Skip to main content
Versa Networks

Versa Operating System (VOS) Release Notes for Release 21.1

These release notes describe features, enhancements, fixes, known issues, and limitations in Versa Operating SystemTM (VOSTM) Software Release 21.1, for Releases 21.1.0 through 21.1.4. Release 21.1.1 and later are general available (GA) releases and are supported for use in production networks.

Note that in April 2020, Versa Networks renamed its FlexVNF devices to Versa Operating SystemTM (VOSTM) devices. The documentation uses the terms VOS device and FlexVNF device interchangeably.

April 27, 2022
Revision 5

Install the VOS Software

You can install the VOS software on a standard Intel server or as a virtual machine (VM) based on ESXi or KVM. For installation instructions, see the Deployment and Initial Configuration articles.

Versa Networks provides two versions of the VOS software:

  • *-wsm.bin—Install this image on physical CPE branch devices that use the Atom-based processor.
  • *.bin—Install this image on all VMs and high-end CPEs and on bare-metal servers with Xeon or later classes of CPU.

Upgrade to Release 21.1

You can upgrade VOS devices to Release 21.1 from Releases 16.1R2 (16.1R2S8) and later. If you are using an earlier software release, upgrade first to the latest Release 16.1R2 service release, and then upgrade to Release 21.1.

If the premium version of the security package (SPack) is already installed on the VOS device, you must upgrade to Version 1878 or later before you upgrade the VOS device. To display the version of the installed SPack, use the show security security-package information CLI command or, in the Versa Director monitor screen, view the security package information under Next-Gen Firewall.

To upgrade to Release 21.1 from the CLI:

  1. Ensure the current running package is present in the /home/versa/packages/ directory.
  2. Save the existing version of the configuration:
    admin@vnf-cli(config)% save /var/tmp/backup.cfg
    
  3. Copy the appropriate .bin package file to the /home/versa/packages/ directory on the VOS node. Ensure that the file has +x execute permission. Alternatively, use the following command, which copies the file to the /home/versa/packages directory:
    admin@vnf-cli> request system package fetch uri uri
    
  4. Install the new software package:
    admin@vnf-cli> request system package upgrade filename.bin
    
    Follow the prompts, and wait until the upgrade status shows that the upgrade is complete.
  5. Confirm that the new software was loaded:
    admin@vnf-cli> show system package-info
    

Downgrade the Software

To downgrade to the software image that had been installed immediately before you performed the upgrade, issue the following command:

admin@vnf-cli> request system rollback to PRE-UPGRADE-1

Install a Software License for VOS Devices

A VOS device does not require a license if it is managed by Versa Director. If the VOS device is not subjugated to a functioning Versa Director, the software continues to operate after the initial trial period of 45 days. However, the number of data path sessions is limited to 30 sessions.

New Features

This section describes the new VOS device features in Release 21.1.

Licenses and Entitlement

  • Subscription lifecycle updates—(In Releases 21.1.1 and later.) A number of changes have been made to the subscription lifecycle, including the following. See Subscription Lifecyle.
    • Licenses are valid for 1, 3, or 5 years.
    • License subscriptions do not support the Created and Suspended states
    • A license is immediately activated after the device performs ZTP.
    • Manual license activation is not required.

Platform

  • ADSL2+/VDSL2 NIC modules—(In Releases 21.1.1 and later.) You can use ADSL2+/VDSL2 NIC modules, also called xDSL NIC modules, in Versa Cloud Services Gateway (CSG) appliances. The CSG ADSL2+/VDSL2 NIC module supports a single WAN interface that allows you to connect to VDSL2 and ADSL2+ networks. See Configure Interfaces.
  • AWS transit gateway integration—(In Releases 21.1.1 and later.) Versa Director automates the process of configuring AWS transit gateway tunnels with on-premise branches. You can configure both the transit gateway and the VOS branches from Versa Director. See Configure Site-to-Site Tunnels.
  • Configuration validation—(In Releases 21.1.1 and later.) The configuration validation feature provides a cross-check and misconfiguration-highlighting mechanism for deployments that include an interchassis HA pair (active-standby stateful HA). When enabled, it cross-verifies interchassis HA-relevant configuration changes on both interchassis HA pairs and highlights if there are any differences between the two that affect the runtime function of a given inter-chassis HA branch deployment. It also allows the configuration to be changed on the active and standby devices in any order, and prevents the services from being impacted by a misconfiguration.
  • CSG300 series appliances—(In Releases 21.1.1 and later.) The Versa Cloud Services Gateway (CSG) 300 series appliances deliver highly secure site-to-site data connectivity to small businesses and to home offices. See Cloud Services Gateway 300 Series.
  • Device template workflow enhancements—(In Releases 21.1.1 and later.) Adds support for the Solution Add-On Tier and License Period fields in the Create Template > Basic tab; Switching tab (for Layer 2 interfaces) in the Create Template window; and, Service Bandwidth and License Period fields in the Add Device window > Basic tab. See Configure Basic Features.
  • Encrypt sensitive information—(In Releases 21.1.1 and later.) Versa Director encrypts all sensitive information in configurations before pushing them to VOS devices. See Commit Template Modifications.
  • Global session logging control updates—(In Releases 21.1.1 and later.) Changes have been made to the allowable range and adds default values for the Firewall Source IP Count and Destination IP Count fields, and for the SD-WAN Application User Count field. See Configure Firewall and SD-WAN Usage Monitoring Controls.
  • IP SLA monitoring enhancement—(In Releases 21.1.1 and later.) You can select a forwarding class to override the default forwarding class for an IP SLA monitor. See Configure IP SLA Monitor Objects.
  • Layer 2 forwarding—You can configure Layer 2 forwarding, including virtual switches, bridge domains, bridge interfaces, integrated routing and bridging (IRB) interfaces, media access control (MAC) functions, and STP/RSTP. See Configure Layer 2 Forwarding.
  • Layer 2 forwarding additions and enhancements—(In Releases 21.1.1 and later.) Release 21.1.1 adds support for the following Layer 2 features and enhancements. See Configure Layer 2 Forwarding.
    • EVPN over SD-WAN
    • Multiple Spanning-Tree Protocol (MSTP)
    • VLAN Translation
    • Enhanced support for MAC-related features, such as MAC aging, MAC learning, MAC move, and MAC limit.
    • Introduces different ways of determining the state of an IRB.
    • Support for configuring paired TVI interfaces (paired-tvi) as family bridge interfaces
  • LLDP—(In Releases 21.1.1 and later.) The Link Layer Discovery Protocol (LLDP) allows network devices to discover a neighbor device’s identity and capabilities on a LAN using a set of attributes, as defined in IEEE 802.1AB. See Configure LLDP.
  • Log export functionality (LEF) enhancements—You can reduce the number of firewall and SD-WAN statistics log records that CPE devices export, exporting logs only for the busiest sessions. See Configure Firewall and SD-WAN Usage Monitoring Controls.
  • Match alarm subtypes in exporter rules—(In Releases 21.1.1 and later.) You can match alarm subtypes in exporter rules. See Configure VOS Device Alarms.
  • Multiple tenants and multiple VRFs in a service chain template—(In Releases 21.1.1 and later.) You can configure multiple tenants and multiple VRFs in a service chain template. See Configure uCPE on a VOS Device.
  • Secure option with the Versa Analytics cluster installation script—(In Releases 21.1.1 and later.) You can use the secure option when running the Versa Analytics cluster installation script. See Perform Initial Software Configuration.
  • Service-chain template enhancement—(In Releases 21.1.1 and later.) You can service-chain multiple tenants and multiple VRFs. See Configure uCPE on a VOS Device.
  • SFP monitoring and management—(In Releases 21.1.1 and later.) VOS devices support digital diagnostics monitoring (DDM) monitoring and management capabilities for SFP and SFP+ interfaces. DDM provides information about the line, signal strength (optical input and output power levels), temperature, laser bias current, transceiver supply voltage, and other transceiver statistics in real time. Monitoring and management capabilities for Versa-certified SFP and SFP+ transceivers are built in. See Monitor the SFP Module.
  • Signature verification for software package uploads—(In Releases 21.1.1 and later.) You can use digital signature verification to verify Versa Director and VOS software packages that are uploaded using a Director node. See Configure Signature Verification for Software Package Uploads.
  • T1/E1 NIC module—(In Releases 21.1.1 and later.) CSG appliances support a T1/E1 NIC module. The T1/E1 NIC module supports four WAN ports, allowing you to connect to up to four T1 or E1 network connections. Each interface can configured to run PPP, HDLC, and Frame Relay encapsulations. Interfaces are software configurable to run in T1 or in E1 mode with a rich set of line and framing parameters to ensure compatibility with existing networks. See Configure Interfaces.
  • TPM 2.0—(In Releases 21.1.1 and later.) VOS devices support TPM 2.0 on Ubuntu 18.04 running on CSG and certified whitebox platforms. TPM 2.0 is enabled by default.
  • WAN propagation—(In Releases 21.1.1 and later.) You can automatically copy the WAN networks of a parent organization and propagate them to the suborganizations under the parent. See Configure Transport Domains and WAN Networks.
  • Zscaler site-to-site tunnels—(In Releases 21.1.1 and later.) You can create secure IPsec and GRE tunnels between a VOS CPE device and a device hosted by Zscaler to optimize the connectivity between the VOS device and cloud peer devices. See Configure Site-to-Site Tunnels.

