78681 Fix for the slowness issue in the diff view page when it is opened from the Template commit page.
78683 Provide scroll in Associated templates page, which is launched from the template commit page.
78686 Deleting a dynamic VOS service template throws an exception "Public cloud instance should have minimum 3 interfaces". This issue has been fixed.
78801 Associating Organization throws an exception when onboarding a workflow device in a public cloud deployment. This issue has been fixed.
80030 Push-keys-To-Device shell script now escapes special characters in the password.
80085 Director UI inaccessible because of a kernel out-of-memory issue. This issue has been fixed.
80168 Allow static IP address configuration on LTE interfaces.
80172 NCS transaction leak issue has been fixed.
80278 Director UI > Device > Monitor > Services and Tools screens are now working.
80279 Fix an issue with the appliances list page in Administration tab.
80326 Fix issue with template configuration SD-WAN system site configuration edit screen.
80328 TenantSuperAdmin user can now see the saved organizations on the Workflows > Infrastructure > Organization screen.
80420 The Workflows, Templates, Tunnels, and Site-to-Site Tunnel screens go blank when you select a few initial options. This issue has been fixed.
80441 When you click the Edit icon, the wheel spins in an infinite loop on the OS SPack > Appliance screen. This issue has been fixed.

80448 Upgrade Apache Tomcat to 9.0.60 to fix multiple vulnerabilities.
80543 Remote server exception seen when you click any tab on the secure access screen. This issue has been fixed.
80581 Organization list displayed on Object > TCP Profile screen should be associated with the template. This issue has been fixed.
80618 For some screens, the selected column filter is not shown. This issue has been fixed.

Limitations

The following are limitations in Release 21.1.

Limitations in Release 21.1.1

  • When you attach a service template to a device in a device workflow but do not attach it to the device group, the device is not displayed after you commit the service template.
  • The Director UI may not open in Safari and MacOS 10.15, because the previous self-signed certificates are not compatible with the new security requirements of the Apple Safari browser. To regenerate a self-signed certificate, issue the following commands:
sudo su - versa
cd /opt/versa/vnms/scripts/
./vnms-certgen.sh --san example.com --san test.example.com --overwrite --storepass "<password>"

To regenerate CA-signed certificates:

  1. Regenerate the CA-signed certificates to honor the new security requirements:

sudo su - versa
cd /var/versa/vnms/data/certs/
keytool -import -alias tomcatserver -file {CA_CERTIFICATE}.cer -keystore tomcat_keystore.jks -storepass <password>
  2. Synchronize the new certificate to all the Analytics nodes:

cd /opt/versa/vnms/scripts
./vnms-cert-sync.sh --sync
  • In Release 21.1.1, the Director web server (Apache Tomcat) has been upgraded to support HTTP/2. If you do not enable proxies with HTTP 2.0 and TLS 1.2, browsers automatically fall back to using the HTTP 1.1 protocol. In the newer version of Tomcat, HTTP 1.1–based REST API calls with very large payloads fail intermittently because not all the payload is provided to the backend server. This issue is observed with configuration differences windows in template workflow and template commit to appliances. For more information, see Enable HTTP 2.0 on Proxies, below.
  • DNS proxy configuration in templates: When DNS proxy configuration is present in a template, applyTemplate to 16.1R2-based devices fails, because the DNS proxy configuration is also pushed to the 16.1R2 device, where it is not applicable. As a workaround, you can delete this configuration in the template before you push it to 16.1R2-based devices. This issue does not occur on devices on Release 21.1. (Bug ID: 57783)
  • Error is displayed during template commit when a text field, for example an interface description, contains multiple quotes. (Bug IDs: 57693, 58568)
  • After upgrading from Release 20.2 to Release 21.1.1, the EVPN configuration is not loaded on Controllers nodes for old organizations. (Bug ID: 59355)

Limitations in Release 21.1.2

  • The Director UI may not open in Safari and MacOS 10.15, because the previous self-signed certificates are not compatible with the new security requirements of the Apple Safari browser. To regenerate a self-signed certificate, issue the following commands:
sudo su - versa
cd /opt/versa/vnms/scripts/
./vnms-certgen.sh --san example.com --san test.example.com --overwrite --storepass "<password>"

To regenerate CA-signed certificates:

  1. Regenerate the CA-signed certificates to honor the new security requirements:

sudo su - versa
cd /var/versa/vnms/data/certs/
keytool -import -alias tomcatserver -file {CA_CERTIFICATE}.cer -keystore tomcat_keystore.jks -storepass <password>
  2. Synchronize the new certificate to all the Analytics nodes:

cd /opt/versa/vnms/scripts
./vnms-cert-sync.sh --sync
  • If proxies are not enabled with HTTP 2.0 and TLS 1.2 as given above, browsers automatically fall back to using the HTTP 1.1 protocol. In the newer version of Tomcat, HTTP 1.1–based REST API calls with huge payloads fail intermittently because not all the payload is provided to the backend server. This issue is observed intermittently with configuration diff windows in template workflow and template commit to appliances.

  • DNS proxy configuration in templates—When a template contains a DNS proxy configuration, applying the template to devices running Release 16.1R2 fails. This happens because the DNS proxy configuration is also pushed to the Release 16.1R2 device, where it is not supported. As a workaround, delete the DNS proxy configuration from the template before pushing it to Release 16.1R2-based appliances. This issue does not occur if devices are running Release 21.1. (Bug ID: 57783)

  • Versa Director throws an error during template commit when a text field, such as an interface description, contains multiple quotes. (Bug IDs: 57693, 58568)

Limitations in Release 21.1.3

  • The Director UI may not open in Safari and MacOS 10.15, because the previous self-signed certificates are not compatible with the new security requirements of the Apple Safari browser. To regenerate a self-signed certificate, issue the following commands:
sudo su - versa
cd /opt/versa/vnms/scripts/
./vnms-certgen.sh --san example.com --san test.example.com --overwrite --storepass "password"

To regenerate CA-signed certificates:

  1. Regenerate the CA-signed certificates to honor the new security requirements:

sudo su - versa
cd /var/versa/vnms/data/certs/
keytool -import -alias tomcatserver -file {CA_CERTIFICATE}.cer -keystore tomcat_keystore.jks -storepass password
  2. Synchronize the new certificate to all the Analytics nodes:

cd /opt/versa/vnms/scripts
./vnms-cert-sync.sh --sync
  • If you do not enable proxies with HTTP 2.0 and TLS 1.2, as described below, browsers automatically fall back to using HTTP 1.1. In the newer version of Tomcat, HTTP 1.1–based REST API calls with very large payloads fail intermittently, because not all the payload is provided to the backend server. This issue is observed intermittently with configuration diff windows in template workflows and template commits to VOS devices.
  • DNS proxy configuration in templates—When a template contains a DNS proxy configuration, applying the template to devices running Release 16.1R2 fails. This happens because the DNS proxy configuration is also pushed to VOS devices running Release 16.1R2, which do not support DNS proxy. As a workaround, delete the DNS proxy configuration from the template before pushing it to VOS devices running Release 16.1R2. Note that this issue does not occur if VOS devices are running Release 21.1. (Bug ID: 57783)

Enable HTTP 2.0 on Proxies

In Release 21.1.1, the Director web server (Apache Tomcat) has been upgraded to support HTTP 2.0, also called HTTP/2 or H2. Newer versions of Chrome and Firefox browsers automatically take advantage of the HTTP/2 protocol when supported by the web servers.

If an HTTP proxy, such as Load Balancer, HA Proxy, and NGINX, is deployed between web clients (browsers) and a Director node, you must enable HTTP/2 with TLS 1.2 on them with the following cipher set:

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

When users access the Director node using secure proxies, such as ZScaler, inspection done by the proxy of the sessions to the Director node must be bypassed or the proxy must be enabled with HTTP/2 and TLS 1.2 protocols with the above cipher set.

After you update the configuration on the proxy to enable HTTP/2, use the browser's Dev/Inspect tools to verify that the browser is using the HTTP/2 protocol:

  1. On the Director login page, right click and select Inspect to display the Dev/Inspect tools. The following screenshot shows how to do this in Google Chrome:

    Director_Login_Inspect.PNG
     
  2. In the Inspect window, select the Network tab.

    Network_Tab.PNG
     
  3. Right-click the column selector and select Protocol to display the Protocol column.

    Column_Selector_Protocol.PNG
     
  4. Reload the portal page and check the Protocol column for the H2 protocol (for the API calls made to the server).

    Protocol_H2.PNG
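
The same check can be scripted instead of read from the browser. The following Python sketch is an added example, not Versa code: it performs a TLS 1.2 handshake that offers h2 through ALPN and compares the result with the cipher set listed above. The function names, the host argument, and the mapping to OpenSSL cipher names are assumptions of this example.

```python
"""Check that a proxy in front of a Director node negotiates HTTP/2 over
TLS 1.2 with one of the ciphers required by the release notes."""
import socket
import ssl
import sys

# IANA names from the release notes, mapped to the OpenSSL names that
# Python's ssl module reports for a negotiated session.
REQUIRED_CIPHERS = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
}


def evaluate(tls_version, cipher, alpn):
    """Return findings for one negotiated session; an empty list means compliant."""
    findings = []
    if tls_version != "TLSv1.2":
        findings.append(f"negotiated {tls_version}, expected TLSv1.2")
    if cipher not in REQUIRED_CIPHERS.values():
        findings.append(f"cipher {cipher} is not in the required set")
    if alpn != "h2":
        findings.append(
            f"ALPN selected {alpn!r}, expected 'h2' (browser falls back to HTTP/1.1)"
        )
    return findings


def handshake(host, port=443, ciphers=None, cafile=None, timeout=5.0):
    """Do one TLS 1.2 handshake offering h2 and http/1.1.

    Returns (tls_version, cipher_name, alpn_protocol) as negotiated.
    Pass cafile when the proxy presents a certificate from a private CA.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # Pin the handshake to TLS 1.2 so the TLS 1.2 cipher list is what is tested.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    if ciphers:
        ctx.set_ciphers(ciphers)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0], tls.selected_alpn_protocol()


def audit(host, port=443, cafile=None):
    """Offer each required cipher on its own and report the outcome per cipher.

    A proxy with an RSA certificate can only accept the ECDHE-RSA suites (and
    an ECDSA certificate only the ECDHE-ECDSA suites), so two failed
    handshakes out of four are normal.
    """
    report = {}
    for iana_name, openssl_name in REQUIRED_CIPHERS.items():
        try:
            report[iana_name] = evaluate(
                *handshake(host, port, openssl_name, cafile)
            )
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            report[iana_name] = [f"handshake failed: {exc}"]
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for name, findings in audit(sys.argv[1]).items():
            print(name, "OK" if not findings else "; ".join(findings))
    else:
        # Constructed sample: a listed cipher was negotiated, but the proxy
        # only agreed to HTTP/1.1, which is the fallback the notes warn about.
        print(evaluate("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384", "http/1.1"))
```

Run it with the proxy's hostname as the only argument; a cipher line reading OK means that suite was accepted over TLS 1.2 and the proxy selected h2.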

Request Technical Support

To request technical support, visit http://support.versa-networks.com. If you are contacting support for the first time, register and create an account. You can also send email to support@versa-networks.com or contact your Versa Networks sales account team.

Revision History

Revision 1—Release 21.1, December 20, 2019
Revision 2—Release 21.1.1, August 21, 2020
Revision 3—Release 21.1.2, December 1, 2020
Revision 4—Release 21.1.3, June 6, 2021
Revision 5—Release 21.1.4, April 27, 2022

Versa Operating System (VOS) Release Notes for Release 21.1

These release notes describe features, enhancements, fixes, known issues, and limitations in Versa Operating System™ (VOS™) Software Release 21.1, for Releases 21.1.0 through 21.1.4. Release 21.1.1 and later are general availability (GA) releases and are supported for use in production networks.

Note that in April 2020, Versa Networks renamed its FlexVNF devices to Versa Operating System™ (VOS™) devices. The documentation uses the terms VOS device and FlexVNF device interchangeably.

April 27, 2022
Revision 5

Install the VOS Software

You can install the VOS software on a standard Intel server or as a virtual machine (VM) based on ESXi or KVM. For installation instructions, see the Deployment and Initial Configuration articles.

Versa Networks provides two versions of the VOS software:

  • *-wsm.bin—Install this image on physical CPE branch devices that use the Atom-based processor.
  • *.bin—Install this image on all VMs and high-end CPEs and on bare-metal servers with Xeon or later classes of CPU.

Upgrade to Release 21.1

You can upgrade VOS devices to Release 21.1 from Releases 16.1R2 (16.1R2S8) and later. If you are using an earlier software release, upgrade first to the latest Release 16.1R2 service release, and then upgrade to Release 21.1.

If the premium version of the security package (SPack) is already installed on the VOS device, you must upgrade to Version 1878 or later before you upgrade the VOS device. To display the version of the installed SPack, use the show security security-package information CLI command or, in the Versa Director monitor screen, view the security package information under Next-Gen Firewall.

To upgrade to Release 21.1 from the CLI:

  1. Ensure the current running package is present in the /home/versa/packages/ directory.
  2. Save the existing version of the configuration:
    admin@vnf-cli(config)% save /var/tmp/backup.cfg
    
  3. Copy the appropriate .bin package file to the /home/versa/packages/ directory on the VOS node. Ensure that the file has +x execute permission. Alternatively, use the following command, which copies the file to the /home/versa/packages directory:
    admin@vnf-cli> request system package fetch uri uri
    
  4. Install the new software package:
    admin@vnf-cli> request system package upgrade filename.bin
    
    Follow the prompts, and wait until the upgrade status shows that the upgrade is complete.
  5. Confirm that the new software was loaded:
    admin@vnf-cli> show system package-info
    

Downgrade the Software

To downgrade to the software image that had been installed immediately before you performed the upgrade, issue the following command:

admin@vnf-cli> request system rollback to PRE-UPGRADE-1

Install a Software License for VOS Devices

A VOS device does not require a license if it is managed by Versa Director. If the VOS device is not subjugated to a functioning Versa Director, the software continues to operate after the initial trial period of 45 days. However, the number of data path sessions is limited to 30 sessions.

New Features

This section describes the new VOS device features in Release 21.1.

Licenses and Entitlement

  • Subscription lifecycle updates—(In Releases 21.1.1 and later.) A number of changes have been made to the subscription lifecycle, including the following. See Subscription Lifecycle.
    • Licenses are valid for 1, 3, or 5 years.
    • License subscriptions do not support the Created and Suspended states.
    • A license is immediately activated after the device performs ZTP.
    • Manual license activation is not required.

Platform

  • ADSL2+/VDSL2 NIC modules—(In Releases 21.1.1 and later.) You can use ADSL2+/VDSL2 NIC modules, also called xDSL NIC modules, in Versa Cloud Services Gateway (CSG) appliances. The CSG ADSL2+/VDSL2 NIC module supports a single WAN interface that allows you to connect to VDSL2 and ADSL2+ networks. See Configure Interfaces.
  • AWS transit gateway integration—(In Releases 21.1.1 and later.) Versa Director automates the process of configuring AWS transit gateway tunnels with on-premise branches. You can configure both the transit gateway and the VOS branches from Versa Director. See Configure Site-to-Site Tunnels.
  • Configuration validation—(In Releases 21.1.1 and later.) The configuration validation feature provides a cross-check and misconfiguration-highlighting mechanism for deployments that include an interchassis HA pair (active-standby stateful HA). When enabled, it cross-verifies interchassis HA-relevant configuration changes on both interchassis HA pairs and highlights if there are any differences between the two that affect the runtime function of a given inter-chassis HA branch deployment. It also allows the configuration to be changed on the active and standby devices in any order, and prevents the services from being impacted by a misconfiguration.
  • CSG300 series appliances—(In Releases 21.1.1 and later.) The Versa Cloud Services Gateway (CSG) 300 series appliances deliver highly secure site-to-site data connectivity to small businesses and to home offices. See Cloud Services Gateway 300 Series.
  • Device template workflow enhancements—(In Releases 21.1.1 and later.) Adds support for the Solution Add-On Tier and License Period fields in the Create Template > Basic tab; Switching tab (for Layer 2 interfaces) in the Create Template window; and, Service Bandwidth and License Period fields in the Add Device window > Basic tab. See Configure Basic Features.
  • Encrypt sensitive information—(In Releases 21.1.1 and later.) Versa Director encrypts all sensitive information in configurations before pushing them to VOS devices. See Commit Template Modifications.
  • Global session logging control updates—(In Releases 21.1.1 and later.) Changes the allowable range and adds default values for the Firewall Source IP Count and Destination IP Count fields, and for the SD-WAN Application User Count field. See Configure Firewall and SD-WAN Usage Monitoring Controls.
  • IP SLA monitoring enhancement—(In Releases 21.1.1 and later.) You can select a forwarding class to override the default forwarding class for an IP SLA monitor. See Configure IP SLA Monitor Objects.
  • Layer 2 forwarding—You can configure Layer 2 forwarding, including virtual switches, bridge domains, bridge interfaces, integrated routing and bridging (IRB) interfaces, media access control (MAC) functions, and STP/RSTP. See Configure Layer 2 Forwarding.
  • Layer 2 forwarding additions and enhancements—(In Releases 21.1.1 and later.) Release 21.1.1 adds support for the following Layer 2 features and enhancements. See Configure Layer 2 Forwarding.
    • EVPN over SD-WAN
    • Multiple Spanning-Tree Protocol (MSTP)
    • VLAN Translation
    • Enhanced support for MAC-related features, such as MAC aging, MAC learning, MAC move, and MAC limit.
    • Introduces different ways of determining the state of an IRB.
    • Support for configuring paired TVI interfaces (paired-tvi) as family bridge interfaces
  • LLDP—(In Releases 21.1.1 and later.) The Link Layer Discovery Protocol (LLDP) allows network devices to discover a neighbor device’s identity and capabilities on a LAN using a set of attributes, as defined in IEEE 802.1AB. See Configure LLDP.
  • Log export functionality (LEF) enhancements—You can reduce the number of firewall and SD-WAN statistics log records that CPE devices export, exporting logs only for the busiest sessions. See Configure Firewall and SD-WAN Usage Monitoring Controls.
  • Match alarm subtypes in exporter rules—(In Releases 21.1.1 and later.) You can match alarm subtypes in exporter rules. See Configure VOS Device Alarms.
  • Multiple tenants and multiple VRFs in a service chain template—(In Releases 21.1.1 and later.) You can configure multiple tenants and multiple VRFs in a service chain template. See Configure uCPE on a VOS Device.
  • Secure option with the Versa Analytics cluster installation script—(In Releases 21.1.1 and later.) You can use the secure option when running the Versa Analytics cluster installation script. See Perform Initial Software Configuration.
  • Service-chain template enhancement—(In Releases 21.1.1 and later.) You can service-chain multiple tenants and multiple VRFs. See Configure uCPE on a VOS Device.
  • SFP monitoring and management—(In Releases 21.1.1 and later.) VOS devices support digital diagnostics monitoring (DDM) and management capabilities for SFP and SFP+ interfaces. DDM provides information about the line, signal strength (optical input and output power levels), temperature, laser bias current, transceiver supply voltage, and other transceiver statistics in real time. Monitoring and management capabilities for Versa-certified SFP and SFP+ transceivers are built in. See Monitor the SFP Module.
  • Signature verification for software package uploads—(In Releases 21.1.1 and later.) You can use digital signature verification to verify Versa Director and VOS software packages that are uploaded using a Director node. See Configure Signature Verification for Software Package Uploads.
  • T1/E1 NIC module—(In Releases 21.1.1 and later.) CSG appliances support a T1/E1 NIC module. The T1/E1 NIC module supports four WAN ports, allowing you to connect to up to four T1 or E1 network connections. Each interface can be configured to run PPP, HDLC, and Frame Relay encapsulations. Interfaces are software configurable to run in T1 or in E1 mode with a rich set of line and framing parameters to ensure compatibility with existing networks. See Configure Interfaces.
  • TPM 2.0—(In Releases 21.1.1 and later.) VOS devices support TPM 2.0 on Ubuntu 18.04 running on CSG and certified whitebox platforms. TPM 2.0 is enabled by default.
  • WAN propagation—(In Releases 21.1.1 and later.) You can automatically copy the WAN networks of a parent organization and propagate them to the suborganizations under the parent. See Configure Transport Domains and WAN Networks.
  • Zscaler site-to-site tunnels—(In Releases 21.1.1 and later.) You can create secure IPsec and GRE tunnels between a VOS CPE device and a device hosted by Zscaler to optimize the connectivity between the VOS device and cloud peer devices. See Configure Site-to-Site Tunnels.

 

SD-WAN

  • DIA and DCA (SaaS) traffic optimization—VOS devices support ICMP monitor probes to track next hops for a given SaaS application, and they now also support TCP and HTTP monitor probes. TCP and HTTP monitor probes are often more reliable probes for determining the optimal path for internet traffic. See Configure SaaS Application Monitoring.
  • NetBox IP address management (IPAM) service—(In Releases 21.1.1 and later.) Versa Director uses the NetBox IP address management (IPAM) service to allocate the IP addresses from the configured overlay prefixes. See Configure the Overlay Addressing Scheme.
  • SaaS application detection using endpoints—For SD-WAN edge devices, detecting applications starting with the first packet is critical for optimum path selection. If an application is not known with the first packet and a non-optimal path is selected for the TCP session, the session's performance will be degraded. In earlier software releases, the VOS software used an application cache to cache the application detected for a session associated with a specific IP address and port. However, the application cache cannot assist the first session to a given destination. Because SaaS vendors are now using many IP addresses to serve applications, this limitation has become an issue. The first-packet identification feature addresses this limitation. It allows the SaaS application to be identified starting with the first packet of a session. First-packet identification is also used to identify applications that are making DNS requests, which means that DNS requests can use the same WAN path selection as data sessions.

    The first-packet identification feature performs WAN path selection for specific applications, both for the DNS sessions and the data sessions, and it allows users to configure firewall rules to create allow lists of SaaS applications using the published IP prefixes and domain names.

    Several SaaS providers publish the IP prefixes and domain name patterns for their service endpoints, and these lists are available to VOS devices so that they can identify applications on the first packet. The latest application endpoint information is updated in Versa Security Package (SPack) updates. VOS devices map the IP prefixes and domain names to the predefined applications for the SaaS application. For example, Microsoft Office 365 endpoints are mapped to the application OFFICE365. The applications are the same predefined applications that you use to configure policies (for example, Office 365 and Zoom), so you do not need to modify the policy configuration. The following are examples of endpoint information published by SaaS providers:

    • Microsoft Office 365—https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges
    • Zoom—https://support.zoom.us/hc/en-us/articles/201362683-Network-Firewall-or-Proxy-Server-Settings-for-Zoom

    SaaS application detection using endpoints includes the following features:
    • Identify applications for DNS requests and data sessions—For DNS sessions, the database containing the published domain names is used to resolve the domain name, and the published IP prefixes are used to identify the application for data sessions. Note that the applications that are identified are the same predefined applications that you use when configuring policies. For example, the Office365 endpoints published by Microsoft include the following: outlook.office.com, outlook.office365.com, and 13.107.6.152/31, 13.107.18.10/31, and 13.107.128.0/22 (and more) with TCP ports 80 and 443. Using this information, a DNS request for outlook.office365.com and a TCP session destined to 13.107.128.1 are mapped to the application OFFICE365.
    • WAN path selection—To select a WAN path for applications, you need to configure SD-WAN policy rules. Because both the DNS requests and the data sessions are mapped to the same applications (on the first packet of session) using the published endpoint information, they both receive the same path selection treatment. To use path selection for DNS requests, you must enable DNS proxy on the VOS device.
    • Allow lists for applications using endpoint information—You can create allow lists (sometimes called whitelists) for the SaaS applications using the predefined applications. Identifying applications on the first packet of the session helps to finalize the firewall policy to use for the session without waiting for the application to be detected by deep-packet inspection. For each application whose identification is to be finalized (for the purpose of firewall policy) based on the published endpoint-based match, the application-specific app-final-with-endpoint option must be set to TRUE.
  • SaaS endpoint definitions in SPacks—(In Releases 21.1.1 and later.) VOS devices dynamically query and download the FQDNs and IP addresses advertised by SaaS providers. These FQDNs and IP addresses are installed as part of security packages (SPacks), and they are updated dynamically. See Use Security Packages.
  • SD-WAN traffic-steering forwarding profile enhancements—(In Releases 21.1.1 and later.) SD-WAN forwarding profiles are enhanced to support circuit tag–based path priorities and path list–based path priorities (path-name-list, path-type-list, path-media-list and path-tags-list), last-resort priority, and unmatched-priority.
    • Circuit tags—You can label each SD-WAN interface with up to four circuit tags, which are user-defined free-form strings. You can use circuit tags, just as you do circuit names and circuit media, as match conditions in forwarding profiles in order to define path priorities.
    • Path list–based path priorities—You can define priorities using an exact match for local and remote circuits, which removes the ambiguity in grammar around when to use AND versus OR in match conditions. The new path list–based priorities and the existing circuit priorities model are mutually exclusive at a specific priority level. That is, if you select path list–based priorities, the current circuit priorities model is not allowed, and vice versa. However, you can select both types of priority levels at different priority levels.
    • Last-resort priority—Paths that you configure with this priority are used when all other paths go down, thus allowing you not to use LTE paths when other paths are available.
    • Unmatched priority—You can define the priority of the paths that are not configured explicitly. For example, if the unmatched priority is set to priority 2, any path that is not configured in the forwarding profile is considered as priority 2.
      See Configure SD-WAN Traffic Steering.
  • TCP optimizations—TCP optimizations mitigate the effects of high latency and packet loss on the performance of TCP-based applications. In Releases 21.1.1 and later, the maximum send and receive buffer sizes are increased from 8M to 16M, and you can configure forward proxy and reverse proxy TCP optimization modes. See Configure TCP Optimizations.
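
The first-packet identification described under "SaaS application detection using endpoints" above, as an added illustration (not Versa code, and not a description of how VOS implements it): a small Python classifier that maps a DNS query name, or a destination IP address and TCP port, to an application using the Office 365 endpoints quoted in the text. The EXAMPLE_* entries, the field names, and the allow/deny/pending-dpi verdicts are assumptions made for the example.

```python
import ipaddress

# Constructed endpoint table. OFFICE365 uses only the values quoted in the text;
# the EXAMPLE_* entries use documentation ranges and are made up for the demo.
# "final" models the app-final-with-endpoint option (the field name is ours).
ENDPOINTS = {
    "OFFICE365": {
        "domains": ["outlook.office.com", "outlook.office365.com"],
        "prefixes": ["13.107.6.152/31", "13.107.18.10/31", "13.107.128.0/22"],
        "tcp_ports": {80, 443},
        "final": True,
    },
    "EXAMPLE_APP": {
        "domains": ["*.example.com"],
        "prefixes": ["198.51.100.0/24"],
        "tcp_ports": {443},
        "final": False,
    },
    "EXAMPLE_VIDEO": {
        "domains": [],
        "prefixes": ["198.51.100.128/25"],
        "tcp_ports": {443},
        "final": False,
    },
}


class EndpointDB:
    """Maps DNS names and (IP, port) tuples to predefined application names."""

    def __init__(self, table):
        self.exact = {}    # fqdn -> app
        self.suffix = []   # (".example.com", app), built from "*.example.com"
        self.nets = []     # (network, allowed TCP ports, app)
        self.final = {}    # app -> may the verdict be final on the first packet?
        for app, entry in table.items():
            self.final[app] = entry["final"]
            for domain in entry["domains"]:
                domain = domain.lower().rstrip(".")
                if domain.startswith("*."):
                    self.suffix.append((domain[1:], app))
                else:
                    self.exact[domain] = app
            for prefix in entry["prefixes"]:
                net = ipaddress.ip_network(prefix)
                self.nets.append((net, entry["tcp_ports"], app))
        # Most specific entry first, so overlapping ranges resolve predictably.
        self.nets.sort(key=lambda n: n[0].prefixlen, reverse=True)
        self.suffix.sort(key=lambda s: len(s[0]), reverse=True)

    def classify_dns(self, qname):
        """Return the application for a DNS query name, or None."""
        name = qname.lower().rstrip(".")
        if name in self.exact:
            return self.exact[name]
        for suffix, app in self.suffix:
            # The suffix keeps its leading dot, so a look-alike such as
            # "evilexample.com" cannot match "*.example.com".
            if name.endswith(suffix) and len(name) > len(suffix):
                return app
        return None

    def classify_flow(self, dst_ip, proto, dst_port):
        """Return the application for the first packet of a session, or None."""
        if proto != "tcp":
            return None
        ip = ipaddress.ip_address(dst_ip)
        for net, ports, app in self.nets:
            if ip.version == net.version and ip in net and dst_port in ports:
                return app
        return None

    def first_packet_verdict(self, dst_ip, proto, dst_port, allow_list):
        """Decide on the first packet only when the app is marked final;
        otherwise the session waits for deep-packet inspection."""
        app = self.classify_flow(dst_ip, proto, dst_port)
        if app is None or not self.final[app]:
            return "pending-dpi"
        return "allow" if app in allow_list else "deny"


DB = EndpointDB(ENDPOINTS)

if __name__ == "__main__":
    print(DB.classify_dns("outlook.office365.com"))
    print(DB.classify_flow("13.107.128.1", "tcp", 443))
    print(DB.first_packet_verdict("13.107.128.1", "tcp", 443, {"OFFICE365"}))
```

A prefix match only says that the destination falls inside a published range, which is why the sketch also requires the published port and leaves non-final applications to deep-packet inspection.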

Security

  • Caching of the URL filtering history—(In Releases 21.1.1 and later.) You can configure the caching of the URL filtering history. See Configure URL Filtering.
  • FIPS 140-2 Level 1 compliance—(In Releases 21.1.1 and later.) You can run VOS devices in FIPS mode in VOS images that are FIPS 140-2 Level 1 compliant. FIPS 140-2 Level 1 compliance covers production-grade and externally tested encryption algorithms. See FIPS Compliance.
  • Microsoft NDES and SCEP network access control—A VOS device can perform certificate-based network device authentication and certificate management using Microsoft Network Device Enrollment Service (NDES), which is based on Simple Certificate Enrollment Protocol (SCEP). See Configure Certificate Servers.
  • Remote access server (RAS) support—A VOS device can act as a remote server, allowing remote users to connect to the VOS device by establishing a VPN connection. See Configure the Versa Secure Access Service.
  • TLS/SSL for remote collectors—Transport Layer Security (TLS) has been added to the existing connection mechanisms (TCP and UDP) to enable you to stream logs securely. See Configure Log Collectors and Log Exporter Rules.
  • URL filtering enhancement—(In Releases 21.1.1 and later.) You can enable or disable the caching of the URL filtering history. See Configure URL Filtering.
  • Versa Secure Access Service—(In Releases 21.1.1 and later.) Adds the Versa Secure Access Client for Windows 10 and macOS, which is installed on end devices, and Versa Secure Access Server functionality developed on Versa OS. See Configure the Versa Secure Access Service.

Fixed Bugs

The following tables list the critical and major defects that were fixed in Release 21.1.

Fixed Bugs in Release 21.1

Bug ID Summary
43383 Enhanced the SIP ALG to bypass ALG processing if no CGNAT or stateful or NGFW is configured in the service chain.
44188 SSHD logs in Syslog triggered by Director reachability checks are now suppressed.
45073 SD-WAN SLA last flapped time value that was displayed was incorrect.
45305 Added the ability to select the download of the sample or premium SPack from the VOS device.
42979 Attempting to change the RIPv2 interval crashed the routing process in Release 20.2.0 FRS.
43608 Changing the OSPF MD5 authentication key from plain text to MD5-based hash was not persistent.
43869 Versa Services process crashes when you enable the packet capture option in the LEF profile.
45098 sdwan-datapath-sla-not-met alarm was not sent to SNMP server, but it was sent to all other configured destinations.
44827 VOS CPE was unable to fetch certificate using CMP from a PKI server.
44138 When an IPsec peer is configured as a fully qualified domain name (FQDN) instead of an IP address, IPsec flaps continuously during the initial bringup.
43706 SD-WAN traffic coming over PPPoE links was processed by a single CPU core. Traffic is now processed by all available cores.
44793 ARP responses for VRRP virtual IP addresses were not consistently responding with a virtual MAC address.
45334 Geolocation-based match was added in QoS policy rules.
46707 FEC module crashes while processing out-of-range packets, specifically when more than 300,000 packets are sent by two different branches (in active-active configuration) and link between the two branches is flapping.

Fixed Bugs in Release 21.1.1

Bug ID Summary
40206 The DNS server was listening and serving requests on the WAN interfaces. This issue has been fixed.
44055 Changing an existing BGP prefix-list address object’s IP address using just the greater-than mask value without changing the less-than mask value would fail to commit the configuration. This issue has been fixed.
47161 The request security security-package download check-for-updates CLI command has been fixed to indicate the appropriate message in case of any error.
49983 VOS software processes transit DHCP ACK packets going from DHCP server to the client as if they were destined locally and incorrectly drops them. Also, VOS software processes transit DHCP acknowledgments for DHCP Inform [ unicast ] from server to the client via relay, and when traversing a VOS device, they are intercepted incorrectly and dropped. This issue has been fixed.
53374 Flapping of a WAN link caused a memory leak. Memory is now freed in the account manage module when an SD-WAN path object is deleted. This issue has been fixed.
54067 For a session for which the application is not known on the first packet, if the packet hits a SD-WAN policy deny rule, it makes progress until application is identified. At that point, upon policy reevaluation, if it still matches the deny rule, it denies the session. This is a change in behavior where a packet matching a SD-WAN policy rule that contains application as a match condition and if the application cache did not match the current destination IP and port, it would deny this session.
54565 When twice-basic-nat-44/twice-dynamic-nat-44/twice-napt-44 is configured, with active FTP traffic, the application of FTP data session is identified as unknown_tcp instead of ftp_data, and file transferred in this data session is not inspected by the antivirus module. This issue has been fixed.
55130 VOS vmod process restart is observed on the CPE when user tries to fetch IP SLA from Versa Director UI under Monitor Dashboard and no IP SLA (monitor) is configured on the CPE device. This issue has been fixed.
55792 The CoS shaping rate on a logical interface was not updated when the autonegotiated rate of the underlying physical interface changed from 10M to 1G. Because the VOS software caps the logical interface at the autonegotiated rate, the logical interface remained at a shaping rate of 10M. This update allows for the proper propagation of the link speed to all logical interfaces.
55993 An ARP request from the VRRP active node may be sent with the interface MAC address instead of virtual MAC address. This issue has been fixed.
56501 Versa services processes may crash because they cannot handle a transit packet with three or more VLAN tags. This issue has been fixed.
56721 Added channel width in the output of the show wlan AP-status command.
56970 During the upgrade process, the older package may not be removed. This issue has been fixed.
57146 A VOS DHCP server configured with more than one next-server IP address may fail to activate the entire DHCP configuration. The same may also happen when the next server IP address is a FQDN name instead of an IP address. For example, the following configuration causes DHCP server to not get activated:
set orgs org-services Pepsi dhcp dhcp4-options-profiles DHCP_OP_TOIP next-server 10.158.142.180,10.1.20.115,10.158.142.179
The workaround is to configure a single IP address in the next-server IP address. This issue has been fixed.
57442 Issuing the show org session extensive command crashes and causes a service restart if the session to be displayed has qos-policies or app-qos-policies applied to the session and there have been 5 or more configuration changes to qos-policy or app-qos-policy rules since the session was created. This issue has been fixed.
57500 Versa services process may crash when an entire organization is deleted. This issue has been fixed.
57655 versa-vmod may restart when trying to clear specific session via Director API. This issue has been fixed.
57787 versa-mod process may restart after repeated SNMP polling of CGNAT MIB or show cgnat pool statistics command is issued and there are CGNAT pools defined and not referenced in any CGNAT rule configuration. As a workaround, delete any CGNAT pools that are not used or skip SNMP polling of CGNAT. This issue has been fixed.

Fixed Bugs in Release 21.1.2

Bug ID Description
45535 When you select a remote branch, the TCP optimization policy statistics do not reflect the actual statistics. This issue has been fixed.
47904 For some network ports that use the Intel i40e driver, receipt of LLDP/DCBX packets causes i40e initialization failure. Added the LLDP persistence flag to keep the firmware LLDP agent in the Disabled state after it is set.
48598 Added the ability to attach one IP SLA monitor group to multiple VR redistribution policies.
51394, 51411 Fixed a process restart in the Versa-VMOD configuration handling process when you commit multiple captive portal profiles with CA certificates.
53372 Routing SNMP traps now include the tenant/organization name in them.
54538 The show pim neighbor CLI command displays the incorrect PIM mode. This issue has been fixed.
54723 Extend the show route command to include multicast RPF information:
show route multicast-rpf {{ipv4_addr | ipv4_prefix} | routing-instance name {ipv4_addr | ipv4_prefix}}
56568 When a site-to-site IPsec tunnel goes down, the tunnel down alarm is not generated consistently. This issue has been fixed.
56623 When you delete a tenant, a service restart might occur. This issue has been fixed.
58471 For an Aggregated Ethernet (AE) interface whose member interfaces are operationally and administratively down, they remain down even after being made operationally and administratively up. This issue has been fixed.
58497 For VEP-4600-xxx and CSG1500 devices, the VOS device was unable to report data about SFP optical modules connected to X722 MAC Ethernet controller ports, because reading the module EEPROM memory was not supported. The fix requires that you upgrade the NIC firmware to the specific NVM firmware release version, to allow the SFP data to be read.
58602 Added custom-header option to the wget CLI command to be able to pass authentication information and other options.
58975 The passwd binary on the base OS sometimes had incorrect permissions, thus preventing users from changing their passwords. This issue has been fixed.
58976 The DHCP lease database cleanup might not happen periodically, causing the DHCP lease file to grow to a large size. This issue has been fixed.
59026 When an interface is marked up momentarily by a monitor before bringing it down, the SLA is marked as Up and the SLA state machine is not executed before the interface is again marked as down. The result is that the ptvi interface remains in the proto Up state.
59035 Special characters such as $ in the RADIUS secret key for the WiFi access point configuration might not work. You can now include special characters in the password.
59164 A very long-lived TCP session might create a condition where the TCP stream module in the Versa service process may create a very large reassembly queue, leading to a delay in the packet processing times. If the affected worker is Worker 0, the SLA and the control plane would also go down. The workaround is to disable the stream module for the affected flow. This issue has been fixed.
59206 When you configure the all alarm, the CPU alarm thresholds might be reset to 0 for both high and low. This issue has been fixed.
59357 Service restart seen on Controller node because of a non-standard configuration on the branch devices. This issue has been fixed.
59377 Issuing the show bgp neighbor org might cause the routing process to restart, but other services are not affected. This issue has been fixed.
59410 Multiple policy configuration changes (more than four) might cause an old session that was created before the changes to access an invalid memory location and cause service restart. This issue has been fixed.
59416 Have the system load statistics computation consistent with the htop command, by not taking I/O wait times into consideration.
59651 When the same monitor object is attached to multiple static routes, any change in the configuration of a single static route might affect other routes. For example, deletion of a static route would install other static routes even if the monitor state was down. This issue has been fixed.
59801 The show system load-stats command output has been modified to not include the io-wait time in the calculations, to reflect the numbers shown by top or htop command.
59950 Quick Assist Technology (QAT) decrypt session contexts were not getting cleaned when IPsec tunnels flapped, causing session contexts to leak. Eventually the session contexts are used up, and SD-WAN/IPsec traffic blackholes. This issue was present only in Releases 20.2.x and 21.1.x. This issue has been fixed.
60128 Stopping the tcpdump command would sometimes cause BFD to flap if it was configured with a very low timeout value. This issue has been fixed.
60178 Sometimes, SLA from a spoke site to a Hub-Controller-Node (HCN) might not come up if the HCN WAN interface is behind a static NAT. A spoke branch detects the remote branch personality based on the site ID range and then tries to send SLA packets via the private or public IP address. For an HCN, whose site type is hub-controller, there is a need to add additional logic to detect the remote branch based on site type and not the site ID so that the SLA packets are always sent only on the public IP address. This issue has been fixed.
60510 Buffer management issue caused an EBGP multipath route in a VRF to not get announced in a Layer 3 VPN if one of the next-hop interfaces in LAN VRF is shut down. This issue has been fixed.
60594 For TCP optimization, upon receiving TCP options containing padding bytes after the EOL option in a TCP SYN packet, the VOS peer closest to the client ignores these padding bytes, which were added for byte alignment, resulting in a TCP SYN packet whose TCP options are not properly byte aligned. Because of this, the TCP options in the SYN packet are not being processed by the VOS peer closest to the server. This results in connection not being TCP optimized and is getting stalled. This issue has been fixed.
60595 TCP optimization is not functional when security features are turned on, which also causes a TCP session to be proxied, such as IPS.
60672 Mod16 group support in IKE was defective and not supported. This issue has been fixed.
61257 PIM neighbor down alarm was not getting generated. This issue has been fixed.
61267 DSCP rewrite was not working for reverse traffic when traffic is originated from WAN to LAN. This issue has been fixed.
61282 URL-based ZTP was not working on VOS device running Release 21.1.1 version because of an expired CA certificate. This issue has been fixed.
61526 Default route received through Layer 3 VPN was not getting installed in the forwarding plane if there was more than one Layer 3 VPN route received with different route distinguishers with same next hop address. (This happens if an SD-WAN hub originates the default route from an import VRF as well as export VRF.). This issue has been fixed.
61584 The Versa services process might crash because of missing sanity checks on the ICMP port unreachable error packet. This issue has been fixed.
61737 Fixed an issue with enabling uCPE hypervisor which can occur when hypervisor is enabled on Release 21.1.1, only when it is upgraded from 16.1R2S8 after updating OS Spack.
61828 Versa Service process might crash in the IKE ALG module in a rare timing condition when the ESP packets land in a different thread than IKE control packets and before IKE-ALG object is created. This issue has been fixed.

61851 Fixed a package dependency issue in OS Spack installation by allowing it to overwrite ESM package with higher version binaries. This issue has been fixed.
61873 Versa services process might crash while processing SIP traffic when a packet contains incomplete Replaces header. This issue has been fixed.
61950 Versa Service process might crash while processing GRE traffic over IPsec tunnel. This issue has been fixed.
61957 When OSPF and VRRP are both configured on the same interface, the backup router might redistribute routes without setting the configured metric when using direct protocol redistribution. This issue has been fixed.
61998 Versa service process might crash when receiving IPv6 multicast listener discovery (MLD) packets. This issue has been fixed.
62002 Versa service process might crash while processing SIP traffic when the received SIP packet has more than four bandwidth parameters. This issue has been fixed.
62075 TCP splicer might drop some ICMP unreachable messages of type MTU exceeded, fragmentation needed when DF bit is set. This issue has been fixed.
62126 SSH key authorization might fail because of incorrect handling of ssh-public-key configuration. This issue has been fixed.
62161 In an active standby interchassis redundant CPE configuration, a timing issue might cause Versa services to restart on the standby CPE node.
62268 A branch-to-branch IPsec tunnel might fail to come up when you reboot the branch. This issue has been fixed.
62429 The traceroute command had a command injection vulnerability. This issue has been fixed.

Fixed Bugs in Release 21.1.3

Bug ID Description

20557

When you commit a VOS device configuration from the Director node, the VOS device now waits up to 10 minutes to determine whether it has connectivity to at least one Controller node. If it does not, it performs a rollback operation after that 10-minute window. Previously, the VOS device would perform a rollback operation only immediately after the commit operation if it had no connectivity to any Controller nodes.

30728

When a VOS device is a DHCP client, DHCP Renew should be a unicast packet to the DHCP server and not a broadcast packet.

33184

When a Controller node has only internet connectivity and branches have both internet and MPLS connectivity, whenever the internet link goes down at the Branch1 device, all the Branch1 routes may be removed from other remote branches by the Controller node even though the SLA is up between Branch1 and the remote branches.

35738

Upgrade numerous third-party and open source packages that VOS devices use to address vulnerabilities

36851

In staging.py script, you can now specify a Controller node as an FQDN name. Previously, you could specify only an IP address.

37411

In rare occurrences, an incorrect reference count in the IPsec IP address object may cause Versa services to restart. This issue has been fixed.

38310

A defect in the IPsec module may cause the versa-service process to crash, causing a service restart. This issue has been fixed.

40160

Add support to fetch VOS device and OS SPack packages with the path-query option.

43497, 66215

When an address group is referenced before it is defined, a commit operation fails. Support has been added to handle this gracefully.

45615

Cannot move an OSPF network between OSPF areas of the same routing instance within a single commit. This issue has been fixed.

48993

CPU load statistics sometimes show values greater than 100%. This issue has been fixed.

50689

Issuing the show orgs org-services organization-name dhcp statistics dhcp interface CLI command sometimes may cause a timing issue, leading the versa-infmgr process to restart and then causing all services to restart. This issue has been fixed.

52361

Depending on how many address families and capabilities are exchanged, the BGP neighbor alarms may not show the full name of the site. This issue has been fixed to show the complete site name.

52860

The request system package download-status CLI command, which was to be used by a Director node issuing an asynchronous package download command, is now deprecated.

52874

IPsec alarm configuration is not being honored, and the destination and soak intervals are not activated. This issue has been fixed.

54479

Python binary may have the incorrect permissions or capabilities set, which prevents the SPACKMGR process from starting. This has been fixed. The permissions and capabilities are now forcibly set.

54808

Certificate constantly renews after renewal interval is exceeded. Two days before renewal, the VOS device generates a CSR and applies to the CMP responder for renewal. The VOS node constantly sends CSRs to the PKI server instead of waiting for next renewal period. This issue has been fixed.

56464

After the following error message, the VOS SD-WAN CPE does not re-attempt to resolve the IP address of the public CA server, causing global ZTP to fail because the certificate download fails:

2020-12-17 09:45:36.652 ERROR ../usr/sbin/certd/certd_cfg_hdlr.c:514: CMP: Tnt 1, Srvr versa-public-ca, FQDN ‘public-ca.versa-networks.com’ resolve-request send failed for CMP URL url. Will retry.

This issue has been fixed.

56492

When a deleted interface is added back, the interface-up alarm that corresponds to the earlier interface-down alarm is not generated. This issue has been fixed.

58693

The versa-certd process may crash when handling the USER certificate. This issue has been fixed. VOS devices now handle the USER certificate in addition to handling the SIGN (signing) and ENCR (encryption) certificates.

59117

IPv6 on LTE interfaces is not fully functional. This issue has been fixed.

59161

The rule name of a session in the Analytics log may be called "implicit-rule". This happens only when the session expires and the rule corresponding to the session has been removed from the configuration. This issue has been fixed. Now, the rule name is empty.

59618

When the versa-infmgr process incorrectly handles a stale link-update message, it may crash, causing services to restart. This issue has been fixed.

59972

When upgrading a security pack (SPack), Versa services may restart because of a race condition while accessing an internal data structure. This issue has been fixed.

60526

New branch staging may fail if IKE flaps or if the WAN IP address keeps changing. The result is that the IP address pool runs out of addresses, because older IKE connections linger on, which causes the staging of a new device to fail. This issue has been fixed. Now, the DPD process is more aggressive.

60879

When multiple CoS OIDs are passed in the same snmpget request, the versa-vmod process does not clear some internal tables, causing this process to restart. This issue has been fixed.

60968

When you upgrade the software, a redistribution policy term that has DHCP as the match protocol might lose the match protocol, and the term ends up matching all protocols. This issue has been fixed.

61851

Package dependency issue in OS SPack installation. This issue has been fixed. Now, the OS SPack installation overwrites ESM packages with higher-version binaries.

62268

When services start, the branch-to-branch IPsec tunnel might not be set up because of a race condition between two threads completing initialization at startup. This issue has been fixed.

62505

The application route cache (ARC) implementation has been enhanced to remove entries that have not been used for 1 hour. This optimizes the memory usage for this cache and has no impact on the system behavior, because ARC entries older than 1 hour were always considered to be stale.

62586

GRE and PPPoE interface MTU is not set to the default value, 1492. This issue has been fixed.

62758

The IPsec history CLI command output sometimes displays an incorrect error or reason. This issue has been fixed.

62793

Static ARP entries might not be activated in the data path. This issue has been fixed. The entries are now resilient to all timing conditions (for example, whether an interface is not up).

62800

A versa service crash might occur because of invalid memory access in the SD-WAN module. This issue has been fixed.

62805

During the upgrade process, MPLS tenant ID changes may be lost, leading to a tenant ID mismatch for the VPN label and causing the packet to be blackholed. The workaround was to update the mplsvpnentry tenant ID and restart the services. This issue has been fixed.

62806

A site-to-site IPsec connection between a branch and Azure Virtual WAN does not come up the first time unless IKE is cleared. This issue has been fixed.

62856

When you configure the out-of-band management interface, eth0, for speed and duplex, extra commands might be appended to the network configuration file. This issue has been fixed.

62883

Issuing the show orgs org-services organization lef collectors collector status CLI command might cause the versa-vmod process to restart. One cause was a leak of resources under certain error conditions: A slow leak eventually causes the process to restart but does not cause a service restart. Another cause was when the Versa Director dashboard triggered this command to fetch LEF statistics. This issue has been fixed.

62931

The sdwan-datapath-up alarm may not be generated. This issue has been fixed. Now, the alarm is triggered unconditionally when a path to a remote site is removed for any reason.

62955

When QoS policy rules were being evaluated, services might restart because the versa-service process crashes. The versa-service process crashes after repeated crashes of the versa-vmod process, and it is the result of a race condition in the security and policy rule compilation and data path. This issue has been fixed.

62978

SLA metrics are not displayed when the interval is greater than 150 seconds. This issue has been fixed.

63104

Sporadic packet latency is observed in Azure virtual instance of VOS devices. This issue has been fixed.

62955

When evaluating a QoS policy rule, the Versa services process may crash and services may restart. This is observed after versa-vmod repeatedly crashes, which is because of a race condition in the security and policy rule compilation and data path. This issue has been fixed.

63354

The memory consumption of the zone protection logic has been optimized to consume less memory without affecting performance.

63356, 63381

The software-upgrade-success alarm is not raised after you upgrade a device. Sometimes the alarm is incorrectly deferred until the next service restart. This issue has been fixed.

63442

Versa CPE uses a 4-digit host-uniq value, and if a DSLAM is non-compliant with RFC 2516 (such as Nokia ISAM7353), this causes an issue of interoperability. This issue has been fixed. The PPPoE PADI has been increased to 5 digits.

63481, 63543

When a large volume of IKE SA init traffic arrives at a VOS device, a memory leak is observed in the versa-service process. This issue has been fixed.

63506

When a configuration is pushed to create system users, user creation is noticeably slow. This issue has been fixed. Now, user creation is faster.

63593

When a user's group membership changes in Active Directory, this information might not be updated on the VOS device, and so the VOS device applies group-based policies based on previous membership details. This issue has been fixed. Now, when membership details are refreshed at the configured refresh interval, the details are updated in the live-user table and the new group-based policy is applied.

63594

When you configure IPS detection and IPS-based application identification reporting, a recursion might cause Versa services to crash and restart. This issue has been fixed. Now, the IPS-based application ID reporting is separated from IPS detection.

63612

For traffic monitoring policies, you could not configure a match destination for zone information. This issue has been fixed in the Director GUI and VOS CLI.

63647

Option-82 is not stripped by a VOS device functioning as a DHCP relay agent, causing clients to drop the DHCP response packets from the server. This issue has been fixed.

63699

Jumbo frame packets larger than 1686 bytes are not forwarded over the SD-WAN. This issue has been fixed.

63755

A memory leak is observed in the IKE-ESP ALG. This issue has been fixed.

63777, 63902

In the GUI, when you delete all the terms of a redistribution policy, the VOS device deletes the policy itself, causing the configurations on the Director node and the VOS device to be out of sync. This issue has been fixed.

63839

Web proxy rule match does not work with HTTP PATCH method. This issue has been fixed.

63949

Having a large number of FQDN address objects might lead to a memory leak in the versa-certd and versa-addrmgr processes. This leak causes these processes to bloat in size, and eventually they terminate and restart. However, there was no service disruption. This issue has been fixed.

63976

This issue occurs when two Controller nodes each have at least two WAN interfaces with disjoint transport domains (such as one for internet and a second for MPLS) and a branch device connects to the Controller node using only one of the transport domains. If one of the Controller WAN interfaces goes down and comes back up, and if during the time when the Controller interface is down, the branch's WAN interface for the other transport domain goes down and stays down even after the Controller's WAN interface comes back up, the branch device may retain stale state for the Controller node's MP-BGP information until the configured graceful-restart time expires. The result is that the branch cannot establish MP-BGP peering with the Controller node until the graceful-restart time expires. This issue has been fixed to ensure that when underlay connectivity from the branch to the Controller node is restored, that branch can re-establish MP-BGP peering with the Controller node.

64049

When the SD-WAN connection selection method is set as high-available bandwidth but no interface uplink or downlink bandwidth is configured, the available bandwidth cannot be calculated, causing the VOS device to select random paths instead of priority ones. This issue has been fixed so that the weighted round-robin (WRR) method is used.

64067

After the routing process restarts because of a core, the SD-WAN Controller may not install the host routes for the branches in a scaled environment. This issue has been fixed.

64144

When service chaining with Riverbed WAN-OPT in "Full Transparency with RS", TCP reset packets sent for the inner connection from WAN-OPT are processed locally by the VOS device, which closes the outer connection as well. This issue has been fixed.

64148

The sulogin binary process may be triggered and may then crash, causing the system to reboot. This issue has been fixed. The sulogin binary has been replaced with one that does not crash.

64333

The show alarms CLI command displays a truncated timezone offset. This issue has been fixed. Now, the full timezone offset information is displayed.

64391

A sequence of static route additions and deletions followed by disabling the interface associated with the static route may cause the Versa services process to restart. This issue has been fixed.

64400

The packet TX counter does not increment to indicate an issue on the Versa CPE device specific to the driver (i40e) of the port. The TX operation gets stuck because of the multisegment packets that were pushed to the NIC. The maximum segments supported by i40e is 8. Sending more than 8 segments causes the NIC TX ring to enter this state. This issue is a problem for the V1000, V1800, V1500, V930, V810 (FWA-3260), and CSG1300 platforms.

64444

When a destination is reachable through two or more remote SD-WAN sites and all the paths to at least one of the sites are in SLA-violated state, the Versa services daemon may experience a segmentation fault and restart. The workaround is to switch to active/standby routing instead of equal cost SD-WAN routes to the destination. This issue has been fixed.

64513

Core in the routing CLI transformer process may occur when an external peer group does not have peer AS configured and when the peer AS configuration is removed from a neighbor belonging to this group. This issue has been fixed.

64514

If you set up a site-to-site IPsec tunnel with a non-Versa peer and an aggressive DPD timeout (1-2 seconds) is configured on the peer (which is not a typical use case), the tunnel on the Versa side might go down. This issue has been fixed.

64527

If per-CPU QAT initialization fails even though global QAT initialization succeeds, the Versa services process may restart during data processing. This issue has been fixed. Now, it falls back to software-based cryptography.

64685

For the first packet of session that is evaluated by a rule that matches a source user or group, NGFW policy evaluation does not complete and therefore the rule action is not taken even though the source user and group information for the session is known.

64733, 64826

When LEF establishes a TCP connection to the destination collector, during overloaded conditions, if the server is slow, the connection moves to a write-blocked state. During this time, logs queued to the collector are dropped instead of being held until the connection is unblocked. This issue has been fixed.

64745

During IP fragmentation reassembly, if the packet header length does not match the actual packet length, packet buffers may get lost. This issue has been fixed.

64790

The memory footprint of the security and policy contexts increases with each commit, causing memory load issues on firewalls with large configurations. This issue has been fixed. Now, the increase is capped at one older context.

64811

Having a large number of FQDN objects (more than 100) slows the versa-service process and causes high CPU usage and failure of some show commands. This issue has been fixed.

64844

The .ncconnect file has invalid permissions, which might prevent the recognition of a successful connection between a Director node and a VOS device. This issue causes the trial period countdown to begin and eventually degrades VOS services. This issue has been fixed.

64988

The VOS device reassembles IP fragments received with DF bit, but after reassembly it retains the DF bit before transmitting reassembled, larger packets. This may cause downstream routers to drop the packets with DF bit set. This issue has been fixed. Now, the software resets the DF bit, allowing any router to fragment the packets.

65115

When an IPv6 destination is reachable using multiple remote SD-WAN sites (for example, if there are equal-cost routes using multiple sites), the circuit priorities specified in the SD-WAN forwarding profile may not be honored. Also, an SD-WAN or PBF policy rule that is used to override routing and enforce a specific next hop does not work for IPv6. This issue has been fixed.

65292

When you upgrade from an older release such as Release 16.1R2Sx to a newer release, if the address object contains an invalid wildcard FQDN object, the versa-vmod process might crash. This issue has been fixed. Now, a misconfigured FQDN object is ignored.

65294

When you perform an IPv6 traceroute between a source and a destination, a VOS device might drop IPv6 traceroute response packets, because it incorrectly parses the length of the ICMP time exceeded in transit message. This issue has been fixed.

65310

Issuing the debug command to display session extensive details causes a service restart. This issue has been fixed.

65319

A QoS rewrite with a service function chaining (SFC) configuration (with Layer 3 rewrite for inner, Layer 3 rewrite for outer, copy from outer, copy from inner) is not working as expected. This issue has been fixed.

65373

On a VOS device, if you manually edit the /etc/ssh/sshd_config file, for example, to add match commands, if you then use the CLI to change the SSH keepalive and timeout values, you are unable to access the device using SSH. This issue has been fixed.

65435

When an SD-WAN route flaps, the DIA traffic switches to the SD-WAN. This issue has been fixed.

65501

TCP evasion check may incorrectly drop 1-byte payload TCP keepalive packets assuming it is an overlapping segment. This issue has been fixed.

65502

Croatian Telecom LTE does not detect the correct APN. This issue has been fixed.

65505

Intermittent packet loss may occur when packet replication is enabled for large packets that need fragmentation. This issue has been fixed.

65536

For PPPoE, the VNI interface displays the correct RX BPS value, but the TVI interface does not. This issue has been fixed.

65643

When you configure twice-napt-44, it does not take effect the first time. You must configure it a second time to make it active.

65809

The show route table ipv4.unicast CLI command does not display the desired output when you specify both the detail and prefix options. This issue has been fixed.

65823

The IP TOS value in the outer tunnel header for host originated packets is set incorrectly, instead of being copied from the inner packet. This issue has been fixed.

65826

When you add a vni interface enabled with family DHCP to vnf-manager, it does not populate the local interface route in global space. This issue has been fixed.

65843

The versa-vmod process may restart during a Qualys scan directed at a VOS device. This occurs because the Qualys client tries to connect to servers running inside the VOS device. This issue has been fixed. The software has been enhanced and is now resilient to any clients that connect to internal Versa services.

65904

Top-N application computation every 5 minutes may cause increased packet latency and loss for traffic processed by worker thread 0. This issue has been fixed.

65926

In SLA alarms, the site names are truncated to 32 characters. Add support for site names up to 128 characters.

65953

In an active-active SD-WAN CPE deployment, when you change the paired-site location ID of any CPE, SLA contexts between the two CPEs are created. These SLA contexts are not deleted when the matching location ID is updated on another CPE to pair the two CPEs. This issue has been fixed.

66043

During a service package (SPack) upgrade, services may restart because the versa-vsmd process restarts. This was reported once. This issue has been fixed.

66097

Path MTU is not calculated correctly when the same source IP address and destination IP address pairs are present in two different VRFs. This issue has been fixed.

66136

The Versa services process restarts once because of an invalid timer (uninitialized value) in the application monitor module. This issue has been fixed.

66350

For a PIM-over-SD-WAN deployment, if you change the cluster ID to a higher value, PIM may be disabled between the two SD-WAN sites even if they both have the same cluster ID. This issue has been fixed.

66395

The show ospf neighbor brief CLI command may cause the routing CLI process to restart, causing the show command to fail. This issue has been fixed.

66583

The device model, SKU, and serial number details are now available in an additional MIB container that does not take a serial number as a key.

66599

The output of the show orgs org organization sd-wan statistics vni command for TX BPS and RX BPS is now displayed in bits per second instead of bytes per second.

66617

The staging.py script writes the staging.cfg file to the current directory, but some scripts look for it in the /opt/versa/scripts directory. Now, the file is saved in both directories.

66768

A memory leak in the QoS data structure may occur when the preclassified packets arrive over a cross-connect link from the peer and you have configured an App-QoS policy on the device. This issue has been fixed.

66789

Routing CLI process may crash when you delete a routing instance that uses a redistribution policy for instance import, followed by another commit that moves the terms of the same redistribution policy. This issue has been fixed.

66817

With packet replication and per-packet load balancing, packets are cached and released from the buffer to reorder out-of-order packets. The released packets may use stale data, which can cause the Versa services process to crash. This issue has been fixed.

67147

Changed the default behavior so that the origin of a BGP route in VRF to Layer 3 VPN, and vice versa. The origin can be overridden if it is configured in the redistribution policy.

67276

Traffic ingressing from the SD-WAN cannot be further redirected to another SD-WAN next hop on the middle hop using forwarding profile with next hop as the site. This issue has been fixed so that steering to another site on a hub is supported.

67404

Versa service process may crash when VSA is enabled with TCP optimization in auto mode. This issue has been fixed.

67446

Versa 810 devices may report the incorrect power supply status “Either PSU2 cable is unplugged or PSU2 is unplugged”. This issue has been fixed.

67456

Externally authenticated users in the admin group cannot run show alarms or other privileged commands from the CLI. This issue has been fixed.

67491

Modify the default method of defining a string in the CLI to use quotation marks instead of a backslash.

67629

When you issue a CLI command to display the BGP route table for a specific routing instance and an extended community, the routing process may crash. This issue has been fixed.

67659

Enhanced the output of the show interface info command to include DSL interface information.

67707

Fixed an issue with timezone settings that can occur if /etc/localtime is not a symbolic link.

68087

When you run a CLI command to display interface status immediately after you run an SNMP query to retrieve interface status, the interface manager process may crash. This issue has been fixed.

68103, 68124

When you upgrade a VOS device from Release 16.1R2W10.4 to Release 20.2.2, the management and configuration process may crash because of an invalid tenant ID in SNMP query.

68157

Timeout error may occur when you issue the show orgs org-services organization-name dns-proxy profile-monitor CLI command. This issue has been fixed.

68198

If you modify the LEF profile in the ADC module, the Analytics node may miss ADC logs. This issue has been fixed.

68226

Versa services crash is seen due to incorrect reference counting of IP routes. This issue has been fixed.

68266

On PPPoE interfaces, some PPPoE servers may terminate the connection directly with PADT, and the LCP TermAck may not be received, so IP cleanup does not happen. This issue has been fixed.

68677

Versa services process may crash because of malformed packets recovered by the FEC module. This issue has been fixed by dropping the malformed packets.

68911

After unsuccessful attempts to log in as root using ssh, the root account may be disabled. This prevents running “sudo su” to drop to a root shell. This issue has been fixed.

69080

On Advantech devices with an LCD screen, the lcd4linux service continuously invokes the command to fetch the system status if you press the menu and navigate to one of the options. On systems on which TACACS+ accounting is enabled, this issue causes a large buildup of account records, leading to memory overload of the versa-vmod process. This issue has been fixed.

69282

On systems with Rangeley (C2xxx) CPUs, if the QAT is stressed by traffic requiring cryptographic processing, the Versa service process may stop all further processing of cryptographic traffic, requiring a restart to recover the system. This issue has been fixed.

69369

When you apply a configuration change that reconfigures the Layer 3 VPN module, you may see a core in the routing process. This issue has been fixed.

Fixed Bugs in Release 21.1.4

Bug ID Summary

43497, 66215 When you reference an address group before it is defined, the commit was not successful. Support has been added to handle this gracefully.

45301 Running tcpdump on the vni-0/2 interface on a system with WiFi interfaces (vni-0/20*) is unsuccessful, because cleanup on previous invocations was not successful.
45840 SNMP walk fails to fetch the SD-WAN policy if address monitors are attached to the policy.
46302 Config Sync-from-Appliance performance has been improved. On systems with large routing configurations, this operation would previously take several minutes.
53277 NTP cannot resolve FQDN server names.
58454 If you enable device identification, intermittent service disruption occurs because of a process crash and restart. As a workaround, do not enable device identification.
58509 If you include special characters in any of the encoded attribute values in the ZTP URL, such as the Controller PSK, the VOS CPE would be configured incorrectly.
60515 CA-signed certificate for device management reverts to a self-signed default certificate when you upgrade the VOS software.
61985 IPsec alarm has been enhanced to include the name of VPN profile associated with the IPsec tunnel or to include the name of the tunnel interface if it is a route-based IPsec tunnel.
63569 The IF-MIB field ifOperStatus shows as Up even if the tunnel interface is down.
64067 After the routing process restarts because of a core, the SD-WAN Controller node may not install the host routes for the branches in a scaled environment. This issue has been fixed.
64533 Fixed a memory leak in audisp-aaa plugin for VOS systems running Ubuntu 14.04 (Trusty).
65114 Certain threshold and utilization alarms are occasionally not cleared.
65168 If the SKU field is empty, the show system details command shows no data.
67751 If a redistribute policy contains a set-community attribute and is used for redistribution to OSPF, the commit fails with a cryptic message. This issue has been fixed, and the error message is now more descriptive.
69064 Because of a timing issue, physical interfaces may not be recognized as vni-x/x interfaces and sometimes appear as unknown-x/x interfaces.
69175 If the IP lookup database is corrupted, services do not start because the Versa services continuously restart. The process has been made more resilient and continues to run if the database is corrupted.
69188 SPack installation was reporting a failure even if it was installed successfully, because the installation took longer than five minutes. The timeout has been extended to 10 minutes to accommodate slower installations.
69517 The static source NAT and twice static NAT are bidirectional NAT policies, which means that sessions can be initiated in the server-to-client (out-to-in) direction as well. For sessions matching the NAT policy in the server-to-client direction, the reevaluation of the NAT policy was not being done correctly, and as a result, the NAT session was being torn down.
69815 Moving existing BGP neighbor addresses to a new BGP group causes a commit operation to.
69825 Setting a link speed of 10 Mbps configures the default shaping burst size to 1250. For all link speeds less than 100 Mbps, the default burst size is now 12500 bytes, to allow for jumbo packets.
69921 When you define the same application in two different organizations in a VOS instance, application reporting works correctly in one organization but not in the other.
70029 The TCP MSS on an unencrypted SD-WAN tunnel is not adjusted up, but rather it remains the same as the encrypted tunnel MSS.
70036 The show system status CLI command crashes the vmod process because of stale status files.
70089 When you enable isolate-cpu, the Versa services process keeps restarting after a software upgrade.
70101 Provisioning a new routing instance becomes progressively slower as the number of routing instances becomes very large.
70106 TVI interface type change not allowed message prevents a template deploy even if you select the reboot option.
70206 When a branch-to-branch SD-WAN tunnel goes down, the IpsecTunnelDown alarm is incorrectly generated.
70233 In an SD-WAN network with a set of hierarchical Controller nodes, if a spoke loses connectivity with T1 controller1, at the T0 Controllers, the T1 Controller1's routes are selected because the T1 Controller's IP address is lower.
70239 On a hub-controller node, when all the interfaces go down and then one of the interfaces comes up in reverse order, the SLA did not come up.
70314 In file-based actions, if you specify the file size limit, downloading any file exceeding that size is not blocked unless you also specify the deny list option.
70315 On CSG300 Series appliances, an auto-SIM detection issue may occur with the Ubuntu 18.04 (Bionic) version of the OS.
70363 The Don’t-Fragment override configuration option does not work for PIM Register packets.
70366 For Ethernet ports using i354 MAC controllers, when the remote end is running at 100M/FD with autonegotiation On, disabling the port on the local side causes the interface to hang or get stuck. In this situation, the LED on the local link is Down, whereas the LED on the remote link is still On. The only way to recover (unhang) the interface is to power cycle the device. This issue affects the following CSG and white-box appliances:
  • Advantech—FWA-1320, FWA-2320, FWA1010VC
  • Lanner—FW7525, FW7551
  • Nexcom—DTA1152AC4
  • Silicom—80500
  • Versa Networks—CSG350, CSG355, CSG365
70604 A local user for whom a ssh-public-key is configured cannot use ssh to log in to a VOS device.
70662 When there are 200+ interfaces in the traffic-identification configuration, a commit change can take up to 3 minutes.
70823 Security package installation fails if there is an earlier commit that contains more than four attributes configured under “system parameters”.
70832 An application monitor’s last status of Up remains as Up if you disable the WAN interface and the monitoring threshold is more than 20 seconds. (The default is 3 seconds).
70893 If private-key decoding fails, issues with OCSP monitoring occur.
70906 The alarmDevice field in SNMP trap messages now includes the name of the device that originated the trap. Previously, the field had the name of the module that originated the traffic.
71182 When you enable a SIP ALG, in a rare scenario, SIP confirmed dialogs were not cleaned up, which, over time, caused a memory leak in the Versa services process. This issue has been fixed.
71256 Moving a BGP neighbor address from one BGP group to another is not reflected in the show bgp neighbor brief CLI command output and led to inconsistencies in the Director and device configurations. This issue has been fixed.
71310 Fixed a negative value displayed in the Versa log collector’s process debug memory statistics.
71424 For Google Chrome browsers with CECPQ2, the SSL handshake failed for domains starting with letter "a". This issue has been fixed.
71437 The Versa services process consistently uses a large amount of memory because of an issue in which unused memory is not released to the system. This issue has been fixed.
71485 When multiple certificates must be OCSP validated, a port bind issue may occur, with a connect_fail issue, because of a single client side port.
71528 For a SASE client, when TCP SYN is not retransmitted, the client may not connect to the gateway. This issue has been fixed.
71569 Increase the space in the filter table to support 1K or more static BGP peers.
71669 When Layer 2 services with STP were enabled, a memory leak was detected in the Layer 2 control process, resulting in high memory utilization. This issue has been fixed.
71675 During service initialization, an SNMP request to the routing process may cause the process to restart.
71717 When you configure the share-aro option for a BGP instance, the Controller node may not sync some of the routes to a peer when a reconnection occurs.
71901 BGP does not advertise the slave local preference value configured in a redistribution policy for a static route. This can happen when you add a static route after configuring slave-local-preference. This issue has been fixed.
71911 When a user-defined URL category name contains a period (.), a configuration commit fails. The commit check now allows only alphanumeric characters, hyphens (-), and underscores (_).
71992 The Versa services daemon may occasionally get stuck in repeated attempts to select an SD-WAN path for a session. This issue has been fixed.
72189 For an SD-WAN Controller node, continuous IKE flaps were seen towards the SD-WAN branch appliance. This occurred because of a mismatch of information between the two modules. This issue has been fixed.
72363 When an SD-WAN network has more than six SD-WAN Controller nodes, the routing process may go into a high CPU state when any network failures occur.
72410 The CGNAT module might crash and restart the services.
72514 Logging related to an error condition in the routing process fills up the logs.
72610 Add support for an additional PLMN for Verizon 311270.
72792 The routing process stops and restarts because of a buffer overflow caused by printing too many communities in a show command in a routing loop situation.
72915 In the rare scenario of a double failure, Controller-to-Controller and Controller-to-branch routes are not removed, creating stale routes. This issue has been fixed.
72953 While handling an aggregate route with the discard option, the routing process stops and then restarts.
73079 If a PPPoE interface has different subnets at the two ends, there may be a reachability issue because of improper route installation.
73118 If you specify a source interface in a ping or traceroute command to an FQDN destination, the command may fail because of a defect in how the dig command output is parsed.
73234 Fix services process crash triggered by ADC server down when load-balancing is set to WRR.
73262 When an FQDN object is resolved through multiple routing instances and then one of the routing instances stops resolving, the policy module cannot obtain the resolved address from other routing instances.
73518 Fix routing process restart when routing peer policy configuration containing a prefix list is modified.
73587 Add support for handling 16K jumbo frames in QAT to perform fast cryptographic operations in hardware.
73608 Fix an issue in DNS zone transfer by allowing multiple DNS responses in a single query for AXFR/IXFR.
73702 Fix routing process crash that might happen when you issue the clear bgp neighbor CLI command.
73896 EVPN remote MAC entries are deleted when a Layer 3 interface is removed when the same core virtual router instance is used for a Layer 3 VPN and a Layer 2 VPN. This issue has been fixed.
73957 Fix a crash in Versa services process when traffic goes through the CGNAT service and an SD-WAN policy is configured with a next-hop priority.
74333 Fix a delay in the DHCP offer when the DHCP server profile is configured with ping settings.
74378 Fix an issue in which packets are dropped on a TCP SIP session after the session idle timeout is reached.
74429 Sometimes, when multiple rollbacks of the IPsec VPN rule configuration are performed, a services process crash is observed. This issue has been fixed.
74936 Automatically exclude statically mapped IP address from the DHCP server dynamic IP address pool.
74955 Fix private key export/preview for TPM-enabled hardware.
74988 Fix an issue with IKE route installation in the routing table that may occur after network disruption when the device has more than 1 million routes.
75050 Fix upgrade script timeout on an appliance with a large configuration.
75283 Fix missing CMP server entry from address manager database after services restart when OCSP is configured.
75402 SIP Invite confirm dialog deletion timer increased to 6 hours.
75466 Fix vstated process memory spike that causes service disruption when routes are removed and added frequently.
75629 BGP does not advertise the configured VRRP slave priority when multiple interfaces are configured as VRRP slaves. This issue has been fixed.
75704 Some access policy rules may be removed incorrectly from the firewall engine during an SPack update after a failed commit, if the failed commit includes any access policy rule changes.
75967 Monitor down with maximum threshold of 60 seconds.
76115 Monitor group state remains inactive after a reboot when more than two monitor groups are configured.
76290 An externally authenticated user sometimes cannot execute sudo commands without passwords.
76587 When a circuit for a remote site, say B2, is removed, the updates are propagated and consumed by all SD-WAN sites. Assume that the current site is B1. When the associated transport paths are being cleaned up on B1 corresponding to the deleted B2 circuit, it is important to ensure that the transport path table itself has not already been cleaned up. This bug fix adds a defensive check for this purpose. This issue is seen only if all circuits for a remote site are progressively cleaned up.
77039 Operator-level users can no longer log in after upgrading to Release 21.1.3.
77431 Fix services process crash caused by an unprogrammed interface that may occur if the same interface flaps multiple times.
77723 Packets are dropped on the receiver when a rule switches on the sender side after the session starts. This occurs before the packet egresses, when the packet is processed through FEC and then App ID detection causes the rule that does not have FEC enabled to match. As a result, the same packet is processed again and the end notification is not sent, causing the receiver to assume that FEC is still active on sender.
77781 ARP entries are not cleared when the VOS device is the VRRP active node and the interface on which VRRP is configured is shut down.
78584 Monitor does not come up on bootup, resulting in an inactive IP SLA.
78778 Fix routing process crash that can occur when a routing instance is deleted.
78817 For data traffic, the VOS device being used as a VRRP active node uses the interface MAC address as source address in ARP request or reply for the virtual IP address. This has been fixed to use the virtual MAC address instead.
78876 Long-lived RTP sessions accumulate memory and cause the Versa service process memory usage to increase.
79163 URL cloud lookup may fail after many days because of a memory leak.
76913 Do not send LEF logs for the file filter action of allow to prevent an overflow of the LEF logs.
80011 If you rearrange the terms of a redistribution policy while the policy is being used for redistribution to BGP for IPv6, the Versa routing transformer process may restart.
80074 A memory leak in the Infmgr process may occur, and stale neighbor objects are leaked slowly over time.
80537 Tenant QoS policer may skip policing the reverse traffic and police only the forward traffic.

Limitations and Behavior Changes

The following are the limitations and behavior changes in Release 21.1.

Limitations and Behavior Changes in Release 21.1

  • TCP optimization is designed for WANs with bottleneck bandwidth up to 300 Mbps that also experience high latency (> 50 ms) and some degree of packet loss. Using TCP optimization in other environments, such as low-latency networks or in networks with high latency but no packet loss, may be counterproductive and may instead decrease performance.
  • With TCP optimization, peer discovery, or automode, is currently limited to an SD-WAN network, even though the optimization is designed to also work on Versa appliances in a non SD-WAN network.
  • On Windows remote access clients connecting to a VOS RAS server, you must add static routes for remote access. Routes are not automatically installed on the Windows RAC client when it connects to the VOS RAS server.
  • A VOS device does not configure a RAC client with the DNS server address. You must manually configure it on the Windows RAC client.
  • You cannot configure IRB as an inter-HA link.
  • The maximum number of IRB interfaces is 64.
  • For bridging, you must configure Layer 2 interfaces in promiscuous mode.
  • Versa Director monitor screens are not available for Layer 2 show commands.
  • Class of service (CoS) and access lists are not supported for Layer 2.
  • IRB interfaces support family inet only. These interfaces currently do not support IPv6.
  • You should ensure that the Layer 2 interface MTU matches the IRB interface MTU to avoid any packet drops caused by MTU mismatch.
  • Previously, by default, FEC sent the parity on the same link and the duplicate parity on an alternate link. This has changed. Now, the parity packet is sent on an alternate link and the duplicate parity packet is disabled. This was done to reduce the overhead on already congested links. You can enable the duplicate parity packet through configuration.
  • In Releases 20.2 and later, the BGP AS path loop check behavior has been changed to prevent BGP routes that contain the local AS number of the BGP instance from being installed even when they are received from IBGP peers. (In software releases prior to Release 20.2, an AS loop check was performed only for routes received from EBGP peers.) This change was made to comply with RFC 4271, to prevent loops in all cases. When you upgrade a VOS device from Release 16.1R2 to Release 21.1, if the VOS device is configured with the overlay AS number in the BGP AS path to the Controller node, the Controller node no longer installs these routes and therefore does not propagate the routes to other branches. As a result, you might encounter one of the following situations:
    • The local AS number configured in the branch VRF BGP group or neighbor may be same as the overlay control VR. If so, do one of the following as part of upgrade:
      • Ensure that the local AS number configured for the group or neighbor in the VRF is different from the overlay BGP AS number in the control VR. If the AS numbers are different, the controller node does not receive its own overlay AS number in the AS path, and the route is installed.
      • Check whether the default local AS mode is set to mode-2, which adds the configured local AS in the BGP group or neighbor level to the AS path when the route is imported. If so, change the mode to mode-4, which does not add the AS number to the AS path. As a result, this route passes the AS loop check on the Controller node and is installed.
      • Configure the loops option in the BGP group corresponding to the branches in the Controller’s control VR as well as in the control VR in the branches. This option allows routes with as many loops as specified in the configuration to be installed.
    • The AS path received from the BGP peers in the VRF may already contain the overlay AS number. If so, do one of the following as part of upgrade:
      • Ensure that the customer network does not use the overlay BGP AS number in the control VR, with the result that the controller will not receive its own overlay AS number in the AS path and the route will be installed.
      • Configure the loops option in the BGP group corresponding to the branches in the Controller’s control VR as well as in the control VR in the branches. This option allows routes with as many loops as specified in the configuration to be installed.
  • In Releases 20.2.3 and earlier, when BGP detects that a neighbor is going down, the Controller node reruns the best path selection for Layer 3 VPN routes, selects an alternate route from another active neighbor, and announces the route to other BGP route-reflector clients so that they can use the new route. In Release 20.2.4 and Releases 21.2.2, and later, the Controller node reruns the best path selection only for Versa private routes. This means that a stale Layer 3 VPN route from the neighbor that has gone down still remains as the best path, and subsequent best path selection for Layer 3 VPN routes occurs only if the Controller node receives an update for the route. This behavior change can cause issues when route distinguisher (RD) values are the same on different VOS devices and they are advertising the same route for the purpose of redundancy or failover. It is recommended that the route distinguisher values for a tenant LAN virtual router (tenant-LAN-VR) be unique for each VOS device so that the Controller node can reflect the same route received from multiple clients, ensuring faster failover if a client that is sending the best route fails. In Releases 21.x, during the workflow deployment, the Director node generates unique route distinguisher values for each VOS device, in the format global-vrf-idL:site-id, for both standalone and HA deployments. In Releases 20.2.3 and earlier, the route distinguisher values were not unique for standalone VOS devices.
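
The AS path loop check change described above can be modeled before an upgrade to find routes that the Controller node would stop installing. This is an added example, not Versa code: the Route type, the function names, the AS numbers, and the prefixes are constructed, and it assumes that the loops option accepts a route when the local AS appears in the AS path at most the configured number of times.

```python
"""Pre-upgrade model of the BGP AS path loop check change (added example).

All routes, prefixes and AS numbers below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]  # AS numbers as received by the Controller node
    peer_type: str            # "ibgp" or "ebgp"


def passes_loop_check(route: Route, local_as: int,
                      allowed_loops: int = 0, check_ibgp: bool = True) -> bool:
    """Return True if the route survives the AS path loop check.

    check_ibgp=False models releases prior to 20.2, where only routes
    received from EBGP peers were checked. check_ibgp=True models
    Releases 20.2 and later, where IBGP routes are checked as well.
    allowed_loops models the loops option (assumed semantics: the local AS
    may appear at most that many times in the AS path).
    """
    if route.peer_type not in ("ibgp", "ebgp"):
        raise ValueError(f"unknown peer type: {route.peer_type!r}")
    if route.peer_type == "ibgp" and not check_ibgp:
        return True  # old behavior: no loop check on IBGP routes
    return route.as_path.count(local_as) <= allowed_loops


def routes_lost_on_upgrade(routes: List[Route], local_as: int,
                           allowed_loops: int = 0) -> List[str]:
    """Prefixes installed under the old check but rejected under the new one."""
    lost = []
    for route in routes:
        before = passes_loop_check(route, local_as, allowed_loops, check_ibgp=False)
        after = passes_loop_check(route, local_as, allowed_loops, check_ibgp=True)
        if before and not after:
            lost.append(route.prefix)
    return lost


# Constructed overlay AS number (private-use range) for the control VR.
OVERLAY_AS = 64512

# Constructed routes as a Controller node might receive them from branches.
SAMPLE_ROUTES = [
    # Branch VRF local AS equals the overlay AS and was added on import.
    Route("10.1.0.0/24", (64512, 65010), "ibgp"),
    # Branch VRF uses a different local AS: unaffected.
    Route("10.2.0.0/24", (65001, 65010), "ibgp"),
    # Customer network already carries the overlay AS in the path.
    Route("10.3.0.0/24", (65020, 64512, 65030), "ibgp"),
    # EBGP route with the local AS: rejected before and after the upgrade.
    Route("10.4.0.0/24", (64512,), "ebgp"),
    # Overlay AS appears twice: loops=1 is not enough, loops=2 is.
    Route("10.5.0.0/24", (64512, 64512, 65010), "ibgp"),
]

if __name__ == "__main__":
    for loops in (0, 1, 2):
        lost = routes_lost_on_upgrade(SAMPLE_ROUTES, OVERLAY_AS, loops)
        print(f"loops={loops}: routes no longer installed -> {lost}")
```
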

Limitations and Behavior Changes in Release 21.1.1

  • Starting with Release 20.2.x, VOS software requires the underlying Intel CPU to have RDRAND capability. To check the CPU's capability, issue the following command:
    # cat /proc/cpuinfo | grep rdrand
  • When you change the maximum number of tenants, you must commit the change separately, and a service restart occurs. After the restart, make any other configuration changes.
  • Whenever you configure an SD-WAN or policy-based forwarding (PBF) rule to override routing (by enforcing a next hop), you must configure a source zone in addition to other match criteria in the rule in order to prevent traffic not intended for the rule from matching it inadvertently. An example of this is when you use an SD-WAN or PBF policy rule for application-based DIA. This requires a rule to identify traffic originating from the LAN (typically, some Intf-<>-LAN-zone), and then using the rule to send the traffic into the required transport VR, where a second session gets created. CGNAT rules are used to source-NAT this traffic. If the source zone is omitted in the SD-WAN/PBF rule's match condition, the second session also matches it and causes a packet loop. By adding the source zone Intf-<>-LAN-zone as a match condition, you prevent the second session from matching the PBF rule.

Limitations and Behavior Changes in Release 21.1.2

  • When you change the maximum number of tenants, you must commit the change separately, and a service restart occurs. After the restart, make any other configuration changes.
  • When you configure an SD-WAN or a policy-based forwarding (PBF) rule to override routing (by enforcing a next hop), you must configure a source zone in addition to other match criteria in the rule, to prevent traffic not intended for the rule from matching it inadvertently. An example of this is when you use an SD-WAN or a PBF policy rule for application-based DIA. This requires a rule to identify traffic originating from the LAN (typically, some Intf-<>-LAN-zone), and then using the rule to send the traffic into the required transport VR, where a second session gets created. CGNAT rules are used to source-NAT this traffic. If you omit the source zone in the SD-WAN/PBF rule's match condition, the second session also matches it and causes a packet loop. By adding the source zone Intf-<>-LAN-zone as a match condition, you prevent the second session from matching the PBF rule.
  • For the DHCP server to provide an IP address, there must be at least one matching rule in the DHCP service profile. In earlier releases, DHCP provided an IP address even when there were no matching rules.

Limitations and Behavior Changes in Release 21.1.3

  • When you change the maximum number of tenants, you must commit the change separately, and a service restart occurs. After the restart, make any other configuration changes.
  • Whenever you configure an SD-WAN or a policy-based forwarding (PBF) rule to override routing (by enforcing a next hop), you must configure a source zone in addition to other match criteria in the rule in order to prevent traffic not intended for the rule from matching it inadvertently. An example of this is when you use an SD-WAN or PBF policy rule for application-based DIA. This requires a rule to identify traffic originating from the LAN (typically, some Intf-<>-LAN-zone), and then using the rule to send the traffic into the required transport VR, where a second session gets created. CGNAT rules are used to source-NAT this traffic. If the source zone is omitted in the SD-WAN/PBF rule's match condition, the second session also matches it and causes a packet loop. By adding the source zone Intf-<>-LAN-zone as a match condition, you prevent the second session from matching the PBF rule.

Known Issues

The following are the known issues in Release 21.1.

Known Issues in Release 21.1

Bug ID  Summary
45578 Need an option to clear bridge MAC table for all instances.
46884 LACP-based AE interfaces flap in a scaled setup.
46661 Director monitor option for Layer 2 commands is not available.
46967 IRB does not show up under router advertisement.
45535 TCP optimization policy-based statistics do not reflect the actual statistics when you select a remote branch.
45569 With high latency but no loss, BBR throughput is slower than that of cubic (standard TCP congestion control).
46703 IPsec RAS DNS server configuration is missing for remote-vpn-client.
45572 Any changes to a RADIUS authentication profile do not take effect until a restart is done.

Known Issues in Release 21.1.1

  • In multicast routing, when you enable the Anycast-RP mechanism on a first-hop router, the source information is not shared between Anycast-RP peers through PIM register packets. As a workaround, ensure that you do not enable the Anycast-RP mechanism on a first-hop router.
  • If a VOS node is a part of interchassis HA pair (for active-standby stateful HA), you must first upgrade it to Release 16.1R2S11 before you upgrade it to Release 21.1.1. If the interchassis HA pair is running Release 16.1R2S9 or later, you must increase the HA probe miss threshold to 3600 seconds during the upgrade. If the interchassis HA pair is running Release 16.1R2S8 or earlier, you must set the probe type to none on both the nodes before performing the upgrade. Otherwise, the standby device restarts continuously after the upgrade. After the upgrade, you can return the HA probe miss threshold value to the originally configured value. To upgrade an interchassis HA pair from Release 20.2.2 to Release 21.1.1, it is recommended that you first upgrade the VOS device from Releases 20.2.2 to Release 20.2.3 and then upgrade to Release 21.1.1.
  • Device identification may not fully identify all end devices in the network. It is recommended that you use this feature only in labs, POCs, and trials.
  • A tenant-based traffic shaper expects the shaper on the physical interface to be configured on the provider organization. If this is not the case, you must perform the commit in two steps. First, delete the shaping configuration from the non-provider organization, and commit the configuration. Then, configure the shaping, and commit the configuration. You can, for instance, configure the shaper on the provider organization and the provider limit on the customer organization. This limitation applies only to multitenant CPE or hub VOS instances.
  • If you want to upgrade a VOS device on which uCPE is enabled (hypervisor installed) from Release 16.1R2 to Release 21.1.1, contact Versa Networks Customer Support. Also see https://support.versa-networks.com/a...es/23000021050
  • If you enable information validation on a stateful HA branch deployment, and if there is a long delay in bringing up interfaces in the global VRF, the information validation client may fail to register with information validation server on the peer VNF. As a workaround, restart the versa-vmod service alone on the affected VOS device.
  • The rollback x command might not work properly.
  • The show commit changes x command might not show the actual CLI changes.

Known Issues in Release 21.1.2

  • Device identification may not be able to fully identify all end devices in the network. It is recommended that you use this feature only in the lab, POCs, and trials.
  • In multicast routing, the source information is not shared between anycast-RP peers through PIM register packets when you enable the anycast-RP mechanism on a first-hop router. As a workaround, do not enable anycast-RP on a first-hop router.
  • If a VOS node is part of an inter-chassis HA pair (active-standby Stateful HA), you must first upgrade it to Release 16.1R2S11 before upgrading to Release 21.1.2. When an interchassis HA pair is running Release 16.1R2S9 or later, you must set the probe-type to none on both the nodes before the upgrade. Otherwise, the standby device continuously restarts after the upgrade. After the upgrade, you can revert the HA probe-type value to the originally configured value.
    To upgrade an interchassis HA pair from Release 20.2.2 to 21.1.2, it is recommended that you upgrade VOS from Release 20.2.2 to Release 20.2.3, and then upgrade to Release 21.1.2.
  • A tenant-based traffic shaper expects the shaper on the physical interface to be configured on the provider organization. If this is not the case, you need to perform the commit in two steps. First, delete the shaping configuration from the non-provider organization and commit the configuration. The second commit could have the shaper configured on the provider organization and provider-limit configured on the customer organization. This limitation only applies to multitenant CPE or hub VOS instances.
  • You cannot upgrade a VOS device on which uCPE is enabled (hypervisor installed) from Release 16.1R2 to Release 21.1.2. Please contact the support team if you are considering the upgrade. For more information, see https://support.versa-networks.com/a/solutions/articles/23000021050
  • When you enable the info-validation feature in a stateful HA branch deployment, a huge delay might occur in bringing up of interfaces in the global VRF, and the info-validation client may fail to register with the info-validation server on the peer VNF. As a workaround, restart only the versa-vmod service on the affected VOS device.
  • If you configure an SLA profile at the next-hop level in conjunction with configuration application monitors, the SLA profile options to select a path based on the lowest latency and on the lowest packet loss are ignored. To utilize these best-path selection features, configure the SLA profile at the global level.

Known Issues in Release 21.1.3

  • Device identification may not be able to fully identify all end devices in the network. It is recommended that you use this feature only in the lab, POCs, and trials.
  • In multicast routing, when you enable the anycast-RP mechanism on a first-hop router, the source information is not shared between anycast-RP peers through PIM register packets. As a workaround, do not enable anycast-RP on a first-hop router.
  • If a VOS device is part of an interchassis HA pair (active-standby stateful HA), you must first upgrade it to Release 16.1R2S11 before upgrading to Release 21.1.3. When an interchassis HA pair is running Release 16.1R2S9 or later, you must set the probe type to none on both the nodes before the upgrade. Otherwise, the standby device continuously restarts after the upgrade. After the upgrade, you can return the HA probe-type value to the originally configured value. To upgrade an interchassis HA pair from Release 20.2.2 to 21.1.3, it is recommended that you upgrade VOS from Release 20.2.2 to Release 20.2.3, and then upgrade to Release 21.1.3.
  • A tenant-based traffic shaper expects the shaper on the physical interface to be configured on the provider organization. If this is not the case, you need to perform the commit in two steps. First, delete the shaping configuration from the non-provider organization and commit the configuration. The second commit could have the shaper configured on the provider organization and provider-limit configured on the customer organization. This limitation applies only to multitenant CPE devices or hub VOS instances.
  • You cannot upgrade a VOS device on which uCPE is enabled (hypervisor installed) from Release 16.1R2 to Release 21.1.3. Please contact the support team if you are considering the upgrade. For more information, see https://support.versa-networks.com/a/solutions/articles/23000021050
  • When you enable info-validation in a stateful HA branch deployment, a large delay might occur in bringing up interfaces in the global VRF, and the info-validation client may fail to register with the info-validation server on the peer VNF. As a workaround, restart only the versa-vmod service on the affected VOS device.

Request Technical Support

To request technical support, visit http://support.versa-networks.com. If you are contacting support for the first time, register and create an account. You can also send email to support@versa-networks.com or contact your Versa Networks sales account team.

Additional Information

Deployment and Initial Configuration

Revision History

Revision 1—Release 21.1, December 20, 2019
Revision 2—Release 21.1.1, August 21, 2020
Revision 3—Release 21.1.2, December 1, 2020
Revision 4—Release 21.1.3, June 6, 2021
Revision 5—Release 21.1.4, April 27, 2022

 
