Consolidated Release Notes for Release 21.1
Versa Analytics Release Notes for Release 21.1
This document describes features, enhancements, fixes, and known issues in Versa Analytics Software Release 21.1, for Releases 21.1.0 through 21.1.4. Release 21.1.1 and later are generally available (GA) releases and are supported for use in production networks.
April 27, 2022
Revision 5
Install the Versa Analytics Software
To install the Versa Analytics software, see the Deployment and Initial Configuration articles.
Upgrade to Release 21.1
You can upgrade Versa Analytics nodes to Release 21.1 from any service release of Release 16.1R2, that is, from Releases 16.1R2(Sx).
Before You Upgrade
Before you upgrade the Analytics software to Release 21.1 or later, upgrade the OS SPack on all Analytics nodes to the version in the latest subfolder at https://versanetworks.app.box.com/v/osspack or https://upload.versa-networks.com/index.php/s/nEkF9xOO3e7BA9Z. If you do not upgrade the OS SPack, the Analytics upgrade may fail.
Upgrade to Release 21.1
To upgrade to Release 21.1:
- Copy the appropriate binary package file to the /home/versa/packages/ directory on the Versa Analytics node. Ensure that the file has +x execute permission. Alternatively, use the following command, which copies the file to the /home/versa/packages directory:
versa@versa-Analytics> request system package fetch uri uri
- Install the new software package:
versa@Versa-Analytics> request system package upgrade filename.bin
- Check the status of the services from the shell:
% vsh status
- If the Versa services have not started, start them from the shell:
% vsh start
- After the upgrade completes, a message may display indicating that you should reboot the system. Even if a message does not display, it is recommended that you reboot the system to account for any GRUB or kernel parameter changes. To reboot the system:
% sudo reboot
After the reboot completes, the Versa services automatically restart.
Prerequisites for Upgrade to Releases 21.1.1 and Later
Before you upgrade to Releases 21.1.1 and later from Releases 16.1R2 or 20.2.x, check for the following:
- The database must be DataStax Enterprise (DSE) 4.8 or Fusion.
- To check whether the database uses the DSE or Fusion package, go to Administration > Version. If the Database Version string ends with F, the database is Fusion. If it ends with E or does not display any character, the database is DSE.
- If the database is DSE, SSH to any of the analytics/search nodes and issue the following command to display the DSE version:
versa@versa-analytics:~$ dse -v
4.5.2
- If the database is DSE 4.5.x, upgrade to DSE 4.8 using the DSE migration scripts at the following link:
https://support.versa-networks.com/support/solutions/articles/23000019690
- After you successfully upgrade to DSE 4.8, upgrade the Versa Analytics application to Release 21.1.1, as described in Upgrade to Release 21.1.
After the upgrade, ensure the following:
- Search node IP addresses are listed under Search Hosts
- Analytics node IP addresses are listed under Analytics Hosts
- All log collector or forwarder IP addresses are listed under Driver Hosts
Checks To Perform after Upgrading to Releases 21.1.1 or Later
If you are upgrading your system from Release 20.2.4 to Release 21.1.1 or later, issue the following commands from the shell to remove the old Tomcat web application files and restart the services:
% sudo rm -rf /opt/versa_van/apps/apache-tomcat/webapps/versa*
% vsh restart
In Releases 21.1.1 and later, the Versa Analytics application no longer listens on port 8080, the unencrypted HTTP port, which removes that exposure. By default, only the TLS ports 443 and 8443 are enabled on Analytics, and Director-to-Analytics communication uses port 8443. Upgrading the Director nodes automatically changes the northbound interface port from 8080 to 8443, and the certificates required for SSL communication from Analytics to Director nodes are synchronized automatically.
If there is no communication between Versa Director and Versa Analytics nodes, perform the following steps:
- Check whether any firewall rule is blocking Versa Director to Versa Analytics communication on port 8443.
- Connect to Versa Analytics directly at the URL https://analytics-ip-address to determine whether the portal is accessible. This ensures that the application is reachable using a secure port and that SSL certificate is valid.
- Log in to the Analytics node using the same username and password as on the Director node. If the login succeeds, RBAC between the Analytics and Director nodes is working over the secure connection. If the login fails, install the Director certificate on the Analytics node, as described in
https://support.versa-networks.com/a/solutions/articles/23000010418
- Log in to the Director shell and issue the following command to check whether the Analytics truststore has been created on the Director node:
admin@versa-director:/var/versa/vnms/data/certs$ ls -tlr versa_analytics_truststore.ts
-rw-rw---- 1 versa versa 1274 Jul 30 05:42 versa_analytics_truststore.ts
- If the truststore file does not exist, or if the Versa Analytics certificates were regenerated, resynchronize and import the Analytics certificates by running the vd-van-cert-upgrade.sh script in the active Director shell. This script pulls the Analytics certificate from each Analytics node configured under the connectors and imports it into the Director keystore. You must restart the Director node for the certificates to take effect.
admin@versa-director:~$ sudo su - versa
versa@versa-director:~$ /opt/versa/vnms/scripts/vd-van-cert-upgrade.sh --pull
For example:
versa@versa-director:.../vnms/scripts$ ./vd-van-cert-upgrade.sh --pull
Pulling Analytics certificates to Director key store
Checking previous version config path
Changing port for [Analytics]
No modifications to commit.
Port Migration completed
VAN Clusters IPs: [ 10.48.189.23 ]
Removing previous analystics cert store
Getting Certificate for : 10.48.189.23
depth=0 C = US, ST = California, L = Santa Clara, O = versa-networks, OU = VersaAnalytics, CN = versa-analytics
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, L = Santa Clara, O = versa-networks, OU = VersaAnalytics, CN = versa-analytics
verify return:1
DONE
Importing Certificate for : 10.48.189.23
Certificate was added to keystore
Certificates Imported...
Requires restart..
Do you want to post pone restart (y/N): N
[sudo] password for versa:
Stopping VNMS service
------------------------------------
Stopping TOMCAT................[Stopped]
Stopping REDIS.................[Stopped]
Stopping NETBOX-IPAM...........[Stopped]
Stopping POSTGRE...............[Stopped]
Stopping SPRING-BOOT...........[Stopped]
Stopping SPACKMGR..............[Stopped]
Stopping NCS...................[Stopped]
* Stopping daemon monitor monit
Starting VNMS service
------------------------------------
Starting NCS...................[Started]
Starting POSTGRE...............[Started]
Starting NETBOX-IPAM...........[Started]
Starting SPRING-BOOT.......... [Started]
Starting REDIS.................[Started]
Starting TOMCAT................[Started]
The verify error:num=18:self signed certificate line is expected when an Analytics node presents its self-signed certificate. The script imports whatever certificate each listed node presents, so confirm that the VAN Clusters IPs line contains only your own Analytics nodes before you let the script restart the Director services.
Fusion Database Upgrade Information
In Releases 20.x and later, Versa Analytics supports a new database platform called Fusion, which is based on open source technology. When you freshly install an Analytics cluster using a Release 20.x or Release 21.x ISO/QCOW2/OVA image, the Fusion database is automatically enabled. If you are upgrading from Release 16.1R2 to Release 20.x or Release 21.x, you must run additional scripts after you upgrade the software to install Fusion database and migrate the data.
The following are some of the frequently asked questions related to this database upgrade:
- Why should we upgrade the database to Fusion?
- The Fusion database uses the latest version of the database software, which provides better scaling and performance and fixes many security vulnerabilities. The DSE database used in Release 16.1R2 has reached its end of life.
- Although the DSE Analytics database and the Fusion database are currently feature compatible, the two will soon need to diverge to take advantage of newer capabilities in Fusion, so newer features may be available only on the Fusion database.
- Will there be any impact on reports and features after the upgrade?
- All reports and features available in Release 16.1R2 are also available in Releases 20.2 and later and in Releases 21.1 and later. In addition, the new releases provide many new reports and features and vulnerability fixes.
- I am using Versa Analytics Release 16.1R2. I want to upgrade to Release 20.2 and later or Release 21.1 or later. Which image do I download and how do I upgrade?
- The first step is to upgrade the software version to Release 20.2.2 or 21.1.1, as described in Upgrade to Release 21.1, above. The software update does not automatically upgrade the database to Fusion. The underlying DSE database remains, and all functions work using DSE.
- Then upgrade the database to Fusion. To do this, use the cluster upgrade script, which uninstalls the DSE packages and installs the Fusion packages. The script upgrades one node at a time. Historical data is preserved, and real-time search data is truncated. The upgrade scripts and related documentation are available here:
https://versanetworks.box.com/s/8pdi9ppyjzfq8cx53s10l3zbwt6k2kbw
- If you are upgrading a large database or have issues while running the upgrade scripts, contact the Versa Support team.
- Is it possible to upgrade only Versa Analytics to Release 20.x or Release 21.x to use the Fusion database?
- Release 20.2.2 of Versa Analytics is backward compatible with Releases 16.1R2S10 and 16.1R2S11 of Versa Director and Versa Operating System (VOS) (previously called FlexVNF).
- Release 21.1.1 of Versa Analytics is backward compatible with Releases 16.1R2S10 and 16.1R2S11, and with Release 20.2.2 of VOS. However, Versa Director and Versa Analytics must be running Release 21.1.1.
- Will there be downtime during upgrade to Release 21.1.1?
- The upgrade from Release 16.1R2 to Release 20.2.x or 21.1.x is like any other upgrade in that only the Versa application software is upgraded. During the upgrade process, data is not lost. When you upgrade the database from DSE to Fusion using the upgrade script, there will be some downtime for database operations (approximately 1-2 hours), depending on the size of the cluster. You will not lose any logs, and streaming to third-party collectors will not be interrupted. To reduce the downtime, you can bring up a new cluster that is running Release 20.2.x or 21.1.x, and then configure the Controller to use the server IP addresses of the new cluster so that logs start flowing to the new cluster. If data stored in the older cluster must be migrated to the new cluster, use one of these options:
- Export the archived data from the old cluster to the new cluster, and then restore it. Depending on the number of days and the size of the data, this can take some time, because archive logs do not differentiate between types of data: all the data for the specified interval is transferred and restored. The scripts to trigger log transfer and restore are available here:
https://support.versa-networks.com/a/solutions/articles/23000008970
- Export the processed data from the old cluster to the new cluster, and then restore it. Here, you can specify the type of data you want to export and restore. The script is available here:
https://versanetworks.box.com/s/vryjpluuv18dfat03hxb5a49pgws0cx5
For more information, see Migrate the Versa Analytics Database from DSE to Fusion.
New Features
This section describes the new Versa Analytics features in Release 21.1.
- Alarm settings enhancements—(In Releases 21.1.3 and later.) You can set alarms for CPU utilization, disk utilization, memory utilization, and Analytics driver stuck. You can override the low-threshold and high-threshold severities for threshold alarms, and you can configure the severity for setting and clearing alarms.
- APM statistics—(In Releases 21.1.3 and later.) You can display the APM statistics for an application by drilling down on the application.
- Appliance log activity report—You can find a log activity summary for all appliances on the Dashboards > System > Appliance Activity tab. Drill down to view historic appliance log activity for the configured interval.
- Application performance monitoring (APM)—(In Releases 21.1.1 and later.) If you enable TCP performance monitoring on sites running SD-WAN, statistics for TCP sessions are exported to Analytics. Statistics are aggregated per tenant, appliance, application, source, destination prefix, and WAN link. The metrics include round-trip time, aborted and refused counts, session and packet counts, and retransmission counts. These metrics are used to calculate the quality of the application. The application rank is computed as a value from 1 through 100, where 1 is the best performing application and 100 is the worst. The application rank is displayed on the SD-WAN dashboard.
A drilldown on an application can show, for example, that some SSL sessions are performing poorly because of high retransmissions.
- Application uptime—(In Releases 21.1.1 and later.) You can display the amount of time that has elapsed since an application started on the Administration > Version tab.
- DIA traffic rules statistics—(In Releases 21.1.3 and later.) The SD-WAN site dashboard shows statistics for DIA rules.
- DNS proxy report enhancements—You can store DNS proxy parent and child session logs in the search engine. You can display the DNS proxy logs at Logs > DNS Proxy, search one or more fields of the logs, and drill down to related logs and to the parent session log. To view details about the parent session log, click the icon in the Parent Log column. Predefined reports are available at Logs > DNS Proxy > Charts.
- GUI support for log collector exporter configuration—(In Releases 21.1.2 and later.) Log collector exporter configuration page has been enhanced to support additional configuration options:
- Configure remote collector with destination FQDN instead of destination IP address—In the remote collector, you can configure a destination IP address or a fully qualified domain name (FQDN). If you configure an FQDN, the DNS server listed in the /etc/resolv.conf file must be reachable from the log collector to perform the name resolution. Alternatively, /etc/hosts can be configured with the hostname and IP address.
- Configure primary collector in remote collector group—This configuration ensures that when multiple collectors in a collector group are in the Established state, the primary collector is marked as the active collector.
- Configure exporter rules with matching log subtypes—In the exporter rules, apart from log types, you can specify subfields for a more granular match. For example, to export only alarms with severity cleared, critical, or major, select the alarm-log type and those severity values. You can match the following log types on the subfields listed:
Field | Subfields | Description
---|---|---
alarm-log | alarm-type | List of alarm types
alarm-log | severity | List of alarm severities
bw-mon-log | sub-type | List of bandwidth monitoring statistics types
dos-log | Threattype | List of threat values
idp-log | Threattype | List of threat values
urlfLog | reputationLevel | List of URL reputation levels
mon-log | Subtype | List of monitoring statistics types
- Configure system settings—You can configure system settings for NTP and alarms. Select Analytics > Administration > Configuration > Log Collector Exporter in the left menu, then in the Log Collector Configuration window, select the System tab for the host.
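The subfield matching described above (and again under Log collector exporter enhancements, in the item on matching more granular types and subtypes) can be modelled offline. The following Python script is an added example, not Versa code: it validates rules against the subfield table above, parses constructed sample records in an assumed `logtype=..., key=value` layout, and shows which records each rule would stream to which remote collector. The record format, field names, rule names, and collector names are all assumptions for illustration.

```python
"""Offline model of log-collector exporter rule matching.

Added example, not Versa's own code. It models the match semantics the
release notes describe: a rule selects one or more log types and,
optionally, subfield values (for example alarm-log severity
cleared/critical/major). The record layout, field names and sample
lines are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# Matchable subfields per log type, as listed in the release notes table.
MATCHABLE_SUBFIELDS: Dict[str, List[str]] = {
    "alarm-log": ["alarm-type", "severity"],
    "bw-mon-log": ["sub-type"],
    "dos-log": ["Threattype"],
    "idp-log": ["Threattype"],
    "urlfLog": ["reputationLevel"],
    "mon-log": ["Subtype"],
}

# Constructed sample records in a 'logtype=..., key=value' layout (assumption).
SAMPLE_LOGS: List[str] = [
    "logtype=alarm-log, applianceName=branch1, alarm-type=interface-down, severity=critical",
    "logtype=alarm-log, applianceName=branch1, alarm-type=interface-up, severity=cleared",
    "logtype=alarm-log, applianceName=branch2, alarm-type=cpu-high, severity=minor",
    "logtype=idp-log, applianceName=branch1, Threattype=exploit, signatureId=1001",
    "logtype=urlfLog, applianceName=branch2, reputationLevel=high_risk, url=example.test",
    "logtype=mon-log, applianceName=branch2, Subtype=cpu",
]


@dataclass
class ExporterRule:
    name: str
    remote_collector: str
    log_types: List[str]
    # subfield -> accepted values; no entry means "any value" for that subfield
    subfields: Dict[str, List[str]] = field(default_factory=dict)

    def validate(self) -> None:
        """Reject a rule that references a subfield its log types do not expose."""
        for log_type in self.log_types:
            if log_type not in MATCHABLE_SUBFIELDS:
                raise ValueError(f"rule {self.name}: unknown log type {log_type}")
            for key in self.subfields:
                if key not in MATCHABLE_SUBFIELDS[log_type]:
                    raise ValueError(f"rule {self.name}: {log_type} has no subfield {key}")

    def matches(self, record: Dict[str, str]) -> bool:
        """True when the log type is selected and every configured subfield holds an accepted value."""
        if record.get("logtype") not in self.log_types:
            return False
        return all(record.get(key) in accepted for key, accepted in self.subfields.items())


def parse_record(line: str) -> Dict[str, str]:
    """Split a 'key=value, key=value' line into a dict; tokens without '=' are skipped."""
    record: Dict[str, str] = {}
    for token in line.split(","):
        key, sep, value = token.strip().partition("=")
        if sep:
            record[key.strip()] = value.strip()
    return record


def route(rules: Iterable[ExporterRule], lines: Iterable[str]) -> Dict[str, List[str]]:
    """Return, per remote collector, the lines an exporter would stream to it."""
    rules = list(rules)
    for rule in rules:
        rule.validate()
    routed: Dict[str, List[str]] = {rule.remote_collector: [] for rule in rules}
    for line in lines:
        record = parse_record(line)
        for rule in rules:
            if rule.matches(record):
                routed[rule.remote_collector].append(line)
    return routed


def demo() -> Dict[str, List[str]]:
    """Two rules: actionable alarms to a SIEM, threat logs to a SOC collector (hypothetical names)."""
    rules = [
        ExporterRule("alarms", "siem", ["alarm-log"],
                     {"severity": ["cleared", "critical", "major"]}),
        ExporterRule("threats", "soc", ["idp-log", "dos-log"]),
    ]
    return route(rules, SAMPLE_LOGS)


if __name__ == "__main__":
    for collector, lines in demo().items():
        print(f"{collector}: {len(lines)} record(s)")
```

Run it as a script to see the per-collector counts; the validate step is the check worth keeping, because a rule that names a subfield its log type does not carry silently matches nothing.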
- “is not equal to” log filter—You can filter logs by specifying “is not equal to” for any field.
- Kafka third-party log collector and log email notification—(In Releases 21.1.1 and later.) You can configure the Analytics log collector and exporter to send the logs to one or more third-party collectors in syslog format using TCP/UDP/SSL transport. In Releases 21.1.1 and later, you can stream logs and events to the following interfaces:
- Apache Kafka cluster—You can configure the log collector to send the logs to a customer's Kafka cluster. To do this, you configure the Kafka cluster as a remote collector in the log collector exporter configuration. Logs are streamed to the Kafka cluster in structured syslog format. See Configure Log Collectors and Log Exporter Rules.
- Email notification service—For critical security events, e-mail alerts/notifications can be sent to users from the log collectors using a new email notification service called van-notif-agent. It can be configured to run on the log collector nodes and can send emails with summary of the events and/or detailed log information at configured intervals. See Configure Log Collectors and Log Exporter Rules.
- Log collector exporter enhancements—(In Releases 21.1.1 and later.)
- GUI support for log collector exporter configuration—The log collector exporter configuration page has been enhanced to use a new framework to add, delete, modify, and clone the local collector, remote template/collector/collector group, and exporter rules configuration.
- GUI support for log collector exporter status and statistics display—You can display log collector status and statistics information at a global level, for a local collector, for a remote collector, or for a rule, for all log collectors or for a specific log collector.
- Alarm configuration—To generate alarms for a remote collector down event or when the queue utilization exceeds the threshold, you can enable the following configuration settings. Note that you can configure alarms only from the CLI. The generated alarms are stored in the /var/log/alarms.log file.
versa@Search1% show
[edit log-collector-exporter settings alarms]
remote-collector-queue-utilization {
low-threshold 75;
high-threshold 90;
soak-time 5;
}
remote-collector-down {
soak-time ;
}
Examples of the generated alarms are:
tail -f /var/log/alarms.log
Aug 19 09:07:57 Analytics1 versa-lced: [rem-coll] [rem-coll-down] [2020-08-19T09:07:56-0700] Remote collector RC2 down
Aug 19 09:08:01 Analytics1 versa-lced: [rem-coll] [rem-coll-down] [2020-08-19T09:08:01-0700] Remote collector RC2 up
Aug 19 09:14:28 Analytics1 versa-lced: [rem-coll] [rem-coll-q-util] [2020-08-19T09:14:27-0700] Remote collector RC1 queue has exceeded threshold value (utilization: 60%)
Aug 19 09:14:28 Analytics1 versa-lced: [rem-coll] [rem-coll-q-util] [2020-08-19T09:14:28-0700] Remote collector RC1 queue is now available (utilization: 23%)
Aug 19 09:15:26 Analytics1 versa-lced: [rem-coll] [rem-coll-q-util] [2020-08-19T09:15:25-0700] Remote collector RC1 queue near exhaustion (utilization: 75%)
Aug 19 09:15:26 Analytics1 versa-lced: [rem-coll] [rem-coll-q-util] [2020-08-19T09:15:26-0700] Remote collector RC1 queue is now available (utilization: 45%)
- Exporter rules support for match on more granular types and subtypes—Exporter rules define which logs received by the local collector are streamed to a remote collector. The match criteria have been enhanced to include more log types, and you can match on specific values inside the logs by configuring features with matching criteria. See Configure Log Collectors and Log Exporter Rules.
- Operational commands to log restore and clear archive jobs—You can restore and delete archive logs from the CLI, using the request system storage archive restore and request system storage archive delete commands. See Manage Analytics Logs.
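The alarm lines shown under Alarm configuration above are what a SIEM or a monitoring script receives from /var/log/alarms.log. The following Python script is an added example, not Versa code: it parses those lines (copied from the release notes), replays them to derive each remote collector's current state, and counts how often each alarm was raised, which is the raise/clear churn that the soak-time setting is meant to damp. The regular expression, the state model, and the needs_attention threshold are assumptions based only on the lines shown.

```python
"""Parse remote-collector alarms written by versa-lced to /var/log/alarms.log.

Added example, not Versa's code. SAMPLE_LINES are copied from the release
notes; the regex, the event model and the attention rule are assumptions
derived from those lines alone.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Iterable, List, Optional

ALARM_RE = re.compile(
    r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) versa-lced: "
    r"\[rem-coll\] \[(?P<alarm>rem-coll-down|rem-coll-q-util)\] "
    r"\[(?P<ts>[^\]]+)\] Remote collector (?P<collector>\S+) (?P<msg>.*)$"
)
UTIL_RE = re.compile(r"utilization: (\d+)%")

# Copied from the release notes' alarms.log excerpt.
SAMPLE_LINES: List[str] = [
    "Aug 19 09:07:57 Analytics1 versa-lced: [rem-coll] [rem-coll-down] [2020-08-19T09:07:56-0700] Remote collector RC2 down",
    "Aug 19 09:08:01 Analytics1 versa-lced: [rem-coll] [rem-coll-down] [2020-08-19T09:08:01-0700] Remote collector RC2 up",
    "Aug 19 09:14:28 Analytics1 versa-lced: [rem-coll] [rem-coll-q-util] [2020-08-19T09:14:27-0700] Remote collector RC1 queue has exceeded threshold value (utilization: 60%)",
    "Aug 19 09:14:28 Analytics1 versa-lced: [rem-coll] [rem-coll-q-util] [2020-08-19T09:14:28-0700] Remote collector RC1 queue is now available (utilization: 23%)",
    "Aug 19 09:15:26 Analytics1 versa-lced: [rem-coll] [rem-coll-q-util] [2020-08-19T09:15:25-0700] Remote collector RC1 queue near exhaustion (utilization: 75%)",
    "Aug 19 09:15:26 Analytics1 versa-lced: [rem-coll] [rem-coll-q-util] [2020-08-19T09:15:26-0700] Remote collector RC1 queue is now available (utilization: 45%)",
]


@dataclass
class AlarmEvent:
    ts: datetime
    host: str
    alarm: str                  # rem-coll-down or rem-coll-q-util
    collector: str
    cleared: bool               # True for "up" and "queue is now available"
    utilization: Optional[int]  # only present on rem-coll-q-util messages


def parse_alarm_line(line: str) -> Optional[AlarmEvent]:
    """Return an AlarmEvent, or None for lines that are not remote-collector alarms."""
    m = ALARM_RE.match(line)
    if m is None:
        return None
    msg = m["msg"].strip()
    if m["alarm"] == "rem-coll-down":
        cleared = msg == "up"
    else:
        cleared = "now available" in msg
    util = UTIL_RE.search(msg)
    return AlarmEvent(
        ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S%z"),  # %z accepts -0700
        host=m["host"],
        alarm=m["alarm"],
        collector=m["collector"],
        cleared=cleared,
        utilization=int(util.group(1)) if util else None,
    )


@dataclass
class CollectorState:
    reachable: bool = True
    queue_alarm: bool = False
    last_utilization: Optional[int] = None
    raised: Dict[str, int] = field(default_factory=dict)  # alarm -> times raised
    last_change: Optional[datetime] = None


def replay(lines: Iterable[str]) -> Dict[str, CollectorState]:
    """Apply alarm events in log order and return the resulting state per collector."""
    states: Dict[str, CollectorState] = {}
    for line in lines:
        ev = parse_alarm_line(line)
        if ev is None:
            continue
        st = states.setdefault(ev.collector, CollectorState())
        if ev.alarm == "rem-coll-down":
            st.reachable = ev.cleared
        else:
            st.queue_alarm = not ev.cleared
            st.last_utilization = ev.utilization
        if not ev.cleared:
            st.raised[ev.alarm] = st.raised.get(ev.alarm, 0) + 1
        st.last_change = ev.ts
    return states


def needs_attention(states: Dict[str, CollectorState], min_raises: int = 2) -> List[str]:
    """Collectors that are down, have a queue alarm set, or raised one alarm repeatedly."""
    return sorted(
        name for name, st in states.items()
        if not st.reachable or st.queue_alarm
        or any(n >= min_raises for n in st.raised.values())
    )


if __name__ == "__main__":
    current = replay(SAMPLE_LINES)
    for name, st in sorted(current.items()):
        print(name, "reachable" if st.reachable else "DOWN", st.last_utilization, st.raised)
    print("needs attention:", needs_attention(current))
```

On the sample, RC2 ends reachable and RC1 ends with its queue alarm cleared, but RC1 is still flagged because its queue alarm raised twice in about a minute; the min_raises threshold is the knob to tune against your own soak-time.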
- Network prefix in SD-WAN application subscriber report—The SD-WAN application subscriber report displays information about applications and their users. You can determine a username by configuring an IP address-to-user mapping. If you do not configure a mapping, the source IP address of the traffic flow is used as the username. The SD-WAN application subscriber report has been enhanced to display the network prefix, which is the destination address prefix of the traffic flow, if this information is received in the logs from the VOS devices. By default, VOS devices do not send network prefix information. To enable the sending of network prefix information, issue the following command:
admin@branch-cli(config)% set system parameters lef usage-stats-logging sdwan app-user-inc-dest-ip-prefix true
To view the network prefix information, drill down from the Application page.
- Operational commands to log restore and clear archive jobs—(In Releases 21.1.2 and later.) Logs are archived after they are processed by the log collector. You can view, restore, or delete archived logs from the Administration > Maintenance > Log Archives menu:
- Delete archive logs—Deletes archived files for a specific tenant or appliance within a time range, to free disk space on log collector nodes.
- Restore archive logs—Extracts archived files for a specific tenant or appliance and time range to a destination directory. If the destination directory is /var/tmp/log, the data is added back to the database.
- View archive log details—Lists the specified number of archived files and the file names of the oldest and newest files per tenant or appliance and per log collector.
- Per-tenant Analytics data settings—For each tenant, you can define the data retention time, data granularity, and other data-related settings. See Analytics Datastore Limits in Versa Analytics Scaling Recommendations.
- Primary and secondary log collectors—You can configure primary and backup log collectors. From a collector group, you can choose a specific collector to be the active, or primary, collector. If the primary collector is down, the next active collector is chosen from the group. When the primary collector comes back up and remains up for a configurable interval, it becomes the active collector again. See Configure Log Export Functionality.
- Reporting enhancements—(In Releases 21.1.1 and later.) The following enhancements have been made to reporting framework:
- You can create a per-site report using a report template and apply it to other sites. When you save the report, you can choose to copy the settings to other sites so that the same report is generated for the chosen sites.
- You can combine data from multiple sites and appliances into a single time series chart.
- You can generate reports about available bandwidth for SD-WAN access circuits. SD-WAN branches periodically export to Analytics the total available uplink and downlink bandwidth for each WAN link. If you enable a speed test to the branches, the uplink and downlink bandwidth reported by the speed test utility is exported. If you do not enable a speed test, the configured uplink and downlink bandwidth is exported.
- Retention configuration per Analytics report type—You can set different retention values for daily and hourly time-to-live (TTL) data.
- SD-WAN site and link availability—(In Releases 21.1.1 and later.)
- Site availability, a feature available before Release 21.1, indicated the reachability of a site from the controller's point of view. If the controller lost connectivity to a branch, it sent a site disconnect message that was used to compute the availability. If all controllers lost connectivity to the branch, the site was marked down; otherwise, it was marked up. This implementation did not work as expected in some scenarios, causing the availability computation to be inaccurate. Release 21.1.1 implements new logic that relies on a combination of SLA metrics between sites and controllers and log activity from the site to determine site availability. In addition to the up and down states, a new degraded state is determined from the SLA loss metrics and indicates brownout conditions. If no SLA metrics are received for a site and there is no log activity from the site for more than 10 minutes, the site is marked down.
- Link availability is a new feature that reports the health of each WAN link of a site based on the SLA metrics received from the site and controller for that link. The SLA metric values determine whether the state is up, down, or degraded. If no SLA metric logs are received for more than 10 minutes, the link is marked down. Drill down on a site to display site and link availability charts. In the charts, green represents the up state when availability is >= 98 percent, orange represents the degraded state when availability is < 98 percent, and red represents the down state when availability is < 5 percent.
You can use the reporting framework to generate site and link availability reports for a tenant or for a specific appliance.
See SD-WAN Dashboard.
- Note: If you upgrade an Analytics cluster from Release 16.1R2 or Release 20.2 to Release 21.1, availability data that was displayed before the upgrade is not available after the upgrade because of changes in the software implementation. To keep a record of the previous information, use the reporting tool to create and download the availability reports before you perform the upgrade.
- Site availability summary table—You can generate a report of the percentage site availability for all of a tenant's sites.
- Site tag report—(In Releases 21.1.1 and later.) In Versa Director, you can set one or more site tags for a VOS device, and a filter has been added to the SD-WAN dashboard that allows you to drill down to a site or a site tag. If you choose a site tag, the dashboard displays data only for sites that match the tag, providing a consolidated view of all matching sites. You set the site tags in Versa Director and choose them from the SD-WAN dashboard; drilling down on a site tag (for example, the tag “Controller”) displays a dashboard for the sites matching that tag.
- Statistics in SD-WAN dashboard—(In Releases 21.1.1 and later.) The SD-WAN dashboard has been enhanced to include statistics blocks that provide a high-level overview of the tenant. Drill-down support is available for some of the reports to display information about sites with errors and anomalous conditions.
- Subscription lifecycle updates—(In Releases 21.1.1 and later.) A number of changes have been made to the subscription lifecycle, including the following. See Subscription Lifecycle.
- Licenses are valid for 1, 3, or 5 years.
- License subscriptions do not support the Created and Suspended states.
- A license is immediately activated after the device performs ZTP.
- Manual license activation is not required.
- TACACS+ support for Analytics nodes—You can use TACACS+-based authentication, authorization, and accounting (AAA) to provide access to Analytics nodes. You can configure up to four TACACS+ servers on each Analytics node. See Configure TACACS+.
- Ubuntu Release 18.04—You can use Ubuntu Release 18.04 (Bionic Beaver) as the base Linux platform for running the Versa Analytics database, log collectors, and application. The release is provided as an .iso file, which you can install on bare-metal platforms or virtual machines (VMs). Releases 21.1.1 and later support the Release 18.04.04 host OS for VOS devices.
- Usage and session logging control default settings—In Release 20.2.2, Versa introduced system settings for usage monitoring logging control (send top-n firewall source and destination statistics and send top-n SD-WAN application user statistics) and for session monitoring logging control (include session ID in firewall logs and include session ID in SD-WAN logs). In Releases 21.1.1 and later, default values are set for the top-n values, and the include-session-ID parameters are enabled by default. See Configure Firewall and SD-WAN Usage Monitoring Controls.
Fixed Bugs
The following are the critical and major defects fixed in Release 21.1.
Fixed Bugs in Release 21.1
Note that fixes for all bugs found in Release 16.1R2 through Release 16.1R2S11 and in Release 20.2.0 are available in Release 21.1.
Bug ID |
Summary |
---|---|
37786 | When you export security logs from the Analytics tab in Director, filenames are the same for all types of logs. |
38936 | Upgrade bootstrap library used by Analytics UI to 4.1.3, to fix security vulnerabilities. |
42207 | Reporting framework issue: Editing a report with different chart type does not take effect. |
42470 | Empty data shown in Logs > Alarms > Summary screen when you drill down on some of the data points in the chart. |
42471 | During log filtering, if multiple search criteria are present, deleting a field in the middle removes all subsequent fields. |
44354 | Upgrading from Release 16.1R2 to Release 20.2 should preserve TTL global settings. |
46355 | Session counts on the grid were incorrect for larger values: values were divided by 1024 instead of 1000. |
Fixed Bugs in Release 21.1.1
Note that fixes for all bugs found in Release 16.1R2 through Release 16.1R2S11, Release 20.2.0, and Release 21.1 are available in Release 21.1.1.
Bug ID |
Summary |
---|---|
50744 | Allow Analytics SMTP password settings to use special characters. |
52559 | Display LTE interface bandwidth in the System > Interfaces > Hierarchy tab, consistent with what is reported in the Interfaces tab for WAN interfaces of type LTE. |
55976 | Application crashes because of memory exhaustion when queries retrieve a large amount of data. The fix removes time series reports from the firewall source/destination tabs. |
56485 | Fix for uCPE guest VNF system memory load calculation error. |
57010 | Fix for invalid color coding for some LTE signal strength values. |
57210 | Breadcrumbs may not display the correct page. |
58071 | Add support for filtering IDP logs using the signature identifier. |
58597 | Remove the live data monitoring icon from the SLA and QoS screens, because the feature is not supported. |
58852 | Add support for TLS v1.2 in Analytics SMTP configurations. |
58894 | Display charts and table data for paths from the local site to the remote site only, rather than for both directions, because the important data was not displayed at the top. |
Fixed Bugs in Release 21.1.2
Note that fixes for all bugs found in Release 16.1R2 through Release 16.1R2S11, Release 20.2.0, and Release 21.1.1 are available in Release 21.1.2.
Bug ID | Summary |
---|---|
57948 | Fix to Secure Access Map icon when clustering is required. |
59084 | Support for special characters in Analytics local user password. |
61878 | Time series chart in dashboards must aggregate per hour for last 7 days instead of using 5 or 15 minutes of data. |
61960 | Fix for negative availability value shown in some scenarios after upgrade to Release 21.1 if branches are still running previous releases. |
62280 | In log hierarchy, rename SD-WAN SLA Violation to Traffic Steering. |
62427 | Fix to show MOS value in time series charts in correct range. In Release 21.1.1, the value shown was divided by 100. |
Fixed Bugs in Release 21.1.3
Note that fixes for all bugs found in Release 16.1R2 through Release 16.1R2S11, Release 20.2.0, and Release 21.1.2 are available in Release 21.1.3.
Bug ID | Summary |
---|---|
40495 | Add support to display possible values for the forwarding class filter under SD-WAN SLA metrics reporting. |
55976 | Fix application crash caused when too many queries led to heap exhaustion. Set a maximum limit of 200,000 records for a query. |
56635 | Fix for site filter not displaying all the sites and for being unable to set a filter when there are a large number of sites. |
58314 | PDF file generated from data tables does not show all columns because of a space issue. Fix to use an appropriate zoom level to fit all the table columns. |
59218 | On the Reporting page, the metrics limit was applied for time series, table data, and summary data. Fix to display only the appliance metrics limit for summary data. |
62308 | Log collector exporter process is in a busy state when there are a large number of TACACS+ CLI accounting logs. Fix to process the logs in a staggered manner to avoid process overload. |
63044 | Fix for SD-WAN QoE chart displaying a 50% score when the path is completely down. |
63264 | Fix for breadcrumb when a page has multiple drill-downs. |
63516 | Site and link availability fixes. |
63892 | Allow one metric selection for summary data using a pie chart in reporting and dashboard. For metrics such as Volume Tx Rx, two pie charts are displayed side by side, which causes labels to overlap because of lack of space. In such cases, you can choose a column or bar chart. For a pie chart, you can select only one metric. |
64384 | When a tenant operator logs in to the Analytics node, the administration page hides all tabs except for Version. |
64398 | Add vsh command vsh monit [start | stop] to start or stop the Versa monitor service. The older command, sudo service monit start/stop, is deprecated for Ubuntu 18.04 (Bionic). |
64567 | Fix for setting the same tab position when a user drills down with a WAN link in the SD-WAN site view. |
64582 | Fix for APM report drill-down with network prefix not working because of an incorrect field type. |
64762 | Add support for the From User filter for all relevant logs, such as firewall, SD-WAN, and threat filtering and detection. |
64985 | Once the admin unlocks a locked user configured through TACACS+, the unlocked user is not listed in the show system locked-users command output. |
65108 | Add support for offline map under Logs > Firewall > Charts if offline map is selected as the map provider. |
65562 | Editing a chart under the Reporting tab did not allow changing the chart type from PIE to LINE. Fixed to support updating chart types to any type. |
66575 | Vulnerability fix in the Analytics application to prevent access to a page with insufficient authorization. |
66787 | Add OS version to the show system package-info CLI command output. |
66837 | When you upgrade to Release 21.1.2, the NTP server configuration is overwritten. This issue has been fixed. |
67323 | When there are multiple data tables, the search filter does not show the correct filter options. This issue has been fixed. |
67399 | Add missing metrics for various charts, and fix labels for the metrics to make them consistent. |
68687 | In Ubuntu 18.04 (Bionic), alarms raised by lced flood the console. This issue has been fixed. |
68800 | Fix for the Show Domain Names setting not taking effect when the time range is changed under Logs > Firewall, SD-WAN, Threat Filtering, and Threat Detection when this option is enabled. |
68986 | Add support to display TCP APM table data sorted by Versa application rank. |
68997 | Include filters for SD-WAN rule-related table data. |
69280 | ETL monitoring under Administration > System Status does not display data for all hosts. This issue has been fixed. |
Fixed Bugs in Release 21.1.4
Note that fixes for all bugs found in Release 16.1R2 through Release 16.1R2S11, Release 20.2.0, Release 21.1.2, and Release 21.1.3 are available in Release 21.1.4.
Bug ID | Summary |
---|---|
64119 | Under the Administration > Configuration > Settings > System Monitoring tab, fix to reduce the input box size for various fields. |
66573 | Solr account password vulnerability fix. |
70026 | Under Reporting, graph selection is not clear for the report type. Fix to highlight the selected graph. |
70580 | Fix to return a generic error message when Analytics portal request parameters contain invalid characters. |
71310 | The vty command that displays lced memory statistics shows negative values for used bytes for memory type LCED VMEM_ID_LCED_STOR_BUF when PCAP logging is enabled. Fix to avoid showing such values. |
74842 | Logs exported from the log collector exporter using the syslog CEF format were missing an explicit applianceName field. Fix to add the appliance name in logs sent using CEF format. |
77477 | Under the Administration > System Status page, the disk load, memory used, and CPU load are sometimes not displayed. Fix to always display them. |
78104 | If a log connection is flapping, logs are buffered until the connection is re-established. The id2Name log, which is used for tenant and appliance identification, must be sent before any other log after the connection is established. If logs were buffered, they were sent before the id2Name log, so these buffered logs did not carry a tenant and appliance name. The fix sends the id2Name log in a separate high-priority queue so that it is received before any other logs. |
78900 | Fix for auto-refresh of the Analytics page when an auto-refresh interval is configured. |
80432 | Fix to load all charts saved for the tenant under Reporting when Load Report is enabled for users logged in with the tenant user role. |
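Bug 78104 above describes an ordering fault between the id2Name mapping log and the logs buffered during a connection flap. The following Python model is an added example, not Versa code; the class names (FlappingConnection, Exporter, collect), the record layout, and the appliance-to-tenant mapping are constructed. It shows why a single FIFO delivers the buffered logs without tenant and appliance names, and how a separate high-priority queue for id2Name corrects that.

```python
"""Model of id2Name delivery on reconnect: single FIFO versus high-priority queue."""
from collections import deque


class FlappingConnection:
    """Constructed stand-in for the exporter's outbound (syslog/TCP) connection."""

    def __init__(self):
        self.up = False
        self.wire = []  # records as the collector receives them, in order

    def send(self, record):
        if not self.up:
            raise ConnectionError("link down")
        self.wire.append(record)


class Exporter:
    """Buffers logs while the link is down and sends id2Name on every (re)connect."""

    def __init__(self, conn, id_map, priority_queue=True):
        self.conn = conn
        self.id_map = id_map              # constructed: appliance id -> (tenant, appliance name)
        self.priority_queue = priority_queue
        self.normal = deque()             # logs buffered while the link is down
        self.high = deque()               # separate high-priority queue (the fix)

    def on_connect(self):
        self.conn.up = True
        id2name = {"type": "id2Name", "map": dict(self.id_map)}
        # Before the fix the mapping record simply joined the FIFO behind
        # whatever had been buffered during the outage.
        (self.high if self.priority_queue else self.normal).append(id2name)
        self.flush()

    def on_disconnect(self):
        self.conn.up = False

    def emit(self, record):
        self.normal.append(record)
        self.flush()

    def flush(self):
        if not self.conn.up:
            return
        for queue in (self.high, self.normal):   # high-priority queue drains first
            while queue:
                try:
                    self.conn.send(queue[0])
                except ConnectionError:
                    self.conn.up = False        # keep the record; retry on reconnect
                    return
                queue.popleft()


def collect(wire):
    """Collector side: resolve tenant/appliance names from the latest id2Name seen."""
    id_map, out = {}, []
    for rec in wire:
        if rec["type"] == "id2Name":
            id_map = rec["map"]
            continue
        tenant, name = id_map.get(rec["appliance_id"], (None, None))
        out.append({**rec, "tenant": tenant, "appliance": name})
    return out


def run_scenario(priority_queue):
    """Three logs arrive while the link is down, then it comes up; returns what the collector resolved."""
    conn = FlappingConnection()
    exp = Exporter(conn, {"a1": ("acme", "branch-1")}, priority_queue)
    for i in range(3):                                   # buffered during the outage
        exp.emit({"type": "flow", "appliance_id": "a1", "seq": i})
    exp.on_connect()
    exp.emit({"type": "flow", "appliance_id": "a1", "seq": 3})
    return collect(conn.wire)
```

With `priority_queue=False` the first three records reach the collector before the mapping and are resolved with no tenant or appliance name; with the high-priority queue every record is attributed.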
Known Issues
The following are the known issues in Release 21.1.
Known Issues in Release 21.1
Bug ID | Summary |
---|---|
41534 | The custom role creation view box and the log filter drop-down box close automatically if you click outside the box. |
42468 | Solr collection creation fails during installation if the hostname is not bound to the IP address on which Solr is listening (the interconnect IP address). As a workaround, place the Solr interconnect IP address first in /etc/hosts. |
42469 | If an appliance is selected in a map filter, to change the appliance name, you must erase the name and then choose another appliance name. |
42555 | The standby Director does not respond to REST API calls, and you cannot register the standby Director until a failover is performed. |
46001 | Maintaining accounting records stops working, but resumes after you restart the auditd process. |
46694 | Collapse functionality is not working in Analytics dashboards. Dashboards are always in the expanded state. |
46722, 46723 | Analytics can be accessed by an AAA admin user who is not registered in the local user list, and by an aaauser who is not registered in the local user list and TACACS server. For remote authentication mechanisms, such as TACACS, two users are created by default on Analytics, aaaadmin and aaauser. Users may be able to SSH in to the Analytics node using these two users and the default password. Access for these users needs to be blocked. |
46730 | Filter with port is not working if you add two port fields with the 'is not equal to' operator. |
Known Issues in Release 21.1.1
Bug ID | Summary |
---|---|
41534 | The custom role creation view box and the log filter drop-down box close automatically if you click outside the box. |
42468 | Creation of the search collection fails during installation if the hostname is not bound to the IP address on which the search node is listening (the interconnect IP address). As a workaround, use the interconnect IP address of the search node as the first IP address in the /etc/hosts file. |
42469 | If an appliance is selected in the map filter, to change the appliance name, you must erase the name and then choose another appliance name. |
42555 | The standby Versa Director does not respond to REST API calls. You cannot register the standby Director until a failover is performed. |
46001 | Maintaining accounting records might stop working. To start it again, restart auditd. |
54713 | The Users Map in the Secure Access dashboard works only if Google Maps is selected as the map provider under Administrator > Settings > Display Settings. Open Street Map is not supported. |
58311 | On Bionic systems, the versa-lced process may not start when versa-confd does not start fully. To fix this problem, issue the vsh restart command. |
58931 | The SD-WAN map might show all sites even when you select a site tag filter. |
58938 | Use sudo to run the cluster installation script from a Versa Director running a Bionic image. |
Known Issues in Release 21.1.2
Bug ID | Summary |
---|---|
41534 | The custom role creation view box and the log filter drop-down box close automatically when you click outside the box. |
42468 | Search collection creation fails during installation if the hostname is not bound to the IP address on which the search node is listening (the interconnect IP address). As a workaround, use the interconnect IP address of the search node as the first IP address in /etc/hosts. |
42469 | If an appliance is selected in the map filter, to change the appliance name, you must erase the name and then choose another appliance name. |
42555 | The standby Director does not respond to REST API calls. It is not possible to register the standby Director until you perform a failover. |
46001 | Maintaining accounting records stops working and starts working again after you restart the auditd process. |
54713 | The Users Map on the Secure Access dashboard works only if you select Google Maps as the map provider under Administrator > Settings > Display Settings. Support for Open Street Map is not yet available. |
58311 | On Bionic systems, the versa-lced process might not start because confd does not start fully. To fix the issue, issue the vsh restart CLI command. |
58931 | The SD-WAN map displays all sites even when you choose the Site Tag filter. |
58938 | Use sudo to run the cluster installation script from a Versa Director running a Bionic image. |
62610 | Quality of Experience between a pair of sites after SD-WAN optimization does not display correct values if there are no logs for the specific intervals. |
Known Issues in Release 21.1.3
Bug ID | Summary |
---|---|
41534 | The custom role creation view box and the log filter drop-down box close automatically if you click outside the box. |
42468 | Search collection creation fails during installation if the hostname is not bound to the IP address on which the search node is listening (the interconnect IP address). As a workaround, use the search node's interconnect IP address as the first IP address in the /etc/hosts file. |
42469 | If you select a VOS device in the map filter, to change the appliance name, you must erase it and then choose another name. |
42555 | The standby Director node does not respond to REST API calls. You cannot register the standby Director node until a failover is performed. |
46001 | Maintaining accounting records stops working and then restarts after you restart auditd. |
54713 | The Secure Access dashboard Users Map works only if you select Google Maps as the map provider under Administrator > Settings > Display Settings. |
58311 | On Ubuntu 18.04 (Bionic) systems, in some cases, the versa-lced process does not start because versa-confd does not fully start. To correct this problem, issue the vsh restart CLI command. |
58931 | The SD-WAN map displays all sites even when you choose a site tag filter. |
58938 | Use sudo to run the cluster installation script from a Director node that is running an Ubuntu 18.04 (Bionic) image. |
66297 | SD-WAN site, link availability, and QoE metrics can take up to 15 minutes to display accurate information for the latest time block, because they rely on the arrival of SLA and other logs to determine the state. There may be latency during log arrival, or logs may be lost. To determine the state more accurately, analyze more log data over time. |
Known Issues in Release 21.1.4
Bug ID | Summary |
---|---|
41534 | The custom role creation view box and the log filter drop-down box close automatically if you click outside the box. |
42468 | Search collection creation fails during installation if the hostname is not bound to the IP address on which the search node is listening (the interconnect IP address). As a workaround, use the search node's interconnect IP address as the first IP address in the /etc/hosts file. |
42469 | If you select an appliance in the map filter, to change the appliance name, you must erase the name and then choose another appliance name. |
42555 | The standby Director node does not respond to REST API calls, so the standby Director node cannot be registered until a failover is performed. |
46001 | Maintaining accounting records stops working and then starts working again after an auditd restart. |
54713 | The Users Map on the Secure Access dashboard works only if you select Google Maps as the map provider under Administrator > Settings > Display Settings. |
58311 | On Ubuntu Bionic systems, in some corner cases, the versa-lced process does not start because versa-confd has not fully started. To fix the problem, issue the vsh restart command. |
58931 | The SD-WAN map shows all sites even when you choose a site tag filter. |
58938 | Use sudo to run the cluster installation script from a Versa Director node that is running an Ubuntu Bionic image. |
66297 | SD-WAN site, link availability, and QoE metrics can take up to 15 minutes for the latest time block to show accurate information, because they rely on the arrival of SLA and other logs to determine the state. There could be latency during log arrival, or logs could be lost. For accurate state determination, analyze more log data over time. |
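Known issue 42468, listed in each of the tables above, has one root cause: the search node's hostname resolves to some other address (commonly the 127.0.1.1 line that the Ubuntu installer writes for the local hostname) before it resolves to the interconnect address. The following is an added Python example, not part of Versa's installer, that checks a hosts file for that condition and applies the documented workaround of putting the interconnect entry first. The hostname, addresses, and function names are constructed; it assumes the resolver takes the first /etc/hosts line that names the host.

```python
"""Pre-install check and workaround for /etc/hosts ordering on a search node."""


def parse_hosts(text):
    """Return [(ip, [names...])] in file order, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.append((ip, names))
    return entries


def first_address_for(hostname, entries):
    """What the resolver returns for the host: the address on the first line naming it."""
    for ip, names in entries:
        if hostname in names:
            return ip
    return None


def check_search_node_hosts(text, hostname, interconnect_ip):
    """Return (ok, detail): does the hostname resolve to the interconnect address first?"""
    resolved = first_address_for(hostname, parse_hosts(text))
    if resolved is None:
        return False, f"{hostname} is not listed in /etc/hosts"
    if resolved != interconnect_ip:
        return False, f"{hostname} resolves to {resolved} before {interconnect_ip}"
    return True, f"{hostname} resolves to {interconnect_ip}"


def apply_workaround(text, hostname, interconnect_ip):
    """Rewrite the hosts file so the interconnect line for the host comes first.

    The existing interconnect line (with any extra names) is moved to the top,
    or added if it is missing; every other line keeps its relative order.
    """
    entries = parse_hosts(text)
    match = next((e for e in entries if e[0] == interconnect_ip and hostname in e[1]), None)
    rest = [e for e in entries if e is not match]
    fixed = [match or (interconnect_ip, [hostname])] + rest
    return "\n".join(f"{ip}\t{' '.join(names)}" for ip, names in fixed) + "\n"


# Constructed hosts file: the installer default maps the hostname to 127.0.1.1,
# which shadows the interconnect address added later.
BAD_HOSTS = """127.0.0.1\tlocalhost
127.0.1.1\tanalytics-search-1
10.40.0.11\tanalytics-search-1   # interconnect interface
"""

if __name__ == "__main__":
    print(check_search_node_hosts(BAD_HOSTS, "analytics-search-1", "10.40.0.11"))
    print(apply_workaround(BAD_HOSTS, "analytics-search-1", "10.40.0.11"))
```

Run the check before starting the cluster installation; if it reports a different address first, rewrite the file (or edit it by hand to the same effect) and re-run the check before retrying the Solr collection creation.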
Request Technical Support
To request technical support, visit http://support.versa-networks.com. If you are contacting support for the first time, register and create an account. You can also send email to support@versa-networks.com or contact your Versa Networks sales account team.
Additional Information
Revision History
Revision 1—Release 21.1, December 20, 2019
Revision 2—Release 21.1.1, August 21, 2020
Revision 3—Release 21.1.2, December 1, 2020
Revision 4—Release 21.1.3, June 6, 2021
Revision 5—Release 21.1.4, April 27, 2022
Versa Director Release Notes for Release 21.1
These release notes describe features, enhancements, fixes, and known issues in Versa Director Software Release 21.1, for Releases 21.1.0 through 21.1.4. Release 21.1.1 and later are general available (GA) releases and are supported for use in production networks.
April 27, 2022
Revision 5
Install the Versa Director Software
To install the Versa Director software, see the Deployment and Initial Configuration articles.
Upgrade to Release 21.1
To upgrade to Release 21.1, see the Upgrade Software on Headend and Branch article.
Downgrade the Software
To downgrade to the software image that had been installed immediately before you performed the upgrade, issue the following command:
Administrator@versa-director> request system rollback to snapshot-timestamp
The Versa Director configuration and image are restored to the state when the snapshot was taken. Note that any configuration changes done since the snapshot was taken are lost when you perform the rollback operation. See Upgrade Software on Headend and Branch for information about upgrading HA-enabled Director nodes.
Install the Software License for Versa Director
Versa Director is controlled by a software license. You must obtain a valid license file by contacting Versa Networks Customer Support.
Note the following:
- Versa Director software ceases to operate after a 15-day trial period, so you must obtain a license key within that time.
- On all newly installed Versa Directors, you must run the Versa Director startup script, /opt/versa/vnms/scripts/vnms-startup.sh, to correctly configure the Director network interfaces for their intended function (for example, interface eth0 for northbound communication towards OSS systems and for UI access, and eth1 for southbound communication towards VOS devices).
VOS Version Compatibility
Release 21.1.2 of Versa Director is compatible with the following VOS versions:
- 21.1.2
- 21.1.1
- 20.2.2
- 20.2.3
- 16.1R2S11
- 16.1R2S10.1
- 16.1R2S9
Releases 21.1.3 and later of Versa Director are compatible with the following VOS versions:
- 21.1.3
- 21.1.2
- 21.1.1
- 20.2.4
- 20.2.3
- 20.2.2
- 16.1R2S11
- 16.1R2S10.1
- 16.1R2S9
Releases 21.1.4 and later of Versa Director are compatible with the following VOS versions:
- 21.1.4
- 21.1.3
- 21.1.2
- 21.1.1
- 20.2.4
- 20.2.3
- 20.2.2
- 16.1R2S11
- 16.1R2S10.1
- 16.1R2S9
Release 21.1 of Versa Director is not fully configuration-compliant with other versions of VOS software. If you commit templates or make direct configuration changes in the Appliance view UI to non-compatible VOS releases, the commit or configuration changes may be rejected with an RPC error.
New Features
This section describes the new Versa Director features in Release 21.1.
- Active Directory and LDAP support—You can configure Active Directory (AD) authentication connectors to use secure LDAP. You can connect a Director node to AD using a secure channel, and the Director node can connect to an AD global catalog server. See Configure AAA.
- Appliance tags—(In Releases 21.1.1 and later.) On the Appliances page, you can assign tags, which allows you to easily filter appliances using their tag values. To set tags for an appliance, click the Edit icon in the Tags column.
To filter appliances by tags, enter tag values in the Appliance Tags search box. The search filter is saved for the duration of the current session. Appliances are displayed by the selected tags even if you navigate away from the Appliances window in the Administration, Configuration, or Monitor tabs.
- Autogenerated paired site IP address for active-active HA pair—When you use device workflows to configure an active-active HA pair, the bind data variable Paired_Site__location ID is autogenerated. If the value for this bind data variable is empty, it indicates that multiple device workflows can be paired. In this case, you must enter the generated paired site ID of the other device, which must be running HA.
- CPI 810 digital certificate compliance—To support CPI 810 digital certificate compliance, a Director node triggers an alarm when an SSL certificate has expired or is about to expire (a warning alarm for 30 days remaining, and a critical alarm for 7 days remaining). The Director node automatically clears the alarm when the certificate is renewed.
- Device-level service templates—You can add specific device-level service templates on top of the group-level service templates, allowing you to specify a group-level service description while still being able to perform device-level customization using templates. See Configure Basic Features.
- Encryption of sensitive information—(In Releases 21.1.1 and later.) Sensitive information, such as IPsec PSKs, OSPF passwords, and user passwords, is encrypted in templates, bind variables, and appliance configurations. The VOS device and the Director CLI display these sensitive fields in encrypted format. After you upgrade a Director node to Release 21.1.1, existing unencrypted fields are not automatically encrypted. To encrypt the keys, access the configurations and then save them.
To disable the encryption feature from the Versa Director CLI, issue the following command:
Administrator@Director% set system settings encrypt-data enable-encrypting-sensitive-info false
- IPAM overlay addressing assignment—(In Releases 21.1.1 and later.) Versa Director supports IPAM-based IP address allocation for device overlay tunnels (ESP and VXLAN) and for staging IP address pools on Controllers and hub controller nodes (HCN). IPAM is an internal service on Versa Director and runs as a container. The main features of IPAM-based addressing allocation are:
- Organization ID and device ID are not encoded in the IP address allocated to a device.
- You can add multiple smaller address pools in the overlay addressing configuration based on your requirements. With IPAM, you can deploy an SD-WAN network with a small overlay IP pool or pools: a /8 or /16 prefix is not required.
- The next available address in the pool is allocated to a new device being created.
- When you upgrade Versa Director, currently configured overlay address pools and allocated addresses are migrated automatically to the IPAM module.
- During the upgrade process, if the validation script finds that an address is allocated to multiple devices, the upgrade process fails. You must rectify duplicate addresses before attempting an upgrade.
- Kafka client—Versa Director now streams high volumes of data to Kafka servers. Kafka is a TCP-based streaming protocol and API implementation. The protocol defines all APIs as request-response message pairs.
- Layer 2 template workflows—(In Releases 21.1.1 and later.) Template workflows are enhanced with Layer 2 configuration, to allow you to configure virtual switches, Layer 2, and IRB interfaces. You configure organization-level virtual switches under Configuration > Objects > Virtual Switches, as shown below:
When you create an organization using a workflow, a default virtual switch is automatically generated. You can configure bridge domains within each virtual switch using the bridge domain name and a VLAN ID. Bridge domains are named VLAN segments. Bridge domain names and VLAN IDs must be unique within a virtual switch.
In the Workflows > Templates workflow, a new interface type, L2, is added in the Interfaces tab. To select the Layer 2 interface, click the interface icon to mark a port as a Layer 2 port.
Layer 2 interfaces are displayed in the Interfaces tab > Layer 2 Interfaces tab. You can configure Layer 2 workflows in Basic or Advanced mode. The following screen shows basic mode:
In advanced mode, you can select different organizations across subunits of the same port and specify a bridge domain for line translation. The following screen shows that the virtual switch added earlier is available for the organization in the Layer 2 workflows.
You can configure IRB interfaces as LAN or WAN. The VLAN ID of the IRB must map to a VLAN ID in the Layer 2 workflow interfaces for the organization of the LAN/WAN interface. If there is a mismatch, the template workflow deployment fails.
See Configure Layer 2 Forwarding.
- Next-generation RBAC framework—A next-generation RBAC framework replaces the NCS RBAC framework. Versa Director has used the NCS NACM framework to provide role-based access control (RBAC), but as the number of objects grows in the system, performance degrades and a large amount of framework data is created, resulting in slowness when you create or delete appliances or create templates. The next-generation RBAC framework improves performance and allows a Director node to handle more devices. With these changes, only the Director GUI and the REST API are protected by RBAC; the CLI is not protected by RBAC. This has two consequences:
- Any user who has access to a Director node can see all data that is available in the CLI. Therefore, it is highly recommended that you limit access to the Director node.
- For external authentication, only a user with the role ProviderDataCenterSystemAdmin can SSH and SCP to a Director node. Users with any other role cannot log in to the Director node. The Director node can no longer differentiate between an operator and an admin user, so all roles have the same access to the system. This enhancement safeguards the Director node by limiting the users who can access the system.
- Order of service templates policy rules—(In Releases 21.1.1 and later.) In previous software releases, when you applied service templates, the rules with a higher priority were inserted after rules with lower priority. In Release 21.1.1, this behavior has been changed so that the higher-priority rules precede the lower-priority rules. This change is in effect wherever you order the rules, because in the VOS software, rules with a higher priority take precedence over the rules with a lower priority. In the stack of templates (main and service templates) applied on a device, the lower the template in the order, the higher the priority the configuration in the template becomes. For policy rules, such as firewall and traffic steering rules, rules from the template in the lower order are added to the top of the rules stack.
- Redundant authentication connector—Versa Director allows you to configure multiple redundant authentication servers for RADIUS, TACACS, LDAP, and Active Directory (AD). Authentication by external servers is based on the configured order. If the first authentication server is not reachable, authentication falls back to the next server. See Configure AAA for User Authentication.
- Schedule automatic software upgrades—You can schedule software upgrade tasks to occur automatically. You can commit tenant-specific templates and download or upload software to one or more appliances at the same time. You can edit or cancel an automatic software upgrade at any time. See Upgrade Software on Headend and Branch.
- Schedule template commit and appliance upgrade—(In Releases 21.1.1 and later.) You can schedule template commits to VOS devices or software upgrades. If a VOS device is not reachable at the time of the scheduled job, you can set the option for the system to automatically execute the job when the VOS device becomes reachable.
You can view the scheduled and executed jobs from the Administration > Scheduled Tasks menu:
- SD-WAN workflows and AWS Transit Gateway integration—(In Releases 21.1.1 and later.) Versa Director fully automates the configuration of site-to-site IPsec tunnels by calling AWS APIs to create Network Manager objects such as devices, site, links, and customer gateways, and by creating a VPN connection between the transit gateway and the customer gateway. When you create an IPsec tunnel between a VOS device and an AWS transit gateway registered in the AWS global network under Network Manager, manual configuration of IPsec tunnels and VPNs is not required. You can manage and view all site-to-site tunnels from a VOS device to the AWS transit gateway, Azure Virtual WAN, and Zscaler. This support, which uses Secure SD-WAN from the Versa Secure Cloud IP Platform as the branch on-premises CPE solution, enables dynamic and secure branch-to-branch and secure branch-to-AWS connectivity, with SD-WAN application-aware intelligent traffic steering across the AWS-powered backbone.
To configure the VPN, use the Tunnels tab in the Template workflow:
To enter connector and AWS details, use the Tunnel Information tab in the Add Device workflow:
- Signature verification for software package uploads—(In Releases 21.1.1 and later.) You can use digital signature verification to verify Versa Director and VOS software packages that are uploaded using a Versa Director node. See Configure Signature Verification for Software Package Uploads.
- Subscription lifecycle updates—(In Releases 21.1.1 and later.) A number of changes have been made to the subscription lifecycle, including the following. See Subscription Lifecycle.
- Licenses are valid for 1, 3, or 5 years.
- License subscriptions do not support the Created and Suspended states.
- A license is immediately activated after the device performs ZTP.
- Manual license activation is not required.
- Ubuntu Release 18.04—You can use Ubuntu Release 18.04 (Bionic Beaver) as the base Linux platform for Versa Director. The specific software version is Ubuntu 18.04.4. Separate .bin and .iso software images are available for Ubuntu 18.04. Note that in Release 21.1, you cannot upgrade directly from Ubuntu Release 14.04 to Release 18.04.
- Zscaler GRE tunnels—(In Releases 21.1.1 and later.) Versa Director supports the integration of Zscaler third-party site-to-site tunnels through workflow, to simplify the deployment of large-scale secure and optimized branch connectivity. You can create secure generic routing encapsulation (GRE) tunnels between a VOS CPE device and a device hosted in the cloud, in a data center, or by Zscaler, to optimize the connectivity between the VOS and cloud devices. The VOS CPE device can be a physical device or a cloud-based SD-WAN device.
When you create a site-to-site GRE tunnel between a VOS device and an unmanaged cloud device, you must configure network details such as the site-to-site tunnel name, the tunnel protocol (as GRE), the LAN VRF, and the WAN/LAN network to establish the connection on the unmanaged device. To do this, you create a Workflow template in which you configure a tunnel and VPN profile for the unmanaged device:
To add a VPN profile for a GRE tunnel:
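The IPAM overlay addressing description above (next available address, several small pools instead of one /8 or /16, and a pre-upgrade validation that fails on an address allocated to more than one device) can be modelled compactly. This is an added Python example, not Versa Director's IPAM service; the class and function names and the pools are constructed, and it assumes an allocation simply takes the first free host address across the pools in configured order.

```python
"""Pool-based overlay address allocation with a duplicate-allocation check."""
import ipaddress
from collections import defaultdict


class OverlayIpam:
    """Allocates the next free host address across several (possibly small) pools."""

    def __init__(self, pools):
        # Pools are searched in configured order; strict=True rejects a prefix
        # with host bits set, which is almost always a typo in a pool definition.
        self.pools = [ipaddress.ip_network(p, strict=True) for p in pools]
        self.allocations = {}  # device name -> IPv4Address

    def allocate(self, device):
        """Return the device's address, allocating the next available one if needed.

        Nothing about the organization or device is encoded in the address chosen.
        """
        if device in self.allocations:
            return self.allocations[device]
        used = set(self.allocations.values())
        for pool in self.pools:
            for addr in pool.hosts():
                if addr not in used:
                    self.allocations[device] = addr
                    return addr
        raise RuntimeError("all overlay pools are exhausted")

    def release(self, device):
        """Free the device's address so it becomes available again."""
        return self.allocations.pop(device, None)

    def utilization(self):
        """Per-pool (used, capacity) to show when another small pool should be added."""
        used = set(self.allocations.values())
        return {str(p): (sum(1 for a in p.hosts() if a in used), p.num_addresses - 2 if p.prefixlen < 31 else p.num_addresses)
                for p in self.pools}


def validate_for_upgrade(allocations):
    """Pre-upgrade check: return {address: [devices]} for every address held by more than one device.

    An empty result means the migration of existing allocations into IPAM can proceed.
    """
    owners = defaultdict(list)
    for device, addr in allocations.items():
        owners[ipaddress.ip_address(str(addr))].append(device)
    return {str(a): sorted(d) for a, d in owners.items() if len(d) > 1}


if __name__ == "__main__":
    ipam = OverlayIpam(["10.255.0.0/30", "10.255.1.0/29"])   # constructed pools
    for site in ("site-a", "site-b", "site-c"):
        print(site, ipam.allocate(site))
    print(ipam.utilization())
    # Constructed pre-upgrade snapshot with a duplicate that must be fixed first.
    print(validate_for_upgrade({"d1": "10.1.1.5", "d2": "10.1.1.5", "d3": "10.1.1.6"}))
```

Note the spill-over in the first pool: once the two usable hosts of the /30 are taken, the next device lands in the /29, and a released address is reused before the pool is extended.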
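The change in the order of service template policy rules described above is easiest to see with a small first-match evaluator. This is an added Python example, not VOS or Director code; the template stack, rule fields, and function names are constructed, and it assumes rules within a single template keep their relative order while the lower a template sits in the applied stack, the higher its priority.

```python
"""Merge policy rules from a template stack: Release 21.1.1 ordering versus the earlier behaviour."""


def merge_policy_rules(template_stack, legacy=False):
    """Merge per-template rule lists into the single ordered list a device evaluates.

    template_stack: list of (template_name, [rule, ...]) in applied order, main
    template first. With legacy=False (Release 21.1.1 and later) the rules of a
    lower, higher-priority template are placed at the top; legacy=True reproduces
    the earlier behaviour where they were appended after lower-priority rules.
    """
    merged = []
    for name, rules in template_stack:
        tagged = [dict(rule, template=name) for rule in rules]
        merged = merged + tagged if legacy else tagged + merged
    return merged


def first_match(rules, app):
    """First-match evaluation: the first rule whose app matches decides the action."""
    for rule in rules:
        if rule["app"] in (app, "any"):
            return rule["action"], rule["template"]
    return "default-deny", None


# Constructed stack: the main template allows web and then denies everything else,
# and two service templates applied later add a DNS allow and a web lockdown.
STACK = [
    ("main", [{"app": "web", "action": "allow"}, {"app": "any", "action": "deny"}]),
    ("svc-dns", [{"app": "dns", "action": "allow"}]),
    ("svc-lockdown", [{"app": "web", "action": "deny"}]),
]


def decision(app, legacy=False):
    """Which rule wins for the given application under either ordering."""
    return first_match(merge_policy_rules(STACK, legacy=legacy), app)


if __name__ == "__main__":
    for app in ("web", "dns"):
        print(app, "new:", decision(app), "legacy:", decision(app, legacy=True))
```

Under the earlier ordering the main template's catch-all deny shadows every service-template rule, so the lockdown never applies and DNS is denied; with the new ordering the service templates take precedence as intended.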
Enhancements
The following table lists the enhancements in Release 21.1.
Enhancements in Release 21.1
Feature Tracking Bug | Description |
---|---|
44704 | Director triggers an alarm if the SSL certificate has expired or if it is in the critical (Last 7 days) or warning (Last 30 days) state. The alarm is cleared automatically when the certificate is renewed. |
40804 | When you use device workflow to configure the active-active HA configuration, the bind data variable Paired_Site__locationID is autogenerated. If the value is empty, you can pair multiple device workflows, entering the generated paired site ID of other device. |
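Both the CPI 810 feature description and bug 44704 above give the same thresholds: a warning alarm at 30 days remaining, a critical alarm at 7 days, and automatic clearing when the certificate is renewed. The following is an added Python example of that alarm logic, not Director's implementation. The certificate names, dates, and class names are constructed; the thresholds are taken as inclusive; and notAfter is read in the text form that OpenSSL prints, which the standard library's ssl.cert_time_to_seconds parses.

```python
"""Certificate expiry alarm with warning/critical thresholds and clear-on-renewal."""
import ssl
import time

WARNING_DAYS = 30   # warning alarm threshold from the release note
CRITICAL_DAYS = 7   # critical alarm threshold from the release note


def days_remaining(not_after, now):
    """Days until expiry; not_after is OpenSSL's text form, e.g. 'Jun  6 12:00:00 2021 GMT'."""
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def certificate_state(not_after, now):
    """Classify a certificate as ok, warning, critical, or expired at time `now` (epoch seconds)."""
    remaining = days_remaining(not_after, now)
    if remaining <= 0:
        return "expired"
    if remaining <= CRITICAL_DAYS:   # assumption: thresholds are inclusive
        return "critical"
    if remaining <= WARNING_DAYS:
        return "warning"
    return "ok"


class CertAlarmMonitor:
    """Raises an alarm when a certificate nears or passes expiry and clears it on renewal."""

    def __init__(self):
        self.active = {}   # certificate name -> current alarm severity

    def evaluate(self, name, not_after, now=None):
        """Check one certificate; return the event this check produced: raise, update, clear, or None."""
        now = time.time() if now is None else now
        state = certificate_state(not_after, now)
        previous = self.active.get(name)
        if state == "ok":
            if previous is None:
                return None
            del self.active[name]        # a renewed certificate clears the alarm
            return "clear"
        self.active[name] = state
        if previous is None:
            return "raise"
        return "update" if previous != state else None


if __name__ == "__main__":
    # Constructed timeline: checks on Jan 1 and Jan 15 2022, then after renewal.
    jan_1_2022 = ssl.cert_time_to_seconds("Jan  1 00:00:00 2022 GMT")
    mon = CertAlarmMonitor()
    print(mon.evaluate("director-ui", "Jan 20 00:00:00 2022 GMT", jan_1_2022))
    print(mon.evaluate("director-ui", "Jan 20 00:00:00 2022 GMT", jan_1_2022 + 14 * 86400))
    print(mon.evaluate("director-ui", "Jan  1 00:00:00 2023 GMT", jan_1_2022 + 14 * 86400))
```

Evaluating on a schedule (daily is enough for 30-day and 7-day thresholds) yields one raise, at most one escalation from warning to critical, and one clear once the renewed certificate is installed, which matches the behaviour the note describes.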
Enhancements in Release 21.1.1
Feature Tracking Bug | Description |
---|---|
39771 | If you enable scheduled security pack (SPack) downloads, Versa Director automatically installs or updates the latest SPack on the Director node. In earlier releases, a scheduled SPack download only downloaded the SPack. |
42136 | You can set the same priority on different hubs in a spoke group, so that spokes can use multiple equal-priority hubs and load-balance traffic across them. |
43272 | Tasks page filtering is enhanced in the GUI, and filtering is done on the backend (server side). You can filter tasks by username and domain name (organization). A new filter, AnyField, takes a search string and performs a regex search on all task columns. |
45234 | You can download either the premium or the sample version of an SPack from a cloud server to a Versa Director node and to VOS devices, based on the SPack user configuration. In earlier releases, you could download and install only premium SPacks. |
47072 | From the Service Bandwidth drop-down list, you can select only one of the following options: 10 Mbps, 25 Mbps, 50 Mbps, 100 Mbps, 200 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, and 10 Gbps. |
47083 | The Suspend and Reactivate license subscription states have been deprecated, and these options have been removed from the Perform Subscription Action window. CPEs that are in the Suspended state when upgraded to Release 21.1.1 are placed in the Activated state. |
47085 | A license period, with the options 1 year (default), 3 years, and 5 years, has been added in the following windows: The license period is displayed in the entitlement reports, monthly reports, and query page. Subscription renewal is calculated based on the license period. |
47086 | The isPrimary and isAnalyticsEnabled options are disabled in license subscriptions. These two options have been removed from the following windows: These two flags have also been removed from the entitlement and monthly reports. |
47089 | You can view details about a license to determine how many licenses are active and how the licenses are being used. The license details displayed include the start and end dates, solution tier, bandwidth, location, and serial number. To view license details in Director view, select the Administration tab in the top menu bar, and then select Entitlement Manager > License Detail View in the left menu bar. |
47819 | Task start and end times are displayed according to the client browser's time zone. This means that users in different time zones see the same task displayed in their own local time zone. For example, suppose a task with ID 6 has a start time of Sat, Jun 20 2020, 16:24:14 in UTC. If a user in the India time zone logs in to Versa Director, the start time of task ID 6 is shown as Sat, Jun 20 2020, 21:54:14 (because IST is UTC +5:30). If a user in the U.S. PST time zone logs in to Versa Director, the start time of the same task is shown as Sat, Jun 20 2020, 8:24:14 (because PST is UTC –8). |
48305 | With IPAM-based overlay address allocation, the Controller and hub Controller node template workflows now provide a staging pool size for each WAN interface. You can disable the staging option on some WAN interfaces. |
49318 | Versa Director and VOS software packages carry digital signatures that can be verified while the packages are being uploaded to Versa Director. By default, this feature is disabled; you can enable it using the CLI or the GUI. If you enable signature verification, you must upload the signature file while you are uploading the image. If the signature is verified, the uploaded image remains on the device. If signature verification fails, the uploaded image is deleted and the task fails. |
51986 | To detect any misconfiguration in Versa Director that can cause an upgrade failure, configuration validation is performed as part of the upgrade. For more information, see the Before You Upgrade to Release 21.1.1 section, above. |
52235 | In the SSO configuration, the new sp-entity-id option allows interoperation with Azure AD SAML. |
53346 | When a session is close to timing out, Versa Director displays a global notification. Users are given the option to continue their current session. |
53575 | SD-WAN forwarding profiles have been enhanced to support path list–based circuit priorities (path-name-list, path-type-list, path-media-list, and path-tags-list), a last-resort priority, and an unmatched priority. Path list–based circuit priorities provide flexibility for defining priorities using exact match for local and remote circuits, which removes the ambiguity about when to use AND or OR in match conditions for local and remote circuit priorities. The new path list–based priorities and the existing circuit priorities model are mutually exclusive at a given priority level: if you select path list–based priorities, the existing circuit priorities model is not allowed at that level, and vice versa. However, you can use both types at different priority levels. Paths configured with the last-resort priority are used only when all other paths are down, which lets you avoid using LTE paths when other paths are available. The unmatched priority defines the priority of paths that are not configured explicitly. For example, if the unmatched priority is set to priority 2, any path that is not configured in the forwarding profile is treated as priority 2. |
56910 | To prevent users from continuously sending forgotten-password emails, you can configure the Forgot Password Request Time Interval, in seconds, to set how often users can make a request. The default interval is 900 seconds (15 minutes), and the minimum value is 60 seconds. This feature is enabled by default. If you do not require it, set a higher value for Forgot Password Request Time Interval in the User Global Settings window. |
57530 | High availability GUI labels have been changed from Master and Slave to Active IP Address and Standby IP Address. |
Fixed Bugs
The following tables list the critical and major defects that were fixed in Release 21.1.
Fixed Bugs in Release 21.1
Tracking Bug | Description |
---|---|
46503 | The exported summary report does not show CPEs with 10-Gbps configured bandwidth. |
46336 | The staging template was not shown during device group creation for a parent organization. |
46256 | Some sites are missing from the entitlement query report. |
45603 | External 2FA does not redirect to the enter-code UI page when you use SMS. |
45568 | The NAT traversal field in the Director UI was shown as undefined and was not editable. |
45546 | The AWS geographic locations Bahrain and Hong Kong were missing when creating an SD-WAN gateway in a public cloud. |
45203 | The Velocity template now sets the MTU of the PPPoE interface to 1492. |
45153 | The device drop-down list did not skip invalid entries when populating the UI for security package installation. |
45025 | Editing adaptive shaping settings in a service template causes a remote server exception. |
40664 | Update vnms-startup.sh to use more meaningful prompts, such as "Prompt to set new password at first time UI login (y/n)?" |
38900 | Add a warning popup for the Clear button in the DHCP active leases section of the Services tab. |
34601 | Handle IPv6 link-local addresses for URL-based ZTP. |
Fixed Bugs in Release 21.1.1
Tracking Bug | Description |
---|---|
41606 | Extending the IKE SA lifetime up to 24 hours does not work in the Director UI under VPN profile. |
41853 | In static routes, the exit interface can be none, so the exit interface and next-hop IP address must not both be mandatory. |
42055 | After upgrading Director to Release 20.2, if any template is modified and committed to a device running Release 20.2, the diff shows configurations of both Release 16.1R2 and Release 20.2. |
42722 | Upstart does not restart the postgres database process when it is killed. |
44765 | Versa Director had to be restarted after applying a maximum CPE limit license for the license information to take effect. Support is added to update the required license information cache immediately after applying the CPE limit license, without restarting Versa Director. |
46560 | Unable to perform all actions for WAN network groups for the PDCO, TO, TSA, TSECA, and TDO roles. |
47932 | Transport domains (internet/MPLS) are not listed when creating a WAN name. |
48074 | Scheduled SPack download does not start based on the configured start time and interval. Now, Versa Director downloads the SPack based on the scheduled time and version configured in the SPack settings. You can also change the time or interval to reschedule. |
48243 | Template commit using service templates does not work if the selected service template is added at the device level in the device workflow. |
48516 | The Versa Director Memory dashboard displays low free memory. |
49145 | The upgrade process must fail or stop if there is an error receiving the postgres dump during an upgrade. |
49863 | Upgrading Director to Release 20.2.1 fails because the sdwan_sla_loss_pct.lua and migrate.py scripts fail. |
49924 | After you upgrade from Release R2.10 to 20.2.1, static routes in the workflow template are not migrated to postgres and an error is logged in upgrade.log. |
51102 | Shell In A Box does not open and displays an HTTP Status 403 - Forbidden error. |
52235 | An option is needed to add sp-entity-id for SSO with Azure AD SAML. |
52450 | Versa Director does not load the list of pages if a single quotation mark (') is included in location details. |
52690 | Versa Director tasks for an appliance UUID are not returned from REST APIs. |
52791 | The GUI does not display the Jitter, Transmit, and Receive fields in SLA Profiles. |
52816 | The supported character length in the NGFW policy rule description is not displayed. |
53318 | The disk fills up because of postgres logging. |
53537 | Versa Director logs out automatically when another window is opened and is kept idle until the GUI idle timeout expires. |
53592 | uCPE guest VNF user data and custom file names are now pushed to the device with the proper names so that the guest VNF is created successfully. |
54150 | Add support for OpenID logout when a direct link is used. |
54157 | Add support for selected IDP/local logout for IDP-initiated SSO. |
54237 | Add support for the GET Alarms API with data type XML. |
54311 | The suborganization is not displayed for a device in the Appliance and Device Monitor tab. |
54432 | Cannot parameterize DNS values in DNS settings. |
54629 | A duplicate serial number is displayed in the bind data tab of the Device Workflow menu. |
55139 | GET APIs do not work for multiple-key list elements in the appliance YANG model, for example, the static routes list. |
55152 | An SSO tenant user can log in to Versa Director even though no roles are associated with the organization. |
55224 | The Release 20.2.2 upgrade validation script fails because of issues in the auth-connector-validation.py script. |
56002 | Cannot configure the Versa Analytics FQDN under the SAML client from the GUI, even though the configuration can be done using the CLI. |
56030 | Cannot delete a Controller from the UI because of issues related to the user authentication token. |
56111 | In the DNS proxy resolver, not all sites are listed in the site name drop-down list. |
56131 | Template commit fails randomly with the error CacheLoader returned null for key Thread[TemplateService-ApplyTemplate-18,5,main]. |
56266 | When you create users in User Management, the First Name and Last Name fields do not support special characters. |
56546 | Logout fails with SP/IDP-initiated SSO. |
56556 | In the tcpdump Tools screen, Versa Director downloads previously downloaded PCAP files. This is fixed to download only the PCAP files of the current site. |
56794 | When upgrading from Release 16.1R2Sx to Release 20.2.2, the Last Modified By and Modified Date fields are not copied correctly. |
56816 | When you commit the master template with the overwrite option, if an NGFW service template is associated at the device level, some routing instances are removed from Available Routing Instances and Owned Routing Instances. If a shared service template is associated with a device in the device workflow, the configuration is not properly merged from the service template. |
56958 | The Analytics URL uses HTTPS when accessed using SSO after you configure a Versa Analytics client in the Versa Director SSO connector. |
57121 | A device is not displayed in Entitlement Query or reports if device creation fails during ZTP. |
57438 | An external OAuth token cache issue has been fixed to handle concurrent Versa API requests efficiently. |
57497 | Second Controller deployment fails if any WAN interface on the primary Controller has only an IPv6 address. |
57664 | Versa Director did not fall back to local authentication when none of the configured TACACS+ and RADIUS authentication servers were reachable. Director now falls back to local authentication, and authentication succeeds when you enter the correct user credentials. |
57677 | When you change the redistribution policy, graceful restart helper mode is disabled in the BGP configuration. |
57720 | Validating a template with a QoS service template displays the error {"response-code":"201","error-message":"com.tailf.maapi.MaapiException: A variable value has not been assigned to: v_vni-0-0_Rate__cosInterfaceRate","response-type":"error"}. |
57727 | In Release 20.2, the order of source and destination zones in firewall rules is different from earlier releases. |
57934 | Tenant users can view the resource pool of all the tenants under the provider. |
58104 | Memory leaks were identified and fixed in ConfOperationImpl, SpackImpl, and RestProxyProcessor. |
58106 | You can configure the ping wait and timeout values that Versa Director uses for devices from the Director CLI. You might want to configure higher timeout values for devices that are reachable only over high-latency satellite links: `nms { provider { monitoring-settings { appliance-monitoring-settings { single-device-ping-timeout 30; bulk-devices-ping-timeout 60; } } } }` |
58248 | NTP configured with the server FQDN does not work, because the template workflow does not configure the routing instance in the NTP server configuration. This is fixed so that the template workflow configures the routing instance in the NTP server configuration. |
58340 | The search function does not work in the Organizations workflow list. |
58393 | The appliance-final-configuration-completed AMQP event populates the organization in the content as "organization": "System" instead of the organization name. |
58591 | When TACACS+ is enabled, you cannot restart services using vsh. When external authentication is enabled and an external user with the ProviderDataCenterSystemAdmin (PDCSA) role has logged in, the user cannot restart VNMS services. |
58741 | The GUI does not allow configuration of a BGP password with more than 16 characters. BGP passwords of up to 128 characters can be configured using the CLI. |
Fixed Bugs in Release 21.1.2
Tracking Bug | Description |
---|---|
39617 | Proxy authentication is now supported, so a user can configure the username and password of an external proxy server. |
41228 | Fixed vulnerabilities in UI JS libraries. |
42472 | Added the ability to unlock a user from the appliance UI page. |
51101 | TenantSuperAdmin might not be able to view active users for their tenant. |
52509 | The HA template workflow now has a validation check for the redundant pair template name. |
52621 | You might not be able to set the UTC time zone on a VOS device. |
52895 | Add the ability to clone policy configuration for site-to-site VPN profiles. |
53306 | Template merge might take a long time. |
53346 | The UI might log out unexpectedly. |
53837 | uCPE SSH might not work for a tenant custom user role. |
53926 | Fix popup windows to fit the screen in all tab views. |
54133 | If you use the request system recovery backup command to perform a backup operation, the result is now shown. |
54432 | Add support to parameterize DNS values in DNS settings. |
55415 | Removed the server and server pool type "http" configuration from the UI in the ADC collector configuration. |
56266 | Special characters in the First Name and Last Name fields are now allowed when creating users in Director User Management. |
56473 | Upgrade from Release 16.1R2S9 to Release 20.x was failing if there were device groups with no associated templates after the migration. |
56661 | After you commit changes in build mode, a device might remain in the Southbound locked state. |
57669 | When you select more than one service, associating an organization with an appliance might fail. |
57670 | When you associate an organization on the Appliance screen and select a service node group, services should not be a required field. |
57750 | You might see a bearer token missing error during OAuth-based GET calls. |
58155 | The local peer PSK autogenerated variable name might be incorrect and does not appear in the device bind data. |
58438 | The IKE Down status was misleading in the Director Monitor dashboard and has been removed. |
58710 | The stateful service template now has a tab for objects. |
58741 | From the UI, you could not configure a BGP password longer than 16 characters. |
58828 | There was a display issue with the Last Modified Time field in the UI for workflows. |
58835 | An unexpected CPE license expiry alarm might be generated. |
58929 | Unable to add multiple SSO customer roles with the same Director role in External SSO Role Mapping. |
59034 | Purge was not deleting local backups. |
59086 | VRRP configuration might be lost when the physical interface IP address is modified. |
59092 | You can now configure IPv6 interface mode in the UI. |
59464 | Sometimes, devices were not visible under the Monitoring, Configuration, and Workflows tabs after HA failover. This is fixed. |
59751 | A new API returns applianceStatus by appliance name: https://ip-address:9183/vnms/dashboard/applianceStatusByName/organization-name/appliance-name |
59919 | Configuring multiple BGP peer tracking entries in HA in a device template might fail. |
59956 | The OS SPack option is now visible for Tenant Super Admin users. |
60042 | Commit template could not identify the configuration changes between the configuration template and the appliance configuration, and always showed In-Sync. |
60537 | The service name and access concentrator are no longer mandatory in the device workflow. |
60857 | Director upgrade from Release 20.2.2 to Release 20.2.3 might fail because of stale entries in bind data. |
60967 | Added a routing-instance match condition to QoS policies. |
61060 | When Director logged out, an error message was displayed with SSO. |
61244 | The paired site location ID was not configured properly. |
61389 | A negative site ID number might be displayed for non-SD-WAN CPEs in the appliance listing screen. |
61402 | Enabling HA might fail with an error on the secondary device. |
61433 | Hardware replacement might fail with a wrong build-type error regardless of the image on the new appliance. |
61492 | A missing software version in the Director database for a CPE might cause a hardware replacement failure. |
61585 | When configuring a VFP rule, the disable radio setting did not work as expected. |
61717 | Some screens became slower when device names were displayed in a drop-down list. |
61795 | A task might unexpectedly get stuck during device onboarding. |
61849 | When templates were committed simultaneously by different users, the commit might fail. |
61948 | Provider data center operators cannot view unknown devices in Versa Director. |
61976 | Director now allows hyphens (-) and numbers in custom user role names. |
62034 | Disabled PostgreSQL WAL archives to reduce disk usage. |
62094 | The CPE SLA configuration path policy was lost when upgrading from Release 16.1R2 to Release 21.1.1. |
62163 | UI monitor screens made API /orgs/org/{tenant}/kpi calls too often, causing slowness. |
62372 | In the template workflow, the isStaging flag was not set correctly when changing from Hub Controller to Hub. |
62485 | The update operation did not work for IDP-based SAML users. |
62631 | IPAM allocated a duplicate IP address, causing branch reachability issues from the Director node after upgrading to Release 21.1.1. |
Fixed Bugs in Release 21.1.3
Tracking Bug | Description |
---|---|
35962 | Upgrade vulnerable outdated third-party libraries on the backend. |
40157 | Add support for a TCP-based remote syslog connector. |
41228 | Remove and replace vulnerable third-party JavaScript libraries (UI). |
42524 | Logging out of the application using Okta OpenID SSO now works. |
45901 | Add support for installing a security pack (SPack) on the Director node using a CLI command. |
48033 | The source networks drop-down for adding an NTP server now works correctly. |
48431 | Improve performance when loading the Virtual Router page. |
50423 | Add a REST API to fetch only WWAN status. |
51101 | TenantSuperAdmin users can now view active users of the tenant. |
52001 | Fix NCS crash with the error "Internal error: Supervision terminated". |
52790 | Fix the Certificate and Key field drop-downs when editing Certificate Manager. |
53967 | SPack version information is displayed on the appliance listing page. |
54006 | Director-to-VOS device certificate validation for ConfD on port 8443. |
54132 | The template state in the commit window now always shows correct state information. |
55886 | File filtering in NGFW displays inconsistently depending on the navigation path. |
56777 | Allow display of location/map information for child organizations in a multitenant deployment. |
56810 | The plus (+) sign in security policy is grayed out until the page loads completely. |
57028 | Director now displays correct free memory values. |
57369 | The PPPoE WAN interface network name is now added to the traffic identification list. |
57693 | The error displayed when a commit template fails is incorrect if the description has multiple quotation marks. |
58484 | Prevent change-password blasting. |
58698 | Shared service templates now appear in the service template drop-down on the commit template screen. |
58828 | The Last Modified Time field in the UI for workflows now displays the correct time in the browser's local time zone. |
58921 | Allow exported SSO metadata to be imported into an external IDP. |
59034 | Purge now also deletes local backups. |
59050 | Allow addition of a firewall rule at a specific location. |
59207 | Fix an issue where the UI intermittently showed that a device was out of sync. |
59426 | Support application locations longer than 200 characters. |
59751 | Add a REST API to return applianceStatus by appliance name: https://ip-address:9183/vnms/dashboard/applianceStatusByName/organization-name/appliance-name |
59818 | Fix an issue where forwarding profile content in an SD-WAN rule was not displayed. |
59873 | If you change an interface IP address to be the same as the VRRP IP address, the UI now displays a message asking you to set the VRRP priority to 255. |
59919 | You can now add multiple BGP peer tracking entries in an HA device template. |
59956 | The OS SPack option is now visible for Tenant SuperAdmin users. |
60042 | Commit template could not identify the configuration changes between the configuration template and the appliance configuration, and always showed In-Sync. This issue has been fixed. |
60106 | The API response did not match the GUI output for SD-WAN traffic for an appliance in the Monitor tab. This issue has been fixed. |
60857 | Director node upgrade failed because of stale entries in bind data. This issue has been fixed. |
62155 | The AWS DescribeInstances API call failed with the error "instance ID does not exist". This issue has been fixed. |
62205 | A uCPE VNF creation task is not created if the template is committed to the device on the Diff View screen. |
62352 | The template state in the commit window does not reflect changes to a service template, or the addition or deletion of a service template to a device group or device workflow. |
62422 | Add the account type Service for server-to-server communication. |
62433 | It is possible to inject comments by entering special characters. This vulnerability has been fixed by adding careful handling of special characters. |
62556 | When you create a new notification rule condition, the name is fixed to the previous one and cannot be changed. This issue has been fixed. |
62557 | The NGFW service is not picked up from default-sng if the services field is empty. |
62608 | A TenantSuperAdmin user cannot change the session timeout. This issue has been fixed. |
62631 | Fix an issue with IPAM allocating duplicate IP addresses. |
62720 | Fix UI issues with the firewall rules page and the view more security access page. |
62785 | Add support for Azure GOV cloud using CMS. |
62790 | The audit log EXTERNAL_USER.log now displays the username instead of the bearer token. |
62949 | Add the ability to configure a timeout in RADIUS/TACACS+ API calls. |
63142 | The scheduler should not send email when a commit template is scheduled for now. |
63164 | Link-Mode and Link-Mode settings are grayed out for the PPPoE interface. |
63168 | The password is not encrypted from the browser. |
63185 | When you cancel creation of a new device workflow at the bind data tab, the system does not allow you to create the same device name even though the first attempt was canceled. |
63186 | The change password screen header and footer logo do not use the custom partner icon and instead always display Versa. |
63241 | After an upgrade, the bind variables of service templates are missing from device bind data tables. This issue has been fixed. |
63249 | When you use vnms-startup.sh in non-interactive mode, the southbound address included is the Docker IP 172.17.0.1, even though the vnms.properties file has the correct southbound address. This issue has been fixed. |
63397 | The redistribution policy Default-Policy-To_BGP on DMZ-VR (not VRF) is not created when the service template has no DIA or gateway options. This issue has been fixed. |
63430 | After you delete a device from a workflow, the device global site ID may not be released. This issue has been fixed. |
63451 | Add support for VRF ID and VRF Name as variables. |
63589 | An HA failover operation sometimes results in an application timeout. This issue has been fixed. |
63591 | Allow template names of up to 127 characters. |
63597 | The UI does not permit adding a second static route next-hop tunnel. |
63656 | Cannot update an SNMP trap profile from the GUI. |
63665 | Add REST API documentation for device template import and export. |
63733 | The LTE interface is missing if PPPoE is configured first. |
63736 | The CoS read-write rule copy attribute displays as active, but when editing it shows as not active. |
63827 | Increase the length of the SMTP username in the UI from 16 characters to 256 characters. |
63841 | Allow parameterization of the subinterface description for Ethernet/LTE subinterfaces. |
63863 | For CGNAT/SD-WAN/VFP/IPS sessions in Monitor > Services, the forward/reverse byte count is not sorted correctly. |
63897 | Kafka message publishing should happen in an async thread to handle unreachable or slow brokers. |
63964 | Read-only users cannot log in to the Director node because of a special character used in the user role description field. |
63987 | Change the appliance state monitoring run interval for scaled setups. |
64035 | Subscription changes on a workflow template are not reflected in the Entitlement Manager section of the CPE and Director node. |
64110 | You can now configure the description column in the task window. |
64190 | Addresses configured in another address group are not displayed correctly. |
64211 | The task window error message is displayed as "[Object] [Object]". This issue has been fixed. |
64262 | Unable to delete the VLAN unit if VRRP is configured in the unit. |
64365 | TCL: Separate transactions for 3 skip-apply calls during ZTP. |
64442 | Fix a user enumeration vulnerability that allowed guessing usernames. |
64572 | Controller workflow screens now validate IP subnets. |
64587 | The Monitor > Summary tenant screen displays a breakdown of interfaces. |
64598 | An encrypted key is pushed to a VOS device version that does not support it. |
64652 | When you choose the same network for the main and standby template and you choose a cross-connect port, the template workflow displays a warning popup. |
64677 | Add a unique constraint for Local Organization. Also, enhance the validation script to catch this constraint. |
64713 | Login, logout, and change password timestamps are not recorded in audit logs. |
64724 | The Monitor > Services > IPsec > SA tab does not show complete information. |
64974 | The Hazelcast device status API is not working. |
65064 | In bind data pagination, unable to display more than 100 rows. |
65069 | The autogenerated bind data IKE identifier is not updated. |
65198 | Even though disable virtual service is enabled during Controller deployment, the service is not actually disabled. |
65222 | IPsec-type tunnel interfaces are not shown in the correct drop-down in the Monitor UI. |
65235 | The OK button does not work when creating a device after filling in bind data information. |
65679 | In Firefox, the password field is shown in cleartext. |
65692 | Do not allow the \|, [, and ] characters in URL filtering. |
65735 | User authentication using OAuth does not work when fetching HA status from NCS. |
65753 | Enable suspend-backup collectors as the default in workflow templates. |
65754 | Change the log level to Info for the alarm module. |
65774 | SIT update CPE ports object in Controller firewall rule. |
65775 | An error occurs when pushing a hub-and-spoke post-staging template. |
65793 | Workflow device deployment using the CMS connector does work in the Azure China region. |
65818 | SD-WAN policies created by the workflow need an add action. |
65880 | Cannot see more than 1024 devices in the OSS selection field. |
65883 | Repeatedly executing the Uptime REST API call causes the subsystem to stop. |
65964 | The UI does not return the proper error when creating a user with invalid information. |
66020 | The user order in leaf list elements is incorrect. |
66077 | The Cache-Control header is not set properly. |
66107 | Remove the traceroute CLI command from the Director node. |
66416 | Cannot take a snapshot using external auth users. |
66429 | The paired location ID is not displayed in the drop-down list in the vertical bind data form. |
66498 | When a template is locked by a user with lock scope "Other Users", the template is inaccessible to the user who locked it. |
66523 | Device workflow update and deploy should require only read privilege for the device group. |
66668 | The CoS interface under Monitor > Service should display traffic stats per traffic class. |
66741 | Device deployment fails with exceptions. |
66965 | The log collector configuration should support parameterization of the destination IP address and port number. |
67008 | The task owner is different from the user who triggered the task. |
67048 | Show the selected device count on the commit screen and VOS devices. |
67327 | The CGNAT service is missing under Services when you add a LAN interface for the provider organization. |
67531 | Parsing issue in SAML-formatted response. |
67582 | Users should not be allowed to delete a subordinate organization of a post-staging template if any device group having that post-staging template has a service template at that subordinate organization. |
67643 | Do not generate a modified event if there is no change to the bandwidth, solution tier, or license year in the subscription plan. |
67758 | In the general service template, parameterization is needed for the DSL interface configuration of the PPPoE username and password fields. |
67763 | The UI does not display the IPsec service for a service VNF. |
67874 | Add missing appliance subscription tracking in the upgrade flow. |
67905 | Maximum open file descriptors for Spring Boot. |
67949 | Customers can make changes and commit before the network is loaded in LAN-VR. |
67965 | Standardize the device name for CPU, memory, and hard disk alarms to one value. |
68004 | The scheduler job status is not marked as Failed when an upgrade task is deleted while an upgrade is in progress. |
68006 | During bootstrapping, check the release date when upgrading VOS devices. |
68040 | Close HTTPS appliance polling connections sooner. |
68112 | Add an option to deselect the IDP connector in SSO. |
68305 | Issue in the post-staging template association UI view. |
68358 | During first-time Controller deployment, the Director node does not ask whether to use the default 10.0.0.0/8 overlay scheme or to change it. |
68847 | Do not push the Bionic image to trustworthy VOS devices. |
68914 | The spoke group UI should give the option to delete VRFs. |
68961 | A single character in the local part of an email address is reported as "not valid" while adding a tenant user. |
Fixed Bugs in Release 21.1.4
Tracking Bug |
Description |
---|---|
13550 | Update NSO to Version 4.7.10. |
43606 | Fix drop-down compatibility issues in Firefox browser. |
45549 | Raise an alarm when AMQP and Kafka connector are not reachable from Director node. |
47065 |
Username and Password fields are autopopulated in the template configuration pages. This issue has been fixed. |
48198 | Monitor screen now shows appliance system and service uptime. |
51488 | Predefined file-filtering profile is added under Predefined categories in the Objects and Connectors. |
53780 | VPN instances with hub type topology now work. |
56266 | Accept special characters in First Name and Last Name fields when creating users in Director User Management. |
56810 | Users can add multiple security policies, but only one security policy is allowed on appliance. This issue has been fixed. |
57028 | Fix for incorrect free memory calculation for Director node on the Monitor page. |
58509 |
If you enter any special characters in the Controller PSK, the ptvi does not come up. This issue has been fixed. |
58799 | Fix for incorrect appliance type for appliances created on AWS or Azure. |
59131 | Add support to encrypt all passwords in device configuration. |
59719 | Fix for provider organization creation failure when it is created from Workflows > Controller screen. |
60588 | Notification rules page allows you to create alarms notification rules without a tenant. This issue has been fixed. |
63168 | Login password string is now encrypted when sent from the browser UI. |
63733 | Fix for LTE Interface missing issue when PPPoE is configured first in the Workflow template creation page. |
64007 | Support for changing device subscription. |
64061 | Template configuration Services tab now shows only the services that are enabled. |
64411 | GUI gets stuck when navigating from the NTP screen to the Objects/Services screen. This issue has been fixed. |
64521 | When you choose a tenant in the Workflows > Infrastructure > Organization screen, the entire screen goes blank. This issue has been fixed. |
64565 | Fix for general template selection issue on device group create screen. |
64885 | Scheduled job for appliance upgrade now starts only if the appliance is reachable. |
65578 | Tenant selector does not display when user switches from one tab to another on the configuration screen. This issue has been fixed. |
65650 | Incorrect configuration under device context when bootstrap fails. This issue has been fixed. |
66012 | Support for having a CLI command to set "auto-merge" as a default option. |
66074 | The screen is stuck at system parameters page when you navigate from the system configuration to other tabs. This issue has been fixed. |
66101 | Template configuration Services tab now shows only the services that are enabled. |
66259 | Include timezone in the director-HA failover alarms. |
66364 | Fix for issues deleting a nonexistent device using APIs. |
66372 | Fix for issue sending SMTP email notification for alarms. |
66418 | Fix corner cases while taking Director snapshot. |
66584 | Enforce tab in policy rule configuration screen extends beyond the length of the screen because of a newly added feature. |
66965 | Destination IP address and port fields can now be parameterized on the log collector screen. |
67226 | Versa_Device_Events topic option display issue is fixed in the Kafka connector create and update screen. |
67298 | AWS service VNF deployment issue from appliance screen has been fixed. |
67709 | Bulk upgrade appliance task has been refactored to better show the task messages. |
67738 | Support for an option to set or customize RequestedAuthnContext value in the SSO connector screen. |
67936 | User creation page now properly validates the phone numbers. |
67963 | Fix for enabling HA failure when there are more than 500 appliances on the Director node. |
68006 | Honor release date in the package to select the latest image during bootstrap of VOS device. |
68064 | Fix cross-connect select and deselect issues in template workflow for redundant templates. |
68231 | Support for a GUI option to restrict routing and connectivity across regions in an organization workflow. |
68271 | Fix CA chain certificate expiration issue in the UI. |
68363 | You can now make NMS action API calls with an external OAuth token. |
68537 | Slowness issue is fixed for the API /vnms/dashboard/appliance/location. |
68652 | Get APIs are failing when APIs are run in parallel. This issue has been fixed. |
68670 | UI now restricts the creation of an empty app-group. |
68690 | Tomcat HTTP requests to Analytics now clean up or time out properly. |
68923 | NAT traversal configuration is added incorrectly when user modifies data on WAN Interface window. |
68978 | Fix HA template and Layer 2 interface configuration issue in template workflow. |
69266 | Switchover policy can be configured using routing peer count for appliance HA. |
69303 | Proper error messages are shown when multiple IPS rules are loaded on the appliance in the UI. |
69404 | Performance improvements for appliance monitoring. |
69405 | Fix for Workflow template commit failure when LDAP password is configured with double quote ' " ' in parameterized bind data. |
69494 | Address files and address group can now be configured from Director GUI under device or service templates. |
69496 | Fix for multitenant regional spoke groups issue. |
69515 | Read-only custom user now cannot delete appliance instance. |
69553 | Error occurs when deleting from a template a suborganization that is not used in any device group. This issue has been fixed. |
69590 | Add pagination for Locked User screen. |
69641 | Fix duplicate key sdwan-post-staging issues on Device Group screen. |
69808 | Workflow > Templates > Site > Subscriptions > Solution Tier > Service Bandwidth changes are now recorded in the audit log. |
69827 | GUI idle timeout is taking 12 more minutes than the configured value. This issue has been fixed. |
69846 | Encryption debug CLI commands are failing with application communication failure. This issue has been fixed. |
69859 | Fix issue of IKE changing on Controller node when you redeploy a device workflow. |
69860 | Path policy configuration now accepts free-form text. |
69877 | Fix for the issue with hub template workflow. |
69893 | Fix for Director HA reachability check through Controller nodes. |
69949 | After you add service chain under organization limits, service menu now shows correct options for the service chain template. |
69996 | Add support for mirror interface option for uCPE interfaces. |
70174 | Restore icon for configuration snapshots is now available in the Firefox and Chrome browsers. |
70303 | Fix for Map View to show appliance name on the Monitor screen. |
70313 | Fix the sorting functionality for system summary tables on Monitor screens. |
70318 | Fix download merge configuration issue on commit template screen. |
70319 | Fix for issue with adding custom group from GUI on policy page. |
70338 | Add support for user type data for IP-SLAM monitor next-hop fields. |
70394 | Asset summary now shows count for service VNFs. |
70441 | Suppress unwanted logs while fetching get-vnms-ha details from the standby Director node. |
70459 | Fix incorrect security package information on the Monitor screen. |
70490 | Netbox IPAM service stays down because the docker image is deleted during an upgrade. This issue has been fixed. |
70539 | Fix for issues with device deploy and create appliance. |
70596 | Fix for issues with SD-WAN traffic graph. |
70647 | Fix display of overlay address schema popup if Controller node already exists in the system. |
70656 | Fix for template failing to add WiFi interfaces that were added when the security mode was None. |
70659 | Service template references are now removed from the device workflow when the service template is deleted. |
70694 | Fix for Director upgrade failure because of a postgres backup issue. |
70752 | Subtenant users can apply the service template through the diff window. This issue has been fixed. |
70799 | Upgrade changes the custom SLAM path policy applied to WAN interfaces to the default SLAM path policy. This issue has been fixed. |
70817 | PPPoE interface is not adding a non-zero VLAN ID to the base interface. This issue has been fixed. |
70818 | Appliance final-config-complete alarm is published after upgrade and configuration push complete. |
70910 | Match should not be a mandatory field when you select Objects > Address > + Create a New Rule -> Type (Dynamic Address). This issue has been fixed. |
70932 | Restrict TSA users so they cannot view other tenant appliances on IP SLA next-hop UI page. |
70950 | After you click the Commit to Device button on the commit template screen, the screen did not navigate to the next page. This issue has been fixed. |
70991 | Some fields are disabled on default 0 subinterface screen for LTE interface. This issue has been fixed. |
71006 | Add RBAC protection to the vnms/cloud/systems/getAllApplianceNames API call. |
71019 | Template commit is not associating all organizations with the device for service templates. This issue has been fixed. |
71021 | Fix for edit icon display issue on Director high availability screen. |
71051 | Locked Users page now shows all the locked users. |
71083 | Fix for pushing default values for system parameters along with user changes in the form. |
71117 | Fix for GZTP Director task stuck issue. |
71123 | Allow user to set the bandwidth on cross-port interfaces in the template workflow. |
71160 | Edit button is now available to configure and modify appliance HA parameters on the Director node. |
71162 | Index out-of-range error occurs when running the ip-address-config-validation.py pre-upgrade script when the local IPsec interface is missing. This issue has been fixed. |
71173 | Recent events count on the Monitor dashboard and details tab now match. |
71288 | Fix for issue with creation of application group under Objects > Custom Objects. |
71336 | Vulnerability fix: HTTP public key pinning (HPKP) header cannot be recognized. |
71337 | Vulnerability fix: HTTP strict transport security (HSTS) header cannot be recognized. |
71386 | Fix IP address and mask parameterized validation in service templates. |
71406 | Appliance goes into configuration out-of-sync state because of "" on the Configuration > SNMP > System > Contact screen. This issue has been fixed. |
71471 | Fix for duplicate key value that violated the unique constraint appliance_hardware_pkey error when onboarding a VOS device. |
71477 | TSA users can now take configuration snapshots of the common template. |
71499 | Enforcing static route for policy-based IPsec has been. |
71522 | Fix for TenantSuperAdmin failing to delete VOS device. |
71530 | Fix special cases in Versa Analytics cluster installation script. |
71538 | You can now edit Operator and Administrator users under Director User Management > Provider Users. |
71613 | HA postgres status on the primary Director node now shows secondary (slave) Director information. |
71628 | The dot1x config page becomes stuck when navigated to other tabs. This issue has been fixed. |
71638 | Fix spoke group bulk deletion issue. |
71654 | OpenID SSO logout now redirects to Logout Success Redirect URL if it is configured. |
71686 | Fix for scheduling template issues when VOS device not reachable and job has been triggered. |
71757 | Add support for the special characters {, }, and # in the SNMP manager in Workflow template. |
71785 | Fix for backup Director node not being able to take over as primary when port 5432 is not available. |
71789 | Allow hardware inventory search based on hardware serial number and site ID. |
71803 | Incorrect services list, which includes services not enabled for an organization, is displayed under the configuration services tab. This issue has been fixed. |
71814 | NETBOX-IPAM and SPRING-BOOT start issues, probably because of a race condition between the two processes, have been fixed. |
71863 | Handle automerge gracefully when preserve appliance changes is disabled. |
71865 | Creating new OAuth authorization client now shows the client secret and client ID in the UI. |
71903 | Fix for Director node loading page even after logging out of Director node. |
71917 | Fix Director login issue for Bionic images. |
72046 | Fix for custom role tenant user not being able to log in to the Analytics node from the Director node. |
72068 | Support deploying redundant Workflow template when the same WAN networks are configured. |
72070 | Fix incorrect order of BGP policy terms after workflow template is redeployed. |
72121 | Director upgrade fails with HA Pair Validation error. This issue has been fixed. |
72122 | Interval now displayed as mandatory field on the Edit SPack Configuration window. |
72182 | Parameterization of source and destination addresses in VPN policy now works. |
72183 | Fix for creation of shared service and service template configuration objects. |
72335 | Fix for display devices issue on the Template Commit screen. |
72337 | Obsolete UI call for package information has been removed. |
72358 | Trusty backup restored on Bionic setup failed. This issue has been fixed. |
72388 | Huge NCS connections are not closed and are seen as Open in the customer setup. This issue has been fixed. |
72406 | SNMPv3 walk fails with an authorization error. This issue has been fixed. |
72413 | Add validation in the organization workflow to not allow suborganizations with the same name as the parent organization. |
72507 | Fix for incorrect total appliance count. |
72619 | LEF profile referred to in the DHCP configuration is not present. This issue has been fixed. |
72637 | Update APIs to upload and delete tenant-specific CA and CA chain certificates. |
72829 | Appliance system informational Kafka message now includes appliance ping and sync state. |
72909 | Appliance upgrade failed from Director node because of an OS check. This issue has been fixed. |
72963 | Performance improvement for appliance dashboard APIs. |
73026 | TDF screen is spinning when trying to access the GUI for a uCPE. This issue has been fixed. |
73063 | Director upgrade failed because of database backup and restore issues. This issue has been fixed. |
73076 | Performance improvements for AMQP and KAFKA object change notifications. |
73077 | Committing configuration to a template or device generates object change notifications only for the top-level path and does not send notifications for each changed path. |
73104 | Avoid running validation scripts on standby Director nodes. |
73108 | Error while adding community options for a spoke group is fixed. |
73122 | Fix for Analytics cluster installer issues. |
73183 | Fix for incorrect date and time in the All Traffic Live data graph. |
73186 | OAuth refresh token API now returns the proper roles in the response. |
73423 | Director node is not initiating a connection to the Analytics node because of too many connections in CLOSE_WAIT state to the Analytics IP:Port. This issue has been fixed. |
73501 | Director GUI unreachable because of cookie issue with atmosphere. This issue has been fixed. |
73537 | When you click the refresh button on the Services > Sessions screen, it displays "No data to display". This issue has been fixed. |
73546 | Adding a new tenant in the existing post-staging template through workflows API returns error. This issue has been fixed. |
73813 | Appliance upgrade from Director node fails during ZTP. This issue has been fixed. |
73854 | Save device workflow continues to spin when you try to save without the value for some variables. This issue has been fixed. |
73856 | Bulk import of devices from a CSV file fails because of a concurrency issue. This issue has been fixed. |
73899 | After you run the appliance status brief API call, appliances disappear from the appliances listing page. This issue has been fixed. |
73974 | Authentication type and Auth-Context-Required fields can be configured in the SSO SAML connector page. |
74213 | SSO login fails after running the import-key-cert.sh script because the SSO certificates are moved to the backup folder after running this script. This issue has been fixed. |
74578 | Service template bind data variables are not populated when the device workflow is redeployed from the Basic tab. This issue has been fixed. |
74614 | Fix for Get Director services status API issue. |
74629 | Director UI not reachable because of java heap space out-of-memory issue. This issue has been fixed. |
74838 | Fix for issue with checking Service Template bind data. |
75052 | Update ha_pair_validation script to check whether appliance is present in the inventory table. |
75069 | Template commit error message on Director node is now sent to Concerto over Kafka. |
75100 | UI intermittently does not load and shows a blank screen on multiple tabs, displaying the error "Failed to load data from server". This issue has been fixed. |
75117 | Director upgrade fails at ip-sla-monitor under redistribution policy configuration. This issue has been fixed. |
75133 | Uploading the certificate for secure LDAP from the GUI now works. |
75236 | WAL files do not clean up automatically, causing high disk usage. This issue has been fixed. |
75273 | Device bind data in the workflows throws a remote server exception when saving or deploying the device. This issue has been fixed. |
75389 | Issue with setting isStatingController flag has been fixed. |
75471 | Director node does not copy the uCPE custom data file if only the custom data file option is configured in the service chain template. This issue has been fixed. |
75527 | Monitor Tab > Associate Templates shows duplicates even though the device group has unique templates. This issue has been fixed. |
75544 | Director upgrade failed when executing the WorkflowsUpgrade script. This issue has been fixed. |
75547 | Kafka and AMQP messages now contain the Director identifier, which you can configure for Kafka and AMQP connectors. |
75880 | Fix for deploying template failure because of a nested SQL exception. |
75925 | Vulnerability fix: HTTP strict transport security (HSTS) policy not enabled (Port 443). |
75951 | Migration scripts now start after spring boot is fully up. |
75963 | SQL error occurs when creating a spoke template. This issue has been fixed. |
76122 | Fix for failures when simultaneously deploying multiple organizations. |
76316 | Director upgrade fails because Spring Boot does not reach the running state. This issue has been fixed. |
76427 | Versa Director vulnerability issue fixed for CVE-2021-44228, which is related to Apache Log4j2. |
76487 | Site-to-site local interface for HA cannot have quotes when using Active-Active workflow template. This issue has been fixed. |
76613 | Add available-routing-instances under the organization in the service chain template generated through Workflows. |
76667 | Fix template commit issue by incorporating bind data validation for route prefix. |
76710 | Template commit window fetches only the first 1000 templates. This issue has been fixed. |
77103 | Onboard tenant to gateway is failing with INTERNAL_SQL_ERROR. This issue has been fixed. |
77119 | fetch=count in the NCS APIs returns the count. |
77120 | Patterns with characters after the $ are now accepted on the template configuration UI screens. |
77233 | Appliances might disappear if the owner organization is missing for some appliances. This issue has been fixed. |
77246 | Fix commit template task failure issue because of Concurrent lock. |
77249 | Spoke group validation is now optional for the provider organization in the Workflow template for multitenant scenarios. |
77285 | Director services status vsh status command output issue has been fixed. |
77324 | View profile under classified profile is not working for Edit DoS Rule > Enforce > DDoS profile. This issue has been fixed. |
77353 | System organization is no longer displayed on the Add Notification Rules screen when you log in as the TenantSuperAdmin user. |
77379 | Search works now on the card view of the Appliances screen. |
77616 | Fix for Boolean word truncation issue on Add DHCP Option Profiles screen. |
77647 | Adding duplicate Controller nodes is no longer allowed under Controllers in the Workflow template. |
77771 | Opening the S-WAN System Site Configuration screen now works. |
77896 | Fix for customer snapshot upgrade failure. |
77897 | Issue with the Director patch script and validation script has been fixed. |
78172 | When you delete a device workflow, the remote PSK authentication client entry is now deleted from the Controller node. |
78218 | Fix OutOfMemoryError issue that occurred because of metaspace. |
78240 | The site-to-site tunnel in the workflow was throwing an error when you parameterized a WAN or LAN interface. |
78340 | Commit template fails because of an issue with setting skip-apply. This issue has been fixed. |
78434 | WAN link monitor configuration for redundant WAN links over a cross-connect link was not updated as expected for HA devices. This issue has been fixed. |
78662 | Fix tooltip text display issue in Director UI. |
78681 | Fix for the slowness issue in the diff view page when it is opened from the Template commit page. |
78683 | Provide scroll in Associated templates page, which is launched from the template commit page. |
78686 | Deleting a dynamic VOS service template throws the exception "Public cloud instance should have minimum 3 interfaces". This issue has been fixed. |
78801 | Associating Organization throws an exception when onboarding a workflow device in a public cloud deployment. This issue has been fixed. |
80030 | Push-keys-To-Device shell script now escapes special characters in the password. |
80085 | Director UI inaccessible because of a kernel out-of-memory issue. This issue has been fixed. |
80168 | Allow static IP address configuration on LTE interfaces. |
80172 | NCS transaction leak issue has been fixed. |
80278 | Director UI > Device > Monitor > Services and Tools screens are now working. |
80279 | Fix an issue with the appliances list page in Administration tab. |
80326 | Fix issue with template configuration SD-WAN system site configuration edit screen. |
80328 | TenantSuperAdmin user can now see the saved organizations on the Workflows > Infrastructure > Organization screen. |
80420 | The Workflows, Templates, Tunnels, and Site-to-Site Tunnel screens go blank when you select a few initial options. This issue has been fixed. |
80441 | When you click the Edit icon, the wheel spins in an infinite loop on the OS SPack > Appliance screen. This issue has been fixed. |
80448 | Upgrade Apache Tomcat to 9.0.60 to fix multiple vulnerabilities. |
80543 | Remote server exception seen when you click any tab on the secure access screen. This issue has been fixed. |
80581 | Organization list displayed on Objects > TCP Profile screen should be associated with the template. This issue has been fixed. |
80618 | For some screens, the selected column filter is not shown. This issue has been fixed. |
Limitations
The following are limitations in Release 21.1.
Limitations in Release 21.1.1
- When you attach a service template to a device in a device workflow but do not attach it to the device group, the device is not displayed after you commit the service template.
- The Director UI may not open in Safari and MacOS 10.15, because the previous self-signed certificates are not compatible with the new security requirements of the Apple Safari browser. To regenerate a self-signed certificate, issue the following commands:
sudo su - versa
cd /opt/versa/vnms/scripts/
./vnms-certgen.sh --san example.com --san test.example.com --overwrite --storepass "<password>"
To regenerate CA-signed certificates:
- Regenerate the CA-signed certificates to honor the new security requirements:
sudo su - versa
cd /var/versa/vnms/data/certs/
keytool -import -alias tomcatserver -file {CA_CERTIFICATE}.cer -keystore tomcat_keystore.jks -storepass <password>
- Synchronize the new certificate to all the Analytics nodes:
cd /opt/versa/vnms/scripts
./vnms-cert-sync.sh --sync
- In Release 21.1.1, the Director web server (Apache Tomcat) has been upgraded to support HTTP/2. If you do not enable proxies with HTTP 2.0 and TLS 1.2, browsers automatically fall back to using the HTTP 1.1 protocol. In the newer version of Tomcat, HTTP 1.1–based REST API calls with very large payloads fail intermittently because not all the payload is provided to the backend server. This issue is observed with configuration differences windows in template workflow and template commit to appliances. For more information, see Enable HTTP 2.0 on Proxies, below.
- DNS proxy configuration in templates: When a DNS proxy configuration is present in a template, applyTemplate to Release 16.1R2-based devices fails, because the DNS proxy configuration is also pushed to the Release 16.1R2 device, where it is not applicable. As a workaround, you can delete this configuration in the template before you push it to Release 16.1R2-based devices. This issue does not occur on devices running Release 21.1. (Bug ID: 57783)
- Error is displayed during template commit when a text field, for example an interface description, contains multiple quotes. (Bug IDs: 57693, 58568)
- After upgrading from Release 20.2 to Release 21.1.1, the EVPN configuration is not loaded on Controller nodes for old organizations. (Bug ID: 59355)
Limitations in Release 21.1.2
- The Director UI may not open in Safari and MacOS 10.15, because the previous self-signed certificates are not compatible with the new security requirements of the Apple Safari browser. To regenerate a self-signed certificate, issue the following commands:
sudo su - versa
cd /opt/versa/vnms/scripts/
./vnms-certgen.sh --san example.com --san test.example.com --overwrite --storepass "<password>"
To regenerate CA-signed certificates:
- Regenerate the CA-signed certificates to honor the new security requirements:
sudo su - versa
cd /var/versa/vnms/data/certs/
keytool -import -alias tomcatserver -file {CA_CERTIFICATE}.cer -keystore tomcat_keystore.jks -storepass <password>
- Synchronize the new certificate to all the Analytics nodes:
cd /opt/versa/vnms/scripts
./vnms-cert-sync.sh --sync
- If you do not enable proxies with HTTP 2.0 and TLS 1.2, as described in Enable HTTP 2.0 on Proxies, browsers automatically fall back to using the HTTP 1.1 protocol. In the newer version of Tomcat, HTTP 1.1–based REST API calls with very large payloads fail intermittently because not all the payload is provided to the backend server. This issue is observed intermittently with configuration diff windows in template workflows and template commits to appliances.
- DNS proxy configuration in templates—When a template contains a DNS proxy configuration, applying the template to devices running Release 16.1R2 fails. This happens because the DNS proxy configuration is also pushed to the Release 16.1R2 device, where it is not supported. As a workaround, delete the DNS proxy configuration from the template before pushing it to Release 16.1R2-based appliances. This issue does not occur if devices are running Release 21.1. (Bug ID: 57783)
- Versa Director throws an error during template commit when a text field, for example an interface description, contains multiple quotes. (Bug IDs: 57693, 58568)
Limitations in Release 21.1.3
- The Director UI may not open in Safari and MacOS 10.15, because the previous self-signed certificates are not compatible with the new security requirements of the Apple Safari browser. To regenerate a self-signed certificate, issue the following commands:
sudo su - versa
cd /opt/versa/vnms/scripts/
./vnms-certgen.sh --san example.com --san test.example.com --overwrite --storepass "password"
To regenerate CA-signed certificates:
- Regenerate the CA-signed certificates to honor the new security requirements:
sudo su - versa
cd /var/versa/vnms/data/certs/
keytool -import -alias tomcatserver -file {CA_CERTIFICATE}.cer -keystore tomcat_keystore.jks -storepass password
- Synchronize the new certificate to all the Analytics nodes:
cd /opt/versa/vnms/scripts
./vnms-cert-sync.sh --sync
- If you do not enable proxies with HTTP 2.0 and TLS 1.2, as described below, browsers automatically fall back to using HTTP 1.1. In the newer version of Tomcat, HTTP 1.1–based REST API calls with very large payloads fail intermittently, because not all the payload is provided to the backend server. This issue is observed intermittently with configuration diff windows in template workflows and template commits to VOS devices.
- DNS proxy configuration in templates—When a template contains a DNS proxy configuration, applying the template to devices running Release 16.1R2 fails. This happens because the DNS proxy configuration is also pushed to VOS devices running Release 16.1R2, which do not support DNS proxy. As a workaround, delete the DNS proxy configuration from the template before pushing it to VOS devices running Release 16.1R2. Note that this issue does not occur if VOS devices are running Release 21.1. (Bug ID: 57783)
Enable HTTP 2.0 on Proxies
In Release 21.1.1, the Director web server (Apache Tomcat) has been upgraded to support HTTP 2.0, also called HTTP/2 or H2. Newer versions of Chrome and Firefox browsers automatically take advantage of the HTTP/2 protocol when supported by the web servers.
If an HTTP proxy, such as a load balancer, HAProxy, or NGINX, is deployed between web clients (browsers) and a Director node, you must enable HTTP/2 with TLS 1.2 on the proxy with the following cipher set:
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
When users access the Director node through secure proxies, such as Zscaler, either the proxy's inspection of sessions to the Director node must be bypassed, or the proxy must be enabled with HTTP/2 and TLS 1.2 using the cipher set above.
After you update the configuration on the proxy to enable HTTP/2, use the browser's Dev/Inspect tools to verify that the browser is using the HTTP/2 protocol:
- On the Director login page, right click and select Inspect to display the Dev/Inspect tools. The following screenshot shows how to do this in Google Chrome:
- In the Inspect window, select the Network tab.
- Right-click the column selector and select Protocol to display the Protocol column.
- Reload the portal page and check the Protocol column for the H2 protocol (for the API calls made to the server).
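As an added example that is not part of the Versa documentation, the following NGINX server block satisfies the proxy requirements described above: HTTP/2 toward browsers, TLS 1.2 only, and exactly the four cipher suites listed (in the OpenSSL notation NGINX expects). The hostname, certificate paths, and Director address are placeholders.

```nginx
# Added example, not Versa's configuration. Reverse proxy in front of a
# Director node; director.example.com, the certificate paths and the
# Director address 10.0.0.10 are assumed placeholders.
server {
    # HTTP/2 is negotiated over TLS via ALPN, so it requires the ssl listener.
    listen 443 ssl http2;
    server_name director.example.com;

    ssl_certificate     /etc/nginx/certs/director.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/director.example.com.key;

    # TLS 1.2 only, matching the requirement above.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    # The four IANA suites from the list above, in OpenSSL naming:
    #   TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 -> ECDHE-ECDSA-AES256-GCM-SHA384
    #   TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 -> ECDHE-ECDSA-AES128-GCM-SHA256
    #   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   -> ECDHE-RSA-AES256-GCM-SHA384
    #   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   -> ECDHE-RSA-AES128-GCM-SHA256
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256;

    location / {
        # HTTP/2 applies on the browser-facing side, which is what the
        # Protocol column check above verifies; the upstream leg to the
        # Director node is plain HTTP/1.1 over TLS.
        proxy_pass https://10.0.0.10:443;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

After reloading NGINX, `curl -sS --http2 -o /dev/null -w '%{http_version}\n' https://director.example.com/` prints 2 when HTTP/2 was negotiated, the same result the browser Protocol column check above looks for.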
Request Technical Support
To request technical support, visit http://support.versa-networks.com. If you are contacting support for the first time, register and create an account. You can also send email to support@versa-networks.com or contact your Versa Networks sales account team.
Additional Information
Deployment and Initial Configuration
Upgrade Software on Headend and Branch
Use OS Security Packages
Use Security Packages
Revision History
Revision 1—Release 21.1, December 20, 2019
Revision 2—Release 21.1.1, August 21, 2020
Revision 3—Release 21.1.2, December 1, 2020
Revision 4—Release 21.1.3, June 6, 2021
Revision 5—Release 21.1.4, April 27, 2022
Versa Operating System (VOS) Release Notes for Release 21.1
These release notes describe features, enhancements, fixes, known issues, and limitations in Versa Operating System™ (VOS™) Software Release 21.1, for Releases 21.1.0 through 21.1.4. Release 21.1.1 and later are general available (GA) releases and are supported for use in production networks.
Note that in April 2020, Versa Networks renamed its FlexVNF devices to Versa Operating System™ (VOS™) devices. The documentation uses the terms VOS device and FlexVNF device interchangeably.
April 27, 2022
Revision 5
Install the VOS Software
You can install the VOS software on a standard Intel server or as a virtual machine (VM) based on ESXi or KVM. For installation instructions, see the Deployment and Initial Configuration articles.
Versa Networks provides two versions of the VOS software:
- *-wsm.bin—Install this image on physical CPE branch devices that use the Atom-based processor.
- *.bin—Install this image on all VMs and high-end CPEs and on bare-metal servers with Xeon or later classes of CPU.
Upgrade to Release 21.1
You can upgrade VOS devices to Release 21.1 from Releases 16.1R2 (16.1R2S8) and later. If you are using an earlier software release, upgrade first to the latest Release 16.1R2 service release, and then upgrade to Release 21.1.
If the premium version of the security package (SPack) is already installed on the VOS device, you must upgrade to Version 1878 or later before you upgrade the VOS device. To display the version of the installed SPack, use the show security security-package information CLI command or, in the Versa Director monitor screen, view the security package information under Next-Gen Firewall.
To upgrade to Release 21.1 from the CLI:
- Ensure the current running package is present in the /home/versa/packages/ directory.
- Save the existing version of the configuration:
admin@vnf-cli(config)% save /var/tmp/backup.cfg
- Copy the appropriate .bin package file to the /home/versa/packages/ directory on the VOS node. Ensure that the file has +x execute permission. Alternatively, use the following command, which copies the file to the /home/versa/packages directory:
admin@vnf-cli> request system package fetch uri uri
- Install the new software package:
admin@vnf-cli> request system package upgrade filename.bin
Follow the prompts, and wait until the upgrade status shows that the upgrade is complete.
- Confirm that the new software was loaded:
admin@vnf-cli> show system package-info
Downgrade the Software
To downgrade to the software image that had been installed immediately before you performed the upgrade, issue the following command:
admin@vnf-cli> request system rollback to PRE-UPGRADE-1
Install a Software License for VOS Devices
A VOS device does not require a license if it is managed by Versa Director. If the VOS device is not managed by a functioning Versa Director, the software continues to operate after the initial trial period of 45 days. However, the number of data path sessions is limited to 30 sessions.
New Features
This section describes the new VOS device features in Release 21.1.
Licenses and Entitlement
- Subscription lifecycle updates—(In Releases 21.1.1 and later.) A number of changes have been made to the subscription lifecycle, including the following. See Subscription Lifecycle.
- Licenses are valid for 1, 3, or 5 years.
- License subscriptions do not support the Created and Suspended states.
- A license is immediately activated after the device performs ZTP.
- Manual license activation is not required.
Platform
- ADSL2+/VDSL2 NIC modules—(In Releases 21.1.1 and later.) You can use ADSL2+/VDSL2 NIC modules, also called xDSL NIC modules, in Versa Cloud Services Gateway (CSG) appliances. The CSG ADSL2+/VDSL2 NIC module supports a single WAN interface that allows you to connect to VDSL2 and ADSL2+ networks. See Configure Interfaces.
- AWS transit gateway integration—(In Releases 21.1.1 and later.) Versa Director automates the process of configuring AWS transit gateway tunnels with on-premise branches. You can configure both the transit gateway and the VOS branches from Versa Director. See Configure Site-to-Site Tunnels.
- Configuration validation—(In Releases 21.1.1 and later.) The configuration validation feature provides a cross-check and misconfiguration-highlighting mechanism for deployments that include an interchassis HA pair (active-standby stateful HA). When enabled, it cross-verifies interchassis HA-relevant configuration changes on both devices of the interchassis HA pair and highlights any differences between the two that affect the runtime function of a given interchassis HA branch deployment. It also allows the configuration to be changed on the active and standby devices in any order, and prevents the services from being impacted by a misconfiguration.
- CSG300 series appliances—(In Releases 21.1.1 and later.) The Versa Cloud Services Gateway (CSG) 300 series appliances deliver highly secure site-to-site data connectivity to small businesses and to home offices. See Cloud Services Gateway 300 Series.
- Device template workflow enhancements—(In Releases 21.1.1 and later.) Adds support for the Solution Add-On Tier and License Period fields in the Create Template > Basic tab, for the Switching tab (for Layer 2 interfaces) in the Create Template window, and for the Service Bandwidth and License Period fields in the Add Device window > Basic tab. See Configure Basic Features.
- Encrypt sensitive information—(In Releases 21.1.1 and later.) Versa Director encrypts all sensitive information in configurations before pushing them to VOS devices. See Commit Template Modifications.
- Global session logging control updates—(In Releases 21.1.1 and later.) The allowable ranges have been changed, and default values added, for the Firewall Source IP Count and Destination IP Count fields and for the SD-WAN Application User Count field. See Configure Firewall and SD-WAN Usage Monitoring Controls.
- IP SLA monitoring enhancement—(In Releases 21.1.1 and later.) You can select a forwarding class to override the default forwarding class for an IP SLA monitor. See Configure IP SLA Monitor Objects.
- Layer 2 forwarding—You can configure Layer 2 forwarding, including virtual switches, bridge domains, bridge interfaces, integrated routing and bridging (IRB) interfaces, media access control (MAC) functions, and STP/RSTP. See Configure Layer 2 Forwarding.
- Layer 2 forwarding additions and enhancements—(In Releases 21.1.1 and later.) Release 21.1.1 adds support for the following Layer 2 features and enhancements. See Configure Layer 2 Forwarding.
- EVPN over SD-WAN.
- Multiple Spanning Tree Protocol (MSTP).
- VLAN translation.
- Enhanced support for MAC-related features, such as MAC aging, MAC learning, MAC move, and MAC limit.
- Different ways of determining the state of an IRB interface.
- Support for configuring paired TVI interfaces (paired-tvi) as family bridge interfaces.
- LLDP—(In Releases 21.1.1 and later.) The Link Layer Discovery Protocol (LLDP) allows network devices to discover a neighbor device’s identity and capabilities on a LAN using a set of attributes, as defined in IEEE 802.1AB. See Configure LLDP.
- Log export functionality (LEF) enhancements—You can reduce the number of firewall and SD-WAN statistics log records that CPE devices export, exporting logs only for the busiest sessions. See Configure Firewall and SD-WAN Usage Monitoring Controls.
- Match alarm subtypes in exporter rules—(In Releases 21.1.1 and later.) You can match alarm subtypes in exporter rules. See Configure VOS Device Alarms.
- Multiple tenants and multiple VRFs in a service chain template—(In Releases 21.1.1 and later.) You can configure multiple tenants and multiple VRFs in a service chain template. See Configure uCPE on a VOS Device.
- Secure option with the Versa Analytics cluster installation script—(In Releases 21.1.1 and later.) You can use the secure option when running the Versa Analytics cluster installation script. See Perform Initial Software Configuration.
- Service-chain template enhancement—(In Releases 21.1.1 and later.) You can service-chain multiple tenants and multiple VRFs. See Configure uCPE on a VOS Device.
- SFP monitoring and management—(In Releases 21.1.1 and later.) VOS devices support digital diagnostics monitoring (DDM) based monitoring and management capabilities for SFP and SFP+ interfaces. DDM provides information about the line, signal strength (optical input and output power levels), temperature, laser bias current, transceiver supply voltage, and other transceiver statistics in real time. Monitoring and management capabilities for Versa-certified SFP and SFP+ transceivers are built in. See Monitor the SFP Module.
- Signature verification for software package uploads—(In Releases 21.1.1 and later.) You can use digital signature verification to verify Versa Director and VOS software packages that are uploaded using a Director node. See Configure Signature Verification for Software Package Uploads.
- T1/E1 NIC module—(In Releases 21.1.1 and later.) CSG appliances support a T1/E1 NIC module. The T1/E1 NIC module supports four WAN ports, allowing you to connect to up to four T1 or E1 network connections. Each interface can be configured to run PPP, HDLC, or Frame Relay encapsulation. Interfaces are software configurable to run in T1 or in E1 mode with a rich set of line and framing parameters to ensure compatibility with existing networks. See Configure Interfaces.
- TPM 2.0—(In Releases 21.1.1 and later.) VOS devices support TPM 2.0 on Ubuntu 18.04 running on CSG and certified whitebox platforms. TPM 2.0 is enabled by default.
- WAN propagation—(In Releases 21.1.1 and later.) You can automatically copy the WAN networks of a parent organization and propagate them to the suborganizations under the parent. See Configure Transport Domains and WAN Networks.
- Zscaler site-to-site tunnels—(In Releases 21.1.1 and later.) You can create secure IPsec and GRE tunnels between a VOS CPE device and a device hosted by Zscaler to optimize the connectivity between the VOS device and cloud peer devices. See Configure Site-to-Site Tunnels.
SD-WAN
- DIA and DCA (SaaS) traffic optimization—VOS devices support ICMP monitor probes to track next hops for a given SaaS application, and they now also support TCP and HTTP monitor probes. TCP and HTTP monitor probes are often more reliable probes for determining the optimal path for internet traffic. See Configure SaaS Application Monitoring.
- NetBox IP address management (IPAM) service—(In Releases 21.1.1 and later.) Versa Director uses the NetBox IP address management (IPAM) service to allocate the IP addresses from the configured overlay prefixes. See Configure the Overlay Addressing Scheme.
- SaaS application detection using endpoints—For SD-WAN edge devices, detecting applications starting with the first packet is critical for optimum path selection. If an application is not known with the first packet and a non-optimal path is selected for the TCP session, the session's performance will be degraded. In earlier software releases, the VOS software used an application cache to cache the application detected for a session associated with a specific IP address and port. However, the application cache cannot assist the first session to a given destination. Because SaaS vendors are now using many IP addresses to serve applications, this limitation has become an issue. The first-packet identification feature addresses this limitation. It allows the SaaS application to be identified starting with the first packet of a session. First-packet identification is also used to identify applications that are making DNS requests, which means that DNS requests can use the same WAN path selection as data sessions.
The first-packet identification feature performs WAN path selection for specific applications, both for the DNS sessions and the data sessions, and it allows users to configure firewall rules to create allow lists of SaaS applications using the published IP prefixes and domain names.
Several SaaS providers publish the IP prefixes and domain name patterns for their service endpoints, and these lists are available to VOS devices so that they can identify applications on the first packet. The latest application endpoint information is updated in Versa Security Package (SPack) updates. VOS devices map the IP prefixes and domain names to the predefined applications for the SaaS application. For example, Microsoft Office 365 endpoints are mapped to the application OFFICE365. The applications are the same predefined applications that you use to configure policies (for example, Office 365 and Zoom), so you do not need to modify the policy configuration. The following are examples of endpoint information published by SaaS providers:
• Microsoft Office 365—https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges
• Zoom—https://support.zoom.us/hc/en-us/articles/201362683-Network-Firewall-or-Proxy-Server-Settings-for-Zoom
SaaS application detection using endpoints includes the following features:
- Identify applications for DNS requests and data sessions—For DNS sessions, the database of published domain names is used to identify the application from the queried domain name, and the published IP prefixes are used to identify the application for data sessions. Note that the applications that are identified are the same predefined applications that you use when configuring policies. For example, the Microsoft-published Office 365 endpoints include outlook.office.com, outlook.office365.com, and 13.107.6.152/31, 13.107.18.10/31, and 13.107.128.0/22 (and more) with TCP ports 80 and 443. Using this information, a DNS request for outlook.office365.com and a TCP session destined to 13.107.128.1 are both mapped to the application OFFICE365.
- WAN path selection—To select a WAN path for applications, you need to configure SD-WAN policy rules. Because both the DNS requests and the data sessions are mapped to the same applications (on the first packet of session) using the published endpoint information, they both receive the same path selection treatment. To use path selection for DNS requests, you must enable DNS proxy on the VOS device.
- Allow lists for applications using endpoint information—You can create allow lists (sometimes called whitelists) for the SaaS applications using the predefined applications. Identifying applications on the first packet of the session helps to finalize the firewall policy to use for the session without waiting for the application to be detected by deep-packet inspection. For an application whose identification is to be finalized (for the purpose of firewall policy) based on the published-endpoint match, the application-specific app-final-with-endpoint option must be set to TRUE.
- SaaS endpoint definitions in SPacks—(In Releases 21.1.1 and later.) VOS devices dynamically query and download the FQDNs and IP addresses advertised by SaaS providers. These FQDNs and IP addresses are installed as part of security packages (SPacks), and they are updated dynamically. See Use Security Packages.
- SD-WAN traffic-steering forwarding profile enhancements—(In Releases 21.1.1 and later.) SD-WAN forwarding profiles are enhanced to support circuit tag–based path priorities and path list–based path priorities (path-name-list, path-type-list, path-media-list and path-tags-list), last-resort priority, and unmatched-priority.
- Circuit tags—You can label each SD-WAN interface with up to four circuit tags, which are user-defined free-form strings. You can use circuit tags, just as you do circuit names and circuit media, as match conditions in forwarding profiles in order to define path priorities.
- Path list–based path priorities—You can define priorities using an exact match for local and remote circuits, which removes the ambiguity in grammar around when to use AND versus OR in match conditions. The new path list–based priorities and the existing circuit priorities model are mutually exclusive at a specific priority level. That is, if you select path list–based priorities, the current circuit priorities model is not allowed, and vice versa. However, you can select both types of priority levels at different priority levels.
- Last-resort priority—Paths that you configure with this priority are used when all other paths go down, thus allowing you not to use LTE paths when other paths are available.
- Unmatched priority—You can define the priority of the paths that are not configured explicitly. For example, if the unmatched priority is set to priority 2, any path that is not configured in the forwarding profile is considered as priority 2.
See Configure SD-WAN Traffic Steering.
- TCP optimizations—TCP optimizations mitigate the effects of high latency and packet loss on the performance of TCP-based applications. In Releases 21.1.1 and later, the maximum send and receive buffer sizes are increased from 8M to 16M, and you can configure forward proxy and reverse proxy TCP optimization modes. See Configure TCP Optimizations.
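The endpoint-based first-packet identification and allow-list behaviour described under "SaaS application detection using endpoints" above, as an added example that is not Versa's code: it uses the Office 365 endpoints quoted on the page plus a constructed ZOOM entry, and assumes a simplified exact/wildcard domain match and a longest-prefix IP match in place of the SPack-driven lookup a VOS device performs.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    """One SaaS application's published endpoint set (simplified)."""
    app: str
    domains: tuple       # exact names, or "*.suffix" wildcard patterns
    prefixes: tuple      # CIDR prefixes as strings
    tcp_ports: frozenset


# Constructed endpoint table.  The OFFICE365 entries are the ones quoted on the
# page; the ZOOM entry uses placeholder values and is NOT Zoom's published list.
ENDPOINTS = (
    Endpoint(
        app="OFFICE365",
        domains=("outlook.office.com", "outlook.office365.com"),
        prefixes=("13.107.6.152/31", "13.107.18.10/31", "13.107.128.0/22"),
        tcp_ports=frozenset({80, 443}),
    ),
    Endpoint(
        app="ZOOM",
        domains=("*.zoom.us",),
        prefixes=("203.0.113.0/24",),        # TEST-NET-3, placeholder only
        tcp_ports=frozenset({443, 8801}),
    ),
)


def _domain_matches(pattern: str, qname: str) -> bool:
    """Exact match, or wildcard '*.suffix' matching any name below the suffix."""
    name = qname.rstrip(".").lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                 # "*.zoom.us" -> ".zoom.us"
        return name.endswith(suffix)         # requires at least one extra label
    return name == pattern.lower()


def classify_dns(qname: str):
    """Identify the application for a DNS request from the queried name.

    Returns the predefined application name (e.g. "OFFICE365") or None when
    the name is not in any published endpoint list.
    """
    for ep in ENDPOINTS:
        if any(_domain_matches(p, qname) for p in ep.domains):
            return ep.app
    return None


def classify_first_packet(dst_ip: str, dst_port: int, proto: str = "tcp"):
    """Identify the application for a data session from its first packet.

    Only the destination IP/port are available on the first packet, so the
    decision is made on the published prefixes; the most specific (longest)
    prefix wins when lists overlap.
    """
    if proto != "tcp":
        return None
    addr = ipaddress.ip_address(dst_ip)
    best = None  # (prefix length, app)
    for ep in ENDPOINTS:
        if dst_port not in ep.tcp_ports:
            continue
        for cidr in ep.prefixes:
            net = ipaddress.ip_network(cidr, strict=False)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, ep.app)
    return best[1] if best else None


def firewall_verdict(app, allow_list, app_final_with_endpoint):
    """Decide on the first packet whether the allow-list verdict can be finalized.

    app_final_with_endpoint maps application name -> bool, mirroring the
    per-application option described above.  When the option is not set, the
    verdict is deferred until deep-packet inspection confirms the application.
    """
    if app is None or not app_final_with_endpoint.get(app, False):
        return "defer"
    return "allow" if app in allow_list else "deny"
```

Because the DNS query and the data session both resolve to the same application name, an SD-WAN policy rule keyed on OFFICE365 gives both the same path selection.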
Security
- Caching of the URL filtering history—(In Releases 21.1.1 and later.) You can configure the caching of the URL filtering history. See Configure URL Filtering.
- FIPS 140-2 Level 1 compliance—(In Releases 21.1.1 and later.) You can run VOS devices in FIPS mode in VOS images that are FIPS 140-2 Level 1 compliant. FIPS 140-2 Level 1 compliance covers production-grade and externally tested encryption algorithms. See FIPS Compliance.
- Microsoft NDES and SCEP network access control—A VOS device can use certificate-based network device authentication and certificate management through Microsoft Network Device Enrollment Service (NDES), which is based on the Simple Certificate Enrollment Protocol (SCEP). See Configure Certificate Servers.
- Remote access server (RAS) support—A VOS device can act as a remote server, allowing remote users to connect to the VOS device by establishing a VPN connection. See Configure the Versa Secure Access Service.
- TLS/SSL for remote collectors—Transport Layer Security (TLS) has been added to the existing connection mechanisms (TCP and UDP) to enable you to stream logs securely. See Configure Log Collectors and Log Exporter Rules.
- URL filtering enhancement—(In Releases 21.1.1 and later.) You can enable or disable the caching of the URL filtering history. See Configure URL Filtering.
- Versa Secure Access Service—(In Releases 21.1.1 and later.) Versa Secure Access consists of the Versa Secure Access Client for Windows 10 and macOS, which is installed on end devices, and Versa Secure Access Server functionality developed on Versa OS. See Configure the Versa Secure Access Service.
Fixed Bugs
The following tables list the critical and major defects that were fixed in Release 21.1.
Fixed Bugs in Release 21.1
Bug ID | Summary |
---|---|
43383 | Enhanced the SIP ALG to bypass ALG processing if no CGNAT, stateful firewall, or NGFW is configured in the service chain. |
44188 | SSHD logs in syslog triggered by Director reachability checks are now suppressed. |
45073 | The SD-WAN SLA last flapped time value that was displayed was incorrect. |
45305 | Added the ability to select the download of the sample or premium SPack from the VOS device. |
42979 | Attempting to change the RIPv2 interval crashed the routing process in Release 20.2.0 FRS. |
43608 | Changing the OSPF MD5 authentication key from plain text to an MD5-based hash was not persistent. |
43869 | The Versa services process crashed when you enabled the packet capture option in the LEF profile. |
45098 | The sdwan-datapath-sla-not-met alarm was not sent to the SNMP server, but it was sent to all other configured destinations. |
44827 | A VOS CPE was unable to fetch a certificate using CMP from a PKI server. |
44138 | When an IPsec peer is configured as a fully qualified domain name (FQDN) instead of an IP address, IPsec flapped continuously during the initial bringup. |
43706 | SD-WAN traffic coming over PPPoE links was processed by a single CPU core. Traffic is now processed by all available cores. |
44793 | ARP responses for VRRP virtual IP addresses were not consistently responding with a virtual MAC address. |
45334 | Geolocation-based match was added in QoS policy rules. |
46707 | The FEC module crashed while processing out-of-range packets, specifically when more than 300,000 packets were sent by two different branches (in active-active configuration) and the link between the two branches was flapping. |
Fixed Bugs in Release 21.1.1
Bug ID | Summary |
---|---|
40206 | The DNS server was listening for and serving requests on the WAN interfaces. This issue has been fixed. |
44055 | Changing an existing BGP prefix-list address object's IP address using just the greater-than mask value without changing the less-than mask value would fail to commit the configuration. This issue has been fixed. |
47161 | The request security security-package download check-for-updates CLI command has been fixed to indicate the appropriate message in case of any error. |
49983 | The VOS software processed transit DHCP ACK packets going from a DHCP server to a client as if they were destined locally and incorrectly dropped them. Also, transit DHCP acknowledgments for unicast DHCP Inform sent from the server to the client via a relay were intercepted incorrectly and dropped when traversing a VOS device. This issue has been fixed. |
53374 | Flapping of a WAN link caused a memory leak in the account manage module; memory is now freed when an SD-WAN path object is deleted. This issue has been fixed. |
54067 | For a session for which the application is not known on the first packet, if the packet hits an SD-WAN policy deny rule, the session makes progress until the application is identified. At that point, upon policy reevaluation, if the session still matches the deny rule, it is denied. This is a change in behavior: previously, a packet matching an SD-WAN policy rule that contains application as a match condition, when the application cache did not match the current destination IP address and port, caused the session to be denied. |
54565 | When twice-basic-nat-44, twice-dynamic-nat-44, or twice-napt-44 is configured with active FTP traffic, the application of the FTP data session was identified as unknown_tcp instead of ftp_data, and the file transferred in this data session was not inspected by the antivirus module. This issue has been fixed. |
55130 | A VOS vmod process restart was observed on the CPE when a user tried to fetch IP SLA data from the Versa Director UI under Monitor > Dashboard and no IP SLA monitor was configured on the CPE device. This issue has been fixed. |
55792 | The CoS shaping rate on a logical interface was not updated when the autonegotiated rate of the underlying physical interface changed from 10M to 1G. Because the VOS software caps the logical interface at the autonegotiated rate, the logical interface remained at a shaping rate of 10M. This update allows for the proper propagation of the link speed to all logical interfaces. |
55993 | An ARP request from the VRRP active node may be sent with the interface MAC address instead of the virtual MAC address. This issue has been fixed. |
56501 | The Versa services process may crash because it cannot handle a transit packet with three or more VLAN tags. This issue has been fixed. |
56721 | Added channel width to the output of the show wlan AP-status command. |
56970 | During the upgrade process, the older package may not be removed. This issue has been fixed. |
57146 | A VOS DHCP server configured with more than one next-server IP address may fail to activate the entire DHCP configuration. The same may also happen when the next-server address is an FQDN name instead of an IP address. For example, the following configuration causes the DHCP server to not get activated: set orgs org-services Pepsi dhcp dhcp4-options-profiles DHCP_OP_TOIP next-server 10.158.142.180,10.1.20.115,10.158.142.179 The workaround is to configure a single IP address as the next-server IP address. This issue has been fixed. |
57442 | Issuing the show org session extensive command crashes and causes a service restart if the session to be displayed has qos-policies or app-qos-policies applied *and* there have been 5 or more configuration changes to qos-policy or app-qos-policy rules since the session was created. This issue has been fixed. |
57500 | The Versa services process may crash when an entire organization is deleted. This issue has been fixed. |
57655 | versa-vmod may restart when trying to clear a specific session via the Director API. This issue has been fixed. |
57787 | The versa-vmod process may restart after repeated SNMP polling of the CGNAT MIB or after the show cgnat pool statistics command is issued when CGNAT pools are defined but not referenced in any CGNAT rule configuration. As a workaround, delete any CGNAT pools that are not used or skip SNMP polling of CGNAT. This issue has been fixed. |
Fixed Bugs in Release 21.1.2
Bug ID | Description |
---|---|
45535 | When you select a remote branch, the TCP optimization policy statistics do not reflect the actual statistics. This issue has been fixed. |
47904 | For some network ports that use the Intel i40e driver, receipt of LLDP/DCBX packets causes i40e initialization failure. Added the LLDP persistence flag to keep the firmware LLDP agent in the Disabled state after it is set. |
48598 | Added the ability to attach one IP SLA monitor group to multiple VR redistribution policies. |
51394, 51411 | Fixed a process restart in the Versa-VMOD configuration handling process when you commit multiple captive portal profiles with CA certificates. |
53372 | Routing SNMP traps now include the tenant/organization name in them. |
54538 | The show pim neighbor CLI command displays the incorrect PIM mode. This issue has been fixed. |
54723 | Extended the show route command to include multicast RPF information: show route multicast-rpf {{ipv4_addr | ipv4_prefix} | routing-instance name {ipv4_addr | ipv4_prefix}} |
56568 | When a site-to-site IPsec tunnel goes down, the tunnel down alarm is not generated consistently. This issue has been fixed. |
56623 | When you delete a tenant, a service restart might occur. This issue has been fixed. |
58471 | For an Aggregated Ethernet (AE) interface whose member interfaces are operationally and administratively down, they remain down even after being made operationally and administratively up. This issue has been fixed. |
58497 | For VEP-4600-xxx and CSG1500 devices, the VOS device was unable to report data about SFP optical modules connected to X722 MAC Ethernet controller ports, because reading the module EEPROM memory was not supported. The fix requires that you upgrade the NIC firmware to the specific NVM firmware release version, to allow the SFP data to be read. |
58602 | Added custom-header option to the wget CLI command to be able to pass authentication information and other options. |
58975 | The passwd binary on the base OS sometimes had incorrect permissions, thus preventing users from changing their passwords. This issue has been fixed. |
58976 | The DHCP lease database cleanup might not happen periodically, causing the DHCP lease file to grow to a large size. This issue has been fixed. |
59026 | When an interface is marked up momentarily by a monitor before bringing it down, the SLA is marked as Up and the SLA state machine is not executed before the interface is again marked as down. The result is that the ptvi interface remains in the proto Up state. |
59035 | Special characters such as $ in the RADIUS secret key for the WiFi access point configuration might not work. You can now include special characters in the password. |
59164 | A very long-lived TCP session might create a condition where the TCP stream module in the Versa service process may create a very large reassembly queue, leading to a delay in the packet processing times. If the affected worker is Worker 0, the SLA and the control plane would also go down. The workaround is to disable the stream module for the affected flow. This issue has been fixed. |
59206 | When you configure the all alarm, the CPU alarm thresholds might be reset to 0 for both high and low. This issue has been fixed. |
59357 | A service restart was seen on a Controller node because of a non-standard configuration on the branch devices. This issue has been fixed. |
59377 | Issuing the show bgp neighbor org might cause the routing process to restart, but other services are not affected. This issue has been fixed. |
59410 | Multiple policy configuration changes (more than four) might cause an old session that was created before the changes to access an invalid memory location and cause service restart. This issue has been fixed. |
59416 | Have the system load statistics computation consistent with the htop command, by not taking I/O wait times into consideration. |
59651 | When the same monitor object is attached to multiple static routes, any change in the configuration of a single static route might affect other routes. For example, deletion of a static route would install other static routes even if the monitor state was down. This issue has been fixed. |
59801 | The show system load-stats command output has been modified to not include the io-wait time in the calculations, to reflect the numbers shown by top or htop command. |
59950 | Quick Assist Technology (QAT) decrypt session contexts were not getting cleaned up when IPsec tunnels flapped, causing session contexts to leak. Eventually all session contexts are used up, and SD-WAN/IPsec traffic is blackholed. This issue was present only in Releases 20.2.x and 21.1.x. This issue has been fixed. |
60128 | Stopping the tcpdump command would sometimes cause BFD to flap if it was configured with a very low timeout value. This issue has been fixed. |
60178 | Sometimes, SLA from a spoke site to a Hub-Controller-Node (HCN) might not come up if the HCN WAN interface is behind a static NAT. A spoke branch detects the remote branch personality based on the site ID range and then tries to send SLA packets via the private or public IP address. For an HCN, whose site type is hub-controller, there is a need to add additional logic to detect the remote branch based on site type and not the site ID so that the SLA packets are always sent only on the public IP address. This issue has been fixed. |
60510 | Buffer management issue caused an EBGP multipath route in a VRF to not get announced in a Layer 3 VPN if one of the next-hop interfaces in LAN VRF is shut down. This issue has been fixed. |
60594 | For TCP optimization, upon receiving TCP options containing padding bytes after the EOL option in a TCP SYN packet, the VOS peer closest to the client ignored these padding bytes, which were added for byte alignment, resulting in a TCP SYN packet whose TCP options were not properly byte aligned. Because of this, the TCP options in the SYN packet were not processed by the VOS peer closest to the server. As a result, the connection was not TCP optimized and stalled. This issue has been fixed. |
60595 | TCP optimization is not functional when security features are turned on, which also causes a TCP session to be proxied, such as IPS. |
60672 | Mod16 group support in IKE was defective and not supported. This issue has been fixed. |
61257 | PIM neighbor down alarm was not getting generated. This issue has been fixed. |
61267 | DSCP rewrite was not working for reverse traffic when traffic is originated from WAN to LAN. This issue has been fixed. |
61282 | URL-based ZTP was not working on VOS device running Release 21.1.1 version because of an expired CA certificate. This issue has been fixed. |
61526 | Default route received through Layer 3 VPN was not getting installed in the forwarding plane if there was more than one Layer 3 VPN route received with different route distinguishers with same next hop address. (This happens if an SD-WAN hub originates the default route from an import VRF as well as export VRF.). This issue has been fixed. |
61584 | The Versa services process might crash because of missing sanity checks on the ICMP port unreachable error packet. This issue has been fixed. |
61737 | Fixed an issue with enabling the uCPE hypervisor that occurred only when the hypervisor was enabled on Release 21.1.1 after an upgrade from Release 16.1R2S8 following an OS SPack update. |
61828 | The Versa services process might crash in the IKE ALG module in a rare timing condition when ESP packets land in a different thread than the IKE control packets, before the IKE-ALG object is created. This issue has been fixed. |
61851 | Fixed a package dependency issue in OS Spack installation by allowing it to overwrite ESM package with higher version binaries. This issue has been fixed. |
61873 | Versa services process might crash while processing SIP traffic when a packet contains incomplete Replaces header. This issue has been fixed. |
61950 | Versa Service process might crash while processing GRE traffic over IPsec tunnel. This issue has been fixed. |
61957 | When OSPF and VRRP are both configured on the same interface, the backup router might redistribute routes without setting the configured metric when using direct protocol redistribution. This issue has been fixed. |
61998 | Versa service process might crash when receiving IPv6 multicast listener discovery (MLD) packets. This issue has been fixed. |
62002 | Versa service process might crash while processing SIP traffic when the received SIP packet has more than four bandwidth parameters. This issue has been fixed. |
62075 | The TCP splicer might drop some ICMP unreachable messages of type MTU exceeded, fragmentation needed when the DF bit is set. This issue has been fixed. |
62126 | SSH key authorization might fail because of incorrect handling of ssh-public-key configuration. This issue has been fixed. |
62161 | In an active standby interchassis redundant CPE configuration, a timing issue might cause Versa services to restart on the standby CPE node. |
62268 | A branch-to-branch IPsec tunnel might fail to come up when you reboot the branch. This issue has been fixed. |
62429 | Traceroute command had a command Injection vulnerability. This issue has been fixed. |
Fixed Bugs in Release 21.1.3
Bug ID | Description |
---|---|
20557 | When you commit a VOS device configuration from the Director node, the VOS device now waits up to 10 minutes to determine whether it has connectivity to at least one Controller node. If it does not, it performs a rollback operation after that 10-minute window. Previously, the VOS device would perform a rollback operation only immediately after the commit operation if it had no connectivity to any Controller nodes. |
30728 | When a VOS device is a DHCP client, DHCP Renew should be a unicast packet to the DHCP server and not a broadcast packet. |
33184 | When a Controller node has only internet connectivity and branches have both internet and MPLS connectivity, whenever the internet link goes down at the Branch1 device, all the Branch1 routes may be removed from other remote branches by the Controller node even though the SLA is up between Branch1 and the remote branches. |
35738 | Upgraded numerous third-party and open source packages that VOS devices use, to address vulnerabilities. |
36851 | In the staging.py script, you can now specify a Controller node as an FQDN. Previously, you could specify only an IP address. |
37411 | In rare occurrences, an incorrect reference count in the IPsec IP address object may cause Versa services to restart. This issue has been fixed. |
38310 | A defect in the IPsec module may cause the versa-service process to crash, causing a service restart. This issue has been fixed. |
40160 | Added support to fetch VOS device and OS SPack packages with the path-query option. |
43497, 66215 | When an address group is referenced before it is defined, a commit operation fails. Support has been added to handle this gracefully. |
45615 | Cannot move an OSPF network between OSPF areas of the same routing instance within a single commit. This issue has been fixed. |
48993 | CPU load statistics sometimes show values greater than 100%. This issue has been fixed. |
50689 | Issuing the show orgs org-services organization-name dhcp statistics dhcp interface CLI command sometimes may cause a timing issue, leading the versa-infmgr process to restart and then causing all services to restart. This issue has been fixed. |
52361 | Depending on how many address families and capabilities are exchanged, the BGP neighbor alarms may not show the full name of the site. This issue has been fixed to show the complete site name. |
52860 | The request system package download-status CLI command, which was to be used by a Director node issuing an asynchronous package download command, is now deprecated. |
52874 | IPsec alarm configuration is not honored, and the destination and soak intervals are not activated. This issue has been fixed. |
54479 | The Python binary may have incorrect permissions or capabilities set, which prevents the SPACKMGR process from starting. This issue has been fixed. The permissions and capabilities are now forcibly set. |
54808 | A certificate constantly renews after the renewal interval is exceeded. Two days before renewal, the VOS device generates a CSR and applies to the CMP responder for renewal. The VOS node constantly sends CSRs to the PKI server instead of waiting for the next renewal period. This issue has been fixed. |
56464 | After the following error message, a VOS SD-WAN CPE does not re-attempt to resolve the IP address of the public CA server, causing global ZTP to fail because the certificate download fails: 2020-12-17 09:45:36.652 ERROR ../usr/sbin/certd/certd_cfg_hdlr.c:514: CMP: Tnt 1, Srvr versa-public-ca, FQDN 'public-ca.versa-networks.com' resolve-request send failed for CMP URL url. Will retry. This issue has been fixed. |
56492 | When a deleted interface is added back, the interface-up alarm that corresponds to the earlier interface-down alarm is not generated. This issue has been fixed. |
58693 | The versa-certd process may crash when handling the USER certificate. This issue has been fixed. VOS devices now handle the USER certificate in addition to handling the SIGN (signing) and ENCR (encryption) certificates. |
59117 | IPv6 on LTE interfaces is not fully functional. This issue has been fixed. |
59161 | The rule name of a session in the Analytics log may be reported as "implicit-rule". This happens only when the session expires and the rule corresponding to the session has been removed from the configuration. This issue has been fixed. Now, the rule name is empty. |
59618 | When the versa-infmgr process incorrectly handles a stale link-update message, it may crash, causing services to restart. This issue has been fixed. |
59972 | When upgrading a security pack (SPack), Versa services may restart because of a race condition while accessing an internal data structure. This issue has been fixed. |
60526 | New branch staging may fail if IKE flaps or if the WAN IP address keeps changing: older IKE connections linger on and the IP address pool runs out of addresses, causing the staging of a new device to fail. This issue has been fixed. Now, the DPD process is more aggressive. |
60879 | When multiple CoS OIDs are passed in the same snmpget request, the versa-vmod process does not clear some internal tables, causing this process to restart. This issue has been fixed. |
60968 | When you upgrade the software, a redistribution policy term that has DHCP as the match protocol might lose its match protocol, so the term ends up matching all protocols. This issue has been fixed. |
61851 | Package dependency issue in OS SPack installation. This issue has been fixed. Now, the OS SPack installation overwrites ESM packages with higher-version binaries. |
62268 | When services start, the branch-to-branch IPsec tunnel might not be set up because of a race condition between two threads completing initialization at startup. This issue has been fixed. |
62505 | The application route cache (ARC) implementation has been enhanced to remove entries that have not been used for 1 hour. This optimizes the memory usage of this cache and has no impact on system behavior, because ARC entries older than 1 hour were always considered stale. |
62586 | The GRE and PPPoE interface MTU is not set to the default value, 1492. This issue has been fixed. |
62758 | The IPsec history CLI command output sometimes displays an incorrect error or reason. This issue has been fixed. |
62793 | Static ARP entries might not be activated in the data path. This issue has been fixed. The entries are now resilient to all timing conditions (for example, whether an interface is not yet up). |
62800 | A Versa services crash might occur because of invalid memory access in the SD-WAN module. This issue has been fixed. |
62805 | During the upgrade process, MPLS tenant ID changes may be lost, leading to a tenant ID mismatch for the VPN label and causing packets to be blackholed. The workaround was to update the mplsvpnentry tenant ID and restart the services. This issue has been fixed. |
62806 | A site-to-site IPsec connection between a branch and Azure Virtual WAN does not come up the first time unless IKE is cleared. This issue has been fixed. |
62856 | When you configure the out-of-band management interface, eth0, for speed and duplex, extra commands might be appended to the network configuration file. This issue has been fixed. |
62883 | Issuing the show orgs org-services organization lef collectors collector status CLI command might cause the versa-vmod process to restart. One cause was a resource leak under certain error conditions: a slow leak eventually causes the process to restart but does not cause a service restart. Another cause was the Versa Director dashboard triggering this command to fetch LEF statistics. This issue has been fixed. |
62931 | The sdwan-datapath-up alarm may not be generated. This issue has been fixed. Now, the alarm is triggered unconditionally when a path to a remote site is removed for any reason. |
62955 | When evaluating a QoS policy rule, the versa-service process may crash and services may restart. This is observed after the versa-vmod process repeatedly crashes, and is the result of a race condition in the security and policy rule compilation and data path. This issue has been fixed. |
62978 | SLA metrics are not displayed when the interval is greater than 150 seconds. This issue has been fixed. |
63104 | Sporadic packet latency is observed in Azure virtual instances of VOS devices. This issue has been fixed. |
63354 | The memory consumption of the zone protection logic has been optimized to consume less memory without affecting performance. |
63356, 63381 | The software-upgrade-success alarm is not raised after you upgrade a device. Sometimes the alarm is incorrectly deferred until the next service restart. This issue has been fixed. |
63442 | Versa CPE uses a 4-digit host-uniq value in the PPPoE PADI, and if a DSLAM is not compliant with RFC 2516 (such as the Nokia ISAM7353), this causes an interoperability issue. This issue has been fixed. The host-uniq value in the PPPoE PADI has been increased to 5 digits. |
63481, 63543 | When a large volume of IKE SA init traffic arrives at a VOS device, a memory leak is observed in the versa-service process. This issue has been fixed. |
63506 | When a configuration is pushed to create system users, user creation is noticeably slow. This issue has been fixed. Now, user creation is faster. |
63593 | When a user's group membership changes in Active Directory, this information might not be updated on the VOS device, so the VOS device applies group-based policies based on the previous membership details. This issue has been fixed. Now, when membership details are refreshed at the configured refresh interval, the details are updated in the live-user table and the new group-based policy is applied. |
63594 | When you configure IPS detection and IPS-based application identification reporting, a recursion might cause Versa services to crash and restart. This issue has been fixed. Now, IPS-based application ID reporting is separated from IPS detection. |
63612 | For traffic monitoring policies, you could not configure a match destination for zone information. This issue has been fixed in the Director GUI and the VOS CLI. |
63647 | Option 82 is not stripped by a VOS device functioning as a DHCP relay agent, causing clients to drop the DHCP response packets from the server. This issue has been fixed. |
63699 | Jumbo frame packets larger than 1686 bytes are not forwarded over the SD-WAN. This issue has been fixed. |
63755 | A memory leak is observed in the IKE-ESP ALG. This issue has been fixed. |
63777, 63902 | In the GUI, when you delete all the terms of a redistribution policy, the VOS device deletes the policy itself, causing the configurations on the Director node and the VOS device to be out of sync. This issue has been fixed. |
63839 | Web proxy rule match does not work with the HTTP PATCH method. This issue has been fixed. |
63949 | Having a large number of FQDN address objects might lead to a memory leak in the versa-certd and versa-addrmgr processes. This leak causes these processes to bloat in size, and eventually they terminate and restart; however, there is no service disruption. This issue has been fixed. |
63976 | This issue occurs when two Controller nodes each have at least two WAN interfaces with disjoint transport domains (such as one for internet and a second for MPLS) and a branch device connects to the Controller node using only one of the transport domains. If one of the Controller WAN interfaces goes down and comes back up, and if, while the Controller interface is down, the branch's WAN interface for the other transport domain goes down and stays down even after the Controller's WAN interface comes back up, the branch device may retain stale state for the Controller node's MP-BGP information until the configured graceful-restart time expires. The result is that the branch cannot establish MP-BGP peering with the Controller node until the graceful-restart time expires. This issue has been fixed to ensure that when underlay connectivity from the branch to the Controller node is restored, the branch can re-establish MP-BGP peering with the Controller node. |
64049 | When the SD-WAN connection selection method is set to high-available-bandwidth but no interface uplink or downlink bandwidth is configured, the available bandwidth cannot be calculated, causing the VOS device to select random paths instead of priority ones. This issue has been fixed so that the weighted round-robin (WRR) method is used in this case. |
64067 | After the routing process restarts because of a core, the SD-WAN Controller may not install the host routes for the branches in a scaled environment. This issue has been fixed. |
64144 | When service chaining with Riverbed WAN-OPT in Full Transparency with RS, TCP reset packets sent for the inner connection from WAN-OPT are processed locally by the VOS device, which closes the outer connection as well. This issue has been fixed. |
64148 | The sulogin binary may be triggered and may then crash, causing the system to reboot. This issue has been fixed. The sulogin binary has been replaced with one that does not crash. |
64333 | The show alarms CLI command displays a truncated timezone offset. This issue has been fixed. Now, the full timezone offset information is displayed. |
64391 | Some sequences of static route addition and deletion followed by disabling the interface associated with the static route may cause the Versa services process to restart. This issue has been fixed. |
64400 | The packet TX counter does not increment, which indicates an issue specific to the i40e port driver on Versa CPE devices. The TX operation gets stuck because multisegment packets were pushed to the NIC; the maximum number of segments supported by i40e is 8, and sending more than 8 segments causes the NIC TX ring to enter this state. This issue affects the V1000, V1800, V1500, V930, V810 (FWA-3260), and CSG1300 platforms. |
64444 | When a destination is reachable through two or more remote SD-WAN sites and all the paths to at least one of the sites are in the SLA-violated state, the Versa services daemon may experience a segmentation fault and restart. The workaround was to switch to active/standby routing instead of equal-cost SD-WAN routes to the destination. This issue has been fixed. |
64513 | A core in the routing CLI transformer process may occur when an external peer group does not have a peer AS configured and the peer AS configuration is removed from a neighbor belonging to this group. This issue has been fixed. |
64514 | If you set up a site-to-site IPsec tunnel with a non-Versa peer and an aggressive DPD timeout (1-2 seconds) is configured on the peer (which is not a typical use case), the tunnel on the Versa side might go down. This issue has been fixed. |
64527 | If per-CPU QAT initialization fails even though global QAT initialization succeeds, the Versa services process may restart during data processing. This issue has been fixed. Now, the process falls back to software-based cryptography. |
64685 | For the first packet of a session that is evaluated by a rule that matches a source user or group, NGFW policy evaluation does not complete, and therefore the rule action is not taken even though the source user and group information for the session is known. |
64733, 64826 | When LEF establishes a TCP connection to the destination collector, during overloaded conditions, if the server is slow, the connection moves to a write-blocked state. During this time, logs queued to the collector are dropped instead of being held until the connection is unblocked. This issue has been fixed. |
64745 | During IP fragment reassembly, if the packet header length does not match the actual packet length, packet buffers may be lost. This issue has been fixed. |
64790 | The memory footprint of the security and policy contexts increases with each commit, causing memory load issues on firewalls with large configurations. This issue has been fixed. Now, the increase is capped at one older context. |
64811 | Having a large number of FQDN objects (more than 100) slows the versa-service process and causes high CPU usage and failure of some show commands. This issue has been fixed. |
64844 | The .ncconnect file has invalid permissions, which might prevent the recognition of a successful connection between a Director node and a VOS device. This issue causes the trial period countdown to begin and eventually degrades VOS services. This issue has been fixed. |
64988 | The VOS device reassembles IP fragments received with the DF bit set, but after reassembly it retains the DF bit when transmitting the reassembled, larger packets. This may cause downstream routers to drop the packets. This issue has been fixed. Now, the software clears the DF bit, allowing any router to fragment the packets. |
65115 | When an IPv6 destination is reachable through multiple remote SD-WAN sites (for example, if there are equal-cost routes through multiple sites), the circuit priorities specified in the SD-WAN forwarding profile may not be honored. Also, an SD-WAN or PBF policy rule that is used to override routing and enforce a specific next hop does not work for IPv6. This issue has been fixed. |
65292 | When you upgrade from an older release such as Release 16.1R2Sx to a newer release, if an address object contains an invalid wildcard FQDN object, the versa-vmod process might crash. This issue has been fixed. Now, a misconfigured FQDN object is ignored. |
65294 | When you perform an IPv6 traceroute between a source and a destination, a VOS device might drop IPv6 traceroute response packets, because it incorrectly parses the length of the ICMP time-exceeded-in-transit message. This issue has been fixed. |
65310 | Issuing the debug command to display extensive session details causes a service restart. This issue has been fixed. |
65319 | A QoS rewrite with a service function chaining (SFC) configuration (with Layer 3 rewrite for inner, Layer 3 rewrite for outer, copy from outer, copy from inner) does not work as expected. This issue has been fixed. |
65373 | On a VOS device, if you manually edit the /etc/ssh/sshd_config file, for example, to add Match directives, and you then use the CLI to change the SSH keepalive and timeout values, you are unable to access the device using SSH. This issue has been fixed. |
65435 | When an SD-WAN route flaps, DIA traffic switches to the SD-WAN. This issue has been fixed. |
65501 | The TCP evasion check may incorrectly drop 1-byte-payload TCP keepalive packets, assuming they are overlapping segments. This issue has been fixed. |
65502 | Croatian Telecom LTE does not detect the correct APN. This issue has been fixed. |
65505 | Intermittent packet loss may occur when packet replication is enabled for large packets that need fragmentation. This issue has been fixed. |
65536 | For PPPoE, the VNI interface displays the correct RX BPS value, but the TVI interface does not. This issue has been fixed. |
65643 | When you configure twice-napt-44, it does not take effect the first time. You must configure it a second time to make it active. |
65809 | The show route table ipv4.unicast CLI command does not display the desired output when you specify both the detail and prefix options. This issue has been fixed. |
65823 | The IP TOS value in the outer tunnel header for host-originated packets is set incorrectly, instead of being copied from the inner packet. This issue has been fixed. |
65826 | When you add a VNI interface with family DHCP enabled to vnf-manager, it does not populate the local interface route in the global space. This issue has been fixed. |
65843 | The versa-vmod process may restart during a Qualys scan directed at a VOS device. This occurs because the Qualys client tries to connect to servers running inside the VOS device. This issue has been fixed. The software has been enhanced and is now resilient to any clients that connect to internal Versa services. |
65904 | Top-N application computation every 5 minutes may cause increased packet latency and loss for traffic processed by worker thread 0. This issue has been fixed. |
65926 | In SLA alarms, site names are truncated to 32 characters. Added support for site names up to 128 characters. |
65953 | In an active-active SD-WAN CPE deployment, when you change the paired-site location ID of any CPE, SLA contexts between the two CPEs are created. These SLA contexts are not deleted when the matching location ID is updated on the other CPE to pair the two CPEs. This issue has been fixed. |
66043 | During a service package (SPack) upgrade, services may restart because the versa-vsmd process restarts. This was reported once. This issue has been fixed. |
66097 | Path MTU is not calculated correctly when the same source IP address and destination IP address pair is present in two different VRFs. This issue has been fixed. |
66136 | The Versa services process restarts once because of an invalid timer (uninitialized value) in the application monitor module. This issue has been fixed. |
66350 | For a PIM-over-SD-WAN deployment, if you change the cluster ID to a higher value, PIM may be disabled between the two SD-WAN sites even if they both have the same cluster ID. This issue has been fixed. |
66395 | The show ospf neighbor brief CLI command may cause the routing CLI process to restart, causing the show command to fail. This issue has been fixed. |
66583 | The device model, SKU, and serial number details are now available in an additional MIB container that does not take a serial number as a key. |
66599 | The output of the show orgs org organization sd-wan statistics vni command for TX BPS and RX BPS is now displayed in bits per second instead of bytes per second. |
66617 | The staging.py script writes the staging.cfg file to the current directory, but some scripts look for it in the /opt/versa/scripts directory. Now, the file is saved in both directories. |
66768 | A memory leak in the QoS data structure may occur when preclassified packets arrive over a cross-connect link from the peer and you have configured an App-QoS policy on the device. This issue has been fixed. |
66789 | The routing CLI process may crash when you delete a routing instance that uses a redistribution policy for instance import, followed by another commit that moves the terms of the same redistribution policy. This issue has been fixed. |
66817 | With packet replication and per-packet load balancing, packets are cached and released from the buffer to reorder out-of-order packets. The released packets may use stale data, which can cause the Versa services process to crash. This issue has been fixed. |
67147 | Changed the default handling of the origin of a BGP route when it is redistributed from a VRF to Layer 3 VPN, and vice versa. The origin can be overridden if it is configured in the redistribution policy. |
67276 | Traffic ingressing from the SD-WAN cannot be further redirected to another SD-WAN next hop on the middle hop using a forwarding profile with the next hop set to the site. This issue has been fixed so that steering to another site on a hub is supported. |
67404 | The Versa services process may crash when VSA is enabled with TCP optimization in auto mode. This issue has been fixed. |
67446 | Versa 810 devices may report the incorrect power supply status "Either PSU2 cable is unplugged or PSU2 is unplugged". This issue has been fixed. |
67456 | Externally authenticated users in the admin group cannot run show alarms or other privileged commands from the CLI. This issue has been fixed. |
67491 | Modified the default method of defining a string in the CLI to use quotation marks instead of a backslash. |
67629 | When you issue a CLI command to display the BGP route table for a specific routing instance and an extended community, the routing process may crash. This issue has been fixed. |
67659 | Enhanced the output of the show interface info command to include DSL interface information. |
67707 | Fixed an issue with timezone settings that can occur if /etc/localtime is not a symbolic link. |
68087 | When you run a CLI command to display interface status immediately after you run an SNMP query to retrieve interface status, the interface manager process may crash. This issue has been fixed. |
68103, 68124 | When you upgrade a VOS device from Release 16.1R2W10.4 to Release 20.2.2, the management and configuration process may crash because of an invalid tenant ID in an SNMP query. |
68157 | A timeout error may occur when you issue the show orgs org-services organization-name dns-proxy profile-monitor CLI command. This issue has been fixed. |
68198 | If you modify the LEF profile in the ADC module, the Analytics node may miss ADC logs. This issue has been fixed. |
68226 | A Versa services crash is seen because of incorrect reference counting of IP routes. This issue has been fixed. |
68266 | On PPPoE interfaces, some PPPoE servers may terminate the connection directly with a PADT, and the LCP TermAck may not be received, so IP cleanup does not happen. This issue has been fixed. |
68677 | The Versa services process may crash because of malformed packets recovered by the FEC module. This issue has been fixed by dropping the malformed packets. |
68911 | After unsuccessful attempts to log in as root over SSH, the root account may be disabled. This prevents using sudo su to drop to a root shell. This issue has been fixed. |
69080 | On Advantech devices with an LCD screen, the lcd4linux service continuously invokes the command to fetch the system status if you press the menu and navigate to one of the options. On systems on which TACACS+ accounting is enabled, this causes a large buildup of accounting records, leading to memory overload of the versa-vmod process. This issue has been fixed. |
69282 | On systems with Rangeley (C2xxx) CPUs, if the QAT is stressed by traffic requiring cryptographic processing, the Versa services process may stop all further processing of cryptographic traffic, requiring a restart to recover the system. This issue has been fixed. |
69369 | When you apply a configuration change that reconfigures the Layer 3 VPN module, you may see a core in the routing process. This issue has been fixed. |
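Bug 65501 above concerns a TCP evasion check that treated a 1-byte keepalive probe as an overlapping segment. A keepalive probe carries seq = RCV.NXT - 1 and zero or one bytes of garbage (RFC 1122, section 4.2.3.6), so its one byte overlaps the last byte already accepted and almost never matches it; a check that flags "overlap with different content" as evasion therefore drops it. The following is an added example, not Versa code, that shows what such a check must distinguish: a keepalive probe, an exact retransmission, a segment that is out of order, and a genuine overlap with different bytes. The Reassembler class, the seq_lt helper and the sample segments are constructed for this example; a keepalive_aware=False switch reproduces the pre-fix classification.

```python
"""Added example: classifying TCP segments that overlap already-accepted data.
Names are this example's own, not Versa's."""
from dataclasses import dataclass
from typing import List

MASK = 0xFFFFFFFF


def seq_lt(a: int, b: int) -> bool:
    """True if 32-bit sequence number a precedes b (wrap-around safe)."""
    return ((a - b) & MASK) >= 0x80000000


@dataclass
class Segment:
    seq: int
    payload: bytes


class Reassembler:
    """Tracks one direction of a TCP stream from its initial sequence number."""

    def __init__(self, isn: int, keepalive_aware: bool = True):
        self.isn = isn & MASK
        self.keepalive_aware = keepalive_aware   # False = pre-fix behaviour
        self.stream = bytearray()                 # bytes accepted so far, in order

    @property
    def rcv_nxt(self) -> int:
        return (self.isn + len(self.stream)) & MASK

    def classify(self, seg: Segment) -> str:
        plen = len(seg.payload)
        if plen == 0:
            return "ack"
        if seg.seq == self.rcv_nxt:
            self.stream += seg.payload
            return "in-order"
        if seq_lt(self.rcv_nxt, seg.seq):
            return "future"              # out of order; a real stack would queue it
        if seq_lt(seg.seq, self.isn):
            return "before-stream"       # predates what we track; ignore
        # seg.seq < rcv_nxt: the segment overlaps data already accepted.
        if self.keepalive_aware and plen == 1 and seg.seq == ((self.rcv_nxt - 1) & MASK):
            return "keepalive"           # RFC 1122 probe: its one byte is garbage by design
        rel = (seg.seq - self.isn) & MASK
        old = bytes(self.stream[rel:rel + plen])
        if old == seg.payload[:len(old)]:
            self.stream += seg.payload[len(old):]   # a retransmit may also extend the stream
            return "retransmit"
        return "evasion"                 # same offsets, different bytes: drop it


def demo(keepalive_aware: bool) -> List[str]:
    """Run constructed sample segments through a reassembler and return the verdicts."""
    isn = 0xFFFFFF00                     # high ISN so seq_lt's wrap handling is exercised
    r = Reassembler(isn, keepalive_aware)
    request = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"   # constructed, 38 bytes
    segs = [
        Segment(isn, request),                                   # in-order data
        Segment(isn, request),                                   # exact retransmission
        Segment((isn + len(request) - 1) & MASK, b"\x00"),       # keepalive probe
        Segment(isn, b"GET /evil HTTP/1.1\r\n"),                 # overlap, different bytes
        Segment((isn + len(request) + 100) & MASK, b"x"),        # out of order
    ]
    return [r.classify(s) for s in segs]


if __name__ == "__main__":
    print("fixed :", demo(True))
    print("buggy :", demo(False))
```

With keepalive_aware=True the probe is classified as "keepalive" and only the segment whose bytes differ from the accepted stream is reported as "evasion"; with the switch off, the probe is reported as "evasion" and would be dropped, which is the symptom bug 65501 describes.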
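Bugs 64745 and 64988 above both concern IPv4 fragment reassembly: buffers lost when a fragment's header length disagrees with the packet length, and the DF bit carried over onto the reassembled datagram so that downstream hops with a smaller MTU drop it. The following is an added example, not Versa code, of a minimal reassembler that rejects length-inconsistent fragments before queuing them and clears DF (together with MF and the offset) on the rebuilt datagram, recomputing the header checksum. The Reassembler class, helper functions and sample fragments are constructed for this example; clear_df=False reproduces the pre-fix behaviour for comparison.

```python
"""Added example: IPv4 fragment reassembly with a header/buffer length check and
DF cleared on the rebuilt datagram. Names are this example's own, not Versa's."""
import struct
from typing import Dict, List, Optional, Tuple

DF, MF, OFFSET_MASK = 0x4000, 0x2000, 0x1FFF


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 ones-complement checksum; 0 when the header's own checksum is correct."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_fragment(src: bytes, dst: bytes, ident: int, proto: int,
                   payload: bytes, offset: int, more: bool, df: bool) -> bytes:
    """Build an option-less IPv4 fragment; `offset` is in bytes (multiple of 8)."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8")
    flags_off = (DF if df else 0) | (MF if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def df_set(pkt: bytes) -> bool:
    return bool(struct.unpack_from("!H", pkt, 6)[0] & DF)


class Reassembler:
    def __init__(self, clear_df: bool = True):
        self.clear_df = clear_df            # False = pre-fix behaviour (DF retained)
        self.pending: Dict[tuple, dict] = {}
        self.dropped = 0

    def push(self, pkt: bytes) -> Optional[bytes]:
        """Return a complete datagram, or None if the packet was dropped or is still incomplete."""
        if len(pkt) < 20:
            self.dropped += 1
            return None
        ihl = (pkt[0] & 0x0F) * 4
        total_len = struct.unpack_from("!H", pkt, 2)[0]
        # If the header lies about its length, drop it here rather than queue it.
        if ihl < 20 or total_len < ihl or total_len != len(pkt):
            self.dropped += 1
            return None
        ident, flags_off = struct.unpack_from("!HH", pkt, 4)
        more, offset = bool(flags_off & MF), (flags_off & OFFSET_MASK) * 8
        if not more and offset == 0:
            return pkt                      # not a fragment; pass through untouched
        if more and (total_len - ihl) % 8:
            self.dropped += 1               # non-final fragments must be 8-byte multiples
            return None
        key = (pkt[12:16], pkt[16:20], ident, pkt[9])
        e = self.pending.setdefault(key, {"frags": {}, "total": None, "hdr": None, "df": False})
        e["frags"][offset] = pkt[ihl:]
        e["df"] = e["df"] or bool(flags_off & DF)
        if offset == 0:
            e["hdr"] = pkt[:ihl]            # first fragment supplies the header
        if not more:
            e["total"] = offset + (total_len - ihl)
        if e["total"] is None or e["hdr"] is None:
            return None
        data = bytearray()
        for off in sorted(e["frags"]):
            if off != len(data):
                return None                 # hole (or overlap) still outstanding
            data += e["frags"][off]
        if len(data) != e["total"]:
            return None
        del self.pending[key]
        hdr = bytearray(e["hdr"])
        if len(hdr) + len(data) > 0xFFFF:
            self.dropped += 1
            return None
        struct.pack_into("!H", hdr, 2, len(hdr) + len(data))
        # MF and offset are always cleared; the fix also clears DF so any hop may refragment.
        struct.pack_into("!H", hdr, 6, 0 if self.clear_df else (DF if e["df"] else 0))
        struct.pack_into("!H", hdr, 10, 0)
        struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
        return bytes(hdr) + bytes(data)


def sample_fragments() -> Tuple[List[bytes], bytes]:
    """Constructed input: a 1536-byte UDP payload split at 1000 bytes, DF set on both."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    payload = bytes(range(256)) * 6
    frags = [build_fragment(src, dst, 0x1234, 17, payload[:1000], 0, True, True),
             build_fragment(src, dst, 0x1234, 17, payload[1000:], 1000, False, True)]
    return frags, payload


def reassemble(frags: List[bytes], clear_df: bool = True) -> Tuple[Optional[bytes], int]:
    """Feed fragments in order; return (reassembled datagram or None, drop count)."""
    r, out = Reassembler(clear_df), None
    for f in frags:
        out = r.push(f) or out
    return out, r.dropped


if __name__ == "__main__":
    frags, _ = sample_fragments()
    pkt, _ = reassemble(frags)
    print("reassembled", len(pkt), "bytes, DF set:", df_set(pkt))
```

Truncating the first sample fragment by a few bytes makes its total-length field disagree with the buffer, and the reassembler counts it as dropped instead of creating a pending entry for it; with clear_df=False the 1556-byte result still carries DF, which is the condition bug 64988 describes.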
Fixed Bugs in Release 21.1.4
Bug ID |
Summary |
---|---|
43497, 66215 | When you reference an address group before it is defined during a commit, it was not successful. Support has been added to handle this gracefully. |
45301 |
Running tcpdump on the vni-0/2 interface in system with WiFi interfaces (vni-0/20*) is unsuccessful, because cleanup on previous invocations was not successful. |
45840 | SNMP walk fails to fetch the SD-WAN policy if address monitors are attached to the policy. |
46302 | Config Sync-from-Appliance performance has been improved. On systems with large routing configurations, this operation would previously take several minutes. |
53277 | NTP cannot resolve FQDN server names. |
58454 | If you enable device Identification, intermittent service disruption occurs because of a process crash and restart. As a workaround, do not enable device identification. |
58509 | If you include special characters in any of the encoded attribute values in the ZTP URL, such as the Controller PSK, the VOS CPE would be configured incorrectly. |
60515 | CA-signed certificate for device management reverts to a self-signed default certificate when you upgrade the VOS software. |
61985 | IPsec alarm has been enhanced to include the name of VPN profile associated with the IPsec tunnel or to include the name of the tunnel interface if it is a route-based IPsec tunnel. |
63569 | The IF-MIB field ifOperStatus shows as Up even if the tunnel interface is down. |
64067 | After the routing process restarts because of a core, the SD-WAN Controller node may not install the host routes for the branches in a scaled environment. This issue has been fixed. |
64533 | Fixed a memory leak in audisp-aaa plugin for VOS systems running Ubuntu 14.04 (Trusty). |
65114 | Certain threshold and utilization alarms are occasionally not cleared. |
65168 | If the SKU field is empty, the show system details command shows no data. |
67751 | If a redistribute policy contains a set-community attribute and is used for redistribution to OSPF, the commit fails with a cryptic message. This issue has been fixed, and the error message is now more descriptive. |
69064 | Becuase of a timing issue, physical interfaces may not be recognized as vni-x/x interfaces and sometimes appear as unknown-x/x interfaces. |
69175 | If the IP lookup database is corrupted, services do not start because the Versa services continuously restart. The process has been made more resilient and continues to run if the database is corrupted. |
69188 | SPack installation was reporting a failure even if it was installed successfully, because the installation took longer than five minutes. The timeout has been extended to 10 minutes to accommodate slower installations. |
69517 | The static source NAT and twice static NAT are bidirectional NAT policies, which means that sessions can be initiated in the server-to-client (out-to-in) direction as well. For sessions matching the NAT policy in the server-to-client direction, the reevaluation of the NAT policy was not being done correctly, and as a result, the NAT session was being torn down. |
69815 | Moving existing BGP neighbor addresses to a new BGP group causes a commit operation to. |
69825 | Setting a link speed of 10 Mbps configures the default shaping burst size to 1250. For all link speeds less than 100 Mbps, the default burst size is now 12500 bytes, to allow for jumbo packets. |
69921 | When you define the same application in two different organizations in a VOS instance, application reporting works correctly in one organization but not in the other. |
70029 | The TCP MSS on an unencrypted SD-WAN tunnel is not adjusted up, but rather it remains the same as the encrypted tunnel MSS. |
70036 | The show system status”CLI command crashes the vmod process because of stale status files. |
70089 | When you enable isolate-cpu, the Versa services process keeps restarting after a software upgrade. |
70101 | Provisioning a new routing Instance becomes progressively slower as the number of routing instances become very large. |
70106 | TVI interface type change not allowed message prevents a template deploy even if you select the reboot option. |
70206 | When a branch-to-branch SD-WAN tunnel goes down, the IpsecTunnelDown alarm is incorrectly generated. |
70233 | In an SD-WAN network with a set of hierarchical Controller nodes, if a spoke loses connectivity with T1 controller1, at the T0 Controllers, the T1 Controller1's routes are selected because the T1 Controller's IP address is lower. |
70239 | On a hub-controller node, when all the interfaces go down and then one of the interfaces comes up in reverse order, the SLA did not come up. |
70314 | In file-based actions, if you specify the file size limit, downloading any file exceeding that size is not blocked unless you also specify the deny list option. |
70315 | On CSG300 Series appliances, an auto-SIM detection issue may occur with the Ubuntu 18.04 (Bionic) version of the OS. |
70363 | The Don’t-Fragment override configuration option does not work for PIM Register packets. |
70366 | For Ethernet ports using i354 MAC controllers, when the remote end is running at 100M/FD with autonegotiation On, disabling the port on the local side causes the interface to hang or get stuck. In this situation, the LED on the local link is Down, whereas the LED on the remote link is still On. The only way to recover (unhang) the interface is to power cycle the device. This issue affects the following CSG and white-box appliances:
|
70604 | A local user for whom an ssh-public-key is configured cannot use ssh to log in to a VOS device. |
70662 | When there are 200+ interfaces in the traffic-identification configuration, a commit change can take up to 3 minutes. |
70823 | Security package installation fails if there is an earlier commit that contains more than four attributes configured under “system parameters”. |
70832 | An application monitor’s last status of Up remains as Up if you disable the WAN interface and the monitoring threshold is more than 20 seconds. (The default is 3 seconds). |
70893 | If private-key decoding fails, issues with OCSP monitoring occur. |
70906 | The alarmDevice field in SNMP trap messages now includes the name of the device that originated the trap. Previously, the field contained the name of the module that originated the trap. |
71182 | When you enable a SIP ALG, in a rare scenario, SIP confirmed dialogs were not cleaned up, which, over time, caused a memory leak in the Versa services process. This issue has been fixed. |
71256 | Moving a BGP neighbor address from one BGP group to another was not reflected in the show bgp neighbor brief CLI command output and led to inconsistencies between the Director and device configurations. This issue has been fixed. |
71310 | Fixed a negative value displayed in the Versa log collector’s process debug memory statistics. |
71424 | For Google Chrome browsers with CECPQ2, the SSL handshake failed for domains starting with letter "a". This issue has been fixed. |
71437 | The Versa services process consistently uses a large amount of memory because of an issue in which unused memory is not released to the system. This issue has been fixed. |
71485 | When multiple certificates must be OCSP validated, a port bind issue may occur, with a connect_fail issue, because of a single client side port. |
71528 | For a SASE client, when TCP SYN is not retransmitted, the client may not connect to the gateway. This issue has been fixed. |
71569 | Increase the space in the filter table to support 1K or more static BGP peers. |
71669 | When Layer 2 services with STP were enabled, a memory leak was detected in the Layer 2 control process, resulting in high memory utilization. This issue has been fixed. |
71675 | During service initialization, an SNMP request to the routing process may cause the process to restart. |
71717 | When you configure the share-aro option for a BGP instance, the Controller node may not sync some of the routes to a peer when a reconnection occurs. |
71901 | BGP does not advertise the slave local preference value configured in a redistribution policy for a static route. This can happen when you add a static route after configuring slave-local-preference. This issue has been fixed. |
71911 | When a user-defined URL category name contains a period (.), a configuration commit fails. The commit check now allows only alphanumeric characters, hyphens (-), and underscores (_). |
71992 | The Versa services daemon may occasionally get stuck in repeated attempts to select an SD-WAN path for a session. This issue has been fixed. |
72189 | For an SD-WAN Controller node, continuous IKE flaps were seen towards the SD-WAN branch appliance. This occurred because of mismatch of information between the two modules. This issue has been fixed. |
72363 | When an SD-WAN network has more than six SD-WAN Controller nodes, the routing process may go into a high CPU state when any network failures occur. |
72410 | The CGNAT module might crash and restart the services. |
72514 | Logging related to an error condition in the routing process fills up the logs. |
72610 | Add support for an additional PLMN for Verizon 311270. |
72792 | The routing process stops and restarts because of a buffer overflow caused by printing too many communities in a show command in a routing loop situation. |
72915 | In the rare scenario of a double failure, Controller-to-Controller and Controller-to-branch routes are not removed, creating stale routes. This issue has been fixed. |
72953 | While handling an aggregate route with the discard option, the routing process stops and then restarts. |
73079 | If a PPPoE interface has different subnets at the two ends, there may be a reachability issue because of improper route installation. |
73118 | If you specify a source interface in a ping or traceroute command to an FQDN destination, the command may fail because of a defect in how the dig command output is parsed. |
73234 | Fix a services process crash triggered by an ADC server going down when load balancing is set to WRR. |
73262 | When an FQDN object is resolved through multiple routing instances and then one of the routing instances stops resolving, the policy module cannot obtain the resolved address from the other routing instances. |
73518 | Fix a routing process restart that occurs when a routing peer policy configuration containing a prefix list is modified. |
73587 | Add support for handling 16K jumbo frames in QAT to perform fast cryptographic operations in hardware. |
73608 | Fix an issue in DNS zone transfer by allowing multiple DNS responses in a single query for AXFR/IXFR. |
73702 | Fix routing process crash that might happen when you issue the clear bgp neighbor CLI command. |
73896 | EVPN remote MAC entries are deleted when a Layer 3 interface is removed while the same core virtual router instance is used for both a Layer 3 VPN and a Layer 2 VPN. This issue has been fixed. |
73957 | Fix a crash in Versa services process when traffic goes through the CGNAT service and an SD-WAN policy is configured with a next-hop priority. |
74333 | Fix a delay in the DHCP offer when the DHCP server profile is configured with ping settings. |
74378 | Fix an issue in which packets are dropped on a TCP SIP session after the session idle timeout is reached. |
74429 | Sometimes, when multiple rollbacks of the IPsec VPN rule configuration are performed, a services process crash is observed. This issue has been fixed. |
74936 | Automatically exclude statically mapped IP addresses from the DHCP server dynamic IP address pool. |
74955 | Fix private key export/preview for TPM-enabled hardware. |
74988 | Fix an issue with IKE route installation in the routing table that may occur after network disruption when the device has more than 1 million routes. |
75050 | Fix upgrade script timeout on an appliance with a large configuration. |
75283 | Fix a missing CMP server entry in the address manager database after a services restart when OCSP is configured. |
75402 | The SIP Invite confirmed dialog deletion timer has been increased to 6 hours. |
75466 | Fix vstated process memory spike that causes service disruption when routes are removed and added frequently. |
75629 | BGP does not advertise the configured VRRP slave priority when multiple interfaces are configured as VRRP slaves. This issue has been fixed. |
75704 | Some access policy rules may be removed incorrectly from the firewall engine during an SPack update after a failed commit, if the failed commit includes any access policy rule changes. |
75967 | Monitor down with maximum threshold of 60 seconds. |
76115 | The monitor group state remains inactive after a reboot when more than two monitor groups are configured. |
76290 | An externally authenticated user sometimes cannot execute sudo commands without passwords. |
76587 | When a circuit for a remote site, say B2, is removed, the updates are propagated and consumed by all SD-WAN sites. Let’s assume the current site is B1. When the transport paths on B1 that correspond to the deleted B2 circuit are being cleaned up, it is important to ensure that the transport path table itself has not already been cleaned up. This bug fix adds a defensive check for this purpose. This issue is seen only if all circuits for a remote site are progressively cleaned up. |
77039 | Operator-level users can no longer log in after upgrading to Release 21.1.3. |
77431 | Fix services process crash caused by an unprogrammed interface that may occur if the same interface flaps multiple times. |
77723 | Packets are dropped on the receiver when a rule switches on the sender side after the session starts. This occurs before the packet egresses, when the packet is processed through FEC and then App ID detection causes the rule that does not have FEC enabled to match. As a result, the same packet is processed again and the end notification is not sent, causing the receiver to assume that FEC is still active on sender. |
77781 | ARP entries are not cleared when the VOS device is the VRRP active node and the interface on which VRRP is configured is shut down. |
78584 | Monitor does not come up on bootup, resulting in an inactive IP SLA. |
78778 | Fix routing process crash that can occur when a routing instance is deleted. |
78817 | For data traffic, the VOS device being used as a VRRP active node uses the interface MAC address as source address in ARP request or reply for the virtual IP address. This has been fixed to use the virtual MAC address instead. |
78876 | Long-lived RTP sessions accumulate memory and cause the Versa service process memory usage to increase. |
79163 | URL cloud lookup may fail after many days because of a memory leak. |
76913 | Do not send LEF logs for the file filter action of allow to prevent an overflow of the LEF logs. |
80011 | If you rearrange the terms of a redistribution policy while the policy is being used for redistribution to BGP for IPv6, the Versa routing transformer process may restart. |
80074 | A memory leak in the Infmgr process may occur, and stale neighbor objects are leaked slowly over time. |
80537 | Tenant QoS policer may skip policing the reverse traffic and police only the forward traffic. |
Limitations and Behavior Changes
The following are the limitations and behavior changes in Release 21.1.
Limitations and Behavior Changes in Release 21.1
- TCP optimization is designed for WANs with bottleneck bandwidth up to 300 Mbps that also experience high latency (> 50 ms) and some degree of packet loss. Using TCP optimization in other environments, such as low-latency networks or in networks with high latency but no packet loss, may be counterproductive and may instead decrease performance.
- With TCP optimization, peer discovery, or automode, is currently limited to an SD-WAN network, even though the optimization is designed to also work on Versa appliances in a non SD-WAN network.
- On Windows remote access clients connecting to a VOS RAS server, you must add static routes for remote access. Routes are not automatically installed on the Windows RAC client when it connects to the VOS RAS server.
- A VOS device does not configure a RAC client with the DNS server address. You must manually configure it on the Windows RAC client.
- You cannot configure IRB as an inter-HA link.
- The maximum number of IRB interfaces is 64.
- For bridging, you must configure Layer 2 interfaces in promiscuous mode.
- Versa Director monitor screens are not available for Layer 2 show commands.
- Class of service (CoS) and access lists are not supported for Layer 2.
- IRB interfaces support family inet only. These interfaces currently do not support IPv6.
- You should ensure that the Layer 2 interface MTU matches the IRB interface MTU to avoid any packet drops caused by MTU mismatch.
- Previously, by default, FEC sent the parity packet on the same link and the duplicate parity packet on an alternate link. This has changed. Now, the parity packet is sent on an alternate link and the duplicate parity packet is disabled. This was done to reduce the overhead on already congested links. You can enable the duplicate parity packet through configuration.
- In Releases 20.2 and later, the BGP AS path loop check behavior has been changed to prevent BGP routes that contain the local AS number of the BGP instance from being installed even when they are received from IBGP peers. (In software releases prior to Release 20.2, an AS loop check was performed only for routes received from EBGP peers.) This change was made to comply with RFC 4271, to prevent loops in all cases. When you upgrade a VOS device from Release 16.1R2 to Release 21.1, if the VOS device includes the overlay AS number in the BGP AS path of the routes it advertises to the Controller node, the Controller node no longer installs these routes and therefore does not propagate them to other branches. As a result, you might encounter one of the following situations:
  - The local AS number configured in the branch VRF BGP group or neighbor may be the same as the overlay AS number in the control VR. If so, do one of the following as part of the upgrade:
    - Ensure that the local AS number configured for the group or neighbor in the VRF is different from the overlay BGP AS number in the control VR. If the AS numbers are different, the Controller node does not receive its own overlay AS number in the AS path, and the route is installed.
    - Check whether the default local AS mode is set to mode-2, which adds the local AS configured at the BGP group or neighbor level to the AS path when the route is imported. If so, change the mode to mode-4, which does not add the AS number to the AS path. As a result, this route passes the AS loop check on the Controller node and is installed.
    - Configure the loops option in the BGP group corresponding to the branches in the Controller’s control VR as well as in the control VR in the branches. This option allows routes with as many loops as specified in the configuration to be installed.
  - The AS path received from the BGP peers in the VRF may already contain the overlay AS number. If so, do one of the following as part of the upgrade:
    - Ensure that the customer network does not use the overlay BGP AS number in the control VR, with the result that the Controller node does not receive its own overlay AS number in the AS path and the route is installed.
    - Configure the loops option in the BGP group corresponding to the branches in the Controller’s control VR as well as in the control VR in the branches. This option allows routes with as many loops as specified in the configuration to be installed.
- In Releases 20.2.3 and earlier, when BGP detects that a neighbor is going down, the Controller node reruns the best path selection for Layer 3 VPN routes, selects an alternate route from another active neighbor, and announces the route to other BGP route-reflector clients so that they can use the new route. In Release 20.2.4 and Releases 21.2.2 and later, the Controller node reruns the best path selection only for Versa private routes. This means that a stale Layer 3 VPN route from the neighbor that has gone down still remains the best path, and a subsequent best path selection for Layer 3 VPN routes occurs only if the Controller node receives an update for the route. This behavior change can cause issues when route distinguisher (RD) values are the same on different VOS devices that advertise the same route for redundancy or failover. It is recommended that the route distinguisher values for a tenant LAN virtual router (tenant-LAN-VR) be unique for each VOS device so that the Controller node can reflect the same route received from multiple clients, ensuring faster failover if the client that is sending the best route fails. In Releases 21.x, during the workflow deployment, the Director node generates unique route distinguisher values for each VOS device, in the format global-vrf-idL:site-id, for both standalone and HA deployments. In Releases 20.2.3 and earlier, the route distinguisher values were not unique for standalone VOS devices.
Limitations and Behavior Changes in Release 21.1.1
- Starting with Release 20.2.x, VOS software requires the underlying Intel CPU to have RDRAND capability. To check the CPU's capability, issue the following command:
# cat /proc/cpuinfo | grep rdrand
- When you change the maximum number of tenants, you must commit the change separately, and a service restart occurs. After the restart, make any other configuration changes.
- Whenever you configure an SD-WAN or policy-based forwarding (PBF) rule to override routing (by enforcing a next hop), you must configure a source zone in addition to other match criteria in the rule in order to prevent traffic not intended for the rule from matching it inadvertently. An example of this is when you use an SD-WAN or PBF policy rule for application-based DIA. This requires a rule to identify traffic originating from the LAN (typically, some Intf-<>-LAN-zone), and then using the rule to send the traffic into the required transport VR, where a second session gets created. CGNAT rules are used to source-NAT this traffic. If the source zone is omitted in the SD-WAN/PBF rule's match condition, the second session also matches it and causes a packet loop. By adding the source zone Intf-<>-LAN-zone as a match condition, you prevent the second session from matching the PBF rule.
Limitations and Behavior Changes in Release 21.1.2
- When you change the maximum number of tenants, you must commit the change separately, and a service restart occurs. After the restart, make any other configuration changes.
- When you configure an SD-WAN or a policy-based forwarding (PBF) rule to override routing (by enforcing a next hop), you must configure a source zone in addition to other match criteria in the rule, to prevent traffic not intended for the rule from matching it inadvertently. An example of this is when you use an SD-WAN or a PBF policy rule for application-based DIA. This requires a rule to identify traffic originating from the LAN (typically, some Intf-<>-LAN-zone), and then using the rule to send the traffic into the required transport VR, where a second session gets created. CGNAT rules are used to source-NAT this traffic. If you omit the source zone in the SD-WAN/PBF rule's match condition, the second session also matches it and causes a packet loop. By adding the source zone Intf-<>-LAN-zone as a match condition, you prevent the second session from matching the PBF rule.
- For the DHCP server to provide an IP address, there must be at least one matching rule in the DHCP service profile. In earlier releases, DHCP provided an IP address even when there were no matching rules.
Limitations and Behavior Changes in Release 21.1.3
- When you change the maximum number of tenants, you must commit the change separately, and a service restart occurs. After the restart, make any other configuration changes.
- Whenever you configure an SD-WAN or a policy-based forwarding (PBF) rule to override routing (by enforcing a next hop), you must configure a source zone in addition to other match criteria in the rule in order to prevent traffic not intended for the rule from matching it inadvertently. An example of this is when you use an SD-WAN or PBF policy rule for application-based DIA. This requires a rule to identify traffic originating from the LAN (typically, some Intf-<>-LAN-zone), and then using the rule to send the traffic into the required transport VR, where a second session gets created. CGNAT rules are used to source-NAT this traffic. If the source zone is omitted in the SD-WAN/PBF rule's match condition, the second session also matches it and causes a packet loop. By adding the source zone Intf-<>-LAN-zone as a match condition, you prevent the second session from matching the PBF rule.
Known Issues
The following are the known issues in Release 21.1.
Known Issues in Release 21.1
Bug ID | Summary
---|---
45578 | Need an option to clear the bridge MAC table for all instances.
46884 | LACP-based AE interfaces flap in a scaled setup.
46661 | Director monitor option for Layer 2 commands is not available.
46967 | IRB does not show up under router advertisement.
45535 | TCP optimization policy-based statistics do not reflect the actual statistics when you select a remote branch.
45569 | With high latency but no loss, BBR throughput is slower than that of cubic (standard TCP congestion control).
46703 | IPsec RAS DNS server configuration is missing for remote-vpn-client.
45572 | Any changes to a RADIUS authentication profile do not take effect until a restart is done.
Known Issues in Release 21.1.1
- In multicast routing, when you enable the Anycast-RP mechanism on a first-hop router, the source information is not shared between Anycast-RP peers through PIM register packets. As a workaround, ensure that you do not enable the Anycast-RP mechanism on a first-hop router.
- If a VOS node is a part of interchassis HA pair (for active-standby stateful HA), you must first upgrade it to Release 16.1R2S11 before you upgrade it to Release 21.1.1. If the interchassis HA pair is running Release 16.1R2S9 or later, you must increase the HA probe miss threshold to 3600 seconds during the upgrade. If the interchassis HA pair is running Release 16.1R2S8 or earlier, you must set the probe type to none on both the nodes before performing the upgrade. Otherwise, the standby device restarts continuously after the upgrade. After the upgrade, you can return the HA probe miss threshold value to the originally configured value. To upgrade an interchassis HA pair from Release 20.2.2 to Release 21.1.1, it is recommended that you first upgrade the VOS device from Releases 20.2.2 to Release 20.2.3 and then upgrade to Release 21.1.1.
- Device identification may not fully identify all end devices in the network. It is recommended that you use this feature only in labs, POCs, and trials.
- A tenant-based traffic shaper expects the shaper on the physical interface to be configured on the provider organization. If this is not the case, you must perform the commit in two steps. First, delete the shaping configuration from the non-provider organization, and commit the configuration. Then, configure the shaping, and commit the configuration. You can, for instance, configure the shaper on the provider organization and the provider limit on the customer organization. This limitation applies only to multitenant CPE or hub VOS instances.
- If you want to upgrade a VOS device on which uCPE is enabled (hypervisor installed) from Release 16.1R2 to Release 21.1.1, contact Versa Network Customer Support. Also see https://support.versa-networks.com/a...es/23000021050
- If you enable information validation on a stateful HA branch deployment, and if there is a long delay in bringing up interfaces in the global VRF, the information validation client may fail to register with information validation server on the peer VNF. As a workaround, restart the versa-vmod service alone on the affected VOS device.
- The rollback x command might not work properly.
- The show commit changes x command might not show the actual CLI changes.
Known Issues in Release 21.1.2
- Device identification may not be able to fully identify all end devices in the network. It is recommended that you use this feature only in the lab, POCs, and trials.
- In multicast routing, the source information is not shared between anycast-RP peers through PIM register packets when you enable the anycast-RP mechanism on a first-hop router. As a workaround, do not enable anycast-RP on a first-hop router.
- If a VOS node is part of an interchassis HA pair (active-standby stateful HA), you must first upgrade it to Release 16.1R2S11 before upgrading to Release 21.1.2. When an interchassis HA pair is running Release 16.1R2S9 or later, you must set the probe type to none on both nodes before the upgrade. Otherwise, the standby device continuously restarts after the upgrade. After the upgrade, you can revert the HA probe type to the originally configured value. To upgrade an interchassis HA pair from Release 20.2.2 to Release 21.1.2, it is recommended that you upgrade VOS from Release 20.2.2 to Release 20.2.3, and then upgrade to Release 21.1.2.
- A tenant-based traffic shaper expects the shaper on the physical interface to be configured on the provider organization. If this is not the case, you need to perform the commit in two steps. First, delete the shaping configuration from the non-provider organization and commit the configuration. The second commit could have the shaper configured on the provider organization and the provider limit configured on the customer organization. This limitation applies only to multitenant CPE or hub VOS instances.
- You cannot upgrade a VOS device on which uCPE is enabled (hypervisor installed) from Release 16.1R2 to Release 21.1.2. Please contact the support team if you are considering the upgrade. For more information, see https://support.versa-networks.com/a/solutions/articles/23000021050
- When you enable the info-validation feature in a stateful HA branch deployment, a huge delay might occur in bringing up of interfaces in the global VRF, and the info-validation client may fail to register with the info-validation server on the peer VNF. As a workaround, restart only the versa-vmod service on the affected VOS device.
- If you configure an SLA profile at the next-hop level in conjunction with configuration application monitors, the SLA profile options to select a path based on the lowest latency and on the lowest packet loss are ignored. To utilize these best-path selection features, configure the SLA profile at the global level.
Known Issues in Release 21.1.3
- Device identification may not be able to fully identify all end devices in the network. It is recommended that you use this feature only in the lab, POCs, and trials.
- In multicast routing, when you enable the anycast-RP mechanism on a first-hop router, the source information is not shared between anycast-RP peers through PIM register packets. As a workaround, do not enable anycast-RP on a first-hop router.
- If a VOS device is part of an interchassis HA pair (active-standby stateful HA), you must first upgrade it to Release 16.1R2S11 before upgrading to Release 21.1.3. When an interchassis HA pair is running Release 16.1R2S9 or later, you must set the probe type to none on both nodes before the upgrade. Otherwise, the standby device continuously restarts after the upgrade. After the upgrade, you can return the HA probe type to the originally configured value. To upgrade an interchassis HA pair from Release 20.2.2 to Release 21.1.3, it is recommended that you upgrade VOS from Release 20.2.2 to Release 20.2.3, and then upgrade to Release 21.1.3.
- A tenant-based traffic shaper expects the shaper on the physical interface to be configured on the provider organization. If this is not the case, you need to perform the commit in two steps. First, delete the shaping configuration from the non-provider organization and commit the configuration. The second commit could have the shaper configured on the provider organization and provider-limit configured on the customer organization. This limitation applies only to multitenant CPE devices or hub VOS instances.
- You cannot upgrade a VOS device on which uCPE is enabled (hypervisor installed) from Release 16.1R2 to Release 21.1.3. Please contact the support team if you are considering the upgrade. Also see https://support.versa-networks.com/a/solutions/articles/23000021050
- When you enable info-validation in a stateful HA branch deployment, a large delay might occur in bringing up interfaces in the global VRF, and the info-validation client may fail to register with the info-validation server on the peer VNF. As a workaround, restart only the versa-vmod service on the affected VOS device.
Request Technical Support
To request technical support, visit http://support.versa-networks.com. If you are contacting support for the first time, register and create an account. You can also send email to support@versa-networks.com or contact your Versa Networks sales account team.
Additional Information
Revision History
Revision 1—Release 21.1, December 20, 2019
Revision 2—Release 21.1.1, August 21, 2020
Revision 3—Release 21.1.2, December 1, 2020
Revision 4—Release 21.1.3, June 6, 2021
Revision 5—Release 21.1.4, April 27, 2022