 

SD-WAN

  • DIA and DCA (SaaS) traffic optimization—VOS devices support ICMP monitor probes to track next hops for a given SaaS application, and they now also support TCP and HTTP monitor probes. TCP and HTTP monitor probes are often more reliable probes for determining the optimal path for internet traffic. See Configure SaaS Application Monitoring.
  • NetBox IP address management (IPAM) service—(In Releases 21.1.1 and later.) Versa Director uses the NetBox IP address management (IPAM) service to allocate the IP addresses from the configured overlay prefixes. See Configure the Overlay Addressing Scheme.
  • SaaS application detection using endpoints—For SD-WAN edge devices, detecting applications starting with the first packet is critical for optimum path selection. If an application is not known with the first packet and a non-optimal path is selected for the TCP session, the session's performance will be degraded. In earlier software releases, the VOS software used an application cache to cache the application detected for a session associated with a specific IP address and port. However, the application cache cannot assist the first session to a given destination. Because SaaS vendors are now using many IP addresses to serve applications, this limitation has become an issue. The first-packet identification feature addresses this limitation. It allows the SaaS application to be identified starting with the first packet of a session. First-packet identification is also used to identify applications that are making DNS requests, which means that DNS requests can use the same WAN path selection as data sessions.

    The first-packet identification feature performs WAN path selection for specific applications, both for the DNS sessions and the data sessions, and it allows users to configure firewall rules to create allow lists of SaaS applications using the published IP prefixes and domain names.

    Several SaaS providers publish the IP prefixes and domain name patterns for their service endpoints, and these lists are available to VOS devices so that they can identify applications on the first packet. The latest application endpoint information is updated in Versa Security Package (SPack) updates. VOS devices map the IP prefixes and domain names to the predefined applications for the SaaS application. For example, Microsoft Office 365 endpoints are mapped to the application OFFICE365. The applications are the same predefined applications that you use to configure policies (for example, Office 365 and Zoom), so you do not need to modify the policy configuration. The following are examples of endpoint information published by SaaS providers:

    • Microsoft Office 365—https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges
    • Zoom—https://support.zoom.us/hc/en-us/articles/201362683-Network-Firewall-or-Proxy-Server-Settings-for-Zoom

    SaaS application detection using endpoints includes the following features:
    • Identify applications for DNS requests and data sessions—For DNS sessions, the database containing the published domain names is used to resolve the domain name and published IP prefixes are used to identify the application for data sessions. Note that the applications that are identified are the same predefined applications that you use when configuring policies. For example, the published Microsoft published Office365 endpoints include the following: outlook.office.com, outlook.office365.com, and 13.107.6.152/31, 13.107.18.10/31, and 13.107.128.0/22 (and more) with TCP ports 80 and 443. Using this information, a DNS request for outlook.office365.com and a TCP session destined to 13.107.128.1 is mapped to the application OFFICE365.
    • WAN path selection—To select a WAN path for applications, you need to configure SD-WAN policy rules. Because both the DNS requests and the data sessions are mapped to the same applications (on the first packet of session) using the published endpoint information, they both receive the same path selection treatment. To use path selection for DNS requests, you must enable DNS proxy on the VOS device.
    • Allow lists for applications using endpoint information—You can create allow lists (sometimes called whitelists) for the SaaS applications using the predefined applications. Identifying applications on the first packet of the session helps to finalize the firewall policy to use for the session without waiting for the application to be detected by deep-packet inspection. In the application for which application identification is to be finalized (for the purpose of firewall policy) based on the published endpoint-based match, the application-specific app-final-with-endpoint option must be set to TRUE.
  • SaaS endpoint definitions in SPacks—(In Releases 21.1.1 and later.) VOS devices dynamically query and download the FQDNs and IP addresses advertised by SaaS providers. These FQDNs and IP addresses are installed as part of security packages (SPacks), and they are updated dynamically. See Use Security Packages.
  • SD-WAN traffic-steering forwarding profile enhancements—(In Releases 21.1.1 and later.) SD-WAN forwarding profiles are enhanced to support circuit tag–based path priorities and path list–based path priorities (path-name-list, path-type-list, path-media-list and path-tags-list), last-resort priority, and unmatched-priority.
    • Circuit tags—You can label each SD-WAN interface with up to four circuit tags, which are user-defined free-form strings. You can use circuit tags, just as you do circuit names and circuit media, as match conditions in forwarding profiles in order to define path priorities.
    • Path list–based path priorities—You can define priorities using an exact match for local and remote circuits, which removes the ambiguity in grammar around when to use AND versus OR in match conditions. The new path list–based priorities and the existing circuit priorities model are mutually exclusive at a specific priority level. That is, if you select path list–based priorities, the current circuit priorities model is not allowed, and vice versa. However, you can select both types of priority levels at different priority levels.
    • Last-resort priority—Paths that you configure with this priority are used when all other paths go down, thus allowing you not to use LTE paths when other paths are available.
    • Unmatched priority—You can define the priority of the paths that are not configured explicitly. For example, if the unmatched priority is set to priority 2, any path that is not configured in the forwarding profile is considered as priority 2.
      See Configure SD-WAN Traffic Steering.
  • TCP optimizations—TCP optimizations mitigate the effects of high latency and packet loss on the performance of TCP-based applications. In Releases 21.1.1 and later, the maximum send and receive buffer sizes are increased from 8M to 16M, and you can configure forward proxy and reverse proxy TCP optimization modes.See Configure TCP Optimizations.

Security

  • Caching of the URL filtering history—(In Releases 21.1.1 and later.) You can configure the caching of the URL filtering history. See Configure URL Filtering.
  • FIPS 140-2 Level 1 compliance—(In Releases 21.1.1 and later.) You can run VOS devices in FIPS mode in VOS images that are FIPS 140-2 Level 1 compliant. FIPS 140-2 Level 1 compliance covers production-grade and externally tested encryption algorithms. See FIPS Compliance.
  • Microsoft NDES and SCEP network access control—A VOS device can use certificate-based network device authentication and certificate management using Microsoft Network Device Enrollment Service (NDES), which is based on Simple Certificate Enrollment Protocol (SCEP) and which provides certificate-based network device authentication and certificate management. See Configure Certificate Servers.
  • Remote access server (RAS) support—A VOS device can act as a remote server, allowing remote users to connect to the VOS device by establishing a VPN connection. See Configure the Versa Secure Access Service.
  • TLS/SSL for remote collectors—Transport Layer Security (TLS) has been added to the existing connection mechanisms (TCP and UDP) to enable you to stream logs securely. See Configure Log Collectors and Log Exporter Rules.
  • URL filtering enhancement—(In Releases 21.1.1 and later.) You can enable or disable the caching of the URL filtering history. See Configure URL Filtering.
  • Versa Secure Access Service—(In Releases 21.1.1 and later.) Versa Secure Access Client for Windows 10 and MacOS, which are installed on end devices, Versa Secure Access Server functionality developed on Versa OS. See Configure the Versa Secure Access Service.

Fixed Bugs

The following tables list the critical and major defects that were fixed in Release 21.1.

Fixed Bugs in Release 21.1

Bug ID

Summary

43383

Enhanced the SIP ALG to bypass ALG processing if no CGNAT or stateful or NGFW is configured in the service chain.

44188

SSHD logs in Syslog triggered by Director reachability checks are now suppressed.

45073

SD-WAN SLA last flapped time value that was displayed was incorrect.

45305

Added the ability to select the download of the sample or premium SPack from the VOS device.

42979

Attempting to change the RIPv2 interval crashed the routing process in Release 20.2.0 FRS.

43608

Changing the OSPF MD5 authentication key from plain text to MD5-based hash was not persistent.

43869

Versa Services process crashes when you enable the packet capture option in the LEF profile.

45098

sdwan-datapath-sla-not-met alarm was not sent to SNMP server, but it was sent to all other configured destinations.

44827

VOS CPE was unable to fetch certificate using CMP from a PKI server.

44138

When an IPsec peer is configured as a fully qualified domain name (FQDN) instead of an IP address, IPsec flaps continuously during the initial bringup.

43706

SD-WAN traffic coming over PPPoE links was processed by a single CPU core. Traffic is now processed by all available cores.

44793

ARP responses for VRRP virtual IP addresses were not consistently responding with a virtual MAC address.

45334

Geolocation-based match was added in QoS policy rules.

46707

FEC module crashes while processing out-of-range packets, specifically when more than 300,000 packets are sent by two different branches (in active-active configuration) and link between the two branches is flapping.

Fixed Bugs in Release 21.1.1

Bug ID

Summary

40206 DNS server listening and serving requests on the WAN interfaces. This issue has been fixed.
44055 Changing an existing BGP prefix-list address object’s IP address using just the greater-than mask value without changing the less-than mask value would fail to commit the configuration. This issue has been fixed.
47161

The request security security-package download check-for-updates CLI command has been fixed to indicate the appropriate message in case of any error.

49983 VOS software processes transit DHCP ACK packets going from DHCP server to the client as if they were destined locally and incorrectly drops them. Also, VOS software processes transit DHCP acknowledgments for DHCP Inform [ unicast ] from server to the client via relay, and when traversing a VOS device, they are intercepted incorrectly and dropped. This issue has been fixed.
53374 Flapping of WAN link causes a memory leak and so memory was freed in the account manage module when an SD-WAN path object is deleted. This issue has been fixed.
54067 For a session for which the application is not known on the first packet, if the packet hits a SD-WAN policy deny rule, it makes progress until application is identified. At that point, upon policy reevaluation, if it still matches the deny rule, it denies the session. This is a change in behavior where a packet matching a SD-WAN policy rule that contains application as a match condition and if the application cache did not match the current destination IP and port, it would deny this session.
54565 When twice-basic-nat-44/twice-dynamic-nat-44/twice-napt-44 is configured, with active FTP traffic, the application of FTP data session is identified as unknown_tcp instead of ftp_data, and file transferred in this data session is not inspected by the antivirus module. This issue has been fixed.
55130 VOS vmod process restart is observed on the CPE when user tries to fetch IP SLA from Versa Director UI under Monitor Dashboard and no IP SLA (monitor) is configured on the CPE device. This issue has been fixed.
55792

The CoS shaping rate on a logical interface was not updated when the autonegotiated rate of the underlying physical interface changed from 10M to 1G. Because the VOS software caps the logical interface at the autonegotiated rate, the logical interface remained at a shaping rate of 10M. This update allows for the proper propagation of the link speed to all logical interfaces.

