Versa Director Release Notes for Release 21.1
These release notes describe features, enhancements, fixes, and known issues in Versa Director Software Release 21.1, for Releases 21.1.0 through 21.1.4. Release 21.1.1 and later are generally available (GA) releases and are supported for use in production networks.
April 27, 2022
Revision 5
Install the Versa Director Software
To install the Versa Director software, see the Deployment and Initial Configuration articles.
Upgrade to Release 21.1
To upgrade to Release 21.1, see the Upgrade Software on Headend and Branch article.
Downgrade the Software
To downgrade to the software image that had been installed immediately before you performed the upgrade, issue the following command:
Administrator@versa-director> request system rollback to snapshot-timestamp
The Versa Director configuration and image are restored to the state when the snapshot was taken. Note that any configuration changes made since the snapshot was taken are lost when you perform the rollback operation. See Upgrade Software on Headend and Branch for information about upgrading HA-enabled Director nodes.
Install the Software License for Versa Director
Versa Director is controlled by a software license. You must obtain a valid license file by contacting Versa Networks Customer Support.
Note the following:
- Versa Director software ceases to operate after a 15-day trial period, so you must obtain a license key within that time.
- On all newly installed Versa Directors, you must run the Versa Director startup script, /opt/versa/vnms/scripts/vnms-startup.sh, to correctly configure the Director network interfaces for their intended function (for example, interface eth0 for northbound communication towards OSS systems and for UI access, and eth1 for southbound communication towards VOS devices).
VOS Version Compatibility
Release 21.1.2 of Versa Director is compatible with the following VOS versions:
- 21.1.2
- 21.1.1
- 20.2.2
- 20.2.3
- 16.1R2S11
- 16.1R2S10.1
- 16.1R2S9
Releases 21.1.3 and later of Versa Director are compatible with the following VOS versions:
- 21.1.3
- 21.1.2
- 21.1.1
- 20.2.4
- 20.2.3
- 20.2.2
- 16.1R2S11
- 16.1R2S10.1
- 16.1R2S9
Releases 21.1.4 and later of Versa Director are compatible with the following VOS versions:
- 21.1.4
- 21.1.3
- 21.1.2
- 21.1.1
- 20.2.4
- 20.2.3
- 20.2.2
- 16.1R2S11
- 16.1R2S10.1
- 16.1R2S9
Release 21.1 of Versa Director is not fully configuration-compliant with other versions of VOS software. If you commit templates or make direct configuration changes in the Appliance view UI to non-compatible VOS releases, the commit or configuration changes may be rejected with an RPC error.
New Features
This section describes the new Versa Director features in Release 21.1.
- Active Directory and LDAP support—You can configure Active Directory (AD) authentication connectors to use secure LDAP. You can connect a Director node to AD using a secure channel, and the Director node can connect to an AD global catalog server. See Configure AAA.
- Appliance tags—(In Releases 21.1.1 and later.) On the Appliances page, you can assign tags, which allows you to easily filter appliances using their tag values. To set tags for an appliance, click the Edit icon in the Tags column.
To filter appliances by tags, enter tag values in the Appliance Tags search box. The search filter is saved for the duration of the current session. Appliances are displayed by the selected tags even if you navigate away from the Appliances window in the Administration, Configuration, or Monitor tabs.
- Autogenerated paired site IP address for active-active HA pair—When you use device workflows to configure an active-active HA pair, the bind data variable Paired_Site__location ID is autogenerated. If the value for this bind data variable is empty, it indicates that multiple device workflows can be paired. In this case, you must enter the generated paired site ID of the other device, which must be running HA.
- CPI 810 digital certificate compliance—To support CPI 810 digital certificate compliance, a Director node triggers an alarm when an SSL certificate has expired or is about to expire (a warning alarm for 30 days remaining, and a critical alarm for 7 days remaining). The Director node automatically clears the alarm when the certificate is renewed.
- Device-level service templates—You can add specific device-level service templates on top of the group-level service templates, allowing you to specify a group-level service description while still being able to perform device-level customization using templates. See Configure Basic Features.
- Encryption of sensitive information—(In Releases 21.1.1 and later.) Sensitive information, such as IPsec PSKs, OSPF passwords, and user passwords, is encrypted in templates, bind variables, and appliance configurations. The VOS device and the Director CLI display these sensitive fields in encrypted format. After you upgrade a Director node to Release 21.1.1, existing unencrypted fields are not automatically encrypted. To encrypt the keys, access the configurations and then save them.
To disable the encryption feature from the Versa Director CLI, issue the following command:
Administrator@Director% set system settings encrypt-data enable-encrypting-sensitive-info false
- IPAM overlay addressing assignment—(In Releases 21.1.1 and later.) Versa Director supports IPAM-based IP address allocation for device overlay tunnels (ESP and VXLAN) and for staging IP address pools on Controllers and hub controller nodes (HCN). IPAM is an internal service on Versa Director and runs as a container. The main features of IPAM-based addressing allocation are:
- Organization ID and device ID are not encoded in the IP address allocated to a device.
- You can add multiple smaller address pools in the overlay addressing configuration based on your requirements. With IPAM, you can deploy an SD-WAN network with a small overlay IP pool or pools: a /8 or /16 prefix is not required.
- The next available address in the pool is allocated to a new device being created.
- When you upgrade Versa Director, currently configured overlay address pools and allocated addresses are migrated automatically to the IPAM module.
- During the upgrade process, if the validation script finds that an address is allocated to multiple devices, the upgrade process fails. You must rectify duplicate addresses before attempting an upgrade.
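The allocation and pre-upgrade rules in the IPAM item above can be reproduced offline against an exported address list. The following Python is an added example, not Versa code: it assumes IPv4 pools whose usable host addresses are handed out in order, and the pool prefixes, device names, and function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: two small overlay pools (no /8 or /16 needed)
# and the addresses currently recorded against devices.
POOLS = ["10.20.0.0/29", "10.20.1.0/30"]
ALLOCATIONS = [
    ("branch-01", "10.20.0.1"),
    ("branch-02", "10.20.0.2"),
    ("branch-03", "10.20.0.3"),
    ("hub-01", "10.20.0.4"),
    ("branch-04", "10.20.0.5"),
    ("branch-05", "10.20.0.6"),
    ("branch-06", "10.20.1.1"),
    ("branch-07", "10.20.0.3"),  # constructed duplicate of branch-03
]


def find_duplicates(allocations):
    """Map every address held by more than one device to its sorted owners."""
    owners = defaultdict(set)
    for device, addr in allocations:
        owners[ipaddress.ip_address(addr)].add(device)
    return {
        str(addr): sorted(devices)
        for addr, devices in sorted(owners.items(), key=lambda kv: int(kv[0]))
        if len(devices) > 1
    }


def next_available(pools, allocations):
    """Return the first unused host address, walking the pools in order."""
    used = {ipaddress.ip_address(addr) for _, addr in allocations}
    for pool in pools:
        # Assumption: network and broadcast addresses are never handed out.
        for host in ipaddress.ip_network(pool).hosts():
            if host not in used:
                return str(host)
    raise LookupError("all overlay pools are exhausted")


def pre_upgrade_check(allocations):
    """Return one message per duplicated address; an empty list means clean."""
    return [
        f"{addr} is allocated to {', '.join(devices)}"
        for addr, devices in find_duplicates(allocations).items()
    ]


if __name__ == "__main__":
    for problem in pre_upgrade_check(ALLOCATIONS):
        print("rectify before upgrade:", problem)
    print("next address for a new device:", next_available(POOLS, ALLOCATIONS))
```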
- Kafka client—Versa Director now streams high volumes of data to Kafka servers. Kafka is a TCP-based streaming protocol and API implementation. The protocol defines all APIs as request-response message pairs.
- Layer 2 template workflows—(In Releases 21.1.1 and later.) Template workflows are enhanced with Layer 2 configuration, to allow you to configure virtual switches, Layer 2, and IRB interfaces. You configure organization-level virtual switches under Configuration > Objects > Virtual Switches, as shown below:
When you create an organization using a workflow, a default virtual switch is automatically generated. You can configure bridge domains within each virtual switch using the bridge domain name and a VLAN ID. Bridge domains are named VLAN segments. Bridge domain names and VLAN IDs must be unique within a virtual switch.
In the Workflows > Templates workflow, a new interface type, L2, is added in the Interfaces tab. To select the Layer 2 interface, click the interface icon to mark a port as a Layer 2 port.
Layer 2 interfaces are displayed in the Interfaces tab > Layer 2 Interfaces tab. You can configure Layer 2 workflows in Basic or Advanced mode. The following screen shows basic mode:
In advanced mode, you can select different organizations across subunits of the same port and specify a bridge domain for line translation. The following screen shows that the virtual switch added earlier is available for the organization in the Layer 2 workflows.
You can configure IRB interfaces as LAN or WAN. The VLAN ID of the IRB must map to a VLAN ID in the Layer 2 workflow interfaces for the organization of the LAN/WAN interface. If there is a mismatch, the template workflow deployment fails.
See Configure Layer 2 Forwarding.
- Next-generation RBAC framework—A next-generation RBAC framework replaces the NCS RBAC framework. Versa Director has used the NCS NACM framework to provide role-based access control (RBAC), but as the number of objects grows in the system, performance degrades and a large amount of framework data is created, resulting in slowness when you create or delete appliances or create templates. The next-generation RBAC framework improves performance and allows a Director node to handle more devices. With these changes, only the Director GUI and the REST API are protected by RBAC; the CLI is not protected by RBAC. This results in two consequences:
- Any user who has access to a Director node can see all data that is available in the CLI. Therefore, it is highly recommended that you limit access to the Director node.
- For external authentication, only a user with the role ProviderDataCenterSystemAdmin can SSH and SCP to a Director node. Users with any other role cannot log in to the Director node. The Director node can no longer differentiate between an operator and an admin user, so all roles will have the same access to the system. This enhancement safeguards the Director node by limiting the users who can access the system.
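Because the CLI sits outside RBAC, each successful shell login to the Director node is worth reviewing against who and where it should come from. The following Python is an added example, not part of the release notes or of Versa tooling: it reads OpenSSH "Accepted" log lines, and the management subnet, expected account list, host name, and log lines are constructed assumptions.

```python
import ipaddress
import re

# Assumptions for illustration: the management subnet allowed to reach the
# Director node and the accounts expected to open a shell on it.
MGMT_NETWORKS = [ipaddress.ip_network("10.10.5.0/24")]
EXPECTED_ACCOUNTS = {"Administrator"}

# Constructed sample lines in OpenSSH's syslog format (on Ubuntu these are
# typically written to /var/log/auth.log).
SAMPLE_LOG = """\
Apr 27 09:14:02 director01 sshd[2211]: Accepted password for Administrator from 10.10.5.20 port 51122 ssh2
Apr 27 09:40:51 director01 sshd[2290]: Accepted publickey for Administrator from 198.51.100.23 port 40022 ssh2
Apr 27 10:02:13 director01 sshd[2301]: Accepted password for jsmith from 10.10.5.31 port 50210 ssh2
Apr 27 10:05:00 director01 sshd[2302]: Failed password for root from 203.0.113.9 port 40100 ssh2
Apr 27 10:07:44 director01 sshd[2310]: Accepted password for svc-backup from 192.0.2.77 port 39012 ssh2
"""

ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def review_logins(log_text, mgmt_networks=MGMT_NETWORKS,
                  expected=EXPECTED_ACCOUNTS):
    """Return one finding per successful login that breaks the access policy."""
    findings = []
    for line in log_text.splitlines():
        match = ACCEPTED.match(line)
        if not match:
            continue  # failed attempts and other daemons are out of scope here
        reasons = []
        try:
            src = ipaddress.ip_address(match["src"])
        except ValueError:
            reasons.append("unparseable source address")
        else:
            if not any(src in net for net in mgmt_networks):
                reasons.append("source outside management networks")
        if match["user"] not in expected:
            reasons.append("unexpected account")
        if reasons:
            findings.append({
                "time": match["ts"],
                "user": match["user"],
                "source": match["src"],
                "method": match["method"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in review_logins(SAMPLE_LOG):
        print(f["time"], f["user"], f["source"], "; ".join(f["reasons"]))
```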
- Order of service templates policy rules—(In Releases 21.1.1 and later.) In previous software releases, when you applied service templates, the rules with a higher priority were inserted after rules with lower priority. In Release 21.1.1, this behavior has been changed so that the higher-priority rules precede the lower-priority rules. This change is in effect wherever you order the rules, because in the VOS software, rules with a higher priority take precedence over the rules with a lower priority. In the stack of templates (main and service templates) applied on a device, the lower the template in the order, the higher the priority the configuration in the template becomes. For policy rules, such as firewall and traffic steering rules, rules from the template in the lower order are added to the top of the rules stack.
- Redundant authentication connector—Versa Director allows you to configure multiple redundant authentication servers for RADIUS, TACACS, LDAP, and Active Directory (AD). Authentication by external servers is based on the configured order. If the first authentication server is not reachable, authentication falls back to the next server. See Configure AAA for User Authentication.
- Schedule automatic software upgrades—You can schedule software upgrade tasks to occur automatically. You can commit tenant-specific templates and download or upload software to one or more appliances at the same time. You can edit or cancel an automatic software upgrade at any time. See Upgrade Software on Headend and Branch.
- Schedule template commit and appliance upgrade—(In Releases 21.1.1 and later.) You can schedule template commits to VOS devices or software upgrades. If a VOS device is not reachable at the time of the scheduled job, you can set the option for the system to automatically execute the job when the VOS device becomes reachable.
You can view the scheduled and executed jobs from the Administration > Scheduled Tasks menu:
- SD-WAN workflows and AWS Transit Gateway integration—(In Releases 21.1.1 and later.) Versa Director fully automates the configuration of site-to-site IPsec tunnels by calling AWS APIs to create Network Manager objects such as devices, site, links, and customer gateways, and by creating a VPN connection between the transit gateway and the customer gateway. When you create an IPsec tunnel between a VOS device and an AWS transit gateway registered in the AWS global network under Network Manager, manual configuration of IPsec tunnels and VPNs is not required. You can manage and view all site-to-site tunnels from a VOS device to the AWS transit gateway, Azure Virtual WAN, and Zscaler. This support, which uses Secure SD-WAN from the Versa Secure Cloud IP Platform as the branch on-premises CPE solution, enables dynamic and secure branch-to-branch and secure branch-to-AWS connectivity, with SD-WAN application-aware intelligent traffic steering across the AWS-powered backbone.
To configure the VPN, use the Tunnels tab in the Template workflow:
To enter connector and AWS details, use the Tunnel Information tab in the Add Device workflow:
- Signature verification for software package uploads—(In Releases 21.1.1 and later.) You can use digital signature verification to verify Versa Director and VOS software packages that are uploaded using a Versa Director node. See Configure Signature Verification for Software Package Uploads.
- Subscription lifecycle updates—(In Releases 21.1.1 and later.) A number of changes have been made to the subscription lifecycle, including the following. See Subscription Lifecycle.
- Licenses are valid for 1, 3, or 5 years.
- License subscriptions do not support the Created and Suspended states.
- A license is immediately activated after the device performs ZTP.
- Manual license activation is not required.
- Ubuntu Release 18.04—You can use Ubuntu Release 18.04 (Bionic Beaver) as the base Linux platform for Versa Director. The specific software version is Ubuntu 18.04.4. Separate .bin and .iso software images are available for Ubuntu 18.04. Note that in Release 21.1, you cannot upgrade directly from Ubuntu Release 14.04 to Release 18.04.
- Zscaler GRE tunnels—(In Releases 21.1.1 and later.) Versa Director supports the integration of Zscaler third-party site-to-site tunnels through workflow, to simplify the deployment of large-scale secure and optimized branch connectivity. You can create secure generic routing encapsulation (GRE) tunnels between a VOS CPE device and a device hosted in the cloud, in a data center, or by Zscaler, to optimize the connectivity between the VOS and cloud devices. The VOS CPE device can be a physical device or a cloud-based SD-WAN device.
When you create a site-to-site GRE tunnel between a VOS device and an unmanaged cloud device, you must configure network details such as the site-to-site tunnel name, the tunnel protocol (as GRE), the LAN VRF, and the WAN/LAN network to establish the connection on the unmanaged device. To do this, you create a Workflow template in which you configure a tunnel and VPN profile for the unmanaged device:
To add a VPN profile for a GRE tunnel:
Enhancements
The following table lists the enhancements in Release 21.1.
Enhancements in Release 21.1
Feature Tracking Bug | Description |
---|---|
44704 | Director triggers an alarm if the SSL certificate has expired or if it is in the critical (Last 7 days) or warning (Last 30 days) state. The alarm is cleared automatically when the certificate is renewed. |
40804 | When you use device workflow to configure the active-active HA configuration, the bind data variable Paired_Site__locationID is autogenerated. If the value is empty, you can pair multiple device workflows, entering the generated paired site ID of other device. |
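The expiry thresholds in tracking bug 44704 above (warning at 30 days, critical at 7 days) can be mirrored in an independent check run from a monitoring host. The following Python is an added example, not Versa code: it classifies `notAfter=` lines as printed by `openssl x509 -noout -enddate`, treats both thresholds as inclusive (an assumption), and uses constructed certificate labels, dates, and reference time.

```python
import ssl
from datetime import datetime, timedelta, timezone

WARNING = timedelta(days=30)   # warning alarm window from the release notes
CRITICAL = timedelta(days=7)   # critical alarm window from the release notes

# Constructed sample: one `openssl x509 -noout -enddate` output line per
# certificate, keyed by a hypothetical label.
SAMPLE_ENDDATES = {
    "director-ui": "notAfter=Apr 20 12:00:00 2022 GMT",
    "rest-api": "notAfter=May  2 00:00:00 2022 GMT",
    "ha-sync": "notAfter=May 20 00:00:00 2022 GMT",
    "analytics-client": "notAfter=May 27 00:00:00 2022 GMT",
    "ldap-ca": "notAfter=Apr 27 00:00:00 2023 GMT",
    "broken-entry": "notAfter=not a date",
}
SAMPLE_NOW = datetime(2022, 4, 27, tzinfo=timezone.utc)  # constructed clock

# Most urgent first; "ok" is never reported.
SEVERITY = ["expired", "unparseable", "critical", "warning"]


def classify(enddate_line, now):
    """Classify one notAfter line as expired/critical/warning/ok/unparseable."""
    value = enddate_line.split("=", 1)[-1].strip()
    try:
        expiry = datetime.fromtimestamp(
            ssl.cert_time_to_seconds(value), tz=timezone.utc
        )
    except ValueError:
        # Never report an unreadable expiry date as healthy.
        return "unparseable"
    remaining = expiry - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining <= CRITICAL:
        return "critical"
    if remaining <= WARNING:
        return "warning"
    return "ok"


def audit(enddates, now):
    """Return (label, state) for every certificate needing attention."""
    states = {label: classify(line, now) for label, line in enddates.items()}
    flagged = [(label, s) for label, s in states.items() if s != "ok"]
    return sorted(flagged, key=lambda item: (SEVERITY.index(item[1]), item[0]))


if __name__ == "__main__":
    for label, state in audit(SAMPLE_ENDDATES, SAMPLE_NOW):
        print(f"{state:12} {label}")
```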
Enhancements in Release 21.1.1
Feature Tracking Bug | Description |
---|---|
39771 | If you enable the scheduling of security packs (SPack) downloads, Versa Director automatically installs or updates the latest SPack on the Director node. In earlier releases, SPacks were downloaded only as part of scheduled SPack download. |
42136 | You can set the same priority on different hubs in a spoke group, to allow spokes to use multiple equal-priority hubs and to load-balance traffic. |
43272 | Tasks page filtering is enhanced in the GUI and filtering is done on the backend (server side). You can filter tasks based on username and domain name (organization). A new filter, AnyField, takes a search string and performs a regex search on all Task columns. |
45234 | You can download a premium or sample version of an SPack from a cloud server to a Versa Director node and to VOS devices, based on the SPack user configuration. In earlier releases, you could download and install only premium SPacks. |
47072 | You can select only one of the following options from the Service Bandwidth drop-down list: 10 Mbps, 25 Mbps, 50 Mbps, 100 Mbps, 200 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, and 10 Gbps. |
47083 | Suspend and reactivate license subscription states have been deprecated, and these options have been removed from the Perform Subscription Action window. If CPEs are in the Suspended state when upgraded to Release 21.1.1, they are placed in the Activated state. |
47085 | License period with options 1 year (default), 3 years, and 5 years have been added in following windows: License period is displayed in the entitlement reports, monthly reports, and query page. Subscription renewal is calculated based on the license period. |
47086 | isPrimary and isAnalyticsEnabled options are disabled in license subscription. These two options have been removed from following windows. These two flags have been removed from the entitlement and monthly reports. |
47089 | You can view details about a license to determine how many licenses are active and how the licenses are being used. The license details displayed include the start and end dates, solution tier, bandwidth, location, and serial number. To view license details in Director view, select the Administration tab in the top menu bar, and then select Entitlement Manager > License Detail View Entitlement Manager in the left menu bar. |
47819 | The task start and end times are displayed according to the client browser's timezone. This means that for users in different time zones, the same task is displayed based on their local time zone. For example, suppose a task with ID 6 has start time as Sat, Jun 20 2020, 16:24:14 in UTC. If a user in the India timezone logs in to Versa Director, the start time of task with ID 6 is Sat, Jun 20 2020, 21:54:14 (because IST is UTC +5:30). If a user from the U.S. PST timezone logs in to Versa Director, the start time of the same task is Sat, Jun 20 2020, 8:24:14 (because PST is UTC –8). |
48305 | With IPAM-based overlay address allocation, Controller and hub controller node template workflows now provide staging pool size for each WAN interface. You can disable the staging option on some WAN interfaces. |
49318 | Versa Director and VOS software packages (Director and VOS) have digital signatures that can be verified while the software packages are uploading to Versa Director. By default, this feature is disabled. You can enable it using the CLI or the GUI. If you enable signature verification, you must upload the signature file while you are uploading the image. If the signature is verified, the uploaded image remains on the device. If signature verification fails, the uploaded image is deleted and the task fails. |
51986 | To detect any misconfiguration in Versa Director that can cause an upgrade failure, the configuration is validated as part of the upgrade. For more information, see the Before You Upgrade to Release 21.1.1 section, above. |
52235 | In the SSO configuration, the new option sp-entity-id allows interoperation with Azure AD SAML. |
53346 | When a session is close to timing out, Versa Director displays a global notification. Users are provided the option to continue with their current session. |
53575 | SD-WAN forwarding profiles have been enhanced to support path list–based circuit priorities (path-name-list, path-type-list, path-media-list and path-tags-list), last-resort priority, and an unmatched priority. Path list–based circuit priorities provide flexibility for defining priorities using exact match for local and remote circuits, thus removing the ambiguity about when to use AND or OR in match conditions for local and remote circuit priorities. The new path list–based priorities and the existing circuit priorities model are mutually exclusive at a specific priority level. That is, if you select path list–based priorities, the current circuit priorities model is not allowed, and vice versa. However, you can select both types of priority levels at different priority levels. For the last-resort priority, paths configured with this priority are used when all other paths go down, thus allowing you not to use LTE paths when other paths are available. The unmatched-priority defines the priority of the paths that are not configured explicitly. For example, if the unmatched priority is set to priority 2, any path that is not configured in the forwarding profile is considered as priority 2. |
56910 | To avoid users continuously sending mails for a forgotten password, you can configure the Forgot Password Request Time Interval, in seconds, to set how often users can make a request. The default interval is 900 seconds (15 minutes), and the minimum value is 60 seconds. This feature is enabled by default. If you do not require it, set a higher value for Forgot Password Request Time Interval in the User Global Settings window. |
57530 | Changed high availability GUI labels from Master and Slave to Active IP Address and Standby IP Address. |
Fixed Bugs
The following tables list the critical and major defects that were fixed in Release 21.1.
Fixed Bugs in Release 21.1
Tracking Bug | Description |
---|---|
46503 | The exported summary report does not show CPEs with 10-Gbps configured bandwidth. |
46336 | Staging template was not showing up in device group creation for parent organization. |
46256 | Some sites are missing from the entitlement query report. |
45603 | External 2FA is not redirecting to enter code UI page when you use SMS. |
45568 | NAT traversal field in Director UI was showing as undefined in the UI and was not editable. |
45546 | AWS geographic locations Bahrain and Hong Kong regions were missing when creating SD-WAN gateway in a public cloud. |
45203 | Velocity template now sets the MTU of PPPoE interface to 1492. |
45153 | Device drop-down list did not skip invalid entries when populating in UI for security packages installation. |
45025 | Editing adaptive shaping settings in a service template causes a remote server exception. |
40664 | Update vnms-startup.sh to have more meaningful settings, such as "Prompt to set new password at first time UI login (y/n)?" |
38900 | Add a warning popup for the Clear button in the DHCP active leases section in the Services tab. |
34601 | Handle link-local address for IPv6 for URL-based ZTP. |
Fixed Bugs in Release 21.1.1
Tracking Bug | Description |
---|---|
41606 | Extending the IKE SA lifetime up to 24 hours is not working in Director UI under VPN profile. |
41853 | In static routes, exit interface can be none and next-hop IP address both must not be mandatory. |
42055 | After upgrading Director to Release 20.2, if any template is modified and committed to a device running Release 20.2, diff shows configurations of Releases 16.1R2 and 20.2. |
42722 | Upstart does not restart postgres database process when it is killed. |
44765 | Versa Director had to be restarted after applying maximum CPE limit license for license information to take effect. Support is added to update required license information cache soon after applying the CPE limit license, without restarting Versa Director. |
46560 | Unable to perform all actions for WAN network groups for PDCO, TO, TSA, TSECA, and TDO roles. |
47932 | Transport domains (internet/MPLS) are not listed when creating a WAN name. |
48074 | Scheduled SPack download does not start based on the start time and interval configured. Now, Versa Director downloads SPack based on the scheduled time and version configured in the SPack settings. Also, you can change the time or interval to reschedule. |
48243 | Template commit using service templates does not work if the selected service template is added at the device level in device workflow. |
48516 | Versa Director Memory dashboard displays low free memory. |
49145 | Upgrade process must fail or stop if there is error in receiving the postgres dump during an upgrade. |
49863 | Upgrading Director to Release 20.2.1 fails because the sdwan_sla_loss_pct.lua and migrate.py scripts fail. |
49924 | After you upgrade from Release R2.10 to 20.2.1, static routes in the workflow template are not migrated to postgres and error is logged in upgrade.log. |
51102 | Shell In the Box does not open up and displays an HTTP Status 403 - Forbidden error. |
52235 | Need an option to add sp-entity-id SSO with Azure AD SAML. |
52450 | Versa Director does not load the list of pages if a single quotation mark (') is included in location details. |
52690 | Versa Director tasks for appliance UUID are not returned from REST APIs. |
52791 | GUI does not display Jitter, Transmit, and Receive fields in SLA Profiles. |
52816 | Supported character length in NGFW policy rule description is not displayed. |
53318 | Disk fills up because of postgres logging. |
53537 | Versa Director logs out automatically when another window is opened and is kept idle until the GUI idle timeout expires. |
53592 | uCPE guest VNF user data/custom file names configuration pushed to device with proper names to create guest VNF successfully. |
54150 | Add support for OpenId logout when direct link is used. |
54157 | Add support for selected IDP/local logout for IDP initiated SSO. |
54237 | Add support for GET Alarms API with data type XML. |
54311 | Suborganization is not displayed for a device in the Appliance and Device Monitor tab. |
54432 | Cannot parameterize DNS values in DNS settings. |
54629 | Duplicate serial number is displayed in the bind data tab of Device Workflow menu. |
55139 | GET APIs do not work for multiple key list element in appliance yang model, for example, static routes list. |
55152 | SSO tenant user can log in to Versa Director, although roles are not associated with the organization. |
55224 | Release 20.2.2 upgrade validation script fails because of issues in the auth-connector-validation.py script. |
56002 | Cannot configure Versa Analytics FQDN under SAML client from GUI, even though the configuration can be done using CLI. |
56030 | Cannot delete controller from the UI because of issues related to user authentication token. |
56111 | In DNS proxy resolver, not all sites are listed in the site name drop-down list. |
56131 | Template commit fails randomly with error CacheLoader returned null for key Thread[TemplateService-ApplyTemplate-18,5,main]. |
56266 | When you are creating users in User Management, First name and Last Name field do not support special characters. |
56546 | Logout fails with SP/IDP-initiated SSO. |
56556 | In the tcpdump Tools screen, Versa Director downloads previously downloaded PCAP files. Fixed to download only PCAP files of the current site. |
56794 | When upgrading from Release 16.1R2Sx to Release 20.2.2, the Last Modified By and Modified Date fields are not copied correctly. |
56816 | When you commit the master template with overwrite option, if an NGFW service template is associated at a device level, some routing instances are removed from the Available Routing Instance and Owned Routing Instances. If a shared service template is associated with a device in device workflow, the configuration is not properly merged from the service template. |
56958 | Analytics URL uses HTTPS when accessed using SSO after you configure a Versa Analytics client in the Versa Director SSO connector. |
57121 | Device is not displayed in Entitlement Query or reports, if device creation fails during ZTP. |
57438 | External OAUTH tokens cache issue fixed to handle concurrent Versa API requests efficiently. |
57497 | Second Controller deployment fails if any WAN interface on the primary Controller has only an IPv6 address. |
57664 | Versa Director does not fall back to local authentication when all the configured TACACS+ and RADIUS authentication servers were not reachable. Director falls back to local authentication, and authentication is successful when you enter the correct user credentials. |
57677 | When you change the redistribution policy, graceful restart helper mode is disabled in the BGP configuration. |
57720 | Validating a template with QoS service template displays the error {"response-code":"201","error-message":"com.tailf.maapi.MaapiException: A variable value has not been assigned to: v_vni-0-0_Rate__cosInterfaceRate","response-type":"error"}. |
57727 | In Release 20.2, the order of source and destination zones in firewall rules is different from earlier releases. |
57934 | Tenant users can view the resource pool of all the tenants under the provider. |
58104 | Memory leaks identified and fixed in ConfOperationImpl, SpackImpl, and RestProxyProcessor. |
58106 | You can configure the ping wait and timeout values for devices from the Director CLI. You might want to configure higher timeout values for devices that are reachable only over high-latency satellite links. nms { provider { monitoring-settings { appliance-monitoring-settings { single-device-ping-timeout 30; bulk-devices-ping-timeout 60; } } } } |
58248 | NTP configured with the server FQDN does not work, because the routing instance is not configured in the NTP server configuration by using the template workflow. This is fixed so that the template workflow configures routing instance in the NTP server configuration. |
58340 | Search function does not work in Organizations workflow list. |
58393 | appliance-final-configuration-completed AMQP event populates the organization in the content as "organization": "System", instead of the organization name. |
58591 | When TACACS+ is enabled, cannot restart services using vsh. When external authentication is enabled, when an external user with ProviderDataCenterSystemAdmin (PDCSA) role has logged in, users cannot restart VNMS services. |
58741 | GUI does not allow configuration of BGP password with more than 16 characters. BGP passwords up to 128 characters can be configured using the CLI. |
Fixed Bugs in Release 21.1.2
Tracking Bug | Description |
---|---|
39617 | Proxy authentication is now supported, so a user can configure the username and password of an external proxy server. |
41228 | Fixed vulnerabilities in UI JS libraries. |
42472 | Added ability to unlock user from appliance UI page. |
51101 | TenantSuperAdmin might not be able to view active users for their tenant. |
52509 | HA template workflow now has a validation check for redundant pair template name. |
52621 | You might not be able to set the UTC timezone on a VOS device. |
52895 | Add ability to clone policy configuration for site-to-site VPN profiles. |
53306 | Template merge might take a long time. |
53346 | UI might log out unexpectedly. |
53837 | uCPE SSH might not work for tenant custom user role. |
53926 | Fix popup windows to fit in the screen in all tab views. |
54133 | If you use the request system recovery backup command to perform a backup operation, the result is now shown. |
54432 | Add support to parameterize DNS values in DNS settings. |
55415 | Removed server and server pool type "http" configuration from UI in ADC collector configuration. |
56266 | Special characters in First Name and Last Name when creating users in Director User Management are now allowed. |
56473 | Upgrade from Release 16.1R2S9 to Release 20.x was failing if there were device groups with no associated templates after the migration. |
56661 | After you commit changes in build mode, a device might remain in the Southbound locked state. |
57669 | When you select more than one service, associating an organization with an appliance might fail. |
57670 | When you associate an organization on the Appliance screen and select a service node group, services should not be a required field. |
57750 | You might see the bearer token missing error during OAUTH-based GET calls. |
58155 | The local peer PSK autogenerated variable name might be incorrect and does not appear in the device bind data. |
58438 | The IKE Down status was misleading in the Director Monitor dashboard and has been removed. |
58710 | The stateful service template now has a tab for objects. |
58741 | From the UI, you could not configure a BGP password longer than 16 characters. |
58828 | There was a display issue of “Last Modified Time” in the UI for workflows. |
58835 | An unexpected CPE license expiry alarm might be generated. |
58929 | Unable to add SSO Multiple Customer Roles with Same Director role in External SSO Role Mapping. |
59034 | Purge was not deleting local backups. |
59086 | VRRP configuration might be lost when physical interface IP address is modified. |
59092 | You can now configure IPv6 interface mode in the UI. |
59464 | Sometimes, we were unable to see Devices under Monitoring, Configuration, Workflows Tabs after HA failover. This is fixed. |
59751 | New API added to return applianceStatus by appliance name: https://ip-address:9183/vnms/dashboard/applianceStatusByName/organization-name/appliance-name |
59919 | Configuring multiple BGP peer tracking configuration in HA in a device template might fail. |
59956 | The OS Spack option is now visible for Tenant Super Admin users. |
60042 | Commit template could not identify the configuration changes between the Configuration Template and Appliance configuration, and always shows In-Sync. |
60537 | The service name and access concentrator are no longer mandatory in device workflow. |
60857 | Director upgrade from Release 20.2.2 to Release 20.2.3 might fail because of stale entries in bind data. |
60967 | Added routing-instance match condition to QoS policies. |
61060 | When Director logged out, an error message was seen with SSO. |
61244 | Paired site location ID was not configured properly. |
61389 | A negative site ID number might be displayed for non SD-WAN CPEs in appliance listing screen. |
61402 | Enabling HA might fail with an error on the secondary device. |
61433 | Hardware replacement might fail regardless of the image on the new appliance with wrong build-type error. |
61492 | Missing software version in Director database for CPE might cause a hardware replacement failure. |
61585 | When configuring a VFP rule, the disable radio setting was not working as expected. |
61717 | Some screens became slower when device names were displayed in a drop-down list. |
61795 | Unexpected task in the stuck state during device onboarding. |
61849 | When templates were committed simultaneously from different user’s template, the commit might fail. |
61948 | Provider data center operator cannot view unknown devices in Versa Director. |
61976 | Director now allows hyphen (–) and numbers in custom user role names. |
62034 | Disabled PostgreSQL WAL archives to reduce disk usage. |
62094 | CPE SLA configuration path policy was lost when upgrading from Release 16.1R2 to Release 21.1.1. |
62163 | UI monitor screens made API /orgs/org/{tenant}/kpi calls too often, causing slowness. |
62372 | In template workflow, isStaging flag was not set correctly during change from Hub Controller to Hub. |
62485 | Update operation not working for IDP-based SAML user. |
62631 | Duplicate IP address was allocated by IPAM, causing the branch reachability issues from the Director node after upgrading to Release 21.1.1. |
Fixed Bugs in Release 21.1.3
Tracking Bug | Description |
---|---|
35962 | Upgrade vulnerable outdated third-party libraries on the backend. |
40157 | Add support for TCP-based remote syslog connector. |
41228 | Remove and replace vulnerable third-party JavaScript libraries (UI). |
42524 | Logging out of application using Okta OpenID SSO now works. |
45901 | Add support for installing security pack (SPack) on Director node using CLI command. |
48033 | Source networks drop-down for adding NTP server now works correctly. |
48431 | Improve performance when loading Virtual Router page. |
50423 | Add REST API to fetch only WWAN status. |
51101 | TenantSuperAdmin users can now view active users of the tenant. |
52001 | Fix NCS crash with error "Internal error: Supervision terminated". |
52790 | Fix drop-downs for Certificate and Key Fields when editing Certificate Manager. |
53967 | SPack version information is displayed in appliance listing page. |
54006 | Director to VOS device certificate validation for Confd on port 8443. |
54132 | Template state in commit windows now shows correct state information all the time. |
55886 | File filtering in NGFW shows inconsistent display depending on navigation path. |
56777 | Allow display of location/map information for child organizations in a multitenant deployment. |
56810 | Plus (+) sign in security policy is greyed out until page loads completely. |
57028 | Director now displays correct free memory values. |
57369 | PPPoE WAN Interface network name is now added to traffic identification list. |
57693 | Error displayed when commit template fails is not correct if description has multiple quotation marks. |
58484 | Prevent change password blasting. |
58698 | Shared service templates now appear in the service template drop-down on the commit template screen. |
58828 | Last Modified Time field in UI for workflows now displays correct time in browser's local time zone. |
58921 | Allow exported SSO metadata to be imported into external IDP. |
59034 | Purge now also deletes local backups. |
59050 | Allow addition of firewall rule at a specific location. |
59207 | Fix issue where UI intermittently shows that device is out of sync. |
59426 | Support application location longer than 200 characters. |
59751 | Add REST API to return applianceStatus by appliance name: https://ip-address:9183/vnms/dashboard/applianceStatusByName/organization-name/appliance-name |
59818 | Fix issue where forwarding profile content in SD-WAN rule is not displayed. |
59873 | If you change interface IP address to be the same as the VRRP IP address, UI now displays a message asking you to set VRRP priority to 255. |
59919 | You can now add multiple BGP peer tracking entries in HA device template. |
59956 | OS Spack option is now visible for Tenant SuperAdmin users. |
60042 | Commit template cannot identify the configuration changes between the Configuration Template and Appliance configuration, and always shows In-Sync. This issue has been fixed. |
60106 | API response does not match the GUI output for SD-WAN traffic for appliance in Monitor tab. This issue has been fixed. |
60857 | Director node upgrade fails when upgrading because of stale entries in bind data. This issue has been fixed. |
62155 | AWS DescribeInstances API call fails, with error "instance ID does not exist". This issue has been fixed. |
62205 | uCPE VNF creation task not created if the template is committed to the device on the Diff View screen. |
62352 | Template state in commit windows does not reflect changes to service template or to adding or deleting service template to a device group or device workflow. |
62422 | Add account type Service for server-to-server communication. |
62433 | It is possible to inject comments by entering special characters. This vulnerability has been fixed by adding careful handling of special characters. |
62556 | When you create a new notification rule condition, the name is fixed to previous one and cannot be changed. This issue has been fixed. |
62557 | NGFW service is not picked up from default-sng if services field is empty. |
62608 | TenantSuperAdmin user cannot change session timeout. This issue has been fixed. |
62631 | Fix issue with IPAM allocating duplicate IP addresses. |
62720 | Fix UI issues with firewall rules page and view more security access page. |
62785 | Add support for Azure GOV cloud using CMS. |
62790 | Audit log EXTERNAL_USER.log now displays username instead of bearer token. |
62949 | Add ability to configure timeout in RADIUS/TACACS+ API calls. |
63142 | Scheduler should not send email when commit template is scheduled for now. |
63164 | Link-Mode and Link-Mode settings are grayed out for PPPoE interface. |
63168 | Password not encrypted from browser. |
63185 | When you cancel creation of a new device workflow at bind data tab, system does not allow you to create same device name even though it canceled the first attempt. |
63186 | Change password screen header and footer logo is not using custom partner icon and instead always displays Versa. |
63241 | After an upgrade, the bind variables of service templates are missing from device bind data tables. This issue has been fixed. |
63249 | When you use vnms-startup.sh in non-interactive mode, the southbound address included is the dockerip 172.17.0.1, even though the vnms.properties file has the correct southbound address. This issue has been fixed. |
63397 | Redistribution policy Default-Policy-To_BGP on DMZ-VR (not VRF) is not created when service template has no DIA or gateway options. This issue has been fixed. |
63430 | After you delete a device from a workflow, the device global site ID may not be released. This issue has been fixed. |
63451 | Add support for VRF ID and VRF Name as variables. |
63589 | HA failover operation sometimes results in an application timeout. This issue has been fixed. |
63591 | Allow template name to be up to 127 characters. |
63597 | UI does not permit adding second static route next-hop tunnel. |
63656 | Cannot update SNMP trap profile from GUI. |
63665 | Add REST API documentation for device template import and export. |
63733 | LTE interface is missing if PPPoE is configured first. |
63736 | CoS read-write rule copy attribute displays as active, but when editing it shows not active. |
63827 | Increase length of SMTP username in UI from 16 characters to 256 characters. |
63841 | Allow parameterization of subinterface description for Ethernet/LTE subinterfaces. |
63863 | For CGNAT/SDWAN/VFP/IPS sessions in Monitor > Services, the forward/reverse byte count is not sorted correctly. |
63897 | Kafka message publishing should happen in async thread to handle unreachable or slow brokers. |
63964 | Read-only users cannot log in to Director node because of a special character used in the user role description field. |
63987 | Change appliance state monitoring run interval for scaled setup. |
64035 | Subscription changes on workflow template are not reflected in Entitlement manager section of CPE and Director node. |
64110 | You can now configure description column in task window. |
64190 | Addresses configured in another address group are not displayed correctly. |
64211 | Task window error message is displayed as "[Object] [Object]". This issue has been fixed. |
64262 | Unable to delete the VLAN Unit if VRRP is configured in the unit. |
64365 | TCL: Separating transactions for 3 skip apply calls during ZTP. |
64442 | Fix vulnerability of guessing users using user enumeration attack. |
64572 | Controller workflow screens now validate IP subnet. |
64587 | Monitor > Summary tenant screen displays breakdown of interfaces. |
64598 | Encrypted key pushed to VOS device version that does not support it. |
64652 | When you choose the same network for main and standby template and you choose cross-connect port, template workflow displays warning popup. |
64677 | Add unique constraint for Local Organization. Also, enhance validation script to catch this constraint. |
64713 | Login, logout, and change password timestamp not recorded in audit logs. |
64724 | Monitor > Services > IPsec > SA Tab does not show complete information. |
64974 | Hazelcast device status API is not working. |
65064 | In bind data pagination, unable to display more than 100 rows. |
65069 | Autogenerated bind data IKE identifier is not updated. |
65198 | Even though disable virtual service is enabled during Controller deployment, the service is not actually disabled. |
65222 | IPsec type tunnel interfaces are not shown in correct drop-down in Monitor UI. |
65235 | OK button is not working while creating a device after filling in bind data information. |
65679 | In Firefox, the password field is shown in cleartext. |
65692 | Do not allow |,[,] characters in URL filtering. |
65735 | User authentication using OAuth does not work when fetching HA status from NCS. |
65753 | Enable suspend-backup collectors as the default in workflow templates. |
65754 | Change log level to Info for alarm module. |
65774 | SIT update CPE ports object in Controller firewall rule. |
65775 | Error occurs when pushing hub-and-spoke post-staging template. |
65793 | Workflow device deployment using CMS connector does work in Azure China region. |
65818 | SD-WAN policies created by workflow need add action. |
65880 | Cannot see more than 1024 devices in OSS selection field. |
65883 | Repeatedly executing the Uptime REST API call causes the subsystem to stop. |
65964 | UI does not return the proper error when creating a user with invalid information. |
66020 | User order in leaf list elements is incorrect. |
66077 | Cache control header is not set properly. |
66107 | Remove traceroute CLI command from Director node. |
66416 | Cannot take snapshot using external auth users. |
66429 | Paired location ID is not displaying in drop-down list in vertical bind data form. |
66498 | When template is locked by user with lock scope "Other Users", template is inaccessible for user who locked it. |
66523 | Device workflow update and deploy should require read privilege only for device group. |
66668 | CoS interface under Monitor > Service should display traffic stats per traffic class. |
66741 | Device deployment fails with exceptions. |
66965 | Log collector configuration should support parameterization of destination IP address and port number. |
67008 | Task owner is different from the user who triggered the task. |
67048 | Show selected device count on commit screen and VOS devices. |
67327 | CGNAT service is missing under Services when you add LAN interface for provider organization. |
67531 | Parsing issue in SAML formatted response. |
67582 | User should not be allowed to delete a subordinate organization of post-staging template if any device group having that post-staging template has a service template at that subordinate organization. |
67643 | Do not generate modified event if there is no change to bandwidth, solution tier, or license year in subscription plan. |
67758 | In general service template, need parameterization for DSL interface configuration of PPPoE username and password fields. |
67763 | UI does not display IPsec service for service VNF. |
67874 | Add missing appliance subscription tracking in upgrade flow. |
67905 | Maximum open file descriptors for spring boot. |
67949 | Customer can make changes and commit before network is loaded in LAN-VR. |
67965 | Standardize device name for CPU, memory, and hard disk alarms to one value. |
68004 | Scheduler job status is not marked as Failed when an upgrade task is deleted while an upgrade is in progress. |
68006 | During bootstrapping, check for release date when upgrading VOS devices. |
68040 | Close HTTPS appliance polling connections sooner. |
68112 | Add option to deselect IDP connector in SSO. |
68305 | Issue in post-staging template association UI view. |
68358 | During first-time controller deployment, Director node does not ask about using the default 10.0.0.0/8 overlay scheme or changing it. |
68847 | Do not push Bionic image to trustworthy VOS devices. |
68914 | Spoke group UI should give option to delete VRFs. |
68961 | Single character on local part of email address “not valid” while adding tenant user. |
Fixed Bugs in Release 21.1.4
Tracking Bug | Description |
---|---|
13550 | Update NSO to Version 4.7.10. |
43606 | Fix drop-down compatibility issues in Firefox browser. |
45549 | Raise an alarm when AMQP and Kafka connector are not reachable from Director node. |
47065 | Username and Password fields are autopopulated in the template configuration pages. This issue has been fixed. |
48198 | Monitor screen now shows appliance system and service uptime. |
51488 | Predefined file-filtering profile is added under Predefined categories in the Objects and Connectors. |
53780 | VPN instances with hub type topology now work. |
56266 | Accept special characters in First Name and Last Name fields when creating users in Director User Management. |
56810 | Users can add multiple security policies, but only one security policy is allowed on appliance. This issue has been fixed. |
57028 | Fix for incorrect free memory calculation for Director node on the Monitor page. |
58509 | If you enter any special characters in the Controller PSK, the ptvi does not come up. This issue has been fixed. |
58799 | Fix for incorrect appliance type for appliances created on AWS or Azure. |
59131 | Add support to encrypt all passwords in device configuration. |
59719 | Fix for provider organization creation failure when it is created from Workflows > Controller screen. |
60588 | Notification rules page allows you to create alarms notification rules without a tenant. This issue has been fixed. |
63168 | Login password string is now encrypted when sent from the browser UI. |
63733 | Fix for LTE Interface missing issue when PPPoE is configured first in the Workflow template creation page. |
64007 | Support for changing device subscription. |
64061 | Template configuration Services tab now shows only the services that are enabled. |
64411 | GUI gets stuck when navigating from the NTP screen to the Objects/Services screen. This issue has been fixed. |
64521 | When you choose a tenant in the Workflows > Infrastructure > Organization screen, the entire screen goes blank. This issue has been fixed. |
64565 | Fix for general template selection issue on device group create screen. |
64885 | Scheduled job for appliance upgrade now starts only if the appliance is reachable. |
65578 | Tenant selector does not display when user switches from one tab to another on the configuration screen. This issue has been fixed. |
65650 | Incorrect configuration under device context when bootstrap fails. This issue has been fixed. |
66012 | Support for having a CLI command to set "auto-merge" as a default option. |
66074 | The screen is stuck at system parameters page when you navigate from the system configuration to other tabs. This issue has been fixed. |
66101 | Template configuration Services tab now shows only the services that are enabled. |
66259 | Include timezone in the director-HA failover alarms. |
66364 | Fix for issues deleting a nonexistent device using APIs. |
66372 | Fix for issue sending SMTP email notification for alarms. |
66418 | Fix corner cases while taking Director snapshot. |
66584 | Enforce tab in policy rule configuration screen extends beyond the length of the screen because of a newly added feature. |
66965 | Destination IP address and port fields can now be parameterized on the log collector screen. |
67226 | Versa_Device_Events topic option display issue is fixed in the Kafka connector create and update screen. |
67298 | AWS service VNF deployment issue from appliance screen has been fixed. |
67709 | Bulk upgrade appliance task has been refactored to better show the task messages. |
67738 | Support for an option to set or customize RequestedAuthnContext value in the SSO connector screen. |
67936 | User creation page now properly validates the phone numbers. |
67963 | Fix for enabling HA failure when there are more than 500 appliances on the Director node. |
68006 | Honor release date in the package to select the latest image during bootstrap of VOS device. |
68064 | Fix cross-connect select and deselect issues in template workflow for redundant templates. |
68231 | Support for a GUI option to restrict routing and connectivity across regions in an organization workflow. |
68271 | Fix CA chain certificate expiration issue in the UI. |
68363 | You can now make NMS action API calls with an external OAuth token. |
68537 | Slowness issue is fixed for the API /vnms/dashboard/appliance/location. |
68652 | Get APIs are failing when APIs are run in parallel. This issue has been fixed. |
68670 | UI now restricts the creation of an empty app-group. |
68690 | Tomcat HTTP requests to Analytics now clean up or time out properly. |
68923 | NAT traversal configuration is added incorrectly when user modifies data on WAN Interface window. |
68978 | Fix HA template and Layer 2 interface configuration issue in template workflow. |
69266 | Switchover policy can be configured using routing peer count for appliance HA. |
69303 | Proper error messages are shown when multiple IPS rules are loaded on the appliance in the UI. |
69404 | Performance improvements for appliance monitoring. |
69405 | Fix for Workflow template commit failure when LDAP password is configured with double quote ' " ' in parameterized bind data. |
69494 | Address files and address group can now be configured from Director GUI under device or service templates. |
69496 | Fix for multitenant regional spoke groups issue. |
69515 | Read-only custom user now cannot delete appliance instance. |
69553 | Error occurs when deleting from a template a suborganization that is not used in any device group. This issue has been fixed. |
69590 | Add pagination for Locked User screen. |
69641 | Fix duplicate key sdwan-post-staging issues on Device Group screen. |
69808 | Workflow > Templates > Site > Subscriptions > Solution Tier > Service Bandwidth changes are now recorded in the audit log. |
69827 | GUI idle timeout is taking 12 more minutes than the configured value. This issue has been fixed. |
69846 | Encryption debug CLI commands are failing with application communication failure. This issue has been fixed. |
69859 | Fix issue of IKE changing on Controller node when you redeploy a device workflow. |
69860 | Path policy configuration now accepts free-form text. |
69877 | Fix for the issue with hub template workflow. |
69893 | Fix for Director HA reachability check through Controller nodes. |
69949 | After you add service chain under organization limits, service menu now shows correct options for the service chain template. |
69996 | Add support for mirror interface option for uCPE interfaces. |
70174 | Restore icon for configuration snapshots is now available in the Firefox and Chrome browsers. |
70303 | Fix for Map View to show appliance name on the Monitor screen. |
70313 | Fix the sorting functionality for system summary tables on Monitor screens. |
70318 | Fix download merge configuration issue on commit template screen. |
70319 | Fix for issue with adding custom group from GUI on policy page. |
70338 | Add support for user type data for IP-SLAM monitor next-hop fields. |
70394 | Asset summary now shows count for service VNFs. |
70441 | Suppress unwanted logs while fetching get-vnms-ha details from the standby Director node. |
70459 | Fix incorrect security package information on the Monitor screen. |
70490 | Netbox IPAM service stays down because the docker image is deleted during an upgrade. This issue has been fixed. |
70539 | Fix for issues with device deploy and create appliance. |
70596 | Fix for issues with SD-WAN traffic graph. |
70647 | Fix display of overlay address schema popup if Controller node already exists in the system. |
70656 | Fix for template failing to add WiFi interfaces that were added when the security mode was None. |
70659 | Service template references are now removed from the device workflow when the service template is deleted. |
70694 | Fix for Director upgrade failure because of a postgres backup issue. |
70752 | Subtenant users can apply the service template through the diff window. This issue has been fixed. |
70799 | Upgrade changes the custom SLAM path policy applied to WAN interfaces to the default SLAM path policy. This issue has been fixed. |
70817 | PPPoE interface is not adding a non-zero VLAN ID to the base interface. This issue has been fixed. |
70818 | Appliance final-config-complete alarm is published after upgrade and configuration push complete. |
70910 | Match should not be a mandatory field when you select Objects > Address > + Create a New Rule -> Type (Dynamic Address). This issue has been fixed. |
70932 | Restrict TSA users so they cannot view other tenant appliances on IP SLA next-hop UI page. |
70950 | After you click the Commit to Device button on the commit template screen, the screen did not navigate to the next page. This issue has been fixed. |
70991 | Some fields are disabled on default 0 subinterface screen for LTE interface. This issue has been fixed. |
71006 | Add RBAC protection to the vnms/cloud/systems/getAllApplianceNames API call. |
71019 | Template commit is not associating all organizations with the device for service templates. This issue has been fixed. |
71021 | Fix for edit icon display issue on Director high availability screen. |
71051 | Locked Users page now shows all the locked users. |
71083 | Fix for pushing default values for system parameters along with user changes in the form. |
71117 | Fix for GZTP Director task stuck issue. |
71123 | Allow user to set the bandwidth on cross-port interfaces in the template workflow. |
71160 | Edit button is now available to configure and modify appliance HA parameters on the Director node. |
71162 | Index out-of-range error occurs when running the ip-address-config-validation.py pre-upgrade script when the local IPsec interface is missing. This issue has been fixed. |
71173 | Recent events count on the Monitor dashboard and details tab now match. |
71288 | Fix for issue with creation of application group under Objects > Custom Objects. |
71336 | Vulnerability fix: HTTP public key pinning (HPKP) header cannot be recognized. |
71337 | Vulnerability fix: HTTP strict transport security (HSTS) header cannot be recognized. |
71386 | Fix IP address and mask parameterized validation in service templates. |
71406 | Appliance goes into configuration out-of-sync state because of "" on the Configuration > SNMP > System > Contact screen. This issue has been fixed. |
71471 | Fix for duplicate key value that violated the unique constraint appliance_hardware_pkey error when onboarding a VOS device. |
71477 | TSA users can now take configuration snapshots of the common template. |
71499 | Enforcing static route for policy-based IPsec has been. |
71522 | Fix for TenantSuperAdmin failing to delete VOS device. |
71530 | Fix special cases in Versa Analytics cluster installation script. |
71538 | You can now edit Operator and Administrator users under Director User Management > Provider Users. |
71613 | HA postgres status on the primary Director node now shows secondary (slave) Director information. |
71628 | The dot1x config page becomes stuck when navigated to other tabs. This issue has been fixed. |
71638 | Fix spoke group bulk deletion issue. |
71654 | OpenID SSO logout now redirects to Logout Success Redirect URL if it is configured. |
71686 | Fix for scheduling template issues when VOS device not reachable and job has been triggered. |
71757 | Add support for the special characters {, }, and # in the SNMP manager in Workflow template. |
71785 | Fix for backup Director node not being able to take over as primary when port 5432 is not available. |
71789 | Allow hardware inventory search based on hardware serial number and site ID. |
71803 | Incorrect services list, which includes services not enabled for an organization, is displayed under the configuration services tab. This issue has been fixed. |
71814 | NETBOX-IPAM and SPRING-BOOT start issues, probably because of a race condition between the two processes, have been fixed. |
71863 | Handle automerge gracefully when preserve appliance changes is disabled. |
71865 | Creating new OAuth authorization client now shows the client secret and client ID in the UI. |
71903 | Fix for Director node loading page even after logging out of Director node. |
71917 | Fix Director login issue for Bionic images. |
72046 | Fix for custom role tenant user not being able to log in to the Analytics node from the Director node. |
72068 | Support deploying redundant Workflow template when the same WAN networks are configured. |
72070 | Fix incorrect order of BGP policy terms after workflow template is redeployed. |
72121 | Director upgrade fails with HA Pair Validation error. This issue has been fixed. |
72122 | Interval now displayed as mandatory field on the Edit SPack Configuration window. |
72182 | Parameterization of source and destination addresses in VPN policy now works. |
72183 | Fix for creation of shared service and service template configuration objects. |
72335 | Fix for display devices issue on the Template Commit screen. |
72337 | Obsolete UI call for package information has been removed. |
72358 | Trusty backup restored on Bionic setup failed. This issue has been fixed. |
72388 | Huge NCS connections are not closed and are seen as Open in the customer setup. This issue has been fixed. |
72406 | SNMPv3 walk fails with an authorization error. This issue has been fixed. |
72413 | Add validation in the organization workflow to not allow suborganizations with the same name as the parent organization. |
72507 | Fix for incorrect total appliance count. |
72619 | LEF profile referred to in the DHCP configuration is not present. This issue has been fixed. |
72637 | Update APIs to upload and delete tenant-specific CA and CA chain certificates. |
72829 | Appliance system informational Kafka message now includes appliance ping and sync state. |
72909 | Appliance upgrade failed from Director node because of an OS check. This issue has been fixed. |
72963 | Performance improvement for appliance dashboard APIs. |
73026 | TDF screen is spinning when trying to access the GUI for a uCPE. This issue has been fixed. |
73063 | Director upgrade failed because of database backup and restore issues. This issue has been fixed. |
73076 | Performance improvements for AMQP and KAFKA object change notifications. |
73077 | Committing configuration to a template or device generates object change notifications only for the top-level path and does not send notifications for each changed path. |
73104 | Avoid running validation scripts on standby Director nodes. |
73108 | Error while adding community options for a spoke group is fixed. |
73122 | Fix for Analytics cluster installer issues. |
73183 | Fix for incorrect date and time in the All Traffic Live data graph. |
73186 | OAuth refresh token API now returns the proper roles in the response. |
73423 | Director node is not initiating a connection to the Analytics node because of too many close_wait state to Analytics IP:Port. This issue has been fixed. |
73501 | Director GUI unreachable because of cookie issue with atmosphere. This issue has been fixed. |
73537 | When you click the refresh button on the Services > Sessions screen, it displays "No data to display". This issue has been fixed. |
73546 | Adding a new tenant in the existing post-staging template through workflows API returns error. This issue has been fixed. |
73813 | Appliance upgrade from Director node fails during ZTP. This issue has been fixed. |
73854 | Save device workflow continues to spin when you try to save without the value for some variables. This issue has been fixed. |
73856 | Bulk import of devices from a CSV file fails because of a concurrency issue. This issue has been fixed. |
73899 | After you run the appliance status brief API call, appliances disappears from the appliances listing page. This issue has been fixed. |
73974 | Authentication type and Auth-Context-Required fields can be configured in the SSO SAML connector page. |
74213 | SSO login fails after running import-key-cert.sh script because the SSO certificates are moved to the backup folder after running this script. This issue has been fixed. |
74578 | Service template bind data variables are not populated when the device workflow is redeployed from the Basic tab. This issue has been fixed. |
74614 | Fix for Get Director services status API issue. |
74629 | Director UI not reachable because of java heap space out-of-memory issue. This issue has been fixed. |
74838 | Fix for issue with checking Service Template bind data. |
75052 | Update ha_pair_validation script to check whether appliance is present in the inventory table. |
75069 | Template commit error message on Director node is now sent to Concerto over Kafka. |
75100 | UI intermittently does not load and shows a blank screen on multiple tabs, displaying the error "Failed to load data from server". This issue has been fixed. |
75117 | Director upgrade fails at ip-sla-monitor under redistribution policy configuration. This issue has been fixed. |
75133 | Uploading the certificate for secure LDAP from the GUI now works. |
75236 | WAL files do not clean up automatically, causing high disk usage. This issue has been fixed. |
75273 | Device bind data in the workflows throws a remote server exception when saving or deploying the device. This issue has been fixed. |
75389 | Issue with setting isStatingController flag has been fixed. |
75471 | Director node does not copy the uCPE custom data file if only the custom data file option is configured in the service chain template. This issue has been fixed. |
75527 | Monitor Tab > Associate Templates shows duplicates even though the device group has unique templates. This issue has been fixed. |
75544 | Director upgrade failed when executing the WorkflowsUpgrade script. This issue has been fixed. |
75547 | Kafka and AMQP messages now contain the Director identifier, which you can configure for Kafka and AMQP connectors. |
75880 | Fix for deploying template failure because of a nested SQL exception. |
75925 | Vulnerability fix: HTTP strict transport security (HSTS) policy not enabled (Port 443). |
75951 | Migration scripts now start after spring boot is fully up. |
75963 | SQL error occurs when creating a spoke template. This issue has been fixed. |
76122 | Fix for failures when simultaneously deploying multiple organizations. |
76316 | Director upgrade fails because spring boot does not go to the running state. This issue has been fixed. |
76427 | Versa Director vulnerability issue fixed for CVE-2021-44228, which is related to Apache Log4j2. |
76487 | Site-to-site local interface for HA cannot have quotes when using Active-Active workflow template. This issue has been fixed. |
76613 | Add available-routing-instances under the organization in the service chain template generated through Workflows. |
76667 | Fix template commit issue by incorporating bind data validation for route prefix. |
76710 | Template commit window fetches only the first 1000 templates. This issue has been fixed. |
77103 | Onboard tenant to gateway is failing with INTERNAL_SQL_ERROR. This issue has been fixed. |
77119 | fetch=count in the NCS APIs returns the count. |
77120 | Patterns with characters after the $ are now accepted on the template configuration UI screens. |
77233 | Appliances might disappear if the owner organization is missing for some appliances. This issue has been fixed. |
77246 | Fix commit template task failure issue because of Concurrent lock. |
77249 | Spoke group validation is now optional for the provider organization in the Workflow template for multitenant scenarios. |
77285 | Director services status vsh status command output issue has been fixed |
77324 | View profile under classified profile is not working for Edit DoS Rule > Enforce > DDoS profile. This issue has been fixed. |
77353 | System organization is no longer displayed on the Add Notification Rules screen when you log in as the TenantSuperAdmin user. |
77379 | Search works now on the card view of the Appliances screen. |
77616 | Fix for Boolean word truncation issue on Add DHCP Option Profiles screen. |
77647 | Adding duplicate Controller nodes is no longer allowed under Controllers in the Workflow template. |
77771 | Opening the S-WAN System Site Configuration screen now works. |
77896 | Fix for customer snapshot upgrade failure. |
77897 | Issue with the Director patch script and validation script has been fixed. |
78172 | When you delete a device workflow, the remote PSK authentication client entry is now deleted from the Controller node. |
78218 | Fix OutOfMemoryError issue that occurred because of metaspace. |
78240 | The site-to-site tunnel in the workflow was throwing an error when you parameterized a WAN or LAN interface. |
78340 | Commit template fails because of an issue with setting skip-apply. This issue has been fixed. |
78434 | WAN link monitor configuration for redundant WAN links over a cross-connect link was not updated as expected for HA devices. This issue has been fixed. |
78662 | Fix tooltip text display issue in Director UI. |
78681 | Fix for the slowness issue in the diff view page when it is opened from the Template commit page. |
78683 | Provide scroll in Associated templates page, which is launched from the template commit page. |
78686 | Deleting a dynamic VOS service template throws an exception "Public cloud instance should have minimum 3 interfaces". This issue has been fixed. |
78801 | Associating Organization throws an exception when onboarding a workflow device in a public cloud deployment. This issue has been fixed. |
80030 | Push-keys-To-Device shell script now escapes special characters in the password. |
80085 | Director UI inaccessible because of a kernel out-of-memory issue. This issue has been fixed. |
80168 | Allow static IP address configuration on LTE interfaces. |
80172 | NCS transaction leak issue has been fixed |
80278 | Director UI > Device > Monitor > Services and Tools screens are now working. |
80279 | Fix an issue with the appliances list page in Administration tab. |
80326 | Fix issue with template configuration SD-WAN system site configuration edit screen. |
80328 | TenantSuperAdmin user can now see the saved organizations on the Workflows > Infrastructure > Organization screen. |
80420 | The Workflows, Templates, Tunnels, and Site-to-Site Tunnel screens go blank when you select a few initial options. This issue has been fixed. |
80441 | When you click the Edit icon, the wheel spins in an infinite loop on the OS SPack > Appliance screen. This issue has been fixed. |
80448 | Upgrade Apache Tomcat to 9.0.60 to fix multiple vulnerabilities. |
80543 | Remote server exception seen when you click any tab on the secure access screen. This issue has been fixed. |
80581 | Organization list displayed on Object > TCP Profile screen should be associated with the template. This issue has been fixed. |
80618 | For some screens, the selected column filter is not shown. This issue has been fixed. |
Limitations
The following are limitations in Release 21.1.
Limitations in Release 21.1.1
- When you attach a service template to a device in a device workflow but do not attach it to the device group, the device is not displayed after you commit the service template.
- The Director UI may not open in Safari and MacOS 10.15, because the previous self-signed certificates are not compatible with the new security requirements of the Apple Safari browser. To regenerate a self-signed certificate, issue the following commands:
sudo su - versa
cd /opt/versa/vnms/scripts/
./vnms-certgen.sh --san example.com --san test.example.com --overwrite --storepass "<password>"
To regenerate CA-signed certificates:
- Regenerate the CA signed certificates to honor the new security requirements:
sudo su - versa
cd /var/versa/vnms/data/certs/
keytool -import -alias tomcatserver -file {CA_CERTIFICATE}.cer -keystore tomcat_keystore.jks -storepass <password>
- Synchronize the new certificate to all the Analytics nodes:
cd /opt/versa/vnms/scripts
./vnms-cert-sync.sh --sync
- In Release 21.1.1, the Director web server (Apache Tomcat) has been upgraded to support HTTP/2. If you do not enable proxies with HTTP 2.0 and TLS 1.2, browsers automatically fall back to using the HTTP 1.1 protocol. In the newer version of Tomcat, HTTP 1.1–based REST API calls with very large payloads fail intermittently because not all the payload is provided to the backend server. This issue is observed with configuration differences windows in template workflow and template commit to appliances. For more information, see Enable HTTP 2.0 on Proxies, below.
- DNS Proxy configuration in templates: When DNS proxy configuration is present in a template, applyTemplate to 16.1R2-based devices fails, because the DNS proxy configuration is also pushed to the 16.1R2 device, where it is not applicable. As a workaround, you can delete this configuration in the template before you push it to 16.1R2-based devices. This issue does not occur on devices on Release 21.1. (Bug ID: 57783)
- Error is displayed during template commit when a text field, for example an interface description, contains multiple quotes. (Bug IDs: 57693, 58568)
- After upgrading from Release 20.2 to Release 21.1.1, the EVPN configuration is not loaded on Controller nodes for old organizations. (Bug ID: 59355)
Limitations in Release 21.1.2
- The Director UI may not open in Safari and MacOS 10.15, because the previous self-signed certificates are not compatible with the new security requirements of the Apple Safari browser. To regenerate a self-signed certificate, issue the following commands:
sudo su - versa
cd /opt/versa/vnms/scripts/
./vnms-certgen.sh --san example.com --san test.example.com --overwrite --storepass "<password>"
To regenerate CA-signed certificates:
- Regenerate the CA signed certificates to honor the new security requirements:
sudo su - versa
cd /var/versa/vnms/data/certs/
keytool -import -alias tomcatserver -file {CA_CERTIFICATE}.cer -keystore tomcat_keystore.jks -storepass <password>
- Synchronize the new certificate to all the Analytics nodes:
cd /opt/versa/vnms/scripts
./vnms-cert-sync.sh --sync
- If proxies are not enabled with HTTP 2.0 and TLS 1.2 as given above, browsers automatically fall back to using the HTTP 1.1 protocol. In the newer version of Tomcat, HTTP 1.1-based REST API calls with very large payloads fail intermittently because not all the payload is provided to the backend server. This issue is observed intermittently with configuration diff windows in template workflow and template commit to appliances.
- DNS proxy configuration in templates: When a template contains a DNS proxy configuration, applying the template to devices running Release 16.1R2 fails. This happens because the DNS proxy configuration is also pushed to the Release 16.1R2 device, where it is not supported. As a workaround, delete the DNS proxy configuration from the template before pushing it to Release 16.1R2-based appliances. This issue does not occur if devices are running Release 21.1. (Bug ID: 57783)
- Versa Director throws an error during template commit when a text field, for example an interface description, contains multiple quotes. (Bug IDs: 57693, 58568)
Limitations in Release 21.1.3
- The Director UI may not open in Safari and MacOS 10.15, because the previous self-signed certificates are not compatible with the new security requirements of the Apple Safari browser. To regenerate a self-signed certificate, issue the following commands:
sudo su - versa
cd /opt/versa/vnms/scripts/
./vnms-certgen.sh --san example.com --san test.example.com --overwrite --storepass "password"
To regenerate CA-signed certificates:
- Regenerate the CA signed certificates to honor the new security requirements:
sudo su - versa
cd /var/versa/vnms/data/certs/
keytool -import -alias tomcatserver -file {CA_CERTIFICATE}.cer -keystore tomcat_keystore.jks -storepass password
- Synchronize the new certificate to all the Analytics nodes:
cd /opt/versa/vnms/scripts
./vnms-cert-sync.sh --sync
- If you do not enable proxies with HTTP 2.0 and TLS 1.2, as described below, browsers automatically fall back to using HTTP 1.1. In the newer version of Tomcat, HTTP 1.1–based REST API calls with very large payloads fail intermittently, because not all the payload is provided to the backend server. This issue is observed intermittently with configuration diff windows in template workflows and template commits to VOS devices.
- DNS proxy configuration in templates—When a template contains a DNS proxy configuration, applying the template to devices running Release 16.1R2 fails. This happens because the DNS proxy configuration is also pushed to VOS devices running Release 16.1R2, which do not support DNS proxy. As a workaround, delete the DNS proxy configuration from the template before pushing it to VOS devices running Release 16.1R2. Note that this issue does not occur if VOS devices are running Release 21.1. (Bug ID: 57783)
Enable HTTP 2.0 on Proxies
In Release 21.1.1, the Director web server (Apache Tomcat) has been upgraded to support HTTP 2.0, also called HTTP/2 or H2. Newer versions of Chrome and Firefox browsers automatically take advantage of the HTTP/2 protocol when supported by the web servers.
If an HTTP proxy, such as a load balancer, HA Proxy, or NGINX, is deployed between web clients (browsers) and a Director node, you must enable HTTP/2 with TLS 1.2 on the proxy with the following cipher set:
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
When users access the Director node through secure proxies, such as ZScaler, either the proxy's inspection of sessions to the Director node must be bypassed, or the proxy must be enabled with HTTP/2 and TLS 1.2 with the above cipher set.
After you update the configuration on the proxy to enable HTTP/2, use the browser's Dev/Inspect tools to verify that the browser is using the HTTP/2 protocol:
- On the Director login page, right-click and select Inspect to display the Dev/Inspect tools. The following screenshot shows how to do this in Google Chrome:
- In the Inspect window, select the Network tab.
- Right-click the column selector and select Protocol to display the Protocol column.
- Reload the portal page and check the Protocol column for the H2 protocol (for the API calls made to the server).
Request Technical Support
To request technical support, visit http://support.versa-networks.com. If you are contacting support for the first time, register and create an account. You can also send email to support@versa-networks.com or contact your Versa Networks sales account team.
Additional Information
Deployment and Initial Configuration
Upgrade Software on Headend and Branch
Use OS Security Packages
Use Security Packages
Revision History
Revision 1—Release 21.1, December 20, 2019
Revision 2—Release 21.1.1, August 21, 2020
Revision 3—Release 21.1.2, December 1, 2020
Revision 4—Release 21.1.3, June 6, 2021
Revision 5—Release 21.1.4, April 27, 2022