Versa Networks

Versa Director Release Notes for Release 21.1

These release notes describe features, enhancements, fixes, and known issues in Versa Director Software Release 21.1, for Releases 21.1.0 through 21.1.4. Release 21.1.1 and later are generally available (GA) releases and are supported for use in production networks.

April 27, 2022
Revision 5

Install the Versa Director Software

To install the Versa Director software, see the Deployment and Initial Configuration articles.

Upgrade to Release 21.1

To upgrade to Release 21.1, see the Upgrade Software on Headend and Branch article.

Downgrade the Software

To downgrade to the software image that had been installed immediately before you performed the upgrade, issue the following command:

Administrator@versa-director> request system rollback to snapshot-timestamp

The Versa Director configuration and image are restored to the state they were in when the snapshot was taken. Note that any configuration changes made since the snapshot was taken are lost when you perform the rollback operation. See Upgrade Software on Headend and Branch for information about upgrading HA-enabled Director nodes.

Install the Software License for Versa Director

Versa Director is controlled by a software license. You must obtain a valid license file by contacting Versa Networks Customer Support.

Note the following:

  • Versa Director software ceases to operate after a 15-day trial period, so you must obtain a license key within that time.
  • On all newly installed Versa Directors, you must run the Versa Director startup script, /opt/versa/vnms/scripts/vnms-startup.sh, to correctly configure the Director network interfaces for their intended function (for example, interface eth0 for northbound communication towards OSS systems and for UI access, and eth1 for southbound communication towards VOS devices).

VOS Version Compatibility

Release 21.1.2 of Versa Director is compatible with the following VOS versions:

  • 21.1.2
  • 21.1.1
  • 20.2.2
  • 20.2.3
  • 16.1R2S11
  • 16.1R2S10.1
  • 16.1R2S9

Releases 21.1.3 and later of Versa Director are compatible with the following VOS versions:

  • 21.1.3
  • 21.1.2
  • 21.1.1
  • 20.2.4
  • 20.2.3
  • 20.2.2
  • 16.1R2S11
  • 16.1R2S10.1
  • 16.1R2S9

Releases 21.1.4 and later of Versa Director are compatible with the following VOS versions:

  • 21.1.4
  • 21.1.3
  • 21.1.2
  • 21.1.1
  • 20.2.4
  • 20.2.3
  • 20.2.2
  • 16.1R2S11
  • 16.1R2S10.1
  • 16.1R2S9

Release 21.1 of Versa Director is not fully configuration-compliant with other versions of VOS software. If you commit templates or make direct configuration changes in the Appliance view UI to non-compatible VOS releases, the commit or configuration changes may be rejected with an RPC error.

New Features

This section describes the new Versa Director features in Release 21.1.

  • Active Directory and LDAP support—You can configure Active Directory (AD) authentication connectors to use secure LDAP. You can connect a Director node to AD using a secure channel, and the Director node can connect to an AD global catalog server. See Configure AAA.
  • Appliance tags—(In Releases 21.1.1 and later.) On the Appliances page, you can assign tags, which allows you to easily filter appliances using their tag values. To set tags for an appliance, click the Edit icon in the Tags column.

    Appliances_Tags.png

    To filter appliances by tags, enter tag values in the Appliance Tags search box. The search filter is saved for the duration of the current session. Appliances are displayed by the selected tags even if you navigate away from the Appliances window in the Administration, Configuration, or Monitor tabs.

    Appliance_Tags_Search.png

  • Autogenerated paired site IP address for active-active HA pair—When you use device workflows to configure an active-active HA pair, the bind data variable Paired_Site__location ID is autogenerated. If the value for this bind data variable is empty, it indicates that multiple device workflows can be paired. In this case, you must enter the generated paired site ID of the other device, which must be running HA.

  • CPI 810 digital certificate compliance—To support CPI 810 digital certificate compliance, a Director node triggers an alarm when an SSL certificate has expired or is about to expire (a warning alarm for 30 days remaining, and a critical alarm for 7 days remaining). The Director node automatically clears the alarm when the certificate is renewed.
  • Device-level service templates—You can add specific device-level service templates on top of the group-level service templates, allowing you to specify a group-level service description while still being able to perform device-level customization using templates. See Configure Basic Features.
  • Encryption of sensitive information—(In Releases 21.1.1 and later.) Sensitive information, such as IPsec PSKs, OSPF passwords, and user passwords, is encrypted in templates, bind variables, and appliance configurations. The VOS device and the Director CLI display these sensitive fields in encrypted format. After you upgrade a Director node to Release 21.1.1, existing unencrypted fields are not automatically encrypted. To encrypt the keys, access the configurations and then save them.

    Encryption_Information.png

    To disable the encryption feature from the Versa Director CLI, issue the following command:

    Administrator@Director% set system settings encrypt-data enable-encrypting-sensitive-info false
    
  • IPAM overlay addressing assignment—(In Releases 21.1.1 and later.) Versa Director supports IPAM-based IP address allocation for device overlay tunnels (ESP and VXLAN) and for staging IP address pools on Controllers and hub controller nodes (HCN). IPAM is an internal service on Versa Director and runs as a container. The main features of IPAM-based addressing allocation are:
    • Organization ID and device ID are not encoded in the IP address allocated to a device.
    • You can add multiple smaller address pools in the overlay addressing configuration based on your requirements. With IPAM, you can deploy an SD-WAN network with a small overlay IP pool or pools: a /8 or /16 prefix is not required.
    • The next available address in the pool is allocated to a new device being created.
    • When you upgrade Versa Director, currently configured overlay address pools and allocated addresses are migrated automatically to the IPAM module.
    • During the upgrade process, if the validation script finds that an address is allocated to multiple devices, the upgrade process fails. You must rectify duplicate addresses before attempting an upgrade.

      Overlay_Address_Prefixes.png
  • Kafka client—Versa Director can now stream high volumes of data to Kafka servers. Kafka is a TCP-based streaming protocol and API implementation. The protocol defines all APIs as request-response message pairs.
  • Layer 2 template workflows—(In Releases 21.1.1 and later.) Template workflows are enhanced with Layer 2 configuration, to allow you to configure virtual switches, Layer 2, and IRB interfaces. You configure organization-level virtual switches under Configuration > Objects > Virtual Switches, as shown below:

    Virtual_Switch.PNG

    When you create an organization using a workflow, a default virtual switch is automatically generated. You can configure bridge domains within each virtual switch using the bridge domain name and a VLAN ID. Bridge domains are named VLAN segments. Bridge domain names and VLAN IDs must be unique within a virtual switch.

    Bridge_Domains.PNG

    In the Workflows > Templates workflow, a new interface type, L2, is added in the Interfaces tab. To select the Layer 2 interface, click the interface icon to mark a port as a Layer 2 port.

    Templates_Interfaces.png

    Layer 2 interfaces are displayed in the Interfaces tab > Layer 2 Interfaces tab. You can configure Layer 2 workflows in Basic or Advanced mode. The following screen shows basic mode:

    L2_interfaces_basic.PNG

    In advanced mode, you can select different organizations across subunits of the same port and specify a bridge domain for line translation. The following screen shows that the virtual switch added earlier is available for the organization in the Layer 2 workflows.

    L2_interfaces.png

    You can configure IRB interfaces as LAN or WAN. The VLAN ID of the IRB must map to a VLAN ID in the Layer 2 workflow interfaces for the organization of the LAN/WAN interface. If there is a mismatch, the template workflow deployment fails.

    Templates_LAN_interfaces.png

    See Configure Layer 2 Forwarding.

  • Next-generation RBAC framework—A next-generation RBAC framework replaces the NCS RBAC framework. Versa Director has used the NCS NACM framework to provide role-based access control (RBAC), but as the number of objects grows in the system, performance degrades and a large amount of framework data is created, resulting in slowness when you create or delete appliances or create templates. The next-generation RBAC framework improves performance and allows a Director node to handle more devices. With these changes, only the Director GUI and the REST API are protected by RBAC; the CLI is not protected by RBAC. This results in two consequences:
    • Any user who has access to a Director node can see all data that is available in the CLI. Therefore, it is highly recommended that you limit access to the Director node.
    • For external authentication, only a user with the role ProviderDataCenterSystemAdmin can SSH and SCP to a Director node. Users with any other role cannot log in to the Director node. The Director node can no longer differentiate between an operator and an admin user, so all roles will have the same access to the system. This enhancement safeguards the Director node by limiting the users who can access the system.
  • Order of service templates policy rules—(In Releases 21.1.1 and later.) In previous software releases, when you applied service templates, the rules with a higher priority were inserted after rules with lower priority. In Release 21.1.1, this behavior has been changed so that the higher-priority rules precede the lower-priority rules. This change is in effect wherever you order the rules, because in the VOS software, rules with a higher priority take precedence over the rules with a lower priority. In the stack of templates (main and service templates) applied on a device, the lower the template in the order, the higher the priority the configuration in the template becomes. For policy rules, such as firewall and traffic steering rules, rules from the template in the lower order are added to the top of the rules stack.
  • Redundant authentication connector—Versa Director allows you to configure multiple redundant authentication servers for RADIUS, TACACS, LDAP, and Active Directory (AD). Authentication by external servers is based on the configured order. If the first authentication server is not reachable, authentication falls back to the next server. See Configure AAA for User Authentication.
  • Schedule automatic software upgrades—You can schedule software upgrade tasks to occur automatically. You can commit tenant-specific templates and download or upload software to one or more appliances at the same time. You can edit or cancel an automatic software upgrade at any time. See Upgrade Software on Headend and Branch.
  • Schedule template commit and appliance upgrade—(In Releases 21.1.1 and later.) You can schedule template commits to VOS devices or software upgrades. If a VOS device is not reachable at the time of the scheduled job, you can set the option for the system to automatically execute the job when the VOS device becomes reachable.

    Commit_Template_Schedule.png

    You can view the scheduled and executed jobs from the Administration > Scheduled Tasks menu:

    Edit_Scheduled_Task.png

  • SD-WAN workflows and AWS Transit Gateway integration—(In Releases 21.1.1 and later.) Versa Director fully automates the configuration of site-to-site IPsec tunnels by calling AWS APIs to create Network Manager objects such as devices, sites, links, and customer gateways, and by creating a VPN connection between the transit gateway and the customer gateway. When you create an IPsec tunnel between a VOS device and an AWS transit gateway registered in the AWS global network under Network Manager, manual configuration of IPsec tunnels and VPNs is not required. You can manage and view all site-to-site tunnels from a VOS device to the AWS transit gateway, Azure Virtual WAN, and Zscaler. This support, which uses Secure SD-WAN from the Versa Secure Cloud IP Platform as the branch on-premises CPE solution, enables dynamic and secure branch-to-branch and secure branch-to-AWS connectivity, with SD-WAN application-aware intelligent traffic steering across the AWS-powered backbone.

    To configure the VPN, use the Tunnels tab in the Template workflow:

    AWS_TGW_Template.png

    To enter connector and AWS details, use the Tunnel Information tab in the Add Device workflow:

    Add_device.png

  • Signature verification for software package uploads—(In Releases 21.1.1 and later.) You can use digital signature verification to verify Versa Director and VOS software packages that are uploaded using a Versa Director node. See Configure Signature Verification for Software Package Uploads.
  • Subscription lifecycle updates—(In Releases 21.1.1 and later.) A number of changes have been made to the subscription lifecycle, including the following. See Subscription Lifecycle.
    • Licenses are valid for 1, 3, or 5 years.
    • License subscriptions do not support the Created and Suspended states.
    • A license is immediately activated after the device performs ZTP.
    • Manual license activation is not required.
  • Ubuntu Release 18.04—You can use Ubuntu Release 18.04 (Bionic Beaver) as the base Linux platform for Versa Director. The specific software version is Ubuntu 18.04.4. Separate .bin and .iso software images are available for Ubuntu 18.04. Note that in Release 21.1, you cannot upgrade directly from Ubuntu Release 14.04 to Release 18.04.
  • Zscaler GRE tunnels—(In Releases 21.1.1 and later.) Versa Director supports the integration of Zscaler third-party site-to-site tunnels through workflow, to simplify the deployment of large-scale secure and optimized branch connectivity. You can create secure generic routing encapsulation (GRE) tunnels between a VOS CPE device and a device hosted in the cloud, in a data center, or by Zscaler, to optimize the connectivity between the VOS and cloud devices. The VOS CPE device can be a physical device or a cloud-based SD-WAN device.

    When you create a site-to-site GRE tunnel between a VOS device and an unmanaged cloud device, you must configure network details such as the site-to-site tunnel name, the tunnel protocol (as GRE), the LAN VRF, and the WAN/LAN network to establish the connection on the unmanaged device. To do this, you create a Workflow template in which you configure a tunnel and VPN profile for the unmanaged device:

    Templates_Tunnels.PNG

    To add a VPN profile for a GRE tunnel:

    Create_VPN_Profile.PNG

Enhancements

The following table lists the enhancements in Release 21.1.

Enhancements in Release 21.1

Feature Tracking Bug

Description

44704

Director triggers an alarm if the SSL certificate has expired or if it is in the critical (Last 7 days) or warning (Last 30 days) state. The alarm is cleared automatically when the certificate is renewed.

40804

When you use a device workflow to configure the active-active HA configuration, the bind data variable Paired_Site__locationID is autogenerated. If the value is empty, you can pair multiple device workflows, entering the generated paired site ID of the other device.
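
The 30-day warning and 7-day critical thresholds from tracking bug 44704 can also be checked from outside the Director node, so that an expiring certificate is caught even if the Director alarm is missed. The following Python code is an added example, not Versa code or a Versa API. The certificate names, the inclusive threshold boundaries, the separate "expired" and "unreadable" states, and the sample lines (constructed, in the format printed by openssl x509 -noout -enddate) are assumptions.

```python
import ssl
from datetime import datetime, timedelta, timezone

WARNING_DAYS = 30    # warning threshold stated in the release note
CRITICAL_DAYS = 7    # critical threshold stated in the release note


def parse_not_after(enddate_line):
    """Parse a line as printed by `openssl x509 -noout -enddate`."""
    key, sep, value = enddate_line.strip().partition("=")
    if key != "notAfter" or not sep:
        raise ValueError(f"not an enddate line: {enddate_line!r}")
    # cert_time_to_seconds understands the "Mon DD HH:MM:SS YYYY GMT" form.
    seconds = ssl.cert_time_to_seconds(value)
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def classify(not_after, now):
    """Return 'expired', 'critical', 'warning' or 'ok'.

    Assumption: a certificate with exactly 7 (or 30) days left already
    counts as critical (or warning).
    """
    remaining = not_after - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining <= timedelta(days=CRITICAL_DAYS):
        return "critical"
    if remaining <= timedelta(days=WARNING_DAYS):
        return "warning"
    return "ok"


def reconcile(enddates, active, now):
    """Compare the current certificates with the alarms already raised.

    enddates: {certificate name: enddate line}
    active:   {certificate name: severity of the alarm currently raised}
    Returns (events, new_active); each event is (name, action, severity).
    A renewed certificate clears its alarm, mirroring the Director behaviour.
    """
    events, new_active = [], {}
    for name, line in sorted(enddates.items()):
        try:
            state = classify(parse_not_after(line), now)
        except ValueError:
            state = "unreadable"   # fail closed: unknown expiry is an alarm
        previous = active.get(name)
        if state == "ok":
            if previous is not None:
                events.append((name, "clear", previous))
            continue
        new_active[name] = state
        if state != previous:      # new alarm or change of severity
            events.append((name, "raise", state))
    # Certificates that left the inventory no longer need an alarm.
    for name in sorted(set(active) - set(enddates)):
        events.append((name, "clear", active[name]))
    return events, new_active


# Constructed sample data: hypothetical certificate names and dates.
NOW = datetime(2022, 4, 27, 12, 0, 0, tzinfo=timezone.utc)
FIRST_POLL = {
    "ad-ldaps": "notAfter=Apr  1 00:00:00 2022 GMT",      # already expired
    "analytics": "notAfter=Apr 27 12:00:00 2023 GMT",     # one year left
    "director-gui": "notAfter=May  2 12:00:00 2022 GMT",  # 5 days left
    "rest-api": "notAfter=May 20 00:00:00 2022 GMT",      # 22.5 days left
}
# Sixteen days later: director-gui has been renewed, rest-api has not.
LATER = NOW + timedelta(days=16)
SECOND_POLL = dict(FIRST_POLL,
                   **{"director-gui": "notAfter=May  2 12:00:00 2023 GMT"})

if __name__ == "__main__":
    events, alarms = reconcile(FIRST_POLL, {}, NOW)
    for event in events:
        print(NOW.date(), *event)
    events, alarms = reconcile(SECOND_POLL, alarms, LATER)
    for event in events:
        print(LATER.date(), *event)
```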

Enhancements in Release 21.1.1

Feature Tracking Bug

Description

39771

If you enable the scheduling of security pack (SPack) downloads, Versa Director automatically installs or updates the latest SPack on the Director node. In earlier releases, SPacks were downloaded only as part of a scheduled SPack download.

42136

You can set the same priority on different hubs in a spoke group, to allow spokes to use multiple equal-priority hubs and to load-balance traffic.

43272

Tasks page filtering is enhanced in the GUI, and filtering is done on the backend (server side). You can filter tasks based on username and domain name (organization). A new filter, AnyField, takes a search string and performs a regex search on all Task columns.

Tasks.png

45234

You can download a premium or sample version of an SPack from a cloud server to a Versa Director node and to VOS devices, based on the SPack user configuration. In earlier releases, you could download and install only premium SPacks.

47072

You can select only one of the following options from the Service Bandwidth drop-down list: 10 Mbps, 25 Mbps, 50 Mbps, 100 Mbps, 200 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, and 10 Gbps.

Service_Bandwidth.png

47083

Suspend and reactivate license subscription states have been deprecated, and these options have been removed from the Perform Subscription Action window. If CPEs are in the Suspended state when upgraded to Release 21.1.1, they are placed in the Activated state.

47085

License period options of 1 year (default), 3 years, and 5 years have been added in the following windows:

  • Create Template > Basic tab
  • Bare Metal Appliance Creation
  • Add Device Group
  • Perform Subscription Action

License period is displayed in the entitlement reports, monthly reports, and query page. Subscription renewal is calculated based on the license period.

47086

The isPrimary and isAnalyticsEnabled options are disabled in license subscription. These two options have been removed from the following windows:

  • Create Template
  • Metal Appliance Creation
  • Add Device Group
  • Perform Subscription Action

These two flags have been removed from the entitlement and monthly reports.

47089

You can view details about a license to determine how many licenses are active and how the licenses are being used. The license details displayed include the start and end dates, solution tier, bandwidth, location, and serial number. To view license details in Director view, select the Administration tab in the top menu bar, and then select Entitlement Manager > License Detail View Entitlement Manager in the left menu bar.

License_Detail_View.PNG

47819

The task start and end times are displayed according to the client browser's time zone. This means that for users in different time zones, the same task is displayed based on their local time zone. For example, suppose a task with ID 6 has a start time of Sat, Jun 20 2020, 16:24:14 in UTC. If a user in the India time zone logs in to Versa Director, the start time of the task with ID 6 is Sat, Jun 20 2020, 21:54:14 (because IST is UTC +5:30). If a user from the U.S. PST time zone logs in to Versa Director, the start time of the same task is Sat, Jun 20 2020, 8:24:14 (because PST is UTC –8).

48305

With IPAM-based overlay address allocation, Controller and hub controller node template workflows now provide a staging pool size for each WAN interface. You can disable the staging option on some WAN interfaces.

SDWAN.png

49318

Versa Director and VOS software packages have digital signatures that can be verified while the software packages are being uploaded to Versa Director. By default, this feature is disabled. You can enable it using the CLI or the GUI.

If you enable signature verification, you must upload the signature file while you are uploading the image. If the signature is verified, the uploaded image remains on the device. If signature verification fails, the uploaded image is deleted and the task fails.

Add_Package.png

51986

To detect any misconfiguration in Versa Director that can cause an upgrade failure, the configuration is validated as part of the upgrade. For more information, see the Before You Upgrade to Release 21.1.1 section, above.

52235

In the SSO configuration, the new option sp-entity-id allows interoperation with Azure AD SAML.

53346

When a session is close to timing out, Versa Director displays a global notification. Users are provided the option to continue with their current session.

53575

SD-WAN forwarding profiles have been enhanced to support path list–based circuit priorities (path-name-list, path-type-list, path-media-list and path-tags-list), last-resort priority, and an unmatched priority. Path list–based circuit priorities provide flexibility for defining priorities using exact match for local and remote circuits, thus removing the ambiguity about when to use AND or OR in match conditions for local and remote circuit priorities.

The new path list–based priorities and the existing circuit priorities model are mutually exclusive at a specific priority level. That is, if you select path list–based priorities, the current circuit priorities model is not allowed, and vice versa. However, you can select both types of priority levels at different priority levels.

For the last-resort priority, paths configured with this priority are used when all other paths go down, thus allowing you not to use LTE paths when other paths are available.

The unmatched-priority defines the priority of the paths that are not configured explicitly. For example, if the unmatched priority is set to priority 2, any path that is not configured in the forwarding profile is considered as priority 2.

56910

To prevent users from continuously sending emails for a forgotten password, you can configure the Forgot Password Request Time Interval, in seconds, to set how often users can make a request. The default interval is 900 seconds (15 minutes), and the minimum value is 60 seconds. This feature is enabled by default. If you do not require it, set a higher value for Forgot Password Request Time Interval in the User Global Settings window.

57530

Changed high availability GUI labels from Master and Slave to Active IP Address and Standby IP Address.

High_Availability.png

Fixed Bugs

The following tables list the critical and major defects that were fixed in Release 21.1.

Fixed Bugs in Release 21.1

Tracking Bug

Description

46503

The exported summary report does not show CPEs with 10-Gbps configured bandwidth.

46336

Staging template was not showing up in device group creation for parent organization.

46256

Some sites are missing from the entitlement query report.

45603

External 2FA is not redirecting to the enter-code UI page when you use SMS.

45568

NAT traversal field in Director UI was showing as undefined in the UI and was not editable.

45546

AWS geographic locations for the Bahrain and Hong Kong regions were missing when creating an SD-WAN gateway in a public cloud.

45203

Velocity template now sets the MTU of PPPoE interface to 1492.

45153

Device drop-down list did not skip invalid entries when populating in UI for security packages installation.

45025

Editing adaptive shaping settings in a service template causes a remote server exception.

40664

Update vnms-startup.sh to have more meaningful settings, such as "Prompt to set new password at first time UI login (y/n)?"

38900

Add a warning popup for the Clear button in the DHCP active leases section in the Services tab.

34601

Handle link-local address for IPv6 for URL-based ZTP.

Fixed Bugs in Release 21.1.1

Tracking Bug

Description

41606

Extending the IKE SA lifetime up to 24 hours is not working in Director UI under VPN profile.

41853

In static routes, the exit interface can be none, and the exit interface and next-hop IP address must not both be mandatory.

42055

After upgrading Director to Release 20.2, if any template is modified and committed to a device running Release 20.2, diff shows configurations of Releases 16.1R2 and 20.2.

42722

Upstart does not restart postgres database process when it is killed.

44765

Versa Director had to be restarted after applying maximum CPE limit license for license information to take effect. Support is added to update required license information cache soon after applying the CPE limit license, without restarting Versa Director.

46560

Unable to perform all actions for WAN network groups for PDCO, TO, TSA, TSECA, and TDO roles.

47932

Transport domains (internet/MPLS) are not listed when creating a WAN name.

48074

Scheduled SPack download does not start based on the start time and interval configured. Now, Versa Director downloads SPack based on the scheduled time and version configured in the SPack settings. Also, you can change the time or interval to reschedule.

48243

Template commit using service templates does not work if the selected service template is added at the device level in device workflow.

48516

Versa Director Memory dashboard displays low free memory.

49145

Upgrade process must fail or stop if there is error in receiving the postgres dump during an upgrade.

49863

Upgrading Director to Release 20.2.1 fails because the sdwan_sla_loss_pct.lua and migrate.py scripts fail.

49924

After you upgrade from Release R2.10 to 20.2.1, static routes in the workflow template are not migrated to postgres and an error is logged in upgrade.log.

51102

Shell In the Box does not open up and displays an HTTP Status 403 - Forbidden error.

52235

Need an option to add sp-entity-id SSO with Azure AD SAML.

52450

Versa Director does not load the list of pages if a single quotation mark (') is included in location details.

52690

Versa Director tasks for appliance UUID are not returned from REST APIs.

52791

GUI does not display Jitter, Transmit, and Receive fields in SLA Profiles.

52816

Supported character length in NGFW policy rule description is not displayed.

53318

Disk fills up because of postgres logging.

53537

Versa Director logs out automatically when another window is opened and is kept idle until the GUI idle timeout expires.

53592

uCPE guest VNF user data/custom file names configuration pushed to device with proper names to create guest VNF successfully.

54150

Add support for OpenId logout when direct link is used.

54157

Add support for selected IDP/local logout for IDP initiated SSO.

54237

Add support for GET Alarms API with data type XML.

54311

Suborganization is not displayed for a device in the Appliance and Device Monitor tab.

54432

Cannot parameterize DNS values in DNS settings.

54629

Duplicate serial number is displayed in the bind data tab of Device Workflow menu.

55139

GET APIs do not work for multiple key list elements in the appliance yang model, for example, the static routes list.

55152

SSO tenant user can log in to Versa Director, although roles are not associated with the organization.

55224

Release 20.2.2 upgrade validation script fails because of issues in the auth-connector-validation.py script.

56002

Cannot configure Versa Analytics FQDN under SAML client from GUI, even though the configuration can be done using CLI.

56030

Cannot delete controller from the UI because of issues related to user authentication token.

56111

In DNS proxy resolver, not all sites are listed in the site name drop-down list.

56131

Template commit fails randomly with error CacheLoader returned null for key Thread[TemplateService-ApplyTemplate-18,5,main].

56266

When you are creating users in User Management, the First Name and Last Name fields do not support special characters.

56546

Logout fails with SP/IDP-initiated SSO.

56556

In the tcpdump Tools screen, Versa Director downloads previously downloaded PCAP files. Fixed to download only PCAP files of the current site.

56794

When upgrading from Release 16.1R2Sx to Release 20.2.2, the Last Modified By and Modified Date fields are not copied correctly.

56816

When you commit the master template with overwrite option, if an NGFW service template is associated at a device level, some routing instances are removed from the Available Routing Instance and Owned Routing Instances. If a shared service template is associated with a device in device workflow, the configuration is not properly merged from the service template.

56958

Analytics URL uses HTTPS when accessed using SSO after you configure a Versa Analytics client in the Versa Director SSO connector.

57121

Device is not displayed in Entitlement Query or reports, if device creation fails during ZTP.

57438

External OAUTH tokens cache issue fixed to handle concurrent Versa API requests efficiently.

57497

Second Controller deployment fails if any WAN interface on the primary Controller has only an IPv6 address.

57664

Versa Director does not fall back to local authentication when none of the configured TACACS+ and RADIUS authentication servers is reachable. Director now falls back to local authentication, and authentication is successful when you enter the correct user credentials.

57677

When you change the redistribution policy, graceful restart helper mode is disabled in the BGP configuration.

57720

Validating a template with QoS service template displays the error {"response-code":"201","error-message":"com.tailf.maapi.MaapiException: A variable value has not been assigned to: v_vni-0-0_Rate__cosInterfaceRate","response-type":"error"}.

57727

In Release 20.2, the order of source and destination zones in firewall rules is different from earlier releases.

57934

Tenant users can view the resource pool of all the tenants under the provider.

58104

Memory leaks identified and fixed in ConfOperationImpl, SpackImpl, and RestProxyProcessor.

58106

You can configure the Versa Director ping wait and timeout values for devices from the Director CLI. You might want to configure higher timeout values for devices that are reachable only over high-latency satellite links.

 nms {
     provider {
         monitoring-settings {
             appliance-monitoring-settings {
                 single-device-ping-timeout 30;
                 bulk-devices-ping-timeout 60;
             }
         }
     }
 }

58248

NTP configured with the server FQDN does not work, because the routing instance is not configured in the NTP server configuration by the template workflow. This is fixed so that the template workflow configures the routing instance in the NTP server configuration.

58340

Search function does not work in Organizations workflow list.

58393

appliance-final-configuration-completed AMQP event populates the organization in the content as "organization": "System", instead of the organization name.

58591

When TACACS+ is enabled, cannot restart services using vsh.

When external authentication is enabled and an external user with the ProviderDataCenterSystemAdmin (PDCSA) role has logged in, users cannot restart VNMS services.

58741

GUI does not allow configuration of a BGP password with more than 16 characters. BGP passwords of up to 128 characters can be configured using the CLI.

Fixed Bugs in Release 21.1.2

Tracking Bug

Description

39617

Proxy authentication is now supported, so a user can configure the username and password of an external proxy server.

41228

Fixed vulnerabilities in UI JS libraries.

42472

Added ability to unlock user from appliance UI page.

51101

TenantSuperAdmin might not be able to view active users for their tenant.

52509

HA template workflow now has a validation check for redundant pair template name.

52621

You might not be able to set the UTC timezone on a VOS device.

52895

Add ability to clone policy configuration for site-to-site VPN profiles.

53306

Template merge might take a long time.

53346

UI might log out unexpectedly.

53837

uCPE SSH might not work for a tenant custom user role.

53926

Fix popup windows to fit in the screen in all tab views.

54133

If you use the request system recovery backup command to perform a backup operation, the result is now shown.

54432

Add support to parameterize DNS values in DNS settings.

55415

Removed server and server pool type "http" configuration from UI in ADC collector configuration.

56266

Special characters in First Name and Last Name when creating users in Director User Management are now allowed.

56473

Upgrade from Release 16.1R2S9 to Release 20.x was failing if there were device groups with no associated templates after the migration.

56661

After you commit changes in build mode, a device might remain in the Southbound locked state.

57669

When you select more than one service, associating an organization with an appliance might fail.

57670

When you associate an organization on the Appliance screen and select a service node group, services should not be a required field.

57750

You might see the bearer token missing error during OAUTH-based GET calls.

58155

The local peer PSK autogenerated variable name might be incorrect and does not appear in the device bind data.

58438

The IKE Down status was misleading in the Director Monitor dashboard and has been removed.

58710

The stateful service template now has a tab for objects.

58741

From the UI, you could not configure a BGP password longer than 16 characters.

58828

There was a display issue of “Last Modified Time” in the UI for workflows.

58835

An unexpected CPE license expiry alarm might be generated.

58929

Unable to add SSO Multiple Customer Roles with Same Director role in External SSO Role Mapping.

59034

Purge was not deleting local backups.

59086

VRRP configuration might be lost when physical interface IP address is modified.

59092

You can now configure IPv6 interface mode in the UI.

59464

Sometimes, we were unable to see Devices under Monitoring, Configuration, Workflows Tabs after HA failover. This is fixed.

59751

New API added to return applianceStatus by appliance name:

https://ip-address:9183/vnms/dashboard/applianceStatusByName/organization-name/appliance-name

59919

Configuring multiple BGP peer tracking configuration in HA in a device template might fail.

59956

The OS Spack option is now visible for Tenant Super Admin users.

60042

Commit template could not identify the configuration changes between the Configuration Template and Appliance configuration, and always shows In-Sync.

60537

The service name and access concentrator are no longer mandatory in device workflow.

60857

Director upgrade from Release 20.2.2 to Release 20.2.3 might fail because of stale entries in bind data.

60967

Added routing-instance match condition to QoS policies.

61060

When Director logged out, an error message was seen with SSO.

61244

Paired site location ID was not configured properly.

61389

A negative site ID number might be displayed for non SD-WAN CPEs in appliance listing screen.

61402

Enabling HA might fail with an error on the secondary device.

61433

Hardware replacement might fail regardless of the image on the new appliance with wrong build-type error.

61492

Missing software version in Director database for CPE might cause a hardware replacement failure.

61585

When configuring a VFP rule, the disable radio setting was not working as expected.

61717

Some screens became slower when device names were displayed in a drop-down list.

61795

Unexpected task in the stuck state during device onboarding.

61849

When templates were committed simultaneously from different user’s template, the commit might fail.

61948

Provider data center operator cannot view unknown devices in Versa Director.

61976

Director now allows hyphens (-) and numbers in custom user role names.

62034

Disabled PostgreSQL WAL archives to reduce disk usage.

62094

CPE SLA configuration path policy was lost when upgrading from Release 16.1R2 to Release 21.1.1.

62163

UI monitor screens made API /orgs/org/{tenant}/kpi calls too often, causing slowness.

62372

In template workflow, isStaging flag was not set correctly during change from Hub Controller to Hub.

62485

Update operation not working for IDP-based SAML user.

62631

Duplicate IP address was allocated by IPAM, causing branch reachability issues from the Director node after upgrading to Release 21.1.1.

Fixed Bugs in Release 21.1.3

Tracking Bug

Description

35962

Upgrade vulnerable outdated third-party libraries on the backend.

40157

Add support for TCP-based remote syslog connector.

41228

Remove and replace vulnerable third-party JavaScript libraries (UI).

42524

Logging out of application using Okta OpenID SSO now works.

45901

Add support for installing security pack (SPack) on Director node using CLI command.

48033

Source networks drop-down for adding NTP server now works correctly.

48431

Improve performance when loading Virtual Router page.

50423

Add REST API to fetch only WWAN status.

51101

TenantSuperAdmin users can now view active users of the tenant.

52001

Fix NCS crash with error "Internal error: Supervision terminated".

52790

Fix drop-downs for Certificate and Key Fields when editing Certificate Manager.

53967

SPack version information is displayed in appliance listing page.

54006

Director to VOS device certificate validation for Confd on port 8443.

54132

Template state in commit windows now shows correct state information all the time.

55886

File filtering in NGFW shows inconsistent display depending on navigation path.

56777

Allow display of location/map information for child organizations in a multitenant deployment.

56810

Plus (+) sign in security policy is greyed out until page loads completely.

57028

Director now displays correct free memory values.

57369

PPPoE WAN Interface network name is now added to traffic identification list.

57693

Error displayed when commit template fails is not correct if description has multiple quotation marks.

58484

Prevent change password blasting.

58698

Shared service templates now appear in the service template drop-down on the commit template screen.

58828

Last Modified Time field in UI for workflows now displays correct time in browser's local time zone.

58921

Allow exported SSO metadata to be imported into external IDP.

59034

Purge now also deletes local backups.

59050

Allow addition of firewall rule at a specific location.

59207

Fix issue where UI intermittently shows that device is out of sync.

59426

Support application location longer than 200 characters.

59751

Add REST API to return applianceStatus by appliance name: https://ip-address:9183/vnms/dashboard/applianceStatusByName/organization-name/appliance-name

59818

Fix issue where forwarding profile content in SD-WAN rule is not displayed.

59873

If you change interface IP address to be the same as the VRRP IP address, UI now displays a message asking you to set VRRP priority to 255.

59919

You can now add multiple BGP peer tracking entries in HA device template.

59956

OS Spack option is now visible for Tenant SuperAdmin users.

60042

Commit template cannot identify the configuration changes between the Configuration Template and Appliance configuration, and always shows In-Sync. This issue has been fixed.

60106

API response does not match the GUI output for SD-WAN traffic for appliance in Monitor tab. This issue has been fixed.

60857

Director node upgrade fails when upgrading because of stale entries in bind data. This issue has been fixed.

62155

AWS DescribeInstances API call fails, with error "instance ID does not exist". This issue has been fixed.

62205

uCPE VNF creation task not created if the template is committed to the device on the Diff View screen.

62352

Template state in commit windows does not reflect changes to service template or to adding or deleting service template to a device group or device workflow.

62422

Add account type Service for server-to-server communication.

62433

It is possible to inject comments by entering special characters. This vulnerability has been fixed by adding careful handling of special characters.

62556

When you create a new notification rule condition, the name is fixed to previous one and cannot be changed. This issue has been fixed.

62557

NGFW service is not picked up from default-sng if services field is empty.

62608

TenantSuperAdmin user cannot change session timeout. This issue has been fixed.

62631

Fix issue with IPAM allocating duplicate IP addresses.

62720

Fix UI issues with firewall rules page and view more security access page.

62785

Add support for Azure GOV cloud using CMS.

62790

Audit log EXTERNAL_USER.log now displays username instead of bearer token.

62949

Add ability to configure timeout in RADIUS/TACACS+ API calls.

63142

Scheduler should not send email when commit template is scheduled for now.

63164

Link-Mode and Link-Mode settings are grayed out for PPPoE interface.

63168

Password not encrypted from browser.

63185

When you cancel creation of a new device workflow at bind data tab, system does not allow you to create same device name even though it canceled the first attempt.

63186

Change password screen header and footer logo does not use the custom partner icon and instead always displays Versa.

63241

After an upgrade, the bind variables of service templates are missing from device bind data tables. This issue has been fixed.

63249

When you use vnms-startup.sh in non-interactive mode, the southbound address included is the dockerip 172.17.0.1, even though the vnms.properties file has the correct southbound address. This issue has been fixed.

63397

Redistribution policy Default-Policy-To_BGP on DMZ-VR (not VRF) is not created when service template has no DIA or gateway options. This issue has been fixed.

63430

After you delete a device from a workflow, the device global site ID may not be released. This issue has been fixed.

63451

Add support for VRF ID and VRF Name as variables.

63589

HA failover operation sometimes results in an application timeout. This issue has been fixed.

63591

Allow template name to be up to 127 characters.

63597

UI does not permit adding second static route next-hop tunnel.

63656

Cannot update SNMP trap profile from GUI.

63665

Add REST API documentation for device template import and export.

63733

LTE interface is missing if PPPoE is configured first.

63736

CoS read-write rule copy attribute display as active, but when editing it shows not active.

63827

Increase length of SMTP username in UI from 16 characters to 256 characters.

63841

Allow parameterization of subinterface description for Ethernet/LTE subinterfaces.

63863

For CGNAT/SDWAN/VFP/IPS sessions in Monitor > Services, the forward/reverse byte count is not sorted correctly.

63897

Kafka message publishing should happen in async thread to handle unreachable or slow brokers.

63964

Read-only users cannot log in to Director node because of a special character used in the user role description field.

63987

Change appliance state monitoring run interval for scaled setup.

64035

Subscription changes on workflow template are not reflected in Entitlement manager section of CPE and Director node.

64110

You can now configure description column in task window.

64190

Addresses configured in another address group are not displayed correctly.

64211

Task window error message is displayed as "[Object] [Object]". This issue has been fixed.

64262

Unable to delete the VLAN Unit if VRRP is configured in the unit.

64365

TCL: Separating transactions for 3 skip apply calls during ZTP.

64442

Fix vulnerability of guessing users using user enumeration attack.

64572

Controller workflow screens now validate IP subnet.

64587

Monitor > Summary tenant screen displays breakdown of interfaces.

64598

Encrypted key pushed to VOS device version that does not support it.

64652

When you choose the same network for main and standby template and you choose cross-connect port, template workflow displays warning popup.

64677

Add unique constraint for Local Organization. Also, enhance validation script to catch this constraint.

64713

Login, logout, and change password timestamp not recorded in audit logs.

64724

Monitor > Services > IPsec > SA Tab does not show complete information.

64974

Hazelcast device status API is not working.

65064

In bind data pagination, unable to display more than 100 rows.

65069

Autogenerated bind data IKE identifier is not updated.

65198

Even though disable virtual service is enabled during Controller deployment, the service is not actually disabled.

65222

IPsec type tunnel interfaces are not shown in correct drop-down in Monitor UI.

65235

OK button is not working while creating a device after filling in bind data information.

65679

In Firefox, the password field is shown in cleartext.

65692

Do not allow |,[,] characters in URL filtering.

65735

User authentication using OAuth does not work when fetching HA status from NCS.

65753

Enable suspend-backup collectors as the default in workflow templates.

65754

Change log level to Info for alarm module.

65774

SIT update CPE ports object in Controller firewall rule.

65775

Error occurs when pushing hub-and-spoke post-staging template.

65793

Workflow device deployment using CMS connector does work in Azure China region.

65818

SD-WAN policies created by workflow need add action.

65880

Cannot see more than 1024 devices in OSS selection field.

65883

Repeatedly executing the Uptime REST API call causes the subsystem to stop.

65964

UI does not return the proper error when creating a user with invalid information.

66020

User order in leaf list elements is incorrect.

66077

Cache control header is not set properly.

66107

Remove traceroute CLI command from Director node.

66416

Cannot take snapshot using external auth users.

66429

Paired location ID is not displaying in drop-down list in vertical bind data form.

66498

When template is locked by user with lock scope "Other Users", template is inaccessible for user who locked it.

66523

Device workflow update and deploy should require read privilege only for device group.

66668

CoS interface under Monitor > Service should display traffic stats per traffic class.

66741

Device deployment fails with exceptions.

66965

Log collector configuration should support parameterization of destination IP address and port number.

67008

Task owner is different from the user who triggered the task.

67048

Show selected device count on commit screen and VOS devices.

67327

CGNAT service is missing under Services when you add LAN interface for provider organization.

67531

Parsing issue in SAML formatted response.

67582

User should not be allowed to delete a subordinate organization of post-staging template if any device group having that post-staging template has a service template at that subordinate organization.

67643

Do not generate modified event if there is no change to bandwidth, solution tier, or license year in subscription plan.

67758

In general service template, need parameterization for DSL interface configuration of PPPoE username and password fields.

67763

UI does not display IPsec service for service VNF.

67874

Add missing appliance subscription tracking in upgrade flow.

67905

Maximum open file descriptors for spring boot.

67949

Customer can make changes and commit before network is loaded in LAN-VR.

67965

Standardize device name for CPU, memory, and hard disk alarms to one value.

68004

Scheduler job status is not marked as Failed when an upgrade task is deleted while an upgrade is in progress.

68006

During bootstrapping, check for release date when upgrading VOS devices.

68040

Close HTTPS appliance polling connections sooner.

68112

Add option to deselect IDP connector in SSO.

68305

Issue in post-staging template association UI view.

68358

During first-time controller deployment, Director node does not ask about using the default 10.0.0.0/8 overlay scheme or changing it.

68847

Do not push Bionic image to trustworthy VOS devices.

68914

Spoke group UI should give option to delete VRFs.

68961

Single character on local part of email address “not valid” while adding tenant user.

Fixed Bugs in Release 21.1.4

Tracking Bug

Description

13550 Update NSO to Version 4.7.10.
43606 Fix drop-down compatibility issues in Firefox browser.
45549 Raise an alarm when AMQP and Kafka connector are not reachable from Director node.

47065 Username and Password fields are autopopulated in the template configuration pages. This issue has been fixed.
48198 Monitor screen now shows appliance system and service uptime.
51488 Predefined file-filtering profile is added under Predefined categories in the Objects and Connectors.
53780 VPN instances with hub type topology now work.
56266 Accept special characters in First Name and Last Name fields when creating users in Director User Management.
56810 Users can add multiple security policies, but only one security policy is allowed on appliance. This issue has been fixed.
57028 Fix for incorrect free memory calculation for Director node on the Monitor page.

58509 If you enter any special characters in the Controller PSK, the ptvi does not come up. This issue has been fixed.
58799 Fix for incorrect appliance type for appliances created on AWS or Azure.
59131 Add support to encrypt all passwords in device configuration.
59719 Fix for provider organization creation failure when it is created from Workflows > Controller screen.
60588 Notification rules page allows you to create alarms notification rules without a tenant. This issue has been fixed.
63168 Login password string is now encrypted when sent from the browser UI.
63733 Fix for LTE Interface missing issue when PPPoE is configured first in the Workflow template creation page.
64007 Support for changing device subscription.

64061 Template configuration Services tab now shows only the services that are enabled.
64411 GUI gets stuck when navigating from the NTP screen to the Objects/Services screen. This issue has been fixed.
64521 When you choose a tenant in the Workflows > Infrastructure > Organization screen, the entire screen goes blank. This issue has been fixed.
64565 Fix for general template selection issue on device group create screen.
64885 Scheduled job for appliance upgrade now starts only if the appliance is reachable.
65578 Tenant selector does not display when user switches from one tab to another on the configuration screen. This issue has been fixed.
65650 Incorrect configuration under device context when bootstrap fails. This issue has been fixed.
66012 Support for having a CLI command to set "auto-merge" as a default option.
66074 The screen is stuck at system parameters page when you navigate from the system configuration to other tabs. This issue has been fixed.
66101 Template configuration Services tab now shows only the services that are enabled.
66259 Include timezone in the director-HA failover alarms.
66364 Fix for issues deleting a nonexistent device using APIs.
66372 Fix for issue sending SMTP email notification for alarms.
66418 Fix corner cases while taking Director snapshot.
66584 Enforce tab in policy rule configuration screen extends beyond the length of the screen because of a newly added feature.
66965 Destination IP address and port fields can now be parameterized on the log collector screen.
67226 Versa_Device_Events topic option display issue is fixed in the Kafka connector create and update screen.
67298 AWS service VNF deployment issue from appliance screen has been fixed.
67709 Bulk upgrade appliance task has been refactored to better show the task messages.
67738 Support for an option to set or customize RequestedAuthnContext value in the SSO connector screen.

67936 User creation page now properly validates the phone numbers.
67963 Fix for enabling HA failure when there are more than 500 appliances on the Director node.
68006 Honor release date in the package to select the latest image during bootstrap of VOS device.
68064 Fix cross-connect select and deselect issues in template workflow for redundant templates.
68231 Support for a GUI option to restrict routing and connectivity across regions in an organization workflow.
68271 Fix CA chain certificate expiration issue in the UI.
68363 You can now make NMS action API calls with an external OAuth token.
68537 Slowness issue is fixed for the API /vnms/dashboard/appliance/location.
68652 Get APIs are failing when APIs are run in parallel. This issue has been fixed.
68670 UI now restricts the creation of an empty app-group.
68690 Tomcat HTTP requests to Analytics now clean up or time out properly.
68923 NAT traversal configuration is added incorrectly when user modifies data on WAN Interface window.
68978 Fix HA template and Layer 2 interface configuration issue in template workflow.
69266 Switchover policy can be configured using routing peer count for appliance HA.
69303 Proper error messages are shown when multiple IPS rules are loaded on the appliance in the UI.
69404 Performance improvements for appliance monitoring.
69405 Fix for Workflow template commit failure when LDAP password is configured with double quote ' " ' in parameterized bind data.
69494 Address files and address group can now be configured from Director GUI under device or service templates.
69496 Fix for multitenant regional spoke groups issue.
69515 Read-only custom user now cannot delete appliance instance.
69553 Error occurs when deleting from a template a suborganization that is not used in any device group. This issue has been fixed.
69590 Add pagination for Locked User screen.

69641 Fix duplicate key sdwan-post-staging issues on Device Group screen.
69808 Workflow > Templates > Site > Subscriptions > Solution Tier > Service Bandwidth changes are now recorded in the audit log.
69827 GUI idle timeout is taking 12 more minutes than the configured value. This issue has been fixed.
69846 Encryption debug CLI commands are failing with application communication failure. This issue has been fixed.
69859 Fix issue of IKE changing on Controller node when you redeploy a device workflow.
69860 Path policy configuration now accepts free-form text.
69877 Fix for the issue with hub template workflow.
69893 Fix for Director HA reachability check through Controller nodes.
69949 After you add service chain under organization limits, service menu now shows correct options for the service chain template.
69996 Add support for mirror interface option for uCPE interfaces.
70174 Restore icon for configuration snapshots is now available in the Firefox and Chrome browsers.
70303 Fix for Map View to show appliance name on the Monitor screen.
70313 Fix the sorting functionality for system summary tables on Monitor screens.
70318 Fix download merge configuration issue on commit template screen.
70319 Fix for issue with adding custom group from GUI on policy page.
70338 Add support for user type data for IP-SLAM monitor next-hop fields.
70394 Asset summary now shows count for service VNFs.
70441 Suppress unwanted logs while fetching get-vnms-ha details from the standby Director node.
70459 Fix incorrect security package information on the Monitor screen.
70490 Netbox IPAM service stays down because the docker image is deleted during an upgrade. This issue has been fixed.
70539 Fix for issues with device deploy and create appliance.

70596 Fix for issues with SD-WAN traffic graph.
70647 Fix display of overlay address schema popup if Controller node already exists in the system.
70656 Fix for template failing to add WiFi interfaces that were added when the security mode was None.
70659 Service template references are now removed from the device workflow when the service template is deleted.
70694 Fix for Director upgrade failure because of a postgres backup issue.
70752 Subtenant users can apply the service template through the diff window. This issue has been fixed.
70799 Upgrade changes the custom SLAM path policy applied to WAN interfaces to the default SLAM path policy. This issue has been fixed.
70817 PPPoE interface is not adding a non-zero VLAN ID to the base interface. This issue has been fixed.
70818 Appliance final-config-complete alarm is published after upgrade and configuration push complete.
70910 Match should not be a mandatory field when you select Objects > Address > + Create a New Rule -> Type (Dynamic Address). This issue has been fixed.
70932 Restrict TSA users so they cannot view other tenant appliances on IP SLA next-hop UI page.
70950 After you click the Commit to Device button on the commit template screen, the screen did not navigate to the next page. This issue has been fixed.
70991 Some fields are disabled on default 0 subinterface screen for LTE interface. This issue has been fixed.
71006 Add RBAC protection to the vnms/cloud/systems/getAllApplianceNames API call.
71019 Template commit is not associating all organizations with the device for service templates. This issue has been fixed.
71021 Fix for edit icon display issue on Director high availability screen.
71051 Locked Users page now shows all the locked users.
71083 Fix for pushing default values for system parameters along with user changes in the form.
71117 Fix for GZTP Director task stuck issue.
71123 Allow user to set the bandwidth on cross-port interfaces in the template workflow.
71160 Edit button is now available to configure and modify appliance HA parameters on the Director node.
71162 Index out-of-range error occurs when running the ip-address-config-validation.py pre-upgrade script when the local IPsec interface is missing. This issue has been fixed.
71173 Recent events count on the Monitor dashboard and details tab now match.
71288 Fix for issue with creation of application group under Objects > Custom Objects.
71336 Vulnerability fix: HTTP public key pinning (HPKP) header cannot be recognized.
71337 Vulnerability fix: HTTP strict transport security (HSTS) header cannot be recognized.
71386 Fix IP address and mask parameterized validation in service templates.
71406 Appliance goes into configuration out-of-sync state because of "" on the Configuration > SNMP > System > Contact screen. This issue has been fixed.
71471 Fix for duplicate key value that violated the unique constraint appliance_hardware_pkey error when onboarding a VOS device.
71477 TSA users can now take configuration snapshots of the common template.
71499 Enforcing static route for policy-based IPsec has been.
71522 Fix for TenantSuperAdmin failing to delete VOS device.
71530 Fix special cases in Versa Analytics cluster installation script.
71538 You can now edit Operator and Administrator users under Director User Management > Provider Users.
71613 HA postgres status on the primary Director node now shows secondary (slave) Director information.
71628 The dot1x config page becomes stuck when navigated to other tabs. This issue has been fixed.
71638 Fix spoke group bulk deletion issue.
71654 OpenID SSO logout now redirects to Logout Success Redirect URL if it is configured.
71686 Fix for scheduling template issues when VOS device not reachable and job has been triggered.
71757 Add support for the special characters {, }, and # in the SNMP manager in Workflow template.
71785 Fix for backup Director node not being able to take over as primary when port 5432 is not available.
71789 Allow hardware inventory search based on hardware serial number and site ID.
71803 Incorrect services list, which includes services not enabled for an organization, is displayed under the configuration services tab. This issue has been fixed.

71814 NETBOX-IPAM and SPRING-BOOT start issues, probably because of a race condition between the two processes, have been fixed.
71863 Handle automerge gracefully when preserve appliance changes is disabled.
71865 Creating new OAuth authorization client now shows the client secret and client ID in the UI.
71903 Fix for Director node loading page even after logging out of Director node.
71917 Fix Director login issue for Bionic images.
72046 Fix for custom role tenant user not being able to log in to the Analytics node from the Director node.
72068 Support deploying redundant Workflow template when the same WAN networks are configured.
72070 Fix incorrect order of BGP policy terms after workflow template is redeployed.
72121 Director upgrade fails with HA Pair Validation error. This issue has been fixed.
72122 Interval now displayed as mandatory field on the Edit SPack Configuration window.
72182 Parameterization of source and destination addresses in VPN policy now works.
72183 Fix for creation of shared service and service template configuration objects.
72335 Fix for display devices issue on the Template Commit screen.
72337 Obsolete UI call for package information has been removed.
72358 Trusty backup restored on Bionic setup failed. This issue has been fixed.
72388 Huge NCS connections are not closed and are seen as Open in the customer setup. This issue has been fixed.
72406 SNMPv3 walk fails with an authorization error. This issue has been fixed.
72413 Add validation in the organization workflow to not allow suborganizations with the same name as the parent organization.
72507 Fix for incorrect total appliance count.
72619 LEF profile referred to in the DHCP configuration is not present. This issue has been fixed.
72637 Update APIs to upload and delete tenant-specific CA and CA chain certificates.

72829 Appliance system informational Kafka message now includes appliance ping and sync state.
72909 Appliance upgrade failed from Director node because of an OS check. This issue has been fixed.
72963 Performance improvement for appliance dashboard APIs.
73026 TDF screen is spinning when trying to access the GUI for a uCPE. This issue has been fixed.
73063 Director upgrade failed because of database backup and restore issues. This issue has been fixed.
73076 Performance improvements for AMQP and KAFKA object change notifications.
73077 Committing configuration to a template or device generates object change notifications only for the top-level path and does not send notifications for each changed path.
73104 Avoid running validation scripts on standby Director nodes.
73108 Error while adding community options for a spoke group is fixed.
73122 Fix for Analytics cluster installer issues.
73183 Fix for incorrect date and time in the All Traffic Live data graph.
73186 OAuth refresh token API now returns the proper roles in the response.
73423 Director node is not initiating a connection to the Analytics node because of too many close_wait states to Analytics IP:Port. This issue has been fixed.
73501 Director GUI unreachable because of cookie issue with atmosphere. This issue has been fixed.
73537 When you click the refresh button on the Services > Sessions screen, it displays "No data to display". This issue has been fixed.
73546 Adding a new tenant in the existing post-staging template through workflows API returns error. This issue has been fixed.
73813 Appliance upgrade from Director node fails during ZTP. This issue has been fixed.
73854 Save device workflow continues to spin when you try to save without the value for some variables. This issue has been fixed.
73856 Bulk import of devices from a CSV file fails because of a concurrency issue. This issue has been fixed.
73899 After you run the appliance status brief API call, appliances disappear from the appliances listing page. This issue has been fixed.
73974 Authentication type and Auth-Context-Required fields can be configured in the SSO SAML connector page.

74213 SSO login fails after running import-key-cert.sh script because the SSO certificates are moved to the backup folder after running this script. This issue has been fixed.
74578 Service template bind data variables are not populated when the device workflow is redeployed from the Basic tab. This issue has been fixed.
74614 Fix for Get Director services status API issue.
74629 Director UI not reachable because of java heap space out-of-memory issue. This issue has been fixed.
74838 Fix for issue with checking Service Template bind data.
75052 Update ha_pair_validation script to check whether the appliance is present in the inventory table.
75069 Template commit error message on Director node is now sent to Concerto over Kafka.
75100 UI intermittently does not load and shows a blank screen on multiple tabs, displaying the error "Failed to load data from server". This issue has been fixed.
75117 Director upgrade fails at ip-sla-monitor under redistribution policy configuration. This issue has been fixed.
75133 Uploading the certificate for secure LDAP from the GUI now works.
75236 WAL files do not clean up automatically, causing high disk usage. This issue has been fixed.
75273 Device bind data in the workflows throws a remote server exception when saving or deploying the device. This issue has been fixed.
75389 Issue with setting isStatingController flag has been fixed.
75471 Director node does not copy the uCPE custom data file if only the custom data file option is configured in the service chain template. This issue has been fixed.
75527 Monitor Tab > Associate Templates shows duplicates even though the device group has unique templates. This issue has been fixed.
75544 Director upgrade failed when executing the WorkflowsUpgrade script. This issue has been fixed.
75547 Kafka and AMQP messages now contain the Director identifier, which you can configure for Kafka and AMQP connectors.
75880 Fix for deploying template failure because of a nested SQL exception.
75925 Vulnerability fix: HTTP strict transport security (HSTS) policy not enabled (Port 443).
75951 Migration scripts now start after spring boot is fully up.
75963 SQL error occurs when creating a spoke template. This issue has been fixed.
76122 Fix for failures when simultaneously deploying multiple organizations.
76316 Director upgrade fails because spring boot does not reach the running state. This issue has been fixed.
76427 Versa Director vulnerability issue fixed for CVE-2021-44228, which is related to Apache Log4j2.
76487 Site-to-site local interface for HA cannot have quotes when using Active-Active workflow template. This issue has been fixed.
76613 Add available-routing-instances under the organization in the service chain template generated through Workflows.
76667 Fix template commit issue by incorporating bind data validation for route prefix.
76710 Template commit window fetches only the first 1000 templates. This issue has been fixed.
77103 Onboard tenant to gateway is failing with INTERNAL_SQL_ERROR. This issue has been fixed.
77119 fetch=count in the NCS APIs returns the count.
77120 Patterns with characters after the $ are now accepted on the template configuration UI screens.
77233 Appliances might disappear if the owner organization is missing for some appliances. This issue has been fixed.
77246 Fix commit template task failure issue because of Concurrent lock.
77249 Spoke group validation is now optional for the provider organization in the Workflow template for multitenant scenarios.
77285 Issue with the output of the Director services status command, vsh status, has been fixed.
77324 View profile under classified profile is not working for Edit DoS Rule > Enforce > DDoS profile. This issue has been fixed.
77353 System organization is no longer displayed on the Add Notification Rules screen when you log in as the TenantSuperAdmin user.
77379 Search works now on the card view of the Appliances screen.
77616 Fix for Boolean word truncation issue on Add DHCP Option Profiles screen.
77647 Adding duplicate Controller nodes is no longer allowed under Controllers in the Workflow template.
77771 Opening the S-WAN System Site Configuration screen now works.
77896 Fix for customer snapshot upgrade failure.
77897 Issue with the Director patch script and validation script has been fixed.
78172 When you delete a device workflow, the remote PSK authentication client entry is now deleted from the Controller node.
78218 Fix OutOfMemoryError issue that occurred because of metaspace.
78240 The site-to-site tunnel in the workflow was throwing an error when you parameterized a WAN or LAN interface.
78340 Commit template fails because of an issue with setting skip-apply. This issue has been fixed.
78434 WAN link monitor configuration for redundant WAN links over a cross-connect link was not updated as expected for HA devices. This issue has been fixed.
78662 Fix tooltip text display issue in Director UI.
78681 Fix for the slowness issue in the diff view page when it is opened from the Template commit page.
78683 Provide scroll in Associated templates page, which is launched from the template commit page.
78686 Deleting a dynamic VOS service template throws the exception "Public cloud instance should have minimum 3 interfaces". This issue has been fixed.
78801 Associating Organization throws an exception when onboarding a workflow device in a public cloud deployment. This issue has been fixed.
80030 Push-keys-To-Device shell script now escapes special characters in the password.
80085 Director UI inaccessible because of a kernel out-of-memory issue. This issue has been fixed.
80168 Allow static IP address configuration on LTE interfaces.
80172 NCS transaction leak issue has been fixed.
80278 Director UI > Device > Monitor > Services and Tools screens are now working.
80279 Fix an issue with the appliances list page in Administration tab.
80326 Fix issue with template configuration SD-WAN system site configuration edit screen.
80328 TenantSuperAdmin user can now see the saved organizations on the Workflows > Infrastructure > Organization screen.
80420 The Workflows, Templates, Tunnels, and Site-to-Site Tunnel screens go blank when you select a few initial options. This issue has been fixed.
80441 When you click the Edit icon, the wheel spins in an infinite loop on the OS SPack > Appliance screen. This issue has been fixed.
80448 Upgrade Apache Tomcat to 9.0.60 to fix multiple vulnerabilities.
80543 Remote server exception seen when you click any tab on the secure access screen. This issue has been fixed.
80581 Organization list displayed on Object > TCP Profile screen should be associated with the template. This issue has been fixed.
80618 For some screens, the selected column filter is not shown. This issue has been fixed.

Limitations

The following are limitations in Release 21.1.

Limitations in Release 21.1.1

  • When you attach a service template to a device in a device workflow but do not attach it to the device group, the device is not displayed after you commit the service template.
  • The Director UI may not open in Safari and MacOS 10.15, because the previous self-signed certificates are not compatible with the new security requirements of the Apple Safari browser. To regenerate a self-signed certificate, issue the following commands:
sudo su - versa
cd /opt/versa/vnms/scripts/
./vnms-certgen.sh --san example.com --san test.example.com --overwrite --storepass "<password>"

To regenerate CA-signed certificates:

  1. Regenerate the CA signed certificates to honor the new security requirements:

sudo su - versa
cd /var/versa/vnms/data/certs/
keytool -import -alias tomcatserver -file {CA_CERTIFICATE}.cer -keystore tomcat_keystore.jks -storepass <password>
  2. Synchronize the new certificate to all the Analytics nodes:

cd /opt/versa/vnms/scripts
./vnms-cert-sync.sh --sync
  • In Release 21.1.1, the Director web server (Apache Tomcat) has been upgraded to support HTTP/2. If you do not enable proxies with HTTP 2.0 and TLS 1.2, browsers automatically fall back to using the HTTP 1.1 protocol. In the newer version of Tomcat, HTTP 1.1–based REST API calls with very large payloads fail intermittently because not all the payload is provided to the backend server. This issue is observed with configuration differences windows in template workflow and template commit to appliances. For more information, see Enable HTTP 2.0 on Proxies, below.
  • DNS Proxy configuration in templates: When DNS proxy configuration is present in a template, applyTemplate to 16.1R2-based devices fails, because the DNS proxy configuration is also pushed to the 16.1R2 device, where it is not applicable. As a workaround, you can delete this configuration in the template before you push it to 16.1R2-based devices. This issue does not occur on devices on Release 21.1. (Bug ID: 57783)
  • Error is displayed during template commit when a text field, for example an interface description, contains multiple quotes. (Bug IDs: 57693, 58568)
  • After upgrading from Release 20.2 to Release 21.1.1, the EVPN configuration is not loaded on Controllers nodes for old organizations. (Bug ID: 59355)

Limitations in Release 21.1.2

  • The Director UI may not open in Safari and MacOS 10.15, because the previous self-signed certificates are not compatible with the new security requirements of the Apple Safari browser. To regenerate a self-signed certificate, issue the following commands:
sudo su - versa
cd /opt/versa/vnms/scripts/
./vnms-certgen.sh --san example.com --san test.example.com --overwrite --storepass "<password>"

To regenerate CA-signed certificates:

  1. Regenerate the CA signed certificates to honor the new security requirements:

sudo su - versa
cd /var/versa/vnms/data/certs/
keytool -import -alias tomcatserver -file {CA_CERTIFICATE}.cer -keystore tomcat_keystore.jks -storepass <password>
  2. Synchronize the new certificate to all the Analytics nodes:

cd /opt/versa/vnms/scripts
./vnms-cert-sync.sh --sync
  • If you do not enable proxies with HTTP 2.0 and TLS 1.2, as described in Enable HTTP 2.0 on Proxies, below, browsers automatically fall back to using the HTTP 1.1 protocol. In the newer version of Tomcat, HTTP 1.1–based REST API calls with huge payloads fail intermittently because not all the payload is provided to the backend server. This issue is observed intermittently with configuration diff windows in template workflow and template commit to appliances.

  • DNS proxy configuration in templates: When a template contains a DNS proxy configuration, applying the template to devices running Release 16.1R2 fails. This happens because the DNS proxy configuration is also pushed to the Release 16.1R2 device, where it is not supported. As a workaround, delete the DNS proxy configuration from the template before pushing it to Release 16.1R2-based appliances. This issue does not occur if devices are running Release 21.1. (Bug ID: 57783)

  • Versa Director displays an error during template commit when a text field, for example an interface description, contains multiple quotes. (Bug IDs: 57693, 58568)

Limitations in Release 21.1.3

  • The Director UI may not open in Safari and MacOS 10.15, because the previous self-signed certificates are not compatible with the new security requirements of the Apple Safari browser. To regenerate a self-signed certificate, issue the following commands:
sudo su - versa
cd /opt/versa/vnms/scripts/
./vnms-certgen.sh --san example.com --san test.example.com --overwrite --storepass "password"

To regenerate CA-signed certificates:

  1. Regenerate the CA signed certificates to honor the new security requirements:

sudo su - versa
cd /var/versa/vnms/data/certs/
keytool -import -alias tomcatserver -file {CA_CERTIFICATE}.cer -keystore tomcat_keystore.jks -storepass password
  2. Synchronize the new certificate to all the Analytics nodes:

cd /opt/versa/vnms/scripts
./vnms-cert-sync.sh --sync
  • If you do not enable proxies with HTTP 2.0 and TLS 1.2, as described below, browsers automatically fall back to using HTTP 1.1. In the newer version of Tomcat, HTTP 1.1–based REST API calls with very large payloads fail intermittently, because not all the payload is provided to the backend server. This issue is observed intermittently with configuration diff windows in template workflows and template commits to VOS devices.
  • DNS proxy configuration in templates—When a template contains a DNS proxy configuration, applying the template to devices running Release 16.1R2 fails. This happens because the DNS proxy configuration is also pushed to VOS devices running Release 16.1R2, which do not support DNS proxy. As a workaround, delete the DNS proxy configuration from the template before pushing it to VOS devices running Release 16.1R2. Note that this issue does not occur if VOS devices are running Release 21.1. (Bug ID: 57783)

Enable HTTP 2.0 on Proxies

In Release 21.1.1, the Director web server (Apache Tomcat) has been upgraded to support HTTP 2.0, also called HTTP/2 or H2. Newer versions of Chrome and Firefox browsers automatically take advantage of the HTTP/2 protocol when supported by the web servers.

If an HTTP proxy, such as a load balancer, HAProxy, or NGINX, is deployed between web clients (browsers) and a Director node, you must enable HTTP/2 with TLS 1.2 on the proxy with the following cipher set:

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

When users access the Director node using secure proxies, such as ZScaler, inspection done by the proxy of the sessions to the Director node must be bypassed or the proxy must be enabled with HTTP/2 and TLS 1.2 protocols with the above cipher set.

After you update the configuration on the proxy to enable HTTP/2, use the browser's Dev/Inspect tools to verify that the browser is using the HTTP/2 protocol:

  1. On the Director login page, right-click and select Inspect to display the Dev/Inspect tools. The following screenshot shows how to do this in Google Chrome:

    Director_Login_Inspect.PNG
     
  2. In the Inspect window, select the Network tab.

    Network_Tab.PNG
     
  3. Right-click the column selector and select Protocol to display the Protocol column.

    Column_Selector_Protocol.PNG
     
  4. Reload the portal page and check the Protocol column for the H2 protocol (for the API calls made to the server).

    Protocol_H2.PNG

Request Technical Support

To request technical support, visit http://support.versa-networks.com. If you are contacting support for the first time, register and create an account. You can also send email to support@versa-networks.com or contact your Versa Networks sales account team.

Revision History

Revision 1—Release 21.1, December 20, 2019
Revision 2—Release 21.1.1, August 21, 2020
Revision 3—Release 21.1.2, December 1, 2020
Revision 4—Release 21.1.3, June 6, 2021
Revision 5—Release 21.1.4, April 27, 2022