55993

An ARP request from the VRRP active node may be sent with the interface MAC address instead of virtual MAC address. This issue has been fixed.

56501 Versa services processes may crash because it cannot handle any packet with three or more VLAN tags for a transit packet. This issue has been fixed.
56721 Added channel width in the output of the show wlan AP-status command.
56970 During the upgrade process, the older package may not be removed. This issue has been fixed.
57146 A VOS DHCP server configured with more than one next-server IP address may fail to activate the entire DHCP configuration. The same may also happen when the next server IP address is a FQDN name instead of an IP address. For example, the following configuration causes DHCP server to not get activated:
set orgs org-services Pepsi dhcp dhcp4-options-profiles DHCP_OP_TOIP next-server 10.158.142.180,10.1.20.115,10.158.142.179
The workaround is to configure a single IP address in the next-server IP address. This issue has been fixed.
57442 Issuing the show org session extensive command crashes and cause a service restart if the session to be displayed has qos-policies or app-qos-policies applied to the session *and* there have been 5 or more configuation changes to qos-policy or app-qos-policy rules since the session was created. This issue has been fixed.
57500 Versa services process may crash when an entire organization is deleted. This issue has been fixed.
57655 versa-vmod may restart when trying to clear specific session via Director API. This issue has been fixed.
57787 versa-mod process may restart after repeated SNMP polling of CGNAT MIB or show cgnat pool statistics command is issued and there are CGNAT pools defined and not referenced in any CGNAT rule configuration. As a workaround, delete any CGNAT pools that are not used or skip SNMP polling of CGNAT. This issue has been fixed.

Fixed Bugs in Release 21.1.2

Bug ID Description
45535 When you select a remote branch, theTCP optimization policy statistics do not reflect the actual statistics. This issue has been fixed.
47904 For some network ports that use the Intel i40e driver, receipt of LLDP/DCBX packets causes i40e initialization failure. Added the LLDP persistence flag to keep the firmware LLDP agent in the Disabled state after it is set.
48598 Added the ability to attach one IP SLA monitor group to multiple VR redistribution policies.
51394, 51411 Fixed a process restart in the Versa-VMOD configuration handling process when you commit multiple captive portal profiles with CA certificates.
53372 Routing SNMP traps now include the tenant/organization name in them.
54538 The show pim neighbor CLI command displays the incorrect PIM mode. This issue has been fixed.
54723

Extend the show route command to include multicast RPF information:

show route multicast-rpf {{ipv4_addr | ipv4_prefix} | 
routing-instance name {ipv4_addr | ipv4_prefix}}
56568 When a site-to-site IPsec tunnel goes down, the tunnel down alarm is not generated consistently. This issue has been fixed.
56623 When you delete a tenant, a service restart might occur. This issue has been fixed.
58471 For an Aggregated Ethernet (AE) interface whose member interfaces are operationally and administratively down, they remain down even after being made operationally and administratively up. This issue has been fixed.
58497 For VEP-4600-xxx and CSG1500 devices, the VOS device was unable to report data about SFP optical modules connected to X722 MAC Ethernet controller ports, because reading the module EEPROM memory was not supported. The fix requires that you upgrade the NIC firmware to the specific NVM firmware release version, to allow the SFP data to be read.
58602 Added custom-header option to the wget CLI command to be able to pass authentication information and other options.
58975 The passwd binary on the base OS sometimes had incorrect permissions, thus preventing users from changing their passwords. This issue has been fixed.
58976 The DHCP lease database cleanup might not happening periodically, causing the DHCP lease file to grow to a large size. This issue has been fixed.
59026 When an interface is marked up momentarily by a monitor before bringing it down, the SLA is marked as Up and the SLA state machine is not executed before the interface is again marked as down. The result is that the ptvi interface remains in the proto Up state.
59035 Special characters such as $ in the RADIUS secret key for the WiFi access point configuration might not work. You can now include special characters in the password.
59164 A very long-lived TCP session might create a condition where the TCP stream module in the Versa service process may create a very large reassembly queue, leading to a delay in the packet processing times. If the affected worker is Worker 0, the SLA and the control plane would also go down. The workaround is to disable the stream module for the affected flow. This issue has been fixed.
59206 When you configure the all alarm, the CPU alarm thresholds might be reset to 0 for both high and low. This issue has been fixed.
59357 Service restart seen on Controller nnode because of a non-standard configuration on the branch devices. This issue has been fixed.
59377 Issuing the show bgp neighbor org might cause the routing process to restart, but other services are not affected. This issue has been fixed.
59410 Multiple policy configuration changes (more than four) might cause an old session that was created before the changes to access an invalid memory location and cause service restart. This issue has been fixed.
59416 Have the system load statistics computation consistent with the htop command, by not taking I/O wait times into consideration.
59651 When the same monitor object is attached to multiple static routes, any change in the configuration of a single static route might affect other routes. For example, deletion of a static route would install other static routes even if the monitor state was down. This issue has been fixed.
59801 The show system load-stats command output has been modified to not include the io-wait time in the calculations, to reflect the numbers shown by top or htop command.
59950 Quick Assist Technology (QAT) decrypt session contexts were not getting cleaned when IPsec tunnels flapped, causing session context to leak. Eventually we run out of session contexts are used up, and SD-WAN/IPsec traffic blackholes. This issue was present only in Releases 20.2.x and 21.1.x. This issue has been fixed.
60128 Stopping the tcpdump command would sometimes cause BFD to flap if it was configured with a very low timeout value. This issue has been fixed.
60178 Sometimes, SLA from a spoke site to a Hub-Controller-Node (HCN) might not come up if the HCN WAN interface is behind a static NAT. A spoke branch detects the remote branch personality based on the site ID range and then tries to send SLA packets via the private or public IP address. For an HCN, whose site type is hub-controller, there is a need to add additional logic to detect the remote branch based on site type and not the site ID so that the SLA packets are always sent only on the public IP address. This issue has been fixed.
60510 Buffer management issue caused an EBGP multipath route in a VRF to not get announced in a Layer 3 VPN if one of the next-hop interfaces in LAN VRF is shut down. This issue has been fixed.
60594 For TCP optimization, upon receiving TCP options containing padding bytes after the EOL option in a TCP SYN packet, the VOS peer closest to the client ignores these padding bytes, which were added for byte alignment, resulting in a TCP SYN packet whose TCP options are not properly byte aligned. Because of this, the TCP options in the SYN packet are not being processed by the VOS peer closest to the server. This results in connection not being TCP optimized and is getting stalled. This issue has been fixed.
60595 TCP optimization is not functional when security features are turned on, which also causes a TCP session to be proxied, such as IPS.
60672 Mod16 group support in IKE was defective and not supported. This issue has been fixed.
61257 PIM neighbor down alarm was not getting generated. This issue has been fixed.
61267 DSCP rewrite was not working for reverse traffic when traffic is originated from WAN to LAN. This issue has been fixed.
61282 URL-based ZTP was not working on VOS device running Release 21.1.1 version because of an expired CA certificate. This issue has been fixed.
61526 Default route received through Layer 3 VPN was not getting installed in the forwarding plane if there was more than one Layer 3 VPN route received with different route distinguishers with same next hop address. (This happens if an SD-WAN hub originates the default route from an import VRF as well as export VRF.). This issue has been fixed.
61584 The Versa services process might crash because of missing sanity checks on the ICMP port unreachable error packet. This issue has been fixed.
61737 Fixed an issue with enabling uCPE hypervisor which can occur when hypervisor is enabled on Release 21.1.1, only when it is upgraded from 16.1R2S8 after updating OS Spack.
61828

Versa Service process might crash in the IKE ALG module in a rare timing condition when the ESP packets land in a different thread than IKE control packets and before IKE-ALG object is created. This issue has been fixed.

61851 Fixed a package dependency issue in OS Spack installation by allowing it to overwrite ESM package with higher version binaries. This issue has been fixed.
61873 Versa services process might crash while processing SIP traffic when a packet contains incomplete Replaces header. This issue has been fixed.
61950 Versa Service process might crash while processing GRE traffic over IPsec tunnel. This issue has been fixed.
61957 When OSPF and VRRP are both configured on the same interface, the backup router might redistribute routes without setting the configured metric when using direct protocol redistribution. This issue has been fixed.
61998 Versa service process might crash when receiving IPv6 multicast listener discovery (MLD) packets. This issue has been fixed.
62002 Versa service process might crash while processing SIP traffic when the received SIP packet has more than four bandwidth parameters. This issue has been fixed.
62075 TCP splicer might drop some ICMP unreachable messages of type MTU exceeded, fragmentation needed when DF bit it set. This issue has been fixed.
62126 SSH key authorization might fail because of incorrect handling of ssh-public-key configuration. This issue has been fixed.
62161 In an active standby interchassis redundant CPE configuration, a timing issue might cause Versa services to restart on the standby CPE node.
62268 A branch-to-branch IPsec tunnel might fail to come up when you reboot the branch. This issue has been fixed.
62429 Traceroute command had a command Injection vulnerability. This issue has been fixed.

Fixed Bugs in Release 21.1.3

Bug ID Description

20557

When you commit a VOS device configuration from the Director node, the VOS device now waits up to 10 minutes to determine whether it has connectivity to at least one Controller node. If it does not, it performs a rollback operation after that 10-minute window. Previously, the VOS device would perform a rollback operation only immediately after the commit operation if it had no connectivity to any Controller nodes.

30728

When a VOS device is a DHCP client, DHCP Renew should be a unicast packet to the DHCP server and not a broadcast packet.

33184

When a Controller node has only internet connectivity and branches have both internet and MPLS connectivity, whenever the internet link goes down at the Branch1 device, all the Branch1 routes may be removed from other remote branches by the Controller node even though the SLA is up between Branch1 and the remote branches.

35738

Upgrade numerous third-party and open source packages that VOS devices use to address vulnerabilities

36851

In staging.py script, you can now specify a Controller node as an FQDN name. Previously, you could specify only an IP address.

37411

In rare occurrences, an incorrect reference count in the IPsec IP address object may cause Versa services to restart. This issue has been fixed.

38310

A defect in the IPsec module may cause the versa-service process to crash, causing a service restart. This issue has been fixed.

40160

Add support to fetch VOS device and OS SPack packages with the path-query option.

43497, 66215

When you reference an address group is referenced before it is defined, a commit operation fails. Support has been added to handle this gracefully.

45615

Cannot move an OSPF network between OSPF areas of the same routing instance within a single commit. This issue has been fixed.

48993

CPU load statistics sometimes show values greater than 100%. This issue has been fixed.

50689

Issuing the show orgs org-services organization-name dhcp statistics dhcp interface CLI command sometimes may cause a timing issue, leading the versa-infngr process to restart and then causing all services to restart. This issue has been fixed.

52361

Depending on how many address families and capabilities are exchanged, the BGP neighbor alarms may not show the full name of the site. This issue has been fixed to show the complete site name.

52860

The request system package download-status CLI command, which was to be used by a Director node issuing an asynchronous package download command, is now deprecated.

52874

IPsec alarm configuration is not being honored, and the destination and soak intervals are not activated. This issue has been fixed.

54479

Python binary may have the incorrect permissions or capabilities set, which prevents the SPACKMGR process from starting. This has been fixed. The permissions and capabilities are now forcibly set.

54808

Certificate constantly renews after renewal interval is exceeded. Two days before renewal, the VOS device generates a CSR and applies to the CMP responder for renewal. The VOS node constantly sends CSRs to the PKI server instead of waiting for next renewal period. This issue has been fixed.

56464

After the following error message, VOS SD-WAN CPE does not re-attempt to resolve the IP address of public CA server, causing global ZTP to fail because the certificate download fails:

2020-12-17 09:45:36.652 ERROR ../usr/sbin/certd/certd_cfg_hdlr.c:514: CMP: Tnt 1, Srvr versa-public-ca, FQDN ‘public-ca.versa-networks.com’ resolve-request send failed for CMP URL url. Will retry.

This issue has been fixed.

56492

When a deleted interface is added back, the interface-up alarm that corresponds to the earlier interface-down alarm is not generated. This issue has been fixed.

58693

The versa-certd process may crash when handling the USER certificate. This issue has been fixed. VOS devices now handle the USER certificate in addition to handing the SIGN (signing) and ENCR (encryption) certificates.

59117

IPv6 on LTE interfaces is not fully functional. This issue has been fixed.

59161

The rule name of a session in the Analytics log may be called "implicit-rule”. This happens only when the session expires and the rule corresponding to the session has been removed from the configuration. This issue has been fixed. Now, the rule name is empty.

59618

When the versa-infmgr process incorrectly handles a stale link-update message, it may crash, causing services to restart. This issue has been fixed.

59972

When upgrading a security pack (SPack), Versa services may restart because of a race condition while accessing an internal data structure. This issue has been fixed.

60526

New branch staging may fail if IKE flaps or if the WAN IP address keeps changing. The result is that the IP address pool runs out of addresses, because older IKE connections linger on, and because of this, the staging of a new device to fail. This issue has been fixed. Now, the DPD process is more aggressive.

60879

When multiple CoS OIDs are passed in the same snmpget request, the versa-vmod process does not clear some internal tables, causing this process to restart. This issue has been fixed.

60968

When you upgrade the software, a redistribution policy term that has DHCP as the match protocol might the match protocol, and the term ends up matching all protocols. This issue has been fixed.

61851

Package dependency issue in OS SPack installation. This issue has been fixed. Now, the OS SPack installation overwrites ESM packages with higher binaries versions.

62268

When services start, the branch-to-branch IPsec tunnel might not be set up because of a race condition between two threads completing initialization at startup. This issue has been fixed.

62505

The application route cache (ARC) implementation has been enhanced to remove entries that after not been used for 1 hour. This optimizes the memory usage for this cache and has no impact on the system behavior, because ARC entries older than 1 hour were always considered to be stale.

62586

GRE and PPPoE interface MTU is not set to the default value, 1492. This issue has been fixed.

62758

The IPsec history CLI command output sometimes displays an incorrect error or reason. This issue has been fixed.

62793

Static ARP entries might not be activated in the data path. This issue has been fixed. The entries are now resilient to all timing conditions (for example, whether an interface is not up).

62800

A versa service crash might occur because of invalid memory access in the SD-WAN module. This issue has been fixed.

62805

During the upgrade process, MPLS tenant ID changes may be lost, leading to a tenant ID mismatch for VPN label and causing the packet to be blackholed. The workaround was to updated the mplsvpnentry tenant ID and restart the services. This issue has been fixed.

62806

A site-to-site IPSec connection between a branch and Azure Virtual WAN does not come up first time unless IKE is cleared. This issue has been fixed.

62856

When you configure the out-of-band management interface, eth0, for speed and duplex, extra commands might be appended to the network configuration file. This issue has been fixed.

62883

Issuing the show orgs org-services organizaton lef collectors collector status CLI command might cause the versa-vmod process to restart. One cause was a leak of a resources under certain error conditions: A slow leak eventually causes the process to restart but does not cause a service restart. Another cause was when the Versa Director dashboard triggered this command to fetch LEF statistics. This issue has been fixed.

62931

The sdwan-datapath-up alarm may not be generated. This issue has been fixed. Now, the alarm is triggered unconditionally when a path to a remote site is removed for any reason.

62955

When QoS policy rules were being evaluated, services might restart because the versa-service process crashes. The versa-service process crashes after repeated crashes of the versa-vmod process, and it is the result of a race condition in the security and policy rule compilation and data path. This issue has been fixed.

62978

SLA metrics are not displayed when the interval is greater than 150 seconds. This issue has been fixed.

63104

Sporadic packet latency is observed in Azure virtual instance of VOS devices. This issue has been fixed.

62955

When evaluating a QoS policy rule, the Versa services process may crash and services may restart. This is observed after versa-vmod repeatedly crashes, which is because of a race condition in the security and policy rule compilation and data path. This issue has been fixed.

63354

The memory consumption of the zone protection logic has been optimized to consume less memory without affecting performance.

63356, 63381

The software-upgrade-success alarm is not raised after you upgrade a device. Sometimes the alarm is incorrectly deferred until the next service restart. This issue has been fixed.

63442

Versa CPE uses a 4-digit host-uniq value, and if a DSLAM is non-compliant with RFC 2516 (such as Nokia ISAM7353), this causes an issue of interoperability. This issue has been fixed. The PPPoE PADI has been increased to 5 digits.

63481, 63543

When a large volume of IKE SA init traffic arrives at a VOS device, a memory leak is observed in the versa-service process. This issue has been fixed.

63506

When a configuration is pushed to create system users, user creation is noticeably slow. This issue has been fixed. Now, user creation is faster.

63593

When a user's group membership changes in Active Directory, this information might not be updated on the VOS device, and so the VOS device applies group-based policies based on previous membership details. This issue has been fixed. Now, when membership details are refreshed at the configured refresh interval, the details are updated in the live-user table and the new group-based policy is applied.

63594

When you configure IPS detection and IPS-based application identification reporting, a recursion might cause Versa services to crash and restart. This issue has been fixed. Now, the IPS-based application ID reporting is separated from IPS detection.

63612

For traffic monitoring policies, you could not configure a match destination for zone information. This issue has been fixed in the Director GUI and VOS CLI.

63647

Option-82 is not stripped by a VOS device functioning as a DHCP relay agent, causing clients to drop the DHCP response packets from the server. This issue has been fixed.

63699

Jumbo frame packets larger than 1686 bytes are not forwarded over the SD-WAN. This issue has been fixed.

63755

A memory leak is observed in the IKE-ESP ALG. This issue has been fixed.

63777, 63902

In the GUI, when you delete all the terms of redistribution policy, the VOS devices deletes the policy itself, causing the configurations on Director node and the VOS device to be out of sync. This issue has been fixed.

63839

Web proxy rule match does not work with HTTP PATCH method. This issue has been fixed.

63949

Having a large number of FQDN address objects might lead to a memory leak in the versa-certd and versa-addrmgr processes. This leak causes these processes to bloat in size, and eventually they terminate and restart. However, there was no service disruption. This issue has been fixed.

63976

This issue occurs when two Controller nodes each have at least two WAN interfaces with disjoint transport domains (such as one for internet and a second for MPLS) and a branch device connects to the Controller node using only one of the transport domains. If one of the Controller WAN interfaces goes down and comes back up, and if during the time when the Controller interface is down, the branch's WAN interface for the other transport domain goes down and stays down even after the Controller's WAN interface comes back up, the branch device may retain stale state for the Controller node's MP-BGP information until the configured graceful-restart time expires. The result is that the branch cannot establish MP-BGP peering with the Controller node until the graceful-restart time expires. This issue has been fixed to ensure that that when underlay connectivity from branch to the Controller node is restored, that branch can re-establish MP-BGP peering with the Controller node.

64049

When the SD-WAN connection selection method is set as high-available bandwidth but no interface uplink or downlink bandwidth is configured, the available bandwidth cannot be calculated, causing the VOS device to select random paths instead of priority ones. This issue has been fixed so that the weighted round-robin (WRR) method is used.

64067

After the routing process restarts because of a core, the SD-WAN Controller may not install the host routes for the branches in a scaled environment. This issue has been fixed.

64144

When service chaining with Riverbed WAN-OPT in Full Transparency with RS”, TCP reset packets sent for the inner connection from WAN-OPT are processed locally by the VOS device, which closes the outer connection as well. This issue has been fixed.

64148

The sulogin binary process may be triggered and may then crash, causing the system to reboot. This issue has been fixed. The sulogin binary has been replaced with one that does not crash.

64333

The show alarms CLI command displays a truncated timezone offset. This issue has been fixed. Now, the full timezone offset information is displayed.

64391

Some set of static route addition and deletion followed by disabling the interface associated with the static route may cause the Versa services process to restart. This issue has been fixed.

64400

The packet TX counter does not increment to indicate an issue on the Versa CPE device specific to the driver (i40e) of the port. The TX operation gets stuck because of the multisegment packets that were pushed to the NIC. The maximum segments supported by i40e is 8. Sending more than 8 segments causes the NIC TX ring to enter this state. This issue is a problem for the V1000, V1800, V1500, V930, V810 (FWA-3260), and CSG1300 platforms.

64444

When a destination is reachable through two or more remote SD-WAN sites and all the paths to at least one of the sites are in SLA-violated state, the Versa services daemon may experience a segmentation fault and restart. The workaround is to switch to active/standby routing instead of equal cost SD-WAN routes to the destination. This issue has been fixed.

64513

Core in the routing CLI transformer process may occur when an external peer group does not have peer AS configured and when the peer AS configuration is removed from a neighbor belonging to this group. This issue has been fixed.

64514

If you set up a site-to-site IPsec tunnel with a non-Versa peer and an aggressive DPD timeout (1-2 seconds) in configured on the peer (which is not a typical use case), the tunnel on the Versa side might go down. This issue has been fixed.

64527

If per-CPU QAT initialization fails even though global QAT initialization succeeds, the Versa services process may restart during data processing. This issue has been fixed. Now, it falls back to software-based cryptography.

64685

For the first packet of session that is evaluated by a rule that matches a source user or group, NGFW policy evaluation does not complete and therefore the rule action is not taken even though the source user and group information for the session is known.

64733, 64826

When LEF establishes a TCP connection to the destination collector, during overloaded conditions, if the server is slow, the connection moves to a write-blocked state. During this time, logs queued to the collector are dropped instead of being held until the connection is unblocked. This issue has been fixed.

64745

During IP fragmentation reassembly, if the packet header length does not match the actual packet length, packet buffers may get lost. This issue has been fixed.

64790

The memory footprint of the security and policy contexts increases with each commit ,causing memory load issues on firewalls with large configurations. This issue has been fixed. Now, the increase is capped at one older context.

64811

Having a large number of FQDN objects (more than 100) slows the versa-service process and causes high CPU usage and failure of some show commands. This issue has been fixed.

64844

The .ncconnect file has invalid permissions, which might prevent the recognition of a successful connection between a Director node and a VOS device. This issue causes the trial period countdown to begin and eventually degrades VOS services. This issue has been fixed.

64988

The VOS device reassembles IP fragments received with DF bit, but after reassembly it retains the DF bit before transmitting reassembled, larger packets. This may cause downstream routers to drop the packets with DF bit set. This issue has been fixed. Now, the software resets the DF bit, allowing any router to fragment the packets.

65115

When an IPv6 destination is reachable using multiple remote SD-WAN sites (for example, if there are equal-cost routes using multiple sites), the circuit priorities specified in the SD-WAN forwarding profile may not be honored. Also, an SD-WAN or PBF policy rule that is used to override routing and enforce a specific next hop does not work for IPv6. This issue has been fixed.

65292

When you upgrade from an older release such as Release 16.1R2Sx to a newer release, if the address object contains an invalid wildcard FQDN object, the versa-vmod process might crash. This issue has been fixed. Now, a misconfigured FQDN object is ignored.

65294

When you perform an IPv6 traceroute between a source and a destination, a VOS device might drop IPv6 traceroute response packets, because it incorrectly parsing the length of the ICMP time exceeded in transit. This issue has been fixed.

65310

Issuing the debug command to display session extensive details causes a service restart. This issue has been fixed.

65319

A QoS rewrite with a service function chaining (SFC) configuration (with Layer 3 rewrite for inner, Layer 3 rewrite for outer, copy from outer, copy from inner) is not working as expected. This issue has been fixed.

65373

On a VOS device, if you manually edit the /etc/ssh/sshd_config file, for example, to add match commands, if you then use the CLI to change the SSH keepalive and timeout values, you are unable to access the device using SSH. This issue has been fixed.

65435

When an SD-WAN route flaps, the DIA traffic switches to the SD-WAN. This issue has been fixed.

65501

TCP evasion check may incorrectly drop 1-byte payload TCP keepalive packets assuming it is an overlapping segment. This issue has been fixed.

65502

Croatian Telecom LTE does not detect the correct APN. This issue has been fixed.

65505

Intermittent packet loss may occur when packet replication is enabled for large packets that need fragmentation. This issue has been fixed.

65536

For PPPoE, the VNI interface displays the correct RX BPS value, but the TVI interface does not. This issue has been fixed.

65643

When you configure twice-napt-44, it does not take effect the first time. You must configure it a second time to make it active.

65809

The show route table ipv4.unicast CLI command does not display the desired output when you specify both the detail and prefix options. This issue has been fixed.

65823

The IP TOS value in the outer tunnel header for host originated packets is set incorrectly, instead of being copied from the inner packet. This issue has been fixed.

65826

When you add a vni interface enabled with family DHCP to vnf-manager, it does not populate the local interface route in global space. This issue has been fixed.

65843

The versa-vmod process may restart during a Qualys scan directed at a VOS device. This occurs because the Qualys client tries to connect to servers running inside the VOS device. This issue has been fixed. The software has been enhanced and is now resilient to any clients that connect to internal Versa services.

65904

Top-N application computation every 5 minutes may cause increased packet latency and loss for traffic processed by worker thread 0. This issue has been fixed.

65926

In SLA alarms, the site names are truncated to 32 characters. Add support for site names up to 128 characters.

65953

In an active-active SD-WAN CPE deployment, when you change the paired-site location ID of any CPE, SLA contexts between the two CPEs are created. These SLA contexts are not deleted when the matching location ID is updated on another CPE to pair the two CPEs. This issue has been fixed.

66043

During a service package (SPack) upgrade, services may restart because the versa-vsmd process restarts. This was reported once. This issue has been fixed.

66097

Path MTU is not calculated correctly when the same source IP address and destination IP address pairs are present in two different VRFs.This issue has been fixed.

66136

The Versa services process restarts once because of an invalid timer (uninitialized value) in the application monitor module. This issue has been fixed.

66350

For a PIM-over-SD-WAN deployment, if you change the cluster ID to higher value, PIM may be disabled between the two SD-WAN sites even if they both have the same cluster ID. This issue is fixed.

66395

The show ospf neighbor brief CLI command may cause the routing CLI process to restart, causing the show command to fail. This issue has been fixed.

66583

The device model, SKU ,and serial number details are now available in an additional MIB container that does not take a serial number as a key.

66599

The output of the show orgs org organization sd-wan statistics vni command for TX BPS and RX BPS is now displayed in bits per second instead of bytes per second.

66617

The staging.py scripts writes the staging.cfg file to current directory, but some scripts look for it in the /opt/versa/scripts directory. Now, the file is saved in both directories.

66768

A memory leak in the QoS data structure may occur when the preclassified packets arrive over a cross-connect link from the peer and you have configured an App-QoS policy on the device. This issue has been fixed.

66789

Routing CLI process may crash when you delete a routing instance that uses a redistribution policy for instance import, followed by another commit that moves the terms of the same redistribution policy. This issue has been fixed.

66817

With packet replication and per-packet load balancing, packets are cached and released from the buffer to reorder out-of-order packets. Thee released packets may use the stale data, which can cause the Versa services process crash. This issue has been fixed.

67147

Changed the default behavior so that the origin of a BGP route in VRF to Layer 3 VPN, and vice versa. The origin can be overridden if it is configured in the redistribution policy.

67276

Traffic ingressing from the SD-WAN cannot be further redirected to another SD-WAN next hop on the middle hop using forwarding profile with next hop as the site. This issue has been fixed so that steering to another site on a hub is supported.

67404

Versa service process may crash when VSA is enabled with TCP optimization in auto mode. This issue has been fixed

67446

Versa 810 devices may report the incorrect power supply status “Either PSU2 cable is unplugged or PSU2 is unplugged”. This issue has been fixed.

67456

Externally authenticated users in the admin group cannot able run show alarms or other privileged commands from the CLI. This issue has been fixed.

67491

Modify the default method of defining a string in the CLI to use quotation marks instead of a backslash

67629

When you issue a CLI command to display the BGP route table for a specific routing instance and an extended community, the routing process may crash. This issue has been fixed.

67659

Enhanced the output of the show interface info command to include DSL interface information.

67707

Fixed an issue with timezone settings that can occur if /etc/localtime is not a symbolic link.

68087

When you run a CLI command to display interface status immediately after you run an SNMP query to retrieve interface status, the interface manager process may crash. This issue has been fixed.

68103, 68124

When you upgrade a VOS device from Release 16.1R2W10.4 to Release 20.2.2, the management and configuration process may crash because of an invalid tenant ID in SNMP query.

68157

Timeout error may occur when you issue the show orgs org-services organization-name dns-proxy profile-monitor CLI command. This issue has been fixed.

68198

If you modify the LEF profile in the ADC module, the Analytics node may miss ADC logs. This issue has been fixed.

68226

Versa services crash is seen due to incorrect reference counting of IP routes. This issue has been fixed.

68266

On PPPoE interfaces, some PPPoE servers may terminate the connection directly with PADT, and the LCP TermAck may not be received, so IP cleanup does not happen. This issue has been fixed.

68677

Versa services process may crash because of malformed packets recovered by the FEC module. This issue has been fixed by dropping the malformed packets.

68911

After unsuccessful attempts to ssh login as root, the root account may be disabled. This prevents changing running “sudo su” to drop to root shell. This issue has been fixed.

69080

On Advantech devices with an LCD screen, the lcd4linux service continuously invokes the command to fetch the system status if you press the menu and navigate to one of the options. On systems on which TACACS+ accounting is enabled, this issue causes to a large build up of account records, leading to memory overload of the versa-vmod process. This issue has been fixed.

69282

On systems with Rangeley (C2xxx) CPUs, if the QAT is stressed by traffic requiring cryptographic processing, the Versa service process may stop all further processing of cryptographic traffic, requiring a restart to recover the system. This issue has been fixed.

69369

When you apply a configuration change that reconfigures the Layer 3 VPN module, you may see a core in the routing process. This issue has been fixed.

Fixed Bugs in Release 21.1.4

Bug ID

Summary

43497, 66215 When you reference an address group before it is defined during a commit, it was not successful. Support has been added to handle this gracefully.

45301

Running tcpdump on the vni-0/2 interface in system with WiFi interfaces (vni-0/20*) is unsuccessful, because cleanup on previous invocations was not successful.
45840 SNMP walk fails to fetch the SD-WAN policy if address monitors are attached to the policy.
46302 Config Sync-from-Appliance performance has been improved. On systems with large routing configurations, this operation would previously take several minutes.
53277 NTP cannot resolve FQDN server names.
58454 If you enable device Identification, intermittent service disruption occurs because of a process crash and restart. As a workaround, do not enable device identification.
58509 If you include special characters in any of the encoded attribute values in the ZTP URL, such as the Controller PSK, the VOS CPE would be configured incorrectly.
60515 CA-signed certificate for device management reverts to a self-signed default certificate when you upgrade the VOS software.
61985 IPsec alarm has been enhanced to include the name of VPN profile associated with the IPsec tunnel or to include the name of the tunnel interface if it is a route-based IPsec tunnel.
63569 The IF-MIB field ifOperStatus shows as Up even if the tunnel interface is down.
64067 After the routing process restarts because of a core, the SD-WAN Controller node may not install the host routes for the branches in a scaled environment. This issue has been fixed.
64533 Fixed a memory leak in audisp-aaa plugin for VOS systems running Ubuntu 14.04 (Trusty).
65114 Certain threshold and utilization alarms are occasionally not cleared.
65168 If the SKU field is empty, the show system details command shows no data.
67751 If a redistribute policy contains a set-community attribute and is used for redistribution to OSPF, the commit fails with a cryptic message. This issue has been fixed, and the error message is now more descriptive.
69064 Becuase of a timing issue, physical interfaces may not be recognized as vni-x/x interfaces and sometimes appear as unknown-x/x interfaces.
69175 If the IP lookup database is corrupted, services do not start because the Versa services continuously restart. The process has been made more resilient and continues to run if the database is corrupted.
69188 SPack installation was reporting a failure even if it was installed successfully, because the installation took longer than five minutes. The timeout has been extended to 10 minutes to accommodate slower installations.
69517 The static source NAT and twice static NAT are bidirectional NAT policies, which means that sessions can be initiated in the server-to-client (out-to-in) direction as well. For sessions matching the NAT policy in the server-to-client direction, the reevaluation of the NAT policy was not being done correctly, and as a result, the NAT session was being torn down.
69815 Moving existing BGP neighbor addresses to a new BGP group causes a commit operation to.
69825 Setting a link speed of 10 Mbps configures the default shaping burst size to 1250. For all link speeds less than 100 Mbps, the default burst size is now 12500 bytes, to allow for jumbo packets.
69921 When you define the same application in two different organizations in a VOS instance, application reporting works correctly in one organization but not in the other.
70029 The TCP MSS on an unencrypted SD-WAN tunnel is not adjusted up, but rather it remains the same as the encrypted tunnel MSS.
70036 The show system status”CLI command crashes the vmod process because of stale status files.
70089 When you enable isolate-cpu, the Versa services process keeps restarting after a software upgrade.
70101 Provisioning a new routing Instance becomes progressively slower as the number of routing instances become very large.
70106 TVI interface type change not allowed message prevents a template deploy even if you select the reboot option.
70206 When a branch-to-branch SD-WAN tunnel goes down, the IpsecTunnelDown alarm is incorrectly generated.
70233 In an SD-WAN network with a set of hierarchical Controller nodes, if a spoke loses connectivity with T1 controller1, at the T0 Controllers, the T1 Controller1's routes are selected because the T1 Controller's IP address is lower.
70239 On a hub-controller node, when all the interfaces go down and then one of the interfaces comes up in reverse order, the SLA did not come up.
70314 In file-based actions, if you specify the file size limit, downloading any file exceeding that size is not blocked unless you also specify the deny list option.
70315 On CSG300 Series appliances, an auto-SIM detection issue may occur with the Ubuntu 18.04 (Bionic) version of the OS.
70363 The Don’t-Fragment override configuration option do not work for PIM Register packets.
70366 For Ethernet ports using i354 MAC controllers, when the remote end is running at 100M/FD with autonegotiation On, disabling the port on the local side causes the interface to hang or get stuck. In this situation, the LED on the local link is Down, whereas the LED on the remote link is still On. The only way to recover (unhang) the interface is to power cycle the device. This issue affects the following CSG and white-box appliances:
  • Advantech—FWA-1320, FWA-2320, FWA1010VC
  • Lanner—FW7525, FW7551
  • Nexcom—DTA1152AC4
  • Silicom—80500
  • Versa Networks—CSG350, CSG355, CSG365
70604

A local user for whom a ssh-public-key is configured cannot use ssh to log in to a VOS device.

70662 When there are 200+ interfaces in the traffic-identification configuration, a commit change can take up to 3 minutes.
70823 Security package installation fails if there is an earlier commit that contains more than four attributes configured under “system parameters”.
70832 An application monitor’s last status of Up remains as Up if you disable the WAN interface and the monitoring threshold is more than 20 seconds. (The default is 3 seconds).
70893 If private-key decoding fails, issues with OCSP monitoring occur.
70906 The alarmDevice field in SNMP trap messages now includes the name of the device that originated the trap. Previously, the field had the name of the module that originated the traffic.
71182 When you enable a SIP ALG, in a rare scenario, SIP confirmed that dialogs were not cleaned up, which, over time, caused a memory leak in Versa service process. This issue has been fixed.
71256 Moving a BGP neighbor address from one BGP group to another is not reflected in the show bgp neighbor brief CLI command output and led to inconsistencies in the Director and device configurations. This issue has been fixed
71310 Fixed a negative value displayed in the Versa log collector’s process debug memory statistics.
71424 For Google Chrome browsers with CECPQ2, the SSL handshake failed for domains starting with letter "a". This issue has been fixed.
71437 The Versa services process consistent uses a large amount of member because of an issue in which unused memory is not released to the system. This issue has been fixed
71485 When multiple certificates must be OCSP validated, a port bind issue may occur, with a connect_fail issue, because of a single client side port.
71528 For a SASE client, when TCP SYN is not retransmitted, the client may not connect to the gateway. This issue has been fixed.
71569 Increase the space in the filter table to support 1K or more static BGP peers.
71669 When Layer 2 services with STP were enabled, a memory leak was detected in the Layer 2 control process, resulting in high memory utilization. This issue has been fixed.
71675 During service initialization, an SNMP request to the routing process may cause the process to restart.
71717 When you configure the share-aro option for a BGP instance, the Controller node may not sync some of the routes to a peer when a reconnection occurs.
71901 BGP does not advertise the slave local preference value configured in a redistribution policy for a static route. This can happen when you add a static route after configuring slave-local-preference. This issue has been fixed.
71911 When a user-defined URL category name contains a period (.), a configuration commit fails. The commit check now allows only alphanumeric characters, hyphens (-), and underscores (_).
71992 The Versa services daemon may occasionally get stuck in repeated attempts to select an SD-WAN path for a session. This issue has been fixed
72189 For an SD-WAN Controller node, continuous IKE flaps were seen towards the SD-WAN branch appliance. This occurred because of mismatch of information between the two modules. This issue has been fixed.
72363 When an SD-WAN network has more than six SD-WAN Controller nodes, the routing process may go in to a high CPU state when any network failures occur.
72410 The CGNAT module might crash and restart the services.
72514 Logging related to an error condition in the routing process fills up the logs.
72610 Add support for an additional PLMN for Verizon 311270.
72792 The routing process stops and restarts because of a buffer overflow caused by printing too many communities in a show command in a routing loop situation.
72915 In the rare scenario of a double failure, Controller-to-Controller and Controller-to-branch routes are not removed, creating stale routes. This issue has been fixed
72953 While handling an aggregate route with the discard option, the routing process stops and then restarts.
73079

If a PPPoE interface has different subnets at the two ends, there may be a reachability issue because of improper route installation.

73118 If you specify a source interface in a ping or traceroute command to an FQDN destination, the command may fail because of a defect in how the dig command output is parsed.
73234 Fix services process crash triggered by ADC server down when load-balancing is set to WRR.
73262 When an FQDN object is resolved through multiple routing instances and then one of the routing instance stops resolving, the policy module cannot obtain the resolved address from other routing instances.
73518 Fix routing process restart when routing peer policy configuration containing a prefix list is modified
73587 Add support for handling 16K jumbo frames in QAT to perform fast cryptographic operations in hardware.
73608 Fix an issue in DNS zone transfer by allowing multiple DNS responses in a single query for AXFR/IXFR.
73702 Fix routing process crash that might happen when you issue the clear bgp neighbor CLI command.
73896 EVPN remote MAC entries are deleted when a Layer 3 interface is removed when same core virtual router instance is used for a Layer 3 and a Layer 2 VPN and L2 VPN. This issue has been fixed
73957 Fix a crash in Versa services process when traffic goes through the CGNAT service and an SD-WAN policy is configured with a next-hop priority.
74333 Fix a delay in the DHCP offer when the DHCP server profile is configured with ping settings.
74378 Fix an issue in which packets are dropped on a TCP SIP session after the session idle timeout is reached.
74429 Sometimes, when multiple rollbacks of the IPsec VPN rule configuration are performed, a services process crash is observed. This issue has been fixed.
74936 Automatically exclude statically mapped IP address from the DHCP server dynamic IP address pool.
74955 Fix private key export/preview for TPM-enabled hardware.
74988 Fix an issue with IKE route installation in the routing table that may occur after network disruption when the device has more than 1 million routes.
75050 Fix upgrade script timeout on an appliance with a large configuration.
75283 Fix missing CMP server entry from address manager database after services restart when OSCP is configured.
75402 SIP Invite confirm dialog deletion timer increased to 6 hours.
75466 Fix vstated process memory spike that causes service disruption when routes are removed and added frequently.
75629 BGP does not advertise the configured VRRP slave priority when multiple interfaces are configured as VRRP slaves. This issue has been fixed.
75704 Some access policy rules may be removed incorrectly from the firewall engine during an SPack update after a failed commit, if the failed commit includes any access policy rule changes.
75967 Monitor down with maximum threshold of 60 seconds.
76115 Monitor group state remains in inactive after a reboot when more than two monitor groups are configured.
76290 An externally authenticated user sometimes cannot execute sudo commands without passwords.
76587 When a circuit for a remote site, say B2, is removed, the updates are propagated and consumed by all SD-WAN sites. Let’s assume current site is B1. When the associated transport paths are being cleaned up on B1 corresponding to the deleted B2 circuit, it is important to ensure that the transport path table itself has not already cleaned up. This bug fix adds a defensive check for this purpose. This issue is seen only if all circuits for a remote site are progressively cleaned up.
77039 Operator-level users can no longer log in after upgrading to Release 21.1.3.
77431 Fix services process crash caused by an unprogrammed interface that may occur if the same interface flaps multiple times.
77723 Packets are dropped on the receiver when a rule switches on the sender side after the session starts. This occurs before the packet egresses, when the packet is processed through FEC and then App ID detection causes the rule that does not have FEC enabled to match. As a result, the same packet is processed again and the end notification is not sent, causing the receiver to assume that FEC is still active on sender.
77781 ARP entries are not cleared when the VOS device is the VRRP active node and the interface on which VRRP is configured is shut down.
78584 Monitor does not come up on bootup, resulting in an inactive IP SLA.
78778 Fix routing process crash that can occur when a routing instance is deleted.
78817 For data traffic, the VOS device being used as a VRRP active node uses the interface MAC address as source address in ARP request or reply for the virtual IP address. This has been fixed to use the virtual MAC address instead.
78876 Long-lived RTP sessions accumulate memory and cause the Versa service process memory usage to increase.
79163

URL cloud lookup may fail after many days because of a memory leak.

76913 Do not send LEF logs for the file filter action of allow to prevent an overflow of the LEF logs.
80011 If you rearrange the terms of a redistribution policy while the policy is being used for redistribution to BGP for IPv6, the Versa routing transformer process may restart.
80074 A memory leak in the Infmgr process may occur, and stale neighbor objects are leaked slowly over time.
80537 Tenant QoS policer may skip policing the reverse traffic and police only the forward traffic.

Limitations and Behavior Changes

The following are the limitations and behavior changes in Release 21.1.

Limitations and Behavior Changes in Release 21.1

  • TCP optimization is designed for WANs with bottleneck bandwidth up to 300 Mbps that also experience high latency (> 50 ms) and some degree of packet loss. Using TCP optimization in other environments, such as low-latency networks or in networks with high latency but no packet loss, may be counterproductive and may instead decrease performance.
  • With TCP optimization, peer discovery, or automode, is currently limited to an SD-WAN network, even though the optimization is designed to also work on Versa appliances in a non SD-WAN network.
  • On Windows remote access clients connecting to a VOS RAS server, you must add static routes for remote access. Routes are not automatically installed on the Windows RAC client when it connects to the VOS RAS server.
  • A VOS device does not configure a RAC client with the DNS server address. You must manually configure it on the Windows RAC client.
  • You cannot configure IRB as an inter-HA link.
  • The maximum number of IRB interfaces is 64.
  • For bridging, you must configure Layer 2 interfaces in promiscuous mode.
  • Versa Director monitor screens are not available for Layer 2 show commands.
  • Class of service (CoS) and access lists are not supported for Layer 2.
  • IRB interfaces support family inet only. These interfaces currently do not support IPv6.
  • You should ensure that the Layer 2 interface MTU matches the IRB interface MTU to avoid any packet drops caused by MTU mismatch.
  • Previously, by default, FEC sent the parity on the same link and the duplicate parity on an alternate link.This has changed. Now, the parity packet is sent on alternate link and the duplicate parity packet is disabled. This was done to reduce the overhead on already congested lists. You can enable the duplicate parity packet through configuration.
  • In Releases 20.2 and later, the BGP AS path loop check behavior has been changed to prevent BGP routes that contain the local AS number of the BGP instance from being installed even when they are received from IBGP peers. (In software releases prior to Release 20.2, an AS loop check was performed only for routes received from EBGP peers). This change was made to comply with RFC 4271, to prevent loops in all cases. When you upgrade a VOS devices from Release 16.1R2 to Release 21.1, if the VOS device is configured the overlay AS number in the BGP AS path to the Controller node, the Controller node no longer installs these routes and therefore does not propagate the routes to other branches. As a result, you might encounter one the following situations:
    • The local AS number configured in the branch VRF BGP group or neighbor may be same as the overlay control VR. If so, do one of the following as part of upgrade:
      • Ensure that the local AS number configured for the group or neighbor in the VRF is different from the overlay BGP AS number in the control VR. If the AS numbers are different, the controller node does not receive its own overlay AS number in the AS path, and the route is installed.
      • Check whether the default local AS mode to mode-2, which adds the configured local AS in the BGP group or neighbor level to the AS path when the route is imported. If so, change the mode to mode-4, which does not add the AS number to the AS path. As a result, this route passes the AS loop check on the Controller node and is installed.
      • Configure the loops ;option in the BGP group corresponding to the branches in the Controller’s control VR as well as in the control VR in the branches. This option allows routes with as many loops as specified in the configuration to be installed.
    • The AS path received from the BGP peers in the VRF may already contain the overlay AS number. If so, do one of the following as part of upgrade:
      • Ensure that the customer network does not use the overlay BGP AS number in the control VR, with the result that the controller will not receive its own overlay AS number in the AS path and the route will be installed.
      • Configure the loops option in the BGP group corresponding to the branches in the Controller’s control VR as well as in the control VR in the branches. This option allows routes with as many loops as specified in the configuration to be installed.
  • In Releases 20.2.3 and earlier, when BGP detects that a neighbor is going down, the Controller nodes reruns the best path selection for Layer 3 VPN routes, selects an alternate route from another active neighbor, and announces the route to other BGP route-reflector clients so that they can use the new route. In Release 20.2.4 and Releases 21.2.2, and later, the Controller node reruns the best path selection only for Versa private routes. This means that a stale Layer 3 VPN route from the neighbor that has gone down still remains as the best path, and subsequent best path selection for Layer 3 VPN routes occurs only if the Controller node receives an update for the route. This behavior change can cause issues when route distinguisher (RD) values are the same on different VOS devices and they are advertising the same route for the purpose of redundancy or failover. It is recommended that the route distinguisher values for a tenant LAN virtual router (tenant-LAN-VR) be unique for each VOS device so that the Controller node can reflect the same route received from multiple clients, ensuring faster failover if a client that is sending the best route fails. In Releases 21.x, during the workflow deployment, the Director node generates unique route distinguisher values for each VOS device, in the format global-vrf-idL:site-id, for both standalone and HA deployments. In Releases 20.2.3 and earlier, the route distinguisher values were not unique for standalone VOS devices.

Limitations and Behavior Changes in Release 21.1.1

  • Starting with Release 20.2.x, VOS software requires the underlying Intel CPU to have RDRAND capability. To check the CPU's capability, issue the following command:
# cat /proc/cpuinfo | grep rdrand
  • When you change the maximum number of tenants, you must commit the change separately, and a service restart occurs. After the restart, make any other configuration changes.
  • Whenever you configure a SD-WAN or policy-based forwarding (PBF) rule to override routing (by enforcing a next hop), you must configure a source zone in addition to other match criteria in the rule in order to prevent traffic not intended for the rule from matching it inadvertently. An example of this is when you use an SD-WAN or PBF policy rule for application-based DIA. This requires a rule to identify traffic originating from the LAN (typically, some Intf-<>-LAN-zone), and then using the rule to send the traffic into the required transport VR, where a second session gets created. CGNAT rules are used to source-NAT this traffic. If the source zone is omitted in the SD-WAN/PBF rule's match condition, the second session also matches it and causes a packet loop. By adding the source zone Intf-<>-LAN-zone as a match condition, you prevent the second session from matching the PBF rule.

Limitations and Behavior Changes in Release 21.1.2

  • When you change the maximum number of tenants, you must commit the change separately, and a service restart occurs. After the restart, make any other configuration changes.
  • When you configure an SD-WAN or a policy-based forwarding (PBF) rule to override routing (by enforcing a next hop), you must configure a source zone in addition to other match criteria in the rule, to prevent traffic not intended for the rule from matching it inadvertently. An example of this is when you use an SD-WAN or a PBF policy rule for application-based DIA. This requires a rule to identify traffic originating from the LAN (typically, some Intf-<>-LAN-zone), and then using the rule to send the traffic into the required transport VR, where a second session gets created. CGNAT rules are used to source-NAT this traffic. If you omit the source zone n the SD-WAN/PBF rule's match condition, the second session also matches it and causes a packet loop. By adding the source zone Intf-<>-LAN-zone as a match condition, you prevent the second session from matching the PBF rule.
  • For the DHCP server to provide an IP address, there must be at least one matching rule in the DHCP service profile. In earlier releases, DHCP provided an IP address even when there were no matching rules.

Limitations and Behavior Changes in Release 21.1.3

  • When you change the maximum number of tenants, you must commit the change separately, and a service restart occurs. After the restart, make any other configuration changes.
  • Whenever you configure an SD-WAN or a policy-based forwarding (PBF) rule to override routing (by enforcing a next hop), you must configure a source zone in addition to other match criteria in the rule in order to prevent traffic not intended for the rule from matching it inadvertently. An example of this is when you use an SD-WAN or PBF policy rule for application-based DIA. This requires a rule to identify traffic originating from the LAN (typically, some Intf-<>-LAN-zone), and then using the rule to send the traffic into the required transport VR, where a second session gets created. CGNAT rules are used to source-NAT this traffic. If the source zone is omitted in the SD-WAN/PBF rule's match condition, the second session also matches it and causes a packet loop. By adding the source zone Intf-<>-LAN-zone as a match condition, you prevent the second session from matching the PBF rule.

Known Issues

The following are the known issues in Release 21.1.

Known Issues in Release 21.1

Bug ID

Summary

45578

Need an option to clear bridge MAC table for all instances.

46884

LACP-based AE interfaces flap in a scaled setup.

46661

Director monitor option for Layer 2 commands is not available.

46967

IRB does not show up under router advertisement.

45535

TCP optimization policy-based statistics do not reflect the actual statistics when you select a remote branch.

45569

With high latency but no loss, BBR throughput is slower than that of cubic (standard TCP congestion control).

46703

IPsec RAS DNS server configuration is missing for remote-vpn-client.

45572

Any changes to a RADIUS authentication profile do not take effect until a restart is done.

Known Issues in Release 21.1.1

  • In multicast routing, when you enable the Anycast-RP mechanism on a first-hop router, the source information is not shared between Anycast-RP peers through PIM register packets. As a workaround, ensure that you do not enable the Anycast-RP mechanism on a first-hop router.
  • If a VOS node is a part of interchassis HA pair (for active-standby stateful HA), you must first upgrade it to Release 16.1R2S11 before you upgrade it to Release 21.1.1. If the interchassis HA pair is running Release 16.1R2S9 or later, you must increase the HA probe miss threshold to 3600 seconds during the upgrade. If the interchassis HA pair is running Release 16.1R2S8 or earlier, you must set the probe type to none on both the nodes before performing the upgrade. Otherwise, the standby device restarts continuously after the upgrade. After the upgrade, you can return the HA probe miss threshold value to the originally configured value. To upgrade an interchassis HA pair from Release 20.2.2 to Release 21.1.1, it is recommended that you first upgrade the VOS device from Releases 20.2.2 to Release 20.2.3 and then upgrade to Release 21.1.1.
  • Device identification may not fully identify all end devices in the network. It is recommended that you use this feature only in labs, POCs, and trials.
  • A tenant-based traffic shaper expects the shaper on the physical interface to be configured on the provider organization. If this is not the case, you must perform the commit in two steps. First, delete the shaping configuration from the non-provider organization, and commit the configuration. Then, configure the shaping, and commit the configuration. You can, for instance, configure the shaper on the provider organization and the provider limit on the customer organization. This limitation applies only to multitenant CPE or hub VOS instances.
  • If you want to upgrade a VOS device on which uCPE is enabled (hypervisor installed) from Release 16.1R2 to Release 21.1.1, contact Versa Network Customer Support. Also see https://support.versa-networks.com/a...es/23000021050
  • If you enable information validation on a stateful HA branch deployment, and if there is a long delay in bringing up interfaces in the global VRF, the information validation client may fail to register with information validation server on the peer VNF. As a workaround, restart the versa-vmod service alone on the affected VOS device.
  • The rollback x command might not work properly.
  • The show commit changes x command might not show the actual CLI changes.

Known Issues in Release 21.1.2

  • Device identification may not be able to fully identify all end devices in the network. It is recommended that you use this feature only in the lab, POCs, and trials.
  • In multicast routing, the source information is not shared between anycast-RP peers through PIM register packets when you enable the anycast-RP mechanism on a first-hop router. As a workaround, do not enable anycast-RP on a first-hop router.
  • If a VOS node is part of an inter-chassis HA pair (active-standby Stateful HA), you must first upgrade it to Release 16.1R2S11 before upgrading to Release 21.1.2. When an interchassis HA pair is running Release 16.1R2S9 or later, you must set the probe-type to none on both the nodes before the upgrade. Otherwise, the standby device continuously restarts after the upgrade. After the upgrade, you can revert the HA probe-type value to the originally configured value.
    To upgrade an interchassis HA pair from Release 20.2.2 to 21.1.2, it is recommended that you upgrade VOS from Release 20.2.2 to Release 20.2.3, and then upgrade to Release 21.1.2.
  • A tenant-based traffic shaper expects the shaper on the physical interface to be configured on the provider organization. If this is not the case, you need to perform the commit in two steps. First, delete the shaping configuration from the non-provider organization and commit the configuration. The second commit could have the shaper configured on the provider organization and provider-limit configured on the customer organization. This limitation only applies to multitenant CPE or hub VOS instances.
  • You cannot upgrade a VOS device on which uCPE enabled (hypervisor installed) from Release 16.1R2 to Release 21.1.2. Please contact the support team if you are considering the upgrade. For more information, see https://support.versa-networks.com/a/solutions/articles/23000021050
  • When you enable the info-validation feature in a stateful HA branch deployment, a huge delay might occur in bringing up of interfaces in the global VRF, and the info-validation client may fail to register with the info-validation server on the peer VNF. As a workaround, restart only the versa-vmod service on the affected VOS device.
  • If you configure an SLA profile at the next-hop level in conjunction with configuration application monitors, the SLA profile options to select a path based on the lowest latency and on the lowest packet loss are ignored. To utilize these best-path selection features, configure the SLA profile at the global level.

Known Issues in Release 21.1.3

  • Device identification may not be able to fully identify all end devices in the network. It is recommended that you use this feature only in the lab, POCs, and trials.
  • In multicast routing, when you enable the anycast-RP mechanism on a first-hop router, the source information is not shared between anycast-RP peers through PIM register packets. As a workaround, do not enable anycast-RP on a first-hop router.
  • If a VOS device is part of an interchassis HA pair (active-standby stateful HA), you must first upgrade it to Release 16.1R2S11 before upgrading to Release 21.1.3. When an interchassiss HA pair is running Release 16.1R2S9 or later, you must set the probe type to none on both the nodes before the upgrade. Otherwise, the standby device continuously restarts after the upgrade. After the upgrade, you can return the HA probe-type value to the originally configured value. To upgrade an interchassis HA pair from Release 20.2.2 to 21.1.3, it is recommended that you upgrade VOS from Release 20.2.2 to Release 20.2.3, and then upgrade to Release 21.1.3.
  • A tenant-based traffic shaper expects the shaper on the physical interface to be configured on the provider organization. If this is not the case, you need to perform the commit in two steps. First, delete the shaping configuration from the non-provider organization and commit the configuration. The second commit could have the shaper configured on the provider organization and provider-limit configured on the customer organization. This limitation applies only to multitenant CPE devices or hub VOS instances.
  • You cannot upgrade a VOS device on which uCPE enabled (hypervisor installed) from Release 16.1R2 to Release 21.1.3. Please contact the support team if you are considering the upgrade.
    https://support.versa-networks.com/a/solutions/articles/23000021050
  • When you enable info-validation in a stateful HA branch deployment, a large delay might occur in bringing up interfaces in the global VRF, and the info-validation client may fail to register with the info-validation server on the peer VNF. As a workaround, restart only the versa-vmod service on the affected VOS device.

Request Technical Support

To request technical support, visit http://support.versa-networks.com. If you are contacting support for the first time, register and create an account. You can also send email to support@versa-networks.com or contact your Versa Networks sales account team.

Additional Information

Deployment and Initial Configuration

Revision History

Revision 1—Release 21.1, December 20, 2019
Revision 2—Release 21.1.1, August 21, 2020
Revision 3—Release 21.1.2, December 1, 2020
Revision 4—Release 21.1.3, June 6, 2021
Revision 5—Release 21.1.4, April 27, 2022

  • Was this article helpful?